Setting up Samba as a Domain Member: Difference between revisions
Mmuehlfeld (talk | contribs) m (Mmuehlfeld moved page Setup Samba as an AD Domain Member to Setting up Samba as a Domain Member: Move to a better fitting title)
Mmuehlfeld (talk | contribs) (Rewrote page. Moved general content to a separate page to enable linking to it from other guides, removed duplicated content, clearer structure, additional details, removed unclear information)
Line 1: | Line 1: | ||
= Introduction = |
= Introduction = |
||
A Samba domain member is a Linux machine joined to a domain that is running Samba and does not provide domain services, such as an NT4 primary domain controller (PDC) or Active Directory (AD) domain controller (DC). |
|||
In the context of Samba, you usually only hear about servers ([[Active_Directory_Domain_Controller|AD DCs]], [[NT4_Domains|NT4 PDCs]], [[Samba_File_Serving|file servers]], etc.). You usually do not hear much about a Samba workstation as a Domain Member, similar to hosts running a version of Windows e. g. Windows 10 Pro or some other workstation edition. What if you want to join a Linux workstation to the domain, to authenticate user logins against your Domain Controller(s)? |
|||
On a Samba domain member, you can: |
|||
Generally speaking, a Samba server is just a Samba workstation that provides file shares or print services. This is how we will structure our documentation here - being a Domain Member is the prerequisite for configuring a Samba [[Samba_File_Serving|file]] and/or [[Setup_a_Samba_print_server|print]] server. |
|||
* Use domain users and groups in local ACLs on files and directories. |
|||
{{Imbox |
|||
* Set up shares to act as a file server. |
|||
| type = important |
|||
* Set up printing services to act as a print server. |
|||
| text = None of the smb.conf <code>idmap_ad</code> information to be found here will have any affect on a Samba AD DC, none of it should be added to the smb.conf found on a DC. |
|||
* Configure PAM to enable domain users to log on locally or to authenticate to local installed services. |
|||
}} |
|||
For details about setting up a Samba NT4 domain or Samba AD, see [[Domain_Control|Domain Control]]. |
|||
= Installation = |
|||
You have the following options to install Samba: |
|||
= Preparing the Installation = |
|||
* [[Build_Samba_from_Source|Build Samba]] yourself |
|||
== General Preparation == |
|||
* Install [[Distribution-specific_Package_Installation|distribution specific packages]] |
|||
* Verify that no Samba processes are running: |
|||
* Install SerNet [http://www.samba.plus Samba+]/[http://www.samba.plus/older-packages/ Enterprise] packages |
|||
# ps ax | egrep "samba|smbd|nmbd|winbindd" |
|||
: If the output lists any <code>samba</code>, <code>smbd</code>, <code>nmbd</code>, or <code>winbindd</code> processes, shut down the processes. |
|||
* If you previously run a Samba installation on this host: |
|||
:* Remove the existing <code>smb.conf</code> file. To list the path to the file, enter: |
|||
# smbd -b | grep "CONFIGFILE" |
|||
CONFIGFILE: /usr/local/samba/etc/samba/smb.conf |
|||
:* Remove all Samba database files, such as <code>*.tdb</code> and <code>*.ldb</code> files. To list the folders containing Samba databases: |
|||
# smbd -b | egrep "LOCKDIR|STATEDIR|CACHEDIR|PRIVATE_DIR" |
|||
LOCKDIR: /usr/local/samba/var/lock/ |
|||
STATEDIR: /usr/local/samba/var/locks/ |
|||
CACHEDIR: /usr/local/samba/var/cache/ |
|||
PRIVATE_DIR: /usr/local/samba/private/ |
|||
: Starting with a clean environment helps you to prevent confusion, and no files from your previous Samba installation are mixed with your new domain member installation. |
|||
= Preparing the host for the domain join = |
|||
== AD DNS zone resolution == |
|||
Many things in an Active Directory, such as Kerberos, rely on DNS. Therefore it is required that the host is able to resolve AD DNS zones. If you have multiple DCs acting as a DNS server, it's recommended to setup multiple nameserver entries for fail over reasons. |
|||
== Preparing a Domain Member to Join an Active Directory Domain == |
|||
On Linux and Unixes, you usually configure DNS settings in /etc/resolv.conf: |
|||
== Configuring DNS == |
|||
nameserver 10.99.0.1 |
|||
nameserver 10.99.0.2 |
|||
search samdom.example.com |
|||
For details, see [[Linux_and_Unix_DNS_Configuration|Linux and Unix DNS Configuration]]. |
|||
Some tools, such as NetworkManager, may overwrite manual changes in that file. Please consult your distributions documentation for configuring name resolution. |
|||
To verify a correct name resolution, try resolving the hostname of one of your Domain Controllers: |
|||
# host -t A DC1.samdom.example.com |
|||
DC1.samdom.example.com has address 10.99.0.1 |
|||
= Configuring Time Synchronisation = |
|||
Kerberos requires a synchronised time on all domain members. Thus it is recommended to set up an NTP client. For further details, see [[Time_Synchronisation#Configuring_Time_Synchronisation_on_a_Linux_Domain_Member|Configuring Time Synchronisation on a Linux Domain Member]]. |
|||
== NTP == |
|||
In an Active Directory, accurate time synchronization is necessary for Kerberos, to prevent replay attacks and for resolving directory replication conflicts. For those reasons, if the time differs to your AD, your host won't be able to access AD servers and any shares it provides won't be accessible by others. See [[Time_Synchronisation|Time Syncronisation]] for further information and [[Time_Synchronisation#Configuring_time_synchronisation_on_a_Samba_Domain_Members|configuration examples]]. |
|||
== Local Host Name Resolution == |
|||
When you join the host to the domain, Samba tries to register the host name in the AD DNS zone. For this, the <code>net</code> utility must be able to resolve the host name using DNS or using a correct entry in the <code>/etc/hosts</code> file. |
|||
To verify that your host name resolves correctly, use the <code>getent hosts</code> command. For example: |
|||
== Local hostname resolution == |
|||
During the Domain join, Samba tries to register/update the hosts name and IP in your AD DNS. This requires that "net" can resolve both, either using DNS or /etc/hosts. To verify, run |
|||
# getent hosts M1 |
# getent hosts M1 |
||
10.99.0.5 M1.samdom.example.com M1 |
10.99.0.5 M1.samdom.example.com M1 |
||
The host name and FQDN must not resolve to the <code>127.0.0.1</code> IP address or any other IP address than the one used on the LAN interface of the domain member. |
|||
The commands output must show the correct LAN interface IP (not 127.*.*.*!) and the hostname including the AD DNS zone. Additional alias names are optional. If you get a different output, fix it in your DNS or by adding/changing the /etc/hosts entry: |
|||
If no output is displayed or the host is resolved to the wrong IP address, set the correct entry in the <code>/etc/hosts</code> file. For example: |
|||
127.0.0.1 localhost.localdomain localhost |
|||
10.99.0.5 M1.samdom.example.com M1 |
10.99.0.5 M1.samdom.example.com M1 |
||
== Preparing a Domain Member to Join an NT4 Domain == |
|||
For joining a host to an NT4 domain, no preparation is required. |
|||
= Setup a Domain Member smb.conf file = |
|||
Before joining a domain, it is necessary to create the Samba configuration file "smb.conf". The following command shows, where the file is located in your installation: |
|||
'''Note:''' You should use the same "smb.conf" file on all domain members you set up in the domain. |
|||
# smbd -b | grep CONFIGFILE |
|||
CONFIGFILE: /usr/local/samba/etc/smb.conf |
|||
= Installing Samba = |
|||
In the following you see an smb.conf example sufficient to join a domain, if you add an "idmap config" part, fitting to your environment. |
|||
For details, see [[Installing_Samba|Installing Samba]]. |
|||
{{Imbox |
{{Imbox |
||
| type = |
| type = note |
||
| text = Install a maintained Samba version. For details, see [[Samba_Release_Planning|Samba Release Planning]]. |
|||
| text = The ID ranges of the <code>*</code> default domain and all other domains configured in the <code>smb.conf</code> file must not overlap. |
|||
}} |
}} |
||
= Configuring Samba = |
|||
== Setting up a Basic <code>smb.conf</code> File == |
|||
Before joining the domain, configure the domain member's <code>smb.conf</code> file: |
|||
* To locate the file, enter: |
|||
# smbd -b | grep CONFIGFILE |
|||
CONFIGFILE: /usr/local/samba/etc/smb.conf |
|||
* Edit the <code>smb.conf</code> file and set the following configuration: |
|||
[global] |
[global] |
||
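Review bot: the Imbox this hunk drops from the Introduction (`| text = None of the smb.conf <code>idmap_ad</code> information to be found here will have any affect on a Samba AD DC, none of it should be added to the smb.conf found on a DC.`) has no counterpart in the new text, which only links to Domain Control. A one-line note that the idmap configuration on this page must not be added to a DC's smb.conf is worth carrying forward, because the new Configuring Samba section places `idmap config * : backend = tdb` and a range in [global] without that caveat.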
Line 93: | Line 116: | ||
log level = 1 |
log level = 1 |
||
# |
# Default ID mapping configuration for local BUILTIN accounts |
||
# |
# and groups on a domain member. The default (*) domain: |
||
# - must not overlap with any domain ID mapping configuration! |
|||
# on the available winbind idmap backends, |
|||
# - must use an read-write-enabled back end, such as <code>tdb</code>. |
|||
# Choose the one that fits your requirements |
|||
# then add the corresponding configuration. |
|||
idmap config * : backend = tdb |
idmap config * : backend = tdb |
||
idmap config * : range = |
idmap config * : range = 3000-7999 |
||
# Just adding one of the following three lines is not enough!! |
|||
# Please follow the links. |
|||
# |
|||
# - [[idmap_config_ad|use the winbind 'ad' backend.]] |
|||
# Or |
|||
# - [[idmap_config_rid|use the winbind 'rid' backend.]] |
|||
# Or |
|||
# - [https://www.samba.org/samba/docs/man/manpages-3/idmap_autorid.8.html use the winbind 'autorid' backend.] |
|||
:For information on the parameters, see the <code>smb.conf(5)</code> man page. |
|||
See the manpage of "smb.conf" for detailed information about the parameters and options used. |
|||
* Add an ID mapping configuration for every domain in the <code>[global]</code> section of your <code>smb.conf</code> file. Samba supports the following back ends for domains: |
|||
= The domain join = |
|||
:{| class="wikitable" |
|||
'''<u>A note on provisioning</u>:''' A Domain Member <u>must not</u> be provisioned by using "samba-tool"! This would setup an AD DC on your Domain Member with some parts turned off and writes to sam.ldb instead of passdb.tdb. Don't use this way to join, to avoid unwanted side effects! The Domain Member provisioning option will be removed in the future. |
|||
!Back End |
|||
!Documentation |
|||
!Man Page |
|||
|- |
|||
|<code>ad</code> |
|||
|[[Idmap_config_ad|idmap config ad]] |
|||
|<code>idmap_ad(8)</code> |
|||
|- |
|||
|<code>rid</code> |
|||
|[[Idmap_config_rid|idmap config rid]] |
|||
|<code>idmap_rid(8)</code> |
|||
|- |
|||
|<code>autorid</code> |
|||
|[[Idmap_config_autorid|idmap config autorid]] |
|||
|<code>idmap_autorid(8)</code> |
|||
|- |
|||
|<code>hash</code> |
|||
|[[Idmap_config_hash|idmap config hash]] |
|||
|<code>idmap_hash(8)</code> |
|||
|- |
|||
|<code>ldap</code> |
|||
|[[Idmap_config_ldap|idmap config ldap]] |
|||
|<code>idmap_ldap(8)</code> |
|||
|- |
|||
|<code>nss</code> |
|||
|[[Idmap_config_nss|idmap config nss]] |
|||
|<code>idmap_nss(8)</code> |
|||
|} |
|||
:{{Imbox |
|||
The following command will join the host to the domain and automatically register/update its DNS record: |
|||
| type = important |
|||
| text = For every domain, add an additional ID mapping configuration. The ID ranges of the default (<code>*</code>) domain and other domains configured in the <code>smb.conf</code> file must not overlap. |
|||
}} |
|||
# net ads join -U administrator |
|||
Enter administrator's password: Passw0rd |
|||
Using short domain name -- SAMDOM |
|||
Joined 'M1' to dns domain 'samdom.example.com' |
|||
If you encounter any error message(s), see [[Troubleshooting_Samba_Domain_Members|Troubleshooting Samba Domain Members]]. |
|||
== Mapping the Domain Administrator Account to the Local <code>root</code> User == |
|||
= libnss_winbind = |
|||
Samba enables you to map domain accounts to a local account. Use this feature to execute file operations on the domain member's file system as a different user than the account that requested the operation on the client. |
|||
Domain users and groups are made available to your local system through libnss_winbind. The [[#Setup_a_Domain_Member_smb.conf_file|smb.conf configuration]] was already done in a previous step. Next is to tell your system to retrieve that information from winbindd by adding "winbind" to the following two lines of your /etc/nsswitch.conf: |
|||
{{Imbox |
|||
passwd: files winbind |
|||
| type = note |
|||
group: files winbind |
|||
| text = Mapping the domain administrator to the local <code>root</code> account is optional. Only configure the mapping if the domain administrator must be able to execute file operations on the domain member using <code>root</code> permissions. |
|||
}} |
|||
To map the domain administrator to the local <code>root</code> account: |
|||
Keep the existing database "files" (sometimes you may find "compat" instead of "files"). It defines that accounts and groups are first looked up in local files (/etc/passwd and /etc/group), then using Winbindd. |
|||
* Add the following parameter to the <code>[global]</code> section of your <code>smb.conf</code> file: |
|||
'''Note:''' Do not add 'winbind' to the 'shadow' line, this has been reported to cause problems with 'wbinfo', it is also totally unneeded. |
|||
username map = /usr/local/samba/etc/user.map |
|||
'''Note:''' you cannot have users & groups with the same name in the local files and the domain i.e. a user 'foo' that appears in /etc/passwd would be the same user as 'DOMAIN\foo', in this instance you would need to remove or rename one of the users. |
|||
* Create the <code>/usr/local/samba/etc/user.map</code> file with the following content: |
|||
'''Important:''' If you have compiled Samba, you may need to add two symbolic links. See [[Libnss_winbind_Links|libnss_winbind Links]] for OS specific information on where to place them. Samba package installations usually place the file directly in the OS library path or have the links included. |
|||
!root = SAMDOM\Administrator |
|||
:{{Imbox |
|||
| type = important |
|||
| text = When using the <code>ad</code> ID mapping back end, do not set the <code>uidNumber</code> attribute for the domain administrator account. If the account has the attribute set, the value overrides the local UID <code>0</code> of the <code>root</code> user and thus the mapping fails. |
|||
}} |
|||
For further details, see <code>username map</code> parameter in the <code>smb.conf(5)</code> man page. |
|||
= Start daemons = |
|||
Depending on how you use your Domain Member, you have to start different daemons: |
|||
= Joining the Domain = |
|||
For a pure Domain Member (domain logons only): |
|||
{{Imbox |
|||
# winbindd |
|||
| type = important |
|||
| text = Do not provision a domain member using the <code>samba-tool</code> utility. This option is not supported and will be removed from the <code>samba-tool</code> utility in a future release. |
|||
}} |
|||
* To join the host to an Active Directory (AD), enter: |
|||
For Domain Members [[Samba_File_Serving|sharing directories (file server)]] and/or [[Setup_a_Samba_print_server|printers (print server)]]: |
|||
# net ads join -U administrator |
|||
# smbd |
|||
Enter administrator's password: Passw0rd |
|||
# nmbd |
|||
Using short domain name -- SAMDOM |
|||
# winbindd |
|||
Joined 'M1' to dns domain 'samdom.example.com' |
|||
* To join the host to an NT4 domain, enter: |
|||
# net ads join -U administrator |
|||
If you installed Samba using packages, you usually have init scripts or systemd/upstart support included. If you have compiled Samba, you will need to write your own scripts. For automatic startup of the service(s) at boot time, please consult you distributions documentation. |
|||
Enter administrator's password: Passw0rd |
|||
Joined domain SAMDOM. |
|||
If you have problems joining the domain, check your configuration. For further help, see [[Troubleshooting_Samba_Domain_Members|Troubleshooting Samba Domain Members]]. |
|||
= Testing Winbindd domain controller connectivity = |
|||
= Configuring the Name Service Switch = |
|||
== wbinfo == |
|||
To enable the name service switch (NSS) library to make domain users and groups available to the local system: |
|||
You first need to check if winbind is able to connect to a domain controller with wbinfo --ping-dc: |
|||
* Append the <code>winbind</code> entry to the following databases in the <code>/etc/nsswitch.conf</code> file: |
|||
# wbinfo --ping-dc |
|||
checking the NETLOGON for domain[SAMDOM] dc connection to "DC.SAMDOM.EXAMPLE.COM" succeeded |
|||
passwd: files <u>winbind</u> |
|||
group: files <u>winbind</u> |
|||
:* Keep the <code>files</code> entry as first source for both databases. This enables NSS to look up domain users and groups from the <code>/etc/passwd</code> and <code>/etc/group</code> files before querying the Winbind service. |
|||
== Using domain accounts/groups in OS commands == |
|||
:* Do not add the <code>winbind</code> entry to the NSS <code>shadow</code> database. This can cause the <code>wbinfo</code> utility fail. |
|||
If you have included [[#libnss_winbind|libnss_winbind]] in your system and setup smb.conf correctly, the following commands should print the relevant information for the supplied user or group: |
|||
:{{Imbox |
|||
# getent passwd demo01 |
|||
| type = note |
|||
demo01:*:10000:10000:demo01:/home/demo01:/bin/bash |
|||
| text = Do not use the same user names in the local <code>/etc/passwd</code> file as in the domain. |
|||
... |
|||
}} |
|||
* If you compiled Samba, add symbolic links from the <code>libnss_winbind</code> library to the operating system's library path. For details, see [[Libnss_winbind_Links|libnss_winbind Links]]. If you used packages to install Samba, the link is usually created automatically. |
|||
# getent group Domain\ Users |
|||
domain users:x:10000: |
|||
... |
|||
'''Note:''' If you do not get any output, verify that |
|||
* [[#libnss_winbind|libnss_winbind]] configuration is correct - especially that "ldconfig" is able to find "libnss_winbind.so.2" and "libnss_winbind.so" |
|||
* smb.conf is setup correctly |
|||
* if using [[idmap_config_ad|idmap config ad]], accounts/groups have [[Maintaining_Unix_Attributes_in_AD_using_ADUC|RFC2307 attributes]] set |
|||
'''Note:''' if you want to display all users & groups with 'getent', add these lines to your smb.conf (This is only recommended for testing): |
|||
winbind enum users = yes |
|||
winbind enum groups = yes |
|||
= Starting the Services = |
|||
To start the services on a domain member: |
|||
Any domain accounts/groups shown by getent or id can be used in the OS, i.e. |
|||
* Start the <code>winbindd</code> service to enable the name service switch (NSS) library to look up domain users and groups: |
|||
# id demo01 |
|||
uid=10000(demo01) gid=10000(domain users) groups=10000(domain users),2001(BUILTIN\users) |
|||
# winbindd |
|||
# chown demo01:"domain users" file.txt |
|||
# ls -s file.txt |
|||
-rw-------. 1 demo01 domain users 992 18. Oct 2015 file.txt |
|||
* If you set up file shares or printer services on the domain member, additionally start the <code>smbd</code> and <code>nmbd</code> service: |
|||
# smbd |
|||
'''Note:''' For various reasons, Administrator needs to be mapped to the Unix user 'root', this is done automatically on a Samba AD DC. On a domain member you will need to add a line to 'smb.conf': |
|||
# nmbd |
|||
:{{Imbox |
|||
username map = /usr/local/samba/etc/user.map |
|||
| type = note |
|||
| text = You must not start the <code>samba</code> service on a domain member. This service is required only on Active Directory (AD) domain controllers (DC). |
|||
}} |
|||
Samba does not provide System V init scripts, <code>systemd</code>, <code>upstart</code>, or service files for other init services. |
|||
You will then need to create /usr/local/samba/etc/user.map: |
|||
* If you installed Samba using packages, use the script or service configuration file provided by the package to start Samba. |
|||
* If you built Samba, see your distribution's documentation for how to create a script or configuration to start services. |
|||
!root = SAMDOM\Administrator SAMDOM\administrator Administrator administrator |
|||
Do not give Administrator a uidNumber attribute, this will turn Administrator into a normal Unix user, without the required permissions & rights it needs. |
|||
= Authenticating Domain Users Using PAM = |
|||
''If you have setup this Domain Member as a server providing file shares or print services, you may want to skip this part, By following this part, you will allow domain users to logon locally to the hosts console.'' |
|||
= Testing the Winbindd Connectivity = |
|||
== Sending a Winbindd Ping == |
|||
To verify if the Winbindd service is able to connect to Active Directory (AD) Domain Controllers (DC) or a primary domain controller (PDC), enter: |
|||
== General information == |
|||
# wbinfo --ping-dc |
|||
'''Important note:''' Before you start changing your PAM configuration: |
|||
checking the NETLOGON for domain[SAMDOM] dc connection to "DC.SAMDOM.EXAMPLE.COM" succeeded |
|||
* make sure you know what you're doing! |
|||
* before you start, login within a second terminal and keep it open until everything works as expected. Otherwise, you may lockout yourself and won't be able to login again! |
|||
If the previous command fails, verify: |
|||
If you have compiled Samba, you need to add a symbolic links. See [[Pam_winbind_Link|pam_winbind Link]] for OS specific information, where to place it. Samba package installations usually place the file directly in the right folder or have a link included. |
|||
* That the <code>winbindd</code> service is running. |
|||
* Your <code>smb.conf</code> file is set up correctly. |
|||
== Using Domain Accounts and Groups in Operating System Commands == |
|||
== Configure PAM == |
|||
=== Looking up Domain Users and Groups === |
|||
'''Note:''' Whenever your distribution ship tools to configure PAM, it's recommended to use them, instead of manually editing the configuration files! |
|||
* Red Hat based OS: authconfig/authconfig-tui |
|||
* Debian based OS: pam-auth-update |
|||
* SUSE based OS: yast |
|||
The <code>libnss_winbind</code> library enables you to look up domain users and groups. For example: |
|||
For manual changes: Typically the PAM configuration files are located in /etc/pam.d/ Depending on your distribution, the filename(s) may differ. E. g. on RHEL, you configure system login authentication in /etc/pam.d/password-auth-ac: |
|||
* To look up the domain user <code>demo01</code>: |
|||
#%PAM-1.0 |
|||
auth required pam_env.so |
|||
auth sufficient pam_unix.so nullok try_first_pass |
|||
auth requisite pam_succeed_if.so uid >= 1000 quiet_success |
|||
auth sufficient pam_winbind.so use_first_pass # <-- add this line |
|||
auth required pam_deny.so |
|||
account required pam_unix.so broken_shadow |
|||
account sufficient pam_localuser.so |
|||
account sufficient pam_succeed_if.so uid < 1000 quiet |
|||
account [default=bad success=ok user_unknown=ignore] pam_winbind.so # <-- add this line |
|||
account required pam_permit.so |
|||
password requisite pam_cracklib.so try_first_pass retry=3 type= |
|||
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok |
|||
password sufficient pam_winbind.so use_authtok # <-- add this line |
|||
password required pam_deny.so |
|||
session optional pam_keyinit.so revoke |
|||
session required pam_limits.so |
|||
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid |
|||
session required pam_unix.so |
|||
# getent passwd demo01 |
|||
For additional information about PAM configuration and settings used in the example above, please consult the [http://www.linux-pam.org PAM] documentation and the manpages of pam.conf and pam_winbind. |
|||
demo01:*:10000:10000:demo01:/home/demo01:/bin/bash |
|||
* To look up the domain group <code>Domain Users</code>: |
|||
# getent group "Domain Users" |
|||
domain users:x:10000: |
|||
== Verify domain user login == |
|||
=== Assigning File Permissions to Domain Users and Groups === |
|||
Try to login on the local console with a domain user account: |
|||
The name service switch (NSS) library enables you to use domain user accounts and groups in commands. For example to set the owner of a file to the <code>demo01</code> domain user and the group to the <code>Domain Users</code> domain group, enter: |
|||
# chown demo01:"domain users" file.txt |
|||
= Setting up Additional Services on the Domain Member = |
|||
On a Samba domain member, you can additionally set up: |
|||
* File shares to act as a file server. For details, see [[Samba_File_Serving|Samba File Serving]]. |
|||
* Print services to act as a print server. For details, see [[Print_server_support|Print Server Support]]. |
|||
* PAM authentication of domain users for local services. For details, see [[Authenticating_Domain_Users_Using_PAM|Authenticating Domain Users Using PAM]]. |
|||
CentOS Linux 7 (Core) |
|||
Kernel 3.10.0-229.11.1.el.7.x86_64 on an x86_64 |
|||
M1 login: demo01 |
|||
Password: Passw0rd |
|||
[demo01@M1 ~]$ _ |
|||
= Troubleshooting = |
|||
= Setting up additional services = |
|||
For details, see [[Troubleshooting_Samba_Domain_Members|Troubleshooting Samba Domain Members]]. |
|||
Now you have successfully made your host be a Domain Member, you can, as on a Windows OS, additionally [[Samba_File_Serving|share directories (file server)]] or act as an [[Setup_a_Samba_print_server|print server]]. |
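Review bot: the NT4 join step in this hunk repeats the AD command: `* To join the host to an NT4 domain, enter:` is followed by `# net ads join -U administrator`, but `net ads` only works against an AD domain, and the output shown (`Joined domain SAMDOM.`) is what `net rpc join` prints, so the line should read `net rpc join -U administrator`. Minor: the removed `# ls -s file.txt` listed block sizes rather than ownership, so dropping it is fine, but the new "Assigning File Permissions" text now shows no way to confirm the chown result; an `ls -l file.txt` after the chown would.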
Revision as of 00:42, 18 December 2016
Introduction
A Samba domain member is a Linux machine joined to a domain that is running Samba and does not provide domain services, such as an NT4 primary domain controller (PDC) or Active Directory (AD) domain controller (DC).
On a Samba domain member, you can:
- Use domain users and groups in local ACLs on files and directories.
- Set up shares to act as a file server.
- Set up printing services to act as a print server.
- Configure PAM to enable domain users to log on locally or to authenticate to locally installed services.
For details about setting up a Samba NT4 domain or Samba AD, see Domain Control.
Preparing the Installation
General Preparation
- Verify that no Samba processes are running:
# ps ax | egrep "samba|smbd|nmbd|winbindd"
- If the output lists any samba, smbd, nmbd, or winbindd processes, shut down the processes.
- If you previously ran a Samba installation on this host:
  - Remove the existing smb.conf file. To list the path to the file, enter:
# smbd -b | grep "CONFIGFILE"
CONFIGFILE: /usr/local/samba/etc/samba/smb.conf
  - Remove all Samba database files, such as *.tdb and *.ldb files. To list the folders containing Samba databases:
# smbd -b | egrep "LOCKDIR|STATEDIR|CACHEDIR|PRIVATE_DIR"
LOCKDIR: /usr/local/samba/var/lock/
STATEDIR: /usr/local/samba/var/locks/
CACHEDIR: /usr/local/samba/var/cache/
PRIVATE_DIR: /usr/local/samba/private/
- Starting with a clean environment prevents confusion and ensures that no files from your previous Samba installation are mixed with your new domain member installation.
Preparing a Domain Member to Join an Active Directory Domain
Configuring DNS
For details, see Linux and Unix DNS Configuration.
Configuring Time Synchronisation
Kerberos requires a synchronised time on all domain members. Thus it is recommended to set up an NTP client. For further details, see Configuring Time Synchronisation on a Linux Domain Member.
Local Host Name Resolution
When you join the host to the domain, Samba tries to register the host name in the AD DNS zone. For this, the net utility must be able to resolve the host name using DNS or using a correct entry in the /etc/hosts file.
To verify that your host name resolves correctly, use the getent hosts command. For example:
# getent hosts M1
10.99.0.5 M1.samdom.example.com M1
The host name and FQDN must not resolve to the 127.0.0.1 IP address or any other IP address than the one used on the LAN interface of the domain member.
If no output is displayed or the host is resolved to the wrong IP address, set the correct entry in the /etc/hosts file. For example:
127.0.0.1 localhost.localdomain localhost
10.99.0.5 M1.samdom.example.com M1
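The host name check above, as an added example that is not part of the Samba wiki: it parses getent hosts output and rejects loopback addresses, a wrong LAN address, or a missing FQDN. The host name M1, zone samdom.example.com, LAN address 10.99.0.5 and the sample outputs are constructed to match the page's values.

```python
# Added example (not from the Samba wiki): verify that a prospective domain
# member's host name resolves the way the join needs, i.e. to the LAN interface
# address, never to a loopback address, and with the FQDN in the AD DNS zone.
# The getent(1) outputs below are constructed samples, not captured from a host.
import ipaddress
import subprocess


def parse_getent_hosts(output):
    """Split `getent hosts NAME` output into (address, [names]) tuples."""
    entries = []
    for line in output.splitlines():
        fields = line.split()
        if fields:
            entries.append((fields[0], fields[1:]))
    return entries


def check_host_entry(output, hostname, dns_zone, lan_ip):
    """Return a list of problems with the resolved entry; [] means it is usable.

    hostname: short host name (M1), dns_zone: AD DNS zone (samdom.example.com),
    lan_ip: the address configured on the LAN interface (10.99.0.5).
    """
    entries = parse_getent_hosts(output)
    if not entries:
        return ["no entry: add the host to DNS or to /etc/hosts"]
    fqdn = ("%s.%s" % (hostname, dns_zone)).lower()
    problems = []
    for address, names in entries:
        try:
            addr = ipaddress.ip_address(address)
        except ValueError:
            problems.append("unparseable address %r" % address)
            continue
        if addr.is_loopback:
            # Any 127.0.0.0/8 entry (127.0.1.1 is common on Debian-style hosts)
            # would make net(8) register the wrong address in AD DNS.
            problems.append("%s resolves to loopback address %s" % (hostname, address))
        elif address != lan_ip:
            problems.append("%s resolves to %s, not to LAN address %s"
                            % (hostname, address, lan_ip))
        if fqdn not in [n.lower() for n in names]:
            problems.append("FQDN %s is missing from the names %s" % (fqdn, names))
    return problems


def hosts_file_line(hostname, dns_zone, lan_ip):
    """The /etc/hosts line that fixes a missing or wrong entry: address, FQDN, short name."""
    return "%s %s.%s %s" % (lan_ip, hostname, dns_zone, hostname)


def check_live(hostname, dns_zone, lan_ip):
    """Run the real getent(1) on this host and check its output."""
    try:
        proc = subprocess.run(["getent", "hosts", hostname], capture_output=True, text=True)
    except FileNotFoundError:
        return ["getent(1) not found on this system"]
    return check_host_entry(proc.stdout, hostname, dns_zone, lan_ip)


# Constructed samples: the entry this page expects, and a loopback-only entry.
GOOD_OUTPUT = "10.99.0.5       M1.samdom.example.com M1\n"
BAD_OUTPUT = "127.0.1.1       M1\n"

if __name__ == "__main__":
    for label, out in (("good", GOOD_OUTPUT), ("bad", BAD_OUTPUT)):
        problems = check_host_entry(out, "M1", "samdom.example.com", "10.99.0.5")
        print(label + ":", "; ".join(problems) or "OK")
    print("fix:", hosts_file_line("M1", "samdom.example.com", "10.99.0.5"))
```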
Preparing a Domain Member to Join an NT4 Domain
For joining a host to an NT4 domain, no preparation is required.
Installing Samba
For details, see Installing Samba.
Install a maintained Samba version. For details, see Samba Release Planning.
Configuring Samba
Setting up a Basic smb.conf File
Before joining the domain, configure the domain member's smb.conf file:
- To locate the file, enter:
# smbd -b | grep CONFIGFILE
CONFIGFILE: /usr/local/samba/etc/smb.conf
- Edit the smb.conf file and set the following configuration:
[global]
security = ADS
workgroup = SAMDOM
realm = SAMDOM.EXAMPLE.COM
log file = /var/log/samba/%m.log
log level = 1
# Default ID mapping configuration for local BUILTIN accounts
# and groups on a domain member. The default (*) domain:
# - must not overlap with any domain ID mapping configuration!
# - must use a read-write-enabled back end, such as tdb.
idmap config * : backend = tdb
idmap config * : range = 3000-7999
- For information on the parameters, see the smb.conf(5) man page.
- Add an ID mapping configuration for every domain in the [global] section of your smb.conf file. Samba supports the following back ends for domains:
Back End   Documentation          Man Page
ad         idmap config ad        idmap_ad(8)
rid        idmap config rid       idmap_rid(8)
autorid    idmap config autorid   idmap_autorid(8)
hash       idmap config hash      idmap_hash(8)
ldap       idmap config ldap      idmap_ldap(8)
nss        idmap config nss       idmap_nss(8)
For every domain, add an additional ID mapping configuration. The ID ranges of the default (*) domain and other domains configured in the smb.conf file must not overlap.
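A lint for the ID mapping rules just stated, as an added example and not Samba's own tooling: it reads the idmap config lines from [global] and reports a default domain without a read-write back end, a domain without a range, and any pair of overlapping ranges. The two smb.conf texts are constructed from the page's [global] skeleton; the set of back ends treated as read-write is this example's assumption.

```python
# Added example (not Samba's own code): lint the 'idmap config' lines of a
# domain member's smb.conf for the rules this page states: the default (*)
# domain needs a read-write back end and a range, every domain needs a range,
# and no two ranges may overlap.  Both configurations below are constructed.
import re

IDMAP_RE = re.compile(r"^idmap\s+config\s+(?P<domain>\S+)\s*:\s*(?P<option>\w+)$", re.I)
# Assumption of this lint: back ends able to allocate new IDs for the default domain.
READ_WRITE_BACKENDS = {"tdb", "autorid", "ldap"}


def parse_idmap(text):
    """Return {domain: {option: value}} for the idmap config lines in [global]."""
    domains = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        match = IDMAP_RE.match(key)
        if match:
            options = domains.setdefault(match.group("domain"), {})
            options[match.group("option").lower()] = value
    return domains


def parse_range(value):
    """'3000-7999' -> (3000, 7999); raises ValueError on anything else."""
    low, high = (int(part) for part in value.split("-", 1))
    if low > high:
        raise ValueError("range end below start")
    return low, high


def lint_idmap(domains):
    """Return a list of problems; [] means the ID mapping configuration is consistent."""
    problems = []
    default = domains.get("*")
    if default is None:
        problems.append("no default domain: add 'idmap config * : backend' and 'range'")
    elif default.get("backend", "").lower() not in READ_WRITE_BACKENDS:
        problems.append("default domain '*' needs a read-write back end such as tdb")
    ranges = {}
    for domain, options in domains.items():
        if "range" not in options:
            problems.append("domain '%s' has no range" % domain)
            continue
        try:
            ranges[domain] = parse_range(options["range"])
        except ValueError:
            problems.append("domain '%s' has an invalid range %r" % (domain, options["range"]))
    names = sorted(ranges)
    for i, first in enumerate(names):
        for second in names[i + 1:]:
            (a_low, a_high), (b_low, b_high) = ranges[first], ranges[second]
            if a_low <= b_high and b_low <= a_high:  # closed intervals intersect
                problems.append("ranges of '%s' (%d-%d) and '%s' (%d-%d) overlap"
                                % (first, a_low, a_high, second, b_low, b_high))
    return problems


# Constructed: the page's [global] skeleton plus a SAMDOM rid mapping whose
# range starts inside the default domain's 3000-7999 range.
BAD_CONF = """\
[global]
   security = ADS
   workgroup = SAMDOM
   realm = SAMDOM.EXAMPLE.COM
   log file = /var/log/samba/%m.log
   log level = 1

   idmap config * : backend = tdb
   idmap config * : range = 3000-7999

   idmap config SAMDOM : backend = rid
   idmap config SAMDOM : range = 5000-999999
"""
# The corrected version moves the SAMDOM range above the default one.
GOOD_CONF = BAD_CONF.replace("5000-999999", "10000-999999")

if __name__ == "__main__":
    for label, conf in (("bad", BAD_CONF), ("good", GOOD_CONF)):
        print(label + ":", "; ".join(lint_idmap(parse_idmap(conf))) or "OK")
```

Run it against a real file with lint_idmap(parse_idmap(open(path).read())) before joining; overlapping ranges silently map two different SIDs to the same UID or GID, which shows up later as wrong file ownership.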
Mapping the Domain Administrator Account to the Local root User
Samba enables you to map domain accounts to a local account. Use this feature to execute file operations on the domain member's file system as a different user than the account that requested the operation on the client.
Mapping the domain administrator to the local root account is optional. Only configure the mapping if the domain administrator must be able to execute file operations on the domain member using root permissions.
To map the domain administrator to the local root account:
- Add the following parameter to the [global] section of your smb.conf file:
username map = /usr/local/samba/etc/user.map
- Create the /usr/local/samba/etc/user.map file with the following content:
!root = SAMDOM\Administrator
When using the ad ID mapping back end, do not set the uidNumber attribute for the domain administrator account. If the account has the attribute set, the value overrides the local UID 0 of the root user and thus the mapping fails.
For further details, see the username map parameter in the smb.conf(5) man page.
Joining the Domain
Do not provision a domain member using the samba-tool utility. This option is not supported and will be removed from the samba-tool utility in a future release.
- To join the host to an Active Directory (AD), enter:
# net ads join -U administrator
Enter administrator's password: Passw0rd
Using short domain name -- SAMDOM
Joined 'M1' to dns domain 'samdom.example.com'
- To join the host to an NT4 domain, enter:
# net rpc join -U administrator
Enter administrator's password: Passw0rd
Joined domain SAMDOM.
If you have problems joining the domain, check your configuration. For further help, see Troubleshooting Samba Domain Members.
Configuring the Name Service Switch
To enable the name service switch (NSS) library to make domain users and groups available to the local system:
- Append the winbind entry to the following databases in the /etc/nsswitch.conf file:
passwd: files winbind
group: files winbind
  - Keep the files entry as first source for both databases. This enables NSS to look up domain users and groups from the /etc/passwd and /etc/group files before querying the Winbind service.
  - Do not add the winbind entry to the NSS shadow database. This can cause the wbinfo utility to fail.
Do not use the same user names in the local /etc/passwd file as in the domain.
- If you compiled Samba, add symbolic links from the libnss_winbind library to the operating system's library path. For details, see libnss_winbind Links. If you used packages to install Samba, the link is usually created automatically.
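The nsswitch.conf rules above as a check, added here and not part of the Samba wiki: winbind must be present on passwd and group behind the local source, and absent from shadow. Accepting compat as well as files for the local source is this example's assumption; the file contents are constructed.

```python
# Added example (not from the Samba wiki): check /etc/nsswitch.conf for the
# entries this section asks for: 'winbind' appended to passwd and group behind
# the local files source, and no 'winbind' on the shadow database.  The file
# contents below are constructed samples.

LOCAL_SOURCES = ("files", "compat")  # 'compat' is what some distributions ship instead of 'files'


def parse_nsswitch(text):
    """Return {database: [sources]}; action specs such as [NOTFOUND=return] are dropped."""
    databases = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        name, sources = line.split(":", 1)
        databases[name.strip()] = [s for s in sources.split() if not s.startswith("[")]
    return databases


def lint_nsswitch(text):
    """Return a list of problems; [] means winbind is wired into NSS as this page describes."""
    databases = parse_nsswitch(text)
    problems = []
    for db in ("passwd", "group"):
        sources = databases.get(db, [])
        if "winbind" not in sources:
            problems.append("%s: 'winbind' is missing" % db)
        elif sources[0] not in LOCAL_SOURCES:
            problems.append("%s: local files must come before winbind, found %r first"
                            % (db, sources[0]))
    if "winbind" in databases.get("shadow", []):
        problems.append("shadow: remove 'winbind'; it is not needed and can make wbinfo fail")
    return problems


def add_winbind(text):
    """Append 'winbind' to the passwd and group lines that lack it, leaving the rest untouched."""
    fixed = []
    for raw in text.splitlines():
        name = raw.split(":", 1)[0].strip() if ":" in raw else ""
        if name in ("passwd", "group") and "winbind" not in raw.split("#", 1)[0].split():
            raw = raw.rstrip() + " winbind"
        fixed.append(raw)
    return "\n".join(fixed) + "\n"


# Constructed samples: one with winbind in front of files, winbind on shadow and
# missing on group; one wired up as the page describes.
BAD_NSSWITCH = """\
# constructed sample
passwd:     winbind files
shadow:     files winbind
group:      files
hosts:      files dns
"""
GOOD_NSSWITCH = """\
passwd:     files winbind
shadow:     files
group:      files winbind
hosts:      files dns
"""

if __name__ == "__main__":
    for label, conf in (("bad", BAD_NSSWITCH), ("good", GOOD_NSSWITCH)):
        print(label + ":", "; ".join(lint_nsswitch(conf)) or "OK")
```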
Starting the Services
To start the services on a domain member:
- Start the winbindd service to enable the name service switch (NSS) library to look up domain users and groups:
# winbindd
- If you set up file shares or printer services on the domain member, additionally start the smbd and nmbd services:
# smbd
# nmbd
You must not start the samba service on a domain member. This service is required only on Active Directory (AD) domain controllers (DC).
Samba does not provide System V init scripts, systemd, upstart, or service files for other init services.
- If you installed Samba using packages, use the script or service configuration file provided by the package to start Samba.
- If you built Samba, see your distribution's documentation for how to create a script or configuration to start services.
Testing the Winbindd Connectivity
Sending a Winbindd Ping
To verify if the Winbindd service is able to connect to Active Directory (AD) Domain Controllers (DC) or a primary domain controller (PDC), enter:
# wbinfo --ping-dc
checking the NETLOGON for domain[SAMDOM] dc connection to "DC.SAMDOM.EXAMPLE.COM" succeeded
If the previous command fails, verify:
- That the winbindd service is running.
- That your smb.conf file is set up correctly.
Using Domain Accounts and Groups in Operating System Commands
Looking up Domain Users and Groups
The libnss_winbind library enables you to look up domain users and groups. For example:
- To look up the domain user demo01:
# getent passwd demo01
demo01:*:10000:10000:demo01:/home/demo01:/bin/bash
- To look up the domain group Domain Users:
# getent group "Domain Users"
domain users:x:10000:
Assigning File Permissions to Domain Users and Groups
The name service switch (NSS) library enables you to use domain user accounts and groups in commands. For example, to set the owner of a file to the demo01 domain user and the group to the Domain Users domain group, enter:
# chown demo01:"domain users" file.txt
Setting up Additional Services on the Domain Member
On a Samba domain member, you can additionally set up:
- File shares to act as a file server. For details, see Samba File Serving.
- Print services to act as a print server. For details, see Print Server Support.
- PAM authentication of domain users for local services. For details, see Authenticating Domain Users Using PAM.
Troubleshooting
For details, see Troubleshooting Samba Domain Members.