Howto/Integrating a Samba File Server With IPA

Provided by Loris Santamaria on the freeipa-users@redhat.com list.

Samba is a popular choice for a CIFS file server in Linux and Windows deployments, and thanks to SSSD v1.12.2+ now it is easier than ever to integrate a Samba file server in an IPA domain, with the usual goodies expected from IPA, such as Single Sign On and support for trusted Active Directory users.

NOTE: Only Kerberos authentication works when accessing Samba shares set up this way. Windows clients that are not joined to an Active Directory forest trusted by IPA will therefore not be able to access the shares. The reason is that SSSD cannot yet handle NTLMSSP authentication.

Requirements:

  • An IPA v3.3+ domain
  • A CentOS or RHEL 7 server, which will be configured as a Samba file server (Fedora 21 and RHEL7.1 are preferred)
  • Optionally, one trusted AD forest

NOTE: On the IPA masters, run ipa-adtrust-install so that they can handle the Samba-specific object classes and attributes. ipa-adtrust-install is part of the freeipa-server-trust-ad package in Fedora (ipa-server-trust-ad in RHEL 7 or CentOS).

IMPORTANT NOTE: On the Samba file server it is necessary to install sssd v1.12.2+, available in RHEL 7.1/CentOS 7.1 or Fedora 21. The packages sssd-libwbclient and libwbclient (from Samba) use alternatives to switch between the two libraries. Packaging can differ on other distributions, so this setup may not work there even with sssd-libwbclient v1.12+.

1) Install the required packages:

yum -y install ipa-client sssd-libwbclient samba samba-client

2) Join the file server to the IPA realm:

ipa-client-install --mkhomedir

NOTE: This step may fail shortly after creating the keytab and configuring sssd, because of the version mismatch between the IPA server (3.3) and the client (4.1). If it fails, complete the configuration manually:

authconfig --enablesssdauth --enablemkhomedir --update (on the samba file server)

ipa dnsrecord-add my.realm sambatest --a-rec=x.y.w.z (on ipa server)

3) On the IPA server, create the cifs service principal for Samba:

ipa service-add cifs/sambatest.my.realm

4) Install the keytab on the Samba file server:

ipa-getkeytab -s ipaserver.my.realm -p cifs/sambatest.my.realm -k /etc/samba/samba.keytab

5) Edit /etc/samba/smb.conf on the Samba file server:

[global]
        workgroup = MY
        realm = MY.REALM
        dedicated keytab file = FILE:/etc/samba/samba.keytab
        kerberos method = dedicated keytab
        log file = /var/log/samba/log.%m
        security = ads

[homes]
        browsable = no
        writable = yes

[shared]
        path = /home/shared
        writable = yes
        browsable = yes
        write list = @admins

6) To allow Samba to share home directories, enable the corresponding SELinux boolean:

setsebool -P samba_enable_home_dirs on

7) Restart Samba:

systemctl restart smb.service

Testing:

On another Linux member of the IPA domain, you can connect to the Samba shares with smbclient -k (Kerberos authentication):

kinit user@MY.REALM

smbclient -k -L sambatest.my.realm

smbclient -k //sambatest.my.realm/shared
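The following script is an added example; it is not part of the original howto nor code from the FreeIPA or Samba projects. It wraps steps 4 to 7 and the smbclient test above in shell functions so each piece can be checked on its own. The host names ipaserver.my.realm and sambatest.my.realm, the realm MY.REALM, the workgroup MY and the keytab path are the howto's own placeholders; the function names (render_smb_conf, check_keytab_perms, check_keytab_principal, deploy, smoke_test) and the RUN_DEPLOY/RUN_SMOKE_TEST switches are assumptions of this example. It adds two checks the howto leaves implicit: the keytab must not be readable by group or world, because anyone who can read it holds the file server's Kerberos key, and testparm is run before smbd is restarted so a broken smb.conf never takes the service down. deploy assumes it is run as root on the file server after steps 1 to 3.

```shell
#!/bin/sh
# Added example, not part of the original howto. Wraps steps 4-7 and the
# smbclient check in functions. IPA_SERVER, SAMBA_HOST, REALM and WORKGROUP
# are the howto's placeholder names; KEYTAB is the path from step 4.
IPA_SERVER="${IPA_SERVER:-ipaserver.my.realm}"
SAMBA_HOST="${SAMBA_HOST:-sambatest.my.realm}"
REALM="${REALM:-MY.REALM}"
WORKGROUP="${WORKGROUP:-MY}"
KEYTAB="${KEYTAB:-/etc/samba/samba.keytab}"

# Step 5: print the smb.conf from the howto with the site values filled in.
render_smb_conf() {
    cat <<EOF
[global]
        workgroup = $WORKGROUP
        realm = $REALM
        dedicated keytab file = FILE:$KEYTAB
        kerberos method = dedicated keytab
        log file = /var/log/samba/log.%m
        security = ads

[homes]
        browsable = no
        writable = yes

[shared]
        path = /home/shared
        writable = yes
        browsable = yes
        write list = @admins
EOF
}

# The keytab holds the cifs service's long-term Kerberos key. Anyone who can
# read it can impersonate the file server, so it must carry no group or
# world permission bits at all. Returns 0 when the file passes.
check_keytab_perms() {
    kt="$1"
    [ -f "$kt" ] || { echo "keytab $kt is missing" >&2; return 1; }
    # Characters 5-10 of "ls -l" output are the group and other bits.
    perms=$(ls -ld "$kt" | cut -c5-10)
    [ "$perms" = "------" ] || {
        echo "keytab $kt is readable by group/other ($(ls -ld "$kt" | cut -c1-10))" >&2
        return 1
    }
}

# Confirm the keytab really contains this host's cifs principal (steps 3-4).
check_keytab_principal() {
    klist -k "$1" 2>/dev/null | grep -q "cifs/$SAMBA_HOST@$REALM"
}

# Steps 4-7 on the Samba file server, run as root.
deploy() {
    ipa-getkeytab -s "$IPA_SERVER" -p "cifs/$SAMBA_HOST" -k "$KEYTAB"
    chmod 600 "$KEYTAB"
    check_keytab_perms "$KEYTAB"
    check_keytab_principal "$KEYTAB"
    render_smb_conf > /etc/samba/smb.conf
    # testparm rejects a broken smb.conf before smbd ever loads it.
    testparm -s /etc/samba/smb.conf > /dev/null
    setsebool -P samba_enable_home_dirs on
    systemctl restart smb.service
}

# Testing section: from another IPA-enrolled Linux host, with a ticket from
# "kinit user@$REALM" already in the cache, list the shares and open "shared"
# using Kerberos only (-k). An empty listing or NT_STATUS_ACCESS_DENIED points
# at a wrong cifs principal or keytab on the server.
smoke_test() {
    smbclient -k -L "$SAMBA_HOST" && smbclient -k "//$SAMBA_HOST/shared" -c 'ls'
}

if [ "${RUN_DEPLOY:-0}" = 1 ]; then deploy; fi
if [ "${RUN_SMOKE_TEST:-0}" = 1 ]; then smoke_test; fi
```

Run it as `RUN_DEPLOY=1 sh samba-ipa.sh` on the file server and `RUN_SMOKE_TEST=1 sh samba-ipa.sh` on the client; sourcing the file without either switch only defines the functions, which is convenient for checking an existing keytab with `check_keytab_perms /etc/samba/samba.keytab`.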

On a Microsoft Windows machine that is a member of a trusted AD domain, you can connect to the Samba shares by typing the following in the Windows Explorer location bar:

\\sambatest.my.realm

Also, if the AD user is a (possibly indirect) member of the IPA admins group, then thanks to the trust relationship and the write list = @admins line in the sample smb.conf above, that user may have write access to the \shared folder.