Integrate Samba with Active Directory (Linux & Windows)



In the previous tutorial we learned how to add a CentOS 8 Linux client to a Windows Domain Controller (AD) using Winbind. In this article we will look at Samba integration with Active Directory in both directions: first we create a share on the Windows Domain Controller and access it from the Linux client with Samba, then we share a folder from the Linux client and access it from Windows.

1. Lab Environment

I have already configured AD on Windows Server 2012 VM which has an IP Address of 192.168.0.107 while my CentOS 8 client which I have added to this Windows AD has an IP Address of 192.168.0.117.

 

2. Create Share using Server Manager on Windows Domain Controller

First of all let us create a share on our Windows Domain Controller which we will later access through our Linux client. I will be using Windows Server 2012 R2 where I have configured my AD with the File Server and File Server Resource Manager (FSRM) sub-roles installed on my server. This gives access to some of the advanced configuration options when creating a new file share.

 

2.1 Install File Server Resource Manager

Log on to the Windows Server with a domain administrator account and open Server Manager from the icon in the desktop taskbar. In Server Manager, click "Add roles and features".

Select "Role-based or feature-based installation" and click Next.

Select your server from the server pool and click Next.

On the Select server roles screen, scroll down to File And Storage Services, expand File and iSCSI Services and check File Server Resource Manager.

You will be prompted to add the additional features this role depends on. Click Add Features, then Next.

On the Features screen, confirm that File Server Resource Manager Tools is selected under Remote Server Administration Tools, then click Next.

Verify the list of roles and features to be installed and click Install.

Server Manager reports when installation of the FSRM role is complete. Click Close to end the wizard.

 

2.2 Create a File Share on Windows AD

Next, to create a share, select File and Storage Services in the left pane of Server Manager.

Under Shares, click TASKS and select New Share.

We will select SMB Share - Advanced to get the additional configuration options. Click Next to continue.

Select the volume under which you want to create your share. We will select the C: drive and click Next.

Provide the name of the share. By default the new folder is created under C:\Shares, as shown in the highlighted section; if this folder does not exist it is created automatically. We will name our share data_share and click Next.

On the Configure share settings screen, check or clear the additional options for the share as required. Enable access-based enumeration hides files and folders from users who have no read permission on them, and Encrypt data access requires SMB 3 encryption for this share, so clients that only speak SMB 1 or SMB 2 are refused. Click Next to continue.

To change the default NTFS folder or share permissions, click Customize permissions on the Specify permissions to control access screen, set the permissions as required in the dialog box and click OK. Keep in mind that effective access is the more restrictive of the share permissions and the NTFS permissions, so a common approach is to keep the share permissions broad and do the real restriction with NTFS ACLs. Click Next to continue.

On the Management Properties screen, you can optionally select a folder usage value for the share if you plan to use classification rules. Click Next to continue.

Finally, on the Apply a quota to a folder or volume screen, you can choose to apply a quota template to the share. Click Next when you are done.

Verify the configuration for the new share and click Create to create the share with the defined configuration.

Click Close when the share has been successfully created. The newly created share is now listed under Shares.

 

2.3 Access Windows Share on Linux client using Samba

Now we will access the share we created on the Windows Domain Controller from the Linux client. We have already joined our CentOS 8 Linux client to Windows AD using winbind.

To make sure the Linux client can still talk to the Windows AD, check the machine account trust secret with wbinfo:

[root@centos8 ~]# wbinfo -t
checking the trust secret for domain GOLINUXCLOUD via RPC calls succeeded

So, the RPC call has succeeded. Next list the available Samba shares using smbclient tool which is provided as part of samba-client rpm:

[root@centos8 ~]# smbclient -U Administrator -L 192.168.0.107
Enter GOLINUXCLOUD\Administrator's password:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        data_share      Disk
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share
        SYSVOL          Disk      Logon server share
SMB1 disabled -- no workgroup available

Here 192.168.0.107 is the IP address of my Windows Domain Controller. As you can see, data_share is listed next to the default administrative shares (ADMIN$, C$, IPC$) and the domain shares (NETLOGON, SYSVOL). The last line only tells you that SMB1 is disabled on the client, so the old NetBIOS workgroup browse list cannot be fetched; it is not an error, and you do not want SMB1 re-enabled for it.

To connect to a share, use smbclient with the following syntax, where <SERVER> is the hostname, FQDN or IP address of the file server (not the Kerberos realm):

smbclient //<SERVER>/<SHARENAME> -U <USER>

So to access data_share on our domain controller we will use:

[root@centos8 ~]# smbclient //192.168.0.107/data_share -U Administrator
Enter GOLINUXCLOUD\Administrator's password:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Mar  4 13:08:07 2021
  ..                                  D        0  Thu Mar  4 13:08:07 2021

                7774207 blocks of size 4096. 4135298 blocks available

smb: \> mkdir file  <--- Create a new directory
smb: \> ls  <--- Verify the new directory
  .                                   D        0  Thu Mar  4 13:41:07 2021
  ..                                  D        0  Thu Mar  4 13:41:07 2021
  file                                D        0  Thu Mar  4 13:41:07 2021

                7774207 blocks of size 4096. 4135298 blocks available

Now verify on the Windows AD server that the directory file appears under C:\Shares\data_share.
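Two things a practitioner would do differently from the interactive Administrator session above: authenticate with the Kerberos ticket that the winbind join already makes possible instead of typing the Domain Administrator password, and, when the share has to be mounted rather than browsed, keep the password out of the command line. The following script is an added example and not part of the original article. It assumes the DC address 192.168.0.107 and the share data_share from this article, a mount.cifs credentials file at the hypothetical path /root/.smb/data_share.cred, and that cifs-utils is installed.

```sh
#!/bin/sh
# Added example, not from the original article. Assumes a CentOS 8 host already
# joined to the domain with winbind, the DC 192.168.0.107 and the share
# data_share from the article, and cifs-utils installed. The credentials-file
# path /root/.smb/data_share.cred is a hypothetical choice for this example.
set -eu

DC=${DC:-192.168.0.107}
SHARE=${SHARE:-data_share}

# Refuse a mount.cifs credentials file that anyone but its owner can read:
# it holds a clear-text domain password. Also require the three keys
# mount.cifs reads from it (username=, password=, domain=).
check_cred_file() {
    f=$1
    [ -f "$f" ] || { echo "credentials file missing: $f" >&2; return 1; }
    mode=$(stat -c '%a' "$f")
    case $mode in
        *00) ;;   # group and other bits are all clear (600, 400, 700, ...)
        *) echo "$f is mode $mode; it must not be group- or world-readable" >&2; return 1 ;;
    esac
    for key in username password domain; do
        grep -q "^${key}=" "$f" || { echo "$f has no ${key}= line" >&2; return 1; }
    done
}

# Browse the server's shares with the calling user's Kerberos ticket
# (run kinit user@GOLINUXCLOUD.COM first) instead of typing a domain password.
# -k is the flag on CentOS 8's Samba; Samba 4.15+ spells it --use-kerberos=required.
list_shares_krb() {
    smbclient -k -L "$DC"
}

# Mount the share with a credentials file, not a password on the command line
# (which would be visible in ps output and shell history). seal asks for SMB3
# encryption, matching the share's "Encrypt data access" option; vers=3.0 is
# required for seal to work.
mount_ad_share() {
    cred=$1; mountpoint=$2
    check_cred_file "$cred"
    mkdir -p "$mountpoint"
    mount -t cifs "//$DC/$SHARE" "$mountpoint" \
        -o "credentials=$cred,sec=ntlmssp,vers=3.0,seal,uid=root,gid=root,file_mode=0660,dir_mode=0770"
}

# Only act when asked, so the file can also be sourced for its functions.
if [ "${1:-}" = "--mount" ]; then
    mount_ad_share "${2:-/root/.smb/data_share.cred}" "${3:-/mnt/data_share}"
fi
```

Run the script as root with --mount to mount the share; list_shares_krb needs a valid ticket from kinit. A credentials file with loose permissions is rejected before mount is ever called, which is the check most people forget when they move from an interactive smbclient session to a persistent mount.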

 

3. Create Share on Linux client using Samba Winbind

Now let us share a folder from our Linux client with the Windows AD Domain Controller (or any other Windows server that is a member of the GOLINUXCLOUD domain).

3.1 Configure Samba Winbind

Add the following share definition to /etc/samba/smb.conf. Here we are exporting the path /linux_share with a few access restrictions. An Active Directory group is written with a leading @ and a user without one, and the domain prefix is the NetBIOS domain name (the workgroup, GOLINUXCLOUD) followed by the winbind separator, which is a backslash by default. When a group name contains spaces, put the whole name in quotes: "@GOLINUXCLOUD\Domain Users".

[linux_share]
        comment = My Samba Share
        path = /linux_share
        guest ok = no
        read only = yes
        valid users = "@GOLINUXCLOUD\Users", "GOLINUXCLOUD\Administrator"
        write list = "GOLINUXCLOUD\Administrator"

Two smb.conf pitfalls are worth knowing here. public is just another name for guest ok, and writable (also spelled writeable) is the inverse of read only, so a stanza that sets read only = no, public = yes, guest ok = no and writable = yes is setting the same two parameters twice, and the last value in the section wins. Also, write list only has an effect on a read-only share: it names the users who get write access anyway. With read only = no every valid user can write regardless of write list, so to give the Users group read access and only the Administrator write access the share must be read only = yes with the Administrator in write list, as above.

A group name in a user list is marked with a prefix character:

 @ (at sign)    look the name up as a NIS netgroup first, then as a UNIX group (here supplied by winbind)
 + (plus sign)  look it up only as a UNIX group, never as a NIS netgroup

Examples:

valid users = @groupname
invalid users = +groupname

So with the stanza above the GOLINUXCLOUD\Users group and GOLINUXCLOUD\Administrator are allowed to connect, and only GOLINUXCLOUD\Administrator can write. Winbind also resolves the DNS domain form (GOLINUXCLOUD.COM\Administrator), which the chgrp command later in this article uses, but the NetBIOS form is what winbind itself reports and is the one to use in smb.conf. After editing, run testparm to make sure the file parses before you restart smbd.
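smb.conf silently accepts synonyms, which is how a stanza that sets read only = no, public = yes, guest ok = no and writable = yes (easy to produce when options are copied from several examples) ends up defining guest access and read-only twice with different values. The script below is an added example, not from this article or from the Samba project: it works out the effective value of a share parameter the way smbd resolves it (synonyms folded onto one parameter, last assignment in the section wins, smbd's defaults for read only and guest ok when nothing is set) on a constructed copy of such a stanza. On a real host testparm -s is the authoritative check; this shows why it reports what it does.

```sh
#!/bin/sh
# Added example, not from the original article: resolve what smbd will actually
# use for a share parameter when smb.conf mixes synonyms. 'public' is the same
# parameter as 'guest ok'; 'writable', 'writeable' and 'write ok' are the
# inverse of 'read only'; within one section the last assignment wins.
set -eu

# effective_param <smb.conf> <section> <parameter>  -> prints "yes"/"no" for the
# boolean parameters it understands, the raw value for anything else, and an
# empty string when the parameter is not set in that section.
effective_param() {
    conf=$1; section=$2; want=$3
    awk -v section="$section" -v want="$want" '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    function norm(v) { v = tolower(v); return (v == "yes" || v == "true" || v == "1") ? "yes" : "no" }
    function neg(v)  { return (v == "yes") ? "no" : "yes" }
    BEGIN {
        want = tolower(want); negate = 0
        if (want == "writable" || want == "writeable" || want == "write ok") { want = "read only"; negate = 1 }
        else if (want == "public") { want = "guest ok" }
        # smbd defaults for the two parameters this script folds synonyms onto
        val["read only"] = "yes"; val["guest ok"] = "no"
        in_sec = 0
    }
    /^[ \t]*[;#]/ { next }                      # comment line
    /^[ \t]*\[/ {                               # [section] header
        s = $0; sub(/^[ \t]*\[/, "", s); s = substr(s, 1, index(s, "]") - 1)
        in_sec = (tolower(trim(s)) == tolower(section)); next
    }
    in_sec && index($0, "=") {
        k = tolower(trim(substr($0, 1, index($0, "=") - 1))); gsub(/[ \t]+/, " ", k)
        v = trim(substr($0, index($0, "=") + 1))
        if (k == "public")                                              { k = "guest ok";  v = norm(v) }
        else if (k == "writable" || k == "writeable" || k == "write ok") { k = "read only"; v = neg(norm(v)) }
        else if (k == "read only" || k == "guest ok")                   { v = norm(v) }
        val[k] = v                              # last assignment wins
    }
    END {
        out = (want in val) ? val[want] : ""
        if (negate && out != "") out = neg(out)
        print out
    }' "$conf"
}

# Constructed sample smb.conf with the conflicting synonyms, written to a
# temporary file; prints the file name so callers can inspect and remove it.
sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
[global]
        workgroup = GOLINUXCLOUD
        security = ads

[linux_share]
        comment = My Samba Share
        path = /linux_share
        read only = no
        public = yes
        guest ok = no
        writable = yes
        valid users = "@GOLINUXCLOUD\Users", "GOLINUXCLOUD.COM\Administrator"
        write list = "GOLINUXCLOUD\Administrator"
EOF
    echo "$f"
}

if [ "${1:-}" = "--demo" ]; then
    f=$(sample_conf)
    for p in "guest ok" "public" "read only" "writable" "write list"; do
        printf '%-10s = %s\n' "$p" "$(effective_param "$f" linux_share "$p")"
    done
    rm -f "$f"
fi
```

Run it with --demo: for the sample stanza guest ok resolves to no (the later guest ok = no beats public = yes), while read only resolves to no, so write list has no effect and every valid user can write. That is the combination to look for whenever a share is more open than its write list suggests.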

 

3.2 Create Samba Share and Assign Permission

Next let us create the share which we have used in /etc/samba/smb.conf i.e /linux_share and assign required permission so it is accessible in the network.

[root@centos8 ~]# mkdir /linux_share

Change group owner to GOLINUXCLOUD\Administrator. We are using double backslash because a backslash is considered an escape character.

[root@centos8 ~]# chgrp -R "GOLINUXCLOUD.COM\\Administrator" /linux_share

We will give full permission to user and group owner while only read and execute privilege for others.

[root@centos8 ~]# chmod 0775 /linux_share/

Verify the permission

[root@centos8 ~]# ls -ld /linux_share/
drwxrwxr-x. 2 root GOLINUXCLOUD\administrator 4096 Mar  4 01:20 /linux_share/

Open the firewall for the samba service (this firewalld service covers TCP 445 and 139 plus UDP 137 and 138):

[root@centos8 ~]# firewall-cmd --add-service=samba --permanent

A --permanent change is only written to disk, so reload firewalld to activate it in the running configuration (firewall-cmd --reload does the same):

[root@centos8 ~]# systemctl reload firewalld

Verify the changes:

[root@centos8 ~]# firewall-cmd --list-services
cockpit dhcpv6-client samba ssh

We have kept our SELinux in Permissive mode for this lab:

[root@centos8 ~]# getenforce
Permissive

On a production host leave SELinux in Enforcing mode and label the exported directory instead: assign the samba_share_t type to /linux_share(/.*)? with semanage fcontext and apply it with restorecon. Without that label smbd, which runs confined in the samba_t domain, is denied access to the directory even though the Unix permissions allow it.

Finally, check the configuration with testparm and start or restart the smb service to activate the changes:

[root@centos8 ~]# systemctl restart smb
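The whole Linux-side procedure of this section as one script, with the SELinux labelling done properly instead of switching to permissive mode. This is an added example, not the article's own steps. It assumes the share path /linux_share from the article and a winbind-joined CentOS 8 host on which winbind is already running (so chgrp can resolve domain groups), and it uses the domain group "GOLINUXCLOUD\Domain Users" seen in the ls output later in this article as the group owner, with mode 2770, rather than the Administrator account and 0775 used in the article. With DRY_RUN=1 it prints the commands instead of executing them; a real run needs root.

```sh
#!/bin/sh
# Added example, not from the original article: set up the Linux side of the
# Samba share with SELinux left enforcing. Assumes a winbind-joined CentOS 8
# host with winbind already running, the share path /linux_share from the
# article, and the domain group "GOLINUXCLOUD\Domain Users" (chosen here in
# place of the article's Administrator account). DRY_RUN=1 only prints commands.
set -eu

SHARE_DIR=/linux_share
SHARE_GROUP='GOLINUXCLOUD\Domain Users'

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Directory owned by root, group = the AD group that may use the share, mode
# 2770: nobody outside the group gets in, and the setgid bit makes new files
# inherit the group so group members can see each other's files.
prepare_share_dir() {
    run mkdir -p "$SHARE_DIR"
    run chgrp "$SHARE_GROUP" "$SHARE_DIR"
    run chmod 2770 "$SHARE_DIR"
}

# Keep SELinux enforcing: give the tree the samba_share_t type persistently
# (survives relabels) instead of setting samba_export_all_rw, which would let
# smbd write to any directory on the host.
label_selinux() {
    run semanage fcontext -a -t samba_share_t "${SHARE_DIR}(/.*)?"
    run restorecon -Rv "$SHARE_DIR"
}

# The samba firewalld service covers 445/tcp, 139/tcp, 137/udp and 138/udp.
open_firewall() {
    run firewall-cmd --permanent --add-service=samba
    run firewall-cmd --reload
}

# testparm exits non-zero on a broken smb.conf, so with set -e a typo never
# reaches the daemon restart.
validate_and_start() {
    run testparm -s
    run systemctl enable --now smb winbind
}

setup_share() {
    prepare_share_dir
    label_selinux
    open_firewall
    validate_and_start
}

if [ "${1:-}" = "--apply" ]; then
    setup_share
fi
```

Run it as root with --apply; DRY_RUN=1 ./setup_share.sh --apply shows the nine commands it would execute. The chgrp only succeeds while winbind is answering name lookups, which is why the join from the previous tutorial is a prerequisite and not a step of this script.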

 

3.3 Access Linux Samba share on Windows AD

Since I only have a single Windows VM, I will use the Active Directory server itself (Windows Server 2012) for verification. Open the Run prompt and enter the IP address of the Linux client in UNC form (\\192.168.0.117) to browse its available shares. Windows authenticates with the logged-on domain account, so that account must be in the share's valid users list.

As you can see, our linux_share is accessible from the Windows AD server using the Linux client's IP address.

We also have write permission, as we were able to create a new folder inside linux_share.

 

The same can be verified on the Linux client

[root@centos8 ~]# ls -l /linux_share/
total 8
drwxr-xr-x. 2 GOLINUXCLOUD\administrator GOLINUXCLOUD\domain users 4096 Mar  4 01:38 'New folder'

 

Summary

In this tutorial we learned how to create Samba shares and share them between Windows and Linux clients that are part of a Windows Active Directory domain. These steps were verified with a Linux client integrated using the Winbind service; the steps differ if you joined the domain with SSSD or realmd instead.

Assigning permissions to these shares can be tricky in a big organization with many groups and users. In that case check /etc/samba/smb.conf.example for sample configurations or the smb.conf man page for a clear understanding, and validate every change with testparm before restarting smbd.

Lastly, I hope the steps in this article on Samba integration with Active Directory were helpful. Let me know your suggestions and feedback in the comment section.

 

Further Reading

You may also read these articles to get more understanding on Samba shares and permissions:
man page of smb.conf
How do I set permissions to Samba shares?

 

Deepak Prasad
