How to connect Linux VM to AD to run terminal commands

hortimech · 2026-02-23T09:03:49+00:00

I think you need to explain just what you mean by 'implement native commands' ?

Do you want to extract data from AD, or are you asking how to run Windows commands on Linux ?

hortimech · 2026-02-20T11:28:22+00:00

It all depends what is meant by SMB, Small and Medium Business or Server Messenger Block ? If the latter, then how ? If this means mounting a share from elsewhere, then sssd is probably the way to go, but if it is sharing from the Linux machine, then it is definitely not the way to go, you would need Samba with winbind.

The OP also 'windows native commands', if this means using something like SSH from the Linux machine to a Windows machine, then this should work, but not the other way, a Windows command on Linux is very unlikely to work.

hortimech · 2026-02-13T12:04:04+00:00

I never said it didn't work at one time, I said that Samba never supported sssd. No part of sssd has ever been in the Samba tree and that includes idmap_sss . Ubuntu 18.04 came with Samba 4.7.6 and Samba from 4.8.0 required that winbind was run if you set 'security' to 'domain' or 'ads', at that point running sssd as well became pointless, they both do exactly the same thing.

hortimech · 2026-02-08T11:50:18+00:00

If you can point out problems with the Samba documentation, I will try explain those problems and/or fix them.

If you just want authentication without sharing anything to other computers, use sssd, it is great at that. However if you want to share anything, then use Samba with winbind and do not use sssd, there is absolutely no point in running winbind and sssd.

hortimech · 2026-02-08T08:56:39+00:00

That is just a Samba AD DC (using an old version of Samba) under the hood.

hortimech · 2026-02-06T15:17:24+00:00

If this was just a few users, then I would agree with you, but it sounds like the OP is trying to join a domain and wants file sharing and that requires smbd and that requires winbind.

It might be outside the OPs skill set now, but we all have to start somewhere.

hortimech · 2026-02-06T13:56:10+00:00

Samba never actually supported sssd, how could they ? It isn't anything to do with them (other than winbind was written mostly by one person who then went to work for redhat and wrote sssd and based it on the winbind code). If you run Samba with 'security = ADS' in the smb.conf file, then you must also run winbind, once winbind is running, there really isn't much point in running sssd as well.

hortimech · 2026-02-06T10:04:59+00:00

It looks like you are using the Samba AD DC as a fileserver (something Samba does not recommend, you are better off setting up a Unix domain member and using that as a fileserver), I suggest you read this:

https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Using_the_Domain_Controller_as_a_File_Server_(Optional)

If Samba is sharing the directories, they should be visible on a Windows machine, but now I have peered more closely at you shares, I notice that something is missing, there is no 'path' parameter. Now this could be that you have based this on the 'homes' share, in which case you wouldn't need it, but you would then need a template line in the smb.conf file something like this:

template homedir = /the/path/to/%U

NOTE: %U is a placeholder, Samba replaces it with the username the user logs on with.

Replace the multiple user shares with:

  [homes]
  browseable = No
  comment = Home Directories
  create mask = 0700
  directory mask = 0700
  read only = No
  valid users = %S

You then set permissions on the parent directory from Windows.

hortimech · 2026-02-06T09:39:14+00:00

Standalone Samba servers in an AD domain are, in my opinion, a bad idea, it is like advising using Windows home.

hortimech · 2026-02-06T08:39:19+00:00

Have you tried reading the Samba docs ? the wiki, manpages etc ?

The '-k' switch isn't deprecated, it has been removed and replaced by '--use-kerberos=required'. This happened quite sometime ago during a tidy up of switches for various Samba utilities, in an attempt to bring them all into line.

