[Samba] RHEL7/Centos7 with Samba AD
vincent at cojot.name
Thu Dec 6 19:11:53 UTC 2018
Hi All,
I know RHEL has bad press here but I'd like to share a different opinion
(works for me) and maybe share some of my settings.
BTW, those views are my own, not those of my employer.
I run a small AD at home. The setup is as follows:
- two AD DCs (RHEL7.6 KVM virtual machines + Samba 4.8.7 rpms based on
SPECs from TranquilIT/Fedora).
- several Win10 laptops joined to the domain.
- several RHEL7.6 clients/Machines running 'realmd' and joined to the
domain. The AD users can log into those machines and their Linux account
gets mapped appropriately.
I set policies from a Win10 VM using RSAT and since there is a lot of
literature on the excellent Samba wiki and on the net, this wasn't too
difficult for the Win* noob in me.
It's been running great so far but because I'm rebuilding the rpms myself
and actually using 'realmd' I feel a little like I am in uncharted
territory. At least, the RHEL7 part is familiar to me. :)
First, I needed to make a few changes to the client Linux systems:
a slightly modified krb5 client config and a custom sssd config once they
were joined ('realm join ...') to the AD domain.
The most important part was that the RHEL7 hosts wouldn't be heavily
modified, except for the two AD DCs which run a custom build of Samba, of
course.
For sssd, I used the following (customized file):
------------------------------------------------------
[sssd]
domains = ad.lasthome.solace.krynn
config_file_version = 2
services = nss, pam, pac

[domain/ad.lasthome.solace.krynn]
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
# GPO logon-right policies are not evaluated on this client;
# only the AD account state (disabled/expired/locked) gates access
ad_gpo_access_control = disabled
# every domain user gets this primary GID locally
override_gid = 100
ad_domain = ad.lasthome.solace.krynn
krb5_realm = AD.LASTHOME.SOLACE.KRYNN
realmd_tags = manages-system joined-with-samba
#
# allow offline logins from cached credentials
cache_credentials = True
krb5_store_password_if_offline = True
# use uidNumber/gidNumber from AD instead of SID-based mapping
# (matches 'realm join --automatic-id-mapping=no')
ldap_id_mapping = False
use_fully_qualified_names = False
default_shell = /bin/bash
fallback_homedir = /export/home/%u@%d
ldap_referrals = False
ignore_group_members = True

[nss]
[pam]
------------------------------------------------------
For realmd, it was only a matter of following the documentation, which
resulted in
# realm join --automatic-id-mapping=no ad.lasthome.solace.krynn -U administrator
[...]
# realm list
ad.lasthome.solace.krynn
type: kerberos
realm-name: AD.LASTHOME.SOLACE.KRYNN
domain-name: ad.lasthome.solace.krynn
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common-tools
login-formats: %U
login-policy: allow-realm-logins
So, IMHO RHEL7/Centos7 does just fine in a Samba AD/DC setup either as
clients or DCs. I still have a few details to work out (how to move the
Samba servers from local auth to AD auth, etc., mostly because it's not
my area of expertise) but it's been working fine for me so far.
The only area of concern on el7 is to find a -reliable- Samba RPM builder
for el7. So far, I've tried:
- TranquilIT - https://dev.tranquil.it/wiki/Samba4
Their latest 4.8.x rpms are stuck on 4.8.5 and they don't provide
source rpms unless you complain a lot.
- http://azzurro.ezplanet.net : Seems pretty much out of updates
- http://wing-net.ddo.jp/wing : Web page still up but I've been unable to
pull down rpms from them for months.
Any non-inflammatory comments are welcome! :)
Vincent
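The sssd settings shown in the post above have a few security-relevant consequences that are easy to miss once the join "just works" (GPO logon rights not enforced, POSIX attributes required for every account, cached credentials on disk). The script below is an added example, not part of the original post or of sssd/realmd; it lints an sssd.conf for exactly those settings. The function names, the wording of each finding and the constructed sample config are my own assumptions, and it assumes a single [domain/...] section.

```shell
#!/bin/bash
# Added example (not from the original post): lint an sssd.conf for the
# AD-client settings discussed on the list. Function names, findings and
# the sample config are assumptions of this example.

# value KEY FILE -> value of the first "KEY = value" line in FILE, lowercased
value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" \
        | head -n 1 | sed 's/[[:space:]]*$//' | tr '[:upper:]' '[:lower:]'
}

# audit_sssd_conf FILE -> prints one line per finding; returns 0 if no WARN
# line was emitted, 1 otherwise. Assumes a single [domain/...] section.
audit_sssd_conf() {
    local conf="$1" warn=0 v

    v=$(value ad_gpo_access_control "$conf")
    if [ "$v" = "disabled" ]; then
        echo "WARN ad_gpo_access_control=disabled: GPO logon-right policies are ignored; only the AD account state gates access"
        warn=1
    fi

    v=$(value ldap_id_mapping "$conf")
    if [ "$v" = "false" ]; then
        echo "INFO ldap_id_mapping=False: every AD user and group needs uidNumber/gidNumber, otherwise it does not resolve"
    fi

    v=$(value override_gid "$conf")
    if [ -n "$v" ]; then
        echo "INFO override_gid=$v: all domain users get this primary GID locally, regardless of their AD primary group"
    fi

    v=$(value use_fully_qualified_names "$conf")
    if [ "$v" = "false" ]; then
        echo "INFO use_fully_qualified_names=False: short logins; a local account with the same name wins via nsswitch order"
    fi

    v=$(value cache_credentials "$conf")
    if [ "$v" = "true" ]; then
        echo "INFO cache_credentials=True: credential hashes are cached under /var/lib/sss/db for offline logins; keep it root-only"
    fi

    v=$(value krb5_store_password_if_offline "$conf")
    if [ "$v" = "true" ]; then
        echo "INFO krb5_store_password_if_offline=True: the password is kept in the kernel keyring to fetch a TGT once a DC is reachable"
    fi

    return "$warn"
}

# Constructed sample mirroring the settings from the post (not a live file).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
[sssd]
domains = ad.example.test
config_file_version = 2
services = nss, pam, pac

[domain/ad.example.test]
id_provider = ad
access_provider = ad
ad_gpo_access_control = disabled
override_gid = 100
cache_credentials = True
krb5_store_password_if_offline = True
ldap_id_mapping = False
use_fully_qualified_names = False
EOF

audit_sssd_conf "$SAMPLE_CONF" || echo "warnings present: review before rolling out"
```

Run it against /etc/sssd/sssd.conf on a joined client (as root, since the file is mode 0600). The only hard warning is ad_gpo_access_control=disabled: with access_provider = ad that still blocks disabled and expired accounts, but any "Allow log on locally" restriction set via GPO is not applied on the Linux side.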