Joining Samba 3 to Active Directory as a domain member using the ADS security mode

1. The key settings in the [global] section of smb.conf:

client use spnego = yes
client signing = yes
realm = YOUR.ADS.DOMAIN
security = ADS
; the NetBIOS short name of the domain; net ads join reports it as "Using short domain name"
;workgroup = YOURADDOMAIN

; Only needed if AD users will log on to the Samba member itself (NSS/PAM through winbind).
; The uid/gid ranges must not overlap the local /etc/passwd and /etc/group ranges,
; and enumerating users and groups is slow on large domains.
;winbind uid = 10000-20000
;winbind gid = 10000-20000
;winbind enum groups = yes
;winbind enum users = yes

2. The /etc/krb5.conf. The default_realm must be the same realm as in smb.conf, written in upper case; the domain_realm entries map the lower-case DNS domain onto it:

[libdefaults]
    default_realm = YOUR.ADS.DOMAIN
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    forwardable = yes

[realms]
    YOUR.ADS.DOMAIN = {
        kdc = ip.of.your.dc
        default_domain = your.ads.domain
    }

[domain_realm]
    .your.ads.domain = YOUR.ADS.DOMAIN
    your.ads.domain = YOUR.ADS.DOMAIN

With dns_lookup_kdc = false the KDC address is taken only from this file, so it must be kept current if the domain controller changes; setting it to true lets the client find KDCs through the _kerberos._tcp SRV records in AD DNS instead.

3. Run kinit administrator and enter the administrator password when prompted. klist should then list a krbtgt/YOUR.ADS.DOMAIN ticket; if it does not, fix the Kerberos configuration (realm name, KDC address, clock skew against the DC) before attempting the join.

4. If net ads join fails with the error below, the fully qualified name of this host (hostname -f) is not inside the AD DNS domain, so the join cannot set the servicePrincipalName attribute on the new computer account and rolls it back. Add a line to /etc/hosts mapping the host's IP address to hostname.your.ads.domain (FQDN first, then the short name) and rejoin:

Using short domain name -- YOURADDOMAIN
Failed to set servicePrincipalNames. Please ensure that
the DNS domain of this server matches the AD domain,
Or rejoin with using Domain Admin credentials.
Deleted account for 'HOSTNAME' in realm 'YOUR.ADS.DOMAIN'
Failed to join domain: Type or value exists

5. Run net ads join -U Administrator. This creates the computer account in AD and stores the machine account password in Samba's secrets.tdb. Any account permitted to create computer objects in the target container will do, so a delegated join account is preferable to the domain Administrator.

6. Optionally store a lookup account for winbind with net setauthuser -U winbind (enter the password of the AD user named winbind when prompted). The credentials are written to secrets.tdb, which must remain readable by root only. An ADS member normally uses its machine account for winbindd lookups, so this step is only a fallback for when the machine account is not allowed to query the directory.

7. Restart smbd, nmbd and winbindd so they pick up the new configuration and the machine account.

8. Run wbinfo -t to verify the machine account trust secret against the DC, then wbinfo -u and wbinfo -g to check that winbindd can list domain users and groups.
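The checks behind steps 1 to 4, and the join and verification of steps 5 to 8, as one script. This is an added example and not part of the original post: it tests the two conditions that break the join (the host FQDN outside the AD DNS domain, and a mismatch between the smb.conf realm and the krb5.conf default_realm), renders a krb5.conf that is consistent with the realm, and only then runs kinit, net ads join and wbinfo. The config paths, hostname -f, the Administrator account name and the sample realm/KDC values are assumptions.

```sh
#!/bin/sh
# Pre-join checks and join for a Samba 3 ADS member (added example, not from the post).
# Assumed paths/commands: /etc/samba/smb.conf, /etc/krb5.conf, hostname -f, kinit, net, wbinfo.

# Return 0 if the DNS domain of FQDN equals REALM (case-insensitive).
# This is the condition behind "Failed to set servicePrincipalNames ... the DNS
# domain of this server matches the AD domain"; a bare short hostname fails too.
fqdn_matches_realm() {
    fqdn=$1
    realm=$2
    domain=${fqdn#*.}
    [ "$domain" != "$fqdn" ] || return 1      # no dot at all: not an FQDN
    [ "$(printf '%s' "$domain" | tr 'A-Z' 'a-z')" = \
      "$(printf '%s' "$realm" | tr 'A-Z' 'a-z')" ]
}

# Print the value of KEY from "key = value" text read on stdin (smb.conf / krb5.conf style).
conf_value() {
    key=$1
    sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" | head -n 1 | tr -d '[:space:]'
}

# Return 0 if smb.conf "realm" and krb5.conf "default_realm" are identical.
# Arguments are the file contents, so the check can run on any text.
realms_consistent() {
    smb_realm=$(printf '%s\n' "$1" | conf_value realm)
    krb_realm=$(printf '%s\n' "$2" | conf_value default_realm)
    [ -n "$smb_realm" ] && [ "$smb_realm" = "$krb_realm" ]
}

# Render a krb5.conf for DOMAIN (any case) and KDC, with the realm upper-cased
# and the domain_realm mappings lower-cased, matching the layout used above.
render_krb5_conf() {
    realm=$(printf '%s' "$1" | tr 'a-z' 'A-Z')
    domain=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    kdc=$2
    cat <<EOF
[libdefaults]
    default_realm = $realm
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    forwardable = yes

[realms]
    $realm = {
        kdc = $kdc
        default_domain = $domain
    }

[domain_realm]
    .$domain = $realm
    $domain = $realm
EOF
}

# Driver: usage  ./join-check.sh YOUR.ADS.DOMAIN ip.of.your.dc [join-account]
# Runs only when arguments are given, so the functions above can be sourced alone.
if [ "$#" -ge 2 ]; then
    realm=$1
    kdc=$2
    account=${3:-Administrator}        # assumed default; a delegated join account is better
    fqdn=$(hostname -f)
    if ! fqdn_matches_realm "$fqdn" "$realm"; then
        echo "hostname '$fqdn' is not in the DNS domain of $realm; fix /etc/hosts first" >&2
        exit 1
    fi
    if ! realms_consistent "$(cat /etc/samba/smb.conf)" "$(cat /etc/krb5.conf)"; then
        echo "realm in smb.conf and default_realm in krb5.conf differ; expected:" >&2
        render_krb5_conf "$realm" "$kdc" >&2
        exit 1
    fi
    kinit "$account" && klist                 # step 3: prove Kerberos works against the DC
    net ads join -U "$account"                # step 5: create the computer account
    wbinfo -t && wbinfo -u | head -n 5        # step 8: trust secret, then user enumeration
fi
```

Run the checks first with the realm and KDC address; the script refuses to join while either precondition fails, which is cheaper than the failed join in step 4 that creates and then deletes the computer account.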

