Configuring Samba4 as an AD Domain Controller
Jun 6, 2014
1 minute read

Environment:

* archlinux
* samba 4.1.8

  1. Install the required packages

    pacman -S dnsutils krb5 ntp openldap samba
    
  2. Configure fstab (user_xattr and acl) so that Unix and OS X systems can also join the domain

    /dev/...          /srv/samba/demo          ext4          user_xattr,acl,barrier=1          1 1
    
  3. Use samba-tool to generate the Samba 4 configuration file

    samba-tool domain provision --use-rfc2307 --interactive --use-xattrs=yes
    

    Enter interactively, in turn, the domain name, host name and administrator password; accept the defaults for everything else
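
Since `--use-xattrs=yes` stores the NT ACLs in extended attributes, the filesystem under the Samba data directory (`/srv/samba/demo` in the fstab line above) must really support `user_xattr` and `acl`. The following pre-flight script is an added example (not part of the original post): it parses the mount option string and, because recent kernels enable both on ext4 without listing them in the mount options, also writes and reads back a real `user.*` attribute. The function names are mine; it assumes `findmnt` (util-linux) and `setfattr`/`getfattr` (attr) are installed.

```shell
#!/bin/sh
# Pre-flight check before `samba-tool domain provision --use-xattrs=yes`.
# Added example, not from the original post; helper names are assumptions.

# mount_opts_ok OPTS
#   OPTS is a comma-separated mount option string as printed by findmnt or
#   found in /proc/mounts. Returns 0 only when both user_xattr and acl appear.
mount_opts_ok() {
    opts=",$1,"
    case "$opts" in
        *,user_xattr,*) ;;
        *) return 1 ;;
    esac
    case "$opts" in
        *,acl,*) return 0 ;;
        *) return 1 ;;
    esac
}

# mount_opts_for PATH
#   Prints the option string of the mount that contains PATH (needs findmnt).
mount_opts_for() {
    findmnt -n -o OPTIONS --target "$1"
}

# xattr_roundtrip DIR
#   Writes a user.* attribute to a temporary file in DIR and reads it back.
#   Returns 0 on success; needs setfattr/getfattr from the attr package.
xattr_roundtrip() {
    dir=$1
    f=$(mktemp "$dir/.xattrcheck.XXXXXX") || return 1
    setfattr -n user.samba_check -v ok "$f" 2>/dev/null || { rm -f "$f"; return 1; }
    got=$(getfattr --only-values -n user.samba_check "$f" 2>/dev/null)
    rm -f "$f"
    [ "$got" = "ok" ]
}

# preflight DIR
#   Warns when the mount options do not list user_xattr/acl (they may be the
#   filesystem default), but fails only if an xattr cannot be stored at all.
preflight() {
    dir=${1:-/srv/samba/demo}
    opts=$(mount_opts_for "$dir") || { echo "cannot determine mount for $dir"; return 1; }
    if mount_opts_ok "$opts"; then
        echo "mount options ok: $opts"
    else
        echo "warning: user_xattr/acl not listed in mount options: $opts"
    fi
    if xattr_roundtrip "$dir"; then
        echo "xattr round-trip ok on $dir"
    else
        echo "xattr round-trip FAILED on $dir; fix fstab before provisioning"
        return 1
    fi
}

# Usage: . ./samba_preflight.sh && preflight /srv/samba/demo
```

Run it as root on the directory that will hold the provisioned domain; a failed round-trip means `samba-tool domain provision --use-xattrs=yes` would silently lose ACL information, so stop and correct the fstab entry first.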


  4. Configure services

    Use the following commands to set up the ntpd service

    ```bash
    mv /etc/ntp.conf{,.default}
    cat > /etc/ntp.conf << "EOF"
    # Begin /etc/ntp.conf
    
    # Associate to the public NTP pool servers
    server 0.pool.ntp.org
    server 1.pool.ntp.org
    server 2.pool.ntp.org
    
    # Location of drift file
    driftfile /var/lib/ntp/ntp.drift
    
    # Location of the log file
    logfile /var/log/ntp
    
    # Location of the update directory
    ntpsigndsocket /var/lib/samba/ntp_signd/
    
    # Restrictions
    restrict default kod nomodify notrap nopeer mssntp
    restrict 127.0.0.1
    restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
    restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
    restrict 2.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
    
    # End /etc/ntp.conf
    EOF
    install -d /var/lib/samba/ntp_signd
    chown root:ntp /var/lib/samba/ntp_signd
    chmod 0750 /var/lib/samba/ntp_signd
    systemctl enable ntpd.service
    systemctl start ntpd
    ```
    

    Use the local machine's IP as the DNS server

    cat >> /etc/resolvconf.conf << "EOF"
    search_domains=internal.domain.tld
    name_servers=xxx.xxx.xxx.xxx 
    EOF
    resolvconf -u
    

    Kerberos configuration (krb5.conf)

    mv /etc/krb5.conf{,.default}
    cp /var/lib/samba/private/krb5.conf /etc
    

    Start the Samba service

    rm -rf /var/lib/samba/ntp_signd
    systemctl enable samba.service
    systemctl start samba
    

    Fix the permission problem ntp may run into

    chgrp ntp /var/lib/samba/ntp_signd
    systemctl restart ntpd
    

    Enable the LDB modules

    echo "export LDB_MODULES_PATH=\"\${LDB_MODULES_PATH}:/usr/lib/samba/ldb\"" > /etc/profile.d/sambaldb.sh
    chmod 0755 /etc/profile.d/sambaldb.sh
    

5. Test whether the configuration works: DNS

    host -t SRV _ldap._tcp.internal.domain.com.
    host -t SRV _kerberos._udp.internal.domain.com.
    host -t A server.internal.domain.com.
If the output looks like the following, it succeeded:

    _ldap._tcp.internal.domain.com has SRV record 0 100 389 server.internal.domain.com.
    _kerberos._udp.internal.domain.com has SRV record 0 100 88      server.internal.domain.com.
    server.internal.domain.com has address xxx.xxx.xxx.xxx
NT logon verification

    smbclient //localhost/netlogon -U Administrator -c 'ls'
Kerberos

    kinit administrator@INTERNAL.DOMAIN.COM   # note: the realm must be upper case
Output is as follows:

    Warning: Your password will expire in 41 days on Wed 08 Jan 2014 11:59:11 PM CST
Confirm that an authenticated ticket was obtained:

    klist
Output is as follows:

    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: administrator@INTERNAL.DOMAIN.COM

    Valid starting       Expires              Service principal
    11/28/2013 00:22:17  11/28/2013 10:22:17        krbtgt/INTERNAL.DOMAIN.COM@INTERNAL.DOMAIN.COM
        renew until 11/29/2013 00:22:14

Finally, use smbclient to test that the ticket works:

    smbclient //server/netlogon -k -c 'ls'

_quoted from Samba 4 Active Directory Domain Controller_
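
The manual checks in step 5 (SRV records on the right ports, an upper-case realm for `kinit`, a TGT in the cache, Kerberos access to `netlogon`) can be scripted so they are repeatable after every change to the DC. The script below is an added example, not part of the original post: `srv_record_ok` and `realm_is_upper` are pure checks over the `host` output format shown above, and `verify_dc` runs them live. It assumes `host` (dnsutils), `kinit`/`klist` (krb5) and `smbclient` are installed and that the DC is reachable; the function names are mine.

```shell
#!/bin/sh
# Post-provision verification of a Samba 4 AD DC.
# Added example, not from the original post; helper names are assumptions.

# srv_record_ok LINE PORT TARGET
#   LINE is one line of `host -t SRV` output, e.g. (constructed from the
#   sample output above):
#   "_ldap._tcp.internal.domain.com has SRV record 0 100 389 server.internal.domain.com."
#   Returns 0 when the record points at PORT on TARGET (trailing dot optional).
srv_record_ok() {
    line=$1 port=$2 target=$3
    case "$line" in
        *" has SRV record "*) ;;
        *) return 1 ;;          # NXDOMAIN or any other non-SRV answer
    esac
    rest=${line#* has SRV record }
    # remaining fields: priority weight port target (any amount of whitespace)
    set -- $rest
    [ "$#" -eq 4 ] || return 1
    [ "$3" = "$port" ] || return 1
    [ "${4%.}" = "${target%.}" ]
}

# realm_is_upper PRINCIPAL
#   kinit against the Samba KDC needs the realm in upper case; returns 0 if
#   PRINCIPAL has an @REALM part and it is entirely upper case.
realm_is_upper() {
    realm=${1#*@}
    [ -n "$realm" ] && [ "$realm" != "$1" ] || return 1
    upper=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
    [ "$realm" = "$upper" ]
}

# verify_dc DOMAIN DCHOST
#   Live checks against a reachable DC; prompts for the administrator password.
verify_dc() {
    domain=$1 dc=$2 fail=0
    ldap=$(host -t SRV "_ldap._tcp.$domain." | head -n1)
    srv_record_ok "$ldap" 389 "$dc" || { echo "bad LDAP SRV: $ldap"; fail=1; }
    krb=$(host -t SRV "_kerberos._udp.$domain." | head -n1)
    srv_record_ok "$krb" 88 "$dc" || { echo "bad Kerberos SRV: $krb"; fail=1; }
    realm=$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')
    principal="administrator@$realm"
    realm_is_upper "$principal" || fail=1
    if kinit "$principal"; then
        klist | grep -q "krbtgt/$realm@$realm" || { echo "no TGT in cache"; fail=1; }
        smbclient "//$dc/netlogon" -k -c 'ls' >/dev/null \
            || { echo "Kerberos access to netlogon failed"; fail=1; }
    else
        echo "kinit failed for $principal"; fail=1
    fi
    return $fail
}

# Usage: verify_dc internal.domain.com server.internal.domain.com
```

A non-zero exit from `verify_dc` tells you which of the four layers (DNS, realm spelling, KDC, SMB with Kerberos) broke, which is more useful than re-reading `host` output by eye after each config change.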

