After days of configuration and research, I couldn’t find a single source that covered everything needed for this setup end to end. My job requires centralized SSSD across all Linux servers, so here’s what I got working on both RHEL 8 and OpenSUSE 15.6.
The stack: Samba for SMB/CIFS, SSSD for AD integration, Kerberos for authentication, and realmd for domain join.
What you need before starting: DNS resolving your domain controllers, NTP/Chrony running and synced, an account delegated the right to create and join computer objects in the target OU (Domain Admins membership is not required for a join and should not be used for it), and the following info on hand — domain name (company.com) and the DC hostnames (dc1.company.com, dc2.company.com — both are referenced in the chrony configuration below).
Step 1: Package Installation
RHEL/CentOS/Rocky Linux
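# RHEL 8 / CentOS / Rocky: AD client stack (realmd/sssd/adcli), Kerberos client,
# Samba server + client tools, and semanage (policycoreutils-python-utils) for
# the SELinux file-context work done when the shares are created.
sudo dnf install -y realmd sssd oddjob oddjob-mkhomedir adcli \
  samba-common-tools krb5-workstation chrony samba samba-client \
  cifs-utils policycoreutils-python-utils

# Time sync must be working before any Kerberos step (5-minute clock-skew limit).
sudo systemctl enable --now chronyd

# oddjob-mkhomedir only creates home directories if oddjobd is running and the
# PAM stack includes pam_oddjob_mkhomedir (authselect "with-mkhomedir") — confirm
# after the join.
sudo systemctl enable --now oddjobd

# NOTE(review): sssd exits immediately when /etc/sssd/sssd.conf has no domain
# configured, so a start failure here is expected at this point; `realm join`
# (Step 4) writes the config and enables/starts sssd itself.
sudo systemctl enable --now sssd
Ubuntu/Debian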
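# Ubuntu/Debian equivalents. Package names differ from RHEL: the client tools are
# "smbclient" (there is no "samba-client" package), net/testparm come from
# samba-common-bin, and kinit from krb5-user. policycoreutils-python-utils is only
# useful if SELinux is enabled; Debian/Ubuntu default to AppArmor, so it can be
# dropped there.
sudo apt update
sudo apt install -y realmd sssd sssd-tools libnss-sss libpam-sss \
  adcli samba-common-bin krb5-user chrony samba smbclient \
  cifs-utils policycoreutils-python-utils

# The chrony unit is named "chrony" on Debian-family systems (not chronyd).
sudo systemctl enable --now chrony

# NOTE(review): as on RHEL, sssd will not stay up without a configured domain;
# `realm join` (Step 4) takes care of enabling and starting it.
sudo systemctl enable --now sssd
Step 2: DNS and Time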
/etc/resolv.conf (on RHEL 8 NetworkManager regenerates this file — set the DNS servers and search domain on the connection profile with nmcli so the change survives a restart)
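# Both resolvers must be the AD DNS servers (normally the domain controllers).
# A non-AD resolver here cannot answer the _ldap/_kerberos SRV queries that
# realmd, sssd and the Kerberos library rely on.
nameserver 192.168.1.10
nameserver 192.168.1.11
# "search" and "domain" are mutually exclusive in resolv.conf (the last one wins),
# so a single "search" line is sufficient and also covers short-name lookups.
search company.com
Verify: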
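# Forward lookup of the domain (answers with DC addresses) and the SRV records
# realmd/sssd use to locate LDAP and the KDCs. An empty ANSWER section for the SRV
# queries means the resolvers above are not the AD DNS servers.
dig company.com
dig _ldap._tcp.company.com SRV
dig _kerberos._tcp.company.com SRV
/etc/chrony.conf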
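# /etc/chrony.conf — sync from the domain controllers so the clock stays within
# the 5-minute skew Kerberos tolerates. Remove or comment out the distribution's
# default "pool ..." lines so the DCs are the only time sources.
server dc1.company.com iburst prefer
server dc2.company.com iburst

sudo systemctl restart chronyd
# The client binary is chronyc — "chrony sources" is not a command.
chronyc sources -v
timedatectl status
Step 3: Kerberos Configuration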
/etc/krb5.conf
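# /etc/krb5.conf — Kerberos client configuration for the COMPANY.COM realm.
[libdefaults]
    default_realm = COMPANY.COM
    # Locate KDCs through the AD _kerberos._tcp SRV records. MIT only consults DNS
    # for a realm that has no explicit "kdc =" entries in [realms], so the realm
    # block below must stay free of hard-coded KDCs for this to take effect.
    dns_lookup_kdc = true
    dns_lookup_realm = false
    # AD service principals do not follow reverse DNS; never canonicalize via PTR.
    rdns = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    # NOTE(review): forwardable TGTs are handed to any host you connect to with
    # credential delegation enabled (e.g. ssh GSSAPIDelegateCredentials), so a
    # compromised server can reuse them as you. This is the distro default; set it
    # to false on hosts that do not need delegation.
    forwardable = true
    # Try TCP first (AD tickets carry a PAC and routinely exceed UDP sizes).
    udp_preference_limit = 0

[realms]
    COMPANY.COM = {
        # Listing a single KDC here disables SRV discovery for the realm and makes
        # dc1 a single point of failure for every login. Either list every DC or
        # leave these out and rely on dns_lookup_kdc (done here).
        # kdc = dc1.company.com
        # admin_server = dc1.company.com
        default_domain = company.com
    }

[domain_realm]
    .company.com = COMPANY.COM
    company.com = COMPANY.COM

[logging]
    # The kdc/admin_server entries only matter on a KDC; on a member server only
    # "default" is used. Harmless, kept for reference.
    kdc = FILE:/var/log/krb5/krb5kdc.log
    admin_server = FILE:/var/log/krb5/kadmind.log
    default = SYSLOG:NOTICE:DAEMON
Test it: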
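# Obtain a TGT, inspect it, then discard it. Use the delegated join account rather
# than Domain Administrator: nothing in this setup needs domain-admin rights, and
# the ticket sits in this host's credential cache for as long as it exists.
kinit "${JOIN_USER:-administrator}@COMPANY.COM"
# -e shows the encryption types; expect aes256-cts-hmac-sha1-96, not rc4-hmac.
klist -e
kdestroy
Step 4: Domain Join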
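# Show what realmd found via DNS (client/membership software it would use, and
# any missing packages) before committing to the join.
sudo realm discover company.com

# Join with sssd as the client and Samba as the membership software. realmd
# prompts for the password — never pass it on the command line (it would land in
# shell history and be visible in `ps`). With --membership-software=samba this
# already performs the Samba-side `net ads join`; do not repeat that join later,
# because every join resets the machine account password and rewrites
# /etc/krb5.keytab. Add --computer-ou="OU=Linux,DC=company,DC=com" to place the
# computer object where the delegated account has rights.
sudo realm join company.com -U "${JOIN_USER:-administrator}" \
  --client-software=sssd \
  --membership-software=samba

sudo realm list
# Confirms the machine account password in Samba's secrets.tdb works against a DC.
sudo net ads testjoin
Step 5: SSSD Configuration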
/etc/sssd/sssd.conf
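# /etc/sssd/sssd.conf — identity and authentication from AD. The file must be
# owned by root and mode 0600, otherwise sssd refuses to start.
[sssd]
config_file_version = 2
services = nss, pam
domains = company.com
# Local /etc/passwd users are served by the implicit files domain this creates.
# An explicit [domain/local] with id_provider = files is redundant — and it would
# be inactive anyway unless listed in "domains =". The files provider is also
# deprecated in recent sssd releases; TODO confirm against your sssd version.
enable_files_domain = true
# cache_first is an [sssd]-section option (answer from cache before asking the
# provider); it has no effect inside a [domain/...] section.
cache_first = True

[domain/company.com]
ad_domain = company.com
krb5_realm = COMPANY.COM
realmd_tags = manages-system joined-with-samba
id_provider = ad
# sssd rotates the machine account password and also updates Samba's copy in
# secrets.tdb. Do not additionally rotate it from cron with `net ads changetrustpw`
# — two independent rotators are confusing at best and can race.
ad_update_samba_machine_account_password = True

# Offline login: caches a hash of the last successful password and keeps the
# password in the kernel keyring for ticket renewal. On servers that are always
# on the network set both to False — a stolen cache is offline-crackable, and a
# disabled AD account can still log in from cache until the entry expires.
cache_credentials = True
krb5_store_password_if_offline = True

# Short names (user rather than user@company.com); full_name_format only applies
# when sssd emits qualified names.
full_name_format = %3$s\%1$s
use_fully_qualified_names = False
fallback_homedir = /home/%u
default_shell = /bin/bash

# Use the uidNumber/gidNumber stored in AD so UIDs are identical on every server.
# Every user and group that must resolve MUST carry these attributes, or sssd
# will not return it at all; the values must also lie inside the COMPANY idmap
# range configured in smb.conf or Samba will reject them.
ldap_id_mapping = False

# "simple" only checks membership in the lists below. Unlike access_provider = ad
# it does not evaluate GPO logon rights or ad_access_filter; account disabled /
# expired is still enforced by the KDC at online authentication time.
access_provider = simple
simple_allow_groups = linuxadmins@company.com, itstaff@company.com
simple_allow_users = testuser@company.com

# Enumeration (getent passwd with no name) pulls the whole directory; keep it off.
enumerate = False

# Ownership and mode are enforced by sssd; restart to pick up the new config.
sudo chown root:root /etc/sssd/sssd.conf
sudo chmod 600 /etc/sssd/sssd.conf
sudo systemctl restart sssd
sudo systemctl enable sssd
Step 6: NSS Configuration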
/etc/nsswitch.conf
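# /etc/nsswitch.conf — identity lookups: local files first, then sssd.
# winbind is not needed as an NSS source here: users and groups come from sssd
# (smbd's ID mapping uses the sss idmap backend), and a second source for the
# same names risks returning a different UID/GID. On RHEL 8 this file is managed
# by authselect (`authselect select sssd with-mkhomedir`); hand edits are
# overwritten the next time authselect runs.
passwd:   files sss
group:    files sss
shadow:   files sss
netgroup: sss files
Step 7: Samba Configuration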
/etc/samba/smb.conf
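# /etc/samba/smb.conf — AD member file server; identities and ID mapping come
# from sssd, winbind is only the bridge smbd uses to reach them.
[global]
    realm = COMPANY.COM
    workgroup = COMPANY
    security = ads

    # Authenticate with the machine account secret and the host keytab that
    # realmd/adcli maintain (shared with sssd).
    kerberos method = secrets and keytab
    dedicated keytab file = /etc/krb5.keytab

    log file = /var/log/samba/log.%m
    log level = 2

    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes

    template homedir = /home/%U
    template shell = /bin/bash

    # Non-domain SIDs (BUILTIN, local) get IDs allocated from tdb. Domain users
    # and groups take the uidNumber/gidNumber sssd resolves (idmap_sss — on RHEL
    # this module ships in the sssd-winbind-idmap package; confirm it is
    # installed). AD IDs outside the COMPANY range are rejected, so the range
    # must cover what is actually assigned in AD.
    idmap config * : backend = tdb
    idmap config * : range = 10000-199999
    idmap config COMPANY : backend = sss
    idmap config COMPANY : range = 200000-2147483647

    # Refuse unsigned SMB sessions (blocks relay and in-flight tampering).
    # Consider also "server min protocol = SMB3_00" and "smb encrypt = desired"
    # once every client supports SMB3.
    client signing = mandatory
    server signing = mandatory

    socket options = TCP_NODELAY IPTOS_LOWDELAY

[shared]
    path = /srv/shared
    read only = no
    browsable = yes
    valid users = @linuxadmins@company.com, @itstaff@company.com
    # NOTE(review): force group makes files written by itstaff members
    # group-owned by linuxadmins too — fine for a shared drop area, but confirm
    # that is intended.
    force group = linuxadmins
    create mask = 0664
    directory mask = 0775

[data]
    path = /srv/data
    read only = no
    browsable = yes
    valid users = @dataaccess@company.com
    force group = dataaccess
    create mask = 0660
    directory mask = 0770

[homes]
    comment = Home Directories
    browsable = no
    read only = no
    # Restrict each home share to its owner. Without this any authenticated user
    # can connect to \\server\otheruser and is stopped only by filesystem
    # permissions; %S expands to the share name, which for [homes] is the user.
    valid users = %S
    create mask = 0700
    directory mask = 0700
Create share directories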
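# Share roots. The group names resolve through sssd, so run this only after the
# join has been verified (getent group linuxadmins must succeed first).
sudo mkdir -p /srv/shared /srv/data
sudo chgrp linuxadmins /srv/shared
sudo chmod 775 /srv/shared
sudo chgrp dataaccess /srv/data
sudo chmod 770 /srv/data

# SELinux (RHEL/CentOS): label the share roots so smbd may export them.
# Do NOT also enable samba_export_all_ro / samba_export_all_rw. Those booleans let
# smbd read (and write) every file on the system regardless of label, which makes
# the per-share labelling below meaningless and turns any share misconfiguration
# into a whole-filesystem exposure.
sudo semanage fcontext -a -t samba_share_t "/srv/shared(/.*)?"
sudo semanage fcontext -a -t samba_share_t "/srv/data(/.*)?"
sudo restorecon -Rv /srv/shared /srv/data
Step 8: Join Samba to Domain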
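# `realm join --membership-software=samba` (Step 4) already joined Samba, so only
# re-join if the trust check fails. Every join resets the machine account password
# and rewrites /etc/krb5.keytab, so an unnecessary re-join can briefly break sssd.
sudo net ads testjoin || sudo net ads join -U "${JOIN_USER:-administrator}"
sudo net ads testjoin   # Should return: Join is OK

# Verify user/group lookup through sssd (must work before chgrp on the shares).
getent passwd testuser@company.com
id testuser@company.com
getent group linuxadmins@company.com
Step 9: Start Services and Test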
# winbind must run even though identities come from sssd: smbd asks winbind for
# SID<->ID mapping, and winbind in turn uses the idmap_sss backend.
sudo systemctl enable --now smb winbind
sudo systemctl status smb winbind

# List shares. This path prompts for a password (NTLM or Kerberos, negotiated).
# To prove the Kerberos path specifically, `kinit testuser@COMPANY.COM` first,
# add -k, and connect to the host's FQDN rather than localhost — the SPN in the
# ticket must match the name you connect to.
sudo smbclient -L localhost -U testuser@company.com

# Test share access
sudo smbclient //localhost/shared -U testuser@company.com
From a Windows client: \\linux-server\shared
Step 10: Troubleshooting
Cache
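# Drop every sssd cache entry and restart so the next lookup goes to AD.
sudo sss_cache -E
sudo systemctl restart sssd

# Flush Samba's in-memory/gencache entries (does not touch the persistent tdbs).
sudo net cache flush

# If TDB corruption is suspected: check first, and move rather than delete.
# /var/lib/samba/*.tdb includes winbindd_idmap.tdb (the IDs allocated for the "*"
# range — losing it can change ownership of existing files), share_info.tdb
# (share ACLs) and registry.tdb; a blanket `rm -f` throws all of them away.
sudo systemctl stop smb winbind
for tdb in /var/lib/samba/*.tdb; do
  printf '%s: ' "$tdb"
  sudo tdbtool "$tdb" check
done
backup_dir="/var/backups/samba-tdb-$(date +%Y%m%d%H%M%S)"
sudo mkdir -p "$backup_dir"
# Move only the databases the check above reported as corrupt, e.g.:
#   sudo mv /var/lib/samba/gencache.tdb "$backup_dir"/
sudo systemctl start winbind smb
Logs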
# Per-domain sssd log, and the main smbd log (per-client logs are log.<client>,
# from "log file = /var/log/samba/log.%m").
sudo tail -f /var/log/sssd/sssd_company.com.log
sudo tail -f /var/log/samba/log.smbd
For deeper SSSD debugging, add debug_level = 9 in the [domain/company.com] section and restart sssd. Revert it once you have what you need: level 9 is extremely verbose and fills the log quickly.
AD Connectivity and Auth
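# Which DC we are talking to, its time, and LDAP/KDC details.
sudo net ads info
# Look a user up directly in AD (bypasses the sssd cache). `net ads lookup` is a
# CLDAP ping of the DC and ignores a user argument; `net ads user info` is the
# per-user query.
sudo net ads user info testuser
sudo net ads group info "linuxadmins"
# Principals in the host keytab; typically host/ and cifs/ entries for this machine.
klist -k /etc/krb5.keytab

# Winbind checks
sudo wbinfo -t   # trust secret — the machine account password still works
sudo wbinfo -u   # list users
sudo wbinfo -g   # list groups

# Active connections
sudo smbstatus
Common Errors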
NT_STATUS_ACCESS_DENIED:
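# NT_STATUS_ACCESS_DENIED: confirm the user resolves and is in the share's groups,
# that the config parses, and that the directory carries samba_share_t.
id username@company.com
sudo testparm -s
ls -Z /srv/shared
Users not resolving:
# Purge caches, restart both daemons, then retry the lookup.
sudo sss_cache -E
sudo systemctl restart sssd winbind
getent passwd username@company.com
Authentication failures:
# Missing ticket or clock skew are the usual causes. The time check uses chronyc
# (the chrony client binary); testjoin confirms the machine account still works.
klist
kinit username@COMPANY.COM
chronyc sources -v
sudo net ads testjoin
Firewall and SELinux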
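# Modern clients need only 445/tcp (SMB2/3). The firewalld "samba" service also
# opens 137-138/udp and 139/tcp (NetBIOS), which only legacy clients use, so the
# explicit port rules in combination with it were redundant. Open 445 alone, and
# preferably only in the zone your clients live in (add --zone=internal).
sudo firewall-cmd --permanent --add-port=445/tcp
sudo firewall-cmd --reload

# SELinux booleans (RHEL/CentOS)
# samba_enable_home_dirs is what the [homes] share needs.
sudo setsebool -P samba_enable_home_dirs=on
# NOTE(review): samba_domain_controller applies to a Samba *AD DC*, not a member
# server, and use_samba_home_dirs is for mounting remote Samba shares as local
# home directories; neither grants anything this setup uses, so leave both off.
Maintenance Script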
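# Install the maintenance script (root-owned; 750 so only root can read/run it).
sudo tee /usr/local/bin/samba-maintenance.sh >/dev/null <<'EOF'
#!/usr/bin/env bash
# Weekly Samba/AD-membership maintenance: back up the tdb databases, refresh the
# machine account password and sssd cache, then verify the join still works.
# Intended to run as root from cron.
set -euo pipefail

log() { printf '%s %s\n' "$(date '+%F %T')" "$*"; }

backup_dir="/var/backups/samba-tdb/$(date +%F)"
mkdir -p "$backup_dir"

# tdbbackup is safe on live databases (it takes the tdb lock). private/ is
# included so secrets.tdb — the machine account password — is covered too.
for tdb in /var/lib/samba/*.tdb /var/lib/samba/private/*.tdb; do
  [[ -e "$tdb" ]] || continue
  tdbbackup -s .bak "$tdb"
  cp -p -- "${tdb}.bak" "$backup_dir/"
done

# NOTE(review): sssd already rotates the machine account password
# (ad_update_samba_machine_account_password = True in sssd.conf). Keep only one
# rotator — either drop this line or set that sssd option to False.
net ads changetrustpw

# Full sssd cache purge: forces every lookup back to AD until the cache refills.
# Only needed if stale entries are a recurring problem.
sss_cache -E

net ads testjoin || { log "ERROR: net ads testjoin failed"; exit 1; }
log "Maintenance completed"
EOF
sudo chmod 750 /usr/local/bin/samba-maintenance.sh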
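# Weekly, Sunday 02:00. Use a drop-in under /etc/cron.d (which carries a user
# field) instead of piping into `crontab -`: that form REPLACES root's entire
# crontab, silently deleting every existing entry.
printf '%s\n' \
  'SHELL=/bin/bash' \
  'PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' \
  '0 2 * * 0 root /usr/local/bin/samba-maintenance.sh >> /var/log/samba-maintenance.log 2>&1' \
  | sudo tee /etc/cron.d/samba-maintenance >/dev/null
sudo chmod 644 /etc/cron.d/samba-maintenance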