Adding Ubuntu to a Windows Domain

While, to be fair, there is documentation on this process, I’ve found that it tends to not really… work. So I’m throwing in my attempt at documenting how to add various Linux flavors to an Active Directory Domain, with massive research assistance from Rob.

Right off the bat, I assume that the domain exists, that the Linux box is on the same network as the AD Controller, and that the AD Controller is also serving DNS. With that said, let us begin.

The Windows Part

Double check your hostname, domain, and workgroup. The workgroup is the short (NetBIOS) name of the domain, the part before the backslash when you log in as WORKGROUP\user. Domain and hostname can be found by right-clicking This PC and selecting “Properties.” You have something like this:



So my workgroup is PERIODIC, hostname is nitrogen, and domain is periodic.table. This will be needed later.

Ubuntu

First off is a few installs.

sudo apt install samba krb5-config krb5-user winbind libnss-winbind libpam-winbind


With those in place, we have some config changes to make. Let’s start off with the easiest one, hosts. This will make it so that even if DNS goes down for some reason, Ubuntu will still resolve at least the AD hostname:

127.0.0.1 localhost
$linux_ip$ $linux_hostname$.$domain$ $linux_hostname$
$ad_ip$ $ad_hostname$.$domain$ $ad_hostname$


Next is to set DNS to resolve from AD. This matters more than it looks: Kerberos and Samba locate the KDC and domain controllers through the domain's SRV records, so the AD Controller has to be the resolver. How you set it depends on the release, so I won't cover it beyond saying that for me it is an extra dns-nameservers line in the static-IP block of /etc/network/interfaces; on Ubuntu 18.04 and later it lives under /etc/netplan instead. Whichever way you do it, check it with host -t SRV _ldap._tcp.$domain$, which should come back with the AD hostname.

Now that we are resolving DNS from Windows, we can set up Kerberos. This is the part where most people make mistakes, but the worst thing that will happen is that it doesn't work; nothing should break. One thing to sort out first: Kerberos rejects tickets when the clock differs from the DC's by more than five minutes (the default tolerance), so make sure the Ubuntu box is keeping time with the domain controller (timedatectl status shows whether NTP is active). Then /etc/krb5.conf:

[libdefaults]
default_realm = $DOMAIN$

[realms]
$DOMAIN$ = {
kdc = $AD_HOSTNAME$.$DOMAIN$
default_domain = $DOMAIN$
}

[domain_realm]
.$domain$ = $DOMAIN$
$domain$ = $DOMAIN$


The caps are important, make sure to match them: wherever $DOMAIN$ appears, the realm is the DNS domain in upper case (PERIODIC.TABLE for periodic.table), the DNS names on the left of [domain_realm] stay lower case, and the right-hand side is the bare realm with no leading dot. This is a very basic config; it can easily get more complex. Before going further, check it with kinit Administrator@$DOMAIN$ followed by klist, which should show a krbtgt ticket for the realm.
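The two mistakes the paragraph above warns about (a lower-case realm, and a leading dot on the right-hand side of a [domain_realm] mapping) are easy to lint for. The script below is an added example written for this guide, not code from the original post; it assumes the minimal krb5.conf shape shown above, and the PERIODIC.TABLE names in its usage are the illustrative ones from this page.

```shell
#!/bin/sh
# lint-krb5.sh: sanity-check a minimal krb5.conf of the shape used above.
# Added example for this guide, not code from the original post. It checks the
# two things the "caps are important" note is about: default_realm must be the
# domain in upper case, and every [domain_realm] mapping must point at that bare
# realm (a leading dot belongs on the left-hand side only).

lint_krb5_conf() {
    conf="$1"
    errors=0

    # default_realm = VALUE  (first match wins, whitespace around '=' allowed)
    realm=$(sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' "$conf" | head -n 1)
    if [ -z "$realm" ]; then
        echo "$conf: no default_realm in [libdefaults]"
        return 1
    fi

    # Kerberos realm names are case-sensitive; an AD realm is the DNS name in upper case
    upper=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
    if [ "$realm" != "$upper" ]; then
        echo "$conf: default_realm '$realm' is not upper case (expected '$upper')"
        errors=$((errors + 1))
    fi

    # Pull the "suffix = REALM" lines out of [domain_realm] (up to the next [section]),
    # stripping blanks so each mapping becomes a single word for the loop below.
    maps=$(sed -n '/^\[domain_realm\]/,/^\[/{/^\[/d;p;}' "$conf" | tr -d '[:blank:]' | grep '=' || true)
    for m in $maps; do
        lhs=${m%%=*}
        rhs=${m#*=}
        if [ "$rhs" != "$realm" ]; then
            echo "$conf: [domain_realm] '$lhs' maps to '$rhs', expected '$realm' (no leading dot)"
            errors=$((errors + 1))
        fi
    done

    [ "$errors" -eq 0 ]
}

# Usage: sh lint-krb5.sh /etc/krb5.conf   (exit status 0 means no problems found)
if [ "$#" -gt 0 ]; then
    lint_krb5_conf "$1"
fi
```

Run it against /etc/krb5.conf after editing; a mapping such as `.periodic.table = .PERIODIC.TABLE` is reported as pointing at the wrong realm, which is exactly the symptom that otherwise shows up later as an unexplained join or kinit failure.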

There are a couple of changes that need to be made in /etc/samba/smb.conf. We're not setting up a share, but Samba needs to know about the realm and how to map domain accounts onto Unix UIDs and GIDs. Make sure these are set in the [global] section (older guides spell the ID range as idmap uid / idmap gid; that is the pre-Samba-4 form of the idmap config lines below):

workgroup = $WORKGROUP$
netbios name = $LINUX_HOSTNAME$
realm = $DOMAIN$
server string =
security = ads
encrypt passwords = yes
password server = $AD_HOSTNAME$.$DOMAIN$
log file = /var/log/samba/%m.log
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
preferred master = False
local master = No
domain master = No
dns proxy = No
idmap config * : backend = tdb
idmap config * : range = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
client use spnego = yes
template shell = /bin/bash
template homedir = /home/%U


template shell is the login shell winbind reports for domain users, which can be any shell installed on the system (bash, zsh, sh, etc.); without it they get /bin/false and cannot log in interactively. template homedir is the home directory it reports for them. To keep domain users in their own folder, change it to template homedir = /home/%D/%U, which comes out as /home/PERIODIC/alice. Two of the other settings deserve a word. winbind use default domain = yes lets people log in as alice rather than PERIODIC\alice, but it also means a domain account with the same name as a local account is ambiguous, so keep the two sets of names distinct. winbind enum users/groups = yes makes getent list every domain account, which is handy for checking the join but slow on a large domain; turn them off once you are done testing. Check the file with testparm, which flags unknown or deprecated parameters, then enable and restart Samba:

sudo systemctl enable smbd.service
sudo systemctl restart smbd


And finally, we can attempt to join the domain. The account after -U does not have to be Administrator: any account allowed to create computer objects in the target OU will do (by default ordinary domain users can join a handful of machines through the ms-DS-MachineAccountQuota attribute), and a less privileged account is the better choice since its password gets typed on this box. net ads join also accepts createcomputer="OU=Linux,DC=periodic,DC=table" if you want the computer object somewhere other than the default Computers container (that OU is just an illustration).

sudo net ads join -S $AD_HOSTNAME$.$DOMAIN$ -U Administrator


If that reports something like “Joined 'NITROGEN' to dns domain 'periodic.table'”, you are now joined to AD. Enable and restart winbind, then confirm that the join holds, that the machine account secret works, and that users enumerate:

sudo systemctl enable winbind
sudo systemctl restart winbind
sudo net ads testjoin
sudo wbinfo -t
sudo wbinfo -u



Now that we are joined to the domain, we need to edit nsswitch.conf so that user and group lookups also ask winbind; this is what turns a domain account into a Unix user that PAM (libpam-winbind, which pam-auth-update wired in when it was installed) can log in. At this point, Ubuntu's hostname should be listed under Users and Computers in Active Directory. The top of /etc/nsswitch.conf should roughly match the following (on newer releases the first entry may read files or files systemd rather than compat; keep whatever is there and append winbind):

passwd:   compat winbind
group: compat winbind
shadow: compat winbind
gshadow: files
hosts: files dns



You can confirm that authentication is working by signing into an AD account, or by running getent passwd and seeing that the domain users are listed. If they show up with /bin/false as their shell, or a login drops you straight back to the prompt, the template shell and template homedir settings from smb.conf have not been picked up: winbind reads them at start, so restart winbind (not just smbd) after changing them, and run net cache flush if old values persist. The home directory is only named by that template, not created; to have it made on first login, run sudo pam-auth-update and enable “Create home directory on login” (newer releases also accept pam-auth-update --enable mkhomedir). Policies that set the shell and home folder per user from AD instead depend on AD configuration. The article here details how to handle this.
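The two failures that usually surface at this step are a domain user with a non-login shell and a home directory that nothing ever created; both are visible in getent passwd output before anyone tries to log in. The script below is an added example written for this guide, not code from the original post; it assumes the 10000-20000 idmap range from the smb.conf above, and its sample lines are constructed, not real getent output.

```shell
#!/bin/sh
# check-domain-logins.sh: spot the two login failures described above from
# `getent passwd` output. Added example for this guide, not code from the
# original post. It reads passwd-format lines, looks only at accounts in the
# winbind idmap range configured in smb.conf (10000-20000, assumed here), and
# reports any whose shell cannot log in or whose home directory does not exist.
# Exit status 1 means at least one domain account would fail an interactive login.

check_login_fields() {
    src="${1:-/dev/stdin}"
    [ "$src" = "-" ] && src=/dev/stdin
    bad=0
    while IFS=: read -r name pw uid gid gecos home shell; do
        # Skip malformed lines and local accounts (UIDs outside the idmap range)
        case "$uid" in ''|*[!0-9]*) continue ;; esac
        [ "$uid" -ge 10000 ] && [ "$uid" -le 20000 ] || continue

        # Winbind reports "template shell"; /bin/false is what you get when it is unset
        case "$shell" in
            ''|/bin/false|/usr/sbin/nologin|/sbin/nologin)
                printf '%s: shell "%s" blocks login (set "template shell" in smb.conf, restart winbind)\n' "$name" "$shell"
                bad=1 ;;
        esac

        # "template homedir" only names the directory; nothing creates it unless pam_mkhomedir is on
        if [ ! -d "$home" ]; then
            printf '%s: home %s does not exist (enable pam_mkhomedir or create it)\n' "$name" "$home"
            bad=1
        fi
    done < "$src"
    return "$bad"
}

# Constructed sample in getent passwd format (not real output): a local user,
# a domain user with the default /bin/false shell and a missing home, and a
# healthy domain user whose home (/tmp, for the sake of the sample) exists.
SAMPLE='local:x:1000:1000:Local User:/home/local:/bin/bash
alice:*:10012:10000::/home/PERIODIC/alice:/bin/false
bob:*:10013:10000::/tmp:/bin/bash'

# Usage on a joined box:  getent passwd | sh check-domain-logins.sh -
# With no argument the script checks the constructed sample instead.
if [ "$#" -gt 0 ]; then
    check_login_fields "$1"
else
    printf '%s\n' "$SAMPLE" | check_login_fields
fi
```

On the sample it reports both of alice's problems and nothing for bob or the local account; on a real box, an empty report with exit status 0 means the templates were applied and the home directories are in place.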



About: Bailey Kasin

I build virtual environments and challenges for Cybersecurity students to complete as a way to gain experience before graduating and entering the workforce.


19 thoughts on “Adding Ubuntu to a Windows Domain”

  1. Hi, I followed the steps and while I am adding the Linux host to the AD domain (sudo net ads join …), an error message shown:
    Host is not configured as a member server.
    Invalid configuration. Exiting….
    Failed to join domain: This operation is only allowed for the PDC of the domain.

    Could you help with this error? Thanks a lot.

    1. Sorry for the late reply. One thing you can try is pre-making a machine account on the AD server. To do this through the Server Manager, you would do:

      Tools -> Users and Computers, and then right click in your default OU and make a machine account with the same name as the machine you’re adding.

      Other things to check are:

      1. Is your DNS pointing to AD?
      2. Are you running net ads join with an admin account?

  2. Hi,
    In my case, everything is ok until this part “You can confirm that authentication is working by signing into an AD account, or by running getent passwd and seeing if the new users have been added”, in which I can’t see my AD users.
    Could you help me please?
    Thanks.

    1. Do you get any sort of error, or are they just not listed? Also, was there any error during the process up to this point?

  3. Did this and all seemed ok however upon signing in I immediately get signed out, getent passwd shows like this for the users:

    Domain\user:*:10012:10000:
    :/home/Domain/user:/bin/false

    (Split at the :: for formatting on mobile)

    Any advice?

    1. If you want to change the shell for just that user you can use the chsh (change shell) command. To make it so that all users will have a certain shell as their accounts get made, you can add the following to your Samba config:

      template shell = /bin/bash

      And then restart smbd. I don’t think this will retroactively change shells.

      Thank you for your question and so for the late reply! I’ll update the guide to include this info.

      1. You might need to edit my first reply, just noticed on my phone that it’s probably going to break your site’s mobile optimisation as that long piece of text crawls off the page and has given me horizontal scroll, sorry about that.

        I will try that this evening (GMT time) and let you know how I get on, it’s weird because after a reboot I was able to sign in as a domain user but I get a cursor for a second or two and then I’m thrown back to signing in.

        Great tutorial though, it was all easy to follow and implement.

        1. Ah, so it does. I’ll see about fixing that when I’m at my computer in a couple hours.

          I’ve encountered a problem exactly like that before but I can’t remember what the cause and solution were, so I’m curious if setting the shell will fix it.

          And I’m glad to hear it!

          1. Okay, I tried that and I can now get through the CLI (hope that’s right, ctrl-alt-f5) and when I sign in domain\username, I get last login bla bla bla… and the bit I thought may have been important – “No directory, logging in with HOME=/. “

          2. You’re correct on both CLI and that part being important. To set the default folder for domain users, add this after the shell part in the Samba config:

            template homedir = /home/%U

            If you want domain users to be a bit separate from local users, you can do:

            template homedir = /home/%D/%U

            Then restart the service and attempt a sign in again. You might have to delete the user before this will work.

          3. I tried both with and without the domain in home and both occasions gave the same results as before even when deleting the user and restarting, have you got any other ideas? I’ve done a bit of googling but no good results just yet

          4. Odd. Can you double check /etc/passwd to see if the created user actually has a home folder set? If they don’t try setting one and then making the folder for them (and giving them ownership of that folder).

  4. So, it seems to be working but I got a couple of worrying messages (in Ubuntu 18.04) – should I be worried about the Segmentation Fault or the Ubuntu crash report?

    ```
    mike@NUC7i5Upstairs:/etc/samba$ sudo net ads join -S CRICOID.NIM4.COM -U Administrator
    Enter Administrator’s password:
    Using short domain name — NIM4
    Joined ‘NUC7I5UPSTAIRS’ to dns domain ‘nim4.com’

    Segmentation fault

    mike@NUC7i5Upstairs:/etc/samba$ sudo systemctl enable winbind
    Synchronizing state of winbind.service with SysV service script with /lib/systemd/systemd-sysv-install.
    Executing: /lib/systemd/systemd-sysv-install enable winbind
    mike@NUC7i5Upstairs:/etc/samba$ sudo systemctl restart winbind
    mike@NUC7i5Upstairs:/etc/samba$ sudo wbinfo -u
    administrator
    guest
    krbtgt
    smitha1
    andert1
    ```
