1 Environment preparation
Rocky Linux image download address:
https://download.rockylinux.org/pub/rocky/8/isos/x86_64/Rocky-8.6-x86_64-dvd1
The DVD ISO is roughly 10 GB, so the download takes a while. Verify it against the CHECKSUM file published in the same directory before installing from it.
2 Create the VM and install the image in VMware Workstation
System: Rocky Linux 8.6
Disk: 40G
Memory: 4G
Network mode: NAT
Installation type: select the GUI install
Network: select a static configuration
Change the host name; in this example it is ad1.test.com.
The remaining installation steps are not shown here.
3 Configuration
3.1 Edit the hosts file
vi /etc/hosts
Insert the lines mapping the DC's static address to its FQDN and short name (ad1.test.com ad1), so the name resolves even before Samba's DNS is running.
3.2 Back up the old configuration files
mv /etc/samba/smb.conf /etc/samba/smb.conf.old
mv /etc/krb5.conf /etc/krb5.conf.old
3.3 Download Samba
3.3.1 Get the source tarball
wget https://download.samba.org/pub/samba/stable/samba-4.16.2.tar.gz
4.16.2 was the current release when this was written; later 4.16.x releases fixed security issues, so pick the latest security release of a supported branch. Samba also publishes a detached GPG signature for each release (samba-4.16.2.tar.asc, made over the uncompressed tar and signed with the Samba Distribution Verification Key); verify it before building rather than trusting the download alone.
3.3.2 Extract the archive
tar -xzf samba-4.16.2.tar.gz
3.3.3 Install EPEL and enable PowerTools
cd samba-4.16.2
dnf -y install epel-release # install the EPEL (Extra Packages for Enterprise Linux) repo
dnf -y update # update, now including epel-release
dnf config-manager --set-enabled powertools # enable the PowerTools repo, which carries several of the -devel packages needed below
dnf repolist # lists the enabled repos; epel and powertools should now appear
dnf makecache
Take a VM snapshot once the above is done, before building.
3.4 Install the build dependencies
Note the space before each trailing backslash: without it the shell joins the last word of one line to the first word of the next (bison\ followed by dbus-devel becomes bisondbus-devel).
[root@ad1 Shass]# dnf -y install docbook-style-xsl python3-markdown bison \
dbus-devel flex gcc gdb gnutls-devel jansson-devel \
keyutils-libs-devel krb5-workstation libacl-devel libaio-devel \
libarchive-devel libattr-devel libblkid-devel libtasn1 \
libtasn1-tools libxml2-devel libxslt lmdb-devel \
openldap-devel pam-devel perl perl-ExtUtils-MakeMaker \
perl-Parse-Yapp popt-devel python3-cryptography python3-dns \
python3-gpg python36-devel readline-devel rpcgen systemd-devel \
tar zlib-devel json perl-JSON gpgme-devel screen
3.4.1 Update all packages
[root@ad1 samba-4.16.2]# dnf -y update # update every package so the build runs against current libraries
3.4.2 Run the configure script
[root@ad1 samba-4.16.2]# ./configure # the default prefix is /usr/local/samba
3.4.3 Compile
[root@ad1 samba-4.16.2]# make -j 2 # two parallel jobs; raise this to the number of vCPUs to speed the build up
This takes a while. Warnings scroll past during the build and can be ignored; what matters is whether make stops. If it aborts part way, search for the last error message (Baidu or Google) and fix the missing dependency it points at. In this run the build completed on the first attempt.
3.4.4 Install
[root@ad1 samba-4.16.2]# make -j 2 install # installs everything under /usr/local/samba
3.5 Set the PATH environment variable
Samba is now installed under /usr/local/samba, which is not on the default PATH. Adding its bin and sbin directories to PATH does two things:
- every new terminal session picks up the correct path automatically
- samba, samba-tool and the other binaries installed above can be run by name
[root@ad1 samba-4.16.2]# export PATH=/usr/local/samba/bin/:/usr/local/samba/sbin/:$PATH
[root@ad1 samba-4.16.2]# vim ~/.bash_profile # edit root's .bash_profile
# replace the original PATH line with:
PATH=$PATH:$HOME/bin:/usr/local/samba/bin/:/usr/local/samba/sbin/
[root@ad1 samba-4.16.2]# vim ../.bash_profile # the working directory is inside the unprivileged user's (Shass) home, so this edits that user's .bash_profile
# append at the end of the file:
PATH=$PATH:$HOME/bin:/usr/local/samba/bin/:/usr/local/samba/sbin/
export PATH
[root@ad1 samba-4.16.2]# source ~/.bash_profile
[root@ad1 samba-4.16.2]# source ../.bash_profile
3.5.1 Provision the domain with samba-tool
Before running this, confirm the network interface name (ens160 here) with ip link, because the interfaces option below binds Samba to that interface only:
[root@ad1 samba-4.16.2]# samba-tool domain provision --use-rfc2307 --interactive --option="interfaces= lo ens160" --option="bind interfaces only=yes"
Realm [TEST.COM]: # accept the default
Domain [TEST]: # accept the default
Server Role (dc, member, standalone) [dc]: # domain controller role
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: # accept the default
DNS forwarder IP address (write 'none' to disable forwarding) [211.140.13.188]: # a reachable upstream DNS server, used for names outside test.com
Administrator password: # set the domain Administrator password; the default policy requires at least 7 characters mixing upper case, lower case, digits and symbols
Retype password:
INFO 2022-07-17 16:54:19,351 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2108: Looking up IPv4 addresses
INFO 2022-07-17 16:54:19,353 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2125: Looking up IPv6 addresses
WARNING 2022-07-17 16:54:19,354 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2132: No IPv6 address will be assigned
INFO 2022-07-17 16:54:19,664 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2274: Setting up share.ldb
INFO 2022-07-17 16:54:19,681 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2278: Setting up secrets.ldb
INFO 2022-07-17 16:54:19,696 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2283: Setting up the registry
INFO 2022-07-17 16:54:19,736 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2286: Setting up the privileges database
INFO 2022-07-17 16:54:19,759 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2289: Setting up idmap db
INFO 2022-07-17 16:54:19,777 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2296: Setting up SAM db
INFO 2022-07-17 16:54:19,782 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #880: Setting up sam.ldb partitions and settings
INFO 2022-07-17 16:54:19,783 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #892: Setting up sam.ldb rootDSE
INFO 2022-07-17 16:54:19,789 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1305: Pre-loading the Samba 4 and AD schema
Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs
INFO 2022-07-17 16:54:19,842 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1383: Adding DomainDN: DC=test,DC=com
INFO 2022-07-17 16:54:19,857 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1415: Adding configuration container
INFO 2022-07-17 16:54:19,867 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1430: Setting up sam.ldb schema
INFO 2022-07-17 16:54:24,060 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1448: Setting up sam.ldb configuration data
INFO 2022-07-17 16:54:24,259 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1489: Setting up display specifiers
INFO 2022-07-17 16:54:27,308 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1497: Modifying display specifiers and extended rights
INFO 2022-07-17 16:54:27,361 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1504: Adding users container
INFO 2022-07-17 16:54:27,363 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1510: Modifying users container
INFO 2022-07-17 16:54:27,364 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1513: Adding computers container
INFO 2022-07-17 16:54:27,366 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1519: Modifying computers container
INFO 2022-07-17 16:54:27,367 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1523: Setting up sam.ldb data
INFO 2022-07-17 16:54:27,530 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1553: Setting up well known security principals
INFO 2022-07-17 16:54:27,600 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1567: Setting up sam.ldb users and groups
INFO 2022-07-17 16:54:28,006 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1575: Setting up self join
Repacking database from v1 to v2 format (first record CN=ms-WMI-int8Min,CN=Schema,CN=Configuration,DC=test,DC=com)
Repack: re-packed 10000 records so far
Repacking database from v1 to v2 format (first record CN=Partitions,CN=Configuration,DC=test,DC=com)
Repacking database from v1 to v2 format (first record CN=6bcd568a-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=test,DC=com)
INFO 2022-07-17 16:54:29,625 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1196: Adding DNS accounts
INFO 2022-07-17 16:54:29,648 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1230: Creating CN=MicrosoftDNS,CN=System,DC=test,DC=com
INFO 2022-07-17 16:54:29,673 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1243: Creating DomainDnsZones and ForestDnsZones partitions
INFO 2022-07-17 16:54:29,720 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1248: Populating DomainDnsZones and ForestDnsZones partitions
Repacking database from v1 to v2 format (first record DC=b.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=com)
Repacking database from v1 to v2 format (first record CN=NTDS Quotas,DC=ForestDnsZones,DC=test,DC=com)
INFO 2022-07-17 16:54:29,900 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2012: Setting up sam.ldb rootDSE marking as synchronized
INFO 2022-07-17 16:54:29,907 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2017: Fixing provision GUIDs
INFO 2022-07-17 16:54:31,135 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2349: A Kerberos configuration suitable for Samba AD has been generated at /usr/local/samba/private/krb5.conf
INFO 2022-07-17 16:54:31,135 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2350: Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
INFO 2022-07-17 16:54:31,281 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2082: Setting up fake yp server settings
INFO 2022-07-17 16:54:31,355 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #488: Once the above files are installed, your Samba AD server will be ready to use
INFO 2022-07-17 16:54:31,355 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #492: Server Role: active directory domain controller
INFO 2022-07-17 16:54:31,355 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #493: Hostname: ad1
INFO 2022-07-17 16:54:31,355 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #494: NetBIOS Domain: TEST
INFO 2022-07-17 16:54:31,355 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #495: DNS Domain: test.com
INFO 2022-07-17 16:54:31,355 pid:36158 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #496: DOMAIN SID: S-1-5-21-1898860315-1359266147-2468962152
3.5.2 Edit the resolv.conf file
[root@ad1 samba-4.16.2]# vi /etc/resolv.conf
nameserver 192.168.X.X # replace the previous DNS address with this host's own address, so the DC resolves test.com through Samba's internal DNS
On Rocky 8 NetworkManager rewrites /etc/resolv.conf, so also set the DNS server and search domain on the connection itself (nmcli con mod <connection> ipv4.dns <DC address> ipv4.dns-search test.com); otherwise the edit is lost at the next reboot.
3.6 Start the Samba service
[root@ad1 samba-4.16.2]# samba
3.6.1 Install the Kerberos configuration and verify DNS
[root@ad1 samba-4.16.2]# cp /usr/local/samba/private/krb5.conf /etc/krb5.conf
The host command comes from the bind-utils package (dnf -y install bind-utils if it is missing). Each query should return a record pointing at ad1.test.com; if one does not, resolv.conf is not pointing at the DC yet.
[root@ad1 samba-4.16.2]# host -t SRV _ldap._tcp.test.com.
[root@ad1 samba-4.16.2]# host -t SRV _kerberos._udp.test.com.
[root@ad1 samba-4.16.2]# host -t A ad1.test.com.
A quick authentication check at this point is kinit administrator followed by klist, which confirms the KDC answers using the new krb5.conf.
3.6.2 Set samba to start automatically
rc.local is the quickest route; it runs late in boot with no dependency ordering or restart handling, which a proper systemd unit would give you.
[root@ad1 samba-4.16.2]# mkdir /scripts # directory for the start-up script
[root@ad1 samba-4.16.2]# vi /scripts/smbservice.sh # create and edit the script
# contents:
#!/bin/bash
/usr/local/samba/sbin/samba
[root@ad1 samba-4.16.2]# chmod +x /scripts/smbservice.sh # make it executable
[root@ad1 samba-4.16.2]# vim /etc/rc.d/rc.local # hook the script into the boot sequence
# append this line:
/scripts/smbservice.sh
[root@ad1 samba-4.16.2]# chmod +x /etc/rc.d/rc.local # rc-local.service only runs the file when it is executable
[root@ad1 samba-4.16.2]# shutdown now -r # reboot and check that samba comes up
# after the reboot, use ps to confirm samba started on its own
[root@ad1 Shass]# ps -ax | grep samba
1360 ? Ss 0:00 /usr/local/samba/sbin/samba
1568 ? S 0:00 /usr/local/samba/sbin/samba
1572 ? S 0:00 /usr/local/samba/sbin/samba
1573 ? S 0:00 /usr/local/samba/sbin/samba
1577 ? S 0:00 /usr/local/samba/sbin/samba
1578 ? S 0:00 /usr/local/samba/sbin/samba
1579 ? S 0:00 /usr/local/samba/sbin/samba
1581 ? Ss 0:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
1585 ? S 0:00 /usr/local/samba/sbin/samba
1588 ? S 0:00 /usr/local/samba/sbin/samba
1590 ? S 0:00 /usr/local/samba/sbin/samba
1593 ? S 0:00 /usr/local/samba/sbin/samba
1595 ? S 0:01 /usr/local/samba/sbin/samba
1597 ? S 0:00 /usr/local/samba/sbin/samba
1599 ? S 0:00 /usr/local/samba/sbin/samba
1602 ? S 0:00 /usr/local/samba/sbin/samba
1603 ? S 0:00 /usr/local/samba/sbin/samba
1604 ? S 0:00 /usr/local/samba/sbin/samba
1605 ? S 0:00 /usr/local/samba/sbin/samba
1608 ? S 0:00 /usr/local/samba/sbin/samba
1609 ? S 0:00 /usr/local/samba/sbin/samba
1610 ? S 0:00 /usr/local/samba/sbin/samba
1611 ? S 0:00 /usr/local/samba/sbin/samba
1613 ? S 0:00 /usr/local/samba/sbin/samba
1614 ? S 0:00 /usr/local/samba/sbin/samba
1616 ? S 0:00 /usr/local/samba/sbin/samba
1617 ? S 0:00 /usr/local/samba/sbin/samba
1618 ? S 0:00 /usr/local/samba/sbin/samba
1619 ? S 0:00 /usr/local/samba/sbin/samba
1620 ? S 0:00 /usr/local/samba/sbin/samba
1624 ? S 0:00 /usr/local/samba/sbin/samba
1625 ? S 0:00 /usr/local/samba/sbin/samba
1626 ? S 0:00 /usr/local/samba/sbin/samba
1627 ? S 0:00 /usr/local/samba/sbin/samba
1629 ? S 0:00 /usr/local/samba/sbin/samba
1631 ? S 0:00 /usr/local/samba/sbin/samba
1632 ? S 0:00 /usr/local/samba/sbin/samba
1634 ? S 0:00 /usr/local/samba/sbin/samba
1638 ? S 0:00 /usr/local/samba/sbin/samba
1639 ? S 0:00 /usr/local/samba/sbin/samba
1643 ? Ss 0:00 /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
1644 ? S 0:00 /usr/local/samba/sbin/samba
1645 ? S 0:00 /usr/local/samba/sbin/samba
1649 ? S 0:00 /usr/local/samba/sbin/samba
1650 ? S 0:00 /usr/local/samba/sbin/samba
1651 ? S 0:00 /usr/local/samba/sbin/samba
1654 ? S 0:00 /usr/local/samba/sbin/samba
1684 ? S 0:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
1685 ? S 0:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
1727 ? S 0:00 /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
1903 ? S 0:00 /usr/local/samba/sbin/samba
1905 ? S 0:00 /usr/local/samba/sbin/samba
1906 ? S 0:00 /usr/local/samba/sbin/samba
1909 ? S 0:00 /usr/local/samba/sbin/samba
1910 ? S 0:00 /usr/local/samba/sbin/samba
1912 ? S 0:00 /usr/local/samba/sbin/samba
1913 ? S 0:00 /usr/local/samba/sbin/samba
1917 ? S 0:00 /usr/local/samba/sbin/samba
2333 pts/0 S+ 0:00 grep --color=auto samba
The listing shows that the samba process started at boot and forked its smbd and winbindd children, so the autostart works. Do not additionally enable separate smb, nmb or winbind services on an AD DC: the samba process manages those daemons itself, as the listing shows.
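As an added example, not part of the original post, the helper below installs a systemd unit for the self-compiled DC in place of the rc.local script above. The unit is modelled on the one the Samba wiki gives for a /usr/local/samba build; it assumes the default prefix and therefore the default PID file location /usr/local/samba/var/run/samba.pid.

```shell
#!/bin/sh
# Added example (not from the original post): install a systemd unit for the
# self-compiled Samba AD DC instead of launching it from /etc/rc.d/rc.local.
# Assumptions: Samba was built with the default prefix /usr/local/samba, so
# the PID file is /usr/local/samba/var/run/samba.pid.

SAMBA_PREFIX=${SAMBA_PREFIX:-/usr/local/samba}
UNIT_NAME=samba-ad-dc.service

# write_samba_unit DIR: write the unit file into DIR (normally /etc/systemd/system).
write_samba_unit() {
    dir=$1
    cat >"$dir/$UNIT_NAME" <<EOF
[Unit]
Description=Samba Active Directory Domain Controller
After=network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
ExecStart=$SAMBA_PREFIX/sbin/samba -D
PIDFile=$SAMBA_PREFIX/var/run/samba.pid
ExecReload=/bin/kill -HUP \$MAINPID
LimitNOFILE=16384

[Install]
WantedBy=multi-user.target
EOF
    chmod 0644 "$dir/$UNIT_NAME"
}

# unit_exec_start FILE: print the ExecStart command of a unit file (for checking the result).
unit_exec_start() { sed -n 's/^ExecStart=//p' "$1"; }

# When a target directory is given on the command line, write the unit there.
# On the DC (as root): sh samba-unit.sh /etc/systemd/system
# then: systemctl daemon-reload && systemctl enable --now samba-ad-dc
# The AD DC process forks smbd and winbindd itself, so if the distribution's
# samba packages are ever installed, keep their smb/nmb/winbind units disabled.
if [ -n "${1-}" ]; then
    write_samba_unit "$1"
fi
```

With the unit in place, remove the rc.local line so the daemon is not started twice, and use systemctl status samba-ad-dc after a reboot instead of grepping ps.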
4 Install and configure the DHCP service
Install a DHCP server so the test client in section 8 gets its address and, more importantly, the DC as its DNS server.
[root@ad1 Shass]# dnf -y install dhcp-server # install the DHCP server
[root@ad1 Shass]# vim /etc/dhcp/dhcpd.conf # edit the configuration file
# add the following:
default-lease-time 600;
max-lease-time 7200;
ddns-update-style none;
authoritative;
# X is the same subnet the domain controller sits in
subnet 192.168.X.0 netmask 255.255.255.0 {
range 192.168.X.50 192.168.X.100;
option routers 192.168.X.254; # gateway
option subnet-mask 255.255.255.0;
option domain-name-servers 192.168.X.123; # the domain controller is the DNS server
option domain-name "test.com";
option domain-search "test.com";
}
[root@ad1 Shass]# systemctl enable --now dhcpd.service # start the DHCP service now and at every boot
5 Replace firewalld with iptables-services
[root@ad1 Shass]# systemctl stop firewalld
[root@ad1 Shass]# systemctl mask firewalld
Created symlink /etc/systemd/system/firewalld.service → /dev/null.
[root@ad1 Shass]# dnf -y install iptables-services #安装iptables
[root@ad1 Shass]# systemctl enable iptables --now
5.1 Edit the iptables configuration file
[root@ad1 Shass]# vi /etc/sysconfig/iptables
# append the following before COMMIT:
-A INPUT -p tcp -s 192.168.X.0/24 -m state --state NEW -m multiport --dports 53,88,135,139,389,445,464,636,3268,49152:65535 -j ACCEPT
-A INPUT -p udp -s 192.168.X.0/24 -m state --state NEW -m multiport --dports 53,123,137,138,389,636 -j ACCEPT
# the source address is your domain controller's subnet.
Compare this list with the Samba wiki's AD DC port usage page before relying on it. As written, the UDP rule omits Kerberos (88) and kpasswd (464), which the DC also serves over UDP, and includes 636/udp, which Samba does not listen on; the TCP rule omits the Global Catalog SSL port 3269. The dynamic RPC range 49152-65535/tcp is wide but required, because the endpoint mapper on 135 hands clients ports from it.
[root@ad1 Shass]# systemctl restart iptables # restart the service
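As an added example, not part of the original post, the script below checks an iptables rule file against the ports a Samba AD DC must accept, using the port list from the Samba wiki's AD DC port usage page. The sample rule file is constructed here from the two rules above with X=111; the assumption that LDAPS (636, 3269) and NTP (123/udp) are in use matches those rules.

```shell
#!/bin/sh
# Added example (not from the original post): report which of the ports a
# Samba AD DC needs are not accepted by an iptables rule file. The port list
# follows the Samba wiki ("Samba AD DC Port Usage"); it assumes LDAPS and NTP
# are in use, as the rules in section 5.1 do.

REQ_TCP="53 88 135 139 389 445 464 636 3268 3269"   # plus the 49152-65535 RPC range
REQ_UDP="53 88 123 137 138 389 464"

# dports_for PROTO FILE: print every port or lo:hi range from the
# "-A INPUT ... -p PROTO ... --dports ... -j ACCEPT" lines, one per line.
dports_for() {
    grep -E -e "^-A INPUT .*-p $1 .*-j ACCEPT" "$2" \
        | sed -n 's/.*--dports \([0-9:,]*\).*/\1/p' | tr ',' '\n'
}

# port_allowed PROTO PORT FILE: succeed if PORT/PROTO is covered by some rule.
port_allowed() {
    for spec in $(dports_for "$1" "$3"); do
        case $spec in
            *:*) [ "$2" -ge "${spec%%:*}" ] && [ "$2" -le "${spec##*:}" ] && return 0 ;;
            *)   [ "$2" -eq "$spec" ] && return 0 ;;
        esac
    done
    return 1
}

# missing_ports FILE: print "proto/port" for each required port that is not accepted.
# Both ends of the RPC range are checked so a truncated range is caught.
missing_ports() {
    for p in $REQ_TCP 49152 65535; do port_allowed tcp "$p" "$1" || echo "tcp/$p"; done
    for p in $REQ_UDP; do port_allowed udp "$p" "$1" || echo "udp/$p"; done
}

# Constructed sample: the two rules from section 5.1 with X=111.
SAMPLE_RULES=$(mktemp)
cat >"$SAMPLE_RULES" <<'EOF'
-A INPUT -p tcp -s 192.168.111.0/24 -m state --state NEW -m multiport --dports 53,88,135,139,389,445,464,636,3268,49152:65535 -j ACCEPT
-A INPUT -p udp -s 192.168.111.0/24 -m state --state NEW -m multiport --dports 53,123,137,138,389,636 -j ACCEPT
EOF

echo "Required DC ports not accepted by $SAMPLE_RULES:"
missing_ports "$SAMPLE_RULES"
```

Run it against /etc/sysconfig/iptables instead of the sample (missing_ports /etc/sysconfig/iptables) after editing the rules; on the sample it reports tcp/3269, udp/88 and udp/464.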
6 Create the shared directories
[root@ad1 Shass]# mkdir /users
[root@ad1 Shass]# chmod 770 /users
[root@ad1 Shass]# chown root:3000000 /users # owner root, group 3000000: the start of the ID range the DC's internal idmap allocates to domain users and groups. Which group actually received 3000000 depends on allocation order, so check it with wbinfo --gid-info 3000000 (or map the intended group's SID with wbinfo --sid-to-gid) instead of assuming
[root@ad1 Shass]# mkdir /share
[root@ad1 Shass]# chmod -R 770 /share
[root@ad1 Shass]# chown root:3000000 /share
7 Edit the samba configuration file
[root@ad1 Shass]# vim /usr/local/samba/etc/smb.conf
# add the following shares. Access is narrowed later with Windows ACLs (section 9); on an AD DC the acl_xattr VFS module is active by default, so ACLs set from the Windows security tab are stored and enforced by Samba:
[users]
path = /users
read only = No
[share]
path = /share
read only = No
7.1 Add a DNS record with samba-tool
samba-tool dns add 192.168.111.123 test.com www A 192.168.111.123 -U administrator
This creates an A record www.test.com in the test.com zone held on the DC (192.168.111.123, i.e. 192.168.X.123 with X=111). The first address is the DNS server to send the update to; the record itself can point at any host. Enter the Administrator password set in section 3.5.1.
8 Join a member host to the domain
A Windows 10 VM is used as the client.
8.1 Windows 10 obtains its IP address from the Rocky AD DC
Before this, disable VMware's own DHCP service on the NAT network, so the client takes its lease, and with it the DC as DNS server, from the dhcpd configured in section 4.
8.2 Join Windows 10 to the Rocky domain
Enter the Administrator account and the password created with samba-tool:
Enter the domain name:
Enter the domain Administrator account, password and domain name again:
Select the default option:
You are then prompted to restart. After the restart, Windows 10 shows it has joined the test.com domain:
If the join fails or hangs for a long time, check that the client's DNS server is the DC and that the iptables rules admit the Kerberos and LDAP ports over both TCP and UDP; stopping iptables.service to see whether the join then succeeds is a diagnostic step, not a fix.
8.3 View the domain shares
Enter \\ad1 in the Explorer address bar; the users and share folders are the shares defined in section 7.
With the above configuration, the Rocky Linux 8.6 based domain controller is in place. The following sections walk through examples of granting user and folder permissions, for those who want to continue.
9 Install the management tools
Before that: if you open Windows 10's "Apps & features" while logged in as the built-in Administrator and are shown the following message:
Open the computer's "Local Security Policy", go to "Local Policies" → "Security Options" → "User Account Control: Admin Approval Mode for the Built-in Administrator account", set it to "Enabled", and restart the computer.
9.1 Add the "Active Directory Domain Services and Lightweight Directory Services Tools" RSAT feature
Wait for the installation to complete.
Open Active Directory Users and Computers to see the test.com domain:
9.2 Add an organizational unit, users and groups
Add an organizational unit named "Test.com Users&Groups", create the groups and users shown on the right under it, and put John Smith in the HR group.
Together with the permission settings that follow, the aim is:
- each user gets a folder named after their own username when they log in
- each user can reach only the folder named after them under the users share
- both John Smith and Larry Brown can reach the common folders under share
- only John Smith can reach the HR-specific folder under share
9.3 Change the shared folder permissions (share)
Change the principals and permissions on share to the following (remove the unnecessary principals):
9.3.1 Create subfolders under share
All of them inherit the permissions of share:
9.3.2 Disable inheritance on the Security-HR folder
9.3.3 Re-add the principals and permissions as shown below
9.4 Change the shared folder permissions (users)
9.5 Write the login script
9.5.1 Bind the configured script to the user profiles
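As an added example, not part of the original post, the script below does from the DC's command line what sections 9.2 to 9.5 do by clicking through RSAT: it creates the OU, the HR group and the two accounts, puts John Smith in HR, and creates each user's private folder under /users with an NT ACL, so no login script is needed for the folder. The OU name, group and account names come from the post; the roster format, the /users path (section 6), the samba-tool and wbinfo paths, and the SDDL string are this example's own assumptions. Compare the ACL it sets (samba-tool ntacl get /users/jsmith --as-sddl) with what the Windows security tab produced before relying on it.

```shell
#!/bin/sh
# Added example (not from the original post): create the OU, group, users and
# per-user private folders of section 9 with samba-tool instead of the RSAT GUI.
# Assumptions: Samba lives under /usr/local/samba, the users share is /users,
# and the roster below is constructed from the two accounts the post uses.
# Intended to run once against a fresh domain, as root, on the DC.

SAMBA_TOOL=${SAMBA_TOOL:-/usr/local/samba/bin/samba-tool}
WBINFO=${WBINFO:-/usr/local/samba/bin/wbinfo}
USERS_ROOT=${USERS_ROOT:-/users}
DOMAIN_DN='DC=test,DC=com'
OU_RDN='OU=Test.com Users&Groups'      # relative to DOMAIN_DN, as --userou/--groupou expect

# Constructed roster: sAMAccountName|given name|surname|comma-separated groups
ROSTER='jsmith|John|Smith|HR
lbrown|Larry|Brown|'

create_ou() { "$SAMBA_TOOL" ou create "$OU_RDN,$DOMAIN_DN"; }

create_group() { "$SAMBA_TOOL" group add "$1" --groupou="$OU_RDN"; }

# create_user SAM GIVEN SURNAME: random initial password; the admin sets the
# real one afterwards with "samba-tool user setpassword SAM".
create_user() {
    "$SAMBA_TOOL" user create "$1" --random-password \
        --given-name="$2" --surname="$3" --userou="$OU_RDN"
}

# user_home_sddl SID: DACL for a private folder. Only SYSTEM, Builtin
# Administrators and the user (SID) get full control (0x001f01ff); the P flag
# blocks inheritance from /users, which is what section 9.4 does by hand.
user_home_sddl() {
    echo "O:BAG:DUD:P(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001f01ff;;;$1)"
}

# create_user_home SAM: create /users/SAM and store the NT ACL via samba-tool.
create_user_home() {
    sid=$("$WBINFO" -n "$1" | cut -d' ' -f1)     # wbinfo prints "S-1-5-21-... SID_USER (1)"
    mkdir -p "$USERS_ROOT/$1"
    "$SAMBA_TOOL" ntacl set "$(user_home_sddl "$sid")" "$USERS_ROOT/$1"
}

# provision_roster: create every account, its folder, and its group memberships.
provision_roster() {
    printf '%s\n' "$ROSTER" | while IFS='|' read -r sam given surname groups; do
        [ -n "$sam" ] || continue
        create_user "$sam" "$given" "$surname"
        create_user_home "$sam"
        for g in $(printf '%s' "$groups" | tr ',' ' '); do
            "$SAMBA_TOOL" group addmembers "$g" "$sam"
        done
    done
}

# Run for real only where samba-tool exists, i.e. on the DC.
if [ -x "$SAMBA_TOOL" ]; then
    create_ou
    create_group HR
    provision_roster
fi
```

The Security-HR folder of section 9.3 can be handled the same way: look up the HR group's SID with wbinfo -n HR and apply a protected DACL that lists SYSTEM, Builtin Administrators and that SID in place of the user's.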
10 Test user permissions
10.1 Log out and log in as John Smith to check permissions
10.1.1 Access to \\ad1\users
- \\ad1\users\jsmith is accessible, and files can be added, deleted and modified.
- \\ad1\users\lbrown is denied.
10.1.2 Access to \\ad1\share\
Everything is accessible (add, delete, modify).
10.2 Log out and log in as Larry Brown to check permissions
10.2.1 Access to \\ad1\users
Only the folder matching the user's own name is accessible (add, delete, modify):
10.2.2 Access to \\ad1\share
Everything except Security-HR is accessible.
That's all for now, thank you for reading!