1.5. Setting up Samba as an AD domain member server


If you are running an AD or NT4 domain, use Samba to add your Red Hat Enterprise Linux server as a member of the domain.

This helps you to gain the following:

  • Access domain resources on other domain members
  • Authenticate domain users to local services, such as sshd
  • Share directories and printers hosted on the server to act as a file and print server

1.5.1. Joining a RHEL system to an AD domain

Samba Winbind is an alternative to the System Security Services Daemon (SSSD) for connecting a Red Hat Enterprise Linux (RHEL) system with Active Directory (AD). You can join a RHEL system to an AD domain by using realmd to configure Samba Winbind. For more information, see the realm(8) man page on your system.

Procedure

  1. If your AD requires the deprecated RC4 encryption type for Kerberos authentication, enable support for these ciphers in RHEL:

    # update-crypto-policies --set DEFAULT:AD-SUPPORT
  2. Install the following packages:

    # dnf install realmd oddjob-mkhomedir oddjob samba-winbind-clients \
           samba-winbind samba-common-tools samba-winbind-krb5-locator krb5-workstation
  3. To share directories or printers on the domain member, install the samba package:

    # dnf install samba
  4. Back up the existing /etc/samba/smb.conf Samba configuration file:

    # mv /etc/samba/smb.conf /etc/samba/smb.conf.bak
  5. Join the domain. For example, to join a domain named ad.example.com:

    # realm join --membership-software=samba --client-software=winbind ad.example.com

    Using the previous command, the realm utility automatically:

    • Creates a /etc/samba/smb.conf file for membership in the ad.example.com domain
    • Adds the winbind module for user and group lookups to the /etc/nsswitch.conf file
    • Updates the Pluggable Authentication Module (PAM) configuration files in the /etc/pam.d/ directory
    • Starts the winbind service and enables the service to start when the system boots
  6. Optional: Set an alternative ID mapping back end or customized ID mapping settings in the /etc/samba/smb.conf file.

    For details, see Understanding and configuring Samba ID mapping.

  7. Edit the /etc/krb5.conf file and add the following section:

    [plugins]
        localauth = {
            module = winbind:/usr/lib64/samba/krb5/winbind_krb5_localauth.so
            enable_only = winbind
        }
  8. Verify that the winbind service is running:

    # systemctl status winbind
    ...
       Active: active (running) since Tue 2018-11-06 19:10:40 CET; 15s ago
    Important

    To enable Samba to query domain user and group information, the winbind service must be running before you start smb.

  9. If you installed the samba package to share directories and printers, enable and start the smb service:

    # systemctl enable --now smb

Verification

  1. Display an AD user’s details, such as the AD administrator account in the AD domain:

    # getent passwd "AD\administrator"
    AD\administrator:*:10000:10000::/home/administrator@AD:/bin/bash
  2. Query the members of the domain users group in the AD domain:

    # getent group "AD\Domain Users"
    AD\domain users:x:10000:user1,user2
  3. Optional: Verify that you can use domain users and groups when you set permissions on files and directories. For example, to set the owner of the /srv/samba/example.txt file to AD\administrator and the group to AD\Domain Users:

    # chown "AD\administrator":"AD\Domain Users" /srv/samba/example.txt
  4. Verify that Kerberos authentication works as expected:

    1. On the AD domain member, obtain a ticket for the administrator@AD.EXAMPLE.COM principal:

      # kinit administrator@AD.EXAMPLE.COM
    2. Display the cached Kerberos ticket:

      # klist
      Ticket cache: KCM:0
      Default principal: administrator@AD.EXAMPLE.COM
      
      Valid starting       Expires              Service principal
      01.11.2018 10:00:00  01.11.2018 20:00:00  krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM
              renew until 08.11.2018 05:00:00
  5. Display the available domains:

    # wbinfo --all-domains
    BUILTIN
    SAMBA-SERVER
    AD

If you do not want to use the deprecated RC4 ciphers, you can enable the AES encryption type in AD. See Enabling the AES encryption type in Active Directory using a GPO.

1.5.2. Using the local authorization plug-in for MIT Kerberos

The winbind service provides AD users to the domain member. In certain situations, administrators want to enable domain users to authenticate to local services, such as an SSH server, which are running on the domain member. When using Kerberos to authenticate the domain users, enable the winbind_krb5_localauth plug-in to correctly map Kerberos principals to AD accounts through the winbind service.

For example, if the sAMAccountName attribute of an AD user is set to EXAMPLE and the user tries to log in with the user name in lowercase, Kerberos returns the user name in upper case. As a consequence, the entries do not match and authentication fails.

Using the winbind_krb5_localauth plug-in, the account names are mapped correctly. Note that this applies only to GSSAPI authentication and not to obtaining the initial ticket-granting ticket (TGT).

Prerequisites

  • Samba is configured as a member of an AD.
  • Red Hat Enterprise Linux authenticates login attempts against AD.
  • The winbind service is running.

Procedure

  • Edit the /etc/krb5.conf file and add the following section:

    [plugins]
        localauth = {
            module = winbind:/usr/lib64/samba/krb5/winbind_krb5_localauth.so
            enable_only = winbind
        }

    For more information, see the winbind_krb5_localauth(8) man page on your system.
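As an added example that is not part of the Red Hat procedure, the following script audits the two settings the join in step 7 of the previous section and the plug-in in this section depend on: winbind in the passwd and group lines of nsswitch.conf, and a [plugins] localauth block in krb5.conf that loads winbind_krb5_localauth.so with enable_only = winbind. It runs against constructed sample files; pass /etc/nsswitch.conf and /etc/krb5.conf to audit a real host.

```shell
#!/bin/bash
# Post-join audit for a Samba Winbind domain member (constructed example,
# not part of the Red Hat procedure). Each check takes a file path so it
# can run against the live files or against copies.

# Returns 0 if both the passwd and group databases list the winbind module.
check_nsswitch() {
    awk '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*passwd:/ && /[[:space:]]winbind([[:space:]]|$)/ { p = 1 }
        /^[[:space:]]*group:/  && /[[:space:]]winbind([[:space:]]|$)/ { g = 1 }
        END { exit ((p && g) ? 0 : 1) }
    ' "$1"
}

# Returns 0 if, inside [plugins], a localauth = { ... } block sets
# module = winbind:<path>/winbind_krb5_localauth.so and enable_only = winbind.
check_krb5_localauth() {
    awk '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*\[/ { insec = ($0 ~ /^[[:space:]]*\[plugins\]/); inblk = 0; next }
        insec && /^[[:space:]]*localauth[[:space:]]*=[[:space:]]*[{]/ { inblk = 1; next }
        inblk && /^[[:space:]]*[}]/ { inblk = 0; next }
        inblk && /^[[:space:]]*module[[:space:]]*=[[:space:]]*winbind:.*winbind_krb5_localauth\.so[[:space:]]*$/ { m = 1 }
        inblk && /^[[:space:]]*enable_only[[:space:]]*=[[:space:]]*winbind[[:space:]]*$/ { e = 1 }
        END { exit ((m && e) ? 0 : 1) }
    ' "$1"
}

# Runs both checks and reports; returns 0 only if both pass.
audit_domain_member() {
    rc=0
    if check_nsswitch "$1"; then echo "OK   $1: passwd and group use winbind"
    else echo "FAIL $1: winbind missing from passwd or group"; rc=1; fi
    if check_krb5_localauth "$2"; then echo "OK   $2: winbind localauth plug-in enabled"
    else echo "FAIL $2: [plugins] localauth block missing or incomplete"; rc=1; fi
    return $rc
}

# Constructed sample files so the audit runs without a joined host.
SAMPLE_DIR=$(mktemp -d)
printf 'passwd:     sss files winbind\ngroup:      sss files winbind\nshadow:     files\n' > "$SAMPLE_DIR/nsswitch.conf"
cat > "$SAMPLE_DIR/krb5.conf" <<'EOF'
[plugins]
    localauth = {
        module = winbind:/usr/lib64/samba/krb5/winbind_krb5_localauth.so
        enable_only = winbind
    }
EOF
audit_domain_member "$SAMPLE_DIR/nsswitch.conf" "$SAMPLE_DIR/krb5.conf"
```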

1.5.3. Enabling certificate auto-enrollment on a Samba client

Certificate auto-enrollment is a function of the Active Directory (AD) Certificate Services. This feature enables users and devices to enroll for certificates without user interaction. Administrators can use certificates issued by the AD certificate authority (CA) in local services without manually monitoring and renewing certificates, which prevents disruptive outages.

If an AD provides a certificate authority (CA) and a RHEL host is a member of the AD, you can enable certificate auto-enrollment on the RHEL host. Samba then applies the auto-enrollment group policy from AD, and configures the certmonger service to request and manage certificates.

Prerequisites

  • Samba is configured as a member of an AD.
  • A Windows server in the AD has the Active Directory Certificate Services server role with the following services installed:

    • Certificate Authority
    • Certificate Enrollment
    • Policy Web Service
  • Internet Information Services (IIS) is configured to provide the certificate auto-enrollment feature over HTTPS.
  • IIS uses a certificate issued by the AD CA.
  • The Certificate Enrollment service supports Kerberos Authentication.
  • A group policy object (GPO) for certificate auto-enrollment is configured in AD.

Procedure

  1. Install the samba-gpupdate package:

    # dnf install samba-gpupdate
  2. Append the following settings to the /etc/samba/smb.conf file:

    kerberos method = secrets and keytab
    sync machine password to keytab = "/etc/krb5.keytab:account_name:sync_spns:spn_prefixes=host:sync_kvno:machine_password", "/etc/samba/cepces.keytab:account_name:machine_password"
    apply group policies = yes

    These settings have the following meaning:

    kerberos method = secrets and keytab
    Configures Samba to use the /var/lib/samba/private/secrets.tdb file first to verify Kerberos tickets and then the /etc/krb5.keytab file.
    sync machine password to keytab = <list_of_keytab_files_and_their_principals>
    Defines paths to keytab files that Samba maintains and the Kerberos principals in these files. With the shown value, Samba continues maintaining the /etc/krb5.keytab system keytab and, additionally, a /etc/samba/cepces.keytab file that the cepces-submit submission helper for certmonger uses to authenticate to the CA.
    apply group policies = yes
    Configures the winbind service to execute the gpupdate command at intervals. The update interval is 90 minutes, plus a random offset between 0 and 30 minutes.
  3. Create the /etc/samba/cepces.keytab file:

    # net ads keytab create
  4. Edit the /etc/cepces/cepces.conf file, and make the following changes:

    1. In the [global] section, set the server variable to the fully-qualified domain name (FQDN) of the Windows server that runs the CA service:

      [global]
      server=win-server.ad.example.com
    2. In the [kerberos] section, set the keytab variable to /etc/samba/cepces.keytab:

      [kerberos]
      keytab=/etc/samba/cepces.keytab
  5. Enable and start the certmonger service:

    # systemctl enable --now certmonger

    The certmonger service requests the certificates from the CA and automatically renews them before they expire.

  6. Manually run samba-gpupdate to ensure that the group policies have been loaded from AD:

    # samba-gpupdate
  7. The certmonger service stores the keys and certificates in the following directories:

    • Private keys: /var/lib/samba/private/certs/
    • Issued certificates: /var/lib/samba/certs/

      You can now start using the keys and certificates in services on the same host.

  8. Optional: Display the certificates that certmonger manages:

    # getcert list
    Number of certificates and requests being tracked: 1.
    Request ID 'AD-ROOT-CA.Machine':
    	status: MONITORING
    	stuck: no
    	key pair storage: type=FILE,location='/var/lib/samba/private/certs/AD-ROOT-CA.Machine.key'
    	certificate: type=FILE,location='/var/lib/samba/certs/AD-ROOT-CA.Machine.crt'
    	CA: AD-ROOT-CA
    	issuer: CN=AD-ROOT-CA,DC=ad,DC=example,DC=com
    	subject: CN=rhel9.ad.example.com
    	issued: 2025-03-25 14:22:07 CET
    	expires: 2026-03-25 14:22:07 CET
    	dns: rhel9.ad.example.com
    	key usage: digitalSignature,keyEncipherment
    	eku: id-kp-clientAuth,id-kp-serverAuth
    	certificate template/profile: Machine
    	profile: Machine
    	pre-save command:
    	post-save command:
    	track: yes
    	auto-renew: yes

    By default, the Windows CA issues only a certificate by using the Machine certificate template. If you configured additional templates in the Windows CA that apply to this host, certmonger requests certificates for these templates as well, and the getcert list output also includes entries for them.
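As an added check that is not part of the Red Hat procedure, the following script parses getcert list output in the format shown above and flags requests that certmonger will not renew (status other than MONITORING, stuck, or auto-renew disabled), optionally together with certificates that expire before a cutoff date. The sample output is constructed, and the second WebServer template request in it is hypothetical.

```shell
#!/bin/bash
# Health check over `getcert list` output for certificates that auto-enrollment
# hands to certmonger (constructed example, not part of the Red Hat procedure).
# Usage: getcert list | check_certmonger_requests [YYYY-MM-DD]

# Reads getcert list output on stdin, prints one line per request and returns 0
# only if every request is healthy and, when a cutoff date is given, expires
# after it.
check_certmonger_requests() {
    awk -v cutoff="${1:-}" -v q="'" '
        function flush(    bad) {
            if (id == "") return
            bad = (status != "MONITORING" || stuck != "no" || renew != "yes")
            if (cutoff != "" && substr(expires, 1, 10) < cutoff) bad = 1
            printf "%s %s status=%s stuck=%s auto-renew=%s expires=%s\n",
                   (bad ? "FAIL" : "OK  "), id, status, stuck, renew, expires
            if (bad) failed++
        }
        BEGIN { failed = 0 }
        /^Request ID / { flush(); id = $0; sub(/^Request ID /, "", id)
                         sub(/:$/, "", id); gsub(q, "", id)
                         status = stuck = renew = expires = ""; next }
        /^[[:space:]]*status:/     { status  = $2 }
        /^[[:space:]]*stuck:/      { stuck   = $2 }
        /^[[:space:]]*auto-renew:/ { renew   = $2 }
        /^[[:space:]]*expires:/    { expires = $2 }
        END { flush(); exit ((failed > 0) ? 1 : 0) }
    '
}

# Constructed sample modelled on the getcert list output shown above: the
# Machine certificate is healthy; a second, hypothetical WebServer template
# request is stuck because the CA could not be reached.
sample_getcert_output() {
    cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID 'AD-ROOT-CA.Machine':
    status: MONITORING
    stuck: no
    subject: CN=rhel9.ad.example.com
    expires: 2026-03-25 14:22:07 CET
    auto-renew: yes
Request ID 'AD-ROOT-CA.WebServer':
    status: CA_UNREACHABLE
    stuck: yes
    auto-renew: yes
EOF
}

sample_getcert_output | check_certmonger_requests 2025-06-01
```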
