網頁

2013年9月30日 星期一

Samba 4.x --- Install(via tar or git) configure and provision AD DS on CentOS 6.x

Since Samba 4 releases, its function is as a compatible Active Directory Domain Controller that come with Kerberos logon and authentication, LDAP directory, dynamic DNS and remote procedure call and so on. (# 1)The following section will introduce How to install and configure Samba 4 as Active Directory Domain Controller on CentOS 6.x x64 version.

Prerequisite
To login the system by root account and update the yum repositories and packages by using the yum update command.ScreenShot006If the process complete, please reboot for applying the update.

To disable SELinux for reducing complications issueScreenHunter_03To change FQDN name in the /etc/sysconfig/network file that depend on our requirementScreenHunter_12To install the related packages with dependencies for installing and building Samba 4 tarball by using the yum -y install gcc make wget python-devel gnutls-devel openssl-devel libacl-devel krb5-server krb5-libs krb5-workstation bind bind-libs bind-utils command (# 2)ScreenHunter_04To query the rpm database to find any older samba package by using the rpm –qa | grep samba or yum list installed | grep samba commandScreenShot007If the old samba package is found (# 3), please remove it by using the yum remove samba-winbind-client samba-winbind samba-common samba command

Download, compile & install Samba 4
Option (1):To download manually the latest Samba tarball from the Samba WebsiteScreenHunter_02To unpack and decompress this download tarball by using the command tar –zxvf smaba-x.x.x.tar.gzScreenHunter_05ScreenHunter_06Option (2): To download the last Samba via the git protocol by using the git clone git://git.samba.org/samba.git samba-master commandScreenShot011or the git clone http://gitweb.samba.org/samba.git samba-master command (# 4)ScreenShot017So does the samba-master directory will be created.

After finish any option, we have to switch to the extracted directory next to configure it by executing the command ./configure - -enable-selftestScreenHunter_02ScreenHunter_23To build Samba by using the command makeScreenHunter_24ScreenHunter_08To install Samba by using the command make installScreenHunter_09ScreenHunter_10So does that the Samba will be installed to the /usr/local/samba directory (# 5)

Provision Samba 4.0.x
To provision a new domain by executing the command /usr/local/samba/bin/samba-tool domain provision and change the default setting if necessary (# 6)ScreenHunter_03
Configure Samba 4 with Bind as DNS backend
To setup Bind 9 folder permission as follows:
ScreenHunter_02Edit Bind9 configuration
To append include "/usr/local/samba/private/named.conf"; at the end of the file and add tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab"; to the options by editing /etc/named.confScreenHunter_02Configure rndc
To generate rndc.key in the /etc directory by executing the rndc-confgen –a –r /dev/urandom command it this key never appear.
To generate rndc.conf in the /etc directory by running the rndc-confgen > /etc/rndc.conf commandScreenShot002To correct rndc.key secret value is the same as one in the /etc/rndc.conf fileScreenShot003And by editing the /etc/named.conf file, we need to add some value that the content is the same as one in the /etc/rndc.conf file (# 7)ScreenShot007If the above process finish, we will rename or delete rndc.conf file to avoid the confusion.

Add Reverse Zone Record
Due to this is the fist DNS Server that is built with Samba Server, we have to add some record as Reverse Zone for configuring Primary(Master) Name Server by editing /etc/named.conf fileScreenHunter_07Create Zone file
Based on our mention in the additional record of the /etc/named.conf file, we will create rev.dwlab.mooo.com file in the /var/named directory and add the entries for reverse zone.ScreenHunter_03Also create rev.localhost file in the /var/named directory and add the entries for reverse zone.ScreenHunter_04
Start Bind Service

To start named service by executing the service named start or /etc/init.d/named start command manuallyScreenHunter_08ScreenHunter_10or initialize named service at boot time by using chkconfig – levels 235 named on commandScreenHunter_11
Verify DNS function

To set the samba will use the own internal DNS firstly by editing the /etc/sysconfig/network-script/ifcfg-eth0 fileScreenShot001To confirm whether named daemon is started by using the service named status command
ScreenShot002To verify whether the forward and reverse lookup is right by executing nslookup commandScreenHunter_09
Install and Configure NTP
Due to the time synchronization between DC and Client is very important, we need to enable NTP daemon in each Samba 4 as AD role.
How to do it? please refer to this article NTP --- Install & Configure NTP daemon on Minimal CentOS 6.x to realize it in detail

