Difference between revisions of "AD Samba4"

From Stadm
Jump to navigationJump to search
 
(61 intermediate revisions by the same user not shown)
Line 3: Line 3:
 
[[Category:Samba]]
 
[[Category:Samba]]
 
[[Category:Samba4AD]]
 
[[Category:Samba4AD]]
+
 
=Samba 4 Active Directory Install=
+
==Purpose==
==Installing Samba 4 onto CentOS==
+
The purpose of this wiki page is to document the steps needed to set up or recreate an Active Directory(AD) Environment using Samba 4. Not all features of a Windows Server AD are incorporated into Samba 4, such as DFS and others, will try and document what you can and can not accomplish at the moment with Samba 4. At the time of writing/editing the current version of Samba 4 being used is: 4.1.12
*Install a minimal install of CentOS
+
 
*change the hostname
+
Current operating system Samba 4 is run on: Centos 6.5
  vi /etc/sysconfig/network
+
 
 +
Will try and make this page as simple to recreate using the same environment, however if confused or have no idea where to begin I recommend heading over to the Samba Wiki pages and reading there How To's and Documentation:
 +
*https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
 +
*https://wiki.samba.org/index.php/User_Documentation
 +
If still confused over anything I would recommend googling it, all of this I have found over the internet from different resources and will try and incorporate them into this wiki. For a complete list of all the references I found extremely useful see the bottom of this page.
 +
 
 +
=Samba 4 Active Directory Domain Controller=
 +
==Install CentOS==
 +
Install a minimal install of CentOS 6.5, at time of writing can be downloaded here:
 +
*http://mirrors.usc.edu/pub/linux/distributions/centos/6.5/isos/x86_64/CentOS-6.5-x86_64-minimal.iso
 +
If you prefer to use a gui or a full install go check out the CentOS mirrors list:
 +
*http://isoredirect.centos.org/centos/6/isos/x86_64/
 +
I would not recommend using CentOS 7 as the install procedure, startup service, as well as packages are a bit different, that being said it is entirely possible to get Samba 4 working on CentOS 7, if I have time and am upgrading I may come back and add in the changes CentOS 7 requires.
 +
*See here for CentOS 7: http://wiki.eri.ucsb.edu/stadm/AD_Samba4_Centos_7
 +
 
 +
==Samba 4 Requirements==
 +
Here are the OS Requirements as listed by the Samba Team:
 +
*https://wiki.samba.org/index.php/OS_Requirements
 +
Basically for a working Active Directory on CentOS install it is required that your system support Extended File Attributes.
 +
 
 +
Here are the packages I needed to install to build Samba 4, please note that all of these packages are probably not required and you are free to use the minimal list provided in the Samba Wiki, I have been trying to weed out most of the packages not needed and will be updating as I find extras, but as this is how a working setup was accomplished(with extra features not needed to just compile a basic Samba 4 server) I will leave this up for now:
 +
  yum install gcc libacl-devel libblkid-devel gnutls-devel \
 +
  readline-devel python-devel gdb pkgconfig krb5-workstation \
 +
  zlib-devel setroubleshoot-server libaio-devel \
 +
  setroubleshoot-plugins policycoreutils-python \
 +
  libsemanage-python setools-libs-python setools-libs \
 +
  popt-devel libpcap-devel sqlite-devel libidn-devel \
 +
  libxml2-devel libacl-devel libsepol-devel libattr-devel \
 +
  keyutils-libs-devel cyrus-sasl-devel cups-devel bind-utils \
 +
  glibc glibc-devel gcc libacl-devel krb5-server krb5-workstation krb5-libs pam_krb5 make gnutls-devel \
 +
  openldap-devel openldap-clients openldap-servers openldap-servers-sql \
 +
  openssl-devel bind bind-libs bind-utils libblkid-devel readline-devel gdb python-devel cups sqlite-devel \
 +
  setroubleshoot-server popt-devel libxml2-devel libpcap-devel libidn-devel cups-devel ctdb-devel pam-devel gnutls-devel \
 +
  krb5-server-ldap nss-pam-ldapd pam_ldap openssh-ldap python-ldap docbook-style-xsl vim wget
 +
*Note: if not installing vim(why wouldn't you in the first place?) make sure to install perl(dependency for vim), ./configure will fail down below without perl
 +
 
 +
*Here is a more minimal list to compile with AD support
 +
yum install perl gcc libacl-devel libblkid-devel gnutls-devel \
 +
>    readline-devel python-devel gdb pkgconfig krb5-workstation \
 +
>    zlib-devel setroubleshoot-server libaio-devel \
 +
>    setroubleshoot-plugins policycoreutils-python \
 +
>    libsemanage-python setools-libs-python setools-libs \
 +
>    popt-devel libpcap-devel sqlite-devel libidn-devel \
 +
>    libxml2-devel libacl-devel libsepol-devel libattr-devel \
 +
>    keyutils-libs-devel cyrus-sasl-devel cups-devel bind-utils \
 +
>    libxslt docbook-style-xsl openldap-devel pam-devel
 +
 
 +
Once CentOS is installed, give it hostname as well as static IP Address, this can be done through DHCP or by manually editing CentOS network scripts
 +
  vim /etc/sysconfig/network
 
*Edit "HOSTNAME=***" to say "HOSTNAME=samba" or whatever you want to name the server
 
*Edit "HOSTNAME=***" to say "HOSTNAME=samba" or whatever you want to name the server
*manually edit or add network-scripts if not there
+
*Manually edit or add network-scripts if not there
 
  cd /etc/sysconfig/network-scripts/
 
  cd /etc/sysconfig/network-scripts/
  vi ifcfg-eth0
+
  vim ifcfg-eth0
 
*Make sure these options are included
 
*Make sure these options are included
 
  DEVICE=eth0
 
  DEVICE=eth0
Line 20: Line 68:
 
  NM_CONTROLLED=yes
 
  NM_CONTROLLED=yes
 
  BOOTPROTO=dhcp
 
  BOOTPROTO=dhcp
*restart the network
+
*For a static IP Address, go look at an example here: https://gist.github.com/fernandoaleman/2172388 (or just google how to give centos a static ip)
 +
*Restart the network service
 
  service network restart
 
  service network restart
*run yum update
+
For the purpose of saving time I have setup CentOS with selinux disabled, check to see this allowed by your Organization/Company before disabling selinux(this could be potentially dangerous depending on your network setup). Google Samba 4 selinux or visit the Samba Wiki here: https://wiki.samba.org/index.php/Samba_AD_DC_access_control_settings , if time allows I may come back and try to incorporate selinux into this wiki
*install vim or an editor of your choice, vi comes included with minimal
+
*To disable selinux
*SELinux must be disabled:
 
 
  vim /etc/sysconfig/selinux
 
  vim /etc/sysconfig/selinux
*change "SELINUX=enforcing" to "SELINUX=disabled"
+
*Change "SELINUX=enforcing" to "SELINUX=disabled"
*restart the computer
+
*Restart the computer
 
  shutdown -r now
 
  shutdown -r now
*install a couple packages that will be required for building and installing samba
+
 
yum install glibc glibc-devel gcc python* libacl-devel krb5-server krb5-workstation krb5-libs pam_krb5 make gnutls-devel \
+
==Installing Samba==
openssl-devel bind bind-libs bind-utils libblkid-devel readline-devel gdb python-devel *ldap* *gnutls* *acl* cups sqlite-devel\
+
Decide what version of Samba 4 you would like to use, if your demoing or a developer consider using the newer developer version. Note: May have bugs and is not suitable in a production environment
setroubleshoot-server popt-devel libxml2-devel libpcap-devel libidn-devel cups-devel
+
*For developers:
*install git, git will be used to download samba
+
*install git
*NOTE:scp instead of git from local computer, use version 4.2 8f8e843, version 4.2 91186fc from GIT not fully functional anymore
 
 
  yum install git-core
 
  yum install git-core
  git clone http://gitweb.samba.org/samba.git ~/samba-master
+
  git clone git://git.samba.org/samba.git ~/samba-master
*master git now located at(3-17-14)
+
*For stable Samba version visit: http://www.samba.org/
  git://git.samba.org/samba.git.
+
*or(as of 09-26-14):
*reboot server so all packages and updates are applied
+
  wget http://www.samba.org/samba/ftp/stable/samba-4.1.12.tar.gz
  shutdown -r now
+
*Extract the archive if not done so already
*login and build the samba install
+
  tar -zxvf samba-4.1.12.tar.gz
 +
*Build the samba install, replace samba-master with samba-[Version#]
 
  cd ~/samba-master
 
  cd ~/samba-master
 
  ./configure --enable-debug --enable-selftest
 
  ./configure --enable-debug --enable-selftest
*if it completes successfully, make sure it is Building with Active Directory support, if not you may have forgotten a few packages
+
*If it completes successfully, make sure it is Building with Active Directory support, if not you may have forgotten a few packages
 +
*Finally compile and then install
 
  make
 
  make
 
  make install
 
  make install
  
==Creating script for starting and stopping samba service==
+
==Creating Samba Service==
 +
Samba does not come with a provided service script, however it is easy to just copy a script from a service that is already implemented, we will use rdisc and modify it for starting and stopping samba.
 
