Integrate Ubuntu 16.04 to AD as a Domain Member with Samba and Winbind – Part 8

Matei Cezar

I’m a computer addicted guy, a fan of open source and Linux-based system software, and have about 4 years of experience with Linux distributions (desktop, servers) and bash scripting.

31 Responses

  1. bouchta says:

    I meet with is that I try to connect to the ace on the client Ubuntu to ldap with lightdm, it tells me that the password is expired but it still logs in, and it does not propose that I change the password

  2. bouchta says:

    Thank you for this tutorial, it is very easy to use, bravo. In any case, the only problem that I meet with is that I try to connect to the ace on the client with lightdm, it tells me that the password is expired but it still logs in, and it does not propose that I change the password

  3. Jason S says:

    I found that running Ubuntu 16.04 that step 19 needs to be modified.

    Instead of:
    %YOUR_DOMAIN\\your_domain\ group ALL=(ALL:ALL) ALL

    I had to put in:
    %your_domain\ group ALL=(ALL:ALL) ALL

    • bouchta says:

      Doesn’t work. In command line password change is okay, but in Lightdm I don’t have a change password dialog and I can’t connect to client AD with old password.
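The two sudoers forms in Jason S's comment differ only in whether the group name carries the domain prefix; the name in the rule has to be the one `getent group` resolves on that machine. The sketch below is an added example, not code from the article or the commenter: it escapes a group name for sudoers and syntax-checks the rule with `visudo -cf` before installing it. The function names, the drop-in path and the sample group names are assumptions.

```shell
#!/bin/sh
# Added example: build and syntax-check a sudoers rule for an AD group.
# Function names and the drop-in path are hypothetical choices.

# Backslash-escape the characters sudoers treats as special inside a name
# (backslash, '!', '=', ':', ',', '(', ')') plus spaces.
escape_sudoers_name() {
    name=$1
    out=
    while [ -n "$name" ]; do
        rest=${name#?}          # everything after the first character
        ch=${name%"$rest"}      # the first character
        case $ch in
            '\'|'!'|'='|':'|','|'('|')'|' ') out="$out\\$ch" ;;
            *) out="$out$ch" ;;
        esac
        name=$rest
    done
    printf '%s\n' "$out"
}

# Print the rule for a group, named exactly as `getent group` shows it.
sudoers_group_rule() {
    printf '%%%s ALL=(ALL:ALL) ALL\n' "$(escape_sudoers_name "$1")"
}

# Install the rule as a drop-in only if the group resolves through NSS
# and visudo accepts the syntax. Run as root.
install_group_rule() {
    group=$1
    dropin=${2:-/etc/sudoers.d/ad-admins}
    getent group "$group" >/dev/null ||
        { echo "group does not resolve: $group" >&2; return 1; }
    tmp=$(mktemp) || return 1
    sudoers_group_rule "$group" >"$tmp"
    rc=0
    visudo -cf "$tmp" >/dev/null &&
        install -m 0440 -o root -g root "$tmp" "$dropin" || rc=1
    rm -f "$tmp"
    return "$rc"
}
```

For the constructed name `domain admins` the rule comes out as `%domain\ admins ALL=(ALL:ALL) ALL`; for `EXAMPLE\domain admins` it comes out as `%EXAMPLE\\domain\ admins ALL=(ALL:ALL) ALL`.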

  4. Martin says:

    Hi, I cannot add a Linux machine to my domain. I can do the management of my SAMBA4 as you explained in parts 1, 2, 3, but now when I try to add a Linux desktop my ADC is blocked.

    I received this:

    [email protected]:~$ kinit [email protected]
    Password for [email protected]:
    Warning: Your password will expire in 38 days on Wed 09 Aug 2017 04:24:11 PM ART
    [email protected]:~$ sudo klist
    klist: Credentials cache file '/tmp/krb5cc_0' not found
    [email protected]:~$

  5. João Manuel Alvaro Nunes says:

    My AD users are not sudoers, what did I do wrong? I cannot find the “Domain” on local groups of Ubuntu.

  6. Hannes van Vuuren says:

    Useful tidbit: you don’t *have* to (and probably shouldn’t without good reason) use Domain Admin privileges to join a member to the domain (net ads join) despite the poor error message given by the net tool.

    Delegate the ability to create objects in the Computers subdir of your AD tree to a “joiner” user using MS RSAT tools. See:

  7. Jay says:

    Following this guide on Debian Stretch, Winbind would fail to start.
    Instead, syslog was saying “Could not fetch our SID – did we join?” and “unable to initialize domain list”.

    I had to edit /etc/nsswitch.conf and add “wins” to “hosts”, i.e: “hosts: files dns wins”
    Apparently there was some kind of name resolution problem, even though my resolv.conf was pointing to the domain controller host (running Samba).

    Unfortunately, I’ve yet to figure out why “net ads join -U Administrator” is not working. Kinit and klist work, and “net ads join” accepts the password but after that just exits with
    “Failed to join domain: failed to connect to AD: No results returned”

    • Jay says:

      Ok, “No results returned” mystery finally solved: there was slapd (OpenLDAP) running on the same host, so apparently “net ads join” was interrogating it, and obviously getting no results. Uninstalling slapd fixed it.

      • Matei Cezar says:

        Yes, Samba has its own LDAP database built-in. Never configure Samba4 as a domain controller with LDAP service installed on the same host.

        • Hannes van Vuuren says:

          Note though that it is possible (and probably advisable for very large installations) to use a separate OpenLDAP server as back-end for Samba Domain Controllers. I haven’t tried it myself, though, but I suspect in such a case the Samba DC will still serve LDAP and the OpenLDAP server will have to be on a separate machine (or set of ports).

  8. David says:

    If I may: it is not the /etc/pam.d/common-account file that should be used but rather /etc/pam.d/common-session about the module.

  9. Vijay Kadadi says:

    Is it possible to do this same setup (AD+DNS) on Centos7?

  10. David says:

    Excellent article and really very clear. Why not use the SSSD daemon for your article? What do you think are the advantages and disadvantages of authentication over SSSD compared to Winbind? Thank you for your reply.
