1 环境准备
Rocky Linux镜像下载地址:
https://download.rockylinux.org/pub/rocky/8/isos/x86_64/Rocky-8.6-x86_64-dvd1.iso
镜像大小10G左右,需要花点时间。
2 在Vmware Workstation上创建并安装镜像
系统: Rocky Linux 8.6
磁盘:40G
内存:4G
网络模式:NAT
安装类型:选择GUI
网络选择静态配置
更改主机名为,本例为:ad1.test.com
安装过程忽略。
3 配置
3.1 编辑hosts文件
vi /etc/hosts
插入下列行
3.2 备份旧的配置文件
mv /etc/samba/smb.conf /etc/samba/smb.conf.old
mv /etc/krb5.conf /etc/krb5.conf.old
3.3 下载samba
3.3.1 获取压缩包
wget https://download.samba.org/pub/samba/stable/samba-4.16.2.tar.gz
3.3.2 加压
tar -xzf samba-4.16.2.tar.gz samba-4.16.2
3.3.3 安装epel
cd samba-4.16.2
dnf -y install epel-release #安装epel(Extra Packages for Enterprise Linux)repo
dnf -y update #更新epel-release
dnf config-manager --set-enabled powertools #开启powertool repo
dnf repolist #执行该命令可以看到一下信息
dnf makecache
上述完成后先保存一个快照!!!
3.4 安装samba相关的包
[root@ad1 Shass]# dnf -y install docbook-style-xsl python3-markdown bison\
dbus-devel flex gcc gdb gnutls-devel jansson-devel\
keyutils-libs-devel krb5-workstation libacl-devel libaio-devel\
libarchive-devel libattr-devel libblkid-devel libtasn1\
libtasn1-tools libxml2-devel libxslt lmdb-devel\
openldap-devel pam-devel perl perl-ExtUtils-MakeMaker\
perl-Parse-Yapp popt-devel python3-cryptography python3-dns\
python3-gpg python36-devel readline-devel rpcgen systemd-devel\
tar zlib-devel json perl-JSON gpgme-devel screen
3.4.1 更新所有文件
[root@ad1 samba-4.16.2]# dnf -y update #更新所有包,确保都是最新版本
3.4.2 运行配置脚本
[root@ad1 samba-4.16.2]# ./configure #运行配置脚本
3.4.3 编译
[root@ad1 samba-4.16.2]# make -j 2 #使用2个线程进行处理,加快处理时间
这个过程需要些时间,过程中会提示一些错误或警告,但只需要关心编译是否停止,若中途停止了,需要进行故障排除,可以将错误信息复制到百度或是谷歌找到相应解决办法,本过程还算成功,一次性编译通过。
3.4.4 安装
[root@ad1 samba-4.16.2]# make -j 2 install #安装所有软件到相应目录
3.5 设置环境变量路径
上面的操作已经安装好了samba,现在需要进行环境变量路径的设置,用于做两件事:
- 当你登录到终端会话时路径会自动更新,确保你有正确的路径。
- 正确访问上述安装的那些samba文件
[root@ad1 samba-4.16.2]# export PATH=/usr/local/samba/bin/:/usr/local/samba/sbin/:$PATH
[root@ad1 samba-4.16.2]# vim ~/.bash_profile #编辑root用户目录下的.bash_profile文件
#将原PATH语句替换为下列行:
PATH=$PATH:$HOME/bin:/usr/local/samba/bin/:/usr/local/samba/sbin/:$PATH
[root@ad1 samba-4.16.2]# vim ../.bash_profile #编辑普通用户(Shass),目录下的.bash_profile文件
#在文件末尾追加下列行:
PATH=$PATH:$HOME/bin:/usr/local/samba/bin/:/usr/local/samba/sbin/:$PATH
export PATH
[root@ad1 samba-4.16.2]# source ~/.bash_profile
[root@ad1 samba-4.16.2]# source ../.bash_profile
3.5.1 使用samba配置域
在此之前需要查看自己的网卡名称是否正确:
[root@ad1 samba-4.16.2]# samba-tool domain provision --use-rfc2307 --interactive --option="interfaces= lo ens160" --option="bind interfaces only=yes"
Realm [TEST.COM]: #默认
Domain [TEST]: #默认
Server Role (dc, member, standalone) [dc]: #创建为域控制器角色
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: #默认
DNS forwarder IP address (write 'none' to disable forwarding) [211.140.13.188]: #使用可用的DNS服务器
Administrator password: #设置管理员密码(最少7个字符,包括到小写、数字、符号)
Retype password:
INFO 2022-07-17 16:54:19,351 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2108: Looking up IPv4 addresses
INFO 2022-07-17 16:54:19,353 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2125: Looking up IPv6 addresses
WARNING 2022-07-17 16:54:19,354 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2132: No IPv6 address will be assigned
