Red Hat SummitEste contenido no está disponible en el idioma seleccionado.
Chapter 1. Using Samba as a server
Samba implements the Server Message Block (SMB) protocol in Red Hat Enterprise Linux. The SMB protocol is used to access resources on a server, such as file shares and shared printers. Additionally, Samba implements the Distributed Computing Environment Remote Procedure Call (DCE RPC) protocol used by Microsoft Windows.
For more information refer to the:
-
smb.conf(5)man page on your system -
/usr/share/docs/samba-version/directory that contains general documentation, example scripts, and LDAP schema files, provided by the Samba project
You can run Samba as:
- An Active Directory (AD) or NT4 domain member
- A standalone server
An NT4 Primary Domain Controller (PDC) or Backup Domain Controller (BDC)
NoteRed Hat supports the PDC and BDC modes only in existing installations with Windows versions which support NT4 domains. Red Hat recommends not setting up a new Samba NT4 domain, because Microsoft operating systems later than Windows 7 and Windows Server 2008 R2 do not support NT4 domains.
Red Hat does not support running Samba as an AD domain controller (DC).
Independently of the installation mode, you can optionally share directories and printers. This enables Samba to act as a file and print server.
1.1. Understanding the different Samba services and modes
The samba package provides multiple services. Depending on your environment and the scenario you want to configure, you require one or more of these services and configure Samba in different modes.
1.1.1. The Samba services
Samba services in Linux include smbd, nmbd, winbindd, and samba-bgqd. Understand their roles in file and printer sharing, name resolution, domain integration, and printer management.
Samba provides the following services:
smbdThis service provides file sharing and printing services using the SMB protocol. Additionally, the service is responsible for resource locking and for authenticating connecting users. For authenticating domain members,
smbdrequireswinbindd. Thesmbsystemdservice starts and stops thesmbddaemon.To use the
smbdservice, install thesambapackage.nmbdThis service provides host name and IP resolution using the NetBIOS over IPv4 protocol. Additionally to the name resolution, the
nmbdservice enables browsing the SMB network to locate domains, work groups, hosts, file shares, and printers. For this, the service either reports this information directly to the broadcasting client or forwards it to a local or master browser. Thenmbsystemdservice starts and stops thenmbddaemon.Note that modern SMB networks use DNS to resolve clients and IP addresses. For Kerberos a working DNS setup is required.
To use the
nmbdservice, install thesambapackage.winbinddThis service provides an interface for the Name Service Switch (NSS) to use AD or NT4 domain users and groups on the local system. This enables, for example, domain users to authenticate to services hosted on a Samba server or to other local services. The
winbindsystemdservice starts and stops thewinbindddaemon.If you set up Samba as a domain member,
winbinddmust be started before thesmbdservice. Otherwise, domain users and groups are not available to the local system.To use the
winbinddservice, install thesamba-winbindpackage.ImportantRed Hat only supports running Samba as a server with the
winbinddservice to provide domain users and groups to the local system. Due to certain limitations, such as missing Windows access control list (ACL) support and NT LAN Manager (NTLM) fallback, SSSD is not supported.samba-bgqd-
The Samba background queue daemon regularly updates the printer list with printers from CUPS. For print servers with multiple printers, run this daemon. It is managed by the
samba-bgqdsystemdservice. If it fails to run,rpcd_spoolssstarts it on demand.
1.1.2. The Samba security services
The security parameter in the [global] section in the /etc/samba/smb.conf file manages how Samba authenticates users that are connecting to the service.
Depending on the mode you install Samba in, the parameter must be set to different values:
- On an AD domain member, set
security = ads - In this mode, Samba uses Kerberos to authenticate AD users.
- On a standalone server, set
security = user - In this mode, Samba uses a local database to authenticate connecting users.
- On an NT4 PDC or BDC, set
security = user - In this mode, Samba authenticates users to a local or LDAP database.
- On an NT4 domain member, set
security = domain - In this mode, Samba authenticates connecting users to an NT4 PDC or BDC. You cannot use this mode on AD domain members.
1.1.3. Scenarios when Samba services and Samba client utilities load and reload their configuration
When Samba services and client utilities load or reload configuration files, details triggers for automatic and manual reloads, and certain settings require a full service restart for configuration changes to become effective.
The following describes when Samba services and utilities load and reload their configuration:
Samba services reload their configuration:
- Automatically every 3 minutes
-
On manual request, for example, when you run the
smbcontrol all reload-configcommand.
- Samba client utilities read their configuration only when you start them.
Note that certain parameters, such as security require a restart of the smb service to take effect and a reload is not sufficient. For more information, refer to:
-
The
How configuration changes are appliedsection in thesmb.conf(5)man page on your system -
smbd(8),nmbd(8), andwinbindd(8)man pages on your system
1.1.4. Editing the Samba configuration in a safe way
Samba services automatically reload their configuration every 3 minutes. For details, see Scenarios when Samba services and Samba client utilities load and reload their configuration
To prevent that the services reload the changes before you have verified the configuration using the testparm utility, you can edit the Samba configuration in a safe way.
Prerequisites
- Samba is installed.
Procedure
Create a copy of the
/etc/samba/smb.conffile:# cp /etc/samba/smb.conf /etc/samba/samba.conf.copy- Edit the copied file and make the required changes.
Verify the configuration in the
/etc/samba/samba.conf.copyfile:# testparm -s /etc/samba/samba.conf.copyIf
testparmreports errors, fix them and run the command again.Override the
/etc/samba/smb.conffile with the new configuration:# mv /etc/samba/samba.conf.copy /etc/samba/smb.confWait until the Samba services automatically reload their configuration or manually reload the configuration:
# smbcontrol all reload-config
1.2. Verifying the smb.conf file by using the testparm utility
The testparm utility verifies that the Samba configuration in the /etc/samba/smb.conf file is correct. The utility detects invalid parameters and values, but also incorrect settings, such as for ID mapping. If testparm reports no problem, the Samba services will successfully load the /etc/samba/smb.conf file. Note that testparm cannot verify that the configured services will be available or work as expected.
Red Hat recommends that you verify the /etc/samba/smb.conf file by using testparm after each modification of this file.
Prerequisites
- You installed Samba.
-
The
/etc/samba/smb.conffile exists.
Procedure
Run the
testparmutility as therootuser:# testparmLoad smb config files from /etc/samba/smb.conf rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384) Unknown parameter encountered: "log level" Processing section "[example_share]" Loaded services file OK. ERROR: The idmap range for the domain * (tdb) overlaps with the range of DOMAIN (ad)! Server role: ROLE_DOMAIN_MEMBER Press enter to see a dump of your service definitions # Global parameters [global] ... [example_share] ...The previous example output reports a non-existent parameter and an incorrect ID mapping configuration.
-
If
testparmreports incorrect parameters, values, or other errors in the configuration, fix the problem and run the utility again.
1.3. Setting up Samba as a standalone server
You can set up Samba as a server that is not a member of a domain. In this installation mode, Samba authenticates users to a local database instead of to a central DC. Additionally, you can enable guest access to allow users to connect to one or multiple services without authentication.
1.3.1. Setting up the server configuration for the standalone server
You can set up the server configuration for a Samba standalone server. For more information, see the smb.conf(5) man page on your system.
Procedure
Install the
sambapackage:# dnf install sambaEdit the
/etc/samba/smb.conffile and set the following parameters:[global] workgroup = Example-WG netbios name = Server security = user log file = /var/log/samba/%m.log log level = 1This configuration defines a standalone server named
Serverwithin theExample-WGwork group. Additionally, this configuration enables logging on a minimal level (1) and log files will be stored in the/var/log/samba/directory. Samba will expand the%mmacro in thelog fileparameter to the NetBIOS name of connecting clients. This enables individual log files for each client.Optional: Configure file or printer sharing. See:
Verify the
/etc/samba/smb.conffile:# testparmIf you set up shares that require authentication, create the user accounts.