  cd /etc/init.d
 
  cd /etc/init.d
 
  cp rdisc samba
 
  cp rdisc samba
Line 54: Line 104:
 
  :%s/rdisc/samba/g
 
  :%s/rdisc/samba/g
 
  :wq
 
  :wq
*change daemon location from /sbin/samba to /usr/loca/samba/sbin/samba, as well as killproc location
+
*Change daemon location from /sbin/samba to /usr/local/samba/sbin/samba, as well as killproc location
 
*Delete RDISCOPT variable, remove usage from daemon command
 
*Delete RDISCOPT variable, remove usage from daemon command
*change what gets echoed to the screen
+
*Change what gets echoed to the screen
 +
Or after reviewing to make sure it work with your system, you can download the scripts here: https://github.com/t-ali/samba4_scripts/blob/master/samba
 +
 
 +
Move the file samba to /etc/init.d/
 +
*Portreserve gets installed as a dependency, nothing wrong with it however it only gives slapd access to port 636 which is required for samba ldap service, to get around this remove this file used by portreserve
 +
rm /etc/portreserve/slapd
 +
*You may have to restart your server to get portreserve to release port 636
  
 
==Enabling Samba 4 as DC==
 
==Enabling Samba 4 as DC==
*add samba path to $PATH
+
*Add samba path to $PATH, this only works for bash
 
  echo 'export PATH=$PATH:/usr/local/samba/bin' >> ~/.bashrc
 
  echo 'export PATH=$PATH:/usr/local/samba/bin' >> ~/.bashrc
 
  echo 'export PATH=$PATH:/usr/local/samba/sbin' >> ~/.bashrc
 
  echo 'export PATH=$PATH:/usr/local/samba/sbin' >> ~/.bashrc
*run command  
+
*Run command  
 
  /usr/local/samba/bin/samba-tool domain provision
 
  /usr/local/samba/bin/samba-tool domain provision
 
*the domain-provision tool should pick all defaults automatically, however they can be changed to your liking
 
*the domain-provision tool should pick all defaults automatically, however they can be changed to your liking
*once the provision tool has finished successfully restart the server
+
*it is your choice to decide what kind of DNS you would like to use, you can configure your own bind DNS server and manage it yourself for the domain(not going to be covered here) or you can forward requests to your DNS server and have Samba 4 deal with the Windows DNS entries(Samba 4 will be a DNS forwarder). Feel free to use your own DNS server to forward requests to, for the sake of testing I am just putting in googles public DNS address 8.8.8.8
  shutdown -r now
+
[root@dumbo var]# /usr/local/samba/bin/samba-tool domain provision
*once system has started enable samba 4 and add it start at boot, change to start with chkconfig after service script is created
+
Realm: AD1.domain.edu
  /usr/local/samba/sbin/samba
+
  Domain [AD1]:
  vim /etc/rc.d/rc.local
+
  Server Role (dc, member, standalone) [dc]:
*append "/usr/local/samba/sbin/samba" without quotations to the end of the file and then save
+
  DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
 +
  DNS forwarder IP address (write 'none' to disable forwarding) [8.8.8.8]:
 +
Administrator password:
 +
Retype password:
 +
Looking up IPv4 addresses
 +
Looking up IPv6 addresses
 +
No IPv6 address will be assigned
 +
Setting up share.ldb
 +
Setting up secrets.ldb
 +
Setting up the registry
 +
Setting up the privileges database
 +
Setting up idmap db
 +
Setting up SAM db
 +
Setting up sam.ldb partitions and settings
 +
Setting up sam.ldb rootDSE
 +
Pre-loading the Samba 4 and AD schema
 +
Adding DomainDN: DC=ad1,DC=domain,DC=edu
 +
Adding configuration container
 +
Setting up sam.ldb schema
 +
Setting up sam.ldb configuration data
 +
Setting up display specifiers
 +
Modifying display specifiers
 +
Adding users container
 +
Modifying users container
 +
Adding computers container
 +
Modifying computers container
 +
Setting up sam.ldb data
 +
Setting up well known security principals
 +
Setting up sam.ldb users and groups
 +
Setting up self join
 +
Adding DNS accounts
 +
Creating CN=MicrosoftDNS,CN=System,DC=ad1,DC=domain,DC=edu
 +
Creating DomainDnsZones and ForestDnsZones partitions
 +
Populating DomainDnsZones and ForestDnsZones partitions
 +
Setting up sam.ldb rootDSE marking as synchronized
 +
Fixing provision GUIDs
 +
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
 +
Once the above files are installed, your Samba4 server will be ready to use
 +
Server Role:          active directory domain controller
 +
Hostname:              dumbo
 +
NetBIOS Domain:        AD1
 +
  DNS Domain:            ad1.domain.edu
 +
DOMAIN SID:            S-1-5-21-3942629588-2438417362-1542489463
 +
After provisioning a kerberos file has been created that is usable with samba, make a backup of current kerberos configuration and copy the generated file to /etc/krb5.conf
 +
mv /etc/krb5.conf /etc/krb5.conf.bak
 +
cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf
 +
*your krb5.conf file should look like
 +
[libdefaults]
 +
default_realm = AD1.DOMAIN.EDU
 +
dns_lookup_realm = false
 +
dns_lookup_kdc = true
 +
Now we can fnially start the samba service, if you tried starting it earlier it most likely failed to start, you can check the status by:
 +
service samba status
 +
Now that we have everything in place start the samba service:
 +
service samba start
 +
We can check a couple ways to make sure samba is up and running, go check out the log files located at
 +
cd /usr/local/samba/var/
 +
tail log.samba
 +
tail log.smbd
 +
Usually any errors will appear at the end of log.smbd telling you smbd did not start, a working output would look like
 +
[2014/09/26 16:32:48,  0] ../source3/smbd/server.c:1189(main)
 +
  smbd version 4.1.12 started.
 +
  Copyright Andrew Tridgell and the Samba Team 1992-2013
 +
[2014/09/26 16:32:49.031941,  0] ../lib/util/become_daemon.c:136(daemon_ready)
 +
And one more way just to check for the paranoid:
 +
ps aux | grep -v grep | grep samba
 +
Output should spit out a bunch of running processes
 +
[root@dumbo var]# ps aux | grep -v grep | grep samba
 +
root      1626  0.0  2.3 538864 44768 ?        Ss  10:56  0:00 /usr/local/samba/sbin/samba
 +
root      1628  0.0  1.6 538864 31916 ?        S    10:56  0:00 /usr/local/samba/sbin/samba
 +
root      1629  0.0  1.6 538864 32676 ?        S    10:56  0:00 /usr/local/samba/sbin/samba
 +
root      1630  0.0  1.7 538864 33544 ?        S    10:56  0:00 /usr/local/samba/sbin/samba
 +
root      1631  0.0  1.6 538864 31884 ?        S    10:56  0:00 /usr/local/samba/sbin/samba
 +
root      1632  0.0  2.4 587472 46564 ?        Ss  10:56  0:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
 +
root      1633  0.0  1.7 538864 33880 ?        S    10:56  0:00 /usr/local/samba/sbin/samba
 +
root      1634  0.0  1.6 538864 32472 ?        S    10:56  0:00 /usr/local/samba/sbin/samba
 +
root      1635  0.0  1.8 545120 36128 ?        S    10:56  0:00 /usr/local/samba/sbin/samba
 +
root      1636  0.0  1.7 538864 33324 ?        S    10:56  0:11 /usr/local/samba/sbin/samba
 +
root      1637  0.0  1.7 541692 33180 ?        S    10:56  0:00 /usr/local/samba/sbin/samba
 +
  root      1638  0.0  1.6 538864 31996 ?        S    10:56  0:00 /usr/local/samba/sbin/samba
 +
  root      1639  0.0  2.1 539024 41976 ?        S    10:56  0:04 /usr/local/samba/sbin/samba
 +
root      1640  0.0  1.7 538864 33012 ?        S    10:56  0:00 /usr/local/samba/sbin/samba
 +
root      1641  0.0  1.8 541388 35248 ?        S    10:56  0:00 /usr/local/samba/sbin/samba
 +
root      1644  0.0  1.7 587996 32820 ?        S    10:56  0:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
 +
Once you have verified samba has started without any errors you should add it to the startup
 +
chkconfig samba on
 
