Md. Shahzad Alam Md. Shahzad Alam Author
Title: Samba 4 – Active Directory Domain Controller on Centos -6.x
Author: Md. Shahzad Alam
Rating 5 of 5 Des:
Introduction of Samba- 4 Samba 4 is an open source and free software suit that brings Active Directory functionality to the open sou...


Introduction of Samba- 4

Samba 4 is an open source and free software suit that brings Active Directory functionality to the open source SMB/CIFS (Server Message Block/Common Internet File System) file and print server. Samba 4 can serve as an Active Directory Domain Controller, provide DNS services, handle Kerberos-based authentication, and administer group policy.

Samba4 Server Features

1).Can act as ADDC(Active Directory Domain Controller)
2). Can create Local Profile in samba-4
3). Can create Roaming Profile in samba-4
4). Auto logon scripts
5). Centralized system administration using Group policy

Server Information

Operrating System: Centos6.3 64 bit
IP Address: 192.168.0.69
FQDN : server.kvit.in
Domain Name: kvit.in
Selinux : Disabled
DNS Forwarding IP Address:8.8.8.8 ( Change to yours)

Installation step

Install all dependencies package to build system samba-4

[root@server ~]# yum install glibc glibc-devel gcc python* libacl-devel krb5-workstation krb5-libs pam_krb5 libldap2-dev openldap-devel wget

Query old available rpm package of samba

[root@server ~]# rpm -qa | grep samba

If package are available remove them with YUM

[root@server ~]# yum remove samba-winbind-client samba-common samba-client

Install git to dowload the latest Samba 4 version

[root@server ~]# yum install git-core

Download the latest version of samba from git repository

[root@server ~]# git clone git://git.samba.org/samba.git samba-master

Reboot the server as a precaution so that all packages or kernel updates will be applied

[root@server ~]#shutdown -r now

Login again as root to build samba and then compile samba package

[root@server ~]#cd samba-master
[root@server ~]#./configure –enable-debug –enable-selftest
[root@server ~]#make

If everything reports okay you can then install samba

[root@server ~]#make install

You should now have samba installed to ‘/usr/local/samba

Provision Samba 4 steps: The provision step sets up a basic user database, and is used when you are setting up your Samba4 server in its own domain.

Issue this command from root:

[root@server ~]# /usr/local/samba/bin/samba-tool domain provision
Realm [KVIT.IN]: (press Enter)
Domain [KVIT]: (press Enter)
Server Role (dc, member, standalone) [dc]: (press Enter)
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: (press Enter)
DNS forwarder IP address (write ‘none’ to disable forwarding) [8.8.8.8]: (press Enter)
Administrator password:********* (Set Here DC Administrator password)
Retype password: *********

Result will show like this

Creating CN=MicrosoftDNS,CN=System,DC=kvit,DC=in
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role: active directory domain controller
Hostname: server
NetBIOS Domain: KVIT
DNS Domain: kvit.in
DOMAIN SID: S-1-5-21-1541916875-3099074859-2332263890

Note: You may need to remove the ‘/usr/local/samba/etc/smb.conf’ file if you are re-running the provision command. If you encounter any errors when running the provision command, you may need to install the necessary missing packages or fix errors and then run ‘./configure’, ‘make’ and ‘make install’ commands again as stated above. Remember to do a ‘make clean’ in the root of your ‘samba-master’ directory before running ‘make’ again.

If the provision setup was successful reboot the server

[root@server ~]#shutdown -r now

Start samba daemon manually

[root@server ~]# /usr/local/samba/sbin/samba

If you like to start samba at boot time, Add /usr/local/samba/sbin/samba’ in /etc/rc.local file.
[root@server ~]#vim /etc/rc.local
/usr/local/samba/sbin/samba

Verify you are indeed running the correct version

[root@server ~]# /usr/local/samba/sbin/samba -V
Version 4.3.0pre1-GIT-d098b6c

Now run this command to list the shares on your Samba4 server

[root@server ~]# /usr/local/samba/bin/smbclient -L localhost -U%
Domain=[KVIT] OS=[Windows 6.1] Server=[Samba 4.3.0pre1-GIT-d098b6c]
Sharename Type Comment
——— —- ——-
netlogon Disk
sysvol Disk
IPC$ IPC IPC Service (Samba 4.3.0pre1-GIT-d098b6c)
Domain=[KVIT] OS=[Windows 6.1] Server=[Samba 4.3.0pre1-GIT-d098b6c]
Server Comment
——— ——-
Workgroup Master
——— ——-

Configure DNS Now

Interface settings

[root@server ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=”eth0″
BOOTPROTO=”static”
ONBOOT=”yes”
TYPE=”Ethernet”
GATEWAY=”192.168.0.254″
IPADDR=”192.168.0.69″
NETMASK=255.255.255.0

Edit your /etc/resolv.conf‘ file

[root@server ~]# vim /etc/resolv.conf
domain kvit.in
nameserver 192.168.0.69

Here is configuration file of samba 4 /usr/local/samba/etc/smb.conf

[root@server ~]# cat /usr/local/samba/etc/smb.conf
# Global parameters
[global]
workgroup = KVIT
realm = KVIT.IN
netbios name = SERVER
server role = active directory domain controller
dns forwarder = 8.8.8.8
[netlogon]
path = /usr/local/samba/var/locks/sysvol/kvit.in/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

Test DNS Now

[root@server ~]# nslookup kvit.in
Server: 192.168.0.69
Address: 192.168.0.69#53
Name: kvit.in
Address: 192.168.0.69

[root@server ~]# host -t SRV _ldap._tcp.kvit.in.
_ldap._tcp.kvit.in has SRV record 0 100 389 server.kvit.in.

