[Samba] How to join Ubuntu desktop to AD

Rowland Penny rpenny at samba.org
Tue Dec 6 20:09:41 UTC 2016


On Tue, 6 Dec 2016 14:52:20 -0500
lingpanda101 via samba <samba at lists.samba.org> wrote:

> On 12/6/2016 1:49 PM, Rowland Penny via samba wrote:
> > On Tue, 6 Dec 2016 19:38:49 +0100
> > Marc Muehlfeld via samba <samba at lists.samba.org> wrote:
> >
> >> Hello,
> >>
> >> On 06.12.2016 at 19:15, lingpanda101 via samba wrote:
> >>>      Does the wiki contain documentation on how to join a Linux
> >>> workstation to Samba? I can't seem to find it. I do see this
> >>> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
> >>> but this appears to use SSH to login. I'm looking to login
> >>> locally.
> >> This is the documentation you're looking for.
> >>
> >> SSH is just an example in the documentation of how to use pam_winbind.
> >> Have a look at your PAM configuration files and the PAM
> >> documentation to see which file you have to add pam_winbind to for
> >> local logins.
> >>
> >> Regards,
> >> Marc
> >>
> > libpam-winbind, libpam-krb5 and libnss-winbind on Debian, presumably
> > the same on Ubuntu.
> >
> > Rowland
> >
> 
> OK thanks. I'm a bit stuck at the part where I configure my smb.conf. 
> I'm going with the winbind ad backend.
> 
> [global]
>      security = ADS
>      workgroup = MYDOMAIN
>      realm = MYDOMAIN.LOCAL (Yes I know about .local)
> 
>      log file = /var/log/samba/%m.log
>      log level = 1
>      idmap config * : backend = tdb
>      idmap config * : range = 2000-9999  (This is the range for local 
> users on the workstation?)
>      winbind nss info = rfc2307
>      idmap config MYDOMAIN:backend = ad
>      idmap config MYDOMAIN:schema_mode = rfc2307
>      idmap config MYDOMAIN:range = 10000-999999 (This is the default 
> range samba uses correct?)
> 
> If I # cat /etc/adduser.conf I see
> 
> FIRST_UID=1000
> LAST_UID=29999
> 
> Is this the range I should use for 'idmap config * : range =
> 2000-9999'?

No, the '*' range is for the 'well known SIDs' (see here:
https://support.microsoft.com/en-us/kb/243330) and anything outside
your domain (aka workgroup).

The suggested ranges on the samba wiki are known to work (well, they
work for me). They allow for local Unix users & groups in the range
1000-1999, for the well known SIDs in the range 2000-9999 and domain
users & groups in the range 10000-999999.

The local Unix users & groups will get their IDs when they are added
and they will be created in /etc/passwd and /etc/group.
The well known SIDs will be allocated an ID, starting from 2000, i.e.
the start number for the range.
You will have to add unique uidNumber attributes to each user, starting
from 10000; you must also give 'Domain Users' a gidNumber attribute.
You can use 10000 for this (yes, you can have a user with uidNumber
10000 and a group with the same number).

If everything is installed and set up correctly and you run 'getent
passwd auser' you should get something like this:

rowland at devstation:~$ getent passwd rowland
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

Any further questions, just ask ;-)

Rowland
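As an added example (not code from the thread or from Samba), here is a small Python check that parses the idmap ranges out of an smb.conf fragment and FIRST_UID/LAST_UID out of adduser.conf, then reports any overlap between idmap domains or between an idmap range and the local user range; an overlap means a domain account could map onto the same UID as a local account. The sample config text is constructed from the configuration quoted above.

```python
import re

# Constructed sample input, copied from the smb.conf fragment quoted in the thread.
SMB_CONF = """
[global]
    workgroup = MYDOMAIN
    realm = MYDOMAIN.LOCAL
    idmap config * : backend = tdb
    idmap config * : range = 2000-9999
    idmap config MYDOMAIN:backend = ad
    idmap config MYDOMAIN:schema_mode = rfc2307
    idmap config MYDOMAIN:range = 10000-999999
"""

# Constructed /etc/adduser.conf fragment, as posted in the thread.
ADDUSER_CONF = "FIRST_UID=1000\nLAST_UID=29999\n"

# Matches 'idmap config <domain> : range = <low>-<high>' with or without spaces around ':'.
IDMAP_RANGE_RE = re.compile(r"^\s*idmap\s+config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.I)

def parse_idmap_ranges(text):
    """Return {DOMAIN: (low, high)} for every idmap range line in an smb.conf."""
    ranges = {}
    for line in text.splitlines():
        m = IDMAP_RANGE_RE.match(line)
        if m:
            ranges[m.group(1).upper()] = (int(m.group(2)), int(m.group(3)))
    return ranges

def parse_adduser_range(text):
    """Return (FIRST_UID, LAST_UID) from an adduser.conf."""
    vals = dict(re.findall(r"^\s*(FIRST_UID|LAST_UID)\s*=\s*(\d+)", text, re.M))
    return int(vals["FIRST_UID"]), int(vals["LAST_UID"])

def overlaps(a, b):
    return a[0] <= b[1] and b[0] <= a[1]

def check_ranges(idmap, local):
    """List the ID-space collisions; an empty list means the layout is clean."""
    problems = []
    names = sorted(idmap)
    for i, name in enumerate(names):
        lo, hi = idmap[name]
        for other in names[i + 1:]:
            if overlaps(idmap[name], idmap[other]):
                problems.append(f"ranges for {name} and {other} overlap")
        if overlaps((lo, hi), local):
            problems.append(f"range for {name} ({lo}-{hi}) collides with local users {local[0]}-{local[1]}")
    return problems
```

With the posted adduser range 1000-29999 both idmap ranges collide; narrowing local users to the wiki's 1000-1999 makes the check pass.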