How do I join Ubuntu Server 17.10 to Active Directory


Due to the overwhelming amount of inaccurate information online, I am seeking guidance on how to make this happen step by step.  My goal is to set up Ubuntu Server for File and Print in my home lab which will serve files and a printer to Windows workstations and servers.  Permissions to the files will be Read/Write for Domain Admins and Domain Users.

Samba and all dependencies should be installed and I can ping the domain, realmd says I am connected but I am unable to get joined to the domain, says cannot rpc due to access denied when attempting sudo net ads join.  Rather than try to find a needle in a haystack, I am going to start over.  Again, this is for version 17.10 which is the latest, so the steps MUST be accurate and functional to that version.  The Active Directory server is Windows 2000 Server.  Both the Active Directory server and Ubuntu are virtual machines in a Hyper-V environment.

Thank you.
I followed the guide here from Microsoft.

  1. sudo apt-get install realmd krb5-user software-properties-common python-software-properties packagekit
  2. sudo realm join domain.fqdn -U 'administrator@domain.fqdn' -v
  3. kinit user@domain.fqdn
  4. klist

Seemed to do the trick. DNS was the complication in my case, though I never got an access denied message. Make sure that you are using an account with relevant access to create computer objects and join computers to the domain.
bigeven2002Author Commented:
Thanks for the reply.  The join was successful but now when I login as a domain admin with the sudo su command I get the following notice.  Is this of any concern?

$ sudo su admin@domain.local
su: System error
groups:  cannot find name for group ID 1614600512
groups:  cannot find name for group ID 1614600518
groups:  cannot find name for group ID 1614600519
groups:  cannot find name for group ID 1614601256
Do these IDs translate to group SIDs in Active Directory? I assume they will. Have you given the box a reboot after the join? Might be worth trying the old turn it off and on again trick.

What output do you get from the following commands?

id admin@domain.local
kinit admin@domain.local
klist admin@domain.local
bigeven2002Author Commented:
Well I tried reboot but it had no effect.  What I get is the following.

$ id admin@DOMAIN.LOCAL
uid=1614601108(admin@domain.local) gid=1614600512 groups=1614600519,1614601256,1614600518

No output given for kinit admin@domain.local.  It just asks for password and goes back to prompt.

$ klist admin@DOMAIN.LOCAL
klist:  No credentials cache found (filename: admin@DOMAIN.LOCAL)

klist did show something before the reboot though.  Not sure what happened.
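The reply above asks whether the numeric group IDs in the "cannot find name for group ID" messages correspond to AD group SIDs, and the id output posted here gives the raw numbers. The script below is an added diagnostic, not code from anyone in this thread. It assumes the IDs were allocated by SSSD's automatic ID mapping, which (by its default ldap_idmap_range_size of 200000) places each AD object at a per-domain slice base plus the object's RID; that is an assumption about the host, not something the thread confirms. Under that assumption it decodes each GID into a RID, labels the RIDs that AD reserves in every domain (512 Domain Admins, 518 Schema Admins, 519 Enterprise Admins, and so on), and reports which GIDs the host's NSS cannot name, which is exactly the condition that produces the groups: errors. The sample id line is the one posted above, reused as constructed input so the script runs offline.

```shell
#!/bin/sh
# Added diagnostic for "groups: cannot find name for group ID <n>" after an AD join.
# Assumption (not from the thread): IDs come from SSSD ID mapping, where
# id = <slice base> + <RID> and slices are 200000 wide (SSSD's default
# ldap_idmap_range_size). If the host uses a different mapper, only the
# NSS-resolution check below still applies.

# Constructed sample input, copied from the id output posted in the thread.
SAMPLE_ID_OUTPUT='uid=1614601108(admin@domain.local) gid=1614600512 groups=1614600519,1614601256,1614600518'

RANGE_SIZE=200000   # assumed SSSD default slice size

# Print every numeric GID in one `id` line: the primary gid= plus the groups= list.
# Names in parentheses (e.g. "1614600512(domain admins@domain.local)") are stripped.
extract_gids() {
    line=$1
    printf '%s\n' "$line" | sed -n 's/.* gid=\([0-9]*\).*/\1/p'
    printf '%s\n' "$line" | sed -n 's/.* groups=//p' \
        | tr ',' '\n' | sed 's/(.*//' | grep -E '^[0-9]+$'
}

# Under the SSSD slice assumption, the RID is the remainder modulo the slice size.
rid_of() {
    echo $(( $1 % $RANGE_SIZE ))
}

# Well-known RIDs that AD reserves in every domain; anything else is a
# domain-specific object whose name only the directory (via NSS) can supply.
wellknown_rid_name() {
    case "$1" in
        500) echo "Administrator" ;;
        501) echo "Guest" ;;
        502) echo "krbtgt" ;;
        512) echo "Domain Admins" ;;
        513) echo "Domain Users" ;;
        514) echo "Domain Guests" ;;
        515) echo "Domain Computers" ;;
        516) echo "Domain Controllers" ;;
        518) echo "Schema Admins" ;;
        519) echo "Enterprise Admins" ;;
        520) echo "Group Policy Creator Owners" ;;
        *)   echo "(domain-specific RID)" ;;
    esac
}

# True when NSS (the same lookup path `groups` and `ls -l` use) can name the GID.
# getent goes through nsswitch.conf, so it sees sssd/winbind groups; the awk
# fallback only consults /etc/group and is there for hosts without getent.
gid_resolves() {
    if command -v getent >/dev/null 2>&1; then
        getent group "$1" >/dev/null 2>&1
    else
        awk -F: -v g="$1" '$3 == g { found = 1 } END { exit !found }' /etc/group
    fi
}

# One line per GID that NSS cannot name: the GID, its decoded RID, and the
# well-known meaning of that RID where there is one.
report_unresolved() {
    extract_gids "$1" | while read -r gid; do
        if ! gid_resolves "$gid"; then
            rid=$(rid_of "$gid")
            printf '%s\tRID %s\t%s\n' "$gid" "$rid" "$(wellknown_rid_name "$rid")"
        fi
    done
}

# Number of unresolvable GIDs, handy for a quick post-join health check.
count_unresolved() {
    report_unresolved "$1" | wc -l | tr -d ' '
}

# On the joined host, feed the live output instead:
#   report_unresolved "$(id admin@domain.local)"
report_unresolved "$SAMPLE_ID_OUTPUT"
```

If every line in the report decodes to a sensible RID (512, 518, 519 for a domain admin, plus the user's own group), the IDs are well-formed and the problem is purely name resolution: the host's NSS is not consulting the AD backend for groups, which is where to look next (nsswitch.conf and the sssd or winbind configuration). A report that decodes to nonsense RIDs means the slice assumption is wrong for this host and the numbers come from a different mapper.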
bigeven2002Author Commented:
I'm going to downgrade to version 16.04 to see if that works any better.  Even the official server documentation online is not for version 17 yet.
bigeven2002Author Commented:
Wow this is frustrating.  It still doesn't work.  The group ID errors still exist and I cannot get the samba shares to work.  Says no authentication servers available for my share when I tried to explore it from Windows.
Hi BigEven2002,

Is there any chance of trying this with a later version of Windows Server - say, anything from 2008R2 onwards?

I seem to recall getting this to work, but it was at least five years ago, and maybe more.  I suspect it was either an Ubuntu 10.04 LTS or 12.04 LTS, but again, I cannot recall for certain.

Oh wow, I completely missed you were running Active Directory in FFL 2000 with Windows 2000 Servers. The product is 2 decades old, which in the tech world is a very long time (Forest functional level features - without even going into OS differences). I have no idea if you would be able to get Ubuntu 16.x or 17.x working with such an old AD functional level and OS; you will need to look through the Ubuntu support documentation to see what their requirements are around AD OS version and forest functional level. Personally anything lower than Server 2008 R2 should be in the bin in my opinion, but I know there are many organisations in the world still running XP/2003/2003 R2 servers out there for one reason or another, but Server 2000 on the other hand was end of life almost a decade ago now.

I agree with Alan, at least consider getting 2008 R2 domain controllers and a 2003 or 2008 R2 functional level.

No output given for kinit admin@domain.local.  It just asks for password and goes back to prompt.

That is normal, but you should get an output from klist after you have run kinit. It should show you your Kerberos token (cached credentials). Being that you are running such an old OS for your DCs it's hard to say if it is an old AD/Ubuntu compatibility issue.

bigeven2002Author Commented:
Thanks for the replies.  I was hoping to not have to upgrade but I may not have a choice (I heard the upgrade path from 2000 to 2008 is rough).  Where I have run into a roadblock now is with the sudo net ads join command.  Even with the correct settings the error I get is below.  Would this also have to do with using Windows 2000 server?  I've been through the Ubuntu documentation many times and cannot find where it specifies a minimum Windows server level.  It just generically says Windows AD domain controller.

Failed to join domain:  failed to lookup DC info for domain 'DOMAIN.LOCAL' over rpc:  Access denied.

I've spent the last two days researching online but keep ending up at a dead end.  I've tried the domain admin account and a designated joining account but same result.

I was able to join using realmd but it cannot find the group names and samba doesn't work with it.
Hi BigEven2002,

To be honest, I don't know, but if you were able to spin up a 2008R2 server and try it, and it works, that would be strongly indicative that you cannot do it with Server 2000.

bigeven2002Author Commented:
No problem, thanks.  I am setting up a 2012 R2 new forest AD now; we'll see how it goes.
Cool - will be interested to know!
bigeven2002Author Commented:
Well, I'll be.  Using a 2012 R2 server was successful!  Looks like I will have to either upgrade or use Zentyal going forward.  Thanks for pointing me in the right direction!  Before I can mark this a success, I still need to test samba which I will do tomorrow and report back.  Thanks!
bigeven2002Author Commented:
I think we're set.  Thanks again!