-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathSamba_DC
213 lines (206 loc) · 20.7 KB
/
Samba_DC
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
Установка/настройка контроллера домена Samba DC на OC Linux RedOS 7.3.2 Workstation
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
При создании виртуаки рекомендуется выделить: Sockets: 2; Cores: 2; Memory(MiB): 8192.
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
После установки рабочей станции, обязательно нужно прописать статику(пример):
IP-адрес: 192.168.88.165; Mask: 255.255.255.0(24); Gateway: 192.168.88.1; Серверы DNS: 77.88.8.88(ya.ru); Поисковый домен: test.local
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
ifdown ens18 && ifup ens18 |#|#| Перезапуск сетевого интерфейса.
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
yum update -y && yum upgrade -y |#|#| Поиск и обновление пакетов.
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
reboot |#|#| Перезагрузка системы.
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
yum install samba-client*.x86_64 samba-common.noarch samba-common*x86_64 samba-dc*.x86_64 samba-libs*.x86_64 samba-winbind*.x86_64 -y |#|#| Установка необходимых пакетов
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
smbd -b | grep HAVE_LIBKADM5SRV_MIT |#|#| Проверка Samba на наличие Kerberos Heimdal. Если команда выдаёт "HAVE_LIBKADM5SRV_MIT", тогда нужно установить Samba с поддержкой Kerberos Heimdal.
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
mv /etc/krb5.conf /etc/krb5.conf.bak |#|#| Переименование дефолтного файла Kerberos.
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
mv /etc/samba/smb.conf /etc/samba/smb.conf.bak |#|#| Переименование дефолтного файла Samba.
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
smbd -V |#|#| Команда проверки установленной версии Samba.
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
nano /etc/selinux/config |#|#| В файле config нужно поменять статус SElinux. Заменить текст SELINUX=enforcing на SELINUX=permissive.
setenforce 0
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
hostnamectl set-hostname dc1.test.local |#|#| Смена имени сервера.
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
nano /etc/hosts |#|#| В файле hosts нужно добавить ниже IP-адрес сервера, его полное и короткое имя.
Пример: 192.168.88.165 dc1.test.local dc1
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
systemctl restart NetworkManager |#|#| Перезагразка сетевого интерфейса.
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
cat /etc/resolv.conf |#|#| Проверка файла resolv.conf в прописанными dns-адресами.
Вывод должнен быть таким:
# Generated by NetworkManager
search test.local
nameserver 77.88.8.88
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
samba-tool domain provision --use-rfc2307 --interactive |#|#| Запуск конфигурирования Samba в роли контроллера домена в интерактивном режиме.
------------
Realm [TEST.LOCAL]:
Domain [TEST]:
Server Role (dc, member, standalone) [dc]: dc
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
DNS forwarder IP address (write 'none' to disable forwarding) [77.88.8.88]: 192.168.88.165
Administrator password:
Retype password:
INFO 2023-02-03 12:55:46,492 pid:4043 /usr/lib64/python3.8/site-packages/samba/provision/__init__.py #2108: Looking up IPv4 addresses
INFO 2023-02-03 12:55:46,494 pid:4043 /usr/lib64/python3.8/site-packages/samba/provision/__init__.py #2125: Looking up IPv6 addresses
WARNING 2023-02-03 12:55:46,495 pid:4043 /usr/lib64/python3.8/site-packages/samba/provision/__init__.py #2132: No IPv6 address will be assigned
INFO 2023-02-03 12:55:46,755 pid:4043 /usr/lib64/python3.8/site-packages/samba/provision/__init__.py #2274: Setting up share.ldb
INFO 2023-02-03 12:55:46,771 pid:4043 /usr/lib64/python3.8/site-packages/samba/provision/__init__.py #2278: Setting up secrets.ldb
INFO 2023-02-03 12:55:46,783 pid:4043 /usr/lib64/python3.8/site-packages/samba/provision/__init__.py #2283: Setting up the registry
INFO 2023-02-03 12:55:46,825 pid:4043 /usr/lib64/python3.8/site-packages/samba/provision/__init__.py #2286: Setting up the privileges database
INFO 2023-02-03 12:55:46,847 pid:4043 /usr/lib64/python3.8/site-packages/samba/provision/__init__.py #2289: Setting up idmap db
INFO 2023-02-03 12:55:46,862 pid:4043 /usr/lib64/python3.8/site-packages/samba/provision/__init__.py #2296: Setting up SAM db
INFO 2023-02-03 12:55:46,867 pid:4043 /usr/lib64/python3.8/site-packages/samba/provision/__init__.py #880: Setting up sam.ldb partitions and settings
INFO 2023-02-03 12:55:46,868 pid:4043 /usr/lib64/python3.8/site-packages/samba/provision/__init__.py #892: Setting up sam.ldb rootDSE
INFO 2023-02-03 12:55:46,871 pid:4043 /usr/lib64/python3.8/site-packages/samba/provision/__init__.py #1305: Pre-loading the Samba 4 and AD schema
Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs
INFO 2023-02-03 12:55:46,909 pid:4043 /usr/lib64/python3.8/site-packages/samba/provision/__init__.py #1383: Adding DomainDN: DC=test,DC=local
