Samba share with AD authentication


AD is great for a Windows environment. Now I have a guide for Samba shares with freeipa auth!


This document describes how to configure a Linux system joined to an AD environment to have a working Samba share for Windows users that uses the AD users and groups for authentication.

Preliminary steps

These steps are covered in the internal CentOS and Ubuntu 16.04 templates.

  • Ensure ntp is running and enabled
  • The server is joined to the domain

Setting up samba

Install samba (which should include samba-client and samba-common, at least for rpm)

CentOS 7:

yum -y install samba

Ubuntu 16.04:

apt-get install -y samba


Open firewall

CentOS 7:

firewall-cmd --permanent --add-service=samba
systemctl restart firewalld.service

Ubuntu 16.04:

ufw allow samba

Modify /etc/samba/smb.conf

# bup (bgscripts backup helper) keeps a dated copy of the old file; the redirect hides the error if it is not installed
bup /etc/samba/smb.conf 2>/dev/null
cat <<EOFSMB > /etc/samba/smb.conf
[global]
        security = ads
        workgroup = EXAMPLE
        realm = EXAMPLE.COM
        kerberos method = system keytab
        netbios name = $( hostname -s )
        server string = Samba Server Version %v
        log file = /var/log/samba/log.%m
        max log size = 50
        dns proxy = no
        encrypt passwords = yes
        passdb backend = tdbsam
        load printers = no
        cups options = raw
        printcap name = /dev/null

[homes]
        comment = Home Directories
        browseable = no
        writable = yes
EOFSMB
/bin/cp -p /etc/samba/smb.conf /etc/samba/smb.conf.example

Reference for kerberos method:
On CentOS 7 only, set SELinux to allow samba to share nfs locations if necessary.

setsebool -P samba_share_nfs 1

Start and enable the samba service

CentOS 7:

systemctl enable smb
systemctl start smb

Ubuntu 16.04:

systemctl enable smbd nmbd
systemctl start smbd nmbd

Making smb.conf dynamic

Unfortunately smb.conf has no wildcard include such as “include = /etc/samba/smb.conf.d/*.conf”; each include directive must name a single file. With a small change to the layout and a shell script, the same effect can be simulated.
The script below combines a template file, an input directory of extra snippets, and an output file.

cat <<'EOFSCRIPT' > /usr/local/bin/samba-conf
#!/bin/bash
# File: /usr/local/bin/samba-conf
# Purpose: build the live smb.conf from a template plus one "include =" line per
# snippet in the snippet directory, replacing the live file only when it changed.

# Paths (these three assignments are assumed from the surrounding steps: the
# template is the smb.conf.example copy made earlier in this guide)
infile1=/etc/samba/smb.conf.example   # template
indir1=/etc/samba/smb.conf.d          # snippet directory
outfile1=/etc/samba/smb.conf          # generated file
tmpfile1=/etc/samba/smb.conf.orig.$( date "+%Y-%m-%d").$$

[[ ! -f "${infile1}" ]] && echo "$0: 2. Template not found: ${infile1}. Aborted." 1>&2 && exit 1

# Assemble template + include lines into a temporary file
{
   cat "${infile1}"
   printf "\n"
   find "${indir1}" -type f -regex ".*\.conf" 2>/dev/null | sed -e 's/^/include = /;'
} > "${tmpfile1}"

# Replace the live config only if it differs, keeping its ownership and mode
{
   if ! diff -q "${tmpfile1}" "${outfile1}";
   then
      /bin/chmod --reference="${outfile1}" "${tmpfile1}"
      /bin/cp -p "${tmpfile1}" "${outfile1}"
      /bin/rm -rf "${tmpfile1}"
   else
      /bin/rm -rf "${tmpfile1}"
   fi
} >/dev/null 2>&1
EOFSCRIPT
chmod 750 /usr/local/bin/samba-conf

Modify any files in /etc/samba/smb.conf.d/ and then run samba-conf.
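An added example, not the post's own samba-conf script: the same template-plus-includes build, with two checks a practitioner would want before an include line is generated. A snippet must be a regular file rather than a symlink, and must not be world-writable, because whoever can edit a snippet controls the whole smb.conf. The function names are mine; the template, snippet directory and output paths are whatever the caller passes (for the layout in this guide that would be /etc/samba/smb.conf.example, /etc/samba/smb.conf.d and /etc/samba/smb.conf, the first of which is an assumption about which file serves as the template).

```shell
#!/bin/bash
# Added example (not from the original post): merge a Samba template with
# "include =" lines for snippets, refusing snippets that are symlinks or
# world-writable, and install the result only when it actually changed.

# build_smb_conf TEMPLATE SNIPPET_DIR
#   prints the merged configuration on stdout; returns 1 if the template is
#   missing or any *.conf snippet was rejected (rejections are reported on stderr)
build_smb_conf() {
    local template=$1 snipdir=$2 rc=0 f
    [ -f "$template" ] || { echo "template not found: $template" >&2; return 1; }
    cat "$template"
    printf '\n'
    for f in "$snipdir"/*.conf; do
        # an empty directory leaves the glob unexpanded; skip that literal name
        [ -e "$f" ] || [ -L "$f" ] || continue
        if [ -L "$f" ]; then
            echo "refusing symlink snippet: $f" >&2; rc=1; continue
        fi
        if [ ! -f "$f" ]; then
            echo "refusing non-regular snippet: $f" >&2; rc=1; continue
        fi
        # -perm -002: "others" have write permission on the snippet
        if [ -n "$(find "$f" -perm -002)" ]; then
            echo "refusing world-writable snippet: $f" >&2; rc=1; continue
        fi
        printf 'include = %s\n' "$f"
    done
    return "$rc"
}

# refresh_smb_conf TEMPLATE SNIPPET_DIR OUTPUT
#   rebuilds OUTPUT only when the merged text differs and prints "updated" or
#   "unchanged"; if any snippet was rejected, OUTPUT is left untouched and 1 is returned
refresh_smb_conf() {
    local tmp
    tmp=$(mktemp) || return 1
    if ! build_smb_conf "$1" "$2" > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    if [ -f "$3" ] && cmp -s "$tmp" "$3"; then
        echo unchanged
    else
        # overwrite in place so OUTPUT keeps its existing owner and mode
        cat "$tmp" > "$3"
        echo updated
    fi
    rm -f "$tmp"
}
```

Usage after editing snippets: `refresh_smb_conf /etc/samba/smb.conf.example /etc/samba/smb.conf.d /etc/samba/smb.conf`. A non-zero exit means a snippet was rejected and the live file was not touched; it is worth following a successful run with `testparm -s` so Samba itself parses the generated file before the daemons pick it up.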

Connecting client to the share

On a Windows client, open Windows Explorer and navigate to \\\ to see whether the share is listed. To connect as a different user instead, run the following at a Windows command prompt:

net use \\\bgscripts /user:example\bgscripts

Also to clear a connection to a shared location, use:

net use \\\bgscripts /delete


Sample share file /etc/samba/smb.conf.d/bgscripts.conf

mkdir -p /etc/samba/smb.conf.d/
cat <<EOF > /etc/samba/smb.conf.d/bgscripts.conf
[bgscripts]
        path = /mnt/scripts/share
        comment = Test samba share
        browsable = yes
        public = yes
        writable = yes
        valid users = @"Linux-Server-Access_grp@EXAMPLE.COM"
EOF
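The sample share above combines public = yes with writable = yes and relies on valid users to gate who gets in. As an added example that is not from the post, here is a small audit that walks a merged smb.conf and reports, per share, whether guest access, write access and a valid users list are set, returning non-zero if any share is guest-accessible and writable with no valid users list. The key synonyms it understands (public/guest ok, writable/writeable/read only) are Samba's own; the scoring, the function names and the configuration embedded in sample_config are mine, constructed for the demo, with an extra [dropbox] share that trips the check.

```shell
#!/bin/bash
# Added example (not from the original post): audit share sections of an smb.conf
# for the combination guest access + write access + no "valid users" restriction.

# audit_shares FILE
#   prints one line per share:  NAME guest=yes|no writable=yes|no valid_users=yes|no
#   returns 0 if every guest-accessible, writable share has a valid users list, else 1
audit_shares() {
    awk '
    function isyes(v) { return (v == "yes" || v == "true" || v == "1") }
    function flush() {
        if (sec != "" && sec != "global") {
            printf "%s guest=%s writable=%s valid_users=%s\n", sec, guest, writ, vu
            if (guest == "yes" && writ == "yes" && vu == "no") bad = 1
        }
        guest = "no"; writ = "no"; vu = "no"
    }
    BEGIN { bad = 0; sec = ""; guest = "no"; writ = "no"; vu = "no" }
    # section header such as [bgscripts]
    /^[ \t]*\[/ { flush(); sec = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", sec); next }
    # comments and blank lines
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
    {
        n = index($0, "="); if (n == 0) next
        key = tolower(substr($0, 1, n - 1)); val = tolower(substr($0, n + 1))
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        # Samba synonyms: public == guest ok; writable == writeable == (read only = no)
        if (key == "guest ok" || key == "public")            guest = isyes(val) ? "yes" : "no"
        else if (key == "writable" || key == "writeable")    writ  = isyes(val) ? "yes" : "no"
        else if (key == "read only")                         writ  = (val == "no" || val == "false" || val == "0") ? "yes" : "no"
        else if (key == "valid users")                       vu    = (val != "") ? "yes" : "no"
    }
    END { flush(); exit bad }
    ' "$1"
}

# sample_config DIR
#   writes a constructed smb.conf (the guide's [global]/[homes]/[bgscripts] plus a
#   deliberately loose [dropbox] share) into DIR and prints its path
sample_config() {
    cat > "$1/smb.conf" <<'EOF'
[global]
        security = ads
        workgroup = EXAMPLE
[homes]
        comment = Home Directories
        browseable = no
        writable = yes
[bgscripts]
        path = /mnt/scripts/share
        public = yes
        writable = yes
        valid users = @"Linux-Server-Access_grp@EXAMPLE.COM"
[dropbox]
        path = /srv/dropbox
        guest ok = yes
        read only = no
EOF
    printf '%s\n' "$1/smb.conf"
}
```

Run it as `audit_shares /etc/samba/smb.conf` after samba-conf has regenerated the file. A flagged share is a review item rather than proof of an open share: with security = ads, anonymous access additionally depends on map to guest in [global], whose default is Never, but a guest-and-writable share with no valid users list is exactly the kind of snippet that should not be merged without someone noticing.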

SELinux Policy: Managing File Contexts

Change file context (does not persist across a relabel, e.g. a reboot):

chcon -R -t public_content_t /mydata/html

Add a new persistent mapping:

semanage fcontext -a -t public_content_t '/mydata/html(/.*)?'

Apply the policy context to existing files:

restorecon -vvFR /mydata/html

References

  1. SELinux policy
  2. Ubuntu needed help accessing AD through SSSD. Found solution here
  3. Complete working guide with AD users and everything
  4. SELinux managing contexts

Internal documents

  1. The environment required, including krb5.conf and sssd.conf, comes from Building the Centos 7 Template
  2. Firewall commands from Adding the service httpd
