# Integrate Ubuntu 16.04 to AD as a Domain Member with Samba and Winbind – Part 8

## If You Appreciate What We Do Here On TecMint, You Should Consider:

3. Get your own self-hosted blog with a Free Domain at ($3.45/month). 4. Become a Supporter - Make a contribution via PayPal 5. Support us by purchasing our premium books in PDF format. 6. Support us by taking our online Linux courses We are thankful for your never ending support. Matei Cezar I'am a computer addicted guy, a fan of open source and linux based system software, have about 4 years experience with Linux distributions desktop, servers and bash scripting. Your name can also be listed here. Got a tip? Submit it here to become an TecMint author. #### You may also like... ### 60 Responses 1. froce says: Sorry for my poor English. I followed the article, and everything is right. I success to join my AD and can use AD account as Ubuntu account. But when I want to share a folder, I can see the folder but I can’t connect to the folder. On Windows, it gets ERROR 53「The network path was not found」. On ubuntu, it gets 「 NT_STATUS_BAD_NETWORK_NAME」. Here is my smb.conf configuration. [global] workgroup = [AD] realm = [AD] netbios name = S676100003 security = ADS dns forwarder = [AD's IP] idmap config * : backend = tdb idmap config *:range = 50000-1000000 template homedir = /home/%D/%U template shell = /bin/bash winbind use default domain = true winbind offline logon = false winbind nss info = rfc2307 winbind enum users = yes winbind enum groups = yes vfs objects = acl_xattr map acl inherit = Yes store dos attributes = Yes [Backup] comment = Backup file store path = /BACKUP valid users = "[AD account(like:AD\user)]" public = yes writable = yes create mode = 0600 directory mode = 0700  • froce says: Sorry, I find what is wrong and now it’s work. Thanks. • Shiva says: Hi, I am not able to get this samba folder work. Here is my smb.conf [global] workgroup = ITTIAM realm = ITTIAM.COM netbios name = IN0164LINUX security = ADS dns forwarder = 172.20.47.254 idmap config * : backend = tdb idmap config *:range = 50000-1000000 template homedir = /home/%D/%U template shell = /bin/bash winbind use default domain = true winbind offline logon = false winbind nss info = rfc2307 winbind enum users = yes winbind enum groups = yes vfs objects = acl_xattr map acl inherit = Yes store dos attributes = Yes [work] comment = test path = /shii browseable = yes writable = yes #valid users = ITTIAM\in0164 guest ok = yes  • Matei Cezar says: Be aware that Linux is case sensitive. BACKUP and backup are different names through filesystem. 2. Jim Compton says: This was freakin awesome! Thank you! It worked well up to the net ads join, which came back with not having a record in my windows Server 2008r2 DNS server. It refused to dynamically update. Finally, I created an A record for the linux box, and it ran like a champ! I’ve been looking for how to do this for ages, and finally a step by step that I can use out of the box. 3. Preston Vertich says: I have the Linux machine added to AD and everything up till step 17 was flawless, but for whatever reason I get: $ su - your_ad_user

su: Authentication failure


I do not know where to go from here. Any assistance would be appreciated.

• Matei Cezar says:

The Linux machine was not correctly added into samba realm. Verify DNS resolution also to see if you can reach the domain controller and firewall rules.

4. Andy Kostka says:

Hi,

When I am trying to test if machine was integrated to realm with wbinfo command I get:

could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
could not obtain winbind domain name!

Error looking up domain users

5. Denis says:

Hello, problem in step 9:

Error:
kinit succeeded but ads_sasl_spnego_gensec_bind (KRB5) failed: Invalid credentials
Failed to join domain: failed to connect to AD: Invalid credentials

The Administrator password in AD is correct. On windows it works correctly. Has anyone had this problem? How can I solve. I noticed that it can be pane in my AD (Samba 4).

6. Malc P says:

Hi – very comprehensive, clear and useful/usable instructions, appreciate the time and effort going in to this.

