Parallel AD domain cannot log into Ubuntu desktop with domain accounts

I have a Windows 2012 AD domain working well for Windows and Apple Mac computers. Apple Mac can simply login using the domain account.

I’ve installed a UCS server to test Ubuntu domain joins. But I’ve been unable to log in to the Ubuntu desktop with any domain account. The error is that the password is incorrect, but it’s 100% correct, as we can use it to log in to Windows computers, for example.
Furthermore, when the login fails, Ubuntu takes you back to the account selector and my domain account is showing there. So the login attempt is matching the domain account but is failing for authentication.

The steps to set it up are simple:

  1. install ucs VM server
  2. join existing AD domain

Then from the Ubuntu desktop I add the PPA and install the Univention tool for joining the Ubuntu system to the UCS domain.

In the “devices” I see the Ubuntu system there but not in AD. It is only visible in UCS “devices”.

I was expecting this Ubuntu computer to be domain-joined in AD and visible in UCS.

I don’t want to run a separate UCS domain. I do want to extend the functionality of the existing domain so that I can manage Ubuntu desktops in terms of user account authentication at a minimum. Is this possible?

Hello @tonyppe,

In this scenario, UCS will only be a member server of the Microsoft AD domain. It will do a one-way sync of users, groups (and computers) from the MS AD to UCS - but not the other way round!

The Univention Domain Join Assistant will join your Ubuntu to UCS, but it won’t get synced to the Microsoft AD Domain Controller. I suppose this is also the reason why you can’t log in. Domain authentication via Kerberos will be performed against or forwarded to the Microsoft AD Domain Controller, which has no knowledge of the Ubuntu client.

I’m afraid you combined two scenarios that work well on their own with UCS, but don’t work well together.

The main purpose of joining UCS to an existing MS AD domain is that UCS can then provide Linux-based applications (e.g. Apps from the Univention App Center) for users, groups (and computers) that already exist in the MS AD domain.

The Univention Domain Join Assistant will join an Ubuntu-based client to a UCS domain (create a computer account in the OpenLDAP directory of UCS, set a password, configure the client to use the UCS Master as LDAP, Kerberos, DNS and time server). Period.

I can think of ways to get your scenario working, but then we are talking about a project backed by our professional services team and not about out-of-the-box product features.

Best regards,
Michael Grandjean
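The failure mode Michael describes (the client's computer account exists only in UCS's OpenLDAP while Kerberos authentication ends up at an AD DC that never saw that account) can be confirmed from the client side before opening a support case. The following triage script is an added example, not code from this thread or from Univention: it parses the stanza/brace layout of `/etc/krb5.conf` to report which realm and KDC the client talks to, and cross-checks the client's hostname against computer lists exported from AD and from UCS. The config text, realm, hostnames and both computer lists are constructed placeholders; in practice you would pass in the real file and the output of `ldapsearch` (or `dsquery` on the AD side).

```python
"""Triage for the 'UCS member of AD, Ubuntu joined to UCS' login failure.

Added example; all sample data below is constructed and not taken from the
thread. Realm and host names are placeholders.
"""
import re

# Constructed sample of a krb5.conf as a Domain Join Assistant-style join
# might leave it: the client is pointed at the UCS host as its KDC.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.INTRANET
    dns_lookup_kdc = false

[realms]
    EXAMPLE.INTRANET = {
        kdc = ucs-master.example.intranet    # placeholder host
        admin_server = ucs-master.example.intranet
    }

[domain_realm]
    .example.intranet = EXAMPLE.INTRANET
"""

# Constructed computer lists: what an export from AD and from the UCS
# OpenLDAP directory might contain. Only UCS knows the Ubuntu client,
# matching the one-way AD -> UCS sync described in the reply.
AD_COMPUTERS = ["WIN-PC01", "MAC-01", "UCS-MASTER"]
UCS_COMPUTERS = ["win-pc01", "mac-01", "ucs-master", "ubuntu-desk01"]


def parse_krb5_conf(text):
    """Return {'default_realm': str|None, 'realms': {REALM: {key: [values]}}}.

    Understands [section] headers, 'key = value' lines and the
    'REALM = { ... }' blocks under [realms]; '#' comments are stripped.
    """
    result = {"default_realm": None, "realms": {}}
    section = None
    realm = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"\[(\w+)\]$", line)
        if header:
            section, realm = header.group(1), None
            continue
        if section == "libdefaults":
            key, _, val = line.partition("=")
            if key.strip() == "default_realm":
                result["default_realm"] = val.strip()
        elif section == "realms":
            opener = re.match(r"(\S+)\s*=\s*\{$", line)
            if opener:
                realm = opener.group(1)
                result["realms"].setdefault(realm, {})
            elif line == "}":
                realm = None
            elif realm is not None:
                key, _, val = line.partition("=")
                result["realms"][realm].setdefault(key.strip(), []).append(val.strip())
    return result


def diagnose(krb5_text, ad_hosts, ucs_hosts, client_host):
    """Cross-check where the client authenticates against who knows the host."""
    info = parse_krb5_conf(krb5_text)
    realm = info["default_realm"]
    kdcs = info["realms"].get(realm, {}).get("kdc", [])
    name = client_host.lower()
    report = {
        "realm": realm,
        "kdcs": kdcs,
        "in_ad": name in {h.lower() for h in ad_hosts},
        "in_ucs": name in {h.lower() for h in ucs_hosts},
    }
    if report["in_ucs"] and not report["in_ad"]:
        report["finding"] = (
            f"{client_host} has a computer account in UCS LDAP but none in AD; "
            "the AD -> UCS sync is one-way, so AD will never learn about it"
        )
    else:
        report["finding"] = "no computer-account gap between AD and UCS detected"
    return report


if __name__ == "__main__":
    r = diagnose(SAMPLE_KRB5_CONF, AD_COMPUTERS, UCS_COMPUTERS, "ubuntu-desk01")
    print(f"realm={r['realm']} kdc={','.join(r['kdcs'])}")
    print(r["finding"])
```

Running it on the constructed data reports the realm and KDC from the config and flags the client as present in UCS but absent from AD, which is exactly the situation the reply describes; on a real client, substitute the contents of `/etc/krb5.conf` and the two directory exports.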

Thanks for the information.

Happy to speak with your project team. I like how the UCS system is joined to the AD domain. Do you have the packages in a git repository somewhere that I could use within Ubuntu to try it out there?
