Joining an Ubuntu Machine to Samba with Winbind

This is the third part of a series of howtos showing how to setup and use Samba4 as a drop in for MS Active Directory Server. The first part Samba4 AD DC on Ubuntu 14.04 is here. The second part in this series take a look at Administering AD DC via Windows.

In this part we will connect an Ubuntu 14.04 machine to the domain and then login with users configured with Active Directory.

Active Domain details

  • AD DC host: lab-addc1.dragon.lab
  • ip address:
  • Domain: BLACK
  • netbios name:LAB-ADDC1

Therefore domain users will always have the same UID and GIDs regardless of the machine they log into. You will need to have created some users, as we did in part 2.

Domain Users

  • Real name: Fred Blogs
  • User name: fred
  • Member Of: Domain Users, Domain Admins
  • Real name: Mary Money
  • User name: mary
  • Member Of: Domain Users, finance
  • Real name: Bert Worker
  • User name: bert
  • Member Of: Domain Users

I was using likewise-open but after being taken over by Power Broker they have messed it up and introduced a number of rather annoying bugs. The open version is also functionally crippled in-order to get you to pay for the enterprise version. 🙁

The PBIS settings have to be changed using a clunky config tool, as they are now stored in a binary blob and not flat files. So all the downsides of a Windows registry, bloated, awkward to access and prone to corruption. 🙁

I no longer use PBIS! Rant over. 🙂

I used my normal install method, starting with a minimal server and then adding MATE.

After the install I change its name in /etc/hosts, lab-desktop1.dragon.lab, and /etc/hostname, lab-desktop1. Also, check that /etc/network/interface is setup to use DHCP for eth0.

We will need to install some packages on your Linux desktop. so let’s get that out of the way.

sudo apt-get update
sudo apt-get dist-upgrade
sudo apt-get install samba winbind samba libnss-winbind libpam-winbind \
                     krb5-config krb5-locales krb5-user gvfs-backends

During the install you will be asked for the default realm to use for Kerberos, enter BLACK.DRAGON.LAB.

Update the kerberos config file.

sudo nano /etc/krb5.conf
# Be careful with CAPS they are significant!
 default_realm = BLACK.DRAGON.LAB
 ticket_lifetime = 24000
 default_tgs_entypes = rc4-hmac des-cbc-md5
 default_tkt__enctypes = rc4-hmac des-cbc-md5
 permitted_enctypes = rc4-hmac des-cbc-md5
 dns_lookup_realm = true
 dns_lookup_kdc = true
 dns_fallback = yes
  kdc = black.dragon.lab:88
  default_domain = black.dragon.lab
# So are leading fullstops
 .black.dragon.lab = BLACK.DRAGON.LAB
 black.dragon.lab = BLACK.DRAGON.LAB
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

You should now be able to authenticate against Kerberos for the users in our domain. Try this with Fred, Mary and Bert.

Password for bert@BLACK.DRAGON.LAB:

The prompt should request the password for the user you used in the kinit command. It should not ask for the Administrator password. When you enter the correct password for the user you will get a ticket.

Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: bert@BLACK.DRAGON.LAB
Valid starting     Expires            Service principal
10/05/15 13:40:53  10/05/15 20:20:47  krbtgt/BLACK.DRAGON.LAB@BLACK.DRAGON.LAB

Now update the Samba configuration to include the following settings. I usually remove everything from the file and just use the following basic values.

sudo nano /etc/samba/smb.conf
   workgroup = BLACK
   security = ADS
   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab
   idmap config *:backend = tdb
   idmap config *:range = 5000-9999
   idmap config BLACK:backend = ad
   idmap config BLACK:range = 10000-29999
   idmap config BLACK:schema_mode = rfc2307
   winbind nss info = rfc2307
   winbind use default domain = Yes
   winbind enum users  = Yes
   winbind enum groups = Yes
   winbind refresh tickets = Yes
   winbind normalize names = Yes
   store dos attributes = Yes
   vfs objects = acl_xattr
   map acl inherit = Yes
NOTE: The values for the two ranges '*:range' and 'BLACK:range' must be the same on all other AD members and the Controller. Also they must not overlap.

Check that /etc/nsswitch.conf has winbind appended to the passwd and group, amend the lines if they are not.

sudo nano /etc/nsswitch.conf
  passwd: compat winbind
  group:  compat winbind
  shadow: compat

If you installed libpam-winbind above, this step is all you need to do to configure pam.

sudo pam-auth-update

When you run pam-auth-update, all the options should already be selected, just press return to continue.

Add the following line at the end of the file, before the last comment. It will allow for the automatic creation of home directories on the local file system.

sudo nano /etc/pam.d/common-account
session optional skel=/etc/skel umask=0022

I reboot at this point, it saves me reloading or restarting the services one at a time and I can also grab a quick coffee.

Joining the Domain

Once the desktop comes back up, we can join the domain.

sudo net ads join  -U administrator
Enter administrator's password:
Using short domain name -- BLACK
Joined 'LAB-DESKTOP1' to dns domain 'black.dragon.lab'

I saw an error for ERROR_DNS_GSS_ERROR, but it appears it does not matter. The message that matters is the Joined ‘LAB-DESKTOP1’ part. If you did not see that, you should recheck everything as there is something wrong.

