Wednesday, June 4, 2014

Installing Samba4 As An Active Directory Domain Controller On CentOS 6



The latest version of Samba 4 comes with the Active Directory logon and administration protocols, including typical Active Directory support and full interoperability with Microsoft Active Directory servers. This is achieved by combining an LDAP directory, Kerberos authentication, the BIND DNS server and remote procedure calls (RPC).

When running as an Active Directory DC, you only need to run 'samba' (not smbd/nmbd/winbindd), as the required services are coordinated by this master binary. The tool to administer the Active Directory services is called 'samba-tool'.

I have a CentOS 6 x86_64 minimal install. This post covers the initial installation and configuration of Samba 4 as an Active Directory domain controller on CentOS 6, using BIND 9 as the DNS backend and an NTP server used by the clients.

1) Disable SELinux (note that the key in this file is upper case)
[root@ad ~]# vi /etc/sysconfig/selinux
             SELINUX=disabled

2) Install the prerequisites (dependencies) for the Samba 4 build
[root@ad ~]# yum -y install wget gcc make python-devel gnutls-devel openssl-devel libacl-devel krb5-server krb5-libs krb5-workstation bind bind-libs bind-utils ntp

3) Configure NTP to use the local clock as its time source
[root@ad ~]# vi /etc/ntp.conf
Comment out lines 22, 23 and 24 of the configuration file and uncomment the lines below
server  127.127.1.0     # local clock
fudge   127.127.1.0 stratum 10


4) Download Samba 4 from the following link and compile it
[root@ad ~]# wget ftp://ftp.samba.org/pub/samba/samba-4.1.0.tar.gz
[root@ad ~]# tar -xvzf samba-4.1.0.tar.gz
[root@ad ~]# cd samba-4.1.0
[root@ad samba-4.1.0]# ./configure --enable-selftest --enable-debug
[root@ad samba-4.1.0]# make
[root@ad samba-4.1.0]# make install

5) Configure Samba 4 as a domain controller using the samba-tool command
[root@ad ~]# /usr/local/samba/bin/samba-tool domain provision
Realm [ITGURUINDIA.COM]: ITGURUINDIA.COM       (All Caps) 
Domain [ITGURUINDIA]:
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: BIND9_DLZ
DNS forwarder IP address (write 'none' to disable forwarding) [192.168.124.252]: none
Administrator password: secret!1234
Retype password: secret!1234
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=itguruindia,DC=com
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=itguruindia,DC=com
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role:           active directory domain controller
Hostname:              ad
NetBIOS Domain:        ITGURUINDIA
DNS Domain:            itguruindia.com
DOMAIN SID:            S-1-5-21-3335388306-1463729434-941727365


6) Configure BIND as the DNS backend for Samba Active Directory
Note: BIND must be installed on the same machine as Samba 4.
The BIND9_DLZ DNS backend stores the zone information in the Samba 4 AD database.
[root@ad ~]# rndc-confgen -a -r /dev/urandom
wrote key file "/etc/rndc.key"


A DNS keytab file was automatically created during provisioning/updating. Add the following 'tkey-gssapi-keytab' option to the 'options' section of the named.conf file.
[root@ad ~]# vim /etc/named.conf
options {
        listen-on port 53 { 192.168.1.100; };
        allow-query { any; };
        tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
};
include "/usr/local/samba/private/named.conf";
include "/etc/rndc.key";


Then change the resolv.conf file to point at the IP address of the Samba server
[root@ad ~]# vim /etc/resolv.conf
domain itguruindia.com
nameserver 192.168.1.100

7) Configure the Kerberos configuration file as below (the realm is in all caps)
[root@ad ~]# cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf
[root@ad ~]# vim /etc/krb5.conf
[libdefaults]
        default_realm = ITGURUINDIA.COM
        dns_lookup_realm = false
        dns_lookup_kdc = true


8) Set the permissions on the files below so that named can read them
[root@ad ~]# chgrp named /etc/krb5.conf
[root@ad ~]# chown named:named /usr/local/samba/private/dns 
[root@ad ~]# chown named:named /usr/local/samba/private/dns.keytab
[root@ad ~]# chmod 775 /usr/local/samba/private/dns

9) Create the Samba 4 init.d script and set its permissions.
[root@ad ~]# vim /etc/init.d/samba4
#!/bin/bash
#
# samba4 Bring up/down the samba4 service
#
# chkconfig: - 90 10
# description: Activates/Deactivates the samba4 Active Directory \
#              domain controller at boot time.
#
### BEGIN INIT INFO
# Provides: samba4
# Should-Start:
# Short-Description: Bring up/down samba4
# Description: Bring up/down samba4
### END INIT INFO

# Source function library.
. /etc/init.d/functions

if [ -f /etc/sysconfig/samba4 ]; then
    . /etc/sysconfig/samba4
fi

prog="samba4"
SAMBA=/usr/local/samba/sbin/samba

# Returns 0 if the samba master process is running.
running() {
    ps ax | grep -v "grep" | grep -q /samba/sbin/samba
}

start() {
    echo -n $"Starting $prog: "
    $SAMBA
    sleep 2
    if running ; then success $"samba4 startup"; else failure $"samba4 startup"; fi
    echo
}
stop() {
    echo -n $"Shutting down $prog: "
    killall samba
    sleep 2
    if running ; then failure $"samba4 shutdown"; else success $"samba4 shutdown"; fi
    echo
}
status() {
    # Report the process state with an LSB-style exit code (0 running, 3 stopped).
    if running ; then
        echo "$prog is running"
        return 0
    else
        echo "$prog is stopped"
        return 3
    fi
}

# See how we were called.
case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    status)
        status
        ;;
    restart|reload)
        stop
        start
        ;;
    *)
        echo $"Usage: $0 {start|stop|restart|reload|status}"
        exit 1
esac

exit 0


[root@ad ~]# chmod 755 /etc/init.d/samba4

10) Configure the services to start at boot and start them.
[root@ad ~]# chkconfig ntpd on
[root@ad ~]# chkconfig named on
[root@ad ~]# chkconfig samba4 on
[root@ad ~]# service ntpd start
[root@ad ~]# service named start
[root@ad ~]# service samba4 start

11) If iptables is enabled, the ports below need to be allowed through the firewall (the rules only accept traffic from the 192.168.1.0/24 LAN on eth0).
[root@ad ~]# iptables -A INPUT -p udp -i eth0 -s 192.168.1.0/24 --dport 53 -j ACCEPT
[root@ad ~]# iptables -A INPUT -p udp -i eth0 -s 192.168.1.0/24 --dport 123 -j ACCEPT
[root@ad ~]# iptables -A INPUT -p udp -i eth0 -s 192.168.1.0/24 --dport 135 -j ACCEPT
[root@ad ~]# iptables -A INPUT -p udp -i eth0 -s 192.168.1.0/24 --dport 138 -j ACCEPT
[root@ad ~]# iptables -A INPUT -p udp -i eth0 -s 192.168.1.0/24 --dport 389 -j ACCEPT
[root@ad ~]# iptables -A INPUT -p tcp -i eth0 -s 192.168.1.0/24 --dport 88 -j ACCEPT
[root@ad ~]# iptables -A INPUT -p tcp -i eth0 -s 192.168.1.0/24 --dport 139 -j ACCEPT
[root@ad ~]# iptables -A INPUT -p tcp -i eth0 -s 192.168.1.0/24 --dport 389 -j ACCEPT
[root@ad ~]# iptables -A INPUT -p tcp -i eth0 -s 192.168.1.0/24 --dport 445 -j ACCEPT
[root@ad ~]# iptables -A INPUT -p tcp -i eth0 -s 192.168.1.0/24 --dport 464 -j ACCEPT
[root@ad ~]# iptables -A INPUT -p tcp -i eth0 -s 192.168.1.0/24 --dport 636 -j ACCEPT
[root@ad ~]# iptables -A INPUT -p tcp -i eth0 -s 192.168.1.0/24 --dport 1024:1032 -j ACCEPT
[root@ad ~]# iptables -A INPUT -p tcp -i eth0 -s 192.168.1.0/24 --dport 3268 -j ACCEPT
[root@ad ~]# iptables -A INPUT -p tcp -i eth0 -s 192.168.1.0/24 --dport 3269 -j ACCEPT

[root@ad ~]# service iptables save

12) Reboot the system to check whether the services come up again after a reboot.
[root@ad ~]# reboot

13) Join a Windows PC to this domain controller

14) Troubleshooting in case dynamic DNS updates are not working
[root@ad ~]# /usr/local/samba/sbin/samba_dnsupdate --verbose --all-names

15) Port numbers used in the iptables rules and their purpose.
53 - UDP - DNS (Domain Name System)
123 - UDP - NTP (Network Time Protocol)
135 - UDP - RPC (Remote Procedure Calls)
138 - UDP - NetBIOS Logon
389 - UDP - LDAP UDP (Lightweight Directory Access Protocol)
88 - TCP - Kerberos
139 - TCP - NetBIOS Session
389 - TCP - LDAP TCP (Lightweight Directory Access Protocol)
445 - TCP - SMB CIFS (Server Message Block / Common Internet File System)
464 - TCP - Kerberos Password Management
636 - TCP - LDAP SSL (Lightweight Directory Access Protocol)
3268 - TCP - LDAP Global Catalog
3269 - TCP - LDAP Global Catalog SSL
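As an added example (not part of the original post), the following Python audits a set of iptables INPUT rules like those in step 11 against the port table in step 15, reporting what the firewall is missing, what it opens without need, and what it accepts from outside the LAN. The sample rules are constructed here, with one rule deliberately changed to UDP 3269 so the check has something to flag; the 192.168.1.0/24 LAN is assumed.

```python
# Added example, not from the original post: audit iptables INPUT rules against the
# step 15 port table: what is missing, opened without need, or open to any source.
import re
from collections import namedtuple

Rule = namedtuple("Rule", "proto port_lo port_hi source")

# Required (proto, port) pairs transcribed from the step 15 table, plus the
# TCP 1024-1032 RPC range that step 11 opens.
REQUIRED = {("udp", 53), ("udp", 123), ("udp", 135), ("udp", 138), ("udp", 389),
            ("tcp", 88), ("tcp", 139), ("tcp", 389), ("tcp", 445), ("tcp", 464),
            ("tcp", 636), ("tcp", 3268), ("tcp", 3269)}
REQUIRED |= {("tcp", p) for p in range(1024, 1033)}

RULE_RE = re.compile(r"iptables -A INPUT -p (?P<proto>tcp|udp) .*?-s (?P<src>\S+) "
                     r"--dport (?P<lo>\d+)(?::(?P<hi>\d+))? -j ACCEPT")

def parse_rules(text):
    """Parse 'iptables -A INPUT ...' lines; a leading shell prompt is ignored."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.search(line)
        if m:
            lo = int(m.group("lo"))
            rules.append(Rule(m.group("proto"), lo, int(m.group("hi") or lo), m.group("src")))
    return rules

def audit(rules, lan="192.168.1.0/24"):
    """Return (missing, unexpected, unrestricted) as sets of (proto, port)."""
    allowed, unrestricted = set(), set()
    for r in rules:
        for port in range(r.port_lo, r.port_hi + 1):
            allowed.add((r.proto, port))
            if r.source != lan:  # accepted from somewhere other than the LAN subnet
                unrestricted.add((r.proto, port))
    return REQUIRED - allowed, allowed - REQUIRED, unrestricted

# Constructed sample: the step 11 rule set with the last rule deliberately
# changed to UDP 3269 (the table says TCP) so the audit has something to flag.
SAMPLE_RULES = "\n".join(
    "[root@ad ~]# iptables -A INPUT -p %s -i eth0 -s 192.168.1.0/24 --dport %s -j ACCEPT"
    % (proto, dport)
    for proto, dport in [("udp", 53), ("udp", 123), ("udp", 135), ("udp", 138),
                         ("udp", 389), ("tcp", 88), ("tcp", 139), ("tcp", 389),
                         ("tcp", 445), ("tcp", 464), ("tcp", 636), ("tcp", "1024:1032"),
                         ("tcp", 3268), ("udp", 3269)])

if __name__ == "__main__":
    print(audit(parse_rules(SAMPLE_RULES)))  # ({('tcp', 3269)}, {('udp', 3269)}, set())
```

On a live host the same audit can be fed the output of `iptables-save` style rule text, which the regex accepts as long as the rules keep the `-p ... -s ... --dport ... -j ACCEPT` shape.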
