Pre-requisites
Make sure the hostname of the system is set correctly and all firewalls and selinux are disabled (Or configured for the ports specified at the bottom)
Install the packages
pam-devel is necessary if you want to build libnss_winbind.so.2 and use pam/winbind for local auth
yum -y install gcc make wget python-devel gnutls-devel openssl-devel libacl-devel krb5-server krb5-libs krb5-workstation bind bind-libs bind-utils pam-devel ntp openldap-devel ncurses-develDownload and compile Samba
You can replace -j3 with n+1 CPUs you have available on the system.
wget https://www.samba.org/samba/ftp/stable/samba-4.3.1.tar.gz
tar xvzf samba-4.3.1.tar.gz
cd samba-4.3.1
./configure --enable-selftest
make -j3 && make -j3 installRun Samba domain creation and configuration
This will create your domain as domain.com using bind as the backend and setting rfc2307 attributes in AD so you can store and retrieve UID/GID in AD.
/usr/local/samba/bin/samba-tool domain provision --realm=domain.com --domain=DOMAIN --server-role=dc --dns-backend=BIND9_DLZ --adminpass "myadpassword" --use-rfc2307Create an init script for Samba
Edit /etc/init.d/samba4
#! /bin/bash
#
# samba4 start and stop samba service
#
# chkconfig: - 90 10
# description: Activates/Deactivates all samba4 interfaces configured to start at boot time.
#
# config: /usr/local/samba/etc/smb.conf
### BEGIN INIT INFO
# Provides:
# Required-Start: $local_fs $network
# Required-Stop: $local_fs $network
# Should-Start:
# Short-Description: start and stop samba service
# Description: start and stop samba service
### END INIT INFO
# Source function library.
. /etc/init.d/functions
if [ -f /etc/sysconfig/samba4 ]; then
. /etc/sysconfig/samba4
fi
RETVAL=0
CWD=$(pwd)
prog="samba"
prog_path="/usr/local/samba/sbin"
lockfile=/var/lock/subsys/$prog
start() {
#Samba is already running, exit
[ -e $lockfile ] && exit 1
#Start service
echo -n $"Starting $prog: "
daemon $prog_path/$prog
RETVAL=$?
echo
[ $RETVAL -eq 0 ] && touch $lockfile
return $RETVAL
}
stop() {
# Stop service.
echo -n $"Shutting down $prog: "
killproc $prog_path/$prog
RETVAL=$?
echo
[ $RETVAL -eq 0 ] && rm -f $lockfile
return $RETVAL
}
# See how we were called.
case "$1" in
start)
start
RETVAL=$?
;;
stop)
stop
RETVAL=$?
;;
status)
status smbd
status samba
RETVAL=$?
;;
restart|reload)
stop
start
;;
*)
echo $"Usage: $0 {start|stop|restart|status}"
exit 1
esac
exit $RETVALchmod 755 /etc/init.d/samba4Configure Bind/DNS
Configure Bind to allow recursion (external resolving) to local subnets and point to the kerberos key that the samba-tool command generated. Also include the Samba Bind database.
acl "trusted" {
192.168.1.0/24;
127.0.0.0/8;
::1/128;
};
options {
listen-on port 53 { any; };
allow-query { any; };
tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
allow-recursion {
/* Only trusted addresses are allowed to use recursion. */
trusted;
};
notify yes;
};
include "/usr/local/samba/private/named.conf";/usr/local/samba/private/named.conf looks like below. CentOS 6 comes with Bind 9.8 which is the default.
dlz "AD DNS Zone" {
# For BIND 9.8.0
database "dlopen /usr/local/samba/lib/bind9/dlz_bind9.so";
# For BIND 9.9.0
# database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_9.so";
};Start named and make sure it is on by default
chkconfig named on
/etc/init.d/named startChange /etc/resolv.conf to point to itself for DNS
domain domain.com
nameserver 127.0.0.1Configure kerberos
edit /etc/krb5.conf. Case is important on the REALM here
[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_realm = true
dns_lookup_kdc = trueConfigure NTP
Edit /etc/ntp.conf. I commented out the IPv6 stuff as it was causing errors in the logs, not necessary but makes the log nicer. Note the sections on ntpsigndsocket and mssntp, these are required for Windows machines to successfully sync time with this AD server.
restrict default nomodify notrap nopeer noquery
#restrict -6 default nomodify notrap nopeer noquery
# Permit all access over the loopback interface. This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1
restrict -6 ::1
ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/
# Hosts on local network are less restricted.
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap kod nopeer mssntp
# Undisciplined Local Clock. This is a fake driver intended for backup
# and when no outside source of synchronized time is available.
server 127.127.1.0 # local clock
fudge 127.127.1.0 stratum 10
server 0.gentoo.pool.ntp.org version 3 prefer
server 1.gentoo.pool.ntp.org version 3 prefer
server 2.gentoo.pool.ntp.org version 3 prefer
server 3.gentoo.pool.ntp.org version 3 prefer
# Drift file. Put this in a directory which the daemon can write to.
# No symbolic links allowed, either, since the daemon updates the file
# by creating a temporary in the same directory and then rename()\'ing
# it to the file.
driftfile /var/lib/ntp/drift
# Logging
logfile /var/log/ntp
logconfig =syncevents +clockeventsStart ntpd and make sure it is on by default
chkconfig ntpd on
/etc/init.d/ntpd startStart it up
Start samba4 and make sure it is on by default
chkconfig samba4 on
/etc/init.d/samba4 startFirewall
Open the following ports: UDP 53, 123, 135, 138, 389 TCP 88, 464, 139, 445, 389, 636, 3268, 3269 53 - DNS 88 - Kerberos 123 - NTP 135 - RCP 138 - NetBIOS 139 - NetBIOS session 389 - LDAP 445 - MS directory services 464 - Kerberos passwd 636 - SSL LDAP 3268 - Global catalog 3269 - SSL Global catalog