DocumentationRelease Notes
Documentation

Samba

Suggest Edits

This section assumes you are a systems administrator who knows how to manage shared files and folders on Linux, Unix, and Windows computers, including configuring the Linux and Unix file servers to run Samba and to comply with your IT security policy.

Instructions on how to set up Samba are beyond the scope of this content.

ℹ️

Note

For information about installing and configuring Samba, see the Samba documentation.

Requirements

The following prerequisites must be in place:

  • Root access to the Linux or Unix file server where you want to run Samba and AD Bridge.
  • AD Bridge 6.0.8330 or later.
  • The Linux or Unix computer must be connected to Active Directory with AD Bridge.
  • Samba 3.6 or later.
  • Samba 4.x support requires AD Bridge 8.5.2 or later.
  • Samba package must support ADS security. AD Bridge relies on ADS security in a Samba and AD Bridge configuration.
  • Samba 4.10 and later, run the following commands:
/opt/pbis/bin/samba-interop-install --uninstall

/opt/pbis/bin/samba-interop-install --install

ℹ️

Note

For more information, see the following:

Install files

AD Bridge includes a tool to install the files necessary to use Samba: /opt/pbis/bin/samba-interop-install –install.

Run the tool with the install option:

  • AD Bridge idmapper plug-in for Winbind replaces Samba's version.
  • libwbclient is replaced with the AD Bridge version.
  • The machine password is synchronized in Active Directory.
  • The AD Bridge version of libwbclient communicates directly with the AD Bridge authentication service, instead of Winbind.

Upgrade

If any of the following occur, then it is recommended to reinstall the samba-interop tool. This is to correct any synchronization that might have been broken.

  • Samba is updated
  • Operating system is updated
  • AD Bridge is upgraded
  • Joining a new domain
  • Rejoining your existing domain

Configure Samba on a Linux or Unix computer

  1. On the Linux or Unix computer that is running Samba, add the following settings to the global section of the Samba configuration file (Typically located at /etc/samba/smb.conf): 
    [global]
security = ADS
workgroup = DEMO
realm = DEMO.COM
machine password timeout = 0

The ADS value for the security setting is required. Replace the values of workgroup and realm with the values for the network. The workgroup is the computer's NetBIOS domain name. The realm is the computer's Active Directory domain.

ℹ️

Note

If the machine password option is not added to the smb.conf and set to 0, Samba will change the machine account password without notifying the AD Bridge authentication service, leaving AD Bridge unable to connect to the domain.

  1. If an alternate hostname is used, then set that hostname as the NetBIOS name: netbios name = CENTOS-TEST.
  2. Create a new section to define a shared resource and constrain access to the Active Directory group pbis_group. Limit write access to pbisadmin: 
    [testshare]
comment = This is a test share
path = /share
valid users = +DEMO\pbis_group
write list = DEMO\pbisadmin
  3. Run the testparm command to make sure smb.conf contains no syntax errors.
  4. Make sure the path exists and permissions for the share are set: 
    mkdir /share
chmod 750 /share
chown DEMO\\pbisadmin:DEMO\\pbis_group /share
  5. Restart Samba: systemctl restart smbd.
  6. Create a dns entry for the Samba server: /opt/pbis/bin/update-dns.

The computer is now ready to access the share from a Windows computer and log on with an Active Directory account.

Home shares

Example

Example of using homes with AD Bridge home directories.

[homes]
   comment = Home Directory of User %U in Domain %D
   path = /home/%D/%U
   browseable = no
   create mask = 640
   directory mask = 0750
   valid users = %U

Debug

To help troubleshoot, turn on Samba logging by adding the following settings to the global section of the Samba configuration file, smb.conf:

[global]
...
#Debugging settings:
log level = 10
debug pid = true
log file = /var/log/samba/smbd.log
max log size = 50 # max 50KB per log file, then rotate

Troubleshoot the Samba integration

  1. Check firewall ports are open for Samba. Make sure that at least the following ports are open for use by Samba:
    • 137/udp: used by nmbd
    • 138/udp: used by nmbd
    • 139/tcp: used by smbd
    • 445/tcp: used by smbd
  2. Check the folder permissions of the share.
  3. Verify that the machine password in secrets.tdb is up to date by running: net ads testjoin. A successful result will look like this: Join is OK.
  4. Test user authentication locally with smbclient: smbclient -L 127.0.0.1 -U DEMO\\pbisadmin.

Net ADS testjoin failed

If there is an issue, manually compare the machine password that is stored in secrets.tdb (location varies across the Linux distributions) with the machine password that is used by AD Bridge.

Use tdbtool to check the machine password in secrets.tdb: 

# cd /var/lib/samba/private/; ls
msg.sock  passdb.tdb  secrets.ldb  secrets.tdb
# tdbtool
tdb> open secrets.tdb
tdb> dump

To list AD Bridge password run: /opt/pbis/bin/lsa ad-get-machine password.

The passwords must match. If they do not, resolve the mismatch by re-running the AD Bridge Samba interop tool. The tool resynchronizes the machine password in secrets.tdb with the machine password AD Bridge set in Active Directory. Samba will need to be restarted for the change to take effect. Make sure machine password timeout = 0 is set to prevent this from occurring.

Authentication failure - NT_STATUS_LOGON_FAILURE

If smbclient returns NT_STATUS_LOGON_FAILURE as in the below results: 

[root@cen73 ~]# smbclient -L 127.0.0.1 -U pbisadminEnter DEMO\pbisadmin's password:session setup failed: NT_STATUS_LOGON_FAILURE

Make sure that the SAM account name exactly matches the first component of the UPN used Samba, as shown in the following examples.

  1. Check the SAM account name by running: 
    [root@cen73 ~]# /opt/pbis/bin/lsa ad-get-machine account | grep SAM
SAM Account Name: CEN1234-SU1AY3B$
  2. Compare the SAM account name with the first component of the UPN used by Samba in the logs: 
    [root@cen73 ~]# tail -f log.smbd | grep kerberos_kinit_password
kerberos_kinit_password [email protected] failed: Client not found in Kerberos database

If the SAM account name and the first component of the UPN do not match, resolve the mismatch by doing the following:

  1. Make sure the host name is 15 characters or less.
  2. Make sure there are no computer accounts in AD that have the same SAM account name but a different DNS suffix.
  3. Leave the domain with --deleteAccount.
  4. Rejoin the domain.
  5. Try smbclient test again.

Fix error code 40022: Failed to refresh machine TGT

If you get an error in the log that looks something like the following entries (the time stamps and the machine name have been removed), you must add the machine password timeout option to the global section of smb.conf and set it to 0 to integrate AD Bridge with Samba: 

lsassd[1722]: 0x7fafc3ff7700:Error:
Failed to refresh machine TGT [Error code: 40022]
lsassd[1722]: 0x7fafc3ff7700:Error:
Failed to refresh machine TGT [Error code: 40022]

ℹ️

Note

If the machine password option is not added to the smb.conf and set to 0, Samba will change the machine account password without notifying the AD Bridge authentication service, leaving AD Bridge unable to connect to the domain.

Updated about 1 month ago

©2003-2025 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.