Samba : Samba Winbind
2025/11/18

Join a Windows Active Directory domain with Samba Winbind.
This tutorial requires Windows Active Directory Domain Services running on your local network.

[1] Install Winbind.

[root@smb ~]# dnf -y install samba-winbind samba-winbind-clients oddjob-mkhomedir

[2] Configure Samba.

[root@smb ~]# vi /etc/krb5.conf
# line 20 : uncomment and specify Realm
default_realm = SRV.WORLD
# line 24-27 : add to specify Realm and Hostname of AD
[realms]
SRV.WORLD = {
    kdc = fd3s.srv.world
    admin_server = fd3s.srv.world
}

# create new
# replace [realm] and [workgroup] for your environment
[global]
        kerberos method = secrets and keytab
        realm = SRV.WORLD
        workgroup = FD3S01
        security = ads
        template shell = /bin/bash
        winbind enum groups = Yes
        winbind enum users = Yes
        winbind separator = +
        idmap config * : rangesize = 1000000
        idmap config * : range = 1000000-19999999
        idmap config * : backend = autorid

# switch to Winbind
[root@smb ~]# authselect select winbind --force
Backup stored at /var/lib/authselect/backups/2025-05-08-00-44-24.LkS9aU
Profile "winbind" was selected.

Make sure that winbind service is configured and enabled. See winbind documentation for more information.

# set if needed (create home directory at first login)
[root@smb ~]# authselect enable-feature with-mkhomedir
[root@smb ~]# systemctl enable --now oddjobd

[3] Join the Active Directory domain.

# change DNS setting to refer to AD
[root@smb ~]# nmcli connection modify enp1s0 ipv4.dns 10.0.0.100
[root@smb ~]# nmcli connection up enp1s0
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/3)

# join the domain [-U (AD user)]
[root@smb ~]# net ads join -U Administrator
Password for [FD3S01\Administrator]:
Using short domain name -- FD3S01
Joined 'SMB' to dns domain 'srv.world'

[root@smb ~]# systemctl enable --now winbind

# show domain info
[root@smb ~]# net ads info
LDAP server: 10.0.0.100
LDAP server name: fd3s.srv.world
Workgroup: FD3S01
Realm: SRV.WORLD
Bind Path: dc=SRV,dc=WORLD
LDAP port: 389
Server time: Tue, 18 Nov 2025 09:29:39 JST
KDC server: 10.0.0.100
Server time offset: 0
Last machine account password change: Tue, 18 Nov 2025 09:29:30 JST

# show AD user list
[root@smb ~]# wbinfo -u
FD3S01+administrator
FD3S01+guest
FD3S01+krbtgt
FD3S01+serverworld
FD3S01+ldapuser
FD3S01+nextcloud
FD3S01+aduser01

# verify that login with an AD user is possible
[root@smb ~]# exit
logout

Fedora Linux 43 (Server Edition)
Kernel 6.17.7-300.fc43.x86_64 on x86_64 (ttyS0)

Web console: https://smb.srv.world:9090/ or https://10.0.0.33:9090/

Try contacting this VM's SSH server via 'ssh vsock%1' from host.

smb login: FD3S01+serverworld
Password:
[FD3S01+serverworld@smb ~]$ id
uid=2001103(FD3S01+serverworld) gid=2000513(FD3S01+domain users) groups=2000513(FD3S01+domain users),2001103(FD3S01+serverworld) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
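
The uid and gid in the `id` output above follow from the autorid settings in step [2]. The script below is an added example, not part of the original tutorial: it applies the mapping formula documented in the idmap_autorid(8) man page to those values. The function names are hypothetical, and the reduced RID equals the AD RID only under the assumption that the domain occupies a single range (domain range index 0).

```shell
#!/bin/sh
# Added example: decode autorid-mapped Unix IDs with the idmap settings from step [2].

# idmap lines copied from the page's [global] section (embedded so this runs offline).
SMB_CONF='idmap config * : rangesize = 1000000
idmap config * : range = 1000000-19999999
idmap config * : backend = autorid'

# idmap_param NAME: print the value of "idmap config * : NAME" from $SMB_CONF.
idmap_param() {
    printf '%s\n' "$SMB_CONF" |
        sed -n "s/^[[:space:]]*idmap config \* *: *$1 *= *//p" | head -n 1
}

# autorid_decode ID: print "range=<n> reduced_rid=<r>" for an ID inside the
# configured range; return 1 if the ID is not covered by this idmap config.
autorid_decode() {
    id=$1
    size=$(idmap_param rangesize)
    range=$(idmap_param range)
    low=${range%-*}
    high=${range#*-}
    if [ "$id" -lt "$low" ] || [ "$id" -gt "$high" ]; then
        echo "outside idmap range $low-$high" >&2
        return 1
    fi
    # idmap_autorid(8): ID = reduced RID + range low value + range number * rangesize
    echo "range=$(( (id - low) / size )) reduced_rid=$(( (id - low) % size ))"
}

# autorid_range_count: number of per-domain ranges that fit into the configured span.
autorid_range_count() {
    size=$(idmap_param rangesize)
    range=$(idmap_param range)
    echo $(( (${range#*-} - ${range%-*} + 1) / size ))
}

# uid and gid taken from the `id` output in step [3]
autorid_decode 2001103    # user FD3S01+serverworld
autorid_decode 2000513    # group FD3S01+domain users (513 is the Domain Users RID)
autorid_range_count
```

Which range number a domain receives is recorded in winbind's local autorid database, so the same account can map to a different uid on another member server that allocated its ranges in a different order.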