Samba Active Directory Domain Controller, CentOS 6 + Samba 4 Options

[Robert83]

Hello Everyone,

This one is going to be a SAMBA Active Directory on CentOS 6.x

STEP 1. - Install base system

Download CentOS 6.x iso from CentOS website ( sorry admin does not allow links )
Install system any way you like , with your partitioning layout does not matter .

In this example hostname is : samba4.home.lan and ip address is : 192.168.186.200

STEP 2 - Disable SeLINUX , Iptables

Now we disable SeLINUX like this :

CODE

chkconfig iptables off
chkconfig ip6tables off
vi /etc/selinux/config

Press i
Look for SELINUX= line and change it to SELINUX=disabled
Once you are done editing press ESC , then type :wq then press ENTER
Now we must reboot the server in order for SeLINUX to be disabled.

CODE

reboot

STEP 3. - Update System

CODE

yum update

STEP 4. - Enable SAMBA 4 repo

Why use different repo ? answer : CentOS 6 Samba misses a lot of tools, this is way better, and much much easier to setup , and works just as well.

CODE

touch /etc/yum.repos.d/SOGo.repo
vi /etc/yum.repos.d/SOGo.repo

Press i , then type in the following :

CODE

[sogo-rhel6]
name=Inverse SOGo Repository
baseurl=http://inverse.ca/downloads/SOGo/RHEL6/$basearch
gpgcheck=0

Once done editing press ESC , then type :wq and press ENTER

STEP 5 - Samba installation , configuration

CODE

yum install samba4

Once it is done you run the following command :

CODE

samba-tool domain provision --user-rfc2307 --interactive

Here a bunch of questions will be asked , but you only need to alter one for our setup :

Domain name : home.lan ( !!! in this example!!! )

After this all settings can be left at default, which means you should still read what it is asking, not just hit ENTER,ENTER,ENTER

Somewhere at the end it will ask for domain password, this is the Administrator password, so this at least should be complex
the system requires you to enter at least one uppercase character, some regular characters , and at least one number.
For example : Tksh48k .

Now samba will generate all the necessary db files , setup the necessary groups , users etc for this domain.

Next step we create the directory for our Roaming Profiles

CODE

mkdir /home/Profiles

And make sure our /etc/samba4/smb.conf looks like this :

CODE

[global]
     workgroup = HOME
     realm = HOME.LAN
     netbios name = SAMBA4
     server role = active directory domain controller
     dns forwarder = 8.8.8.8
     idmap_ldb:use rfc2307 = yes

[netlogon]
     path = /var/lib/samba4/sysvol/home.lan/scripts
     read only = No

[sysvol]
    path = /var/lib/samba4/sysvol
    read only = No

[Profiles]
    path = /home/Profiles/
    read only = No

If memory servers right you only need to add [Profiles] to your config file, everything else should already be there, I'm just posting my config
just in case.

STEP 6 - Configure Kerberos , Hosts, Resolv

Samba already generated the necessary Kerberos conf file for us , we only need to move it to the right place, but just in case something bad
could happen, we backup original Kerberos conf file.

CODE

mv /etc/krb5.conf /etc/krb5.conf.original
cp /var/lib/samba4/private/krb5.conf /etc/krb5.conf

Next step is to alter our hosts file it should look like this for the current test system :

/etc/hosts

CODE

127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
192.168.186.200 samba4.home.lan samba4
::1  localhost localhost.localdomain localhost6 localhost6.localdomain6

Then the resolv conf should look like this for the current test system :

/etc/resolv.conf

CODE

domain homa.lan
search home.lan
nameserver 192.168.186.200 8.8.8.8

8.8.8.8 - this is Google, for TESTING ONLY , please play nice and later use your own DNS server, or the ISP's .


TO BE CONTINUED ...

[Robert83]

Step 7 - Test Kerberos

In this step we will test if Kerberos is running properly .

First samba must be started, but it cannot be started with the init script , you can try but it will complain , so trust me and
do this instead.

- start samba

CODE

  samba

if you did everything as told and I made no type here, samba should be up and running without any errors...

- test kerberos

CODE

  kinit administrator

it will display the following :
type administrator password : - type in previously give admin password Tksh48k ( don't use this everywhere )

and you should receive something like this on CentOS 6

Warrning : Your password will expire in 41 days...

This means Samba4 is up and running , Kerberos is doing it's stuff , we are almost good to go.

Last thing is to add samba to /etc/rc.d/rc.local so that it is started every time the system boots up . (cannot be started with init scripts!)

So go ahead and edit your /etc/rc.d/rc.local file to look like this
( just add this line to the end of the file )

CODE

  /usr/sbin/samba

Step 8 - Reboot system , test again if everything is up and running

CODE

reboot

Login to system once rebooted

CODE

ping samba4.home.lan
ping www.google.com
kinit administrator

Every one of these commands should succeed , then proceed to next Step

TO BE CONTINUED ...

[Robert83]

Step 9 - Client configuration

VERY IMPORTANT : all clients in network must use 192.168.186.200 (ip address of samba ad) as primary dns server

Okay so lets join our first client, for whatever reason I tested it first with a Windows XP client , make sure it's in the samba subnet as the
AD , and make sure it is using AD ip as primary DNS, try to ping samba4.home.lan from WinXP client it should answer with
192.168.186.200

Next step is Right Click on My Computer , then Properties , Computer Name , click on Change
And select Domain , type in home.lan , click OK .
You will be asked for username , password , type in Administrator and the password , click OK , after a while you should
receive a message that you have successfully joined the domain home.lan

Reboot the WinXP computer, and login to domain home.lan (or home) with Administrator and password.

Now let's assume will will use this computer as a dedicated computer for managing all our domain related stuff .
(since I'm not able to link here pff , I will tell you the names of the software you need to download in order to be able to do that )

Windows 2003 Service Pack2 Administration tools pack for x86 editions
Windows Server 2003 Service Pack 1 32 bit Support Tools - ( .NET framework required, update WinXP first... )
Group Policy Management Console with Service Pack 1

Once you have all this installed you should have quiet a lot of tools available to you in
START - PROGRAMS - ADMINISTRATIVE TOOLS

What you will use most of the time is probably these two
Active Directory Users and Computers
and
Group Policy Management

Step 10 - Enable roaming profiles

On the Samba AD machine run :

CODE

mkdir -p /home/Profiles/Domain Users
smbcontroll all reload-config

From WindowsXP computer with Domain Administrative rights

Alter Security for Profiles folder
Domain Admin full access
Domain Users Read access

For Profiles/Domain Users
Domain Admin and Domain Users Full access

From AD Manager for User Robert Set profile path to
\\samba4.home.lan\Profiles\Domain Users\Robert

Login with robert... alter something on desktop, create a folder or something, logout.
Login again , check /home/Profiles/Domain Users/robert folder , data should be in there...
Now you can add another WinXP computer to the domain, login there with robert, you should be greeted with same desktop .

IMPORTANT THINGS TO KNOW ABOUT AD
FORGET ABOUT NETWORK NEIGHBORHOOD , YOU CANNOT BROWSE THE NETWORK, AND IT IS OKAY , WITH AD YOU SEARCH THE NETWORK
JUST LIKE THE INTERNET YOU DON'T BROWSE IT YOU SEARCH IT.
WITH AD YOU CENTRALLY MANAGE SHARED DRIVES, PRINTERS, YOU CAN SHARE ON COMPUTER A SHARE BUT YOU NEED TO PUBLISH IT WITH
AD FOR OTHER COMPUTERS TO BE VISIBLE.

THE FOLLOWING VIDEOS (pfff links again) SHOULD BE WATCHED

use www.google.com (note : all of them are youtube videos, and quiet helpfull to get you started )

Server 2008 Lesson 15 - Listing Shared Folders and Printers in
PC TechStream How To Map Network Drives With Group Policy Preferences In
Installing Software Using GPO


As you will see AD is quiet a complex beast, and I highly recommend watching these videos, PC TechStream ones are quiet good , you will learn a few
things, and you will also realize what at first seems complex gets quiet straghtforward after a while, and you will realize that it is much better then
SAMBA 3 NT Style domains.


Thank you for reading this GUIDE , hope it works for you.

Sincerely
Robert Becskei