Samba File Server with Microsoft AD

How often do you wish you didn’t have to spin up a full-blown Windows File Server, but could instead spin up a minimal Linux Samba file server that uses Microsoft AD for authentication?

Spinning up a Linux file server running Samba and using MS Active Directory for authentication via Winbind is actually a lot easier than it seems.

In many circumstances, this is very fitting and provides a number of benefits over Windows Server.

Installing Fedora 27

First we’ll start at the beginning… installing Fedora 27 minimal followed by a few good practices.

  1. Install Fedora 27 via Net Install ISO.
  2. In Software Selection, select Minimal Install.
  3. In Network & Host Name, set the Host Name, then click Apply and Done.
  4. In Installation Destination, select Custom, then click Done.
    1. Verify LVM is selected.
    2. Click “Click here to create them automatically”.
      1. Verify / is XFS File System.
      2. Under Desired Capacity for /, type “65 GiB” (or appropriate for your needs) and then click the Update Settings button.
      3. Create a /home partition (verify it’s XFS) using the remaining space. Type “999999999999” in the capacity field, then click OK. It’ll automatically set it to the maximum available.
      4. Click Done, then click Accept Changes in the Summary of Changes window pop-up.
  5. Click Begin Installation.
  6. Set a Root Password, then click Done.
  7. Wait for installation to complete, then reboot.

Post Install

  1. Log in as root, and verify OS is up to date:
    dnf upgrade --refresh
  2. Fix Fedora MAC Address & DHCP Issue: (if using Windows DHCP services)
    echo "send dhcp-client-identifier = hardware;" >> /etc/dhcp/dhclient.conf

    1. Reboot to get reserved IP if desired.
  3. Create a new secure SSH key: (because the default is only 2048 bit)
    ssh-keygen -t rsa -b 4096 -C "root-tgserv-key"

    1. Hit enter for default location and name.
    2. Hit enter again to skip passphrase creation.
    3. Now you should SSH to server to continue.
  4. Install the following packages, then reboot:
    dnf install -y hyperv-daemons hyperv-tools cockpit cockpit-storaged policycoreutils-python-utils rsync tar unzip net-tools dnf-automatic
    
    1. Note: if you are not installing this on a Hyper-V hypervisor, exclude the following packages: hyperv-daemons hyperv-tools
  5. Configure Services:
    systemctl enable --now cockpit.socket
    
  6. Configure Firewall:
    firewall-cmd --add-service=cockpit --permanent
    firewall-cmd --reload
    
    1. Reboot now
  7. Configure automatic update settings, set the following in the below file:
    vi /etc/dnf/automatic.conf

    1. apply_updates = yes
    2. emit_via = email
    3. email_from = serveralerts@email.com
    4. email_to = it@email.com
    5. email_host = yourSMTPserver
  8. Configure automatic update schedule, change to the following in below file (to fit your update requirements):
    vi /usr/lib/systemd/system/dnf-automatic-install.timer

    1. OnUnitInactiveSec=6h
  9. Enable automatic update system timer:
    systemctl enable dnf-automatic-install.timer && systemctl start dnf-automatic-install.timer

    1. Verify timer is showing up after a reboot by the following command:
      systemctl list-timers

Install Packages

UPDATE 2018 May 16: SSSD broke with Samba ADS, and now produces the error pictured below. Due to this, I have re-written the guide to use Winbind instead. The updated method below is working on Fedora 27 and Fedora 28.

  1. Install Samba:
    dnf install -y samba
  2. Rename default samba configuration file:
    mv /etc/samba/smb.conf /etc/samba/smb.conf.old

    1. Realmd will automatically create an smb.conf file and configure Kerberos, Winbind, PAM, etc. when you join the domain later.
  3. Install Realmd and other dependencies:
    dnf install -y realmd oddjob-mkhomedir oddjob samba-winbind-clients samba-winbind samba-common-tools samba-winbind-krb5-locator

Configure System

This section details the steps to take, in order, to join Fedora 27 to the AD domain and configure Samba to use AD authentication.

Join Domain

  1. Join the domain:
    realm join --client-software=winbind yourDomain.com

    1. Type the Domain Admin password when prompted.
  2. Test to verify you’re now domain joined:
    id someUser@yourDomain.com

Create Shares

Create a place for the file shares to live:

  1. Create directory:
    mkdir /home/test
  2. Set directory ownership (appropriately to your needs, example below):
    chown administrator@yourDomain.com:"domain admins@yourDomain.com" /home/test
  3. Set permissions (appropriately to your needs, example below):
    chmod 0770 /home/test

Configure Samba

Some of the default settings realmd places into the [global] section have been deprecated. I recommend you use the following instead:

  1. Open and edit the following file:
    vi /etc/samba/smb.conf
  2. Paste in the following contents (a working example):
    [global]
    	kerberos method = system keytab
    	template homedir = /home/%U@%D
    	workgroup = DOMAIN
    	template shell = /bin/bash
    	security = ads
    	realm = DOMAIN.COM
    	server string = servername
    	encrypt passwords = yes
    	idmap config * : backend = tdb
    	idmap config * : range = 10000-2000000
    	idmap config DOMAIN.COM : schema_mode = rfc2307
    	winbind use default domain = no
    	winbind refresh tickets = yes
    	winbind offline logon = yes
    	winbind enum groups = no
    	winbind enum users = no
    	hosts allow = 192.168. 127. 172.
    	server min protocol = SMB2_10
    	log file = /var/log/samba/%m.log
    	max log size = 100
    	dns proxy = no
    	printing = cups
    	printcap name = cups
    	load printers = no
    	cups options = raw
    #	vfs objects = acl_xattr
    	map acl inherit = yes
    	store dos attributes = yes
    
    # [homes]
    	# comment = Home Directories
    	# valid users = %S, %D%w%S
    	# browseable = No
    	# read only = No
    	# inherit acls = Yes
    
    # [printers]
    	# comment = All Printers
    	# path = /var/tmp
    	# printable = Yes
    	# create mask = 0600
    	# browseable = No
    
    # [print$]
    	# comment = Printer Drivers
    	# path = /var/lib/samba/drivers
    	# write list = @printadmin root
    	# force group = @printadmin
    	# create mask = 0664
    	# directory mask = 0775
    
    [test]
    	path = /home/test
    	comment = Test Share
    	guest ok = no
    	browseable = yes
    	read only = no
    	inherit acls = yes
    	inherit permissions = yes
    	valid users = @"domain admins@yourDomain.com"
    	admin users = @"domain admins@yourDomain.com"
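
As an added example (not part of the original guide), the shell check below reads an smb.conf and flags the settings the configuration above deliberately avoids: an SMB1 dialect in server min protocol, anonymous mapping via map to guest, and shares with guest ok = yes. The two sample configs are constructed here for illustration and are not the page’s file.

```shell
# Constructed sample configs (not the page's smb.conf): a weak variant and a hardened one.
WEAK_CONF='[global]
	security = ads
	server min protocol = NT1
	map to guest = Bad User
[test]
	path = /home/test
	guest ok = yes
	read only = no
'
HARDENED_CONF='[global]
	security = ads
	server min protocol = SMB2_10
[test]
	path = /home/test
	guest ok = no
	valid users = @"domain admins@yourDomain.com"
'

# Strip comments and blank lines, trim whitespace, collapse "key = value" to "key=value", lower-case.
smb_normalise() {
  sed -e 's/[#;].*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
      -e '/^$/d' -e 's/[[:space:]]*=[[:space:]]*/=/' | tr '[:upper:]' '[:lower:]'
}

# Read an smb.conf on stdin and print one line per weak setting; prints nothing when clean.
smb_findings() {
  smb_normalise | awk -F= '
    /^\[/ { section = $0; next }
    { key = $1; val = $2 }
    section == "[global]" && key == "server min protocol" { minproto = val }
    section == "[global]" && key == "map to guest" && val != "never" {
      print "global: map to guest = " val " permits anonymous sessions" }
    section != "[global]" && key == "guest ok" && val == "yes" {
      print section ": guest ok = yes exposes the share without AD authentication" }
    END {
      # Anything below SMB2_02 is an SMB1 dialect; unset leaves the choice to the Samba default.
      if (minproto ~ /^(core|coreplus|lanman1|lanman2|nt1)$/)
        print "global: server min protocol = " minproto " still allows SMB1"
      else if (minproto == "")
        print "global: server min protocol is not set explicitly; pin it to SMB2_10 or higher"
    }'
}

# Number of findings, for scripting a pass/fail check (0 means clean).
smb_finding_count() { smb_findings | awk 'END { print NR }'; }

printf '%s' "$WEAK_CONF" | smb_findings
```

Run it against the live file with `smb_findings < /etc/samba/smb.conf` after sourcing the functions; a non-zero count from smb_finding_count is a convenient gate before `smbcontrol all reload-config`.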
Configure Services and Firewall

  1. Enable services:
    systemctl enable smb nmb
  2. Configure firewall:
    firewall-cmd --add-service=samba --permanent
    firewall-cmd --reload
  3. Configure SELinux:
    semanage fcontext -a -t samba_share_t "/home(/.*)?"
    restorecon -Rv /home/

Useful Commands

  1. testparm
  2. smbcontrol all reload-config
  3. service smb restart && service nmb restart
