HOWTO: Active Directory Authentication

[Kileli]

Ok guys Few Question i have been struggling to get my Linux machine connected to my Domain for about a week now. i tried following this HOW TO: but to no success the only way i seam to be able to get it to join is to use LIKEWISE. Only i still cannot see the share drives on the windows server.what is the difference between likewise and this how to: i really want to make this work. also i was thinking about building a Linux server that would also communicate with the windows server. is that even possible.
i have to admit i am the definition of a noob in the Linux world but i catch on quick any help would be most appreciated. i have to learn as much as i can as fast as i can so i will be able to support several machines at work.

[caaron]

Everything worked but joining my system to the domain

here is the error I get

Using short domain name -- DOMAIN
Deleted account for 'WORKSTATION' in realm 'DOMAIN.LOCAL'
Failed to join domain: Type or value exists

Any ideas?

[gab]

This HowTo was what I needed to get AD integration of my Linux boxes up and running, thanks!

My "problem" is more or less a curyosyty. I have a lockal user whit the same loginname as one of the AD users. The local user has $HOME=/home/<login> and the AD user has $HOME=/home/AD/<login>. When I tyr to login, I punch login and the password and get loged in and the $HOME is /home/<login>. It does not mather if i use the password to the lockal or the AD user, I end up in /home/<login>.

Is there anybody that has any idea of how to conf pam (I thinck pam is the key) so that I get the right $HOME.

[whitenight639]

This How to is using ubuntu server, im a noob with regards to networking and AD but at work we have 20 odd low spec laptops that arn't capable of running XP can we use ubuntu to connect to AD, if so can we use the normal desktop edition or do we need to use ubuntu server?

comments would be appreciated!

[dboot]

Can anyone help me with these errors?

Code:

[root home]# kinit DOMAINADMIN@DOMAIN.COM
Password for DOMAINADMIN@DOMAIN.COM: 
[root home]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: DOMAINADMIN@DOMAIN.COM

Valid starting     Expires            Service principal
09/10/08 02:27:10  09/10/08 03:07:10  krbtgt/DOMAIN.COM@DOMAIN.COM


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[root home]# net ads join -U DOMAINADMIN@DOMAIN.COM
DOMAINADMIN@DOMAIN.COM's password: 
Failed to join domain!
[root home]# net ads info
LDAP server: 192.168.1.5
LDAP server name: windowserver.domain.com
Realm: DOMAIN.COM
Bind Path: dc=DOMAIN,dc=COM
LDAP port: 389
Server time: Wed, 10 Sep 2008 02:26:45 EDT
KDC server: 192.168.1.5
Server time offset: -69

Thanks for any suggestions!

[MrFrame]

Hi,

I applied the provided setup about 10 months ago successfully. Thanks for that.
Meanwhile a new request arised, which I currently don't know how to address:
A dedicated AD User account should be setup to inherit root privileges in order to "clean up" user shares, i.e. delete files and directories.
I tried alread to add "write list" with the acccount's name to the smb.conf [global] and [homes] sections, but w/o any luck.

Any ideas on how to set this up?

Thanks.

[DouglasK]

I've followed through the howto and am having good success on Ubuntu 8.10 (Intrepid Ibex, I think) until the "net ads join" stage. I'm getting my ticket fine:

Code:

$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: myusername@MYSUBDOMAIN.MYDOMAIN.ICS

Valid starting     Expires            Service principal
11/06/08 13:01:01  11/06/08 19:41:01  krbtgt/MYSUBDOMAIN.MYDOMAIN.ICS@MYSUBDOMAIN.MYDOMAIN.ICS


Kerberos 4 ticket cache: /tmp/tkt1000
klist: You have no tickets cached

But when I perform the net ads join, I get the following (with debug enabled):

Code:

$ net ads join -U myusername@MYSUBDOMAIN.MYDOMAIN.ICS -d1
Enter myusername@MYSUBDOMAIN.MYDOMAIN.ICS's password:
[2008/11/06 13:01:18,  1] libnet/libnet_join.c:libnet_Join(1770)
  libnet_Join:
      libnet_JoinCtx: struct libnet_JoinCtx
          in: struct libnet_JoinCtx
              dc_name                  : NULL
              machine_name             : 'MYHOSTNAME'
              domain_name              : *
                  domain_name              : 'MYSUBDOMAIN.MYDOMAIN.ICS'
              account_ou               : NULL
              admin_account            : 'myusername@MYSUBDOMAIN.MYDOMAIN.ICS'
              admin_password           : *
              machine_password         : NULL
              join_flags               : 0x00000023 (35)
                     0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
                     0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
                     0: WKSSVC_JOIN_FLAGS_DEFER_SPN
                     0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
                     0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
                     1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
                     0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
                     0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
                     1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
                     1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
              os_version               : NULL
              os_name                  : NULL
              create_upn               : 0x00 (0)
              upn                      : NULL
              modify_config            : 0x00 (0)
              ads                      : NULL
              debug                    : 0x01 (1)
              secure_channel_type      : SEC_CHAN_WKSTA (2)
[2008/11/06 13:01:19,  1] libnet/libnet_join.c:libnet_Join(1801)
  libnet_Join:
      libnet_JoinCtx: struct libnet_JoinCtx
          out: struct libnet_JoinCtx
              account_name             : NULL
              netbios_domain_name      : NULL
              dns_domain_name          : NULL
              dn                       : NULL
              domain_sid               : NULL
                  domain_sid               : (NULL SID)
              modified_config          : 0x00 (0)
              error_string             : 'failed to find DC for domain MYSUBDOMAIN.MYDOMAIN.ICS'
              domain_is_ad             : 0x00 (0)
              result                   : WERR_DOMAIN_CONTROLLER_NOT_FOUND
Failed to join domain: failed to find DC for domain MYSUBDOMAIN.MYDOMAIN.ICS

I can ping the DC machine by hostname without issue, fwiw. Any thoughts on how to work around this?

~~Douglas K

[innovate2000]

Has anyone found a resolution? I am using Intrepid Ibex and have the same experience that DouglasK has. I've been working this for several days trying this and that but am at my wits end. ANy help appreciated (please post here for others who are in the same boat). Thanks

[Rudy507]

I'd like to put a link to this thread in here because it has to do with my question:
http://ubuntuforums.org/showthread.php?t=897860.

I didn't exactly follow the instructions that started this thread to join my Ubuntu box to a Windows Active Directory DOMAIN (instead, I followed these).

I am wondering how to map to a user's network drive (i.e. smb://DOMAIN/username$) so THAT is the user's Home location (instead of the default user/home).

I also need to set permissions so that the AD users don't have access to even read the root directory (or other people's stuff), install anything, etc... Would this be done by adding a Active Directory's group to Ubuntu, and setting that group's permissions while logged in as root or Super User?

[Daga]

Has anyone found a resolution? I am using Intrepid Ibex and have the same experience that DouglasK has. I've been working this for several days trying this and that but am at my wits end. ANy help appreciated (please post here for others who are in the same boat). Thanks

It seems the Russians are pretty smart:

http://forum.ubuntu.ru/index.php?topic=10062.msg308220

(For the benefit of those of you who don't want to run to Google translate and can't understand Russian: ) It looks like you can join the domain without including '@MYSUBDOMAIN.MYDOMAIN.ICS' on the "net ads join" command.

Woohoo!