In the previous tutorial we learned how to add CentOS 8 Linux client to Windows Domain Controller (AD) using Winbind. Now in this article we will learn about samba integration with active directory wherein we will create shares on Windows Domain Controller and access them using samba on the Linux client and vice versa.
Some more articles on a similar topic:
- How to join Linux client to Windows AD Domain using realmd with SSSD (CentOS/RHEL 7/8)
- How to join Linux client to Windows AD Domain using adcli with SSSD (CentOS/RHEL 7/8)
- How to join Linux client to Windows AD Domain using winbind (CentOS/RHEL 7/8)
1. Lab Environment
I have already configured AD on a Windows Server 2012 VM which has an IP Address of 192.168.0.107, while my CentOS 8 client which I have added to this Windows AD has an IP Address of 192.168.0.117.
First of all let us create a share on our Windows Domain Controller which we will later access through our Linux client. I will be using Windows Server 2012 R2 where I have configured my AD with the File Server and File Server Resource Manager (FSRM) sub-roles installed on my server. This gives access to some of the advanced configuration options when creating a new file share.
2.1 Install File Server Resource Manager
Log on to Windows Server with a domain administrator account:
Open Server Manager using the icon available in the desktop taskbar. On the Server Manager, click on "Add roles and features"
Select "Role-based or feature-based installation" and click on Next
Select your server from the available pool and click on Next
When you get to the Select server roles screen, scroll down to the File And Storage Services area, expand File and iSCSI Services and check File Server Resource Manager.
When you do this, you’ll be prompted to add additional features. Click Add Features and click Next to move on.
On the Features screen, you can make sure that File Server Resource Manager Tools as highlighted below is selected for installation under Remote Server Administration Tools. Click on Next to proceed to the next step.
Verify the list of roles and features to be installed and click on Install to proceed.
You will see a similar message on the screen once the installation of FSRM role is complete. Click on Close to end the setup.
2.2 Create a File Share on Windows AD
Next, to create a share, select File and Storage Services from the Server Manager's left pane.
Under Shares from the left pane click on TASKS and select New Share to create a new share.
We will select SMB Share - Advanced to get additional configuration options. Click on Next to continue.
Select the volume under which you want to create your share. We will select C drive and click on Next to continue
Provide the name of the share. By default this new folder will be created under C:\Shares, as shown in the highlighted section. If this folder doesn't exist then it will be created automatically. We will name our share data_share and click on Next to continue.
On the Configure share settings screen, check or deselect any of the additional options for the share as required, such as Enable access-based enumeration and Encrypt data access. Click Next to continue
To change the default NTFS folder or share permissions, click Customize permissions on the Specify permissions to control access screen, set the permissions as required in the dialog box and click OK when you’re done. Now click Next to continue.
On the Management Properties screen, you can optionally select a folder usage value for the share if you plan to use classification rules. Click Next to continue.
Finally, on the Apply a quota to a folder or volume screen, you can choose to apply a quota template to the share. Click Next when you're done.
Verify the configuration for the new share and click on Create to create the share with the defined configuration.
Click Close when the share has been successfully created.
Under Shares now you should be able to see the newly created share.
2.3 Access Windows Share on Linux client using Samba
Now we will access this share which we created on the Windows Domain Controller using Linux client. We have already joined our CentOS 8 Linux client to Windows AD using winbind.
To make sure that the Linux client is able to connect to Windows AD, you can use the following command:
[root@centos8 ~]# wbinfo -t
checking the trust secret for domain GOLINUXCLOUD via RPC calls succeeded
So, the RPC call has succeeded. Next, list the available Samba shares using the smbclient tool, which is provided as part of the samba-client rpm:
[root@centos8 ~]# smbclient -U Administrator -L 192.168.0.107
Enter GOLINUXCLOUD\Administrator's password:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
data_share Disk
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
SMB1 disabled -- no workgroup available
Here 192.168.0.107 is the IP of my Windows Domain Controller. As you can see, data_share is available and shared via our AD.
To access this share we can again use smbclient with the following syntax:
smbclient //<REALM>/<SHARENAME> -U Administrator
So to access data_share on GOLINUXCLOUD.COM we will use:
[root@centos8 ~]# smbclient //www.golinuxcloud.com/data_share -U Administrator
Enter GOLINUXCLOUD\Administrator's password:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Mar  4 13:08:07 2021
  ..                                  D        0  Thu Mar  4 13:08:07 2021

                7774207 blocks of size 4096. 4135298 blocks available
smb: \> mkdir file        <--- Create a new directory
smb: \> ls                <--- Verify the new directory
  .                                   D        0  Thu Mar  4 13:41:07 2021
  ..                                  D        0  Thu Mar  4 13:41:07 2021
  file                                D        0  Thu Mar  4 13:41:07 2021

                7774207 blocks of size 4096. 4135298 blocks available
Now verify the directory on the Windows AD under C:\Shares\data_share
Now let us try to share a folder from our Linux client to Windows AD Domain Controller (or any other Windows Server which is part of the GOLINUXCLOUD REALM).
3.1 Configure Samba Winbind
Add the following content to your /etc/samba/smb.conf. Here we are configuring Samba for the /linux_share PATH with some pre-defined conditions. As you can see, an Active Directory group is defined with an @, and a user without. Also, when there are spaces in the group name, you escape that with quotes: "@EXAMPLE\Domain Users".
[linux_share]
    comment = My Samba Share
    path = /linux_share
    read only = no
    # "public" is a synonym of "guest ok"; the later "guest ok = no" line wins,
    # so anonymous (guest) access to this share stays disabled
    public = yes
    guest ok = no
    # "writable = yes" is the inverse spelling of "read only = no" set above
    writable = yes
    valid users = "@GOLINUXCLOUD\Users", "GOLINUXCLOUD.COM\Administrator"
    write list = "GOLINUXCLOUD\Administrator"
A group name can be added as a value by prefixing it with one of two characters:
- @ (at symbol): NIS groups are searched
- + (plus sign): NIS will not be searched
Examples:
valid users = @groupname
invalid users = +groupname
So in our smb.conf, the GOLINUXCLOUD\Users group and GOLINUXCLOUD.COM\Administrator are considered valid users, wherein GOLINUXCLOUD\Administrator will have read/write access.
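Because the interaction of valid users, invalid users, read only and write list is easy to get wrong, here is an added example (my own code, not from the article and not Samba's) that parses share stanzas like the one above and reports whether a given user would be denied, get read-only or get read-write access. The [linux_share] stanza is the article's; the [reports] stanza, the EXAMPLE domain and the user and group names fed in are constructed for the demonstration. It also shows why the stanza above still has guest access disabled: public is a synonym of guest ok, and the later guest ok = no overrides the earlier public = yes. Names are compared as plain case-insensitive strings and the @/+/& group prefixes are checked against a caller-supplied group list, which is a simplification of what smbd does through winbind.

```python
"""Added example (not Samba's code): who can read or write a share, from its
smb.conf stanza. Rules modelled from smb.conf(5): a later line overrides an
earlier one and synonyms share a slot (public == guest ok; writable/writeable
== not read only); invalid users beats valid users; read only is the default,
read list forces read-only, write list forces read-write and wins over read list.
Assumptions: names compare case-insensitively as plain strings, and @/+/&
group prefixes are checked against the caller's group list, not NIS/UNIX."""
from __future__ import annotations

SYNONYMS = {"public": "guest ok"}
INVERSE_OF_READ_ONLY = {"writable", "writeable", "write ok"}


def parse_bool(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "1")


def split_list(value: str) -> list[str]:
    """Comma/whitespace separated list; double quotes keep a name with spaces
    ("@DOM\\Domain Users") together, and backslashes stay literal."""
    items, current, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        elif ch in ", \t" and not quoted:
            if current:
                items.append("".join(current))
                current = []
        else:
            current.append(ch)
    if current:
        items.append("".join(current))
    return items


def parse_smb_conf(text: str) -> dict[str, dict[str, str]]:
    """Return {share name (lower-case): {canonical parameter: last value}}."""
    sections: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = " ".join(key.lower().split())  # "Read  Only" -> "read only"
        if key in INVERSE_OF_READ_ONLY:  # store under the canonical "read only"
            current["read only"] = "no" if parse_bool(value) else "yes"
        else:
            current[SYNONYMS.get(key, key)] = value.strip()
    return sections


def name_matches(entry: str, user: str, groups: list[str]) -> bool:
    if entry and entry[0] in "@+&":  # group entry (@ NIS then UNIX, + UNIX, & NIS)
        return entry[1:].lower() in {g.lower() for g in groups}
    return entry.lower() == user.lower()


def any_match(section: dict[str, str], param: str, user: str, groups: list[str]) -> bool:
    return any(name_matches(e, user, groups) for e in split_list(section.get(param, "")))


def evaluate_access(conf: dict[str, dict[str, str]], share: str,
                    user: str, groups: list[str]) -> str:
    """Return "deny", "read" or "write" for an authenticated (non-guest) user."""
    section = conf[share.lower()]
    if any_match(section, "invalid users", user, groups):
        return "deny"
    if section.get("valid users") and not any_match(section, "valid users", user, groups):
        return "deny"
    writable = not parse_bool(section.get("read only", "yes"))  # default: read only = yes
    if any_match(section, "read list", user, groups):
        writable = False
    if any_match(section, "write list", user, groups):
        writable = True
    return "write" if writable else "read"


# Constructed sample: the article's [linux_share] stanza plus a hypothetical
# [reports] share (EXAMPLE domain) that exercises invalid users and write list.
SAMPLE_SMB_CONF = r"""
[linux_share]
    read only = no
    public = yes
    guest ok = no
    writable = yes
    valid users = "@GOLINUXCLOUD\Users", "GOLINUXCLOUD.COM\Administrator"
    write list = "GOLINUXCLOUD\Administrator"
[reports]
    read only = yes
    valid users = "@EXAMPLE\Domain Users"
    write list = "@EXAMPLE\Finance"
    invalid users = EXAMPLE\contractor
"""
CONF = parse_smb_conf(SAMPLE_SMB_CONF)

if __name__ == "__main__":
    print("guest ok resolved to:", CONF["linux_share"]["guest ok"])
    for share, user, groups in [
        ("linux_share", r"GOLINUXCLOUD\bob", [r"GOLINUXCLOUD\Users"]),
        ("linux_share", r"GOLINUXCLOUD\eve", [r"GOLINUXCLOUD\Guests"]),
        ("reports", r"EXAMPLE\alice", [r"EXAMPLE\Domain Users"]),
        ("reports", r"EXAMPLE\contractor", [r"EXAMPLE\Domain Users", r"EXAMPLE\Finance"]),
    ]:
        print(f"{share:12} {user:24} -> {evaluate_access(CONF, share, user, groups)}")
```

Note that the article's write list entry GOLINUXCLOUD\Administrator and its valid users entry GOLINUXCLOUD.COM\Administrator are different strings; in this model they only match the user name spelled the same way, so the share is writable for the administrator because of read only = no rather than because of write list. Real smbd resolves both spellings through winbind, which is outside what this example models.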
3.2 Create Samba Share and Assign Permission
Next let us create the share which we have used in /etc/samba/smb.conf, i.e. /linux_share, and assign the required permissions so it is accessible on the network.
[root@centos8 ~]# mkdir /linux_share
Change the group owner to GOLINUXCLOUD\Administrator. We are using a double backslash because a single backslash is treated as an escape character by the shell.
[root@centos8 ~]# chgrp -R "GOLINUXCLOUD.COM\\Administrator" /linux_share
We will give full permission to user and group owner while only read and execute privilege for others.
[root@centos8 ~]# chmod 0775 /linux_share/
Verify the permission
[root@centos8 ~]# ls -ld /linux_share/
drwxrwxr-x. 2 root GOLINUXCLOUD\administrator 4096 Mar 4 01:20 /linux_share/
Allow the samba service through the firewall:
[root@centos8 ~]# firewall-cmd --add-service=samba --permanent
Reload firewalld service to activate the changes
[root@centos8 ~]# systemctl reload firewalld
Verify the changes:
[root@centos8 ~]# firewall-cmd --list-service
cockpit dhcpv6-client samba ssh
We have kept our SELinux in Permissive mode:
[root@centos8 ~]# getenforce
Permissive
Finally start/restart the smb service to activate the changes:
[root@centos8 ~]# systemctl restart smb
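The following added example (my own code, not from the article and not Samba's) is a pre-flight check for the share directory prepared in the steps above: it confirms the path is a directory with the expected 0775 mode and group owner, flags a world-writable share root, and, on Linux, reads the SELinux type of the directory. The article keeps SELinux in Permissive mode; with SELinux Enforcing, smbd can only serve directories labelled samba_share_t unless the samba_export_all_ro/samba_export_all_rw booleans are enabled, so the check reports any other type. The default path and group in the __main__ block mirror the article's values (ls -ld showed the group as GOLINUXCLOUD\administrator, so the comparison is case-insensitive); the file name check_share.py in the usage note is hypothetical.

```python
"""Added example: pre-flight check for a Samba-exported directory. Not the
article's or Samba's code. Findings are (code, message) tuples; an empty list
means the directory matches what section 3.2 sets up by hand."""
from __future__ import annotations

import grp
import os
import stat

SAMBA_SHARE_TYPE = "samba_share_t"  # SELinux type smbd may serve when Enforcing


def group_name(gid: int) -> str:
    """Group name for a gid, falling back to the number if NSS does not know it."""
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


def selinux_type(path: str) -> str | None:
    """SELinux type of path (e.g. 'samba_share_t'), or None when the
    security.selinux xattr is unavailable (non-Linux or SELinux disabled)."""
    try:
        label = os.getxattr(path, "security.selinux")
    except (OSError, AttributeError):
        return None
    parts = label.decode(errors="replace").rstrip("\x00").split(":")
    return parts[2] if len(parts) >= 3 else None


def check_share_dir(path: str, expected_group: str, expected_mode: int = 0o775,
                    check_selinux: bool = True) -> list[tuple[str, str]]:
    findings: list[tuple[str, str]] = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [("missing", f"{path} does not exist")]
    if not stat.S_ISDIR(st.st_mode):
        return [("not-dir", f"{path} is not a directory")]
    mode = stat.S_IMODE(st.st_mode)
    if mode != expected_mode:
        findings.append(("mode", f"mode is {mode:04o}, expected {expected_mode:04o}"))
    if mode & stat.S_IWOTH:
        findings.append(("world-writable", "others can write to the share root"))
    actual_group = group_name(st.st_gid)
    if actual_group.lower() != expected_group.lower():  # winbind lower-cases names
        findings.append(("group", f"group owner is {actual_group!r}, expected {expected_group!r}"))
    if check_selinux:
        stype = selinux_type(path)
        if stype is not None and stype != SAMBA_SHARE_TYPE:
            findings.append(("selinux", f"SELinux type is {stype}, not {SAMBA_SHARE_TYPE}; "
                             "relabel (semanage fcontext + restorecon) before Enforcing"))
    return findings


if __name__ == "__main__":
    import sys
    share = sys.argv[1] if len(sys.argv) > 1 else "/linux_share"
    group = sys.argv[2] if len(sys.argv) > 2 else r"GOLINUXCLOUD\administrator"
    problems = check_share_dir(share, group)
    for code, msg in problems:
        print(f"[{code}] {msg}")
    print("ready" if not problems else f"{len(problems)} problem(s) found")
```

Run it on the client after the chgrp and chmod steps, for example python3 check_share.py /linux_share 'GOLINUXCLOUD\administrator'; an empty result means the directory is ready, and a selinux finding tells you the label that would block smbd once SELinux is switched back to Enforcing.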
3.3 Access Linux Samba share on Windows AD
Since I only have a single Windows VM with me, I will use my Active Directory server, which is installed on Windows Server 2012, for verification. Open the Run prompt and provide the IP Address of the Linux client to access its available shares:
So as you can see our linux_share is accessible from the Windows AD using the Linux client's IP Address.
We also have write permission, as we were able to create a new folder inside linux_share.
The same can be verified on the Linux client:
[root@centos8 ~]# ls -l /linux_share/
total 8
drwxr-xr-x. 2 GOLINUXCLOUD\administrator GOLINUXCLOUD\domain users 4096 Mar 4 01:38 'New folder'
Summary
In this tutorial we learned how to create a Samba share and share it between Windows and Linux clients which are part of the Windows Active Directory Domain Controller. These steps are verified when the Linux client is integrated using the Winbind service, as the steps would vary if you are using a different service such as SSSD or REALM etc.
Assigning permissions to these shares can be tricky when you are working with a big organization with multiple groups and users. In such a case you can check /etc/samba/smb.conf.example for some sample configurations or the man page of smb.conf for a clear understanding.
Lastly, I hope the steps from this article on Samba integration with Active Directory were helpful. So, let me know your suggestions and feedback using the comment section.
Further Reading
You may also read these articles to get more understanding on Samba shares and permissions:
man page of smb.conf
How do I set permissions to Samba shares?