Samba v4 Unix/Linux Domain Members

tested on ubuntu and slackware

Install

ubuntu

apt-get install samba krb5-config krb5-user winbind libpam-winbind libnss-winbind

default kerberos version 5 realm: EXAMPLE.LOCAL
server: PDC...
adm server: PDC...

apt install krb5-user libpam-krb5 libpam-ccreds
# auth-client-config
apt install smbclient
apt install libnss-winbind libpam-winbind

slackware

slackpkg update
slackpkg install samba lzo krb5 pam-krb5 bind lmdb libuv json-c
ldd /usr/bin/smbclient | grep found
slackpkg install talloc tevent icu4c libunwind
ldd /usr/lib64/ldb/password_hash.so | grep found
slackpkg install gpgme libassuan

DNS client setup

vi /etc/resolv.conf

domain example.local
search example.local
nameserver PDC-INTERNAL
nameserver BDC-INTERNAL

host -t SRV _ldap._tcp.example.local
host -t SRV _kerberos._udp.example.local

host dc1.example.local
ping -c1 dc1.example.local

host dc2.example.local
ping -c1 dc2.example.local

should point to the PDC

host example.net
ping -c1 example.net

check dns forwarding

host opendns.com
ping -c1 opendns.com

host maps

getent hosts

Domain member

file shares

smbclient -L dc1.example.net -Uuser1

domain membership

vi /etc/samba/smb.conf # new file

[global]
        security = ADS
        workgroup = EXAMPLE
        realm = EXAMPLE.LOCAL

        log file = /var/log/samba/%m.log
        log level = 1

        winbind nss info = template
        template shell = /bin/bash
        template homedir = /home/%U

        idmap config * : backend = tdb
        idmap config * : range = 3000-7999

        idmap config EXAMPLE : backend = rid
        idmap config EXAMPLE : range = 10000-999999

        winbind use default domain = yes
        winbind enum users = yes
        winbind enum groups = yes
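Added example (not code from this page or from the Samba project): a small Python check that parses the idmap lines above, flags overlapping ranges (winbind refuses to map IDs when the * range and a domain range overlap), and computes the UID/GID the rid backend will hand out for a given SID. The domain SID and the smb.conf text are constructed placeholders; the real SID comes from `net getdomainsid` on the member.

```python
import re

# Constructed sample: the idmap lines from the smb.conf above. The domain SID
# is a placeholder, not a real one (read the real one with `net getdomainsid`).
SMB_CONF = """
[global]
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config EXAMPLE : backend = rid
   idmap config EXAMPLE : range = 10000-999999
"""
DOMAIN_SID = "S-1-5-21-1-2-3"  # placeholder

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.M)


def parse_idmap(conf):
    """Return {domain: {'backend': str, 'range': (low, high)}} from smb.conf text."""
    cfg = {}
    for dom, key, val in IDMAP_RE.findall(conf):
        entry = cfg.setdefault(dom, {})
        if key == "range":
            low, high = (int(x) for x in val.split("-"))
            entry["range"] = (low, high)
        else:
            entry[key] = val
    return cfg


def check_ranges(cfg):
    """Overlapping idmap ranges are rejected by winbind; list any overlap."""
    ranges = sorted((v["range"], k) for k, v in cfg.items() if "range" in v)
    return [f"{d1} {r1} overlaps {d2} {r2}"
            for (r1, d1), (r2, d2) in zip(ranges, ranges[1:]) if r2[0] <= r1[1]]


def rid_to_id(cfg, domain, domain_sid, sid, base_rid=0):
    """idmap_rid is deterministic: ID = RID - base_rid + range_low, so every
    member with the same config yields the same IDs. Returns None when the SID
    is not from that domain or falls outside the range (getent then shows nothing)."""
    if cfg[domain]["backend"] != "rid" or not sid.startswith(domain_sid + "-"):
        return None
    rid = int(sid.rsplit("-", 1)[1])
    low, high = cfg[domain]["range"]
    uid = rid - base_rid + low
    return uid if low <= uid <= high else None


if __name__ == "__main__":
    cfg = parse_idmap(SMB_CONF)
    print(check_ranges(cfg) or "idmap ranges OK")
    # Domain Users is the well-known RID 513, so range 10000-999999 maps it to 10513
    print("Domain Users ->", rid_to_id(cfg, "EXAMPLE", DOMAIN_SID, DOMAIN_SID + "-513"))
```

Because the mapping is arithmetic rather than allocated, the same idmap lines must be present on every domain member, otherwise file ownership on shares will disagree between hosts.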

ls -lF /etc/krb5.conf # should not exist yet
vi /etc/krb5.conf

[libdefaults]
    default_realm = EXAMPLE.LOCAL
    dns_lookup_realm = false
    dns_lookup_kdc = true

klist # no cache yet
kinit user1
klist

net ads join -U administrator

identity maps

cp -pi /etc/nsswitch.conf /etc/nsswitch.conf.dist
vi /etc/nsswitch.conf

passwd:         compat winbind
group:          compat winbind

ubuntu

systemctl status winbind
systemctl start winbind
systemctl enable winbind

slackware

vi /etc/rc.d/rc.local

echo rc.local path is $PATH

/usr/sbin/winbindd
/usr/bin/ps auxw | /usr/bin/grep winbind

reload and check

smbcontrol winbind reload-config

wbinfo --ping-dc
wbinfo -u
wbinfo -g

getent passwd EXAMPLE\\user3
getent group "EXAMPLE\\Domain Users"

getent passwd user3
getent group "Domain Users"

getent passwd | grep user
getent group | grep domain

for testing without a share, create a homedir for some user

cd /home/
mkdir user1/
chown user1:"domain users" user1/

now try to log in through SSH to one of those members as user1

LDAP-only

instead of joining the domain, talking to the DC's LDAP directly is an option (see alternatives in the resources below)

Troubleshooting

When getting this error while attempting to join the domain

Failed to join domain: failed to lookup DC info for domain 'EXAMPLE.LOCAL' over rpc: Logon failure

==> not sure how I solved this, maybe some of the settings above were missing. It was solved after fixing nsswitch.conf and restarting the winbind service, but this might be just a coincidence as I am not sure that issue is strictly related to winbind anyhow

When getting this error while attempting to join the domain

Enter administrator's password:
Using short domain name -- EXAMPLE
Joined 'UBUNTU63' to dns domain 'example.local'
No DNS domain configured for ubuntu63. Unable to perform DNS Update.
DNS update failed: NT_STATUS_INVALID_PARAMETER

==> fix /etc/hosts so that the local hostname resolves to its FQDN in the domain

Joined 'SLACK1' to dns domain 'example.net'
DNS Update for slack1.localdomain failed: ERROR_DNS_UPDATE_FAILED
DNS update failed: NT_STATUS_UNSUCCESSFUL

==> …

Resources

samba

Setting up Samba as a Domain Member https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Troubleshooting Samba Domain Members https://wiki.samba.org/index.php/Troubleshooting_Samba_Domain_Members

getent not Finding Domain Users and Groups https://wiki.samba.org/index.php/Troubleshooting_Samba_Domain_Members#getent_not_Finding_Domain_Users_and_Groups

Idmap config rid https://wiki.samba.org/index.php/Idmap_config_rid

Idmap config ad https://wiki.samba.org/index.php/Idmap_config_ad

Updating Samba https://wiki.samba.org/index.php/Updating_Samba

ubuntu

https://help.ubuntu.com/lts/serverguide/sssd-ad.html

https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto

https://help.ubuntu.com/lts/serverguide/samba-ad-integration.html

https://www.tecmint.com/join-ubuntu-to-active-directory-domain-member-samba-winbind/

windows

Joining a Windows Client or Server to a Domain https://wiki.samba.org/index.php/Joining_a_Windows_Client_or_Server_to_a_Domain

alternatives

Linux LDAP authentication with Samba4 https://zachbethel.wordpress.com/2013/04/10/linux-ldap-authentication-with-samba4/

[Samba] Problem with Active Directory authentication https://lists.samba.org/archive/samba/2016-June/200346.html

Re: [Freeipa-users] pam_systemd(sshd:session): Failed to create session https://www.redhat.com/archives/freeipa-users/2012-June/msg00371.html

https://help.ubuntu.com/lts/serverguide/kerberos.html

http://computing.help.inf.ed.ac.uk/kerberos-ubuntu

14.2 > Network > krb5 (1.19.1) https://slackbuilds.org/repository/14.2/network/krb5/

Install and configuring kerberos On Slackware without PAM https://docs.slackware.com/howtos:network_services:kerberizing_slackware_without_pam


Copyright © 2024 Pierre-Philipp Braun