Joining Ubuntu 18.04 to Windows Active Directory Domain

Posted 16 Aug 2022 in General Tech / Bugs & Fixes.

Best Answer by manpreet (2 years ago):

I'm currently attempting to join an Ubuntu box to a Windows domain, eventually with the intention of allowing Windows-based domain members to access a Samba network share using their AD credentials. The DC is running on Windows (not Samba) and has DHCP/DNS running on a Linux server (using BIND). The DC (dc0/dc0.corp.company.internal) has authority within the "CORP" zone, which is also being used as the name of the domain itself.

Kerberos kinit/klist appear to work fine:

root@samba:~# kinit
Password for administrator@CORP.COMPANY.INTERNAL:

root@samba:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@CORP.COMPANY.INTERNAL

Valid starting       Expires              Service principal
04/11/2019 00:10:39  04/11/2019 00:20:33  krbtgt/CORP.COMPANY.INTERNAL@CORP.COMPANY.INTERNAL

DNS appears to be working properly as well.

My assumption is that the issue is with the Samba configuration, as I was able to join before. I didn't realize this at the time as there were still some errors - so I continued to change the smb.conf file to get it to "work."

Unfortunately, I do not have/did not save the configuration which actually worked. I'm trying to get it back to that stage, but am not sure what's actually wrong in order to diagnose it.

I've been following this guide on the Samba wiki: https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Everything seems to work until "Configuring Samba" and the steps that follow. There are two sets of errors I believe to be most important, first from "net ads join:"

root@samba:/etc/samba# net ads join -U administrator
Enter administrator's password:
gse_get_client_auth_token: gss_init_sec_context failed with [ Miscellaneous failure (see text): Message stream modified](______)
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/dc0 with user[administrator] realm[CORP.COMPANY.INTERNAL]: The attempted logon is invalid. This is either due to a bad username or authentication information.
Failed to join domain: failed to connect to AD: The attempted logon is invalid. This is either due to a bad username or authentication information.

Second, I get an error when I attempt to start Winbind:

systemd[1]: Starting Samba Winbind Daemon...
winbindd[22323]: [0] ../source3/winbindd/winbindd_cache.c:3170(initialize_winbindd_cache)
winbindd[22323]:   initialize_winbindd_cache: clearing cache and re-creating with version number 2
winbindd[22323]: [0] ../source3/winbindd/winbindd_util.c:891(init_domain_list)
winbindd[22323]:   Could not fetch our SID - did we join?
winbindd[22323]: [0] ../source3/winbindd/winbindd.c:1366(winbindd_register_handlers)
winbindd[22323]:   unable to initialize domain list
systemd[1]: winbind.service: Main process exited, code=exited, status=1/FAILURE
systemd[1]: winbind.service: Failed with result 'exit-code'.
systemd[1]: Failed to start Samba Winbind Daemon.

Here is my current smb.conf file:

[global]

username map = /usr/local/samba/etc/user.map

realm = CORP.COMPANY.INTERNAL
security = ADS
workgroup = CORP

log file = /var/log/samba/%m.log
log level = 1

# Default ID mapping configuration for local BUILTIN accounts
# and groups on a domain member. The default (*) domain:
# - must not overlap with any domain ID mapping configuration!
# - must use a read-write-enabled back end, such as tdb.
idmap config * : backend = tdb
idmap config * : range = 3000-7999
# - You must set a DOMAIN backend configuration
# idmap config for the SAMDOM domain
idmap config SAMDOM : backend = rid
idmap config SAMDOM : range = 10000-999999

# Template settings for login shell and home directory
template shell = /bin/bash
template homedir = /home/%U

The solutions mentioned in other similar questions (such as removing avahi-daemon) have already been attempted and failed. The steps have also been attempted on a secondary machine and account which had not at any point been joined to the domain, and the errors have been successfully reproduced. Given that it has already, in some capacity, previously succeeded, I am assuming that the problem is not with the DNS/DC configuration but rather with the client/member configuration, most likely smb.conf and potentially krb5.conf.

I'm not sure if it's an issue with Ubuntu 18.04 and Winbind/Samba versions, something about which Winbind backend I use (ad/rid/autorid) or if it would be a better idea to use SSSD or something instead of Winbind. I might be following the steps in the Samba wiki guide incorrectly, but I've attempted them multiple times and unfortunately I haven't seen clear enough errors to find exactly what I'm doing wrong.

If anyone can please point me as to where I should look for clear documentation on this, or point out where I made a mistake, I would greatly appreciate it, thanks!
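The following is an added example, not code from the post or from the Samba project. It is a small pre-join sanity check for the [global] section of an smb.conf: it parses the file, then flags the member-side mistakes that leave `net ads join` and winbind in the state shown above (no realm or workgroup, no default `idmap config *` backend, an idmap block whose domain name does not match `workgroup`, and overlapping idmap ranges). The sample input is the smb.conf from the post; note that in it the idmap block is named SAMDOM, which is the placeholder the Samba wiki template uses for the domain's NetBIOS name, while `workgroup` is CORP. The parser is deliberately minimal (sections of `key = value` lines, `#`/`;` comments) and is an assumption about the subset of smb.conf syntax worth checking here.

```python
"""Pre-join sanity checks for a Samba domain member's smb.conf (added example)."""
import re
from typing import Dict, List, Tuple

# smb.conf from the post above, embedded as the sample input.
SAMPLE_SMB_CONF = """
[global]

username map = /usr/local/samba/etc/user.map

realm = CORP.COMPANY.INTERNAL
security = ADS
workgroup = CORP

log file = /var/log/samba/%m.log
log level = 1

# Default ID mapping configuration for local BUILTIN accounts
idmap config * : backend = tdb
idmap config * : range = 3000-7999
# idmap config for the SAMDOM domain
idmap config SAMDOM : backend = rid
idmap config SAMDOM : range = 10000-999999

template shell = /bin/bash
template homedir = /home/%U
"""


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf parser: '[section]' headers and 'key = value' lines.

    Keys are lower-cased with internal whitespace collapsed, so
    'idmap config SAMDOM : range' becomes 'idmap config samdom : range'.
    Blank lines and '#'/';' comments are ignored.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = re.sub(r"\s+", " ", key.strip()).lower()
        sections[current][key] = value.strip()
    return sections


def parse_range(value: str) -> Tuple[int, int]:
    """'3000-7999' -> (3000, 7999)."""
    lo, hi = value.replace(" ", "").split("-", 1)
    return int(lo), int(hi)


def check_domain_member_config(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    g = parse_smb_conf(text).get("global", {})

    security = g.get("security", "").upper()
    if security != "ADS":
        findings.append(f"security is '{security or 'unset'}', expected ADS for a domain member")
    realm = g.get("realm", "")
    workgroup = g.get("workgroup", "")
    if not realm:
        findings.append("realm is not set")
    elif realm != realm.upper():
        findings.append(f"realm '{realm}' should be upper case (Kerberos realms are)")
    if not workgroup:
        findings.append("workgroup is not set")

    # Collect idmap blocks: domain name (lower-cased) -> {backend, range}
    idmap: Dict[str, Dict[str, str]] = {}
    for key, value in g.items():
        m = re.match(r"idmap config (\S+) : (backend|range)$", key)
        if m:
            idmap.setdefault(m.group(1), {})[m.group(2)] = value

    default = idmap.get("*", {})
    if "backend" not in default or "range" not in default:
        findings.append("default 'idmap config * : backend' and ': range' must both be set")

    # The domain block must be named after the NetBIOS workgroup, not a template placeholder.
    wg = workgroup.lower()
    if wg and wg not in idmap:
        findings.append(f"no 'idmap config {workgroup} : backend' block for workgroup {workgroup}")
    for name in idmap:
        if name not in ("*", wg):
            findings.append(f"idmap block for '{name.upper()}' does not match workgroup "
                            f"'{workgroup}' (leftover template placeholder?)")

    # Default and domain ranges must not overlap.
    ranges = [(n, parse_range(b["range"])) for n, b in idmap.items() if "range" in b]
    for i, (n1, (lo1, hi1)) in enumerate(ranges):
        for n2, (lo2, hi2) in ranges[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:
                findings.append(f"idmap ranges for '{n1}' and '{n2}' overlap")
    return findings


if __name__ == "__main__":
    import sys
    conf = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SMB_CONF
    problems = check_domain_member_config(conf)
    for p in problems:
        print("WARN:", p)
    print("no problems found" if not problems else f"{len(problems)} problem(s)")
```

Run it with no argument to check the embedded sample, or pass a path (`python3 check_smb.py /etc/samba/smb.conf`) to check a real file before running `net ads join`. On the sample it reports that there is no idmap block for CORP and that the SAMDOM block does not match the workgroup; renaming that block to CORP clears both findings. The check only covers smb.conf; a failed `net ads join` also leaves winbind with no domain SID, which is what the "Could not fetch our SID - did we join?" message reports, so winbind is expected to fail until the join itself succeeds.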
