Samba4 Unix/Linux Clients/Members

ubuntu

apt-get install samba krb5-config krb5-user winbind libpam-winbind libnss-winbind
apt install krb5-user libpam-krb5 libpam-ccreds auth-client-config
apt install smbclient
apt install libnss-winbind libpam-winbind

slackware

find /var/log/packages/ | grep samba
slackpkg install samba lzo

wget http://slackbuilds.org/slackbuilds/14.2/network/krb5.tar.gz
tar xzf krb5.tar.gz
cd krb5
wget http://web.mit.edu/kerberos/dist/krb5/1.15/krb5-1.15.2.tar.gz
slackpkg install libunistring
./krb5.SlackBuild 
installpkg /tmp/krb5-1.15.2-x86_64-1_SBo.tgz

DNS

vi /etc/resolv.conf

domain example.local
nameserver INTERNAL-IP

host -t SRV _ldap._tcp.example.local.
host -t SRV _kerberos._udp.example.local.
host -t A dc1.example.local.
ping -W1 -c1 opendns.com # forwarding enabled on the AD
ping -W1 -c1 example.local # should point to the AD itself

NTP

See NTP client setup

Kerberos

ls -lhF /etc/krb5.conf #does not exist yet
cat > /etc/krb5.conf <<-EOF
[libdefaults]
    default_realm = EXAMPLE.LOCAL
    dns_lookup_realm = false
    dns_lookup_kdc = true
EOF

klist #empty so far
kinit user1
klist

1) Joining the domain

Testing

getent hosts
smbclient -L dc1.example.local -Uuser1

Setting up the domain membership and identity mappings

mv /etc/samba/smb.conf /etc/samba/smb.conf.dist
vi /etc/samba/smb.conf

[global]
        security = ADS
        workgroup = EXAMPLE
        realm = EXAMPLE.LOCAL

        log file = /var/log/samba/%m.log
        log level = 1

        winbind nss info = template
        template shell = /bin/bash
        template homedir = /home/%U

        idmap config * : backend = tdb
        idmap config * : range = 3000-7999

        idmap config EXAMPLE : backend = rid
        idmap config EXAMPLE : range = 10000-999999

        winbind use default domain = yes
        winbind enum users = yes
        winbind enum groups = yes
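
Added example, not part of the original notes: a check that the idmap ranges configured above do not overlap (an overlap lets two domains receive the same Unix ID), plus the RID to Unix ID arithmetic documented for the rid backend. The function names and the RID 1105 are constructed for illustration.

```sh
# Constructed sample: the idmap lines from the smb.conf on this page.
sample_conf() {
cat <<'EOF'
[global]
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        idmap config EXAMPLE : backend = rid
        idmap config EXAMPLE : range = 10000-999999
EOF
}

# smb.conf text on stdin -> one "DOMAIN LOW HIGH" line per idmap range
# (assumes the lowercase "idmap config" spelling used on this page).
idmap_ranges() {
    sed -n 's/^[[:space:]]*idmap config \([^:]*[^: ]\) *: *range *= *\([0-9][0-9]*\) *- *\([0-9][0-9]*\).*$/\1 \2 \3/p'
}

# "DOMAIN LOW HIGH" lines on stdin -> report inverted or overlapping ranges.
# Overlap means two domains can be handed the same Unix ID. Returns 1 if any.
check_ranges() {
    awk '
        { d[NR] = $1; lo[NR] = $2 + 0; hi[NR] = $3 + 0
          if (lo[NR] > hi[NR]) { print "inverted range: " d[NR]; bad = 1 } }
        END {
            for (i = 1; i <= NR; i++)
                for (j = i + 1; j <= NR; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                        print "overlap: " d[i] " and " d[j]; bad = 1
                    }
            exit (bad ? 1 : 0)
        }'
}

# idmap_rid formula: ID = RID - BASE_RID + LOW_RANGE_ID (base_rid defaults to 0).
# Prints the Unix ID; fails when the RID falls outside the range, in which
# case the account gets no mapping from this backend.
rid_to_id() {   # usage: rid_to_id LOW HIGH RID [BASE_RID]
    id=$(( $3 - ${4:-0} + $1 ))
    if [ "$3" -lt "${4:-0}" ] || [ "$id" -gt "$2" ]; then
        echo "RID $3 does not fit in $1-$2" >&2
        return 1
    fi
    echo "$id"
}

sample_conf | idmap_ranges | check_ranges && echo "ranges OK"
rid_to_id 10000 999999 513     # 513 is the well-known RID of Domain Users
rid_to_id 10000 999999 1105    # constructed RID for an ordinary account
```

To check the live file, run `idmap_ranges < /etc/samba/smb.conf | check_ranges` before joining.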

Joining the domain

net ads join -U administrator

Enabling identity mappings

cp -pi /etc/nsswitch.conf /etc/nsswitch.conf.dist
vi /etc/nsswitch.conf

passwd:         compat winbind
group:          compat winbind

on ubuntu

systemctl status winbind
systemctl start winbind
systemctl enable winbind

on slackware

vi /etc/rc.d/rc.local

echo rc.local path is $PATH

/usr/sbin/winbindd
/usr/bin/ps auxw | /usr/bin/grep winbind

and to reload

smbcontrol winbind reload-config

check

wbinfo --ping-dc
wbinfo -u
wbinfo -g

getent passwd EXAMPLE\\user3 
getent group "EXAMPLE\\Domain Users"

getent passwd user3 
getent group "Domain Users"

getent passwd | grep user
getent group | grep domain

Create a homedir for user

cd /home
mkdir user1
chown user1:"domain users" user1

Now try to log in through SSH to one of those members as user1.

2) using LDAP/Kerberos instead

Instead of joining the domain, talking to Samba4’s LDAP directly is an option, as described in this post

Troubleshooting

If you get this error when attempting to join the domain:

Failed to join domain: failed to lookup DC info for domain 'EXAMPLE.LOCAL' over rpc: Logon failure

==> Not sure how I solved this; maybe some of the settings above were missing. It was solved after fixing nsswitch.conf and restarting the winbind service, but this might be just a coincidence, as I am not sure that issue is strictly related to winbind anyhow.

If you get this error when attempting to join the domain:

Enter administrator's password:
Using short domain name -- EXAMPLE
Joined 'UBUNTU63' to dns domain 'example.local'
No DNS domain configured for ubuntu63. Unable to perform DNS Update.
DNS update failed: NT_STATUS_INVALID_PARAMETER

==> Fix /etc/hosts: the local hostname needs its FQDN there.
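
Added example, not part of the original notes: a check of a hosts file for the condition behind the "No DNS domain configured" message, using the ubuntu63 hostname from the output above. The function names, the sample files and the 192.0.2.63 address are constructed; the loopback check is an assumption that follows the Samba domain member guide linked under Resources, not something stated on this page.

```sh
# Constructed sample: hosts file as a fresh install often ships it.
hosts_broken() {
cat <<'EOF'
127.0.0.1 localhost
127.0.1.1 ubuntu63
EOF
}

# Constructed sample: FQDN first, short name as alias, LAN address.
hosts_fixed() {
cat <<'EOF'
127.0.0.1 localhost
192.0.2.63 ubuntu63.example.local ubuntu63   # placeholder address
EOF
}

# usage: hosts_fqdn_check SHORTNAME DNSDOMAIN < hosts-file
# Looks at the first entry that names the host, since that is the one the
# files lookup returns. Exit status:
#   0  FQDN is the first name on a non-loopback address
#   1  short name is not listed, or the FQDN is not the first name
#   2  FQDN is first but sits on a loopback address
hosts_fqdn_check() {
    awk -v h="$1" -v d="$2" '
        BEGIN { h = tolower(h); fqdn = h "." tolower(d); rc = 1 }
        { sub(/#.*/, "") }                       # drop comments
        {
            for (i = 2; i <= NF; i++)
                if (tolower($i) == h) {
                    if (tolower($2) != fqdn) { print "no FQDN first: " $0; rc = 1 }
                    else if ($1 ~ /^127\./ || $1 == "::1") { print "FQDN on loopback: " $0; rc = 2 }
                    else rc = 0
                    exit rc
                }
        }
        END { exit rc }'
}

hosts_broken | hosts_fqdn_check ubuntu63 example.local || echo "status $?"
hosts_fixed  | hosts_fqdn_check ubuntu63 example.local && echo "hosts entry OK"
```

On a real member, run `hosts_fqdn_check "$(hostname -s)" example.local < /etc/hosts` before retrying the join.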

Resources

samba

Setting up Samba as a Domain Member https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Troubleshooting Samba Domain Members https://wiki.samba.org/index.php/Troubleshooting_Samba_Domain_Members

getent not Finding Domain Users and Groups https://wiki.samba.org/index.php/Troubleshooting_Samba_Domain_Members#getent_not_Finding_Domain_Users_and_Groups

Idmap config rid https://wiki.samba.org/index.php/Idmap_config_rid

Idmap config ad https://wiki.samba.org/index.php/Idmap_config_ad

Updating Samba https://wiki.samba.org/index.php/Updating_Samba

ubuntu

https://help.ubuntu.com/lts/serverguide/sssd-ad.html

https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto

https://help.ubuntu.com/lts/serverguide/samba-ad-integration.html

https://www.tecmint.com/join-ubuntu-to-active-directory-domain-member-samba-winbind/

windows

Joining a Windows Client or Server to a Domain https://wiki.samba.org/index.php/Joining_a_Windows_Client_or_Server_to_a_Domain

alternative methods

[Samba] Problem with Active Directory authentication https://lists.samba.org/archive/samba/2016-June/200346.html

Re: [Freeipa-users] pam_systemd(sshd:session): Failed to create session https://www.redhat.com/archives/freeipa-users/2012-June/msg00371.html

https://help.ubuntu.com/lts/serverguide/kerberos.html

http://computing.help.inf.ed.ac.uk/kerberos-ubuntu

14.2 > Network > krb5 (1.19.1) https://slackbuilds.org/repository/14.2/network/krb5/

Install and configuring kerberos On Slackware without PAM https://docs.slackware.com/howtos:network_services:kerberizing_slackware_without_pam