*samba version as well as samba client version can be checked using the following commands
 
*samba version as well as samba client version can be checked using the following commands
 
  /usr/local/samba/sbin/samba -V
 
  /usr/local/samba/sbin/samba -V
Line 76: Line 217:
  
 
==Configuring DNS==
 
==Configuring DNS==
*DNS forwarding was set up on the domain provision ing using the samba-tool
+
*DNS forwarding was set up on the domain provisioning using the samba-tool script
 
  cat /usr/local/samba/etc/smb.conf
 
  cat /usr/local/samba/etc/smb.conf
 
*there should be a line under "[global]" that says "dns forwarder = ***.***.***.***", if not it was not enabled during domain provisioning
 
*there should be a line under "[global]" that says "dns forwarder = ***.***.***.***", if not it was not enabled during domain provisioning
*edit resolv.conf
+
The server that samba was installed on should have itself as a DNS server(if using DNS forwarding, if not you must add in all the entires manually into your own DNS server, listed further below)
vim /etc/resolv.conf
+
*Edit your network script to include itself as a DNS server
*edit to look exactly like:
 
domain mydomain.com
 
nameserver 128.***.***.**
 
*where "128.***.***.***" is the ipaddress of the centos server
 
*next go back and edit ifcfg-eth0 in network-scripts
 
 
  vim /etc/sysconfig/network-scripts/ifcfg-eth0
 
  vim /etc/sysconfig/network-scripts/ifcfg-eth0
*change the file to look like this
+
*Add in the line
DEVICE="eth0"
+
  DNS1="127.0.0.1"
BOOTPROTO="none"
+
*Restart the network service so that the correct DNS is now used
  DNS1="128.***.***.**" #this is host ipaddress
+
  service network restart
  GATEWAY=128.**.***.*
+
*Check to see server sees itself as a DNS server
HWADDR="84:B4:C1:0A:**:**"
+
cat /etc/resolv.conf
  IPADDR="128.***.***.**"
+
*There should be a line that says
IPV6INIT="no"
+
  nameserver 127.0.0.1
NM_CONTROLLED="yes"
+
*Test that the correct DNS entries are in your samba server and that you can resolve them(change "ad1.domain.edu" to the name of your domain and "dumbo" to your hostname)
  ONBOOT="yes"
+
  host -t SRV _ldap._tcp.ad1.domain.edu
  PREFIX="24"
+
  host -t SRV _kerberos._udp.ad1.domain.edu
  TYPE="Ethernet"
+
  host -t A dumbo.ad1.domain.edu
*reboot so that all changes may  take effect
+
*Should return:
shutdown -r now
+
  [root@dumbo var]# host -t SRV _ldap._tcp.ad1.domain.edu
*login and test that the DNS is working properly
+
  _ldap._tcp.ad1.domain.edu has SRV record 0 100 389 dumbo.ad1.domain.edu.
  host -t SRV _ldap._tcp.mydomain.com
+
  [root@dumbo var]# host -t SRV _kerberos._udp.ad1.domain.edu
*where mydomain.com is then name of the domain you are on
+
  _kerberos._udp.ad1.domain.edu has SRV record 0 100 88 dumbo.ad1.domain.edu.
*output should look like, where samba is the hostname of your server 
+
  [root@dumbo var]# host -t A dumbo.ad1.domain.edu
  _ldap._tcp.mydomain.com has SRV record 0 100 389 samba.mydomain.com
+
  dumbo.ad1.domain.edu has address 10.0.2.15
*test with
+
*If the test did not produce those outputs DNS has not been configured properly
  host -t SRV _kerberos._udp.mydomain.com
+
*These are the entries required if you are going to do this manually in your DNS server, or script it, or use samba_dnsupdate script
*output
+
*you can see these values at /usr/local/samba/private/dns_update_list
  _kerberos._udp.mydomain.com has SRV record 0 100 88 samba.mydomain.com
+
cat /usr/local/samba/private/dns_update_list
*last test
+
# this is a list of DNS entries which will be put into DNS using
  host -t A samba.mydomain.com.
+
# dynamic DNS update. It is processed by the samba_dnsupdate script
*output should return your ip adddress
+
A                      ${HOSTNAME}                                          $IP
  samba.mydomain.com has address 192.168.0.2
+
AAAA                  ${HOSTNAME}                                          $IP
*if test did not produce those outputs DNS has not been configured properly
+
 +
# RW domain controller
 +
${IF_RWDC}A            ${DNSDOMAIN}                                          $IP
 +
${IF_RWDC}AAAA        ${DNSDOMAIN}                                          $IP
 +
${IF_RWDC}SRV          _ldap._tcp.${DNSDOMAIN}                              ${HOSTNAME} 389
 +
${IF_RWDC}SRV          _ldap._tcp.dc._msdcs.${DNSDOMAIN}                    ${HOSTNAME} 389
 +
${IF_RWDC}SRV          _ldap._tcp.${DOMAINGUID}.domains._msdcs.${DNSFOREST}  ${HOSTNAME} 389
 +
${IF_RWDC}SRV          _kerberos._tcp.${DNSDOMAIN}                          ${HOSTNAME} 88
 +
${IF_RWDC}SRV          _kerberos._udp.${DNSDOMAIN}                          ${HOSTNAME} 88
 +
${IF_RWDC}SRV          _kerberos._tcp.dc._msdcs.${DNSDOMAIN}                ${HOSTNAME} 88
 +
${IF_RWDC}SRV          _kpasswd._tcp.${DNSDOMAIN}                            ${HOSTNAME} 464
 +
${IF_RWDC}SRV          _kpasswd._udp.${DNSDOMAIN}                            ${HOSTNAME} 464
 +
# RW and RO domain controller
 +
${IF_DC}CNAME          ${NTDSGUID}._msdcs.${DNSFOREST}                      ${HOSTNAME}
 +
${IF_DC}SRV            _ldap._tcp.${SITE}._sites.${DNSDOMAIN}                ${HOSTNAME} 389
 +
${IF_DC}SRV            _ldap._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN}      ${HOSTNAME} 389
 +
${IF_DC}SRV            _kerberos._tcp.${SITE}._sites.${DNSDOMAIN}            ${HOSTNAME} 88
 +
${IF_DC}SRV            _kerberos._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN}  ${HOSTNAME} 88
 +
 +
# The PDC emulator
 +
${IF_PDC}SRV          _ldap._tcp.pdc._msdcs.${DNSDOMAIN}                    ${HOSTNAME} 389
 +
 +
# RW GC servers
 +
${IF_RWGC}A            gc._msdcs.${DNSFOREST}                                $IP
 +
${IF_RWGC}AAAA        gc._msdcs.${DNSFOREST}                                $IP
 +
${IF_RWGC}SRV          _gc._tcp.${DNSFOREST}                                ${HOSTNAME} 3268
 +
${IF_RWGC}SRV          _ldap._tcp.gc._msdcs.${DNSFOREST}                    ${HOSTNAME} 3268
 +
# RW and RO GC servers
 +
${IF_GC}SRV            _gc._tcp.${SITE}._sites.${DNSFOREST}                  ${HOSTNAME} 3268
 +
${IF_GC}SRV            _ldap._tcp.${SITE}._sites.gc._msdcs.${DNSFOREST}      ${HOSTNAME} 3268
 +
 +
# RW DNS servers
 +
${IF_RWDNS_DOMAIN}A    DomainDnsZones.${DNSDOMAIN}                          $IP
 +
${IF_RWDNS_DOMAIN}AAAA DomainDnsZones.${DNSDOMAIN}                          $IP
 +
${IF_RWDNS_DOMAIN}SRV  _ldap._tcp.DomainDnsZones.${DNSDOMAIN}                ${HOSTNAME} 389
 +
# RW and RO DNS servers
 +
${IF_DNS_DOMAIN}SRV    _ldap._tcp.${SITE}._sites.DomainDnsZones.${DNSDOMAIN} ${HOSTNAME} 389
 +
 +
# RW DNS servers
 +
${IF_RWDNS_FOREST}A    ForestDnsZones.${DNSFOREST}                          $IP
 +
${IF_RWDNS_FOREST}AAAA ForestDnsZones.${DNSFOREST}                          $IP
 +
${IF_RWDNS_FOREST}SRV  _ldap._tcp.ForestDnsZones.${DNSFOREST}                ${HOSTNAME} 389
 +
# RW and RO DNS servers
 +
${IF_DNS_FOREST}SRV    _ldap._tcp.${SITE}._sites.ForestDnsZones.${DNSFOREST} ${HOSTNAME} 389
  