As this is a Windows domain we need to reboot or just restart the services. The coffee you started above should be ready by now.

sudo service winbind restart
sudo service nmbd restart
sudo service smbd restart

or as you will be running these three commands a lot while playing around and testing, why not setup a quick bash function.

smbrestart() { sudo service winbind restart; sudo service nmbd restart; sudo service smbd restart; }

Just call it on the command line with smbrestart

Testing Those Settings

To check that user and group data are available from the AD we can use the wbinfo and getent commands.

wbinfo -u      # Should list all the domain users.
wbinfo -g      # Should list all the domain groups.
wbinfo -i fred # Displays data for the user Fred.
wbinfo -r fred # Displays the groups Fred is in.
getent group domain_admins # Displays users that are members of the group domain_admins.
getent group "domain admins" # Save as above
getent group  # Supposed to display all groups local and domain

I have yet to get the last getent group command to work. But see below to check that domain groups are available from the command line.

If the first of these commands worked then you are probably all connected to the domain.

The final test, can you log in? I usually do an initial test using ‘su’ before logging out and back in with another user.

su - fred

If you can log in then its working. Do a long listing with ls -la and you should see something like this below, note you see the owner as fred and the group as domain users and not the UID/GID which you would if you used the crippled PBIS open.

-rw------- 1 fred domain_users   59 Aug 25 14:26 .bash_history
-rw------- 1 fred domain_users  220 Aug 25 13:06 .bash_logout
-rw------- 1 fred domain_users 3637 Aug 25 13:06 .bashrc

Now to test using those pesky domain groups. You should see the group name changing with each of these commands.

touch fred_was_here
ll fred_was_here
-rw-r--r-- 1 fred domain_users 0 May 12 19:14 fred_was_here
chgrp domain_admins fred_was_here
ll fred_was_here
-rw-r--r-- 1 fred domain_admins 0 May 12 19:14 fred_was_here
chgrp 'Domain Users' fred_was_here
ll fred_was_here
-rw-r--r-- 1 fred domain_users 0 May 12 19:14 fred_was_here

This is testing you can use the domain groups on the command line. Within bash expansion works with the tab key as well. Also as this is pretending to be Windows, the AD DC part, the group name is not case sensitive. ‘Domain Users’ = ‘domain users’ = ‘DoMaIn UsErS’ = domain_users = DomaiN_Users.

Giving ‘sudo’ Permissions

With Ubuntu you can add a user to the sudo group which will allow access to the sudo command.

sudo usermod -a -G sudo fred

Testing Those Permissions

Assuming you have already created the test users Fred, Bert and Mary along with the shared folders finance and shared. Now log in to the domain with each of the three users. Fred and Mary should be able to access both folders and also create and modify files in the share. While Bert ‘the drudge’ Worker will only be able to do stuff in shared.

To use caja (File Manager) to access the shares type smb://lab-addc1 into the location input and press return. Then proceed as normal once the shares are displayed.

If that is not the case go back and check the permissions on the users and shares.

8 thoughts on “Joining an Ubuntu Machine to Samba with Winbind

  1. Rich Nahra

    Very helpful. Wasted a lot of time trying to use sssd with ubuntu 16.04 in multi-domain environment. This works perfectly

  2. Ross Walker

    I have used the below smb.conf for my winbind hosts for years with no problems. RIDs are always mapped predictably and there is absolutely no need to set any custom attributes in AD.

    workgroup =
    password server = *
    realm =
    security = ads
    idmap config * : range = 100000-999999
    template homedir = /home/%U
    template shell = /bin/bash
    kerberos method = secrets and keytab
    winbind use default domain = true
    winbind offline logon = false
    allow trusted domains = No
    client NTLMv2 auth = Yes
    name resolve order = wins bcast host
    idmap backend = rid
    create krb5 conf = No

    For protected hosts I only allow select groups to login through /etc/security/pam_winbind.conf:

    krb5_auth = yes
    krb5_ccache_type = FILE
    require_membership_of = ,

    I add those group names to sudoers:

    %Group\ Name ALL=(ALL) ALL
    %Group\ Name ALL=(ALL) ALL

    Add pam_winbind module in system-auth appropriately:

    account [default=bad success=ok user_unknown=ignore]
    password sufficient use_authtok
    session optional

    Kerberos is only setup for single sign on, but not necessary for basic system access and all Kerberos system principals are managed through AD and the computer object. You can add principals to AD and your local keytab through the samba ‘net’ command.

  3. darklord520

    After configuring this in ubuntu 14.04 and adding a windows security group to the sudoers file my domain user can’t open gnome-terminal and can’t login with ssh. They all show as admin. The weird thing is passwd file has no /bin/bash record for the domain users. Is there a step missed above?

  4. Mark Wilson

    Currently Power Broker (PBIS) doesn’t work with Samba 4. If you install Ubuntu 14.04, you’ll get Samba 4 as part of the install. It becomes a nightmare trying to downgrade Samba from 4 to 3, just to get PBIS to work (if you don’t need Samba, PBIS will work with Ubuntu 14.04). I’ve been talking to PBIS and they hope to have their software working with Samba 4 by the end of 2015. I’ve been using PBIS/Likewise since 2012, but now I’m looking at alternative solutions.

    1. Richard Post author

      When it was likewise open it worked rather well. Then it was taken over by PBIS and they crippled it. Why would it take almost 2 years, from the time Ubuntu 14.04 came out to getting it updated. Seems they only want to sell their own version now.

  5. Gnaggi

    Many thanks for this great working tutorial !!
    After hours of tries with PBIS you saved me.
    Had to watch uppercase/lowercase for inputs of realm and username of the domain strictly.
    This tutorial works with a .local Domain too.

    thanks again


    1. Richard Post author

      I am glad it was of use to you. The upper/lower case can be a nightmare especially as Windows is only sometimes case sensitive 🙂

      When Power Broker took over the likewise open project it went down hill fast.


Leave a Reply

Your email address will not be published. Required fields are marked *