Knowledge Base (Posts about samba)https://bgstack15.ddns.net/blog/enContents © 2022 <a href="mailto:bgstack15@gmail.com">bgstack15</a> <a rel="license" href="https://creativecommons.org/licenses/by-sa/4.0/"> <img alt="Creative Commons License BY-SA" style="border-width:0; margin-bottom:12px;" src="https://bgstack15.ddns.net/.images/l_by-sa_4.0_88x31.png"></a>Sun, 27 Feb 2022 04:04:45 GMTNikola (getnikola.com)http://blogs.law.harvard.edu/tech/rssSamba share with AD auth, 2020 May editionhttps://bgstack15.ddns.net/blog/posts/2020/05/25/samba-share-with-ad-auth-2020-may-edition/bgstack15<h2>Overview</h2> <p>I wrote about this topic almost 4 years ago: <a href="https://bgstack15.ddns.net/blog/posts/2016/06/28/samba-share-with-ad-authentication/">Samba share with AD authentication</a> This article is the updated version. It has a different environment and purpose, as well as a new version of samba that requires <a href="https://bugzilla.redhat.com/show_bug.cgi?id=1648399">a workaround</a>. The goal today is just get a quick home directories share.</p> <h2>Prequisites</h2> <ul> <li>Server is joined to the domain</li> <li>Working on CentOS 7. The previous article included Ubuntu commands for the package manager and firewall.</li> </ul> <h2>Setting up Samba</h2> <p>Install the packages, including the server package.</p> <pre class="code literal-block"><span></span><code>yum -y install samba </code></pre> <p>Open the firewall.</p> <pre class="code literal-block"><span></span><code>firewall-cmd --permanent --add-service=samba systemctl restart firewalld.service </code></pre> <p>Configure Samba.</p> <pre class="code literal-block"><span></span><code><span class="n">cat</span> <span class="o">&lt;&lt;</span><span class="n">EOFSMB</span> <span class="o">&gt;</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">samba</span><span class="o">/</span><span class="n">smb</span><span class="o">.</span><span class="n">conf</span> <span class="p">[</span><span class="n">global</span><span class="p">]</span> <span class="n">workgroup</span> <span class="o">=</span> <span class="n">EXAMPLE</span> <span class="n">security</span> <span class="o">=</span> <span class="n">ads</span> <span class="n">realm</span> <span class="o">=</span> <span class="n">EXAMPLE</span><span class="o">.</span><span class="n">COM</span> <span class="n">kerberos</span> <span class="n">method</span> <span class="o">=</span> <span class="n">system</span> <span class="n">keytab</span> <span class="n">netbios</span> <span class="n">name</span> <span class="o">=</span> <span class="o">$</span><span class="p">(</span> <span class="n">hostname</span> <span class="o">-</span><span class="n">s</span> <span class="p">)</span> <span class="n">server</span> <span class="n">string</span> <span class="o">=</span> <span class="n">Description</span> <span class="n">here</span> <span class="nb">log</span> <span class="n">file</span> <span class="o">=</span> <span class="o">/</span><span class="k">var</span><span class="o">/</span><span class="nb">log</span><span class="o">/</span><span class="n">samba</span><span class="o">/</span><span class="nb">log</span><span class="o">.%</span><span class="n">m</span> <span class="nb">max</span> <span class="nb">log</span> <span class="n">size</span> <span class="o">=</span> <span class="mi">50</span> <span class="n">dns</span> <span class="n">proxy</span> <span class="o">=</span> <span class="n">no</span> <span class="n">encrypt</span> <span class="n">passwords</span> <span class="o">=</span> <span class="n">yes</span> <span class="n">passdb</span> <span class="n">backend</span> <span class="o">=</span> <span class="n">tdbsam</span> <span class="n">printcap</span> <span class="n">name</span> <span class="o">=</span> <span class="o">/</span><span class="n">dev</span><span class="o">/</span><span class="nb nb-Type">null</span> <span class="nb">load</span> <span class="n">printers</span> <span class="o">=</span> <span class="n">no</span> <span class="p">[</span><span class="n">homes</span><span class="p">]</span> <span class="n">comment</span> <span class="o">=</span> <span class="n">Home</span> <span class="n">Directories</span> <span class="n">valid</span> <span class="n">users</span> <span class="o">=</span> <span class="n">user1</span><span class="p">,</span> <span class="n">user2</span><span class="p">,</span> <span class="err">@</span><span class="n">group1</span> <span class="n">browseable</span> <span class="o">=</span> <span class="n">No</span> <span class="n">read</span> <span class="n">only</span> <span class="o">=</span> <span class="n">No</span> <span class="n">inherit</span> <span class="n">acls</span> <span class="o">=</span> <span class="n">Yes</span> <span class="n">guest</span> <span class="n">only</span> <span class="o">=</span> <span class="n">no</span> <span class="n">EOFSMB</span> </code></pre> <p>Starting with Samba 4.9.1, a workaround is needed for Samba to work when the id mapping is not set up thoroughly. This example does not do any id mapping, so use this quick and dirty fix.</p> <pre class="code literal-block"><span></span><code>net -s /dev/null groupmap add sid=S-1-5-32-546 unixgroup=nobody type=builtin </code></pre> <p>You can see the custom mapping for the guest user with:</p> <pre class="code literal-block"><span></span><code>$ net -s /dev/null groupmap list nobody <span class="o">(</span>S-1-5-32-546<span class="o">)</span> -&gt; nobody Reference: <span class="o">[</span><span class="m">1648399</span> – Samba <span class="m">4</span>.9.1: smb.service fails with ERROR: failed to setup guest info<span class="o">](</span>https://bugzilla.redhat.com/show_bug.cgi?id<span class="o">=</span><span class="m">1648399</span><span class="o">)</span> <span class="o">(</span>RHBZ<span class="o">)</span> </code></pre> <p>And enable and start the services.</p> <pre class="code literal-block"><span></span><code>systemctl enable --now smb nmb </code></pre> <p>This command enables (sets to run at system startup) and starts immediately, these two services. NMB is the NetBIOS name server. It helps the main Samba daemon in ways deeper than I care to research.</p> <h2>Configuring SELinux</h2> <p>Set a few SE booleans.</p> <pre class="code literal-block"><span></span><code><span class="k">for</span> <span class="n">word</span> <span class="ow">in</span> <span class="n">samba_export_all_rw</span> <span class="n">samba_create_home_dirs</span> <span class="p">;</span> <span class="n">do</span> <span class="n">setsebool</span> <span class="o">-</span><span class="n">P</span> <span class="s2">"${word}"</span> <span class="mi">1</span> <span class="p">;</span> <span class="n">done</span> </code></pre>adlinuxsambashareupdatehttps://bgstack15.ddns.net/blog/posts/2020/05/25/samba-share-with-ad-auth-2020-may-edition/Mon, 25 May 2020 20:21:17 GMTSamba and ntlm for Windows clientshttps://bgstack15.ddns.net/blog/posts/2017/10/01/samba-and-ntlm-for-windows-clients/bgstack15<h2>tl;dr</h2> <p>Use one or the other:</p> <h5>1. Insecure but fast, in <strong>/etc/samba/smb.conf</strong> :</h5> <pre class="code literal-block"><span></span><code><span class="k">[global]</span> <span class="na">ntlm auth</span> <span class="o">=</span> <span class="s">yes</span> </code></pre> <h5>2. Best, on client Windows machine:</h5> <pre class="code literal-block"><span></span><code>Windows Registry Editor Version 5.00 <span class="k">[</span><span class="nb">HKEY_LOCAL_MACHINE</span><span class="k">\SYSTEM\CurrentControlSet\Control\Lsa]</span> <span class="na">"LmCompatibilityLevel"</span><span class="o">=</span><span class="nv">dword</span><span class="p">:</span><span class="m">00000001</span> </code></pre> <h2>Samba and ntlm</h2> <p>With the published "ETERNALBLUE" vulnerability (<a href="http://www.cvedetails.com/cve/CVE-2017-0146/">CVE-2017-0146</a>) a few months ago, the effects finally trickled down to the default settings for samba in CentOS 7. After updating to samba 4.6.2, I was unable to access my samba share from a Windows client (<a href="https://bgstack15.ddns.net/blog/posts/2017/05/10/samba-share-with-freeipa-auth/">using my freeipa credentials</a>). Here's what I found in /var/log/samba/log.lsasd after setting <strong>[global] log level = 3</strong> :</p> <pre class="code literal-block"><span></span><code><span class="w"> </span><span class="nl">check_ntlm_password</span><span class="p">:</span><span class="w"> </span><span class="n">Authentication</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="k">user</span><span class="w"> </span><span class="o">[</span><span class="n">bgstack15</span><span class="o">]</span><span class="w"> </span><span class="o">-&gt;</span><span class="w"> </span><span class="o">[</span><span class="n">bgstack15</span><span class="o">]</span><span class="w"> </span><span class="n">FAILED</span><span class="w"> </span><span class="k">with</span><span class="w"> </span><span class="n">error</span><span class="w"> </span><span class="n">NT_STATUS_WRONG_PASSWORD</span><span class="w"></span> <span class="o">[</span><span class="n">2017/10/01 16:45:54.106771, 2, pid=5289</span><span class="o">]</span><span class="w"> </span><span class="p">..