AD for authentication with Samba
Thanks to /u/cheerwiner on Reddit. Archiving the post here: https://old.reddit.com/r/debian/comments/jdf7oe/debian_samba_sssd_and_active_directory/
Remove sssd and install other packages for Samba:
sudo apt purge sssd
sudo apt-get install winbind libnss-winbind libpam-winbind libpam-krb5 samba cifs-utils
Edit /etc/krb5.conf:
[libdefaults]
default_realm = HQ.MYCOMPANY.COM
dns_lookup_realm = false
dns_lookup_kdc = true
Edit /etc/samba/smb.conf:
[global]
workgroup = MYCOMPANY
security = ADS
realm = HQ.MYCOMPANY.COM
winbind refresh tickets = Yes
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
idmap config * : backend = autorid
idmap config * : range = 10000-24999999
template shell = /bin/bash
template homedir = /home/%U
[myshare]
path = /opt/blah/myshare/
public = no
writable = yes
guest ok = no
valid users = johndoe,janedoe,administrator
create mask = 0770
directory mask = 0770
read only = no
browseable = yes
inherit permissions = Yes
inherit acls = Yes
inherit owner = Yes
Join the Active Directory domain, changing 'administrator' to the domain admin account you use:
sudo net ads join -U administrator
Edit /etc/nsswitch.conf and add winbind lines to the end of passwd and group:
passwd: files systemd winbind
group: files systemd winbind
Restart all of the Samba services:
sudo systemctl restart smbd nmbd winbind
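A consistency check for the three files edited above, useful before running the join. This is an added example, not part of the original post; the function names conf_get and check_ad_config are hypothetical, and the file paths are passed as arguments so the check can be run against copies.

```shell
#!/bin/sh
# Added example: cross-check krb5.conf, smb.conf and nsswitch.conf.

# Print the trimmed value of the first "KEY = value" line in FILE.
conf_get() {  # conf_get FILE KEY
    awk -F= -v key="$2" '
        { k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k) }
        tolower(k) == tolower(key) {
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit
        }' "$1"
}

# Echo one line per problem found; return 0 only when there are none.
check_ad_config() {  # check_ad_config KRB5_CONF SMB_CONF NSSWITCH_CONF
    problems=0
    krb_realm=$(conf_get "$1" default_realm)
    smb_realm=$(conf_get "$2" realm)
    # Strict string match (a conservative choice): both files should name the same realm.
    if [ -z "$krb_realm" ] || [ "$krb_realm" != "$smb_realm" ]; then
        echo "realm mismatch: krb5='$krb_realm' smb='$smb_realm'"; problems=1
    fi
    case $(conf_get "$2" security | tr 'a-z' 'A-Z') in
        ADS) ;;
        *) echo "smb.conf: security is not ADS"; problems=1 ;;
    esac
    # "public" is a synonym for "guest ok"; either set to yes opens a share to guests.
    if grep -Eiq '^[[:space:]]*(guest ok|public)[[:space:]]*=[[:space:]]*yes' "$2"; then
        echo "smb.conf: a share allows guest access"; problems=1
    fi
    for db in passwd group; do
        grep -Eq "^$db:.*[[:space:]]winbind([[:space:]]|\$)" "$3" || {
            echo "nsswitch.conf: $db lacks winbind"; problems=1; }
    done
    return $problems
}

# Usage: sh check.sh /etc/krb5.conf /etc/samba/smb.conf /etc/nsswitch.conf
if [ $# -eq 3 ]; then check_ad_config "$@"; fi
```
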