Posted: Fri Sep 25, 2020 6:58 pm    Post subject: Adventures in joining Samba 4 to Active Directory
We just bought a new server at work for purposes of making basically a glorified NAS box, as several of our VMware hosts are running low. Getting Gentoo up and running on a Dell PowerEdge R7515 was a piece of cake: boot the last v5 SystemRescueCD in EFI mode from my computer-imaging USB SSD, do all of the usual stuff to install Gentoo, then tell the server firmware where GRUB lives in the EFI system partition (since it's RAID-1 and grub-install doesn't want to configure EFI on the server...this was the only snag I hit). I got iSCSI sorted, and then I figured that Samba could be useful to have on there.
Getting Samba configured and joined to the domain as a member server took the better part of yesterday, thanks largely to outdated documentation and some recent breakage in the software.
Piecing together several configuration snippets across multiple websites of which I didn't take note, /etc/samba/smb.conf ended up with these changes from stock in global settings. Our domain controller is still running Windows Server 2008 R2, but I think this will hold up against newer versions. I've taken our actual domain name and changed it to EXAMPLE:
security = ADS
workgroup = EXAMPLE
client min protocol = SMB2
idmap config * : backend = tdb
idmap config * : range = 1000-7999
idmap config EXAMPLE:backend = ad
idmap config EXAMPLE:schema_mode = rfc2307
idmap config EXAMPLE:range = 10000-999999
idmap config EXAMPLE:unix_nss_info = yes
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
realm = EXAMPLE.TLD
Samba is built with the kerberos, ldap, winbind and ads USE flags, and we're running v4.11.11.
One problem I ran into was with the lack of a guest user; Samba wouldn't even start up. According to https://bugzilla.redhat.com/show_bug.cgi?id=1648399, you'll want to run this once to set up the guest user:
$ sudo net -s /dev/null groupmap add sid=S-1-5-32-546 unixgroup=nobody type=builtin
Another was some breakage between Samba and Kerberos 1.18, documented at https://bbs.archlinux.org/viewtopic.php?id=254832. I dug the last pre-1.18 Kerberos ebuild out of Portage and put it in my overlay. Use this to get it:
$ sudo layman -a salfter
$ echo \>=app-crypt/mit-krb5-1.18 | sudo tee /etc/portage/package.mask/mit-krb5
$ sudo emerge -1 mit-krb5 samba
Once all the above was in place, this finally worked:
$ sudo net ads join -U administrator
This last bit is mainly a convenience...there's a line in smb.conf:
idmap config EXAMPLE:unix_nss_info = yes
This allows Active Directory accounts to be linked to local accounts; by setting the uidNumber and gidNumber attributes to my user account, my home directory was exported. It looks like there are other attributes that potentially might even lead to authenticating for login against Active Directory instead of /etc/passwd, etc., but that's another matter for another time.
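As an added example (not from the original post, and not Samba's own tooling), here is a small POSIX shell script that statically checks the idmap section of an smb.conf like the one above before running `net ads join`. It covers the three things that most often go wrong with those ranges: the backend ranges must be well-formed and pairwise disjoint (an overlap makes SID-to-UID mappings ambiguous, so file ownership stops reflecting the intended AD identity); a uidNumber set on an AD account must fall inside the domain's range, because the ad backend treats the range as a filter and discards mappings outside it, which is one reason an account set up as in the last paragraph can still fail to resolve; and no local /etc/passwd account should sit inside a range that Samba will map AD or BUILTIN SIDs into. The sample smb.conf and passwd entries are constructed for the example and written under $TMPDIR; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): static checks on the idmap
# section of an smb.conf before joining. The sample files written by
# write_samples are constructed for this example, not taken from a server.

# Print "<domain> <low> <high>" for every "idmap config <dom>:range = lo-hi"
# line. Accepts both spacings seen in practice ("* : range" and "EXAMPLE:range").
idmap_ranges() {
    awk -F'=' '
        /^[[:space:]]*idmap config .*range[[:space:]]*=/ {
            split($1, lhs, ":")
            dom = lhs[1]
            sub(/^[[:space:]]*idmap config/, "", dom)
            gsub(/[[:space:]]/, "", dom)
            rng = $2
            gsub(/[[:space:]]/, "", rng)
            split(rng, r, "-")
            print dom, r[1], r[2]
        }' "$1"
}

# Exit 0 when all ranges are well-formed and pairwise disjoint, 1 otherwise.
check_idmap_ranges() {
    idmap_ranges "$1" | awk '
        {
            n++; dom[n] = $1; lo[n] = $2 + 0; hi[n] = $3 + 0
            if (lo[n] > hi[n]) { print "invalid range for " dom[n]; bad = 1 }
        }
        END {
            for (i = 1; i <= n; i++)
                for (j = i + 1; j <= n; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                        print "overlap: " dom[i] " and " dom[j]; bad = 1
                    }
            exit bad + 0
        }'
}

# Exit 0 when UID $3 lies inside the range of domain $2. With the ad backend
# a uidNumber outside the range is filtered out and the user does not resolve.
uid_in_domain_range() {
    idmap_ranges "$1" | awk -v d="$2" -v u="$3" '
        $1 == d { found = 1; if (u + 0 >= $2 + 0 && u + 0 <= $3 + 0) ok = 1 }
        END { exit (found && ok) ? 0 : 1 }'
}

# Print local accounts (passwd-format file $2) whose UID falls inside any
# idmap range of $1; exit 1 if any exist. Such accounts would share a UID
# with an identity Samba allocates or maps for an AD/BUILTIN SID.
local_uid_collisions() {
    _ranges=$(idmap_ranges "$1")
    awk -F':' -v ranges="$_ranges" '
        BEGIN {
            n = split(ranges, lines, "\n")
            for (i = 1; i <= n; i++) {
                split(lines[i], f, " "); dom[i] = f[1]; lo[i] = f[2] + 0; hi[i] = f[3] + 0
            }
        }
        NF >= 3 {
            uid = $3 + 0
            for (i = 1; i <= n; i++)
                if (uid >= lo[i] && uid <= hi[i]) {
                    print $1 " (uid " uid ") collides with idmap domain " dom[i]; bad = 1
                }
        }
        END { exit bad + 0 }' "$2"
}

# Constructed sample files: a config laid out like the post's, one with a
# default range widened until it overlaps EXAMPLE, and a two-line passwd.
write_samples() {
    GOOD="${TMPDIR:-/tmp}/smb.conf.good.$$"
    BAD="${TMPDIR:-/tmp}/smb.conf.bad.$$"
    PASSWD="${TMPDIR:-/tmp}/passwd.sample.$$"
    cat > "$GOOD" <<'EOF'
[global]
   security = ADS
   workgroup = EXAMPLE
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config EXAMPLE:backend = ad
   idmap config EXAMPLE:range = 10000-999999
EOF
    sed 's/3000-7999/1000-19999/' "$GOOD" > "$BAD"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' \
        'alice:x:1001:1001::/home/alice:/bin/sh' > "$PASSWD"
}

# Usage: sh idmap-check.sh /etc/samba/smb.conf
if [ $# -gt 0 ]; then
    check_idmap_ranges "$1" && echo "idmap ranges OK"
    [ -r /etc/passwd ] && local_uid_collisions "$1" /etc/passwd && echo "no local UID collisions"
fi
```

The constructed "good" config starts the default `*` range at 3000 rather than 1000 so that the first locally created accounts (UID 1000 and up on a stock Gentoo install) stay clear of the IDs the tdb backend hands out for BUILTIN and foreign SIDs; running `local_uid_collisions` against the post's 1000-7999 range would flag any such local user. None of this replaces `testparm`, which validates the rest of the file, but these checks catch the range mistakes that `testparm` accepts silently.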