15 Steps to Set Up a Samba Active Directory DC on CentOS 8

Date: 2020-02-23 14:40:24  Source: igfitidea

In this tutorial I walk step by step through installing and configuring Samba as an Active Directory domain controller (AD DC) on a CentOS 8 Linux server. You may also want to look at FreeIPA: it is not a full replacement for Windows AD, but it is an integrated identity and authentication solution for Linux/UNIX network environments, with GUI access for managing and controlling user authentication and servers across the organization.

Creating an Active Directory DC means getting many different services (DNS, Kerberos, LDAP and so on) to work together in perfect coordination. Fortunately the Samba team has done an excellent job of simplifying this process, but it is still not trivial.

Samba as an AD DC supports only:

  • the integrated LDAP server as the AD back end.

  • the Heimdal Kerberos Key Distribution Center (KDC).

Lab environment

I brought up a CentOS 8 virtual machine with Oracle VirtualBox to set up my Samba domain controller.
The VM configuration is as follows:

Setting      Value
FQDN         samba-ad.example.com
IP address   192.168.43.154
OS           CentOS 8
Memory       6 GB
Disk         30 GB
vCPU         4

1. Preparation

According to the official Samba documentation, a few steps must be completed before provisioning an Active Directory domain controller with Samba.

1.1 Check file system support

To set up shares with extended access control list (ACL) support, the file system hosting the shares must have the user and system "xattr" namespaces enabled. On a Samba Active Directory (AD) domain controller (DC), samba-tool automatically validates this setting on the file system where the Sysvol share is created.

Make sure the kernel has the following options enabled:

CONFIG_EXT4_FS_POSIX_ACL=y
CONFIG_EXT4_FS_SECURITY=y

To check this, first find the kernel version loaded on the server:

[root@samba-ad ~]# uname -r
4.18.0-147.5.1.el8_1.x86_64

Next, check the boot config file for that kernel version:

[root@samba-ad ~]# grep -E "CONFIG_EXT4_FS_SECURITY|CONFIG_EXT4_FS_POSIX_ACL" /boot/config-4.18.0-147.5.1.el8_1.x86_64
CONFIG_EXT4_FS_POSIX_ACL=y
CONFIG_EXT4_FS_SECURITY=y

1.2 Configure the hosts file

Verify that the /etc/hosts file on the DC resolves the fully qualified domain name (FQDN) and the short host name to the DC's LAN IP address. For example:

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.43.154  samba-ad        samba-ad.example.com
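The two checks from sections 1.1 and 1.2, scripted so they can be re-run before every provisioning attempt. This is an added example, not code from the tutorial or from the Samba project. File paths are parameters, so the functions can run against copies of the files as well as the live system; the extra loopback check reflects the Samba wiki's requirement that the DC's name must not resolve to 127.0.0.1.

```shell
# Pre-flight checks for a Samba AD DC host (added example; not from the
# tutorial or the Samba project). POSIX sh, no bash-only features.

# check_kernel_acl_support [config-file]
# Returns 0 when CONFIG_EXT4_FS_POSIX_ACL and CONFIG_EXT4_FS_SECURITY are both
# set to y in the kernel config (default: the running kernel's /boot config).
check_kernel_acl_support() {
    cfg="${1:-/boot/config-$(uname -r)}"
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    rc=0
    for opt in CONFIG_EXT4_FS_POSIX_ACL CONFIG_EXT4_FS_SECURITY; do
        if grep -qx "$opt=y" "$cfg"; then
            echo "ok      $opt=y"
        else
            echo "MISSING $opt (expected =y)" >&2
            rc=1
        fi
    done
    return $rc
}

# check_hosts_entry <lan-ip> <fqdn> [hosts-file]
# Returns 0 when a non-comment line maps <lan-ip> to both the FQDN and the
# short host name, and the FQDN is not also listed on a loopback line.
check_hosts_entry() {
    ip="$1"; fqdn="$2"; hosts="${3:-/etc/hosts}"
    [ -r "$hosts" ] || { echo "cannot read $hosts" >&2; return 2; }
    awk -v ip="$ip" -v fqdn="$fqdn" -v short="${fqdn%%.*}" '
        { sub(/#.*/, "") }          # drop comments, NF is recomputed
        NF == 0 { next }
        {
            has_fqdn = 0; has_short = 0
            for (i = 2; i <= NF; i++) {
                if ($i == fqdn)  has_fqdn = 1
                if ($i == short) has_short = 1
            }
            if (has_fqdn && ($1 ~ /^127\./ || $1 == "::1")) loopback = 1
            if ($1 == ip && has_fqdn && has_short) found = 1
        }
        END {
            if (loopback) { print "FAIL    " fqdn " is also mapped to a loopback address" > "/dev/stderr"; exit 1 }
            if (!found)   { print "FAIL    no line maps " ip " to " fqdn " and " short > "/dev/stderr"; exit 1 }
            print "ok      " ip " -> " fqdn " " short
        }
    ' "$hosts"
}

# Stand-alone demo on constructed copies of the two files (not the live system).
demo_cfg=$(mktemp); demo_hosts=$(mktemp)
printf 'CONFIG_EXT4_FS_POSIX_ACL=y\nCONFIG_EXT4_FS_SECURITY=y\n' > "$demo_cfg"
printf '127.0.0.1 localhost\n192.168.43.154 samba-ad samba-ad.example.com\n' > "$demo_hosts"
check_kernel_acl_support "$demo_cfg"
check_hosts_entry 192.168.43.154 samba-ad.example.com "$demo_hosts"
rm -f "$demo_cfg" "$demo_hosts"
```

On the real DC, call both functions without the file argument (`check_kernel_acl_support` and `check_hosts_entry 192.168.43.154 samba-ad.example.com`); a non-zero exit from either means provisioning should not be attempted yet.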

1.3 Perform a cleanup

This section applies only if a Samba installation has previously run on this host; otherwise skip it.

Verify that no Samba processes are running:

# ps ax | egrep "samba|smbd|nmbd|winbindd"

If the output lists any samba, smbd, nmbd or winbindd processes, shut them down.

Remove the existing smb.conf file. To list the file's path:

# smbd -b | grep "CONFIGFILE"
   CONFIGFILE: /usr/local/samba/etc/samba/smb.conf

Remove all Samba database files, such as *.tdb and *.ldb files. To list the directories containing the Samba databases:

# smbd -b | egrep "LOCKDIR|STATEDIR|CACHEDIR|PRIVATE_DIR"
  LOCKDIR: /usr/local/samba/var/lock/
  STATEDIR: /usr/local/samba/var/locks/
  CACHEDIR: /usr/local/samba/var/cache/
  PRIVATE_DIR: /usr/local/samba/private/

Remove an existing /etc/krb5.conf file:

[root@samba-ad ~]# rm /etc/krb5.conf
rm: remove regular file '/etc/krb5.conf'? y

1.4 Enable the required repositories

On CentOS 8 we need a few repositories beyond those enabled by default.

The EPEL repository is not part of a default CentOS installation, but we can install the epel-release rpm to add it:

[root@samba-ad ~]# yum -y install epel-release

Next, install dnf-plugins-core so that yum config-manager can enable repositories, then enable the PowerTools repository from CentOS:

[root@samba-ad ~]# yum -y install dnf-plugins-core
[root@samba-ad ~]# yum config-manager --set-enabled PowerTools

The list of repositories enabled on my server:

[root@samba-ad ~]# yum repolist

(Screenshot: CentOS 8 repositories enabled for Samba AD)

2. Install the dependency packages

Install the following packages to build Samba as an Active Directory (AD) domain controller (DC) on a minimal Red Hat Enterprise Linux (RHEL) 8 or CentOS 8 installation:

[root@samba-ad ~]# yum -y install docbook-style-xsl gcc gdb gnutls-devel gpgme-devel jansson-devel \
      keyutils-libs-devel krb5-workstation libacl-devel libaio-devel \
      libarchive-devel libattr-devel libblkid-devel libtasn1 libtasn1-tools \
      libxml2-devel libxslt lmdb-devel openldap-devel pam-devel perl \
      perl-ExtUtils-MakeMaker perl-Parse-Yapp popt-devel python3-cryptography \
      python3-dns python3-gpg python36-devel readline-devel rpcgen systemd-devel \
      tar zlib-devel

Tip:

The samba packages shipped with CentOS 8 only support running Samba as a domain member or as an NT4-style PDC or BDC. Red Hat does not ship packages for running Samba as an AD DC, so we build samba from source to configure it as an Active Directory DC.

3. Download the latest stable Samba release

At the time of writing, 4.12.5 is the latest stable Samba build available. You can also browse https://download.samba.org/pub/samba/stable manually and download the latest stable release.

[root@samba-ad ~]# wget https://download.samba.org/pub/samba/stable/samba-4.12.5.tar.gz

(Screenshot: downloading Samba 4)

Once downloaded, extract the contents of the archive:

[root@samba-ad ~]# tar -xzvf samba-4.12.5.tar.gz

Change into the directory containing the extracted sources:

[root@samba-ad ~]# cd samba-4.12.5

The configure script is located in the root of the source directory. Its main purpose is to create a makefile used by the make command. The configure script lets us set various options, such as the installation path. We will run it without any additional options.

[root@samba-ad ~]# ./configure
<Output trimmed>

If the configure script exits without errors, you will see the following output:

'configure' finished successfully (2m32.681s)

If any errors are reported, consult the official documentation for further help.

To start compiling, run make as shown below. This can take a while to finish, so you may want to grab a coffee in the meantime.

Tip:

The make command can run several jobs in parallel. For example, to run 2 "make" subtasks at the same time and shorten the build, run:

# make -j 2

The plain build used here:

[root@samba-ad ~]# make
<Output trimmed>

If the build exits without errors, we will see the following output:

Waf: Leaving directory `/root/samba-4.12.5/bin/default'
Build commands will be stored in bin/default/compile_commands.json
'build' finished successfully (32m20.012s)

To install the compiled software, root privileges are needed to write to the target directories and set the correct permissions.

[root@samba-ad ~]# make install
<Output trimmed>

If the installation exits without errors, we will see the following output:

Waf: Leaving directory `/root/samba-4.12.5/bin/default'
Build commands will be stored in bin/default/compile_commands.json
'install' finished successfully (8m56.726s)

4. Set the environment variables

If you defined a custom installation path for the samba binaries with configure, adjust PATH accordingly. Since I configured Samba with the default values, I run the following command to add the samba binary directories to the PATH variable, so that the full path of the samba commands need not be typed every time:

export PATH=/usr/local/samba/bin/:/usr/local/samba/sbin/:$PATH

This updates the PATH variable for the current session only. To make it permanent for root, add the line to root's .bash_profile; if regular users should also be able to run the samba commands, add it to /etc/profile instead.

(Screenshot: updating the environment variables)

5. Provision Samba Active Directory

Provisioning sets up all the infrastructure required to run a Samba Active Directory domain, such as the LDAP, Kerberos and DNS servers. The Samba AD provisioning process creates the AD database and adds the initial records, such as the domain administrator account and the required DNS entries.

Note:

When setting up a new AD, it is recommended to enable the NIS extensions by passing the --use-rfc2307 parameter to the samba-tool domain provision command. This allows Unix attributes such as user IDs (UID), home directory paths and group IDs (GID) to be stored in AD. Enabling the NIS extensions has no drawbacks; enabling them later in an existing domain, however, requires manually extending the AD schema.

[root@samba-ad samba-4.12.5]# samba-tool domain provision --use-rfc2307 --interactive --option="interfaces= lo eth1" --option="bind interfaces only=yes"
Realm [EXAMPLE.COM]:  EXAMPLE.COM  <-- provide the realm name
Domain [EXAMPLE]:  EXAMPLE  <-- provide the domain name
Server Role (dc, member, standalone) [dc]:  dc   <-- Since we are configuring samba active directory, we use dc
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:  SAMBA_INTERNAL   <-- We will let samba configure it's own DNS and zone files
DNS forwarder IP address (write 'none' to disable forwarding) [192.168.43.154]:  8.8.8.8   <-- We will use google's dns
Administrator password:   <-- Provide the Administrator user's password
Retype password:
INFO 2017-08-11 15:40:59,849 pid:53118 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2133: Looking up IPv4 addresses
INFO 2017-08-11 15:40:59,849 pid:53118 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2150: Looking up IPv6 addresses
INFO 2017-08-11 15:41:01,763 pid:53118 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2305: Setting up secrets.ldb
INFO 2017-08-11 15:41:01,798 pid:53118 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2311: Setting up the registry
INFO 2017-08-11 15:41:01,839 pid:53118 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2314: Setting up the privileges database
INFO 2017-08-11 15:41:01,925 pid:53118 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2317: Setting up idmap db
INFO 2017-08-11 15:41:01,984 pid:53118 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2324: Setting up SAM db
INFO 2017-08-11 15:41:01,998 pid:53118 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #897: Setting up sam.ldb partitions and settings
INFO 2017-08-11 15:41:01,999 pid:53118 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #909: Setting up sam.ldb rootDSE
INFO 2017-08-11 15:41:02,011 pid:53118 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1338: Pre-loading the Samba 4 and AD schema
Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs
INFO 2017-08-11 15:41:02,075 pid:53118 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1416: Adding DomainDN: DC=example,DC=com
INFO 2017-08-11 15:41:02,102 pid:53118 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1448: Adding configuration container
INFO 2017-08-11 15:41:02,129 pid:53118 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1463: Setting up sam.ldb schema
INFO 2017-08-11 15:41:12,465 pid:53118 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1481: Setting up sam.ldb configuration data
INFO 2017-08-11 15:41:13,108 pid:53118 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1522: Setting up display specifiers
INFO 2017-08-11 15:41:20,575 pid:53118 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1530: Modifying display specifiers and extended rights
INFO 2017-08-11 15:41:20,714 pid:53118 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1537: Adding users container
INFO 2017-08-11 15:41:20,719 pid:53118 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1543: Modifying users container
INFO 2017-08-11 15:41:20,722 pid:53118 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1546: Adding computers container
INFO 2017-08-11 15:41:20,727 pid:53118 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1552: Modifying computers container
INFO 2017-08-11 15:41:20,730 pid:53118 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1556: Setting up sam.ldb data
INFO 2017-08-11 15:41:21,320 pid:53118 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1586: Setting up well known security principals
INFO 2017-08-11 15:41:21,476 pid:53118 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1600: Setting up sam.ldb users and groups
INFO 2017-08-11 15:41:22,590 pid:53118 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #1608: Setting up self join
Repacking database from v1 to v2 format (first record CN=ms-net-ieee-80211-GP-PolicyGUID,CN=Schema,CN=Configuration,DC=example,DC=com)
Repack: re-packed 10000 records so far
Repacking database from v1 to v2 format (first record CN=IntellimirrorSCP-Display,CN=816,CN=DisplaySpecifiers,CN=Configuration,DC=example,DC=com)
Repacking database from v1 to v2 format (first record CN=Group Policy Creator Owners,CN=Users,DC=example,DC=com)
INFO 2017-08-11 15:41:27,599 pid:53118 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1130: Adding DNS accounts
INFO 2017-08-11 15:41:27,649 pid:53118 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1164: Creating CN=MicrosoftDNS,CN=System,DC=example,DC=com
INFO 2017-08-11 15:41:27,740 pid:53118 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1177: Creating DomainDnsZones and ForestDnsZones partitions
INFO 2017-08-11 15:41:27,885 pid:53118 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py #1182: Populating DomainDnsZones and ForestDnsZones partitions
Repacking database from v1 to v2 format (first record DC=_msdcs,DC=example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=example,DC=com)
Repacking database from v1 to v2 format (first record DC=@,DC=_msdcs.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=example,DC=com)
INFO 2017-08-11 15:41:28,439 pid:53118 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2037: Setting up sam.ldb rootDSE marking as synchronized
INFO 2017-08-11 15:41:28,449 pid:53118 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2042: Fixing provision GUIDs
INFO 2017-08-11 15:41:32,080 pid:53118 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2377: A Kerberos configuration suitable for Samba AD has been generated at /usr/local/samba/private/krb5.conf
INFO 2017-08-11 15:41:32,080 pid:53118 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2378: Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
INFO 2017-08-11 15:41:32,531 pid:53118 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #2107: Setting up fake yp server settings
INFO 2017-08-11 15:41:32,795 pid:53118 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #490: Once the above files are installed, your Samba AD server will be ready to use
INFO 2017-08-11 15:41:32,796 pid:53118 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #494: Server Role:           active directory domain controller
INFO 2017-08-11 15:41:32,796 pid:53118 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #495: Hostname:              samba-ad
INFO 2017-08-11 15:41:32,796 pid:53118 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #496: NetBIOS Domain:        EXAMPLE
INFO 2017-08-11 15:41:32,797 pid:53118 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #497: DNS Domain:            example.com
INFO 2017-08-11 15:41:32,797 pid:53118 /usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py #498: DOMAIN SID:            S-1-5-21-2126248986-2501897089-2532841763

6. Configure the DNS resolver

Domain members in AD use DNS to locate services such as LDAP and Kerberos. To do so, they need a DNS server that is able to resolve the AD DNS zones.

On the DC, set the AD DNS domain in the search parameter and the DC's IP in the nameserver parameter of the /etc/resolv.conf file. For example:

[root@samba-ad samba-4.12.5]# cat /etc/resolv.conf
# Generated by NetworkManager
search example.com
nameserver 192.168.43.154

7. Start the Samba service

As root, run from a terminal:

# samba

Although we could write a systemd unit file, no systemd service is provided to manage the samba service.

Once the above command has been executed, the samba service is running:

[root@samba-ad ~]# ps -ef | grep samba

(Screenshot: Samba Active Directory service started)
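Since the tutorial starts the DC by running samba from a terminal, here is an added example of a systemd unit rendered by a small shell function. This is not the tutorial's or the Samba project's own file. The binary and PID file paths assume the default configure prefix /usr/local/samba used above; confirm the PID directory of your build with `smbd -b | grep PIDDIR` before enabling the unit.

```shell
# Writes a systemd unit for a source-built Samba AD DC (added example; paths
# assume the default prefix /usr/local/samba used in this tutorial).
#
# write_samba_unit [unit-path]   default: /etc/systemd/system/samba-ad-dc.service
write_samba_unit() {
    unit="${1:-/etc/systemd/system/samba-ad-dc.service}"
    cat > "$unit" <<'EOF'
[Unit]
Description=Samba Active Directory Domain Controller
After=network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
# -D: become a daemon (the bare "samba" command used in the tutorial also forks)
ExecStart=/usr/local/samba/sbin/samba -D
# PIDDIR of the default prefix; verify with: smbd -b | grep PIDDIR
PIDFile=/usr/local/samba/var/run/samba.pid
ExecReload=/bin/kill -HUP $MAINPID
LimitNOFILE=16384

[Install]
WantedBy=multi-user.target
EOF
}

# Stand-alone demo: render the unit into a temporary file and show it.
# On the real DC, run write_samba_unit as root with no argument instead.
demo_unit=$(mktemp)
write_samba_unit "$demo_unit"
cat "$demo_unit"
rm -f "$demo_unit"
```

After writing the unit on the DC, run `systemctl daemon-reload` followed by `systemctl enable --now samba-ad-dc`; the samba process started by hand in this section must be stopped first, since only one instance can own the databases.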

8. Verify the Samba service

After starting the Samba service, we can check that everything works as expected. Running testparm shows that our server is recognized as an Active Directory DC.

[root@samba-ad ~]# testparm
Load smb config files from /usr/local/samba/etc/smb.conf
Loaded services file OK.
Server role: ROLE_ACTIVE_DIRECTORY_DC
Press enter to see a dump of your service definitions
# Global parameters
[global]
        dns forwarder = 8.8.8.8
        passdb backend = samba_dsdb
        realm = EXAMPLE.COM
        server role = active directory domain controller
        workgroup = EXAMPLE
        rpc_server:tcpip = no
        rpc_daemon:spoolssd = embedded
        rpc_server:spoolss = embedded
        rpc_server:winreg = embedded
        rpc_server:ntsvcs = embedded
        rpc_server:eventlog = embedded
        rpc_server:srvsvc = embedded
        rpc_server:svcctl = embedded
        rpc_server:default = external
        winbindd:use external pipes = true
        idmap_ldb:use rfc2307 = yes
        idmap config * : backend = tdb
        map archive = No
        vfs objects = dfs_samba4 acl_xattr

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/example.com/scripts
        read only = No

Testing Samba 4

# smbclient --version
Version 4.12.5

This should show a version beginning with 4.0.XXXXX.

Now try the following command:

# smbclient -L localhost -U%

and check that all shares (including sysvol and netlogon) are listed correctly. The "netlogon" and "sysvol" shares are the basic shares required for an Active Directory server to operate.

To test that authentication works, we connect to the netlogon share with the Administrator password set earlier.

[root@samba-ad samba-4.12.5]# smbclient //localhost/netlogon -Uadministrator%Abhideep@12 -c 'ls'
  .                                   D        0  Tue Aug 11 15:32:02 2017
  ..                                  D        0  Tue Aug 11 15:32:23 2017
                22185808 blocks of size 1024. 4609788 blocks available

9. Create a reverse zone

Optionally, a reverse lookup zone can be added.

[root@samba-ad samba-4.12.5]# samba-tool dns zonecreate 192.168.43.154 43.168.192.in-addr.arpa -U administrator
Password for [EXAMPLE\administrator]:
Zone 43.168.192.in-addr.arpa created successfully

If several reverse zones are needed (multiple subnets), simply run the above command again with the other subnet's data.

The reverse zone is active immediately, without restarting Samba or BIND.

10. Configure network time synchronization

Time must be synchronized for Active Directory to work correctly. We will use chronyd for time synchronization.

See the separate guide: Steps to configure Chrony as an NTP server and client (CentOS/RHEL 8)

11. Configure Kerberos

In AD, Kerberos is used to authenticate users, computers and services. During provisioning, Samba created a Kerberos configuration file for the DC. Copy this file to the operating system's Kerberos configuration. For example:

[root@samba-ad samba-4.12.5]# cp /usr/local/samba/private/krb5.conf /etc/krb5.conf

The pre-created Kerberos configuration uses DNS service (SRV) resource records to locate the KDC.

12. Verify DNS

The TCP-based _ldap SRV record for the domain:

[root@samba-ad samba-4.12.5]# host -t SRV _ldap._tcp.example.com.
_ldap._tcp.example.com has SRV record 0 100 389 samba-ad.example.com.

The UDP-based _kerberos SRV resource record for the domain:

[root@samba-ad samba-4.12.5]# host -t SRV _kerberos._udp.example.com.
_kerberos._udp.example.com has SRV record 0 100 88 samba-ad.example.com.

The "A" record of the domain controller:

[root@samba-ad samba-4.12.5]# host -t A samba-ad.example.com.
samba-ad.example.com has address 192.168.43.154
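The three lookups in this section, automated as one check that also covers the _kerberos._tcp SRV record, which Samba provisions alongside the UDP one. This is an added example, not the tutorial's own code. The lookup command is taken from $HOST_CMD (default: host), so the checker can be pointed at a stub for offline runs; answers are parsed in host(1) output format.

```shell
# Verifies the DNS records an AD domain needs (added example, not from the
# tutorial). POSIX sh.
#
# verify_ad_dns <dns-domain> <dc-fqdn> <dc-ip>   -> 0 only if every record is correct
verify_ad_dns() {
    domain="$1"; dc="$2"; ip="$3"; rc=0
    hostcmd="${HOST_CMD:-host}"

    # Each SRV record must point at the DC on the expected port.
    for rec in "_ldap._tcp:389" "_kerberos._udp:88" "_kerberos._tcp:88"; do
        name="${rec%%:*}"; port="${rec##*:}"
        out=$($hostcmd -t SRV "$name.$domain." 2>/dev/null)
        # host prints: NAME has SRV record PRIO WEIGHT PORT TARGET.
        if printf '%s\n' "$out" | awk -v p="$port" -v t="$dc." \
                '$3 == "SRV" && $7 == p && $8 == t { ok = 1 } END { exit !ok }'; then
            echo "ok      $name.$domain -> $dc port $port"
        else
            echo "FAIL    $name.$domain: expected port $port at $dc, got: ${out:-no answer}" >&2
            rc=1
        fi
    done

    # host prints: NAME has address IP
    out=$($hostcmd -t A "$dc." 2>/dev/null)
    if printf '%s\n' "$out" | awk -v a="$ip" \
            '$3 == "address" && $4 == a { ok = 1 } END { exit !ok }'; then
        echo "ok      $dc -> $ip"
    else
        echo "FAIL    $dc A record: expected $ip, got: ${out:-no answer}" >&2
        rc=1
    fi
    return $rc
}

# Constructed stand-in for host(1) that returns the answers shown in the
# tutorial; used only for the offline demo and test.
fake_host() {
    case "$3" in
        _ldap._tcp.example.com.)     echo "_ldap._tcp.example.com has SRV record 0 100 389 samba-ad.example.com." ;;
        _kerberos._udp.example.com.) echo "_kerberos._udp.example.com has SRV record 0 100 88 samba-ad.example.com." ;;
        _kerberos._tcp.example.com.) echo "_kerberos._tcp.example.com has SRV record 0 100 88 samba-ad.example.com." ;;
        samba-ad.example.com.)       echo "samba-ad.example.com has address 192.168.43.154" ;;
        *) return 1 ;;
    esac
}

# Stand-alone demo against the stub; on the DC drop the HOST_CMD prefix.
HOST_CMD=fake_host verify_ad_dns example.com samba-ad.example.com 192.168.43.154
```

On the DC itself, `verify_ad_dns example.com samba-ad.example.com 192.168.43.154` queries the resolver configured in section 6, so a failure there points at either missing provisioned records or a wrong nameserver entry in /etc/resolv.conf.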

13. Verify Kerberos

Request a Kerberos ticket for the domain administrator account:

[root@samba-ad samba-4.12.5]# kinit Administrator
Password for [email protected]:
Warning: Your password will expire in 41 days on Tue 22 Sep 2017 03:41:22 PM IST

List the cached Kerberos tickets:

[root@samba-ad samba-4.12.5]# klist

(Screenshot: listing the Kerberos tickets)

14. Configure the firewall

We use firewalld in the CentOS 8 environment, so we open the ports and services for Samba Active Directory with firewalld.

[root@samba-ad ~]# firewall-cmd --add-service={dns,ldap,ldaps,kerberos}
success
[root@samba-ad ~]# firewall-cmd --add-port={389/udp,135/tcp,135/udp,138/udp,138/tcp,137/tcp,137/udp,139/udp,139/tcp,445/tcp,445/udp,3268/udp,3268/tcp,3269/tcp,3269/udp,49152/tcp}
success

15. Manage the Samba AD domain controller

We have provisioned the new Samba Active Directory domain with samba-tool. Beyond that, this versatile tool can do much more. For example, we can list the current users.

[root@samba-ad ~]# samba-tool user list
krbtgt
Administrator
Guest

We can also create additional users:

[root@samba-ad ~]# samba-tool user create hynman
New Password:
Retype Password:
User 'hynman' created successfully

Now verify the user list:

[root@samba-ad ~]# samba-tool user list
hynman
krbtgt
Administrator
Guest

List the available groups:

[root@samba-ad ~]# samba-tool group list

We can also add the user we just created to the "Domain Admins" group:

[root@samba-ad ~]# samba-tool group addmembers "Domain Admins" hynman
Added members to group Domain Admins

Verify the member list of the Domain Admins group:

[root@samba-ad ~]# samba-tool group listmembers "Domain Admins"
hynman
Administrator
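Adding an account to Domain Admins, as done above, is exactly the kind of change worth watching for afterwards. The following added example (not the tutorial's own code) audits a privileged group's membership against an allowlist file, one name per line, using the output of samba-tool group listmembers; $SAMBA_TOOL (default: samba-tool) can be pointed at a stub for offline runs.

```shell
# Audits the members of an AD group against an allowlist (added example, not
# from the tutorial). POSIX sh.
#
# audit_group_members <group> <allowlist-file>
# Prints every member not in the allowlist; returns 1 if any were found.
audit_group_members() {
    group="$1"; allow="$2"; tool="${SAMBA_TOOL:-samba-tool}"
    [ -r "$allow" ] || { echo "cannot read allowlist $allow" >&2; return 2; }
    # samba-tool group listmembers prints one account name per line
    members=$($tool group listmembers "$group") || { echo "cannot list $group" >&2; return 2; }
    unexpected=0
    # a here-document keeps the loop in the current shell, so the counter survives
    while IFS= read -r m; do
        [ -n "$m" ] || continue
        # AD account names are case-insensitive: -i; -x whole line; -F literal
        if ! grep -qixF -- "$m" "$allow"; then
            echo "UNEXPECTED member of '$group': $m"
            unexpected=$((unexpected + 1))
        fi
    done <<EOF
$members
EOF
    if [ "$unexpected" -eq 0 ]; then
        echo "ok      '$group' matches the allowlist"
        return 0
    fi
    return 1
}

# Constructed stand-in for samba-tool returning the membership shown in the
# tutorial after hynman was added; used only for the offline demo and test.
fake_samba_tool() {
    printf 'hynman\nAdministrator\n'
}

# Stand-alone demo against a constructed allowlist that permits Administrator only.
demo_allow=$(mktemp)
echo Administrator > "$demo_allow"
SAMBA_TOOL=fake_samba_tool audit_group_members "Domain Admins" "$demo_allow"
rm -f "$demo_allow"
```

Run from cron on the DC with the real samba-tool and a reviewed allowlist; a non-zero exit is the signal to forward to your monitoring, and the allowlist itself should change only through the same review process as the group.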