Friday, October 9, 2009

Joining Ubuntu to Windows Active Directory Domain

Over the years, I have joined Ubuntu to a Microsoft Domain in a couple different ways.  The first method I had tried was quite manual and described on Ubuntu's Community Documentation website.  The last 2-3 times, I have joined Ubuntu computers, I started using a new automated method provided by Likewise Open.

I found some likewise-open documentation for the older version of Ubuntu 8.04.  Since the process is automated, the documentation hasn't changed much.  However, one of the features of the manual process was allowing users to connect to the samba server on my Ubuntu machine.  I had to piece together how to get this to also work.  Maybe there will be a modification to likewise-open5 eventually that will include some automation with this.

=== to be continued ===

http://likewise.com/resources/user_documentation/Likewise-Samba-Guide-5.pdf
1. Create a directory named ‘idmap’ under /usr/lib/samba, if
necessary (/usr/lib64/samba for 64-bit servers). Create a
symbolic link from /usr/lib/samba/idmap/lwicompat_v2.so to
point to /opt/likewise/lib/lwicompat_v2.so. Repeat for
lwicompat_v3 and lwicompat_v4.
# cd /usr/lib/samba
# mkdir idmap
# cd idmap
# ln -s /opt/likewise/lib/lwicompat_v2.so /usr/lib/samba/idmap/lwicompat_v2.so
# ln -s /opt/likewise/lib/lwicompat_v3.so /usr/lib/samba/idmap/lwicompat_v3.so
# ln -s /opt/likewise/lib/lwicompat_v4.so /usr/lib/samba/idmap/lwicompat_v4.so
On a 64-bit server, the path is slightly different:
# cd /usr/lib64/samba
# mkdir idmap
# cd idmap
# ln –s /opt/likewise/lib64/lwicompat_v2.so /usr/lib64/samba/idmap/lwicompat_v2.so
# ln –s /opt/likewise/lib64/lwicompat_v3.so /usr/lib64/samba/idmap/lwicompat_v3.so
# ln –s /opt/likewise/lib64/lwicompat_v4.so /usr/lib64/samba/idmap/lwicompat_v4.so

2. Confirm the version of Samba that you have installed and edit the
Samba configuration file accordingly.
# smbd –V
Version 3.0.26a-1478
Now that you know the version number, edit the Samba
configuration file /etc/samba/smb.conf to set the following
parameters to the listed values. If the parameters are not included
in the smb.conf file, add a new line for them in the [global]
section. Here are the compatability plugins to use by Samba
version:
lwicompat_v2 for Samba 3.0.0 - 3.0.22
6
Copyright © 2009 Likewise Software. All rights reserved. 3.16.2009.

Product Documentation
Likewise 5: Samba 3 Integration Guide
lwicompat_v3 for Samba 3.0.23 - 3.0.24
lwicompat_v4 for Samba 3.0.25 and later 3.0 releases.
Here is how to edit your smb.conf file for lwicompat_v2 or
lwicompat_v3:
security = ads
workgroup = <enter NETBIOS name from /opt/likewise/bin/lw-get-
status>
realm           = <enter realm from /etc/krb5.conf>
# idmap backend = lwicompat_v2
idmap backend = lwicompat_v3
idmap uid = 50-9999999999
idmap gid = 50-9999999999
The configuration for Samba 3.0.25 and later 3.0 releases is
different. Here is how to edit your smb.conf file for lwicompat_v4
for Samba version 3.0.25 and later 3.0 releases:
security = ads
workgroup = <enter NETBIOS name from /opt/likewise/bin/lw-get-
status>
realm           = <enter realm from /etc/krb5.conf>
idmap domains = ALL
idmap config ALL:backend = lwicompat_v4
idmap config ALL:default = yes
idmap config ALL:readonly = yes
3. Print out the machine account information by running the following
command as root to retrieve the machine account password from
the Likewise authentication system and provide it to the Samba
server’s authentication system:
/opt/likewise/bin/lw-dump-machine-acct <dns domain>
DomainSID                                     = S-1-5-21-aaaa-bbbbb-ccccc-ddddd
DomainName                                    = AD
Domain DNS Name                               = AD.PLAINJOE.ORG
HostName                                      = srv3
Machine Account Name                          = srv3$
Machine Account Password = EncryptedStringPassword
4. Set the domain SID in Samba's database by using the Samba net
command:
net setdomainsid S-1-5-21-aaaa-bbbbb-ccccc-ddddd
7
Copyright © 2009 Likewise Software. All rights reserved. 3.16.2009.

Product Documentation
Likewise 5: Samba 3 Integration Guide
5. Store the machine account password by using the net command.
You can copy the encrypted machine account password from the
output of the /opt/likewise/bin/lw-dump-machine-acct
<dns domain>  that you executed in a previous step.
Important: Your machine account password expires, according
to your default AD domain policy, after 40 days. Therefore, you
must repeat these steps every time your machine account
password expires. However, you can set up a cron job to
automate this operation, but doing so is beyond the scope of this
document.
net changesecretpw -f
Enter password: <EncryptedStringPassword>