Replacing Windows File Servers with CentOS 7
After a fair amount of trial and error I finally have a process that’s working well for me. This is in no way a comprehensive guide on using SSSD with Samba to authenticate Active Directory users/groups to file shares, but it’s a great start and is working well in my lab. Many thanks to all those who contributed to the articles in the helpful resources list at the bottom.
Part 1: Install and configure SSSD
Packages needed for SSSD to work correctly
yum install realmd sssd adcli oddjob oddjob-mkhomedir samba-common-tools net-tools ntpdate ntp
Make sure you have a network connection; if you were able to install the packages above, you are good.
Edit your network configuration:
Edit your hosts file:
vi /etc/hosts
192.168.1.2 centoshostname.addomainname.tld
Setup System Time
systemctl enable ntpd.service
ntpdate yourdomaincontroller.yourdomain.tld
systemctl start ntpd.service
Note: some have noted that, for things to work right, you might need to add your DC as a server entry in /etc/ntp.conf; I have not yet needed to do this.
Join The Domain
sudo realm join -v -U domainuser addomainname.tld
You can run the id command against a domain user, or run realm list, to confirm that you have joined the domain.
Once you are domain joined, anyone on the domain can SSH into the joined server.
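The two checks just mentioned can be scripted. The following is an added example, not code from the original post: it reads the output of realm list (the sample outputs below are constructed, but the field names are the ones realmd prints) and reports two things a defender cares about right after a join: whether the host is actually a Kerberos member, and whether the login-policy is still allow-realm-logins, i.e. the "anyone on the domain can SSH in" state. The restricted sample assumes the realm permit -g command, which configures SSSD's simple access provider and is an alternative to the sshd_config approach used later in this post.

```shell
# Constructed: `realm list` on a host that is joined and still lets every
# domain user log in (realmd's default state right after `realm join`).
SAMPLE_REALM_OPEN='addomainname.tld
  type: kerberos
  realm-name: ADDOMAINNAME.TLD
  domain-name: addomainname.tld
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  login-formats: %U@addomainname.tld
  login-policy: allow-realm-logins'

# Constructed: the same host after `realm permit -g ssh-users@addomainname.tld`
# (hypothetical group name).
SAMPLE_REALM_RESTRICTED='addomainname.tld
  type: kerberos
  realm-name: ADDOMAINNAME.TLD
  domain-name: addomainname.tld
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  login-formats: %U@addomainname.tld
  login-policy: allow-permitted-logins
  permitted-groups: ssh-users@addomainname.tld'

# Constructed: a host that has discovered the realm but is not joined to it.
SAMPLE_REALM_UNJOINED='addomainname.tld
  type: kerberos
  realm-name: ADDOMAINNAME.TLD
  domain-name: addomainname.tld
  configured: no
  server-software: active-directory
  client-software: sssd'

# realm_field OUTPUT FIELD -> prints the value of the first "  field: value" line
realm_field() {
  printf '%s\n' "$1" | awk -v f="$2:" '$1 == f { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit }'
}

# realm_is_joined OUTPUT -> 0 when realmd reports the host as a kerberos member
realm_is_joined() {
  [ "$(realm_field "$1" configured)" = "kerberos-member" ]
}

# realm_logins_restricted OUTPUT -> 0 when only permitted users/groups may log in,
# 1 when any account in the realm can (the state the post warns about)
realm_logins_restricted() {
  [ "$(realm_field "$1" login-policy)" = "allow-permitted-logins" ]
}

# realm_report OUTPUT -> one-line summary; exit status 0 only if joined AND restricted
realm_report() {
  out="$1"
  if ! realm_is_joined "$out"; then
    echo "NOT JOINED: configured = $(realm_field "$out" configured)"
    return 1
  fi
  if realm_logins_restricted "$out"; then
    echo "OK: logins limited to $(realm_field "$out" permitted-groups)"
    return 0
  fi
  echo "OPEN: login-policy is $(realm_field "$out" login-policy); every realm account may log in"
  return 1
}

# On a live server run:  realm_report "$(realm list)"
realm_report "$SAMPLE_REALM_OPEN" || true   # prints the OPEN: line
realm_report "$SAMPLE_REALM_RESTRICTED"     # prints OK: logins limited to ssh-users@addomainname.tld
```

The report deliberately fails for a joined-but-open host, so it can be dropped into a post-join checklist or a configuration audit and treated like any other failing check.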
You may want to lock down your sudoers policy
In order to limit which users are allowed to log in to the newly joined server, edit your SSH config, /etc/ssh/sshd_config.
Add the lines:
Note: Adding an AD group to control SSH permissions is a good idea; if you were to add the group ssh-users in AD, you would add the line:
Don’t assume group nesting will work: SSSD only looks at the immediate members of a group.
Note: Doing this will explicitly allow only members of the domain group you listed to log in.
This is not the best or least-privilege way to do this, but it is the way that lets you control everything in AD: create a group in AD that you want to give sudo rights to and add the following line to the sudoers file on your newly joined server.
Traditionally, the visudo command opens the /etc/sudoers file with the vi text editor.
%groupname@ADDOMAIN.TLD ALL=(ALL:ALL) ALL
Caps may be required for the domain name.
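As an added example (not from the original post), these shell functions render the two lines described above: an sshd_config AllowGroups entry that limits SSH logins to one AD group, and a sudoers rule that grants another AD group sudo rights. Assumptions on my part: SSSD is using fully qualified names (group@domain, realmd's default), the group names are hypothetical, and the sudoers rule is written to a /etc/sudoers.d drop-in rather than into /etc/sudoers itself.

```shell
# sshd_allowgroups_line GROUP DOMAIN -> 'AllowGroups group@domain'
# sshd_config(5) lets an argument be enclosed in double quotes when it contains
# spaces, which AD group names such as "domain users" need.
sshd_allowgroups_line() {
  case "$1" in
    *" "*) printf 'AllowGroups "%s@%s"\n' "$1" "$2" ;;
    *)     printf 'AllowGroups %s@%s\n' "$1" "$2" ;;
  esac
}

# sudoers_rule GROUP REALM -> '%group@REALM ALL=(ALL:ALL) ALL'
# The realm is upper-cased (the post notes caps may be required) and spaces in
# the group name are backslash-escaped, as sudoers(5) requires.
sudoers_rule() {
  group=$(printf '%s' "$1" | sed 's/ /\\ /g')
  realm=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
  printf '%%%s@%s ALL=(ALL:ALL) ALL\n' "$group" "$realm"
}

# write_sudoers_dropin GROUP REALM FILE -> writes the rule to FILE with the 0440
# mode sudo expects for drop-ins and, when visudo is installed, checks the syntax
# before returning. Returns non-zero if the write or the check fails, so a typo
# never ends up in a file sudo will refuse to parse.
write_sudoers_dropin() {
  sudoers_rule "$1" "$2" > "$3" && chmod 0440 "$3" || return 1
  if command -v visudo >/dev/null 2>&1; then
    visudo -cf "$3" >/dev/null || return 1
  fi
  return 0
}

# Typical use on the joined server (hypothetical group names):
#   sshd_allowgroups_line ssh-users addomainname.tld >> /etc/ssh/sshd_config && sshd -t
#   write_sudoers_dropin linux-admins addomainname.tld /etc/sudoers.d/ad-admins
sshd_allowgroups_line ssh-users addomainname.tld
sshd_allowgroups_line 'domain users' addomainname.tld
sudoers_rule linux-admins addomainname.tld
sudoers_rule 'linux admins' addomainname.tld
```

Run sshd -t after touching sshd_config and keep a second session open until the new configuration has been confirmed; a bad AllowGroups line locks everyone out, not just the domain users it was meant to exclude.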
Part 2: Install and configure SAMBA
yum install samba
Make sure Samba can talk through the firewall:
firewall-cmd --permanent --add-service=samba
firewall-cmd --reload
smb.conf working example
The following samba config file was pulled from a working server.
# See smb.conf.example for a more detailed config file or
# read the smb.conf manpage.
# Run 'testparm' to verify the config is correct after
# you modified it.
[global]
workgroup = YOURDOMAINNAMEWITHNOTLD
server string = Samba Server Version %v
encrypt passwords = yes
security = ads
realm = REPLACEWITHYOURDOMAINNAME
passdb backend = tdbsam
printing = cups
printcap name = cups
load printers = yes
cups options = raw
kerberos method = secrets and keytab
load printers = no
cups options = raw
printcap name = /dev/null
log file = /var/log/samba/log.%m
max log size = 50
#Test fix for idmap bug
idmap config * : backend = tdb
idmap config * : range = 300000-400000
[home directory]
path = /home/%u
comment = Home Directories
guest ok = no
browseable = yes
read only = no
inherit acls = yes
inherit permissions = yes
valid users = @"SOMEGROUP@YOURDOMAIN.TLD"
admin users = @"SOMEGROUP@YOURDOMAIN.TLD"
[printers]
comment = All Printers
path = /var/tmp
printable = Yes
create mask = 0600
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = @printadmin root
force group = @printadmin
create mask = 0664
directory mask = 0775
An example of what looks to me like some sane defaults, from http://www.hexblot.com/blog/centos-7-active-directory-and-samba, includes:
[global]
workgroup = MYDOMAINLOCAL
server string = Samba Server Version %v

# Add the IPs / subnets allowed access to the server in general.
# The following allows local and 10.0.*.* access
hosts allow = 127. 10.0.

# log files split per-machine:
log file = /var/log/samba/log.%m
# enable the following line to debug:
# log level = 3
# maximum size of 50KB per log file, then rotate:
max log size = 50

# Here comes the juicy part!
security = ads
encrypt passwords = yes
passdb backend = tdbsam
realm = MYDOMAIN.LOCAL

# Not interested in printers
load printers = no
cups options = raw

# This stops an annoying message from appearing in logs
printcap name = /dev/null
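Both configs above are easier to reason about with a tool that answers "what value does smbd actually use for this parameter?". The following is an added example, not code from the post or from Samba: a small POSIX shell/awk reader for smb.conf that resolves a parameter the way smbd does (section and parameter names are case-insensitive, whitespace inside a parameter name is ignored, and the last assignment in a section wins, which is why the duplicated printer settings in the first config are harmless), plus a check for the settings the AD join depends on and a listing of shares that allow anonymous access. The smb.conf it reads is constructed for the example; include = directives and backslash line continuations are not handled.

```shell
# Constructed smb.conf for the example (mirrors the post's, duplicates included).
SAMPLE_SMB_CONF=$(mktemp)
cat > "$SAMPLE_SMB_CONF" <<'EOF'
[global]
workgroup = YOURDOMAINNAMEWITHNOTLD
security = ads
realm = YOURDOMAIN.TLD
passdb backend = tdbsam
kerberos method = secrets and keytab
load printers = yes
printcap name = cups
; later assignments override the earlier ones, as in the post's config
load printers = no
printcap name = /dev/null
idmap config * : backend = tdb
idmap config * : range = 300000-400000

[home directory]
path = /home/%u
guest ok = no
read only = no
valid users = @"SOMEGROUP@YOURDOMAIN.TLD"

[scratch]
path = /srv/scratch
guest ok = yes
EOF

# smb_param FILE SECTION PARAMETER -> prints the effective value, nothing if unset
smb_param() {
  awk -v want_sec="$2" -v want_key="$3" '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    # parameter names: case-insensitive, internal whitespace irrelevant (smb.conf(5))
    function normkey(s) { s = tolower(s); gsub(/[ \t]+/, "", s); return s }
    BEGIN { want_key = normkey(want_key); want_sec = tolower(trim(want_sec)) }
    /^[ \t]*[#;]/ { next }                                   # comment line
    /^[ \t]*\[/ {                                            # [section] header
      sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
      sec = tolower(trim(sec)); next
    }
    index($0, "=") > 0 {
      eq = index($0, "=")
      if (sec == want_sec && normkey(substr($0, 1, eq - 1)) == want_key) {
        found = 1; val = trim(substr($0, eq + 1))            # last one wins
      }
    }
    END { if (found) print val }
  ' "$1"
}

# smb_check_ad FILE -> 0 when the parameters the AD setup depends on are present,
# 1 otherwise; each missing one is reported on stdout.
smb_check_ad() {
  f="$1"; rc=0
  [ "$(smb_param "$f" global security)" = "ads" ] \
    || { echo "global: security must be 'ads' for domain authentication"; rc=1; }
  [ -n "$(smb_param "$f" global realm)" ] \
    || { echo "global: realm is not set"; rc=1; }
  [ "$(smb_param "$f" global 'kerberos method')" = "secrets and keytab" ] \
    || { echo "global: kerberos method should be 'secrets and keytab' so smbd can use the keytab from the realm join"; rc=1; }
  [ -n "$(smb_param "$f" global 'idmap config * : range')" ] \
    || { echo "global: no idmap range for the default domain"; rc=1; }
  return $rc
}

# smb_guest_shares FILE -> prints the name of every section whose effective
# "guest ok" is yes/true/1, i.e. shares reachable without domain credentials.
smb_guest_shares() {
  awk '
    /^[ \t]*[#;]/ { next }
    /^[ \t]*\[/ { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next }
    { line = tolower($0); gsub(/[ \t]/, "", line) }
    line ~ /^guestok=/ && sec != "" {
      guest[sec] = (line ~ /^guestok=(yes|true|1)$/)
      if (!(sec in seen)) { seen[sec] = 1; order[++n] = sec }
    }
    END { for (i = 1; i <= n; i++) if (guest[order[i]]) print order[i] }
  ' "$1"
}

# Demo; on a real server point the functions at /etc/samba/smb.conf instead.
echo "effective 'load printers': $(smb_param "$SAMPLE_SMB_CONF" global 'load printers')"
smb_check_ad "$SAMPLE_SMB_CONF" && echo "AD settings present"
echo "guest shares: $(smb_guest_shares "$SAMPLE_SMB_CONF")"
# rm -f "$SAMPLE_SMB_CONF"   # remove the constructed file when done
```

This complements testparm rather than replacing it: testparm validates syntax and reports the effective values, but it does not tell you which of those values matter for domain authentication or which shares are open to guests.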
Now that Samba is set up to share /home, you’ll need to edit the permissions on /home so users can access their home folders. For Active Directory home folders, using the "domain users@addomainname.tld" group should be a good option.
chown root:"domain users@addomainname.tld" /home
chmod 0770 /home
Note about SELinux
If you haven’t disabled it (which you probably shouldn’t), then after finishing up and setting permissions you might find that you can’t access your shares; it might be SELinux. You either need to
(please don’t) disable it completely (by setting SELINUX=disabled in /etc/sysconfig/selinux), or
enter the following command for each share you make:
chcon -t samba_share_t /var/myshare
To share out home directories you will also need to run:
setsebool -P samba_enable_home_dirs on
Enable and Start SAMBA
systemctl enable smb.service
systemctl start smb.service
Congrats! You should now be able to authenticate to your Samba file shares with Active Directory credentials!
Helpful resources
Securing Samba shares: http://linux-training.be/networking/ch21.html
Notes on SELinux and best practice: https://wiki.centos.org/HowTos/SetUpSamba
Notes on integrating with AD (huge thanks to Hexblot): http://www.hexblot.com/blog/centos-7-active-directory-and-samba