Centrify Express is free tool offered by the company that makes various Single Sign-On tools, of which only Express is available free and easily for the Linux operating system. Once you have used this tool to join a Windows Domain you will be shocked at how easily it is done.

Installation

I am going to illustrate this installation process on a Ubuntu 10.10 machine. If you need to install on a different distribution (or on Windows, or Mac) you will need to sign up for a download. If you do that you will find pre-compiled binaries for:

• Windows
• Mac
• CentOS
• Debian
• Mandriva
• SUSE
• OpenSolaris
• Oracle Enterprise Linux
• Red Hat Enterprise Linux
• Scientific Linux

But if you are using Ubuntu, you can follow these easy steps:

1. Open up the Ubuntu Software Center.
2. Search for “centrify” (No quotes).
3. Click Install.
4. Type your sudo password and press Enter.
5. Once the installation is finished you can then close out the Ubuntu Software Center.

Now it’s time to do just a tiny bit of configuration.

Configuration

The only configuration you need to take care of is in the /etc/nsswitch file. In that file you will find a line that looks like:
hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4

Change that file to just read:

hosts:        files dns

Now there is one other configuration you need to take care of BEFORE you join the domain. In the file /etc/centrifydc/group.ignore you need to add the group “admin” (no quotes) to this list. If you do not do this your sudo users will not longer have sudo privileges. Without sudo privileges your users will not be able to install applications or run anything that needs administrative permissions.

Once you have configured that file, save  it. You are now ready to join the comain.

Joining the domain

You will need the domain admin password for this to be successful. To join the domain do the following:

Open up a terminal window.

Issue the command sudo adjoin -w DOMAIN (Where DOMAIN is the domain you want to join).

Type the Domain admin password and hit Enter.

It may take some time but you will eventually be joined to the domain. You should now be able to open up Nautilus and explore your network by hostname as if you were using a Windows machine.

If you find you can not see your network by hostname, you might have to reboot and then log in with your AD credentials.

Final thoughts

You now have two methods with which to join a Windows domain. The enterprise pastures, for Linux, are growing greener and greener by the day.

Of course it is not just a matter of working on the Linux end of things. There is one issue to settle on the MS end. You have to activate Secure LDAP on your AD Server. This process goes beyond the scope of this article, but the steps are pretty clear.

Enable SLDAP

Here are the steps to enable Secure LDAP on your Windows 2003 AD server (I will leave out the details):

1. Create an Active Directory domain controller certificate request.
2. Create a Certification Authority.
3. Sign the certificate request by the Certification Authority.
4. Export the root certificate Certification Authority.
5. Import the root certificate Certification Authority onto the Domain Controller.
6. Import the LDAP Server certificate onto the Domain Controller.
7. Set up the UMRA (LDAP Client) computer.
8. Verify Secure LDAPS using SSL.

Installing adtool

Fortunately adtool will be found in your distributions’ repositories. So all you have to do is follow these steps:

1. Fire up Synaptic (or whichever Add/Remove Software utility you use).
2. Do a search for “adtool” (no quotes).
3. Mark the results for installation.
4. Click Apply to install.
5. Close Synaptic.

Configuring adtool

This is a bit of configuration you need to handle before you can use adtool on your AD server. First create the file (if it doesn’t exist) /etc/adtool.cfg and add the following contents:

uri ldaps://YOUR.DOMAIN.HERE
binddn cn=Administrator,cn=Users,dc=domain,dc=tld
bindpw $PASSWORD
searchbase dc=domain,dc=tld

Where YOUR.DOMAIN.HERE is the actual address to your Active Directory server.

Where PASSWORD is the password for the AD user that has proper permissions to manage the AD server.

You will also need to make sure the following is in your /etc/ldap/ldap.conf file:

BASE    dc=YOUR,dc=DOMAIN,dc=HERE
URI     ldaps://YOUR.DOMAIN.HERE
TLS_REQCERT allow

Without the above configuration you will not be able to accept the SSL certificates from the server.

Basic usage

The basic usage of the adtool command is simple. Of course you will have to understand Active Directory in order to really understand the usage of this tool. Below I will give you samples of commands to handle the basic tasks for AD. Any information in ALL CAPS would be altered to fit your needs.

Create a new organizational unit:

adtool oucreate ORGANIZATION NAME ou=user,dc=DOMAIN,dc=COM

Add a user:

adtool useradd USER ou=ORGANIZATION ou=user,cd=DOMAIN,dc=COM

Set a user password:

adtool setpass USER PASSWORD

Unlock a user:

adtool unlock USER

Create a group

adtool groupcreate GROUP ou=user,cd=DOMAIN,dc=COM

Add a user to a group:

adtool groupadd allusers USER

Add an email address for the user:

adtool attributereplace USER mail EMAIL@ADDRESS

Final thoughts

We’ve only really scratched the surface of this powerful tool. But from this you should be able to see how easy adtool can be as well as how helpful it is.

USB Blocker (via Techie Buzz) is a software program that can protect USB ports from being accessed unauthorized. One main benefit of USB Blocker is that it relies solely on group policy mechanisms and does not have to be deployed on client computer systems. USB port protection can be achieved with just a few mouse clicks on connected computer systems.

The application is controlled via a small interface that pops up for the first time after installation. A click on the Block USB Devices checkbox enables the options for managed active directory domains and provides the means to exclude computers from being blocked by the USB port protection software. There is also an option to only block devices for specific organizational units in the Active directory.

The usb port protection software can only be downloaded after a quick registration (without verification) at the website of the developer. USB Blocker is compatible with most Microsoft operating systems. A commercial version exists as well which extends the functionality of the USB port protection to include additional devices among other things.