Tech Tutorial: 302.4 Samba Domain Membership
Introduction
In this tutorial, we will cover how to integrate a Linux Samba server into an existing Active Directory (AD) domain. This process allows Linux servers to authenticate users from AD, leveraging existing user accounts and simplifying user management across both Windows and Linux systems.
Key Knowledge Areas:
- Installation and configuration of Samba and Winbind.
- Joining a Samba server to an Active Directory domain.
- Configuring Samba to authenticate using AD.
- Managing NTFS permissions and ownership from Linux.
Utilities:
- samba
- smb.conf
- winbind
- wbinfo
- net ads
- testparm
Step-by-Step Guide
Step 1: Installing Samba and Required Packages
# Update your package repositories
sudo apt update
# Install Samba, Winbind, and necessary libraries
sudo apt install samba winbind libpam-winbind libnss-winbind krb5-user
Step 2: Configuring Kerberos
Edit the Kerberos configuration file to match your AD domain settings:
sudo nano /etc/krb5.conf
Here is an example configuration:
[libdefaults]
default_realm = AD.EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true
[realms]
AD.EXAMPLE.COM = {
    kdc = ad.example.com
    admin_server = ad.example.com
}
[domain_realm]
.example.com = AD.EXAMPLE.COM
example.com = AD.EXAMPLE.COM
Step 3: Configuring Samba
Edit the Samba configuration file:
sudo nano /etc/samba/smb.conf
A basic AD integration configuration might look like this:
[global]
workgroup = EXAMPLE
security = ads
realm = AD.EXAMPLE.COM
netbios name = SAMBASERVER
winbind use default domain = true
winbind enum users = yes
winbind enum groups = yes
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config EXAMPLE : backend = rid
# schema_mode is an option of the ad idmap backend; the rid backend does not use it
idmap config EXAMPLE : range = 10000-99999
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
[homes]
comment = Home Directories
browseable = no
writable = yes
Validate your Samba configuration:
testparm
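The settings above depend on each other: `realm` has to agree with `default_realm` in /etc/krb5.conf, the idmap ranges must not overlap, and `schema_mode` only applies to the `ad` idmap backend. The following script is an added example, not part of the original tutorial, that checks those points; the function names and the sample strings are constructed for illustration.

```python
import re

def parse_ini(text):
    """Parse 'key = value' lines grouped under [section] headers."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # Normalise parameter names: drop whitespace, lower-case
            current[re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections

def audit(smb_text, krb5_text):
    """Return a list of findings; an empty list means every check passed."""
    glob = parse_ini(smb_text).get("global", {})
    krb = parse_ini(krb5_text).get("libdefaults", {})
    findings = []
    if glob.get("security", "").lower() != "ads":
        findings.append("security is not 'ads'")
    if glob.get("realm", "").upper() != krb.get("default_realm", "").upper():
        findings.append("realm differs from krb5.conf default_realm")
    ranges = []
    for key, value in glob.items():
        m = re.fullmatch(r"idmapconfig(.+):(range|schema_mode)", key)
        if m and m.group(2) == "range":
            low, high = (int(x) for x in value.split("-"))
            ranges.append((low, high, m.group(1)))
        elif m and glob.get(f"idmapconfig{m.group(1)}:backend", "").lower() != "ad":
            findings.append(f"schema_mode set for {m.group(1)} without the ad backend")
    prev_high, prev_dom = -1, None
    for low, high, dom in sorted(ranges):
        if low <= prev_high:  # starts inside a range already seen
            findings.append(f"idmap ranges of {prev_dom} and {dom} overlap")
        if high > prev_high:
            prev_high, prev_dom = high, dom
    return findings

# Constructed sample input using the tutorial's example values
KRB5 = "[libdefaults]\ndefault_realm = AD.EXAMPLE.COM\n"
SMB = ("[global]\nsecurity = ads\nrealm = AD.EXAMPLE.COM\n"
       "idmap config * : range = 3000-7999\n"
       "idmap config EXAMPLE : backend = rid\n"
       "idmap config EXAMPLE : range = 10000-99999\n")
if __name__ == "__main__":
    print(audit(SMB, KRB5))
```

To check a real host, pass the contents of /etc/samba/smb.conf and /etc/krb5.conf to `audit()` instead of the sample strings.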
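Step 4: Joining the Domain
Ensure your system time is synchronized with the AD domain controller (Kerberos authentication fails when the clocks drift too far apart; the default tolerance is five minutes), then join the domain: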
sudo net ads join -U Administrator
Authenticate with your AD administrator credentials when prompted.
Step 5: Configuring NSS and PAM
Enable Winbind in NSSwitch:
sudo nano /etc/nsswitch.conf
Add winbind to the passwd and group lines:
passwd: compat winbind
group: compat winbind
shadow: compat
Configure PAM for Winbind:
sudo pam-auth-update
Select "Winbind NT/Active Directory authentication" and apply the changes.
Step 6: Starting Services and Testing
Start and enable Samba and Winbind services:
sudo systemctl enable smbd nmbd winbind
sudo systemctl start smbd nmbd winbind
Check the status of the domain join:
wbinfo -u # Lists AD users
wbinfo -g # Lists AD groups
Conclusion
You have now successfully integrated a Samba server with an Active Directory domain using Winbind. This setup allows you to manage user authentication through AD, making it easier to maintain consistent user management across different platforms. For further customization and security enhancements, consider exploring more advanced Samba configurations and the use of LDAP alongside AD integration.