How often do you wish you didn’t have to spin up a full-blown Windows File Server, but could instead spin up a minimal Linux Samba file server that uses Microsoft AD for authentication?
Spinning up a Linux file server running Samba and using MS Active Directory for authentication via Winbind is actually a lot easier than it seems.
In many circumstances this is a good fit and provides a number of benefits over Windows Server.
Installing Fedora 27
First we’ll start at the beginning… installing Fedora 27 minimal followed by a few good practices.
- Install Fedora 27 via Net Install ISO.
- In Software Selection, select Minimal Install.
- In Network & Host Name, set the Host Name, then click Apply and Done.
- In Installation Destination, select Custom, then click Done.
- Verify LVM is selected.
- Click “Click here to create them automatically”.
- Verify / is XFS File System.
- Under Desired Capacity for /, type “65 GiB” (or appropriate for your needs) and then click the Update Settings button.
- Create a /home (verify it’s XFS) partition using the remaining space. Type “999999999999” in capacity field, then OK. It’ll automatically set it to the max available.
- Click Done, then click Accept Changes in the Summary of Changes window pop-up.
- Click Begin Installation.
- Set a Root Password, then click Done.
- Wait for installation to complete, then reboot.
Post Install
- Log in as root, and verify OS is up to date:
dnf upgrade --refresh
- Fix Fedora MAC Address & DHCP Issue: (if using Windows DHCP services)
echo "send dhcp-client-identifier = hardware;" >> /etc/dhcp/dhclient.conf
- Reboot to get reserved IP if desired.
- Create a new SSH key (the default is only 2048 bits):
ssh-keygen -t rsa -b 4096 -C "root-tgserv-key"
- Hit enter for default location and name.
- Hit enter again to skip passphrase creation.
- Now you should SSH to server to continue.
- Install the following packages, then reboot:
dnf install -y hyperv-daemons hyperv-tools cockpit cockpit-storaged policycoreutils-python-utils rsync tar unzip net-tools dnf-automatic
- Note: if you are not installing this on a Hyper-V hypervisor, exclude the following packages:
hyperv-daemons hyperv-tools
- Configure Services:
systemctl enable --now cockpit.socket
- Configure Firewall:
firewall-cmd --add-service=cockpit --permanent
firewall-cmd --reload
- Reboot now
- Configure the automatic update settings by setting the following in the file below:
vi /etc/dnf/automatic.conf
- apply_updates = yes
- emit_via = email
- email_from = serveralerts@email.com
- email_to = it@email.com
- email_host = yourSMTPserver
- Configure the automatic update schedule by changing the following in the file below (to fit your update requirements):
vi /usr/lib/systemd/system/dnf-automatic-install.timer
- OnUnitInactiveSec=6h
- Enable automatic update system timer:
systemctl enable dnf-automatic-install.timer && systemctl start dnf-automatic-install.timer
- Verify the timer shows up after a reboot with the following command:
systemctl list-timers
Install Packages
UPDATE 2018 May 16: SSSD broke with SAMBA ADS, and now produces the error shown below. Due to this, I have re-written the guide to use Winbind instead. The updated method below is working on Fedora 27 and Fedora 28.
NT_STATUS_NO_MEMORY
ERROR: failed to setup guest info
- Install Samba:
dnf install -y samba
- Rename default samba configuration file:
mv /etc/samba/smb.conf /etc/samba/smb.conf.old
- Realmd will automatically create an smb.conf file and configure Kerberos, Winbind, PAM, etc. later when you join the domain.
- Install Realmd and other dependencies:
dnf install -y realmd oddjob-mkhomedir oddjob samba-winbind-clients samba-winbind samba-common-tools samba-winbind-krb5-locator
Configure System
This section details the steps to take, in order, to join Fedora 27 to the AD domain and configure Samba to use AD authentication.
Join Domain
- Join the domain:
realm join --client-software=winbind yourDomain.com
- Type the Domain Admin password when prompted.
- Test to verify you’re now domain joined:
id someUser@yourDomain.com
Create Shares
Create a place for the file shares to live:
- Create directory:
mkdir /home/test
- Set directory ownership (appropriately to your needs, example below):
chown administrator@yourDomain.com:"domain admins@yourDomain.com" /home/test
- Set permissions (appropriately to your needs, example below):
chmod 0770 /home/test
Configure Samba
Some of the default settings REALMD places into the GLOBAL section have been deprecated. I recommend you follow the below:
- Open and edit the following file:
vi /etc/samba/smb.conf
- Paste in the following contents (a working example):
[global]
    kerberos method = system keytab
    template homedir = /home/%U@%D
    workgroup = DOMAIN
    template shell = /bin/bash
    security = ads
    realm = DOMAIN.COM
    server string = servername
    encrypt passwords = yes
    idmap config * : backend = tdb
    idmap config * : range = 10000-2000000
    idmap config DOMAIN.COM : schema_mode = rfc2307
    winbind use default domain = no
    winbind refresh tickets = yes
    winbind offline logon = yes
    winbind enum groups = no
    winbind enum users = no
    hosts allow = 192.168. 127. 172.
    server min protocol = SMB2_10
    log file = /var/log/samba/%m.log
    max log size = 100
    dns proxy = no
    printing = cups
    printcap name = cups
    load printers = no
    cups options = raw
    # vfs objects = acl_xattr
    # nt acl support = yes
    map acl inherit = yes
    store dos attributes = yes

# [homes]
#     comment = Home Directories
#     valid users = %S, %D%w%S
#     browseable = No
#     read only = No
#     inherit acls = Yes

# [printers]
#     comment = All Printers
#     path = /var/tmp
#     printable = Yes
#     create mask = 0600
#     browseable = No

# [print$]
#     comment = Printer Drivers
#     path = /var/lib/samba/drivers
#     write list = @printadmin root
#     force group = @printadmin
#     create mask = 0664
#     directory mask = 0775

[test]
    path = /home/test
    comment = Test Share
    guest ok = no
    browseable = yes
    read only = no
    inherit acls = yes
    inherit permissions = yes
    valid users = @"domain admins@yourDomain.com"
    admin users = @"domain admins@yourDomain.com"
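As an added example (not part of the original post), here is a small checker for the smb.conf above: it parses the INI-style file and flags the settings that matter most on a domain-joined file server, namely SMB1 still being allowed, a missing hosts allow list, shares with guest ok = yes, and shares without a valid users restriction. The sample configs, the check list and the share names are this example's own assumptions.

```python
# Added example, not from the original post: a lint for the smb.conf above that
# flags settings weakening a domain-joined file server. Checks are assumptions.
import re

def _norm(key):  # Samba ignores case and internal spaces in parameter names
    return re.sub(r"\s+", "", key.strip().lower())

def parse_smb_conf(text):
    """Return {section: {param: value}}; lines starting with '#' or ';' are comments."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            conf[section] = {}
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][_norm(key)] = value.strip()
    return conf

SMB1_DIALECTS = {"core", "coreplus", "lanman1", "lanman2", "nt1"}

def audit_smb_conf(text):
    """Return a list of (section, finding) tuples; an empty list means no findings."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    findings = []
    # An absent key is treated as a finding: Samba releases of the post's era default to SMB1
    if g.get("serverminprotocol", "nt1").lower() in SMB1_DIALECTS:
        findings.append(("global", "SMB1 dialects allowed by server min protocol"))
    if "hostsallow" not in g:
        findings.append(("global", "no hosts allow restriction"))
    for name, share in conf.items():
        if name in ("global", "printers", "print$"):
            continue
        if share.get("guestok", "no").lower() == "yes":
            findings.append((name, "guest ok = yes permits unauthenticated access"))
        if "validusers" not in share:
            findings.append((name, "no valid users list; any domain account may connect"))
    return findings

# Constructed samples: the key lines of the post's hardened config, and a weakened copy.
HARDENED = ("[global]\nsecurity = ads\nserver min protocol = SMB2_10\n"
            "hosts allow = 192.168. 127. 172.\n[test]\npath = /home/test\n"
            "guest ok = no\nvalid users = @\"domain admins@yourDomain.com\"\n")
WEAK = "[global]\nsecurity = ads\nserver min protocol = NT1\n[public]\npath = /srv/public\nguest ok = yes\n"
```

Note that a trailing-dot entry in hosts allow is a prefix match, so `172.` in the post's config admits every address beginning with 172, not only the private 172.16.0.0/12 range.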
Configure Services and Firewall
- Enable services:
systemctl enable smb nmb
- Configure firewall:
firewall-cmd --add-service=samba --permanent
firewall-cmd --reload
- Configure SELinux:
semanage fcontext -a -t samba_share_t "/home(/.*)?"
restorecon -Rv /home/
Useful Commands
- Check smb.conf for syntax errors and print the effective settings:
testparm
- Reload the configuration without restarting the services:
smbcontrol all reload-config
- Restart the Samba services:
service smb restart && service nmb restart