Saturday, October 14, 2017
With the last version of samba 4 comes with Active
directory logon and administration protocols, including typical active directory
support and full interoperability with Microsoft Active Directory servers. This
is possible with the combination of a LDAP directory, kerberos authentication,
BIND DNS server and the remote procedure calls RPC.
When running as an Active Directory DC, you only need to run 'samba' (not smbd/nmbd/winbindd), as the required services are co-coordinated by this master binary. The tool to administer the Active Directory services is called 'samba-tool'.
I have a CentOS 6 x86_64 Minimal install. This post covers the initial installation and configuration of samba 4 as Active Directory domain controller on Centos 6 using BIND 9 as DNS backend and NTP server used by the clients.
1) Disable SELinux
[root@ad ~]# vi /etc/sysconfig/selinux
selinux=disabled
2) Install the pre-requisites (or dependencies) for Samba 4 installation
[root@ad ~]# yum -y install wget gcc make wget python-devel gnutls-devel openssl-devel libacl-devel krb5-server krb5-libs krb5-workstation bind bind-libs bind-utils ntp
3) Configure NTP to use the local time server
[root@ad ~]# vi /etc/ntp.conf
Comment line numbers 22,23,24 and uncomment the below lines in the configuration file
server 127.127.1.0 # local clock
fudge 127.127.1.0 stratum 10
4) Download and compile Samba 4 from the following link
[root@ad ~]# wget ftp://ftp.samba.org/pub/samba/samba-4.1.0.tar.gz
[root@ad ~]# tar -xvzf samba-4.1.0.tar.gz
[root@ad ~]# cd samba-4.1.0
[root@ad samba-4.1.0]# ./configure --enable-selftest --enable-debug
[root@ad samba-4.1.0]# make
[root@ad samba-4.1.0]# make install
5) Configuring Samba 4 to be a domain controller using samba-tool command
[root@ad ~]# /usr/local/samba/bin/samba-tool domain provision
Realm [ORANGE.COM]: ORANGE.COM (All Caps)
Domain [ORANGE]:
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: BIND9_DLZ
DNS forwarder IP address (write 'none' to disable forwarding) [192.168.124.252]: none
Administrator password: secret!1234
Retype password: secret!1234
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=orange,DC=com
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=orange,DC=com
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role: active directory domain controller
Hostname: ad
NetBIOS Domain: ORANGE
DNS Domain: orange.com
DOMAIN SID: S-1-5-21-3335388306-1463729434-941727365
6) Configuring BIND as Samba Active Directory backend
Note: Bind must be installed on the same machine as Samba 4 is installed.
The dns backend BIND9_DLZ uses Samba 4 AD to store zone information
[root@ad ~]# rndc-confgen -a -r /dev/urandom
wrote key file "/etc/rndc.key"
A DNS keytab file was automatically created during provisioning/updating. Add the following' tkey-gssapi-keytab' option to the 'options' section of named.conf file.
[root@ad ~]# vim /etc/named.conf
options {
listen-on port 53 { 192.168.1.100; };
allow-query { any; };
tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
};
include "/usr/local/samba/private/named.conf";
include "/etc/rndc.key";
6) Change the resolv.conf file to the IP address of Samba server
[root@ad ~]# vim /etc/resolv.conf
domain orange.com
nameserver 192.168.1.100
7) Configure the kerberos configuration file as below
[root@ad ~]# cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf
[root@ad ~]# vim /etc/krb5.conf
[libdefaults]
default_realm = ORANGE.COM (All Caps)
dns_lookup_realm = false
dns_lookup_kdc = true
8) Set the permissions for named on the below files
[root@ad ~]# chgrp named /etc/krb5.conf
[root@ad ~]# chown named:named /usr/local/samba/private/dns
[root@ad ~]# chown named:named /usr/local/samba/private/dns.keytab
[root@ad ~]# chmod 775 /usr/local/samba/private/dns
9) Configuring the Samba 4 init.d script and set permissions to it.
