Setting up a Member Server (file server for our purposes)
This article will show you how to set up an Active Directory Member server, typically used as a file server. For simplicity, we will call this machine “FS1”.
You have prepared your server in advance, and have installed binaries for a member server.
Make sure Samba is stopped
For a member server, only `smbd` and `winbind` are needed. Make sure the `samba-ad-dc` service is masked — it must not be active on a member server.
systemctl stop samba-ad-dc.service && systemctl mask samba-ad-dc.service
systemctl stop nmbd.service && systemctl mask nmbd.service
systemctl stop smbd.service
systemctl stop winbind.service
Remove all old databases and config files
Warning: This will delete all current Samba state on the machine.
rm /run/samba/*.tdb \
   /run/samba/*.ldb \
   /var/lib/samba/*.tdb \
   /var/lib/samba/*.ldb \
   /var/cache/samba/*.tdb \
   /var/cache/samba/*.ldb \
   /var/lib/samba/private/*.tdb \
   /var/lib/samba/private/*.ldb
mv /etc/samba/smb.conf /etc/samba/smb.conf.bak
mv /etc/krb5.conf /etc/krb5.conf.bak
Configure your /etc/resolv.conf file with your DC's IP address
nameserver 192.168.0.2
nameserver 192.168.0.3
search mad.caponato.es
Configure the Time Service
Samba member servers do not need to serve time, just to sync it.
apt-get remove ntp ntpstat python3-ntp ntpsec --purge
apt-get install systemd-timesyncd
Edit `/etc/systemd/timesyncd.conf`:
[Time]
NTP=dc1.mad.caponato.es dc2.mad.caponato.es
FallbackNTP=0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org
Enable and restart:
systemctl enable systemd-timesyncd
systemctl restart systemd-timesyncd
Check status:
systemctl status systemd-timesyncd
Expected output snippet:
Status: "Contacted time server 192.168.0.2:123 (dc1.mad.caponato.es)."
Get info on your network card "predictable" name
echo /sys/class/net/*
Example output:
/sys/class/net/ens3 /sys/class/net/lo
Write down your actual physical card name for later use in `smb.conf`.
Copy the Kerberos configuration file from a DC
rsync -a dc1:/etc/krb5.conf /etc/
Or use:
[libdefaults]
dns_lookup_realm = false
dns_lookup_kdc = true
default_realm = MAD.CAPONATO.ES
Test Kerberos
kinit administrator
klist
Expected:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@MAD.CAPONATO.ES
If `kinit` fails, do not proceed until Kerberos is correctly configured.
Configure (or check configuration of) the Name Service Switch
Edit `/etc/nsswitch.conf`:
passwd: files systemd winbind
group:  files systemd winbind
Choosing an idmap backend for your member server
See: Choosing an idmap backend
Unless you have a compelling reason to use `ad`, use `rid`.
Configure a basic smb.conf file (/etc/samba/smb.conf)
Use the correct physical interface name(s):
[global]
security = ADS
workgroup = MAD
realm = MAD.CAPONATO.ES
server role = member server
log file = /var/log/samba/%m.log
bind interfaces only = yes
interfaces = lo ens3

# winbind config:
winbind use default domain = yes
# Optional testing parameters:
# winbind enum users = yes
# winbind enum groups = yes

# Kerberos integration
winbind refresh tickets = Yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab

# ACL handling
vfs objects = acl_xattr
map acl inherit = yes
acl_xattr:ignore system acls = yes

# Veto unwanted files
veto files = /Thumbs.db/.DS_Store/.../.@__desc/:2e*/$/._
delete veto files = yes

# ID mapping
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config MAD : backend = rid
idmap config MAD : range = 10000-999999
Before joining the domain, make a backup of this file — the join process may reorganize and overwrite it.
cp /etc/samba/smb.conf /etc/samba/smb.conf.org
More info: smb.conf explained
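The `idmap config` block above is the part of `smb.conf` that is easiest to get subtly wrong: the default `*` range and the `MAD` range must not overlap, and with the `rid` backend the Unix ID is simply the range low value plus the account's RID. The following Python is an added example, not part of this notebook; it assumes the `[global]` layout shown above and uses a sample config constructed inline.

```python
import re

# Constructed sample: the idmap lines from the member server smb.conf above.
SAMPLE_SMB_CONF = """
[global]
    security = ADS
    workgroup = MAD
    realm = MAD.CAPONATO.ES
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config MAD : backend = rid
    idmap config MAD : range = 10000-999999
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(\S+)\s*$", re.I)

def parse_idmap(conf_text):
    """Return {domain: {'backend': str, 'range': (low, high)}} from smb.conf text."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1), m.group(2).lower(), m.group(3)
        entry = domains.setdefault(dom, {})
        if key == "range":
            low, high = (int(x) for x in val.split("-", 1))
            entry["range"] = (low, high)
        elif key == "backend":
            entry["backend"] = val.lower()
    return domains

def check_idmap(domains):
    """List problems: missing default domain, missing/inverted ranges, overlaps."""
    problems = []
    if "*" not in domains:
        problems.append("no 'idmap config *' default backend (winbind needs one)")
    for dom, e in domains.items():
        if "range" not in e:
            problems.append(f"{dom}: no range")
        elif e["range"][0] >= e["range"][1]:
            problems.append(f"{dom}: inverted range {e['range']}")
    names = sorted(d for d in domains if "range" in domains[d])
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (la, ha), (lb, hb) = domains[a]["range"], domains[b]["range"]
            if la <= hb and lb <= ha:
                problems.append(f"ranges of {a} and {b} overlap")
    return problems

def rid_to_uid(domains, dom, rid):
    """Unix ID the rid backend assigns (range low + RID), or None if out of range."""
    low, high = domains[dom]["range"]
    uid = low + rid
    return uid if low <= uid <= high else None
```

Run `check_idmap(parse_idmap(open("/etc/samba/smb.conf").read()))` before `net ads join`; an empty list means the ranges are consistent.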
Get some shares going
As an example, append to `smb.conf`:
[users]
hide unreadable = yes
path = /data/users/
read only = no

[shares]
hide unreadable = yes
path = /data/shares/
read only = no
Note: These shares are for file servers, not print servers.
Join the domain and reboot
net ads join -U "Administrator"
# or:
samba-tool domain join mad.caponato.es MEMBER -U "Administrator"
Expected output:
Joined 'FS1' to dns domain 'mad.caponato.es'
You may also see:
DNS Update for fs1.mad.caponato.es failed: ERROR_DNS_UPDATE_FAILED
This is not critical — it usually means the DNS record already exists.
reboot
Final tests
net ads testjoin
wbinfo --ping-dc
wbinfo -u
wbinfo -g
If `wbinfo` fails, check your `nsswitch.conf` and `smb.conf` carefully.
Create your shared directories
After joining the domain, the server is able to resolve and identify Active Directory users and groups through `winbind`. This means you can now assign ownership and permissions to AD accounts. You should create the shared directories at this point, as attempting to assign permissions earlier would fail — the system wouldn't recognize domain users.
Let's assume `caponato` is a member of the “Domain Admins” group and will be configuring the shares.
In this example, we will use the folders defined earlier: `/data/users/` and `/data/shares/`.
mkdir -p /data/users
chown caponato:"Domain Users" /data/users
chmod 2770 /data/users
Repeat the same steps for `/data/shares` or any other folders you wish to share.
Define share permission and security
Use a Windows machine joined to the domain and install RSAT. Follow this guide to configure permissions via GUI.
Congratulations! Your member server has joined the domain and is ready to share files.
Consider Hardening the Samba Server
See: Hardening Samba
Enabling GPOs for Member Servers (Optional)
Only needed if you're applying Linux-specific GPOs.
See: Samba Wiki - GPOs Group Policy for Linux - Book
In `smb.conf`, add:
apply group policies = yes
