Centrify DirectControl Express can quickly and easily join an Ubuntu server or desktop to Active Directory and supports authentication using your Active Directory username and password or SSO using Kerberos. The same software package can be used in Express mode or can be upgraded to a supported version without reinstalling the package.
For instructions on installing software and using repositories see the InstallingSoftware page.
While Centrify provides an intelligent shell script to install the DirectControl Express agent and join the system to Active Directory, most Ubuntu users prefer to install software packages using the built in package managers like Software Center, Synaptic, Adept, Aptitude, apt-get or others.
Before you get started, make sure you have:
- The sudo password and rights to install the software regardless of the method used.
- The username and password of an Active Directory account that has permission to join a computer to AD
The first step is to enable the partner repository where the DirectControl Express package is made available. There are many ways to do this:
Via the Software Center you need to select Edit ==> Software Sources ==> Other Software (tab) and make sure the checkbox is checked for the partner repository.
- Via a terminal:
sudo add-apt-repository "deb http://archive.canonical.com/ precise partner"
Once the partner repository is enabled you may install via apt-get as follows:
sudo apt-get install centrifydc
Once this succeeds you are ready to join the system to Active Directory
Join an Ubuntu system to Active Directory
Once you have successfully install the centrifydc package you must join the system to Active Directory as follows:
sudo adjoin -w domain.name
where domain.name is the name of your Active Directory domain.
NOTE: You will need your Active Directory administrator password to run this command. You may specify a user other than the default administrator with the -u option (--user). See the adjoin manpage for more information on how to run the adjoin command as another user.
Ensuring the adjoin was successful
Assuming this is successful you should be able to run the following command to verify the join:
and the output should look something like this:
cowillia@ubuntu:~$ adinfo Local host name: ubuntu Joined to domain: centrify.se Joined as: ubuntu.centrify.se Pre-win2K name: ubuntu Current DC: se-win2k8ent.centrify.se Preferred site: Default-First-Site-Name Zone: Auto Zone CentrifyDC mode: connected Licensed Features: Disabled
That's it, you have now joined your Linux system to Active Directory! Verify authentication by attempting to log on to the Linux computer by using an Active Directory user account. When using Centrify DirectControl Express Edition, you are connected to the domain through Auto Zone, which is essentially one super zone for the forest. By default, when you join a domain by connecting to Auto Zone, all users and groups defined in Active Directory for the forest automatically become valid users and groups on the Ubuntu system.
NOTE: GDM needs to be restarted before graphical console login for an AD user will work, the easiest way is to simply restart the system.
You can also attempt to login remotely using SSH as follows:
ssh username@hostname ssh firstname.lastname@example.org
NOTE: With Centrify DirectControl Express, the domain can be implicit as long as the username is unique in the forest.
Enabling sudo for administrators
To make a Domain Group a sudoer in your ubuntu machine is to edit the file /etc/sudoers (using the command visudo) and add the following line:
%adgroup ALL=(ALL) ALL
Where, adgroup, is a group from your active directory. The group names from active directory are transformed into all lower case letters with underscores replacing spaces, so you can use %domain_admins for the Domain Admins group.