Samba AD File Server

[+] Status: Completed [+] Origin: Enterprise Infrastructure [+] Date: 2026.01
>> TECH_STACK:
[Ubuntu 24.04][Samba][Active Directory][Proxmox VE][SNMP][XFS]

Built a production Ubuntu 24.04 Samba file server joined to Active Directory, replacing a legacy "split-brain" configuration where files were scattered across multiple Windows 10 machines with inconsistent permissions and no proper backup strategy. The server runs as an AD member on Proxmox 9.1.2 with 4TB XFS storage.

OS          Ubuntu 24.04 LTS
Storage     4TB XFS at /srv/fileshare
Role        AD member file server
Hypervisor  Proxmox VE 9.1.2

// Open Source

This automation toolkit is open source. Check out the code, fork it, or give it a star if you find it useful.

// Automation Toolkit

I built an open-source automation toolkit that handles the entire deployment: VM provisioning, domain join, and share configuration with a single command.

Bash One-Liner Install (run on Proxmox host)
bash -c "$(wget -qLO - https://raw.githubusercontent.com/solomonneas/samba-ad-migration/main/samba-ad.sh)"

This executes whatever the URL serves at that moment, as root, on the hypervisor, and the main branch can change between the time you read the script and the time you run it. Fetch the script to disk, read it, and run that copy (pinning the URL to a specific commit) rather than piping it straight into bash.
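The safer pattern for that install step, as an added example that is not part of the samba-ad-migration toolkit: download the installer to a file, compare it against a SHA-256 digest you recorded when you reviewed that exact revision, and execute only on a match. The stand-alone demonstration at the bottom uses a locally constructed script so it runs offline; the URL you pass to fetch_script and the digest you pin are yours to supply.

```shell
#!/usr/bin/env bash
# Added example (not part of the samba-ad-migration toolkit): download an
# installer to disk and execute it only after its SHA-256 matches a digest
# recorded when that exact revision was reviewed. Prefer a URL pinned to a
# commit SHA over .../main/..., which can change under you.
set -eu

# Download URL to a temporary file and print the path. Not called in the
# demonstration below so that the script runs without network access.
fetch_script() {
    local url=$1 dest
    dest=$(mktemp)
    wget -qO "$dest" "$url"
    printf '%s\n' "$dest"
}

# Print the SHA-256 hex digest of a file.
sha256_of() {
    sha256sum "$1" | awk '{print $1}'
}

# Return 0 if the file's digest equals the expected digest, 1 otherwise.
verify_sha256() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# Execute the script only when the digest matches; refuse otherwise.
run_verified() {
    local file=$1 expected=$2
    if verify_sha256 "$file" "$expected"; then
        bash "$file"
    else
        echo "refusing to run $file: SHA-256 does not match the pinned digest" >&2
        return 1
    fi
}

# Demonstration with a locally constructed script (no download involved):
demo=$(mktemp)
printf 'echo "installer body would run here"\n' > "$demo"
run_verified "$demo" "$(sha256_of "$demo")"
run_verified "$demo" "0000000000000000000000000000000000000000000000000000000000000000" \
    || echo "tampered copy refused, as intended"
```

In practice you would run `fetch_script` against the commit-pinned raw URL once, inspect the file, record `sha256_of` for it, and have the deployment step call `run_verified` with that digest.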
📦 VM Creation: Proxmox VM with cloud-init, Ubuntu 24.04, thin-provisioned data disk
🔐 AD Domain Join: Samba + Winbind integration, Kerberos auth, domain user resolution
📁 Share Configuration: SMB share with AD permissions, accessible via UNC path
🔄 Data Migration: Robocopy script preserving permissions and timestamps

// SMB3 Security Hardening

⚠️
Why This Matters

Without signing, an attacker on the network path can alter SMB packets or relay a client's authentication to another server; without encryption, file names and contents cross the wire in cleartext. SMB1 also lacks the pre-authentication integrity check that SMB 3.1.1 uses to detect a downgraded negotiation.

Added to /etc/samba/smb.conf [global] section:

Setting                       Purpose
server signing = mandatory    Every packet is signed; tampered packets are rejected
server min protocol = SMB3    Refuses SMB1 and SMB 2.0/2.1 dialects
smb encrypt = desired         Encrypts a session when the client negotiates it; clients that do not ask still get cleartext (set required to refuse them)
💡
Compatibility

SMB3 is supported by Windows 8 / Server 2012 and later, macOS 10.12 and later, and current Linux clients. Windows 7 / Server 2008 R2 (SMB 2.1 at most), Windows XP, and older network scanners or multifunction printers that only speak SMB1 will no longer be able to connect.
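A quick way to confirm the three settings actually landed in the [global] section, as an added example that is not part of the deployment or the toolkit: a lint that reads only [global] (a `server signing` line under a share stanza is ignored, as Samba itself would) and reports the enforcing values. The two sample smb.conf files are constructed inline; `smb encrypt = desired` is reported as a note rather than a failure because it is opportunistic.

```shell
#!/usr/bin/env bash
# Added example: lint an smb.conf for the SMB3 hardening settings above.
# Both sample configs are constructed here; nothing is read from a server.
set -eu

# Print the value of KEY from the [global] section of CONF, lower-cased,
# or nothing if absent. Share sections ([Shared] etc.) are ignored.
smb_global() {
    local conf=$1 key=$2
    awk -F= -v key="$key" '
        /^[[:space:]]*\[/ { in_global = (tolower($0) ~ /\[global\]/); next }
        in_global && NF >= 2 {
            k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (tolower(k) == key) {
                v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v)
                print tolower(v); exit
            }
        }' "$conf"
}

# Print one line per finding. WEAK means the setting is missing or permits
# unsigned/legacy sessions; NOTE is advisory. Returns 1 on any WEAK finding.
check_smb_hardening() {
    local conf=$1 weak=0 v
    v=$(smb_global "$conf" "server signing")
    case "$v" in
        mandatory|required) ;;
        *) echo "WEAK server signing = ${v:-unset}: unsigned sessions allowed"; weak=1 ;;
    esac
    v=$(smb_global "$conf" "server min protocol")
    case "$v" in
        smb3|smb3_00|smb3_02|smb3_11) ;;
        *) echo "WEAK server min protocol = ${v:-unset}: SMB1/SMB2 dialects accepted"; weak=1 ;;
    esac
    v=$(smb_global "$conf" "smb encrypt")
    case "$v" in
        required) ;;
        desired) echo "NOTE smb encrypt = desired: clients that do not ask for encryption get cleartext" ;;
        *) echo "WEAK smb encrypt = ${v:-unset}: encryption not negotiated unless the client insists"; weak=1 ;;
    esac
    [ "$weak" -eq 0 ] && echo "OK: signing and SMB3 enforced"
    return "$weak"
}

# Constructed "before" config: no signing, SMB1 allowed, and a signing line
# misplaced under a share section where Samba does not honour it.
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
[global]
   workgroup = CORP
   security = ads
   server min protocol = NT1
   smb encrypt = off
[Shared]
   path = /srv/fileshare
   server signing = mandatory
EOF

# Constructed "after" config with the three settings from the table above.
HARDENED_CONF=$(mktemp)
cat > "$HARDENED_CONF" <<'EOF'
[global]
   workgroup = CORP
   security = ads
   server signing = mandatory
   server min protocol = SMB3
   smb encrypt = desired
EOF

check_smb_hardening "$WEAK_CONF" || echo "(weak config rejected)"
check_smb_hardening "$HARDENED_CONF"
```

On the real server, point `check_smb_hardening` at `/etc/samba/smb.conf` after `testparm -s` has accepted the file; the lint reads the text as written, not Samba's effective defaults, so an absent key is reported as unset.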

// SNMP Monitoring Setup

Enabled remote monitoring of CPU, memory, disk, and network stats via SNMP v2c for integration with network monitoring systems. As configured below, the agent answers the well-known community `public` from any source address (`default`) and exposes the entire OID tree (`view all included .1`), including the raw /proc output from the `extend` lines. A v2c community string is the only credential and travels in cleartext, so anyone who can reach UDP/161 can read all of it. Restrict the community to the monitoring hosts' addresses, replace `public`, limit the view to the OIDs the NMS actually polls, or move to SNMPv3 with authentication and privacy.

ini /etc/snmp/snmpd.conf
agentAddress udp:161,udp6:[::1]:161
rocommunity public default
sysLocation    Proxmox 9.1.2 VM
sysContact     Administrator

view all included .1
includeAllDisks 10%
load 12 10 5

extend cpu /bin/cat /proc/stat
extend memory /bin/cat /proc/meminfo

Useful OIDs

Metric               OID
System Info          1.3.6.1.2.1.1
CPU Load             1.3.6.1.4.1.2021.10
Memory               1.3.6.1.4.1.2021.4
Disk                 1.3.6.1.4.1.2021.9
Network Interfaces   1.3.6.1.2.1.2
Bash Test SNMP connectivity
snmpwalk -v2c -c public fileserv.domain.local 1.3.6.1.2.1.1
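A hardened replacement for the snmpd.conf above, as an added example that is not the deployment's file: the same disk, load and extend items, but reads confined to one named view, a non-default community accepted only from the monitoring network, and an SNMPv3 authPriv user. A second function lints any snmpd.conf for communities that are well-known or unrestricted. The community string, the 10.2.66.0/24 network, the user name and both passphrases are placeholders, not values from the deployment.

```shell
#!/usr/bin/env bash
# Added example (not the deployment's config): render a hardened snmpd.conf
# and lint community definitions. Secrets and the network are placeholders.
set -eu

# Write a hardened snmpd.conf to OUT.
# Arguments: out community allowed_net v3user authpass privpass
render_snmpd_conf() {
    local out=$1 community=$2 allowed_net=$3 v3user=$4 authpass=$5 privpass=$6
    cat > "$out" <<EOF
agentAddress udp:161,udp6:[::1]:161
sysLocation    Proxmox 9.1.2 VM
sysContact     Administrator

# Read-only view: system, interfaces, UCD host stats, and the
# NET-SNMP-EXTEND-MIB subtree that the extend lines below populate
view monitoring included .1.3.6.1.2.1.1
view monitoring included .1.3.6.1.2.1.2
view monitoring included .1.3.6.1.4.1.2021
view monitoring included .1.3.6.1.4.1.8072.1.3.2

# SNMPv2c: non-default community, only from the monitoring network, only this view
rocommunity $community $allowed_net -V monitoring

# SNMPv3 authPriv user. net-snmp recommends placing createUser in the
# persistent file under /var/lib/snmp so the passphrases are not kept in
# /etc/snmp/snmpd.conf after the first start.
createUser $v3user SHA "$authpass" AES "$privpass"
rouser $v3user priv -V monitoring

includeAllDisks 10%
load 12 10 5
extend cpu /bin/cat /proc/stat
extend memory /bin/cat /proc/meminfo
EOF
}

# Lint community lines in CONF: flag well-known strings, unrestricted
# sources, and write communities. Prints findings; returns 1 if any.
snmpd_check_communities() {
    local conf=$1 found=0 kw community source rest
    while read -r kw community source rest; do
        case "$kw" in
            rocommunity|rwcommunity|rocommunity6|rwcommunity6) ;;
            *) continue ;;
        esac
        case "$community" in
            public|private) echo "WEAK $kw: well-known community '$community'"; found=1 ;;
        esac
        case "${source:-default}" in
            default|-V) echo "WEAK $kw '$community': answers any source address"; found=1 ;;
        esac
        case "$kw" in
            rwcommunity*) echo "WEAK $kw '$community': write access over SNMP"; found=1 ;;
        esac
    done < "$conf"
    return "$found"
}

# Render the hardened file and check it.
HARDENED_SNMPD=$(mktemp)
render_snmpd_conf "$HARDENED_SNMPD" "m0n1tor-r0-placeholder" "10.2.66.0/24" \
    "monitor" "auth-pass-placeholder" "priv-pass-placeholder"
snmpd_check_communities "$HARDENED_SNMPD" && echo "hardened: no exposed communities"

# Constructed copy of the original community line for comparison.
WEAK_SNMPD=$(mktemp)
printf 'agentAddress udp:161\nrocommunity public default\nview all included .1\n' > "$WEAK_SNMPD"
snmpd_check_communities "$WEAK_SNMPD" || echo "original config rejected"
```

With the view restricted, the `snmpwalk` of 1.3.6.1.2.1.1 above still works from the monitoring network, while a walk of the root from anywhere else gets nothing. Restricting `agentAddress` to the management interface's IP is a further step once that address is fixed.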

// Audit Logging

File operations on the Samba share are logged for compliance and forensics, tracking who did what and when.

Events Logged

Event                  Meaning
connect/disconnect     User session tracking
mkdir/rmdir            Directory creation and deletion
unlink                 File deletions
rename                 File and folder renames
write/pwrite failures  Failed write attempts
ini Samba audit config (/etc/samba/smb.conf)
vfs objects = acl_xattr full_audit
full_audit:prefix = %u|%I|%S
full_audit:failure = connect disconnect mkdir rmdir rename unlink write pwrite
full_audit:success = connect disconnect mkdir rmdir rename unlink
full_audit:facility = local5
full_audit:priority = notice
ini Rsyslog config (/etc/rsyslog.d/samba-audit.conf)
local5.notice /var/log/samba/audit.log

Log Format

username|IP_address|share_name|action|result|arguments

The arguments field is the affected path; rename records both paths as old|new, and connect/disconnect record the share name. result is ok on success, or a fail entry carrying the error text for the operations listed under full_audit:failure. Because the entries arrive through rsyslog, each line in audit.log is preceded by the usual timestamp, hostname and program prefix.
Log Example audit entry
jsmith|10.2.66.59|Shared|unlink|ok|Students files/old_doc.docx

Useful Commands

Bash Audit log queries
# Watch live activity
sudo tail -f /var/log/samba/audit.log

# Find who deleted a file
sudo grep "unlink" /var/log/samba/audit.log | grep "filename"

# Find all actions by a user
sudo grep "jsmith|" /var/log/samba/audit.log
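The grep commands above answer one question at a time. As an added example that is not part of the page's tooling, a few shell/awk functions over the same record format: strip the rsyslog header, attribute a deletion to a user and client address, count deletions per user, and flag repeated failed writes from one user at one address (the signal the `failure = write pwrite` entries exist for). The log lines are constructed for the demonstration; the "Jan 14 ... smbd_audit[pid]:" header stands in for what rsyslog's traditional file format prepends.

```shell
#!/usr/bin/env bash
# Added example (not the deployment's tooling): query full_audit records in
# the username|IP|share|action|result|path format. The sample log is
# constructed; the syslog header is assumed to be rsyslog's traditional
# "Mon DD HH:MM:SS host program[pid]: " format.
set -eu

AUDIT_SAMPLE=$(mktemp)
cat > "$AUDIT_SAMPLE" <<'EOF'
Jan 14 08:02:11 fileserv smbd_audit[2210]: jsmith|10.2.66.59|Shared|connect|ok|Shared
Jan 14 08:05:40 fileserv smbd_audit[2210]: jsmith|10.2.66.59|Shared|unlink|ok|Students files/old_doc.docx
Jan 14 08:05:41 fileserv smbd_audit[2210]: jsmith|10.2.66.59|Shared|unlink|ok|Students files/old_notes.txt
Jan 14 08:07:03 fileserv smbd_audit[2231]: mjones|10.2.66.72|Shared|rename|ok|Reports/q4.xlsx|Reports/q4-final.xlsx
Jan 14 08:09:15 fileserv smbd_audit[2231]: mjones|10.2.66.72|Shared|pwrite|fail (Permission denied)|Finance/budget.xlsx
Jan 14 08:09:16 fileserv smbd_audit[2231]: mjones|10.2.66.72|Shared|pwrite|fail (Permission denied)|Finance/budget.xlsx
Jan 14 08:12:50 fileserv smbd_audit[2210]: jsmith|10.2.66.59|Shared|disconnect|ok|Shared
EOF

# Strip the syslog header so only the pipe-delimited record remains.
# Lines that carry no header pass through unchanged.
audit_records() {
    sed 's/^[A-Z][a-z][a-z] [ 0-9][0-9] [0-9:]* [^ ]* [^ ]*: //' "$1"
}

# Who deleted PATH: prints user@client for each successful unlink of it.
who_deleted() {
    audit_records "$1" | awk -F'|' -v path="$2" \
        '$4 == "unlink" && $5 == "ok" && $6 == path { print $1 "@" $2 }'
}

# Successful deletions per user, busiest first: "user count".
deletions_by_user() {
    audit_records "$1" | awk -F'|' '$4 == "unlink" && $5 == "ok" { n[$1]++ }
        END { for (u in n) print u, n[u] }' | sort -k2,2nr -k1,1
}

# Users with at least MIN failed write/pwrite calls from one address,
# i.e. repeated permission-denied writes: "user client count".
failed_write_bursts() {
    audit_records "$1" | awk -F'|' -v min="$2" '
        ($4 == "write" || $4 == "pwrite") && $5 ~ /^fail/ { n[$1 "|" $2]++ }
        END { for (k in n) if (n[k] >= min) { split(k, p, "|"); print p[1], p[2], n[k] } }'
}

echo "deleted Students files/old_doc.docx: $(who_deleted "$AUDIT_SAMPLE" "Students files/old_doc.docx")"
echo "deletions per user:"; deletions_by_user "$AUDIT_SAMPLE"
echo "failed-write bursts (>=2):"; failed_write_bursts "$AUDIT_SAMPLE" 2
```

On the server, pass `/var/log/samba/audit.log` (with sudo) in place of the sample. Matching on the exact path in `who_deleted` avoids the false hits a bare `grep "filename"` produces for similarly named files.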

// Swap Configuration

Even with 8GB RAM, a swap file gives the kernel somewhere to page out idle memory during spikes, so smbd and winbind are less likely to be hit by the OOM killer under load. Swap delays the OOM killer rather than preventing it: if swap fills as well, the kernel still kills the largest consumer.

Bash Create 4GB swap file
# Create swap file. If swapon later reports "skipping - it appears to have
# holes", recreate the file with dd rather than fallocate.
sudo fallocate -l 4G /swapfile
sudo chmod 600 /swapfile   # root-only: the file will hold paged-out memory contents
sudo mkswap /swapfile
sudo swapon /swapfile

# Make persistent (check /etc/fstab first so the entry is not appended twice)
echo '/swapfile none swap sw 0 0' | sudo tee -a /etc/fstab

# Verify
free -h  # Should show: Swap: 4.0Gi

// Final Samba Configuration

Two points to keep in mind when reading it: admin users makes every member of Domain Admins perform file operations on the share as root, bypassing the file ACLs entirely, and winbind enum users/groups = yes lets getent enumerate the whole domain, which is slow on large directories and is not needed for share access.
ini /etc/samba/smb.conf
[global]
   workgroup = CORP
   realm = CORP.LOCAL
   security = ads

   server signing = mandatory
   server min protocol = SMB3
   smb encrypt = desired

   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config CORP : backend = rid
   idmap config CORP : range = 10000-999999

   winbind use default domain = yes
   winbind enum users = yes
   winbind enum groups = yes
   template shell = /bin/bash
   template homedir = /home/%U

   vfs objects = acl_xattr full_audit
   map acl inherit = yes
   store dos attributes = yes

   full_audit:prefix = %u|%I|%S
   full_audit:failure = connect disconnect mkdir rmdir rename unlink write pwrite
   full_audit:success = connect disconnect mkdir rmdir rename unlink
   full_audit:facility = local5
   full_audit:priority = notice

[Shared]
   path = /srv/fileshare
   read only = no
   guest ok = no
   valid users = "@CORP\Domain Users"
   admin users = "@CORP\Domain Admins"
   create mask = 0770
   directory mask = 0770
   force group = "CORP\Domain Users"

// Technical Challenges Solved

Cloud-init Password Auth: Custom user-data with quoted password hash (the $6$ prefix breaks YAML parsing)
APT Lock Race Condition: Added cloud-init status --wait before package operations

// Client Drive Mapping

Two shared drives mapped to all domain workstations via GPO login script: X: for department files, Y: for shared resources. Note that the smb.conf above defines only the [Shared] share; the Department share referenced below needs its own share section on the server.

Batch GPO Login Script (map-drives.bat)
@echo off
:: Map X: drive - Department Files
net use X: /delete /yes 2>nul
net use X: \\fileserv\Department /persistent:yes

:: Map Y: drive - Shared Resources
net use Y: /delete /yes 2>nul
net use Y: \\fileserv\Shared /persistent:yes
GPO Drive Map settings (alternative, Group Policy Preferences; these are GPMC settings written out as notes, not a script)
# Computer Configuration > Preferences > Windows Settings > Drive Maps
# Action: Replace | Drive Letter: X: | Location: \\fileserv\Department
# Action: Replace | Drive Letter: Y: | Location: \\fileserv\Shared
# Item-level targeting: Security Group = "Domain Users"

Both methods work. The login script is simpler to debug, but GPO Drive Maps give you item-level targeting per security group, OU, or machine type.

// Service Commands

Bash Common operations
# Restart after config changes (winbind too: the idmap and winbind settings live in the same file)
sudo systemctl restart smbd nmbd winbind

# Check AD join status
sudo net ads testjoin

# Test config syntax
testparm -s
// Result

File server now has SNMP monitoring, enforced SMB3 security, 4GB swap safety net, and audit logging for compliance/forensics.