
Samba AD File Server

Status: Completed
Origin: Enterprise Infrastructure
Since: 2026.01
Tags: Ubuntu 24.04, Samba, Active Directory, Proxmox VE, SNMP, XFS

Overview

Built a production Ubuntu 24.04 Samba file server joined to Active Directory, replacing a legacy "split-brain" configuration where files were scattered across multiple Windows 10 machines with inconsistent permissions and no proper backup strategy. The server runs as an AD member on Proxmox 9.1.2 with 4TB XFS storage.

OS: Ubuntu 24.04 LTS
Storage: 4TB XFS at /srv/fileshare
Role: AD member file server
Hypervisor: Proxmox VE 9.1.2

Automation Toolkit

I built an open-source automation toolkit that handles the entire deployment: VM provisioning, domain join, and share configuration with a single command.

Bash One-Liner Install (run on Proxmox host)
bash -c "$(wget -qLO - https://raw.githubusercontent.com/solomonneas/samba-ad-migration/main/samba-ad.sh)"
VM Creation: Proxmox VM with cloud-init, Ubuntu 24.04, thin-provisioned data disk
AD Domain Join: Samba + Winbind integration, Kerberos auth, domain user resolution
Share Configuration: SMB share with AD permissions, accessible via UNC path
Data Migration: Robocopy script preserving permissions and timestamps

SMB3 Security Hardening

Why This Matters

Without signing/encryption, SMB traffic can be intercepted or modified (man-in-the-middle attacks).

Added to /etc/samba/smb.conf [global] section:

Setting                        Purpose
server signing = mandatory     All packets must be signed (prevents tampering)
server min protocol = SMB3     Blocks legacy SMB1/SMB2 (security risks)
smb encrypt = desired          Encrypts traffic when client supports it

Compatibility

All modern Windows (8+), macOS (10.12+), and Linux clients support SMB3. Only breaks ancient XP machines or old network scanners.
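A quick way to verify that a deployed smb.conf really carries these three settings, as an added example that is not part of the project's toolkit: a small Python checker with a hand-rolled parser, because smb.conf parameter names ignore case and internal whitespace and the idmap keys contain ':' and '*', which configparser does not handle well. WEAK_CONF and HARDENED_CONF are constructed samples.

```python
import re

# Constructed samples: WEAK_CONF allows the legacy NT1 dialect and sets no
# signing/encryption; HARDENED_CONF mirrors the three settings on this page.
WEAK_CONF = """\
[global]
   workgroup = CORP
   server min protocol = NT1
"""
HARDENED_CONF = """\
[global]
   workgroup = CORP
   Server Signing = mandatory
   server min protocol = SMB3
   smb encrypt = desired
"""
# Accepted values (lower-cased); SMB3 dialect-specific forms also count.
REQUIRED = {
    "server signing": {"mandatory"},
    "server min protocol": {"smb3", "smb3_00", "smb3_02", "smb3_11"},
    "smb encrypt": {"desired", "required"},
}

def normalize_key(key):
    """smb.conf parameter names ignore case and internal whitespace."""
    return re.sub(r"\s+", "", key).lower()

def parse_smb_conf(text):
    """Return {section: {normalized_key: value}}; comments/blanks skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
        elif current is not None and "=" in line and line[0] not in "#;":
            key, value = line.split("=", 1)
            sections.setdefault(current, {})[normalize_key(key)] = value.strip()
    return sections

def check_hardening(text):
    """List of findings for [global]; an empty list means all three hold."""
    conf = parse_smb_conf(text).get("global", {})
    findings = []
    for key, allowed in REQUIRED.items():
        actual = conf.get(normalize_key(key))
        if actual is None:
            findings.append(f"{key}: not set, Samba default applies")
        elif actual.lower() not in allowed:
            findings.append(f"{key}: '{actual}' not in {sorted(allowed)}")
    return findings
```

Run it against the live file with `check_hardening(open("/etc/samba/smb.conf").read())`; an empty list is the pass condition.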

SNMP Monitoring Setup

Enabled remote monitoring of CPU, memory, disk, and network stats via SNMP v2c for integration with network monitoring systems.

ini /etc/snmp/snmpd.conf
agentAddress udp:161,udp6:[::1]:161
rocommunity public default
sysLocation    Proxmox 9.1.2 VM
sysContact     Administrator

view all included .1
includeAllDisks 10%
load 12 10 5

extend cpu /bin/cat /proc/stat
extend memory /bin/cat /proc/meminfo

Useful OIDs

Metric                 OID
System Info            1.3.6.1.2.1.1
CPU Load               1.3.6.1.4.1.2021.10
Memory                 1.3.6.1.4.1.2021.4
Disk                   1.3.6.1.4.1.2021.9
Network Interfaces     1.3.6.1.2.1.2

Bash Test SNMP connectivity
snmpwalk -v2c -c public fileserv.domain.local 1.3.6.1.2.1.1

Audit Logging

File operations on the Samba share are logged for compliance and forensics, tracking who did what and when.

Events Logged

connect/disconnect: User session tracking
mkdir/rmdir: Directory creation and deletion
unlink: File deletions
rename: File and folder renames
write/pwrite failures: Failed write attempts

ini Samba audit config (/etc/samba/smb.conf)
vfs objects = acl_xattr full_audit
full_audit:prefix = %u|%I|%S
full_audit:failure = connect disconnect mkdir rmdir rename unlink write pwrite
full_audit:success = connect disconnect mkdir rmdir rename unlink
full_audit:facility = local5
full_audit:priority = notice

ini Rsyslog config (/etc/rsyslog.d/samba-audit.conf)
local5.notice /var/log/samba/audit.log

Log Format

username|IP_address|share_name|action|result|file_path

Log Example audit entry
jsmith|10.2.66.59|Shared|unlink|ok|Students files/old_doc.docx

Useful Commands

Bash Audit log queries
# Watch live activity
sudo tail -f /var/log/samba/audit.log

# Find who deleted a file
sudo grep "unlink" /var/log/samba/audit.log | grep "filename"

# Find all actions by a user
sudo grep "jsmith|" /var/log/samba/audit.log
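The grep one-liners above match anywhere on the line, so a user name that is a prefix of another, or a path that happens to contain the search string, gives false hits. Added example, not part of the project's toolkit: a field-aware Python parser for the same log format that answers the same questions, handles paths with spaces, renames that carry two paths, and the syslog prefix rsyslog's default file template puts in front of each record (assumed to end in the `smbd_audit:` tag). The log lines are constructed.

```python
from collections import Counter

# Constructed sample in the prefix|action|result|path format from this page.
# A rename carries two paths separated by '|'; the last line shows the form
# rsyslog writes with its default template (timestamp, host, smbd_audit tag).
SAMPLE_LOG = """\
jsmith|10.2.66.59|Shared|connect|ok|Shared
jsmith|10.2.66.59|Shared|unlink|ok|Students files/old_doc.docx
jsmith|10.2.66.59|Shared|rename|ok|Students files/a.docx|Students files/b.docx
mlee|10.2.66.71|Shared|write|fail (Permission denied)|Admin/budget.xlsx
Jan  5 09:12:01 fileserv smbd_audit: mlee|10.2.66.71|Shared|disconnect|ok|Shared
"""

FIELDS = ("user", "ip", "share", "action", "result", "path")

def parse_line(line):
    """One audit line -> dict, or None if the line is not an audit record."""
    if "smbd_audit: " in line:                   # drop the syslog prefix
        line = line.split("smbd_audit: ", 1)[1]
    parts = line.rstrip("\n").split("|", 5)      # keeps '|' inside the path
    if len(parts) != 6:
        return None
    rec = dict(zip(FIELDS, parts))
    rec["ok"] = rec["result"] == "ok"            # failures read "fail (reason)"
    return rec

def parse_log(text):
    return [r for r in map(parse_line, text.splitlines()) if r]

def who_deleted(records, filename):
    """(user, ip, path) for successful unlinks whose path contains filename."""
    return [(r["user"], r["ip"], r["path"]) for r in records
            if r["action"] == "unlink" and r["ok"] and filename in r["path"]]

def actions_by_user(records, user):
    """Counter of actions by one user, the 'all actions by a user' query."""
    return Counter(r["action"] for r in records if r["user"] == user)

def failed_writes(records):
    """(user, path, result) for failed write/pwrite attempts."""
    return [(r["user"], r["path"], r["result"]) for r in records
            if r["action"] in ("write", "pwrite") and not r["ok"]]
```

On the server, `parse_log(open("/var/log/samba/audit.log").read())` replaces SAMPLE_LOG.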

Swap Configuration

Even with 8GB RAM, swap provides a safety net for memory spikes and prevents the OOM killer from terminating services during high load.

Bash Create 4GB swap file
# Create swap file
sudo fallocate -l 4G /swapfile
sudo chmod 600 /swapfile
sudo mkswap /swapfile
sudo swapon /swapfile

# Make persistent
echo '/swapfile none swap sw 0 0' | sudo tee -a /etc/fstab

# Verify
free -h  # Should show: Swap: 4.0Gi

Final Samba Configuration

ini /etc/samba/smb.conf
[global]
   workgroup = CORP
   realm = CORP.LOCAL
   security = ads

   server signing = mandatory
   server min protocol = SMB3
   smb encrypt = desired

   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config CORP : backend = rid
   idmap config CORP : range = 10000-999999

   winbind use default domain = yes
   winbind enum users = yes
   winbind enum groups = yes
   template shell = /bin/bash
   template homedir = /home/%U

   vfs objects = acl_xattr full_audit
   map acl inherit = yes
   store dos attributes = yes

   full_audit:prefix = %u|%I|%S
   full_audit:failure = connect disconnect mkdir rmdir rename unlink write pwrite
   full_audit:success = connect disconnect mkdir rmdir rename unlink
   full_audit:facility = local5
   full_audit:priority = notice

[Shared]
   path = /srv/fileshare
   read only = no
   guest ok = no
   valid users = "@CORP\Domain Users"
   admin users = "@CORP\Domain Admins"
   create mask = 0770
   directory mask = 0770
   force group = "CORP\Domain Users"

Technical Challenges Solved

Cloud-init Password Auth: Custom user-data with quoted password hash (the $6$ prefix breaks YAML parsing)
APT Lock Race Condition: Added cloud-init status --wait before package operations

Drive Mapping (Replaced DFS)

The old environment used a DFS namespace to abstract file server paths. During the migration I ripped that out entirely. DFS adds complexity and caching headaches (30-minute referral TTL, client cache flushing) for a single-server environment that doesn't need it. Replaced it with straightforward GPO drive mappings using item-level targeting by security group.

X:\ Faculty & Staff: Maps to the full file server. Faculty and staff see all department shares, administrative folders, and shared resources. Item-level target: Faculty/Staff security group
Y:\ Students: Maps to the student folder only. Students can access their class files and shared student resources, nothing else. Item-level target: Student security group

GPO Group Policy Preferences Drive Maps
# User Configuration > Preferences > Windows Settings > Drive Maps
#
# Faculty/Staff:
#   Action: Replace | Letter: X: | Path: \\fileserv\shares
#   Item-level targeting: Security Group = "Faculty-Staff"
#
# Students:
#   Action: Replace | Letter: Y: | Path: \\fileserv\students
#   Item-level targeting: Security Group = "Students"

Tip: GPO Preferences with item-level targeting beats login scripts. The drive mapping is visible in gpresult /h reports, applies at policy refresh (not just login), and you can target by group, OU, or machine without writing conditional logic.

Service Commands

Bash Common operations
# Restart after config changes
sudo systemctl restart smbd nmbd

# Check AD join status
sudo net ads testjoin

# Test config syntax
testparm -s

Result

File server now has SNMP monitoring, enforced SMB3 security, 4GB swap safety net, and audit logging for compliance/forensics.