CentOS: Setup Samba as an AD Domain Member

by Kliment Andreev

This post is a slight modification of the official wiki for setting up Samba as an AD Domain Member.

In my lab, I built a Windows 2012R2 domain controller/DNS and a CentOS 7.1 VM running Samba 4.2.10.
My Windows domain is kdomain.local and the NETBIOS name is MYDOMAIN. Both machines are on the same subnet, and the IP of the CentOS VM has a record in DNS. Let’s verify the prerequisites before we install Samba, and make sure that everything checks out.

Check the hostname first.


If you need to change the hostname, use hostnamectl set-hostname your_hostname
Make sure your resolver points to a valid domain controller.

cat /etc/resolv.conf
search kdomain.local

Check your IP.

ip addr show | grep inet
    inet scope host lo
    inet6 ::1/128 scope host
    inet brd scope global eno16777736

Check name resolution. dc03 is my domain controller and centos7dd is the CentOS member server, the one that I am configuring.

host -t A dc03.kdomain.local
dc03.kdomain.local has address
host -t A centos7dd.kdomain.local
centos7dd.kdomain.local has address

If you get an error that host is an unknown command, install bind-utils with yum install bind-utils. You don’t have to use host, but make sure that all IPs and name resolution work correctly.
One more check, to make sure nothing in the /etc/hosts file is misconfigured and overriding DNS.

getent hosts centos7dd
     centos7dd.kdomain.local

Now it’s time to install Samba.

yum install samba samba-devel samba-winbind samba-winbind-clients

Before you go further, you need to know what realm, NETBIOS name and workgroup mean in Samba terms. The names are somewhat misleading, as you can see from the Samba config file below. On the domain controller, open a command prompt and type:

set | find "DOMAIN"

My domain (the realm) is KDOMAIN.LOCAL and the NETBIOS domain name (the workgroup) is MYDOMAIN. The hostname of my domain controller is DC03, but that’s irrelevant here.
Find where the config file is stored.

smbd -b | grep CONFIGFILE
   CONFIGFILE: /etc/samba/smb.conf

Rename the original file to something else, create a new, empty smb.conf, and add the following lines to it.

[global]
        netbios name = centos7dd
        realm = KDOMAIN.LOCAL
        workgroup = MYDOMAIN
        security = ADS
        winbind enum groups = Yes
        winbind enum users = Yes
        winbind nss info = rfc2307
        idmap config * : range = 2000-9999
        idmap config * : backend = tdb

Now, you can join the VM to the domain.

net ads join -U administrator
Enter administrator's password:
Using short domain name -- MYDOMAIN
Joined 'CENTOS7DD' to dns domain 'kdomain.local'

Let’s make sure that Samba starts now and on each boot.

systemctl start smb.service
systemctl start nmb.service
systemctl start winbind.service
systemctl enable smb.service
systemctl enable nmb.service
systemctl enable winbind.service

Make sure winbind returns the domain users and groups.

wbinfo -u
wbinfo -g
MYDOMAIN\domain computers
MYDOMAIN\domain controllers
MYDOMAIN\schema admins
MYDOMAIN\enterprise admins

Now, edit /etc/nsswitch.conf and modify the following lines. Just add winbind after sss for the passwd, shadow and group entries, so they look like this.

passwd:     files sss winbind
shadow:     files sss winbind
group:      files sss winbind

Now, run getent passwd and getent group. You should receive both local and domain users and groups in the output.

Finally, if you have a firewall, add an exception for Samba services.

firewall-cmd --permanent --zone=public --add-service=samba

At this point, you’ll have the OS fully configured as a domain member, but you still can’t log in to CentOS with a domain account. To allow that, we’ll have to run authconfig-tui.


Make sure these options are set.


…and these. You don’t have to join the domain here (it is already joined), just select OK.


This utility changes a lot of files, especially those in the /etc/pam.d directory, and it also changes smb.conf. Restart the winbind service for these changes to take effect.

systemctl restart winbind.service

Make sure you have these lines in smb.conf.

template shell = /bin/sh
template homedir = /home/%D/%U
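
The two hand edits above (winbind in /etc/nsswitch.conf and the template lines in smb.conf) are easy to get slightly wrong. The following is an added example, not from the original post: it applies the nsswitch.conf change idempotently and checks an smb.conf for the keys this post relies on. It assumes GNU sed, the constructed sample files defined in the block, and placeholder paths under /tmp.

```shell
# Added example, not from the original post. Every function takes a file path,
# so each can be tried on a copy before /etc is touched. Sample inputs are
# constructed here and are not from any real system.

# Print nsswitch.conf with "winbind" appended to the passwd, shadow and group
# lines wherever it is not already present. Idempotent; other lines untouched.
add_winbind_to_nsswitch() {
    sed -E '/^(passwd|shadow|group):/{/[[:space:]]winbind([[:space:]]|$)/!s/[[:space:]]*$/ winbind/;}' "$1"
}

# Succeed only if all three databases list winbind.
nsswitch_has_winbind() {
    for db in passwd shadow group; do
        grep -Eq "^${db}:.*[[:space:]]winbind([[:space:]]|$)" "$1" || return 1
    done
    return 0
}

# Print every "key = value" from the post's smb.conf that the given file lacks
# (whitespace around "=" is tolerated) and fail if anything is missing.
smbconf_missing_settings() {
    missing=0
    for kv in 'security=ADS' 'realm=KDOMAIN.LOCAL' 'workgroup=MYDOMAIN' \
              'template shell=/bin/sh' 'template homedir=/home/%D/%U'; do
        key=${kv%%=*}; val=${kv#*=}
        grep -Eq "^[[:space:]]*${key}[[:space:]]*=[[:space:]]*${val}[[:space:]]*$" "$1" \
            || { echo "missing: ${key} = ${val}"; missing=1; }
    done
    return $missing
}

# Constructed sample: a stock CentOS 7 nsswitch.conf before the edit.
sample_nsswitch() {
    printf '%s\n' 'passwd:     files sss' 'shadow:     files sss' \
                  'group:      files sss' 'hosts:      files dns myhostname'
}

# Constructed sample: an smb.conf where authconfig did not add template homedir.
sample_smbconf() {
    printf '%s\n' '[global]' '        security = ADS' '        realm = KDOMAIN.LOCAL' \
                  '        workgroup = MYDOMAIN' '        template shell = /bin/sh'
}

# Dry run on copies (placeholder paths; point these at the real /etc files).
sample_nsswitch > /tmp/nsswitch.sample; sample_smbconf > /tmp/smb.conf.sample
add_winbind_to_nsswitch /tmp/nsswitch.sample > /tmp/nsswitch.new
nsswitch_has_winbind /tmp/nsswitch.new && echo "nsswitch.conf: ok"
smbconf_missing_settings /tmp/smb.conf.sample || echo "smb.conf: fix before reload"
```

Run it against copies first; only when both checks pass should the edited nsswitch.conf replace the real one and winbind be restarted.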

Reload Samba config.

systemctl reload smb.service

Because of the template homedir directive above, all home directories for domain users will be under /home/MYDOMAIN (or whatever your NETBIOS domain name is).
Finally, create the home directory and log in as the user.

mkdir -p /home/MYDOMAIN/klimenta
cd /home/MYDOMAIN
chown -R klimenta@kdomain.local klimenta

Now, you can log in as the domain user.

login as: klimenta@kdomain.local
klimenta@kdomain.local@'s password:
Last login: Wed Sep  7 11:08:10 2016 from
-bash-4.2$ pwd
