{"id":11046,"date":"2025-12-27T11:04:39","date_gmt":"2025-12-27T16:04:39","guid":{"rendered":"https:\/\/stevepedwards.today\/DebianAdmin\/?p=11046"},"modified":"2025-12-28T00:29:29","modified_gmt":"2025-12-28T05:29:29","slug":"joining-ubuntu-to-windows-domain","status":"publish","type":"post","link":"https:\/\/stevepedwards.today\/DebianAdmin\/joining-ubuntu-to-windows-domain\/","title":{"rendered":"Joining Linux Mint to Windows Domain (coz Ubuntu Desktop is Horrible!)"},"content":{"rendered":"<p><strong>The 5 Point Plan Overview: Joining Linux Mint to Active Directory (Windows Server 
2022)<\/strong><\/p>\n<p><strong>Step 1: Network &amp; DNS (The Foundation)<\/strong><\/p>\n<p>Before touching any domain commands, the Linux machine must \"see\" the network exactly as the Domain Controller does.<\/p>\n<ul>\n<li><strong>Action:<\/strong> Set a static IP (e.g., 172.27.176.32) and point DNS only at the DC.<\/li>\n<li><strong>The \"Why\":<\/strong> realmd, SSSD and Kerberos locate the DC through DNS SRV records (_ldap._tcp.dc._msdcs.server2022.local, _kerberos._tcp.server2022.local). If your DNS points to a router or a public resolver (8.8.8.8) instead of your DC (172.27.176.34), those records never resolve, the realm join fails or behaves intermittently, and later logon attempts fail with errors such as System Error 1311 (no logon servers available).<\/li>\n<li><strong>Verification:<\/strong> Run ping server2022.local. The domain name must resolve to the DC IP, and the _ldap._tcp.dc._msdcs SRV record must resolve to the DC's host name.<\/li>\n<\/ul>\n<p><strong>Step 2: The Domain Join (The Handshake)<\/strong><\/p>\n<p>Use the realm tool. It is the modern method because it discovers the domain and writes the Kerberos (krb5.conf) and SSSD configuration for you.<\/p>\n<ul>\n<li><strong>Action:<\/strong> sudo realm join -U Administrator server2022.local<\/li>\n<li><strong>The \"Why\":<\/strong> This creates the computer object in Active Directory, sets the machine password and stores the resulting keys in \/etc\/krb5.keytab, which both SSSD and Samba use afterwards.<\/li>\n<li><strong>Note:<\/strong> If you have re-installed Mint several times under the same hostname, \"Reset Account\" on the computer object in the Windows AD console first, so the computer account is in a known state before the new join. After any rejoin the machine key changes and its Key Version Number (KVNO) moves on, so tickets cached against the old key are rejected by smbd; that is why klist purge on the Windows side appears in the troubleshooting note below.<\/li>\n<\/ul>\n<p><strong>Step 3: SSSD Hardening (The Security Gate)<\/strong><\/p>\n<p>The System Security Services Daemon (SSSD) answers the actual \"Who are you?\" requests (NSS lookups and PAM logins) against the domain.<\/p>\n<ul>\n<li><strong>Action:<\/strong> Ensure \/etc\/sssd\/sssd.conf is owned by root:root with permissions 600.\n<ul>\n<li>sudo chown root:root \/etc\/sssd\/sssd.conf<\/li>\n<li>sudo chmod 600 \/etc\/sssd\/sssd.conf<\/li>\n<\/ul>\n<\/li>\n<li><strong>The \"Why\":<\/strong> sssd.conf can carry credentials (for example an LDAP bind password) and controls which accounts may log in, so SSSD checks its ownership and mode at startup and refuses to start if the file is not root-owned and 0600. 
This is often why the service fails after a manual edit.<\/li>\n<\/ul>\n<p><strong>Step 4: Samba Configuration (The File Bridge)<\/strong><\/p>\n<p>Samba must be told that it is an AD domain member and must resolve domain users through the same source SSSD provides (libnss_sss) instead of its own local password database.<\/p>\n<ul>\n<li><strong>Action:<\/strong> In smb.conf, set security = ADS, realm = SERVER2022.LOCAL and workgroup = LABSERVER2022 (the domain's NetBIOS name).<\/li>\n<li><strong>The \"Why\":<\/strong> A common mistake is leaving the default security = user in place next to security = ADS. Samba keeps whichever value it reads last and only testparm shows you which one won, so the server can silently come up as a standalone server and reject every domain logon.<\/li>\n<li><strong>The \"Secret\" Line:<\/strong> Add kerberos method = secrets and keytab. By default smbd only looks for machine credentials in its own secrets.tdb, which an adcli-based realm join never populates; this setting makes it read \/etc\/krb5.keytab, the same keytab SSSD uses, so smbd can decrypt the Kerberos service tickets clients present. Without it, Kerberos session setups to the share fail, which is one source of the 1311 \"domain unavailable\" symptom.<\/li>\n<\/ul>\n<p><strong>Step 5: Authentication &amp; Mapping (The Validation)<\/strong><\/p>\n<p>Whether the Windows client authenticates with Kerberos or falls back to NTLM depends on the name you use for the server.<\/p>\n<ul>\n<li><strong>Action:<\/strong> Always attempt the initial map using the hostname: net use Z: \\\\MINT-SRV\\Share.<\/li>\n<li><strong>The \"Why\":<\/strong> The client only requests a Kerberos ticket for a target that matches a service principal name; the join registered cifs\/mint-srv.server2022.local, but nothing registers an IP address. Using the IP therefore forces NTLM, and in this SSSD-only setup there is no winbindd to relay the NTLM exchange to the DC, so smbd answers NT_STATUS_NO_LOGON_SERVERS, which Windows reports as System Error 1311. Using the hostname forces a proper ticket exchange.<\/li>\n<li><strong>Service Check:<\/strong> Always run systemctl status sssd smbd to ensure both services are running before trying to map.<\/li>\n<\/ul>\n<p><strong>Final Troubleshooting Note<\/strong><\/p>\n<p>If \"System Error 1311\" appears:<\/p>\n<ol>\n<li><strong>Check Time:<\/strong> Run date on Mint and check the clock on the DC. They must be within 5 minutes of each other (the default Kerberos clock skew), or every ticket is rejected.<\/li>\n<li><strong>Clear Tickets:<\/strong> On Windows, run klist purge before retrying the map, so the client requests a fresh service ticket instead of re-presenting one issued against an old key version.<\/li>\n<\/ol>\n<p>1. 
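<\/p>
<p>A pre-join checklist for Steps 1 and 3 and for the clock-skew item in the troubleshooting note, as an added example that is not code from the original post. Each check is a shell function that takes its input as arguments (a resolv.conf file, SRV answer lines, two clock readings, a file to inspect), so it can be exercised against constructed data; <code>precheck.sh run<\/code> performs the same checks live. The DC address 172.27.176.34, the realm server2022.local, and the use of <code>dig<\/code> (dnsutils) and <code>net time -S<\/code> (samba-common-bin) to read the DC's clock are assumptions matching this lab.<\/p>
```bash
#!/usr/bin/env bash
# Pre-join checks for an SSSD + Samba domain member (added example, not from the post).
# Assumed lab values from the guide: DC 172.27.176.34, realm server2022.local.
# Each check takes its input as arguments so it can run against constructed data;
# "precheck.sh run" performs the same checks live on the machine being joined.

DC_IP="${DC_IP:-172.27.176.34}"
REALM="${REALM:-server2022.local}"
MAX_SKEW_SECONDS=300   # Kerberos default clockskew (5 minutes)

# Step 1: every nameserver in a resolv.conf-style file must be the DC; any other
# resolver has never heard of the realm and the SRV lookups below leak to it.
check_dns_servers() {   # $1 = resolv.conf path, $2 = DC IP; returns 0 when clean
    local file="$1" dc="$2" key ns rest bad=0 n=0
    while read -r key ns rest; do
        [ "$key" = "nameserver" ] || continue
        n=$((n + 1))
        if [ "$ns" != "$dc" ]; then
            echo "FAIL: nameserver $ns is not the DC ($dc)" >&2
            bad=1
        fi
    done < "$file"
    if [ "$n" -eq 0 ]; then
        echo "FAIL: no nameserver entries in $file" >&2
        return 1
    fi
    return "$bad"
}

# Step 1: a member locates DCs through the _ldap._tcp.dc._msdcs SRV record.
# Reads "priority weight port target" lines (the `dig +short SRV` format) on
# stdin, prints each DC host name without its trailing dot, returns 1 if none.
parse_srv_targets() {
    local prio weight port target found=0
    while read -r prio weight port target; do
        [ -n "$target" ] || continue
        found=1
        printf '%s\n' "${target%.}"
    done
    [ "$found" -eq 1 ]
}

# Troubleshooting item 1: Kerberos rejects tickets once the clocks differ by
# more than clockskew. $1 = local epoch seconds, $2 = DC epoch seconds.
check_clock_skew() {
    local diff=$(( $1 - $2 ))
    if [ "$diff" -lt 0 ]; then diff=$(( -diff )); fi
    if [ "$diff" -gt "$MAX_SKEW_SECONDS" ]; then
        echo "FAIL: clock skew ${diff}s exceeds ${MAX_SKEW_SECONDS}s (KRB5KRB_AP_ERR_SKEW)" >&2
        return 1
    fi
    return 0
}

# Step 3: sssd refuses to start unless sssd.conf is root:root with mode 0600.
check_sssd_conf_perms() {   # $1 = sssd.conf path
    local mode owner
    mode=$(stat -c '%a' "$1") || return 1
    owner=$(stat -c '%U:%G' "$1") || return 1
    if [ "$mode" != "600" ] || [ "$owner" != "root:root" ]; then
        echo "FAIL: $1 is $owner mode $mode; needs root:root 0600" >&2
        return 1
    fi
    return 0
}

# Live run (assumes dig from dnsutils and net from samba-common-bin are installed).
run_live() {
    local rc=0 dc_time dc_now
    # systemd-resolved leaves 127.0.0.53 here; then inspect `resolvectl status` instead.
    check_dns_servers /etc/resolv.conf "$DC_IP" || rc=1
    if ! dig +short SRV "_ldap._tcp.dc._msdcs.$REALM" | parse_srv_targets; then
        echo "FAIL: no DC SRV record for $REALM" >&2; rc=1
    fi
    # `net time -S` prints the DC's clock; date -d converts it to epoch seconds.
    dc_time=$(net time -S "$DC_IP" 2>/dev/null)
    if [ -n "$dc_time" ] && dc_now=$(date -d "$dc_time" +%s); then
        check_clock_skew "$(date +%s)" "$dc_now" || rc=1
    else
        echo "FAIL: cannot read the DC clock" >&2; rc=1
    fi
    # sssd.conf only exists after realm join, so this part applies on the second run.
    if [ -e /etc/sssd/sssd.conf ]; then
        check_sssd_conf_perms /etc/sssd/sssd.conf || rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: DNS, SRV, clock and sssd.conf checks passed"; fi
    return "$rc"
}

case "${1:-}" in
    run) run_live ;;
esac
```
<p>Run it before <code>realm join<\/code> and again afterwards (sssd.conf only exists after the join). A nameserver line that is not the DC, an empty SRV answer, or skew above 300 seconds each mean the join or the first logon will fail in the ways described above.<\/p>
<p>1. 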
Network Configuration (Internal LAN)<\/p>\n<p>Before joining the domain, Mint must be able to resolve the Domain Controller's SRV records, so the DC must be its DNS server.<\/p>\n<ul>\n<li>IP Address: 172.27.176.32<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"793\" height=\"634\" class=\"wp-image-11058\" src=\"https:\/\/stevepedwards.today\/DebianAdmin\/wp-content\/uploads\/2025\/12\/word-image-11046-1-1.png\" \/><\/p>\n<ul>\n<li>Netmask: 255.255.0.0 (for \/16)<\/li>\n<li>Gateway: 172.27.176.1 (Laptop Inet Bridge)<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"988\" height=\"686\" class=\"wp-image-11059\" src=\"https:\/\/stevepedwards.today\/DebianAdmin\/wp-content\/uploads\/2025\/12\/word-image-11046-2-1.png\" \/><\/p>\n<ul>\n<li>DNS Server: 172.27.176.34 (The DC)\n<ul>\n<li><em>Note:<\/em> Ensure the DC is the only DNS server listed, to prevent lookups from leaking to an external DNS that doesn't know about server2022.local.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>2. Keyboard Setup (Latam\/Colombia)<\/p>\n<p>To ensure the @ symbol (AltGr + Q) works for entering domain credentials:<\/p>\n<ol>\n<li>Open Menu -&gt; Keyboard -&gt; Layouts.<\/li>\n<li>Add Spanish (Latin American).<\/li>\n<li>Click Options... -&gt; Expand Key to choose 3rd level.<\/li>\n<li>Select Right Alt (AltGr).<\/li>\n<li><em>Test the @ symbol in the terminal before proceeding.<\/em><\/li>\n<\/ol>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1315\" height=\"618\" class=\"wp-image-11060\" src=\"https:\/\/stevepedwards.today\/DebianAdmin\/wp-content\/uploads\/2025\/12\/word-image-11046-3-1.png\" \/><\/p>\n<p>3. Domain Stack Installation (SSSD Only)<\/p>\n<p>This build uses SSSD alone for identity and authentication and leaves winbind uninstalled, so there is a single source of truth for user and group lookups and no second daemon competing for the machine account. Be aware of the trade-off: without winbindd, smbd can only validate domain logons that arrive as Kerberos tickets (connections by hostname); NTLM logons, such as a connection by IP address, cannot be relayed to the DC and fail with System Error 1311. The samba package provides the smbd that Section 5 configures; libnss-sss and libpam-sss wire SSSD into name resolution and login.<\/p>\n<p>Bash<\/p>\n<p>sudo apt update<\/p>\n<p>sudo apt install -y sssd sssd-ad sssd-tools libnss-sss libpam-sss realmd adcli krb5-user samba samba-common-bin<\/p>\n<p>4. 
Join the Active Directory Domain<\/p>\n<p>Set the hostname first: it becomes the computer account name and the service principal (cifs\/mint-srv.server2022.local) that the join registers, so changing it afterwards means rejoining. Then join using the Domain Administrator.<\/p>\n<p>Bash<\/p>\n<p>sudo hostnamectl set-hostname mint-srv<\/p>\n<p>steve@MintVM:~$ sudo realm join -U Administrator sbs.server2022.local<\/p>\n<p>Password for Administrator: xxxxxxxxxx<\/p>\n<p>steve@MintVM:~$<\/p>\n<p>5. Samba Configuration (\/etc\/samba\/smb.conf)<\/p>\n<p>Critical: You must manually update the [global] section to replace the default WORKGROUP with your actual domain NetBIOS name, and make sure only one security line remains.<\/p>\n<p>NB! This NetBIOS name was a paste error at VM install time, so I stuck with it, as it is a core property of the DC.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"614\" height=\"568\" class=\"wp-image-11061\" src=\"https:\/\/stevepedwards.today\/DebianAdmin\/wp-content\/uploads\/2025\/12\/word-image-11046-4-1.png\" \/><\/p>\n<p>Plaintext<\/p>\n<p>[global]<\/p>\n<p># Change 'WORKGROUP' to your actual domain short name<\/p>\n<p>workgroup = LABSERVER2022<\/p>\n<p>realm = SERVER2022.LOCAL<\/p>\n<p>security = ADS<\/p>\n<p># Use the machine keys realm join wrote to \/etc\/krb5.keytab; the default only looks in secrets.tdb, which an adcli join leaves empty<\/p>\n<p>kerberos method = secrets and keytab<\/p>\n<p># Identity mapping. These idmap lines are only consulted by winbindd; with SSSD alone, smbd resolves users through NSS (libnss_sss). The module is idmap_sss, selected as 'sss'<\/p>\n<p>idmap config * : backend = tdb<\/p>\n<p>idmap config * : range = 3000-7999<\/p>\n<p>idmap config LABSERVER2022 : backend = sss<\/p>\n<p>idmap config LABSERVER2022 : range = 10000-999999<\/p>\n<p># Modern Windows security protocols: refuse NTLMv1 (the parameter name is 'ntlm auth')<\/p>\n<p>ntlm auth = ntlmv2-only<\/p>\n<p>client ntlmv2 auth = yes<\/p>\n<p>&nbsp;<\/p>\n<p>[DomainShare]<\/p>\n<p>comment = Shared Folder for Windows Admins<\/p>\n<p>path = \/srv\/samba\/domain_share<\/p>\n<p>browseable = yes<\/p>\n<p>read only = no<\/p>\n<p>guest ok = no<\/p>\n<p># SSSD returns fully qualified names after a realm join, so the group is written user@domain style<\/p>\n<p>valid users = \"@domain admins@server2022.local\"<\/p>\n<p>vfs objects = acl_xattr<\/p>\n<p>map acl inherit = yes<\/p>\n<p>store dos attributes = yes<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"643\" height=\"604\" class=\"wp-image-11062\" src=\"https:\/\/stevepedwards.today\/DebianAdmin\/wp-content\/uploads\/2025\/12\/word-image-11046-5-1.png\" \/><\/p>\n<p>6. 
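<\/p>
<p>To check the [global] section for the pitfalls called out in Step 4 of the overview and in Section 5 above (a second security line, WORKGROUP left in place, a lower-case realm, a missing kerberos method, the idmap backend spelt sssd), here is a small offline linter as an added example; it is not code from the original post and not a Samba tool. It reproduces the one Samba parsing rule that matters here: when a key is repeated, the last occurrence wins. The NetBIOS domain LABSERVER2022 and the path \/etc\/samba\/smb.conf are assumptions taken from this lab.<\/p>
```bash
#!/usr/bin/env bash
# Offline lint for the [global] section of smb.conf (added example, not from the post).
# Checks the pitfalls the post describes: a repeated `security`, the default WORKGROUP
# left in place, a lower-case realm, a missing `kerberos method`, and the idmap backend
# written as `sssd` (the module is idmap_sss, selected as `sss`). Pair it with `testparm -s`,
# which also reports unknown parameter names and the values Samba actually loaded.

# [global] lines with comments (# or ;) and blank lines dropped; stops at the next section.
global_lines() {   # $1 = smb.conf path
    awk '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        /^[ \t]*\[/ { insec = (tolower($0) ~ /^[ \t]*\[global\][ \t]*$/); next }
        insec { print }' "$1"
}

# Effective value of a [global] key. Samba keeps the LAST occurrence of a repeated
# key, so the value printed here is the one smbd actually runs with.
global_value() {   # $1 = smb.conf path, $2 = key (matched case-insensitively)
    global_lines "$1" | awk -F= -v key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        {
            k = tolower($1); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) { v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v); val = v }
        }
        END { printf "%s", val }'
}

# How many times a key appears in [global]; more than once means one is overridden.
count_key() {   # $1 = smb.conf path, $2 = key
    global_lines "$1" | awk -F= -v key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        { k = tolower($1); gsub(/^[ \t]+|[ \t]+$/, "", k); if (k == key) n++ }
        END { print n + 0 }'
}

FINDINGS=0
fail() { echo "FAIL: $*"; FINDINGS=$((FINDINGS + 1)); }

# Returns the number of findings (0 = clean). $1 = smb.conf path, $2 = domain NetBIOS name.
lint_smb_conf() {
    local f="$1" domain="$2" v n
    FINDINGS=0

    n=$(count_key "$f" security)
    if [ "$n" -gt 1 ]; then
        fail "'security' appears $n times in [global]; Samba keeps the last one"
    fi
    v=$(global_value "$f" security | tr '[:upper:]' '[:lower:]')
    [ "$v" = "ads" ] || fail "security = '${v:-unset}'; an AD domain member needs 'ADS'"

    v=$(global_value "$f" workgroup | tr '[:lower:]' '[:upper:]')
    [ "$v" = "$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')" ] \
        || fail "workgroup = '${v:-unset}'; must be the domain NetBIOS name $domain"

    v=$(global_value "$f" realm)
    if [ -z "$v" ] || [ "$v" != "$(printf '%s' "$v" | tr '[:lower:]' '[:upper:]')" ]; then
        fail "realm = '${v:-unset}'; must be the Kerberos realm in upper case"
    fi

    v=$(global_value "$f" "kerberos method")
    case "$v" in
        *keytab*) ;;
        *) fail "kerberos method = '${v:-default}'; needs 'secrets and keytab' to use the keytab written by realm join" ;;
    esac

    v=$(global_value "$f" "idmap config $domain : backend")
    if [ "$v" = "sssd" ]; then
        fail "idmap config $domain : backend = sssd; the idmap_sss module is selected with 'sss'"
    fi

    return "$FINDINGS"
}

if [ "${1:-}" = "lint" ]; then
    lint_smb_conf "${2:-/etc/samba/smb.conf}" "${3:-LABSERVER2022}"
fi
```
<p>Usage: <code>smbconf-lint.sh lint \/etc\/samba\/smb.conf LABSERVER2022<\/code>; the exit status is the number of findings. It complements rather than replaces <code>testparm -s<\/code>, which additionally flags unknown parameter names and prints the values Samba actually loaded.<\/p>
<p>6. 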
Directory Permissions &amp; Services<\/p>\n<p>Create the share directory and assign it to the Domain Admins group. The chown works only because SSSD now resolves domain accounts through NSS; if it reports an invalid user, check getent passwd administrator@server2022.local before going further. Ownership alone is not enough: the directory mode must give the group write access for read only = no to mean anything to admins other than Administrator, and the setgid bit keeps new files in the group.<\/p>\n<p>Bash<\/p>\n<p>sudo mkdir -p \/srv\/samba\/domain_share<\/p>\n<p>sudo chown \"administrator@server2022.local\":\"domain admins@server2022.local\" \/srv\/samba\/domain_share -R<\/p>\n<p>sudo chmod 2770 \/srv\/samba\/domain_share<\/p>\n<p>sudo chmod +x \/srv\/samba<\/p>\n<p># Restart services to apply changes<\/p>\n<p>sudo systemctl restart sssd smbd<\/p>\n<p>7. Connecting from the DC (SBS.SERVER2022.LOCAL)<\/p>\n<p>Clear the Kerberos ticket cache on the Windows side first: after a rejoin, a cached service ticket for mint-srv was issued against the old machine key and smbd can no longer decrypt it, so klist purge forces a fresh ticket request.<\/p>\n<ol>\n<li>Open PowerShell (Admin) on the DC.<\/li>\n<li>Run: klist purge<\/li>\n<li>Run: net use Z: \\\\172.27.176.32\\DomainShare \/user:administrator@server2022.local<\/li>\n<li>If the IP form returns System Error 1311, use the hostname instead (net use Z: \\\\mint-srv\\DomainShare), as recommended in Step 5: the hostname matches the cifs\/mint-srv.server2022.local principal registered at the join and gets a Kerberos ticket, whereas the IP form falls back to NTLM, which this winbind-less setup cannot pass to the DC. This requires mint-srv.server2022.local to resolve on the DC; SSSD registers the A record through dynamic DNS by default, otherwise add it in DNS Manager.<\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"<p>The 5 Point Plan Overview: Joining Linux Mint to Active Directory (Windows Server 2022) Step 1: Network &amp; DNS (The Foundation) Before touching any domain commands, the Linux machine must \"see\" the world exactly as the Domain Controller does. Action: Set a static IP (e.g., 172.27.176.32). The \"Why\": Linux uses DNS SRV records to find <a href=\"https:\/\/stevepedwards.today\/DebianAdmin\/joining-ubuntu-to-windows-domain\/\" class=\"more-link\">...<span class=\"screen-reader-text\">\u00a0 Joining Linux Mint to Windows Domain (coz Ubuntu Desktop is Horrible!)<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-11046","post","type-post","status-publish","format-standard","hentry","category-post"],"a3_pvc":{"activated":true,"total_views":12,"today_views":0},"_links":{"self":[{"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/posts\/11046","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/comments?post=11046"}],"version-history":[{"count":6,"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/posts\/11046\/revisions"}],"predecessor-version":[{"id":11063,"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/posts\/11046\
/revisions\/11063"}],"wp:attachment":[{"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/media?parent=11046"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/categories?post=11046"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/tags?post=11046"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}