Rocky 9 AD Join & AD Authentication on Win Svr SMB Shares

Hi All,
I don’t know, but I hope this is the right section.
I’ve spent a lot of time working to integrate Rocky into an Active Directory authenticated environment; indeed, getting this working is probably the only hope we have to legitimately run some of the dev teams’ first choice in production.

I have the AD join working perfectly; I can assign AD user and group permissions on Rocky folders.

It is also the first time I’ve actually successfully seen the correct UID and GID come from Active Directory.
I also have MFA for SSH users via a RADIUS proxy; the users are also working and correctly logged in.

The problem now is that I’d like the users to be able to view the correct SMB shares on Windows file servers using their AD credentials, but authenticated ON Rocky.

Are there any suggestions for the correct smb.conf file to make this work correctly?

I don’t think you’ll need to do any samba configuration at all for this.

In my own setup with SSSD, the only things I had to add to get smb share access working were kerberos related. I install the package krb5-workstation and also set default_ccache_name = FILE:/tmp/krb5cc_%{uid} in /etc/krb5.conf.

(The default value of default_ccache_name didn’t work for me in Rocky 8 – not sure if I’ve ever tested it in Rocky 9.)


Thanks, I’ll try this Monday AM… I have a feeling I’ve made a slight misconfiguration even though AD is working fine… in krb, that is…

Hi Linde,

Is there any specific setting you can recommend for smb.conf that will automatically authenticate with AD users’ credentials when accessing Windows SMB shares from AD-joined Rocky machines?

I am not sure I have this right…

workgroup = DOMAIN
realm = domainname.local
security = ADS
kerberos method = secrets and keytab

There doesn’t seem to be definitive documentation on AD-joined machines accessing AD-authenticated SMB shares; if there is, I am missing it :)

Your smb.conf settings look equivalent to the ones I have in my last winbind-based setup, but I’m almost entirely on SSSD these days.

Just like the original poster, I think you need to be looking at kerberos instead of samba. (Especially if the output from the realm list command shows client-software: sssd instead of client-software: winbind.)

When you log into a domain-joined Windows system, it’s kerberos tickets that the system uses to authenticate you to network shares without providing your password again. The same applies on Linux with either SSSD or winbind.

After you log into Linux with an AD account, use the klist command to see if you have a valid ticket granting ticket.

Whenever I have found share access not working without a password prompt, it has been either from not having a valid ticket or from something being unable to access the ticket.
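The checks the two replies above describe (the default_ccache_name setting in /etc/krb5.conf, the client-software line from realm list, and a valid TGT in klist) can be scripted. The following is an added example and is not code from the thread or from any of the posters; it inspects the text output of those commands rather than the live system, so it runs offline on constructed samples, and takes "--live REALM" to query the real realm list, /etc/krb5.conf and klist on a host. The realm DOMAINNAME.LOCAL, the host names and the sample command output are constructed for illustration; the function names are my own.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): sanity checks for the Kerberos side of
# SMB access from an AD-joined Rocky host. It reports which client software
# realmd uses (sssd vs winbind), what default_ccache_name is set to in
# krb5.conf, which cache type klist is actually reading, and whether the
# current user's cache holds an unexpired TGT for the realm.
# All names and sample output below are constructed for illustration.
set -u

# Print the value of "client-software:" from `realm list` output read on stdin.
realm_client_software() {
    awk -F': *' '/^[[:space:]]*client-software:/ { print $2; exit }'
}

# Print default_ccache_name from the [libdefaults] section of a krb5.conf read
# on stdin; print nothing if it is absent (the library default then applies).
krb5_default_ccache() {
    awk '
        /^[[:space:]]*\[/ { in_libdefaults = ($0 ~ /\[libdefaults\]/); next }
        in_libdefaults && /^[[:space:]]*default_ccache_name[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); print; exit
        }'
}

# Print the cache type (FILE, KEYRING, KCM, ...) named on the "Ticket cache:"
# line of klist output read on stdin.
klist_ccache_type() {
    awk '/^Ticket cache:/ { sub(/^Ticket cache: */, ""); split($0, t, ":"); print t[1]; exit }'
}

# Return 0 when klist output on stdin lists a krbtgt/REALM@REALM ticket whose
# expiry lies after "now". $1 = realm, $2 = now as YYYYMMDDhhmmss (default: the
# current time). MIT klist prints each ticket as
#   start-date start-time expiry-date expiry-time service-principal
# with MM/DD/YYYY dates in the en_US locale (two-digit years in older
# releases), so the expiry is normalised to a 14-digit key and compared
# numerically instead of relying on date(1) to parse it.
has_valid_tgt() {
    local realm=$1 now=${2:-$(date +%Y%m%d%H%M%S)}
    local expires d t mm dd yyyy rest key
    expires=$(awk -v svc="krbtgt/${realm}@${realm}" '$5 == svc { print $3 " " $4; exit }')
    [ -n "$expires" ] || return 1            # no TGT for this realm at all
    d=${expires%% *}; t=${expires##* }
    mm=${d%%/*}; rest=${d#*/}; dd=${rest%%/*}; yyyy=${rest##*/}
    [ ${#yyyy} -eq 2 ] && yyyy="20$yyyy"
    key="${yyyy}${mm}${dd}$(printf '%s' "$t" | tr -d :)"
    [ "$key" -gt "$now" ]
}

# $1 = realm, $2 = realm-list text, $3 = krb5.conf text, $4 = klist text,
# $5 = optional "now" for has_valid_tgt. Returns 1 when no usable TGT exists.
run_checks() {
    local realm=$1 realm_out=$2 conf=$3 klist_out=$4 now=${5:-} sw cfg typ
    sw=$(printf '%s\n' "$realm_out" | realm_client_software)
    cfg=$(printf '%s\n' "$conf" | krb5_default_ccache)
    typ=$(printf '%s\n' "$klist_out" | klist_ccache_type)
    echo "client-software:     ${sw:-unknown}"
    echo "default_ccache_name: ${cfg:-(library default)}"
    echo "cache klist reads:   ${typ:-(no cache found)}"
    if printf '%s\n' "$klist_out" | has_valid_tgt "$realm" $now; then
        echo "TGT for $realm: valid"
    else
        echo "TGT for $realm: missing or expired; log in again or run kinit, then retry the share"
        return 1
    fi
}

# Constructed sample output, shaped like the commands on an SSSD-joined host.
SAMPLE_REALM_LIST='domainname.local
  type: kerberos
  realm-name: DOMAINNAME.LOCAL
  domain-name: domainname.local
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd'

SAMPLE_KRB5_CONF='[libdefaults]
    default_realm = DOMAINNAME.LOCAL
    default_ccache_name = FILE:/tmp/krb5cc_%{uid}

[realms]
    DOMAINNAME.LOCAL = {
        kdc = dc1.domainname.local
    }'

SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: jdoe@DOMAINNAME.LOCAL

Valid starting       Expires              Service principal
05/13/2024 09:00:01  05/13/2024 19:00:01  krbtgt/DOMAINNAME.LOCAL@DOMAINNAME.LOCAL
	renew until 05/20/2024 09:00:01'

if [ "${1:-}" = "--live" ]; then
    run_checks "${2:?usage: $0 --live REALM}" "$(realm list 2>/dev/null)" \
        "$(cat /etc/krb5.conf)" "$(klist 2>/dev/null)"
else
    # The sample ticket is dated 2024, so "now" is pinned inside its lifetime.
    run_checks DOMAINNAME.LOCAL "$SAMPLE_REALM_LIST" "$SAMPLE_KRB5_CONF" "$SAMPLE_KLIST" 20240513100000
fi
```

If the script reports a valid TGT but the share still prompts for a password, the remaining suspect is the second case named above: something that cannot read the cache. Comparing the "default_ccache_name" and "cache klist reads" lines is the quickest way to spot a mismatch between the cache the login process wrote and the one the SMB client looks for.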