</span><span class="o">/</span><span class="n">auth</span><span class="o">/</span><span class="n">gensec</span><span class="o">/</span><span class="n">spnego</span><span class="p">.</span><span class="nl">c</span><span class="p">:</span><span class="mi">768</span><span class="p">(</span><span class="n">gensec_spnego_server_negTokenTarg</span><span class="p">)</span><span class="w"></span> <span class="w"> </span><span class="n">SPNEGO</span><span class="w"> </span><span class="n">login</span><span class="w"> </span><span class="nl">failed</span><span class="p">:</span><span class="w"> </span><span class="n">NT_STATUS_WRONG_PASSWORD</span><span class="w"></span> <span class="o">[</span><span class="n">2017/10/01 16:45:54.106860, 3, pid=5289</span><span class="o">]</span><span class="w"> </span><span class="p">..</span><span class="o">/</span><span class="n">source3</span><span class="o">/</span><span class="n">smbd</span><span class="o">/</span><span class="n">smb2_server</span><span class="p">.</span><span class="nl">c</span><span class="p">:</span><span class="mi">3097</span><span class="p">(</span><span class="n">smbd_smb2_request_error_ex</span><span class="p">)</span><span class="w"></span> <span class="w"> </span><span class="nl">smbd_smb2_request_error_ex</span><span class="p">:</span><span class="w"> </span><span class="nl">smbd_smb2_request_error_ex</span><span class="p">:</span><span class="w"> </span><span class="n">idx</span><span class="o">[</span><span class="n">1</span><span class="o">]</span><span class="w"> </span><span class="n">status</span><span class="o">[</span><span class="n">NT_STATUS_LOGON_FAILURE</span><span class="o">]</span><span class="w"> </span><span class="o">||</span><span class="w"> </span><span class="k">at</span><span class="w"> </span><span class="p">..</span><span class="o">/</span><span class="n">source3</span><span class="o">/</span><span class="n">smbd</span><span class="o">/</span><span class="n">smb2_sesssetup</span><span class="p">.</span><span class="nl">c</span><span class="p">:</span><span class="mi">134</span><span class="w"></span> <span class="o">[</span><span class="n">2017/10/01 16:45:54.107513, 3, pid=5289</span><span class="o">]</span><span class="w"> </span><span class="p">..</span><span class="o">/</span><span class="n">source3</span><span class="o">/</span><span class="n">smbd</span><span class="o">/</span><span class="n">server_exit</span><span class="p">.</span><span class="nl">c</span><span class="p">:</span><span class="mi">246</span><span class="p">(</span><span class="n">exit_server_common</span><span class="p">)</span><span class="w"></span> <span class="w"> </span><span class="n">Server</span><span class="w"> </span><span class="k">exit</span><span class="w"> </span><span class="p">(</span><span class="n">NT_STATUS_CONNECTION_RESET</span><span class="p">)</span><span class="w"></span> <span class="o">[</span><span class="n">2017/10/01 16:45:54.113588, 3, pid=5249</span><span class="o">]</span><span class="w"> </span><span class="p">..</span><span class="o">/</span><span class="n">source3</span><span class="o">/</span><span class="n">lib</span><span class="o">/</span><span class="n">util_procid</span><span class="p">.</span><span class="nl">c</span><span class="p">:</span><span class="mi">54</span><span class="p">(</span><span class="n">pid_to_procid</span><span class="p">)</span><span class="w"></span> <span class="w"> </span><span class="nl">pid_to_procid</span><span class="p">:</span><span class="w"> </span><span class="n">messaging_dgm_get_unique</span><span class="w"> </span><span class="nl">failed</span><span class="p">:</span><span class="w"> </span><span class="k">No</span><span class="w"> </span><span class="n">such</span><span class="w"> </span><span class="k">file</span><span class="w"> </span><span class="ow">or</span><span class="w"> </span><span class="n">directory</span><span class="w"></span> </code></pre> <p>After lots and lots of research, I finally found the answer at the <a href="https://forums.freebsd.org/threads/62169/">FreeBSD forum</a>! Gotta love the FreeBSD folks; they keep us all sane and grounded in free and open computing. Just add <strong>ntlm auth = yes</strong> to your [global] section of smb.conf! However, I looked it up and that enables samba to accept ntlmv1, which was the vulnerable protocol based on that CVE I mentioned earlier in this article. I wanted to find out how to stick to ntlmv2 authentication, if possible, and I did discover it! You can just configure your Windows clients to use the more secure settings either using the registry or the graphical secpol.msc tool. For the Local Security Policy (secpol.msc) tool, navigate to Security Settings-&gt;Local Policies-&gt;Security Options-&gt;"Network security: LAN Manager authentication level." Set it to "Send LM &amp; NTLM - use NTLMv2 session security if negotiated."</p> <h2>[![secpol.msc utility showing directory tree navigated to Network security:</h2> <p>LAN Manager authentication level setting](/2017/10/secpol.png)](/2017/10/secpol.png) Local Security Policy window with setting</p> <p>To automate this setting, you can make a registry file such as ntlmv2.reg with the following contents:</p> <pre class="code literal-block"><span></span><code>Windows Registry Editor Version 5.00 <span class="k">[</span><span class="nb">HKEY_LOCAL_MACHINE</span><span class="k">\SYSTEM\CurrentControlSet\Control\Lsa]</span> <span class="na">"LmCompatibilityLevel"</span><span class="o">=</span><span class="nv">dword</span><span class="p">:</span><span class="m">00000001</span> </code></pre> <p>I recognize this location from when I've adjusted it in the past, at a place that would not have been affected by this vulnerability or its remediation because they were forcing NTLMv2 years ago on the workstations.</p> <h2>Reference</h2> <h3>Weblinks</h3> <ol> <li>Samba quick answer <a href="https://forums.freebsd.org/threads/62169/">https://forums.freebsd.org/threads/62169/</a></li> <li>Client secpol.msc answer <a href="https://support.symantec.com/en_US/article.TECH132917.html">https://support.symantec.com/en_US/article.TECH132917.html</a></li> <li>Client registry answer <a href="https://kb.iu.edu/d/atcb">https://kb.iu.edu/d/atcb</a></li> <li>Notes about different values for this registry key <a href="https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level">https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level</a></li> </ol>freeipalinuxntlmsambawindowshttps://bgstack15.ddns.net/blog/posts/2017/10/01/samba-and-ntlm-for-windows-clients/Sun, 01 Oct 2017 21:06:40 GMTSamba share with freeipa authhttps://bgstack15.ddns.net/blog/posts/2017/05/10/samba-share-with-freeipa-auth/bgstack15<h2>Use FreeIPA Authentication for Samba CIFS Shares for Non-domain Windows</h2> <p>Clients</p> <p>I couldn't find a singular place on the Internet for a descriptive guide of how to configure samba to use freeipa authentication for cifs shares for non- domain Windows clients. There are guides out there for freeipa cross-domain trust, so you can share with a domain-joined Windows client, including <a href="https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA">https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA</a>. This document will show you how to set up Samba 4.4.4 to use FreeIPA 4.4.0 usernames and passwords to allow Windows clients to connect to cifs shares.