Samba share with AD authentication

Updates

AD is great for a Windows environment. Now I have a guide for Samba shares with freeipa auth!

Overview

This document describes how to configure a Linux system joined to an AD environment to have a working Samba share for Windows users that uses the AD users and groups for authentication.

Preliminary steps

These steps are covered in the internal CentOS and Ubuntu 16.04 templates.

  • Ensure ntp is running and enabled
  • The server is joined to the domain

Setting up samba

Install samba (which should include samba-client and samba-common, at least for rpm)

CentOS 7:

yum -y install samba

Ubuntu 16.04:

apt-get install -y samba

Reference: https://www.howtoforge.com/samba-server-installation-and-configuration-on-centos-7#-preliminary-note

Open firewall

CentOS 7:

firewall-cmd --permanent --add-service=samba
systemctl restart firewalld.service

Ubuntu 16.04:

ufw allow samba

Reference: https://wiki.centos.org/HowTos/SetUpSamba

Modify /etc/samba/smb.conf

bup /etc/samba/smb.conf 2>/dev/null
cat <<EOFSMB > /etc/samba/smb.conf
[global]
        security = ads
        workgroup = EXAMPLE
        realm = EXAMPLE.COM
        kerberos method = system keytab
        netbios name = $( hostname -s )
        server string = Samba Server Version %v
        log file = /var/log/samba/log.%m
        max log size = 50
        dns proxy = no
        encrypt passwords = yes
        passdb backend = tdbsam
        load printers = no
        cups options = raw
        printcap name = /dev/null
[homes]
        comment = Home Directories
        browseable = no
        writable = yes

# END BASELINE SMB.CONF 
EOFSMB
/bin/cp -p /etc/samba/smb.conf /etc/samba/smb.conf.example

Reference for kerberos method: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/sssd-ad-integration.html

On CentOS 7 only, set SELinux to allow samba to share NFS locations if necessary.

setsebool -P samba_share_nfs 1

Reference: http://serverfault.com/questions/470878/is-there-a-way-to-share-via-smb-a-filesystem-mounted-via-nfs-without-disabling-s/470879#470879

Start and enable the samba service

CentOS 7:

systemctl enable smb
systemctl start smb

Ubuntu 16.04:

systemctl enable smbd nmbd
systemctl start smbd nmbd

Making smb.conf dynamic

Unfortunately smb.conf only supports including a single named file (include = /path/to/file), not a glob such as "include = /etc/samba/smb.conf.d/*.conf". With some modifications and a shell script, however, the glob behaviour can be simulated.
The script below takes a template file and an input directory of extra snippets and writes the combined output file.

cat <<'EOFSCRIPT' > /usr/local/bin/samba-conf
#!/bin/sh
# File: /usr/local/bin/samba-conf
# Rebuild /etc/samba/smb.conf from the template plus one "include =" line
# per *.conf snippet in /etc/samba/smb.conf.d/, replacing the live file
# only when the generated content differs.

infile1=/etc/samba/smb.conf.example
indir1=/etc/samba/smb.conf.d
outfile1=/etc/samba/smb.conf
tmpfile1=/etc/samba/smb.conf.orig.$( date "+%Y-%m-%d" ).$$

# POSIX test rather than [[ ]], since the script runs under /bin/sh
[ -f "${infile1}" ] || { echo "$0: Template not found: ${infile1}. Aborted." 1>&2 ; exit 1 ; }

{
   cat "${infile1}"
   printf "\n"
   # Only regular files ending in .conf; sorted so reruns produce identical output
   find "${indir1}" -type f -name '*.conf' 2>/dev/null | sort | sed -e 's/^/include = /'
} > "${tmpfile1}"

# Install the new config only if it differs, preserving the live file's mode
if ! diff -q "${tmpfile1}" "${outfile1}" >/dev/null 2>&1
then
   [ -f "${outfile1}" ] && /bin/chmod --reference="${outfile1}" "${tmpfile1}"
   /bin/cp -p "${tmpfile1}" "${outfile1}"
fi
/bin/rm -f "${tmpfile1}"
EOFSCRIPT
chmod 750 /usr/local/bin/samba-conf

Modify any files in /etc/samba/smb.conf.d/ and then run samba-conf.
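The following is an added example, not the post's own samba-conf script. It does the same assembly (template plus one "include =" line per snippet) as plain shell functions that can be pointed at any scratch directory, and adds a lint step that refuses to emit a config while any share snippet lacks a "valid users" line, since on a server whose whole point is AD authentication a share without that line is reachable by any domain account. The TEMPLATE and SNIPPETDIR paths are caller-supplied assumptions (the post's defaults are /etc/samba/smb.conf.example and /etc/samba/smb.conf.d); the function names are hypothetical. On a real host, run testparm -s on the assembled output as a final syntax check before it replaces the live smb.conf.

```shell
#!/bin/sh
# Added example (not the original post's samba-conf): assemble an smb.conf
# from a template and a snippet directory, and lint the snippets first.
# Paths are assumptions passed in by the caller.

# Print the template followed by one "include = <file>" line per regular
# *.conf file directly under the snippet directory. Sorted output keeps
# reruns byte-identical, so a "diff -q" against the live file stays quiet
# when nothing has changed.
build_smb_conf() {
    template="$1"
    snippetdir="$2"
    if [ ! -f "$template" ]; then
        echo "template not found: $template" >&2
        return 1
    fi
    cat "$template"
    printf '\n'
    if [ -d "$snippetdir" ]; then
        find "$snippetdir" -maxdepth 1 -type f -name '*.conf' | LC_ALL=C sort |
            sed 's/^/include = /'
    fi
}

# Return 0 if the share snippet sets "public = yes" or "guest ok = yes"
# (Samba treats the two keys as synonyms), i.e. it invites unauthenticated
# connections and deserves a second look on an AD-authenticated server.
guest_enabled() {
    grep -Eiq '^[[:space:]]*(public|guest ok)[[:space:]]*=[[:space:]]*(yes|true|1)' "$1"
}

# Return 0 when every snippet carries a "valid users =" line; otherwise name
# each offending file on stderr and return 1 so the caller stops before a
# share that any domain user could reach goes live. Guest-enabled shares
# are reported as a note but do not fail the lint.
lint_share_snippets() {
    snippetdir="$1"
    rc=0
    for f in "$snippetdir"/*.conf; do
        [ -f "$f" ] || continue
        if ! grep -Eq '^[[:space:]]*valid users[[:space:]]*=' "$f"; then
            echo "no 'valid users' in $f" >&2
            rc=1
        fi
        if guest_enabled "$f"; then
            echo "note: guest access enabled in $f" >&2
        fi
    done
    return $rc
}

# Usage when run as a script: ./samba-conf-check TEMPLATE SNIPPETDIR
# Prints the assembled config on stdout only if the snippets pass the lint.
if [ "$#" -eq 2 ]; then
    lint_share_snippets "$2" && build_smb_conf "$1" "$2"
fi
```

The lint deliberately fails closed: a missing "valid users" is an error rather than a warning because the failure mode it catches (a share that silently admits every domain account) is invisible from the Windows client side, which simply sees a share that works.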

Connecting client to the share

On a Windows client, use Windows Explorer and navigate to \\hostname.example.com\ and see if the share is available. If you must log in as a different user, you can use the Windows command on the command line:

net use \\hostname.example.com\bgscripts /user:example\bgscripts

Also to clear a connection to a shared location, use:

net use \\hostname.example.com\bgscripts /delete

Appendices

Sample share file /etc/samba/smb.conf.d/bgscripts.conf

mkdir -p /etc/samba/smb.conf.d/
cat <<EOF > /etc/samba/smb.conf.d/bgscripts.conf
[bgscripts]
        path = /mnt/scripts/share
        comment = Test samba share
        browsable = yes
        public = yes
        writable = yes
        valid users = @"Linux-Server-Access_grp@EXAMPLE.COM"
EOF

References

Weblinks

  1. https://wiki.centos.org/HowTos/SetUpSamba
  2. https://www.howtoforge.com/samba-server-installation-and-configuration-on-centos-7#-preliminary-note
  3. Complete working guide with AD users and everything: http://www.hexblot.com/blog/centos-7-active-directory-and-samba
  4. SELinux managing contexts: http://www.linuxquestions.org/questions/linux-security-4/selinux-and-help-with-chcon-762735/
  5. SELinux policy for sharing an NFS mount via Samba: http://serverfault.com/questions/470878/is-there-a-way-to-share-via-smb-a-filesystem-mounted-via-nfs-without-disabling-s/470879#470879
  6. Ubuntu needed help accessing AD through SSSD; solution found here: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/sssd-ad-integration.html

SELinux Policy: Managing File Contexts

Change file context:

chcon -R -t public_content_t /mydata/html

This does not persist across a relabel (e.g. a reboot)!

Add a new mapping:

semanage fcontext -a -t public_content_t '/mydata/html(/.*)?'

Apply the policy context to existing files:

restorecon -vvFR /mydata/html

Internal documents

  1. The environment required, including krb5.conf and sssd.conf, comes from Building the Centos 7 Template
  2. Firewall commands from Adding the service httpd