INFO 2022-07-17 16:54:19,664 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2274: Setting up share.ldb
INFO 2022-07-17 16:54:19,681 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2278: Setting up secrets.ldb
INFO 2022-07-17 16:54:19,696 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2283: Setting up the registry
INFO 2022-07-17 16:54:19,736 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2286: Setting up the privileges database
INFO 2022-07-17 16:54:19,759 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2289: Setting up idmap db
INFO 2022-07-17 16:54:19,777 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2296: Setting up SAM db
INFO 2022-07-17 16:54:19,782 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #880: Setting up sam.ldb partitions and settings
INFO 2022-07-17 16:54:19,783 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #892: Setting up sam.ldb rootDSE
INFO 2022-07-17 16:54:19,789 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1305: Pre-loading the Samba 4 and AD schema
Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs
INFO 2022-07-17 16:54:19,842 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1383: Adding DomainDN: DC=test,DC=com
INFO 2022-07-17 16:54:19,857 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1415: Adding configuration container
INFO 2022-07-17 16:54:19,867 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1430: Setting up sam.ldb schema
INFO 2022-07-17 16:54:24,060 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1448: Setting up sam.ldb configuration data
INFO 2022-07-17 16:54:24,259 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1489: Setting up display specifiers
INFO 2022-07-17 16:54:27,308 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1497: Modifying display specifiers and extended rights
INFO 2022-07-17 16:54:27,361 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1504: Adding users container
INFO 2022-07-17 16:54:27,363 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1510: Modifying users container
INFO 2022-07-17 16:54:27,364 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1513: Adding computers container
INFO 2022-07-17 16:54:27,366 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1519: Modifying computers container
INFO 2022-07-17 16:54:27,367 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1523: Setting up sam.ldb data
INFO 2022-07-17 16:54:27,530 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1553: Setting up well known security principals
INFO 2022-07-17 16:54:27,600 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1567: Setting up sam.ldb users and groups
INFO 2022-07-17 16:54:28,006 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1575: Setting up self join
Repacking database from v1 to v2 format (first record CN=ms-WMI-int8Min,CN=Schema,CN=Configuration,DC=test,DC=com)
Repack: re-packed 10000 records so far
Repacking database from v1 to v2 format (first record CN=Partitions,CN=Configuration,DC=test,DC=com)
Repacking database from v1 to v2 format (first record CN=6bcd568a-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=test,DC=com)
INFO 2022-07-17 16:54:29,625 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1196: Adding DNS accounts
