While I can find permission issues to Samba using local Linux users here and across Google search, I cannot find a solution to my specific problem. I don't have any experience with Samba, so this whole process has been quite an adventure, but now I'm pulling my hair out. I'd really appreciate some ideas. I'm including everything I did in case others need to do it and hopefully to help someone help me.
I have a single Windows Server 2016 Active Directory domain. The root name is ad.company.com. I need a commercially supported Linux server with an SMB share which allows read access to some domain groups and write access to others. Why Linux? It will be talking to other Linux machines and will use many Linux tools. Our current setup at another client is working well this way, but it was not configured by us, and it uses RHEL 5.
I went with RHEL 7.3 server as our company is most familiar with this distro. I installed the Minimal Install from the Server ISO. The hash for the ISO shows it is not corrupted. I have successfully mounted an ext4 partition to /mnt/share. I have configured the server to have a host name in the root domain namespace, set the DNS server to the PDC, set the search suffix to be the domain (ad.company.com) and set it up with a static IP. This was all done in the installer. The machine can easily resolve hostnames of the Windows servers in the domain. The Windows servers can resolve the hostname of the Linux machine. IPs can be pinged in both directions.
As this is the initial configuration, everything below was done under root.
I installed the following packages.
yum install nano
yum install net-tools
yum install nmap
yum install ntp ntpdate ntp-doc
yum install krb5-workstation
yum install samba
yum install samba-winbind
yum install samba-winbind-clients
I set the NTP server to be the PDC.
/etc/ntp.conf
driftfile /var/lib/ntp/drift
restrict default nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
server pdc.ad.company.com iburst prefer
restrict pdc.ad.company.com mask 255.255.255.255 nomodify notrap nopeer noquery
includefile /etc/ntp/crypto/pw
keys /etc/ntp/keys
disable monitor
I configured the KRB5 client to connect to the AD domain.
/etc/krb5.conf
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
ticket_lifetime = 600
default_realm = AD.COMPANY.COM
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
dns_lookup_realm = false
dns_lookup_kdc = true
[realms]
AD.COMPANY.COM = {
kdc = pdc.ad.company.com
admin_server = pdc.ad.company.com
}
[domain_realm]
.ad.company.com = AD.COMPANY.COM
ad.company.com = AD.COMPANY.COM
I tested the connection to the PDC. It was successful.
kinit admin@AD.COMPANY.COM
I configured samba to connect to the domain, use extended ACL attributes, and make a share available called "share".
/etc/samba/smb.conf
[global]
security = ADS
workgroup = AD
realm = AD.COMPANY.COM
# the default idmap backend is spelled "tdb" (the local database backend); "tbd" is not a valid backend name
idmap config * : backend = tdb
idmap config * :range = 3000-7999
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
passdb backend = tdbsam
printing = cups
printcap name = cups
load printers = yes
cups options = raw
log level = 1
[share]
path = /mnt/share
read only = no
[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes
[printers]
comment = All Printers
path = /var/tmp
printable = Yes
create mask = 0600
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = root
create mask = 0664
directory mask = 0775
I configured nsswitch to use winbind.
/etc/nsswitch.conf
passwd: files winbind
shadow: files sss
group: files winbind
hosts: files dns myhostname
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files sss
netgroup: files sss
publickey: nisplus
automount: files
aliases: files nisplus
I started winbindd, smbd, and nmbd.
winbindd
smbd
nmbd
I set them up to start on boot.
systemctl enable smb nmb winbind
I rebooted, then tested winbind to test the connection to the domain. It succeeded.
wbinfo --ping-dc
One of the docs I read said ext4 supports extended ACLs, but I checked just in case. It says it's there.
smbd -b | grep HAVE_LIBACL
I granted the permission granting privilege to AD.COMPANY.COM\Domain Admins.
net rpc rights grant "AD\Domain Admins" SeDiskOperatorPrivilege -U "AD\administrator"
I then tested to make sure it stuck.
net rpc rights list privileges SeDiskOperatorPrivilege -U "AD\administrator"
I used testparm to verify the syntax of the smb.conf file. It parsed the whole file with no errors.
testparm /etc/samba/smb.conf
The next thing to do is connect to the share as a Domain Admin and configure the ACL. Here's where I hit a snag. From both Windows Server 2016 and Windows 10, I cannot connect to the server via File Explorer. I have tried \\linuxserver, \\linuxserver\share, \\192.168.1.75, and \\192.168.1.75\share. In all cases, Windows tells me "The network path was not found." It does not prompt me for credentials or tell me I don't have permissions. It's like it can't see it at all.
Here is what I've done to troubleshoot it so far.
I can successfully ping the Linux server by hostname and IP.
I made sure smbd, nmbd, and winbindd are running.
ps -eo 'tty,pid,comm' | grep smbd
ps -eo 'tty,pid,comm' | grep nmbd
ps -eo 'tty,pid,comm' | grep winbindd
I made sure smbd is listening on port 445.
netstat -plnt
nmap -sT -O localhost
I disabled SMB2 and SMB3 via an admin PowerShell session on the Windows machine to see if I could use SMB1.
Set-SmbServerConfiguration -EnableSMB2Protocol $false
I verified the setting stuck, rebooted, then tried with the same result.
Get-SmbServerConfiguration | Select EnableSMB1Protocol, EnableSMB2Protocol
I rebooted the Linux server for good measure.
Whew! Thanks for reading the whole thing!
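testparm only checks that smb.conf parses; it does not tell you whether the values make sense for an AD member server, and a wrong idmap backend name or a malformed idmap range is exactly the kind of thing that slips through. The following is an added example (not code from the original post or from the Samba project) that reads an smb.conf and an nsswitch.conf in the form shown above and reports semantic problems a syntax pass would not. The sample configurations are constructed from the question's configuration, with the idmap backend deliberately misspelled as "tbd" so the check has something to flag; the function names and the list of known idmap backends are this example's own.

```python
"""Semantic sanity checks for a Samba AD-member configuration.

Added example, not part of the original post. Sample inputs below are
constructed for this example.
"""
import re

# idmap backends shipped with Samba 4.x (assumption: not an exhaustive list).
KNOWN_IDMAP_BACKENDS = {"ad", "autorid", "ldap", "nss", "rid", "tdb"}

# Constructed sample: the question's [global] and [share] sections, with the
# backend name misspelled on purpose so the checker has something to report.
SMB_CONF_SAMPLE = """
[global]
security = ADS
workgroup = AD
realm = AD.COMPANY.COM
idmap config * : backend = tbd
idmap config * :range = 3000-7999
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
[share]
path = /mnt/share
read only = no
[homes]
comment = Home Directories
browseable = No
"""

# Constructed sample of the relevant nsswitch.conf lines.
NSSWITCH_SAMPLE = """
passwd: files winbind
shadow: files sss
group: files winbind
hosts: files dns myhostname
"""


def parse_smb_conf(text):
    """Return {section: {key: value}} for an smb.conf-style file.

    Keys are lower-cased and whitespace around ':' is removed so that
    'idmap config * : backend' and 'idmap config * :backend' compare equal,
    which is how Samba itself treats them.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = re.sub(r"\s+", " ", key.strip().lower())
        key = re.sub(r"\s*:\s*", ":", key)
        sections[current][key] = value.strip()
    return sections


def check_smb_conf(text):
    """Return a list of problems that a testparm syntax pass would not report."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    problems = []
    if g.get("security", "").lower() == "ads":
        for required in ("realm", "workgroup"):
            if required not in g:
                problems.append("security = ADS but %s is not set" % required)
    backend = g.get("idmap config *:backend")
    if backend is None:
        problems.append("no default idmap backend (idmap config * : backend)")
    elif backend.lower() not in KNOWN_IDMAP_BACKENDS:
        problems.append("unknown idmap backend %r (known: %s)"
                        % (backend, ", ".join(sorted(KNOWN_IDMAP_BACKENDS))))
    rng = g.get("idmap config *:range")
    if rng is not None:
        m = re.match(r"^(\d+)\s*-\s*(\d+)$", rng)
        if not m or int(m.group(1)) >= int(m.group(2)):
            problems.append("idmap range %r is not LOW-HIGH with LOW < HIGH" % rng)
    # Every ordinary file share needs a path; the special sections do not.
    for name, sec in conf.items():
        if name not in ("global", "homes", "printers", "print$") and "path" not in sec:
            problems.append("share [%s] has no path" % name)
    return problems


def check_nsswitch(text):
    """Flag passwd/group databases that will never consult winbind."""
    problems = []
    for db in ("passwd", "group"):
        m = re.search(r"^%s:\s*(.*)$" % db, text, re.M)
        if not m or "winbind" not in m.group(1).split():
            problems.append("%s does not list winbind" % db)
    return problems


if __name__ == "__main__":
    for problem in check_smb_conf(SMB_CONF_SAMPLE) + check_nsswitch(NSSWITCH_SAMPLE):
        print("PROBLEM:", problem)
```

Run it against the real files with `check_smb_conf(open("/etc/samba/smb.conf").read())` and `check_nsswitch(open("/etc/nsswitch.conf").read())`; an empty list from both is what you want before moving on to `wbinfo --ping-dc` and the share test.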
Best Answer
Did you really do \linuxserver\share instead of \\linuxserver\share? On Redhat 7.x, you can run realm join and that handles almost all of the AD setup.
EDIT: If you use two backslashes in comments, it changes them back to one backslash. So it made it look like you did a single backslash before the servername.