[root@server ~]# host -t SRV _kerberos._udp.kvit.in.
_kerberos._udp.kvit.in has SRV record 0 100 88 server.kvit.in.

[root@server ~]# host -t A server.kvit.in.
server.kvit.in has address 192.168.0.69

Now, Flush and save Iptables

[root@server ~]# iptables -F
[root@server ~]# service iptables save
[root@server ~]# service iptables restart

Configure Kerberos file

In CentOS 6.3 or 6.4, kerberos is handled by the ‘/etc/krb5.conf’ file. Make a backup copy of this original file, and then replace the existing file, if any, with the sample from /usr/local/samba/share/setup/krb5.conf.

[root@server ~]# cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf
Edit file like below:
[root@server ~]# cat /etc/krb5.conf
[libdefaults]
default_realm = KVIT.IN
dns_lookup_realm = false
dns_lookup_kdc = true

Testing Kerberos

[root@server ~]# kinit administrator@KVIT.IN

‘kinit’ will not give you any output. To verify that Kerberos is working, and that you received a ticket, run the following

[root@server ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@KVIT.IN
Valid starting     Expires            Service principal
04/26/15 01:04:46  04/26/15 11:04:46  krbtgt/KVIT.IN@KVIT.IN
renew until 04/27/15 01:04:41

NTP (Network Time Protocol)

Make sure that ‘ntpd’ is running and installed. If ‘ntpd’ is not installed you can install it with YUM:

[root@server ~]# yum install ntp
[root@server ~]#/etc/init.d/ntpd start

Also, use the ‘chkconfig’ command to have ntpd run at boot:

[root@server ~]#chkconfig ntpd on

[root@server ~]# /usr/local/samba/sbin/samba

Put samba 4 command in bashrc

[root@server ~]# vi ~/.bashrc
export PATH=$PATH:/usr/local/samba/sbin:/usr/local/samba/bin

Reboot the the server to update bashrc file

or,

[root@server ~]# bash
Now restart samba daemon like this

[root@server ~]# samba

Check the process of samba service

[root@server ~]# ps -ef | grep samba

Join windows system in Domain

Client machine settings
IP address settings of your Windows 7 client NIC
ip settings

Click ‘OK’ to save the changes.

Now bring up a command prompt in windows and ping the Samba DC:

ping 192.168.0.69

Verify that DNS is working correctly by pinging the FQDN:

ping server.kvit.in

If you get replies from both then this is a good sign and should mean that your Samba DC is functional. Also, you may need to reboot Windows for network settings to take effect.

Configure data and time on client system
Date and time



Join windows client in to domain
1). Right-click ‘My Computer’ icon and choose ‘Properties’
2). From the left-side pane click ‘Advanced system settings’
3). Choose the ‘Computer Name’ tab and click ‘Change…’

4). Select option ‘Domain’, and insert KVIT.IN. If this fails just try KVIT
join in domain


5). When it requests a username and password, type ‘Administrator’ as the username and then enter your password. (password = the password you used when you ran the ‘samba-tool domain provision’ command)
6). You should get a message box stating ‘Welcome to the KVIT.IN domain’
7). Click OK on this message box and the Properties window, and you will then be instructed to restart your computer.
8). After restarting you should be presented with the normal login dialog. Click on ‘Switch User’ button.

9). Choose ‘Other user’ and then enter in the following.
login


Press ‘Enter’ or the arrow button.
10). You should then authenticate and then login to Windows.
Install windows Remote Administration tool
To install the GUI tools to manage the domain you must install the Remote Server Administration Tools . This will allow you easily manage the domain using Active Directory.

12).Enable the necessary components in ‘Control Panel -> Programs -> Turn Windows features on or off -> Remote Server Administration Tools’
Enable remote tool


13). Now open AD Console and create one or more domain user

Go to Run type : dsa.msc ( For AD console)
AD Console

14). Now create a domain user to login in to system
R/c on User ==> New ==> User:
First Name: Shahzad
Last Name: Alam
User Logon name: shahzad
Set user password: ******* (Minimum password length should be 7 and complex)
Now, login in to client machine with new domain user
local user login


About Author

Advertisement

Post a Comment

  1. Most of the users today don't require a significant knowledge of the server side programming for the administration of their system. Learn more about active directory user import on this link .

    ReplyDelete
  2. I think this is an informative post and it is very useful and knowledgeable. therefore, I would like to thank you for the efforts you have made in writing this article. word combiner for names

    ReplyDelete

 
Top