CentOS 6 SAMBA AD Member Server

This guide details the steps necessary to configure a SAMBA member server on CentOS, RHEL or Scientific Linux in an existing Windows Active Directory domain. It is assumed that you have already installed a basic, functional server and configured details such as hostname, IP, DNS, timezone, etc.

I used the CentOS minimal ISO. I also performed a “yum update” and a reboot prior to commencing installation and configuration.

Updated 10-12-2013: These instructions are still current for CentOS 6.5.

For the purposes of this guide, the environment details are as follows. You will need to substitute your own values as necessary:

LAN subnet:

AD domain: test.local
DC name: tstdc1.test.local

SAMBA name: tstms1.test.local

Install the required packages:

yum install -y ntpdate samba samba-client samba-winbind krb5-workstation policycoreutils-python

The main pre-requisites in any Active Directory environment are correct DNS configuration and correct time synchronisation. If either of these is incorrect, you will be chasing your tail.

Edit /etc/resolv.conf and make sure the SAMBA server is querying DNS against your DC:

domain test.local

You also need to synchronise the SAMBA server’s time on a regular basis through crontab. I configure my SAMBA servers to synchronise time with the DC every 6hrs under the “root” user crontab:

crontab -e

# Add the following (ntpdate needs a server to query; this uses the DC named above):
0 */4  * * * /usr/sbin/ntpdate tstdc1.test.local >/dev/null 2>&1

Perform an initial time synchronisation against your DC:


Edit /etc/samba/smb.conf to the following. Note that capitalisation is important:

[global]
	workgroup = TEST
	security = ads
	realm = TEST.LOCAL
	socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072
	use sendfile = true

	idmap config * : backend = tdb
	idmap config * : range = 100000-299999
	idmap config TEST : backend = rid
	idmap config TEST : range = 10000-99999
	winbind separator = +
	winbind enum users = yes
	winbind enum groups = yes
	winbind use default domain = yes
	winbind refresh tickets = yes
	restrict anonymous = 2
	log file = /var/log/samba/log.%m
	max log size = 50

#============================ Share Definitions ==============================

# Section name assumed from the share path below
[testshare]
	comment = Test share
	path = /samba/testshare
	read only = no
	force group = "Domain Users"
	directory mask = 0770
	force directory mode = 0770
	create mask = 0660
	force create mode = 0660
	# Hide share from users who don't have access
	access based share enum = yes
	# Hide files/directories if user doesn't have read access
	hide unreadable = yes
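As an added example (not code from the original guide), this Python snippet applies the idmap_rid mapping rule, ID = RID - BASE_RID + LOW_RANGE_ID with the default BASE_RID of 0, to the ranges configured above, and checks that the `*` and TEST ranges do not overlap, which would make mappings ambiguous. The SID used is a constructed sample.

```python
import re

# Constructed copy of the idmap lines from the smb.conf above (sample input for this example)
SMB_CONF_IDMAP = """
idmap config * : backend = tdb
idmap config * : range = 100000-299999
idmap config TEST : backend = rid
idmap config TEST : range = 10000-99999
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(\S+)", re.I)


def parse_idmap(conf):
    """Return {domain: {"backend": str, "low": int, "high": int}} from smb.conf text."""
    cfg = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
        entry = cfg.setdefault(dom, {})
        if key == "backend":
            entry["backend"] = val.lower()
        else:
            entry["low"], entry["high"] = (int(x) for x in val.split("-"))
    return cfg


def overlapping_ranges(cfg):
    """Pairs of idmap domains whose ID ranges overlap (a misconfiguration)."""
    doms = sorted(cfg)
    return [(a, b) for i, a in enumerate(doms) for b in doms[i + 1:]
            if cfg[a]["low"] <= cfg[b]["high"] and cfg[b]["low"] <= cfg[a]["high"]]


def rid_from_sid(sid):
    """Last component of a SID, e.g. 513 for the Domain Users group."""
    return int(sid.rsplit("-", 1)[1])


def rid_to_id(cfg, domain, rid):
    """Unix ID chosen by idmap_rid: ID = RID - BASE_RID + LOW_RANGE_ID (BASE_RID is 0 here).
    Returns None when the result falls outside the domain's range, i.e. no ID is assigned."""
    entry = cfg[domain.upper()]
    if entry.get("backend") != "rid":
        raise ValueError("%s does not use the rid backend" % domain)
    unix_id = rid + entry["low"]
    return unix_id if entry["low"] <= unix_id <= entry["high"] else None
```

With the ranges above, Domain Users (RID 513) becomes GID 10513 and Administrator (RID 500) becomes UID 10500; any RID of 90000 or more gets no mapping because it would exceed 99999.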

Edit /etc/krb5.conf to the following. Again, capitalisation is important:

[logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log

[libdefaults]
  default_realm = TEST.LOCAL
  ticket_lifetime = 24h
  forwardable = yes

[appdefaults]
  pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
  }

Some SAMBA /etc/krb5.conf examples I have seen include [realms] and [domain_realm] stanzas specifying the KDC manually. I leave them out because Active Directory DNS publishes the Kerberos server details based on your AD site and domain controller topology. Configuring those settings manually could result in failure (if you ever removed the domain controller) or sub-optimal performance if you’re not connecting to your closest domain controller.

You also need to update the following two lines in /etc/nsswitch.conf, appending “winbind” as follows:

passwd: files winbind
group: files winbind

Now you’re ready to join the SAMBA server to the domain:

net ads join -U administrator
# Enter your TEST\administrator password when prompted

You should see a message saying the server was joined to the domain successfully. You will probably also see a message saying DNS could not be updated. At this point I manually create an “A” record on my DC pointing to the SAMBA server.

If the domain join fails, it is most likely due to incorrect DNS settings or time synchronisation on your SAMBA server. Double-check them.

Restart your SAMBA services:

service winbind restart
service nmb restart
service smb restart

At this point, your SAMBA server is a member of your AD domain and you should be able to list your AD users and groups with the following commands:

# List your AD users
wbinfo -u
getent passwd

# List your AD groups
wbinfo -g
getent group

If domain membership is operating correctly, you can update the firewall to allow other domain members to connect. Edit /etc/sysconfig/iptables and add the following lines before the icmp-reject-unreachable rule:

-A INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 135 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT

Apply the new IPTables rules:

service iptables restart

If you don’t add those rules before the unreachable rule, you’ll probably waste a bit of time trying to work out why your AD clients can’t connect to your SAMBA server. It’s because you’re firewalling them off.
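An added check for the ordering gotcha just described (example code, not from the original guide): it scans an /etc/sysconfig/iptables-style ruleset and lists the Samba ports that are missing from the INPUT chain or that sit below its REJECT, where packets never reach them. The ruleset is a constructed sample.

```python
import re

# Constructed /etc/sysconfig/iptables content (sample input, not from the guide): the guide's
# five Samba rules placed before the INPUT chain's final REJECT, as the text requires.
IPTABLES_OK = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 135 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# (protocol, port) pairs the guide opens for AD clients
REQUIRED = {("udp", 137), ("udp", 138), ("tcp", 135), ("tcp", 139), ("tcp", 445)}

ACCEPT_RE = re.compile(r"^-A INPUT .*?-p (tcp|udp)\b.*?--dport (\d+)\b.*?-j ACCEPT\b")


def unreachable_samba_rules(rules_text):
    """Return the required (proto, port) pairs that are either absent from the INPUT chain
    or appear only after its first REJECT/DROP, where iptables never evaluates them.
    Simplification: any REJECT/DROP in INPUT is treated as shadowing everything below it."""
    terminated = False
    reachable = set()
    for line in rules_text.splitlines():
        if not line.startswith("-A INPUT"):
            continue
        if re.search(r"-j (REJECT|DROP)\b", line):
            terminated = True
            continue
        m = ACCEPT_RE.match(line)
        if m and not terminated:
            reachable.add((m.group(1), int(m.group(2))))
    return sorted(REQUIRED - reachable)
```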

Next we need to create the directory for the file share. Assuming you’re storing your shares on their own mount point or just within their own /samba directory:

mkdir -p /samba/testshare
chmod 0770 /samba/testshare
chgrp "Domain users" /samba/testshare
# Quote a regex so semanage records a rule for /samba and everything under it;
# an unquoted /samba/* is expanded by the shell and only covers the paths that exist now
semanage fcontext -a -t samba_share_t "/samba(/.*)?"
restorecon -R -v /samba

At this point you should be able to connect to the share from another AD member. If it fails, try restarting the services:

service winbind restart
service smb restart
service nmb restart

If you can successfully connect to the share, you are ready to set your services to start on boot:

chkconfig --level 345 winbind on
chkconfig --level 345 smb on
chkconfig --level 345 nmb on

If you’re not able to browse the SAMBA server, you need to confirm the following details:

  1. DNS is correct
  2. Time synchronisation (within 5mins for Kerberos)
  3. /etc/nsswitch.conf includes the “winbind” updates
  4. IPTables is allowing UDP – 137, 138 and TCP – 135, 139, 445
  5. You’ve set the correct SELinux context on your share directory. It should be “samba_share_t”

7 thoughts on “CentOS 6 SAMBA AD Member Server”

  1. Thank you for an excellent post. I’ve been tearing my hair out with this one for the past two days. I could see all the AD groups and users from Scientific Linux 6.6 but couldn’t get them connecting to a working share. 28 hours of effort in the past 2 days and this write up solved the final piece of the puzzle. Maybe I will be able to sleep tonight!

  2. Thanks for this article. It works perfectly. I just have a question: I always have to apply the net ads join after a reboot; is there a solution to do this automatically?

    • Hey btissam, you simply have to make sure you have added the server in Active Directory. Also make sure you have the following file on your system, /etc/krb5.keytab.

  3. The instructions above just lead to

    # kinit [email protected]
    # net ads join -k
    Failed to join domain: failed to lookup DC info for domain ‘REALM’ over rpc: Logon failure

    • Your kerberos realm would be REALM.LOCAL or something similar. You should just be able to say:

      # kinit administrator

      Since the net ads join is saying it can’t find the DC info it sounds like a DNS issue.
