Description

 

Samba Active Directory  Domain Controller on CentOS 6.x , we  will

have  Windows  2008  r2  AD functionality. We will be  able to manage

the AD from our dedicated Windows client.

 

STEP 1. - Install base system

 

Download CentOS 6.5 iso from CentOS  website (x86 or x64) : CentOS

6.5 ISO's  Install  base system. Partitioning , software  or  hardware

raid is up to the  user.  In this example hostname is :samba4.home.lan

and ip address is : 192.168.186.200

 

STEP 2. - Disable SeLINUX , IPtables

 

Now we disable SeLINUX like this :

chkconfig iptables off

chkconfig ip6tables off

vi /etc/selinux/config

 

Press i , look for SELINUX= line and change it to SELINUX=disabled

Once you are done editing press ESC , then type :wq then  press ENTER.

Now we must reboot the server in order for SeLINUX to be disabled.

Type into console :

reboot

 

STEP 3. - Update System

Type into console :

yum update

 

STEP 4. - Enable SAMBA 4 repository

 

We use this repo, because CentOS 6 Samba does not come with

samba-tool for some unknown reason.

touch /etc/yum.repos.d/SOGo.repo
vi /etc/yum.repos.d/SOGo.repo

 

Press i , then type in the following :

[sogo-rhel6]
name=Inverse SOGo Repository
baseurl=http://inverse.ca/downloads/SOGo/RHEL6/$basearch
gpgcheck=0

 

Once done editing press ESC , then type :wq and press ENTER.

 

STEP 5. - Samba installation , configuration

 

yum install samba4

 

Once it is done you must run the following command :

samba-tool domain provision --user-rfc2307 --interactive

 

A few  questions will be asked ,  but only one must be changed Domain name

home.lan .All  other settings  should be left at default values. You  will  need

to  specify  the  Administrator  password , Samba requires you to enter at least

one  uppercase character  , some  regular characters , and at least one  number.

Now Samba will generate all the necessary db files , setup the necessary  groups

, users  etc  for this domain. Next we will create the directory for our Roaming

Profiles

mkdir /home/Profiles

 

And we make sure that our /etc/samba4/smb.conf looks like this :

[global]
     workgroup = HOME
     realm = HOME.LAN
     netbios name = SAMBA4
     server role = active directory domain controller
     dns forwarder = 8.8.8.8
     idmap_ldb:use rfc2307 = yes

 [netlogon]
     path = /var/lib/samba4/sysvol/home.lan/scripts
     read only = No

 [sysvol]
    path = /var/lib/samba4/sysvol
    read only = No

 [Profiles]
    path = /home/Profiles/
    read only = No

 

You will only need to add [Profiles] to your config file, everything else

should already be there, I'm just posting my config file just in case.

 

STEP 6. - Configure Kerberos , Hosts, Resolv

 

Samba already  generated the  necessary Kerberos conf file for us , we only

need to move it to the right place, we also backup original

Kerberos conf file.

mv /etc/krb5.conf /etc/krb5.conf.original
cp /var/lib/samba4/private/krb5.conf /etc/krb5.conf

 

Next  step  is  to  alter our hosts file , it should look like this for the

current test system :

/etc/hosts

127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
192.168.186.200 samba4.home.lan samba4
::1  localhost localhost.localdomain localhost6 localhost6.localdomain6

 

Then the resolv.conf should look like this for the current test system :

/etc/resolv.conf

domain homa.lan
search home.lan
nameserver 192.168.186.200 8.8.8.8

 

8.8.8.8 - this is  Google,  for  TESTING ONLY ,  please  play nice and use

your own DNS server , or the ISP's later.

 

STEP 7. - Test Kerberos

 

In this step we will test if Kerberos is running properly . First Samba must

be started, you cannot start it with  the  init  script, so you will need to

type this into the terminal :

samba

 

Samba should be up and running without any errors.

Now let's test Kerberos by issuing the following command :

kinit administrator

 

It will ask  you  for  Domain  Administrator password , once it's entered and

you've pressed ENTER it should display on our CentOS 6.5 system the following

message : Warning : Your password will expire in 41 days... This means Samba4

is up and  running , Kerberos is doing it's stuff , we are almost good to go.

Last thing is  to add samba to /etc/rc.d/rc.local so that it is started every

time the system boots up . Add the following line to the end of the file :

/usr/sbin/samba

 

 

STEP 8. - Reboot system , test again if everything is up and running

Type in to console :

reboot

 

Login to system once it is rebooted , and run the following commands one by

one :

ping samba4.home.lan
ping www.google.com
kinit administrator

 

Every one  of  these  commands  should  succeed  ,  then you can proceed to

configuring the clients.

 

STEP 9. - Client Configuration

 

For our initial client we will be using Windows XP Professionnal ,  we will

also install here  the  necessary  tools to be  able to manager our domain.

First thing is  to make  sure the  Windows XP  client is in the same subnet

as the Samba AD, and we  make  sure the  DNS  server  for the client is set

to the ip address of the Samba AD. (see image below)


Next we join this computer to the domain by right clicking  on

My Computer , then Properties , Computer Name tab and click on

Change. (see image below)

 

We select Member of (*) Domain , then enter home.lan press ENTER ,

almost instantly you will be asked for credentials, you must enter

Administrator  as  username , and password selected before. Note :

each time you join or  leave  the  domain you will need the Domain

Administrator account  for it. After this, you will be required to

reboot  the  computer, once  re-booted  make sure you log onto the

domain and not to one of the local users. (see image below)

Make sure that Log on to is HOME

( that is for home.lan , it does  not display the .lan part

, but it's fine ) . In  order to  be able to Administer the

AD from this computer you will need to download and install

the following packages :

 

Windows Server 2003 Service Pack 2 Administration Tools Pack for x86 editions

Windows Server 2003 Support Tools X86 ( for this you must have .NET framework installed )

Group Policy Management Console with Service Pack 1

 

With these tools  installed  you  will  be  able  to do everything

Domain related  from  this  Windows  Computer ,  except for adding

new Samba shares , for that you will need to edit smb.conf by hand.

 

STEP 10. - Enable roaming profiles

 

Switch back to the Samba server , and type this into console :

mkdir -p /home/Profiles/Domain Users

 

Now go back to our Windows Client , and with our Domain Administrative rights

alter the security for the \\samba4.home.lan\Profiles\ folder (see image below)

You right click on Profiles, then Click properties, Security Tab .

Add  Home\Administrator  and  Home\Domain  Users  to this folder ,

set the rights like this (see image below)

Then you go one folder deeper , and do the same for Domain Users folder,

except  here  you  set  full  rights  here  for HOME\Administrator,

HOME\Administrators,  HOME\Domain Users. Next we  will create a new user

for this domain with roaming  profile enabled.  Click  Start , Programs,

Administrative Tools , Active  Directory Users  and Computers (you might

want to make a shortcut of this to the desktop, this tool will be used a

lot) And then add a new user by going to home.lan, right click on Users,

select New and then User. (see image bellow)

All  newly created users are automatically in the group Domain Users , your

fine step here is to set the Profile path for this user . By right clicking

on the newly created user name and selecting properties. (see image below)

Note : robert folder is automatically created on the Samba Domain controller .

Once this is done, you must logout with robert and login again if you already

have more computers joined to  this domain. Then you  can test this by adding

more  computers  to  domain for  example  two  Windows 7  computers, login on

one of them with robert alter stuff on the desktop create a few icons etc... ,

then  logout,  login  on  the  other  Windows  7  computer and you should have

same  desktop .  Note :  WinXP  roaming  profile  is not compatible with Win 7

roaming  profile you can try , but Samba cleverly makes two folders for robert

in that case, one plain robert and one robert v2 .

 

IMPORTANT THINGS TO KNOW ABOUT ACTIVE DIRECTORY

You can  no longer  use Network  Neighborhood  ( it might work, and show a few

computers but it's  not the way). Active Directory is not browsed but searched,

just like you don't browse the  internet , you search it. With AD you centrally

manage everything , that means if you  share something on one computer you also

need to publish that share in AD for it to  be visible  to  other clients. This

might at first seem a bit complex compared to old SAMBA 3 NT domains, but I bet

you will question  yourself  after a day how were you able to live with Samba 3

NT style domain controllers.

 

Interesting videos to watch :

 

How sharing works in Active Directory

Automap network drive with group policy

Deploy applications with group policy

Aditional Samba Videos