Setting up Samba as a Domain Member: Difference between revisions
Edit summaries: m (slight kerberos update); m (changed note to infobox)
(28 intermediate revisions by 5 users not shown)
Revision as of 15:19, 14 September 2018
Introduction
A Samba domain member is a Linux or Unix machine running Samba that is joined to a domain but does not provide domain services; that is, it is neither an NT4 primary domain controller (PDC) nor an Active Directory (AD) domain controller (DC).
On a Samba domain member, you can:
- Use domain users and groups in local ACLs on files and directories.
- Set up shares to act as a file server.
- Set up printing services to act as a print server.
- Configure PAM to enable domain users to log on locally or to authenticate to local installed services.
For details about setting up a Samba NT4 domain or Samba AD, see Domain Control.
Preparing the Installation
General Preparation
- Verify that no Samba processes are running:
# ps ax | egrep "samba|smbd|nmbd|winbindd"
- If the output lists any samba, smbd, nmbd, or winbindd processes, shut down the processes.
- If you previously ran a Samba installation on this host:
  - Remove the existing smb.conf file. To list the path to the file, enter:
# smbd -b | grep "CONFIGFILE"
CONFIGFILE: /usr/local/samba/etc/samba/smb.conf
  - Remove all Samba database files, such as *.tdb and *.ldb files. To list the folders containing Samba databases, enter:
# smbd -b | egrep "LOCKDIR|STATEDIR|CACHEDIR|PRIVATE_DIR"
LOCKDIR: /usr/local/samba/var/lock/
STATEDIR: /usr/local/samba/var/locks/
CACHEDIR: /usr/local/samba/var/cache/
PRIVATE_DIR: /usr/local/samba/private/
- Starting with a clean environment helps you to prevent confusion and ensures that no files from your previous Samba installation are mixed with your new domain member installation.
Preparing a Domain Member to Join an Active Directory Domain
Configuring DNS
For details, see Linux and Unix DNS Configuration.
Configuring Kerberos
Samba supports the Heimdal and MIT Kerberos back ends. To configure Kerberos on the domain member, set the following in your /etc/krb5.conf file:
[libdefaults]
default_realm = SAMDOM.EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true
The previous example configures Kerberos for the SAMDOM.EXAMPLE.COM realm. Replace it with your own Kerberos realm, which is the AD DNS domain name written in upper case.
The Samba team recommends not setting any further parameters in the /etc/krb5.conf file.
If your /etc/krb5.conf contains an include line, the domain join will not work; you must remove this line.
To check the configuration before joining, request a ticket for a domain account, for example with kinit administrator@SAMDOM.EXAMPLE.COM, and confirm with klist that a ticket for krbtgt/SAMDOM.EXAMPLE.COM was issued. If kinit cannot find a KDC, fix DNS and the realm name first; the join will fail the same way.
Configuring Time Synchronisation
Kerberos requires a synchronised time on all domain members. Thus it is recommended to set up an NTP client. For further details, see Configuring Time Synchronisation on a Unix Domain Member.
Local Host Name Resolution
When you join the host to the domain, Samba tries to register the host name in the AD DNS zone. For this, the net utility must be able to resolve the host name using DNS or using a correct entry in the /etc/hosts file.
To verify that your host name resolves correctly, use the getent hosts command. For example:
# getent hosts M1
10.99.0.5 M1.samdom.example.com M1
The host name and FQDN must not resolve to the 127.0.0.1 IP address or to any IP address other than the one used on the LAN interface of the domain member.
If no output is displayed, or the host is resolved to the wrong IP address, and you are not using DHCP, set the correct entry in the /etc/hosts file. For example:
127.0.0.1 localhost
10.99.0.5 M1.samdom.example.com M1
If you are using DHCP, check that /etc/hosts only contains the '127.0.0.1' line shown above. If you continue to have problems, contact the sysadmin who controls your DHCP server.
- On Debian-related systems you will also see the line 127.0.1.1 hostname in /etc/hosts; remove it before you install Samba.
- Keep the line 127.0.0.1 localhost. If you need to add aliases for the machine's host name, add them to the end of the line that starts with the machine's IP address, not to the 127.0.0.1 line.
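The rules above are easy to get wrong by hand, and a host that resolves to a loopback address only fails later, at join time. The following added example (not code from the Samba wiki or the Samba project) checks an /etc/hosts file against those rules: the short name and the FQDN must be on the line of the LAN address with the FQDN first (as in the page's example), must not be on a loopback line, and the Debian-style 127.0.1.1 line must be gone. The host names, the address 10.99.0.5 and the three file contents are constructed sample data.

```python
"""Sanity-check an /etc/hosts file for a Samba domain member before 'net ads join'.

Added example, not code from the Samba wiki or the Samba project. It encodes
the rules stated on the page: the short host name and the FQDN must map to the
LAN address (FQDN first on that line), never to a loopback address, and the
Debian-style '127.0.1.1 hostname' line must be removed. The host names, the
address and the file contents below are constructed sample data.
"""
import ipaddress


def parse_hosts(text):
    """Return [(ip, [names])] for every non-comment line of /etc/hosts-style text."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        entries.append((ip, names))
    return entries


def check_hosts(text, short_name, fqdn, lan_ip):
    """Return a list of problems; an empty list means the file follows the rules."""
    problems = []
    wanted = {short_name.lower(), fqdn.lower()}
    lan_line_ok = False
    for ip, names in parse_hosts(text):
        lower = {n.lower() for n in names}
        hits = sorted(wanted & lower)               # our names present on this line
        try:
            loopback = ipaddress.ip_address(ip).is_loopback
        except ValueError:
            problems.append("unparseable address %r" % ip)
            continue
        if ip == "127.0.1.1":
            problems.append("remove the Debian-style line '127.0.1.1 %s'" % " ".join(names))
        elif hits and loopback:
            problems.append("%s resolves to loopback address %s" % (", ".join(hits), ip))
        elif hits and ip != lan_ip:
            problems.append("%s resolves to %s, expected LAN address %s" % (", ".join(hits), ip, lan_ip))
        elif ip == lan_ip:
            if names[0].lower() != fqdn.lower():
                problems.append("the first name on the %s line must be the FQDN %s" % (ip, fqdn))
            if wanted <= lower:
                lan_line_ok = True
    if not lan_line_ok:
        problems.append("no line maps both %s and %s to %s" % (fqdn, short_name, lan_ip))
    return problems


# Constructed sample files: the layout this page recommends, a Debian default,
# and the loopback mistake the page warns about.
GOOD_HOSTS = "127.0.0.1 localhost\n10.99.0.5 M1.samdom.example.com M1\n"
DEBIAN_HOSTS = "127.0.0.1 localhost\n127.0.1.1 M1\n10.99.0.5 M1.samdom.example.com M1\n"
LOOPBACK_HOSTS = "127.0.0.1 localhost M1.samdom.example.com M1\n"

if __name__ == "__main__":
    for label, content in (("good", GOOD_HOSTS), ("debian", DEBIAN_HOSTS), ("loopback", LOOPBACK_HOSTS)):
        print(label, check_hosts(content, "M1", "M1.samdom.example.com", "10.99.0.5") or "OK")
```

Run it against the real file with open("/etc/hosts").read() and the output of hostname -s, hostname -f and the LAN address; an empty list means the file matches what getent hosts should return for the join.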
Preparing a Domain Member to Join an NT4 Domain
For joining a host to an NT4 domain, no preparation is required.
Installing Samba
For details, see Installing Samba.
Install a maintained Samba version. For details, see Samba Release Planning.
Configuring Samba
Setting up a Basic smb.conf File
When setting up smb.conf on a Unix domain member, you need to make a few decisions.
- Do you require users and groups to have the same IDs everywhere, including on Samba AD DCs?
- Do you only want your users and groups to have the same IDs on Unix domain members?
After making that decision, you have another one to make, and it may affect what you have already decided:
- Do you want or need individual users to have different login shells and/or Unix home directory paths?
If you need your users to have different login shells and/or Unix home directory paths, or you want them to have the same IDs everywhere, you need to use the winbind 'ad' back end and add RFC2307 attributes to AD.
The RFC2307 attributes are not added automatically when users or groups are created.
The ID numbers found on a DC (numbers in the 3000000 range) are NOT RFC2307 attributes. They cannot and will not be used on Unix domain members. If you want the same ID numbers everywhere, you must add uidNumber and gidNumber attributes to AD and use the winbind 'ad' back end on the Unix domain members. If you do decide to add uidNumber and gidNumber attributes to AD, you do not need to use numbers in the 3000000 range; in fact, it is definitely a good idea to use a different range.
If your users will only use the Samba AD DC for authentication and will not store data on it or log into it, you can use the winbind 'rid' back end. It calculates the user and group IDs from the Windows RID, so if you use the same [global] section of smb.conf on every Unix domain member, you get the same IDs on all of them. If you use the 'rid' back end you do not need to add anything to AD; in fact, any RFC2307 attributes are ignored. When using the 'rid' back end you must set the 'template shell' and 'template homedir' parameters in smb.conf. These are global settings, so everyone gets the same login shell and Unix home directory path, unlike the RFC2307 attributes, where you can set individual Unix home directory paths and shells.
There is another way of setting up Samba, for the case where you require your users and groups to have the same IDs everywhere but only need your users to have the same login shell and the same Unix home directory path. You can do this by using the winbind 'ad' back end together with the template lines in smb.conf. This way you only have to add uidNumber and gidNumber attributes to AD.
Having decided which winbind back end to use, you have a further decision to make: the ranges to use with 'idmap config' in smb.conf. By default on a Unix domain member, there are multiple blocks of users and groups:
- The local system users and groups: these are in the range 0-999
- The local Unix users and groups: these start at 1000
- The 'well known SIDs': ????
- The DOMAIN users and groups: Active Directory Users and Computers (ADUC), by default, starts these at 10000
- Trusted domains: ????
- Anything that isn't a 'well known SID' or a member of DOMAIN or a trusted domain: ????
As you can see from the above, you should not set either the '*' or the 'DOMAIN' range to start at 999 or less, as they would interfere with the local system users and groups. You should also leave space for any local Unix users and groups, so starting the 'idmap config' ranges at 3000 seems to be a good compromise.
You need to decide how large your 'DOMAIN' is likely to grow, and you also need to know whether you have any trusted domains or may need to have any in future.
Bearing the above information in mind, you could set the 'idmap config' ranges to the following:
Domain   Range
*        3000-7999
DOMAIN   10000-999999
You could also have any trusted domains starting at:
Domain   Range
TRUSTED  1000000-9999999
If you set the '*' range above the 'DOMAIN' range, the ranges will conflict once the domain grows to the point that the next ID would be the same as the start ID of the '*' range.
With the above suggested ranges, no range will overlap or interfere with another.
You may also have seen examples of the '*' range being used for everything; this is not recommended and should not be used.
Before joining the domain, configure the domain member's smb.conf file:
- To locate the file, enter:
# smbd -b | grep CONFIGFILE
CONFIGFILE: /usr/local/samba/etc/smb.conf
- After reading this wiki page, edit the smb.conf file and use the following example configuration as a basis for yours; do not just cut and paste it:
[global]
security = ADS
workgroup = SAMDOM
realm = SAMDOM.EXAMPLE.COM
log file = /var/log/samba/%m.log
log level = 1
# Default ID mapping configuration for local BUILTIN accounts
# and groups on a domain member. The default (*) domain:
# - must not overlap with any domain ID mapping configuration!
# - must use a read-write-enabled back end, such as tdb.
# - Adding just this is not enough
# - You must set a DOMAIN backend configuration, see below
idmap config * : backend = tdb
idmap config * : range = 3000-7999
- For information on the parameters, see the smb.conf(5) man page.
- You must add an ID mapping configuration, for each domain that you want Samba to be aware of, to the [global] section of your smb.conf file.
- Follow one of the following links for information about the Samba domain back ends:
Back End   Documentation          Man Page
ad         idmap config ad        idmap_ad(8)
rid        idmap config rid       idmap_rid(8)
autorid    idmap config autorid   idmap_autorid(8)
ldap       idmap config ldap      idmap_ldap(8)
nss        idmap config nss       idmap_nss(8)
Add an additional ID mapping configuration for every domain. The ID ranges of the default (*) domain and other domains configured in the smb.conf file must not overlap.
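Overlapping or too-low idmap ranges are the most common cause of domain users silently getting the wrong Unix IDs, and Samba does not refuse such a configuration outright. The following added example (not code from the Samba project or this wiki) reads the idmap config lines of an smb.conf fragment and checks the rules stated in this section and in the ID-range discussion above: a default '*' domain with a writable back end, at least one per-domain entry, every range starting at or above 1000, and no two ranges overlapping. rid_to_id() reproduces the arithmetic documented for the idmap_rid back end (ID = RID - BASE_RID + LOW_RANGE_ID) so you can see why the DOMAIN range has to be large enough for the highest RID in the domain. The configuration fragments and the SID are constructed sample input; the 1000 threshold is the page's own figure and can be raised to 3000 via min_start.

```python
"""Check the 'idmap config' ranges of an smb.conf [global] section.

Added example, not code from the Samba project or this wiki. Rules checked:
every domain, including the default '*' domain, needs a back end and a range;
no two ranges may overlap; no range may start below min_start (1000, where the
local system accounts live; the page suggests 3000 to leave room for local
Unix users); the '*' domain needs a back end that can write new mappings,
such as tdb; and the '*' entry alone is not enough. rid_to_id() reproduces
the idmap_rid arithmetic, id = range_low + (rid - base_rid). The smb.conf
fragments and the SID below are constructed sample input.
"""
import re

IDMAP_LINE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)
# Back ends able to allocate new IDs for the '*' domain (rid and ad are read-only).
WRITABLE_BACKENDS = {"tdb", "tdb2", "ldap", "autorid"}


def parse_idmap(conf):
    """Return {DOMAIN: {option: value}} for all 'idmap config' lines in conf."""
    cfg = {}
    for line in conf.splitlines():
        m = IDMAP_LINE.match(line)
        if m:
            cfg.setdefault(m["dom"].upper(), {})[m["key"].lower()] = m["val"]
    return cfg


def check_idmap(conf, min_start=1000):
    """Return a list of problems; an empty list means the ranges are consistent."""
    cfg = parse_idmap(conf)
    problems = []
    if "*" not in cfg:
        problems.append("no 'idmap config * : ...' default domain")
    elif cfg["*"].get("backend", "tdb").lower() not in WRITABLE_BACKENDS:
        problems.append("default (*) domain needs a writable back end such as tdb")
    if not any(dom != "*" for dom in cfg):
        problems.append("no per-domain idmap config; the '*' entry alone is not enough")
    ranges = []
    for dom, opts in cfg.items():
        if "backend" not in opts:
            problems.append("%s: missing backend" % dom)
        rng = opts.get("range", "")
        if not re.fullmatch(r"\d+\s*-\s*\d+", rng):
            problems.append("%s: missing or malformed range %r" % (dom, rng))
            continue
        low, high = (int(x) for x in rng.split("-"))
        if low > high:
            problems.append("%s: range %s is inverted" % (dom, rng))
        if low < min_start:
            problems.append("%s: range starts below %d and collides with local accounts" % (dom, min_start))
        ranges.append((low, high, dom))
    ranges.sort()
    for i, (low, high, dom) in enumerate(ranges):
        for plow, phigh, pdom in ranges[:i]:      # every range that starts earlier
            if low <= phigh:
                problems.append("ranges of %s (%d-%d) and %s (%d-%d) overlap"
                                % (pdom, plow, phigh, dom, low, high))
    return problems


def rid_to_id(sid, low, high, base_rid=0):
    """Map a SID to a Unix ID the way idmap_rid does; None when it falls outside the range."""
    rid = int(sid.rsplit("-", 1)[1])
    uid = low + (rid - base_rid)
    return uid if low <= uid <= high else None


# Constructed samples: the ranges this page recommends, and two mistakes it warns about.
GOOD_CONF = """[global]
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAMDOM : backend = rid
   idmap config SAMDOM : range = 10000-999999
   idmap config TRUSTED : backend = rid
   idmap config TRUSTED : range = 1000000-9999999
"""
BAD_CONF = """[global]
   idmap config * : backend = tdb
   idmap config * : range = 500-7999
   idmap config SAMDOM : backend = rid
   idmap config SAMDOM : range = 7000-999999
"""

if __name__ == "__main__":
    print("good:", check_idmap(GOOD_CONF) or "OK")
    print("bad:", check_idmap(BAD_CONF))
    print("RID 1105 ->", rid_to_id("S-1-5-21-1234567890-2345678901-3456789012-1105", 10000, 999999))
```

Feed it the real file with check_idmap(open(path).read()) where path is the CONFIGFILE value printed by smbd -b; the check is purely textual, so it can run on a workstation before the file is copied to the domain member.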
Mapping the Domain Administrator Account to the Local root User
Samba enables you to map domain accounts to a local account. Use this feature to execute file operations on the domain member's file system as a different user than the account that requested the operation on the client.
Mapping the domain administrator to the local root account is optional. Only configure the mapping if the domain administrator must be able to execute file operations on the domain member using root permissions. Be aware that mapping Administrator to the root account does not allow you to log on to Unix domain members as Administrator.
To map the domain administrator to the local root account:
- Add the following parameter to the [global] section of your smb.conf file:
username map = /usr/local/samba/etc/user.map
- Create the /usr/local/samba/etc/user.map file with the following content:
!root = SAMDOM\Administrator
The leading ! makes Samba stop processing the map once this line has matched, so no later line in the file can remap the account. Keep the map file owned by root and not writable by other users: whoever can edit it decides which domain accounts act as root on the domain member.
When using the ad ID mapping back end, do not set the uidNumber attribute for the domain administrator account. If the account has the attribute set, the value overrides the local UID 0 of the root user and thus the mapping fails.
For further details, see the username map parameter in the smb.conf(5) man page.
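Because a username map can turn any client name into root, it is worth being able to see exactly which names a given map file affects before deploying it. The following added example is not Samba's own implementation; it models the smb.conf(5) rules that matter for this file (one 'unixname = clientname ...' entry per line, case-insensitive matching, '#' and ';' comments, '*' matching any client name, later matching lines overriding earlier ones, and a leading '!' stopping processing after a match) and deliberately leaves out '@group' entries. The two map files and the account names are constructed sample data; the 'root = *' map is included only to show what the checker flags.

```python
"""Resolve a client name through a Samba-style 'username map' file.

Added example, not Samba's own implementation. It models the smb.conf(5)
rules that matter here: lines are 'unixname = clientname ...' (names
separated by spaces, compared case-insensitively), '#' and ';' start
comments, '*' on the right-hand side matches any client name, later matching
lines override earlier ones, and a leading '!' stops processing after that
line matches. Group entries of the form '@group' are not modelled. The map
contents and account names below are constructed sample data.
"""


def parse_username_map(text):
    """Return [(stop, unix_name, [client_names])] in file order, skipping malformed lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        stop = line.startswith("!")
        if stop:
            line = line[1:].lstrip()
        unix_name, sep, rhs = line.partition("=")
        if not sep or not unix_name.strip():
            continue                                   # no '=' or no Unix name: ignore
        entries.append((stop, unix_name.strip(), rhs.split()))
    return entries


def map_username(map_text, client_name):
    """Return the Unix account the client name ends up as (unchanged if no line matches)."""
    result = client_name
    for stop, unix_name, patterns in parse_username_map(map_text):
        if any(p == "*" or p.lower() == client_name.lower() for p in patterns):
            result = unix_name
            if stop:
                break
    return result


def accounts_mapped_to_root(map_text):
    """List the client-name patterns a map turns into root; '*' means every client."""
    return [p for _, unix_name, patterns in parse_username_map(map_text)
            if unix_name == "root" for p in patterns]


# Constructed samples: the map recommended on this page, and a dangerous one.
RECOMMENDED_MAP = "# map the domain administrator to root and stop there\n!root = SAMDOM\\Administrator\n"
DANGEROUS_MAP = "root = *\n"

if __name__ == "__main__":
    for name in ("SAMDOM\\administrator", "SAMDOM\\demo01"):
        print(name, "->", map_username(RECOMMENDED_MAP, name), "|", map_username(DANGEROUS_MAP, name))
    print("patterns mapped to root:", accounts_mapped_to_root(DANGEROUS_MAP))
```

accounts_mapped_to_root() is the check to run on any user.map you are handed: the only acceptable answer on a domain member set up as described here is the single Administrator entry.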
Joining the Domain
- To join the host to an Active Directory (AD), enter:
# net ads join -U administrator
Enter administrator's password: Passw0rd
Using short domain name -- SAMDOM
Joined 'M1' to dns domain 'samdom.example.com'
- To join the host to an NT4 domain, enter:
# net rpc join -U administrator
Enter administrator's password: Passw0rd
Joined domain SAMDOM.
Do not provision or join a domain member using the samba-tool utility. These options are unsupported and can cause problems with your AD replication. The options will be removed from samba-tool in a future release.
After an AD join, you can verify at any later time that the machine account is still valid by running net ads testjoin, which prints "Join is OK" on success.
If you have problems joining the domain, check your configuration. For further help, see Troubleshooting Samba Domain Members.
Configuring the Name Service Switch
To enable the name service switch (NSS) library to make domain users and groups available to the local system:
- Append the winbind entry to the following databases in the /etc/nsswitch.conf file:
passwd: files winbind
group: files winbind
  - Keep the files entry as the first source for both databases. This enables NSS to look up domain users and groups from the /etc/passwd and /etc/group files before querying the Winbind service.
  - Do not add the winbind entry to the NSS shadow database. This can cause the wbinfo utility to fail.
Do not use the same user names in the local /etc/passwd file as in the domain.
If you compiled Samba, add symbolic links from the libnss_winbind library to the operating system's library path. For details, see libnss_winbind Links. If you used packages to install Samba, the link is usually created automatically.
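The three nsswitch rules above (winbind present for passwd and group, files listed first, no winbind in shadow) are what most distributions' installers get partly wrong, so it pays to check the file mechanically. The following added example (not part of Samba) parses an nsswitch.conf text and reports deviations; action tokens such as [NOTFOUND=return] are ignored when checking the source order. Both file contents are constructed sample data.

```python
"""Check /etc/nsswitch.conf against the winbind rules stated on this page.

Added example, not part of Samba. Rules: the passwd and group databases must
list 'files' before 'winbind', and the shadow database must not list
'winbind' at all. Action tokens such as '[NOTFOUND=return]' are skipped when
checking the order. The file contents below are constructed sample data.
"""


def parse_nsswitch(text):
    """Return {database: [sources]} for every 'db: src src ...' line."""
    dbs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        name, sep, sources = line.partition(":")
        if sep:
            dbs[name.strip()] = [s for s in sources.split() if not s.startswith("[")]
    return dbs


def check_nsswitch(text):
    """Return a list of problems; an empty list means the file follows the rules."""
    dbs = parse_nsswitch(text)
    problems = []
    for db in ("passwd", "group"):
        sources = dbs.get(db, [])
        if "winbind" not in sources:
            problems.append("%s: winbind is missing" % db)
        elif "files" not in sources or sources.index("files") > sources.index("winbind"):
            problems.append("%s: files must come before winbind" % db)
    if "winbind" in dbs.get("shadow", []):
        problems.append("shadow: remove winbind, it can make wbinfo fail")
    return problems


# Constructed samples: the layout this page asks for, and a file that breaks every rule.
GOOD_NSS = "passwd: files winbind\ngroup:  files winbind\nshadow: files\nhosts:  files dns\n"
BAD_NSS = "passwd: winbind files\ngroup:  files\nshadow: files winbind\n"

if __name__ == "__main__":
    print("good:", check_nsswitch(GOOD_NSS) or "OK")
    print("bad:", check_nsswitch(BAD_NSS))
```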
Starting the Services
Start the following services to have a fully functioning Unix domain member:
- The smbd service
- The nmbd service
- The winbindd service
If you do not require network browsing, you do not need to start the nmbd service on a Unix domain member.
You must not start the samba service on a domain member. This service is required only on Active Directory (AD) domain controllers (DC).
Samba does not provide System V init scripts, systemd, upstart, or service files for other init services.
- If you installed Samba using packages, use the script or service configuration file provided by the package to start Samba.
- If you built Samba, see your distribution's documentation for how to create a script or configuration to start services.
Testing the Winbindd Connectivity
Sending a Winbindd Ping
To verify if the Winbindd service is able to connect to Active Directory (AD) Domain Controllers (DC) or a primary domain controller (PDC), enter:
# wbinfo --ping-dc
checking the NETLOGON for domain[SAMDOM] dc connection to "DC.SAMDOM.EXAMPLE.COM" succeeded
If the previous command fails, verify:
- That the winbindd service is running.
- That your smb.conf file is set up correctly.
Using Domain Accounts and Groups in Operating System Commands
Looking up Domain Users and Groups
The libnss_winbind library enables you to look up domain users and groups. For example:
- To look up the domain user SAMDOM\demo01:
# getent passwd SAMDOM\\demo01
SAMDOM\demo01:*:10000:10000:demo01:/home/demo01:/bin/bash
- To look up the domain group Domain Users:
# getent group "SAMDOM\\Domain Users"
SAMDOM\domain users:x:10000:
Assigning File Permissions to Domain Users and Groups
The name service switch (NSS) library enables you to use domain user accounts and groups in commands. For example, to set the owner of a file to the demo01 domain user and the group to the Domain Users domain group, enter:
# chown "SAMDOM\\demo01:SAMDOM\\domain users" file.txt
Setting up Additional Services on the Domain Member
On a Samba domain member, you can additionally set up:
- File shares to act as a file server. For details, see Samba File Serving.
- Print services to act as a print server. For details, see Print Server Support.
- PAM authentication of domain users for local services. For details, see Authenticating Domain Users Using PAM.
Troubleshooting
For details, see Troubleshooting Samba Domain Members.