[Samba] How to join join Ubuntu desktop to AD

lingpanda101 lingpanda101 at gmail.com
Wed Dec 14 16:37:10 UTC 2016 

On 12/13/2016 3:38 PM, Rowland Penny via samba wrote:
> On Tue, 13 Dec 2016 14:57:59 -0500
> lingpanda101 via samba <samba at lists.samba.org> wrote:
>
>> On 12/12/2016 3:27 PM, lingpanda101 wrote:
>>> On 12/11/2016 8:59 AM, Brian Candler via samba wrote:
>>>> On 10/12/2016 16:25, Brian Candler wrote:
>>>>> I think there's plenty of emphasis now, but I think there is a
>>>>> part which is misleading:
>>>>>
>>>>>> To enable Samba to retrieve user and group information from
>>>>>> Active
>>>>> Directory (AD):
>>>>>> * Users must have at least the uidNumber and groups the
>>>>>> gidNumber
>>>>> attribute set.
>>>> I'm so sorry: I misread this as "Users must have at least the
>>>> uidNumber and gidNumber attribute set", which is of course *not*
>>>> what it says.  Hence the text is accurate (if you read it
>>>> correctly); it's my brain which is at fault.
>>>>
>>>> I do still think that the alternative text I gave is clearer - for
>>>> my brain anyway :-)
>>>>
>>>> Regards,
>>>>
>>>> Brian.
>>>>
>>>>
>>> OK finally solved. Added to my smb.conf
>>>
>>>      'winbind use default domain = yes'
>>>
>>> Disabling Avahi and using the above was the issue.  Next to attempt
>>> actually signing in from the login screen and not via. SSH.
>>>
>>>
>>>
>> Following the wiki and I'm stuck at 'Authenticating Domain Users
>> Using PAM'. I see the section
>>
>> If you have compiled Samba, you need to add a symbolic links.
>> Seepam_winbind Link
>> <https://wiki.samba.org/index.php/Pam_winbind_Link>for OS specific
>> information, where to place it.
>>
>>
>> If I follow the link it appears to take me to a page similar to
>> 'libnss_winbind' linking. I don't see any difference. I ran
> Give that man a prize, the only difference between the 'Libnss winbind
> Links' page and the 'Pam winbind Link' page is the title, they both
> refer to setting up the libnss_winbind lib
>
> I will fix it, not sure how because the links should probably all be on
> one page.
>
>> 'pam-auth-update' and made sure to enable Winbind NT/Active Directory
>> authentication. I did not manually edit pam config files. If I
>> attempt to login with a domain account I get
>>
>> user1 at DR210:/$ su domainuser
>>
>> Password:
>>
>> su: Authentication failure
>>
>>
>> Any ideas? Thanks.
>>
>>
> You need three extra links:
>
> ln -s /usr/local/samba/lib/libnss_wins.so.2 /lib/x86_64-linux-gnu/libnss_wins.so
> ln -s /usr/local/samba/lib/libnss_wins.so.2 /lib/x86_64-linux-gnu/libnss_wins.so.2
> ln
> -s /usr/local/samba/lib/security/pam_winbind.so /lib/x86_64-linux-gnu/security/pam_winbind.so
>
> You also need a file /usr/share/pam-configs/winbind
>
> Name: Winbind NT/Active Directory authentication
> Default: yes
> Priority: 192
> Auth-Type: Primary
> Auth:
> 	[success=end default=ignore]	pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
> Auth-Initial:
> 	[success=end default=ignore]	pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login
> Account-Type: Primary
> Account:
> 	[success=end new_authtok_reqd=done default=ignore]	pam_winbind.so
> Password-Type: Primary
> Password:
> 	[success=end default=ignore]	pam_winbind.so use_authtok try_first_pass
> Password-Initial:
> 	[success=end default=ignore]	pam_winbind.so
> Session-Type: Additional
> Session:
> 	optional			pam_winbind.so
>
> You will also need to install libpam-krb5
>
> Finally check that the 'passwd' and 'group' lines in /etc/nsswitch.conf
> have 'winbind' in them.
>
> Rowland
>
Rowland,

Success!

I'll post a few observations during this adventure.

Incorrect case on this page 
https://wiki.samba.org/index.php/Libnss_winbind_Links for smbd -B. 
Should be lowercase b.

smbd -b | grep LIBDIR
    LIBDIR: /usr/local/samba/lib/

I could not retrieve users or groups unless I added

'winbind use default domain = yes'

in my smb.conf file.  It's not listed in the wiki on this page 
https://wiki.samba.org/index.php/Idmap_config_ad as being optional or 
required. Did I do something wrong or should this be added to the wiki? 
Without it I would need to explicitly define it when using

id user1 at DOMAIN.LOCAL

I was unable to ping my DC when using it's FQDN. The fix was to disable 
Avahi in my nsswitch.conf file. This was due to using .local for my domain.

#hosts:          files mdns4_minimal [NOTFOUND=return] dns

hosts: files dns

Should this be added to the troubleshooting section of the wiki?

These three links also needed to be created. Not in the wiki that I seen.

ln -s /usr/local/samba/lib/libnss_wins.so.2 /lib/x86_64-linux-gnu/libnss_wins.so
ln -s /usr/local/samba/lib/libnss_wins.so.2 /lib/x86_64-linux-gnu/libnss_wins.so.2
ln -s /usr/local/samba/lib/security/pam_winbind.so /lib/x86_64-linux-gnu/security/pam_winbind.so

I installed libpam-winbind that created this file

'/usr/share/pam-configs/winbind'

I didn't need to manually create as suggested. However doing so created 
the following file

'/lib/x86_64-linux-gnu/security/pam_winbind.so'

I had to rename and create the link you suggested.

ln -s /usr/local/samba/lib/security/pam_winbind.so /lib/x86_64-linux-gnu/security/pam_winbind.so

Hopeful this helps others who attempt to join to Ubuntu. Now I will 
attempt to login from the GUI.



-- 
- James

More information about the samba mailing list