For details, see Creating and enabling local user accounts.
Open the required ports and reload the firewall configuration by using the
firewall-cmdutility:# firewall-cmd --permanent --add-service=samba# firewall-cmd --reloadEnable and start the
smbservice:# systemctl enable --now smb
1.3.2. Creating and enabling local user accounts
To enable users to authenticate when they connect to a share, you must create the accounts on the Samba host both in the operating system and in the Samba database. Samba requires the operating system account to validate the Access Control Lists (ACL) on file system objects and the Samba account to authenticate connecting users.
If you use the passdb backend = tdbsam default setting, Samba stores user accounts in the /var/lib/samba/private/passdb.tdb database.
You can create a local Samba user named example.
Prerequisites
- Samba is installed and configured as a standalone server.
Procedure
Create the operating system account:
# useradd -M -s /sbin/nologin exampleThis command adds the
exampleaccount without creating a home directory. If the account is only used to authenticate to Samba, assign the/sbin/nologincommand as shell to prevent the account from logging in locally.Set a password to the operating system account to enable it:
# passwd exampleEnter new UNIX password: password Retype new UNIX password: password passwd: password updated successfullySamba does not use the password set on the operating system account to authenticate. However, you need to set a password to enable the account. If an account is disabled, Samba denies access if this user connects.
Add the user to the Samba database and set a password to the account:
# smbpasswd -a exampleNew SMB password: password Retype new SMB password: password Added user example.Use this password to authenticate when using this account to connect to a Samba share.
Enable the Samba account:
# smbpasswd -e exampleEnabled user example.
1.4. Understanding and configuring Samba ID mapping
Windows domains distinguish users and groups by unique Security Identifiers (SID). However, Linux requires unique UIDs and GIDs for each user and group. If you run Samba as a domain member, the winbindd service is responsible for providing information about domain users and groups to the operating system.
To enable the winbindd service to provide unique IDs for users and groups to Linux, you must configure ID mapping in the /etc/samba/smb.conf file for:
- The local database (default domain)
- The AD or NT4 domain the Samba server is a member of
- Each trusted domain from which users must be able to access resources on this Samba server
Samba provides different ID mapping back ends for specific configurations. The most frequently used back ends are:
| Back end | Use case |
|---|---|
|
|
The |
|
| AD domains only |
|
| AD and NT4 domains |
|
|
AD, NT4, and the |
1.4.1. Planning Samba ID ranges
Regardless of whether you store the Linux UIDs and GIDs in AD or if you configure Samba to generate them, each domain configuration requires a unique ID range that must not overlap with any of the other domains.
If you set overlapping ID ranges, Samba fails to work correctly.
Example 1.1. Unique ID Ranges
The following shows non-overlapping ID mapping ranges for the default (*), AD-DOM, and the TRUST-DOM domains.
[global]
...
idmap config * : backend = tdb
idmap config * : range = 10000-999999
idmap config AD-DOM:backend = rid
idmap config AD-DOM:range = 2000000-2999999
idmap config TRUST-DOM:backend = rid
idmap config TRUST-DOM:range = 4000000-4999999You can only assign one range per domain. Therefore, leave enough space between the domains ranges. This enables you to extend the range later if your domain grows.
If you later assign a different range to a domain, the ownership of files and directories previously created by these users and groups will be lost.
1.4.2. The * default domain
You can configure the default Samba ID mapping domain to ensure proper ID assignment for local users, groups, and built-in accounts. Select and manage appropriate back ends to maintain system security, scalability, and compliance in domain environments.
In a domain environment, you add one ID mapping configuration for each of the following:
- The domain the Samba server is a member of
- Each trusted domain that should be able to access the Samba server
However, for all other objects, Samba assigns IDs from the default domain. This includes:
- Local Samba users and groups
-
Samba built-in accounts and groups, such as
BUILTIN\Administrators
You must configure the default domain as described to enable Samba to operate correctly.
The default domain back end must be writable to permanently store the assigned IDs.
For the default domain, you can use one of the following back ends:
tdbWhen you configure the default domain to use the
tdbback end, set an ID range that is big enough to include objects that will be created in the future and that are not part of a defined domain ID mapping configuration.For example, set the following in the
[global]section in the/etc/samba/smb.conffile:idmap config * : backend = tdb idmap config * : range = 10000-999999autoridWhen you configure the default domain to use the
autoridback end, adding additional ID mapping configurations for domains is optional.NoteThe range should be a multiple of the
rangesizeand must be at least twice its value to ensure sufficient id range space for the mandatoryBUILTINdomain. With a defaultrangesizeof 100000, the range must span at least 200000. For example, range = 100000 - 299999.For example, set the following in the
[global]section in the/etc/samba/smb.conffile:idmap config * : backend = autorid idmap config * : range = 10000-999999
1.4.3. Using the tdb ID mapping back end
The winbindd service uses the writable tdb ID mapping back end by default to store Security Identifier (SID), UID, and GID mapping tables. This includes local users, groups, and built-in principals.
Use this back end only for the * default domain. For example:
idmap config * : backend = tdb
idmap config * : range = 10000-9999991.4.4. Using the ad ID mapping back end
You can configure a Samba AD member to use the ad ID mapping back end.
The ad ID mapping back end implements a read-only API to read account and group information from AD. This provides the following benefits:
- All user and group settings are stored centrally in AD.
- User and group IDs are consistent on all Samba servers that use this back end.
- The IDs are not stored in a local database which can corrupt, and therefore file ownerships cannot be lost.
The ad ID mapping back end does not support {AD} domains with one-way trusts. If you configure a domain member in an {AD} with one-way trusts, use instead one of the following ID mapping back ends: tdb, rid, or autorid.
The ad back end reads the following attributes from AD:
| AD attribute name | Object type | Mapped to |
|---|---|---|
|
| User and group | User or group name, depending on the object |
|
| User | User ID (UID) |
|
| Group | Group ID (GID) |
|
| User | Path to the shell of the user |
|
| User | Path to the home directory of the user |
|
| User | Primary group ID |
[a]
Samba only reads this attribute if you set idmap config DOMAIN:unix_nss_info = yes.
[b]
Samba only reads this attribute if you set idmap config DOMAIN:unix_primary_group = yes.
| ||
Prerequisites
-
Both users and groups must have unique IDs set in AD, and the IDs must be within the range configured in the
/etc/samba/smb.conffile. Objects whose IDs are outside of the range will not be available on the Samba server. - Users and groups must have all required attributes set in AD. If required attributes are missing, the user or group will not be available on the Samba server. The required attributes depend on your configuration.
- You installed Samba.
-
The Samba configuration, except ID mapping, exists in the
/etc/samba/smb.conffile.
Procedure
Edit the
[global]section in the/etc/samba/smb.conffile:Add an ID mapping configuration for the default domain (
*) if it does not exist. For example:idmap config * : backend = tdb idmap config * : range = 10000-999999Enable the
adID mapping back end for the AD domain:idmap config DOMAIN : backend = adSet the range of IDs that is assigned to users and groups in the AD domain. For example:
idmap config DOMAIN : range = 2000000-2999999ImportantThe range must not overlap with any other domain configuration on this server. Additionally, the range must be set big enough to include all IDs assigned in the future. For further details, see Planning Samba ID ranges.
