In this tutorial, I will be walking through how to join an Ubuntu 14.04 LTS Server to a Windows Active Directory Domain. Furthermore, we will be adding a new domain group to the "sudoers" group on the box so that our Domain Admins will automatically have the ability to use sudo to administer your Ubuntu Servers as needed.
Additionally, we will also be making it easy for them to login (no appending of the domain onto their user account name) and giving them the more user-friendly BASH shell, rather than the default SH.
All commands reference the fictional domain "CONTOSO.COM" to make the syntax easier to understand. The Domain Controller (DC) for the domain will be at "192.168.0.100". The domain controller is assumed to be running DNS services as this is tightly integrated with Active Directory. The name of the domain admin in the Windows domain is "admin"
This guide assumes the following:
2. You are running Ubuntu 13.10 or above on your server (I am working on a 14.04 LTS release). This may work on older versions.
3. You are at least a domain admin or can instruct someone who is to make some domain changes.
4. You have full root privileges on the Ubuntu server
Ahead of time….
1. Install Ubuntu Server and name it appropriately. If you want your server to ultimately be found at linuxserver05.contoso.com then you would edit your /etc/hostname file to read "linuxserver05″ (without the quotes).
2. Set a static IP address on your Linux server. As part of the config be sure to specify the following lines (in etc/network/interfaces):
dns-nameservers 192.168.0.100 ##the IP address of your domain controller
Okay, let's go!
We are going to be using a software package called "Power Broker Identity Services, Open Edition" to simplify life. The download packages for this service can be found here: http://download1.beyondtrust.com/Technical-Support/Downloads/PowerBroker-Identity-Services-Open-Edition/?Pass=True
So the first thing to do is to log in, elevate your privileges, and use wget to pull the latest package file down:
Next, we need to install the package
bash pbis-open-8.0.0.2016.linux.x86_64.deb.sh
shutdown now -r
"No" you do not need "legacy links"
The last command reboots your box. Once it comes back up, login and elevate your privileges, then we are going to join the domain and reboot again…
Once the box comes back up again, elevate your privileges and then configure several more things…
/opt/pbis/bin/config UserDomainPrefix magur
/opt/pbis/bin/config AssumeDefaultDomain true
/opt/pbis/bin/config LoginShellTemplate /bin/bash
/opt/pbis/bin/update-dns
/opt/pbis/bin/ad-cache --delete-all
Now, there is also a small bug in PAM (an authentication module used by PBIS). We need to modify a config file. You can do this via the following:
Find the line that says "session sufficient pam_lsass.so" and change it to read this:
————–OKAY – JUMP OVER TO YOUR WINDOWS DOMAIN CONTROLLER AND LOGIN AS A DOMAIN ADMIN——–
Do the following:
1. Create a new global security group called "LinuxAdmins" (without the quotes)
2. Add the built-in "Domain Admins" group to the newly created "LinuxAdmins" group
—————BACK TO YOUR UBUNTU BOX——————
We need to edit the "sudoers" file which is done via VISUDO. NANO is the default text editor. If you want to change to something else (I prefer "vim") use the following command:
Once you have chosen a text editor you prefer, launch VISUDO
Append this new line to the bottom of the file:
Save and close… reboot the box one more time and then attempt a login with your domain admin credentials.
EDIT: I had some trouble with the syntax on the very last step for adding the AD group to the sudoers file. Here is what helped. Log in as a domain user in the Linuxadmins group. Then run this command and examine the output:
You should see that your user is a member of the "LinuxAdmins" group or a member of the "contoso\linuxadmins" group. If you followed the above tutorial it should be the former and the syntax now provided in the tutorial for adding the group to the sudoers file should work.
This is because we ran this command earlier:
Which means the system assumes the "contoso\" in front of all usernames and group names. If when you run the "id" command it is showing your domain name in front of the group name. Your sudoer line will need to look like this:
Notice the double "\\" – it is necessary (not a typo) however I am not going to go into why.
REFERENCES:
http://notesonit.blogspot.com/2013/03/howto-powerbroker-identity-services.html
http://askubuntu.com/questions/452904/likewise-open-14-04-other-easy-way-to-connect-ad
http://askubuntu.com/questions/363869/powerbroker-likewise-open-ubuntu-13-04-13-10-upgrade?rq=1
http://ubuntuforums.org/showthread.php?t=766763
https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto
http://www.cyberciti.biz/faq/ubuntu-add-user-to-group/
--
No comments:
Post a Comment