After a fair amount of trial and error I finally have a process that's working well for me. This is in no way a comprehensive guide on using SSSD with Samba to authenticate Active Directory users/groups to file shares, but it's a great start and is working well in my lab. Many thanks to all those who contributed to the articles in the helpful resources list at the bottom.
Part 1: Install and configure SSSD
Packages needed for SSSD to work correctly
Make sure you have a network connection; if you installed the above packages then you should be good.
Edit your network configuration:
Edit your hosts file:
Set up system time
NOTE: some have noted that in order for things to work correctly you may need to add your DC as a server entry in /etc/ntp.conf; I have not yet needed to do this.
Join the domain
You can use either the id command against a domain user or run realm list to confirm that you have joined the domain.
- Once you are domain joined, anyone on the domain can SSH into the joined server.
- You may want to lock down your sudoers policy.
In order to limit which users are allowed to log in to the newly joined server, you will want to edit your SSH server configuration.
Add the lines:
NOTE: Adding an AD group to control SSH permissions is a good idea. If you were to add the group ssh-users in AD you would add the line:
- Don't assume group nesting will work; SSSD only looks at the immediate members of a group.
- NOTE: Doing this will explicitly allow only members of the domain group you listed to log in.
This is not the best or least-privilege way to do this, but it is the way that will allow you to control everything in AD: create a group in AD that you want to give sudoers rights to and add the following line to your sudoers file on the newly joined server.
Traditionally, the visudo command opens the /etc/sudoers file with the vi text editor.
- Capitals may be required for the domain name.
Part 2: Install and configure SAMBA
Make sure Samba can talk through the firewall
smb.conf working example
The following Samba config file was pulled from a working server.
An example of what look to me like some sane defaults, from http://www.hexblot.com/blog/centos-7-active-directory-and-samba, includes:
Now that Samba is set up to share /home, you'll need to edit permissions on /home so users can access their home folders. In the case of Active Directory domain home folders, using “domain email@example.com” should provide a good option.
Note about SELinux:
If you haven't disabled it (which you probably shouldn't), then upon finishing up and setting permissions you might find that you can't access your shares; it might be SELinux. You either need to
- (Please don't) disable it completely (by setting SELINUX=disabled in /etc/sysconfig/selinux), or
- enter the following command for each share you make:
To share out home directories you will need to run:
Enable and start up Samba
Congrats, you should now be able to authenticate to your Samba file shares using Active Directory authentication!
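As an added example that is not part of the original post, here is a small POSIX sh audit that checks the three hardening points made above (an explicit AllowGroups list in the SSH server config, a sudoers rule tied to an AD group, and a Samba share that requires valid users and does not allow guests) against config fragments constructed inline. The group names, domain and share values below are assumptions for the demo, not values from this guide; on a real server you would feed it the contents of sshd_config, sudoers and smb.conf instead.

```shell
#!/bin/sh
# Post-join hardening audit (added example; the samples below are constructed).

# Constructed sshd_config fragment.
SSHD_CONF_SAMPLE='PasswordAuthentication yes
AllowGroups wheel ssh-users
PermitRootLogin no'

# Constructed sudoers fragment; the AD group name is hypothetical.
SUDOERS_SAMPLE='%linux-admins@example.com ALL=(ALL) ALL'

# Constructed smb.conf [homes] section.
SMB_CONF_SAMPLE='[homes]
   comment = Home Directories
   valid users = %S, %D%w%S
   browseable = No
   read only = No'

# Print the AllowGroups list from an sshd_config text; return 1 when it is
# absent, i.e. when every domain user would be allowed to SSH in.
ssh_allowgroups() {
    printf '%s\n' "$1" | awk '
        tolower($1) == "allowgroups" { found = 1; $1 = ""; sub(/^ /, ""); print }
        END { exit found ? 0 : 1 }'
}

# Return 0 when the sudoers text grants an ALL rule to %group@domain ($2).
sudoers_has_group() {
    printf '%s\n' "$1" | awk -v g="%$2" '
        $1 == g && $2 ~ /^ALL=/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Return 0 when share [$2] in the smb.conf text sets "valid users" and does
# not set "guest ok = yes"; return 1 otherwise.
smb_share_restricted() {
    printf '%s\n' "$1" | awk -v s="[$2]" '
        $0 == s { in_s = 1; next }
        /^\[/   { in_s = 0 }
        in_s {
            line = $0; sub(/^[ \t]+/, "", line)
            split(line, kv, /[ \t]*=[ \t]*/)
            k = tolower(kv[1]); v = tolower(kv[2])
            if (k == "guest ok" && v == "yes") guest = 1
            if (k == "valid users" && v != "")  vu = 1
        }
        END { exit (vu && !guest) ? 0 : 1 }'
}
```

Each function exits non-zero on a failed check, so the three calls can be chained in a post-install script to fail loudly when one of the restrictions is missing.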
Securing Samba shares: http://linux-training.be/networking/ch21.html
Notes on SELinux and best practice: https://wiki.centos.org/HowTos/SetUpSamba
Notes on integrating with AD (huge thanks to Hexblot): http://www.hexblot.com/blog/centos-7-active-directory-and-samba