Active Directory Authentication From Linux

February 19, 2012

It has become a very common scenario these days to have Linux workstations or servers in a given network environment right alongside Windows Servers and Active Directory. It has long been possible to configure your Linux systems to authenticate users against the Active Directory.

Authenticating against Active Directory means that rather than configuring a discrete account for Joe Test (JTest) on your Linux server so that he can access a SAMBA share or some other service, Joe can use his account credentials from Active Directory, and in the case of SAMBA shares, his Windows workstation will handle the login seamlessly behind the scenes. This makes life easier for Joe, and much easier for the administrator who creates and manages all these accounts.

The process of configuring Linux to use Active Directory has typically been a cumbersome one, requiring the installation and configuration of various Kerberos packages as well as PAM, the Linux Pluggable Authentication Modules. But thanks to Likewise Open, recently renamed PowerBroker Identity Services Open Edition by Beyond Trust, configuring Linux to authenticate against Active Directory is now a snap, as Likewise Open installs and configures the necessary Linux packages for you.

Below are the instructions on how to get Likewise Open working. The instructions assume that you already have a working Microsoft Windows Active Directory environment as well as a working Linux desktop or server. Although there is a graphical user interface for the Likewise setup and configuration, these instructions utilize the command line so that they will work equally well on graphical desktop systems and headless servers.

If your Linux distribution does not include a Likewise Open or PowerBroker Identity Services package, you can download the one appropriate for your distribution from the vendor.

These instructions are for Ubuntu, which makes this especially easy. But as you can see, regardless of the Linux distribution, once the Likewise Open software is installed it takes only two commands to get you up and running. First, install the package:

sudo apt-get install likewise-open

After the installation is complete join the Linux machine to the Active Directory domain with this command:

sudo domainjoin-cli join YourDomain.local administrator

You should be prompted for the Windows domain administrator's password and, after a few seconds, you should receive a SUCCESS message. At this point your Linux machine is joined to the Active Directory domain just like any Windows workstation or standalone server. Rebooting the Linux machine is not always required, but is generally a good idea at this point.

Active Directory users can now log in to the Linux machine using their Active Directory account credentials. However, in most cases they need to prefix the login name with the domain name, like this: domain\account. If you only have one domain, or your users are unaccustomed to logging in this way, this can be annoying. But you can set an option that will cause Likewise to assume the default domain, so the user can enter just their login ID. To do that, execute this command on the Linux system:

sudo lwconfig assumedefaultdomain true

Now, Joe Test can log in to the Linux machine via SSH, or connect to a SAMBA share, by simply entering his Active Directory username jtest and his password when prompted.
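To tie the three commands above together, here is an added example script (not from the original post or from Likewise) that runs the install, join and default-domain steps with the checks an administrator would want around them: that the domain name resolves before attempting the join, that the join output actually contains the SUCCESS marker, and that an AD account such as jtest is visible to the Linux side both with the domain prefix and, after the option is set, without it. It assumes `domainjoin-cli query` prints "Key = Value" lines including a "Domain = ..." line, and uses the standard `getent passwd` lookup; neither appears in the post. The helper functions work on plain text so they can be exercised without a domain.

```shell
#!/bin/sh
# Added example, not the post's own code. Assumptions: `domainjoin-cli query`
# output format ("Domain = ...") and `getent passwd` as the user-visibility check.
set -e

# Succeed only if the join tool's output contains the SUCCESS marker the
# post says to expect. Pure text check, so it can be tested offline.
join_succeeded() {
    printf '%s\n' "$1" | grep -q 'SUCCESS'
}

# The login name a user must type: DOMAIN\user before assumedefaultdomain
# is set, the bare account name afterwards.
login_name() {
    domain="$1"; user="$2"; assume_default="$3"
    if [ "$assume_default" = "true" ]; then
        printf '%s\n' "$user"
    else
        printf '%s\\%s\n' "$domain" "$user"
    fi
}

# Extract the Domain value from `domainjoin-cli query` output
# (assumed format: one "Key = Value" per line). Empty if not joined.
joined_domain() {
    printf '%s\n' "$1" | sed -n 's/^Domain *= *//p' | head -n 1
}

main() {
    domain="$1"; admin="$2"; testuser="$3"

    # Step 1: install Likewise Open if the join tool is not present yet.
    command -v domainjoin-cli >/dev/null 2>&1 || sudo apt-get install -y likewise-open

    # The join needs DNS to resolve the AD domain to a domain controller.
    getent hosts "$domain" >/dev/null || { echo "cannot resolve $domain" >&2; exit 1; }

    # Step 2: join the domain; the password is prompted interactively.
    out=$(sudo domainjoin-cli join "$domain" "$admin" 2>&1) || true
    join_succeeded "$out" || { printf '%s\n' "$out" >&2; exit 1; }
    echo "joined to: $(joined_domain "$(sudo domainjoin-cli query 2>&1)")"

    # Before the option is set, the account must be looked up with the domain prefix.
    getent passwd "$(login_name "$domain" "$testuser" false)"

    # Step 3: let users log in with just their account name ...
    sudo lwconfig assumedefaultdomain true
    # ... and confirm the bare name now resolves too.
    getent passwd "$(login_name "$domain" "$testuser" true)"
}

# Usage: sh join-ad.sh run YourDomain.local administrator jtest
case "${1:-}" in
    run) main "$2" "$3" "$4" ;;
esac
```

Running `getent passwd` twice is the quickest way to tell the difference between "the join succeeded" and "users can actually log in": the first lookup proves the machine can see the account at all, the second proves the assumedefaultdomain setting took effect.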

Sweet!