User Tools

Site Tools


samba4_as_domain_member

Samba4 as AD Domain Member

Introduction

This HOWTO provides you the way for a basic setup of a Samba 4.x Member Server, that is part of an Active Directory (regardless if Samba or Windows provides the AD).

Samba4 have four roles:

  1. Active Directory Domain Controller:
  2. Read Only Domain Controller (RODC):
  3. Member Server (File Server):
  4. Standalone Server:

Required Packages


See Samba4 Requirements for dependencies and recommendations.

Compiling and installation


After you have downloaded and unpacked the sources, you have to run inside of the extracted directory:

 # ./configure --with-ads --with-shared-modules=idmap_ad,idmap_rid --enable-debug --enable-selftest
 # make
 # make install

Note: you can see './configure' options:

 # ./configure --help | less

To install Samba4 from SerNet repositories (before check http://repos.uclv.edu.cu to configure repositories):

 # apt-get install sernet-samba sernet-samba-winbind attr acl krb5-user

Setting up Kerberos


NOTE: currently this step is not mandatory, you can skip!!

You must to backup the original file in /etc/krb5.conf':

 # mv /etc/krb5.conf{,.orig}

Create the new file:

 # nano /etc/krb5.conf

Then adjust the content with the following content:

 [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

 [libdefaults]
     default_realm = REDTIC.UCLV.CU
     dns_lookup_realm = false
     dns_lookup_kdc = true
     ticket_lifetime = 24h
     forwardable = yes

 [appdefaults]
     pam = {
          debug = false
          ticket_lifetime = 36000
          renew_lifetime = 36000
          forwardable = true
          krb4_convert = false
     }

Configure NTP


Active Directory requires an accurate time synchronization between the clients and the DC(s). It's highly recommended to run NTP or another form of synchronization. You can follow the instructions in Samba4 Requirements web page. or simply install “ntpdate”:

 # apt-get install ntpdate

To configure ntpdate:

 # nano /etc/default/ntpdate

Then adjust the parameters to your configuration.

Note: Remember that you need to sync your 'ntpd' with your Active Directory Server.

Setting up a basic smb.conf


The following is a very basic example of a 'smb.conf'. Normally this file is located in '/usr/local/samba/etc/'. Depending on your 'configure' parameters, it could be located on a different place.

If you use Samba from repositories the location is /etc/samba/.

[global]

   workgroup = REDTIC        # SHORTDOMAINNAME
   security = ADS
   realm = REDTIC.UCLV.CU    # YOUR.SAMBA.DOMAIN.NAME
   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab

   # Default ID mapping configuration for local BUILTIN accounts
   # and groups on a domain member. The default (*) domain:
   # - must not overlap with any domain ID mapping configuration!
   # - must use an read-write-enabled back end, such as tdb. 
   idmap config *:backend = tdb
   idmap config *:range = 3000-9999
   idmap config REDTIC:backend = ad
   idmap config REDTIC:schema_mode = rfc2307
   idmap config REDTIC:range = 10000-99999999

   winbind trusted domains only = no
   winbind use default domain = yes
   winbind enum users  = yes
   winbind enum groups = yes
   winbind refresh tickets = Yes

   # Uncomment the following options if you needs really
   # Looking for these options in smb.conf before!!
   #winbind expand groups = 4
   #winbind normalize names = Yes
   #domain master = no
   #local master = no
   
   # Use template settings for login shell and home directory
   winbind nss info = rfc2307
   template shell = /bin/bash
   template homedir = /home/%D/%U

   # Disable CUPS errors
   printing = bsd
   printcap name = /dev/null

   # Real Windows ACL's
   vfs objects = acl_xattr
   map acl inherit = Yes
   store dos attributes = Yes

[Demo]
     path = /srv/samba/Demo/
     read only = no

This is just very a basic example that will make your member server part of your Active Directory. The ID mapping for domain users/groups is done via schema mode rfc2307. Users/groups having a uidNumber/gidNumber set in AD, are available on your member server with the same IDs as in your AD. If you use different UID/GID ranges in your AD, you have to adapt them. For all non-domain accounts (like BUILTIN, etc.) the mappings are stored in a local TDB file and the IDs are taken from the given range.

NOTE: If yours users/groups in AD don't have uidNumber/gidNumber:

  • Change line 'idmap config REDTIC:backend = ad' to 'idmap config REDTIC:backend = rid'.
  • Change line 'winbind nss info = rfc2307' to 'winbind nss info = template'.
  • Comment out the line: 'idmap config REDTIC:schema_mode = rfc2307'

For further explanation on the 'smb.conf' parameters, see the manpage:

 # man smb.conf

Notes:

  1. The choice domain back-end depends of who provide the domain. If you have MSAD without “Services for Unix (SFU)”, you should use 'rid' back-end; instead for Samba4 AD use 'ad' back-end, as showed in the previous example.
  2. The parameter values of “idmap config *:range” can't not contained in “idmap config SHORTDOMAINNAME:range”.
  3. In case that you have a big database, last number in the interval in “idmap config SHORTDOMAINNAME:range =” should be a big number, because some users are not detected by Samba.
  4. The 'dedicated keytab file = /etc/krb5.keytab' & 'kerberos method = secrets and keytab' lines will create the keytab when the machine joins the domain and set samba to use it, 'winbind refresh tickets = Yes' tells winbind to ensure that the keytab is kept updated.

