Part 11: How to use SSH to connect to an Active Directory
SSH cannot connect to an Active Directory server directly, as far as I have been able to find out. What will connect is a Linux computer on the same local network as the AD server and SSH will connect me to that computer. So this article is not really about SSH per se, but I hope that it is found to be useful nevertheless. Note that I have not tried this method on flavours of Linux other than Ubuntu.
Assumptions: by following the instructions in the previous sections, you have been able to set up a Ubuntu server at work and are able to connect to it, using reverse tunneling, from your home Linux server. Furthermore, as per sections 3 and 4, you are able to connect to your home server from anywhere in the world.
UPDATE: You don't have to install "Likewise" as intructed to below!
Just do the following:
1. make a directory for where you want to mount the Active Directory share: e.g. "mkdir $HOME/AD_Users" or "mkdir /mnt/officeUsers"
2. Use the smbmount command as seen below in the list of useful commands.
Installation
You'll have to install the "LikeWise Open" package |
sudo aptitude search likewise sudo apt-get install likewise-open-gui |
The following command will join your Ubuntu server to the Active Directory domain. You will need to replace "$DOMAIN" with the domainname (e.g. ABC.PRI) and $USERNAME with your username |
sudo domainjoin-cli join $DOMAIN $USERNAME |
This is another commant that you just need to run once (to update all of the Ubuntu startup scripts) The results of the command are also shown. |
sudo update-rc.d likewise-open defaults <enter your sudo password here> Adding system startup for /etc/init.d/likewise-open ... /etc/rc0.d/K20likewise-open -> ../init.d/likewise-open /etc/rc1.d/K20likewise-open -> ../init.d/likewise-open /etc/rc6.d/K20likewise-open -> ../init.d/likewise-open /etc/rc2.d/S20likewise-open -> ../init.d/likewise-open /etc/rc3.d/S20likewise-open -> ../init.d/likewise-open /etc/rc4.d/S20likewise-open -> ../init.d/likewise-open /etc/rc5.d/S20likewise-open -> ../init.d/likewise-open |
Finally, start the likewise-open daemon. I think that it may have already been started by one of the commands above, but it doesn't hurt to make sure. |
sudo /etc/init.d/likewise-open start * Starting the Likewise-open auth daemon |
Usage
Once likewise-open is installed, there are a number of useful commands that you can use. Since they all begin with "smb", you can list them by typing "smb<TAB><TAB>" on the Ubuntu commandline.
Command | Explanation |
---|---|
smbtree | This will list all machines on the network. You can use it to find servers to connect to. Don't need a password most of the time. You can also try options -D or -S |
smbclient //servername/users | This connects you to the folder specified in a way that is very similar to an FTP connection.
You can automatically specify your username (and password) by adding "-U username%password" |
smbclient -L //servername | This will list all of the services on the server. Again, you'll probably need to add "-U username". For some reason, I am also getting the output of SMBTREE after the services are listed! |
smbclient -I //10.10.1.6 | This is supposed to list what services are available on the server specified by the IP address. I can't get it to work. |
smbmount //10.10.1.6/users $HOME/AD_Users -o user=$USERNAME dom=$DOMAIN | This is the most useful command. It will mount the AD share called "users" onto your local directory
(named AD_Users in this example). Note: This mount will remain even when you log off. This means that anyone else who has sudo rights on your Ubuntu server can access your Active Directory folder. The folder is only unmounted by rebooting the server or by the following command. |
smbumount $HOME/AD_Users | This will unmount your Active Directory shares. |
FileZilla
Now, it is really easy to use an FTP program like FileZilla to access not just Work-LinSrv, but your mounted Active Directory shares.
- Start PuTTY. Connect to your home server (Fishbuntu). Include the tunnel 5533:localhost:5522
- Start FileZilla. Make a "Site" like the following.
How it works:- What this does is ask FileZilla to make an SSH connection to port 5533 on your computer.
- Putty takes port 5533 from your computer and forwards it on to port 5522 on Fishbuntu.
- There is already a reverse tunnel from Work-LinSrv listening on port 5522 on Fishbuntu.
- It takes everything from port 5522 on Fishbuntu and sends it to port 22 on Work-LinSrv.
- This means that the SFTP requests from FileZilla go to your work server seamlessly.
- Now you can connect to your Linux server at the office and browse/updload/download the files there, as well as browse the folders that contain your Active Directory shares. (Sorry, for privacy reasons, I can't show you my Active Directory shares and files.)