Ubuntu 16.04 Winbind and Active Directory

The official SSSD and Active Directory guide didn't work, and it is hard to find out what's wrong. Winbind works well.


sudo apt install winbind samba

Of the following, libnss-winbind and libpam-winbind are what the NSS and PAM steps below need; heimdal-clients provides kinit/klist for the Kerberos join, and ntp keeps the clock within the skew Kerberos tolerates. The rest are optional.

sudo apt install cups-common python-crypto-dbg python-crypto-doc bind9 bind9utils ctdb ldb-tools ntp smbldap-tools heimdal-clients libnss-winbind libpam-winbind


sudo vi /etc/samba/smb.conf

In the [global] section:

## Browsing/Identification ###
# Change this to the workgroup/NT-domain name your Samba server will part of
#   workgroup = GROUP
# server string is the equivalent of the NT Description field
   server string = %h server (Samba, Ubuntu)
   security = ads
# Kerberos realm; must be written in upper case
   realm = MYDOMAIN.COM

# If the system doesn't find the domain controller automatically, you may need the following line
#   password server =
# note that workgroup is the 'short' domain name
   workgroup = MYDOMAIN
#  winbind separator = +
# UID/GID range winbind allocates for domain users and groups; choose one that
# cannot collide with local accounts. "idmap uid"/"idmap gid" are the deprecated
# spelling of the same range.
   idmap config * : backend = tdb
   idmap config * : range = 10000-20000
# Enumeration is only needed for listing (wbinfo -u, getent passwd) and is slow
# on large domains; logins work without it.
   winbind enum users = yes
   winbind enum groups = yes
   template homedir = /home/%D/%U
   template shell = /bin/bash
   client use spnego = yes
   client ntlmv2 auth = yes
   encrypt passwords = yes
   winbind use default domain = yes
   restrict anonymous = 2

Restart the Samba services so they pick up the new smb.conf. On a domain member these are smbd, nmbd and winbind; samba-ad-dc is the domain controller service and is not used on a member (Debian/Ubuntu ship it masked):

sudo service smbd restart

sudo service nmbd restart

sudo service winbind restart

Join the AD (see "net ads help"). The join needs DNS that resolves the domain's controllers, a clock within Kerberos' skew tolerance of the DCs (a few minutes), and a domain account allowed to add computers:

# Kerberos variant: obtain a ticket, check it with klist, then join with -k
#sudo kinit [email protected]
#sudo klist
# sudo net ads join -k
# Don't know why join -k doesn't work here, so join with -U instead; it prompts for the password.
# Ignore the DNS error messages: they come from the attempt to register this host's record in AD DNS and do not fail the join.
sudo net ads join -U [email protected]

If you have trouble, leave the domain with the following command and then rejoin it:

sudo net ads leave -U [email protected]

Set up authentication

Tell NSS to resolve users and groups through winbind after the local files. shadow stays local: winbind does not serve shadow entries.

sudo vi /etc/nsswitch.conf

passwd:         compat winbind

group:          compat winbind

shadow:         compat

Restart Winbind

sudo service winbind restart

PAM Configuration

sudo pam-auth-update

Make sure "Winbind NT/Active Directory authentication" is selected. Home directories are created at first login by pam_mkhomedir, not by winbind: enable the "Create home directory on login" profile if pam-auth-update offers it, otherwise add pam_mkhomedir to the session stack in /etc/pam.d/common-session.

Create the parent home directory

pam_mkhomedir creates only the user's own directory, so the parent that "template homedir = /home/%D/%U" points at must already exist:

sudo mkdir /home/MYDOMAIN

Add sudo users

Edit the drop-in with visudo so a syntax error cannot lock you out of sudo:

sudo visudo -f /etc/sudoers.d/MYDOMAIN

# replace adgroup with the real domain group name. With "winbind use default
# domain = yes" the name is written without the MYDOMAIN\ prefix; a group name
# containing spaces needs a backslash before each space.
# NOPASSWD gives every member of that AD group root without re-entering a
# password; drop it unless that is really what you want.

%adgroup        ALL=(ALL) NOPASSWD: ALL


Check that winbind can see the domain. Listing users and groups is what "winbind enum users/groups = yes" enables; on a large domain the listing is slow, but logins do not depend on it:

wbinfo -u

wbinfo -g
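The smb.conf settings above are easy to get subtly wrong (a lower-case realm, a missing idmap range, a deprecated idmap key, NTLMv2 switched off) before anything is sent to the domain. The script below is an added example, not code from the original post or from Samba: check_smbconf reads an smb.conf and reports what would make the join or winbind fail, or weaken authentication, and join_and_verify runs the join from the steps above followed by the standard post-join checks (net ads testjoin, wbinfo -t, wbinfo --ping-dc). The two embedded sample configs are constructed for its self-test and are not from any real host; the file name winbind-preflight.sh is my choice. Run it with no arguments for the self-test, or as `sudo sh winbind-preflight.sh join USER` to check /etc/samba/smb.conf and join.

```sh
#!/bin/sh
# Added example (not from the original post): preflight an smb.conf for a
# Winbind AD member, then optionally run the join. check_smbconf works offline
# on any file; join_and_verify needs root, DNS, a sane clock and a domain
# account allowed to join. The sample configs are constructed for the self-test.

# conf_value FILE KEY: effective value of KEY (last occurrence wins, as in
# Samba), empty if unset. Keys compare case-insensitively with whitespace
# normalised, so "idmap config * : range" and "Idmap Config *:Range" match.
conf_value() {
    awk -v want="$2" '
        function canon(k) {
            k = tolower(k)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/[ \t]+/, " ", k); gsub(/ *: */, ":", k)
            return k
        }
        BEGIN { want = canon(want); val = "" }
        /^[ \t]*[#;]/ { next }                 # Samba comments are whole-line only
        /^[ \t]*\[/   { next }                 # [global] and share headers
        index($0, "=") > 0 {
            i = index($0, "=")
            if (canon(substr($0, 1, i - 1)) == want) {
                val = substr($0, i + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", val)
            }
        }
        END { print val }' "$1"
}

# check_smbconf FILE: print FAIL/WARN findings; return 0 only if nothing FAILed.
check_smbconf() {
    f=$1; rc=0
    [ "$(conf_value "$f" security)" = "ads" ] \
        || { echo "FAIL: 'security = ads' is required for an AD domain member"; rc=1; }
    realm=$(conf_value "$f" realm)
    if [ -z "$realm" ]; then
        echo "FAIL: 'realm' (Kerberos realm, e.g. MYDOMAIN.COM) is not set"; rc=1
    elif [ "$realm" != "$(printf '%s' "$realm" | tr 'a-z' 'A-Z')" ]; then
        echo "FAIL: realm '$realm' must be upper-case (Kerberos realm names are case-sensitive)"; rc=1
    fi
    [ -n "$(conf_value "$f" workgroup)" ] \
        || { echo "FAIL: 'workgroup' (short NetBIOS domain name) is not set"; rc=1; }
    # winbind needs a UID/GID range to map domain SIDs; the old keys still parse but are deprecated
    if [ -z "$(conf_value "$f" 'idmap config * : range')" ]; then
        if [ -n "$(conf_value "$f" 'idmap uid')" ]; then
            echo "WARN: 'idmap uid/gid' are deprecated; use 'idmap config * : backend = tdb' and 'idmap config * : range'"
        else
            echo "FAIL: no idmap range; winbind cannot allocate UIDs/GIDs for domain users"; rc=1
        fi
    fi
    # never let the client downgrade to NTLMv1 or LanMan when talking to the DC
    [ "$(conf_value "$f" 'client ntlmv2 auth')" != "no" ] \
        || { echo "FAIL: 'client ntlmv2 auth = no' permits NTLMv1"; rc=1; }
    [ "$(conf_value "$f" 'client lanman auth')" != "yes" ] \
        || { echo "FAIL: 'client lanman auth = yes' permits LanMan authentication"; rc=1; }
    return $rc
}

# join_and_verify USER: the online part (not run by the self-test).
join_and_verify() {
    testparm -s >/dev/null 2>&1 || { echo "FAIL: testparm rejects smb.conf"; return 1; }
    net ads join -U "$1" || return 1
    service winbind restart
    net ads testjoin && wbinfo -t && wbinfo --ping-dc   # join state, machine secret, DC reachable
}

# Constructed sample configs for the self-test (not from any real host).
good_conf() {
cat <<'EOF'
[global]
   security = ads
   realm = MYDOMAIN.COM
   workgroup = MYDOMAIN
   idmap config * : backend = tdb
   idmap config * : range = 10000-20000
   winbind use default domain = yes
EOF
}
bad_conf() {
cat <<'EOF'
[global]
   security = user
   realm = mydomain.com
   idmap uid = 10000-20000
   client ntlmv2 auth = no
EOF
}

case "${1:-selftest}" in
    selftest)
        tmp=$(mktemp -d)
        good_conf > "$tmp/good.conf"; bad_conf > "$tmp/bad.conf"
        echo "== good sample"; check_smbconf "$tmp/good.conf" && echo "OK"
        echo "== bad sample";  check_smbconf "$tmp/bad.conf" || echo "rejected"
        rm -rf "$tmp" ;;
    join) check_smbconf /etc/samba/smb.conf && join_and_verify "$2" ;;
esac
```

testparm catches syntax errors and unknown parameters; this check covers values that testparm accepts without complaint. It needs only sh and awk, so it can run on the host before the join is attempted and on any copy of the file.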

Log in as a domain user and enjoy…

Written on December 14, 2016