[root@ad ~]# vim /etc/init.d/samba4
#! /bin/bash
#
# samba4 Bring up/down samba4 service
#
# chkconfig: - 90 10
# description: Activates/Deactivates all samba4 interfaces configured to
# start at boot time.
#
### BEGIN INIT INFO
# Provides:
# Should-Start:
# Short-Description: Bring up/down samba4
# Description: Bring up/down samba4
### END INIT INFO
# Source function library.
. /etc/init.d/functions
if [ -f /etc/sysconfig/samba4 ]; then
. /etc/sysconfig/samba4
fi
CWD=$(pwd)
prog="samba4"
start() {
# Attach irda device
echo -n $"Starting $prog: "
/usr/local/samba/sbin/samba
sleep 2
if ps ax | grep -v "grep" | grep -q /samba/sbin/samba ; then success $"samba4 startup"; else failure $"samba4 startup"; fi
echo
}
stop() {
# Stop service.
echo -n $"Shutting down $prog: "
killall samba
sleep 2
if ps ax | grep -v "grep" | grep -q /samba/sbin/samba ; then failure $"samba4 shutdown"; else success $"samba4 shutdown"; fi
echo
}
status() {
/usr/local/samba/sbin/samba --show-build
}
# See how we were called.
case "$1" in
start)
start
;;
stop)
stop
;;
status)
status irattach
;;
restart|reload)
stop
start
;;
*)
echo $"Usage: $0 {start|stop|restart|status}"
exit 1
esac
exit 0
[root@ad ~]# chmod 755 /etc/init.d/samba4
10) Configure the services to start at boot and start the below services.
[root@ad ~]# chkconfig ntpd on
[root@ad ~]# chkconfig named on
[root@ad ~]# chkconfig samba4 on
[root@ad ~]# service ntpd start
[root@ad ~]# service named on
[root@ad ~]# service samba4 on
11) If iptables is enabled then the below ports need to allowed through firewall.
[root@ad ~]# iptables -A INPUT -p udp -i eth0 -s 192.168.1.0/24 --dport 53 -j ACCEPT
[root@ad ~]# iptables -A INPUT -p udp -i eth0 -s 192.168.1.0/24 --dport 123 -j ACCEPT
[root@ad ~]# iptables -A INPUT -p udp -i eth0 -s 192.168.1.0/24 --dport 135 -j ACCEPT
[root@ad ~]# iptables -A INPUT -p udp -i eth0 -s 192.168.1.0/24 --dport 138 -j ACCEPT
[root@ad ~]# iptables -A INPUT -p udp -i eth0 -s 192.168.1.0/24 --dport 389 -j ACCEPT
[root@ad ~]# iptables -A INPUT -p tcp -i eth0 -s 192.168.1.0/24 --dport 88 -j ACCEPT
[root@ad ~]# iptables -A INPUT -p tcp -i eth0 -s 192.168.1.0/24 --dport 139 -j ACCEPT
[root@ad ~]# iptables -A INPUT -p tcp -i eth0 -s 192.168.1.0/24 --dport 389 -j ACCEPT
[root@ad ~]# iptables -A INPUT -p tcp -i eth0 -s 192.168.1.0/24 --dport 445 -j ACCEPT
[root@ad ~]# iptables -A INPUT -p tcp -i eth0 -s 192.168.1.0/24 --dport 464 -j ACCEPT
[root@ad ~]# iptables -A INPUT -p tcp -i eth0 -s 192.168.1.0/24 --dport 636 -j ACCEPT
[root@ad ~]# iptables -A INPUT -p tcp -i eth0 -s 192.168.1.0/24 --dport 1024:1032 -j ACCEPT
[root@ad ~]# iptables -A INPUT -p tcp -i eth0 -s 192.168.1.0/24 --dport 3268 -j ACCEPT
[root@ad ~]# iptables -A INPUT -p udp -i eth0 -s 192.168.1.0/24 --dport 3269 -j ACCEPT
[root@ad ~]# service iptables save
12) Reboot the system to check services are working after reboot are not.
[root@ad ~]# reboot
13) Join a Windows PC to this domain controller
14) Troubleshooting incase debugging dynamic DNS updates are not working
[root@ad ~]# /usr/local/samba/sbin/samba_dnsupdate --verbose --all-names
15) Port numbers used in iptables and their use.