</p> <h3>Example environment</h3> <ul> <li>Freeipa domain is vm.example.com.</li> <li>A freeipa master on CentOS7 host1.vm.example.com 192.168.100.10</li> <li>A freeipa replica on CentOS7 host2.vm.example.com 192.168.100.11</li> <li>Samba server will go on host2.vm.examplecom.</li> <li>Windows client is horatio.vm.example.com.</li> </ul> <h6>update 2020-02-12</h6> <p>For the past few months, I have had to keep certain samba packages back to keep myfreeipa auth working. Between these package versions, something happens that prevents samba from properly using the freeipa authentication. I have to keep to 4.8.3 of samba* and lib(sm|w)bclient packages so my samba share can accept my freeipa domain users for smb:// access.</p> <pre class="code literal-block"><span></span><code><span class="o">---&gt;</span> <span class="n">Package</span> <span class="n">samba</span><span class="o">-</span><span class="n">libs</span><span class="p">.</span><span class="n">x86_64</span> <span class="mi">0</span><span class="o">:</span><span class="mf">4.8.3</span><span class="o">-</span><span class="mf">6.</span><span class="n">el7_6</span> <span class="n">will</span> <span class="n">be</span> <span class="n">updated</span> <span class="o">---&gt;</span> <span class="n">Package</span> <span class="n">samba</span><span class="o">-</span><span class="n">libs</span><span class="p">.</span><span class="n">x86_64</span> <span class="mi">0</span><span class="o">:</span><span class="mf">4.9.1</span><span class="o">-</span><span class="mf">10.</span><span class="n">el7_7</span> <span class="n">will</span> <span class="n">be</span> <span class="n">an</span> <span class="n">update</span> </code></pre> <h6>update 2020-03-03</h6> <p>With the information shared by <a href="https://bgstack15.ddns.net/blog/posts/2017/05/10/samba-share-with-freeipa-auth/comment-page-1/#comment-3027">Alexander NA</a> below, by changing a few lines in smb.conf, samba 4.9.1 will work with freeipa! You need to comment out these lines:</p> <pre class="code literal-block"><span></span><code>#domain master = Yes #domain logons = Yes </code></pre> <p>I actually filed a <a href="https://bugs.centos.org/view.php?id=16515">bug</a> a while ago in CentOS, but I need to go update it now.</p> <h2>Samba share with freeipa auth</h2> <h3>Install freeipa server (and replica)</h3> <p>You need a working freeipa environment, which is outside the scope of this document. A quick sample installation process is:</p> <pre class="code literal-block"><span></span><code><span class="c1">### INSTALL FREEIPA host1.vm.example.com</span> <span class="n">firewall</span><span class="o">-</span><span class="n">cmd</span> <span class="o">--</span><span class="n">permanent</span> <span class="o">--</span><span class="n">add</span><span class="o">-</span><span class="n">service</span><span class="o">=</span><span class="n">freeipa</span><span class="o">-</span><span class="n">ldap</span> <span class="o">--</span><span class="n">add</span><span class="o">-</span><span class="n">service</span><span class="o">=</span><span class="n">freeipa</span><span class="o">-</span><span class="n">ldaps</span> <span class="o">--</span><span class="n">add</span><span class="o">-</span><span class="n">service</span><span class="o">=</span><span class="n">ntp</span> <span class="o">--</span><span class="n">add</span><span class="o">-</span><span class="n">service</span><span class="o">=</span><span class="n">dns</span> <span class="o">--</span><span class="n">add</span><span class="o">-</span><span class="n">service</span><span class="o">=</span><span class="n">dhcp</span> <span class="o">--</span><span class="n">add</span><span class="o">-</span><span class="n">service</span><span class="o">=</span><span class="n">kerberos</span> <span class="n">firewall</span><span class="o">-</span><span class="n">cmd</span> <span class="o">--</span><span class="n">reload</span> <span class="n">yum</span> <span class="n">install</span> <span class="o">-</span><span class="n">y</span> <span class="n">ipa</span><span class="o">-</span><span class="n">server</span> <span class="n">ipa</span><span class="o">-</span><span class="n">client</span> <span class="n">ipa</span><span class="o">-</span><span class="n">server</span><span class="o">-</span><span class="n">install</span> <span class="o">-</span><span class="n">r</span> <span class="n">VM</span><span class="o">.</span><span class="n">EXAMPLE</span><span class="o">.</span><span class="n">COM</span> <span class="o">-</span><span class="n">n</span> <span class="n">vm</span><span class="o">.</span><span class="n">example</span><span class="o">.</span><span class="n">com</span> <span class="o">--</span><span class="n">mkhomedir</span> <span class="o">--</span><span class="n">hostname</span><span class="o">=</span><span class="s2">"$( hostname --fqdn )"</span> <span class="o">--</span><span class="n">admin</span><span class="o">-</span><span class="n">password</span><span class="o">=</span><span class="s1">'adminpassword'</span> <span class="o">--</span><span class="n">ds</span><span class="o">-</span><span class="n">password</span><span class="o">=</span><span class="s1">'dspassword'</span> <span class="c1">### INSTALL REPLICA host2.vm.example.com</span> <span class="n">firewall</span><span class="o">-</span><span class="n">cmd</span> <span class="o">--</span><span class="n">permanent</span> <span class="o">--</span><span class="n">add</span><span class="o">-</span><span class="n">service</span><span class="o">=</span><span class="n">freeipa</span><span class="o">-</span><span class="n">ldap</span> <span class="o">--</span><span class="n">add</span><span class="o">-</span><span class="n">service</span><span class="o">=</span><span class="n">freeipa</span><span class="o">-</span><span class="n">ldaps</span> <span class="o">--</span><span class="n">add</span><span class="o">-</span><span class="n">service</span><span class="o">=</span><span class="n">ntp</span> <span class="o">--</span><span class="n">add</span><span class="o">-</span><span class="n">service</span><span class="o">=</span><span class="n">dns</span> <span class="o">--</span><span class="n">add</span><span class="o">-</span><span class="n">service</span><span class="o">=</span><span class="n">dhcp</span> <span class="o">--</span><span class="n">add</span><span class="o">-</span><span class="n">service</span><span class="o">=</span><span class="n">kerberos</span> <span class="n">firewall</span><span class="o">-</span><span class="n">cmd</span> <span class="o">--</span><span class="n">reload</span> <span class="n">yum</span> <span class="n">install</span> <span class="o">-</span><span class="n">y</span> <span class="n">ipa</span><span class="o">-</span><span class="n">server</span> <span class="n">ipa</span><span class="o">-</span><span class="n">client</span> <span class="n">ipa</span><span class="o">-</span><span class="n">client</span><span class="o">-</span><span class="n">install</span> <span class="o">--</span><span class="n">mkhomedir</span> <span class="o">--</span><span class="n">force</span><span class="o">-</span><span class="n">ntpd</span> <span class="o">--</span><span class="n">enable</span><span class="o">-</span><span class="n">dns</span><span class="o">-</span><span class="n">updates</span> <span class="n">ipa</span><span class="o">-</span><span class="n">replica</span><span class="o">-</span><span class="n">install</span> <span class="o">--</span><span class="n">setup</span><span class="o">-</span><span class="n">ca</span> <span class="o">--</span><span class="n">mkhomedir</span> </code></pre> <h3>Install samba server</h3> <p>Install the samba packages.