Integrate Ubuntu 16.04 to AD as a Domain Member with Samba and Winbind – Part 8

Matei Cezar

I am a computer-addicted guy, a fan of open source and Linux-based system software, and have about 4 years of experience with Linux desktop and server distributions and bash scripting.

53 Responses

  1. froce says:

    Sorry for my poor English.

    I followed the article, and everything is right. I succeeded in joining my AD and can use an AD account as an Ubuntu account. But when I want to share a folder, I can see the folder but I can’t connect to the folder.

    On Windows, it gets ERROR 53 「The network path was not found」.
    On Ubuntu, it gets 「NT_STATUS_BAD_NETWORK_NAME」.

    Here is my smb.conf configuration.

    [global]
    workgroup = [AD]
    realm = [AD]
    netbios name = S676100003
    security = ADS
    dns forwarder = [AD's IP]
    idmap config * : backend = tdb
    idmap config *:range = 50000-1000000
    template homedir = /home/%D/%U
    template shell = /bin/bash
    winbind use default domain = true
    winbind offline logon = false
    winbind nss info = rfc2307
    winbind enum users = yes
    winbind enum groups = yes
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes
    [Backup]
    comment = Backup file store
    path = /BACKUP
    valid users = "[AD account(like:AD\user)]"
    public = yes
    writable = yes
    create mode = 0600
    directory mode = 0700
    
    • froce says:

      Sorry, I found what was wrong and now it works. Thanks.

      • Shiva says:

        Hi, I am not able to get this Samba folder to work.

        Here is my smb.conf

        [global]
        workgroup = ITTIAM
        realm = ITTIAM.COM
        netbios name = IN0164LINUX
        security = ADS
        dns forwarder = 172.20.47.254
        idmap config * : backend = tdb
        idmap config *:range = 50000-1000000
        template homedir = /home/%D/%U
        template shell = /bin/bash
        winbind use default domain = true
        winbind offline logon = false
        winbind nss info = rfc2307
        winbind enum users = yes
        winbind enum groups = yes
        vfs objects = acl_xattr
        map acl inherit = Yes
        store dos attributes = Yes
        [work]
        comment = test
        path = /shii
        browseable = yes
        writable = yes
        #valid users = ITTIAM\in0164
        guest ok = yes
        
    • Matei Cezar says:

      Be aware that Linux is case sensitive. BACKUP and backup are different names on the filesystem.

  2. Jim Compton says:

    This was freakin awesome! Thank you!

    It worked well up to the net ads join, which came back with not having a record in my Windows Server 2008 R2 DNS server. It refused to dynamically update. Finally, I created an A record for the Linux box, and it ran like a champ!

    I’ve been looking for how to do this for ages, and finally a step by step that I can use out of the box.

  3. Preston Vertich says:

    I have the Linux machine added to AD and everything up till step 17 was flawless, but for whatever reason I get:

    $ su - your_ad_user
    su: Authentication failure
    

    I do not know where to go from here. Any assistance would be appreciated.

    • Matei Cezar says:

      The Linux machine was not correctly added into the Samba realm. Also verify DNS resolution to see if you can reach the domain controller, and check the firewall rules.

  4. Andy Kostka says:

    Hi,

    When I try to test whether the machine was integrated into the realm with the wbinfo command, I get:

    could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
    could not obtain winbind domain name!

    Error looking up domain users

  5. Denis says:

    Hello, problem in step 9:

    Error:
    # net ads join -U Administrator
    Enter Administrator’s password:
    kinit succeeded but ads_sasl_spnego_gensec_bind (KRB5) failed: Invalid credentials
    Failed to join domain: failed to connect to AD: Invalid credentials

    The Administrator password in AD is correct. On Windows it works correctly. Has anyone had this problem? How can I solve it? I noticed that it could be a fault in my AD (Samba 4).

  6. Malc P says:

    Hi – very comprehensive, clear and useful/usable instructions, appreciate the time and effort going in to this.

    I have a query on password which I’d appreciate some help on if it’s appropriate in this forum (if not, could someone point me in the right direction please?):

    I’m setting up a UBUNTU 16.04LTS server system running a database app and I want users to connect from their desktops using PuTTY in SSH mode using their windows ADS credentials. I can tell PuTTY to connect using the System Username option and the terminal prompt comes up with something like “Using username “FredBloggs” followed by “[email protected][desktop IP]’s password:”

    Any idea how I can get this to use the user’s Windows password (we can safely assume they’ve logged in to Windows successfully with their password so it’s not necessary to type it in again)?

    Many thanks
    Malc

    • Matei Cezar says:

      Integrate the database server into the AD and use the AD credentials to log in to the database server via SSH. You want to automate SSH logins via PuTTY with AD logged-in accounts in Windows? In Windows 10 I think it can be done via Bash shell scripts edited under Windows with Windows Subsystem for Linux. In Windows 7 you should install the Cygwin environment and automate the process from there.

  7. pixel says:

    I am unable to change a domain user's password. All other things work fine. I am able to log in and have sudo rights for domain admins, but I am unable to change the password. What causes this? When I log in as a domain user and run passwd, the following error occurs.

    passwd: Authentication token manipulation error
    passwd: password unchanged

    How do I fix this?

    • Matei Cezar says:

      Have you tried to remove the “use_authtok” option from /etc/pam.d/common-account as detailed in point 15?

      • pixel says:

        Yes, I have removed it, but I am not able to change the password.

      • pixel says:

        Any solution, Matei?

        • Matei Cezar says:

          Seems to be a bug with PAM authentication modules on the client side. I suggest you change the domain password complexity level on the DC with the following commands and check if the problem is solved.
          samba-tool domain passwordsettings show
          samba-tool domain passwordsettings -h

          • pixel says:

            ERROR(ldb): uncaught exception – ldb_search: invalid basedn ‘(null)’
            File “/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py”, line 175, in _run
            return self.run(*args, **kwargs)
            File “/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py”, line 1150, in run
            “lockOutObservationWindow”])

            This error occurred when I ran samba-tool domain passwordsettings show.

  8. pieter says:

    Hi, after a day of issues, it seems that a CIFS mount from the AD is fighting with the LDAP implementation.

    I’m using the following line in /etc/fstab

    //172.19.32.50/Data /media/Data cifs credentials=/home/pcoussem/.smbcredentials_general,_netdev,iocharset=utf8,sec=ntlm,rw,file_mode=0777,dir_mode=0777 0 0

    This share should be accessible for all users (local and LDAP). I added a symlink to the home drives of all users (actually in the skeleton), but this seems not to work properly (browsing files in folders besides the symlink hangs).

    How can I solve this?

    • Matei Cezar says:

      Edit samba configuration file and allow symlink access with the below parameters set:
      [global]
      allow insecure wide links = yes

      [share]
      follow symlinks = yes
      wide links = yes
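
Added example, not part of the thread or of the TecMint article: `wide links = yes` lets smbd follow symlinks that point outside the share path, and `allow insecure wide links = yes` removes the safeguard that disables wide links while UNIX extensions are enabled. The Python below audits smb.conf text for these settings and for guest access (`guest ok` or its synonym `public`), as seen in the configurations quoted in this thread; the function name, finding strings and sample file are assumptions constructed for illustration.

```python
import configparser

TRUE = {"yes", "true", "1", "on"}

# Constructed sample assembled from settings quoted in this thread
SAMPLE = """
[global]
    security = ADS
    template homedir = /home/%D/%U
    allow insecure wide links = yes
[share]
    follow symlinks = yes
    wide links = yes
[Backup]
    path = /BACKUP
    public = yes
"""

def norm(name):
    # smb.conf ignores case and whitespace inside parameter names
    return "".join(name.split()).lower()

def audit_smb_conf(text):
    """Return (section, finding) pairs for risky settings in smb.conf text."""
    # RawConfigParser does no %-interpolation, so /home/%D/%U parses cleanly
    cp = configparser.RawConfigParser(delimiters=("=",), strict=False)
    cp.optionxform = norm
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))

    def on(section, *keys):
        return any(cp.get(section, k, fallback="no").strip().lower() in TRUE
                   for k in keys)

    findings = []
    for sec in cp.sections():
        if sec.lower() == "global" and on(sec, "allowinsecurewidelinks"):
            findings.append((sec, "wide links allowed with UNIX extensions on"))
        if on(sec, "widelinks"):
            findings.append((sec, "symlinks may resolve outside the share path"))
        if on(sec, "guestok", "public"):  # "public" is a synonym of "guest ok"
            findings.append((sec, "guest access enabled"))
    return findings

if __name__ == "__main__":
    for section, finding in audit_smb_conf(SAMPLE):
        print(f"[{section}] {finding}")
```
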

  9. Matei Cezar says:

    System users overlap domain users? All? You could try to log in with the domain counterpart, e.g. domain\domain_user or [email protected].
    But make sure the statement winbind use default domain is set to false in smb.conf.
    Domain policies don’t apply in Linux. You could add some scripts in the /etc/skel/ directory to manage some stuff.

  10. pieter says:

    Hi,

    Works like a charm.

    I have one issue nonetheless. My current server was already in use for some time and already has some users; to make things worse, they have the same names as the LDAP users (which made sense at creation time).

    Is there a way to specify that the LDAP account should be used during login? Otherwise I’m always redirected to the existing account.

    Could the existing accounts and the LDAP accounts be linked (e.g. the same home drive)?

    I would also like to run a script when a home for an LDAP user is created (basically, create some symlinks, add a printer). Where and how should this be defined? Should/could this be set up on the AD host, or should this be done on the integrated server?

    Thanks.

    • pieter says:

      Hi
      I solved it.

      FYI:
      samba setting: winbind use default domain = true, made the difference when having multiple accounts already on the server
      I changed the skeleton setup to fix the symlink.
