Configuring DNS

Make sure the DNS package (bind) is installed on the machine

# yum -y install bind

Make the following changes in named.conf

# vi /etc/named.conf
options {
        // 127.0.0.1 alone is the CentOS default; the lab server IP from this page
        // is added so the clients pointed at 10.10.10.10 can actually query it
        listen-on port 53 { 127.0.0.1; 10.10.10.10; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        // "any" together with "recursion yes" makes this an open resolver;
        // outside the lab, restrict it to the client subnet
        allow-query     { localhost; any; };
        recursion yes;
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;
        /* Path to ISC DLV key */
#       bindkeys-file "/etc/named.iscdlv.key";
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/usr/local/samba/private/named.conf";

Now you need to edit the file /usr/local/samba/private/named.conf: back up that file and create a new named.conf in the same location with the following contents

# vi  /usr/local/samba/private/named.conf
# This file should be included in your main BIND configuration file
## For example with
# include "/usr/local/samba/private/named.conf";
zone "example.com." IN {
        type master;
        file "/usr/local/samba/private/example.com.zone";
        /*
         * Attention: Not all BIND versions support "ms-self". The instead use
         * of allow-update { any; }; is another, but less secure possibility.
         */
        update-policy {
                /*
                 * A rather long description here, as the "ms-self" option does
                 * not appear in any docs yet (it can only be found in the
                 * source code).
                 *
                 * The short of it is that each host is allowed to update its
                 * own A and AAAA records, when the update request is properly
                 * signed by the host itself.
                 *
                 * The long description is (look at the
                 * dst_gssapi_identitymatchesrealmms() call in lib/dns/ssu.c and
                 * its definition in lib/dns/gssapictx.c for details):
                 *
                 * A GSS-TSIG update request will be signed by a given signer
                 * (e.g. machine-name$@EXAMPLE.COM).  The signer name is split into
                 * the machine component (e.g. "machine-name") and the realm
                 * component (e.g. "EXAMPLE.COM").  The update is allowed if the
                 * following conditions are met:
                 *
                 * 1) The machine component of the signer name matches the first
                 * (host) component of the FQDN that is being updated.
                 *
                 * 2) The realm component of the signer name matches the realm
                 * in the grant statement below (EXAMPLE.COM).
                 *
                 * 3) The domain component of the FQDN that is being updated
                 * matches the realm in the grant statement below.
                 *
                 * If the 3 conditions above are satisfied, the update succeeds.
                 */
                grant EXAMPLE.COM ms-self * A AAAA;
        };
};
# The reverse zone configuration is optional.  The following example assumes a
# subnet of 192.168.123.0/24:
/*
zone "123.168.192.in-addr.arpa" in {
        type master;
        file "123.168.192.in-addr.arpa.zone";
        update-policy {
                grant *.COM wildcard *.123.168.192.in-addr.arpa. PTR;
        };
};
*/
# Note that the reverse zone file is not created during the provision process.
# The most recent BIND versions (9.5.0a5 or later) support secure GSS-TSIG
# updates.  If you are running an earlier version of BIND, or if you do not wish
# to use secure GSS-TSIG updates, you may remove the update-policy sections in
# both examples above.
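The three "ms-self" conditions quoted in the comment above, modelled as an added example (not BIND's or Samba's own code) together with the record-type restriction from the `grant EXAMPLE.COM ms-self * A AAAA;` line. The case-insensitive comparison and the function names are assumptions of this model.

```python
# Added example (not from the page, BIND or Samba): a model of the three
# "ms-self" conditions from the named.conf comment, plus the A/AAAA type
# restriction of the grant statement. Case-insensitive matching is an assumption.

def split_signer(signer):
    """'machine-name$@EXAMPLE.COM' -> ('machine-name', 'EXAMPLE.COM').
    A signer without the '$' machine suffix (e.g. a user principal) never matches."""
    principal, sep, realm = signer.partition("@")
    if not sep or not principal.endswith("$"):
        return None
    return principal[:-1], realm

def ms_self_allows(signer, fqdn, grant_realm, rtype, allowed_types=("A", "AAAA")):
    """True if a GSS-TSIG update signed by `signer` may change `rtype` records of
    `fqdn` under 'grant <grant_realm> ms-self * <allowed_types>'."""
    parts = split_signer(signer)
    if parts is None:
        return False
    machine, realm = parts
    host, sep, domain = fqdn.rstrip(".").partition(".")
    if not sep:
        return False                              # bare host name, no domain component
    return (
        host.lower() == machine.lower()           # 1) host label == machine component
        and realm.lower() == grant_realm.lower()  # 2) signer realm == grant realm
        and domain.lower() == grant_realm.lower() # 3) FQDN domain == grant realm
        and rtype.upper() in allowed_types        # only the types named in the grant
    )
```

A host can therefore only rewrite its own A/AAAA records; a signer for one machine, a foreign realm, or a name outside the realm is refused.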
# vi /usr/local/samba/private/example.com.zone
; -*- zone -*
; generated by provision.pl
$ORIGIN example.com.
$TTL 1W
@               IN SOA  @   hostmaster (
                                2012052216   ; serial
                                2D              ; refresh
                                4H              ; retry
                                6W              ; expiry
                                1W )            ; minimum
                        IN NS   server1
                        IN A    10.10.10.10
;
server1        IN A    10.10.10.10
gc._msdcs               IN CNAME        server1
8de12608-9880-4c52-ad21-8a1bf5ef7e41._msdcs     IN CNAME        server1
;
; global catalog servers
_gc._tcp                IN SRV 0 100 3268       server1
_gc._tcp.Default-First-Site-Name._sites IN SRV 0 100 3268       server1
_ldap._tcp.gc._msdcs    IN SRV 0 100 389        server1
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs     IN SRV 0 100 389 server1
;
; ldap servers
_ldap._tcp              IN SRV 0 100 389        server1
_ldap._tcp.dc._msdcs    IN SRV 0 100 389        server1
_ldap._tcp.pdc._msdcs   IN SRV 0 100 389        server1
_ldap._tcp.d709eaf9-d010-4f94-916c-ca3e8e179e24 IN SRV 0 100 389        server1
_ldap._tcp.d709eaf9-d010-4f94-916c-ca3e8e179e24.domains._msdcs          IN SRV 0 100 389 server1
_ldap._tcp.Default-First-Site-Name._sites               IN SRV 0 100 389 server1
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs     IN SRV 0 100 389 server1
;
; krb5 servers
_kerberos._tcp          IN SRV 0 100 88         server1
_kerberos._tcp.dc._msdcs        IN SRV 0 100 88 server1
_kerberos._tcp.Default-First-Site-Name._sites   IN SRV 0 100 88 server1
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs IN SRV 0 100 88 server1
_kerberos._udp          IN SRV 0 100 88         server1
; MIT kpasswd likes to lookup this name on password change
_kerberos-master._tcp           IN SRV 0 100 88         server1
_kerberos-master._udp           IN SRV 0 100 88         server1
;
; kpasswd
_kpasswd._tcp           IN SRV 0 100 464        server1
_kpasswd._udp           IN SRV 0 100 464        server1
;
; heimdal 'find realm for host' hack
_kerberos               IN TXT  EXAMPLE.COM
samba           IN A    10.10.10.10

Change the DNS server in resolv.conf and ifcfg-eth0 to point at the server IP, then restart the network interface and the named service

# service named restart

Check that DNS is working properly; if we get the following replies, we are good to go:

# host -t SRV _ldap._tcp.example.com.
_ldap._tcp.example.com has SRV record 0 100 389 server1.example.com.
# host -t SRV _kerberos._udp.example.com.
_kerberos._udp.example.com has SRV record 0 100 88 server1.example.com.
# host -t A samba.example.com.
samba.example.com has address 10.10.10.10
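An added example (not from the page, Samba or BIND) that performs the same check offline against the zone file: it parses the provision-style zone shown above and verifies that the SRV records an AD client relies on all point at the DC with the right port. The embedded zone text is a constructed excerpt of the page's example.com.zone; `REQUIRED_SRV`, `parse_zone` and `check_dc_srv` are names chosen here.

```python
# Added example (not from the page, BIND or Samba): parse a flat zone file in the
# layout shown above and check offline what the `host -t SRV` queries check online.
ZONE_TEXT = """\
$ORIGIN example.com.
@               IN SOA  @   hostmaster (
                                2012052216   ; serial
                                1W )            ; minimum
                        IN NS   server1
                        IN A    10.10.10.10
server1         IN A    10.10.10.10
_ldap._tcp              IN SRV 0 100 389        server1
_kerberos._tcp          IN SRV 0 100 88         server1
_kerberos._udp          IN SRV 0 100 88         server1
_kpasswd._tcp           IN SRV 0 100 464        server1
"""  # constructed excerpt of /usr/local/samba/private/example.com.zone
# SRV owner -> port an AD DC must publish (the subset this page's checks touch)
REQUIRED_SRV = {"_ldap._tcp": 389, "_kerberos._tcp": 88, "_kerberos._udp": 88, "_kpasswd._tcp": 464}

def fqdn(name, origin):                          # qualify an owner/target against $ORIGIN
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text):
    """Return (origin, [(owner_fqdn, type, rdata_fields)]); handles $ORIGIN, ';' comments,
    inherited owners and '(' ... ')' continuation lines such as the SOA record."""
    origin, owner, records, pending = ".", "@", [], ""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()     # drop comments
        if not line.strip(): continue
        pending = f"{pending} {line.strip()}" if pending else line
        if pending.count("(") > pending.count(")"): continue   # record continues
        line, pending = pending, ""
        if line.startswith("$"):                 # $ORIGIN / $TTL directives
            origin = line.split()[1] if line.startswith("$ORIGIN") else origin
            continue
        fields = line.replace("(", " ").replace(")", " ").split()
        if not line[0].isspace():                # owner present on this line
            owner, fields = fields[0], fields[1:]
        if fields[0] == "IN": fields = fields[1:]
        records.append((fqdn(owner, origin), fields[0], fields[1:]))
    return origin, records

def check_dc_srv(text, dc_host):
    """Return problems with the required SRV records; [] means they all point at dc_host."""
    origin, records = parse_zone(text)
    dc, problems = fqdn(dc_host, origin), []
    for name, port in REQUIRED_SRV.items():
        want = f"{name}.{origin}"
        hits = [r for o, t, r in records if o == want and t == "SRV"]
        if not hits: problems.append(f"missing SRV {want}")
        for _prio, _weight, p, target in hits:
            if int(p) != port or fqdn(target, origin) != dc:
                problems.append(f"{want} -> {target}:{p}, expected {dc}:{port}")
    return problems
```

Run `check_dc_srv(open("/usr/local/samba/private/example.com.zone").read(), "server1")` on the real file before restarting named; an empty list means the SRV set the clients will query is complete.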

Now back up the existing krb5.conf and replace it with the following.
Make sure the Kerberos packages are installed on the system

# yum -y install krb5-workstation
# mv /etc/krb5.conf /etc/krb5.conf.orig
# vi /etc/krb5.conf
[libdefaults]
        default_realm = EXAMPLE.COM
        dns_lookup_realm = false
        dns_lookup_kdc = false
        ticket_lifetime = 24h
        forwardable = yes
[realms]
        EXAMPLE.COM = {
                kdc = server1.example.com:88
                admin_server = server1.example.com:749
                default_domain = example.com
        }
[domain_realm]
        .example.com = EXAMPLE.COM
        example.com = EXAMPLE.COM

Now check your Kerberos

# kinit administrator@EXAMPLE.COM
password for administrator@EXAMPLE.COM:

Enter the password, and the configuration part on the server side is complete.

Check the firewall and SELinux settings; I have disabled both.

Clients: Windows XP and Windows 7

Change the client machines' DNS to the server IP, and make sure the client machines' time zone matches the server's.

From here we can follow this page to configure the client computers as part of the domain and manage group policies for all users.

https://wiki.samba.org/index.php/Samba4/HOWTO

Lab environment

Server: CentOS 6.2
Hostname: server1.example.com
IP address: 10.10.10.10
DNS: 10.10.10.10

How to configure Samba 4 as Active Directory

Samba4's main features already include:

  • Support for the "Active Directory" logon and administration protocols used by Windows XP, Windows 7 and Mac OS X clients
  • Support for Group Policy definitions
  • A new "full coverage" test suite
  • Full NTFS semantics for the share backend
  • An internal LDAP server with AD semantics
  • An internal Kerberos server, including PAC support
  • Bind9 integration for AD DNS support (using DLZ)
  • A fully asynchronous internal architecture
  • A flexible process model
  • Better scalability, from micro to very large installations
  • A new RPC infrastructure (PIDL)
  • A flexible database architecture (LDB)
  • Python support, used extensively in client and administration tools
  • A generic security subsystem (GENSEC)
  • Over 50% auto-generated code!

Running the samba service

Execute from a terminal as the root user

# samba

Testing samba4

# smbclient --version

This should show a version string beginning with "Version 4.0.XXXXX"

Now try this command:

# smbclient -L localhost -U%

and check that we get the correct reply listing all the shared directories (including sysvol and netlogon).

The "netlogon" and "sysvol" shares are the basic shares required for an Active Directory server to operate.

To test that authentication works, we should try connecting to the netlogon share with the administrator password we set earlier.

# smbclient //localhost/netlogon -Uadministrator%PASSWORD

The named.conf and krb5.conf generated by provision are in their default location under /usr/local/samba/private

Preparation before starting the configuration

Install the rpm packages below

# yum -y install git gcc libacl-devel libblkid-devel gnutls-devel readline-devel python-devel gdb pkgconfig zlib-devel setroubleshoot-server setroubleshoot-plugins policycoreutils-python libsemanage-python setools-libs-python setools-libs popt-devel libpcap-devel sqlite-devel libidn-devel libxml2-devel libacl-devel libsepol-devel libattr-devel keyutils-libs-devel cyrus-sasl-devel

Once all these packages are installed, continue to the next step.
Now we need to download the samba4 source.

# git clone git://git.samba.org/samba.git samba-master
# cd samba-master
# ./configure.developer
# make
# make install

If this step completes without any errors, continue with the provision step

/usr/local/samba/sbin/provision --realm=example.com --domain=EXAMPLE --adminpass=SOMEPASSWORD --server-role=dc

After this step completes we will see the configuration options mentioned above.
Now it is time to start the samba server.

Note: make sure no other samba server is installed apart from the samba server just installed.

We must add the Samba4 directories to the PATH variable on the machine.

# export PATH=$PATH:/usr/local/samba/sbin:/usr/local/samba/bin

Save this path in .bash_profile so it does not need to be exported again every time you log in after a reboot.

Date: 2020-06-02 22:16:56 Source: oir Author: oir