AD Samba4
From Stadm
Contents
- 1 Samba 4 Active Directory DC
- 1.1 Installing Samba 4 onto CentOS
- 1.2 Creating script for starting and stopping samba service
- 1.3 Enabling Samba 4 as DC
- 1.4 Configuring DNS
- 1.5 Disable Firewall (re-enable with appropriate settings later)
- 1.6 Kerberos
- 1.7 NTP
- 1.8 Add Windows computer to domain
- 1.9 Adding Profile path to Samba
- 1.10 Change Security on Profiles folder
- 1.11 Install RSAT
- 1.12 Adding User and profile path
- 1.13 Folder Sync
- 1.14 References

Samba 4 Active Directory DC
Installing Samba 4 onto CentOS
- Install a minimal CentOS system
- Change the hostname:
 
vi /etc/sysconfig/network
- Edit "HOSTNAME=***" to say "HOSTNAME=samba" or whatever you want to name the server
- Manually edit the interface configuration in network-scripts, or create it if it is not there
 
cd /etc/sysconfig/network-scripts/
vi ifcfg-eth0
- Make sure these options are included
 
DEVICE=eth0
HWADDR=**:**:**:**:**:**
TYPE=ETHERNET
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=dhcp
- restart the network
 
service network restart
- Run yum update
- Install vim or an editor of your choice; vi is included in the minimal install
- SELinux must be disabled:
 
vim /etc/sysconfig/selinux
- change "SELINUX=enforcing" to "SELINUX=disabled"
 - restart the computer
 
shutdown -r now
- Install the packages that are required for building and installing Samba
 
yum install glibc glibc-devel gcc python* libacl-devel krb5-server krb5-workstation krb5-libs pam_krb5 make gnutls-devel openssl-devel bind bind-libs bind-utils libblkid-devel readline-devel gdb python-devel
- Install git, which will be used to download the Samba source
 
yum install git-core
git clone http://gitweb.samba.org/samba.git ~/samba-master
- reboot server so all packages and updates are applied
 
shutdown -r now
- Log in and configure the Samba build
 
cd ~/samba-master
./configure --enable-debug --enable-selftest
- If configure completes successfully, build and install:
 
make
make install
Creating script for starting and stopping samba service
cd /etc/init.d
cp rdisc samba
vim samba
:%s/rdisc/samba/g
:wq
- Change the daemon location from /sbin/samba to /usr/local/samba/sbin/samba, as well as the killproc location
- Delete the RDISCOPT variable and remove its use from the daemon command
- Change what gets echoed to the screen
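A stand-alone SysV init script for the source-built Samba, added here as an example rather than the edited rdisc copy the steps above produce; it uses the page's /usr/local/samba prefix, and the PIDFILE location assumes Samba's default piddir under that prefix.

```shell
#!/bin/sh
# samba        Start/stop the Samba 4 AD DC built from source
# chkconfig: 2345 80 20
# description: Samba 4 Active Directory domain controller
#
# Added example, not the wiki's edited rdisc copy: a stand-alone SysV init
# script for the /usr/local/samba prefix used on this page. PIDFILE assumes
# Samba's default piddir of /usr/local/samba/var/run (an assumption).
SAMBA_BIN=${SAMBA_BIN:-/usr/local/samba/sbin/samba}
PIDFILE=${PIDFILE:-/usr/local/samba/var/run/samba.pid}

# samba_pid: print the pid of a running samba; fail if it is not running
samba_pid() {
    [ -r "$PIDFILE" ] || return 1
    pid=$(cat "$PIDFILE")
    [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null && echo "$pid"
}

samba_start() {
    if samba_pid >/dev/null; then echo "samba is already running"; return 0; fi
    echo "Starting samba"
    "$SAMBA_BIN" -D                   # -D: run as a daemon
}

samba_stop() {
    pid=$(samba_pid) || { echo "samba is not running"; return 1; }
    echo "Stopping samba"
    kill "$pid"
}

# samba_status: 0 if running, 3 (LSB "not running") otherwise
samba_status() {
    if pid=$(samba_pid); then echo "samba (pid $pid) is running"; return 0; fi
    echo "samba is stopped"; return 3
}

case "${1:-}" in
    start)   samba_start ;;
    stop)    samba_stop ;;
    restart) samba_stop; samba_start ;;
    status)  samba_status ;;
    "")      ;;                       # no action given: only define functions
    *)       echo "Usage: $0 {start|stop|restart|status}"; exit 2 ;;
esac
```

Install it as /etc/init.d/samba, make it executable and register it with chkconfig --add samba.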
 
Enabling Samba 4 as DC
- add samba path to $PATH
 
echo 'export PATH=$PATH:/usr/local/samba/bin' >> ~/.bashrc
- Run the provisioning tool:
 
/usr/local/samba/bin/samba-tool domain provision
- The domain provision tool picks sensible defaults for every prompt; change them to your liking if needed
- Once the provision tool has finished successfully, restart the server
 
shutdown -r now
- Once the system has started, start Samba 4 and add it to the boot sequence
 
/usr/local/samba/sbin/samba
vim /etc/rc.d/rc.local
- append "/usr/local/samba/sbin/samba" without quotations to the end of the file and then save
- The Samba server version and the Samba client version can be checked with the following commands
 
/usr/local/samba/sbin/samba -V
/usr/local/samba/bin/smbclient --version
Configuring DNS
- DNS forwarding was set up during domain provisioning by samba-tool; check it in smb.conf
 
cat /usr/local/samba/etc/smb.conf
- There should be a line under "[global]" that says "dns forwarder = ***.***.***.***"; if not, forwarding was not enabled during domain provisioning
- Edit resolv.conf
 
vim /etc/resolv.conf
- edit to look exactly like:
 
domain mydomain.com
nameserver 128.***.***.**
- where "128.***.***.***" is the IP address of the CentOS server
- Next go back and edit ifcfg-eth0 in network-scripts
 
vim /etc/sysconfig/network-scripts/ifcfg-eth0
- change the file to look like this
 
DEVICE="eth0"
BOOTPROTO="none"
DNS1="128.***.***.**" #this is host ipaddress
GATEWAY=128.**.***.*
HWADDR="84:B4:C1:0A:**:**"
IPADDR="128.***.***.**"
IPV6INIT="no"
NM_CONTROLLED="yes"
ONBOOT="yes"
PREFIX="24"
TYPE="Ethernet"
- reboot so that all changes may take effect
 
shutdown -r now
- Log in and test that DNS is working properly
 
host -t SRV _ldap._tcp.mydomain.com
- where mydomain.com is the name of your domain
- The output should look like the following, where samba is the hostname of your server
 
_ldap._tcp.mydomain.com has SRV record 0 100 389 samba.mydomain.com
- test with
 
host -t SRV _kerberos._udp.mydomain.com
- output
 
_kerberos._udp.mydomain.com has SRV record 0 100 88 samba.mydomain.com
- last test
 
host -t A samba.mydomain.com.
- The output should return your IP address
 
samba.mydomain.com has address 192.168.0.2
- If the tests did not produce those outputs, DNS has not been configured properly
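The three checks above can be scripted instead of eyeballed. This is an added example, not part of the original page: it parses what `host` prints and verifies that the SRV records point at the DC on the expected ports (389 for LDAP, 88 for Kerberos) and that the A record resolves to the expected address; DOMAIN and DC default to the page's placeholder names.

```shell
#!/bin/sh
# Added example (not from the wiki page): validate the output of the
# `host -t SRV` and `host -t A` checks from the DNS section. DOMAIN and DC
# are the page's placeholder names; override them in the environment.
DOMAIN=${DOMAIN:-mydomain.com}
DC=${DC:-samba.$DOMAIN}

# check_srv OUTPUT PORT: succeed if the first line of OUTPUT is
# "<name> has SRV record <prio> <weight> <port> <target>" with
# <port> equal to PORT and <target> equal to $DC (first record only)
check_srv() {
    line=$(printf '%s\n' "$1" | head -n 1); want_port=$2
    set -- $line                       # split the host output into fields
    [ "$2" = "has" ] && [ "$3" = "SRV" ] || return 1
    target=${8%.}                      # host may print a trailing dot
    [ "$7" = "$want_port" ] && [ "$target" = "$DC" ]
}

# check_a OUTPUT IP: succeed if the first line of OUTPUT is
# "<name> has address <ip>" with <ip> equal to IP
check_a() {
    line=$(printf '%s\n' "$1" | head -n 1); want_ip=$2
    set -- $line
    [ "$2" = "has" ] && [ "$3" = "address" ] && [ "$4" = "$want_ip" ]
}

# verify_dc_dns IP: run the page's three queries against the live resolver
# and succeed only if all three come back as expected
verify_dc_dns() {
    check_srv "$(host -t SRV "_ldap._tcp.$DOMAIN")" 389 &&
    check_srv "$(host -t SRV "_kerberos._udp.$DOMAIN")" 88 &&
    check_a "$(host -t A "$DC.")" "$1"
}
```

On the DC itself, `verify_dc_dns 192.168.0.2 && echo DNS OK` reproduces the manual test sequence in one step.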
 
Disable Firewall (re-enable with appropriate settings later)
service iptables start
service iptables stop
chkconfig iptables off
Settings to use when re-enabling:
-A INPUT -p tcp --dport 53 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p udp --dport 137:138 -j ACCEPT
-A INPUT -p tcp --dport 139 -j ACCEPT
-A INPUT -p tcp --dport 445 -j ACCEPT
-A INPUT -p tcp --dport 135 -j ACCEPT
-A INPUT -p tcp --dport 88 -j ACCEPT
-A INPUT -p udp --dport 88 -j ACCEPT
-A INPUT -p tcp --dport 464 -j ACCEPT
-A INPUT -p tcp --dport 389 -j ACCEPT
-A INPUT -p udp --dport 389 -j ACCEPT
-A INPUT -p tcp --dport 1024 -j ACCEPT
additional:
-A INPUT -p tcp --dport 636 -j ACCEPT
-A INPUT -p tcp --dport 3268 -j ACCEPT
-A INPUT -p tcp --dport 3269 -j ACCEPT
-A INPUT -p udp --dport 445 -j ACCEPT
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p tcp --dport 135 -j ACCEPT
-A INPUT -p tcp --dport 5722 -j ACCEPT
-A INPUT -p udp --dport 464 -j ACCEPT
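Rather than leaving the firewall off, the port list above can be turned into a complete /etc/sysconfig/iptables ruleset. This is an added example, not the page's own configuration: it adds a default DROP policy, loopback, ESTABLISHED,RELATED and ICMP (for the ping tests later in the page) on top of the ports the page lists, and TCP 22 for SSH is an assumption for remote administration.

```shell
#!/bin/sh
# Added example (not the wiki page's own config): generate an
# /etc/sysconfig/iptables ruleset from the AD DC port list above so the
# firewall can be re-enabled. Beyond the page's list it adds a default DROP
# policy, loopback, ESTABLISHED,RELATED and ICMP; TCP 22 (SSH) is assumed.
TCP_PORTS="22 25 53 88 135 139 389 445 464 636 1024 3268 3269 5722"
UDP_PORTS="53 88 137:138 389 445 464"

# rule: print one iptables-restore line verbatim
rule() { printf '%s\n' "$*"; }

# build_rules: write the complete ruleset to stdout
build_rules() {
    rule '*filter'
    rule ':INPUT DROP [0:0]'
    rule ':FORWARD DROP [0:0]'
    rule ':OUTPUT ACCEPT [0:0]'
    rule -A INPUT -i lo -j ACCEPT
    rule -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    rule -A INPUT -p icmp -j ACCEPT
    for p in $TCP_PORTS; do rule -A INPUT -p tcp --dport "$p" -j ACCEPT; done
    for p in $UDP_PORTS; do rule -A INPUT -p udp --dport "$p" -j ACCEPT; done
    rule COMMIT
}

# count_accept: number of ACCEPT rules in the generated set (sanity check)
count_accept() { build_rules | grep -c -- '-j ACCEPT'; }

# Usage on the DC:
#   build_rules > /etc/sysconfig/iptables
#   service iptables restart && chkconfig iptables on
```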
Kerberos
- Make a backup of the original Kerberos config file and replace it with the copy generated by Samba
 
mv /etc/krb5.conf /etc/krb5.conf.bak
cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf
- Edit the new krb5.conf file and change the ${REALM} variable to the realm selected during domain provisioning, in ALL CAPS
 
vim /etc/krb5.conf
- test Kerberos using the kinit command
 
kinit administrator@MYDOMAIN.COM
- If Kerberos is working you will be asked for your password
- Verify that it is working by running klist; the output should look similar to
 
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@MYDOMAIN.COM

Valid starting     Expires            Service principal
07/25/13 15:23:33  07/26/13 1:23:33   krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
	renew until 07/26/13 15:23:31
NTP
- install ntp
 
yum install ntp
- start ntp
 
/etc/init.d/ntpd start
- add ntp to start up
 
chkconfig ntpd on
Add Windows computer to domain
- Manually edit the network settings to point DNS at the Samba 4 server
- Assign a static IP so there are no problems with joining computers to the domain
- Ping the Samba 4 server at its IP address to verify you can reach it
 
ping 128.***.***.****
- ping FQDN to verify DNS is working
 
ping samba4.mydomain.com
- You should get replies from both, verifying that you can communicate with the server and that DNS is functioning
- Run the date command on your server
 
date
- Change the date and time on the Windows computer so that it is within a few seconds of the server; Kerberos requires the clocks of the computers to be no more than a few seconds apart
- Right click on "My Computer" and click "Properties"
- Under "Computer name, domain, and workgroup settings" click "Change settings"
- Under "Member of" check "Domain"
- Type in the name of your domain in full uppercase letters, e.g. MYDOMAIN.COM
 
- When asked, enter the username and password of the Administrator account created during the samba-tool domain provisioning
- Once you have joined the domain, restart the computer; you can now log in to the domain
 
Adding Profile path to Samba
- Make a folder where the profiles will be stored
 
mkdir /usr/local/samba/var/profiles
- Add the following to smb.conf to include that location
 
vim /usr/local/samba/etc/smb.conf
[profiles]
       path = /usr/local/samba/var/profiles
       read only = No
- Reload the Samba configuration
 
/usr/local/samba/bin/smbcontrol all reload-config
- Once reloaded, check the shares on your Samba server; profiles should appear in the list
 
smbclient -L localhost -U%
Change Security on Profiles folder
- Log in to the domain as administrator on a Windows 7 computer
- Open My Computer and navigate to "\\servername", e.g. "\\samba4"
- Right click on the profiles folder and select Properties
- Change the security settings to allow Domain Administrators Full Control
- Add Domain Users to the security settings with the permissions Traverse folder/execute file, List folder/read data, and Create folders/append data
 
Install RSAT
- Download the Remote Server Administration Tools from the Microsoft website, http://www.microsoft.com/en-us/download/details.aspx?id=7887
- Install them; once installed, open Control Panel, then Programs, then Programs and Features
- In the left pane click "Turn Windows features on or off"
- Select everything under Remote Server Administration Tools, then click OK
 
Adding User and profile path
- From a Windows computer with RSAT installed run: dsa.msc
- Create a new user and edit its properties to include a profile path of "\\servername\profiles\%USERNAME%"
- Then run: gpupdate /force
- Log in to the domain with the new user; the roaming profile will be created under /usr/local/samba/var/profiles on the server
 
Folder Sync
- Create a share where the users' redirected folders will go; this should be on NFS, but the demo here uses the local drive
 
[users]
       path = /data/users
       comment = temp user folders for folder redirection, move to NFS
       read only = No
- Make the folder, or have the NFS export mounted there
 
mkdir -p /data/users
- Log in to a Windows computer as a domain administrator and change the permissions on the users folder: remove all inherited permissions, then add: