rss logo

Joining a Debian server to a Windows domain using winbind

samba linux logo

We will see here how to set up a Samba file sharing server with Winbind on GNU/Linux in order to integrate it with an Active Directory. The goal is for clients to be able to authenticate to the share with their user domain account.

To achieve this I used a Debian 11 version.

Network Architecture

Winbind architecture with one Active Directory server, one Samba server, and one Windows client.
Winbind Architecture.

Install and Configure

⚠️Prerequisites: Ensure that the clock time of the Windows and Debian servers is synchronized.⚠️

  • Set hostname :
root@SAMBA:~# echo "SAMBA" > /etc/hostname root@SAMBA:~# hostname SAMBA
  • Edit and set /etc/hosts file : localhost samba.std.local samba
  • Edit and set /etc/resolv.conf file :
domain std.local search std.local nameserver
  • Install necessary packages :
root@SAMBA:~# apt update && apt install samba winbind libnss-winbind libpam-winbind krb5-user
  • Edit and set /etc/krb5.conf file :
[libdefaults] default_realm = STD.LOCAL ticket_lifetime = 1d renew_lifetime = 7d dns_lookup_realm = false dns_lookup_kdc = true [realms] STD.LOCAL = { kdc = admin_server = }
  • Create share folder :
root@SAMBA:~# mkdir /data
  • Edit and set /etc/samba/smb.conf file :
[global] workgroup = std security = ads realm = std.local idmap config *:backend = tdb idmap config *:range = 700001-800000 idmap config STD:backend = rid idmap config STD:range = 10000-700000 winbind use default domain = yes template homedir = /home/%U map acl inherit = yes template shell = /bin/bash winbind enum users = yes winbind enum groups = yes vfs objects = acl_xattr ; improve security : ntlm auth = no ; improve security, Windows > 8 only : server min protocol = SMB3_00 [share] path = /data writable = yes guest ok = no create mask = 660 directory mask = 770
  • Check /etc/samba/smb.conf configuration file :
root@SAMBA:~# testparm
  • Edit and set /etc/nsswitch.conf file :
# /etc/nsswitch.conf # # Example configuration of GNU Name Service Switch functionality. # If you have the `glibc-doc-reference' and `info' packages installed, try: # `info libc "Name Service Switch"' for information about this file. passwd: files systemd winbind group: files systemd winbind shadow: files gshadow: files hosts: files dns networks: files protocols: db files services: db files ethers: db files rpc: db files netgroup: nis
  • Add server to Active Directory :
root@SAMBA:~# net ads join -U administrator@std.local
  • Restart services :
root@SAMBA:~# systemctl restart smbd.service nmbd.service winbind.service
  • Check domain connectivity :
root@SAMBA:~# wbinfo --ping-dc checking the NETLOGON for domain[STD] dc connection to "ad.std.local" succeeded
  • Check you can list users and groups with the wbinfo tool :
root@SAMBA:~# wbinfo -u administrator guest krbtgt e.cartman s.marsh […] root@SAMBA:~# wbinfo -g domain computers domain controllers schema admins enterprise admins domain users domain guests […]
  • Set rights :
root@SAMBA:~# chown -R "domain users:administrator" /data/
  • From Active Directory server set Permissions :
Permissions windows on a microsoft windows server
Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

Contact :

contact mail address