I have a query on password which I’d appreciate some help on if it’s appropriate in this forum (if not, could someone point me in the right direction please?):

I’m setting up a UBUNTU 16.04LTS server system running a database app and I want users to connect from their desktops using PuTTY in SSH mode using their windows ADS credentials. I can tell PuTTY to connect using the System Username option and the terminal prompt comes up with something like “Using username “FredBloggs” followed by “[email protected][desktop IP]’s password:”

Any idea how I can get this to use the user’s Windows password (we can safely assume they’ve logged in to Windows successfully with their password so it’s not necessary to type it in again).

Many thanks
Malc

• Matei Cezar says:

Integrate the database server into the AD and use the AD credentials to login to the database server via SSH. You want to automate SSH logins via Putty with AD logged in accounts in Windows? In Windows 10 I think it can be done via Bash shell scripts edited under windows with Windows Subsystem for Linux. In windows 7 you should install Cygwin environment and automate the process from there.

7. pixel says:

I am unable to change domain user password. All other things work fine. Able to login and have sudo rights to domain admins but unable to change password. why this cause? when login with domain user and do a passwd the following error occurs.

passwd: Authentication token manipulation error

how to fix this?

• Matei Cezar says:

Have You tried to remove “use_authtok” option from /etc/pam.d/common-account as detailed in point 15?

• pixel says:

yes i have removed it but i am not able to change password.

• pixel says:

any solution Matei?

• Matei Cezar says:

Seems to be a bug with pam authentication modules on the client side. I suggest you change the domain password complexity level on the DC with the following commands and check if the problem solves.

• pixel says:

ERROR(ldb): uncaught exception – ldb_search: invalid basedn ‘(null)’
File “/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py”, line 175, in _run
return self.run(*args, **kwargs)
File “/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py”, line 1150, in run
“lockOutObservationWindow”])

this error occurred when i ran samba-tool domain passwordsettings show .

8. pieter says:

Hi, after a day of issues, it seems to an cifs mount from the AD is fighting with the ldap implementation.

I’m using the following line in /etc/fstab

//172.19.32.50/Data /media/Data cifs credentials=/home/pcoussem/.smbcredentials_general,_netdev,iocharset=utf8,sec=ntlm,rw,file_mode=0777,dir_mode=0777 0 0

This share should be accessible for all user (local and ldap). I added a symlink to the home drives of all user (actually in skeleton), but this seems not to work properly (browsing files in folders besides the symlink hangs).

How can I solve this?

• Matei Cezar says:

Edit samba configuration file and allow symlink access with the below parameters set:
[global]
allow insecure wide links = yes

[share]

9. Matei Cezar says:

System users overlap domain users? All? You could try to log in with the domain counterpart, eg: domain\domain_user or [email protected].
But make sure the statement winbind use default domain is set to false in smb.conf.
Domain policy don’t apply in Linux. You could add some scripts in /etc/skel/ directory to manage some stuff.

• pieter says:

Indeed that worked. Thanks for prompt reply!
works like a charm… (even for an LDAP noob like me)

10. pieter says:

Hi,

Works as a charm.

I have one issue nonetheless. My current server was already in use for some time and has already some users, to make thing worse, they have the same name as the LDAP users (which made sense at the creation time).

Is there a way to specify to use the ldap account during login? Otherwise I’m always redirected to existing account?

Could the existing accounts and the ldap accounts be linked (e.g. the same home drive?)

I would also like to run a script when a home for an ldap users is created (basically, create some symlinks, add a printer). Where and how should this be defined? Should/could this be setup on the AD host, or should this be done on the integrated server?

Thanks.

• pieter says:

Hi
I solved it.

FYI:
samba setting: winbind use default domain = true, made the difference when having multiple accounts already on the server
I changed the skeleton setup to fix the symlink.

This site uses Akismet to reduce spam. Learn how your comment data is processed.