Over the last couple of days I set up SAMBA4 as an AD, and I have successfully got my WIN7 machine to join a domain whose domain controller is LINUX!!

Below I share some of my setup process!! If something goes wrong, read the LOG and tackle each problem as it appears; don't just come straight to me asking what happened??

I mainly referred to the following online articles:

1. http://sc8log.blogspot.tw/2016/11/ubuntu-1604-samba-43-domain-controller.html
2. http://blogging.dragon.org.uk/samba4-ad-dc-on-ubuntu-14-04/
3. https://www.server-world.info/en/note?os=Ubuntu_16.04&p=samba&f=4

My environment:

LINUX: UBUNTU 16.04 LTS

1. Change the hostname and the HOSTS FILE
Edit /etc/hostname and /etc/hosts. In my case, hostname: dc1; in hosts: 127.0.0.1 localhost, 192.168.0.25 dc1 dc1.urcloud.biz

2. Are user_xattr and acl enabled?
Run dumpe2fs /dev/sda1 | grep 'Default mount options'. If they are not listed, you need to edit /etc/fstab; UBUNTU 16.04 enables them by default, so there was no need to edit it..

3. Install the related packages:
sudo apt-get install samba smbclient build-essential libacl1-dev libattr1-dev
libblkid-dev libgnutls-dev libreadline-dev python-dev libpam0g-dev
python-dnspython gdb pkg-config libpopt-dev libldap2-dev
dnsutils libbsd-dev krb5-user docbook-xsl libcups2-dev ldb-tools ntp winbind

During installation the system asks a few questions; my answers were as follows:

Configuring Kerberos Authentication: URCLOUD.BIZ (note that it must be upper-case)
hostname of Kerberos servers in the BLACK.DRAGON.LAB: dc1.urcloud.biz
hostname of the Administrative (password changing) servers: dc1.urcloud.biz

4. Start creating the domain:

sudo samba-tool domain provision --use-rfc2307 --interactive

This creates the domain interactively through a series of questions!! Below is how I answered them.

Realm: URCLOUD.BIZ
Domain: URCLOUD
Server Role: dc
DNS Backend: BIND_DLZ
Administrator password: (a password that meets the complexity policy)

5. Edit /etc/samba/smb.conf

Paste the following after the line idmap_ldb:use rfc2307 = yes, then save:
rpc_server:tcpip = no
rpc_daemon:spoolssd = embedded
rpc_server:spoolss = embedded
rpc_server:winreg = embedded
rpc_server:ntsvcs = embedded
rpc_server:eventlog = embedded
rpc_server:srvsvc = embedded
rpc_server:svcctl = embedded
rpc_server:default = external
winbindd:use external pipes = true
idmap config * : backend = tdb
map archive = No
map readonly = no
store dos attributes = Yes
vfs objects = dfs_samba4 acl_xattr
log file = /var/log/samba/samba.log
max log size = 100000

6. Install bind9

apt install bind9

7. Adjust the DNS settings (this step is very important; if it is not done right, the DOMAIN will not work)

vi /etc/bind/named.conf
Add:
include "/var/lib/samba/private/named.conf"; // generated by samba-tool; the packaged Samba keeps it under /var/lib/samba/private (same file as in step 8)

vi /etc/bind/named.conf.options

Paste the following in the appropriate places..

acl "LocalIP" { 192.168.0.0/16; 172.16.10.0/24; 127.0.0.1; }; # local IPs allowed to query DNS

options {
    directory "/var/cache/bind";

    forward first;
    forwarders {
        8.8.4.4;
        168.95.1.1;
        8.8.8.8;
    };

    listen-on {
        LocalIP;
    };

    allow-recursion { LocalIP; };
    allow-update { LocalIP; };
    allow-query { LocalIP; };
    allow-transfer { localhost; LocalIP; };
    tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab"; // lets clients update their DNS records dynamically (GSS-TSIG)
    dnssec-enable no;
    //dnssec-validation auto; // internal use only, disabled for now
    dnssec-validation no;
    auth-nxdomain no; # conform to RFC1035
    //listen-on port 53 { 127.0.0.1; };
    listen-on port 53 { any; };
    listen-on-v6 { none; };
};

8. Adjust the permissions on the DNS-related files

chown root.bind /var/lib/samba/private/named.conf
chgrp bind /var/lib/samba/private
chmod 640 /var/lib/samba/private/dns.keytab
chown root:bind /var/lib/samba/private/dns.keytab
chmod 644 /var/lib/samba/private/krb5.conf
chown root.bind /var/lib/samba/private/krb5.conf

edit /etc/apparmor.d/local/usr.sbin.named
Add the following lines:
/var/lib/samba/private/named.conf r,
/var/lib/samba/private/dns.keytab kwr,
/var/lib/samba/** m,
/var/lib/samba/private/dns/** krw,
/var/tmp/** krw,
/dev/urandom rw,
Then RELOAD the service:
systemctl reload apparmor

At this point restart BIND9:
systemctl restart bind9

Watch the LOG for any error messages.

9. Link the kerberos configuration file into /etc and change its permissions:

mv /etc/krb5.conf /etc/krb5.conf.orig
ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf
chgrp bind /var/lib/samba/private/krb5.conf /etc/krb5.conf

10. Reboot…

At this point you should be able to take a WINDOWS CLIENT and join it to the domain, and it should succeed. However, if you then try
samba_dnsupdate --verbose --all-names
you will probably see an error saying the records cannot be updated automatically: dns_tkey_negotiategss: TKEY is unacceptable
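Before chasing that error, it is worth confirming that the files from steps 5 and 8 are actually in the state described above. The following checker is an added example, not code from the original post: it parses smb.conf text and reports which of the step-5 [global] settings are missing, and it checks that dns.keytab carries the 0640 mode from step 8 (the key names and the file path are the ones used in this post; the group-ownership check is left to the chown/ls commands above).

```python
"""Added example (not from the original post): offline checks for the step-5
smb.conf settings and the step-8 dns.keytab permissions."""
import os
import re
import stat
# Step-5 [global] settings (subset), compared case-insensitively.
REQUIRED_GLOBAL = {
    "idmap_ldb:use rfc2307": "yes",
    "rpc_server:tcpip": "no",
    "rpc_server:default": "external",
    "winbindd:use external pipes": "true",
    "store dos attributes": "yes",
}

def parse_smb_conf(text):
    """{section: {key: value}}; sections/keys lower-cased, '#'/';' comments skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections

def missing_global_settings(text):
    """Names of step-5 settings absent from or wrong in [global]."""
    g = parse_smb_conf(text).get("global", {})
    problems = [k for k, v in REQUIRED_GLOBAL.items() if g.get(k, "").lower() != v]
    if "acl_xattr" not in g.get("vfs objects", "").split():
        problems.append("vfs objects: acl_xattr")  # stores NT ACLs in xattrs
    return problems

def keytab_problems(path):
    """Step 8 makes dns.keytab 0640 (root:bind); report deviations from that mode."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    problems = []
    if mode & 0o007:
        problems.append("world-accessible")  # any local user could read the DNS update key
    if mode != 0o640:
        problems.append("mode is %o, expected 640" % mode)
    return problems
```

Run it on the DC with the real paths (e.g. `missing_global_settings(open("/etc/samba/smb.conf").read())` and `keytab_problems("/var/lib/samba/private/dns.keytab")`); an empty list means that part matches the post.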

This really took me some effort to solve!! I'll leave it as a bit of homework for you, my friend!! ^_^

By Kevin
