Differences

This shows you the differences between two versions of the page.

--- samba4_as_domain_member [2017/05/26 21:49]
cbustillo@uclv [Testing the winbind user/group mapping]
+++ samba4_as_domain_member [2020/04/10 17:38]
@@ Line 1: / Line 1: @@
-**Samba4 as AD Domain Member**
-===== Introduction =====
-This HOWTO provides you the way for a basic setup of a Samba 4.x Member Server, that is part of an Active Directory (regardless if Samba or Windows provides the AD).
-Samba4 have four roles:
-  - **Active Directory Domain Controller:**
-  - **Read Only Domain Controller (RODC):**
-  - **Member Server (File Server):**
-  - **Standalone Server:**
-===== Required Packages =====
-----
-See [[Requeriments|Samba4 Requirements]] for dependencies and recommendations.
-===== Compiling and installation =====
-----
-After you have downloaded and unpacked the sources, you have to run inside of the extracted directory:
-<code>
- # ./configure --with-ads --with-shared-modules=idmap_ad,idmap_rid --enable-debug --enable-selftest
- # make
- # make install
-</code>
-**//Note://** you can see './configure' options:
-<code>
- # ./configure --help | less
-</code>
-To install Samba4 from SerNet repositories (before check [[http://repos.uclv.edu.cu]] to configure repositories):
-<code>
- # apt-get install sernet-samba sernet-samba-winbind attr acl krb5-user
-</code>
-===== Setting up Kerberos =====
-----
-**NOTE:** //currently this step is not mandatory, you can skip!!//
-You must to backup the original file in /etc/krb5.conf':
-<code>
- # mv /etc/krb5.conf{,.orig}
-</code>
-Create the new file:
-<code>
- # nano /etc/krb5.conf
-</code>
-Then adjust the content with the following content:
-<code>
- [logging]
-     default = FILE:/var/log/krb5libs.log
-     kdc = FILE:/var/log/krb5kdc.log
-     admin_server = FILE:/var/log/kadmind.log
- [libdefaults]
-     default_realm = REDTIC.UCLV.CU
-     dns_lookup_realm = false
-     dns_lookup_kdc = true
-     ticket_lifetime = 24h
-     forwardable = yes
- [appdefaults]
-     pam = {
-          debug = false
-          ticket_lifetime = 36000
-          renew_lifetime = 36000
-          forwardable = true
-          krb4_convert = false
-     }
-</code>
-===== Configure NTP =====
-----
-Active Directory requires an accurate time synchronization between the clients and the DC(s). It's highly recommended to run NTP or another form of synchronization. You can follow the instructions in [[requeriments#configure_ntp|Samba4 Requirements web page.]] or simply install "ntpdate":
-<code>
- # apt-get install ntpdate
-</code>
-To configure ntpdate:
-<code>
- # nano /etc/default/ntpdate
-</code>
-Then adjust the parameters to your configuration.
-**//Note://** Remember that you need to sync your 'ntpd' with your Active Directory Server.
-===== Setting up a basic smb.conf =====
-----
-The following is a very basic example of a 'smb.conf'. Normally this file is located in '/usr/local/samba/etc/'. Depending on your 'configure' parameters, it could be located on a different place.
-If you use Samba from repositories the location is /etc/samba/.
-<code>
-[global]
-   workgroup = REDTIC        # SHORTDOMAINNAME
-   security = ADS
-   realm = REDTIC.UCLV.CU    # YOUR.SAMBA.DOMAIN.NAME
-   dedicated keytab file = /etc/krb5.keytab
-   kerberos method = secrets and keytab
-   # Default ID mapping configuration for local BUILTIN accounts
-   # and groups on a domain member. The default (*) domain:
-   # - must not overlap with any domain ID mapping configuration!
-   # - must use an read-write-enabled back end, such as tdb.
-   idmap config *:backend = tdb
-   idmap config *:range = 3000-9999
-   idmap config REDTIC:backend = ad
-   idmap config REDTIC:schema_mode = rfc2307
-   idmap config REDTIC:range = 10000-99999999
-   winbind trusted domains only = no
