SAMBA Cross-Domain Trust File Server

From Michael's Information Zone
Jump to navigation Jump to search

Purpose

Existing file server is not configured properly. Will be moving this non-critical data to a new server running in AWS. Since I can live with some downtime if needed, it is much cheaper to use a small AWS instance than to use the expensive Windows based file service AWS offers.

Host

Host is t3a.small CentOS7 instance running on EC2. At the time of this writing CentOS8 is not available on the AWS store.
Though not a critical system, it will be holding sensitive data and I want native SELinux.

Config

Work in progress

Packages and Domain

  • Prep base OS with automatic updates and a firewall. Make sure to edit the yum-cron config to install security only, and to install updates after downloading.
sudo yum upgrade -y
  • Edit /etc/dhcp/dhclient.conf to include domain specific settings, then reboot.
prepend domain-search "domain1.tld", "domain2.tld";
prepend domain-name-servers 192.168.1.100, 192.168.1.101;
sudo reboot -h now

sudo yum -y install epel-release yum-cron firewalld
sudo systemctl enable --now firewalld
sudo systemctl enable --now yum-cron
sudo hostnamectl set-hostname myfileserver
sudo reboot -h now
  • Install kerberose and related packages, will join later.
sudo yum install -y realmd krb5-workstation oddjob oddjob-mkhomedir sssd samba-common samba-common-tools samba
sudo systemctl enable --now sssd
sudo realm join -U <username> domain1.tld

Disk

  • Create partition, mount data disk, create fstab entry. The below is for general reference only and omits finding the UUID and what options to use.
sudo fdisk /dev/nvme1n1
sudo mkfs.xfs /dev/nvme1n1p1
sudo mount /dev/disk/by-uuid/556cfbd6-18cf-4721-934c-f35835ee89c8 /mnt/data/

Apply selinux context. 

sudo semanage fcontext -a -t samba_share_t "/mnt/data(/.*)?"
sudo

Samba Config

[1] [2]

  • This smb.conf global entry was created using the referenced wiki.samba.org links, as well as referencing a smb.conf file from a FreeNAS server.
[global]
        workgroup = DOMAIN1
        security = ADS
        realm = DOMAIN1.TLD
        idmap config * : backend = tdb
        idmap config * : range = 1
        idmap config *: backend = tdb
        idmap config *: range = 1500-19999
        idmap config DOMAIN1: backend = rid
        idmap config DOMAIN1: range = 20000-79999
        idmap config DOMAIN2: backend = rid
        idmap config DOMAIN2: range = 80000-100000
        allow trusted domains = yes
        winbind refresh tickets = Yes
        vfs objects = acl_xattr
        map acl inherit = Yes
        store dos attributes = Yes
  • Start services
sudo systemctl enable --now smb
sudo systemctl enable --now nmb

sudo smbcontrol all reload-config
  1. https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
  2. https://wiki.samba.org/index.php/Idmap_config_ad
Retrieved from "https://wiki.1701technology.com/index.php?title=SAMBA_Cross-Domain_Trust_File_Server&oldid=1348"