This guide details the steps required to configure Samba as an Active Directory member server on CentOS 8.


The following assumptions are made; substitute your own values unless you have built a test DC just to follow this guide:

AD Domain/realm: TEST.LOCAL
NetBIOS domain: TEST
AD DC: TSTDC1
CentOS Server: TSTLNX1
TSTLNX1 has been configured to use TSTDC1 for DNS
  1. Boot from DVD ISO
  2. Configure static network settings, geographical location (for time sync), destination drive, etc
  3. Ensure “Software Selection” is set to “Minimal”
  4. Begin the installation, setting your “root” user password during the process and creating an additional user if you like
  5. Reboot when prompted
  6. Ensure base system is fully updated:
    # yum update -y
  7. Reboot
  8. Install required packages:
    # yum install -y samba samba-client samba-winbind samba-winbind-clients krb5-workstation policycoreutils-python-utils
  9. Move the stock /etc/samba/smb.conf aside and replace it with the example below:
    [global]
    	workgroup = TEST
    	server string = Samba Server Version %v
    	security = ads
    	realm = TEST.LOCAL
    	domain master = no
    	local master = no
    	preferred master = no
    	# Optional tuning: modern kernels autotune socket buffers, so only keep this if you have measured a benefit
    	socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072
    	use sendfile = true
    
    	# The default ("*") range and the TEST range must not overlap; an overlap could give two SIDs the same Unix ID
    	idmap config * : backend = tdb
    	idmap config * : range = 100000-299999
    	# rid is deterministic (Unix ID = RID + range low), so IDs match on every member server that uses this config
    	idmap config TEST : backend = rid
    	idmap config TEST : range = 10000-99999
    	
    	winbind separator = +
    	# Enumeration makes getent list the whole domain; handy for testing, expensive in large domains, so turn it off once verified
    	winbind enum users = yes
    	winbind enum groups = yes
    	winbind use default domain = yes
    	winbind nested groups = yes
    	winbind refresh tickets = yes
    	template homedir = /home/%D/%U
    	template shell = /bin/bash
    	
    	# Kerberos/NTLMv2 client behaviour (the defaults in current Samba, spelled out for clarity)
    	client use spnego = yes
    	client ntlmv2 auth = yes
    	encrypt passwords = yes
    	# Refuse anonymous (null session) connections, including to IPC$
    	restrict anonymous = 2
    	
    	log file = /var/log/samba/log.%m
    	max log size = 50
    
    #============================ Share Definitions ==============================
    
    [testshare]
    	comment = Test share
    	path = /samba/testshare
    	read only = no
    	# Same group that owns /samba/testshare on disk (step 16)
    	valid users = @"TEST+Domain Users"
    	force group = "Domain Users"
    	directory mode = 0770
    	force directory mode = 0770
    	create mode = 0660
    	force create mode = 0660
    	# Hide share from users who don't have access
    	access based share enum = yes
    	# Hide files/directories if user doesn't have read access
    	hide unreadable = yes
  10. Create /etc/krb5.conf.d/TEST.LOCAL as below (the stock /etc/krb5.conf on CentOS 8 has an includedir for /etc/krb5.conf.d/, so the drop-in is picked up without editing the main file):
    [logging]
        default = FILE:/var/log/krb5libs.log
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmind.log
    
    [libdefaults]
        default_realm = TEST.LOCAL
        ticket_lifetime = 24h
        forwardable = yes
    
    [appdefaults]
        pam = {
            debug = false
            ticket_lifetime = 36000
            renew_lifetime = 36000
            forwardable = true
        }
    
    * There is deliberately no [realms] section: MIT Kerberos locates the KDC through DNS SRV records, which is why TSTLNX1 must use TSTDC1 for DNS
  11. Edit /etc/nsswitch.conf and append winbind to the passwd and group lines so that they read:
    passwd:      sss files systemd winbind
    group:       sss files systemd winbind
    * On CentOS 8 this file is generated by authselect, which overwrites manual edits the next time it is applied; if you manage authentication with authselect, switch to its winbind profile instead of editing the file by hand
  12. Update the firewall to allow the Samba services:
    # firewall-cmd --zone=public --add-service=samba --permanent && firewall-cmd --reload
  13. Join the server to the domain. The command below uses the domain administrator; the least-privilege choice is an account delegated only the right to create and manage computer objects in the target OU, so that the password typed here is not a Domain Admin's. Before joining, confirm that Kerberos works by obtaining a ticket for a domain account with kinit; if that fails, fix DNS and time synchronisation first, because nothing after this point will work:
    # net ads join --no-dns-updates -U administrator
    # net ads testjoin
    * Should return "Join OK"
    * Because of --no-dns-updates the join registers no DNS record, so manually create an A record for TSTLNX1 on a DC
    * Move the new computer object to the appropriate OU within your AD structure, or pass createcomputer="<your OU>" to net ads join to create it there in the first place
  14. Restart the Samba services with the new configuration (nmb only provides NetBIOS name resolution and browsing; AD clients use DNS and Kerberos, so it is optional but harmless):
    # systemctl restart smb && systemctl restart nmb && systemctl restart winbind
  15. Test that you can see your AD users and groups (getent lists the whole domain only because winbind enum users/groups is on; lookups of a single name work regardless):
    # wbinfo -u
    # wbinfo -g
    # getent passwd
    # getent group
  16. Create the share location and label it for Samba under SELinux:
    # mkdir -p /samba/testshare
    # chmod 0770 /samba/testshare
    # chgrp "Domain Users" /samba/testshare
    # semanage fcontext -a -t samba_share_t "/samba(/.*)?"
    # restorecon -R -v /samba
    * The fcontext argument is a regular expression and must be quoted: an unquoted /samba/* is expanded by the shell into the directories that exist right now, so anything created under /samba later would not get samba_share_t and Samba would be denied access to it
  17. You should now be able to connect to \\TSTLNX1\testshare and create files and directories as any AD user who is a member of the “Domain Users” group
  18. If you check /samba/testshare on TSTLNX1 you should be able to see the files/directories
  19. Make sure all services are enabled to start after reboots:
    # systemctl enable smb && systemctl enable nmb && systemctl enable winbind
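The checks from steps 13 to 16 gathered into one script, as an added example that is not part of the original guide. The offline part parses the idmap lines of an smb.conf, verifies that the ranges are well-formed and do not overlap, and predicts the ID the rid backend will assign (Unix ID = RID + range low, so with the TEST range above Domain Users, RID 513, becomes gid 10513 and Administrator, RID 500, uid 10500); the live part runs testparm, net ads testjoin, wbinfo -t, getent and matchpathcon only when those tools exist on the box. It assumes a POSIX sh with sed and awk, and the sample configuration embedded in it is constructed from the step 9 smb.conf; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example for this guide (not part of the original post).
# Offline: parse the idmap lines of an smb.conf, check the ranges, and predict
# the rid-backend IDs. Live: run the on-box checks when the tools are present.
# Assumes POSIX sh, sed and awk.

# idmap_ranges FILE
# Print "DOMAIN LOW HIGH" for each "idmap config DOMAIN : range = LOW-HIGH" line.
idmap_ranges() {
    sed -n 's/^[[:space:]]*idmap config[[:space:]]*\([^[:space:]:]*\)[[:space:]]*:[[:space:]]*range[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*-[[:space:]]*\([0-9][0-9]*\).*/\1 \2 \3/p' "$1"
}

# check_idmap_ranges FILE
# Return 0 when every range has LOW < HIGH and no two ranges overlap.
# An overlap (for example the "*" tdb range inside the TEST rid range) can hand
# two different SIDs the same Unix ID, which silently merges their file access.
check_idmap_ranges() {
    idmap_ranges "$1" | awk '
        BEGIN { bad = 0 }
        $2 >= $3 { printf "bad range for %s: %s-%s\n", $1, $2, $3; bad = 1 }
        { dom[NR] = $1; lo[NR] = $2 + 0; hi[NR] = $3 + 0 }
        END {
            for (i = 1; i <= NR; i++)
                for (j = i + 1; j <= NR; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                        printf "overlap: %s (%d-%d) and %s (%d-%d)\n",
                               dom[i], lo[i], hi[i], dom[j], lo[j], hi[j]
                        bad = 1
                    }
            exit bad
        }'
}

# rid_to_id LOW RID
# idmap_rid is deterministic: Unix ID = RID + range low (base_rid left at 0).
rid_to_id() {
    echo $(( $1 + $2 ))
}

# expected_id FILE DOMAIN RID
# Predict the ID winbind will report for a RID in a rid-backed domain, so it
# can be compared with what getent shows after the join.
expected_id() {
    _low=$(idmap_ranges "$1" | awk -v d="$2" '$1 == d { print $2; exit }')
    [ -n "$_low" ] || { echo "no idmap range for domain $2" >&2; return 1; }
    rid_to_id "$_low" "$3"
}

# live_checks SMBCONF SHAREDIR
# The verification from steps 13-16, each only attempted if the tool exists.
live_checks() {
    command -v testparm >/dev/null 2>&1 && testparm -s "$1" >/dev/null   # syntax and parameter sanity
    command -v net >/dev/null 2>&1 && net ads testjoin                   # expects "Join OK"
    command -v wbinfo >/dev/null 2>&1 && wbinfo -t                       # machine account trust secret
    command -v getent >/dev/null 2>&1 && getent group "Domain Users"     # gid should equal expected_id for RID 513
    command -v matchpathcon >/dev/null 2>&1 && matchpathcon -V "$2"      # on-disk label versus the samba_share_t rule
    return 0
}

# Constructed sample: the idmap-relevant lines of the smb.conf from step 9.
sample_conf() {
    cat <<'EOF'
[global]
    workgroup = TEST
    security = ads
    realm = TEST.LOCAL
    idmap config * : backend = tdb
    idmap config * : range = 100000-299999
    idmap config TEST : backend = rid
    idmap config TEST : range = 10000-99999
EOF
}

# Usage: ./smb-member-check.sh [/etc/samba/smb.conf [/samba/testshare]]
# Without arguments it runs the offline checks against the constructed sample.
main() {
    conf=${1:-}
    if [ -z "$conf" ]; then
        conf=$(mktemp) && sample_conf > "$conf"
        trap 'rm -f "$conf"' EXIT
    fi
    check_idmap_ranges "$conf" && echo "idmap ranges OK"
    echo "Domain Users (RID 513) should be gid $(expected_id "$conf" TEST 513)"
    echo "Administrator (RID 500) should be uid $(expected_id "$conf" TEST 500)"
    [ -n "${1:-}" ] && live_checks "$conf" "${2:-/samba/testshare}"
    return 0
}

main "$@"
```

Run it with no arguments on any machine to see the predicted IDs for the sample configuration, and with the real smb.conf path on TSTLNX1 after step 16 to run the live checks; if getent reports a different gid for Domain Users than the script predicts, the TEST range in the live file is not the one in this guide.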
Categories: CentOS