Samba share with AD auth, 2020 May edition

Overview

I wrote about this topic almost 4 years ago: Samba share with AD authentication
This article is the updated version. It has a different environment and purpose, as well as a new version of samba that requires a workaround.
The goal today is just to get a quick home directories share.

Prerequisites

  • Server is joined to the domain
  • Working on CentOS 7. The previous article included Ubuntu commands for the package manager and firewall.

Setting up Samba

Install the packages, including the server package.

yum -y install samba

Open the firewall.

firewall-cmd --permanent --add-service=samba
systemctl restart firewalld.service

Configure Samba.

cat <<EOFSMB > /etc/samba/smb.conf
[global]
   workgroup = EXAMPLE
   security = ads
   realm = EXAMPLE.COM
   kerberos method = system keytab
   netbios name = $( hostname -s )
   server string = Description here
   log file = /var/log/samba/log.%m
   max log size = 50
   dns proxy = no
   encrypt passwords = yes
   passdb backend = tdbsam
   printcap name = /dev/null
   load printers = no

[homes]
   comment = Home Directories
   valid users = user1, user2, @group1
   browseable = No
   read only = No
   inherit acls = Yes
   guest only = no
EOFSMB
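
A check for the file just written, as an added example that is not part of the original article: because the heredoc is unquoted, `$( hostname -s )` is expanded when the file is created, so the script confirms the resulting `netbios name` is non-empty and within the 15-character NetBIOS limit, and that `security = ads` and the `[homes]` `valid users` restriction are present. The function names `smb_param` and `audit_smb_conf` and the sample host name are assumptions made for the example.

```shell
# smb_param FILE SECTION KEY: print the value of KEY in SECTION (empty if unset).
# Section and parameter names are matched ignoring case and whitespace.
smb_param() {
    awk -v want_sec="$2" -v want_key="$3" '
        function norm(s) { gsub(/[ \t]/, "", s); return tolower(s) }
        /^[ \t]*[#;]/ { next }                          # comment line
        /^[ \t]*\[.*\][ \t]*$/ {                        # section header
            sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\][ \t]*$/, "", sec)
            sec = norm(sec); next
        }
        sec == norm(want_sec) && (eq = index($0, "=")) {
            if (norm(substr($0, 1, eq - 1)) != norm(want_key)) next
            val = substr($0, eq + 1)                    # a later line overrides
            gsub(/^[ \t]+|[ \t]+$/, "", val)            # trim the value
        }
        END { print val }
    ' "$1"
}

# audit_smb_conf FILE: print one line per finding; return 0 only if there are none.
audit_smb_conf() {
    findings=0
    fail() { echo "FINDING: $*"; findings=$((findings + 1)); }
    sec=$(smb_param "$1" global security | tr '[:upper:]' '[:lower:]')
    [ "$sec" = "ads" ] || fail "[global] security is not ads"
    nb=$(smb_param "$1" global "netbios name")
    [ -n "$nb" ] || fail "netbios name is empty (did hostname -s print nothing?)"
    # NetBIOS names hold at most 15 characters.
    [ "${#nb}" -le 15 ] || fail "netbios name '$nb' is longer than 15 characters"
    [ -n "$(smb_param "$1" homes "valid users")" ] ||
        fail "[homes] has no valid users restriction"
    [ "$findings" -eq 0 ]
}

# Constructed sample: the article's settings with an over-long short host name.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[global]
   security = ADS
   NetBIOS Name = fileserver-building-7
[homes]
   valid users = user1, user2, @group1
EOF
audit_smb_conf "$sample" || echo "audit failed: fix the findings above"
rm -f "$sample"
```

On the server itself, run `audit_smb_conf /etc/samba/smb.conf` after the heredoc step and before starting the services.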

Starting with Samba 4.9.1, a workaround is needed for Samba to work when the id mapping is not set up thoroughly. This example does not do any id mapping, so use this quick and dirty fix.

net -s /dev/null groupmap add sid=S-1-5-32-546 unixgroup=nobody type=builtin

You can see the custom mapping for the guest user with:

$ net -s /dev/null groupmap list
nobody (S-1-5-32-546) -> nobody

Reference: 1648399 – Samba 4.9.1: smb.service fails with ERROR: failed to setup guest info (RHBZ)

And enable and start the services.

systemctl enable --now smb nmb

This command enables both services (so they run at system startup) and starts them immediately. NMB is the NetBIOS name server. It helps the main Samba daemon in ways deeper than I care to research.

Configuring SELinux

Set a few SE booleans.

for word in samba_export_all_rw samba_create_home_dirs ; do setsebool -P "${word}" 1 ; done