53 - UDP - DNS (Domain Naming System)
123 - UDP - NTP (Network Time Protocol)
135 - UDP - RPC (Remote Procedure Calls)
138 - UDP - NetBIOS Logon
389 - UDP - LDAP UDP (LightWeight Directory Access Protocol)
88 - TCP - Kerberos
139 - TCP - NetBIOS Session
389 - TCP - LDAP TCP (LightWeight Directory Access Protocol)
445 - TCP - SMB CIFS (Server Message Block / Common Internet File System)
464 - TCP - Kerberos Password Management
636 - TCP - LDAP SSL (LightWeight Directory Access Protocol)
3268 - TCP - LDAP Global Catalog
3269 - TCP - LDAP Global Catalog SSL
=======================================================================
When running as an Active Directory DC, you only need to run 'samba' (not smbd/nmbd/winbindd), as the required services are co-coordinated by this master binary. The tool to administer the Active Directory services is called 'samba-tool'.
I have a CentOS 6 x86_64 Minimal install. This post covers the initial installation and configuration of samba 4 as Active Directory domain controller on Centos 6 using BIND 9 as DNS backend and NTP server used by the clients.
1) Disable SELinux
[root@ad ~]# vi /etc/sysconfig/selinux
selinux=disabled
2) Install the pre-requisites (or dependencies) for Samba 4 installation
[root@ad ~]# yum -y install wget gcc make wget python-devel gnutls-devel openssl-devel libacl-devel krb5-server krb5-libs krb5-workstation bind bind-libs bind-utils ntp
3) Configure NTP to use the local time server
[root@ad ~]# vi /etc/ntp.conf
Comment line numbers 22,23,24 and uncomment the below lines in the configuration file
server 127.127.1.0 # local clock
fudge 127.127.1.0 stratum 10
4) Download and compile Samba 4 from the following link
[root@ad ~]# wget ftp://ftp.samba.org/pub/samba/samba-4.1.0.tar.gz
[root@ad ~]# tar -xvzf samba-4.1.0.tar.gz
[root@ad ~]# cd samba-4.1.0
[root@ad samba-4.1.0]# ./configure --enable-selftest --enable-debug
[root@ad samba-4.1.0]# make
[root@ad samba-4.1.0]# make install
5) Configuring Samba 4 to be a domain controller using samba-tool command
[root@ad ~]# /usr/local/samba/bin/samba-tool domain provision
Realm [ORANGE.COM]: ORANGE.COM (All Caps)
Domain [ORANGE]:
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: BIND9_DLZ
DNS forwarder IP address (write 'none' to disable forwarding) [192.168.124.252]: none
Administrator password: secret!1234
Retype password: secret!1234
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=orange,DC=com
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=orange,DC=com
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role: active directory domain controller
Hostname: ad
NetBIOS Domain: ORANGE
DNS Domain: orange.com
DOMAIN SID: S-1-5-21-3335388306-1463729434-941727365
6) Configuring BIND as Samba Active Directory backend
Note: Bind must be installed on the same machine as Samba 4 is installed.
The dns backend BIND9_DLZ uses Samba 4 AD to store zone information
[root@ad ~]# rndc-confgen -a -r /dev/urandom
wrote key file "/etc/rndc.key"
A DNS keytab file was automatically created during provisioning/updating. Add the following' tkey-gssapi-keytab' option to the 'options' section of named.conf file.
[root@ad ~]# vim /etc/named.conf
options {
listen-on port 53 { 192.168.1.100; };
allow-query { any; };
tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
};
include "/usr/local/samba/private/named.conf";
include "/etc/rndc.key";
6) Change the resolv.conf file to the IP address of Samba server
[root@ad ~]# vim /etc/resolv.conf
domain orange.com
nameserver 192.168.1.100
7) Configure the kerberos configuration file as below
[root@ad ~]# cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf
[root@ad ~]# vim /etc/krb5.conf
[libdefaults]
default_realm = ORANGE.COM (All Caps)
dns_lookup_realm = false
dns_lookup_kdc = true
8) Set the permissions for named on the below files
[root@ad ~]# chgrp named /etc/krb5.conf
[root@ad ~]# chown named:named /usr/local/samba/private/dns
[root@ad ~]# chown named:named /usr/local/samba/private/dns.keytab
[root@ad ~]# chmod 775 /usr/local/samba/private/dns
9) Configuring the Samba 4 init.d script and set permissions to it.
