AD Authenticated CIFS (Samba) w/ CentOS/Red Hat Enterprise Linux 8

There are many guides, cheat sheets, and white papers on authenticating Linux against Active Directory, and many different ways to do it. This iuvo Technologies blog walks through one tried and true method that works on CentOS/RHEL 8. We will also set up a Samba CIFS file share and use AD authentication for connections to it.

 


Notes

In the examples shown below the following assumptions are made:

  1. DNS for the Active Directory Domain is properly working and is used by the CentOS/RHEL system being joined to the Domain.
  2. The Active Directory domain name is: contoso.com
  3. The Active Directory short domain name is: CONTOSO
  4. The Active Directory Domain Controller is: dc1.contoso.com
  5. The account Administrator@contoso.com has Domain Admin rights
  6. The accounts username1 and username2 are both in Active Directory as regular users
  7. /test is a test share that username1 and username2 are allowed to connect to

 

Getting Started

To start we need access to Microsoft Active Directory Domain Controllers. These can be provided by Azure Active Directory Domain Services, with a working connection (including proper DNS) to the provisioned DCs, or by on-premises DCs. In our examples we will use on-premises DCs that also provide DNS for the subnet hosting the CentOS/RHEL 8 file server.

 

In addition to the Microsoft requirements above, we also need the CentOS/RHEL Linux server. This can be either a physical or virtual system. We will use a virtual CentOS 8.3 server with the "Minimal Install" software group loaded. Always make sure to start out with a fully patched system, which can be done with:

dnf update

 

If there are kernel updates installed from the command above, the server should be rebooted before proceeding further.

 

With CentOS/RHEL 8 the RC4 encryption cipher has been disabled, so either AES must be enabled in Active Directory for the systems to communicate, or RC4 must be re-enabled on CentOS/RHEL 8. We recommend using AES rather than RC4, but for this blog we will outline enabling RC4 to keep the focus on setting up the Linux server. If you are interested in enabling AES on the Domain Controllers, please look here:

https://docs.microsoft.com/en-US/troubleshoot/windows-server/windows-security/unsupported-etype-error-accessing-trusted-domain

 

To enable RC4 in Linux, run this command:

sudo update-crypto-policies --set DEFAULT:AD-SUPPORT

 

Now reboot again for the above command to take effect.

 

We need to install the following packages:

sudo dnf install samba samba-common-tools samba-winbind samba-winbind-clients \
samba-winbind-krb5-locator oddjob oddjob-mkhomedir realmd krb5-workstation \
policycoreutils-python-utils

 

Also install any dependencies dnf asks for.

 

Now we are ready to join the system to AD. This will also update the Samba configuration file in /etc/samba/smb.conf:

sudo realm join --membership-software=samba --client-software=winbind contoso.com

 

Next, we need to update the /etc/krb5.conf file so that it reads as follows:

# To opt out of the system crypto-policies configuration of krb5, remove the
# symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.
includedir /etc/krb5.conf.d/

[logging]
   default = FILE:/var/log/krb5libs.log
   kdc = FILE:/var/log/krb5kdc.log
   admin_server = FILE:/var/log/kadmind.log

[libdefaults]
   dns_lookup_realm = false
   ticket_lifetime = 24h
   renew_lifetime = 7d
   forwardable = true
   rdns = false
   pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
   spake_preauth_groups = edwards25519
   default_realm = CONTOSO.COM
   default_ccache_name = KEYRING:persistent:%{uid}

[realms]
   CONTOSO.COM = {
       kdc = dc1.contoso.com
       admin_server = dc1.contoso.com
   }

[domain_realm]
   .contoso.com = CONTOSO.COM
   contoso.com = CONTOSO.COM

[plugins]
   localauth = {
       module = winbind:/usr/lib64/samba/krb5/winbind_krb5_localauth.so
       enable_only = winbind
   }

 

Now start Samba:

sudo systemctl enable --now smb

 

After Samba is running we can query AD for user information:

sudo getent passwd "CONTOSO\Administrator"

 

This should return something like:

CONTOSO\administrator:*:2000500:2000513::/home/administrator@CONTOSO:/bin/bash

 

Now we can test Kerberos (make sure the realm name below is in capitals):

kinit administrator@CONTOSO.COM

(enter the account password when prompted)

klist

 

Output from klist should be similar to:

Ticket cache: KCM:0
Default principal: administrator@CONTOSO.COM

Valid starting       Expires             Service principal
02/10/2021 17:19:45 02/11/2021 03:19:45 krbtgt/CONTOSO.COM@CONTOSO.COM
      renew until 02/17/2021 17:19:38

 

This shows that Kerberos is working properly.
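The getent and kinit checks above are easy to eyeball once, but worth scripting when several servers are joined. The following POSIX shell helpers are an added example, not part of the original post: they check a getent passwd line against the domain idmap range that the smb.conf later in this post configures (2000000-2999999 with the rid backend), recover the AD RID behind a mapped uid, and upper-case the realm part of a principal before it is handed to kinit. The idmap_rid rule assumed here is ID = RANGE_LOW + RID; the sample getent line is the one shown above.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes the CONTOSO idmap
# range 2000000-2999999 with the rid backend, as in the post's smb.conf.
IDMAP_MIN=2000000
IDMAP_MAX=2999999

# is_number VALUE -> 0 if VALUE is a non-empty string of digits
is_number() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    return 0
}

# check_idmap_entry PASSWD_LINE
# PASSWD_LINE is one line as printed by `getent passwd "CONTOSO\user"`.
# Returns 0 when both uid and gid sit inside the CONTOSO idmap range,
# 1 otherwise. A uid outside the range (a local account's 1000, or an id
# from the 10000-999999 '*' range) means the account was not mapped through
# the domain rid backend.
check_idmap_entry() {
    uid=$(printf '%s\n' "$1" | cut -d: -f3)
    gid=$(printf '%s\n' "$1" | cut -d: -f4)
    is_number "$uid" && is_number "$gid" || return 1
    [ "$uid" -ge "$IDMAP_MIN" ] && [ "$uid" -le "$IDMAP_MAX" ] &&
    [ "$gid" -ge "$IDMAP_MIN" ] && [ "$gid" -le "$IDMAP_MAX" ]
}

# rid_from_uid UID -> prints the AD RID behind a uid produced by the rid
# backend (idmap_rid maps ID = RANGE_LOW + RID, so RID = ID - RANGE_LOW).
rid_from_uid() {
    echo $(( $1 - IDMAP_MIN ))
}

# upper_realm PRINCIPAL -> PRINCIPAL with the realm upper-cased. Kerberos
# realms are case sensitive and an AD realm is the domain name in capitals.
upper_realm() {
    user=${1%@*}
    realm=$(printf '%s\n' "${1#*@}" | tr '[:lower:]' '[:upper:]')
    printf '%s@%s\n' "$user" "$realm"
}

# Constructed sample: the getent line shown in the post.
SAMPLE_ENTRY='CONTOSO\administrator:*:2000500:2000513::/home/administrator@CONTOSO:/bin/bash'

if check_idmap_entry "$SAMPLE_ENTRY"; then
    uid=$(printf '%s\n' "$SAMPLE_ENTRY" | cut -d: -f3)
    echo "uid $uid is inside the CONTOSO range, RID $(rid_from_uid "$uid")"
else
    echo "entry was not mapped through the CONTOSO rid backend"
fi
```

For the sample line the uid 2000500 yields RID 500 and the gid 2000513 yields RID 513, the well-known RIDs of the built-in Administrator account and the Domain Users group, which is a quick confirmation that the rid mapping is doing what the configuration says. To check a live system, feed it the real output: check_idmap_entry "$(getent passwd 'CONTOSO\username1')".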

 

Now we can configure the file shares. First, we will create our test folder to share out:

sudo mkdir /test

sudo chmod 777 /test

 

The /etc/samba/smb.conf should look like:

# See smb.conf.example for a more detailed config file or
# read the smb.conf manpage.
# Run 'testparm' to verify the config is correct after
# you modified it.

[global]
log level = 0
workgroup = CONTOSO
security = ads
passdb backend = tdbsam
printing = cups
printcap name = cups
load printers = yes
cups options = raw
kerberos method = secrets and keytab
template homedir = /home/%U
template shell = /bin/bash
realm = CONTOSO.COM
idmap config CONTOSO : range = 2000000-2999999
idmap config CONTOSO : backend = rid
idmap config * : range = 10000-999999
idmap config * : backend = tdb
winbind use default domain = yes
winbind refresh tickets = yes
winbind offline logon = yes
winbind enum groups = no
winbind enum users = no

[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes

[printers]
comment = All Printers
path = /var/tmp
printable = Yes
create mask = 0600
browseable = No

[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = @printadmin root
force group = @printadmin
create mask = 0664
directory mask = 0775

[test]
comment = Test Share
path = /test
browseable = yes
guest ok = no
writeable = yes
write list = username1 username2
create mode = 0666
directory mode = 0777
valid users = username1 username2
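Before restarting Samba it pays to check the file for the two mistakes that are easiest to make in a share section: a parameter line missing its "=" (which Samba will not accept) and a share that ends up reachable without an AD identity because it allows guests or has no valid users list. The following shell function is an added example, not part of the original post or of Samba; it runs a small lint pass over smb.conf text on stdin, skipping the built-in [global], [homes], [printers] and [print$] sections, and is meant as a complement to testparm, not a replacement for it. The sample configuration it runs against is constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original post. Lints smb.conf text on stdin:
#   * a parameter line with no "=" is reported for the section it sits in;
#   * a file share with "guest ok = yes" or without "valid users" is reported,
#     since it would not require an AD identity.
# [global], [homes], [printers] and [print$] are left alone.

# lint_smb_conf: reads smb.conf text on stdin, prints one finding per line
lint_smb_conf() {
    awk '
    BEGIN { skip["global"] = 1; skip["homes"] = 1; skip["printers"] = 1; skip["print$"] = 1 }
    function flush() {
        if (sec != "" && !(sec in skip)) {
            if (guest == "yes") print sec ": guest ok = yes"
            if (!has_valid)     print sec ": no valid users list"
        }
    }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }          # comments and blank lines
    /^[ \t]*\[/ {                                  # [section] header
        flush()
        sec = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", sec)
        guest = "no"; has_valid = 0
        next
    }
    index($0, "=") == 0 {                          # parameter without "="
        line = $0; gsub(/^[ \t]+|[ \t]+$/, "", line)
        print sec ": missing \"=\" in \"" line "\""
        next
    }
    {
        key = $0; sub(/[ \t]*=.*$/, "", key); gsub(/^[ \t]+/, "", key)
        val = $0; sub(/^[^=]*=[ \t]*/, "", val); gsub(/[ \t]+$/, "", val)
        if (key == "guest ok")    guest = tolower(val)
        if (key == "valid users") has_valid = 1
    }
    END { flush() }
    '
}

# Constructed sample config: [test] mirrors the post's share but with the
# "directory mode 0777" line left without "="; [scratch] is an open share.
SAMPLE_CONF='[global]
workgroup = CONTOSO
security = ads

[homes]
valid users = %S, %D%w%S

[test]
comment = Test Share
path = /test
guest ok = no
directory mode 0777
valid users = username1 username2

[scratch]
path = /srv/scratch
guest ok = yes'

# lint_sample: runs the lint over the constructed config
lint_sample() {
    printf '%s\n' "$SAMPLE_CONF" | lint_smb_conf
}

lint_sample
```

Against the sample it reports the missing "=" in [test] and both problems with [scratch], and nothing for [test]'s access controls or the built-in sections. On a server, run it as lint_smb_conf < /etc/samba/smb.conf and then testparm as the file's own comment suggests.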

 

Now we should restart Samba:

sudo systemctl restart smb

 

The firewall also needs to be configured to allow Samba connections through it:

firewall-cmd --permanent --add-service=samba

firewall-cmd --reload

 

We also need to tell SELinux to allow the connections and label the shared directory:

sudo setsebool -P samba_export_all_ro=1 samba_export_all_rw=1

sudo getsebool -a | grep samba_export

sudo semanage fcontext -at samba_share_t "/test(/.*)?"

sudo restorecon /test

 

Troubleshooting

 

Troubleshooting authentication issues can be particularly frustrating.

  1. Increasing the log level in the smb.conf file above can help pinpoint problems.
    1. The log is in /var/log/samba/log.smbd.
  2. Double check that DNS is correct and that the domain controller resolves properly.
  3. Make sure your CentOS/RHEL server shows up in Active Directory Users and Computers.
  4. The file /var/log/secure will show authentication errors.
  5. Try temporarily disabling SELinux with sudo setenforce 0 (and re-enable it with sudo setenforce 1 afterwards).
  6. Use the "id" and "getent" programs to confirm that account information is reaching the system.
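Item 4 is usually the fastest lead, but /var/log/secure fills up quickly on a file server. The following shell helpers are an added example, not part of the original post: they count pam_winbind failures by their NTSTATUS code and separately flag WBC_ERR_WINBIND_NOT_AVAILABLE, which means PAM could not reach winbindd at all (a service problem, not a bad password). The log lines are constructed to resemble pam_winbind output and the exact wording may differ between versions.

```shell
#!/bin/sh
# Added example, not part of the original post. Summarises pam_winbind
# failures so the status code behind them is counted rather than read
# line by line. Sample lines below are constructed, not captured.

# winbind_failures: reads log lines on stdin, prints "<count> <NT_STATUS code>"
# per distinct code, most frequent first.
winbind_failures() {
    awk '/pam_winbind/ && /failed/ {
        if (match($0, /NT_STATUS_[A-Z_]+/)) n[substr($0, RSTART, RLENGTH)]++
    }
    END { for (s in n) print n[s], s }' | sort -rn
}

# winbindd_unreachable: returns 0 if any line on stdin reports
# WBC_ERR_WINBIND_NOT_AVAILABLE, i.e. PAM could not talk to winbindd
# (check "systemctl status winbind" before looking at credentials).
winbindd_unreachable() {
    grep -q 'WBC_ERR_WINBIND_NOT_AVAILABLE'
}

# Constructed sample of /var/log/secure entries.
SAMPLE_SECURE='Feb 10 17:20:01 fs1 sshd[2345]: pam_winbind(sshd:auth): getting password (0x00000388)
Feb 10 17:20:03 fs1 sshd[2345]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_LOGON_FAILURE, Error message was: The attempted logon is invalid.
Feb 10 17:21:10 fs1 sshd[2360]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_LOGON_FAILURE, Error message was: The attempted logon is invalid.
Feb 10 17:25:42 fs1 sshd[2401]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_WINBIND_NOT_AVAILABLE, PAM error: PAM_AUTHINFO_UNAVAIL (9), NTSTATUS: NT_STATUS_UNSUCCESSFUL, Error message was: Unsuccessful.
Feb 10 17:26:00 fs1 sshd[2410]: pam_winbind(sshd:auth): user CONTOSO\username1 granted access'

# summarise_sample: failure counts for the constructed log
summarise_sample() {
    printf '%s\n' "$SAMPLE_SECURE" | winbind_failures
}

# sample_winbindd_unreachable: 0 if the constructed log shows winbindd unreachable
sample_winbindd_unreachable() {
    printf '%s\n' "$SAMPLE_SECURE" | winbindd_unreachable
}

summarise_sample
if sample_winbindd_unreachable; then
    echo "winbindd was unreachable at least once; check the winbind service first"
fi
```

On a live server run sudo winbind_failures < /var/log/secure, or pipe journalctl output through it. A run of NT_STATUS_LOGON_FAILURE with a working winbindd points at credentials or the realm name, while WBC_ERR_WINBIND_NOT_AVAILABLE points at the service, the join, or the DNS items in the list above.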

 

If you would like to discuss this more, please contact us. We would be happy to share our experience!

 
