Samba 4 - Active Directory Domain Controller in CentOS 6.2
=================================
Hostname: server.mycwwtest.com
IP Address: 172.16.23.43
DNS: 172.16.23.43 (the DC resolves against itself)
=================================
Installation of Samba 4.0.5 (built from source)
-----------------------------
Query the rpm database for any older Samba packages already installed:
# rpm -qa | grep samba
Set the hostname:
# vi /etc/sysconfig/network
HOSTNAME=server.mycwwtest.com
Add the hostname to /etc/hosts so the FQDN resolves even before the DC's own DNS server is up:
# vi /etc/hosts
172.16.23.43 server.mycwwtest.com server
Edit resolv.conf:
# vi /etc/resolv.conf
nameserver 172.16.23.43
search mycwwtest.com
SELinux is not used in this setup, so disable it. Be aware that this removes a mandatory-access-control layer from a server that will hold every domain credential; it is acceptable for a lab build installed under /usr/local/samba, where the distribution's samba policy does not apply anyway, but it is not a choice to carry into production without thought:
# vi /etc/sysconfig/selinux
SELINUX=disabled
# setenforce 0
If any older Samba packages are present, remove them with YUM:
# yum remove samba-winbind-client samba-common samba-client
Install the packages required for building Samba 4. krb5-server and bind are pulled in only for their tools and libraries; their daemons are stopped and disabled in the next step:
# yum install glibc glibc-devel gcc python* libacl-devel krb5-workstation krb5-libs \
    pam_krb5 git libblkid-devel gnutls-devel readline-devel python-devel gdb \
    pkgconfig zlib-devel setroubleshoot-server setroubleshoot-plugins \
    policycoreutils-python libsemanage-python setools-libs-python setools-libs \
    popt-devel libpcap-devel sqlite-devel libidn-devel libxml2-devel libsepol-devel \
    libattr-devel keyutils-libs-devel cyrus-sasl-devel make wget openssl-devel \
    krb5-server bind bind-libs bind-utils
Samba as an AD DC runs its own KDC on port 88 and, with the SAMBA_INTERNAL backend chosen below, its own DNS server on port 53. The MIT Kerberos daemons and named installed above must therefore be stopped and disabled, or samba will be unable to bind those ports:
# /etc/init.d/kadmin stop
# /etc/init.d/named stop
# /etc/init.d/krb5kdc stop
# chkconfig kadmin off
# chkconfig named off
# chkconfig krb5kdc off
You can download any stable release or check out the current tree from the Samba git repository (git://git.samba.org/samba.git, branch samba-master). A stable release is used here. Samba publishes a detached GPG signature (the .tar.asc file, made over the uncompressed tarball) next to each release; verify it against the Samba release key before building, since this code will end up holding the domain's Kerberos keys.
# tar -xzvf samba-4.0.5.tar.gz
# cd samba-4.0.5/
# ./configure --enable-selftest
# make && make install
Add the Samba 4 directories to PATH (the build installs everything under /usr/local/samba):
# export PATH=$PATH:/usr/local/samba/sbin:/usr/local/samba/bin
Provision Samba 4
The provision step creates the domain database (users, groups, SYSVOL) and is used when the Samba 4 server is the first DC of its own domain. --use-rfc2307 adds the RFC 2307 attributes (uidNumber, gidNumber and friends) to the schema so Unix IDs can later be assigned to domain users:
# /usr/local/samba/bin/samba-tool domain provision --use-rfc2307 --interactive
samba-tool derives defaults from the hostname and resolv.conf; change them only where needed. The suggested DNS forwarder is the DC's own address, which would make it forward to itself, so point it at a real upstream resolver:
Realm [MYCWWTEST.COM]: (press Enter)
Domain [MYCWWTEST]: (press Enter)
Server Role (dc, member, standalone) [dc]: (press Enter)
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: (press Enter)
DNS forwarder IP address (write 'none' to disable forwarding) [172.16.23.43]: 8.8.8.8
Administrator password:
Retype password:
The Administrator password must satisfy the default domain policy (minimum 7 characters, complexity enabled) or provisioning fails.
Edit named configuration
This step applies only if you chose the BIND9_DLZ backend. With SAMBA_INTERNAL (the default accepted above) Samba serves DNS itself, named stays disabled and this file is never read. For BIND9_DLZ, add the keytab and the Samba-generated include:
# vi /etc/named.conf
options {
    listen-on port 53 { any; };
    forwarders { 192.168.1.8; };
    allow-query { any; };
    tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";   // add this line
};
include "/usr/local/samba/private/named.conf";                  // add this line
Two cautions: with allow-query { any; } and recursion left at its default, named will recurse for every host that can reach port 53, so restrict allow-recursion to the internal networks; and the forwarder here (192.168.1.8) differs from the one given at provision time (8.8.8.8), so use whichever upstream resolver the network actually has, in both places.
Configure Kerberos
On CentOS 6 the Kerberos client libraries read /etc/krb5.conf. Make a backup copy of the existing file, then replace it with the one written at provision time. Use the copy under /usr/local/samba/private/, which has the realm filled in; the file under /usr/local/samba/share/setup/ is the unsubstituted template and still contains ${REALM} placeholders.
# cp /usr/local/samba/private/krb5.conf /etc/krb5.conf
Start Samba 4 AD DC
Start the samba daemon:
# /usr/local/samba/sbin/samba
If you would like Samba to start at boot, append the following to /etc/rc.d/rc.local:
/usr/local/samba/sbin/samba
Testing Samba as an Active Directory DC
Verify that you are running the expected version of Samba; it should start with 4 (the samba daemon must be running):
# /usr/local/samba/sbin/samba -V
Version 4.0.5
Verify that the client tools are the same version:
# /usr/local/samba/bin/smbclient --version
Version 4.0.5
Now list the shares on the Samba 4 server. -U% connects anonymously (a null session); seeing netlogon and sysvol without credentials is the expected result on a freshly provisioned DC:
# /usr/local/samba/bin/smbclient -L localhost -U%
Domain=[MYCWWTEST] OS=[Unix] Server=[Samba 4.0.5]
Sharename Type Comment
--------- ---- -------
netlogon Disk
sysvol Disk
IPC$ IPC IPC Service (Samba 4.0.5)
Domain=[MYCWWTEST] OS=[Unix] Server=[Samba 4.0.5]
Server Comment
--------- -------
Workgroup Master
--------- -------
Testing ports
Check that the samba process itself has bound the core AD ports (53 DNS, 88 Kerberos, 389 LDAP, 636 LDAPS). A DC also listens on 135 (RPC endpoint mapper), 445 (SMB) and 3268/3269 (global catalog); widen the grep if you want to see those as well:
# netstat -tapn | grep samba
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 26182/samba
tcp 0 0 0.0.0.0:88 0.0.0.0:* LISTEN 26182/samba
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 26182/samba
tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN 26182/samba
Testing Kerberos
The simplest test is to request a ticket with kinit:
# kinit administrator@MYCWWTEST.COM
Password for administrator@MYCWWTEST.COM:
Warning: Your password will expire in 41 days on Sun Feb 3 14:21:51 2013
Apart from that expiry warning, kinit prints nothing on success. To confirm that a ticket was actually issued, list the credential cache:
# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@MYCWWTEST.COM
Valid starting       Expires              Service principal
12/23/12 15:39:28    12/24/12 01:39:28    krbtgt/MYCWWTEST.COM@MYCWWTEST.COM
        renew until 12/24/12 15:39:19
Testing DNS
With samba running, check that its DNS server answers for the zone. Run the following commands and compare the output with what is shown. The SRV records are what domain members use to locate the DC; if they are missing, joins fail even though the A record resolves. Note that the reverse lookup only answers once a reverse zone exists; provisioning does not create one (samba-tool dns zonecreate does).
# dig server.mycwwtest.com
# dig mycwwtest.com
# dig -x 172.16.23.43
# host -t SRV _ldap._tcp.mycwwtest.com.
_ldap._tcp.mycwwtest.com has SRV record 0 100 389 server.mycwwtest.com.
# host -t SRV _kerberos._udp.mycwwtest.com.
_kerberos._udp.mycwwtest.com has SRV record 0 100 88 server.mycwwtest.com.
# host -t A server.mycwwtest.com.
server.mycwwtest.com has address 172.16.23.43
# nslookup server.mycwwtest.com
172.16.23.43
# nslookup -type=srv _kerberos._udp.mycwwtest.com.
# nslookup -type=srv _kerberos._tcp.mycwwtest.com.
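The port and SRV checks in the two sections above are done by eye. As an added example (my own script, not part of the original write-up), here is a POSIX shell script that applies the same checks to the text those commands print, so they can be scripted after provisioning. The netstat and host output embedded in it is constructed to match the listings above; the extra ports 135, 445, 3268 and 3269 are an assumption about what a DC must also expose beyond the four the page greps for.

```shell
#!/bin/sh
# Added example, not from the original page. Checks the "Testing ports" and
# "Testing DNS" results from text, so it runs offline against the constructed
# samples below and online against real `netstat -tapn` / `host -t SRV` output.

# TCP ports a Samba AD DC must have bound (assumption: SAMBA_INTERNAL DNS,
# so 53 belongs to samba too). 135/445/3268/3269 are not in the page's
# grep but are required for RPC, SMB and the global catalog.
REQUIRED_PORTS="53 88 135 389 445 636 3268 3269"

# missing_ports NETSTAT_TEXT
#   Prints the required ports with no LISTENing samba socket in NETSTAT_TEXT
#   (the `netstat -tapn` format). Exit status 1 if anything is missing.
missing_ports() {
    mp_missing=""
    for mp_port in $REQUIRED_PORTS; do
        if ! printf '%s\n' "$1" |
           grep -E "^tcp6? +[0-9]+ +[0-9]+ +[^ ]+:${mp_port} +[^ ]+ +LISTEN +[0-9]+/samba" >/dev/null
        then
            mp_missing="${mp_missing}${mp_missing:+ }${mp_port}"
        fi
    done
    printf '%s\n' "$mp_missing"
    [ -z "$mp_missing" ]
}

# srv_target HOST_OUTPUT NAME PORT
#   Prints the target host of NAME's SRV record that advertises PORT, parsed
#   from `host -t SRV` output. Exit status 1 if no such record is present.
srv_target() {
    st_line=$(printf '%s\n' "$1" |
              grep -E "^$2\.? has SRV record [0-9]+ [0-9]+ $3 " | head -n 1)
    [ -n "$st_line" ] || return 1
    printf '%s\n' "${st_line##* }"
}

# Constructed sample: the page's netstat listing, which lacks 135/445/GC.
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:53      0.0.0.0:*   LISTEN   26182/samba
tcp        0      0 0.0.0.0:88      0.0.0.0:*   LISTEN   26182/samba
tcp        0      0 0.0.0.0:389     0.0.0.0:*   LISTEN   26182/samba
tcp        0      0 0.0.0.0:636     0.0.0.0:*   LISTEN   26182/samba'

# Constructed sample: the two SRV answers shown on the page.
SAMPLE_SRV='_ldap._tcp.mycwwtest.com has SRV record 0 100 389 server.mycwwtest.com.
_kerberos._udp.mycwwtest.com has SRV record 0 100 88 server.mycwwtest.com.'

main() {
    printf 'ports not bound by samba: [%s]\n' "$(missing_ports "$SAMPLE_NETSTAT")"
    printf 'LDAP SRV target: %s\n' "$(srv_target "$SAMPLE_SRV" _ldap._tcp.mycwwtest.com 389)"
    if ! srv_target "$SAMPLE_SRV" _kerberos._tcp.mycwwtest.com 88 >/dev/null; then
        printf 'no _kerberos._tcp SRV record in sample\n'
    fi
    # Live use on the DC:
    #   missing_ports "$(netstat -tapn)"
    #   srv_target "$(host -t SRV _ldap._tcp.mycwwtest.com.)" _ldap._tcp.mycwwtest.com 389
}
main "$@"
```

Against the page's own netstat listing the script reports 135, 445, 3268 and 3269 as unbound, which is exactly the gap a grep for four ports hides; run it with live output before pointing any client at the DC.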
NTP (Network Time Protocol)
Kerberos tolerates only a few minutes of clock skew, so the DC must serve accurate time to its clients. Make sure ntpd is installed and running; if it is not installed, install it with YUM:
# yum install ntp
Configure ntpd to sign its replies for domain members (the mssntp restriction) using the socket that Samba provides:
# vi /etc/ntp.conf
ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/
restrict default kod nomodify notrap nopeer mssntp
ntpd runs as the ntp user, so it must be able to reach that socket: give /usr/local/samba/var/lib/ntp_signd/ the ntp group and mode 750, otherwise signing fails silently and Windows clients refuse the time.
Enable ntpd:
# /etc/init.d/ntpd start
Also use chkconfig to have ntpd run at boot:
# chkconfig ntpd on
Configure Windows Client to Join Domain
The following describes how to add a Windows 7 client to the Samba DC; the same principle applies to other versions of Windows.
To keep DHCP out of the picture while testing, give the Windows 7 client's NIC a static IP address, with the DC (172.16.23.43) as its only DNS server, since the join depends entirely on the SRV records the DC serves. Click 'OK' to save the changes.
Now bring up a command prompt in Windows and ping the Samba DC:
ping 172.16.23.43
Verify that DNS is working correctly by pinging the FQDN and resolving the host, the domain and the reverse address:
ping server.mycwwtest.com
Run -> cmd -> nslookup server.mycwwtest.com
Run -> cmd -> nslookup mycwwtest.com
Run -> cmd -> nslookup 172.16.23.43
If both pings get replies, the Samba DC is reachable and resolvable from the client. You may need to reboot Windows for the network settings to take effect.
Join Windows 7 Client to the Domain
1. Right-click the 'My Computer' icon and choose 'Properties'.
2. From the left-hand pane click 'Advanced system settings'.
3. Choose the 'Computer Name' tab and click 'Change...'.
4. Select the 'Domain' option and enter MYCWWTEST.COM. If this fails, try MYCWWTEST.
5. When prompted for a username and password, enter 'Administrator' and the password you set when you ran 'samba-tool domain provision'.
6. You should get a message box stating 'Welcome to the MYCWWTEST.COM domain'.
7. Click OK on this message box and on the Properties window; you will then be instructed to restart the computer.
8. After restarting you are presented with the normal login dialog. Click the 'Switch User' button.
9. Choose 'Other user', enter a domain account (MYCWWTEST\username) and its password, and press 'Enter' or the arrow button.
10. You should then authenticate and log in to Windows.
Install Windows Remote Administration Tools
To manage the domain from a GUI, install the Remote Server Administration Tools (RSAT), which provide the Active Directory management consoles.
Windows 7
1. Download the Windows Remote Server Administration Tools.
2. Follow the 'Install RSAT' instructions.
3. Enable the necessary components in 'Control Panel -> Programs -> Turn Windows features on or off -> Remote Server Administration Tools'.
4. You may need to add the Administrative Tools to your start menu: right-click the 'Start button' and select 'Properties -> Start Menu tab -> Customize... -> System administrative tools -> Display on the All Programs menu'.
Configure roaming profile in Samba 4 on CentOS 6.2
A roaming profile is a domain feature that lets users reach their personal profile data from any computer joined to the same domain. The profile's storage location is defined on the domain server, so at every logon the user is redirected to that location and the profile becomes computer-independent.
Create the directory that will hold the profiles:
# mkdir /usr/local/samba/var/profiles
Now add a share for this directory to smb.conf so domain users can reach it:
# vi /usr/local/samba/etc/smb.conf
[profiles]
    path = /usr/local/samba/var/profiles
    read only = no
Samba was started by hand (this source build installs no init script), so restart it by stopping the running process and starting it again, then get a fresh ticket:
# killall samba
# /usr/local/samba/sbin/samba
# kinit administrator@MYCWWTEST.COM
Once Samba is back up, check that the new share is listed:
# smbclient -L localhost -U%
Sharename Type Comment
--------- ---- -------
netlogon Disk
sysvol Disk
profiles Disk
IPC$ IPC IPC Service
Now go to the Windows client on which you installed the remote administration tools for the domain and run dsa.msc (Active Directory Users and Computers).
Open the user for whom you want a roaming profile and, under the 'Profile' tab of the properties dialog, set the profile path to the UNC path of the share followed by the username (for this server and share, \\server.mycwwtest.com\profiles\user1).
Then update the policy on the client and log the user on once.
Back on the server, a directory named after the user has been created under the profiles directory:
# cd /usr/local/samba/var/profiles
# ls -l
drwxr-xr-x 32 450012 users 4096 Jan  2 15:35 user1
Note the mode: the profile directory is world-readable (0755) on the server, owned by the user's mapped uid (450012) with group 'users'. A roaming profile holds the user's documents and application data, so tighten this before other users get accounts: keep the top-level profiles directory writable by domain users but sticky, leave each user's own directory readable only by its owner, and set matching ACLs on the share from Windows so users cannot browse each other's profiles.
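The listing above shows the profile directory created with mode 0755, readable by every account on the server. As an added example (my own script, not part of the original write-up), here is a POSIX shell script that flags such directories from `ls -l` output and tightens them. The listing it embeds is constructed (the page's user1 plus invented entries), and the 1770/0700 modes assume the profiles directory's group is the domain users group, so that users can create their own profile folder but not read anyone else's.

```shell
#!/bin/sh
# Added example, not from the original page. Finds roaming-profile
# directories that group or other can read, and locks them down.

# Constructed sample: the page's listing of /usr/local/samba/var/profiles
# plus two invented profile directories and a stray file.
SAMPLE_LS='total 12
drwxr-xr-x 32 450012 users 4096 Jan  2 15:35 user1
drwx------ 10 450013 users 4096 Jan  3 09:12 user2
drwxrwx---  4 450014 users 4096 Jan  3 10:40 user3
-rw-r--r--  1 root   root    42 Jan  1 00:00 README'

# readable_profiles LS_TEXT
#   Prints the names of directories in LS_TEXT (`ls -l` format) whose mode
#   grants read to group or other, i.e. profiles other users could browse.
#   Exit status 1 if any were found, 0 if all are owner-only.
readable_profiles() {
    rp_found=""
    while IFS= read -r rp_line; do
        case $rp_line in
            d*) ;;          # directories only: one per user profile
            *) continue ;;
        esac
        rp_mode=${rp_line%% *}          # first field, e.g. drwxr-xr-x
        rp_name=${rp_line##* }          # last field, the directory name
        rp_grp=$(printf '%s' "$rp_mode" | cut -c5)   # group read bit
        rp_oth=$(printf '%s' "$rp_mode" | cut -c8)   # other read bit
        if [ "$rp_grp" = r ] || [ "$rp_oth" = r ]; then
            rp_found="${rp_found}${rp_found:+ }${rp_name}"
        fi
    done <<EOF
$1
EOF
    printf '%s\n' "$rp_found"
    [ -z "$rp_found" ]
}

# fix_profile_dirs DIR
#   Top level 1770: members of DIR's group (assumption: the domain users
#   group) can create their own profile folder but cannot list or delete
#   each other's. Each existing per-user directory becomes 0700.
fix_profile_dirs() {
    chmod 1770 "$1" || return 1
    for fp_dir in "$1"/*/; do
        [ -d "$fp_dir" ] || continue
        chmod 0700 "$fp_dir" || return 1
    done
    return 0
}

main() {
    printf 'profiles readable by others: [%s]\n' "$(readable_profiles "$SAMPLE_LS")"
    # Live use on the DC:
    #   readable_profiles "$(ls -l /usr/local/samba/var/profiles)"
    #   fix_profile_dirs /usr/local/samba/var/profiles
}
main "$@"
```

On the constructed listing the script reports user1 and user3; user2 is already private. POSIX modes are only half the story on an AD share, so pair this with the Windows-side ACLs mentioned above, but it catches the server-local exposure the ls output makes visible.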