Set that Samba uses the RFC 2307 schema when reading attributes from AD:
idmap config DOMAIN : schema_mode = rfc2307To enable Samba to read the login shell and the path to the users home directory from the corresponding AD attribute, set:
idmap config DOMAIN : unix_nss_info = yesAlternatively, you can set a uniform domain-wide home directory path and login shell that is applied to all users. For example:
template shell = /bin/bash template homedir = /home/%UBy default, Samba uses the
primaryGroupIDattribute of a user object as the user’s primary group on Linux. Alternatively, you can configure Samba to use the value set in thegidNumberattribute instead:idmap config DOMAIN : unix_primary_group = yes
Verify the
/etc/samba/smb.conffile:# testparmReload the Samba configuration:
# smbcontrol all reload-config
1.4.5. Using the rid ID mapping back end
You can configure a Samba domain member to use the rid ID mapping back end.
Samba can use the relative identifier (RID) of a Windows SID to generate an ID on Red Hat Enterprise Linux.
The RID is the last part of a SID. For example, if the SID of a user is S-1-5-21-5421822485-1151247151-421485315-30014, then 30014 is the corresponding RID.
The rid ID mapping back end implements a read-only API to calculate account and group information based on an algorithmic mapping scheme for AD and NT4 domains. When you configure the back end, you must set the lowest and highest RID in the idmap config DOMAIN : range parameter. Samba will not map users or groups with a lower or higher RID than set in this parameter.
As a read-only back end, rid cannot assign new IDs, such as for BUILTIN groups. Therefore, do not use this back end for the * default domain.
Benefits of using the rid back end
- All domain users and groups that have an RID within the configured range are automatically available on the domain member.
- You do not need to manually assign IDs, home directories, and login shells.
Drawbacks of using the rid back end
- All domain users get the same login shell and home directory assigned. However, you can use variables.
-
User and group IDs are only the same across Samba domain members if all use the
ridback end with the same ID range settings. - You cannot exclude individual users or groups from being available on the domain member. Only users and groups outside of the configured range are excluded.
-
Based on the formulas the
winbinddservice uses to calculate the IDs, duplicate IDs can occur in multi-domain environments if objects in different domains have the same RID.
Prerequisites
- You installed Samba.
-
The Samba configuration, except ID mapping, exists in the
/etc/samba/smb.conffile.
Procedure
Edit the
[global]section in the/etc/samba/smb.conffile:Add an ID mapping configuration for the default domain (
*) if it does not exist. For example:idmap config * : backend = tdb idmap config * : range = 10000-999999Enable the
ridID mapping back end for the domain:idmap config DOMAIN : backend = ridSet a range that is big enough to include all RIDs that will be assigned in the future. For example:
idmap config DOMAIN : range = 2000000-2999999Samba ignores users and groups whose RIDs in this domain are not within the range.
ImportantThe range must not overlap with any other domain configuration on this server. Additionally, the range must be set big enough to include all IDs assigned in the future.
Set a shell and home directory path that will be assigned to all mapped users. For example:
template shell = /bin/bash template homedir = /home/%U
Verify the
/etc/samba/smb.conffile:# testparmReload the Samba configuration:
# smbcontrol all reload-configFor more information, see:
-
VARIABLE SUBSTITUTIONSsection in thesmb.conf(5)man page on your system -
Calculation of the local ID from a RID, see the
idmap_rid(8)man page on your system
-
1.4.6. Using the autorid ID mapping back end
You can configure a Samba domain member to use the autorid ID mapping back end.
The autorid back end works similar to the rid ID mapping back end, but can automatically assign IDs for different domains. This enables you to use the autorid back end in the following situations:
-
Only for the
*default domain -
For the
*default domain and additional domains, without the need to create ID mapping configurations for each of the additional domains - Only for specific domains
If you use autorid for the default domain, adding additional ID mapping configuration for domains is optional.
Parts of this section were adopted from the idmap config autorid documentation published in the Samba Wiki. License: CC BY 4.0. Authors and contributors: See the history tab on the Wiki page.
Benefits of using the autorid back end
- All domain users and groups whose calculated UID and GID is within the configured range are automatically available on the domain member.
- You do not need to manually assign IDs, home directories, and login shells.
- No duplicate IDs, even if multiple objects in a multi-domain environment have the same RID.
Drawbacks
- User and group IDs are not the same across Samba domain members.
- All domain users get the same login shell and home directory assigned. However, you can use variables.
- You cannot exclude individual users or groups from being available on the domain member. Only users and groups whose calculated UID or GID is outside of the configured range are excluded.
Prerequisites
- You installed Samba.
-
The Samba configuration, except ID mapping, exists in the
/etc/samba/smb.conffile.
Procedure
Edit the
[global]section in the/etc/samba/smb.conffile:Enable the
autoridID mapping back end for the*default domain:idmap config * : backend = autoridSet a range that is big enough to assign IDs for all existing and future objects. For example:
idmap config * : range = 10000-999999Samba ignores users and groups whose calculated IDs in this domain are not within the range.
WarningAfter you set the range and Samba starts using it, you can only increase the upper limit of the range. Any other change to the range can result in new ID assignments, and thus in losing file ownerships.
Optional: Set a range size. For example:
idmap config * : rangesize = 200000Samba assigns this number of continuous IDs for each domain’s object until all IDs from the range set in the
idmap config * : rangeparameter are taken.NoteIf you set a rangesize, you need to adapt the range accordingly. The range needs to be a multiple of the rangesize.
Set a shell and home directory path that will be assigned to all mapped users. For example:
template shell = /bin/bash template homedir = /home/%UOptional: Add additional ID mapping configuration for domains. If no configuration for an individual domain is available, Samba calculates the ID using the
autoridback end settings in the previously configured*default domain.ImportantThe range must not overlap with any other domain configuration on this server. Additionally, the range must be set big enough to include all IDs assigned in the future. For further details, see Planning Samba ID ranges.
Verify the
/etc/samba/smb.conffile:# testparmReload the Samba configuration:
# smbcontrol all reload-configFor more information, see:
-
THE MAPPING FORMULASsection in theidmap_autorid(8)man page on your system -
rangesizeparameter description in theidmap_autorid(8)man page on your system -
VARIABLE SUBSTITUTIONSsection in thesmb.conf(5)man page on your system
-
1.5. Setting up Samba as an AD domain member server
If you are running an AD or NT4 domain, use Samba to add your Red Hat Enterprise Linux server as a member to the domain.
This helps you to gain the following:
- Access domain resources on other domain members
-
Authenticate domain users to local services, such as
sshd - Share directories and printers hosted on the server to act as a file and print server
1.5.1. Joining a RHEL system to an AD domain
Samba Winbind is an alternative to the System Security Services Daemon (SSSD) for connecting a Red Hat Enterprise Linux (RHEL) system with Active Directory (AD). You can join a RHEL system to an AD domain by using realmd to configure Samba Winbind. For more information see, the realm(8) man page on your system.
Procedure
If your AD requires the deprecated RC4 encryption type for Kerberos authentication, enable support for these ciphers in RHEL:
# update-crypto-policies --set DEFAULT:AD-SUPPORTInstall the following packages:
# dnf install realmd oddjob-mkhomedir oddjob samba-winbind-clients \ samba-winbind samba-common-tools samba-winbind-krb5-locator krb5-workstationTo share directories or printers on the domain member, install the
sambapackage:# dnf install sambaBackup the existing
/etc/samba/smb.confSamba configuration file:# mv /etc/samba/smb.conf /etc/samba/smb.conf.bakJoin the domain. For example, to join a domain named
ad.example.com:# realm join --membership-software=samba --client-software=winbind ad.example.comUsing the previous command, the
realmutility automatically:-
Creates a
/etc/samba/smb.conffile for a membership in thead.example.comdomain -
Adds the
winbindmodule for user and group lookups to the/etc/nsswitch.conffile -
Updates the Pluggable Authentication Module (PAM) configuration files in the
/etc/pam.d/directory -
Starts the
winbindservice and enables the service to start when the system boots
-
Creates a
Optional: Set an alternative ID mapping back end or customized ID mapping settings in the
/etc/samba/smb.conffile.For details, see Understanding and configuring Samba ID mapping.
