Setting up Active Directory
-
6. Join Active Directory (recommended for enterprise authentication)
Use realmd (which wraps adcli, SSSD and krb5) to join the domain. This creates a machine account in AD and configures SSSD for AD authentication. Replace EXAMPLE.COM and administrator with your domain and admin user. After the join, verify that you can obtain a Kerberos ticket. The AD join via realmd/SSSD is the recommended modern approach.
sudo realm discover EXAMPLE.COM
sudo realm join --user=administrator EXAMPLE.COM
sudo kinit administrator@EXAMPLE.COM
klist
-
7. Samba as an AD member / winbind vs sssd
Two common patterns: (A) Samba + winbind, where winbind maps Windows SIDs to Unix IDs; (B) SSSD with its idmap backend for Unix ID mapping, with SSSD handling authentication. On RHEL/Rocky, SSSD + Samba works well for file servers when properly configured. If you prefer winbind, install and enable it and join with net ads join.
# If using the winbind approach (optional)
sudo dnf install -y samba-winbind-clients samba-winbind
sudo net ads join -U administrator
sudo systemctl enable --now winbind
-
8. Test AD users access to Samba share
Create an AD group for share access (e.g., FILE_SERVERS\share_users) and add AD users to it. On the server, check that the user resolves through NSS, then test SMB authentication from a Windows client or with smbclient. (With SSSD's default use_fully_qualified_names setting, the name may have to be given as someuser@example.com rather than EXAMPLE\someuser.)
getent passwd 'EXAMPLE\someuser'
sudo smbclient //localhost/share -U 'EXAMPLE\someuser'
-
9. Kerberos for Samba (optional advanced: s4:kerberos service principals)
If you need a Kerberos keytab for Samba (required by some AD setups), ensure the host has a valid machine keytab at /etc/krb5.keytab. realmd and net ads join normally create the machine account and keytab. List the keytab with klist -k and check the SMB service principal with kvno.
sudo klist -k
sudo kvno host/fileserver.example.com
-
10. Samba advanced: VFS modules, file locking and oplocks
For mixed Windows/Linux high-performance workloads, enable the appropriate VFS modules and tune locking/oplocks so that applications sharing files do not corrupt data. Consider vfs objects = acl_xattr full_audit, and make sure the underlying file system supports the ACLs you need (POSIX ACLs, or NFSv4 ACLs where the FS provides them). Note that full_audit records nothing until full_audit:success / full_audit:failure list the operations to log. The sed below inserts the line directly after the [share] header; run it once only, since every invocation appends another line. Check the syntax with testparm before restarting.
sudo sed -i '/^\[share\]/a vfs objects = acl_xattr full_audit' /etc/samba/smb.conf
testparm -s >/dev/null
sudo systemctl restart smb
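The sed one-liner above appends a second "vfs objects" line every time it runs. The following added example (not part of the original guide) does the same edit idempotently: it rewrites the "vfs objects" line of one share with awk and prints the result, so it can be reviewed and checked with testparm before anything is copied into /etc/samba. The smb.conf it operates on is a constructed sample; the share name and module list are the ones used in this step.

```shell
#!/bin/sh
# Added example, not from the original guide: set the "vfs objects" line of one
# smb.conf share idempotently instead of appending blindly with sed.
# The sample smb.conf below is constructed for this demonstration.

# set_share_vfs_objects FILE SECTION "module ..."
# Prints FILE with the "vfs objects" line of [SECTION] placed directly under its
# header; any earlier "vfs objects" line inside that section is dropped, so running
# it twice yields identical output. Other sections are left untouched.
set_share_vfs_objects() {
    awk -v want="$2" -v mods="$3" '
    /^[ \t]*\[/ {
        # section header: extract the name between the brackets
        sec = substr($0, index($0, "[") + 1)
        sec = substr(sec, 1, index(sec, "]") - 1)
        insec = (sec == want)
        print
        if (insec) print "    vfs objects = " mods
        next
    }
    insec && /^[ \t]*vfs objects[ \t]*=/ { next }   # stale line in the target section
    { print }
    ' "$1"
}

# write_sample_smb_conf FILE: constructed config with an outdated vfs line in [share]
write_sample_smb_conf() {
    cat > "$1" <<'EOF'
[global]
    workgroup = EXAMPLE
    security = ads
    realm = EXAMPLE.COM
    log file = /var/log/samba/%m.log

[share]
    path = /srv/samba/share
    read only = no
    vfs objects = acl_xattr
    # full_audit logs nothing useful until told which operations to record
    full_audit:failure = all
    full_audit:success = connect disconnect

[homes]
    browseable = no
    read only = no
EOF
}

# Stand-alone demo: render the edited config to stdout without touching /etc/samba.
# To apply for real, redirect the output to a temporary file, run "testparm -s <file>",
# and only then copy it over /etc/samba/smb.conf and restart smb.
sample=$(mktemp)
write_sample_smb_conf "$sample"
set_share_vfs_objects "$sample" share "acl_xattr full_audit"
rm -f "$sample"
```

Because the function always places the line right under the section header and removes any earlier copy within that section, it is safe to include in a configuration-management run that executes repeatedly.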
-
11. NFSv4 server: configure and export with Kerberos security
NFSv4 with Kerberos (sec=krb5 for authentication, krb5i adding integrity protection, krb5p adding encryption) provides authentication and integrity/confidentiality for Linux clients. Both server and clients must be domain-joined with working Kerberos, and the server needs an nfs/<fqdn> service principal in its keytab (check with klist -k). Export with the NFSv4 pseudo-fs layout (fsid=0 marks the root of the pseudo-filesystem) and set sec=krb5 (or krb5i/krb5p) in the client's mount options.
sudo systemctl enable --now nfs-server rpcbind
sudo tee /etc/exports <<'EOF'
/srv/nfs/data *(rw,sync,sec=krb5:krb5i:krb5p,fsid=0,no_subtree_check)
EOF
sudo exportfs -rav
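The export above is only as strong as the sec= list: an entry that omits sec= (or lists sys) accepts whatever UID/GID the client claims, and no_root_squash hands remote root the same rights locally. The following added example (not part of the original guide) audits an exports file for exactly those regressions. The exports content it reads is a constructed sample; line one is the hardened entry from this step and the others are the kinds of entries that drift in over time.

```shell
#!/bin/sh
# Added example, not from the original guide: audit an exports file for entries
# that fall short of the Kerberos-only posture described in this step.
# The sample exports content is constructed so the check runs offline.

# audit_exports FILE
# Prints one line per finding ("<path> <client>: <reason>"), nothing if clean.
# Rules:
#   * sec= absent or containing "sys": AUTH_SYS trusts the UID/GID the client
#     claims, which is exactly what krb5/krb5i/krb5p is meant to replace
#   * wildcard client "*" with rw while sec=sys is allowed: any host can write
#   * no_root_squash: remote root becomes local root on the export
audit_exports() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | while read -r path clients; do
        set -f                                   # "*" is a client spec, not a glob
        for spec in $clients; do
            client=${spec%%(*}
            opts=${spec#*(}
            opts=${opts%)}
            [ "$client" = "$spec" ] && opts=""   # entry without an option list

            sec=$(printf '%s\n' "$opts" | tr ',' '\n' | sed -n 's/^sec=//p')
            [ -z "$sec" ] && sec=sys             # exportfs default when sec= is absent
            case ":$sec:" in
                *:sys:*)
                    echo "$path $client: allows sec=sys (sec=$sec)"
                    case ",$opts," in
                        *,rw,*) [ "$client" = '*' ] && echo "$path $client: rw for any host without Kerberos" ;;
                    esac ;;
            esac
            case ",$opts," in
                *,no_root_squash,*) echo "$path $client: no_root_squash" ;;
            esac
        done
        set +f
    done
}

# write_sample_exports FILE: constructed file; the first entry is the hardened
# layout from this step, the rest are weak entries the audit should catch.
write_sample_exports() {
    cat > "$1" <<'EOF'
# constructed sample exports
/srv/nfs/data   *(rw,sync,sec=krb5:krb5i:krb5p,fsid=0,no_subtree_check)
/srv/nfs/legacy 10.0.0.0/24(rw,sync,no_subtree_check)
/srv/nfs/build  buildhost.example.com(rw,sec=sys:krb5,no_root_squash,sync)
/srv/nfs/pub    *(rw)
EOF
}

# Stand-alone demo over the constructed file; on a real host run "audit_exports /etc/exports".
sample=$(mktemp)
write_sample_exports "$sample"
audit_exports "$sample"
rm -f "$sample"
```

The hardened entry produces no output, while the three weak entries yield five findings between them. The same rules can be run after exportfs -rav from a cron job or a CI check on the configuration repository, so that a later edit cannot silently reopen AUTH_SYS access.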
-
12. NFS id mapping (idmapd) for UID/GID consistency
Configure /etc/idmapd.conf with your domain and use the same domain on every NFS client and on the server so that user identity mapping works (NFSv4 transmits owner@domain strings rather than numeric IDs). Restart the idmapd service afterwards.
sudo sed -i 's/^#Domain = localdomain/Domain = example.com/' /etc/idmapd.conf
sudo systemctl restart nfs-idmapd
-
13. NFS ACLs and tools
For NFSv4 ACLs use nfs4_setfacl/nfs4_getfacl from nfs4-acl-tools, so that every client sees the same ACL entries regardless of which export it mounts.
sudo dnf install -y nfs4-acl-tools
nfs4_setfacl -s 'A::DOMAIN\someuser:rwxtncy' /srv/nfs/data
-
14. Quota management (XFS project quotas — recommended for directory quotas)
On Rocky 9 XFS is common; for directory/project quotas enable XFS project quotas and manage them with xfs_quota. You can enforce per-project limits (useful to cap customers/tenants). See the XFS quota docs for details.
# XFS only honours pquota at mount time: add it to the /srv entry in /etc/fstab
# (e.g. defaults,pquota), then unmount and mount again (a plain remount does not enable it)
sudo umount /srv && sudo mount /srv
sudo tee -a /etc/projects <<'EOF'
100:/srv/nfs/data
EOF
sudo tee -a /etc/projid <<'EOF'
dataquota:100
EOF
sudo xfs_quota -x -c 'project -s dataquota' /srv
sudo xfs_quota -x -c 'limit -p bsoft=50g bhard=55g dataquota' /srv
-
15. Quota management (ext4 or user/group quotas)
For ext4, or for user/group quotas, install the quota tools and enable quotas in /etc/fstab with usrquota,grpquota, then remount and use quotaon/edquota.
sudo dnf install -y quota
# Example fstab entry (edit with care)
UUID=... /srv ext4 defaults,usrquota,grpquota 0 2
sudo mount -o remount /srv
sudo quotacheck -cugm /srv
sudo quotaon /srv
-
16. SELinux booleans and service access
Enable the SELinux booleans needed by Samba and NFS, for example to let Samba share home directories or to allow NFS exports. Adjust only the minimum required booleans, and check the current value with getsebool before changing it. See the SELinux docs for what each boolean permits.
sudo setsebool -P samba_enable_home_dirs on
# only needed if a web server on this host serves content from an NFS mount
sudo setsebool -P httpd_use_nfs on
# lets nfsd serve any directory read-write regardless of its SELinux label
sudo setsebool -P nfs_export_all_rw on
-
17. Automounts, systemd and performance tuning
Tune kernel and NFS/Samba parameters for performance: increase file handle caches, adjust the number of nfsd threads (on Rocky 9 via the threads setting in the [nfsd] section of /etc/nfs.conf) and tune Samba socket options. Put settings in /etc/sysctl.d/ and in systemd unit overrides so they persist across reboots. Monitor with iostat, nfsstat and smbstatus.
sudo sysctl -w net.core.somaxconn=1024
echo 'net.core.somaxconn = 1024' | sudo tee /etc/sysctl.d/90-fileserver.conf
sudo systemctl edit nfs-server --full
-
18. Verification & troubleshooting
Commands to verify status, SELinux denials, and Kerberos tickets. Use audit logs to debug SELinux denials.
sudo systemctl status smb nmb nfs-server rpcbind sssd
smbstatus
sudo ausearch -m avc -ts recent
klist
sudo tail -f /var/log/messages /var/log/secure /var/log/audit/audit.log
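ausearch -m avc on a busy file server prints the same denial hundreds of times, once per file. The following added example (not part of the original guide) condenses raw AVC records into a count per distinct denial (process, source type, target type, object class, permissions) and maps the denials this guide is most likely to produce onto the booleans from step 16. The audit records it reads are constructed samples in the kernel's AVC format; the boolean_hint table is an assumption covering only the booleans named in this guide.

```shell
#!/bin/sh
# Added example, not from the original guide: condense raw AVC records (as printed
# by "ausearch -m avc" or found in /var/log/audit/audit.log) into a count per
# distinct denial so a flood of repeats reads as a handful of decisions.
# The sample records are constructed; the field layout follows the kernel's AVC format.

# summarize_avc FILE
# One line per distinct denial, most frequent first:
#   "<count> <comm> <source type> <target type> <class> <perms>"
# Non-AVC records (SYSCALL, CWD, PATH, ...) are ignored.
summarize_avc() {
    awk '
    /avc:  denied/ {
        perms = ""; comm = ""; st = ""; tt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {                      # "{ read open }" -> read+open
                for (j = i + 1; j <= NF && $j != "}"; j++)
                    perms = perms (perms == "" ? "" : "+") $j
            } else if ($i ~ /^comm=/) {
                comm = $i; sub(/^comm="?/, "", comm); sub(/"$/, "", comm)
            } else if ($i ~ /^scontext=/) { split($i, a, ":"); st = a[3] }   # user:role:TYPE:level
            else if ($i ~ /^tcontext=/)   { split($i, a, ":"); tt = a[3] }
            else if ($i ~ /^tclass=/)     { cls = substr($i, 8) }
        }
        n[comm " " st " " tt " " cls " " perms]++
    }
    END { for (k in n) printf "%d %s\n", n[k], k }
    ' "$1" | sort -rn
}

# boolean_hint SOURCE_TYPE TARGET_TYPE
# Assumed mapping of the denials this guide tends to produce onto the booleans
# from step 16; anything else should go through "ausearch -m avc -ts recent | audit2allow -w".
boolean_hint() {
    case "$1:$2" in
        smbd_t:user_home_t|smbd_t:user_home_dir_t) echo "samba_enable_home_dirs" ;;
        httpd_t:nfs_t) echo "httpd_use_nfs" ;;
        *) echo "no canned boolean; explain with audit2allow -w" ;;
    esac
}

# write_sample_audit FILE: constructed records for smbd reading a home directory
# that samba_enable_home_dirs is still off for; one SYSCALL line is mixed in.
write_sample_audit() {
    cat > "$1" <<'EOF'
type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="smbd" name="docs" dev="dm-0" ino=1311 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=257 success=no exit=-13 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1700000000.456:457): avc:  denied  { read } for  pid=1234 comm="smbd" name="pics" dev="dm-0" ino=1320 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1700000000.789:458): avc:  denied  { read open } for  pid=1234 comm="smbd" name="report.docx" dev="dm-0" ino=1312 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000001.012:459): avc:  denied  { write } for  pid=1234 comm="smbd" name="docs" dev="dm-0" ino=1311 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0
EOF
}

# Stand-alone demo; on a real host feed it "ausearch -m avc -ts recent > /tmp/avc.txt".
sample=$(mktemp)
write_sample_audit "$sample"
summarize_avc "$sample" | while read -r count comm st tt cls perms; do
    echo "$count x $comm ($st -> $tt $cls $perms): $(boolean_hint "$st" "$tt")"
done
rm -f "$sample"
```

Five records collapse into three distinct denials, all from smbd_t against user_home_t, which is the single decision (turn on samba_enable_home_dirs, or keep the share out of home directories) that the raw log was hiding. Keep the summary alongside the boolean changes you make so the reason for each setsebool is recorded.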
-
19. Backup, HA and clustering notes
For enterprise file services consider: (a) replicate/back up data (rsync, DRBD, or storage array replication), (b) use clustered file systems or shared storage for Samba/NFS backends, and (c) use fencing/split-brain prevention for HA. Keep Kerberos keytabs and AD machine accounts documented and rotated per policy.
-
20. Quick checklist before production
Checklist: DNS A and PTR records ✓; time sync (chrony/ntp) ✓; AD domain join and Kerberos ticketing ✓; SELinux contexts and booleans set ✓; quotas tested ✓; monitoring/alerts configured ✓.