Integrate Ubuntu 16.04 to AD as a Domain Member with Samba and Winbind – Part 8

This tutorial describes how to join an Ubuntu machine to a Samba4 Active Directory domain in order to authenticate AD accounts with local ACLs on files and directories, or to create and map volume shares for domain users (act as a file server).

Requirements:

  1. Create an Active Directory Infrastructure with Samba4 on Ubuntu

Step 1: Initial Configurations to Join Ubuntu to Samba4 AD

1. Before starting to join an Ubuntu host to an Active Directory DC, you need to ensure that some services are configured properly on the local machine.

An important aspect of your machine is its hostname. Set a proper machine name before joining the domain with the hostnamectl command or by manually editing the /etc/hostname file.

# hostnamectl set-hostname your_machine_short_name
# cat /etc/hostname
# hostnamectl
Set System Hostname

2. Next, open and manually edit your machine's network settings with the proper IP configuration. The most important settings here are the DNS IP addresses, which must point back to your domain controller.

Edit the /etc/network/interfaces file and add a dns-nameservers statement with your AD IP addresses and the domain name as illustrated on the screenshot below.

Also, make sure that the same DNS IP addresses and domain name are added to the /etc/resolv.conf file.

Configure Network Settings for AD

In the above screenshot, 192.168.1.254 and 192.168.1.253 are the IP addresses of the Samba4 AD DCs and Tecmint.lan is the name of the AD domain, which will be queried by all machines integrated into the realm.

3. Restart the network service or reboot the machine to apply the new network configuration. Issue a ping command against your domain name to test whether DNS resolution is working as expected.

The AD DC should reply with its FQDN. If you have configured a DHCP server in your network to automatically assign IP settings to your LAN hosts, make sure you add the AD DC IP addresses to the DHCP server's DNS configuration.

# systemctl restart networking.service
# ping -c2 your_domain_name

4. The last important configuration is time synchronization. Install the ntpdate package, then query and sync time with the AD DC by issuing the commands below.

$ sudo apt-get install ntpdate
$ sudo ntpdate -q your_domain_name
$ sudo ntpdate your_domain_name
Time Synchronization with AD

5. Next, install the software required for the Ubuntu machine to be fully integrated into the domain by running the command below.

$ sudo apt-get install samba krb5-config krb5-user winbind libpam-winbind libnss-winbind
Install Samba4 in Ubuntu Client

While the Kerberos packages are installing you will be asked to enter the name of your default realm. Use the name of your domain in uppercase and press Enter to continue the installation.

Add AD Domain Name

6. After all packages finish installing, test Kerberos authentication against an AD administrative account and list the ticket by issuing the commands below.

# kinit ad_admin_user
# klist
Check Kerberos Authentication with AD

Step 2: Join Ubuntu to Samba4 AD DC

7. The first step in integrating the Ubuntu machine into the Samba4 Active Directory domain is to edit the Samba configuration file.

Back up the default Samba configuration file provided by the package manager, so that you start with a clean configuration, by running the following commands.

# mv /etc/samba/smb.conf /etc/samba/smb.conf.initial
# nano /etc/samba/smb.conf 

In the new Samba configuration file add the lines below:

[global]
        workgroup = TECMINT
        realm = TECMINT.LAN
        netbios name = ubuntu
        security = ADS
        dns forwarder = 192.168.1.1

        idmap config * : backend = tdb
        idmap config * : range = 50000-1000000

        template homedir = /home/%D/%U
        template shell = /bin/bash
        winbind use default domain = true
        winbind offline logon = false
        winbind nss info = rfc2307
        winbind enum users = yes
        winbind enum groups = yes

        vfs objects = acl_xattr
        map acl inherit = Yes
        store dos attributes = Yes
Configure Samba for AD

Replace the workgroup, realm, netbios name and dns forwarder values with your own settings.

The winbind use default domain parameter makes the winbind service treat any unqualified username as an AD user. Omit this parameter if you have local system account names that overlap with AD account names.

8. Now restart all Samba daemons, stop the samba-ad-dc service (not needed on a domain member) and enable the Samba services system-wide by issuing the commands below.

$ sudo systemctl restart smbd nmbd winbind
$ sudo systemctl stop samba-ad-dc
$ sudo systemctl enable smbd nmbd winbind

9. Join the Ubuntu machine to the Samba4 AD DC by issuing the following command. Use the name of an AD account with administrator privileges so that the binding to the realm works as expected.

$ sudo net ads join -U ad_admin_user
Join Ubuntu to Samba4 AD DC

10. From a Windows machine with RSAT tools installed you can open Active Directory Users and Computers (AD UC) and navigate to the Computers container. Your joined Ubuntu machine should be listed there.

Confirm Ubuntu Client in Windows AD DC
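The caveat in step 7 about local account names overlapping AD names is easy to check once the join is done. The script below is an added example, not part of the tutorial: it compares the names in /etc/passwd with the users winbind reports and lists any collision, normalising case and stripping the DOMAIN\ prefix so it works whether or not winbind use default domain is set. The embedded passwd and wbinfo -u samples are constructed.

```shell
#!/bin/sh
# Detect account names that exist both locally and in the AD domain
# (added example, not part of the tutorial). With "winbind use default
# domain = true" such a name is ambiguous: NSS and PAM may answer from the
# local files for one operation and from winbind for another.

# Read names on stdin, drop a DOMAIN\ or DOMAIN+ prefix, lower-case them
# (AD names are case-insensitive, so "Admin" and "admin" collide) and
# emit each name once, skipping blank lines.
normalize_names() {
    sed -e 's/^[^\\+]*[\\+]//' | tr 'A-Z' 'a-z' | grep . | sort -u
}

# $1 = text of /etc/passwd, $2 = output of "wbinfo -u".
# Prints every colliding name and returns 1 if there is at least one.
account_overlaps() {
    local_names=$(printf '%s\n' "$1" | cut -d: -f1 | normalize_names)
    ad_names=$(printf '%s\n' "$2" | normalize_names)
    # Both lists are already unique, so any name that appears twice in
    # the concatenation is present on both sides.
    overlap=$(printf '%s\n%s\n' "$local_names" "$ad_names" | sort | uniq -d)
    [ -z "$overlap" ] && return 0
    printf '%s\n' "$overlap"
    return 1
}

# Constructed samples: jcompton exists as a local user and as an AD user.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
jcompton:x:1000:1000:Jim:/home/jcompton:/bin/bash
svcbackup:x:1001:1001::/home/svcbackup:/bin/sh'
SAMPLE_WBINFO='TECMINT\Administrator
TECMINT\jcompton
TECMINT\alice'

# On a joined host run: account_overlaps "$(cat /etc/passwd)" "$(wbinfo -u)"
if account_overlaps "$SAMPLE_PASSWD" "$SAMPLE_WBINFO"; then
    echo "no local/AD name collisions"
else
    echo "rename the local account(s) above or drop 'winbind use default domain'"
fi
```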

Step 3: Configure AD Accounts Authentication

11. To authenticate AD accounts on the local machine, you need to modify some services and files on that machine.

First, open and edit the Name Service Switch (NSS) configuration file.

$ sudo nano /etc/nsswitch.conf

Next, append the winbind value to the passwd and group lines as illustrated in the excerpt below.

passwd:         compat winbind
group:          compat winbind
Configure AD Accounts Authentication

12. To test whether the Ubuntu machine was successfully integrated into the realm, run the wbinfo command to list domain accounts and groups.

$ wbinfo -u
$ wbinfo -g
List AD Domain Accounts and Groups

13. Also, check the winbind NSS module by issuing the getent command and piping the result through a filter such as grep to narrow the output to specific domain users or groups.

$ sudo getent passwd | grep your_domain_user
$ sudo getent group | grep 'domain admins'
Check AD Domain Users and Groups

14. To authenticate on the Ubuntu machine with domain accounts, run the pam-auth-update command with root privileges and select all the entries required by the winbind service, plus the entry that automatically creates a home directory for each domain account at first login.

Check all entries by pressing the [space] key and hit OK to apply the configuration.

$ sudo pam-auth-update
Authenticate Ubuntu with Domain Accounts

15. On Debian systems you need to manually edit the /etc/pam.d/common-account file and add the following line in order to automatically create home directories for authenticated domain users.

session    required    pam_mkhomedir.so    skel=/etc/skel/    umask=0022
Authenticate Debian with Domain Accounts

16. In order for Active Directory users to be able to change their password from the command line in Linux, open the /etc/pam.d/common-password file and remove the use_authtok statement from the password line so that it finally looks like the excerpt below.

password       [success=1 default=ignore]      pam_winbind.so try_first_pass
Users Allowed to Change Password

17. To authenticate on the Ubuntu host with a Samba4 AD account, pass the domain username as the parameter of the su - command. Run the id command to get extra information about the AD account.

$ su - your_ad_user
Find AD User Information

Use the pwd command to see the domain user's current directory and the passwd command if you want to change the password.

18. To use a domain account with root privileges on your Ubuntu machine, add the AD username to the sudo system group by issuing the command below:

$ sudo usermod -aG sudo your_domain_user

Log in to Ubuntu with the domain account and update your system by running the apt-get update command to check whether the domain user has root privileges.

Add Sudo User Root Group

19. To grant root privileges to a domain group, open and edit the /etc/sudoers file using the visudo command and add the following line as illustrated in the screenshot below.

%YOUR_DOMAIN\\your_domain\ group        ALL=(ALL:ALL) ALL
Add Root Privileges to Domain Group

Use backslashes to escape the spaces contained in your domain group name and to escape the first backslash (the domain separator). In the above example the domain group for the TECMINT realm is named “domain admins”.

The preceding percent sign (%) symbol indicates that we are referring to a group, not a username.
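Getting the escaping on that line right is the usual stumbling block (see the comments below), so here is an added helper, not from the tutorial, that builds the sudoers entry from the NetBIOS domain and the group name, escaping the separator and any spaces, and installs it under /etc/sudoers.d only after visudo -c accepts it. The drop-in path /etc/sudoers.d/ad-admins is an assumption.

```shell
#!/bin/sh
# Build and safely install a sudoers rule for an AD group
# (added example, not part of the tutorial).

# Escape the characters sudoers treats specially inside a group name:
# each backslash becomes "\\" and each space becomes "\ ".
sudoers_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/ /\\ /g'
}

# Print the rule that grants full sudo to the group.
# $1 = NetBIOS domain (the smb.conf workgroup); pass "" when
#      "winbind use default domain = true" makes group names unqualified
# $2 = AD group name, spaces allowed (e.g. "domain admins")
sudoers_group_entry() {
    domain=$1; group=$2
    if [ -n "$domain" ]; then
        name="${domain}\\${group}"
    else
        name=$group
    fi
    printf '%%%s ALL=(ALL:ALL) ALL\n' "$(sudoers_escape "$name")"
}

# Write the rule to a sudoers.d drop-in only if visudo parses it; a
# syntax error in /etc/sudoers.d locks every sudo user out, which is
# exactly the failure a direct edit risks. Target path is an assumption.
install_sudoers_entry() {
    entry=$1; target=${2:-/etc/sudoers.d/ad-admins}
    tmp=$(mktemp) || return 1
    printf '%s\n' "$entry" > "$tmp"
    if visudo -c -q -f "$tmp"; then
        install -m 0440 -o root -g root "$tmp" "$target"
        rc=$?
    else
        echo "visudo rejected: $entry" >&2
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Example: the tutorial's realm and its "domain admins" group.
sudoers_group_entry TECMINT "domain admins"
# As root: install_sudoers_entry "$(sudoers_group_entry TECMINT 'domain admins')"
```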

20. If you are running the graphical version of Ubuntu and want to log in to the system with a domain user, you need to modify the LightDM display manager by editing the /usr/share/lightdm/lightdm.conf.d/50-ubuntu.conf file, adding the following lines and rebooting the machine to apply the changes.

greeter-show-manual-login=true
greeter-hide-users=true

You should now be able to log in to Ubuntu Desktop with a domain account using either the your_domain_username, your_domain_username@your_domain.tld or your_domain\your_domain_username format.


Matei Cezar

I'm a computer addicted guy, a fan of open source and Linux based system software, and have about 4 years of experience with Linux distributions, desktops, servers and bash scripting.


71 Responses

  1. Andy says:

    When I attempt to su to a domain user I get an Authentication failure. Everything else up to that point works with no issues. Even went back through everything and still have the same error.

    • Jim Compton says:

      I have three possibilities.

      1) same user name local and Active Directory. I had issues when I tried to do that when I had jcompton as a local and AD user, with different passwords; PAM got confused, I think.

      2) pam.d configuration issue. Either the common-password file or the pam-auth-update would be my guess.

      3) restart services (or reboot) and see if that works.

  2. Gomar says:

    Hi!

    Thank you very much for this tutorial! It has helped me a LOT! (sorry, English is not my native language).

    I did everything you wrote here, but I have a little problem.

    When I log in as an AD user in Ubuntu (16.04) I get this error message:

    [email protected]:/etc$ su - tesztelek
    Password:
    groups: cannot find name for 50011 groupID (it’s not the original message because I’m using different language than English, but something similar)

    Then I ran the getent group command:

    Then I got a list of all the groups and IDs (Linux and AD as well).

    The 50011 group is missing, but 50010 and 50012 are on the list. What is the 50011 group? And how can I figure out how to repair it?

    It seems everything is working well except this group…

    • Jim Compton says:

      50011 would be a group in Active Directory (that is what this line means: idmap config *:range = 50000-1000000) The fact that you are able to get the list of all groups and that group is not shown means that your user is listed as a member of an AD group that is no longer there.

      My advice to you would be to check your user’s group membership in Active Directory vs. all available groups (that list you get from getent group command) and remove that particular group from your user’s membership; assuming that group truly IS no longer there.

      Cheers!

  3. Randeer Lalanga says:

    I got an error when I edited /etc/sudoers as %TEST\\domain\ admins ALL=(ALL:ALL) ALL.
    linuxadmin is not in the sudoers file. This incident will be reported.

    Then I ran getent group | grep -i admin

    domain admins:x:50011:
    

    Then I added the entry as:

    %domain\ admins  ALL=(ALL:ALL) ALL
    

    It resolved the error.

  4. Abhinav Aggarwal says:

    Hi,

    The guide seems pretty useful.

    But I am not able to connect my Ubuntu 16.04 machine and 18.04 machine to the samba ad.

    I have made the changes in the network IPv4 connections with the DNS server set to my domain controller and also set the domain search.

    But I am not able to ping my domain using ping -c2 my_domain

    Can you please help me with the same.

    • Abhinav Aggarwal says:

      Hi,

      I am able to resolve the above issue.

      Followed the following link :
      https://askubuntu.com/questions/507649/ubuntu-can-not-ping-host-name-but-can-ping-ip

      Needed to install libnss-winbind, and thereafter made the changes in /etc/nsswitch.conf.

      I am able to complete the process for registering the machine with the SAMBA AD.

      But at the end I am not able to login with command su - domain_user_id.

      I am now getting error as:

      su: Authentication service cannot retrieve authentication info
      

      I think this is the last step remaining for me to successfully login with SAMBA AD domain controller.

      Can any body please help me in this regard.

      Thanks a ton in advance.

      Abhinav Aggarwal

    • James Compton says:

      Abhinav,

      I have been adding member workstations on mint (Ubuntu 16.04 based) by, instead of changing the interfaces file just adding dns info into network manager (with GUI) and rebooting. If that is your set up as well, that might work better for you.

  5. Jim Compton says:

    I just got done adding another Mint machine to the network, and had a devil of a time because it kept saying it couldn’t find /usr/lib/x86_64-linux-gnu/samba/ldb when trying to join the domain.

    I finally found (Thank you SAMBA Mail list!) that it is missing the samba-dsdb-modules. They need to be installed: apt install samba-dsdb-modules. If you need the VFS modules, apt install samba-vfs-modules. Apparently this was a packaging bug at Debian? This may have been fixed since then, but it hadn’t trickled downstream to Mint yet.

    I thought I was going crazy because I’d added several to the domain, and then suddenly it stopped working.

  6. Jim Compton says:

    As a side note, this works pretty well on Linux Mint, but the lightdm information needs to be in /etc/lightdm/lightdm.conf.

    Here’s mine:

    [Seat:*]
    greeter-show-manual-login=true
    greeter-hide-users=true
    

    Thanks again for putting this up, Matei!

  7. Darkcap says:

    Hi, this works all except that when I try getent it doesn’t show AD users.

    Do i need to change something else.

    Thanks
    Regards

    • F17 says:

      Same problem here, does anyone have a solution?

      • Jim says:

        I first checked nsswitch.conf to make sure I didn’t screw anything up, shut down, and restarted the next day (it was quitting time). Worked well after that. I figure if you restart and re-enable various samba services the same thing would probably work. I just needed to head home and that was a great stopping point. LOL

  8. Juan says:

    Hi, nice job, but I’m getting trouble with GID and UID, not the same as the AD, and that generates that AD shared folders have wrong permissions.

    • Matei Cezar says:

      Try to add the below lines in samba server and on clients:

      Idmap config *:backend = tdb
      idmap config *:range = 85000-86000
      
  9. Matei Cezar says:

    You need to generate the SSH key on the client and copy the public key on the server with the ssh-copy-id command. But only if your AD user has permissions to authenticate on the domain server. Is there any reason why an AD user must authenticate on server-side via SSH? The scope of an AD central authentication server is to provide and verify the credentials required by an account to login on the local box.

  10. Muhammad Yousery says:

    If there is any way to achieve ssh public key authentication between AD and the Ubuntu, I have followed your tutorial and it is great but it achieves only password authentication, not by public keys stored on AD.