Configure Kerberos
Due to the kerberos in CentOS 6.3 or later is handled by the /etc/krb5.conf file,we will backup this original file and replace it with the /usr/local/samba/setup/krb5.conf fileScreenShot002To edit the /etc/krb5.conf file and replace ${REALM} with the value you chose for the '--realm' parameter of the provision command earlierScreenShot003
Configure & Start Samba 4
Start Samba 4 manually
To start manually the samba daemon by using the /usr/local/samba/sbin/samba commandScreenShot014or create and configure samba init script by using the vi /etc/init.d/samba4 command with the following contents.ScreenShot013ScreenShot017ScreenShot018To set this init script permission to 755 by using the chmod 755 /etc/init.d/samba4 commandScreenShot016To start manually the samba daemon by using the /etc/init.d/samba4 start commandScreenShot013
Start Samba 4 automatically
To start it at boot by appending the /usr/local/samba/sbin/samba command to the /etc/rc.d/rc.local file

To initialize samba daemon start at boot by using the chkconfig - - levels 235 samba4 on command if we ever create a samba init script.ScreenShot015
Configure iptables rule
To realize which listening port require for AD/Samba4 by using the netstat –lntup | grep –e samba –e smbd commandScreenShot004or for DNS by using the netstat –lntup | grep –e named commandScreenShot005or for NTP by using the netstat –lntup | grep –e ntpd commandScreenShot006So do we can summarize what port number needs as follows:
             53, TCP & UDP (DNS)
             88, TCP & UDP (Kerberos authentication)
            123, TCP & UDP (NTP)
            135, TCP (MS RPC)
            137, UDP (NetBIOS name service)
            138, UDP (NetBIOS datagram service)
            139, TCP (NetBIOS session service)
            389, TCP & UDP (LDAP)
            445, TCP (MS-DS AD/SMB CIFS)
            464, TCP & UDP (Kerberos change/set password)
            636, TCP (LDAP SSL)
            3268, TCP (LDAP Global Catalog)
            3269, TCP (LDAP Global Catalog SSL)

To add the above port number to the iptables rule by executing the following commandScreenShot010or directly add iptables rules to the /etc/sysconfig/iptables file
Don’t forget to execute the service iptables save and service iptables restart command for applying the new rule right now. (# 8)

Verify Samba 4 AD DC

Test Samba
To confirm the samba version by using the /usr/local/samba/sbin/samba –V commandScreenShot014To confirm the samba-client version by using the /usr/local/samba/bin/smbclient - - version commandScreenShot015To confirm the samba share function by using the /usr/local/samba/bin/smbclient -L localhost -U% commandScreenShot016
Test DNS
To confirm the DNS record for ldap, kerberos and samba by using the following command.ScreenShot017
Test Kerberos
To confirm whether kerberos authentication is working by using the kinit administrator@DWLAB.MOOO.COM command (# 9)ScreenShot020If the output is as the above message, we can confirm whether can receive a ticket by using the klist commandScreenShot022
Until now, we have already finished building the Samba 4 AD DC!

Reference :
(# 1) If we has interesting to realize what the new changes in Samba 4, please refer to this Samba WiKi
(# 2) Which the development library and program need to be installed? Maybe we can refer to this web site Samba 4/OS Requirements to find the solution.
(# 3) If the samba ever is installed by yum, we will see what packages have already been existed now by using the rpm –qa | grep samba or yum list installed | grep samba commandScreenShot007(# 4) In general, the git protocol is the preferred choice because the download data is compressed.
(# 5) When we need to install the necessary missing packages for fix error that run configure, make, make install command,please remember to do make clean command before running make again
(# 6) If we need to re-run the provision command, we have to remove the /usr/local/samba/etc/smb.conf file ,and Samba database by using the command rm –rf /usr/local/samba/private/*
(# 7) If no add these values, maybe we will get the error message as follows when run the service named status commandScreenShot001(# 8) What is the different rule in the /etc/sysconfig/iptables file after applying rule?
AS-ISScreenShot008TO-BEScreenShot012ScreenShot013(# 9) please note the domain realm have to be uppercase letters as DWLAB.MOOO.COM.  If key in lowercase letters as dwlab.moo.com, we will get the error message as follows:ScreenShot021Another, the administrator password is generated in the provision process. If we forget the password, we can reset it by using the /usr/local/samba/bin/samba-tool user setpassword administrator commandScreenShot018

沒有留言:

張貼留言

Since 2010 Design by Davidwa
©Copyright Davidwa Inc. All rights reserved.