Samba 4 Domain Controller Installation On CentOS 7

Samba 4 Domain Controller Installation on CentOS 7 https://www.howtoforge.com/tutorial/samba-4-domain-controller-installa...
English | Deutsch Log in or Sign up
Tutorial search
Ad Scan your Web-Server for Malware with

ISPProtect now. Get Free Trial.
Samba 4 Domain
Controller
Installation on
CentOS 7
On this page
Installation of Samba 4
Adding the Windows host to
the domain
Installing RSAT tool in
Windows 10
Client authentication with
Samba 4 on CentOS 7
Samba 4 on CentOS 6
Starting from version 4.0, Samba is able

to run as an Active Directory (AD)
domain controller (DC). In this tutorial, I
will show you how to configure Samba 4
as a domain controller with Windows 10,
CentOS 7 and CentOS 6 clients.
In this tutorial, I will compile Samba 4
1 sur 24 28/02/2018 à 18:34

from source. If you are seeking for a

Samba 4 RPM based installation and
SELinux configuration for Samba 4,
please see my new Samba 4 tutorial
here.
I will be using 3 Systems, one CentOS 7

server and a Windows 10 client for
remote management, a CentOS 7 and
CentOS 6 client.
192.168.1.190 Samba4 AD centos7

192.168.1.191 remote management win
10
192.168.1.22 - client Authentication -
centos 7
192.168.1.192 - client Authentication -
centos 6
Installation of Samba 4
192.168.1.190 Samba4 AD centos 7
Basis is a CentOS 7 with a minimal

install and SELinux disabled.
[root@samba4 ~]# sestatus

SELinux status: disabled
[root@samba4 ~]#
Make an entry in the /etc/hosts file.
2 sur 24 28/02/2018 à 18:34

[
r
o
o
t
@
s
a
m
b
a
4
~
]
#
c
a
t
/
e
t
c
/
h
o
s
t
s
1
2
7
.
0
.
0
.
1
l
o
c
a
l
h
o
s
t
l
o
c
a
l
h
o
s
t
.
l
o
c
a
l
d
o
m
a
3 sur 24 28/02/2018 à 18:34

in localhost4 localhost4.localdomai
n4
::1 localhost localhost.loc
aldomain localhost6 localhost6.loca
ldomain6
192.168.1.190 samba4.sunil.cc sam
ba4
[root@samba4 ~]#
Install the epel repo.
[root@samba4 ~]# yum install epel-

release -y
Install all the packages needed to

compile samba4.
[root@samba4 ~]# yum install perl g

cc libacl-devel libblkid-devel gnut
ls-devel readline-devel python-deve
l gdb pkgconfig krb5-workstation zl
ib-devel setroubleshoot-server liba
io-devel setroubleshoot-plugins\
policycoreutils-python libsemanage-
python setools-libs-python setools-
libs popt-devel libpcap-devel sqlit
e-devel libidn-devel libxml2-devel
libacl-devel libsepol-devel libattr
-devel keyutils-libs-devel\
cyrus-sasl-devel cups-devel bind-ut
ils libxslt docbook-style-xsl openl
dap-devel pam-devel bzip2 vim wget
-y
Now download samba4 package . I use

samba-4.6.0 which is latest during this
setup.
[root@samba4 ~]# wget https://down

load.samba.org/pub/samba/stable/sam
ba-4.6.0.tar.gz
Now lets install samba4.
[root@samba4 ~]# tar -zxvf samba-

4.6.0.tar.gz
[root@samba4 ~]# cd samba-4.6.0
[root@samba4 samba-4.6.0]# ./conf
igure --enable-debug --enable-selft
est --with-ads --with-systemd --wit
h-winbind
[root@samba4 samba-4.6.0]# make &
& make install
4 sur 24 28/02/2018 à 18:34

The installation will take about 10

minutes depending on the system
speed.
Now we will do the domain provisioning.
[root@samba4 samba]# samba-tool dom

ain provision --use-rfc2307 --inter
active
Realm [SUNIL.CC]:
Domain [SUNIL]:
Server Role (dc, member, standalon
e) [dc]: dc
DNS backend (SAMBA_INTERNAL, BIND9
_FLATFILE, BIND9_DLZ, NONE) [SAMBA_
INTERNAL]:
DNS forwarder IP address (write 'n
one' to disable forwarding) [4.2.2.
1]:
Administrator password:
Retype password:
Looking up IPv4 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and s
ettings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD sche
ma
Adding DomainDN: DC=sunil,DC=cc
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration da
ta
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security prin
cipals
Setting up sam.ldb users and groups
ERROR(ldb): uncaught exception - op
erations error at ../source4/dsdb/s
amdb/ldb_modules/password_hash.c:28
20
File "/usr/local/samba/lib64/pyth
on2.7/site-packages/samba/netcmd/__
init__.py", line 176, in _run
return self.run(*args, **kwargs
)
on2.7/site-packages/samba/netcmd/do
main.py", line 471, in run
nosync=ldap_backend_nosync, lda
5 sur 24 28/02/2018 à 18:34

p_dryrun_mode=ldap_dryrun_mode)
on2.7/site-packages/samba/provision
/__init__.py", line 2175, in provis
ion
skip_sysvolacl=skip_sysvolacl)
/__init__.py", line 1787, in provis
ion_fill
next_rid=next_rid, dc_rid=dc_ri
d)
/__init__.py", line 1447, in fill_s
amdb
"KRBTGTPASS_B64": b64encode(krb
tgtpass.encode('utf-16-le'))
/common.py", line 55, in setup_add_
ldif
ldb.add_ldif(data, controls)
on2.7/site-packages/samba/__init__.
py", line 225, in add_ldif
self.add(msg, controls)
[root@samba4 samba]#
There will be some errors when we do

the provisioning of domain.
To fix them, please comment out the

below line in /etc/krb5.conf.
--------
#includedir /etc/krb5.conf.d/
--------
Run the domain provisioning again and

now the domain will get created without
errors.
[root@samba4 etc]# samba-tool dom

ain provision --use-rfc2307 --inter
active
Realm [SUNIL.CC]:
Domain [SUNIL]:
Server Role (dc, member, standalon
e) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9
_FLATFILE, BIND9_DLZ, NONE) [SAMBA_
INTERNAL]:
DNS forwarder IP address (write 'n
one' to disable forwarding) [4.2.2.
1]:
Administrator password:
Retype password:
6 sur 24 28/02/2018 à 18:34


No IPv6 address will be assigned
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and s
ettings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD sche
ma
Adding DomainDN: DC=sunil,DC=cc
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration da
ta
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security prin
cipals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,
DC=sunil,DC=cc
Creating DomainDnsZones and ForestD
nsZones partitions
Populating DomainDnsZones and Fores
tDnsZones partitions
Setting up sam.ldb rootDSE marking
as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable f
or Samba AD has been generated at /
usr/local/samba/private/krb5.conf
Setting up fake yp server settings
Once the above files are installed,
your Samba4 server will be ready to
use
Server Role: active direc
tory domain controller
Hostname: samba4
NetBIOS Domain: SUNIL
DNS Domain: sunil.cc
DOMAIN SID: S-1-5-21-293
6486394-2075362935-551615353
[root@samba4 etc]#
Make sure the ports are open in the

firewall.
[root@samba4 etc]#firewall-cmd --ad

d-port=53/tcp --permanent;firewall-
cmd --add-port=53/udp --permanent;f
irewall-cmd --add-port=88/tcp --per
manent;firewall-cmd --add-port=88/u
dp --permanent; \
firewall-cmd --add-port=135/tcp --p
ermanent;firewall-cmd --add-port=13
7 sur 24 28/02/2018 à 18:34

7-138/udp --permanent;firewall-cmd
--add-port=139/tcp --permanent; \
9/udp --permanent;firewall-cmd --ad
d-port=445/tcp --permanent; \
4/udp --permanent;firewall-cmd --ad
d-port=636/tcp --permanent; \
firewall-cmd --add-port=1024-5000/t
cp --permanent;firewall-cmd --add-p
ort=3268-3269/tcp --permanent
[root@samba4 ~]# firewall-cmd --rel
oad
Create a startup script to autostart the

service during reboot.
[root@samba4 ~]# cat /etc/systemd/s

ystem/samba.service
[Unit]
Description= Samba 4 Active Directo
ry
After=syslog.target
After=network.target
[Service]
Type=forking
PIDFile=/usr/local/samba/var/run/sa
mba.pid
ExecStart=/usr/local/samba/sbin/sam
ba
[Install]
WantedBy=multi-user.target
[root@samba4 ~]#
[root@samba4 ~]# systemctl enable s

amba
Created symlink from /etc/systemd/s
ystem/multi-user.target.wants/samba
.service to /etc/systemd/system/sam
ba.service.
[root@samba4 ~]# systemctl start sa
mba
Adding the Windows host

to the domain
192.168.1.191 remote
management win 10
Make sure the host is added with a

static ipaddress.
8 sur 24 28/02/2018 à 18:34

Adding the host to the domain.
9 sur 24 28/02/2018 à 18:34

To manage Samba4 from Windows, we

need to have the Microsoft Remote
Server Tools (RSAT) installed.
The wiki page has the

links https://wiki.samba.org/index.php
/Installing_RSAT
Installing RSAT tool in

Windows 10
Run the installer.
10 sur 24 28/02/2018 à 18:34

After reboot go to run and type in

dsa.msc
Click on sunil.cc domain and right click

new -> Users.
11 sur 24 28/02/2018 à 18:34

Creating a test user.

