
File Server Samba 4 Domain Controller

RHEL - CentOS
Server Information
Installation Directory: /var/lib/samba
Server Hostname: fs-1.angkorcam.com
DNS Domain Name: angkorcam.com
NT4 Domain Name: angkorcam.com
IP Address: 192.168.122.7
Server Role: FS
ntp - configuration
[root@tsorn theary]# ssh root@fs-1
[root@fs-1 ~]# cp /etc/ntp.conf /etc/ntp.conf.orig
[root@fs-1 ~]# vim /etc/ntp.conf
+---------------------------------------------------------------------------------------+
# Cambodia Time #
server 2.kh.pool.ntp.org
server 1.asia.pool.ntp.org
server 2.asia.pool.ntp.org
+---------------------------------------------------------------------------------------+
[root@fs-1 ~]# service ntpd start
+---------------------------------------------------------------------------------------+
Starting ntpd:
[ OK ]
+---------------------------------------------------------------------------------------+
[root@fs-1 ~]# chkconfig ntpd on
[root@fs-1 ~]# ntpq -p
+---------------------------------------------------------------------------------------+
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 ns1.cidc.com.kh  95.222.122.210   2 u    1   64    1    2.686 -148.44   0.099
 ns2.cidc.com.kh  137.189.4.10     2 u    2   64    1    3.130 -140.56   0.000
 27.114.150.13    160.45.10.8      2 u    1   64    1  121.144 -100.21   0.000
 211.39.136.4     .INIT.          16 u    -   64    0    0.000    0.000   0.000
+---------------------------------------------------------------------------------------+
[root@fs-1 ~]# date
+---------------------------------------------------------------------------------------+
Wed Apr 2 14:57:10 ICT 2014
+---------------------------------------------------------------------------------------+
firewall - configuration

[root@fs-1 ~]# sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
[root@fs-1 ~]# cat /etc/selinux/config
+---------------------------------------------------------------------------------------+
SELINUX=disabled
+---------------------------------------------------------------------------------------+
[root@fs-1 ~]# service iptables stop
+---------------------------------------------------------------------------------------+
iptables: Setting chains to policy ACCEPT: filter
[ OK ]
iptables: Flushing firewall rules:
[ OK ]
iptables: Unloading modules:
[ OK ]
+---------------------------------------------------------------------------------------+
[root@fs-1 ~]# service ip6tables stop
+---------------------------------------------------------------------------------------+
ip6tables: Setting chains to policy ACCEPT: filter
[ OK ]
ip6tables: Flushing firewall rules:
[ OK ]
ip6tables: Unloading modules:
[ OK ]
+---------------------------------------------------------------------------------------+
[root@fs-1 ~]# chkconfig iptables off
[root@fs-1 ~]# chkconfig ip6tables off
[root@fs-1 ~]# chkconfig | grep ip
+---------------------------------------------------------------------------------------+
ip6tables       0:off 1:off 2:off 3:off 4:off 5:off 6:off
iptables        0:off 1:off 2:off 3:off 4:off 5:off 6:off
+---------------------------------------------------------------------------------------+
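The guide stops iptables and ip6tables outright. As an added example that is not part of the guide, the script below shows the alternative of leaving iptables on and admitting only the ports a Samba member file server needs, and only from the LAN. The 192.168.122.0/24 prefix follows the addresses used in this guide; the port list, the SSH allowance and the `--apply` switch are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the guide: keep iptables running and admit only
# what a Samba member file server needs, instead of turning the firewall off.
# The LAN prefix is derived from the 192.168.122.x addresses in the guide;
# the port list and the SSH allowance are assumptions about this host's role.

LAN_CIDR="${LAN_CIDR:-192.168.122.0/24}"

# Emit the iptables commands for a default-deny INPUT chain. Accepts loopback,
# replies to connections this host opened (covers NTP, DNS and Kerberos/LDAP
# traffic to the DCs), ICMP, and from the LAN only: SSH (22/tcp), NetBIOS
# name/datagram/session (137/udp, 138/udp, 139/tcp) and SMB over TCP (445/tcp).
# The DROP policy is set last so an existing SSH session is never cut off.
samba_fw_rules() {
    lan="$1"
cat <<EOF
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -s $lan -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s $lan -p udp --dport 137 -j ACCEPT
iptables -A INPUT -s $lan -p udp --dport 138 -j ACCEPT
iptables -A INPUT -s $lan -p tcp --dport 139 -j ACCEPT
iptables -A INPUT -s $lan -p tcp --dport 445 -j ACCEPT
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fs-1 drop: "
iptables -P INPUT DROP
EOF
}

# Self-check helpers: number of ACCEPT rules, and whether a proto/port is admitted.
samba_fw_accept_count() {
    samba_fw_rules "$1" | grep -c -- '-j ACCEPT'
}
samba_fw_allows_port() {   # $1 = LAN cidr, $2 = proto, $3 = port
    samba_fw_rules "$1" | grep -q -- "-p $2 --dport $3 -j ACCEPT"
}

# Print the rules by default; apply and persist them only with --apply.
case "${1:-}" in
    --apply) samba_fw_rules "$LAN_CIDR" | sh && service iptables save ;;
    *)       samba_fw_rules "$LAN_CIDR" ;;
esac
```

Run it without arguments to review the generated rules; `--apply` pipes them into sh and persists them with `service iptables save`, after which `chkconfig iptables on` keeps them across reboots. Because the member server only initiates connections to the DCs (DNS, Kerberos, LDAP, NTP), the ESTABLISHED,RELATED rule is enough for that traffic.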
Host file configuration
[root@fs-1 ~]# vim /etc/hosts
+---------------------------------------------------------------------------------------+
## samba_v4 lan ##
192.168.122.5 dc-1.angkorcam.com dc-1
192.168.122.6 dc-2.angkorcam.com dc-2
192.168.122.7 fs-1.angkorcam.com fs-1
+---------------------------------------------------------------------------------------+
[root@fs-1 ~]# vim /etc/resolv.conf
+---------------------------------------------------------------------------------------+
search angkorcam.com
domain angkorcam.com
nameserver 192.168.122.5
nameserver 192.168.122.6
+---------------------------------------------------------------------------------------+
File System Support (EXT4)
To use the advanced features of Samba4 you need a file system that supports both
the "user" and "system" xattr namespaces.
[root@fs-1 ~]# vim /etc/fstab
+---------------------------------------------------------------------------------------+
/dev/mapper/vg_dc-lv_dc /usr ext4 defaults,user_xattr,acl,barrier=1 1 1
+---------------------------------------------------------------------------------------+
The kernel must also have been built with xattr, security-label and POSIX ACL support for ext4; confirm it with:
[root@fs-1 ~]# grep -E '^CONFIG_EXT4_FS_(XATTR|SECURITY|POSIX_ACL)=' /boot/config-$(uname -r)
+---------------------------------------------------------------------------------------+
CONFIG_EXT4_FS_XATTR=y
CONFIG_EXT4_FS_SECURITY=y
CONFIG_EXT4_FS_POSIX_ACL=y
+---------------------------------------------------------------------------------------+
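As an added check that is not part of the guide, the shell functions below verify that an fstab entry actually carries `user_xattr` and `acl`, and probe the `user` xattr namespace on a live directory. The sample fstab is constructed here, and the `attr` package that provides setfattr/getfattr is assumed to be installed for the live probe.

```shell
#!/bin/sh
# Added example, not part of the guide: check that an ext4 entry carries the
# mount options the acl_xattr VFS module depends on, and optionally probe the
# "user" xattr namespace on a live directory. The fstab below is a constructed
# sample that mirrors the guide's entry.

# Return 0 when an fstab / /proc/mounts line lists both user_xattr and acl in
# its options field (field 4), 1 otherwise.
fstab_has_xattr_acl() {
    opts=$(printf '%s\n' "$1" | awk '{ print $4 }')
    case ",$opts," in *,user_xattr,*) ;; *) return 1 ;; esac
    case ",$opts," in *,acl,*) return 0 ;; *) return 1 ;; esac
}

# Check every non-comment ext4 entry in an fstab file; prints each offender and
# returns 1 if any lacks user_xattr or acl.  Usage: fstab_check_file /etc/fstab
fstab_check_file() {
    awk 'BEGIN { bad = 0 }
         $1 !~ /^#/ && $3 == "ext4" {
             o = "," $4 ","
             if (index(o, ",user_xattr,") == 0 || index(o, ",acl,") == 0) {
                 print "missing user_xattr/acl: " $0; bad = 1
             }
         }
         END { exit bad }' "$1"
}

# Live probe: set and read back a user.* attribute on a scratch file in $1.
# Needs setfattr/getfattr from the attr package (assumption: yum install attr).
# Returns 0 on success, 1 if the filesystem refuses, 2 if the tools are missing.
xattr_user_probe() {
    command -v setfattr >/dev/null 2>&1 || return 2
    f=$(mktemp "$1/.xattr_probe.XXXXXX") || return 1
    if setfattr -n user.samba_probe -v ok "$f" 2>/dev/null &&
       [ "$(getfattr --only-values -n user.samba_probe "$f" 2>/dev/null)" = "ok" ]; then
        rc=0
    else
        rc=1
    fi
    rm -f "$f"
    return $rc
}

# Constructed sample fstab (not the server's real file) used for the demo below.
SAMPLE_FSTAB=$(mktemp)
trap 'rm -f "$SAMPLE_FSTAB"' EXIT
cat > "$SAMPLE_FSTAB" <<'EOF'
# constructed sample mirroring the guide
/dev/mapper/vg_dc-lv_dc /usr ext4 defaults,user_xattr,acl,barrier=1 1 1
/dev/sr0 /media/cdrom iso9660 defaults 0 0
EOF

if fstab_check_file "$SAMPLE_FSTAB"; then
    echo "sample fstab: every ext4 entry carries user_xattr and acl"
fi
```

On the real server, `fstab_check_file /etc/fstab` catches a missing option before the volume is remounted, and `xattr_user_probe /data` confirms the running kernel and mount actually honour the `user` namespace; a filesystem mounted without `user_xattr` returns 1 from the probe even though its fstab line may look right after an edit that has not yet been applied with `mount -o remount`.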
prepare yum REPO
[root@fs-1 ~]# vim /etc/yum.repos.d/rhel6_dvd.repo
+---------------------------------------------------------------------------------------+
[rhel6_dvd]
name= DVD Redhat Enterprise Linux 6
baseurl=file:///media/cdrom/
enabled=1
gpgcheck=0
+---------------------------------------------------------------------------------------+
Mounting the ISO
[root@fs-1 ~]# mkdir /media/cdrom
[root@fs-1 ~]# vim /etc/fstab
+---------------------------------------------------------------------------------------+
/dev/sr0 /media/cdrom iso9660 defaults 0 0
+---------------------------------------------------------------------------------------+
[root@fs-1 ~]# mount -a
+---------------------------------------------------------------------------------------+
mount: block device /dev/sr0 is write-protected, mounting read-only
+---------------------------------------------------------------------------------------+
samba yum repo

Query your rpm database to find any instances of older samba packages
[root@fs-1 ~]# rpm -qa | grep samba
+---------------------------------------------------------------------------------------+
samba4-libs-4.0.0-58.el6.rc4.x86_64
samba-client-3.6.9-164.el6.x86_64
samba-common-3.6.9-164.el6.x86_64
samba-winbind-3.6.9-164.el6.x86_64
samba-winbind-clients-3.6.9-164.el6.x86_64
+---------------------------------------------------------------------------------------+
remove the existing samba packages
[root@fs-1 ~]# yum remove -y samba* pytalloc
[root@fs-1 ~]# yum install -y http://ftp.sernet.de/pub/sernet-build-key-1.1-4.noarch.rpm
[root@fs-1 ~]# gpg --keyserver wwwkeys.pgp.net --recv-keys F4428B1A
+---------------------------------------------------------------------------------------+
gpg: requesting key F4428B1A from hkp server wwwkeys.pgp.net
gpg: key F4428B1A: public key "Samba Support <Samba@SerNet.DE>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1
+---------------------------------------------------------------------------------------+
[root@fs-1 ~]# gpg --fingerprint F4428B1A
+---------------------------------------------------------------------------------------+
pub   1024D/F4428B1A 2008-03-11 [expires: 2015-11-19]
      Key fingerprint = 7975 0C31 87AF 92DD AC46 086F D992 1B1C F442 8B1A
uid                  Samba Support <Samba@SerNet.DE>
+---------------------------------------------------------------------------------------+
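Fetching a key from a keyserver and printing its fingerprint proves nothing by itself; the fingerprint has to be compared with a value obtained some other way (the vendor's page over HTTPS, a colleague's keyring) before the repository is trusted with `gpgcheck=1`. The following is an added example, not from the guide: it parses `gpg --fingerprint` output and compares it with an expected fingerprint, using the value the guide prints as the expected one. The gpg output it tests against is a constructed copy of the guide's output.

```shell
#!/bin/sh
# Added example, not part of the guide: compare the fingerprint of the imported
# SerNet signing key with a value obtained out of band before the repository is
# trusted with gpgcheck=1. EXPECTED_FPR is the fingerprint the guide prints;
# SAMPLE_GPG_OUTPUT is a constructed copy of that gpg output for the self-test.

EXPECTED_FPR="7975 0C31 87AF 92DD AC46 086F D992 1B1C F442 8B1A"

# Normalise a fingerprint for comparison: drop blanks, upper-case.
fpr_norm() { printf '%s' "$1" | tr -d ' ' | tr 'a-z' 'A-Z'; }

# Pull the fingerprint out of human-readable `gpg --fingerprint` output on
# stdin. Handles the "Key fingerprint = ..." prefix of gpg 1.4 (RHEL 6) and the
# bare 40-hex-digit line newer gpg prints. Prints nothing if none is found.
fpr_from_gpg_output() {
    sed 's/^[[:space:]]*Key fingerprint = //' \
      | grep -E '^[[:space:]]*([0-9A-Fa-f]{4} ?){10}[[:space:]]*$' \
      | head -n 1 | tr -d ' '
}

# Return 0 only when the fingerprint in the gpg output on stdin equals $1.
fpr_matches() {
    got=$(fpr_from_gpg_output)
    [ -n "$got" ] && [ "$(fpr_norm "$got")" = "$(fpr_norm "$1")" ]
}

# Live check against the local keyring, e.g.: verify_key_live F4428B1A
verify_key_live() {
    gpg --fingerprint "$1" 2>/dev/null | fpr_matches "$EXPECTED_FPR"
}

# Constructed copy of the guide's gpg --fingerprint output (not live data).
SAMPLE_GPG_OUTPUT='pub   1024D/F4428B1A 2008-03-11 [expires: 2015-11-19]
      Key fingerprint = 7975 0C31 87AF 92DD AC46 086F D992 1B1C F442 8B1A
uid                  Samba Support <Samba@SerNet.DE>'

if printf '%s\n' "$SAMPLE_GPG_OUTPUT" | fpr_matches "$EXPECTED_FPR"; then
    echo "fingerprint matches the expected value"
else
    echo "FINGERPRINT MISMATCH: do not enable the repository"
fi
```

Only the full 40-digit fingerprint is compared, never the short key ID `F4428B1A`: short IDs are cheap to collide, so two different keys can share one.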
[root@fs-1 ~]# vim /etc/yum.repos.d/sernet-samba-4.1.repo
+---------------------------------------------------------------------------------------+
[sernet-samba-4.1]
name=SerNet Samba 4.1 Packages (rhel-6)
type=rpm-md
baseurl=https://theary:X6s3uoetyoUApLeH1MJlJdgD6ekYAJCJ@download.sernet.de/packages/samba/4.1/rhel/6/
gpgcheck=1
gpgkey=https://theary:X6s3uoetyoUApLeH1MJlJdgD6ekYAJCJ@download.sernet.de/packages/samba/4.1/rhel/6/repodata/repomd.xml.key
enabled=1
+---------------------------------------------------------------------------------------+
[root@fs-1 ~]# yum repolist
+---------------------------------------------------------------------------------------+
repo id             repo name                              status
rhel6_dvd           DVD Redhat Enterprise Linux 6          3,690
sernet-samba-4.1    SerNet Samba 4.1 Packages (rhel-6)        21
repolist: 3,711
+---------------------------------------------------------------------------------------+
Samba 4 Installation
[root@fs-1 ~]# yum install sernet-samba* sernet-samba-ad* -y
[root@fs-1 ~]# rpm -qa | grep sernet-samba
+---------------------------------------------------------------------------------------+
sernet-samba-client-4.1.6-7.el6.x86_64
sernet-samba-libsmbclient-devel-4.1.6-7.el6.x86_64
sernet-samba-common-4.1.6-7.el6.x86_64
sernet-samba-libsmbclient0-4.1.6-7.el6.x86_64
sernet-samba-4.1.6-7.el6.x86_64
sernet-samba-ad-4.1.6-7.el6.x86_64
sernet-samba-libwbclient-devel-4.1.6-7.el6.x86_64
sernet-samba-libs-4.1.6-7.el6.x86_64
sernet-samba-winbind-4.1.6-7.el6.x86_64
sernet-samba-debuginfo-4.1.6-7.el6.x86_64
+---------------------------------------------------------------------------------------+
[root@fs-1 ~]# chkconfig sernet-samba-ad on
[root@fs-1 ~]# chkconfig sernet-samba-nmbd on
[root@fs-1 ~]# chkconfig sernet-samba-smbd on
[root@fs-1 ~]# chkconfig sernet-samba-winbindd on
[root@fs-1 ~]# chkconfig | grep sernet-samba
+---------------------------------------------------------------------------------------+
sernet-samba-ad         0:off 1:off 2:on 3:on 4:on 5:on 6:off
sernet-samba-nmbd       0:off 1:off 2:on 3:on 4:on 5:on 6:off
sernet-samba-smbd       0:off 1:off 2:on 3:on 4:on 5:on 6:off
sernet-samba-winbindd   0:off 1:off 2:on 3:on 4:on 5:on 6:off
+---------------------------------------------------------------------------------------+
By default, if we don't specify the installation directory (prefix), it is /var/lib/samba/.
Setting up Kerberos
[root@fs-1 ~]# mv /etc/krb5.conf /etc/krb5.conf.orig
[root@fs-1 ~]# vim /etc/krb5.conf
+---------------------------------------------------------------------------------------+
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = ANGKORCAM.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
+---------------------------------------------------------------------------------------+
[root@fs-1 ~]# chgrp named /etc/krb5.conf
Setting up a basic smb.conf
[root@fs-1 ~]# mkdir /data
[root@fs-1 ~]# mkdir /data/it
[root@fs-1 ~]# mkdir /data/hr
[root@fs-1 ~]# vim /etc/samba/smb.conf
+---------------------------------------------------------------------------------------+
[global]
workgroup = ANGKORCAM
security = ADS
realm = ANGKORCAM.COM
encrypt passwords = yes
idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config ANGKORCAM:backend = rid
idmap config ANGKORCAM:default = yes
idmap config ANGKORCAM:schema_mode = rfc2307
idmap config ANGKORCAM:range = 500-40000
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind separator = +
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
template shell = /bin/bash
template homedir = /home/%D/%U

[data$]
comment = ROOT shared dir
path = /data
read only = no

[it$]
comment = IT department
path = /data/it
read only = no

[hr$]
comment = Human Resource
path = /data/hr
read only = no
+---------------------------------------------------------------------------------------+
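The idmap ranges in this [global] section decide which UIDs and GIDs domain accounts receive, and the `rid` backend derives them arithmetically from the range start (the guide's `getent passwd` output later shows administrator, RID 500, at UID 1000 = 500 + 500), so a mistake here is silent: an overlap means a domain account and a local account end up sharing a UID. As an added example, not part of the guide, the script below extracts every `idmap config DOM:range` line from an smb.conf and checks that each range is well-formed, that the `*` and domain ranges do not overlap, and that no local account in /etc/passwd lies inside a range. RHEL 6 allocates local users from UID 500, so the guide's `500-40000` range is flagged as soon as any ordinary local user exists. The smb.conf and passwd files in the block are constructed samples, and the `localadmin` account is invented.

```shell
#!/bin/sh
# Added example, not part of the guide: sanity-check the idmap ranges in an
# smb.conf. Every "idmap config DOM:range" must be low<high, the ranges of the
# different backends must not overlap, and the domain range must stay clear of
# local UIDs in /etc/passwd, or a domain account shares a UID with a local one.
# RHEL 6 allocates local users from UID 500, so the guide's ANGKORCAM range
# 500-40000 collides with any local user; the check reports it.
# SAMPLE_SMB and the passwd files below are constructed for the self-test.

# Print "domain low high" for each idmap range line in smb.conf $1.
idmap_ranges() {
    awk -F= '
        tolower($1) ~ /^[[:space:]]*idmap[[:space:]]+config[[:space:]]+[^:]+:[[:space:]]*range[[:space:]]*$/ {
            dom = $1; sub(/^[[:space:]]*idmap[[:space:]]+config[[:space:]]+/, "", dom)
            sub(/:.*$/, "", dom)
            rng = $2; gsub(/[[:space:]]/, "", rng); split(rng, r, "-")
            print dom, r[1], r[2]
        }' "$1"
}

# Return 0 when ranges are sane and disjoint and no UID in passwd file $2
# (default /etc/passwd) falls inside any of them; otherwise print each problem
# and return 1.
idmap_check() {
    idmap_ranges "$1" | awk -v passwd="${2:-/etc/passwd}" '
        BEGIN { bad = 0 }
        {
            n++; dom[n] = $1; lo[n] = $2 + 0; hi[n] = $3 + 0
            if (lo[n] >= hi[n]) { printf "bad range for %s: %s-%s\n", $1, $2, $3; bad = 1 }
        }
        END {
            if (n == 0) { print "no idmap config ranges found"; exit 1 }
            for (i = 1; i <= n; i++)
                for (j = i + 1; j <= n; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                        printf "overlap: %s %d-%d vs %s %d-%d\n", dom[i], lo[i], hi[i], dom[j], lo[j], hi[j]
                        bad = 1
                    }
            while ((getline line < passwd) > 0) {
                split(line, f, ":"); uid = f[3] + 0
                for (i = 1; i <= n; i++)
                    if (uid >= lo[i] && uid <= hi[i]) {
                        printf "local account %s (uid %d) inside %s range %d-%d\n", f[1], uid, dom[i], lo[i], hi[i]
                        bad = 1
                    }
            }
            exit bad
        }'
}

# Constructed samples: the guide's idmap settings, a deliberately overlapping
# variant, and two passwd files (one with a UID-500 local user, one without).
TMPD=$(mktemp -d); trap 'rm -rf "$TMPD"' EXIT
SAMPLE_SMB="$TMPD/smb.conf"; SAMPLE_SMB_OVERLAP="$TMPD/smb-overlap.conf"
PASSWD_CLEAN="$TMPD/passwd.clean"; PASSWD_LOCAL="$TMPD/passwd.local"
cat > "$SAMPLE_SMB" <<'EOF'
[global]
idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config ANGKORCAM:backend = rid
idmap config ANGKORCAM:range = 500-40000
EOF
sed 's/70001-80000/30000-80000/' "$SAMPLE_SMB" > "$SAMPLE_SMB_OVERLAP"
printf 'root:x:0:0:root:/root:/bin/bash\nnobody:x:99:99:Nobody:/:/sbin/nologin\n' > "$PASSWD_CLEAN"
printf 'root:x:0:0:root:/root:/bin/bash\nlocaladmin:x:500:500::/home/localadmin:/bin/bash\n' > "$PASSWD_LOCAL"

idmap_check "$SAMPLE_SMB" "$PASSWD_CLEAN" && echo "guide ranges OK against a passwd with no ordinary local users"
idmap_check "$SAMPLE_SMB" "$PASSWD_LOCAL" || echo "guide ranges collide with a local account (see above)"
```

On the server itself, `idmap_check /etc/samba/smb.conf` runs the same checks against the real /etc/passwd; run it again whenever a range is changed, since `testparm` accepts any numeric range and will not report an overlap.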
Joining the member server to the domain
[root@fs-1 ~]# net ads join -U administrator
+---------------------------------------------------------------------------------------+
Enter administrator's password:
Using short domain name -- ANGKORCAM
Joined FS-1 to dns domain angkorcam.com
+---------------------------------------------------------------------------------------+
Starting the daemons
[root@fs-1 ~]# cp /etc/default/sernet-samba /etc/default/sernet-samba.orig
[root@fs-1 ~]# vim /etc/default/sernet-samba
+---------------------------------------------------------------------------------------+
SAMBA_START_MODE="classic"
+---------------------------------------------------------------------------------------+
[root@fs-1 ~]# service sernet-samba-smbd start
+---------------------------------------------------------------------------------------+
Starting SAMBA smbd :
[ OK ]
+---------------------------------------------------------------------------------------+
[root@fs-1 ~]# service sernet-samba-nmbd start
+---------------------------------------------------------------------------------------+
Starting SAMBA nmbd :
[ OK ]
+---------------------------------------------------------------------------------------+
[root@fs-1 ~]# service sernet-samba-winbindd start
+---------------------------------------------------------------------------------------+
Starting SAMBA winbindd :
[ OK ]
+---------------------------------------------------------------------------------------+

The next step is to add winbind to the passwd and group entries of your /etc/nsswitch.conf:
[root@fs-1 ~]# cp /etc/nsswitch.conf /etc/nsswitch.conf.orig
[root@fs-1 ~]# vim /etc/nsswitch.conf
+---------------------------------------------------------------------------------------+
passwd: files winbind
group: files winbind
shadow: files winbind
+---------------------------------------------------------------------------------------+
Testing the winbind user/group mapping
To check if winbind receives user and groups from the domain, run the following
commands:
[root@fs-1 ~]# wbinfo -u
+---------------------------------------------------------------------------------------+
administrator
theary.sorn
dns-dc-2
dns-dc-1
krbtgt
guest
+---------------------------------------------------------------------------------------+
[root@fs-1 ~]# wbinfo -g
+---------------------------------------------------------------------------------------+
allowed rodc password replication group
enterprise read-only domain controllers
denied rodc password replication group
read-only domain controllers
group policy creator owners
ras and ias servers
domain controllers
enterprise admins
domain computers
cert publishers
dnsupdateproxy
domain admins
domain guests
schema admins
domain users
dnsadmins
+---------------------------------------------------------------------------------------+
[root@fs-1 ~]# net ads info
+---------------------------------------------------------------------------------------+
LDAP server: 192.168.122.5
LDAP server name: dc-1.angkorcam.com

Realm: ANGKORCAM.COM
Bind Path: dc=ANGKORCAM,dc=COM
LDAP port: 389
Server time: Fri, 04 Apr 2014 16:34:34 ICT
KDC server: 192.168.122.5
Server time offset: 1
+---------------------------------------------------------------------------------------+
[root@fs-1 ~]# getent passwd
+---------------------------------------------------------------------------------------+
administrator:*:1000:1013:Administrator:/home/ANGKORCAM/administrator:/bin/bash
theary.sorn:*:1607:1013:theary.sorn:/home/ANGKORCAM/theary.sorn:/bin/bash
dns-dc-2:*:1606:1013:dns-DC-2:/home/ANGKORCAM/dns-dc-2:/bin/bash
dns-dc-1:*:1601:1013:dns-dc-1:/home/ANGKORCAM/dns-dc-1:/bin/bash
krbtgt:*:1002:1013:krbtgt:/home/ANGKORCAM/krbtgt:/bin/bash
guest:*:1001:1014:Guest:/home/ANGKORCAM/guest:/bin/bash
+---------------------------------------------------------------------------------------+
[root@fs-1 ~]# getent group
+---------------------------------------------------------------------------------------+
allowed rodc password replication group:x:1071:
enterprise read-only domain controllers:x:998:
denied rodc password replication group:x:1072:krbtgt
read-only domain controllers:x:1021:
group policy creator owners:x:1020:administrator
ras and ias servers:x:1053:
domain controllers:x:1016:
enterprise admins:x:1019:administrator
domain computers:x:1015:
cert publishers:x:1017:
dnsupdateproxy:x:1603:
domain admins:x:1012:administrator
domain guests:x:1014:
schema admins:x:1018:administrator
domain users:x:1013:
dnsadmins:x:1602:
+---------------------------------------------------------------------------------------+
[root@fs-1 ~]# id administrator
+---------------------------------------------------------------------------------------+
uid=1000(administrator) gid=1013(domain users) groups=1013(domain users),1020(group policy creator owners),1072(denied rodc password replication group),1019(enterprise admins),1018(schema admins),1012(domain admins)
+---------------------------------------------------------------------------------------+
[root@fs-1 ~]# id theary.sorn
+---------------------------------------------------------------------------------------+
uid=1607(theary.sorn) gid=1013(domain users) groups=1013(domain users)
+---------------------------------------------------------------------------------------+
[root@fs-1 ~]# net rpc rights list accounts -Uadministrator
+---------------------------------------------------------------------------------------+
BUILTIN\Server Operators
No privileges assigned
BUILTIN\Administrators
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege
SeSecurityPrivilege
SeSystemtimePrivilege
SeShutdownPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege
SeProfileSingleProcessPrivilege
SeIncreaseBasePriorityPrivilege
SeLoadDriverPrivilege
SeCreatePagefilePrivilege
SeIncreaseQuotaPrivilege
SeChangeNotifyPrivilege
SeUndockPrivilege
SeManageVolumePrivilege
SeImpersonatePrivilege
SeCreateGlobalPrivilege
SeEnableDelegationPrivilege
+---------------------------------------------------------------------------------------+
[root@fs-1 ~]# net rpc rights grant 'ANGKORCAM\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
+---------------------------------------------------------------------------------------+
Enter administrator's password:
Successfully granted rights.
+---------------------------------------------------------------------------------------+
By: Theary SORN