</p> <pre class="code literal-block"><span></span><code>yum -y install samba samba-client sssd-libwbclient </code></pre> <p>Create the cifs principal for samba on one of the ipa controllers.</p> <pre class="code literal-block"><span></span><code># run on an ipa controller. This principal name is "service/hostname" ipa service-add cifs/host2.vm.example.com </code></pre> <p>Fetch the keytab to the samba server. In this example, it's the same as the replica.</p> <pre class="code literal-block"><span></span><code># on samba server kinit -kt /etc/krb5.keytab ipa-getkeytab -s host1.vm.example.com -p cifs/host2.vm.example.com -k /etc/samba/samba.keytab setsebool -P samba_enable_home_dirs on &amp; </code></pre> <p>Reference: <a href="https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA">https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA</a></p> <h3>Install adtrust components</h3> <h4>On the freeipa controller</h4> <pre class="code literal-block"><span></span><code>yum -y install ipa-server-trust-ad ipa-adtrust-install --add-sids </code></pre> <p>I recommend running this interactively, as shown above. Let it overwrite your samba config. It will configure it to use the registry, and we will rewrite it to suit the demands here. The ipa-adtrust-install command generates the records you need to add to dns. They will look like:</p> <pre class="code literal-block"><span></span><code><span class="nv">Add</span> <span class="nv">the</span> <span class="nv">following</span> <span class="nv">service</span> <span class="nv">records</span> <span class="nv">to</span> <span class="nv">your</span> <span class="nv">DNS</span> <span class="nv">server</span> <span class="k">for</span> <span class="nv">DNS</span> <span class="nv">zone</span> <span class="nv">vm</span>.<span class="nv">example</span>.<span class="nv">com</span>: <span class="nv">_ldap</span>.<span class="nv">_tcp</span>.<span class="nv">Default</span><span class="o">-</span><span class="nv">First</span><span class="o">-</span><span class="nv">Site</span><span class="o">-</span><span class="nv">Name</span>.<span class="nv">_sites</span>.<span class="nv">dc</span>.<span class="nv">_msdcs</span>.<span class="nv">vm</span>.<span class="nv">example</span>.<span class="nv">com</span>. <span class="mi">86400</span> <span class="nv">IN</span> <span class="nv">SRV</span> <span class="mi">0</span> <span class="mi">100</span> <span class="mi">389</span> <span class="nv">host2</span>.<span class="nv">vm</span>.<span class="nv">example</span>.<span class="nv">com</span>. <span class="nv">_kerberos</span>.<span class="nv">_udp</span>.<span class="nv">dc</span>.<span class="nv">_msdcs</span>.<span class="nv">vm</span>.<span class="nv">example</span>.<span class="nv">com</span>. <span class="mi">86400</span> <span class="nv">IN</span> <span class="nv">SRV</span> <span class="mi">0</span> <span class="mi">100</span> <span class="mi">88</span> <span class="nv">host2</span>.<span class="nv">vm</span>.<span class="nv">example</span>.<span class="nv">com</span>. <span class="nv">_kerberos</span>.<span class="nv">_udp</span>.<span class="nv">Default</span><span class="o">-</span><span class="nv">First</span><span class="o">-</span><span class="nv">Site</span><span class="o">-</span><span class="nv">Name</span>.<span class="nv">_sites</span>.<span class="nv">dc</span>.<span class="nv">_msdcs</span>.<span class="nv">vm</span>.<span class="nv">example</span>.<span class="nv">com</span>. <span class="mi">86400</span> <span class="nv">IN</span> <span class="nv">SRV</span> <span class="mi">0</span> <span class="mi">100</span> <span class="mi">88</span> <span class="nv">host2</span>.<span class="nv">vm</span>.<span class="nv">example</span>.<span class="nv">com</span>. <span class="nv">_ldap</span>.<span class="nv">_tcp</span>.<span class="nv">dc</span>.<span class="nv">_msdcs</span>.<span class="nv">vm</span>.<span class="nv">example</span>.<span class="nv">com</span>. <span class="mi">86400</span> <span class="nv">IN</span> <span class="nv">SRV</span> <span class="mi">0</span> <span class="mi">100</span> <span class="mi">389</span> <span class="nv">host2</span>.<span class="nv">vm</span>.<span class="nv">example</span>.<span class="nv">com</span>. <span class="nv">_kerberos</span>.<span class="nv">_tcp</span>.<span class="nv">dc</span>.<span class="nv">_msdcs</span>.<span class="nv">vm</span>.<span class="nv">example</span>.<span class="nv">com</span>. <span class="mi">86400</span> <span class="nv">IN</span> <span class="nv">SRV</span> <span class="mi">0</span> <span class="mi">100</span> <span class="mi">88</span> <span class="nv">host2</span>.<span class="nv">vm</span>.<span class="nv">example</span>.<span class="nv">com</span>. <span class="nv">_kerberos</span>.<span class="nv">_tcp</span>.<span class="nv">Default</span><span class="o">-</span><span class="nv">First</span><span class="o">-</span><span class="nv">Site</span><span class="o">-</span><span class="nv">Name</span>.<span class="nv">_sites</span>.<span class="nv">dc</span>.<span class="nv">_msdcs</span>.<span class="nv">vm</span>.<span class="nv">example</span>.<span class="nv">com</span>. <span class="mi">86400</span> <span class="nv">IN</span> <span class="nv">SRV</span> <span class="mi">0</span> <span class="mi">100</span> <span class="mi">88</span> <span class="nv">host2</span>.<span class="nv">vm</span>.<span class="nv">example</span>.<span class="nv">com</span>. </code></pre> <p>I successfully added them just fine by pasting them into my zone file and running <strong>rndc reconfig</strong> or <strong>systemctl restart named</strong>. The adtrust mechanism adds new attributes to each user and group, specifically ipaNTSecurityIdentifier (the SID) and ipaNTHash. Technically the ipaNTHash can only be generated when the user changes passwords. Reference: <a href="https://www.redhat.com/archives/freeipa-users/2015-September/msg00052.html">https://www.redhat.com/archives/freeipa-users/2015-September/msg00052.html</a></p> <h4>On the samba server</h4> <p>Install the ipa-server-trust-ad package on the samba server. You need this package there to get the ipasam config option in smb.conf.</p> <pre class="code literal-block"><span></span><code>yum -y install ipa-server-trust-ad </code></pre> <p>Open the firewall for the ports mentioned in the output of the command. You can use this script.</p> <pre class="code literal-block"><span></span><code>tf=/lib/firewalld/services/freeipa-samba.xml touch "<span class="cp">${</span><span class="n">tf</span><span class="cp">}</span>"; chmod 0644 "<span class="cp">${</span><span class="n">tf</span><span class="cp">}</span>"; chown root:root "<span class="cp">${</span><span class="n">tf</span><span class="cp">}</span>"; restorecon "<span class="cp">${</span><span class="n">tf</span><span class="cp">}</span>" cat <span class="err">&lt;</span><span class="nt">&lt;EOFXML</span> <span class="nt">&gt;</span> "<span class="cp">${</span><span class="n">tf</span><span class="cp">}</span>" <span class="cp">&lt;?xml version="1.0" encoding="utf-8"?&gt;</span> <span class="nt">&lt;service&gt;</span> <span class="nt">&lt;short&gt;</span>IPA and Samba<span class="nt">&lt;/short&gt;</span> <span class="nt">&lt;description&gt;</span>This service provides the ports required by the ipa-adtrust-install command.