Setup Samba as an AD Domain Member
From Samba Wiki
Contents
1 Introduction
2 Installation
3 Preparing the host for the domain join
3.1 AD DNS zone resolution
3.2 NTP
3.3 Local host name resolution
4 Setup a Domain Member smb.conf file
5 The domain join
6 libnss_winbind
7 Start daemons
8 Testing Winbindd user/group retrieval
8.1 wbinfo
8.2 Using domain accounts/groups in OS commands
9 Authenticating Domain Users Using PAM
9.1 General information
9.2 Configure PAM
9.3 Verify domain user login
10 Setting up additional services
Introduction
In the context of Samba, you usually only hear about servers (AD DCs, NT4 PDCs, file servers, etc.). You usually do not hear much about a Samba workstation as a Domain Member, similar to hosts running a version of Windows, e.g. Windows 10 Pro or some other workstation edition. What if you want to join a Linux workstation to the domain, to authenticate user logins against your Domain Controller(s)?
Generally speaking, a Samba server is just a Samba workstation that additionally provides file shares or print services. This is how we structure our documentation here: being a Domain Member is the prerequisite for configuring a Samba file and/or print server.
See the host information used in documentation page for the paths, host names, etc. used here.
Installation
You have the following options to install Samba:
Build Samba yourself
Install distribution-specific packages
Install SerNet Samba+ (http://www.samba.plus) / Enterprise (http://www.samba.plus/older-packages/) packages
https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member 1/7
11/1/2016 Setup Samba as an AD Domain Member - Samba Wiki
Preparing the host for the domain join
AD DNS zone resolution
Many things in an Active Directory, such as Kerberos, rely on DNS. Therefore it is required that the host is able to resolve the AD DNS zones. If you have multiple DCs acting as DNS servers, it is recommended to set up multiple nameserver entries for failover reasons.
On Linux and Unixes, you usually configure DNS settings in /etc/resolv.conf:
nameserver 10.99.0.1
nameserver 10.99.0.2
search samdom.example.com
Some tools, such as NetworkManager, may overwrite manual changes in that file. Please consult your distribution's documentation for configuring name resolution.
To verify correct name resolution, try resolving the host name of one of your Domain Controllers:
# host -t A DC1.samdom.example.com
DC1.samdom.example.com has address 10.99.0.1
NTP
In an Active Directory, accurate time synchronisation is necessary for Kerberos, to prevent replay attacks, and for resolving directory replication conflicts. For those reasons, if the time differs from your AD by more than the permitted clock skew (5 minutes by default), your host won't be able to access AD servers and any shares it provides won't be accessible by others. See Time Synchronisation for further information and configuration examples.
Local host name resolution
During the domain join, Samba tries to register/update the host's name and IP in your AD DNS. This requires that "net" can resolve both, either via DNS or /etc/hosts. To verify, run
# getent hosts M1
10.99.0.5 M1.samdom.example.com M1
The command's output must show the correct LAN interface IP (not 127.*.*.*!) and the host name including the AD DNS zone. Additional alias names are optional. If you get a different output, fix it in your DNS or by adding/changing the /etc/hosts entry:
10.99.0.5 M1.samdom.example.com M1
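The three preparation steps above can be checked mechanically before running the join. The following script is an added example (not from the Samba wiki or the Samba project): each check function takes the text the corresponding command prints, so it can be exercised on the constructed sample lines at the top, and preflight() runs the same checks against the live /etc/resolv.conf, host, getent and ntpdate output. The host names, addresses and AD zone are the ones used on this page; using ntpdate -q to measure the offset to the DC and the 300 second limit (the Kerberos default clock skew) are assumptions.

```shell
#!/bin/sh
# Added example, not from the Samba wiki: offline checks for the three
# host-preparation steps (DNS, time, local host name). Sample inputs below
# are constructed; names follow the page (M1, DC1, samdom.example.com).

SAMPLE_RESOLV='nameserver 10.99.0.1
nameserver 10.99.0.2
search samdom.example.com'
SAMPLE_HOSTS_OK='10.99.0.5 M1.samdom.example.com M1'
SAMPLE_HOSTS_BAD='127.0.1.1 M1.samdom.example.com M1'

# $1 = resolv.conf contents, $2 = AD DNS zone. Requires at least two
# nameserver entries (DC failover) and the zone in the search list.
check_resolv_conf() {
    ns_count=$(printf '%s\n' "$1" | grep -c '^nameserver ' || true)
    [ "$ns_count" -ge 2 ] ||
        { echo "only $ns_count nameserver entries, expected 2 or more" >&2; return 1; }
    zone_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    printf '%s\n' "$1" | grep -Eq "^search( +[^ ]+)* +$zone_re"'( |$)' ||
        { echo "search list does not contain $2" >&2; return 1; }
}

# $1 = one line of 'getent hosts <shortname>' output, $2 = AD DNS zone.
# net(8) registers this address and name in AD DNS during the join, so it
# must be the LAN address and the FQDN inside the zone, not 127.x.
check_host_entry() {
    line=$1; zone=$2
    ip=${line%% *}; rest=${line#* }; fqdn=${rest%% *}
    case $ip in
        127.*|'') echo "'$ip' is not a usable LAN address; fix DNS or /etc/hosts" >&2; return 1 ;;
    esac
    case $fqdn in
        *.$zone) return 0 ;;
        *) echo "'$fqdn' is not a host name inside $zone" >&2; return 1 ;;
    esac
}

# $1 = clock offset to the DC in whole seconds. Kerberos rejects tickets
# once the skew exceeds 300 seconds (assumption: default clockskew).
check_clock_skew() {
    [ -n "$1" ] || { echo "clock offset unknown, verify NTP manually" >&2; return 1; }
    off=$1
    skew=$(( off < 0 ? -off : off ))
    [ "$skew" -le 300 ] || { echo "clock skew ${skew}s exceeds 300s" >&2; return 1; }
}

# $1 = AD zone, $2 = DC short name, $3 = this host's short name.
# Runs the checks against the live system (needs host, getent, ntpdate).
preflight() {
    check_resolv_conf "$(cat /etc/resolv.conf)" "$1" || return 1
    host -t A "$2.$1" >/dev/null || { echo "cannot resolve $2.$1" >&2; return 1; }
    check_host_entry "$(getent hosts "$3")" "$1" || return 1
    # ntpdate -q prints "server ..., stratum N, offset S.SSS, delay D"; keep the integer part
    offset=$(ntpdate -q "$2.$1" 2>/dev/null | sed -n 's/.*offset \([-0-9.]*\),.*/\1/p' | tail -n 1)
    check_clock_skew "${offset%%.*}" || return 1
    echo "$3 is ready for 'net ads join'"
}

if [ "${1:-}" = "--run" ]; then
    preflight samdom.example.com DC1 M1
fi
```

Run it as `sh preflight.sh --run` on the prospective member; without `--run` it only defines the functions. A failing clock check is reported as a failure rather than skipped, because an unmeasurable offset is exactly the case that later shows up as a Kerberos "clock skew too great" error during the join.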
Setup a Domain Member smb.conf file
Before joining a domain, it is necessary to create the Samba configuration file "smb.conf". The following command shows where the file is located in your installation:
# smbd -b | grep CONFIGFILE
   CONFIGFILE: /usr/local/samba/etc/smb.conf
Note: You should use the same "smb.conf" file on all domain members you set up in the domain.
In the following you see an smb.conf example sufficient to join a domain, if you add an "idmap config" part fitting your environment:
[global]
   security = ADS
   workgroup = SAMDOM
   realm = SAMDOM.EXAMPLE.COM
   log file = /var/log/samba/%m.log
   log level = 1
   # idmap config used for your domain.
   # Click on the following links for more information
   # on the available winbind idmap backends.
   # Choose the one that fits your requirements,
   # then add the corresponding configuration.
   # Just adding one of the following three lines is not enough!!
   # Please follow the links.
   #
   # use the winbind 'ad' backend.
   # Or
   # use the winbind 'rid' backend.
   # Or
   # use the winbind 'autorid' backend. (https://www.samba.org/samba/docs/man/manpages-3/idmap_autorid.8.html)
See the man page of "smb.conf" for detailed information about the parameters and options used.
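Since the page leaves the "idmap config" part to the reader, the following is an added example (not from the Samba wiki or the Samba project) of a complete Domain Member smb.conf using the winbind 'rid' backend, together with an offline check that the idmap ranges are usable before the file is installed: the "*" range is mandatory, every range needs low < high, and no two ranges may overlap. The ranges, the template settings and the install helper are assumptions for the samdom.example.com setup used on this page.

```shell
#!/bin/sh
# Added example, not from the Samba wiki: Domain Member smb.conf with the
# winbind 'rid' idmap backend, and a sanity check of the idmap ranges.
# Ranges and template settings are assumptions.

SMB_CONF_RID='[global]
   security = ADS
   workgroup = SAMDOM
   realm = SAMDOM.EXAMPLE.COM
   log file = /var/log/samba/%m.log
   log level = 1

   # Default backend for SIDs outside SAMDOM (BUILTIN, well-known SIDs);
   # the "*" range is mandatory and must not overlap any domain range.
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999

   # SAMDOM: deterministic RID-based mapping, no RFC2307 attributes needed.
   idmap config SAMDOM : backend = rid
   idmap config SAMDOM : range = 10000-999999

   template shell = /bin/bash
   template homedir = /home/%U'

# Print "<domain> <low> <high>" for every "idmap config X : range = low-high"
# line in the config text given as $1.
idmap_ranges() {
    printf '%s\n' "$1" | sed -n \
        's/^[[:space:]]*idmap config[[:space:]]*\([^[:space:]]*\)[[:space:]]*:[[:space:]]*range[[:space:]]*=[[:space:]]*\([0-9]*\)[[:space:]]*-[[:space:]]*\([0-9]*\).*/\1 \2 \3/p'
}

# Fail unless a "*" range exists, every range has low < high, and no two
# ranges overlap (overlapping ranges make the SID-to-ID mapping ambiguous
# and the usual symptom is domain accounts missing from getent output).
idmap_ranges_ok() {
    ranges=$(idmap_ranges "$1")
    printf '%s\n' "$ranges" | grep -q '^\* ' ||
        { echo 'missing mandatory "idmap config * : range"' >&2; return 1; }
    printf '%s\n' "$ranges" | while read -r dom lo hi; do
        [ "$lo" -lt "$hi" ] ||
            { echo "range for '$dom' is empty or reversed: $lo-$hi" >&2; exit 1; }
        printf '%s\n' "$ranges" | while read -r dom2 lo2 hi2; do
            [ "$dom" != "$dom2" ] || continue
            if [ "$lo" -le "$hi2" ] && [ "$lo2" -le "$hi" ]; then
                echo "range of '$dom' ($lo-$hi) overlaps '$dom2' ($lo2-$hi2)" >&2
                exit 1
            fi
        done || exit 1
    done
}

# $1 = destination, e.g. the CONFIGFILE path printed by 'smbd -b'.
install_smb_conf() {
    idmap_ranges_ok "$SMB_CONF_RID" || return 1
    printf '%s\n' "$SMB_CONF_RID" > "$1"
    # testparm(1) parses the installed file and reports syntax errors, if present.
    if command -v testparm >/dev/null 2>&1; then testparm -s "$1" >/dev/null; fi
}

if [ "${1:-}" = "--install" ]; then
    install_smb_conf "${2:-/usr/local/samba/etc/smb.conf}"
fi
```

The 'rid' backend was chosen for the example because it needs no RFC2307 attributes in AD and yields the same IDs on every member that uses the same range, which is what the page's note about using one smb.conf on all domain members is after; with the 'ad' backend the uidNumber/gidNumber attributes must exist for every account that should appear in getent output.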
The domain join
A note on provisioning: A Domain Member must not be provisioned by using "samba-tool"! This would set up an AD DC on your Domain Member with some parts turned off and would write to sam.ldb instead of passdb.tdb. Don't use this way to join, to avoid unwanted side effects! The Domain Member provisioning option will be removed in the future.
The following command will join the host to the domain and automatically register/update its DNS record:
# net ads join -U administrator
Enter administrator's password: Passw0rd
Using short domain name -- SAMDOM
Joined 'M1' to dns domain 'samdom.example.com'
If you encounter any error message(s), see Troubleshooting Samba Domain Members.
If you use the parameter bind interfaces only = yes in smb.conf, join with:
# net ads join -U administrator -S addc.samdom.example.com
libnss_winbind
Domain users and groups are made available to your local system through libnss_winbind. The smb.conf configuration was already done in a previous step. Next is to tell your system to retrieve that information from winbindd by adding "winbind" to the following two lines of your /etc/nsswitch.conf:
passwd: files winbind
group:  files winbind
Keep the existing database "files" (sometimes you may find "compat" instead of "files"). It defines that accounts and groups are first looked up in the local files (/etc/passwd and /etc/group), then via winbindd.
Note: Do not add 'winbind' to the 'shadow' line. This has been reported to cause problems with 'wbinfo', and it is also totally unneeded.
Note: You cannot have users or groups with the same name in the local files and in the domain: a user 'foo' that appears in /etc/passwd would be addressed by the same name as 'DOMAIN\foo', and with the lookup order above the local account always wins. In this case you would need to remove or rename one of the two.
Important: If you have compiled Samba, you may need to add two symbolic links. See libnss_winbind Links for OS-specific information on where to place them. Samba package installations usually place the file directly in the OS library path or have the links included.
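The nsswitch change above is small but easy to get subtly wrong (winbind before files, winbind on the shadow line, or the change applied twice by a config-management run). The following is an added example (not from the Samba wiki or the Samba project) that makes the edit idempotently, only on the passwd and group lines, and then verifies the order and the shadow line together with the ldconfig note from the testing section. The sample nsswitch.conf is constructed.

```shell
#!/bin/sh
# Added example, not from the Samba wiki: enable libnss_winbind in
# /etc/nsswitch.conf idempotently (passwd and group only, never shadow)
# and verify the result. The sample file is constructed.

SAMPLE_NSS='passwd:     files
group:      files
shadow:     files
hosts:      files dns'

# $1 = path to nsswitch.conf. Appends "winbind" to the passwd and group
# lines unless it is already there; every other line (shadow included)
# is left untouched. The file is rewritten through 'cat >' so its inode,
# owner and mode are preserved.
enable_winbind_nss() {
    f=$1
    awk '/^(passwd|group):/ && $0 !~ /[[:space:]]winbind([[:space:]]|$)/ { print $0 " winbind"; next }
         { print }' "$f" > "$f.tmp" && cat "$f.tmp" > "$f" && rm -f "$f.tmp"
}

# $1 = path. Succeeds only if passwd and group start with files (or compat)
# and list winbind after it, and shadow does not reference winbind.
nss_winbind_ok() {
    grep -Eq '^passwd:[[:space:]]+(files|compat)([[:space:]].*)?[[:space:]]winbind([[:space:]]|$)' "$1" &&
    grep -Eq '^group:[[:space:]]+(files|compat)([[:space:]].*)?[[:space:]]winbind([[:space:]]|$)' "$1" &&
    ! grep -Eq '^shadow:.*[[:space:]]winbind([[:space:]]|$)' "$1"
}

# The NSS module must be visible to the dynamic loader, otherwise getent
# silently skips the winbind database (the page's ldconfig note).
nss_lib_ok() {
    ldconfig -p 2>/dev/null | grep -q 'libnss_winbind\.so\.2' ||
        { echo 'libnss_winbind.so.2 not found by ldconfig; check the symbolic links' >&2; return 1; }
}

if [ "${1:-}" = "--apply" ]; then
    enable_winbind_nss /etc/nsswitch.conf &&
    nss_winbind_ok /etc/nsswitch.conf &&
    nss_lib_ok
fi
```

Run with `--apply` as root to change the live file; without it the script only defines the functions so that it can be sourced or tested against a copy first.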
Start daemons
Depending on how you use your Domain Member, you have to start different daemons:
For a pure Domain Member (domain logons only):
# winbindd
For Domain Members sharing directories (file server) and/or printers (print server):
# smbd
# nmbd
# winbindd
Note: You do not start the 'samba' daemon on a domain member.
If you installed Samba via packages, you usually have init scripts or systemd/upstart support included. If you have compiled Samba, you will need to write your own scripts. See the init script page for examples. For automatic startup of the service(s) at boot time, please consult your distribution's documentation.
Testing Winbindd user/group retrieval
wbinfo
You first need to check that winbindd is able to retrieve domain users and groups. On a successful setup, the following commands will print all users/groups in your domain:
# wbinfo -u
administrator
krbtgt
guest
...
# wbinfo -g
enterprise admins
domain computers
domain admins
...
Using domain accounts/groups in OS commands
If you have correctly included libnss_winbind in your system, the following commands should print all local system users/groups, followed by any local Unix users/groups and then the ones from the domain (see the /etc/nsswitch.conf order):
# getent passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
...
demo01:*:10000:10000:demo01:/home/demo01:/bin/bash
...
# getent group
root:x:0:
bin:x:1:
daemon:x:2:
...
domain admins:x:10001:
domain users:x:10000:
...
Note: If you're not getting domain accounts/groups in that output, verify that
the libnss_winbind configuration is correct, especially whether "ldconfig" is able to find "libnss_winbind.so.2" and "libnss_winbind.so"
if using idmap config ad, the accounts/groups have RFC2307 attributes set
"winbind enum users" and "winbind enum groups" are set to "yes" in your smb.conf (both default to "no"; they are only needed for listing the whole domain this way, a single lookup such as getent passwd demo01 works without them, and enumerating a large domain is slow)
Any domain accounts/groups shown by getent or id can be used in the OS, i.e.
# id demo01
uid=10000(demo01) gid=10000(domain users) groups=10000(domain users),2001(BUILTIN\users)
# chown demo01:"domain users" file.txt
# ls -l file.txt
-rw-------. 1 demo01 domain users 992 18. Oct 2015 file.txt
Authenticating Domain Users Using PAM
If you have set up this Domain Member as a server providing file shares or print services, you may want to skip this part. By following this part, you will allow domain users to log on locally to the host's console.
General information
Important note: Before you start changing your PAM configuration:
make sure you know what you're doing!
before you start, log in within a second terminal and keep it open until everything works as expected. Otherwise, you may lock yourself out and won't be able to log in again!
If you have compiled Samba, you need to add a symbolic link. See pam_winbind Link for OS-specific information on where to place it. Samba package installations usually place the file directly in the right folder or have a link included.
Configure PAM
Note: Whenever your distribution ships tools to configure PAM, it is recommended to use them instead of manually editing the configuration files!
Red Hat based OS: authconfig / authconfig-tui
Debian based OS: pam-auth-update
SUSE based OS: yast
For manual changes: Typically the PAM configuration files are located in /etc/pam.d/. Depending on your distribution, the file name(s) may differ. E.g. on RHEL, you configure system login authentication in /etc/pam.d/password-auth-ac:
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_winbind.so use_first_pass                          # <- add this line
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so         # <- add this line
account     required      pam_permit.so
password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_winbind.so use_authtok                             # <- add this line
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
For additional information about PAM configuration and the settings used in the example above, please consult the PAM (http://www.linux-pam.org) documentation and the man pages of pam.conf and pam_winbind.
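Before closing the second terminal the page tells you to keep open, it is worth checking the edited file for the two mistakes that silently break domain logins: a missing pam_winbind.so entry in one of the auth, account or password stacks, and an auth entry placed below pam_deny.so, where it is never reached. The following is an added example (not from the Samba wiki or the Samba project) that performs that check on a PAM service file; the two sample stacks are constructed from the RHEL example above, the second one with the auth line in the wrong place and the password line forgotten.

```shell
#!/bin/sh
# Added example, not from the Samba wiki: check that pam_winbind.so is wired
# into the auth, account and password stacks of a PAM service file and that
# the auth entry sits above pam_deny.so. Sample stacks are constructed.

PAM_GOOD='#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
account     required      pam_permit.so
password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_winbind.so use_authtok
password    required      pam_deny.so'

# Looks plausible, but no domain user can log in: the auth line is below
# pam_deny.so and the password stack has no pam_winbind.so at all.
PAM_BAD='#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
auth        sufficient    pam_winbind.so use_first_pass
account     required      pam_unix.so broken_shadow
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
account     required      pam_permit.so
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so'

# $1 = path of a PAM service file (e.g. /etc/pam.d/password-auth-ac).
# Records the first pam_winbind.so line per stack and the first auth
# pam_deny.so line, then compares positions.
pam_winbind_stack_ok() {
    awk '
    $1 == "auth" || $1 == "account" || $1 == "password" {
        if ($0 ~ /pam_winbind\.so/ && !($1 in winbind)) winbind[$1] = NR
        if ($1 == "auth" && $0 ~ /pam_deny\.so/ && !("auth" in deny)) deny["auth"] = NR
    }
    END {
        ok = 1
        n = split("auth account password", types, " ")
        for (i = 1; i <= n; i++)
            if (!(types[i] in winbind)) {
                print "no pam_winbind.so entry in the " types[i] " stack" > "/dev/stderr"; ok = 0
            }
        if (("auth" in winbind) && ("auth" in deny) && winbind["auth"] > deny["auth"]) {
            print "auth pam_winbind.so is below pam_deny.so and can never be reached" > "/dev/stderr"; ok = 0
        }
        exit !ok
    }' "$1"
}

# Keep a timestamped copy before editing; a broken stack locks you out.
backup_pam_file() {
    cp -p "$1" "$1.bak.$(date +%Y%m%d%H%M%S)"
}

if [ "${1:-}" = "--check" ]; then
    pam_winbind_stack_ok "${2:-/etc/pam.d/password-auth-ac}"
fi
```

If the file passes but the console login still fails, `wbinfo -a 'SAMDOM\demo01'` (which prompts for the password) tells you whether winbindd itself can authenticate the account; a success there narrows the problem down to PAM, a failure points back at the join, the DC or the clock.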
Verify domain user login
Try to log in on the local console with a domain user account:
CentOS Linux 7 (Core)
Kernel 3.10.0-229.11.1.el7.x86_64 on an x86_64
M1 login: demo01
Password: Passw0rd
[demo01@M1 ~]$ _
Setting up additional services
Now that you have successfully made your host a Domain Member, you can, as on a Windows OS, additionally share directories (file server) or act as a print server.
Retrieved from "https://wiki.samba.org/index.php?title=Setup_Samba_as_an_AD_Domain_Member&oldid=12425"
This page was last modified on 26 October 2016, at 15:16.
Content is available under the CC GNU GPLv2 or later unless otherwise noted.