Building a Samba4 Active Directory Domain
In this article I will outline the configuration of a small Active Directory using Samba4. The Ubuntu version involved is 12.04. I assume that you have modest knowledge of how to configure Ubuntu on the command line, i.e. I will not explain every single step in detail.
Network parameters we will use are:
Network name: demo.local
IP range: 192.168.99.0/24
Base System and Samba4
Step 1: Install an Ubuntu 12.04 system
Step 2: Configure the network to use a static address. Edit /etc/network/interfaces:
auto lo eth0
iface lo inet loopback
iface eth0 inet static
address 192.168.99.200
netmask 255.255.255.0
gateway 192.168.99.254
dns-nameservers 192.168.99.200 192.168.99.254
dns-search demo.local
Step 3: Add the basic host entries to resolve without DNS
Edit /etc/hosts and insert:
127.0.0.1 localhost
192.168.99.200 vupapsam401 vupapsam401.demo.local
Step 4: Install the Samba4 packages
apt-get install samba4
The installation will throw out an error and apt will set the package to half-installed. As the error isn't relevant to us, we have to fix the package by manually setting it to installed:
1. Edit /var/lib/dpkg/status and search for "Package: samba4"
2. Replace "half-configured" with "installed"
Now we are going to build the Active Directory domain:
rm /etc/samba/smb.conf
/usr/share/samba/setup/provision --realm=demo.local --domain=DEMO --adminpass='Test123' --serv
This will set up all the stuff needed for running a domain (LDAP, Kerberos, ...)
Next step is to start Samba:
initctl start samba4
Step 5: Testing out our installation
apt-get install samba4-clients
smbclient -L localhost -U%
The last command should display the currently defined and served shares on the server. It should look something like:
Sharename  Type  Comment
netlogon   Disk
sysvol     Disk
IPC$       IPC   IPC Service
Bind Name Server
We also need a naming service in our network to resolve hosts and services. Active Directory uses DNS to discover a huge number of services, so here we go:
Step 1: Install Bind
apt-get install bind9
Step 2: Configure Bind
Now you need to edit the Bind configuration file to include the necessary configuration for Samba. Active Directory relies heavily on special DNS entries to find various services on the network.
Edit /etc/bind/named.conf and append the following line at the end:
include "/var/lib/samba/private/named.conf";
Step 3: Adapt the AppArmor configuration
As Ubuntu is securing its services using AppArmor, we need to make sure that Bind has the rights to access the files provided by Samba.
Edit /etc/apparmor.d/usr.sbin.named and append the following entries:
/var/lib/samba/private/** rkw,
/var/lib/samba/private/dns/** rkw,
/usr/lib/x86_64-linux-gnu/samba/bind9/** rm,
/usr/lib/x86_64-linux-gnu/samba/gensec/** rm,
/usr/lib/x86_64-linux-gnu/ldb/modules/ldb/** rm,
/usr/lib/x86_64-linux-gnu/samba/ldb/** rm,
Now reload the configuration to take effect:
/etc/init.d/apparmor reload
Step 4: Start and test Bind
Run the following command to start Bind:
/etc/init.d/bind9 start
To make sure that everything worked as expected, run the following commands and watch their output. Each command should return a result:
host -t SRV _ldap._tcp.demo.local.
host -t SRV _kerberos._tcp.demo.local.
host -t A vupapsam401.demo.local.
The output should look something like:
_ldap._tcp.biomerx.local has SRV record 0 100 389 vupapsam401.demo.local.
_kerberos._tcp.biomerx.local has SRV record 0 100 88 vupapsam401.demo.local.
vupapsam401.biomerx.local has address 192.168.99.200
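As an added example (not code from the article), a small POSIX shell script that performs the three checks above programmatically: it parses the output of the same host commands, verifies that each SRV record belongs to the realm and points at the DC on the expected port (389 for LDAP, 88 for Kerberos), and that the A record resolves to the DC's address. The hostname, realm and IP are the article's demo values, and the sample output lines embedded for the offline self-test are constructed.

```shell
#!/bin/sh
# Added example (not from the original article): check the DNS records an AD
# client needs to locate the DC, i.e. the three queries the article runs by hand.
# Names and IP are the article's demo values (Step 2 and Step 3 of the base setup).
REALM="demo.local"; DC_FQDN="vupapsam401.demo.local"; DC_IP="192.168.99.200"

# verify_srv_line LINE SERVICE PORT: LINE is one `host -t SRV` output line such as
#   _ldap._tcp.demo.local has SRV record 0 100 389 vupapsam401.demo.local.
# Succeeds only if the record is for our realm and points at our DC on PORT.
verify_srv_line() {
    case "$1" in "_$2._tcp.$REALM has SRV record "*) ;; *) return 1 ;; esac
    port="$3"
    set -- $1          # fields: name has SRV record prio weight port target
    [ "$7" = "$port" ] && [ "${8%.}" = "$DC_FQDN" ]
}

# verify_a_line LINE: LINE is `host -t A` output; it must map our DC to DC_IP.
verify_a_line() {
    set -- $1          # fields: name has address ip
    [ $# -eq 4 ] && [ "${1%.}" = "$DC_FQDN" ] && [ "$2 $3" = "has address" ] &&
        [ "$4" = "$DC_IP" ]
}

# check_live: run the real queries (the host tool from bind9-host) against the
# local resolver and print one line per record; returns 1 if anything is missing.
check_live() {
    rc=0
    for spec in ldap:389 kerberos:88; do
        svc="${spec%:*}"
        out="$(host -t SRV "_${svc}._tcp.${REALM}." 2>/dev/null | grep 'has SRV record' || true)"
        if verify_srv_line "$out" "$svc" "${spec#*:}"; then echo "ok   SRV _${svc}._tcp.${REALM}"
        else echo "FAIL SRV _${svc}._tcp.${REALM}: ${out:-no answer}"; rc=1; fi
    done
    out="$(host -t A "${DC_FQDN}." 2>/dev/null | grep 'has address' || true)"
    if verify_a_line "$out"; then echo "ok   A   ${DC_FQDN}"
    else echo "FAIL A   ${DC_FQDN}: ${out:-no answer}"; rc=1; fi
    return $rc
}

# Constructed sample lines (what the article's commands print on success) for an
# offline self-test; run with --live on the DC to query the real resolver.
SAMPLE_LDAP="_ldap._tcp.demo.local has SRV record 0 100 389 vupapsam401.demo.local."
SAMPLE_KRB="_kerberos._tcp.demo.local has SRV record 0 100 88 vupapsam401.demo.local."
SAMPLE_A="vupapsam401.demo.local has address 192.168.99.200"
if [ "${1:-}" = "--live" ]; then check_live
else verify_srv_line "$SAMPLE_LDAP" ldap 389 && verify_srv_line "$SAMPLE_KRB" kerberos 88 &&
     verify_a_line "$SAMPLE_A" && echo "self-test ok"; fi
```

With several DCs the host command prints one SRV line per DC; the check only inspects the first, which is enough for this single-DC setup.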
Step 5: Allow dynamic DNS updates
We want our clients to be able to update their DNS entries automatically. Edit /etc/bind/named.conf and append the following line:
tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
Step 6: Configure Bind as a forwarder
If you have another DNS server (like a SOHO router) on your network which provides DNS service to resolve external names (like www.google.com), you'll need to configure Bind to use this DNS to resolve entries.
First we need to disable IPv6 in Bind by editing /etc/default/bind9 and appending:
OPTIONS="-4 -u bind"
Now modify /etc/bind/named.conf to include the following directives in the options section:
allow-query { any; };
allow-recursion { any; };
forwarders { 192.168.99.254; };
dnssec-validation no;
Kerberos
Step 1: Install the Kerberos utilities
apt-get install krb5-user
When asked for the default realm, enter demo.local and vupapsam401 as the host. Test whether Kerberos works by executing:
kinit administrator@DEMO.LOCAL
The domain name needs to be written in UPPERCASE letters. If the command succeeds, run the following command to check whether we have gotten a Kerberos ticket:
klist -e
Network Time Protocol
As Samba provides the correct time to its domain members, we want to make sure that our host has the correct time. We do so by installing and configuring NTP to retrieve the time from internet time servers.
Step 1: Install NTP
apt-get install ntp
Step 2: Configure NTP
Edit /etc/ntp.conf and replace the server line with the NTP time server of your choice. I used my border gateway as it provides NTP:
server vupapgate01.demo.local
Now do an initial time setup:
service ntp stop
ntpdate -B vupapgate01.demo.local
service ntp start
Check whether everything works with:
ntpq -p
Other configuration items and Troubleshooting
ACL Support
To make sure that your operating system can support access control lists (Samba uses them for storing Windows permissions), do the following:
apt-get install attr
Test whether your filesystem supports ACLs (most should):
touch test.txt
setfattr -n user.test -v test test.txt
setfattr -n security.test -v test2 test.txt
getfattr -d test.txt
getfattr -n security.test -d test.txt
DNS server delivery via DHCP
You want to make sure that your DHCP server sets your Samba server as the one and only DNS server for your clients.
Joining the domain
Make sure that you use uppercase letters, like DEMO.LOCAL, as the domain name.
Testing the AD
Run dsa.msc on your Windows client (after you installed the Windows Remote Server Administration Tools).
If something did not work as expected (domain not available), make sure that your DNS resolution works smoothly.
Creating shares
To create shares you need to perform the following actions:
mkdir /data/global
chmod 777 /data/global
Then add an entry to /etc/samba/smb.conf:
[global]
comment = Global share for all users
path = /data/global
read only = No
Restart Samba:
initctl restart samba4
Adding users
When adding new users, set their home directory to
\\vupapsam401\users\
The directory will be created automatically.
Adding new DNS entries
Use the DNS snap-in in the Management Console.
Error while copying
If you copy files from a Windows system to Samba and get something like "Not enough memory", this could be because of NTFS streams within the files (hidden metadata). You can remove them with the tool streams, available at:
http://technet.microsoft.com/de-de/sysinternals/bb897440
and executing the following command:
streams -s -d C:\data
Permission problems
If you have problems with access to files created by different users (even if the permissions look correct), append the following in /etc/samba/smb.conf (in the share section):
directory mask = 0777
create mask = 0777
and restart Samba:
service samba4 restart