Difference between revisions of "AD Samba4"
(61 intermediate revisions by the same user not shown) | |||
Line 3: | Line 3: | ||
[[Category:Samba]] | [[Category:Samba]] | ||
[[Category:Samba4AD]] | [[Category:Samba4AD]] | ||
− | + | ||
− | =Samba 4 Active Directory Install= | + | ==Purpose== |
− | == | + | The purpose of this wiki page is to document the steps needed to set up or recreate an Active Directory(AD) Environment using Samba 4. Not all features of a Windows Server AD are incorporated into Samba 4, such as DFS and others, will try and document what you can and can not accomplish at the moment with Samba 4. At the time of writing/editing the current version of Samba 4 being used is: 4.1.12 |
− | * | + | |
− | * | + | Current operating system Samba 4 is run on: Centos 6.5 |
− | + | ||
+ | Will try and make this page as simple to recreate using the same environment, however if confused or have no idea where to begin I recommend heading over to the Samba Wiki pages and reading there How To's and Documentation: | ||
+ | *https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO | ||
+ | *https://wiki.samba.org/index.php/User_Documentation | ||
+ | If still confused over anything I would recommend googling it, all of this I have found over the internet from different resources and will try and incorporate them into this wiki. For a complete list of all the references I found extremely useful see the bottom of this page. | ||
+ | |||
+ | =Samba 4 Active Directory Domain Controller= | ||
+ | ==Install CentOS== | ||
+ | Install a minimal install of CentOS 6.5, at time of writing can be downloaded here: | ||
+ | *http://mirrors.usc.edu/pub/linux/distributions/centos/6.5/isos/x86_64/CentOS-6.5-x86_64-minimal.iso | ||
+ | If you prefer to use a gui or a full install go check out the CentOS mirrors list: | ||
+ | *http://isoredirect.centos.org/centos/6/isos/x86_64/ | ||
+ | I would not recommend using CentOS 7 as the install procedure, startup service, as well as packages are a bit different, that being said it is entirely possible to get Samba 4 working on CentOS 7, if I have time and am upgrading I may come back and add in the changes CentOS 7 requires. | ||
+ | *See here for CentOS 7: http://wiki.eri.ucsb.edu/stadm/AD_Samba4_Centos_7 | ||
+ | |||
+ | ==Samba 4 Requirements== | ||
+ | Here are the OS Requirements as listed by the Samba Team: | ||
+ | *https://wiki.samba.org/index.php/OS_Requirements | ||
+ | Basically for a working Active Directory on CentOS install it is required that your system support Extended File Attributes. | ||
+ | |||
+ | Here are the packages I needed to install to build Samba 4, please note that all of these packages are probably not required and you are free to use the minimal list provided in the Samba Wiki, I have been trying to weed out most of the packages not needed and will be updating as I find extras, but as this is how a working setup was accomplished(with extra features not needed to just compile a basic Samba 4 server) I will leave this up for now: | ||
+ | yum install gcc libacl-devel libblkid-devel gnutls-devel \ | ||
+ | readline-devel python-devel gdb pkgconfig krb5-workstation \ | ||
+ | zlib-devel setroubleshoot-server libaio-devel \ | ||
+ | setroubleshoot-plugins policycoreutils-python \ | ||
+ | libsemanage-python setools-libs-python setools-libs \ | ||
+ | popt-devel libpcap-devel sqlite-devel libidn-devel \ | ||
+ | libxml2-devel libacl-devel libsepol-devel libattr-devel \ | ||
+ | keyutils-libs-devel cyrus-sasl-devel cups-devel bind-utils \ | ||
+ | glibc glibc-devel gcc libacl-devel krb5-server krb5-workstation krb5-libs pam_krb5 make gnutls-devel \ | ||
+ | openldap-devel openldap-clients openldap-servers openldap-servers-sql \ | ||
+ | openssl-devel bind bind-libs bind-utils libblkid-devel readline-devel gdb python-devel cups sqlite-devel \ | ||
+ | setroubleshoot-server popt-devel libxml2-devel libpcap-devel libidn-devel cups-devel ctdb-devel pam-devel gnutls-devel \ | ||
+ | krb5-server-ldap nss-pam-ldapd pam_ldap openssh-ldap python-ldap docbook-style-xsl vim wget | ||
+ | *Note: if not installing vim(why wouldn't you in the first place?) make sure to install perl(dependency for vim), ./configure will fail down below without perl | ||
+ | |||
+ | *Here is a more minimal list to compile with AD support | ||
+ | yum install perl gcc libacl-devel libblkid-devel gnutls-devel \ | ||
+ | > readline-devel python-devel gdb pkgconfig krb5-workstation \ | ||
+ | > zlib-devel setroubleshoot-server libaio-devel \ | ||
+ | > setroubleshoot-plugins policycoreutils-python \ | ||
+ | > libsemanage-python setools-libs-python setools-libs \ | ||
+ | > popt-devel libpcap-devel sqlite-devel libidn-devel \ | ||
+ | > libxml2-devel libacl-devel libsepol-devel libattr-devel \ | ||
+ | > keyutils-libs-devel cyrus-sasl-devel cups-devel bind-utils \ | ||
+ | > libxslt docbook-style-xsl openldap-devel pam-devel | ||
+ | |||
+ | Once CentOS is installed, give it hostname as well as static IP Address, this can be done through DHCP or by manually editing CentOS network scripts | ||
+ | vim /etc/sysconfig/network | ||
*Edit "HOSTNAME=***" to say "HOSTNAME=samba" or whatever you want to name the server | *Edit "HOSTNAME=***" to say "HOSTNAME=samba" or whatever you want to name the server | ||
− | * | + | *Manually edit or add network-scripts if not there |
cd /etc/sysconfig/network-scripts/ | cd /etc/sysconfig/network-scripts/ | ||
− | + | vim ifcfg-eth0 | |
*Make sure these options are included | *Make sure these options are included | ||
DEVICE=eth0 | DEVICE=eth0 | ||
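Review bot: the "more minimal" yum list in this hunk (the block under "Here is a more minimal list to compile with AD support") still carries the shell's `>` continuation prompts pasted from a terminal, so it cannot be run as shown: after each backslash continuation the `>` on the next line is parsed as an output redirection, so the word following it (readline-devel, zlib-devel, ...) becomes a file that yum's output is written to instead of a package to install. Drop the leading `> ` from every continued line. The first, larger list repeats several packages (libacl-devel, gnutls-devel, readline-devel, python-devel, krb5-workstation among them), which is harmless, but it also installs openldap-servers, bind and krb5-server, daemons that compete with the LDAP, DNS and KDC roles Samba itself provides on the DC; the portreserve lock on port 636 for slapd dealt with further down this page is one consequence of that.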
Line 20: | Line 68: | ||
NM_CONTROLLED=yes | NM_CONTROLLED=yes | ||
BOOTPROTO=dhcp | BOOTPROTO=dhcp | ||
− | * | + | *For a static IP Address, go look at an example here: https://gist.github.com/fernandoaleman/2172388 (or just google how to give centos a static ip) |
+ | *Restart the network service | ||
service network restart | service network restart | ||
− | + | For the purpose of saving time I have setup CentOS with selinux disabled, check to see this allowed by your Organization/Company before disabling selinux(this could be potentially dangerous depending on your network setup). Google Samba 4 selinux or visit the Samba Wiki here: https://wiki.samba.org/index.php/Samba_AD_DC_access_control_settings , if time allows I may come back and try to incorporate selinux into this wiki | |
− | + | *To disable selinux | |
− | * | ||
vim /etc/sysconfig/selinux | vim /etc/sysconfig/selinux | ||
− | * | + | *Change "SELINUX=enforcing" to "SELINUX=disabled" |
− | * | + | *Restart the computer |
shutdown -r now | shutdown -r now | ||
− | + | ||
− | + | ==Installing Samba== | |
− | + | Decide what version of Samba 4 you would like to use, if your demoing or a developer consider using the newer developer version. Note: May have bugs and is not suitable in a production environment | |
− | + | *For developers: | |
− | *install git | + | *install git |
− | |||
yum install git-core | yum install git-core | ||
− | git clone | + | git clone git://git.samba.org/samba.git ~/samba-master |
− | * | + | *For stable Samba version visit: http://www.samba.org/ |
− | + | *or(as of 09-26-14): | |
− | * | + | wget http://www.samba.org/samba/ftp/stable/samba-4.1.12.tar.gz |
− | + | *Extract the archive if not done so already | |
− | * | + | tar -zxvf samba-4.1.12.tar.gz |
+ | *Build the samba install, replace samba-master with samba-[Version#] | ||
cd ~/samba-master | cd ~/samba-master | ||
./configure --enable-debug --enable-selftest | ./configure --enable-debug --enable-selftest | ||
− | * | + | *If it completes successfully, make sure it is Building with Active Directory support, if not you may have forgotten a few packages |
+ | *Finally compile and then install | ||
make | make | ||
make install | make install | ||
− | ==Creating script for starting and stopping samba | + | ==Creating Samba Service== |
+ | Samba does not come with a provided service script, however it is easy to just copy a script from a service that is already implemented, we will use rdisc and modify it for starting and stopping samba. | ||
cd /etc/init.d | cd /etc/init.d | ||
cp rdisc samba | cp rdisc samba | ||
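Review bot: the source fetch in this hunk is never verified: `git clone git://git.samba.org/samba.git` uses the unauthenticated git:// transport (the https:// form of the same URL authenticates the server), and the `wget` of samba-4.1.12.tar.gz is not checked against the detached GPG signature the Samba team publishes alongside each release tarball. On a domain controller this is the code that will hold every account's credentials, so checking the signature before `make install` is worth the extra step. Separately, the SELinux paragraph disables enforcement outright; `SELINUX=permissive` keeps the denials in the audit log while nothing is blocked, which gives the material needed to write the policy the linked Samba_AD_DC_access_control_settings page describes, instead of leaving the DC without SELinux for good.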
Line 54: | Line 104: | ||
:%s/rdisc/samba/g | :%s/rdisc/samba/g | ||
:wq | :wq | ||
− | * | + | *Change daemon location from /sbin/samba to /usr/local/samba/sbin/samba, as well as killproc location |
*Delete RDISCOPT variable, remove usage from daemon command | *Delete RDISCOPT variable, remove usage from daemon command | ||
− | * | + | *Change what gets echoed to the screen |
+ | Or after reviewing to make sure it work with your system, you can download the scripts here: https://github.com/t-ali/samba4_scripts/blob/master/samba | ||
+ | |||
+ | Move the file samba to /etc/init.d/ | ||
+ | *Portreserve gets installed as a dependency, nothing wrong with it however it only gives slapd access to port 636 which is required for samba ldap service, to get around this remove this file used by portreserve | ||
+ | rm /etc/portreserve/slapd | ||
+ | *You may have to restart your server to get portreserve to release port 636 | ||
==Enabling Samba 4 as DC== | ==Enabling Samba 4 as DC== | ||
− | * | + | *Add samba path to $PATH, this only works for bash |
echo 'export PATH=$PATH:/usr/local/samba/bin' >> ~/.bashrc | echo 'export PATH=$PATH:/usr/local/samba/bin' >> ~/.bashrc | ||
echo 'export PATH=$PATH:/usr/local/samba/sbin' >> ~/.bashrc | echo 'export PATH=$PATH:/usr/local/samba/sbin' >> ~/.bashrc | ||
− | * | + | *Run command |
/usr/local/samba/bin/samba-tool domain provision | /usr/local/samba/bin/samba-tool domain provision | ||
*the domain-provision tool should pick all defaults automatically, however they can be changed to your liking | *the domain-provision tool should pick all defaults automatically, however they can be changed to your liking | ||
− | * | + | *it is your choice to decide what kind of DNS you would like to use, you can configure your own bind DNS server and manage it yourself for the domain(not going to be covered here) or you can forward requests to your DNS server and have Samba 4 deal with the Windows DNS entries(Samba 4 will be a DNS forwarder). Feel free to use your own DNS server to forward requests to, for the sake of testing I am just putting in googles public DNS address 8.8.8.8 |
− | + | [root@dumbo var]# /usr/local/samba/bin/samba-tool domain provision | |
− | + | Realm: AD1.domain.edu | |
− | /usr/local/samba/sbin/samba | + | Domain [AD1]: |
− | + | Server Role (dc, member, standalone) [dc]: | |
− | + | DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: | |
+ | DNS forwarder IP address (write 'none' to disable forwarding) [8.8.8.8]: | ||
+ | Administrator password: | ||
+ | Retype password: | ||
+ | Looking up IPv4 addresses | ||
+ | Looking up IPv6 addresses | ||
+ | No IPv6 address will be assigned | ||
+ | Setting up share.ldb | ||
+ | Setting up secrets.ldb | ||
+ | Setting up the registry | ||
+ | Setting up the privileges database | ||
+ | Setting up idmap db | ||
+ | Setting up SAM db | ||
+ | Setting up sam.ldb partitions and settings | ||
+ | Setting up sam.ldb rootDSE | ||
+ | Pre-loading the Samba 4 and AD schema | ||
+ | Adding DomainDN: DC=ad1,DC=domain,DC=edu | ||
+ | Adding configuration container | ||
+ | Setting up sam.ldb schema | ||
+ | Setting up sam.ldb configuration data | ||
+ | Setting up display specifiers | ||
+ | Modifying display specifiers | ||
+ | Adding users container | ||
+ | Modifying users container | ||
+ | Adding computers container | ||
+ | Modifying computers container | ||
+ | Setting up sam.ldb data | ||
+ | Setting up well known security principals | ||
+ | Setting up sam.ldb users and groups | ||
+ | Setting up self join | ||
+ | Adding DNS accounts | ||
+ | Creating CN=MicrosoftDNS,CN=System,DC=ad1,DC=domain,DC=edu | ||
+ | Creating DomainDnsZones and ForestDnsZones partitions | ||
+ | Populating DomainDnsZones and ForestDnsZones partitions | ||
+ | Setting up sam.ldb rootDSE marking as synchronized | ||
+ | Fixing provision GUIDs | ||
+ | A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf | ||
+ | Once the above files are installed, your Samba4 server will be ready to use | ||
+ | Server Role: active directory domain controller | ||
+ | Hostname: dumbo | ||
+ | NetBIOS Domain: AD1 | ||
+ | DNS Domain: ad1.domain.edu | ||
+ | DOMAIN SID: S-1-5-21-3942629588-2438417362-1542489463 | ||
+ | After provisioning a kerberos file has been created that is usable with samba, make a backup of current kerberos configuration and copy the generated file to /etc/krb5.conf | ||
+ | mv /etc/krb5.conf /etc/krb5.conf.bak | ||
+ | cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf | ||
+ | *your krb5.conf file should look like | ||
+ | [libdefaults] | ||
+ | default_realm = AD1.DOMAIN.EDU | ||
+ | dns_lookup_realm = false | ||
+ | dns_lookup_kdc = true | ||
+ | Now we can fnially start the samba service, if you tried starting it earlier it most likely failed to start, you can check the status by: | ||
+ | service samba status | ||
+ | Now that we have everything in place start the samba service: | ||
+ | service samba start | ||
+ | We can check a couple ways to make sure samba is up and running, go check out the log files located at | ||
+ | cd /usr/local/samba/var/ | ||
+ | tail log.samba | ||
+ | tail log.smbd | ||
+ | Usually any errors will appear at the end of log.smbd telling you smbd did not start, a working output would look like | ||
+ | [2014/09/26 16:32:48, 0] ../source3/smbd/server.c:1189(main) | ||
+ | smbd version 4.1.12 started. | ||
+ | Copyright Andrew Tridgell and the Samba Team 1992-2013 | ||
+ | [2014/09/26 16:32:49.031941, 0] ../lib/util/become_daemon.c:136(daemon_ready) | ||
+ | And one more way just to check for the paranoid: | ||
+ | ps aux | grep -v grep | grep samba | ||
+ | Output should spit out a bunch of running processes | ||
+ | [root@dumbo var]# ps aux | grep -v grep | grep samba | ||
+ | root 1626 0.0 2.3 538864 44768 ? Ss 10:56 0:00 /usr/local/samba/sbin/samba | ||
+ | root 1628 0.0 1.6 538864 31916 ? S 10:56 0:00 /usr/local/samba/sbin/samba | ||
+ | root 1629 0.0 1.6 538864 32676 ? S 10:56 0:00 /usr/local/samba/sbin/samba | ||
+ | root 1630 0.0 1.7 538864 33544 ? S 10:56 0:00 /usr/local/samba/sbin/samba | ||
+ | root 1631 0.0 1.6 538864 31884 ? S 10:56 0:00 /usr/local/samba/sbin/samba | ||
+ | root 1632 0.0 2.4 587472 46564 ? Ss 10:56 0:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground | ||
+ | root 1633 0.0 1.7 538864 33880 ? S 10:56 0:00 /usr/local/samba/sbin/samba | ||
+ | root 1634 0.0 1.6 538864 32472 ? S 10:56 0:00 /usr/local/samba/sbin/samba | ||
+ | root 1635 0.0 1.8 545120 36128 ? S 10:56 0:00 /usr/local/samba/sbin/samba | ||
+ | root 1636 0.0 1.7 538864 33324 ? S 10:56 0:11 /usr/local/samba/sbin/samba | ||
+ | root 1637 0.0 1.7 541692 33180 ? S 10:56 0:00 /usr/local/samba/sbin/samba | ||
+ | root 1638 0.0 1.6 538864 31996 ? S 10:56 0:00 /usr/local/samba/sbin/samba | ||
+ | root 1639 0.0 2.1 539024 41976 ? S 10:56 0:04 /usr/local/samba/sbin/samba | ||
+ | root 1640 0.0 1.7 538864 33012 ? S 10:56 0:00 /usr/local/samba/sbin/samba | ||
+ | root 1641 0.0 1.8 541388 35248 ? S 10:56 0:00 /usr/local/samba/sbin/samba | ||
+ | root 1644 0.0 1.7 587996 32820 ? S 10:56 0:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground | ||
+ | Once you have verified samba has started without any errors you should add it to the startup | ||
+ | chkconfig samba on | ||
*samba version as well as samba client version can be checked using the following commands | *samba version as well as samba client version can be checked using the following commands | ||
/usr/local/samba/sbin/samba -V | /usr/local/samba/sbin/samba -V | ||
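Review bot: the krb5.conf copy in this hunk points at the wrong file: the provisioning output above says "A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf", but the command copies /usr/local/samba/share/setup/krb5.conf, which is the unfilled template that provisioning reads from, so /etc/krb5.conf would not end up with the `default_realm = AD1.DOMAIN.EDU` line the text says to expect. Change it to `cp /usr/local/samba/private/krb5.conf /etc/krb5.conf`. Also, `rm /etc/portreserve/slapd` removes a file owned by the openldap-servers package, which a later package update can put back; the Misc section at the bottom of the page notes exactly that recurrence, so mention it here as well.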
Line 76: | Line 217: | ||
==Configuring DNS== | ==Configuring DNS== | ||
− | *DNS forwarding was set up on the domain | + | *DNS forwarding was set up on the domain provisioning using the samba-tool script |
cat /usr/local/samba/etc/smb.conf | cat /usr/local/samba/etc/smb.conf | ||
*there should be a line under "[global]" that says "dns forwarder = ***.***.***.***", if not it was not enabled during domain provisioning | *there should be a line under "[global]" that says "dns forwarder = ***.***.***.***", if not it was not enabled during domain provisioning | ||
− | + | The server that samba was installed on should have itself as a DNS server(if using DNS forwarding, if not you must add in all the entires manually into your own DNS server, listed further below) | |
− | + | *Edit your network script to include itself as a DNS server | |
− | |||
− | |||
− | |||
− | |||
− | * | ||
vim /etc/sysconfig/network-scripts/ifcfg-eth0 | vim /etc/sysconfig/network-scripts/ifcfg-eth0 | ||
− | * | + | *Add in the line |
− | + | DNS1="127.0.0.1" | |
− | + | *Restart the network service so that the correct DNS is now used | |
− | DNS1=" | + | service network restart |
− | + | *Check to see server sees itself as a DNS server | |
− | + | cat /etc/resolv.conf | |
− | + | *There should be a line that says | |
− | + | nameserver 127.0.0.1 | |
− | + | *Test that the correct DNS entries are in your samba server and that you can resolve them(change "ad1.domain.edu" to the name of your domain and "dumbo" to your hostname) | |
− | + | host -t SRV _ldap._tcp.ad1.domain.edu | |
− | + | host -t SRV _kerberos._udp.ad1.domain.edu | |
− | + | host -t A dumbo.ad1.domain.edu | |
− | + | *Should return: | |
− | + | [root@dumbo var]# host -t SRV _ldap._tcp.ad1.domain.edu | |
− | * | + | _ldap._tcp.ad1.domain.edu has SRV record 0 100 389 dumbo.ad1.domain.edu. |
− | host -t SRV _ldap._tcp. | + | [root@dumbo var]# host -t SRV _kerberos._udp.ad1.domain.edu |
− | + | _kerberos._udp.ad1.domain.edu has SRV record 0 100 88 dumbo.ad1.domain.edu. | |
− | + | [root@dumbo var]# host -t A dumbo.ad1.domain.edu | |
− | _ldap._tcp. | + | dumbo.ad1.domain.edu has address 10.0.2.15 |
− | + | *If the test did not produce those outputs DNS has not been configured properly | |
− | host -t SRV _kerberos._udp. | + | *These are the entries required if you are going to do this manually in your DNS server, or script it, or use samba_dnsupdate script |
− | + | *you can see these values at /usr/local/samba/private/dns_update_list | |
− | _kerberos._udp. | + | cat /usr/local/samba/private/dns_update_list |
− | + | # this is a list of DNS entries which will be put into DNS using | |
− | host -t A | + | # dynamic DNS update. It is processed by the samba_dnsupdate script |
− | + | A ${HOSTNAME} $IP | |
− | + | AAAA ${HOSTNAME} $IP | |
− | * | + | |
+ | # RW domain controller | ||
+ | ${IF_RWDC}A ${DNSDOMAIN} $IP | ||
+ | ${IF_RWDC}AAAA ${DNSDOMAIN} $IP | ||
+ | ${IF_RWDC}SRV _ldap._tcp.${DNSDOMAIN} ${HOSTNAME} 389 | ||
+ | ${IF_RWDC}SRV _ldap._tcp.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389 | ||
+ | ${IF_RWDC}SRV _ldap._tcp.${DOMAINGUID}.domains._msdcs.${DNSFOREST} ${HOSTNAME} 389 | ||
+ | ${IF_RWDC}SRV _kerberos._tcp.${DNSDOMAIN} ${HOSTNAME} 88 | ||
+ | ${IF_RWDC}SRV _kerberos._udp.${DNSDOMAIN} ${HOSTNAME} 88 | ||
+ | ${IF_RWDC}SRV _kerberos._tcp.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 88 | ||
+ | ${IF_RWDC}SRV _kpasswd._tcp.${DNSDOMAIN} ${HOSTNAME} 464 | ||
+ | ${IF_RWDC}SRV _kpasswd._udp.${DNSDOMAIN} ${HOSTNAME} 464 | ||
+ | # RW and RO domain controller | ||
+ | ${IF_DC}CNAME ${NTDSGUID}._msdcs.${DNSFOREST} ${HOSTNAME} | ||
+ | ${IF_DC}SRV _ldap._tcp.${SITE}._sites.${DNSDOMAIN} ${HOSTNAME} 389 | ||
+ | ${IF_DC}SRV _ldap._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389 | ||
+ | ${IF_DC}SRV _kerberos._tcp.${SITE}._sites.${DNSDOMAIN} ${HOSTNAME} 88 | ||
+ | ${IF_DC}SRV _kerberos._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 88 | ||
+ | |||
+ | # The PDC emulator | ||
+ | ${IF_PDC}SRV _ldap._tcp.pdc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389 | ||
+ | |||
+ | # RW GC servers | ||
+ | ${IF_RWGC}A gc._msdcs.${DNSFOREST} $IP | ||
+ | ${IF_RWGC}AAAA gc._msdcs.${DNSFOREST} $IP | ||
+ | ${IF_RWGC}SRV _gc._tcp.${DNSFOREST} ${HOSTNAME} 3268 | ||
+ | ${IF_RWGC}SRV _ldap._tcp.gc._msdcs.${DNSFOREST} ${HOSTNAME} 3268 | ||
+ | # RW and RO GC servers | ||
+ | ${IF_GC}SRV _gc._tcp.${SITE}._sites.${DNSFOREST} ${HOSTNAME} 3268 | ||
+ | ${IF_GC}SRV _ldap._tcp.${SITE}._sites.gc._msdcs.${DNSFOREST} ${HOSTNAME} 3268 | ||
+ | |||
+ | # RW DNS servers | ||
+ | ${IF_RWDNS_DOMAIN}A DomainDnsZones.${DNSDOMAIN} $IP | ||
+ | ${IF_RWDNS_DOMAIN}AAAA DomainDnsZones.${DNSDOMAIN} $IP | ||
+ | ${IF_RWDNS_DOMAIN}SRV _ldap._tcp.DomainDnsZones.${DNSDOMAIN} ${HOSTNAME} 389 | ||
+ | # RW and RO DNS servers | ||
+ | ${IF_DNS_DOMAIN}SRV _ldap._tcp.${SITE}._sites.DomainDnsZones.${DNSDOMAIN} ${HOSTNAME} 389 | ||
+ | |||
+ | # RW DNS servers | ||
+ | ${IF_RWDNS_FOREST}A ForestDnsZones.${DNSFOREST} $IP | ||
+ | ${IF_RWDNS_FOREST}AAAA ForestDnsZones.${DNSFOREST} $IP | ||
+ | ${IF_RWDNS_FOREST}SRV _ldap._tcp.ForestDnsZones.${DNSFOREST} ${HOSTNAME} 389 | ||
+ | # RW and RO DNS servers | ||
+ | ${IF_DNS_FOREST}SRV _ldap._tcp.${SITE}._sites.ForestDnsZones.${DNSFOREST} ${HOSTNAME} 389 | ||
==Firewall== | ==Firewall== | ||
− | *settings: | + | Samba Ports needed here: |
+ | *https://wiki.samba.org/index.php/Samba_AD_DC_port_usage | ||
+ | *settings(old?): | ||
-A INPUT -p tcp --dport 53 -j ACCEPT | -A INPUT -p tcp --dport 53 -j ACCEPT | ||
-A INPUT -p udp --dport 53 -j ACCEPT | -A INPUT -p udp --dport 53 -j ACCEPT | ||
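Review bot: the `DNS1="127.0.0.1"` edit in this hunk can be undone by DHCP: the ifcfg-eth0 shown earlier on the page keeps `BOOTPROTO=dhcp` and `NM_CONTROLLED=yes`, and on CentOS 6 a DHCP lease rewrites /etc/resolv.conf with the nameservers the lease hands out unless the interface file also sets `PEERDNS=no`. Add that line next to DNS1 (or use the static-address configuration the page links) so the `cat /etc/resolv.conf` check still shows `nameserver 127.0.0.1` after the next lease renewal. The dns_update_list dump is informative, but for the "do this manually" path the reader also needs the ${DOMAINGUID} and ${NTDSGUID} values, which are not on the page; `samba_dnsupdate --verbose` prints the fully expanded records it would register and is the simplest way to get the exact list for a given DC.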
Line 159: | Line 340: | ||
==NTP== | ==NTP== | ||
− | * | + | *Check this guide for installing and debugging NTP for domain joined machines: |
+ | **http://wiki.eri.ucsb.edu/stadm/Samba4_NTP | ||
+ | *Quick setup | ||
yum install ntp | yum install ntp | ||
− | * | + | chown root:ntp /usr/local/samba/var/lib/ntp_signd/ |
− | /etc/ | + | chmod 750 /usr/local/samba/var/lib/ntp_signd |
− | *add | + | *Edit |
+ | vim /etc/ntp.conf | ||
+ | *add | ||
+ | restrict default mssntp kod nomodify notrap nopeer noquery | ||
+ | ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/ | ||
+ | *add to startup and start | ||
+ | systemctl enable ntpd | ||
+ | systemctl start ntp | ||
+ | *or(Centos 6/SysVinit) | ||
chkconfig ntpd on | chkconfig ntpd on | ||
+ | service ntpd start | ||
+ | |||
=Windows Domain= | =Windows Domain= | ||
==Add Windows computer to domain== | ==Add Windows computer to domain== | ||
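Review bot: the two systemd lines in this hunk match neither each other nor the platform: `systemctl enable ntpd` is followed by `systemctl start ntp`, so the unit started is not the one enabled (the service is `ntpd` in both), and systemctl does not exist on the CentOS 6.5 this page is written for; only the `chkconfig ntpd on` / `service ntpd start` pair below applies there. The `chown root:ntp` and `chmod 750` on the ntp_signd directory are the right restriction, since that socket is what lets ntpd sign time replies for domain members; keep it from being loosened later.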
Line 176: | Line 369: | ||
*run the date command in your server | *run the date command in your server | ||
date | date | ||
− | *Change the date and time on Windows Computer so that it is within a few seconds of the server, Kerberos requires the times between computers be no more than a few | + | *Change the date and time on Windows Computer so that it is within a few seconds of the server, Kerberos requires the times between computers be no more than a few minutes apart |
*Right click on "My Computer" and click "Properties" | *Right click on "My Computer" and click "Properties" | ||
*Under "Computer name, domain, and workgroup settings" click change settings | *Under "Computer name, domain, and workgroup settings" click change settings | ||
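Review bot: setting the Windows clock by hand against `date` is a one-time fix; once the client drifts past Kerberos' default five-minute tolerance the join (and later logons) will fail again. Since the NTP section above configures signed time on the DC, point the client at that server so the two clocks stay within tolerance without manual edits.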
Line 186: | Line 379: | ||
==Adding Profile path to Samba== | ==Adding Profile path to Samba== | ||
+ | *Samba wiki's: | ||
+ | **https://wiki.samba.org/index.php/User_home_drives | ||
+ | **https://wiki.samba.org/index.php/Shares_with_Windows_ACLs | ||
+ | |||
*make a folder where the profiles will be stored | *make a folder where the profiles will be stored | ||
− | mkdir /usr/local/ | + | mkdir /usr/local/domain |
*Add the following to smb.conf to inlcude that location | *Add the following to smb.conf to inlcude that location | ||
− | vim /usr/local/samba/ | + | vim /usr/local/samba/etc/smb.conf |
− | + | *insert the follwing | |
[profiles] | [profiles] | ||
− | path = /usr/local/ | + | path = /usr/local/domain |
read only = No | read only = No | ||
+ | hide files = /desktop.ini/$RECYCLE.BIN/ | ||
*restart samba | *restart samba | ||
/usr/local/samba/bin/smbcontrol all reload-config | /usr/local/samba/bin/smbcontrol all reload-config | ||
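Review bot: `mkdir /usr/local/domain` in this hunk leaves a root-owned directory with the default mode, and the share is exported with `read only = No` and no `valid users`, so whether domain users can create their profile directories depends entirely on the filesystem ownership and ACLs set in the next section (Change Security on Profiles folder), which this page defers to two links. State that ordering here. Also, `smbcontrol all reload-config` reloads smb.conf rather than restarting Samba; that is the milder operation and is fine for adding a share, so the bullet should say "reload".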
Line 200: | Line 398: | ||
==Change Security on Profiles folder== | ==Change Security on Profiles folder== | ||
− | + | Follow: | |
− | * | + | *https://wiki.samba.org/index.php/Shares_with_Windows_ACLs |
− | * | + | *https://wiki.samba.org/index.php/User_home_drives |
− | + | ||
− | |||
==Install RSAT== | ==Install RSAT== | ||
*Download Remote Server Administration Tool from the microsoft website, http://www.microsoft.com/en-us/download/details.aspx?id=7887 | *Download Remote Server Administration Tool from the microsoft website, http://www.microsoft.com/en-us/download/details.aspx?id=7887 | ||
Line 213: | Line 410: | ||
*From a windows computer with RSAT installed run: dsa.msc | *From a windows computer with RSAT installed run: dsa.msc | ||
*create a new user and edit its properties to include a profile path of "\\servername\profiles\%USERNAME%" | *create a new user and edit its properties to include a profile path of "\\servername\profiles\%USERNAME%" | ||
− | *then run: gpupdate | + | *then run: gpupdate /force |
+ | *Login with new user on domain and roaming profile will be created under /usr/local/samba/var/profiles on the server | ||
+ | *If you're having Group Policy Issues you can view what has been applied by gpresult | ||
+ | *From windows command line run: | ||
+ | gpresult /H filename.html | ||
+ | *or if you only want Computer Configuration(must be run as an administrator) | ||
+ | gpresult /SCOPE COMPUTER /H filename.html | ||
*Login with new user on domain and roaming profile will be created under /usr/local/samba/var/profiles on the server | *Login with new user on domain and roaming profile will be created under /usr/local/samba/var/profiles on the server | ||
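Review bot: the profile location in this hunk contradicts the share defined earlier: the bullet says roaming profiles land under /usr/local/samba/var/profiles, but the [profiles] share added in "Adding Profile path to Samba" has `path = /usr/local/domain`, so that is where they will appear. The same "Login with new user" bullet also appears twice, once as the added line and once as the unchanged line right after it; drop one. `gpresult /H filename.html` is the right tool for checking what applied; the report lists every GPO and security setting for the account, so treat the generated file as sensitive rather than leaving it on a shared location.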
Line 285: | Line 488: | ||
file://mydomain.edu | file://mydomain.edu | ||
*click, close, OK, OK, and Apply | *click, close, OK, OK, and Apply | ||
+ | *Configuring Automatic Resolution Policy(when sync conflicts rise keep the last modified file) | ||
+ | *Navigate to Computer Configuration => Preferences => Windows Settings => Registry | ||
+ | *create a new registry item | ||
+ | *add: Software\Microsoft\Windows\CurrentVersion\NetCache\SyncConflictHandling :to the key path | ||
+ | *in the UNC path add the share you want to Auto resolve conflicts with, \\DOMAIN\users | ||
+ | *set Value Data to 4 | ||
+ | **0-7: | ||
+ | ***1:Keep the local state. This overwrites the remote copy with the local copy's contents. If the local copy was deleted, this deletes the remote copy on the server. | ||
+ | ***2:Keep the remote state. This overwrites the local copy with the remote copy's contents. If the remote copy was deleted, this deletes the local copy in the Offline Files cache. | ||
+ | ***4:Retains the state of the latest operation as determined by last-change times of the items in conflict. If the local item was deleted, the time of deletion is used for comparison. | ||
+ | *save and apply | ||
==Map a Network Drive with GPO== | ==Map a Network Drive with GPO== | ||
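Review bot: the registry preference in this hunk omits the value type: SyncConflictHandling is a REG_DWORD, and the Group Policy Preferences registry item needs that type selected along with the Value Data of 4, otherwise the item is written as a string and ignored. The meanings list is introduced as "0-7" but only 1, 2 and 4 are described; either list the remaining values or say that only these three matter, since an unexplained range invites readers to try the others.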
Line 293: | Line 507: | ||
Reconnect:Checked | Reconnect:Checked | ||
Use:"*" (pick any drive letter) | Use:"*" (pick any drive letter) | ||
− | Hide/Show this drive: | + | Hide/Show this drive:Show this Drive |
Hide/Show all drives:No Change | Hide/Show all drives:No Change | ||
*click Okay | *click Okay | ||
*samba must be restarted for GPO to take effect | *samba must be restarted for GPO to take effect | ||
*make sure all the right ports are open on your firewall or mapped drive may not connect, tcp 137, udp 137 etc.. | *make sure all the right ports are open on your firewall or mapped drive may not connect, tcp 137, udp 137 etc.. | ||
− | ==Windows Update GPO== | + | |
+ | ==Windows Update GPO/WSUS== | ||
*Download ADM files from Microsoft, http://www.microsoft.com/en-us/download/details.aspx?id=18664 | *Download ADM files from Microsoft, http://www.microsoft.com/en-us/download/details.aspx?id=18664 | ||
*Install when asked, navigate to where it installed the ADM files. Usually C:\Program Files(x86)\Microsoft Group Policy\Windows Server...\... | *Install when asked, navigate to where it installed the ADM files. Usually C:\Program Files(x86)\Microsoft Group Policy\Windows Server...\... | ||
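Review bot: the firewall hint in this hunk, "tcp 137, udp 137 etc..", names the wrong port for the mapped drive: NetBIOS name service is UDP 137 only, while the SMB session a mapped drive uses runs over TCP 445 (or TCP 139 for NetBIOS-over-TCP). Replace the "etc.." with a pointer to the Samba_AD_DC_port_usage page already linked in the Firewall section, so the rule set is complete rather than guessed.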
Line 306: | Line 521: | ||
*still testing, enable the following | *still testing, enable the following | ||
Configure Automatic Updates: Enabled: Auto Download and Schedule Install: Every Day: 17:00 | Configure Automatic Updates: Enabled: Auto Download and Schedule Install: Every Day: 17:00 | ||
+ | Specify intranet Microsoft update service location: Enabled: http://servername:port, http://servername:port | ||
+ | Automatic Updates Detection Frequency: enabled 12 hours | ||
+ | Allow non administrators to receive update notifications : enabled | ||
Allow Automatic Updates immediate installation: Enabled | Allow Automatic Updates immediate installation: Enabled | ||
No auto-restart with logged on user for scheduled automatic updates installations: Enabled | No auto-restart with logged on user for scheduled automatic updates installations: Enabled | ||
Reschedule Automatic Updates scheduled installations: Enabled: 10 minutes | Reschedule Automatic Updates scheduled installations: Enabled: 10 minutes | ||
− | + | Enable clients-de targeting: Enabled or Disabled, can be used to organize wsus better | |
− | + | Allow signed updates from an intranet Microsoft update service location: enabled | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
==ACL== | ==ACL== | ||
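Review bot: "Allow signed updates from an intranet Microsoft update service location: enabled" in this hunk widens what clients will install: with it on, the WSUS server can push updates signed by any certificate in the client's Trusted Publishers store, not only Microsoft's. Enable it only if locally signed third-party packages are actually published from this WSUS, and say so on the line. Smaller points: "Enable clients-de targeting" should read "Enable client-side targeting", and the `http://servername:port` values under "Specify intranet Microsoft update service location" should be marked as placeholders for the WSUS URL (both fields normally carry the same value).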
Line 354: | Line 542: | ||
setfacl -m "g:groupname:permissions" folder | setfacl -m "g:groupname:permissions" folder | ||
*https://wiki.archlinux.org/index.php/Access_Control_Lists | *https://wiki.archlinux.org/index.php/Access_Control_Lists | ||
+ | *get and set acls(x is location you want acls from, y is location you want acls to) | ||
+ | getfacl x | setfacl -R –-set-file=- y | ||
+ | |||
+ | ==Misc== | ||
+ | *after a yum update portreserve may have been updated and interferes with samba | ||
+ | *holds a lock on port 636 for slapd, samba provides an ldap service on 636 so slapd cannot hold it | ||
+ | *go to /etc/portreserve and remove the slapd file, restart server, portreserve will not hold lock in 636 anymore and samba can use it | ||
+ | cd /etc/portreserve | ||
+ | rm slapd | ||
+ | *deleting regedit user profile | ||
+ | http://social.technet.microsoft.com/wiki/contents/articles/13895.how-to-remove-a-corrupted-user-profile-from-the-registry.aspx | ||
+ | *Network level Authentication GPO | ||
+ | http://trekker.net/archives/group-policy-quick-tip-enable-remote-desktop-network-level-authentication/ | ||
==ID Mapping/Group Mapping== | ==ID Mapping/Group Mapping== | ||
*https://wiki.samba.org/index.php/Adding_users_with_samba_tool | *https://wiki.samba.org/index.php/Adding_users_with_samba_tool | ||
*http://linuxcostablanca.blogspot.com/2012/02/samba-4-posix-domain-user.html | *http://linuxcostablanca.blogspot.com/2012/02/samba-4-posix-domain-user.html | ||
+ | ==Extending Schema for UIDs== | ||
+ | *https://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC | ||
+ | *https://wiki.samba.org/index.php/Samba_AD_Schema_Extenstions | ||
==save== | ==save== | ||
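Review bot: the ACL copy command in this hunk, `getfacl x | setfacl -R –-set-file=- y`, has an en dash where the first hyphen of `--set-file` belongs, so setfacl will reject the option; it should read `getfacl x | setfacl -R --set-file=- y`. The portreserve bullets repeat the fix already given in "Creating Samba Service"; since this copy adds the useful detail that a yum update can reintroduce the problem, merge the two into one place and keep the recurrence note.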
Line 374: | Line 578: | ||
*http://wiki.samba.org/index.php/Samba_%26_Windows_Profiles | *http://wiki.samba.org/index.php/Samba_%26_Windows_Profiles | ||
*http://clintboessen.blogspot.com/2012/08/open-file-security-warning.html | *http://clintboessen.blogspot.com/2012/08/open-file-security-warning.html | ||
+ | *http://stealthpuppy.com/configuring-an-automatic-resolution-policy-for-offline-files-in-windows-7/ | ||
+ | *http://support.microsoft.com/kb/2189014 | ||
+ | *https://www.samba.org/samba/docs/using_samba/ch07.html | ||
+ | *https://www.samba.org/samba/docs/using_samba/ch08.html |
Latest revision as of 11:46, 19 April 2016
Purpose
The purpose of this wiki page is to document the steps needed to set up or recreate an Active Directory (AD) environment using Samba 4. Not all features of a Windows Server AD are incorporated into Samba 4 (DFS among others); I will try to document what you can and cannot accomplish at the moment with Samba 4. At the time of writing/editing the current version of Samba 4 being used is: 4.1.12
Current operating system Samba 4 is run on: CentOS 6.5
I will try to make this page as simple as possible to recreate using the same environment; however, if you are confused or have no idea where to begin, I recommend heading over to the Samba Wiki pages and reading their How-Tos and documentation:
- https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
- https://wiki.samba.org/index.php/User_Documentation
If you are still confused about anything, I would recommend googling it; all of this I have found on the internet from different resources and will try to incorporate them into this wiki. For a complete list of all the references I found extremely useful, see the bottom of this page.
Samba 4 Active Directory Domain Controller
Install CentOS
Do a minimal install of CentOS 6.5; at the time of writing it can be downloaded here:
If you prefer to use a GUI or a full install, check out the CentOS mirrors list:
I would not recommend using CentOS 7, as the install procedure, startup services and packages are a bit different. That being said, it is entirely possible to get Samba 4 working on CentOS 7; if I have time and am upgrading I may come back and add the changes CentOS 7 requires.
- See here for CentOS 7: http://wiki.eri.ucsb.edu/stadm/AD_Samba4_Centos_7
Samba 4 Requirements
Here are the OS Requirements as listed by the Samba Team:
Basically, for a working Active Directory on a CentOS install, your system must support extended file attributes (xattrs) on the filesystem Samba uses.
Here are the packages I needed to install to build Samba 4. Note that not all of these packages are required and you are free to use the minimal list provided in the Samba Wiki; I have been trying to weed out the packages that are not needed and will update this as I find extras, but since this is how a working setup was accomplished (with extra features not needed just to compile a basic Samba 4 server) I will leave it up for now:
yum install gcc libacl-devel libblkid-devel gnutls-devel \
  readline-devel python-devel gdb pkgconfig krb5-workstation \
  zlib-devel setroubleshoot-server libaio-devel \
  setroubleshoot-plugins policycoreutils-python \
  libsemanage-python setools-libs-python setools-libs \
  popt-devel libpcap-devel sqlite-devel libidn-devel \
  libxml2-devel libacl-devel libsepol-devel libattr-devel \
  keyutils-libs-devel cyrus-sasl-devel cups-devel bind-utils \
  glibc glibc-devel gcc libacl-devel krb5-server krb5-workstation krb5-libs pam_krb5 make gnutls-devel \
  openldap-devel openldap-clients openldap-servers openldap-servers-sql \
  openssl-devel bind bind-libs bind-utils libblkid-devel readline-devel gdb python-devel cups sqlite-devel \
  setroubleshoot-server popt-devel libxml2-devel libpcap-devel libidn-devel cups-devel ctdb-devel pam-devel gnutls-devel \
  krb5-server-ldap nss-pam-ldapd pam_ldap openssh-ldap python-ldap docbook-style-xsl vim wget
- Note: if not installing vim (why wouldn't you in the first place?) make sure to install perl (a dependency of vim); ./configure below will fail without perl
- Here is a more minimal list to compile with AD support
yum install perl gcc libacl-devel libblkid-devel gnutls-devel \
  readline-devel python-devel gdb pkgconfig krb5-workstation \
  zlib-devel setroubleshoot-server libaio-devel \
  setroubleshoot-plugins policycoreutils-python \
  libsemanage-python setools-libs-python setools-libs \
  popt-devel libpcap-devel sqlite-devel libidn-devel \
  libxml2-devel libacl-devel libsepol-devel libattr-devel \
  keyutils-libs-devel cyrus-sasl-devel cups-devel bind-utils \
  libxslt docbook-style-xsl openldap-devel pam-devel
Once CentOS is installed, give it a hostname as well as a static IP address; this can be done through DHCP (a reservation) or by manually editing the CentOS network scripts
vim /etc/sysconfig/network
- Edit "HOSTNAME=***" to say "HOSTNAME=samba" or whatever you want to name the server
- Manually edit or add the network script if it is not there
cd /etc/sysconfig/network-scripts/
vim ifcfg-eth0
- Make sure these options are included
DEVICE=eth0
HWADDR=**:**:**:**:**:**
TYPE=ETHERNET
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=dhcp
- For a static IP Address, go look at an example here: https://gist.github.com/fernandoaleman/2172388 (or just google how to give centos a static ip)
- Restart the network service
service network restart
For the purpose of saving time I have set up CentOS with SELinux disabled. Check that this is allowed by your organization/company before disabling SELinux (it could be potentially dangerous depending on your network setup). Google "Samba 4 selinux" or visit the Samba Wiki here: https://wiki.samba.org/index.php/Samba_AD_DC_access_control_settings . If time allows I may come back and try to incorporate SELinux into this wiki.
- To disable selinux
vim /etc/sysconfig/selinux
- Change "SELINUX=enforcing" to "SELINUX=disabled"
- Restart the computer
shutdown -r now
Installing Samba
Decide which version of Samba 4 you would like to use; if you're demoing or a developer, consider using the newer development version. Note: it may have bugs and is not suitable for a production environment.
- For developers:
- install git
yum install git-core
git clone git://git.samba.org/samba.git ~/samba-master
- For stable Samba version visit: http://www.samba.org/
- or(as of 09-26-14):
wget http://www.samba.org/samba/ftp/stable/samba-4.1.12.tar.gz
- Extract the archive if not done so already
tar -zxvf samba-4.1.12.tar.gz
- Build the samba install, replace samba-master with samba-[Version#]
cd ~/samba-master
./configure --enable-debug --enable-selftest
- If it completes successfully, make sure it is Building with Active Directory support, if not you may have forgotten a few packages
- Finally compile and then install
make
make install
Creating Samba Service
Samba does not come with a service script; however, it is easy to copy the script of a service that is already implemented. We will use rdisc and modify it for starting and stopping samba.
cd /etc/init.d
cp rdisc samba
vim samba
:%s/rdisc/samba/g
:wq
- Change the daemon location from /sbin/samba to /usr/local/samba/sbin/samba, as well as the killproc location
- Delete the RDISCOPT variable and remove its use from the daemon command
- Change what gets echoed to the screen
Or, after reviewing it to make sure it works with your system, you can download the script here: https://github.com/t-ali/samba4_scripts/blob/master/samba
Move the file samba to /etc/init.d/
- Portreserve gets installed as a dependency. There is nothing wrong with it, but it reserves port 636 for slapd, and port 636 is required by the samba LDAP service. To get around this, remove the file portreserve uses for slapd
rm /etc/portreserve/slapd
- You may have to restart your server to get portreserve to release port 636
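For readers who would rather see the finished article than edit rdisc line by line, here is an added example of what such a service script looks like written from scratch. It is not the page's script nor the one from the GitHub link above, and it deliberately avoids /etc/init.d/functions so that it can be read and exercised on its own. It assumes the pid file a --prefix=/usr/local/samba build writes to /usr/local/samba/var/run/samba.pid, and it uses ss (from iproute) to warn when tcp/636 is already held, which is exactly the portreserve problem described above. The status function returns the LSB codes that service and chkconfig expect (0 running, 1 dead but pid file exists, 3 stopped).

```shell
#!/bin/sh
# samba   Start/stop the Samba 4 AD domain controller built under /usr/local/samba
#
# chkconfig: 345 80 20
# description: Samba 4 Active Directory domain controller
#
# Added example, not the page's rdisc-derived script.

SAMBA=/usr/local/samba/sbin/samba
# Assumption: a --prefix=/usr/local/samba build writes its pid file here.
PIDFILE=${SAMBA_PIDFILE:-/usr/local/samba/var/run/samba.pid}

# Print the pid from PIDFILE if that process is alive.
# Exit status follows the LSB status codes: 0 running, 1 stale pid file, 3 stopped.
samba_pid() {
    [ -r "$PIDFILE" ] || return 3
    pid=$(cat "$PIDFILE")
    kill -0 "$pid" 2>/dev/null || return 1
    echo "$pid"
}

# Samba's own LDAPS listener needs tcp/636; warn if something (portreserve's
# slapd entry, or a real slapd) already holds it. Uses ss from iproute.
check_ldaps_port() {
    if ss -ltn 2>/dev/null | grep -q ':636 '; then
        echo "warning: tcp/636 is already bound; samba's LDAPS listener will fail" >&2
        return 1
    fi
    return 0
}

samba_status() {
    pid=$(samba_pid); rc=$?
    case $rc in
        0) echo "samba (pid $pid) is running" ;;
        1) echo "samba is dead but $PIDFILE exists" ;;
        *) echo "samba is stopped" ;;
    esac
    return $rc
}

samba_start() {
    if samba_pid >/dev/null; then
        echo "samba is already running"
        return 0
    fi
    check_ldaps_port || true      # warn only; samba reports the bind error itself
    printf 'Starting samba: '
    if "$SAMBA" -D; then echo OK; else echo FAILED; return 1; fi
}

samba_stop() {
    if ! pid=$(samba_pid); then
        echo "samba is not running"
        rm -f "$PIDFILE"           # clear a stale pid file if one was left behind
        return 0
    fi
    printf 'Stopping samba: '
    kill -TERM "$pid"
    # the samba parent tears down its child processes; give it up to 30 seconds
    i=0
    while kill -0 "$pid" 2>/dev/null && [ "$i" -lt 30 ]; do
        sleep 1; i=$((i + 1))
    done
    if kill -0 "$pid" 2>/dev/null; then
        echo "FAILED (pid $pid still running)"
        return 1
    fi
    rm -f "$PIDFILE"
    echo OK
}

# Dispatch on the action that service/chkconfig pass in. With no argument the
# script only defines its functions, so it can be sourced for testing.
case "${1:-}" in
    start)   samba_start ;;
    stop)    samba_stop ;;
    restart) samba_stop; samba_start ;;
    status)  samba_status ;;
    "")      ;;
    *)       echo "Usage: $0 {start|stop|restart|status}" >&2; exit 2 ;;
esac
```

Install it as /etc/init.d/samba, make it executable, and `chkconfig samba on` picks up the priorities from the chkconfig header. The stale-pid-file case matters after an unclean shutdown: `service samba start` would otherwise refuse to start because a pid file exists, so the stop path clears it.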
Enabling Samba 4 as DC
- Add samba path to $PATH, this only works for bash
echo 'export PATH=$PATH:/usr/local/samba/bin' >> ~/.bashrc
echo 'export PATH=$PATH:/usr/local/samba/sbin' >> ~/.bashrc
- Run the command
/usr/local/samba/bin/samba-tool domain provision
- the provisioning tool picks sensible defaults automatically, but they can be changed to your liking
- it is your choice what kind of DNS you would like to use: you can configure your own BIND DNS server and manage the domain zone yourself (not covered here), or you can let Samba 4 serve the Windows DNS entries and forward everything else to your DNS server (Samba 4 acts as a DNS forwarder). Feel free to use your own DNS server as the forwarder; for the sake of testing I am just putting in Google's public DNS address 8.8.8.8
[root@dumbo var]# /usr/local/samba/bin/samba-tool domain provision
Realm: AD1.domain.edu
Domain [AD1]:
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
DNS forwarder IP address (write 'none' to disable forwarding) [8.8.8.8]:
Administrator password:
Retype password:
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=ad1,DC=domain,DC=edu
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=ad1,DC=domain,DC=edu
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role:           active directory domain controller
Hostname:              dumbo
NetBIOS Domain:        AD1
DNS Domain:            ad1.domain.edu
DOMAIN SID:            S-1-5-21-3942629588-2438417362-1542489463
After provisioning, a Kerberos configuration usable with samba has been generated; make a backup of the current Kerberos configuration and copy the generated file to /etc/krb5.conf
mv /etc/krb5.conf /etc/krb5.conf.bak
cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf
- your krb5.conf file should look like
[libdefaults]
    default_realm = AD1.DOMAIN.EDU
    dns_lookup_realm = false
    dns_lookup_kdc = true
Now we can finally start the samba service. If you tried starting it earlier it most likely failed to start; you can check the status with:
service samba status
Now that we have everything in place start the samba service:
service samba start
There are a couple of ways to make sure samba is up and running. First, check the log files located at
cd /usr/local/samba/var/
tail log.samba
tail log.smbd
Usually any errors appear at the end of log.smbd, telling you that smbd did not start; a working output looks like
[2014/09/26 16:32:48, 0] ../source3/smbd/server.c:1189(main)
  smbd version 4.1.12 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2013
[2014/09/26 16:32:49.031941, 0] ../lib/util/become_daemon.c:136(daemon_ready)
And one more way just to check for the paranoid:
ps aux | grep -v grep | grep samba
Output should spit out a bunch of running processes
[root@dumbo var]# ps aux | grep -v grep | grep samba
root  1626  0.0  2.3 538864 44768 ?  Ss  10:56  0:00 /usr/local/samba/sbin/samba
root  1628  0.0  1.6 538864 31916 ?  S   10:56  0:00 /usr/local/samba/sbin/samba
root  1629  0.0  1.6 538864 32676 ?  S   10:56  0:00 /usr/local/samba/sbin/samba
root  1630  0.0  1.7 538864 33544 ?  S   10:56  0:00 /usr/local/samba/sbin/samba
root  1631  0.0  1.6 538864 31884 ?  S   10:56  0:00 /usr/local/samba/sbin/samba
root  1632  0.0  2.4 587472 46564 ?  Ss  10:56  0:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
root  1633  0.0  1.7 538864 33880 ?  S   10:56  0:00 /usr/local/samba/sbin/samba
root  1634  0.0  1.6 538864 32472 ?  S   10:56  0:00 /usr/local/samba/sbin/samba
root  1635  0.0  1.8 545120 36128 ?  S   10:56  0:00 /usr/local/samba/sbin/samba
root  1636  0.0  1.7 538864 33324 ?  S   10:56  0:11 /usr/local/samba/sbin/samba
root  1637  0.0  1.7 541692 33180 ?  S   10:56  0:00 /usr/local/samba/sbin/samba
root  1638  0.0  1.6 538864 31996 ?  S   10:56  0:00 /usr/local/samba/sbin/samba
root  1639  0.0  2.1 539024 41976 ?  S   10:56  0:04 /usr/local/samba/sbin/samba
root  1640  0.0  1.7 538864 33012 ?  S   10:56  0:00 /usr/local/samba/sbin/samba
root  1641  0.0  1.8 541388 35248 ?  S   10:56  0:00 /usr/local/samba/sbin/samba
root  1644  0.0  1.7 587996 32820 ?  S   10:56  0:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
Once you have verified samba has started without any errors you should add it to the startup
chkconfig samba on
- samba version as well as samba client version can be checked using the following commands
/usr/local/samba/sbin/samba -V
/usr/local/samba/bin/smbclient --version
Configuring DNS
- DNS forwarding was set up on the domain provisioning using the samba-tool script
cat /usr/local/samba/etc/smb.conf
- there should be a line under "[global]" that says "dns forwarder = ***.***.***.***", if not it was not enabled during domain provisioning
The server that samba was installed on should have itself as its DNS server (if using DNS forwarding; if not, you must add all the entries listed further below manually into your own DNS server)
- Edit your network script to include itself as a DNS server
vim /etc/sysconfig/network-scripts/ifcfg-eth0
- Add in the line
DNS1="127.0.0.1"
- Restart the network service so that the correct DNS is now used
service network restart
- Check to see server sees itself as a DNS server
cat /etc/resolv.conf
- There should be a line that says
nameserver 127.0.0.1
- Test that the correct DNS entries are in your samba server and that you can resolve them(change "ad1.domain.edu" to the name of your domain and "dumbo" to your hostname)
host -t SRV _ldap._tcp.ad1.domain.edu
host -t SRV _kerberos._udp.ad1.domain.edu
host -t A dumbo.ad1.domain.edu
- Should return:
[root@dumbo var]# host -t SRV _ldap._tcp.ad1.domain.edu
_ldap._tcp.ad1.domain.edu has SRV record 0 100 389 dumbo.ad1.domain.edu.
[root@dumbo var]# host -t SRV _kerberos._udp.ad1.domain.edu
_kerberos._udp.ad1.domain.edu has SRV record 0 100 88 dumbo.ad1.domain.edu.
[root@dumbo var]# host -t A dumbo.ad1.domain.edu
dumbo.ad1.domain.edu has address 10.0.2.15
- If the test did not produce those outputs DNS has not been configured properly
- These are the entries required if you are going to add them to your own DNS server manually, script it, or use the samba_dnsupdate script
- you can see these values in /usr/local/samba/private/dns_update_list
cat /usr/local/samba/private/dns_update_list
# this is a list of DNS entries which will be put into DNS using
# dynamic DNS update. It is processed by the samba_dnsupdate script
A ${HOSTNAME} $IP
AAAA ${HOSTNAME} $IP
# RW domain controller
${IF_RWDC}A ${DNSDOMAIN} $IP
${IF_RWDC}AAAA ${DNSDOMAIN} $IP
${IF_RWDC}SRV _ldap._tcp.${DNSDOMAIN} ${HOSTNAME} 389
${IF_RWDC}SRV _ldap._tcp.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
${IF_RWDC}SRV _ldap._tcp.${DOMAINGUID}.domains._msdcs.${DNSFOREST} ${HOSTNAME} 389
${IF_RWDC}SRV _kerberos._tcp.${DNSDOMAIN} ${HOSTNAME} 88
${IF_RWDC}SRV _kerberos._udp.${DNSDOMAIN} ${HOSTNAME} 88
${IF_RWDC}SRV _kerberos._tcp.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 88
${IF_RWDC}SRV _kpasswd._tcp.${DNSDOMAIN} ${HOSTNAME} 464
${IF_RWDC}SRV _kpasswd._udp.${DNSDOMAIN} ${HOSTNAME} 464
# RW and RO domain controller
${IF_DC}CNAME ${NTDSGUID}._msdcs.${DNSFOREST} ${HOSTNAME}
${IF_DC}SRV _ldap._tcp.${SITE}._sites.${DNSDOMAIN} ${HOSTNAME} 389
${IF_DC}SRV _ldap._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
${IF_DC}SRV _kerberos._tcp.${SITE}._sites.${DNSDOMAIN} ${HOSTNAME} 88
${IF_DC}SRV _kerberos._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 88
# The PDC emulator
${IF_PDC}SRV _ldap._tcp.pdc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
# RW GC servers
${IF_RWGC}A gc._msdcs.${DNSFOREST} $IP
${IF_RWGC}AAAA gc._msdcs.${DNSFOREST} $IP
${IF_RWGC}SRV _gc._tcp.${DNSFOREST} ${HOSTNAME} 3268
${IF_RWGC}SRV _ldap._tcp.gc._msdcs.${DNSFOREST} ${HOSTNAME} 3268
# RW and RO GC servers
${IF_GC}SRV _gc._tcp.${SITE}._sites.${DNSFOREST} ${HOSTNAME} 3268
${IF_GC}SRV _ldap._tcp.${SITE}._sites.gc._msdcs.${DNSFOREST} ${HOSTNAME} 3268
# RW DNS servers
${IF_RWDNS_DOMAIN}A DomainDnsZones.${DNSDOMAIN} $IP
${IF_RWDNS_DOMAIN}AAAA DomainDnsZones.${DNSDOMAIN} $IP
${IF_RWDNS_DOMAIN}SRV _ldap._tcp.DomainDnsZones.${DNSDOMAIN} ${HOSTNAME} 389
# RW and RO DNS servers
${IF_DNS_DOMAIN}SRV _ldap._tcp.${SITE}._sites.DomainDnsZones.${DNSDOMAIN} ${HOSTNAME} 389
# RW DNS servers
${IF_RWDNS_FOREST}A ForestDnsZones.${DNSFOREST} $IP
${IF_RWDNS_FOREST}AAAA ForestDnsZones.${DNSFOREST} $IP
${IF_RWDNS_FOREST}SRV _ldap._tcp.ForestDnsZones.${DNSFOREST} ${HOSTNAME} 389
# RW and RO DNS servers
${IF_DNS_FOREST}SRV _ldap._tcp.${SITE}._sites.ForestDnsZones.${DNSFOREST} ${HOSTNAME} 389
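As an added example (not part of this page and not samba_dnsupdate itself), here is a small script that expands a constructed subset of that template for one DC and then checks `host -t SRV` answers against the expected target and port, the same test the section above does by hand with three commands. The hostname, domain and IP are the ones from the provisioning output above; the site name Default-First-Site-Name is an assumed default. It also assumes the template's convention that an ${IF_*} flag expands to nothing when the role applies to this DC and to '#' otherwise, which turns the line into a comment.

```shell
#!/bin/sh
# Added example: expand a dns_update_list-style template for one DC and
# verify `host -t SRV` answers against it. SAMPLE_LIST is a constructed
# subset of the template format shown on the page.

SAMPLE_LIST='A ${HOSTNAME} $IP
# RW domain controller
${IF_RWDC}A ${DNSDOMAIN} $IP
${IF_RWDC}SRV _ldap._tcp.${DNSDOMAIN} ${HOSTNAME} 389
${IF_RWDC}SRV _kerberos._udp.${DNSDOMAIN} ${HOSTNAME} 88
${IF_RWDC}SRV _kpasswd._tcp.${DNSDOMAIN} ${HOSTNAME} 464
# RW and RO domain controller
${IF_DC}SRV _ldap._tcp.${SITE}._sites.${DNSDOMAIN} ${HOSTNAME} 389
# The PDC emulator
${IF_PDC}SRV _ldap._tcp.pdc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
# RW GC servers
${IF_RWGC}SRV _gc._tcp.${DNSFOREST} ${HOSTNAME} 3268'

# expand_dns_list FQDN IP DNSDOMAIN DNSFOREST SITE "ROLES"
# ROLES names the ${IF_*} flags that apply to this DC (RWDC DC PDC RWGC).
# Assumption: a flag expands to nothing when the role applies, '#' otherwise.
expand_dns_list() {
    host_=$1; ip=$2; dom=$3; forest=$4; site=$5; roles=$6
    rwdc='#'; dc='#'; pdc='#'; rwgc='#'
    for r in $roles; do
        case $r in
            RWDC) rwdc= ;;
            DC)   dc= ;;
            PDC)  pdc= ;;
            RWGC) rwgc= ;;
        esac
    done
    printf '%s\n' "$SAMPLE_LIST" |
        sed -e 's/\${IF_RWDC}/'"$rwdc"'/'     -e 's/\${IF_DC}/'"$dc"'/' \
            -e 's/\${IF_PDC}/'"$pdc"'/'       -e 's/\${IF_RWGC}/'"$rwgc"'/' \
            -e 's/\${HOSTNAME}/'"$host_"'/g'  -e 's/\$IP/'"$ip"'/g' \
            -e 's/\${DNSDOMAIN}/'"$dom"'/g'   -e 's/\${DNSFOREST}/'"$forest"'/g' \
            -e 's/\${SITE}/'"$site"'/g' |
        grep -v '^#'                          # drop comments and disabled roles
}

# check_srv_answer "LINE" TARGET PORT
# LINE is one answer line from `host -t SRV`, e.g.
#   _ldap._tcp.ad1.domain.edu has SRV record 0 100 389 dumbo.ad1.domain.edu.
# Returns 0 only when it points at TARGET on PORT; NXDOMAIN, another port or
# another host all fail.
check_srv_answer() {
    line=$1; want_target=$2; want_port=$3
    case $line in
        *" has SRV record "*) ;;
        *) return 1 ;;
    esac
    set -- $line            # words: name has SRV record prio weight port target.
    shift 4
    port=$3; target=${4%.}  # drop the trailing dot of the FQDN
    [ "$port" = "$want_port" ] && [ "$target" = "$want_target" ]
}

# verify_srv_records FQDN IP DNSDOMAIN DNSFOREST SITE "ROLES"
# Live check: queries the resolver for every SRV record the expanded list
# expects. Prints ok/FAIL per record and returns the number of failures.
verify_srv_records() {
    fails=0
    for rec in $(expand_dns_list "$@" | awk '$1 == "SRV" { print $2 ":" $3 ":" $4 }'); do
        name=${rec%%:*}; rest=${rec#*:}; target=${rest%%:*}; port=${rest#*:}
        answer=$(host -t SRV "$name" 2>/dev/null | grep ' has SRV record ' | head -n 1)
        if check_srv_answer "$answer" "$target" "$port"; then
            echo "ok   $name -> $target:$port"
        else
            echo "FAIL $name: expected $target:$port, got: ${answer:-no answer}"
            fails=$((fails + 1))
        fi
    done
    return $fails
}

DCFQDN=dumbo.ad1.domain.edu; DCIP=10.0.2.15; DOMAIN=ad1.domain.edu
SITE=Default-First-Site-Name        # assumed; check the site in AD Sites and Services
if [ "${1:-}" = "--live" ]; then
    verify_srv_records "$DCFQDN" "$DCIP" "$DOMAIN" "$DOMAIN" "$SITE" "RWDC DC PDC RWGC"
else
    expand_dns_list "$DCFQDN" "$DCIP" "$DOMAIN" "$DOMAIN" "$SITE" "RWDC DC PDC RWGC"
fi
```

Run it without arguments to see the records this DC should have (the same shape as the manual entries above), and with --live on a machine that resolves against the DC to check them. With more than one DC the live check only looks at the first answer for each name, so extend it to compare every line if you add a second DC.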
Firewall
Samba Ports needed here:
- https://wiki.samba.org/index.php/Samba_AD_DC_port_usage
- settings(old?):
-A INPUT -p tcp --dport 53 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p udp --dport 137:138 -j ACCEPT
-A INPUT -p tcp --dport 139 -j ACCEPT
-A INPUT -p tcp --dport 445 -j ACCEPT
-A INPUT -p tcp --dport 135 -j ACCEPT
-A INPUT -p tcp --dport 88 -j ACCEPT
-A INPUT -p udp --dport 88 -j ACCEPT
-A INPUT -p tcp --dport 464 -j ACCEPT
-A INPUT -p tcp --dport 389 -j ACCEPT
-A INPUT -p udp --dport 389 -j ACCEPT
-A INPUT -p tcp --dport 1024 -j ACCEPT
-A INPUT -p tcp --dport 636 -j ACCEPT
-A INPUT -p tcp --dport 3268 -j ACCEPT
-A INPUT -p tcp --dport 3269 -j ACCEPT
-A INPUT -p udp --dport 445 -j ACCEPT
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p tcp --dport 135 -j ACCEPT
-A INPUT -p tcp --dport 5722 -j ACCEPT
-A INPUT -p udp --dport 464 -j ACCEPT
-A INPUT -p tcp --dport 137 -j ACCEPT
Kerberos
- make a backup of original kerberos file and replace it with the copy generated by samba
mv /etc/krb5.conf /etc/krb5.conf.bak
cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf
- edit the new krb5.conf file and change the ${REALM} variable to the realm selected during domain provisioning, ALL CAPS
vim /etc/krb5.conf
- test Kerberos using the kinit command
kinit administrator@MYDOMAIN.COM
- if Kerberos is working you will be asked for your password
- verify that it is working by running klist, output should look something along the lines of
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@MYDOMAIN.COM

Valid starting     Expires            Service principal
07/25/13 15:23:33  07/26/13 1:23:33   krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
        renew until 07/26/13 15:23:31
NTP
- Check this guide for installing and debugging NTP for domain joined machines:
- Quick setup
yum install ntp
chown root:ntp /usr/local/samba/var/lib/ntp_signd/
chmod 750 /usr/local/samba/var/lib/ntp_signd
- Edit
vim /etc/ntp.conf
- add
restrict default mssntp kod nomodify notrap nopeer noquery
ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/
- add to startup and start (CentOS 7/systemd; the unit is ntpd)
systemctl enable ntpd
systemctl start ntpd
- or (CentOS 6/SysVinit)
chkconfig ntpd on
service ntpd start
Windows Domain
Add Windows computer to domain
- manually edit network settings to point DNS to samba4 server
- assign static ip so there are no problems with joining computers to domain
- ping samba4 server at ip address to verify you can see it
ping 128.***.***.****
- ping FQDN to verify DNS is working
ping samba4.mydomain.com
- you should get replies from both, verifying that you can communicate with the server and that DNS is functioning
- run the date command in your server
date
- Change the date and time on Windows Computer so that it is within a few seconds of the server, Kerberos requires the times between computers be no more than a few minutes apart
- Right click on "My Computer" and click "Properties"
- Under "Computer name, domain, and workgroup settings" click change settings
- Under "Member of" check "Domain"
- Type in the name of your domain in full uppercase letters, ex.
- MYDOMAIN.COM
- When asked enter in the username and password for the Administrator created during the samba-tool domain provisioning
- Once you have joined the domain restart the computer and you can now log in to the domain
Adding Profile path to Samba
- Samba wiki's:
- make a folder where the profiles will be stored
mkdir /usr/local/domain
- Add the following to smb.conf to include that location
vim /usr/local/samba/etc/smb.conf
- insert the following
[profiles]
    path = /usr/local/domain
    read only = No
    hide files = /desktop.ini/$RECYCLE.BIN/
- reload the samba configuration
/usr/local/samba/bin/smbcontrol all reload-config
- once reloaded, check the shares on your samba server; profiles should appear there
smbclient -L localhost -U%
Change Security on Profiles folder
Follow:
- https://wiki.samba.org/index.php/Shares_with_Windows_ACLs
- https://wiki.samba.org/index.php/User_home_drives
Install RSAT
- Download Remote Server Administration Tool from the microsoft website, http://www.microsoft.com/en-us/download/details.aspx?id=7887
- Install, Once installed open up control panel and then open up programs, then programs and features
- on the left pane click "Turn Windows features on or off"
- Select all under Remote Server Administration Tool, then click okay
Adding User and profile path
- From a windows computer with RSAT installed run: dsa.msc
- create a new user and edit its properties to include a profile path of "\\servername\profiles\%USERNAME%"
- then run: gpupdate /force
- Login with new user on domain and roaming profile will be created under /usr/local/samba/var/profiles on the server
- If you're having Group Policy Issues you can view what has been applied by gpresult
- From windows command line run:
gpresult /H filename.html
- or if you only want Computer Configuration(must be run as an administrator)
gpresult /SCOPE COMPUTER /H filename.html
Folder Security
- create a share where users' folder redirections will go; this should live on an NFS mount, but for the demo it is on the local drive
[users]
    path = /usr/local/samba/var/data/users
    comment = temp user folders for folder redirection, move to NFS
    read only = No
- make the folder or have the NFS mounted
mkdir -p /usr/local/samba/var/data/users
chown root:3000000 /usr/local/samba/var/data/users
chmod 755 /usr/local/samba/var/data/users
- login into windows computer using a domain administrator to change permissions on users folder
- navigate to users folder on windows computer \\domainame.edu
- right click on users folder and select properties, go to security tab, click on advanced, click change permissions
- remove all current permissions, add new permissions making sure "Include inheritable permissions from the object's parents" is NOT checked
- add:
- Administrator: Full Control : This Folder, Subfolder, and Files
- Domain Admins: Full Control : This Folder, Subfolder, and Files
- SYSTEM: Full Control : This Folder, Subfolder, and Files
- CREATOR OWNER: Full Control : Subfolder, and Files
- Authenticated Users: Traverse Folder/Execute File, List Folder/Read Data, Create Files/Write Data, Create Folders/Append Data, Change Permissions: This Folder Only
- restart service and check that settings stay
- using getfacl
getfacl /data/users
- returns
# file: users
# owner: root
# group: root
user::rwx
user:root:rwx
group::---
group:root:---
group:3000002:rwx
group:3000003:rwx
group:3000008:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:root:---
default:group:3000002:rwx
default:group:3000008:rwx
default:mask::rwx
default:other::---
Folder Redirection with GPO
- Download admx files for windows 7/2008 and place them in \\mydomain.edu\sysvol\domainname.edu\policies\PolicyDefinitions
- service samba restart
- Create OU in AD and add a couple users
- Open up Group Policy Management
- Do not edit default domain policy, instead right click on the OU, Create GPO and link to OU
- edit linked GPO
- Go to User Configuration => Policies => Windows Settings => Folder Redirection
- Click each folder and change setting under "Target" tab to:
- Setting: Basic - Redirect everyone's folder to the same location
- Target Folder Location: Create a folder for each user under the root path
- Root path:\\MYDOMAIN.EDU\users
- under the "Settings" tab
- Uncheck "Grant the user exclusive rights to (name_of_folder)"
- under policy removal: Leave the folder in the new location when policy is removed should remain checked
- After folder redirection, Windows asks for confirmation every time you open a shortcut, because the shortcuts are now stored on the NFS share; to stop this, add the share to the Local intranet zone
- Go to User Configuration => Policies => Windows Settings => Internet Explorer Maintenance => Security
- NOTE!!!: This can only be done from a Windows 7 machine running RSAT; Server 2012 and Windows 8 deprecated this feature
- reference: https://social.technet.microsoft.com/Forums/windowsserver/en-US/1f6a0d43-e81f-4038-88f6-75d8921fdf82/missing-group-policy-internet-explorer-maintenance
- Double click Security Zones and Content Ratings
- A window may pop up before you can edit settings; click "continue"
- click modify settings, click on Local intranet, click Sites, click Advanced
- add:
file://mydomain.edu
- click, close, OK, OK, and Apply
- Configuring an Automatic Resolution Policy (when sync conflicts arise, keep the last modified file)
- Navigate to Computer Configuration => Preferences => Windows Settings => Registry
- create a new registry item
- add: Software\Microsoft\Windows\CurrentVersion\NetCache\SyncConflictHandling :to the key path
- in the UNC path add the share you want to Auto resolve conflicts with, \\DOMAIN\users
- set Value Data to 4
- valid values are 0-7; the ones of interest:
- 1:Keep the local state. This overwrites the remote copy with the local copy's contents. If the local copy was deleted, this deletes the remote copy on the server.
- 2:Keep the remote state. This overwrites the local copy with the remote copy's contents. If the remote copy was deleted, this deletes the local copy in the Offline Files cache.
- 4:Retains the state of the latest operation as determined by last-change times of the items in conflict. If the local item was deleted, the time of deletion is used for comparison.
- save and apply
Map a Network Drive with GPO
- Go to User Configuration => Preferences => Windows Settings => Drive Maps
- Create new mapped drive with:
Action: Create
Location: \\mydomainname.edu\folder\location
Reconnect: Checked
Use: "*" (pick any drive letter)
Hide/Show this drive: Show this Drive
Hide/Show all drives: No Change
- click Okay
- samba must be restarted for GPO to take effect
- make sure all the right ports are open on your firewall or mapped drive may not connect, tcp 137, udp 137 etc..
Windows Update GPO/WSUS
- Download ADM files from Microsoft, http://www.microsoft.com/en-us/download/details.aspx?id=18664
- Install when asked, navigate to where it installed the ADM files. Usually C:\Program Files(x86)\Microsoft Group Policy\Windows Server...\...
- copy only wuau.adm to \\mydomain.edu\sysvol\mydomain.edu\Policies\PolicyDefinitions\
- Edit GPO
- Go to Computer Configuration => Policies => Administrative Templates => Windows Components => Windows Update
- still testing, enable the following
Configure Automatic Updates: Enabled: Auto Download and Schedule Install: Every Day: 17:00
Specify intranet Microsoft update service location: Enabled: http://servername:port, http://servername:port
Automatic Updates Detection Frequency: Enabled: 12 hours
Allow non-administrators to receive update notifications: Enabled
Allow Automatic Updates immediate installation: Enabled
No auto-restart with logged on user for scheduled automatic updates installations: Enabled
Reschedule Automatic Updates scheduled installations: Enabled: 10 minutes
Enable client-side targeting: Enabled or Disabled, can be used to organize WSUS better
Allow signed updates from an intranet Microsoft update service location: Enabled
ACL
- set privileges
net rpc rights grant 'Domain\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
- view privileges
net rpc rights list accounts -Uadministrator
- https://wiki.samba.org/index.php/Setup_and_configure_file_shares
- http://manpages.ubuntu.com/manpages/lucid/man1/setfacl.1.html
- http://www.linuxtopia.org/online_books/network_administration_guides/samba_reference_guide/23_AccessControls_25.html
- http://pic.dhe.ibm.com/infocenter/zos/v1r13/index.jsp?topic=%2Fcom.ibm.zos.r13.bpxa500%2Fsfacl.htm
- add group acl to folder or file
setfacl -m "g:groupname:permissions" folder
- https://wiki.archlinux.org/index.php/Access_Control_Lists
- get and set acls(x is location you want acls from, y is location you want acls to)
getfacl x | setfacl -R --set-file=- y
Misc
- after a yum update, portreserve may have been updated and interferes with samba
- it holds a lock on port 636 for slapd; samba provides an LDAP service on 636, so slapd cannot hold it
- go to /etc/portreserve and remove the slapd file, then restart the server; portreserve will no longer hold the lock on 636 and samba can use it
cd /etc/portreserve
rm slapd
- deleting a corrupted user profile from the registry: http://social.technet.microsoft.com/wiki/contents/articles/13895.how-to-remove-a-corrupted-user-profile-from-the-registry.aspx
- Network Level Authentication GPO: http://trekker.net/archives/group-policy-quick-tip-enable-remote-desktop-network-level-authentication/
ID Mapping/Group Mapping
- https://wiki.samba.org/index.php/Adding_users_with_samba_tool
- http://linuxcostablanca.blogspot.com/2012/02/samba-4-posix-domain-user.html
Extending Schema for UIDs
- https://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC
- https://wiki.samba.org/index.php/Samba_AD_Schema_Extenstions
save
- http://pig.made-it.com/samba-ldap-member.html
- http://doub.home.xs4all.nl/samba-ldap/index.html
- http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html#sdcsdmldap
- http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html#ch9-sdmnss
- https://wiki.samba.org/index.php/Samba4/Domain_Member
- http://directory.fedoraproject.org/wiki/Howto:Samba
- http://ptgmedia.pearsoncmg.com/images/013188221X/downloads/013188221X_book.pdf
References
- http://www.alexwyn.com/computer-tips/centos-samba4-active-directory-domain-controller
- http://www.golinuxhub.com/2012/08/create-roaming-profiles-in-samba4.html
- http://opentodo.net/2013/01/samba4-as-ad-domain-controller-on-centos-6/
- http://wiki.samba.org/index.php/Samba_%26_Windows_Profiles
- http://clintboessen.blogspot.com/2012/08/open-file-security-warning.html
- http://stealthpuppy.com/configuring-an-automatic-resolution-policy-for-offline-files-in-windows-7/
- http://support.microsoft.com/kb/2189014
- https://www.samba.org/samba/docs/using_samba/ch07.html
- https://www.samba.org/samba/docs/using_samba/ch08.html