bigeven2002 (United States of America) asked:

How do I join Ubuntu Server 17.10 to Active Directory

Hello,

Due to the overwhelming amount of inaccurate information online, I am seeking guidance on how to make this happen step by step.  My goal is to set up Ubuntu Server for File and Print in my home lab which will serve files and a printer to Windows workstations and servers.  Permissions to the files will be Read/Write for Domain Admins and Domain Users.

Samba and all dependencies should be installed and I can ping the domain, realmd says I am connected but I am unable to get joined to the domain, says cannot rpc due to access denied when attempting sudo net ads join.  Rather than try to find a needle in a haystack, I am going to start over.  Again, this is for version 17.10, which is the latest, so the steps MUST be accurate and functional to that version.  The Active Directory server is Windows 2000 Server.  Both the Active Directory server and Ubuntu are virtual machines in a Hyper-V environment.

Thank you.
Aard Vark (Australia):

I followed the guide here from Microsoft.

  1. sudo apt-get install realmd krb5-user software-properties-common python-software-properties packagekit
  2. sudo realm join domain.fqdn -U 'administrator@domain.fqdn' -v
  3. kinit user@domain.fqdn
  4. klist

Seemed to do the trick. DNS was the complication in my case, though I never got an access denied message. Make sure that you are using an account with relevant access to create computer objects and join computers to the domain.
bigeven2002 (asker):

Thanks for the reply.  The join was successful but now when I log in as a domain admin with the sudo su command I get the following notice.  Is this of any concern?

$ sudo su admin@domain.local
su: System error
(Ignored)
groups:  cannot find name for group ID 1614600512
groups:  cannot find name for group ID 1614600518
groups:  cannot find name for group ID 1614600519
groups:  cannot find name for group ID 1614601256

Do these IDs translate to group SIDs in Active Directory? I assume they will. Have you given the box a reboot after the join? Might be worth trying the old turn it off and on again trick.

What output do you get from the following commands?

id admin@domain.local
kinit admin@domain.local
klist admin@domain.local

Well, I tried a reboot but it had no effect.  What I get is the following.

$ id admin@DOMAIN.LOCAL
uid=1614601108(admin@domain.local) gid=1614600512 groups=1614600519,1614601256,1614600518

No output given for kinit admin@domain.local.  It just asks for password and goes back to prompt.

$ klist admin@DOMAIN.LOCAL
klist:  No credentials cache found (filename: admin@DOMAIN.LOCAL)

klist did show something before the reboot though.  Not sure what happened.

I'm going to downgrade to version 16.04 to see if that works any better.  Even the official server documentation online is not for version 17 yet.

Wow this is frustrating.  It still doesn't work.  The group ID errors still exist and I cannot get the samba shares to work.  Says no authentication servers available for my share when I tried to explore it from Windows.

SOLUTION (Alan, New Zealand): only available to members.

ASKER CERTIFIED SOLUTION: only available to members.

Thanks for the replies.  I was hoping to not have to upgrade but I may not have a choice (I heard the upgrade path from 2000 to 2008 is rough).  Where I have run into a roadblock now is with the sudo net ads join command.  Even with the correct settings the error I get is below.  Would this also have to do with using Windows 2000 Server?  I've been through the Ubuntu documentation many times and cannot find where it specifies a minimum Windows Server level.  It just generically says Windows AD domain controller.

Failed to join domain:  failed to lookup DC info for domain 'DOMAIN.LOCAL' over rpc:  Access denied.

I've spent the last two days researching online but keep ending up at a dead end.  I've tried the domain admin account and a designated joining account but same result.

I was able to join using realmd but it cannot find the group names and samba doesn't work with it.

Hi BigEven2002,

To be honest, I don't know, but if you were able to spin up a 2008R2 server, and try it, if it works, that would be strongly indicative that you cannot do it with Server 2000.

Alan.

No problem, thanks.  I am setting up a 2012 R2 new forest AD now; we'll see how it goes.

Cool - will be interested to know!

Well, I'll be.  Using a 2012 R2 server was successful!  Looks like I will have to either upgrade or use Zentyal going forward.  Thanks for pointing me in the right direction!  Before I can mark this a success, I still need to test samba which I will do tomorrow and report back.  Thanks!

I think we're set.  Thanks again!