INFO 2023-02-03 12:55:46,922 pid:4043 /usr/lib64/python3.8/site-packages/samba/provision/__init__.py #1415: Adding configuration container
INFO 2023-02-03 12:55:46,933 pid:4043 /usr/lib64/python3.8/site-packages/samba/provision/__init__.py #1430: Setting up sam.ldb schema
INFO 2023-02-03 12:55:49,421 pid:4043 /usr/lib64/python3.8/site-packages/samba/provision/__init__.py #1448: Setting up sam.ldb configuration data
INFO 2023-02-03 12:55:49,554 pid:4043 /usr/lib64/python3.8/site-packages/samba/provision/__init__.py #1489: Setting up display specifiers
INFO 2023-02-03 12:55:51,254 pid:4043 /usr/lib64/python3.8/site-packages/samba/provision/__init__.py #1497: Modifying display specifiers and extended rights
INFO 2023-02-03 12:55:51,287 pid:4043 /usr/lib64/python3.8/site-packages/samba/provision/__init__.py #1504: Adding users container
INFO 2023-02-03 12:55:51,288 pid:4043 /usr/lib64/python3.8/site-packages/samba/provision/__init__.py #1510: Modifying users container
INFO 2023-02-03 12:55:51,289 pid:4043 /usr/lib64/python3.8/site-packages/samba/provision/__init__.py #1513: Adding computers container
INFO 2023-02-03 12:55:51,290 pid:4043 /usr/lib64/python3.8/site-packages/samba/provision/__init__.py #1519: Modifying computers container
INFO 2023-02-03 12:55:51,291 pid:4043 /usr/lib64/python3.8/site-packages/samba/provision/__init__.py #1523: Setting up sam.ldb data
INFO 2023-02-03 12:55:51,397 pid:4043 /usr/lib64/python3.8/site-packages/samba/provision/__init__.py #1553: Setting up well known security principals
INFO 2023-02-03 12:55:51,435 pid:4043 /usr/lib64/python3.8/site-packages/samba/provision/__init__.py #1567: Setting up sam.ldb users and groups
INFO 2023-02-03 12:55:51,552 pid:4043 /usr/lib64/python3.8/site-packages/samba/provision/__init__.py #1575: Setting up self join
Repacking database from v1 to v2 format (first record CN=ms-SPP-Installation-Id,CN=Schema,CN=Configuration,DC=test,DC=local)
Repack: re-packed 10000 records so far
Repacking database from v1 to v2 format (first record CN=interSiteTransport-Display,CN=C04,CN=DisplaySpecifiers,CN=Configuration,DC=test,DC=local)
Repacking database from v1 to v2 format (first record CN=ipsecNFA{59319BE2-5EE3-11D2-ACE8-0060B0ECCA17},CN=IP Security,CN=System,DC=test,DC=local)
INFO 2023-02-03 12:55:52,602 pid:4043 /usr/lib64/python3.8/site-packages/samba/provision/sambadns.py #1200: Adding DNS accounts
INFO 2023-02-03 12:55:52,619 pid:4043 /usr/lib64/python3.8/site-packages/samba/provision/sambadns.py #1234: Creating CN=MicrosoftDNS,CN=System,DC=test,DC=local
INFO 2023-02-03 12:55:52,634 pid:4043 /usr/lib64/python3.8/site-packages/samba/provision/sambadns.py #1247: Creating DomainDnsZones and ForestDnsZones partitions
INFO 2023-02-03 12:55:52,677 pid:4043 /usr/lib64/python3.8/site-packages/samba/provision/sambadns.py #1252: Populating DomainDnsZones and ForestDnsZones partitions
Repacking database from v1 to v2 format (first record DC=j.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=local)
Repacking database from v1 to v2 format (first record DC=_kerberos._tcp.Default-First-Site-Name._sites.dc,DC=_msdcs.test.local,CN=MicrosoftDNS,DC=ForestDnsZones,DC=test,DC=local)
INFO 2023-02-03 12:55:52,849 pid:4043 /usr/lib64/python3.8/site-packages/samba/provision/__init__.py #2012: Setting up sam.ldb rootDSE marking as synchronized
INFO 2023-02-03 12:55:52,852 pid:4043 /usr/lib64/python3.8/site-packages/samba/provision/__init__.py #2017: Fixing provision GUIDs
INFO 2023-02-03 12:55:53,923 pid:4043 /usr/lib64/python3.8/site-packages/samba/provision/__init__.py #2348: A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf
INFO 2023-02-03 12:55:53,923 pid:4043 /usr/lib64/python3.8/site-packages/samba/provision/__init__.py #2350: Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
INFO 2023-02-03 12:55:53,967 pid:4043 /usr/lib64/python3.8/site-packages/samba/provision/__init__.py #2082: Setting up fake yp server settings
INFO 2023-02-03 12:55:54,024 pid:4043 /usr/lib64/python3.8/site-packages/samba/provision/__init__.py #487: Once the above files are installed, your Samba AD server will be ready to use
INFO 2023-02-03 12:55:54,024 pid:4043 /usr/lib64/python3.8/site-packages/samba/provision/__init__.py #492: Server Role: active directory domain controller
INFO 2023-02-03 12:55:54,024 pid:4043 /usr/lib64/python3.8/site-packages/samba/provision/__init__.py #493: Hostname: dc1
INFO 2023-02-03 12:55:54,024 pid:4043 /usr/lib64/python3.8/site-packages/samba/provision/__init__.py #494: NetBIOS Domain: TEST
INFO 2023-02-03 12:55:54,024 pid:4043 /usr/lib64/python3.8/site-packages/samba/provision/__init__.py #495: DNS Domain: test.local
INFO 2023-02-03 12:55:54,024 pid:4043 /usr/lib64/python3.8/site-packages/samba/provision/__init__.py #496: DOMAIN SID: S-1-5-21-25273870-955602320-113037211
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
После окончания конфигурирования контроллера домена, нужно зайти в настройки сетевого интерфейса и встроке "Серверы DNS" поменять адрес 77.88.8.88 на 192.168.88.165.