<span class="nt">&lt;/description&gt;</span> <span class="nt">&lt;port</span> <span class="na">protocol=</span><span class="s">"tcp"</span> <span class="na">port=</span><span class="s">"135"/</span><span class="nt">&gt;</span> <span class="nt">&lt;port</span> <span class="na">protocol=</span><span class="s">"tcp"</span> <span class="na">port=</span><span class="s">"138"/</span><span class="nt">&gt;</span> <span class="nt">&lt;port</span> <span class="na">protocol=</span><span class="s">"tcp"</span> <span class="na">port=</span><span class="s">"139"/</span><span class="nt">&gt;</span> <span class="nt">&lt;port</span> <span class="na">protocol=</span><span class="s">"tcp"</span> <span class="na">port=</span><span class="s">"445"/</span><span class="nt">&gt;</span> <span class="nt">&lt;port</span> <span class="na">protocol=</span><span class="s">"tcp"</span> <span class="na">port=</span><span class="s">"1024-1300"/</span><span class="nt">&gt;</span> <span class="nt">&lt;port</span> <span class="na">protocol=</span><span class="s">"udp"</span> <span class="na">port=</span><span class="s">"138"/</span><span class="nt">&gt;</span> <span class="nt">&lt;port</span> <span class="na">protocol=</span><span class="s">"udp"</span> <span class="na">port=</span><span class="s">"139"/</span><span class="nt">&gt;</span> <span class="nt">&lt;port</span> <span class="na">protocol=</span><span class="s">"udp"</span> <span class="na">port=</span><span class="s">"389"/</span><span class="nt">&gt;</span> <span class="nt">&lt;port</span> <span class="na">protocol=</span><span class="s">"udp"</span> <span class="na">port=</span><span class="s">"445"/</span><span class="nt">&gt;</span> <span class="nt">&lt;/service&gt;</span> EOFXML systemctl restart firewalld firewall-cmd --permanent --add-service=freeipa-samba firewall-cmd --reload echo done </code></pre> <h3>Allow samba to read passwords</h3> <p>This is the magic part that is so hard to find on the Internet. You will need to give special permissions to the samba service to read user passwords.</p> <pre class="code literal-block"><span></span><code>ipa permission-add "CIFS server can read user passwords" \ --attrs={ipaNTHash,ipaNTSecurityIdentifier} \ --type=user --right={read,search,compare} --bindtype=permission ipa privilege-add "CIFS server privilege" ipa privilege-add-permission "CIFS server privilege" \ --permission="CIFS server can read user passwords" ipa role-add "CIFS server" ipa role-add-privilege "CIFS server" --privilege="CIFS server privilege" ipa role-add-member "CIFS server" --services=cifs/host2.vm.example.com </code></pre> <p>Reference: <a href="http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-%0Asamba-3-or-4-with-freeipa">http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate- samba-3-or-4-with-freeipa</a></p> <h4>Explanation</h4> <p>If you use ldapsearch with kerberos authentication (after a kinit admin, of course), you can see attributes about users.</p> <pre class="code literal-block"><span></span><code>ldapsearch -Y gssapi "(uid=username)" </code></pre> <p>Even if the user has generated a new password since the adtrust installation, even the admin cannot see the ipaNTHash attribute. To confirm the samba service can read the <strong>ipaNTHash</strong> , use its keytab and search for that attribute.</p> <pre class="code literal-block"><span></span><code># on the samba server, so host2.vm.example.com kdestroy -A kinit -kt /etc/samba/samba.keytab cifs/host2.vm.example.com ldapsearch -Y gssapi "(ipaNTHash=*)" ipaNTHash </code></pre> <h3>Configure samba to use freeipa auth</h3> <p>When freeipa adjusts the samba config, it will just make it use the registry backend. You can view the equivalent conf file with <strong>testparm</strong>. Here is a complete /etc/samba/smb.conf.</p> <pre class="code literal-block"><span></span><code><span class="n">tf</span><span class="o">=/</span><span class="n">etc</span><span class="o">/</span><span class="n">samba</span><span class="o">/</span><span class="n">smb</span><span class="p">.</span><span class="n">conf</span><span class="w"></span> <span class="n">touch</span><span class="w"> </span><span class="ss">"${tf}"</span><span class="p">;</span><span class="w"> </span><span class="n">chmod</span><span class="w"> </span><span class="mi">0644</span><span class="w"> </span><span class="ss">"${tf}"</span><span class="p">;</span><span class="w"> </span><span class="n">chown</span><span class="w"> </span><span class="nl">root</span><span class="p">:</span><span class="n">root</span><span class="w"> </span><span class="ss">"${tf}"</span><span class="p">;</span><span class="w"> </span><span class="n">restorecon</span><span class="w"> </span><span class="ss">"${tf}"</span><span class="w"></span> <span class="n">cat</span><span class="w"> </span><span class="o">&lt;</span><span class="w"> </span><span class="ss">"${tf}"</span><span class="w"></span> <span class="o">[</span><span class="n">global</span><span class="o">]</span><span class="w"></span> <span class="w"> </span><span class="n">debug</span><span class="w"> </span><span class="n">pid</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">yes</span><span class="w"></span> <span class="w"> </span><span class="n">realm</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">VM</span><span class="p">.</span><span class="n">EXAMPLE</span><span class="p">.</span><span class="n">COM</span><span class="w"></span> <span class="w"> </span><span class="n">workgroup</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">VM</span><span class="w"></span> <span class="w"> </span><span class="n">#domain</span><span class="w"> </span><span class="n">master</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">Yes</span><span class="w"></span> <span class="w"> </span><span class="n">ldap</span><span class="w"> </span><span class="k">group</span><span class="w"> </span><span class="n">suffix</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">cn</span><span class="o">=</span><span class="n">groups</span><span class="p">,</span><span class="n">cn</span><span class="o">=</span><span class="n">accounts</span><span class="w"></span> <span class="w"> </span><span class="n">ldap</span><span class="w"> </span><span class="n">machine</span><span class="w"> </span><span class="n">suffix</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">cn</span><span class="o">=</span><span class="n">computers</span><span class="p">,</span><span class="n">cn</span><span class="o">=</span><span class="n">accounts</span><span class="w"></span> <span class="w"> </span><span class="n">ldap</span><span class="w"> </span><span class="n">ssl</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">off</span><span class="w"></span> <span class="w"> </span><span class="n">ldap</span><span class="w"> </span><span class="n">suffix</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">dc</span><span class="o">=</span><span class="n">vm</span><span class="p">,</span><span class="n">dc</span><span class="o">=</span><span class="n">example</span><span class="p">,</span><span class="n">dc</span><span class="o">=</span><span class="n">com</span><span class="w"></span> <span class="w"> </span><span class="n">ldap</span><span class="w"> </span><span class="k">user</span><span class="w"> </span><span class="n">suffix</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">cn</span><span class="o">=</span><span class="n">users</span><span class="p">,</span><span class="n">cn</span><span class="o">=</span><span class="n">accounts</span><span class="w"></span> <span class="w"> </span><span class="nf">log</span><span class="w"> </span><span class="k">file</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="o">/</span><span class="nf">var</span><span class="o">/</span><span class="nf">log</span><span class="o">/</span><span class="n">samba</span><span class="o">/</span><span class="nf">log</span><span class="w"></span> <span class="w"> </span><span class="nf">max</span><span class="w"> </span><span class="nf">log</span><span class="w"> </span><span class="k">size</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">100000</span><span class="w"></span> <span class="w"> </span><span class="n">#domain</span><span class="w"> </span><span class="n">logons</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">Yes</span><span class="w"></span> <span class="w"> </span><span class="n">registry</span><span class="w"> </span><span class="n">shares</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">Yes</span><span class="w"></span> <span class="w"> </span><span class="n">disable</span><span class="w"> </span><span class="n">spoolss</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">Yes</span><span class="w"></span> <span class="w"> </span><span class="n">dedicated</span><span class="w"> </span><span class="n">keytab</span><span class="w"> </span><span class="k">file</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">FILE</span><span class="err">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">samba</span><span class="o">/</span><span class="n">samba</span><span class="p">.