Ubuntu 16.04 Winbind and Active Directory

Official SSSD and Active Directory guide doesn’t work. It is hard to find what’s wrong. Using Winbind works well.

Installation:

sudo apt install winbind samba

sudo apt install cups-common python-crypto-dbg python-crypto-doc bind9 bind9utils ctdb ldb-tools ntp smbldap-tools heimdal-clients libnss-winbind libpam-winbind

Configuration:

sudo vi /etc/samba/smb.conf
[global]

## Browsing/Identification ###
# Change this to the workgroup/NT-domain name your Samba server will part of
#   workgroup = GROUP
# server string is the equivalent of the NT Description field
  server string = %h server (Samba, Ubuntu)
        security = ads
        realm = MYDOMAIN.COM

# If the system doesn't find the domain controller automatically, you may need the following line
#        password server = 10.0.0.1
# note that workgroup is the 'short' domain name
        workgroup = MYDOMAIN
#       winbind separator = +
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind enum users = yes
        winbind enum groups = yes
        template homedir = /home/%D/%U
        template shell = /bin/bash
        client use spnego = yes
        client ntlmv2 auth = yes
        encrypt passwords = yes
        winbind use default domain = yes
        restrict anonymous = 2

Restart services:

sudo service winbind stop

sudo service samba-ad-dc restart

sudo service winbind start

Join the AD (see “net ads help”):

#sudo kinit [email protected]
# check klist
#sudo klist
# join (ignore the dns error messages)
# sudo net ads join -k
# Don't know why join -k doesn't work.
# Using join -U instead
sudo net ads join -U [email protected]

If have trouble, using folloing command leave the domain and rejoin it.

sudo net nds leave -U [email protected]

Setup Authentication

sudo vi /etc/nsswitch.conf

passwd:         compat winbind

group:          compat winbind

shadow:         compat

Restart Winbind

sudo service winbind restart

PAM Configuration

sudo pam-auth-update

Create Home directory

sudo mkdir /home/MYDOMAIN

Add sudo users

sudo vi /etc/sudoers.d/MYDOMAIN

# replace adgroup as real domain group name

%adgroup        ALL=(ALL) NOPASSWD: ALL

Test

wbinfo -u

wbinfo -g

Login as a domain user and enjoy…

Written on December 14, 2016