Join a domain with winbind: preparation

Choosing the identity mapping backend, and planning its ranges, is the first and most important aspect of joining a domain. To actually perform the join, however, a few more configuration steps are necessary. These steps are common to both backend types, the only difference being the actual idmap configuration.

To continue, this is the minimum set of packages that are needed:

sudo apt install winbind libnss-winbind libpam-winbind

Next, it will make everything much easier if the DNS resolver is pointed at the Active Directory DNS server. If that is already the case as provided by the DHCP server, this part can be skipped.

For example, for a default netplan configuration file which looks like this:

    network:
    version: 2
    ethernets:
        eth0:
            dhcp4: true

You can add a nameservers block which will override the DNS options sent by the DHCP server. For example, if the DNS server is at 10.10.4.5 and the domain search value is example.internal, this would be the new configuration:

    network:
    version: 2
    ethernets:
        eth0:
            dhcp4: true
            nameservers:
                addresses: [10.10.4.5]
                search: [example.internal]

To make the changes effective, first make sure there are no syntax errors:

sudo netplan generate

If there are no complaints, the changes can be applied:

sudo netplan apply

NOTE

Be careful whenever changing network parameters over an ssh connection. If there are any mistakes, you might lose remote access!

To check if the resolver was updated, run resolvectl status:

Global
         Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
  resolv.conf mode: stub

Link 281 (eth0)
    Current Scopes: DNS
         Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
       DNS Servers: 10.10.4.5 10.10.4.1
        DNS Domain: example.internal

Now we need to configure the system to also use the winbind NSS module to look for users and groups. In Ubuntu 24.04 LTS and later, this is done automatically, but for older LTS releases, edit the file /etc/nsswitch.conf and add winbind to the end of the passwd: and group: lines:

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files systemd winbind
group:          files systemd winbind
(...)

Finally, let’s enable automatic home directory creation for users as they login. Run the command:

sudo pam-auth-update --enable mkhomedir

Now we are set to perform the final winbind configuration depending on the identity mapping backend that was chosen, and actually join the domain.