
Likewise Open simplifies the necessary configuration needed to authenticate a Linux™ machine to an Active Directory™ domain. Based on Winbind, the Likewise Open package takes the pain out of integrating Kubuntu™ authentication into an existing Windows™ network.
There are two ways to use Likewise Open: likewise-open the command line utility and likewise-open-gui. This section focuses on the command line utility.
To install the likewise-open package, open a terminal and enter:
sudo apt-get install likewise-open
Starting with Kubuntu™ 9.04, likewise-open 5.0 is available in the Universe repository. However, since upgrading from likewise-open 4.1 currently requires the system to leave the domain and re-join, a separate package for version 5 was created.
To install likewise-open 5.0, enter:
sudo apt-get install likewise-open5
Warning
Installing likewise-open5 over an existing likewise-open (4.1) installation will replace it. The domain will have to be rejoined afterward.
The main executable file of the likewise-open package is /usr/bin/domainjoin-cli
, which is used to join a computer to the domain. Before joining a domain, the following are needed:
Access to an Active Directory™ user with appropriate rights to join the domain.
The Fully Qualified Domain Name (FQDN) of the domain being joined. If the AD domain does not match a valid domain such as example.com, it is likely that it is in the form of domainname.local.
Properly set up DNS for the domain. In a production AD environment, this is typically the case. Proper Microsoft™ DNS is needed so that client workstations can determine that the Active Directory™ domain is available.
If there is not a Windows™ DNS server on the network, see the section called “DNS Microsoft” for details.
Щоб долучитися до домену, у командному рядку введіть таку команду:
sudo domainjoin-cli join example.com Administrator
Note
Замініть example.com на належну назву домену, а Administrator на ім’я відповідного користувача.
З’явиться запрошення на введення пароля користувача. Якщо пароль буде вказано правильно, у консолі з’явиться повідомлення SUCCESS.
Note
Після долучення до домену треба перезавантажити систему, перш ніж повторювати спробу пройти розпізнавання доменом.
After successfully joining a Kubuntu™ machine to an Active Directory™ domain, any valid AD user can be used to authenticate. To log in, the user name must be entered as 'domain\username'. For example, to ssh to a server joined to the domain, enter:
ssh 'example\steve'@hostname
Note
If configuring a desktop, the user name will need to be prefixed with domain\ in the graphical logon as well.
To make Likewise Open use a default domain, the following statement can be added to /etc/samba/lwiauthd.conf
:
winbind use default domain = yes
Then restart the Likewise Open daemons:
sudo /etc/init.d/likewise-open restart
Note
Once configured for a default domain, the 'domain\' is no longer required. Users can log in using only their username.
The domainjoin-cli utility can also be used to leave the domain. From a terminal:
sudo domainjoin-cli leave
The likewise-open package comes with a few other utilities that may be useful for gathering information about the Active Directory™ environment. These utilities are used to join the machine to the domain, and are the same as those available in the samba-common and Winbind packages:
lwinet: Returns information about the network and the domain.
lwimsg: Allows interaction with the likewise-winbindd daemon.
lwiinfo: Displays information about various parts of the domain.
Please refer to each utility's man page for details.
If the client has trouble joining the domain, check that the Microsoft™ DNS is listed first in
/etc/resolv.conf
. For example:nameserver 192.168.0.1
For more information when joining a domain, use the --loglevel verbose or --advanced option of the domainjoin-cli utility:
sudo domainjoin-cli --loglevel verbose join example.com Administrator
If an Active Directory™ user has trouble logging in, check the
/var/log/auth.log
for details.When joining a Kubuntu™ Desktop workstation to a domain, it may be necessary to edit
/etc/nsswitch.conf
if the AD domain uses the .local syntax. In order to join the domain, the "mdns4" entry should be removed from the hosts option. For example:hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
Змініть наведений вище рядок на такий:
hosts: files dns [NOTFOUND=return]
Після цього перезапустіть роботу мережі такою командою:
sudo /etc/init.d/networking restart
It should now be possible to join the Active Directory™ domain.
The following are instructions for installing DNS on an Active Directory™ domain controller running Windows Server™ 2003, but the instructions should be similar for other versions:
Click → → . This will open the Server Role Management utility.
Add or remove a role.
Next.
Select "DNS Server".
Next.
Next again to proceed.
Позначте пункт Create a forward lookup zone, якщо його ще не позначено.
Next.
Make sure "This server maintains the zone" is selected and Next.
Enter the domain name and Next.
Next to "Allow only secure dynamic updates".
Enter the IP for DNS servers to forward queries to, or Select "No, it should not forward queries" and Next.
Finish
Finish
DNS is now installed and can be further configured using the Microsoft™ Microsoft Management Console DNS snap-in.
Next, configure the server to use itself for DNS queries:
Start
Панель керування
Мережеві з'єднання
"Local Area Connection"
Properties
"Internet Protocol (TCP/IP)"
Enter the server's IP address as the "Preferred DNS server"
again to save the settings
Please refer to the Likewise home page for further information.
For more domainjoin-cli options, see the man page: man domainjoin-cli.