2.2. Connecting a RHEL system directly to AD using Samba Windbind

Procedure

1. Install the following packages:

   # dnf install realmd oddjob-mkhomedir oddjob samba-winbind-clients \
          samba-winbind samba-common-tools samba-winbind-krb5-locator krb5-workstation

2. To share directories or printers on the domain member, install the samba package:

   # dnf install samba

3. Backup the existing /etc/samba/smb.conf Samba configuration file:

   # mv /etc/samba/smb.conf /etc/samba/smb.conf.bak

4. Join the domain. For example, to join a domain named ad.example.com:

   # realm join --membership-software=samba --client-software=winbind ad.example.com

   Using the previous command, the realm utility automatically:

   • Creates a /etc/samba/smb.conf file for a membership in the ad.example.com domain
   • Adds the winbind module for user and group lookups to the /etc/nsswitch.conf file
   • Updates the Pluggable Authentication Module (PAM) configuration files in the /etc/pam.d/ directory
   • Starts the winbind service and enables the service to start when the system boots

5. Optional: Set an alternative ID mapping back end or customized ID mapping settings in the /etc/samba/smb.conf file.

   For details, see Understanding and configuring Samba ID mapping.

6. Edit the /etc/krb5.conf file and add the following section:

   [plugins]
       localauth = {
           module = winbind:/usr/lib64/samba/krb5/winbind_krb5_localauth.so
           enable_only = winbind
       }

7. Verify that the winbind service is running:

   # systemctl status winbind
   ...
      Active: active (running) since Tue 2018-11-06 19:10:40 CET; 15s ago

   重要

   To enable Samba to query domain user and group information, the winbind service must be running before you start smb.

8. If you installed the samba package to share directories and printers, enable and start the smb service:

   # systemctl enable --now smb

Verification

1. Display an AD user’s details, such as the AD administrator account in the AD domain:

   # getent passwd "AD\administrator"
   AD\administrator:*:10000:10000::/home/administrator@AD:/bin/bash

2. Query the members of the domain users group in the AD domain:

   # getent group "AD\Domain Users"
       AD\domain users:x:10000:user1,user2

3. Optional: Verify that you can use domain users and groups when you set permissions on files and directories. For example, to set the owner of the /srv/samba/example.txt file to AD\administrator and the group to AD\Domain Users:

   # chown "AD\administrator":"AD\Domain Users" /srv/samba/example.txt

4. Verify that Kerberos authentication works as expected:

   1. On the AD domain member, obtain a ticket for the administrator@AD.EXAMPLE.COM principal:

      # kinit administrator@AD.EXAMPLE.COM

   2. Display the cached Kerberos ticket:

      # klist
      Ticket cache: KCM:0
      Default principal: administrator@AD.EXAMPLE.COM
      
      Valid starting       Expires              Service principal
      01.11.2018 10:00:00  01.11.2018 20:00:00  krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM
              renew until 08.11.2018 05:00:00

5. Display the available domains:

   # wbinfo --all-domains
   BUILTIN
   SAMBA-SERVER
   AD