Samba 3 as a Domain Member (CentOS 6+PBIS)
Requirements
Supported Samba versions:
– Samba version 3.0.25 or later versions in the 3.0 series
– Samba 3.2.X
– Samba 3.4.X
– Samba 3.5.X
Winbind must be installed and running when you are using Samba version 3.0.25 or later versions in the 3.0 series.
If you are using Samba version 3.2.X or 3.5.X, Winbind is not required.
The Samba package must be built with ADS (Active Directory) security support.
PowerBroker Identity Services relies on security = ADS when Samba and PowerBroker Identity Services are used together.
For more information, see: https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
Installation and configuration
https://github.com/BeyondTrust/pbis-open/releases
wget https://github.com/BeyondTrust/pbis-open/releases/download/8.6.0/pbis-open-8.6.0.427.linux.x86_64.rpm.sh
chmod +x pbis-open-8.6.0.427.linux.x86_64.rpm.sh
./pbis-open-8.6.0.427.linux.x86_64.rpm.sh install
/opt/pbis/bin/domainjoin-cli join --assumeDefaultDomain yes sub.domain.com domainjoinusername
/opt/pbis/bin/update-dns
/opt/pbis/bin/get-status
yum install samba-3.6.23
mv /etc/samba/smb.conf /etc/samba/smb.conf_bk
vi /etc/samba/smb.conf

[global]
workgroup = SUB
realm = SUB.DOMAIN.COM
server string = %h server
security = ADS
map to guest = Bad User
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
unix password sync = Yes
; syslog = 0
log file = /var/log/samba/log.%m
; max log size = 1000
load printers = No
printcap name = /dev/null
disable spoolss = Yes
dns proxy = No
; wins server = 10.10.10.10
; usershare allow guests = Yes
panic action = /usr/share/samba/panic-action %d
; idmap config * : range = 10000-33554431
; idmap config * : range = 3000-7999
; idmap config * : backend = tdb
; printing = bsd
; print command = lpr -r -P'%p' %s
; lpq command = lpq -P'%p'
; lprm command = lprm -P'%p' %j
machine password timeout = 0
; log level = 5
; debug pid = true

[share]
path = /smb/share
valid users = @adgroup
force user = aduser
force group = domain^users
read only = No
acl check permissions = No
create mask = 0640
directory mask = 0750
browseable = No
/opt/pbis/bin/samba-interop-install --check-version
Found smbd version 3.6.23-46el6_9
Samba version supported
/opt/pbis/bin/samba-interop-install --install --loglevel verbose
service smb restart; service nmb restart
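The smb.conf above decides who can reach the share, so a quick audit of the settings that matter on a PBIS member is worth keeping next to the install steps. The script below is an added example, not the page's or PBIS/Samba's own code. It assumes the ini layout shown above, takes the file path as its first argument, and prints FINDING/INFO lines; the sample configs it builds are constructed here to resemble the page's configuration.

```shell
#!/bin/sh
# Added example (not from the page): audit an smb.conf for the settings that change
# who can reach a share on a PBIS-joined Samba member. Assumes the smb.conf ini
# layout; prints "FINDING:" and "INFO:" lines and always exits 0 so it can be piped.

# smb_get FILE SECTION KEY: print the lower-cased value of KEY inside [SECTION],
# skipping ';' and '#' comment lines; prints nothing when the key is absent.
smb_get() {
    awk -v want="[$2]" -v key="$3" '
        /^[ \t]*[;#]/ { next }
        /^[ \t]*\[/   { s = $0; gsub(/^[ \t]+|[ \t]+$/, "", s); sect = tolower(s); next }
        sect == tolower(want) && index($0, "=") {
            k = $0; sub(/=.*/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (tolower(k) == tolower(key)) {
                v = $0; sub(/^[^=]*=/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v)
                print tolower(v); exit
            }
        }' "$1"
}

# smb_sections FILE: print every section name, lower-cased, one per line.
smb_sections() {
    awk '/^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s); sub(/[]][ \t]*$/, "", s); print tolower(s) }' "$1"
}

# smb_audit FILE: one line per finding. Checks: AD member mode, guest mapping,
# machine password rotation handed to PBIS, and a valid users line on every share.
smb_audit() {
    f=$1
    [ "$(smb_get "$f" global security)" = "ads" ] ||
        echo "FINDING: [global] security is not ADS; the PBIS interop module needs AD member mode"
    case "$(smb_get "$f" global 'map to guest')" in
        ""|never) ;;
        *) echo "FINDING: [global] map to guest maps failed logins of unknown users to guest" ;;
    esac
    [ "$(smb_get "$f" global 'machine password timeout')" != "0" ] ||
        echo "INFO: [global] smbd will not rotate the machine password; PBIS (lsass) must own rotation"
    for s in $(smb_sections "$f"); do
        [ "$s" = global ] && continue
        [ -n "$(smb_get "$f" "$s" 'valid users')" ] ||
            echo "FINDING: [$s] has no 'valid users' restriction"
    done
    return 0
}

# Constructed sample: the page's configuration reduced to the lines the audit reads.
WORK=$(mktemp -d)
PAGE_CONF="$WORK/smb.conf"
cat > "$PAGE_CONF" <<'EOF'
[global]
workgroup = SUB
realm = SUB.DOMAIN.COM
security = ADS
map to guest = Bad User
; log level = 5
machine password timeout = 0

[share]
path = /smb/share
valid users = @adgroup
force user = aduser
force group = domain^users
read only = No
browseable = No
EOF

# Constructed variants: guest mapping turned off, and a second share without valid users.
HARDENED_CONF="$WORK/smb-hardened.conf"
sed 's/^map to guest = .*/map to guest = Never/' "$PAGE_CONF" > "$HARDENED_CONF"
OPEN_CONF="$WORK/smb-open.conf"
cp "$PAGE_CONF" "$OPEN_CONF"
printf '\n[public]\npath = /smb/public\nread only = No\n' >> "$OPEN_CONF"

# Run the audit on all three when executed directly.
for c in "$PAGE_CONF" "$HARDENED_CONF" "$OPEN_CONF"; do
    echo "== $c"; smb_audit "$c"
done
```

Run it against the real file with `smb_audit /etc/samba/smb.conf` after sourcing the script; `testparm -s` remains the authority on how smbd actually parses the file, this only flags the handful of parameters the page touches.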
Troubleshooting
Issue: The primary group domain sid(S-1-2-34-5678901234-5678901234-5678901234-567) does not match the domain sid(S-1-2-34-2414616913-1771598462-3719962008) for aduser(S-1-22-1-1234567890)
Fix:
net getdomainsid
net setlocalsid S-1-2-34-5678901234-5678901234-5678901234-567
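The mismatch above can be spotted from text before anyone runs net. The script below is an added example, not part of the page: it pulls the SIDs out of the smbd message and out of `net getdomainsid`-style output and reports whether Samba's local SID agrees with the domain SID. The sample lines are constructed to resemble the page's message and the usual `net getdomainsid` wording; treat those exact formats as an assumption and adjust the patterns to what your build prints.

```shell
#!/bin/sh
# Added example (not from the page): detect a Samba local-SID / domain-SID mismatch
# from log text and from `net getdomainsid` output, without touching secrets.tdb.
# Input formats are assumed; the samples below are constructed.

# sids_in TEXT: print every SID (S-1-<authority>-<subauth>...) found, one per line.
sids_in() {
    printf '%s\n' "$1" | awk '{
        s = $0
        while (match(s, /S-1-[0-9]+(-[0-9]+)+/)) {
            print substr(s, RSTART, RLENGTH)
            s = substr(s, RSTART + RLENGTH)
        }
    }'
}

# check_log_line LINE: for the smbd "does not match the domain sid" message print
# "MISMATCH <group domain sid> <samba domain sid>" or "OK"; other lines print nothing.
check_log_line() {
    case "$1" in
        *"does not match the domain sid"*) ;;
        *) return 0 ;;
    esac
    set -- $(sids_in "$1")   # $1 group domain sid, $2 samba's domain sid, $3 user sid
    if [ "$1" = "$2" ]; then echo "OK"; else echo "MISMATCH $1 $2"; fi
}

# check_getdomainsid OUTPUT: compare the "SID for local machine" and "SID for domain"
# lines; print "OK", or the net setlocalsid command the page uses to realign them.
check_getdomainsid() {
    local_sid=$(printf '%s\n' "$1" | awk '/SID for local machine/ { print $NF }')
    domain_sid=$(printf '%s\n' "$1" | awk '/SID for domain/ { print $NF }')
    if [ -z "$local_sid" ] || [ -z "$domain_sid" ]; then echo "UNPARSED"; return 0; fi
    if [ "$local_sid" = "$domain_sid" ]; then
        echo "OK"
    else
        echo "net setlocalsid $domain_sid"
    fi
}

# Constructed sample: the page's error message with its redacted SIDs.
LOG_LINE='The primary group domain sid(S-1-2-34-5678901234-5678901234-5678901234-567) does not match the domain sid(S-1-2-34-2414616913-1771598462-3719962008) for aduser(S-1-22-1-1234567890)'

# Constructed samples resembling `net getdomainsid` output (format assumed).
GETDOMAINSID_OK='SID for local machine SMBTEST01V is: S-1-2-34-2414616913-1771598462-3719962008
SID for domain SUB is: S-1-2-34-2414616913-1771598462-3719962008'
GETDOMAINSID_BAD='SID for local machine SMBTEST01V is: S-1-2-34-5678901234-5678901234-5678901234
SID for domain SUB is: S-1-2-34-2414616913-1771598462-3719962008'

check_log_line "$LOG_LINE"
check_getdomainsid "$GETDOMAINSID_OK"
check_getdomainsid "$GETDOMAINSID_BAD"
```

Feed it real input with `check_log_line "$(grep 'does not match the domain sid' /var/log/samba/log.smbd | tail -1)"` or `check_getdomainsid "$(net getdomainsid)"`; confirm the SID the command proposes against the domain controller before applying it.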
————————————————————————
# net ads join -U administrator
Enter administrator's password: Passw0rd
Using short domain name -- SUB
Joined 'SMBTEST01V' to dns domain 'sub.domain.com'
————————————————————————
Debug:
smbclient //10.10.10.11/share/ -U SUB/aduser
smbclient -L 10.10.10.11 -U SUB/aduser
/opt/pbis/bin/enum-users
pbis status
/opt/pbis/bin/domainjoin-cli query
/opt/pbis/bin/lwsm list
/opt/pbis/bin/lwsm set-log-target -p lsass - file /tmp/lsass.log
/opt/pbis/bin/lwsm set-log-level -p lsass - debug
See the "Troubleshooting PBIS-Samba Integration" section of https://www.beyondtrust.com/wp-content/uploads/documentation-pbis-samba-integration-guide.pdf
Links:
https://www.beyondtrust.com/wp-content/uploads/documentation-pbis-samba-integration-guide.pdf
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
https://github.com/BeyondTrust/pbis-open/releases