 
==Firewall==
 
==Firewall==
*settings:
+
Samba Ports needed here:
 +
*https://wiki.samba.org/index.php/Samba_AD_DC_port_usage
 +
*settings(old?):
 
  -A INPUT -p tcp --dport 53 -j ACCEPT
 
  -A INPUT -p tcp --dport 53 -j ACCEPT
 
  -A INPUT -p udp --dport 53 -j ACCEPT
 
  -A INPUT -p udp --dport 53 -j ACCEPT
Line 159: Line 340:
  
 
==NTP==
 
==NTP==
*install ntp
+
*Check this guide for installing and debugging NTP for domain joined machines:
 +
**http://wiki.eri.ucsb.edu/stadm/Samba4_NTP
 +
*Quick setup
 
  yum install ntp
 
  yum install ntp
*start ntp
+
chown root:ntp /usr/local/samba/var/lib/ntp_signd/
  /etc/init.d/ntpd start
+
chmod 750 /usr/local/samba/var/lib/ntp_signd
*add ntp to start up
+
*Edit
 +
  vim /etc/ntp.conf
 +
*add
 +
restrict default mssntp kod nomodify notrap nopeer noquery
 +
ntpsigndsocket  /usr/local/samba/var/lib/ntp_signd/
 +
*add to startup and start
 +
systemctl enable ntpd
 +
systemctl start ntp
 +
*or(Centos 6/SysVinit)
 
  chkconfig ntpd on
 
  chkconfig ntpd on
 +
service ntpd start
 +
 
=Windows Domain=
 
=Windows Domain=
 
==Add Windows computer to domain==
 
==Add Windows computer to domain==
Line 176: Line 369:
 
*run the date command in your server
 
*run the date command in your server
 
  date
 
  date
*Change the date and time on Windows Computer so that it is within a few seconds of the server, Kerberos requires the times between computers be no more than a few seconds apart
+
*Change the date and time on Windows Computer so that it is within a few seconds of the server, Kerberos requires the times between computers be no more than a few minutes apart
 
*Right click on "My Computer" and click "Properties"
 
*Right click on "My Computer" and click "Properties"
 
*Under "Computer name, domain, and workgroup settings" click change settings
 
*Under "Computer name, domain, and workgroup settings" click change settings
Line 186: Line 379:
  
 
==Adding Profile path to Samba==
 
==Adding Profile path to Samba==
 +
*Samba wiki's:
 +
**https://wiki.samba.org/index.php/User_home_drives
 +
**https://wiki.samba.org/index.php/Shares_with_Windows_ACLs
 +
 
*make a folder where the profiles will be stored
 
*make a folder where the profiles will be stored
  mkdir /usr/local/samba/var/profiles
+
  mkdir /usr/local/domain
 
*Add the following to smb.conf to inlcude that location
 
*Add the following to smb.conf to inlcude that location
  vim /usr/local/samba/var/profiles
+
  vim /usr/local/samba/etc/smb.conf
+
*insert the follwing
 
  [profiles]
 
  [profiles]
  path = /usr/local/samba/etc/smb.conf
+
  path = /usr/local/domain
 
  read only = No
 
  read only = No
 +
hide files = /desktop.ini/$RECYCLE.BIN/
 
*restart samba
 
*restart samba
 
  /usr/local/samba/bin/smbcontrol all reload-config
 
  /usr/local/samba/bin/smbcontrol all reload-config
Line 200: Line 398:
  
 
==Change Security on Profiles folder==
 
==Change Security on Profiles folder==
*login to the domain as administrator onto a windows 7 computer
+
Follow:
*open up my computer and navigate to "\\servername" , ex. "\\samba4"
+
*https://wiki.samba.org/index.php/Shares_with_Windows_ACLs
*Right Click on the folder and select properties
+
*https://wiki.samba.org/index.php/User_home_drives
*Change security to allow Domain Administrators Full Control
+
 
*add Domain Users to Security with options, Traverse folder/execute file. List Folder/read data, Create folder/append data
 
 
==Install RSAT==
 
==Install RSAT==
 
*Download Remote Server Administration Tool from the microsoft website, http://www.microsoft.com/en-us/download/details.aspx?id=7887
 
*Download Remote Server Administration Tool from the microsoft website, http://www.microsoft.com/en-us/download/details.aspx?id=7887
Line 213: Line 410:
 
*From a windows computer with RSAT installed run: dsa.msc
 
*From a windows computer with RSAT installed run: dsa.msc
 
*create a new user and edit its properties to include a profile path of "\\servername\profiles\%USERNAME%"
 
*create a new user and edit its properties to include a profile path of "\\servername\profiles\%USERNAME%"
*then run: gpupdate \force
+
*then run: gpupdate /force
 +
*Login with new user on domain and roaming profile will be created under /usr/local/samba/var/profiles on the server
 +
*If you're having Group Policy Issues you can view what has been applied by gpresult
 +
*From windows command line run:
 +
gpresult /H filename.html
 +
*or if you only want Computer Configuration(must be run as an administrator)
 +
gpresult /SCOPE COMPUTER /H filename.html
 
*Login with new user on domain and roaming profile will be created under /usr/local/samba/var/profiles on the server
 
*Login with new user on domain and roaming profile will be created under /usr/local/samba/var/profiles on the server
  
Line 285: Line 488:
 
  file://mydomain.edu
 
  file://mydomain.edu
 
*click, close, OK, OK, and Apply
 
*click, close, OK, OK, and Apply
 +
*Configuring Automatic Resolution Policy(when sync conflicts rise keep the last modified file) 
 +
*Navigate to  Computer Configuration => Preferences => Windows Settings => Registry
 +
*create a new registry item
 +
*add: Software\Microsoft\Windows\CurrentVersion\NetCache\SyncConflictHandling :to the key path
 +
*in the UNC path add the share you want to Auto resolve conflicts with, \\DOMAIN\users
 +
*set Value Data to 4
 +
**0-7:
 +
***1:Keep the local state. This overwrites the remote copy with the local copy's contents. If the local copy was deleted, this deletes the remote copy on the server.
 +
***2:Keep the remote state. This overwrites the local copy with the remote copy's contents. If the remote copy was deleted, this deletes the local copy in the Offline Files cache.
 +
***4:Retains the state of the latest operation as determined by last-change times of the items in conflict. If the local item was deleted, the time of deletion is used for comparison.
 +
*save and apply
  
 
==Map a Network Drive with GPO==
 
==Map a Network Drive with GPO==
Line 293: Line 507:
 
  Reconnect:Checked
 
  Reconnect:Checked
 
  Use:"*" (pick any drive letter)
 
  Use:"*" (pick any drive letter)
  Hide/Show this drive:No Change
+
  Hide/Show this drive:Show this Drive
 
  Hide/Show all drives:No Change
 
  Hide/Show all drives:No Change
 
*click Okay  
 
*click Okay  
 
*samba must be restarted for GPO to take effect
 
*samba must be restarted for GPO to take effect
 
*make sure all the right ports are open on your firewall or mapped drive may not connect, tcp 137, udp 137 etc..
 
*make sure all the right ports are open on your firewall or mapped drive may not connect, tcp 137, udp 137 etc..
==Windows Update GPO==
+
 
 +
==Windows Update GPO/WSUS==
 
*Download ADM files from Microsoft, http://www.microsoft.com/en-us/download/details.aspx?id=18664
 
*Download ADM files from Microsoft, http://www.microsoft.com/en-us/download/details.aspx?id=18664
 
*Install when asked, navigate to where it installed the ADM files. Usually C:\Program Files(x86)\Microsoft Group Policy\Windows Server...\...
 
