The latest version of Samba 4 comes with Active Directory logon and administration protocols, including the usual Active Directory services and full interoperability with Microsoft Active Directory servers. This is possible through the combination of an LDAP directory, Heimdal Kerberos authentication, a dynamic DNS server and the necessary remote procedure calls (RPC).
For the complete list of new changes, see: http://wiki.samba.org/index.php/Samba4
This post covers the initial installation and configuration of Samba 4 as an Active Directory domain controller on CentOS 6, using BIND 9 as the DNS backend and an NTPD (4.2.6) server used by the clients.
– Change the hostname:
# vi /etc/sysconfig/network
HOSTNAME=centos-dc
– Disable selinux:
# vi /etc/sysconfig/selinux
SELINUX=disabled
# setenforce 0
– Install some dependencies:
# yum -y install gcc make wget python-devel gnutls-devel openssl-devel libacl-devel krb5-server krb5-libs krb5-workstation bind bind-libs bind-utils
– Download and compile samba4:
# wget http://ftp.samba.org/pub/samba/samba-latest.tar.gz
# tar -xzvf samba-latest.tar.gz
# cd samba-latest/
# ./configure --enable-selftest
# make && make install
– Provisioning a new domain:
# /usr/local/samba/bin/samba-tool domain provision --realm=opentodo.net --domain=OPENTODO --adminpass 'P@ssw0rd' --server-role=dc --dns-backend=BIND9_DLZ
The BIND9_DLZ DNS backend stores the zone information in the Samba 4 AD database and lets BIND serve it directly.
– Edit named configuration:
# rndc-confgen -a -r /dev/urandom
# vi /etc/named.conf
options {
    listen-on port 53 { any; };
    forwarders { 192.168.1.8; };
    allow-query { any; };
    tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
};
include "/usr/local/samba/private/named.conf";
– Edit resolv.conf:
# vi /etc/resolv.conf
nameserver 127.0.0.1
domain opentodo.net
– Edit kerberos server configuration:
# vi /etc/krb5.conf
[libdefaults]
    default_realm = OPENTODO.NET
    dns_lookup_realm = false
    dns_lookup_kdc = true
– Download and install the latest version of ntp (4.2.6 comes with NTP signing support, which the Windows clients require):
# wget http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-4.2.6p5.tar.gz
# tar -xzvf ntp-4.2.6p5.tar.gz
# cd ntp-4.2.6p5
# ./configure --enable-ntp-signd
# make && make install
– Configuring NTP:
# vi /etc/ntp.conf
server 127.127.1.0
fudge 127.127.1.0 stratum 10
server 0.pool.ntp.org iburst prefer
server 1.pool.ntp.org iburst prefer
driftfile /var/lib/ntp/ntp.drift
logfile /var/log/ntp
ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/
restrict default kod nomodify notrap nopeer mssntp
restrict 127.0.0.1
restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
– Setting up the correct permissions:
# chown named:named /usr/local/samba/private/dns
# chown named:named /usr/local/samba/private/dns.keytab
# chmod 775 /usr/local/samba/private/dns
– Configuring samba init script:
# vi /etc/init.d/samba4
#! /bin/bash
#
# samba4        Bring up/down samba4 service
#
# chkconfig: - 90 10
# description: Activates/Deactivates all samba4 interfaces configured to
#              start at boot time.
#
### BEGIN INIT INFO
# Provides:
# Should-Start:
# Short-Description: Bring up/down samba4
# Description: Bring up/down samba4
### END INIT INFO

# Source function library.
. /etc/init.d/functions

if [ -f /etc/sysconfig/samba4 ]; then
    . /etc/sysconfig/samba4
fi

CWD=$(pwd)
prog="samba4"

start() {
    # Start the samba daemon.
    echo -n $"Starting $prog: "
    /usr/local/samba/sbin/samba
    sleep 2
    if ps ax | grep -v "grep" | grep -q /samba/sbin/samba ; then success $"samba4 startup"; else failure $"samba4 startup"; fi
    echo
}

stop() {
    # Stop service.
    echo -n $"Shutting down $prog: "
    killall samba
    sleep 2
    if ps ax | grep -v "grep" | grep -q /samba/sbin/samba ; then failure $"samba4 shutdown"; else success $"samba4 shutdown"; fi
    echo
}

status() {
    /usr/local/samba/sbin/samba --show-build
}

# See how we were called.
case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  status)
    status
    ;;
  restart|reload)
    stop
    start
    ;;
  *)
    echo $"Usage: $0 {start|stop|restart|status}"
    exit 1
esac
exit 0
# chmod 755 /etc/init.d/samba4
– Configuring ntp init script:
# vi /etc/init.d/ntp
#! /bin/bash
#
# ntp           Bring up/down ntp service
#
# chkconfig: - 99 30
# description: Bring up/down ntp
#
### BEGIN INIT INFO
# Provides:
# Should-Start:
# Short-Description: Bring up/down ntp
# Description: Bring up/down ntp
### END INIT INFO

# Source function library.
. /etc/init.d/functions

CWD=$(pwd)
NTPD=/usr/local/bin/ntpd
prog="ntp"

start() {
    # Start the ntp daemon.
    echo -n $"Starting $prog: "
    $NTPD -p /var/run/ntpd.pid
    sleep 2
    if ps ax | grep -v "grep" | grep -q $NTPD ; then success $"ntp startup"; else failure $"ntp startup"; fi
    echo
}

stop() {
    # Stop service.
    echo -n $"Shutting down $prog: "
    kill -9 `cat /var/run/ntpd.pid` > /dev/null 2>&1
    sleep 2
    if ps ax | grep -v "grep" | grep -q $NTPD ; then failure $"ntp shutdown"; else success $"ntp shutdown"; fi
    echo
}

# See how we were called.
case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  restart|reload)
    stop
    start
    ;;
  *)
    echo $"Usage: $0 {start|stop|restart}"
    exit 1
esac
exit 0
# chmod 755 /etc/init.d/ntp
– Start services:
# /etc/init.d/named start
# /etc/init.d/ntp start
# /etc/init.d/samba4 start
– Initialize services at boot time:
# chkconfig --levels 235 samba4 on
# chkconfig --levels 235 ntp on
# chkconfig --levels 235 named on
– Adding iptables rules:
# vi /etc/sysconfig/iptables
-A INPUT -m udp -p udp --dport 53 -m comment --comment "DNS" -j ACCEPT
-A INPUT -m udp -p udp --dport 123 -m comment --comment "NTP" -j ACCEPT
-A INPUT -m udp -p udp --dport 135 -m comment --comment "RPC UDP" -j ACCEPT
-A INPUT -m udp -p udp --dport 138 -m comment --comment "NetBIOS Netlogon and Browsing" -j ACCEPT
-A INPUT -m udp -p udp --dport 389 -m comment --comment "LDAP UDP" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 88 -m comment --comment "Kerberos" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 464 -m comment --comment "Kerberos Password Management" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 139 -m comment --comment "NetBIOS Session" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -m comment --comment "SMB CIFS" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -m comment --comment "LDAP TCP" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -m comment --comment "LDAP SSL" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3268 -m comment --comment "LDAP Global Catalog" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3269 -m comment --comment "LDAP Global Catalog SSL" -j ACCEPT
# service iptables restart
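As an added example (not part of the original post), a small bash audit for the DC built above: it checks the security-relevant lines of the ntp.conf and named.conf shown earlier and the permissions on dns.keytab. The function names are mine, and the sample files it writes are constructed so the checks can be tried without a live DC.

```bash
#!/bin/bash
# Post-install audit for the Samba 4 DC configured above (added example, not
# from the original post). Paths are the ones the post uses.

# 0 if config file $1 contains a line matching extended regex $2.
has_directive() { grep -Eq -- "$2" "$1" 2>/dev/null; }

# ntp.conf: signd socket present, and the default restrict line keeps nomodify
# while allowing mssntp; without mssntp domain members get unsigned replies.
check_ntp_conf() {
    local f="$1" rc=0
    has_directive "$f" '^ntpsigndsocket[[:space:]]+/usr/local/samba/var/lib/ntp_signd' \
        || { echo "ntp: ntpsigndsocket missing"; rc=1; }
    has_directive "$f" '^restrict[[:space:]]+default.*[[:space:]]nomodify([[:space:]]|$)' \
        || { echo "ntp: default restrict lacks nomodify"; rc=1; }
    has_directive "$f" '^restrict[[:space:]]+default.*[[:space:]]mssntp([[:space:]]|$)' \
        || { echo "ntp: default restrict lacks mssntp"; rc=1; }
    return $rc
}

# named.conf: the GSS-TSIG keytab is what limits dynamic DNS updates to
# authenticated domain members; the include loads the DLZ zone definition.
check_named_conf() {
    local f="$1" rc=0
    has_directive "$f" 'tkey-gssapi-keytab[[:space:]]+"/usr/local/samba/private/dns.keytab"' \
        || { echo "named: tkey-gssapi-keytab missing"; rc=1; }
    has_directive "$f" '^include[[:space:]]+"/usr/local/samba/private/named.conf"' \
        || { echo "named: Samba DLZ include missing"; rc=1; }
    return $rc
}

# dns.keytab: owned by $2 (default named) and not world-readable; whoever can
# read it holds the key that signs updates to the AD zones.
check_keytab_perms() {
    local f="$1" want="${2:-named}" mode owner
    [ -f "$f" ] || { echo "keytab: $f missing"; return 1; }
    mode=$(ls -ld "$f" | cut -c1-10)
    owner=$(ls -ld "$f" | awk '{print $3}')
    case "$mode" in ???????r*) echo "keytab: world-readable ($mode)"; return 1;; esac
    [ "$owner" = "$want" ] || { echo "keytab: owner $owner, expected $want"; return 1; }
}

# Constructed sample files in directory $1: copies of the post's lines plus
# weakened variants, so the checks can be exercised without a live DC.
write_samples() {
    local d="$1"
    printf '%s\n' 'ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/' \
        'restrict default kod nomodify notrap nopeer mssntp' > "$d/ntp.good"
    sed 's/ mssntp$//' "$d/ntp.good" > "$d/ntp.weak"
    printf '%s\n' 'options { tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab"; };' \
        'include "/usr/local/samba/private/named.conf";' > "$d/named.good"
    grep -v tkey-gssapi "$d/named.good" > "$d/named.weak"
    : > "$d/dns.keytab" && chmod 600 "$d/dns.keytab"
}
```

On the DC itself, run the three check functions against /etc/ntp.conf, /etc/named.conf and /usr/local/samba/private/dns.keytab (expected owner named); write_samples exists only to try them on the constructed input.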
Sources
http://wiki.samba.org/index.php/Samba4/HOWTO
https://fedoraproject.org/w/index.php?title=Features/Samba4
– NTP init script and iptables rules edited by Marc (see the comments). Thanks!!
Thanks for your post! I found a few useful items while reading this article.
When using the above script for NTP, I got the following when attempting `chkconfig --levels 235 ntp on`
“service ntp does not support chkconfig”
Little bit of hacking with the samba script allowed me to make a pretty and useful ntp startup script. The part that chkconfig looks for is this line:
# chkconfig: - 55 10
(I chose 55 as the start due to some searching on the interwebs)
The above line allows chkconfig to create the proper symlinks for the start/stop locations in rc#.d.
Here is the pretty startup script:
====START SCRIPT=====
#! /bin/bash
#
# ntp           Bring up/down ntp service
#
# chkconfig: - 55 10
# description: Bring up/down ntp
#
### BEGIN INIT INFO
# Provides:
# Should-Start:
# Short-Description: Bring up/down ntp
# Description: Bring up/down ntp
### END INIT INFO

# Source function library.
. /etc/init.d/functions

CWD=$(pwd)
NTPD=/usr/local/bin/ntpd
prog="ntp"

start() {
    # Start the ntp daemon.
    echo -n $"Starting $prog: "
    $NTPD -p /var/run/ntpd.pid
    sleep 2
    if ps ax | grep -v "grep" | grep -q $NTPD ; then success $"ntp startup"; else failure $"ntp startup"; fi
    echo
}

stop() {
    # Stop service.
    echo -n $"Shutting down $prog: "
    kill -9 `cat /var/run/ntpd.pid` > /dev/null 2>&1
    sleep 2
    if ps ax | grep -v "grep" | grep -q $NTPD ; then failure $"ntp shutdown"; else success $"ntp shutdown"; fi
    echo
}

# See how we were called.
case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  restart|reload)
    stop
    start
    ;;
  *)
    echo $"Usage: $0 {start|stop|restart}"
    exit 1
esac
exit 0
=====END SCRIPT=====
As for iptables, I like to have comments for what the ports are:
=====START IPTABLES=====
-A INPUT -m udp -p udp --dport 53 -m comment --comment "DNS" -j ACCEPT
-A INPUT -m udp -p udp --dport 123 -m comment --comment "NTP" -j ACCEPT
-A INPUT -m udp -p udp --dport 135 -m comment --comment "RPC UDP" -j ACCEPT
-A INPUT -m udp -p udp --dport 138 -m comment --comment "NetBIOS Netlogon and Browsing" -j ACCEPT
-A INPUT -m udp -p udp --dport 389 -m comment --comment "LDAP UDP" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 88 -m comment --comment "Kerberos" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 464 -m comment --comment "Kerberos Password Management" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 139 -m comment --comment "NetBIOS Session" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -m comment --comment "SMB CIFS" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -m comment --comment "LDAP TCP" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -m comment --comment "LDAP SSL" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3268 -m comment --comment "LDAP Global Catalog" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3269 -m comment --comment "LDAP Global Catalog SSL" -j ACCEPT
=====END IPTABLES=====
Good luck to you on this, and I again thank you for the posting, as it got me pointed in the right direction 🙂
First of all, many thanks Marc for your correction!! The init script for ntp was incomplete and your script is more solid than mine; I edited the post to include your script. I also included your commented iptables rules, very important to clarify the ports that we have opened! Very useful too is the chkconfig documentation in the man page: http://linux.about.com/library/cmd/blcmdl8_chkconfig.htm
Thanks a lot for your time and for making this post more consistent to help other people!!!
Congratulations on the script! I have a doubt, guys!
in – Edit named configuration:
…
forwarders {192.168.1.8; };
..
Is the IP "192.168.1.8" my GATEWAY??
Or should it be the IP of my CentOS?
Sorry for my bad English! I am Brazilian! ;]
Hi Mike!! Thanks for your comment! The IP address 192.168.1.8 used in the DNS configuration is the address of a DNS server to which this server forwards the queries for domains it can't resolve itself (a forwarder).
Hi Ivan
Is the IP=192.168.1.8 separate DNS server ?
Hi troy0x,
Yes, the IP address mentioned is a server that resolves the DNS queries the local server cannot resolve, like other internet domains.
So I need to set up a DNS server???
Do you have a specific page link to set up a DNS server??
And why do I need to set up the separate DNS server??
Very nice and thorough tutorial, but I seem to be having a problem with bind; just wondering if anyone has seen this before. After bind is all sorted out it fails to load with the error message: samba_dlz: Failed to connect to /usr/local/samba/private/dns/sam.ldb. Any help would be much appreciated!
Thanks Chris!! Which version of bind are you using? You can see the version by executing named -v
I believe I was using 9.8.2, can't get any more detailed than that I am afraid. I did not manage to solve this problem but did find a way around that worked perfectly; not meaning to detract from your tutorial, but for those with the same problem as me, I used the Samba internal DNS server and this tutorial: alexwyn.com/computer-tips/centos-samba4-active-directory-domain-controller.
Regardless of me using a different route, you have written a very easy to follow tutorial that did help me a lot. The only flaw I can think of is that you don't make it clear to ensure selinux is off before continuing; restarting at that point or using setenforce -permissive (guessing that command from memory) will do the trick.
Cheers
Chris
You can use this chunk of script (just copy & paste it) to download, build and install ntp RPMs from source. With this there is no need to create an ntp init script as it's included with the RPM.
# Install NTP > 4.2.6
yum -y remove ntp ntpdate
yum -y install libcap-devel openssl-devel libedit-devel wget
mkdir -p ~/install_files/ntp
cd ~/install_files/ntp
wget http://vault.centos.org/6.3/os/Source/SPackages/ntp-4.2.4p8-2.el6.centos.src.rpm
rpm -i ntp-4.2.4p8-2.el6.centos.src.rpm
cd ~/rpmbuild/SOURCES
wget http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-4.2.6p5.tar.gz
cd ~/rpmbuild/SPECS
cp ntp.spec ntp.spec.bak
sed -i 's/Version: 4.2.4p8/Version: 4.2.6p5/g' ntp.spec
sed -i 's/--enable-linuxcaps/--enable-linuxcaps --enable-ntp-signd/g' ntp.spec
sed -i 's/%patch/#%patch/g' ntp.spec
sed -i 's/%{_sbindir}\/tickadj/%{_sbindir}\/tickadj\n%{_sbindir}\/sntp/g' ntp.spec
rpmbuild -ba ntp.spec
cd ~/rpmbuild/RPMS/$(uname -p)/
rpm -i ntp-4.2.6p5-2.el6.$(uname -p).rpm ntpdate-4.2.6p5-2.el6.$(uname -p).rpm
Hi, I can't start up the named service:
[root@ad bind9]# service named start
Starting named: [FAILED]
Here’s my messages log:
Mar 26 21:56:14 localhost named[3618]: Loading 'AD DNS Zone' using driver dlopen
Mar 26 21:56:14 localhost named[3618]: dlz_dlopen failed to open library '/usr/local/samba/lib/bind9/dlz_bind9.so' - /usr/local/samba/lib/bind9/dlz_bind9.so: failed to map segment from shared object: Permission denied
Mar 26 21:56:14 localhost named[3618]: dlz_dlopen of 'AD DNS Zone' failed
Mar 26 21:56:14 localhost named[3618]: SDLZ driver failed to load.
Mar 26 21:56:14 localhost named[3618]: DLZ driver failed to load.
Mar 26 21:56:14 localhost named[3618]: loading configuration: failure
Mar 26 21:56:14 localhost named[3618]: exiting (due to fatal error)
[root@ad bind9]#
I'm using CentOS 6.4. How can I fix this?
Thanks!
Oooops, never mind, I forgot to disable selinux. Thanks!
Jejeje no problem!! If you prefer, you can set up SELinux rules:
http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO#Step_11:_Permissions.2C_SELinux_Labeling_and_Policy
Very thankful for your tutorial, it's useful for me. I did it without any problem on CentOS 6.
And successfully added Windows clients to SAMBA4.
I am unable to add a Linux SAMBA client to SAMBA4.
Can you provide a doc for adding a domain member for Linux clients? I tried but failed.
Thanks in advance.. Kapil
Thank you Kapil!! You can try with likewise-open, I used it to authenticate Linux clients to AD servers.
You need to rename /etc/init.d/samba to /etc/init.d/samba4, otherwise the killall samba command in the stop section of the init script will also kill the utility script and give an error when stopping or restarting the samba service.
A very well written todo, thank you.
Changed it!! Thanks for your suggestion!!
Please, I am much more in love with Linux and I really need help on this Samba 4 domain controller thing. I want to master it; your tutorials really help, but can I get it in PDF form because I am not always on the internet? I will be very grateful, and if I could get other tutorials on other types of Linux servers I would be much more grateful. Keep up with your good work and may God richly bless you. George from Ghana!!!
Thank You, it help me a lot! It works fine.
Can we import users and machines from old samba versions? I'm updating an old samba version 3.0.26 that uses the file /etc/samba/smbpasswd and I don't want to join the computers to the domain again.
Here is a nice automated samba 4 domain controller implementation:
http://razdc.com
Hi
# wget http://ftp.samba.org/pub/samba/samba-4.0.0.tar.gz is giving an error:
resolving http://ftp.samba.org... 216.83.154.106,
connected to http://ftp.samba.org 216.83.154.106|:80 — connected
2001:470:1f05:1a07::1
HTTP request sent , awaiting response …
404 Not found .
2013-10-09 17:39:55 ERROR 404:Not found
http://ftp.samba.org/pub/samba/samba-latest.tar.gz
Updated the URL! Thanks Norman! 😉
No problem, thanks for the awesome article Ivan.
Hi Ivan
I have used
#wget http://ftp.samba.org/pub/samba/stable/samba-4.0.10.tar.gz
this is the latest samba4 release
and followed the rest of your instructions.
Hope it will work.
regards
barun
Do not forget to add "acl" in fstab:
# cat /etc/fstab
/dev/mapper/vg_dc-lv_root / ext4 defaults,acl 1 1
Firstly, great tutorial.
Has anyone else had issues with clients being denied the right to update DNS records?
DC1 named[1019]: client 10.1.1.145#64455: update 'murrayas.local/IN' denied
samba_dnsupdate --verbose --all-names works perfectly and all updates are successful. So it looks like it's a configuration that is denying clients only, seeing as the server is allowed.
Any ideas??
Hi
I've excluded my internal DNS and now I can't put any machine in the domain.
Is it possible to add the internal DNS without doing a new domain provision with samba-tool?
My external DNS works properly.
The dig command just shows my external IP.
Thanks
Check out RazDC, a fully automated samba4 domain controller with a web interface. Yes, it's built on the latest CentOS 6.5 and Samba 4.1.
Thanks for your great post, but can you post an article about a backup DC?