4.2. Using SMB shares with SSSD

This section describes how you can use SSSD clients to access and fully use shares based on the Server Message Block (SMB) protocol, also known as the Common Internet File System (CIFS) protocol, without running Winbind on the client.

Note

Prior to Red Hat Enterprise Linux 7.1, only Winbind provided this functionality. In Red Hat Enterprise Linux 7.1 and later, you no longer need to run Winbind and SSSD in parallel to access SMB shares. For example, accessing the Access Control Lists (ACLs) no longer requires Winbind on SSSD clients.

Important

SSSD does not support all the services that Winbind provides. For example, SSSD does not support authentication using the NT LAN Manager (NTLM) or NetBIOS name lookup. If you need these services, use Winbind. Note that in Identity Management domains, Kerberos authentication and DNS name lookup are available for the same purposes.

4.2.1. How SSSD Works with SMB

The SMB file-sharing protocol is widely used on Windows machines. In Red Hat Enterprise Linux environments with a trust between Identity Management and Active Directory, SSSD enables seamless use of SMB as if it were a standard Linux file system.
To access an SMB share, the system must be able to translate Windows security identifiers (SIDs) to Linux POSIX UIDs and GIDs, because file ownership and ACL entries on the share are expressed as SIDs. SSSD clients provide this translation through the SID-to-ID and SID-to-name mapping that SSSD implements, which the cifs-utils ID mapping plug-in and the libwbclient library call into.

4.2.2. Determining Whether to Use SSSD or Winbind for SMB Shares

For most SSSD clients, using SSSD for the SMB ID mapping is recommended, because the same component then maps Active Directory users for both general logins and SMB access:
  • Identity Management clients use SSSD by default to map Active Directory users to UNIX users. Using Winbind for the SMB ID mapping instead of SSSD can result in a user receiving different UIDs and GIDs on the share than on the rest of the system.
  • In environments with direct Active Directory integration where the clients use SSSD for general Active Directory user mappings, using Winbind for the SMB ID mapping instead of SSSD can result in the same inconsistent mapping.

4.2.3. Accessing SMB Shares from SSSD Clients

You can access SMB shares from all SSSD clients that belong to the Samba domain.
To verify that the system uses SSSD for accessing SMB shares, use the alternatives utility. The utility displays the currently used ID mapping plug-in and libwbclient library. In the following example, the system uses the SSSD implementations of both (cifs_idmap_sss.so and the libwbclient.so.0 from the sssd-libwbclient package); on a system that uses Winbind, the entries point to idmapwb.so and the libwbclient library from the libwbclient package instead:
# alternatives --list | grep -E 'cifs|libwbclient'
cifs-idmap-plugin       auto    /usr/lib64/cifs-utils/cifs_idmap_sss.so
libwbclient.so.0.11-64  auto    /usr/lib64/sssd/modules/libwbclient.so.0.11.0

4.2.4. Switching Between SSSD and Winbind for SMB Share Access

This procedure describes how you can switch between SSSD and Winbind plug-ins that are used for accessing SMB shares from SSSD clients.
  1. Optional. Find out whether you are currently using SSSD or Winbind to access SMB shares from the SSSD client:
    # alternatives --display cifs-idmap-plugin
    cifs-idmap-plugin - status is auto.
     link currently points to /usr/lib/cifs-utils/cifs_idmap_sss.so
    /usr/lib/cifs-utils/cifs_idmap_sss.so - priority 20
    /usr/lib/cifs-utils/idmapwb.so - priority 10
    Current `best' version is /usr/lib/cifs-utils/cifs_idmap_sss.so.
    If the SSSD plug-in (cifs_idmap_sss.so) is installed, it has a higher priority than the Winbind plug-in (idmapwb.so) by default, so alternatives selects it automatically in auto mode. The plug-in directory depends on the architecture: /usr/lib/cifs-utils on 32-bit systems and /usr/lib64/cifs-utils on 64-bit systems.
  2. Before switching to the Winbind plug-in, make sure Winbind is running on the system. Switching the plug-in to a daemon that is not running leaves the client without a working SID-to-ID mapping, so files on mounted shares show up with numeric or wrong owners:
    # systemctl is-active winbind.service
    active
    Before switching to the SSSD plug-in, make sure SSSD is running on the system:
    # systemctl is-active sssd.service
    active
  3. To switch to a different plug-in, use the alternatives --set cifs-idmap-plugin command, and specify the path to the required plug-in. Setting an alternative manually changes its status from auto to manual, so later package updates no longer pick the plug-in with the highest priority. For example, to switch to Winbind:
    # alternatives --set cifs-idmap-plugin /usr/lib/cifs-utils/idmapwb.so
    To switch back to SSSD, specify the SSSD plug-in instead:
    # alternatives --set cifs-idmap-plugin /usr/lib/cifs-utils/cifs_idmap_sss.so
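The following script wraps the procedure above: it parses the alternatives output to report which backend is in use, and only switches when the daemon that backs the requested plug-in is active. It is an added example, not part of the Red Hat documentation or of the sssd or cifs-utils projects. It assumes the alternative and plug-in file names shown above and a 64-bit plug-in directory of /usr/lib64/cifs-utils (set CIFS_PLUGIN_DIR to /usr/lib/cifs-utils on 32-bit systems); the sample alternatives output embedded at the end is constructed so that the parser can be exercised offline.

```sh
#!/bin/sh
# Added example: inspect and switch the cifs-idmap-plugin alternative safely.
# Not from the Red Hat documentation or the sssd/cifs-utils projects.
# Assumptions: the alternative name "cifs-idmap-plugin", the plug-in file
# names cifs_idmap_sss.so and idmapwb.so, and a 64-bit plug-in directory of
# /usr/lib64/cifs-utils (override with CIFS_PLUGIN_DIR).

# Read "alternatives --display cifs-idmap-plugin" output on stdin and print
# which backend the link currently points to: sssd, winbind or unknown.
idmap_backend() {
    awk '/link currently points to/ { path = $NF }
         END {
             if (path ~ /cifs_idmap_sss\.so$/)  print "sssd"
             else if (path ~ /idmapwb\.so$/)    print "winbind"
             else                               print "unknown"
         }'
}

# Switch to "sssd" or "winbind". Refuses unless the daemon that backs the
# requested plug-in is active and the plug-in file is installed, so the
# client never ends up with an ID mapping backend that cannot answer.
# Prints the backend now in use; returns non-zero on refusal or failure.
switch_idmap_plugin() {
    target=$1
    plugin_dir=${CIFS_PLUGIN_DIR:-/usr/lib64/cifs-utils}   # assumption: x86_64 layout
    case $target in
        sssd)    service=sssd.service;    plugin=$plugin_dir/cifs_idmap_sss.so ;;
        winbind) service=winbind.service; plugin=$plugin_dir/idmapwb.so ;;
        *)       echo "usage: switch_idmap_plugin sssd|winbind" >&2; return 2 ;;
    esac
    if ! systemctl is-active --quiet "$service"; then
        echo "refusing to switch: $service is not active" >&2
        return 1
    fi
    if [ ! -f "$plugin" ]; then
        echo "plug-in not installed: $plugin" >&2
        return 1
    fi
    alternatives --set cifs-idmap-plugin "$plugin" || return 1
    alternatives --display cifs-idmap-plugin | idmap_backend
}

# Constructed sample of "alternatives --display cifs-idmap-plugin" output
# (not captured from a real system) so idmap_backend can be run offline:
#   printf '%s\n' "$SAMPLE_DISPLAY_SSSD" | idmap_backend   -> sssd
SAMPLE_DISPLAY_SSSD='cifs-idmap-plugin - status is auto.
 link currently points to /usr/lib64/cifs-utils/cifs_idmap_sss.so
/usr/lib64/cifs-utils/cifs_idmap_sss.so - priority 20
/usr/lib64/cifs-utils/idmapwb.so - priority 10'

# When invoked with sssd or winbind as the first argument, perform the switch.
case ${1:-} in
    sssd|winbind) switch_idmap_plugin "$1" ;;
esac
```

Run the script as root with sssd or winbind as its only argument; with no argument it only defines the functions, which lets you source it and call idmap_backend against live alternatives output.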

4.2.5. Configuring an SSSD Client to Run a Samba Server Without Using Winbind

If you run Red Hat Identity Management (IdM) and Samba in your environment, you can configure the Samba server to use Kerberos to authenticate IdM users connecting to a share.

Preconditions

On the IdM master, run ipa-adtrust-install to configure the master to manage object classes and attributes specific to Samba. For details, see Section 5.2.2.1.1, “Preparing the IdM Server for Trust”.

Setting up Samba to Authenticate Users to the IdM Domain

To set up a new Samba server that authenticates users to the IdM domain:
  1. Install the required packages for IdM and join the client to the domain. For details, see the corresponding section in the Red Hat Linux Domain Identity, Authentication, and Policy Guide.
  2. Install the Samba server and the sssd-libwbclient package:
    # yum install samba sssd-libwbclient
    The sssd-libwbclient package provides an SSSD implementation of the libwbclient.so library, which Samba uses for SID, name and ID lookups. It is the System Security Services Daemon (SSSD) alternative to the library in the libwbclient package, which is backed by the Winbind service; with the SSSD version installed, smbd resolves identities through SSSD and Winbind does not need to run.
  3. Create the cifs Kerberos principal for the Samba server. For example:
    # ipa service-add cifs/samba_server.idm.example.com
  4. Retrieve the Kerberos keytab for the cifs principal, and store it in the /etc/samba/samba.keytab file:
    # ipa-getkeytab -p cifs/samba_server.idm.example.com -k /etc/samba/samba.keytab
    Note that ipa-getkeytab generates a new key for the principal, which invalidates any keytab retrieved earlier for it. The keytab is the server's long-term credential: keep it readable by root only and verify the permissions before starting Samba:
    # ls -l /etc/samba/samba.keytab
  5. Set the following parameters in the [global] section of the /etc/samba/smb.conf file:
    workgroup = IDM
    realm = IDM.EXAMPLE.COM
    security = ads
    dedicated keytab file = FILE:/etc/samba/samba.keytab
    kerberos method = dedicated keytab
  6. Set up file and printer shares. For details, see the Samba sections in the Red Hat System Administrator's Guide.
  7. Verify the /etc/samba/smb.conf file:
    # testparm
    If the testparm utility does not return any error, the configuration is valid.
  8. Open the required ports and reload the firewall configuration using the firewall-cmd utility:
    # firewall-cmd --permanent --add-service=samba
    # firewall-cmd --reload
  9. Start the smb service:
    # systemctl start smb
  10. Optionally, configure that the smb service starts automatically when the system boots:
    # systemctl enable smb
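Before running testparm, it is worth checking that the [global] section really carries the Kerberos-only settings from step 5 and that the keytab it names exists with restrictive permissions; a stray security = user or a forgotten kerberos method silently turns the server back to password-based authentication. The following checker is an added example, not part of the Red Hat documentation or of the Samba project. It assumes the parameter names from step 5 and that the keytab is referenced as FILE:/path; the two sample configurations it writes are constructed for an offline run and are not a real server's smb.conf.

```sh
#!/bin/sh
# Added example: audit an smb.conf for the IdM Kerberos settings from step 5.
# Not from the Red Hat documentation or the Samba project. Assumptions: the
# parameter names security, realm, kerberos method and dedicated keytab file,
# and a keytab referenced as FILE:/absolute/path.

# Print the value of KEY in the [global] section of FILE (last occurrence
# wins, as in Samba); prints nothing if the key is absent.
smb_global() {   # usage: smb_global FILE KEY
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*\[/ { section = tolower($0); gsub(/[][ \t]/, "", section); next }
        section == "global" && /^[ \t]*[^#;]/ {
            n = index($0, "="); if (n == 0) next
            key = tolower(substr($0, 1, n - 1)); gsub(/^[ \t]+|[ \t]+$/, "", key)
            val = substr($0, n + 1);             gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == want) { hit = 1; last = val }
        }
        END { if (hit) print last }' "$1"
}

# Return 0 if FILE configures Kerberos authentication against IdM the way
# step 5 describes; otherwise print each finding and return 1.
check_idm_smb_conf() {   # usage: check_idm_smb_conf FILE
    conf=$1; rc=0
    sec=$(smb_global "$conf" security)
    [ "$sec" = ads ] || { echo "security is '$sec', expected ads"; rc=1; }
    method=$(smb_global "$conf" "kerberos method")
    [ "$method" = "dedicated keytab" ] || {
        echo "kerberos method is '$method', expected dedicated keytab"; rc=1; }
    [ -n "$(smb_global "$conf" realm)" ] || { echo "realm is not set"; rc=1; }
    keytab=$(smb_global "$conf" "dedicated keytab file")
    case $keytab in
        FILE:/*)
            path=${keytab#FILE:}
            if [ ! -f "$path" ]; then
                echo "keytab $path does not exist; run ipa-getkeytab first"; rc=1
            else
                # The keytab is a long-term credential: nothing but root may read it.
                case "$(ls -ld "$path")" in
                    -rw-------*|-r--------*) ;;
                    *) echo "$path is readable by others; expected mode 0600"; rc=1 ;;
                esac
            fi ;;
        *) echo "dedicated keytab file is '$keytab', expected FILE:/path"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample configurations for an offline run (not real smb.conf
# files). "good" also creates a mode-0600 stand-in for the keytab.
write_sample_conf() {   # usage: write_sample_conf good|bad  -> prints the temp file path
    f=$(mktemp) || return 1
    if [ "$1" = good ]; then
        kt=$(mktemp) && chmod 600 "$kt" || return 1
        cat >"$f" <<EOF
[global]
    workgroup = IDM
    realm = IDM.EXAMPLE.COM
    security = ads
    dedicated keytab file = FILE:$kt
    kerberos method = dedicated keytab

[homes]
    browseable = no
EOF
    else
        cat >"$f" <<'EOF'
[global]
    workgroup = IDM
    realm = IDM.EXAMPLE.COM
    ; wrong: falls back to password-based authentication, no keytab named
    security = user
    kerberos method = secrets only

[homes]
    ; right value, wrong section: must be ignored by the checker
    security = ads
EOF
    fi
    echo "$f"
}

# With a file argument, audit it; exit status reports the result.
if [ -n "${1:-}" ]; then
    check_idm_smb_conf "$1"
fi
```

Run it as `sh check-smb.sh /etc/samba/smb.conf` before testparm; a zero exit status means the three Kerberos parameters are present in [global] and the keytab exists with root-only permissions. Keys are compared case-insensitively and only inside [global], so a security = ads in a share section does not mask a wrong global value.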

Verifying That IdM Users Can Authenticate to Samba

To verify, list the shares the Samba server provides as an IdM user, using a Kerberos ticket rather than a password. For example:
  1. Install the samba-client package:
    # yum install samba-client
  2. Authenticate to Kerberos:
    # kinit user_name
  3. List the shares. The -k option makes smbclient authenticate with the ticket obtained by kinit, so no password prompt should appear:
    # smbclient -k -U user_name -L samba_server.idm.example.com

Additional Resources

For further details about Samba, see the corresponding section in the Red Hat System Administrator's Guide.