samba - Sep 2022 - How to join RHEL 7 Linux Server to Active Directory Domain

As Rowland indicated this isn't the Samba way that is documented in
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member which I
found VERY helpful, but I have not fully worked out how RHEL setup in Chapter
16. File and Print Servers Red Hat Enterprise Linux 7 | Red Hat Customer
Portal<https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-file_and_print_servers#setting_up_samba_as_a_domain_member>
is configured for Kerberos.  Specifically I am not sure how Winbind would use
Kerberos in client mode since RHEL does not have steps to configure the
/etc/krb5.conf.  RHEL 7's default /etc/krb5.conf does use the include line
for /etc/krb5.conf.d/ which is empty.  I find this curious...does Winbind have
AI to work out the Kerberos server? 8-)

Samba Server Mode:  My understanding of Kerberos is there is no interaction
between the Samba server and the Kerberos server.  The client system that wants
to talk to the Samba server interacts with the Kerberos (Active Directory)
server and the presents its service ticket to the Samba server that uses its
secret key to verify the client is authenticated.

Samba Client Mode:  Since my understanding is there is interaction between the
client and the Kerberos server, my question is how does the RHEL Winbind setup
know who to contact to get a Kerberos ticket?  I am led to guess that Winbind
must somehow be able to ask the REALM defined in smb.conf for which server
provides this functionality?



-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Turritopsis
Dohrnii Teo En Ming (tdtemccna at gmail.com) via samba
Sent: Thursday, July 7, 2022
To: samba at lists.samba.org
Subject: [Samba] How to join RHEL 7 Linux Server to Active Directory Domain



Good day from Singapore,

I didn't realize it is so easy to join RHEL 7 Linux server to Active
Directory Domain.

You only need a few simple commands.

# yum install sssd realmd oddjob oddjob-mkhomedir adcli samba-common
samba-common-tools krb5-workstation openldap-clients
policycoreutils-python -y

# realm join -v --user=[domain user account] addc01.project.domain.com

# realm list
project.domain.com
type: kerberos
realm-name: PROJECT.DOMAIN.COM
domain-name: project.domain.com
configured: kerberos-member
server-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common-tools
login-formats: %U at project.domain.com
login-policy: allow-realm-logins

That's it.

On 25/09/2022 18:13, Eddie Rowe via samba wrote:
> As Rowland indicated this isn't the Samba way that is documented in
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member which I
found VERY helpful, but I have not fully worked out how RHEL setup in Chapter
16. File and Print Servers Red Hat Enterprise Linux 7 | Red Hat Customer
Portal<https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-file_and_print_servers#setting_up_samba_as_a_domain_member>
is configured for Kerberos.  Specifically I am not sure how Winbind would use
Kerberos in client mode since RHEL does not have steps to configure the
/etc/krb5.conf.  RHEL 7's default /etc/krb5.conf does use the include line
for /etc/krb5.conf.d/ which is empty.  I find this curious...does Winbind have
AI to work out the Kerberos server? 8-)
You just use the Samba krb5.conf
> 
> Samba Server Mode:  My understanding of Kerberos is there is no interaction
between the Samba server and the Kerberos server.  The client system that wants
to talk to the Samba server interacts with the Kerberos (Active Directory)
server and the presents its service ticket to the Samba server that uses its
secret key to verify the client is authenticated.
> 
> Samba Client Mode:  Since my understanding is there is interaction between
the client and the Kerberos server, my question is how does the RHEL Winbind
setup know who to contact to get a Kerberos ticket?
It isn't RHEL's winbind, it is Samba's winbind, no matter what OS
you
run Samba on, it will work just the same.


   I am led to guess that Winbind must somehow be able to ask the REALM 
defined in smb.conf for which server provides this functionality?

I think you might require this:

sudo authconfig --update --kickstart --enablewinbind --enablewinbindauth 
--smbsecurity=ads --smbworkgroup=SAMDOM --smbrealm=SAMDOM.EXAMPLE.COM 
--disablesssd --disablesssdauth --enableforcelegacy --disablecachecreds 
--enablemkhomedir --enablelocauthorize

Where 'SAMDOM' is your workgroup and 'SAMDOM.EXAMPLE.COM' is
your realm.

Just to note, I don't help with sssd, it isn't a Samba product and I do 
not see the point in using it with Samba, there is just too much 
missing. There is a place for sssd and that is with IPA.

