[Samba] How to join RHEL 7 Linux Server to Active Directory Domain

Rowland Penny rpenny at samba.org
Sun Sep 25 17:39:16 UTC 2022

On 25/09/2022 18:13, Eddie Rowe via samba wrote:
> As Rowland indicated this isn't the Samba way that is documented in https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member which I found VERY helpful, but I have not fully worked out how RHEL setup in Chapter 16. File and Print Servers Red Hat Enterprise Linux 7 | Red Hat Customer Portal<https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-file_and_print_servers#setting_up_samba_as_a_domain_member> is configured for Kerberos.  Specifically I am not sure how Winbind would use Kerberos in client mode since RHEL does not have steps to configure the /etc/krb5.conf.  RHEL 7's default /etc/krb5.conf does use the include line for /etc/krb5.conf.d/ which is empty.  I find this curious...does Winbind have AI to work out the Kerberos server? 8-)

You just use the Samba krb5.conf

> Samba Server Mode:  My understanding of Kerberos is there is no interaction between the Samba server and the Kerberos server.  The client system that wants to talk to the Samba server interacts with the Kerberos (Active Directory) server and then presents its service ticket to the Samba server that uses its secret key to verify the client is authenticated.
> Samba Client Mode:  Since my understanding is there is interaction between the client and the Kerberos server, my question is how does the RHEL Winbind setup know who to contact to get a Kerberos ticket?

It isn't RHEL's winbind, it is Samba's winbind, no matter what OS you 
run Samba on, it will work just the same.

> I am led to guess that Winbind must somehow be able to ask the REALM defined in smb.conf for which server provides this functionality?

I think you might require this:

sudo authconfig --update --kickstart --enablewinbind --enablewinbindauth \
  --smbsecurity=ads --smbworkgroup=SAMDOM --smbrealm=SAMDOM.EXAMPLE.COM \
  --disablesssd --disablesssdauth --enableforcelegacy --disablecachecreds \
  --enablemkhomedir --enablelocauthorize

Where 'SAMDOM' is your workgroup and 'SAMDOM.EXAMPLE.COM' is your realm.

Just to note, I don't help with sssd, it isn't a Samba product and I do 
not see the point in using it with Samba, there is just too much 
missing. There is a place for sssd and that is with IPA.
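
An added example, not part of the original thread and not Samba's own tooling: a shell check that the security, workgroup and realm settings passed to the authconfig command above agree with krb5.conf, and that the Kerberos library is left a way to locate a KDC (DNS lookups or an explicit kdc entry). The function names get_key, check_member and demo are hypothetical, and the file contents in demo() are constructed samples.

```shell
# Added example, not from the thread. Sample file contents in demo() are constructed.

# get_key FILE SECTION KEY: print the value of KEY inside [SECTION].
get_key() {
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { s = $0; gsub(/^[ \t]*\[/, "", s); gsub(/\].*$/, "", s)
                        insec = (tolower(s) == tolower(sec)); next }
        insec && (i = index($0, "=")) {
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) { print v; exit }
        }' "$1"
}

# check_member SMB_CONF KRB5_CONF: print one line per finding, return their count.
check_member() {
    n=0
    fail() { echo "FAIL: $1"; n=$((n + 1)); }
    sec=$(get_key "$1" global security | tr 'A-Z' 'a-z')
    realm=$(get_key "$1" global realm | tr 'a-z' 'A-Z')
    wg=$(get_key "$1" global workgroup)
    def=$(get_key "$2" libdefaults default_realm)
    dns=$(get_key "$2" libdefaults dns_lookup_kdc | tr 'A-Z' 'a-z')
    [ "$sec" = ads ] || fail "security = '$sec', expected ads"
    [ -n "$wg" ] || fail "workgroup is not set in [global]"
    [ -n "$realm" ] || fail "realm is not set in [global]"
    [ "$realm" = "$def" ] || fail "smb.conf realm '$realm' != default_realm '$def'"
    # An explicit "false" with no kdc = line leaves no way to find a KDC.
    case $dns in
        false|no|off|0)
            grep -Eq '^[[:space:]]*kdc[[:space:]]*=' "$2" ||
                fail "dns_lookup_kdc is disabled and no kdc = entry exists" ;;
    esac
    return "$n"
}

# demo: run the check on constructed files that use the thread's SAMDOM names.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '[global]' '   security = ads' '   workgroup = SAMDOM' \
        '   realm = SAMDOM.EXAMPLE.COM' > "$d/smb.conf"
    printf '%s\n' '[libdefaults]' '   default_realm = SAMDOM.EXAMPLE.COM' \
        '   dns_lookup_realm = false' '   dns_lookup_kdc = true' > "$d/krb5.conf"
    check_member "$d/smb.conf" "$d/krb5.conf" && echo "OK: files agree"
    rc=$?; rm -rf "$d"; return "$rc"
}
demo
```

On a real host, call check_member with the paths of the two files, for example /etc/samba/smb.conf and /etc/krb5.conf.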

