Red Hat Summit Red Hat SummitSupportConsoleDéveloppeursCommencer un essaiContact

Ce contenu n'est pas disponible dans la langue sélectionnée.

Chapter 2. Connecting RHEL systems directly to AD using Samba Winbind

Samba Winbind integrates RHEL systems with Active Directory to facilitate seamless SMB file and printer sharing. The realmd utility automates domain discovery and configures the underlying Winbind authentication services.

To connect a RHEL system to Active Directory (AD), use:

  • Samba Winbind to interact with the AD identity and authentication source
  • realmd to detect available domains and configure the underlying RHEL system services.

2.1. Overview of direct integration using Samba Winbind
Copier lien

Samba Winbind emulates a Windows client to enable direct Active Directory communication. The realmd service automates the configuration of the winbindd service for NSS authentication. This approach simplifies SMB resource sharing but requires bidirectional trusts for multi-forest support.

You can use the realmd service to configure Samba Winbind by:

  • Configuring network authentication and domain membership in a standard way.
  • Automatically discovering information about accessible domains and realms.
  • Not requiring advanced configuration to join a domain or realm.

Note that:

  • Direct integration with Winbind in a multi-forest AD setup requires bidirectional trusts.
  • Remote forests must trust the local forest to ensure that the idmap_ad plug-in handles remote forest users correctly.

Samba’s winbindd service provides an interface for the Name Service Switch (NSS) and enables domain users to authenticate to AD when logging into the local system.

Using winbindd provides the benefit that you can enhance the configuration to share directories and printers without installing additional software.

The realm utility automates the configuration of Samba Winbind for Active Directory integration. This tool installs dependencies, generates the smb.conf file, and updates system authentication stacks to authorize domain users.

Procedure

  1. If your AD requires the deprecated RC4 encryption type for Kerberos authentication, enable support for these ciphers in RHEL: 

    # update-crypto-policies --set DEFAULT:AD-SUPPORT

  2. Install the following packages: 

    # dnf install realmd oddjob-mkhomedir oddjob samba-winbind-clients \
     samba-winbind samba-common-tools samba-winbind-krb5-locator \
     rb5-workstation

  3. To share directories or printers on the domain member, install the samba package: 

    # dnf install samba

  4. Backup the existing /etc/samba/smb.conf Samba configuration file: 

    # mv /etc/samba/smb.conf /etc/samba/smb.conf.bak

  5. Join the domain. For example, to join a domain named ad.example.com: 

    # realm join --membership-software=samba --client-software=winbind ad.example.com

    Using the previous command, the realm utility automatically:

    • Creates a /etc/samba/smb.conf file for a membership in the ad.example.com domain
    • Adds the winbind module for user and group lookups to the /etc/nsswitch.conf file
    • Updates the Pluggable Authentication Module (PAM) configuration files in the /etc/pam.d/ directory
    • Starts the winbind service and enables the service to start when the system boots

  6. Optional: Set an alternative ID mapping back end or customized ID mapping settings in the /etc/samba/smb.conf file.

    For details, see Understanding and configuring Samba ID mapping.

  7. Edit the /etc/krb5.conf file and add the following section: 

    [plugins]
    localauth = {
        module = winbind:/usr/lib64/samba/krb5/winbind_krb5_localauth.so
        enable_only = winbind
    }

  8. Verify that the winbind service is running: 

    # systemctl status winbind
     
    Active: active (running) since Tue 2018-11-06 19:10:40 CET; 15s ago
    Important

    To enable Samba to query domain user and group information, the winbind service must be running before you start smb.

  9. If you installed the samba package to share directories and printers, enable and start the smb service: 

    # systemctl enable --now smb

Verification

  1. Display an AD user’s details, such as the AD administrator account in the AD domain: 

    # getent passwd "AD\administrator"
     
    AD\administrator:*:10000:10000::/home/administrator@AD:/bin/bash

  2. Query the members of the domain users group in the AD domain: 

    # getent group "AD\Domain Users"
     
    AD\domain users:x:10000:user1,user2

  3. Optional: Verify that you can use domain users and groups when you set permissions on files and directories. For example, to set the owner of the /srv/samba/example.txt file to AD\administrator and the group to AD\Domain Users: 

    # chown "AD\administrator":"AD\Domain Users" /srv/samba/example.txt

  4. Verify that Kerberos authentication works as expected:

    1. On the AD domain member, obtain a ticket for the administrator@AD.EXAMPLE.COM principal: 

      # kinit administrator@AD.EXAMPLE.COM

    2. Display the cached Kerberos ticket: 

      # klist
       
      Ticket cache: KCM:0
Default principal: administrator@AD.EXAMPLE.COM

Valid starting       Expires              Service principal
01.11.2018 10:00:00  01.11.2018 20:00:00  krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM
        renew until 08.11.2018 05:00:00

  5. Display the available domains: 

    # wbinfo --all-domains
     
    BUILTIN
SAMBA-SERVER
AD
Red Hat logoGithubredditYoutubeTwitter

Apprendre

Essayez, achetez et vendez

Communautés

À propos de la documentation Red Hat

Nous aidons les utilisateurs de Red Hat à innover et à atteindre leurs objectifs grâce à nos produits et services avec un contenu auquel ils peuvent faire confiance. Découvrez nos récentes mises à jour.

Rendre l’open source plus inclusif

Red Hat s'engage à remplacer le langage problématique dans notre code, notre documentation et nos propriétés Web. Pour plus de détails, consultez le Blog Red Hat.

À propos de Red Hat

Nous proposons des solutions renforcées qui facilitent le travail des entreprises sur plusieurs plates-formes et environnements, du centre de données central à la périphérie du réseau.

Theme

© 2026 Red HatRetour au début