
# Domain Join and Samba Configuration

This document provides instructions for joining a Linux machine to an Active Directory (AD) domain, configuring Kerberos authentication, setting up Samba for file sharing, and using SSSD to manage domain users.

## Prerequisites

Ensure the following packages are installed on the system:

- `realmd`: Provides the `realm` command used below to discover and join the domain.
- `sssd`: Manages domain authentication and users.
- `cifs-utils`: Mounts and manages SMB/CIFS shares.
- `chrony`: Synchronizes system time with NTP servers.
- `samba`: Provides file and printer sharing.
- `samba-client`: Tools to access and manage Samba shares.
- `samba-common`: Common Samba files and configuration.
- `samba-winbind`: Connects AD users and groups.
- `samba-winbind-clients`: Tools for AD authentication support.
- `krb5-workstation`: Kerberos client tools for authentication.

### Install Required Packages

```sh
sudo dnf install realmd sssd cifs-utils chrony samba samba-client samba-common samba-winbind samba-winbind-clients krb5-workstation
```


## Configuration Files

### 1. Kerberos Configuration (`/etc/krb5.conf`)

The `krb5.conf` file contains the Kerberos authentication settings. Ensure the following content is configured correctly for your environment:


#### /etc/krb5.conf

```ini
includedir /etc/krb5.conf.d/
[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log
[libdefaults]
    default_realm = FOURCOFFEE.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true
[realms]
    FOURCOFFEE.COM = {
        kdc = fc-dc-01.fourcoffee.com
        admin_server = fc-dc-01.fourcoffee.com
    }
[domain_realm]
    .fourcoffee.com = FOURCOFFEE.COM
    fourcoffee.com = FOURCOFFEE.COM
```


### 2. Samba Configuration (`/etc/samba/smb.conf`)

The `smb.conf` file configures Samba for sharing files and printers with AD users.


#### /etc/samba/smb.conf


```ini
[global]
    workgroup = FOURCOFFEE
    realm = FOURCOFFEE.COM
    security = ads
    encrypt passwords = yes
    # Use winbind for domain users and groups
    idmap config * : range = 10000-20000
    idmap config FOURCOFFEE : backend = rid
    idmap config FOURCOFFEE : range = 20001-30000
    # Enable winbind to resolve users and groups
    winbind use default domain = yes
    winbind offline logon = yes
    template shell = /bin/bash
    template homedir = /home/%U
    # Enable ACL Support
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes
    # Enable Secure Kerberos Communication
    client signing = mandatory
    client schannel = yes
    server signing = mandatory
    server schannel = yes
[homes]
    comment = Home Directories
    valid users = %S, %D%w%S
    browseable = No
    read only = No
    inherit acls = Yes
```


### 3. SSSD Configuration (`/etc/sssd/sssd.conf`)

The `sssd.conf` file is used for integrating with AD to manage user accounts and authentication.


#### /etc/sssd/sssd.conf

```ini
[sssd]
domains = fourcoffee.com
config_file_version = 2
services = nss, pam

[domain/fourcoffee.com]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = FOURCOFFEE.COM
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u
ad_domain = fourcoffee.com
use_fully_qualified_names = False
ldap_id_mapping = True
access_provider = ad
ad_gpo_ignore_unreadable = True
ad_gpo_map_network = +nx
```
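The three files above have to agree with each other: the realm in `krb5.conf`, `smb.conf` and `sssd.conf` must be the same, the `[domain_realm]` map must point the DNS domain at that realm, the SSSD domain must be the lower-case DNS name, the winbind idmap ranges must not overlap, and SMB signing should stay mandatory in both directions. The following POSIX shell script is an added example, not part of this document, that checks those points before a join is attempted. It needs only `sh` and `awk`; the function names (`ini_get`, `lint_join_configs`, `write_sample_configs`) are my own, and the sample files it writes are constructed from the values shown in this document.

```sh
#!/bin/sh
# Added example, not part of the original document: a pre-join consistency
# check for krb5.conf, smb.conf and sssd.conf. Needs only sh and awk, so it
# runs before the host can reach a domain controller. The sample files it
# writes are constructed from the values shown in the document above.

# ini_get FILE SECTION KEY: print the trimmed value of KEY inside [SECTION].
# Keys match case-insensitively; keys containing spaces such as
# "idmap config * : range" work because the line is split on the first '='.
# Nested krb5 blocks ({ ... }) are read flat, which is enough here.
ini_get() {
    awk -v want_sec="$2" -v want_key="$3" '
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*\[/ { sec = $0; sub(/^[[:space:]]*\[/, "", sec); sub(/][[:space:]]*$/, "", sec); next }
        sec == want_sec && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1); val = substr($0, index($0, "=") + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", key); gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            if (tolower(key) == tolower(want_key)) { print val; exit }
        }' "$1"
}

# fail MESSAGE: report one finding and remember that the lint failed.
fail() { echo "FAIL: $1"; rc=1; }

# lint_join_configs KRB5 SMB SSSD: print one "FAIL: ..." line per mismatch,
# return 0 when the three files agree and the SMB hardening is present.
lint_join_configs() {
    rc=0
    realm=$(ini_get "$1" libdefaults default_realm)
    lower=$(printf '%s' "$realm" | tr '[:upper:]' '[:lower:]')
    nb=${realm%%.*}                       # short (NetBIOS-style) domain name
    wg=$(ini_get "$2" global workgroup)
    dom=$(ini_get "$3" sssd domains)

    [ -n "$realm" ] || fail "krb5.conf: no default_realm"
    [ "$(ini_get "$1" domain_realm ".$lower")" = "$realm" ] || fail "krb5.conf: .$lower is not mapped to $realm"
    [ "$(ini_get "$2" global realm)" = "$realm" ] || fail "smb.conf: realm differs from krb5 default_realm"
    [ "$wg" = "$nb" ] || fail "smb.conf: workgroup ($wg) should be $nb"
    [ "$(ini_get "$2" global security)" = "ads" ] || fail "smb.conf: security must be ads"
    for k in "client signing" "server signing"; do
        [ "$(ini_get "$2" global "$k")" = "mandatory" ] || fail "smb.conf: $k is not mandatory"
    done
    star=$(ini_get "$2" global "idmap config * : range")
    drng=$(ini_get "$2" global "idmap config $wg : range")
    [ "${star#*-}" -lt "${drng%-*}" ] 2>/dev/null || fail "smb.conf: idmap ranges overlap or are missing ($star / $drng)"
    [ "$dom" = "$lower" ] || fail "sssd.conf: domains ($dom) should be $lower"
    [ "$(ini_get "$3" "domain/$dom" krb5_realm)" = "$realm" ] || fail "sssd.conf: krb5_realm differs from $realm"
    return $rc
}

# write_sample_configs DIR SERVER_SIGNING STAR_RANGE: write constructed sample
# files into DIR; the last two arguments let the demo produce a weakened copy.
write_sample_configs() {
    cat > "$1/krb5.conf" <<'EOF'
[libdefaults]
    default_realm = FOURCOFFEE.COM
[realms]
    FOURCOFFEE.COM = {
        kdc = fc-dc-01.fourcoffee.com
    }
[domain_realm]
    .fourcoffee.com = FOURCOFFEE.COM
EOF
    cat > "$1/smb.conf" <<EOF
[global]
    workgroup = FOURCOFFEE
    realm = FOURCOFFEE.COM
    security = ads
    idmap config * : range = $3
    idmap config FOURCOFFEE : backend = rid
    idmap config FOURCOFFEE : range = 20001-30000
    client signing = mandatory
    server signing = $2
EOF
    cat > "$1/sssd.conf" <<'EOF'
[sssd]
domains = fourcoffee.com
[domain/fourcoffee.com]
krb5_realm = FOURCOFFEE.COM
ad_domain = fourcoffee.com
EOF
}

# Demo: the document's values pass; a weakened copy (signing not mandatory,
# overlapping idmap ranges) is reported.
tmp=$(mktemp -d)
write_sample_configs "$tmp" mandatory 10000-20000
lint_join_configs "$tmp/krb5.conf" "$tmp/smb.conf" "$tmp/sssd.conf" && echo "OK: configs are consistent"
write_sample_configs "$tmp" auto 10000-25000
lint_join_configs "$tmp/krb5.conf" "$tmp/smb.conf" "$tmp/sssd.conf" || echo "weakened copy rejected as expected"
rm -rf "$tmp"
```

Against the live files the call is `lint_join_configs /etc/krb5.conf /etc/samba/smb.conf /etc/sssd/sssd.conf`; running it after every edit of those files catches the realm and range typos that otherwise surface only as an opaque `realm join` or `kinit` failure.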


### 4. Chrony Configuration (Time Synchronization)

Ensure that your system clock is synchronized with the domain controllers using Chrony or any other time synchronization method.
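Kerberos is the reason this step matters: MIT Kerberos rejects tickets whose timestamps differ from the KDC's clock by more than its `clockskew` setting, 300 seconds by default, so a drifting clock makes `realm join` and `kinit` fail with clock-skew errors. As an added example that is not part of this document, the POSIX shell script below parses the output of `chronyc tracking` and refuses to proceed when the reported offset exceeds that threshold or chrony is not synchronised. The function names are my own, and the three `chronyc tracking` reports embedded in it are constructed samples.

```sh
#!/bin/sh
# Added example, not part of the original document: checks whether the
# host's clock is close enough to NTP time for Kerberos by parsing the
# output of `chronyc tracking`. MIT Kerberos rejects tickets when the skew
# exceeds its clockskew setting (300 seconds by default), so that is the
# threshold used here. The sample reports below are constructed.

# system_offset TEXT: print the absolute "System time" offset in seconds
# from a `chronyc tracking` report (prints nothing if the line is missing).
system_offset() {
    printf '%s\n' "$1" | awk -F': *' '
        $1 ~ /^System time/ { o = $2 + 0; if (o < 0) o = -o; print o; exit }'
}

# leap_status TEXT: print the "Leap status" value ("Normal" when synced).
leap_status() {
    printf '%s\n' "$1" | awk -F': *' '$1 ~ /^Leap status/ { print $2; exit }'
}

# check_clock_skew TEXT [MAX_SECONDS]: return 0 when chrony reports a
# synchronised clock within MAX_SECONDS (default 300) of NTP time, else 1.
check_clock_skew() {
    max=${2:-300}
    off=$(system_offset "$1")
    leap=$(leap_status "$1")
    if [ -z "$off" ] || [ "$leap" != "Normal" ]; then
        echo "clock not synchronised (leap status: ${leap:-unknown})"
        return 1
    fi
    if awk -v o="$off" -v m="$max" 'BEGIN { exit !(o <= m) }'; then
        echo "clock offset ${off}s is within ${max}s"
        return 0
    fi
    echo "clock offset ${off}s exceeds ${max}s; fix time sync before joining"
    return 1
}

# Constructed sample reports (the reference ID and times are made up).
GOOD_TRACKING='Reference ID    : C0A80A05 (fc-dc-01.fourcoffee.com)
Stratum         : 4
Ref time (UTC)  : Wed Oct 09 08:15:02 2024
System time     : 0.000123456 seconds slow of NTP time
Last offset     : -0.000004567 seconds
Leap status     : Normal'
SKEWED_TRACKING='Reference ID    : C0A80A05 (fc-dc-01.fourcoffee.com)
System time     : 412.500000000 seconds fast of NTP time
Leap status     : Normal'
UNSYNCED_TRACKING='Reference ID    : 00000000 ()
System time     : 0.000000000 seconds fast of NTP time
Leap status     : Not synchronised'

# Live use:  check_clock_skew "$(chronyc tracking)" || exit 1
for t in "$GOOD_TRACKING" "$SKEWED_TRACKING" "$UNSYNCED_TRACKING"; do
    check_clock_skew "$t" || echo "  -> this host should not attempt the join yet"
done
```

The threshold is a parameter so that a site which lowered `clockskew` in `krb5.conf` can pass its own value; the "Leap status" check matters because a freshly booted host can report a tiny offset while chrony has not yet selected a source at all.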

## Steps

### 1. Join the Domain  

Use the `realm` command to join the domain:

```sh
sudo realm join --user=Administrator FOURCOFFEE.COM
```

### 2. Start Services  

Enable and start the required services:

```sh
sudo systemctl enable sssd
sudo systemctl start sssd
sudo systemctl enable winbind
sudo systemctl start winbind
sudo systemctl enable nmb
sudo systemctl start nmb
sudo systemctl enable smb
sudo systemctl start smb
sudo systemctl enable chronyd
sudo systemctl start chronyd
```


### 3. Testing  

- Verify Kerberos authentication:

  ```sh
  kinit <domain-user>
  klist
  ```

- Test domain users with the `id` and `getent` commands:

  ```sh
  id <domain-user>
  getent passwd <domain-user>
  ```
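The two checks above only tell you something if you compare their output with what the configuration promised: the principal must be in `FOURCOFFEE.COM` with a `krbtgt` ticket in the cache, and because of `use_fully_qualified_names = False`, `fallback_homedir = /home/%u` and `default_shell = /bin/bash` the `getent` entry should carry the short user name, a `/home/<user>` home directory and `/bin/bash`. The POSIX shell script below is an added example, not part of this document, that performs that comparison on captured `klist` and `getent passwd` output. The function names are my own, `jdoe` is a hypothetical domain user, and the embedded outputs are constructed samples.

```sh
#!/bin/sh
# Added example, not part of the original document: post-join checks that
# compare `klist` and `getent passwd` output with what the configuration
# above promises. "jdoe" is a hypothetical user; the outputs are constructed.

# check_klist TEXT REALM: return 0 when the default principal is in REALM
# and a TGT (krbtgt/REALM@REALM) is present in the cache listing.
check_klist() {
    princ=$(printf '%s\n' "$1" | awk -F': *' '$1 == "Default principal" { print $2; exit }')
    case "$princ" in
        *"@$2") ;;
        *) echo "principal '$princ' is not in realm $2"; return 1 ;;
    esac
    printf '%s\n' "$1" | grep -qF "krbtgt/$2@$2" || { echo "no TGT for $2 in the cache"; return 1; }
    echo "TGT present for $princ"
}

# check_passwd_entry LINE USER: return 0 when a getent passwd line for USER
# carries the short name, a non-root numeric UID, the templated home
# directory (/home/USER) and the configured default shell (/bin/bash).
check_passwd_entry() {
    line=$1; user=$2
    name=${line%%:*}
    uid=$(printf '%s\n' "$line" | cut -d: -f3)
    home=$(printf '%s\n' "$line" | cut -d: -f6)
    shell=$(printf '%s\n' "$line" | cut -d: -f7)
    [ "$name" = "$user" ] || { echo "name '$name' is not the short name '$user' (check use_fully_qualified_names)"; return 1; }
    case "$uid" in ''|*[!0-9]*|0) echo "bad uid '$uid' for $user"; return 1 ;; esac
    [ "$home" = "/home/$user" ] || { echo "home '$home' does not match fallback_homedir /home/$user"; return 1; }
    [ "$shell" = "/bin/bash" ] || { echo "shell '$shell' is not the configured default /bin/bash"; return 1; }
    echo "$user resolves with uid $uid, home $home, shell $shell"
}

# Constructed sample outputs.
KLIST_OUT='Ticket cache: KCM:1234567
Default principal: jdoe@FOURCOFFEE.COM

Valid starting       Expires              Service principal
10/09/2024 08:20:11  10/09/2024 18:20:11  krbtgt/FOURCOFFEE.COM@FOURCOFFEE.COM'
PASSWD_OK='jdoe:*:1234567:1234567:Jane Doe:/home/jdoe:/bin/bash'
PASSWD_BAD='jdoe@fourcoffee.com:*:1234567:1234567:Jane Doe:/home/jdoe@fourcoffee.com:/bin/sh'

# Live use:  check_klist "$(klist)" FOURCOFFEE.COM
#            check_passwd_entry "$(getent passwd jdoe)" jdoe
check_klist "$KLIST_OUT" FOURCOFFEE.COM
check_passwd_entry "$PASSWD_OK" jdoe
check_passwd_entry "$PASSWD_BAD" jdoe || echo "(fully qualified entry rejected, as intended)"
```

A fully qualified name or a `/bin/sh` shell in the `getent` output usually means the entry came from winbind's templates or from a domain section other than the one edited above, which is worth knowing before users start logging in.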


## Notes

- Modify the domain-specific details (`FOURCOFFEE.COM`, `fc-dc-01.fourcoffee.com`) to match your environment.

- Ensure the firewall allows necessary ports for Samba and AD communication.


## Author

`fourcoffee.md` was created by [Udayakumar Rajendran] on [2024-10-09].

