on ubuntu,

    apt-get install samba krb5-config krb5-user winbind libpam-winbind libnss-winbind
    apt install krb5-user libpam-krb5 libpam-ccreds auth-client-config
    apt install smbclient
    apt install libnss-winbind libpam-winbind

on slackware,

    find /var/log/packages/ | grep samba
    slackpkg install samba lzo
    wget http://slackbuilds.org/slackbuilds/14.2/network/krb5.tar.gz
    tar xzf krb5.tar.gz
    cd krb5
    wget http://web.mit.edu/kerberos/dist/krb5/1.15/krb5-1.15.2.tar.gz
    slackpkg install libunistring
    ./krb5.SlackBuild
    installpkg /tmp/krb5-1.15.2-x86_64-1_SBo.tgz

Name resolution has to go through the AD controller,

    vi /etc/resolv.conf
        domain example.local
        nameserver INTERNAL-IP
    host -t SRV _ldap._tcp.example.local.
    host -t SRV _kerberos._udp.example.local.
    host -t A dc1.example.local.
    ping -W1 -c1 opendns.com # forwarding enabled on the AD
    ping -W1 -c1 example.local # should point to the AD itself
Kerberos needs the clock in sync with the DC: see Time Config.

Minimal Kerberos client configuration, then check that a ticket can be obtained,

    ls -lhF /etc/krb5.conf # does not exist yet
    cat > /etc/krb5.conf <<-EOF
    [libdefaults]
        default_realm = EXAMPLE.LOCAL
        dns_lookup_realm = false
        dns_lookup_kdc = true
    EOF
    klist # empty so far
    kinit user1
    klist
Testing,
    getent hosts
    smbclient -L dc1.example.local -Uuser1
Setting up the domain membership and identity mappings,
    mv /etc/samba/smb.conf /etc/samba/smb.conf.dist
    vi /etc/samba/smb.conf
        [global]
        security = ADS
        workgroup = EXAMPLE
        realm = EXAMPLE.LOCAL
        log file = /var/log/samba/%m.log
        log level = 1
        winbind nss info = template
        template shell = /bin/bash
        template homedir = /home/%U
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        idmap config EXAMPLE : backend = rid
        idmap config EXAMPLE : range = 10000-999999
        winbind use default domain = yes
        winbind enum users = yes
        winbind enum groups = yes
Joining the domain,
    net ads join -U administrator
Enabling identity mappings,
    cp -pi /etc/nsswitch.conf /etc/nsswitch.conf.dist
    vi /etc/nsswitch.conf
        passwd: compat winbind
        group: compat winbind
on ubuntu,
    systemctl status winbind
    systemctl start winbind
    systemctl enable winbind
on slackware,
    vi /etc/rc.d/rc.local
        echo rc.local path is $PATH
        /usr/sbin/winbindd
    /usr/bin/ps auxw | /usr/bin/grep winbind
and to reload,
    smbcontrol winbind reload-config
check,
    wbinfo --ping-dc
    wbinfo -u
    wbinfo -g
    getent passwd EXAMPLE\\user3
    getent group "EXAMPLE\\Domain Users"
    getent passwd user3
    getent group "Domain Users"
    getent passwd | grep user
    getent group | grep domain
Create a homedir for the user,

    cd /home
    mkdir user1
    chown user1:"domain users" user1

Now try to log in through SSH to one of those domain members, as user1.
Instead of joining the domain, talking to Samba4’s LDAP directly is an option, as described in this post: https://zachbethel.wordpress.com/2013/04/10/linux-ldap-authentication-with-samba4/.
When getting this error when attempting to join the domain,
    Failed to join domain: failed to lookup DC info for domain 'EXAMPLE.LOCAL' over rpc: Logon failure

==> not sure how I solved this, maybe some of the settings above were missing. It was solved after fixing nsswitch.conf and restarting the winbind service, but this might be just a coincidence as I am not sure that issue is strictly related to winbind anyhow.
When getting this error when attempting to join the domain,
    Enter administrator's password:
    Using short domain name -- EXAMPLE
    Joined 'UBUNTU63' to dns domain 'example.local'
    No DNS domain configured for ubuntu63. Unable to perform DNS Update.
    DNS update failed: NT_STATUS_INVALID_PARAMETER

==> fix /etc/hosts, FQDN for local hostname, please.
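Two things on this page are easy to get subtly wrong and only show up at join or login time: the rid idmap ranges in smb.conf (the winbind uid you get is RID plus the low end of the domain's range, so a uid outside 10000-999999 means the "*" fallback or a stale tdb mapping is being used) and the FQDN in /etc/hosts. The script below is an added example, not part of the original notes; it parses a constructed smb.conf and hosts file in the layout shown above, and the RID 1105 and host ubuntu63.example.local are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original notes: offline sanity checks for the
# idmap ranges and the /etc/hosts FQDN used by the winbind setup above.
set -u

# Print "low high" from the "idmap config <dom> : range" line ("*" = default).
idmap_range() {   # $1 = smb.conf path, $2 = domain name
    while IFS= read -r line; do
        key=$(printf '%s' "${line%%=*}" | tr -s ' \t' ' ' | sed 's/ *: */:/; s/^ //; s/ $//')
        if [ "$key" = "idmap config $2:range" ]; then
            printf '%s\n' "${line#*=}" | tr -d ' \t' | tr '-' ' '
            return 0
        fi
    done < "$1"
    return 1
}

# idmap_rid allocates ID = RID + LOW_RANGE_ID, so the uid is predictable.
rid_to_id() { echo $(($1 + $2)); }   # $1 = range low, $2 = RID

# 0 when uid $1 lies inside the range "$2 $3".
id_in_range() { [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]; }

# 0 when hosts file $1 lists "$2.$3" as a name on some line; the DNS update at
# join time fails with NT_STATUS_INVALID_PARAMETER when only the short name is there.
hosts_has_fqdn() {
    grep -v '^[[:space:]]*#' "$1" |
        awk -v f="$2.$3" '{ for (i = 2; i <= NF; i++) if ($i == f) ok = 1 } END { exit !ok }'
}

# --- constructed sample input (same layout as the smb.conf on this page) ------
tmp=$(mktemp -d)
cat > "$tmp/smb.conf" <<'EOF'
[global]
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config EXAMPLE : backend = rid
idmap config EXAMPLE : range = 10000-999999
EOF
printf '127.0.0.1 localhost\n10.0.0.63 ubuntu63.example.local ubuntu63\n' > "$tmp/hosts"

set -- $(idmap_range "$tmp/smb.conf" EXAMPLE)   # $1 = low, $2 = high
uid=$(rid_to_id "$1" 1105)                       # constructed RID 1105 -> 11105
id_in_range "$uid" "$1" "$2" && echo "RID 1105 -> uid $uid, inside the EXAMPLE range"
hosts_has_fqdn "$tmp/hosts" ubuntu63 example.local && echo "/etc/hosts carries the FQDN"
rm -rf "$tmp"
```

Run it on the real files (`idmap_range /etc/samba/smb.conf EXAMPLE`, `hosts_has_fqdn /etc/hosts "$(hostname -s)" example.local`) before `net ads join`, and compare the computed uid with what `getent passwd user1` returns afterwards.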