apt-get install samba krb5-config krb5-user winbind libpam-winbind libnss-winbind apt install krb5-user libpam-krb5 libpam-ccreds auth-client-config apt install smbclient apt install libnss-winbind libpam-winbind
find /var/log/packages/ | grep samba slackpkg install samba lzo wget http://slackbuilds.org/slackbuilds/14.2/network/krb5.tar.gz tar xzf krb5.tar.gz cd krb5 wget http://web.mit.edu/kerberos/dist/krb5/1.15/krb5-1.15.2.tar.gz slackpkg install libunistring ./krb5.SlackBuild installpkg /tmp/krb5-1.15.2-x86_64-1_SBo.tgz
vi /etc/resolv.conf domain example.local nameserver INTERNAL-IP host -t SRV _ldap._tcp.example.local. host -t SRV _kerberos._udp.example.local. host -t A dc1.example.local. ping -W1 -c1 opendns.com # forwarding enabled on the AD ping -W1 -c1 example.local # should point to the AD itself
See Time Config.
ls -lhF /etc/krb5.conf #does not exist yet
cat > /etc/krb5.conf <<-EOF
[libdefaults]
default_realm = EXAMPLE.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true
EOF
klist #empty so far
kinit user1
klist
Testing,
getent hosts smbclient -L dc1.example.local -Uuser1
Setting up the domain membership and identity mappings,
mv /etc/samba/smb.conf /etc/samba/smb.conf.dist
vi /etc/samba/smb.conf
[global]
security = ADS
workgroup = EXAMPLE
realm = EXAMPLE.LOCAL
log file = /var/log/samba/%m.log
log level = 1
winbind nss info = template
template shell = /bin/bash
template homedir = /home/%U
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config EXAMPLE : backend = rid
idmap config EXAMPLE : range = 10000-999999
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
Joining the domain,
net ads join -U administrator
Enabling identity mappings,
cp -pi /etc/nsswitch.conf /etc/nsswitch.conf.dist vi /etc/nsswitch.conf passwd: compat winbind group: compat winbind
on ubuntu,
systemctl status winbind systemctl start winbind systemctl enable winbind
on slackware,
vi /etc/rc.d/rc.local echo rc.local path is $PATH /usr/sbin/winbindd /usr/bin/ps auxw | /usr/bin/grep winbind
and to reload,
smbcontrol winbind reload-config
check,
wbinfo --ping-dc wbinfo -u wbinfo -g getent passwd EXAMPLE\\user3 getent group "EXAMPLE\\Domain Users" getent passwd user3 getent group "Domain Users" getent passwd | grep user getent group | grep domain
Create a homedir for user,
cd /home mkdir user1 chown user1:"domain users" user1
Now try to login through SSH to one of those members, as user1.
Instead of joining the domain, talking to Samba4’s LDAP directly is an option, as described in this post: https://zachbethel.wordpress.com/2013/04/10/linux-ldap-authentication-with-samba4/.
When getting this error when attempting to join the domain,
Failed to join domain: failed to lookup DC info for domain 'EXAMPLE.LOCAL' over rpc: Logon failure
==> not sure how I solved this, maybe some of the settings above was missing. It was solved after fixing nsswitch,conf and restarting the winbind service, but this might be just a coincidence as I am not sure that issue is stricly related to winbind anyhow.
When getting this error when attempting to join the domain,
Enter administrator's password: Using short domain name -- EXAMPLE Joined 'UBUNTU63' to dns domain 'example.local' No DNS domain configured for ubuntu63. Unable to perform DNS Update. DNS update failed: NT_STATUS_INVALID_PARAMETER
==> fix /etc/hosts, FQDN for local hostname, please.