Introduction#
After many days of configuration and internet research, I couldn’t find anything that covered all the information needed to integrate this type of configuration into a system. My current job, for example, absolutely requires centralized SSSD across all Linux servers, so below is the configuration I managed to implement on both RedHat 8 and OpenSUSE 15.6.
Architecture Overview#
The solution combines several components:
- Samba - SMB/CIFS file server
- SSSD - System Security Services Daemon for AD integration
- Kerberos - Authentication protocol
- realmd - Domain join utility
Prerequisites#
System Requirements#
- Red Hat/CentOS/Rocky Linux 8+ or Ubuntu 20.04+
- Network connectivity to Active Directory Domain Controllers
- DNS resolution properly configured
- NTP/Chrony for time synchronization
Required Information#
- Domain name:
company.com
- Domain Controller:
dc1.company.com
- Domain admin account with join privileges
- Target OU for computer objects (optional)
Step 1: Package Installation#
RHEL/CentOS/Rocky Linux#
# Install required packages
sudo dnf install -y realmd sssd oddjob oddjob-mkhomedir adcli \
samba-common-tools krb5-workstation chrony samba samba-client \
cifs-utils policycoreutils-python-utils
# Enable and start services
sudo systemctl enable --now chronyd
sudo systemctl enable --now sssd
Ubuntu/Debian#
# Update package list
sudo apt update
# Install required packages
sudo apt install -y realmd sssd sssd-tools libnss-sss libpam-sss \
adcli samba-common-bin krb5-user chrony samba samba-client \
cifs-utils policycoreutils-python-utils
# Enable and start services
sudo systemctl enable --now chrony
sudo systemctl enable --now sssd
Step 2: DNS and Time Configuration#
DNS Configuration#
# Verify DNS resolution
dig company.com
dig _ldap._tcp.company.com SRV
# Find domain controllers
dig +short NS company.com
Edit /etc/resolv.conf
:
sudo nano /etc/resolv.conf
nameserver 192.168.1.10 # Primary DC IP
nameserver 192.168.1.11 # Secondary DC IP (optional)
search company.com
domain company.com
Time Synchronization#
# Configure chrony to sync with domain controller
sudo nano /etc/chrony.conf
Add/modify:
server dc1.company.com iburst prefer
server dc2.company.com iburst
# Restart and verify
sudo systemctl restart chronyd
chrony sources -v
timedatectl status
Step 3: Kerberos Configuration#
# Create Kerberos configuration
sudo nano /etc/krb5.conf
[libdefaults]
default_realm = COMPANY.COM
dns_lookup_kdc = true
dns_lookup_realm = false
rdns = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
udp_preference_limit = 0
[realms]
COMPANY.COM = {
kdc = dc1.company.com
admin_server = dc1.company.com
default_domain = company.com
}
[domain_realm]
.company.com = COMPANY.COM
company.com = COMPANY.COM
[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON
Test Kerberos#
# Test authentication
kinit [email protected]
klist
kdestroy
Step 4: Domain Join with realmd#
Discover Domain#
# Discover the domain
sudo realm discover company.com
Join Domain#
# Join domain with SSSD and Samba integration
sudo realm join company.com -U administrator \
--client-software=sssd \
--membership-software=samba
Verify Join#
# Check realm status
sudo realm list
# Verify computer account
net ads testjoin
Step 5: SSSD Configuration#
# Edit SSSD configuration
sudo nano /etc/sssd/sssd.conf
[sssd]
enable_files_domain = true
domains = company.com
config_file_version = 2
services = nss, pam
[domain/local]
id_provider = files
[domain/company.com]
# Basic AD configuration
ad_domain = company.com
krb5_realm = COMPANY.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
ad_update_samba_machine_account_password = True
# User/Group formatting
full_name_format = %3$s\%1$s
use_fully_qualified_names = False
fallback_homedir = /home/%u
default_shell = /bin/bash
# ID mapping (disable for consistent UIDs across servers)
ldap_id_mapping = False
# Kerberos settings
krb5_store_password_if_offline = True
# Access control
access_provider = simple
simple_allow_groups = [email protected], [email protected]
simple_allow_users = [email protected]
# Performance tuning
enumerate = False
cache_first = True
Set permissions and restart#
sudo chmod 600 /etc/sssd/sssd.conf
sudo systemctl restart sssd
sudo systemctl enable sssd
Step 6: NSS Configuration#
The nsswitch.conf should include both sss
and winbind
:
sudo nano /etc/nsswitch.conf
Key lines should look like:
passwd: files sss winbind
group: files sss winbind
shadow: files sss
netgroup: sss files
Step 7: Samba Configuration#
Create Samba configuration#
sudo nano /etc/samba/smb.conf
[global]
# Domain settings
realm = COMPANY.COM
workgroup = COMPANY
security = ads
# Kerberos configuration
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab
# Logging
log file = /var/log/samba/log.%m
log level = 2
# VFS and ACL support
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
# User mapping
template homedir = /home/%U
template shell = /bin/bash
# ID mapping configuration
idmap config * : backend = tdb
idmap config * : range = 10000-199999
idmap config COMPANY : range = 200000-2147483647
idmap config COMPANY : backend = sss
# Security settings
client signing = mandatory
server signing = mandatory
# Performance
socket options = TCP_NODELAY IPTOS_LOWDELAY
# Example share configuration
[shared]
path = /srv/shared
read only = no
browsable = yes
valid users = @[email protected], @[email protected]
force group = linuxadmins
create mask = 0664
directory mask = 0775
[data]
path = /srv/data
read only = no
browsable = yes
valid users = @[email protected]
force group = dataaccess
create mask = 0660
directory mask = 0770
[homes]
comment = Home Directories
browsable = no
read only = no
create mask = 0700
directory mask = 0700
Create share directories#
# Create directories
sudo mkdir -p /srv/shared /srv/data
# Set permissions
sudo chgrp linuxadmins /srv/shared
sudo chmod 775 /srv/shared
sudo chgrp dataaccess /srv/data
sudo chmod 770 /srv/data
# Set SELinux contexts (RHEL/CentOS)
sudo setsebool -P samba_export_all_ro=1 samba_export_all_rw=1
sudo semanage fcontext -a -t samba_share_t "/srv/shared(/.*)?"