[root@ad ~]# vim /etc/init.d/samba4
#! /bin/bash
#
# samba4 Bring up/down samba4 service
#
# chkconfig: - 90 10
# description: Activates/Deactivates all samba4 interfaces configured to
# start at boot time.
#
### BEGIN INIT INFO
# Provides:
# Should-Start:
# Short-Description: Bring up/down samba4
# Description: Bring up/down samba4
### END INIT INFO
# Source function library.
. /etc/init.d/functions
if [ -f /etc/sysconfig/samba4 ]; then
. /etc/sysconfig/samba4
fi
CWD=$(pwd)
prog="samba4"
start() {
# Attach irda device
echo -n $"Starting $prog: "
/usr/local/samba/sbin/samba
sleep 2
if ps ax | grep -v "grep" | grep -q /samba/sbin/samba ; then success $"samba4 startup"; else failure $"samba4 startup"; fi
echo
}
stop() {
# Stop service.
echo -n $"Shutting down $prog: "
killall samba
sleep 2
if ps ax | grep -v "grep" | grep -q /samba/sbin/samba ; then failure $"samba4 shutdown"; else success $"samba4 shutdown"; fi
echo
}
status() {
/usr/local/samba/sbin/samba --show-build
}
# See how we were called.
case "$1" in
start)
start
;;
stop)
stop
;;
status)
status irattach
;;
restart|reload)
stop
start
;;
*)
echo $"Usage: $0 {start|stop|restart|status}"
exit 1
esac
exit 0
[root@ad ~]# chmod 755 /etc/init.d/samba4
10) Configure the services to start at boot and start the below services.
[root@ad ~]# chkconfig ntpd on
[root@ad ~]# chkconfig named on
[root@ad ~]# chkconfig samba4 on
[root@ad ~]# service ntpd start
[root@ad ~]# service named on
[root@ad ~]# service samba4 on
11) If iptables is enabled then the below ports need to allowed through firewall.
[root@ad ~]# iptables -A INPUT -p udp -i eth0 -s 192.168.1.0/24 --dport 53 -j ACCEPT
[root@ad ~]# iptables -A INPUT -p udp -i eth0 -s 192.168.1.0/24 --dport 123 -j ACCEPT
[root@ad ~]# iptables -A INPUT -p udp -i eth0 -s 192.168.1.0/24 --dport 135 -j ACCEPT
[root@ad ~]# iptables -A INPUT -p udp -i eth0 -s 192.168.1.0/24 --dport 138 -j ACCEPT
[root@ad ~]# iptables -A INPUT -p udp -i eth0 -s 192.168.1.0/24 --dport 389 -j ACCEPT
[root@ad ~]# iptables -A INPUT -p tcp -i eth0 -s 192.168.1.0/24 --dport 88 -j ACCEPT
[root@ad ~]# iptables -A INPUT -p tcp -i eth0 -s 192.168.1.0/24 --dport 139 -j ACCEPT
[root@ad ~]# iptables -A INPUT -p tcp -i eth0 -s 192.168.1.0/24 --dport 389 -j ACCEPT
[root@ad ~]# iptables -A INPUT -p tcp -i eth0 -s 192.168.1.0/24 --dport 445 -j ACCEPT
[root@ad ~]# iptables -A INPUT -p tcp -i eth0 -s 192.168.1.0/24 --dport 464 -j ACCEPT
[root@ad ~]# iptables -A INPUT -p tcp -i eth0 -s 192.168.1.0/24 --dport 636 -j ACCEPT
[root@ad ~]# iptables -A INPUT -p tcp -i eth0 -s 192.168.1.0/24 --dport 1024:1032 -j ACCEPT
[root@ad ~]# iptables -A INPUT -p tcp -i eth0 -s 192.168.1.0/24 --dport 3268 -j ACCEPT
[root@ad ~]# iptables -A INPUT -p udp -i eth0 -s 192.168.1.0/24 --dport 3269 -j ACCEPT
[root@ad ~]# service iptables save
12) Reboot the system to check services are working after reboot are not.
[root@ad ~]# reboot
13) Join a Windows PC to this domain controller
14) Troubleshooting incase debugging dynamic DNS updates are not working
[root@ad ~]# /usr/local/samba/sbin/samba_dnsupdate --verbose --all-names
15) Port numbers used in iptables and their use.
