Samba domain controller with Windows management

Building an Active Directory domain controller with BIND9 and Samba 4.1.13 on a minimal CentOS 7 install

Platform

Host: Sony CPCSA26GG, i7-2620M, 8 GB RAM, 128 GB SSD. CPU hardware virtualization support enabled in the BIOS.
Host OS: Windows 7 x64 Ultimate + Oracle VirtualBox 4.3.12; the VirtualBox host-only adapter is set to IP 192.168.6.1.
Guest: CentOS 7 x86_64 7.0 minimal install, no desktop environment, IP set to 192.168.6.3.

Installation

After the install, connect to CentOS over SSH with PuTTY or SecureCRT so that commands can be copied and pasted.

Last login: Sat Oct 25 13:00:04 2014
[root@centos7mini ~]#

First set up the install DVD as a yum repository to install the development tools. Alternatively, give the VM two network adapters, one bridged to the laptop's NIC, and yum directly from the internet. Note that with two adapters, the DNS zone file Samba generates will use the internet-facing adapter's address, and you will have to fix it by hand.

[root@centos7mini ~]# cd /etc/yum.repos.d/
[root@centos7mini yum.repos.d]# ls
CentOS-Base.repo  CentOS-Debuginfo.repo  CentOS-Sources.repo  CentOS-Vault.repo
[root@centos7mini yum.repos.d]# mv CentOS-Base.repo base.repo.bkp
[root@centos7mini yum.repos.d]# mv CentOS-Sources.repo source.repo.bkp
[root@centos7mini yum.repos.d]# vi media.repo
[DVD]
name=CentOS Media
baseurl=file:///media/cdrom
gpgcheck=0
enabled=1

Then press ESC and type :wq to save and quit. Next create the mount point for the DVD:

[root@centos7mini ~]# mkdir /media/cdrom

Mount the DVD:

[root@centos7mini yum.repos.d]# mount /dev/cdrom /media/cdrom
mount: /dev/sr0 写保护,将以只读方式挂载

Install the development tools:

[root@centos7mini yum.repos.d]# yum -y groupinstall "development tools"

Install the components Samba needs, libacl-devel being the most important; BIND9 is installed from the DVD's RPM packages at the same time.

[root@centos7mini yum.repos.d]# yum -y install libacl-devel libblkid-devel gnutls-devel readline-devel python-devel bind autoconf gdb rsyslog-gssapi cyrus-sasl-gssapi
已安装:
bind.x86_64 32:9.9.4-14.el7                      cyrus-sasl-gssapi.x86_64 0:2.1.26-17.el7           
gnutls-devel.x86_64 0:3.1.18-8.el7               libacl-devel.x86_64 0:2.2.51-12.el7                
libblkid-devel.x86_64 0:2.23.2-16.el7            readline-devel.x86_64 0:6.2-9.el7                  
rsyslog-gssapi.x86_64 0:7.4.7-6.el7             
作为依赖被安装:
bind-libs.x86_64 32:9.9.4-14.el7                     gnutls-c++.x86_64 0:3.1.18-8.el7              
gnutls-dane.x86_64 0:3.1.18-8.el7                    ldns.x86_64 0:1.6.16-7.el7                    
libattr-devel.x86_64 0:2.4.46-12.el7                 libevent.x86_64 0:2.0.21-4.el7                
libtasn1-devel.x86_64 0:3.3-3.el7                    libuuid-devel.x86_64 0:2.23.2-16.el7          
ncurses-devel.x86_64 0:5.9-13.20130511.el7           p11-kit-devel.x86_64 0:0.18.7-4.el7           
unbound-libs.x86_64 0:1.4.20-19.el7                  zlib-devel.x86_64 0:1.2.7-13.el7              
完毕!

Download the Samba source tarball and upload it to /tmp with SecureFX or WinSCP. Before compiling, python-devel must be installed from the DVD, otherwise configure fails. Note: do not install Samba from the RPM packages on the DVD. There is a samba-dc package, but after installing it I found no samba-tool with which to configure the domain controller; perhaps it could all be done through config files instead.

[root@centos7mini yum.repos.d]# rpm -ivh /media/cdrom/Packages/python-devel-2.7.5-16.el7.x86_64.rpm 
警告:python-devel-2.7.5-16.el7.x86_64.rpm: 头V3 RSA/SHA256 Signature, 密钥 ID f4a80eb5: NOKEY
准备中...                          ################################# [100%]
正在升级/安装...
 1:python-devel-2.7.5-16.el7        ################################# [100%]

Enter the directory and extract the tarball

[root@centos7mini yum.repos.d]# cd /tmp
[root@centos7mini tmp]# ls
samba-latest.tar.gz
[root@centos7mini tmp]# tar -xvf samba-latest.tar.gz 

After extracting, run autogen-waf.sh first, otherwise ./configure complains that ./buildtools/bin/waf does not exist:

python: can't open file './buildtools/bin/waf': [Errno 2] No such file or directory
[root@centos7mini tmp]# samba-4.1.13/buildtools/scripts/autogen-waf.sh 
Setting up for waf build
Looking for the buildtools directory
Found buildtools in ./../../buildtools
Setting up configure
Setting up Makefile
done. Now run ./configure or ./configure.developer then make.

Then enter the directory and start configuring, building and installing

[root@centos7mini scripts]# cd /tmp/samba-4.1.13/
[root@centos7mini samba-4.1.13]# ./configure  
      
...... (output omitted)

Then make and install. This step takes a long time; plenty of RAM and an SSD speed it up. This run took 20 minutes; on a 4 GB X200 VM it took over 6 hours.

[root@centos7mini samba-4.1.13]# make && make install
...... (some 5000 lines omitted)
Waf: Leaving directory `/tmp/samba-4.1.13/bin'
'install' finished successfully (2m23.687s)

The installation is complete at this point.

Configuration

Change the hostname to DC1, writing out the full FQDN; the benefit is that the domain name does not have to be typed when promoting the host to domain controller later.

[root@centos7mini etc]# vi /etc/hostname 
DC1.contoso.com

Then shut down and take a snapshot of the VM, so that if the configuration goes wrong and has to be redone, the compile time is saved

[root@DC1 samba-4.1.13]# poweroff

After rebooting, log in and provision the domain controller

Last login: Fri Oct 31 10:41:42 2014 from 192.168.6.1
[root@DC1 ~]# cd /usr/local/samba/bin
[root@DC1 bin]# ./samba-tool domain provision
Realm [CONTOSO.COM]: 
 Domain [CONTOSO]: 
 Server Role (dc, member, standalone) [dc]: 
 DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: BIND9_FLATFILE  # BIND9 is chosen here; the built-in DNS default can also be used
Administrator password: enter the domain administrator password; it must be complex, upper- and lowercase letters plus digits, e.g. Ab123456&
Retype password: enter Ab123456& again
Looking up IPv4 addresses
More than one IPv4 address found. Using 192.168.6.3
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=contoso,DC=com
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=contoso,DC=com
rndc: neither /etc/rndc.conf nor /etc/rndc.key was found
rndc: neither /etc/rndc.conf nor /etc/rndc.key was found
See /usr/local/samba/private/named.conf for an example configuration include file for BIND
and /usr/local/samba/private/named.txt for further documentation required for secure DNS updates
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role:           active directory domain controller
Hostname:              DC1
NetBIOS Domain:        CONTOSO
DNS Domain:            contoso.com
DOMAIN SID:            S-1-5-21-3366851103-1622988557-2824442447
[root@DC1 bin]# 

Provisioning has only succeeded once you see the DOMAIN SID line

Start samba

[root@DC1 bin]# /usr/local/samba/sbin/samba

Check the version

[root@DC1 bin]# /usr/local/samba/bin/smbclient --version
Version 4.1.13

Testing

[root@DC1 bin]# /usr/local/samba/bin/smbclient -L localhost -U%
Domain=[CONTOSO] OS=[Unix] Server=[Samba 4.1.13]
      Sharename       Type      Comment
      ---------       ----      -------
      netlogon        Disk      
      sysvol          Disk      
      IPC$            IPC       IPC Service (Samba 4.1.13)
Domain=[CONTOSO] OS=[Unix] Server=[Samba 4.1.13]
      Server               Comment
      ---------            -------
      Workgroup            Master
      ---------            -------
[root@DC1 bin]# /usr/local/samba/bin/smbclient //localhost/netlogon -Uadministrator
Enter administrator's password: 
Domain=[CONTOSO] OS=[Unix] Server=[Samba 4.1.13]
smb: \> q
[root@DC1 bin]# 

DNS

Check BIND

[root@DC1 bin]# rpm -qa|grep bind
bind-libs-lite-9.9.4-14.el7.x86_64
bind-license-9.9.4-14.el7.noarch
bind-libs-9.9.4-14.el7.x86_64
bind-9.9.4-14.el7.x86_64

/etc/named.conf shows that BIND9's directory is /var/named; enter that directory:

[root@DC1 etc]# cd /var/named

Copy named.localhost to contoso.com.zone and edit it to serve as the forward zone file for contoso.com.

[root@DC1 named]# cp named.localhost contoso.com.zone
[root@DC1 named]# vim contoso.com.zone
$TTL 1D
@       IN SOA  @ contoso.com. (
                                      0       ; serial
                                      1D      ; refresh
                                      1H      ; retry
                                      1W      ; expire
                                      3H )    ; minimum
        IN NS   DC1.contoso.com.
@       IN A    192.168.6.3
DC1     IN A    192.168.6.3

The above is the edited file. On a dual-NIC VM the IP may be the other adapter's address and must be changed.

Then copy over the latter part of the DNS zone file Samba generated, but do not copy the gc._msdcs entry: it produced an error in my testing, and after deleting it BIND would start

[root@DC1 ~]# cd /usr/local/samba/private/dns
[root@DC1 dns]# ls
contoso.com.zone
[root@DC1 dns]# vim contoso.com.zone

Copy the following section

79aef472-c658-49c0-a2b4-3988bc00338a._msdcs     IN CNAME        DC1
;
; global catalog servers
_gc._tcp                IN SRV 0 100 3268       DC1
_gc._tcp.Default-First-Site-Name._sites IN SRV 0 100 3268       DC1
_ldap._tcp.gc._msdcs    IN SRV 0 100 3268       DC1
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs     IN SRV 0 100 3268 DC1
;
; ldap servers
_ldap._tcp              IN SRV 0 100 389        DC1
_ldap._tcp.dc._msdcs    IN SRV 0 100 389        DC1
_ldap._tcp.pdc._msdcs   IN SRV 0 100 389        DC1
_ldap._tcp.8b2afba7-4d3a-4b88-8b45-381cf145c623.domains._msdcs          IN SRV 0 100 389 DC1
_ldap._tcp.Default-First-Site-Name._sites               IN SRV 0 100 389 DC1
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs     IN SRV 0 100 389 DC1
;
; krb5 servers
_kerberos._tcp          IN SRV 0 100 88         DC1
_kerberos._tcp.dc._msdcs        IN SRV 0 100 88 DC1
_kerberos._tcp.Default-First-Site-Name._sites   IN SRV 0 100 88 DC1
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs IN SRV 0 100 88 DC1
_kerberos._udp          IN SRV 0 100 88         DC1
; MIT kpasswd likes to lookup this name on password change
_kerberos-master._tcp           IN SRV 0 100 88         DC1
_kerberos-master._udp           IN SRV 0 100 88         DC1
;
; kpasswd
_kpasswd._tcp           IN SRV 0 100 464        DC1
_kpasswd._udp           IN SRV 0 100 464        DC1
;
; heimdal 'find realm for host' hack
_kerberos               IN TXT  CONTOSO.COM

Then paste it after the edited content in /var/named/contoso.com.zone. In practice: clone the session in SecureCRT, cd to the directory, open the file, drag-select the text to copy, switch back to the original session and right-click to paste, then press ESC and :wq to save and quit.
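The copy-and-paste above can be done, and checked, with a script. The following is an added example and not part of the original post: it assembles the BIND forward zone from the edited named.localhost header plus the CNAME, SRV and TXT records Samba generated for the BIND9_FLATFILE backend (which is exactly what skips the gc._msdcs A record), then verifies that the SRV records a domain join depends on are all present. The Samba-generated zone embedded below is a constructed, shortened stand-in written to a temporary directory; WORKDIR, SAMBA_ZONE, BIND_ZONE and the function names are assumptions of this example. On the real DC, call build_zone with /usr/local/samba/private/dns/contoso.com.zone and /var/named/contoso.com.zone as arguments instead.

```shell
#!/bin/sh
# Added example (not from the original post). Builds the BIND zone file for
# contoso.com and checks the AD service records in it. Runs offline on a
# constructed sample; see the lead-in for the real paths.

WORKDIR="${WORKDIR:-$(mktemp -d)}"
SAMBA_ZONE="$WORKDIR/samba-generated.zone"   # constructed stand-in
BIND_ZONE="$WORKDIR/contoso.com.zone"        # assembled output
DC_IP="192.168.6.3"

# Constructed, shortened excerpt of what "samba-tool domain provision"
# writes with the BIND9_FLATFILE backend, including the gc._msdcs A record.
cat > "$SAMBA_ZONE" <<'EOF'
$ORIGIN contoso.com.
@       IN SOA  contoso.com. hostmaster (
                2014103100 ; serial
                900 ; refresh
                600 ; retry
                86400 ; expire
                3600 ; minimum
        )
        IN NS   DC1
        IN A    192.168.6.3
DC1     IN A    192.168.6.3
gc._msdcs               IN A    192.168.6.3
79aef472-c658-49c0-a2b4-3988bc00338a._msdcs     IN CNAME        DC1
; global catalog servers
_gc._tcp                IN SRV 0 100 3268       DC1
_ldap._tcp.gc._msdcs    IN SRV 0 100 3268       DC1
; ldap servers
_ldap._tcp              IN SRV 0 100 389        DC1
_ldap._tcp.dc._msdcs    IN SRV 0 100 389        DC1
; krb5 servers
_kerberos._tcp          IN SRV 0 100 88         DC1
_kerberos._udp          IN SRV 0 100 88         DC1
; kpasswd
_kpasswd._tcp           IN SRV 0 100 464        DC1
_kpasswd._udp           IN SRV 0 100 464        DC1
_kerberos               IN TXT  CONTOSO.COM
EOF

# Print only the AD service records (CNAME, SRV, TXT) and comment lines from
# the Samba-generated zone $1. SOA, NS and A records are dropped, so the
# header's own records are not duplicated and gc._msdcs is left out.
samba_ad_records() {
    awk '/^;/ || /[[:space:]]IN[[:space:]]+(SRV|CNAME|TXT)[[:space:]]/' "$1"
}

# Write the static header (the edited named.localhost) followed by the
# Samba records: $1 = Samba-generated zone, $2 = output zone file.
build_zone() {
    {
        cat <<EOF
\$TTL 1D
@       IN SOA  @ contoso.com. (
                                      0       ; serial
                                      1D      ; refresh
                                      1H      ; retry
                                      1W      ; expire
                                      3H )    ; minimum
        IN NS   DC1.contoso.com.
@       IN A    $DC_IP
DC1     IN A    $DC_IP
EOF
        samba_ad_records "$1"
    } > "$2"
}

# Print each SRV owner name that clients use to locate the DC (LDAP,
# Kerberos, kpasswd, global catalog) that is absent from zone file $1.
missing_srv() {
    for name in _ldap._tcp _ldap._tcp.dc._msdcs _kerberos._tcp _kerberos._udp \
                _kpasswd._tcp _kpasswd._udp _gc._tcp; do
        pat=$(printf '%s' "$name" | sed 's/\./\\./g')   # literal dots
        grep -Eq "^${pat}[[:space:]]+IN[[:space:]]+SRV[[:space:]]" "$1" \
            || echo "$name"
    done
}

# Number of SRV records in zone file $1.
count_srv() {
    grep -Ec "[[:space:]]IN[[:space:]]+SRV[[:space:]]" "$1"
}

build_zone "$SAMBA_ZONE" "$BIND_ZONE"
echo "zone written to $BIND_ZONE with $(count_srv "$BIND_ZONE") SRV records"
if missing_srv "$BIND_ZONE" | grep -q .; then
    echo "missing SRV records:"
    missing_srv "$BIND_ZONE"
fi
# When BIND is installed, syntax-check the zone before starting named.
if command -v named-checkzone >/dev/null 2>&1; then
    named-checkzone contoso.com "$BIND_ZONE" || echo "zone check failed"
fi
```

Running the script with no arguments only touches the temporary directory; the named-checkzone step at the end is what to run against /var/named/contoso.com.zone before systemctl start named.service, since a zone file that fails to load leaves the DC without the SRV records that domain joins and Kerberos logons rely on.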

Open /etc/named.rfc1912.zones and append the following block to add the forward zone

[root@DC1 etc]# vim /etc/named.rfc1912.zones
zone "contoso.com" IN {
      type master;
      file "contoso.com.zone";
      allow-update { none; };
};

Start the BIND service. If it reports errors, check the /etc/named.rfc1912.zones and contoso.com.zone configuration

[root@DC1 dns]# systemctl start named.service
[root@DC1 dns]# systemctl status named.service

Test resolution; this needs the host command, which is not installed by default.

[root@DC1 named]# host -t SRV _ldap._tcp.contoso.com.
-bash: host: 未找到命令

Remount the DVD and install it.

[root@DC1 named]# mount /dev/cdrom /media/cdrom
mount: /dev/sr0 写保护,将以只读方式挂载

[root@DC1 named]# yum -y install bind-utils

Then test

[root@DC1 ~]# host -t SRV _ldap._tcp.contoso.com
_ldap._tcp.contoso.com has SRV record 0 100 389 DC1.contoso.com.
[root@DC1 ~]# host -t SRV _kerberos._udp.contoso.com 
_kerberos._udp.contoso.com has SRV record 0 100 88 DC1.contoso.com.
[root@DC1 ~]# host -t A dc1.contoso.com.     
dc1.contoso.com has address 192.168.6.3

Then start the Windows 7 VM and give it an IP in the same subnet, e.g. 192.168.6.5, with DNS set to 192.168.6.3. First verify with ping that the domain name resolves and is reachable; if it does not, try clearing the iptables firewall rules:

[root@DC1 ~]# iptables -F
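Flushing the chains with iptables -F removes every rule on the DC, not only the ones blocking the domain join. The following is an added example, not part of the original post, that generates accept rules for just the ports a Samba AD DC serves (DNS, Kerberos, RPC endpoint mapper, NetBIOS, LDAP and LDAPS, SMB, kpasswd, the global catalog and the dynamic RPC range), limited to the client subnet. The 192.168.6.0/24 subnet, the function names and the "apply" argument are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post). Generates, and optionally
# applies, iptables accept rules for the ports a Samba AD DC listens on,
# restricted to the subnet the Windows clients sit in.

# Print the iptables commands for clients in subnet $1. Nothing is applied;
# the output can be reviewed or redirected to a file first.
ad_dc_rules() {
    net="$1"
    # proto:port, or proto:low:high for the dynamic RPC range.
    for spec in tcp:53 udp:53 tcp:88 udp:88 tcp:135 udp:137 udp:138 tcp:139 \
                tcp:389 udp:389 tcp:445 tcp:464 udp:464 tcp:636 \
                tcp:3268 tcp:3269 tcp:49152:65535; do
        proto="${spec%%:*}"   # text before the first colon
        port="${spec#*:}"     # everything after it (port or low:high)
        echo "iptables -A INPUT -s $net -p $proto --dport $port -j ACCEPT"
    done
}

# Number of rules the generator emits for subnet $1, as a sanity check.
ad_dc_rule_count() {
    ad_dc_rules "$1" | grep -c .
}

# Apply the rules on the DC (run as root). Established and related traffic is
# accepted first so that replies to the DC's own connections keep flowing;
# the accept rules are appended, so the chain's existing policy still decides
# what happens to anything else.
apply_ad_dc_rules() {
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ad_dc_rules "$1" | sh -e
}

case "${1:-}" in
    apply) apply_ad_dc_rules "${2:-192.168.6.0/24}" ;;
    *)     ad_dc_rules "${2:-192.168.6.0/24}" ;;   # dry run: print only
esac
```

Run it without arguments to see the rules, and with "apply" on the DC to load them; afterwards confirm the order with iptables -L INPUT -n --line-numbers, because an earlier reject rule in the chain would still win over the appended accepts. On CentOS 7 the default host firewall is firewalld; if it is active, express the same ports through it rather than mixing the two, since firewalld rewrites the iptables chains it manages.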

After that, joining Windows 7 to the domain succeeded. If you do not know how to join a domain, look it up on Baidu. Once joined, you can download and install the Remote Server Administration Tools on Windows 7 to manage the domain controller.

http://hi.baidu.com/paul_ycb/item/94b9755c88137f968d12ed5e