Joining the member server to the domain


 # net ads join -Uadministrator

You can check whether participation in a domain is still valid (this step is optional):

# net ads testjoin -Uadministrator

Make domain users/groups available locally through winbind


To enable hosts to receive user and group information from a domain using Winbind, you must create two symbolic links in a directory of the operating system's library path.

To determine the operating system's platform:

 # uname -i

The 'libnss_winbind.so.2' library is installed in the Samba library directory set at compile time. To locate the folder:

 # smbd -b | grep LIBDIR
   LIBDIR: /usr/local/samba/lib/

For amd64 (x86_64):

 # ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/x86_64-linux-gnu/
 # ln -s /lib/x86_64-linux-gnu/libnss_winbind.so.2 /lib/x86_64-linux-gnu/libnss_winbind.so
 # ldconfig

For i386:

 # ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/i386-linux-gnu/
 # ln -s /lib/i386-linux-gnu/libnss_winbind.so.2 /lib/i386-linux-gnu/libnss_winbind.so
 # ldconfig

For Samba4 Sernet or repository distro installation: (you should not have to do the following normally, if not work try:)

For amd64(x86_64):

You must have linked '/lib/x86_64-linux-gnu/libnss_winbind.so → libnss_winbind.so.2'. To linked:

 # ln -s /lib/x86_64-linux-gnu/libnss_winbind.so.2 /lib/x86_64-linux-gnu/libnss_winbind.so
 # ldconfig

For i386:

You must have linked '/lib/i386-linux-gnu/libnss_winbind.so → libnss_winbind.so.2'. To linked:

 # ln -s /lib/i386-linux-gnu/libnss_winbind.so.2 /lib/i386-linux-gnu/libnss_winbind.so
 # ldconfig

To check if library are enables correctly:

 # ldconfig -v | grep libnss_winbind | grep -v grep

The next step is to add 'winbind' to the 'passwd' and 'group' entry of your '/etc/nsswitch.conf':

 passwd: compat winbind
 group:  compat winbind

Starting the daemons


Once you have finished the above steps, you must start the following services:

  • winbindd
  • smbd
  • nmbd

You should write/get a start script to avoid starting the services by hand everytime. Make sure that winbind is being started before smbd. You can find some examples in Samba4 Requirements page.

To reload Samba configuration

 # smbcontrol all reload-config

Enable Samba4 at startup

If you use Samba4 from SerNet Repositories the file '/etc/default/samba-sernet' controls the way that Samba daemon start. You must edit this file and adjust to yours requirements. Keep in mind that Member Server is part of Samba AD therefore you should enable “classic” option in '/etc/default/samba-sernet':

 # nano /etc/default/sernet-samba

Then select 'SAMBA_START_MODE=“classic”' because when you use Samba as Member Server, the daemons smbd, nmbd and winbbind are used.

Finally start Samba4 deamons:

 # /etc/init.d/sernet-samba-smbd start
 # /etc/init.d/sernet-samba-nmbd start
 # /etc/init.d/sernet-samba-winbindd start

Testing the winbind user/group mapping


To check if winbind receives user and groups from the domain, run the following commands:

 # wbinfo -u
 # wbinfo -g

This should show up a list of all users and groups provided from the domain via winbind.

If you have setup your nsswitch.conf correct, you should also be able to get users and groups from the domain:

 # id [domain_user]
 # wbinfo -i [domain_user]
 # getent passwd [domain_user]

Or

 # getent passwd DOMAIN\\user
 # getent group DOMAIN\\group

The enumeration of users and groups (“getent passwd/group” without another argument) is disabled by default because the domain can be very big and enumeration is ad bad thing in cases like that.

If you are not able to look up users using “getent”, even though you see them with “wbinfo”, look at AD and verify that all groups have GIDs. It may not be strictly necessary to have GIDs on *all* groups, but unless someone with a better understanding can clarify the requirement, it's the safe thing to do.

Verifying the File Server


To list all shares provided by the Samba File Server:

 # smbclient -L localhost -U%

To verify authentication, connect to the “Demo” share using the domain administrator account:

 # smbclient //localhost/Demo -UAdministrator -c 'ls'

Try out some net commands to see if Samba can communicate with AD:


 # net ads info
 # net ads lookup
 # net ads status -U administrator | less

Leaving domain


If you want to leave the domian:

# net ads leave -Uadministrator

Setting up services

samba4_as_domain_member.txt · Last modified: 2020/04/10 17:38 (external edit)