Replacing Windows File Servers with CentOS 7
December 4, 2018•5,542 words
Replacing Windows File Servers with CentOS 7
After a fair amount of trial and error I finally have a process that’s working well for me. This is in no way a comprehensive guide on using SSSD with Samba to authenticate active directory users/groups to file shares but its a great start and is working well in my lab. Many thanks to all those who contributed to articles in the helpful resources list at the bottom.
Part 1: Install and configure SSSD
Packages needed for SSSD to work correctly
yum install realmd sssd adcli oddjob oddjob-mkhomedir samba-common-tools net-tools ntpdate ntp
Network Configuration
make sure you have a network connection, if you installed the above packages then you should be good.
Edit your network configuration:
vi /etc/sysconfig/network
Hostname=centoshostname.addomainname.tld
Edit your hosts file:
vi /etc/hosts
192.168.1.2 centoshostname.addomainname.tld
Restart networking
/etc/init.d/network restart
Setup System Time
systemctl enable ntpd.service
ntpdate yourdomaincontroller.yourdomain.tld
systemctl start ntpd.service
Note: some have noted that in order for things to work right you might need to add your DC as a server entry to /etc/ntp.conf, I have not yet needed to do this.
Join The Domain
sudo realm join -v -U domainuser addomainname.tld
You can use either the ID command against a user or use realm list to discover if you have joined the domain.
Considerations
Once you are domain joined anyone on the domain can SSH into the joined server.
You may want to lock down your sudoers policy
SSH Config
In order to limit what users are allowed to login to the newly joined server you will want to edit your ssh config /etc/ssh/sshd_config
Add the lines:
AllowGroups groupname@domain.whatever
Note: Adding an ad group to control ssh permissions is a good idea, if you were to add the group ssh-users in AD you would add the line:
AllowGroups ssh-users@domain.whatever
don’t assume group nesting will work, SSSD only looks at the immediate users of a group.
Note: Doing this will explicitly allow only members of domain group you listed to log in.
sudoers file
this is not the best or least privilege way to do this but it is the way that will allow you to control everything in AD, create a group in AD that you want to give sudoers rights to and add the following line to your sudoers file on your newly joined server.
Traditionally, the visudo command opens the /etc/sudoers file with the vi text editor.
%groupname@ADDOMAIN.TLD ALL=(ALL:ALL) ALL
caps may be required for the domain name.
Part 2: Install and configure SAMBA
Install SAMBA
Yum install samba
Make sure samba can talk threw the firewall
firewall-cmd --permanent --add-service=samba
firewall-cmd --reload
smb.conf working example
The following samba config file was pulled from a working server.
# See smb.conf.example for a more detailed config file or
# read the smb.conf manpage.
# Run 'testparm' to verify the config is correct after
# you modified it.
[global]
workgroup = YOURDOMAINNAMEWITHNOTLD
server string = Samba Server Version %v
encrypt passwords = yes
security = ads
realm = REPLACEWITHYOURDOMAINNAME
passdb backend = tdbsam
printing = cups
printcap name = cups
load printers = yes
cups options = raw
kerberos method = secrets and keytab
load printers = no
cups options = raw
printcap name = /dev/null
log file = /var/log/samba/log.%m
max log size = 50
#Test fix for idmap bug
idmap config * : backend = tdb
idmap config * : range = 300000-400000
[home directory]
path = /home/%u
comment = Home Directories
guest ok = no
browseable = yes
read only = no
inherit acls = yes
inherit permissions = yes
valid users = @“SOMEGROUP@YOURDOMAIN.TLD"
admin users = @"SOMEGROUP@YOURDOMAIN.TLD"
[printers]
comment = All Printers
path = /var/tmp
printable = Yes
create mask = 0600
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = @printadmin root
force group = @printadmin
create mask = 0664
directory mask = 0775
An example of what look to me like some sane defaults from http://www.hexblot.com/blog/centos-7-active-directory-and-samba includes:
[global]
workgroup = MYDOMAINLOCAL
server string = Samba Server Version %v
# Add the IPs / subnets allowed acces to the server in general.
# The following allows local and 10.0.*.* access
hosts allow = 127. 10.0.
# log files split per-machine:
log file = /var/log/samba/log.%m
# enable the following line to debug:
# log level =3
# maximum size of 50KB per log file, then rotate:
max log size = 50
# Here comes the juicy part!
security = ads
encrypt passwords = yes
passdb backend = tdbsam
realm = MYDOMAIN.LOCAL
# Not interested in printers
load printers = no
cups options = raw
# This stops an annoying message from appearing in logs
printcap name = /dev/null
Now that samba is setup to share /home youll need to edit permissions on /home so users can access their home folders. In the case of active directory domain home folders using “domain users@yourdomain.tld” should provide a good option.
chown root:"adgroupyoumade@yourdomain.tld" /home
chmod 0770 /home
Note about SELinux
If you haven’t disabled it (which you probably shouldn’t) Upon finishing up and setting permissions you might find that you can’t access your shares, it might be SELinux. You either need to
(Please don’t) disable it completely (by setting SELINUX=disabled in /etc/sysconfig/selinux ) or
enter the following command for each share you make:
chcon -t samba_share_t /var/myshare
To share out home directories you will need to run
setsebool -P samba_enable_home_dirs on
Enable and Start SAMBA
systemctl enable smb.service
systemctl start smb.service
Congrats! You should now be able to authenticate to your samba file shares using active directory authentication!
Helpful resources
Securing samba shares: http://linux-training.be/networking/ch21.html
Notes on SE Linus and best practice: https://wiki.centos.org/HowTos/SetUpSamba
Notes on integrating with AD (huge thanks to Hexblot) http://www.hexblot.com/blog/centos-7-active-directory-and-samba