[Samba] join an ubuntu desktop client do samba domain, and login in

Bob Miller bob at computerisms.ca
Thu Mar 3 10:18:04 MST 2011

On Thu, 2011-03-03 at 09:25 +0100, Marcello Romani wrote:
> Il 03/03/2011 09:15, fdelval at rojatex.com ha scritto:
> > Hello,
> > I did all the steps to build a DC; I even joined Windows clients OK.
> >
> > Now I want to add an Ubuntu desktop.
> > OK, I modified the workgroup and other parameters in smb.conf, I ran
> > net rpc join -S DOMPDC -UAdministrator%password
> > and I got an OK message.
> >
> >
> > Now I reboot, the login screen appears and.....?
> >
> > I can't log in with MyDomain\Myuser, nor can I find a user management
> > screen to add my domain users...
> >
> >
> > I can't find info on that. How do I log in with domain users on an Ubuntu
> > desktop?
> >
> > thanks
> >
> Although a bit dated, I believe this might be helpful:
> http://www.ubuntugeek.com/how-to-add-ubuntu-804-to-win-server-2003-active-directory-domain.html
> It talks about Likewise-open.
> -- 
> Marcello Romani

I was charged with this task recently; it took quite a bit of time to put
everything together, but I have it working.
I am not clear if you are using a samba pdc or a windows pdc, I expect
the ubuntu workstation set up should be close or the same for either.  I
use a samba pdc, and I found it necessary to refine my group permissions
system using the net command to get this working (the command that
brought it all together was `net sam mapunixgroup` or some such, which
led to having to remap group users, which led to shares on windows
workstations with domain permissions breaking, which led to several
applications breaking until permissions were re-applied).  In other
words, this only works if all your ducks are in a row on the samba pdc.
But I have a handful of Ubuntu machines in a primarily XP environment
connecting to a Samba PDC.  The Ubuntu machines will also work through
an openswan VPN.
This setup will allow users to log in with just their domain.name
(instead of DOMAIN\domain.name), and will mount the same shares as the
Windows computers do via the logon script.  Here are the notes,
good luck with everything:

     1. sudo su
     2. apt-get install winbind samba libpam-mount smbfs
     3. mv /etc/hosts /etc/hosts.orig
     4. vi /etc/hosts <= set this file so that it contains only the
        following lines: 
       localhost TEST1 TEST1.ctfn.ca
       pdc pdc.domain.com
     5. mkdir /home/DOMAIN
     6. vi /etc/nsswitch.conf <= modify the following 3 lines, leave the
        rest of the file as is: 
                passwd: compat winbind
                group: compat winbind
                hosts: files dns wins mdns4_minimal mdns4
     7. mv /etc/samba/smb.conf /etc/samba/smb.conf.orig
     8. vi /etc/samba/smb.conf <= copy/paste the following into this
                 ;Workstation Settings
                workgroup = DOMAIN
                netbios name = TEST1
                server string = %h
                security = domain
                idmap backend = tdb
                idmap uid = 15000-20000
                idmap gid = 15000-20000
                wins server =
                winbind use default domain = yes
                winbind enum groups = yes
                winbind enum users = yes
                password server =
                template shell = /bin/bash 
                template homedir = /home/%D/%U 
                log level = 2
                log file = /var/log/samba/log.%m 
                max log size = 1000 
                syslog = 0 
                panic action = /usr/share/samba/panic-action %d 
     9. /etc/init.d/smbd restart
    10. /etc/init.d/nmbd restart
    11. /etc/init.d/winbind restart
    12. net join DOMAIN <= If this does not return a line stating join
        Domain DOMAIN was successful, stop and review, you missed
    13. cd /etc/pam.d <= Note: modifying files in this location
        incorrectly may result in locking you out of the machine. Boot
        from a live cd and copy the original files back to fix.
    14. mv common-account common-account.orig
    15. vi common-account <= copy/paste the following into this file: 
                account [success=2 default=ignore] pam_winbind.so 
                account [success=1 default=ignore] pam_unix.so 
                account requisite pam_deny.so
                account required pam_permit.so
    16. mv common-auth common-auth.orig
    17. vi common-auth <= copy/paste the following into this file: 
                auth [success=2 default=ignore] pam_unix.so
                auth [success=1 default=ignore] pam_winbind.so
                auth requisite pam_deny.so
                auth optional pam_mount.so
                auth required pam_permit.so
    18. mv common-session common-session.orig
    19. vi common-session <= copy/paste the following into this file: 
                session required pam_unix.so nullok_secure
                session required pam_mkhomedir.so skel=/etc/skel
                session optional pam_mount.so
                session [default=1] pam_permit.so
                session requisite pam_deny.so
                session required pam_permit.so
                session optional pam_ck_connector.so nox11
    20. mv /etc/security/pam_mount.conf.xml /etc/security/pam_mount.conf.xml.orig
    21. vi /etc/security/pam_mount.conf.xml <= copy/paste the following
        into this file: 
                <?xml version="1.0" encoding="utf-8" ?>
                <!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
                <pam_mount>
                <debug enable="0" />
                <!-- the mountpoint="..." attribute of each volume was lost
                     from the posted message; each volume needs one -->
                <volume options="user=%(DOMAIN_USER),domain=DOMAIN"
                        fstype="cifs" server="mainlian" path="Common" />
                <volume options="user=%(DOMAIN_USER),domain=DOMAIN,noperm"
                        fstype="cifs" server="mainlian" path="Departments" />
                <volume options="user=%(DOMAIN_USER),domain=DOMAIN"
                        fstype="cifs" server="mainlian" path="%(DOMAIN_USER)" />
                <logout wait="0" hup="0" term="0" kill="0" />
                <mkmountpoint enable="1" remove="true" />
                </pam_mount>
    22. Open system==>Administration==>login screen==>press the unlock
        button==>enter password for network-admin
    23. Uncheck "play login sound" and uncheck "show list of users".
        Ensure "show the screen for choosing who will log in is
    24. Log out user network-admin and log in with domain user.
    25. Open Departments mount from Desktop, drag department folders for
        this user to menu on left side of nautilus window.

Bob Miller
bob at computerisms.ca
Network, Internet, Server,
and Open Source Solutions
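Hand-editing the PAM stacks in steps 14 to 19 is where the lockout warning in step 13 bites: a `[success=N default=ignore]` entry skips N entries on success, so a miscounted N lands on pam_deny.so and rejects a correct password. The checker below is an added example (mine, not from the post or from Samba); it parses the posted common-auth and common-session stacks, plus a constructed copy with one skip count typo'd, and reports any success path that ends on pam_deny.so.

```python
import re
# Constructed samples: the common-auth and common-session stacks as posted above,
# plus a typo'd variant whose first skip count is one too small.
COMMON_AUTH = """\
auth [success=2 default=ignore] pam_unix.so
auth [success=1 default=ignore] pam_winbind.so
auth requisite pam_deny.so
auth optional pam_mount.so
auth required pam_permit.so
"""
COMMON_SESSION = """\
session required pam_unix.so nullok_secure
session required pam_mkhomedir.so skel=/etc/skel
session optional pam_mount.so
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_ck_connector.so nox11
"""
BROKEN_AUTH = COMMON_AUTH.replace("success=2", "success=1", 1)
LINE_RE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)")

def parse_stack(text):
    """Return [(type, control, module)] for every non-blank, non-comment line."""
    lines = [l.strip() for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    return [LINE_RE.match(l).groups() for l in lines]

def success_jump(control):
    """Entries skipped when the module succeeds: [success=N], else [default=N], else 0."""
    m = re.search(r"success=(\d+)", control) or re.search(r"default=(\d+)", control)
    return int(m.group(1)) if m else 0

def check_stack(text):
    """List problems; an empty list means no success path ends on pam_deny.so."""
    rows = parse_stack(text)
    modules = [mod for _, _, mod in rows]
    if "pam_deny.so" not in modules:
        return ["no pam_deny.so: an unknown user is never rejected"]
    deny = modules.index("pam_deny.so")
    problems, skips_deny = [], False
    for i, (_, ctrl, mod) in enumerate(rows[:deny]):
        target = i + success_jump(ctrl) + 1   # index of the next entry PAM runs
        if target >= len(rows):
            problems.append(mod + ": jump runs off the end of the stack")
        elif target == deny and success_jump(ctrl):
            problems.append(mod + ": success jump lands on pam_deny.so (lockout)")
        elif target > deny:
            skips_deny = True
    if not skips_deny:
        problems.append("nothing before pam_deny.so skips it: every login is denied")
    return problems
```

Run it against a copy of each edited file before rebooting; an empty list for each stack is what you want to see.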
