This guide shows how to join a Lubuntu 16.04 machine to an Active Directory domain using PowerBroker Identity Services (PBIS) Open Edition.
AD Environment
*MS Windows Server 2016 Domain Name: corpnet.lab
*Domain admin username: administrator
*Domain user username: test1
Linux Environment
*Linux Platform: Lubuntu 16.04 x64
*Linux admin username: davidwa
 
[pre-requisite]
**Update Lubuntu
$ sudo apt update
$ sudo apt dist-upgrade
To launch the PBIS GUI, we need to install the following package.
$ sudo apt install libglade2-0
$ sudo apt install ssh
[Install PBIS software]
Download the latest stable pbis-open installer for your platform from GitHub: https://github.com/BeyondTrust/pbis-open/releases
In a terminal, switch to the download directory and make the installer executable:
$ cd ~/Downloads
$ sudo chmod +x pbis-open-***.linux.x86_64.deb.sh
Then run the installer to install the pbis-open package:
$ sudo ./pbis-open-***.linux.x86_64.deb.sh
[Use PBIS-Open Package to join the workstation to the Windows Domain]
After installation, a domain join dialog pops up. If it does not, run sudo /opt/pbis/bin/domainjoin-gui later to open the GUI-based domain join tool. (# 1)
When prompted for a password, supply the appropriate credentials. We will receive a "SUCCESS" prompt when the join finishes, and the FQDN is set automatically in the /etc/hosts file. (# 2)
On the Lubuntu/Ubuntu computer, we switch to the location of the domain join command-line utility and run the command that joins the current machine to an AD domain. (# 3)
$ cd /opt/pbis/bin/ 
$ sudo domainjoin-cli join "DomainFQDNName" "DomainAdminAccount"
or
$ sudo domainjoin-cli join "DomainFQDNName" "DomainAdminUPNAccount"
*where 
EXAMPLE:
$ sudo su
$ domainjoin-cli join corpnet.lab administrator
[Set-up default configuration for domain users]
Set the PBIS defaults for all domain users who will log on to the system.
$ sudo /opt/pbis/bin/config UserDomainPrefix LAB
$ sudo /opt/pbis/bin/config AssumeDefaultDomain true
$ sudo /opt/pbis/bin/config LoginShellTemplate /bin/bash
$ sudo /opt/pbis/bin/config HomeDirTemplate %H/%U
$ sudo /opt/pbis/bin/config RequireMembershipOf "LAB\\domain^users"
$ sudo /opt/pbis/bin/ad-cache --delete-all
$ sudo /opt/pbis/bin/update-dns
*where
LAB = Domain Name
domain^users = Domain Users Security Group
[Integrate with Samba]
If we want to use a Linux Samba server that is integrated with AD using PBIS, install Samba and run the PBIS Samba interop installer:
$ sudo apt install samba
$ sudo /opt/pbis/bin/samba-interop-install --install
[Disable local resolver]
Note that starting from Ubuntu 14.04, NetworkManager uses a local resolver (dnsmasq), which needs to be disabled.
$ sudo nano /etc/NetworkManager/NetworkManager.conf
Find the line that states the following: 
dns=dnsmasq
Replace it with: 
#dns=dnsmasq
[Configure PAM authentication]
From a terminal:
$ sudo nano /etc/pam.d/common-session
Find the line that states the following: 
session optional pam_lsass.so
Replace it with: 
session [success=ok default=ignore] pam_lsass.so
$ sudo pam-auth-update --force
In the dialog that appears, enable "Create home directory on login".
[Edit the lightdm configuration file]
For Ubuntu, edit the lightdm configuration file:
$ sudo nano /usr/share/lightdm/lightdm.conf.d/50-unity-greeter.conf
and append the following lines:
allow-guest=false 
greeter-show-manual-login=true
For Lubuntu, the lightdm configuration file to edit is:
$ sudo nano /usr/share/lightdm/lightdm.conf.d/60-lightdm-gtk-greeter.conf
and append the following lines:
allow-guest=false 
greeter-show-manual-login=true
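The three manual file edits above (NetworkManager, PAM, lightdm) written as repeatable shell functions. This is an added example, not part of the original post; the function names are made up for illustration, and each function takes the file path as an argument so it can be tried on a copy first.

```shell
#!/bin/sh
# Added example: repeatable versions of the three manual file edits above.
# Every function takes the file path as an argument, so it can be tried on
# a copy before touching the real file.

# Apply a sed expression to FILE in place, keeping its owner and mode.
sed_in_place() {   # usage: sed_in_place EXPR FILE
    tmp=$(mktemp) || return 1
    if sed "$1" "$2" > "$tmp"; then cat "$tmp" > "$2"; rc=$?; else rc=1; fi
    rm -f "$tmp"
    return "$rc"
}

# NetworkManager.conf: comment out dns=dnsmasq (no-op if already commented).
disable_nm_dnsmasq() {
    sed_in_place 's/^[[:space:]]*dns=dnsmasq[[:space:]]*$/#dns=dnsmasq/' "$1"
}

# common-session: rewrite the pam_lsass line to the form given in this guide.
fix_pam_lsass() {
    sed_in_place 's/^session[[:space:]]\{1,\}optional[[:space:]]\{1,\}pam_lsass\.so[[:space:]]*$/session [success=ok default=ignore] pam_lsass.so/' "$1"
}

# lightdm greeter file: set KEY=VALUE, replacing an existing KEY line
# instead of appending a duplicate.
set_greeter_option() {   # usage: set_greeter_option FILE KEY VALUE
    if grep -q "^$2=" "$1"; then
        sed_in_place "s/^$2=.*/$2=$3/" "$1"
    else
        printf '%s=%s\n' "$2" "$3" >> "$1"
    fi
}

# "apply" (as root) edits the real files named in this guide (Lubuntu paths).
if [ "${1:-}" = "apply" ]; then
    disable_nm_dnsmasq /etc/NetworkManager/NetworkManager.conf
    fix_pam_lsass /etc/pam.d/common-session
    greeter=/usr/share/lightdm/lightdm.conf.d/60-lightdm-gtk-greeter.conf
    set_greeter_option "$greeter" allow-guest false
    set_greeter_option "$greeter" greeter-show-manual-login true
else
    echo "functions loaded; run with 'apply' as root to edit the real files"
fi
```

Running an edit twice leaves the file unchanged the second time, so the script is safe to re-run after a package upgrade rewrites one of these files.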
[Add AD Domain user to sudoers file]
If we want to give domain users sudo privileges, we can add any domain users and/or groups to the sudoers file.
From a terminal, edit /etc/sudoers and add the following entries:
$ sudo nano /etc/sudoers
and append the following lines:
%"DomainName"\\"Domain Users Security Group" ALL=(ALL) ALL
EXAMPLE:
test1 ALL=(ALL:ALL) ALL
%LAB\\domain^users ALL=(ALL) ALL
Restart the computer:
$ sudo reboot
[Verify function]
**logon domain user
$ id "Domain Account"
or
$ id "Domain Name"\\"Domain Account" 
**Log in to the Linux account
$ su - "Domain Account"
At this point, we have confirmed that this Linux machine has successfully joined the AD domain.
Reference:
(# 1)   If "libglade2-0" has not been installed by running sudo apt install libglade2-0, we cannot launch the pbis-open GUI and will get an error message as follows:
(# 2)   If we want to join a Linux computer to the domain without changing the /etc/hosts file, we can run the following command:
# sudo su
# /opt/pbis/bin/domainjoin-cli join --disable hostname   
(# 3)   If we have not installed/enabled the SSH daemon, we may need to disable the ssh module when joining the AD domain.
$ sudo domainjoin-cli join --disable ssh "DomainFQDNName" "DomainAdminAccount"
or
$ sudo domainjoin-cli join --disable ssh "DomainFQDNName" "DomainAdminUPNAccount"
* For command usage, refer to http://manpages.ubuntu.com/manpages/precise/man8/domainjoin-cli.8.html
 
 