Samba 4 on CentOS 7
192.168.1.22 - client Authentication on

CentOS 7
12 sur 24 28/02/2018 à 18:34

Installation of packages:
[root@centos7 ~]# yum -y install

realmd sssd oddjob oddjob-mkhomedir
adcli samba-common
Check connectivity with samba4:
[root@centos7 ~]# realm discover

SUNIL.CC
sunil.cc
type: kerberos
realm-name: SUNIL.CC
domain-name: sunil.cc
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedi
r
required-package: sssd
required-package: adcli
required-package: samba-common-to
ols
login-formats: %U
login-policy: allow-realm-logins
[root@centos7 ~]#
Joining the domain.
[root@centos7 ~]# realm join SUNIL

.CC
Password for Administrator:
[root@centos7 ~]#
Check whether we are able to get the

user from samba4.
[root@centos7 ~]# id SUNIL\\testuse

r
uid=1570001104(testuser@sunil.cc) g
id=1570000513(domain users@sunil.cc
) groups=1570000513(domain users@su
nil.cc)
[root@centos7 ~]#
Configure sssd.
[root@centos7 ~]# cat /etc/sssd/sss

d.conf
13 sur 24 28/02/2018 à 18:34

[sssd]
domains = sunil.cc
config_file_version = 2
services = nss, pam
[domain/sunil.cc]
ad_domain = sunil.cc
krb5_realm = SUNIL.CC
realmd_tags = manages-system joined
-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = Tr
ue
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
[root@centos7 ~]#
Restart sssd.
[root@centos7 ~]# systemctl restart

sssd
[root@centos7 ~]# systemctl enable
sssd
Check the user.
[root@centos7 ~]# id sambauser@suni

l.cc
uid=1570001105(sambauser@sunil.cc)
gid=1570000513(domain users@sunil.c
c) groups=1570000513(domain users@s
unil.cc),1570000512(domain admins@s
unil.cc),1570000572(denied rodc pas
sword replication group@sunil.cc)
[root@centos7 ~]#
To get the user without domain name.
[root@centos7 ~]# vim /etc/sssd/sss

d.conf
-----------
------------
use_fully_qualified_names = False
-----------
-----------
Restart sssd and check id command.
[root@centos7 ~]# systemctl restart

sssd
[root@centos7 ~]# id sambauser
14 sur 24 28/02/2018 à 18:34

uid=1570001105(sambauser) gid=15700
00513(domain users) groups=15700005
13(domain users),1570000512(domain
admins),1570000572(denied rodc pass
word replication group)
[root@centos7 ~]#

Samba 4 on CentOS 6
192.168.1.192 - client Authentication on

CentOS 6.
Installation of packages.
[root@centos6 db]# yum install

pam pam_ldap pam_krb5 sssd sssd-lda
p sssd-common authconfig oddjob odd
job-mkhomedir openldap openldap-cli
ents krb5-workstation adcli -y
Change the kerberos config file.
[root@centos6 db]# cat /etc/krb5

.conf
[logging]
default = FILE:/var/log/krb5libs.l
og
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmi
nd.log
[libdefaults]
default_realm = SUNIL.CC
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
SUNIL.CC = {
kdc = samba4.sunil.cc
admin_server = samba4.sunil.cc
}
[domain_realm]
.sunil.cc = SUNIL.CC
sunil.cc = SUNIL.CC
[root@centos6 db]#
We will use adcli command to join the
15 sur 24 28/02/2018 à 18:34

domain.
[root@centos6 db]# adcli info su

nil.cc
[domain]
domain-name = sunil.cc
domain-short = SUNIL
domain-forest = sunil.cc
domain-controller = samba4.sunil.cc
domain-controller-site = Default-Fi
rst-Site-Name
domain-controller-flags = pdc gc ld
ap ds kdc timeserv closest writable
good-timeserv full-secret
domain-controller-usable = yes
domain-controllers = samba4.sunil.c
c
[computer]
computer-site = Default-First-Site-
Name
[root@centos6 db]#
[root@centos6 db]# adcli join sunil
.cc
Password for Administrator@SUNIL.CC
:
[root@centos6 db]#
Make sure the kerberos ticket is created.
[root@centos6 db]# klist -ke
Configure authentication.
[root@centos6 db]# authconfig --

