This guide shows how to set up a Samba file sharing server with Winbind on GNU/Linux and integrate it with an Active Directory domain. The goal is for clients to authenticate to the share with their domain user account.
This was done on Debian 12.
⚠️ Prerequisite: ensure that the clocks of the Windows and Debian servers are synchronized — Kerberos rejects tickets when the clock skew between a client and the KDC is too large, so the domain join and user authentication fail if the clocks drift apart. ⚠️
# Set the short hostname both persistently (/etc/hostname) and for the running session.
# It must match the "samba" entry in /etc/hosts below; net ads join derives the
# computer account name from it — verify the account on the DC after the join.
root@SAMBA:~# echo "SAMBA" > /etc/hostname
root@SAMBA:~# hostname SAMBA
# /etc/hosts: the FQDN samba.std.local is listed before the short alias so the host
# resolves its own fully-qualified name locally.
# NOTE(review): keep the FQDN first — the domain join relies on the host knowing its
# own FQDN; confirm with `hostname -f`.
127.0.0.1 localhost
127.0.1.1 samba.std.local samba
# /etc/resolv.conf: DNS must point at the domain controller (192.168.1.200, the same
# host configured as kdc/admin_server in krb5.conf). dns_lookup_kdc = true and the
# AD join depend on the domain's SRV records being resolvable from here.
domain std.local
search std.local
nameserver 192.168.1.200
# Samba server, winbind with its NSS and PAM modules, and the MIT Kerberos client tools.
# krb5-user may ask for the default realm interactively — answer STD.LOCAL so it
# matches the /etc/krb5.conf written below.
root@SAMBA:~# apt update && apt install samba winbind libnss-winbind libpam-winbind krb5-user
# /etc/krb5.conf — MIT Kerberos client configuration used by the AD join and by winbind.
[libdefaults]
# The realm is the AD domain name in upper case (Kerberos realm names are case-sensitive).
default_realm = STD.LOCAL
# 1-day tickets, renewable for up to 7 days; the DC's own policy may cap these further.
ticket_lifetime = 1d
renew_lifetime = 7d
# Do not look the realm up in DNS TXT records (it is pinned above), but do locate
# the KDC through DNS SRV records — hence resolv.conf must point at the AD DNS.
dns_lookup_realm = false
dns_lookup_kdc = true
[realms]
STD.LOCAL = {
# Explicit KDC/admin server for the realm (same host as the nameserver); used
# alongside the DNS lookup enabled above.
kdc = 192.168.1.200
admin_server = 192.168.1.200
}
# Backing directory for the [share] section of smb.conf; its ownership is set
# at the end of the page.
root@SAMBA:~# mkdir /data
# /etc/samba/smb.conf — domain-member file server; validate with testparm before restarting.
[global]
workgroup = std
; ADS security mode: users are authenticated against the domain (Kerberos/winbind).
security = ads
realm = std.local
; Catch-all idmap for BUILTIN and any other domain: IDs allocated on the fly in a tdb.
idmap config *:backend = tdb
idmap config *:range = 700001-800000
; The STD domain uses the deterministic rid backend, so every domain member computes
; the same UID/GID from the account's RID (the UIDs shown by `getent passwd` further
; down fall in this range). The two ranges must not overlap — they do not here.
idmap config STD:backend = rid
idmap config STD:range = 10000-700000
; Accounts are exposed as "s.marsh" rather than "STD\s.marsh". A domain account with
; the same name as a local one is shadowed by the local entry (nsswitch lists files first).
winbind use default domain = yes
template homedir = /home/%U
; Stores Windows ACLs in an extended attribute (with acl_xattr below) so ACL
; inheritance behaves as on a Windows file server.
map acl inherit = yes
; NOTE(review): every domain user gets an interactive shell on this host; on a pure
; file server /sbin/nologin is the least-privilege choice if nobody needs SSH here.
template shell = /bin/bash
; Lets `wbinfo -u` / `wbinfo -g` list the whole domain — handy for the checks below,
; but each call is a full enumeration against the DC; consider disabling afterwards.
winbind enum users = yes
winbind enum groups = yes
vfs objects = acl_xattr
; improve security :
; "no" is an alias for ntlmv2-only: NTLMv1 responses are refused, NTLMv2 is still
; accepted; "disabled" would leave Kerberos only.
