KB ID 0000384
Problem
You have a Linux client machine, and you want to authenticate to, and log into a Windows domain. I don’t have too much history with Linux, but from what I’ve read this used to be a nightmare. Using Ubuntu (10.10) I did have a couple of hiccups, but I did get there in the end.
Note: The domain controller is a Windows 2008 R2 Server.
Solution
Notes
1. The commands needed to install the “likewise-open5” package, and join the domain, (assuming the FQDN of the domain is domaina.com and the user name you are using to join the domain is administrator).
2. Then to allow users to logon from the Ubuntu welcome screen,
3. Add the following line (the file will probably be empty), to Save press CTRL+X, then Y, then {enter}.
4. Then reboot.
5. To allow sudo for the domain user(s),
Locate the line that reads “#Members of the Admin group may gain root privileges and do the following:”. Below that, type the following (assuming the domain name is domaina and the user is a member of the domain admins group, domain^users also works).
Problem 1
Error: Lsass Error [code 0x00080047]
9502 (0x251E) DNS_ERROR_BAD_PACKET – A bad packet was received from a DNS server. Potentially the requested address does not exist.
This plagued me for a while, I tried everything I read online (like making sure that my time was correct – which it wasn’t (see below), making sure firewalls were off (they were), make sure your DNS has a reverse lookup zone (mine has), and finally make sure there are no existing DNS records for the IP address you are connecting with (mine did so I deleted them). None of these fixed the problem, to fix it is annoyingly simple.
FIX
Firstly make sure that the Ubuntu client is looking at your domain DNS server, for it’s DNS, the following command will tell you,
Then get the domain syntax right, in my case the domain name.
[WORKS] sudo domainjoin-cli join domaina.com administrator [WONT WORK] sudo domainjoin-cli join DOMAINA.COM administrator [WONT WORK] sudo domainjoin-cli join domaina administrator [WONT WORK] sudo domainjoin-cli join DOMAINA administrator
And then it connected faultlessly.
Problem 2
Error: Lsass Error [code 0x00080047]
5 (0x5) ERROR_ACCESS_DENIED – Access is denied.
This turned out to be a variation on the problem above, If you put in the domain name in UPPER CASE you will see this error.
[WORKS] sudo domainjoin-cli join domaina.com administrator [WONT WORK] sudo domainjoin-cli join DOMAINA.COM administrator
If you would like to add your domain user(s) to the welcome screen click here.
Update 04/01/12
Attention: PeteNetLive – Suggestion
Message: Hi,
Thanks very much for you YouTube and description of joining Ubuntu to a domain. There was however one step extra that I needed to do to enable to logon screen to show users other than the local use and the guest account. To do this I had to add the following line to /etc/lightdm/lightdm.conf
greeter-show-manual-login=true
I was joining Ubuntu 12.10 to the domain so maybe it is specific to 12.10 since you didn’t experience it but it would be good to add it to your article along with the other fixes to issues.
Thanks again.
From: Roland Elferink
Related Articles, References, Credits, or External Links
Thanks to Roland Elferink for the update.
Original Article written 27/01/11
