I installed Samba during the initial server installation's tasksel-like dialog.
apt install ntp ntpdate winbind libnss-winbind libpam-winbind krb5-config krb5-locales krb5-user
vim /etc/ntp.conf
Set `pool ada.example.com` and `pool adb.example.com` (ntp.conf directives take no `=`). The domain controllers must be the time source: Kerberos rejects tickets when the clock skew exceeds a few minutes.
service ntp restart
vim /etc/krb5.conf
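# /etc/krb5.conf — MIT Kerberos client settings for the EXAMPLE.COM domain.
# Full-line comments only (# or ; in column 0).
[libdefaults]
# lifetime requested for new tickets; a bare number is seconds (24000 = 6 h 40 min)
ticket_lifetime = 24000
default_realm = EXAMPLE.COM
# Enctype preference. The original key names were misspelled
# (default_tgs_entypes / default_tkt__enctypes) and were therefore silently ignored.
# AES first; rc4-hmac kept only for compatibility with legacy domain controllers.
# des-cbc-md5 dropped: single-DES is weak, disabled by default in Active Directory,
# and no longer supported by current MIT Kerberos releases.
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
# locate the realm and KDCs through the DNS records the domain controllers publish
dns_lookup_realm = true
dns_lookup_kdc = true
dns_fallback = true
[realms]
EXAMPLE.COM = {
kdc = ada.example.com
kdc = adb.example.com
# NOTE(review): default_domain is normally the DNS domain (example.com), not one
# DC's hostname — confirm; it only affects Kerberos 4 name translation.
default_domain = ada.example.com
}
[domain_realm]
# Hosts under example.com belong to realm EXAMPLE.COM. The original mapped them to
# ADA.EXAMPLE.COM / ADB.EXAMPLE.COM, realms that are not defined above, and repeated
# each key, so at most one of the duplicate entries could ever take effect.
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
[appdefaults]
# Read by pam_krb5. The PAM stack below uses pam_winbind, so this block may be
# unused — confirm; it is harmless either way.
pam = {
debug = false
# lifetimes in seconds (36000 = 10 h, Active Directory's default maximum)
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
# Kerberos 4 conversion; obsolete, kept only to mirror the original notes
krb4_convert = false
}
[logging]
# kdc and admin_server only apply on a KDC host; harmless on a domain member
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log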
kinit administrator
klist
vim /etc/samba/smb.conf
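; /etc/samba/smb.conf — member server joined to the EXAMPLE.COM AD domain.
; Booleans are yes/no throughout; full-line comments only (; in column 0).
[global]
workgroup = EXAMPLE
realm = EXAMPLE.COM
; authenticate against the domain controllers with Kerberos
security = ads
; ID mapping. The original used the legacy idmap backend / idmap uid / idmap gid
; parameters, which current Samba releases no longer accept, and gave the EXAMPLE
; domain the same range as the default domain; per-domain ranges must not overlap.
; The default range below is a constructed example — keep it disjoint from every
; per-domain range. Existing tdb mappings in the old range would be invalidated.
idmap config * : backend = tdb
idmap config * : range = 3000-7999
; rid derives deterministic IDs from the account's RID, so every member server
; using the same range sees the same uid/gid for a given account
idmap config EXAMPLE : backend = rid
idmap config EXAMPLE : range = 10000-99999
; enumeration makes getent list domain accounts but is slow on large domains
winbind enum users = yes
winbind enum groups = yes
; strip the EXAMPLE\ prefix from user and group names
winbind use default domain = yes
winbind nested groups = yes
winbind refresh tickets = yes
winbind offline logon = yes
winbind expand groups = 1
template homedir = /home/%U
template shell = /bin/bash
client use spnego = yes
; never fall back to NTLMv1 for outbound authentication
client ntlmv2 auth = yes
log file = /var/log/samba/samba.log
log level = 2
; left disabled by the original author; when enabled smbd applies PAM account and
; session rules to SMB logins (it does not change Kerberos authentication)
;obey pam restrictions = yes
; refuse SMB1 in both directions
min protocol = SMB2
client min protocol = SMB2
; new files and directories copy the parent directory's mode bits.
; NOTE(review): with this set to yes the create mask / directory mask / force *
; mode settings in [data] are overridden — confirm which behaviour is wanted
inherit permissions = yes

[homes]
comment = Home directories and personal storage for lab users
read only = no
browseable = no

[data]
comment = Main data store for lab users
path = /data
; + prefix: resolve the name as a unix group (served by winbind)
valid users = +EXAMPLE\labusers
; with the + prefix the group is only forced for users who already belong to it
force group = +EXAMPLE\labusers
; writable = yes from the original was a synonym of read only = no; one suffices
read only = no
; setgid (2) on directories makes new entries inherit the group; on files it is
; unusual. NOTE(review): confirm 2770 rather than 0770 is intended for files
create mask = 2770
force create mode = 2770
directory mask = 2770
force directory mode = 2770
; hide the share from users who are not allowed to access it
access based share enum = yes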
net ads join -U administrator
pam-auth-update
[*] create home directory on login
vim /etc/pam.d/common-session
# /etc/pam.d/common-session — additions for domain logins
# NOTE(review): Debian/Ubuntu regenerate this file with pam-auth-update; manually
# added lines can be overwritten on the next run — confirm where these were placed.
# session umask 0007: group-writable files, no access for others
session optional pam_umask.so umask=0007
# create the home directory on first login; umask=0077 keeps it private to the user
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
vim /etc/nsswitch.conf
# /etc/nsswitch.conf — resolve domain accounts through winbind after local sources.
# Sources are tried left to right; winbind last, so a local account wins on a name clash.
passwd: compat systemd winbind
group: compat systemd winbind
# NOTE(review): libnss_winbind appears to serve passwd and group only, so the
# shadow entry likely has no effect — confirm before relying on it
shadow: compat winbind
vim /etc/pam.d/common-auth
# NOTE(review): these are password-type lines (the password-change stack), but the
# file opened above is common-auth, which holds auth-type lines; they look as if
# they belong in common-password — confirm. libpam-winbind also ships a
# pam-auth-update profile that adds pam_winbind to the common-* files, so a manual
# edit here may be redundant or overwritten on the next run.
#password [success=1 default=ignore] pam_winbind.so use_authtok try_first_pass
# sufficient: a winbind success ends the stack here; a failure falls through to
# the modules that follow
password sufficient pam_winbind.so
vim /etc/ssh/sshd_config
# Restrict SSH logins to members of the listed groups. groupName is a placeholder
# for the AD group, written unqualified because smb.conf sets
# winbind use default domain = yes. Keep an existing session open while testing
# so a mistake here cannot lock you out.
AllowGroups sudo groupName
systemctl restart smbd nmbd winbind
Try mapping drives, creating files over SMB, using touch, changing passwords, etc.