This post is a slight modification of the official wiki for setting up Samba as an AD Domain Member.
In my lab, I built a Windows 2012R2 domain controller/DNS and a CentOS 7.1 VM running Samba 4.2.10.
My Windows domain is kdomain.local and the NETBIOS name is MYDOMAIN. Both machines are on the same subnet and the IP of the CentOS VM is in the DNS. Let’s verify the prerequisites before we install Samba. Make sure that everything checks out.
Check the hostname first.
If you need to change the hostname, use hostnamectl set-hostname your_hostname
Make sure your resolver points to a valid domain controller.
    cat /etc/resolv.conf
    search kdomain.local
    nameserver 192.168.1.19
Check your IP.
    ip addr show | grep inet
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
    inet 192.168.1.6/24 brd 192.168.1.255 scope global eno16777736
Check the resolving. dc03 is my domain controller, centos7dd is my CentOS member server, the one that I am configuring.
    host -t A dc03.kdomain.local
    dc03.kdomain.local has address 192.168.1.19
    host -t A centos7dd.kdomain.local
    centos7dd.kdomain.local has address 192.168.1.6
If you get an error that host is an unknown command, install bind-utils with yum install bind-utils. You don’t have to, but make sure that all IPs and name resolution work fine.
Some more checks, to make sure that nothing is messed up in the /etc/hosts file.
    getent hosts centos7dd
    192.168.1.6 centos7dd.kdomain.local
Now it’s time to install samba.
yum install samba samba-devel samba-winbind samba-winbind-clients
Before you go further, you need to know what realm, NETBIOS and workgroup mean in Samba terms. They are kind of misleading, as you can see below from the Samba config file. On the domain controller, open up a command prompt and type:
    set | find "DOMAIN"
    USERDNSDOMAIN=KDOMAIN.LOCAL
    USERDOMAIN=MYDOMAIN
    USERDOMAIN_ROAMINGPROFILE=MYDOMAIN
My domain is KDOMAIN.LOCAL and the NETBIOS domain name is MYDOMAIN. The hostname of my domain controller is DC03, but that’s irrelevant.
Find where the config file is stored.
    smbd -b | grep CONFIGFILE
    CONFIGFILE: /etc/samba/smb.conf
Rename the original file as something else and edit smb.conf so it’s an empty file. Add the following lines there.
    [global]
    netbios name = centos7dd
    realm = KDOMAIN.LOCAL
    workgroup = MYDOMAIN
    security = ADS
    winbind enum groups = Yes
    winbind enum users = Yes
    winbind nss info = rfc2307
    idmap config *:range = 2000-9999
    idmap config * : backend = tdb
Now, you can join the VM to the domain.
    net ads join -U administrator
    Enter administrator's password:
    Using short domain name -- MYDOMAIN
    Joined 'CENTOS7DD' to dns domain 'kdomain.local'
Let’s make sure that Samba starts now and on each boot.
    systemctl start smb.service
    systemctl start nmb.service
    systemctl start winbind.service
    systemctl enable smb.service
    systemctl enable nmb.service
    systemctl enable winbind.service
Make sure you get the domain users and groups back.
    wbinfo -u
    MYDOMAIN\administrator
    MYDOMAIN\guest
    MYDOMAIN\klimenta
    MYDOMAIN\krbtgt

    wbinfo -g
    MYDOMAIN\winrmremotewmiusers__
    MYDOMAIN\domain computers
    MYDOMAIN\domain controllers
    MYDOMAIN\schema admins
    MYDOMAIN\enterprise admins
    ....
Now, edit /etc/nsswitch.conf and modify these three lines. Just add winbind after sss for the passwd, shadow and group entries, so it looks like this. Don’t change the lines where it says #passwd: db files nisplus nis.
    passwd: files sss winbind
    shadow: files sss winbind
    group: files sss winbind
Now, do getent passwd and getent group. You should receive both local and domain users and groups as output.
Finally, if you have a firewall, add an exception for Samba services.
    firewall-cmd --permanent --zone=public --add-service=samba
    firewall-cmd --reload
At this point, you’ll have the OS fully configured as a domain member, but you still can’t log in to CentOS with a domain account. In order to do that, we’ll have to run authconfig-tui.
Make sure these options are set.
…and these. You don’t have to join to the domain, just select OK.
This utility will change a lot of files, especially those in the /etc/pam.d directory, and it will also change smb.conf. Restart the winbind service in order for these changes to take effect.
systemctl restart winbind.service
Make sure you have these lines in smb.conf.
    template shell = /bin/sh
    template homedir = /home/%D/%U
Reload Samba config.
systemctl reload smb.service
Because of the template homedir directive above, all home directories for the domain users will be under /home/MYDOMAIN (or whatever domain you have).
Finally, create the home dir and log in as the user.
    mkdir -p /home/MYDOMAIN/klimenta
    cd /home/MYDOMAIN
    chown -R firstname.lastname@example.org klimenta
Now, you can log in as the domain user.
    login as: email@example.com
    firstname.lastname@example.org@192.168.1.6's password:
    Last login: Wed Sep 7 11:08:10 2016 from 192.168.1.101
    -bash-4.2$ pwd
    /home/MYDOMAIN/klimenta
What if we want to share our home or some other folder on the CentOS server? We have to add a config change in smb.conf file. I’ll explain how to share the home folder. If you want to share some other folder, make sure that the domain user has rights to that folder. In my case, I’ll have the domain user klimenta access the shared home folder for the domain user klimenta on the CentOS server. The permissions are already in place. Edit /etc/samba/smb.conf file and add these lines at the end.
    [share]
    comment = klimenta domain user share
    path = /home/MYDOMAIN/klimenta
    valid users = email@example.com
    guest ok = no
    writable = yes
    browsable = yes
Restart both services.
    systemctl restart smb.service
    systemctl restart nmb.service
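The smb.conf, nsswitch.conf and share settings from the steps above can be checked offline with a small script. This is an added example, not part of the original post: the function names (smbconf_get, nsswitch_has_winbind, audit_smbconf) are hypothetical, and the sample files, including the MYDOMAIN\klimenta value, are constructed.

```shell
#!/bin/sh
# Added example: offline checks for the files this guide edits.

# Print the value of KEY in [SECTION]. Samba ignores case and spaces in
# parameter names, and the last assignment wins, so do the same here.
smbconf_get() {  # usage: smbconf_get FILE SECTION KEY
    awk -v s="$2" -v k="$3" '
        function norm(x) { gsub(/[ \t]/, "", x); return tolower(x) }
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ { sec = $0; gsub(/^[ \t]*\[|\].*$/, "", sec)
                      insec = (norm(sec) == norm(s)); next }
        insec && (p = index($0, "=")) {
            val = substr($0, p + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (norm(substr($0, 1, p - 1)) == norm(k)) found = val }
        END { if (found != "") print found }' "$1"
}

# Succeed only if the active passwd, shadow and group lines list winbind.
nsswitch_has_winbind() {  # usage: nsswitch_has_winbind FILE
    for db in passwd shadow group; do
        grep -Eq "^[[:space:]]*$db:.*[[:space:]]winbind([[:space:]]|\$)" "$1" || return 1
    done
}

# Fail if the file is not in ADS mode or SHARE is open to guests/unrestricted.
audit_smbconf() {  # usage: audit_smbconf FILE SHARE
    rc=0
    [ "$(smbconf_get "$1" global security | tr a-z A-Z)" = ADS ] ||
        { echo "FAIL: [global] security is not ADS"; rc=1; }
    for key in "guest ok" public; do   # "public" is a synonym of "guest ok"
        case "$(smbconf_get "$1" "$2" "$key" | tr A-Z a-z)" in
            yes|true|1) echo "FAIL: [$2] allows guests ($key)"; rc=1 ;;
        esac
    done
    [ -n "$(smbconf_get "$1" "$2" "valid users")" ] ||
        { echo "FAIL: [$2] has no valid users restriction"; rc=1; }
    return $rc
}

# Constructed sample input mirroring the settings shown in this guide.
demo=$(mktemp -d)
printf '%s\n' '[global]' 'security = ADS' '[share]' 'guest ok = no' \
    'valid users = MYDOMAIN\klimenta' > "$demo/smb.conf"
printf '%s: files sss winbind\n' passwd shadow group > "$demo/nsswitch.conf"
audit_smbconf "$demo/smb.conf" share && nsswitch_has_winbind "$demo/nsswitch.conf" &&
    echo "member configuration OK"
rm -rf "$demo"
```

On a real member server, point the functions at /etc/samba/smb.conf and /etc/nsswitch.conf instead of the sample files.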
Now, from a Windows workstation go to \\