Talk:Active Directory integration

From ArchWiki

PAM / Kerberos update required

This article was first published on Feb 6th, 2012 based on a previous wiki page called "Arch_Server_and_Active_Directory".

When I follow these instructions, the pam configuration is way different; I end up having to guess that the instructions mean /etc/pam.d/system-auth. Additionally, since the ticket granting ticket expires and winbindd fails to renew it, and since the max lifetime is 7 days anyway, the system basically becomes impossible to log in to after a restart. I end up having to mount the Arch Linux drive in another system, or boot from the install CD, and remove the references to winbind from /etc/nsswitch.conf before I can log into the system again after this happens. Also, testparm complains that idmap uid and idmap gid are deprecated, and that template primary group is an unknown parameter.

Perhaps someone who knows what the hell they're doing with Samba and Kerberos AD integration might want to update this documentation, because I don't know how to fix it, nor can I find any useful documentation in any of my Google searches. (Redscourge (talk) 20:42, 8 March 2013 (UTC))

I have found a forum post about this issue, located here: Also, that was not enough by itself; I have made a few changes to my system-login to get sound and graphics (among other things) working (which you can find here:). By using the "idmap config * : range = 10000-33554431" syntax, or "idmap config DOMAIN : range = 10000-33554431" to control each domain, you can resolve the idmap uid/gid deprecated messages. I'm still stuck on offline logins though. If you follow the instructions, you won't be able to log in without a working AD connection. --Queljin (talk) 15:56, 15 May 2013 (UTC)

ADS client integration

The following thread points to some required updates to install / configure an Arch system as an ADS client. I can't add to it; noting it for reference here. --Indigo (talk) 08:07, 22 August 2014 (UTC)

Looking over that thread, immediately the suggestion to add the DC to the hosts file is not necessary, and is probably bad practice as well (the IP might change, it really shouldn't but we live in the real world, and networks grow and change). DNS should handle this. The Arch installation guide covers the entry in the /etc/hosts file.

User:Agartner removed mentions of with [1] without a reason in the edit summary. Since this violates ArchWiki:Contributing#Always_properly_use_the_edit_summary I'm reporting the edit here in case somebody had something to object. — Kynikos (talk) 11:04, 28 April 2015 (UTC)

My apologies, this was my first contribution. I just set up Active Directory Integration, and it appears that is no longer needed. The functionality is handled by smb and winbind (as defined in pam_winbind.conf and smb.conf) --Agartner (talk) 05:42, 29 April 2015 (UTC)
Fixed a long time ago.

A couple of notes on content

No major changes (yet), just a few notes about style, technical accuracy, modernization to see what others think (on parts that don't affect me directly, unfortunately).

Updating the GPO: As of Samba4, this should probably be removed (I think). This was definitely necessary in S3, do we still support/care for S3? Can somebody confirm or deny the need for S4?

Updating DNS: There is no guarantee that the DNS servers are a domain controller, or even a windows server for that matter. Perhaps "Active Directory domain controllers" could be replaced by "internal DNS servers. In many small networks, these will be the domain controllers."?

Kerberos: PDC and BDC are old terms that should have died 15 years ago for Windows admins, and at release of Samba4 for us, but live on (and on, and on, and...). There are five FSMO roles now, four of which can be duplicated any number of times. A generic server1 and server2 would be good IMO. Also, the "Let us assume" part is an odd read for me, especially in a technical document. If a scenario is necessary, it should probably be covered in the introduction (unless the scenario must be built inline, and even then, an overview should be provided in the introduction). Finally, does Samba no longer create its own krb5.conf in /var/lib/samba/private/? I'm only looking from the ADDC POV right now, so I don't know. I'll set up a Samba client at some point before making any edits.

Creating a Kerberos Ticket: Rename "Requesting a Kerberos ticket". Also, there are other title capitalization errors elsewhere (including the title of the article), but the important part was creating vs requesting.

Finally, the general flow of the article could use some work. It feels a little piecemeal to me as you continue further into the additional sections not yet mentioned (probably due to it having major edits by 15 or so users over the past few years).

Objections to any of the above? DJ L (talk) 17:07, 6 June 2015 (UTC)

Issues with shares config

Ran into an issue configuring shares today. In /etc/samba/smbd.conf, valid users = ... seems to be invalid now. Instead, using users = ... works. Morganskier (talk) 22:55, 4 July 2016 (UTC)

Also ran into an issue configuring shares. On a network with a Windows Server 2016 ADDC and a bunch of Arch domain computers, creating a share from an Arch host as per the wiki page and accessing it from the ADDC fails with Access Denied. Didn't try using users = ..., but followed the instructions here with success. Not sure if this should be added (or if what I did is even a good idea), can anyone advise? Hmakale (talk) 00:50, 1 February 2020 (UTC)

GLOBAL section

In Samba 4.5.1 it is not possible to combine

 security = ads
 password server =

"WARNING: The setting 'security=ads' should NOT be combined with the 'password server' parameter. (by default Samba will discover the correct DC to contact automatically)."

Addressed on 2020-05-10 DJ L (talk) 07:26, 10 May 2020 (UTC)

idmap config rid backend

In Samba 4.6+, the idmap backend of rid for the wildcard domain appears to be deprecated. (See [2]). The following error was shown via journalctl:

    winbindd[3868]:   main: FATAL: Invalid idmap backend rid configured as the default backend!

I was able to get the following to work with a basic WS2012R2 Active Directory setup (Source: [3]). Obviously replacing '<DOMAIN NAME>' with an all-caps domain name.

    idmap config <DOMAIN NAME> : backend = rid
    idmap config <DOMAIN NAME> : range = 10000-20000
    idmap config * : range = 10000-20000

D4rkeagle6591 (talk) 19:15, 10 June 2017 (UTC)
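A small smb.conf sanity check, added here as an example and not part of the wiki page or of Samba itself: it scans the [global] section for the settings reported in this thread and in the GLOBAL section above as rejected or deprecated (security = ads combined with password server, the old idmap uid / idmap gid / template primary group parameters, and the rid backend on the wildcard domain). Both config fragments and the EXAMPLE domain are constructed placeholders, not taken from any real host.

```python
import re

# Constructed [global] fragment (not from any real host) combining the settings
# this talk page reports Samba rejecting or deprecating.
BROKEN_GLOBAL = """
[global]
    security = ads
    password server = dc1.example.local
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    template primary group = "Domain Users"
    idmap config * : backend = rid
    idmap config * : range = 10000-20000
"""
# Same fragment rewritten as the replies suggest (EXAMPLE is a placeholder domain).
FIXED_GLOBAL = """
[global]
    security = ads
    idmap config * : range = 10000-20000
    idmap config EXAMPLE : backend = rid
    idmap config EXAMPLE : range = 10000-20000
"""
DEPRECATED = ("idmap uid", "idmap gid", "template primary group")
BACKEND_RE = re.compile(r"^idmap config (\S+) : backend$")

def parse_global(text):
    """Return [global] parameters as {key: value}; keys lower-cased, as Samba matches them."""
    m = re.search(r"^\s*\[global\][ \t]*\n(.*?)(?=^\s*\[|\Z)", text, re.S | re.M)
    params = {}
    for line in (m.group(1) if m else "").splitlines():
        if "=" in line and not line.lstrip().startswith(("#", ";")):
            key, value = line.split("=", 1)
            # Collapse whitespace and normalise "DOMAIN:backend" to "DOMAIN : backend".
            key = re.sub(r"\s*:\s*", " : ", re.sub(r"\s+", " ", key.strip().lower()))
            params[key] = value.strip()
    return params

def lint_global(text):
    """Return the problems this talk page describes, in a fixed order."""
    p = parse_global(text)
    findings = []
    if p.get("security", "").lower() == "ads" and "password server" in p:
        findings.append("security=ads must not be combined with password server")
    findings += [f"'{k}' is deprecated; use idmap config instead" for k in DEPRECATED if k in p]
    for key, value in p.items():
        hit = BACKEND_RE.match(key)
        if hit and value.lower() == "rid" and hit.group(1) == "*":
            findings.append("rid backend is invalid for the wildcard domain '*'")
    return findings
```

Run it against the real file with `lint_global(open("/etc/samba/smb.conf").read())`; an empty list means none of the patterns discussed here are present.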

Addressed on 2020-05-10. DJ L (talk) 07:29, 10 May 2020 (UTC)

Wireless WPA-EAP Machine Authentication

I did a small write-up on how to join a Cisco Wi-Fi network with machine auth against AD. I'm not good at writing :) Feel free to fix and integrate the content. User:B2ag/Active Directory Integration/WPA-EPA-machine-auth

B2ag (talk) 22:38, 9 October 2019 (UTC)