Adding Ubuntu to a Windows Domain
While, to be fair, there is documentation on this process, I’ve found that it tends to not really… work. So I’m throwing in my attempt at documenting how to add various Linux flavors to an Active Directory Domain, with massive research assistance from Rob.
Right off the bat, I assume that the domain exists, that the Linux box is on the same network as the AD Controller, and that the AD Controller is also serving DNS. With that said, let us begin.
The Windows Part
Double check your hostname, domain, and workgroup. The workgroup is shown when you log in: it is the short name of your domain that appears before your user name. Domain and hostname can be found by right-clicking This PC and selecting “Properties.” You should see something like this:
So my workgroup is PERIODIC, hostname is nitrogen, and domain is periodic.table. This will be needed later.
Ubuntu
First off, install a few packages.
sudo apt install samba krb5-config krb5-user winbind libnss-winbind libpam-winbind
With those in place, we have some config changes to make. Let’s start off with the easiest one, /etc/hosts. This will make it so that even if DNS goes down for some reason, Ubuntu will still resolve at least the AD hostname:
127.0.0.1 localhost
$linux_ip$ $linux_hostname$.$domain$ $linux_hostname$
$ad_ip$ $ad_hostname$.$domain$ $ad_hostname$
Next, set DNS to resolve from AD. This can be done a few ways, so I won’t really cover it aside from saying that for me it is an extra line in /etc/network/interfaces in the block where I set a static IP. On Ubuntu 18, it will probably be under /etc/netplan.
Now that we are resolving DNS from Windows, we can set up Kerberos. This is the part where most people make mistakes, but the worst that will happen is that it doesn’t work; nothing should break. Edit /etc/krb5.conf:
[libdefaults]
default_realm = $DOMAIN$
[realms]
$DOMAIN$ = {
kdc = $AD_HOSTNAME$.$DOMAIN$
default_domain = $DOMAIN$
}
[domain_realm]
# map the DNS domain (lowercase) and all its subdomains to the realm (uppercase, no leading dot)
.$domain$ = $DOMAIN$
$domain$ = $DOMAIN$
The caps are important: realm names ($DOMAIN$) are uppercase and DNS names ($domain$) are lowercase, so make sure they match exactly. This is a very basic config; it can easily get more complex.
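As an added example (not part of the original guide), here is a small Python linter for a krb5.conf in the shape shown above. It catches the case mistake this paragraph warns about and a wrong realm on the right-hand side of [domain_realm]; the sample config, domain (periodic.table) and DC name (nitrogen) are constructed to match the guide's placeholders.

```python
# Constructed sample based on the guide's template (domain periodic.table,
# DC nitrogen) with two deliberate mistakes for the linter to find.
SAMPLE_KRB5_CONF = """\
[libdefaults]
default_realm = periodic.table
[realms]
PERIODIC.TABLE = {
kdc = nitrogen.periodic.table
default_domain = periodic.table
}
[domain_realm]
.periodic.table = .PERIODIC.TABLE
periodic.table = PERIODIC.TABLE
"""

def parse_krb5(text):
    """Return {section: [(key, value), ...]} for the flat sections; a realm
    block is recorded as (REALM, '{') with its keys prefixed 'REALM/'."""
    sections, current, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif line.endswith("{"):  # start of a realm block
            realm = line[:-1].split("=")[0].strip()
            sections.setdefault(current, []).append((realm, "{"))
        elif line == "}":
            realm = None
        else:
            key, _, value = line.partition("=")
            key = f"{realm}/{key.strip()}" if realm else key.strip()
            sections.setdefault(current, []).append((key, value.strip()))
    return sections

def lint_krb5(text):
    """Return human-readable findings; an empty list means no known mistake."""
    s, findings = parse_krb5(text), []
    realm = dict(s.get("libdefaults", [])).get("default_realm", "")
    if realm != realm.upper():
        findings.append(f'default_realm "{realm}" must be uppercase')
    if realm.upper() not in {k for k, v in s.get("realms", []) if v == "{"}:
        findings.append(f"no [realms] block for {realm.upper()}")
    for dom, target in s.get("domain_realm", []):
        if target.startswith(".") or target != target.upper():
            want = target.lstrip(".").upper()
            findings.append(f'domain_realm "{dom}" maps to "{target}", expected "{want}"')
    return findings
```

Run it as `lint_krb5(open("/etc/krb5.conf").read())` before attempting the join; an empty list means the file passes these checks.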
There are a couple of changes that need to be made in /etc/samba/smb.conf. We’re not setting up a share, but we do need to tell it about the realm. Make sure that these variables are set in Samba’s config file:
[global]
workgroup = $WORKGROUP$
netbios name = $LINUX_HOSTNAME$
realm = $DOMAIN$
server string =
security = ads
encrypt passwords = yes
password server = $AD_HOSTNAME$.$DOMAIN$
log file = /var/log/samba/%m.log
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
preferred master = False
local master = No
domain master = No
dns proxy = No
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
client use spnego = yes
template shell = /bin/bash
template homedir = /home/%U
The template shell setting is the default shell of users added via Samba, which can be any shell installed on the system (bash, zsh, sh, etc). template homedir is the default home folder of the new users. To have them be made in a folder for the domain, you can change it to template homedir = /home/%D/%U. Now enable and restart Samba:
sudo systemctl enable smbd.service
sudo systemctl restart smbd
And finally, we can attempt to join the domain.
sudo net ads join -S $AD_HOSTNAME$.$DOMAIN$ -U Administrator
Theoretically, you are now joined to AD. Enable and restart winbind, then run wbinfo to confirm:
sudo systemctl enable winbind
sudo systemctl restart winbind
sudo wbinfo -u
Now that we are joined to the domain, we will need to edit nsswitch.conf to allow authentication to work. At this point, Ubuntu’s hostname should be listed under Users and Computers in Active Directory. The top of /etc/nsswitch.conf should roughly match the following:
passwd: compat winbind
group: compat winbind
shadow: compat winbind
gshadow: files
hosts: files dns
You can confirm that authentication is working by signing into an AD account, or by running getent passwd and seeing if the new users have been added. While authentication should work, you will probably find that the default shell is set to /bin/false. Settings and policies that control the default shell and home folder depend on the AD configuration. The article here details how to handle this.
Hi, I followed the steps and while I am adding the Linux host to the AD domain (sudo net ads join …), an error message shown:
Host is not configured as a member server.
Invalid configuration. Existing….
Failed to join domain: This operation is only allowed for the PDC of the domain.
Could you help with this error? Thanks a lot.
Sorry for the late reply. One thing you can try is pre-making a machine account on the AD server. To do this through the Server Manager, you would do:
Tools -> Users and Computers, and then right click in your default OU and make a machine account with the same name as the machine you’re adding.
Other things to check are:
1. Is your DNS pointing to AD?
2. Are you running net ads join with an admin account?
Hi,
In my case, everything is ok until this part: “You can confirm that authentication is working by signing into an AD account, or by running getent passwd and seeing if the new users have been added”, in which I can’t see my AD users.
Could you help me please?
Thanks.
Do you get any sort of error, or are they just not listed? Also, was there any error during the process up to this point?
Nope, and when I execute “sudo wbinfo -u” the result is a whole AD members list. I’m a little stuck…
Interesting. Have you tried signing into one of those accounts?
Yes. System recognizes the user but It doesn’t catch the password…….
A great post, thank you very much. To add, it would be nice to configure the NTP client. The idea is that the NTP client synchronizes time with the domain controller (DC). Here is an interesting guide to check: https://www.sysadmit.com/2019/11/linux-anadir-equipo-al-dominio-windows.html
Did this and all seemed ok, however upon signing in I immediately get signed out. getent passwd shows like this for the users:
Domain\user:*:10012:10000:
:/home/Domain/user:/bin/false
(Split at the :: for formatting on mobile)
Any advice?
If you want to change the shell for just that user you can use the chsh (change shell) command. To make it so that all users will have a certain shell as their accounts get made, you can add the following to your Samba config:
template shell = /bin/bash
And then restart smbd. I don’t think this will retroactively change shells.
Thank you for your question and sorry for the late reply! I’ll update the guide to include this info.
You might need to edit my first reply, just noticed on my phone that it’s probably going to break your site’s mobile optimisation as that long piece of text crawls off the page and has given me horizontal scroll, sorry about that.
I will try that this evening (GMT time) and let you know how I get on, it’s weird because after a reboot I was able to sign in as a domain user but I get a cursor for a second or two and then I’m thrown back to signing in.
Great tutorial though, it was all easy to follow and implement.
Ah, so it does. I’ll see about fixing that when I’m at my computer in a couple hours.
I’ve encountered a problem exactly like that before but I can’t remember what the cause and solution were, so I’m curious if setting the shell will fix it.
And I’m glad to hear it!
Okay, I tried that and I can now get through the CLI (hope that’s right, ctrl-alt-f5) and when I sign in domain\username, I get last login bla bla bla… and the bit I thought may have been important – “No directory, logging in with HOME=/. “
You’re correct on both CLI and that part being important. To set the default folder for domain users, add this after the shell part in the Samba config:
template homedir = /home/%U
If you want domain users to be a bit separate from local users, you can do:
template homedir = /home/%D/%U
Then restart the service and attempt a sign in again. You might have to delete the user before this will work.
I tried both with and without the domain in home and both occasions gave the same results as before even when deleting the user and restarting, have you got any other ideas? I’ve done a bit of googling but no good results just yet
Odd. Can you double check /etc/passwd to see if the created user actually has a home folder set? If they don’t, try setting one and then making the folder for them (and giving them ownership of that folder).
So, it seems to be working but I got a couple of worrying messages (in Ubuntu 18.04) – should I be worried about the Segmentation Fault or the Ubuntu crash report?
mike@NUC7i5Upstairs:/etc/samba$ sudo net ads join -S CRICOID.NIM4.COM -U Administrator
Enter Administrator’s password:
Using short domain name — NIM4
Joined ‘NUC7I5UPSTAIRS’ to dns domain ‘nim4.com’
Segmentation fault
mike@NUC7i5Upstairs:/etc/samba$ sudo systemctl enable winbind
Synchronizing state of winbind.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable winbind
mike@NUC7i5Upstairs:/etc/samba$ sudo systemctl restart winbind
mike@NUC7i5Upstairs:/etc/samba$ sudo wbinfo -u
administrator
guest
krbtgt
smitha1
andert1
Eh, if authentication is working then it’s probably fine.
Nice job, worked from the start.