Jeff Rasmussen’s Healthcare IT Blog

October 9, 2009

Joining Ubuntu to Windows Active Directory Domain

Filed under: Ubuntu, Windows — jrasmussen0 @ 3:18 pm

Over the years, I have joined Ubuntu to a Microsoft Domain in a couple of different ways.  The first method I had tried was quite manual and described on Ubuntu’s Community Documentation website.  The last 2-3 times I have joined Ubuntu computers, I started using a new automated method provided by Likewise Open.

I found some likewise-open documentation for the older version of Ubuntu 8.04.  Since the process is automated, the documentation hasn’t changed much.  However, one of the features of the manual process was allowing users to connect to the samba server on my Ubuntu machine.  I had to piece together how to get this to also work.  Maybe there will be a modification to likewise-open5 eventually that will include some automation with this.

=== to be continued ===

http://likewise.com/resources/user_documentation/Likewise-Samba-Guide-5.pdf

1. Create a directory named ‘idmap’ under /usr/lib/samba, if
necessary (/usr/lib64/samba for 64-bit servers). Create a
symbolic link from /usr/lib/samba/idmap/lwicompat_v2.so to
point to /opt/likewise/lib/lwicompat_v2.so. Repeat for
lwicompat_v3 and lwicompat_v4.
# cd /usr/lib/samba
# mkdir idmap
# cd idmap
# ln -s /opt/likewise/lib/lwicompat_v2.so /usr/lib/samba/idmap/lwicompat_v2.so
# ln -s /opt/likewise/lib/lwicompat_v3.so /usr/lib/samba/idmap/lwicompat_v3.so
# ln -s /opt/likewise/lib/lwicompat_v4.so /usr/lib/samba/idmap/lwicompat_v4.so
On a 64-bit server, the path is slightly different:
# cd /usr/lib64/samba
# mkdir idmap
# cd idmap
# ln -s /opt/likewise/lib64/lwicompat_v2.so /usr/lib64/samba/idmap/lwicompat_v2.so
# ln -s /opt/likewise/lib64/lwicompat_v3.so /usr/lib64/samba/idmap/lwicompat_v3.so
# ln -s /opt/likewise/lib64/lwicompat_v4.so /usr/lib64/samba/idmap/lwicompat_v4.so

2. Confirm the version of Samba that you have installed and edit the
Samba configuration file accordingly.
# smbd -V
Version 3.0.26a-1478
Now that you know the version number, edit the Samba
configuration file /etc/samba/smb.conf to set the following
parameters to the listed values. If the parameters are not included
in the smb.conf file, add a new line for them in the [global]
section. Here are the compatibility plugins to use by Samba
version:
lwicompat_v2 for Samba 3.0.0 – 3.0.22
Copyright © 2009 Likewise Software. All rights reserved. 3.16.2009.

Product Documentation
Likewise 5: Samba 3 Integration Guide
lwicompat_v3 for Samba 3.0.23 – 3.0.24
lwicompat_v4 for Samba 3.0.25 and later 3.0 releases.
Here is how to edit your smb.conf file for lwicompat_v2 or
lwicompat_v3:
security = ads
workgroup = <enter NETBIOS name from /opt/likewise/bin/lw-get-status>
realm = <enter realm from /etc/krb5.conf>
# idmap backend = lwicompat_v2
idmap backend = lwicompat_v3
idmap uid = 50-9999999999
idmap gid = 50-9999999999
The configuration for Samba 3.0.25 and later 3.0 releases is
different. Here is how to edit your smb.conf file for lwicompat_v4
for Samba version 3.0.25 and later 3.0 releases:
security = ads
workgroup = <enter NETBIOS name from /opt/likewise/bin/lw-get-status>
realm = <enter realm from /etc/krb5.conf>
idmap domains = ALL
idmap config ALL:backend = lwicompat_v4
idmap config ALL:default = yes
idmap config ALL:readonly = yes
3. Print out the machine account information by running the following
command as root to retrieve the machine account password from
the Likewise authentication system and provide it to the Samba
server’s authentication system:
/opt/likewise/bin/lw-dump-machine-acct <dns domain>
DomainSID                                     = S-1-5-21-aaaa-bbbbb-ccccc-ddddd
DomainName                                    = AD
Domain DNS Name                               = AD.PLAINJOE.ORG
HostName                                      = srv3
Machine Account Name                          = srv3$
Machine Account Password = EncryptedStringPassword
4. Set the domain SID in Samba’s database by using the Samba net
command:
net setdomainsid S-1-5-21-aaaa-bbbbb-ccccc-ddddd
5. Store the machine account password by using the net command.
You can copy the encrypted machine account password from the
output of the /opt/likewise/bin/lw-dump-machine-acct
<dns domain>  that you executed in a previous step.
Important: Your machine account password expires, according
to your default AD domain policy, after 40 days. Therefore, you
must repeat these steps every time your machine account
password expires. However, you can set up a cron job to
automate this operation, but doing so is beyond the scope of this
document.
net changesecretpw -f
Enter password: <EncryptedStringPassword>
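
Steps 3 to 5 above, as an added shell example that is not part of the Likewise guide or of the original post: it parses the lw-dump-machine-acct output format shown in step 3 and passes the domain SID and machine account secret to Samba without placing the secret in a file or on a command line. The function names, the DRY_RUN switch and the sample dump are constructed for illustration, and the script assumes that net changesecretpw -f accepts the secret on standard input.

```shell
#!/bin/sh
# Added example, not from the Likewise guide: steps 3-5 as one root-run pass.
LW_DUMP=${LW_DUMP:-/opt/likewise/bin/lw-dump-machine-acct}  # path from the guide

# Constructed sample in the output format shown in step 3.
SAMPLE_DUMP='DomainSID                = S-1-5-21-aaaa-bbbbb-ccccc-ddddd
DomainName               = AD
Domain DNS Name          = AD.PLAINJOE.ORG
HostName                 = srv3
Machine Account Name     = srv3$
Machine Account Password = EncryptedStringPassword'

# acct_field LABEL: read dump text on stdin, print the value for exactly LABEL.
# Splits on the first "=" only, so "=" characters inside the secret survive,
# and matches the whole label, so "DomainName" never hits "Domain DNS Name".
acct_field() {
    awk -v want="$1" '{
        i = index($0, "=")
        if (i == 0) next
        key = substr($0, 1, i - 1)
        val = substr($0, i + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key)
        sub(/^[ \t]+/, "", val)
        if (key == want) { print val; found = 1; exit }
    } END { exit !found }'
}

# sync_samba_secret DNS_DOMAIN: the secret stays in shell memory and a pipe,
# never in a file or on a command line. DRY_RUN=1 reports without changing Samba.
sync_samba_secret() {
    dump=$("$LW_DUMP" "$1") || return 1
    sid=$(printf '%s\n' "$dump" | acct_field 'DomainSID') || return 1
    case $sid in
        S-1-5-21-*) ;;
        *) echo "unexpected DomainSID: $sid" >&2; return 1 ;;
    esac
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "would run: net setdomainsid $sid; net changesecretpw -f"
        return 0
    fi
    net setdomainsid "$sid" || return 1
    # Assumption: "net changesecretpw -f" reads the secret from stdin.
    printf '%s\n' "$dump" | acct_field 'Machine Account Password' |
        net changesecretpw -f
}

# Run only when given a DNS domain, e.g. from root's crontab.
if [ "$#" -gt 0 ]; then sync_samba_secret "$1"; fi
```

The machine account password is a domain credential, so a scheduled copy of this script should be owned by root and not readable by other users.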

January 12, 2007

ATI Radeon X1300 Works!

Filed under: Ubuntu — jrasmussen0 @ 5:47 pm

My ATI Radeon X1300 video card (Dell Optiplex 745) now works with the newest 8.33.6 driver which came out today.

  1. Download the new ATI Driver Installer
  2. chmod +x *.run
  3. fakeroot ./*.run --buildpkg Ubuntu/edgy
  4. sudo dpkg -i *.deb
  5. sudo module-assistant auto-install fglrx
  6. sudo /etc/init.d/gdm stop
  7. sudo modprobe -r fglrx
  8. sudo depmod -a
  9. sudo /etc/init.d/gdm start
  10. fglrxinfo
  11. fgl_glxgears

I still have a minor issue with the mtrr but it doesn’t affect the 3D.

December 28, 2006

ATI x1300 and Ubuntu

Filed under: Ubuntu — jrasmussen0 @ 3:41 pm

I’m having problems running Ubuntu Edgy with a new Dell Optiplex 745 with an ATI x1300 (RV 516 7183) video card. 2D works great but 3D is borked. When running fglrxinfo I get:

display: :0.0 screen: 0
OpenGL vendor string: ATI Technologies Inc.
OpenGL renderer string: Generic
OpenGL version string: 2.0.6234 (8.32.5)

but when I run fgl_glxgears I get this window and a listing of FPS

Using GLX_SGIX_pbuffer
3933 frames in 5.0 seconds = 786.600 FPS
4462 frames in 5.0 seconds = 892.400 FPS
4483 frames in 5.0 seconds = 896.600 FPS

Update: I was able to get the ATI card to work when ATI corrected their driver in version 8.33.6.

October 18, 2006

Must Have for Integrating Linux in a Windows World

Filed under: Ubuntu — jrasmussen0 @ 10:00 am

Ubuntu’s AD Samba Guide: ActiveDirectoryHowto – Community Ubuntu Documentation

Novell’s Ubuntu AD Samba Guide: HOWTO: Configure Ubuntu for Active Directory Authentication

Note: Samba is hosted on Novell’s servers because Novell is starting to seem pretty agnostic on what distribution people are running. Good for them.

I was able to allow my machine to authenticate on a Windows AD domain without joining it to the domain. The second step of setting up libpam-ldap and nscd would require changes to the domain controllers, but I am only able to log on if the user account in /usr/passwd is identical to a domain account. If I had libpam-ldap installed and joined this computer to the domain, I would be able to accept anyone’s domain account as a login on this machine.

I am now able to cruise network shares through Gnome (nautilus) with smb://servername without having to supply a password for each connection. Previously, my credentials would be encrypted to the nautilus keyring, so it may have seemed like authentication only happened once but it was really happening each time you connected. With a kerberos ticket, I am authenticated as myself until the ticket is closed or if the ticket is revoked by a domain controller.  This truly becomes a single sign-on Microsoft environment.

Now I have to work out how single sign-on is handled (NTLM?) for our intranet, which was developed on .Net.  When I go to the site with Firefox (Windows and Linux) I get asked for continuous passwords, it seems.  I had heard from a Novell Open Audio Podcast that Suse had figured out a way to use Firefox with single sign-on.  I just can’t remember if it was with a Firefox kerberos plugin, or if there was a special setting in the about:config.