-   winbind use default domain = yes
-   winbind enum users  = yes
-   winbind enum groups = yes
-   winbind refresh tickets = Yes
-   # Uncomment the following options if you needs really
-   # Looking for these options in smb.conf before!!
-   #winbind expand groups = 4
-   #winbind normalize names = Yes
-   #domain master = no
-   #local master = no
-   # Use template settings for login shell and home directory
-   winbind nss info = rfc2307
-   template shell = /bin/bash
-   template homedir = /home/%D/%U
-   # Disable CUPS errors
-   printing = bsd
-   printcap name = /dev/null
-   # Real Windows ACL's
-   vfs objects = acl_xattr
-   map acl inherit = Yes
-   store dos attributes = Yes
-[Demo]
-     path = /srv/samba/Demo/
-     read only = no
-</code>
-This is just very a basic example that will make your member server part of your Active Directory. The ID mapping for domain users/groups is done via schema mode rfc2307. Users/groups having a uidNumber/gidNumber set in AD, are available on your member server with the same IDs as in your AD. If you use different UID/GID ranges in your AD, you have to adapt them. For all non-domain accounts (like BUILTIN, etc.) the mappings are stored in a local TDB file and the IDs are taken from the given range.
-**NOTE:** If yours users/groups in AD don't have uidNumber/gidNumber:
-  * Change line 'idmap config REDTIC:backend = ad' to 'idmap config REDTIC:backend = rid'.
-  * Change line 'winbind nss info = rfc2307' to 'winbind nss info = template'.
-  * Comment out the line: 'idmap config REDTIC:schema_mode = rfc2307'
-For further explanation on the 'smb.conf' parameters, see the manpage:
-<code>
- # man smb.conf
-</code>
-**//Notes://**
-  - The choice domain back-end depends of who provide the domain. If you have MSAD without "Services for Unix (SFU)", you should use 'rid' back-end; instead for Samba4 AD use 'ad' back-end, as showed in the previous example.
-  - The parameter values of "idmap config *:range" can't not contained in "idmap config SHORTDOMAINNAME:range".
-  - In case that you have a big database, last number in the interval in "idmap config SHORTDOMAINNAME:range =" should be a big number, because some users are not detected by Samba.
-  - The 'dedicated keytab file = /etc/krb5.keytab' & 'kerberos method = secrets and keytab' lines will create the keytab when the machine joins the domain and set samba to use it, 'winbind refresh tickets = Yes' tells winbind to ensure that the keytab is kept updated.
-===== Joining the member server to the domain =====
-----
-<code>
- # net ads join -Uadministrator
-</code>
-You can check whether participation in a domain is still valid (this step is optional):
-<code># net ads testjoin -Uadministrator</code>
-===== Make domain users/groups available locally through winbind =====
-----
-To enable hosts to receive user and group information from a domain using Winbind, you must create two symbolic links in a directory of the operating system's library path.
-To determine the operating system's platform:
-<code>
- # uname -i
-</code>
-The 'libnss_winbind.so.2' library is installed in the Samba library directory set at compile time. To locate the folder:
-<code>
- # smbd -b | grep LIBDIR
-   LIBDIR: /usr/local/samba/lib/
-</code>
-**For amd64 (x86_64):**
-<code>
- # ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/x86_64-linux-gnu/
- # ln -s /lib/x86_64-linux-gnu/libnss_winbind.so.2 /lib/x86_64-linux-gnu/libnss_winbind.so
- # ldconfig
-</code>
-**For i386:**
-<code>
- # ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/i386-linux-gnu/
- # ln -s /lib/i386-linux-gnu/libnss_winbind.so.2 /lib/i386-linux-gnu/libnss_winbind.so
- # ldconfig
-</code>
-//**For Samba4 Sernet or repository distro installation: (you should not have to do the following normally, if not work try:)**//
-**For amd64(x86_64):**
