HOW TO: Samba as an AD Domain Member

There are probably a million and one articles about how to make Samba 3 an Active Directory domain member. But with all of that, this process still seems to require hours of research. So I've decided to compile my latest experiences here.

The domain member box is running Gentoo Linux. So you may need to adjust the steps to fit your flavor. Make sure the USE flags kerberos, ldap, samba, ssl, and winbind are set. Start by installing an NTP client.

$ emerge ntp

NTP keeps your computer's clock in sync with the domain controller. This matters because Kerberos rejects requests whose timestamps differ from the KDC's by more than the permitted clock skew (five minutes by default), so a drifting clock shows up as authentication failures rather than time errors. Edit your /etc/ntp.conf file to use your domain controller as the time server. Then sync your clock, start the NTP client, and install Samba:

$ ntpdate ad01.rit.edu
$ /etc/init.d/ntpd start
$ rc-update add ntpd default
$ emerge samba

Now you can configure Kerberos. Open your /etc/krb5.conf file and make it look like this:

[libdefaults]
ticket_lifetime = 600
default_realm = RIT.EDU
clockskew = 120

[realms]
RIT.EDU = {
  kdc = ad01.rit.edu
  default_domain = RIT.EDU
}

[domain_realm]
.rit.edu = RIT.EDU
rit.edu = RIT.EDU

Both ticket_lifetime and clockskew are in seconds unless you add a unit suffix, so this asks for ten-minute tickets and tolerates two minutes of drift against the KDC; write 10h if you want the ten-hour lifetime AD issues by default. Test your Kerberos setup by requesting a ticket from your domain controller. kinit prompts for the account's password, klist should then show a krbtgt/RIT.EDU@RIT.EDU ticket, and a "Clock skew too great" error means NTP is not doing its job:

$ kinit administrator
$ klist
$ kdestroy

Edit your Samba configuration (/etc/samba/smb.conf on Gentoo):

[global]
workgroup = RIT
realm = RIT.EDU
server string =

log file = /var/log/samba/log.%m
max log size = 50

hosts allow = 127.0.0.1 129.21.0.0/16
hosts deny = 0.0.0.0/0
security = ADS
allow trusted domains = yes
password server = ad01.rit.edu
encrypt passwords = yes
min protocol = NT1

winbind enum users = yes
winbind enum groups = yes
winbind cache time = 600
winbind use default domain = yes
template homedir = /home/%U
obey pam restrictions = yes
template shell = /bin/bash

socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
domain master = no
local master = no

idmap uid = 10000-99999
idmap gid = 10000-99999

A few of these settings deserve a note. password server pins Samba to ad01; if you omit it, Samba locates domain controllers through the DNS SRV records AD publishes, so the member keeps working when that one DC is down. winbind enum users and winbind enum groups make getent passwd and getent group walk the whole directory, which is slow on a large domain and is only needed by tools that list every account. The idmap uid and idmap gid ranges are handed out from a local tdb in the order users are first seen, so the same domain user gets different UIDs on different member servers unless you store the mappings centrally (for example with the idmap_rid or idmap_ad backend). Finally, add winbind to the daemon_list variable in /etc/conf.d/samba so the init script starts winbindd alongside smbd and nmbd.

daemon_list="smbd nmbd winbind"

Join the domain and start Samba. net ads join prompts for the password, creates the computer account in AD and stores the machine trust secret in Samba's secrets.tdb, so protect that file like a credential. Any account that is allowed to add workstations to the domain can perform the join; it does not have to be Administrator.

$ net ads join -U administrator
$ /etc/init.d/samba start

Add winbind to the passwd and group lines in /etc/nsswitch.conf.

passwd: compat winbind
shadow: compat
group: compat winbind

Test user resolution and add Samba to the default runlevel. getent should print a passwd entry whose UID falls in the idmap range above; if it prints nothing, check that winbindd is running (wbinfo -p) and that the trust secret is valid (wbinfo -t):

$ getent passwd administrator
$ rc-update add samba default

Add the pam_winbind.so lines to the auth and account stacks and pam_mkhomedir.so to the session stack of your /etc/pam.d/system-auth file, so that it looks like this:

auth required pam_env.so
auth sufficient pam_winbind.so
auth sufficient pam_unix.so likeauth nullok use_first_pass
auth required pam_deny.so

account required pam_access.so
account sufficient pam_winbind.so
account required pam_unix.so

password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password sufficient pam_unix.so nullok md5 shadow use_authtok
password required pam_deny.so

session required pam_limits.so
session required pam_unix.so
session required pam_mkhomedir.so

That's it! Domain users can now log in with their AD credentials and get a home directory created on first login. Two things to be aware of: the password stack above has no pam_winbind entry, so domain users cannot change their AD password with passwd on this box, and nullok on the pam_unix.so lines permits local accounts with empty passwords, which you should drop on a machine that accepts network logins.
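As an added example that is not part of the original post, here is a small POSIX shell script that checks the pieces this walkthrough puts in place: it parses smb.conf to confirm the domain-member settings are present and audits a deliberately weakened copy, checks that nsswitch.conf lists winbind, and wraps the commands to run against the live domain controller once the join has succeeded. The file paths, the audit list and the sample configs are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: audits the smb.conf and
# nsswitch.conf settings this how-to depends on, and bundles the live
# checks to run on the member server once "net ads join" has succeeded.
# The sample config files below are constructed for this example.

# smbconf_get FILE PARAM: print PARAM's value from the [global] section.
# Samba matches parameter names case-insensitively and ignores embedded
# whitespace, so "Hosts Deny" and "hostsdeny" refer to the same setting.
smbconf_get() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z' | tr -d ' ')" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ { inglobal = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        inglobal && /=/ {
            key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
            if (tolower(key) == want) {
                val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
                print val; exit
            }
        }' "$1"
}

# smbconf_audit FILE: return 0 when the settings that make this an AD
# member, and that keep it from serving anonymous or LAN Manager clients,
# are present; otherwise report each problem on stderr and return 1.
# The list is this example's choice of what to insist on.
smbconf_audit() {
    f=$1 rc=0
    [ "$(smbconf_get "$f" security | tr 'a-z' 'A-Z')" = "ADS" ] ||
        { echo "security must be ADS" >&2; rc=1; }
    [ -n "$(smbconf_get "$f" realm)" ] ||
        { echo "realm is not set" >&2; rc=1; }
    [ -n "$(smbconf_get "$f" "hosts deny")" ] ||
        { echo "no hosts deny: every address may connect" >&2; rc=1; }
    case "$(smbconf_get "$f" "min protocol" | tr 'a-z' 'A-Z')" in
        NT1|SMB*) ;;
        *) echo "min protocol below NT1 allows LAN Manager clients" >&2; rc=1 ;;
    esac
    [ -n "$(smbconf_get "$f" "idmap uid")" ] ||
        { echo "idmap uid range missing: domain users get no UID" >&2; rc=1; }
    return "$rc"
}

# nss_has_winbind FILE DB: return 0 if the DB line (passwd, group, ...)
# in nsswitch.conf lists the winbind source.
nss_has_winbind() {
    awk -v db="$2:" '$1 == db { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
                    END { exit !found }' "$1"
}

# verify_join DC: the commands to run on the real box after joining.
# Each exercises a different layer: clock skew against the DC, the
# machine account in AD, winbindd itself, and name resolution via NSS.
verify_join() {
    ntpdate -q "$1"                 # offset must stay under clockskew
    net ads testjoin                # machine account still valid in AD
    wbinfo -p                       # winbindd answers
    wbinfo -t                       # the machine trust secret works
    getent passwd administrator     # NSS resolves a domain user
}

# Constructed sample configs for the offline checks.
TMP=${TMPDIR:-/tmp}/adcheck.$$
mkdir -p "$TMP"
trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/good.conf" <<'EOF'
[global]
workgroup = RIT
realm = RIT.EDU
security = ADS
hosts allow = 127.0.0.1 129.21.0.0/16
hosts deny = 0.0.0.0/0
min protocol = NT1
idmap uid = 10000-99999
idmap gid = 10000-99999
EOF
# The same server left in standalone mode with the weak defaults of the day.
cat > "$TMP/weak.conf" <<'EOF'
[global]
workgroup = RIT
security = user
min protocol = CORE
EOF
cat > "$TMP/nsswitch.conf" <<'EOF'
passwd: compat winbind
shadow: compat
group: compat winbind
EOF

# Usage: sh adcheck.sh [smb.conf [nsswitch.conf [dc-hostname]]]
# Without arguments the audit runs on the constructed samples; pass a
# DC hostname as third argument to run the live checks too.
CONF=${1:-$TMP/good.conf}
NSS=${2:-$TMP/nsswitch.conf}
smbconf_audit "$CONF" && echo "$CONF: ok"
for db in passwd group; do
    nss_has_winbind "$NSS" "$db" || echo "$NSS: $db has no winbind" >&2
done
if [ -n "$3" ]; then verify_join "$3"; fi
```

Run it with no arguments to exercise the constructed samples, or point it at the real files and your DC: sh adcheck.sh /etc/samba/smb.conf /etc/nsswitch.conf ad01.rit.edu. net ads testjoin and wbinfo -t are the two checks that actually talk to the domain controller; both fail if the computer account's password has been reset in AD or secrets.tdb has been lost, which is the usual reason a member that worked yesterday stops resolving users today.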