Samba4 Unix/Linux Clients/Members

ubuntu

apt-get install samba krb5-config krb5-user winbind libpam-winbind libnss-winbind
apt install krb5-user libpam-krb5 libpam-ccreds auth-client-config
apt install smbclient
apt install libnss-winbind libpam-winbind

slackware

find /var/log/packages/ | grep samba
slackpkg install samba lzo

wget http://slackbuilds.org/slackbuilds/14.2/network/krb5.tar.gz
tar xzf krb5.tar.gz
cd krb5
wget http://web.mit.edu/kerberos/dist/krb5/1.15/krb5-1.15.2.tar.gz
slackpkg install libunistring
./krb5.SlackBuild 
installpkg /tmp/krb5-1.15.2-x86_64-1_SBo.tgz

DNS

vi /etc/resolv.conf

domain example.local
nameserver INTERNAL-IP

host -t SRV _ldap._tcp.example.local.
host -t SRV _kerberos._udp.example.local.
host -t A dc1.example.local.
ping -W1 -c1 opendns.com # forwarding enabled on the AD
ping -W1 -c1 example.local # should point to the AD itself

NTP

See Time Config.

Kerberos

ls -lhF /etc/krb5.conf #does not exist yet
cat > /etc/krb5.conf <<-EOF
[libdefaults]
    default_realm = EXAMPLE.LOCAL
    dns_lookup_realm = false
    dns_lookup_kdc = true
EOF

klist #empty so far
kinit user1
klist

1) Joining the domain

Testing,

getent hosts
smbclient -L dc1.example.local -Uuser1

Setting up the domain membership and identity mappings,

mv /etc/samba/smb.conf /etc/samba/smb.conf.dist
vi /etc/samba/smb.conf

[global]
       security = ADS
       workgroup = EXAMPLE
       realm = EXAMPLE.LOCAL

       log file = /var/log/samba/%m.log
       log level = 1

        winbind nss info = template
        template shell = /bin/bash
        template homedir = /home/%U

        idmap config * : backend = tdb
        idmap config * : range = 3000-7999

        idmap config EXAMPLE : backend = rid
        idmap config EXAMPLE : range = 10000-999999

        winbind use default domain = yes
        winbind enum users = yes
        winbind enum groups = yes
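Before joining, it is worth checking that the idmap ranges above are disjoint from each other and from the local system UID space: an overlap lets two different SIDs (or a SID and a local account) resolve to the same Unix id. The POSIX shell script below is an added example, not part of the original page; it runs the check on a constructed copy of the fragment above (and on a constructed broken variant), and the `--system` switch is an assumption of this script, not a Samba option.

```shell
#!/bin/sh
# Constructed smb.conf fragments: GOOD mirrors the page's [global] idmap
# settings, BAD has overlapping ranges (both are sample input for this script).
SMB_CONF_GOOD='[global]
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        idmap config EXAMPLE : backend = rid
        idmap config EXAMPLE : range = 10000-999999'

SMB_CONF_BAD='[global]
        idmap config * : range = 500-20000
        idmap config EXAMPLE : range = 10000-999999'

# check_idmap_ranges CONF_TEXT
# Prints "domain low high" for every idmap range found and exits 0 only when
# each range is non-empty, starts at or above 1000 (so mapped SIDs can never
# collide with local system accounts) and no two ranges overlap.
check_idmap_ranges() {
    printf '%s\n' "$1" | awk -F'=' '
        /^[ \t]*idmap config .*:[ \t]*range[ \t]*=/ {
            split($1, lhs, ":")                 # lhs[1] = "idmap config DOM "
            dom = lhs[1]
            sub(/^[ \t]*idmap config[ \t]*/, "", dom); sub(/[ \t]*$/, "", dom)
            rng = $2; gsub(/[ \t]/, "", rng)    # e.g. "3000-7999"
            split(rng, b, "-")
            n++; d[n] = dom; lo[n] = b[1] + 0; hi[n] = b[2] + 0
        }
        END {
            rc = 0
            for (i = 1; i <= n; i++) {
                printf "%s %d %d\n", d[i], lo[i], hi[i]
                if (lo[i] >= hi[i]) { print "ERROR: empty range for " d[i]; rc = 1 }
                if (lo[i] < 1000)   { print "ERROR: " d[i] " range reaches into system UIDs"; rc = 1 }
                for (j = 1; j < i; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                        print "ERROR: " d[i] " overlaps " d[j]; rc = 1
                    }
            }
            exit rc
        }'
}

# Stand-alone usage (hypothetical switch): check the live smb.conf from the page.
if [ "${1:-}" = "--system" ] && [ -r /etc/samba/smb.conf ]; then
    check_idmap_ranges "$(cat /etc/samba/smb.conf)"
fi
```

Run it with `--system` on a member before `net ads join`; a non-zero exit means the ranges need fixing first.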

Joining the domain,

net ads join -U administrator

Enabling identity mappings,

cp -pi /etc/nsswitch.conf /etc/nsswitch.conf.dist
vi /etc/nsswitch.conf

passwd:         compat winbind
group:          compat winbind

on ubuntu,

systemctl status winbind
systemctl start winbind
systemctl enable winbind

on slackware,

vi /etc/rc.d/rc.local

echo rc.local path is $PATH

/usr/sbin/winbindd
/usr/bin/ps auxw | /usr/bin/grep winbind

and to reload,

smbcontrol winbind reload-config

check,

wbinfo --ping-dc
wbinfo -u
wbinfo -g

getent passwd EXAMPLE\\user3 
getent group "EXAMPLE\\Domain Users"

getent passwd user3 
getent group "Domain Users"

getent passwd | grep user
getent group | grep domain

Create a home directory for the user,

cd /home
mkdir user1
chown user1:"domain users" user1

Now try to log in through SSH to one of those members, as user1.

2) using LDAP/Kerberos instead

Instead of joining the domain, talking to Samba4’s LDAP directly is an option, as described in this post: https://zachbethel.wordpress.com/2013/04/10/linux-ldap-authentication-with-samba4/.

Troubleshooting

When getting this error when attempting to join the domain,

Failed to join domain: failed to lookup DC info for domain 'EXAMPLE.LOCAL' over rpc: Logon failure

==> not sure how I solved this, maybe some of the settings above were missing. It was solved after fixing nsswitch.conf and restarting the winbind service, but this might be just a coincidence as I am not sure that issue is strictly related to winbind anyhow.

When getting this error when attempting to join the domain,

Enter administrator's password:
Using short domain name -- EXAMPLE
Joined 'UBUNTU63' to dns domain 'example.local'
No DNS domain configured for ubuntu63. Unable to perform DNS Update.
DNS update failed: NT_STATUS_INVALID_PARAMETER

==> fix /etc/hosts so the local hostname resolves to its FQDN, please.