</span><span class="n">keytab</span><span class="w"></span> <span class="w"> </span><span class="n">kerberos</span><span class="w"> </span><span class="k">method</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">dedicated</span><span class="w"> </span><span class="n">keytab</span><span class="w"></span> <span class="w"> </span><span class="n">#passdb</span><span class="w"> </span><span class="n">backend</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nl">ipasam</span><span class="p">:</span><span class="nl">ldapi</span><span class="p">:</span><span class="o">//%</span><span class="mi">2</span><span class="n">fvar</span><span class="o">%</span><span class="mi">2</span><span class="n">frun</span><span class="o">%</span><span class="mi">2</span><span class="n">fslapd</span><span class="o">-</span><span class="n">VM</span><span class="o">-</span><span class="n">EXAMPLE</span><span class="o">-</span><span class="n">COM</span><span class="p">.</span><span class="n">socket</span><span class="w"></span> <span class="w"> </span><span class="n">#passdb</span><span class="w"> </span><span class="n">backend</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nl">ldapsam</span><span class="p">:</span><span class="nl">ldapi</span><span class="p">:</span><span class="o">//%</span><span class="mi">2</span><span class="n">fvar</span><span class="o">%</span><span class="mi">2</span><span class="n">frun</span><span class="o">%</span><span class="mi">2</span><span class="n">fslapd</span><span class="o">-</span><span class="n">VM</span><span class="o">-</span><span class="n">EXAMPLE</span><span class="o">-</span><span class="n">COM</span><span class="p">.</span><span class="n">socket</span><span class="w"></span> <span class="w"> </span><span class="n">passdb</span><span class="w"> </span><span class="n">backend</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nl">ipasam</span><span class="p">:</span><span class="nl">ldap</span><span class="p">:</span><span class="o">//</span><span class="n">host2</span><span class="p">.</span><span class="n">vm</span><span class="p">.</span><span class="n">example</span><span class="p">.</span><span class="n">com</span><span class="w"> </span><span class="nl">ldap</span><span class="p">:</span><span class="o">//</span><span class="n">host1</span><span class="p">.</span><span class="n">vm</span><span class="p">.</span><span class="n">example</span><span class="p">.</span><span class="n">com</span><span class="w"></span> <span class="w"> </span><span class="n">security</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">USER</span><span class="w"></span> <span class="w"> </span><span class="k">create</span><span class="w"> </span><span class="n">krb5</span><span class="w"> </span><span class="n">conf</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">No</span><span class="w"></span> <span class="w"> </span><span class="nl">rpc_daemon</span><span class="p">:</span><span class="n">lsasd</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">fork</span><span class="w"></span> <span class="w"> </span><span class="nl">rpc_daemon</span><span class="p">:</span><span class="n">epmd</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">fork</span><span class="w"></span> <span class="w"> </span><span class="nl">rpc_server</span><span class="p">:</span><span class="n">tcpip</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">yes</span><span class="w"></span> <span class="w"> </span><span class="nl">rpc_server</span><span class="p">:</span><span class="n">netlogon</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">external</span><span class="w"></span> <span class="w"> </span><span class="nl">rpc_server</span><span class="p">:</span><span class="n">samr</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">external</span><span class="w"></span> <span class="w"> </span><span class="nl">rpc_server</span><span class="p">:</span><span class="n">lsasd</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">external</span><span class="w"></span> <span class="w"> </span><span class="nl">rpc_server</span><span class="p">:</span><span class="n">lsass</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">external</span><span class="w"></span> <span class="w"> </span><span class="nl">rpc_server</span><span class="p">:</span><span class="n">lsarpc</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">external</span><span class="w"></span> <span class="w"> </span><span class="nl">rpc_server</span><span class="p">:</span><span class="n">epmapper</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">external</span><span class="w"></span> <span class="w"> </span><span class="nl">ldapsam</span><span class="p">:</span><span class="n">trusted</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">yes</span><span class="w"></span> <span class="w"> </span><span class="n">idmap</span><span class="w"> </span><span class="n">config</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="err">:</span><span class="w"> </span><span class="n">backend</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">tdb</span><span class="w"></span> <span class="w"> </span><span class="n">ldap</span><span class="w"> </span><span class="k">admin</span><span class="w"> </span><span class="n">dn</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">cn</span><span class="o">=</span><span class="n">Directory</span><span class="w"> </span><span class="n">Manager</span><span class="w"></span> <span class="o">[</span><span class="n">homes</span><span class="o">]</span><span class="w"></span> <span class="w"> </span><span class="n">comment</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">Home</span><span class="w"> </span><span class="n">Directories</span><span class="w"></span> <span class="w"> </span><span class="n">valid</span><span class="w"> </span><span class="n">users</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="o">%</span><span class="n">S</span><span class="p">,</span><span class="w"> </span><span class="o">%</span><span class="n">D</span><span class="o">%</span><span class="n">w</span><span class="o">%</span><span class="n">S</span><span class="w"></span> <span class="w"> </span><span class="n">browseable</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">No</span><span class="w"></span> <span class="w"> </span><span class="k">read</span><span class="w"> </span><span class="k">only</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">No</span><span class="w"></span> <span class="w"> </span><span class="n">inherit</span><span class="w"> </span><span class="n">acls</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">Yes</span><span class="w"></span> <span class="n">EOFCONF</span><span class="w"></span> <span class="n">systemctl</span><span class="w"> </span><span class="n">restart</span><span class="w"> </span><span class="n">smb</span><span class="p">.</span><span class="n">service</span><span class="w"></span> </code></pre> <h2>Appendices</h2> <h3>Get localsid</h3> <p>Get the local SID</p> <pre class="code literal-block"><span></span><code>net getlocalsid </code></pre> <h3>Changing ipa domains</h3> <p>It's possible that if you change ipa domains, the sssd cache is not cleared and you will have cached information for the old domain which can prevent user authentication from happening. You can just clear the cache directory manually and restart sssd.