Attention: All pages of this wiki depend on the pages that come before it, in order as they are listed on the Main Page. Please check for Dependencies.
Please also look at What You Need to Know Before Using This Wiki

Install Samba Active Directory

From COCNM
Jump to: navigation, search

Server Prep

  • apt-get install build-essential libattr1-dev libblkid-dev libgnutls-dev libreadline-gplv2-dev python-dev autoconf python-dnspython gdb pkg-config bind9utils libpopt-dev krb5-config krb5-user libkrb5-dev python-dev libacl1-dev xsltproc docbook apache2-mpm-itk docbook-xsl
  • edit /etc/fstab, make sure root mountpoint has acl enabled (ext4 relatime,acl,errors=remount-ro 0 1)

Obtain and Install

  • Download latest copy of samba from http://ftp.samba.org/pub/samba/
  • cd /usr/src/
  • wget http://ftp.samba.org/pub/samba/samba-4.0.7.tar.gz
  • tar zxf samba-4.0.7.tar.gz
  • cd samba-4.0.7/
  • ./configure
  • make
  • make install
  • samba-tool domain provision --realm=computerisms.com --domain=computerisms --host-name=houselian --host-ip=192.168.26.10 --adminpass='The1TrueB0b' --server-role='domain controller' --dns-backend=BIND9_DLZ
  • mv /etc/krb5.conf /etc/krb5.conf.orig
  • cp /usr/local/samba/private/krb5.conf /etc/krb5.conf
  • sed -i '1,/^MANDATORY_MANPATH/ {/^MANDATORY_MANPATH/i\
    MANDATORY_MANPATH /usr/local/samba/share/man
    }' /etc/manpath.config

Start Samba

  • ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/libnss_winbind.so
  • ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/libnss_winbind.so.2
  • mkdir -p -m 1755 /var/service/samba
  • mkdir -p -m 0755 /var/service/samba/log
  • vi /var/service/samba/run
  • ln -s /var/service/multilog.run /var/service/samba/log/run
  • chmod 755 /var/service/samba/run
  • cd /service/
  • ln -s /var/service/samba/
  • sv <= make sure samba is running

Configure Samba and Related Services

Configure Shares

  • chgrp -R users /home/data/{people,Departments,Common}
  • chmod 2770 /home/data/{people,Departments,Common}

Redirect Domain to External Web Server

  • rm /etc/apache2/sites-enabled/000-default
  • rm /etc/apache2/sites-available/default*
  • rm /var/www/index.html
  • vi /etc/apache2/ports.conf
  • vi /etc/apache2/sites-available/computerisms.com.conf
  • a2ensite computerisms.com
  • /etc/init.d/apache2 reload
  • samba-tool dns add houselian computerisms.com www A 64.251.25.76
  • ensure the external webserver is configured with ServerAlias www.computerisms.com

Configure Bind to Allow Samba to Start After Reboot

Test Everything

  • smbclient --version
    Version 4.0.7 <= Confirm output is correct
  • smbclient -L localhost -U% <= Confirm shares show up as follows:
Domain=[COMPUTERISMS] OS=[Unix] Server=[Samba 4.0.7]

	Sharename       Type      Comment
	---------       ----      -------
	netlogon        Disk      
	sysvol          Disk      
	Departments     Disk      Departmental Storage
	IPC$            IPC       IPC Service (Samba 4.0.7)
Domain=[COMPUTERISMS] OS=[Unix] Server=[Samba 4.0.7]

	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------
  • smbclient //localhost/netlogon -U'administrator%The1TrueB0b'
    smb: \> quit <= Confirm this brings you to an smb: prompt
  • host -t SRV _ldap._tcp.computerisms.com.
    _ldap._tcp.computerisms.com has SRV record 0 100 389 houselian.computerisms.com. <= Confirm output matches this record
  • host -t SRV _kerberos._udp.computerisms.com.
    _kerberos._udp.computerisms.com has SRV record 0 100 88 houselian.computerisms.com. <= Confirm output matches this record
  • host -t A houselian.computerisms.com.
    houselian.computerisms.com has address 192.168.26.10 <= Confirm output matches this record
  • klist <= Confirm spelling and dates are correct:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@COMPUTERISMS.COM

Valid starting    Expires           Service principal
22/07/2013 16:29  23/07/2013 02:29  krbtgt/COMPUTERISMS.COM@COMPUTERISMS.COM
	renew until 23/07/2013 16:29
  • ntpq -c "rv 0 clock" 192.168.26.10
    clock=d5984c91.369e0a26 Mon, Jul 22 2013 17:28:01.213 <= Confirm output is correct
  • dig computerisms.ca @192.168.26.10 <= Confirm you can resolve non-local domains

Configure Administrative and Authentication Accounts

  • samba-tool user setexpiry --noexpiry Administrator
  • samba-tool user add bob.miller --given-name=Bob --surname=Miller
  • samba-tool group addmembers 'Domain Admins' 'bob.miller'
  • samba-tool user setexpiry --noexpiry bob.miller
  • samba-tool user add authenticator
  • samba-tool user setexpiry --noexpiry authenticator

Join Adminlian to the Domain

  • start=>right-click Computer=>properties=>change settings link=>change button=>set domain to COMPUTERISMS.COM=>ok=>Authenticate with account bob.miller=>ok=>close=>restart now
  • at logon screen=>switch users=>enter username COMPUTERISMS\bob.miller and correct password
  • download and install rsat from http://www.microsoft.com/en-us/download/details.aspx?id=7887
  • After RSAT is installed, go into control panel=>programs=>windows features, and enabled RSAT tools.
    • At the very least you will need most of the stuff under role administration tools

Testing and Setup

  • Open ADUC=>Create Group listarchive=>Add user bob.miller to it

Write Logon Scripts

Install the CA by GPO

  • This works for IE (most of the time), but not outlook (yet), and each browser has its own cert store
  • use winscp to obtain the Computerisms.Certificate.Authority.p12, put it on adminlian's desktop
  • open group policy management=>Forest=>Domains=>Computerisms.com=>right-click Default Domain Policy=>Edit
  • Computer Configuration=>Policies=>Windows Settings=>Security Settings=>Public Key Policies=>right-click Trusted Root Certification Authorities=>Import
  • Next=>Browse to Desktop=>Show all Files=>Select Computerisms.Certificate.Authority.p12=>next=>Enter Password=>Next=>Place in Trusted Root Certifcation Authorities=>Next=>Finish
  • click ok. Log out and back in. open IE and browse to anywhere.computerisms.com
    • If cert warning is still presented, check event viewer
      • Windows unable to read the gpt.ini file => run samba-tool ntacl sysvolreset

Notes and Examples

  • Syntax example: ldbsearch -H ldap://192.168.26.10:389 -b "CN=Users,DC=computerisms,DC=com" -U administrator@COMPUTERISMS.COM cn=*