
samba-with-ad

I have not found any complete guide on how to configure Samba to do access control on shares using Active Directory users and groups. I finally worked it out on an Ubuntu 22 VM and documented the steps.

Note: this guide reflects my understanding of the subject and I might be wrong... :)

Install SSSD components

sudo apt install sssd-ad sssd-tools realmd adcli samba winbind

Install Samba components

sudo apt install samba winbind

Install Kerberos tools

This installs klist and kinit.

sudo apt install krb5-user

Join realm

This joins the computer to the AD domain through realm.

sudo realm join -v domain.tld

Note: replace domain.tld with your AD DNS name.

After joining, you should be able to log in using an AD user:

sudo login

and enter the AD user's credentials. Logging in through SSH won't work.

Enable home directory creation

sudo pam-auth-update --enable mkhomedir

Setup Samba for the domain

Edit /etc/samba/smb.conf with the following:

[global]
workgroup = DOMAIN
realm = DOMAIN.TLD
security = ADS
kerberos method = secrets and keytab

Note: Replace DOMAIN with your AD domain's name, and DOMAIN.TLD with your AD domain's DNS name.

The last line tells Samba to write the computer account password not only to the Samba secrets file but to the keytab too.

Also add the idmap configuration. My understanding is that this maps Windows users to Linux user IDs for Samba.

[global]
idmap config * : backend = tdb
idmap config * : range = 10000-19999
idmap config DOMAIN : backend = nss
idmap config DOMAIN : range = 200000-2000200000

Note: replace DOMAIN with your AD domain's name (not DNS name).

Set SSSD to also update Samba key store

Add the following line to /etc/sssd/sssd.conf:

ad_update_samba_machine_account_password = true

This line tells SSSD to write the computer account password not only to the keytab but to the Samba secrets file too.

Restart services

sudo systemctl restart sssd
sudo systemctl restart smbd
sudo systemctl enable winbind
sudo systemctl start winbind

Join AD domain through net

This joins the computer to the domain through net as well. Yes, you need to join through net too, not just through realm.

sudo net ads join -U Administrator

Note: replace Administrator with the username that has permissions to join computers to the domain.

Create a Samba share

Create the share directory:

mkdir /srv/share1

Add a share definition to /etc/samba/smb.conf:

[share1]
path = /srv/share1
read only = no

Set permissions on the directory:

sudo chgrp "DOMAIN\\groupname" /srv/share1

This makes DOMAIN\\groupname the group owner of the directory. Customize permissions as needed through chgrp, chown and chmod.

Then restart Samba so it picks up the new share.

sudo systemctl restart smbd

Test

Now you should be able to access the share using Kerberos auth from a domain-joined Windows computer.
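Before testing from Windows, it helps to confirm that smb.conf actually carries the settings the steps above depend on. The script below is an added example, not part of the original guide: it reads the [global] section, checks security, kerberos method and realm, and verifies that the "*" and DOMAIN idmap ranges are well-formed and do not overlap (winbind refuses overlapping ranges, leaving AD users without Unix IDs). DOMAIN, DOMAIN.TLD and the sample file it writes are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original guide: sanity-check the [global] settings
# the guide relies on (security = ADS, kerberos method = secrets and keytab, a realm,
# disjoint "*" and DOMAIN idmap ranges) before restarting smbd and winbind.

# Print the value of one [global] key (key match is case-insensitive, whitespace trimmed).
smb_global() {  # smb_global <smb.conf> <key>
    awk -F'=' -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*\[/ { insec = (tolower($0) ~ /\[global\]/); next }
        insec && NF >= 2 {
            key = tolower($1); gsub(/^[ \t]+|[ \t]+$/, "", key)
            val = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == want) { print val; exit }
        }' "$1"
}

# Return 0 when the config matches the guide, 1 (with a reason) otherwise.
check_smb_ad_conf() {  # check_smb_ad_conf <smb.conf> <DOMAIN>
    conf=$1; dom=$2
    [ "$(smb_global "$conf" security | tr 'a-z' 'A-Z')" = ADS ] || { echo "security must be ADS"; return 1; }
    [ "$(smb_global "$conf" 'kerberos method')" = "secrets and keytab" ] \
        || { echo "kerberos method must be 'secrets and keytab'"; return 1; }
    [ -n "$(smb_global "$conf" realm)" ] || { echo "realm is not set"; return 1; }
    star=$(smb_global "$conf" 'idmap config * : range')
    domr=$(smb_global "$conf" "idmap config $dom : range")
    for r in "$star" "$domr"; do                   # each range must be LOW-HIGH, digits only
        lo=${r%%-*}; hi=${r#*-}
        case "$lo$hi" in ''|*[!0-9]*) echo "bad idmap range '$r'"; return 1;; esac
        [ "$lo" -lt "$hi" ] || { echo "idmap range '$r' is not low-high"; return 1; }
    done
    s_lo=${star%%-*}; s_hi=${star#*-}; d_lo=${domr%%-*}; d_hi=${domr#*-}
    if [ "$s_lo" -le "$d_hi" ] && [ "$d_lo" -le "$s_hi" ]; then
        echo "idmap ranges '$star' and '$domr' overlap"; return 1
    fi
    echo "smb.conf looks consistent for $dom"
}
# Constructed sample mirroring the guide's [global] section; the DOMAIN range is a parameter.
make_sample_conf() {  # make_sample_conf <file> <domain-range>
    printf '%s\n' '[global]' 'workgroup = DOMAIN' 'realm = DOMAIN.TLD' 'security = ADS' \
        'kerberos method = secrets and keytab' \
        'idmap config * : backend = tdb' 'idmap config * : range = 10000-19999' \
        'idmap config DOMAIN : backend = nss' "idmap config DOMAIN : range = $2" \
        '' '[share1]' 'path = /srv/share1' 'read only = no' > "$1"
}

f=$(mktemp)
make_sample_conf "$f" 200000-2000200000; check_smb_ad_conf "$f" DOMAIN   # accepted
make_sample_conf "$f" 15000-30000; check_smb_ad_conf "$f" DOMAIN || echo "rejected, as intended"
rm -f "$f"
```

Run it against the real file with `check_smb_ad_conf /etc/samba/smb.conf DOMAIN` after editing the two [global] blocks; `testparm` still remains the authoritative syntax check.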

Contributors

andrasg
