Samba : Samba Winbind2021/09/14 |
Join in Windows Active Directory Domain with Samba Winbind.
This tutorial needs Windows Active Directory Domain Service in your Local Network.
This example is based on the environment like follows.
|
|||||||||||
[1] | Install Winbind. |
root@smb:~#
apt -y install winbind libpam-winbind libnss-winbind krb5-config samba-dsdb-modules samba-vfs-modules # specify Realm +------------------+ Configuring Kerberos Authentication +------------------+ | When users attempt to use Kerberos and specify a principal or user name | | without specifying what administrative Kerberos realm that principal | | belongs to, the system appends the default realm. The default realm may | | also be used as the realm of a Kerberos service running on the local | | machine. Often, the default realm is the uppercase version of the local | | DNS domain. | | | | Default Kerberos version 5 realm: | | | | SRV.WORLD________________________________________________________________ | | | | <Ok> | | | +---------------------------------------------------------------------------+ # specify hostname of AD DS +--------------+ Configuring Kerberos Authentication +---------------+ | Enter the hostnames of Kerberos servers in the SRV.WORLD | | Kerberos realm separated by spaces. | | | | Kerberos servers for your realm: | | | | fd3s.srv.world____________________________________________________ | | | | <Ok> | | | +--------------------------------------------------------------------+ # specify hostname of AD DS +------------------+ Configuring Kerberos Authentication +------------------+ | Enter the hostname of the administrative (password changing) server for | | the SRV.WORLD Kerberos realm. | | | | Administrative server for your Kerberos realm: | | | | fd3s.srv.world___________________________________________________________ | | | | <Ok> | | | +---------------------------------------------------------------------------+ |
[2] | Configure Winbind. |
# create new # replace [realm] and [workgroup] for your environment [global] kerberos method = secrets and keytab realm = SRV.WORLD workgroup = FD3S01 security = ads template shell = /bin/bash winbind enum groups = Yes winbind enum users = Yes winbind separator = + idmap config * : rangesize = 1000000 idmap config * : range = 1000000-19999999 idmap config * : backend = autorid
root@smb:~#
vi /etc/nsswitch.conf # line 7 : add like follows passwd: files systemd winbind group: files systemd winbind
root@smb:~#
vi /etc/pam.d/common-session # add to the end if you need (auto create a home directory at initial login) session optional pam_mkhomedir.so skel=/etc/skel umask=077
domain srv.world
search srv.world
nameserver 10.0.0.100
|
[3] | Join in Windows Active Directory Domain. |
# join in domain ( net ads join -U [AD's Administrative user]) root@smb:~# net ads join -U Administrator Enter Administrator's password: Using short domain name -- FD3S01 Joined 'SMB' to dns domain 'srv.world' No DNS domain configured for smb. Unable to perform DNS Update. DNS update failed: NT_STATUS_INVALID_PARAMETER
root@smb:~#
systemctl restart winbind
# show domain info root@smb:~# net ads info LDAP server: 10.0.0.100 LDAP server name: fd3s.srv.world Realm: SRV.WORLD Bind Path: dc=SRV,dc=WORLD LDAP port: 389 Server time: Tue, 14 Sep 2021 09:16:16 JST KDC server: 10.0.0.100 Server time offset: 0 Last machine account password change: Tue, 14 Sep 2021 09:16:04 JST # show AD user list root@smb:~# wbinfo -u FD3S01+administrator FD3S01+guest FD3S01+krbtgt FD3S01+serverworld FD3S01+ldapuser FD3S01+aduser01 # verify to login with an AD user root@smb:~# exit logout Debian GNU/Linux 11 smb.srv.world ttyS0 smb login: FD3S01+serverworld Password: Linux smb.srv.world 5.10.0-8-amd64 #1 SMP Debian 5.10.46-4 (2021-08-03) x86_64 The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. Creating directory '/home/FD3S01/serverworld'. FD3S01+serverworld@smb:~$ # loginedserverworld@smb:~$ id uid=2001103(FD3S01+serverworld) gid=2000513(FD3S01+domain users) groups=2000513(FD3S01+domain users),2001103(FD3S01+serverworld) |
Sponsored Link |
|