Ubuntu – Joining / Logging into Windows Domains

You have a Linux client machine, and you want to authenticate to, and log into a Windows domain. I don’t have too much history with Linux, but from what I’ve read this used to be a nightmare. Using Ubuntu (10.10) I did have a couple of hiccups, but I did get there in the end.

Note: The domain controller is a Windows 2008 R2 Server.



1. The commands needed to install the “likewise-open5” package, and join the domain, (assuming the FQDN of the domain is domaina.com and the user name you are using to join the domain is administrator).

[box]sudo apt-get install likewise-open5
sudo domainjoin-cli join domaina.com administrator
sudo reboot[/box]

2. Then to allow users to logon from the Ubuntu welcome screen,

[box]sudo nano /etc/samba/lwiauthd.conf[/box]

3. Add the following line (the file will probably be empty). To save, press CTRL+X, then Y, then {enter}.

[box]winbind use default domain = yes[/box]

4. Then reboot.

[box]sudo reboot[/box]

5. To allow sudo for the domain user(s),

[box]sudo nano /etc/sudoers[/box]

Locate the line that reads “#Members of the Admin group may gain root privileges and do the following:”. Below that, type the following (assuming the domain name is domaina and the user is a member of the domain admins group, domain^users also works).

[box]%domaina\\domain^admins ALL=(ALL) ALL[/box]

Problem 1

Error: Lsass Error [code 0x00080047]

9502 (0x251E) DNS_ERROR_BAD_PACKET – A bad packet was received from a DNS server. Potentially the requested address does not exist.


This plagued me for a while. I tried everything I read online: making sure that my time was correct (it wasn’t, see below), making sure firewalls were off (they were), making sure DNS has a reverse lookup zone (mine has), and finally making sure there are no existing DNS records for the IP address you are connecting with (mine did, so I deleted them). None of these fixed the problem; the fix is annoyingly simple.


Firstly, make sure that the Ubuntu client is looking at your domain DNS server for its DNS. The following command will tell you:

[box]cat /etc/resolv.conf[/box]

Then get the domain syntax right, in my case the domain name.


[WORKS] sudo domainjoin-cli join domaina.com administrator

[WONT WORK] sudo domainjoin-cli join DOMAINA.COM administrator
[WONT WORK] sudo domainjoin-cli join domaina administrator
[WONT WORK] sudo domainjoin-cli join DOMAINA administrator


And then it connected faultlessly.

Problem 2

Error: Lsass Error [code 0x00080047]

5 (0x5) ERROR_ACCESS_DENIED – Access is denied.

This turned out to be a variation on the problem above. If you put in the domain name in UPPER CASE you will see this error.


[WORKS] sudo domainjoin-cli join domaina.com administrator

[WONT WORK] sudo domainjoin-cli join DOMAINA.COM administrator
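
An added example (not part of the original article): a preflight script for the two conditions that resolved Problem 1 and Problem 2, namely that the domain is given as a lower-case FQDN and that resolv.conf lists the domain's DNS server. The function names, the sample file and the 192.0.2.10 / 198.51.100.53 addresses are assumptions made up for illustration.

```shell
#!/bin/sh
# Added example, not from the original article: preflight for the two
# domainjoin-cli failures above. 192.0.2.10 is a placeholder DNS address.

# valid_join_name NAME: succeed only for a lower-case FQDN such as domaina.com.
valid_join_name() {
    case "$1" in
        *[[:upper:]]*) return 1 ;;   # DOMAINA.COM, DOMAINA
        *.*) ;;                      # needs at least one dot
        *) return 1 ;;               # short name such as "domaina"
    esac
    printf '%s\n' "$1" | LC_ALL=C grep -Eq '^[a-z0-9-]+(\.[a-z0-9-]+)+$'
}

# resolv_points_at FILE IP: succeed if FILE has an active "nameserver IP" line.
resolv_points_at() {
    awk -v ip="$2" '$1 == "nameserver" && $2 == ip { hit = 1 }
                    END { exit !hit }' "$1"
}

# preflight NAME DNS_IP [FILE]: print each failed check; exit status = failures.
preflight() {
    pf_file=${3:-/etc/resolv.conf}
    pf_fails=0
    if ! valid_join_name "$1"; then
        echo "domain '$1' is not a lower-case FQDN"
        pf_fails=$((pf_fails + 1))
    fi
    if ! resolv_points_at "$pf_file" "$2"; then
        echo "$pf_file does not list nameserver $2"
        pf_fails=$((pf_fails + 1))
    fi
    return "$pf_fails"
}

# Constructed sample resolv.conf so the example runs offline.
sample=$(mktemp)
printf '# constructed sample\nnameserver 192.0.2.10\n' > "$sample"
preflight domaina.com 192.0.2.10 "$sample" && echo "ok to run domainjoin-cli join"
preflight DOMAINA.COM 198.51.100.53 "$sample" || echo "fix the above before joining"
```

On a real client, call preflight with the domain controller's DNS address and omit the third argument so that /etc/resolv.conf is read.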


If you would like to add your domain user(s) to the welcome screen click here.

Update 04/01/12

Attention:  PeteNetLive – Suggestion 

Message: Hi,

Thanks very much for your YouTube and description of joining Ubuntu to a domain.  There was however one step extra that I needed to do to enable the logon screen to show users other than the local user and the guest account.  To do this I had to add the following line to /etc/lightdm/lightdm.conf


I was joining Ubuntu 12.10 to the domain so maybe it is specific to 12.10 since you didn’t experience it but it would be good to add it to your article along with the other fixes to issues.

Thanks again.

From: Roland Elferink

Enabling DNS Lookups on Cisco Devices

For the most part, devices are more concerned with IP and MAC addresses, but the devices do have the ability to translate those IP addresses using DNS.


How to Enable DNS Lookups on Cisco ASA5500

As ASA is ‘My Thing’ I will start with that.

1. Connect to the ASA, log in and go to enable mode, and then global configuration mode.


Type help or '?' for a list of available commands.
PetesASA> enable
Password: **********
PetesASA# configure terminal


2. If you have corporate DNS servers on your LAN you might prefer to use those, in which case you would use ‘inside’ as opposed to ‘outside’. (Note: Your interfaces might not have these names, let common sense prevail).


PetesASA(config)# dns domain-lookup outside


3. There are two ways to specify the actual DNS servers. I’ll show both, though I suggest that in future versions only the second way will work!


The Original Way

PetesASA(config)# dns name-server
PetesASA(config)# exit

The New Way

PeteASA(config)# dns server-group DefaultDNS
PeteASA(config-dns-server-group)# name-server
PeteASA(config-dns-server-group)# name-server
PeteASA(config-dns-server-group)# exit


4. To test it, simply ping a hostname and see if it works.


PetesASA# ping www.google.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/20/20 ms

5. Save the changes.


PetesASA# write mem
Building configuration...
Cryptochecksum: ac21d44c 109662c4 66495572 e5a106c7

49756 bytes copied in 3.540 secs (16585 bytes/sec)



How to Enable DNS Lookups on Cisco IOS Device

Below I’ll setup DNS lookups on a Cisco Router, but the process is the same for a Catalyst switch.

1. Connect to the device, log in and go to enable mode, and then global configuration mode. By default DNS lookups are enabled (you would disable them with a no ip domain-lookup command), but let’s make sure.


PetesRouter#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
PetesRouter(config)#ip domain-lookup


2. Now specify the DNS server you want to use.


PetesRouter(config)#ip name-server
PetesRouter(config)#ip name-server
*Jul 17 18:17:26.099: %SYS-5-CONFIG_I: Configured from console by console


3. To test it, simply ping a hostname and see if it works.


PetesRouter#ping www.google.com 


Translating "www.google.com"...domain server ( [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/28/36 ms


4. Save the changes.


PetesRouter#write mem
Building configuration...



