Join a simple domain with the rid backend

Note:
This documentation has moved to a new home! Please update your bookmarks to the new URL for the up-to-date version of this page.

Let’s expand on the configuration we had for the rid backend and complete the /etc/samba/smb.conf configuration file with the remaining details. We are joining a single domain called EXAMPLE.INTERNAL. The new configuration options were added at the end of the [global] section:

[global]
    security = ads
    realm = EXAMPLE.INTERNAL
    workgroup = EXAMPLE

    idmap config * : backend       = tdb
    idmap config * : range         = 100000 - 199999
    idmap config EXAMPLE : backend = rid
    idmap config EXAMPLE : range   = 1000000 - 1999999

    # allow logins when the DC is unreachable
    winbind offline logon = yes
    # this *can* be yes if there is absolute certainty that there is only a
    # single domain involved
    winbind use default domain = no
    # setting these enumeration options to yes has a high performance impact
    # and can cause instabilities
    winbind enum groups = no
    winbind enum users = no
    winbind refresh tickets = yes
    # if domain users should be allowed to login, they will need a login shell
    template shell = /bin/bash
    # the home directory template for domain users
    template homedir = /home/%D/%U
    kerberos method = secrets and keytab

Right after saving /etc/samba/smb.conf, it’s always good practice to run the testparm utility. It will perform a quick syntax check on the configuration file and alert you of any issues. Here is the output we get with the above configuration settings:

Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)

Server role: ROLE_DOMAIN_MEMBER

Press enter to see a dump of your service definitions
(...)

During the domain join process, the tooling will attempt to update the DNS server with the hostname of this system. Since its IP is likely not yet registered in DNS, that’s kind of a chicken and egg problem. It helps to, beforehand, set the hostname manually to the FQDN. For this example, we will use a host named n1 in the example.internal domain:

sudo hostnamectl hostname n1.example.internal

So that the output of hostname -f (and also just hostname) is n1.example.internal.

With the config file in place and checked, and all the other changes we made in the previous section, the domain join can be performed:

$ sudo net ads join -U Administrator
Password for [EXAMPLE\Administrator]:
Using short domain name -- EXAMPLE
Joined 'N1' to dns domain 'example.internal'

You can now revert the hostnamectl change from before, and set the hostname back to the short version, i.e., n1 in this example:

sudo hostnamectl hostname n1

As the last step of the process, the winbind service must be restarted:

sudo systemctl restart winbind.service

Verifying the join

The quickest way to test the integrity of the domain join is via the wbinfo command:

$ sudo wbinfo -t
checking the trust secret for domain EXAMPLE via RPC calls succeeded

The next verification step should be to actually try to resolve an existing username from the domain. In the EXAMPLE.INTERNAL domain, for example, we have some test users we can check:

$ id [email protected]
uid=1001103(EXAMPLE\jammy) gid=1000513(EXAMPLE\domain users) groups=1000513(EXAMPLE\domain users),1001103(EXAMPLE\jammy)

Another valid syntax for domain users is prefixing the name with the domain, like this:

$ id EXAMPLE\\jammy
uid=1001103(EXAMPLE\jammy) gid=1000513(EXAMPLE\domain users) groups=1000513(EXAMPLE\domain users),1001103(EXAMPLE\jammy)

And finally, attempt a console login:

n1 login: [email protected]
Password:
Welcome to Ubuntu 24.04 LTS (GNU/Linux 6.5.0-26-generic x86_64)
(...)
Creating directory '/home/EXAMPLE/jammy'.
EXAMPLE\jammy@n1:~$

The output above also shows the automatic on-demand home directory creation, according to the template defined in /etc/samba/smb.conf.

Note:
The actual login name used can have multiple formats: DOMAIN\user at the terminal login prompt, DOMAIN\\user when referred to in shell scripts (note the escaping of the ‘\’ character), and user@domain is also accepted.

This page was last modified 4 months ago. Help improve this document in the forum.