Rowland

On Sun, Sep 25, 2022 at 1:15 PM Eddie Rowe via samba
<samba at lists.samba.org> wrote:
>
> As Rowland indicated this isn't the Samba way that is documented in
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member which I
found VERY helpful, but I have not fully worked out how RHEL setup in Chapter
16. File and Print Servers Red Hat Enterprise Linux 7 | Red Hat Customer
Portal<https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-file_and_print_servers#setting_up_samba_as_a_domain_member>
is configured for Kerberos.  Specifically I am not sure how Winbind would use
Kerberos in client mode since RHEL does not have steps to configure the
/etc/krb5.conf.  RHEL 7's default /etc/krb5.conf does use the include line
for /etc/krb5.conf.d/ which is empty.  I find this curious...does Winbind have
AI to work out the Kerberos server? 8-)
>
> Samba Server Mode:  My understanding of Kerberos is there is no interaction
between the Samba server and the Kerberos server.  The client system that wants
to talk to the Samba server interacts with the Kerberos (Active Directory)
server and the presents its service ticket to the Samba server that uses its
secret key to verify the client is authenticated.
>
> Samba Client Mode:  Since my understanding is there is interaction between
the client and the Kerberos server, my question is how does the RHEL Winbind
setup know who to contact to get a Kerberos ticket?  I am led to guess that
Winbind must somehow be able to ask the REALM defined in smb.conf for which
server provides this functionality?
sssd is.... well, I'm going to restrain my tendency for colorful
metaphors. sssd is entirely reliant on the underlying Samba provided
libraries. And it has a *lot* of problems when you push it hard. One
is that the "authocnfig", used to tune or enable it from the command
line, wipes out any locally edited or tunded settings in
/etc/sssd/sssd.conf, and there is no way to recover them except to set
up your own, entirely distinct configuration and management tools.
This is a waste of the time of Red Hat sys-admins.

Another issue is that sssd starts up, answers queries for a while, but
attempts to pre-cache the entire LDAP setup. You can pick and choose
relevant LDAP, but can only do so effective if the LDAP provided OU's
are in one substructure, not if they scattered. And very, very few
large environments organize their LDAP well enough to optimize this.
They leave user groups scattered around different parts of their
chart, and you wind up needing the whole thing. But if the LDAP is too
big, sssd times out and shoots itself through the head, and restarts
start over reloading the same bulky LDAP environment from scratch, and
fail again. It's been more than a decade, and there is no solution to
this problem except to set up another LDAP server closer to the
clients, which gets expensive and makes AD admins throw a hissy, even
if you offer to set up a Samba host for them to avoid expensive
Windows server icenses.

The Samba clients don't have this rat's nest of clients, but RHEL
documentation does not support using just Samba as a client anymore.
And the Samba built into RHEL has the domain controller features
disabled, so switching to a pure Samba setup becomes..... more
difficult, though there are many published Samba releases with those
features, including mine over at https://github.com/nkadel/samba4repo/
or built into most modern network storage applicances. Red Hat instead
encourages the use of FreeIPA as the server, and sssd as the client,
which in my observation don't buy you anything useful except the
simplified "authconfig" command settings, which in fact destabilize
Samba or AD clients.

Nico Kadel-Garcia

> -----Original Message-----
> From: samba <samba-bounces at lists.samba.org> On Behalf Of
Turritopsis Dohrnii Teo En Ming (tdtemccna at gmail.com) via samba
> Sent: Thursday, July 7, 2022
> To: samba at lists.samba.org
> Subject: [Samba] How to join RHEL 7 Linux Server to Active Directory Domain
>
>
>
> Good day from Singapore,
>
> I didn't realize it is so easy to join RHEL 7 Linux server to Active
> Directory Domain.
>
> You only need a few simple commands.
>
> # yum install sssd realmd oddjob oddjob-mkhomedir adcli samba-common
> samba-common-tools krb5-workstation openldap-clients
> policycoreutils-python -y
>
> # realm join -v --user=[domain user account] addc01.project.domain.com
>
> # realm list
> project.domain.com
> type: kerberos
> realm-name: PROJECT.DOMAIN.COM
> domain-name: project.domain.com
> configured: kerberos-member
> server-software: sssd
> required-package: oddjob
> required-package: oddjob-mkhomedir
> required-package: sssd
> required-package: adcli
> required-package: samba-common-tools
> login-formats: %U at project.domain.com
> login-policy: allow-realm-logins
>
> That's it.
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba