Configure Samba File Sharing AD Auth on RHEL/CentOS 7

Scenario: how to configure file sharing with Samba and AD authentication on CentOS/RHEL 7
– CentOS/RHEL 7, IP address:, hostname: centos7ht
– Windows Server 2012 as AD domain controller (domain:, IP address:), which is also the DNS server.

Steps (run as root):
1) Point centos7ht's DNS resolver at the AD server and edit /etc/hosts
– Edit /etc/hosts.
# vi /etc/hosts toya

– Edit /etc/resolv.conf so that the nameserver is the AD DNS server (Kerberos and realm discovery depend on the AD SRV records). The file is managed by NetworkManager, so also set the DNS server on the connection profile, otherwise the change is lost on the next restart.
# vi /etc/resolv.conf

# Generated by NetworkManager
2) Install the packages (adcli and samba-common-tools are required by realm join, as the realm list output below shows)
# yum install realmd samba samba-common samba-common-tools adcli oddjob oddjob-mkhomedir sssd

3) Join the domain as a domain user who has the privilege to join computers to the domain (the realm is discovered through the DNS SRV records from step 1; it can also be given explicitly as the last argument).
# realm join --user=bachem

[root@centos7ht ~]# realm join --user=bachem
Password for bachem:
[root@centos7ht ~]# realm list
  type: kerberos
  realm-name: TOYA.TOYASETA.COM
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  login-policy: allow-realm-logins
[root@centos7ht ~]#

Test: resolve an AD user and its group memberships through sssd:

[root@centos7ht ~]# id bachem@toya
uid=1337601107(bachem@toya.toyaseta.com) gid=1337600513(domain users@toya.toyaseta.com) groups=1337600513(domain users@toya.toyaseta.com),1337601603(financemd@toya.toyaseta.com),1337601105(it@toya.toyaseta.com),1337600512(domain admins@toya.toyaseta.com),1337600572(denied rodc password replication group@toya.toyaseta.com)
[root@centos7ht ~]# getent group "financemd@toya"*
[root@centos7ht ~]#

Optional: show users and groups without the domain suffix
Set use_fully_qualified_names in the [domain/...] section of /etc/sssd/sssd.conf:
# vi /etc/sssd/sssd.conf

use_fully_qualified_names = False

- Restart the sssd service

# systemctl restart sssd

Caveat: short names must be unique across AD and the local passwd/group files. The output below already shows a local bachem (uid 1000, member of wheel) next to the AD bachem (uid 1337601107). Supplementary groups are resolved by name, so the AD user inherits the local account's wheel membership, and with it sudo on this host. Rename or remove colliding local accounts before dropping the suffix.

- After the change:

[bachem@centos7ht ~]$ getent group "financemd@toya"
[bachem@centos7ht ~]$ id bachem@toya
uid=1337601107(bachem) gid=1337600513(domain users) groups=1337600513(domain users),10(wheel),1000(bachem),1337601603(financemd),1337601105(it),1337600512(domain admins),1337600572(denied rodc password replication group)
[bachem@centos7ht ~]$

4) Edit smb.conf to set up the shared folder.
We create two shares on the same directory, /datasamba/finance: one for the AD group FinanceMD (read and write) and one for FinanceRO (read only). Samba's read only flag only restricts what smbd allows on that share; the filesystem ACLs in step 5 are what actually limit each group, so the two must agree. Run testparm after editing; it reports unknown parameters and prints the effective configuration.

# vi /etc/samba/smb.conf

# See smb.conf.example for a more detailed config file or
# read the smb.conf manpage.
# Run 'testparm' to verify the config is correct after
# you modified it.

[global]
        workgroup = TOYA
        server string = Samba Server Version %v
        security = ads
        encrypt passwords = yes
        passdb backend = tdbsam
        realm = TOYA.TOYASETA.COM

# Add the IPs / subnets allowed access to the server in general.
# The following allows local, 10.0.*.* and 192.168.*.* access;
# trim it to the subnets your clients actually use.
        hosts allow = 127. 10.0. 192.168.

# log files split per-machine:
        log file = /var/log/samba/log.%m

# enable the following line to debug:
#log level = 3

# maximum size of 50KB per log file, then rotate:
        max log size = 50

# Not interested in printers
#printing = cups
        load printers = no
        cups options = raw

# This stops an annoying message from appearing in logs
        printcap name = /dev/null

# Two shares on the same directory. The share names below are chosen here;
# clients see them as \\centos7ht\FinanceMD and \\centos7ht\FinanceRO.
[FinanceMD]
        comment = Finance Modified
        path = /datasamba/finance/
        browseable = yes
        read only = no
        writable = yes
        guest ok = no
        valid users = @"FinanceMD@TOYA"
        inherit permissions = no

[FinanceRO]
        comment = Finance Read Only
        path = /datasamba/finance/
        browseable = yes
        read only = yes
        writable = no
        guest ok = no
        valid users = @"FinanceRO@TOYA"
        inherit permissions = no

# No need below (the stock [homes], [printers] and [print$] sections)
#[homes]
#       comment = Home Directories
#       valid users = %S, %D%w%S
#       browseable = No
#       read only = No
#       inherit acls = Yes

#[printers]
#       comment = All Printers
#       path = /var/tmp
#       printable = Yes
#       create mask = 0600
#       browseable = No

#[print$]
#       comment = Printer Drivers
#       path = /var/lib/samba/drivers
#       write list = @printadmin root
#       force group = @printadmin
#       create mask = 0664
#       directory mask = 0775
5) Set up the filesystem permissions on the shared path.
The group names must resolve through NSS (check with getent group first). The ACL is what stops a FinanceRO member from writing even if they reach the directory by another route (ssh, another share), so it must match the share definitions.
# setfacl -m g:financero@TOYA:r-x /datasamba/finance/
# setfacl -m g:financemd@TOYA:rwx /datasamba/finance/

These entries apply to the directory itself only. Add the same entries as default ACLs (setfacl -d -m ...) so that files and subdirectories created through the FinanceMD share inherit them, and use -R if the directory already has content.

[root@centos7ht /]# setfacl -m g:financero@TOYA:r-x /datasamba/finance/
[root@centos7ht /]# setfacl -m g:financemd@TOYA:rwx /datasamba/finance/
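The agreement between the share definitions of step 4 and the ACLs of step 5 can be checked mechanically. The audit script below is an added example, not part of the original post or of Samba; the share names FinanceMD and FinanceRO, the deliberately bad [Scratch] share and the getfacl output are constructed for it. It parses an smb.conf, pulls the @group entries out of each share's valid users, and compares the share's read-only setting with that group's POSIX ACL entry, also flagging guest shares, world-writable paths and groups without any ACL entry.

```python
import re

# Constructed smb.conf excerpt modelled on the post's Finance shares; the share
# names and the deliberately bad [Scratch] share are assumptions for this example.
SMB_CONF = """
[FinanceMD]
        path = /datasamba/finance/
        read only = no
        valid users = @"FinanceMD@TOYA"
[FinanceRO]
        path = /datasamba/finance/
        read only = yes
        valid users = @"FinanceRO@TOYA"
[Scratch]
        path = /datasamba/scratch
        read only = no
        guest ok = yes
"""

# Constructed getfacl output; the finance entries match the post's setfacl commands.
GETFACL_OUTPUT = """
# file: /datasamba/finance/
user::rwx
group::r-x
group:financero@TOYA:r-x
group:financemd@TOYA:rwx
mask::rwx
other::r-x

# file: /datasamba/scratch
user::rwx
group::r-x
other::rwx
"""

YES = ("yes", "true", "1")

def parse_smb_conf(text):
    """{section: {parameter: value}}; '#' and ';' comment lines are skipped."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def parse_getfacl(text):
    """{path: {"other": perms, "<named group>": perms}} from getfacl output."""
    acls, path = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("# file:"):
            path = line.split(":", 1)[1].strip().rstrip("/") or "/"
            acls[path] = {}
        elif path and line.startswith("group:") and not line.startswith("group::"):
            _, group, perms = line.split(":")
            acls[path][group.lower()] = perms
        elif path and line.startswith("other::"):
            acls[path]["other"] = line[len("other::"):]
    return acls

def share_groups(valid_users):
    """@group entries of a `valid users` value, quotes removed, lowercased."""
    tokens = re.findall(r'@?"[^"]*"|[^\s,]+', valid_users)
    return [t[1:].strip('"').lower() for t in tokens if t.startswith("@")]

def share_is_writable(share):
    """Shares default to read only; `writable`/`writeable` override `read only`."""
    value = share.get("writable", share.get("writeable"))
    if value is not None:
        return value.lower() in YES
    return share.get("read only", "yes").lower() not in YES

def audit(smb_conf_text, getfacl_text):
    """(share, finding) pairs where the Samba view and the POSIX ACLs disagree."""
    findings, acls = [], parse_getfacl(getfacl_text)
    for name, share in parse_smb_conf(smb_conf_text).items():
        if name.lower() in ("global", "homes", "printers", "print$"):
            continue
        path = share.get("path", "").rstrip("/") or "/"
        writable = share_is_writable(share)
        groups = share_groups(share.get("valid users", ""))
        acl = acls.get(path, {})
        if share.get("guest ok", "no").lower() in YES:
            findings.append((name, "guest ok = yes: unauthenticated access"))
        if not groups:
            findings.append((name, "no @group in valid users: any domain account may connect"))
        if "w" in acl.get("other", ""):
            findings.append((name, f"{path} is world-writable"))
        for group in groups:
            perms = acl.get(group)
            if perms is None:
                findings.append((name, f"{group} has no ACL entry on {path}"))
            elif writable and "w" not in perms:
                findings.append((name, f"writable share but {group} ACL is {perms}"))
            elif not writable and "w" in perms:
                findings.append((name, f"read-only share but {group} ACL is {perms}: only smbd enforces it"))
    return findings
```

On a real host, feed it the output of testparm -s and getfacl -R /datasamba instead of the constants. The finding to watch for is a writable ACL behind a read-only share: the FinanceRO share then depends on smbd alone, and any other route to the directory bypasses it.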

6) Set the SELinux context on the shared path
# chcon -t samba_share_t /datasamba/finance

chcon changes the label in place only; a relabel (restorecon, a filesystem autorelabel) reverts it. To make it persistent, record the rule with semanage fcontext -a -t samba_share_t "/datasamba(/.*)?" and apply it with restorecon -Rv /datasamba. Note that the session below shows SELinux in permissive mode, so a wrong label would not have been caught here; verify with ls -Z before switching the host to enforcing.

[root@centos7ht /]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31
[root@centos7ht /]# chcon -t samba_share_t /datasamba/finance
[root@centos7ht /]# ls -lZ /datasamba/
drwxr-xr-x. root root unconfined_u:object_r:samba_share_t:s0 finance
[root@centos7ht /]#

7) Set up firewalld to allow the samba service
# firewall-cmd --permanent --zone=public --add-service=samba
# firewall-cmd --reload

[root@centos7ht /]# firewall-cmd --permanent --zone=public --add-service=samba
[root@centos7ht /]# firewall-cmd --reload
[root@centos7ht /]#

8) Start the samba service and enable it at boot
# systemctl start smb.service
# systemctl enable smb.service

[root@centos7ht /]# systemctl restart smb
[root@centos7ht /]# systemctl enable  smb
Created symlink from /etc/systemd/system/ to /usr/lib/systemd/system/smb.service.
[root@centos7ht /]#