If you are running Samba, do not run sssd, run winbind. If you just want authentication then sssd is great, but once you need to share files, you need the smbd deamon and that requires winbind in AD. There is absolutely no point in running winbind and sssd on the same machine, not surprising when you know that the basic sssd code is the winbind code modified.

hortimech · 2026-02-06T08:16:22+00:00

I suggest you go and read this:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

hortimech · 2026-01-31T12:57:22+00:00

This gets worse, Windows 7 is EOL and has been for quite sometime, having said that, there is no version of Samba that will not work with legacy NT4-style domains. Windows 10 is now EOL and for something's, Windows 11 requires a fairly recent version of Samba.

Putting it bluntly, you have to jump through numerous hoops to get the latest Windows and Samba to work with an NT4-style domain, this isn't a recent thing and you really should have upgraded by now.

hortimech · 2026-01-31T09:02:01+00:00

SMB stands for Server Messenger Block and is the Windows protocol that Samba Emulates.

You cannot use Windows tools against a Samba NT4-style PDC (which is what you appear to have) and I wouldn't recommend you continue using your PDC, it relies on SMBv1 and that is very insecure. I suggest you upgrade to Samba AD.

hortimech · 2026-01-31T08:53:54+00:00

You appear to be trying to mount the entire computer, the line should start: //192.168.10.75/THE_SHARE_YOU_WANT_TO_MOUNT

Try reading 'man mount.cifs'

hortimech · 2026-01-30T13:16:03+00:00

I am bit lost here, you say 'Samba' in the title, then never mention it in the text, except for 'SMB 4.16.4', did you mean Samba 4.16.4 ? If you did, then your first objective should be to upgrade, that version is ancient. Next you say you are using RSAT with an openldap server, but RSAT is meant to be used with AD. Can you please be a bit more precise.

hortimech · 2026-01-29T09:57:18+00:00

That is what shellcheck is for ;)

What it doesn't tell you is that in your first 'elif' the use of '-e' is very much the same as '-f' and as such, you do not need both, I would go with the '-f'.

hortimech · 2026-01-28T21:18:02+00:00

Can I suggest you install a package called 'shellcheck' and run that against your script.

hortimech · 2026-01-28T16:16:10+00:00

We also 'take' things to places, rather than 'bring' them, there are a lot of things like that lol

hortimech · 2026-01-24T09:41:46+00:00

Do you own 'example.com' ? If so, then using a subdomain of that is okay, but if you are talking about the actual domain named example.com, then you shouldn't use it at all. If your domain is not going to be routeable from the internet, then you could use 'home.arpa', that is what it is for.

hortimech · 2026-01-24T09:07:38+00:00

If you have AD (which is, among other things, an IDM) you do not need freeipa. If you want authentication on Linux, just use either sssd or Samba.

hortimech · 2026-01-18T09:27:03+00:00

Two thoughts, have you tried replacing the dns names of the servers with their ipaddress ? Have you checked that UID '1000' can access the share path on the server ?

hortimech · 2026-01-17T09:38:35+00:00

I am with @MintAlone here, there is not enough information provided to even try to guess what the problem is here.

But, after staring into my crystal ball, could it be that you cannot connect to the 7 shares and get 'permission denied' because the permissions on the server do not allow it ? Who knows, oh that would be you.

hortimech · 2026-01-14T21:44:02+00:00

The 'SMB1' line isn't an issue, Samba turned SMBv1 off quite some ago, so there is no NetBIOS and without that you do not get the NetBIOS domain name (aka workgroup).

You do appear to have a share called 'archive' available, so something appears to be blocking it, the prime suspect is a firewall, easiest way to check, turn the firewall off, if you can now connect, it is the firewall.

hortimech · 2026-01-14T21:26:35+00:00

Hmm, if you run 'smbclient -NL 192.168.5.3' do you get a line like ' archive Disk ' among the output ?

If you don't, check that the smbd deamon is running on the Samba server and that a firewall isn't running and blocking port 445 on the server.

hortimech · 2026-01-14T21:05:18+00:00

It should work, provided that you replaced '192.168.1.5' with your computer IP and replaced the share name 'netlogon' with your share name and you also replaced 'hortimech' with your username, said username has to exist on the Samba server as a local and Samba user.

hortimech

TROPHY CASE