Setting up full Windows AD support (shares and login) on Ubuntu

You will need to install Samba and Winbind, tell NSS and PAM to use Winbind, and then join the domain.

Installing stuff

This installs the necessary packages as well as some useful extras:

apt-get install ldap-utils samba winbind smbfs smbldap-tools smbclient

Configuring stuff

Samba and Winbind

This is a complete [global] section for /etc/samba/smb.conf, minus any shares:

   workgroup = MYDOMAIN
   realm =
   server string = MYHOSTNAME and its description
   wins server =
   client schannel = no
   dns proxy = no
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   security = domain
   encrypt passwords = true
   passdb backend = tdbsam
   obey pam restrictions = yes
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = yes
   map to guest = bad user
   socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   template shell = /bin/bash
   template homedir = /home/%D/%U
   template primary group = "Domain Users"
   winbind cache time = 1800
   nt acl support = Yes
   preserve case = Yes
   winbind use default domain = yes
   unix charset = ISO8859-1
   create mask = 0770
   directory mask = 0770

If you want to change the separator used between domain name and user name to something other than the default backslash, you can add this:

winbind separator = +

In /etc/nsswitch.conf you need to let the system know to ask winbind for account and group information. Add "winbind" to the lines for "passwd", "group" and "shadow":

passwd:         compat winbind
group:          compat winbind
shadow:         compat winbind


Add this to /etc/pam.d/common-auth:

auth    sufficient

Add this to /etc/pam.d/common-account:

account sufficient

Add this to /etc/pam.d/common-session:

session required
skel=/etc/skel umask=0027

Use visudo to comment out all the trash in /etc/sudoers and add this, to allow only the local admin group and the domain admins to use sudo indiscriminately:

%admin ALL=(ALL) ALL
%domain\ admins ALL=(ALL) ALL

Remember to enable PasswordAuthentication in /etc/ssh/sshd_config, since domain users log in over SSH with their AD password via PAM. Password authentication should of course stay disabled on every system where it is not needed for something like this.

Joining the domain

net rpc join member -n MYHOSTNAME -w MYDOMAIN -S -U adminuser

When all this is done, you need to restart winbind, samba and sshd (on Ubuntu the SSH init script is called ssh). Or you may want to reboot the system.

/etc/init.d/winbind restart
/etc/init.d/samba restart
/etc/init.d/ssh restart
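A post-join sanity check, added here as an example and not part of the original page: it verifies that winbind still holds a valid trust secret with the domain and that every domain user resolved through NSS was mapped into the idmap range with the template shell and home directory from the smb.conf above. The range, shell and home prefix are taken from that configuration (with MYDOMAIN standing in for %D); adjust them if you changed it.

```shell
#!/bin/sh
# Post-join sanity check for the winbind setup above (added example, not from
# the original page). Checks that domain accounts seen through NSS landed in the
# idmap range with the template shell and home directory from the smb.conf shown.

IDMAP_LOW=10000
IDMAP_HIGH=20000
TEMPLATE_SHELL=/bin/bash
HOME_PREFIX=/home/MYDOMAIN   # template homedir = /home/%D/%U, with %D = MYDOMAIN

# in_range N: succeeds if N is a number inside the idmap range
in_range() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge "$IDMAP_LOW" ] && [ "$1" -le "$IDMAP_HIGH" ]
}

# check_passwd_entry LINE: succeeds if the passwd(5) line looks like a correctly
# mapped domain account; otherwise prints the reason to stderr and fails
check_passwd_entry() {
    IFS=: read -r user pw uid gid gecos home shell <<EOF
$1
EOF
    if ! in_range "$uid"; then
        echo "$user: uid '$uid' outside idmap range $IDMAP_LOW-$IDMAP_HIGH" >&2; return 1
    fi
    if ! in_range "$gid"; then
        echo "$user: gid '$gid' outside idmap range $IDMAP_LOW-$IDMAP_HIGH" >&2; return 1
    fi
    if [ "$shell" != "$TEMPLATE_SHELL" ]; then
        echo "$user: shell '$shell' is not the template shell $TEMPLATE_SHELL" >&2; return 1
    fi
    case "$home" in
        "$HOME_PREFIX"/*) return 0 ;;
        *) echo "$user: home '$home' is not under $HOME_PREFIX" >&2; return 1 ;;
    esac
}

# live_check: on the joined host, verify the machine trust secret with the DC,
# then resolve every user winbind knows through NSS and check its mapping
live_check() {
    wbinfo -t || { echo "winbind cannot validate the domain trust secret" >&2; return 1; }
    for u in $(wbinfo -u); do
        entry=$(getent passwd "$u") || { echo "$u: not resolvable via NSS" >&2; return 1; }
        check_passwd_entry "$entry" || return 1
    done
}

# Only talk to winbind when asked with --live, so the checks stay usable offline
if [ "${1:-}" = "--live" ]; then live_check; fi
```

Run it as `sh check-join.sh --live` on the joined host after the restarts; a non-zero exit with a reason on stderr points at the idmap, template or trust problem to fix.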