Here I will explain a solution that worked for me to configure an Ubuntu workstation to authenticate with an Active Directory domain. The workstation was able to browse domain resources (i.e., the filesystem) without having to log in again, and it pulled the AD group information from the domain controller. A process was used to map certain groups to Linux (Ubuntu) groups; however, extensive verification of the results could not be performed.
If you're using a VMware client, you must set a static MAC address; don't allow your VM software to update the MAC address automatically.
Set up your network
First, set a static IP address and configure DNS to point to your domain controllers (or any other DNS server you may have). This allows you to reach Windows computers by their short names. You must also fill in Search Domains with your domain name.
Notice that I used “mydomain.local”. This causes a stupid issue with mDNS that will need to be adjusted. If you use something like “mydomain.com”, you shouldn't need the next step.
Modify nsswitch.conf (fix the .local mDNS issue)
Open the file /etc/nsswitch.conf by starting your terminal (Applications >> Accessories >> Terminal) and typing:
sudo gedit /etc/nsswitch.conf
Modify the line that reads:
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
Change it to:
hosts: files dns mdns4_minimal mdns4
With dns ahead of mdns4_minimal, lookups for the .local domain reach your DNS servers, which should allow a program called Likewise-open to authenticate with Active Directory and create a computer account.
Now, in the terminal, type:
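To check whether a machine still has the stock ordering on its hosts: line (where mdns4_minimal [NOTFOUND=return] answers for .local names before dns is ever consulted) and to print the corrected line, here is an added shell example that is not part of the original post; the function names are my own, and the demo at the bottom runs on a constructed copy of the stock line rather than the real /etc/nsswitch.conf:

```shell
# Added example, not from the original post. Checks whether the hosts: line of an
# nsswitch.conf lets mdns4_minimal [NOTFOUND=return] short-circuit lookups before
# dns is consulted (what breaks resolution of a .local AD domain) and prints the
# corrected line from the post. Function names are my own.

nss_hosts_line() {
    # Active hosts: line, comments stripped, first match only.
    sed -n 's/#.*//; /^[[:space:]]*hosts:/p' "$1" | head -n 1
}

nss_source_pos() {
    # 1-based position of source $2 among the words of line $1 (empty if absent).
    printf '%s\n' "$1" | tr ' \t' '\n\n' | grep -n "^$2\$" | cut -d: -f1 | head -n 1
}

nss_hosts_order_ok() {
    # 0 if dns is consulted before mdns4_minimal (or mDNS is absent), 1 otherwise,
    # 2 if the file has no hosts: line at all.
    line=$(nss_hosts_line "$1")
    [ -n "$line" ] || return 2
    dns_pos=$(nss_source_pos "$line" dns)
    mdns_pos=$(nss_source_pos "$line" mdns4_minimal)
    [ -n "$dns_pos" ] || return 1
    [ -z "$mdns_pos" ] && return 0
    [ "$dns_pos" -lt "$mdns_pos" ]
}

nss_fix_hosts_line() {
    # Same file contents with the hosts: line replaced by the ordering from the post.
    sed 's/^[[:space:]]*hosts:.*/hosts: files dns mdns4_minimal mdns4/' "$1"
}

# Stand-alone demo on a constructed copy of the stock Ubuntu line (not a real system file).
demo=$(mktemp)
printf 'hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4\n' > "$demo"
if nss_hosts_order_ok "$demo"; then
    echo "hosts: order is fine"
else
    echo "hosts: mdns4_minimal answers before dns; corrected line:"
    nss_fix_hosts_line "$demo"
fi
rm -f "$demo"
```

Run the functions against /etc/nsswitch.conf itself to check a real machine; the fix function only prints, so redirect its output into the file yourself once you have reviewed it.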
sudo apt-get install likewise-open5 likewise-open5-gui
You can also use Synaptic and search for “likewise”. You’ll notice a likewise-open and also likewise-open5. They both seem to work. I have installed likewise-open5 and likewise-open5-gui.
Join the domain
Once those are installed you can configure Likewise-open by going to System >> Administration >> Active Directory membership. Likewise-open will ask you for a username and password. This user must have privileges to join a computer to the domain.
You can also use the command line to join the computer to the domain:
sudo domainjoin-cli join mydomain.local Administrator
You will then be asked to restart the computer. After the restart, use the Other User login option.
Type in “mydomain\username”, where “mydomain” is the short name for your domain and “username” is a domain user account. If all of the steps above worked, you should be authenticated and logged into Ubuntu. You might get an Authentication Failure notice; this is usually due to one of the network settings above being wrong or the username being mistyped.
When you’ve verified that the account can log in you can log out and return to your normal Ubuntu account. A few more optional steps can be used to complete the process.
Edit your sudoers file by opening up a terminal window and typing
A vi-style editor will open and allow you to edit the sudoers configuration. Under the %admin line, add the following:
%MYDOMAIN\\Domain^Admins ALL=(ALL) ALL
Make MYDOMAIN whatever your short domain name is (don’t make it MYDOMAIN.LOCAL).
Add users to the login screen
Most domains won't want this, but you might like it for a kiosk or a demo computer. With domain logins you have to type “mydomain\username” using the Other User login option. This can be too many steps for some people, so it may be necessary to add a single-click option for their username. The end result will look like the following image.
Log in as your domain user and open the terminal. Type “id” in the terminal window to view your UID and GID information. It will look something like:
DOMAIN\username@ubuntu-client:~$ id
uid=1234567889(username) ....
We only really care about the uid at this point. Write it down, log out of this user, and log back into the normal Ubuntu user account.
You will need to edit your /etc/passwd file. Open a terminal window and type the following command:
sudo gedit /etc/passwd
Make a new line at the bottom and duplicate the following information with the numbers that you wrote down:
The group id (0) is admin, to help make this person a local admin, but you should be able to use the uid in its place if you don't want to use the admin group. It should look like this in that case:
Now you can log out of the local Ubuntu user's account and see the updated login screen. The domain user or kiosk user can click on the big button and type in the password for the account.