Using Microsoft AD authentication in (X)ubuntu 14.04
Software Requirements
Install PowerBroker Identity Services Open Edition (replaces likewiseopen5 on Ubuntu 14) from http://download1.beyondtrust.com/Technical-Support/Downloads/PowerBroker-Identity-Services-Open-Edition/?Pass=True
chmod a+x pbis-open-8.0.1.2029.linux.x86.deb.sh
bash pbis-open-8.0.1.2029.linux.x86.deb.sh
“Legacy links” are not required; in practice they only add Likewise Open-style symlinks pointing at PowerBroker’s executables.
Install sshd; it is required by domain join.
Reboot
Join domain
Replace AD.LOCAL with whatever your AD domain is.
# sudo /opt/pbis/bin/domainjoin-cli join AD.LOCAL domainadminuser@AD.LOCAL
If the join didn’t work, add your AD server’s IP as a dns-nameservers line in /etc/network/interfaces and retry:
dns-nameservers 10.10.20.30
Reboot
Finishing touches
Set correct user shell
# sudo /opt/pbis/bin/config LoginShellTemplate /bin/bash
Fix PAM bug
Without this, AD/LDAP auth works on ttys but not in GUI greeters.
# sudo nano /etc/pam.d/common-session
Find the line that says “session sufficient pam_lsass.so” and change it to read this:
session [success=ok default=ignore] pam_lsass.so
sudo Rights
# sudo visudo
Add lines for groups and users if user exceptions are needed.
# Allow LDAP user hero to sudo (no % prefix: in sudoers % marks a group, not a user)
AD\\hero ALL=(ALL) ALL
# Allow group “3 tech” to sudo (PBIS replaces spaces in AD names with ^)
%AD\\3^tech ALL=(ALL) ALL
If sudo does not work, check the user and group information by running “id” as that specific user; group names must appear in the sudoers file in the same format that id prints them.
WTF, (X)ubuntu still asks for first user password
Don’t worry, it’s just PolicyKit, and it doesn’t use sudoers at all.
# sudo nano /etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf
Append your sudo groups to the AdminIdentities line, which by default reads
[Configuration]
AdminIdentities=unix-group:admin
by adding ;unix-group:groupname for each group; remember to check the group name with id if you run into problems. The result looks like this:
[Configuration]
AdminIdentities=unix-group:admin;unix-group:AD\\3^tech
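As an added example (not from the original post), here is a small sh script that builds the sudoers and polkit entries for an AD group in the name format PBIS uses, and first checks a captured `id` output for that group, which is the check the sudo and PolicyKit sections above recommend. It assumes PBIS’s defaults of prefixing the short domain name (“AD”) and replacing spaces with ^, and follows the post in writing the backslash doubled in both files.

```shell
#!/bin/sh
# Added example, not part of the original post: build the sudoers and
# polkit entries for an AD group in the form PBIS presents it, and check
# the output of `id` for that group before editing either file.
#
# Assumptions: PBIS prefixes names with the short domain (here "AD") and
# replaces spaces with '^', as in the post's "AD\3^tech". In sudoers the
# backslash is doubled (%AD\\3^tech); the post writes the polkit entry the
# same way, so this follows it.

# Escape an AD group name the way PBIS does: spaces become '^'.
pbis_group_name() {
    printf '%s' "$1" | tr ' ' '^'
}

# sudoers line giving full sudo to an AD group ($1 = short domain, $2 = AD group).
sudoers_group_line() {
    printf '%%%s\\\\%s ALL=(ALL) ALL\n' "$1" "$(pbis_group_name "$2")"
}

# AdminIdentities line for 51-ubuntu-admin.conf with one AD group appended.
polkit_admin_line() {
    printf 'AdminIdentities=unix-group:admin;unix-group:%s\\\\%s\n' "$1" "$(pbis_group_name "$2")"
}

# Return 0 if the captured `id` output ($1) lists the AD group ($2 = short
# domain, $3 = AD group) under exactly the name PBIS uses, e.g. "(AD\3^tech)".
user_in_group() {
    wanted="$2\\$(pbis_group_name "$3")"
    printf '%s\n' "$1" | grep -q -F "($wanted)"
}

# Constructed sample of what `id` prints for an AD user (not real output).
SAMPLE_ID='uid=1934817253(AD\hero) gid=1934812289(AD\domain^users) groups=1934812289(AD\domain^users),1934812345(AD\3^tech)'

# Only emit config lines when id really reports the group in that spelling.
if user_in_group "$SAMPLE_ID" AD '3 tech'; then
    sudoers_group_line AD '3 tech'
    polkit_admin_line AD '3 tech'
else
    echo 'group not present in id output; check the group name first' >&2
fi
```

On a joined machine, replace SAMPLE_ID with the real output of `id` for the AD user before trusting the generated lines.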
Sources
- AD domain join and login: http://www.kiloroot.com/add-ubuntu-14-04-lts-server-to-a-windows-active-directory-domain-fullest-integration/
- First user password fix: http://www.ossramblings.com/ubuntu-with-ldap-user-root-password-issue