Setting up Samba as a Domain Member: Difference between revisions
Revision as of 11:08, 30 December 2016
Introduction
A Samba domain member is a Linux machine joined to a domain that is running Samba and does not provide domain services, such as an NT4 primary domain controller (PDC) or Active Directory (AD) domain controller (DC).
On a Samba domain member, you can:
- Use domain users and groups in local ACLs on files and directories.
- Set up shares to act as a file server.
- Set up printing services to act as a print server.
- Configure PAM to enable domain users to log on locally or to authenticate to locally installed services.
For details about setting up a Samba NT4 domain or Samba AD, see Domain Control.
Preparing the Installation
General Preparation
- Verify that no Samba processes are running:
# ps ax | egrep "samba|smbd|nmbd|winbindd"
- If the output lists any samba, smbd, nmbd, or winbindd processes, shut down the processes.
- If you previously ran a Samba installation on this host:
  - Remove the existing smb.conf file. To list the path to the file, enter:
# smbd -b | grep "CONFIGFILE"
CONFIGFILE: /usr/local/samba/etc/samba/smb.conf
  - Remove all Samba database files, such as *.tdb and *.ldb files. To list the folders containing Samba databases:
# smbd -b | egrep "LOCKDIR|STATEDIR|CACHEDIR|PRIVATE_DIR"
LOCKDIR: /usr/local/samba/var/lock/
STATEDIR: /usr/local/samba/var/locks/
CACHEDIR: /usr/local/samba/var/cache/
PRIVATE_DIR: /usr/local/samba/private/
- Starting with a clean environment helps you to prevent confusion, and no files from your previous Samba installation are mixed with your new domain member installation.
Preparing a Domain Member to Join an Active Directory Domain
Configuring DNS
For details, see Linux and Unix DNS Configuration.
Configuring Kerberos
The Kerberos file /etc/krb5.conf should only contain the following:
[libdefaults]
default_realm = SAMDOM.EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true
You will need to replace SAMDOM.EXAMPLE.COM with your Kerberos realm.
Configuring Time Synchronisation
Kerberos requires a synchronised time on all domain members. Thus it is recommended to set up an NTP client. For further details, see Configuring Time Synchronisation on a Unix Domain Member.
Local Host Name Resolution
When you join the host to the domain, Samba tries to register the host name in the AD DNS zone. For this, the net utility must be able to resolve the host name using DNS or using a correct entry in the /etc/hosts file.
To verify that your host name resolves correctly, use the getent hosts command. For example:
# getent hosts M1
10.99.0.5 M1.samdom.example.com M1
The host name and FQDN must not resolve to the 127.0.0.1 IP address or to any IP address other than the one used on the LAN interface of the domain member.
If no output is displayed or the host is resolved to the wrong IP address and you are not using DHCP, set the correct entry in the /etc/hosts file. For example:
127.0.0.1 localhost.localdomain localhost
10.99.0.5 M1.samdom.example.com M1
If you are using DHCP, check that /etc/hosts only contains the '127.0.0.1' line shown above. If you continue to have problems, contact the sysadmin who controls your DHCP server.
- Please keep the line 127.0.0.1 localhost localhost.localdomain alias3 alias4 etc. in this order. Otherwise, resolving 127.0.0.1 with gethostbyname() and running nslookup return two different answers (provided nsswitch.conf is configured with "files dns"). See also: RFC 1912.
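The checks described above, as an added example that is not part of the Samba wiki page: a small shell script that reads a hosts file and reports a host name that resolves to 127.0.0.1 or to an address other than the LAN IP, and that shows which name the files NSS source returns first for 127.0.0.1 (the RFC 1912 point behind the ordering note). The file paths, the host name M1 and the address 10.99.0.5 are passed as arguments; the two sample hosts files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the Samba wiki page: check a hosts file against the
# host name resolution rules above. The hosts file path, short host name and
# LAN IP are passed as arguments; the sample files below are constructed.

# canonical_name FILE IP
# Prints the first name listed for IP, which is what the "files" NSS source
# returns as the canonical name for a reverse lookup (the RFC 1912 point).
canonical_name() {
    awk -v ip="$2" '$1 == ip { print $2; exit }' "$1"
}

# check_static_hosts_entry FILE HOSTNAME LAN_IP
# Returns 0 when every line naming HOSTNAME (short or FQDN) maps it to LAN_IP,
# so it resolves neither to 127.0.0.1 nor to another interface's address.
check_static_hosts_entry() {
    awk -v h="$2" -v ip="$3" '
        BEGIN { bad = 0; found = 0 }
        /^[ \t]*#/ || NF < 2 { next }
        {
            for (i = 2; i <= NF; i++) {
                name = $i
                sub(/\..*/, "", name)              # compare the short name only
                if (tolower(name) != tolower(h)) continue
                found = 1
                if ($1 != ip) {
                    printf "BAD: %s resolves to %s, expected %s\n", $i, $1, ip
                    bad = 1
                }
            }
        }
        END {
            if (!found) { printf "MISSING: no entry for %s\n", h; bad = 1 }
            exit bad
        }' "$1"
}

# Constructed sample files: one correct, one with the host name on the
# loopback line (the mistake the text warns about).
good_hosts=$(mktemp)
bad_hosts=$(mktemp)
trap 'rm -f "$good_hosts" "$bad_hosts"' EXIT
printf '%s\n' \
    '127.0.0.1 localhost localhost.localdomain' \
    '10.99.0.5 M1.samdom.example.com M1' > "$good_hosts"
printf '%s\n' \
    '127.0.0.1 localhost localhost.localdomain M1.samdom.example.com M1' > "$bad_hosts"

if check_static_hosts_entry "$good_hosts" M1 10.99.0.5; then
    echo "good sample: OK (first name for 127.0.0.1: $(canonical_name "$good_hosts" 127.0.0.1))"
fi
if ! check_static_hosts_entry "$bad_hosts" M1 10.99.0.5; then
    echo "bad sample: rejected as expected"
fi
```

On a real domain member you would point the functions at /etc/hosts and the output of hostname; the check only covers the static-file case, so when DNS (or DHCP-managed DNS) answers for the host, compare its answer with getent hosts as the text describes.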
Preparing a Domain Member to Join an NT4 Domain
For joining a host to an NT4 domain, no preparation is required.
Installing Samba
For details, see Installing Samba.
Note: Install a maintained Samba version. For details, see Samba Release Planning.
Configuring Samba
Setting up a Basic smb.conf File
Before joining the domain, configure the domain member's smb.conf file:
- To locate the file, enter:
# smbd -b | grep CONFIGFILE
CONFIGFILE: /usr/local/samba/etc/smb.conf
- Edit the smb.conf file and set the following configuration:
[global]
security = ADS
workgroup = SAMDOM
realm = SAMDOM.EXAMPLE.COM
log file = /var/log/samba/%m.log
log level = 1
# Default ID mapping configuration for local BUILTIN accounts
# and groups on a domain member. The default (*) domain:
# - must not overlap with any domain ID mapping configuration!
# - must use a read-write-enabled back end, such as tdb.
idmap config * : backend = tdb
idmap config * : range = 3000-7999
- For information on the parameters, see the smb.conf(5) man page.
- Add an ID mapping configuration for every domain in the [global] section of your smb.conf file. Samba supports the following back ends for domains:
Back End | Documentation | Man Page
ad | idmap config ad | idmap_ad(8)
rid | idmap config rid | idmap_rid(8)
autorid | idmap config autorid | idmap_autorid(8)
hash | idmap config hash | idmap_hash(8)
ldap | idmap config ldap | idmap_ldap(8)
nss | idmap config nss | idmap_nss(8)
For every domain, add an additional ID mapping configuration. The ID ranges of the default (*) domain and other domains configured in the smb.conf file must not overlap.
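The "must not overlap" rule above, as an added example that is not part of the Samba wiki page: a shell script that extracts every "idmap config DOMAIN : range" line from an smb.conf and reports ranges that are inverted or overlap, for any number of domains rather than only the default (*) domain. The smb.conf path is passed as an argument; the two sample configurations, including the SAMDOM domain with a rid back end, are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the Samba wiki page: extract the idmap ranges from
# an smb.conf and report overlapping or inverted ranges, the "must not overlap"
# rule above. The smb.conf path is passed in; the sample files are constructed.

# idmap_ranges FILE
# Prints one "DOMAIN LOW HIGH" line per "idmap config DOMAIN : range = LOW-HIGH".
idmap_ranges() {
    awk '
        /^[ \t]*idmap config[ \t]*[^:]+:[ \t]*range[ \t]*=/ {
            line = $0
            sub(/^[ \t]*idmap config[ \t]*/, "", line)
            split(line, parts, ":")
            dom = parts[1]; gsub(/[ \t]+$/, "", dom)
            rng = parts[2]; sub(/.*=[ \t]*/, "", rng); gsub(/[ \t]/, "", rng)
            split(rng, bounds, "-")
            print dom, bounds[1], bounds[2]
        }' "$1"
}

# check_idmap_ranges FILE
# Returns 0 when all ranges are well formed and pairwise disjoint.
check_idmap_ranges() {
    idmap_ranges "$1" | sort -k2,2n | awk '
        BEGIN { rc = 0; max_hi = -1; owner = "" }
        {
            if ($2 + 0 > $3 + 0) {
                printf "INVALID: %s range %s-%s has low > high\n", $1, $2, $3
                rc = 1
            }
            # Sorted by low bound, so a range overlaps another iff it starts
            # at or below the highest upper bound seen so far.
            if ($2 + 0 <= max_hi) {
                printf "OVERLAP: %s (%s-%s) overlaps %s (ends at %d)\n", $1, $2, $3, owner, max_hi
                rc = 1
            }
            if ($3 + 0 > max_hi) { max_hi = $3 + 0; owner = $1 }
        }
        END { exit rc }'
}

# Constructed sample configurations: the second one lets the SAMDOM range
# start inside the default (*) range.
good_conf=$(mktemp)
bad_conf=$(mktemp)
trap 'rm -f "$good_conf" "$bad_conf"' EXIT
printf '%s\n' '[global]' 'security = ADS' 'workgroup = SAMDOM' \
    'idmap config * : backend = tdb' 'idmap config * : range = 3000-7999' \
    'idmap config SAMDOM : backend = rid' 'idmap config SAMDOM : range = 10000-999999' > "$good_conf"
printf '%s\n' '[global]' \
    'idmap config * : backend = tdb' 'idmap config * : range = 3000-7999' \
    'idmap config SAMDOM : backend = rid' 'idmap config SAMDOM : range = 5000-999999' > "$bad_conf"

check_idmap_ranges "$good_conf" && echo "good sample: ranges are disjoint"
check_idmap_ranges "$bad_conf" || echo "bad sample: rejected as expected"
```

Run it against the path that smbd -b | grep CONFIGFILE prints before joining the domain; an overlap reported here is exactly the configuration the smb.conf comment in the section above warns against.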
Mapping the Domain Administrator Account to the Local root User
Samba enables you to map domain accounts to a local account. Use this feature to execute file operations on the domain member's file system as a different user than the account that requested the operation on the client.
Note: Mapping the domain administrator to the local root account is optional. Only configure the mapping if the domain administrator must be able to execute file operations on the domain member using root permissions.
To map the domain administrator to the local root account:
- Add the following parameter to the [global] section of your smb.conf file:
username map = /usr/local/samba/etc/user.map
- Create the /usr/local/samba/etc/user.map file with the following content:
!root = SAMDOM\Administrator
When using the ad ID mapping back end, do not set the uidNumber attribute for the domain administrator account. If the account has the attribute set, the value overrides the local UID 0 of the root user and thus the mapping fails.
For further details, see the username map parameter in the smb.conf(5) man page.
Joining the Domain
Note: Do not provision a domain member using the samba-tool utility. This option is not supported and will be removed from the samba-tool utility in a future release.
- To join the host to an Active Directory (AD) domain, enter:
# net ads join -U administrator
Enter administrator's password: Passw0rd
Using short domain name -- SAMDOM
Joined 'M1' to dns domain 'samdom.example.com'
- To join the host to an NT4 domain, enter:
# net rpc join -U administrator
Enter administrator's password: Passw0rd
Joined domain SAMDOM.
If you have problems joining the domain, check your configuration. For further help, see Troubleshooting Samba Domain Members.
Configuring the Name Service Switch
To enable the name service switch (NSS) library to make domain users and groups available to the local system:
- Append the winbind entry to the following databases in the /etc/nsswitch.conf file:
passwd: files winbind
group: files winbind
  - Keep the files entry as the first source for both databases. This enables NSS to look up domain users and groups from the /etc/passwd and /etc/group files before querying the Winbind service.
  - Do not add the winbind entry to the NSS shadow database. This can cause the wbinfo utility to fail.
Do not use the same user names in the local /etc/passwd file as in the domain.
- If you compiled Samba, add symbolic links from the libnss_winbind library to the operating system's library path. For details, see libnss_winbind Links. If you used packages to install Samba, the link is usually created automatically.
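The nsswitch.conf rules above and the "do not use the same user names" rule, as one added example that is not part of the Samba wiki page: a shell script that lints an nsswitch.conf (winbind present on passwd and group, files listed first, no winbind on shadow) and reports local account names that also exist in the domain. File paths are passed as arguments; the sample nsswitch.conf files, the sample passwd file and the domain user list (standing in for what wbinfo -u prints) are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the Samba wiki page: lint an nsswitch.conf against
# the rules above (winbind appended to passwd and group, files first, never on
# shadow) and report local account names that clash with domain user names.
# Paths are passed as arguments; the sample files below are constructed, and
# the domain user list stands in for what "wbinfo -u" would print.

# check_nsswitch FILE -> 0 when passwd/group/shadow follow the rules above
check_nsswitch() {
    awk '
        BEGIN { rc = 0 }
        /^[ \t]*#/ { next }
        $1 == "passwd:" || $1 == "group:" {
            has_wb = 0
            for (i = 2; i <= NF; i++) if ($i == "winbind") has_wb = 1
            if (!has_wb) { printf "MISSING: %s does not list winbind\n", $1; rc = 1 }
            else if ($2 != "files") { printf "ORDER: %s must list files first\n", $1; rc = 1 }
        }
        $1 == "shadow:" {
            for (i = 2; i <= NF; i++)
                if ($i == "winbind") { print "BAD: shadow must not list winbind"; rc = 1 }
        }
        END { exit rc }' "$1"
}

# find_name_clashes PASSWD_FILE DOMAIN_USERS_FILE
# Prints "CLASH: name" for each local account whose name also exists in the
# domain (compared case-insensitively, as Windows names are); returns 1 if any.
find_name_clashes() {
    awk -F: '
        BEGIN { rc = 0 }
        NR == FNR { local_name[tolower($1)] = 1; next }   # first file: passwd
        {
            name = $0
            sub(/.*\\/, "", name)                         # strip the "SAMDOM\" prefix
            name = tolower(name)
            if (name in local_name) { print "CLASH: " name; rc = 1 }
        }
        END { exit rc }' "$1" "$2"
}

# Constructed sample files.
good_nss=$(mktemp); bad_nss=$(mktemp); local_pw=$(mktemp); dom_users=$(mktemp)
trap 'rm -f "$good_nss" "$bad_nss" "$local_pw" "$dom_users"' EXIT
printf '%s\n' 'passwd: files winbind' 'group: files winbind' 'shadow: files' 'hosts: files dns' > "$good_nss"
printf '%s\n' 'passwd: winbind files' 'group: files' 'shadow: files winbind' > "$bad_nss"
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' 'demo01:x:1001:1001::/home/demo01:/bin/sh' > "$local_pw"
printf '%s\n' 'SAMDOM\demo01' 'SAMDOM\demo02' > "$dom_users"

check_nsswitch "$good_nss" && echo "good nsswitch sample: OK"
check_nsswitch "$bad_nss" || echo "bad nsswitch sample: rejected as expected"
find_name_clashes "$local_pw" "$dom_users" || echo "local/domain name clash found"
```

On a joined member, feed find_name_clashes the real /etc/passwd and the output of wbinfo -u saved to a file; a clash means NSS will answer from /etc/passwd first and the domain account of the same name is shadowed on this host.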
Starting the Services
To start the services on a domain member:
- Start the winbindd service to enable the name service switch (NSS) library to look up domain users and groups:
# winbindd
- If you set up file shares or printer services on the domain member, additionally start the smbd and nmbd services:
# smbd
# nmbd
You must not start the samba service on a domain member. This service is required only on Active Directory (AD) domain controllers (DC).
Samba does not provide System V init scripts, systemd, upstart, or service files for other init services.
- If you installed Samba using packages, use the script or service configuration file provided by the package to start Samba.
- If you built Samba, see your distribution's documentation for how to create a script or configuration to start services.
Testing the Winbindd Connectivity
Sending a Winbindd Ping
To verify if the Winbindd service is able to connect to Active Directory (AD) Domain Controllers (DC) or a primary domain controller (PDC), enter:
# wbinfo --ping-dc
checking the NETLOGON for domain[SAMDOM] dc connection to "DC.SAMDOM.EXAMPLE.COM" succeeded
If the previous command fails, verify:
- That the winbindd service is running.
- That your smb.conf file is set up correctly.
Using Domain Accounts and Groups in Operating System Commands
Looking up Domain Users and Groups
The libnss_winbind library enables you to look up domain users and groups. For example:
- To look up the domain user demo01:
# getent passwd demo01
demo01:*:10000:10000:demo01:/home/demo01:/bin/bash
- To look up the domain group Domain Users:
# getent group "Domain Users"
domain users:x:10000:
Assigning File Permissions to Domain Users and Groups
The name service switch (NSS) library enables you to use domain user accounts and groups in commands. For example, to set the owner of a file to the demo01 domain user and the group to the Domain Users domain group, enter:
# chown demo01:"domain users" file.txt
Setting up Additional Services on the Domain Member
On a Samba domain member, you can additionally set up:
- File shares to act as a file server. For details, see Samba File Serving.
- Print services to act as a print server. For details, see Print Server Support.
- PAM authentication of domain users for local services. For details, see Authenticating Domain Users Using PAM.
Troubleshooting
For details, see Troubleshooting Samba Domain Members.