Your submission was sent successfully! Close

Thank you for contacting us. A member of our team will be in touch shortly. Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

Join a domain with winbind: preparation

Note:
This documentation has moved to a new home! Please update your bookmarks to the new URL for the up-to-date version of this page.

Choosing the identity mapping backend, and planning its ranges, is the first and most important aspect of joining a domain. To actually perform the join, however, a few more configuration steps are necessary. These steps are common to both backend types, the only difference being the actual idmap configuration.

To continue, this is the minimum set of packages that are needed:

sudo apt install winbind libnss-winbind libpam-winbind

Next, it will make everything much easier if the DNS resolver is pointed at the Active Directory DNS server. If that is already the case as provided by the DHCP server, this part can be skipped.

For example, for a default netplan configuration file which looks like this:

    network:
    version: 2
    ethernets:
        eth0:
            dhcp4: true

You can add a nameservers block which will override the DNS options sent by the DHCP server. For example, if the DNS server is at 10.10.4.5 and the domain search value is example.internal, this would be the new configuration:

    network:
    version: 2
    ethernets:
        eth0:
            dhcp4: true
            nameservers:
                addresses: [10.10.4.5]
                search: [example.internal]

To make the changes effective, first make sure there are no syntax errors:

sudo netplan generate

If there are no complaints, the changes can be applied:

sudo netplan apply

NOTE

Be careful whenever changing network parameters over an ssh connection. If there are any mistakes, you might lose remote access!

To check if the resolver was updated, run resolvectl status:

Global
         Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
  resolv.conf mode: stub

Link 281 (eth0)
    Current Scopes: DNS
         Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
       DNS Servers: 10.10.4.5 10.10.4.1
        DNS Domain: example.internal

Now we need to configure the system to also use the winbind NSS module to look for users and groups. In Ubuntu 24.04 LTS and later, this is done automatically, but for older LTS releases, edit the file /etc/nsswitch.conf and add winbind to the end of the passwd: and group: lines:

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files systemd winbind
group:          files systemd winbind
(...)

Finally, let’s enable automatic home directory creation for users as they login. Run the command:

sudo pam-auth-update --enable mkhomedir

Now we are set to perform the final winbind configuration depending on the identity mapping backend that was chosen, and actually join the domain.

Previous Legacy pages: OpenLDAP backend Next Join a simple domain with the rid backend

This page was last modified 2 months ago. Help improve this document in the forum.