Replacing Windows file servers with CentOS7, SSSD, and Samba

This is very much still a work in progress.

These are some miscellaneous notes on how I've gotten CentOS to host SMB shares over the network and use Active Directory to authenticate users to them.

Before going any further, get yourself a CentOS minimal install on whatever system you plan on using for your file server, run updates, and configure networking. Give your VM/container/server a hostname that makes sense; the hostname matters here because realm join derives the AD computer account and the Kerberos service principals from it, so renaming the box later means rejoining. Then grab a cup of coffee, open your favorite terminal emulator/SSH client, log in, and su yourself to root.

The quick route is to disable SELinux by setting SELINUX=disabled in /etc/sysconfig/selinux (this takes effect on the next reboot). Be aware of what you are giving up: SELinux is what confines smbd if it is ever compromised, so this trades host hardening for convenience.

vi /etc/sysconfig/selinux
SELINUX=disabled

If you want to keep SELinux enabled, you'll have to run

chcon -t samba_share_t /your_smb_share_dir

on every share you make. Two caveats: chcon only changes the label currently on disk, so a relabel (restorecon, or an autorelabel after a reboot) reverts it, and home directories under /home are not controlled by this label at all but by the samba_enable_home_dirs boolean.
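Keeping SELinux enforcing is the cheaper fix in the long run, and it does not need chcon on every share. The script below is an added example, not from the original post or from the hexblot guide it builds on: it records a persistent file context with semanage (from policycoreutils-python on CentOS 7), applies it with restorecon so it survives relabels, and turns on the samba_enable_home_dirs boolean, which is what actually governs shares under /home. The share path /srv/smb/team is a placeholder; run it as root with --apply followed by your share paths.

```shell
#!/bin/sh
# Added example (not from the original post): keep SELinux enforcing and give
# Samba the labels and booleans it needs, persistently, instead of disabling it.
# Assumes CentOS 7; /srv/smb/team below is a placeholder share path.
set -e

# Build the file-context spec semanage expects: the directory itself plus
# everything beneath it. A trailing slash is stripped so "/srv/smb/team/" and
# "/srv/smb/team" produce the same rule. (Paths containing regex
# metacharacters such as '.' would need escaping; plain paths do not.)
fcontext_spec() {
    dir=${1%/}
    printf '%s(/.*)?\n' "$dir"
}

# Shares under /home keep their user_home_t labels; they are opened up by the
# samba_enable_home_dirs boolean rather than by a relabel.
needs_home_boolean() {
    case "$1" in
        /home|/home/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Label one non-home share persistently. chcon alone is lost on the next
# relabel; semanage stores the rule in the local policy and restorecon
# applies it to what is on disk now.
label_share() {
    spec=$(fcontext_spec "$1")
    if ! semanage fcontext -l | grep -qF "$spec"; then
        semanage fcontext -a -t samba_share_t "$spec"
    fi
    restorecon -Rv "$1"
}

apply() {
    getenforce                              # expect Enforcing
    yum -y install policycoreutils-python   # provides semanage on CentOS 7
    setsebool -P samba_enable_home_dirs on  # -P makes it persistent
    for share in "$@"; do
        if needs_home_boolean "$share"; then
            echo "$share is covered by samba_enable_home_dirs"
        else
            label_share "$share"
        fi
    done
    # Verify: the label on disk for each share and the boolean state.
    for share in "$@"; do ls -Zd "$share"; done
    getsebool samba_enable_home_dirs
}

case "${1:-}" in
    --apply) shift; apply "$@" ;;
    *) echo "usage: $0 --apply /srv/smb/team [/other/share ...]" ;;
esac
```

After it runs, `ls -Zd` on each share should show samba_share_t, and `semanage fcontext -l | grep samba_share_t` lists the rules that will be reapplied on any future relabel.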

Install Samba and its friends

yum install realmd samba samba-common oddjob oddjob-mkhomedir sssd ntpdate ntp

Make sure Samba can talk through the firewall

firewall-cmd --permanent --add-service=samba
firewall-cmd --reload

Set up system time. Kerberos rejects tickets when the clock is more than a few minutes (five by default) off the domain controller's, so both the join and every later authentication depend on this step. Note that CentOS 7 minimal ships with chronyd enabled; stop and disable it before enabling ntpd, or the two will fight over UDP port 123 (or simply use chronyd instead).

systemctl enable ntpd.service
ntpdate yourdomaincontroller.yourdomain.tld
systemctl start ntpd.service

Some have noted that in order for things to work right you might need to add your DC as a server entry to /etc/ntp.conf; I have not yet needed to do this.

CentOS, meet Windows Active Directory

realm join --user=domainadmin@yourdomain.tld yourdomain.tld

Confirm that things went well and CentOS is joined to AD

realm list

If everything went well you should see output listing your domain. You can now use your favorite terminal emulator to SSH into your CentOS box using your AD login; it should look something like this:

ssh austin.janey@mydomain.com@your_centos_server

If that worked, you're good to go; if not, Google is your friend.

Before the next step you will need to log in to one of your domain controllers and create a security group that you'll specify in your Samba config; members of this AD group will be able to access the files in the file share.

Configuring Samba to play well with Windows file sharing
Time to edit /etc/samba/smb.conf:

sudo vi /etc/samba/smb.conf
[global]
workgroup = MYACTIVEDIRECTORYDOMAIN
server string = Samba Server Version %v
security = ads
encrypt passwords = yes
passdb backend = tdbsam
realm = MYDOMAIN.LOCAL

# in my test network I could not get AD authentication for smb shares to work 
# without adding "kerberos method = secrets and keytab"
kerberos method = secrets and keytab

# Add the IPs / network ranges / subnets allowed access to the server in general.
# This is not a necessary entry but in general a good idea.
# hosts allow = 127. your local network info

# log files split per-machine:
log file = /var/log/samba/log.%m

# enable the following line to debug:
# log level = 3
# maximum size of 50KB per log file, then rotate:
max log size = 50

# Not interested in printers
load printers = no
cups options = raw

# This stops an annoying message from appearing in logs
printcap name = /dev/null

# File shares. Under "valid users" I put a group: if you create a group for Samba in
# Active Directory and add users to it, those users will be able to access SMB
# shares from this server over the network.

[home directory]
comment = My shared folder
path = /home
public = no
writable = yes
guest ok = no
valid users = @"agroup@youraddomain.tld"

Make sure Samba is enabled

systemctl enable smb.service
systemctl start smb.service

Now that Samba is set up to share /home, you'll need to edit permissions on /home so users can reach their home folders. It's also worth noting that home folders are created by pam_oddjob_mkhomedir during a PAM login (ssh or su), not by an SMB connection, so you may need to su to each user once so the home folder is created, or have another way to create home folders automatically with the correct permissions.

chown root:adgroupyoumade@yourdomain.tld /home

This next part I feel could be tightened up permissions-wise; in Ubuntu the default permission for /home is 755, in CentOS it seems to be 700 by default.

chmod 775 /home

After configuring my CentOS install and setting up Samba to share out home folders this way, my permissions look like this:

drwxrwxr-x.   6 root domain users@mydomain.com  177 Oct 11 14:33 home
drwx------   3 austin.janey@mydomain.com   domain users@mydomain.com   215 Oct 11 17:05 austin.janey@mydomain.com

If you're concerned about the file permissions on a root directory being messed with, it's likely you have bigger issues. Since what Samba is sharing is only modifiable by the owner, this seems OK to me; this is not a server out on the internet, it should be behind a firewall and accessed by your users via a VPN or over the internal LAN. As such we are not hardening this server; it's in a trusted zone, and if we really want to protect access we should do that with something like ZeroTier One.

All that's left to do is test. From your SSH session as root on your CentOS 7 server, log in as an AD user; this will create a home folder for them.

su someadname@yourdomain.tld

Then try to hit that SMB share over the network. If all went well you should see a home folder named with the full AD username, your domain and all. You'll be able to see other users' home folders as well but not access them; Samba won't let you (which is perfect).

Something I've not yet figured out is how to stop someone who's authenticated from being able to write anything to the /home folder; I suspect that it has something to do with chmod 775 /home.
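The two loose ends of this post, the /home permissions and the open question just above, have one standard answer in Samba: the [homes] special section. smbd expands it at connect time into a share named after the connecting user and pointing at that user's own home directory, so the share path is no longer /home and nobody needs write access to /home itself. /home can then go back to 0755: with 775 and no sticky bit, every member of the group owning /home can create entries there and can rename other users' home directories, since renaming needs only write permission on the parent. The script below is an added example, not the post's or hexblot's configuration: it writes a [homes] share plus a group-gated [team] share to /etc/samba/shares.conf, includes that file from smb.conf, sets the /home mode, and validates with testparm. The group fileshare-users@yourdomain.tld and the path /srv/smb/team are placeholders, and the root preexec relies on /sbin/mkhomedir_helper from the pam package on CentOS 7 to create a home for users whose first contact with the box is over SMB.

```shell
#!/bin/sh
# Added example, not from the original post: per-user home shares via the
# [homes] special section, a group-gated team share, and /home locked to 0755.
# Placeholders (assumptions): AD group fileshare-users@yourdomain.tld and the
# team share path /srv/smb/team.
set -e

# Print the octal mode of a path (used for the final check).
mode_of() {
    stat -c %a "$1"
}

# /home itself: 0755, root-owned. Users traverse it to reach their own home
# (0700, as created by oddjob-mkhomedir) but cannot create, rename or delete
# entries in /home, which 775 without the sticky bit let every group member do.
lock_home_root() {
    chmod 0755 "$1"
}

# Write the share definitions. smbd expands [homes] at connect time into a share
# named after the connecting user, with the path taken from getent passwd, so no
# explicit path is given. %S is the share name, i.e. the username, so
# "valid users = %S" admits only that user; adding @group here would let every
# group member connect to everyone's home share, so the group gate goes on the
# team share instead.
write_shares() {
    conf=$1 group=$2 team_path=$3
    cat > "$conf" <<EOF
[homes]
    comment = Home directory of %S
    browseable = no
    writable = yes
    valid users = %S
    create mask = 0600
    directory mask = 0700
    # PAM's mkhomedir only runs on ssh/su logins; create the home for users
    # whose first contact is SMB (mkhomedir_helper ships with pam on CentOS 7).
    root preexec = /sbin/mkhomedir_helper %U 0077

[team]
    comment = Shared folder for $group
    path = $team_path
    browseable = yes
    writable = yes
    guest ok = no
    valid users = @"$group"
    force group = $group
    create mask = 0660
    directory mask = 2770
EOF
}

apply() {
    group=$1 team_path=$2
    mkdir -p "$team_path"
    chown "root:$group" "$team_path"
    chmod 2770 "$team_path"             # setgid: new files inherit the group
    lock_home_root /home
    write_shares /etc/samba/shares.conf "$group" "$team_path"
    # Pull the new file in from [global] once.
    if ! grep -qF 'include = /etc/samba/shares.conf' /etc/samba/smb.conf; then
        sed -i '/^\[global\]/a include = /etc/samba/shares.conf' /etc/samba/smb.conf
    fi
    testparm -s >/dev/null              # exits non-zero on a config error
    systemctl reload smb.service
    echo "/home mode is now $(mode_of /home)"
}

case "${1:-}" in
    --apply) shift; apply "$@" ;;
    *) echo "usage: $0 --apply GROUP@REALM /path/to/team/share" ;;
esac
```

Run it as root, for example `sh shares.sh --apply fileshare-users@yourdomain.tld /srv/smb/team`. Each user then connects to \\server\their.username (or to the team share); a user asking for someone else's home share name is refused by `valid users = %S` before any file permission is consulted, and nobody can write into /home itself any more. The author's `[home directory]` share of /home can be removed once this is in place.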

This guide is my notes, with some modifications that worked for me in my environment. I found the guide at hexblot very helpful and some of the commands are a direct copy and paste from their guide; the credit for this post goes to them. http://www.hexblot.com/blog/centos-7-active-directory-and-samba
