Ricardo Campos
2023-Dec-12 23:19 UTC
[Samba] How to configure samba, sssd, pam etc so that domain users can log in the linux server?
Hi.
I'm struggling hard with those tons of configurations in order to allow
samba ad-dc users to log in to the Debian server.
I couldn't really find a place with a definite configuration. It seems that
there are many possibilities, which makes people really confused.
I decided to build samba from scratch meaning that I'm not using the distro
version. The version I installed is 4.19.3.
Let me show the basic configuration I have now.
/usr/local/samba/etc/smb.conf:
# Global parameters
[global]
dns forwarder = 8.8.8.8
netbios name = MEUSAMBA
realm = XXXX.LOCAL
server role = active directory domain controller
workgroup = XXXX
idmap_ldb:use rfc2307 = yes
include registry
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
[netlogon]
path = /usr/local/samba/var/locks/sysvol/xxxx.local/scripts
read only = No
[nas]
path = /dados/nas
read only = No
[suporte]
path = /dados/suporte
read only = no
/etc/sssd/sssd.conf
[sssd]
domains = xxxx.local
config_file_version = 2
services = nss, pam
[domain/xxxx.local]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = XXXX.LOCAL
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u@%d
ad_domain = xxxx.local
use_fully_qualified_names = True
ldap_id_mapping = True
access_provider = ad
In fact, I configured it this way because the site said I should do so, but
I'd rather not use kerberos. I'd like to keep it simpler.
Any help will be very much appreciated.
Thanks,
Ricardo
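A small linter for the sssd.conf shown in the post above, added here as an example (it is not code from the thread's authors or from the Samba or SSSD projects). sssd.conf is INI-style, so Python's configparser can read it; the checks cover the mistakes that most often stop domain logins: a domain listed in `domains =` with no matching `[domain/...]` section (and vice versa), `ad_domain` or `krb5_realm` not matching the section name, `id_provider` not set to `ad`, and `access_provider` left at its default of `permit` (which lets every domain account log in). The sample config is constructed; its section name deliberately does not match the `domains =` entry.

```python
"""Lint an sssd.conf for mistakes that stop Samba AD domain users logging in.

Added example, not from the Samba/SSSD projects or the thread's authors.
"""
import configparser
import os
import stat

# Constructed sample: one domain declared, but the section is named differently.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = xxxx.local
config_file_version = 2
services = nss, pam

[domain/ibam.local]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = XXXX.LOCAL
id_provider = ad
fallback_homedir = /home/%u@%d
ad_domain = xxxx.local
use_fully_qualified_names = True
ldap_id_mapping = True
access_provider = ad
"""


def parse_sssd_conf(text):
    # interpolation=None keeps "%u@%d" in fallback_homedir from being expanded
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def lint_sssd_conf(text):
    """Return a list of human-readable findings (empty list means no problems found)."""
    cp = parse_sssd_conf(text)
    findings = []
    if not cp.has_section("sssd"):
        return ["missing [sssd] section"]

    declared = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",") if d.strip()]
    if not declared:
        findings.append("[sssd] has no 'domains =' entry; no domain will be started")
    defined = {s.split("/", 1)[1] for s in cp.sections() if s.startswith("domain/")}

    for d in declared:
        if d not in defined:
            findings.append(f"domain '{d}' is listed in [sssd] but no [domain/{d}] section exists")
    for d in sorted(defined - set(declared)):
        findings.append(f"[domain/{d}] is defined but not listed in 'domains ='; sssd ignores it")

    for sec in cp.sections():
        if not sec.startswith("domain/"):
            continue
        name = sec.split("/", 1)[1]
        provider = cp.get(sec, "id_provider", fallback=None)
        if provider != "ad":
            findings.append(f"{sec}: id_provider is {provider!r}, expected 'ad' for a Samba AD domain")
        ad_domain = cp.get(sec, "ad_domain", fallback=name)
        if ad_domain.lower() != name.lower():
            findings.append(f"{sec}: ad_domain '{ad_domain}' does not match the section name '{name}'")
        realm = cp.get(sec, "krb5_realm", fallback=None)
        if realm is not None and realm != ad_domain.upper():
            findings.append(f"{sec}: krb5_realm '{realm}' should be the AD domain in upper case")
        # sssd's default access_provider is 'permit': every domain account may log in.
        if cp.get(sec, "access_provider", fallback="permit") == "permit":
            findings.append(f"{sec}: access_provider defaults to 'permit'; set access_provider = ad "
                            "so AD account restrictions are enforced")
    return findings


def check_file_permissions(path):
    """sssd refuses a config file that is not owned by root with mode 0600."""
    st = os.stat(path)
    problems = []
    if st.st_uid != 0:
        problems.append("not owned by root")
    mode = stat.S_IMODE(st.st_mode)
    if mode != 0o600:
        problems.append(f"mode is {oct(mode)}, expected 0600")
    return problems


if __name__ == "__main__":
    for f in lint_sssd_conf(SAMPLE_SSSD_CONF):
        print("-", f)
    if os.path.exists("/etc/sssd/sssd.conf"):
        for p in check_file_permissions("/etc/sssd/sssd.conf"):
            print("- /etc/sssd/sssd.conf:", p)
```

Run it against a real file with `lint_sssd_conf(open("/etc/sssd/sssd.conf").read())`; the permission check is separate because sssd will not start at all when the file is world-readable, whatever the contents say.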
Rowland Penny
2023-Dec-13 08:03 UTC
[Samba] How to configure samba, sssd, pam etc so that domain users can log in the linux server?
On Tue, 12 Dec 2023 20:19:25 -0300
Ricardo Campos via samba <samba at lists.samba.org> wrote:

> Hi.
>
> I'm struggling hard with those tons of configurations in order to
> allow samba ad-dc users log in the Debian server.

Samba does not recommend using a DC as a fileserver.

> I couldn't really find a place with definite configuration. It seems
> that there are many possibilities what make people really confused.

It isn't that confusing on a Samba DC, you either use the default
idmap_ldb (which will give you IDs in the '3000000' range) or you use
rfc2307 attributes with idmap_ldb (in which case you get to choose the
range).

> I decided to build samba from scratch meaning that I'm not using the
> distro version. The version I installed is 4.19.3.

Why build it yourself, what is wrong with Samba 4.19.3 from
bookworm-backports ?

> Let me tell the basic configurations I have now.
>
> /usr/local/samba/etc/smb.conf:
>
> # Global parameters
> [global]
> dns forwarder = 8.8.8.8
> netbios name = MEUSAMBA
> realm = XXXX.LOCAL
> server role = active directory domain controller
> workgroup = XXXX
> idmap_ldb:use rfc2307 = yes
> include registry

Why use the registry ?

> [sysvol]
> path = /usr/local/samba/var/locks/sysvol
> read only = No
>
> [netlogon]
> path = /usr/local/samba/var/locks/sysvol/xxxx.local/scripts
> read only = No
>
> [nas]
> path = /dados/nas
> read only = No
>
> [suporte]
> path = /dados/suporte
> read only = no
>
> /etc/sssd/sssd.conf

Samba, because it does not produce sssd, cannot provide support for it
and you do not actually need it.

> In fact, I configured this way because the site said I should do so,

What 'site' ?

> but I'd rather do not use kerberos. I'd like to keep it simpler.

Active Directory requires kerberos, which in turn requires DNS, so it
isn't simple, but then again it isn't rocket science :-)

Rowland
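The reply above notes that a Samba DC either hands out IDs from the default idmap_ldb range (the 3000000 range) or uses rfc2307 uidNumber/gidNumber attributes, in which case the administrator picks the range. Whichever is used, a check worth running on the Linux side is that the POSIX IDs domain users resolve to do not collide with local accounts (a domain user mapped to uid 0 or to a local user's uid inherits that account's files and privileges) and that they stay inside the range you intended. The script below is an added example, not code from the thread or from Samba: it parses `getent passwd`-style lines, treats names containing `@` or `\` as domain accounts (the form `use_fully_qualified_names = True` produces), and reports collisions and out-of-range IDs. The passwd lines and the range are constructed for the example; on a real host you would feed it the actual `getent passwd` output and your configured range.

```python
"""Check that domain users' POSIX IDs neither collide with local accounts nor leave the intended range.

Added example, not from the Samba project or the thread's authors.
"""

# Constructed sample of `getent passwd` output: local accounts plus domain accounts
# resolved through sssd/winbind with fully qualified names.
SAMPLE_GETENT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
ricardo:x:1000:1000:Ricardo:/home/ricardo:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
alice@xxxx.local:*:3000012:3000000:Alice:/home/alice@xxxx.local:/bin/bash
bob@xxxx.local:*:1000:3000000:Bob:/home/bob@xxxx.local:/bin/bash
svc-backup@xxxx.local:*:0:3000000:Backup service:/home/svc-backup@xxxx.local:/bin/bash
carol@xxxx.local:*:10001:3000000:Carol:/home/carol@xxxx.local:/bin/bash
"""

# Assumed range for the example: the default idmap_ldb allocations start at 3000000.
# With rfc2307 attributes substitute the range you chose (e.g. 10000-99999).
ASSUMED_DOMAIN_ID_RANGE = (3000000, 3999999)


def parse_passwd(text):
    """Return a list of (name, uid, gid) tuples from passwd-format lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue  # malformed line; skip rather than guess
        entries.append((fields[0], int(fields[2]), int(fields[3])))
    return entries


def is_domain_account(name):
    # Fully qualified domain names look like user@realm or DOMAIN\user.
    return "@" in name or "\\" in name


def find_id_problems(entries, id_range):
    """Return a list of (account, problem) tuples for domain accounts."""
    lo, hi = id_range
    local_by_uid = {uid: name for name, uid, _ in entries if not is_domain_account(name)}
    problems = []
    for name, uid, _ in entries:
        if not is_domain_account(name):
            continue
        if uid in local_by_uid:
            # A collision is the serious case: the domain user owns everything the
            # local account owns. uid 0 means a root-equivalent domain account.
            problems.append((name, f"uid {uid} collides with local account '{local_by_uid[uid]}'"))
            continue
        if not lo <= uid <= hi:
            problems.append((name, f"uid {uid} is outside the expected range {lo}-{hi}"))
    return problems


if __name__ == "__main__":
    for account, problem in find_id_problems(parse_passwd(SAMPLE_GETENT_PASSWD), ASSUMED_DOMAIN_ID_RANGE):
        print(f"{account}: {problem}")
```

On a live system, `getent passwd` only lists domain users when `enumerate = True` is set (sssd) or `winbind enum users = yes` (winbind); otherwise resolve the specific accounts you care about with `getent passwd user@realm` and pipe those lines in.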