Joining a Debian server to a Windows domain using winbind

• Last updated: Mar 18, 2023

We will see here how to set up a Samba file sharing server with Winbind on GNU/Linux in order to integrate it with an Active Directory. The goal is for clients to be able to authenticate to the share with their user domain account.

• The main advantages of Winbind are :
  • Allows GNU/Linux systems to authenticate and access shared resources on Windows servers
  • Can map Windows users ang groups in order to set acls on a samba share
  • Centralized users credentials and accounts on a Active Directory server

To achieve this I used a Debian 11 version.

Network Architecture

Install and Configure

⚠️Prerequisites: Ensure that the clock time of the Windows and Debian servers is synchronized.⚠️

• Set hostname :

root@SAMBA:~# echo "SAMBA" > /etc/hostname root@SAMBA:~# hostname SAMBA

• Edit and set /etc/hosts file :

127.0.0.1 localhost 127.0.1.1 samba.std.local samba

• Edit and set /etc/resolv.conf file :

domain std.local search std.local nameserver 192.168.1.200

• Install necessary packages :

root@SAMBA:~# apt update && apt install samba winbind libnss-winbind libpam-winbind krb5-user

• Edit and set /etc/krb5.conf file :

[libdefaults] default_realm = STD.LOCAL ticket_lifetime = 1d renew_lifetime = 7d dns_lookup_realm = false dns_lookup_kdc = true [realms] STD.LOCAL = { kdc = 192.168.1.200 admin_server = 192.168.1.200 }

• Create share folder :

root@SAMBA:~# mkdir /data

• Edit and set /etc/samba/smb.conf file :

[global] workgroup = std security = ads realm = std.local idmap config *:backend = tdb idmap config *:range = 700001-800000 idmap config STD:backend = rid idmap config STD:range = 10000-700000 winbind use default domain = yes template homedir = /home/%U map acl inherit = yes template shell = /bin/bash winbind enum users = yes winbind enum groups = yes vfs objects = acl_xattr ; improve security : ntlm auth = no ; improve security, Windows > 8 only : server min protocol = SMB3_00 [share] path = /data writable = yes guest ok = no create mask = 660 directory mask = 770

• Check /etc/samba/smb.conf configuration file :

root@SAMBA:~# testparm

• Edit and set /etc/nsswitch.conf file :

# /etc/nsswitch.conf # # Example configuration of GNU Name Service Switch functionality. # If you have the `glibc-doc-reference' and `info' packages installed, try: # `info libc "Name Service Switch"' for information about this file. passwd: files systemd winbind group: files systemd winbind shadow: files gshadow: files hosts: files dns networks: files protocols: db files services: db files ethers: db files rpc: db files netgroup: nis

• Add server to Active Directory :

root@SAMBA:~# net ads join -U administrator@std.local

• Restart services :

root@SAMBA:~# systemctl restart smbd.service nmbd.service winbind.service

• Check domain connectivity :

root@SAMBA:~# wbinfo --ping-dc checking the NETLOGON for domain[STD] dc connection to "ad.std.local" succeeded

• Check you can list users and groups with the wbinfo tool :

root@SAMBA:~# wbinfo -u administrator guest krbtgt e.cartman s.marsh […] root@SAMBA:~# wbinfo -g domain computers domain controllers schema admins enterprise admins domain users domain guests […]

• Set rights :

root@SAMBA:~# chown -R "domain users:administrator" /data/

• From Active Directory server set Permissions :