This is very much still a work in progress.
These are some miscellaneous notes on how I've gotten CentOS to host SMB shares over the network and use Active Directory to authenticate users to them.
Before going any further, get yourself a CentOS minimal install on whatever system you plan to use for your file server, run updates, and configure networking (give your VM/container/server a hostname that makes sense). Grab a cup of coffee, open your favorite terminal emulator/SSH client, log in, and su to root.
Disable SELinux by setting SELINUX=disabled in /etc/sysconfig/selinux.
If you want to keep SELinux enabled, you'll have to run
chcon -t samba_share_t /your_smb_share_dir
on every share you make.
Install Samba and its friends
yum install realmd samba samba-common oddjob oddjob-mkhomedir sssd ntpdate ntp
Make sure Samba can talk through the firewall (--permanent only writes the saved config, so reload to apply it to the running firewall)
firewall-cmd --permanent --add-service=samba
firewall-cmd --reload
Set up system time
systemctl enable ntpd.service
systemctl start ntpd.service
Some have noted that in order for things to work right you might need to add your DC as a server entry to /etc/ntp.conf, I have not yet needed to do this.
CentOS, meet Windows Active Directory
realm join --firstname.lastname@example.org yourdomain.tld
Confirm that things went well and CentOS is joined to AD.
If everything went well you should see output that lists your domain. You can now use your favorite terminal emulator to SSH into your CentOS box using your AD login; it should look something like this:
If that worked you're good to go; if not, Google is your friend.
Before the next step you will need to log in to one of your domain controllers and create a security group that you'll specify in your Samba config; members of this AD group will be able to access the files in the file share.
Configuring Samba to play well with Windows file sharing
Time to edit /etc/samba/smb.conf
sudo vi /etc/samba/smb.conf
[global]
workgroup = MYACTIVEDIRECTORYDOMAIN
server string = Samba Server Version %v
security = ads
encrypt passwords = yes
passdb backend = tdbsam
realm = MYDOMAIN.LOCAL
# In my test network I could not get AD authentication for SMB shares to work
# without adding "kerberos method = secrets and keytab".
kerberos method = secrets and keytab
# Add the IPs / network ranges / subnets allowed access to the server in general.
# This is not a necessary entry but in general a good idea.
# hosts allow = 127. your local network info
# Log files split per machine:
log file = /var/log/samba/log.%m
# Enable the following line to debug:
# log level = 3
# Maximum size of 50KB per log file, then rotate:
max log size = 50
# Not interested in printers
load printers = no
cups options = raw
# This stops an annoying message from appearing in logs
printcap name = /dev/null
# File share. Under "valid users" I put a group: if you create a group for Samba in
# Active Directory and add users to it, those users will be able to access SMB
# shares from this server over the network.
# The section name below is a placeholder; the original share name was lost.
[shared]
comment = My shared folder
path = /home
public = no
writable = yes
guest ok = no
valid users = @"email@example.com"
Make sure Samba is enabled
systemctl enable smb.service
systemctl start smb.service
Now that Samba is set up to share /home, you'll need to edit permissions on /home so users can access their home folders. It's also worth noting that for those home folders to be created you may need to su to each user so the home folder is created, or have another way to automatically create their home folders with the correct permissions.
chown root:firstname.lastname@example.org /home
This next part I feel could be tightened up permissions-wise: in Ubuntu the default permission for /home is 755, in CentOS it seems to be 700 by default.
chmod 775 /home
After configuring my CentOS install and setting up Samba to share out home folders this way, my permissions look like:
drwxrwxr-x. 6 root domain email@example.com 177 Oct 11 14:33 home
drwx------ 3 firstname.lastname@example.org domain email@example.com 215 Oct 11 17:05 firstname.lastname@example.org
If you're concerned about the file permissions on a root directory being messed with, it's likely you have bigger issues. Since what Samba is sharing is only modifiable by the owner, this seems OK to me; this is not a server out on the internet, it should be behind a firewall and be accessed by your users via a VPN or over the internal LAN. As such we are not hardening this server: it's in a trusted zone, and if we really want to protect access we should do that with something like ZeroTier One.
All that's left to do is test. From your SSH session as root on your CentOS 7 server, log in as an AD user; this will create a home folder for them.
Then try to hit that SMB share over the network. If all went well you should see a home folder named with the full AD username, domain and all. You'll be able to see other users' home folders as well but not access them; Samba won't let you (which is perfect).
Something I've not yet figured out is how to stop someone who's authenticated from being able to write to the /home folder itself; I suspect that it has something to do with chmod 775 /home.
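As an added check (my own script, not part of the original notes or the hexblot guide), the following audits exactly the permissions discussed above: whether the share root lets the owning group create entries in it, which is what the group-write bit from chmod 775 grants, and whether each home directory under it is still private. It assumes GNU stat as shipped on CentOS 7; the function names are my own.

```shell
# Audit the share root and the home directories beneath it.
# Constructed example; run as: sh audit_home.sh /home

# Return 0 when DIR is writable by its group or by everyone else.
# With "chmod 775 /home" and the AD group owning /home, every member of
# that group can create files and directories directly in /home.
share_root_is_group_or_world_writable() {
    dir="$1"
    mode=$(stat -c '%a' "$dir") || return 2
    # 022 (octal) = group-write (020) | other-write (002)
    [ $(( 0$mode & 022 )) -ne 0 ]
}

# Print the number of directories directly under DIR that are more
# permissive than 700, i.e. readable, writable or traversable by group
# or others. Samba will hide other users' homes, but local logins won't.
count_exposed_home_dirs() {
    dir="$1"
    n=0
    for d in "$dir"/*/; do
        [ -d "$d" ] || continue
        mode=$(stat -c '%a' "$d")
        # 077 (octal) = any group or other permission bit
        [ $(( 0$mode & 077 )) -ne 0 ] && n=$((n + 1))
    done
    echo "$n"
}

# Drop the group-write bit on the share root: root (and oddjob-mkhomedir,
# which runs as root) can still create home directories, while group
# members can only traverse /home to reach their own directory.
fix_share_root() {
    chmod 755 "$1"
}

if [ -n "${1:-}" ]; then
    if share_root_is_group_or_world_writable "$1"; then
        echo "$1 is writable by its group or by others"
    fi
    echo "home dirs more permissive than 700: $(count_exposed_home_dirs "$1")"
fi
```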
This guide is my notes, with some modifications that worked for me in my environment. I found the guide at hexblot very helpful, and some of the commands are direct copy and paste from their guide; the credit for this post goes to them. http://www.hexblot.com/blog/centos-7-active-directory-and-samba