Join a domain with winbind: preparation¶
Choosing the identity mapping backend, and planning its ranges, is the first and most important aspect of joining a domain. To actually perform the join, however, a few more configuration steps are necessary. These steps are common to both backend types, the only difference being the actual idmap configuration.
To continue, this is the minimum set of packages that are needed:
sudo apt install winbind libnss-winbind libpam-winbind
Next, it will make everything much easier if the DNS resolver is pointed at the Active Directory DNS server. If that is already the case as provided by the DHCP server, this part can be skipped.
For example, for a default netplan configuration file which looks like this:
network:
version: 2
ethernets:
eth0:
dhcp4: true
You can add a nameservers
block which will override the DNS options sent by the DHCP server. For example, if the DNS server is at 10.10.4.5
and the domain search value is example.internal
, this would be the new configuration:
network:
version: 2
ethernets:
eth0:
dhcp4: true
nameservers:
addresses: [10.10.4.5]
search: [example.internal]
To make the changes effective, first make sure there are no syntax errors:
sudo netplan generate
If there are no complaints, the changes can be applied:
sudo netplan apply
NOTE
Be careful whenever changing network parameters over an ssh connection. If there are any mistakes, you might lose remote access!
To check if the resolver was updated, run resolvectl status
:
Global
Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub
Link 281 (eth0)
Current Scopes: DNS
Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
DNS Servers: 10.10.4.5 10.10.4.1
DNS Domain: example.internal
Now we need to configure the system to also use the winbind NSS module to look for users and groups. In Ubuntu 24.04 LTS and later, this is done automatically, but for older LTS releases, edit the file /etc/nsswitch.conf
and add winbind
to the end of the passwd:
and group:
lines:
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: files systemd winbind
group: files systemd winbind
(...)
Finally, let’s enable automatic home directory creation for users as they login. Run the command:
sudo pam-auth-update --enable mkhomedir
Now we are set to perform the final winbind configuration depending on the identity mapping backend that was chosen, and actually join the domain.