Setting up Samba as a Domain Member

From SambaWiki
Revision as of 00:48, 15 June 2017 by Jasonblewis (talk | contribs) (reverting change, move my edit to troubleshooting as per Marc's suggestion)

Introduction

A Samba domain member is a Linux machine that runs Samba and is joined to a domain, but does not itself provide domain services such as an NT4 primary domain controller (PDC) or an Active Directory (AD) domain controller (DC).

On a Samba domain member, you can:

  • Use domain users and groups in local ACLs on files and directories.
  • Set up shares to act as a file server.
  • Set up printing services to act as a print server.
  • Configure PAM to enable domain users to log on locally or to authenticate to locally installed services.

For details about setting up a Samba NT4 domain or Samba AD, see Domain Control.



Preparing the Installation

General Preparation

  • Verify that no Samba processes are running:
# ps ax | egrep "samba|smbd|nmbd|winbindd"
If the output lists any samba, smbd, nmbd, or winbindd processes, shut down the processes.
  • If you previously ran a Samba installation on this host:
      • Remove the existing smb.conf file. To list the path to the file, enter:
# smbd -b | grep "CONFIGFILE"
   CONFIGFILE: /usr/local/samba/etc/samba/smb.conf
      • Remove all Samba database files, such as *.tdb and *.ldb files. To list the directories containing Samba databases, enter:
# smbd -b | egrep "LOCKDIR|STATEDIR|CACHEDIR|PRIVATE_DIR"
  LOCKDIR: /usr/local/samba/var/lock/
  STATEDIR: /usr/local/samba/var/locks/
  CACHEDIR: /usr/local/samba/var/cache/
  PRIVATE_DIR: /usr/local/samba/private/
Starting with a clean environment prevents confusion and ensures that no files from your previous Samba installation are mixed into your new domain member installation.


Preparing a Domain Member to Join an Active Directory Domain

Configuring DNS

For details, see Linux and Unix DNS Configuration.


Configuring Kerberos

Samba uses Heimdal Kerberos at present, but work is ongoing to change to MIT Kerberos.

This means that, until the change is made, the Kerberos file /etc/krb5.conf needs to contain only the following:

[libdefaults]
	default_realm = SAMDOM.EXAMPLE.COM
	dns_lookup_realm = false
	dns_lookup_kdc = true

Using anything other than the above could lead to errors.

You will need to replace SAMDOM.EXAMPLE.COM with your Kerberos realm.


Configuring Time Synchronisation

Kerberos requires a synchronised time on all domain members. Thus it is recommended to set up an NTP client. For further details, see Configuring Time Synchronisation on a Unix Domain Member.


Local Host Name Resolution

When you join the host to the domain, Samba tries to register the host name in the AD DNS zone. For this, the net utility must be able to resolve the host name using DNS or using a correct entry in the /etc/hosts file.

To verify that your host name resolves correctly, use the getent hosts command. For example:

# getent hosts M1
10.99.0.5      M1.samdom.example.com    M1

The host name and FQDN must resolve to the IP address used on the LAN interface of the domain member, and not to 127.0.0.1 or any other IP address.

If no output is displayed, or the host resolves to the wrong IP address and you are not using DHCP, set the correct entry in the /etc/hosts file. For example:

127.0.0.1      localhost localhost.localdomain
10.99.0.5      M1.samdom.example.com    M1

If you are using DHCP, check that /etc/hosts contains only the 127.0.0.1 line shown above. If you continue to have problems, contact the sysadmin who controls your DHCP server.

  • On Debian-related systems you will also see a 127.0.1.1 hostname entry in /etc/hosts; remove it before you install Samba.
  • Keep the line 127.0.0.1 localhost localhost.localdomain alias3 alias4 etc. in this order.

Resolving 127.0.0.1 with gethostbyname() and with nslookup can return two different answers (provided nsswitch.conf is configured with "files dns"), which is why you must keep the order in /etc/hosts as 127.0.0.1 localhost ALIAS. See also RFC 1912.
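As an added example that is not part of the wiki page, the following shell script checks an /etc/hosts file against the rules in this section before a join is attempted: the short name and FQDN must map to the LAN address, no 127.0.1.1 entry may be present, and the 127.0.0.1 line must list localhost first. The function names and the two sample files are constructed for the example.

```shell
# Added example, not from the Samba wiki: validate an /etc/hosts file against the
# rules of the "Local Host Name Resolution" section before running "net ads join".
# Function names and the sample files are constructed for this example.

# hosts_lookup FILE NAME: print the address of the first entry whose canonical
# name or alias equals NAME, i.e. what the "files" NSS source would answer.
hosts_lookup() {
    awk -v name="$2" '
        { sub(/#.*/, "") }                       # drop comments
        NF >= 2 { for (i = 2; i <= NF; i++) if ($i == name) { print $1; exit } }
    ' "$1"
}

# check_member_hosts FILE SHORT FQDN LAN_IP: return 0 only when
#   - SHORT and FQDN both resolve to LAN_IP (never to 127.0.0.1 or elsewhere),
#   - no Debian-style "127.0.1.1 hostname" entry is present, and
#   - the 127.0.0.1 entry lists localhost first (RFC 1912 ordering).
check_member_hosts() {
    file=$1 short=$2 fqdn=$3 lan_ip=$4
    for name in "$short" "$fqdn"; do
        got=$(hosts_lookup "$file" "$name")
        [ "$got" = "$lan_ip" ] || { echo "$name resolves to '$got', expected $lan_ip"; return 1; }
    done
    if grep -qE '^[[:space:]]*127\.0\.1\.1[[:space:]]' "$file"; then
        echo "remove the 127.0.1.1 entry before installing Samba"; return 1
    fi
    first=$(awk '$1 == "127.0.0.1" { print $2; exit }' "$file")
    [ "$first" = "localhost" ] || { echo "127.0.0.1 must be followed by localhost, got '$first'"; return 1; }
}

# Constructed sample files: the good one matches the wiki's M1 example, the bad
# one carries the Debian 127.0.1.1 entry that makes the host resolve to loopback.
good_hosts=$(mktemp); bad_hosts=$(mktemp)
cat > "$good_hosts" <<'EOF'
127.0.0.1      localhost localhost.localdomain
10.99.0.5      M1.samdom.example.com    M1
EOF
cat > "$bad_hosts" <<'EOF'
127.0.0.1      localhost localhost.localdomain
127.0.1.1      M1.samdom.example.com    M1
EOF

for f in "$good_hosts" "$bad_hosts"; do
    if check_member_hosts "$f" M1 M1.samdom.example.com 10.99.0.5; then echo "$f: ok"; fi
done
```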

Preparing a Domain Member to Join an NT4 Domain

For joining a host to an NT4 domain, no preparation is required.

Installing Samba

For details, see Installing Samba.



Configuring Samba

Setting up a Basic smb.conf File

Before joining the domain, configure the domain member's smb.conf file:

  • To locate the file, enter:
# smbd  -b | grep CONFIGFILE
  CONFIGFILE: /usr/local/samba/etc/smb.conf
  • Edit the smb.conf file and set the following configuration:
[global]
       security = ADS
       workgroup = SAMDOM
       realm = SAMDOM.EXAMPLE.COM

       log file = /var/log/samba/%m.log
       log level = 1

       # Default ID mapping configuration for local BUILTIN accounts
       # and groups on a domain member. The default (*) domain:
       # - must not overlap with any domain ID mapping configuration!
       # - must use an read-write-enabled back end, such as tdb.
       idmap config * : backend = tdb
       idmap config * : range = 3000-7999
For information on the parameters, see the smb.conf(5) man page.
  • For each domain that you want Samba to be aware of, you must add an ID mapping configuration to the [global] section of your smb.conf file.
  • You must select one of the following Samba ID mapping back ends for each domain:

Back End   Documentation             Man Page
ad         idmap config ad           idmap_ad(8)
rid        idmap config rid          idmap_rid(8)
autorid    idmap config autorid      idmap_autorid(8)
hash       idmap config hash         idmap_hash(8)
ldap       idmap config ldap         idmap_ldap(8)
nss        idmap config nss          idmap_nss(8)
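As an added example that is not part of the wiki page, the following shell script checks that the idmap ranges in an smb.conf are disjoint, which the comment on the default (*) domain in the configuration above requires. The function name and the two sample configurations are constructed; the SAMDOM lines use the rid back end from the table with a range chosen for the example.

```shell
# Added example, not from the Samba wiki: verify that the idmap ranges in an
# smb.conf are disjoint, as the comment on the default (*) domain above requires.
# The function name and sample files are constructed; SAMDOM uses the rid back end.

# check_idmap_ranges SMBCONF: exit 0 when every "idmap config <domain> : range"
# is disjoint from every other one, each has a back end, and a "*" range exists.
# Assumes the spaced form shown on this page: idmap config DOM : option = value
check_idmap_ranges() {
    awk '
        { sub(/[#;].*/, "") }                          # drop comments
        tolower($1) == "idmap" && tolower($2) == "config" {
            line = $0
            sub(/^[ \t]*[^ \t]+[ \t]+[^ \t]+[ \t]+/, "", line)   # strip "idmap config "
            split(line, part, /[ \t]*:[ \t]*/)         # part[1]=domain, part[2]="option = value"
            split(part[2], kv, /[ \t]*=[ \t]*/)        # kv[1]=option, kv[2]=value
            dom = part[1]; opt = tolower(kv[1]); val = kv[2]
            if (opt == "backend") backend[dom] = tolower(val)
            if (opt == "range") { split(val, r, "-"); lo[dom] = r[1] + 0; hi[dom] = r[2] + 0 }
        }
        END {
            rc = 0
            if (!("*" in lo)) { print "missing: idmap config * : range"; rc = 1 }
            for (d in lo) {
                if (!(d in backend)) { print "missing: idmap config " d " : backend"; rc = 1 }
                for (e in lo)
                    if (d < e && lo[d] <= hi[e] && lo[e] <= hi[d]) {
                        print d " " lo[d] "-" hi[d] " overlaps " e " " lo[e] "-" hi[e]; rc = 1
                    }
            }
            exit rc
        }
    ' "$1"
}

# Constructed sample configurations: the first keeps the wiki default range and
# adds a disjoint rid range for SAMDOM; the second overlaps the default range.
good_conf=$(mktemp); bad_conf=$(mktemp)
cat > "$good_conf" <<'EOF'
[global]
       idmap config * : backend = tdb
       idmap config * : range = 3000-7999
       idmap config SAMDOM : backend = rid
       idmap config SAMDOM : range = 10000-999999
EOF
sed 's/10000-999999/5000-999999/' "$good_conf" > "$bad_conf"

for f in "$good_conf" "$bad_conf"; do
    if check_idmap_ranges "$f"; then echo "$f: idmap ranges are disjoint"; fi
done
```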



Mapping the Domain Administrator Account to the Local root User

Samba enables you to map domain accounts to a local account. Use this feature to execute file operations on the domain member's file system as a different user than the account that requested the operation on the client.

To map the domain administrator to the local root account:

  • Add the following parameter to the [global] section of your smb.conf file:
username map = /usr/local/samba/etc/user.map
  • Create the /usr/local/samba/etc/user.map file with the following content:
!root = SAMDOM\Administrator

For further details, see username map parameter in the smb.conf(5) man page.



Joining the Domain

  • To join the host to an Active Directory (AD) domain, enter:
# net ads join -U administrator
Enter administrator's password: Passw0rd
Using short domain name -- SAMDOM
Joined 'M1' to dns domain 'samdom.example.com'
  • To join the host to an NT4 domain, enter:
# net rpc join -U administrator
Enter administrator's password: Passw0rd
Joined domain SAMDOM.

If you have problems joining the domain, check your configuration. For further help, see Troubleshooting Samba Domain Members.



Configuring the Name Service Switch

To enable the name service switch (NSS) library to make domain users and groups available to the local system:

  • Append the winbind entry to the following databases in the /etc/nsswitch.conf file:
passwd: files winbind
group:  files winbind
  • Keep the files entry as the first source for both databases. This enables NSS to look up domain users and groups from the /etc/passwd and /etc/group files before querying the Winbind service.
  • Do not add the winbind entry to the NSS shadow database. This can cause the wbinfo utility to fail.
  • If you compiled Samba, add symbolic links from the libnss_winbind library to the operating system's library path. For details, see libnss_winbind Links. If you used packages to install Samba, the link is usually created automatically.



Starting the Services

To start the services on a domain member:

  • Start the winbindd service to enable the name service switch (NSS) library to look up domain users and groups:
# winbindd
  • If you set up file shares or printer services on the domain member, additionally start the smbd and nmbd services:
# smbd
# nmbd

Samba does not provide System V init scripts, systemd, upstart, or service files for other init services.

  • If you installed Samba using packages, use the script or service configuration file provided by the package to start Samba.
  • If you built Samba, see your distribution's documentation for how to create a script or configuration to start services.



Testing the Winbindd Connectivity

Sending a Winbindd Ping

To verify that the Winbindd service is able to connect to Active Directory (AD) domain controllers (DCs) or a primary domain controller (PDC), enter:

# wbinfo --ping-dc
checking the NETLOGON for domain[SAMDOM] dc connection to "DC.SAMDOM.EXAMPLE.COM" succeeded

If the previous command fails, verify:

  • That the winbindd service is running.
  • That your smb.conf file is set up correctly.


Using Domain Accounts and Groups in Operating System Commands

Looking up Domain Users and Groups

The libnss_winbind library enables you to look up domain users and groups. For example:

  • To look up the domain user demo01:
# getent passwd demo01
demo01:*:10000:10000:demo01:/home/demo01:/bin/bash
  • To look up the domain group Domain Users:
# getent group "Domain Users"
domain users:x:10000:


Assigning File Permissions to Domain Users and Groups

The name service switch (NSS) library enables you to use domain user accounts and groups in commands. For example, to set the owner of a file to the demo01 domain user and the group to the Domain Users domain group, enter:

# chown demo01:"domain users" file.txt



Setting up Additional Services on the Domain Member

On a Samba domain member, you can additionally set up:



Troubleshooting

For details, see Troubleshooting Samba Domain Members.