Integrate Ubuntu 16.04 to AD as a Domain Member with Samba and Winbind – Part 8

If You Appreciate What We Do Here On TecMint, You Should Consider:

  1. Stay Connected to: Twitter | Facebook | Google Plus
  2. Subscribe to our email updates: Sign Up Now
  3. Get your own self-hosted blog with a Free Domain at ($3.95/month).
  4. Become a Supporter - Make a contribution via PayPal
  5. Support us by purchasing our premium books in PDF format.
  6. Support us by taking our online Linux courses

We are thankful for your never ending support.

Matei Cezar

I’am a computer addicted guy, a fan of open source and linux based system software, have about 4 years experience with Linux distributions desktop, servers and bash scripting.

Your name can also be listed here. Got a tip? Submit it here to become an TecMint author.

RedHat RHCE and RHCSA Certification Book
Linux Foundation LFCS and LFCE Certification Preparation Guide

You may also like...

31 Responses

  1. Malc P says:

    Hi – very comprehensive, clear and useful/usable instructions, appreciate the time and effort going in to this.

    I have a query on password which I’d appreciate some help on if it’s appropriate in this forum (if not, could someone point me in the right direction please?):

    I’m setting up a UBUNTU 16.04LTS server system running a database app and I want users to connect from their desktops using PuTTY in SSH mode using their windows ADS credentials. I can tell PuTTY to connect using the System Username option and the terminal prompt comes up with something like “Using username “FredBloggs” followed by “[email protected][desktop IP]’s password:”

    Any idea how I can get this to use the user’s Windows password (we can safely assume they’ve logged in to Windows successfully with their password so it’s not necessary to type it in again).

    Many thanks

    • Matei Cezar says:

      Integrate the database server into the AD and use the AD credentials to login to the database server via SSH. You want to automate SSH logins via Putty with AD logged in accounts in Windows? In Windows 10 I think it can be done via Bash shell scripts edited under windows with Windows Subsystem for Linux. In windows 7 you should install Cygwin environment and automate the process from there.

  2. pixel says:

    I am unable to change domain user password. All other things work fine. Able to login and have sudo rights to domain admins but unable to change password. why this cause? when login with domain user and do a passwd the following error occurs.

    passwd: Authentication token manipulation error
    passwd: password unchanged

    how to fix this?

    • Matei Cezar says:

      Have You tried to remove “use_authtok” option from /etc/pam.d/common-account as detailed in point 15?

      • pixel says:

        yes i have removed it but i am not able to change password.

      • pixel says:

        any solution Matei?

        • Matei Cezar says:

          Seems to be a bug with pam authentication modules on the client side. I suggest you change the domain password complexity level on the DC with the following commands and check if the problem solves.
          samba-tool domain passwordsettings show
          samba-tool domain passwordsettings -h

          • pixel says:

            ERROR(ldb): uncaught exception – ldb_search: invalid basedn ‘(null)’
            File “/usr/lib/python2.7/dist-packages/samba/netcmd/”, line 175, in _run
            return*args, **kwargs)
            File “/usr/lib/python2.7/dist-packages/samba/netcmd/”, line 1150, in run

            this error occurred when i ran samba-tool domain passwordsettings show .

  3. pieter says:

    Hi, after a day of issues, it seems to an cifs mount from the AD is fighting with the ldap implementation.

    I’m using the following line in /etc/fstab

    // /media/Data cifs credentials=/home/pcoussem/.smbcredentials_general,_netdev,iocharset=utf8,sec=ntlm,rw,file_mode=0777,dir_mode=0777 0 0

    This share should be accessible for all user (local and ldap). I added a symlink to the home drives of all user (actually in skeleton), but this seems not to work properly (browsing files in folders besides the symlink hangs).

    How can I solve this?

    • Matei Cezar says:

      Edit samba configuration file and allow symlink access with the below parameters set:
      allow insecure wide links = yes

      follow symlinks = yes
      wide links = yes

  4. Matei Cezar says:

    System users overlap domain users? All? You could try to log in with the domain counterpart, eg: domain\domain_user or [email protected].
    But make sure the statement winbind use default domain is set to false in smb.conf.
    Domain policy don’t apply in Linux. You could add some scripts in /etc/skel/ directory to manage some stuff.

  5. pieter says:


    Works as a charm.

    I have one issue nonetheless. My current server was already in use for some time and has already some users, to make thing worse, they have the same name as the LDAP users (which made sense at the creation time).

    Is there a way to specify to use the ldap account during login? Otherwise I’m always redirected to existing account?

    Could the existing accounts and the ldap accounts be linked (e.g. the same home drive?)

    I would also like to run a script when a home for an ldap users is created (basically, create some symlinks, add a printer). Where and how should this be defined? Should/could this be setup on the AD host, or should this be done on the integrated server?


    • pieter says:

      I solved it.

      samba setting: winbind use default domain = true, made the difference when having multiple accounts already on the server
      I changed the skeleton setup to fix the symlink.

Got something to say? Join the discussion.

Your email address will not be published. Required fields are marked *