Active Directory Domain Controller ?? CentOS 6.5 ??????????? ? Microsoft

????? 2 ??????? ??????????:
eth0 ????????? ???? 192.168.20.1
eth1 ???????? 100.200.1.1
?????????? ?????? example.com

????????? ???????????

????????? SELinux
vim /etc/sysconfig/selinux:

SELINUX=disabled

setenforce 0

??????????? /etc/fstab ????????? ????? ? ????? ???????? (https://wiki.samba.org/index.php/Samba_4/OS_Requirements#ext3.2Fext4_File_System):
user_xattr
acl
barrier=1

????????:

/dev/sdd1 / ext4 defaults,discard,user_xattr,acl,barrier=1 1 1

shutdown -r now

????????????? ??????????? samba 4 (https://wiki.samba.org/index.php/Samba_4/OS_Requirements#Red_Hat_Enterprise_Linux_or_CentOS):
yum update
yum -y install gcc libacl-devel libblkid-devel gnutls-devel readline-devel python-devel gdb pkgconfig krb5-workstation zlib-devel setroubleshoot-server libaio-devel setroubleshoot-plugins policycoreutils-python libsemanage-python setools-libs-python setools-libs popt-devel libpcap-devel sqlite-devel libidn-devel libxml2-devel libacl-devel libsepol-devel libattr-devel keyutils-libs-devel cyrus-sasl-devel cups-devel bind-utils

??????????? Kerberos
cp /usr/local/samba/private/krb5.conf /etc/
vi /etc/krb5.conf:

[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true

[kdc]
check-ticket-addresses = false

????????????? ????????? ?????????? ?????? samba 4 ?? ?????? ?????? 4.1.5:
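# Build and install samba from the upstream release tarball.
# The version is pinned in one place so the download, extract and build steps
# cannot drift apart; every step aborts the sequence if it fails so a broken
# download is never configured and installed.
samba_ver=4.1.5
cd /usr/src || exit 1
wget "http://www.samba.org/samba/ftp/stable/samba-${samba_ver}.tar.gz" || exit 1
# NOTE(review): the tarball is fetched over plain HTTP and nothing checks its
# integrity; verify it against the release signature samba publishes next to
# the tarball before building, otherwise whatever the network handed back is
# what gets installed as the domain controller.
tar -xzf "samba-${samba_ver}.tar.gz" || exit 1
cd "samba-${samba_ver}" || exit 1
./configure --enable-debug --enable-selftest || exit 1
make || exit 1
make install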

?????? ?????????? ??????:
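# Remove any stale smb.conf so provisioning starts from a clean configuration
# (-f: not an error when the file does not exist).
rm -f -- /etc/smb.conf
# --adminpass is deliberately omitted: samba-tool then prompts for the
# Administrator password on the terminal instead of taking it from the command
# line, where it would be visible in "ps" output and recorded in the shell
# history. The remaining options are unchanged: realm, NetBIOS domain name,
# DC role and the BIND9 flat-file DNS backend configured below.
/usr/local/samba/bin/samba-tool domain provision --realm=EXAMPLE.COM --domain=MYADDC --server-role=dc --dns-backend=BIND9_FLATFILE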

????? ?????:
realm — ?????? ??? ??????????? ??????
domain — ???????? ??? ??????????? ??????
adminpass — ?????? ??? ??????? ?????? ?????????????? (Administrator) ??????????? ??????
dns-backend — ??? ?????????? ?????? ????? ???????? ? DNS ????????, ? ????? ?????? ?????? ??????? ????????? ???? DNS ??????? bind

?????? ????? ???? DNS ?? ?????, ??????? ????????????? samba
??? ???????? ????
mv /usr/local/samba/private/dns/example.com.zone /usr/local/samba/private/dns/example.com.wan
??? ????????? ????
cp /usr/local/samba/private/dns/example.com.wan /usr/local/samba/private/dns/example.com.lan
sed -i 's|100.200.1.1|192.168.20.1|g' /usr/local/samba/private/dns/example.com.lan

vi /etc/named.conf:

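options {
  // Listen on loopback plus both local addresses (eth0 LAN, eth1 WAN).
  listen-on port 53 { 127.0.0.1;100.200.1.1;192.168.20.1; };
  listen-on-v6 port 53 { none; };
  directory "/var/named";
  dump-file "/var/named/data/cache_dump.db";
  statistics-file "/var/named/data/named_stats.txt";
  memstatistics-file "/var/named/data/named_mem_stats.txt";
  // Anyone may query; the views in the samba-generated include decide which
  // copy of the zone a client sees.
  allow-query { any; };
  recursion yes;
  // Recursion is restricted to loopback and the LAN, so the WAN-facing
  // address does not act as an open resolver.
  allow-recursion {
    127.0.0.1;
    192.168.20.0/24;
  };
  notify yes;
  dnssec-enable yes;
  dnssec-validation yes;
  dnssec-lookaside auto;

  /* Path to ISC DLV key */
  bindkeys-file "/etc/named.iscdlv.key";
  managed-keys-directory "/var/named/dynamic";
  // Replace the real BIND version string in version.bind answers.
  version "my dns server";
  // Keytab used to authenticate GSS-TSIG (Kerberos-signed) dynamic updates
  // coming from samba. This is an options-level statement: at the top level
  // of named.conf it is not a recognised clause and the configuration does
  // not load, so it lives here rather than after the logging block.
  tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
};
logging {
  channel default_debug {
    file "data/named.run";
    severity dynamic;
  };
  category lame-servers { null; };
};
// Views and zones for the AD domain, maintained alongside the samba install.
include "/usr/local/samba/private/named.conf";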

vi /usr/local/samba/private/named.conf:

# Internal view: loopback and the LAN subnet are served the ".lan" copy of the
# zone (the sed step above rewrote the WAN address to 192.168.20.1 in it).
view "internal" {
match-clients {
127.0.0.1;
192.168.20.0/24;
};
zone "example.com." IN {
type master;
file "/usr/local/samba/private/dns/example.com.lan";
# Samba-generated include; presumably the update-policy that authorises
# GSS-TSIG dynamic updates from domain members -- verify its contents.
include "/usr/local/samba/private/named.conf.update";
check-names ignore;
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
};
# External view: every client not matched above is served the ".wan" copy.
# NOTE(review): the same update include is applied here, so dynamic-update
# requests arriving on the WAN side are evaluated by that policy as well;
# confirm this is intended, otherwise drop the include from this view so the
# externally visible zone is read-only.
view "external" {
match-clients { any; };
allow-query { any; };
zone "example.com." IN {
type master;
file "/usr/local/samba/private/dns/example.com.wan";
include "/usr/local/samba/private/named.conf.update";
check-names ignore;
};
};

service named restart

????????????? ?? ???? DNS ??????
vi /etc/resolv.conf:

search example.com
domain example.com
nameserver 127.0.0.1

?????? ?????? ??????????? samba 4 (http://wiki.samba.org/index.php/Samba4/InitScript):
vi /etc/init.d/samba4:

#!/bin/bash

# Red Hat init helpers; daemon, killproc and status used below presumably
# come from here.
source /etc/init.d/functions

# Networking configuration; NETWORKING is read in start().
source /etc/sysconfig/network

# Daemon name and the directory it was installed to by "make install".
prog=samba
prog_dir=/usr/local/samba/sbin/
# Subsystem lock file: created by start(), removed by stop().
lockfile="/var/lock/subsys/${prog}"

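#######################################
# Start the samba daemon in the background.
# Globals:   NETWORKING (read), prog, prog_dir, lockfile (read), RETVAL (written)
# Arguments: none
# Outputs:   progress message on stdout
# Returns:   the status of the daemon helper; exits 1 when networking is
#            disabled, 4 when not run as root, 5 when the binary is missing
#######################################
start() {
  # Refuse to start when the system-wide networking flag is off.
  [ "$NETWORKING" = "no" ] && exit 1
  # Same privilege check as stop(): only root may start the service
  # (LSB exit code 4, insufficient privilege).
  [ "$EUID" != "0" ] && exit 4
  # The template this script derives from carried a commented-out check for
  # the ntpd binary; this is the equivalent check for samba
  # (LSB exit code 5, program not installed).
  [ -x "$prog_dir/$prog" ] || exit 5

  # Start daemons.
  echo -n $"Starting samba4: "
  daemon "$prog_dir/$prog" -D
  # RETVAL stays a shell global, matching stop().
  RETVAL=$?
  echo
  [ "$RETVAL" -eq 0 ] && touch "$lockfile"
  return "$RETVAL"
}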

#######################################
# Stop the running samba daemon.
# Globals:   prog, prog_dir, lockfile (read), RETVAL (written)
# Arguments: none
# Outputs:   progress message on stdout
# Returns:   the status of killproc; exits 4 when not run as root
#######################################
stop() {
  # Only root may stop the service (LSB exit code 4, insufficient privilege).
  if [ "$EUID" != "0" ]; then
    exit 4
  fi
  echo -n $"Shutting down samba4: "
  killproc "$prog_dir/$prog"
  RETVAL=$?
  echo
  # Drop the subsystem lock only once the daemon is confirmed gone.
  if [ "$RETVAL" -eq 0 ]; then
    rm -f "$lockfile"
  fi
  return "$RETVAL"
}

# Dispatch on the requested action (first argument).
case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  status)
    status "$prog"
    ;;
  restart)
    # Plain stop followed by start; the stop status is not checked.
    stop
    start
    ;;
  reload)
    # LSB exit code 3: action not implemented.
    echo "Not implemented yet."
    exit 3
    ;;
  *)
    # LSB exit code 2: invalid or excess arguments.
    echo $"Usage: $0 {start|stop|status|restart|reload}"
    exit 2
    ;;
esac

chmod +x /etc/init.d/samba4
chkconfig samba4 on
service samba4 start

???? ????? ??????, ????????? samba ? debug ?????? ? ??????? ?? ??? ????????:
/usr/local/samba/sbin/samba -i --debuglevel=9

??? ???????? ?????????? ????????? ???? samba ? ???? ?????????
vi /root/.bash_profile:

PATH=$PATH:$HOME:/usr/local/samba/sbin:/usr/local/samba/bin

????????????? ?????? ???????
yum -y install ntp
vi /etc/ntp.conf:

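# Upstream time sources (ua pool zone).
server 0.ua.pool.ntp.org
server 1.ua.pool.ntp.org
server 2.ua.pool.ntp.org
server 3.ua.pool.ntp.org
# Socket provided by samba so ntpd can sign replies for domain members (MS-SNTP).
ntpsigndsocket /usr/local/samba/ntp_signd/
# "restrict default mssntp" on its own replaces the distribution's default
# restriction and drops its hardening flags, leaving control-message (mode 6/7)
# and peer requests from any host that reaches port 123 permitted. Keep the
# usual flags alongside mssntp: kod = rate-limit abusive clients,
# nomodify = no runtime reconfiguration, notrap = no trap service,
# nopeer = no unsolicited peer associations. Signed time replies for domain
# members are unaffected.
restrict default kod nomodify notrap nopeer mssntp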

service ntpd restart
chkconfig ntpd on

????????? ????? ? ????????? (https://wiki.samba.org/index.php/Samba_port_usage#Port_usage_when_Samba_runs_as_DC)

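# Open the DC ports listed on the samba port-usage page linked above, one rule
# per interface and protocol. "-I INPUT n" inserts at the top of the chain, so
# these rules take precedence over whatever follows them.
# TCP, internal interface: only the LAN subnet may reach the LAN address.
iptables -I INPUT 1 -s 192.168.20.0/24 -d 192.168.20.1 -i eth0 -p tcp -m state --state NEW -m multiport --dports 53,88,135,139,389,445,464,636,1024:5000,3268,3269,5353 -j ACCEPT
# TCP, external interface. There is no -s match, so every port here (LDAP,
# SMB, Kerberos, the RPC range ...) is reachable from any source on eth1.
# NOTE(review): if only specific peers need these services, add -s for them.
iptables -I INPUT 2 -d 100.200.1.1 -i eth1 -p tcp -m state --state NEW -m multiport --dports 53,88,135,139,389,445,464,636,1024:5000,3268,3269,5353 -j ACCEPT
# UDP, internal interface. 53 is added so clients can resolve over UDP as well
# as TCP, and 123 so domain members reach the signed NTP service configured
# above (ntpsigndsocket / mssntp).
iptables -I INPUT 3 -s 192.168.20.0/24 -d 192.168.20.1 -i eth0 -p udp -m multiport --dports 53,88,123,137,138,389,464,5353 -j ACCEPT
# UDP, external interface. 53 is added so the "external" DNS view can answer
# UDP queries; NTP is intentionally not exposed on this side.
iptables -I INPUT 4 -d 100.200.1.1 -i eth1 -p udp -m multiport --dports 53,88,137,138,389,464,5353 -j ACCEPT
service iptables save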
