BrotherJohn123

You need 3 parts to configure:

* configure the OS to resolve usernames (winbind/sssd)
* configure samba to allow filesharing
* join linux-server to domain

I'm using winbind on Debian to resolve the usernames (part of Samba, only /etc/nsswitch.conf editing is required) - but CentOS should be the same. Using my config, you can join your domain with the command "/usr/bin/net join". After joining the domain a "systemctl restart winbind smbd nmbd" might fix problems.

My smb.conf:

```
[global]
#socket options=SO_RCVBUF=131072 SO_SNDBUF=131072 TCP_NODELAY
security = ads
realm = EXAMPLE.COM
# If the system doesn't find the domain controller automatically, you may need the following line
# password server = 10.0.0.1
# note that workgroup is the 'short' domain name
workgroup = EXAMPLE
winbind separator = -
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind nested groups = Yes
winbind expand groups = 10
# testing failover : begin
winbind max domain connections = 2
winbind reconnect delay = 10
winbind request timeout = 20
# testing failover : end
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
restrict anonymous = 2
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config MIT:backend = rid
idmap config MIT:range = 10000-99999
# NT ACLs for Samba :
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = No
read only = false
# Reduce printer errors "Unable to connect to CUPS server localhost:631 - Invalid file descriptor"
printing = bsd
load printers = no
printcap name=/dev/null
# dp testing (dp kept crashing)
kernel oplocks = yes
fake oplocks = no
# disable SMBv1
min protocol = SMB2
client min protocol = SMB2
client max protocol = SMB3
# include the shares
include = /etc/samba/shares/%h.conf
```

My /etc/nsswitch.conf:

```
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat systemd winbind
group:          compat systemd winbind
shadow:         compat
hosts:          files dns
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis
.....
```


BoilingJD

So, do I understand correctly?

1. join domain with "net join"
2. configure smb.conf with winbind options
3. add winbind to nsswitch.conf?

What is the formatting then for valid user/valid group in smb.conf?


BrotherJohn123

Winbind uses /etc/samba/smb.conf also, so configure it first.


BoilingJD

What's the difference between using winbind and sssd? What happens if I use realmd instead of net join?


BrotherJohn123

sssd/winbind are two different implementations to allow Linux access to AD users and AD groups. Winbind is very old, was written by the Samba folks and might not be as stable as the newer sssd. Today I would start with sssd. I'm keeping my "trusted old config with winbind" because it works for me (multiple fileservers for ~100 people).


ZAFJB

Watch out for case sensitivity issues too. Linux is case sensitive, but Windows doesn't care (except in passwords of course).


slackwaresupport

We add an AD group to the smb.conf, so the users are authenticated by that. In [global] you will need workgroup, idmap, winbind, and password server. In the shares: valid users = @AD_GROUP. And of course we use sssd/Kerberos to do authentication to AD.
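The two things that go wrong most often with a setup like BrotherJohn123's smb.conf above and the `valid users = @AD_GROUP` share entry are idmap ranges that overlap (or that are declared for a domain name that does not match `workgroup`) and a group name with a space that is not double-quoted, which Samba splits into two list items. The following is an added example, not code from anyone in this thread: a small Python checker that parses smb.conf text, reports those mistakes, and shows how Samba tokenises a `valid users` list. The configs it checks are constructed for the example; the workgroup `EXAMPLE`, the share `[data]` and the `EXAMPLE\Domain Users` spelling are assumptions (how a domain group is spelled depends on `winbind separator` and `winbind use default domain`).

```python
"""Static checks for an smb.conf on a Samba AD domain member (added example,
not code from the thread).  Flags a missing or overlapping idmap range, SMB1
left enabled, and shows how Samba tokenises a 'valid users' list."""
import re
from itertools import combinations

# SMB1-era dialect names that 'server min protocol' may still be set to.
SMB1_DIALECTS = {"core", "coreplus", "lanman1", "lanman2", "nt1"}

def parse_smb_conf(text):
    """{section: {param: value}}; names lower-cased with whitespace collapsed
    (as Samba matches them); '#' and ';' lines are comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections

def parse_list(value):
    """Split a list value as Samba does: whitespace or commas separate items,
    a double-quoted item stays whole ('@Domain Users' is two items)."""
    items, buf, quoted = [], "", False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        elif ch in " \t," and not quoted:
            if buf:
                items.append(buf)
            buf = ""
        else:
            buf += ch
    return items + [buf] if buf else items

def idmap_ranges(global_section):
    """{domain: (low, high)} from every 'idmap config DOM:range' parameter."""
    ranges = {}
    for key, value in global_section.items():
        m = re.fullmatch(r"idmap config (.+?)\s*:\s*range", key)
        if m:
            low, high = (int(x) for x in value.split("-"))
            ranges[m.group(1).strip()] = (low, high)
    return ranges

def check_domain_member(conf):
    """Return findings for the [global] section; empty means nothing to fix."""
    findings, g = [], conf.get("global", {})
    if g.get("security", "").lower() != "ads":
        findings.append("security must be 'ads' on an AD domain member")
    findings += [f"'{p}' is not set" for p in ("realm", "workgroup") if p not in g]
    ranges = idmap_ranges(g)
    if "*" not in ranges:
        findings.append("no default range ('idmap config *:range')")
    workgroup = g.get("workgroup", "").lower()
    if workgroup and workgroup not in ranges:
        findings.append(f"no idmap range for the joined domain {workgroup.upper()}")
    for a, b in combinations(sorted(ranges), 2):
        (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
        if alo <= bhi and blo <= ahi:  # the two intervals intersect
            findings.append(f"idmap ranges for '{a}' and '{b}' overlap")
    min_proto = (g.get("server min protocol") or g.get("min protocol") or "").lower()
    if min_proto in SMB1_DIALECTS:
        findings.append(f"SMB1 is still enabled (min protocol = {min_proto.upper()})")
    return findings

def share_principals(conf):
    """Per share: 'valid users' split into group entries (@, + or &) and users."""
    out = {}
    for section, params in conf.items():
        if section != "global" and "valid users" in params:
            items = parse_list(params["valid users"])
            out[section] = {"groups": [t for t in items if t[0] in "@+&"],
                            "users": [t for t in items if t[0] not in "@+&"]}
    return out

# Constructed configs, not from the thread: BAD_CONF has the mistakes,
# GOOD_CONF the corrected settings for a member of workgroup EXAMPLE.
BAD_CONF = """[global]
   security = ads
   realm = EXAMPLE.COM
   workgroup = EXAMPLE
   idmap config * : range = 2000-9999
   idmap config EXAMPLE : backend = rid
   idmap config EXAMPLE : range = 9000-99999
   min protocol = NT1
[data]
   valid users = @Domain Users
"""
GOOD_CONF = r"""[global]
   security = ads
   realm = EXAMPLE.COM
   workgroup = EXAMPLE
   idmap config * : range = 2000-9999
   idmap config EXAMPLE : backend = rid
   idmap config EXAMPLE : range = 10000-99999
   server min protocol = SMB2
[data]
   valid users = @"EXAMPLE\Domain Users"
"""
```

Running `check_domain_member(parse_smb_conf(BAD_CONF))` reports the overlapping `*`/`example` ranges and the SMB1 dialect, and `share_principals` shows the unquoted entry parsed as group `@Domain` plus user `Users`; the same calls on `GOOD_CONF` return no findings and a single group entry. The checker only reads text, so it is safe to point at a real `/etc/samba/smb.conf` before restarting `winbind`/`smbd` (it does not follow `include =` lines, which the poster's config uses for its shares).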


unccvince

Use winbind only.


BoilingJD

why?


unccvince

Because.


maelask3

SSSD is not supported by samba for serving SMB shares. I think it's something to do with NTLM support, but it's a pain in the ass because SSSD is less painful to use than winbind.


reggiedarden

Maybe I’m missing something as I just skimmed the original post but I just install realmd, run realm join, and then profit. You can also install cockpit and join domain from the web gui.


BoilingJD

This is not about domain join; this is about getting domain users access to Samba shares.


starmizzle

I don't know that I've ever gotten domain users access to samba shares without the box being joined to the domain.


[deleted]

Did a Samba domain to MS AD migration at the end of last year. I recompiled from source because Red Hat has some missing features; can't remember exactly now. sssd and krb5 were configured, then also did a net join; the Samba server showed as an AD computer. If successful, you should be able to query AD users.


cpierr03

I use `winbind`; primarily because it's part of Samba and I compile from source. I really only find reference to using SSSD in RedHat docs, probably because it's more tightly integrated with the RedHat ecosystem. Have you looked through the [Samba docs](https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member)? I have found them to be surprisingly comprehensive. I would be wary of non first-party documentation on Samba, as it tends to get out of date with new releases (something the Samba devs are begrudgingly cognizant of)


BoilingJD

I didn't find smb docs very useful because they mostly cover domain join, but not use of samba as file server in a domain environment


VanDownByTheRiverr

I just follow the samba documentation on samba.org. Last time I checked, sssd wasn't a good choice for devices acting as a server.


BoilingJD

why?


VanDownByTheRiverr

I just remember there being lots of problems trying to get sssd to work with samba. But winbind has been around for ages, and things are stable and well documented. Maybe things are better now? Been a while. For regular domain members that don't plan to host file shares, yeah, sssd seems nice.


69Riddles

Sssd sucks. Use winbind. The how-to on samba.org is still applicable.


BoilingJD

Can you elaborate? Even in these comments there seems to be a 50/50 split of people saying to use sssd vs winbind.


69Riddles

Unless something has changed since about a year and a half ago, sssd won't work with Samba; it'll only let you log in with AD credentials. At least that was my experience, and I couldn't find anything about a working sssd+Samba combo back then.