Red Hat Summit Red Hat SummitSupportKonsoleEntwicklerDemo startenKontakt

Dieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.

Chapter 113. Setting up Samba on an IdM domain member

You can set up Samba on a host that is joined to a Red Hat Identity Management (IdM) domain. Users from IdM and also, if available, from trusted Active Directory (AD) domains, can access shares and printer services provided by Samba.

Important

Using Samba on an IdM domain member is an unsupported Technology Preview feature and contains certain limitations. For example, IdM trust controllers do not support the Active Directory Global Catalog service, and they do not support resolving IdM groups using the Distributed Computing Environment / Remote Procedure Calls (DCE/RPC) protocols. As a consequence, AD users can only access Samba shares and printers hosted on IdM clients when logged in to other IdM clients; AD users logged into a Windows machine cannot access Samba shares hosted on an IdM domain member.

Customers deploying Samba on IdM domain members are encouraged to provide feedback to Red Hat.

If users from AD domains need to access shares and printer services provided by Samba, ensure the AES encryption type is enabled is AD. For more information, see Enabling the AES encryption type in Active Directory using a GPO.

Prerequisites

  • The host is joined as a client to the IdM domain.
  • Both the IdM servers and the client must run on RHEL 8.1 or later.

113.1. Preparing the IdM domain for installing Samba on domain members
Link kopieren

Before you can set up Samba on an IdM client, you must prepare the IdM domain using the ipa-adtrust-install utility on an IdM server.

Note

Any system where you run the ipa-adtrust-install command automatically becomes an AD trust controller. However, you must run ipa-adtrust-install only once on an IdM server.

Prerequisites

  • IdM server is installed.
  • You have root privileges to install packages and restart IdM services.

Procedure

  1. Install the required packages: 

    [root@ipaserver ~]# yum install ipa-server-trust-ad samba-client
    Copy to Clipboard Toggle word wrap

  2. Authenticate as the IdM administrative user: 

    [root@ipaserver ~]# kinit admin
    Copy to Clipboard Toggle word wrap

  3. Run the ipa-adtrust-install utility: 

    [root@ipaserver ~]# ipa-adtrust-install
    Copy to Clipboard Toggle word wrap

    The DNS service records are created automatically if IdM was installed with an integrated DNS server.

    If you installed IdM without an integrated DNS server, ipa-adtrust-install prints a list of service records that you must manually add to DNS before you can continue.

  4. The script prompts you that the /etc/samba/smb.conf already exists and will be rewritten: 

    WARNING: The smb.conf already exists. Running ipa-adtrust-install will break your existing Samba configuration.

Do you wish to continue? [no]: yes
    Copy to Clipboard Toggle word wrap

  5. The script prompts you to configure the slapi-nis plug-in, a compatibility plug-in that allows older Linux clients to work with trusted users: 

    Do you want to enable support for trusted domains in Schema Compatibility plugin?
This will allow clients older than SSSD 1.9 and non-Linux clients to work with trusted users.

Enable trusted domains support in slapi-nis? [no]: yes
    Copy to Clipboard Toggle word wrap

  6. When prompted, enter the NetBIOS name for the IdM domain or press Enter to accept the name suggested: 

    Trust is configured but no NetBIOS domain name found, setting it now.
Enter the NetBIOS name for the IPA domain.
Only up to 15 uppercase ASCII letters, digits and dashes are allowed.
Example: EXAMPLE.

NetBIOS domain name [IDM]:
    Copy to Clipboard Toggle word wrap

  7. You are prompted to run the SID generation task to create a SID for any existing users: 

    Do you want to run the ipa-sidgen task? [no]: yes
    Copy to Clipboard Toggle word wrap

    This is a resource-intensive task, so if you have a high number of users, you can run this at another time.

  8. Optional: By default, the Dynamic RPC port range is defined as 49152-65535 for Windows Server 2008 and later. If you need to define a different Dynamic RPC port range for your environment, configure Samba to use different ports and open those ports in your firewall settings. The following example sets the port range to 55000-65000. 

    [root@ipaserver ~]# net conf setparm global 'rpc server dynamic port range' 55000-65000
[root@ipaserver ~]# firewall-cmd --add-port=55000-65000/tcp
[root@ipaserver ~]# firewall-cmd --runtime-to-permanent
    Copy to Clipboard Toggle word wrap

  9. Restart the ipa service: 

    [root@ipaserver ~]# ipactl restart
    Copy to Clipboard Toggle word wrap

  10. Use the smbclient utility to verify that Samba responds to Kerberos authentication from the IdM side: 

    [root@ipaserver ~]# smbclient -L ipaserver.idm.example.com -U user_name --use-kerberos=required
lp_load_ex: changing to config backend registry
    Sharename       Type      Comment
    ---------       ----      -------
    IPC$            IPC       IPC Service (Samba 4.15.2)
...
    Copy to Clipboard Toggle word wrap

113.2. Installing and configuring a Samba server on an IdM client
Link kopieren

You can install and configure Samba on a client enrolled in an IdM domain.

Prerequisites

Procedure

  1. Install the ipa-client-samba package: 

    [root@idm_client]# yum install ipa-client-samba
    Copy to Clipboard Toggle word wrap

  2. Use the ipa-client-samba utility to prepare the client and create an initial Samba configuration: 

    [root@idm_client]# ipa-client-samba
Searching for IPA server...
IPA server: DNS discovery
Chosen IPA master: idm_server.idm.example.com
SMB principal to be created: cifs/idm_client.idm.example.com@IDM.EXAMPLE.COM
NetBIOS name to be used: IDM_CLIENT
Discovered domains to use:

 Domain name: idm.example.com
NetBIOS name: IDM
         SID: S-1-5-21-525930803-952335037-206501584
    ID range: 212000000 - 212199999

 Domain name: ad.example.com
NetBIOS name: AD
         SID: None
    ID range: 1918400000 - 1918599999

Continue to configure the system with these values? [no]: yes
Samba domain member is configured. Please check configuration at /etc/samba/smb.conf and start smb and winbind services
    Copy to Clipboard Toggle word wrap

  3. By default, ipa-client-samba automatically adds the [homes] section to the /etc/samba/smb.conf file that dynamically shares a user’s home directory when the user connects. If users do not have home directories on this server, or if you do not want to share them, remove the following lines from /etc/samba/smb.conf: 

    [homes]
    read only = no
    Copy to Clipboard Toggle word wrap

  4. Share directories and printers. For details, see the following sections:

  5. Open the ports required for a Samba client in the local firewall: 

    [root@idm_client]# firewall-cmd --permanent --add-service=samba-client
[root@idm_client]# firewall-cmd --reload
    Copy to Clipboard Toggle word wrap

  6. Enable and start the smb and winbind services: 

    [root@idm_client]# systemctl enable --now smb winbind
    Copy to Clipboard Toggle word wrap

Verification

Run the following verification step on a different IdM domain member that has the samba-client package installed:

  • List the shares on the Samba server using Kerberos authentication: 

    $ smbclient -L idm_client.idm.example.com -U user_name --use-kerberos=required
lp_load_ex: changing to config backend registry

    Sharename       Type      Comment
    ---------       ----      -------
    example         Disk
    IPC$            IPC       IPC Service (Samba 4.15.2)
...
    Copy to Clipboard Toggle word wrap

Samba requires an ID mapping configuration for each domain from which users access resources. On an existing Samba server running on an IdM client, you must manually add an ID mapping configuration after the administrator added a new trust to an Active Directory (AD) domain.

Prerequisites

  • You configured Samba on an IdM client. Afterward, a new trust was added to IdM.
  • The DES and RC4 encryption types for Kerberos must be disabled in the trusted AD domain. For security reasons, RHEL 8 does not support these weak encryption types.

Procedure

  1. Authenticate using the host’s keytab: 

    [root@idm_client]# kinit -k
    Copy to Clipboard Toggle word wrap

  2. Use the ipa idrange-find command to display both the base ID and the ID range size of the new domain. For example, the following command displays the values for the ad.example.com domain: 

    [root@idm_client]# ipa idrange-find --name="AD.EXAMPLE.COM_id_range" --raw
---------------
1 range matched
---------------
  cn: AD.EXAMPLE.COM_id_range
  ipabaseid: 1918400000
  ipaidrangesize: 200000
  ipabaserid: 0
  ipanttrusteddomainsid: S-1-5-21-968346183-862388825-1738313271
  iparangetype: ipa-ad-trust
----------------------------
Number of entries returned 1
----------------------------
    Copy to Clipboard Toggle word wrap

    You need the values from the ipabaseid and ipaidrangesize attributes in the next steps.

  3. To calculate the highest usable ID, use the following formula: 

    maximum_range = ipabaseid + ipaidrangesize - 1
    Copy to Clipboard Toggle word wrap

    With the values from the previous step, the highest usable ID for the ad.example.com domain is 1918599999 (1918400000 + 200000 - 1).

  4. Edit the /etc/samba/smb.conf file, and add the ID mapping configuration for the domain to the [global] section: 

    idmap config AD : range = 1918400000 - 1918599999
idmap config AD : backend = sss
    Copy to Clipboard Toggle word wrap

    Specify the value from ipabaseid attribute as the lowest and the computed value from the previous step as the highest value of the range.

  5. Restart the smb and winbind services: 

    [root@idm_client]# systemctl restart smb winbind
    Copy to Clipboard Toggle word wrap

Verification

  • List the shares on the Samba server using Kerberos authentication: 

    $ smbclient -L idm_client.idm.example.com -U user_name --use-kerberos=required
lp_load_ex: changing to config backend registry

    Sharename       Type      Comment
    ---------       ----      -------
    example         Disk
    IPC$            IPC       IPC Service (Samba 4.15.2)
...
    Copy to Clipboard Toggle word wrap
Nach oben
Red Hat logoGithubredditYoutubeTwitter

Lernen

Testen, kaufen und verkaufen

Communitys

Über Red Hat Dokumentation

Wir helfen Red Hat Benutzern, mit unseren Produkten und Diensten innovativ zu sein und ihre Ziele zu erreichen – mit Inhalten, denen sie vertrauen können. Entdecken Sie unsere neuesten Updates.

Mehr Inklusion in Open Source

Red Hat hat sich verpflichtet, problematische Sprache in unserem Code, unserer Dokumentation und unseren Web-Eigenschaften zu ersetzen. Weitere Einzelheiten finden Sie in Red Hat Blog.

Über Red Hat

Wir liefern gehärtete Lösungen, die es Unternehmen leichter machen, plattform- und umgebungsübergreifend zu arbeiten, vom zentralen Rechenzentrum bis zum Netzwerkrand.

Theme

© 2025 Red Hat