Ubuntu 23.04
Sponsored Link

Samba : Samba Winbind2023/04/28

 
Join in Windows Active Directory Domain with Samba Winbind.
This tutorial needs Windows Active Directory Domain Service in your Local Network.
This example is based on the environment like follows.
Domain Server : Windows Server 2022
Domain Name : srv.world
Hostname : fd3s.srv.world
NetBIOS Name : FD3S01
Realm : SRV.WORLD
[1] Install Winbind.
root@smb:~#
apt -y install winbind libpam-winbind libnss-winbind krb5-config samba-dsdb-modules samba-vfs-modules
# specify Realm

 +------------------+ Configuring Kerberos Authentication +------------------+
 | When users attempt to use Kerberos and specify a principal or user name   |
 | without specifying what administrative Kerberos realm that principal      |
 | belongs to, the system appends the default realm.  The default realm may  |
 | also be used as the realm of a Kerberos service running on the local      |
 | machine.  Often, the default realm is the uppercase version of the local  |
 | DNS domain.                                                               |
 |                                                                           |
 | Default Kerberos version 5 realm:                                         |
 |                                                                           |
 | SRV.WORLD________________________________________________________________ |
 |                                                                           |
 |                                  <Ok>                                     |
 |                                                                           |
 +---------------------------------------------------------------------------+
# specify hostname of AD DS

     +--------------+ Configuring Kerberos Authentication +---------------+
     | Enter the hostnames of Kerberos servers in the SRV.WORLD           |
     | Kerberos realm separated by spaces.                                |
     |                                                                    |
     | Kerberos servers for your realm:                                   |
     |                                                                    |
     | fd3s.srv.world____________________________________________________ |
     |                                                                    |
     |                               <Ok>                                 |
     |                                                                    |
     +--------------------------------------------------------------------+
# specify hostname of AD DS

 +------------------+ Configuring Kerberos Authentication +------------------+
 | Enter the hostname of the administrative (password changing) server for   |
 | the SRV.WORLD Kerberos realm.                                             |
 |                                                                           |
 | Administrative server for your Kerberos realm:                            |
 |                                                                           |
 | fd3s.srv.world___________________________________________________________ |
 |                                                                           |
 |                                  <Ok>                                     |
 |                                                                           |
 +---------------------------------------------------------------------------+
[2] Configure Winbind.
root@smb:~#
mv /etc/samba/smb.conf /etc/samba/smb.conf.org

root@smb:~#
vi /etc/samba/smb.conf
# create new
# replace [realm] and [workgroup] for your environment

[global]
   kerberos method = secrets and keytab
   realm = SRV.WORLD
   workgroup = FD3S01
   security = ads
   template shell = /bin/bash
   winbind enum groups = Yes
   winbind enum users = Yes
   winbind separator = +
   idmap config * : rangesize = 1000000
   idmap config * : range = 1000000-19999999
   idmap config * : backend = autorid

root@smb:~#
vi /etc/nsswitch.conf
# line 7 : add like follows

passwd:         files systemd winbind
group:          files systemd winbind

root@smb:~#
vi /etc/pam.d/common-session
# add to the end if you need (auto create a home directory at initial login)

session optional        pam_mkhomedir.so skel=/etc/skel umask=077

# change DNS setting to refer to AD

root@smb:~#
vi /etc/netplan/01-netcfg.yaml
.....
.....
      nameservers:
        addresses: [10.0.0.100]

root@smb:~#
netplan apply
[3] Join in Windows Active Directory Domain.
# join in domain ( net ads join -U [AD's Administrative user])

root@smb:~#
net ads join -U Administrator

Password for [FD3S01\Administrator]:
Using short domain name -- FD3S01
Joined 'SMB' to dns domain 'srv.world'
No DNS domain configured for smb. Unable to perform DNS Update.
DNS update failed: NT_STATUS_INVALID_PARAMETER
root@smb:~#
systemctl restart winbind
# show domain info

root@smb:~#
net ads info

LDAP server: 10.0.0.100
LDAP server name: fd3s.srv.world
Realm: SRV.WORLD
Bind Path: dc=SRV,dc=WORLD
LDAP port: 389
Server time: Fri, 28 Apr 2023 11:14:40 JST
KDC server: 10.0.0.100
Server time offset: 1
Last machine account password change: Fri, 28 Apr 2023 11:14:26 JST

# show AD user list

root@smb:~#
wbinfo -u

FD3S01+administrator
FD3S01+guest
FD3S01+krbtgt
FD3S01+serverworld
FD3S01+sqladmin
FD3S01+exchangeadmin
FD3S01+ubuntu
FD3S01+debian
FD3S01+centos
FD3S01+fedora

# verify to login with an AD user

root@smb:~#
exit

logout

Ubuntu 23.04 smb.srv.world ttyS0

smb login: FD3S01+serverworld
Password:
Welcome to Ubuntu 23.04 (GNU/Linux 6.2.0-20-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

.....
.....

Creating directory '/home/FD3S01/serverworld'.
FD3S01+serverworld@smb:~$      # logined

serverworld@smb:~$
id

uid=2001103(FD3S01+serverworld) gid=2000513(FD3S01+domain users) groups=2000513(FD3S01+domain users),2000512(FD3S01+domain admins),2000572(FD3S01+denied rodc password replication group),2001103(FD3S01+serverworld),2001153(FD3S01+esx admins) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Matched Content