Configure Samba File Sharing AD Auth on RHEL/CentOS 7

Scenario: How to configure file sharing using Samba with AD authentication on CentOS/RHEL 7
System:
– CentOS/RHEL 7, IP address: 192.168.99.15, hostname: centos7ht
– Windows Server 2012 as AD domain controller for toya.toyaseta.com, IP address: 192.168.99.10, also acting as DNS server.

Steps (run as root):
1) Point centos7ht's DNS resolver at the AD server and edit /etc/hosts
– Edit /etc/hosts.
# vi /etc/hosts

192.168.99.10 toya.toyaseta.com toya

– Edit the DNS resolver configuration /etc/resolv.conf
# vi /etc/resolv.conf

# Generated by NetworkManager
search toya.toyaseta.com
nameserver 192.168.99.10
nameserver 192.168.99.1

2) Install the Samba and realmd packages
# yum install realmd samba samba-common oddjob oddjob-mkhomedir sssd

3) Join the domain using a domain user who has the privilege to join machines to the domain.
# realm join --user=bachem toya.toyaseta.com

[root@centos7ht ~]# realm join --user=bachem toya.toyaseta.com
Password for bachem:
[root@centos7ht ~]# realm list
toya.toyaseta.com
 type: kerberos
 realm-name: TOYA.TOYASETA.COM
 domain-name: toya.toyaseta.com
 configured: kerberos-member
 server-software: active-directory
 client-software: sssd
 required-package: oddjob
 required-package: oddjob-mkhomedir
 required-package: sssd
 required-package: adcli
 required-package: samba-common-tools
 login-formats: %U@toya.toyaseta.com
 login-policy: allow-realm-logins
[root@centos7ht ~]#

Test that AD users and their groups resolve:

[root@centos7ht ~]# id bachem@toya
uid=1337601107(bachem@toya.toyaseta.com) gid=1337600513(domain users@toya.toyaseta.com) groups=1337600513(domain users@toya.toyaseta.com),1337601603(financemd@toya.toyaseta.com),1337601105(it@toya.toyaseta.com),1337600512(domain admins@toya.toyaseta.com),1337600572(denied rodc password replication group@toya.toyaseta.com)
[root@centos7ht ~]# getent group "financemd@toya"
financemd@toya.toyaseta.com:*:1337601603:bachem@toya.toyaseta.com
[root@centos7ht ~]#

+Optional: show users and groups without the FQDN
# vi /etc/sssd/sssd.conf

use_fully_qualified_names = False

-Restart the sssd service

# systemctl restart sssd

-After the no-FQDN setup:

[bachem@centos7ht ~]$ getent group "financemd@toya"
financemd:*:1337601603:bachem
[bachem@centos7ht ~]$ id bachem@toya
uid=1337601107(bachem) gid=1337600513(domain users) groups=1337600513(domain users),10(wheel),1000(bachem),1337601603(financemd),1337601105(it),1337600512(domain admins),1337600572(denied rodc password replication group)
[bachem@centos7ht ~]$

4) Edit smb.conf to set up the folder share.
Example:
We will create a Finance share on one path that can be accessed by the AD group FinanceRO (read only) and the AD group FinanceMD (can modify).

# vi /etc/samba/smb.conf

# See smb.conf.example for a more detailed config file or
# read the smb.conf manpage.
# Run 'testparm' to verify the config is correct after
# you modified it.

[global]
 workgroup = TOYA
 server string = Samba Server Version %v
 security = ads
 encrypt passwords = yes
 passdb backend = tdbsam
 realm = TOYA.TOYASETA.COM

# Add the IPs / subnets allowed access to the server in general.
# The following allows local, 10.0.*.* and 192.168.*.* access
 hosts allow = 127. 10.0. 192.168.

# log files split per-machine:
 log file = /var/log/samba/log.%m

# enable the following line to debug:
#log level = 3

# maximum size of 50KB per log file, then rotate:
 max log size = 50


# Not interested in printers
#printing = cups
 load printers = no
 cups options = raw

# This stops an annoying message from appearing in logs
 printcap name = /dev/null

[FinanceMD]
comment = Finance Modified
path = /datasamba/finance/
browseable = yes
read only = no
writable = yes
guest ok = no
valid users = @"FinanceMD@TOYA"
inherit permissions = no

[FinanceRO]
comment = Finance Read Only
path = /datasamba/finance/
browseable = yes
read only = yes
writable = no
guest ok = no
valid users = @"FinanceRO@TOYA"
inherit permissions = no

# No need below
#[homes]
# comment = Home Directories
# valid users = %S, %D%w%S
# browseable = No
# read only = No
# inherit acls = Yes

#[printers]
# comment = All Printers
# path = /var/tmp
# printable = Yes
# create mask = 0600
# browseable = No

#[print$]
# comment = Printer Drivers
# path = /var/lib/samba/drivers
# write list = @printadmin root
# force group = @printadmin
# create mask = 0664
# directory mask = 0775
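As an added check on the smb.conf above (example code, not part of the original post), the small auditor below parses an smb.conf and flags shares that are weaker than the two Finance shares: guest access enabled, no `valid users` restriction, or a `read only`/`writable` pair that contradicts itself. The sample config is a constructed excerpt of the post's shares plus one deliberately weak "Scratch" share so the audit has something to report.

```python
# Constructed excerpt of the walkthrough's smb.conf plus one deliberately weak
# extra share ("Scratch") so the audit has something to flag.
SAMPLE_SMB_CONF = """\
[FinanceMD]
 read only = no
 writable = yes
 guest ok = no
 valid users = @"FinanceMD@TOYA"
[FinanceRO]
 read only = yes
 writable = no
 guest ok = no
 valid users = @"FinanceRO@TOYA"
[Scratch]
 read only = yes
 writable = yes
 guest ok = yes
"""

def parse_smb_conf(text):
    """Return {section: {lowercased key: value}}, skipping blanks and comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        else:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def audit(conf):
    """Return (share, finding) pairs for shares weaker than the Finance ones."""
    findings = []
    for share, o in conf.items():
        if share == "global":
            continue
        if o.get("guest ok", "no").lower() == "yes":
            findings.append((share, "guest ok = yes: unauthenticated access"))
        if "valid users" not in o:
            findings.append((share, "no 'valid users': any domain user may connect"))
        # 'writable' is the inverted synonym of 'read only'; same value = conflict
        ro, wr = o.get("read only", "").lower(), o.get("writable", "").lower()
        if ro and wr and (ro == "yes") == (wr == "yes"):
            findings.append((share, "conflicting 'read only' and 'writable'"))
    return findings
```

Run it on the live file with `audit(parse_smb_conf(open("/etc/samba/smb.conf").read()))`; it complements `testparm`, which validates syntax but not access intent.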

5) Set up the share path's access permissions (POSIX ACLs per AD group).
# setfacl -m g:financero@TOYA:r-x /datasamba/finance/
# setfacl -m g:financemd@TOYA:rwx /datasamba/finance/

[root@centos7ht /]# setfacl -m g:financero@TOYA:r-x /datasamba/finance/
[root@centos7ht /]# setfacl -m g:financemd@TOYA:rwx /datasamba/finance/

6) Set the SELinux context on the share path
# chcon -t samba_share_t /datasamba/finance

[root@centos7ht /]# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 31
[root@centos7ht /]# chcon -t samba_share_t /datasamba/finance
[root@centos7ht /]# ls -lZ /datasamba/
drwxr-xr-x. root root unconfined_u:object_r:samba_share_t:s0 finance
[root@centos7ht /]#

7) Configure firewalld to allow the samba service
# firewall-cmd --permanent --zone=public --add-service=samba
# firewall-cmd --reload

[root@centos7ht /]# firewall-cmd --permanent --zone=public --add-service=samba
success
[root@centos7ht /]# firewall-cmd --reload
success
[root@centos7ht /]#

8) Start the Samba service and enable it at boot
# systemctl start smb.service
# systemctl enable smb.service

[root@centos7ht /]# systemctl restart smb
[root@centos7ht /]# systemctl enable smb
Created symlink from /etc/systemd/system/multi-user.target.wants/smb.service to /usr/lib/systemd/system/smb.service.
[root@centos7ht /]#