; NOTE(review): per the Samba docs this governs authentication smbd handles itself;
; for domain accounts on an ADS member the DC's own NTLM policy applies — confirm.
ntlm auth = no
; improve security, Windows > 8 only :
; SMB1 and SMB2 are refused; clients without SMB 3.0 (before Windows 8 / Server 2012)
; cannot connect.
server min protocol = SMB3_00
[share]
path = /data
writable = yes
; No anonymous access: every session must be an authenticated domain account.
guest ok = no
; Masks, not fixed modes: new files get at most rw-rw---- and new directories at most
; rwxrwx--- — "other" never gets access.
create mask = 660
directory mask = 770
# Syntax-check smb.conf and print the effective configuration before restarting the daemons.
root@SAMBA:~# testparm
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
# winbind is appended for passwd and group so domain accounts resolve through
# getent/getpwnam; files stays first, so a local account wins on a name clash.
passwd: files systemd winbind
group: files systemd winbind
# shadow/gshadow deliberately stay local: winbind does not serve password hashes;
# domain passwords are verified by the DC through pam_winbind instead.
shadow: files systemd
gshadow: files systemd
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
# Join the domain. -U without a trailing %password makes net prompt for the password,
# so the secret never appears in argv or in the shell history.
# NOTE(review): the built-in administrator is used here; any account delegated the
# right to join computers to the domain is sufficient — prefer that in production.
root@SAMBA:~# net ads join -U administrator@std.local
# Restart so the daemons reload smb.conf and pick up the machine account created by the join.
root@SAMBA:~# systemctl restart smbd.service nmbd.service winbind.service
# First end-to-end check: winbind can reach a domain controller for the STD domain.
root@SAMBA:~# wbinfo --ping-dc
checking the NETLOGON for domain[STD] dc connection to "ad.std.local" succeeded
# Verification: wbinfo queries winbind directly, getent goes through NSS
# (nsswitch.conf). Both must list the domain accounts for the share to work.
root@SAMBA:~# wbinfo -u
administrator
guest
krbtgt
e.cartman
s.marsh
[…]
root@SAMBA:~# wbinfo -g
domain computers
domain controllers
schema admins
enterprise admins
domain users
domain guests
[…]
# The UIDs (10500, 11115, …) and GIDs (10512, 10513) sit inside the STD idmap range
# 10000-700000 configured in smb.conf and are derived from each account's RID, so
# they are identical on every domain member using the same configuration.
root@SAMBA:~# getent passwd
[…]
administrator:*:10500:10513::/home/administrator:/bin/bash
s.marsh:*:11115:10513::/home/s.marsh:/bin/bash
k.brofloski:*:11116:10513::/home/k.brofloski:/bin/bash
b.stotch:*:11117:10513::/home/b.stotch:/bin/bash
[…]
root@SAMBA:~# getent group
[…]
domain admins:x:10512:
domain users:x:10513:
[…]
# Give the share root to the domain administrator and the "domain users" group.
root@SAMBA:~# chown -R "administrator:domain users" /data/
# Same operation by numeric IDs (10500 / 10513 as shown by getent above) — only one
# of the two commands is needed; the numeric form also works while winbind is down.
root@SAMBA:~# chown -R "10500:10513" /data/
# NOTE(review): the mode of /data itself is never changed on this page; mkdir's
# default (typically 755 with umask 022) leaves the group without write access, so
# "domain users" may be unable to create files despite create mask/directory mask —
# confirm and adjust the directory mode if so.