INFO 2022-07-17 16:54:29,648 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1230: Creating CN=MicrosoftDNS,CN=System,DC=test,DC=com
INFO 2022-07-17 16:54:29,673 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1243: Creating DomainDnsZones and ForestDnsZones partitions
INFO 2022-07-17 16:54:29,720 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1248: Populating DomainDnsZones and ForestDnsZones partitions
Repacking database from v1 to v2 format (first record DC=b.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=com)
Repacking database from v1 to v2 format (first record CN=NTDS Quotas,DC=ForestDnsZones,DC=test,DC=com)
INFO 2022-07-17 16:54:29,900 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2012: Setting up sam.ldb rootDSE marking as synchronized
INFO 2022-07-17 16:54:29,907 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2017: Fixing provision GUIDs
INFO 2022-07-17 16:54:31,135 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2349: A Kerberos configuration suitable for Samba AD has been generated at /usr/local/samba/private/krb5.conf
INFO 2022-07-17 16:54:31,135 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2350: Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
INFO 2022-07-17 16:54:31,281 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2082: Setting up fake yp server settings
INFO 2022-07-17 16:54:31,355 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #488: Once the above files are installed, your Samba AD server will be ready to use
INFO 2022-07-17 16:54:31,355 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #492: Server Role: active directory domain controller
INFO 2022-07-17 16:54:31,355 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #493: Hostname: ad1
INFO 2022-07-17 16:54:31,355 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #494: NetBIOS Domain: TEST
INFO 2022-07-17 16:54:31,355 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #495: DNS Domain: test.com
INFO 2022-07-17 16:54:31,355 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #496: DOMAIN SID: S-1-5-21-1898860315-1359266147-2468962152
3.5.2 编辑resolv.conf文件
[root@ad1 samba-4.16.2]# vi /etc/resolv.conf
nameserver 192.168.X.X #将原来的DNS地址替换为本地主机地址
3.6 启动Samba服务
[root@ad1 samba-4.16.2]# samba
3.6.1设置samba自启动
[root@ad1 samba-4.16.2]# cp /usr/local/samba/private/krb5.conf /etc/krb5.conf
[root@ad1 samba-4.16.2]# host -t SRV _ldap._tcp.test.com.
[root@ad1 samba-4.16.2]# host -t SRV _kerberos._udp.test.com.
[root@ad1 samba-4.16.2]# host -t A ad1.test.com.
[root@ad1 samba-4.16.2]# mkdir /scripts #创建自启动脚本
[root@ad1 samba-4.16.2]# vi /scripts/smbservice.sh #创建并编辑脚本文件
#写入以下内容:
$!/bin/bash
/usr/local/samba/sbin/samba
[root@ad1 samba-4.16.2]# chmod +x /scripts/smbservice.sh #添加可执行权限
[root@ad1 samba-4.16.2]# vim /etc/rc.d/rc.local #将脚本写入开机启动文件中
#追加下行:
/scripts/smbservice.sh
[root@ad1 samba-4.16.2]# chmod +x /etc/rc.d/rc.local #添加可执行权限
[root@ad1 samba-4.16.2]# shutdown now -r #重启查看samba启动情况
#重启后执行ps命令查看samba是否自启动
[root@ad1 Shass]# ps -ax | grep samba
1360 ? Ss 0:00 /usr/local/samba/sbin/samba
1568 ? S 0:00 /usr/local/samba/sbin/samba
1572 ? S 0:00 /usr/local/samba/sbin/samba
1573 ? S 0:00 /usr/local/samba/sbin/samba
