Setting up a Samba File Server on RedHat8 and derived distributions

Attention

This documentation is based on the Redhat8 distribution.

The Samba package version of the Redhat8 distribution is sufficiently up-to-date to provide optimal file service. There is therefore no need to recompile Samba from source.

Note

In this documentation, it is assumed:

  • That you will have installed the system base of your file server by following the base installation documentation and that your server is called srvfiles.

  • That the IP address of your domain controller is 192.168.1.11.

  • That your domain is called mydomain.lan.

  • Modify the file /etc/hosts so that it resolves the FQDN of the machine to its real IP address (not 127.0.0.1), with the long name first, then the short name.

  • Modify the /etc/resolv.conf file to point to the AD DNS. On RHEL 8, NetworkManager regenerates /etc/resolv.conf from the interface configuration, so set the same values (DNS1 and DOMAIN) in the interface's ifcfg file under /etc/sysconfig/network-scripts as well:

    search mydomain.lan
    domain mydomain.lan
    nameserver 192.168.1.11
    

Hint

Adding domain mydomain.lan to the /etc/resolv.conf file is necessary because the winbind use default domain = yes option in smb.conf relies on it. If this is not done, it causes the following problems:

  • Problem with the command net ads testjoin that says it can’t find the domain controller.

  • The command chown userad1 myfile does not work.

  • A wbinfo -u / -g / -i does not return a result.

  • Reboot the machine so it takes its new name into account:

    reboot
    
  • Install the dependencies:

    yum install samba samba-winbind samba-winbind-clients krb5-workstation
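
The name-resolution prerequisites above are the ones the Hint says break net ads testjoin, chown and wbinfo, so they are worth checking before the join. The following script is an added example and is not part of the original page: check_hosts verifies that a hosts file maps the FQDN to a non-loopback address with the long name first and the short name after it, and check_resolv verifies that a resolv.conf lists the domain controller as nameserver and the AD domain as search/domain. It uses the names of this documentation (srvfiles.mydomain.lan, mydomain.lan, 192.168.1.11); the server address 192.168.1.20 in the constructed sample files is an assumption, and the sample files themselves are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original page): sanity checks for the name
# resolution prerequisites of an AD member server.
#   check_hosts  HOSTS_FILE  FQDN           -> 0 if FQDN is mapped correctly
#   check_resolv RESOLV_FILE DOMAIN DC_IP   -> 0 if DNS points at the DC
# Both print a reason and return 1 on failure.

check_hosts() {
    hosts_file="$1"
    fqdn="$2"
    short="${fqdn%%.*}"          # srvfiles.mydomain.lan -> srvfiles
    awk -v fqdn="$fqdn" -v short="$short" '
        BEGIN { bad = 0; found = 0 }
        /^[ \t]*#/ || NF < 2 { next }                 # comments, blank lines
        {
            for (i = 2; i <= NF; i++) {
                if ($i != fqdn) continue
                if ($1 ~ /^127\./ || $1 == "::1") {
                    print "hosts: " fqdn " is mapped to loopback address " $1
                    bad = 1; next
                }
                if (i != 2) { print "hosts: " fqdn " must be the first name after the address"; bad = 1 }
                if ($3 != short) { print "hosts: short name " short " must follow the FQDN"; bad = 1 }
                found = 1
            }
        }
        END {
            if (!found) { print "hosts: no non-loopback entry for " fqdn; exit 1 }
            exit bad
        }' "$hosts_file"
}

check_resolv() {
    resolv_file="$1"
    domain="$2"
    dc_ip="$3"
    awk -v domain="$domain" -v dc="$dc_ip" '
        BEGIN { ns = 0; srch = 0 }
        $1 == "nameserver" && $2 == dc { ns = 1 }
        $1 == "search" || $1 == "domain" { for (i = 2; i <= NF; i++) if ($i == domain) srch = 1 }
        END {
            rc = 0
            if (!ns)   { print "resolv: domain controller " dc " is not listed as nameserver"; rc = 1 }
            if (!srch) { print "resolv: " domain " is not set as search/domain"; rc = 1 }
            exit rc
        }' "$resolv_file"
}

# Constructed sample files (192.168.1.20 is an assumed address for srvfiles).
write_dns_samples() {
    dir="$1"
    # Correct: real address, FQDN first, then the short name.
    printf '127.0.0.1 localhost localhost.localdomain\n192.168.1.20 srvfiles.mydomain.lan srvfiles\n' > "$dir/hosts.good"
    # Wrong: the FQDN is only mapped to the loopback address.
    printf '127.0.0.1 localhost srvfiles.mydomain.lan srvfiles\n' > "$dir/hosts.loopback"
    # Wrong: short name before the FQDN.
    printf '127.0.0.1 localhost\n192.168.1.20 srvfiles srvfiles.mydomain.lan\n' > "$dir/hosts.order"
    printf 'search mydomain.lan\ndomain mydomain.lan\nnameserver 192.168.1.11\n' > "$dir/resolv.good"
    # Wrong: a public resolver that knows nothing about the AD zone.
    printf 'nameserver 8.8.8.8\n' > "$dir/resolv.bad"
}

# Demo run on the constructed sample files.
tmp=$(mktemp -d)
write_dns_samples "$tmp"
for f in hosts.good hosts.loopback hosts.order; do
    if check_hosts "$tmp/$f" srvfiles.mydomain.lan; then echo "$f: OK"; else echo "$f: FAIL"; fi
done
for f in resolv.good resolv.bad; do
    if check_resolv "$tmp/$f" mydomain.lan 192.168.1.11; then echo "$f: OK"; else echo "$f: FAIL"; fi
done
rm -rf "$tmp"
```

On a real server run check_hosts /etc/hosts "$(hostname -f)" and check_resolv /etc/resolv.conf mydomain.lan 192.168.1.11 after the reboot, before net ads join.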
    

Joining the file server to the domain

  • Edit the /etc/krb5.conf file and replace the whole file with the lines below:

    [libdefaults]
    dns_lookup_realm = false
    dns_lookup_kdc = true
    default_realm = MYDOMAIN.LAN
    
  • Ensure that the DNS configuration in /etc/nsswitch.conf has not been modified by installing any package. If the host line looks like the line below, change it to look like the line just after:

    hosts: files dns mdns4_minimal [NOTFOUND=return] mdns    #BAD!!!
    hosts: files dns myhostname                              #GOOD
    
  • Ensure that kerberos is properly configured:

    kinit administrator
    klist
    

Configuration of the smb.conf

Depending on the ID mapping scheme used (RID or RFC2307), the file differs.

  • Create the samba configuration file /etc/samba/smb.conf.

  • Replace the name MYDOMAIN.LAN by your Kerberos realm.

RID based operation

You will usually use the RID configuration if you have migrated from an MS-AD or if you have created a new Samba-AD domain. You will usually use the RFC2307 configuration if you migrated from Samba-NT4 to Samba-AD (the ad backend reads uidNumber/gidNumber from the AD objects). In both cases, the range of the domain backend and the range of the default * backend must not overlap each other, and should not include IDs that local accounts already use. For more information, see the explanations on IDMapping.

Configuration of /etc/samba/smb.conf

RID mode

[global]
  workgroup = MYDOMAIN
  security = ADS
  realm = MYDOMAIN.LAN
  winbind separator = +
  idmap config *:backend = tdb
  idmap config *:range = 700001-800000
  idmap config MYDOMAIN:backend  = rid
  idmap config MYDOMAIN:range  = 10000-700000
  winbind use default domain = yes
  winbind enum users = yes
  winbind enum groups = yes
  vfs objects = acl_xattr
  map acl inherit = Yes
  template homedir = /home/homes/%U

[shares]
  path = /home/shares
  read only = no

[homes]
  path = /home/homes/%U
  read only = no

[profiles]
  path = /home/profiles
  read only = no

RFC2307 mode

[global]
  workgroup = MYDOMAIN
  security = ADS
  realm = MYDOMAIN.LAN
  idmap config *:backend = tdb
  idmap config *:range = 700001-800000
  idmap config MYDOMAIN:backend = ad
  idmap config MYDOMAIN:schema_mode = rfc2307
  idmap config MYDOMAIN:range = 500-700000
  winbind nss info = rfc2307
  vfs objects = acl_xattr
  map acl inherit = Yes
  winbind use default domain = yes
  winbind enum users = yes
  winbind enum groups = yes
  template homedir = /home/homes/%U

[shares]
  path = /home/shares
  read only = no

[homes]
  path = /home/homes/%U
  read only = no

[profiles]
  path = /home/profiles
  read only = no
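
The idmap ranges in the two configurations above are easy to break when editing: the domain range and the default * range must not overlap each other, and neither should reach into the IDs of local accounts. The following script is an added example, not part of the original page: it parses the idmap config ...:range lines of an smb.conf and checks both conditions against a passwd file. The sample smb.conf and passwd files are constructed for the demo; rid.conf copies the RID configuration above, overlap.conf shares one ID between the two ranges, and lowstart.conf starts the domain range at 500 like the RFC2307 example, which the check flags because on RHEL 8 system accounts occupy UIDs up to 999 and ordinary users start at 1000.

```shell
#!/bin/sh
# Added example (not from the original page): check the idmap ranges of an
# smb.conf.  The domain range and the default "*" range must not overlap each
# other, and neither may start at or below the highest UID of a local account.
#   check_idmap_ranges SMB_CONF [PASSWD_FILE]   -> 0 if consistent, 1 otherwise

check_idmap_ranges() {
    smb_conf="$1"
    passwd_file="${2:-/etc/passwd}"

    # Highest UID of a local account, ignoring nobody (65534).
    local_max=$(awk -F: 'BEGIN { m = 0 } $3 < 65534 && $3 > m { m = $3 } END { print m + 0 }' "$passwd_file")

    awk -v local_max="$local_max" '
        BEGIN { n = 0 }
        # idmap config DOMAIN:range = LOW-HIGH   (keys are case-insensitive in smb.conf)
        tolower($0) ~ /^[ \t]*idmap[ \t]+config[ \t]+[^:]+:[ \t]*range[ \t]*=/ {
            line = tolower($0)
            sub(/^[ \t]*idmap[ \t]+config[ \t]+/, "", line)
            dom = line;  sub(/:.*/, "", dom)
            rng = line;  sub(/^[^=]*=[ \t]*/, "", rng);  gsub(/[ \t]/, "", rng)
            split(rng, b, "-")
            n++; name[n] = dom; lo[n] = b[1] + 0; hi[n] = b[2] + 0
        }
        END {
            rc = 0
            if (n == 0) { print "no idmap config ...:range lines found"; exit 1 }
            for (i = 1; i <= n; i++) {
                if (lo[i] >= hi[i]) {
                    printf "%s: range %d-%d is empty or reversed\n", name[i], lo[i], hi[i]; rc = 1
                }
                if (lo[i] <= local_max) {
                    printf "%s: range %d-%d overlaps local accounts (highest local UID %d)\n", name[i], lo[i], hi[i], local_max; rc = 1
                }
                for (j = i + 1; j <= n; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                        printf "%s and %s: ranges %d-%d and %d-%d overlap\n", name[i], name[j], lo[i], hi[i], lo[j], hi[j]; rc = 1
                    }
            }
            if (rc == 0) printf "%d idmap range(s) consistent\n", n
            exit rc
        }' "$smb_conf"
}

# Constructed sample files for the demo.
write_idmap_samples() {
    dir="$1"
    # Local accounts: system accounts below 1000, one ordinary user at 1000.
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
chrony:x:995:991::/var/lib/chrony:/sbin/nologin
localadmin:x:1000:1000::/home/localadmin:/bin/bash
nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
EOF
    # The RID configuration of this page: disjoint ranges, above local UIDs.
    cat > "$dir/rid.conf" <<'EOF'
[global]
  workgroup = MYDOMAIN
  security = ADS
  realm = MYDOMAIN.LAN
  idmap config *:backend = tdb
  idmap config *:range = 700001-800000
  idmap config MYDOMAIN:backend  = rid
  idmap config MYDOMAIN:range  = 10000-700000
EOF
    # Mistake: the two ranges share ID 700000.
    cat > "$dir/overlap.conf" <<'EOF'
[global]
  idmap config *:backend = tdb
  idmap config *:range = 700000-800000
  idmap config MYDOMAIN:backend = rid
  idmap config MYDOMAIN:range = 10000-700000
EOF
    # Mistake: the domain range starts inside the local account range.
    cat > "$dir/lowstart.conf" <<'EOF'
[global]
  idmap config *:backend = tdb
  idmap config *:range = 700001-800000
  idmap config MYDOMAIN:backend = ad
  idmap config MYDOMAIN:schema_mode = rfc2307
  idmap config MYDOMAIN:range = 500-700000
EOF
}

tmp=$(mktemp -d)
write_idmap_samples "$tmp"
for f in rid.conf overlap.conf lowstart.conf; do
    if check_idmap_ranges "$tmp/$f" "$tmp/passwd"; then echo "$f: OK"; else echo "$f: FAIL"; fi
done
rm -rf "$tmp"
```

Run check_idmap_ranges /etc/samba/smb.conf on the file server before starting winbind; testparm -s validates the syntax but does not check the ranges against each other or against local accounts.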

Note

If you do not want to use your file server as a print service, add the following options in the global section of the file /etc/samba/smb.conf (disable spoolss = yes also stops smbd from exposing the spoolss RPC service):

printcap name = /dev/null
load printers = no
disable spoolss = yes
printing = bsd

Joining the file server to the domain

  • Join the domain:

    net ads join -U administrator
    
  • Configure the /etc/nsswitch.conf file, change the following lines:

    passwd:         files sssd winbind
    group:          files sssd winbind
    shadow:         files sssd winbind
    
  • Enable & restart services:

    systemctl enable winbind smb
    systemctl restart winbind
    systemctl restart smb
    
  • Reboot to flush the name-service caches:

    reboot
    
  • Check the correct connection to the domain:

    • The following 3 commands should return users, groups and AD account information as received by winbindd:

      wbinfo -u
      wbinfo -g
      wbinfo -i administrator
      
    • The following 2 commands should return users and groups with the UID/GID the Linux system has assigned to them. Make sure that you can see the users of the AD: administrator, krbtgt, etc.

      getent passwd administrator
      getent group "domain admins"
      

Creating network shares

mkdir /home/shares
chown administrator:"domain users" /home/shares
chmod 770 /home/shares