
Likewise Open simplifies the configuration needed to authenticate a Linux machine to an Active Directory domain. Based on winbind, the likewise-open package takes the pain out of integrating Kubuntu authentication into an existing Windows network.
There are two ways to use Likewise Open: the likewise-open command line utility and likewise-open-gui. This section focuses on the command line utility.
To install the likewise-open package, open a terminal prompt and enter:
sudo apt-get install likewise-open
Starting with Kubuntu 9.04, Likewise Open 5.0 is available in the Universe repository. However, since upgrading from Likewise Open 4.1 currently requires the system to leave the domain and re-join, a separate package for version five was created.
To install Likewise Open 5.0 enter:
sudo apt-get install likewise-open5
Warning
Installing likewise-open5 over an existing likewise-open (4.1) installation will replace it. The domain will have to be rejoined after install.
The main executable file of the likewise-open package is /usr/bin/domainjoin-cli, which is used to join a computer to the domain. Before joining a domain, the following are needed:
Access to an Active Directory user with appropriate rights to join the domain.
The Fully Qualified Domain Name (FQDN) of the domain being joined. If the AD domain does not match a valid domain such as example.com, it is likely that it is in the form of domainname.local.
DNS for the domain set up properly. In a production AD environment, this is typically the case. Proper Microsoft DNS is needed so that client workstations can determine that the Active Directory domain is available.
If there is not a Windows DNS server on the network, see the section called “Microsoft DNS” for details.
To join a domain, from a terminal prompt enter:
sudo domainjoin-cli join example.com Administrator
Note
Replace example.com with the proper domain name, and Administrator with the appropriate user name.
There will be a prompt for the user's password. If all goes well, a SUCCESS message should be printed to the console.
Note
After joining the domain, it is necessary to reboot before attempting to authenticate against the domain.
After successfully joining a Kubuntu machine to an Active Directory domain, any valid AD user can be used to authenticate. To log in, the user name must be entered as 'domain\username'. For example, to ssh to a server joined to the domain, enter:
ssh 'example\steve'@hostname
Note
If configuring a Desktop, the user name will need to be prefixed with domain\ in the graphical logon as well.
To make likewise-open use a default domain, the following statement can be added to /etc/samba/lwiauthd.conf:
winbind use default domain = yes
Then restart the likewise-open daemons:
sudo /etc/init.d/likewise-open restart
Note
Once configured for a default domain, the 'domain\' prefix is no longer required. Users can log in using only their username.
The domainjoin-cli utility can also be used to leave the domain. From a terminal:
sudo domainjoin-cli leave
The likewise-open package comes with a few other utilities that may be useful for gathering information about the Active Directory environment. These utilities are used to join the machine to the domain, and are the same as those available in the samba-common and winbind packages:
lwinet: Returns information about the network and the domain.
lwimsg: Allows interaction with the likewise-winbindd daemon.
lwiinfo: Displays information about various parts of the Domain.
Please refer to each utility's man page for specific details.
If the client has trouble joining the domain, check that the Microsoft DNS is listed first in /etc/resolv.conf. For example:
nameserver 192.168.0.1
For more information when joining a domain, use the --loglevel verbose or --advanced option of the domainjoin-cli utility:
sudo domainjoin-cli --loglevel verbose join example.com Administrator
If an Active Directory user has trouble logging in, check /var/log/auth.log for details.
When joining a Kubuntu Desktop workstation to a domain, it may be necessary to edit /etc/nsswitch.conf if the AD domain uses the .local syntax. In order to join the domain, the "mdns4" entry should be removed from the hosts option. For example:
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
Change the above to:
hosts: files dns [NOTFOUND=return]
Then restart networking by entering:
sudo /etc/init.d/networking restart
It should now be possible to join the Active Directory domain.
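The two join-time checks described above (the Microsoft DNS server listed first in /etc/resolv.conf, and no mdns4 source on the nsswitch.conf hosts line for a .local domain) as a small pre-flight script. This is an added example, not part of the Likewise Open documentation; the function names and the sample file contents are constructed.

```sh
#!/bin/sh
# Added example, not from the Likewise Open documentation: pre-flight checks for the
# two join problems described above. Each function takes file CONTENTS as an argument
# so the same logic runs against the constructed samples here or against the live
# files, e.g.  ad_dns_is_first "$(cat /etc/resolv.conf)" 192.168.0.1
# Succeeds when the first nameserver listed is the expected Microsoft DNS server.
ad_dns_is_first() {
    resolv_conf="$1"; ad_dns="$2"
    first=$(printf '%s\n' "$resolv_conf" | awk '$1 == "nameserver" { print $2; exit }')
    [ "$first" = "$ad_dns" ]
}

# Succeeds when the nsswitch.conf 'hosts:' line still contains an mdns4 source. This only
# matters when the AD domain ends in .local, which multicast DNS otherwise claims for itself.
hosts_uses_mdns4() {
    printf '%s\n' "$1" | awk '
        $1 == "hosts:" { for (i = 2; i <= NF; i++) if ($i ~ /^mdns4/) found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# Prints the 'hosts:' line with every mdns4* source removed, together with the
# [ACTION] token bound to it. With dns as the last source this is equivalent to the
# guide's corrected line "hosts: files dns [NOTFOUND=return]".
fixed_hosts_line() {
    printf '%s\n' "$1" | awk '
        $1 == "hosts:" {
            out = "hosts:"; skip = 0
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^mdns4/) { skip = 1; continue }
                if (skip && $i ~ /^\[/) { skip = 0; continue }
                skip = 0; out = out " " $i
            }
            print out; exit
        }'
}

# Constructed samples standing in for /etc/resolv.conf and /etc/nsswitch.conf.
SAMPLE_RESOLV='nameserver 192.168.0.1
nameserver 10.0.0.53'
SAMPLE_NSSWITCH='passwd: compat
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
networks: files'
if ad_dns_is_first "$SAMPLE_RESOLV" 192.168.0.1; then
    echo "ok: Microsoft DNS is the first nameserver"
else
    echo "fix: list the Microsoft DNS server first in /etc/resolv.conf"
fi
if hosts_uses_mdns4 "$SAMPLE_NSSWITCH"; then
    echo "fix: change the hosts line to: $(fixed_hosts_line "$SAMPLE_NSSWITCH")"
fi
```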
The following are instructions for installing DNS on an Active Directory domain controller running Windows Server 2003, but the instructions should be similar for other versions:
Click ->->. This will open the Server Role Management utility.
Click Add or remove a role
Click Next
Select "DNS Server"
Click Next
Click Next again to proceed
Select "Create a forward lookup zone" if it is not selected.
Click Next
Make sure "This server maintains the zone" is selected and click Next.
Enter the domain name and click Next
Click Next to "Allow only secure dynamic updates"
Enter the IP for DNS servers to forward queries to, or select "No, it should not forward queries" and click Next.
Click Finish
Click Finish
DNS is now installed and can be further configured using the Microsoft Management Console DNS snap-in.
Next, configure the server to handle DNS queries itself:
Click Start
Control Panel
Network Connections
Right Click "Local Area Connection"
Click Properties
Double click "Internet Protocol (TCP/IP)"
Enter the Server's IP Address as the "Preferred DNS server"
Click Ok
Click Ok again to save the settings.
Please refer to the Likewise home page for more information.
For more domainjoin-cli options see the man page: man domainjoin-cli.