Samba AD DC (Domain Controller) configuration

Original source: http://lihaitao.cn/?p=299

A blog post written by a senior from Shandong; quite good. I'll redo the experiment myself another day.

■ Before configuring the Samba AD DC (domain controller) to serve Active Directory, confirm the following items in advance.
* AD DC server host name: centos7-samba
* Domain: TESTAD
* Full domain name: TESTAD.LOCAL

1, Advance preparation
① CentOS 7 hostname configuration
# echo centos7-samba > /etc/hostname
After running the above command, reboot so that the host name takes effect.

② Because yum has no ready-made package for a Samba domain controller, Samba is installed from source.
  (1) Install the packages Samba needs for building:
# yum install perl-devel gcc attr libacl-devel libblkid-devel \
gnutls-devel python-devel readline-devel pkgconfig gdb \
krb5-workstation zlib-devel setroubleshoot-server libaio-devel \
setroubleshoot-plugins policycoreutils-python \
libsemanage-python perl-ExtUtils-MakeMaker perl-Parse-Yapp \
perl-Test-Base popt-devel libxml2-devel libattr-devel \
keyutils-libs-devel cups-devel bind-utils libxslt \
docbook-style-xsl openldap-devel autoconf pam-devel \
python2-crypto libtomcrypt libtommath libidn-devel libpcap-devel
  (2) If the cups package is not installed on the system, install cups and start the cups service.
# yum install cups
# systemctl start cups

2, Samba installation (4.1.12 is used as the example; it can be replaced by a newer version such as 4.4.10)
# wget https://download.samba.org/pub/samba/stable/samba-4.1.12.tar.gz
# tar zxvf samba-4.1.12.tar.gz
# cd samba-4.1.12
# ./configure && make && make install

3, Samba configuration
# /usr/local/samba/bin/samba-tool domain provision --use-rfc2307 --interactive --function-level=2008_R2
Realm: TESTAD.LOCAL (enter the full domain name decided at the start)
Domain [TESTAD]: (Enter key)
Server Role (dc, member, standalone) [dc]: (Enter key)
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: (Enter key)
DNS forwarder IP address (write 'none' to disable forwarding) [192.168.122.21]: (Enter key)
Administrator password: (the administrator password; the complexity requirement is a complex password of more than 7 characters)
Retype password: (re-enter the administrator password)
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=testad,DC=local
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=testad,DC=local
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Setting up fake yp server settings
Once the above files are installed, your Samba4 server will be ready to use
Server Role:           active directory domain controller
Hostname:              centos7-samba
NetBIOS Domain:        TESTAD
DNS Domain:            testad.local
DOMAIN SID: S-1-5-21-4219608262-2753158698-2115138841
The domain setup is now complete.
When you want to re-provision a domain, it is best to delete the old domain's configuration files first with the following commands.
# rm -f /usr/local/samba/etc/smb.conf
# rm -f /usr/local/samba/private/*
# rm -f /usr/local/samba/var/locks/sysvol/*

4, The smb.conf generated by the command in step 3 has the following contents.
# cat /usr/local/samba/etc/smb.conf
# Global parameters
[global]
	workgroup = TESTAD
	realm = TESTAD.LOCAL
	netbios name = CENTOS7-SAMBA
	server role = active directory domain controller
	dns forwarder = 192.168.122.21
	idmap_ldb:use rfc2307 = yes

[netlogon]
path = /usr/local/samba/var/locks/sysvol/testad.local/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

5, Start Samba
# /usr/local/samba/sbin/samba

6, Confirm the shared directories on the server
# /usr/local/samba/bin/smbclient -L localhost -U%
Domain=[TESTAD] OS=[Unix] Server=[Samba 4.1.12]

	Sharename       Type      Comment
	---------       ----      -------
	netlogon        Disk
	sysvol          Disk
	IPC$            IPC       IPC Service (Samba 4.1.12)
Domain=[TESTAD] OS=[Unix] Server=[Samba 4.1.12]

	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------

7, After creating the domain, the DC cannot function if DNS is not working, so configure DNS.
With the following command, point the domain controller's DNS resolver at its own address.
# echo "nameserver 127.0.0.1" > /etc/resolv.conf
After the above configuration, run the following commands to confirm that the DNS service works.
① Confirm the DNS zones
# /usr/local/samba/bin/samba-tool dns zonelist 127.0.0.1 -U Administrator
Password for [TESTAD\Administrator]:
  2 zone(s) found

pszZoneName                 : testad.local
Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
ZoneType                    : DNS_ZONE_TYPE_PRIMARY
Version                     : 50
dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
pszDpFqdn                   : DomainDnsZones.testad.local

pszZoneName                 : _msdcs.testad.local
Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
ZoneType                    : DNS_ZONE_TYPE_PRIMARY
Version                     : 50
dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
pszDpFqdn                   : ForestDnsZones.testad.local

② Confirm the DNS records
# host -t SRV _ldap._tcp.TESTAD.LOCAL
_ldap._tcp.TESTAD.LOCAL has SRV record 0 100 389 centos7-samba.testad.local.
# host -t SRV _kerberos._udp.TESTAD.LOCAL
_kerberos._udp.TESTAD.LOCAL has SRV record 0 100 88 centos7-samba.testad.local.
# host -t A centos7-samba.testad.local
centos7-samba.testad.local has address 192.168.122.84
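The two SRV lookups above are what every domain member performs to find the LDAP and Kerberos services, so a DC whose records point at the wrong host (or at nothing) fails silently for clients long before anything shows up in the Samba logs. The following is an added example, not code from the original post: a small POSIX sh check that parses the output of host -t SRV and confirms the record points at the DC on the expected port. It assumes the domain TESTAD.LOCAL and the DC name centos7-samba used throughout the post; the SAMPLE_* lines are constructed in the shape of the output shown above.

```shell
#!/bin/sh
# Added example, not part of the original post: verify that the SRV records a
# client needs to find the DC exist and point at the expected host.
# Assumes the domain TESTAD.LOCAL and the DC name centos7-samba from the post.
# The SAMPLE_* lines are constructed in the shape of "host -t SRV" output.

DC_HOST="centos7-samba.testad.local."

# parse_srv_target OUTPUT -> prints "PORT TARGET" taken from the first
# "has SRV record" line. host prints "NAME has SRV record PRIO WEIGHT PORT TARGET";
# some builds separate the numbers with commas (as in the post), so commas are
# turned into spaces first.
parse_srv_target() {
    printf '%s\n' "$1" | tr ',' ' ' \
        | awk '/has SRV record/ { print $(NF-1), $NF; exit }'
}

# check_srv NAME EXPECTED_PORT OUTPUT -> returns 0 if OUTPUT shows NAME resolving
# to DC_HOST on EXPECTED_PORT; otherwise prints why and returns 1.
check_srv() {
    name=$1
    want_port=$2
    result=$(parse_srv_target "$3")
    if [ -z "$result" ]; then
        echo "FAIL: no SRV record returned for $name"
        return 1
    fi
    port=${result%% *}
    target=${result#* }
    if [ "$port" = "$want_port" ] && [ "$target" = "$DC_HOST" ]; then
        echo "OK:   $name -> $target port $port"
        return 0
    fi
    echo "FAIL: $name -> $target port $port (expected $DC_HOST port $want_port)"
    return 1
}

# Live use on the DC (bind-utils was installed in step 1), run explicitly by the reader:
#   check_srv _ldap._tcp.TESTAD.LOCAL 389 "$(host -t SRV _ldap._tcp.TESTAD.LOCAL)"
#   check_srv _kerberos._udp.TESTAD.LOCAL 88 "$(host -t SRV _kerberos._udp.TESTAD.LOCAL)"

# Constructed sample output, shaped like the post's results, for offline testing:
SAMPLE_LDAP='_ldap._tcp.TESTAD.LOCAL has SRV record 0 100 389 centos7-samba.testad.local.'
SAMPLE_KRB='_kerberos._udp.TESTAD.LOCAL has SRV record 0,100,88 centos7-samba.testad.local.'
SAMPLE_STRAY='_ldap._tcp.TESTAD.LOCAL has SRV record 0 100 389 other-host.testad.local.'

check_srv _ldap._tcp.TESTAD.LOCAL 389 "$SAMPLE_LDAP"
check_srv _kerberos._udp.TESTAD.LOCAL 88 "$SAMPLE_KRB"
check_srv _ldap._tcp.TESTAD.LOCAL 389 "$SAMPLE_STRAY" || true   # reports the mismatch
```

A record that resolves but names a host other than the DC is the case worth catching: the lookup itself succeeds, so only comparing the target against the expected DC name reveals it.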

8, Kerberos configuration
Next, the Kerberos configuration. Run the following command to copy the generated template configuration file into place.
# cp /usr/local/samba/private/krb5.conf /etc/krb5.conf
cp: overwrite '/etc/krb5.conf'? y
Test the Kerberos function. (Form: kinit administrator@<full domain name in uppercase>)
# kinit administrator@TESTAD.LOCAL
Password for administrator@TESTAD.LOCAL:
Warning: Your password will expire in 41 days on Monday, 07 September 2015 15:57:48
If the following error message appears, check whether the DNS domain name was entered incorrectly and whether it is in uppercase.
# kinit administrator@TESTAD.LOCAL
Password for administrator@TESTAD.LOCAL:
kinit: KDC reply did not match expectations while getting initial credentials

9, Firewall and SELinux configuration
If the firewall is active, run the following commands to open the corresponding services and ports.
# firewall-cmd --permanent --zone=public --add-service=samba
# firewall-cmd --permanent --zone=public --add-service=kerberos
# firewall-cmd --permanent --zone=public --add-service=ldap
# firewall-cmd --permanent --zone=public --add-service=ldaps
# firewall-cmd --permanent --zone=public --add-service=dns
# firewall-cmd --permanent --zone=public --add-service=ntp
# firewall-cmd --permanent --zone=public --add-port=135/tcp
# firewall-cmd --permanent --zone=public --add-port=464/tcp
# firewall-cmd --permanent --zone=public --add-port=1024/tcp
# firewall-cmd --permanent --zone=public --add-port=3268/tcp
# firewall-cmd --permanent --zone=public --add-port=3269/tcp
# firewall-cmd --permanent --zone=public --add-port=137/udp
# firewall-cmd --permanent --zone=public --add-port=138/udp
# firewall-cmd --permanent --zone=public --add-port=389/udp
# firewall-cmd --reload

If SELinux is enabled, also run the following commands.
# setsebool -P samba_domain_controller on
# setsebool -P samba_export_all_ro on
# setsebool -P samba_export_all_rw on
# setsebool -P samba_enable_home_dirs on

If you do not need the firewall, it can be turned off with the following commands.
# systemctl stop firewalld
# systemctl disable firewalld
If SELinux is not needed, it can be disabled with the following commands.
# setenforce 0
# sed -i.bak "/SELINUX/s/enforcing/disabled/g" /etc/selinux/config

10, Logging on to the domain
On the Windows client, set the DNS server address to the address of the DC server, then join the domain (TESTAD) through "Computer name/domain changes" and log on.

On RHEL 7.3, if the following error occurs when running samba-tool domain provision, the fix is to comment out the line "includedir /etc/krb5.conf.d/" in /etc/krb5.conf.

Problem:

ERROR(ldb): uncaught exception - operations error at ../source4/dsdb/samdb/ldb_modules/password_hash.c:2241
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 461, in run
    nosync=ldap_backend_nosync, ldap_dryrun_mode=ldap_dryrun_mode)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 2171, in provision
    skip_sysvolacl=skip_sysvolacl)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1794, in provision_fill
    next_rid=next_rid, dc_rid=dc_rid)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1452, in fill_samdb
    "KRBTGTPASS_B64": b64encode(krbtgtpass.encode('utf-16-le'))
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/common.py", line 55, in setup_add_ldif
    ldb.add_ldif(data, controls)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/__init__.py", line 225, in add_ldif
    self.add(msg, controls)
Cause:
The line "includedir /etc/krb5.conf.d/" in /etc/krb5.conf is not correct for this build.

Comment that line out.

# /etc/krb5.conf (excerpt)

<omitted>
#includedir /etc/krb5.conf.d/ ← commented out
<omitted>

11, Directly accessing the LDAP data built into Samba

Modify smb.conf and add the following to the [global] section:

ldap server require strong auth = no

Then restart Samba (the samba process started in step 5).

Run the command:
ldapsearch -h TESTAD.LOCAL -x -LLL -D "cn=Administrator,cn=Users,dc=testad,dc=local" -W -b "cn=Users,dc=testad,dc=local"
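The setting added in this section is worth auditing for afterwards: the Samba default is yes, and setting it to no makes the DC accept simple binds (the -x -W bind in the ldapsearch above) over plain LDAP on port 389 without TLS or signing, so the Administrator password crosses the network in cleartext every time the query runs. The following is an added example, not code from the original post: a POSIX sh audit that reads the [global] section of an smb.conf the way Samba does (keys case-insensitive, whitespace around "=" ignored, last occurrence wins) and reports whether strong auth has been switched off. The two configuration files it inspects are constructed for the example and written to a temporary directory.

```shell
#!/bin/sh
# Added example, not part of the original post: audit an smb.conf for the
# "ldap server require strong auth" setting that section 11 sets to no.
# The Samba default is yes. With no, the DC accepts simple binds over plain
# LDAP (port 389) without TLS or signing, so the bind password crosses the
# network in cleartext. The two config files below are constructed for this
# example and written to a temporary directory.

# smb_global_value FILE KEY -> prints the value of KEY from the [global] section,
# lower-cased, or nothing if it is unset. Samba keys are case-insensitive, may
# contain spaces, and the last occurrence wins; whitespace around "=" is ignored.
smb_global_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*[#;]/ { next }                       # comment line
        /^[[:space:]]*\[/ {                                # section header
            insec = (tolower($0) ~ /^[[:space:]]*\[global\]/)
            next
        }
        insec && index($0, "=") {
            k = $0; sub(/=.*/, "", k); gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            v = $0; sub(/^[^=]*=/, "", v); gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (tolower(k) == key) val = tolower(v)
        }
        END { if (val != "") print val }' "$1"
}

# audit_ldap_auth FILE -> prints "weak" when strong auth is switched off, else "ok".
# An unset key means the Samba default, yes.
audit_ldap_auth() {
    v=$(smb_global_value "$1" "ldap server require strong auth")
    case "${v:-yes}" in
        no|false|0) echo weak ;;
        *)          echo ok ;;
    esac
}

# Constructed sample configs: the post's smb.conf with the section 11 line added,
# and the same file with that line removed (default kept).
TMPDIR_EX=$(mktemp -d)
WEAK_CONF="$TMPDIR_EX/smb-weak.conf"
SAFE_CONF="$TMPDIR_EX/smb-safe.conf"
cat > "$WEAK_CONF" <<'EOF'
# Global parameters
[global]
	workgroup = TESTAD
	realm = TESTAD.LOCAL
	server role = active directory domain controller
	ldap server require strong auth = No

[sysvol]
	path = /usr/local/samba/var/locks/sysvol
	read only = No
EOF
sed '/ldap server require strong auth/d' "$WEAK_CONF" > "$SAFE_CONF"

echo "weak config: $(audit_ldap_auth "$WEAK_CONF")"   # weak
echo "safe config: $(audit_ldap_auth "$SAFE_CONF")"   # ok
```

To run it against the real file, call audit_ldap_auth /usr/local/samba/etc/smb.conf. If the directory has to be queried from another host, the alternative that keeps the default is to bind over LDAPS instead (ldapsearch -H ldaps://centos7-samba.testad.local ... with the DC's certificate trusted on the client); the firewall step in section 9 already opens the ldaps service for that.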

12, Making the Samba service start automatically at boot

Edit the file

/etc/systemd/system/samba-ad-dc.service

---- samba-ad-dc.service content starts -------
[Unit]
Description=Samba4 AD DC
After=network.target remote-fs.target nss-lookup.target

[Service]
Type=simple
ExecStart=/usr/local/samba/sbin/samba -i
PIDFile=/var/run/samba/samba.pid

[Install]
WantedBy=multi-user.target
---- samba-ad-dc.service content ends -------

Run the following commands to enable the service at start-up, start it, and check its status.

systemctl enable samba-ad-dc
systemctl start samba-ad-dc
systemctl status samba-ad-dc

13, Samba4 password policy management commands

Check the current policy:

# samba-tool domain passwordsettings show
Password informations for domain 'DC=officepcv1,DC=unix-power,DC=net'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30

Correspondence with the Windows Active Directory password policy settings:

Item - Description
Password complexity - Password complexity restriction (mixed letters, digits and symbols from at least 3 character types, must not contain the user name, etc.)
Store plaintext passwords - Whether passwords are stored in their original (reversible) form
Password history length - Number of past passwords remembered (password history)
Minimum password length - Minimum password length
Minimum password age - Period during which the password cannot be changed (0 = can be changed at once)
Maximum password age - Password validity period (0 = never expires)
Account lockout duration - Time (minutes) the account stays locked once the wrong password has been entered the threshold number of times
Account lockout threshold - Number of failed password attempts before the account is locked (0 = never lock)
Reset account lockout after - Time (minutes) after which the failed-attempt counter is cleared

The above parameters can be changed with the following commands.

※ Disable password complexity checking
# samba-tool domain passwordsettings set --complexity=off

※ Set the minimum password length to 6
# samba-tool domain passwordsettings set --min-pwd-length=6

※ Set the minimum password age (the period during which the password cannot be changed) to 0
# samba-tool domain passwordsettings set --min-pwd-age=0

※ Set the password to never expire
# samba-tool domain passwordsettings set --max-pwd-age=0

※ Set the account lockout duration to 60 minutes
# samba-tool domain passwordsettings set --account-lockout-duration=60

※ Set the number of failed attempts before lockout to 5
# samba-tool domain passwordsettings set --account-lockout-threshold=5

※ Clear the failed-attempt counter after 5 minutes
# samba-tool domain passwordsettings set --reset-account-lockout-after=5
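The policy printed by passwordsettings show above has an account lockout threshold of 0, which in this table means accounts never lock, so nothing slows down online password guessing against the DC until the threshold command is run. The following is an added example, not code from the original post: a POSIX sh parser for the show output that flags the values a reviewer would question (complexity off, plaintext storage on, minimum length below the 7 the provision step requires, lockout threshold 0, maximum age 0). The sample output is constructed from the values shown in this section; the hardened variant assumes the threshold has been set to 5 with the command above.

```shell
#!/bin/sh
# Added example, not part of the original post: parse the output of
# "samba-tool domain passwordsettings show" and flag values that weaken the
# policy. The sample below is constructed from the values printed in section 13,
# where the lockout threshold is 0, so no number of wrong passwords ever locks
# an account and online guessing is never slowed down.

# pw_setting OUTPUT LABEL -> prints the value after "LABEL:" (exact label match).
pw_setting() {
    printf '%s\n' "$1" | awk -F': *' -v label="$2" '$1 == label { print $2; exit }'
}

# audit_pw_policy OUTPUT -> prints one finding per line; returns 1 if any finding.
audit_pw_policy() {
    out=$1
    findings=0
    if [ "$(pw_setting "$out" 'Password complexity')" = off ]; then
        echo "complexity off: trivial passwords are accepted"
        findings=1
    fi
    if [ "$(pw_setting "$out" 'Store plaintext passwords')" = on ]; then
        echo "plaintext storage on: passwords are kept in reversible form"
        findings=1
    fi
    len=$(pw_setting "$out" 'Minimum password length')
    if [ "${len:-0}" -lt 7 ]; then
        echo "minimum length ${len:-unset}: below the 7 the provision step requires"
        findings=1
    fi
    thr=$(pw_setting "$out" 'Account lockout threshold (attempts)')
    if [ "${thr:-0}" -eq 0 ]; then
        echo "lockout threshold 0: accounts never lock after failed logons"
        findings=1
    fi
    maxage=$(pw_setting "$out" 'Maximum password age (days)')
    if [ "${maxage:-0}" -eq 0 ]; then
        echo "maximum password age 0: passwords never expire"
        findings=1
    fi
    return $findings
}

# Constructed sample, copied from the values shown in the post:
SAMPLE_POLICY=$(cat <<'EOF'
Password informations for domain 'DC=officepcv1,DC=unix-power,DC=net'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30
EOF
)

# The same domain after "passwordsettings set --account-lockout-threshold=5":
HARDENED_POLICY=$(printf '%s\n' "$SAMPLE_POLICY" \
    | sed 's/^Account lockout threshold (attempts): 0$/Account lockout threshold (attempts): 5/')

# Live use on the DC, run explicitly by the reader:
#   audit_pw_policy "$(/usr/local/samba/bin/samba-tool domain passwordsettings show)"
audit_pw_policy "$SAMPLE_POLICY" || echo "-> policy needs attention"
audit_pw_policy "$HARDENED_POLICY" && echo "-> hardened policy: no findings"
```

The label match is exact rather than a regex, so "Minimum password length" and "Minimum password age (days)" cannot be confused, and an unset value is treated as 0 so that a missing line is reported rather than silently passed.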

Source: www.cnblogs.com/jinanxiaolaohu/p/11442719.html