Thursday, June 19, 2014

Installation and Configuration of Samba-4 Domain Controller on CentOS-6x system

Steps:

1. Change to the directory under which the source will be downloaded:
    # cd /home/Administrator/Downloads

2. # mkdir Samba4; cd Samba4

3. # yum install git

4. # git clone git://git.samba.org/samba.git samba-master

5. # cd samba-master/

6. # git pull

7. # yum install gtkhtml setroubleshoot-server setroubleshoot-plugins policycoreutils-python libsemanage-python setools-libs-python setools-libs popt-devel

8. # yum install libpcap-devel sqlite-devel libidn-devel libxml2-devel libacl-devel libsepol-devel libattr-devel keyutils-libs-devel zlib-devel cyrus-sasl-devel

9. # yum install gcc

10. # yum install python python-devel

11. # yum install bind bind-utils bind-libs samba-winbind-clients

12. # ./configure.developer

13. # make

14. # make quicktest

15. # make install

16. # yum install bind bind-utils bind-libs samba-winbind-clients (the same packages as in step 11; yum reports "Nothing to do" if they are already installed)

17. # service named start

18. Check that named is listening (53/tcp and 53/udp for DNS, 953/tcp for the rndc control channel; the stock CentOS named.conf binds both to 127.0.0.1 only):
     # netstat -apn | grep -E ':(53|953) '
     # nmap localhost

19. Provision the domain. The admin password value was left blank here; supply a strong one. A password given on the command line is written to the shell history and is visible in the process list (/proc/<pid>/cmdline) while provision runs, so clear that history entry afterwards. provision upper-cases the realm for the Kerberos realm name (TUX-KOL.SRV) and uses the machine's current hostname for the DC's DNS records, so set the proper FQDN hostname before running it:
     #./source4/setup/provision --realm=tux-kol.srv --domain=tux-kol --adminpass= --server-role='domain controller'

20. # mkdir /etc/phpldapadmin

21. # cp /usr/local/samba/private/phpldapadmin-config.php /etc/phpldapadmin/config.php

22. Backup the original /etc/krb5.conf
      # cp /etc/krb5.conf /etc/krb5.conf_original

23. Copy the krb5.conf that provision generated over /etc/krb5.conf (it sets the default realm to TUX-KOL.SRV):

     # cp /usr/local/samba/private/krb5.conf /etc/

24. Start Samba:
      # /usr/local/samba/sbin/samba

25. Check Client Version:
      # /usr/local/samba/bin/smbclient --version
        Version 4.0.0alpha17-GIT-ff94539

26. Check list of shares available on the server:

      # /usr/local/samba/bin/smbclient -L localhost -U%

      Sharename Type Comment
      --------- ---- -------
      netlogon Disk
      sysvol Disk
      IPC$ IPC IPC Service

      REWRITE: list servers not implemented

27. Test authentication by connecting to the netlogon share with the administrator credentials (the password follows the "%" and was left blank here; passing it this way exposes it in the shell history and process list, and omitting the "%" makes smbclient prompt for it instead):

     # /usr/local/samba/bin/smbclient //localhost/netlogon -Uadministrator%

     smb: \>

     Quit by typing "exit" (or "quit") at the smb: prompt.

28. Create a test share in /usr/local/samba/etc/smb.conf (the directory /data/test must exist; "read only = no" makes the share writable for every domain user the filesystem permissions allow), then save and exit:

      [test]
      path = /data/test
      read only = no

29.  Test that the new share is visible. Stop Samba (the source install provides no init script, so kill the samba process) and start it again, then list the shares:
       # /usr/local/samba/bin/smbclient -L localhost -U%

       Sharename Type Comment
       --------- ---- -------
       netlogon Disk
       sysvol Disk
       test Disk
       IPC$ IPC IPC Service

       REWRITE: list servers not implemented

30. Modify the following files as;

A. /etc/named.conf

    options {

          listen-on port 53 { any; };
          // listen-on port 53 { 127.0.0.1; };
         // listen-on-v6 port 53 { ::1; };
         // allow-query { localhost; };
         allow-query { any; };
         tkey-gssapi-credential "DNS/tux-kol.srv";
         tkey-domain "TUX-KOL.SRV";

         };

        include "/usr/local/samba/private/named.conf";

The options block originally also carried "listen-on port 953 { any; };". That line is wrong and has been dropped: 953 is the rndc control channel, which BIND configures in its "controls" block, and a listen-on statement only makes named answer DNS queries on that port as well. Two further points: "allow-query { any; };" is needed so domain members can query the AD zone, but without an "allow-recursion" restriction it also turns the DC into an open recursive resolver for anyone who can reach it, so limit recursion to your client networks; and on BIND 9.7 and later "tkey-gssapi-keytab" (pointing at /usr/local/samba/private/dns.keytab) replaces the deprecated "tkey-gssapi-credential".

Please note that in my case the following entries didn't work in the /etc/named.conf file:
* include "/etc/named.root.key";
* managed-keys-directory "/var/named/dynamic";

B.  In /etc/sysconfig/named, the following entries were made so that the init script starts named with the environment
variables pointing at the GSS-TSIG keytab that provision generated:

     KEYTAB_FILE="/usr/local/samba/private/dns.keytab"
     KRB5_KTNAME="/usr/local/samba/private/dns.keytab"
     export KEYTAB_FILE
     export KRB5_KTNAME


C.  In the Kerberos config file, i.e. /etc/krb5.conf:

      [logging]
      default = FILE:/var/log/krb5libs.log
      kdc = FILE:/var/log/krb5kdc.log
      admin_server = FILE:/var/log/kadmind.log

      [libdefaults]
      default_realm = TUX-KOL.SRV
      dns_lookup_realm = false
      dns_lookup_kdc = true
      ticket_lifetime = 24h
      renew_lifetime = 7d
      forwardable = true

      [realms]
      TUX-KOL.SRV = {
      kdc = tux-kol.srv
      admin_server = tux-kol.srv
      }

      [domain_realm]
      .tux-kol.srv = TUX-KOL.SRV
      tux-kol.srv = TUX-KOL.SRV

      [kdc]
      check-ticket-addresses = false

The "check-ticket-addresses" entry is a Heimdal KDC option; the MIT Kerberos libraries behind the kinit and klist used below do not read a [kdc] section, so it is harmless for the client-side tests but does nothing for them either.
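A quick audit of the BIND options block above, added here as an example that is not part of the original post: it embeds a constructed copy of the weak settings beside a hardened version and flags the open-resolver and port 953 problems. The 172.16.20.0/24 client subnet and the "rndc-key" name in the hardened block are assumptions.

```sh
#!/bin/sh
# Added example, not part of the original post: audit the BIND options block
# above for two problems, "listen-on port 953" (953 is the rndc control
# channel, not a DNS listener) and "allow-query { any; }" with no recursion
# limit (an open recursive resolver), and show a hardened block beside the
# weak one. The 172.16.20.0/24 client subnet and the "rndc-key" name in the
# hardened block are assumptions; /etc/rndc.key must define that key.

# Weak options block: a constructed copy of the settings from the post.
WEAK_CONF='
options {
    listen-on port 53 { any; };
    listen-on port 953 { any; };
    // listen-on port 53 { 127.0.0.1; };
    allow-query { any; };
    tkey-gssapi-credential "DNS/tux-kol.srv";
    tkey-domain "TUX-KOL.SRV";
};
include "/usr/local/samba/private/named.conf";
'

# Hardened equivalent: anyone may query the AD zone (domain members need
# that), only local networks may recurse, rndc lives in a controls block, and
# the GSS-TSIG keytab is named explicitly (BIND 9.7 and later).
HARDENED_CONF='
include "/etc/rndc.key";
options {
    listen-on port 53 { any; };
    allow-query { any; };
    allow-recursion { 127.0.0.1; 172.16.20.0/24; };
    tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
    tkey-domain "TUX-KOL.SRV";
};
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};
include "/usr/local/samba/private/named.conf";
'

# strip_comments CONF: drop // and # comments so that commented-out settings
# (the post keeps several) are not reported as findings.
strip_comments() {
    printf '%s\n' "$1" | sed -e 's#//.*$##' -e 's/#.*$//'
}

# audit_named_conf CONF: print one line per finding; return 1 if any finding.
audit_named_conf() {
    conf=$(strip_comments "$1")
    rc=0
    if printf '%s\n' "$conf" | grep -Eq 'listen-on[^;]*port[[:space:]]+953'; then
        echo "FINDING: listen-on port 953 is not a DNS listener; configure rndc in a controls block"
        rc=1
    fi
    if printf '%s\n' "$conf" | grep -Eq 'allow-query[[:space:]]*[{][[:space:]]*any;' &&
       ! printf '%s\n' "$conf" | grep -Eq 'allow-recursion[[:space:]]*[{]'; then
        echo "FINDING: allow-query { any; } without allow-recursion: open recursive resolver"
        rc=1
    fi
    if printf '%s\n' "$conf" | grep -q 'tkey-gssapi-credential' &&
       ! printf '%s\n' "$conf" | grep -q 'tkey-gssapi-keytab'; then
        echo "NOTE: tkey-gssapi-credential is deprecated; use tkey-gssapi-keytab"
    fi
    return $rc
}

# On a live system: audit_named_conf "$(cat /etc/named.conf)"
echo "== weak options block =="
audit_named_conf "$WEAK_CONF" || echo "-> problems found"
echo "== hardened options block =="
audit_named_conf "$HARDENED_CONF" && echo "-> ok"
```

The audit is deliberately grep-based so it can run on a host without named-checkconf; it is a pre-commit sanity check, not a replacement for testing the zone with the host queries in the next step.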

31. Restart BIND (and set the named service to start at boot, if not done already), then test that DNS is working correctly (output pasted below):
     # service named restart
     # chkconfig named on

      First, check that /etc/resolv.conf points at your local DNS server; if not, comment out the
      existing nameserver entries and add "nameserver 127.0.0.1". Then run the following tests:
A.
     # host -t SRV _ldap._tcp.tux-kol.srv
     _ldap._tcp.tux-kol.srv has SRV record 0 100 389 localhost.tux-kol.srv.

B.
    # host -t SRV _kerberos._udp.tux-kol.srv.
    _kerberos._udp.tux-kol.srv has SRV record 0 100 88 localhost.tux-kol.srv.

C.
    # host -t A tux-kol.srv.
    tux-kol.srv has address 172.16.20.116

Note that the SRV targets in A and B are "localhost.tux-kol.srv.": provision built them from the machine's hostname, which was still "localhost". Domain members locate the DC through these records and would try to reach themselves instead of the DC, so set a real FQDN hostname (with a matching A record) before provisioning; the simplest fix afterwards is to re-provision.


32. Test Kerberos with the following:

A.

     # kinit administrator@TUX-KOL.SRV

       Password for administrator@TUX-KOL.SRV:
       Warning: Your password will expire in 41 days on Tue Aug 30 13:12:54 2011
B.
      # klist -e

      Ticket cache: FILE:/tmp/krb5cc_0
      Default principal: administrator@TUX-KOL.SRV
      Valid starting Expires Service principal
       07/19/11 13:49:27 07/19/11 23:49:27 krbtgt/TUX-KOL.SRV@TUX-KOL.SRV
          renew until 07/26/11 13:49:15, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5

      The ticket was issued with RC4-HMAC ("ArcFour with HMAC/md5") for both the session key and the ticket. RC4 is the legacy Windows etype and is deprecated; on a current Samba or Windows DC expect aes256-cts-hmac-sha1-96 here, and treat RC4-only tickets as something to fix before production use.
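To make the two checks above repeatable, here is an added example (not from the original post) that parses the output of "host -t SRV" and "klist -e" and fails on the two things visible in the pasted output: SRV records whose target is localhost, and RC4 ticket encryption types. The sample outputs are constructed to mirror the post; dc1.tux-kol.srv and the AES sample are assumptions.

```sh
#!/bin/sh
# Added example, not part of the original post: sanity-check the output of the
# DNS and Kerberos tests above. Two things in the pasted output deserve a
# second look: the SRV records point at localhost.tux-kol.srv, and the ticket
# etype is RC4-HMAC ("ArcFour with HMAC/md5"). The sample outputs below are
# constructed to mirror the post (dc1.tux-kol.srv and the AES sample are
# assumptions); on a real DC feed the functions the live commands instead:
#   check_srv_targets "$(host -t SRV _ldap._tcp.tux-kol.srv)"
#   check_ticket_etypes "$(klist -e)"

# check_srv_targets OUTPUT: return 1 if any SRV target is localhost (a domain
# member following that record would try to reach itself, not the DC).
check_srv_targets() {
    printf '%s\n' "$1" | awk '
        /has SRV record/ {
            target = $NF
            sub(/\.$/, "", target)
            if (target ~ /^localhost(\.|$)/) {
                print "FINDING: " $1 " -> " target " (DC hostname was localhost at provision time)"
                bad = 1
            } else {
                print "ok: " $1 " -> " target
            }
        }
        END { exit bad ? 1 : 0 }'
}

# check_ticket_etypes OUTPUT: return 1 if any session-key or ticket etype in
# "klist -e" output is RC4 or (single/triple) DES.
check_ticket_etypes() {
    printf '%s\n' "$1" | awk '
        /Etype \(skey, tkt\):/ {
            sub(/.*Etype \(skey, tkt\): */, "")
            n = split($0, e, /, */)
            for (i = 1; i <= n; i++) {
                if (e[i] ~ /ArcFour|arcfour|rc4|des|DES/) {
                    print "FINDING: weak etype " e[i]
                    bad = 1
                } else {
                    print "ok: etype " e[i]
                }
            }
        }
        END { exit bad ? 1 : 0 }'
}

# Constructed samples, shaped like the output pasted above.
SRV_LOCALHOST='_ldap._tcp.tux-kol.srv has SRV record 0 100 389 localhost.tux-kol.srv.
_kerberos._udp.tux-kol.srv has SRV record 0 100 88 localhost.tux-kol.srv.'
SRV_OK='_ldap._tcp.tux-kol.srv has SRV record 0 100 389 dc1.tux-kol.srv.'
KLIST_RC4='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@TUX-KOL.SRV
Valid starting     Expires            Service principal
07/19/11 13:49:27  07/19/11 23:49:27  krbtgt/TUX-KOL.SRV@TUX-KOL.SRV
        renew until 07/26/11 13:49:15, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5'
KLIST_AES='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@TUX-KOL.SRV
Valid starting     Expires            Service principal
07/19/11 13:49:27  07/19/11 23:49:27  krbtgt/TUX-KOL.SRV@TUX-KOL.SRV
        renew until 07/26/11 13:49:15, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96'

check_srv_targets "$SRV_LOCALHOST" || echo "-> set a real FQDN hostname and re-provision"
check_srv_targets "$SRV_OK"
check_ticket_etypes "$KLIST_RC4" || echo "-> enable AES etypes before going to production"
check_ticket_etypes "$KLIST_AES"
```

Both functions only need awk, so they can be dropped into the same shell session used for the tests above; a non-zero exit from either is the signal to stop and fix the DC before joining clients.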

33. Change the required ownerships and permissions so that named can read the GSS-TSIG keytab and write to the dynamic zone directory (the keytab holds the DNS service key, so keep it readable by root and the named group only, never world-readable):

      chown named.named /usr/local/samba/private/dns.keytab
      chgrp named /usr/local/samba/private/dns
      chgrp named /usr/local/samba/private/dns.keytab
      chmod g+r /usr/local/samba/private/dns.keytab
      chmod 775 /usr/local/samba/private/dns

34. Check DNS dynamic update process:
     # /usr/local/samba/sbin/samba_dnsupdate --verbose

35. Install the NTP package and start its service (Kerberos rejects requests whose timestamp is off by more than 5 minutes by default, so the DC and every client must keep time in sync; enable ntpd at boot as well, as done for named):

     # yum install ntp ntpdate
     # service ntpd start

36. Test filesystem support for extended attributes (Samba stores NT ACLs and DOS attributes in xattrs; if setfattr fails, remount the filesystem with the user_xattr and acl options):
      # cd /tmp

A. Create a test file:
     # touch test.txt

B. Set the attributes (writing to the security.* namespace normally needs root):
     # setfattr -n user.test -v test test.txt
     # setfattr -n security.test -v test2 test.txt

C. Test if the attributes were set with getfattr (output pasted below):

     # getfattr -d test.txt
     # file: test.txt
     user.test="test"

     # getfattr -n security.test -d test.txt
     # file: test.txt
     security.test="test2"

37. Once the above steps have run successfully, test the DC from a client (Windows XP, Windows 7, Windows 2003, etc.).

Create a test domain user (the first form is the older samba-tool syntax, the second the current one; samba-tool lives in /usr/local/samba/bin, and giving the password as an argument records it in the shell history, so prefer leaving it off and typing it at the prompt):
/usr/local/samba/bin/samba-tool newuser testguest just4now

/usr/local/samba/bin/samba-tool user add testguest just4now
Authentication was then tested from Windows XP, Windows 7 and Windows 2003 clients with the "Administrator" and "testguest" credentials, and it succeeded.