Building an Active Directory domain controller with Samba 4.2.1 compiled from source on a minimal CentOS 7.1 install

Test platform

Second-generation i3, 8 GB RAM, 64-bit Windows 7 host running VirtualBox 4.3.26; a CentOS 7.1 VM was created and the minimal ISO mounted to install the system.

I also downloaded the 7 GB CentOS "everything" DVD so that dependencies can be installed from it instead of over the network with yum.


I. Minimal install of CentOS 7.1 (steps omitted).

II. Log in to CentOS 7.1 and install the dependencies. I prefer installing packages from the downloaded CentOS DVD; it is faster than the network.


1. To SSH into the VM from Windows 7 with PuTTY or similar, configure a static IP and enable SSH. I connect with SecureCRT; the VM has one NIC bridged to the host adapter with a dynamic IP and one host-only NIC on the 192.168.6.* range.

Last login: Thu Apr 16 04:20:06 2015 from 192.168.6.1

2. Mount the "everything" DVD
[root@localhost ~]# mount /dev/cdrom /mnt
mount: /dev/sr0 is write-protected, mounting read-only

3. Go to /etc/yum.repos.d/ and rename the repo files in bulk as backups

[root@localhost ~]# cd /etc/yum.repos.d/
[root@localhost yum.repos.d]# find . -type f |xargs -i mv {} {}.bkp
[root@localhost yum.repos.d]# ls
CentOS-Base.repo.bkp  CentOS-Debuginfo.repo.bkp  CentOS-Sources.repo.bkp
CentOS-CR.repo.bkp    CentOS-fasttrack.repo.bkp  CentOS-Vault.repo.bkp

4. Create a new DVD install source with an editor.
[root@localhost yum.repos.d]# vi CentOS-Media.repo
[c7-media]
name=CentOS-$releasever- Media
baseurl=file:///mnt
gpgcheck=0
enabled=1

Save and quit with :wq.

5. Install "development tools" from the DVD
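The same backup-and-replace as steps 3 and 4, as an added example that is not from the post, written as a function so it can be tried against a scratch directory before touching /etc/yum.repos.d. It differs from the post's file in one setting: gpgcheck stays on, pointing at the signing key shipped at the root of the CentOS 7 DVD (path assumed here), which is the key the NOKEY warnings from rpm -ivh in step 6 refer to.

```shell
#!/bin/sh
# Added example (not from the post): back up existing repo files and write a DVD
# media repo. Arguments are the repo directory and the DVD mount point, so the
# function can be exercised on a temporary directory.

# make_media_repo REPO_DIR MOUNT_POINT
make_media_repo() {
    repodir="$1"; mnt="$2"
    # Move every existing repo definition aside so only the DVD is used.
    for f in "$repodir"/*.repo; do
        if [ -f "$f" ]; then
            mv "$f" "$f.bkp"
        fi
    done
    # \$releasever is left for yum to expand; $mnt is expanded now.
    # gpgkey path: assumed location of the CentOS 7 signing key on the DVD.
    cat > "$repodir/CentOS-Media.repo" <<EOF
[c7-media]
name=CentOS-\$releasever - Media
baseurl=file://$mnt
gpgcheck=1
gpgkey=file://$mnt/RPM-GPG-KEY-CentOS-7
enabled=1
EOF
}

# On the real system, after `mount /dev/cdrom /mnt`:
#   make_media_repo /etc/yum.repos.d /mnt && yum clean all && yum repolist
```

With gpgcheck=1 the first yum install from the DVD asks once to import the key, after which the NOKEY warnings seen later in step 6 no longer appear.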

[root@localhost yum.repos.d]# yum groupinstall "development tools"

Installation output omitted


6. Install some dependencies

[root@localhost samba-4.2.1]# yum -y install libacl-devel libblkid-devel gnutls-devel readline-devel python-devel autoconf gdb bind rsyslog-gssapi cyrus-sasl-gssapi


A few more RPMs I installed with the rpm command only after later compile errors; they can also be added to the yum command above.

[root@localhost samba-4.2.1]# rpm -ivh /mnt/Packages/python-devel-2.7.5-16.el7.x86_64.rpm
warning: /mnt/Packages/python-devel-2.7.5-16.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID f4a80eb5: NOKEY
Preparing...                          ################################# [100%]
        package python-devel-2.7.5-16.el7.x86_64 is already installed
[root@localhost samba-4.2.1]# rpm -ivh /mnt/Packages/cyrus-sasl-2.1.26-17.el7.x86_64.rpm
warning: /mnt/Packages/cyrus-sasl-2.1.26-17.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID f4a80eb5: NOKEY
Preparing...                          ################################# [100%]
Updating / installing...
   1:cyrus-sasl-2.1.26-17.el7         ################################# [100%]
[root@localhost samba-4.2.1]# rpm -ivh /mnt/Packages/cyrus-sasl-devel-2.1.26-17.el7.x86_64.rpm
warning: /mnt/Packages/cyrus-sasl-devel-2.1.26-17.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID f4a80eb5: NOKEY
Preparing...                          ################################# [100%]
Updating / installing...
   1:cyrus-sasl-devel-2.1.26-17.el7   ################################# [100%]
[root@localhost samba-4.2.1]# rpm -ivh /mnt/Packages/openldap-devel-2.4.39-6.el7.x86_64.rpm          
warning: /mnt/Packages/openldap-devel-2.4.39-6.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID f4a80eb5: NOKEY
Preparing...                          ################################# [100%]
Updating / installing...
   1:openldap-devel-2.4.39-6.el7      ################################# [100%]


III. Download and compile Samba

7. Download the Samba 4.2.1 source tarball and upload it to /tmp with SecureFX; wget was far too slow.

8. Now go to /tmp, extract the tarball and prepare to compile samba 4.2.1

[root@localhost ~]# cd /tmp
[root@localhost tmp]# ls
ks-script-BL7c5a  samba-latest.tar.gz  yum.log
[root@localhost tmp]# tar -xvf samba-latest.tar.gz
[root@localhost tmp]# ls
ks-script-BL7c5a  samba-4.2.1  samba-latest.tar.gz  yum.log
[root@localhost tmp]# cd samba-4.2.1/

Before configuring, run autogen-waf.sh from the buildtools/scripts/ directory

[root@localhost samba-4.2.1]# cd buildtools/scripts/
[root@localhost scripts]# ./autogen-waf.sh 

Setting up for waf build
Looking for the buildtools directory
Found buildtools in ./../../buildtools
Setting up configure
Setting up Makefile
done. Now run ./configure or ./configure.developer then make.


Go back to the extracted directory and run configure

[root@localhost scripts]# cd /tmp/samba-4.2.1/
[root@localhost samba-4.2.1]# ./configure

Configure output omitted......
'configure' finished successfully (1m8.178s)


Configure finishes here.

9. Run make and install

[root@localhost samba-4.2.1]# make && make install

Installation output omitted......
Waf: Leaving directory `/tmp/samba-4.2.1/bin'
'install' finished successfully (3m22.415s)

At this point Samba 4.2.1 has been compiled from source and installed.


10. Change the hostname to DC1 and write the full FQDN; the benefit is that provisioning the DC later will not prompt for the domain name.

[root@localhost samba-4.2.1]# vi /etc/hostname
DC1.contoso.com


IV. Promote to domain controller

11. Shut the VM down and take a snapshot, then boot, log in, and start promoting this Linux host to a domain controller.


[root@DC1 ~]# cd /usr/local/samba/bin
[root@DC1 bin]# ./samba-tool domain provision
Realm [CONTOSO.COM]:
Domain [CONTOSO]:
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: BIND9_FLATFILE  # BIND9 DNS is chosen here; Samba's built-in DNS can be used instead.
Administrator password: (enter the domain administrator password; it must be complex, upper and lower case letters plus digits, e.g. Ab123456&)
Retype password: (enter Ab123456& again)
Looking up IPv4 addresses
More than one IPv4 address found. Using 192.168.6.3
Looking up IPv6 address
No IPv6 address will be assigned
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=contoso,DC=com
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=contoso,DC=com
rndc: neither /etc/rndc.conf nor /etc/rndc.key was found
rndc: neither /etc/rndc.conf nor /etc/rndc.key was found
See /usr/local/samba/private/named.conf for an example configuration include file for BIND
and /usr/local/samba/private/named.txt for further documentation required for secure DNS updates
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role:           active directory domain controller
Hostname:              DC1
NetBIOS Domain:        CONTOSO
DNS Domain:            contoso.com
DOMAIN SID:            S-1-5-21-3366851103-1622988557-2824442447
[root@DC1 bin]#


You must see the DOMAIN SID line before the provisioning counts as successful.


Start samba
[root@DC1 bin]# /usr/local/samba/sbin/samba

Check the version

[root@DC1 bin]# /usr/local/samba/bin/smbclient --version

Version 4.2.1


Test

[root@DC1 bin]# /usr/local/samba/bin/smbclient -L localhost -U%
Domain=[CONTOSO] OS=[Unix] Server=[Samba 4.2.1]

	Sharename       Type      Comment
	---------       ----      -------
	netlogon        Disk
	sysvol          Disk
	IPC$            IPC       IPC Service (Samba 4.2.1)
Domain=[CONTOSO] OS=[Unix] Server=[Samba 4.2.1]

	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------



[root@DC1 bin]# /usr/local/samba/bin/smbclient //localhost/netlogon -Uadministrator
Enter administrator's password:
Domain=[CONTOSO] OS=[Unix] Server=[Samba 4.2.1]
smb: \> q
[root@DC1 bin]#


Check BIND

[root@DC1 bin]# rpm -qa|grep bind
bind-libs-lite-9.9.4-18.el7.x86_64
bind-license-9.9.4-18.el7.noarch
bind-libs-9.9.4-18.el7.x86_64
bind-9.9.4-18.el7.x86_64


/etc/named.conf shows that the BIND 9 working directory is /var/named; go into it:

[root@DC1 etc]# cd /var/named

Copy named.localhost to contoso.com.zone and edit it to serve as the forward lookup zone file for contoso.com.

[root@DC1 named]# cp named.localhost contoso.com.zone

[root@DC1 named]# vim contoso.com.zone

$TTL 1D
@       IN SOA  @ contoso.com. (
                    0       ; serial
                    1D      ; refresh
                    1H      ; retry
                    1W      ; expire
                    3H )    ; minimum
        IN NS   DC1.contoso.com.
@       IN A    192.168.6.3
DC1     IN A    192.168.6.3



The above is the edited file; on a dual-NIC VM the IP may be the other address and must be adjusted.
Then copy the tail of the DNS file that Samba generated. But do not copy the gc._msdcs line: in my test it caused an error, and after deleting it BIND would start.

[root@DC1 ~]# cd /usr/local/samba/private/dns
[root@DC1 dns]# ls
contoso.com.zone
[root@DC1 dns]# vim contoso.com.zone


Copy the following part

79aef472-c658-49c0-a2b4-3988bc00338a._msdcs     IN CNAME        DC1
;
; global catalog servers
_gc._tcp                IN SRV 0 100 3268       DC1
_gc._tcp.Default-First-Site-Name._sites IN SRV 0 100 3268       DC1
_ldap._tcp.gc._msdcs    IN SRV 0 100 3268       DC1
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs     IN SRV 0 100 3268 DC1
;
; ldap servers
_ldap._tcp              IN SRV 0 100 389        DC1
_ldap._tcp.dc._msdcs    IN SRV 0 100 389        DC1
_ldap._tcp.pdc._msdcs   IN SRV 0 100 389        DC1
_ldap._tcp.8b2afba7-4d3a-4b88-8b45-381cf145c623.domains._msdcs          IN SRV 0 100 389 DC1
_ldap._tcp.Default-First-Site-Name._sites               IN SRV 0 100 389 DC1
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs     IN SRV 0 100 389 DC1
;
; krb5 servers
_kerberos._tcp          IN SRV 0 100 88         DC1
_kerberos._tcp.dc._msdcs        IN SRV 0 100 88 DC1
_kerberos._tcp.Default-First-Site-Name._sites   IN SRV 0 100 88 DC1
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs IN SRV 0 100 88 DC1
_kerberos._udp          IN SRV 0 100 88         DC1
; MIT kpasswd likes to lookup this name on password change
_kerberos-master._tcp           IN SRV 0 100 88         DC1
_kerberos-master._udp           IN SRV 0 100 88         DC1
;
; kpasswd
_kpasswd._tcp           IN SRV 0 100 464        DC1
_kpasswd._udp           IN SRV 0 100 464        DC1
;
; heimdal 'find realm for host' hack
_kerberos               IN TXT  CONTOSO.COM



Then paste it after the edited content in /var/named/contoso.com.zone. In practice, clone the session in SecureCRT, go to the directory, open the file, drag-select the part to copy, switch back to the original session and right-click to paste, then press ESC and :wq to save and quit.
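The copy-and-paste step above can be checked rather than eyeballed. The following is an added example, not from the post: it appends the Samba-generated records to the hand-written zone while skipping any record whose owner name matches a pattern (the post leaves out the gc._msdcs entry), and then confirms that the SRV records a Windows client looks up during a domain join and Kerberos logon are present with the expected port and target. The two zone texts are constructed, shortened copies of the records shown above; the function names and the pattern argument are this example's own.

```shell
#!/bin/sh
# Added example (not from the post): merge Samba's records into the hand-written
# forward zone and verify the SRV records an AD client relies on.
# Zone text below is a constructed, shortened copy of the records in the post.

BASE_ZONE='$TTL 1D
@       IN SOA  @ contoso.com. (
                    0       ; serial
                    1D      ; refresh
                    1H      ; retry
                    1W      ; expire
                    3H )    ; minimum
        IN NS   DC1.contoso.com.
@       IN A    192.168.6.3
DC1     IN A    192.168.6.3'

SAMBA_TAIL='; global catalog servers
_gc._tcp                IN SRV 0 100 3268       DC1
_ldap._tcp.gc._msdcs    IN SRV 0 100 3268       DC1
; ldap servers
_ldap._tcp              IN SRV 0 100 389        DC1
_ldap._tcp.dc._msdcs    IN SRV 0 100 389        DC1
_ldap._tcp.pdc._msdcs   IN SRV 0 100 389        DC1
; krb5 servers
_kerberos._tcp          IN SRV 0 100 88         DC1
_kerberos._udp          IN SRV 0 100 88         DC1
; kpasswd
_kpasswd._tcp           IN SRV 0 100 464        DC1
_kpasswd._udp           IN SRV 0 100 464        DC1
_kerberos               IN TXT  CONTOSO.COM'

# merge_zone BASE TAIL [OWNER_REGEX]
# Prints BASE followed by TAIL, dropping any record whose owner name (first
# field) matches OWNER_REGEX. Comment lines are kept; an empty pattern drops nothing.
merge_zone() {
    printf '%s\n' "$1"
    printf '%s\n' "$2" | awk -v pat="$3" '/^;/ || pat == "" || $1 !~ pat'
}

# check_ad_srv ZONEFILE DCNAME
# Looks for each SRV record a domain join / Kerberos logon depends on, with the
# expected port and target host. Returns the number of records not found (0 = all present).
check_ad_srv() {
    zone="$1"; dc="$2"; missing=0
    for spec in _ldap._tcp:389 _ldap._tcp.dc._msdcs:389 _ldap._tcp.pdc._msdcs:389 \
                _kerberos._tcp:88 _kerberos._udp:88 _kpasswd._tcp:464 \
                _kpasswd._udp:464 _gc._tcp:3268; do
        name=${spec%:*}; port=${spec#*:}
        # Fields of an SRV line: owner IN SRV priority weight port target
        if ! awk -v n="$name" -v p="$port" -v h="$dc" \
              '$1 == n && $3 == "SRV" && $6 == p && $7 == h { found = 1 }
               END { exit !found }' "$zone"; then
            echo "missing: $name IN SRV ... $port $dc" >&2
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}
```

On the DC the same functions take the contents of the two real files and a pattern for the record to leave out, writing the result to a scratch file; running named-checkzone contoso.com on that file (the tool ships with the bind package installed earlier) before copying it into /var/named catches syntax problems before named is restarted.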


Open /etc/named.rfc1912.zones and append the following block to add the forward lookup zone

[root@DC1 etc]# vim /etc/named.rfc1912.zones
zone "contoso.com" IN {
      type master;
      file "contoso.com.zone";
      allow-update { none; };
};



Start the BIND service; if it reports an error, check the /etc/named.rfc1912.zones and contoso.com.zone configuration
[root@DC1 dns]# systemctl start named.service
[root@DC1 dns]# systemctl status named.service



Test resolution. This needs the host command, which is not installed by default.

[root@DC1 named]# host -t SRV _ldap._tcp.contoso.com.
-bash: host: 未找到命令


Remount the DVD and install it.

[root@DC1 named]# mount /dev/cdrom /mnt
mount: /dev/sr0 寫保護,將以只讀方式掛載
[root@DC1 named]# yum -y install bind-utils


Then test
[root@DC1 ~]# host -t SRV _ldap._tcp.contoso.com
_ldap._tcp.contoso.com has SRV record 0 100 389 DC1.contoso.com.
[root@DC1 ~]# host -t SRV _kerberos._udp.contoso.com
_kerberos._udp.contoso.com has SRV record 0 100 88 DC1.contoso.com.
[root@DC1 ~]# host -t A dc1.contoso.com.
dc1.contoso.com has address 192.168.6.3


That completes all of the server-side configuration.

Then start the Windows 7 VM and give it an IP on the same subnet, such as 192.168.6.5, with DNS set to 192.168.6.3. First ping the domain name; if it does not respond, try clearing the iptables firewall rules:

[root@DC1 ~]# iptables -F

Once ping works, join Windows 7 to the contoso domain, reboot, and log in as contoso\administrator. On Windows 7 you can download the Remote Server Administration Tools; after installing them, add the features, and the domain controller management tools appear under Control Panel -> Administrative Tools for remote management.


