Here we'll look at how to configure a Samba file server with Winbind on GNU/Linux and join it to an Active Directory domain. The aim is to let clients authenticate to the share with their domain account (Kerberos-based, with NTLMv1 disabled in the Samba configuration below) instead of maintaining local Samba users.
This was done on Debian 12 (bookworm); package names and file paths may differ on other distributions.
⚠️ Prerequisite: make sure the Debian server's clock is synchronized with the domain controllers (e.g. chrony or systemd-timesyncd pointed at a DC). Kerberos rejects tickets when the clock skew exceeds the domain's tolerance (5 minutes by default), so an unsynchronized clock makes both the domain join and user authentication fail. ⚠️
# Set the machine name that will become the AD computer account (NetBIOS names are limited to 15 characters).
root@SAMBA:~# echo "SAMBA" > /etc/hostname
# Apply it to the running system immediately, without a reboot.
root@SAMBA:~# hostname SAMBA
# /etc/hosts — the FQDN must come first on the 127.0.1.1 line so that
# `hostname -f` returns samba.std.local; Kerberos builds the host SPN from it.
127.0.0.1 localhost
127.0.1.1 samba.std.local samba
# /etc/resolv.conf — the nameserver MUST be an AD DNS server (here the DC at 192.168.1.200):
# the domain join and winbind locate KDCs and DCs through the _kerberos/_ldap SRV records
# that only the AD DNS zone serves.
domain std.local
search std.local
nameserver 192.168.1.200
# samba: the file server; winbind + libnss-winbind + libpam-winbind: domain user/group
# lookups (NSS) and PAM authentication; krb5-user: kinit/klist for testing Kerberos.
# The krb5-user package asks for a default realm at install time; /etc/krb5.conf is
# rewritten in the next step anyway, so the answer does not matter.
root@SAMBA:~# apt update && apt install samba winbind libnss-winbind libpam-winbind krb5-user
# /etc/krb5.conf
[libdefaults]
# Kerberos realm names are case-sensitive and conventionally the domain name in upper case.
default_realm = STD.LOCAL
ticket_lifetime = 1d
renew_lifetime = 7d
# Do not guess the realm from DNS TXT records; use default_realm / the [realms] mapping.
dns_lookup_realm = false
# Locate KDCs via DNS SRV records — this is why /etc/resolv.conf must point at AD DNS.
dns_lookup_kdc = true
[realms]
STD.LOCAL = {
# Explicit KDC/admin server; with dns_lookup_kdc = true these act as a static fallback.
# Pinning a single DC by IP is a single point of failure — DNS discovery covers all DCs.
kdc = 192.168.1.200
admin_server = 192.168.1.200
}
# Backing directory for the share. It is created root:root with the default umask;
# ownership and permissions are fixed after the domain join, once domain IDs resolve.
root@SAMBA:~# mkdir /data
; /etc/samba/smb.conf
[global]
; NetBIOS (short) domain name; must match the key used in "idmap config STD:*" below.
workgroup = std
; Authenticate as an AD domain member (Kerberos); requires the krb5 configuration above.
security = ads
realm = std.local
; Default idmap backend for everything that is not the STD domain (BUILTIN, trusted domains).
; Its range must not overlap the STD range below.
idmap config *:backend = tdb
idmap config *:range = 700001-800000
; rid backend: deterministic UID/GID = range base + RID, e.g. administrator (RID 500)
; becomes UID 10500 and "domain users" (RID 513) becomes GID 10513. Identical on every
; member server with the same config, so no idmap database has to be shared.
idmap config STD:backend = rid
idmap config STD:range = 10000-700000
; Domain users appear without the "STD\" prefix. Caveat: a local account with the same
; name as a domain account wins, because nsswitch consults "files" before "winbind".
winbind use default domain = yes
; Home directories are only mapped here; nothing in this setup creates them on login.
template homedir = /home/%U
map acl inherit = yes
template shell = /bin/bash
; Enumeration lets getent passwd/group list the whole domain. It is not needed for
; authentication and is expensive on large domains — consider "no" once verified.
winbind enum users = yes
winbind enum groups = yes
vfs objects = acl_xattr
; Refuse NTLMv1 ("no" = ntlmv2-only). NTLMv2 is still accepted as a fallback to
; Kerberos; set "ntlm auth = disabled" to require Kerberos and refuse all NTLM.
ntlm auth = no
; Refuse SMB1 and SMB2.x. SMB 3.0 is supported by Windows 8 / Server 2012 and later.
; See the "server smb encrypt" option in smb.conf(5) to additionally require encryption.
server min protocol = SMB3_00
[share]
path = /data
writable = yes
; No anonymous access. Note that with no "valid users" line every authenticated
; domain account may connect; access is then limited by the filesystem permissions.
guest ok = no
; Octal masks applied to newly created files/directories: owner+group, nothing for others.
create mask = 660
directory mask = 770
# Validate smb.conf before starting the daemons: prints the effective configuration and
# any warnings (e.g. overlapping idmap ranges or unknown parameters).
root@SAMBA:~# testparm
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
# "winbind" is appended last: local entries (files) take precedence over domain
# entries of the same name. Lookups go through libnss-winbind installed above.
passwd: files systemd winbind
group: files systemd winbind
# winbind is deliberately absent here: domain credentials are verified by the DC
# via winbind/Kerberos, not read as hashes from a local shadow database.
shadow: files systemd
gshadow: files systemd
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
# Debian default leftover; NIS is not used in this setup.
netgroup: nis
# Join the domain: creates the SAMBA computer account and stores the machine account
# password locally. The user password is prompted for interactively — do not pass it
# as "-U user%password" on the command line, it would end up in shell history and `ps`.
# Prefer an account delegated the right to join computers over the built-in Administrator.
root@SAMBA:~# net ads join -U administrator@std.local
# Restart so smbd/winbind pick up the join and the new configuration.
root@SAMBA:~# systemctl restart smbd.service nmbd.service winbind.service
# Sanity check: winbind can reach a DC for the STD domain (`net ads testjoin` also verifies the machine account).
root@SAMBA:~# wbinfo --ping-dc
checking the NETLOGON for domain[STD] dc connection to "ad.std.local" succeeded
# Domain users as seen by winbind. Names are bare (no "STD\" prefix) because of
# "winbind use default domain = yes".
root@SAMBA:~# wbinfo -u
administrator
guest
krbtgt
e.cartman
s.marsh
[…]
# Domain groups.
root@SAMBA:~# wbinfo -g
domain computers
domain controllers
schema admins
enterprise admins
domain users
domain guests
[…]
# NSS lookups now merge local and domain accounts. The UIDs follow the rid backend:
# 10000 + RID (administrator RID 500 -> 10500, primary group "domain users" RID 513 -> 10513).
# "*" in the password field: no local password, authentication goes through winbind.
root@SAMBA:~# getent passwd
[…]
administrator:*:10500:10513::/home/administrator:/bin/bash
s.marsh:*:11115:10513::/home/s.marsh:/bin/bash
k.brofloski:*:11116:10513::/home/k.brofloski:/bin/bash
b.stotch:*:11117:10513::/home/b.stotch:/bin/bash
[…]
root@SAMBA:~# getent group
[…]
domain admins:x:10512:
domain users:x:10513:
[…]
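# Give the share root to the domain: owner administrator, group "domain users".
# The two chown forms are equivalent (the IDs are the ones getent printed above);
# run ONE of them — by name once winbind NSS lookups work, by numeric ID otherwise.
root@SAMBA:~# chown -R "administrator:domain users" /data/
root@SAMBA:~# chown -R "10500:10513" /data/
# /data was created by mkdir with the default umask (typically mode 755), so "domain users"
# only get r-x on the share root and cannot create files there despite "writable = yes".
# "directory mask" applies only to directories Samba creates, not to this pre-existing one.
# Grant the group write access and keep others out, matching the 770 mask used in smb.conf.
root@SAMBA:~# chmod 770 /data/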