Jeff Rasmussen’s Healthcare IT Blog

October 9, 2009

Joining Ubuntu to Windows Active Directory Domain

Filed under: Ubuntu, Windows — jrasmussen0 @ 3:18 pm

Over the years, I have joined Ubuntu to a Microsoft Domain in a couple of different ways.  The first method I tried was quite manual and is described on Ubuntu’s Community Documentation website.  The last 2-3 times I have joined Ubuntu computers, I have been using a newer automated method provided by Likewise Open.

I found some likewise-open documentation for the older Ubuntu 8.04 release.  Since the process is automated, the documentation hasn’t changed much.  However, one of the features of the manual process was allowing users to connect to the Samba server on my Ubuntu machine.  I had to piece together how to get this to work as well.  Maybe there will eventually be a modification to likewise-open5 that includes some automation for this.

=== to be continued ===

http://likewise.com/resources/user_documentation/Likewise-Samba-Guide-5.pdf

1. Create a directory named ‘idmap’ under /usr/lib/samba, if necessary (/usr/lib64/samba for 64-bit servers). Create a symbolic link from /usr/lib/samba/idmap/lwicompat_v2.so to point to /opt/likewise/lib/lwicompat_v2.so. Repeat for lwicompat_v3 and lwicompat_v4.
# cd /usr/lib/samba
# mkdir idmap
# cd idmap
# ln -s /opt/likewise/lib/lwicompat_v2.so /usr/lib/samba/idmap/lwicompat_v2.so
# ln -s /opt/likewise/lib/lwicompat_v3.so /usr/lib/samba/idmap/lwicompat_v3.so
# ln -s /opt/likewise/lib/lwicompat_v4.so /usr/lib/samba/idmap/lwicompat_v4.so
On a 64-bit server, the path is slightly different:
# cd /usr/lib64/samba
# mkdir idmap
# cd idmap
# ln -s /opt/likewise/lib64/lwicompat_v2.so /usr/lib64/samba/idmap/lwicompat_v2.so
# ln -s /opt/likewise/lib64/lwicompat_v3.so /usr/lib64/samba/idmap/lwicompat_v3.so
# ln -s /opt/likewise/lib64/lwicompat_v4.so /usr/lib64/samba/idmap/lwicompat_v4.so

2. Confirm the version of Samba that you have installed and edit the Samba configuration file accordingly.
# smbd -V
Version 3.0.26a-1478
Now that you know the version number, edit the Samba configuration file /etc/samba/smb.conf to set the following parameters to the listed values. If the parameters are not included in the smb.conf file, add a new line for them in the [global] section. Here are the compatibility plugins to use by Samba version:
lwicompat_v2 for Samba 3.0.0 – 3.0.22
lwicompat_v3 for Samba 3.0.23 – 3.0.24
lwicompat_v4 for Samba 3.0.25 and later 3.0 releases.
(Source: Likewise 5: Samba 3 Integration Guide, Product Documentation. Copyright © 2009 Likewise Software. All rights reserved. 3.16.2009.)
Here is how to edit your smb.conf file for lwicompat_v2 or lwicompat_v3:
security = ads
workgroup = <enter NETBIOS name from /opt/likewise/bin/lw-get-status>
realm = <enter realm from /etc/krb5.conf>
# idmap backend = lwicompat_v2   (use this line instead for Samba 3.0.0 – 3.0.22)
idmap backend = lwicompat_v3
idmap uid = 50-9999999999
idmap gid = 50-9999999999
The configuration for Samba 3.0.25 and later 3.0 releases is different. Here is how to edit your smb.conf file for lwicompat_v4 for Samba version 3.0.25 and later 3.0 releases:
security = ads
workgroup = <enter NETBIOS name from /opt/likewise/bin/lw-get-status>
realm = <enter realm from /etc/krb5.conf>
idmap domains = ALL
idmap config ALL:backend = lwicompat_v4
idmap config ALL:default = yes
idmap config ALL:readonly = yes
3. Print out the machine account information by running the following command as root to retrieve the machine account password from the Likewise authentication system and provide it to the Samba server’s authentication system:
/opt/likewise/bin/lw-dump-machine-acct <dns domain>
DomainSID                = S-1-5-21-aaaa-bbbbb-ccccc-ddddd
DomainName               = AD
Domain DNS Name          = AD.PLAINJOE.ORG
HostName                 = srv3
Machine Account Name     = srv3$
Machine Account Password = EncryptedStringPassword
4. Set the domain SID in Samba’s database by using the Samba net command:
net setdomainsid S-1-5-21-aaaa-bbbbb-ccccc-ddddd
5. Store the machine account password by using the net command. You can copy the encrypted machine account password from the output of the /opt/likewise/bin/lw-dump-machine-acct <dns domain> command that you executed in a previous step.
Important: Your machine account password expires, according to your default AD domain policy, after 40 days. Therefore, you must repeat these steps every time your machine account password expires. However, you can set up a cron job to automate this operation, but doing so is beyond the scope of this document.
net changesecretpw -f
Enter password: <EncryptedStringPassword>
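The guide leaves the cron job as an exercise. The script below is an added example (it is not from the Likewise guide or from this blog) that wires steps 1 through 5 into a single re-runnable helper: it maps the `smbd -V` output to the right lwicompat plugin, prints the matching [global] idmap lines, creates the symlinks, parses the `lw-dump-machine-acct` output, and pushes the SID and password into Samba. Assumptions not in the original: the script name lw-samba-sync.sh, the 32-bit paths in LW_LIB/SAMBA_LIB, that `net` accepts `-i` to read the password from stdin instead of prompting, and that `net ads testjoin` is a usable post-check; the sample dump is constructed from the placeholder values shown in the guide.

```shell
#!/bin/sh
# Added example (not from the Likewise guide or this blog): automates steps 1-5
# above so the password refresh can run from cron.  Paths assume a 32-bit
# Ubuntu host with Likewise Open 5 under /opt/likewise; adjust for 64-bit.
set -eu

LW_BIN=/opt/likewise/bin
LW_LIB=/opt/likewise/lib          # /opt/likewise/lib64 on 64-bit servers
SAMBA_LIB=/usr/lib/samba          # /usr/lib64/samba on 64-bit servers

# Map the output of `smbd -V` to the compatibility plugin the guide prescribes.
# Fails for releases outside the 3.0 series, which the guide does not cover.
pick_lwicompat() {
    ver=${1#Version }                                              # accept "Version 3.0.26a-1478"
    major=$(printf '%s' "$ver" | cut -d. -f1)
    minor=$(printf '%s' "$ver" | cut -d. -f2)
    patch=$(printf '%s' "$ver" | cut -d. -f3 | sed 's/[^0-9].*//')  # "26a-1478" -> "26"
    [ "$major" = 3 ] && [ "$minor" = 0 ] || return 1
    if   [ "${patch:-0}" -le 22 ]; then echo lwicompat_v2
    elif [ "${patch:-0}" -le 24 ]; then echo lwicompat_v3
    else                                echo lwicompat_v4
    fi
}

# Print the [global] idmap lines from the guide for a plugin: v4 uses the newer
# "idmap config" syntax, the older plugins the flat "idmap backend" form.
idmap_fragment() {
    case "$1" in
        lwicompat_v2|lwicompat_v3)
            printf 'idmap backend = %s\nidmap uid = 50-9999999999\nidmap gid = 50-9999999999\n' "$1" ;;
        lwicompat_v4)
            printf 'idmap domains = ALL\nidmap config ALL:backend = lwicompat_v4\n'
            printf 'idmap config ALL:default = yes\nidmap config ALL:readonly = yes\n' ;;
        *)  return 1 ;;
    esac
}

# Extract one field ("DomainSID", "Machine Account Password", ...) from
# lw-dump-machine-acct output, whose lines look like "Key   = value".
parse_acct() {
    sed -n "s/^$1[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# Step 1: make the Likewise idmap plugins visible to Samba.
link_plugins() {
    mkdir -p "$SAMBA_LIB/idmap"
    for v in v2 v3 v4; do
        ln -sf "$LW_LIB/lwicompat_$v.so" "$SAMBA_LIB/idmap/lwicompat_$v.so"
    done
}

# Steps 3-5: copy the domain SID and machine password from Likewise into
# Samba's secrets.tdb.  The password goes to net on stdin (-i, assumed) rather
# than on the command line, so it never shows up in `ps` or shell history.
sync_machine_account() {
    dump=$("$LW_BIN/lw-dump-machine-acct" "$1")
    sid=$(printf '%s\n' "$dump" | parse_acct DomainSID)
    pw=$(printf '%s\n' "$dump" | parse_acct 'Machine Account Password')
    if [ -z "$sid" ] || [ -z "$pw" ]; then
        echo "could not parse lw-dump-machine-acct output for $1" >&2
        return 1
    fi
    net setdomainsid "$sid"
    printf '%s\n' "$pw" | net changesecretpw -f -i
    net ads testjoin          # assumed check: the DC must accept the credential just stored
}

# Constructed sample of the dump format (placeholder values, as in the guide).
SAMPLE_DUMP='DomainSID                = S-1-5-21-aaaa-bbbbb-ccccc-ddddd
DomainName               = AD
Domain DNS Name          = AD.PLAINJOE.ORG
HostName                 = srv3
Machine Account Name     = srv3$
Machine Account Password = EncryptedStringPassword'

case "${1:-}" in
    --apply)                      # real run, as root: ./lw-samba-sync.sh --apply <dns domain>
        plugin=$(pick_lwicompat "$(smbd -V)")
        echo "Samba expects $plugin; [global] needs:"; idmap_fragment "$plugin"
        link_plugins
        sync_machine_account "${2:?dns domain name required}"
        ;;
    *)                            # dry run: exercise the parsing on the sample only
        printf '%s\n' "$SAMPLE_DUMP" | parse_acct DomainSID
        idmap_fragment "$(pick_lwicompat 'Version 3.0.26a-1478')"
        ;;
esac
```

Schedule the `--apply` run more often than the rotation interval the guide quotes (daily is plenty for a 40-day expiry); `net setdomainsid` is harmless to repeat. Two handling points: the dump output contains the live machine account password, so never redirect it into a log, and the script must run as root because secrets.tdb and the idmap directory are root-owned.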

December 18, 2008

Powershell Example

Filed under: Windows — jrasmussen0 @ 1:25 pm

What Can I Do With Windows PowerShell?

Scenario: Needed to test disaster recovery procedures at the hospital.  All employees were told to go to a website and type in a URL.

Problem: Workstations located in the doctor-patient procedure rooms don’t have that ability because patients have been known to ‘surf’ the web while waiting to be helped.

Solution: Needed to copy a new http:// shortcut to every workstation ASAP

Tools used: Active Directory Users and Computers and Powershell

1. Export a list of all Procedure Workstations from Active Directory
2. I was going to use the psexec tool but then remembered PowerShell was capable of running a foreach loop
3. Started with: cat 'secured workstations.txt' | foreach-object -process {echo copy-item 'shortcut.lnk' \\$_\c$\documents and settings\userprofile\start menu}
4. After the failure I started looking at the backslash as an escape character and putting parts of the phrase in quotes
5. Tested one computer with: echo 'computername' | foreach-object -process {copy-item 'shortcut.lnk' \\$_"\c$\documents and settings\userprofile\start menu\"}
6. Ran the final command: cat 'secured workstations.txt' | foreach-object -process {copy-item 'shortcut.lnk' \\$_"\c$\documents and settings\userprofile\start menu\"}

September 3, 2008

Powershell Script To update links

Filed under: Windows — jrasmussen0 @ 2:20 pm

Single line to deploy new shortcut to all workstations:

cat workstations.txt | ForEach-Object -Process {Copy-Item 'shortcut.lnk' -Destination "\\$_\c$\documents and settings\all users\start menu"}

If I were to work on this again I would want to add a line that would tell me what workstation was being worked on, like the untested code below.  If the computer is turned off or cannot be connected to, the error just shows up as “Copy-Item : The network path was not found” or “Copy-Item : Could not find a part of the path” without any indication of which workstation was failing.

cat workstations.txt | ForEach-Object -Process {
    $computer = $_          # keep the name: inside catch, $_ is the error record, not the host
    Write-Host "Trying to connect to $computer"
    try { Copy-Item 'shortcut.lnk' -Destination "\\$computer\c$\documents and settings\all users\start menu" -ErrorAction Stop }
    catch { Write-Warning "$computer failed: $($_.Exception.Message)" }
}

August 24, 2007

Powershell Notes

Filed under: Internet, Windows — jrasmussen0 @ 7:57 am

I’m working on a Powershell script to change the owners of every home directory to {the domain}\{the folder name}.

Here are some notes:


Blog at WordPress.com.