Setup Samba 4 as an Active Directory member server on Debian 11

If you want to set up a Samba server as a domain member in an Active Directory (AD) domain, you need to follow some steps to configure and join the server to the domain. This webpage provides a detailed guide on how to do that using Ubuntu Linux as an example. You will learn how to:

  • Install and configure the necessary packages, such as Samba, realmd, winbind and Kerberos.
  • Verify that your server has a fully qualified domain name (FQDN) and can resolve the AD server’s name and records.
  • Join the domain using the realmd command with the Samba tooling option.
  • Test the winbind connectivity and use domain users and groups in local commands and permissions.

By following this guide, you will be able to use your Samba server as a file and print server for AD users, as well as authenticate them to local services. You will also benefit from the security and management features of AD, such as Group Policy Objects (GPOs), password policies and encryption.

Note: Samba only supports schemas up to Windows Server 2012R2. There are experimental patches that support newer schemas, but they are not covered here.

Software install
apt install realmd samba packagekit libnss-winbind libpam-winbind krb5-user

Join the domain using Winbind (instead of SSSD)
realm join -v -U administrator --membership-software=samba --client-software=winbind domain.local
Enter the administrator password when prompted
Change administrator to your admin user if administrator is disabled
Replace domain.local with your own domain

Enable home folders
pam-auth-update --enable mkhomedir

Add winbind to /etc/nsswitch.conf
nano /etc/nsswitch.conf
Add the word winbind to the passwd and group lines
service winbind restart
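
The nsswitch.conf edit above can also be scripted so that it is repeatable and never adds winbind twice. This is an added example, not part of the original page; the function names has_winbind and add_winbind and the .bak backup file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original page). Function names are hypothetical.

# has_winbind FILE DB: succeeds if the DB line in FILE already lists winbind.
has_winbind() {
    grep -Eq "^[[:space:]]*$2:(.*[[:space:]])?winbind([[:space:]]|\$)" "$1"
}

# add_winbind FILE: append winbind to the passwd and group lines of FILE.
# Safe to run repeatedly; the first run leaves the original in FILE.bak.
add_winbind() {
    file=$1
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    [ -e "$file.bak" ] || cp -p "$file" "$file.bak" || return 1
    for db in passwd group; do
        if ! grep -Eq "^[[:space:]]*$db:" "$file"; then
            echo "warning: no '$db:' line in $file, skipping" >&2
            continue
        fi
        has_winbind "$file" "$db" && continue
        # Trim trailing blanks on the matching line, then append the source.
        sed -i -E "/^[[:space:]]*$db:/{s/[[:space:]]+\$//;s/\$/ winbind/;}" "$file"
    done
    return 0
}

# Usage: sh add-winbind.sh /etc/nsswitch.conf   (as root)
if [ "$#" -gt 0 ]; then
    add_winbind "$1"
fi
```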

WSDD install on Debian 11
Enables the Samba server to appear in Windows Network by using Web Service Discovery
wget -O- | gpg --dearmour > /usr/share/keyrings/wsdd.gpg
source /etc/os-release
echo "deb [signed-by=/usr/share/keyrings/wsdd.gpg] ${UBUNTU_CODENAME:-${VERSION_CODENAME:-UNKNOWN}} main" > /etc/apt/sources.list.d/wsdd.list
apt update
apt install wsdd
service wsdd start

Edit Samba config to add a network share
nano /etc/samba/smb.conf
Scroll to the end of the file
Example share

read only = no

Save the changes and restart Samba
service smbd restart

Edit Samba config to allow usernames without domain
Change winbind use default domain = no
to winbind use default domain = yes
service smbd restart
service winbind restart
