[Linux] Installation Samba4 - PDC - iZero

Installation de Samba4 en tant que contrôleur de domaine sur Centos

Version de l’OS: 6.8
Version de Samba4: 4.5.0

pré-requis

Voir l’article Préparation d’une machine Centos 6.x

1.Installation

Installer les paquets nécessaire

<span style="color: #000000;">$ sudo yum -y install make wget openssl-devel krb5-server krb5-libs bind bind-libs gcc libacl-devel libblkid-devel gnutls-devel readline-devel python-devel gdb pkgconfig krb5-workstation zlib-devel setroubleshoot-server libaio-devel setroubleshoot-plugins policycoreutils-python libsemanage-python setools-libs-python setools-libs popt-devel libpcap-devel sqlite-devel libidn-devel libxml2-devel libacl-devel libsepol-devel libattr-devel keyutils-libs-devel cyrus-sasl-devel cups-devel bind-utils e2fsprogs-devel gcc-c++ pam-devel ctdb-devel openldap-devel libsmbclient   setools-libs-python setools-libs</span>

$ sudo yum -y install make wget openssl-devel krb5-server krb5-libs bind bind-libs gcc libacl-devel libblkid-devel gnutls-devel readline-devel python-devel gdb pkgconfig krb5-workstation zlib-devel setroubleshoot-server libaio-devel setroubleshoot-plugins policycoreutils-python libsemanage-python setools-libs-python setools-libs popt-devel libpcap-devel sqlite-devel libidn-devel libxml2-devel libacl-devel libsepol-devel libattr-devel keyutils-libs-devel cyrus-sasl-devel cups-devel bind-utils e2fsprogs-devel gcc-c++ pam-devel ctdb-devel openldap-devel libsmbclient setools-libs-python setools-libs

Télécharger la source de samba. version actuelle de test 4.5.0

$ sudo wget http://ftp.samba.org/pub/samba/samba-latest.tar.gz

1	$ sudo wget http://ftp.samba.org/pub/samba/samba-latest.tar.gz

Dé-zipper la source, faire un test et compiler

$ sudo tar zxvf samba-latest.tar.gz

1	$ sudo tar zxvf samba-latest.tar.gz

$ cd samba-4.5.0
$ sudo ./configure

1 2	$ cd samba-4.5.0 $ sudo ./configure

Si pas d’erreur, compiler

$ sudo make && make install

1	$ sudo make && make install

samba1

2.Configuration

/!\ avant tout supprimer /usr/local/samba/etc/smb.conf si présent avant de lancer samba-tool

Lancer le approvisionnement (équivalent dcpromo sous Windows)

$ sudo /usr/local/samba/bin/samba-tool domain provision

1	$ sudo /usr/local/samba/bin/samba-tool domain provision

Realm [DOMAIN.LOCAL]: <span style="color: #000080;"><span style="color: #ff0000;"><-- press Enter sauf si non différent</span></span>
Domain [DOMAIN]: <span style="color: #000080;"><span style="color: #ff0000;"><-- press Enter sauf si non différent</span></span>
Server Role (dc, member, standalone) [dc]: <span style="color: #000080;"><span style="color: #ff0000;"><-- press Enter sauf si type d'installation différent</span></span>
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: <span style="color: #000080;"><span style="color: #ff0000;"><-- press Enter sauf si type d'installation différent</span></span>
DNS forwarder IP address (write 'none' to disable forwarding) [192.168.3.101]: <span style="color: #000080;"><span style="color: #ff0000;"><-- press Enter sauf si forwarder différent</span></span>
Administrator password: <span style="color: #000080;"><span style="color: #ff0000;"><-- taper mot de passe avec complexité obligatoire</span></span>
Retype password: <<span style="color: #000080;"><span style="color: #ff0000;">-- retaper</span></span>

Realm [DOMAIN.LOCAL]: <-- press Enter sauf si non différent

Domain [DOMAIN]: <-- press Enter sauf si non différent

Server Role (dc, member, standalone) [dc]: <-- press Enter sauf si type d'installation différent

DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: <-- press Enter sauf si type d'installation différent

DNS forwarder IP address (write 'none' to disable forwarding) [192.168.3.101]: <-- press Enter sauf si forwarder différent

Administrator password: <-- taper mot de passe avec complexité obligatoire

Retype password: <-- retaper

samba2

Puis redemarrer le serveur

$ sudo reboot

1	$ sudo reboot

Démarrer Samba

/!\ les services smb, nmb ou winbind ne doivent pas être démarrés

$ sudo /usr/local/samba/sbin/samba

1	$ sudo /usr/local/samba/sbin/samba

Vérifier le fichier resolv.conf, il doit ressembler a ceci

$ sudo vim /etc/resolv.conf

1	$ sudo vim /etc/resolv.conf

domain domain.local
search domain.local
nameserver 192.168.3.101

domain domain.local

search domain.local

nameserver 192.168.3.101

Configurer Kerberos, créez un lien symbolique

$ sudo ln -sf /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf

1	$ sudo ln -sf /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf

Éditez le fichier /etc/krb5.conf et remplacez $(REALM) par DOMAIN.LOCAL (en majuscule)

1	Éditez le fichier /etc/krb5.conf et remplacez $(REALM) par DOMAIN.LOCAL (en majuscule)

samba3

Redémarrer le serveur, puis une fois démarrer le service samba

$ sudo reboot

1	$ sudo reboot

$ sudo /usr/local/samba/sbin/samba

1	$ sudo /usr/local/samba/sbin/samba

/!\ avant de faire les tests, il faut renseigner la zone direct du serveur DNS

$ sudo vim /var/named/nomdelazone

1	$ sudo vim /var/named/nomdelazone

_ldap._tcp.domain.local.                                    IN SRV  10 0 389        nomduserveursamba
_kerberos._udp.domain.local.                                IN SRV  10 0 389        nomduserveursamba
gc._msdcs                                               IN CNAME                nomduserveursamba
27f515e4-f5af-4396-bc93-130013076ab7._msdcs             IN CNAME                nomduserveursamba

_gc._tcp                                                IN SRV 0 100 3268       nomduserveursamba
_gc._tcp.Default-First-Site-Name._sites                 IN SRV 0 100 3268       nomduserveursamba
_ldap._tcp.gc._msdcs                                    IN SRV 0 100 389        nomduserveursamba
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs     IN SRV 0 100 389        nomduserveursamba

_ldap._tcp                                              IN SRV 0 100 389        nomduserveursamba
_ldap._tcp.dc._msdcs                                    IN SRV 0 100 389        nomduserveursamba
_ldap._tcp.pdc._msdcs                                   IN SRV 0 100 389        nomduserveursamba
_ldap._tcp.b168ccf1-d862-4146-8cea-0021f3c88feb         IN SRV 0 100 389        nomduserveursamba
_ldap._tcp.b168ccf1-d862-4146-8cea-0021f3c88feb.domains._msdcs          IN SRV 0 100 389 nomduserveursamba
_ldap._tcp.Default-First-Site-Name._sites               IN SRV 0 100 389         nomduserveursamba
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs     IN SRV 0 100 389        nomduserveursamba

_kerberos._tcp                                          IN SRV 0 100 88         nomduserveursamba
_kerberos._tcp.dc._msdcs                                IN SRV 0 100 88         nomduserveursamba
_kerberos._tcp.Default-First-Site-Name._sites           IN SRV 0 100 88         nomduserveursamba
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs IN SRV 0 100 88         nomduserveursamba
_kerberos._udp                                          IN SRV 0 100 88         nomduserveursamba

_kerberos-master._tcp                                   IN SRV 0 100 88         nomduserveursamba
_kerberos-master._udp                                   IN SRV 0 100 88         nomduserveursamba

_kpasswd._tcp                                           IN SRV 0 100 464        nomduserveursamba
_kpasswd._udp                                           IN SRV 0 100 464        nomduserveursamba
_kerberos                                               IN TXT  samba1

_ldap._tcp.domain.local. IN SRV 10 0 389 nomduserveursamba

_kerberos._udp.domain.local. IN SRV 10 0 389 nomduserveursamba

gc._msdcs IN CNAME nomduserveursamba

27f515e4-f5af-4396-bc93-130013076ab7._msdcs IN CNAME nomduserveursamba

_gc._tcp IN SRV 0 100 3268 nomduserveursamba

_gc._tcp.Default-First-Site-Name._sites IN SRV 0 100 3268 nomduserveursamba

_ldap._tcp.gc._msdcs IN SRV 0 100 389 nomduserveursamba

_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs IN SRV 0 100 389 nomduserveursamba

_ldap._tcp IN SRV 0 100 389 nomduserveursamba

_ldap._tcp.dc._msdcs IN SRV 0 100 389 nomduserveursamba

_ldap._tcp.pdc._msdcs IN SRV 0 100 389 nomduserveursamba

_ldap._tcp.b168ccf1-d862-4146-8cea-0021f3c88feb IN SRV 0 100 389 nomduserveursamba

_ldap._tcp.b168ccf1-d862-4146-8cea-0021f3c88feb.domains._msdcs IN SRV 0 100 389 nomduserveursamba

_ldap._tcp.Default-First-Site-Name._sites IN SRV 0 100 389 nomduserveursamba

_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs IN SRV 0 100 389 nomduserveursamba

_kerberos._tcp IN SRV 0 100 88 nomduserveursamba

_kerberos._tcp.dc._msdcs IN SRV 0 100 88 nomduserveursamba

_kerberos._tcp.Default-First-Site-Name._sites IN SRV 0 100 88 nomduserveursamba

_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs IN SRV 0 100 88 nomduserveursamba

_kerberos._udp IN SRV 0 100 88 nomduserveursamba

_kerberos-master._tcp IN SRV 0 100 88 nomduserveursamba

_kerberos-master._udp IN SRV 0 100 88 nomduserveursamba

_kpasswd._tcp IN SRV 0 100 464 nomduserveursamba

_kpasswd._udp IN SRV 0 100 464 nomduserveursamba

_kerberos IN TXT samba1

samba4

test1

$ host -t SRV _ldap._tcp.domain.local

1	$ host -t SRV _ldap._tcp.domain.local

renvoi
_ldap._tcp.domain.local has SRV record 10 0 389 nomduserveursamba.domain.local.
_ldap._tcp.domain.local has SRV record 0 100 389 nomduserveursamba.domain.local.

test2

$ host -t SRV _kerberos._udp.domain.local

1	$ host -t SRV _kerberos._udp.domain.local

renvoi
_kerberos._udp.domain.local has SRV record 0 100 88 nomduserveursamba.domain.local.
_kerberos._udp.domain.local has SRV record 10 0 389 nomduserveursamba.domain.local.

test3

$ host -t A nomduserveursamba.domain.local

1	$ host -t A nomduserveursamba.domain.local

renvoi
nomduserveursamba.domain.local has address 192.168.3.101

Puis test de connexion Kerberos

$ sudo kinit administrator@DOMAIN.LOCAL (majuscule)
$ sudo klist -e

1 2	$ sudo kinit administrator@DOMAIN.LOCAL (majuscule) $ sudo klist -e

Si il retourne une erreur de type kinit: Generic preauthentication failure while getting initial credentials, recréer le mot de passe

$ sudo /usr/local/samba/bin/samba-tool user setpassword Administrator

1	$ sudo /usr/local/samba/bin/samba-tool user setpassword Administrator

3.Synchroniser avec un serveur de temps
remplacer les serveurs par les Fr

$ sudo vim vim /etc/ntp.conf

1	$ sudo vim vim /etc/ntp.conf

server 0.fr.pool.ntp.org iburst dynamic
server 1.fr.pool.ntp.org iburst dynamic
server 2.fr.pool.ntp.org iburst dynamic
server 3.fr.pool.ntp.org iburst dynamic

server 0.fr.pool.ntp.org iburst dynamic

server 1.fr.pool.ntp.org iburst dynamic

server 2.fr.pool.ntp.org iburst dynamic

server 3.fr.pool.ntp.org iburst dynamic

Puis démarrer le serveur ntp et le rendre auto

$ sudo /etc/init.d/ntpd start
$ sudo chkconfig ntpd on

1 2	$ sudo /etc/init.d/ntpd start $ sudo chkconfig ntpd on

4.Test et création utilisateurs

Créer la zone de recherche inversée

$ sudo /usr/local/samba/bin/samba-tool dns zonecreate nomduserveursamba3.168.192.in-addr.arpa

1	$ sudo /usr/local/samba/bin/samba-tool dns zonecreate nomduserveursamba3.168.192.in-addr.arpa

Vérifier le niveau de version du contrôleur (sous samba 4.1.1 il apparaissait en 2003)

$ sudo /usr/local/samba/bin/samba-tool domain level show

1	$ sudo /usr/local/samba/bin/samba-tool domain level show

Domain and forest function level for domain 'DC=domain,DC=local'
Forest function level: (Windows) 2008 R2
Domain function level: (Windows) 2008 R2
Lowest function level of a DC: (Windows) 2008 R2

Domain and forest function level for domain 'DC=domain,DC=local'