</p> <pre class="code literal-block"><span></span><code><span class="n">rm</span> <span class="o">-</span><span class="n">rf</span> <span class="o">/</span><span class="k">var</span><span class="o">/</span><span class="n">lib</span><span class="o">/</span><span class="n">sss</span><span class="o">/</span><span class="n">db</span><span class="o">/*</span> <span class="n">systemctl</span> <span class="n">restart</span> <span class="n">sssd</span><span class="o">.</span><span class="n">service</span> </code></pre> <p>Reference: </p> <h2>References</h2> <h3>Weblinks</h3> <ol> <li>install samba and kerberize it <a href="https://sites.google.com/site/wikirolanddelepper/directory-services/ipa-server-with-samba">https://sites.google.com/site/wikirolanddelepper/directory-services/ipa-server-with-samba</a></li> <li>add cifs/servername entry <a href="https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA">https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA</a></li> <li>cifs service needs custom privilege to read password <a href="http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa">http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa</a></li> <li>Each user must generate a new password <a href="https://www.redhat.com/archives/freeipa-users/2015-September/msg00052.html">https://www.redhat.com/archives/freeipa-users/2015-September/msg00052.html</a></li> <li>Seminal article about freeipa and samba integration <a href="https://techslaves.org/2011/08/24/freeipa-and-samba-3-integration/">https://techslaves.org/2011/08/24/freeipa-and-samba-3-integration/</a></li> <li>Changing ipa domains </li> </ol>cifsfreeipasambasharewindowshttps://bgstack15.ddns.net/blog/posts/2017/05/10/samba-share-with-freeipa-auth/Wed, 10 May 2017 11:23:42 GMTSamba share with AD authenticationhttps://bgstack15.ddns.net/blog/posts/2016/06/28/samba-share-with-ad-authentication/bgstack15<h2>Updates</h2> <p>AD is great for a Windows environment. Now I have a guide for <a href="https://bgstack15.ddns.net/blog/posts/2017/05/10/samba-share-with-freeipa-auth/">Samba shares with freeipa auth</a>!</p> <h2>Overview</h2> <p>This document describes how to configure a Linux system joined to an AD environment to have a working Samba share for Windows users that uses the AD users and groups for authentication.</p> <h3>Preliminary steps</h3> <p>These steps are covered in the internal CentOS and Ubuntu 16.04 templates.</p> <ul> <li>Ensure ntp is running and enabled</li> <li>The server is joined to the domain</li> </ul> <h2>Setting up samba</h2> <p>Install samba (which should include samba-client and samba-common, at least for rpm) <strong>Centos 7</strong> | <strong>Ubuntu 16.04</strong><br> ---|--- </p> <pre class="code literal-block"><span></span><code>yum -y install samba </code></pre> <p>|</p> <pre class="code literal-block"><span></span><code>apt-get install -y samba </code></pre> <p>Reference: <a href="https://www.howtoforge.com/samba-server-installation-and-%0Aconfiguration-on-centos-7#-preliminary-note">https://www.howtoforge.com/samba-server-installation-and- configuration-on-centos-7#-preliminary-note</a> Open firewall <strong>Centos 7</strong> | <strong>Ubuntu 16.04</strong><br> ---|--- </p> <pre class="code literal-block"><span></span><code>firewall-cmd --permanent --add-service=samba systemctl restart firewalld.service </code></pre> <p>|</p> <pre class="code literal-block"><span></span><code>ufw allow samba </code></pre> <p>Reference: <a href="https://wiki.centos.org/HowTos/SetUpSamba">https://wiki.centos.org/HowTos/SetUpSamba</a> Modify /etc/samba/smb.conf</p> <pre class="code literal-block"><span></span><code><span class="n">bup</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">samba</span><span class="o">/</span><span class="n">smb</span><span class="o">.</span><span class="n">conf</span> <span class="mi">2</span><span class="o">&gt;/</span><span class="n">dev</span><span class="o">/</span><span class="nb nb-Type">null</span> <span class="n">cat</span> <span class="o">&lt;&lt;</span><span class="n">EOFSMB</span> <span class="o">&gt;</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">samba</span><span class="o">/</span><span class="n">smb</span><span class="o">.</span><span class="n">conf</span> <span class="p">[</span><span class="n">global</span><span class="p">]</span> <span class="n">security</span> <span class="o">=</span> <span class="n">ads</span> <span class="n">workgroup</span> <span class="o">=</span> <span class="n">EXAMPLE</span> <span class="n">realm</span> <span class="o">=</span> <span class="n">EXAMPLE</span><span class="o">.</span><span class="n">COM</span> <span class="n">kerberos</span> <span class="n">method</span> <span class="o">=</span> <span class="n">system</span> <span class="n">keytab</span> <span class="n">netbios</span> <span class="n">name</span> <span class="o">=</span> <span class="o">$</span><span class="p">(</span> <span class="n">hostname</span> <span class="o">-</span><span class="n">s</span> <span class="p">)</span> <span class="n">server</span> <span class="n">string</span> <span class="o">=</span> <span class="n">Samba</span> <span class="n">Server</span> <span class="n">Version</span> <span class="o">%</span><span class="n">v</span> <span class="nb">log</span> <span class="n">file</span> <span class="o">=</span> <span class="o">/</span><span class="k">var</span><span class="o">/</span><span class="nb">log</span><span class="o">/</span><span class="n">samba</span><span class="o">/</span><span class="nb">log</span><span class="o">.%</span><span class="n">m</span> <span class="nb">max</span> <span class="nb">log</span> <span class="n">size</span> <span class="o">=</span> <span class="mi">50</span> <span class="n">dns</span> <span class="n">proxy</span> <span class="o">=</span> <span class="n">no</span> <span class="n">encrypt</span> <span class="n">passwords</span> <span class="o">=</span> <span class="n">yes</span> <span class="n">passdb</span> <span class="n">backend</span> <span class="o">=</span> <span class="n">tdbsam</span> <span class="nb">load</span> <span class="n">printers</span> <span class="o">=</span> <span class="n">no</span> <span class="n">cups</span> <span class="n">options</span> <span class="o">=</span> <span class="n">raw</span> <span class="n">printcap</span> <span class="n">name</span> <span class="o">=</span> <span class="o">/</span><span class="n">dev</span><span class="o">/</span><span class="nb nb-Type">null</span> <span class="p">[</span><span class="n">homes</span><span class="p">]</span> <span class="n">comment</span> <span class="o">=</span> <span class="n">Home</span> <span class="n">Directories</span> <span class="n">browseable</span> <span class="o">=</span> <span class="n">no</span> <span class="n">writable</span> <span class="o">=</span> <span class="n">yes</span> <span class="c1"># END BASELINE SMB.CONF </span> <span class="n">EOFSMB</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">cp</span> <span class="o">-</span><span class="n">p</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">samba</span><span class="o">/</span><span class="n">smb</span><span class="o">.</span><span class="n">conf</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">samba</span><span class="o">/</span><span class="n">smb</span><span class="o">.</span><span class="n">conf</span><span class="o">.</span><span class="n">example</span> </code></pre> <p>Reference for kerberos method: <a href="https://access.redhat.com/documentation/en-%0AUS/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/sssd-ad-%0Aintegration.html">https://access.redhat.com/documentation/en- US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/sssd-ad- integration.html</a> On CentOS 7 only, set SELinux to allow samba to share nfs locations if necessary.