This repository has been archived by the owner on Jul 30, 2021. It is now read-only.

Red Hat Enterprise Linux 8 as an Active Directory Domain Services (AD DS) Member

This guide assumes a freshly installed RHEL 8 server (Server base environment) that is not yet a domain member.

Replace DOMAIN with the AD DS NetBIOS domain name and domain.example.com with the AD DS DNS name (FQDN) throughout. Before starting, point the server at the domain's DNS servers (realm discover relies on the domain's SRV records) and make sure its clock is synchronised with the domain controllers; Kerberos rejects requests outside its clock-skew window and the join fails.

DNF

Install EPEL (which provides dkms) and the Development Tools group, both needed if OpenZFS is installed as DKMS modules, then update the system:

$ sudo dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
$ sudo dnf group install "Development Tools"
$ sudo dnf update

Cockpit

Enable Cockpit (it listens on TCP 9090, which the default firewalld zone on RHEL 8 already allows):

$ sudo systemctl enable --now cockpit.socket

Install Cockpit ZFS Manager. It is a third-party plugin, and Cockpit pages run with the privileges of the user logged in to Cockpit, so review the checked-out source before copying it into /usr/share/cockpit:

$ git clone https://github.com/optimans/cockpit-zfs-manager.git
$ sudo cp -r cockpit-zfs-manager/zfs /usr/share/cockpit

OpenZFS

Install OpenZFS according to your own requirements (DKMS or kABI-tracking kmod packages) following the OpenZFS documentation: Getting Started: RHEL and CentOS.

Samba

Install Samba, winbind and the realmd tooling:

$ sudo dnf install -y realmd oddjob-mkhomedir oddjob samba-winbind-clients samba-winbind samba-common-tools
$ sudo dnf install -y samba
$ sudo dnf install -y samba-winbind-krb5-locator krb5-workstation samba-client

Remove (or back up) the stock smb.conf so that realm join starts from a clean file:

$ sudo rm /etc/samba/smb.conf

Discover the domain, then join it with winbind as the client software. -U Administrator prompts for that account's password; in practice use a dedicated account that has been delegated the right to join computers to the domain rather than Administrator:

$ sudo realm discover -vvv domain.example.com
$ sudo realm join --client-software=winbind domain.example.com -U Administrator

Start Samba:

$ sudo systemctl start smb

Verify that users and groups are resolved from AD DS through winbind:

$ sudo getent passwd "DOMAIN\Administrator"
$ sudo getent group "DOMAIN\Domain Users"
$ sudo wbinfo -g
$ sudo wbinfo -u
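The checks below are an added example and not part of the original page. They go beyond the getent and wbinfo lookups above: net ads testjoin confirms the machine account password still validates, wbinfo --ping-dc and wbinfo -t confirm winbind can reach a domain controller and verify the trust secret, and passwd_entry_in_idmap_range confirms that the UID winbind hands out for a domain user falls inside the winbind ID-mapping range rather than coming from /etc/passwd or another source. DOMAIN is the placeholder used throughout this page; the 10000-999999 range is an assumption, so read the real one from the idmap config DOMAIN : range line in /etc/samba/smb.conf. The passwd lines in the test are constructed.

```shell
#!/bin/bash
# Added example (not from the original page): post-join verification.
# Run verify_join as root after "realm join" has succeeded.

DOMAIN="DOMAIN"          # placeholder NetBIOS domain name, as on the page
IDMAP_MIN=10000          # assumed idmap range; read yours from smb.conf
IDMAP_MAX=999999

# Parse one "getent passwd" line and return 0 only if it is a well-formed
# 7-field entry whose UID lies inside the winbind idmap range. A UID outside
# the range means the name resolved from /etc/passwd or another NSS source,
# not from AD, which is a classic cause of confusing permission mismatches.
passwd_entry_in_idmap_range() {
    entry="$1"
    fields="$(printf '%s\n' "$entry" | awk -F: '{print NF}')"
    [ "$fields" -eq 7 ] || return 1
    uid="$(printf '%s\n' "$entry" | cut -d: -f3)"
    case "$uid" in ''|*[!0-9]*) return 1 ;; esac
    [ "$uid" -ge "$IDMAP_MIN" ] || return 1
    [ "$uid" -le "$IDMAP_MAX" ]
}

# Live checks against the domain; every command must succeed.
verify_join() {
    realm list || return 1            # expect "configured: kerberos-member"
    net ads testjoin || return 1      # machine account password still valid
    wbinfo --ping-dc || return 1      # winbind can reach a DC
    wbinfo -t || return 1             # trust secret verified via RPC
    entry="$(getent passwd "$DOMAIN\\Administrator")" || return 1
    if ! passwd_entry_in_idmap_range "$entry"; then
        echo "UID for $DOMAIN\\Administrator is outside the idmap range" >&2
        return 1
    fi
    id "$DOMAIN\\Administrator"       # groups should include Domain Admins
}
```

If verify_join fails at realm list or net ads testjoin, repeat the join before touching smb.conf; if it fails only at the range check, compare the idmap config lines in smb.conf with the UID shown by getent.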

Edit the Samba configuration file and set the AD DS ID-mapping schema mode, the ACL handling, and the shadow_copy2 settings that back Windows Previous Versions:

$ sudo nano /etc/samba/smb.conf

Append to the [global] section:

idmap config DOMAIN : schema_mode = rfc2307

vfs objects = acl_xattr shadow_copy2
store dos attributes = yes
map acl inherit = yes
inherit acls = yes
inherit permissions = yes

shadow: snapdir = .zfs/snapshot
shadow: sort = desc
shadow: format = %Y.%m.%d-%H.%M.%S
shadow: localtime = yes

admin users = @"DOMAIN\Domain Admins"

Three things to know about these settings. schema_mode = rfc2307 only takes effect when the domain's idmap backend is ad (check the idmap config DOMAIN : backend line that realm join wrote), and it reads uidNumber and gidNumber from AD, so users and groups without those attributes populated will not resolve. shadow: snapdir is relative to each share's path, so a share must be rooted at a ZFS dataset mountpoint, and only snapshots whose names parse with shadow: format (for example tank/share@2021.07.30-12.00.00, in local time because shadow: localtime = yes) appear in Previous Versions; any other snapshot is silently ignored. admin users makes every member of Domain Admins act as root for all file operations; it is what allows NTFS ACLs to be managed from Windows, but set in [global] it applies to every share on the server, so prefer setting it per share.

Reload the Samba configuration (VFS modules are loaded per connection, so the vfs objects change applies to new client connections):

$ sudo smbcontrol all reload-config
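The snapshot helper below is an added example, not code from the page or from the OpenZFS or Cockpit ZFS Manager projects. shadow_copy2 lists only snapshots whose names parse with the configured shadow: format, so this script names snapshots in the %Y.%m.%d-%H.%M.%S shape and in local time to match shadow: localtime = yes, refuses to create one that would not match, and filters a snapshot listing the same way Samba will. The dataset name tank/share is a placeholder; the snapshot names in the test are constructed.

```shell
#!/bin/bash
# Added example (not from the original page): OpenZFS snapshots that Samba's
# shadow_copy2 will show under Windows "Previous Versions".
# Assumes the share path is the mountpoint of the dataset (placeholder tank/share),
# so ".zfs/snapshot" sits directly under the share root.

SHADOW_FORMAT='%Y.%m.%d-%H.%M.%S'   # must equal "shadow: format" in smb.conf

# Name for a new snapshot. "shadow: localtime = yes" makes Samba parse the
# name as local time, so it is generated in local time (no date -u).
shadow_snapshot_name() {
    date +"$SHADOW_FORMAT"
}

# Return 0 if NAME has exactly the shape shadow_copy2 expects, else 1.
# Samba ignores names it cannot parse, which shows up as an empty
# "Previous Versions" tab rather than an error in the logs.
shadow_name_is_valid() {
    case "$1" in
        [0-9][0-9][0-9][0-9].[0-9][0-9].[0-9][0-9]-[0-9][0-9].[0-9][0-9].[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Filter snapshot names on stdin: print the ones shadow_copy2 will show,
# newest first ("shadow: sort = desc"), and report the rest on stderr.
filter_shadow_names() {
    while IFS= read -r snap; do
        if shadow_name_is_valid "$snap"; then
            printf '%s\n' "$snap"
        else
            printf 'ignored by shadow_copy2: %s\n' "$snap" >&2
        fi
    done | sort -r
}

# Take a snapshot of DATASET named for the current local time (run as root).
take_shadow_snapshot() {
    dataset="$1"
    name="$(shadow_snapshot_name)"
    shadow_name_is_valid "$name" || { echo "bad snapshot name: $name" >&2; return 1; }
    zfs snapshot "${dataset}@${name}"
}

# List the snapshots of DATASET that will appear in Previous Versions.
list_shadow_snapshots() {
    zfs list -H -t snapshot -o name -r "$1" | sed 's/.*@//' | filter_shadow_names
}
```

Schedule take_shadow_snapshot tank/share from cron or a systemd timer; list_shadow_snapshots tank/share then shows exactly what Windows clients will see, and any snapshot created with another naming scheme is reported as ignored.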

Grant SeDiskOperatorPrivilege so that members of these groups can create and modify shares and share permissions from Windows (Computer Management); -U prompts for the Administrator password:

$ sudo net rpc rights grant "DOMAIN\Domain Admins" SeDiskOperatorPrivilege -U "DOMAIN\Administrator"
$ sudo net rpc rights grant "DOMAIN\Enterprise Admins" SeDiskOperatorPrivilege -U "DOMAIN\Administrator"

Enable the SELinux booleans that let smbd export any directory read-only and read-write, which covers the ZFS mountpoints. These booleans are broad; for a fixed set of exported paths the narrower alternative is to label them samba_share_t with semanage fcontext and restorecon instead:

$ sudo setsebool -P samba_export_all_ro=1 samba_export_all_rw=1
$ sudo getsebool -a | grep samba_export

Create firewall rules for Samba:

$ sudo firewall-cmd --permanent --add-service=samba
$ sudo firewall-cmd --reload

Restart Samba and enable it at boot:

$ sudo systemctl restart smb
$ sudo systemctl enable smb
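Putting the Samba steps together, the script below is an added example and not the page's own configuration. It defines a share on a ZFS dataset with admin users scoped to that share instead of [global], checks that the share path is a dataset mountpoint (otherwise shadow: snapdir = .zfs/snapshot resolves to nothing), validates smb.conf with testparm before the running smbd ever sees it, and only then reloads. The share name data, the mountpoint /tank/data and the NetBIOS name DOMAIN are placeholders.

```shell
#!/bin/bash
# Added example, not from the original page: define a share on a ZFS dataset,
# validate smb.conf with testparm and only then reload smbd. Run as root.
# Hypothetical values: share "data" on the dataset mounted at /tank/data,
# NetBIOS domain name DOMAIN (substitute your own).

SHARE_NAME="data"
SHARE_PATH="/tank/data"
DOMAIN="DOMAIN"
SMB_CONF="/etc/samba/smb.conf"

# Render a share section. "admin users" is set per share instead of in
# [global]: members of Domain Admins then act as root for file operations on
# this share only (enough to manage NTFS ACLs from Windows) rather than on
# every share the server exports.
render_share_section() {
    name="$1"; path="$2"; domain="$3"
    cat <<EOF
[$name]
    path = $path
    read only = no
    browseable = yes
    valid users = @"$domain\\Domain Users"
    admin users = @"$domain\\Domain Admins"
EOF
}

# shadow_copy2 resolves "shadow: snapdir = .zfs/snapshot" relative to the
# share path, and .zfs only exists at a dataset mountpoint. Return 0 if PATH
# is the configured mountpoint of a ZFS dataset.
path_is_zfs_mountpoint() {
    zfs list -H -o mountpoint 2>/dev/null | grep -qx -- "$1"
}

# Append the section unless it already exists, check the result with testparm
# and reload. testparm -s exits non-zero when smb.conf cannot be loaded;
# misspelt parameter names are only warned about, so read its output as well.
install_share() {
    if grep -q "^\[$SHARE_NAME\]" "$SMB_CONF"; then
        echo "share [$SHARE_NAME] is already defined in $SMB_CONF" >&2
        return 1
    fi
    if ! path_is_zfs_mountpoint "$SHARE_PATH"; then
        echo "$SHARE_PATH is not a ZFS dataset mountpoint; Previous Versions would be empty" >&2
        return 1
    fi
    render_share_section "$SHARE_NAME" "$SHARE_PATH" "$DOMAIN" >> "$SMB_CONF"
    if ! testparm -s >/dev/null; then
        echo "$SMB_CONF failed testparm; fix it before reloading" >&2
        return 1
    fi
    smbcontrol all reload-config
}
```

With admin users moved into the share section, remove it from [global] so that Domain Admins are not root on shares that never needed it; testparm -s prints the effective configuration and is the quickest way to confirm where the setting now applies.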

Local Authorisation

Edit the Kerberos configuration file to register winbind's localauth plugin. It maps an authenticated Kerberos principal (user@DOMAIN.EXAMPLE.COM) to the winbind account name (DOMAIN\user), which is what lets domain users who authenticate with Kerberos tickets, for example SSH with GSSAPI, be authorised to local services:

$ sudo nano /etc/krb5.conf

Append to the end of the file:

[plugins]
    localauth = {
        module = winbind:/usr/lib64/samba/krb5/winbind_krb5_localauth.so
        enable_only = winbind
    }

Create a sudoers drop-in that grants sudo to domain groups. Group entries in sudoers must start with %; the winbind separator backslash is escaped as \\ and the space in the group name as \ . Use visudo -f (or run visudo -cf on the file afterwards) so a syntax error cannot lock you out, and keep the file mode 0440:

$ sudo visudo -f /etc/sudoers.d/DOMAIN

Add to file

%DOMAIN\\Domain\ Admins ALL=(ALL) ALL
%DOMAIN\\Enterprise\ Admins ALL=(ALL) ALL

Check the result:

$ sudo visudo -cf /etc/sudoers.d/DOMAIN
$ sudo -l -U "DOMAIN\Administrator"

Red Hat Enterprise Linux 8 Documentation