Edit the
/etc/krb5.conffile and add the following section:[plugins] localauth = { module = winbind:/usr/lib64/samba/krb5/winbind_krb5_localauth.so enable_only = winbind }Verify that the
winbindservice is running:# systemctl status winbind... Active: active (running) since Tue 2018-11-06 19:10:40 CET; 15s agoImportantTo enable Samba to query domain user and group information, the
winbindservice must be running before you startsmb.If you installed the
sambapackage to share directories and printers, enable and start thesmbservice:# systemctl enable --now smb
Verification
Display an AD user’s details, such as the AD administrator account in the AD domain:
# getent passwd "AD\administrator"AD\administrator:*:10000:10000::/home/administrator@AD:/bin/bashQuery the members of the domain users group in the AD domain:
# getent group "AD\Domain Users"AD\domain users:x:10000:user1,user2Optional: Verify that you can use domain users and groups when you set permissions on files and directories. For example, to set the owner of the
/srv/samba/example.txtfile toAD\administratorand the group toAD\Domain Users:# chown "AD\administrator":"AD\Domain Users" /srv/samba/example.txtVerify that Kerberos authentication works as expected:
On the AD domain member, obtain a ticket for the
administrator@AD.EXAMPLE.COMprincipal:# kinit administrator@AD.EXAMPLE.COMDisplay the cached Kerberos ticket:
# klistTicket cache: KCM:0 Default principal: administrator@AD.EXAMPLE.COM Valid starting Expires Service principal 01.11.2018 10:00:00 01.11.2018 20:00:00 krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM renew until 08.11.2018 05:00:00
Display the available domains:
# wbinfo --all-domainsBUILTIN SAMBA-SERVER AD
If you do not want to use the deprecated RC4 ciphers, you can enable the AES encryption type in AD. See Enabling the AES encryption type in Active Directory using a GPO.
1.5.2. Using the local authorization plug-in for MIT Kerberos
The winbind service provides {AD} users to the domain member. In certain situations, administrators want to enable domain users to authenticate to local services, such as an SSH server, which are running on the domain member. When using Kerberos to authenticate the domain users, enable the winbind_krb5_localauth plug-in to correctly map Kerberos principals to {AD} accounts through the winbind service.
For example, if the sAMAccountName attribute of an {AD} user is set to EXAMPLE and the user tries to log with the user name lowercase, Kerberos returns the user name in upper case. As a consequence, the entries do not match and authentication fails.
Using the winbind_krb5_localauth plug-in, the account names are mapped correctly. Note that this only applies to GSSAPI authentication and not for getting the initial ticket granting ticket (TGT).
Prerequisites
- Samba is configured as a member of an {AD}.
- Red Hat Enterprise Linux authenticates log in attempts against {AD}.
-
The
winbindservice is running.
Procedure
Edit the
/etc/krb5.conffile and add the following section:[plugins] localauth = { module = winbind:/usr/lib64/samba/krb5/winbind_krb5_localauth.so enable_only = winbind }For more information, see the
winbind_krb5_localauth(8)man page on your system.
1.5.3. Enabling certificate auto-enrollment on a Samba client
Enable certificate auto-enrollment on a Samba client to automate certificate requests and renewals from an Active Directory (AD) certificate authority (CA). This feature helps you prevent outages by managing certificates without manual monitoring or user interaction.
If an AD provides a certificate authority (CA) and a RHEL host is a member of the AD, you can enable certificate auto-enrollment on the RHEL host. Samba then applies the auto-enrollment group policy from AD, and configures the certmonger service to request and manage certificates.
Prerequisites
- Samba is configured as a member of an AD.
A Windows server in the AD has the Active Directory Certificate Services server role with the following services installed:
- Certificate Authority
- Certificate Enrollment
- Policy Web Service
- Internet Information Services (ISS) is configured to provide the certificate auto-enrollment feature over HTTPS.
- ISS uses a certificate issued by the AD CA.
- The Certificate Enrollment service supports Kerberos Authentication.
- A group policy object (GPO) for certificate auto-enrollment is configured in AD.
Procedure
Install the
samba-gpupdatepackage:# dnf install samba-gpupdateAppend the following settings to the
/etc/samba/smb.conffile:kerberos method = secrets and keytab sync machine password to keytab = "/etc/krb5.keytab:account_name:sync_spns:spn_prefixes=host:sync_kvno:machine_password", "/etc/samba/cepces.keytab:account_name:machine_password" apply group policies = yesThe settings specified in the Samba configuration include the following configuration:
kerberos method = secrets and keytab-
Configures Samba to use the
/var/lib/samba/private/secrets.tdbfile first to verify Kerberos tickets and then the/etc/krb5.keytabfile. sync machine password to keytab = <list_of_keytab_files_and_their_principals>-
Defines paths to keytab files that Samba maintains and the Kerberos principals in these files. With the shown value, Samba continues maintaining the
/etc/krb5.keytabsystem keytab and, additionally, a/etc/samba/cepces.keytabfile that thecepces-submitsubmission helper forcertmongeruses to authenticate to the CA. apply group policies = yes-
Configures the
winbindservice to execute thegpupdatecommand in intervals. The update interval is 90 minutes, plus a random offset between 0 and 30 minutes.
Create the
/etc/samba/cepces.keytabfile:# net ads keytab createEdit the
/etc/cepces/cepces.conffile, and make the following changes:In the
[global]section, set theservervariable to the fully-qualified domain name (FQDN) of the Windows server which runs the CA service:[global] server=win-server.ad.example.comIn the
[kerberos]section, set thekeytabvariable to/etc/samba/cepces.keytab:[kerberos] keytab=/etc/samba/cepces.keytab
Enable and start the
certmongerservice:# systemctl enable --now certmongerThe
certmongerservice requests the certificates from the CA and automatically renews them before they expire.Manually run
samba-gpupdateto ensure that the group policies have been loaded from AD:# samba-gpupdateThe
certmongerservice stores the keys and certificates in the following directories:-
Private keys:
/var/lib/samba/private/certs/ Issued certificates:
/var/lib/samba/certs/You can now start using the keys and certificates in services on the same host.
-
Private keys:
Optional: Display the certificates that
certmongermanages:# getcert listNumber of certificates and requests being tracked: 1. Request ID 'AD-ROOT-CA.Machine': status: MONITORING stuck: no key pair storage: type=FILE,location='/var/lib/samba/private/certs/AD-ROOT-CA.Machine.key' certificate: type=FILE,location='/var/lib/samba/certs/AD-ROOT-CA.Machine.crt' CA: AD-ROOT-CA issuer: CN=AD-ROOT-CA,DC=ad,DC=example,DC=com subject: CN=rhel9.ad.example.com issued: 2025-03-25 14:22:07 CET expires: 2026-03-25 14:22:07 CET dns: rhel9.ad.example.com key usage: digitalSignature,keyEncipherment eku: id-kp-clientAuth,id-kp-serverAuth certificate template/profile: Machine profile: Machine pre-save command: post-save command: track: yes auto-renew: yesBy default, the Windows CA issues only a certificate by using the
Machinecertificate template. If you configured additional templates in the Windows CA that apply for this host,certmongerrequests certificates for these templates as well, and thegetcert listoutput includes also entries for them.
1.6. Setting up Samba on an IdM domain member
You can set up Samba on a host that is joined to a Red Hat Identity Management (IdM) domain. Users from IdM and also, if available, from trusted Active Directory (AD) domains, can access shares and printer services provided by Samba.
