Join a Ubuntu machine to a Windows domain
I had been hoping to accomplish this for some time now. At work we work under a Windows domain and I have a Ubuntu test machine that I have been hoping to join to that domain. Finally, thanks to Likewise-Open5, it happened. And, believe it or not, it's not all that difficult.
Oh sure you can use Samba to take this task on, but you better be prepared for some serious configuration and work. With Likewise-Open5 that job is made significantly easier. Now I understand that with the upcoming major release of Samba, joining a domain should be much simpler. But with the tools we have now, Likewise-Open5 is your best bet. In this article I will show you how to join a Windows domain using a Ubuntu box.
Installing Likewise-Open5 is simple. Although there is a GUI that comes along with Likewise-Open5, we are going to install and use the CLI tool. Why? It's more reliable. So for installation open up a terminal window and issue the following command:
sudo apt-get install likewise-open5
That command should pick up all the necessary dependencies and have you ready to join in no time.
What you need
In order to connect to your domain, you will need the following information:
- Domain name: This is the domain name (FQDN) of the domain you want to join.
- DNS: Although you may be tempted to use something like OpenDNS, you will want to use the DNS used on your domain.
- Access: You will need to have an account that is able to join your domain.
You will also need some more information for configuring Sudo later.
To join the domain, the command you want to use looks like this:
sudo domainjoin-cli join DOMAIN USER
Where DOMAIN is the domain you want to join and USER is the username that has rights to join said domain.
You will be prompted for your password. Once you have authenticated, you have officially joined that domain.
Now, let's set Likewise-Open to use this domain as the default domain. This will mean you can actually log into your domain from your Ubuntu login screen. In other words, you will automatically be joined upon boot. To do this open up the file /etc/samba/lwiauthd.conf and add the following line:
winbind use default domain = yes
Now, restart the daemon with the command /etc/init.d/likewise-open restart and all is well.
If you want to leave the domain, just issue the following command:
sudo domainjoin-cli leave
One thing you will notice is that, when you have logged in under the domain, your user has no sudo rights. In order to get around this you need to log into your machine as your standard user and edit your /etc/sudoers file. But at this point you need one more bit of information. You need to know the Group your user is a member of in Active Directory. Most likely this is Users. If that doesn't work, contact your IT department and they should be able to tell you.
In the /etc/sudoers file, look for this line:
#Members of the Admin group may gain root privileges and do the following:
and append the following under it:
%DOMAIN\\GROUP ALL=(ALL) ALL
Where DOMAIN is the actual domain and GROUP is the group your user belongs to. Now if you log out and log back in your domain user should have sudo rights.
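The sudoers line above, generated and syntax-checked before it is pasted in; this is an added example, not part of the original article. The function names and the values `EXAMPLE` and `Linux Admins` are constructed for illustration, and `visudo -cf` only checks syntax (it does not confirm the group exists in Active Directory).

```shell
#!/bin/sh
# Added example (not from the article): build the "%DOMAIN\\GROUP ALL=(ALL) ALL"
# rule for an AD group and syntax-check it before touching /etc/sudoers.

# clean VALUE ALLOWED: true if VALUE is non-empty and made only of ALLOWED chars.
clean() {
    [ -n "$1" ] && [ -z "$(printf '%s' "$1" | tr -d "$2")" ]
}

# sudoers_rule DOMAIN GROUP: print the rule, or fail on unexpected input.
# AD group names may contain spaces ("Linux Admins"); sudoers needs them
# written as "\ ", and the DOMAIN\GROUP separator written as "\\".
sudoers_rule() {
    domain=$1
    group=$2
    if ! clean "$domain" 'A-Za-z0-9._-' || ! clean "$group" 'A-Za-z0-9 ._-'; then
        echo "refusing domain/group with unexpected characters" >&2
        return 1
    fi
    esc_group=$(printf '%s' "$group" | sed 's/ /\\ /g')
    printf '%%%s\\\\%s ALL=(ALL) ALL\n' "$domain" "$esc_group"
}

# check_rule DOMAIN GROUP: write the rule to a temp file and let visudo
# parse it, so a typo is caught here and not after sudo stops working.
check_rule() {
    rule=$(sudoers_rule "$1" "$2") || return 1
    tmp=$(mktemp) || return 1
    printf '%s\n' "$rule" > "$tmp"
    status=0
    visudo -cf "$tmp" >/dev/null 2>&1 || status=$?
    rm -f "$tmp"
    return "$status"
}

# Constructed sample values: domain EXAMPLE, group "Linux Admins".
sudoers_rule EXAMPLE "Linux Admins"
if command -v visudo >/dev/null 2>&1; then
    check_rule EXAMPLE "Linux Admins" && echo "syntax OK" || echo "rejected by visudo"
fi
```

Once the check passes, add the printed line with `sudo visudo` so the full file is validated again on save.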
Linux has come a long, long way. And I have confidence this process will soon become a part of either the installation or be included as an easy to use wizard. But for now, it's no longer a harrowing experience to join a Windows domain.
very cool. thanks
Now thát was an interesting article!
I’ve played with joining linux servers to a Windows NT domain using samba in a grey past (10 yrs) but never thought of joining a linux client PC.
Indeed, samba has come a long way.
Btw, have you noticed that the counter on this site where it says “2 Responses to ” is always off by one? It says here 2 Responses though there is only one so far. I began noticing this earlier this week.
They had some problems some time ago. CLI commands were working and both Likewise 4 and 5 could help you in joining an AD domain, but version 4 was more useful for the real network. I’m gonna check version 5 out.
I added my ubuntu 10.04 LTS client machine following your suggestions. However, there are a couple of things that don’t apply in my case.
First, I cannot find the file /etc/samba/lwiauthd.conf. The only .conf file I can find under the samba folder is smb.conf; should I change this file with the winbind line?
Second, once I reboot the machine I cannot log on to the ubuntu machine using my windows domain username “[email protected]”. It always says the authentication failed.
However, I can see the ubuntu machine registered under AD repos.
What could have gone wrong?
Thanks for your great article
raj: You can add that line “winbind use default domain = yes” to your smb.conf file.
I managed to get it working. I was trying various methods to join the ubuntu box to windows domain until coming across your post about using likewise open.
So from the previous attempts, I created one username (my domain username) as local username with ubuntu, which was causing the trouble. Once I removed the local user and tried to login, it worked and I can access all my network shares without any issues.
Thank you very much
Thanks for posting a follow-on article that highlights Centrify Express as another and an easier method for joining Ubuntu to AD.
I am unable to find the file ‘lwiauthd.conf’
Wow – this used to be such a pain in the ass to do a few years ago… Thanks for the great info!
Error: DNS_ERROR_BAD_PACKET [code 0x0000251e]
A bad packet was received from a DNS server. Potentially the requested address
does not exist.
LikewiseOpen is now called Beyond Trust, and the old website is gone. Here is the article that talks about this change, and gives updated links: