samba4 AD configuration

http://en.gentoo-wiki.com/wiki/Samba4_as_Active_Directory_Server

https://wiki.samba.org/index.php/Samba4/HOWTO

http://opentodo.net/2013/01/samba4-as-ad-domain-controller-on-centos-6/

http://www.alexwyn.com/computer-tips/centos-samba4-active-directory-domain-controller

https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO

[root@desktop52 ~]# cat /etc/redhat-release
CentOS release 6.4 (Final)

Requirements:

[root@desktop52 ~]# yum remove samba-common samba-client samba-winbind-clients
[root@desktop52 ~]# yum install gcc libacl-devel python libblkid-devel gnutls-devel \
readline-devel python-devel gdb pkgconfig krb5-workstation \
zlib-devel setroubleshoot-server libaio-devel \
setroubleshoot-plugins policycoreutils-python \
libsemanage-python setools-libs-python setools-libs \
popt-devel libpcap-devel sqlite-devel libidn-devel \
libxml2-devel libsepol-devel libattr-devel \
keyutils-libs-devel cyrus-sasl-devel cups-devel bind bind-utils bind-libs

[root@desktop52 ~]# tar -zxvf samba-4.0.8.tar.gz
[root@desktop52 ~]# cd samba-4.0.8
[root@desktop52 ~]# ./configure --enable-debug --enable-selftest
[root@desktop52 ~]# make
[root@desktop52 ~]# make install
[root@desktop52 ~]# /usr/local/samba/bin/samba-tool domain provision --use-rfc2307 --interactive
Realm [BIPINPATEL.COM]: DESKTOP52.BIPINPATEL.COM
Domain [DESKTOP52]: bipinpatel.com
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: BIND9_DLZ
Administrator password:
Retype password:
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=desktop52,DC=bipinpatel,DC=com
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=desktop52,DC=bipinpatel,DC=com
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
See /usr/local/samba/private/named.conf for an example configuration include file for BIND
and /usr/local/samba/private/named.txt for further documentation required for secure DNS updates
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Setting up fake yp server settings
Once the above files are installed, your Samba4 server will be ready to use
Server Role: active directory domain controller
Hostname: desktop52
NetBIOS Domain: BIPINPATEL.COM
DNS Domain: desktop52.bipinpatel.com
DOMAIN SID: S-1-5-21-280238313-2852668962-961281365

[root@desktop52 ~]#

With the BIND9_DLZ backend the zone data lives in the Samba4 AD database; BIND loads it through Samba's DLZ module, which the generated /usr/local/samba/private/named.conf include file sets up.

## [root@desktop52 ~]# rndc-confgen -a -r /dev/urandom    # not required for this setup

[root@desktop52 ~]# cat /etc/named.conf
options {
    listen-on port 53 { 127.0.0.1; 192.168.0.52; };
    allow-query { localhost; any; };

    tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
};
include "/usr/local/samba/private/named.conf";

[root@desktop52 ~]# /etc/init.d/named restart
Stopping named: [ OK ]
Starting named: [ OK ]
[root@desktop52 ~]# dig desktop52.bipinpatel.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6 <<>> desktop52.bipinpatel.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12339
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;desktop52.bipinpatel.com. IN A

;; ANSWER SECTION:
desktop52.bipinpatel.com. 900 IN A 192.168.0.52

;; AUTHORITY SECTION:
desktop52.bipinpatel.com. 900 IN NS desktop52.desktop52.bipinpatel.com.

;; ADDITIONAL SECTION:
desktop52.desktop52.bipinpatel.com. 900 IN A 192.168.0.52

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Aug 30 15:07:02 2013
;; MSG SIZE rcvd: 98

[root@desktop52 ~]#

[root@desktop52 ~]# cp /usr/local/samba/private/krb5.conf /etc/krb5.conf
cp: overwrite `/etc/krb5.conf'? y

[root@desktop52 ~]# wget http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-4.2.6p5.tar.gz
[root@desktop52 ~]# tar -zxvf ntp-4.2.6p5.tar.gz
[root@desktop52 ~]# cd ntp-4.2.6p5
[root@desktop52 ntp-4.2.6p5]# ./configure --enable-ntp-signd
[root@desktop52 ntp-4.2.6p5]# make
[root@desktop52 ntp-4.2.6p5]# make install
[root@desktop52 ~]# cat /etc/ntp.conf
server 127.127.1.0
fudge 127.127.1.0 stratum 10
server 0.pool.ntp.org iburst prefer
server 1.pool.ntp.org iburst prefer
driftfile /var/lib/ntp/ntp.drift
logfile /var/log/ntp
ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/
restrict default kod nomodify notrap nopeer mssntp
restrict 127.0.0.1
restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery

[root@desktop52 ~]# chown named:named /usr/local/samba/private/dns
[root@desktop52 ~]# chown named:named /usr/local/samba/private/dns.keytab
[root@desktop52 ~]# chmod 775 /usr/local/samba/private/dns
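An added check (not part of the original notes) for the ownership and mode set above: BIND runs as named and must read dns.keytab and write the dns directory, while no other user should be able to read the keytab, which holds the Kerberos keys of the DNS service account. Paths and the named user default to the ones used on this page and can be overridden through the environment.

```shell
#!/bin/sh
# Added example (not from the original post): verify the files BIND needs for
# the BIND9_DLZ backend have the ownership the chown/chmod steps above give
# them, and that dns.keytab cannot be read by other users. The paths and the
# "named" user are the post's defaults; both can be overridden for testing.
SAMBA_PRIVATE=${SAMBA_PRIVATE:-/usr/local/samba/private}
BIND_USER=${BIND_USER:-named}

# owner name and octal mode via GNU stat (as on CentOS); empty if missing
file_owner() { stat -c '%U' "$1" 2>/dev/null; }
file_mode()  { stat -c '%a' "$1" 2>/dev/null; }

# 0 if file "$1" is owned by "$2" and its "other" permission digit is 0
keytab_is_private() {
  [ -f "$1" ] && [ "$(file_owner "$1")" = "$2" ] || return 1
  case "$(file_mode "$1")" in
    *0) return 0 ;;
    *)  return 1 ;;
  esac
}

# 0 if directory "$1" is owned by "$2" and the owner has rwx on it
# (BIND writes the DLZ database there, so 775 as in the post is fine)
dns_dir_writable_by() {
  [ -d "$1" ] && [ "$(file_owner "$1")" = "$2" ] || return 1
  case "$(file_mode "$1")" in
    7??|?7??) return 0 ;;
    *)        return 1 ;;
  esac
}

# run both checks on a Samba private directory; non-zero on any failure
check_bind_dlz_files() {
  rc=0
  if keytab_is_private "$1/dns.keytab" "$2"; then
    echo "ok   $1/dns.keytab owned by $2 and not readable by others"
  else
    echo "FAIL $1/dns.keytab: expected owner $2 and a mode with other=0"; rc=1
  fi
  if dns_dir_writable_by "$1/dns" "$2"; then
    echo "ok   $1/dns owned by $2 and writable by it"
  else
    echo "FAIL $1/dns: expected owner $2 with owner rwx (e.g. 775)"; rc=1
  fi
  return $rc
}

# live check when run on the DC (skipped if the directory is not there)
if [ -d "$SAMBA_PRIVATE" ]; then
  check_bind_dlz_files "$SAMBA_PRIVATE" "$BIND_USER"
fi
```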
[root@desktop52 ~]# cat /etc/init.d/samba4
#!/bin/bash
#
# samba4        Bring up/down the samba4 service
#
# chkconfig: - 90 10
# description: Activates/Deactivates the samba4 AD DC configured to \
#              start at boot time.
#
### BEGIN INIT INFO
# Provides: samba4
# Should-Start:
# Short-Description: Bring up/down samba4
# Description: Bring up/down samba4
### END INIT INFO

# Source function library.
. /etc/init.d/functions

if [ -f /etc/sysconfig/samba4 ]; then
    . /etc/sysconfig/samba4
fi

prog="samba4"
SAMBA=/usr/local/samba/sbin/samba

# is the samba daemon running?
running() {
    ps ax | grep -v "grep" | grep -q /samba/sbin/samba
}

start() {
    echo -n $"Starting $prog: "
    $SAMBA
    sleep 2
    if running ; then success $"samba4 startup"; else failure $"samba4 startup"; fi
    echo
}
stop() {
    echo -n $"Shutting down $prog: "
    killall samba
    sleep 2
    if running ; then failure $"samba4 shutdown"; else success $"samba4 shutdown"; fi
    echo
}
status() {
    if running ; then
        echo "$prog is running"
        $SAMBA --show-build
    else
        echo "$prog is stopped"
        return 3
    fi
}

# See how we were called.
case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    status)
        status
        ;;
    restart|reload)
        stop
        start
        ;;
    *)
        echo $"Usage: $0 {start|stop|restart|status}"
        exit 1
esac

exit 0
[root@desktop52 ~]# chmod 755 /etc/init.d/samba4

[root@desktop52 ~]# cat /etc/init.d/ntpd
#!/bin/bash
#
# ntpd          Bring up/down the ntp service (ntpd built with --enable-ntp-signd)
#
# chkconfig: - 99 30
# description: Bring up/down ntp
#
### BEGIN INIT INFO
# Provides: ntpd
# Should-Start:
# Short-Description: Bring up/down ntp
# Description: Bring up/down ntp
### END INIT INFO

# Source function library.
. /etc/init.d/functions

NTPD=/usr/local/bin/ntpd
PIDFILE=/var/run/ntpd.pid
prog="ntp"

start() {
    echo -n $"Starting $prog: "
    $NTPD -p $PIDFILE
    sleep 2
    if ps ax | grep -v "grep" | grep -q $NTPD ; then success $"ntp startup"; else failure $"ntp startup"; fi
    echo
}
stop() {
    echo -n $"Shutting down $prog: "
    # only signal the daemon when a pid file exists, so stopping an already
    # stopped service does not print a "cat: No such file" error
    if [ -f $PIDFILE ]; then
        kill "$(cat $PIDFILE)" > /dev/null 2>&1
    fi
    sleep 2
    if ps ax | grep -v "grep" | grep -q $NTPD ; then failure $"ntp shutdown"; else success $"ntp shutdown"; fi
    echo
}

# See how we were called.
case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart|reload)
        stop
        start
        ;;
    *)
        echo $"Usage: $0 {start|stop|restart}"
        exit 1
esac
exit 0

[root@desktop52 ~]# chmod 755 /etc/init.d/ntpd

DNS forwarder

The relevant line of /usr/local/samba/etc/smb.conf (in the [global] section):

[root@design ~]# cat /usr/local/samba/etc/smb.conf

dns forwarder = 8.8.8.8

Note that this parameter is honoured by Samba's internal DNS server (SAMBA_INTERNAL); with the BIND9_DLZ backend chosen above, forwarding of names outside the AD zones is configured with a forwarders statement in /etc/named.conf instead.

Configure roaming profiles in Samba 4

1. Create a share for the profiles, typically named profiles. Edit /usr/local/samba/etc/smb.conf to include:

[profiles]
path = /usr/local/samba/var/profiles
read only = no

2. Create that directory:

$ sudo mkdir /usr/local/samba/var/profiles

3. In Windows, start Active Directory Users and Computers, select all the users, right-click and choose Properties.

4. On the Profile tab, in the Profile path field, enter the path to your share followed by %USERNAME%:

\\sambaserver.samdom.example.com\profiles\%USERNAME%

5. Click OK, log out and log in as one of those users. When you log out again, the profile should have been synced to the Samba server.

Set up a printer share

Basic print sharing

1. Create a print spool directory and set its permissions. This is where Samba stores temporary files for print jobs:

mkdir /usr/local/samba/var/spool
chmod 1777 /usr/local/samba/var/spool

2. Configure Samba to use it by adding the following to /usr/local/samba/etc/smb.conf:

[printers]
    comment = All Printers
    path = /usr/local/samba/var/spool
    browseable = Yes
    read only = No
    printable = Yes

Point and Print drivers

For convenience, Windows clients can ask the server that shares a printer for the matching print driver. To enable this in Samba, a special print$ share has to be created.

1. Create the driver share directory with its per-architecture sub-directories:

mkdir -p /usr/local/samba/var/print/{COLOR,IA64,W32ALPHA,W32MIPS,W32PPC,W32X86,WIN40,x64}

2. Configure Samba to use it by adding the following to /usr/local/samba/etc/smb.conf:

[print$]
    comment = Point and Print Printer Drivers
    path = /usr/local/samba/var/print
    read only = No

Then install the drivers from a Windows client:

1. Log in as a Domain Administrator on a client computer.

2. Click Start -> Run and open '\\samba\'.

3. In the list of shares, double-click 'Printers and Faxes'.

4. Click File -> Server Properties.

5. On the Drivers tab, click 'Add...', then 'Next'.

   (screenshot: http://wikiupload.samba.org/images/6/63/SambaServerDrivers.jpg)

6. In the following prompts, choose the driver you would like to install and click 'Next'.

   (screenshot: http://wikiupload.samba.org/images/0/00/SambaServerChooseDriver.jpg)

7. Choose the architectures you are installing the drivers for. If you choose an architecture that the client computer has no driver for, you will be prompted to provide a disk with the drivers.

   (screenshot: http://wikiupload.samba.org/images/0/00/SambaServerChooseArch.jpg)

8. Close the Server Properties dialog box.

9. Right-click the printer the driver is for and choose Properties.

10. On the Advanced tab, change the Driver drop-down box to the driver you just installed.

[root@desktop52 var]# /usr/local/samba/bin/smbclient -L localhost -U%

Domain=[BIPINPATEL.COM] OS=[Unix] Server=[Samba 4.0.8]

Sharename       Type      Comment
---------       ----      -------
netlogon        Disk
sysvol          Disk
profiles        Disk
IPC$            IPC       IPC Service (Samba 4.0.8)
Domain=[BIPINPATEL.COM] OS=[Unix] Server=[Samba 4.0.8]

Server               Comment
---------            -------

Workgroup            Master
---------            -------
[root@desktop52 var]#
[root@desktop52 ~]# /etc/init.d/named restart
Stopping named: . [ OK ]
Starting named: [ OK ]
[root@desktop52 ~]# /etc/init.d/ntpd restart
Shutting down ntp: cat: /var/run/ntpd.pid: No such file or directory
[ OK ]
Starting ntp: [ OK ]
[root@desktop52 ~]#
[root@desktop52 ~]# /etc/init.d/ntpd restart
Shutting down ntp: [ OK ]
Starting ntp: [ OK ]
[root@desktop52 ~]# /etc/init.d/samba4 restart
Shutting down samba4: samba: no process killed
[ OK ]
Starting samba4: [ OK ]
[root@desktop52 ~]#
[root@desktop52 ~]# /etc/init.d/samba4 restart
Shutting down samba4: [ OK ]
Starting samba4: [ OK ]
[root@desktop52 ~]# chkconfig --level 235 samba4 on
[root@desktop52 ~]# chkconfig --level 235 ntpd on
[root@desktop52 ~]# chkconfig --level 235 named on

[root@desktop52 ~]# iptables -I INPUT -m udp -p udp --dport 53 -m comment --comment "DNS" -j ACCEPT
[root@desktop52 ~]#
[root@desktop52 ~]# iptables -I INPUT -m udp -p udp --dport 123 -m comment --comment "NTP" -j ACCEPT
[root@desktop52 ~]# iptables -I INPUT -m udp -p udp --dport 135 -m comment --comment "RPC UDP" -j ACCEPT
[root@desktop52 ~]# iptables -I INPUT -m udp -p udp --dport 138 -m comment --comment "NetBIOS Netlogon and Browsing" -j ACCEPT
[root@desktop52 ~]# iptables -I INPUT -m udp -p udp --dport 389 -m comment --comment "LDAP UDP" -j ACCEPT
[root@desktop52 ~]#
[root@desktop52 ~]# iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 88 -m comment --comment "Kerberos" -j ACCEPT
[root@desktop52 ~]# iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 464 -m comment --comment "Kerberos Password Management" -j ACCEPT
[root@desktop52 ~]# iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 139 -m comment --comment "NetBIOS Session" -j ACCEPT
[root@desktop52 ~]# iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 445 -m comment --comment "SMB CIFS" -j ACCEPT
[root@desktop52 ~]#
[root@desktop52 ~]# iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 389 -m comment --comment "LDAP TCP" -j ACCEPT
[root@desktop52 ~]# iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 636 -m comment --comment "LDAP SSL" -j ACCEPT
[root@desktop52 ~]# iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 3268 -m comment --comment "LDAP Global Catalog" -j ACCEPT
[root@desktop52 ~]# iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 3269 -m comment --comment "LDAP Global Catalog SSL" -j ACCEPT
[root@desktop52 ~]#
[root@desktop52 ~]# /etc/init.d/iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
[root@desktop52 ~]#
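The rules above accept the AD ports from any source address. As an added example (not from the original post), this script emits the same port list with every rule limited to one client network, so the DC's Kerberos, LDAP and SMB services are only reachable from the LAN; LAN is an assumed value and must be set to the real client subnet.

```shell
#!/bin/sh
# Added example (not from the original post): the DC port list from the
# iptables rules above, with "-s <client network>" on every rule. LAN is an
# assumed value; without the "apply" argument the script only prints the
# rules it would run.
LAN=${LAN:-192.168.0.0/24}

# port:label pairs taken from the post's rules (labels use _ for spaces)
UDP_SERVICES="53:DNS 123:NTP 135:RPC_UDP 138:NetBIOS_Netlogon_and_Browsing 389:LDAP_UDP"
TCP_SERVICES="88:Kerberos 464:Kerberos_Password_Management 139:NetBIOS_Session 445:SMB_CIFS"
TCP_SERVICES="$TCP_SERVICES 389:LDAP_TCP 636:LDAP_SSL 3268:LDAP_Global_Catalog 3269:LDAP_Global_Catalog_SSL"

# shape check for an IPv4 address or CIDR, so a typo never ends up in "-s"
valid_cidr() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# print one iptables command per service, restricted to source network "$1"
ad_dc_rules() {
  valid_cidr "$1" || { echo "bad network: $1" >&2; return 2; }
  for entry in $UDP_SERVICES; do
    label=$(printf '%s' "${entry#*:}" | tr '_' ' ')
    printf 'iptables -I INPUT -s %s -p udp -m udp --dport %s -m comment --comment "%s" -j ACCEPT\n' \
      "$1" "${entry%%:*}" "$label"
  done
  for entry in $TCP_SERVICES; do
    label=$(printf '%s' "${entry#*:}" | tr '_' ' ')
    printf 'iptables -I INPUT -s %s -p tcp -m state --state NEW -m tcp --dport %s -m comment --comment "%s" -j ACCEPT\n' \
      "$1" "${entry%%:*}" "$label"
  done
}

# number of rules that would be installed for network "$1"
ad_dc_rule_count() { ad_dc_rules "$1" | wc -l | tr -d ' '; }

if [ "${1:-}" = "apply" ]; then
  # needs root; stops at the first failing rule, then persists like the post does
  ad_dc_rules "$LAN" | sh -e && /etc/init.d/iptables save
else
  ad_dc_rules "$LAN"
fi
```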

We can also build an RPM of ntp from the spec file; here is one example of that:

# Install NTP 4.2.6p5 (needed for --enable-ntp-signd) by rebuilding the CentOS source RPM
yum -y remove ntp ntpdate
yum -y install libcap-devel openssl-devel libedit-devel wget
mkdir -p ~/install_files/ntp
cd ~/install_files/ntp
wget http://vault.centos.org/6.3/os/Source/SPackages/ntp-4.2.4p8-2.el6.centos.src.rpm
rpm -i ntp-4.2.4p8-2.el6.centos.src.rpm
cd ~/rpmbuild/SOURCES
wget http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-4.2.6p5.tar.gz
cd ~/rpmbuild/SPECS
cp ntp.spec ntp.spec.bak

# bump the version, add the signd configure option, drop the 4.2.4 patches and package sntp
sed -i 's/Version: 4.2.4p8/Version: 4.2.6p5/g' ntp.spec

sed -i 's/--enable-linuxcaps/--enable-linuxcaps --enable-ntp-signd/g' ntp.spec

sed -i 's/%patch/#%patch/g' ntp.spec

sed -i 's/%{_sbindir}\/tickadj/%{_sbindir}\/tickadj\n%{_sbindir}\/sntp/g' ntp.spec

rpmbuild -ba ntp.spec
cd ~/rpmbuild/RPMS/$(uname -p)/
rpm -i ntp-4.2.6p5-2.el6.$(uname -p).rpm ntpdate-4.2.6p5-2.el6.$(uname -p).rpm

Testing Connectivity to Your Samba AD DC

[root@desktop52 ~]# /usr/local/samba/bin/smbclient -L localhost -U%
Domain=[BIPINPATEL.COM] OS=[Unix] Server=[Samba 4.0.8]

Sharename       Type      Comment
---------       ----      -------
netlogon        Disk
sysvol          Disk
IPC$            IPC       IPC Service (Samba 4.0.8)
Domain=[BIPINPATEL.COM] OS=[Unix] Server=[Samba 4.0.8]

Server               Comment
---------            -------

Workgroup            Master
---------            -------
[root@desktop52 ~]#

[root@desktop52 ~]# /usr/local/samba/bin/smbclient //localhost/netlogon -U Administrator
Enter Administrator's password:
Domain=[BIPINPATEL.COM] OS=[Unix] Server=[Samba 4.0.8]
smb: \> ls
. D 0 Fri Aug 30 14:58:08 2013
.. D 0 Fri Aug 30 14:58:19 2013

57961 blocks of size 524288. 32285 blocks available
smb: \> quit
[root@desktop52 ~]#

Testing DNS
[root@desktop52 ~]# host -t SRV _ldap._tcp.desktop52.bipinpatel.com.
_ldap._tcp.desktop52.bipinpatel.com has SRV record 0 100 389 desktop52.desktop52.bipinpatel.com.

[root@desktop52 ~]# host -t SRV _kerberos._udp.desktop52.bipinpatel.com.
_kerberos._udp.desktop52.bipinpatel.com has SRV record 0 100 88 desktop52.desktop52.bipinpatel.com.
[root@desktop52 ~]#

[root@desktop52 ~]# host -t A desktop52.bipinpatel.com
desktop52.bipinpatel.com has address 192.168.0.52
[root@desktop52 ~]#
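An added script (not from the original post) that automates the SRV checks above and extends them to the other records a Windows client queries when locating a DC; REALM_DNS and DC_FQDN default to this page's values, and the lookup command is replaceable so the parser can be exercised without a live DC.

```shell
#!/bin/sh
# Added example (not from the original post): check that the SRV records a
# domain member uses to locate a DC all resolve to this DC with the expected
# port. _ldap._tcp and _kerberos._udp are the two queried above; the other
# three are also published by a Samba AD DC. REALM_DNS and DC_FQDN default to
# the post's values; SRV_LOOKUP can be replaced to exercise the parser offline.
REALM_DNS=${REALM_DNS:-desktop52.bipinpatel.com}
DC_FQDN=${DC_FQDN:-desktop52.desktop52.bipinpatel.com}
SRV_LOOKUP=${SRV_LOOKUP:-host -t SRV}

# service -> expected port
EXPECTED_SRV="_ldap._tcp:389 _kerberos._udp:88 _kerberos._tcp:88 _kpasswd._udp:464 _gc._tcp:3268"

# Parse one `host -t SRV` answer line such as
#   _ldap._tcp.example.com has SRV record 0 100 389 dc.example.com.
# and print "port target" (trailing dot stripped); prints nothing for an
# NXDOMAIN or other non-answer line.
parse_srv_answer() {
  printf '%s\n' "$1" | awk '/has SRV record/ { sub(/\.$/, "", $NF); print $(NF-1), $NF }'
}

# 0 if record "$1" (e.g. _ldap._tcp) points at DC_FQDN on port "$2"
srv_points_at_dc() {
  answer=$($SRV_LOOKUP "$1.$REALM_DNS." 2>/dev/null | head -n 1)
  set -- "$1" "$2" $(parse_srv_answer "$answer")
  [ "$3" = "$2" ] && [ "$4" = "${DC_FQDN%.}" ]
}

# check every expected record; the return value is the number of failures
check_dc_srv_records() {
  failures=0
  for entry in $EXPECTED_SRV; do
    svc=${entry%%:*}; port=${entry#*:}
    if srv_points_at_dc "$svc" "$port"; then
      echo "ok   $svc.$REALM_DNS -> $DC_FQDN port $port"
    else
      echo "FAIL $svc.$REALM_DNS: expected $DC_FQDN port $port"
      failures=$((failures + 1))
    fi
  done
  return $failures
}

# run the live check only when invoked as: sh dc-srv-check.sh check
if [ "${1:-}" = "check" ]; then
  check_dc_srv_records
fi
```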
Testing Kerberos
[root@desktop52 ~]#
[root@desktop52 ~]# kinit administrator@DESKTOP52.BIPINPATEL.COM
Password for administrator@DESKTOP52.BIPINPATEL.COM:
Warning: Your password will expire in 41 days on Fri Oct 11 14:58:17 2013
[root@desktop52 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@DESKTOP52.BIPINPATEL.COM

Valid starting Expires Service principal
08/30/13 16:04:30 08/31/13 02:04:30 krbtgt/DESKTOP52.BIPINPATEL.COM@DESKTOP52.BIPINPATEL.COM
renew until 08/31/13 16:04:27
[root@desktop52 ~]#
First join the Windows machine to the domain and make sure its primary DNS server is the Samba4 server's IP address.
The Windows 7 client should then sync its clock to the DC. On Windows 7 run:
C:> w32tm /resync /rediscover
This should report successful completion. If not, check:
C:> w32tm /query /configuration
The time provider type should be NT5DS. If it is not, try:
C:> w32tm /config /syncfromflags:domhier /update
C:> net stop w32time && net start w32time
When it is working, the command
C:> w32tm /monitor
will report on the time source of the DC.

Windows 7

Install the administration tools package from the link below, then enable the feature under Control Panel:

http://www.microsoft.com/downloads/details.aspx?FamilyID=7D2F6AD7-656B-4313-A005-4E344E43997D&displaylang=en

http://windows.microsoft.com/is-IS/windows7/Group-Policy-management-for-IT-pros

http://www.grouppolicy.biz/2010/03/how-to-download-and-install-the-group-policy-management-console-gpmc/

dsa.msc            Active Directory Users and Computers

gpmc.msc           Group Policy Management

gpupdate /force    force a Group Policy update

Windows XP

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=86b71a4f-4122-44af-be79-3f101e533d95

http://download.microsoft.com/download/3/e/4/3e438f5e-24ef-4637-abd1-981341d349c7/WindowsServer2003-KB892777-SupportTools-x86-ENU.exe

http://www.microsoft.com/downloads/details.aspx?FamilyId=0A6D4C24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en

  • The GPMC does not run on 64-bit versions of Microsoft Windows.

Download the .NET Framework 1.1, which the Group Policy tools need.

gpedit.msc         Local Group Policy Editor

gpupdate /force    force a Group Policy update

https://wiki.samba.org/index.php/Samba_4_OS_Requirements

https://wiki.samba.org/index.php/Samba4/samba-tool/domain/classicupgrade/HOWTO

http://www.golinuxhub.com/2012/08/create-roaming-profiles-in-samba4.html


About bpn4it

Feel Free in Linux. Bipin Patel, bpn4it@gmail.com, Ahmadabad, Gujarat, India.
This entry was posted in Bipin hands-on.
