4 Configuring a Samba Server as an AD Member

The following procedure shows one way of configuring a Samba server as an AD member:

  1. Install the required packages.

    Install the following packages:

    • realmd

      The realmd tool is used for joining Kerberos realms, such as Active Directory domains.

    • oddjob and oddjob-mkhomedir

      oddjob is a D-Bus service which runs jobs on behalf of client applications.

      oddjob-mkhomedir is an oddjob helper which creates and populates home directories.

    • samba-winbind-clients, samba-winbind, samba-common-tools, samba-winbind-krb5-locator, and samba.

      You can run the following command to install the required packages:

      sudo dnf install realmd \
       oddjob-mkhomedir \
       oddjob  \
       samba-winbind-clients \
       samba-winbind  \
       samba-common-tools  \
       samba-winbind-krb5-locator  \
       samba
  2. Back up the Samba configuration file.

    Make a backup copy of the Samba configuration file:

    sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.copy
  3. Join the AD domain.

    Use the realm join command to join the AD domain. The following example assumes you want to join domain EXAMPLE.COM:

    sudo realm join --membership-software=samba \
     --client-software=winbind EXAMPLE.COM  

    When you run the command as shown, realm does the following:

    • Creates the /etc/samba/smb.conf file with membership of the EXAMPLE.COM domain configured.

    • Adds the winbind module for user and group lookups to the /etc/nsswitch.conf file.

    • Updates the Pluggable Authentication Module (PAM) configuration files in the /etc/pam.d/ directory.

    • Starts and enables the winbind service.

  4. Configure ID mapping.

    In the /etc/samba/smb.conf file, set up the ID Mapping that the configuration requires.

    For further details on ID Mapping, see ID Mapping Backends in the Active Domain Member Setup.

  5. Verify the configuration.

    Check that the entries in the /etc/samba/smb.conf file meet all configuration requirements.

    For more information on the configuration file, see The Samba Configuration File.

  6. Check that winbind is running.

    Verify that the winbind service is running:

    sudo systemctl status winbind

    Important:

    The winbind service must be running before you start the smb service. Otherwise, Samba can't retrieve domain user and group information.

  7. Start the smb service.

    After verifying that winbind is running in the preceding step, start and enable the smb service:

    sudo systemctl enable --now smb 
  8. Verify the Samba server is working.

    Perform verification steps such as the following:

    • Get the details of a domain user. The following assumes the details of user exampleuser in the EXAMPLE.COM domain are being retrieved:

      sudo getent passwd EXAMPLE.COM\\exampleuser
      EXAMPLE.COM\exampleuser:*:10000:10000::/home/exampleuser@EXAMPLE.COM:/bin/bash
    • Test the command to get users from the Domain Users group in the domain. The following assumes the details of users in the Domain Users group in the EXAMPLE.COM domain are being retrieved:

      sudo getent group "EXAMPLE.COM\Domain Users"
      EXAMPLE.COM\domain users:x:10000:exampleuser1,exampleuser2
    • Confirm that you can use domain users and groups when using file and directory commands. For example, to set the owner of the /srv/samba/shareexample/ directory to EXAMPLE.COM\administrator and the group to EXAMPLE.COM\Domain Users, run the following command:

      sudo chown "EXAMPLE.COM\administrator":"EXAMPLE.COM\Domain Users" /srv/samba/shareexample
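
One way to script the checks in steps 4 and 5, as an added example that is not part of the original procedure: the function confirms that [global] sets security = ads and a realm, that the default domain (*) has an idmap range, and that no two idmap ranges overlap. The helper names check_ad_member_conf and write_sample are hypothetical, and the sample file with its backends and ranges is constructed for illustration.

```shell
# Added example: sanity-check [global] of an AD-member smb.conf; exit status 0 = nothing flagged.
check_ad_member_conf() {    # $1 = path to smb.conf
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }             # comments and blank lines
    /^[ \t]*\[/ { sect = tolower(trim($0)); next }    # section header
    sect == "[global]" {
        eq = index($0, "="); if (!eq) next
        key = tolower(trim(substr($0, 1, eq - 1))); gsub(/[ \t]+/, " ", key)
        val = trim(substr($0, eq + 1))
        if (key == "security") security = tolower(val)
        else if (key == "realm") realm = val
        else if (key ~ /^idmap config .* ?: ?range$/) {
            dom = key; sub(/^idmap config /, "", dom); sub(/ ?: ?range$/, "", dom)
            split(val, r, /[ \t]*-[ \t]*/)
            n++; name[n] = dom; lo[n] = r[1] + 0; hi[n] = r[2] + 0
        }
    }
    END {
        if (security != "ads") { print "security is not ads"; bad = 1 }
        if (realm == "") { print "realm is not set"; bad = 1 }
        for (i = 1; i <= n; i++) {
            if (name[i] == "*") star = 1
            if (lo[i] >= hi[i]) { print "invalid idmap range for " name[i]; bad = 1 }
            for (j = i + 1; j <= n; j++)     # overlap: each range starts before the other ends
                if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                    print "idmap ranges overlap: " name[i] " and " name[j]; bad = 1
                }
        }
        if (!star) { print "no idmap range for the default domain *"; bad = 1 }
        exit bad + 0
    }' "$1"
}
# Constructed sample (assumed backends and ranges, not taken from the page).
write_sample() {    # $1 = output path, $2 = idmap range for the EXAMPLE domain
    cat > "$1" <<EOF
[global]
    security = ads
    realm = EXAMPLE.COM
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config EXAMPLE : backend = rid
    idmap config EXAMPLE : range = $2
EOF
}
tmp=$(mktemp -d)
write_sample "$tmp/ok.conf" 10000-999999 && check_ad_member_conf "$tmp/ok.conf" && echo "ok.conf: passes"
write_sample "$tmp/bad.conf" 5000-999999 && check_ad_member_conf "$tmp/bad.conf" || echo "bad.conf: rejected"
rm -rf "$tmp"
```

Run the function against /etc/samba/smb.conf after editing the ID mapping and before starting the smb service in step 7.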