How to configure Samba to use Windows's login ID?


You need to configure winbind, so you also need to install and configure Kerberos. Edit /etc/krb5.conf so that it looks something like this:

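# /etc/krb5.conf - Kerberos client settings for an Active Directory realm.
# YOUR.DOMAIN.COM and your.ads.com are placeholders for your realm and your
# domain controller.
# Kerberos rejects tickets when the clock of this host and the clock of the DC
# drift apart (5 minutes by default), so keep the host time-synchronised.
# Comments are kept in column 0 on their own line so the profile parser
# never mistakes them for a relation.

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
# Encryption types, strongest first. Single DES (des-cbc-crc, des-cbc-md5) is
# broken and Active Directory does not issue des3-hmac-sha1 tickets, so neither
# is listed. arcfour-hmac-md5 (RC4) is kept last only as a fallback for legacy
# domain controllers; remove it once every DC and service account supports AES.
        default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5
        default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5
# Ticket lifetime in seconds.
        ticket_lifetime = 24000
        default_realm = YOUR.DOMAIN.COM
# Realm and KDC come from the [domain_realm] and [realms] sections below
# instead of DNS lookups.
        dns_lookup_realm = false
        dns_lookup_kdc = false

[realms]
        YOUR.DOMAIN.COM = {
        kdc = your.ads.com
        admin_server = your.ads.com
        }

[domain_realm]
# Maps DNS names (the leading-dot form covers every host in the domain) to the realm.
 .your.domain.com = YOUR.DOMAIN.COM
 your.domain.com = YOUR.DOMAIN.COM

[kdc]
# NOTE(review): only meaningful on a host that runs its own KDC; presumably
# left over from the distribution default. A domain member does not need it.
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
# Settings for the PAM Kerberos module; lifetimes are in seconds.
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }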

Then the relevant part of smb.conf:

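[global]
# NetBIOS (short) domain name, the Kerberos realm it belongs to, and this
# server's own NetBIOS name. All three values are placeholders.
        workgroup = YOUR-GROUP
        realm = YOUR.DOMAIN.COM
        netbios name = SERVER-NAME
# Character winbind puts between domain and user name (DOMAIN-user).
        winbind separator = -
# UID/GID range winbind may hand out to domain accounts. Make sure no local
# account falls inside it, otherwise a domain user and a local user can end up
# sharing an ID. NOTE(review): "winbind uid/gid" are old spellings; newer Samba
# releases use "idmap config * : range" - check the smb.conf man page of your version.
        winbind uid =  1000-1000000
        winbind gid =  1000-1000000
# Lets tools enumerate every domain user; this can be slow on large domains.
        winbind enum users = yes
# Domain users are addressed without the DOMAIN prefix. A domain account then
# looks the same as a local account of the same name, so keep that in mind
# when writing "valid users" lists.
        winbind use default domain = yes
# Run as an Active Directory member server (Kerberos authentication).
        security = ADS
        encrypt passwords = yes
# "client use spnego" is left at its default (yes). SPNEGO is how the client
# and the domain controller agree on Kerberos; switching it off can push
# authentication towards weaker mechanisms.
# NOTE(review): "auth methods" is deprecated in later Samba releases and is
# normally not needed with security = ADS - confirm against your version.
        auth methods = winbind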

Then join the Linux box to the domain; you need admin rights to do this:

net ads join -Uadminuser -d2

you will get something like this

Using short domain name -- YOUR-GROUP
Joined 'SERVER_NAME' to realm 'your-domain.com'

Then start the winbind, smb and nmb services; on CentOS, for example:

service smb start
service nmb start
service winbind start

check if the server was joined

net ads testjoin
Join is OK

check for a user

wbinfo -i username

or list the groups in the ADS

wbinfo -g

or list the users

wbinfo -u

ping the service

wbinfo -P

checking the NETLOGON dc connection to "your.ads.com" succeeded

Configure a share folder

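[share_name]
# Directory exported by this share. Unix permissions on the path still apply
# on top of the Samba access list below.
        path = /path_to_share
# Only the listed accounts may connect (space-separated; @group names a group).
# With "winbind use default domain = yes" plain names refer to domain users.
        valid users = user1 user2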

huahsin68
Author by

huahsin68

Updated on September 18, 2022

Comments

  • huahsin68
    huahsin68 over 1 year

    I'm trying to access a Linux share folder from Windows using Windows domain authentication. I came across the integration of Windows Active Directory into Samba on a Linux box, so I have configured this in smb.conf:

    # LDAP settings
    # NOTE(review): ldapsam expects an LDAP directory that carries the Samba
    # schema; it does not authenticate users against Active Directory, which is
    # why joining the domain (security = ADS plus winbind) is the usual route.
    # NOTE(review): with ldap:// the bind of the admin DN crosses the network in
    # clear text unless StartTLS is in effect - check the "ldap ssl" setting
    # (or use ldaps://) before relying on this.
            passdb backend = ldapsam:ldap://xxx.xxx.xxx.xxx:xxx
            ldap suffix = DC=org,dc=huahsin,dc=IT
            ldap user suffix = OU=Users,OU=Tech,OU=MY
            ldap admin dn = CN=AccountA,OU=Users,OU=Tech,OU=MY,DC=org,DC=huahsin,DC=IT
            ldap passwd sync = yes
    

    And this is how I have configured my share folder:

    [homes]
    # NOTE(review): [homes] is Samba's special per-user section. With a fixed
    # path, every user who connects to their "home" lands in this one directory;
    # a normally named share (or a path using %S) is probably what was intended.
       comment = Home Directories
       browseable = yes
       path = /home/huahsin/share
    

    However, I'm still not able to access my share folder. What is missing from the Samba configuration so that users are authenticated with their Windows login ID when accessing a Linux share folder?