Ubuntu 16.04 Winbind and Active Directory

Official SSSD and Active Directory guide doesn’t work. It is hard to find what’s wrong. Using Winbind works well.


sudo apt install winbind samba
sudo apt install cups-common python-crypto-dbg python-crypto-doc bind9 bind9utils ctdb ldb-tools ntp smbldap-tools heimdal-clients libnss-winbind libpam-winbind


sudo vi /etc/samba/smb.conf

## Browsing/Identification ###

# Change this to the workgroup/NT-domain name your Samba server will part of
#   workgroup = GROUP

# server string is the equivalent of the NT Description field
  server string = %h server (Samba, Ubuntu)

        security = ads
        realm = MYDOMAIN.COM
# If the system doesn't find the domain controller automatically, you may need the following line
#        password server =
# note that workgroup is the 'short' domain name
        workgroup = MYDOMAIN
#       winbind separator = +
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind enum users = yes
        winbind enum groups = yes
        template homedir = /home/%D/%U
        template shell = /bin/bash
        client use spnego = yes
        client ntlmv2 auth = yes
        encrypt passwords = yes
        winbind use default domain = yes
        restrict anonymous = 2

Restart services:

sudo service winbind stop
sudo service samba-ad-dc restart
sudo service winbind start

Join the AD (see “net ads help”):

sudo kinit Admin@MYDOMAIN.COM
# check klist
sudo klist
# join (ignore the dns error messages)
sudo net ads join -k

sudo net ads join -U Admin@MYDOMAIN.COM

Setup Authentication

sudo vi /etc/nsswitch.conf


passwd:         compat winbind
group:          compat winbind
shadow:         compat

Restart Winbind

sudo service winbind restart

PAM Configuration

sudo pam-auth-update

Create Home directory

sudo mkdir /home/MYDOMAIN

Add sudo users

sudo vi /etc/sudoers.d/MYDOMAIN


# replace adgroup as real domain group name
%adgroup        ALL=(ALL) NOPASSWD: ALL


wbinfo -u
wbinfo -g

Login as a domain user and enjoy…

Dns command, primary DNS server in domain

To change DNS from command line: dnscmd

List all A type records:

> dnscmd <dns-server> /EnumRecords <your domain> . /type A

Add a A type record:

> dnscmd <dns-server> /RecordAdd <your domain> docker01 A

More information for dnscmd:

> dnscmd /help

Set the primary DNS server in domain and auto update other DNS servers. Assume the primary DNS server is dns.my.ads.


Configuring NTP on Windows Server 2012

Original: http://www.sysadminlab.net/windows/configuring-ntp-on-windows-server-2012

Run using PowerShell as Administrator:

w32tm /config /manualpeerlist:pool.ntp.org /syncfromflags:MANUAL
Stop-Service w32time
Start-Service w32time

Check status:

w32tm /query /status

Force a resnyc

w32tm /resync

Start from scratch:

Stop-Service w32time
w32tm /unregister
w32tm /register

Promote Windows 2012 R2 Domain Controller as a Primary DC

Run operations on the new Domain Controller server.

Server manager → Tools → Active directory Domains and Trusts


Click right button on Root (Active Directory Domains and Trusts [win2012 server name]) → Operations Master → Change… → close


Server manager → Tools → Active Directory Users and Computers

Click right button on the domain name → Operations master … → RIP tab → Chage … → PDC tab → Change… → Infrasturcture → Change… —> Close


Start → Command Prompt (Admin) → regsvr32 schmmgmt.dll

regsvr32 schmmgmt.dll

mmc → File → Add/Remove Snap-in … → Add “Active Directory Schema” → OK


right click “Active Directory Schema” → Change Active Directory Domain Controller → Choose win2012 server (cc-dc2.cc01.adlan)



 right click “Active Directory Schema [cc-dc2.cc01.adlan]” → Operations Master … → Change… → Close


Check status in command prompt window (example output. Win2012 server name is CC-DC2.cc01.adlan):

> netdom query fsmo
Schema master				CC-DC2.cc01.adlan
Domain naming master			CC-DC2.cc01.adlan
PDC					CC-DC2.cc01.adlan
RID pool manager			CC-DC2.cc01.adlan
Infrastructure master		        CC-DC2.cc01.adlan