Samba4 as AD Domain Member
This HOWTO describes a basic setup of a Samba 4.x member server that is part of an Active Directory domain (regardless of whether Samba or Windows provides the AD).
Samba4 has four roles:
See Samba4 Requirements for dependencies and recommendations.
After you have downloaded and unpacked the sources, run the following inside the extracted directory:
# ./configure --with-ads --with-shared-modules=idmap_ad,idmap_rid --enable-debug --enable-selftest
# make
# make install
Note: you can list all './configure' options with:
# ./configure --help | less
To install Samba4 from the SerNet repositories instead (first check http://repos.uclv.edu.cu for how to configure the repositories):
# apt-get install sernet-samba sernet-samba-winbind attr acl krb5-user
NOTE: this step is currently not mandatory; you can skip it.
First back up the original '/etc/krb5.conf':
# mv /etc/krb5.conf{,.orig}
Create the new file:
# nano /etc/krb5.conf
Then fill it with the following content:
[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    default_realm = REDTIC.UCLV.CU
    dns_lookup_realm = false
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    forwardable = yes

[appdefaults]
    pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
    }
Active Directory requires accurate time synchronization between the clients and the DC(s): Kerberos rejects tickets when the clock skew exceeds the KDC's tolerance (5 minutes by default), so a member server with a drifting clock cannot authenticate at all. Running NTP or another form of synchronization is highly recommended. You can follow the instructions on the Samba4 Requirements web page, or simply install 'ntpdate':
# apt-get install ntpdate
To configure ntpdate:
# nano /etc/default/ntpdate
Then adjust the parameters to your configuration.
Note: remember that your 'ntpd' must be synchronized with your Active Directory server (or with the same time source the DCs use).
The following is a very basic example of an 'smb.conf'. When Samba is built from source, this file is normally located in '/usr/local/samba/etc/'; depending on your 'configure' parameters it could be in a different place.
If you use Samba from the repositories, the location is '/etc/samba/'.
[global]
    # SHORTDOMAINNAME (smb.conf does not allow comments after a value,
    # so keep them on their own line)
    workgroup = REDTIC
    security = ADS
    # YOUR.SAMBA.DOMAIN.NAME
    realm = REDTIC.UCLV.CU
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

    # Default ID mapping configuration for local BUILTIN accounts
    # and groups on a domain member. The default (*) domain:
    # - must not overlap with any domain ID mapping configuration!
    # - must use a read-write-enabled back end, such as tdb.
    idmap config *:backend = tdb
    idmap config *:range = 3000-9999
    idmap config REDTIC:backend = ad
    idmap config REDTIC:schema_mode = rfc2307
    idmap config REDTIC:range = 10000-99999999

    winbind trusted domains only = no
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind refresh tickets = Yes

    # Uncomment the following options only if you really need them;
    # look them up in 'man smb.conf' first!
    #winbind expand groups = 4
    #winbind normalize names = Yes
    #domain master = no
    #local master = no

    # Use template settings for login shell and home directory
    winbind nss info = rfc2307
    template shell = /bin/bash
    template homedir = /home/%D/%U

    # Disable CUPS errors
    printing = bsd
    printcap name = /dev/null

    # Real Windows ACLs
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes

[Demo]
    path = /srv/samba/Demo/
    read only = no
This is just a very basic example that makes your member server part of your Active Directory. ID mapping for domain users and groups is done via schema mode rfc2307: users and groups that have a uidNumber/gidNumber set in AD are available on the member server with the same IDs as in AD. If you use different UID/GID ranges in your AD, adapt the REDTIC range accordingly. For all non-domain accounts (BUILTIN, etc.) the mappings are stored in a local TDB file and the IDs are allocated from the '*' range; that range must never overlap the domain range, otherwise local and domain IDs collide. Run 'testparm' after editing the file to catch syntax errors before starting the daemons.
NOTE: If your users/groups in AD don't have uidNumber/gidNumber:
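The two rules above (ranges must not overlap, the '*' domain must use tdb) and the nsswitch.conf requirement further down are easy to get wrong and only show up later as unresolvable users. The following script is an added example, not part of this HOWTO or of Samba: it runs offline against copies of 'smb.conf' and 'nsswitch.conf' given as arguments and reports violations. The script name and the file paths are assumptions.

```shell
#!/bin/sh
# Added example (not part of the original HOWTO): offline pre-flight checks
# for the ID-mapping and NSS settings of a Samba member server. It takes the
# paths to an smb.conf and an nsswitch.conf as arguments, so it can be run
# against a copy before the daemons are started. Assumes POSIX sh, sed, awk
# and grep; the file paths are assumptions.

# Print "DOMAIN LOW HIGH" for every "idmap config DOMAIN:range = LOW-HIGH".
idmap_ranges() {
    sed -n 's/^[[:space:]]*idmap config[[:space:]]*\([^:]*\):[[:space:]]*range[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*-[[:space:]]*\([0-9][0-9]*\).*/\1 \2 \3/p' "$1"
}

# Exit 0 if every range is sane and no two ranges overlap; otherwise print
# the offending pairs and exit 1. An overlap is exactly what makes local
# (BUILTIN) IDs from the '*' domain collide with the AD domain's IDs.
check_idmap_ranges() {
    idmap_ranges "$1" | awk '
        {
            dom[NR] = $1; lo[NR] = $2 + 0; hi[NR] = $3 + 0
            if (lo[NR] > hi[NR]) {
                printf "invalid range for %s: %s-%s\n", $1, $2, $3; bad = 1
            }
        }
        END {
            if (NR == 0) { print "no idmap config ranges found"; bad = 1 }
            for (i = 1; i <= NR; i++)
                for (j = i + 1; j <= NR; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                        printf "overlap: %s (%s-%s) and %s (%s-%s)\n",
                               dom[i], lo[i], hi[i], dom[j], lo[j], hi[j]
                        bad = 1
                    }
            exit bad + 0
        }'
}

# Exit 0 if the default (*) domain uses the writable tdb back end.
check_default_backend() {
    grep -Eq '^[[:space:]]*idmap config \*:[[:space:]]*backend[[:space:]]*=[[:space:]]*tdb[[:space:]]*$' "$1"
}

# Exit 0 if both the passwd and group lines of nsswitch.conf list winbind.
check_nsswitch() {
    for db in passwd group; do
        grep -Eq "^[[:space:]]*${db}:.*[[:space:]]winbind([[:space:]]|\$)" "$1" || {
            echo "nsswitch.conf: '$db' line does not include winbind"
            return 1
        }
    done
}

# Run all checks. Usage: ./preflight.sh /etc/samba/smb.conf /etc/nsswitch.conf
preflight() {
    check_idmap_ranges "$1" && check_default_backend "$1" && check_nsswitch "$2"
}

if [ "$#" -eq 2 ]; then
    preflight "$1" "$2" && echo "preflight OK"
fi
```

Run it against the live files before the first 'net ads join'; a non-zero exit with an "overlap:" line means the '*' or domain range must be changed before any IDs are allocated, because IDs already written to the TDB cannot simply be renumbered later.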
For further explanation on the 'smb.conf' parameters, see the manpage:
# man smb.conf
Notes:
To join the domain (you will be prompted for the administrator's password):
# net ads join -Uadministrator
You can check whether the domain membership is still valid (this step is optional):
# net ads testjoin -Uadministrator
To enable the host to obtain user and group information from the domain through Winbind, you must create two symbolic links in a directory on the operating system's library path.
To determine the machine architecture (on Debian-based systems 'uname -i' may only print 'unknown'; 'uname -m' prints it reliably):
# uname -i
The 'libnss_winbind.so.2' library is installed in the Samba library directory set at compile time. To locate that directory:
# smbd -b | grep LIBDIR
   LIBDIR: /usr/local/samba/lib/
For amd64 (x86_64):
# ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/x86_64-linux-gnu/
# ln -s /lib/x86_64-linux-gnu/libnss_winbind.so.2 /lib/x86_64-linux-gnu/libnss_winbind.so
# ldconfig
For i386:
# ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/i386-linux-gnu/
# ln -s /lib/i386-linux-gnu/libnss_winbind.so.2 /lib/i386-linux-gnu/libnss_winbind.so
# ldconfig
For a SerNet or distribution repository installation of Samba4, the following should normally not be necessary; if winbind lookups do not work, try it:
For amd64(x86_64):
You must have '/lib/x86_64-linux-gnu/libnss_winbind.so' linked to 'libnss_winbind.so.2'. To create the link:
# ln -s /lib/x86_64-linux-gnu/libnss_winbind.so.2 /lib/x86_64-linux-gnu/libnss_winbind.so
# ldconfig
For i386:
You must have '/lib/i386-linux-gnu/libnss_winbind.so' linked to 'libnss_winbind.so.2'. To create the link:
# ln -s /lib/i386-linux-gnu/libnss_winbind.so.2 /lib/i386-linux-gnu/libnss_winbind.so
# ldconfig
To check that the library is registered correctly in the loader cache:
# ldconfig -v | grep libnss_winbind
The next step is to add 'winbind' to the 'passwd' and 'group' entries of your '/etc/nsswitch.conf':
passwd:         compat winbind
group:          compat winbind
Once you have finished the above steps, you must start the Samba daemons (winbindd and smbd, plus nmbd if you need NetBIOS name service and browsing):
You should write or obtain a start script so that you do not have to start the services by hand every time. Make sure that winbindd is started before smbd. You can find some examples on the Samba4 Requirements page.
To reload Samba configuration
# smbcontrol all reload-config
If you use Samba4 from the SerNet repositories, the file '/etc/default/sernet-samba' controls how the Samba daemons are started. You must edit this file and adjust it to your requirements. Keep in mind that a member server is not a domain controller: it runs the "classic" daemons, so you must select the "classic" start mode in '/etc/default/sernet-samba' (the "ad" mode starts the AD DC process instead):
# nano /etc/default/sernet-samba
Then set 'SAMBA_START_MODE="classic"', because when Samba runs as a member server the smbd, nmbd and winbindd daemons are used.
Finally start the Samba4 daemons:
# /etc/init.d/sernet-samba-smbd start
# /etc/init.d/sernet-samba-nmbd start
# /etc/init.d/sernet-samba-winbindd start
To check if winbind receives user and groups from the domain, run the following commands:
# wbinfo -u
# wbinfo -g
This should show a list of all users and groups provided by the domain via winbind.
If you have set up your nsswitch.conf correctly, you should also be able to resolve domain users and groups through the system's NSS:
# id [domain_user]
# wbinfo -i [domain_user]
# getent passwd [domain_user]
Or
# getent passwd DOMAIN\\user
# getent group DOMAIN\\group
Enumeration of users and groups ('getent passwd' or 'getent group' with no further argument) is disabled by default because the domain can be very big and enumerating it is a bad idea in that case. The example smb.conf above turns it on with 'winbind enum users/groups = yes'; set both to 'no' on large domains.
If you cannot look up users with 'getent' even though 'wbinfo' shows them, check in AD that the users have a uidNumber and that their primary group (by default Domain Users) has a gidNumber: with the ad back end, a user whose primary group has no gidNumber is not resolved through NSS, and groups without a gidNumber are simply omitted. Giving every group a gidNumber is the safe choice.
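Checking these attributes by hand in a large domain is error-prone. The following script is an added example, not part of this HOWTO or of Samba: it audits an LDIF dump of the domain's users and groups (for instance the output of Samba's 'ldbsearch' for objectClass user and group, which prints objectSid as a string) and reports every user without uidNumber, every group without gidNumber, and every user whose primary group (primaryGroupID matched against the group's RID) has no gidNumber. The dump file, the record layout (unfolded LDIF) and the sample accounts are assumptions.

```shell
#!/bin/sh
# Added example (not part of the original HOWTO): audit an LDIF dump of the
# domain for the RFC2307 attributes winbind needs. Assumes unfolded LDIF with
# objectSid written as a string (S-1-5-21-...-RID) as Samba's ldbsearch does;
# the file path and sample accounts below are constructed assumptions.

# Usage: check_rfc2307_ids dump.ldif ; exits 0 when no problems are found.
check_rfc2307_ids() {
    awk '
        BEGIN { RS = ""; FS = "\n" }        # one LDIF record per paragraph
        {
            split("", a); isuser = 0; isgroup = 0
            for (i = 1; i <= NF; i++) {
                p = index($i, ": "); if (p == 0) continue
                k = substr($i, 1, p - 1); v = substr($i, p + 2)
                if (k == "objectClass") {
                    if (v == "group") isgroup = 1
                    if (v == "user")  isuser = 1
                } else {
                    a[k] = v
                }
            }
            if (isgroup) {
                n = split(a["objectSid"], s, "-"); rid = s[n]   # RID = last SID component
                if (a["gidNumber"] == "") {
                    printf "group %s (RID %s) has no gidNumber\n", a["sAMAccountName"], rid
                    bad = 1
                } else {
                    hasgid[rid] = 1
                }
            } else if (isuser && a["sAMAccountName"] !~ /\$$/) {   # skip computer accounts
                nu++; user[nu] = a["sAMAccountName"]
                uid[nu] = a["uidNumber"]; pg[nu] = a["primaryGroupID"]
            }
        }
        END {
            for (i = 1; i <= nu; i++) {
                if (uid[i] == "") {
                    printf "user %s has no uidNumber\n", user[i]; bad = 1
                }
                if (!(pg[i] in hasgid)) {
                    printf "user %s: primary group RID %s has no gidNumber (user will not resolve)\n", user[i], pg[i]
                    bad = 1
                }
            }
            exit bad + 0
        }' "$1"
}

# Constructed sample dump: Domain Users has a gidNumber, Developers does not;
# alice is complete, bob lacks uidNumber and has Developers as primary group.
write_sample_ldif() {
    cat > "$1" <<'EOF'
dn: CN=Domain Users,CN=Users,DC=redtic,DC=uclv,DC=cu
objectClass: top
objectClass: group
sAMAccountName: Domain Users
objectSid: S-1-5-21-1111111111-2222222222-3333333333-513
gidNumber: 10513

dn: CN=Developers,CN=Users,DC=redtic,DC=uclv,DC=cu
objectClass: top
objectClass: group
sAMAccountName: Developers
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1105

dn: CN=Alice,CN=Users,DC=redtic,DC=uclv,DC=cu
objectClass: top
objectClass: user
sAMAccountName: alice
uidNumber: 10001
primaryGroupID: 513

dn: CN=Bob,CN=Users,DC=redtic,DC=uclv,DC=cu
objectClass: top
objectClass: user
sAMAccountName: bob
primaryGroupID: 1105

dn: CN=FS01,CN=Computers,DC=redtic,DC=uclv,DC=cu
objectClass: user
objectClass: computer
sAMAccountName: FS01$
primaryGroupID: 515
EOF
}

if [ -n "$1" ]; then
    check_rfc2307_ids "$1"
fi
```

On the sample dump the script reports Developers (no gidNumber) and bob twice (no uidNumber, and a primary group without gidNumber) and exits 1; alice passes and the computer account FS01$ is skipped. Fix the reported objects in AD, then re-run 'getent passwd' for the affected users.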
To list all shares provided by the Samba File Server:
# smbclient -L localhost -U%
To verify authentication, connect to the "Demo" share using the domain administrator account (you will be prompted for the password):
# smbclient //localhost/Demo -UAdministrator -c 'ls'
Other useful commands for inspecting the domain membership:
# net ads info
# net ads lookup
# net ads status -U administrator | less
If you want to leave the domain:
# net ads leave -Uadministrator