Using Samba on an IdM domain member is an unsupported Technology Preview feature and contains certain limitations. For example, IdM trust controllers do not support the Active Directory Global Catalog service, and they do not support resolving IdM groups using the Distributed Computing Environment / Remote Procedure Calls (DCE/RPC) protocols. As a consequence, AD users can only access Samba shares and printers hosted on IdM clients when logged in to other IdM clients; AD users logged into a Windows machine cannot access Samba shares hosted on an IdM domain member.
Customers deploying Samba on IdM domain members are encouraged to provide feedback to Red Hat.
If users from AD domains need to access shares and printer services provided by Samba, ensure the AES encryption type is enabled is AD.
1.6.1. Prerequisites
- The host is joined as a client to the IdM domain.
- Both the IdM servers and the client must run on RHEL 10.
1.6.2. Preparing the IdM domain for installing Samba on domain members
Before you can set up Samba on an IdM client, you must prepare the IdM domain using the ipa-adtrust-install utility on an IdM server.
Any system where you run the ipa-adtrust-install command automatically becomes an AD trust controller. However, you must run ipa-adtrust-install only once on an IdM server.
Prerequisites
- IdM server is installed.
- You have root privileges to install packages and restart IdM services.
Procedure
Install the required packages:
[root@ipaserver ~]# dnf install ipa-server-trust-ad samba-clientAuthenticate as the IdM administrative user:
[root@ipaserver ~]# kinit adminRun the
ipa-adtrust-installutility:[root@ipaserver ~]# ipa-adtrust-installThe DNS service records are created automatically if IdM was installed with an integrated DNS server.
If you installed IdM without an integrated DNS server,
ipa-adtrust-installprints a list of service records that you must manually add to DNS before you can continue.The script prompts you that the
/etc/samba/smb.confalready exists and will be rewritten:WARNING: The smb.conf already exists. Running ipa-adtrust-install will break your existing Samba configuration. Do you wish to continue? [no]: yesThe script prompts you to configure the
slapi-nisplug-in, a compatibility plug-in that allows older Linux clients to work with trusted users:Do you want to enable support for trusted domains in Schema Compatibility plugin? This will allow clients older than SSSD 1.9 and non-Linux clients to work with trusted users. Enable trusted domains support in slapi-nis? [no]: yesYou are prompted to run the SID generation task to create a SID for any existing users:
Do you want to run the ipa-sidgen task? [no]: yesThis is a resource-intensive task, so if you have a high number of users, you can run this at another time.
Optional: By default, the Dynamic RPC port range is defined as
49152-65535for Windows Server 2008 and later. If you need to define a different Dynamic RPC port range for your environment, configure Samba to use different ports and open those ports in your firewall settings. The following example sets the port range to55000-65000.[root@ipaserver ~]# net conf setparm global 'rpc server dynamic port range' 55000-65000 [root@ipaserver ~]# firewall-cmd --add-port=55000-65000/tcp [root@ipaserver ~]# firewall-cmd --runtime-to-permanentRestart the
ipaservice:[root@ipaserver ~]# ipactl restartUse the
smbclientutility to verify that Samba responds to Kerberos authentication from the IdM side:[root@ipaserver ~]# smbclient -L ipaserver.idm.example.com -U user_name --use-kerberos=requiredlp_load_ex: changing to config backend registry Sharename Type Comment --------- ---- ------- IPC$ IPC IPC Service (Samba 4.15.2) ...
1.6.3. Installing and configuring a Samba server on an IdM client
You can install and configure Samba on an IdM client to securely share files with integrated authentication, leveraging IdM domain accounts for access. Ensure proper prerequisites and configuration to enable seamless resource sharing across your network.
Prerequisites
- Both the IdM servers and the client must run on RHEL 10 or later.
- The IdM domain is prepared as described in Preparing the IdM domain for installing Samba on domain members.
- If IdM has a trust configured with AD, enable the AES encryption type for Kerberos. For example, use a group policy object (GPO) to enable the AES encryption type. For details, see Enabling AES encryption in Active Directory using a GPO.
Procedure
Install the
ipa-client-sambapackage:[root@idm_client]# dnf install ipa-client-sambaUse the
ipa-client-sambautility to prepare the client and create an initial Samba configuration:[root@idm_client]# ipa-client-sambaSearching for IPA server... IPA server: DNS discovery Chosen IPA master: idm_server.idm.example.com SMB principal to be created: cifs/idm_client.idm.example.com@IDM.EXAMPLE.COM NetBIOS name to be used: IDM_CLIENT Discovered domains to use: Domain name: idm.example.com NetBIOS name: IDM SID: S-1-5-21-525930803-952335037-206501584 ID range: 212000000 - 212199999 Domain name: ad.example.com NetBIOS name: AD SID: None ID range: 1918400000 - 1918599999 Continue to configure the system with these values? [no]: yes Samba domain member is configured. Please check configuration at /etc/samba/smb.conf and start smb and winbind servicesBy default,
ipa-client-sambaautomatically adds the[homes]section to the/etc/samba/smb.conffile that dynamically shares a user’s home directory when the user connects. If users do not have home directories on this server, or if you do not want to share them, remove the following lines from/etc/samba/smb.conf:[homes] read only = noShare directories and printers. For details, see:
Open the ports required for a Samba client in the local firewall:
[root@idm_client]# firewall-cmd --permanent --add-service=samba-client[root@idm_client]# firewall-cmd --reloadEnable and start the
smbandwinbindservices:[root@idm_client]# systemctl enable --now smb winbind
Verification
Run the following verification step on a different IdM domain member that has the
samba-clientpackage installed:List the shares on the Samba server using Kerberos authentication:
$ smbclient -L idm_client.idm.example.com -U user_name --use-kerberos=requiredlp_load_ex: changing to config backend registry Sharename Type Comment --------- ---- ------- example Disk IPC$ IPC IPC Service (Samba 4.15.2) ...For more information, see the
ipa-client-samba(1)man page on your system.
1.6.4. Manually adding an ID mapping configuration if IdM trusts a new domain
Samba requires an ID mapping configuration for each domain from which users access resources. On an existing Samba server running on an IdM client, you must manually add an ID mapping configuration after the administrator added a new trust to an Active Directory (AD) domain.
Prerequisites
- You configured Samba on an IdM client. Afterward, a new trust was added to IdM.
- The DES and RC4 encryption types for Kerberos must be disabled in the trusted AD domain. For security reasons, RHEL 10 does not support these weak encryption types.
Procedure
Authenticate using the host’s keytab:
[root@idm_client]# kinit -kUse the
ipa idrange-findcommand to display both the base ID and the ID range size of the new domain. For example, the following command displays the values for thead.example.comdomain:[root@idm_client]# ipa idrange-find --name="AD.EXAMPLE.COM_id_range" --raw--------------- 1 range matched --------------- cn: AD.EXAMPLE.COM_id_range ipabaseid: 1918400000 ipaidrangesize: 200000 ipabaserid: 0 ipanttrusteddomainsid: S-1-5-21-968346183-862388825-1738313271 iparangetype: ipa-ad-trust ---------------------------- Number of entries returned 1 ----------------------------You need the values from the
ipabaseidandipaidrangesizeattributes in the next steps.To calculate the highest usable ID, use the following formula:
maximum_range = ipabaseid + ipaidrangesize - 1With the values from the previous step, the highest usable ID for the
ad.example.comdomain is1918599999(1918400000 + 200000 - 1).Edit the
/etc/samba/smb.conffile, and add the ID mapping configuration for the domain to the[global]section:idmap config AD : range = 1918400000 - 1918599999 idmap config AD : backend = sssSpecify the value from
ipabaseidattribute as the lowest and the computed value from the previous step as the highest value of the range.Restart the
smbandwinbindservices:[root@idm_client]# systemctl restart smb winbind
Verification
List the shares on the Samba server using Kerberos authentication:
$ smbclient -L idm_client.idm.example.com -U user_name --use-kerberos=requiredlp_load_ex: changing to config backend registry Sharename Type Comment --------- ---- ------- example Disk IPC$ IPC IPC Service (Samba 4.15.2) ...
