Starting with version 4.0, Samba can run as an Active Directory (AD) domain controller (DC). In this tutorial I will show you how to set up Samba 4 as a domain controller with Windows 10, CentOS 7 and CentOS 6 clients.
In this tutorial I compile Samba 4 from source. If you are looking for an RPM-based Samba 4 installation and an SELinux configuration for Samba 4, please see my new Samba 4 tutorial here.
I will use 3 systems: a CentOS 7 server, a Windows 10 client for remote management, and a CentOS 7 and a CentOS 6 client for authentication.
- 192.168.1.190 - Samba 4 AD - CentOS 7
- 192.168.1.191 - remote management - Windows 10
- 192.168.1.22 - authentication client - CentOS 7
- 192.168.1.192 - authentication client - CentOS 6
Installing Samba 4
192.168.1.190 - Samba 4 AD - CentOS 7
The base system is a minimal CentOS 7 installation with SELinux disabled.
[root@samba4 ~]# sestatus
SELinux status:                 disabled
Create an entry in the /etc/hosts file.
[root@samba4 ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.1.190 samba4.sunil.cc samba4
Install the EPEL repository.
[root@samba4 ~]# yum install epel-release -y
Install all the packages needed to compile Samba 4.
[root@samba4 ~]# yum install perl gcc libacl-devel libblkid-devel gnutls-devel readline-devel python-devel gdb pkgconfig krb5-workstation zlib-devel setroubleshoot-server libaio-devel setroubleshoot-plugins \
  policycoreutils-python libsemanage-python setools-libs-python setools-libs popt-devel libpcap-devel sqlite-devel libidn-devel libxml2-devel libacl-devel libsepol-devel libattr-devel keyutils-libs-devel \
  cyrus-sasl-devel cups-devel bind-utils libxslt docbook-style-xsl openldap-devel pam-devel bzip2 vim wget -y
Now download the Samba 4 package. I am using samba-4.6.0, which is the latest release at the time of this setup.
[root@samba4 ~]# wget https://download.samba.org/pub/samba/stable/samba-4.6.0.tar.gz
Now let's build and install Samba 4.
[root@samba4 ~]# tar -zxvf samba-4.6.0.tar.gz
[root@samba4 ~]# cd samba-4.6.0
[root@samba4 samba-4.6.0]# ./configure --enable-debug --enable-selftest --with-ads --with-systemd --with-winbind
[root@samba4 samba-4.6.0]# make && make install
The build will take about 10 minutes depending on the speed of the system.
We will now provision the domain.
[root@samba4 samba]# samba-tool domain provision --use-rfc2307 --interactive
Realm [SUNIL.CC]:
Domain [SUNIL]:
Server Role (dc, member, standalone) [dc]: dc
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
DNS forwarder IP address (write 'none' to disable forwarding) [4.2.2.1]:
Administrator password:
Retype password:
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=sunil,DC=cc
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
ERROR(ldb): uncaught exception - operations error at ../source4/dsdb/samdb/ldb_modules/password_hash.c:2820
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 471, in run
    nosync=ldap_backend_nosync, ldap_dryrun_mode=ldap_dryrun_mode)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 2175, in provision
    skip_sysvolacl=skip_sysvolacl)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1787, in provision_fill
    next_rid=next_rid, dc_rid=dc_rid)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1447, in fill_samdb
    "KRBTGTPASS_B64": b64encode(krbtgtpass.encode('utf-16-le'))
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/common.py", line 55, in setup_add_ldif
    ldb.add_ldif(data, controls)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/__init__.py", line 225, in add_ldif
    self.add(msg, controls)
[root@samba4 samba]#
There will be errors during domain provisioning.
To fix them, comment out the line below in /etc/krb5.conf.
--------
#includedir /etc/krb5.conf.d/
--------
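The edit above can be scripted so that it is idempotent and keeps a backup. The following is an added example and not part of the original tutorial: a bash function that prefixes any active includedir directive with "#" (the usual cause of the provisioning error is that the Kerberos library bundled with this Samba build does not parse that directive) and leaves every other line of the file untouched. The demo runs on a constructed copy of a stock CentOS 7 krb5.conf header, never on the real /etc/krb5.conf.

```bash
#!/bin/bash
# Added example (not from the original tutorial): comment out the
# "includedir" directive that makes "samba-tool domain provision" fail
# on CentOS 7, without touching anything else in the file.
set -eu

# Prefix every active "includedir" line with "#". Already-commented lines
# do not match, so running this twice never produces "##".
disable_krb5_includedir() {
    local conf="$1"
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    # take a backup only when this run is actually going to change something
    if grep -Eq '^[[:space:]]*includedir[[:space:]]' "$conf"; then
        cp -p "$conf" "$conf.bak"
        sed -i -E 's/^([[:space:]]*)(includedir[[:space:]])/\1#\2/' "$conf"
    fi
}

# Return 0 when no active includedir directive is left in the file.
krb5_includedir_disabled() {
    ! grep -Eq '^[[:space:]]*includedir[[:space:]]' "$1"
}

# Demo on a constructed copy of the CentOS 7 default header.
demo_krb5_fix() {
    local tmp
    tmp=$(mktemp)
    cat >"$tmp" <<'EOF'
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
EOF
    disable_krb5_includedir "$tmp"
    disable_krb5_includedir "$tmp"   # second run must be a no-op
    cat "$tmp"
    rm -f "$tmp" "$tmp.bak"
}

demo_krb5_fix
```

To apply it on the DC, call disable_krb5_includedir /etc/krb5.conf as root and re-run the provisioning; the original file is kept as /etc/krb5.conf.bak.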
Run the domain provisioning again; this time the domain is created without errors.
[root@samba4 etc]# samba-tool domain provision --use-rfc2307 --interactive
Realm [SUNIL.CC]:
Domain [SUNIL]:
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
DNS forwarder IP address (write 'none' to disable forwarding) [4.2.2.1]:
Administrator password:
Retype password:
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=sunil,DC=cc
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=sunil,DC=cc
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba AD has been generated at /usr/local/samba/private/krb5.conf
Setting up fake yp server settings
Once the above files are installed, your Samba4 server will be ready to use
Server Role:           active directory domain controller
Hostname:              samba4
NetBIOS Domain:        SUNIL
DNS Domain:            sunil.cc
DOMAIN SID:            S-1-5-21-2936486394-2075362935-551615353
[root@samba4 etc]#
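Before opening the firewall and joining clients, it is worth confirming that the new DC answers the lookups clients will make. The script below is an added example, not from the tutorial. It assumes the realm sunil.cc, the DC name samba4.sunil.cc and the address 192.168.1.190 from the summary above, that host (bind-utils), kinit/klist (krb5-workstation) and smbclient are on the PATH, and that the DC resolves names through Samba's internal DNS (a nameserver entry in /etc/resolv.conf pointing at itself), which the tutorial does not set up explicitly.

```bash
#!/bin/bash
# Added post-provision sanity check; not part of the original tutorial.
# Assumed names (taken from the provisioning summary): realm sunil.cc,
# DC samba4.sunil.cc at 192.168.1.190. Override via the environment.
REALM="${REALM:-sunil.cc}"
DC="${DC:-samba4.sunil.cc}"
DC_IP="${DC_IP:-192.168.1.190}"

# Reduce one answer line of "host -t SRV" to "<port> <target>" without the
# trailing dot. Prints nothing and returns 1 for NXDOMAIN / "no SRV record".
parse_srv() {
    printf '%s\n' "$1" | awk '
        /has SRV record/ { sub(/\.$/, "", $NF); print $(NF-1), $NF; found = 1 }
        END { exit found ? 0 : 1 }'
}

# Verify that the AD DNS zone advertises this DC for one service and port.
check_srv() {   # check_srv <service label> <expected port>
    local name="$1.$REALM" want="$2" got
    if ! got=$(host -t SRV "$name." 2>/dev/null | parse_srv); then
        echo "FAIL $name: no SRV record (is this host resolving via Samba's DNS?)"
        return 1
    fi
    if [ "$got" = "$want $DC" ]; then
        echo "ok   $name -> $got"
    else
        echo "FAIL $name -> $got (expected $want $DC)"
        return 1
    fi
}

# The records every AD client needs to locate a DC, plus the DC's own A record.
check_dns() {
    check_srv _ldap._tcp 389 && check_srv _kerberos._udp 88 \
        && check_srv _kerberos._tcp 88 && check_srv _kpasswd._udp 464 || return 1
    local addr
    addr=$(host -t A "$DC." 2>/dev/null | awk '/has address/ { print $NF }')
    if [ "$addr" = "$DC_IP" ]; then
        echo "ok   $DC -> $addr"
    else
        echo "FAIL $DC resolves to '${addr:-nothing}', expected $DC_IP"; return 1
    fi
}

# The built-in shares must be served; Group Policy and logon scripts depend on them.
check_shares() {
    local list share
    list=$(smbclient -L localhost -U% 2>/dev/null) || { echo "FAIL smbclient -L localhost"; return 1; }
    for share in netlogon sysvol; do
        if printf '%s\n' "$list" | grep -qi "^[[:space:]]*$share[[:space:]]"; then
            echo "ok   share $share"
        else
            echo "FAIL share $share missing"; return 1
        fi
    done
}

# Get a TGT for the domain administrator from the Samba KDC (prompts for the
# password chosen at provisioning) and list it.
check_kerberos() {
    local realm_uc
    realm_uc=$(printf '%s' "$REALM" | tr '[:lower:]' '[:upper:]')
    kinit "administrator@$realm_uc" && klist
}

main() { check_dns && check_shares && check_kerberos && echo "all checks passed"; }
# Only run the live checks when invoked as "./check-dc.sh --run".
if [ "${1:-}" = "--run" ]; then main; fi
```

A FAIL on the SRV records with the DC itself running almost always means the resolver is still pointing at an external DNS server; clients joined later will fail the same way, so fix it here first.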
Make sure the ports are open in the firewall.
[root@samba4 etc]# firewall-cmd --add-port=53/tcp --permanent; firewall-cmd --add-port=53/udp --permanent; firewall-cmd --add-port=88/tcp --permanent; firewall-cmd --add-port=88/udp --permanent; \
  firewall-cmd --add-port=135/tcp --permanent; firewall-cmd --add-port=137-138/udp --permanent; firewall-cmd --add-port=139/tcp --permanent; \
  firewall-cmd --add-port=389/tcp --permanent; firewall-cmd --add-port=389/udp --permanent; firewall-cmd --add-port=445/tcp --permanent; \
  firewall-cmd --add-port=464/tcp --permanent; firewall-cmd --add-port=464/udp --permanent; firewall-cmd --add-port=636/tcp --permanent; \
  firewall-cmd --add-port=1024-5000/tcp --permanent; firewall-cmd --add-port=3268-3269/tcp --permanent
[root@samba4 ~]# firewall-cmd --reload
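The same port set as one table, so that the rules applied on the DC and the reachability probe run from a client use identical data. This is an added example, not part of the tutorial; it assumes firewalld on the DC and bash plus timeout(1) on the client. Port ranges and UDP entries are listed but not probed, because a closed UDP port cannot be told apart from a silent one without a protocol-level probe.

```bash
#!/bin/bash
# Added example (not from the original tutorial): the AD DC port set from the
# firewall-cmd lines above, kept in one table that both the DC-side apply
# function and the client-side probe consume.

# port[-range]/protocol, one per line; identical to the tutorial's firewall-cmd calls.
ad_dc_ports() {
    cat <<'EOF'
53/tcp
53/udp
88/tcp
88/udp
135/tcp
137-138/udp
139/tcp
389/tcp
389/udp
445/tcp
464/tcp
464/udp
636/tcp
1024-5000/tcp
3268-3269/tcp
EOF
}

# On the DC: open every entry permanently, then reload once at the end.
open_ad_dc_ports() {
    local p
    while read -r p; do
        firewall-cmd --permanent --add-port="$p" >/dev/null || return 1
    done < <(ad_dc_ports)
    firewall-cmd --reload
}

# Return 0 if a TCP connect to <host> <port> succeeds within 3 seconds.
tcp_open() {
    timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# From a client: probe the single TCP ports; the return value is the number
# of ports that did not answer, so 0 means everything is reachable.
probe_dc_tcp() {   # probe_dc_tcp <dc host or ip>
    local entry port fails=0
    for entry in $(ad_dc_ports | grep '/tcp$' | grep -v -- '-'); do
        port=${entry%/tcp}
        if tcp_open "$1" "$port"; then
            echo "open   $1:$port"
        else
            echo "CLOSED $1:$port"; fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# Usage: on the DC "open_ad_dc_ports"; on a client "probe_dc_tcp 192.168.1.190".
```

The 1024-5000/tcp entry is the dynamic RPC port range older Samba releases use, which is why the list is so wide; a practitioner would normally bind the whole set to a firewalld zone that only contains the internal interface rather than the default zone, and confirm the result with firewall-cmd --list-ports.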
Create a systemd unit so the service starts automatically on reboot.
[root@samba4 ~]# cat /etc/systemd/system/samba.service
[Unit]
Description=Samba 4 Active Directory
After=syslog.target
After=network.target

[Service]
Type=forking
PIDFile=/usr/local/samba/var/run/samba.pid
ExecStart=/usr/local/samba/sbin/samba

[Install]
WantedBy=multi-user.target
[root@samba4 ~]# systemctl enable samba
Created symlink from /etc/systemd/system/multi-user.target.wants/samba.service to /etc/systemd/system/samba.service.
[root@samba4 ~]# systemctl start samba
Adding the Windows host to the domain
192.168.1.191 - remote management - Windows 10
Make sure the host is configured with a static IP address.
Adding the host to the domain.
To manage Samba 4 from Windows, we need to install the Microsoft Remote Server Administration Tools (RSAT).
The wiki page contains the download links: https://wiki.samba.org/index.php/Installing_RSAT
Installing the RSAT tools on Windows 10
Run the installer.
After the reboot, open Run and type dsa.msc
Click on the sunil.cc domain and right-click New > Users.
Creating a test user.
Client authentication against Samba 4 on CentOS 7
192.168.1.22 - authentication client on CentOS 7
Installing the packages:
# yum -y install realmd sssd oddjob oddjob-mkhomedir adcli samba-common
Check connectivity to Samba 4:
# realm discover SUNIL.CC
sunil.cc
  type: kerberos
  realm-name: SUNIL.CC
  domain-name: sunil.cc
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  login-formats: %U
  login-policy: allow-realm-logins
Join the domain.
# realm join SUNIL.CC
Password for Administrator:
Check whether we can look up the user from Samba 4.
# id SUNIL\\testuser
uid=1570001104(testuser@sunil.cc) gid=1570000513(domain users@sunil.cc) groups=1570000513(domain users@sunil.cc)
Configure sssd.
# cat /etc/sssd/sssd.conf
[sssd]
domains = sunil.cc
config_file_version = 2
services = nss, pam

[domain/sunil.cc]
ad_domain = sunil.cc
krb5_realm = SUNIL.CC
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
Restart sssd.
# systemctl restart sssd
# systemctl enable sssd
Check the user.
# id sambauser@sunil.cc
uid=1570001105(sambauser@sunil.cc) gid=1570000513(domain users@sunil.cc) groups=1570000513(domain users@sunil.cc),1570000512(domain admins@sunil.cc),1570000572(denied rodc password replication group@sunil.cc)
To get the user without the domain suffix:
# vim /etc/sssd/sssd.conf
-----------
use_fully_qualified_names = False
-----------
Restart sssd and check the id command again.
# systemctl restart sssd
# id sambauser
uid=1570001105(sambauser) gid=1570000513(domain users) groups=1570000513(domain users),1570000512(domain admins),1570000572(denied rodc password replication group)
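Editing sssd.conf by hand works, but a small helper makes the change reproducible across clients and enforces the file mode sssd insists on. The following is an added example and not part of the tutorial: sssd_set_option replaces or adds one key inside a given section of the INI-style file shown above, and sssd_apply flushes the sssd cache before restarting the service. It assumes the [sssd] / [domain/<name>] layout used here and that sss_cache from the sssd packages is installed.

```bash
#!/bin/bash
# Added helper for editing sssd.conf; not part of the original tutorial.
# Assumes the INI layout shown above ([sssd] and [domain/<name>] sections)
# and that sss_cache from the sssd packages is available.

# sssd_set_option <conf> <section> <key> <value>
# Replaces the key if it exists in that section, appends it to the section
# otherwise, and creates the section if it is missing. Comments and the
# other sections are passed through untouched.
sssd_set_option() {
    local conf="$1" tmp
    tmp=$(mktemp) || return 1
    awk -v sec="$2" -v key="$3" -v val="$4" '
        function flush() { while (nb > 0) { print ""; nb-- } }
        /^[ \t]*\[/ {                       # a section header
            if (insec && !done) { print key " = " val; done = 1 }
            flush()
            h = $0; gsub(/[ \t]/, "", h)
            insec = (h == "[" sec "]")
        }
        insec && /^[ \t]*$/ { nb++; next }  # hold blank lines until the section ends
        insec && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            if (!done) { print key " = " val; done = 1 }
            next
        }
        { print }
        END {
            if (!done) { if (!insec) print "[" sec "]"; print key " = " val }
            flush()
        }' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$conf" && rm -f "$tmp"
    # sssd refuses to start unless its config is owned by root with mode 0600
    chown root:root "$conf" 2>/dev/null || true
    chmod 600 "$conf"
}

# Flush cached identities (entries looked up under the old name form may
# still be cached) and restart the daemon so the new setting takes effect.
sssd_apply() {
    sss_cache -E
    systemctl restart sssd
}

# Usage on the CentOS 7 client, the same change as the manual edit above:
#   sssd_set_option /etc/sssd/sssd.conf domain/sunil.cc use_fully_qualified_names False
#   sssd_apply && id sambauser
```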
Client authentication against Samba 4 on CentOS 6
192.168.1.192 - authentication client on CentOS 6.
Installing the packages.
# yum install pam pam_ldap pam_krb5 sssd sssd-ldap sssd-common authconfig oddjob oddjob-mkhomedir openldap openldap-clients krb5-workstation adcli -y
Edit the Kerberos configuration file.
# cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = SUNIL.CC
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 SUNIL.CC = {
  kdc = samba4.sunil.cc
  admin_server = samba4.sunil.cc
 }

[domain_realm]
 .sunil.cc = SUNIL.CC
 sunil.cc = SUNIL.CC
We will use the adcli command to join the domain.
# adcli info sunil.cc
[domain]
domain-name = sunil.cc
domain-short = SUNIL
domain-forest = sunil.cc
domain-controller = samba4.sunil.cc
domain-controller-site = Default-First-Site-Name
domain-controller-flags = pdc gc ldap ds kdc timeserv closest writable good-timeserv full-secret
domain-controller-usable = yes
domain-controllers = samba4.sunil.cc
[computer]
computer-site = Default-First-Site-Name
# adcli join sunil.cc
Password for Administrator@SUNIL.CC:
Make sure the host's Kerberos keys were created (klist -ke lists the entries in /etc/krb5.keytab).
# klist -ke
Configure authentication.
# authconfig --enablesssd --enablesssdauth --enablemkhomedir --update
Now edit the sssd configuration to perform authentication.
# cat /etc/sssd/sssd.conf
[sssd]
services = nss, pam, ssh, autofs
config_file_version = 2
domains = sunil.cc

[domain/sunil.cc]
id_provider = ad
# Uncomment if service discovery is not working
# ad_server = server.win.example.com
default_shell = /bin/bash
fallback_homedir = /home/%u
Restart the sssd service.
# chkconfig sssd on
# service sssd restart
Stopping sssd:                                             [  OK  ]
Starting sssd:                                             [  OK  ]
Validate the user.
# id sambauser
uid=1570001105(sambauser) gid=1570000513(domain users) groups=1570000513(domain users),1570000512(domain admins),1570000572(denied rodc password replication group)