Monday, 11 August 2014

SAMBA4 as an Active Directory Domain Controller on RHEL 6.x / CentOS 6.x



Step 1. Update your system 

# yum update

Step 2: Install the following packages 

# yum install glibc glibc-devel gcc python* libacl-devel krb5-workstation krb5-libs pam_krb5

Step 3: Remove the older Samba packages from the system

# rpm -qa | grep samba


# yum remove samba-winbind-client samba-common samba-client

Step 4: Download and compile the Samba 4 package.

# wget http://ftp.samba.org/pub/samba/samba-latest.tar.gz

# tar -xzvf samba-latest.tar.gz

# cd samba*

# ./configure --enable-debug --enable-selftest

# make

# make install

Step 5: Configure Samba4 as an Active Directory Domain Controller

# /usr/local/samba/bin/samba-tool domain provision

Realm [EXAMPLE.COM]: (press Enter)
Domain [EXAMPLE]: (press Enter)
Server Role (dc, member, standalone) [dc]: (press Enter)
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: (press Enter)
DNS forwarder IP address (write 'none' to disable forwarding) [192.168.0.1]: 8.8.8.8
Administrator password: <your_secret_admin_password>
Retype password: <your_secret_admin_password_again>

NOTE: You can provide your own values according to your requirements.


Step 6: If the above was successful, the output should look similar to this:

Creating CN=MicrosoftDNS,CN=System,DC=example,DC=com
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at  
        /usr/local/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role: active directory domain controller
Hostname: samba
NetBIOS Domain: EXAMPLE
DNS Domain: example.com
DOMAIN SID: S-1-5-xx-xxxxxxxxxx-xxxxxxxxx-xxxxxxxxxx


Step 7: Now Reboot your system 

# shutdown -r now


Step 8: Start the samba daemon:

# /usr/local/samba/sbin/samba

If you would like Samba to start at boot, append the following to your '/etc/rc.d/rc.local' file:

/usr/local/samba/sbin/samba

Step 9: Testing Samba as an Active Directory DC

# /usr/local/samba/sbin/samba -V

Version 4.1.0pre1-GIT-c1fb37d

Verify you are running the correct samba-client version:

# /usr/local/samba/bin/smbclient --version

Version 4.1.0pre1-GIT-c1fb37d

Now run this command to list the shares on your Samba4 server:

# /usr/local/samba/bin/smbclient -L localhost -U%

Domain=[EXAMPLE] OS=[Unix] Server=[Samba 4.1.0pre1-GIT-c1fb37d]

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk
        sysvol          Disk
        IPC$            IPC       IPC Service (Samba 4.1.0pre1-GIT-c1fb37d)
Domain=[EXAMPLE] OS=[Unix] Server=[Samba 4.1.0pre1-GIT-c1fb37d]

        Server               Comment
        -------              ---------

        Workgroup            Master
        -------              ---------

Step 10: Configure DNS Client 

Edit your '/etc/resolv.conf' file to look like this:

# Generated by NetworkManager
domain example.com
nameserver 192.168.0.2

Step 11: Testing DNS

# host -t SRV _ldap._tcp.example.com.
_ldap._tcp.example.com has SRV record 0 100 389 master.example.com.

# host -t SRV _kerberos._udp.example.com.
_kerberos._udp.example.com has SRV record 0 100 88 master.example.com.

# host -t A master.example.com.
master.example.com has address 192.168.0.2


Step 12: Configure the firewall according to your needs. In my case, I am stopping my firewall.

# service iptables stop
# chkconfig iptables off
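
Instead of stopping iptables altogether, the DC can keep a default-drop policy and admit only the services a domain controller offers. The following is an added example, not part of the original post: a shell function that prints an iptables-restore ruleset. The 192.168.0.0/24 client subnet (inferred from the 192.168.0.2 address used in this guide), the SSH rule and the dynamic RPC port range are assumptions to adjust for your network and Samba version.

```shell
#!/bin/sh
# Added example: print an iptables-restore ruleset for a Samba AD DC.
# Usage: dc_rules <client-subnet-in-CIDR> [<dynamic-rpc-port-range>]
dc_rules() {
    lan="$1"
    # Assumption: 49152:65535 is the dynamic RPC range of current Samba
    # releases; releases before 4.7 used 1024:1300. Check your version.
    rpc="${2:-49152:65535}"

    # Refuse anything that is not in address/prefix form, so a typo
    # cannot silently produce rules without a source restriction.
    case "$lan" in
        */*) ;;
        *) echo "dc_rules: subnet must be in CIDR form" >&2; return 1 ;;
    esac

    echo "*filter"
    echo ":INPUT DROP [0:0]"
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -p icmp -j ACCEPT"
    echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Assumption: SSH administration from the same subnet.
    echo "-A INPUT -s $lan -p tcp -m state --state NEW --dport 22 -j ACCEPT"
    # TCP: DNS, Kerberos, RPC endpoint mapper, NetBIOS session, LDAP, SMB,
    # kpasswd, LDAPS, global catalog (plain and SSL), dynamic RPC.
    for port in 53 88 135 139 389 445 464 636 3268 3269 "$rpc"; do
        echo "-A INPUT -s $lan -p tcp -m state --state NEW --dport $port -j ACCEPT"
    done
    # UDP: DNS, Kerberos, NTP, NetBIOS name/datagram, CLDAP, kpasswd.
    for port in 53 88 123 137 138 389 464; do
        echo "-A INPUT -s $lan -p udp --dport $port -j ACCEPT"
    done
    echo "-A INPUT -j REJECT --reject-with icmp-host-prohibited"
    echo "COMMIT"
}

# Print the ruleset for the subnet assumed above; nothing is applied.
dc_rules 192.168.0.0/24
```

On CentOS 6 the output belongs in '/etc/sysconfig/iptables', which `service iptables restart` loads; leave the service enabled with `chkconfig iptables on` so the rules survive a reboot.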

Step 13: Configuring Kerberos 

# cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf

# vim /etc/krb5.conf
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true

Step 14: Testing Kerberos

# kinit administrator@EXAMPLE.COM
Password for administrator@EXAMPLE.COM:

To verify that Kerberos is working, and that you received a ticket, run the following:

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@EXAMPLE.COM
Valid starting     Expires            Service principal
12/23/12 15:39:28  12/24/12 01:39:28  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 12/24/12 15:39:19


Step 15: NTP (Network Time Protocol)

# yum install ntp

# /etc/init.d/ntpd start

# chkconfig ntpd on


NOTE: CORRECT TIME IS IMPORTANT FOR KERBEROS TO FUNCTION CORRECTLY. MAKE SURE NTPD IS RUNNING ON THE SAMBA SERVER AND THAT YOU SET THE WINDOWS CLIENT TO THE MOST ACCURATE TIME POSSIBLE! THE WINDOWS CLIENT TIME SHOULD BE SET TO THE EXACT TIME OF THE SAMBA 4 SERVER WITHIN A FEW SECONDS IF POSSIBLE.


Step 16: Now you can join your Windows Client to this Domain Controller.

Step 17: Now you can install the RSAT tools on a Windows machine to manage the SAMBA4 Active Directory Domain Controller.



4 comments:

  1. Nice job... Do you know that now you don't need to compile??? You can use the SerNET repos with the latest version... http://enterprisesamba.com/ You'll need a free account to use the repo; you can get it here: https://portal.enterprisesamba.com/
  2. Hi Suresh,

    I want to integrate samba domain users with svn application for authentication, could you please help me how to do that
  3. Hi Suresh,

    Great one, Can you please help me in configuration for authenticate to samba4 for linux users.
  4. I am really impressed your written a blog. Hope we are eagerly waiting for such post from your side. HATS OFF for the valuable information shared!