Last updated: 2020/02/21 07:34
SER602 - Advanced Management of the Samba4 SMB/CIFS Server
Samba as a domain member server
Important: To carry out the exercises you will need access to a Windows™ 2008 domain controller. If you are attending the course in a classroom, your instructor will give you a Windows™ 2008 Standard virtual machine.
Our goal here is to make a Samba server a member server of an AD domain hosted on a Windows™ 2008 Standard server. The procedure has also been tested with a Windows™ 2008 R2 Enterprise server.
Start by creating a NAT network in VirtualBox:
File > Preferences > Network > + > NatNetwork > OK
Important: Delete your CentOS_7 virtual machine and import a fresh one. Put the virtual machine in the NatNetwork network.
Disable SELinux so that it does not produce errors:
[root@centos7 /]# setenforce permissive
[root@centos7 /]# getenforce
Permissive
Then edit the /etc/sysconfig/selinux file as follows:
[root@centos7 /]# vi /etc/sysconfig/selinux
[root@centos7 /]# cat /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
To avoid firewall-related problems, stop the firewalld service:
[root@centos7 ~]# systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Sun 2017-07-30 14:03:15 CEST; 1min 38s ago
     Docs: man:firewalld(1)
 Main PID: 576 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─576 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Jul 30 14:03:08 centos7.fenestros.loc systemd[1]: Starting firewalld - dynamic firewall daemon...
Jul 30 14:03:15 centos7.fenestros.loc systemd[1]: Started firewalld - dynamic firewall daemon.
[root@centos7 ~]# systemctl stop firewalld.service
[root@centos7 ~]# systemctl disable firewalld.service
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
Removed symlink /etc/systemd/system/basic.target.wants/firewalld.service.
[root@centos7 ~]# systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:firewalld(1)

Jul 30 14:03:08 centos7.fenestros.loc systemd[1]: Starting firewalld - dynamic firewall daemon...
Jul 30 14:03:15 centos7.fenestros.loc systemd[1]: Started firewalld - dynamic firewall daemon.
Jul 30 14:05:09 centos7.fenestros.loc systemd[1]: Stopping firewalld - dynamic firewall daemon...
Jul 30 14:05:10 centos7.fenestros.loc systemd[1]: Stopped firewalld - dynamic firewall daemon.
Then modify the /etc/hosts file to define your hostname and IP address:
[root@centos7 ~]# vi /etc/hosts
[root@centos7 ~]# cat /etc/hosts
127.0.0.1   localhost.localdomain localhost
::1         localhost6.localdomain6 localhost6
10.0.2.5    centos7.fenestros.loc
Important: Change the IP address in your /etc/hosts file to match your real IP address.
Now install the samba-swat package:
[root@centos7 ~]# yum install samba-swat
Loaded plugins: fastestmirror, langpacks
Repodata is over 2 weeks old. Install yum-cron? Or run: yum makecache fast
adobe-linux-x86_64                                   | 2.9 kB  00:00:00
base                                                 | 3.6 kB  00:00:00
extras                                               | 3.4 kB  00:00:00
updates                                              | 3.4 kB  00:00:00
(1/3): adobe-linux-x86_64/primary_db                 | 2.7 kB  00:00:00
(2/3): updates/7/x86_64/primary_db                   | 7.8 MB  00:00:03
(3/3): extras/7/x86_64/primary_db                    | 191 kB  00:00:03
Determining fastest mirrors
 * base: centos.crazyfrogs.org
 * extras: mirrors.ircam.fr
 * updates: mirrors.ircam.fr
Resolving Dependencies
--> Running transaction check
---> Package samba.x86_64 0:4.4.4-14.el7_3 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

==========================================================================
 Package      Arch        Version               Repository        Size
==========================================================================
Installing:
 samba        x86_64      4.4.4-14.el7_3        updates          610 k

Transaction Summary
==========================================================================
Install  1 Package

Total download size: 610 k
Installed size: 1.8 M
Is this ok [y/d/N]: y
The packages installed this way are:
[root@centos7 ~]# rpm -qa | grep samba
samba-client-libs-4.4.4-14.el7_3.x86_64
samba-libs-4.4.4-14.el7_3.x86_64
samba-common-tools-4.4.4-14.el7_3.x86_64
samba-common-libs-4.4.4-14.el7_3.x86_64
samba-client-4.4.4-14.el7_3.x86_64
samba-common-4.4.4-14.el7_3.noarch
samba-4.4.4-14.el7_3.x86_64
The smb and nmb daemons are not started:
[root@centos7 ~]# systemctl status smb
● smb.service - Samba SMB Daemon
   Loaded: loaded (/usr/lib/systemd/system/smb.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
[root@centos7 ~]# systemctl status nmb
● nmb.service - Samba NMB Daemon
   Loaded: loaded (/usr/lib/systemd/system/nmb.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
Note that Samba is not configured to start automatically. Enable it at boot:
[root@centos7 ~]# systemctl enable smb
Created symlink from /etc/systemd/system/multi-user.target.wants/smb.service to /usr/lib/systemd/system/smb.service.
[root@centos7 ~]# systemctl enable nmb
Created symlink from /etc/systemd/system/multi-user.target.wants/nmb.service to /usr/lib/systemd/system/nmb.service.
Check that your Samba was compiled with support for LDAP, Kerberos, AD and Winbind:
[root@centos7 ~]# /usr/sbin/smbd -b | grep LDAP
   HAVE_LDAP_H
   HAVE_LDAP
   HAVE_LDAP_ADD_RESULT_ENTRY
   HAVE_LDAP_INIT
   HAVE_LDAP_INITIALIZE
   HAVE_LDAP_INIT_FD
   HAVE_LDAP_OPT_SOCKBUF
   HAVE_LDAP_SASL_WRAPPING
   HAVE_LDAP_SET_REBIND_PROC
   HAVE_LIBLDAP
   LDAP_DEPRECATED
   LDAP_SET_REBIND_PROC_ARGS
[root@centos7 ~]# /usr/sbin/smbd -b | grep KRB
   HAVE_GSSAPI_GSSAPI_KRB5_H
   HAVE_KRB5_H
   HAVE_KRB5_LOCATE_PLUGIN_H
   HAVE_ADDRTYPE_IN_KRB5_ADDRESS
   HAVE_DECL_KRB5_AUTH_CON_SET_REQ_CKSUMTYPE
   HAVE_DECL_KRB5_GET_CREDENTIALS_FOR_USER
   HAVE_GSSKRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT
   HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X
   HAVE_GSS_KRB5_EXPORT_LUCID_SEC_CONTEXT
   HAVE_GSS_KRB5_IMPORT_CRED
   HAVE_GSS_MECH_KRB5
   HAVE_INITIALIZE_KRB5_ERROR_TABLE
   HAVE_KRB5
   HAVE_KRB5_AUTH_CON_SETUSERUSERKEY
   HAVE_KRB5_AUTH_CON_SET_REQ_CKSUMTYPE
   HAVE_KRB5_BUILD_PRINCIPAL_ALLOC_VA
   HAVE_KRB5_CC_RETRIEVE_CRED
   HAVE_KRB5_C_MAKE_CHECKSUM
   HAVE_KRB5_C_STRING_TO_KEY
   HAVE_KRB5_C_VERIFY_CHECKSUM
   HAVE_KRB5_DEPRECATED_WITH_IDENTIFIER
   HAVE_KRB5_ENCRYPT_BLOCK
   HAVE_KRB5_ENCTYPE_TO_STRING
   HAVE_KRB5_ENCTYPE_TO_STRING_WITH_SIZE_T_ARG
   HAVE_KRB5_FREE_CHECKSUM_CONTENTS
   HAVE_KRB5_FREE_DATA_CONTENTS
   HAVE_KRB5_FREE_HOST_REALM
   HAVE_KRB5_FREE_KEYTAB_ENTRY_CONTENTS
   HAVE_KRB5_FREE_UNPARSED_NAME
   HAVE_KRB5_FWD_TGT_CREDS
   HAVE_KRB5_GET_CREDENTIALS_FOR_USER
   HAVE_KRB5_GET_HOST_REALM
   HAVE_KRB5_GET_INIT_CREDS_KEYTAB
   HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC
   HAVE_KRB5_GET_INIT_CREDS_OPT_FREE
   HAVE_KRB5_GET_PERMITTED_ENCTYPES
   HAVE_KRB5_GET_PROFILE
   HAVE_KRB5_GET_PROMPT_TYPES
   HAVE_KRB5_GET_RENEWED_CREDS
   HAVE_KRB5_KEYTAB_ENTRY_KEY
   HAVE_KRB5_KEYUSAGE_APP_DATA_CKSUM
   HAVE_KRB5_KT_FREE_ENTRY
   HAVE_KRB5_MK_REQ_EXTENDED
   HAVE_KRB5_PRINCIPAL2SALT
   HAVE_KRB5_PRINCIPAL_COMPARE_ANY_REALM
   HAVE_KRB5_PRINC_COMPONENT
   HAVE_KRB5_PRINC_REALM
   HAVE_KRB5_SET_DEFAULT_TGS_ENCTYPES
   HAVE_KRB5_SET_DEFAULT_TGS_KTYPES
   HAVE_MAGIC_IN_KRB5_ADDRESS
   HAVE_TICKET_POINTER_IN_KRB5_AP_REQ
   KRB5_CREDS_OPT_FREE_REQUIRES_CONTEXT
   USING_SYSTEM_KRB5
[root@centos7 ~]# /usr/sbin/smbd -b | grep ADS
   WITH_ADS
[root@centos7 ~]# /usr/sbin/smbd -b | grep WINBIND
   WITH_WINBIND
Windows Server 2008
The Windows™ Server 2008 virtual machine has been configured as follows:
- FQDN: server.fenestros.loc
- DOMAIN: fenestros.loc
- IP: 10.0.2.200/24
- PASSWORD: Fenestr0$
- ROLES ALREADY ADDED: Identity Management for UNIX (Server Manager > expand Roles > right-click Active Directory Domain Services > Add Role Services > Identity Management for UNIX > Install)
Important: Import the Windows™ 2008 Server virtual machine. Put the server virtual machine in the NatNetwork network and start it.
LAB #1 - Samba as a domain member server
Obtaining a Kerberos ticket for the Linux server
In the CentOS 7 virtual machine, edit the /etc/krb5.conf file:
[root@centos7 ~]# vi /etc/krb5.conf
[root@centos7 ~]# cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = FENESTROS.LOC
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = yes

[realms]
 FENESTROS.LOC = {
  kdc = server.fenestros.loc:88
  admin_server = server.fenestros.loc:749
  default_domain = fenestros.loc
 }

[domain_realm]
 .fenestros.loc = FENESTROS.LOC
 fenestros.loc = FENESTROS.LOC

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
Important - The kdc and admin_server directives in the [realms] section must be changed to match the FQDN of your Windows™ 2008 server. For more information on the /etc/krb5.conf file, see the krb5.conf manual page.
Then edit the /etc/hosts file to map the Windows™ server's IP address to its FQDN:
[root@centos7 ~]# vi /etc/hosts
[root@centos7 ~]# cat /etc/hosts
127.0.0.1   localhost.localdomain localhost
::1         localhost6.localdomain6 localhost6
10.0.2.5    centos7.fenestros.loc
10.0.2.200  server.fenestros.loc
Important: The last line of this file must be changed to match the FQDN and IP address of your Windows™ 2008 server.
Then test the connection to the domain by obtaining a Kerberos ticket:
[root@centos7 ~]# kinit Administrateur
Password for Administrateur@FENESTROS.LOC: Fenestr0$
Important - The kinit command obtains a Kerberos ticket and stores it in the credential cache. For more information on the kinit command, see the manual page: man kinit.
Then display the ticket:
[root@centos7 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrateur@FENESTROS.LOC

Valid starting     Expires            Service principal
30/07/17 14:58:54  31/07/17 00:58:54  krbtgt/FENESTROS.LOC@FENESTROS.LOC
	renew until 06/08/17 14:58:50
Important - The klist command lists the Kerberos tickets held in the credential cache. For more information on the klist command, see the manual page: man klist.
Configuring Samba
Then edit the /etc/samba/smb.conf file:
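The two files edited above (krb5.conf and /etc/hosts) have to agree with each other before kinit can succeed, and the "Important" notes list the usual mistakes. The script below is an added example written for this page, not part of the course material: it reads a krb5.conf and a hosts file passed as arguments and checks that the realm is in upper case, that the kdc entry is an FQDN rather than an IP address, and that, because dns_lookup_kdc is false, this FQDN has a static entry in the hosts file. The sample files it builds in a temporary directory are constructed copies of the course's values; the function names are the example's own.

```shell
#!/bin/bash
# Added example for this page (not part of the course): pre-flight checks for
# the krb5.conf and hosts files edited above, run against copies passed as
# arguments. The sample files built below are constructed from the course's
# values (realm FENESTROS.LOC, KDC server.fenestros.loc at 10.0.2.200).

# krb5_get FILE SECTION KEY: print the value of "KEY = value" inside [SECTION].
krb5_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^[[:space:]]*\[/ { insec = ($1 == sec); next }
        insec && $1 == key && $2 == "=" { print $3; exit }
    ' "$1"
}

# kdc_host ENTRY: strip the :port suffix (server.fenestros.loc:88 -> host).
kdc_host() { printf '%s\n' "${1%%:*}"; }

# host_in_hosts HOST FILE: succeed when HOST is a name on an active hosts line.
host_in_hosts() {
    awk -v h="$1" '
        /^[[:space:]]*#/ || NF < 2 { next }
        { for (i = 2; i <= NF; i++) if ($i == h) { found = 1; exit } }
        END { exit found ? 0 : 1 }
    ' "$2"
}

# krb5_preflight KRB5CONF HOSTSFILE: one line per check; returns the number
# of failed checks, so 0 means kinit has what it needs from these two files.
krb5_preflight() {
    local conf="$1" hosts="$2" fails=0 realm kdc host lookup
    realm=$(krb5_get "$conf" libdefaults default_realm)
    kdc=$(krb5_get "$conf" realms kdc)
    host=$(kdc_host "$kdc")
    lookup=$(krb5_get "$conf" libdefaults dns_lookup_kdc)

    # 1. Realm names are case-sensitive and AD realms are upper case; kinit
    #    builds user@REALM from this value.
    if [ -n "$realm" ] && [ "$realm" = "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]; then
        echo "ok   default_realm = $realm"
    else
        echo "FAIL default_realm missing or not upper case: '$realm'"; fails=$((fails + 1))
    fi

    # 2. The course requires the KDC to be named by FQDN, not by IP address.
    case "$host" in
        *[a-zA-Z]*) echo "ok   kdc = $kdc" ;;
        *) echo "FAIL kdc must be the DC's FQDN, got '$kdc'"; fails=$((fails + 1)) ;;
    esac

    # 3. With dns_lookup_kdc = false that FQDN can only come from the hosts file.
    if [ "$lookup" = "false" ] && ! host_in_hosts "$host" "$hosts"; then
        echo "FAIL $host has no entry in $hosts and dns_lookup_kdc = false"; fails=$((fails + 1))
    else
        echo "ok   $host resolvable (hosts entry, or DNS lookup enabled)"
    fi
    return "$fails"
}

# Constructed sample files mirroring the course's configuration.
TMPD=$(mktemp -d)
cat > "$TMPD/krb5.conf" <<'EOF'
[libdefaults]
 default_realm = FENESTROS.LOC
 dns_lookup_kdc = false
[realms]
 FENESTROS.LOC = {
  kdc = server.fenestros.loc:88
  admin_server = server.fenestros.loc:749
 }
EOF
printf '127.0.0.1 localhost\n10.0.2.5 centos7.fenestros.loc\n10.0.2.200 server.fenestros.loc\n' > "$TMPD/hosts"
# The same hosts file without the DC line: the omission the note above warns about.
printf '127.0.0.1 localhost\n10.0.2.5 centos7.fenestros.loc\n' > "$TMPD/hosts.bad"
# A krb5.conf with a lower-case realm and an IP address instead of the FQDN.
printf '[libdefaults]\n default_realm = fenestros.loc\n dns_lookup_kdc = false\n[realms]\n fenestros.loc = {\n  kdc = 10.0.2.200:88\n }\n' > "$TMPD/krb5.bad"

krb5_preflight "$TMPD/krb5.conf" "$TMPD/hosts"     || echo "-> $? check(s) failed"   # 0 failures
krb5_preflight "$TMPD/krb5.conf" "$TMPD/hosts.bad" || echo "-> $? check(s) failed"   # 1 failure
krb5_preflight "$TMPD/krb5.bad"  "$TMPD/hosts.bad" || echo "-> $? check(s) failed"   # 3 failures
```

Run it as krb5_preflight /etc/krb5.conf /etc/hosts on the CentOS VM once both files are in place; a non-zero return value tells you which of the three conditions kinit will trip over.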
[root@centos7 ~]# vi /etc/samba/smb.conf
[root@centos7 ~]# cat /etc/samba/smb.conf
[global]
   workgroup = FENESTROS
   realm = FENESTROS.LOC
   preferred master = no
   server string = Serveur Samba
   security = ADS
   encrypt passwords = yes
   log level = 3
   log file = /var/log/samba/%m
   max log size = 50
   interfaces = 127.0.0.1 enp0s3
   bind interfaces only = true
   winbind separator = @
   idmap config *:backend = tdb
   idmap config *:range = 40001-75000
   idmap config FENESTROS:backend = idmap_rid:FENESTROS= 40001-75000
   idmap config FENESTROS:schema_mode = rfc2307
   idmap config FENESTROS:range = 500-40000
The most important directives in this file are:
- realm = FENESTROS.LOC - this directive defines the name of the Windows™ domain,
- winbind separator = @ - this directive defines the separator between the domain name and the user name at login (e.g. DOMAIN@user),
- idmap config *:backend = tdb - this directive specifies the idmap plugin used to store the SID/uid/gid mappings; in this case a Trivial Database (tdb),
- idmap config *:range = 40001-75000 - this directive gives the range of Linux UIDs and GIDs that Windows™ domain users will use,
- idmap gid = 10000-25000 - this directive gives the range of Linux GIDs that Windows™ domain users will use.
- idmap config FENESTROS:backend = idmap_rid:FENESTROS=10000-25000 - this directive is required so that Samba can build the map of equivalences between Windows™ SIDs and UNIX UIDs and GIDs.
Then add the following line to your /etc/security/limits.conf file:
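The rid backend named in the last directive does not allocate ids, it computes them: man idmap_rid gives the rule ID = RID - BASE_RID + LOW_RANGE_ID, and refuses any result outside the configured range. The script below is an added example for this page, not part of the course, showing that arithmetic with the course's FENESTROS range 500-40000; the domain SID it uses is a constructed placeholder, not the real SID of the lab domain, and the function names are the example's own.

```shell
#!/bin/bash
# Added example for this page (not part of the course): the arithmetic the
# idmap_rid backend applies, as documented in man idmap_rid:
#     ID = RID - BASE_RID + LOW_RANGE_ID
# with the result required to lie inside LOW_RANGE_ID-HIGH_RANGE_ID.
# DOMAIN_SID is a constructed placeholder, not the course domain's real SID.

DOMAIN_SID="S-1-5-21-1111111111-2222222222-3333333333"   # constructed placeholder

# rid_to_id RID LOW HIGH [BASE_RID]: print the Unix id for RID, or print
# nothing and return 1 when it falls outside LOW-HIGH (winbind then refuses
# to map the account, and it simply does not appear in getent passwd).
rid_to_id() {
    local rid=$1 low=$2 high=$3 base=${4:-0} id
    id=$(( rid - base + low ))
    [ "$id" -ge "$low" ] && [ "$id" -le "$high" ] || return 1
    printf '%s\n' "$id"
}

# id_to_rid ID LOW HIGH [BASE_RID]: the inverse mapping, same range rule.
id_to_rid() {
    local id=$1 low=$2 high=$3 base=${4:-0}
    [ "$id" -ge "$low" ] && [ "$id" -le "$high" ] || return 1
    printf '%s\n' $(( id - low + base ))
}

# sid_to_id SID LOW HIGH: split the RID off a full SID; only SIDs of our own
# domain are mapped here, anything else is left to the default (*) backend.
sid_to_id() {
    local sid=$1 rid=${1##*-}
    [ "${sid%-*}" = "$DOMAIN_SID" ] || return 1
    rid_to_id "$rid" "$2" "$3"
}

# max_rid LOW HIGH [BASE_RID]: the highest RID the range can hold. AD hands out
# RIDs sequentially, so once the domain passes this value new accounts stop
# resolving on the member server: size the range generously.
max_rid() { printf '%s\n' $(( $2 - $1 + ${3:-0} )); }

# Demonstration with the course's FENESTROS range, 500-40000:
echo "Administrator (RID 500) -> uid $(rid_to_id 500 500 40000)"        # 1000
echo "Domain Users  (RID 513) -> gid $(rid_to_id 513 500 40000)"        # 1013
echo "highest RID this range can map: $(max_rid 500 40000)"             # 39500
rid_to_id 39501 500 40000 || echo "RID 39501 is not mappable in 500-40000"
sid_to_id "$DOMAIN_SID-500" 500 40000                                   # 1000
sid_to_id "S-1-5-21-9-9-9-500" 500 40000 || echo "foreign domain SID: not ours to map"
```

Compare this with the getent passwd output further down the page, where administrateur has uid 40003: that is not the value the rule computes for RID 500, so those ids were allocated, not calculated, and allocated ids depend on the order in which accounts were first looked up on that particular server. When uids must be identical on every member server (shared storage, NFS exports), check which backend actually answers with wbinfo --sid-to-uid on the account's SID before relying on the rid arithmetic.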
* - nofile 16384
This change is required for Windows™ 7 clients. The asterisk stands for a default entry. The nofile keyword is the maximum number of open files, here set to 16384, which is the value used by Windows™ servers. Without this change the testparm command prints a line such as:
rlimit_max: rlimit_max (8192) below minimum Windows limit (16384)
or
rlimit_max: rlimit_max (1024) below minimum Windows limit (16384)
In fact, the Samba server raises the value automatically to avoid out of handles errors during certain file copy operations by Windows™ 7 clients. It is nevertheless advisable to make the change anyway.
You will then have:
[root@centos7 ~]# vi /etc/security/limits.conf
[root@centos7 ~]# cat /etc/security/limits.conf
# /etc/security/limits.conf
#
#This file sets the resource limits for the users logged in via PAM.
#It does not affect resource limits of the system services.
#
#Also note that configuration files in /etc/security/limits.d directory,
#which are read in alphabetical order, override the settings in this
#file in case the domain is the same or more specific.
#That means for example that setting a limit for wildcard domain here
#can be overriden with a wildcard setting in a config file in the
#subdirectory, but a user specific setting here can be overriden only
#with a user specific setting in the subdirectory.
#
#Each line describes a limit for a user in the form:
#
#<domain>        <type>  <item>  <value>
#
#Where:
#<domain> can be:
#        - a user name
#        - a group name, with @group syntax
#        - the wildcard *, for default entry
#        - the wildcard %, can be also used with %group syntax,
#                 for maxlogin limit
#
#<type> can have the two values:
#        - "soft" for enforcing the soft limits
#        - "hard" for enforcing hard limits
#
#<item> can be one of the following:
#        - core - limits the core file size (KB)
#        - data - max data size (KB)
#        - fsize - maximum filesize (KB)
#        - memlock - max locked-in-memory address space (KB)
#        - nofile - max number of open file descriptors
#        - rss - max resident set size (KB)
#        - stack - max stack size (KB)
#        - cpu - max CPU time (MIN)
#        - nproc - max number of processes
#        - as - address space limit (KB)
#        - maxlogins - max number of logins for this user
#        - maxsyslogins - max number of logins on the system
#        - priority - the priority to run user process with
#        - locks - max number of file locks the user can hold
#        - sigpending - max number of pending signals
#        - msgqueue - max memory used by POSIX message queues (bytes)
#        - nice - max nice priority allowed to raise to values: [-20, 19]
#        - rtprio - max realtime priority
#
#<domain>      <type>  <item>         <value>
#

#*               soft    core            0
#*               hard    rss             10000
#@student        hard    nproc           20
#@faculty        soft    nproc           20
#@faculty        hard    nproc           50
#ftp             hard    nproc           0
#@student        -       maxlogins       4

*               -       nofile          16384

# End of file
Check your smb.conf file:
[root@centos7 ~]# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER

Press enter to see a dump of your service definitions

# Global parameters
[global]
	bind interfaces only = Yes
	interfaces = 127.0.0.1 enp0s3
	realm = FENESTROS.LOC
	server string = Serveur Samba
	workgroup = FENESTROS
	preferred master = No
	log file = /var/log/samba/%m
	max log size = 50
	security = ADS
	winbind separator = @
	idmap config fenestros:range = 500-40000
	idmap config fenestros:schema_mode = rfc2307
	idmap config fenestros:backend = idmap_rid:FENESTROS= 40001-75000
	idmap config *:range = 40001-75000
	idmap config * : backend = tdb
Start the Samba service:
[root@centos7 ~]# systemctl start smb
Joining the Samba server to the domain
Join the Samba server to the domain:
[root@centos7 ~]# net rpc join -S SERVEUR_FQDN -I SERVEUR_IP -U administrateur%SERVEUR_MDP [Entrée]
For example:
[root@centos7 ~]# net rpc join -S server.fenestros.loc -I 10.0.2.200 -U administrateur
Enter administrateur's password:Fenestr0$
Using short domain name -- FENESTROS
Joined 'CENTOS7' to realm 'fenestros.loc'
Then stop the Samba server:
[root@centos7 ~]# systemctl stop smb
Modifying the /etc/nsswitch.conf file
Make a backup of your /etc/nsswitch.conf file:
[root@centos7 ~]# cp /etc/nsswitch.conf /etc/nsswitch.conf.old
Then edit the /etc/nsswitch.conf file and change only the following lines:
- nsswitch.conf
passwd:     compat winbind
group:      compat winbind
shadow:     compat
hosts:      files dns wins
networks:   files dns
protocols:  db files
services:   db files
ethers:     db files
rpc:        db files
[root@centos7 ~]# vi /etc/nsswitch.conf
[root@centos7 ~]# cat /etc/nsswitch.conf
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
#	nisplus			Use NIS+ (NIS version 3)
#	nis			Use NIS (NIS version 2), also called YP
#	dns			Use DNS (Domain Name Service)
#	files			Use the local files
#	db			Use the local database (.db) files
#	compat			Use NIS on compat mode
#	hesiod			Use Hesiod for user lookups
#	[NOTFOUND=return]	Stop searching if not found so far
#
# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd:    db files nisplus nis
#shadow:    db files nisplus nis
#group:     db files nisplus nis

passwd:     compat winbind
group:      compat winbind
shadow:     compat

#passwd:     files sss
#shadow:     files sss
#group:      files sss
#initgroups: files

#hosts:     db files nisplus nis dns
#hosts:      files dns myhostname
hosts:      files dns wins

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

networks:   files dns
protocols:  db files
services:   db files
ethers:     db files
rpc:        db files
#ethers:     files
netmasks:   files
#networks:   files
#protocols:  files
#rpc:        files
#services:   files sss

netgroup:   files sss

publickey:  nisplus

automount:  files sss
aliases:    files nisplus
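Since nsswitch.conf decides whether the C library ever asks winbind at all, it is worth being able to verify the edit rather than eyeballing the file. The script below is an added example for this page, not part of the course: it checks that the active passwd and group lines list winbind and that the hosts line lists wins, and can add a source to a line idempotently. It works on whatever file is passed to it, so it can be rehearsed on a copy; the sample file it builds is constructed from the CentOS 7 defaults visible in the commented-out lines above, and the function names are the example's own.

```shell
#!/bin/bash
# Added example for this page (not part of the course): check, and if needed
# fix, the nsswitch.conf lines that winbind depends on. It works on the file
# given as an argument, so it can be rehearsed on a copy before touching
# /etc/nsswitch.conf. The sample file below is constructed from the CentOS 7
# defaults shown on this page.

# nss_has FILE DB SOURCE: succeed when the active "DB:" line lists SOURCE.
nss_has() {
    awk -v db="$2:" -v src="$3" '
        /^[[:space:]]*#/ { next }
        $1 == db { for (i = 2; i <= NF; i++) if ($i == src) found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# nss_check FILE: the three lines the course changes for winbind; prints what
# is missing and returns the number of misses (0 = ready).
nss_check() {
    local f="$1" miss=0
    nss_has "$f" passwd winbind || { echo "passwd: winbind missing"; miss=$((miss + 1)); }
    nss_has "$f" group  winbind || { echo "group: winbind missing";  miss=$((miss + 1)); }
    nss_has "$f" hosts  wins    || { echo "hosts: wins missing";     miss=$((miss + 1)); }
    return "$miss"
}

# nss_add FILE DB SOURCE: append SOURCE to the end of the active "DB:" line.
# Idempotent: a second run leaves the file untouched.
nss_add() {
    nss_has "$1" "$2" "$3" && return 0
    sed "/^[[:space:]]*$2:/ s/\$/ $3/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Constructed sample: the CentOS 7 defaults before the change.
TMPD=$(mktemp -d)
cat > "$TMPD/nsswitch.conf" <<'EOF'
passwd:     files sss
shadow:     files sss
group:      files sss
#hosts:     db files nisplus nis dns
hosts:      files dns myhostname
EOF

nss_check "$TMPD/nsswitch.conf" || echo "-> $? line(s) to fix"
nss_add "$TMPD/nsswitch.conf" passwd winbind
nss_add "$TMPD/nsswitch.conf" group  winbind
nss_add "$TMPD/nsswitch.conf" hosts  wins
nss_add "$TMPD/nsswitch.conf" passwd winbind     # no-op on the second run
nss_check "$TMPD/nsswitch.conf" && echo "nsswitch.conf ready for winbind"
cat "$TMPD/nsswitch.conf"
```

The commented "#hosts:" line in the sample is deliberately left in place: nss_has skips comments, so a stale commented copy of a line can never make the check pass.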
Checking the winbind service
Install the winbind service and its clients:
[root@centos7 ~]# yum install samba-winbind samba-winbind-clients
Then start the winbind service:
[root@centos7 ~]# systemctl status winbind
● winbind.service - Samba Winbind Daemon
   Loaded: loaded (/usr/lib/systemd/system/winbind.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
[root@centos7 ~]# systemctl enable winbind
Created symlink from /etc/systemd/system/multi-user.target.wants/winbind.service to /usr/lib/systemd/system/winbind.service.
[root@centos7 ~]# systemctl start winbind
[root@centos7 ~]# systemctl status winbind
● winbind.service - Samba Winbind Daemon
   Loaded: loaded (/usr/lib/systemd/system/winbind.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2017-07-30 15:20:58 CEST; 2s ago
 Main PID: 8619 (winbindd)
   Status: "winbindd: ready to serve connections..."
   CGroup: /system.slice/winbind.service
           ├─8619 /usr/sbin/winbindd
           └─8620 /usr/sbin/winbindd

Jul 30 15:20:57 centos7.fenestros.loc systemd[1]: Starting Samba Winbind Daemon...
Jul 30 15:20:58 centos7.fenestros.loc winbindd[8619]: [2017/07/30 15:20:58.167888,  0] ../source3/winbindd/winbindd_cache.c:32...cache)
Jul 30 15:20:58 centos7.fenestros.loc winbindd[8619]:   initialize_winbindd_cache: clearing cache and re-creating with version number 2
Jul 30 15:20:58 centos7.fenestros.loc winbindd[8619]: [2017/07/30 15:20:58.174374,  0] ../lib/util/become_daemon.c:124(daemon_ready)
Jul 30 15:20:58 centos7.fenestros.loc systemd[1]: Started Samba Winbind Daemon.
Jul 30 15:20:58 centos7.fenestros.loc winbindd[8619]:   STATUS=daemon 'winbindd' finished starting up and ready to serve connections
Jul 30 15:20:58 centos7.fenestros.loc winbindd[8620]: [2017/07/30 15:20:58.221519,  0] ../source3/libsmb/cliconnect.c:1895(cli..._send)
Jul 30 15:20:58 centos7.fenestros.loc winbindd[8620]:   Kinit for FENESTROS.LOC to access cifs/server.fenestros.loc@FENESTROS....tabase
Hint: Some lines were ellipsized, use -l to show in full.
As well as the Samba service:
[root@centos7 ~]# systemctl start smb
Then check that the winbind service is working by querying the 2008 server:
[root@centos7 ~]# wbinfo -u
FENESTROS@administrateur
FENESTROS@invité
FENESTROS@krbtgt
[root@centos7 ~]# wbinfo -g
FENESTROS@ordinateurs du domaine
FENESTROS@contrôleurs de domaine
FENESTROS@administrateurs du schéma
FENESTROS@administrateurs de l’entreprise
FENESTROS@éditeurs de certificats
FENESTROS@admins du domaine
FENESTROS@utilisateurs du domaine
FENESTROS@invités du domaine
FENESTROS@propriétaires créateurs de la stratégie de groupe
FENESTROS@serveurs ras et ias
FENESTROS@groupe de réplication dont le mot de passe rodc est autorisé
FENESTROS@groupe de réplication dont le mot de passe rodc est refusé
FENESTROS@contrôleurs de domaine en lecture seule
FENESTROS@contrôleurs de domaine d’entreprise en lecture seule
FENESTROS@dnsadmins
FENESTROS@dnsupdateproxy
Finally, query the 2008 server for information about itself:
[root@centos7 ~]# net ads info
LDAP server: 10.0.2.200
LDAP server name: server.fenestros.loc
Realm: FENESTROS.LOC
Bind Path: dc=FENESTROS,dc=LOC
LDAP port: 389
Server time: Sun, 30 Jul 2017 15:24:49 CEST
KDC server: 10.0.2.200
Server time offset: 0
Last machine account password change: Sun, 30 Jul 2017 15:12:07 CEST
Completing the Samba configuration
Now modify your /etc/samba/smb.conf file:
- smb.conf
[global]
   workgroup = FENESTROS
   password server = server.fenestros.loc
   realm = FENESTROS.LOC
   security = ADS
   idmap config *:backend = tdb
   idmap config *:range = 10000-50000
   idmap config FENESTROS:backend = idmap_rid:FENESTROS=10000-50000
   idmap config FENESTROS:schema_mode = rfc2307
   idmap config FENESTROS:range = 500-40000
   winbind separator = @
   template homedir = /home/%D/%U
   template shell = /bin/bash
   winbind use default domain = true
   winbind offline logon = true
   local master = no
   preferred master = no
   os level = 0
   server string = Serveur Samba
   encrypt passwords = yes
   log level = 3
   log file = /var/log/samba/%m
   max log size = 50
   interfaces = 127.0.0.1 enp0s3
   bind interfaces only = true
   winbind cache time = 15
   winbind enum users = yes
   winbind enum groups = yes
   winbind nss info = rfc2307
   obey pam restrictions = yes
   allow trusted domains = no
The most important directives in this file are:
- template homedir = /home/%D/%U - this directive states that domain users will have their home directories created under /home/FENESTROS,
- winbind use default domain = true - this directive lets users omit the domain name when they log in,
- winbind offline logon = true - this directive lets users log in to the Linux server even when they are not connected to the domain. The user's credentials are stored in the winbindd_cache.tdb file. Note that on some distributions the cache does not survive a restart of the winbind service, in which case the user will be refused,
- winbind cache time = 15 - this directive sets the number of seconds that user credentials are kept locally before winbind requests them again from the domain server,
- winbind enum users = yes and winbind enum groups = yes - these directives enable the NSS functions getpwent and getgrent, used to enumerate the domain's users and groups. These functions are considered very inefficient and have been superseded by getpwnam() and getgrnam(); the only reason for these two directives is compatibility with old third-party software. If you do not need them, it is recommended to set them to no. Note that the wbinfo -u and wbinfo -g commands do not depend on NSS and will always work.
Restart the winbind and Samba services:
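The idmap ranges in an smb.conf can be checked mechanically, and two conditions are worth checking before restarting winbind: Samba's documentation requires the ranges of the different idmap domains to be disjoint, and a domain range that covers the uids of local accounts lets a local user and a domain user end up owning each other's files. The script below is an added example for this page, not part of the course: it extracts every idmap config <domain>:range directive from a file, reports pairs of ranges that overlap, and reports local accounts from a passwd file whose uid falls inside a range. Its smb.conf and passwd excerpts are constructed from the values on this page (the * range 10000-50000, the FENESTROS range 500-40000, and the local trainee account at uid 1000 seen in the getent passwd output further down); the function names are the example's own.

```shell
#!/bin/bash
# Added example for this page (not part of the course): read every
# "idmap config <domain>:range = LOW-HIGH" directive from an smb.conf and
# report ranges that overlap each other, or that contain a local account.
# The smb.conf and passwd excerpts below are constructed from the values on
# this page.

# idmap_ranges FILE: print "domain low high" per range directive (domain
# lower-cased, as testparm prints it).
idmap_ranges() {
    awk '
        /^[[:space:]]*[#;]/ { next }
        {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            if (match(line, /^idmap[[:space:]]+config[[:space:]]+[^:]+:[[:space:]]*range[[:space:]]*=/)) {
                dom = substr(line, 1, RLENGTH)
                sub(/^idmap[[:space:]]+config[[:space:]]+/, "", dom)
                sub(/[[:space:]]*:.*$/, "", dom)
                val = substr(line, RLENGTH + 1)
                gsub(/[[:space:]]/, "", val)
                split(val, r, "-")
                print tolower(dom), r[1], r[2]
            }
        }
    ' "$1"
}

# idmap_overlaps FILE: print each overlapping pair; return 1 if any was found.
idmap_overlaps() {
    idmap_ranges "$1" | awk '
        { dom[NR] = $1; lo[NR] = $2 + 0; hi[NR] = $3 + 0 }
        END {
            for (i = 1; i <= NR; i++)
                for (j = i + 1; j <= NR; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                        printf "%s(%d-%d) overlaps %s(%d-%d)\n", dom[i], lo[i], hi[i], dom[j], lo[j], hi[j]
                        found = 1
                    }
            exit found ? 1 : 0
        }'
}

# idmap_local_clash SMBCONF PASSWD: list local accounts whose uid falls inside
# one of the idmap ranges; return 1 if there is at least one.
idmap_local_clash() {
    awk -F: -v ranges="$(idmap_ranges "$1")" '
        BEGIN {
            n = split(ranges, lines, "\n")
            for (i = 1; i <= n; i++) { split(lines[i], f, " "); dom[i] = f[1]; lo[i] = f[2] + 0; hi[i] = f[3] + 0 }
        }
        /^[^#]/ && NF >= 3 {
            for (i = 1; i <= n; i++)
                if ($3 + 0 >= lo[i] && $3 + 0 <= hi[i]) {
                    printf "%s (uid %d) lies inside %s(%d-%d)\n", $1, $3, dom[i], lo[i], hi[i]
                    found = 1
                }
        }
        END { exit found ? 1 : 0 }
    ' "$2"
}

# Constructed excerpts: the idmap lines of the smb.conf above and the local
# trainee account from the getent passwd output further down.
TMPD=$(mktemp -d)
cat > "$TMPD/smb.conf" <<'EOF'
[global]
   workgroup = FENESTROS
   idmap config *:backend = tdb
   idmap config *:range = 10000-50000
   idmap config FENESTROS:backend = idmap_rid:FENESTROS=10000-50000
   idmap config FENESTROS:schema_mode = rfc2307
   idmap config FENESTROS:range = 500-40000
EOF
printf 'root:x:0:0:root:/root:/bin/bash\ntrainee:x:1000:1000:trainee:/home/trainee:/bin/bash\n' > "$TMPD/passwd"

idmap_overlaps "$TMPD/smb.conf" || echo "-> give * and FENESTROS disjoint ranges"
idmap_local_clash "$TMPD/smb.conf" "$TMPD/passwd" || echo "-> start the domain ranges above the highest local uid"
```

Run against the real files (idmap_overlaps /etc/samba/smb.conf; idmap_local_clash /etc/samba/smb.conf /etc/passwd) both checks report a problem for the configuration above: 10000-50000 and 500-40000 overlap, and the trainee account at uid 1000 sits inside the FENESTROS range.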
[root@centos7 ~]# systemctl restart winbind
[root@centos7 ~]# systemctl restart smb
Now check that passwords are authenticated by the Windows™ 2008 server:
[root@centos7 ~]# getent passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
avahi-autoipd:x:170:170:Avahi IPv4LL Stack:/var/lib/avahi-autoipd:/sbin/nologin
systemd-bus-proxy:x:999:997:systemd Bus Proxy:/:/sbin/nologin
systemd-network:x:998:996:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:997:995:User for polkitd:/:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
usbmuxd:x:113:113:usbmuxd user:/:/sbin/nologin
colord:x:996:993:User for colord:/var/lib/colord:/sbin/nologin
libstoragemgmt:x:995:992:daemon account for libstoragemgmt:/var/run/lsm:/sbin/nologin
setroubleshoot:x:994:991::/var/lib/setroubleshoot:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
rtkit:x:172:172:RealtimeKit:/proc:/sbin/nologin
chrony:x:993:990::/var/lib/chrony:/sbin/nologin
unbound:x:992:989:Unbound DNS resolver:/etc/unbound:/sbin/nologin
tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
geoclue:x:991:988:User for geoclue:/var/lib/geoclue:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
sssd:x:990:987:User for sssd:/:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
pulse:x:171:171:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin
gdm:x:42:42::/var/lib/gdm:/sbin/nologin
gnome-initial-setup:x:989:984::/run/gnome-initial-setup/:/sbin/nologin
avahi:x:70:70:Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
trainee:x:1000:1000:trainee:/home/trainee:/bin/bash
vboxadd:x:988:1::/var/run/vboxadd:/bin/false
administrateur:*:40003:40006:Administrateur:/home/FENESTROS/administrateur:/bin/bash
invité:*:40001:40005:Invité:/home/FENESTROS/invité:/bin/bash
krbtgt:*:40002:40006:krbtgt:/home/FENESTROS/krbtgt:/bin/bash
Now create the /home/FENESTROS directory, which will hold the home directories of the AD users:
[root@centos7 ~]# mkdir /home/FENESTROS
Grant the appropriate permissions:
[root@centos7 ~]# chmod 777 /home/FENESTROS
Modifying PAM
Add the following line to the /etc/pam.d/system-auth file:
session required pam_oddjob_mkhomedir.so skel=/etc/skel/ umask=0022
pam_oddjob_mkhomedir is used by the system to create the home directory of an authorised user when it does not yet exist. If the home directory does not exist and pam_oddjob_mkhomedir is not working, the user's login will be refused.
You will obtain:
[root@centos7 ~]# vi /etc/pam.d/system-auth
[root@centos7 ~]# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     required      pam_oddjob_mkhomedir.so skel=/etc/skel/ umask=0022
-session    optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
Restart the winbind service and start the oddjobd service:
[root@centos7 ~]# systemctl restart winbind
[root@centos7 ~]# systemctl status oddjobd
● oddjobd.service - privileged operations for unprivileged applications
   Loaded: loaded (/usr/lib/systemd/system/oddjobd.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
[root@centos7 ~]# systemctl enable oddjobd
Created symlink from /etc/systemd/system/multi-user.target.wants/oddjobd.service to /usr/lib/systemd/system/oddjobd.service.
[root@centos7 ~]# systemctl start oddjobd
[root@centos7 ~]# systemctl status oddjobd
● oddjobd.service - privileged operations for unprivileged applications
   Loaded: loaded (/usr/lib/systemd/system/oddjobd.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2017-07-31 13:45:56 CEST; 10s ago
 Main PID: 28054 (oddjobd)
   CGroup: /system.slice/oddjobd.service
           └─28054 /usr/sbin/oddjobd -n -p /var/run/oddjobd.pid -t 300

Jul 31 13:45:56 centos7.fenestros.loc systemd[1]: Started privileged operations for unprivileged applications.
Jul 31 13:45:56 centos7.fenestros.loc systemd[1]: Starting privileged operations for unprivileged applications...
Samba4 and Active Directory
Important: Delete your CentOS 7 virtual machine and import a fresh one.
Overview
Remember that Samba4 brings the following new features:
- Support for Active Directory authentication and administration,
- Full NTFS support,
- LDAP directory,
- Kerberos server,
- DNS server,
- Support for the new RPC protocol and for Python.
Preparing the Virtual Machine
To begin:
- Put the CentOS_7 virtual machine in the NatNetwork network.
- Start the CentOS 7 virtual machine. Set the default boot target to graphical.target and reboot it.
Disable SELinux so that it does not produce errors:
[root@centos7 /]# setenforce permissive
[root@centos7 /]# getenforce
Permissive
Then edit the /etc/sysconfig/selinux file as follows:
[root@centos7 /]# vi /etc/sysconfig/selinux
[root@centos7 /]# cat /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
To avoid firewall problems for now, stop the firewalld service (it is re-enabled and given the ports Samba needs in the "Configuring the Firewall" section below):
[root@centos7 ~]# systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2017-07-31 15:21:08 CEST; 3min 30s ago
     Docs: man:firewalld(1)
 Main PID: 633 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─633 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Jul 31 15:21:01 centos7.fenestros.loc systemd[1]: Starting firewalld - dynami...
Jul 31 15:21:08 centos7.fenestros.loc systemd[1]: Started firewalld - dynamic...
Hint: Some lines were ellipsized, use -l to show in full.
[root@centos7 ~]# systemctl stop firewalld.service
[root@centos7 ~]# systemctl disable firewalld.service
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
Removed symlink /etc/systemd/system/basic.target.wants/firewalld.service.
Create a static-IP connection profile, bring it up, add a DNS server to it and restart NetworkManager.service:
[root@centos7 ~]# nmcli connection add con-name ip_fixe ifname enp0s3 type ethernet ip4 10.0.2.6/24 gw4 10.0.2.2
Connection 'ip_fixe' (7c801069-d035-4f2f-8496-a96385b83bcd) successfully added.
[root@centos7 ~]# nmcli connection up ip_fixe
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/1)
[root@centos7 ~]# nmcli connection mod ip_fixe ipv4.dns 8.8.8.8
[root@centos7 ~]# systemctl restart NetworkManager.service
Then edit /etc/hosts to map your hostname to your IP address:
[root@centos7 ~]# cat /etc/hosts
127.0.0.1   localhost.localdomain localhost
::1         localhost6.localdomain6 localhost6
10.0.2.6    centos7.fenestros.loc
To do - Change the IP address in your /etc/hosts file to match your real IP address.
LAB #2 - Samba as an Active Directory Domain Controller
Warning - The Samba packages in the CentOS 7 repositories are built without Active Directory domain controller support, so their samba-tool cannot provision an AD domain. See this article. For this reason we build Samba from source.
Installing Samba 4 from Source
First, add the EPEL repository:
[root@centos7 ~]# yum install epel-release -y
Loaded plugins: fastestmirror, langpacks
Repodata is over 2 weeks old. Install yum-cron? Or run: yum makecache fast
adobe-linux-x86_64                                       | 2.9 kB     00:00
base                                                     | 3.6 kB     00:00
extras                                                   | 3.4 kB     00:00
updates                                                  | 3.4 kB     00:00
(1/3): adobe-linux-x86_64/primary_db                     | 2.7 kB   00:00
(2/3): extras/7/x86_64/primary_db                        | 191 kB   00:00
(3/3): updates/7/x86_64/primary_db                       | 7.8 MB   00:02
Determining fastest mirrors
 * base: ftp.ciril.fr
 * extras: ftp.ciril.fr
 * updates: centos.mirror.ate.info
Resolving Dependencies
--> Running transaction check
---> Package epel-release.noarch 0:7-9 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package               Arch            Version          Repository        Size
================================================================================
Installing:
 epel-release          noarch          7-9              extras            14 k

Transaction Summary
================================================================================
Install  1 Package

Total download size: 14 k
Installed size: 24 k
Downloading packages:
epel-release-7-9.noarch.rpm                                |  14 kB   00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : epel-release-7-9.noarch                                      1/1
  Verifying  : epel-release-7-9.noarch                                      1/1

Installed:
  epel-release.noarch 0:7-9

Complete!
Now install the tools needed to build samba4:
[root@centos7 ~]# yum install perl gcc libacl-devel libblkid-devel gnutls-devel readline-devel python-devel gdb pkgconfig krb5-workstation zlib-devel setroubleshoot-server libaio-devel setroubleshoot-plugins policycoreutils-python libsemanage-python setools-libs-python setools-libs popt-devel libpcap-devel sqlite-devel libidn-devel libxml2-devel libacl-devel libsepol-devel libattr-devel keyutils-libs-devel cyrus-sasl-devel cups-devel bind-utils libxslt docbook-style-xsl openldap-devel pam-devel bzip2 vim wget
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: ftp.ciril.fr
 * epel: pkg.adfinis-sygroup.ch
 * extras: ftp.ciril.fr
 * updates: centos.mirror.ate.info
Package 4:perl-5.16.3-291.el7.x86_64 already installed and latest version
Package gcc-4.8.5-11.el7.x86_64 already installed and latest version
Package gdb-7.6.1-94.el7.x86_64 already installed and latest version
Package 1:pkgconfig-0.27.1-4.el7.x86_64 already installed and latest version
Package krb5-workstation-1.14.1-27.el7_3.x86_64 already installed and latest version
Package setroubleshoot-server-3.2.27.2-3.el7.x86_64 already installed and latest version
Package setroubleshoot-plugins-3.0.64-2.1.el7.noarch already installed and latest version
Package policycoreutils-python-2.5-11.el7_3.x86_64 already installed and latest version
Package libsemanage-python-2.5-5.1.el7_3.x86_64 already installed and latest version
No package setools-libs-python available.
Package setools-libs-3.3.8-1.1.el7.x86_64 already installed and latest version
Package libxslt-1.1.28-5.el7.x86_64 already installed and latest version
Package bzip2-1.0.6-13.el7.x86_64 already installed and latest version
Package 2:vim-enhanced-7.4.160-1.el7_3.1.x86_64 already installed and latest version
Package wget-1.14-13.el7.x86_64 already installed and latest version
Resolving Dependencies
--> Running transaction check
---> Package bind-utils.x86_64 32:9.9.4-38.el7_3.3 will be updated
---> Package bind-utils.x86_64 32:9.9.4-50.el7_3.1 will be an update
--> Processing Dependency: bind-libs = 32:9.9.4-50.el7_3.1 for package: 32:bind-utils-9.9.4-50.el7_3.1.x86_64
---> Package cups-devel.x86_64 1:1.6.3-26.el7 will be installed
--> Processing Dependency: openssl-devel for package: 1:cups-devel-1.6.3-26.el7.x86_64
--> Processing Dependency: krb5-devel for package: 1:cups-devel-1.6.3-26.el7.x86_64
---> Package cyrus-sasl-devel.x86_64 0:2.1.26-20.el7_2 will be installed
--> Processing Dependency: cyrus-sasl(x86-64) = 2.1.26-20.el7_2 for package: cyrus-sasl-devel-2.1.26-20.el7_2.x86_64
---> Package docbook-style-xsl.noarch 0:1.78.1-3.el7 will be installed
--> Processing Dependency: docbook-dtd-xml for package: docbook-style-xsl-1.78.1-3.el7.noarch
---> Package gnutls-devel.x86_64 0:3.3.24-1.el7 will be installed
--> Processing Dependency: gnutls-dane(x86-64) = 3.3.24-1.el7 for package: gnutls-devel-3.3.24-1.el7.x86_64
--> Processing Dependency: gnutls-c++(x86-64) = 3.3.24-1.el7 for package: gnutls-devel-3.3.24-1.el7.x86_64
--> Processing Dependency: pkgconfig(p11-kit-1) for package: gnutls-devel-3.3.24-1.el7.x86_64
--> Processing Dependency: pkgconfig(nettle) for package: gnutls-devel-3.3.24-1.el7.x86_64
--> Processing Dependency: pkgconfig(libtasn1) for package: gnutls-devel-3.3.24-1.el7.x86_64
--> Processing Dependency: pkgconfig(hogweed) for package: gnutls-devel-3.3.24-1.el7.x86_64
--> Processing Dependency: libgnutlsxx.so.28()(64bit) for package: gnutls-devel-3.3.24-1.el7.x86_64
--> Processing Dependency: libgnutls-dane.so.0()(64bit) for package: gnutls-devel-3.3.24-1.el7.x86_64
---> Package keyutils-libs-devel.x86_64 0:1.5.8-3.el7 will be installed
---> Package libacl-devel.x86_64 0:2.2.51-12.el7 will be installed
---> Package libaio-devel.x86_64 0:0.3.109-13.el7 will be installed
---> Package libattr-devel.x86_64 0:2.4.46-12.el7 will be installed
---> Package libblkid-devel.x86_64 0:2.23.2-33.el7_3.2 will be installed
--> Processing Dependency: pkgconfig(uuid) for package: libblkid-devel-2.23.2-33.el7_3.2.x86_64
---> Package libidn-devel.x86_64 0:1.28-4.el7 will be installed
---> Package libpcap-devel.x86_64 14:1.5.3-8.el7 will be installed
---> Package libsepol-devel.x86_64 0:2.5-6.el7 will be installed
---> Package libxml2-devel.x86_64 0:2.9.1-6.el7_2.3 will be installed
--> Processing Dependency: xz-devel for package: libxml2-devel-2.9.1-6.el7_2.3.x86_64
---> Package openldap-devel.x86_64 0:2.4.40-13.el7 will be installed
---> Package pam-devel.x86_64 0:1.1.8-18.el7 will be installed
---> Package popt-devel.x86_64 0:1.13-16.el7 will be installed
---> Package python-devel.x86_64 0:2.7.5-48.el7 will be installed
---> Package readline-devel.x86_64 0:6.2-9.el7 will be installed
--> Processing Dependency: ncurses-devel for package: readline-devel-6.2-9.el7.x86_64
---> Package sqlite-devel.x86_64 0:3.7.17-8.el7 will be installed
---> Package zlib-devel.x86_64 0:1.2.7-17.el7 will be installed
--> Running transaction check
---> Package bind-libs.x86_64 32:9.9.4-38.el7_3.3 will be updated
---> Package bind-libs.x86_64 32:9.9.4-50.el7_3.1 will be an update
--> Processing Dependency: bind-license = 32:9.9.4-50.el7_3.1 for package: 32:bind-libs-9.9.4-50.el7_3.1.x86_64
---> Package cyrus-sasl.x86_64 0:2.1.26-20.el7_2 will be installed
---> Package docbook-dtds.noarch 0:1.0-60.el7 will be installed
--> Processing Dependency: sgml-common for package: docbook-dtds-1.0-60.el7.noarch
---> Package gnutls-c++.x86_64 0:3.3.24-1.el7 will be installed
---> Package gnutls-dane.x86_64 0:3.3.24-1.el7 will be installed
---> Package krb5-devel.x86_64 0:1.14.1-27.el7_3 will be installed
--> Processing Dependency: libverto-devel for package: krb5-devel-1.14.1-27.el7_3.x86_64
--> Processing Dependency: libselinux-devel for package: krb5-devel-1.14.1-27.el7_3.x86_64
--> Processing Dependency: libcom_err-devel for package: krb5-devel-1.14.1-27.el7_3.x86_64
---> Package libtasn1-devel.x86_64 0:3.8-3.el7 will be installed
---> Package libuuid-devel.x86_64 0:2.23.2-33.el7_3.2 will be installed
---> Package ncurses-devel.x86_64 0:5.9-13.20130511.el7 will be installed
---> Package nettle-devel.x86_64 0:2.7.1-8.el7 will be installed
--> Processing Dependency: gmp-devel(x86-64) for package: nettle-devel-2.7.1-8.el7.x86_64
---> Package openssl-devel.x86_64 1:1.0.1e-60.el7_3.1 will be installed
---> Package p11-kit-devel.x86_64 0:0.20.7-3.el7 will be installed
---> Package xz-devel.x86_64 0:5.2.2-1.el7 will be installed
--> Running transaction check
---> Package bind-license.noarch 32:9.9.4-38.el7_3.3 will be updated
--> Processing Dependency: bind-license = 32:9.9.4-38.el7_3.3 for package: 32:bind-libs-lite-9.9.4-38.el7_3.3.x86_64
---> Package bind-license.noarch 32:9.9.4-50.el7_3.1 will be an update
---> Package gmp-devel.x86_64 1:6.0.0-12.el7_1 will be installed
---> Package libcom_err-devel.x86_64 0:1.42.9-9.el7 will be installed
---> Package libselinux-devel.x86_64 0:2.5-6.el7 will be installed
--> Processing Dependency: pkgconfig(libpcre) for package: libselinux-devel-2.5-6.el7.x86_64
---> Package libverto-devel.x86_64 0:0.2.5-4.el7 will be installed
---> Package sgml-common.noarch 0:0.6.3-39.el7 will be installed
--> Running transaction check
---> Package bind-libs-lite.x86_64 32:9.9.4-38.el7_3.3 will be updated
---> Package bind-libs-lite.x86_64 32:9.9.4-50.el7_3.1 will be an update
---> Package pcre-devel.x86_64 0:8.32-15.el7_2.1 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package                Arch    Version                      Repository   Size
================================================================================
Installing:
 cups-devel             x86_64  1:1.6.3-26.el7               base        130 k
 cyrus-sasl-devel       x86_64  2.1.26-20.el7_2              base        310 k
 docbook-style-xsl      noarch  1.78.1-3.el7                 base        2.0 M
 gnutls-devel           x86_64  3.3.24-1.el7                 base        1.4 M
 keyutils-libs-devel    x86_64  1.5.8-3.el7                  base         37 k
 libacl-devel           x86_64  2.2.51-12.el7                base         71 k
 libaio-devel           x86_64  0.3.109-13.el7               base         13 k
 libattr-devel          x86_64  2.4.46-12.el7                base         35 k
 libblkid-devel         x86_64  2.23.2-33.el7_3.2            updates      73 k
 libidn-devel           x86_64  1.28-4.el7                   base        124 k
 libpcap-devel          x86_64  14:1.5.3-8.el7               base        117 k
 libsepol-devel         x86_64  2.5-6.el7                    base         74 k
 libxml2-devel          x86_64  2.9.1-6.el7_2.3              base        1.0 M
 openldap-devel         x86_64  2.4.40-13.el7                base        800 k
 pam-devel              x86_64  1.1.8-18.el7                 base        184 k
 popt-devel             x86_64  1.13-16.el7                  base         22 k
 python-devel           x86_64  2.7.5-48.el7                 base        393 k
 readline-devel         x86_64  6.2-9.el7                    base        138 k
 sqlite-devel           x86_64  3.7.17-8.el7                 base        104 k
 zlib-devel             x86_64  1.2.7-17.el7                 base         50 k
Updating:
 bind-utils             x86_64  32:9.9.4-50.el7_3.1          updates     202 k
Installing for dependencies:
 cyrus-sasl             x86_64  2.1.26-20.el7_2              base         88 k
 docbook-dtds           noarch  1.0-60.el7                   base        226 k
 gmp-devel              x86_64  1:6.0.0-12.el7_1             base        181 k
 gnutls-c++             x86_64  3.3.24-1.el7                 base         32 k
 gnutls-dane            x86_64  3.3.24-1.el7                 base         33 k
 krb5-devel             x86_64  1.14.1-27.el7_3              updates     651 k
 libcom_err-devel       x86_64  1.42.9-9.el7                 base         31 k
 libselinux-devel       x86_64  2.5-6.el7                    base        186 k
 libtasn1-devel         x86_64  3.8-3.el7                    base         70 k
 libuuid-devel          x86_64  2.23.2-33.el7_3.2            updates      85 k
 libverto-devel         x86_64  0.2.5-4.el7                  base         12 k
 ncurses-devel          x86_64  5.9-13.20130511.el7          base        713 k
 nettle-devel           x86_64  2.7.1-8.el7                  base        471 k
 openssl-devel          x86_64  1:1.0.1e-60.el7_3.1          updates     1.2 M
 p11-kit-devel          x86_64  0.20.7-3.el7                 base         22 k
 pcre-devel             x86_64  8.32-15.el7_2.1              base        479 k
 sgml-common            noarch  0.6.3-39.el7                 base         55 k
 xz-devel               x86_64  5.2.2-1.el7                  base         46 k
Updating for dependencies:
 bind-libs              x86_64  32:9.9.4-50.el7_3.1          updates     1.0 M
 bind-libs-lite         x86_64  32:9.9.4-50.el7_3.1          updates     730 k
 bind-license           noarch  32:9.9.4-50.el7_3.1          updates      83 k

Transaction Summary
================================================================================
Install  20 Packages (+18 Dependent packages)
Upgrade   1 Package  (+ 3 Dependent packages)

Total download size: 14 M
Is this ok [y/d/N]: y
Now download samba4. Two practitioner notes: before building, verify the tarball with the detached GPG signature the Samba project publishes next to it (the .tar.asc file, made over the uncompressed .tar) and the Samba Distribution Verification Key; and note that the 4.6 series (2017) has long been end of life, so outside this lab take the current stable release from the same location:
[root@centos7 ~]# cd /tmp
[root@centos7 tmp]# wget https://download.samba.org/pub/samba/stable/samba-4.6.6.tar.gz
--2017-07-31 16:17:27--  https://download.samba.org/pub/samba/stable/samba-4.6.6.tar.gz
Resolving download.samba.org (download.samba.org)... 144.76.82.156, 2a01:4f8:192:486::443:2
Connecting to download.samba.org (download.samba.org)|144.76.82.156|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 21120791 (20M) [application/gzip]
Saving to: ‘samba-4.6.6.tar.gz’

100%[=============================================================================================>] 21,120,791   167KB/s   in 77s

2017-07-31 16:18:45 (268 KB/s) - ‘samba-4.6.6.tar.gz’ saved [21120791/21120791]
Extract the archive:
[root@centos7 tmp]# tar -zxvf samba-4.6.6.tar.gz
Build samba4 (the default installation prefix is /usr/local/samba; --enable-debug and --enable-selftest are developer options that a production build leaves out):
[root@centos7 tmp]# cd samba-4.6.6
[root@centos7 samba-4.6.6]# ./configure --enable-debug --enable-selftest --with-ads --with-systemd --with-winbind
[root@centos7 samba-4.6.6]# make && make install
Now create the file /etc/systemd/system/samba.service:
[root@centos7 samba-4.6.6]# vi /etc/systemd/system/samba.service
[root@centos7 samba-4.6.6]# cat /etc/systemd/system/samba.service
[Unit]
Description= Samba 4 Active Directory
After=syslog.target
After=network.target

[Service]
Type=forking
PIDFile=/usr/local/samba/var/run/samba.pid
ExecStart=/usr/local/samba/sbin/samba

[Install]
WantedBy=multi-user.target
Enable the service:
[root@centos7 samba-4.6.6]# systemctl enable samba
Created symlink from /etc/systemd/system/multi-user.target.wants/samba.service to /etc/systemd/system/samba.service.
Check that Samba is set to start at boot (it is enabled but not yet running):
[root@centos7 samba-4.6.6]# systemctl status samba
● samba.service - Samba 4 Active Directory
   Loaded: loaded (/etc/systemd/system/samba.service; enabled; vendor preset: disabled)
   Active: inactive (dead)
OS Configuration
The samba4 tree is installed under /usr/local/samba:
[root@centos7 samba-4.6.6]# cd /usr/local/samba
[root@centos7 samba]# ls
bin  etc  include  lib  lib64  libexec  private  sbin  share  var
The samba4 binaries are in /usr/local/samba/bin:
[root@centos7 samba]# cd bin
[root@centos7 bin]# ls -l
total 22988
-rwxr-xr-x. 1 root root   249120 Jul 31 16:45 cifsdd
-rwxr-xr-x. 1 root root    35680 Jul 31 16:46 dbwrap_tool
-rwxr-xr-x. 1 root root    68576 Jul 31 16:45 eventlogadm
-rwxr-xr-x. 1 root root     4619 Jul 31 16:34 findsmb
-rwxr-xr-x. 1 root root   357488 Jul 31 16:45 gentest
-rwxr-xr-x. 1 root root    23744 Jul 31 16:45 ldbadd
-rwxr-xr-x. 1 root root    17912 Jul 31 16:45 ldbdel
-rwxr-xr-x. 1 root root    24688 Jul 31 16:45 ldbedit
-rwxr-xr-x. 1 root root    28088 Jul 31 16:45 ldbmodify
-rwxr-xr-x. 1 root root    16528 Jul 31 16:45 ldbrename
-rwxr-xr-x. 1 root root    26720 Jul 31 16:45 ldbsearch
-rwxr-xr-x. 1 root root   227520 Jul 31 16:45 locktest
-rwxr-xr-x. 1 root root   221520 Jul 31 16:45 masktest
-rwxr-xr-x. 1 root root    18288 Jul 31 16:46 mvxattr
-rwxr-xr-x. 1 root root   236488 Jul 31 16:45 ndrdump
-rwxr-xr-x. 1 root root  1916488 Jul 31 16:47 net
-rwxr-xr-x. 1 root root   228856 Jul 31 16:45 nmblookup
-rwxr-xr-x. 1 root root   139576 Jul 31 16:46 ntlm_auth
-rwxr-xr-x. 1 root root    52760 Jul 31 16:45 oLschema2ldif
-rwxr-xr-x. 1 root root    77696 Jul 31 16:46 pdbedit
-rwxr-xr-x. 1 root root    23300 Jul 31 16:34 pidl
-rwxr-xr-x. 1 root root    91888 Jul 31 16:46 profiles
-rwxr-xr-x. 1 root root    43240 Jul 31 16:46 regdiff
-rwxr-xr-x. 1 root root    47192 Jul 31 16:45 regpatch
-rwxr-xr-x. 1 root root    74896 Jul 31 16:45 regshell
-rwxr-xr-x. 1 root root    48648 Jul 31 16:45 regtree
-rwxr-xr-x. 1 root root  2309320 Jul 31 16:46 rpcclient
-rwxr-xr-x. 1 root root   215376 Jul 31 16:46 samba-regedit
-rwxr-xr-x. 1 root root     1689 Jul 31 16:34 samba-tool
-rwxr-xr-x. 1 root root    65448 Jul 31 16:46 sharesec
-rwxr-xr-x. 1 root root    84320 Jul 31 16:45 smbcacls
-rwxr-xr-x. 1 root root   205016 Jul 31 16:45 smbclient
-rwxr-xr-x. 1 root root    97336 Jul 31 16:45 smbcontrol
-rwxr-xr-x. 1 root root    51320 Jul 31 16:46 smbcquotas
-rwxr-xr-x. 1 root root    45104 Jul 31 16:45 smbget
-rwxr-xr-x. 1 root root    76072 Jul 31 16:46 smbpasswd
-rwxr-xr-x. 1 root root    30008 Jul 31 16:46 smbspool
-rwxr-xr-x. 1 root root    84024 Jul 31 16:47 smbstatus
-rwxr-xr-x. 1 root root     4896 Jan  9  2017 smbtar
-rwxr-xr-x. 1 root root 15578248 Jul 31 16:47 smbtorture
-rwxr-xr-x. 1 root root    42912 Jul 31 16:46 smbtree
-rwxr-xr-x. 1 root root    23920 Jul 31 16:45 tdbbackup
-rwxr-xr-x. 1 root root    18056 Jul 31 16:45 tdbdump
-rwxr-xr-x. 1 root root    17552 Jul 31 16:45 tdbrestore
-rwxr-xr-x. 1 root root    38168 Jul 31 16:45 tdbtool
-rwxr-xr-x. 1 root root    46488 Jul 31 16:46 testparm
-rwxr-xr-x. 1 root root   107456 Jul 31 16:45 wbinfo
To use these commands, add the directory to $PATH:
[root@centos7 bin]# PATH=/usr/local/samba/bin:$PATH
[root@centos7 bin]# export PATH
[root@centos7 bin]# echo $PATH
/usr/local/samba/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
To make this change permanent for root, edit ~/.bash_profile:
[root@centos7 bin]# cd ~
[root@centos7 ~]# vi .bash_profile
[root@centos7 ~]# cat .bash_profile
# .bash_profile

# Get the aliases and functions
if [ -f ~/.bashrc ]; then
	. ~/.bashrc
fi

# User specific environment and startup programs

PATH=/usr/local/samba/bin:$PATH:$HOME/bin

export PATH
Basic Samba4 Configuration
Edit /etc/krb5.conf and comment out the line includedir /etc/krb5.conf.d/ (the Heimdal Kerberos library bundled with Samba 4.6 does not understand includedir, and the provision below would fail on it):
[root@centos7 ~]# vi /etc/krb5.conf
[root@centos7 ~]# cat /etc/krb5.conf
# Configuration snippets may be placed in this directory as well
# includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
# default_realm = EXAMPLE.COM
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
# EXAMPLE.COM = {
#  kdc = kerberos.example.com
#  admin_server = kerberos.example.com
# }

[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
Run a domain provision with the command /usr/local/samba/bin/samba-tool:
Important: A domain provision builds your base domain (directory, Kerberos realm, DNS zones) and writes the smb.conf file.
[root@centos7 ~]# /usr/local/samba/bin/samba-tool domain provision
Realm [FENESTROS.LOC]: centosdom.fenestros.loc
 Domain [centosdom]: fenestros
 Server Role (dc, member, standalone) [dc]:
 DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
 DNS forwarder IP address (write 'none' to disable forwarding) [8.8.8.8]:
Administrator password:
Retype password:
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=centosdom,DC=fenestros,DC=loc
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=centosdom,DC=fenestros,DC=loc
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba AD has been generated at /usr/local/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role:           active directory domain controller
Hostname:              centos7
NetBIOS Domain:        FENESTROS
DNS Domain:            centosdom.fenestros.loc
DOMAIN SID:            S-1-5-21-1643477231-2082225216-628174941
Important: The Administrator password typed at the prompt above is P@$$w0rd, the password used throughout this lab; it is not echoed. samba-tool enforces the domain password policy at this prompt. After provisioning, the default policy is complexity enabled with a minimum length of 7 characters (see samba-tool domain passwordsettings show), where complexity means at least three of the four character classes (uppercase, lowercase, digits, symbols) and no occurrence of the account name in the password.
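The complexity rule described above, as an added example; this is not code from the lab or from Samba, and the account names and candidate passwords it is run on are constructed. It applies the Windows rule that Samba's AD DC enforces by default: no occurrence of the samAccountName (when it is at least 3 characters long) nor of any displayName token of 3 or more characters, and characters from at least three categories. The minimum length of 7 is the provision default; check yours with samba-tool domain passwordsettings show.

```python
# Added example (not part of the original lab, not Samba's own code): the
# Active Directory password complexity rule that a freshly provisioned
# Samba AD domain enforces by default (complexity on, minPwdLength 7).
import re
import string

MIN_PASSWORD_LENGTH = 7   # Samba provision default (assumption: unchanged policy)
# Delimiters Windows uses to split displayName into tokens: , . - _ space # tab
DISPLAY_NAME_SPLIT = re.compile(r"[,.\-_ #\t]+")


def password_categories(password):
    """Return the set of character categories present in the password."""
    cats = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            cats.add("upper")
        elif ch in string.ascii_lowercase:
            cats.add("lower")
        elif ch in string.digits:
            cats.add("digit")
        elif ch in string.punctuation:
            cats.add("special")
        elif ch.isalpha():
            cats.add("other_alpha")   # letters outside A-Z/a-z (accented, non-Latin)
    return cats


def display_name_tokens(display_name):
    """Tokens of the display name (3+ characters) that the check searches for."""
    return [t for t in DISPLAY_NAME_SPLIT.split(display_name) if len(t) >= 3]


def check_password(password, sam_account_name="", display_name="",
                   min_length=MIN_PASSWORD_LENGTH):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    lowered = password.lower()
    if len(password) < min_length:
        problems.append("shorter than the minimum of {} characters".format(min_length))
    # The whole samAccountName is searched, case-insensitively, if it has 3+ chars.
    if len(sam_account_name) >= 3 and sam_account_name.lower() in lowered:
        problems.append("contains the account name '{}'".format(sam_account_name))
    for token in display_name_tokens(display_name):
        if token.lower() in lowered:
            problems.append("contains the display-name token '{}'".format(token))
    cats = password_categories(password)
    if len(cats) < 3:
        problems.append("uses {} character categor{} ({}); at least 3 are required".format(
            len(cats), "y" if len(cats) == 1 else "ies", ", ".join(sorted(cats)) or "none"))
    return problems


if __name__ == "__main__":
    # Constructed candidates: the lab password, a weak one, and one built
    # from the user's display name.
    for candidate, account, display in [("P@$$w0rd", "Administrator", "Administrator"),
                                        ("password", "jdupont", "Jean Dupont"),
                                        ("Jean-Dupont2024", "jdupont", "Jean Dupont")]:
        print(candidate, "->", check_password(candidate, account, display) or "OK")
```

The lab password passes (four categories, no name fragment); "password" fails on categories alone, and a password assembled from the user's own name fails even though it is long and mixed, which is the part of the rule people most often forget.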
The provision also wrote a Kerberos client configuration to /usr/local/samba/private/krb5.conf (named in the output above); copy it over /etc/krb5.conf so that kinit and the Samba tools use the new realm. Now look at the file /usr/local/samba/etc/smb.conf created by the provision:
[root@centos7 ~]# cat /usr/local/samba/etc/smb.conf
# Global parameters
[global]
	netbios name = CENTOS7
	realm = CENTOSDOM.FENESTROS.LOC
	workgroup = FENESTROS
	dns forwarder = 8.8.8.8
	server role = active directory domain controller

[netlogon]
	path = /usr/local/samba/var/locks/sysvol/centosdom.fenestros.loc/scripts
	read only = No

[sysvol]
	path = /usr/local/samba/var/locks/sysvol
	read only = No
Important: Note the two system shares created by /usr/local/samba/bin/samba-tool domain provision: netlogon (logon scripts) and sysvol (Group Policy objects). They are writable on purpose; what a user may change there is governed by the ACLs the provision set on the sysvol tree, not by read only.
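The provisioned smb.conf above sets only what the domain needs and leaves every security setting at the build default. As an added example (not code from the lab or from Samba), the following audits an smb.conf for an AD DC against a short list of hardening parameters and shows the weak file beside the corrected one. The recommended values are an assumption drawn from smb.conf(5) for Samba 4.6 (refuse NTLMv1, require SMB signing, require strong LDAP binds, keep TLS on, drop the SMB1 dialect); check them against your release. The sample files are constructed from the lab's smb.conf.

```python
# Added example (not part of the lab, not Samba code): audit an smb.conf for
# a Samba AD DC. smb.conf is INI-like ([section], key = value, comments
# starting with # or ;), parameter names ignore case and whitespace, and
# yes/true/1 are synonyms, so the standard library parser is enough.
import configparser

# Constructed sample: the provisioned file from the lab plus one explicit
# weak setting (NTLMv1 allowed) so that the audit has something to flag.
WEAK_SMB_CONF = """\
# Global parameters
[global]
    netbios name = CENTOS7
    realm = CENTOSDOM.FENESTROS.LOC
    workgroup = FENESTROS
    dns forwarder = 8.8.8.8
    server role = active directory domain controller
    ntlm auth = yes

[netlogon]
    path = /usr/local/samba/var/locks/sysvol/centosdom.fenestros.loc/scripts
    read only = No

[sysvol]
    path = /usr/local/samba/var/locks/sysvol
    read only = No
"""

# The same file with the recommended [global] settings made explicit.
HARDENED_SMB_CONF = WEAK_SMB_CONF.replace(
    "    ntlm auth = yes\n",
    "    ntlm auth = no\n"
    "    server signing = mandatory\n"
    "    ldap server require strong auth = yes\n"
    "    tls enabled = yes\n"
    "    server min protocol = SMB2_02\n")

RECOMMENDED_GLOBAL = {                          # parameter -> recommended value (assumption)
    "ntlm auth": "no",                          # refuse NTLMv1
    "server signing": "mandatory",              # require SMB signing
    "ldap server require strong auth": "yes",   # no simple binds in the clear
    "tls enabled": "yes",                       # LDAPS / StartTLS available
    "server min protocol": "SMB2_02",           # no SMB1 (NT1) dialect
}


def normalize_key(name):
    """smb.conf parameter names are compared ignoring case and whitespace."""
    return "".join(name.lower().split())


def normalize_value(value):
    """Map the boolean synonyms Samba accepts onto yes/no; lower-case the rest."""
    v = (value or "").strip().lower()
    if v in ("yes", "true", "1"):
        return "yes"
    if v in ("no", "false", "0"):
        return "no"
    return v


def parse_smb_conf(text):
    """Return {section: {normalized key: raw value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",), allow_no_value=True,
                                   inline_comment_prefixes=("#", ";"))
    cp.optionxform = normalize_key
    cp.read_string(text)
    return {section: dict(cp.items(section)) for section in cp.sections()}


def audit(conf):
    """Return findings as (section, parameter, message) tuples; empty means clean."""
    findings = []
    g = conf.get("global", {})
    if normalize_value(g.get("serverrole", "")) != "active directory domain controller":
        findings.append(("global", "server role", "not an AD domain controller"))
    for param, wanted in RECOMMENDED_GLOBAL.items():
        current = g.get(normalize_key(param))
        if current is None:
            findings.append(("global", param,
                             "not set; relies on the build default, set '{}' explicitly".format(wanted)))
        elif normalize_value(current) != normalize_value(wanted):
            findings.append(("global", param, "is '{}', recommended '{}'".format(current, wanted)))
    for share, params in conf.items():
        if share != "global" and normalize_value(params.get("guestok", "no")) == "yes":
            findings.append((share, "guest ok", "anonymous access enabled on a DC share"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(label, audit(parse_smb_conf(text)) or "no findings")
```

Run it against the real file with the output of testparm -s rather than the raw smb.conf when the configuration uses include directives, since testparm expands them.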
Now start samba4 by hand:
[root@centos7 ~]# /usr/local/samba/sbin/samba
List the shares with the smbclient command (-U% is an anonymous connection: empty user name and empty password):
[root@centos7 ~]# /usr/local/samba/bin/smbclient -L localhost -U%
Domain=[FENESTROS] OS=[] Server=[]

	Sharename       Type      Comment
	---------       ----      -------
	netlogon        Disk
	sysvol          Disk
	IPC$            IPC       IPC Service (Samba 4.6.6)
Domain=[FENESTROS] OS=[] Server=[]

	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------
Test the authentication mechanism with smbclient again. Note that passing the password on the command line, as done here for the lab, exposes it in the process list and in the shell history; outside the lab give only -U Administrator and type the password at the prompt, or keep it in a credentials file passed with -A:
[root@centos7 ~]# smbclient //localhost/netlogon -UAdministrator%'P@$$w0rd' -c 'ls'
Domain=[FENESTROS] OS=[] Server=[]
  .                                   D        0  Tue Aug  1 09:42:03 2017
  ..                                  D        0  Tue Aug  1 09:49:01 2017

		10229760 blocks of size 1024. 5316272 blocks available
Now look at the list of samba processes. The samba master process forks one process per task and itself launches smbd and winbindd, with the server role check inhibited because they run as children of the AD DC process:
[root@centos7 ~]# ps aux | grep samba
root     18755  0.1  1.7 577544 36516 ?        Ss   09:51   0:00 /usr/local/samba/sbin/samba
root     18761  0.0  1.1 577544 23252 ?        S    09:51   0:00 /usr/local/samba/sbin/samba
root     18762  0.2  1.4 582268 28836 ?        S    09:51   0:00 /usr/local/samba/sbin/samba
root     18763  0.0  1.1 577544 24464 ?        S    09:51   0:00 /usr/local/samba/sbin/samba
root     18764  0.0  1.1 577544 23132 ?        S    09:51   0:00 /usr/local/samba/sbin/samba
root     18765  1.0  1.2 577544 25840 ?        S    09:51   0:01 /usr/local/samba/sbin/samba
root     18766  0.0  1.1 577544 23572 ?        S    09:51   0:00 /usr/local/samba/sbin/samba
root     18767  0.0  1.2 577544 25472 ?        S    09:51   0:00 /usr/local/samba/sbin/samba
root     18768  0.1  1.2 577544 24624 ?        S    09:51   0:00 /usr/local/samba/sbin/samba
root     18769  0.0  1.1 577544 23240 ?        S    09:51   0:00 /usr/local/samba/sbin/samba
root     18770  0.0  1.1 577544 23236 ?        S    09:51   0:00 /usr/local/samba/sbin/samba
root     18771  0.0  1.6 577544 33184 ?        S    09:51   0:00 /usr/local/samba/sbin/samba
root     18772  0.0  1.1 577544 24224 ?        S    09:51   0:00 /usr/local/samba/sbin/samba
root     18773  0.0  1.2 577964 25400 ?        S    09:51   0:00 /usr/local/samba/sbin/samba
root     18774  0.1  1.9 629596 39864 ?        Ss   09:51   0:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
root     18775  0.1  1.8 596408 38168 ?        Ss   09:51   0:00 /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
root     18784  0.0  1.1 623884 22940 ?        S    09:51   0:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
root     18785  0.0  1.1 623908 23072 ?        S    09:51   0:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
root     18786  0.0  1.2 602180 26244 ?        S    09:51   0:00 /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
root     18789  0.0  1.1 597356 24096 ?        S    09:51   0:00 /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
root     18795  0.0  1.2 602616 26092 ?        S    09:51   0:00 /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
root     18796  0.0  1.1 630104 23640 ?        S    09:51   0:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
root     19600  0.0  0.0 114692   968 pts/0    R+   09:53   0:00 grep --color=auto samba
Note that, according to systemctl, samba is not running: it was started by hand, outside the unit:
[root@centos7 ~]# systemctl status samba
● samba.service - Samba 4 Active Directory
   Loaded: loaded (/etc/systemd/system/samba.service; enabled; vendor preset: disabled)
   Active: inactive (dead)
Kill all the samba processes:
[root@centos7 ~]# killall samba
[root@centos7 ~]# ps aux | grep samba
root     20478  0.0  0.0 114692   968 pts/0    R+   09:56   0:00 grep --color=auto samba
Now start samba with systemctl and check that it works:
[root@centos7 ~]# systemctl start samba
[root@centos7 ~]# ps aux | grep samba
root     21578  5.3  1.7 577544 36512 ?        Ss   09:59   0:00 /usr/local/samba/sbin/samba
root     21586  0.0  1.1 577544 23248 ?        S    09:59   0:00 /usr/local/samba/sbin/samba
root     21587  0.3  1.3 581696 26864 ?        S    09:59   0:00 /usr/local/samba/sbin/samba
root     21588  0.3  1.1 577544 24460 ?        S    09:59   0:00 /usr/local/samba/sbin/samba
root     21589  0.0  1.1 577544 23128 ?        S    09:59   0:00 /usr/local/samba/sbin/samba
root     21590 19.0  1.2 577544 25560 ?        S    09:59   0:00 /usr/local/samba/sbin/samba
root     21591  0.0  1.1 577544 23560 ?        S    09:59   0:00 /usr/local/samba/sbin/samba
root     21592  0.0  1.2 579668 26432 ?        S    09:59   0:00 /usr/local/samba/sbin/samba
root     21593  0.0  1.1 577544 24444 ?        S    09:59   0:00 /usr/local/samba/sbin/samba
root     21594  0.0  1.1 577544 23236 ?        S    09:59   0:00 /usr/local/samba/sbin/samba
root     21595  0.0  1.1 577544 23232 ?        S    09:59   0:00 /usr/local/samba/sbin/samba
root     21596  0.0  1.1 577544 24124 ?        S    09:59   0:00 /usr/local/samba/sbin/samba
root     21597  0.0  1.1 577544 24100 ?        S    09:59   0:00 /usr/local/samba/sbin/samba
root     21598  0.0  1.2 580088 26336 ?        S    09:59   0:00 /usr/local/samba/sbin/samba
root     21600 10.3  2.6 699364 53812 ?        S    09:59   0:00 python /usr/local/samba/sbin/samba_dnsupdate
root     21602  5.3  1.9 629688 39664 ?        Ss   09:59   0:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
root     21603  7.0  1.8 596260 37736 ?        Ss   09:59   0:00 /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
root     21616  0.0  1.1 624200 22944 ?        S    09:59   0:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
root     21617  0.0  1.1 624200 22784 ?        S    09:59   0:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
root     21619  0.0  1.2 604620 25948 ?        S    09:59   0:00 /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
root     21620  0.0  1.1 630212 23632 ?        S    09:59   0:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
root     21633  0.0  0.0 114692   968 pts/0    R+   09:59   0:00 grep --color=auto samba
[root@centos7 ~]# /usr/local/samba/bin/smbclient -L localhost -U%
Domain=[FENESTROS] OS=[] Server=[]

	Sharename       Type      Comment
	---------       ----      -------
	netlogon        Disk
	sysvol          Disk
	IPC$            IPC       IPC Service (Samba 4.6.6)
Domain=[FENESTROS] OS=[] Server=[]

	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------
Configuring the Firewall
Note that firewalld must be running before it can be configured:
[root@centos7 ~]# firewall-cmd --add-port=53/tcp --permanent
FirewallD is not running
[root@centos7 ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:firewalld(1)
[root@centos7 ~]# systemctl enable firewalld
Created symlink from /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service to /usr/lib/systemd/system/firewalld.service.
Created symlink from /etc/systemd/system/basic.target.wants/firewalld.service to /usr/lib/systemd/system/firewalld.service.
[root@centos7 ~]# systemctl start firewalld
[root@centos7 ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2017-08-01 10:05:18 CEST; 14s ago
     Docs: man:firewalld(1)
 Main PID: 23675 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─23675 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Aug 01 10:05:18 centos7.fenestros.loc systemd[1]: Starting firewalld - dynamic firewall daemon...
Aug 01 10:05:18 centos7.fenestros.loc systemd[1]: Started firewalld - dynamic firewall daemon.
Now create the rules that open the ports Samba needs. Two caveats: 1024-5000/tcp is the legacy Windows dynamic RPC range; Samba up to 4.6 allocates its dynamic RPC endpoints in 1024-1300, and from 4.7 the default range is 49152-65535 (the rpc server dynamic port range parameter), so size this rule to your release rather than opening four thousand ports. And these rules open the ports to every source in the default zone, whereas a DC should only be reachable from the networks its clients and other DCs live on (rich rules with a source address, or a dedicated zone):
[root@centos7 ~]# firewall-cmd --add-port=53/tcp --permanent
success
[root@centos7 ~]# firewall-cmd --add-port=53/udp --permanent
success
[root@centos7 ~]# firewall-cmd --add-port=88/tcp --permanent
success
[root@centos7 ~]# firewall-cmd --add-port=88/udp --permanent
success
[root@centos7 ~]# firewall-cmd --add-port=135/tcp --permanent
success
[root@centos7 ~]# firewall-cmd --add-port=137-138/udp --permanent
success
[root@centos7 ~]# firewall-cmd --add-port=139/tcp --permanent
success
[root@centos7 ~]# firewall-cmd --add-port=389/tcp --permanent
success
[root@centos7 ~]# firewall-cmd --add-port=389/udp --permanent
success
[root@centos7 ~]# firewall-cmd --add-port=445/tcp --permanent
success
[root@centos7 ~]# firewall-cmd --add-port=464/tcp --permanent
success
[root@centos7 ~]# firewall-cmd --add-port=464/udp --permanent
success
[root@centos7 ~]# firewall-cmd --add-port=636/tcp --permanent
success
[root@centos7 ~]# firewall-cmd --add-port=1024-5000/tcp --permanent
success
[root@centos7 ~]# firewall-cmd --add-port=3268-3269/tcp --permanent
success
Finally, reload the configuration to apply it:
[root@centos7 ~]# firewall-cmd --reload
success
Configuring DNS
Now point /etc/resolv.conf at the samba4 DNS server; the file is generated by NetworkManager from the connection profile, so change the profile rather than the file:
[root@centos7 ~]# nmcli connection mod ip_fixe ipv4.dns 10.0.2.6
[root@centos7 ~]# cat /etc/sysconfig/network-scripts/ifcfg-ip_fixe
TYPE=Ethernet
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ip_fixe
UUID=7c801069-d035-4f2f-8496-a96385b83bcd
DEVICE=enp0s3
ONBOOT=yes
DNS1=10.0.2.6
IPADDR=10.0.2.6
PREFIX=24
GATEWAY=10.0.2.2
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
[root@centos7 ~]# systemctl restart NetworkManager.service
[root@centos7 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search fenestros.loc
nameserver 10.0.2.6
Restart samba and check that your DNS server answers a query. Note in the log the self-signed TLS certificate that Samba generates for LDAPS: clients cannot validate it, so on a production DC replace it with a certificate issued by your PKI (tls certfile, tls keyfile and tls cafile in smb.conf). The nslookup below only proves that forwarding to 8.8.8.8 works; to confirm the DC's own zone, also query the SRV records clients use to locate a DC (_ldap._tcp and _kerberos._udp under centosdom.fenestros.loc) and the DC's A record:
[root@centos7 ~]# systemctl restart samba
[root@centos7 ~]# systemctl status samba
● samba.service - Samba 4 Active Directory
   Loaded: loaded (/etc/systemd/system/samba.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2017-08-01 14:37:33 CEST; 9s ago
  Process: 15800 ExecStart=/usr/local/samba/sbin/samba (code=exited, status=0/SUCCESS)
 Main PID: 15805 (samba)
   CGroup: /system.slice/samba.service
           ├─15805 /usr/local/samba/sbin/samba
           ├─15810 /usr/local/samba/sbin/samba
           ├─15811 /usr/local/samba/sbin/samba
           ├─15812 /usr/local/samba/sbin/samba
           ├─15813 /usr/local/samba/sbin/samba
           ├─15814 /usr/local/samba/sbin/samba
           ├─15815 /usr/local/samba/sbin/samba
           ├─15816 /usr/local/samba/sbin/samba
           ├─15817 /usr/local/samba/sbin/samba
           ├─15818 /usr/local/samba/sbin/samba
           ├─15819 /usr/local/samba/sbin/samba
           ├─15820 /usr/local/samba/sbin/samba
           ├─15821 /usr/local/samba/sbin/samba
           ├─15822 /usr/local/samba/sbin/samba
           ├─15823 /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
           ├─15825 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
           ├─15835 /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
           ├─15836 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
           ├─15837 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
           ├─15847 /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
           ├─15848 /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
           └─15849 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground

Aug 01 14:37:33 centos7.fenestros.loc samba[15814]: [2017/08/01 14:37:33.677779, 0] ../source4/lib/tls/tlscert.c:72(tls_cert_generate)
Aug 01 14:37:33 centos7.fenestros.loc samba[15814]: Attempting to autogenerate TLS self-signed keys for https for hostname 'CENTOS7.centos...os.loc'
Aug 01 14:37:34 centos7.fenestros.loc winbindd[15823]: [2017/08/01 14:37:34.166967, 0] ../source3/winbindd/winbindd_cache.c:3171(initialize..._cache)
Aug 01 14:37:34 centos7.fenestros.loc winbindd[15823]: initialize_winbindd_cache: clearing cache and re-creating with version number 2
Aug 01 14:37:35 centos7.fenestros.loc winbindd[15823]: [2017/08/01 14:37:35.832250, 0] ../lib/util/become_daemon.c:124(daemon_ready)
Aug 01 14:37:35 centos7.fenestros.loc winbindd[15823]: STATUS=daemon 'winbindd' finished starting up and ready to serve connections
Aug 01 14:37:38 centos7.fenestros.loc samba[15814]: [2017/08/01 14:37:38.186065, 0] ../source4/lib/tls/tlscert.c:167(tls_cert_generate)
Aug 01 14:37:38 centos7.fenestros.loc samba[15814]: TLS self-signed keys generated OK
Aug 01 14:37:38 centos7.fenestros.loc smbd[15825]: [2017/08/01 14:37:38.382995, 0] ../lib/util/become_daemon.c:124(daemon_ready)
Aug 01 14:37:38 centos7.fenestros.loc smbd[15825]: STATUS=daemon 'smbd' finished starting up and ready to serve connections
Hint: Some lines were ellipsized, use -l to show in full.
[root@centos7 ~]# nslookup www.linuxelearning.com
Server:		10.0.2.6
Address:	10.0.2.6#53

Non-authoritative answer:
Name:	www.linuxelearning.com
Address: 213.186.33.17

Note the tls_cert_generate lines: Samba created a self-signed TLS certificate for its LDAPS listener (636/tcp). Clients will not trust it until you replace it with a certificate from your own CA via the tls certfile, tls keyfile and tls cafile parameters.
Test DNS with Samba

Now test the DNS server with Samba. You should get a result similar to this:
[root@centos7 ~]# host -t SRV _ldap._tcp.centosdom.fenestros.loc
_ldap._tcp.centosdom.fenestros.loc has SRV record 0 100 389 centos7.centosdom.fenestros.loc.
[root@centos7 ~]#
[root@centos7 ~]# host -t SRV _kerberos._udp.centosdom.fenestros.loc
_kerberos._udp.centosdom.fenestros.loc has SRV record 0 100 88 centos7.centosdom.fenestros.loc.
[root@centos7 ~]#
[root@centos7 ~]# host -t A centos7.centosdom.fenestros.loc
centos7.centosdom.fenestros.loc has address 10.0.2.6

Important - Note that the last command must return your own IP address. Domain members locate the LDAP server and the KDC through these SRV records, so if either is missing or points at the wrong host, domain joins and Kerberos authentication will fail.
Configure Kerberos

First, identify your realm:

[root@centos7 ~]# /usr/local/samba/bin/samba-tool testparm --suppress-prompt | grep realm
	realm = CENTOSDOM.FENESTROS.LOC
When Samba was installed, a Kerberos configuration template was saved in /usr/local/samba/share/setup/:

[root@centos7 ~]# cat /usr/local/samba/share/setup/krb5.conf
[libdefaults]
	default_realm = ${REALM}
	dns_lookup_realm = false
	dns_lookup_kdc = true
Edit this file to match your realm:

[root@centos7 ~]# vi /usr/local/samba/share/setup/krb5.conf
[root@centos7 ~]# cat /usr/local/samba/share/setup/krb5.conf
[libdefaults]
	default_realm = CENTOSDOM.FENESTROS.LOC
	dns_lookup_realm = false
	dns_lookup_kdc = true
Important - Note that the realm name is in UPPER CASE. Kerberos realm names are case-sensitive, and Active Directory realms are always the upper-cased DNS domain name.

Back up your existing /etc/krb5.conf, then replace it with the template you have just modified:

[root@centos7 ~]# cp /etc/krb5.conf /root
[root@centos7 ~]# cp /usr/local/samba/share/setup/krb5.conf /etc
cp: overwrite ‘/etc/krb5.conf’? y
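The same step as a script, added here as an example and not taken from the original page: it renders the krb5.conf shown above from the realm you read out of samba-tool testparm, refuses a realm that is not upper case, and keeps a timestamped backup of the file it overwrites. The realm is assumed to be passed as the first argument, and the target path (defaulting to /etc/krb5.conf) as an optional second argument so the script can be tried on a scratch file first.

```shell
#!/bin/sh
# Added example, not part of the original page.
# Usage: install_krb5_conf REALM [TARGET]
#   REALM  - the realm printed by: samba-tool testparm --suppress-prompt | grep realm
#   TARGET - file to write, default /etc/krb5.conf (assumption: override for testing)

# render_krb5_conf REALM : print the [libdefaults] block used on this page.
render_krb5_conf() {
    realm="$1"
    # Kerberos realms are case-sensitive; an AD realm must be upper case,
    # so reject anything else instead of writing a config that cannot find the KDC.
    if [ -z "$realm" ] || [ "$realm" != "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]; then
        echo "realm '$realm' is empty or not upper case" >&2
        return 1
    fi
    printf '[libdefaults]\n\tdefault_realm = %s\n\tdns_lookup_realm = false\n\tdns_lookup_kdc = true\n' "$realm"
}

# install_krb5_conf REALM [TARGET] : back up TARGET if present, then write it.
install_krb5_conf() {
    target="${2:-/etc/krb5.conf}"
    content="$(render_krb5_conf "$1")" || return 1
    if [ -f "$target" ]; then
        # Same idea as the page's "cp /etc/krb5.conf /root", but kept next to the file.
        cp -p "$target" "$target.bak.$(date +%Y%m%d%H%M%S)" || return 1
    fi
    printf '%s\n' "$content" > "$target"
}
```

Run it as `install_krb5_conf "$(/usr/local/samba/bin/samba-tool testparm --suppress-prompt 2>/dev/null | sed -n 's/^[[:space:]]*realm = //p')"` once you have checked the realm it prints; with dns_lookup_kdc = true, the KDC is found through the _kerberos SRV record tested in the previous section, so that record must resolve before kinit can work.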
Test Kerberos

Next, test the connection to the domain by obtaining a Kerberos ticket:

[root@centos7 ~]# kinit administrator@CENTOSDOM.FENESTROS.LOC
Password for administrator@CENTOSDOM.FENESTROS.LOC: P@$$w0rd
Warning: Your password will expire in 41 days on Tue 12 Sep 2017 14:31:14 CEST

Important - The kinit command obtains a Kerberos ticket and stores it in the credential cache. For more information on kinit, consult the manual page: man kinit. Note that the password P@$$w0rd is not echoed when you type it.
Then display the ticket:

[root@centos7 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@CENTOSDOM.FENESTROS.LOC

Valid starting       Expires              Service principal
01/08/17 14:44:09  02/08/17 00:44:09  krbtgt/CENTOSDOM.FENESTROS.LOC@CENTOSDOM.FENESTROS.LOC
	renew until 02/08/17 14:44:01

Important - The klist command lists the Kerberos tickets held in the credential cache. For more information on klist, consult the manual page: man klist. The cache file shown, /tmp/krb5cc_0, carries the domain administrator's identity for ten hours (renewable for a day), so run kdestroy when you have finished testing.
Create a Share

Important - Shut down your virtual machine and add a second disk of type vmdk, 8 GB in size and named share. Start your CentOS_7 virtual machine.

Create a single partition on the new disk:
[root@centos7 ~]# fdisk /dev/sdb
Welcome to fdisk (util-linux 2.23.2).

Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.

Device does not contain a recognized partition table
Building a new DOS disklabel with disk identifier 0xa423c6ab.

Command (m for help): p

Disk /dev/sdb: 8589 MB, 8589934592 bytes, 16777216 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0xa423c6ab

   Device Boot      Start         End      Blocks   Id  System

Command (m for help): n
Partition type:
   p   primary (0 primary, 0 extended, 4 free)
   e   extended
Select (default p): p
Partition number (1-4, default 1):
First sector (2048-16777215, default 2048):
Using default value 2048
Last sector, +sectors or +size{K,M,G} (2048-16777215, default 16777215):
Using default value 16777215
Partition 1 of type Linux and of size 8 GiB is set

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.
Syncing disks.
Now create an ext4 filesystem on /dev/sdb1:

[root@centos7 ~]# mkfs.ext4 /dev/sdb1
mke2fs 1.42.9 (28-Dec-2013)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
524288 inodes, 2096896 blocks
104844 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=2147483648
64 block groups
32768 blocks per group, 32768 fragments per group
8192 inodes per group
Superblock backups stored on blocks:
	32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632

Allocating group tables: done
Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done
Edit /etc/fstab so that /dev/sdb1 is mounted automatically with the user_xattr and acl options. Samba stores the Windows ACLs of a share in extended attributes and maps them onto POSIX ACLs, so both options are required on the share's filesystem:

[root@centos7 ~]# ls -l /dev/disk/by-uuid/ | grep sdb1
lrwxrwxrwx. 1 root root 10 Aug  1 14:58 891354b2-7b30-4393-9869-cfd095900200 -> ../../sdb1
[root@centos7 ~]# vi /etc/fstab
[root@centos7 ~]# cat /etc/fstab

#
# /etc/fstab
# Created by anaconda on Sat Apr 30 11:27:02 2016
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
UUID=e65fe7da-cda8-4f5a-a827-1b5cabe94bed /                       xfs     defaults        0 0
UUID=2d947276-66e8-41f4-8475-b64b67d7a249 /boot                   xfs     defaults        0 0
UUID=3181601a-7295-4ef0-a92c-f21f76b18e64 swap                    swap    defaults        0 0
UUID=891354b2-7b30-4393-9869-cfd095900200 /share                  ext4    user_xattr,acl  0 0
Mount the partition on the /share mount point:

[root@centos7 ~]# mkdir /share
[root@centos7 ~]# mount -a
[root@centos7 ~]# mount
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime,seclabel)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
devtmpfs on /dev type devtmpfs (rw,nosuid,seclabel,size=1010008k,nr_inodes=252502,mode=755)
securityfs on /sys/kernel/security type securityfs (rw,nosuid,nodev,noexec,relatime)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,seclabel)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,seclabel,gid=5,mode=620,ptmxmode=000)
tmpfs on /run type tmpfs (rw,nosuid,nodev,seclabel,mode=755)
tmpfs on /sys/fs/cgroup type tmpfs (ro,nosuid,nodev,noexec,seclabel,mode=755)
cgroup on /sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,xattr,release_agent=/usr/lib/systemd/systemd-cgroups-agent,name=systemd)
pstore on /sys/fs/pstore type pstore (rw,nosuid,nodev,noexec,relatime)
cgroup on /sys/fs/cgroup/hugetlb type cgroup (rw,nosuid,nodev,noexec,relatime,hugetlb)
cgroup on /sys/fs/cgroup/memory type cgroup (rw,nosuid,nodev,noexec,relatime,memory)
cgroup on /sys/fs/cgroup/cpu,cpuacct type cgroup (rw,nosuid,nodev,noexec,relatime,cpuacct,cpu)
cgroup on /sys/fs/cgroup/perf_event type cgroup (rw,nosuid,nodev,noexec,relatime,perf_event)
cgroup on /sys/fs/cgroup/freezer type cgroup (rw,nosuid,nodev,noexec,relatime,freezer)
cgroup on /sys/fs/cgroup/net_cls,net_prio type cgroup (rw,nosuid,nodev,noexec,relatime,net_prio,net_cls)
cgroup on /sys/fs/cgroup/devices type cgroup (rw,nosuid,nodev,noexec,relatime,devices)
cgroup on /sys/fs/cgroup/cpuset type cgroup (rw,nosuid,nodev,noexec,relatime,cpuset)
cgroup on /sys/fs/cgroup/blkio type cgroup (rw,nosuid,nodev,noexec,relatime,blkio)
cgroup on /sys/fs/cgroup/pids type cgroup (rw,nosuid,nodev,noexec,relatime,pids)
configfs on /sys/kernel/config type configfs (rw,relatime)
/dev/sda2 on / type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
selinuxfs on /sys/fs/selinux type selinuxfs (rw,relatime)
systemd-1 on /proc/sys/fs/binfmt_misc type autofs (rw,relatime,fd=34,pgrp=1,timeout=300,minproto=5,maxproto=5,direct)
mqueue on /dev/mqueue type mqueue (rw,relatime,seclabel)
debugfs on /sys/kernel/debug type debugfs (rw,relatime)
hugetlbfs on /dev/hugepages type hugetlbfs (rw,relatime,seclabel)
nfsd on /proc/fs/nfsd type nfsd (rw,relatime)
tmpfs on /tmp type tmpfs (rw,seclabel)
/dev/sda1 on /boot type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw,relatime)
fusectl on /sys/fs/fuse/connections type fusectl (rw,relatime)
tmpfs on /run/user/1000 type tmpfs (rw,nosuid,nodev,relatime,seclabel,size=204868k,mode=700,uid=1000,gid=1000)
gvfsd-fuse on /run/user/1000/gvfs type fuse.gvfsd-fuse (rw,nosuid,nodev,relatime,user_id=1000,group_id=1000)
tmpfs on /run/user/0 type tmpfs (rw,nosuid,nodev,relatime,seclabel,size=204868k,mode=700)
/dev/sdb1 on /share type ext4 (rw,relatime,seclabel,data=ordered)

Note that acl and user_xattr do not appear in the options listed for /dev/sdb1: ext4 enables both by default, so mount only prints them when they are explicitly disabled. The fstab entry still documents the requirement and protects against a filesystem created with different defaults.
Edit /usr/local/samba/etc/smb.conf and add the [share] section:

[root@centos7 ~]# vi /usr/local/samba/etc/smb.conf
[root@centos7 ~]# cat /usr/local/samba/etc/smb.conf
# Global parameters
[global]
	netbios name = CENTOS7
	realm = CENTOSDOM.FENESTROS.LOC
	workgroup = FENESTROS
	dns forwarder = 8.8.8.8
	server role = active directory domain controller

[netlogon]
	path = /usr/local/samba/var/locks/sysvol/centosdom.fenestros.loc/scripts
	read only = No

[sysvol]
	path = /usr/local/samba/var/locks/sysvol
	read only = No

[share]
	path = /share
	read only = No

The share is writable (read only = No) and carries no valid users restriction, so who may write to it is decided entirely by the permissions and ACLs on /share itself. Freshly created by mkdir, the directory is owned by root with mode 755, which is the safe starting point: nobody but root can write until you grant access explicitly, which the following steps let you do from Windows.
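Before restarting samba, it is worth checking a new share section mechanically. The script below is an added example, not code from the page or from the Samba project: it reads a parameter out of a named section of smb.conf and flags the two mistakes most often made at this step, a path that does not exist and a writable share sitting on a world-writable directory. The smb.conf it checks is a constructed copy of the one above, with the path pointed at a temporary directory so the script runs offline; on the server you would pass /usr/local/samba/etc/smb.conf and the share name instead.

```shell
#!/bin/sh
# Added example, not part of the original page.
# share_param CONF SHARE PARAM : print the value of PARAM inside [SHARE], if any.
# smb.conf keys are matched case-insensitively with surrounding whitespace ignored.
share_param() {
    awk -v want="[$2]" -v key="$(printf '%s' "$3" | tr '[:upper:]' '[:lower:]')" '
        /^[ \t]*\[/ { in_section = ($1 == want); next }
        in_section && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == key) { print v; exit }
        }
    ' "$1"
}

# check_share CONF SHARE : print one finding per line, exit 1 if there is any.
check_share() {
    rc=0
    path="$(share_param "$1" "$2" path)"
    if [ -z "$path" ]; then
        echo "[$2]: no path defined"
        return 1
    fi
    if [ ! -d "$path" ]; then
        echo "[$2]: $path is not a directory"
        return 1
    fi
    # A writable share on a world-writable directory lets every authenticated
    # domain user drop files there, whatever ACLs are set from Windows later.
    ro="$(share_param "$1" "$2" 'read only' | tr '[:upper:]' '[:lower:]')"
    case "$ro" in
        no|false|0)
            if [ -n "$(find "$path" -maxdepth 0 -perm -002)" ]; then
                echo "[$2]: writable share on world-writable directory $path"
                rc=1
            fi ;;
    esac
    return $rc
}

# Constructed smb.conf mirroring the page's [share] section (assumption:
# the path is a temp directory here instead of /share so this runs anywhere).
SHARE_DIR="$(mktemp -d)"
CONF="$SHARE_DIR/smb.conf"
cat > "$CONF" <<EOF
[global]
	netbios name = CENTOS7
	realm = CENTOSDOM.FENESTROS.LOC
	workgroup = FENESTROS
	server role = active directory domain controller

[share]
	path = $SHARE_DIR
	read only = No
EOF
chmod 755 "$SHARE_DIR"
check_share "$CONF" share && echo "[share] looks sane"
```

The world-writable test is deliberately about the directory's own mode bits and not the ACL: a later setfacl or a Windows security tab change adds entries on top of those bits, but an o+w mode underneath them is what a lint should catch. Samba's own testparm still validates the syntax; this script only checks what testparm does not.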
Restart samba4:

[root@centos7 ~]# systemctl restart samba
[root@centos7 ~]# systemctl status samba
● samba.service - Samba 4 Active Directory
   Loaded: loaded (/etc/systemd/system/samba.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2017-08-02 09:10:42 CEST; 8s ago
  Process: 2570 ExecStart=/usr/local/samba/sbin/samba (code=exited, status=0/SUCCESS)
 Main PID: 2571 (samba)
   CGroup: /system.slice/samba.service
           ├─2571 /usr/local/samba/sbin/samba
           ├─2576 /usr/local/samba/sbin/samba
           ├─2577 /usr/local/samba/sbin/samba
           ├─2578 /usr/local/samba/sbin/samba
           ├─2579 /usr/local/samba/sbin/samba
           ├─2580 /usr/local/samba/sbin/samba
           ├─2581 /usr/local/samba/sbin/samba
           ├─2582 /usr/local/samba/sbin/samba
           ├─2583 /usr/local/samba/sbin/samba
           ├─2584 /usr/local/samba/sbin/samba
           ├─2585 /usr/local/samba/sbin/samba
           ├─2586 /usr/local/samba/sbin/samba
           ├─2587 /usr/local/samba/sbin/samba
           ├─2588 /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
           ├─2589 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
           ├─2592 /usr/local/samba/sbin/samba
           ├─2593 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
           ├─2594 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
           ├─2595 /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
           └─2597 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground

Aug 02 09:10:42 centos7.fenestros.loc samba[2571]: [2017/08/02 09:10:42.518909, 0] ../source4/smbd/server.c:487(binary_smbd_main)
Aug 02 09:10:42 centos7.fenestros.loc samba[2571]: samba: using 'standard' process model
Aug 02 09:10:42 centos7.fenestros.loc samba[2571]: [2017/08/02 09:10:42.569470, 0] ../lib/util/become_daemon.c:124(daemon_ready)
Aug 02 09:10:42 centos7.fenestros.loc samba[2571]: STATUS=daemon 'samba' finished starting up and ready to serve connections
Aug 02 09:10:42 centos7.fenestros.loc winbindd[2588]: [2017/08/02 09:10:42.826363, 0] ../source3/winbindd/winbindd_cache.c:3171(initialize_..._cache)
Aug 02 09:10:42 centos7.fenestros.loc winbindd[2588]: initialize_winbindd_cache: clearing cache and re-creating with version number 2
Aug 02 09:10:43 centos7.fenestros.loc winbindd[2588]: [2017/08/02 09:10:43.568911, 0] ../lib/util/become_daemon.c:124(daemon_ready)
Aug 02 09:10:43 centos7.fenestros.loc winbindd[2588]: STATUS=daemon 'winbindd' finished starting up and ready to serve connections
Aug 02 09:10:43 centos7.fenestros.loc smbd[2589]: [2017/08/02 09:10:43.735365, 0] ../lib/util/become_daemon.c:124(daemon_ready)
Aug 02 09:10:43 centos7.fenestros.loc smbd[2589]: STATUS=daemon 'smbd' finished starting up and ready to serve connections
Hint: Some lines were ellipsized, use -l to show in full.
To manage share permissions from Windows (for example from the Computer Management console), the account doing so needs the SeDiskOperatorPrivilege privilege. Grant it to the BUILTIN\Administrators group rather than to individual users, and to nothing wider: whoever holds it can create and modify shares and their permissions on this server.

[root@centos7 ~]# net rpc rights grant 'BUILTIN\Administrators' SeDiskOperatorPrivilege -Uadministrator
Enter administrator's password:P@$$w0rd
Successfully granted rights.
Finally, verify that the privilege has been granted:

[root@centos7 ~]# net rpc rights list accounts -Uadministrator
Enter administrator's password:P@$$w0rd
BUILTIN\Print Operators
 SeLoadDriverPrivilege
 SeShutdownPrivilege
 SeInteractiveLogonRight

BUILTIN\Account Operators
 SeInteractiveLogonRight

BUILTIN\Backup Operators
 SeBackupPrivilege
 SeRestorePrivilege
 SeShutdownPrivilege
 SeInteractiveLogonRight

BUILTIN\Administrators
 SeSecurityPrivilege
 SeBackupPrivilege
 SeRestorePrivilege
 SeSystemtimePrivilege
 SeShutdownPrivilege
 SeRemoteShutdownPrivilege
 SeTakeOwnershipPrivilege
 SeDebugPrivilege
 SeSystemEnvironmentPrivilege
 SeSystemProfilePrivilege
 SeProfileSingleProcessPrivilege
 SeIncreaseBasePriorityPrivilege
 SeLoadDriverPrivilege
 SeCreatePagefilePrivilege
 SeIncreaseQuotaPrivilege
 SeChangeNotifyPrivilege
 SeUndockPrivilege
 SeManageVolumePrivilege
 SeImpersonatePrivilege
 SeCreateGlobalPrivilege
 SeEnableDelegationPrivilege
 SeInteractiveLogonRight
 SeNetworkLogonRight
 SeRemoteInteractiveLogonRight
 SeDiskOperatorPrivilege

BUILTIN\Server Operators
 SeBackupPrivilege
 SeSystemtimePrivilege
 SeRemoteShutdownPrivilege
 SeRestorePrivilege
 SeShutdownPrivilege
 SeInteractiveLogonRight

BUILTIN\Pre-Windows 2000 Compatible Access
 SeRemoteInteractiveLogonRight
 SeChangeNotifyPrivilege

SeDiskOperatorPrivilege now appears at the end of the BUILTIN\Administrators list and nowhere else, which is the expected state.
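Reading that list by eye does not scale once more groups carry rights, so here is an added example (not from the page or from the Samba project) that parses the output format of net rpc rights list accounts, which prints each account on an unindented line followed by its rights indented by one space and separated by a blank line, and answers two questions: who holds a given right, and whether a single account is its only holder. The sample output embedded below is constructed from a subset of the listing above.

```shell
#!/bin/sh
# Added example, not part of the original page.
# Constructed sample in the format printed by "net rpc rights list accounts"
# (a subset of the rights shown on the page).
SAMPLE_RIGHTS='BUILTIN\Print Operators
 SeLoadDriverPrivilege
 SeShutdownPrivilege
 SeInteractiveLogonRight

BUILTIN\Backup Operators
 SeBackupPrivilege
 SeRestorePrivilege

BUILTIN\Administrators
 SeSecurityPrivilege
 SeBackupPrivilege
 SeDiskOperatorPrivilege

BUILTIN\Server Operators
 SeBackupPrivilege
 SeRestorePrivilege'

# holders_of RIGHT < listing : print every account holding RIGHT, one per line.
holders_of() {
    awk -v right="$1" '
        /^[^ \t]/ { account = $0; next }   # unindented line: a new account name
        NF == 0   { next }                 # blank line: separator between accounts
        $1 == right { print account }      # indented line: one right of that account
    '
}

# only_holder ACCOUNT RIGHT < listing : succeed only if ACCOUNT is the sole holder.
# Use it as a check that a privilege has not quietly spread to other groups.
only_holder() {
    holders="$(holders_of "$2")"
    [ "$holders" = "$1" ]
}

printf '%s\n' "$SAMPLE_RIGHTS" | holders_of SeDiskOperatorPrivilege
printf '%s\n' "$SAMPLE_RIGHTS" | only_holder 'BUILTIN\Administrators' SeDiskOperatorPrivilege \
    && echo "SeDiskOperatorPrivilege is held by BUILTIN\\Administrators only"
```

On the server, pipe the live listing in instead of the sample: net rpc rights list accounts -Uadministrator | holders_of SeDiskOperatorPrivilege. The same only_holder check is worth keeping for SeBackupPrivilege and SeRestorePrivilege, which bypass file ACLs entirely and already appear on several built-in groups above.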
Join a Windows 10 System to the Domain

Start by importing the Windows™ 10 virtual machine, then configure its network as NAT Network > NatNetwork.

Give the virtual machine a fixed IP address:

- IP address: 10.0.2.7
- Subnet mask: 255.255.255.0
- Default gateway: 10.0.2.2 (the VirtualBox gateway)
- Preferred DNS server: 10.0.2.6 (the IP address of your samba server)

The DNS setting is the one that matters for the join: the Windows client locates the domain controller through the SRV records tested earlier, so it must use the samba server as its resolver and nothing else.

Check Internet access and communication with the Samba server:

Put the virtual machine in the FENESTROS domain:

IMPORTANT - DO NOT RESTART THE VIRTUAL MACHINE.
Manage the Domain from the Windows 10 System

To manage samba's FENESTROS domain, we need the Microsoft Remote Server Administration Tools (RSAT). Download them following https://wiki.samba.org/index.php/Installing_RSAT.

Then install the tools:

Restart the Windows™ 10 virtual machine and log on to the FENESTROS domain as administrator with the password P@$$w0rd.

Then run dsa.msc:

Right-click centosdom.fenestros.loc, then New > User:

Create the user linuxuser with the password Wind0ws:
Copyright © 2020 Hugh Norris.