Samba Kerberized Server

Setting up Kerberized Samba Server on CentOS 7.X

This documentation outlines the basic setup process of a Kerberized Samba Server. For detailed information about Samba server setup, please refer to the Samba Wiki.

Software installation

As root on your CC7 system run:

# yum install samba

Configuration

Configure /etc/samba/smb.conf to contain:
# Note: this is a minimal example config!
[global]
 netbios name = HOSTNAMESHORT
 security = ADS
 #log level = 3
 workgroup = CERN
 realm = CERN.CH

 #
 # Please see SMB1 phaseout.
 #
 client min protocol = SMB2
 client max protocol = SMB3
 server min protocol = SMB2
 server max protocol = SMB3

[tmptestshare]
 path = /tmp/testshare
 read only = no

Create the test share in /tmp (only for testing):
mkdir /tmp/testshare
chmod 1777 /tmp/testshare
chcon -t samba_share_t /tmp/testshare
restorecon -R -v /tmp/testshare

Note: HOSTNAMESHORT is the hostname without the domain name (do not include .cern.ch). For hosts where the total length of the hostname (including the domain name) is over 15 characters, please use the value of the sAMAccountName attribute of the host object in Active Directory (without the trailing $).

Next use cern-get-keytab in order to save Active Directory Computer Account password in Samba secrets database:

# cern-get-keytab --passwordsmb --service cifs [ --force ]
Finally, enable the Samba service and start the smb daemon:
systemctl enable smb
systemctl start smb
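
The [global] settings from this section can be checked mechanically before the daemon is started. The script below is an added example, not part of the original guide or of any CERN tooling: it checks that security is ADS, that the netbios name is a short name of at most 15 characters, and that both min protocol settings are pinned to SMB2 or later. The function names and the MYHOST01 host name are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide): audit the [global] section of
# an smb.conf against the settings this guide uses.

# Print the value of parameter $2 from the [global] section of file $1.
global_param() {
    awk -v want="$2" '
        /^[ \t]*[#;]/ { next }                  # comment line
        /^[ \t]*\[/   { sec = $0                # section header
                        sub(/^[ \t]*\[[ \t]*/, "", sec); sub(/[ \t]*\].*$/, "", sec)
                        sec = tolower(sec); next }
        sec == "global" && index($0, "=") {
            key = tolower(substr($0, 1, index($0, "=") - 1))
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == want) found = val        # last occurrence wins
        }
        END { print found }' "$1"
}

# Return 0 when the file matches the guide, 1 otherwise; findings go to stdout.
audit_smb_conf() {
    conf=$1; rc=0
    sec=$(global_param "$conf" "security" | tr a-z A-Z)
    name=$(global_param "$conf" "netbios name")
    [ "$sec" = "ADS" ] || { echo "FAIL: security = '$sec', expected ADS"; rc=1; }
    case $name in
        ""|*.*) echo "FAIL: netbios name '$name' must be the short host name"; rc=1 ;;
    esac
    [ "${#name}" -le 15 ] || { echo "FAIL: netbios name exceeds 15 characters"; rc=1; }
    for side in client server; do
        min=$(global_param "$conf" "$side min protocol" | tr a-z A-Z)
        case $min in
            SMB2*|SMB3*) ;;
            *) echo "FAIL: $side min protocol '${min:-unset}' is not SMB2 or later"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample input: the guide's config with a hypothetical host name.
sample=$(mktemp)
printf '%s\n' '[global]' ' netbios name = MYHOST01' ' security = ADS' \
    ' workgroup = CERN' ' realm = CERN.CH' ' client min protocol = SMB2' \
    ' server min protocol = SMB2' '[tmptestshare]' ' path = /tmp/testshare' > "$sample"
audit_smb_conf "$sample" && echo "OK: $sample matches the guide"
```

On a real host, call audit_smb_conf /etc/samba/smb.conf; a non-zero exit status means at least one FAIL line was printed.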

Opening the firewall

CentOS 7 uses firewalld; allow the samba service:

# firewall-cmd --add-service=samba
# firewall-cmd --add-service=samba --permanent

Testing connection

On another Linux system, check that your Kerberos ticket is valid (run kinit -R to force renewal).

# kinit -R
# klist
Ticket cache: FILE:/tmp/krb5cc_14213_WcuP2k
Default principal: jpolok@CERN.CH

Valid starting       Expires              Service principal
03/21/2016 15:13:50  03/22/2016 16:13:50  krbtgt/CERN.CH@CERN.CH
        renew until 03/26/2016 14:50:03

List shares on samba server:
# smbclient -k -L HOSTNAME.cern.ch
Domain=[CERN] OS=[Windows 6.1] Server=[Samba 4.2.3]

Sharename       Type      Comment
---------       ----      -------
tmptestshare    Disk
IPC$            IPC       IPC Service (Samba 4.2.3)

Note: always use the fully qualified hostname!

Access share:

# smbclient -k //HOSTNAME.cern.ch/tmptestshare
Domain=[CERN] OS=[Windows 6.1] Server=[Samba 4.2.3]
smb: \> put testfile
putting file testfile as \testfile (51.4 kb/s) (average 51.4 kb/s)
smb: \> dir
  .                                   D        0  Mon Mar 21 15:19:58 2016
  ..                                  D        0  Mon Mar 21 15:17:53 2016
  testfile                            A      158  Mon Mar 21 15:19:58 2016

    83845120 blocks of size 1024. 12506532 blocks available

smb: \> quit
#

Note: SMB2 protocol is not compatible with SLC5.