Active Directory Domain Controller — Samba4

Предварительная настройка

Пример:
Имя хоста: abbadon Домен: school.lan IP-адрес: 10.135.69.1/24

# cat /etc/hosts

1	# cat /etc/hosts

::1 localhost localhost.my.domain
127.0.0.1 localhost localhost.my.domain
10.155.69.1 abbadon abbadon.school.lan

::1 localhost localhost.my.domain

127.0.0.1 localhost localhost.my.domain

10.155.69.1 abbadon abbadon.school.lan

…

# cat /etc/resolv.conf

1	# cat /etc/resolv.conf

search school.lan
nameserver 10.155.69.1
nameserver 8.8.8.8

search school.lan

nameserver 10.155.69.1

nameserver 8.8.8.8

…

# cat /etc/resolvconf.conf

1	# cat /etc/resolvconf.conf

search_domains="school.lan"
name_servers="10.155.69.1"

1 2	search_domains="school.lan" name_servers="10.155.69.1"

Включаем ACLs на файловой системе

# ee /etc/fstab

1	# ee /etc/fstab

Device	Mountpoint	FStype	Options	Dump	Pass
/dev/da0p2	/	ufs	rw,noatime,acls	1	1
/dev/da0p3	none	swap	sw	0	0

Device Mountpoint FStype Options Dump Pass

/dev/da0p2 / ufs rw,noatime,acls 1 1

/dev/da0p3 none swap sw 0 0

# mount -o acls /

1	# mount -o acls /

Установка Samba4

# pkg ins -y samba412

1	# pkg ins -y samba412

New packages to be INSTALLED:
...
samba412: 4.12.15_2
...

New packages to be INSTALLED:

...

samba412: 4.12.15_2

...

# service samba_server onestart
# sysrc samba_server_enable=yes

1 2	# service samba_server onestart # sysrc samba_server_enable=yes

Подготовка Samba AD в неинтерактивном режиме

# samba-tool domain provision --server-role=dc --use-rfc2307 --dns-backend=SAMBA_INTERNAL --realm=SCHOOL.LAN --domain=SCHOOL --adminpass=ParoL1Admin2DoMena3

1	# samba-tool domain provision --server-role=dc --use-rfc2307 --dns-backend=SAMBA_INTERNAL --realm=SCHOOL.LAN --domain=SCHOOL --adminpass=ParoL1Admin2DoMena3

Настройка DNS Resolver

Создаем обратную зону

# samba-tool dns zonecreate 10.155.69.1 69.155.10.in-addr.arpa -U Administrator
Password for [administrator@SCHOOL.LAN]:
Zone 69.155.10.in-addr.arpa created successfully

# samba-tool dns zonecreate 10.155.69.1 69.155.10.in-addr.arpa -U Administrator

Password for [administrator@SCHOOL.LAN]:

Zone 69.155.10.in-addr.arpa created successfully

Настройка Kerberos

# cp /var/db/samba4/private/krb5.conf /etc/krb5.conf

1	# cp /var/db/samba4/private/krb5.conf /etc/krb5.conf

Тестирование Samba AD DC, DNS, Kerberos

$ smbclient -L localhost -U%
$ smbclient //localhost/netlogon -UAdministrator -c 'ls'
$ host -t SRV _ldap._tcp.school.lan.
$ host -t SRV _kerberos._udp.school.lan.
$ host -t A abbadon.school.lan.
$ kinit administrator@SCHOOL.LAN
$ klist

$ smbclient -L localhost -U%

$ smbclient //localhost/netlogon -UAdministrator -c 'ls'

$ host -t SRV _ldap._tcp.school.lan.

$ host -t SRV _kerberos._udp.school.lan.

$ host -t A abbadon.school.lan.

$ kinit administrator@SCHOOL.LAN

$ klist

Администрирование DNS

Просмотр списка зон DNS

# samba-tool dns zonelist 10.155.69.1 -U administrator

1	# samba-tool dns zonelist 10.155.69.1 -U administrator

Просмотр информации о зоне DNS

# samba-tool dns zoneinfo 10.155.69.1 school.lan -U administrator # samba-tool dns zoneinfo 10.155.69.1 69.155.10.in-addr.arpa -U administrator

1	# samba-tool dns zoneinfo 10.155.69.1 school.lan -U administrator # samba-tool dns zoneinfo 10.155.69.1 69.155.10.in-addr.arpa -U administrator

Просмотр записей в зоне DNS

# samba-tool dns query 10.155.69.1 school.lan @ ALL -U administrator # samba-tool dns query 10.155.69.1 69.155.10.in-addr.arpa @ ALL -U administrator

1	# samba-tool dns query 10.155.69.1 school.lan @ ALL -U administrator # samba-tool dns query 10.155.69.1 69.155.10.in-addr.arpa @ ALL -U administrator

Подробнее…

Microsoft Remote Server Administration Tools for Windows 7 sp1

Windows6.1-KB958830-x64-RefreshPkg
Windows6.1-KB958830-x86-RefreshPkg

Подробнее о групповой политике в Samba4…