Friday, 24 January 2014

Ubuntu to Windows Domain via Active Directory

Attach Ubuntu to Windows Domain via Active Directory (+ sudo)
Posted by Jagdish Goswami
There may not be many advantages to adding your Ubuntu machines to your Windows domain, but if you can think of some, this will let you work toward them.  It’s actually pretty easy to add a Linux box to Active Directory, because AD started out life as an LDAP server and it still retains its LDAP genes somewhere deep inside its withered exterior.
First thing you will want to do is add this utility to your Ubuntu machine:
sudo apt-get install likewise-open
It will allow you to authenticate against AD using Kerberos.  If you don’t know what that means it’s not important at this stage; it’s enough to understand that it’s a secure method for assuring identity between your client machine and your AD server.
I then added the machine to the domain.  Again this is a simple operation.  Before you do anything on the Ubuntu machine, hop into Active Directory and create a machine account in the name of the Ubuntu machine.  Then back on the Ubuntu machine it’s one line of code:
sudo domainjoin-cli join [domain.name] [username]
Easy enough.
I also gave a domain group sudo rights by adding these lines to the /etc/sudoers file:
# Active Directory group [groupname] given sudo privs
%[domain.name]\\[groupname] ALL=(ALL) ALL
If you don’t know how to edit a protected file like /etc/sudoers, I recommend using Gedit:
gksudo gedit /etc/sudoers
Just add those two lines to the end of the file.  The first line is only a comment and could say something different.  Replace the items in square brackets with the appropriate values for your network.
For the group I created in Active Directory to grant these sudo privileges, I included Domain Administrators and a couple of individuals who would likely be using the Ubuntu box and need sudo rights.  If you’d rather, you could substitute a username for the groupname in the edit above, but I think it’s better to use a security group in AD since you’re now attached to it.
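The sudoers step above, as an added example that is not code from the original post: instead of appending to /etc/sudoers in an editor, it writes the same rule to a drop-in under /etc/sudoers.d and refuses to install it unless visudo accepts the syntax, since a typo in sudoers can lock every admin out. The domain and group names are placeholders, and VISUDO is an assumed override variable for dry runs.

```shell
#!/bin/sh
# Added example, not from the original post. likewise-open exposes AD groups
# to sudo as DOMAIN\group, so the rule carries an escaped backslash.

# Print the two-line rule (comment + grant) for one AD group.
# Names are restricted to characters that cannot break sudoers grammar.
ad_sudo_rule() {
    domain=$1
    group=$2
    for name in "$domain" "$group"; do
        case "$name" in
            ""|*[!A-Za-z0-9._-]*) return 1 ;;
        esac
    done
    printf '# Active Directory group %s given sudo privs\n' "$group"
    printf '%%%s\\\\%s ALL=(ALL) ALL\n' "$domain" "$group"
}

# Install the rule as $dir/ad-<group> (default /etc/sudoers.d) with the 0440
# mode sudo requires. sudo ignores drop-in names containing '.' or '~', so
# those are mapped to '_' in the final name, and the ".tmp" staging file is
# never read by sudo while it exists.
install_ad_sudo_rule() {
    domain=$1
    group=$2
    dir=${3:-/etc/sudoers.d}
    target="$dir/ad-$(printf '%s' "$group" | tr '.~' '__')"
    tmp="$target.tmp"
    ad_sudo_rule "$domain" "$group" > "$tmp" || { rm -f "$tmp"; return 1; }
    chmod 0440 "$tmp"
    # Refuse to install anything visudo does not accept (VISUDO is an assumed
    # override, e.g. VISUDO=true for a dry run on a host without sudo).
    ${VISUDO:-visudo} -cf "$tmp" >/dev/null || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$target"
}

# Usage (as root): install_ad_sudo_rule example.local linux-admins
```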
Anyway, that’s about it.  Not too exciting, but I’m sure it’s useful for something.  Have fun with it.

(The same can be done with Macs or probably any Unix-like system as long as it can authenticate against an LDAP.  Of course for other systems the details will be, you know, different.)
