CentOS 6 SAMBA AD Member Server
This guide details the steps necessary to configure a SAMBA 3.5.10 member server on CentOS, RHEL or Scientific Linux in an existing Windows Active Directory domain. It is assumed that you have already installed a basic, functional server and configured details such as hostname, IP, DNS, timezone, etc.
I used the CentOS minimal ISO. I also performed a "yum update" and a reboot prior to commencing installation and configuration.
For the purposes of this guide, the environment details are as follows. You will need to substitute your own values as necessary:
- LAN subnet: 10.1.1.0/24
- AD domain: test.local
- DC name: prkdc1.test.local
- DC IP: 10.1.1.1
- SAMBA name: prkms1.test.local
- SAMBA IP: 10.1.1.2
Install the required packages:
yum install -y ntpdate samba samba-client samba-winbind krb5-workstation policycoreutils-python
The main prerequisites in any Active Directory environment are correct DNS configuration and correct time synchronisation. If either of these is incorrect you will be chasing your tail.
Edit /etc/resolv.conf and make sure the SAMBA server is querying DNS against your DC:
domain test.local
nameserver 10.1.1.1
You also need to synchronise the SAMBA server's time on a regular basis through crontab. I configure my SAMBA servers to synchronise time with the DC every 6hrs under the "root" user crontab:
crontab -e
# Add the following (runs ntpdate against the DC every 6 hours):
0 */6 * * * /usr/sbin/ntpdate 10.1.1.1 >/dev/null 2>&1
Perform an initial time synchronisation against your DC:
ntpdate 10.1.1.1
Edit /etc/samba/smb.conf to the following. Note that capitalisation is important:
[global]
   workgroup = TEST
   server string = Samba Server Version %v
   security = ads
   realm = TEST.LOCAL
   password server = 10.1.1.1
   domain master = no
   local master = no
   preferred master = no
   idmap backend = tdb
   idmap uid = 10000-99999
   idmap gid = 10000-99999
   idmap config TEST:backend = rid
   idmap config TEST:range = 10000-99999
   winbind separator = +
   winbind enum users = yes
   winbind enum groups = yes
   winbind use default domain = yes
   winbind nested groups = yes
   winbind refresh tickets = yes
   template homedir = /home/%D/%U
   template shell = /bin/bash
   client use spnego = yes
   client ntlmv2 auth = yes
   encrypt passwords = yes
   restrict anonymous = 2
   log file = /var/log/samba/log.%m
   max log size = 50

#============================ Share Definitions ==============================
[testshare]
   comment = Test share
   path = /samba/testshare
   read only = no
   valid users = @"TEST+Domain Users"
   force group = "Domain Users"
   directory mode = 0770
   force directory mode = 0770
   create mode = 0660
   force create mode = 0660
   # Hide share from users who don't have access
   access based share enum = yes
   # Hide files/directories if user doesn't have read access
   hide unreadable = yes
Edit /etc/krb5.conf to the following. Again, capitalisation is important:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = TEST.LOCAL
ticket_lifetime = 24h
forwardable = yes
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
Some SAMBA /etc/krb5.conf examples I have seen include [realms] and [domain_realm] stanzas specifying the KDC manually. I leave them out because Active Directory DNS publishes the Kerberos server details based on your AD site and domain controller topology. Configuring those settings manually could result in failure (if you ever removed the domain controller) or sub-optimal performance if you're not connecting to your closest domain controller.
You also need to update the following two lines in /etc/nsswitch.conf, appending "winbind" as follows:
passwd: files winbind
group: files winbind
Now you're ready to join the SAMBA server to the domain:
net ads join -U administrator
# Enter your TEST\administrator password when prompted
You should see a message saying the server was joined to the domain successfully. You will probably also see a message saying DNS could not be updated. At this point I manually create an "A" record on my DC pointing to the SAMBA server.
If the domain join fails, it is most likely due to incorrect DNS settings or time synchronisation on your SAMBA server. Double-check them.
Restart your SAMBA services:
service winbind restart
service nmb restart
service smb restart
At this point, your SAMBA server is a member of your AD domain and you should be able to list your AD users and groups with the following commands:
# List your AD users
wbinfo -u
# List your AD groups
wbinfo -g
If domain membership is operating correctly, you can update the firewall to allow other domain members to connect. Edit /etc/sysconfig/iptables and add the following lines before the icmp-reject-unreachable rule:
-A INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 135 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
Apply the new IPTables rules:
service iptables restart
If you don't add those rules before the unreachable rule, you'll probably waste a bit of time trying to work out why your AD clients can't connect to your SAMBA server. It's because you're firewalling them off.
Next we need to create the directory for the file share. Assuming you're storing your shares on their own mount point or just within their own /samba directory:
mkdir -p /samba/testshare
chmod 0770 /samba/testshare
chgrp "Domain Users" /samba/testshare
# Quote the pattern: semanage expects a regular expression, not a shell glob
semanage fcontext -a -t samba_share_t "/samba(/.*)?"
restorecon -R -v /samba
At this point you should be able to connect to the share from another AD member. If it fails, try restarting the services:
service winbind restart
service smb restart
service nmb restart
If you're not able to browse the SAMBA server, you need to confirm the following details:
- DNS is correct
- Time synchronisation (within 5mins for Kerberos)
- /etc/nsswitch.conf includes the "winbind" updates
- IPTables is allowing UDP - 137, 138 and TCP - 135, 139, 445
- You've set the correct SELinux context on your share directory. It should be "samba_share_t"
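The following POSIX shell script is an added pre-flight check, not part of the original guide: it automates the checklist above (time skew, nsswitch.conf, smb.conf, the iptables rule order) and, in its live run, looks up the _kerberos SRV record that AD DNS publishes, which is the reason given earlier for leaving [realms] out of krb5.conf. It assumes the guide's constructed values (realm TEST.LOCAL, DC 10.1.1.1), GNU sed, and that bind-utils provides host; the time check takes two epoch values so it can be fed from your own DC time query or tested offline.

```shell
#!/bin/sh
# Added pre-flight checker for the prerequisites listed above; not part of the
# original guide. Uses the guide's constructed environment values.
DC_IP=10.1.1.1
REALM=TEST.LOCAL
WORKGROUP=TEST
# Kerberos rejects tickets once clocks differ by more than 5 minutes.
# time_skew_ok <local_epoch> <dc_epoch>: succeeds if the gap is <= 300 s.
time_skew_ok() {
  d=$(( $1 - $2 )); [ "$d" -lt 0 ] && d=$(( -d ))
  [ "$d" -le 300 ]
}
# nsswitch_ok <file>: both passwd and group lines must list winbind.
nsswitch_ok() {
  grep -Eq '^passwd:.*[[:space:]]winbind([[:space:]]|$)' "$1" &&
  grep -Eq '^group:.*[[:space:]]winbind([[:space:]]|$)' "$1"
}
# smb_setting <file> <key>: print a value; keys are case-insensitive and
# whitespace around '=' is ignored, as smbd itself treats them (GNU sed 'I' flag).
smb_setting() {
  sed -n -E "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*(.*[^[:space:]])[[:space:]]*$/\1/Ip" "$1" | head -n1
}
# smb_conf_ok <file>: the settings the "net ads join" depends on.
smb_conf_ok() {
  [ "$(smb_setting "$1" security)" = ads ] &&
  [ "$(smb_setting "$1" realm)" = "$REALM" ] &&
  [ "$(smb_setting "$1" workgroup)" = "$WORKGROUP" ]
}
# iptables_ok <file>: every NetBIOS/SMB ACCEPT rule must precede the first
# REJECT in the INPUT chain, otherwise the reject wins and clients are blocked.
iptables_ok() {
  reject=$(grep -n -E '^-A INPUT .*-j REJECT' "$1" | head -n1 | cut -d: -f1)
  [ -n "$reject" ] || reject=999999
  for spec in "udp 137" "udp 138" "tcp 135" "tcp 139" "tcp 445"; do
    proto=${spec%% *}; port=${spec##* }
    line=$(grep -n -E "^-A INPUT .*-p $proto .*--dport $port .*-j ACCEPT" "$1" | head -n1 | cut -d: -f1)
    [ -n "$line" ] && [ "$line" -lt "$reject" ] || return 1
  done
}
# preflight: live run on the member server. The SRV lookup shows that AD DNS
# publishes the KDC, which is why [realms] can be left out of krb5.conf.
preflight() {
  host -t SRV "_kerberos._tcp.$REALM" "$DC_IP" >/dev/null && echo "DNS SRV: ok" || echo "DNS SRV: FAIL"
  nsswitch_ok /etc/nsswitch.conf && echo "nsswitch: ok" || echo "nsswitch: FAIL"
  smb_conf_ok /etc/samba/smb.conf && echo "smb.conf: ok" || echo "smb.conf: FAIL"
  iptables_ok /etc/sysconfig/iptables && echo "iptables: ok" || echo "iptables: FAIL"
}
if [ "${1:-}" = run ]; then preflight; fi
```

Run it as `sh preflight.sh run` on the SAMBA server after the join; each line that reports FAIL maps to one item of the checklist above.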
Comments
Escesc
2012-12-11
Finally a decent guide. Huge thanks.
BUT, stuff was unreadable at first ;)
code, pre {
display: block;
overflow: hidden;
background: black;
color: #EEE;
margin-top: 15px;
margin-bottom: 15px;
outline: 3px solid rgba(0, 0, 0, 0.03);
text-shadow: none;
}