Ubuntu 14.04.3 – PBIS – AD Domain

OK, I have gotten this working well enough that a few people in our company are using it.

Before we get started I need to point out a few things …

The following steps will be based on these specifications:

  • MS Windows Server 2012 Domain Name: techtalk.local
  • Domain admin username: administrator
  • Domain user username: bob

When installing Ubuntu you are asked to create a user. I will use this user as a local administrator account on the PC, for use ONLY when domain user login is not working. This account will be hidden from the Ubuntu login screen.

  • Local PC Administrator user name: temp

So basically what I will end up with on this PC when it’s finished being set up is:

  • User “temp” – Local PC Administrator account completely non-related to the Domain
  • User “administrator” – Domain administrator account
  • User “bob” – Domain user account

REMEMBER: You must be connected to the Domain network!!


 

Install Ubuntu 14.04.3

Install the OS as you normally would and when prompted create the Local PC Administration account. I use ‘temp’ for the username … you can use whatever you like of course.

Update Ubuntu

sudo apt-get update
sudo apt-get dist-upgrade

Edit avahi config

If you don’t do this you will get conflicts later when installing PBIS: avahi uses the .local domain for mDNS, which collides with an AD domain whose DNS name also ends in .local (as techtalk.local does).

sudo nano /etc/avahi/avahi-daemon.conf

replace: #domain-name=local

with: domain-name=.alocal

Install ssh:

sudo apt-get install ssh

… then Reboot

Install PBIS:

  • Download install file >

http://download.beyondtrust.com/PBISO/8.3/pbis-open-8.3.0.3287.linux.x86_64.deb.sh

(Download website: http://download1.beyondtrust.com/Technical-Support/Downloads/PowerBroker-Identity-Services-Open-Edition/?Pass=True)

  • Make install file executable >

sudo chmod +x Downloads/pbis-open-8.3.0.3287.linux.x86_64.deb.sh

  • Execute install file

sudo ./Downloads/pbis-open-8.3.0.3287.linux.x86_64.deb.sh

Install package for legacy links? -> no
Would you like to install now? -> yes

After install you might get a GUI tool asking you to join the domain. I prefer to close it and to continue via the terminal.

Join PC to domain

sudo domainjoin-cli join domain.local domain-administrator-username

So for our example it would be:

sudo domainjoin-cli join techtalk.local administrator

You will be prompted for the Domain Administrator password and then should see “SUCCESS”.

Restart ssh service

sudo service ssh restart

Set AD login settings

sudo /opt/pbis/bin/config UserDomainPrefix techtalk
sudo /opt/pbis/bin/config AssumeDefaultDomain true
sudo /opt/pbis/bin/config LoginShellTemplate /bin/bash
sudo /opt/pbis/bin/config HomeDirTemplate %H/%U
sudo /opt/pbis/bin/config RequireMembershipOf techtalk\\DomainUsers

DomainUsers stands for the AD security group “Domain Users”; RequireMembershipOf restricts logins on this PC to members of that group.
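The five config calls above hard-code the techtalk domain. The following shell function, an added example rather than the article’s own script, applies the same five settings for any short domain name and group, chained so that a failure stops the sequence before a half-configured login policy is left behind. PBIS_CONFIG is an assumed variable: it defaults to the real /opt/pbis/bin/config and can point at a stub to dry-run the calls on a machine without PBIS.

```shell
#!/bin/sh
# Applies the PBIS login settings from the article for an arbitrary short
# domain name. Added example; not part of the original post.
# PBIS_CONFIG is assumed here so the calls can be redirected to a stub.
PBIS_CONFIG=${PBIS_CONFIG:-/opt/pbis/bin/config}

# apply_pbis_login_settings SHORT_DOMAIN [GROUP]
#   SHORT_DOMAIN  the NetBIOS-style prefix, e.g. techtalk
#   GROUP         AD group required for login, default DomainUsers
# Returns 2 on bad usage, otherwise the status of the first failing call.
apply_pbis_login_settings() {
    domain=${1:-}
    group=${2:-DomainUsers}
    if [ -z "$domain" ]; then
        echo "usage: apply_pbis_login_settings SHORT_DOMAIN [GROUP]" >&2
        return 2
    fi
    # The shell turns "\\" inside double quotes into a single backslash, so
    # PBIS receives techtalk\DomainUsers, the same as the article's command.
    "$PBIS_CONFIG" UserDomainPrefix "$domain" &&
    "$PBIS_CONFIG" AssumeDefaultDomain true &&
    "$PBIS_CONFIG" LoginShellTemplate /bin/bash &&
    "$PBIS_CONFIG" HomeDirTemplate '%H/%U' &&
    "$PBIS_CONFIG" RequireMembershipOf "${domain}\\${group}"
}

# On the PC itself (as root):
#   apply_pbis_login_settings techtalk
```

Run it with sudo on the joined PC; to see exactly what would be sent to PBIS first, point PBIS_CONFIG at a small script that only logs its arguments.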

Edit lightdm (login screen settings)

sudo nano /usr/share/lightdm/lightdm.conf.d/50-unity-greeter.conf

  • Insert the following >

allow-guest=false
greeter-show-manual-login=true

… then Reboot

 

Domain administrator account setup

  • Login as Domain Administrator

This may work right off the bat or it may fail. If it fails see “Domain User Login Fails!” issue under the Troubleshooting section at the bottom of this article.

  • Logout of Domain Administrator account and login as local user ‘temp’
  • Add Domain Administrator account to ‘sudo’ group

The reason we do this is to allow the Domain Administrator to make administrative changes to the local PC.

sudo usermod -aG sudo administrator

  • Logout of ‘temp’ and login as Domain Administrator

 

Hide user “temp”

  • As Domain Administrator open terminal and do

sudo nano /var/lib/AccountsService/users/temp

change:

[User]
SystemAccount=false

to:

[User]
SystemAccount=true

Save file and exit.
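The avahi edit, the two lightdm greeter keys and the SystemAccount flag above are all the same operation: set one KEY=VALUE line, uncommenting it if it only exists as a comment and appending it if it is absent. The shell helper below is an added example, not part of the original post; it does that edit idempotently so the steps can be scripted and re-run safely. It assumes GNU sed (as shipped on Ubuntu) and takes the file path as an argument, so it can be tried on copies of the files first.

```shell
#!/bin/sh
# Idempotent "KEY=VALUE" edits for the config files this article touches:
#   /etc/avahi/avahi-daemon.conf                              domain-name=.alocal
#   /usr/share/lightdm/lightdm.conf.d/50-unity-greeter.conf   allow-guest=false
#                                                             greeter-show-manual-login=true
#   /var/lib/AccountsService/users/temp                       SystemAccount=true
# Added example, not part of the original post. Assumes GNU sed (Ubuntu).
set -u

# set_conf_key FILE KEY VALUE
# Rewrites every "KEY=..." line, uncommenting it if it is only present as
# "#KEY=..." (the avahi case); appends "KEY=VALUE" when the key is absent
# (the lightdm case). Running it twice leaves the file unchanged.
# VALUE must not contain '|' or '&' (sed replacement syntax).
set_conf_key() {
    file=$1; key=$2; value=$3
    if grep -q -E "^#?[[:space:]]*${key}[[:space:]]*=" "$file"; then
        # '|' is the sed delimiter, so VALUE may contain '/' (e.g. a path)
        sed -i -E "s|^#?[[:space:]]*${key}[[:space:]]*=.*|${key}=${value}|" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_conf_key FILE KEY
# Prints the active (uncommented) value of KEY, or nothing if it is not set.
get_conf_key() {
    sed -n -E "s/^${2}[[:space:]]*=[[:space:]]*(.*)$/\1/p" "$1" | head -n 1
}

# The article's edits, run as root on the PC being set up:
#   set_conf_key /etc/avahi/avahi-daemon.conf domain-name .alocal
#   set_conf_key /usr/share/lightdm/lightdm.conf.d/50-unity-greeter.conf allow-guest false
#   set_conf_key /usr/share/lightdm/lightdm.conf.d/50-unity-greeter.conf greeter-show-manual-login true
#   set_conf_key /var/lib/AccountsService/users/temp SystemAccount true
# The lightdm file has a single [SeatDefaults] section, so appended keys
# land inside it.
```

After each call, get_conf_key confirms the active value, which is a quick way to verify the edit before rebooting.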

 

Finishing

You are basically done. Now all you need to do is add the Domain User account to the PC. This is done simply by logging into Ubuntu as the Domain User.

You don’t have to enter the username with the domain prefix either, but just the username itself.

If you want the Domain User to also have administrative rights on the local PC you need to add it to the ‘sudo’ group with

sudo usermod -aG sudo bob

And it may also be a good idea to add the Domain User to the ‘sambashare’ group in the same way

sudo usermod -aG sambashare bob

TIP: Once a Domain User/Administrator has been successfully added to the PC (by logging in) the login will work when disconnected from the Domain’s network.

 

Troubleshooting

  • Domain User Login Fails!

Login with the Local PC Administrator account ‘temp’.

Open a terminal and check your connection to the domain:

sudo domainjoin-cli query

If you get something back like

“LW_ERROR_PASSWORD_MISMATCH [code 0x00009c56]”

you will need to rejoin the domain once more with:

sudo domainjoin-cli join techtalk.local administrator

Once you are reconnected to the domain, logout of user ‘temp’ and login now as domain user or administrator – this time it should work.

REMEMBER: When making an initial login attempt with any Domain user account you must be connected to the Domain’s network!!
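The troubleshooting step above comes down to reading the output of domainjoin-cli query and deciding between a few states: joined, joined with a machine-account password mismatch (rejoin), or not joined at all. The shell function below, added here as an example and not part of the original post, encodes that decision so it can be run from a login-check script. The only assumption is the “Key = value” line layout of the query output (Name, Domain, Distinguished Name), as quoted in the comments below.

```shell
#!/bin/sh
# Classifies the output of 'sudo domainjoin-cli query' the way the
# troubleshooting section does. Added example; not part of the original post.
# Assumes the "Key = value" line layout of the query output.

# query_domain < query-output
# Prints the value of the "Domain =" line, or nothing if there is none.
query_domain() {
    sed -n 's/^Domain[[:space:]]*=[[:space:]]*//p' | head -n 1
}

# assess_domain_join [EXPECTED_DOMAIN] < query-output
#   0  joined (and to EXPECTED_DOMAIN, if one was given)
#   1  LW_ERROR_PASSWORD_MISMATCH seen: the machine account password is out
#      of sync, rejoin with 'sudo domainjoin-cli join <domain> administrator'
#   2  no "Domain =" line: the machine is not joined at all
#   3  joined, but to a different domain than expected
assess_domain_join() {
    expected=${1:-}
    out=$(cat)                      # read the whole query output once
    if printf '%s\n' "$out" | grep -q 'LW_ERROR_PASSWORD_MISMATCH'; then
        echo "machine account password mismatch; rejoin the domain"
        return 1
    fi
    domain=$(printf '%s\n' "$out" | query_domain)
    if [ -z "$domain" ]; then
        echo "not joined to any domain"
        return 2
    fi
    if [ -n "$expected" ]; then
        # AD domain names are case-insensitive; compare in upper case
        d=$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')
        e=$(printf '%s' "$expected" | tr '[:lower:]' '[:upper:]')
        if [ "$d" != "$e" ]; then
            echo "joined to $domain, expected $expected"
            return 3
        fi
    fi
    echo "joined to $domain"
    return 0
}

# Typical use on the PC, logged in as the local user 'temp':
#   sudo domainjoin-cli query | assess_domain_join techtalk.local || echo "rejoin needed"
```

A non-zero return is the cue to run the domainjoin-cli join command from the section above; a return of 0 with a login that still fails points at something other than the join itself (for example the lwsmd service not running, as discussed in the comments).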

About: techtalk


13 thoughts on “Ubuntu 14.04.3 – PBIS – AD Domain”

  1. Hello,

    I have followed the article and successfully joined the Linux box to the AD.
    Unfortunately, I cannot log in to the same, since it is showing an invalid password.
    I have tried with different domain users but it fails.

    As a part of troubleshooting, I have issued command sudo domainjoin-cli query and it returned correct domain details without any error.

    Can you please guide me on this?

  2. #sudo domainjoin-cli query

    OUTPUT:

    Name = hp
    Domain = EXAMPLE.COM
    Distinguished Name = CN=HP,CN=Computers,DC=EXAMPLE,DC=COM

    but still I’m not able to join a domain. I have tried one or more users but no use!

    please help me..

    1. Are you not able to join or not able to login?
      You should only be able to join the domain with domain administrator account credentials.

      1. Yes, I’m using domain administrator account credentials only, but still not able to login, so I logged in with the local user and restarted lwsmd.service manually; then after switching I’m able to login… But after a system restart I’m facing the same issue

        1. Sounds to me like you have a problem with lwsmd.service not starting up properly. You would need to investigate that (logs).

          1. Yes, I have tried; now it’s showing PAM unable to dlopen, PAM adding faulty module: pam_gnome_keyring.so

            Why is this happening?

          2. Jun 20 18:55:49 smof systemd-logind[703]: New seat seat0.
            Jun 20 18:55:49 smof systemd-logind[703]: Watching system buttons on /dev/input/event1 (Power Button)
            Jun 20 18:55:49 smof systemd-logind[703]: Watching system buttons on /dev/input/event0 (Power Button)
            Jun 20 18:55:53 smof dbus[583]: [system] Rejected send message, 7 matched rules; type="method_return", sender=":1.13" (uid=0 pid=970 comm="/usr/sbin/dnsmasq --no-reso$
            Jun 20 18:55:57 smof lightdm: PAM unable to dlopen(pam_gnome_keyring.so): /lib/security/pam_gnome_keyring.so: cannot open shared object file: No such file or directory
            Jun 20 18:55:57 smof lightdm: PAM adding faulty module: pam_gnome_keyring.so
            Jun 20 18:55:57 smof lightdm: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
            Jun 20 18:55:57 smof lightdm: PAM adding faulty module: pam_kwallet.so
            Jun 20 18:55:57 smof lightdm: pam_unix(lightdm-greeter:session): session opened for user lightdm by (uid=0)
            Jun 20 18:55:57 smof systemd-logind[703]: New session c1 of user lightdm.
            Jun 20 18:55:57 smof systemd-logind[703]: Linked /tmp/.X11-unix/X0 to /run/user/107/X11-display.
            Jun 20 18:55:58 smof lightdm: PAM unable to dlopen(pam_gnome_keyring.so): /lib/security/pam_gnome_keyring.so: cannot open shared object file: No such file or directory
            Jun 20 18:55:58 smof lightdm: PAM adding faulty module: pam_gnome_keyring.so
            Jun 20 18:55:58 smof lightdm: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
            Jun 20 18:55:58 smof lightdm: PAM adding faulty module: pam_kwallet.so
            Jun 20 18:55:58 smof lightdm: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "lubuntu"
            Jun 20 18:56:30 smof lightdm: PAM unable to dlopen(pam_gnome_keyring.so): /lib/security/pam_gnome_keyring.so: cannot open shared object file: No such file or directory
            Jun 20 18:56:30 smof lightdm: PAM adding faulty module: pam_gnome_keyring.so

    1. That’s a new error to me.
      I would try to leave and rejoin the domain with:

      sudo domainjoin-cli leave
      sudo domainjoin-cli join DOMAIN.local administrator

      And I would do this from the non-domain user account in Ubuntu.

  3. I’m using the Lubuntu distro. I’ll install a fresh Ubuntu 14.04 LTS again; please let me know what steps I should follow, because there is different documentation on the net with jumping steps. Please help…

    1. I can only tell you what worked for me using Ubuntu 14.04 (not any other *buntu distro) with my Domain Controller etc …
      You may not have the same outcome with a different DC setup etc …

  4. Sir,

    I have joined Ubuntu 16.04 successfully as per the given details, but when I try the domain admin login, it fails with the message “access denied”. The query command status shows successfully joined to the domain server (no error). Please help
