Samba4 as AD Domain Member

Introduction

This HOWTO describes a basic setup of a Samba 4.x member server that is part of an Active Directory domain (regardless of whether Samba or Windows provides the AD).

Samba4 can run in one of four roles:

  1. Active Directory Domain Controller
  2. Read Only Domain Controller (RODC)
  3. Member Server (File Server)
  4. Standalone Server

Required Packages


See Samba4 Requirements for dependencies and recommendations.

Compiling and installation


After you have downloaded and unpacked the sources, you have to run inside of the extracted directory:

 # ./configure --with-ads --with-shared-modules=idmap_ad,idmap_rid --enable-debug --enable-selftest 
 # make
 # make install

Note: to list the available './configure' options:

 # ./configure --help | less

To install Samba4 from the SerNet repositories instead (first check http://ftp.uo.edu.cu for how to configure the repositories):

 # apt-get install sernet-samba-ad attr acl krb5-user

Setting up Kerberos


First back up the original '/etc/krb5.conf':

 # mv /etc/krb5.conf{,.orig}

Create the new file:

 # nano /etc/krb5.conf

Then give it the following content:

 [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

 [libdefaults]
     default_realm = REDTIC.UCLV.CU
     dns_lookup_realm = true
     dns_lookup_kdc = true
     ticket_lifetime = 24h
     forwardable = yes

 [appdefaults]
     pam = {
          debug = false
          ticket_lifetime = 36000
          renew_lifetime = 36000
          forwardable = true
          krb4_convert = false
     }

Configure NTP


Active Directory requires accurate time synchronization between the clients and the DC(s). It is highly recommended to run NTP or another form of synchronization. You can follow the instructions on the Samba4 Requirements web page, or simply install “ntpdate”:

 # apt-get install ntpdate

To configure ntpdate:

 # nano /etc/default/ntpdate

Then adjust the parameters to your configuration.

Note: Remember that your 'ntpd' must sync with your Active Directory server.

Setting up a basic smb.conf


The following is a very basic example of an 'smb.conf'. Normally this file is located in '/usr/local/samba/etc/'. Depending on your 'configure' parameters, it could be located in a different place.

If you use Samba from repositories the location is /etc/samba/.

 [global]
    # SHORTDOMAINNAME
    workgroup = REDTIC
    security = ADS
    # YOUR.SAMBA.DOMAIN.NAME
    realm = REDTIC.UCLV.CU

    idmap config *:backend = tdb
    idmap config *:range = 70001-80000
    idmap config REDTIC:backend = ad
    idmap config REDTIC:schema_mode = rfc2307
    idmap config REDTIC:range = 500-40000

    winbind nss info = rfc2307

    printing = bsd

 [public]
    path = /srv/samba/public
    read only = no

This is just a very basic example that will make your member server part of your Active Directory. The ID mapping for domain users/groups is done via schema mode rfc2307: users/groups that have a uidNumber/gidNumber set in AD are available on your member server with the same IDs as in your AD. If you use different UID/GID ranges in your AD, you have to adapt the ranges. For all non-domain accounts (like BUILTIN, etc.) the mappings are stored in a local TDB file and the IDs are taken from the given '*' range.

For further explanation on the 'smb.conf' parameters, see the manpage:

 # man smb.conf

Notes:

  1. The choice of domain back-end depends on who provides the domain. If you have a Microsoft AD without “Services for Unix (SFU)”, you should use the 'rid' back-end; for a Samba4 AD use the 'ad' back-end, as shown in the example above.
  2. The range given in “idmap config *:range” must not overlap the range given in “idmap config SHORTDOMAINNAME:range”.
  3. If you have a large directory, the upper bound of “idmap config SHORTDOMAINNAME:range =” should be a large number, because users whose IDs fall outside the range are not seen by Samba.
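The two range notes above can be checked mechanically. The following script is an added example, not part of the original HOWTO: it parses the "idmap config ...:range" lines of an smb.conf, verifies that the '*' range and the domain range are disjoint, and tells whether a given uidNumber would be served by the domain back-end. The smb.conf fragments are constructed samples; the first mirrors the HOWTO's values, the second deliberately overlaps.

```shell
#!/bin/sh
# Added example (not from the HOWTO): validate idmap ranges in an smb.conf.
# Constructed sample with the HOWTO's values (disjoint ranges).
SMB_CONF_SAMPLE='[global]
   workgroup = REDTIC
   idmap config * : backend = tdb
   idmap config * : range = 70001-80000
   idmap config REDTIC : backend = ad
   idmap config REDTIC : range = 500-40000
'
# Constructed bad sample: the default range swallows the domain range.
SMB_CONF_BAD='[global]
   idmap config * : range = 500-80000
   idmap config REDTIC : range = 500-40000
'
# idmap_range_of CONF DOMAIN -> prints "LOW HIGH" of "idmap config DOMAIN:range";
# accepts both "DOM : range" and "DOM:range" spellings, case-insensitively.
idmap_range_of() {
    printf '%s\n' "$1" | awk -v dom="$2" '
        tolower($0) ~ /^[ \t]*idmap config/ {
            line = $0; gsub(/[ \t]+/, "", line)
            n = split(line, kv, "=")
            if (n == 2 && tolower(kv[1]) == ("idmapconfig" tolower(dom) ":range")) {
                split(kv[2], r, "-"); print r[1], r[2]
            }
        }'
}
# idmap_ranges_ok CONF DOMAIN -> 0 when both ranges exist, are ordered and disjoint
idmap_ranges_ok() {
    def=$(idmap_range_of "$1" '*')
    dom=$(idmap_range_of "$1" "$2")
    [ -n "$def" ] && [ -n "$dom" ] || return 1
    set -- $def $dom                   # $1-$2: default range, $3-$4: domain range
    [ "$1" -le "$2" ] && [ "$3" -le "$4" ] || return 1
    [ "$2" -lt "$3" ] || [ "$4" -lt "$1" ]   # disjoint: one ends before the other starts
}
# uid_in_domain_range CONF DOMAIN UID -> 0 when UID is inside the domain range
uid_in_domain_range() {
    dom=$(idmap_range_of "$1" "$2")
    [ -n "$dom" ] || return 1
    set -- $dom "$3"                   # $1-$2: domain range, $3: uid to check
    [ "$3" -ge "$1" ] && [ "$3" -le "$2" ]
}
idmap_ranges_ok "$SMB_CONF_SAMPLE" REDTIC && echo "sample: idmap ranges are disjoint"
idmap_ranges_ok "$SMB_CONF_BAD" REDTIC || echo "bad: idmap ranges overlap or are missing"
uid_in_domain_range "$SMB_CONF_SAMPLE" REDTIC 10000 && echo "uid 10000: covered by the ad back-end"
```

Run it against your real file with `idmap_ranges_ok "$(cat /etc/samba/smb.conf)" REDTIC` after sourcing the functions.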

Joining the member server to the domain


 # net ads join -Uadministrator

Make domain users/groups available locally through winbind


To have your domain users and groups available on your member server, you have to create two symlinks in your /lib (/lib64 for amd64) directory:

For i386:

 # ln -s /usr/local/samba/lib/libnss_winbind.so /lib
 # ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
 # ldconfig

For amd64:

 # ln -s /usr/local/samba/lib/libnss_winbind.so /lib64
 # ln -s /lib64/libnss_winbind.so /lib64/libnss_winbind.so.2
 # ldconfig

For Samba4 Sernet:

For i386:

 # ln -s /lib/i386-linux-gnu/libnss_winbind.so /lib
 # ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
 # ldconfig

For amd64:

 # ln -s /lib/x86_64-linux-gnu/libnss_winbind.so /lib64
 # ln -s /lib64/libnss_winbind.so /lib64/libnss_winbind.so.2
 # ldconfig

To check that the library is registered correctly:

 # ldconfig -v | grep libnss_winbind | grep -v grep

The next step is to add 'winbind' to the 'passwd' and 'group' entry of your '/etc/nsswitch.conf':

 passwd: compat winbind
 group:  compat winbind

Starting the daemons


Once you have finished the above steps, you must start the Samba services (smbd, nmbd and winbindd).

You should write or obtain a start script to avoid starting the services by hand every time. Make sure that winbindd is started before smbd. You can find some examples on the Samba4 Requirements page.

If you installed Samba from the SerNet repositories you must enable Samba4 as a service:

 # nano /etc/default/sernet-samba

Then locate the line 'SAMBA_START_MODE="none"' and change "none" to "classic".

 # service sernet-samba-ad start

Finally start the Samba4 daemons:

 # /etc/init.d/sernet-samba-smbd start
 # /etc/init.d/sernet-samba-nmbd start
 # /etc/init.d/sernet-samba-winbindd start

To reload the Samba configuration:

 # smbcontrol all reload-config

Enable Samba4 at startup

If you use Samba4 from the SerNet repositories, the file '/etc/default/sernet-samba' controls how the Samba daemons start. You must edit this file and adjust it to your requirements. Keep in mind that a member server is part of the Samba AD, so you should enable the "classic" option in '/etc/default/sernet-samba':

 # nano /etc/default/sernet-samba

Then set 'SAMBA_START_MODE="classic"', because when you use Samba as a member server the daemons smbd, nmbd and winbindd are used.

Testing the winbind user/group mapping


To check if winbind receives user and groups from the domain, run the following commands:

 # wbinfo -u
 # wbinfo -g

This should show a list of all users and groups provided by the domain via winbind.

If you have set up your nsswitch.conf correctly, you should also be able to get users and groups from the domain:

 # id [domain_user]
 # wbinfo -i [domain_user]
 # getent passwd [domain_user]

Or

 # getent passwd DOMAIN\\user
 # getent group DOMAIN\\group

The enumeration of users and groups (“getent passwd/group” without another argument) is disabled by default, because the domain can be very big and enumerating it is a bad thing in such cases.

If you are not able to look up users using “getent”, even though you see them with “wbinfo”, look at AD and verify that all groups have GIDs. It may not be strictly necessary to have GIDs on *all* groups, but unless someone with a better understanding can clarify the requirement, it's the safe thing to do.

Setting up services