This article will show you how to set up an Active Directory Member server, typically used as a file server. For simplicity, we will call this machine “FS1”.
This assumes you have prepared the server in advance and installed the Samba packages needed for a member server.
For a member server, only `smbd` and `winbind` are needed. Make sure the `samba-ad-dc` service is masked — it must not be active on a member server.
```sh
systemctl stop samba-ad-dc.service && systemctl mask samba-ad-dc.service
systemctl stop nmbd.service && systemctl mask nmbd.service
systemctl stop smbd.service
systemctl stop winbind.service
```
Warning: This will delete all current Samba state on the machine.
```sh
rm /run/samba/*.tdb \
   /run/samba/*.ldb \
   /var/lib/samba/*.tdb \
   /var/lib/samba/*.ldb \
   /var/cache/samba/*.tdb \
   /var/cache/samba/*.ldb \
   /var/lib/samba/private/*.tdb \
   /var/lib/samba/private/*.ldb
mv /etc/samba/smb.conf /etc/samba/smb.conf.bak
mv /etc/krb5.conf /etc/krb5.conf.bak
```
Point `/etc/resolv.conf` at the domain controllers and search the AD DNS domain:

```text
nameserver 192.168.0.2
nameserver 192.168.0.3
search mad.caponato.es
```
Samba member servers do not need to serve time, just to sync it.
```sh
apt-get remove ntp ntpstat python3-ntp ntpsec --purge
apt-get install systemd-timesyncd
```
Edit `/etc/systemd/timesyncd.conf`:
```ini
[Time]
NTP=dc1.mad.caponato.es dc2.mad.caponato.es
FallbackNTP=0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org
```
Enable and restart:
```sh
systemctl enable systemd-timesyncd
systemctl restart systemd-timesyncd
```
Check status:
```sh
systemctl status systemd-timesyncd
```
Expected output snippet:
```text
Status: "Contacted time server 192.168.0.2:123 (dc1.mad.caponato.es)."
```
List the network interfaces:

```sh
echo /sys/class/net/*
```
Example output:
```text
/sys/class/net/ens3 /sys/class/net/lo
```
Note the name of the physical interface (here `ens3`); it goes into the `interfaces` line of `smb.conf` later.
Copy the Kerberos client configuration from a domain controller:

```sh
rsync -a dc1:/etc/krb5.conf /etc/
```
Or write `/etc/krb5.conf` by hand:

```ini
[libdefaults]
    dns_lookup_realm = false
    dns_lookup_kdc = true
    default_realm = MAD.CAPONATO.ES
```
Obtain a ticket to confirm that Kerberos works:

```sh
kinit administrator
klist
```
Expected:
```text
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@MAD.CAPONATO.ES
```
If `kinit` fails, do not proceed until Kerberos is correctly configured.
Edit `/etc/nsswitch.conf`:
```text
passwd: files systemd winbind
group:  files systemd winbind
```
See: Choosing an idmap backend
Unless you have a compelling reason to use `ad`, use `rid`. The `rid` backend derives each Unix ID arithmetically from the account's SID, so every member server that uses the same range gets identical IDs without any extra attributes being stored in AD.
Use the correct physical interface name(s):
```ini
[global]
    security = ADS
    workgroup = MAD
    realm = MAD.CAPONATO.ES
    server role = member server
    log file = /var/log/samba/%m.log
    bind interfaces only = yes
    interfaces = lo ens3

    # winbind config:
    winbind use default domain = yes
    # Optional testing parameters:
    # winbind enum users = yes
    # winbind enum groups = yes

    # Kerberos integration
    winbind refresh tickets = Yes
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

    # ACL handling
    vfs objects = acl_xattr
    map acl inherit = yes
    acl_xattr:ignore system acls = yes

    # Veto unwanted files
    veto files = /Thumbs.db/.DS_Store/.../.@__desc/:2e*/$/._
    delete veto files = yes

    # ID mapping
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config MAD : backend = rid
    idmap config MAD : range = 10000-999999
```
Before joining the domain, make a backup of this file — the join process may reorganize and overwrite it.
```sh
cp /etc/samba/smb.conf /etc/samba/smb.conf.org
```
More info: smb.conf explained
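The two `range` lines are the part of this file that is easiest to get subtly wrong: the default (`*`) range must exist, each range must run low to high, and no two ranges may overlap, otherwise an ID allocated by the tdb fallback can collide with the ID the `rid` backend computes for a real domain SID. The following lint script is an added example, not part of the original page or of Samba; the two sample configurations it writes are constructed for the demonstration, one being the ID mapping section from the `smb.conf` above and the other a deliberately broken variant.

```bash
#!/bin/bash
# Added example (not from the original page): lint the idmap ranges in an
# smb.conf before joining. The sample configs written by the helpers below
# are constructed for this demonstration.

# Print one "DOMAIN LOW HIGH" line for every
# "idmap config DOMAIN : range = LOW-HIGH" entry in the file given as $1.
idmap_ranges() {
    sed -n -E \
      's/^[[:space:]]*idmap config[[:space:]]*([^[:space:]:]+)[[:space:]]*:[[:space:]]*range[[:space:]]*=[[:space:]]*([0-9]+)[[:space:]]*-[[:space:]]*([0-9]+).*/\1 \2 \3/p' \
      "$1"
}

# Return 0 when a default (*) range exists, every range has LOW < HIGH and
# no two ranges overlap; return 1 (with a message on stderr) otherwise.
check_idmap_ranges() {
    local file=$1 rc=0 ranges dom lo hi prev_dom='' prev_hi=-1
    ranges=$(idmap_ranges "$file")
    if ! printf '%s\n' "$ranges" | grep -q '^[*] '; then
        echo "$file: no 'idmap config * : range' entry" >&2
        rc=1
    fi
    # Every range must be non-empty and not inverted.
    while read -r dom lo hi; do
        [ -z "$dom" ] && continue
        if [ "$lo" -ge "$hi" ]; then
            echo "$file: range for $dom is empty or inverted ($lo-$hi)" >&2
            rc=1
        fi
    done <<EOF
$ranges
EOF
    # Sort by LOW; each range must then start above every HIGH seen so far.
    while read -r dom lo hi; do
        [ -z "$dom" ] && continue
        if [ "$lo" -le "$prev_hi" ]; then
            echo "$file: ranges overlap: $prev_dom reaches $prev_hi, $dom starts at $lo" >&2
            rc=1
        fi
        if [ "$hi" -gt "$prev_hi" ]; then
            prev_hi=$hi
            prev_dom=$dom
        fi
    done <<EOF
$(printf '%s\n' "$ranges" | sort -k2,2n)
EOF
    return "$rc"
}

# Constructed sample: the ID mapping section from the smb.conf on this page.
write_sample_conf() {
    cat > "$1" <<'EOF'
[global]
    workgroup = MAD
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config MAD : backend = rid
    idmap config MAD : range = 10000-999999
EOF
}

# Constructed sample of a broken config: the default range runs into the
# domain range, and a (hypothetical) trusted domain has an inverted range.
write_broken_conf() {
    cat > "$1" <<'EOF'
[global]
    workgroup = MAD
    idmap config * : backend = tdb
    idmap config * : range = 3000-19999
    idmap config MAD : backend = rid
    idmap config MAD : range = 10000-999999
    idmap config TRUST : backend = rid
    idmap config TRUST : range = 2000000-1500000
EOF
}

# Usage: ./idmap-lint.sh /etc/samba/smb.conf
if [ "$#" -gt 0 ]; then
    check_idmap_ranges "$1" && echo "$1: idmap ranges OK"
fi
```

Run it against `/etc/samba/smb.conf` before `net ads join`; it only reads the file, so it is safe to run on a live server as well.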
As an example, append to `smb.conf`:
```ini
[users]
    hide unreadable = yes
    path = /data/users/
    read only = no

[shares]
    hide unreadable = yes
    path = /data/shares/
    read only = no
```
Note: These shares are for file servers, not print servers.
```sh
net ads join -U "Administrator"
# or:
samba-tool domain join mad.caponato.es MEMBER -U "Administrator"
```
Expected output:
```text
Joined 'FS1' to dns domain 'mad.caponato.es'
```
You may also see:
```text
DNS Update for fs1.mad.caponato.es failed: ERROR_DNS_UPDATE_FAILED
```
This is not critical; it usually means the DNS record already exists. Confirm that the name resolves against a domain controller before relying on it, for example with `host fs1.mad.caponato.es 192.168.0.2`.
Reboot so that `smbd` and `winbind` come up with the joined configuration:

```sh
reboot
```
Verify the join, and that `winbind` can reach a DC and enumerate domain users and groups:

```sh
net ads testjoin
wbinfo --ping-dc
wbinfo -u
wbinfo -g
```
If `wbinfo` fails, check your `nsswitch.conf` and `smb.conf` carefully.
After the join, `winbind` resolves Active Directory users and groups, so you can assign ownership and permissions to AD accounts. Create the shared directories only now: before the join, a `chown` to a domain user would fail because the system cannot resolve the name.
Let's assume `caponato` is a member of the “Domain Admins” group and will be configuring the shares.
In this example, we will use the folders defined earlier: `/data/users/` and `/data/shares/`.
```sh
mkdir -p /data/users
chown caponato:"Domain Users" /data/users
chmod 2770 /data/users
```
Repeat the same steps for `/data/shares` or any other folders you wish to share.
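The same three steps as a reusable function, as an added example that is not part of the original page: it refuses to touch the filesystem until the owner and group actually resolve through NSS, which is exactly what fails when winbind is not running or is missing from `nsswitch.conf`, so the error is explicit instead of a bare `chown: invalid user`. The usage lines assume the `caponato` account and `/data` paths from this page.

```bash
#!/bin/bash
# Added example (not from the original page): create a share directory the
# way the page does (mkdir, chown to a domain owner and group, mode 2770),
# but only after checking that both names resolve through NSS.

# make_share_dir PATH OWNER GROUP [MODE]
# MODE defaults to 2770: the setgid bit keeps files created inside the
# share in the share's group, and "other" gets no access at all.
make_share_dir() {
    local path=$1 owner=$2 group=$3 mode=${4:-2770}
    if ! getent passwd "$owner" >/dev/null; then
        echo "owner '$owner' does not resolve through NSS; is winbind running and listed in nsswitch.conf?" >&2
        return 1
    fi
    if ! getent group "$group" >/dev/null; then
        echo "group '$group' does not resolve through NSS" >&2
        return 1
    fi
    mkdir -p "$path" &&
    chown "$owner:$group" "$path" &&
    chmod "$mode" "$path"
}

# Usage as on this page (caponato in Domain Admins, share group Domain Users):
#   ./mkshare.sh /data/users  caponato "Domain Users"
#   ./mkshare.sh /data/shares caponato "Domain Users"
if [ "$#" -ge 3 ]; then
    make_share_dir "$@"
fi
```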
Use a Windows machine joined to the domain and install RSAT. Follow this guide to configure permissions via GUI.
Congratulations! Your member server has joined the domain and is ready to share files.
See: Hardening Samba
Only needed if you're applying Linux-specific GPOs.
See: Samba Wiki - GPOs Group Policy for Linux - Book
In `smb.conf`, add:
```ini
apply group policies = yes
```
Caponato's Samba notebook.