-You must have linked '/lib/x86_64-linux-gnu/libnss_winbind.so -> libnss_winbind.so.2'. To linked:
-<code>
- # ln -s /lib/x86_64-linux-gnu/libnss_winbind.so.2 /lib/x86_64-linux-gnu/libnss_winbind.so
- # ldconfig
-</code>
-**For i386:**
-You must have linked '/lib/i386-linux-gnu/libnss_winbind.so -> libnss_winbind.so.2'. To linked:
-<code>
- # ln -s /lib/i386-linux-gnu/libnss_winbind.so.2 /lib/i386-linux-gnu/libnss_winbind.so
- # ldconfig
-</code>
-**To check if library are enables correctly:**
-<code>
- # ldconfig -v | grep libnss_winbind | grep -v grep
-</code>
-The next step is to add 'winbind' to the 'passwd' and 'group' entry of your '/etc/nsswitch.conf':
-<code>
- passwd: compat winbind
- group:  compat winbind
-</code>
-===== Starting the daemons =====
-----
-Before start Samba
-Once you have finished the above steps, you must start the following services:
-  * winbindd
-  * smbd
-  * nmbd
-You should write/get a start script to avoid starting the services by hand everytime. Make sure that winbind is being started before smbd. You can find some examples in [[samba4_as_ad_dc#starting_samba|Samba4 Requirements page.]]
-** To reload Samba configuration **
-<code>
- # smbcontrol all reload-config
-</code>
-==== Enable Samba4 at startup ====
-If you use Samba4 from SerNet Repositories the file '/etc/default/samba-sernet' controls the way that Samba daemon start. You must edit this file and adjust to yours requirements. Keep in mind that Member Server is part of Samba AD therefore you should enable "classic" option in '/etc/default/samba-sernet':
-<code>
- # nano /etc/default/sernet-samba
-</code>
-Then select 'SAMBA_START_MODE="classic"' because when you use Samba as Member Server, the daemons smbd, nmbd and winbbind are used.
-Finally start Samba4 deamons:
-<code>
- # /etc/init.d/sernet-samba-smbd start
- # /etc/init.d/sernet-samba-nmbd start
- # /etc/init.d/sernet-samba-winbindd start
-</code>
-===== Testing the winbind user/group mapping =====
-----
-To check if winbind receives user and groups from the domain, run the following commands:
-<code>
- # wbinfo -u
- # wbinfo -g
-</code>
-This should show up a list of all users and groups provided from the domain via winbind.
-If you have setup your nsswitch.conf correct, you should also be able to get users and groups from the domain:
-<code>
- # id [domain_user]
- # wbinfo -i [domain_user]
- # getent passwd [domain_user]
-</code>
-Or
-<code>
- # getent passwd DOMAIN\\user
- # getent group DOMAIN\\group
-</code>
-The enumeration of users and groups ("getent passwd/group" without another argument) is disabled by default because the domain can be very big and enumeration is ad bad thing in cases like that.
-If you are not able to look up users using "getent", even though you see them with "wbinfo", look at AD and verify that all groups have GIDs. It may not be strictly necessary to have GIDs on *all* groups, but unless someone with a better understanding can clarify the requirement, it's the safe thing to do.
-===== Verifying the File Server =====
-----
-To list all shares provided by the Samba File Server:
-<code>
- # smbclient -L localhost -U%
-</code>
-To verify authentication, connect to the "Demo" share using the domain administrator account:
-<code>
- # smbclient //localhost/Demo -UAdministrator -c 'ls'
-</code>
-===== Try out some net commands to see if Samba can communicate with AD: =====
-----
-<code>
- # net ads info
- # net ads lookup
- # net ads status -U administrator | less
-</code>
-===== Leaving domain =====
-----
-If you want to leave the domian:
-<code># net ads leave -Uadministrator</code>
-===== Setting up services =====
-----
-  * [[setup_config_file_shares|Setup and configure file shares]]
-  * [[print_server|Samba as a Print Server]]

ICT Network Project

User Tools

Site Tools

Differences

Page Tools