*Install when asked, navigate to where it installed the ADM files. Usually C:\Program Files(x86)\Microsoft Group Policy\Windows Server...\...
Line 306: Line 521:
 
*still testing, enable the following
 
*still testing, enable the following
 
  Configure Automatic Updates: Enabled: Auto Download and Schedule Install: Every Day: 17:00
 
  Configure Automatic Updates: Enabled: Auto Download and Schedule Install: Every Day: 17:00
 +
Specify intranet Microsoft update service location: Enabled: http://servername:port, http://servername:port
 +
Automatic Updates Detection Frequency: enabled 12 hours
 +
Allow non administrators to receive update notifications : enabled
 
  Allow Automatic Updates immediate installation: Enabled
 
  Allow Automatic Updates immediate installation: Enabled
 
  No auto-restart with logged on user for scheduled automatic updates installations: Enabled
 
  No auto-restart with logged on user for scheduled automatic updates installations: Enabled
 
  Reschedule Automatic Updates scheduled installations: Enabled: 10 minutes
 
  Reschedule Automatic Updates scheduled installations: Enabled: 10 minutes
==SSSD==
+
  Enable clients-de targeting: Enabled or Disabled, can be used to organize wsus better
  vim /etc/sssd/sssd.conf
+
  Allow signed updates from an intranet Microsoft update service location: enabled
[domain/default]
 
ldap_tls_reqcert = allow
 
ldap_id_use_start_tls = True
 
cache_credentials = True
 
ldap_search_base = dc=domain,dc=edu
 
krb5_realm = $REALM
 
id_provider = ldap
 
auth_provider = ldap
 
  chpass_provider = ldap
 
ldap_uri = ldap://domain.edu
 
ldap_tls_cacertdir = /etc/openldap/cacerts
 
ldap_schema = rfc2307bis
 
ldap_user_fullname = displayName
 
ldap_user_search_base = ou=idmap,dc=domain,dc=edu
 
ldap_group_search_base = ou=Group,dc=domain,dc=edu
 
ldap_group_member = member
 
ldap_group_nesting_level = 4
 
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
 
ldap_tls_reqcert = demand
 
ldap_default_bind_dn = cn=Manager,dc=domain,dc=edu
 
ldap_default_authtok_type = password
 
ldap_default_authtok = ******
 
debug_level = 8
 
[sssd]
 
services = nss, pam
 
config_file_version = 2
 
domains = default
 
[nss] 
 
 
 
[pam]
 
  
 
==ACL==
 
==ACL==
Line 354: Line 542:
 
  setfacl -m "g:groupname:permissions" folder
 
  setfacl -m "g:groupname:permissions" folder
 
*https://wiki.archlinux.org/index.php/Access_Control_Lists
 
*https://wiki.archlinux.org/index.php/Access_Control_Lists
 +
*get and set acls(x is location you want acls from, y is location you want acls to)
 +
getfacl x | setfacl -R –-set-file=- y
 +
 +
==Misc==
 +
*after a yum update portreserve may have been updated and interferes with samba
 +
*holds a lock on port 636 for slapd, samba provides an ldap service on 636 so slapd cannot hold it
 +
*go to /etc/portreserve and remove the slapd file, restart server, portreserve will not hold lock in 636 anymore and samba can use it
 +
cd /etc/portreserve
 +
rm slapd
 +
*deleting regedit user profile
 +
http://social.technet.microsoft.com/wiki/contents/articles/13895.how-to-remove-a-corrupted-user-profile-from-the-registry.aspx
 +
*Network level Authentication GPO
 +
http://trekker.net/archives/group-policy-quick-tip-enable-remote-desktop-network-level-authentication/
  
 
==ID Mapping/Group Mapping==
 
==ID Mapping/Group Mapping==
 
*https://wiki.samba.org/index.php/Adding_users_with_samba_tool
 
*https://wiki.samba.org/index.php/Adding_users_with_samba_tool
 
*http://linuxcostablanca.blogspot.com/2012/02/samba-4-posix-domain-user.html
 
*http://linuxcostablanca.blogspot.com/2012/02/samba-4-posix-domain-user.html
 +
==Extending Schema for UIDs==
 +
*https://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC
 +
*https://wiki.samba.org/index.php/Samba_AD_Schema_Extenstions
  
 
==save==
 
==save==
Line 374: Line 578:
 
*http://wiki.samba.org/index.php/Samba_%26_Windows_Profiles
 
*http://wiki.samba.org/index.php/Samba_%26_Windows_Profiles
 
*http://clintboessen.blogspot.com/2012/08/open-file-security-warning.html
 
*http://clintboessen.blogspot.com/2012/08/open-file-security-warning.html
 +
*http://stealthpuppy.com/configuring-an-automatic-resolution-policy-for-offline-files-in-windows-7/
 +
*http://support.microsoft.com/kb/2189014
 +
*https://www.samba.org/samba/docs/using_samba/ch07.html
 +
*https://www.samba.org/samba/docs/using_samba/ch08.html

Latest revision as of 11:46, 19 April 2016


Purpose

The purpose of this wiki page is to document the steps needed to set up or recreate an Active Directory(AD) Environment using Samba 4. Not all features of a Windows Server AD are incorporated into Samba 4, such as DFS and others, will try and document what you can and can not accomplish at the moment with Samba 4. At the time of writing/editing the current version of Samba 4 being used is: 4.1.12

Current operating system Samba 4 is run on: Centos 6.5

Will try and make this page as simple to recreate using the same environment, however if confused or have no idea where to begin I recommend heading over to the Samba Wiki pages and reading there How To's and Documentation:

If still confused over anything I would recommend googling it, all of this I have found over the internet from different resources and will try and incorporate them into this wiki. For a complete list of all the references I found extremely useful see the bottom of this page.

Samba 4 Active Directory Domain Controller

Install CentOS

Install a minimal install of CentOS 6.5, at time of writing can be downloaded here:

If you prefer to use a gui or a full install go check out the CentOS mirrors list:

I would not recommend using CentOS 7 as the install procedure, startup service, as well as packages are a bit different, that being said it is entirely possible to get Samba 4 working on CentOS 7, if I have time and am upgrading I may come back and add in the changes CentOS 7 requires.

Samba 4 Requirements

Here are the OS Requirements as listed by the Samba Team:

Basically for a working Active Directory on CentOS install it is required that your system support Extended File Attributes.

Here are the packages I needed to install to build Samba 4, please note that all of these packages are probably not required and you are free to use the minimal list provided in the Samba Wiki, I have been trying to weed out most of the packages not needed and will be updating as I find extras, but as this is how a working setup was accomplished(with extra features not needed to just compile a basic Samba 4 server) I will leave this up for now:

 yum install gcc libacl-devel libblkid-devel gnutls-devel \
  readline-devel python-devel gdb pkgconfig krb5-workstation \
  zlib-devel setroubleshoot-server libaio-devel \
  setroubleshoot-plugins policycoreutils-python \
  libsemanage-python setools-libs-python setools-libs \
  popt-devel libpcap-devel sqlite-devel libidn-devel \
  libxml2-devel libacl-devel libsepol-devel libattr-devel \
  keyutils-libs-devel cyrus-sasl-devel cups-devel bind-utils \
  glibc glibc-devel gcc libacl-devel krb5-server krb5-workstation krb5-libs pam_krb5 make gnutls-devel \
  openldap-devel openldap-clients openldap-servers openldap-servers-sql \
  openssl-devel bind bind-libs bind-utils libblkid-devel readline-devel gdb python-devel cups sqlite-devel \
  setroubleshoot-server popt-devel libxml2-devel libpcap-devel libidn-devel cups-devel ctdb-devel pam-devel gnutls-devel \
  krb5-server-ldap nss-pam-ldapd pam_ldap openssh-ldap python-ldap docbook-style-xsl vim wget
  • Note: if not installing vim(why wouldn't you in the first place?) make sure to install perl(dependency for vim), ./configure will fail down below without perl
  • Here is a more minimal list to compile with AD support
yum install perl gcc libacl-devel libblkid-devel gnutls-devel \
>    readline-devel python-devel gdb pkgconfig krb5-workstation \
>    zlib-devel setroubleshoot-server libaio-devel \
>    setroubleshoot-plugins policycoreutils-python \
>    libsemanage-python setools-libs-python setools-libs \
>    popt-devel libpcap-devel sqlite-devel libidn-devel \
>    libxml2-devel libacl-devel libsepol-devel libattr-devel \
>    keyutils-libs-devel cyrus-sasl-devel cups-devel bind-utils \
>    libxslt docbook-style-xsl openldap-devel pam-devel

