Active Directory CIFS (Samba) w/ CentOS/Red Hat Enterprise Linux 8

There are many guides, cheat sheets, and white papers on authenticating Linux with Active Directory, and many different ways to do it. This iuvo Technologies blog will go through one tried and true method that works on CentOS/RHEL 8. We will also setup a Samba CIFS file share and use AD authentication for connections to that.


In the examples shown below the following assumptions are made:

  1. DNS for the Active Directory domain is working properly and is used by the CentOS/RHEL system being joined to the domain.
  2. The Active Directory domain name is:
  3. The Active Directory short domain name is: CONTOSO
  4. The Active Directory Domain Controller is:
  5. The account has Domain Admin rights
  6. The accounts username1 and username2 both exist in Active Directory as regular users
  7. /test is a test share that username1 and username2 are allowed to connect to


Getting Started

To start, we need access to Microsoft Active Directory Domain Controllers. These can be on-premises DCs, or Azure Active Directory Domain Services together with a working connection (including proper DNS) to the provisioned DCs. In our examples we use on-premises DCs that also provide DNS for the subnet hosting the CentOS/RHEL 8 file server.


In addition to the Microsoft requirements above, we also need the CentOS/RHEL Linux server. This can be either a physical or a virtual system. We will use a virtual CentOS 8.3 server with the "Minimal Install" software group loaded. Always start from a fully patched system, which can be done with:

dnf update


If there are kernel updates installed from the command above, the server should be rebooted before proceeding further.


With CentOS/RHEL 8 the RC4 encryption cipher has been disabled in the default crypto policy, so for the systems to communicate either AES must be enabled in Active Directory or RC4 must be re-enabled on the CentOS/RHEL 8 system. We recommend AES over RC4, but for this blog we will outline enabling RC4 to keep the focus on setting up the Linux server. If you are interested in AES on the Domain Controllers, please look here:


To enable RC4 in Linux, run this command:

sudo update-crypto-policies --set DEFAULT:AD-SUPPORT


Now reboot again for the above command to take effect.


We need to install the following packages:

sudo dnf install samba samba-common-tools samba-winbind samba-winbind-clients \
    samba-winbind-krb5-locator oddjob oddjob-mkhomedir realmd krb5-workstation


Also install any dependencies dnf asks for.


Now we are ready to join the system to AD. This will also update the Samba configuration file in /etc/samba/smb.conf:

sudo realm join --membership-software=samba --client-software=winbind


Next, update the /etc/krb5.conf file so that it reads as follows (the section headers are shown in the standard krb5.conf layout):

# To opt out of the system crypto-policies configuration of krb5, remove the
# symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.
includedir /etc/krb5.conf.d/

[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    dns_lookup_realm = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    rdns = false
    pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
    spake_preauth_groups = edwards25519
    default_realm = CONTOSO.COM
    default_ccache_name = KEYRING:persistent:%{uid}

[realms]
    CONTOSO.COM = {
        kdc =
        admin_server =
    }

[domain_realm]
     = CONTOSO.COM
     = CONTOSO.COM

[plugins]
    localauth = {
        module = winbind:/usr/lib64/samba/krb5/
        enable_only = winbind
    }


Now start Samba:

sudo systemctl enable --now smb


After Samba is running we can query AD for user information:

sudo getent passwd "CONTOSO\Administrator"


Should return something like:



Now we can test Kerberos (make sure the AD DOMAIN NAME below is in caps):

kinit administrator@CONTOSO.COM

Enter the account's password when prompted.



Output from klist should be similar to:

Ticket cache: KCM:0
Default principal: administrator@CONTOSO.COM

Valid starting       Expires             Service principal
02/10/2021 17:19:45  02/11/2021 03:19:45  krbtgt/CONTOSO.COM@CONTOSO.COM
      renew until 02/17/2021 17:19:38


This shows that Kerberos is working properly.


Now we can configure the file shares. First, we will create our test folder to share out:

sudo mkdir /test

sudo chmod 777 /test


The /etc/samba/smb.conf should look like (share and [global] section headers shown in the standard smb.conf layout):

# See smb.conf.example for a more detailed config file or
# read the smb.conf manpage.
# Run 'testparm' to verify the config is correct after
# you modified it.

[global]
    log level = 0
    workgroup = CONTOSO
    security = ads
    passdb backend = tdbsam
    printing = cups
    printcap name = cups
    load printers = yes
    cups options = raw
    kerberos method = secrets and keytab
    template homedir = /home/%U
    template shell = /bin/bash

    idmap config CONTOSO : range = 2000000-2999999
    idmap config CONTOSO : backend = rid
    idmap config * : range = 10000-999999
    idmap config * : backend = tdb
    winbind use default domain = yes
    winbind refresh tickets = yes
    winbind offline logon = yes
    winbind enum groups = no
    winbind enum users = no

[homes]
    comment = Home Directories
    valid users = %S, %D%w%S
    browseable = No
    read only = No
    inherit acls = Yes

[printers]
    comment = All Printers
    path = /var/tmp
    printable = Yes
    create mask = 0600
    browseable = No

[print$]
    comment = Printer Drivers
    path = /var/lib/samba/drivers
    write list = @printadmin root
    force group = @printadmin
    create mask = 0664
    directory mask = 0775

[test]
    comment = Test Share
    path = /test
    browseable = yes
    guest ok = no
    writeable = yes
    write list = username1 username2
    create mode = 0666
    directory mode = 0777
    valid users = username1 username2


Now we should restart Samba:

sudo systemctl restart smb


The firewall also needs to be configured to allow Samba connections through it:

firewall-cmd --permanent --add-service=samba

firewall-cmd --reload


We also need to tell SELinux to allow the connections:

sudo setsebool -P samba_export_all_ro=1 samba_export_all_rw=1

sudo getsebool -a | grep samba_export

sudo semanage fcontext -at samba_share_t "/test(/.*)?"

sudo restorecon /test




Troubleshooting authentication issues can be particularly frustrating.

  1. Increasing the log level in the smb.conf file above can help pinpoint problems.
    1. You can look at the log in /var/log/samba/log.smbd
  2. Double check that DNS is correct and that the domain controller resolves properly.
  3. Make sure your CentOS/RHEL server shows up in Active Directory Users and Computers.
  4. The file /var/log/secure will show authentication errors.
  5. Try temporarily disabling SELinux: sudo setenforce 0
  6. Use the "id" and "getent" programs to confirm that account information is reaching the system.


If you would like to discuss this more, please contact us. We would be happy to share our experience!

