WIP S
From Stadm

'''This is a dummy page, stuff will be wrong on this page, used for editing before pushing out to other wikis'''
==Purpose==
The purpose of this wiki page is to document the steps needed to set up or recreate an Active Directory (AD) environment using Samba 4. Not all features of a Windows Server AD are incorporated into Samba 4 (DFS among others); I will try to document what you can and cannot accomplish at the moment with Samba 4. At the time of writing/editing the version of Samba 4 being used is 4.1.12.

Current operating system Samba 4 is run on: CentOS 6.5

I will try to make this page as simple as possible to recreate using the same environment; however, if you are confused or have no idea where to begin, I recommend heading over to the Samba Wiki pages and reading their How-Tos and documentation:
*https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
*https://wiki.samba.org/index.php/User_Documentation
If still confused over anything I would recommend googling it; all of this I have found on the internet from different resources and will try to incorporate it into this wiki. For a complete list of all the references I found extremely useful see the bottom of this page.

*'''Note''': Until this message is removed, consider the following a work in progress

=Install=
==Install CentOS==
Install a minimal install of CentOS 6.5; at the time of writing it can be downloaded here:
*http://mirrors.usc.edu/pub/linux/distributions/centos/6.5/isos/x86_64/CentOS-6.5-x86_64-minimal.iso
If you prefer to use a GUI or a full install, go check out the CentOS mirrors list:
*http://isoredirect.centos.org/centos/6/isos/x86_64/
I would not recommend using CentOS 7, as the install procedure, startup services and packages are a bit different. That being said, it is entirely possible to get Samba 4 working on CentOS 7; if I have time and am upgrading I may come back and add in the changes CentOS 7 requires.

==Samba 4 Requirements==
Here are the OS requirements as listed by the Samba Team:
*https://wiki.samba.org/index.php/OS_Requirements
Basically, for a working Active Directory on a CentOS install it is required that your filesystem support extended file attributes.

Here are the packages I needed to install to build Samba 4. Please note that all of these packages are probably not required and you are free to use the minimal list provided in the Samba Wiki; I have been trying to weed out most of the packages not needed and will be updating as I find extras, but as this is how a working setup was accomplished (with extra features not needed to just compile a basic Samba 4 server) I will leave this up for now:
 yum install gcc libacl-devel libblkid-devel gnutls-devel \
  readline-devel python-devel gdb pkgconfig krb5-workstation \
  zlib-devel setroubleshoot-server libaio-devel \
  setroubleshoot-plugins policycoreutils-python \
  libsemanage-python setools-libs-python setools-libs \
  popt-devel libpcap-devel sqlite-devel libidn-devel \
  libxml2-devel libacl-devel libsepol-devel libattr-devel \
  keyutils-libs-devel cyrus-sasl-devel cups-devel bind-utils \
  glibc glibc-devel gcc libacl-devel krb5-server krb5-workstation krb5-libs pam_krb5 make gnutls-devel \
  openldap-devel openldap-clients openldap-servers openldap-servers-sql \
  openssl-devel bind bind-libs bind-utils libblkid-devel readline-devel gdb python-devel cups sqlite-devel \
  setroubleshoot-server popt-devel libxml2-devel libpcap-devel libidn-devel cups-devel ctdb-devel pam-devel gnutls-devel \
  krb5-server-ldap nss-pam-ldapd pam_ldap openssh-ldap python-ldap docbook-style-xsl vim wget

Once CentOS is installed, give it a hostname as well as a static IP address; this can be done through DHCP or by manually editing the CentOS network scripts.
 vim /etc/sysconfig/network
*Edit "HOSTNAME=***" to say "HOSTNAME=samba" or whatever you want to name the server
*Manually edit or add network-scripts if not there
 cd /etc/sysconfig/network-scripts/
 vim ifcfg-eth0
*Make sure these options are included
 DEVICE=eth0
 HWADDR=**:**:**:**:**:**
 TYPE=ETHERNET
 ONBOOT=yes
 NM_CONTROLLED=yes
 BOOTPROTO=dhcp
*For a static IP address, go look at an example here: https://gist.github.com/fernandoaleman/2172388 (or just google how to give CentOS a static IP)
*Restart the network service
 service network restart
For the purpose of saving time I have set up CentOS with SELinux disabled; check that this is allowed by your organization/company before disabling SELinux (this could be potentially dangerous depending on your network setup). Google "Samba 4 selinux" or visit the Samba Wiki here: https://wiki.samba.org/index.php/Samba_AD_DC_access_control_settings. If time allows I may come back and try to incorporate SELinux into this wiki.
*To disable SELinux
 vim /etc/sysconfig/selinux
*Change "SELINUX=enforcing" to "SELINUX=disabled"
*Restart the computer
 shutdown -r now

==Installing Samba==
Decide which version of Samba 4 you would like to use; if you're demoing or a developer, consider using the newer development version. Note: it may have bugs and is not suitable for a production environment.
*For developers:
*install git
 yum install git-core
 git clone git://git.samba.org/samba.git ~/samba-master
*For the stable Samba version visit: http://www.samba.org/
*or (as of 09-26-14):
 wget http://www.samba.org/samba/ftp/stable/samba-4.1.12.tar.gz
*Extract the archive if not done so already
 tar -zxvf samba-4.1.12.tar.gz
*Build the samba install; replace samba-master with samba-[Version#]
 cd ~/samba-master
 ./configure --enable-debug --enable-selftest
*If it completes successfully, make sure it says it is building with Active Directory support; if not, you may have forgotten a few packages
*Finally compile and then install
 make
 make install

==Creating script for starting and stopping samba service==
 cd /etc/init.d
 cp rdisc samba
 vim samba
 :%s/rdisc/samba/g
 :wq
*change the daemon location from /sbin/samba to /usr/local/samba/sbin/samba, as well as the killproc location
*Delete the RDISCOPT variable and remove its usage from the daemon command
*change what gets echoed to the screen

==Enabling Samba 4 as DC==
*add the samba paths to $PATH
 echo 'export PATH=$PATH:/usr/local/samba/bin' >> ~/.bashrc
 echo 'export PATH=$PATH:/usr/local/samba/sbin' >> ~/.bashrc
*run command
 /usr/local/samba/bin/samba-tool domain provision
*the domain provision tool should pick all defaults automatically; however, they can be changed to your liking
*once the provision tool has finished successfully, restart the server
 shutdown -r now
*once the system has started, start samba 4 and add it to start at boot; change this to start with chkconfig after the service script is created
 /usr/local/samba/sbin/samba
 vim /etc/rc.d/rc.local
*append "/usr/local/samba/sbin/samba" without quotations to the end of the file and then save
*the samba version as well as the samba client version can be checked using the following commands
 /usr/local/samba/sbin/samba -V
 /usr/local/samba/bin/smbclient --version

==Configuring DNS==
*DNS forwarding was set up during domain provisioning using samba-tool
 cat /usr/local/samba/etc/smb.conf
*there should be a line under "[global]" that says "dns forwarder = ***.***.***.***"; if not, it was not enabled during domain provisioning
*edit resolv.conf
 vim /etc/resolv.conf
*edit to look exactly like:
 domain mydomain.com
 nameserver 128.***.***.**
*where "128.***.***.**" is the IP address of the CentOS server
*next go back and edit ifcfg-eth0 in network-scripts
 vim /etc/sysconfig/network-scripts/ifcfg-eth0
*change the file to look like this
 DEVICE="eth0"
 BOOTPROTO="none"
 DNS1="128.***.***.**" #this is host ipaddress
 GATEWAY=128.**.***.*
 HWADDR="84:B4:C1:0A:**:**"
 IPADDR="128.***.***.**"
 IPV6INIT="no"
 NM_CONTROLLED="yes"
 ONBOOT="yes"
 PREFIX="24"
 TYPE="Ethernet"
*reboot so that all changes take effect
 shutdown -r now
*log in and test that DNS is working properly
 host -t SRV _ldap._tcp.mydomain.com
*where mydomain.com is the name of the domain you are on
*output should look like the following, where samba is the hostname of your server
 _ldap._tcp.mydomain.com has SRV record 0 100 389 samba.mydomain.com
*test with
 host -t SRV _kerberos._udp.mydomain.com
*output
 _kerberos._udp.mydomain.com has SRV record 0 100 88 samba.mydomain.com
*last test
 host -t A samba.mydomain.com.
*output should return your IP address
 samba.mydomain.com has address 192.168.0.2
*if the tests did not produce those outputs, DNS has not been configured properly

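An added example (not from the original page and not Samba's own tooling) that does the three checks above programmatically: it parses `host` output, confirms the LDAP and Kerberos SRV records target your DC on ports 389 and 88 and that the A record returns its address, and reports which lookup failed. The domain, hostname and IP are the placeholders used on this page; both sample outputs are constructed.

```python
"""Check the SRV and A records a Samba AD DC must publish, from `host` output."""
import re
import subprocess

# `host -t SRV` prints: NAME has SRV record PRIORITY WEIGHT PORT TARGET
SRV_RE = re.compile(r"^(\S+?)\.? has SRV record (\d+) (\d+) (\d+) (\S+?)\.?$")
# `host -t A` prints: NAME has address ADDRESS
A_RE = re.compile(r"^(\S+?)\.? has address (\d{1,3}(?:\.\d{1,3}){3})$")
# Service records a DC registers, with the port each must advertise.
REQUIRED_SRV = (("_ldap._tcp", 389), ("_kerberos._udp", 88))


def parse_srv(output):
    """Return [(priority, weight, port, target), ...] from `host -t SRV` output."""
    records = []
    for line in output.splitlines():
        m = SRV_RE.match(line.strip())
        if m:
            records.append((int(m.group(2)), int(m.group(3)),
                            int(m.group(4)), m.group(5).lower()))
    return records


def parse_a(output):
    """Return the IPv4 addresses from `host -t A` output (empty on NXDOMAIN)."""
    addrs = []
    for line in output.splitlines():
        m = A_RE.match(line.strip())
        if m:
            addrs.append(m.group(2))
    return addrs


def check_dc_records(domain, dc_host, dc_ip, outputs):
    """Evaluate the lookups for one DC.

    outputs maps each queried name to the raw text `host` printed for it.
    Returns a list of (query, ok, detail) tuples, one per required record.
    """
    domain = domain.lower().rstrip(".")
    fqdn = f"{dc_host}.{domain}".lower()
    results = []
    for service, port in REQUIRED_SRV:
        name = f"{service}.{domain}"
        records = parse_srv(outputs.get(name, ""))
        matches = [r for r in records if r[3] == fqdn and r[2] == port]
        if not records:
            results.append((name, False, "no SRV record returned"))
        elif not matches:
            results.append((name, False,
                            f"SRV present but none targets {fqdn} port {port}: {records}"))
        else:
            results.append((name, True, f"-> {fqdn}:{port}"))
    addrs = parse_a(outputs.get(fqdn, ""))
    if dc_ip in addrs:
        results.append((fqdn, True, dc_ip))
    else:
        results.append((fqdn, False, f"expected {dc_ip}, got {addrs or 'no A record'}"))
    return results


def live_outputs(domain, dc_host):
    """Run the three `host` lookups from the page (needs the `host` binary)."""
    fqdn = f"{dc_host}.{domain}"
    queries = [("SRV", f"_ldap._tcp.{domain}"), ("SRV", f"_kerberos._udp.{domain}"),
               ("A", fqdn + ".")]
    outputs = {}
    for qtype, name in queries:
        proc = subprocess.run(["host", "-t", qtype, name],
                              capture_output=True, text=True, check=False)
        outputs[name.rstrip(".")] = proc.stdout + proc.stderr
    return outputs


# Constructed sample: the expected output quoted on this page for a healthy DC.
SAMPLE_OK = {
    "_ldap._tcp.mydomain.com":
        "_ldap._tcp.mydomain.com has SRV record 0 100 389 samba.mydomain.com.\n",
    "_kerberos._udp.mydomain.com":
        "_kerberos._udp.mydomain.com has SRV record 0 100 88 samba.mydomain.com.\n",
    "samba.mydomain.com": "samba.mydomain.com has address 192.168.0.2\n",
}
# Constructed failure: the LDAP SRV targets another host and the A record is missing.
SAMPLE_BAD = {
    "_ldap._tcp.mydomain.com":
        "_ldap._tcp.mydomain.com has SRV record 0 100 389 otherdc.mydomain.com.\n",
    "_kerberos._udp.mydomain.com":
        "_kerberos._udp.mydomain.com has SRV record 0 100 88 samba.mydomain.com.\n",
    "samba.mydomain.com": "Host samba.mydomain.com not found: 3(NXDOMAIN)\n",
}

if __name__ == "__main__":
    # Replace SAMPLE_BAD with live_outputs("mydomain.com", "samba") on the DC itself.
    for query, ok, detail in check_dc_records("mydomain.com", "samba", "192.168.0.2", SAMPLE_BAD):
        print(f"{'OK  ' if ok else 'FAIL'} {query}: {detail}")
```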
==Firewall==
*settings:
 -A INPUT -p tcp --dport 53 -j ACCEPT
 -A INPUT -p udp --dport 53 -j ACCEPT
 -A INPUT -p udp --dport 137:138 -j ACCEPT
 -A INPUT -p tcp --dport 139 -j ACCEPT
 -A INPUT -p tcp --dport 445 -j ACCEPT
 -A INPUT -p tcp --dport 135 -j ACCEPT
 -A INPUT -p tcp --dport 88 -j ACCEPT
 -A INPUT -p udp --dport 88 -j ACCEPT
 -A INPUT -p tcp --dport 464 -j ACCEPT
 -A INPUT -p tcp --dport 389 -j ACCEPT
 -A INPUT -p udp --dport 389 -j ACCEPT
 -A INPUT -p tcp --dport 1024 -j ACCEPT
 -A INPUT -p tcp --dport 636 -j ACCEPT
 -A INPUT -p tcp --dport 3268 -j ACCEPT
 -A INPUT -p tcp --dport 3269 -j ACCEPT
 -A INPUT -p udp --dport 445 -j ACCEPT
 -A INPUT -p tcp --dport 25 -j ACCEPT
 -A INPUT -p tcp --dport 5722 -j ACCEPT
 -A INPUT -p udp --dport 464 -j ACCEPT
 -A INPUT -p tcp --dport 137 -j ACCEPT

==Kerberos==
*make a backup of the original Kerberos file and replace it with the copy generated by samba
 mv /etc/krb5.conf /etc/krb5.conf.bak
 cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf
*edit the new krb5.conf file and change the ${REALM} variable to the realm selected during domain provisioning, ALL CAPS
 vim /etc/krb5.conf
*test Kerberos using the kinit command
 kinit administrator@MYDOMAIN.COM
*if Kerberos is working you will be asked for your password
*verify that it is working by running klist; output should look something along the lines of
 Ticket cache: FILE:/tmp/krb5cc_0
 Default principal: administrator@MYDOMAIN.COM
 
 Valid starting       Expires              Service principal
 07/25/13 15:23:33    07/26/13 1:23:33     krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
         renew until 07/26/13 15:23:31

==NTP==
*install ntp
 yum install ntp
*start ntp
 /etc/init.d/ntpd start
*add ntp to start up
 chkconfig ntpd on

=Windows Domain=
==Add Windows computer to domain==
*manually edit the network settings to point DNS to the samba4 server
*assign a static IP so there are no problems with joining computers to the domain
*ping the samba4 server at its IP address to verify you can see it
 ping 128.***.***.****
*ping the FQDN to verify DNS is working
 ping samba4.mydomain.com
*you should get replies from both, verifying that you can communicate with the server and that DNS is functioning
*run the date command on your server
 date
*Change the date and time on the Windows computer so that it is within a few seconds of the server; Kerberos requires the times between computers be no more than a few seconds apart
*Right click on "My Computer" and click "Properties"
*Under "Computer name, domain, and workgroup settings" click Change settings
*Under "Member of" check "Domain"
*Type in the name of your domain in full uppercase letters, ex.
**MYDOMAIN.COM
*When asked, enter the username and password for the Administrator created during the samba-tool domain provisioning
*Once you have joined the domain, restart the computer; you can now log in to the domain

==Adding Profile path to Samba==
*make a folder where the profiles will be stored
 mkdir /usr/local/samba/var/profiles
*Add the following to smb.conf to include that location
 vim /usr/local/samba/etc/smb.conf
 
 [profiles]
 path = /usr/local/samba/var/profiles
 read only = No
*reload the samba configuration
 /usr/local/samba/bin/smbcontrol all reload-config
*once reloaded, check the shares on your samba server; profiles should appear there
 smbclient -L localhost -U%

==Change Security on Profiles folder==
*log in to the domain as administrator on a Windows 7 computer
*open up My Computer and navigate to "\\servername", ex. "\\samba4"
*Right click on the profiles folder and select Properties
*Change security to allow Domain Administrators Full Control
*add Domain Users to Security with the options Traverse folder/execute file, List folder/read data, Create folders/append data

==Install RSAT==
*Download the Remote Server Administration Tools from the Microsoft website, http://www.microsoft.com/en-us/download/details.aspx?id=7887
*Install. Once installed, open up Control Panel, then Programs, then Programs and Features
*on the left pane click "Turn Windows features on or off"
*Select all under Remote Server Administration Tools, then click OK

==Adding User and profile path==
*From a Windows computer with RSAT installed run: dsa.msc
*create a new user and edit its properties to include a profile path of "\\servername\profiles\%USERNAME%"
*then run: gpupdate /force
*Log in with the new user on the domain and the roaming profile will be created under /usr/local/samba/var/profiles on the server
*If you're having Group Policy issues you can view what has been applied with gpresult
*From the command line run:
 gpresult /H filename.html
*or if you only want Computer Configuration (must be run as an administrator)
 gpresult /SCOPE COMPUTER /H filename.html

==Folder Security==
*create a share for where users' folder redirections will go; want this on NFS, demoing on the local drive
 [users]
         path = /usr/local/samba/var/data/users
         comment = temp user folders for folder redirection, move to NFS
         read only = No
*make the folder or have the NFS mounted
 mkdir -p /usr/local/samba/var/data/users
 chown root:3000000 /usr/local/samba/var/data/users
 chmod 755 /usr/local/samba/var/data/users
*log in to a Windows computer using a domain administrator to change the permissions on the users folder
*navigate to the users folder on the Windows computer: \\domainname.edu
*right click on the users folder and select Properties, go to the Security tab, click on Advanced, click Change Permissions
*remove all current permissions, then add new permissions making sure "Include inheritable permissions from this object's parent" is NOT checked
*add:
**Administrator: Full Control : This Folder, Subfolders, and Files
**Domain Admins: Full Control : This Folder, Subfolders, and Files
**SYSTEM: Full Control : This Folder, Subfolders, and Files
**CREATOR OWNER: Full Control : Subfolders, and Files
**Authenticated Users: Traverse Folder/Execute File, List Folder/Read Data, Create Files/Write Data, Create Folders/Append Data, Change Permissions: This Folder Only
*restart the service and check that the settings stay
*using getfacl
 getfacl /usr/local/samba/var/data/users
*returns
 # file: users
 # owner: root
 # group: root
 user::rwx
 user:root:rwx
 group::---
 group:root:---
 group:3000002:rwx
 group:3000003:rwx
 group:3000008:rwx
 mask::rwx
 other::---
 default:user::rwx
 default:user:root:rwx
 default:group::---
 default:group:root:---
 default:group:3000002:rwx
 default:group:3000008:rwx
 default:mask::rwx
 default:other::---

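An added example (not from the original page) for the "check that the settings stay" step: it parses a `getfacl` listing like the one above and audits it against what the Windows permission edit should have produced: no access for `other`, each required group with effective `rwx` after the mask is applied, and a default ACL that mirrors the access ACL so the per-user folders created under the share inherit it. The group IDs are the ones shown in the listing on this page; the sample is constructed from that listing.

```python
"""Audit the POSIX ACL on a Samba share from `getfacl` output."""
import re
from dataclasses import dataclass

# getfacl prints one entry per line, e.g. "default:group:3000002:rwx" or "other::---".
ENTRY_RE = re.compile(r"^(default:)?(user|group|mask|other):([^:]*):([rwx-]{3})$")


@dataclass(frozen=True)
class AclEntry:
    default: bool    # True for "default:" entries, which new children inherit
    tag: str         # user, group, mask or other
    qualifier: str   # name or numeric id; empty for owner, owning group, mask, other
    perms: str       # rwx string exactly as printed


def parse_getfacl(text):
    """Return (header dict, list of AclEntry) for one getfacl listing."""
    header, entries = {}, []
    for raw in text.splitlines():
        # getfacl appends "#effective:r-x" when the mask trims an entry; drop it.
        line = raw.split("#effective:")[0].strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition(":")
            header[key.strip()] = value.strip()
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised getfacl line: {raw!r}")
        entries.append(AclEntry(bool(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return header, entries


def effective(entry, mask):
    """Permissions actually granted: named users, named groups and the owning
    group are ANDed with the mask; the owner, the mask and other are not."""
    masked = entry.tag == "group" or (entry.tag == "user" and entry.qualifier != "")
    if not masked or mask is None:
        return entry.perms
    return "".join(p if p != "-" and m != "-" else "-" for p, m in zip(entry.perms, mask))


def audit_share_acl(text, required_groups):
    """Return a list of problems; an empty list means the ACL matches the policy."""
    _, entries = parse_getfacl(text)
    problems = []
    for is_default in (False, True):
        scope = "default" if is_default else "access"
        scoped = {(e.tag, e.qualifier): e for e in entries if e.default == is_default}
        if not scoped:
            problems.append(f"no {scope} ACL entries at all")
            continue
        mask_entry = scoped.get(("mask", ""))
        mask = mask_entry.perms if mask_entry else None
        other = scoped.get(("other", ""))
        if other is None or other.perms != "---":
            problems.append(f"{scope}: other grants {other.perms if other else 'unset'}; expected ---")
        for gid in required_groups:
            entry = scoped.get(("group", gid))
            if entry is None:
                problems.append(f"{scope}: group {gid} has no entry")
            elif effective(entry, mask) != "rwx":
                problems.append(f"{scope}: group {gid} effective {effective(entry, mask)} "
                                f"(entry {entry.perms}, mask {mask})")

    # A named entry on the folder that is missing from the default ACL is not
    # inherited, so per-user subfolders created later silently lack it.
    def named(is_default):
        return {(e.tag, e.qualifier) for e in entries
                if e.default == is_default and e.qualifier and e.tag in ("user", "group")}

    for tag, qualifier in sorted(named(False) - named(True)):
        problems.append(f"{tag} {qualifier} is in the access ACL but not the default ACL")
    return problems


# Constructed sample: the getfacl listing quoted on this page for the users share.
SAMPLE_GETFACL = """\
# file: users
# owner: root
# group: root
user::rwx
user:root:rwx
group::---
group:root:---
group:3000002:rwx
group:3000003:rwx
group:3000008:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:root:---
default:group:3000002:rwx
default:group:3000008:rwx
default:mask::rwx
default:other::---
"""

if __name__ == "__main__":
    for problem in audit_share_acl(SAMPLE_GETFACL, ("3000002", "3000008")) or ["ACL ok"]:
        print(problem)
```

On the page's own listing it reports that group 3000003 is granted on the folder but absent from the default ACL, so folders created under it will not carry that group.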
==Folder Redirection with GPO==
*Download the ADMX files for Windows 7/2008 and place them in \\mydomain.edu\sysvol\mydomain.edu\Policies\PolicyDefinitions
*service samba restart
*Create an OU in AD and add a couple of users
*Open up Group Policy Management
*Do not edit the Default Domain Policy; instead right click on the OU, create a GPO and link it to the OU
*edit the linked GPO
*Go to User Configuration => Policies => Windows Settings => Folder Redirection
*Click each folder and change the setting under the "Target" tab to:
**Setting: Basic - Redirect everyone's folder to the same location
**Target Folder Location: Create a folder for each user under the root path
**Root path: \\MYDOMAIN.EDU\users
*under the "Settings" tab
**Uncheck "Grant the user exclusive rights to (name_of_folder)"
**under Policy Removal: "Leave the folder in the new location when policy is removed" should remain checked
*Since folder redirection puts the shortcuts on the NFS share, Windows will ask for confirmation every time you try to open one; to avoid this:
*Go to User Configuration => Policies => Windows Settings => Internet Explorer Maintenance => Security
**NOTE!!!: This can only be done from a Windows 7 machine running RSAT; Server 2012 and Windows 8 deprecated this feature
**reference: https://social.technet.microsoft.com/Forums/windowsserver/en-US/1f6a0d43-e81f-4038-88f6-75d8921fdf82/missing-group-policy-internet-explorer-maintenance
*Double click Security Zones and Content Ratings
*A window may pop up before you can edit settings; click "Continue"
*click Modify Settings, click on Local intranet, click Sites, click Advanced
*add:
 file://mydomain.edu
*click Close, OK, OK, and Apply
*Configuring the automatic resolution policy (when sync conflicts arise, keep the last modified file)
*Navigate to Computer Configuration => Preferences => Windows Settings => Registry
*create a new registry item
*add Software\Microsoft\Windows\CurrentVersion\NetCache\SyncConflictHandling to the key path
*in the UNC path add the share you want to auto-resolve conflicts for, \\DOMAIN\users
*set Value Data to 4
**0-7:
***1: Keep the local state. This overwrites the remote copy with the local copy's contents. If the local copy was deleted, this deletes the remote copy on the server.
***2: Keep the remote state. This overwrites the local copy with the remote copy's contents. If the remote copy was deleted, this deletes the local copy in the Offline Files cache.
***4: Retains the state of the latest operation as determined by last-change times of the items in conflict. If the local item was deleted, the time of deletion is used for comparison.
*save and apply

==Map a Network Drive with GPO==
*Go to User Configuration => Preferences => Windows Settings => Drive Maps
*Create a new mapped drive with:
 Action: Create
 Location: \\mydomainname.edu\folder\location
 Reconnect: Checked
 Use: "*" (pick any drive letter)
 Hide/Show this drive: Show this drive
 Hide/Show all drives: No change
*click OK
*samba must be restarted for the GPO to take effect
*make sure all the right ports are open on your firewall or the mapped drive may not connect (tcp 137, udp 137, etc.)

==Windows Update GPO==
*Download the ADM files from Microsoft, http://www.microsoft.com/en-us/download/details.aspx?id=18664
*Install it, then navigate to where it installed the ADM files, usually C:\Program Files (x86)\Microsoft Group Policy\Windows Server...\...
*copy only wuau.adm to \\mydomain.edu\sysvol\mydomain.edu\Policies\PolicyDefinitions\
*Edit the GPO
*Go to Computer Configuration => Policies => Administrative Templates => Windows Components => Windows Update
*still testing; enable the following
 Configure Automatic Updates: Enabled: Auto download and schedule the install: Every day: 17:00
 Specify intranet Microsoft update service location: Enabled: http://servername:port, http://servername:port
 Automatic Updates detection frequency: Enabled: 12 hours
 Allow non-administrators to receive update notifications: Enabled
 Allow Automatic Updates immediate installation: Enabled
 No auto-restart with logged on users for scheduled automatic updates installations: Enabled
 Reschedule Automatic Updates scheduled installations: Enabled: 10 minutes
 Enable client-side targeting: Enabled or Disabled; can be used to organize WSUS better
 Allow signed updates from an intranet Microsoft update service location: Enabled

==SSSD==
 vim /etc/sssd/sssd.conf
 
 [domain/default]
 ldap_id_use_start_tls = True
 cache_credentials = True
 ldap_search_base = dc=domain,dc=edu
 krb5_realm = $REALM
 id_provider = ldap
 auth_provider = ldap
 chpass_provider = ldap
 ldap_uri = ldap://domain.edu
 ldap_tls_cacertdir = /etc/openldap/cacerts
 ldap_schema = rfc2307bis
 ldap_user_fullname = displayName
 ldap_user_search_base = ou=idmap,dc=domain,dc=edu
 ldap_group_search_base = ou=Group,dc=domain,dc=edu
 ldap_group_member = member
 ldap_group_nesting_level = 4
 ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
 ldap_tls_reqcert = demand
 ldap_default_bind_dn = cn=Manager,dc=domain,dc=edu
 ldap_default_authtok_type = password
 ldap_default_authtok = ******
 debug_level = 8
 
 [sssd]
 services = nss, pam
 config_file_version = 2
 domains = default
 
 [nss]
 
 [pam]

==ACL==
*set privileges
 net rpc rights grant 'Domain\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
*view privileges
 net rpc rights list accounts -Uadministrator
*https://wiki.samba.org/index.php/Setup_and_configure_file_shares
*http://manpages.ubuntu.com/manpages/lucid/man1/setfacl.1.html
*http://www.linuxtopia.org/online_books/network_administration_guides/samba_reference_guide/23_AccessControls_25.html
*http://pic.dhe.ibm.com/infocenter/zos/v1r13/index.jsp?topic=%2Fcom.ibm.zos.r13.bpxa500%2Fsfacl.htm
*add a group ACL entry to a folder or file
 setfacl -m "g:groupname:permissions" folder
*https://wiki.archlinux.org/index.php/Access_Control_Lists
*get the ACL of x and set it recursively on y
 getfacl x | setfacl -R --set-file=- y

==Misc==
*after a yum update, portreserve may have been updated and interferes with samba
*it holds a lock on port 636 for slapd; samba provides an LDAP service on 636, so slapd cannot hold it
*go to /etc/portreserve and remove the slapd file, then restart the server; portreserve will no longer hold the lock on 636 and samba can use it
 cd /etc/portreserve
 rm slapd
*deleting a user profile from the registry
http://social.technet.microsoft.com/wiki/contents/articles/13895.how-to-remove-a-corrupted-user-profile-from-the-registry.aspx
*Network Level Authentication GPO
http://trekker.net/archives/group-policy-quick-tip-enable-remote-desktop-network-level-authentication/

Latest revision as of 12:47, 26 September 2014

This is a dummy page, stuff will be wrong on this page, used for editing before pushing out to other wikis

Purpose

The purpose of this wiki page is to document the steps needed to set up or recreate an Active Directory(AD) Environment using Samba 4. Not all features of a Windows Server AD are incorporated into Samba 4, such as DFS and others, will try and document what you can and can not accomplish at the moment with Samba 4. At the time of writing/editing the current version of Samba 4 being used is: 4.1.12

Current operating system Samba 4 is run on: Centos 6.5

Will try and make this page as simple to recreate using the same environment, however if confused or have no idea where to begin I recommend heading over to the Samba Wiki pages and reading there How To's and Documentation:

If still confused over anything I would recommend googling it, all of this I have found over the internet from different resources and will try and incorporate them into this wiki. For a complete list of all the references I found extremely useful see the bottom of this page.

  • Note: Until this message removed consider the following a work in progress

Install

Install CentOS

Install a minimal install of CentOS 6.5, at time of writing can be downloaded here:

If you prefer to use a gui or a full install go check out the CentOS mirrors list:

I would not recommend using CentOS 7 as the install procedure, startup service, as well as packages are a bit different, that being said it is entirely possible to get Samba 4 working on CentOS 7, if I have time and am upgrading I may come back and add in the changes CentOS 7 requires.

Samba 4 Requirements

Here are the OS Requirements as listed by the Samba Team:

Basically for a working Active Directory on CentOS install it is required that your system support Extended File Attributes.

Here are the packages I needed to install to build Samba 4, please note that all of these packages are probably not required and you are free to use the minimal list provided in the Samba Wiki, I have been trying to weed out most of the packages not needed and will be updating as I find extras, but as this is how a working setup was accomplished(with extra features not needed to just compile a basic Samba 4 server) I will leave this up for now:

 yum install gcc libacl-devel libblkid-devel gnutls-devel \
  readline-devel python-devel gdb pkgconfig krb5-workstation \
  zlib-devel setroubleshoot-server libaio-devel \
  setroubleshoot-plugins policycoreutils-python \
  libsemanage-python setools-libs-python setools-libs \
  popt-devel libpcap-devel sqlite-devel libidn-devel \
  libxml2-devel libacl-devel libsepol-devel libattr-devel \
  keyutils-libs-devel cyrus-sasl-devel cups-devel bind-utils \
  glibc glibc-devel gcc libacl-devel krb5-server krb5-workstation krb5-libs pam_krb5 make gnutls-devel \
  openldap-devel openldap-clients openldap-servers openldap-servers-sql \
  openssl-devel bind bind-libs bind-utils libblkid-devel readline-devel gdb python-devel cups sqlite-devel \
  setroubleshoot-server popt-devel libxml2-devel libpcap-devel libidn-devel cups-devel ctdb-devel pam-devel gnutls-devel \
  krb5-server-ldap nss-pam-ldapd pam_ldap openssh-ldap python-ldap docbook-style-xsl vim wget

Once CentOS is installed, give it hostname as well as static IP Address, this can be done thorugh DHCP or by manually editing CentOS network scripts

vim /etc/sysconfig/network
  • Edit "HOSTNAME=***" to say "HOSTNAME=samba" or whatever you want to name the server
  • Manually edit or add network-scripts if not there
cd /etc/sysconfig/network-scripts/
vim ifcfg-eth0
  • Make sure these options are included
DEVICE=eth0
HWADDR=**:**:**:**:**:**
TYPE=ETHERNET
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=dhcp
service network restart

For the purpose of saving time I have setup CentOS with selinux disabled, check to see this allowed by your Organization/Company before disabling selinux(this could be potentially dangerous depending on your network setup). Google Samba 4 selinux or visit the Samba Wiki here: https://wiki.samba.org/index.php/Samba_AD_DC_access_control_settings , if time allows I may come back and try to incorporate selinux into this wiki

  • To disable selinux
vim /etc/sysconfig/selinux
  • Change "SELINUX=enforcing" to "SELINUX=disabled"
  • Restart the computer
shutdown -r now

Installing Samba

Decide what version of Samba 4 you would like to use, if your demoing or a developer consider using the newer developer version. Note: May have bugs and is not suitable in a production environment

  • For developers:
  • install git
yum install git-core
git clone git://git.samba.org/samba.git ~/samba-master
wget http://www.samba.org/samba/ftp/stable/samba-4.1.12.tar.gz
  • Extract the archive if not done so already
tar -zxvf samba-4.1.12.tar.gz
  • Build the samba install, replace samba-master with samba-[Version#]
cd ~/samba-master
./configure --enable-debug --enable-selftest
  • If it completes successfully, make sure it is Building with Active Directory support, if not you may have forgotten a few packages
  • Finally compile and then install
make
make install

Creating script for starting and stopping samba service

cd /etc/init.d
cp rdisc samba
vim samba
:%s/rdisc/samba/g
:wq
  • change daemon location from /sbin/samba to /usr/loca/samba/sbin/samba, as well as killproc location
  • Delete RDISCOPT variable, remove usage from daemon command
  • change what gets echoed to the screen

Enabling Samba 4 as DC

  • add samba path to $PATH
echo 'export PATH=$PATH:/usr/local/samba/bin' >> ~/.bashrc
echo 'export PATH=$PATH:/usr/local/samba/sbin' >> ~/.bashrc
  • run command
/usr/local/samba/bin/samba-tool domain provision
  • the domain-provision tool should pick all defaults automatically, however they can be changed to your liking
  • once the provision tool has finished successfully restart the server
shutdown -r now
  • once system has started enable samba 4 and add it start at boot, change to start with chkconfig after service script is created
/usr/local/samba/sbin/samba
vim /etc/rc.d/rc.local
  • append "/usr/local/samba/sbin/samba" without quotations to the end of the file and then save
  • samba version as well as samba client version can be checked using the following commands
/usr/local/samba/sbin/samba -V
/usr/local/samba/bin/smbclient --version

Configuring DNS

  • DNS forwarding was set up on the domain provision ing using the samba-tool
cat /usr/local/samba/etc/smb.conf
  • there should be a line under "[global]" that says "dns forwarder = ***.***.***.***", if not it was not enabled during domain provisioning
  • edit resolv.conf
vim /etc/resolv.conf
  • edit to look exactly like:
domain mydomain.com
nameserver 128.***.***.** 
  • where "128.***.***.***" is the ipaddress of the centos server
  • next go back and edit ifcfg-eth0 in network-scripts
vim /etc/sysconfig/network-scripts/ifcfg-eth0
  • change the file to look like this
DEVICE="eth0"
BOOTPROTO="none"
DNS1="128.***.***.**" #this is host ipaddress
GATEWAY=128.**.***.*
HWADDR="84:B4:C1:0A:**:**"
IPADDR="128.***.***.**"
IPV6INIT="no"
NM_CONTROLLED="yes"
ONBOOT="yes"
PREFIX="24"
TYPE="Ethernet"
  • reboot so that all changes may take effect
shutdown -r now
  • login and test that the DNS is working properly
host -t SRV _ldap._tcp.mydomain.com
  • where mydomain.com is then name of the domain you are on
  • output should look like, where samba is the hostname of your server
_ldap._tcp.mydomain.com has SRV record 0 100 389 samba.mydomain.com
  • test with
host -t SRV _kerberos._udp.mydomain.com
  • output
_kerberos._udp.mydomain.com has SRV record 0 100 88 samba.mydomain.com
  • last test
host -t A samba.mydomain.com.
  • output should return your ip adddress
samba.mydomain.com has address 192.168.0.2
  • if test did not produce those outputs DNS has not been configured properly

Firewall

  • settings:
-A INPUT -p tcp --dport 53 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p udp --dport 137:138 -j ACCEPT
-A INPUT -p tcp --dport 139 -j ACCEPT
-A INPUT -p tcp --dport 445 -j ACCEPT
-A INPUT -p tcp --dport 135 -j ACCEPT
-A INPUT -p tcp --dport 88 -j ACCEPT
-A INPUT -p udp --dport 88 -j ACCEPT
-A INPUT -p tcp --dport 464 -j ACCEPT
-A INPUT -p tcp --dport 389 -j ACCEPT
-A INPUT -p udp --dport 389 -j ACCEPT
-A INPUT -p tcp --dport 1024 -j ACCEPT
 
-A INPUT -p tcp --dport 636 -j ACCEPT
-A INPUT -p tcp --dport 3268 -j ACCEPT
-A INPUT -p tcp --dport 3269 -j ACCEPT
-A INPUT -p udp --dport 445 -j ACCEPT
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p tcp --dport 135 -j ACCEPT
-A INPUT -p tcp --dport 5722 -j ACCEPT
-A INPUT -p udp --dport 464 -j ACCEPT
-A INPUT -p tcp --dport 137 -j ACCEPT

Kerberos

  • make a backup of original kerberos file and replace it with the copy generated by samba
mv /etc/krb5.conf /etc/krb5.conf.bak
cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf
  • edit the new krb5.conf file and change the ${REALM} variable to the realm selected during domain provisioning, ALL CAPS
vim /etc/krb5.conf
  • test Kerberos using the kinit command
kinit administrator@MYDOMAIN.COM
  • if Kerberos is working you will be asked for your password
  • verify that it is working by running klist, output should look something along the lines of
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@MYDOMAIN.COM

Valid starting Expires Service principal
07/25/13 15:23:33 07/26/13 1:23:33 krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
renew until 07/26/13 15:23:31

NTP

  • install ntp
yum install ntp
  • start ntp
/etc/init.d/ntpd start
  • add ntp to start up
chkconfig ntpd on

Windows Domain

Add Windows computer to domain

  • manually edit network settings to point DNS to samba4 server
  • assign static ip so there are no problems with joining computers to domain
  • ping samba4 server at ip address to verify you can see it
ping 128.***.***.****
  • ping FQDN to verify DNS is working
ping samba4.mydomain.com
  • you should get replies from both, verifying that you can communicate with the server and that DNS is functioning
  • run the date command on your server
date
  • Change the date and time on Windows Computer so that it is within a few seconds of the server, Kerberos requires the times between computers be no more than a few seconds apart
  • Right click on "My Computer" and click "Properties"
  • Under "Computer name, domain, and workgroup settings" click change settings
  • Under "Member of" check "Domain"
  • Type in the name of your domain in full uppercase letters, ex.
    • MYDOMAIN.COM
  • When asked enter in the username and password for the Administrator created during the samba-tool domain provisioning
  • Once you have joined the domain restart the computer and you can now log in to the domain

Adding Profile path to Samba

  • make a folder where the profiles will be stored
mkdir /usr/local/samba/var/profiles 
  • Add the following to smb.conf to include that location
vim /usr/local/samba/etc/smb.conf

[profiles]
path = /usr/local/samba/var/profiles
read only = No
  • tell samba to reload its configuration
/usr/local/samba/bin/smbcontrol all reload-config
  • once reloaded check the shares on your samba server, profiles should appear in the list
smbclient -L localhost -U%

Change Security on Profiles folder

  • login to the domain as administrator on a Windows 7 computer
  • open up My Computer and navigate to "\\servername", ex. "\\samba4"
  • right click on the profiles folder and select Properties
  • change security to allow Domain Admins Full Control
  • add Domain Users to Security with the options Traverse folder/execute file, List folder/read data, Create folders/append data

Install RSAT

  • Download Remote Server Administration Tool from the microsoft website, http://www.microsoft.com/en-us/download/details.aspx?id=7887
  • Install it. Once installed open up Control Panel, then Programs, then Programs and Features
  • on the left pane click "Turn Windows features on or off"
  • Select all under Remote Server Administration Tool, then click okay

Adding User and profile path

  • From a windows computer with RSAT installed run: dsa.msc
  • create a new user and edit its properties to include a profile path of "\\servername\profiles\%USERNAME%"
  • then run: gpupdate /force
  • Login with new user on domain and roaming profile will be created under /usr/local/samba/var/profiles on the server
  • If you're having Group Policy Issues you can view what has been applied by gpresult
  • From command line run:
gpresult /H filename.html
  • or if you only want Computer Configuration(must be run as an administrator)
gpresult /SCOPE COMPUTER /H filename.html

Folder Security

  • create a share where users' folder redirections will go; this belongs on an NFS mount, demoing here on the local drive
[users]
       path = /usr/local/samba/var/data/users
       comment = temp user folders for folder redirection, move to NFS
       read only = No
  • make the folder or have the NFS mounted
mkdir -p /usr/local/samba/var/data/users
chown root:3000000 /usr/local/samba/var/data/users
chmod 755 /usr/local/samba/var/data/users
  • login to a windows computer using a domain administrator to change permissions on the users folder
  • navigate to the users folder on the windows computer, \\mydomain.edu\users
  • right click on users folder and select properties, go to security tab, click on advanced, click change permissions
  • remove all current permissions, add new permissions making sure "Include inheritable permissions from the object's parents" is NOT checked
  • add:
    • Administrator: Full Control : This Folder, Subfolder, and Files
    • Domain Admins: Full Control : This Folder, Subfolder, and Files
    • SYSTEM: Full Control : This Folder, Subfolder, and Files
    • CREATOR OWNER: Full Control : Subfolder, and Files
    • Authenticated Users: Traverse Folder/Execute File, List Folder/Read Data, Create Files/Write Data, Create Folders/Append Data, Change Permissions: This Folder Only
  • restart service and check that settings stay
  • using getfacl
getfacl /data/users
  • returns
# file: users
# owner: root
# group: root
user::rwx
user:root:rwx
group::---
group:root:---
group:3000002:rwx
group:3000003:rwx
group:3000008:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:root:---
default:group:3000002:rwx
default:group:3000008:rwx
default:mask::rwx
default:other::---

Folder Redirection with GPO

  • Download the admx files for windows 7/2008 and place them in \\mydomain.edu\sysvol\mydomain.edu\Policies\PolicyDefinitions
  • restart samba
service samba restart
  • Create OU in AD and add a couple users
  • Open up Group Policy Management
  • Do not edit default domain policy, instead right click on the OU, Create GPO and link to OU
  • edit linked GPO
  • Go to User Configuration => Policies => Windows Settings => Folder Redirection
  • Click each folder and change setting under "Target" tab to:
    • Setting: Basic - Redirect everyone's folder to the same location
    • Target Folder Location: Create a folder for each user under the root path
    • Root path:\\MYDOMAIN.EDU\users
  • under the "Settings" tab
    • Uncheck "Grant the user exclusive rights to (name_of_folder)"
    • under policy removal: Leave the folder in the new location when policy is removed should remain checked
  • After folder redirection, windows will ask for confirmation every time you try to open a shortcut because they are stored on NFS
  • Go to User Configuration => Policies => Windows Settings => Internet Explorer Maintenance => Security
  • Double Click Security Zones and Content Ratings
  • A window may pop up before you can edit settings, click "continue"
  • click modify settings, click on Local intranet, click Sites, click Advanced
  • add:
file://mydomain.edu
  • click, close, OK, OK, and Apply
  • Configuring the Automatic Resolution Policy (when sync conflicts arise keep the last modified file)
  • Navigate to Computer Configuration => Preferences => Windows Settings => Registry
  • create a new registry item
  • add: Software\Microsoft\Windows\CurrentVersion\NetCache\SyncConflictHandling :to the key path
  • in the UNC path add the share you want to Auto resolve conflicts with, \\DOMAIN\users
  • set Value Data to 4
    • valid values are 0-7:
      • 1:Keep the local state. This overwrites the remote copy with the local copy's contents. If the local copy was deleted, this deletes the remote copy on the server.
      • 2:Keep the remote state. This overwrites the local copy with the remote copy's contents. If the remote copy was deleted, this deletes the local copy in the Offline Files cache.
      • 4:Retains the state of the latest operation as determined by last-change times of the items in conflict. If the local item was deleted, the time of deletion is used for comparison.
  • save and apply

Map a Network Drive with GPO

  • Go to User Configuration => Preferences => Windows Settings => Drive Maps
  • Create new mapped drive with:
Action:Create
Location: \\mydomainname.edu\folder\location
Reconnect:Checked
Use:"*" (pick any drive letter)
Hide/Show this drive:Show this Drive
Hide/Show all drives:No Change
  • click Okay
  • samba must be restarted for GPO to take effect
  • make sure all the right ports are open on your firewall or the mapped drive may not connect, tcp 137, udp 137 etc.

Windows Update GPO

  • Download ADM files from Microsoft, http://www.microsoft.com/en-us/download/details.aspx?id=18664
  • Install it, then navigate to where it put the ADM files. Usually C:\Program Files(x86)\Microsoft Group Policy\Windows Server...\...
  • copy only wuau.adm to \\mydomain.edu\sysvol\mydomain.edu\Policies\PolicyDefinitions\
  • Edit GPO
  • Go to Computer Configuration => Policies => Administrative Templates => Windows Components => Windows Update
  • still testing, enable the following
Configure Automatic Updates: Enabled: Auto Download and Schedule Install: Every Day: 17:00
Specify intranet Microsoft update service location: Enabled: http://servername:port, http://servername:port
Automatic Updates Detection Frequency: enabled 12 hours
Allow non administrators to receive update notifications : enabled
Allow Automatic Updates immediate installation: Enabled
No auto-restart with logged on user for scheduled automatic updates installations: Enabled
Reschedule Automatic Updates scheduled installations: Enabled: 10 minutes
Enable client-side targeting: Enabled or Disabled, can be used to organize WSUS better
Allow signed updates from an intranet Microsoft update service location: enabled

SSSD

vim /etc/sssd/sssd.conf
[domain/default]
ldap_id_use_start_tls = True
cache_credentials = True
ldap_search_base = dc=domain,dc=edu
krb5_realm = $REALM
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://domain.edu
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_schema = rfc2307bis
ldap_user_fullname = displayName
ldap_user_search_base = ou=idmap,dc=domain,dc=edu
ldap_group_search_base = ou=Group,dc=domain,dc=edu
ldap_group_member = member
ldap_group_nesting_level = 4
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
ldap_tls_reqcert = demand
ldap_default_bind_dn = cn=Manager,dc=domain,dc=edu
ldap_default_authtok_type = password
ldap_default_authtok = ******
debug_level = 8
[sssd]
services = nss, pam
config_file_version = 2
domains = default
[nss]  
[pam]
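An added example, not code from the page or from SSSD: a small shell linter for an sssd.conf fragment like the one above. It flags a key given twice (the effective value then depends on the parser), ldap_tls_reqcert weaker than demand, an LDAP bind password left in clear text, troubleshooting-level debug_level, and a file other users can read. The sample config it writes is constructed for the demonstration, not a real site's.

```shell
#!/bin/sh
# Added example, not from the original page: lint an sssd.conf for the pitfalls
# this kind of fragment invites: a key given twice, ldap_tls_reqcert weaker than
# demand, a bind password in clear text, troubleshooting-level debug_level and a
# file other users can read. One finding per line on stdout.
lint_sssd_conf() {
    conf="$1"
    # The file carries a bind password, so only root should be able to read it.
    [ "$(ls -ld "$conf" | cut -c5-10)" = "------" ] || echo "$conf: readable by group/other, chmod 600 it"
    awk '
    function flag(sec, msg) { print sec " " msg }
    function get(id) { return (id in seen) ? seen[id] : "" }
    /^[[:space:]]*\[/ { sec = $0; gsub(/[[:space:]]/, "", sec); next }
    /^[[:space:]]*[^#;[:space:]][^=]*=/ {
        key = $0; sub(/=.*/, "", key); gsub(/[[:space:]]/, "", key)
        val = $0; sub(/^[^=]*=[[:space:]]*/, "", val); sub(/[[:space:]]+$/, "", val)
        id = sec ":" key
        if (id in seen) flag(sec, "duplicate " key " (" seen[id] " then " val "); keep one line")
        seen[id] = val
    }
    END {
        for (id in seen) {
            split(id, p, ":"); s = p[1]; k = p[2]; v = seen[id]
            if (k == "ldap_tls_reqcert" && v != "demand" && v != "hard")
                flag(s, "ldap_tls_reqcert=" v " accepts an untrusted or missing server cert; use demand")
            if (k == "ldap_uri" && v ~ /^ldap:\/\// && get(s ":ldap_id_use_start_tls") !~ /^[Tt]rue$/)
                flag(s, "ldap:// without ldap_id_use_start_tls = True sends lookups in clear")
            if (k == "ldap_default_authtok" && get(s ":ldap_default_authtok_type") == "password")
                flag(s, "bind password in clear text; sss_obfuscate or a keytab (GSSAPI) bind avoids it")
            if (k == "debug_level" && v + 0 >= 8)
                flag(s, "debug_level=" v " is troubleshooting verbosity; lower it in production")
        }
    }' "$conf"
}
# Constructed sample (no real site): the fragment above condensed, with
# ldap_tls_reqcert given twice and the bind password left in clear.
write_sample_conf() {
    cat > "$1" <<'EOF'
[domain/default]
ldap_tls_reqcert = allow
ldap_id_use_start_tls = True
ldap_uri = ldap://domain.edu
ldap_tls_reqcert = demand
ldap_default_authtok_type = password
ldap_default_authtok = ******
debug_level = 8
[sssd]
services = nss, pam
EOF
}
```

Run `lint_sssd_conf /etc/sssd/sssd.conf` after editing; an empty result means none of the listed pitfalls is present.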

ACL

  • set privileges
net rpc rights grant 'Domain\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
  • view privileges
net rpc rights list accounts -Uadministrator
  • grant a group an ACL entry on a folder
setfacl -m "g:groupname:permissions" folder
  • copy the ACL of x onto y and everything under it
getfacl x | setfacl -R --set-file=- y

Misc

  • after a yum update portreserve may have been updated and will interfere with samba
  • it holds port 636 for slapd, but samba provides its LDAPS service on 636, so the port must not be held for slapd
  • go to /etc/portreserve and remove the slapd file, then restart the server; portreserve will no longer hold port 636 and samba can use it
cd /etc/portreserve
rm slapd
  • deleting a user profile from the registry

http://social.technet.microsoft.com/wiki/contents/articles/13895.how-to-remove-a-corrupted-user-profile-from-the-registry.aspx

  • Network level Authentication GPO

http://trekker.net/archives/group-policy-quick-tip-enable-remote-desktop-network-level-authentication/