Integrate Ubuntu 16.04 to AD as a Domain Member with Samba and Winbind – Part 8


Matei Cezar

I'm a computer-addicted guy, a fan of open source and Linux-based system software, and have about 4 years of experience with Linux distributions (desktop and servers) and bash scripting.


8 Responses

  1. Hannes van Vuuren says:

    Useful tidbit: you don’t *have* to (and probably shouldn’t without good reason) use Domain Admin privileges to join a member to the domain (net ads join) despite the poor error message given by the net tool.

    Delegate the ability to create objects in the Computers subdir of your AD tree to a “joiner” user using MS RSAT tools. See: https://community.spiceworks.com/topic/95291-minimum-permission-needed-to-join-computer-to-domain

  2. Jay says:

    Following this guide on Debian Stretch, Winbind would fail to start.
    Instead, syslog was saying “Could not fetch our SID – did we join?” and “unable to initialize domain list”.

    I had to edit /etc/nsswitch.conf and add “wins” to “hosts”, i.e.: “hosts: files dns wins”
    Apparently there was some kind of name resolution problem, even though my resolv.conf was pointing to the domain controller host (running Samba).

    Unfortunately, I’ve yet to figure out why “net ads join -U Administrator” is not working. Kinit and klist work, and “net ads join” accepts the password but after that just exits with
    “Failed to join domain: failed to connect to AD: No results returned”

    • Jay says:

      Ok, “No results returned” mystery finally solved: there was slapd (OpenLDAP) running on the same host, so apparently “net ads join” was interrogating it, and obviously getting no results. Uninstalling slapd fixed it.

      • Matei Cezar says:

        Yes, Samba has its own LDAP database built-in. Never configure Samba4 as a domain controller with LDAP service installed on the same host.

        • Hannes van Vuuren says:

          Note though that it is possible (and probably advisable for very large installations) to use a separate OpenLDAP server as back-end for Samba Domain Controllers. I haven’t tried it myself, though, but I suspect in such a case the Samba DC will still serve LDAP and the OpenLDAP server will have to be on a separate machine (or set of ports).

  3. David says:

    If I may: it is not the /etc/pam.d/common-account file that should be used for the pam_mkhomedir.so module, but rather /etc/pam.d/common-session.

  4. Vijay Kadadi says:

    Is it possible to do this same setup (AD+DNS) on CentOS 7?

  5. David says:

    Excellent article and really very clear. Why not use the SSSD daemon for your article? What do you think are the advantages and disadvantages of authentication over SSSD compared to Winbind? Thank you for your reply.
