Samba4 Configuration
######################## SAMBA-4 PDC Configuration Document #######################

1. Download samba-4.0.5.tar.gz
2. Copy the tarball to /opt, then untar it (the copy location is optional and depends on you).

[root@dc1 ~]# cd /opt/
[root@dc1 opt]# tar xvzf samba-4.0.5.tar.gz
[root@dc1 opt]# cd samba-4.0.5
[root@dc1 samba-4.0.5]# ./configure
[root@dc1 samba-4.0.5]# make
[root@dc1 samba-4.0.5]# make install
[root@dc1 samba-4.0.5]# /usr/local/samba/bin/samba-tool domain provision
Realm [EXAMPLE.COM]: "Set Your Realm Name or for Default Press Enter"
 Domain [EXAMPLE]: "Set Your Domain Name or for Default Press Enter"
 Server Role (dc, member, standalone) [dc]: "Set Your Server Role or for Default Press Enter"
 DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: "Set Your DNS Backend or for Default Press Enter"
 DNS forwarder IP address (write 'none' to disable forwarding) [192.168.2.167]: "Set Your DNS forwarder or for Default Press Enter"
Administrator password: XXXXXX
Retype password: XXXXXX
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=example,DC=com
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=example,DC=com
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role:           active directory domain controller
Hostname:              dc1
NetBIOS Domain:        EXAMPLE
DNS Domain:            example.com
DOMAIN SID:            S-1-5-21-2017079700-2022653858-2759080141
###################################################################################

NOTE: Set the Python path

[root@dc1 opt]# vim /etc/profile
export PYTHONPATH="/usr/local/samba/lib64/python2.6/site-packages"
[root@dc1 opt]# source /etc/profile

###################### Run the samba binary to start the server #############################
[root@dc1 opt]# /usr/local/samba/sbin/samba
[root@dc1 opt]# ps -elf | grep samba
[root@dc1 opt]# netstat -tunlp | grep samba

########################## Create a user on samba ##################################
[root@dc1 opt]# /usr/local/samba/bin/samba-tool user add <username>

############################# Samba Client Testing ################################
[root@dc1 ~]# smbclient -L localhost -U vijay
Enter vijay's password:
Domain=[EXAMPLE] OS=[Unix] Server=[Samba 4.0.5]

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk
        sysvol          Disk
        IPC$            IPC       IPC Service (Samba 4.0.5)
Domain=[EXAMPLE] OS=[Unix] Server=[Samba 4.0.5]

        Server               Comment
        ---------            -------
        Workgroup            Master
        ---------            -------
========================================================================
[root@dc1 ~]# host -t A dc1.example.com.

##### If this fails, you have to add the A record by hand. Run on your existing DC:
[root@dc1 ~]# /usr/local/samba/bin/samba-tool dns add IP-of-your-DNS-server example.com dc1 A IP-of-the-DC-you-had-joined -Uadministrator
[root@dc1 ~]# host -t A dc1.example.com.
dc1.example.com has address 192.168.0.17
########### Also check that the objectGUID is resolvable to the new hostname. For that, run:
[root@dc1 ~]# /usr/local/samba/bin/ldbsearch -H /usr/local/samba/private/sam.ldb '(invocationid=*)' --cross-ncs objectguid
# to find out the objectGUID of the new server. The command should give you output like:
# record 1
dn: CN=NTDS Settings,CN=dc1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
objectGUID: 3361edce-6c05-4efc-b4e0-1bd8d61e56cb

[root@dc1 ~]# /usr/local/samba/bin/samba-tool dns add IP-of-your-DNS _msdcs.example.com 3361edce-6c05-4efc-b4e0-1bd8d61e56cb CNAME dc1.example.com -Uadministrator

#### Verify the user list on the DC:
[root@dc1 ~]# /usr/local/samba/bin/samba-tool user list
Administrator
krbtgt_36218
krbtgt
Guest
vijay
abhi

# For this we need to join the Kerberos realm
[root@dc1 ~]# vim /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 EXAMPLE.COM = {
  kdc = dc1.example.com
  admin_server = dc1.example.com
 }

[domain_realm]
 example.com = EXAMPLE.COM
 .example.com = EXAMPLE.COM

[root@dc1 ~]# kinit administrator
Password for administrator@EXAMPLE.COM:
###################################################################################
[root@dc1 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@EXAMPLE.COM

Valid starting     Expires            Service principal
04/19/13 18:38:26  04/20/13 04:38:26  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 04/26/13 18:38:22

[root@samba2 ~]# vim /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 EXAMPLE.COM = {
  kdc = dc1.example.com
  admin_server = dc1.example.com
 }

[domain_realm]
 example.com = EXAMPLE.COM
 .example.com = EXAMPLE.COM

[root@samba2 ~]# kinit administrator
Password for administrator@EXAMPLE.COM:
###################################################################################
[root@dc1 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@EXAMPLE.COM

Valid starting     Expires            Service principal
04/19/13 18:38:26  04/20/13 04:38:26  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 04/26/13 18:38:22
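The A record and the objectGUID CNAME under _msdcs checked above are what other DCs and domain members use to find this DC; if either is missing, replication and Kerberos lookups fail quietly later. The following script is an added example, not code from the guide: it parses the ldbsearch output shown above, derives the records every DC must have, and verifies them through the system resolver (the lookup function is injectable so the check can also run against captured data). The sample ldbsearch output is constructed from the guide's values; the DNS domain `example.com` is an assumption matching the provisioning above.

```python
"""Derive the DNS records a Samba AD DC needs from ldbsearch output and verify them.
Added example, not part of the guide; the sample output below is constructed from
the values the guide shows (host dc1, its objectGUID)."""
import re
import socket

# Constructed sample of what
#   ldbsearch -H /usr/local/samba/private/sam.ldb '(invocationid=*)' --cross-ncs objectguid
# prints for a one-DC domain.
SAMPLE_LDBSEARCH = """\
# record 1
dn: CN=NTDS Settings,CN=dc1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
objectGUID: 3361edce-6c05-4efc-b4e0-1bd8d61e56cb

# returned 1 records
"""


def parse_ldb_records(text):
    """Split ldbsearch output into one dict per record (attribute names lowercased)."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip().lower()] = value.strip()
    if current:
        records.append(current)
    return records


def dc_fqdn_from_dn(dn, dns_domain):
    """The DC's short name is the second RDN of its NTDS Settings DN."""
    m = re.match(r"CN=NTDS Settings,CN=([^,]+),CN=Servers,", dn, re.IGNORECASE)
    if not m:
        raise ValueError("not an NTDS Settings DN: %s" % dn)
    return "%s.%s" % (m.group(1).lower(), dns_domain)


def expected_dc_records(ldb_text, dns_domain):
    """(name, type, target) for every DC: its A record and the objectGUID CNAME
    under _msdcs that replication partners use to locate it."""
    records = []
    for rec in parse_ldb_records(ldb_text):
        if "dn" not in rec or "objectguid" not in rec:
            continue
        fqdn = dc_fqdn_from_dn(rec["dn"], dns_domain)
        guid = rec["objectguid"].lower()
        records.append((fqdn, "A", None))
        records.append(("%s._msdcs.%s" % (guid, dns_domain), "CNAME", fqdn))
    return records


def default_lookup(name):
    """System resolver; None when the name does not resolve. gethostbyname follows
    CNAMEs, so a CNAME is checked by comparing its address with its target's."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_dc_records(records, lookup=default_lookup):
    """Return a list of problems; an empty list means every record resolves as expected.
    `lookup` is injectable so the check can run against captured data instead of live DNS."""
    problems = []
    for name, rtype, target in records:
        addr = lookup(name)
        if addr is None:
            problems.append("%s record for %s does not resolve" % (rtype, name))
        elif rtype == "CNAME" and lookup(target) != addr:
            problems.append("CNAME %s does not resolve to the same address as %s" % (name, target))
    return problems


if __name__ == "__main__":
    # Run on the DC after provisioning; pass a file with saved ldbsearch output, or use the sample.
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDBSEARCH
    for problem in check_dc_records(expected_dc_records(text, "example.com")) or ["all records OK"]:
        print(problem)
```

Run it on the DC with the real ldbsearch output to confirm both records before joining member servers; a missing `_msdcs` CNAME is the usual reason a second DC cannot replicate.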
=========================================================================
[/usr/bin/net join -w EXAMPLE -S 192.168.122.97 -U Administrator]
Enter Administrator's password:<...>
[2013/05/16 22:15:30.924790,  0] libads/sasl.c:823(ads_sasl_spnego_bind)
  kinit succeeded
Enter Administrator's password:<...>
Joined domain EXAMPLE.
Starting Winbind services:                                 [  OK  ]
========================================================================
[root@samba2 ~]# wbinfo -p
Ping to winbindd succeeded
[root@samba2 ~]# wbinfo -t
checking the trust secret for domain EXAMPLE via RPC calls succeeded
[root@samba2 ~]# wbinfo -u
sambauser111
sambauser112
sambauser113
sambauser114
sambauser115
[root@samba2 ~]# wbinfo -i sambauser111
sambauser111:*:16779166:16777216:sambauser111:/home/EXAMPLE/sambauser111:/sbin/nologin
[root@samba2 ~]# wbinfo -g
allowed rodc password replication group
enterprise read-only domain controllers
denied rodc password replication group
read-only domain controllers
group policy creator owners
ras and ias servers
domain controllers
enterprise admins
domain computers
cert publishers
dnsupdateproxy
domain admins
domain guests
schema admins
domain users
dnsadmins
=========================================================================
NOTE: You have to compile samba4 to get the libnss_winbind.so.2 library (this is optional).
=========================================================================
After completing the compilation you need to create a soft link to that library.

[root@samba2 ~]# ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/libnss_winbind.so
[root@samba2 ~]# ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
[root@samba2 ~]# ldconfig -v | grep winbind
        libnss_winbind.so -> libnss_winbind.so.2
        libnss_winbind.so.2 -> libnss_winbind.so.2
[root@samba2 ~]# getent passwd
sambauser111:*:16779166:16777216:sambauser111:/home/EXAMPLE/sambauser111:/sbin/nologin
sambauser112:*:16779167:16777216:sambauser112:/home/EXAMPLE/sambauser112:/sbin/nologin
sambauser113:*:16779168:16777216:sambauser113:/home/EXAMPLE/sambauser113:/sbin/nologin
sambauser114:*:16779169:16777216:sambauser114:/home/EXAMPLE/sambauser114:/sbin/nologin
sambauser115:*:16779170:16777216:sambauser115:/home/EXAMPLE/sambauser115:/sbin/nologin
sambauser116:*:16779171:16777216:sambauser116:/home/EXAMPLE/sambauser116:/sbin/nologin
[root@samba2 ~]# getent group
allowed rodc password replication group:*:16777233:
enterprise read-only domain controllers:*:16777234:
denied rodc password replication group:*:16777218:krbtgt
read-only domain controllers:*:16777235:
group policy creator owners:*:16777217:administrator
ras and ias servers:*:16777236:
domain controllers:*:16777237:
enterprise admins:*:16777219:administrator
domain computers:*:16777238:
cert publishers:*:16777239:
dnsupdateproxy:*:16777240:
domain admins:*:16777221:administrator
domain guests:*:16777232:
schema admins:*:16777220:administrator
domain users:*:16777216:
dnsadmins:*:16777241:
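Once winbind entries show up in `getent passwd` and `getent group`, the member server trusts AD for identity, so it is worth checking what those mappings actually grant. The script below is an added example, not the guide's code: it parses passwd/group-format output like the listings above and reports domain IDs outside the winbind idmap range, local accounts whose UID falls inside that range (a collision waiting to happen), domain users that received an interactive login shell instead of `/sbin/nologin`, and the members of the high-privilege AD groups. The idmap range is assumed to be Samba's default `16777216-33554431` (the guide does not show its smb.conf idmap setting; adjust to match yours), and the sample output is constructed from the guide's listing with a few extra lines added to exercise each check.

```python
"""Audit winbind-mapped accounts from getent passwd / getent group output.
Added example, not part of the guide. Winbind entries are recognisable by the
'*' in the password field: the secret lives in AD, not in the local shadow file."""

# Assumption: Samba's default idmap range; the guide does not show its smb.conf setting.
IDMAP_RANGE = (16777216, 33554431)
# Shells that deny interactive login on the member server.
NOLOGIN_SHELLS = ("/sbin/nologin", "/usr/sbin/nologin", "/bin/false")
# AD groups whose membership should be reviewed (winbind lowercases AD group names).
PRIVILEGED_GROUPS = ("domain admins", "enterprise admins", "schema admins")

# Constructed sample: local accounts plus winbind entries taken from the guide's listing.
# 'backup' and sambauser113's shell are constructed to trigger findings.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
vijay:x:500:500::/home/vijay:/bin/bash
backup:x:16777300:16777300::/var/backup:/bin/bash
sambauser111:*:16779166:16777216:sambauser111:/home/EXAMPLE/sambauser111:/sbin/nologin
sambauser112:*:16779167:16777216:sambauser112:/home/EXAMPLE/sambauser112:/sbin/nologin
sambauser113:*:16779168:16777216:sambauser113:/home/EXAMPLE/sambauser113:/bin/bash
"""
SAMPLE_GROUP = """\
root:x:0:
vijay:x:500:
domain admins:*:16777221:administrator
enterprise admins:*:16777219:administrator
schema admins:*:16777220:administrator
domain users:*:16777216:
"""


def parse_passwd(text):
    """name -> {uid, gid, home, shell, domain} from passwd-format lines."""
    users = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, pw, uid, gid, _gecos, home, shell = line.split(":")
        users[name] = {"uid": int(uid), "gid": int(gid), "home": home,
                       "shell": shell, "domain": pw == "*"}
    return users


def parse_group(text):
    """name -> {gid, members, domain} from group-format lines."""
    groups = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, pw, gid, members = line.split(":")
        groups[name] = {"gid": int(gid), "domain": pw == "*",
                        "members": [m for m in members.split(",") if m]}
    return groups


def is_domain_id(num, idmap_range=IDMAP_RANGE):
    """True when a UID/GID lies inside the winbind idmap range."""
    return idmap_range[0] <= num <= idmap_range[1]


def audit_idmap(passwd_text, group_text, idmap_range=IDMAP_RANGE):
    """Return findings as a dict of lists (and a dict for privileged group members)."""
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    findings = {"outside_range": [], "local_in_idmap_range": [],
                "login_shells": [], "privileged_members": {}}
    for name, u in sorted(users.items()):
        if u["domain"]:
            # Domain identities must map inside the configured range or the mapping is unstable.
            if not (is_domain_id(u["uid"], idmap_range) and is_domain_id(u["gid"], idmap_range)):
                findings["outside_range"].append(name)
            # Domain users normally get 'template shell'; an interactive shell is worth a look.
            if u["shell"] not in NOLOGIN_SHELLS:
                findings["login_shells"].append(name)
        elif is_domain_id(u["uid"], idmap_range):
            # A local account inside the idmap range can collide with a future domain mapping.
            findings["local_in_idmap_range"].append(name)
    for name, g in sorted(groups.items()):
        if g["domain"] and not is_domain_id(g["gid"], idmap_range):
            findings["outside_range"].append(name)
        if name in PRIVILEGED_GROUPS:
            findings["privileged_members"][name] = g["members"]
    return findings


if __name__ == "__main__":
    # On the member server: getent passwd > p.txt; getent group > g.txt; python audit.py p.txt g.txt
    import sys
    if len(sys.argv) == 3:
        result = audit_idmap(open(sys.argv[1]).read(), open(sys.argv[2]).read())
    else:
        result = audit_idmap(SAMPLE_PASSWD, SAMPLE_GROUP)
    for key, value in result.items():
        print("%s: %s" % (key, value))
```

The `*` password-field test is what distinguishes winbind entries from local ones in these listings; if your build reports a different placeholder, change the `pw == "*"` check accordingly.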
========================================================================
Now you have to create the user's home directory and set the parameters in smb.conf
========================================================================
[root@samba2 ~]# vim /etc/samba/smb.conf
[homes]
        comment = Home Directories
        path = /home/EXAMPLE/%S
        browseable = yes
        writeable = yes
        valid users = %S

[root@samba2 ~]# mkdir /home/EXAMPLE
[root@samba2 ~]# mkdir /home/EXAMPLE/sambauser111
[root@samba2 ~]# chown sambauser111: /home/EXAMPLE/sambauser111
[root@samba2 ~]# chmod 700 /home/EXAMPLE/sambauser111
[root@samba2 ~]# ll -d /home/EXAMPLE/sambauser111
drwx------ 2 sambauser111 domain users 4096 May 16 22:37 /home/EXAMPLE/sambauser111
[root@samba2 ~]# smbclient //localhost/homes -U sambauser111
Enter sambauser111's password:
Domain=[EXAMPLE] OS=[Unix] Server=[Samba 3.5.10-125.el6]
smb: \>
======================================================================
Now log in on a Windows machine and try to access the user's home directory
======================================================================
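The `[homes]` share relies on the filesystem for isolation: `valid users = %S` limits who can connect, but it is the `chown` and `chmod 700` that keep one domain user out of another's files. Creating these directories by hand for every user makes drift likely, so the following added example (not code from the guide) audits a `/home/EXAMPLE`-style tree: each expected user's directory must exist, be a real directory, be owned by that user's UID/GID, and grant nothing to group or other. For a stand-alone run it builds a throwaway tree with one correct and three incorrect homes; the UIDs used there are the current process's (constructed expectations), since a demo cannot `chown` to winbind-mapped IDs.

```python
"""Audit per-user home directories under a base path such as /home/EXAMPLE.
Added example, not part of the guide. The demo tree and its expected UIDs are
constructed; in production, feed it the names and IDs from `getent passwd`."""
import os
import stat
import tempfile


def audit_home(path, expected_uid, expected_gid=None):
    """Return a list of problems for one home directory; an empty list means it is fine."""
    try:
        st = os.lstat(path)  # lstat so a symlink planted in place of the home is caught
    except FileNotFoundError:
        return ["missing"]
    problems = []
    if not stat.S_ISDIR(st.st_mode):
        problems.append("not a directory")
    if st.st_uid != expected_uid:
        problems.append("owner uid %d, expected %d" % (st.st_uid, expected_uid))
    if expected_gid is not None and st.st_gid != expected_gid:
        problems.append("group gid %d, expected %d" % (st.st_gid, expected_gid))
    perm = stat.S_IMODE(st.st_mode)
    if perm & 0o077:
        problems.append("mode %o allows group/other access; expected 0700" % perm)
    return problems


def audit_homes(base, users):
    """users: name -> (uid, gid). Returns name -> problems, only for users with problems."""
    report = {}
    for name, (uid, gid) in sorted(users.items()):
        problems = audit_home(os.path.join(base, name), uid, gid)
        if problems:
            report[name] = problems
    return report


def build_demo_tree():
    """Create a temporary tree with one correct home and three broken ones.
    Returns (base_path, users) where users maps names to the UID/GID expected.
    Ownership expectations are constructed around the current process's IDs."""
    base = tempfile.mkdtemp(prefix="example-homes-")
    me_uid, me_gid = os.getuid(), os.getgid()

    def mkhome(name, mode):
        path = os.path.join(base, name)
        os.mkdir(path)
        os.chmod(path, mode)  # explicit chmod so the umask does not alter the demo
        return path

    mkhome("sambauser111", 0o700)   # correct: owned by us, 0700
    mkhome("sambauser112", 0o755)   # too permissive
    # sambauser113: no directory at all
    mkhome("sambauser114", 0o700)   # owned by us, but we expect a different uid (wrong owner)
    users = {
        "sambauser111": (me_uid, me_gid),
        "sambauser112": (me_uid, me_gid),
        "sambauser113": (me_uid, me_gid),
        "sambauser114": (me_uid + 1, me_gid),
    }
    return base, users


if __name__ == "__main__":
    # Real use: build `users` from getent passwd and point base at /home/EXAMPLE.
    base, users = build_demo_tree()
    for name, problems in audit_homes(base, users).items():
        print("%s: %s" % (name, "; ".join(problems)))
```

On the member server, pair this with the `getent passwd` parser from the idmap audit to build the `users` map, and run it from cron so a directory recreated with the wrong mode is noticed before a user does.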