CentOS 7 Samba Server - Integrate with Windows AD

I am deploying a Samba server on CentOS 7 using winbind. I am joining AD using `net join ads`, but I get the error below. Domain users are, however, able to log in to CentOS.

# NOTE(review): the error below names "ads" as the *domain* to look up, which suggests the
# sub-command order was reversed — Samba's AD join is "net ads join -U Administrator".
# Only the RPC fallback succeeded; an RPC join may not populate the host keytab that
# "dedicated keytab file" in smb.conf relies on. Check with "net ads testjoin" and "klist -k".
# net join ads -U Administrator
Enter Administrator's password:
Failed to join domain: failed to find DC for domain ads - {Operation Failed} The requested operation was unsuccessful.
ADS join did not work, falling back to RPC...
Enter Administrator's password:
Using short domain name -- EXAMPLE
Joined 'FILESERVER' to realm 'example.com'

My requirement: integrate AD users into the CentOS Samba server, so that users managed in Windows AD take effect on the Samba shares in CentOS.

What I have achieved:

  1. AD users are able to log in to CentOS
  2. Able to list AD users and groups (using `wbinfo -u`) in CentOS

What I need to achieve (not achieved yet):

  1. Unable to grant AD groups and users access to the Samba share in CentOS
  2. The Samba share needs to allow Windows groups and authenticate them with their AD password

What error I am getting:

Attempts to log in to the Samba share with AD users from Windows (a machine in the same domain) fail.

My Config:

/etc/samba/smb.conf

[Global]
netbios name = Fileserver
# NOTE(review): the question is about CentOS 7 but the banner says CentOS 8 — cosmetic, but worth aligning.
server string = CentOS 8
workgroup = EXAMPLE
security = ads
realm = EXAMPLE.COM
encrypt passwords = yes
# With security = ads, winbind authenticates via this host keytab. The join transcript above shows the
# ADS join failing and an RPC fallback succeeding; an RPC join may not have written this keytab —
# verify with "net ads testjoin" and "klist -k" before looking at the share settings.
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
#password server = pdc.example.com
#domain master = no
#local master = no
#preferred master = no
# Duplicate of the "kerberos method" line above (same value); keep only one.
kerberos method = secrets and keytab
#password server = example.com
passdb backend = tdbsam
#printcap name = /etc/printcap

# "client signing" is set twice on the next two lines; keep only one.
client signing = auto
client signing = auto
client ntlmv2 auth = yes
# Anonymous access is refused here, which contradicts "guest ok = yes" / "public = yes" in the [test] share below.
restrict anonymous = 2
client use spnego = yes

inherit acls = yes
map acl inherit = yes
acl group control = yes

#works smaba 3.2 and 3.6
#idmap backend = tdbsam
# "idmap uid" / "idmap gid" are the Samba 3 form (as the comment above says); on the Samba 4 shipped with
# CentOS 7 the "idmap config <domain> : range" form below replaces them — testparm will report if they
# are no longer recognised. This range also overlaps "idmap config * : range" below; keep one scheme.
idmap uid = 10000-99999
idmap gid = 10000-99999

# no tld
# Only the default ("*") domain has an idmap backend; there is no "idmap config EXAMPLE : ..." entry
# for the joined domain, so AD users/groups may not map to stable UIDs/GIDs for share ACLs.
# NOTE(review): sssd.conf below also maps AD identities (id_provider = ad, ldap_id_mapping = True);
# two independent ID mappers for the same domain will disagree on UIDs/GIDs unless deliberately aligned.
idmap config * : backend = tdb
idmap config * : range = 10000-20000

wins server = pdc.example.com
wins proxy = no
winbind enum users = yes
winbind enum groups = yes
# use username instead of [email protected]
winbind use default domain = yes
winbind nested groups = yes
# (commented out, so harmless, but the parameter is spelled "winbind refresh tickets")
# winbind refersh tickets = yes
# winbind offline login = true
winbind cache time = 300
winbind separator = +

#Becomes /home/domain/user
#template homedir = /home/%D/%U

# No shell access
# NOTE(review): the line below is truncated — "template" with no parameter name or value; testparm
# should flag it. Presumably "template shell = ..." was intended; confirm and complete it.
template 

# NOTE(review): "%D" expands to the domain name, so this becomes "samba.EXAMPLElog" — confirm "%D.log" was not intended.
log file = /var/log/samba/samba.%Dlog
log level = 2

[test]
        comment = for product support
        # "public" is a synonym of "guest ok"; together with "guest ok = yes" below this admits
        # unauthenticated clients, which defeats the stated goal of AD-authenticated access and
        # contradicts "restrict anonymous = 2" in [Global]. Drop both to require an AD login.
        public = yes
        path = /data/product_support
        # With "winbind use default domain = yes" the AD group "test" is addressed without a domain
        # prefix; check it resolves on the host with "getent group test".
        valid users = @"test"
        force group = "test"
        # "writable = yes" and "read only = no" are synonyms; one is enough.
        writable = yes
        read only = no
        # The 0777 masks allow world-writable files and directories; "force create mode = 0660" is
        # OR-ed into file permissions, so the masks are the upper bound. If only the group should
        # write, 0660 / 0770 masks are the safer choice.
        force create mode = 0660
        create mask = 0777
        directory mask = 0777
        force directory mode = 0777
        access based share enum = yes
        guest ok = yes
        hide unreadable = yes 

/etc/krb5.conf

# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
# [domain_realm] below already maps example.com statically; DNS TXT lookup of the realm is then
# only a fallback (Solution 1 below turns it off).
 dns_lookup_realm = true
 dns_lookup_kdc = true
# ticket_lifetime = 24h
# renew_lifetime = 7d
# forwardable = true
# rdns = false
# pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
# NOTE(review): the libdefaults key that names the default realm is "default_realm"; "default" is not
# that key, so no default realm is configured by this file (Solution 1 below uses "default_realm").
 default = EXAMPLE.COM
# (commented out; the key is spelled "default_ccache_name")
# default_ccache_namo = KEYRING:persistent:%{uid}

[realms]
 EXAMPLE.COM = {
        kdc = 192.168.1.2:88
       #admin_server = 192.168.1.2:749
        default_domain = example.com
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
 

/etc/sssd/sssd.conf


# NOTE(review): this makes sssd a second identity and authentication source for example.com,
# alongside winbind in smb.conf. Samba's share ACLs use winbind's UIDs/GIDs, so the two must agree
# or only one of them should supply IDs (Solution 1 below removes sssd).
[sssd]
domains = example.com
config_file_version = 2
services = nss, pam

[domain/example.com]
ad_domain = example.com
krb5_realm = EXAMPLE.COM
# Tags left by the realm join; "joined-with-samba" records that the join used Samba's tooling.
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
# sssd derives UIDs/GIDs from AD SIDs with its own ranges, independent of the idmap ranges in
# smb.conf — the same AD user can therefore get different IDs from sssd and from winbind.
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
access_provider = ad

What am I missing? Please guide me.



Solution 1:[1]

Try using this [global] section in smb.conf:

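[global]
netbios name = Fileserver
server string = CentOS 8
workgroup = EXAMPLE
security = ads
realm = EXAMPLE.COM
# Host keytab written by "net ads join"; winbind uses it through "kerberos method".
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab

client ntlmv2 auth = yes
# No anonymous access: every share is reached with an AD login.
restrict anonymous = 2

vfs objects = acl_xattr
map acl inherit = Yes

# Two non-overlapping ranges: "*" covers BUILTIN and other well-known SIDs, EXAMPLE covers the
# joined domain with the rid backend (IDs are computed from the RID, so no tdb allocation is
# needed and every host using the same range gets the same IDs).
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config EXAMPLE : backend = rid
idmap config EXAMPLE : range = 10000-99999

# use username instead of [email protected]
winbind use default domain = yes
winbind nested groups = yes
# Spelling fixed: the parameter is "winbind refresh tickets" (Samba reports the misspelt
# name as an unknown parameter and ignores it).
winbind refresh tickets = yes
winbind separator = +

# NOTE(review): "%D" expands to the domain name, so this becomes "samba.EXAMPLElog" — confirm "%D.log" was not intended.
log file = /var/log/samba/samba.%Dlog
log level = 2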

Replace /etc/krb5.conf with this:

# Minimal client config: with no [realms] / [domain_realm] blocks, KDCs are found through DNS SRV
# records (dns_lookup_kdc = true). This presumes the host resolves the domain's SRV records,
# typically by pointing it at the AD DNS servers.
[libdefaults]
 dns_lookup_realm = false
 dns_lookup_kdc = true
 default_realm = EXAMPLE.COM

Remove sssd

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Rowland Penny