302.4 Samba Domain Membership (weight: 4)

Tech Tutorial: 302.4 Samba Domain Membership #

Introduction #

In this tutorial, we will cover how to integrate a Linux Samba server into an existing Active Directory (AD) domain. This process allows Linux servers to authenticate users from AD, leveraging existing user accounts and simplifying user management across both Windows and Linux systems.

Key Knowledge Areas: #

  • Installation and configuration of Samba and Winbind.
  • Joining a Samba server to an Active Directory domain.
  • Configuring Samba to authenticate using AD.
  • Managing NTFS permissions and ownership from Linux.

Utilities: #

  • samba
  • smb.conf
  • winbind
  • wbinfo
  • net ads
  • testparm

Step-by-Step Guide #

Step 1: Installing Samba and Required Packages #

# Update your package repositories
sudo apt update

# Install Samba, Winbind, and necessary libraries
sudo apt install samba winbind libpam-winbind libnss-winbind krb5-user

Step 2: Configuring Kerberos #

Edit the Kerberos configuration file to match your AD domain settings:

sudo nano /etc/krb5.conf

Here is an example configuration:

[libdefaults]
    default_realm = AD.EXAMPLE.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true

[realms]
    AD.EXAMPLE.COM = {
        kdc = ad.example.com
        admin_server = ad.example.com
    }

[domain_realm]
    .example.com = AD.EXAMPLE.COM
    example.com = AD.EXAMPLE.COM

Step 3: Configuring Samba #

Edit the Samba configuration file:

sudo nano /etc/samba/smb.conf

A basic AD integration configuration might look like this:

[global]
    workgroup = EXAMPLE
    security = ads
    realm = AD.EXAMPLE.COM
    netbios name = SAMBASERVER

    winbind use default domain = true
    winbind enum users = yes
    winbind enum groups = yes

    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config EXAMPLE:backend = rid
    idmap config EXAMPLE:schema_mode = rfc2307
    idmap config EXAMPLE:range = 10000-99999

    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes

[homes]
    comment = Home Directories
    browseable = no
    writable = yes

Validate your Samba configuration:

testparm

Step 4: Joining the Domain #

Ensure your system time is synchronized with the AD domain controller, then join the domain:

sudo net ads join -U Administrator

Authenticate with your AD administrator credentials when prompted.

Step 5: Configuring NSS and PAM #

Enable Winbind in NSSwitch:

sudo nano /etc/nsswitch.conf

Add winbind to the passwd and group lines:

passwd:         compat winbind
group:          compat winbind
shadow:         compat

Configure PAM for Winbind:

sudo pam-auth-update

Select Winbind NT/Active Directory authentication and apply the changes.

Step 6: Starting Services and Testing #

Start and enable Samba and Winbind services:

sudo systemctl enable smbd nmbd winbind
sudo systemctl start smbd nmbd winbind

Check the status of the domain join:

wbinfo -u # Lists AD users
wbinfo -g # Lists AD groups

Conclusion #

You have now successfully integrated a Samba server with an Active Directory domain using Winbind. This setup allows you to manage user authentications through AD, making it easier to maintain a consistent user management system across different platforms. For further customization and security enhancements, consider exploring more advanced Samba configurations and the use of LDAP alongside AD integration.