AD Samba4

From Stadm
Revision as of 12:08, 26 July 2013 by Stadm1 (talk | contribs) (→‎NTP)
Jump to navigationJump to search


Samba 4 Active Directory DC

Installing Samba 4 onto CentOS

  • Install a minimal install of CentOS
  • change the hostname
hostname samba
  • manually edit or add network-scripts if not there
cd /etc/sysconfig/network-scripts/
vi ifcfg-eth0
  • Make sure these options are included
DEVICE=eth0
HWADDR=**:**:**:**:**:**
TYPE=ETHERNET
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=dhcp
  • restart the network
service network restart
  • run yum update
  • install vim or an editor of your choice, vi comes included with minimal
  • SELinux must be disabled:
vim /etc/sysconfig/selinux
  • change "SELINUX=enforcing" to "SELINUX=disabled"
  • restart the computer
shutdown -r now
  • install a couple packages that will be required for building and installing samba
yum install glibc glibc-devel gcc python* libacl-devel krb5-server krb5-workstation krb5-libs pam_krb5 make gnutls-devel openssl-devel bind bind-libs bind-utils
  • install git, git will be used to download samba
yum install git-core
git clone http://gitweb.samba.org/samba.git ~/samba-master
  • reboot server so all packages and updates are applied
shutdown -r now
  • login and build the samba install
cd ~/samba-master
./configure --enable-debug --enable-selftest
  • if it completes successfully
make
make install

Enabling Samba 4 as DC

  • run command
/usr/local/samba/bin/samba-tool domain provision
  • the domain-provision tool should pick all defaults automatically, however they can be changed to your liking
  • once the provision tool has finished successfully restart the server
shutdown -r now
  • once system has started enable samba 4 and add it start at boot
/usr/local/samba/sbin/samba
vim /etc/rc.d/rc.local
  • append "/usr/local/samba/sbin/samba" without quotations to the end of the file and then save
  • samba version as well as samba client version can be checked using the following commands
/usr/local/samba/sbin/samba -V
/usr/local/samba/bin/smbclient --version

Configuring DNS

  • not sure if needed, have not tested without DNS forwarding
  • DNS forwarding was set up on the domain provision ing using the samba-tool
cat /usr/local/samba/etc/smb.conf
  • there should be a line under "[global]" that says "dns forwarder = ***.***.***.***", if not it was not enabled during domain provisioning
  • edit resolv.conf
vim /etc/resolv.conf
  • edit to look like:
domain mydomain.com
nameserver 128.***.***.** 
  • where "128.***.***.***" is the ipaddress of the centos server
  • next go back and edit ifcfg-eth0 in network-scripts
vim /etc/sysconfig/network-scripts/ifcfg-eth0
  • change the file to look like this
DEVICE="eth0"
BOOTPROTO="none"
DEFROUTE="yes"
DNS1="128.***.***.**" #this is host ipaddress
GATEWAY=128.**.***.*
HWADDR="86:C4:C1:0D:29:AD"
IPADDR="128.***.***.**"
IPV4_FAILURE_FATAL="yes"
IPV6INIT="no"
NAME="System eth0"
NM_CONTROLLED="yes"
ONBOOT="yes"
PREFIX="24"
TYPE="Ethernet"
  • reboot so that all changes may take effect
shutdown -r now
  • login and test that the DNS is working properly
host -t SRV _ldap._tcp.mydomain.com
  • where mydomain.com is then name of the domain you are on
  • output should look like, where samba is the hostname of your server
_ldap._tcp.mydomain.com has SRV record 0 100 389 samba.mydomain.com
  • test with
host -t SRV _kerberos._udp.mydomain.com
  • output
_kerberos._udp.mydomain.com has SRV record 0 100 88 samba.mydomain.com
  • last test
host -t A samba.mydomain.com.
  • output should return your ip adddress
samba.mydomain.com has address 192.168.0.2
  • if test did not produce those outputs DNS has not been configured properly

Kerberos

  • make a backup of original kerberos file and replace it with the copy generated by samba
mv /etc/krb5.conf /etc/krb5.conf.bak
cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf
  • edit the new krb5.conf file and change the ${REALM} variable to the realm selected during domain provisioning
vim /etc/krb5.conf
  • test Kerberos using the kinit command
kinit administrator@MYDOMAIN.COM
  • if Kerberos is working you will be asked for your password
  • verify that it is working by running klist, output should look something along the lines of
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@MYDOMAIN.COM

Valid starting Expires Service principal
07/25/13 15:23:33 07/26/13 1:23:33 krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
renew until 07/26/13 15:23:31

NTP

  • install ntp
yum install ntp
  • start ntp
/etc/init.d/ntpd start
  • add ntp to start up
chkconfig ntpd on