Austin Janey


Sysadmin by day and IT consultant by night. I drink lots of coffee and solve lots of problems... hopefully. Guestbook

Replacing Windows File Servers with CentOS 7

After a fair amount of trial and error I finally have a process thats working well for me.  This is in no way a comprehensive guide on using SSSD with Samba to authenticate active directory users/groups to file shares but its a great start and is working well in my lab.  Many thanks to all those who contributed to articles in the helpful resources list at the bottom.

Part 1: Install and configure SSSD
Packages needed for SSSD to work correctly
yum install realmd sssd adcli oddjob oddjob-mkhomedir samba-common-tools net-tools ntpdate ntp

Network Configuration
make sure you have a network connection, if you installed the above packages then you should be good.
Edit your network configuration:
vi /etc/sysconfig/network
Edit your hosts file:
vi /etc/hosts centoshostname.addomainname.tld
Restart networking
/etc/init.d/network restart

setup system time
systemctl enable ntpd.service
ntpdate yourdomaincontroller.yourdomain.tld
systemctl start ntpd.service
NOTE: some have noted that in order for things to work right you might need to add your DC as a server entry to /etc/ntp.conf, I have not yet needed to do this.

Join the domain
sudo realm join -v -U domainuser addomainname.tld
You can use either the ID command against a user or use realm list to discover if you have joined the domain.

  • Once you are domain joined anyone on the domain can SSH into the joined server. 
  • You may want to lock down your sudoers policy

SSH Config
In order to limit what users are allowed to login to the newly joined server you will want to edit your ssh config

Add the lines:
AllowGroups groupname@domain.whatever
NOTE: Adding an ad group to control ssh permissions is a good idea, if you were to add the group ssh-users in AD you would add the line:
AllowGroups ssh-users@domain.whatever
  • don't assume group nesting will work, SSSD only looks at the immediate users of a group.
  • NOTE: Doing this will explicitly allow only members of domain group you listed to log in.

sudoers file
this is not the best or least privilege way to do this but it is the way that will allow you to control everything in AD, create a group in AD that you want to give sudoers rights to and add the following line to your sudoers file on your newly joined server.  
Traditionally, the visudo command opens the /etc/sudoers file with the vi text editor.
  • caps may be required for the domain name.

Part 2: Install and configure SAMBA
Install Samba
Yum install samba

make sure samba can talk threw the firewall
firewall-cmd --permanent --add-service=samba
firewall-cmd --reload

smb.conf working example
The following samba config file was pulled from a working server.
# See smb.conf.example for a more detailed config file or
# read the smb.conf manpage.
# Run 'testparm' to verify the config is correct after
# you modified it.
        server string = Samba Server Version %v
        encrypt passwords = yes
        security = ads
        passdb backend = tdbsam
        printing = cups
        printcap name = cups
        load printers = yes
        cups options = raw
        kerberos method = secrets and keytab
        load printers = no
        cups options = raw
        printcap name = /dev/null
        log file = /var/log/samba/log.%m
        max log size = 50
#Test fix for idmap bug
        idmap config * : backend = tdb
        idmap config * : range = 300000-400000
[home directory]
        path = /home/%u
        comment = Home Directories
        guest ok = no
        browseable = yes
        read only = no
        inherit acls = yes
        inherit permissions = yes
        valid users = @“SOMEGROUP@YOURDOMAIN.TLD"
        admin users = @"SOMEGROUP@YOURDOMAIN.TLD"
        comment = All Printers
        path = /var/tmp
        printable = Yes
        create mask = 0600
        browseable = No
        comment = Printer Drivers
        path = /var/lib/samba/drivers
        write list = @printadmin root
        force group = @printadmin
        create mask = 0664
        directory mask = 0775

An example of what look to me like some sane defaults from includes:
server string = Samba Server Version %v

# Add the IPs / subnets allowed acces to the server in general.
# The following allows local and 10.0.*.* access
hosts allow = 127. 10.0.

# log files split per-machine:
log file = /var/log/samba/log.%m
# enable the following line to debug:
# log level =3
# maximum size of 50KB per log file, then rotate:
max log size = 50

# Here comes the juicy part!
security = ads
encrypt passwords = yes
passdb backend = tdbsam

# Not interested in printers
load printers = no
cups options = raw

# This stops an annoying message from appearing in logs
printcap name = /dev/null

Now that samba is setup to share /home youll need to edit permissions on /home so users can access their home folders.  In the case of active directory domain home folders using “domain users@yourdomain.tld” should provide a good option.
chown root:"adgroupyoumade@yourdomain.tld" /home
chmod 0770 /home

Note about SELinux:
If you haven’t disabled it (which you probably shouldn’t) Upon finishing up and setting permissions you might find that you can’t access your shares, it might be SELinux. You either need to
  • (Please don't) disable it completely (by setting SELINUX=disabled in /etc/sysconfig/selinux ) or
  • enter the following command for each share you make: 
chcon -t samba_share_t /var/myshare
To share out home directories you will need to run
setsebool -P samba_enable_home_dirs on

Enable and Start up Samba
systemctl enable smb.service
systemctl start smb.service

Congrats you should now be able to authenticate to your samba file shares using active directory authentication! 

Helpful resources
Notes on SE Linus and best practice:
Notes on integrating with AD (huge thanks to Hexblot)

You'll only receive email when Austin Janey publishes a new post

More from Austin Janey: