
How to configure a Samba server with SSSD in CentOS 7 or 8

The idmap sss module has some restrictions when used on CentOS 7. As a result, it is currently not recommended for Samba file servers joined to AD domains on that release.

If you are configuring CentOS 8 or a later version, you must run the following command. The system must be rebooted for the new crypto policy to take effect.

# update-crypto-policies --set DEFAULT:AD-SUPPORT

Log in to the server as the root user and install the SSSD and Samba packages as follows.

# yum install realmd oddjob oddjob-mkhomedir sssd adcli samba samba-winbind krb5-workstation

Discover and join the AD domain with the realm command.

# realm discover testlab.centos.com

# realm join testlab.centos.com -U Administrator --client-software=sssd --membership-software=samba

In /etc/sssd/sssd.conf, add the following to the domain section (in this example, [domain/testlab.centos.com]).

ad_update_samba_machine_account_password = True

Restart the SSSD service, clearing its cache so the new setting takes effect.

# systemctl stop sssd ; rm -f /var/lib/sss/db/* ; systemctl start sssd

Verify that AD user lookup and authentication are functioning correctly.

# id <AD Username>
# kinit <AD Username>
# klist

Swap the winbind client library for the SSSD idmap plugin: remove sssd-libwbclient and install sssd-winbind-idmap.

# yum remove sssd-libwbclient
# yum install sssd-winbind-idmap

Configure the /etc/samba/smb.conf file as follows.

[global]

    realm = TESTLAB.CENTOS.COM
    workgroup = TESTLAB
    security = ads
    kerberos method = secrets and keytab
    template homedir = /home/%U
    idmap config * : backend = tdb
    idmap config * : range = 10000-199999
    idmap config TESTLAB : backend = sss
    idmap config TESTLAB : range = 200000-2147483647
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes
    machine password timeout = 0

[test]

    comment = Test Share
    path = /testshare
    read only = No
    valid users = <AD Username>
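The idmap ranges in the [global] section above must not overlap: if the default (*) range and the TESTLAB range share any IDs, winbind can hand the same UID or GID to two different SIDs, which breaks ownership on the share. The following script is an added example, not part of the original article; it writes a constructed copy of the article's [global] section to a temporary file, extracts every "idmap config ... : range" line, and fails when two ranges overlap or when the domain's backend is not sss. The SMB_CONF environment variable is an assumption; set it to /etc/samba/smb.conf to check a real host before starting smb.

```shell
#!/bin/bash
# Added example (not from the original article): sanity-check idmap settings in
# an smb.conf before starting smb. SMB_CONF is an assumed variable; when unset,
# a constructed copy of the article's [global] section is checked instead.
set -u

# Write a constructed copy of the article's [global] idmap settings to "$1".
write_sample_conf() {
    cat > "$1" <<'EOF'
[global]
    realm = TESTLAB.CENTOS.COM
    workgroup = TESTLAB
    security = ads
    kerberos method = secrets and keytab
    idmap config * : backend = tdb
    idmap config * : range = 10000-199999
    idmap config TESTLAB : backend = sss
    idmap config TESTLAB : range = 200000-2147483647
EOF
}

# Print one "DOMAIN LOW HIGH" line per "idmap config DOMAIN : range = LOW-HIGH".
idmap_ranges() {
    awk -F'=' '
        $1 ~ /^[ \t]*idmap config .*:[ \t]*range[ \t]*$/ {
            split($1, a, ":")
            dom = a[1]
            sub(/^[ \t]*idmap config[ \t]*/, "", dom)
            sub(/[ \t]*$/, "", dom)
            rng = $2
            gsub(/[ \t]/, "", rng)
            split(rng, r, "-")
            print dom, r[1], r[2]
        }' "$1"
}

# Return 0 when no two idmap ranges in "$1" overlap, 1 otherwise.
# Overlapping ranges let winbind map different SIDs onto the same UID/GID.
check_idmap_ranges() {
    idmap_ranges "$1" | awk '
        { dom[NR] = $1; lo[NR] = $2; hi[NR] = $3 }
        END {
            rc = 0
            for (i = 1; i <= NR; i++)
                for (j = i + 1; j <= NR; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                        printf "overlap: %s (%d-%d) vs %s (%d-%d)\n",
                               dom[i], lo[i], hi[i], dom[j], lo[j], hi[j]
                        rc = 1
                    }
            exit rc
        }'
}

# Return 0 when domain "$2" in "$1" uses the sss idmap backend (the article's
# setup), 1 otherwise.
check_sss_backend() {
    grep -Eq "^[[:space:]]*idmap config $2[[:space:]]*:[[:space:]]*backend[[:space:]]*=[[:space:]]*sss[[:space:]]*$" "$1"
}

# Stand-alone run: check SMB_CONF if set, else the constructed sample.
conf="${SMB_CONF:-$(mktemp)}"
[ -s "$conf" ] || write_sample_conf "$conf"
if check_idmap_ranges "$conf" && check_sss_backend "$conf" TESTLAB; then
    echo "idmap settings in $conf look consistent"
fi
```

Run it as `SMB_CONF=/etc/samba/smb.conf ./check-idmap.sh` on the file server; `testparm` still has the final word on syntax, but it does not flag overlapping ranges, which is why this check is worth running separately.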

Start the smb service.

# systemctl start smb

Create the test share directory, label it for Samba under SELinux, and give it to the AD user and group that will use it.

# mkdir /testshare
# chcon -t samba_share_t /testshare
# chmod 770 /testshare
# chown <AD Username>:<GroupName> /testshare

Enable the smb and winbind services at boot and restart both.

# systemctl enable smb ; systemctl enable winbind ; systemctl restart smb ; systemctl restart winbind

Allow Samba through firewalld, both for the running configuration and permanently.

# firewall-cmd --add-service=samba
# firewall-cmd --add-service=samba --permanent

Verify that an AD user can list and open the Samba share using Kerberos authentication.

# kinit <AD Username>
# smbclient -L `hostname` -k
# smbclient //`hostname`/test -k

In the steps above, replace every instance of <AD Username> and <GroupName> with the appropriate AD user name and group.
