Debian 11 Bullseye
Sponsored Link

Samba : Samba Winbind2021/09/14

 
Join in Windows Active Directory Domain with Samba Winbind.
This tutorial needs Windows Active Directory Domain Service in your Local Network.
This example is based on the environment like follows.
Domain Server : Windows Server 2019
Domain Name : srv.world
Hostname : fd3s.srv.world
NetBIOS Name : FD3S01
Realm : SRV.WORLD
[1] Install Winbind.
root@smb:~#
apt -y install winbind libpam-winbind libnss-winbind krb5-config samba-dsdb-modules samba-vfs-modules
# specify Realm

 +------------------+ Configuring Kerberos Authentication +------------------+
 | When users attempt to use Kerberos and specify a principal or user name   |
 | without specifying what administrative Kerberos realm that principal      |
 | belongs to, the system appends the default realm.  The default realm may  |
 | also be used as the realm of a Kerberos service running on the local      |
 | machine.  Often, the default realm is the uppercase version of the local  |
 | DNS domain.                                                               |
 |                                                                           |
 | Default Kerberos version 5 realm:                                         |
 |                                                                           |
 | SRV.WORLD________________________________________________________________ |
 |                                                                           |
 |                                  <Ok>                                     |
 |                                                                           |
 +---------------------------------------------------------------------------+
# specify hostname of AD DS

     +--------------+ Configuring Kerberos Authentication +---------------+
     | Enter the hostnames of Kerberos servers in the SRV.WORLD           |
     | Kerberos realm separated by spaces.                                |
     |                                                                    |
     | Kerberos servers for your realm:                                   |
     |                                                                    |
     | fd3s.srv.world____________________________________________________ |
     |                                                                    |
     |                               <Ok>                                 |
     |                                                                    |
     +--------------------------------------------------------------------+
# specify hostname of AD DS

 +------------------+ Configuring Kerberos Authentication +------------------+
 | Enter the hostname of the administrative (password changing) server for   |
 | the SRV.WORLD Kerberos realm.                                             |
 |                                                                           |
 | Administrative server for your Kerberos realm:                            |
 |                                                                           |
 | fd3s.srv.world___________________________________________________________ |
 |                                                                           |
 |                                  <Ok>                                     |
 |                                                                           |
 +---------------------------------------------------------------------------+
[2] Configure Winbind.
root@smb:~#
mv /etc/samba/smb.conf /etc/samba/smb.conf.org

root@smb:~#
vi /etc/samba/smb.conf
# create new
# replace [realm] and [workgroup] for your environment

[global]
   kerberos method = secrets and keytab
   realm = SRV.WORLD
   workgroup = FD3S01
   security = ads
   template shell = /bin/bash
   winbind enum groups = Yes
   winbind enum users = Yes
   winbind separator = +
   idmap config * : rangesize = 1000000
   idmap config * : range = 1000000-19999999
   idmap config * : backend = autorid

root@smb:~#
vi /etc/nsswitch.conf
# line 7 : add like follows

passwd:         files systemd winbind
group:          files systemd winbind

root@smb:~#
vi /etc/pam.d/common-session
# add to the end if you need (auto create a home directory at initial login)

session optional        pam_mkhomedir.so skel=/etc/skel umask=077

# change DNS setting to refer to AD

root@smb:~#
vi /etc/resolv.conf
domain srv.world
search srv.world
nameserver 10.0.0.100
[3] Join in Windows Active Directory Domain.
# join in domain ( net ads join -U [AD's Administrative user])

root@smb:~#
net ads join -U Administrator

Enter Administrator's password:
Using short domain name -- FD3S01
Joined 'SMB' to dns domain 'srv.world'
No DNS domain configured for smb. Unable to perform DNS Update.
DNS update failed: NT_STATUS_INVALID_PARAMETER
root@smb:~#
systemctl restart winbind
# show domain info

root@smb:~#
net ads info

LDAP server: 10.0.0.100
LDAP server name: fd3s.srv.world
Realm: SRV.WORLD
Bind Path: dc=SRV,dc=WORLD
LDAP port: 389
Server time: Tue, 14 Sep 2021 09:16:16 JST
KDC server: 10.0.0.100
Server time offset: 0
Last machine account password change: Tue, 14 Sep 2021 09:16:04 JST

# show AD user list

root@smb:~#
wbinfo -u

FD3S01+administrator
FD3S01+guest
FD3S01+krbtgt
FD3S01+serverworld
FD3S01+ldapuser
FD3S01+aduser01

# verify to login with an AD user

root@smb:~#
exit

logout

Debian GNU/Linux 11 smb.srv.world ttyS0

smb login: FD3S01+serverworld
Password:
Linux smb.srv.world 5.10.0-8-amd64 #1 SMP Debian 5.10.46-4 (2021-08-03) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Creating directory '/home/FD3S01/serverworld'.
FD3S01+serverworld@smb:~$      # logined

serverworld@smb:~$
id

uid=2001103(FD3S01+serverworld) gid=2000513(FD3S01+domain users) groups=2000513(FD3S01+domain users),2001103(FD3S01+serverworld)
Matched Content