4 Configuring a Samba Server as an AD Member
The following procedure shows one way of configuring a Samba server as an AD member:
- Install the required packages.
  Install the following packages:
  - realmd
    The realmd tool is used for joining Kerberos realms, such as Active Directory domains.
  - oddjob and oddjob-mkhomedir
    oddjob is a D-Bus service which runs jobs on behalf of client applications. oddjob-mkhomedir is an oddjob helper which creates and populates home directories.
  - samba-winbind-clients, samba-winbind, samba-common-tools, samba-winbind-krb5-locator, and samba.
  You can run the following command to install the required packages:
      sudo dnf install realmd \
        oddjob-mkhomedir \
        oddjob \
        samba-winbind-clients \
        samba-winbind \
        samba-common-tools \
        samba-winbind-krb5-locator \
        samba
- Back up the Samba configuration file.
  Make a backup copy of the Samba configuration file:
      sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.copy
- Join the AD domain.
  Use the realm join command to join the AD domain. The following example assumes you want to join domain EXAMPLE.COM:
      sudo realm join --membership-software=samba \
        --client-software=winbind EXAMPLE.COM
  When you run the command as shown, realm does the following:
  - Creates the /etc/samba/smb.conf file with membership of the EXAMPLE.COM domain configured.
  - Adds the winbind module for user and group lookups to the /etc/nsswitch.conf file.
  - Updates the Pluggable Authentication Module (PAM) configuration files in the /etc/pam.d/ directory.
  - Starts and enables the winbind service.
- Configure ID mapping.
  Set up the ID mapping that the configuration requires in the /etc/samba/smb.conf file.
  For further details on ID mapping, see ID Mapping Backends in the Active Domain Member Setup.
- Verify the configuration.
  Check that the entries in the /etc/samba/smb.conf file meet all configuration requirements.
  For more information on the configuration file, see The Samba Configuration File.
- Check that winbind is running.
  Verify that the winbind service is running:
      sudo systemctl status winbind
  Important:
  The winbind service must be running before you start the smb service. Otherwise, Samba can't retrieve domain user and group information.
- Start the smb service.
  After verifying that the winbind service is running in the preceding step, start and enable the smb service:
      sudo systemctl enable --now smb
- Verify the Samba server is working.
  Perform verification steps such as the following:
  - Get the details of a domain user. The following assumes the details of user exampleuser in the EXAMPLE.COM domain are being retrieved:
        sudo getent passwd EXAMPLE.COM\\exampleuser
        EXAMPLE.COM\exampleuser:*:10000:10000::/home/exampleuser@EXAMPLE.COM:/bin/bash
  - Test the command to get users from the Domain Users group in the domain. The following assumes the details of users in the Domain Users group in the EXAMPLE.COM domain are being retrieved:
        sudo getent group "EXAMPLE.COM\Domain Users"
        EXAMPLE.COM\domain users:x:10000:exampleuser1,exampleuser2
  - Confirm that you can use domain users and groups when using file and directory commands. For example, to set the owner of the /srv/samba/shareexample/ directory to EXAMPLE.COM\administrator and the group to EXAMPLE.COM\Domain Users, run the following command:
        sudo chown "EXAMPLE.COM\administrator":"EXAMPLE.COM\Domain Users" /srv/samba/shareexample
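The ID mapping and configuration checks in the procedure above can be run offline against copies of /etc/nsswitch.conf and /etc/samba/smb.conf. The following script is an added example, not part of the original procedure; the function names, the sample file contents and the idmap ranges are constructed assumptions.

```sh
#!/bin/sh
# Added example: offline checks on copies of the files that realm join writes.

# Succeeds when both the passwd and group databases list the winbind module.
nss_has_winbind() {
    awk '/^[ \t]*(passwd|group):/ && /[ \t]winbind([ \t]|$)/ { ok++ }
         END { exit (ok == 2 ? 0 : 1) }' "$1"
}

# Prints "LOW HIGH" for each "idmap config DOMAIN : range = LOW-HIGH" line.
idmap_ranges() {
    awk 'tolower($0) ~ /^[ \t]*idmap config [^:]*:[ \t]*range[ \t]*=/ {
             split($0, kv, "="); split(kv[2], r, "-"); print r[1] + 0, r[2] + 0
         }' "$1"
}

# Succeeds when no two ranges overlap; an overlap maps two accounts to one UID/GID.
idmap_ranges_disjoint() {
    idmap_ranges "$1" | sort -n | awk '
        NR > 1 && $1 <= high { bad = 1 }
        $2 > high { high = $2 }
        END { exit bad + 0 }'
}

# Constructed sample files (assumed values, not output captured from a real join).
demo_dir=$(mktemp -d)
cat > "$demo_dir/nsswitch.conf" <<'EOF'
passwd:     files winbind systemd
group:      files winbind systemd
EOF
cat > "$demo_dir/smb.conf" <<'EOF'
[global]
    security = ads
    realm = EXAMPLE.COM
    workgroup = EXAMPLE
    idmap config * : backend = tdb
    idmap config * : range = 10000-999999
    idmap config EXAMPLE : backend = rid
    idmap config EXAMPLE : range = 2000000-2999999
EOF
# Same file with the domain range moved inside the default range.
sed 's/2000000-2999999/500000-2999999/' "$demo_dir/smb.conf" > "$demo_dir/smb-overlap.conf"

nss_has_winbind "$demo_dir/nsswitch.conf" && echo "nsswitch: winbind present"
idmap_ranges_disjoint "$demo_dir/smb.conf" && echo "smb.conf: idmap ranges disjoint"
idmap_ranges_disjoint "$demo_dir/smb-overlap.conf" || echo "smb-overlap.conf: ranges overlap"
```

Point the functions at copies of the real files before starting the smb service; a failed range check means the ID mapping step needs to be revisited.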