
Samba 4 Domain Controller Installation on CentOS 7 https://www.howtoforge.com/tutorial/samba-4-domain-controller-installa...


Samba 4 Domain Controller Installation on CentOS 7

On this page

Installation of Samba 4
Adding the Windows host to the domain
Installing RSAT tool in Windows 10
Client authentication with Samba 4 on CentOS 7
Client authentication with Samba 4 on CentOS 6

Starting from version 4.0, Samba is able to run as an Active Directory (AD) domain controller (DC). In this tutorial, I will show you how to configure Samba 4 as a domain controller with Windows 10, CentOS 7 and CentOS 6 clients.

In this tutorial, I will compile Samba 4 from source. If you are looking for a Samba 4 RPM-based installation and SELinux configuration for Samba 4, please see my new Samba 4 tutorial here.

I will be using 3 systems, one CentOS 7 server and a Windows 10 client for remote management, a CentOS 7 and CentOS 6 client.

192.168.1.190 Samba4 AD centos7
192.168.1.191 remote management win 10
192.168.1.22 - client Authentication - centos 7
192.168.1.192 - client Authentication - centos 6

Installation of Samba 4

192.168.1.190 Samba4 AD centos 7

The base system is a CentOS 7 minimal install with SELinux disabled.

[root@samba4 ~]# sestatus
SELinux status: disabled
[root@samba4 ~]#

Make an entry in the /etc/hosts file.

[root@samba4 ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.1.190 samba4.sunil.cc samba4
[root@samba4 ~]#

Install the epel repo.

[root@samba4 ~]# yum install epel-release -y

Install all the packages needed to compile Samba 4.

[root@samba4 ~]# yum install perl gcc libacl-devel libblkid-devel gnutls-devel readline-devel python-devel gdb pkgconfig krb5-workstation zlib-devel setroubleshoot-server libaio-devel setroubleshoot-plugins \
policycoreutils-python libsemanage-python setools-libs-python setools-libs popt-devel libpcap-devel sqlite-devel libidn-devel libxml2-devel libacl-devel libsepol-devel libattr-devel keyutils-libs-devel \
cyrus-sasl-devel cups-devel bind-utils libxslt docbook-style-xsl openldap-devel pam-devel bzip2 vim wget -y

Now download the Samba 4 package. I use samba-4.6.0, which was the latest version at the time of this setup.

[root@samba4 ~]# wget https://download.samba.org/pub/samba/stable/samba-4.6.0.tar.gz

Now let's install Samba 4.

[root@samba4 ~]# tar -zxvf samba-4.6.0.tar.gz
[root@samba4 ~]# cd samba-4.6.0
[root@samba4 samba-4.6.0]# ./configure --enable-debug --enable-selftest --with-ads --with-systemd --with-winbind
[root@samba4 samba-4.6.0]# make && make install

The installation will take about 10 minutes depending on the system speed.

Now we will do the domain provisioning.

[root@samba4 samba]# samba-tool domain provision --use-rfc2307 --interactive
Realm [SUNIL.CC]:
Domain [SUNIL]:
Server Role (dc, member, standalone) [dc]: dc
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
DNS forwarder IP address (write 'none' to disable forwarding) [4.2.2.1]:
Administrator password:
Retype password:
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=sunil,DC=cc
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
ERROR(ldb): uncaught exception - operations error at ../source4/dsdb/samdb/ldb_modules/password_hash.c:2820
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 471, in run
    nosync=ldap_backend_nosync, ldap_dryrun_mode=ldap_dryrun_mode)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 2175, in provision
    skip_sysvolacl=skip_sysvolacl)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1787, in provision_fill
    next_rid=next_rid, dc_rid=dc_rid)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1447, in fill_samdb
    "KRBTGTPASS_B64": b64encode(krbtgtpass.encode('utf-16-le'))
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/common.py", line 55, in setup_add_ldif
    ldb.add_ldif(data, controls)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/__init__.py", line 225, in add_ldif
    self.add(msg, controls)

[root@samba4 samba]#

There will be some errors when provisioning the domain.

To fix them, please comment out the line below in /etc/krb5.conf.

--------
#includedir /etc/krb5.conf.d/
--------

Run the domain provisioning again and now the domain will get created without errors.

[root@samba4 etc]# samba-tool domain provision --use-rfc2307 --interactive
Realm [SUNIL.CC]:
Domain [SUNIL]:
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
DNS forwarder IP address (write 'none' to disable forwarding) [4.2.2.1]:
Administrator password:
Retype password:
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=sunil,DC=cc
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=sunil,DC=cc
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba AD has been generated at /usr/local/samba/private/krb5.conf
Setting up fake yp server settings
Once the above files are installed, your Samba4 server will be ready to use
Server Role: active directory domain controller
Hostname: samba4
NetBIOS Domain: SUNIL
DNS Domain: sunil.cc
DOMAIN SID: S-1-5-21-2936486394-2075362935-551615353

[root@samba4 etc]#

Make sure the ports are open in the firewall.

[root@samba4 etc]# firewall-cmd --add-port=53/tcp --permanent;firewall-cmd --add-port=53/udp --permanent;firewall-cmd --add-port=88/tcp --permanent;firewall-cmd --add-port=88/udp --permanent; \
firewall-cmd --add-port=135/tcp --permanent;firewall-cmd --add-port=137-138/udp --permanent;firewall-cmd --add-port=139/tcp --permanent; \
firewall-cmd --add-port=389/tcp --permanent;firewall-cmd --add-port=389/udp --permanent;firewall-cmd --add-port=445/tcp --permanent; \
firewall-cmd --add-port=464/tcp --permanent;firewall-cmd --add-port=464/udp --permanent;firewall-cmd --add-port=636/tcp --permanent; \
firewall-cmd --add-port=1024-5000/tcp --permanent;firewall-cmd --add-port=3268-3269/tcp --permanent
[root@samba4 ~]# firewall-cmd --reload
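
To check the result after the reload, the active port list can be compared with the ports opened above. The script below is an added example, not part of the original tutorial: it takes the space-separated output of `firewall-cmd --list-ports` as a string and reports tutorial ports that are not covered as well as open entries the tutorial did not ask for. The function names and the sample list are constructed for illustration.

```shell
#!/bin/sh
# Added example: diff a firewalld port list against the ports opened above.

# Entries taken from the firewall-cmd commands in this tutorial.
EXPECTED="53/tcp 53/udp 88/tcp 88/udp 135/tcp 137-138/udp 139/tcp 389/tcp
389/udp 445/tcp 464/tcp 464/udp 636/tcp 1024-5000/tcp 3268-3269/tcp"

# covered LOW HIGH PROTO LIST: true if a single entry of LIST (in the format
# printed by "firewall-cmd --list-ports") spans LOW..HIGH for PROTO.
covered() {
    for entry in $4; do
        [ "${entry#*/}" = "$3" ] || continue
        range=${entry%/*}
        [ "$1" -ge "${range%-*}" ] && [ "$2" -le "${range#*-}" ] && return 0
    done
    return 1
}

# Print EXPECTED entries that LIST does not cover (services that would break).
missing_ports() {
    for want in $EXPECTED; do
        r=${want%/*}
        covered "${r%-*}" "${r#*-}" "${want#*/}" "$1" || echo "$want"
    done
}

# Print LIST entries that fall outside EXPECTED (drift worth reviewing).
unexpected_ports() {
    for have in $1; do
        r=${have%/*}
        covered "${r%-*}" "${r#*-}" "${have#*/}" "$EXPECTED" || echo "$have"
    done
}

# Constructed sample list: 445/tcp was never added, 8080/tcp was added later.
sample="53/tcp 53/udp 88/tcp 88/udp 135/tcp 137-138/udp 139/tcp 389/tcp 389/udp
464/tcp 464/udp 636/tcp 1024-5000/tcp 3268-3269/tcp 8080/tcp"
echo "missing:    $(missing_ports "$sample" | tr '\n' ' ')"
echo "unexpected: $(unexpected_ports "$sample" | tr '\n' ' ')"
```

On the server, call it as `missing_ports "$(firewall-cmd --list-ports)"`; an expected range counts as covered only when one entry in the list spans it.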

Create a startup script to autostart the service during reboot.

[root@samba4 ~]# cat /etc/systemd/system/samba.service
[Unit]
Description= Samba 4 Active Directory
After=syslog.target
After=network.target

[Service]
Type=forking
PIDFile=/usr/local/samba/var/run/samba.pid
ExecStart=/usr/local/samba/sbin/samba

[Install]
WantedBy=multi-user.target
[root@samba4 ~]#

[root@samba4 ~]# systemctl enable samba
Created symlink from /etc/systemd/system/multi-user.target.wants/samba.service to /etc/systemd/system/samba.service.
[root@samba4 ~]# systemctl start samba

Adding the Windows host to the domain

192.168.1.191 remote management win 10

Make sure the host is added with a static IP address.


Adding the host to the domain.

To manage Samba 4 from Windows, we need to have the Microsoft Remote Server Administration Tools (RSAT) installed.

The wiki page has the links: https://wiki.samba.org/index.php/Installing_RSAT

Installing RSAT tool in Windows 10

Run the installer.

After the reboot, go to Run and type in dsa.msc.

Click on the sunil.cc domain and right-click New -> Users.


Creating a test user.

Client authentication with Samba 4 on CentOS 7

192.168.1.22 - client Authentication on CentOS 7

Installation of packages:

[root@centos7 ~]# yum -y install realmd sssd oddjob oddjob-mkhomedir adcli samba-common

Check connectivity with samba4:

[root@centos7 ~]# realm discover SUNIL.CC
sunil.cc
  type: kerberos
  realm-name: SUNIL.CC
  domain-name: sunil.cc
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  login-formats: %U
  login-policy: allow-realm-logins
[root@centos7 ~]#

Joining the domain.

[root@centos7 ~]# realm join SUNIL.CC
Password for Administrator:
[root@centos7 ~]#

Check whether we are able to get the user from samba4.

[root@centos7 ~]# id SUNIL\\testuser
uid=1570001104(testuser@sunil.cc) gid=1570000513(domain users@sunil.cc) groups=1570000513(domain users@sunil.cc)
[root@centos7 ~]#

Configure sssd.

[root@centos7 ~]# cat /etc/sssd/sssd.conf
[sssd]
domains = sunil.cc
config_file_version = 2
services = nss, pam

[domain/sunil.cc]
ad_domain = sunil.cc
krb5_realm = SUNIL.CC
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
[root@centos7 ~]#

Restart sssd.

[root@centos7 ~]# systemctl restart sssd
[root@centos7 ~]# systemctl enable sssd

Check the user.

[root@centos7 ~]# id sambauser@sunil.cc
uid=1570001105(sambauser@sunil.cc) gid=1570000513(domain users@sunil.cc) groups=1570000513(domain users@sunil.cc),1570000512(domain admins@sunil.cc),1570000572(denied rodc password replication group@sunil.cc)
[root@centos7 ~]#

To get the user without the domain name.

[root@centos7 ~]# vim /etc/sssd/sssd.conf
-----------
------------
use_fully_qualified_names = False
-----------
-----------

Restart sssd and check id command.

[root@centos7 ~]# systemctl restart sssd
[root@centos7 ~]# id sambauser
uid=1570001105(sambauser) gid=1570000513(domain users) groups=1570000513(domain users),1570000512(domain admins),1570000572(denied rodc password replication group)
[root@centos7 ~]#

Client authentication with Samba 4 on CentOS 6

192.168.1.192 - client Authentication on CentOS 6.

Installation of packages.

[root@centos6 db]# yum install pam pam_ldap pam_krb5 sssd sssd-ldap sssd-common authconfig oddjob oddjob-mkhomedir openldap openldap-clients krb5-workstation adcli -y

Change the kerberos config file.

[root@centos6 db]# cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = SUNIL.CC
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 SUNIL.CC = {
  kdc = samba4.sunil.cc
  admin_server = samba4.sunil.cc
 }

[domain_realm]
 .sunil.cc = SUNIL.CC
 sunil.cc = SUNIL.CC
[root@centos6 db]#

We will use the adcli command to join the domain.

[root@centos6 db]# adcli info sunil.cc
[domain]
domain-name = sunil.cc
domain-short = SUNIL
domain-forest = sunil.cc
domain-controller = samba4.sunil.cc
domain-controller-site = Default-First-Site-Name
domain-controller-flags = pdc gc ldap ds kdc timeserv closest writable good-timeserv full-secret
domain-controller-usable = yes
domain-controllers = samba4.sunil.cc
[computer]
computer-site = Default-First-Site-Name
[root@centos6 db]#
[root@centos6 db]# adcli join sunil.cc
Password for Administrator@SUNIL.CC:
[root@centos6 db]#

Make sure the kerberos ticket is created.

[root@centos6 db]# klist -ke
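
`klist -ke` prints the entries of the host keytab together with their encryption types. The script below is an added example, not part of the original tutorial: it counts the entries and flags those that use single DES or RC4 (arcfour). The function names and the sample output, including the host name centos6.sunil.cc, are constructed.

```shell
#!/bin/sh
# Added example: inspect "klist -ke" output for missing or weak keytab entries.

# Count the keytab entries (lines that start with a numeric KVNO).
keytab_entry_count() {
    awk '$1 ~ /^[0-9]+$/ && NF >= 2 { n++ } END { print n + 0 }'
}

# Print "KVNO PRINCIPAL ENCTYPE" for entries using single DES or RC4.
# Handles short names (arcfour-hmac), the DEPRECATED: prefix printed by newer
# krb5 releases, and the long descriptive names printed by older ones.
weak_keytab_entries() {
    awk '
        $1 ~ /^[0-9]+$/ && match($0, /\(.*\)/) {
            enc = substr($0, RSTART + 1, RLENGTH - 2)
            low = tolower(enc)
            sub(/^deprecated:/, "", low)
            if (low ~ /^des[- ]/ || low ~ /^arcfour/ || low ~ /^rc4/)
                print $1, $2, enc
        }
    '
}

# Constructed sample in the layout "klist -ke" prints; not output from the page.
SAMPLE='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------
   2 host/centos6.sunil.cc@SUNIL.CC (des-cbc-crc)
   2 host/centos6.sunil.cc@SUNIL.CC (arcfour-hmac)
   2 host/centos6.sunil.cc@SUNIL.CC (aes128-cts-hmac-sha1-96)
   2 host/centos6.sunil.cc@SUNIL.CC (aes256-cts-hmac-sha1-96)'

echo "entries: $(printf '%s\n' "$SAMPLE" | keytab_entry_count)"
printf '%s\n' "$SAMPLE" | weak_keytab_entries
```

On the client, pipe the real output in with `klist -ke | weak_keytab_entries`; an entry count of 0 means the join did not write a keytab.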

Configure authentication.

[root@centos6 db]# authconfig --enablesssd --enablesssdauth --enablemkhomedir --update

Modify the sssd config now to do the authentication.

[root@centos6 db]# cat /etc/sssd/sssd.conf
[sssd]
services = nss, pam, ssh, autofs
config_file_version = 2
domains = sunil.cc

[domain/sunil.cc]
id_provider = ad
# Uncomment if service discovery is not working
# ad_server = server.win.example.com
default_shell = /bin/bash
fallback_homedir = /home/%u
[root@centos6 db]#
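
Two properties of this file are worth checking: SSSD on these releases expects sssd.conf to be owned by root with mode 0600, and a [domain/...] section without access_provider falls back to the default `permit`, so every domain account that can authenticate may log in (the CentOS 7 configuration earlier sets access_provider = ad, this one does not). The audit below is an added example, not part of the original tutorial; its function names and the sample file are constructed.

```shell
#!/bin/sh
# Added example: audit an sssd.conf for file permissions and access control.

# Print each [domain/NAME] section that never sets access_provider.
domains_without_access_provider() {
    awk '
        function report() { if (name != "" && !seen) print name }
        /^[ \t]*\[/ {
            report(); name = ""; seen = 0
            if ($0 ~ /^[ \t]*\[domain\//) {
                name = $0
                sub(/^[ \t]*\[domain\//, "", name)
                sub(/\].*$/, "", name)
            }
            next
        }
        name != "" && /^[ \t]*access_provider[ \t]*=/ { seen = 1 }
        END { report() }
    ' "$1"
}

# True only if FILE is owned by uid OWNER (default 0, root) with mode 600.
conf_perms_ok() {
    [ "$(stat -c '%u:%a' "$1")" = "${2:-0}:600" ]
}

# Print findings for FILE; the exit status is the number of findings.
audit_sssd_conf() {
    findings=0
    if ! conf_perms_ok "$1" "${2:-0}"; then
        echo "$1: must be owned by uid ${2:-0} with mode 0600"
        findings=$((findings + 1))
    fi
    for d in $(domains_without_access_provider "$1"); do
        echo "$1: [domain/$d] has no access_provider (default: permit)"
        findings=$((findings + 1))
    done
    return "$findings"
}

# Constructed sample modelled on the CentOS 6 client configuration above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[sssd]
services = nss, pam, ssh, autofs
config_file_version = 2
domains = sunil.cc

[domain/sunil.cc]
id_provider = ad
default_shell = /bin/bash
fallback_homedir = /home/%u
EOF
chmod 644 "$sample"
audit_sssd_conf "$sample" "$(id -u)" || echo "findings: $?"
rm -f "$sample"
```

On a client, run `audit_sssd_conf /etc/sssd/sssd.conf` as root; the second argument exists only so the demo can run as an unprivileged user.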

Restart sssd service.

[root@centos6 db]# chkconfig sssd on
[root@centos6 db]# service sssd restart
Stopping sssd: [ OK ]
Starting sssd: [ OK ]
[root@centos6 db]#

Validating user.

[root@centos6 db]# id sambauser
uid=1570001105(sambauser) gid=1570000513(domain users) groups=1570000513(domain users),1570000512(domain admins),1570000572(denied rodc password replication group)
[root@centos6 db]#
