Requirements
Supported Samba versions:
- Samba version 3.0.25 or later versions in the 3.0 series
- Samba 3.2.X
- Samba 3.4.X
- Samba 3.5.X
Winbind must be installed and running when you are using Samba version 3.0.25 or later versions in the 3.0 series.
If you are using Samba version 3.2.X or 3.5.X, Winbind is not required.
The Samba package must be built with ADS security support: PowerBroker Identity Services relies on ADS security when it is integrated with Samba.
For more information, see:
https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
Installation and configuration
https://github.com/BeyondTrust/pbis-open/releases
wget https://github.com/BeyondTrust/pbis-open/releases/download/8.6.0/pbis-open-8.6.0.427.linux.x86_64.rpm.sh
./pbis-open-8.6.0.427.linux.x86_64.rpm.sh install
/opt/pbis/bin/domainjoin-cli join --assumeDefaultDomain yes sub.domain.com domainjoinusername
/opt/pbis/bin/update-dns
/opt/pbis/bin/get-status
yum install samba-3.6.23
mv /etc/samba/smb.conf /etc/samba/smb.conf_bk
vi /etc/samba/smb.conf
[global]
workgroup = SUB
realm = SUB.DOMAIN.COM
server string = %h server
security = ADS
map to guest = Bad User
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
unix password sync = Yes
; syslog = 0
log file = /var/log/samba/log.%m
; max log size = 1000
load printers = No
printcap name = /dev/null
disable spoolss = Yes
dns proxy = No
; wins server = 10.10.10.10
; usershare allow guests = Yes
panic action = /usr/share/samba/panic-action %d
; idmap config * : range = 10000-33554431
; idmap config * : range = 3000-7999
; idmap config * : backend = tdb
; printing = bsd
; print command = lpr -r -P'%p' %s
; lpq command = lpq -P'%p'
; lprm command = lprm -P'%p' %j
machine password timeout = 0
; log level = 5
; debug pid = true
[share]
path = /smb/share
valid users = @adgroup
force user = aduser
force group = domain^users
read only = No
acl check permissions = No
create mask = 0640
directory mask = 0750
browseable = No
/opt/pbis/bin/samba-interop-install --check-version
Found smbd version 3.6.23-46el6_9
Samba version supported
/opt/pbis/bin/samba-interop-install --install --loglevel verbose
service smb restart; service nmb restart
Troubleshooting
Issue: The primary group domain sid(S-1-2-34-5678901234-5678901234-5678901234-567) does not match the domain sid(S-1-2-34-2414616913-1771598462-3719962008) for aduser(S-1-22-1-1234567890)
Fix:
net getdomainsid
net setlocalsid S-1-2-34-5678901234-5678901234-5678901234-567
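As an added check for the SID-mismatch issue above (example code, not from the original post nor from PBIS or Samba), this POSIX shell script parses `net getdomainsid` output in the Samba 3.x format ("SID for local machine <host> is: <sid>" / "SID for domain <name> is: <sid>") and recommends `net setlocalsid` only when the machine's local SID actually differs from the domain SID; the hostname and SIDs in the sample output are constructed placeholders.

```shell
# Added example: decide whether the SID fix applies before changing the local SID.
# The SAMPLE_* strings are constructed stand-ins for real `net getdomainsid` output.

# Pull the local machine SID out of `net getdomainsid` output
local_sid_from() {
    printf '%s\n' "$1" | sed -n 's/^SID for local machine .* is: \(S-[0-9-]*\).*$/\1/p'
}

# Pull the domain SID out of `net getdomainsid` output
domain_sid_from() {
    printf '%s\n' "$1" | sed -n 's/^SID for domain .* is: \(S-[0-9-]*\).*$/\1/p'
}

# Strip the trailing RID so an account or group SID can be compared with a domain SID
sid_domain_part() {
    printf '%s\n' "$1" | sed 's/-[0-9]*$//'
}

# Exit status: 0 = SIDs agree, 1 = mismatch (prints the corrective command), 2 = unparsable
check_local_sid() {
    local_sid=$(local_sid_from "$1")
    dom_sid=$(domain_sid_from "$1")
    [ -n "$local_sid" ] && [ -n "$dom_sid" ] || return 2
    if [ "$local_sid" = "$dom_sid" ]; then
        echo "local machine SID matches domain SID: $dom_sid"
        return 0
    fi
    echo "mismatch: local $local_sid vs domain $dom_sid"
    echo "fix: net setlocalsid $dom_sid"
    return 1
}

# Does an account/group SID (as quoted in the smbd error) belong to the given domain SID?
sid_in_domain() {
    [ "$(sid_domain_part "$1")" = "$2" ]
}

SAMPLE_MISMATCH='SID for local machine SMBTEST01V is: S-1-5-21-1111111111-2222222222-3333333333
SID for domain SUB is: S-1-5-21-2414616913-1771598462-3719962008'

SAMPLE_MATCH='SID for local machine SMBTEST01V is: S-1-5-21-2414616913-1771598462-3719962008
SID for domain SUB is: S-1-5-21-2414616913-1771598462-3719962008'

# On a real host: check_local_sid "$(net getdomainsid)"
check_local_sid "$SAMPLE_MISMATCH" || :
```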
------------------------
# net ads join -U administrator
Enter administrator's password: Passw0rd
Using short domain name - SUB
Joined 'SMBTEST01V' to dns domain 'sub.domain.com'
------------------------
Debug:
smbclient //10.10.10.11/share/ -U SUB/aduser
smbclient -L 10.10.10.11 -U SUB/aduser
/opt/pbis/bin/enum-users
pbis status
/opt/pbis/bin/domainjoin-cli query
/opt/pbis/bin/lwsm list
/opt/pbis/bin/lwsm set-log-target -p lsass - file /tmp/lsass.log
/opt/pbis/bin/lwsm set-log-level -p lsass - debug
"Troubleshooting PBIS-Samba Integration" from here:
https://www.beyondtrust.com/wp-content/uploads/documentation-pbis-samba-integration-guide.pdf
Links:
https://www.beyondtrust.com/wp-content/uploads/documentation-pbis-samba-integration-guide.pdf
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
https://github.com/BeyondTrust/pbis-open/releases
Originally published at trichev.com/blog.