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
nano /etc/samba/smb.conf |#|#| В файле smb.conf, раздел [global] нужно привести к следующему виду:
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
[global]
log level = 3
dns forwarder = 192.168.88.165
netbios name = DC1
realm= TEST.LOCAL
server role = active directory domain controller
workgroup= TEST
idmap_ldb:use rfc2307 = yes
vfs objects = dfs_samba4 acl_xattr
map acl inherit = yes
store dos attributes = yes
allow dns updates = nonsecure
nsupdate command = /usr/bin/nsupdate -g
dsdb:schema update allowed = true
security = user
map to guest = bad user
wins support = no
dns proxy = no
[sysvol]
path = /var/lib/samba/sysvol
read only = No
[netlogon]
path = /var/lib/samba/sysvol/test.local/scripts
read only = No
[public]
path = /samba/public
guest ok = yes
force user = nobody
browsable = yes
writable = yes
[private]
path = /samba/private
valid users = @smbgrp
guest ok = no
browsable = yes
writable = yes
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
testparm |#|#| Команда для проверки работоспособности файла "smb.conf" в каталоге "/etc/samba/"
При хорошем раскладе вывод должен быть таким:
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
Load smb config files fr om /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed
Server role: ROLE_ACTIVE_DIRECTORY_DC
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
cp /var/lib/samba/private/krb5.conf /etc/ |#|#| Копирование сконфигурированного файла Kerberos.
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
nano /etc/krb5.conf |#|#| Файл нужно привести к следующему виду:
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
[libdefaults]
default_realm = TEST.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
[realms]
TEST.LOCAL = {
default_domain = test.local
}
[domain_realm]
dc1 = TEST.LOCAL
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
systemctl status samba.service |#|#| Проверка статуса Samba.
systemctl start samba.service |#|#| Запуск службы Samba.
systemctl enable samba.service --now |#|#| Добавление в автозапуск сервиса Samba
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
reboot |#|#| Перезапуск системы
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
ping ya.ru |#|#| Команда проверки dns
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
ps ax | egrep "samba|smbd|nmbd|winbindd" |#|#| Команда проверки запущенных процессов
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
wbinfo --ping-dc |#|#| Команда для проверки подключения службы Winbind к контроллеру домена
При упешном подключении Winbind
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
wbinfo -u |#|#| Команда для показа доменных пользователей
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
wbinfo -g |#|#| Команда для показа доменных групп
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
yum install -y redadm |#|#| Команда для установки Web-интерфейса, для управления для управления доменом Samba
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
nano /etc/redadm/server.conf |#|#| Команда для настройки конфигурационного файла Samba-сервера
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
Пример настройки конфигурационного файла:
-----------------------------------------
[SETTINGS]
name= test.local |#|#| Имя вашего домена
ldap_url= ldaps://192.168.88.165:636 |#|#| ldaps-адрес к нужному контроллеру домена, в нашем случае это Samba DC
cert_path= /etc/pki/ca-trust/source/anchors/ca.pem |#|#| адрес сертификата TLS(SSL) (создается автоматически при установке, можете указать свой)
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
nano /etc/redadm/client.conf
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
[SETTINGS]
IP=192.168.88.165 |#|#| IP-адрес вашего сервера RedAdm, к которому будут подключаться клиенты
PORT=8989 |#|#| Порт, к которому будут подключаться клиенты РЕД АДМ
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
systemctl enable redadm.service redis.service redadm-celery-worker.service redadm-celery-beat.service --now |#|#| Команда для добавления в автозагрузку
сервисов ПО RedAdm
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
systemctl restart redadm
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
Вход осуществляется с помощью доменной учетной записи Linux RedOS 7.3.2 Workstation
Ссылка для входа: http://ip-address:8989
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
На этом установка и настройка КД Samba DC окончена! Спасибо за внимание)