How to join Ubuntu/Samba to a Windows 2003 Active Directory domain


  • A Windows network with an Active Directory server (like Windows Server 2003)
  • Ubuntu Linux 5.10 installed
  • TCP/IP setup properly (the Linux machine taking its address by DHCP from the Windows server)
  • No firewall yet on the Linux machine! First get it working, then secure it.

More info:

1. Installing

We assume that Ubuntu Linux has been installed.

Install the following packages with the Synaptic Package Manager. You may need to specify “universe” as an extra source for packages.

  • Samba (version 3):
    • samba
    • samba-common (installed by default)
    • smbclient (installed by default)
    • winbind
  • Kerberos:
    • krb5-config
    • krb5-user
  • ... and any packages that might be needed to meet dependencies.

2. Edit configuration files

Edit the following configuration files. We assume the following:

  • The local DNS domain is mycompany.local
  • The Windows 2003 server is obelix.mycompany.local


security = ADS
workgroup = mycompany
password server = obelix.mycompany.local
wins support = no
wins server =
invalid users = root
# Winbind settings
idmap uid = 10000-20000
idmap gid = 10000-20000
# For testing
debuglevel = 2

# A shared folder for testing purposes
path = /home/onno2/Shared_Folder
available = yes
public = yes
writable = yes
force create mode = 0666
force directory mode = 0777

Make sure the path (/home/onno2/Shared_Folder or whatever you choose) exists and that the rights are set properly (chmod 777 <mapnaam> or something similar)


 default_realm = MYCOMPANY.LOCAL
 krb4_config = /etc/krb.conf
 krb4_realms = /etc/krb.realms
 kdc_timesync = 1
 ccache_type = 4
 forwardable = true
 proxiable = true
# The following libdefaults parameters are only for Heimdal Kerberos.
 v4_instance_resolve = false
 v4_name_convert = {
  host = {
   rcmd = host
   ftp = ftp
  plain = {
   something = something-else
        kdc = obelix.mycompany.local
        admin_server = obelix.mycompany.local
 .mycompany.local = OBELIX.MYCOMPANY.LOCAL
 mycompany.local = OBELIX.MYCOMPANY.LOCAL
 krb4_convert = true
 krb4_get_tickets = true


The only change here was adding winbind twice.

# /etc/nsswitch.conf
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd:         compat winbind
group:          compat winbind
shadow:         compat
hosts:          files dns
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis

3. Start or restart services

/etc/init.d/samba restart
/etc/init.d/winbind restart

4. Join domain

net ads join -U administrator If this doesn’t work, check the logs in Linux (/var/log/samba/*) and Windows.

5. Test your setup

testparm to check if your smb.conf has a correct syntax.
kinit onno@MYCOMPANY.LOCAL test if kerberos works properly.
wbinfo -u should give a list of users.
wbinfo -g should give a list of groups.
getent passwd should give a list of users in the passwd style.
getent group should give a list of groups.
ls -ltr /var/log/samba gives a list of log files, sorted by time of last change.
smbclient -L <hostname> -U onno should give you a list of available shares.

If this all works properly, try to access the share (/home/onno2/Shared_Folder) from any Windows machine in the domain by using network neighbourhood.

What's next?

If all works, try setting up your favorite firewall. I like Shorewall.

how_to_join_ubuntu_samba_to_a_windows_2003_active_directory_domain.txt · Laatst gewijzigd: 2006/03/20 21:15
Recent changes RSS feed Powered by PHP Valid XHTML 1.0 Valid CSS Driven by DokuWiki
Copyright © Onno Zweers