Auto-generated content — pending SME review

This content was auto-generated from Fusion SMB documentation and is pending SME review. Please verify accuracy before using in partner-facing contexts.

Proof-of-Concept Guide

This page guides you through setting up a production-representative proof-of-concept with Active Directory integration, multiple shares with different security configurations, and access control. Use this to validate Fusion SMB in a prospect's environment.

PoC Objectives

A successful PoC should demonstrate:

  1. Active Directory integration — domain join, Kerberos authentication, user/group resolution
  2. Share management — creating, updating, and removing shares via config file and CLI
  3. Security configuration — encryption, signing, ACLs, and file security modes
  4. Access control — share permissions, host-based restrictions, and access-based enumeration
  5. Manageability — runtime configuration changes, persistent config mode, MMC support

Prerequisites

Component          Requirement
-----------------  -----------------------------------------------------------
Fusion SMB server  Installed and running (see Demo Environment Setup)
Active Directory   Functional AD domain with a reachable domain controller
DNS                Server can resolve the AD domain (verify with nslookup)
Test users         At least 2 AD user accounts and 1 AD group for testing

Phase 1: Active Directory Integration

Join the Domain

  1. Install AD prerequisites:
sudo apt -y install sssd-ad sssd-tools realmd adcli krb5-user sssd-krb5
  2. Set the server hostname to its FQDN (this must match the --host-fqdn value passed to adcli join below):
sudo hostnamectl set-hostname fusion-srv.yourdomain.com
  3. Configure Kerberos (/etc/krb5.conf). The realm is the domain name in upper case; Kerberos realms are case-sensitive:
[libdefaults]
default_realm = YOURDOMAIN.COM
rdns = false
  4. Verify domain discovery:
sudo adcli info yourdomain.com
  5. Configure SSSD (/etc/sssd/sssd.conf):
[sssd]
domains = yourdomain.com
config_file_version = 2
services = nss

[domain/yourdomain.com]
ad_domain = yourdomain.com
krb5_realm = YOURDOMAIN.COM
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
ldap_id_mapping = True
use_fully_qualified_names = false
access_provider = ad
SSSD will not start if the file is readable by other users, so restrict it to root:
sudo chmod 600 /etc/sssd/sssd.conf
  6. Join the domain:
sudo adcli join --domain YOURDOMAIN.COM \
--service-name=cifs \
--computer-name FUSION-SRV \
--host-fqdn fusion-srv.YOURDOMAIN.COM -v
  7. Enable SSSD and verify that AD users resolve:
sudo systemctl enable sssd && sudo systemctl restart sssd
id testuser # Should return UID, GID, and group memberships
  8. On the domain controller (PowerShell), set the UPN for the computer account:
Set-ADComputer -Identity FUSION-SRV -UserPrincipalName cifs/FUSION-SRV@YOURDOMAIN.COM

Configure Fusion SMB for AD

Update /etc/tsmb.conf:

[global]
userdb_type = ad
domain = yourdomain.com
server_name = fusion-srv
runstate_dir = /var/lib/tsmb
listen = ANY,0.0.0.0,IPv4,445,DIRECT_TCP

# Logging for diagnostics
log_destination = file
log_level = 40
log_params = path=/var/log/tsmb.log,long,timestamp,time_usec=false,tid,trace,sensitive_data=strip
[/global]

Validate AD Integration

  1. Verify DNS SRV records:
nslookup -q=srv _kerberos._tcp.yourdomain.com
nslookup -q=srv _kpasswd._tcp.yourdomain.com
  2. Verify that a Kerberos ticket can be obtained from the keytab written by the join:
sudo kinit -k -V cifs/FUSION-SRV@YOURDOMAIN.COM -t /etc/krb5.keytab
  3. Start Fusion SMB and test client authentication from Windows using domain credentials.
  4. Check the log for a successful LDAP connection:
grep "Connected to ldap" /var/log/tsmb.log
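The checks in steps 1 to 8 and in the validation list above are easy to get subtly wrong (short hostname, lower-case realm, world-readable sssd.conf), and each of those surfaces later as an unhelpful "kinit fails". The script below bundles them into one preflight run. It is an added example for this guide, not Fusion SMB tooling; the lab values (fusion-srv.yourdomain.com, the cifs/ principal, testuser) and the file paths are assumptions matching the steps above, and the tr/awk parsing is deliberately simple.

```shell
#!/usr/bin/env bash
# poc_ad_preflight.sh: static and live checks for the Phase 1 domain join.
# Added example for this guide, not part of Fusion SMB. The sample host name,
# realm and test user are assumptions matching the lab values in the guide.

# is_fqdn HOST: 0 when HOST contains a dot (what adcli --host-fqdn and the
# cifs/ SPN expect), 1 for a bare short name.
is_fqdn() { case "$1" in *.*) return 0 ;; *) return 1 ;; esac; }

# krb5_default_realm FILE: prints default_realm from the [libdefaults] section.
krb5_default_realm() {
  awk -F'=' '
    /^[ \t]*\[/ { sect = $0; gsub(/\[|\]|[ \t]/, "", sect) }
    sect == "libdefaults" && $1 ~ /^[ \t]*default_realm[ \t]*$/ {
      v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit
    }' "$1"
}

# is_uppercase STR: 0 when STR is non-empty and contains no lower-case letter.
# Kerberos realms are case-sensitive and AD realms are upper case, so a
# lower-case default_realm is the classic reason kinit fails.
is_uppercase() {
  [ -n "$1" ] && [ "$1" = "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" ]
}

# check DESC CMD...: runs CMD silently, prints PASS/FAIL with DESC, returns CMD's status.
check() {
  local desc=$1; shift
  if "$@" >/dev/null 2>&1; then printf 'PASS  %s\n' "$desc"
  else printf 'FAIL  %s\n' "$desc"; return 1; fi
}

# preflight_static HOST KRB5CONF SSSDCONF: the offline checks.
# Returns the number of failed checks (0 = all good).
preflight_static() {
  local fails=0 realm
  check "hostname '$1' is an FQDN" is_fqdn "$1" || fails=$((fails + 1))
  realm=$(krb5_default_realm "$2" 2>/dev/null)
  check "default_realm '$realm' is set and upper case" is_uppercase "$realm" || fails=$((fails + 1))
  check "$3 is mode 0600 (SSSD refuses other modes)" \
    [ "$(stat -c %a "$3" 2>/dev/null)" = 600 ] || fails=$((fails + 1))
  return "$fails"
}

# preflight_live DOMAIN PRINCIPAL USER: the checks that need DNS, SSSD and the
# keytab written by adcli join; run on the Fusion SMB host after step 8.
preflight_live() {
  local fails=0
  check "SRV _kerberos._tcp.$1 resolves" nslookup -q=srv "_kerberos._tcp.$1" || fails=$((fails + 1))
  check "SRV _kpasswd._tcp.$1 resolves" nslookup -q=srv "_kpasswd._tcp.$1" || fails=$((fails + 1))
  check "AD user '$3' resolves through SSSD" id "$3" || fails=$((fails + 1))
  check "keytab ticket for $2" sudo kinit -k -t /etc/krb5.keytab "$2" || fails=$((fails + 1))
  return "$fails"
}

# Usage on the server:  ./poc_ad_preflight.sh live yourdomain.com cifs/FUSION-SRV@YOURDOMAIN.COM testuser
if [ "${1:-}" = live ]; then
  preflight_static "$(hostname)" /etc/krb5.conf /etc/sssd/sssd.conf
  preflight_live "${2:-yourdomain.com}" "${3:-cifs/FUSION-SRV@YOURDOMAIN.COM}" "${4:-testuser}"
fi
```

Run it once before the join (expect only the static checks to pass) and again after step 8; a non-zero count from preflight_live maps directly onto the rows of the Common PoC Issues table at the end of this page.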

Reference: Active Directory Integration on docs.tuxera.com

Phase 2: Share Management

Create Multiple Shares

Demonstrate different share configurations:

# Engineering share — full access for engineering group
[share]
netname = Engineering
path = /export/engineering
permissions = engineering:full
security = hybrid
map_acls = xattr:raw
[/share]

# Finance share — encrypted, restricted access
[share]
netname = Finance
path = /export/finance
permissions = finance:full,everyone:read
encrypt_data = true
security = windows
map_acls = xattr:raw
[/share]

# Public share — read-only for everyone; access-based enumeration hides files and folders a user cannot open
[share]
netname = Public
path = /export/public
permissions = everyone:read
access_based_enumeration = true
[/share]

Create the directories:

sudo mkdir -p /export/{engineering,finance,public}
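A bare mkdir -p leaves all three directories as root:root 0755, which is not what the share permissions above express: everyone can read Engineering at the POSIX level and nobody but root can write anywhere. Whatever file security mode a share uses, the directory's POSIX owner, group and mode are what local processes and any POSIX fallback see, so set them deliberately. The script below does that for the sample shares and refuses to proceed when an AD group does not resolve, which after a domain join usually means SSSD is not running. It is an added example for this guide, not Fusion SMB tooling; the group names, modes and /export root are assumptions taken from the sample config above.

```shell
#!/usr/bin/env bash
# prepare_share_dirs.sh: creates the export directories with POSIX ownership
# that matches the three sample shares. Added example for this guide, not
# Fusion SMB tooling; group names, modes and the /export root are assumptions
# taken from the sample config in the guide.

# group_resolves NAME: 0 when NAME is known to NSS (local file or SSSD/AD).
group_resolves() { getent group "$1" >/dev/null 2>&1; }

# dir_mode DIR: prints the octal mode including the setgid bit, e.g. 2770 (GNU stat).
dir_mode() { stat -c %a "$1"; }

# prepare_share_dir ROOT NAME GROUP MODE: creates ROOT/NAME owned by GROUP with
# MODE. Returns 2 before touching the filesystem if GROUP does not resolve.
# The setgid bit in MODE (2xxx) keeps new files in the share's group
# regardless of the creating user's primary group.
prepare_share_dir() {
  local root=$1 name=$2 group=$3 mode=$4 dir
  dir="$root/$name"
  if ! group_resolves "$group"; then
    printf 'group %s does not resolve; check "getent group %s" and that SSSD is running\n' \
      "$group" "$group" >&2
    return 2
  fi
  mkdir -p "$dir" && chgrp "$group" "$dir" && chmod "$mode" "$dir"
}

# prepare_poc_shares [ROOT]: the three shares from the sample config.
#   Engineering  engineering:full            -> group rwx, nothing for others
#   Finance      finance:full,everyone:read  -> group rwx, others r-x
#   Public       everyone:read               -> root-owned, world r-x
prepare_poc_shares() {
  local root=${1:-/export}
  prepare_share_dir "$root" engineering engineering 2770 &&
  prepare_share_dir "$root" finance     finance     2775 &&
  prepare_share_dir "$root" public      root        0755
}

# Run as root on the Fusion SMB host after the domain join:
#   ./prepare_share_dirs.sh run /export
if [ "${1:-}" = run ]; then
  prepare_poc_shares "${2:-/export}" && ls -ld "${2:-/export}"/*
fi
```

If prepare_poc_shares stops with "group engineering does not resolve", fix Phase 1 before continuing; the same unresolved name is what turns into "Permission denied on share" once clients connect.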

Runtime Share Management

While the server is running, demonstrate CLI-based management:

# Add a share at runtime
sudo tsmb-cfg share add -n Temp -p /export/temp

# Update a share
sudo tsmb-cfg share update -n Temp --hidden true

# Remove a share
sudo tsmb-cfg share del -n Temp

If the server was started with -p (persistent mode), these changes are saved to the config file automatically.

Reference: Share Management on docs.tuxera.com

Phase 3: Security Configuration

Encryption in Transit

Enable encryption globally or per share:

[global]
# Require encryption for all shares
encrypt_data = true
reject_unencrypted_access = true
[/global]

Or enable selectively per share:

[share]
netname = Sensitive
path = /export/sensitive
encrypt_data = true
[/share]

Message Signing

Require message signing for enhanced security:

[global]
require_message_signing = true
[/global]
Windows 11 24H2 Note

Windows 11 24H2 and Windows Server 2025 require SMB signing by default for all outbound connections, so sessions from those clients to Fusion SMB are signed whether or not the server enforces it. Signing adds a per-message MAC, which can lower throughput compared with earlier Windows versions, although SMB 3.1.1 sessions that negotiate AES-GMAC signing pay far less for it than the older HMAC-SHA256. If the prospect raises this, explain that it is a Microsoft-side change affecting all SMB servers, not something Fusion SMB imposes. The client-side requirement can be turned off, but signing is what prevents an authenticated session from being tampered with or relayed, so present that as a deliberate risk decision for the prospect's security team rather than a performance tuning step.

File Security Modes

Demonstrate the four security modes:

Mode     Behavior                                      Best for
-------  --------------------------------------------  ----------------------
hybrid   ACLs stored in xattrs, with POSIX fallback    Mixed environments
windows  Full Windows ACL behavior                     AD-joined environments
posix    Standard UNIX rwx permissions                 Linux-native workflows
none     No file-level checks; share permissions only  Simple setups

Access Control Features

Host-based access control:

[share]
netname = Internal
path = /export/internal
hosts_allow = 10.0.0.0/8
hosts_deny = 10.0.99.0/24
[/share]

Veto files:

[share]
netname = Documents
path = /export/docs
files_allow = *.docx|*.xlsx|*.pdf
files_deny = *.exe|*.bat
[/share]

Access-based enumeration (users only see what they can access):

[global]
access_based_share_enumeration = true
[/global]

[share]
netname = Projects
path = /export/projects
access_based_enumeration = true
[/share]
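Access-based share enumeration is easiest to demonstrate by listing the server as two different users and diffing the results: the engineering member sees Engineering, Finance and Public, a user in neither group sees only Finance (everyone:read) and Public. The script below does that from a Linux client with smbclient and Kerberos tickets. It is an added example for this guide, not Fusion SMB tooling; the server name and user names are assumptions, and the two listings embedded in it are constructed to look like smbclient -L output for the sample config so the parsing can be tried offline.

```shell
#!/usr/bin/env bash
# abe_check.sh: shows which shares each test user can enumerate, which is how
# to demonstrate access_based_share_enumeration from a Linux client with
# smbclient. Added example for this guide, not Fusion SMB tooling; the server
# name and users are assumptions and the two listings below are constructed.

# parse_sharenames: reads `smbclient -L` output on stdin and prints one share
# name per line, skipping the header, the dashed rule and $-suffixed
# administrative shares such as IPC$.
parse_sharenames() {
  awk '
    /Sharename[ \t]+Type/ { in_table = 1; next }
    in_table && /^[ \t]*$/ { in_table = 0 }
    in_table && $1 !~ /^-+$/ && $1 !~ /\$$/ { print $1 }
  '
}

# visible_shares SERVER: share names the current Kerberos ticket holder can
# see, sorted. kinit as the user first. (-k is spelled --use-kerberos=required
# on Samba 4.15 and newer.)
visible_shares() {
  smbclient -L "//$1" -k -N 2>/dev/null | parse_sharenames | sort
}

# shares_hidden_from LIST_A LIST_B: names present in sorted LIST_A but absent
# from sorted LIST_B, i.e. what ABE hides from the second user.
shares_hidden_from() {
  comm -23 <(printf '%s\n' "$1") <(printf '%s\n' "$2")
}

# Constructed listings for the sample config: a member of the engineering
# group, and a user who is in neither engineering nor finance.
sample_listing_engineer() {
  cat <<'EOF'

        Sharename       Type      Comment
        ---------       ----      -------
        Engineering     Disk
        Finance         Disk
        Public          Disk
        IPC$            IPC       IPC Service

SMB1 disabled -- no workgroup available
EOF
}
sample_listing_other() {
  cat <<'EOF'

        Sharename       Type      Comment
        ---------       ----      -------
        Finance         Disk
        Public          Disk
        IPC$            IPC       IPC Service

SMB1 disabled -- no workgroup available
EOF
}

# Live use (prompts for each user's password):
#   ./abe_check.sh run fusion-srv.yourdomain.com engineer1 testuser2
if [ "${1:-}" = run ]; then
  server=$2; shift 2
  for user in "$@"; do
    kinit "$user" || continue
    printf '== shares visible to %s\n' "$user"
    visible_shares "$server"
  done
fi
```

From a Windows client the same comparison is `net view \\fusion-srv` run as each user. Note that ABE hides, it does not deny: a user who knows the name Engineering can still attempt to connect and is then refused by the share permissions, which is the second half of the demonstration.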

Reference: Authorization and Access Management and SMB Protocol-Level Security on docs.tuxera.com

Phase 4: Validation Checklist

Use this checklist to validate the PoC:

  • Domain join successful — id <domain-user> returns UID/GID
  • Kerberos tickets obtainable — kinit -k -V succeeds
  • Clients authenticate with domain credentials
  • Multiple shares visible with correct permissions
  • Encryption is active on configured shares (verify in the server log, or from a Windows client with Get-SmbConnection, whose Encrypted and Signed properties show the state of each session)
  • Access-based enumeration hides unauthorized shares
  • Runtime share changes via CLI take effect immediately
  • Performance meets expectations (run fio benchmark from Demo Environment)

Common PoC Issues

Issue                       Resolution
--------------------------  -----------------------------------------------------------------------------
kinit fails                 Verify DNS, that the hostname is the FQDN, and the krb5.conf realm (must be upper case)
Client can't find server    Verify TCP 445 is open and that server_name matches the computer account
Permission denied on share  Check the permissions parameter format (user:level or group:level) and that the name resolves on the server (id / getent group)
Slow performance            Check whether signing is enforced (Windows 11 24H2 default) and verify storage throughput

Next Steps

Knowledge Check
1. What tool is used to join a Fusion SMB server to an Active Directory domain?
2. Which configuration setting forces all clients to use encrypted connections?
3. What does the -p flag do when starting tsmb-server?