[Samba] How to join Ubuntu desktop to AD

Rowland Penny rpenny at samba.org
Tue Dec 13 20:38:36 UTC 2016


On Tue, 13 Dec 2016 14:57:59 -0500
lingpanda101 via samba <samba at lists.samba.org> wrote:

> On 12/12/2016 3:27 PM, lingpanda101 wrote:
> > On 12/11/2016 8:59 AM, Brian Candler via samba wrote:
> >> On 10/12/2016 16:25, Brian Candler wrote:
> >>> I think there's plenty of emphasis now, but I think there is a
> >>> part which is misleading:
> >>>
> >>> > To enable Samba to retrieve user and group information from
> >>> > Active Directory (AD):
> >>> >
> >>> > * Users must have at least the uidNumber and groups the
> >>> > gidNumber attribute set.
> >>
> >> I'm so sorry: I misread this as "Users must have at least the 
> >> uidNumber and gidNumber attribute set", which is of course *not*
> >> what it says.  Hence the text is accurate (if you read it
> >> correctly); it's my brain which is at fault.
> >>
> >> I do still think that the alternative text I gave is clearer - for
> >> my brain anyway :-)
> >>
> >> Regards,
> >>
> >> Brian.
> >>
> >>
> >
> > OK finally solved. Added to my smb.conf
> >
> >     'winbind use default domain = yes'
> >
> > Disabling Avahi and using the above was the issue.  Next to attempt 
> > actually signing in from the login screen and not via SSH.
> >
> >
> >
> 
> Following the wiki and I'm stuck at 'Authenticating Domain Users
> Using PAM'. I see the section
> 
> If you have compiled Samba, you need to add a symbolic link. 
> See pam_winbind Link 
> <https://wiki.samba.org/index.php/Pam_winbind_Link> for OS specific 
> information, where to place it.
> 
> 
> If I follow the link it appears to take me to a page similar to 
> 'libnss_winbind' linking. I don't see any difference. I ran 

Give that man a prize, the only difference between the 'Libnss winbind
Links' page and the 'Pam winbind Link' page is the title, they both
refer to setting up the libnss_winbind lib.

I will fix it, not sure how because the links should probably all be on
one page.

> 'pam-auth-update' and made sure to enable Winbind NT/Active Directory 
> authentication. I did not manually edit pam config files. If I
> attempt to login with a domain account I get
> 
> user1 at DR210:/$ su domainuser
> 
> Password:
> 
> su: Authentication failure
> 
> 
> Any ideas? Thanks.
> 
> 

You need three extra links:

ln -s /usr/local/samba/lib/libnss_wins.so.2 /lib/x86_64-linux-gnu/libnss_wins.so
ln -s /usr/local/samba/lib/libnss_wins.so.2 /lib/x86_64-linux-gnu/libnss_wins.so.2
ln -s /usr/local/samba/lib/security/pam_winbind.so /lib/x86_64-linux-gnu/security/pam_winbind.so

You also need a file /usr/share/pam-configs/winbind

Name: Winbind NT/Active Directory authentication
Default: yes
Priority: 192
Auth-Type: Primary
Auth:
	[success=end default=ignore]	pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
Auth-Initial:
	[success=end default=ignore]	pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login
Account-Type: Primary
Account:
	[success=end new_authtok_reqd=done default=ignore]	pam_winbind.so
Password-Type: Primary
Password:
	[success=end default=ignore]	pam_winbind.so use_authtok try_first_pass
Password-Initial:
	[success=end default=ignore]	pam_winbind.so
Session-Type: Additional
Session:
	optional			pam_winbind.so

You will also need to install libpam-krb5

Finally check that the 'passwd' and 'group' lines in /etc/nsswitch.conf
have 'winbind' in them.

Rowland
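
The checklist in the message above (three links, the pam-configs profile, libpam-krb5 and the nsswitch.conf entries) can be verified with a short script before retrying the login. This is an added example, not part of the original post or the Samba wiki; the function name check_winbind_setup and its optional ROOT prefix argument are assumptions, while the paths are the ones given in the message.

```shell
#!/bin/sh
# Added example (not from the original post): verify the winbind PAM/NSS
# prerequisites. ROOT is a hypothetical prefix (chroot or test tree); leave
# it empty to check the live system. Usage: check_winbind_setup [ROOT]

check_winbind_setup() {
    root="${1:-}"
    libdir="$root/lib/x86_64-linux-gnu"
    rc=0

    # The three symlinks: each must exist, resolve, and not be world-writable,
    # since PAM and NSS modules are loaded into privileged processes.
    for link in "$libdir/libnss_wins.so" "$libdir/libnss_wins.so.2" \
                "$libdir/security/pam_winbind.so"; do
        if [ ! -L "$link" ]; then
            echo "FAIL: not a symlink: $link"; rc=1
        elif [ ! -e "$link" ]; then
            echo "FAIL: dangling symlink: $link"; rc=1
        elif [ -n "$(find -L "$link" -perm -0002)" ]; then
            echo "FAIL: target is world-writable: $link"; rc=1
        fi
    done

    # The pam-auth-update profile must exist and reference pam_winbind.so.
    profile="$root/usr/share/pam-configs/winbind"
    if ! grep -q 'pam_winbind\.so' "$profile" 2>/dev/null; then
        echo "FAIL: missing or incomplete profile: $profile"; rc=1
    fi

    # 'passwd' and 'group' in nsswitch.conf must list winbind (comments ignored).
    for db in passwd group; do
        if ! sed 's/#.*//' "$root/etc/nsswitch.conf" 2>/dev/null |
             grep -E "^[[:space:]]*$db:" | grep -qw winbind; then
            echo "FAIL: no 'winbind' on the $db line of nsswitch.conf"; rc=1
        fi
    done

    # libpam-krb5 is only checked on the live system (dpkg database).
    if [ -z "$root" ] && command -v dpkg-query >/dev/null 2>&1; then
        if ! dpkg-query -W -f='${Status}' libpam-krb5 2>/dev/null |
             grep -q 'install ok installed'; then
            echo "FAIL: package libpam-krb5 is not installed"; rc=1
        fi
    fi

    [ "$rc" -eq 0 ] && echo "OK: winbind PAM/NSS prerequisites present"
    return "$rc"
}
```

A non-zero return with one FAIL line per missing item points at the step that still needs doing.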


