[Samba] How to join Ubuntu desktop to AD

lingpanda101 lingpanda101 at gmail.com
Wed Dec 7 13:33:54 UTC 2016


On 12/6/2016 3:09 PM, Rowland Penny via samba wrote:
> On Tue, 6 Dec 2016 14:52:20 -0500
> lingpanda101 via samba <samba at lists.samba.org> wrote:
>
>> On 12/6/2016 1:49 PM, Rowland Penny via samba wrote:
>>> On Tue, 6 Dec 2016 19:38:49 +0100
>>> Marc Muehlfeld via samba <samba at lists.samba.org> wrote:
>>>
>>>> Hello,
>>>>
>>>> Am 06.12.2016 um 19:15 schrieb lingpanda101 via samba:
>>>>>       Does the wiki contain documentation on how to join a Linux
>>>>> workstation to Samba? I can't seem to find it. I do see this
>>>>> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
>>>>> but this appears to use SSH to login. I'm looking to login
>>>>> locally.
>>>> This is the documentation you're looking for.
>>>>
>>>> SSH is just an example in the documentation how to use pam_winbind.
>>>> Have a look at your PAM configuration files and the PAM
>>>> documentation to see which file you have to add pam_winbind to for
>>>> local logins.
>>>>
>>>> Regards,
>>>> Marc
>>>>
>>> libpam-winbind, libpam-krb5 and libnss-winbind on Debian, presumably
>>> the same on Ubuntu.
>>>
>>> Rowland
>>>
>> OK thanks. I'm a bit stuck at the part where I configure my smb.conf.
>> I'm going with the winbind ad backend.
>>
>> [global]
>>       security = ADS
>>       workgroup = MYDOMAIN
>>       realm = MYDOMAIN.LOCAL (Yes I know about .local)
>>
>>       log file = /var/log/samba/%m.log
>>       log level = 1
>>       idmap config * : backend = tdb
>>       idmap config * : range = 2000-9999  (This is the range for local
>> users on the workstation?)
>>       winbind nss info = rfc2307
>>       idmap config MYDOMAIN:backend = ad
>>       idmap config MYDOMAIN:schema_mode = rfc2307
>>       idmap config MYDOMAIN:range = 10000-999999 (This is the default
>> range samba uses correct?)
>>
>> If I # cat /etc/adduser.conf I see
>>
>> FIRST_UID=1000
>> LAST_UID=29999
>>
>> Is this the range I should use for 'idmap config * : range =
>> 2000-9999'?
> No, the '*' range is for the 'well known SIDs' (see here:
> https://support.microsoft.com/en-us/kb/243330) and anything outside
> your domain (aka workgroup).
>
> The suggested ranges on the samba wiki are known to work (well, they
> work for me). They allow for local Unix users & groups in the range
> 1000-1999, for the well known SIDs in the range 2000-9999 and domain
> users & groups in the range 10000-999999
>
> The local Unix users & groups will get their IDs when they are added
> and they will be created in /etc/passwd and /etc/group.
> The well known SIDs will be allocated an ID, starting from 2000 i.e.
> the start number for the range
> You will have to add unique uidNumber attributes to each user, starting
> from 10000, you must also give 'Domain Users' a gidNumber attribute,
> you can use 10000 for this (yes, you can have a user with uidNumber
> 10000 and a group with the same number)
>
> If everything is installed and setup correctly and you run 'getent
> passwd auser' you should get something like this:
>
> rowland at devstation:~$ getent passwd rowland
> rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
>
> Any further questions, just ask ;-)
>
> Rowland
>
OK, unable to get anything back from 'getent'. Using Ubuntu 16.04.1, 
Samba 4.5.1 built from tar.

*# /usr/local/samba/bin/net ads join -U administrator*
Enter administrator's password:
Using short domain name -- DOMAIN
Joined 'DR210' to dns domain 'domain.local'
DNS update failed: NT_STATUS_UNSUCCESSFUL (I manually added the DNS A RR.)

*smb.conf file*

[global]
        security = ADS
        workgroup = DOMAIN
        realm = DOMAIN.LOCAL

        log file = /var/log/samba/%m.log
        log level = 1

        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        winbind nss info = rfc2307
        idmap config DOMAIN:backend = ad
        idmap config DOMAIN:schema_mode = rfc2307
        idmap config DOMAIN:range = 10000-999999


*'libnss_winbind' links*

lrwxrwxrwx 1 root root      41 Dec  7 07:51 libnss_winbind.so -> /lib/x86_64-linux-gnu/libnss_winbind.so.2
lrwxrwxrwx 1 root root      40 Dec  7 07:51 libnss_winbind.so.2 -> /usr/local/samba/lib/libnss_winbind.so.2


*root at DR210:/# cat /etc/nsswitch.conf*
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat winbind
group:          compat winbind
shadow:         compat
gshadow:        files

hosts:          files mdns4_minimal [NOTFOUND=return] dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis


*root at DR210:/# cat /etc/resolv.conf *
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 172.16.232.29
nameserver 172.16.232.39
search domain.local


*root at DR210:/# cat /var/log/samba/winbindd.log *

[2016/12/07 08:12:17.545371,  0] ../lib/util/become_daemon.c:124(daemon_ready)
  STATUS=daemon 'winbindd' finished starting up and ready to serve connections
[2016/12/07 08:14:32.678686,  1] ../lib/tdb_wrap/tdb_wrap.c:64(tdb_wrap_log)
  tdb(/usr/local/samba/var/lock/mutex.tdb): tdb_lock failed on list 63 ltype=1 (Interrupted system call)
[2016/12/07 08:14:32.678743,  0] ../source3/lib/util_tdb.c:497(tdb_chainlock_with_timeout_internal)
  tdb_chainlock_with_timeout_internal: alarm (40) timed out for key PFDC1 in tdb /usr/local/samba/var/lock/mutex.tdb
[2016/12/07 08:14:32.678796,  1] ../source3/lib/server_mutex.c:97(grab_named_mutex)
  Could not get the lock for PFDC1
[2016/12/07 08:14:32.678860,  0] ../source3/winbindd/winbindd_cm.c:1039(cm_prepare_connection)
  cm_prepare_connection: mutex grab failed for PFDC1
[2016/12/07 08:18:13.433118,  1] ../source3/winbindd/winbindd_util.c:352(trustdom_list_done)
  trustdom_list_done: Could not receive trusts for domain DOMAIN

-- 
- James
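Added example, not part of the thread and not Samba's own code: a small Python lint for the three files the thread turns on, smb.conf idmap ranges, nsswitch.conf and adduser.conf. It encodes Rowland's rules (a '*' range for the well-known SIDs, a separate per-domain range, no overlap between them) plus the nsswitch requirement behind the empty `getent` result. The sample configs are constructed from the ones posted above; the second one deliberately reuses the adduser.conf local UID range as the '*' range, the mistake James asked about. Function names and severities are my own.

```python
"""Lint a Samba AD-member smb.conf against the idmap rules from the thread:
a '*' range for well-known SIDs, a separate per-domain range, no overlaps,
and winbind listed in nsswitch.conf. Added example, not Samba code."""
import re

# Constructed sample files modelled on the configs posted in the thread;
# they are not captured from a real host.
SMB_CONF_OK = """[global]
        security = ADS
        workgroup = DOMAIN
        realm = DOMAIN.LOCAL
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        winbind nss info = rfc2307
        idmap config DOMAIN:backend = ad
        idmap config DOMAIN:schema_mode = rfc2307
        idmap config DOMAIN:range = 10000-999999
"""
# The mistake James asked about: reusing the adduser.conf local range as
# the '*' range, which then overlaps the DOMAIN range.
SMB_CONF_BAD = """[global]
        security = ADS
        workgroup = DOMAIN
        realm = DOMAIN.LOCAL
        idmap config * : backend = tdb
        idmap config * : range = 1000-29999
        idmap config DOMAIN:backend = ad
        idmap config DOMAIN:range = 10000-999999
"""
NSSWITCH_OK = "passwd:  compat winbind\ngroup:   compat winbind\nshadow:  compat\n"
NSSWITCH_BAD = "passwd:  compat\ngroup:   compat\nshadow:  compat\n"
ADDUSER_CONF = "FIRST_UID=1000\nLAST_UID=29999\n"   # Ubuntu 16.04 defaults

IDMAP_RE = re.compile(r"^idmap\s+config\s+(?P<dom>\S+?)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)$", re.I)
PARAM_RE = re.compile(r"^(?P<key>[a-z][a-z0-9 ]*?)\s*=\s*(?P<val>.*?)$", re.I)


def parse_smb_conf(text):
    """Return (global params, {domain: {idmap key: value}}); samples have only [global]."""
    params, domains = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[":
            continue
        m = IDMAP_RE.match(line)
        if m:
            domains.setdefault(m["dom"].upper(), {})[m["key"].lower()] = m["val"]
            continue
        m = PARAM_RE.match(line)
        if m:  # samba ignores spaces in parameter names: 'log level' == 'loglevel'
            params[m["key"].lower().replace(" ", "")] = m["val"]
    return params, domains


def parse_range(val):
    lo, hi = (int(x) for x in val.split("-", 1))
    return lo, hi


def overlaps(a, b):
    return a[0] <= b[1] and b[0] <= a[1]


def local_uid_range(text):
    vals = dict(re.findall(r"^(FIRST_UID|LAST_UID)\s*=\s*(\d+)", text, re.M))
    return int(vals["FIRST_UID"]), int(vals["LAST_UID"])


def nss_uses_winbind(text):
    """True when both the passwd and group databases consult winbind."""
    dbs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]
        if ":" in line:
            name, sources = line.split(":", 1)
            dbs[name.strip()] = sources.split()
    return all("winbind" in dbs.get(db, []) for db in ("passwd", "group"))


def lint(smb_conf, nsswitch, adduser):
    """Return [(severity, message)]; an empty list means every check passed."""
    findings = []
    params, domains = parse_smb_conf(smb_conf)
    if params.get("security", "").lower() != "ads":
        findings.append(("error", "security must be ADS for a domain member"))
    realm = params.get("realm", "")
    if realm != realm.upper():
        findings.append(("warning", "realm %s should be upper case" % realm))
    if "range" not in domains.get("*", {}):
        findings.append(("error", "missing 'idmap config * : range' for well-known SIDs"))
    ranges = {}
    for dom, cfg in domains.items():
        if "range" not in cfg:
            findings.append(("error", "idmap config %s has no range" % dom))
            continue
        lo, hi = parse_range(cfg["range"])
        if lo >= hi:
            findings.append(("error", "idmap config %s range %d-%d is empty" % (dom, lo, hi)))
        ranges[dom] = (lo, hi)
    names = sorted(ranges)
    for i, a in enumerate(names):          # every pair of idmap ranges must be disjoint
        for b in names[i + 1:]:
            if overlaps(ranges[a], ranges[b]):
                findings.append(("error", "idmap ranges of %s %s and %s %s overlap" % (a, ranges[a], b, ranges[b])))
    local = local_uid_range(adduser)
    for dom, r in ranges.items():          # local accounts allocated into an idmap range would collide
        if overlaps(local, r):
            findings.append(("warning", "adduser.conf UID range %s overlaps idmap range of %s %s" % (local, dom, r)))
    if not nss_uses_winbind(nsswitch):
        findings.append(("error", "nsswitch.conf: passwd and group must list winbind, or getent will not see domain accounts"))
    return findings


def counts(findings):
    """(errors, warnings) for quick assertions."""
    return (sum(1 for s, _ in findings if s == "error"),
            sum(1 for s, _ in findings if s == "warning"))


if __name__ == "__main__":
    for label, conf, nss in (("posted config", SMB_CONF_OK, NSSWITCH_OK),
                             ("local range reused as '*'", SMB_CONF_BAD, NSSWITCH_BAD)):
        print("==", label)
        for sev, msg in lint(conf, nss, ADDUSER_CONF):
            print("%s: %s" % (sev, msg))
```

The local-range overlap is reported as a warning rather than an error: with Ubuntu's default LAST_UID=29999 even the wiki's ranges overlap it, and it only bites once local allocation (which starts at FIRST_UID and counts up) climbs into the mapped range. Run it against real files before `net ads join`, alongside Samba's own `testparm`.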


