Samba share with AD authentication

Updates

AD is great for a Windows environment. Now I have a guide for Samba shares with freeipa auth!

Overview

This document describes how to configure a Linux system joined to an AD environment to have a working Samba share for Windows users that uses the AD users and groups for authentication.

Preliminary steps

These steps are covered in the internal CentOS and Ubuntu 16.04 templates.

  • Ensure ntp is running and enabled
  • The server is joined to the domain

Setting up samba

Install samba (which should include samba-client and samba-common, at least for rpm).

CentOS 7:

yum -y install samba

Ubuntu 16.04:

apt-get install -y samba

Reference: https://www.howtoforge.com/samba-server-installation-and-configuration-on-centos-7#-preliminary-note

Open firewall

CentOS 7:

firewall-cmd --permanent --add-service=samba
systemctl restart firewalld.service

Ubuntu 16.04:

ufw allow samba

Reference: https://wiki.centos.org/HowTos/SetUpSamba

Modify /etc/samba/smb.conf

bup /etc/samba/smb.conf 2>/dev/null
cat <<EOFSMB > /etc/samba/smb.conf
[global]
        security = ads
        workgroup = EXAMPLE
        realm = EXAMPLE.COM
        kerberos method = system keytab
        netbios name = $( hostname -s )
        server string = Samba Server Version %v
        log file = /var/log/samba/log.%m
        max log size = 50
        dns proxy = no
        encrypt passwords = yes
        passdb backend = tdbsam
        load printers = no
        cups options = raw
        printcap name = /dev/null
[homes]
        comment = Home Directories
        browseable = no
        writable = yes

# END BASELINE SMB.CONF 
EOFSMB
/bin/cp -p /etc/samba/smb.conf /etc/samba/smb.conf.example

Reference for kerberos method: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/sssd-ad-integration.html

On CentOS 7 only, set SELinux to allow samba to share NFS-mounted locations if necessary.

setsebool -P samba_share_nfs 1

Reference: http://serverfault.com/questions/470878/is-there-a-way-to-share-via-smb-a-filesystem-mounted-via-nfs-without-disabling-s/470879#470879

Start and enable the samba service

CentOS 7:

systemctl enable smb
systemctl start smb

Ubuntu 16.04:

systemctl enable smbd nmbd
systemctl start smbd nmbd

Making smb.conf dynamic

Unfortunately smb.conf does not support a directive like "include = /etc/samba/smb.conf.d/*.conf". With a small shell script, however, this can be simulated: a template file, an input directory for extra snippets, and an output file are combined by the script below into the live smb.conf, one "include =" line per snippet.

cat <<'EOFSCRIPT' > /usr/local/bin/samba-conf
#!/bin/sh
# File: /usr/local/bin/samba-conf
# Rebuild /etc/samba/smb.conf from the template plus one "include =" line per
# *.conf snippet in /etc/samba/smb.conf.d/. The live file is only replaced
# when the generated content differs from it.

infile1=/etc/samba/smb.conf.example
indir1=/etc/samba/smb.conf.d
outfile1=/etc/samba/smb.conf
tmpfile1=/etc/samba/smb.conf.orig.$( date "+%Y-%m-%d").$$

# POSIX test rather than [[ ]]: /bin/sh is dash on Ubuntu, which has no [[ ]]
[ ! -f "${infile1}" ] && echo "$0: 2. Template not found: ${infile1}. Aborted." 1>&2 && exit 1

{
   cat "${infile1}"
   printf "\n"
   # only real *.conf files, sorted so the generated file is stable between runs
   find "${indir1}" -type f -name '*.conf' 2>/dev/null | sort | sed -e 's/^/include = /;'
} > "${tmpfile1}"

{
   if ! diff -q "${tmpfile1}" "${outfile1}";
   then
      # keep the mode and ownership of the existing smb.conf
      /bin/chmod --reference="${outfile1}" "${tmpfile1}"
      /bin/cp -p "${tmpfile1}" "${outfile1}"
   fi
   /bin/rm -f "${tmpfile1}"
} >/dev/null 2>&1
EOFSCRIPT
chmod 750 /usr/local/bin/samba-conf

Modify any files in /etc/samba/smb.conf.d/ and then run samba-conf. Keep that directory and its files owned by root and not writable by other users: every *.conf file in it becomes part of the running smbd configuration.

Connecting client to the share

On a Windows client, open Windows Explorer, navigate to \\hostname.example.com\ and check that the share is listed. If you must connect as a different user, use the net command from a Windows command prompt:

net use \\hostname.example.com\bgscripts /user:example\bgscripts

To remove a connection to a shared location, use:

net use \\hostname.example.com\bgscripts /delete

Appendices

Sample share file /etc/samba/smb.conf.d/bgscripts.conf

mkdir -p /etc/samba/smb.conf.d/
cat <<EOF > /etc/samba/smb.conf.d/bgscripts.conf
[bgscripts]
        path = /mnt/scripts/share
        comment = Test samba share
        browsable = yes
        public = yes
        writable = yes
        valid users = @"Linux-Server-Access_grp@EXAMPLE.COM"
EOF
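The snippet above and the "Making smb.conf dynamic" section both rely on every *.conf file in /etc/samba/smb.conf.d/ being pulled straight into the running server configuration, which makes that directory worth checking before samba-conf runs. The following POSIX sh audit is an added example, not part of this guide or of the bgscripts tooling: it reads each snippet and reports a world-writable file, a share with guest access ("public" is a synonym for "guest ok"), a guest share that is also writable, and a share with no "valid users" restriction. The share names, paths and snippet contents in smb_demo are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original guide or its samba-conf script.
# Audits the share snippets in an smb.conf.d-style directory before they are
# folded into the live smb.conf through "include =" lines. Share names, paths
# and the snippet contents in smb_demo are constructed for the demo.

# Print the value of key $2 in file $1 (first match, case-insensitive, trimmed).
smb_get() {
    grep -i "^[[:space:]]*$2[[:space:]]*=" "$1" 2>/dev/null | head -n 1 |
        sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//'
}

# Succeed when $1 is one of the spellings Samba reads as boolean "yes".
smb_yes() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        yes|true|1) return 0 ;;
        *) return 1 ;;
    esac
}

# Audit one snippet; print one line per finding.
smb_audit_file() {
    f=$1
    share=$(sed -n 's/^[[:space:]]*\[\(.*\)\].*/\1/p' "$f" | head -n 1)
    share=${share:-?}
    # Anyone who can edit a snippet can define shares on this server:
    # the 9th character of "ls -l" output is the others-write bit.
    if [ "$(ls -ld "$f" | cut -c9)" = "w" ]; then
        echo "$f [$share]: snippet is world-writable"
    fi
    # "public" is a synonym for "guest ok": no credentials needed to connect.
    if smb_yes "$(smb_get "$f" "guest ok")" || smb_yes "$(smb_get "$f" "public")"; then
        if smb_yes "$(smb_get "$f" writable)" || smb_yes "$(smb_get "$f" writeable)"; then
            echo "$f [$share]: guest-writable share"
        else
            echo "$f [$share]: guest access enabled"
        fi
    fi
    # Without "valid users", any account that can authenticate may connect.
    if [ -z "$(smb_get "$f" "valid users")" ]; then
        echo "$f [$share]: no 'valid users' restriction"
    fi
}

# Audit every *.conf snippet directly under directory $1.
smb_audit_dir() {
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        smb_audit_file "$f"
    done
}

# Demo on two constructed snippets: one restricted to an AD group like the
# bgscripts share above, one that is guest-writable and world-writable.
# Prints the findings followed by a "findings: N" summary line.
smb_demo() {
    d=$(mktemp -d)
    cat > "$d/scripts.conf" <<'EOF'
[scripts]
        path = /srv/demo/scripts
        writable = yes
        valid users = @"Linux-Server-Access_grp@EXAMPLE.COM"
EOF
    cat > "$d/drop.conf" <<'EOF'
[drop]
        path = /srv/demo/drop
        public = yes
        writable = yes
EOF
    chmod 644 "$d/scripts.conf"
    chmod 666 "$d/drop.conf"
    smb_audit_dir "$d" > "$d/findings.txt"
    cat "$d/findings.txt"
    echo "findings: $(wc -l < "$d/findings.txt" | tr -d ' ')"
    rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then
    smb_demo
fi
```

Run it with `--demo` to see the three findings against the constructed drop share, or source it and call `smb_audit_dir /etc/samba/smb.conf.d` on a real server before running samba-conf. It checks intent, not syntax: `testparm -s` remains the tool for validating that the merged smb.conf parses.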

References

Weblinks

  1. https://wiki.centos.org/HowTos/SetUpSamba
  2. https://www.howtoforge.com/samba-server-installation-and-configuration-on-centos-7#-preliminary-note
  3. Complete working guide with AD users and everything http://www.hexblot.com/blog/centos-7-active-directory-and-samba
  4. SELinux managing contexts http://www.linuxquestions.org/questions/linux-security-4/selinux-and-help-with-chcon-762735/

SELinux Policy: Managing File Contexts

Change file context:

chcon -R -t public_content_t /mydata/html

Does not persist across a relabel (e.g. reboot)! Add a new mapping:

semanage fcontext -a -t public_content_t '/mydata/html(/.*)?'

Apply the policy context to existing files:

restorecon -vvFR /mydata/html

  5. SELinux policy http://serverfault.com/questions/470878/is-there-a-way-to-share-via-smb-a-filesystem-mounted-via-nfs-without-disabling-s/470879#470879
  6. Ubuntu needed help accessing AD through SSSD. Found solution here https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/sssd-ad-integration.html

Internal documents

  1. The environment required, including krb5.conf and sssd.conf, comes from Building the Centos 7 Template
  2. Firewall commands from Adding the service httpd
