Install winbind
yum install samba samba-winbind
Kerberos authentication
Create a backup of the krb5.conf file.
mv /etc/krb5.conf /etc/krb5.conf.org
vi /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
[libdefaults]
default_realm = CONTOSO.COM
dns_lookup_realm = false
dns_lookup_kdc = false
clock_skew = 300
ticket_lifetime = 24h
forwardable = yes
[realms]
CONTOSO.COM = {
kdc = DC.CONTOSO.COM
admin_server = DC.CONTOSO.COM
default_domain = CONTOSO.COM
}
Test the Kerberos connection to the DC (a successful kinit returns without printing anything)
kinit administrator
SMB configuration
Create a backup of the smb.conf file.
mv /etc/samba/smb.conf /etc/samba/smb.conf.org
vi /etc/samba/smb.conf
[global]
workgroup = CONTOSO
realm = CONTOSO.COM
load printers = no
preferred master = no
local master = no
server string = fileserver
password server = 10.0.0.2
encrypt passwords = yes
security = ADS
netbios name = storage
client signing = Yes
dns proxy = No
wins server = 10.0.0.2
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind separator = +
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
auth methods = winbind
template shell = /bin/false
interfaces = lo eth0 127.0.0.1 10.0.0.10
bind interfaces only = yes
#
acl compatibility = auto
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=262144 SO_SNDBUF=262144
getwd cache = yes
#
#log level = 1
Join the Samba server to the domain
kinit administrator
net ads join -U administrator
Start winbind
/etc/init.d/winbind start
/etc/init.d/winbind status
net rpc getsid
or
net rpc getsid -S CONTOSO.COM -U administrator
Edit /etc/nsswitch.conf and add wins so that host lookups also use WINS.
hosts: files dns wins
Check that winbind can list the domain users and groups
wbinfo -u
wbinfo -g
Now tell PAM that Samba requires authentication and account checks from winbind. Add the following lines to /etc/pam.d/samba
vi /etc/pam.d/samba
auth required /lib/security/pam_winbind.so
account required /lib/security/pam_winbind.so
Edit the /etc/nsswitch.conf file so that it looks like this:
vi /etc/nsswitch.conf
passwd: compat winbind
group: compat winbind
shadow: compat
Create a share.
First we need to create a folder. Note that the chmod 777 below makes it world-writable for every local account on the server; the valid users and write list settings in the share definition restrict SMB clients only, so tighten the directory mode if local users must not write there.
mkdir -p /data/share
chmod 777 /data/share
Mount filesystem
vi /etc/fstab
/dev/sda3 /data/share ext4 rw,acl,user_xattr 0 0
mount /data/share
# Or remount existing partition
#mount -o remount /data/share
Enable the SELinux share permission by relabelling the directory
chcon -R -t samba_share_t '/data/share'
Open the /etc/samba/smb.conf file and paste the following lines (note that accounts listed in admin users perform all file operations on the share as root, and public = yes is a synonym for guest ok, so review both against your access requirements):
vi /etc/samba/smb.conf
[share]
comment = share
read only = no
path = /data/share
hide files = /lost+found/
valid users = @"CONTOSO+domain users"
admin users = @"CONTOSO+Domain Admins", root , administrator
write list = @"CONTOSO+Domain Admins" , root , administrator
read list = @"CONTOSO+domain users"
available = yes
browseable = yes
public = yes
writable = yes
acl check permissions = Yes
acl group control = Yes
acl map full control = Yes
#acl map full control = no
force unknown acl user = No
dos filemode = no
inherit permissions = yes
store dos attributes = no
map archive = No
map hidden = No
map system = No
map readonly = No
nt acl support = Yes
map acl inherit = yes
profile acls = No
inherit owner = No
inherit acls = yes
acl group control = yes
vfs objects = acl_xattr
Restart the Samba service via:
/etc/init.d/samba restart
Test the new share. From your Windows box, browse to the Linux box via \\share
Debugging
SAMBA reset ACL on file or directory
Test the new share. From your Windows box, browse to the Linux box via \\share