53 - UDP - DNS (Domain Naming System)
123 - UDP - NTP (Network Time Protocol)
135 - UDP - RPC (Remote Procedure Calls)
138 - UDP - NetBIOS Logon
389 - UDP - LDAP UDP (LightWeight Directory Access Protocol)
88 - TCP - Kerberos
139 - TCP - NetBIOS Session
389 - TCP - LDAP TCP (LightWeight Directory Access Protocol)
445 - TCP - SMB CIFS (Server Message Block / Common Internet File System)
464 - TCP - Kerberos Password Management
636 - TCP - LDAP SSL (LightWeight Directory Access Protocol)
3268 - TCP - LDAP Global Catalog
3269 - TCP - LDAP Global Catalog SSL
Configute Samba4 Active Directory Domain Controller.
The Samba4 package provided from official repository does not provide the DC function yet, so Download Samba4 RPM package from the EnterpriseSAMBA.com ( http://enterprisesamba.com/ ) which is introduced by Samba official site ( https://www.samba.org/ ).
|
| [1] |
Register
your user info on the site below first to download Samba4 RPM package.
https://portal.enterprisesamba.com/ |
| [2] |
After
registration, access to the URL above again and click 'Login' to login the
site.
|
| [3] |
After
login, remember your username and accesskey which is displayed on the site. It's
necessarry to set in repo file for yum later.
|
| [4] |
Scroll
down the page and download 'sernet-samba-4.1.repo' for CentOS 6 to your PC or
server. Next, upload it to the server you will install Samba4 and move it under
the '/etc/yum.repos.d'.
|
| [5] | Set your username and accesskey in repo file. |
|
# change to your username and
accesskey
[sernet-samba-4.1] name=SerNet Samba 4.1 Packages (centos-6) type=rpm-md baseurl=https://
USERNAME:ACCESSKEY
@download.sernet.de/packages/samba/4.1/centos/6/gpgcheck=1 gpgkey=https://
USERNAME:ACCESSKEY
@download.sernet.de/packages/samba/4.1/centos/6/repodata/repomd.xml.keyenabled=1 |
| [6] | Install Samba4. |
| [root@smb ~]#
yum -y
install sernet-samba sernet-samba-ad
|
| [7] | Configure Samba AD DC. |
| [root@smb ~]#
samba-tool domain provision
# specify Realm
Realm [SRV.WORLD]:
SRV.WORLD
# specify Domain name
Domain [SERVER]:
SMB01
# Enter with default because it sets
DC
Server Role (dc, member, standalone) [dc]:
# Enter with default because it uses Built-in
DNS
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
# confirm DNS setting and Enter if it's
OK
DNS forwarder IP address (write 'none' to disable forwarding) [10.0.0.1]:
# set admin password
# Do not set trivial password, if you input it,
configuration wizard shows error and stops.
Administrator password:
Retype password:
Looking up IPv4 addresses
Looking up IPv6 addresses
...
...
A Kerberos configuration suitable for Samba 4 has been generated at /var/lib/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role: active directory domain controller
Hostname: smb
NetBIOS Domain: SMB01
DNS Domain: srv.world
DOMAIN SID: S-1-5-21-1368991612-3962103640-954018680
# line 7: change
SAMBA_START_MODE="
ad
"
cp /var/lib/samba/private/krb5.conf
/etc/krb5.conf
[root@smb ~]#
/etc/rc.d/init.d/sernet-samba-ad
start
Starting SAMBA AD services : [ OK ] [root@smb ~]#
chkconfig sernet-samba-ad
on
[root@smb ~]#
chkconfig sernet-samba-smbd
off
[root@smb ~]#
chkconfig sernet-samba-nmbd
off
[root@smb ~]#
chkconfig sernet-samba-winbindd
off
|
| [8] | Raise the domain level to 2008 R2. |
[root@smb
~]#
samba-tool domain level raise --domain-level 2008_R2
--forest-level 2008_R2
Domain function level changed! Forest function level changed! All changes applied successfully!
# show domain level
[root@smb ~]#
samba-tool domain level show
Domain and forest function level for domain 'DC=srv,DC=world'
Forest function level: (Windows) 2008 R2
Domain function level: (Windows) 2008 R2
Lowest function level of a DC: (Windows) 2008 R2
|
These sites may have features such as comments sections, Apps to watch the leatest web series for free allowing readers to engage in discussions and share their thoughts on the articles they read.
ReplyDelete