Scenario: How to configure file sharing with Samba using Active Directory (AD) authentication on CentOS/RHEL 7
System:
– CentOS/RHEL 7, IP address: 192.168.99.15, hostname: centos7ht
– Windows Server 2012 as AD Domain: toya.toyaseta.com, IP address: 192.168.99.10, also as DNS server.
Steps (all commands are run as root unless the prompt shows otherwise):
1) Point centos7ht's DNS resolver at the AD server and edit /etc/hosts
– Edit /etc/hosts.
# vi /etc/hosts
192.168.99.10 toya.toyaseta.com toya
– Edit DNS /etc/resolv.conf
# vi /etc/resolv.conf
# Generated by NetworkManager
search toya.toyaseta.com
nameserver 192.168.99.10
nameserver 192.168.99.1

Note: the header line shows this file is managed by NetworkManager, which rewrites it whenever the connection comes up, so a hand edit is lost on the next reboot or reconnect. Set the DNS servers on the connection instead (e.g. `nmcli con mod <connection> ipv4.dns "192.168.99.10 192.168.99.1" ipv4.dns-search toya.toyaseta.com`, or `DNS1=`/`DOMAIN=` in the ifcfg file), and keep the AD server as the first nameserver: the domain join and Kerberos both depend on the SRV records that only the DC's DNS serves.
2) Install the required packages
# yum install realmd samba samba-common oddjob oddjob-mkhomedir sssd
3) Join the domain using a domain account that has the privilege to join computers to the domain. `realm` prompts for the password interactively, so it never appears on the command line or in shell history. Note that the sample output below shows bachem is also a member of Domain Admins; a dedicated join account delegated only the "join computers to the domain" right is the least-privilege choice for this step.
# realm join --user=bachem toya.toyaseta.com
[root@centos7ht ~]# realm join --user=bachem toya.toyaseta.com
Password for bachem:
[root@centos7ht ~]# realm list
toya.toyaseta.com
  type: kerberos
  realm-name: TOYA.TOYASETA.COM
  domain-name: toya.toyaseta.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  login-formats: %U@toya.toyaseta.com
  login-policy: allow-realm-logins
[root@centos7ht ~]#
Test that an AD user and its group memberships resolve through sssd:
[root@centos7ht ~]# id bachem@toya
uid=1337601107(bachem@toya.toyaseta.com) gid=1337600513(domain users@toya.toyaseta.com) groups=1337600513(domain users@toya.toyaseta.com),1337601603(financemd@toya.toyaseta.com),1337601105(it@toya.toyaseta.com),1337600512(domain admins@toya.toyaseta.com),1337600572(denied rodc password replication group@toya.toyaseta.com)
[root@centos7ht ~]# getent group "financemd@toya"
financemd@toya.toyaseta.com:*:1337601603:bachem@toya.toyaseta.com
[root@centos7ht ~]#
+ Optional: show users and groups without the fully-qualified domain suffix
# vi /etc/sssd/sssd.conf
use_fully_qualified_names = False
(Put this in the `[domain/toya.toyaseta.com]` section that `realm join` created, where the setting is typically written as True.)
- Restart the sssd service
# systemctl restart sssd
- After disabling fully-qualified names:

Caveat: compare the group list below with the earlier `id` output. The AD user now also appears in the local groups wheel(10) and bachem(1000), which are not AD groups; this looks like a name collision with a local account called `bachem`, whose /etc/group memberships are being matched by the short name. Because wheel normally carries sudo rights, a domain account silently inheriting it is a privilege-escalation path. Either avoid local accounts whose names collide with domain accounts, or keep fully-qualified names so the two namespaces stay distinct.
[bachem@centos7ht ~]$ getent group "financemd@toya"
financemd:*:1337601603:bachem
[bachem@centos7ht ~]$ id bachem@toya
uid=1337601107(bachem) gid=1337600513(domain users) groups=1337600513(domain users),10(wheel),1000(bachem),1337601603(financemd),1337601105(it),1337600512(domain admins),1337600572(denied rodc password replication group)
[bachem@centos7ht ~]$
4) Edit smb.conf to set up the shared folder.
Example:
We will share the folder Finance twice on the same path: FinanceRO gives members of the AD group FinanceRO read-only access, and FinanceMD gives members of the AD group FinanceMD read/write access.
# vi /etc/samba/smb.conf
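# See smb.conf.example for a more detailed config file or
# read the smb.conf manpage.
# Run 'testparm' to verify the config is correct after
# you modified it.
[global]
	workgroup = TOYA
	server string = Samba Server Version %v
	security = ads
	encrypt passwords = yes
	passdb backend = tdbsam
	realm = TOYA.TOYASETA.COM

	# Refuse the legacy SMB1 (NT1) dialect. Windows Server 2012 and current
	# Windows/macOS/Linux clients all speak SMB2 or later; remove this line
	# only if an SMB1-only client genuinely has to connect.
	server min protocol = SMB2

	# Add the IPs / subnets allowed access to the server in general.
	# This admits loopback, all of 10.0.x.x and all of 192.168.x.x. The server
	# itself sits in 192.168.99.0/24; narrow the list to the subnets that
	# actually contain clients (e.g. "127. 192.168.99.") if 10.0.x.x is not one.
	hosts allow = 127. 10.0. 192.168.

	# log files split per-machine:
	log file = /var/log/samba/log.%m
	# enable the following line to debug:
	#log level =3
	# maximum size of 50KB per log file, then rotate:
	max log size = 50

	# Not interested in printers
	#printing = cups
	load printers = no
	cups options = raw
	# This stops an annoying message from appearing in logs
	printcap name = /dev/null

# Both shares expose the same directory. "read only = yes" on [FinanceRO] is a
# Samba-level restriction only: the filesystem ACLs on /datasamba/finance
# (r-x for FinanceRO, rwx for FinanceMD) are what actually enforce it, and a
# user who is in both AD groups can still write through [FinanceMD].
[FinanceMD]
	comment = Finance Modified
	path = /datasamba/finance/
	browseable = yes
	read only = no
	writable = yes
	guest ok = no
	valid users = @"FinanceMD@TOYA"
	inherit permissions = no

[FinanceRO]
	comment = Finance Read Only
	path = /datasamba/finance/
	browseable = yes
	read only = yes
	writable = no
	guest ok = no
	valid users = @"FinanceRO@TOYA"
	inherit permissions = no

# No need below
#[homes]
#	comment = Home Directories
#	valid users = %S, %D%w%S
#	browseable = No
#	read only = No
#	inherit acls = Yes
#[printers]
#	comment = All Printers
#	path = /var/tmp
#	printable = Yes
#	create mask = 0600
#	browseable = No
#[print$]
#	comment = Printer Drivers
#	path = /var/lib/samba/drivers
#	write list = @printadmin root
#	force group = @printadmin
#	create mask = 0664
#	directory mask = 0775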
5) Set filesystem permissions on the shared path.
# setfacl -m g:financero@TOYA:r-x /datasamba/finance/
# setfacl -m g:financemd@TOYA:rwx /datasamba/finance/

These two entries apply only to the top-level directory and only to objects that already exist. Add matching default ACL entries (`-d`) so files and subdirectories created later through the FinanceMD share inherit them, and apply recursively (`-R`) if the tree already has content:
# setfacl -R -m g:financero@TOYA:r-x,g:financemd@TOYA:rwx /datasamba/finance/
# setfacl -d -m g:financero@TOYA:r-x,g:financemd@TOYA:rwx /datasamba/finance/
Without default entries a file created by one FinanceMD member gets the ordinary creation mode with the creator's primary AD group, so other FinanceMD members cannot modify it, and FinanceRO's read access then depends on the file's "other" bits rather than on the ACL. Verify the result with `getfacl /datasamba/finance/`.
[root@centos7ht /]# setfacl -m g:financero@TOYA:r-x /datasamba/finance/
[root@centos7ht /]# setfacl -m g:financemd@TOYA:rwx /datasamba/finance/
6) Set the SELinux context on the shared path
# chcon -t samba_share_t /datasamba/finance

`chcon` is not persistent (a relabel via `restorecon` or `touch /.autorelabel` reverts it) and, as used here, labels only the directory itself, not its contents. Record the context in policy and apply it recursively instead:
# semanage fcontext -a -t samba_share_t "/datasamba/finance(/.*)?"
# restorecon -Rv /datasamba/finance
(`semanage` is provided by the policycoreutils-python package.) Also note the `sestatus` output below reports `Current mode: permissive` and `Mode from config file: permissive`: on this host SELinux is logging denials but not enforcing them, so the labelling has no protective effect until you switch to enforcing (`setenforce 1` now, and `SELINUX=enforcing` in /etc/selinux/config to persist it).
[root@centos7ht /]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31
[root@centos7ht /]# chcon -t samba_share_t /datasamba/finance
[root@centos7ht /]# ls -lZ /datasamba/
drwxr-xr-x. root root unconfined_u:object_r:samba_share_t:s0 finance
[root@centos7ht /]#
7) Configure firewalld to allow the Samba service. The `samba` service definition opens TCP 139/445 and UDP 137/138 to every source in the public zone; `hosts allow` in smb.conf adds a second layer, but if this interface faces an untrusted network prefer a rich rule restricted to the client subnet.
# firewall-cmd --permanent --zone=public --add-service=samba
# firewall-cmd --reload
[root@centos7ht /]# firewall-cmd --permanent --zone=public --add-service=samba
success
[root@centos7ht /]# firewall-cmd --reload
success
[root@centos7ht /]#
8) Start the Samba service and enable it at boot
# systemctl start smb.service
# systemctl enable smb.service
[root@centos7ht /]# systemctl restart smb
[root@centos7ht /]# systemctl enable smb
Created symlink from /etc/systemd/system/multi-user.target.wants/smb.service to /usr/lib/systemd/system/smb.service.
[root@centos7ht /]#
Reference:
http://www.hexblot.com/blog/centos-7-active-directory-and-samba
https://www.svennd.be/samba-login-using-windows-ad-on-centos-7/