Setting up a Samba File Server on RedHat8 and derived distributions
Attention
This documentation is based on the RedHat8 distribution.
The Samba package version shipped with RedHat8 is sufficiently up to date to provide optimal file service, so there is no need to recompile Samba from source.
Note
In this documentation, it is assumed:
That you have installed the base system of your file server by following the base installation documentation, and that your server is called srvfiles.
That the IP address of your domain controller is 192.168.1.11.
That your domain is called mydomain.lan.
Modify the /etc/hosts file so that it contains the DNS resolution of the machine's FQDN to its real IP (i.e. not 127.0.0.1), with the long name first, then the short name.
Modify the /etc/resolv.conf file to point to the AD DNS (and modify the network-scripts file accordingly):
search mydomain.lan
domain mydomain.lan
nameserver 192.168.1.11
Hint
Adding domain mydomain.lan to the /etc/resolv.conf file is necessary because the winbind use default domain = yes option in smb.conf relies on it.
If this is not done, it causes the following problems:
The command net ads testjoin fails, saying it cannot find the domain controller.
The command chown userad1 myfile does not work.
wbinfo -u / -g / -i does not return any result.
Reboot the machine so it takes its new name into account:
reboot
Install the dependencies:
yum install samba samba-winbind samba-winbind-clients krb5-workstation
Joining the file server to the domain
Edit the /etc/krb5.conf file and replace its whole content with the lines below:
[libdefaults]
dns_lookup_realm = false
dns_lookup_kdc = true
default_realm = MYDOMAIN.LAN
Ensure that the DNS configuration in /etc/nsswitch.conf has not been modified by the installation of any package. If the hosts line looks like the first line below, change it to look like the second:
hosts: files dns mdns4_minimal [NOTFOUND=return] mdns #BAD!!!
hosts: files dns myhostname #GOOD
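The three name-resolution settings above (the FQDN-first entry in /etc/hosts, the domain line in /etc/resolv.conf, and a hosts line without mdns4_minimal in /etc/nsswitch.conf) are what winbind and the domain join depend on. The following shell script is an added example, not part of the original documentation: it checks each setting in a file passed as an argument, and runs itself against constructed copies using this page's names; the server IP 192.168.1.12 is an assumed sample value, since the page does not give it.

```shell
#!/bin/sh
# Added example, not part of the original documentation: checks for the three
# name-resolution settings this page says winbind depends on. Paths are passed
# as arguments, so the checks run against live files or constructed copies.

# /etc/hosts: the entry for the server's real IP must list the FQDN before the short name.
check_hosts() {  # check_hosts <hosts-file> <ip> <fqdn> <shortname>
    awk -v ip="$2" -v fqdn="$3" -v short="$4" \
        '$1 == ip && $2 == fqdn && $3 == short { ok = 1 } END { exit (ok ? 0 : 1) }' "$1"
}

# /etc/resolv.conf: "domain <dom>" is what winbind use default domain = yes relies on,
# and the nameserver must be the AD DNS.
check_resolv() {  # check_resolv <resolv-file> <domain> <dns-ip>
    grep -Eq "^domain[[:space:]]+$2[[:space:]]*\$" "$1" &&
    grep -Eq "^nameserver[[:space:]]+$3[[:space:]]*\$" "$1"
}

# /etc/nsswitch.conf: the hosts line must keep files and dns and must not contain
# mdns4_minimal [NOTFOUND=return], which stops lookups before reaching the AD DNS.
check_nsswitch_hosts() {  # check_nsswitch_hosts <nsswitch-file>
    line=$(grep '^hosts:' "$1") || return 1
    case "$line" in *mdns4_minimal*) return 1 ;; esac
    case "$line" in *files*dns*) return 0 ;; *) return 1 ;; esac
}

# Constructed sample files using this page's names (192.168.1.12 is an assumed server IP).
build_samples() {
    d=$(mktemp -d)
    printf '127.0.0.1 localhost\n192.168.1.12 srvfiles.mydomain.lan srvfiles\n' > "$d/hosts.good"
    printf '192.168.1.12 srvfiles srvfiles.mydomain.lan\n' > "$d/hosts.bad"   # short name first
    printf 'search mydomain.lan\ndomain mydomain.lan\nnameserver 192.168.1.11\n' > "$d/resolv.good"
    printf 'search mydomain.lan\nnameserver 192.168.1.11\n' > "$d/resolv.bad"  # domain line missing
    printf 'hosts: files dns myhostname\n' > "$d/nss.good"
    printf 'hosts: files dns mdns4_minimal [NOTFOUND=return] mdns\n' > "$d/nss.bad"
    echo "$d"
}

# Stand-alone run: report each sample as OK or BAD.
report() {  # report <label> <command...>
    label=$1; shift
    if "$@"; then echo "OK  $label"; else echo "BAD $label"; fi
}
dir=$(build_samples)
for f in good bad; do
    report "hosts.$f"  check_hosts "$dir/hosts.$f" 192.168.1.12 srvfiles.mydomain.lan srvfiles
    report "resolv.$f" check_resolv "$dir/resolv.$f" mydomain.lan 192.168.1.11
    report "nss.$f"    check_nsswitch_hosts "$dir/nss.$f"
done
```

To check the real server, call the functions on the live files, e.g. check_hosts /etc/hosts <server-ip> srvfiles.mydomain.lan srvfiles.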
Ensure that Kerberos is properly configured:
kinit administrator
klist
Configuration of the smb.conf
Depending on the ID mapping scheme used (RID or RFC2307 / AD), the file is different!
Create the Samba configuration file /etc/samba/smb.conf. Replace the name MYDOMAIN.LAN with your Kerberos realm.
RID based operation
You will usually use the RID configuration if you have migrated from an MS-AD or if you have created a new Samba-AD domain. You will usually use the RFC2307 configuration if you migrated from samba-NT4 to samba-AD. For more information, see the explanations on IDMapping.
RID mode:
[global]
workgroup = MYDOMAIN
security = ADS
realm = MYDOMAIN.LAN
winbind separator = +
idmap config *:backend = tdb
idmap config *:range = 700001-800000
idmap config MYDOMAIN:backend = rid
idmap config MYDOMAIN:range = 10000-700000
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
vfs objects = acl_xattr
map acl inherit = Yes
template homedir = /home/homes/%U
[shares]
path = /home/shares
read only = no
[homes]
path = /home/homes/%U
read only = no
[profiles]
path = /home/profiles
read only = no

RFC2307 mode:
[global]
workgroup = MYDOMAIN
security = ADS
realm = MYDOMAIN.LAN
idmap config *:backend = tdb
idmap config *:range = 700001-800000
idmap config MYDOMAIN:backend = ad
idmap config MYDOMAIN:schema_mode = rfc2307
idmap config MYDOMAIN:range = 500-700000
winbind nss info = rfc2307
vfs objects = acl_xattr
map acl inherit = Yes
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/homes/%U
[shares]
path = /home/shares
read only = no
[homes]
path = /home/homes/%U
read only = no
[profiles]
path = /home/profiles
read only = no
Note
If you do not want to use your file server as a print service, add the following options in the [global] section of the file /etc/samba/smb.conf:
printcap name = /dev/null
load printers = no
disable spoolss = yes
printing = bsd
Joining the file server to the domain
net ads join -U administrator
Configure the /etc/nsswitch.conf file, changing the following lines:
passwd: files sssd winbind
group: files sssd winbind
shadow: files sssd winbind
Enable and restart the services:
systemctl enable winbind smb
systemctl restart winbind
systemctl restart smb
Reboot in order to empty the nsswitch caches:
reboot
Check the correct connection to the domain:
The following three commands should return users, groups and AD account information as received by winbindd:
wbinfo -u
wbinfo -g
wbinfo -i administrator
The following two commands should return users and groups with their uidNumber as interpreted by the Linux system. Make sure that you can see the users of the AD: administrator, krbtgt, etc.
getent passwd administrator
getent group "domain admins"