Using Microsoft AD authentication in (X)ubuntu 14.04

2 min readFeb 17, 2015

Software Requirements

chmod a+x pbis-open-8.0.1.2029.linux.x86.deb.sh
bash pbis-open-8.0.1.2029.linux.x86.deb.sh

“Legacy links” are not required, in practice it would add likewise open links to PowerBroker’s executables.

Install sshd, it is required by domain-join.

Reboot

Replace AD.LOCAL with what ever your AD should be.

# sudo /opt/pbis/bin/domainjoin-cli join AD.LOCAL domainadminuser@AD.LOCAL

If join didn’t work add your AD’s IP as nameserver line in /etc/network/interfaces and retry.

dns-nameservers 10.10.20.30

Reboot

# sudo /opt/pbis/bin/config LoginShellTemplate /bin/bash

Without doing this LDAP auth works with ttys but not on GUI greeters.

# sudo nano /etc/pam.d/common-session

Find the line that says “session sufficient pam_lsass.so” and change it to read this:

session [success=ok default=ignore] pam_lsass.so

# sudo visudo

Add lines for groups and users if user exceptions are needed.

# Allow LDAP user hero to sudo
%AD\\hero ALL=(ALL) ALL# Allow group “3 tech” to sudo
%AD\\3^tech ALL=(ALL) ALL

With sudo problems check user and groups information by running “id” with that specific user, group names should be in same format in sudoers file.

Don’t worry it’s just something called policy kit and it doesn't use sudoers at all.

# sudo nano /etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf

Append your sudo groups to

[Configuration]
AdminIdentities=unix-group:admin

by adding ;unix-group:groupname, remember to check group name with id if you run into problems.

[Configuration]
AdminIdentities=unix-group:admin;unix-group:AD\\3^tech