
11/1/2016 Setup Samba as an AD Domain Member - SambaWiki

Setup Samba as an AD Domain Member
From SambaWiki

Contents
1 Introduction
2 Installation
3 Preparing the host for the domain join
3.1 AD DNS zone resolution
3.2 NTP
3.3 Local host name resolution
4 Setup a Domain Member smb.conf file
5 The domain join
6 libnss_winbind
7 Start daemons
8 Testing Winbindd user/group retrieval
8.1 wbinfo
8.2 Using domain accounts/groups in OS commands
9 Authenticating Domain Users Using PAM
9.1 General information
9.2 Configure PAM
9.3 Verify domain user login
10 Setting up additional services

Introduction
In the context of Samba, you usually only hear about servers (AD DCs, NT4 PDCs, file servers, etc.). You usually do not hear much about a Samba workstation as a Domain Member, similar to hosts running a version of Windows, e.g. Windows 10 Pro or some other workstation edition. What if you want to join a Linux workstation to the domain, to authenticate user logins against your Domain Controller(s)?

Generally speaking, a Samba server is just a Samba workstation that provides file shares or print services. This is how we will structure our documentation here: being a Domain Member is the prerequisite for configuring a Samba file and/or print server.

See the "host information used in documentation" page for the paths, host names, etc. used here.

Installation
You have the following options to install Samba:

Build Samba yourself

Install distribution specific packages

Install SerNet Samba+ (http://www.samba.plus) / Enterprise (http://www.samba.plus/olderpackages/) packages

Preparing the host for the domain join
AD DNS zone resolution
Many things in an Active Directory, such as Kerberos, rely on DNS. Therefore it is required that the host is able to resolve AD DNS zones. If you have multiple DCs acting as a DNS server, it's recommended to set up multiple nameserver entries for failover reasons.

On Linux and Unixes, you usually configure DNS settings in /etc/resolv.conf:

nameserver 10.99.0.1
nameserver 10.99.0.2
search samdom.example.com

Some tools, such as NetworkManager, may overwrite manual changes in that file. Please consult your distribution's documentation for configuring name resolution.

To verify a correct name resolution, try resolving the host name of one of your Domain Controllers:

# host -t A DC1.samdom.example.com
DC1.samdom.example.com has address 10.99.0.1

NTP
In an Active Directory, accurate time synchronization is necessary for Kerberos, to prevent replay attacks and for resolving directory replication conflicts. For those reasons, if the time differs from your AD, your host won't be able to access AD servers and any shares it provides won't be accessible by others. See Time Synchronisation for further information and configuration examples.

Local host name resolution
During the Domain join, Samba tries to register/update the host's name and IP in your AD DNS. This requires that "net" can resolve both, either via DNS or /etc/hosts. To verify, run

# getent hosts M1
10.99.0.5 M1.samdom.example.com M1

The command's output must show the correct LAN interface IP (not 127.*.*.*!) and the host name including the AD DNS zone. Additional alias names are optional. If you get a different output, fix it in your DNS or by adding/changing the /etc/hosts entry:

10.99.0.5 M1.samdom.example.com M1
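The three prerequisites above (AD DNS resolution, clock offset, local host name) are easy to get wrong and are only reported indirectly by a failing join. The following script is an added example and not part of the wiki page; it assumes the wiki's example values (zone samdom.example.com, DC DC1.samdom.example.com, host M1), reads the clock offset from chronyc (an assumption about the NTP client in use) and treats the usual Kerberos limit of 300 seconds as the maximum tolerated skew.

```shell
#!/bin/sh
# Added example (not from the Samba wiki): pre-join checks for the three
# prerequisites: AD DNS zone resolution, clock offset, local host name.
# Assumed values: zone samdom.example.com, DC dc1.samdom.example.com.

ZONE="samdom.example.com"       # assumed AD DNS zone
DC="dc1.samdom.example.com"     # assumed domain controller
MAX_SKEW=300                    # seconds; the usual Kerberos clock skew limit

# check_resolv FILE ZONE: FILE (resolv.conf format) must list at least one
# nameserver and carry ZONE in its search line. Returns 0 on success.
check_resolv() {
    file="$1"; zone="$2"
    ns=$(grep -c '^nameserver[[:space:]]' "$file" || true)
    [ "$ns" -ge 1 ] || { echo "no nameserver entry in $file"; return 1; }
    grep -Eq "^search[[:space:]]+(.*[[:space:]])?$zone([[:space:]]|$)" "$file" \
        || { echo "$zone is not in the search list of $file"; return 1; }
    [ "$ns" -ge 2 ] || echo "warning: only one nameserver, no DNS failover"
    return 0
}

# check_hosts_line LINE ZONE HOST: LINE is what "getent hosts HOST" prints.
# The address must be a LAN address (not loopback) and the canonical name
# must be HOST.ZONE (compared case-insensitively, as DNS names are).
check_hosts_line() {
    line="$1"; zone="$2"; host="$3"
    set -- $line                      # split into address and names
    ip="${1:-}"; fqdn="${2:-}"
    case "$ip" in
        "")          echo "$host does not resolve at all"; return 1 ;;
        127.*|::1)   echo "$host resolves to loopback ($ip)"; return 1 ;;
    esac
    got=$(printf '%s' "$fqdn" | tr 'A-Z' 'a-z')
    want=$(printf '%s' "$host.$zone" | tr 'A-Z' 'a-z')
    [ "$got" = "$want" ] \
        || { echo "expected $want as canonical name, got '$fqdn'"; return 1; }
    return 0
}

# check_skew OFFSET MAX: OFFSET is the clock offset in seconds (sign ignored).
check_skew() {
    awk -v off="$1" -v max="$2" \
        'BEGIN { if (off < 0) off = -off; exit (off <= max) ? 0 : 1 }'
}

# run_checks: the live checks on this host. The DC lookup uses "host -t A"
# as in the wiki; the offset is read from "chronyc tracking" (assumption:
# chrony is the NTP client; substitute your own source otherwise).
run_checks() {
    rc=0
    check_resolv /etc/resolv.conf "$ZONE" || rc=1
    host -t A "$DC" >/dev/null 2>&1 || { echo "cannot resolve $DC"; rc=1; }
    me=$(hostname -s)
    check_hosts_line "$(getent hosts "$me" || true)" "$ZONE" "$me" || rc=1
    off=$(chronyc tracking 2>/dev/null | awk '/System time/ { print $4 }')
    if [ -n "$off" ]; then
        check_skew "$off" "$MAX_SKEW" || { echo "clock is off by $off s"; rc=1; }
    else
        echo "warning: could not read the clock offset from chronyc"
    fi
    return $rc
}

if [ "${1:-}" = "--run" ]; then run_checks; fi
```

Run it as `sh prejoin-check.sh --run` before `net ads join`; a non-zero exit means one of the prerequisites is not met and the join is likely to fail or to register a wrong DNS record.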

Setup a Domain Member smb.conf file
Before joining a domain, it is necessary to create the Samba configuration file "smb.conf". The following command shows where the file is located in your installation:

# smbd -b | grep CONFIGFILE
CONFIGFILE: /usr/local/samba/etc/smb.conf

Note: You should use the same "smb.conf" file on all domain members you set up in the domain.

In the following you see an smb.conf example sufficient to join a domain, if you add an "idmap config" part fitting to your environment:

[global]
    security = ADS
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM

    log file = /var/log/samba/%m.log
    log level = 1

    # idmap config used for your domain.
    # Click on the following links for more information
    # on the available winbind idmap backends,
    # choose the one that fits your requirements,
    # then add the corresponding configuration.

    # Just adding one of the following three lines is not enough!!
    # Please follow the links.
    #
    # use the winbind 'ad' backend.
    # Or
    # use the winbind 'rid' backend.
    # Or
    # use the winbind 'autorid' backend. (https://www.samba.org/samba/docs/man/manpages-3/idmap_autorid.8.html)

See the man page of "smb.conf" for detailed information about the parameters and options used.
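The wiki leaves the "idmap config" part to the linked backend pages. As an added example (not the wiki's own text), the function below writes the complete smb.conf for the SAMDOM example with the winbind 'rid' backend filled in, locates the file with "smbd -b" as shown above and lets testparm parse the result. The ID ranges are assumptions: they must not overlap each other or the UIDs/GIDs of local accounts, and because rid derives each Unix ID deterministically from the SID, every member that uses this same file computes the same IDs.

```shell
#!/bin/sh
# Added example (not from the Samba wiki): generate a domain-member smb.conf
# with a complete "idmap config" section for the winbind 'rid' backend.
# Assumed ranges: 3000-7999 for the default (*) domain, 10000-999999 for
# SAMDOM; both must be disjoint from each other and from local accounts.

# gen_smb_conf WORKGROUP REALM: print the smb.conf text to stdout.
gen_smb_conf() {
    workgroup="$1"; realm="$2"
    cat <<EOF
[global]
    security = ADS
    workgroup = $workgroup
    realm = $realm

    log file = /var/log/samba/%m.log
    log level = 1

    # Default idmap config for BUILTIN and other non-domain SIDs (tdb backend).
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # idmap config for the domain: 'rid' derives the Unix ID from the SID's RID,
    # so every member using this same file computes identical IDs.
    idmap config $workgroup : backend = rid
    idmap config $workgroup : range = 10000-999999

    # Needed for "wbinfo -u/-g" and "getent" to list domain accounts.
    winbind enum users = yes
    winbind enum groups = yes
    # Log in as "demo01" instead of "$workgroup\\demo01".
    winbind use default domain = yes
EOF
}

# conf_path: location of smb.conf in this installation, as shown by "smbd -b".
conf_path() {
    smbd -b | awk '/CONFIGFILE/ { print $2 }'
}

# install_conf WORKGROUP REALM: back up any existing file, write the new one
# and let testparm parse it (non-zero exit on syntax errors).
install_conf() {
    path=$(conf_path)
    [ -n "$path" ] || { echo "cannot determine the smb.conf path"; return 1; }
    if [ -f "$path" ]; then cp "$path" "$path.bak"; fi
    gen_smb_conf "$1" "$2" > "$path"
    testparm -s "$path" >/dev/null
}

if [ "${1:-}" = "--install" ]; then install_conf SAMDOM SAMDOM.EXAMPLE.COM; fi
```

"winbind use default domain = yes" is what makes the later examples on this page (the plain "demo01" login and the "domain users" group name without a SAMDOM\ prefix) look the way they do; without it, accounts appear with the domain prefix.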

The domain join
A note on provisioning: A Domain Member must not be provisioned by using "samba-tool"! This would set up an AD DC on your Domain Member with some parts turned off and write to sam.ldb instead of passdb.tdb. Don't use this way to join, to avoid unwanted side effects! The Domain Member provisioning option will be removed in the future.

The following command will join the host to the domain and automatically register/update its DNS record:

# net ads join -U administrator
Enter administrator's password: Passw0rd
Using short domain name -- SAMDOM
Joined 'M1' to dns domain 'samdom.example.com'

If you encounter any error message(s), see Troubleshooting Samba Domain Members.

If you use the parameter "bind interfaces only = yes" in smb.conf, join with:

# net ads join -U administrator -S addc.samdom.example.com

libnss_winbind
Domain users and groups are made available to your local system through libnss_winbind. The smb.conf configuration was already done in a previous step. Next is to tell your system to retrieve that information from winbindd by adding "winbind" to the following two lines of your /etc/nsswitch.conf:

passwd: files winbind
group: files winbind

Keep the existing database "files" (sometimes you may find "compat" instead of "files"). It defines that accounts and groups are first looked up in local files (/etc/passwd and /etc/group), then via Winbindd.

Note: Do not add 'winbind' to the 'shadow' line. This has been reported to cause problems with 'wbinfo', and it is also totally unneeded.

Note: You cannot have users and groups with the same name in the local files and the domain, i.e. a user 'foo' that appears in /etc/passwd would be the same user as 'DOMAIN\foo'; in this instance you would need to remove or rename one of the users.

Important: If you have compiled Samba, you may need to add two symbolic links. See libnss_winbind Links for OS specific information on where to place them. Samba package installations usually place the file directly in the OS library path or have the links included.
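The nsswitch.conf edit is small but the two notes above (winbind only on passwd and group, never on shadow) are easy to get wrong by hand. The following script is an added example, not part of the wiki page: it appends "winbind" to exactly those two databases, keeps "files" or "compat" as the first source, leaves the shadow line alone, is safe to run twice, and verifies the result.

```shell
#!/bin/sh
# Added example (not from the Samba wiki): append "winbind" to the passwd and
# group databases of an nsswitch.conf, leaving the shadow line untouched.
# Re-running it is harmless: a line that already names winbind is not changed.

# add_winbind_nss FILE: edit FILE in place (a .bak copy is kept).
add_winbind_nss() {
    file="$1"
    cp "$file" "$file.bak"
    awk '
        # only passwd and group; "shadow" deliberately stays as it is
        /^(passwd|group):/ && $0 !~ /[[:space:]]winbind([[:space:]]|$)/ { $0 = $0 " winbind" }
        { print }
    ' "$file.bak" > "$file"
}

# nss_has_winbind FILE DB: 0 if database DB (passwd, group, ...) lists winbind.
nss_has_winbind() {
    grep -Eq "^$2:.*[[:space:]]winbind([[:space:]]|$)" "$1"
}

# verify_nss FILE: passwd and group must use winbind, shadow must not.
verify_nss() {
    nss_has_winbind "$1" passwd || { echo "passwd: winbind missing"; return 1; }
    nss_has_winbind "$1" group  || { echo "group: winbind missing"; return 1; }
    if nss_has_winbind "$1" shadow; then echo "shadow: remove winbind"; return 1; fi
    return 0
}

if [ "${1:-}" = "--apply" ]; then
    add_winbind_nss /etc/nsswitch.conf && verify_nss /etc/nsswitch.conf
fi
```

After `sh nss-winbind.sh --apply`, `getent passwd` should list domain accounts once winbindd is running (see the testing section below); verify_nss alone does not prove that, it only checks the file.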

Start daemons
Depending on how you use your Domain Member, you have to start different daemons:

For a pure Domain Member (domain logons only):

# winbindd

For Domain Members sharing directories (file server) and/or printers (print server):

# smbd
# nmbd
# winbindd

Note: You do not start the 'samba' daemon on a domain member.

If you installed Samba via packages, you usually have init scripts or systemd/upstart support included. If you have compiled Samba, you will need to write your own scripts. See the init script page for examples. For automatic startup of the service(s) at boot time, please consult your distribution's documentation.

Testing Winbindd user/group retrieval
wbinfo
You first need to check that Winbindd is able to retrieve domain users and groups. On a successful setup, the following commands will print all users/groups in your domain:

# wbinfo -u
administrator
krbtgt
guest
...

# wbinfo -g
enterprise admins
domain computers
domain admins
...

Using domain accounts/groups in OS commands
If you have correctly included libnss_winbind in your system, the following commands should print all local system users/groups, followed by any local Unix users/groups and then the ones from the domain (see the /etc/nsswitch.conf order):

# getent passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
...
demo01:*:10000:10000:demo01:/home/demo01:/bin/bash
...

# getent group
root:x:0:
bin:x:1:
daemon:x:2:
...
domain admins:x:10001:
domain users:x:10000:
...

Note: If you're not getting domain accounts/groups in that output, verify that

the libnss_winbind configuration is correct, especially that "ldconfig" is able to find "libnss_winbind.so.2" and "libnss_winbind.so"

if using "idmap config ad", accounts/groups have RFC2307 attributes set

"winbind enum users" and "winbind enum groups" are set to "yes" in your smb.conf

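The three items of that note can be checked from the output of ldconfig, testparm and getent. The script below is an added example and not part of the wiki page: each check_* function takes the text to inspect as its argument, so it can be run on captured output, and run_checks feeds it the live output of "ldconfig -p", "testparm -s" and "getent group". It assumes the well-known group "domain users" exists (it does in every AD domain) and that a missing RFC2307 uidNumber shows up as "getent passwd" knowing nothing about the user.

```shell
#!/bin/sh
# Added example (not from the Samba wiki): verify the three points of the note
# above. check_* functions inspect text passed as $1; run_checks uses the
# live output of ldconfig, testparm and getent.

# check_nss_lib LDCONFIG_OUTPUT: both libnss_winbind.so.2 and libnss_winbind.so
# must appear in the linker cache listing ("ldconfig -p").
check_nss_lib() {
    bad=0
    for lib in libnss_winbind.so.2 libnss_winbind.so; do
        # the trailing space keeps ".so " from matching the ".so.2" line
        printf '%s\n' "$1" | grep -Fq "$lib " \
            || { echo "$lib not found by ldconfig"; bad=1; }
    done
    return $bad
}

# check_enum TESTPARM_OUTPUT: "winbind enum users/groups" must be Yes in the
# effective configuration ("testparm -s" prints the parsed smb.conf).
check_enum() {
    bad=0
    for p in "winbind enum users" "winbind enum groups"; do
        printf '%s\n' "$1" | grep -Eiq "^[[:space:]]*$p[[:space:]]*=[[:space:]]*yes" \
            || { echo "$p is not set to yes"; bad=1; }
    done
    return $bad
}

# check_domain_groups GETENT_OUTPUT: the well-known group "domain users",
# with or without a DOMAIN\ prefix, must be present in "getent group".
check_domain_groups() {
    printf '%s\n' "$1" | grep -Eiq '^([^:]*\\)?domain users:' \
        || { echo "no domain groups in getent group output"; return 1; }
}

# check_user_mapped USER: with "idmap config ad", a user without a uidNumber
# gets no Unix ID and is invisible to getent even though wbinfo -u lists it.
check_user_mapped() {
    getent passwd "$1" >/dev/null \
        || { echo "$1: no Unix ID (missing RFC2307 attributes?)"; return 1; }
}

run_checks() {
    rc=0
    check_nss_lib "$(ldconfig -p)" || rc=1
    check_enum "$(testparm -s 2>/dev/null)" || rc=1
    check_domain_groups "$(getent group)" || rc=1
    if [ -n "${2:-}" ]; then check_user_mapped "$2" || rc=1; fi
    return $rc
}

if [ "${1:-}" = "--run" ]; then run_checks "$@"; fi
```

`sh postjoin-check.sh --run demo01` runs all checks including the per-user mapping check; a failure message names which of the note's three items to look at.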
Any domain accounts/groups shown by getent or id can be used in the OS, i.e.

# id demo01
uid=10000(demo01) gid=10000(domain users) groups=10000(domain users),2001(BUILTIN\users)

# chown demo01:"domain users" file.txt
# ls -l file.txt
-rw-------. 1 demo01 domain users 992 18. Oct 2015 file.txt

Authenticating Domain Users Using PAM
If you have set up this Domain Member as a server providing file shares or print services, you may want to skip this part. By following this part, you will allow domain users to log on locally to the host's console.

General information
Important note: Before you start changing your PAM configuration:

make sure you know what you're doing!

before you start, log in within a second terminal and keep it open until everything works as expected. Otherwise, you may lock yourself out and won't be able to log in again!

If you have compiled Samba, you need to add a symbolic link. See pam_winbind Link for OS specific information on where to place it. Samba package installations usually place the file directly in the right folder or have a link included.

Configure PAM
Note: Whenever your distribution ships tools to configure PAM, it's recommended to use them instead of manually editing the configuration files!

Red Hat based OS: authconfig / authconfig-tui
Debian based OS: pam-auth-update
SUSE based OS: yast

For manual changes: Typically the PAM configuration files are located in /etc/pam.d/. Depending on your distribution, the file name(s) may differ. E.g. on RHEL, you configure system login authentication in /etc/pam.d/password-auth-ac:

#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_winbind.so use_first_pass   # <- add this line
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so   # <- add this line
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_winbind.so use_authtok   # <- add this line
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

For additional information about PAM configuration and the settings used in the example above, please consult the PAM (http://www.linux-pam.org) documentation and the man pages of pam.conf and pam_winbind.
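Because a wrong PAM stack locks you out (hence the second-terminal advice above), it is worth checking the edited file before closing that terminal. The script below is an added example, not part of the wiki page: it verifies that the auth, account and password stacks each reference pam_winbind.so, that in the auth stack pam_winbind.so comes before pam_deny.so (a module listed after pam_deny.so is never consulted, so domain logins would silently fail), and that the module file itself exists. The module path is an assumption to adjust for your distribution.

```shell
#!/bin/sh
# Added example (not from the Samba wiki): sanity checks to run before logging
# out after editing a PAM stack such as /etc/pam.d/password-auth-ac.
# The module path below is an assumption; adjust it for your distribution.

PAM_WINBIND_SO="/lib64/security/pam_winbind.so"     # assumed location

# check_pam_stack FILE: auth, account and password must each reference
# pam_winbind.so, and in the auth stack pam_winbind.so must precede
# pam_deny.so (a module listed after pam_deny.so is never reached).
check_pam_stack() {
    file="$1"; bad=0
    for type in auth account password; do
        grep -Eq "^$type[[:space:]].*pam_winbind\.so" "$file" \
            || { echo "$type: no pam_winbind.so line"; bad=1; }
    done
    awk '$1 == "auth" && /pam_winbind\.so/ && !w { w = NR }
         $1 == "auth" && /pam_deny\.so/    && !d { d = NR }
         END { exit (w && d && w > d) ? 1 : 0 }' "$file" \
        || { echo "auth: pam_winbind.so is listed after pam_deny.so"; bad=1; }
    return $bad
}

# check_pam_module: the module file must exist (a symlink is needed when
# Samba was compiled from source, as the wiki notes above).
check_pam_module() {
    [ -e "$PAM_WINBIND_SO" ] || { echo "$PAM_WINBIND_SO is missing"; return 1; }
}

if [ "${1:-}" = "--check" ]; then
    check_pam_module && check_pam_stack "${2:-/etc/pam.d/password-auth-ac}"
fi
```

`sh pam-check.sh --check /etc/pam.d/password-auth-ac` only inspects the file; the real test is still the console login in the next section, done while the second terminal stays open.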

Verify domain user login
Try to log in on the local console with a domain user account:

CentOS Linux 7 (Core)
Kernel 3.10.0-229.11.1.el.7.x86_64 on an x86_64

M1 login: demo01
Password: Passw0rd

[demo01@M1 ~]$ _

Setting up additional services
Now that you have successfully made your host a Domain Member, you can, as on a Windows OS, additionally share directories (file server) or act as a print server.

Retrieved from "https://wiki.samba.org/index.php?title=Setup_Samba_as_an_AD_Domain_Member&oldid=12425"

This page was last modified on 26 October 2016, at 15:16.
This page has been accessed 10,350 times.
Content is available under the CC GNU GPL v2 or later unless otherwise noted.