sudo semanage fcontext -a -t samba_share_t "/srv/data(/.*)?"
sudo restorecon -R /srv/shared /srv/data
Step 8: Join Samba to Domain#
Alternative join method with net command#
# Join using net command (alternative to realm join)
sudo net ads join -U administrator
# Verify join
sudo net ads testjoin
# Should return: Join is OK
Test authentication#
# Test user lookup
getent passwd [email protected]
id [email protected]
# Test group lookup
getent group [email protected]
Step 9: Service Management and Testing#
Start Samba services#
sudo systemctl enable --now smb winbind
sudo systemctl status smb winbind
Test SMB shares#
# List shares
sudo smbclient -L localhost -U [email protected]
# Test access to share
sudo smbclient //localhost/shared -U [email protected]
# From Windows client
# \\linux-server\shared
Step 10: Troubleshooting and Maintenance#
Cache Management#
# Clear SSSD cache
sudo sss_cache -E
sudo systemctl restart sssd
# Clear Samba cache
sudo net cache flush
# Remove Samba TDB files (if corruption suspected)
sudo systemctl stop smb winbind
sudo rm -f /var/lib/samba/*.tdb
sudo systemctl start winbind smb
Log Analysis#
# SSSD logs
sudo tail -f /var/log/sssd/sssd_company.com.log
# Samba logs
sudo tail -f /var/log/samba/log.smbd
# Enable debug logging in SSSD
sudo nano /etc/sssd/sssd.conf
# Add: debug_level = 9 in [domain/company.com] section
sudo systemctl restart sssd
Connection Testing#
# Test AD connectivity
sudo net ads info
# Test user authentication
sudo net ads lookup testuser
# Test group membership
sudo net ads group info "linuxadmins"
# Kerberos ticket status
klist -k /etc/krb5.keytab
Performance Monitoring#
# Monitor active SMB connections
sudo smbstatus
# Check winbind status
sudo wbinfo -t # Trust secret
sudo wbinfo -u # List users
sudo wbinfo -g # List groups
Advanced Configuration#
User and Group Mapping#
# Map Windows groups to Linux groups
sudo net groupmap add ntgroup="Domain Admins" unixgroup=wheel type=domain
# List current mappings
sudo net groupmap list
Share-level Permissions#
# Advanced share configuration
[finance]
path = /srv/finance
read only = no
browsable = yes
valid users = @[email protected]
admin users = @[email protected]
force group = finance
create mask = 0640
directory mask = 0750
veto files = /*.mp3/*.avi/*.mpg/
hide unreadable = yes
Security Considerations#
Firewall Configuration#
# Open required ports
sudo firewall-cmd --permanent --add-service=samba
sudo firewall-cmd --permanent --add-port=445/tcp
sudo firewall-cmd --permanent --add-port=139/tcp
sudo firewall-cmd --reload
SELinux Configuration (RHEL/CentOS)#
# Required SELinux booleans
sudo setsebool -P samba_domain_controller=on
sudo setsebool -P use_samba_home_dirs=on
sudo setsebool -P samba_enable_home_dirs=on
# Check SELinux status
sudo getsebool -a | grep samba
Regular Maintenance Tasks#
# Create maintenance script
sudo nano /usr/local/bin/samba-maintenance.sh
#!/bin/bash
# Samba/AD maintenance script
# Refresh machine account password
net ads changetrustpw
# Clear old cache entries
sss_cache -E
# Backup TDB files
tdbbackup /var/lib/samba/*.tdb
# Check domain trust
net ads testjoin
echo "Maintenance completed: $(date)"
sudo chmod +x /usr/local/bin/samba-maintenance.sh
# Add to crontab (weekly maintenance)
echo "0 2 * * 0 /usr/local/bin/samba-maintenance.sh >> /var/log/samba-maintenance.log 2>&1" | sudo crontab -
Common Issues and Solutions#
Issue: “NT_STATUS_ACCESS_DENIED” errors#
# Check user permissions
id [email protected]
# Verify share configuration
sudo testparm -s
# Check SELinux contexts
ls -Z /srv/shared
Issue: Users not resolving#
# Clear cache and restart services
sudo sss_cache -E
sudo systemctl restart sssd winbind
# Check NSS configuration
getent passwd [email protected]
Issue: Authentication failures#
# Check Kerberos tickets
klist
kinit [email protected]
# Verify time sync
chrony sources -v
# Check domain trust
net ads testjoin
Conclusion#
This setup provides robust SMB/CIFS file sharing with Active Directory authentication. The combination of SSSD for user resolution and Samba for file services offers excellent performance and reliability. Regular maintenance and monitoring ensure continued operation in enterprise environments.
Key benefits of this configuration:
- Seamless Windows integration
- Centralized user management
- Kerberos SSO support
- Scalable for large environments
- Comprehensive logging and monitoring
Remember to regularly update your systems and monitor the logs for any authentication or connectivity issues.