Learn how to integrate Linux SMB file servers with Active Directory for seamless Windows authentication.
Introduction
After many days of configuration and internet research, I couldn’t find anything that covered all the information needed to integrate this type of configuration into a system. My current job, for example, absolutely requires centralized SSSD across all Linux servers, so below is the configuration I managed to implement on both RedHat 8 and OpenSUSE 15.6.
Architecture Overview
The solution combines several components:
- Samba - SMB/CIFS file server
- SSSD - System Security Services Daemon for AD integration
- Kerberos - Authentication protocol
- realmd - Domain join utility
Prerequisites
System Requirements
- Red Hat/CentOS/Rocky Linux 8+ or Ubuntu 20.04+
- Network connectivity to Active Directory Domain Controllers
- DNS resolution properly configured
- NTP/Chrony for time synchronization
Required Information
- Domain name: company.com
- Domain Controller: dc1.company.com
- Domain admin account with join privileges
- Target OU for computer objects (optional)
Step 1: Package Installation
RHEL/CentOS/Rocky Linux
```bash
# Install required packages
sudo dnf install -y realmd sssd oddjob oddjob-mkhomedir adcli \
    samba-common-tools krb5-workstation chrony samba samba-client \
    cifs-utils policycoreutils-python-utils

# Enable and start services
# (if sssd fails to start at this point, that is expected: it needs the
#  /etc/sssd/sssd.conf that realm join writes in Step 4)
sudo systemctl enable --now chronyd
sudo systemctl enable --now sssd
```

Ubuntu/Debian

```bash
# Update package list
sudo apt update

# Install required packages (the Debian name of the client package is smbclient)
sudo apt install -y realmd sssd sssd-tools libnss-sss libpam-sss \
    adcli samba-common-bin krb5-user chrony samba smbclient \
    cifs-utils policycoreutils-python-utils

# Enable and start services
sudo systemctl enable --now chrony
sudo systemctl enable --now sssd
```

Step 2: DNS and Time Configuration
DNS Configuration
```bash
# Verify DNS resolution
dig company.com
dig _ldap._tcp.company.com SRV

# Find domain controllers
dig +short NS company.com
```

Edit /etc/resolv.conf:

```bash
sudo nano /etc/resolv.conf
```

```
# Primary DC IP
nameserver 192.168.1.10
# Secondary DC IP (optional)
nameserver 192.168.1.11
search company.com
domain company.com
```

On hosts where NetworkManager or systemd-resolved manages /etc/resolv.conf, set the DNS servers there instead; direct edits to the file are overwritten.

Time Synchronization

```bash
# Configure chrony to sync with domain controllers
sudo nano /etc/chrony.conf
```

Add/modify:

```
server dc1.company.com iburst prefer
server dc2.company.com iburst
```

```bash
# Restart and verify
sudo systemctl restart chronyd
chronyc sources -v
timedatectl status
```

Step 3: Kerberos Configuration
```bash
# Create Kerberos configuration
sudo nano /etc/krb5.conf
```

```ini
[libdefaults]
    default_realm = COMPANY.COM
    dns_lookup_kdc = true
    dns_lookup_realm = false
    rdns = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    udp_preference_limit = 0

[realms]
    COMPANY.COM = {
        kdc = dc1.company.com
        admin_server = dc1.company.com
        default_domain = company.com
    }

[domain_realm]
    .company.com = COMPANY.COM
    company.com = COMPANY.COM

[logging]
    kdc = FILE:/var/log/krb5/krb5kdc.log
    admin_server = FILE:/var/log/krb5/kadmind.log
    default = SYSLOG:NOTICE:DAEMON
```

Test Kerberos

```bash
# Test authentication: obtain a ticket as a domain user, inspect it, then discard it
kinit administrator@COMPANY.COM
klist
kdestroy
```

Step 4: Domain Join with realmd
Discover Domain
```bash
# Discover the domain
sudo realm discover company.com
```

Join Domain

```bash
# Join domain with SSSD and Samba integration
sudo realm join company.com -U administrator \
    --client-software=sssd \
    --membership-software=samba
```

Verify Join

```bash
# Check realm status
sudo realm list

# Verify computer account
sudo net ads testjoin
```

Step 5: SSSD Configuration
```bash
# Edit SSSD configuration
sudo nano /etc/sssd/sssd.conf
```

```ini
[sssd]
enable_files_domain = true
domains = company.com
config_file_version = 2
services = nss, pam

[domain/local]
id_provider = files

[domain/company.com]
# Basic AD configuration
ad_domain = company.com
krb5_realm = COMPANY.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
ad_update_samba_machine_account_password = True

# User/Group formatting
full_name_format = %3$s\%1$s
use_fully_qualified_names = False
fallback_homedir = /home/%u
default_shell = /bin/bash

# ID mapping (disable for consistent UIDs across servers; this requires
# uidNumber/gidNumber to be populated on the AD user and group objects)
ldap_id_mapping = False

# Kerberos settings
krb5_store_password_if_offline = True

# Access control (example principals; substitute the groups and users of your domain)
access_provider = simple
simple_allow_groups = linuxadmins@company.com, dataaccess@company.com
simple_allow_users = administrator@company.com

# Performance tuning
enumerate = False
cache_first = True
```

Set permissions and restart

```bash
sudo chmod 600 /etc/sssd/sssd.conf
sudo systemctl restart sssd
sudo systemctl enable sssd
```

Step 6: NSS Configuration
The nsswitch.conf should include both sss and winbind:

```bash
sudo nano /etc/nsswitch.conf
```

Key lines should look like:

```
passwd:   files sss winbind
group:    files sss winbind
shadow:   files sss
netgroup: sss files
```

Step 7: Samba Configuration
Create Samba configuration
```bash
sudo nano /etc/samba/smb.conf
```

```ini
[global]
    # Domain settings
    realm = COMPANY.COM
    workgroup = COMPANY
    security = ads

    # Kerberos configuration
    kerberos method = secrets and keytab
    dedicated keytab file = /etc/krb5.keytab

    # Logging
    log file = /var/log/samba/log.%m
    log level = 2

    # VFS and ACL support
    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes

    # User mapping
    template homedir = /home/%U
    template shell = /bin/bash

    # ID mapping configuration
    idmap config * : backend = tdb
    idmap config * : range = 10000-199999
    idmap config COMPANY : backend = sss
    idmap config COMPANY : range = 200000-2147483647

    # Security settings
    client signing = mandatory
    server signing = mandatory

    # Performance
    socket options = TCP_NODELAY IPTOS_LOWDELAY

# Example share configuration
[shared]
    path = /srv/shared
    read only = no
    browsable = yes
    force group = linuxadmins
    create mask = 0664
    directory mask = 0775

[data]
    path = /srv/data
    read only = no
    browsable = yes
    force group = dataaccess
    create mask = 0660
    directory mask = 0770

[homes]
    comment = Home Directories
    browsable = no
    read only = no
    create mask = 0700
    directory mask = 0700
```

Create share directories
```bash
# Create dirs
sudo mkdir -p /srv/shared /srv/data

# Set permissions
sudo chgrp linuxadmins /srv/shared
sudo chmod 775 /srv/shared
sudo chgrp dataaccess /srv/data
sudo chmod 770 /srv/data

# Set SELinux contexts (RHEL/CentOS)
# samba_export_all_rw lets smbd write to any path regardless of its label;
# labelling only the share directories samba_share_t (below) is the least-privilege choice
sudo setsebool -P samba_export_all_ro=1 samba_export_all_rw=1
sudo semanage fcontext -a -t samba_share_t "/srv/shared(/.*)?"
sudo semanage fcontext -a -t samba_share_t "/srv/data(/.*)?"
sudo restorecon -R /srv/shared /srv/data
```

Step 8: Join Samba to Domain
Alternative join method with net command
```bash
# Join using net command (alternative to realm join)
sudo net ads join -U administrator

# Verify join
sudo net ads testjoin
# Should return: Join is OK
```

Test authentication

```bash
# Test user lookup
id testuser
getent passwd testuser

# Test group lookup
getent group linuxadmins
```

Step 9: Service Management and Testing
Start Samba services
```bash
sudo systemctl enable --now smb winbind
sudo systemctl status smb winbind
```

Test SMB shares

```bash
# List shares
smbclient -L localhost -U testuser

# Test access to share
smbclient //localhost/shared -U testuser -c 'ls'

# From Windows client
# \\linux-server\shared
```

Step 10: Troubleshooting and Maintenance
Cache Management
```bash
# Clear SSSD cache
sudo sss_cache -E
sudo systemctl restart sssd

# Clear Samba cache
sudo net cache flush

# Remove Samba TDB files (if corruption suspected)
# This also discards the tdb-backed '*' idmap allocations; take a tdbbackup first
sudo systemctl stop smb winbind
sudo rm -f /var/lib/samba/*.tdb
sudo systemctl start winbind smb
```

Log Analysis

```bash
# SSSD logs
sudo tail -f /var/log/sssd/sssd_company.com.log

# Samba logs
sudo tail -f /var/log/samba/log.smbd

# Enable debug logging in SSSD
sudo nano /etc/sssd/sssd.conf
# Add: debug_level = 9 in the [domain/company.com] section
sudo systemctl restart sssd
```

Connection Testing

```bash
# Test AD connectivity
sudo net ads info

# Test user authentication through winbind
wbinfo -a 'COMPANY\testuser'

# Test group membership
getent group linuxadmins

# Keys held in the machine keytab (these are keys, not tickets)
sudo klist -k /etc/krb5.keytab
```

Performance Monitoring

```bash
# Monitor active SMB connections
sudo smbstatus

# Check winbind status
sudo wbinfo -t   # Trust secret
sudo wbinfo -u   # List users
sudo wbinfo -g   # List groups
```

Advanced Configuration
User and Group Mapping
```bash
# Map Windows groups to Linux groups
sudo net groupmap add ntgroup="Domain Admins" unixgroup=wheel type=domain

# List current mappings
sudo net groupmap list
```

Share-level Permissions

```ini
# Advanced share configuration
[finance]
    path = /srv/finance
    read only = no
    browsable = yes
    force group = finance
    create mask = 0640
    directory mask = 0750
    veto files = /*.mp3/*.avi/*.mpg/
    hide unreadable = yes
```

Security Considerations
Firewall Configuration
```bash
# Open required ports
# (the firewalld samba service already includes 445/tcp and 139/tcp;
#  the two explicit port rules are redundant with it)
sudo firewall-cmd --permanent --add-service=samba
sudo firewall-cmd --permanent --add-port=445/tcp
sudo firewall-cmd --permanent --add-port=139/tcp
sudo firewall-cmd --reload
```

SELinux Configuration (RHEL/CentOS)

```bash
# Required SELinux booleans
# samba_domain_controller is only needed when the host itself acts as a domain
# controller; a member server like this one can leave it off
sudo setsebool -P samba_domain_controller=on
sudo setsebool -P use_samba_home_dirs=on
sudo setsebool -P samba_enable_home_dirs=on

# Check SELinux status
sudo getsebool -a | grep samba
```

Regular Maintenance Tasks
```bash
# Create maintenance script
sudo nano /usr/local/bin/samba-maintenance.sh
```

```bash
#!/bin/bash
# Samba/AD maintenance script

# Refresh machine account password
net ads changetrustpw

# Clear old cache entries
sss_cache -E

# Backup TDB files
tdbbackup /var/lib/samba/*.tdb

# Check domain trust
net ads testjoin

echo "Maintenance completed: $(date)"
```

```bash
sudo chmod +x /usr/local/bin/samba-maintenance.sh

# Add to crontab (weekly maintenance)
# Append to root's existing crontab; piping only the new line into `crontab -` would replace it
( sudo crontab -l 2>/dev/null; echo "0 2 * * 0 /usr/local/bin/samba-maintenance.sh >> /var/log/samba-maintenance.log 2>&1" ) | sudo crontab -
```

Common Issues and Solutions
Issue: “NT_STATUS_ACCESS_DENIED” errors
```bash
# Check user permissions
id testuser
ls -ld /srv/shared

# Verify share configuration
sudo testparm -s

# Check SELinux contexts
ls -Z /srv/shared
```

Issue: Users not resolving

```bash
# Clear cache and restart services
sudo sss_cache -E
sudo systemctl restart sssd winbind

# Check NSS configuration
grep -E '^(passwd|group):' /etc/nsswitch.conf
getent passwd testuser
```

Issue: Authentication failures

```bash
# Check Kerberos tickets
klist

# Verify time sync
chronyc sources -v

# Check domain trust
sudo net ads testjoin
```

Conclusion
This setup provides robust SMB/CIFS file sharing with Active Directory authentication. The combination of SSSD for user resolution and Samba for file services offers excellent performance and reliability. Regular maintenance and monitoring ensure continued operation in enterprise environments.
Key benefits of this configuration:
- Seamless Windows integration
- Centralized user management
- Kerberos SSO support
- Scalable for large environments
- Comprehensive logging and monitoring
Remember to regularly update your systems and monitor the logs for any authentication or connectivity issues.
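As an added check that ties Step 5 and Step 7 together (example code, not part of the original post): a POSIX sh audit that reads an sssd.conf and an smb.conf and flags a domain section with no access_provider (or a simple provider whose allow lists are both empty, which lets every domain user log in), a `*` tdb idmap range that overlaps the COMPANY range, and a uidNumber from AD that falls outside the COMPANY range, which the idmap configuration then does not cover. The two config samples are constructed here with hypothetical values; on a live host point it at the real files, or at `testparm -s` output for smb.conf.

```shell
# Added audit for the Step 5 / Step 7 settings; the constructed samples below stand in
# for /etc/sssd/sssd.conf and /etc/samba/smb.conf (values are hypothetical).
SSSD_SAMPLE=$(mktemp); SMB_SAMPLE=$(mktemp)
cat >"$SSSD_SAMPLE" <<'EOF'
[domain/company.com]
id_provider = ad
ldap_id_mapping = False
access_provider = simple
simple_allow_groups = linuxadmins@company.com, dataaccess@company.com
EOF
cat >"$SMB_SAMPLE" <<'EOF'
[global]
   idmap config * : range = 10000-199999
   idmap config COMPANY : backend = sss
   idmap config COMPANY : range = 200000-2147483647
EOF

ini_get() {  # ini_get <file> <section> <key>: print the value of key inside [section]
    awk -v sec="$2" -v key="$3" -F'=' '
        { gsub(/^[ \t]+|[ \t]+$/, "") }
        /^\[/ { insec = ($0 == ("[" sec "]")); next }
        insec && NF >= 2 { k = $1; sub(/[ \t]+$/, "", k)
            if (k == key) { v = $0; sub(/^[^=]*=[ \t]*/, "", v); print v; exit } }' "$1"
}

# audit_ad_file_server <sssd.conf> <smb.conf> <ad_domain> <WORKGROUP> <uidNumber>
# Returns 0 when access is restricted, the idmap ranges are disjoint and the uid lies
# inside the domain range; 1 on any finding; 2 when an idmap range is missing.
audit_ad_file_server() {
    rc=0
    prov=$(ini_get "$1" "domain/$3" access_provider)
    case "$prov" in
        "") echo "no access_provider in [domain/$3]: every AD user may log in"; rc=1 ;;
        simple)
            allow="$(ini_get "$1" "domain/$3" simple_allow_groups)$(ini_get "$1" "domain/$3" simple_allow_users)"
            [ -n "$allow" ] || { echo "simple provider with empty allow lists permits everyone"; rc=1; } ;;
    esac
    star=$(ini_get "$2" global "idmap config * : range")
    dom=$(ini_get "$2" global "idmap config $4 : range")
    set -- "$5" $(echo "$star $dom" | tr '-' ' ')   # $1=uid  $2-$3='*' range  $4-$5=domain range
    [ $# -eq 5 ] || { echo "missing idmap range for '*' or the domain"; return 2; }
    if [ "$2" -le "$5" ] && [ "$4" -le "$3" ]; then
        echo "idmap ranges overlap: '*' $2-$3 vs domain $4-$5"; rc=1
    fi
    if [ "$1" -lt "$4" ] || [ "$1" -gt "$5" ]; then
        echo "uid $1 is outside the domain idmap range $4-$5"; rc=1
    fi
    return $rc
}
```

Run it as `audit_ad_file_server /etc/sssd/sssd.conf /etc/samba/smb.conf company.com COMPANY 250000`, substituting a uidNumber taken from one of your AD users; a non-zero exit status means a finding was printed.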