Introduction
Are you struggling to integrate your Linux-based servers with your Active Directory environment? Joining Linux to AD can be a daunting task, but it’s essential for ensuring smooth file sharing and access control. In this guide, we’ll show you how to join Linux to AD and share folders using Samba. Follow our step-by-step instructions to configure Samba, join the domain, and optimize for seamless file sharing and access control.
Prerequisites
Before proceeding with this tutorial, you will need:
- A Linux machine running a supported version of Samba (Samba 4.x or later is recommended)
- An Active Directory domain and administrator account credentials with the permissions to join machines to the domain
- Basic knowledge of Linux terminal commands
Recommended Specs
For optimal performance, we recommend using a Linux machine with at least 2 CPU cores, 4GB of RAM, and 50GB of available storage.
Step 1: Install Samba and Join Linux to AD Domain
The first step is to install the Samba and Winbind packages on your Linux machine. To do this, open the terminal on your Linux machine and run the following commands:
Ubuntu / Debian
sudo apt-get update
sudo apt-get install samba winbind
CentOS / Fedora / Rocky
sudo yum update
sudo yum install samba-winbind samba-client
Next, join the Linux machine to the AD domain by running the following command:
sudo net ads join -U administrator
Replace “administrator” with a user account that has permission to join the Linux machine to the AD domain. You will be prompted for the password for this user account. Once the Linux machine has successfully joined the AD domain, you can verify the status by running the following command:
sudo net ads info
This command will display information about the domain that the Linux machine has joined.
Step 2: Create a Shared Folder and Set Permissions
The next step is to create a shared folder that can be accessed by members of the AD domain. To create a shared folder, run the following commands:
sudo mkdir /shared-folder
sudo chmod 777 /shared-folder
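Replace “/shared-folder” with the name of the folder that you want to create. The “chmod 777” command allows anyone to read, write, and execute files in the folder. This includes every local account on the Linux machine, so the filesystem itself does not restrict who can use the folder; the restrictions come from the Samba share settings added in Step 3.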
Step 3: Configure Samba
To configure Samba, you need to edit the Samba configuration file /etc/samba/smb.conf. Open the file using your favorite text editor and add the following lines at the end of the file:
[shared-folder]
path = /shared-folder
browsable = yes
create mask = 0664
directory mask = 0775
force group = sambausers
Replace “shared-folder” with the name of the folder you created in step 2.
- The “browsable” parameter specifies whether the shared folder will be visible to clients browsing the network.
- The “create mask” parameter sets the default file permissions for files created in the shared folder. The value 0664 allows the owner and group to read and write the files, and others to read the files.
- The “directory mask” parameter sets the default file permissions for directories created in the shared folder. The value 0775 allows the owner and group to read, write, and execute the directories, and others to read and execute the directories.
- The “force group” parameter ensures that any files or directories created in the shared folder are owned by the specified group. Replace “sambausers” with the name of the group that you want to grant access to the shared folder.
Now, add the following lines to the [shared-folder] section to create separate permissions for different AD groups:
valid users = @"DOMAIN\AD-GROUP1", @"DOMAIN\AD-GROUP2"
write list = @"DOMAIN\AD-GROUP1"
read list = @"DOMAIN\AD-GROUP2"
Replace “DOMAIN” with your Active Directory domain name, “AD-GROUP1” with the name of the AD group that you want to grant write access to the shared folder, and “AD-GROUP2” with the name of the AD group that you want to grant read-only access to the shared folder.
- The “valid users” parameter restricts access to the shared folder to members of the specified AD groups. The “@” symbol before the group name indicates that it is an AD group. Separate multiple groups with a comma.
- The “write list” parameter specifies the AD group that has write access to the shared folder. Members of this group can read, write, and execute files in the shared folder. If you want to allow multiple AD groups to have write access, separate the group names with a comma.
- The “read list” parameter specifies the AD group that has read-only access to the shared folder. Members of this group can read and execute files in the shared folder, but cannot modify them. If you want to allow multiple AD groups to have read-only access, separate the group names with a comma.
Save the changes and close the file.
Step 4: Restart Samba

Restart the Samba service to apply the changes you made to the configuration file by running the following command:
Ubuntu / Debian / Rocky
sudo systemctl restart smbd
CentOS / Fedora
sudo systemctl restart smb
Step 5: Mounting the Samba Share
From Windows
To mount the Samba share on a Windows machine, follow these steps:
- Open File Explorer and click on “This PC”
- Click on “Map network drive”
- In the “Folder” field, enter the path to the Samba share in the following format:
\\<server-ip-or-name>\<share-name>
- Check the box next to “Connect using different credentials”
- Click on “Finish”
- Enter your Linux machine username and password when prompted
- Click on “OK”
From Linux
To mount the Samba share on a Linux machine, follow these steps:
- Create a mount point by running the following command:
sudo mkdir /mnt/shared-folder
- Mount the Samba share by running the following command:
sudo mount -t cifs //<server-ip-or-name>/<share-name> /mnt/shared-folder -o username=<linux-username>,password=<linux-password>,domain=<domain-name>
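Replace <server-ip-or-name> with the IP address or hostname of your Linux machine, <share-name> with the name of the shared folder, <linux-username> with your Linux machine username, <linux-password> with your Linux machine password, and <domain-name> with your Active Directory domain name. A password given on the command line is recorded in the shell history and is visible in the process list while the command runs; mount.cifs can instead read the username and password from a root-only file named with its credentials= option.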
Step 6: Optimizing Samba for Faster Performance
Here are some tips for optimizing Samba for faster performance:
- Use the latest version of Samba.
- Use the “async” I/O mode to improve performance when writing large files.
- Use the “wide links” parameter to let the server follow symbolic links that point to directories outside the Samba share. A link inside the share can then expose files outside it, so enable this only where that is intended.
- Enable oplocks to allow clients to cache files locally for faster access.
- Use the “socket options” parameter to optimize the network socket parameters.
- Use the “read raw” and “write raw” parameters to disable the Samba internal read and write caching.
To implement these optimizations, add the following lines to the [global] section of the Samba configuration file:
async io = yes
wide links = yes
oplocks = yes
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=65536 SO_SNDBUF=65536
read raw = yes
write raw = yes
Save the changes and restart the Samba service to apply the optimizations.
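The share definition from Step 3 and the [global] tuning from Step 6 both affect who can reach which files. The following Python script is an added example, not part of the original tutorial or of Samba: it parses an smb.conf and reports, per share, the settings from this guide that widen access. The [scratch] share, its path, and the function names are assumptions made for illustration, and the parser assumes one parameter per line with no backslash continuations.

```python
import configparser
import os

# Constructed sample: the Step 3 share and part of the Step 6 [global] tuning,
# plus a hypothetical [scratch] share with no access restrictions.
SAMPLE_CONF = r"""
[global]
wide links = yes

[shared-folder]
path = /shared-folder
create mask = 0664
force group = sambausers
valid users = @"DOMAIN\AD-GROUP1", @"DOMAIN\AD-GROUP2"
write list = @"DOMAIN\AD-GROUP1"

[scratch]
path = /srv/scratch
guest ok = yes
"""

def is_yes(value):
    return value.strip().lower() in ("yes", "true", "on", "1")

def audit(conf_text):
    """Return sorted (share, finding) pairs for settings that widen access."""
    cp = configparser.RawConfigParser(delimiters=("=",), strict=False)
    # smb.conf ignores case and whitespace inside parameter names.
    cp.optionxform = lambda name: "".join(name.lower().split())
    cp.read_string("\n".join(line.strip() for line in conf_text.splitlines()))
    shares = [s for s in cp.sections() if s.lower() != "global"]
    glob = next((dict(cp[s]) for s in cp.sections() if s.lower() == "global"), {})
    findings = []
    for share in shares:
        opts = {**glob, **cp[share]}  # [global] values act as share defaults
        if is_yes(opts.get("widelinks", "no")):
            findings.append((share, "wide links: symlinks may resolve outside the share"))
        if is_yes(opts.get("guestok", opts.get("public", "no"))):
            findings.append((share, "guest ok: connects without a password"))
        if not opts.get("validusers", "").strip():
            findings.append((share, "no valid users: any authenticated account may connect"))
        path = opts.get("path", "")
        if os.path.isdir(path) and os.stat(path).st_mode & 0o002:
            findings.append((share, "path is world-writable for local accounts"))
    return sorted(findings)

if __name__ == "__main__":
    for share, finding in audit(SAMPLE_CONF):
        print(f"[{share}] {finding}")
```

Run it on the server itself so that the path check can see the real directory modes set in Step 2.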
Conclusion
In this tutorial, we have shown you how to join a Linux machine to AD and share folders using AD permissions in Samba. By following these steps, you can easily integrate your Linux-based servers with your Active Directory environment and ensure that your users have access to the files they need, while also maintaining strict access control. We also provided instructions for mounting the Samba share from a Windows or Linux machine and optimizing Samba for faster performance. Remember to take security into consideration when configuring your Samba shares, and always test your configurations before deploying them to a production environment.