1577 ? S 0:00 /usr/local/samba/sbin/samba
1578 ? S 0:00 /usr/local/samba/sbin/samba
1579 ? S 0:00 /usr/local/samba/sbin/samba
1581 ? Ss 0:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
1585 ? S 0:00 /usr/local/samba/sbin/samba
1588 ? S 0:00 /usr/local/samba/sbin/samba
1590 ? S 0:00 /usr/local/samba/sbin/samba
1593 ? S 0:00 /usr/local/samba/sbin/samba
1595 ? S 0:01 /usr/local/samba/sbin/samba
1597 ? S 0:00 /usr/local/samba/sbin/samba
1599 ? S 0:00 /usr/local/samba/sbin/samba
1602 ? S 0:00 /usr/local/samba/sbin/samba
1603 ? S 0:00 /usr/local/samba/sbin/samba
1604 ? S 0:00 /usr/local/samba/sbin/samba
1605 ? S 0:00 /usr/local/samba/sbin/samba
1608 ? S 0:00 /usr/local/samba/sbin/samba
1609 ? S 0:00 /usr/local/samba/sbin/samba
1610 ? S 0:00 /usr/local/samba/sbin/samba
1611 ? S 0:00 /usr/local/samba/sbin/samba
1613 ? S 0:00 /usr/local/samba/sbin/samba
1614 ? S 0:00 /usr/local/samba/sbin/samba
1616 ? S 0:00 /usr/local/samba/sbin/samba
1617 ? S 0:00 /usr/local/samba/sbin/samba
1618 ? S 0:00 /usr/local/samba/sbin/samba
1619 ? S 0:00 /usr/local/samba/sbin/samba
1620 ? S 0:00 /usr/local/samba/sbin/samba
1624 ? S 0:00 /usr/local/samba/sbin/samba
1625 ? S 0:00 /usr/local/samba/sbin/samba
1626 ? S 0:00 /usr/local/samba/sbin/samba
1627 ? S 0:00 /usr/local/samba/sbin/samba
1629 ? S 0:00 /usr/local/samba/sbin/samba
1631 ? S 0:00 /usr/local/samba/sbin/samba
1632 ? S 0:00 /usr/local/samba/sbin/samba
1634 ? S 0:00 /usr/local/samba/sbin/samba
1638 ? S 0:00 /usr/local/samba/sbin/samba
1639 ? S 0:00 /usr/local/samba/sbin/samba
1643 ? Ss 0:00 /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
1644 ? S 0:00 /usr/local/samba/sbin/samba
1645 ? S 0:00 /usr/local/samba/sbin/samba
1649 ? S 0:00 /usr/local/samba/sbin/samba
1650 ? S 0:00 /usr/local/samba/sbin/samba
1651 ? S 0:00 /usr/local/samba/sbin/samba
1654 ? S 0:00 /usr/local/samba/sbin/samba
1684 ? S 0:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
1685 ? S 0:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
1727 ? S 0:00 /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
1903 ? S 0:00 /usr/local/samba/sbin/samba
1905 ? S 0:00 /usr/local/samba/sbin/samba
1906 ? S 0:00 /usr/local/samba/sbin/samba
1909 ? S 0:00 /usr/local/samba/sbin/samba
1910 ? S 0:00 /usr/local/samba/sbin/samba
1912 ? S 0:00 /usr/local/samba/sbin/samba
1913 ? S 0:00 /usr/local/samba/sbin/samba
1917 ? S 0:00 /usr/local/samba/sbin/samba
2333 pts/0 S+ 0:00 grep --color=auto samba
自启动成功!!!
4 安装并配置DHCP服务
安装DHCP服务为后面的测试主机分配地址
[root@ad1 Shass]# dnf -y install dhcp-server #安装DHCP服务
[root@ad1 Shass]# vim /etc/dhcp/dhcpd.conf #编辑配置文件
#添加以下内容:
default-lease-time 600;
max-lease-time 7200;
ddns-update-style none;
authoritative;
#X跟域控制器同属一个网段
subnet 192.168.X.0 netmask 255.255.255.0 {
range 192.168.X.50 192.168.X.100;
option routers 192.168.X.254; #网关
option subnet-mask 255.255.255.0;
option domain-name-servers 192.168.X.123; #域控制器作为DNS服务器
option domain-name "test.com";
option domain-search "test.com";
}
[root@ad1 Shass]# systemctl enable --now dhcpd.service #开机运行并立即启动DHCP服务
5 关闭防火墙安装iptables
[root@ad1 Shass]# systemctl stop firewalld
[root@ad1 Shass]# systemctl mask firewalld
Created symlink /etc/systemd/system/firewalld.service → /dev/null.
