Samba: ввод в домен
net ads join -U administrator - ввести в домен
net ads leave -U administrator - вывести самбу из домена
вводим в домен AD вторым контроллером
samba-tool domain join test.local DC -U useradmin
проверим работу службы репликации каталогов (DRS)
samba-tool drs showrepl
Минимальный конфиг для рабочей станции
/etc/krb5.conf
# Kerberos client configuration for the NET.LAN realm.
# Comments are kept on their own lines, outside the braced realm block.
[libdefaults]
# Realm assumed when a principal is given without one.
default_realm = NET.LAN
# Tolerated clock difference between this host and the KDC, in seconds.
# Keep host time synchronised rather than widening this window: it also
# bounds how stale a presented ticket timestamp may be.
clockskew = 300
# NOTE(review): v4_instance_resolve looks like a Heimdal Kerberos 4
# compatibility option - confirm the installed library still reads it.
v4_instance_resolve = false
# A single KDC and admin server are listed for the realm, so there is no
# fallback if dc0.net.lan is unreachable.
[realms]
NET.LAN = {
kdc = dc0.net.lan
admin_server = dc0.net.lan
default_domain = net.lan
}
# Map the DNS domain itself and every host below it to the realm.
[domain_realm]
.net.lan = NET.LAN
net.lan = NET.LAN
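# smb.conf [global] section for a Samba host joined to the NET.LAN Active
# Directory domain as a member server.
# Comments stay on their own lines; text after a value would become part of it.
[global]
# "ldap server require strong auth = No" was removed from this template.
# The parameter controls Samba's own LDAP server (AD DC role) and has no
# effect on a member server; copied onto a domain controller it would accept
# simple binds over unencrypted connections. The default (yes) now applies.
realm = NET.LAN
server string = samba
server role = member server
workgroup = NET
security = ADS
# NOTE(review): with security = ADS the domain controllers are normally found
# through DNS; pinning one DC removes failover - confirm this is needed.
password server = dc0
# NOTE(review): "encrypt passwords" is marked deprecated in recent Samba
# releases and Yes is already the default - verify it can be dropped.
encrypt passwords = Yes
#logon script = %U.bat
# Verify Kerberos tickets against the machine secret in secrets.tdb only,
# without consulting a system keytab.
kerberos method = secrets only
# Domain users are addressed without the "NET\" prefix. The key was listed
# twice (true / yes); one entry is kept.
winbind use default domain = yes
winbind offline logon = false
passdb backend = tdbsam
# Level 5 is debugging verbosity: logs grow quickly and can expose account
# and session details. Lower it once the join is verified and keep the log
# directory readable by administrators only.
log level = 5
# Log size in KiB at which Samba rotates the file.
max log size = 20480
# NOTE(review): this makes the host a WINS server, which is unusual for a
# domain member - confirm the legacy NetBIOS name service is really wanted.
wins support = yes
# Default idmap domain: autorid allocates one slice of "rangesize" IDs per
# domain out of "range".
idmap config * : range = 10000-24999999
idmap config * : rangesize = 200000
idmap config * : backend = autorid
# NOTE(review): idmap_ldb:use rfc2307 is a domain-controller setting and is
# presumably ignored on a member server - verify before relying on it.
idmap_ldb:use rfc2307 = yes
# Enumeration lets "getent passwd/group" list every domain account; it is
# costly in large domains. Both keys were listed twice; one copy is kept.
winbind enum users = yes
winbind enum groups = yes
# Serve only on the interfaces named below. The loopback interface stays in
# the list because local Samba tools connect through it.
bind interfaces only = yes
interfaces = lo0 em0
# Samba's default is /bin/false. /bin/sh gives every domain account resolved
# by winbind a usable login shell, so restrict interactive logins in PAM or
# sshd if only some users should get one.
template shell = /bin/sh
#winbind separator = +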