Joining Ubuntu 7.04 Feisty to a Windows 2003 Domain
This page is a step-by-step walkthrough of how I joined my fresh install of 7.04 Feisty to my Windows 2003 domain. I'll use standard placeholders as follows:
Placeholder                   | Value
FQDN of the Domain Controller | domain-controller.domain.local
Domain Controller IP          | 192.168.0.2
Domain short NETBIOS name     | shortname
Computer name being joined    | computer-name
DC Administrator login        | Administrator
DC Administrator password     | password
Substitute your own values, paying attention to capitalization, as it can screw things up.
Preparation
Enable root by setting the root password. This is bad for security, yes, but essential if you get to the point where you can't log in (which is quite possible, since we'll be messing with PAM).
sudo passwd root
Password: <enter your current account password here>
Enter new UNIX password: <enter desired root password here>
Retype new UNIX password: <retype it here>
passwd: password updated successfully
Set up your network settings. Go to System->Administration->Networking, and enter the following values:
- General
  Hostname: computer-name
  Domain name: <blank>
- DNS
  DNS Servers: 192.168.0.2
  Search Domains: domain.local
- Hosts
  Delete any existing entries and add these two:
  - Your Machine:
    IP Address: 127.0.0.1
    Aliases: computer-name.domain.local computer-name
  - Server:
    IP Address: 192.168.0.2
    Aliases: domain-controller.domain.local domain-controller
Now, save those settings as something sensible like JoinDomain. They have a tendency to run away when you connect to other networks and such, so if you save them, you can reinstate them by just selecting the corresponding preset from the dropdown and clicking the button with the check on it.
SADMS
SADMS is your friend when it comes to joining domains. It may be confusing, but it's a whole lot better than trying to figure out which files to modify how. So, first step is to download SADMS.
Download and install the samba package through Synaptic. This is required for SADMS.
Download SADMS - fortunately, they have a .deb file on the SourceForge page, available here, that will take care of any other dependencies. Download the tarball and drill down to sadms-2.0.11/debian, where you'll find a deb file. Extract it somewhere useful and run it; it should install itself fairly easily.
For some reason, SADMS omitted a space in its menu launchers, which breaks them. You can edit them through the GUI, but because the GUI is miserably slow I chose to edit the launchers in a root gedit by pasting the following into a terminal:
sudo gedit /usr/share/applications/sadms.desktop /usr/share/applications/sadms-fsacls.desktop /usr/share/applications/sadms-globs.desktop /usr/share/applications/sadms-users.desktop /usr/share/applications/sadms-share.desktop /usr/share/applications/sadms-shares.desktop
Either way, just change each launcher target so that it reads gksu /usr/local/bin/sadms-whatever, i.e. add a space after gksu.
- Now, launch SADMS. You should have checks for the bottom three options. Go to the Data tab and fill in the following:
  Field                         | Value
  DNS                           | domain.local
  realm                         | DOMAIN.LOCAL
  kdc                           | domain-controller
  Netbios domain name           | SHORTNAME
  Netbios server name           | computer-name
  Domain users group            | Domain Users
  Hosts allow                   | 192.168.0.0/255.255.255.0
  OU to place host in           | Computers
  WINS server                   | <leave empty>
  Domain administrator login    | Administrator
  Domain administrator password | password
If you want to, you can save these in a file instead (the SADMS save function doesn't seem to work): open a root gedit (with sudo gedit /usr/local/lib/sadms-2.0.11/settings/domain.sadms) and paste the following (again with your info filled in):
realm=DOMAIN.LOCAL
dns=domain.local
kdc=domain-controller
domain=SHORTNAME
server=computer-name
hostOu=Computers
administrator=Administrator
administratorPassword=
users=Domain Users
hostsAllow=192.168.0.0/255.255.255.0
winsServer=
You can then save this in /usr/local/lib/sadms-2.0.11/settings/domain.sadms. You'll probably actually have to save it somewhere else and then sudo cp domain.sadms /usr/local/lib/sadms-2.0.11/settings/, since you need root permissions to write there. You'll note I left the password blank; storing your admin password in a plaintext file is probably a Bad Idea (tm).
- Click the "Validate" button. Everything should light up green except for the option WINS server.
- Make sure everything works by running all the tests in the Diagnostics menu (DNS, Network and Kerberos are the most important to make sure things are right). If you get errors, try the following:
  - Double-triple-check all your settings. Make sure you haven't used two different domain names or computer names in two different places - it's a common mistake.
  - Make sure you can ping the server (ping 192.168.0.2). If not, try disabling and re-enabling networking, and make sure DHCP and DNS are set up properly on the server. Also make sure your network settings are still intact (see above).
  - If you're sure everything is as it should be, Google your errors and see if you can resolve them. This may take some doing and some luck.
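As an added check for the "double-triple-check your settings" step (an example script written for this page, not part of the original guide or of SADMS), the following reads a domain.sadms-style key=value file and reports the mismatches this walkthrough warns about: a realm that is not the upper-cased DNS name, a NETBIOS domain name left in lower case, a server name that differs from the machine's hostname, an administrator password stored in the file, and a settings file readable by other users. The settings path, the optional expected-hostname argument and the two sample files it can write are assumptions and constructed data, not values taken from a real system.

```shell
#!/bin/sh
# Added example (not from the original page or from SADMS): sanity-check a
# SADMS settings file before clicking "Validate".
#
# Usage: check_sadms_settings <settings file> [expected hostname]
# Prints one line per problem and returns 1 if any was found, 0 otherwise.

# Read one key from a key=value file (first match, everything after '=').
sadms_get() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

upper() {
    printf '%s' "$1" | tr '[:lower:]' '[:upper:]'
}

check_sadms_settings() {
    file=$1
    expected_host=${2:-$(hostname)}
    problems=0

    [ -r "$file" ] || { echo "cannot read $file"; return 1; }

    realm=$(sadms_get "$file" realm)
    dns=$(sadms_get "$file" dns)
    domain=$(sadms_get "$file" domain)
    server=$(sadms_get "$file" server)
    password=$(sadms_get "$file" administratorPassword)

    # The guide uses realm == upper-cased DNS name (DOMAIN.LOCAL vs domain.local).
    if [ "$realm" != "$(upper "$dns")" ]; then
        echo "realm '$realm' does not match upper-cased dns '$dns'"
        problems=$((problems + 1))
    fi
    # The guide writes the NETBIOS domain name in upper case and stresses capitalization.
    if [ "$domain" != "$(upper "$domain")" ]; then
        echo "domain '$domain' should be the upper-case NETBIOS name"
        problems=$((problems + 1))
    fi
    # The server entry must be the same computer name used in the network settings.
    if [ "$server" != "$expected_host" ]; then
        echo "server '$server' does not match hostname '$expected_host'"
        problems=$((problems + 1))
    fi
    # A plaintext admin password in this file is what the guide calls a Bad Idea.
    if [ -n "$password" ]; then
        echo "administratorPassword is stored in plain text; clear it"
        problems=$((problems + 1))
    fi
    # The file lives under /usr/local/lib; make sure other users cannot read it.
    if [ "$(ls -ld "$file" | cut -c8-10)" != "---" ]; then
        echo "$file is accessible to other users; chmod 600 it"
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ] && echo "OK: no problems found in $file"
    [ "$problems" -eq 0 ]
}

# Write a constructed sample file (good or bad) in the layout the guide shows.
write_sample_settings() {
    case $2 in
        good) cat > "$1" <<'EOF'
realm=DOMAIN.LOCAL
dns=domain.local
kdc=domain-controller
domain=SHORTNAME
server=computer-name
hostOu=Computers
administrator=Administrator
administratorPassword=
users=Domain Users
hostsAllow=192.168.0.0/255.255.255.0
winsServer=
EOF
        ;;
        bad) cat > "$1" <<'EOF'
realm=domain.local
dns=domain.local
kdc=domain-controller
domain=shortname
server=some-other-pc
hostOu=Computers
administrator=Administrator
administratorPassword=password
users=Domain Users
hostsAllow=192.168.0.0/255.255.255.0
winsServer=
EOF
        ;;
    esac
}

# Run directly: ./check_sadms.sh /usr/local/lib/sadms-2.0.11/settings/domain.sadms
if [ "$#" -gt 0 ]; then
    check_sadms_settings "$@"
fi
```

Run it against your real settings file before clicking Validate; the good/bad sample writers exist only so the checks can be exercised without a domain around.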
Cross your fingers, hold your breath, and click the "Install" button. Go to the Output tab to watch it go, and watch for errors. If there are none, then go ahead and uncheck the "Test only" item in the PAM menu and click "Install PAM". IMPORTANT: Make sure you have activated the root login as detailed above. As noted above, messing with PAM can really screw stuff up if something goes awry. Note: I'm not sure yet what to put in the Home Server and Home Share boxes; that part isn't working for me yet. It won't, however, affect your ability to log in.
Assuming you've gotten this far, you should be able to run sudo su at the command prompt followed by the login command. If all went well, you should be able to log in with a domain account, both here and at the gdm (graphical login prompt).
If the domain join drops off after a reboot, try replacing your /etc/init.d/samba script. Open it in a root gedit with sudo gedit /etc/init.d/samba and first save a copy as something like samba.bkup. Then paste the following, replacing the whole file:
#!/bin/sh
#
# chkconfig: - 91 35
# description: Starts and stops the Samba smbd and nmbd daemons \
#              used to provide SMB network services.
#
# pidfile: /var/run/samba/smbd.pid
# pidfile: /var/run/samba/nmbd.pid
# config:  /etc/samba/smb.conf

# Source function library.
if [ -f /etc/init.d/functions ] ; then
    . /etc/init.d/functions
elif [ -f /etc/rc.d/init.d/functions ] ; then
    . /etc/rc.d/init.d/functions
else
    exit 0
fi

# Avoid using root's TMPDIR
unset TMPDIR

# Source networking configuration.
. /etc/sysconfig/network

if [ -f /etc/sysconfig/samba ]; then
    . /etc/sysconfig/samba
fi

# Check that networking is up.
[ "${NETWORKING}" = "no" ] && exit 0

# Check that smb.conf exists.
[ -f /etc/samba/smb.conf ] || exit 0

RETVAL=0
SMBHOME="/usr/local/samba/sbin"

start() {
    KIND="SMB"
    echo -n $"Starting $KIND services: "
    daemon $SMBHOME/smbd $SMBDOPTIONS
    RETVAL=$?
    echo
    KIND="NMB"
    echo -n $"Starting $KIND services: "
    daemon $SMBHOME/nmbd $NMBDOPTIONS
    RETVAL2=$?
    echo
    KIND="Winbind"
    echo -n $"Starting $KIND services: "
    daemon $SMBHOME/winbindd
    RETVAL3=$?
    echo
    # Only mark the service as up if all three daemons started.
    [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] && touch /var/lock/subsys/smb || \
        RETVAL=1
    return $RETVAL
}

stop() {
    KIND="SMB"
    echo -n $"Shutting down $KIND services: "
    killproc smbd
    RETVAL=$?
    echo
    KIND="NMB"
    echo -n $"Shutting down $KIND services: "
    killproc nmbd
    RETVAL2=$?
    echo
    KIND="Winbind"
    echo -n $"Shutting down $KIND services: "
    killproc winbindd
    RETVAL3=$?
    [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] && rm -f /var/lock/subsys/smb
    echo ""
    return $RETVAL
}

restart() {
    stop
    start
}

reload() {
    echo -n $"Reloading smb.conf file: "
    killproc smbd -HUP
    RETVAL=$?
    echo
    return $RETVAL
}

rhstatus() {
    status smbd
    status nmbd
    status winbindd
}

# Allow status as non-root.
if [ "$1" = status ]; then
    rhstatus
    exit $?
fi

# Check that we can write to it... so non-root users stop here
[ -w /etc/samba/smb.conf ] || exit 0

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        restart
        ;;
    reload)
        reload
        ;;
    status)
        rhstatus
        ;;
    condrestart)
        [ -f /var/lock/subsys/smb ] && restart || :
        ;;
    *)
        echo $"Usage: $0 {start|stop|restart|reload|status|condrestart}"
        exit 1
esac

exit $?
and save it as samba, overwriting the old file. This fixed the issue for me, and I haven't noticed any adverse effects.
If ever you need to re-join the domain, you can do so by issuing the following commands on the command line:
kinit Administrator@DOMAIN.LOCAL
net ads join -UAdministrator@DOMAIN.LOCAL
Some more ways to test your join are by listing the domain users and groups using wbinfo or SADMS. With wbinfo, just issue the following commands on a command line to make sure you are properly connected to the domain:
wbinfo -u
wbinfo -g
References
These are some of the main resources that were helpful in the process, and in writing this guide:
HOWTO: NT Domain Authentication on the Ubuntu Forums
ActiveDirectoryWinbindHowto from this wiki
Howto posting with the /etc/init.d/samba file that I used