[root@ad1 Shass]# dnf -y install iptables-services #安装iptables
[root@ad1 Shass]# systemctl enable iptables --now
5.1 编辑IP tables配置文件
[root@ad1 Shass]# vi /etc/sysconfig/iptables
#在COMMIT前追加以下内容:
-A INPUT -p tcp -s 192.168.X.0/24 -m state --state NEW -m multiport --dports 53,88,135,139,389,445,464,636,3268,49152:65535 -j ACCEPT
-A INPUT -p udp -s 192.168.X.0/24 -m state --state NEW -m multiport --dports 53,123,137,138,389,636 -j ACCEPT
#其中地址信息为你的域控制器所属网段.
[root@ad1 Shass]# systemctl restart iptables #重启服务
6 创建共享目录
[root@ad1 Shass]# mkdir /users
[root@ad1 Shass]# chmod 770 /users
[root@ad1 Shass]# chown root:3000000 /users #设置所有者为root所属组为3000000,这个组号samba规定的.
[root@ad1 Shass]# mkdir /share
[root@ad1 Shass]# chmod -R 770 /share
[root@ad1 Shass]# chown root:3000000 /share
7 编辑samba配置文件
[root@ad1 Shass]# vim /usr/local/samba/etc/smb.conf
#添加下列内容:
[users]
path = /users
read only = No
[share]
path = /share
read only = No
7.1 在samba中设置本机为DNS
samba-tool dns add 192.168.111.123 test.com www A 192.168.111.123 -U administrator
输入前面3.5.1节设置的密码。
8 将主机成员加入域中
本文准备了一台win10
8.1 win10从Rock AD上自动获取IP
在此之前需要关闭VMware的DHCP服务
8.2 将win10加入Rocky域中
输入之前使用samba创建的管理员和密码:
输入域名:
再一次输入域管理员账户密码以及域名:
选择默认选项:
然后会提示重启,重启后可以看到win10已成功加入test.com域中:
如果长时间加入域失败,可以尝试把iptables.service服务关闭!!!
8.3 查看域共享文件
在地址栏中输入\ad1便可以访问共享文件,其中users和share是前面第7节
经过以上配置,基于Rocky Linux 8.6 的域控制器就已经搭建好了,后文主要介绍了用户以及文件夹权限授予的例子,感兴趣的可以继续往下看。
9 安装应用
在此之前若与管理用户进入win10应用和功能提示如下图信息时:
则打开计算机的“本地安全策略”,找到“本地策略”→“安全选项”→“用户账户控制:用于内置管理员账户的管理员批准模式”,选择“已启用”,然后重启电脑即可解决。
9.1 添加Active directory域服务和轻型目录服务工具
等待安装完毕。
打开该程序可以看到test.com域:
9.2 添加组织单位及用户和组
添加名为“Test.com Users&Groups”的组织单位,同时在该组织下添加右侧的组和用户,并将John纳入HR组中。
结合后文权限设置主要实现以下目的:
- 不同用户登录会产生各自用户名的文件夹
- 不同用户只能访问users目录下自己用户名的文件夹
- John Smith和Larry Browndou都可以访问share的普通文件夹
- 只有John Smith可以访问share目录下的HR特定文件夹
9.3 变更共享文件权限(share)
将share的访问主体以及权限更改为如下所示(删除原来不必要的主体):
9.3.1 在share下创建子文件夹
所有文件夹都继承了sheare的权限属性:
9.3.2 禁用Security-HR文件的继承
9.3.3 重新添加如下所示的主体及权限
9.4 变更共享文件夹权限(users)
9.5 编写登陆脚本
9.5.1 将配置脚本绑定到用户配置文件
10 测试用户权限
10.1 注销用户登录John Smith查看权限
10.1.1 \\ad1\users的访问情况
- 访问\ad1\users\jsmith
可以访问,文件的增删改都可以。
- 访问\ad1\users\lbrown
无权限!
10.1.2 \\ad1\share\的访问情况
都可以访问(增删改)
10.2 注销用户登录Larry Brown查看权限
10.2.1 \\ad1\users的访问情况
只能访问自己用户名的文件(增删改):
10.2.2 \\ad1\share的访问情况
除了Security-HR以外的文件都可以访问
就写到这里吧,感谢大家的阅读!