Setting up a Samba File Server on RedHat8 and derived distributions

Attention

This documentation is based on the Redhat8 distribution.

The Samba package version of the Redhat8 distribution is sufficiently up-to-date to provide optimal file service. There is therefore no need to recompile Samba from source.

Note

In this documentation, it is assumed:

• That you will have installed the system base of your file server by following the base installation documentation and that your server is called srvfiles.

• That the IP address of your domain controller is 192.168.1.11.

• That your domain is called mydomain.lan.

• Modify the file /etc/hosts so that it contains the DNS resolution of the FQDN of the machine on its IP (ie not 127.0.0.1), with the long name first then the short name.

• Modify the /etc/resolv.conf file to point to the AD DNS, modify the network-scripts file as well:

  search mydomain.lan
  domain mydomain.lan
  nameserver 192.168.1.11
  

Hint

Add domain mydomain.lan in the /etc/resolv.conf file is necessary because in the smb.conf, the winbind use default domain = yes option relies on it. If this is not done, it causes the following problems:

• Problem with the command net ads testjoin that says it can’t find the domain controller.

• The command chown userad1 myfile does not work.

• A wbinfo -u / -g / -i does not return a result.

• Reboot the machine so it takes its new name into account:

  reboot
  

• Install the dependencies;

  yum install samba samba-winbind samba-winbind-clients krb5-workstation
  

Joining the file server to the domain

• Edit the /etc/krb5.conf file and replace the whole file with the lines below:

  [libdefaults]
  dns_lookup_realm = false
  dns_lookup_kdc = true
  default_realm = MYDOMAIN.LAN
  

• Ensure that the DNS configuration in /etc/nsswitch.conf has not been modified by installing any package. If the host line looks like the line below, change it to look like the line just after:

  hosts: files dns mdns4_minimal [NOTFOUND=return] mdns    #BAD!!!
  hosts: files dns myhostname                              #GOOD
  

• Ensure that kerberos is properly configured:

  kinit administrator
  klist
  

Configuration of the smb.conf

Depending on the type of schema used (RFC2307 / AD), the file will not be similar!

• Create the samba configuration file /etc/samba/smb.conf.

• Replace the name MYDOMAIN.LAN by your kerberos kingdom.

RID based operation

You will usually use the RID configuration if you have migrated from an MS-AD or if you have created a new Samba-AD domain. You will usually use the RFC2307 configuration if you migrated from samba-NT4 to samba-AD. For more information, see the explanations on IDMapping.

Configuration of /etc/samba/smb.conf

RID mode

RFC2307 mode

[global] workgroup = MYDOMAIN security = ADS realm = MYDOMAIN.LAN winbind separator = + idmap config *:backend = tdb idmap config *:range = 700001-800000 idmap config MYDOMAIN:backend = rid idmap config MYDOMAIN:range = 10000-700000 winbind use default domain = yes winbind enum users = yes winbind enum groups = yes vfs objects = acl_xattr map acl inherit = Yes template homedir = /home/homes/%U [shares] path = /home/shares read only = no [homes] path = /home/homes/%U read only = no [profiles] path = /home/profiles read only = no

[global] workgroup = MYDOMAIN security = ADS realm = MYDOMAIN.LAN idmap config *:backend = tdb idmap config *:range = 700001-800000 idmap config MYDOMAIN:backend = ad idmap config MYDOMAIN:schema_mode = rfc2307 idmap config MYDOMAIN:range = 500-700000 winbind nss info = rfc2307 vfs objects = acl_xattr map acl inherit = Yes winbind use default domain = yes winbind enum users = yes winbind enum groups = yes template homedir = /home/homes/%U [shares] path = /home/shares read only = no [homes] path = /home/homes/%U read only = no [profiles] path = /home/profiles read only = no

Note

If you do not want to use your file server as a print service, add the following options in the global section of the file /etc/samba/smb.conf.

printcap name = /dev/null
load printers = no
disable spoolss = yes
printing = bsd

Joining the file server to the domain

net ads join -U administrator

• Configure the /etc/nsswitch.conf file, change the following lines:

  passwd:         files sssd winbind
  group:          files sssd winbind
  shadow:         files sssd winbind
  

• Enable & restart services:

  systemctl enable winbind smb
  systemctl restart winbind
  systemctl restart smb
  

• Reboot in order to empty the nsswitch caches:

  reboot
  

• Check the correct connection to the domain:

  • The following 3 commands should return users, groups and AD account informations as received by winbindd:

    wbinfo -u
    wbinfo -g
    wbinfo -i administrator
    

  • The 2 following commands should return users and groups with their uidNumber as interpreted by the Linux system. Make sure that you can see the users of the AD: administrator, krbtgt, etc.

    getent passwd administrator
    getent group "domain admins"
    

Creating network shares

mkdir /home/shares
chown administrator:"domain users" /home/shares
chmod 770 /home/shares