tested on ubuntu and slackware
apt-get install samba krb5-config krb5-user winbind libpam-winbind libnss-winbind

default kerberos version 5 realm: EXAMPLE.LOCAL
server: PDC...
adm server: PDC...

apt install krb5-user libpam-krb5 libpam-ccreds # auth-client-config
apt install smbclient
apt install libnss-winbind libpam-winbind

slackpkg update
slackpkg install samba lzo krb5 pam-krb5 bind lmdb libuv json-c
ldd /usr/bin/smbclient | grep found
slackpkg install talloc tevent icu4c libunwind
ldd /usr/lib64/ldb/password_hash.so | grep found
slackpkg install gpgme libassuan

vi /etc/resolv.conf

domain example.local
search example.local
nameserver PDC-INTERNAL
nameserver BDC-INTERNAL

host -t SRV _ldap._tcp.example.local
host -t SRV _kerberos._udp.example.local
host dc1.example.local
ping -c1 dc1.example.local
host dc2.example.local
ping -c1 dc2.example.local
should point to the PDC
host example.net
ping -c1 example.net
check dns forwarding
host opendns.com
ping -c1 opendns.com
host maps
getent hosts
file shares
smbclient -L dc1.example.net -Uuser1
domain membership
vi /etc/samba/smb.conf # new file

[global]
security = ADS
workgroup = EXAMPLE
realm = EXAMPLE.LOCAL
log file = /var/log/samba/%m.log
log level = 1
winbind nss info = template
template shell = /bin/bash
template homedir = /home/%U
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config EXAMPLE : backend = rid
idmap config EXAMPLE : range = 10000-999999
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes

ls -lF /etc/krb5.conf # no exist
vi /etc/krb5.conf

[libdefaults]
default_realm = EXAMPLE.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true

klist # no cache yet
kinit user1
klist
net ads join -U administrator
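The idmap lines in smb.conf above give each domain its own ID range, and the rid backend derives the Unix ID from the RID at the end of the SID. The script below is an added example, not part of the original notes: it checks the ranges for overlap and computes the resulting ID with the idmap_rid formula (ID = RID - base_rid + range low), assuming the default base_rid of 0. The function names and the temporary sample file are made up for the example.

```shell
#!/bin/sh
# Added example, not from the original notes. The sample smb.conf is constructed.

make_sample_conf() {            # writes the idmap lines to a temp file, prints its path
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
[global]
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config EXAMPLE : backend = rid
idmap config EXAMPLE : range = 10000-999999
EOF
    echo "$f"
}

# Print "DOMAIN LOW HIGH" for each "idmap config DOMAIN : range = LOW-HIGH" line.
idmap_ranges() {
    awk -F= '/^[ \t]*idmap config .*:[ \t]*range[ \t]*=/ {
        split($1, k, ":"); dom = k[1]
        sub(/^[ \t]*idmap config[ \t]*/, "", dom); sub(/[ \t]*$/, "", dom)
        gsub(/[ \t]/, "", $2); split($2, r, "-")
        print dom, r[1], r[2]
    }' "$1"
}

# Fail if a range is empty or inverted, or if two ranges overlap.
check_idmap_ranges() {
    idmap_ranges "$1" | awk '
        { d[NR] = $1; lo[NR] = $2 + 0; hi[NR] = $3 + 0
          if (lo[NR] >= hi[NR]) { print "bad range: " $1; bad = 1 } }
        END { for (i = 1; i <= NR; i++) for (j = i + 1; j <= NR; j++)
                  if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                      print "overlap: " d[i] " / " d[j]; bad = 1 }
              exit bad + 0 }'
}

# idmap_rid: unix id = RID - base_rid + LOW (base_rid assumed to be the default, 0).
rid_to_id() {                   # usage: rid_to_id SMBCONF DOMAIN RID
    idmap_ranges "$1" | awk -v dom="$2" -v rid="$3" '
        $1 == dom { lo = $2 + 0; hi = $3 + 0; found = 1 }
        END { id = rid + lo; if (!found || id > hi) exit 1; print id }'
}

conf=$(make_sample_conf)
check_idmap_ranges "$conf" && echo "idmap ranges do not overlap"
echo "RID 513 (Domain Users) -> gid $(rid_to_id "$conf" EXAMPLE 513)"
rm -f "$conf"
```

The computed ID is what getent should report for the same account once winbind is running, which makes a mismatch easy to spot.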
identity maps
cp -pi /etc/nsswitch.conf /etc/nsswitch.conf.dist
vi /etc/nsswitch.conf

passwd: compat winbind
group: compat winbind
ubuntu
systemctl status winbind
systemctl start winbind
systemctl enable winbind
slackware
vi /etc/rc.d/rc.local

echo rc.local path is $PATH
/usr/sbin/winbindd
/usr/bin/ps auxw | /usr/bin/grep winbind
reload and check
smbcontrol winbind reload-config
wbinfo --ping-dc
wbinfo -u
wbinfo -g
getent passwd EXAMPLE\\user3
getent group "EXAMPLE\\Domain Users"
getent passwd user3
getent group "Domain Users"
getent passwd | grep user
getent group | grep domain
for testing without a share, create a homedir for some user
cd /home/
mkdir user1/
chown user1:"domain users" user1/
now try to login through SSH to one of those members as user1
instead of joining the domain, talking to DC’s LDAP directly is an option
When getting this error while attempting to join the domain:
Failed to join domain: failed to lookup DC info for domain 'EXAMPLE.LOCAL' over rpc: Logon failure
==> not sure how I solved this, maybe some of the settings above were missing. It was solved after fixing nsswitch.conf and restarting the winbind service, but this might be just a coincidence, as I am not sure that issue is strictly related to winbind anyhow
When getting this error while attempting to join the domain:

Enter administrator's password:
Using short domain name -- EXAMPLE
Joined 'UBUNTU63' to dns domain 'example.local'
No DNS domain configured for ubuntu63. Unable to perform DNS Update.
DNS update failed: NT_STATUS_INVALID_PARAMETER
==> fix /etc/hosts, FQDN for local hostname, please
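The /etc/hosts fix above can be checked before running the join. The script below is an added example, not part of the original notes: it reads a hosts file, finds the entry for the local short name and verifies that the first name on that line is the FQDN in the AD DNS domain. The function names and the address 192.0.2.63 are constructed for the example; ubuntu63 and example.local are taken from the error output above.

```shell
#!/bin/sh
# Added example, not from the original notes. Hosts entries below are constructed.

make_hosts() {                  # $1 = "broken" or "fixed"; prints the temp file path
    f=$(mktemp) || return 1
    printf '127.0.0.1 localhost\n' > "$f"
    if [ "$1" = fixed ]; then
        printf '192.0.2.63 ubuntu63.example.local ubuntu63  # FQDN first\n' >> "$f"
    else
        printf '192.0.2.63 ubuntu63\n' >> "$f"
    fi
    echo "$f"
}

# Print the canonical (first) name of the hosts entry that lists NAME.
hosts_canonical() {             # usage: hosts_canonical HOSTSFILE NAME
    awk -v want="$2" '
        { sub(/#.*/, "") }      # drop comments before looking at the fields
        NF >= 2 { for (i = 2; i <= NF; i++)
                      if (tolower($i) == tolower(want)) { print tolower($2); exit } }' "$1"
}

# Succeed only if the entry for SHORT puts SHORT.DOMAIN first, so the
# resolver hands back a FQDN from which the DNS domain can be derived.
check_hosts_fqdn() {            # usage: check_hosts_fqdn HOSTSFILE SHORT DOMAIN
    canon=$(hosts_canonical "$1" "$2")
    want=$(printf '%s.%s' "$2" "$3" | tr 'A-Z' 'a-z')
    case "$canon" in
        "")      echo "no hosts entry for $2"; return 1 ;;
        "$want") echo "ok: $canon"; return 0 ;;
        *)       echo "canonical name is '$canon', expected '$want'"; return 1 ;;
    esac
}

h=$(make_hosts broken); check_hosts_fqdn "$h" ubuntu63 example.local || true; rm -f "$h"
h=$(make_hosts fixed);  check_hosts_fqdn "$h" ubuntu63 example.local; rm -f "$h"
```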
Joined 'SLACK1' to dns domain 'example.net'
DNS Update for slack1.localdomain failed: ERROR_DNS_UPDATE_FAILED
DNS update failed: NT_STATUS_UNSUCCESSFUL
==> …