CentOS Stream 9
Sponsored Link

Samba : Samba Winbind2022/03/18

 
Join in Windows Active Directory Domain with Samba Winbind.
This tutorial needs Windows Active Directory Domain Service in your Local Network.
This example is based on the environment like follows.
Domain Server : Windows Server 2022
Hostname : fd3s.srv.world
Domain Name : srv.world
NetBIOS Name : FD3S01
Realm : SRV.WORLD
[1] Install Winbind.
[root@smb ~]#
dnf -y install samba-winbind samba-winbind-clients oddjob-mkhomedir
[2] Configure Samba to bind Active Directory domain.
[root@smb ~]#
vi /etc/krb5.conf
# line 20 : uncomment and specify Realm

default_realm =
SRV.WORLD
# line 24 : add to specify Realm and Hostname of AD

[realms]
  SRV.WORLD = {
      kdc = fd3s.srv.world
      admin_server = fd3s.srv.world
  }

[root@smb ~]#
mv /etc/samba/smb.conf /etc/samba/smb.conf.org

[root@smb ~]#
vi /etc/samba/smb.conf
# create new
# replace [realm] and [workgroup] for your environment

[global]
        kerberos method = secrets and keytab
        realm = SRV.WORLD
        workgroup = FD3S01
        security = ads
        template shell = /bin/bash
        winbind enum groups = Yes
        winbind enum users = Yes
        winbind separator = +
        idmap config * : rangesize = 1000000
        idmap config * : range = 1000000-19999999
        idmap config * : backend = autorid

# switch to Winbind

[root@smb ~]#
authselect select winbind --force

Backup stored at /var/lib/authselect/backups/2022-03-18-01-52-37.Mbe8Ml
Profile "winbind" was selected.
The following nsswitch maps are overwritten by the profile:
- passwd
- group

Make sure that winbind service is configured and enabled. See winbind documentation for more information.

# set if you need (create home directory when initial login)

[root@smb ~]#
authselect enable-feature with-mkhomedir

[root@smb ~]#
systemctl enable --now oddjobd
[3] Join in Active Directory Domain.
# change DNS setting to refer to AD

[root@smb ~]#
nmcli connection modify enp1s0 ipv4.dns 10.0.0.100

[root@smb ~]#
nmcli connection down enp1s0; nmcli connection up enp1s0

Connection 'enp1s0' successfully deactivated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/1)
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/2)
# join in domain [-U (AD user)]

[root@smb ~]#
net ads join -U Administrator

Password for [FD3S01\Administrator]:
Using short domain name -- FD3S01
Joined 'SMB' to dns domain 'srv.world'
No DNS domain configured for smb. Unable to perform DNS Update.
DNS update failed: NT_STATUS_INVALID_PARAMETER
[root@smb ~]#
systemctl enable --now winbind
# show domain info

[root@smb ~]#
net ads info

LDAP server: 10.0.0.100
LDAP server name: fd3s.srv.world
Realm: SRV.WORLD
Bind Path: dc=SRV,dc=WORLD
LDAP port: 389
Server time: Fri, 18 Mar 2022 08:55:44 JST
KDC server: 10.0.0.100
Server time offset: -7199
Last machine account password change: Fri, 18 Mar 2022 10:54:53 JST

# show AD user list

[root@smb ~]#
wbinfo -u

FD3S01+administrator
FD3S01+guest
FD3S01+krbtgt
FD3S01+serverworld
FD3S01+redhat
FD3S01+debian
FD3S01+ldapuser
FD3S01+aduser01

# verify possible to login with AD user

[root@smb ~]#
exit

logout

CentOS Stream 9
Kernel 5.14.0-70.el9.x86_64 on an x86_64

Activate the web console with: systemctl enable --now cockpit.socket

smb login: FD3S01+serverworld
Password:
[FD3S01+serverworld@smb ~]$ id
uid=2001103(FD3S01+serverworld) gid=2000513(FD3S01+domain users) groups=2000513(FD3S01+domain users),2000512(FD3S01+domain admins),2000572(FD3S01+denied rodc password replication group),2001103(FD3S01+serverworld) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Matched Content