One of the most common ways to network Debian GNU/Linux and Windows computers is to configure a Samba domain member as a file server.

This section covers adding Samba as a domain member, setting up shares to act as a file server, and using domain users and groups to set up ACLs.

Adding Samba as a domain member

Prepare the computer for Samba:

Before installing Samba, check that the resolver points at the domain's DNS servers (the name server must be part of the domain):

grep "nameserver" /etc/resolv.conf

Install the packages for Samba:

sudo apt install acl samba winbind libnss-winbind krb5-user

Configure Kerberos (adjust to your domain settings):

sudo nano /etc/krb5.conf

Under the [libdefaults] section, set default_realm:

[libdefaults]
        default_realm = SAMDOM.EXAMPLE.COM
        dns_lookup_realm = false
        dns_lookup_kdc = true

Configure NSS:

sudo nano /etc/nsswitch.conf

Update the passwd and group lines (add winbind) and the hosts line (add wins):

passwd: files winbind
group:  files winbind
hosts:  files dns wins

Back up /etc/samba/smb.conf and create a new file:

sudo mv /etc/samba/smb.conf /etc/samba/smb.conf-bak
sudo nano /etc/samba/smb.conf

Example of smb.conf:

# Global parameters
[global]
       realm = SAMDOM.EXAMPLE.COM
       security = ADS
       workgroup = SAMDOM

       # ID mapping: rid backend for the domain, tdb for everything else;
       # the two ranges must not overlap
       idmap config SAMDOM : range = 10000-999999
       idmap config SAMDOM : backend = rid
       idmap config * : range = 3000-7999
       idmap config * : backend = tdb

       # Store Windows ACLs in extended attributes
       map acl inherit = Yes
       vfs objects = acl_xattr

       # Use the machine account keytab written by "net ads join"
       dedicated keytab file = /etc/krb5.keytab
       kerberos method = secrets and keytab
       winbind refresh tickets = Yes
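The three files edited so far have to agree with each other before the join: the realm in smb.conf must match default_realm in krb5.conf, the workgroup needs its own idmap range and backend, the domain and "*" ranges must not overlap, and passwd/group in nsswitch.conf must consult winbind. The lint below is an added example, not part of this guide; it checks those relations over constructed copies of the three files (SMB_CONF, KRB5_CONF and NSSWITCH_CONF are assumed sample input, not read from disk).

```python
import configparser
import re

# Constructed sample files mirroring the page's settings (assumed; not read from disk)
SMB_CONF = """[global]
   realm = SAMDOM.EXAMPLE.COM
   security = ADS
   workgroup = SAMDOM
   idmap config SAMDOM : range = 10000-999999
   idmap config SAMDOM : backend = rid
   idmap config * : range = 3000-7999
   idmap config * : backend = tdb
"""
KRB5_CONF = "[libdefaults]\n   default_realm = SAMDOM.EXAMPLE.COM\n"
NSSWITCH_CONF = "passwd: files winbind\ngroup:  files winbind\nhosts:  files dns wins\n"

def parse_ini(text):
    # '=' as the only delimiter keeps the colon inside 'idmap config X : range' keys
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), allow_no_value=True, strict=False)
    cp.read_string(text)
    return cp

def idmap_ranges(global_section):
    # idmap domain name (lower-cased by configparser) -> (low, high) ID range
    ranges = {}
    for key, value in global_section.items():
        m = re.fullmatch(r"idmap config (\S+) : range", key)
        if m and value:
            ranges[m.group(1)] = tuple(int(x) for x in re.split(r"\s*-\s*", value.strip()))
    return ranges

def check_member_config(smb_text, krb5_text, nss_text):
    """Return a list of findings; an empty list means the three files agree."""
    findings = []
    g = parse_ini(smb_text)["global"]
    realm, krb_realm = g.get("realm", ""), parse_ini(krb5_text)["libdefaults"].get("default_realm", "")
    if not realm or realm.lower() != krb_realm.lower():
        findings.append(f"smb.conf realm {realm!r} differs from krb5.conf default_realm {krb_realm!r}")
    workgroup, ranges = g.get("workgroup", "").lower(), idmap_ranges(g)
    for name in (workgroup, "*"):
        if name not in ranges or f"idmap config {name} : backend" not in g:
            findings.append(f"missing idmap config range/backend for {name!r}")
    if workgroup in ranges and "*" in ranges:  # the two ranges must be valid and disjoint
        (a, b), (c, d) = ranges[workgroup], ranges["*"]
        if a > b or c > d or not (b < c or d < a):
            findings.append("domain and '*' idmap ranges overlap or are inverted")
    findings += [f"nsswitch.conf {db} line does not list winbind" for db in ("passwd", "group")
                 if not re.search(rf"^{db}:.*\bwinbind\b", nss_text, re.M)]
    return findings
```

To lint a real host, pass the contents of /etc/samba/smb.conf, /etc/krb5.conf and /etc/nsswitch.conf instead of the sample strings.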

Check Kerberos (obtain and list a ticket for a domain administrator):

sudo kinit administrator
sudo klist

Join Samba as a domain member. Show the DC and realm details first, then join using the Kerberos ticket obtained above (-k), and verify the join:

sudo net ads info
sudo net ads join -k
sudo net ads testjoin

After a successful join, restart the services:

sudo systemctl restart smbd nmbd winbind

Set up shares to act as a file server

Prepare the directory for the share:

sudo mkdir /media/share
sudo chmod -R 775 /media/share
sudo chown -R "SAMDOM\administrator":root /media/share

Add the share to Samba by appending a share definition to smb.conf:

sudo nano /etc/samba/smb.conf

[Share]
       # Use only the Windows ACL stored in xattrs, not the POSIX ACL
       # (the vfs_acl_xattr parameter is spelled "ignore system acls")
       acl_xattr:ignore system acls = Yes
       acl allow execute always = Yes
       acl group control = Yes
       inherit acls = Yes
       inherit owner = windows and unix
       inherit permissions = Yes
       path = /media/share
       read only = No

Finally, restart the services and the share is ready:

sudo systemctl restart smbd nmbd winbind

Use domain users and groups to set up ACLs

On a Windows client, open Windows Explorer:

Right-click the share, open the Security tab and click Edit. Then select the domain users or groups and adjust their permissions as needed.