The software described in this documentation is either in Extended Support or Sustaining Support. See https://www.oracle.com/us/support/library/enterprise-linux-support-policies-069172.pdf for more information.
Oracle recommends that you upgrade the software described by this documentation as soon as possible.

23.9.1 Enabling Winbind Authentication

If you use the Authentication Configuration GUI and select Winbind as the user account database, you are prompted for the information that is required to connect to a Microsoft workgroup, Active Directory, or Windows NT domain controller. Enter the name of the Winbind domain and select the security model for the Samba server:

ads

In the Active Directory Server (ADS) security model, Samba acts as a domain member in an ADS realm, and clients use Kerberos tickets for Active Directory authentication. You must configure Kerberos and join the server to the domain, which creates a machine account for your server on the domain controller.

domain

In the domain security model, the local Samba server has a machine account (a domain security trust account) and Samba authenticates user names and passwords with a domain controller in a domain that implements Windows NT4 security.

Warning

If the local machine acts as a Primary or Backup Domain Controller, do not use the domain security model. Use the user security model instead.

server

In the server security model, the local Samba server authenticates user names and passwords with another server, such as a Windows NT server.

Warning

The server security model is deprecated as it has numerous security issues.

user

In the user security model, a client must log in with a valid user name and password. This model supports encrypted passwords. If the server successfully validates the client's user name and password, the client can mount multiple shares without being required to specify a password.

Depending on the security model that you choose, you might also need to specify the following information:

  • The name of the ADS realm that the Samba server is to join (ADS security model only).

  • The names of the domain controllers. If there are several domain controllers, separate the names with spaces.

  • The login template shell to use for the Windows NT user account (ADS and domain security models only).

  • Whether to allow user authentication using information that has been cached by the System Security Services Daemon (SSSD) if the domain controllers are offline.

Your selection updates the security directive in the [global] section of the /etc/samba/smb.conf configuration file.

If you have initialized Kerberos, you can click Join Domain to create a machine account on the Active Directory server and grant permission for the Samba domain member server to join the domain.

You can also use the authconfig command to configure Winbind authentication. To use the user-level security models, specify the name of the domain or workgroup and the host names of the domain controllers, for example:

# authconfig --enablewinbind --enablewinbindauth --smbsecurity user \
  [--enablewinbindoffline] --smbservers="ad1.mydomain.com ad2.mydomain.com" \
  --smbworkgroup=MYDOMAIN --update

To allow user authentication using information that has been cached by the System Security Services Daemon (SSSD) if the domain controllers are offline, specify the --enablewinbindoffline option.

For the domain security model, additionally specify the template shell, for example:

# authconfig --enablewinbind --enablewinbindauth --smbsecurity domain \
  [--enablewinbindoffline] --smbservers="ad1.mydomain.com ad2.mydomain.com" \
  --smbworkgroup=MYDOMAIN --winbindtemplateshell=/bin/bash --update

For the ADS security model, additionally specify the ADS realm and template shell, for example:

# authconfig --enablewinbind --enablewinbindauth --smbsecurity ads \
  [--enablewinbindoffline] --smbservers="ad1.mydomain.com ad2.mydomain.com" \
  --smbworkgroup=MYDOMAIN --smbrealm MYDOMAIN.COM \
  --winbindtemplateshell=/bin/bash --update

For more information, see the authconfig(8) manual page.
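
To confirm what the GUI or authconfig recorded in the [global] section of /etc/samba/smb.conf, the following added example (not part of the original documentation) reads the security directive and flags the deprecated server model, an ads model without a realm, and an ads or domain model without a template shell. The function names are hypothetical; realm and template shell are standard smb.conf parameter names, and it is an assumption that --smbrealm and --winbindtemplateshell populate them.

```bash
#!/bin/bash
# Added example: audit the security model recorded in smb.conf [global].
# Samba ignores case and whitespace in section and parameter names,
# so names are normalised before they are compared.

# smb_global_get FILE PARAM: print the last value of PARAM in [global].
smb_global_get() {
    awk -v want="$2" '
        function norm(s) { gsub(/[ \t]/, "", s); return tolower(s) }
        BEGIN { want = norm(want) }
        /^[ \t]*[#;]/ { next }                      # comment line
        /^[ \t]*\[/ {                               # section header
            sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
            in_global = (norm(sec) == "global"); next
        }
        in_global && (eq = index($0, "=")) {
            val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            if (norm(substr($0, 1, eq - 1)) == want) found = val
        }
        END { print found }
    ' "$1"
}

# check_winbind_security FILE: print findings; return 1 if there are any.
check_winbind_security() {
    local file="$1" rc=0
    local model realm shell
    model=$(smb_global_get "$file" security | tr 'A-Z' 'a-z')
    realm=$(smb_global_get "$file" realm)
    shell=$(smb_global_get "$file" "template shell")
    case "$model" in
        server) echo "FAIL: security = server is deprecated"; rc=1 ;;
        ads)    [ -n "$realm" ] || { echo "FAIL: security = ads but no realm"; rc=1; } ;;
        user|domain) ;;
        "")     echo "WARN: no security directive in [global]"; rc=1 ;;
        *)      echo "WARN: '$model' is not ads, domain, server or user"; rc=1 ;;
    esac
    case "$model" in
        ads|domain) [ -n "$shell" ] || { echo "WARN: template shell not set"; rc=1; } ;;
    esac
    return "$rc"
}

# Constructed sample (not from a real host): ads model with no realm in [global].
sample_conf() {
    printf '%s\n' '[Global]' '  Security = ADS' '  workgroup = MYDOMAIN' \
        '  Template Shell = /bin/bash' '[homes]' '  realm = IGNORED.EXAMPLE'
}
```

On a configured host, run check_winbind_security /etc/samba/smb.conf after authconfig --update; a non-zero exit status means at least one finding was printed.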