Linux: Configuring SAMBA

[Work in progress]…

My configuration based on Fedora 23 server, connecting to a Windows Server 2012 R2 DC.

It [will] include Kerberos authentication, SSS ID mapping and a Samba configuration that allows permissioning of shares from AD.

Troubleshooting

Host is not configured as a member server.

Check sssd service status:

If it can’t start because the Kerberos keytab file is missing, make sure the server is configured with realmd, i.e. run realm join -v ad.domain before attempting the net join command. This creates the AD object. See Red Hat article here.

The realmd system provides a clear and simple way to discover and join identity domains. It does not connect to the domain itself but configures underlying Linux system services, such as SSSD or Winbind, to connect to the domain.

Then restart sssd: # systemctl start sssd

Host is not configured as a member server.

Check values in /etc/samba/smb.conf. I’m guessing re-running the realm command changed a bunch of settings including:

  • security = user rather than security = ads
  • realm
  • workgroup

Configure the following files accordingly:

  • /etc/samba/smb.conf
  • /etc/krb5.conf
  • /etc/sssd/sssd.conf
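A quick way to catch the smb.conf regression described above (realm re-run leaving security = user behind) is to check the [global] section for the three settings before running testparm or net ads join. The script below is an added example, not part of the original post: it parses only the [global] section of a given smb.conf, ignores comment lines, and fails unless security = ads, realm and workgroup are all present. The sample configurations it creates use placeholder domain names (AD.EXAMPLE.COM, EXAMPLE) and are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): verify the [global] section of an
# smb.conf has the AD member-server settings: security = ads, realm, workgroup.

# Print the value of one key from the [global] section of an smb.conf, or nothing
# if it is absent. Keys are matched case-insensitively; comment lines (# or ;)
# and other sections such as [homes] are ignored.
smb_global_value() {
    cfg=$1; want=$2
    awk -v key="$want" '
        /^[ \t]*\[/ { in_global = (tolower($0) ~ /^[ \t]*\[global\][ \t]*$/); next }
        in_global && $0 !~ /^[ \t]*[#;]/ {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) { print v; exit }
        }' "$cfg"
}

# Return 0 when security = ads and both realm and workgroup are set; otherwise
# print what is wrong and return 1.
check_smb_global() {
    file=$1
    rc=0
    sec=$(smb_global_value "$file" security)
    realm=$(smb_global_value "$file" realm)
    wg=$(smb_global_value "$file" workgroup)
    sec_lc=$(printf '%s' "$sec" | tr 'A-Z' 'a-z')
    if [ "$sec_lc" != "ads" ]; then
        echo "$file: security = '${sec:-<unset>}' (expected ads)"; rc=1
    fi
    [ -n "$realm" ] || { echo "$file: realm is not set"; rc=1; }
    [ -n "$wg" ]    || { echo "$file: workgroup is not set"; rc=1; }
    return $rc
}

# Constructed sample configurations (placeholder names, not a real domain).
tmp=$(mktemp -d)
cat > "$tmp/smb.conf.bad" <<'EOF'
[global]
   ; what a re-run of realm can leave behind: standalone-server settings
   security = user
   workgroup = WORKGROUP
[homes]
   security = ads
EOF
cat > "$tmp/smb.conf.good" <<'EOF'
[global]
   security = ads
   realm = AD.EXAMPLE.COM
   workgroup = EXAMPLE
   kerberos method = secrets and keytab
EOF

check_smb_global "$tmp/smb.conf.bad"  || echo "bad config flagged as expected"
check_smb_global "$tmp/smb.conf.good" && echo "good config passes"
```

Run it against the real file with check_smb_global /etc/samba/smb.conf; the security = ads line under [homes] in the bad sample is there to show that only the [global] section counts, which is where Samba reads these settings.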

Granting Permission to Domain Admins to do things

Set permissions to modify ACLs

Following: https://wiki.samba.org/index.php/Samba_Member_Server_Troubleshooting

net rpc rights grant 'DOMAIN\Domain Admins' SeDiskOperatorPrivilege -Uadministrator@ad.domain.com

In /var/log/samba/log.127.0.0.1

Does ldbsearch exist?

Try: ldbsearch -H /var/lib/sss/db/cache_ad.domain.com.ldb objectclass=

Returns -bash: ldbsearch: No such file or directory, meaning the LDB tools aren’t installed.

After installing the LDB tools, try the ldbsearch command again:

ldbsearch -H /var/lib/sss/db/cache_ad.domain.com.ldb objectclass=group > /tmp/ldbsearch.log 2>&1 ; vi /tmp/ldbsearch.log

Clear caches:

Source: https://lists.fedorahosted.org/pipermail/sssd-users/2014-August/002028.html

Notes:

  • Winbind has been superseded by SSS; however, Winbind still exists.
  • To trace kinit: # KRB5_TRACE=/dev/stdout kinit Administrator

net join verbose: # net ads join -k -d 10 > /tmp/join.log 2>&1

Full logging output goes to /tmp/join.log. Setting -d 3 will suffice for most debugging.

  • There are various types of net join. I am using ADS for Active Directory.
  • Use # testparm /etc/samba/smb.conf to check that the file is OK.

Useful Commands

Command         Description
sss_cache -E    Clear the SSS cache

Please feel free to leave a comment...