We’re on the domain!
I finally got my Ubuntu 5.10 workstation to authenticate on the Active Directory domain at work. Once I finally saw what I was doing wrong, I slapped myself on the forehead just like I said I would in a previous post. The problem was with the winbind separator.
I wiped out the installation that was on the test system and reloaded Ubuntu using one of the free CDs they sent me (thanks Ubuntu team). The first thing I did, once the system was running, was to install all the updates and the following components with any required dependencies:
samba
winbind
krb5-user
libpam-krb5 (PAM module for kerberos)
If you use the Synaptic Package Manager, you will need to add the Universe repository in order to get winbind and krb5-user. I then followed the same steps as before, steps found in the Ubuntu forums. At first, it didn’t work. I tried logging on just using my domain name and password but it would always fail.
When it started to look like another failed attempt, I did a search on Google for winbindd. I don’t remember where I saw the winbindd command but I figured I’d search for it for more information. That search yielded this site. The site gave me the following “smack yourself” information:
Now start winbindd and you should find that your user and group database is expanded to include your NT users and groups, and that you can login to your unix box as a domain user, using the DOMAIN+user syntax for the username.
That’s what I had been missing all along! I wasn’t typing the domain name and plus sign (the designated winbind separator) before my username! Once I typed that in front of my domain username, and then typed my domain password, it logged on as it should. A light shined down upon me and angels began to play the most beautiful music.
I did comment out the winbind separator = + line in the smb.conf file to see if the default “DOMAIN\username” would work and it did. A couple of sites I found said that using the backslash as a separator could cause issues but I’ll leave it until I run across any of those issues. Even the Samba page about winbind shows using the backslash. You know the saying, “If it ain’t broke….”.
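The settings discussed above, as an added smb.conf fragment that is not the file from the original post. EXAMPLE and EXAMPLE.LOCAL are placeholder workgroup and realm names, "alice" is a constructed account name, and the idmap ranges and template values are assumptions for a Samba 3.0-era winbind setup.

```ini
# /etc/samba/smb.conf (fragment) -- added example, not the post's own file.
# EXAMPLE and EXAMPLE.LOCAL are placeholders for the workgroup and realm.
[global]
   security = ads
   workgroup = EXAMPLE
   realm = EXAMPLE.LOCAL

   # Ranges winbind may allocate for domain users and groups (assumed values;
   # keep them clear of the local /etc/passwd and /etc/group ranges).
   idmap uid = 10000-20000
   idmap gid = 10000-20000

   # Character placed between the domain and the account name. With this
   # line the login name is EXAMPLE+alice; with it commented out the default
   # backslash applies and the login name is EXAMPLE\alice.
   winbind separator = +

   # Default is "no": a bare "alice" is not looked up in the domain, which
   # is why a login without the DOMAIN prefix fails.
   winbind use default domain = no

   # Samba's default home directory template; yields /home/EXAMPLE/alice.
   template homedir = /home/%D/%U
   template shell = /bin/bash
```

After restarting winbind, `wbinfo -u` lists the domain accounts in the form the separator produces.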
Something else might have been wrong in the previous attempts, also, because when I ran the net ads join command, I didn’t receive any errors like I did in previous attempts. My domain login works and the user home directory does get created in the /home/DOMAIN directory for each login I tried. The only thing left to do is try to find a way for the domain accounts (domain admins, domain users, etc.) to somehow map to the Linux groups. I hope there is a way to do it so that domain admins have full admin rights on the Linux workstation without having to manually add them.
Tips on how to accomplish domain group mapping to Linux group mapping would be greatly appreciated.
07.Dec.05

I never had trouble with using a backslash either.