Once CentOS is installed, give it hostname as well as static IP Address, this can be done through DHCP or by manually editing CentOS network scripts

vim /etc/sysconfig/network
  • Edit "HOSTNAME=***" to say "HOSTNAME=samba" or whatever you want to name the server
  • Manually edit or add network-scripts if not there
cd /etc/sysconfig/network-scripts/
vim ifcfg-eth0
  • Make sure these options are included
DEVICE=eth0
HWADDR=**:**:**:**:**:**
TYPE=ETHERNET
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=dhcp
service network restart

For the purpose of saving time I have setup CentOS with selinux disabled, check to see this allowed by your Organization/Company before disabling selinux(this could be potentially dangerous depending on your network setup). Google Samba 4 selinux or visit the Samba Wiki here: https://wiki.samba.org/index.php/Samba_AD_DC_access_control_settings , if time allows I may come back and try to incorporate selinux into this wiki

  • To disable selinux
vim /etc/sysconfig/selinux
  • Change "SELINUX=enforcing" to "SELINUX=disabled"
  • Restart the computer
shutdown -r now

Installing Samba

Decide what version of Samba 4 you would like to use, if your demoing or a developer consider using the newer developer version. Note: May have bugs and is not suitable in a production environment

  • For developers:
  • install git
yum install git-core
git clone git://git.samba.org/samba.git ~/samba-master
wget http://www.samba.org/samba/ftp/stable/samba-4.1.12.tar.gz
  • Extract the archive if not done so already
tar -zxvf samba-4.1.12.tar.gz
  • Build the samba install, replace samba-master with samba-[Version#]
cd ~/samba-master
./configure --enable-debug --enable-selftest
  • If it completes successfully, make sure it is Building with Active Directory support, if not you may have forgotten a few packages
  • Finally compile and then install
make
make install

Creating Samba Service

Samba does not come with a provided service script, however it is easy to just copy a script from a service that is already implemented, we will use rdisc and modify it for starting and stopping samba.

cd /etc/init.d
cp rdisc samba
vim samba
:%s/rdisc/samba/g
:wq
  • Change daemon location from /sbin/samba to /usr/local/samba/sbin/samba, as well as killproc location
  • Delete RDISCOPT variable, remove usage from daemon command
  • Change what gets echoed to the screen

Or after reviewing to make sure it work with your system, you can download the scripts here: https://github.com/t-ali/samba4_scripts/blob/master/samba

Move the file samba to /etc/init.d/

  • Portreserve gets installed as a dependency, nothing wrong with it however it only gives slapd access to port 636 which is required for samba ldap service, to get around this remove this file used by portreserve
rm /etc/portreserve/slapd
  • You may have to restart your server to get portreserve to release port 636

Enabling Samba 4 as DC

  • Add samba path to $PATH, this only works for bash
echo 'export PATH=$PATH:/usr/local/samba/bin' >> ~/.bashrc
echo 'export PATH=$PATH:/usr/local/samba/sbin' >> ~/.bashrc
  • Run command
/usr/local/samba/bin/samba-tool domain provision
  • the domain-provision tool should pick all defaults automatically, however they can be changed to your liking
  • it is your choice to decide what kind of DNS you would like to use, you can configure your own bind DNS server and manage it yourself for the domain(not going to be covered here) or you can forward requests to your DNS server and have Samba 4 deal with the Windows DNS entries(Samba 4 will be a DNS forwarder). Feel free to use your own DNS server to forward requests to, for the sake of testing I am just putting in googles public DNS address 8.8.8.8
[root@dumbo var]# /usr/local/samba/bin/samba-tool domain provision
Realm: AD1.domain.edu
 Domain [AD1]:
 Server Role (dc, member, standalone) [dc]:
 DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
 DNS forwarder IP address (write 'none' to disable forwarding) [8.8.8.8]:
Administrator password:
Retype password:
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=ad1,DC=domain,DC=edu
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=ad1,DC=domain,DC=edu
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role:           active directory domain controller
Hostname:              dumbo
NetBIOS Domain:        AD1
DNS Domain:            ad1.domain.edu
DOMAIN SID:            S-1-5-21-3942629588-2438417362-1542489463

After provisioning a kerberos file has been created that is usable with samba, make a backup of current kerberos configuration and copy the generated file to /etc/krb5.conf

mv /etc/krb5.conf /etc/krb5.conf.bak
cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf 
  • your krb5.conf file should look like
[libdefaults]
	default_realm = AD1.DOMAIN.EDU
	dns_lookup_realm = false
	dns_lookup_kdc = true

Now we can fnially start the samba service, if you tried starting it earlier it most likely failed to start, you can check the status by:

service samba status

Now that we have everything in place start the samba service:

service samba start

We can check a couple ways to make sure samba is up and running, go check out the log files located at

cd /usr/local/samba/var/
tail log.samba
tail log.smbd

Usually any errors will appear at the end of log.smbd telling you smbd did not start, a working output would look like

[2014/09/26 16:32:48,  0] ../source3/smbd/server.c:1189(main)
  smbd version 4.1.12 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2013
[2014/09/26 16:32:49.031941,  0] ../lib/util/become_daemon.c:136(daemon_ready)

And one more way just to check for the paranoid:

ps aux | grep -v grep | grep samba

Output should spit out a bunch of running processes

[root@dumbo var]# ps aux | grep -v grep | grep samba
root      1626  0.0  2.3 538864 44768 ?        Ss   10:56   0:00 /usr/local/samba/sbin/samba
root      1628  0.0  1.6 538864 31916 ?        S    10:56   0:00 /usr/local/samba/sbin/samba
root      1629  0.0  1.6 538864 32676 ?        S    10:56   0:00 /usr/local/samba/sbin/samba
root      1630  0.0  1.7 538864 33544 ?        S    10:56   0:00 /usr/local/samba/sbin/samba
root      1631  0.0  1.6 538864 31884 ?        S    10:56   0:00 /usr/local/samba/sbin/samba
root      1632  0.0  2.4 587472 46564 ?        Ss   10:56   0:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
root      1633  0.0  1.7 538864 33880 ?        S    10:56   0:00 /usr/local/samba/sbin/samba
root      1634  0.0  1.6 538864 32472 ?        S    10:56   0:00 /usr/local/samba/sbin/samba
root      1635  0.0  1.8 545120 36128 ?        S    10:56   0:00 /usr/local/samba/sbin/samba
root      1636  0.0  1.7 538864 33324 ?        S    10:56   0:11 /usr/local/samba/sbin/samba
root      1637  0.0  1.7 541692 33180 ?        S    10:56   0:00 /usr/local/samba/sbin/samba
root      1638  0.0  1.6 538864 31996 ?        S    10:56   0:00 /usr/local/samba/sbin/samba
root      1639  0.0  2.1 539024 41976 ?        S    10:56   0:04 /usr/local/samba/sbin/samba
root      1640  0.0  1.7 538864 33012 ?        S    10:56   0:00 /usr/local/samba/sbin/samba
root      1641  0.0  1.8 541388 35248 ?        S    10:56   0:00 /usr/local/samba/sbin/samba
root      1644  0.0  1.7 587996 32820 ?        S    10:56   0:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground

Once you have verified samba has started without any errors you should add it to the startup

chkconfig samba on
  • samba version as well as samba client version can be checked using the following commands
/usr/local/samba/sbin/samba -V
/usr/local/samba/bin/smbclient --version

Configuring DNS

  • DNS forwarding was set up on the domain provisioning using the samba-tool script
cat /usr/local/samba/etc/smb.conf
  • there should be a line under "[global]" that says "dns forwarder = ***.***.***.***", if not it was not enabled during domain provisioning

The server that samba was installed on should have itself as a DNS server(if using DNS forwarding, if not you must add in all the entires manually into your own DNS server, listed further below)

