
SAMBA 4 AD-DC on Centos

In this article you will learn to install and configure Samba 4 as an Active Directory Domain Controller (SAMBA 4 AD-DC) on a CentOS/RHEL server. I have successfully tested it on CentOS 6.

1. Log in as root over SSH and update your server:

# yum update

Change the hostname:

# vi /etc/sysconfig/network

HOSTNAME=centos-dc
Disable SELinux:

# vi /etc/sysconfig/selinux

SELINUX=disabled

# setenforce 0

The file change takes effect at the next reboot; ‘setenforce 0’ switches the running system to permissive mode immediately.

Install the build dependencies:

# yum install glibc glibc-devel gcc python* libacl-devel krb5-workstation krb5-libs pam_krb5

Query your RPM database to find any instances of older Samba packages:

# rpm -qa | grep samba

If there are any older Samba packages, remove them with YUM:

# yum remove samba-winbind-client samba-common samba-client

Download and compile Samba 4, either from Git (option A) or from a release tarball (option B).

Option A: Git download

# git clone git://git.samba.org/samba.git samba-master

Reboot the server as a precaution so that all packages or kernel updates will be applied:

# shutdown -r now

Log in again as root and then build Samba:

# cd samba-master
# ./configure --enable-debug --enable-selftest
# make && make install

Option B: source code download

# wget http://ftp.samba.org/pub/samba/samba-latest.tar.gz
# tar -xzvf samba-4.0.0.tar.gz
# cd samba-4.0.0/
# ./configure --enable-selftest
# make && make install

The tarball behind ‘samba-latest.tar.gz’ carries the actual version number in its file name and directory; the example shows 4.0.0, so adjust the tar and cd commands to the version you downloaded.

Provisioning a new domain:

# /usr/local/samba/bin/samba-tool domain provision --realm=linuxpcfix.net --domain=LINUXPCFIX --adminpass 'P@ssw0rd' --server-role=dc --dns-backend=SAMBA_INTERNAL

OR

# /usr/local/samba/bin/samba-tool domain provision

The ‘domain provision’ tool should pick defaults for you automatically. Change to your configurations if necessary:

Realm [LINUXPCFIX.COM]: (press Enter)
Domain [LINUXPCFIX]: (press Enter)
Server Role (dc, member, standalone) [dc]: (press Enter)
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: (press Enter)
DNS forwarder IP address (write ‘none’ to disable forwarding) [192.168.0.1]: 208.67.222.222
Administrator password: <your_secret_admin_password>
Retype password:

If provisioning succeeded, the output should end similarly to this:

Creating CN=MicrosoftDNS,CN=System,DC=linuxpcfix,DC=com
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role: active directory domain controller
Hostname: centos-dc
NetBIOS Domain: LINUXPCFIX
DNS Domain: LINUXPCFIX.COM
DOMAIN SID: S-1-5-21-2081349998-2553416643-1860129950

Start Samba 4
Start the samba daemon:

#/usr/local/samba/sbin/samba

If you would like Samba to start at boot, append the following line to your ‘/etc/rc.d/rc.local’ file (without the leading ‘#’ shell prompt, which would turn the line into a comment):

/usr/local/samba/sbin/samba

Verifying Samba as an Active Directory DC:

# /usr/local/samba/sbin/samba -V
Version 4.1.0pre1-GIT-c1fb37d

Verify you are running the matching samba-client version:

# /usr/local/samba/bin/smbclient --version
Version 4.1.0pre1-GIT-c1fb37d

Now run this command to list the shares on your Samba4 server:

# /usr/local/samba/bin/smbclient -L localhost -U%

Configure DNS
Here is an example of my current ‘/usr/local/samba/etc/smb.conf’ file:

# cat /usr/local/samba/etc/smb.conf
# Global parameters
[global]
workgroup = MYDOMAIN
realm = LINUXPCFIX.COM
netbios name = LINUXPCFIX
server role = active directory domain controller
dns forwarder = 208.67.222.222
[netlogon]
path = /usr/local/samba/var/locks/sysvol/linuxpcfix.com/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

Edit resolv.conf:

nameserver 127.0.0.1
domain linuxpcfix.com

Testing DNS
Make sure that Samba is running, then test that DNS is working properly. Run the following commands and compare the output to what is shown:

# host -t SRV _ldap._tcp.LINUXPCFIX.COM.
_ldap._tcp.LINUXPCFIX.COM has SRV record 0 100 389 LINUXPCFIX.COM.

# host -t SRV _kerberos._udp.LINUXPCFIX.COM.
_kerberos._udp.LINUXPCFIX.COM has SRV record 0 100 88 LINUXPCFIX.COM.

# host -t A LINUXPCFIX.COM.
LINUXPCFIX.COM has address 192.168.0.2


Edit the Kerberos client configuration:

# cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf
# vi /etc/krb5.conf
# cat /etc/krb5.conf
[libdefaults]
default_realm = LINUXPCFIX.COM
dns_lookup_realm = false
dns_lookup_kdc = true

The file under share/setup is a template, so set default_realm to your realm when editing it; provisioning also writes a copy already filled in for your domain at /usr/local/samba/private/krb5.conf (the path printed at the end of the provision step).

Testing Kerberos

# kinit administrator@LINUXPCFIX.COM
Password for administrator@LINUXPCFIX.COM:

NOTE: You must specify your domain realm LINUXPCFIX.COM in upper case.
‘kinit’ prints nothing on success. To verify that Kerberos is working and that you received a ticket, run the following:

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@LINUXPCFIX.COM

Valid starting       Expires              Service principal
12/23/12 15:39:28    09/24/13 02:49:20    krbtgt/LINUXPCFIX.COM@LINUXPCFIX.COM
        renew until 09/24/13 14:49:20

NTP (Network Time Protocol)
Make sure that ‘ntpd’ is installed and running. If ‘ntpd’ is not installed you can install it with YUM:

# yum install ntp

Start ntpd:

# /etc/init.d/ntpd start

Also use the ‘chkconfig’ command to have ntpd start at boot:

# chkconfig ntpd on

NOTE: Kerberos depends on accurate time and rejects requests when the client and server clocks drift apart. Make sure ntpd is running on the Samba server.
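As an added example (not part of the original article and not Samba project code), the following script turns the DNS, Kerberos-realm and NTP checks of the preceding sections into functions you can rerun after every change: it parses ‘host -t SRV’ output for the LDAP and Kerberos ports, compares the realm in smb.conf with default_realm in krb5.conf and insists on upper case, and reads the system-peer offset from ‘ntpq -p’, failing when it exceeds the 5-minute clock-skew limit that Kerberos applies by default. The sample outputs, the centos-dc.linuxpcfix.com SRV target and the ntp1.example.com peer are constructed for the demo, not captured from a real server.

```shell
#!/bin/bash
# Post-provision sanity checks for a Samba 4 AD DC (added example, not
# from the original article or from the Samba project). Each check is a
# function that takes the command output or file to inspect, so the
# checks also run offline against the constructed samples below.

# Print the port from one `host -t SRV` answer line. Field order after
# "has SRV record" is: priority weight port target.
srv_port() {
    printf '%s\n' "$1" | awk '/has SRV record/ { print $7; exit }'
}

# Verify that an SRV answer advertises the expected port (389 for
# _ldap._tcp, 88 for _kerberos._udp). Returns 0 on match, 1 otherwise.
check_srv() {
    local line="$1" want="$2" port
    port=$(srv_port "$line")
    if [ "$port" = "$want" ]; then
        echo "ok: SRV port $port"
        return 0
    fi
    echo "MISMATCH: SRV port '${port:-none}', expected $want"
    return 1
}

# Read "key = value" from an ini-style file (smb.conf, krb5.conf);
# surrounding spaces and tabs are stripped, the first match wins.
ini_value() {
    awk -F= -v key="$2" '
        { k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k) }
        k == key { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }
    ' "$1"
}

# Kerberos realms are case-sensitive: default_realm in krb5.conf must
# equal the realm in smb.conf and be written in upper case, as the
# kinit step in the article requires.
check_realm() {
    local smb krb upper
    smb=$(ini_value "$1" realm)
    krb=$(ini_value "$2" default_realm)
    upper=$(printf '%s' "$krb" | tr '[:lower:]' '[:upper:]')
    if [ -n "$krb" ] && [ "$smb" = "$krb" ] && [ "$krb" = "$upper" ]; then
        echo "ok: realm $krb"
        return 0
    fi
    echo "REALM MISMATCH: smb.conf='$smb' krb5.conf='$krb'"
    return 1
}

# Kerberos rejects requests whose clocks differ by more than the
# clockskew limit (5 minutes = 300000 ms by default). Take the offset
# column (milliseconds) of the system-peer line ('*' prefix) in
# `ntpq -p` output and fail if its magnitude exceeds the limit, or if
# ntpd has not selected a system peer at all.
check_ntp_offset() {
    local out="$1" limit="${2:-300000}" off
    off=$(printf '%s\n' "$out" | awk '$1 ~ /^\*/ { o = $9; if (o < 0) o = -o; print o; exit }')
    if [ -z "$off" ]; then
        echo "NO SYSTEM PEER: ntpd is not synchronised yet"
        return 1
    fi
    if awk -v o="$off" -v l="$limit" 'BEGIN { exit !(o <= l) }'; then
        echo "ok: clock offset ${off} ms (limit ${limit} ms)"
        return 0
    fi
    echo "SKEW: clock offset ${off} ms exceeds ${limit} ms"
    return 1
}

# Constructed sample outputs (not captured from a real server).
SRV_LDAP='_ldap._tcp.LINUXPCFIX.COM has SRV record 0 100 389 centos-dc.linuxpcfix.com.'
SRV_KRB='_kerberos._udp.LINUXPCFIX.COM has SRV record 0 100 88 centos-dc.linuxpcfix.com.'
NTPQ_OUT='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp1.example.com 10.0.0.1         2 u   32   64  377    1.234   -0.512   0.100'

# Run every check against the samples plus two temporary config files.
run_demo() {
    local dir status=0
    dir=$(mktemp -d)
    printf '[global]\n\trealm = LINUXPCFIX.COM\n' > "$dir/smb.conf"
    printf '[libdefaults]\n\tdefault_realm = LINUXPCFIX.COM\n' > "$dir/krb5.conf"
    check_srv "$SRV_LDAP" 389 || status=1
    check_srv "$SRV_KRB" 88 || status=1
    check_realm "$dir/smb.conf" "$dir/krb5.conf" || status=1
    check_ntp_offset "$NTPQ_OUT" || status=1
    rm -rf "$dir"
    return $status
}

run_demo
```

On a live DC, feed the real outputs instead of the samples: check_srv "$(host -t SRV _ldap._tcp.LINUXPCFIX.COM.)" 389, check_realm /usr/local/samba/etc/smb.conf /etc/krb5.conf and check_ntp_offset "$(ntpq -p)". A non-zero exit from any check points at the section above that needs another look before you attempt the Windows join.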

Setup Windows Client to Join Domain
The following describes how to add a Windows 7 client to the SAMBA 4 AD-DC; other versions of Windows follow the same principle.
Configure your network device as follows:

[screenshot: ip_settings]

Click ‘OK’ to save the changes.
Now open a command prompt in Windows and ping the Samba DC:

ping 192.168.0.2

Verify that DNS is working correctly by pinging the FQDN:

ping samba.mydomain.com

If you get replies from both, this is a good sign and your Samba DC should be functional. You may need to reboot Windows for the network settings to take effect.

Setup Windows 7 Client to the Domain
1. Right-click the ‘My Computer’ icon and choose ‘Properties’.
2. In the left-hand pane click ‘Advanced system settings’.
3. Choose the ‘Computer Name’ tab and click ‘Change…’.
4. Select the ‘Domain’ option and enter LINUXPCFIX.COM. If this fails, try MYDOMAIN.

[screenshot: win_domain_config]

5. When prompted for a username and password, type ‘Administrator’ as the username and enter your password (the password you used when you ran the ‘samba-tool domain provision’ command).
6. You should get a message box stating ‘Welcome to the LINUXPCFIX.COM domain’.
7. Click OK on this message box and on the Properties window; you will then be instructed to restart your computer.
8. After restarting you should be presented with the normal login dialog. Click the ‘Switch User’ button.
9. Choose ‘Other user’ and then enter the following:

[screenshot: win7_domain_login]

Press ‘Enter’ or the arrow button.
10. You should then be authenticated and logged in to Windows.

About

I am the founder and webmaster of www.linuxpcfix.com and work as a Sr. Linux Administrator (expertise in Linux/Unix and cloud servers); I have been in the industry for the last 7 years.

One thought on “SAMBA 4 AD-DC on Centos”

  1. Hello,
    I have already done these steps successfully, but I am unable to log in on the Domain Controller as a domain user (administrator). Now I can only log in as a local user, but I need to log in as a domain user. Is it possible or not?
    If possible, then how?
