What is Samba4 meant to accomplish? In simplest terms, Samba4 is an ambitious, yet achievable, reworking of the Samba code.
Major features for Samba4 already include:
- Support for the 'Active Directory' logon and administration protocols that support Windows XP, Windows 7, and Mac OS X clients
- Support for Group Policy definitions
- New 'full coverage' testsuites
- Full NTFS semantics for sharing backends
- An internal LDAP server, with AD semantics
- An internal Kerberos server, including PAC support
- Bind9 integration for AD DNS support (with DLZ)
- Fully asynchronous internals
- Flexible process models
- Better scalability from micro to very large installations
- New RPC infrastructure (PIDL)
- A flexible database architecture (LDB)
- Python support - used extensively for client and management tools
- Generic security subsystem (GENSEC)
- Over 50% auto-generated code!
Lab Environment
Server: CentOS 6.2
Hostname: server1.example.com
IP Address: 10.10.10.10
DNS: 10.10.10.10
I won't be able to explain each and every configuration part here; for further reference you can visit this website.
To install the latest version of Samba 4 (4.1), follow the link below:
Configure Samba 4.1 in Linux as AD
Prerequisites before starting the configuration
Install the following RPMs:
# yum -y install git gcc libacl-devel libblkid-devel gnutls-devel readline-devel python-devel gdb pkgconfig \
    zlib-devel setroubleshoot-server setroubleshoot-plugins policycoreutils-python libsemanage-python \
    setools-libs-python setools-libs popt-devel libpcap-devel sqlite-devel libidn-devel libxml2-devel \
    libsepol-devel libattr-devel keyutils-libs-devel cyrus-sasl-devel
Once all these packages are installed, move on to the next step: download the Samba4 source, then configure, build and install it.
# git clone git://git.samba.org/samba.git samba-master
# cd samba-master
# ./configure.developer
# make
# make install
Note that this clones the development branch (master) and builds it with developer (debugging) options; for anything beyond a lab, build a release instead and use plain ./configure. If these steps complete without errors, move on to the provisioning step.
/usr/local/samba/sbin/provision --realm=example.com --domain=EXAMPLE --adminpass=SOMEPASSWORD --server-role=dc
In current Samba releases the same step is performed with samba-tool domain provision, which accepts the same --realm, --domain, --adminpass and --server-role options. Be aware that passing --adminpass on the command line leaves the domain Administrator password in your shell history and, while provisioning runs, in the process list; pick a strong password and remove the line from ~/.bash_history afterwards.
Once provisioning completes you will see a summary of the options you chose (realm, domain, server role). Now it is time to start your Samba server.
NOTE: Make sure you do not have any other Samba server installed apart from the one you just built (on CentOS, check with rpm -q that the distribution's samba package is absent), otherwise the two will compete for ports 139/445.
You will have to add the Samba4 directories to your PATH:
# export PATH=$PATH:/usr/local/samba/sbin:/usr/local/samba/bin
Add the same export line to ~/.bash_profile so that you do not need to repeat it every time you log in after a reboot.
Start the Samba services
Execute the following from a terminal as the root user:
# samba
Testing samba4
# smbclient --version
This should print a version string starting with "Version 4.0.XXXXX".
Now try this command:
# smbclient -L localhost -U%
and check that you get a proper reply listing the shares, including sysvol and netlogon.
The 'netlogon' and 'sysvol' shares are basic shares needed for Active Directory server operation.
To test that authentication is working, connect to the netlogon share using the administrator password you set earlier:
# smbclient //localhost/netlogon -Uadministrator%PASSWORD
The %PASSWORD form puts the password on the command line (and therefore in your shell history); use -Uadministrator alone to be prompted for it instead.
(image: samba-download)
Once it was downloaded I repeated the above steps, i.e. configure, make and make install. Once those processes were completed successfully I ran the provision command using the same realm and domain which I had used in the above case. And to my surprise, this time the example.com.zone, sample named.conf and krb5.conf were there in their default location inside /usr/local/samba.
So I copied those files from my test server to the Samba server, into the proper locations. Here I have pasted my krb5.conf, named.conf and example.com.zone; since you will be using a different REALM and domain name, if you are also facing the issue I faced you can follow the same steps which I took here, as it would be hard and risky to create those files manually.
Configure DNS
Make sure the DNS server package (bind) is installed on your machine:
# yum -y install bind
Make the following changes in /etc/named.conf. Two points differ from the CentOS default and matter here: named must listen on the DC's own address (a loopback-only listen-on means domain members pointed at 10.10.10.10 get no answer at all), and recursion should be limited to the local network rather than offered to anyone who can reach the server. The 10.10.10.0/24 below is an assumption about the lab subnet; adjust it to yours.
# vi /etc/named.conf
options {
        listen-on port 53 { 127.0.0.1; 10.10.10.10; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost; any; };
        allow-recursion { localhost; 10.10.10.0/24; };
        recursion yes;
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;
        /* Path to ISC DLV key */
        # bindkeys-file "/etc/named.iscdlv.key";
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
zone "." IN {
        type hint;
        file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/usr/local/samba/private/named.conf";
Run named-checkconf after editing to catch syntax errors before restarting. Also make sure the named user can read the included file and the zone file: provision creates /usr/local/samba/private readable only by root, and with SELinux in enforcing mode the files additionally need a label named is allowed to read.
Now you need to edit /usr/local/samba/private/named.conf, so take a backup of this file and create a new named.conf in the same location with the following contents:
# vi /usr/local/samba/private/named.conf
# This file should be included in your main BIND configuration file
#
# For example with
# include "/usr/local/samba/private/named.conf";

zone "example.com." IN {
        type master;
        file "/usr/local/samba/private/example.com.zone";
        /*
         * Attention: Not all BIND versions support "ms-self". Using
         * allow-update { any; }; instead is another, but less secure, possibility.
         */
        update-policy {
                /*
                 * A rather long description here, as the "ms-self" option does
                 * not appear in any docs yet (it can only be found in the
                 * source code).
                 *
                 * The short of it is that each host is allowed to update its
                 * own A and AAAA records, when the update request is properly
                 * signed by the host itself.
                 *
                 * The long description is (look at the
                 * dst_gssapi_identitymatchesrealmms() call in lib/dns/ssu.c and
                 * its definition in lib/dns/gssapictx.c for details):
                 *
                 * A GSS-TSIG update request will be signed by a given signer
                 * (e.g. machine-name$@EXAMPLE.COM). The signer name is split into
                 * the machine component (e.g. "machine-name") and the realm
                 * component (e.g. "EXAMPLE.COM"). The update is allowed if the
                 * following conditions are met:
                 *
                 * 1) The machine component of the signer name matches the first
                 *    (host) component of the FQDN that is being updated.
                 *
                 * 2) The realm component of the signer name matches the realm
                 *    in the grant statement below (EXAMPLE.COM).
                 *
                 * 3) The domain component of the FQDN that is being updated
                 *    matches the realm in the grant statement below.
                 *
                 * If the 3 conditions above are satisfied, the update succeeds.
                 */
                grant EXAMPLE.COM ms-self * A AAAA;
        };
};

# The reverse zone configuration is optional. The following example assumes a
# subnet of 192.168.123.0/24:
/*
zone "123.168.192.in-addr.arpa" in {
        type master;
        file "123.168.192.in-addr.arpa.zone";
        update-policy {
                grant *.COM wildcard *.123.168.192.in-addr.arpa. PTR;
        };
};
*/
# Note that the reverse zone file is not created during the provision process.
#
# The most recent BIND versions (9.5.0a5 or later) support secure GSS-TSIG
# updates. If you are running an earlier version of BIND, or if you do not wish
# to use secure GSS-TSIG updates, you may remove the update-policy sections in
# both examples above.
The update-policy only has an effect if named can authenticate GSS-TSIG requests, which requires handing it the DNS keytab provision generates (dns.keytab in /usr/local/samba/private) through BIND's tkey-gssapi options. With the static zone file below and no keytab configured, signed client updates are simply refused, which is acceptable for a lab where the records are maintained by hand.
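The comment block above describes the ms-self rule in prose. The following is an added illustration for this article (not BIND's implementation and not part of the original page) that applies the three listed conditions, plus the record-type list of the grant, to a set of constructed update attempts. Signers are treated as AD machine-account principals of the form machine-name$@REALM, as in the comment's example; the workstation names are invented.

```python
"""Model of the BIND 'ms-self' update-policy rule described in the comment above.

Added illustration for this article, not BIND's code: it applies the three
conditions the comment lists to a GSS-TSIG signer and the name being updated,
plus the record-type list of the grant ("A AAAA"). Signers are taken to be AD
machine-account principals of the form machine-name$@REALM. Hostnames below
are constructed for the example.
"""


def ms_self_allows(signer, name, grant_realm, rrtype, granted_types=("A", "AAAA")):
    """Return True if 'grant <grant_realm> ms-self * A AAAA' permits this update.

    signer      -- GSS-TSIG principal that signed the request, e.g. 'WS1$@EXAMPLE.COM'
    name        -- FQDN whose record is being updated, e.g. 'ws1.example.com.'
    grant_realm -- realm named in the grant statement, e.g. 'EXAMPLE.COM'
    rrtype      -- record type carried by the update ('A', 'AAAA', 'CNAME', ...)
    """
    if rrtype.upper() not in granted_types:
        return False                          # the grant covers A and AAAA only
    machine, sep, realm = signer.rpartition("@")
    if not sep or not machine.endswith("$"):
        return False                          # not a machine-account principal
    machine = machine[:-1]                    # strip the trailing '$'
    host, _, domain = name.rstrip(".").partition(".")
    if not domain:
        return False                          # a bare label has no domain component
    return (machine.lower() == host.lower()               # 1) host label matches machine
            and realm.lower() == grant_realm.lower()      # 2) signer realm matches grant
            and domain.lower() == grant_realm.lower())    # 3) name's domain matches grant


# Constructed update attempts: (signer, name, type, expected decision)
ATTEMPTS = [
    ("WS1$@EXAMPLE.COM", "ws1.example.com.", "A", True),          # host updates its own A
    ("WS1$@EXAMPLE.COM", "ws1.example.com.", "AAAA", True),
    ("WS1$@EXAMPLE.COM", "server1.example.com.", "A", False),     # someone else's record
    ("WS1$@EXAMPLE.COM", "ws1.example.com.", "CNAME", False),     # type not in the grant
    ("administrator@EXAMPLE.COM", "ws1.example.com.", "A", False),  # user, not machine
    ("WS1$@OTHER.COM", "ws1.example.com.", "A", False),           # foreign realm
    ("WS1$@EXAMPLE.COM", "ws1.lab.example.com.", "A", False),     # subdomain != realm
]


def evaluate(attempts=ATTEMPTS, grant_realm="EXAMPLE.COM"):
    """Apply the rule to each attempt; return a list of (attempt, decision) pairs."""
    return [(a, ms_self_allows(a[0], a[1], grant_realm, a[2])) for a in attempts]


if __name__ == "__main__":
    for (signer, name, rrtype, _), allowed in evaluate():
        print(f"{signer:28} {rrtype:5} {name:26} -> {'GRANT' if allowed else 'REFUSE'}")
```

The last attempt is the one that bites in practice: because condition 3 compares the updated name's domain with the realm, ms-self only works when the zone name equals the Kerberos realm, so hosts in a sub-zone such as lab.example.com cannot update themselves under this grant.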
# vi /usr/local/samba/private/example.com.zone
; -*- zone -*-
; generated by provision.pl
$ORIGIN example.com.
$TTL 1W
@               IN SOA  @   hostmaster (
                        2012052216  ; serial
                        2D          ; refresh
                        4H          ; retry
                        6W          ; expiry
                        1W )        ; minimum
                IN NS   server1
                IN A    10.10.10.10
;
server1         IN A    10.10.10.10
gc._msdcs       IN CNAME server1
8de12608-9880-4c52-ad21-8a1bf5ef7e41._msdcs IN CNAME server1
;
; global catalog servers
_gc._tcp        IN SRV 0 100 3268 server1
_gc._tcp.Default-First-Site-Name._sites IN SRV 0 100 3268 server1
_ldap._tcp.gc._msdcs IN SRV 0 100 389 server1
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs IN SRV 0 100 389 server1
;
; ldap servers
_ldap._tcp      IN SRV 0 100 389 server1
_ldap._tcp.dc._msdcs IN SRV 0 100 389 server1
_ldap._tcp.pdc._msdcs IN SRV 0 100 389 server1
_ldap._tcp.d709eaf9-d010-4f94-916c-ca3e8e179e24 IN SRV 0 100 389 server1
_ldap._tcp.d709eaf9-d010-4f94-916c-ca3e8e179e24.domains._msdcs IN SRV 0 100 389 server1
_ldap._tcp.Default-First-Site-Name._sites IN SRV 0 100 389 server1
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs IN SRV 0 100 389 server1
;
; krb5 servers
_kerberos._tcp  IN SRV 0 100 88 server1
_kerberos._tcp.dc._msdcs IN SRV 0 100 88 server1
_kerberos._tcp.Default-First-Site-Name._sites IN SRV 0 100 88 server1
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs IN SRV 0 100 88 server1
_kerberos._udp  IN SRV 0 100 88 server1
; MIT kpasswd likes to lookup this name on password change
_kerberos-master._tcp IN SRV 0 100 88 server1
_kerberos-master._udp IN SRV 0 100 88 server1
;
; kpasswd
_kpasswd._tcp   IN SRV 0 100 464 server1
_kpasswd._udp   IN SRV 0 100 464 server1
;
; heimdal 'find realm for host' hack
_kerberos       IN TXT EXAMPLE.COM
samba           IN A 10.10.10.10
The two GUIDs in this file are specific to the DC that was provisioned: the CNAME under _msdcs carries the DC's NTDS Settings objectGUID, and the _ldap._tcp.<guid>.domains._msdcs SRV record carries the domain GUID. Windows clients use both to locate the DC, so when you recreate this file take the values from your own provision output rather than copying the ones above.
Point the server's resolver at its own address (nameserver 10.10.10.10 in /etc/resolv.conf, and DNS1=10.10.10.10 in /etc/sysconfig/network-scripts/ifcfg-eth0 so the setting survives a network restart), then restart the network and the named service:
# service named restart
Check that DNS is working properly; if you get the following replies you are good to go:
# host -t SRV _ldap._tcp.example.com.
_ldap._tcp.example.com has SRV record 0 100 389 server1.example.com.
# host -t SRV _kerberos._udp.example.com.
_kerberos._udp.example.com has SRV record 0 100 88 server1.example.com.
# host -t A samba.example.com.
samba.example.com has address 10.10.10.10
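The three lookups above spot-check a running named. As an added example for this article (not Samba's own tooling), the script below checks the zone file itself, offline, for the things a Windows client needs in order to find the DC: the LDAP, Kerberos, kpasswd and global-catalog SRV records on their expected ports, an address record behind every NS/CNAME/SRV target, and the _kerberos TXT realm hint. The sample zone is constructed from the lab names used in this article (server1.example.com, 10.10.10.10) with the site-specific GUID records left out; a second copy with two deliberate defects shows what the checker reports.

```python
"""Offline sanity check for a flat AD zone file like the one provision writes.

Added example for this article, not Samba's own tooling: it parses the zone text
and verifies what a Windows client needs to locate the DC (SRV records on the
expected ports, an address behind every NS/CNAME/SRV target, the _kerberos TXT
realm hint). The sample zone is constructed from the article's lab names.
"""

# Relative SRV owner -> port an AD client expects there (LDAP 389, Kerberos 88,
# kpasswd 464, global-catalog LDAP 3268).
REQUIRED_SRV = {
    "_ldap._tcp": 389, "_ldap._tcp.dc._msdcs": 389, "_ldap._tcp.pdc._msdcs": 389,
    "_kerberos._tcp": 88, "_kerberos._udp": 88, "_kpasswd._tcp": 464,
    "_kpasswd._udp": 464, "_gc._tcp": 3268,
}
RR_TYPES = {"SOA", "NS", "A", "AAAA", "CNAME", "SRV", "TXT", "PTR"}


def fqdn(name, origin):
    # '@' is the origin; a name without a trailing dot is relative to it
    if name == "@":
        return origin.lower()
    return name.lower() if name.endswith(".") else f"{name}.{origin}".lower()


def parse_zone(text):
    """Return (origin, [(owner_fqdn, TYPE, rdata_tokens), ...]); handles $ORIGIN,
    ';' comments, '(' ... ')' continuation and blank owners (leading whitespace)."""
    origin, last_owner, records, buf, depth = "", None, [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()                 # drop comments
        if not line.strip() and depth == 0:
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth > 0:
            continue                                         # still inside ( ... )
        leading_space = buf[0][:1].isspace()
        tokens = " ".join(buf).replace("(", " ").replace(")", " ").split()
        buf = []
        if tokens[0] == "$ORIGIN":
            origin = tokens[1] if tokens[1].endswith(".") else tokens[1] + "."
            continue
        if tokens[0].startswith("$"):                        # $TTL carries no record
            continue
        owner = last_owner if leading_space else fqdn(tokens.pop(0), origin)
        last_owner = owner
        idx = next(i for i, t in enumerate(tokens) if t.upper() in RR_TYPES)
        records.append((owner, tokens[idx].upper(), tokens[idx + 1:]))
    return origin.lower(), records


def check_ad_zone(text, realm, dc_host):
    """Return a list of problems; empty means the zone looks usable by AD clients."""
    origin, records = parse_zone(text)
    dc = fqdn(dc_host, origin)
    has_addr = {owner for owner, rtype, _ in records if rtype in ("A", "AAAA")}
    problems, srv = [], {}
    for owner, rtype, rdata in records:
        if rtype in ("NS", "CNAME", "SRV"):
            target = fqdn(rdata[-1], origin)
            if target not in has_addr:
                problems.append(f"{rtype} {owner} points at {target}, which has no A/AAAA record")
        if rtype == "SRV":                                   # priority weight port target
            srv[owner] = (int(rdata[2]), fqdn(rdata[3], origin))
    for rel, port in REQUIRED_SRV.items():
        name = f"{rel}.{origin}"
        if name not in srv:
            problems.append(f"missing SRV record {name}")
        elif srv[name][0] != port:
            problems.append(f"{name} advertises port {srv[name][0]}, expected {port}")
        elif srv[name][1] != dc:
            problems.append(f"{name} points at {srv[name][1]}, not the DC {dc}")
    txt = [r for o, t, r in records if t == "TXT" and o == f"_kerberos.{origin}"]
    if not txt or txt[0][0].strip('"').upper() != realm.upper():
        problems.append(f"_kerberos TXT record should name the realm {realm.upper()}")
    return problems


# Constructed zone in the shape provision writes for this article's lab
# (server1.example.com, 10.10.10.10); the site-specific GUID records are omitted.
LAB_ZONE = """\
$ORIGIN example.com.
$TTL 1W
@ IN SOA @ hostmaster ( 2012052216 2D 4H   ; serial refresh retry
                        6W 1W )            ; expiry minimum
        IN NS server1
        IN A 10.10.10.10
server1 IN A 10.10.10.10
gc._msdcs IN CNAME server1
_gc._tcp IN SRV 0 100 3268 server1
_ldap._tcp IN SRV 0 100 389 server1
_ldap._tcp.dc._msdcs IN SRV 0 100 389 server1
_ldap._tcp.pdc._msdcs IN SRV 0 100 389 server1
_kerberos._tcp IN SRV 0 100 88 server1
_kerberos._udp IN SRV 0 100 88 server1
_kpasswd._tcp IN SRV 0 100 464 server1
_kpasswd._udp IN SRV 0 100 464 server1
_kerberos IN TXT EXAMPLE.COM
"""

# Same zone with two defects a hand-copied file easily acquires: the PDC record
# pointing at a host that has no address, and kpasswd left on the Kerberos port.
BROKEN_ZONE = (LAB_ZONE.replace("pdc._msdcs IN SRV 0 100 389 server1", "pdc._msdcs IN SRV 0 100 389 server2")
               .replace("_kpasswd._udp IN SRV 0 100 464", "_kpasswd._udp IN SRV 0 100 88"))
```

Run check_ad_zone(open("/usr/local/samba/private/example.com.zone").read(), "EXAMPLE.COM", "server1") against your own file; an empty list means the records clients depend on are present and consistent, while the BROKEN_ZONE copy yields three findings (the dangling server2 target twice, once per check, and the wrong kpasswd port).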
Now make sure the Kerberos client package is installed, take a backup of your existing krb5.conf and replace it with the following (provision also writes a minimal krb5.conf to /usr/local/samba/private/krb5.conf, which you can use instead):
# yum -y install krb5-workstation
# mv /etc/krb5.conf /etc/krb5.conf.orig
# vi /etc/krb5.conf
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    forwardable = yes

[realms]
    EXAMPLE.COM = {
        kdc = server1.example.com:88
        # admin_server is not used here: the Samba AD DC runs no kadmind;
        # password changes go to kpasswd on port 464 (advertised via _kpasswd SRV)
        admin_server = server1.example.com:749
        default_domain = example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
Now check Kerberos:
# kinit administrator@EXAMPLE.COM
Password for administrator@EXAMPLE.COM:
Enter the password; if kinit returns silently, run klist to confirm that a krbtgt/EXAMPLE.COM@EXAMPLE.COM ticket was issued. With that, the server-side configuration is done.
Check your firewall and SELinux settings; in my case I have disabled both.
To configure iptables for Samba4, follow the link below:
iptables rules for Samba 4 in Red Hat Linux
To configure a secondary domain controller using Samba4:
How to configure Samba 4 Secondary Domain Controller
Client: Windows XP and Windows 7
Point the DNS of your client machine at the server IP and make sure the client's clock is synchronized with the server: Kerberos tolerates only a few minutes of skew, and it compares times in UTC, so differing time zones are fine as long as the clocks themselves agree.
From here you can follow this page to join your client machine to the domain and manage group policy for all users:
https://wiki.samba.org/index.php/Samba4/HOWTO