SvennD
Samba login using windows AD on Centos 7
May 4, 2018

Samba login using windows AD on Centos 7

Posted on May 4, 2018  •  6 minutes  • 1192 words  •  Suggest Changes

I’m no expert on this, but I had to google everything together so many times, I made a soon-to-be-outdated half-ass guide on how to let users access a samba share on Linux using the windows domain controller “AD” (active directory) or at least how I got it to work. Let me know if it worked out for you or if you hit a brick wall. Perhaps we need to tune the sound a bit ;-).

Dependency’s

They might be needed or not, I have no clue, just install them already.

yum install sssd realmd oddjob oddjob-mkhomedir adcli krb5-workstation openldap-clients policycoreutils-python samba samba-client samba-common samba-common-tools ntpdate ntp

sssd, is a relatively new method of getting the system to talk to the AD server. Samba obviously is needed for creating the windows accessible shares. The last dependency might not be required but its good to make sure if you got issues its not because servers disagree on time/date. Hence, NTP will help set a same date between servers.

Connecting

Or better say lets “join” the dark side of windows. I’m not gone lie, this is pretty ugly, but in Kerbal Space Program’s motto, any landing you can walk away from is called a succes.

First add the domain controller to /etc/hosts this ensures that every connection will go to the right server, irrelevant of DNS, since the hosts file has the highest priority.

# cat /etc/hosts
123.123.123.123 mydomain.at.my.be mydomain

123.123.123.123 should be the IP and mydomain.at.my.be should be the full domain and the last is optional the alias for the domain.

Many guides will also adapt /etc/resolv.conf while I don’t think its needed, we do not take risks here,  resolv.conf is used for looking up the DNS, for this server the domain controller is highly suggested.

# cat /etc/resolv.conf

search my_domain.be
nameserver 123.123.123.123

Adapt as required.

The next step, is making sure the servers have the same time setup, this won’t be an issue for many, but its good practice. Do a ntpdate call to the domain server to get a fix.

# ntpdate domain
4 May 15:47:01 ntpdate[17004]: adjust time server 123.123.123.123 offset 0.015744 sec

Something similar should be shown, after that we can set the service up to take over. If there is a huge difference, perhaps add the domain controller as NTP server. This would be done in /etc/ntp.conf as “server domain iburst”.

systemctl enable ntpd.service
systemctl start ntpd.service

Then finally we are ready to join the domain, this is done using :

realm join --user=domain_admin mydomain

This hopefully, silently ads your computer to the domain (after login), or if it fails it spits errors. After this is silently successful, you will find the realm in the realm list.

# realm list
domain.url
  type: kerberos
  realm-name: DOMAIN.url
  domain-name: DOMAIN.url
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  login-formats: %U
  login-policy: allow-realm-logins

note : slightly modified configuration shown.

Configuration

After we got initial connection, its time to setup the configuration, this is done in /etc/sssd/sssd.conf . There are multiple parameters here that can be adapted here. One in particular pops up as having an annoying default set.

use_fully_qualified_names

By default this is set to True, domain users will be identified as “name@domain” instead of “name”. Set False, to drop the @domain

use_fully_qualified_names = False

In a similar way, home directories have a _@ _symbol in the name. While this in itself is harmless it can be annoying in script or tools that can’t deal with these symbols. Perhaps some people have multiple domains, but for me its never the case. So I tend to remove the domain entirely. Alternatively you could do something like /home/domain/user /home/%d/%u . Below I use /home/user, such as native users on Linux system. Change /home/%u@%d to /home/%u

fallback_homedir = /home/%u

After edit(s), reload sssd :

systemctl restart sssd

To verify the connection is functional, you can check a random (non-local) AD user :

# id svennd
uid=1406204049(svennd) gid=1406200519(enterprise admins) groups=1406200519(enterprise admins),1406200513(domain users),1406200512(domain admins),1406204598(bioinf users)

At this point, all AD users should be able login using SSH on the system. (if sshd is running)

Samba

OK, now users can login to the server over ssh, but we want to bring a samba share available; so install samba if you did not do this in the first part. Don’t worry I will wait.

yum install samba samba-client samba-common

Now adapt the configuration mostly to your own wishes; This is how I use mine : (/etc/samba/smb.conf)

# See smb.conf.example for a more detailed config file or
# read the smb.conf manpage.
# Run 'testparm' to verify the config is correct after
# you modified it.

[global]
        workgroup = DOMAIN # CAPITALS make it work, domain controllers need hearing aids
        security = ads # active domain server
        encrypt passwords = yes
        realm = domain_url # adapt to full domain url

        passdb backend = tdbsam # starting this will replace it for user_id issues

        printing = cups
        printcap name = /dev/null # mute annoying errors
        load printers = no 
        cups options = raw
[data]
        valid users = @"domain_group@domain_url"
        path = /data
        public = yes # everyone can see it (if you are able to login)
        writable = yes # evereyone can write here (if you are a valid_user)
        guest ok = no

Important parts here are :

workgroup = DOMAIN

Workgroup has to be the domain.

security = ads

Sets the security as “Active Directory Server”, domain won’t work.

realm = domain_url

Full realm, you can find this using realm list

For restriction you can change the valid users using this syntax :

valid users = @"domain_group@domain_url"

This would only allow users of that group, syntax works for domain groups, local groups just have @devs. Also individual users can be added. Like this :

valid users = @"domain_group@domain_url" @localgroup svennd alice
Pitfalls & debugging
  1. Firewall / Iptables

During debugging shut them down and if everything is resolved put them back up. For the firewalld lovers (default) add samba as allowed ports :

firewall-cmd --permanent --zone=public --add-service=samba
firewall-cmd --reload

For iptables.

  1. SELinux

Ow god this again, yes!!! To check if SELinux is enabled, (yes by default, even on minimal) use sestatus :

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

Unless you want to disable selinux, you will require the typical voodoo SELinux talk; For any directory where you set a share you need to run :

chcon -t samba_share_t /dir

If you like to have home directories automatically generated if a domain users authenticates (/etc/samba/smb.conf)

[homes]
        comment = Home Directories
        valid users = %S, %D%w%S
        browseable = No
        read only = No
        inherit acls = Yes

You need to run :

semanage fcontext -a -t home_root_t /home
semanage fcontext -a -t user_home_dir_t /home
semanage fcontext -a -t user_home_t /home
restorecon -Rv /home

or some other magic.

After all that, you can start samba :

systemctl enable smb
systemctl enable nmb
systemctl start smb
systemctl start nmb

And that’s it. Kudo’s to all the slightly-out-date tutorials.

Support

If you enjoyed this website, consider buying me a Dr. Pepper

Buy me a Dr PepperBuy me a Dr Pepper