Join Ubuntu Server 10.04 to Windows domain

This has gotten a lot easier since my previous post about joining an Ubuntu 9.10 desktop to a Windows domain. Always make backups of the files you change; you never know when something will get messed up.

This is largely taken from https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto with a lot of the extra taken out and some more detail added.

Open a terminal and away we go.

First things first:
apt-get update
apt-get upgrade
(restart if needed)

apt-get install samba smbfs smbclient smbldap-tools winbind krb5-user krb5-config krb5-doc libkrb5-3 libpam-krb5

When installing the above, krb5-config should prompt you for a realm; this will be your domain name in upper case, e.g. DOMAIN.LOCAL.

Add the following information to the /etc/hosts file (this is precautionary, in case the DNS servers aren’t resolving properly):

vim /etc/hosts

x.x.x.x (IP address of domain controller) dc.domain.local dc

Add your realm to the krb5.conf file. I personally take out all the other realms in there as they aren’t needed.

vim /etc/krb5.conf

[realms]
DOMAIN.LOCAL = {
kdc = ip address of DC1
kdc = ip address of DC2 (if you have more than one)
admin_server = ip address of DC
}

I personally delete everything in smb.conf and copy/paste rather than trying to find these individually in the file.

vim /etc/samba/smb.conf
[global]
workgroup = DOMAIN
realm = DOMAIN.LOCAL
server string = %h server (Samba %v)
security = ADS
map to guest = Bad Password
passdb backend = tdbsam
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
log level = 3
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
dns proxy = No
wins server = winsserver.domain.local
allow trusted domains = no
ldap ssl = no
panic action = /usr/share/samba/panic-action %d
idmap config * : range = 10000-20000
idmap config * : backend = tdb
template homedir = /home/%U
template shell = /bin/bash
winbind use default domain = Yes
winbind nested groups = Yes
admin users = "@domain admins"
read list = "@domain admins"
write list = "@domain admins"
create mask = 0777
force create mode = 0777
force security mode = 0777
directory mask = 0777
force directory mode = 0777
force directory security mode = 0777
winbind enum users = Yes
winbind enum groups = Yes

Adding valid users = @"Domain Users" to the [global] section will allow all Domain Users to see all of the shares available without a password. This is the equivalent of allowing “Everyone” to read all shares. If you want to restrict reading of a share, you will have to specify valid users for that share.

service winbind stop
service smbd restart
service winbind start

kinit user@DOMAIN.LOCAL
klist

You should see a ticket from AD.
If there are no errors, it’s time to carry on.

net ads join -U Domain Admin (or other user that has permissions to join a computer to the domain)

You may get a “DNS Update failed!” message; this can be ignored.

Instead of modifying each pam file by itself you can now run:

pam-auth-update

Next, make some changes to /etc/pam.d/common-session by adding the lines below.

vim /etc/pam.d/common-session
session optional pam_ldap.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077

Modify /etc/nsswitch.conf so it looks like this:

passwd: compat winbind
group: compat winbind
shadow: compat winbind

hosts: files dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis

service winbind stop
service smbd restart
service winbind start

Now test it out.

wbinfo -u (this should list all domain users)
wbinfo -g (this should list all groups)

If you have domain trusts and need to see those users and groups, change ‘allow trusted domains = no’ to yes.
If you aren’t seeing all your users/groups, you may need to increase the idmap range (idmap config * : range above, or idmap uid/gid in older configs).

Some more testing.

getent passwd (should list all domain users in a passwd file format)
getent group (should list all groups in group file format)

If you haven’t gotten any errors, you should now be able to log in to your machine using AD credentials.
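As an added example (not part of the original post), here are offline sanity checks for the three files edited above, covering the most common mistakes mentioned on this page: a lower-case realm in krb5.conf, winbind missing from nsswitch.conf, an idmap range too small for the domain, and pasted curly quotes in smb.conf. The sample configs and the 10.0.0.1 address are constructed; the real paths (/etc/krb5.conf, /etc/samba/smb.conf, /etc/nsswitch.conf) are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: offline sanity checks for the three
# files the walkthrough edits. Sample configs are constructed below; the real paths
# (/etc/krb5.conf, /etc/samba/smb.conf, /etc/nsswitch.conf) are assumptions.

# krb5.conf: realm names under [realms] must be upper case (Kerberos realms are
# case-sensitive, a common cause of join errors).
check_realms_upper() {           # $1 = krb5.conf
    sed -n 's/^[[:space:]]*\([^[:space:]=]*\)[[:space:]]*=[[:space:]]*{.*/\1/p' "$1" |
    while IFS= read -r realm; do
        [ "$realm" = "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ] || exit 1
    done
}

# nsswitch.conf: passwd, group and shadow must list winbind or getent/login never see AD.
check_nsswitch() {               # $1 = nsswitch.conf
    for db in passwd group shadow; do
        grep -Eq "^[[:space:]]*$db:.*[[:space:]]winbind([[:space:]]|$)" "$1" || return 1
    done
}

# smb.conf: the idmap range caps how many AD users+groups winbind can map; the post
# notes that users go missing when it is too small. Prints the size, 0 if unset.
idmap_range_size() {             # $1 = smb.conf
    range=$(sed -n 's/^[[:space:]]*idmap config \* *: *range *= *\([0-9][0-9]*\) *- *\([0-9][0-9]*\).*/\1 \2/p' "$1" | head -n 1)
    [ -n "$range" ] || { echo 0; return; }
    set -- $range
    echo $(( $2 - $1 + 1 ))
}

# Config files must be plain ASCII: pasted curly quotes around "@domain admins" break parsing.
check_ascii() {                  # $1 = any config file
    ! LC_ALL=C grep -q '[^[:print:][:space:]]' "$1"
}

# Constructed samples mirroring the post's snippets; writes them to a temp dir and prints it.
make_samples() {
    d=$(mktemp -d)
    printf '[realms]\nDOMAIN.LOCAL = {\n kdc = 10.0.0.1\n admin_server = 10.0.0.1\n}\n' > "$d/krb5.conf"
    printf 'passwd: compat winbind\ngroup: compat winbind\nshadow: compat winbind\nhosts: files dns\n' > "$d/nsswitch.conf"
    printf '[global]\nworkgroup = DOMAIN\nidmap config * : range = 10000-20000\nidmap config * : backend = tdb\n' > "$d/smb.conf"
    echo "$d"
}

# Run every check against the samples; exits non-zero on the first failure.
run_checks() {
    d=$(make_samples)
    check_realms_upper "$d/krb5.conf" && check_nsswitch "$d/nsswitch.conf" &&
    check_ascii "$d/smb.conf" && [ "$(idmap_range_size "$d/smb.conf")" -gt 0 ] &&
    echo "all checks passed"
}
```

Point the functions at the real files instead of the samples to check a freshly edited server before running net ads join.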

This was all I needed to get my server on the domain, so I’ve left out a lot of the information included in the article at https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto. If you are experiencing problems, you may want to check there or post a question.

One thought on “Join Ubuntu Server 10.04 to Windows domain”

  1. Brilliant!

    Had to google some errors I got like using caps for domain (DOMAIN.LOCAL)
    and few errors when adding computer to domain.

    Added the DC in the line where joining did the trick
    sudo net ads join -S WIN2K3 -U %

    Thanks!
