[Samba] How to join Ubuntu desktop to AD
rpenny at samba.org
Tue Dec 13 20:38:36 UTC 2016
On Tue, 13 Dec 2016 14:57:59 -0500
lingpanda101 via samba <samba at lists.samba.org> wrote:
> On 12/12/2016 3:27 PM, lingpanda101 wrote:
> > On 12/11/2016 8:59 AM, Brian Candler via samba wrote:
> >> On 10/12/2016 16:25, Brian Candler wrote:
> >>> I think there's plenty of emphasis now, but I think there is a
> >>> part which is misleading:
> >>> > To enable Samba to retrieve user and group information from
> >>> > Active
> >>> Directory (AD):
> >>> >
> >>> > * Users must have at least the uidNumber and groups the
> >>> > gidNumber
> >>> attribute set.
> >> I'm so sorry: I misread this as "Users must have at least the
> >> uidNumber and gidNumber attribute set", which is of course *not*
> >> what it says. Hence the text is accurate (if you read it
> >> correctly); it's my brain which is at fault.
> >> I do still think that the alternative text I gave is clearer - for
> >> my brain anyway :-)
> >> Regards,
> >> Brian.
> > OK finally solved. Added to my smb.conf
> > 'winbind use default domain = yes'
> > Disabling Avahi and using the above was the issue. Next to attempt
> > actually signing in from the login screen and not via SSH.
> Following the wiki and I'm stuck at 'Authenticating Domain Users
> Using PAM'. I see the section
> If you have compiled Samba, you need to add a symbolic links.
> See pam_winbind Link
> <https://wiki.samba.org/index.php/Pam_winbind_Link> for OS specific
> information, where to place it.
> If I follow the link it appears to take me to a page similar to
> 'libnss_winbind' linking. I don't see any difference. I ran
Give that man a prize, the only difference between the 'Libnss winbind
Links' page and the 'Pam winbind Link' page is the title, they both
refer to setting up the libnss_winbind lib
I will fix it, not sure how because the links should probably all be on
> 'pam-auth-update' and made sure to enable Winbind NT/Active Directory
> authentication. I did not manually edit pam config files. If I
> attempt to login with a domain account I get
> user1 at DR210:/$ su domainuser
> su: Authentication failure
> Any ideas? Thanks.
You need three extra links:
ln -s /usr/local/samba/lib/libnss_wins.so.2 /lib/x86_64-linux-gnu/libnss_wins.so
ln -s /usr/local/samba/lib/libnss_wins.so.2 /lib/x86_64-linux-gnu/libnss_wins.so.2
ln -s /usr/local/samba/lib/security/pam_winbind.so /lib/x86_64-linux-gnu/security/pam_winbind.so
You also need a file /usr/share/pam-configs/winbind
Name: Winbind NT/Active Directory authentication
[success=end default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
[success=end default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login
[success=end new_authtok_reqd=done default=ignore] pam_winbind.so
[success=end default=ignore] pam_winbind.so use_authtok try_first_pass
[success=end default=ignore] pam_winbind.so
You will also need to install libpam-krb5
Finally check that the 'passwd' and 'group' lines in /etc/nsswitch.conf
have 'winbind' in them.
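
The checklist in the message above (three links, the pam-auth-update profile, the nsswitch.conf lines) can be verified with a short script. This is an added example, not part of the original message or of Samba; the function names are made up for illustration and the paths are taken from the message.

```sh
#!/bin/sh
# Added example (not from the original message): verify the checklist above.
# Paths are passed as arguments so the checks can be run on constructed files.

# nss_has_winbind FILE DB: succeed if the DB line ("passwd", "group") lists winbind
nss_has_winbind() {
    awk -F'[: \t]+' -v db="$2" '
        { sub(/#.*/, ""); sub(/^[ \t]+/, "") }  # drop comments, leading blanks
        $1 == db { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
        END { exit !found }' "$1"
}

# link_resolves PATH: succeed if PATH is a symlink whose target exists
link_resolves() {
    [ -L "$1" ] && [ -e "$1" ]
}

# pam_profile_ok FILE: succeed if the pam-auth-update profile has a Name:
# header and references pam_winbind.so
pam_profile_ok() {
    grep -q '^Name:' "$1" 2>/dev/null && grep -q 'pam_winbind\.so' "$1"
}

# check_winbind_setup LIBDIR NSSWITCH PROFILE
# Prints one FAIL line per problem; returns 0 only if every check passes.
check_winbind_setup() {
    libdir=$1; nss=$2; profile=$3; rc=0
    for l in libnss_wins.so libnss_wins.so.2 security/pam_winbind.so; do
        link_resolves "$libdir/$l" ||
            { echo "FAIL: $libdir/$l is missing or dangling"; rc=1; }
    done
    pam_profile_ok "$profile" ||
        { echo "FAIL: $profile missing or lacks pam_winbind.so"; rc=1; }
    for db in passwd group; do
        nss_has_winbind "$nss" "$db" ||
            { echo "FAIL: '$db' line in $nss lacks winbind"; rc=1; }
    done
    return "$rc"
}

# On the host from the message the arguments would be:
#   /lib/x86_64-linux-gnu /etc/nsswitch.conf /usr/share/pam-configs/winbind
if [ "$#" -eq 3 ]; then check_winbind_setup "$@"; fi
```

A dangling link (one created before the Samba build was installed, or left behind after it was moved) is reported the same way as a missing one, and a 'winbind' that appears only in a comment on the passwd or group line does not count.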