Home / How to configure a Samba server with SSSD in CentOS 7 or 8

How to configure a Samba server with SSSD in CentOS 7 or 8

The idmap sss module has some restrictions when used with CentOS 7. As a result, it is currently not advised to utilize the idmap sss module for Samba file servers registered with AD domains.

If you are configuring a CentOS 8 or above version, you must run the following command. The system must be rebooted to execute this command.

You must run the following command while configuring a CentOS 8 or higher version. The system must be rebooted to execute this command.

# update-crypto-policies --set DEFAULT:AD-SUPPORT

Login to the server as root user and install SSSD and Samba packages as follows.

# yum install realmd oddjob oddjob-mkhomedir sssd adcli samba samba-winbind krb5-workstation

Connect to the server using the realm command.

# realm  discover testlab.centos.com

# realm  join testlab.centos.com -U Administrator --client-software=sssd --membership-software=samba 

In /etc/sssd/sssd.conf. In the example [domain/testlab.centos.com] section. Add the following.

ad_update_samba_machine_account_password = True

Start SSSD service.

# systemctl stop sssd ; rm -f /var/lib/sss/db/* ; systemctl start sssd

Verify that AD user lookup and authentication are functioning correctly.

# id <AD Username>
# kinit <AD Username>
# klist

Install and remove packages.

# yum remove sssd-libwbclient
# yum install sssd-winbind-idmap

Configure /etc/samba/smb.conf file as follows.


    workgroup = TESTLAB
    security = ads
    kerberos method = secrets and keytab 
    template homedir = /home/%U
    idmap config * : backend = tdb
    idmap config * :  range = 10000-199999
    idmap config TESTLAB : backend = sss
    idmap config TESTLAB : range = 200000-2147483647
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes
    machine password timeout = 0 


    comment = Test Share
    path = /testshare
    read only = No
    valid users = <AD Username>

Start smb service.

# systemctl start smb

Create a test share directory.

# mkdir /testshare
# chcon -t samba_share_t /testshare
# chmod 770 /testshare
# chown <AD Username>:<GroupName> /testshare

Enable and start the samba service.

# systemctl enable smb ; systemctl enable winbind ; systemctl restart smb ; systemctl restart winbind

Enable samba in firewalld.

# firewall-cmd --add-service=samba
# firewall-cmd --add-service=samba --permanent

Check if Samba share access based on an AD user is functional.

# kinit <AD Username>
# smbclient -L `hostname` -k
# smbclient //`hostname`/test -k

In the steps above, replace every instance of "AD Username" or "GroupName" with the appropriate user name or group.

Leave a Reply