
Sunday, October 8, 2017

Lubuntu 16.04 -- How to Join Microsoft AD domain by using Power Broker Identity Service Open Edition.

In general, we know that a Linux platform joins a Microsoft AD domain by using the Samba package, but that process involves many steps. Is there an alternative package that can do the same job?
The following walkthrough shows how to join Lubuntu 16.04 to an Active Directory domain by using the Power Broker Identity Service Open Edition (PBIS Open).


AD Environment
*MS Windows Server 2016 Domain Name: corpnet.lab
*Domain admin username: administrator
*Domain user username: test1


Linux Environment
*Linux Platform: Lubuntu 16.04 x64
*Linux admin username: davidwa



[pre-requisite]
**Update Lubuntu
$ sudo apt update
$ sudo apt dist-upgrade

To launch the PBIS GUI, we need to install the following package.
$ sudo apt install libglade2-0

$ sudo apt install ssh


[Install PBIS software]
Download the latest stable pbis-open installer for your platform from GitHub at https://github.com/BeyondTrust/pbis-open/releases

In a terminal, switch to the download path with cd ~/Downloads and set the executable permission by running the sudo chmod +x pbis-open-***.linux.x86_64.deb.sh command

Install the pbis-open package by running the sudo ./pbis-open-***.linux.x86_64.deb.sh command


[Use PBIS-Open Package to join the workstation to the Windows Domain]
After installing, a domain join dialog will pop up. If it does not, enter the sudo /opt/pbis/bin/domainjoin-gui command later to open the GUI-based domain join tool. (# 1)

When prompted for a password, supply the appropriate credentials.

We will receive a "SUCCESS" prompt when finished, and the FQDN will be set automatically in the /etc/hosts file. (# 2)


On the Lubuntu/Ubuntu computer, switch to the location of the domain join command-line utility and run the command to join the current machine to the AD domain. (# 3)
$ cd /opt/pbis/bin/
$ sudo domainjoin-cli join "DomainFQDNName" "DomainAdminAccount"
or
$ sudo domainjoin-cli join "DomainFQDNName" "DomainAdminUPNAccount"

*where
"DomainFQDNName" = the FQDN of the Microsoft Active Directory domain, e.g. ad.com
"DomainAdminAccount" = a domain user with permission to join computers to the domain
"DomainAdminUPNAccount" = domainuser@domainFQDNname


EXAMPLE:
$ sudo su
# domainjoin-cli join corpnet.lab administrator


[Set-up default configuration for domain users]
Set the PBIS environment for all domain users that will log on to the system.
$ sudo /opt/pbis/bin/config UserDomainPrefix LAB
$ sudo /opt/pbis/bin/config AssumeDefaultDomain true
$ sudo /opt/pbis/bin/config LoginShellTemplate /bin/bash
$ sudo /opt/pbis/bin/config HomeDirTemplate %H/%U
$ sudo /opt/pbis/bin/config RequireMembershipOf "LAB\\domain^users"
$ sudo /opt/pbis/bin/ad-cache --delete-all
$ sudo /opt/pbis/bin/update-dns

*where
LAB = Domain Name
domain^users = Domain Users Security Group

[Integrate with Samba]
If we want to run a Linux Samba server that is integrated with AD through PBIS, install Samba and then the PBIS interop package:
$ sudo apt install samba

$ sudo /opt/pbis/bin/samba-interop-install --install


[Disable local resolver]
Note that starting from Ubuntu 14.04, NetworkManager runs a local resolver which needs to be disabled.
$ sudo nano /etc/NetworkManager/NetworkManager.conf
Find the line that states the following:
dns=dnsmasq
Replace it with:
#dns=dnsmasq


[Configure PAM authentication]
From a terminal:
$ sudo nano /etc/pam.d/common-session
Find the line that states the following:
session optional pam_lsass.so
Replace it with:
session [success=ok default=ignore] pam_lsass.so


$ sudo pam-auth-update --force

In the pam-auth-update menu, enable “Create home directory on login”.


[Edit the lightdm configuration file]
For Ubuntu, edit the lightdm configuration file
$ sudo nano /usr/share/lightdm/lightdm.conf.d/50-unity-greeter.conf
and append the following lines:
allow-guest=false
greeter-show-manual-login=true


For Lubuntu, the lightdm configuration file to edit is:
$ sudo nano /usr/share/lightdm/lightdm.conf.d/60-lightdm-gtk-greeter.conf
and append the following lines:
allow-guest=false
greeter-show-manual-login=true


[Add AD Domain user to sudoers file]
If we want to give domain users sudo privileges, we can add any domain users and/or groups to the sudoers file.
From a terminal, edit /etc/sudoers and add the following entries
$ sudo nano /etc/sudoers
and append the following lines:
"DomainUserAccount" ALL=(ALL:ALL) ALL
%"DomainName"\\"Domain Users Security Group" ALL=(ALL) ALL
EXAMPLE:
test1 ALL=(ALL:ALL) ALL
%LAB\\domain^users ALL=(ALL) ALL
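As an added example (not part of the original post), the same two sudoers entries generated from the AD names and installed as a syntax-checked drop-in under /etc/sudoers.d, so a typo cannot lock you out of sudo the way a bad edit of /etc/sudoers in nano can. It assumes PBIS's default name mapping (names lowercased, spaces replaced by ^), a hypothetical drop-in name pbis-domain, and that the install function runs as root.

```shell
#!/bin/sh
# Build sudoers entries for PBIS-mapped AD accounts and install them as a
# validated drop-in instead of editing /etc/sudoers in place.
# PBIS (default settings) exposes AD names lowercased with spaces replaced
# by '^', and sudoers needs the DOMAIN\group backslash written twice.

# pbis_group_name "Domain Users"  ->  domain^users
pbis_group_name() {
    printf '%s' "$1" | tr 'A-Z ' 'a-z^'
}

# pbis_sudoers_group_entry LAB "Domain Users"  ->  %LAB\\domain^users ALL=(ALL) ALL
pbis_sudoers_group_entry() {
    printf '%%%s\\\\%s ALL=(ALL) ALL\n' "$1" "$(pbis_group_name "$2")"
}

# pbis_sudoers_user_entry test1  ->  test1 ALL=(ALL:ALL) ALL
pbis_sudoers_user_entry() {
    printf '%s ALL=(ALL:ALL) ALL\n' "$1"
}

# Write both entries to a temp file, check the syntax with visudo, and only
# then install it with the 0440 mode sudo requires. Returns non-zero on failure.
# Drop-in name "pbis-domain" is a constructed example (no '.' or '~' allowed).
install_sudoers_dropin() {
    domain=$1; group=$2; user=$3
    tmp=$(mktemp) || return 1
    {
        pbis_sudoers_user_entry "$user"
        pbis_sudoers_group_entry "$domain" "$group"
    } > "$tmp"
    if ! visudo -cf "$tmp" >/dev/null; then
        echo "sudoers syntax check failed, not installing" >&2
        rm -f "$tmp"; return 1
    fi
    install -m 0440 -o root -g root "$tmp" /etc/sudoers.d/pbis-domain && rm -f "$tmp"
}

# Usage (as root): install_sudoers_dropin LAB "Domain Users" test1
```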

Restart the computer
$ sudo reboot


[Verify function]
**Log on as a domain user


$ id "Domain Account"
or
$ id "Domain Name"\\"Domain Account"


**Log in with a local Linux account and switch to a domain account

$ su - "Domain Account"


At this point we have confirmed that this Linux platform has successfully joined the AD domain.


Reference:
(# 1) If "libglade2-0" is not installed with sudo apt install libglade2-0, we cannot launch the pbis-open GUI and an error message is shown instead.

(# 2) If we want to join a Linux computer to the domain without changing the /etc/hosts file, run the join with the hostname module disabled:
$ sudo su
# /opt/pbis/bin/domainjoin-cli join --disable hostname "DomainFQDNName" "DomainAdminAccount"

(# 3) If the SSH daemon is not installed/enabled, we may need to disable the ssh module when joining the AD domain.
$ sudo domainjoin-cli join --disable ssh "DomainFQDNName" "DomainAdminAccount"
or
$ sudo domainjoin-cli join --disable ssh "DomainFQDNName" "DomainAdminUPNAccount"

* For command usage, refer to http://manpages.ubuntu.com/manpages/precise/man8/domainjoin-cli.8.html



Since 2010 Design by Davidwa
©Copyright Davidwa Inc. All rights reserved.