[Samba] How to join RHEL 7 Linux Server to Active Directory Domain

Eddie Rowe eddie.rowe at tdhca.state.tx.us
Sun Sep 25 17:13:37 UTC 2022

As Rowland indicated this isn't the Samba way that is documented in https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member which I found VERY helpful, but I have not fully worked out how RHEL setup in Chapter 16. File and Print Servers Red Hat Enterprise Linux 7 | Red Hat Customer Portal<https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-file_and_print_servers#setting_up_samba_as_a_domain_member> is configured for Kerberos.  Specifically I am not sure how Winbind would use Kerberos in client mode since RHEL does not have steps to configure the /etc/krb5.conf.  RHEL 7's default /etc/krb5.conf does use the include line for /etc/krb5.conf.d/ which is empty.  I find this curious...does Winbind have AI to work out the Kerberos server? 8-)

Samba Server Mode:  My understanding of Kerberos is there is no interaction between the Samba server and the Kerberos server.  The client system that wants to talk to the Samba server interacts with the Kerberos (Active Directory) server and the presents its service ticket to the Samba server that uses its secret key to verify the client is authenticated.

Samba Client Mode:  Since my understanding is there is interaction between the client and the Kerberos server, my question is how does the RHEL Winbind setup know who to contact to get a Kerberos ticket?  I am led to guess that Winbind must somehow be able to ask the REALM defined in smb.conf for which server provides this functionality?

-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Turritopsis Dohrnii Teo En Ming (tdtemccna at gmail.com) via samba
Sent: Thursday, July 7, 2022
To: samba at lists.samba.org
Subject: [Samba] How to join RHEL 7 Linux Server to Active Directory Domain

Good day from Singapore,

I didn't realize it is so easy to join RHEL 7 Linux server to Active
Directory Domain.

You only need a few simple commands.

# yum install sssd realmd oddjob oddjob-mkhomedir adcli samba-common
samba-common-tools krb5-workstation openldap-clients
policycoreutils-python -y

# realm join -v --user=[domain user account] addc01.project.domain.com

# realm list
type: kerberos
domain-name: project.domain.com
configured: kerberos-member
server-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common-tools
login-formats: %U at project.domain.com
login-policy: allow-realm-logins

That's it.

More information about the samba mailing list