>_Samba4.1 Domain member controller – Slave 1.1

Neste tutorial, vou abordar a configuração do Samba 4.1 como Domain member controller – Slave, buscando toda a base de dados nos servidores Active Directory Windows 2008 R2.

OBS: Não irei abordar a configuração de Firewall e SELinux; irei comentar apenas a instalação e a configuração do Samba4.1.

Cenário:

samba4-1

Domínio:
dtd.intranet

Matriz:
1 Servidor Windows Server 2008R2 – IP 192.168.1.41 já em Produção
1 Servidor Windows Server 2008R2 – IP 192.168.1.43 já em Produção

Filial:
1 Servidor CentOS 6.5 x64 – IP 192.168.6.1

Passo 1 – Configuração da interface de rede eth0

# vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
HWADDR=84:C9:B2:47:28:40
TYPE=Ethernet
UUID=71f382cf-01ae-4487-92cf-15816163ff5e
ONBOOT=yes
NM_CONTROLLED=no
BOOTPROTO=static
IPADDR=192.168.6.1
NETMASK=255.255.254.0

Passo 2 – Configuração do arquivo resolv.conf, apontando para os DNS dos servidores da Matriz e para o próprio servidor Samba4.1 (localhost)

# vim /etc/resolv.conf
domain dtd.intranet
search dtd.intranet
nameserver 192.168.1.41
nameserver 192.168.1.43
nameserver 127.0.0.1

Passo 3 – Instalação dos pacotes necessários para compilação do Samba4.1

# yum install  openldap-devel pam-devel git gcc make wget  libacl-devel libblkid-devel gnutls-devel readline-devel python-devel cups-devel \
libaio-devel quota-devel ctdb-devel krb5-devel krb5-workstation acl setroubleshoot-server setroubleshoot-plugins policycoreutils-python \
libsemanage-python setools-libs-python setools-libs popt-devel libpcap-devel libidn-devel libxml2-devel libacl-devel libsepol-devel libattr-devel \
keyutils-libs-devel cyrus-sasl-devel cups-devel bind-utils bind-sdb bind-devel bind-libs bind avahi-devel mingw32-iconv gamin \
libcap-devel rpc2-devel glusterfs-devel python-dns -y

Passo 4 – Atualização do servidor

# yum update -y

Passo 5 – Desabilitando o Winbind da inicialização

# chkconfig winbind off

Passo 6 – Acertando o horário do Servidor Samba4.1 com os servidores da Matriz (o Kerberos exige relógios sincronizados; em produção, mantenha a sincronização contínua via NTP)

# net time set -I dtd.intranet

Passo 7 – Download do Samba4.1

# wget ftp://ftp.samba.org/pub/samba/stable/samba-4.1.3.tar.gz -P /opt
# cd /opt
# tar -xvf samba-4.1.3.tar.gz 
# cd samba-4.1.3

Passo 8 – Compilação do Samba4.1

# ./configure --enable-debug --enable-selftest
# make ; make install

Passo 9 – Configuração e instalação do DNS local do servidor Samba4.1

# yum install bind.x86_64
# cp /etc/named.conf /etc/named.conf.old

Passo 10 – Configurando o arquivo named.conf

# vim /etc/named.conf
options {
        auth-nxdomain yes;
        listen-on port 53 { 127.0.0.1; 192.168.6.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost; 192.168.6.0/23; 192.168.0.0/22; };
        allow-recursion { localhost; 192.168.6.0/23; 192.168.0.0/22; };
        forwarders { 8.8.8.8; 8.8.4.4; };
        recursion yes;
        allow-transfer { none; };
        notify no;

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

Passo 11 – Iniciando o servidor DNS

# service named start
# chkconfig named on

Passo 12 – Configurando o Samba4.1 como Domain Controller membro do domínio

# cd /usr/local/samba/bin/
# ./samba-tool domain join dtd.intranet DC -U administrator --realm=dtd.intranet --dns-backend=BIND9_DLZ
Finding a writeable DC for domain 'dtd.intranet'
Found DC SRVDOM2.dtd.intranet
Password for [WORKGROUP\administrator]:

Passo 13 – Ajustando os arquivos de acordo com o Samba4.1

# mv /etc/samba/smb.conf /etc/samba/smb.conf.old
# mv /etc/krb5.conf /etc/krb5.conf.old
# ln -s /usr/local/samba/etc/smb.conf /etc/samba/
# ln -s /usr/local/samba/private/krb5.conf /etc/
# vim /etc/nsswitch.conf 
passwd:     files compat winbind
group:      files compat winbind

Passo 14 – Ajustando a biblioteca NSS do winbind

# cd /lib64/
# rm -rf libnss_winbind.so.2 
# ln -s /usr/local/samba/lib/libnss_winbind.so /lib64
# ln -s /lib64/libnss_winbind.so /lib64/libnss_winbind.so.2
# ldconfig

Passo 15 – Ajustando o servidor DNS local, incluindo as duas linhas a seguir no named.conf (o arquivo completo é mostrado abaixo):
tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
include "/usr/local/samba/private/named.conf";

# vim /etc/named.conf
options {
        auth-nxdomain yes;
        listen-on port 53 { 127.0.0.1; 192.168.6.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost; 192.168.6.0/23; 192.168.0.0/22; };
        allow-recursion { localhost; 192.168.6.0/23; 192.168.0.0/22; };
        forwarders { 8.8.8.8; 8.8.4.4; };
        recursion yes;
        allow-transfer { none; };
        notify no;

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/usr/local/samba/private/named.conf";

Passo 16 – Reiniciando o servidor de DNS local

# service named restart

Passo 17 – Iniciando o Samba4.1

# cd /usr/local/samba/sbin/
# ./samba
# ./nmbd 
# ./winbindd

Passo 18 – Verificando se o servidor Samba4.1 foi iniciado

# ps aux | grep samba
root     27984  2.2  1.1 541352 44892 ?        Ss   19:43   0:00 ./samba
root     27985  0.0  0.8 541352 32164 ?        S    19:43   0:00 ./samba
root     27986  0.3  0.9 546200 37460 ?        S    19:43   0:00 ./samba
root     27987  3.0  1.2 596616 47176 ?        Ss   19:43   0:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
root     27988  0.0  0.8 545504 34680 ?        S    19:43   0:00 ./samba
root     27989  0.0  0.8 541352 32116 ?        S    19:43   0:00 ./samba
root     27990  5.1  0.8 541352 34356 ?        S    19:43   0:00 ./samba
root     27991  0.0  0.8 541352 32700 ?        S    19:43   0:00 ./samba
root     27992  0.0  0.8 541352 34292 ?        S    19:43   0:00 ./samba
root     27993  0.0  0.8 545504 34820 ?        S    19:43   0:00 ./samba
root     27994  0.1  0.9 548016 36020 ?        S    19:43   0:00 ./samba
root     27995  0.0  0.8 541352 32232 ?        S    19:43   0:00 ./samba
root     27996  0.0  0.8 541352 33220 ?        S    19:43   0:00 ./samba
root     27997  0.0  0.8 541352 33188 ?        S    19:43   0:00 ./samba
root     28046  0.0  0.8 596100 32616 ?        S    19:43   0:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
root     28090  0.0  0.0 103252   884 pts/0    S+   19:43   0:00 grep samba

Passo 18 – Realizando teste de DNS

# host -t SRV _ldap._tcp.dtd.intranet.
_ldap._tcp.dtd.intranet has SRV record 0 100 389 vl-maria.dtd.intranet.
_ldap._tcp.dtd.intranet has SRV record 0 100 389 srvdom1.dtd.intranet.
_ldap._tcp.dtd.intranet has SRV record 0 100 389 srvdom2.dtd.intranet.
# nslookup dtd.intranet
Server:		192.168.1.41
Address:	192.168.1.41#53

Name:	dtd.intranet
Address: 192.168.0.3
Name:	dtd.intranet
Address: 192.168.0.2
Name:	dtd.intranet
Address: 192.168.6.1
Name:	dtd.intranet
Address: 192.168.1.41
Name:	dtd.intranet
Address: 192.168.1.43
# host -t A vl-maria.dtd.intranet
vl-maria.dtd.intranet has address 192.168.6.1

Passo 19 – Testando a atualização dinâmica de DNS entre o servidor Samba4.1 e os servidores da Matriz

# ./samba_dnsupdate --verbose 
IPs: ['192.168.6.1']
Skipping PDC entry (SRV _ldap._tcp.pdc._msdcs.${DNSDOMAIN}                   ${HOSTNAME} 389) as we are not a PDC
Skipping PDC entry (SRV _ldap._tcp.pdc._msdcs.${DNSFOREST}                   ${HOSTNAME} 389) as we are not a PDC
Looking for DNS entry A dtd.intranet 192.168.6.1 as dtd.intranet.
Looking for DNS entry A vl-maria.dtd.intranet 192.168.6.1 as vl-maria.dtd.intranet.
Looking for DNS entry A gc._msdcs.dtd.intranet 192.168.6.1 as gc._msdcs.dtd.intranet.
Looking for DNS entry CNAME f7076a62-6bdb-4ac6-8925-20a229fe4d0d._msdcs.dtd.intranet vl-maria.dtd.intranet as f7076a62-6bdb-4ac6-8925-20a229fe4d0d._msdcs.dtd.intranet.
Looking for DNS entry SRV _kpasswd._tcp.dtd.intranet vl-maria.dtd.intranet 464 as _kpasswd._tcp.dtd.intranet.
Checking 0 100 464 srvdom2.dtd.intranet. against SRV _kpasswd._tcp.dtd.intranet vl-maria.dtd.intranet 464
Checking 0 100 464 srvdom1.dtd.intranet. against SRV _kpasswd._tcp.dtd.intranet vl-maria.dtd.intranet 464
Checking 0 100 464 vl-maria.dtd.intranet. against SRV _kpasswd._tcp.dtd.intranet vl-maria.dtd.intranet 464
Looking for DNS entry SRV _kpasswd._udp.dtd.intranet vl-maria.dtd.intranet 464 as _kpasswd._udp.dtd.intranet.
Checking 0 100 464 srvdom2.dtd.intranet. against SRV _kpasswd._udp.dtd.intranet vl-maria.dtd.intranet 464
Checking 0 100 464 srvdom1.dtd.intranet. against SRV _kpasswd._udp.dtd.intranet vl-maria.dtd.intranet 464
Checking 0 100 464 vl-maria.dtd.intranet. against SRV _kpasswd._udp.dtd.intranet vl-maria.dtd.intranet 464
Looking for DNS entry SRV _kerberos._tcp.dtd.intranet vl-maria.dtd.intranet 88 as _kerberos._tcp.dtd.intranet.
Checking 0 100 88 srvdom1.dtd.intranet. against SRV _kerberos._tcp.dtd.intranet vl-maria.dtd.intranet 88
Checking 0 100 88 vl-maria.dtd.intranet. against SRV _kerberos._tcp.dtd.intranet vl-maria.dtd.intranet 88
Looking for DNS entry SRV _kerberos._tcp.dc._msdcs.dtd.intranet vl-maria.dtd.intranet 88 as _kerberos._tcp.dc._msdcs.dtd.intranet.
Checking 0 100 88 srvdom2.dtd.intranet. against SRV _kerberos._tcp.dc._msdcs.dtd.intranet vl-maria.dtd.intranet 88
Checking 0 100 88 srvdom1.dtd.intranet. against SRV _kerberos._tcp.dc._msdcs.dtd.intranet vl-maria.dtd.intranet 88
Checking 0 100 88 vl-maria.dtd.intranet. against SRV _kerberos._tcp.dc._msdcs.dtd.intranet vl-maria.dtd.intranet 88
Looking for DNS entry SRV _kerberos._tcp.default-first-site-name._sites.dtd.intranet vl-maria.dtd.intranet 88 as _kerberos._tcp.default-first-site-name._sites.dtd.intranet.
Checking 0 100 88 srvdom2.dtd.intranet. against SRV _kerberos._tcp.default-first-site-name._sites.dtd.intranet vl-maria.dtd.intranet 88
Checking 0 100 88 srvdom1.dtd.intranet. against SRV _kerberos._tcp.default-first-site-name._sites.dtd.intranet vl-maria.dtd.intranet 88
Checking 0 100 88 vl-maria.dtd.intranet. against SRV _kerberos._tcp.default-first-site-name._sites.dtd.intranet vl-maria.dtd.intranet 88
Looking for DNS entry SRV _kerberos._tcp.default-first-site-name._sites.dc._msdcs.dtd.intranet vl-maria.dtd.intranet 88 as _kerberos._tcp.default-first-site-name._sites.dc._msdcs.dtd.intranet.
Checking 0 100 88 srvdom2.dtd.intranet. against SRV _kerberos._tcp.default-first-site-name._sites.dc._msdcs.dtd.intranet vl-maria.dtd.intranet 88
Checking 0 100 88 srvdom1.dtd.intranet. against SRV _kerberos._tcp.default-first-site-name._sites.dc._msdcs.dtd.intranet vl-maria.dtd.intranet 88
Checking 0 100 88 vl-maria.dtd.intranet. against SRV _kerberos._tcp.default-first-site-name._sites.dc._msdcs.dtd.intranet vl-maria.dtd.intranet 88
Looking for DNS entry SRV _kerberos._udp.dtd.intranet vl-maria.dtd.intranet 88 as _kerberos._udp.dtd.intranet.
Checking 0 100 88 vl-maria.dtd.intranet. against SRV _kerberos._udp.dtd.intranet vl-maria.dtd.intranet 88
Looking for DNS entry SRV _ldap._tcp.dtd.intranet vl-maria.dtd.intranet 389 as _ldap._tcp.dtd.intranet.
Checking 0 100 389 srvdom1.dtd.intranet. against SRV _ldap._tcp.dtd.intranet vl-maria.dtd.intranet 389
Checking 0 100 389 srvdom2.dtd.intranet. against SRV _ldap._tcp.dtd.intranet vl-maria.dtd.intranet 389
Checking 0 100 389 vl-maria.dtd.intranet. against SRV _ldap._tcp.dtd.intranet vl-maria.dtd.intranet 389
Looking for DNS entry SRV _ldap._tcp.dc._msdcs.dtd.intranet vl-maria.dtd.intranet 389 as _ldap._tcp.dc._msdcs.dtd.intranet.
Checking 0 100 389 vl-maria.dtd.intranet. against SRV _ldap._tcp.dc._msdcs.dtd.intranet vl-maria.dtd.intranet 389
Looking for DNS entry SRV _ldap._tcp.gc._msdcs.dtd.intranet vl-maria.dtd.intranet 3268 as _ldap._tcp.gc._msdcs.dtd.intranet.
Checking 0 100 3268 srvdom2.dtd.intranet. against SRV _ldap._tcp.gc._msdcs.dtd.intranet vl-maria.dtd.intranet 3268
Checking 0 100 3268 vl-maria.dtd.intranet. against SRV _ldap._tcp.gc._msdcs.dtd.intranet vl-maria.dtd.intranet 3268
Looking for DNS entry SRV _ldap._tcp.default-first-site-name._sites.dtd.intranet vl-maria.dtd.intranet 389 as _ldap._tcp.default-first-site-name._sites.dtd.intranet.
Checking 0 100 389 srvdom2.dtd.intranet. against SRV _ldap._tcp.default-first-site-name._sites.dtd.intranet vl-maria.dtd.intranet 389
Checking 0 100 389 srvdom1.dtd.intranet. against SRV _ldap._tcp.default-first-site-name._sites.dtd.intranet vl-maria.dtd.intranet 389
Checking 0 100 389 vl-maria.dtd.intranet. against SRV _ldap._tcp.default-first-site-name._sites.dtd.intranet vl-maria.dtd.intranet 389
Looking for DNS entry SRV _ldap._tcp.default-first-site-name._sites.dc._msdcs.dtd.intranet vl-maria.dtd.intranet 389 as _ldap._tcp.default-first-site-name._sites.dc._msdcs.dtd.intranet.
Checking 0 100 389 srvdom1.dtd.intranet. against SRV _ldap._tcp.default-first-site-name._sites.dc._msdcs.dtd.intranet vl-maria.dtd.intranet 389
Checking 0 100 389 vl-maria.dtd.intranet. against SRV _ldap._tcp.default-first-site-name._sites.dc._msdcs.dtd.intranet vl-maria.dtd.intranet 389
Looking for DNS entry SRV _ldap._tcp.default-first-site-name._sites.gc._msdcs.dtd.intranet vl-maria.dtd.intranet 3268 as _ldap._tcp.default-first-site-name._sites.gc._msdcs.dtd.intranet.
Checking 0 100 3268 srvdom2.dtd.intranet. against SRV _ldap._tcp.default-first-site-name._sites.gc._msdcs.dtd.intranet vl-maria.dtd.intranet 3268
Checking 0 100 3268 srvdom1.dtd.intranet. against SRV _ldap._tcp.default-first-site-name._sites.gc._msdcs.dtd.intranet vl-maria.dtd.intranet 3268
Checking 0 100 3268 vl-maria.dtd.intranet. against SRV _ldap._tcp.default-first-site-name._sites.gc._msdcs.dtd.intranet vl-maria.dtd.intranet 3268
Looking for DNS entry SRV _ldap._tcp.0c13fffb-2b65-42c6-b2f9-adbc0e4a0750.domains._msdcs.dtd.intranet vl-maria.dtd.intranet 389 as _ldap._tcp.0c13fffb-2b65-42c6-b2f9-adbc0e4a0750.domains._msdcs.dtd.intranet.
Checking 0 100 389 vl-maria.dtd.intranet. against SRV _ldap._tcp.0c13fffb-2b65-42c6-b2f9-adbc0e4a0750.domains._msdcs.dtd.intranet vl-maria.dtd.intranet 389
Looking for DNS entry SRV _gc._tcp.dtd.intranet vl-maria.dtd.intranet 3268 as _gc._tcp.dtd.intranet.
Checking 0 100 3268 vl-maria.dtd.intranet. against SRV _gc._tcp.dtd.intranet vl-maria.dtd.intranet 3268
Looking for DNS entry SRV _gc._tcp.default-first-site-name._sites.dtd.intranet vl-maria.dtd.intranet 3268 as _gc._tcp.default-first-site-name._sites.dtd.intranet.
Checking 0 100 3268 vl-maria.dtd.intranet. against SRV _gc._tcp.default-first-site-name._sites.dtd.intranet vl-maria.dtd.intranet 3268
No DNS updates needed

Passo 20 – Forçando a atualização de todos os registros DNS

# ./samba_dnsupdate --verbose --all-names
IPs: ['192.168.6.1']
Skipping PDC entry (SRV _ldap._tcp.pdc._msdcs.${DNSDOMAIN}                   ${HOSTNAME} 389) as we are not a PDC
Skipping PDC entry (SRV _ldap._tcp.pdc._msdcs.${DNSFOREST}                   ${HOSTNAME} 389) as we are not a PDC
Calling nsupdate for A dtd.intranet 192.168.6.1
Outgoing update query:
;; ->>HEADER<<- [saída detalhada do nsupdate, um bloco por registro atualizado, truncada na extração desta página]

Passo 21 – Acertando o PATH do usuário root

# echo "export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11:/usr/local/samba/sbin:/usr/local/samba/bin" >> /root/.bashrc

Passo 22 – Script de inicialização do Samba4

# vim /etc/init.d/samba4
#!/bin/bash
#
# chkconfig: - 91 35
# description: Starts and stops the Samba smbd daemon \
#	       used to provide SMB network services.
#
# pidfile: /var/run/samba/smbd.pid
# config:  /etc/samba/smb.conf

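# Source function library (provides killproc/status used by the helpers below).
if [ -f /etc/init.d/functions ] ; then
  . /etc/init.d/functions
elif [ -f /etc/rc.d/init.d/functions ] ; then
  . /etc/rc.d/init.d/functions
else
  exit 1
fi

# Avoid using root's TMPDIR
unset TMPDIR

# Source networking configuration.
. /etc/sysconfig/network

# Optional per-host overrides. This file is executed as shell code by root,
# so it must stay root-owned and not writable by other users.
if [ -f /etc/sysconfig/samba ]; then
   . /etc/sysconfig/samba
fi

# Check that networking is up.
# NETWORKING is quoted: unquoted, an unset variable turns the test into
# `[ = "no" ]`, which is a test syntax error printed to stderr rather than a
# comparison.
[ "${NETWORKING}" = "no" ] && exit 1

# Check that smb.conf exists.
[ -f /usr/local/samba/etc/smb.conf ] || exit 6

# Exit status shared by the start/stop/reload helpers.
RETVAL=0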

start() {
	# Start the Samba AD DC daemon; on success mark it as running with the
	# lock file that stop() removes again.
	# Returns: 0 when the daemon started and the lock file was written,
	#          1 otherwise (also sets the global RETVAL).
	KIND="SMB"
	echo -n $"Starting $KIND services: "
	/usr/local/samba/sbin/samba
	RETVAL=$?
	echo
	if [ $RETVAL -eq 0 ]; then
		# Daemon is up; a failed touch is still reported as a failed start.
		touch /usr/local/samba/var/lock/smb || RETVAL=1
	else
		# Any non-zero daemon exit status is normalised to 1.
		RETVAL=1
	fi
	return $RETVAL
}

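stop() {
	# Stop the Samba AD DC daemon and clear the lock file written by start().
	# Returns: killproc's exit status (also stored in the global RETVAL).
	KIND="SMB"
	echo -n $"Shutting down $KIND services: "
	# start() launches /usr/local/samba/sbin/samba, so that is the process to
	# signal. The original `killproc smbd` only hit the smbd child processes
	# and left the parent `samba` processes running, so "stop" never actually
	# stopped the service. The parent is expected to take its smbd/winbindd
	# children down with it -- TODO confirm on this build.
	killproc samba
	RETVAL=$?
	echo
	[ $RETVAL -eq 0 ] && rm -f /usr/local/samba/var/lock/smb
	return $RETVAL
}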

restart() {
	# Full restart: stop() is always followed by start(), regardless of
	# stop()'s status, and the function's exit status is start()'s.
	stop
	start
}

reload() {
	# Ask smbd to re-read smb.conf by sending it SIGHUP via killproc.
	# Returns: killproc's exit status (also stored in the global RETVAL).
	local rc
	echo -n $"Reloading smb.conf file: "
	killproc smbd -HUP
	rc=$?
	echo
	RETVAL=$rc
	return "$rc"
}

rhstatus() {
	# Report smbd's state using the init-functions `status` helper; "-l smb"
	# names the subsys lock it checks. The helper's status is the function's
	# status (an explicit `return $?` would be the same).
	status -l smb smbd
}

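# Allow status as non-root.
if [ "$1" = status ]; then
	rhstatus
	exit $?
fi

# Check that we can write to it... so non-root users stop here
[ -w /usr/local/samba/etc/smb.conf ] || exit 4

# Dispatch on the requested action; unknown actions print usage and exit 2.
case "$1" in
  start)
	start
	;;
  stop)
	stop
	;;
  restart)
	restart
	;;
  reload)
	reload
	;;
  status)
	# Not normally reached: "status" is handled by the early exit above.
	rhstatus
	;;
  condrestart)
	# Restart only if start() recorded a running instance. start() creates
	# /usr/local/samba/var/lock/smb, but this arm used to test
	# /var/lock/subsys/smb, which nothing in this script creates, so
	# condrestart was always a no-op. A failed restart now also propagates
	# its exit status instead of being masked by `|| :`.
	if [ -f /usr/local/samba/var/lock/smb ]; then
		restart
	fi
	;;
  *)
	echo $"Usage: $0 {start|stop|restart|reload|status|condrestart}"
	exit 2
	;;
esac

# Exit with the status of the action that ran.
exit $?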

Passo 23 – Ativando o script para iniciar junto com o sistema operacional

# chmod +x /etc/init.d/samba4
# chkconfig samba4 on

Passo 24 – Renomeando o antigo binário wbinfo (da distribuição) para wbinfo.old, para que o wbinfo do Samba4.1 passe a ser usado

# wbinfo  -t
could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
could not obtain winbind domain name!
checking the trust secret for domain (null) via RPC calls failed
failed to call wbcCheckTrustCredentials: WBC_ERR_WINBIND_NOT_AVAILABLE
Could not check secret
# mv  /usr/bin/wbinfo /usr/bin/wbinfo.old
# wbinfo -t
checking the trust secret for domain DTD via RPC calls succeeded

Fonte:
https://wiki.samba.org
