Samba : Samba Winbind2023/04/28 |
Join in Windows Active Directory Domain with Samba Winbind.
This tutorial needs Windows Active Directory Domain Service in your Local Network.
This example is based on the environment like follows.
|
|||||||||||
[1] | Install Winbind. |
root@smb:~#
apt -y install winbind libpam-winbind libnss-winbind krb5-config samba-dsdb-modules samba-vfs-modules # specify Realm +------------------+ Configuring Kerberos Authentication +------------------+ | When users attempt to use Kerberos and specify a principal or user name | | without specifying what administrative Kerberos realm that principal | | belongs to, the system appends the default realm. The default realm may | | also be used as the realm of a Kerberos service running on the local | | machine. Often, the default realm is the uppercase version of the local | | DNS domain. | | | | Default Kerberos version 5 realm: | | | | SRV.WORLD________________________________________________________________ | | | | <Ok> | | | +---------------------------------------------------------------------------+ # specify hostname of AD DS +--------------+ Configuring Kerberos Authentication +---------------+ | Enter the hostnames of Kerberos servers in the SRV.WORLD | | Kerberos realm separated by spaces. | | | | Kerberos servers for your realm: | | | | fd3s.srv.world____________________________________________________ | | | | <Ok> | | | +--------------------------------------------------------------------+ # specify hostname of AD DS +------------------+ Configuring Kerberos Authentication +------------------+ | Enter the hostname of the administrative (password changing) server for | | the SRV.WORLD Kerberos realm. | | | | Administrative server for your Kerberos realm: | | | | fd3s.srv.world___________________________________________________________ | | | | <Ok> | | | +---------------------------------------------------------------------------+ |
[2] | Configure Winbind. |
# create new # replace [realm] and [workgroup] for your environment [global] kerberos method = secrets and keytab realm = SRV.WORLD workgroup = FD3S01 security = ads template shell = /bin/bash winbind enum groups = Yes winbind enum users = Yes winbind separator = + idmap config * : rangesize = 1000000 idmap config * : range = 1000000-19999999 idmap config * : backend = autorid
root@smb:~#
vi /etc/nsswitch.conf # line 7 : add like follows passwd: files systemd winbind group: files systemd winbind
root@smb:~#
vi /etc/pam.d/common-session # add to the end if you need (auto create a home directory at initial login) session optional pam_mkhomedir.so skel=/etc/skel umask=077
.....
.....
nameservers:
addresses: [10.0.0.100]
root@smb:~# netplan apply
|
[3] | Join in Windows Active Directory Domain. |
# join in domain ( net ads join -U [AD's Administrative user]) root@smb:~# net ads join -U Administrator Password for [FD3S01\Administrator]: Using short domain name -- FD3S01 Joined 'SMB' to dns domain 'srv.world' No DNS domain configured for smb. Unable to perform DNS Update. DNS update failed: NT_STATUS_INVALID_PARAMETER
root@smb:~#
systemctl restart winbind
# show domain info root@smb:~# net ads info LDAP server: 10.0.0.100 LDAP server name: fd3s.srv.world Realm: SRV.WORLD Bind Path: dc=SRV,dc=WORLD LDAP port: 389 Server time: Fri, 28 Apr 2023 11:14:40 JST KDC server: 10.0.0.100 Server time offset: 1 Last machine account password change: Fri, 28 Apr 2023 11:14:26 JST # show AD user list root@smb:~# wbinfo -u FD3S01+administrator FD3S01+guest FD3S01+krbtgt FD3S01+serverworld FD3S01+sqladmin FD3S01+exchangeadmin FD3S01+ubuntu FD3S01+debian FD3S01+centos FD3S01+fedora # verify to login with an AD user root@smb:~# exit logout Ubuntu 23.04 smb.srv.world ttyS0 smb login: FD3S01+serverworld Password: Welcome to Ubuntu 23.04 (GNU/Linux 6.2.0-20-generic x86_64) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage ..... ..... Creating directory '/home/FD3S01/serverworld'. FD3S01+serverworld@smb:~$ # loginedserverworld@smb:~$ id uid=2001103(FD3S01+serverworld) gid=2000513(FD3S01+domain users) groups=2000513(FD3S01+domain users),2000512(FD3S01+domain admins),2000572(FD3S01+denied rodc password replication group),2001103(FD3S01+serverworld),2001153(FD3S01+esx admins) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 |
Sponsored Link |
|