Ubuntu 16.04 Winbind and Active Directory

The official SSSD and Active Directory guide doesn't work, and it is hard to find what's wrong. Using Winbind works well.

Installation:

sudo apt install winbind samba

sudo apt install cups-common python-crypto-dbg python-crypto-doc bind9 bind9utils ctdb ldb-tools ntp smbldap-tools heimdal-clients libnss-winbind libpam-winbind

Configuration:

sudo vi /etc/samba/smb.conf

[global]

## Browsing/Identification ###

# Change this to the workgroup/NT-domain name your Samba server will be part of
#   workgroup = GROUP

# server string is the equivalent of the NT Description field
  server string = %h server (Samba, Ubuntu)

# domain member: authenticate against the Kerberos realm below
        security = ads
        realm = MYDOMAIN.COM

# If the system doesn't find the domain controller automatically, you may need the following line
#        password server = 10.0.0.1

# note that workgroup is the 'short' domain name
        workgroup = MYDOMAIN
#       winbind separator = +

# uid/gid range handed out to domain accounts; keep it clear of local users
# (idmap uid/gid are the older spellings of "idmap config * : range", which newer Samba releases prefer)
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind enum users = yes
        winbind enum groups = yes
        template homedir = /home/%D/%U
        template shell = /bin/bash
        client use spnego = yes
        client ntlmv2 auth = yes
        encrypt passwords = yes
# log in as "user" rather than "MYDOMAIN\user"; group names elsewhere (e.g. sudoers) are unprefixed too
        winbind use default domain = yes
# 2 = also refuse anonymous connections to IPC$
        restrict anonymous = 2

Restart services:

sudo service winbind stop

sudo service samba-ad-dc restart

sudo service winbind start

Join the AD (see “net ads help”):

sudo kinit [email protected]

# check klist

sudo klist

# join with the Kerberos ticket (ignore the DNS update error messages: they mean the host could not register its own DNS record, not that the join failed)

sudo net ads join -k

OR

sudo net ads join -U [email protected]

Setup Authentication

sudo vi /etc/nsswitch.conf

passwd:         compat winbind

group:          compat winbind

shadow:         compat

Restart Winbind

sudo service winbind restart

PAM Configuration

sudo pam-auth-update

# select the "Winbind NT/Active Directory authentication" profile; if a "Create home directory on login"
# profile is listed, enable it too so pam_mkhomedir creates /home/MYDOMAIN/<user> at first login

Create the parent of the home directories (template homedir = /home/%D/%U puts each domain user under /home/MYDOMAIN)

sudo mkdir /home/MYDOMAIN

Add sudo users

sudo vi /etc/sudoers.d/MYDOMAIN

# replace adgroup with the real domain group name (unprefixed because of "winbind use default domain";
# spaces in a group name must be backslash-escaped). NOPASSWD: lets every member of the group run any
# command as root without re-entering a password; remove it if you want the prompt kept.
# After saving, verify the syntax with visudo -cf on this file before closing your session.

%adgroup        ALL=(ALL) NOPASSWD: ALL

Test

# list domain users and groups through winbind
wbinfo -u

wbinfo -g
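The steps above edit three files and then rely on a working join; the script below, an added example that is not part of the original post, checks each of them and, where wbinfo and net are installed, the join itself. File paths are parameters (defaulting to the paths used above) so copies of the files can be checked on another host.

```shell
#!/bin/sh
# Post-setup checks for the Winbind join above (added example, not from the original
# post). File paths are parameters so copies of the files can be checked as well.

# 0 if passwd and group lookups in nsswitch.conf go through winbind.
check_nsswitch() {
    f="${1:-/etc/nsswitch.conf}"
    grep -Eq '^passwd:.*[[:space:]]winbind([[:space:]]|$)' "$f" &&
    grep -Eq '^group:.*[[:space:]]winbind([[:space:]]|$)' "$f"
}
# 0 if smb.conf has the settings the join depends on; prints each problem found.
check_smbconf() {
    f="${1:-/etc/samba/smb.conf}"
    rc=0
    for key in realm workgroup; do
        grep -Eiq "^[[:space:]]*$key[[:space:]]*=[[:space:]]*[^[:space:]]" "$f" ||
            { echo "missing: $key"; rc=1; }
    done
    grep -Eiq '^[[:space:]]*security[[:space:]]*=[[:space:]]*ads' "$f" ||
        { echo "security must be ads for a domain member"; rc=1; }
    # Kerberos realm names are case-sensitive; kinit and net ads expect upper case.
    realm=$(sed -n 's/^[[:space:]]*realm[[:space:]]*=[[:space:]]*//p' "$f" | head -n 1)
    [ "$realm" = "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ] ||
        { echo "realm '$realm' is not upper case"; rc=1; }
    return "$rc"
}
# 0 if the sudoers fragment no longer carries the %adgroup placeholder and parses.
check_sudoers() {
    f="${1:-/etc/sudoers.d/MYDOMAIN}"
    if grep -Eq '^%adgroup[[:space:]]' "$f"; then
        echo "sudoers: %adgroup placeholder still present"; return 1
    fi
    # visudo -c also verifies owner and mode, so only run it as root when present.
    if [ "$(id -u)" -eq 0 ] && command -v visudo >/dev/null; then
        visudo -cf "$f" >/dev/null
    fi
}
# Live checks against the domain (run as root); skipped where wbinfo is absent.
check_join() {
    command -v wbinfo >/dev/null || { echo "wbinfo not installed, skipping"; return 0; }
    wbinfo -t        || { echo "machine trust secret check failed"; return 1; }
    net ads testjoin || { echo "net ads testjoin failed"; return 1; }
    # at least one domain account must map into the idmap range from smb.conf
    getent passwd | awk -F: '$3 >= 10000 && $3 <= 20000' | grep -q . ||
        { echo "no domain users mapped into 10000-20000"; return 1; }
}

main() { check_nsswitch && check_smbconf && check_sudoers && check_join; }
case "${1:-}" in run) main ;; esac
```

Run it on the joined host as `sudo sh check-join.sh run`; without the `run` argument it only defines the functions, so it can be sourced to check individual files.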

Login as a domain user and enjoy…

Written on December 14, 2016