  • Edit your network script to include itself as a DNS server
vim /etc/sysconfig/network-scripts/ifcfg-eth0
  • Add in the line
DNS1="127.0.0.1"
  • Restart the network service so that the correct DNS is now used
service network restart
  • Check to see server sees itself as a DNS server
cat /etc/resolv.conf
  • There should be a line that says
nameserver 127.0.0.1 
  • Test that the correct DNS entries are in your samba server and that you can resolve them(change "ad1.domain.edu" to the name of your domain and "dumbo" to your hostname)
host -t SRV _ldap._tcp.ad1.domain.edu
host -t SRV _kerberos._udp.ad1.domain.edu
host -t A dumbo.ad1.domain.edu
  • Should return:
[root@dumbo var]# host -t SRV _ldap._tcp.ad1.domain.edu
_ldap._tcp.ad1.domain.edu has SRV record 0 100 389 dumbo.ad1.domain.edu.
[root@dumbo var]# host -t SRV _kerberos._udp.ad1.domain.edu
_kerberos._udp.ad1.domain.edu has SRV record 0 100 88 dumbo.ad1.domain.edu.
[root@dumbo var]# host -t A dumbo.ad1.domain.edu
dumbo.ad1.domain.edu has address 10.0.2.15
  • If the test did not produce those outputs DNS has not been configured properly
  • These are the entries required if you are going to do this manually in your DNS server, or script it, or use samba_dnsupdate script
  • you can see these values at /usr/local/samba/private/dns_update_list
cat /usr/local/samba/private/dns_update_list
# this is a list of DNS entries which will be put into DNS using
# dynamic DNS update. It is processed by the samba_dnsupdate script
A                      ${HOSTNAME}                                           $IP
AAAA                   ${HOSTNAME}                                           $IP

# RW domain controller
${IF_RWDC}A            ${DNSDOMAIN}                                          $IP
${IF_RWDC}AAAA         ${DNSDOMAIN}                                          $IP
${IF_RWDC}SRV          _ldap._tcp.${DNSDOMAIN}                               ${HOSTNAME} 389
${IF_RWDC}SRV          _ldap._tcp.dc._msdcs.${DNSDOMAIN}                     ${HOSTNAME} 389
${IF_RWDC}SRV          _ldap._tcp.${DOMAINGUID}.domains._msdcs.${DNSFOREST}  ${HOSTNAME} 389
${IF_RWDC}SRV          _kerberos._tcp.${DNSDOMAIN}                           ${HOSTNAME} 88
${IF_RWDC}SRV          _kerberos._udp.${DNSDOMAIN}                           ${HOSTNAME} 88
${IF_RWDC}SRV          _kerberos._tcp.dc._msdcs.${DNSDOMAIN}                 ${HOSTNAME} 88
${IF_RWDC}SRV          _kpasswd._tcp.${DNSDOMAIN}                            ${HOSTNAME} 464
${IF_RWDC}SRV          _kpasswd._udp.${DNSDOMAIN}                            ${HOSTNAME} 464
# RW and RO domain controller
${IF_DC}CNAME          ${NTDSGUID}._msdcs.${DNSFOREST}                       ${HOSTNAME}
${IF_DC}SRV            _ldap._tcp.${SITE}._sites.${DNSDOMAIN}                ${HOSTNAME} 389
${IF_DC}SRV            _ldap._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN}      ${HOSTNAME} 389
${IF_DC}SRV            _kerberos._tcp.${SITE}._sites.${DNSDOMAIN}            ${HOSTNAME} 88
${IF_DC}SRV            _kerberos._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN}  ${HOSTNAME} 88

# The PDC emulator
${IF_PDC}SRV           _ldap._tcp.pdc._msdcs.${DNSDOMAIN}                    ${HOSTNAME} 389

# RW GC servers
${IF_RWGC}A            gc._msdcs.${DNSFOREST}                                $IP
${IF_RWGC}AAAA         gc._msdcs.${DNSFOREST}                                $IP
${IF_RWGC}SRV          _gc._tcp.${DNSFOREST}                                 ${HOSTNAME} 3268
${IF_RWGC}SRV          _ldap._tcp.gc._msdcs.${DNSFOREST}                     ${HOSTNAME} 3268
# RW and RO GC servers
${IF_GC}SRV            _gc._tcp.${SITE}._sites.${DNSFOREST}                  ${HOSTNAME} 3268
${IF_GC}SRV            _ldap._tcp.${SITE}._sites.gc._msdcs.${DNSFOREST}      ${HOSTNAME} 3268

# RW DNS servers
${IF_RWDNS_DOMAIN}A    DomainDnsZones.${DNSDOMAIN}                           $IP
${IF_RWDNS_DOMAIN}AAAA DomainDnsZones.${DNSDOMAIN}                           $IP
${IF_RWDNS_DOMAIN}SRV  _ldap._tcp.DomainDnsZones.${DNSDOMAIN}                ${HOSTNAME} 389
# RW and RO DNS servers
${IF_DNS_DOMAIN}SRV    _ldap._tcp.${SITE}._sites.DomainDnsZones.${DNSDOMAIN} ${HOSTNAME} 389

# RW DNS servers
${IF_RWDNS_FOREST}A    ForestDnsZones.${DNSFOREST}                           $IP
${IF_RWDNS_FOREST}AAAA ForestDnsZones.${DNSFOREST}                           $IP
${IF_RWDNS_FOREST}SRV  _ldap._tcp.ForestDnsZones.${DNSFOREST}                ${HOSTNAME} 389
# RW and RO DNS servers
${IF_DNS_FOREST}SRV    _ldap._tcp.${SITE}._sites.ForestDnsZones.${DNSFOREST} ${HOSTNAME} 389

Firewall

Samba Ports needed here:

-A INPUT -p tcp --dport 53 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p udp --dport 137:138 -j ACCEPT
-A INPUT -p tcp --dport 139 -j ACCEPT
-A INPUT -p tcp --dport 445 -j ACCEPT
-A INPUT -p tcp --dport 135 -j ACCEPT
-A INPUT -p tcp --dport 88 -j ACCEPT
-A INPUT -p udp --dport 88 -j ACCEPT
-A INPUT -p tcp --dport 464 -j ACCEPT
-A INPUT -p tcp --dport 389 -j ACCEPT
-A INPUT -p udp --dport 389 -j ACCEPT
-A INPUT -p tcp --dport 1024 -j ACCEPT
 
-A INPUT -p tcp --dport 636 -j ACCEPT
-A INPUT -p tcp --dport 3268 -j ACCEPT
-A INPUT -p tcp --dport 3269 -j ACCEPT
-A INPUT -p udp --dport 445 -j ACCEPT
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p tcp --dport 135 -j ACCEPT
-A INPUT -p tcp --dport 5722 -j ACCEPT
-A INPUT -p udp --dport 464 -j ACCEPT
-A INPUT -p tcp --dport 137 -j ACCEPT

Kerberos

  • make a backup of original kerberos file and replace it with the copy generated by samba
mv /etc/krb5.conf /etc/krb5.conf.bak
cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf
  • edit the new krb5.conf file and change the ${REALM} variable to the realm selected during domain provisioning, ALL CAPS
vim /etc/krb5.conf
  • test Kerberos using the kinit command
kinit administrator@MYDOMAIN.COM
  • if Kerberos is working you will be asked for your password
  • verify that it is working by running klist, output should look something along the lines of
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@MYDOMAIN.COM

Valid starting Expires Service principal
07/25/13 15:23:33 07/26/13 1:23:33 krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
renew until 07/26/13 15:23:31

NTP

yum install ntp
chown root:ntp /usr/local/samba/var/lib/ntp_signd/
chmod 750 /usr/local/samba/var/lib/ntp_signd
  • Edit
vim /etc/ntp.conf
  • add
restrict default mssntp kod nomodify notrap nopeer noquery
ntpsigndsocket  /usr/local/samba/var/lib/ntp_signd/
  • add to startup and start
systemctl enable ntpd
systemctl start ntp
  • or(Centos 6/SysVinit)
chkconfig ntpd on
service ntpd start

Windows Domain

Add Windows computer to domain

  • manually edit network settings to point DNS to samba4 server
  • assign static ip so there are no problems with joining computers to domain
  • ping samba4 server at ip address to verify you can see it
ping 128.***.***.****
  • ping FQDN to verify DNS is working
ping samba4.mydomain.com
  • should get replies form both verifying that you can communicate with server and that DNS is functioning
  • run the date command in your server
date
  • Change the date and time on Windows Computer so that it is within a few seconds of the server, Kerberos requires the times between computers be no more than a few minutes apart
  • Right click on "My Computer" and click "Properties"
  • Under "Computer name, domain, and workgroup settings" click change settings
  • Under "Member of" check "Domain"
  • Type in the name of your domain in full uppercase letters, ex.
    • MYDOMAIN.COM
  • When asked enter in the username and password for the Administrator created during the samba-tool domain provisioning
  • Once you have joined the domain restart the computer and you can now log in to the domain