</p> <pre class="code literal-block"><span></span><code>setsebool -P samba_share_nfs 1 </code></pre> <p>Reference: <a href="http://serverfault.com/questions/470878/is-there-a-way-to-share-%0Avia-smb-a-filesystem-mounted-via-nfs-without-disabling-s/470879#470879">http://serverfault.com/questions/470878/is-there-a-way-to-share- via-smb-a-filesystem-mounted-via-nfs-without-disabling-s/470879#470879</a> Start and enable the samba service <strong>Centos 7</strong> | <strong>Ubuntu 16.04</strong><br> ---|--- </p> <pre class="code literal-block"><span></span><code>systemctl enable smb systemctl start smb </code></pre> <p>|</p> <pre class="code literal-block"><span></span><code>systemctl enable smbd nmbd systemctl start smbd nmbd </code></pre> <h3>Making smb.conf dynamic</h3> <p>Unfortunately smb.conf does not provide support for a directive similar to "include = /etc/samba/smb.conf.d/*.conf." However, with some modifications and a shell script this can be simulated. A template file, input directory for extra snippets, and output file can be used along with this script.</p> <pre class="code literal-block"><span></span><code>cat <span class="err">&lt;&lt;</span>'EOFSCRIPT' &gt; /usr/local/bin/samba-conf #!/bin/sh # File: /usr/local/bin/samba-conf infile1=/etc/samba/smb.conf.example indir1=/etc/samba/smb.conf.d outfile1=/etc/samba/smb.conf tmpfile1=/etc/samba/smb.conf.orig.$( date "+%Y-%m-%d").$$ [[ ! -f "<span class="cp">${</span><span class="n">infile1</span><span class="cp">}</span>" ]] <span class="err">&amp;&amp;</span> echo "$0: 2. Template not found: <span class="cp">${</span><span class="n">infile1</span><span class="cp">}</span>. Aborted." 1&gt;<span class="err">&amp;</span>2 <span class="err">&amp;&amp;</span> exit 1 { cat "<span class="cp">${</span><span class="n">infile1</span><span class="cp">}</span>" printf "\n" find "<span class="cp">${</span><span class="n">indir1</span><span class="cp">}</span>" -type f -regex ".*.conf" 2&gt;/dev/null | sed -e 's/^/include = /;' } &gt; "<span class="cp">${</span><span class="n">tmpfile1</span><span class="cp">}</span>" { if ! diff -q "<span class="cp">${</span><span class="n">tmpfile1</span><span class="cp">}</span>" "<span class="cp">${</span><span class="n">outfile1</span><span class="cp">}</span>"; then /bin/chmod --ref "<span class="cp">${</span><span class="n">outfile1</span><span class="cp">}</span>" "<span class="cp">${</span><span class="n">tmpfile1</span><span class="cp">}</span>" /bin/cp -p "<span class="cp">${</span><span class="n">tmpfile1</span><span class="cp">}</span>" "<span class="cp">${</span><span class="n">outfile1</span><span class="cp">}</span>" /bin/rm -rf "<span class="cp">${</span><span class="n">tmpfile1</span><span class="cp">}</span>" fi /bin/rm -rf "<span class="cp">${</span><span class="n">tmpfile1</span><span class="cp">}</span>" } &gt;/dev/null 2&gt;<span class="err">&amp;</span>1 EOFSCRIPT chmod 750 /usr/local/bin/samba-conf </code></pre> <p>Modify any files in /etc/samba/smb.conf.d/ and then run samba-conf.</p> <h2>Connecting client to the share</h2> <p>On a Windows client, use Windows Explorer and navigate to \\hostname.example.com\ and see if the share is available. If you must log in as a different user, you can use the Windows command on the command line:</p> <pre class="code literal-block"><span></span><code>net use \\hostname.example.com\bgscripts /user:example\bgscripts </code></pre> <p>Also to clear a connection to a shared location, use:</p> <pre class="code literal-block"><span></span><code>net use \\hostname.example.com\bgscripts /delete </code></pre> <h2>Appendices</h2> <h4>Sample share file /etc/samba/smb.conf.d/bgscripts.conf</h4> <pre class="code literal-block"><span></span><code><span class="n">mkdir</span><span class="w"> </span><span class="o">-</span><span class="n">p</span><span class="w"> </span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">samba</span><span class="o">/</span><span class="n">smb</span><span class="p">.</span><span class="n">conf</span><span class="p">.</span><span class="n">d</span><span class="o">/</span><span class="w"></span> <span class="n">cat</span><span class="w"> </span><span class="o">&lt;&lt;</span><span class="n">EOF</span><span class="w"> </span><span class="o">&gt;</span><span class="w"> </span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">samba</span><span class="o">/</span><span class="n">smb</span><span class="p">.</span><span class="n">conf</span><span class="p">.</span><span class="n">d</span><span class="o">/</span><span class="n">bgscripts</span><span class="p">.</span><span class="n">conf</span><span class="w"></span> <span class="p">[</span><span class="n">bgscripts</span><span class="p">]</span><span class="w"></span> <span class="w"> </span><span class="n">path</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="o">/</span><span class="n">mnt</span><span class="o">/</span><span class="n">scripts</span><span class="o">/</span><span class="n">share</span><span class="w"></span> <span class="w"> </span><span class="n">comment</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">Test</span><span class="w"> </span><span class="n">samba</span><span class="w"> </span><span class="n">share</span><span class="w"></span> <span class="w"> </span><span class="n">browsable</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">yes</span><span class="w"></span> <span class="w"> </span><span class="n">public</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">yes</span><span class="w"></span> <span class="w"> </span><span class="n">writable</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">yes</span><span class="w"></span> <span class="w"> </span><span class="n">valid</span><span class="w"> </span><span class="n">users</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">@"Linux-Server-Access_grp@EXAMPLE.COM"</span><span class="w"></span> <span class="n">EOF</span><span class="w"></span> </code></pre> <h2>References</h2> <h3>Weblinks</h3> <ol> <li><a href="https://wiki.centos.org/HowTos/SetUpSamba">https://wiki.centos.org/HowTos/SetUpSamba</a></li> <li><a href="https://www.howtoforge.com/samba-server-installation-and-configuration-on-centos-7#-preliminary-note">https://www.howtoforge.com/samba-server-installation-and-configuration-on-centos-7#-preliminary-note</a></li> <li>Complete working guide with AD users and everything <a href="http://www.hexblot.com/blog/centos-7-active-directory-and-samba">http://www.hexblot.com/blog/centos-7-active-directory-and-samba</a></li> <li>SELinux managing contexts <a href="http://www.linuxquestions.org/questions/linux-security-4/selinux-and-help-with-chcon-762735/">http://www.linuxquestions.org/questions/linux-security-4/selinux-and-help-with-chcon-762735/</a></li> </ol> <p>SELinux Policy: Managing File Contexts Change file context</p> <pre class="code literal-block"><span></span><code>chcon -R -t public_content_t /mydata/html </code></pre> <p>Does not persist across a relabel! (eg reboot) Add new mapping</p> <pre class="code literal-block"><span></span><code>semanage fcontext -a -t public_content_t '/mydata/html(/.*)?' </code></pre> <p>Apply the policy context to existing files</p> <pre class="code literal-block"><span></span><code>restorecon -vvFR /mydata/html </code></pre> <ol> <li>SELinux policy <a href="http://serverfault.com/questions/470878/is-there-a-way-to-share-via-smb-a-filesystem-mounted-via-nfs-without-disabling-s/470879#470879">http://serverfault.com/questions/470878/is-there-a-way-to-share-via-smb-a-filesystem-mounted-via-nfs-without-disabling-s/470879#470879</a></li> <li>Ubuntu needed help accessing AD through SSSD. Found solution here <a href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/sssd-ad-integration.html">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/sssd-ad-integration.html</a></li> </ol> <h3>Internal documents</h3> <ol> <li>The environment required, including krb5.conf and sssd.conf, comes from Building the Centos 7 Template</li> <li>Firewall commands from Adding the service httpd</li> </ol>linuxsambasharehttps://bgstack15.ddns.net/blog/posts/2016/06/28/samba-share-with-ad-authentication/Tue, 28 Jun 2016 13:59:45 GMT