Linux and Active Directory

* See my newer post, it’s much better.

Getting Linux to work well with Active Directory (LDAP plus Kerberos) is a pain. Here is how I set it up to match what one typically finds in a corporate environment, that is, logging in with a domain account and having access to various shares.

Logging in
First is just getting login to work. It’s actually not that hard; I went with likewise-open, which can be installed on Ubuntu via
sudo apt-get install likewise-open
Now to configure it we run
sudo domainjoin-cli join yourdomain.yourserver.com Administrator
(with no password on the command line it prompts for the Administrator password). Assuming you only use one domain, you probably want to make it the default.

In 9.10 edit /etc/likewise-open5/lsassd.conf and set “assume-default-domain” to yes.

In 10.04 there is a bug that keeps this from working, see https://bugs.launchpad.net/ubuntu/+source/likewise-open/+bug/534629. Basically you need to install the ppa version and then change AssumeDefaultDomain to dword:00000001 in /etc/likewise-open/lsassd.reg.

Now if you reboot you should be able to log in via the domain user.

Shares
Now you need to mount the shares, perhaps a company-wide share and a personal one. Run
sudo apt-get install libpam-mount
Sadly the Ubuntu package doesn’t configure it right. Edit /etc/pam.d/common-session and rearrange the two lines near the bottom so they look like this
session optional pam_mount.so
session sufficient pam_lsass.so

Now it will work. The problem is that pam_lsass.so is marked sufficient: as soon as it succeeds PAM stops walking the session stack, so a pam_mount line listed after it is never reached for domain users. Putting pam_mount first fixes that. Also check that /etc/pam.d/common-auth has the matching “auth optional pam_mount.so” line (the Ubuntu package adds it); that is how pam_mount captures the password it hands to mount.cifs.
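The two configuration edits above (the assume-default-domain setting for either release, and the pam_mount/pam_lsass ordering) as an added shell example that is not from the original post. It is written so the functions take a file path and can be tried on copies before /etc; the exact line formats of lsassd.conf (ini style) and lsassd.reg (registry style) are assumptions based on the post, and the check for the PAM ordering encodes the rule that a “sufficient” module ends the stack on success.

```shell
#!/bin/bash
# Added example, not from the original post. File formats assumed from the post:
#   9.10   /etc/likewise-open5/lsassd.conf  ->  assume-default-domain = yes
#   10.04  /etc/likewise-open/lsassd.reg    ->  "AssumeDefaultDomain"=dword:00000001
# Paths are parameters so the functions can be exercised on copies first.

# 9.10: force "assume-default-domain = yes", appending the key if it is absent.
set_default_domain_conf() {
    local conf="$1"
    awk '
        /^[[:space:]]*assume-default-domain[[:space:]]*=/ { print "assume-default-domain = yes"; seen = 1; next }
        { print }
        END { if (!seen) print "assume-default-domain = yes" }
    ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    grep -q '^assume-default-domain = yes$' "$conf"
}

# 10.04: flip the registry dword to 1 (the ppa build honours it).
set_default_domain_reg() {
    local reg="$1"
    awk '
        /^"AssumeDefaultDomain"=dword:/ { print "\"AssumeDefaultDomain\"=dword:00000001"; next }
        { print }
    ' "$reg" > "$reg.tmp" && mv "$reg.tmp" "$reg"
    grep -q '^"AssumeDefaultDomain"=dword:00000001$' "$reg"
}

# True when pam_mount's session line precedes the "sufficient" pam_lsass line.
# PAM stops walking the stack once a sufficient module succeeds, so a
# pam_mount line placed after pam_lsass.so is never reached for domain users.
pam_mount_before_lsass() {
    local file="$1" m l
    m=$(grep -n '^session.*pam_mount\.so' "$file" | head -n 1 | cut -d: -f1)
    l=$(grep -n '^session[[:space:]][[:space:]]*sufficient.*pam_lsass\.so' "$file" | head -n 1 | cut -d: -f1)
    [ -n "$m" ] && [ -n "$l" ] && [ "$m" -lt "$l" ]
}

# Move the pam_mount session line (or add one) directly above pam_lsass.
fix_session_order() {
    local file="$1" ins
    ins=$(grep '^session.*pam_mount\.so' "$file" | head -n 1)
    [ -n "$ins" ] || ins='session optional pam_mount.so'
    INS="$ins" awk '
        /^session.*pam_mount\.so/ { next }                       # drop the old placement
        /^session[[:space:]]+sufficient.*pam_lsass\.so/ && !done { print ENVIRON["INS"]; done = 1 }
        { print }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    pam_mount_before_lsass "$file"
}

# Usage (as root, after the packages are installed), e.g. on 10.04:
#   ./lw-setup.sh reg /etc/likewise-open/lsassd.reg
#   ./lw-setup.sh pam /etc/pam.d/common-session
case "${1-}" in
    conf) set_default_domain_conf "$2" ;;
    reg)  set_default_domain_reg "$2" ;;
    pam)  fix_session_order "$2" ;;
esac
```

Each function returns non-zero if the file does not end up in the expected state, so the script can be run from a deployment job and the exit status checked rather than trusting that the edit applied.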
Next, edit /etc/security/pam_mount.conf.xml.
You can use variables like %(USER) to mount the user’s personal share. Mine looks like this

<pam_mount>
<!-- Volume definitions: mount the user's share from the file server into their home on login -->
<volume user="*" fstype="cifs" server="server" path="users/%(USER)" mountpoint="~/Documents" />
</pam_mount>

* In 10.04 %(USER) gives you the domain/user form. If you just want the bare username use %(DOMAIN_USER).

Don’t try mounting anything as Desktop because GNOME won’t allow it. Too bad.

Wifi
Likewise-open doesn’t work over wifi unless a user logs in first, which is no solution. The cause is that network-manager doesn’t bring the connection up until some user logs in, so the domain is unreachable at the login screen. So you need to not use network-manager. I uninstalled it and set up wifi by editing /etc/network/interfaces. It works well, but now I can’t change the wifi myself, which is fine if the computer never leaves the building; in my case this is acceptable. I hear wicd is a network-manager replacement that can connect before login, but I didn’t try it myself.

Mass deployment
Next you might want to deploy it on many computers rather than one by one. If you want to customise the default user setup you can install and run Sabayon. It crashes a lot, but it’s actually really useful. Next, every machine needs its own hostname. I made this script and run it from root’s crontab with @reboot.
#!/bin/bash
# If the hostname is still the image's placeholder ("freshimage"), assume this
# is a freshly cloned machine that needs a unique name and a domain join.
# Run from root's crontab as: @reboot /path/to/this/script
hostCurrent=$(/bin/hostname)
hostOld='freshimage'
if [ "$hostCurrent" = "$hostOld" ]
then
    # Build the hostname from the BIOS serial number plus a "linux" suffix,
    # keeping only letters and digits (spaces and punctuation are not valid
    # in hostnames or AD computer names). sed prints the first match and quits.
    host1=$(/usr/sbin/dmidecode | /bin/grep 'Serial Number: ' | /bin/sed 's/.*: \(.*\)/\1/;q')
    host2='linux'
    host=$(echo "$host1$host2" | tr -cd '[:alnum:]')
    echo "$host"
    /bin/hostname "$host"
    /bin/echo "$host" > /etc/hostname
    # wait for wifi (brought up by /etc/network/interfaces, no network-manager)
    sleep 10
    # join AD. The join credential sits here in clear text on every cloned
    # disk, so keep this file root-only (chmod 700) and prefer an account that
    # is only delegated the right to join computers to the domain.
    /usr/bin/domainjoin-cli join domain.server.org Administrator 'mypassword'
fi

It automatically makes up a unique hostname and joins my domain at first boot. I set the cloning image’s hostname to “freshimage”, which the script looks for. Clone the hard drive and boot it. Wait for GDM to come up, reboot and you’re good. Bear in mind that AD computer names are limited to 15 characters (the NetBIOS limit), so a long serial number plus the suffix can be truncated. This is actually way better than joining many Windows computers to a domain, which requires many reboots.

Odds and Ends
I still don’t know a great way to mount ~/Desktop.
If you must have MS Office you could try Wine, but you may need CrossOver Linux Pro, which generally costs a lot. With CX Pro you can set up Office for multiple users.
I’ll write a follow-up post on how the deployments go.