Adding Profile path to Samba

  • make a folder where the profiles will be stored
mkdir /usr/local/domain
  • Add the following to smb.conf to inlcude that location
vim /usr/local/samba/etc/smb.conf
  • insert the follwing
[profiles]
path = /usr/local/domain
read only = No
hide files = /desktop.ini/$RECYCLE.BIN/
  • restart samba
/usr/local/samba/bin/smbcontrol all reload-config
  • once restarted check the shares on your samba server, profiles should appear under there
smbclient -L localhost -U%

Change Security on Profiles folder

Follow:

Install RSAT

  • Download Remote Server Administration Tool from the microsoft website, http://www.microsoft.com/en-us/download/details.aspx?id=7887
  • Install, Once installed open up control panel and then open up programs, then programs and features
  • on the left pane click "Turn Windows features on or off"
  • Select all under Remote Server Administration Tool, then click okay

Adding User and profile path

  • From a windows computer with RSAT installed run: dsa.msc
  • create a new user and edit its properties to include a profile path of "\\servername\profiles\%USERNAME%"
  • then run: gpupdate /force
  • Login with new user on domain and roaming profile will be created under /usr/local/samba/var/profiles on the server
  • If you're having Group Policy Issues you can view what has been applied by gpresult
  • From windows command line run:
gpresult /H filename.html
  • or if you only want Computer Configuration(must be run as an administrator)
gpresult /SCOPE COMPUTER /H filename.html
  • Login with new user on domain and roaming profile will be created under /usr/local/samba/var/profiles on the server

Folder Security

  • create a share for where users folder redirections will go, want on a NFS, demoing on local drive
[users]
       path = usr/local/samba/var/data/users
       comment = temp user folders for folder redirection, move to NFS
       read only = No
  • make the folder or have the NFS mouted
mkdir -p usr/local/samba/var/data/users
chown root:3000000 usr/local/samba/var/data/users
chmod 755 usr/local/samba/var/data/users
  • login into windows computer using a domain administrator to change permissions on users folder
  • navigate to users folder on windows computer \\domainame.edu
  • right click on users folder and select properties, go to security tab, click on advanced, click change permissions
  • remove all current permissions, add new permissions making sure "Include inheritable permissions from the object's parents" is NOT checked
  • add:
    • Administrator: Full Control : This Folder, Subfolder, and Files
    • Domain Admins: Full Control : This Folder, Subfolder, and Files
    • SYSTEM: Full Control : This Folder, Subfolder, and Files
    • CREATOR OWNER: Full Control : Subfolder, and Files
    • Authenticated Users: Traverse Folder/Execute FIle, List Folder/Read Data, Create Files/Write Data, Create Folders/Append Data, Change Permissions: This Folder Only
  • restart service and check that settings stay
  • using getfacl
getfacl /data/users
  • returns
# file: users
# owner: root
# group: root
user::rwx
user:root:rwx
group::---
group:root:---
group:3000002:rwx
group:3000003:rwx
group:3000008:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:root:---
default:group:3000002:rwx
default:group:3000008:rwx
default:mask::rwx
default:other::---

Folder Redirection with GPO

  • Download admx files for windows 7/2008 and place them in \\mydomain.edu\sysvol\domainname.edu\policies\PolicyDefinitions
  • service samba restart
  • Create OU in AD and add a couple users
  • Open up Group Policy Management
  • Do not edit default domain policy, instead right click on the OU, Create GPO and link to OU
  • edit linked GPO
  • Go to User Configuration => Policies => Windows Settings => Folder Redirection
  • Click each folder and change setting under "Target" tab to:
    • Setting: Basic - Redirect everyone's folder to the same location
    • Target Folder Location: Create a folder for each user under the root path
    • Root path:\\MYDOMAIN.EDU\users
  • under the "Settings" tab
    • Uncheck "Grant the user exclusive rights to (name_of_folder)"
    • under policy removal: Leave the folder in the new location when policy is removed should remain checked
  • Since folder redirection windows will ask for conformation every time you try and open a shortcut because they are stored on NFS
  • Go to User Configuration => Policies => Windows Settings => Internet Explorer Maintenance => Security
  • Double Click Security Zones and Content Ratings
  • A windows may pop up before you can edit settings click "continue"
  • click modify settings, click on Local intranet, click Sites, click Advanced
  • add:
file://mydomain.edu
  • click, close, OK, OK, and Apply
  • Configuring Automatic Resolution Policy(when sync conflicts rise keep the last modified file)
  • Navigate to Computer Configuration => Preferences => Windows Settings => Registry
  • create a new registry item
  • add: Software\Microsoft\Windows\CurrentVersion\NetCache\SyncConflictHandling :to the key path
  • in the UNC path add the share you want to Auto resolve conflicts with, \\DOMAIN\users
  • set Value Data to 4
    • 0-7:
      • 1:Keep the local state. This overwrites the remote copy with the local copy's contents. If the local copy was deleted, this deletes the remote copy on the server.
      • 2:Keep the remote state. This overwrites the local copy with the remote copy's contents. If the remote copy was deleted, this deletes the local copy in the Offline Files cache.
      • 4:Retains the state of the latest operation as determined by last-change times of the items in conflict. If the local item was deleted, the time of deletion is used for comparison.
  • save and apply

Map a Network Drive with GPO

  • Go to User Configuration => Preferences => Windows Settings => Drive Maps
  • Create new mapped drive with:
Action:Create
Location: \\mydomainname.edu\folder\location
Reconnect:Checked
Use:"*" (pick any drive letter)
Hide/Show this drive:Show this Drive
Hide/Show all drives:No Change
  • click Okay
  • samba must be restarted for GPO to take effect
  • make sure all the right ports are open on your firewall or mapped drive may not connect, tcp 137, udp 137 etc..

Windows Update GPO/WSUS

  • Download ADM files from Microsoft, http://www.microsoft.com/en-us/download/details.aspx?id=18664
  • Install when asked, navigate to where it installed the ADM files. Usually C:\Program Files(x86)\Microsoft Group Policy\Windows Server...\...
  • copy only wuau.adm to \\mydomain.edu\sysvol\mydomain.edu\Policies\PolicyDefinitions\
  • Edit GPO
  • Go to Computer Configuration => Policies => Administrative Templates => Windows Components => Windows Update
  • still testing, enable the following
Configure Automatic Updates: Enabled: Auto Download and Schedule Install: Every Day: 17:00
Specify intranet Microsoft update service location: Enabled: http://servername:port, http://servername:port
Automatic Updates Detection Frequency: enabled 12 hours
Allow non administrators to receive update notifications : enabled
Allow Automatic Updates immediate installation: Enabled
No auto-restart with logged on user for scheduled automatic updates installations: Enabled
Reschedule Automatic Updates scheduled installations: Enabled: 10 minutes
Enable clients-de targeting: Enabled or Disabled, can be used to organize wsus better
Allow signed updates from an intranet Microsoft update service location: enabled

ACL

  • set privileges
net rpc rights grant 'Domain\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
  • view privileges
net rpc rights list accounts -Uadministrator
setfacl -m "g:groupname:permissions" folder
getfacl x | setfacl -R –-set-file=- y

Misc

  • after a yum update portreserve may have been updated and interferes with samba
  • holds a lock on port 636 for slapd, samba provides an ldap service on 636 so slapd cannot hold it
  • go to /etc/portreserve and remove the slapd file, restart server, portreserve will not hold lock in 636 anymore and samba can use it
cd /etc/portreserve
rm slapd
  • deleting regedit user profile

http://social.technet.microsoft.com/wiki/contents/articles/13895.how-to-remove-a-corrupted-user-profile-from-the-registry.aspx

  • Network level Authentication GPO

http://trekker.net/archives/group-policy-quick-tip-enable-remote-desktop-network-level-authentication/

ID Mapping/Group Mapping

Extending Schema for UIDs

save

http://pig.made-it.com/samba-ldap-member.html http://doub.home.xs4all.nl/samba-ldap/index.html http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html#sdcsdmldap http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html#ch9-sdmnss https://wiki.samba.org/index.php/Samba4/Domain_Member http://directory.fedoraproject.org/wiki/Howto:Samba http://ptgmedia.pearsoncmg.com/images/013188221X/downloads/013188221X_book.pdf

References