Difference between revisions of "Samba File Server CentOS 7"
Jump to navigation
Jump to search
(Created page with "# Use winbind for samba if using as fileserver as sssd still has home id map limits and issues ## Install ``` #!/bin/bash set -e # https://access.redhat.com/documentation/en...") |
|||
| (12 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
# Use winbind for samba if using as fileserver as sssd still has home id map limits and issues | # Use winbind for samba if using as fileserver as sssd still has home id map limits and issues | ||
| + | - https://access.redhat.com/solutions/3802321 and https://access.redhat.com/articles/4355391 - Don't use sssd | ||
| + | - https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-file_and_print_servers#the_samba_services | ||
| + | - https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/deploying_different_types_of_servers/assembly_using-samba-as-a-server_deploying-different-types-of-servers | ||
| + | - https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs | ||
## Install | ## Install | ||
``` | ``` | ||
| − | #!/bin/bash | + | #!/usr/bin/env bash |
set -e | set -e | ||
| Line 19: | Line 23: | ||
realm join --membership-software=samba --client-software=winbind MYDOMAIN.com -U busk | realm join --membership-software=samba --client-software=winbind MYDOMAIN.com -U busk | ||
| + | |||
| + | wbinfo --all-domains | ||
systemctl start smb | systemctl start smb | ||
systemctl enable smb | systemctl enable smb | ||
| + | ``` | ||
| + | ## Login to host via ssh | ||
| + | ``` | ||
ssh from powershell 10.x.x.x | ssh from powershell 10.x.x.x | ||
| + | $ id | ||
``` | ``` | ||
| + | Note how directory is autocreated with /home/myuser@MYDOMAIN | ||
## File Sharing | ## File Sharing | ||
| + | ``` | ||
mkdir /jtest | mkdir /jtest | ||
echo "test file for samba" > /jtest/example.txt | echo "test file for samba" > /jtest/example.txt | ||
| Line 36: | Line 48: | ||
setenforce 1 getenforce | setenforce 1 getenforce | ||
| − | |||
vim /etc/selinux/config | vim /etc/selinux/config | ||
``` | ``` | ||
| + | We are disabling selinux in order to share outside of home directory, modify sepolicy if you want to keep it enabled. | ||
## Add share accessed by \\10.x.x.x\jtest | ## Add share accessed by \\10.x.x.x\jtest | ||
/etc/samba/smb.conf | /etc/samba/smb.conf | ||
``` | ``` | ||
| + | systemctl restart smb | ||
| + | |||
# have user use id command to get AD group mappings | # have user use id command to get AD group mappings | ||
[jtest] | [jtest] | ||
| Line 49: | Line 63: | ||
writeable = yes | writeable = yes | ||
browseable = yes | browseable = yes | ||
| − | + | # force createmode=0640 | |
| − | + | # force directorymode=0750 | |
| − | + | create mask = 660 | |
| − | + | directory mask = 770 | |
| − | + | inherit acls = Yes # Used for windows simulation, set to "no"(default) if not needed | |
| − | valid users = @"MYDOMAIN\domain | + | valid users = @"MYDOMAIN\domain users" @"MYDOMAIN\server administrators" # @ denotes a group |
| + | # You may additional use chown/chmod to restrict access to share. | ||
``` | ``` | ||
| Line 68: | Line 83: | ||
\\10.x.x.x\jtest | \\10.x.x.x\jtest | ||
| + | ``` | ||
yum install -y tcpdump | yum install -y tcpdump | ||
tcpdump -nnpli ens192 not port 22 | tcpdump -nnpli ens192 not port 22 | ||
``` | ``` | ||
| + | |||
| + | Using id command as it it preferred over groups | ||
| + | ``` | ||
| + | $ groups | ||
| + | $ groups userNameHere | ||
| + | $ id -Gn | ||
| + | $ id -Gn userNameHere | ||
| + | $ getent passwd MYDOMAIN\myuser | ||
| + | ``` | ||
| + | |||
| + | Leaving | ||
| + | ``` | ||
| + | realm leave ad.example.com -U 'AD.EXAMPLE.COM\user' | ||
| + | ``` | ||
| + | use --remove to actually delete computer account | ||
| + | |||
| + | https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/realmd-ad-unenroll | ||
Latest revision as of 01:09, 28 May 2020
Use winbind for samba if using as fileserver as sssd still has home id map limits and issues
- https://access.redhat.com/solutions/3802321 and https://access.redhat.com/articles/4355391 - Don't use sssd
- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-file_and_print_servers#the_samba_services
- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/deploying_different_types_of_servers/assembly_using-samba-as-a-server_deploying-different-types-of-servers
- https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
Install
#!/usr/bin/env bash set -e # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-file_and_print_servers#the_samba_services yum install -y realmd oddjob-mkhomedir oddjob samba-winbind-clients \ samba-winbind samba-common-tools yum install -y samba # To share directories yum install -y samba-winbind-krb5-locator mv /etc/samba/smb.conf /etc/samba/smb.conf.orig realm join --membership-software=samba --client-software=winbind MYDOMAIN.com -U busk wbinfo --all-domains systemctl start smb systemctl enable smb
Login to host via ssh
ssh from powershell 10.x.x.x $ id
Note how directory is autocreated with /home/myuser@MYDOMAIN
File Sharing
mkdir /jtest echo "test file for samba" > /jtest/example.txt chown "MYDOMAIN\busk":"MYDOMAIN\Domain Users" /jtest/example.txt firewall-cmd --permanent --add-port=445/tcp firewall-cmd --reload setenforce 1 getenforce vim /etc/selinux/config
We are disabling selinux in order to share outside of home directory, modify sepolicy if you want to keep it enabled.
/etc/samba/smb.conf
systemctl restart smb
# have user use id command to get AD group mappings
[jtest]
path = /jtest
read only = no
writeable = yes
browseable = yes
# force createmode=0640
# force directorymode=0750
create mask = 660
directory mask = 770
inherit acls = Yes # Used for windows simulation, set to "no"(default) if not needed
valid users = @"MYDOMAIN\domain users" @"MYDOMAIN\server administrators" # @ denotes a group
# You may additional use chown/chmod to restrict access to share.
Some tests
getent passwd MYDOMAIN\busk getent group "MYDOMAIN\Domain Users" chown "MYDOMAIN\busk":"AD\Domain Users" /srv/samba/example.txt
kinit busk@MYDOMAIN.COM
\10.x.x.x\jtest
yum install -y tcpdump tcpdump -nnpli ens192 not port 22
Using id command as it it preferred over groups
$ groups $ groups userNameHere $ id -Gn $ id -Gn userNameHere $ getent passwd MYDOMAIN\myuser
Leaving
realm leave ad.example.com -U 'AD.EXAMPLE.COM\user'
use --remove to actually delete computer account