Integrate Ubuntu 22.04 with Active Directory using Winbind

From Notes_Wiki



Integrate Ubuntu with Active Directory Using Winbind

Note: These steps are tested and verified to work on Ubuntu 22.04 and 24.04.

Set Primary DNS to AD Server

Configure your network interface to use the AD server as the primary DNS:

nmcli connection modify "<connection-name>" ipv4.dns "<ad-server-ip> 8.8.8.8"
nmcli connection modify "<connection-name>" ipv4.ignore-auto-dns yes
nmcli connection down "<connection-name>"
nmcli connection up "<connection-name>"
  • Replace <connection-name> with your network connection name (e.g. Wired connection 1).
  • Replace <ad-server-ip> with your AD DNS server IP.
  • The second entry (8.8.8.8) is only a fallback. A public resolver cannot answer the _ldap._tcp and _kerberos._tcp SRV queries that domain discovery relies on, so if the AD DNS server is unreachable the join and AD logins fail rather than fall back. Where a second domain controller exists, use it as the secondary DNS instead.

Verify with:

nmcli device show <interface-name> | grep IP4.DNS
  • Replace <interface-name> with your interface name (e.g. ens18). resolvectl status <interface-name> shows the same servers as seen by systemd-resolved, which is what the Samba tools actually query.

Alternatively, on netplan-managed systems (Ubuntu Server without NetworkManager), set the nameservers in your netplan file, e.g. /etc/netplan/01-netcfg.yaml, and apply with:

sudo netplan apply

Set Hostname

Set the fully qualified name in /etc/hostname (hostnamectl set-hostname <hostname>.<domain> writes it for you):

<hostname>.<domain>

Example:

gbb-laptop1.gbb.local

The short name (<hostname>) becomes the computer account name in AD. NetBIOS names are limited to 15 characters, so keep it that short.

Edit /etc/hosts and add the FQDN first, then the short name, on the 127.0.1.1 line:

127.0.1.1   <hostname>.<domain> <hostname>

Example:

127.0.1.1   gbb-laptop1.gbb.local gbb-laptop1

Install Required Packages

Install Winbind, the NSS/PAM modules and the Kerberos client tools. krb5-user asks for the default realm during installation; answer with the AD domain in uppercase (it can be corrected in /etc/krb5.conf afterwards):

sudo apt update -y
sudo apt install samba winbind libpam-winbind libnss-winbind krb5-user -y

Configure Kerberos

Edit /etc/krb5.conf:

[libdefaults]
    default_realm = <DOMAIN>
    dns_lookup_realm = false
    dns_lookup_kdc = true
  • Replace <DOMAIN> with the Kerberos realm: your AD DNS domain in uppercase (e.g. GBB.LOCAL). With dns_lookup_kdc = true the KDCs are located through the _kerberos._tcp SRV records, which is why the domain controller must be the primary DNS server.

Configure Samba for AD Integration

Edit /etc/samba/smb.conf:

[global]
   workgroup = <WORKGROUP>
   security = ads
   realm = <DOMAIN>
   winbind use default domain = yes
   winbind offline logon = yes
   winbind cache time = 300
   winbind request timeout = 3
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config <WORKGROUP> : backend = rid
   idmap config <WORKGROUP> : range = 10000-999999
   template shell = /bin/bash
   template homedir = /home/%U
   lock directory = /var/cache/samba/
  • <WORKGROUP> is the NetBIOS domain name, normally the first label of the DNS domain in uppercase (GBB for gbb.local), not the full DNS name. If in doubt, net ads lookup reports it as "Pre-Win2k Domain".
  • <DOMAIN> is the Kerberos realm, i.e. the AD DNS domain in uppercase (GBB.LOCAL), the same value as in /etc/krb5.conf.
  • The rid backend derives each UID/GID from the account's RID (range start plus RID), so the mapping is deterministic: use the same <WORKGROUP> range on every joined host and file ownership stays consistent across machines. The * range only receives SIDs from outside the domain (BUILTIN and the like) and must not overlap the rid range or the local UID range.
  • winbind use default domain = yes lets users log in as jdoe rather than GBB\jdoe. Local accounts are looked up first, so a local user with the same name as an AD user shadows it.
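The settings above depend on two names that are easy to confuse (realm versus NetBIOS workgroup) and on two idmap ranges that must not overlap. The script below is an added example, not part of the Notes_Wiki page: it derives the realm and workgroup from the DNS domain name, renders the [global] section with the settings listed above, and refuses ranges that overlap. It assumes the NetBIOS domain name is the first DNS label in uppercase, which is the AD default; the domain gbb.local, the script name and the --render option are the example's own.

```shell
#!/bin/sh
# Added example (not from the Notes_Wiki page): derive realm/workgroup from the
# AD DNS domain and sanity-check the idmap ranges before writing smb.conf.
# Assumption: the NetBIOS domain name is the first DNS label in uppercase,
# the AD default; confirm with `net ads lookup` if the forest differs.

# Kerberos realm: the DNS domain in uppercase (gbb.local -> GBB.LOCAL).
realm_from_domain() {
    printf '%s' "$1" | tr '[:lower:]' '[:upper:]'
}

# NetBIOS workgroup: first DNS label in uppercase (gbb.local -> GBB).
workgroup_from_domain() {
    printf '%s' "${1%%.*}" | tr '[:lower:]' '[:upper:]'
}

# Render the [global] section with the page's settings. The ranges are
# parameters so the same values can be reused unchanged on every joined host.
render_smb_global() {
    domain=$1
    default_lo=${2:-3000}  default_hi=${3:-7999}
    rid_lo=${4:-10000}     rid_hi=${5:-999999}
    realm=$(realm_from_domain "$domain")
    workgroup=$(workgroup_from_domain "$domain")
    cat <<EOF
[global]
   workgroup = $workgroup
   security = ads
   realm = $realm
   winbind use default domain = yes
   winbind offline logon = yes
   winbind cache time = 300
   winbind request timeout = 3
   idmap config * : backend = tdb
   idmap config * : range = $default_lo-$default_hi
   idmap config $workgroup : backend = rid
   idmap config $workgroup : range = $rid_lo-$rid_hi
   template shell = /bin/bash
   template homedir = /home/%U
   lock directory = /var/cache/samba/
EOF
}

# 0 if both ranges are ordered and disjoint, 1 otherwise.
ranges_disjoint() {
    [ "$1" -le "$2" ] && [ "$3" -le "$4" ] || return 1
    [ "$2" -lt "$3" ] || [ "$4" -lt "$1" ]
}

# Pull the two "idmap config ... : range = lo-hi" lines out of a rendered
# config and check them. Exit status: 0 ok, 1 overlap/unordered, 2 not found.
check_idmap_ranges() {
    set -- $(printf '%s\n' "$1" | \
        sed -n 's/^ *idmap config [^:]*: *range *= *\([0-9]*\)-\([0-9]*\).*/\1 \2/p')
    [ $# -eq 4 ] || return 2
    ranges_disjoint "$1" "$2" "$3" "$4"
}

# Usage: ./smbconf.sh --render gbb.local [default_lo default_hi rid_lo rid_hi] > smb.conf
if [ "${1:-}" = "--render" ]; then
    shift
    conf=$(render_smb_global "$@")
    check_idmap_ranges "$conf" || { echo "idmap ranges overlap or are missing" >&2; exit 1; }
    printf '%s\n' "$conf"
fi
```

Run the rendered output through testparm -s before installing it; testparm parses the file with the same code as smbd and reports unknown parameters, which catches typos in option names that this script does not check.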

Join Ubuntu to the AD Domain

sudo net ads join -U <administrator>
  • Replace <administrator> with an AD account that is allowed to join computers to the domain. You are prompted for its password; it is used once to create the computer account and is not stored, only the machine account secret ends up in /var/lib/samba/private/secrets.tdb. Verify the join with sudo net ads testjoin, which prints "Join is OK".

NSS and PAM Configuration

Edit /etc/nsswitch.conf and append winbind to the passwd and group lines, keeping the entries already there (Ubuntu 22.04 ships files systemd; dropping systemd breaks lookups for services that use DynamicUser=):

passwd:         files systemd winbind
group:          files systemd winbind

Enable Home Directory Creation for AD Users

Run:

sudo pam-auth-update --enable mkhomedir

This enables the mkhomedir profile (pam_mkhomedir) alongside the winbind profile that the libpam-winbind package registered. If the profile dialog is shown, make sure both of these are ticked:

  • Winbind NT/Active Directory authentication
  • Create home directory on login

Restart Services

sudo systemctl restart smbd nmbd winbind

Check that an AD user resolves through NSS:

getent passwd <ad-username>
  • Replace <ad-username> with an AD username to test. Query the name directly: a bare getent passwd lists only local accounts unless winbind enum users = yes is set, so piping it through grep finds nothing even on a working setup.
  • The UID and GID shown should lie inside the <WORKGROUP> idmap range (10000-999999 above), and the shell and home directory should match the template settings. A UID in the 3000-7999 range means the SID was allocated from the tdb catch-all rather than the rid mapping.
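The join step and the getent check above only tell you that the machine account exists and that a name resolves. The script below is an added example, not from the Notes_Wiki page: it validates a passwd entry against the rid range and template settings from the smb.conf above (a UID outside 10000-999999 or a wrong shell or home is reported with a distinct exit code), converts a UID back to the account's RID so it can be compared with the SID that wbinfo -n reports, and, when run as ./check-join.sh --live <ad-username>, runs the live checks (net ads testjoin, wbinfo -t, wbinfo -u, getent, id). The sample entry for jdoe is constructed; the script name and the --live option are the example's own.

```shell
#!/bin/sh
# Added example (not from the Notes_Wiki page): post-join checks for the
# winbind + rid idmap setup configured above. The sample passwd line is constructed.

RID_LO=10000            # idmap config <WORKGROUP> : range = 10000-999999
RID_HI=999999
TEMPLATE_SHELL=/bin/bash
TEMPLATE_HOME=/home     # template homedir = /home/%U

# The rid backend maps id = range_low + RID (base_rid defaults to 0), so the
# RID is recoverable from a UID/GID. 513 is the well-known RID of Domain Users.
id_to_rid() {
    echo $(( $1 - ${2:-$RID_LO} ))
}

# Validate one "name:pw:uid:gid:gecos:home:shell" line from getent passwd.
# Exit status: 0 ok; 1 uid outside the rid range (local account, or a SID that
# fell into the tdb catch-all); 2 gid outside it; 3 shell differs from
# template shell; 4 home differs from template homedir.
check_passwd_entry() {
    lo=${2:-$RID_LO} hi=${3:-$RID_HI}
    IFS=: read -r name _pw uid gid _gecos home shell <<EOF
$1
EOF
    [ "$uid" -ge "$lo" ] && [ "$uid" -le "$hi" ] || return 1
    [ "$gid" -ge "$lo" ] && [ "$gid" -le "$hi" ] || return 2
    [ "$shell" = "$TEMPLATE_SHELL" ] || return 3
    [ "$home" = "$TEMPLATE_HOME/$name" ] || return 4
    return 0
}

# Live checks against the domain; only run when asked for explicitly.
live_checks() {
    user=$1
    net ads testjoin || return 1   # prints "Join is OK" on success
    wbinfo -t        || return 1   # verifies the machine trust secret
    echo "== first AD users via winbind (wbinfo -u works without enum users):"
    wbinfo -u | head -n 5
    # Query by name: a bare getent passwd does not enumerate AD users.
    entry=$(getent passwd "$user") || { echo "no passwd entry for $user" >&2; return 1; }
    echo "$entry"
    id "$user"
    check_passwd_entry "$entry"; rc=$?
    case $rc in
        0) echo "ok: uid/gid in rid range, template shell and homedir applied" ;;
        1) echo "uid outside the rid range: local account or tdb catch-all mapping" >&2 ;;
        2) echo "primary gid outside the rid range" >&2 ;;
        3) echo "shell does not match template shell" >&2 ;;
        4) echo "home does not match template homedir" >&2 ;;
    esac
    uid=$(echo "$entry" | cut -d: -f3)
    echo "uid $uid -> RID $(id_to_rid "$uid") (should equal the last component of: wbinfo -n $user)"
    return $rc
}

# Constructed sample: user RID 1105, primary group Domain Users (RID 513).
SAMPLE_AD_ENTRY='jdoe:*:11105:10513:John Doe:/home/jdoe:/bin/bash'

# Usage: ./check-join.sh --live <ad-username>
if [ "${1:-}" = "--live" ] && [ -n "${2:-}" ]; then
    live_checks "$2"
fi
```

The RID round-trip is the useful part: because the rid backend is arithmetic rather than allocated, the UID for jdoe must be the same on every host that uses the same range, and a different value on one machine points at a different <WORKGROUP> range in its smb.conf, not at a winbind cache problem.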

Enable Winbind 10-Day Offline Logon Cache

Samba Configuration for Offline Logon

In /etc/samba/smb.conf under [global], set:

winbind offline logon = yes
winbind cache time = 864000
winbind refresh tickets = true
  • 864000 seconds = 10 days.

Configure PAM Winbind for Cached Login

Create or edit /etc/security/pam_winbind.conf.

[global]
  cached_login = yes

Ensure PAM Configuration for Cached Logins

In /etc/pam.d/common-auth, ensure the pam_winbind line carries these options. pam-auth-update regenerates the common-* files and discards manual edits, so either add the options to the winbind profile under /usr/share/pam-configs/ or put the equivalent keys (krb5_auth = yes, krb5_ccache_type = FILE, cached_login = yes) under [global] in /etc/security/pam_winbind.conf, which survives regeneration:

auth    [success=1 default=ignore]      pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass

Update NSS Configuration

In /etc/nsswitch.conf, winbind must still be present on both lines (keep the existing entries):

passwd:         files systemd winbind
group:          files systemd winbind

Restart Winbind and Samba Services

sudo systemctl restart winbind smbd nmbd

How Offline Logon Works

  • Credentials are cached only for users who have logged in at least once while the domain controller was reachable; a user who has never logged in on this machine cannot log in offline.
  • While offline, those users can still log in for the lifetime of the cache (10 days here). Password changes or account lockouts made on the DC in the meantime are not seen until the machine is back online, so treat the cache as a laptop convenience, not as a revocation mechanism.

Set NTP to Use AD Server

Point the NTP client at your domain controller so the system clock stays in step with the domain. Kerberos rejects tickets and authenticators whose timestamp is more than 5 minutes off (the default clockskew), so a drifting clock shows up as failed logins and failed joins.

Edit /etc/systemd/timesyncd.conf. (If chrony is installed, as it is by default on Ubuntu Server, it replaces timesyncd; point it at the domain controller in /etc/chrony/chrony.conf instead.)

[Time]
NTP=<ad-server-ip>
FallbackNTP=ntp.ubuntu.com

Restart and verify:

sudo systemctl restart systemd-timesyncd
timedatectl show-timesync --all

You should see ServerName=<ad-server-ip> in the output.

