> I have another samba server and upgraded it to samba4. testparm returns
> clean with the old config (ROLE_DOMAIN_PDC) and starts up fine. smbclient
> seems to work fine.
>
> The next thing now is to try and make it a domain member so it can auth
> against AD.
>
> Thanks, Andrew, I appreciate the pointers.
You might want to take a look at "Integrating Red Hat Enterprise Linux 6
with Active Directory". It's the best document I've seen on this
topic. I found that Samba/Kerberos/Winbind is the most complete solution for
attaching a Samba fileserver in my AD environment.
https://access.redhat.com/sites/default/files/attachments/rhel-ad-integration-deployment-guidelines-v1.5.pdf
SSSD is really the way to go if you're running Centos 7, take a look at
"Red Hat Enterprise Linux 7 Windows Integration Guide":
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/pdf/Windows_Integration_Guide/Red_Hat_Enterprise_Linux-7-Windows_Integration_Guide-en-US.pdf
Below is my documentation on how to attach a RHEL/CentOS system to an Active
Directory Domain using Samba/Kerberos/Winbind. This configuration will allow you
to provide SMB file sharing and SSH logins for users in your AD domain. Note
this works in my AD domain but there might be some additional settings required
for your AD domain. Work closely with your AD domain administrator.
The name of the example server in this document is server.example.com,
substitute all values specific to your environment. Sample configuration files
are included following these directions. The following packages should be
installed:
samba4, samba4-common, samba4-client, samba4-winbind, samba4-winbind-clients,
krb5-workstation, openldap-clients
1. Set NTP to use the correct server for your Active Directory domain:
system-config-time
Set the primary NTP server to be your domain/forest NTP server
NTP_IP_address
2. Make backups of and edit the following system configuration files:
a. cp -p /etc/resolv.conf{,.bak}
b. vi /etc/resolv.conf
c. cp -p /etc/hosts{,.bak}
d. vi /etc/hosts
e. cp -p /etc/nsswitch.conf{,.bak}
f. vi /etc/nsswitch.conf
g. cp -p /etc/samba/smb.conf{,.bak}
h. vi /etc/samba/smb.conf
If you are editing a smb.conf file of a previously existing Samba fileserver, do
not change the range value in the "idmap config * : range =" parameter
i. cp -p /etc/krb5.conf{,.bak}
j. vi /etc/krb5.conf
3. Start the smb and winbind services:
a. /etc/init.d/smb start
b. /etc/init.d/winbindd start
Note that smb and winbind daemons need to be set to start up on boot. In
addition, the appropriate TCP ports will need to open on the system firewall if
you are deploying a SMB/CIFS fileserver.
4. Create a computer record in your Active Directory OU Computers container:
For server.example.com create a computer record called server
5. Initialize Kerberos and attach it to the Active Directory domain:
a. kinit username
b. net ads join -w EXAMPLE.COM -U username
6. Verify the bind to AD is valid:
a. net ads info
b. net ads testjoin
7. Create a Kerberos /etc/krb5.keytab file:
net ads keytab create -U username
8. Verify the contents of the Kerberos keytab file:
klist -ke
9. Add a share that has access restricted to an Active Directory group:
a. mkdir /data
b. vi /etc/samba/smb.conf
After the [homes}, section add the following text:
[data]
comment = Data Directory
path = /data
valid users = @"DOMAIN\AD_Group"
writable = yes
browseable = yes
Substitute DOMAIN\AD_Group with an AD group that will be accessing this share.
c. /etc/init.d/smb restart
10. Enable home directory creation
a. system-config-authentication
b. In the Advance Options tab, check the "Create home directories on the
first login" checkbox.
11. Restrict SSH logins to a specific local and Active Directory groups
Add this line to /etc/ssh/sshd_config:
a. AllowGroups group_name
Replace group_name with your local and AD group names. Note that the group names
cannot have a space in the group name. Also make sure that at least one local
group is added, otherwise you will not be able to SSH into your own server with
a local account.
12. Restart your server
Sample files:
/etc/resolv.conf
search example.com
nameserver IP_address
/etc/hosts
127.0.0.1 localhost.localdomain localhost
IP_address server.example.com server
/etc/nsswitch.conf
passwd: files winbind
shadow: files winbind
group: files winbind
hosts: files dns wins
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: files
publickey: nisplus
automount: files
aliases: files nisplus
/etc/samba/smb.conf
workgroup = example
realm = EXAMPLE.COM
server string = %h
password server = *
security = ads
client use spnego principal = yes
client use spnego = yes
kerberos method = secrets and keytab
server max protocol = SMB3
client signing = auto
server signing = auto
machine password timeout = 0
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = false
winbind refresh tickets = true
idmap config * : range = 16777216-33554431
/etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = EXAMPLE.COM
default_keytab_name = /etc/krb5.keytab
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
[realms]
EXAMPLE.COM = {
kdc = kdc.example.com.:88
kdc = IP_address
admin_server = kdc.example.com
kdc = IP_address
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
Andrew