Difference between revisions of "AD Samba4 Centos 7"

From Stadm
(One intermediate revision by the same user not shown)
Line 10: Line 10:
Current operating system Samba 4 is run on: Centos 7
Current operating system Samba 4 is run on: Centos 7
*'''Note''': Until this message removed consider the following a work in progress
=Samba 4 Active Directory Domain Controller=
=Samba 4 Active Directory Domain Controller=
==Install CentOS==
==Install CentOS==
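Review bot: removing the "work in progress" note under "Current operating system Samba 4 is run on: Centos 7" looks premature, because the revision still contains unfinished steps: the SELinux step stops at "change enforcing=enabled to" and the samba.service unit shows only a Description line. Suggest keeping the note until those steps are filled in.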
Line 62: Line 62:
  make install
  make install
*libgnutls needs to be linked like so:
*libgnutls needs to be linked like so(upgrade specific install):
  ln -s /usr/lib64/libgnutls.so.28 /usr/lib64/libgnutls.so.26
  ln -s /usr/lib64/libgnutls.so.28 /usr/lib64/libgnutls.so.26
*The kerberos file needs to be configured properly
*The kerberos file needs to be configured properly
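Review bot: the new "(upgrade specific install)" qualifier on the libgnutls line does not say when the symlink is required or why. The command points the libgnutls.so.26 name at libgnutls.so.28, so anything linked against the older soname will load a different library version. Suggest stating which upgrade case needs it and when the link can be removed again, and adding a space before the parenthesis.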

Latest revision as of 12:46, 19 April 2016


The purpose of this wiki page is to document the steps needed to set up or recreate an Active Directory (AD) environment using Samba 4. Not all features of a Windows Server AD are incorporated into Samba 4. At the time of writing/editing, the version of Samba 4 being used is: 4.1.16

This page shows how to set up Samba 4 on a CentOS 7 machine and migrate over from CentOS 6.

Current operating system Samba 4 is run on: Centos 7

Samba 4 Active Directory Domain Controller

Install CentOS

  • Install a minimal version of Centos 7 on a VM or dev box

Samba 4 Requirements

  • Here is a minimal list of packages needed to compile Samba 4 with AD support
yum install perl gcc libacl-devel libblkid-devel gnutls-devel \
readline-devel python-devel gdb pkgconfig krb5-workstation \
zlib-devel setroubleshoot-server libaio-devel \
setroubleshoot-plugins policycoreutils-python \
libsemanage-python setools-libs-python setools-libs \
popt-devel libpcap-devel sqlite-devel libidn-devel \
libxml2-devel libacl-devel libsepol-devel libattr-devel \
keyutils-libs-devel cyrus-sasl-devel cups-devel bind-utils \
libxslt docbook-style-xsl openldap-devel pam-devel bzip2
  • Here are optional packages that are used in this guide
yum install vim wget


  • We are coming from a working environment running on CentOS 6, so we restore our databases to /usr/local/samba first and then compile and install Samba 4 over them
  • I have tried installing samba first and then restoring from backup, however samba was having issues with the Winbind.so binary; a recompile and install fixed that issue. However, by restoring first we avoid having to reinstall samba after restore
  • These folders probably won't be there if you haven't installed samba before; check to see before running the commands
rm -rf /usr/local/samba/etc
rm -rf /usr/local/samba/private
rm -rf /usr/local/samba/var/locks/sysvol
  • If /usr/local/samba does not exist (because samba has never been installed before), make the /usr/local/samba directory
mkdir /usr/local/samba
  • change directories to where you have your backups and do a restore
cd /usr/local/backups
tar -jxf etc.{Timestamp}.tar.bz2 -C /usr/local/samba/
tar -jxf samba4_private.{Timestamp}.tar.bz2 -C /usr/local/samba/
tar -jxf sysvol.{Timestamp}.tar.bz2 -C /usr/local/samba/
find /usr/local/samba/private/ -type f -name '*.ldb.bak' -print0 | while IFS= read -r -d '' f ; do mv "$f" "${f%.bak}" ; done
  • Our profiles are stored on an NFS server, copy over the auto.home file where our profiles are stored
scp root@AD1.DOMAIN.EDU:/etc/auto.home /etc/
  • restart autofs
systemctl restart autofs
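
The tar extraction and .ldb.bak rename from the restore steps above, wrapped so that each archive's member list is checked before anything is written under /usr/local/samba. This is an added example, not part of the original page; the function names and the 0700 mode on private/ are assumptions.

```sh
# Added example, not from the original page: restore one samba_backup archive
# with the member list checked first. Function names and the 0700 mode on
# private/ are assumptions of this sketch.

# A member name is safe if it is relative and has no ".." path component.
member_is_safe() {
    case "/$1/" in
        //*|*/../*) return 1 ;;
    esac
    return 0
}

# List the archive before extracting; refuse it if any member would land
# outside the target directory, or if the listing fails or is empty.
archive_is_contained() {
    members=$(tar -tf "$1") || return 1
    [ -n "$members" ] || return 1
    printf '%s\n' "$members" | while IFS= read -r m; do
        member_is_safe "$m" || { echo "unsafe member: $m" >&2; exit 1; }
    done
}

# Extract archive $1 under directory $2, then strip the ".bak" suffix from
# the *.ldb.bak copies, as the find/mv loop in the guide does.
restore_archive() {
    archive=$1
    target=$2
    archive_is_contained "$archive" || return 1
    mkdir -p "$target" || return 1
    # GNU tar detects bzip2 itself when reading, so -j is not needed here
    tar -xf "$archive" -C "$target" || return 1
    if [ -d "$target/private" ]; then
        find "$target/private" -type f -name '*.ldb.bak' \
            -exec sh -c 'for f; do mv -- "$f" "${f%.bak}"; done' sh {} + \
            || return 1
        # private/ holds the domain's secrets; keep it root-only (assumed mode)
        chmod 700 "$target/private" || return 1
    fi
}

# Usage on the guide's paths (run as root):
#   cd /usr/local/backups
#   for a in etc samba4_private sysvol; do
#       restore_archive "$a.{Timestamp}.tar.bz2" /usr/local/samba || break
#   done
```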

Installing Samba

wget http://www.samba.org/samba/ftp/stable/samba-4.1.16.tar.gz
  • Extract the archive if not done so already
tar -zxvf samba-4.1.16.tar.gz
cd ~/samba-4.1.16
./configure --enable-debug --enable-selftest --with-ads --with-systemd --with-winbind
  • If it completes successfully, make sure it is Building with Active Directory support, if not you may have forgotten a few packages
  • Finally compile and then install
make install
  • libgnutls needs to be linked like so (upgrade specific install):
ln -s /usr/lib64/libgnutls.so.28 /usr/lib64/libgnutls.so.26
  • The kerberos file needs to be configured properly
vim /etc/krb5.conf
[libdefaults]
    dns_lookup_realm = false
    dns_lookup_kdc = true
    default_realm = DOMAIN.EDU
  • add samba directory to bashrc file
echo 'export PATH=$PATH:/usr/local/samba/bin' >> ~/.bashrc
echo 'export PATH=$PATH:/usr/local/samba/sbin' >> ~/.bashrc
  • disable selinux for now
vim /etc/sysconfig/selinux
  • change enforcing=enabled to
  • reboot the computer
shutdown -r now

Adding Samba to Systemd

  • create a samba.service file at /etc/systemd/system/samba.service
vim /etc/systemd/system/samba.service
Description= Samba 4 Active Directory



Adding winbind to nsswitch.conf

  • add winbind to /etc/nsswitch.conf
vim /etc/nsswitch.conf
passwd:     files winbind sss
shadow:     files sss
group:      files winbind sss
  • link winbind so that nsswitch can find and enumerate the domain
ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib64/libnss_winbind.so
ln -s /lib64/libnss_winbind.so /lib64/libnss_winbind.so.2

Adding Backup Script

cp ~/samba-4.1.16/source4/scripting/bin/samba_backup /usr/local/samba/sbin
chown root:root /usr/local/samba/sbin/samba_backup
chmod 750 /usr/local/samba/sbin/samba_backup
  • make backup directory
mkdir /usr/local/backups
  • You can now run the samba backup script
  • or just add it to cron for weekly backups
crontab -e
  • insert the following
#Run a weekly backup on Rumba for samba4 Active Directory
0 3 * * 0 /usr/local/samba/sbin/samba_backup >> /root/backup_logs/samba_bak.log 2>&1

Start/Stop Samba service

  • start the Samba service
systemctl start samba
  • enable the samba service on startup
systemctl enable samba
  • check the status of samba
systemctl status samba
  • If you need to stop the samba service use
systemctl stop samba


  • We prefer iptables so we are turning off firewalld and enabling iptables instead
systemctl stop firewalld     # stop firewalld temporarily
systemctl mask firewalld    # not sure what mask does, but I assume it's similar to disable
yum install iptables-services  # install iptables-services package
systemctl enable iptables    # Enable the service at boot-time
  • add your rules to /etc/sysconfig/iptables (do this while iptables is off)
systemctl start iptables     # start iptables
  • the following will save the running rules to /etc/sysconfig/iptables
service iptables save   # save iptables rules in /etc/sysconfig/iptables, overwriting current set