RHEL - CentOS
Server Information
Installation Directory: /var/lib/samba
Server Hostname: fs-1.angkorcam.com
DNS Domain Name: angkorcam.com
NT4 Domain Name: angkorcam.com
IP Address: 192.168.122.7
Server Role: FS
ntp - configuration
[root@tsorn theary]# ssh root@fs-1
[root@fs-1 ~]# cp /etc/ntp.conf /etc/ntp.conf.orig
[root@fs-1 ~]# vim /etc/ntp.conf
+---------------------------------------------------------------------------------------+
# Cambodia Time #
server 2.kh.pool.ntp.org
server 1.asia.pool.ntp.org
server 2.asia.pool.ntp.org
+---------------------------------------------------------------------------------------+
[root@fs-1 ~]# service ntpd start
+---------------------------------------------------------------------------------------+
Starting ntpd:                                             [  OK  ]
+---------------------------------------------------------------------------------------+
[root@fs-1 ~]# chkconfig ntpd on
[root@fs-1 ~]# ntpq -p
+---------------------------------------------------------------------------------------+
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 ns1.cidc.com.kh 95.222.122.210   2 u    1   64    1    2.686 -148.44   0.099
 ns2.cidc.com.kh 137.189.4.10     2 u    2   64    1    3.130 -140.56   0.000
 27.114.150.13   160.45.10.8      2 u    1   64    1  121.144 -100.21   0.000
 211.39.136.4    .INIT.          16 u    -   64    0    0.000   0.000   0.000
+---------------------------------------------------------------------------------------+
[root@fs-1 ~]# date
+---------------------------------------------------------------------------------------+
Wed Apr 2 14:57:10 ICT 2014
+---------------------------------------------------------------------------------------+
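The point of running ntpd before anything else is Kerberos: by default a KDC rejects requests whose timestamp is more than 300 seconds off its own clock, so a member server with a skewed clock cannot join or authenticate. The offsets in the ntpq -p output above (-100 to -148 ms) are well inside that limit, but reach is still 1 and no peer carries the `*` selection mark yet. The script below is an added example, not part of the original guide: it parses ntpq -p output (a constructed copy of the table above) and reports the largest absolute peer offset, ignoring unreached and stratum-16 peers. The 1000 ms default threshold in clock_skew_ok is an assumption chosen far below the Kerberos maximum; the function names are this example's own.

```shell
#!/bin/sh
# Added example: check NTP peer offsets before a Kerberos/AD join.

# Constructed sample, same shape as the `ntpq -p` table above.
NTPQ_SAMPLE='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 ns1.cidc.com.kh 95.222.122.210   2 u    1   64    1    2.686 -148.44   0.099
 ns2.cidc.com.kh 137.189.4.10     2 u    2   64    1    3.130 -140.56   0.000
 27.114.150.13   160.45.10.8      2 u    1   64    1  121.144 -100.21   0.000
 211.39.136.4    .INIT.          16 u    -   64    0    0.000   0.000   0.000'

# max_abs_offset_ms TEXT -> largest |offset| in ms over usable peers.
# Columns: remote refid st t when poll reach delay offset jitter ($1..$10).
# A tally code (* + - x etc.) is glued to $1 by ntpq and is not needed here.
max_abs_offset_ms() {
    printf '%s\n' "$1" | awk '
        NR <= 2 { next }                    # header and ==== separator
        $3 == 16 || $7 == 0 { next }        # unsynchronised or never reached
        { off = $9; if (off < 0) off = -off
          if (off > max) max = off }
        END { printf "%.2f\n", max }'
}

# clock_skew_ok TEXT [LIMIT_MS] -> 0 when the largest offset is below LIMIT_MS
# (assumed default 1000 ms), 1 otherwise. Kerberos itself allows 300 s; a
# tighter operational limit catches a drifting clock long before the KDC does.
clock_skew_ok() {
    off=$(max_abs_offset_ms "$1")
    awk -v off="$off" -v lim="${2:-1000}" 'BEGIN { exit (off < lim) ? 0 : 1 }'
}

# Stand-alone run on the sample.
printf 'largest peer offset: %s ms\n' "$(max_abs_offset_ms "$NTPQ_SAMPLE")"
if clock_skew_ok "$NTPQ_SAMPLE"; then echo "clock skew OK"; else echo "clock skew too large"; fi
```

On a live host feed it the real output with `clock_skew_ok "$(ntpq -p)"`. Until a peer shows a non-zero reach and the `*` mark, the offset column is a first sample rather than a settled value, so it is worth re-running after a few poll intervals before `net ads join`.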
firewall - configuration
domain angkorcam.com
nameserver 192.168.122.5
nameserver 192.168.122.6
+---------------------------------------------------------------------------------------+
File System Support (EXT4)
To use the advanced features of Samba4 you need a file system that supports both
the "user" and "system" xattr namespaces.
[root@fs-1 ~]# vim /etc/fstab
+---------------------------------------------------------------------------------------+
/dev/mapper/vg_dc-lv_dc /usr ext4 defaults,user_xattr,acl,barrier=1 1 1
+---------------------------------------------------------------------------------------+
The kernel must also be built with the following EXT4 options (these are kernel configuration entries, not shell commands):
CONFIG_EXT4_FS_XATTR=y
CONFIG_EXT4_FS_SECURITY=y
CONFIG_EXT4_FS_POSIX_ACL=y
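Two things can silently break the xattr requirement: the mount options being set on the wrong filesystem (the fstab line above covers /usr, while the shares created later live under /data), and a kernel built without the EXT4 xattr/ACL options. The script below is an added example, not from the original guide: it checks an fstab text for the options a given mount point carries, and a kernel config text for the CONFIG_EXT4 entries listed above. Both inputs are constructed here; on a live host you would pass the contents of /etc/fstab and /boot/config-$(uname -r). The function names are this example's own, and the sample kernel config deliberately leaves CONFIG_EXT4_FS_SECURITY unset to show the failing case.

```shell
#!/bin/sh
# Added example: verify fstab mount options and kernel EXT4 options.

# Constructed fstab, built from the two entries shown in this guide.
FSTAB_SAMPLE='/dev/mapper/vg_dc-lv_dc /usr ext4 defaults,user_xattr,acl,barrier=1 1 1
/dev/sr0 /media/cdrom iso9660 defaults 0 0'

# Constructed kernel config; SECURITY deliberately not set.
KCONFIG_SAMPLE='CONFIG_EXT4_FS=y
CONFIG_EXT4_FS_XATTR=y
CONFIG_EXT4_FS_POSIX_ACL=y
# CONFIG_EXT4_FS_SECURITY is not set'

# fstab_has_opts FSTAB MOUNTPOINT OPT... -> 0 if MOUNTPOINT has an entry and
# every OPT appears in its comma-separated mount options, 1 otherwise.
fstab_has_opts() {
    fstab=$1; mp=$2; shift 2
    opts=$(printf '%s\n' "$fstab" | awk -v mp="$mp" '$1 !~ /^#/ && $2 == mp { print $4; exit }')
    [ -n "$opts" ] || return 1
    for want in "$@"; do
        case ",$opts," in
            *",$want,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# kconfig_enabled KCONFIG OPTION... -> 0 if every OPTION is =y or =m.
kconfig_enabled() {
    cfg=$1; shift
    for opt in "$@"; do
        printf '%s\n' "$cfg" | grep -q "^$opt=[ym]\$" || return 1
    done
    return 0
}

# Stand-alone run: report both checks for the sample data.
for mp in /usr /media/cdrom; do
    if fstab_has_opts "$FSTAB_SAMPLE" "$mp" user_xattr acl; then
        echo "$mp: user_xattr and acl present"
    else
        echo "$mp: missing user_xattr and/or acl"
    fi
done
if kconfig_enabled "$KCONFIG_SAMPLE" CONFIG_EXT4_FS_XATTR CONFIG_EXT4_FS_SECURITY CONFIG_EXT4_FS_POSIX_ACL; then
    echo "kernel: all EXT4 xattr/ACL options enabled"
else
    echo "kernel: at least one EXT4 xattr/ACL option is missing"
fi
```

The fstab check only proves intent; a filesystem remounted by hand, or a share path on a different volume than the one checked, still fails at runtime. After mounting, `setfattr -n user.test -v 1 /data/it` followed by `getfattr -n user.test /data/it` is the direct test that the user namespace works on the share's own volume.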
prepare yum REPO
[root@fs-1 ~]# vim /etc/yum.repos.d/rhel6_dvd.repo
+---------------------------------------------------------------------------------------+
[rhel6_dvd]
name= DVD Redhat Enterprise Linux 6
baseurl=file:///media/cdrom/
enabled=1
gpgcheck=0
+---------------------------------------------------------------------------------------+
Mounting the ISO
[root@fs-1 ~]# mkdir /media/cdrom
[root@fs-1 ~]# vim /etc/fstab
+---------------------------------------------------------------------------------------+
/dev/sr0 /media/cdrom iso9660 defaults 0 0
+---------------------------------------------------------------------------------------+
[root@fs-1 ~]# mount -a
+---------------------------------------------------------------------------------------+
mount: block device /dev/sr0 is write-protected, mounting read-only
+---------------------------------------------------------------------------------------+
samba yum repo
Query your rpm database to find any instances of older samba packages
[root@fs-1 ~]# rpm -qa | grep samba
+---------------------------------------------------------------------------------------+
samba4-libs-4.0.0-58.el6.rc4.x86_64
samba-client-3.6.9-164.el6.x86_64
samba-common-3.6.9-164.el6.x86_64
samba-winbind-3.6.9-164.el6.x86_64
samba-winbind-clients-3.6.9-164.el6.x86_64
+---------------------------------------------------------------------------------------+
remove the existing samba packages
[root@fs-1 ~]# yum remove -y samba* pytalloc
[root@fs-1 ~]# yum install -y http://ftp.sernet.de/pub/sernet-build-key-1.1-4.noarch.rpm
[root@fs-1 ~]# gpg --keyserver wwwkeys.pgp.net --recv-keys F4428B1A;
+---------------------------------------------------------------------------------------+
gpg: requesting key F4428B1A from hkp server wwwkeys.pgp.net
gpg: key F4428B1A: public key "Samba Support <Samba@SerNet.DE>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1
+---------------------------------------------------------------------------------------+
[root@fs-1 ~]# gpg --fingerprint F4428B1A
+---------------------------------------------------------------------------------------+
pub   1024D/F4428B1A 2008-03-11 [expires: 2015-11-19]
      Key fingerprint = 7975 0C31 87AF 92DD AC46 086F D992 1B1C F442 8B1A
uid                  Samba Support <Samba@SerNet.DE>
+---------------------------------------------------------------------------------------+
[root@fs-1 ~]# vim /etc/yum.repos.d/sernet-samba-4.1.repo
+---------------------------------------------------------------------------------------+
[sernet-samba-4.1]
name=SerNet Samba 4.1 Packages (rhel-6)
type=rpm-md
baseurl=https://theary:X6s3uoetyoUApLeH1MJlJdgD6ekYAJCJ@download.sernet.de/packages/samba/4.1/rhel/6/
gpgcheck=1
gpgkey=https://theary:X6s3uoetyoUApLeH1MJlJdgD6ekYAJCJ@download.sernet.de/packages/samba/4.1/rhel/6/repodata/repomd.xml.key
enabled=1
+---------------------------------------------------------------------------------------+
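Two details of the repository files above deserve a second look. The DVD repo sets gpgcheck=0, so nothing verifies the packages it serves, and the SerNet repo embeds the subscription user and password in both baseurl and gpgkey; a .repo file written by root with the usual umask is mode 0644, so every local account can read that credential. The script below is an added example, not the guide's own code: it scans repository text for both conditions and prints one finding per line, naming the key but never the secret. The input is a constructed copy of the two files with the real credential replaced by the placeholders USER and PASSWORD; the function name is this example's own.

```shell
#!/bin/sh
# Added example: audit yum .repo text for embedded credentials and gpgcheck=0.

# Constructed sample; USER:PASSWORD stand in for the real subscription token.
REPO_SAMPLE='[rhel6_dvd]
name= DVD Redhat Enterprise Linux 6
baseurl=file:///media/cdrom/
enabled=1
gpgcheck=0

[sernet-samba-4.1]
name=SerNet Samba 4.1 Packages (rhel-6)
type=rpm-md
baseurl=https://USER:PASSWORD@download.sernet.de/packages/samba/4.1/rhel/6/
gpgcheck=1
gpgkey=https://USER:PASSWORD@download.sernet.de/packages/samba/4.1/rhel/6/repodata/repomd.xml.key
enabled=1'

# audit_repo TEXT -> prints "repo-id: finding" for every issue found.
# A credential is recognised as "://user:password@" in a URL-bearing key; the
# secret itself is not echoed, only the key that carries it.
audit_repo() {
    printf '%s\n' "$1" | awk '
        BEGIN { cred = "://[^/@]+:[^/@]+@" }
        /^\[.*\]$/ { id = substr($0, 2, length($0) - 2); next }
        $0 ~ "^(baseurl|gpgkey|mirrorlist)=" && $0 ~ cred {
            split($0, kv, "=")
            print id ": " kv[1] " embeds a user:password"
            next
        }
        /^gpgcheck *= *0/ { print id ": gpgcheck disabled" }'
}

# audit_repo_count TEXT -> number of findings (0 means clean).
audit_repo_count() {
    audit_repo "$1" | awk 'END { print NR }'
}

# Stand-alone run on the sample.
audit_repo "$REPO_SAMPLE"
printf 'findings: %s\n' "$(audit_repo_count "$REPO_SAMPLE")"
```

On a live host, `for f in /etc/yum.repos.d/*.repo; do audit_repo "$(cat "$f")"; done` covers every repository definition. For the credential finding the usual remedies are a 0600 mode on the file or a local mirror/proxy that holds the subscription; for the gpgcheck finding, a local DVD repo can still be verified by importing the vendor's release key and setting gpgcheck=1, and doing so costs nothing once the key is present.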
[root@fs-1 ~]# yum repolist
+---------------------------------------------------------------------------------------+
repo id                    repo name                               status
rhel6_dvd                  DVD Redhat Enterprise Linux 6            3,690
sernet-samba-4.1           SerNet Samba 4.1 Packages (rhel-6)          21
repolist: 3,711
+---------------------------------------------------------------------------------------+
Samba 4 Installation
[root@fs-1 ~]# yum install sernet-samba* sernet-samba-ad* -y
[root@fs-1 ~]# rpm -qa | grep sernet-samba
+---------------------------------------------------------------------------------------+
sernet-samba-client-4.1.6-7.el6.x86_64
sernet-samba-libsmbclient-devel-4.1.6-7.el6.x86_64
sernet-samba-common-4.1.6-7.el6.x86_64
sernet-samba-libsmbclient0-4.1.6-7.el6.x86_64
sernet-samba-4.1.6-7.el6.x86_64
sernet-samba-ad-4.1.6-7.el6.x86_64
sernet-samba-libwbclient-devel-4.1.6-7.el6.x86_64
sernet-samba-libs-4.1.6-7.el6.x86_64
sernet-samba-winbind-4.1.6-7.el6.x86_64
sernet-samba-debuginfo-4.1.6-7.el6.x86_64
+---------------------------------------------------------------------------------------+
[root@fs-1 ~]# chkconfig sernet-samba-ad on
[root@fs-1 ~]# chkconfig sernet-samba-nmbd on
[root@fs-1 ~]# chkconfig sernet-samba-smbd on
[root@fs-1 ~]# chkconfig sernet-samba-winbindd on
[root@fs-1 ~]# chkconfig | grep sernet-samba
+---------------------------------------------------------------------------------------+
sernet-samba-ad        0:off 1:off 2:on  3:on  4:on  5:on  6:off
sernet-samba-nmbd      0:off 1:off 2:on  3:on  4:on  5:on  6:off
sernet-samba-smbd      0:off 1:off 2:on  3:on  4:on  5:on  6:off
sernet-samba-winbindd  0:off 1:off 2:on  3:on  4:on  5:on  6:off
+---------------------------------------------------------------------------------------+
By default, if we do not specify the installation directory (prefix), it is /var/lib/samba/.
Setting up Kerberos
[root@fs-1 ~]# mv /etc/krb5.conf /etc/krb5.conf.orig
[root@fs-1 ~]# vim /etc/krb5.conf
+---------------------------------------------------------------------------------------+
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = ANGKORCAM.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }
+---------------------------------------------------------------------------------------+
[root@fs-1 ~]# chgrp named /etc/krb5.conf
Setting up a basic smb.conf
[root@fs-1 ~]# mkdir /data
[root@fs-1 ~]# mkdir /data/it
[root@fs-1 ~]# mkdir /data/hr
[root@fs-1 ~]# vim /etc/samba/smb.conf
+---------------------------------------------------------------------------------------+
[global]
    workgroup = ANGKORCAM
    security = ADS
    realm = ANGKORCAM.COM
    encrypt passwords = yes
    idmap config *:backend = tdb
    idmap config *:range = 70001-80000
    idmap config ANGKORCAM:backend = rid
    idmap config ANGKORCAM:default = yes
    idmap config ANGKORCAM:schema_mode = rfc2307
    idmap config ANGKORCAM:range = 500-40000

[it$]
    comment = IT department
    path = /data/it
    read only = no

[hr$]
    comment = Human Resource
    path = /data/hr
    read only = no
+---------------------------------------------------------------------------------------+
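The idmap block is what decides the Unix UIDs and GIDs that appear in the getent and id output later in this guide. With the rid backend the mapping is pure arithmetic, ID = RID - BASE_RID + LOW_RANGE_ID, where base_rid defaults to 0 and LOW_RANGE_ID is the low end of `idmap config ANGKORCAM:range`; with a range of 500-40000, the Administrator account (RID 500) becomes UID 1000 and Domain Users (RID 513) becomes GID 1013, exactly as shown in the getent output below. Because the mapping is deterministic, every member server with the same range produces the same IDs, which is the main reason to prefer rid over the tdb default for the domain. A SID whose result falls outside the range is left unmapped, and the two ranges (the `*` default domain and ANGKORCAM) must not overlap. The script below is an added example, not from the guide: it applies the formula to the well-known RIDs, enforces the range bound, and checks the two ranges for overlap. The function names are this example's own; note also that schema_mode is an idmap_ad parameter and is not read by the rid backend.

```shell
#!/bin/sh
# Added example: the idmap_rid arithmetic behind the getent output.

# rid_to_id LOW HIGH RID [BASE_RID] -> prints ID = RID - BASE_RID + LOW, or
# returns 1 when the result falls outside LOW..HIGH (winbind leaves such a
# SID unmapped rather than inventing an ID).
rid_to_id() {
    low=$1; high=$2; rid=$3; base=${4:-0}
    id=$((rid - base + low))
    [ "$id" -ge "$low" ] && [ "$id" -le "$high" ] || return 1
    echo "$id"
}

# ranges_disjoint LOW1 HIGH1 LOW2 HIGH2 -> 0 when the ranges do not overlap.
# Overlapping idmap ranges let two backends claim the same ID for different
# SIDs, so the configuration must keep them distinct.
ranges_disjoint() {
    [ "$2" -lt "$3" ] || [ "$4" -lt "$1" ]
}

# show_mapping NAME RID -> one line in the spirit of `id NAME`, for the
# ANGKORCAM range 500-40000 used in this guide.
show_mapping() {
    printf '%-14s RID %4s -> ID %s\n' "$1" "$2" "$(rid_to_id 500 40000 "$2" || echo unmapped)"
}

# Well-known Active Directory RIDs; compare with the getent output.
show_mapping administrator 500
show_mapping guest 501
show_mapping krbtgt 502
show_mapping "domain admins" 512
show_mapping "domain users" 513
show_mapping "out-of-range" 39600

if ranges_disjoint 500 40000 70001 80000; then
    echo "idmap ranges 500-40000 and 70001-80000 do not overlap"
else
    echo "idmap ranges overlap: fix smb.conf before starting winbindd"
fi
```

Two practical consequences follow from the formula. First, the low end of the range is effectively the base for every RID, so changing the range later renumbers every file owner on the share; pick it once. Second, the rid backend has no way to honour UIDs stored in AD (the rfc2307 uidNumber attribute); if those are required, the ad backend is the right choice and the schema_mode line then becomes meaningful.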
Joining the member server to the domain
[root@fs-1 ~]# net ads join -U administrator
+---------------------------------------------------------------------------------------+
Enter administrator's password:
Using short domain name -- ANGKORCAM
Joined FS-1 to dns domain angkorcam.com
+---------------------------------------------------------------------------------------+
Starting the daemons
[root@fs-1 ~]# cp /etc/default/sernet-samba /etc/default/sernet-samba.orig
[root@fs-1 ~]# vim /etc/default/sernet-samba
+---------------------------------------------------------------------------------------+
SAMBA_START_MODE="classic"
+---------------------------------------------------------------------------------------+
[root@fs-1 ~]# service sernet-samba-smbd start
+---------------------------------------------------------------------------------------+
Starting SAMBA smbd :                                      [  OK  ]
+---------------------------------------------------------------------------------------+
[root@fs-1 ~]# service sernet-samba-nmbd start
+---------------------------------------------------------------------------------------+
Starting SAMBA nmbd :                                      [  OK  ]
+---------------------------------------------------------------------------------------+
[root@fs-1 ~]# service sernet-samba-winbindd start
+---------------------------------------------------------------------------------------+
Starting SAMBA winbindd :                                  [  OK  ]
+---------------------------------------------------------------------------------------+
Realm: ANGKORCAM.COM
Bind Path: dc=ANGKORCAM,dc=COM
LDAP port: 389
Server time: Fri, 04 Apr 2014 16:34:34 ICT
KDC server: 192.168.122.5
Server time offset: 1
+---------------------------------------------------------------------------------------+
[root@fs-1 ~]# getent passwd
+---------------------------------------------------------------------------------------+
administrator:*:1000:1013:Administrator:/home/ANGKORCAM/administrator:/bin/bash
theary.sorn:*:1607:1013:theary.sorn:/home/ANGKORCAM/theary.sorn:/bin/bash
dns-dc-2:*:1606:1013:dns-DC-2:/home/ANGKORCAM/dns-dc-2:/bin/bash
dns-dc-1:*:1601:1013:dns-dc-1:/home/ANGKORCAM/dns-dc-1:/bin/bash
krbtgt:*:1002:1013:krbtgt:/home/ANGKORCAM/krbtgt:/bin/bash
guest:*:1001:1014:Guest:/home/ANGKORCAM/guest:/bin/bash
+---------------------------------------------------------------------------------------+
[root@fs-1 ~]# getent group
+---------------------------------------------------------------------------------------+
allowed rodc password replication group:x:1071:
enterprise read-only domain controllers:x:998:
denied rodc password replication group:x:1072:krbtgt
read-only domain controllers:x:1021:
group policy creator owners:x:1020:administrator
ras and ias servers:x:1053:
domain controllers:x:1016:
enterprise admins:x:1019:administrator
domain computers:x:1015:
cert publishers:x:1017:
dnsupdateproxy:x:1603:
domain admins:x:1012:administrator
domain guests:x:1014:
schema admins:x:1018:administrator
domain users:x:1013:
dnsadmins:x:1602:
+---------------------------------------------------------------------------------------+
[root@fs-1 ~]# id administrator
+---------------------------------------------------------------------------------------+
uid=1000(administrator) gid=1013(domain users) groups=1013(domain users),1020(group policy creator owners),1072(denied rodc password replication group),1019(enterprise admins),1018(schema admins),1012(domain admins)
+---------------------------------------------------------------------------------------+
[root@fs-1 ~]# id theary.sorn
+---------------------------------------------------------------------------------------+
uid=1607(theary.sorn) gid=1013(domain users) groups=1013(domain users)
+---------------------------------------------------------------------------------------+
[root@fs-1 ~]# net rpc rights list accounts -Uadministrator
+---------------------------------------------------------------------------------------+
BUILTIN\Server Operators
No privileges assigned
BUILTIN\Administrators
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege
SeSecurityPrivilege
SeSystemtimePrivilege
SeShutdownPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege
SeProfileSingleProcessPrivilege
SeIncreaseBasePriorityPrivilege
SeLoadDriverPrivilege
SeCreatePagefilePrivilege
SeIncreaseQuotaPrivilege
SeChangeNotifyPrivilege
SeUndockPrivilege
SeManageVolumePrivilege
SeImpersonatePrivilege
SeCreateGlobalPrivilege
SeEnableDelegationPrivilege
+---------------------------------------------------------------------------------------+
[root@fs-1 ~]# net rpc rights grant 'ANGKORCAM\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
+---------------------------------------------------------------------------------------+
Enter administrator's password:
Successfully granted rights.
+---------------------------------------------------------------------------------------+
By: Theary SORN