Integrate Ubuntu 16.04 to AD as a Domain Member with Samba and Winbind – Part 8

Matei Cezar

I am a computer addicted guy, a fan of open source and Linux based system software, and have about 4 years of experience with Linux distributions (desktop, servers) and bash scripting.

68 Responses

  1. Andy says:

    When I attempt to su to a domain user I get an Authentication failure. Everything else up to that point works with no issues. I even went back through everything and still have the same error.

    • Jim Compton says:

      I have three possibilities.

      1) same user name local and Active Directory. I had issues when I tried to do that when I had jcompton as a local and AD user, with different passwords; PAM got confused, I think.

      2) pam.d configuration issue. Either the common-password file or the pam-auth-update would be my guess.

      3) restart services (or reboot) and see if that works.

  2. Gomar says:


    Thank you very much for this tutorial! It has helped me a LOT! (Sorry, English is not my native language.)

    I did everything you wrote here, but I have a little problem.

    When I log in as an AD user in Ubuntu (16.04) I get this error message:

    [email protected]:/etc$ su - tesztelek
    groups: cannot find name for 50011 groupID (it’s not the original message because I’m using a different language than English, but something similar)

    Then I ran the getent group command:

    Then I got a list of all the groups and IDs (Linux and AD as well).

    The 50011 group is missing, but 50010 and 50012 are on the list. What is the 50011 group? And how can I figure out how to repair it?

    It seems everything is working well except this group…

    • Jim Compton says:

      50011 would be a group in Active Directory (that is what this line means: idmap config *:range = 50000-1000000). The fact that you are able to get the list of all groups and that group is not shown means that your user is listed as a member of an AD group that is no longer there.

      My advice to you would be to check your user’s group membership in Active Directory vs. all available groups (that list you get from getent group command) and remove that particular group from your user’s membership; assuming that group truly IS no longer there.
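
The check described in this reply, as an added example that is not part of the comments or of the original tutorial: a shell function that reports which of a user's GIDs have no entry in the group database and whether they fall in the idmap range quoted above. The function name and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: find GIDs a user holds that have no entry in the group
# database, the condition behind "groups: cannot find name for group ID".

# Constructed sample data, standing in for `getent group` and `id -G <user>`.
SAMPLE_GROUP_DB='root:x:0:
sudo:x:27:localadmin
domain users:x:50010:
domain computers:x:50012:'
SAMPLE_USER_GIDS='50010 50011 27'

# unresolved_gids GIDS GROUP_DB [LOW] [HIGH]
# Prints "<gid> idmap-range" or "<gid> local" for each GID missing from
# GROUP_DB. LOW/HIGH default to the idmap range quoted in the reply above.
unresolved_gids() {
    gids=$1
    group_db=$2
    low=${3:-50000}
    high=${4:-1000000}
    for gid in $gids; do
        # Field 3 of a group(5) line is the numeric GID.
        if printf '%s\n' "$group_db" |
            awk -F: -v g="$gid" '$3 == g { found = 1 } END { exit !found }'
        then
            continue
        fi
        if [ "$gid" -ge "$low" ] && [ "$gid" -le "$high" ]; then
            echo "$gid idmap-range"   # allocated by winbind for an AD SID
        else
            echo "$gid local"         # outside the winbind idmap range
        fi
    done
}

# Demo on the constructed sample; on a joined host use instead:
#   unresolved_gids "$(id -G tesztelek)" "$(getent group)"
unresolved_gids "$SAMPLE_USER_GIDS" "$SAMPLE_GROUP_DB"
```

For a GID reported as idmap-range, `wbinfo --gid-to-sid=<gid>` shows the SID winbind mapped it from, which can then be compared with the user's group membership in Active Directory.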


  3. Randeer Lalanga says:

    I got an error when I edited /etc/sudoers as %TEST\\domain\ admins ALL=(ALL:ALL) ALL.
    linuxadmin is not in the sudoers file. This incident will be reported.

    Then I ran getent group | grep -i admin

    domain admins:x:50011:

    Then I added the entry as:

    %domain\ admins  ALL=(ALL:ALL) ALL

    It resolved the error.

  4. Abhinav Aggarwal says:


    The guide seems pretty useful.

    But I am not able to connect my Ubuntu 16.04 machine and 18.04 machine to the Samba AD.

    I have made the changes in the network IPv4 connections with the DNS server as my domain controller and also set the domain search.

    But I am not able to ping my domain using ping -c2 my_domain

    Can you please help me with the same?

    • Abhinav Aggarwal says:


      I am able to resolve the above issue.

      Followed the following link:

      Needed to install libnss-winbind, and thereafter made the changes in /etc/nsswitch.conf.

      I am able to complete the process for registering the machine with the SAMBA AD.

      But at the end I am not able to log in with the command su - domain_user_id.

      I am now getting the error:

      su: Authentication service cannot retrieve authentication info

      I think this is the last step remaining for me to successfully log in with the SAMBA AD domain controller.

      Can anybody please help me in this regard?

      Thanks a ton in advance.

      Abhinav Aggarwal

    • James Compton says:


      I have been adding member workstations on Mint (Ubuntu 16.04 based) by, instead of changing the interfaces file, just adding DNS info into Network Manager (with the GUI) and rebooting. If that is your setup as well, that might work better for you.

  5. Jim Compton says:

    I just got done adding another Mint machine to the network, and had a devil of a time because it kept saying it couldn’t find /usr/lib/x86_64-linux-gnu/samba/ldb when trying to join the domain.

    I finally found (Thank you SAMBA Mail list!) that it is missing the samba-dsdb-modules. They need to be installed: apt install samba-dsdb-modules. If you need the VFS modules, apt install samba-vfs-modules. Apparently this was a packaging bug at Debian? This may have been fixed since then, but it hadn’t trickled downstream to Mint yet.

    I thought I was going crazy because I’d added several to the domain, and then suddenly it stopped working.

  6. Jim Compton says:

    As a side note, this works pretty well on Linux Mint, but the lightdm information needs to be in /etc/lightdm/lightdm.conf.

    Here’s mine:


    Thanks again for putting this up, Matei!

  7. Darkcap says:

    Hi, this all works except that when I try getent, it doesn’t show AD users.

    Do I need to change something else?


    • F17 says:

      Same problem here, does anyone have a solution?

      • Jim says:

        I first checked nsswitch.conf to make sure I didn’t screw anything up, shut down, and restarted the next day (it was quitting time). Worked well after that. I figure if you restart and re-enable various samba services the same thing would probably work. I just needed to head home and that was a great stopping point. LOL

  8. Juan says:

    Hi, nice job, but I’m having trouble with GID and UID: they are not the same as in AD, and that causes AD shared folders to have wrong permissions.

    • Matei Cezar says:

      Try adding the lines below on the Samba server and on clients:

      idmap config *:backend = tdb
      idmap config *:range = 85000-86000

  9. Matei Cezar says:

    You need to generate the SSH key on the client and copy the public key to the server with the ssh-copy-id command. But only if your AD user has permissions to authenticate on the domain server. Is there any reason why an AD user must authenticate on the server side via SSH? The scope of an AD central authentication server is to provide and verify the credentials required by an account to log in on the local box.

  10. Muhammad Yousery says:

    Is there any way to achieve SSH public key authentication between AD and Ubuntu? I have followed your tutorial and it is great, but it achieves only password authentication, not by public keys stored on AD.