enablesssd --enablesssdauth --enabl
emkhomedir --update
Modify the sssd config now to do the

authentication.
[root@centos6 db]# cat /etc/sssd

/sssd.conf
[sssd]
services = nss, pam, ssh, autofs
config_file_version = 2
domains = sunil.cc
[domain/sunil.cc]
id_provider = ad
# Uncomment if service discovery is
not working
# ad_server = server.win.example.co
m
default_shell = /bin/bash
16 sur 24 28/02/2018 à 18:34

fallback_homedir = /home/%u
[root@centos6 db]#
Restart sssd service.
[root@centos6 db]# chkconfig sss

d on
[root@centos6 db]# service sssd res
tart
Stopping sssd:
[ OK ]
Starting sssd:
[ OK ]
[root@centos6 db]#
Validating user.
[root@centos6 db]# id sambauser

uid=1570001105(sambauser) gid=15700
00513(domain users) groups=15700005
13(domain users),1570000512(domain
admins),1570000572(denied rodc pass
word replication group)
[root@centos6 db]#
view as pdf | print
Share this page: Tweet Follow
17 sur 24 28/02/2018 à 18:34

18 sur 24 28/02/2018 à 18:34

19 sur 24 28/02/2018 à 18:34

20 sur 24 28/02/2018 à 18:34

21 sur 24 28/02/2018 à 18:34

22 sur 24 28/02/2018 à 18:34

23 sur 24 28/02/2018 à 18:34

Xenforo skin by Xenfocus Contribute Contact Help Imprint Tutorials Top
Howtoforge © projektfarm GmbH. Terms
24 sur 24 28/02/2018 à 18:34

Samba 4 Domain Controller Installation On CentOS 7

Transféré par

Informations du document

Titre original

Copyright

Formats disponibles

Partager ce document

Partager ou intégrer le document

Options de partage

Avez-vous trouvé ce document utile ?

Ce contenu est-il inapproprié ?

Droits d'auteur :

Formats disponibles

Samba 4 Domain Controller Installation On CentOS 7

Transféré par

Droits d'auteur :

Formats disponibles

Samba 4 Domain Controller Installation on CentOS 7 https://www.howtoforge.com/tutorial/samba-4-domain-controller-installa...

English | Deutsch Log in or Sign up

Ad Scan your Web-Server for Malware with

Starting from version 4.0, Samba is able

In this tutorial, I will compile Samba 4

1 sur 24 28/02/2018 à 18:34

from source. If you are seeking for a

I will be using 3 Systems, one CentOS 7

192.168.1.190 Samba4 AD centos7

192.168.1.190 Samba4 AD centos 7

Basis is a CentOS 7 with a minimal

[root@samba4 ~]# sestatus

Make an entry in the /etc/hosts file.

2 sur 24 28/02/2018 à 18:34

3 sur 24 28/02/2018 à 18:34

Install the epel repo.

[root@samba4 ~]# yum install epel-

Install all the packages needed to

[root@samba4 ~]# yum install perl g

Now download samba4 package . I use

[root@samba4 ~]# wget https://down

Now lets install samba4.

[root@samba4 ~]# tar -zxvf samba-

4 sur 24 28/02/2018 à 18:34

The installation will take about 10

Now we will do the domain provisioning.

[root@samba4 samba]# samba-tool dom

5 sur 24 28/02/2018 à 18:34

There will be some errors when we do

To fix them, please comment out the

Run the domain provisioning again and

[root@samba4 etc]# samba-tool dom

6 sur 24 28/02/2018 à 18:34

Looking up IPv6 addresses

Make sure the ports are open in the

[root@samba4 etc]#firewall-cmd --ad

7 sur 24 28/02/2018 à 18:34

Create a startup script to autostart the

[root@samba4 ~]# cat /etc/systemd/s

[root@samba4 ~]# systemctl enable s

Adding the Windows host

Make sure the host is added with a

8 sur 24 28/02/2018 à 18:34

Adding the host to the domain.

9 sur 24 28/02/2018 à 18:34

To manage Samba4 from Windows, we

The wiki page has the

Installing RSAT tool in

Run the installer.

10 sur 24 28/02/2018 à 18:34

After reboot go to run and type in

Click on sunil.cc domain and right click

11 sur 24 28/02/2018 à 18:34

Creating a test user.

Client authentication with

192.168.1.22 - client Authentication on

12 sur 24 28/02/2018 à 18:34

[root@centos7 ~]# yum -y install

Check connectivity with samba4:

[root@centos7 ~]# realm discover

Joining the domain.

[root@centos7 ~]# realm join SUNIL

Check whether we are able to get the