1.13. Configuring Samba for macOS clients
The fruit virtual file system (VFS) Samba module provides enhanced compatibility with Apple server message block (SMB) clients.
1.15. Setting up Samba as a print server
If you set up Samba as a print server, clients in your network can use Samba to print. Additionally, Windows clients can, if configured, download the driver from the Samba server.
1.15.1. Prerequisites
Samba has been set up in one of the following modes:
- Standalone server
- Domain member
1.15.2. Enabling print server support in Samba
By default, print server support is not enabled in Samba. To use Samba as a print server, you must configure Samba accordingly.
Print jobs and printer operations require remote procedure calls (RPCs). By default, Samba starts the rpcd_spoolss service on demand to manage RPCs. During the first RPC call, or when you update the printer list in CUPS, Samba retrieves the printer information from CUPS. This can require approximately 1 second per printer. Therefore, if you have more than 50 printers, tune the rpcd_spoolss settings.
Prerequisites
The printers are configured in a CUPS server.
For details about configuring printers in CUPS, see the documentation provided in the CUPS web console (https://printserver:631/help) on the print server.
Procedure
Edit the
/etc/samba/smb.conffile:Add the
[printers]section to enable the printing backend in Samba:[printers] comment = All Printers path = /var/tmp/ printable = yes create mask = 0600ImportantThe
[printers]share name is hard-coded and cannot be changed.If the CUPS server runs on a different host or port, specify the setting in the
[printers]section:cups server = printserver.example.com:631If you have many printers, set the number of idle seconds to a higher value than the numbers of printers connected to CUPS. For example, if you have 100 printers, set in the
[global]section:rpcd_spoolss:idle_seconds = 200If this setting does not scale in your environment, also increase the number of
rpcd_spoolssworkers in the[global]section:rpcd_spoolss:num_workers = 10By default,
rpcd_spoolssstarts 5 workers.
Verify the
/etc/samba/smb.conffile:# testparmOpen the required ports and reload the firewall configuration using the
firewall-cmdutility:# firewall-cmd --permanent --add-service=samba# firewall-cmd --reloadRestart the
smbservice:# systemctl restart smbAfter restarting the service, Samba automatically shares all printers that are configured in the CUPS back end. If you want to manually share only specific printers, see
Verification
Submit a print job. For example, to print a PDF file, enter:
# smbclient -Uuser //sambaserver.example.com/printer_name -c "print example.pdf"
1.15.3. Manually sharing specific printers
If you configured Samba as a print server, by default, Samba shares all printers that are configured in the CUPS back end. The following procedure explains how to share only specific printers.
Prerequisites
- Samba is set up as a print server
Procedure
Edit the
/etc/samba/smb.conffile:In the
[global]section, disable automatic printer sharing by setting:load printers = noAdd a section for each printer you want to share. For example, to share the printer named
examplein the CUPS back end asExample-Printerin Samba, add the following section:[Example-Printer] path = /var/tmp/ printable = yes printer name = exampleYou do not need individual spool directories for each printer. You can set the same spool directory in the
pathparameter for the printer as you set in the[printers]section.
Verify the
/etc/samba/smb.conffile:# testparmReload the Samba configuration:
# smbcontrol all reload-config
1.16. Setting up automatic printer driver downloads for Windows clients on Samba print servers
If you are running a Samba print server for Windows clients, you can upload drivers and preconfigure printers.
If a user connects to a printer, Windows automatically downloads and installs the driver locally on the client. The user does not require local administrator permissions for the installation. Additionally, Windows applies preconfigured driver settings, such as the number of trays.
1.16.1. Prerequisites
- Samba is set up as a print server
1.16.2. Basic information about printer drivers
Learn key concepts about printer drivers in Samba, including supported versions and limitations. Understand driver preparation and how to provide compatible drivers for both 32-bit and 64-bit Windows clients in different environments.
Supported driver model version
Samba only supports the printer driver model version 3 which is supported in Windows 2000 and later, and Windows Server 2000 and later. Samba does not support the driver model version 4, introduced in Windows 8 and Windows Server 2012. However, these and later Windows versions also support version 3 drivers.
Package-aware drivers
Samba does not support package-aware drivers.
Preparing a printer driver for being uploaded
Before you can upload a driver to a Samba print server:
- Unpack the driver if it is provided in a compressed format.
Some drivers require to start a setup application that installs the driver locally on a Windows host. In certain situations, the installer extracts the individual files into the operating system’s temporary folder during the setup runs. To use the driver files for uploading:
- Start the installer.
- Copy the files from the temporary folder to a new location.
- Cancel the installation.
Ask your printer manufacturer for drivers that support uploading to a print server.
Providing 32-bit and 64-bit drivers for a printer to a client
To provide the driver for a printer for both 32-bit and 64-bit Windows clients, you must upload a driver with exactly the same name for both architectures. For example, if you are uploading the 32-bit driver named Example PostScript and the 64-bit driver named Example PostScript (v1.0), the names do not match. Consequently, you can only assign one of the drivers to a printer and the driver will not be available for both architectures.
1.16.3. Enabling users to upload and preconfigure drivers
To be able to upload and preconfigure printer drivers, a user or a group needs to have the SePrintOperatorPrivilege privilege granted. A user must be added into the printadmin group. Red Hat Enterprise Linux automatically creates this group when you install the samba package. The printadmin group gets assigned the lowest available dynamic system GID that is lower than 1000.
Procedure
For example, to grant the
SePrintOperatorPrivilegeprivilege to theprintadmingroup:# net rpc rights grant "printadmin" SePrintOperatorPrivilege -U "DOMAIN\administrator"Enter DOMAIN\administrator's password: Successfully granted rights.NoteIn a domain environment, grant
SePrintOperatorPrivilegeto a domain group. This enables you to centrally manage the privilege by updating a user’s group membership.To list all users and groups having
SePrintOperatorPrivilegegranted:# net rpc rights list privileges SePrintOperatorPrivilege -U "DOMAIN\administrator"Enter administrator's password: SePrintOperatorPrivilege: BUILTIN\Administrators DOMAIN\printadmin
1.16.5. Creating a GPO to enable clients to trust the Samba print server
For security reasons, recent Windows operating systems prevent clients from downloading non-package-aware printer drivers from an untrusted server. If your print server is a member in an AD, you can create a Group Policy Object (GPO) in your domain to trust the Samba server.
Prerequisites
- The Samba print server is a member of an AD domain.
- The Windows computer you are using to create the GPO must have the Windows Remote Server Administration Tools (RSAT) installed. For details, see the Windows documentation.
Procedure
-
Log into a Windows computer using an account that is allowed to edit group policies, such as the AD domain
Administratoruser. -
Open the
Group Policy Management Console. Right-click to your AD domain and select
Create a GPO in this domain, and Link it here.
-
Enter a name for the GPO, such as
Legacy Printer Driver Policyand clickOK. The new GPO will be displayed under the domain entry. -
Right-click to the newly-created GPO and select
Editto open theGroup Policy Management Editor. Navigate to
. 
On the right side of the window, double-click
Point and Print Restrictionto edit the policy:Enable the policy and set the following options:
-
Select
Users can only point and print to these serversand enter the fully-qualified domain name (FQDN) of the Samba print server to the field next to this option. In both check boxes under
Security Prompts, selectDo not show warning or elevation prompt.
-
Select
- Click OK.
Double-click
Package Point and Print - Approved serversto edit the policy:-
Enable the policy and click the
Showbutton. Enter the FQDN of the Samba print server.
-
Close both the
Show Contentsand the policy’s properties window by clickingOK.