Forest function level: (Windows) 2008 R2

Domain function level: (Windows) 2008 R2

Lowest function level of a DC: (Windows) 2008 R2

Désactiver le changement de mot de passe du compte administrator (tousles 42j sinon)

$ sudo /usr/local/samba/bin/samba-tool user setexpiry administrator --noexpiry

1	$ sudo /usr/local/samba/bin/samba-tool user setexpiry administrator --noexpiry

samba5

Création utilisateur en ligne de commande

<del>$ sudo /usr/local/samba/bin/samba-tool user add utilisateur1</del> (<span style="color: #ff0000;">user add deprecated</span>)
$ sudo /usr/local/samba/bin/samba-tool user create

1 2	<del>$ sudo /usr/local/samba/bin/samba-tool user add utilisateur1</del> (<span style="color: #ff0000;">user add deprecated</span>) $ sudo /usr/local/samba/bin/samba-tool user create

Puis modifier le mdp, celui ci doit respecter les exigences de complexiés de Windows 2008

samba6

5.Administration depuis Windows
Via un poste Windows Seven avec le compte administrator, télécharger les outils RSAT
http://www.microsoft.com/fr-fr/download/details.aspx?id=7887

Installation par défaut, ensuite activation dans ajout/suppression de programmes dans le panneau de configuration

samba7

samba8

samba9

samba10

samba11

samba12

samba13

samba14

samba15

samba16

samba17

samba18

samba19

samba20

samba21

6.Création d’un script pour d’init pour le démarrage automatique de Samba

$ sudo vim /usr/local/samba/sbin/samba

1	$ sudo vim /usr/local/samba/sbin/samba

#!/bin/bash
#
# samba4        This shell script takes care of starting and stopping
#               samba4 daemons.
#
# chkconfig: - 58 74
# description: Samba 4.0 will be the next version of the Samba suite
# and incorporates all the technology found in both the Samba4 alpha
# series and the stable 3.x series. The primary additional features
# over Samba 3.6 are support for the Active Directory logon protocols
# used by Windows 2000 and above.

### BEGIN INIT INFO
# Provides: samba4
# Required-Start: $network $local_fs $remote_fs
# Required-Stop: $network $local_fs $remote_fs
# Should-Start: $syslog $named
# Should-Stop: $syslog $named
# Short-Description: start and stop samba4
# Description: Samba 4.0 will be the next version of the Samba suite
# and incorporates all the technology found in both the Samba4 alpha
# series and the stable 3.x series. The primary additional features
# over Samba 3.6 are support for the Active Directory logon protocols
# used by Windows 2000 and above.
### END INIT INFO

# Source function library.
. /etc/init.d/functions


# Source networking configuration.
. /etc/sysconfig/network


prog=samba
prog_dir=/usr/local/samba/sbin/
lockfile=/var/lock/subsys/$prog


start() {
        [ "$NETWORKING" = "no" ] && exit 1
#       [ -x /usr/sbin/ntpd ] || exit 5

                # Start daemons.
                echo -n $"Starting samba4: "
                daemon $prog_dir/$prog -D
        RETVAL=$?
                echo
        [ $RETVAL -eq 0 ] && touch $lockfile
        return $RETVAL
}


stop() {
        [ "$EUID" != "0" ] && exit 4
                echo -n $"Shutting down samba4: "
        killproc $prog_dir/$prog
        RETVAL=$?
                echo
        [ $RETVAL -eq 0 ] && rm -f $lockfile
        return $RETVAL
}


# See how we were called.
case "$1" in
start)
        start
        ;;
stop)
        stop
        ;;
status)
        status $prog
        ;;
restart)
        stop
        start
        ;;
reload)
        echo "Not implemented yet."
        exit 3
        ;;
*)
        echo $"Usage: $0 {start|stop|status|restart|reload}"
        exit 2
esac

