Chapter 39. Setting up Samba to Authenticate Users to the IdM Domain
39.1. Configuring an SSSD Client to Run a Samba Server
If you run Red Hat Identity Management (IdM) and Samba in your environment, you can configure the Samba server to use Kerberos to authenticate IdM users connecting to a share.
Important
IdM does not provide a Global Catalog. Therefore, IdM only allows users stored in the IdM domain to authenticate to the Samba server. Users who are stored in trusted Active Directory domains cannot access these Samba shares.
Preconditions
On the IdM master, run ipa-adtrust-install to configure the master to manage object classes and attributes specific to Samba. For details, see the corresponding section in the Red Hat Enterprise Linux Windows Integration Guide.
Setting up Samba to Authenticate Users to the IdM Domain
To set up a new Samba server that authenticates users to the IdM domain:
- Install the required packages for IdM and join the client to the domain. For details, see the corresponding section in the Red Hat Linux Domain Identity, Authentication, and Policy Guide.
- Install the Samba server and the sssd-winbind-idmap package:
# yum install samba sssd-winbind-idmap
- Create the cifs Kerberos principal for the Samba server. For example:
# ipa service-add cifs/samba_server.idm.example.com
- Retrieve the Kerberos keytab for the cifs principal, and store it in the /etc/samba/samba.keytab file:
# ipa-getkeytab -p cifs/samba_server.idm.example.com -k /etc/samba/samba.keytab
- Set the following parameters in the [global] section of the /etc/samba/smb.conf file:
workgroup = IDM
realm = IDM.EXAMPLE.COM
security = ads
dedicated keytab file = FILE:/etc/samba/samba.keytab
kerberos method = dedicated keytab
idmap config * : backend = tdb
idmap config * : range = 10000-999999
idmap config IDM : backend = sss
idmap config IDM : range = 2000000-2999999
- Set up file and printer shares. For details, see the following sections in the Red Hat System Administrator's Guide:
- Verify the /etc/samba/smb.conf file:
# testparm
If the testparm utility does not return any error, the configuration is valid.
- Open the required ports and reload the firewall configuration using the firewall-cmd utility:
# firewall-cmd --permanent --add-service=samba
# firewall-cmd --reload
- Start the smb service:
# systemctl start smb
- Optionally, configure the smb service to start automatically when the system boots:
# systemctl enable smb
- Verify that the sssd service is enabled and running:
# systemctl status sssd
- Verify that the winbind service is enabled and running:
# systemctl status winbind
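As an added example that is not part of the Red Hat guide, the following POSIX shell script renders the [global] section from the step above and then checks an existing smb.conf and keytab for the settings this Kerberos/SSSD setup depends on: security = ads, the dedicated keytab, and the sss idmap backend for the IdM domain. It assumes the guide's example values (workgroup IDM, realm IDM.EXAMPLE.COM, keytab /etc/samba/samba.keytab); the function names render_smb_global, check_smb_conf and check_keytab_perms are the example's own. The demo at the bottom works in a temporary directory, so it runs without Samba installed; point the functions at the real /etc/samba/smb.conf and keytab to check a live server.

```shell
#!/bin/sh
# Added example, not code from the Red Hat guide.
# Assumed values: workgroup IDM, realm IDM.EXAMPLE.COM and keytab
# /etc/samba/samba.keytab, as in the guide's example configuration.

# Print the [global] section for the given workgroup, realm and keytab path.
render_smb_global() {
    wg="$1"; realm="$2"; keytab="${3:-/etc/samba/samba.keytab}"
    cat <<EOF
[global]
    workgroup = $wg
    realm = $realm
    security = ads
    dedicated keytab file = FILE:$keytab
    kerberos method = dedicated keytab
    idmap config * : backend = tdb
    idmap config * : range = 10000-999999
    idmap config $wg : backend = sss
    idmap config $wg : range = 2000000-2999999
EOF
}

# Return 0 if every setting the IdM/Kerberos setup needs is present in the
# given smb.conf, 1 otherwise. Each missing setting is printed so the
# operator knows what to fix. Matching is case-insensitive and tolerant of
# the spacing testparm would accept around '=' and ':'.
check_smb_conf() {
    conf="$1"; wg="$2"; rc=0
    for want in \
        "security *= *ads" \
        "kerberos method *= *dedicated keytab" \
        "dedicated keytab file *= *FILE:" \
        "idmap config $wg *: *backend *= *sss" \
        "idmap config \* *: *backend *= *tdb"; do
        if ! grep -Eiq "^[[:space:]]*$want" "$conf"; then
            echo "missing: $want"
            rc=1
        fi
    done
    return $rc
}

# Return 0 if the keytab exists and is not readable by group or other.
# The keytab holds the cifs service key; a readable copy lets anyone on
# the host impersonate the Samba server to Kerberos clients.
check_keytab_perms() {
    kt="$1"
    [ -f "$kt" ] || { echo "keytab not found: $kt"; return 1; }
    # GNU stat first, BSD stat as a fallback
    mode=$(stat -c '%a' "$kt" 2>/dev/null) || mode=$(stat -f '%Lp' "$kt")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "keytab $kt has mode $mode; expected 600"; return 1 ;;
    esac
}

# Demo on constructed files in a temporary directory (no Samba required).
tmp=$(mktemp -d)
render_smb_global IDM IDM.EXAMPLE.COM > "$tmp/smb.conf"
check_smb_conf "$tmp/smb.conf" IDM && echo "smb.conf: required settings present"
touch "$tmp/samba.keytab"; chmod 600 "$tmp/samba.keytab"
check_keytab_perms "$tmp/samba.keytab" && echo "keytab permissions ok"
rm -rf "$tmp"
```

check_smb_conf complements testparm rather than replacing it: testparm reports syntax errors, while this check reports a syntactically valid file that silently falls back to local (security = user) authentication because a parameter was left out. ipa-getkeytab writes the keytab readable only by root; check_keytab_perms catches a later copy or chmod that loosened it.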
Verifying That IdM Users Can Authenticate to Samba
To verify, list the shares the Samba server provides. For example:
- Install the samba-client package:
# yum install samba-client
- Authenticate to Kerberos:
# kinit user_name
- List the shares:
# smbclient -k -U user_name -L samba_server.idm.example.com
Additional Resources
For further details about Samba, see the corresponding section in the Red Hat System Administrator's Guide.