-
Enable the policy and click the
-
Close the
Group Policy Management Editor. Close the
Group Policy Management Console.After the Windows domain members applied the group policy, printer drivers are automatically downloaded from the Samba server when a user connects to a printer.
For using group policies, see the Windows documentation.
1.16.6. Uploading drivers and preconfiguring printers
Use the Print Management application on a Windows client to upload drivers and preconfigure printers hosted on the Samba print server. For further details, see the Windows documentation.
1.17. Running Samba on a server with FIPS mode enabled
This section provides an overview of the limitations of running Samba with FIPS mode enabled. It also provides the procedure for enabling FIPS mode on a Red Hat Enterprise Linux host running Samba.
1.17.1. Limitations of using Samba in FIPS mode
Samba features have specific limitations when running in FIPS mode, with some modes working under certain conditions while others are restricted for security compliance.
The following Samba modes and features work in FIPS mode under the indicated conditions:
- Samba as a domain member only in Active Directory (AD) or Red Hat Enterprise Linux Identity Management (IdM) environments with Kerberos authentication that uses AES ciphers.
- Samba as a file server on an Active Directory domain member. However, this requires that clients use Kerberos to authenticate to the server.
Due to the increased security of FIPS, the following Samba features and modes do not work if FIPS mode is enabled:
- NT LAN Manager (NTLM) authentication because RC4 ciphers are blocked
- The server message block version 1 (SMB1) protocol
- The stand-alone file server mode because it uses NTLM authentication
- NT4-style domain controllers
- NT4-style domain members. Note that Red Hat continues supporting the primary domain controller (PDC) functionality IdM uses in the background.
- Password changes against the Samba server. You can only perform password changes using Kerberos against an Active Directory domain controller.
The following feature is not tested in FIPS mode and, therefore, is not supported by Red Hat:
- Running Samba as a print server
1.17.2. Using Samba in FIPS mode
You can enable the FIPS mode on a RHEL host that runs Samba.
Prerequisites
- Samba is configured on the Red Hat Enterprise Linux host.
- Samba runs in a mode that is supported in FIPS mode.
Procedure
Enable the FIPS mode on RHEL:
# fips-mode-setup --enableReboot the server:
# rebootUse the
testparmutility to verify the configuration:# testparm -sIf the command displays any errors or incompatibilities, fix them to ensure that Samba works correctly.
1.18. Tuning the performance of a Samba server
Learn what settings can improve the performance of Samba in certain situations, and which settings can have a negative performance impact.
1.18.1. Prerequisites
- Samba is set up as a file or print server.
1.18.2. Setting the SMB protocol version
Each new SMB version adds features and improves the performance of the protocol. The recent Windows and Windows Server operating systems always supports the latest protocol version. If Samba also uses the latest protocol version, Windows clients connecting to Samba benefit from the performance improvements. In Samba, the default value of the server max protocol is set to the latest supported stable SMB protocol version.
To always have the latest stable SMB protocol version enabled, do not set the server max protocol parameter. If you set the parameter manually, you will need to modify the setting with each new version of the SMB protocol, to have the latest protocol version enabled.
The following procedure explains how to use the default value in the server max protocol parameter.
Procedure
-
Remove the
server max protocolparameter from the[global]section in the/etc/samba/smb.conffile. Reload the Samba configuration
# smbcontrol all reload-config
1.18.4. Settings that can have a negative performance impact
By default, the kernel in Red Hat Enterprise Linux is tuned for high network performance. For example, the kernel uses an auto-tuning mechanism for buffer sizes. Setting the socket options parameter in the /etc/samba/smb.conf file overrides these kernel settings. As a result, setting this parameter decreases the Samba network performance in most cases.
To use the optimized settings from the Kernel, remove the socket options parameter from the [global] section in the /etc/samba/smb.conf.
1.19. Configuring Samba to be compatible with clients that require an SMB version lower than the default
Samba uses a reasonable and secure default value for the minimum server message block (SMB) version it supports. However, if you have clients that require an older SMB version, you can configure Samba to support it.
1.19.1. Setting the minimum SMB protocol version supported by a Samba server
In Samba, the server min protocol parameter in the /etc/samba/smb.conf file defines the minimum server message block (SMB) protocol version the Samba server supports. You can change the minimum SMB protocol version. For more information, see the smb.conf(5) man page on your system.
By default, Samba on RHEL 8.2 and later supports only SMB2 and newer protocol versions. Red Hat recommends to not use the deprecated SMB1 protocol. However, if your environment requires SMB1, you can manually set the server min protocol parameter to NT1 to re-enable SMB1.
Prerequisites
- Samba is installed and configured.
Procedure
Edit the
/etc/samba/smb.conffile, add theserver min protocolparameter, and set the parameter to the minimum SMB protocol version the server should support. For example, to set the minimum SMB protocol version toSMB3, add:server min protocol = SMB3Restart the
smbservice:# systemctl restart smb
1.20. Frequently used Samba command-line utilities
This chapter describes frequently used commands when working with a Samba server.
1.20.1. Using the net ads join and net rpc join commands
Using the join subcommand of the net utility, you can join Samba to an AD or NT4 domain. To join the domain, you must create the /etc/samba/smb.conf file manually, and optionally update additional configurations, such as PAM.
Red Hat recommends using the realm utility to join a domain. The realm utility automatically updates all involved configuration files.
Procedure
Manually create the
/etc/samba/smb.conffile with the following settings:For an AD domain member:
[global] workgroup = domain_name security = ads passdb backend = tdbsam realm = AD_REALMFor an NT4 domain member:
[global] workgroup = domain_name security = user passdb backend = tdbsam
-
Add an ID mapping configuration for the
*default domain and for the domain you want to join to the[global] section in the/etc/samba/smb.conffile. Verify the
/etc/samba/smb.conffile:# testparmJoin the domain as the domain administrator:
To join an AD domain:
# net ads join -U "DOMAIN\administrator"To join an NT4 domain:
# net rpc join -U "DOMAIN\administrator"
Append the
winbindsource to thepasswdandgroupdatabase entry in the/etc/nsswitch.conffile:passwd: files winbind group: files winbindEnable and start the
winbindservice:# systemctl enable --now winbindOptional: Configure PAM using the
authselectutility.For details, see the
authselect(8)man page on your system.Optional: For AD environments, configure the Kerberos client.
For details, see the documentation of your Kerberos client.
1.20.2. Using the net rpc rights command
In Windows, you can assign privileges to accounts and groups to perform special operations, such as setting ACLs on a share or upload printer drivers. On a Samba server, you can use the net rpc rights command to manage privileges.
Listing privileges you can set
To list all available privileges and their owners, use the net rpc rights list command. For example:
# net rpc rights list -U "DOMAIN\administrator"Enter DOMAIN\administrator's password:
SeMachineAccountPrivilege Add machines to domain
SeTakeOwnershipPrivilege Take ownership of files or other objects
SeBackupPrivilege Back up files and directories
SeRestorePrivilege Restore files and directories
SeRemoteShutdownPrivilege Force shutdown from a remote system
SePrintOperatorPrivilege Manage printers
SeAddUsersPrivilege Add users and groups to the domain
SeDiskOperatorPrivilege Manage disk shares
SeSecurityPrivilege System securityGranting privileges
To grant a privilege to an account or group, use the net rpc rights grant command.
For example, grant the SePrintOperatorPrivilege privilege to the DOMAIN\printadmin group:
# net rpc rights grant "DOMAIN\printadmin" SePrintOperatorPrivilege -U "DOMAIN\administrator"Enter DOMAIN\administrator's password:
Successfully granted rights.Revoking privileges
To revoke a privilege from an account or group, use the net rpc rights revoke command.