#!/bin/bash

# samba4 This shell script takes care of starting and stopping

# samba4 daemons.

# chkconfig: - 58 74

# description: Samba 4.0 will be the next version of the Samba suite

# and incorporates all the technology found in both the Samba4 alpha

# series and the stable 3.x series. The primary additional features

# over Samba 3.6 are support for the Active Directory logon protocols

# used by Windows 2000 and above.

### BEGIN INIT INFO

# Provides: samba4

# Required-Start: $network $local_fs $remote_fs

# Required-Stop: $network $local_fs $remote_fs

# Should-Start: $syslog $named

# Should-Stop: $syslog $named

# Short-Description: start and stop samba4

# Description: Samba 4.0 will be the next version of the Samba suite

# and incorporates all the technology found in both the Samba4 alpha

# series and the stable 3.x series. The primary additional features

# over Samba 3.6 are support for the Active Directory logon protocols

# used by Windows 2000 and above.

### END INIT INFO

# Source function library.

. /etc/init.d/functions

# Source networking configuration.

. /etc/sysconfig/network

prog=samba

prog_dir=/usr/local/samba/sbin/

lockfile=/var/lock/subsys/$prog

start() {

[ "$NETWORKING" = "no" ] && exit 1

# [ -x /usr/sbin/ntpd ] || exit 5

# Start daemons.

echo -n $"Starting samba4: "

daemon $prog_dir/$prog -D

RETVAL=$?

echo

[ $RETVAL -eq 0 ] && touch $lockfile

return $RETVAL

}

stop() {

[ "$EUID" != "0" ] && exit 4

echo -n $"Shutting down samba4: "

killproc $prog_dir/$prog

RETVAL=$?

echo

[ $RETVAL -eq 0 ] && rm -f $lockfile

return $RETVAL

}

# See how we were called.

case "$1" in

start)

start

;;

stop)

stop

;;

status)

status $prog

;;

restart)

stop

start

;;

reload)

echo "Not implemented yet."

exit 3

;;

echo $"Usage: $0 {start|stop|status|restart|reload}"

exit 2

esac

Rendre le script executale

$ sudo chmod 755 samba4

1	$ sudo chmod 755 samba4

Création d’un lien symbolique vers le niveau d’execution

$ sudo ln -s /etc/init.d/samba4 /etc/rc3.d/S80samba4

1	$ sudo ln -s /etc/init.d/samba4 /etc/rc3.d/S80samba4

Activer le service au démarrage

$ sudo chkconfig samba4 on

1	$ sudo chkconfig samba4 on

Ajouter les outils de samba4 dans $PATH

$ sudo echo "export PATH=$PATH:/usr/local/samba/sbin:/usr/local/samba/bin" >> sudo /root/.bashrc
$ sudo source /root/.bashrc

1 2	$ sudo echo "export PATH=$PATH:/usr/local/samba/sbin:/usr/local/samba/bin" >> sudo /root/.bashrc $ sudo source /root/.bashrc

Quelques infos complémentaires

Vérifier les version de samba et smbclient (doir renvoyer la même version)

$ /usr/local/samba/sbin/samba -V
$ /usr/local/samba/bin/smbclient -V

1 2	$ /usr/local/samba/sbin/samba -V $ /usr/local/samba/bin/smbclient -V

killer les services samba

$ sudo killall samba

1	$ sudo killall samba

Tester les partages administratifs de SysVol, Netlogon, etc…

$ sudo /usr/local/samba/bin/smbclient -L localhost -U%

1	$ sudo /usr/local/samba/bin/smbclient -L localhost -U%

Doit renvoyer

Sharename Type Comment
--------- ---- -------
netlogon Disk
sysvol Disk
IPC$ IPC IPC Service (Samba 4.4.2)

Domain=[DOMAIN] OS=[Windows 6.1] Server=[Samba 4.4.2]

Server Comment
--------- -------

Workgroup Master
--------- -------

Sharename Type Comment

--------- ---- -------

netlogon Disk

sysvol Disk

IPC$ IPC IPC Service (Samba 4.4.2)

Domain=[DOMAIN] OS=[Windows 6.1] Server=[Samba 4.4.2]

Server Comment

--------- -------

Workgroup Master

--------- -------

Tester l’authentification :

$ sudo /usr/local/samba/bin/smbclient //localhost/netlogon -UAdministrator -c ls

1	$ sudo /usr/local/samba/bin/smbclient //localhost/netlogon -UAdministrator -c ls

Enter Administrator’s password:

Cela renvoie

Domain=[DOMAIN] OS=[Windows 6.1] Server=[Samba 4.2.2]
. D 0 Sun May 1 16:05:28 2016
.. D 0 Sun May 1 16:05:28 2016

Domain=[DOMAIN] OS=[Windows 6.1] Server=[Samba 4.2.2]

. D 0 Sun May 1 16:05:28 2016

.. D 0 Sun May 1 16:05:28 2016

Articles lus : 1 572

No votes yet.

Please wait...

[Linux] Installation Samba4 – PDC

Laisser un commentaire Annuler la réponse