Samba
Samba / SMB / Server Message Block
- File Server
- Member Server
- Active Directory Domain Controller
- Supported idmap:
  - WinBind
    - More compatible
  - SSSD (not fully supported)
    - SSSD is mainly for joining Linux to AD so that AD accounts can log in to Linux
    - Newer than WinBind
    - More secure
WinBind ID terms
ID / UID | Linux ID of the user
SID | Windows ID of the user
realm
CLI
- Discover / Join / Leave / List realms (domains)
- Used to automatically set up the SSSD / SMB / Kerberos config
- realm uses the Kerberos credential cache
- List realm command: see List realm below
Discover realm
# realm discover [-v] [<realm>]
realm discover -v
Join realm
Join with the default software (SSSD)
# realm join [-v] [-U <user>] <realm>
realm join -v -U Administrator example.com
Join with Samba and WinBind
- If the join succeeds, realm will update /etc/samba/smb.conf and other config files
realm join -v --membership-software=samba --client-software=winbind example.com
If the join fails, try clearing the Kerberos tickets (kdestroy, below)
List realm
realm list
example.com
type: kerberos
realm-name: EXAMPLE.COM
domain-name: example.com
configured: kerberos-member
server-software: active-directory
client-software: winbind
required-package: libnss-winbind
required-package: winbind
required-package: libpam-winbind
required-package: samba-common-bin
login-formats: %U
login-policy: allow-any-login
Leave realm
# realm leave [-v] [<realm>]
realm leave
Clear Samba idmap cache
Ref: ID Mapping
- Needs to be cleared after changing the idmap config
systemctl stop winbind smbd
net cache flush
systemctl start winbind smbd
Kerberos
List Kerberos cached tickets
klist
Clear Kerberos cached tickets
# kdestroy [-A] [-c cache_name] [-p princ_name]
kdestroy -A
Test and dump Samba config
testparm [-s]
Reload config
Caution: this does not reload
smbcontrol smbd reload-config
systemctl restart smbd.service
Check domain / WinBind user
- If winbind has been added to /etc/nsswitch.conf, the id command can look up domain users
- Check idmap info
/etc/nsswitch.conf
passwd: files systemd winbind
group: files systemd winbind
# id '<domain>\<user>'
# id '<user>@<domain>'
id 'EXAMPLE\user'
id 'user@example.com'
uid=11000(user) gid=10500(domain users) groups=10500(domain users)
List WinBind users
wbinfo -u
Enable Extended ACL Support
[global]
vfs objects = acl_xattr
map acl inherit = yes
Audit
- Log to syslog
Ref: man vfs_audit
[global]
# Log the following Samba VFS operations:
# connect disconnect opendir mkdir rmdir open close rename unlink chmod fchmod
vfs objects = audit
# audit:facility = local1
# audit:priority = info
Ref: man vfs_full_audit
- The VFS full_audit operations change between versions, and even man vfs_full_audit is not always updated
- If an unsupported operation is set, all is used instead (Ref: init_bitmap() in vfs_full_audit.c)
[global]
# Log specified Samba VFS operations
# https://www.samba.org/samba/docs/current/man-html/vfs_full_audit.8.html
vfs objects = full_audit
# Default
# full_audit:prefix = %u|%I
full_audit:failure = connect disconnect opendir closedir mkdir rmdir open close rename unlink
full_audit:success = connect disconnect opendir closedir mkdir rmdir open close rename unlink
# auth, authpriv, cron, daemon, kern, lpr, mail, mark, news, syslog, user, uucp, local0, ..., local7
full_audit:facility = local1
# debug, info, notice, warning, err, crit, alert, emerg
full_audit:priority = info
Samba member server (ADS) config
[global]
security = ADS
realm = EXAMPLE.COM
workgroup = EXAMPLE
kerberos method = secrets and keytab
winbind enum users = yes
winbind enum groups = yes
winbind offline logon = Yes
winbind refresh tickets = Yes
# Look up IDs without the domain prefix
# `id user` = `id 'EXAMPLE\user'`
winbind use default domain = Yes
idmap config EXAMPLE : range = 2000000-2999999
idmap config EXAMPLE : backend = rid
idmap config * : range = 1000000-1999999
idmap config * : backend = tdb
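Added example, not from these notes or from Samba: a shell check that the idmap config ranges in smb.conf (the EXAMPLE rid range and the * tdb default range above) do not overlap or run backwards, worth running before the net cache flush / winbind restart step, since overlapping ranges can map two different SIDs to the same UID/GID. The function name check_idmap_ranges and the sample config file are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not part of the original notes or of Samba): validate the
# "idmap config <DOMAIN> : range = lo-hi" entries in an smb.conf before restarting winbind.
# check_idmap_ranges and the constructed sample file below are assumptions of this example.

check_idmap_ranges() {
    # $1: path to smb.conf. Prints "<domain> <lo>-<hi>" per domain and returns 1 if any
    # range is inverted (lo > hi) or two domains' ranges overlap.
    awk '
        BEGIN { bad = 0 }
        # Match e.g.: idmap config EXAMPLE : range = 2000000-2999999  (also the "*" default)
        /^[ \t]*idmap[ \t]+config[ \t]+[^:]+:[ \t]*range[ \t]*=/ {
            line = $0
            sub(/^[ \t]*idmap[ \t]+config[ \t]+/, "", line)
            split(line, parts, ":")              # parts[1] = domain, parts[2] = "range = lo-hi"
            dom = parts[1]; gsub(/[ \t]+$/, "", dom)
            split(parts[2], kv, "=")
            split(kv[2], r, "-")
            lo[dom] = r[1] + 0; hi[dom] = r[2] + 0   # "+ 0" converts and drops surrounding blanks
            printf "%-10s %d-%d\n", dom, lo[dom], hi[dom]
            if (lo[dom] > hi[dom]) { printf "ERROR: inverted range for %s\n", dom; bad = 1 }
        }
        END {
            # Two ranges overlap when each one starts no later than the other one ends.
            for (a in lo) for (b in lo)
                if (a < b && lo[a] <= hi[b] && lo[b] <= hi[a]) {
                    printf "ERROR: idmap ranges of %s and %s overlap\n", a, b; bad = 1
                }
            exit bad
        }
    ' "$1"
}

# Constructed sample with the same idmap settings as the member server config above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[global]
idmap config EXAMPLE : range = 2000000-2999999
idmap config EXAMPLE : backend = rid
idmap config * : range = 1000000-1999999
idmap config * : backend = tdb
EOF
check_idmap_ranges "$sample" && echo "OK: no overlapping idmap ranges"
rm -f "$sample"
```

Run it against the real /etc/samba/smb.conf after editing the idmap lines; a non-zero exit means fix the ranges before stopping winbind and flushing the cache.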