NAS functionality on CentOS 7

This document describes a Samba 4 AD domain controller installation.

Minimal

Installation

Do a minimal installation of CentOS 7. I am using a VM in this example.

yum install open-vm-tools

Configuration

useradd -g users -c "Herwarth Heitmann" -m -d /home/herwarth herwarth
passwd herwarth
/etc/ssh/sshd_config
PermitRootLogin no
systemctl restart sshd
systemctl disable kdump
/etc/sudoers.d/users
herwarth ALL=(ALL) ALL

Set the FQDN in /etc/hostname, and map the FQDN to the host's IP address in /etc/hosts.

Samba

I know it is crap but we need to disable SELinux… Perhaps I am going to write my own policy later…

/etc/sysconfig/selinux
SELINUX=disabled

We have to use third-party RPMs because the default packages do not support Samba with AD domain controller functionality due to a Kerberos issue.

We need to create an account at sernet.de and put our user credentials into the repo file.

/etc/yum.repos.d/sernet-samba-4.1.repo
[sernet-samba-4.1]
name=SerNet Samba 4.1 Packages (rhel-7)
type=rpm-md
baseurl=https://<USERNAME>:<PASSWORD>@download.sernet.de/packages/samba/4.1/rhel/7/
gpgcheck=1
gpgkey=https://<USERNAME>:<PASSWORD>@download.sernet.de/packages/samba/4.1/rhel/7/repodata/repomd.xml.key
enabled=1

Installation

yum install sernet-samba-ad sernet-samba

Configuration

samba-tool domain provision --use-rfc2307 --interactive
ln -s /var/lib/samba/private/krb5.conf /etc/krb5.conf
/etc/default/sernet-samba
.
.
SAMBA_START_MODE="ad"
.
.
chkconfig sernet-samba-nmbd off
chkconfig sernet-samba-smbd off
chkconfig sernet-samba-winbindd off
samba-tool domain level raise --domain-level 2008_R2 --forest-level 2008_R2
samba-tool domain level show

Homedir on server

/etc/samba/smb.conf
[users]
        path = /mnt/storage/users
        comment = user folders for redirection
        read only = No

Create the Folder Redirection GPO

For the following to work it is assumed that you have configured your Samba 4 AD DC and have created some Organizational Units for your domain. You should also have a test user created and RSAT installed on your Windows client.

  1. Log on to a Windows 7/8 client computer that has been joined to the domain, as a domain administrator.
  2. Launch the 'Group Policy Management' console: Start → All Programs → Administrative Tools → Group Policy Management
  3. Either select an already existing GPO that is applied to an OU or create a new one. Right-click the GPO and choose 'Edit'. Then go to: User Configuration → Policies → Windows Settings → Folder Redirection
  4. Right-click on 'Documents' and select 'Properties'. On the 'Target' tab configure as follows:
     * Setting: Basic - Redirect everyone's folder to the same location
     * Target folder location: Create a folder for each user under the root path. Root Path: \\samba.mydomain.com\Users

NOTE: You should notice a preview at the bottom showing 'For user Clair, this folder will be redirected to: \\samba.mydomain.com\Users\Clair\Documents'

  1. At the top select the 'Settings' tab and uncheck the 'Grant the User Exclusive Rights to Documents' check box. Leave the remaining check boxes unchanged.
  2. Click OK to complete the folder redirection configuration. A pop-up opens that states that this policy will not display the Folder Redirection node if an administrator or user attempts to configure or view this group policy using policy management tools from Windows 2000, Windows XP, or Windows Server 2003. Click Yes to accept this warning and configure the folder redirection.
  3. Back in the 'Group Policy Management Editor' window, close the GPO.
  4. Make sure that the GPO has 'Authenticated Users' (or another security group you're using) listed in 'Security Filtering'.
  5. Link the new GPO policy (if not done already) to an OU with a user account that can be used to test this policy. This user must log on to a Windows Vista/7/8 computer to allow proper processing of this policy.
  6. Log on to a Windows Vista/7/8 system with the test user account. After the profile completes loading, click the Start button, and locate and right-click the Documents folder and then select Properties. Select the Location tab and verify the path. For example, for a user named Tom, the path should be \\samba.mydomain.com\Users\Tom\Documents.

Your folder redirection should now work. If you continue to have your 'Documents' folder path showing C:\Users\xxx and not the server share, it is most likely due to permissions on the root 'Users' folder. The NTFS permissions must be set correctly on the server share or folder redirection will fail.

Having the correct permissions set on the server share also prevents users from accessing another user's files. If you set the permissions correctly as outlined in this howto, you should be able to test this successfully.
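The permission check the two paragraphs above call for, written as an added example that is not part of the original page: it walks the share root (/mnt/storage/users here) and flags per-user folders that are not owned by the user they are named after or that grant group/other any access. It assumes GNU stat as shipped with CentOS 7 and that winbind presents AD owners as plain user names without a DOMAIN\ prefix; the NTFS ACLs Samba stores in extended attributes are not inspected.

```shell
# audit_user_dirs ROOT
# Walk the folder-redirection share root and report per-user folders that
# either are not owned by the user they are named after, or carry any
# group/other permission bits (which would let one domain user read a
# colleague's redirected Documents). Prints one finding per line and
# returns 0 when the tree is clean, 1 otherwise.
# Assumption: GNU stat and plain user names as owners (no DOMAIN\ prefix).
audit_user_dirs() {
    root=$1
    rc=0
    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue          # no subfolders: glob stays literal
        dir=${dir%/}
        name=${dir##*/}                    # folder name == expected owner
        owner=$(stat -c '%U' "$dir")
        mode=$(stat -c '%a' "$dir")        # octal mode, e.g. 700 or 2700
        if [ "$owner" != "$name" ]; then
            printf 'OWNER %s: owned by %s, expected %s\n' "$dir" "$owner" "$name"
            rc=1
        fi
        # the octal mode must end in 00: no bits at all for group or other
        case "$mode" in
            *00) ;;
            *) printf 'MODE  %s: %s grants group/other access\n' "$dir" "$mode"; rc=1 ;;
        esac
    done
    return $rc
}

# On the server described on this page: audit_user_dirs /mnt/storage/users
```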

Firewall configuration

Remove the default services from the built-in zones

firewall-cmd --permanent --zone=home --remove-service=dhcpv6-client
firewall-cmd --permanent --zone=home --remove-service=ipp-client
firewall-cmd --permanent --zone=home --remove-service=mdns
firewall-cmd --permanent --zone=home --remove-service=samba-client
firewall-cmd --permanent --zone=home --remove-service=ssh
firewall-cmd --permanent --zone=internal --remove-service=dhcpv6-client
firewall-cmd --permanent --zone=internal --remove-service=ipp-client
firewall-cmd --permanent --zone=internal --remove-service=mdns
firewall-cmd --permanent --zone=internal --remove-service=samba-client
firewall-cmd --permanent --zone=internal --remove-service=ssh
firewall-cmd --permanent --zone=work --remove-service=dhcpv6-client
firewall-cmd --permanent --zone=work --remove-service=ipp-client
firewall-cmd --permanent --zone=work --remove-service=ssh
firewall-cmd --permanent --zone=public --remove-service=dhcpv6-client
firewall-cmd --permanent --zone=public --remove-service=ssh
firewall-cmd --permanent --zone=external --remove-masquerade
firewall-cmd --permanent --zone=external --remove-service=ssh
firewall-cmd --permanent --zone=dmz --remove-service=ssh

Create new zones

firewall-cmd --permanent --new-zone=zorgnet

Add subnets to zones

firewall-cmd --permanent --zone=public --add-source=0.0.0.0/0
firewall-cmd --permanent --zone=public --add-source=::/0
firewall-cmd --permanent --zone=zorgnet --add-source=10.108.108.0/24

Enable services on zones

firewall-cmd --permanent --zone=zorgnet --add-service=ssh
firewall-cmd --permanent --zone=zorgnet --add-service=ntp
firewall-cmd --permanent --zone=zorgnet --add-service=dns
firewall-cmd --permanent --zone=zorgnet --add-service=samba
firewall-cmd --permanent --zone=zorgnet --add-service=kerberos
firewall-cmd --permanent --zone=zorgnet --add-service=ldap
firewall-cmd --permanent --zone=zorgnet --add-service=ldaps
firewall-cmd --permanent --zone=zorgnet --add-port=135/tcp
firewall-cmd --permanent --zone=zorgnet --add-port=3268/tcp
firewall-cmd --permanent --zone=zorgnet --add-port=3269/tcp
firewall-cmd --permanent --zone=zorgnet --add-port=1024/tcp
firewall-cmd --permanent --zone=zorgnet --add-port=24542/tcp

Set default zone

firewall-cmd --set-default-zone=zorgnet
systemctl enable firewalld
systemctl start firewalld
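An audit for the zone layout configured above, as an added example that is not part of the original page: it parses `firewall-cmd --zone=<zone> --list-all` output and reports anything the zone exposes beyond the services and ports this page opens for the AD DC, plus masquerading. The two dumps are constructed samples in firewalld's --list-all layout, not captures from a real host; the second one has drifted from the page's configuration.

```shell
# Constructed sample dumps (not captured from a real host) in the layout of
# `firewall-cmd --zone=<zone> --list-all`. ZORGNET_OK matches what the page
# configures; ZORGNET_DRIFTED has an extra service and masquerading switched on.
ZORGNET_OK='zorgnet (active)
  interfaces:
  sources: 10.108.108.0/24
  services: dns kerberos ldap ldaps ntp samba ssh
  ports: 135/tcp 3268/tcp 3269/tcp 1024/tcp 24542/tcp
  masquerade: no
'
ZORGNET_DRIFTED='zorgnet (active)
  interfaces:
  sources: 10.108.108.0/24
  services: dns http kerberos ldap ldaps ntp samba ssh
  ports: 135/tcp 3268/tcp 3269/tcp 1024/tcp 24542/tcp
  masquerade: yes
'
# What the page opens for the AD DC zone; anything beyond this is a finding.
AD_SERVICES="dns kerberos ldap ldaps ntp samba ssh"
AD_PORTS="135/tcp 3268/tcp 3269/tcp 1024/tcp 24542/tcp"

# field_of DUMP KEY: print the value of the "  key: value" line of the dump
field_of() { printf '%s\n' "$1" | sed -n "s/^  $2: *//p"; }

# unexpected_items ACTUAL EXPECTED: print the items of ACTUAL missing from EXPECTED
unexpected_items() {
    for item in $1; do
        case " $2 " in *" $item "*) ;; *) printf '%s\n' "$item" ;; esac
    done
}

# audit_zone DUMP EXPECTED_SERVICES EXPECTED_PORTS
# Returns 0 only if the zone exposes nothing beyond the expected lists and
# masquerading is off; otherwise prints one finding per line and returns 1.
audit_zone() {
    findings=$(
        unexpected_items "$(field_of "$1" services)" "$2" | sed 's/^/unexpected service: /'
        unexpected_items "$(field_of "$1" ports)" "$3" | sed 's/^/unexpected port: /'
        [ "$(field_of "$1" masquerade)" = yes ] && echo 'masquerade enabled'
        true
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# On the real host: audit_zone "$(firewall-cmd --zone=zorgnet --list-all)" "$AD_SERVICES" "$AD_PORTS"
```

The same call with empty expected lists checks that a zone facing 0.0.0.0/0, like the page's public zone, exposes nothing at all.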
nas_centos7.1427551212.txt.gz · Last modified: by herwarth