You have a Linux client machine, and you want to authenticate to, and log into a Windows domain. I don't have too much history with Linux, but from what I've read this used to be a nightmare. Using Ubuntu (10.10) I did have a couple of hiccups, but I did get there in the end.

Note: The domain controller is a Windows 2008 R2 Server.

Notes

1. The commands needed to install the "likewise-open5" package, and join the domain, (assuming the FQDN of the domain is domaina.com and the user name you are using to join the domain is administrator).

sudo apt-get install likewise-open5 sudo domainjoin-cli join domaina.com administrator sudo reboot

2. Then to allow users to logon from the Ubuntu welcome screen,

sudo nano /etc/samba/lwiauthd.conf

3. Add the following line (the file will probably be empty), to Save press CTRL+X, then Y, then {enter}.

winbind use default domain = yes

4. Then reboot.

sudo reboot

5. To allow sudo for the domain user(s),

sudo nano /etc/sudoers

Locate the line that reads "\\#Members of the Admin group may gain root privileges and do the following:". Below that, type the following (assuming the domain name is domaina and the user is a member of the domain admins group, domain^users also works).

%domaina\\domain^admins ALL=(ALL) ALL

Problem 1

Error: Lsass Error [code 0x00080047]

9502 (0x251E) DNS_ERROR_BAD_PACKET - A bad packet was received from a DNS server. Potentially the requested address does not exist.

This plagued me for a while, I tried everything I read online (like making sure that my time was correct - which it wasn't (see below), making sure firewalls were off (they were), make sure your DNS has a reverse lookup zone (mine has), and finally make sure there are no existing DNS records for the IP address you are connecting with (mine did so I deleted them). None of these fixed the problem, to fix it is annoyingly simple.

FIX

Firstly make sure that the Ubuntu client is looking at your domain DNS server, for it's DNS, the following command will tell you,

cat /etc/resolv.conf

Then get the domain syntax right, in my case the domain name.

[WORKS] sudo domainjoin-cli join domaina.com administrator [WONT WORK] sudo domainjoin-cli join DOMAINA.COM administrator [WONT WORK] sudo domainjoin-cli join domaina administrator [WONT WORK] sudo domainjoin-cli join DOMAINA administrator

And then it connected faultlessly.

Problem 2

Error: Lsass Error [code 0x00080047]

5 (0x5) ERROR_ACCESS_DENIED - Access is denied.

This turned out to be a variation on the problem above, If you put in the domain name in UPPER CASE you will see this error.

[WORKS] sudo domainjoin-cli join domaina.com administrator [WONT WORK] sudo domainjoin-cli join DOMAINA.COM administrator

If you would like to add your domain user(s) to the welcome screen click here.

If this post helped you, PLEASE take the time to +1 it.

Please be aware, all information is provided free, but it does cost me to have this site hosted, if I've helped you in any way, or saved you some time/cost please take time to make a donation.

If you have anything to add to an article, or have an article you would like us to publish please feel free to contact PeteNetLive. (Please be aware I get a LOT of email, I cannot assist and fix everyone's problems, please do not be offended if you do not get a response).