For example, to revoke the SePrintOperatorPrivilege privilege from the DOMAIN\printadmin group:
# net rpc rights remoke "DOMAIN\printadmin" SePrintOperatorPrivilege -U "DOMAIN\administrator"Enter DOMAIN\administrator's password:
Successfully revoked rights.1.20.4. Using the net user command
The net user command enables you to perform the following actions on an AD DC or NT4 PDC:
- List all user accounts
- Add users
- Remove Users
Specifying a connection method, such as ads for AD domains or rpc for NT4 domains, is only required when you list domain user accounts. Other user-related subcommands can auto-detect the connection method.
Pass the -U user_name parameter to the command to specify a user that is allowed to perform the requested action.
Listing domain user accounts
To list all users in an AD domain:
# net ads user -U "DOMAIN\administrator"To list all users in an NT4 domain:
# net rpc user -U "DOMAIN\administrator"Adding a user account to the domain
On a Samba domain member, you can use the net user add command to add a user account to the domain.
For example, add the user account to the domain:
Add the account:
# net user add user password -U "DOMAIN\administrator"User user addedOptional: Use the remote procedure call (RPC) shell to enable the account on the AD DC or NT4 PDC. For example:
# net rpc shell -U DOMAIN\administrator -S DC_or_PDC_nameTalking to domain DOMAIN (S-1-5-21-1424831554-512457234-5642315751) net rpc> user edit disabled user: no Set user's disabled flag from [yes] to [no] net rpc> exit
Deleting a user account from the domain
On a Samba domain member, you can use the net user delete command to remove a user account from the domain.
For example, to remove the user account from the domain:
# net user delete user -U "DOMAIN\administrator"User user deleted1.20.5. Using the rpcclient utility
The rpcclient utility enables you to manually execute client-side Microsoft Remote Procedure Call (MS-RPC) functions on a local or remote SMB server. However, most of the features are integrated into separate utilities provided by Samba. Use rpcclient only for testing MS-PRC functions.
Prerequisites
-
The
samba-clientpackage is installed.
Procedure
You can use the
rpcclientutility to:Manage the printer Spool Subsystem (SPOOLSS) by assigning a driver to a printer:
# rpcclient server_name -U "DOMAIN\administrator" -c 'setdriver "printer_name" "driver_name"'Enter DOMAIN\administrators password: Successfully set printer_name to driver driver_name.Retrieve information about an SMB server by listing all file shares and shared printers:
# rpcclient server_name -U "DOMAIN\administrator" -c 'netshareenum'Enter DOMAIN\administrators password: netname: Example_Share remark: path: C:\srv\samba\example_share\ password: netname: Example_Printer remark: path: C:\var\spool\samba\ password:Perform actions using the Security Account Manager Remote (SAMR) protocol by listing Users on an SMB Server:
# rpcclient server_name -U "DOMAIN\administrator" -c 'enumdomusers'Enter DOMAIN\administrators password: user:[user1] rid:[0x3e8] user:[user2] rid:[0x3e9]If you run the command against a standalone server or a domain member, it lists the users in the local database. Running the command against an AD DC or NT4 PDC lists the domain users.
For more information, please see the
rpcclient(1)man page on your system.
1.20.6. Using the samba-regedit application
Certain settings, such as printer configurations, are stored in the registry on the Samba server. You can use the ncurses-based samba-regedit application to edit the registry of a Samba server.
Prerequisites
-
The
samba-clientpackage is installed.
Procedure
To start the application, enter:
# samba-regeditUse the following keys:
- Cursor up and cursor down: Navigate through the registry tree and the values.
- Enter: Opens a key or edits a value.
-
Tab: Switches between the
KeyandValuepane. - Ctrl+C: Closes the application.
1.20.7. Using the smbcontrol utility
The smbcontrol utility enables you to send command messages to the smbd, nmbd, winbindd, or all of these services. These control messages instruct the service, for example, to reload its configuration.
Prerequisites
-
The
samba-common-toolspackage is installed.
Procedure
Reload the configuration of the
smbd,nmbd,winbinddservices by sending thereload-configmessage type to thealldestination:# smbcontrol all reload-configFor more information, see the
smbcontrol(1)man page on your system.
1.20.8. Using the smbpasswd utility
The smbpasswd utility manages user accounts and passwords in the local Samba database. For more information, see the smbpasswd(8) man page on your system.
Prerequisites
-
The
samba-common-toolspackage is installed.
Procedure
If you run the command as a user,
smbpasswdchanges the Samba password of the user who run the command. For example:[user@server ~]$ smbpasswd New SMB password: password Retype new SMB password: passwordIf you run
smbpasswdas therootuser, you can use the utility, for example, to:Create a new user:
[root@server ~]# smbpasswd -a user_name New SMB password: password Retype new SMB password: password Added user user_name.NoteBefore you can add a user to the Samba database, you must create the account in the local operating system.
Enable a Samba user:
[root@server ~]# smbpasswd -e user_name Enabled user user_name.Disable a Samba user:
[root@server ~]# smbpasswd -x user_name Disabled user user_nameDelete a user:
[root@server ~]# smbpasswd -x user_name Deleted user user_name.
1.20.9. Using the smbstatus utility
The smbstatus utility reports on:
-
Connections per PID of each
smbddaemon to the Samba server. This report includes the user name, primary group, SMB protocol version, encryption, and signing information. -
Connections per Samba share. This report includes the PID of the
smbddaemon, the IP of the connecting machine, the time stamp when the connection was established, encryption, and signing information. - A list of locked files. The report entries include further details, such as opportunistic lock (oplock) types
Prerequisites
-
The
sambapackage is installed. -
The
smbdservice is running.
Procedure
Run the
smbstatusutility:# smbstatusSamba version 4.15.2 PID Username Group Machine Protocol Version Encryption Signing ....------------------------------------------------------------------------------------------------------------------------- 963 DOMAIN\administrator DOMAIN\domain users client-pc (ipv4:192.0.2.1:57786) SMB3_02 - AES-128-CMAC Service pid Machine Connected at Encryption Signing: ....--------------------------------------------------------------------------- example 969 192.0.2.1 Thu Nov 1 10:00:00 2018 CEST - AES-128-CMAC Locked files: Pid Uid DenyMode Access R/W Oplock SharePath Name Time ....-------------------------------------------------------------------------------------------------------- 969 10000 DENY_WRITE 0x120089 RDONLY LEASE(RWH) /srv/samba/example file.txt Thu Nov 1 10:00:00 2018For more information, see the
smbstatus(1)man page on your system.
1.20.10. Using the smbtar utility
The smbtar utility backs up the content of an SMB share or a subdirectory of it and stores the content in a tar archive. Alternatively, you can write the content to a tape device. For more information, see the smbtar(1) man page on your system.
Prerequisites
-
The
samba-clientpackage is installed.
Procedure
Use the following command to back up the content of the
demodirectory on the//server/example/share and store the content in the/root/example.tararchive:# smbtar -s server -x example -u user_name -p password -t /root/example.tar
1.20.11. Using the wbinfo utility
The wbinfo utility queries and returns information created and used by the winbindd service. For more information, see the wbinfo(1) man page on your system.
Prerequisites
-
The
samba-winbind-clientspackage is installed.
Procedure
You can use
wbinfo, for example, to:List domain users:
# wbinfo -uAD\administrator AD\guest ...List domain groups:
# wbinfo -gAD\domain computers AD\domain admins AD\domain users ...Display the SID of a user:
# wbinfo --name-to-sid="AD\administrator"S-1-5-21-1762709870-351891212-3141221786-500 SID_USER (1)Display information about domains and trusts:
# wbinfo --trusted-domains --verboseDomain Name DNS Domain Trust Type Transitive In Out BUILTIN None Yes Yes Yes server None Yes Yes Yes DOMAIN1 domain1.example.com None Yes Yes Yes DOMAIN2 domain2.example.com External No Yes Yes
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}