CentOS: Setup Samba as an AD Domain Member

by Kliment Andreev

This post is a slight modification of the official wiki for setting up Samba as an AD Domain Member.

In my lab, I built a Windows 2012R2 domain controller/DNS and a CentOS 7.1 VM running Samba 4.2.10.
My Windows domain is kdomain.local and the NETBIOS name is MYDOMAIN. They are on the same subnet and the IP of the CentOS VM is in the DNS. Let’s verify the prerequisites before we install Samba. Make sure that everything checks out.

Check the hostname first.

hostname
centos7dd.kdomain.local

If you need to change the hostname, use hostnamectl set-hostname your_hostname.
Make sure your resolver points to a valid domain controller.

cat /etc/resolv.conf
search kdomain.local
nameserver 192.168.1.19

Check your IP.

ip addr show | grep inet
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
    inet 192.168.1.6/24 brd 192.168.1.255 scope global eno16777736

Check name resolution. dc03 is my domain controller; centos7dd is my CentOS member server, the one that I am configuring.

host -t A dc03.kdomain.local
dc03.kdomain.local has address 192.168.1.19
host -t A centos7dd.kdomain.local
centos7dd.kdomain.local has address 192.168.1.6

If you get an error that host is an unknown command, install bind-utils with yum install bind-utils. This step is optional, but make sure that all IPs and name resolution work correctly.
One more check, to make sure nothing is misconfigured in the /etc/hosts file.

getent hosts centos7dd
192.168.1.6     centos7dd.kdomain.local

Now it’s time to install samba.

yum install samba samba-devel samba-winbind samba-winbind-clients

Before you go further, you need to know what realm, NETBIOS name and workgroup mean in Samba terms. The names are somewhat misleading, as you can see from the Samba config file below. On the domain controller, open a command prompt and type:

set | find  "DOMAIN"
USERDNSDOMAIN=KDOMAIN.LOCAL
USERDOMAIN=MYDOMAIN
USERDOMAIN_ROAMINGPROFILE=MYDOMAIN

My domain is KDOMAIN.LOCAL and the NETBIOS domain name is MYDOMAIN. The hostname of my domain controller is DC03, but that’s irrelevant.
Find where the config file is stored.

smbd -b | grep CONFIGFILE
   CONFIGFILE: /etc/samba/smb.conf

Rename the original file to something else and create an empty smb.conf. Add the following lines to it.

[global]
        netbios name = centos7dd
        realm = KDOMAIN.LOCAL
        workgroup = MYDOMAIN
        security = ADS
        winbind enum groups = Yes
        winbind enum users = Yes
        winbind nss info = rfc2307
        idmap config * : range = 2000-9999
        idmap config * : backend = tdb
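Before running the join, it is worth checking the [global] section for the mistakes that most often break an AD member setup: a lower-case realm, a missing idmap backend, or an idmap range that overlaps UIDs already used by local accounts. The script below is an added example, not from the original post; it assumes POSIX sh with awk and tr, and takes the smb.conf path (and optionally a passwd file) as arguments.

```shell
#!/bin/sh
# Added example: sanity-check an AD member smb.conf before "net ads join".
# Assumes POSIX sh, awk and tr; PASSWD_FILE defaults to /etc/passwd.

# smbconf_get FILE SECTION KEY: print KEY's value inside [SECTION].
# Samba ignores case and whitespace in names, so "idmap config *:range"
# and "idmap config * : range" are treated as the same key.
smbconf_get() {
    awk -v want_sec="$2" -v want_key="$3" '
        function norm(s) { gsub(/[ \t]/, "", s); return tolower(s) }
        /^[ \t]*[;#]/ { next }
        /^[ \t]*\[/ { sec = norm($0); sec = substr(sec, 2, length(sec) - 2); next }
        index($0, "=") && sec == norm(want_sec) {
            key = $0; sub(/=.*/, "", key)
            if (norm(key) == norm(want_key)) {
                val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
                print val
            }
        }' "$1"
}

# check_ad_member_conf FILE [PASSWD_FILE]: print each problem, return 1 if any.
check_ad_member_conf() {
    conf=$1; passwd=${2:-/etc/passwd}; rc=0
    security=$(smbconf_get "$conf" global security | tr 'A-Z' 'a-z')
    realm=$(smbconf_get "$conf" global realm)
    workgroup=$(smbconf_get "$conf" global workgroup)
    backend=$(smbconf_get "$conf" global 'idmap config * : backend')
    range=$(smbconf_get "$conf" global 'idmap config * : range' | tr -d ' \t')
    [ "$security" = ads ] || { echo "security must be ADS, got '$security'"; rc=1; }
    # The realm is the Kerberos realm: it must be upper case or the join fails.
    [ -n "$realm" ] && [ "$realm" = "$(echo "$realm" | tr 'a-z' 'A-Z')" ] ||
        { echo "realm must be the upper-case AD DNS domain, got '$realm'"; rc=1; }
    [ -n "$workgroup" ] || { echo "workgroup (NetBIOS domain name) is missing"; rc=1; }
    [ -n "$backend" ] || { echo "idmap config * : backend is missing"; rc=1; }
    case $range in
    [0-9]*-[0-9]*)
        lo=${range%-*}; hi=${range#*-}
        [ "$lo" -lt "$hi" ] || { echo "idmap range '$range' is reversed"; rc=1; }
        # A domain SID mapped onto a UID a local account already owns would give
        # two identities the same files, so refuse ranges that overlap passwd.
        clash=$(awk -F: -v lo="$lo" -v hi="$hi" '$3 >= lo && $3 <= hi { printf "%s ", $1 }' "$passwd")
        [ -z "$clash" ] || { echo "idmap range $range overlaps local accounts: $clash"; rc=1; }
        ;;
    *) echo "idmap config * : range must be LOW-HIGH, got '$range'"; rc=1 ;;
    esac
    return $rc
}
```

Run it as check_ad_member_conf /etc/samba/smb.conf after writing the file; an empty output and exit status 0 mean the [global] section passed every check.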

Now, you can join the VM to the domain.

net ads join -U administrator
Enter administrator's password:
Using short domain name -- MYDOMAIN
Joined 'CENTOS7DD' to dns domain 'kdomain.local'

Let’s make sure that Samba starts now and on each boot.

systemctl start smb.service
systemctl start nmb.service
systemctl start winbind.service
systemctl enable smb.service
systemctl enable nmb.service
systemctl enable winbind.service

Make sure you get the domain users and groups back.

wbinfo -u
MYDOMAIN\administrator
MYDOMAIN\guest
MYDOMAIN\klimenta
MYDOMAIN\krbtgt
wbinfo -g
MYDOMAIN\winrmremotewmiusers__
MYDOMAIN\domain computers
MYDOMAIN\domain controllers
MYDOMAIN\schema admins
MYDOMAIN\enterprise admins
....

Now, edit /etc/nsswitch.conf and modify these three lines. Just add winbind after sss for the passwd, shadow and group entries, so they look like this. Don’t change the lines where it says #passwd: db files nisplus nis.

passwd:     files sss winbind
shadow:     files sss winbind
group:      files sss winbind

Now, run getent passwd and getent group. You should receive both local and domain users and groups as output.

Finally, if you have a firewall, add an exception for Samba services.

firewall-cmd --permanent --zone=public --add-service=samba
firewall-cmd --reload

At this point, you’ll have the OS fully configured as a domain member, but you still can’t log in to CentOS with a domain account. In order to do that, we’ll have to run authconfig-tui.

authconfig-tui

Make sure these options are set.

[screenshot bl01: authconfig-tui options]

…and these. You don’t have to join the domain here, just select OK.

[screenshot bl02: authconfig-tui options]

This utility will change a lot of files, especially those in the /etc/pam.d directory, and it will also change smb.conf. Restart the winbind service in order for these changes to take effect.

systemctl restart winbind.service

Make sure you have these lines in smb.conf.

template shell = /bin/sh
template homedir = /home/%D/%U

Reload Samba config.

systemctl reload smb.service

Because of the template homedir directive above, all home directories for the domain users will be under /home/MYDOMAIN (or whatever domain you have).
Finally, create the home dir and log in as the user.

mkdir -p /home/MYDOMAIN/klimenta
cd /home/MYDOMAIN
chown -R klimenta@kdomain.local klimenta

Now, you can log in as the domain user.

login as: klimenta@kdomain.local
klimenta@kdomain.local@192.168.1.6's password:
Last login: Wed Sep  7 11:08:10 2016 from 192.168.1.101
-bash-4.2$ pwd
/home/MYDOMAIN/klimenta

What if we want to share our home or some other folder on the CentOS server? We have to add a config change to the smb.conf file. I’ll explain how to share the home folder. If you want to share some other folder, make sure that the domain user has rights to that folder. In my case, I’ll have the domain user klimenta access the shared home folder for the domain user klimenta on the CentOS server. The permissions are already in place. Edit the /etc/samba/smb.conf file and add these lines at the end.

[share]
        comment = klimenta domain user share
        path =  /home/MYDOMAIN/klimenta
        valid users = klimenta@kdomain.local
        guest ok = no
        writable = yes
        browsable = yes

Restart both services.

systemctl restart smb.service
systemctl restart nmb.service

Now, from a Windows workstation go to \\ and you’ll see the folder opened with all the files in there.
