Difference between revisions of "AD Samba4 Centos 7"

From Stadm
 
(13 intermediate revisions by the same user not shown)
Line 10: Line 10:
  
 
Current operating system Samba 4 is run on: Centos 7
 
Current operating system Samba 4 is run on: Centos 7
*'''Note''': Until this message removed consider the following a work in progress
+
 
 
=Samba 4 Active Directory Domain Controller=
 
=Samba 4 Active Directory Domain Controller=
 
==Install CentOS==
 
==Install CentOS==
Line 30: Line 30:
  
 
==Restoring==
 
==Restoring==
*we are coming form a working environment running on centos 6, we are going to restore our databases to /usr/local/samba and then compile and install Samba 4 over them
+
*we are coming from a working environment running on centos 6, we are going to restore our databases to /usr/local/samba and then compile and install Samba 4 over them
 
*I have tried installing samba first and then restoring form backup however samba was having issues with wind the Winbind.so binary, a recompile and install fixed that issue, however by restoring first we avoid having to reinstall samba after restore
 
*I have tried installing samba first and then restoring form backup however samba was having issues with wind the Winbind.so binary, a recompile and install fixed that issue, however by restoring first we avoid having to reinstall samba after restore
 
*These folders probably wont be there if you havent installed samba before, check to see before running command
 
*These folders probably wont be there if you havent installed samba before, check to see before running command
Line 45: Line 45:
  
 
  find /usr/local/samba/private/ -type f -name '*.ldb.bak' -print0 | while read -d $'\0' f ; do mv "$f" "${f%.bak}" ; done
 
  find /usr/local/samba/private/ -type f -name '*.ldb.bak' -print0 | while read -d $'\0' f ; do mv "$f" "${f%.bak}" ; done
 
+
*Our profiles are stored on an NFS server, copy over the auto.home file where our profiles are stored
  ln -s /usr/lib64/libgnutls.so.28 /usr/lib64/libgnutls.so.26
+
  scp root@AD1.DOMAIN.EDU:/etc/auto.home /etc/
 +
*restart autofs
 +
systemctl restart autofs
  
 
==Installing Samba==
 
==Installing Samba==
Line 60: Line 62:
 
  make
 
  make
 
  make install
 
  make install
 +
*libgnutls needs to be linked like so(upgrade specific install):
 +
ln -s /usr/lib64/libgnutls.so.28 /usr/lib64/libgnutls.so.26
 +
*The kerberos file needs to be configured properly
 +
vim /etc/krb5.conf
  
 
vim /etc/krb5.conf
 
 
  dns_lookup_realm = false
 
  dns_lookup_realm = false
 
  dns_lookup_kdc = true
 
  dns_lookup_kdc = true
 
  default_realm = DOMAIN.EDU
 
  default_realm = DOMAIN.EDU
 +
*add samba directory to bashrc file
 +
echo 'export PATH=$PATH:/usr/local/samba/bin' >> ~/.bashrc
 +
echo 'export PATH=$PATH:/usr/local/samba/sbin' >> ~/.bashrc
 +
 +
*disable selinux for now
 +
vim /etc/sysconfig/selinux
 +
*change enforcing=enabled to
 +
enforcing=disabled
 +
*reboot the computer
 +
shutdown -r now
  
 
==Adding Samba to Systemd==
 
==Adding Samba to Systemd==
 
*create a samba.service file at /etc/systemd/system/samba.service
 
*create a samba.service file at /etc/systemd/system/samba.service
 +
vim /etc/systemd/system/samba.service
 
  [Unit]
 
  [Unit]
 
  Description= Samba 4 Active Directory
 
  Description= Samba 4 Active Directory
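Review bot: The SELinux step in this hunk names a setting that does not exist. /etc/sysconfig/selinux has no "enforcing=enabled" line; the key is SELINUX and its values are enforcing, permissive and disabled, so the step should read "change SELINUX=enforcing to SELINUX=disabled". Because the text says "for now", it would also help to add the later step that turns enforcement back on, otherwise the domain controller is left without SELinux indefinitely.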
Line 82: Line 97:
 
  WantedBy=multi-user.target
 
  WantedBy=multi-user.target
  
 +
==Adding winbind to nsswitch.conf==
 +
*add winbind to /etc/nsswitch.conf
 +
vim /etc/nsswitch.conf
 +
 +
passwd:    files winbind sss
 +
shadow:    files sss
 +
group:      files winbind sss
 +
*link winbind so that nssswitch can find and enumerate domain
 +
ln -s  /usr/local/samba/lib/libnss_winbind.so.2  /lib64/libnss_winbind.so
 +
ln  -s /lib64/libnss_winbind.so  /lib64/libnss_winbind.so.2
 +
 +
==Adding Backup Script==
 +
cp ~/samba-4.1.16/source4/scripting/bin/samba_backup /usr/local/samba/sbin
 +
chown root:root /usr/local/samba/sbin/samba_backup
 +
chmod 750 /usr/local/samba/sbin/samba_backup
 +
*make backup directory
 +
mkdir /usr/local/backups
 +
*You can now run the samba backup script
 +
samba_backup
 +
*or just add it to cron for weekly backups
 +
crontab -e
 +
*insert the following
 +
#Run a weekly backup on Rumba for samba4 Active Directory
 +
0 3 * * 0 /usr/local/samba/bin/samba_backup >> /root/backup_logs/samba_bak.log 2>&1
 +
 +
==Start/Stop Samba service==
 
*start the Samba service
 
*start the Samba service
 
  systemctl start samba
 
  systemctl start samba
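Review bot: The crontab entry in the Adding Backup Script section calls /usr/local/samba/bin/samba_backup, but the cp line at the top of that section installs the script into /usr/local/samba/sbin, so the weekly job will not find it; point the cron line at the sbin path. The same entry appends to /root/backup_logs/samba_bak.log and none of the steps create /root/backup_logs, so a mkdir for that directory should be added next to "mkdir /usr/local/backups".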
Line 88: Line 129:
 
*check the status of samba
 
*check the status of samba
 
  systemctl status samba
 
  systemctl status samba
 +
*If you need to stop the samba service use
 +
systemctl stop samba
  
==Adding winbind to nssswitch.conf==
 
*add winbind to /etc/nssswitch.conf
 
vim /etc/nssswitch.conf
 
 
passwd:    files winbind sss
 
shadow:    files sss
 
group:      files winbind sss
 
*link winbind so that nssswitch can find and enumerate domain users
 
 
==Firewall==
 
==Firewall==
 
*We prefer iptables so we are turning off firewalld and enabling iptables instead
 
*We prefer iptables so we are turning off firewalld and enabling iptables instead

Latest revision as of 11:46, 19 April 2016


Purpose

The purpose of this wiki page is to document the steps needed to set up or recreate an Active Directory (AD) environment using Samba 4. Not all features of a Windows Server AD are incorporated into Samba 4. At the time of writing/editing the current version of Samba 4 being used is: 4.1.16

This page shows how to set up Samba 4 on a CentOS 7 machine and migrate over from CentOS 6.

Current operating system Samba 4 is run on: CentOS 7

Samba 4 Active Directory Domain Controller

Install CentOS

  • Install a minimal version of CentOS 7 on a VM or dev box

Samba 4 Requirements

  • Here is a minimal list of packages needed to compile Samba 4 with AD support
yum install perl gcc libacl-devel libblkid-devel gnutls-devel \
readline-devel python-devel gdb pkgconfig krb5-workstation \
zlib-devel setroubleshoot-server libaio-devel \
setroubleshoot-plugins policycoreutils-python \
libsemanage-python setools-libs-python setools-libs \
popt-devel libpcap-devel sqlite-devel libidn-devel \
libxml2-devel libacl-devel libsepol-devel libattr-devel \
keyutils-libs-devel cyrus-sasl-devel cups-devel bind-utils \
libxslt docbook-style-xsl openldap-devel pam-devel bzip2
  • Here are optional packages that are used in this guide
yum install vim wget

Restoring

  • We are coming from a working environment running on CentOS 6. We are going to restore our databases to /usr/local/samba and then compile and install Samba 4 over them
  • I have tried installing Samba first and then restoring from backup; however, Samba was having issues with the Winbind.so binary. A recompile and install fixed that issue; however, by restoring first we avoid having to reinstall Samba after the restore
  • These folders probably won't be there if you haven't installed Samba before; check before running the commands
rm -rf /usr/local/samba/etc
rm -rf /usr/local/samba/private
rm -rf /usr/local/samba/var/locks/sysvol
  • If /usr/local/samba does not exist (because Samba has never been installed before), make the /usr/local/samba directory
mkdir /usr/local/samba
  • change directories to where you have your backups and do a restore
cd /usr/local/backups
tar -jxf etc.{Timestamp}.tar.bz2 -C /usr/local/samba/
tar -jxf samba4_private.{Timestamp}.tar.bz2 -C /usr/local/samba/
tar -jxf sysvol.{Timestamp}.tar.bz2 -C /usr/local/samba/
find /usr/local/samba/private/ -type f -name '*.ldb.bak' -print0 | while IFS= read -r -d '' f ; do mv "$f" "${f%.bak}" ; done
  • Our profiles are stored on an NFS server, copy over the auto.home file where our profiles are stored
scp root@AD1.DOMAIN.EDU:/etc/auto.home /etc/
  • restart autofs
systemctl restart autofs

Installing Samba

wget http://www.samba.org/samba/ftp/stable/samba-4.1.16.tar.gz
  • Extract the archive if not done so already
tar -zxvf samba-4.1.16.tar.gz
cd ~/samba-4.1.16
./configure --enable-debug --enable-selftest --with-ads --with-systemd --with-winbind
  • If configure completes successfully, make sure its output shows it is building with Active Directory support; if not, you may have forgotten a few packages
  • Finally compile and then install
make
make install
  • libgnutls needs to be linked like so (upgrade specific install):
ln -s /usr/lib64/libgnutls.so.28 /usr/lib64/libgnutls.so.26
  • The kerberos file needs to be configured properly
vim /etc/krb5.conf
dns_lookup_realm = false
dns_lookup_kdc = true
default_realm = DOMAIN.EDU
  • add samba directory to bashrc file
echo 'export PATH=$PATH:/usr/local/samba/bin' >> ~/.bashrc
echo 'export PATH=$PATH:/usr/local/samba/sbin' >> ~/.bashrc
  • disable SELinux for now
vim /etc/sysconfig/selinux
  • change SELINUX=enforcing to
SELINUX=disabled
  • reboot the computer
shutdown -r now

Adding Samba to Systemd

  • create a samba.service file at /etc/systemd/system/samba.service
vim /etc/systemd/system/samba.service
[Unit]
Description= Samba 4 Active Directory
After=syslog.target
After=network.target

[Service]
Type=forking
PIDFile=/usr/local/samba/var/run/samba.pid
ExecStart=/usr/local/samba/sbin/samba

[Install]
WantedBy=multi-user.target

Adding winbind to nsswitch.conf

  • add winbind to /etc/nsswitch.conf
vim /etc/nsswitch.conf
passwd:     files winbind sss
shadow:     files sss
group:      files winbind sss
  • link winbind so that nsswitch can find and enumerate domain users
ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib64/libnss_winbind.so
ln -s /lib64/libnss_winbind.so /lib64/libnss_winbind.so.2

Adding Backup Script

cp ~/samba-4.1.16/source4/scripting/bin/samba_backup /usr/local/samba/sbin
chown root:root /usr/local/samba/sbin/samba_backup
chmod 750 /usr/local/samba/sbin/samba_backup
  • make backup directory
mkdir /usr/local/backups
  • You can now run the samba backup script
samba_backup
  • or just add it to cron for weekly backups
crontab -e
  • insert the following
# Run a weekly backup on Rumba for samba4 Active Directory
0 3 * * 0 /usr/local/samba/sbin/samba_backup >> /root/backup_logs/samba_bak.log 2>&1
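
The archives in /usr/local/backups include the private directory that the Restoring section unpacks, and with the usual 022 umask "mkdir /usr/local/backups" leaves that directory readable by every local account. The script below is an added example, not part of the original wiki page or of Samba's samba_backup; harden_backup_dir is a hypothetical helper name and it assumes stat -c as shipped on CentOS.

```shell
#!/bin/sh
# Added example: keep the Samba AD backup directory and archives owner-only.
# Prints "FIXED <old-mode> <path>" for every entry it had to tighten.
harden_backup_dir() {
    dir=$1
    [ -n "$dir" ] || { echo "usage: harden_backup_dir DIR" >&2; return 2; }
    # Do not follow a symlink sitting where the backup directory should be.
    if [ -L "$dir" ]; then
        echo "refusing symlink: $dir" >&2
        return 1
    fi
    # Create the directory owner-only if it does not exist yet.
    if [ ! -d "$dir" ]; then
        (umask 077 && mkdir -p "$dir") || return 1
    fi
    # Walk the directory itself and everything in it; strip group/other
    # access from anything whose mode does not already end in 00.
    find "$dir" \( -type d -o -type f \) -print |
    while IFS= read -r entry; do
        mode=$(stat -c '%a' "$entry")
        case $mode in
            0|*00) ;;   # already private to the owner
            *) chmod go-rwx "$entry" && printf 'FIXED %s %s\n' "$mode" "$entry" ;;
        esac
    done
    return 0
}

# Run against the directory given on the command line, if any.
if [ "$#" -eq 1 ]; then harden_backup_dir "$1"; fi
```

Running it once after "mkdir /usr/local/backups" and again after each backup run keeps new archives from being left group- or world-readable.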

Start/Stop Samba service

  • start the Samba service
systemctl start samba
  • enable the samba service on startup
systemctl enable samba
  • check the status of samba
systemctl status samba
  • If you need to stop the samba service use
systemctl stop samba

Firewall

  • We prefer iptables so we are turning off firewalld and enabling iptables instead
systemctl stop firewalld     # stop firewalld temporarily
systemctl mask firewalld    # not sure what mask does, but I assume it's similar to disable
yum install iptables-services  # install iptables-services package
systemctl enable iptables    # Enable the service at boot-time
  • add your rules to /etc/sysconfig/iptables (do this while iptables is off)
systemctl start iptables     # start iptables
  • the following will save the rules located at /etc/sysconfig/iptables
service iptables save   # save iptables rules in /etc/sysconfig/iptables, overwriting current set
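
A starting point for the "add your rules" step, as an added example that is not part of the original wiki page: the function prints an iptables-restore file that admits the AD DC service ports only from one client network and drops everything else inbound. The client network, the SSH rule and the dynamic RPC range passed in are assumptions; the RPC range depends on the Samba version, so set it to match your build.

```shell
#!/bin/sh
# Added example: print an iptables-restore ruleset for a Samba 4 AD DC.
#   $1  client network allowed to reach the DC (assumption, e.g. 10.0.0.0/24)
#   $2  dynamic RPC range as first:last (assumption; depends on Samba version)
ad_dc_rules() {
    net=$1
    rpc=$2
    # Reject anything that is not a plain IPv4 address/CIDR or a port range,
    # so a typo cannot end up as stray text in the rules file.
    case $net in
        ''|*[!0-9./]*) echo "bad network: $net" >&2; return 1 ;;
    esac
    case $rpc in
        *[!0-9:]*|*:*:*|:*|*:) echo "bad port range: $rpc" >&2; return 1 ;;
        *:*) ;;
        *) echo "bad port range: $rpc" >&2; return 1 ;;
    esac

    # DNS, Kerberos, RPC endpoint mapper, NetBIOS session, LDAP, SMB,
    # kpasswd, LDAPS, global catalog (plain and TLS)
    tcp_ports="53 88 135 139 389 445 464 636 3268 3269"
    # DNS, Kerberos, NetBIOS name and datagram, CLDAP, kpasswd
    udp_ports="53 88 137 138 389 464"
    new="-m conntrack --ctstate NEW -j ACCEPT"

    printf '%s\n' "*filter" ":INPUT DROP [0:0]" ":FORWARD DROP [0:0]" \
        ":OUTPUT ACCEPT [0:0]" \
        "-A INPUT -i lo -j ACCEPT" \
        "-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT" \
        "-A INPUT -p icmp -j ACCEPT"
    # SSH for administration (assumption: admins sit on the same network)
    printf '%s\n' "-A INPUT -s $net -p tcp --dport 22 $new"
    for p in $tcp_ports; do
        printf '%s\n' "-A INPUT -s $net -p tcp --dport $p $new"
    done
    for p in $udp_ports; do
        printf '%s\n' "-A INPUT -s $net -p udp --dport $p -j ACCEPT"
    done
    printf '%s\n' "-A INPUT -s $net -p tcp --dport $rpc $new" "COMMIT"
}

# Print a ruleset when run directly with both arguments.
if [ "$#" -eq 2 ]; then ad_dc_rules "$1" "$2"; fi
```

Write the output to a scratch file and check it with iptables-restore --test before copying it to /etc/sysconfig/iptables.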