[Samba] How to join RHEL 7 Linux Server to Active Directory Domain

Nico Kadel-Garcia nkadel at gmail.com
Mon Sep 26 02:08:18 UTC 2022

On Sun, Sep 25, 2022 at 1:15 PM Eddie Rowe via samba
<samba at lists.samba.org> wrote:
> As Rowland indicated this isn't the Samba way that is documented in https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member which I found VERY helpful, but I have not fully worked out how RHEL setup in Chapter 16. File and Print Servers Red Hat Enterprise Linux 7 | Red Hat Customer Portal<https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-file_and_print_servers#setting_up_samba_as_a_domain_member> is configured for Kerberos.  Specifically I am not sure how Winbind would use Kerberos in client mode since RHEL does not have steps to configure the /etc/krb5.conf.  RHEL 7's default /etc/krb5.conf does use the include line for /etc/krb5.conf.d/ which is empty.  I find this curious...does Winbind have AI to work out the Kerberos server? 8-)
> Samba Server Mode:  My understanding of Kerberos is there is no interaction between the Samba server and the Kerberos server.  The client system that wants to talk to the Samba server interacts with the Kerberos (Active Directory) server and the presents its service ticket to the Samba server that uses its secret key to verify the client is authenticated.
> Samba Client Mode:  Since my understanding is there is interaction between the client and the Kerberos server, my question is how does the RHEL Winbind setup know who to contact to get a Kerberos ticket?  I am led to guess that Winbind must somehow be able to ask the REALM defined in smb.conf for which server provides this functionality?

sssd is.... well, I'm going to restrain my tendency for colorful
metaphors. sssd is entirely reliant on the underlying Samba provided
libraries. And it has a *lot* of problems when you push it hard. One
is that the "authocnfig", used to tune or enable it from the command
line, wipes out any locally edited or tunded settings in
/etc/sssd/sssd.conf, and there is no way to recover them except to set
up your own, entirely distinct configuration and management tools.
This is a waste of the time of Red Hat sys-admins.

Another issue is that sssd starts up, answers queries for a while, but
attempts to pre-cache the entire LDAP setup. You can pick and choose
relevant LDAP, but can only do so effective if the LDAP provided OU's
are in one substructure, not if they scattered. And very, very few
large environments organize their LDAP well enough to optimize this.
They leave user groups scattered around different parts of their
chart, and you wind up needing the whole thing. But if the LDAP is too
big, sssd times out and shoots itself through the head, and restarts
start over reloading the same bulky LDAP environment from scratch, and
fail again. It's been more than a decade, and there is no solution to
this problem except to set up another LDAP server closer to the
clients, which gets expensive and makes AD admins throw a hissy, even
if you offer to set up a Samba host for them to avoid expensive
Windows server icenses.

The Samba clients don't have this rat's nest of clients, but RHEL
documentation does not support using just Samba as a client anymore.
And the Samba built into RHEL has the domain controller features
disabled, so switching to a pure Samba setup becomes..... more
difficult, though there are many published Samba releases with those
features, including mine over at https://github.com/nkadel/samba4repo/
or built into most modern network storage applicances. Red Hat instead
encourages the use of FreeIPA as the server, and sssd as the client,
which in my observation don't buy you anything useful except the
simplified "authconfig" command settings, which in fact destabilize
Samba or AD clients.

Nico Kadel-Garcia

> -----Original Message-----
> From: samba <samba-bounces at lists.samba.org> On Behalf Of Turritopsis Dohrnii Teo En Ming (tdtemccna at gmail.com) via samba
> Sent: Thursday, July 7, 2022
> To: samba at lists.samba.org
> Subject: [Samba] How to join RHEL 7 Linux Server to Active Directory Domain
> Good day from Singapore,
> I didn't realize it is so easy to join RHEL 7 Linux server to Active
> Directory Domain.
> You only need a few simple commands.
> # yum install sssd realmd oddjob oddjob-mkhomedir adcli samba-common
> samba-common-tools krb5-workstation openldap-clients
> policycoreutils-python -y
> # realm join -v --user=[domain user account] addc01.project.domain.com
> # realm list
> project.domain.com
> type: kerberos
> realm-name: PROJECT.DOMAIN.COM
> domain-name: project.domain.com
> configured: kerberos-member
> server-software: sssd
> required-package: oddjob
> required-package: oddjob-mkhomedir
> required-package: sssd
> required-package: adcli
> required-package: samba-common-tools
> login-formats: %U at project.domain.com
> login-policy: allow-realm-logins
> That's it.
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list