Chapter 39. Setting up Samba to Authenticate Users to the IdM Domain

39.1. Configuring an SSSD Client to Run a Samba Server

If you run Red Hat Identity Management (IdM) and Samba in your environment, you can configure the Samba server to use Kerberos to authenticate IdM users connecting to a share.

Important

IdM does not provide a Global Catalog. Therefore, IdM only allows users stored in the IdM domain to authenticate to the Samba server. Users who are stored in trusted Active Directory domains cannot access these Samba shares.

Preconditions

On the IdM master, run ipa-adtrust-install to configure the master to manage object classes and attributes specific to Samba. For details, see the corresponding section in the Red Hat Enterprise Linux Windows Integration Guide.

Setting up Samba to Authenticate Users to the IdM Domain

To set up a new Samba server that authenticates users to the IdM domain:
  1. Install the required packages for IdM and join the client to the domain. For details, see the corresponding section in the Red Hat Linux Domain Identity, Authentication, and Policy Guide.
  2. Install the Samba server and the sssd-winbind-idmap package:
    # yum install samba sssd-winbind-idmap
  3. Create the cifs Kerberos principal for the Samba server. For example:
    # ipa service-add cifs/samba_server.idm.example.com
  4. Retrieve the Kerberos keytab for the cifs principal, and store it in the /etc/samba/samba.keytab file:
    # ipa-getkeytab -p cifs/samba_server.idm.example.com -k /etc/samba/samba.keytab
  5. Set the following parameters in the [global] section of the /etc/samba/smb.conf file:
    workgroup = IDM
    realm = IDM.EXAMPLE.COM
    security = ads
    dedicated keytab file = FILE:/etc/samba/samba.keytab
    kerberos method = dedicated keytab
    idmap config * : backend = tdb
    idmap config * : range = 10000-999999
    idmap config IDM : backend = sss
    idmap config IDM : range = 2000000-2999999
  6. Set up file and printer shares. For details, see the following sections in the Red Hat System Administrator's Guide:
  7. Verify the /etc/samba/smb.conf file:
    # testparm
    If the testparm utility does not return any error, the configuration is valid.
  8. Open the required ports and reload the firewall configuration using the firewall-cmd utility:
    # firewall-cmd --permanent --add-service=samba
    # firewall-cmd --reload
  9. Start the smb service:
    # systemctl start smb
  10. Optionally, configure the smb service to start automatically when the system boots:
    # systemctl enable smb
  11. Verify that the sssd service is enabled and running:
    # systemctl status sssd
  12. Verify that the winbind service is enabled and running:
    # systemctl status winbind
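The following script is an added example and is not part of the Red Hat guide or of Samba's own tooling. It goes one step beyond testparm, which checks syntax but not intent: it reads the [global] section of an smb.conf file and confirms the settings the procedure above depends on (security = ads, kerberos method = dedicated keytab, a FILE: keytab path, an upper-case realm, the tdb and sss backends, and idmap ranges that do not overlap). The two smb.conf samples embedded at the bottom are constructed for this example; the function and parameter names are this example's own.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): pre-flight check of the [global]
# settings required for Samba to authenticate IdM users over Kerberos.

# Print the value of one [global] parameter from the smb.conf read on stdin.
# Samba ignores case and whitespace in parameter names, so both are stripped
# from the name before comparing; the first match wins.
smb_global_param() {
    awk -v want="$1" '
        BEGIN { gsub(/[[:space:]]/, "", want); want = tolower(want) }
        /^[[:space:]]*[#;]/ { next }                         # comment line
        /^[[:space:]]*\[/ { insec = (tolower($0) ~ /\[global\]/); next }
        insec && index($0, "=") > 0 {
            key = $0; sub(/=.*/, "", key); gsub(/[[:space:]]/, "", key)
            val = $0; sub(/^[^=]*=/, "", val)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            if (tolower(key) == want) { print val; exit }
        }'
}

# ranges_disjoint LOW-HIGH LOW-HIGH: status 0 when both ranges are well formed
# and share no ID. Overlapping idmap ranges let two accounts map to one UID.
ranges_disjoint() {
    local alo ahi blo bhi n
    alo=${1%%-*}; ahi=${1#*-}; blo=${2%%-*}; bhi=${2#*-}
    for n in "$alo" "$ahi" "$blo" "$bhi"; do
        case "$n" in ''|*[!0-9]*) return 1 ;; esac
    done
    [ "$alo" -le "$ahi" ] && [ "$blo" -le "$bhi" ] || return 1
    [ "$ahi" -lt "$blo" ] || [ "$bhi" -lt "$alo" ]
}

# check_smb_conf FILE: status 0 when every required setting is present and
# consistent; otherwise each finding is printed and the status is 1.
check_smb_conf() {
    local conf="$1" rc=0 workgroup realm keytab def idm pair param expected got
    workgroup=$(smb_global_param "workgroup" < "$conf")
    [ -n "$workgroup" ] || { echo "workgroup: unset"; rc=1; }

    # Kerberos realm names are upper case by convention; a lower-case value
    # usually means the DNS domain was pasted in by mistake.
    realm=$(smb_global_param "realm" < "$conf")
    case "$realm" in
        '') echo "realm: unset"; rc=1 ;;
        *[[:lower:]]*) echo "realm: '$realm' is not an upper-case Kerberos realm"; rc=1 ;;
    esac

    # The dedicated keytab must be given as an absolute FILE: path.
    keytab=$(smb_global_param "dedicated keytab file" < "$conf")
    case "$keytab" in
        FILE:/*) ;;
        *) echo "dedicated keytab file: expected 'FILE:/...', found '${keytab:-<unset>}'"; rc=1 ;;
    esac

    # Fixed-value settings; the sss entry must be keyed by the workgroup name.
    for pair in "security=ads" "kerberos method=dedicated keytab" \
                "idmap config * : backend=tdb" "idmap config $workgroup : backend=sss"; do
        param=${pair%%=*}; expected=${pair#*=}
        got=$(smb_global_param "$param" < "$conf")
        [ "$got" = "$expected" ] || { echo "$param: expected '$expected', found '${got:-<unset>}'"; rc=1; }
    done

    def=$(smb_global_param "idmap config * : range" < "$conf")
    idm=$(smb_global_param "idmap config $workgroup : range" < "$conf")
    ranges_disjoint "$def" "$idm" || { echo "idmap ranges '$def' and '$idm' overlap or are malformed"; rc=1; }
    return $rc
}

# Constructed sample 1: the [global] section from the procedure above.
GOOD_CONF=$(mktemp); BAD_CONF=$(mktemp)
trap 'rm -f "$GOOD_CONF" "$BAD_CONF"' EXIT
cat > "$GOOD_CONF" <<'EOF'
[global]
workgroup = IDM
realm = IDM.EXAMPLE.COM
security = ads
dedicated keytab file = FILE:/etc/samba/samba.keytab
kerberos method = dedicated keytab
idmap config * : backend = tdb
idmap config * : range = 10000-999999
idmap config IDM : backend = sss
idmap config IDM : range = 2000000-2999999
[data]
path = /srv/samba/data
EOF

# Constructed sample 2: lower-case realm, no Kerberos (security = user), a bare
# keytab path, and an IdM range that overlaps the default allocator range.
cat > "$BAD_CONF" <<'EOF'
[global]
workgroup = IDM
realm = idm.example.com
security = user
dedicated keytab file = /etc/samba/samba.keytab
kerberos method = dedicated keytab
idmap config * : backend = tdb
idmap config * : range = 10000-999999
idmap config IDM : backend = sss
idmap config IDM : range = 500000-2999999
EOF

check_smb_conf "$GOOD_CONF" && echo "sample 1: OK"
check_smb_conf "$BAD_CONF" || echo "sample 2: rejected"
```

Run it as `sh check-smb-conf.sh`, or call `check_smb_conf /etc/samba/smb.conf` after testparm succeeds; a non-zero status means at least one of the settings from step 5 is missing or inconsistent. The check only reads the file, so it can run before the smb service is started.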

Verifying That IdM Users Can Authenticate to Samba

To verify, list the shares the Samba server provides. For example:
  1. Install the samba-client package:
    # yum install samba-client
  2. Authenticate to Kerberos:
    # kinit user_name
  3. List the shares:
    # smbclient -k -U user_name -L samba_server.idm.example.com

Additional Resources

For further details about Samba, see the corresponding section in the Red Hat System Administrator's Guide.