Goal / Scope
Successful Active Directory authentication using Power Broker Open (formerly Likewise), and configuration of its settings.
Likewise has been around for quite a while now and can be used to join a Linux or Mac computer to an Active Directory domain. It makes quick and easy work of configuration that used to take a long time and varied between flavors of Linux. It still can be confusing.
Methodology / Process Steps
Initial installation and joining the computer to the domain
download the package / source specific to the flavor of Linux from the following location
change the attributes of the file to allow it to be run
$ sudo chmod +x [filename].sh
run the file with the following command
$ sudo sh [filename].sh
This will initiate the installation. Once the installation is complete, the next step is joining the computer to the domain:
sudo domainjoin-cli join [domain.internal] [username] (enter the account's password when prompted)
If everything is configured correctly and the command completes successfully, the computer will be joined to the domain and a request to restart will be displayed. Restarting the computer is recommended, just to complete the join cleanly.
All of the commands and settings for Power Broker will be found in the following location:
./config --list (will list the various options available)
./config --show [option name] (will display the current configuration of the option)
./config --details [option name] (will display the full details of the option)
The domain prefix for users can be set with this option.
sudo ./config UserDomainPrefix DOMAIN
(where DOMAIN is the NetBIOS name of the Active Directory domain)
The location of newly created accounts can be set with this option.
sudo ./config HomeDirTemplate %H/%U
(where %H expands to the system home directory root and %U to the username). Other options exist as well.
The login shell assigned to new user accounts by default is set with the LoginShellTemplate option.
sudo ./config LoginShellTemplate /bin/bash
By default, the login shell is /bin/sh.
The AssumeDefaultDomain option allows only the username to be entered at login; the domain name is not required. A domain name can still be specified, but if none has been entered, the value assigned in UserDomainPrefix is assumed. The accepted input for this option is either "true" or "false".
sudo ./config AssumeDefaultDomain true
(where “true” will add the value in UserDomainPrefix if a domain is not specified with the login)
Access to Linux servers can be restricted to specific Active Directory security groups. This can be achieved by the following configuration setting: RequireMembershipOf
NOTE: To review all configuration settings, the following command will list all available settings
$ ./config --list
To view the current configuration of the setting, use the following command. By default no group is specified, so any account that authenticates against Active Directory can connect.
$ ./config --show RequireMembershipOf
To add users and / or groups, the following command is used:
$ ./config RequireMembershipOf "DOMAIN\\examplegroup" "DOMAIN\\username"
To review all the details of this configuration setting, the following command will provide all information regarding this setting:
$ ./config --details RequireMembershipOf
Known Issues / Troubleshooting
This section is for the issues that have well defined and tested solutions.
Problem: Authentication fails when a security group is specified for RequireMembershipOf, but when the security group is removed, authentication succeeds.
Solution: The group may not be found. The syntax is extremely important when specifying a group name. Verify the following:
- a double backslash (\\) is used when specifying the domain
- the caret (^) is used in place of spaces
- quotes have been used (this has solved issues on certain flavors of Linux)
- issuing the following command to check for existence of the group
- verifying the user's membership of the group
If all of these things have been verified, the next step will be to verify successful domain membership.
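As an added example (not from the Power Broker documentation or the PBIS tools), the POSIX shell helpers below compose RequireMembershipOf entries according to the syntax rules above and flag the two most common mistakes before the setting is applied; the function names and the DOMAIN / group names are constructed for illustration.

```shell
#!/bin/sh
# Added helpers (not part of Power Broker Open / PBIS) for composing
# RequireMembershipOf entries. Rules from the troubleshooting section:
#   - on the ./config command line the domain separator is typed as \\
#     inside double quotes; the shell removes the quoting and hands
#     ./config the value DOMAIN\group with a single backslash
#   - a caret (^) replaces every space in a group name
#   - the whole entry is wrapped in double quotes

# pbis_entry DOMAIN "Linux Admins" -> DOMAIN\Linux^Admins
# (the value ./config actually receives after shell quote removal)
pbis_entry() {
  printf '%s\\%s\n' "$1" "$(printf '%s' "$2" | tr ' ' '^')"
}

# pbis_entry_quoted DOMAIN "Linux Admins" -> "DOMAIN\\Linux^Admins"
# (the form typed on the command line, as shown above)
pbis_entry_quoted() {
  printf '"%s\\\\%s"\n' "$1" "$(printf '%s' "$2" | tr ' ' '^')"
}

# pbis_require_cmd DOMAIN "Linux Admins" jdoe -> the complete ./config line;
# every allowed group and user is passed together, as in the command above.
pbis_require_cmd() {
  dom="$1"; shift
  cmd="sudo ./config RequireMembershipOf"
  for name in "$@"; do
    cmd="$cmd $(pbis_entry_quoted "$dom" "$name")"
  done
  printf '%s\n' "$cmd"
}

# pbis_check_entry VALUE -> 0 when VALUE follows the rules; otherwise prints
# the problem and returns 1 (first things to verify when a group is "not found")
pbis_check_entry() {
  case "$1" in
    *' '*) printf 'contains a space: use ^ in place of each space\n'; return 1 ;;
    *\\*)  return 0 ;;                       # has the DOMAIN\ separator
    *)     printf 'missing the DOMAIN\\ prefix\n'; return 1 ;;
  esac
}

pbis_require_cmd DOMAIN "Linux Admins" jdoe
```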
More information is provided in the Power Broker documentation
Enterprise Linux Administration Guide
Enterprise Group Policy Administration Guide