virtual grind thoughts from the virtual world


Using Likewise To Integrate Ubuntu Into Active Directory

Just thought I would share a quick post on adding your Ubuntu servers to Active Directory. Using Active Directory for centralized and distributed management of computers and users is a common practice. Allowing Linux machines to interact with the Active Directory extends this functionality into the Linux world, allowing administrators to use things like security groups and permissions for easy access.

Fortunately, in today's times, this process is a lot easier than it was years ago with the use of Likewise. To install Likewise, simply add the package via apt:

sudo apt-get install likewise-open

Once the package is installed, you have to join your Ubuntu installation to the Active Directory:

sudo domainjoin-cli join virtualgrind.local Administrator

In the above line, you are joining an Active Directory domain named "virtualgrind.local" with the user "Administrator". Substitute your own domain name, and if you do not use the Administrator account, an account that has permission to join computers to the domain.

Once you enter the domainjoin-cli command, you will be prompted for the Active Directory account's password that was specified. If all goes well, you will see a "SUCCESS" message. You will also see the Ubuntu machine added as a computer in your Active Directory.
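As an added example (my own wrapper, not code from the post or from the Likewise project), here is a small POSIX shell script around the install and join steps above that only joins when the host is not already a member of the requested domain and checks the result afterwards. It assumes that `domainjoin-cli query` prints a `Domain = <name>` line, empty when the host is not joined; the post does not show that output, so the parser takes the text as an argument and can be exercised against constructed input.

```shell
#!/bin/sh
# Added example, not code from the post: an idempotent wrapper around the
# install-and-join steps. Assumed (not stated in the post): `domainjoin-cli
# query` prints a "Domain = <name>" line, empty when the host is not joined.

# Pull the joined domain out of `domainjoin-cli query` output. Takes the text
# as an argument so it can be exercised without a Likewise installation.
lw_parse_joined_domain() {
    printf '%s\n' "$1" | sed -n 's/^Domain[[:space:]]*=[[:space:]]*//p' | head -n 1
}

# Reject obviously wrong domain names before they reach domainjoin-cli:
# DNS labels separated by at least one dot, e.g. virtualgrind.local.
lw_valid_domain() {
    if printf '%s' "$1" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$'; then
        return 0
    fi
    return 1
}

lw_lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Install Likewise if it is missing and join once; re-running on a host that is
# already a member of the requested domain does nothing.
lw_join() {
    domain="$1"; joinuser="${2:-Administrator}"
    lw_valid_domain "$domain" || { echo "invalid domain name: $domain" >&2; return 2; }
    command -v domainjoin-cli >/dev/null 2>&1 || sudo apt-get install -y likewise-open
    current="$(lw_parse_joined_domain "$(sudo domainjoin-cli query 2>/dev/null || true)")"
    if [ -n "$current" ]; then
        if [ "$(lw_lower "$current")" = "$(lw_lower "$domain")" ]; then
            echo "already joined to $current"; return 0
        fi
        echo "host is joined to $current, not $domain; run 'domainjoin-cli leave' first" >&2
        return 3
    fi
    sudo domainjoin-cli join "$domain" "$joinuser"
    # Confirm the join actually took before reporting success.
    [ "$(lw_lower "$(lw_parse_joined_domain "$(sudo domainjoin-cli query)")")" = "$(lw_lower "$domain")" ] \
        || { echo "join reported success but query does not show $domain" >&2; return 4; }
    echo "joined $domain as $(hostname)"
}

# Usage on a real host (uncomment):
# lw_join virtualgrind.local Administrator
```

The domain check is deliberately strict about the name rather than the credentials: a typo in the domain still prompts for a password and then fails on DNS, so catching it before `domainjoin-cli` runs saves a confusing round trip.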

At this point, any Active Directory account will be able to ssh into the server. You can test this by creating a ssh session to the machine with an Active Directory account:

ssh virtualgrind\\johndoe@ubuntu-server
ssh 'virtualgrind\johndoe'@ubuntu-server

In the above example, you are providing the standard UNC naming convention as the username for your ssh connection, or DOMAINNAME\USERNAME (the first form escapes the backslash, the second quotes it, so the shell passes a single backslash either way). In this particular example, the domain name is "VIRTUALGRIND" and the user name is "johndoe". Also note that the hostname in this example is "ubuntu-server"; the IP address of the server works just as well.

To limit the groups of users that are able to ssh into the server, you will then need to use the "lwregshell" command:

sudo lwregshell set_value '[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory\]' RequireMembershipOf "virtualgrind\\SSH^Users" "virtualgrind\\Linux_Admins"

...then, to apply the changes and restart the service:

sudo lwsm refresh lsass

In this example, the lwregshell command requires that ssh users are members of the Active Directory group "SSH Users" or "Linux_Admins". I included two groups to show both ways of dealing with spaces in a group name: escaping each space with a caret (SSH^Users), or avoiding spaces altogether by using something like an underscore in your Active Directory group names.

Finally, if any of the users that are accessing the system from Active Directory need to use the sudo command, you will also need to provide the UNC style name to the sudoers file:


In this example, we are adding a line to /etc/sudoers with the UNC name of the domain and group. For this instance, we are allowing the "Linux_Admins" group from the domain "VIRTUALGRIND" full sudo access. Remember to edit the file with the visudo command rather than a plain editor such as pico or vi, so that a syntax error is caught before it locks you out of sudo.
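As an added example covering both the lwregshell step and the sudoers step (my own helpers, not code from the post or from Likewise), the script below builds the RequireMembershipOf value and the sudoers entry from plain group names, so the caret escaping for spaces is done for you, and writes the sudoers entry only through visudo's syntax check. The registry key path and the caret convention are copied from the post's own command; the `%DOMAIN\\Group ALL=(ALL) ALL` line, with the backslash doubled for sudoers, is the form I assume the post's elided sudoers line takes, and the drop-in path under /etc/sudoers.d is my choice rather than the post's.

```shell
#!/bin/sh
# Added example, not code from the post: build the RequireMembershipOf value
# and a sudoers entry from plain group names. Assumed: the caret escape for
# spaces and the DOMAIN\Group form from the post's lwregshell command, and the
# %DOMAIN\\Group sudoers form (backslash doubled inside the file).

LW_AD_KEY='[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory\]'

# DOMAIN "Group Name" -> DOMAIN\Group^Name, the value lwregshell receives
# (the post's "virtualgrind\\SSH^Users" in double quotes is the same thing).
lw_name() {
    printf '%s\\%s\n' "$1" "$(printf '%s' "$2" | tr ' ' '^')"
}

# Print the lwregshell command that restricts logins to the given groups, so
# it can be reviewed before being run (eval it, or paste it, on the real host).
lw_require_membership_cmd() {
    domain="$1"; shift
    cmd="sudo lwregshell set_value '$LW_AD_KEY' RequireMembershipOf"
    for g in "$@"; do
        cmd="$cmd '$(lw_name "$domain" "$g")'"
    done
    printf '%s\n' "$cmd"
}

# Sudoers entry granting full sudo to one AD group. Group names with spaces
# are refused: use an underscore in AD, as the post recommends.
lw_sudoers_line() {
    case "$2" in
        *' '*) echo "use a group name without spaces (e.g. Linux_Admins)" >&2; return 1 ;;
    esac
    printf '%%%s\\\\%s ALL=(ALL) ALL\n' "$1" "$2"
}

# Write the entry to a drop-in and let visudo validate it; a rejected file is
# removed rather than left where sudo would read it. Drop-in names must not
# contain a dot, which the group-name check above already rules out for spaces
# but not dots, so keep AD group names simple.
lw_sudoers_install() {
    line="$(lw_sudoers_line "$1" "$2")" || return 1
    f="/etc/sudoers.d/ad-$2"
    printf '%s\n' "$line" | sudo tee "$f" >/dev/null
    sudo chmod 0440 "$f"
    if ! sudo visudo -c -f "$f" >/dev/null; then
        sudo rm -f "$f"
        echo "entry rejected by visudo, not installed" >&2
        return 1
    fi
}

# Usage on a real host (uncomment):
# eval "$(lw_require_membership_cmd virtualgrind 'SSH Users' Linux_Admins)" && sudo lwsm refresh lsass
# lw_sudoers_install VIRTUALGRIND Linux_Admins
```

Printing the lwregshell command instead of running it directly keeps the one change that decides who may log in visible in a shell history or change ticket, and the `visudo -c -f` check gives the drop-in the same protection the post asks for when editing /etc/sudoers by hand.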
