Configure Samba File Server with AD Users

Some Pre-requisites

1. AD join is completed. See TID: https://www.suse.com/support/kb/doc/?id=000018831
2. SMB is configured
   1. 12SP5 Documentation: https://documentation.suse.com/sles/12-SP5/html/SLES-all/cha-samba.html
   2. 15SP3 Documentation: https://documentation.suse.com/en-us/sles/15-SP3/html/SLES-all/cha-samba.html
3. If you choose to use SSSD, but also want to run a samba file server, then running winbindd is mandatory since samba 4.8. In that situation, when a user establishes an SMB session, SSSD provides the NSS information and smbd delegates the user authentication to Winbind. Additionally, it requires careful setup because both services will attempt to renew the computer account password at regular intervals which can end in one daemon or another not able to login.

Option 1: Using Winbind

1. Install required packages:

   # zypper in samba
   

2. Prepare the shares directory:

   # mkdir /srv/share1
   # chgrp "EXAMPLE\\Domain Users" /srv/share1
   # chmod g+w /srv/share1
   

3. Configure shares in /etc/samba/smb.conf:

   [share1]
   path = /srv/share1
   read only = no
   

4. Configure idmap settings: It is important to select the appropriate idmap backend for your needs and to set the ranges properly. See the following TID for options and examples: https://www.suse.com/support/kb/doc/?id=000017458 Example in the “[global]” section of the /etc/samba/smb.conf:

   idmap config * : backend = tdb
   idmap config * : range = 10000-19999
   idmap config EXAMPLE : backend = rid
   idmap config EXAMPLE : range = 20000-29999
   

5. Enable and start samba daemon:

   # systemctl enable smb
   # systemctl start smb
   

Option 2: Using SSSD

In this setup sssd will provide the NSS information for the AD users and winbindd will perform the authentication of the SMB sessions. It is not possible to run smbd without winbind. The fallback behavior where smbd contacted the domain controller directly was removed in samba 4.8.

Also, after CVE-2020-25717 patches, it is necessary to properly set up the idmap settings because fallback behavior ignoring the domain was removed.

For more information please see: https://www.suse.com/support/kb/doc/?id=000020533

1. Install required packages:

   # zypper in samba samba-winbind
   

2. Both SSSD and Winbind change the machine account password at regular intervals by default. This can be a problem because the SSSD daemon stores the machine account password in the system keytab and samba stores it in the secrets.tdb file. If/When the password is changed by one of the services, the other service will stop working since it now has an outdated password.

   To prevent this problem, we have to tell samba to update the system keytab as well when the machine password is changed. The netbios name of the AD server will be needed for the workgroup parameter.
   Add to the /etc/samba/smb.conf:

   [global]
   workgroup = EXAMPLE
   realm = EXAMPLE.COM
   security = ADS
   kerberos method = secrets and keytab
   

   Likewise we can tell SSSD to update the secrets.tdb file. Add to the /etc/sssd/sssd.conf one of the following parameters:

   [domain/example.com]
   
   # To update samba's secrets.tdb, *or*
   ad_update_samba_machine_account_password = true
   
   # To disable password changes.
   # If the AD server requires password changes this will not be an option.
   ad_maximum_machine_account_password_age = 0
   

   Restart SSSD after any changes:

   # systemctl restart sssd
   

3. Join to the domain:

   If the computer was already joined to the domain using adcli, we need to join again using “net” to create the secrets.tdb file for samba. Since we have also configured samba to update the system keytab, we can join using the “net” utility (”-U” could also be used. Either way the AD user must be able to create/modify computer accounts):

   # kinit Administrator
   # net ads join -k
   

4. Prepare the shares directory:

   # mkdir /srv/share1
   # chgrp "EXAMPLE\\Domain Users" /srv/share1
   # chmod g+w /srv/share1
   

5. Configure shares in /etc/samba/smb.conf:

   [share1]
   path = /srv/share1
   read only = no
   

6. Configure idmap settings:

   After CVE-2020-25717 patches it is necessary to set the correct idmap settings so winbindd will get the NSS information for AD users from sssd through NSS. It is important to select the appropriate idmap backend and to set the ranges properly. See the following TID for options and examples: https://www.suse.com/support/kb/doc/?id=000017458

   Example in the “[global]” section of the /etc/samba/smb.conf:

   idmap config * : backend = tdb
   idmap config * : range = 10000-19999
   idmap config EXAMPLE : backend = nss
   idmap config EXAMPLE : range = 200000-2000200000
   

7. Start Winbind and samba daemons:

   # systemctl enable smb
   # systemctl enable winbind
   # systemctl start smb
   # systemctl start winbind
   

Test

Any user should be able to replace "user1" below. Keep in mind that the command won't work if the foo.txt file already exists in the share (/srv/share1):

# touch foo.txt
# smbclient //localhost/share1 -U EXAMPLE\\user1 -c 'put foo.txt'
Password for [EXAMPLE\\user1]:
putting file foo.txt as \\foo.txt (0,0 kb/s) (average 0,0 kb/s)
ls -l /srv/share1/
total 0
-rwxr--r-- 1 user1 domain users 0 feb 18 13:51 foo.txt