Manual CentOS Active Directory

This document provides instructions for configuring a CentOS 7 server to act as an Active Directory domain controller using Samba. It describes steps for initial server configuration including package installation and updates, assigning a static IP, configuring the hostname and network settings. It also covers firewall configuration, installing and configuring Samba, promoting the server to a domain controller, and configuring BIND for DNS integration with Active Directory.

Uploaded by Luis Miguel HD

CENTOS 7 AD – SAMBA CONFIGURATION MANUAL

Samba version: 4.8.3

1.- Basic server configuration

Basic packages and utilities:

# yum install -y bash-completion net-tools vim nano wget

2.- Update the server, packages and dependencies:

# yum -y groupinstall 'Development Tools'

# wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm

# rpm -ivh epel-release-latest-7.noarch.rpm

(On CentOS 7 the same package is also in the extras repository, so `yum install -y epel-release` gets it through yum's GPG signature check instead of a bare download.)

Build dependencies for Samba. The original list repeated several packages and named "pop-devel", which does not exist; the popt headers package is popt-devel:

# yum install -y attr bind-utils docbook-style-xsl gcc gdb krb5-workstation \
libsemanage-python libxslt perl perl-ExtUtils-MakeMaker \
perl-Parse-Yapp perl-Test-Base pkgconfig policycoreutils-python \
python-crypto gnutls-devel libattr-devel keyutils-libs-devel \
libacl-devel libaio-devel libblkid-devel libxml2-devel openldap-devel \
pam-devel popt-devel python-devel readline-devel zlib-devel systemd-devel \
iniparser libldb libtalloc libtdb libtevent \
krb5-devel cups-devel jansson-devel gpgme-devel libarchive-devel lmdb

# yum install -y bind

# yum -y update

2.1.- Set a static IP on the server:

# nano /etc/sysconfig/network-scripts/ifcfg-eth0

Contents (DNS1 points at the server itself, because the DC has to resolve its own AD zone; the original file had the typo "DN2", the key is DNS2):

TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=eth0
UUID=98fb1987-e6a8-41c5-aa94-3587bd884d45
DEVICE=eth0
ONBOOT=yes
IPADDR=192.168.4.199
PREFIX=24
GATEWAY=192.168.4.1
DNS1=192.168.4.199
DNS2=8.8.8.8
DOMAIN=accesoc.adir
IPV6_PRIVACY=no
______________________________________________________________

Caveat: a public resolver as a second nameserver is a bad fit for a DC. The resolver library falls back to it whenever the first server is slow, and it cannot answer for accesoc.adir, so AD lookups fail intermittently. Once BIND is running, keep the DC as the only nameserver and send external queries out through BIND's forwarders option instead.

2.2.- After adding or changing the configuration, apply it with:

# systemctl restart network

2.3.- Set the server's hostname and verify it:

Set the hostname for our server, seract (the active server):

# hostnamectl set-hostname seract

Then check the short name, the domain and the FQDN. The FQDN is derived from /etc/hosts, which is configured in the next step, so the last two commands only give the expected answers after that step:

# hostname

# hostname -d
accesoc.adir

# hostname -f
seract.accesoc.adir

2.4.- Configure the hosts file and add the server's name and IP:

# nano /etc/hosts

Contents:

127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
#::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.4.199 seract.accesoc.adir seract
______________________________________________________________

The FQDN must map to the server's real address and not to 127.0.0.1, otherwise the DNS records created during provisioning point at loopback.

2.5.- Configure resolv.conf:

# nano /etc/resolv.conf

Contents:
# Generated by NetworkManager
search accesoc.adir
nameserver 192.168.4.199
nameserver 8.8.8.8
_________________________________________________________

2.6.- Make the file immutable, so that nothing (NetworkManager included) rewrites this configuration:

# chattr +i /etc/resolv.conf

Caveat: the immutable bit also blocks the nmcli DNS change in step 5.3; run `chattr -i /etc/resolv.conf` before that step and set the flag again afterwards. The note in 2.1 about a public resolver as second nameserver applies to this file as well.

3.- Firewall and SELinux configuration

Check the firewall status:

# systemctl status firewalld

3.1.- Add services and open ports in the firewall for Samba:

firewall-cmd --add-service={dns,kerberos,kpasswd,ldap,ldaps,samba} --permanent
firewall-cmd --permanent --add-port=111/tcp
firewall-cmd --permanent --add-port=111/udp
firewall-cmd --permanent --add-port=53/tcp
firewall-cmd --permanent --add-port=53/udp
firewall-cmd --permanent --add-port=88/tcp
firewall-cmd --permanent --add-port=88/udp
firewall-cmd --permanent --add-port=135/tcp
firewall-cmd --permanent --add-port=137/tcp
firewall-cmd --permanent --add-port=137/udp
firewall-cmd --permanent --add-port=138/udp
firewall-cmd --permanent --add-port=139/tcp
firewall-cmd --permanent --add-port=389/tcp
firewall-cmd --permanent --add-port=389/udp
firewall-cmd --permanent --add-port=445/tcp
firewall-cmd --permanent --add-port=464/tcp
firewall-cmd --permanent --add-port=464/udp
firewall-cmd --permanent --add-port=636/tcp
firewall-cmd --permanent --add-port=1024/tcp
firewall-cmd --permanent --add-port=1024/udp
firewall-cmd --permanent --add-port=5000/tcp
firewall-cmd --permanent --add-port=5000/udp
firewall-cmd --permanent --add-port=3500/tcp
firewall-cmd --permanent --add-port=3268/tcp
firewall-cmd --permanent --add-port=3269/tcp
firewall-cmd --permanent --add-port=5353/tcp
firewall-cmd --permanent --add-port=5353/udp
firewall-cmd --permanent --add-port=32774/tcp
firewall-cmd --permanent --add-port=834/tcp
firewall-cmd --permanent --add-port=49152-65535/tcp

firewall-cmd --reload

Notes: the original manual had two separate lines for 49152/tcp and 65535/tcp. Those open only those two ports, while a Samba AD DC uses the whole dynamic RPC range 49152-65535/tcp (replication and the RSAT MMC consoles break without it), so the range is opened above. Samba's documented AD DC ports are 53, 88, 135, 137-139, 389, 445, 464, 636, 3268, 3269 and 49152-65535, plus 5353 when multicast DNS is enabled. Ports 111, 834, 1024, 3500, 5000 and 32774 are not among them and are kept here only because the original lists them; 111 is rpcbind (NFS), not Samba. Open them only if something you run actually listens there.
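The same rule set as a script, added here as an example and not part of the original manual: it derives the firewall-cmd lines from Samba's documented AD DC port usage (so the dynamic RPC range is a real range), prints them for review by default, and applies them only when APPLY=1 is set. The APPLY variable and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original manual): build the firewalld rules for
# a Samba AD DC from Samba's documented port usage. Prints the commands by
# default; set APPLY=1 to execute them on a host that has firewall-cmd.
set -eu

# Ports a Samba AD DC listens on (Samba wiki, "Samba AD DC Port Usage").
# 5353 tcp/udp (multicast DNS) is only needed when mDNS is enabled, so it is
# not included. The last entry is a range: the dynamic RPC ports.
ADDC_PORTS="53/tcp 53/udp 88/tcp 88/udp 135/tcp 137/udp 138/udp 139/tcp \
389/tcp 389/udp 445/tcp 464/tcp 464/udp 636/tcp 3268/tcp 3269/tcp \
49152-65535/tcp"

# Emit one firewall-cmd invocation per port spec, then the reload.
# Plain text, so it can be reviewed or diffed before anything is run.
build_firewall_cmds() {
    for p in $ADDC_PORTS; do
        printf 'firewall-cmd --permanent --add-port=%s\n' "$p"
    done
    printf 'firewall-cmd --reload\n'
}

# Number of port ranges in the list. The manual's two single-port lines for
# 49152 and 65535 would make this 0 and leave 49153-65534 closed.
count_ranges() {
    n=0
    for p in $ADDC_PORTS; do
        case "$p" in
            *-*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Check that every range is well-formed (low < high). Prints offenders, if any.
bad_ranges() {
    for p in $ADDC_PORTS; do
        case "$p" in
            *-*)
                lo=${p%%-*}
                hi=${p#*-}; hi=${hi%/*}
                if [ "$lo" -ge "$hi" ]; then
                    echo "$p"
                fi
                ;;
        esac
    done
}

if [ "${APPLY:-0}" = "1" ]; then
    [ -z "$(bad_ranges)" ] || { echo "malformed range in ADDC_PORTS" >&2; exit 1; }
    build_firewall_cmds | while IFS= read -r cmd; do
        echo "+ $cmd"
        $cmd                     # word-split on purpose: runs firewall-cmd ...
    done
else
    build_firewall_cmds
fi
```

Run it once without APPLY and compare the output with `firewall-cmd --list-all`; anything open on the DC that is not in this list needs a reason.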

3.2.- SELinux configuration (/etc/selinux/config): this manual disables SELinux

# sestatus

# nano /etc/selinux/config

Contents:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
______________________________________________________________

Caveat: SELINUX=disabled removes mandatory access control from the whole host, not only from Samba. If you want to keep it, SELINUX=permissive logs the denials that a self-compiled Samba with non-standard paths triggers without blocking them, so a local policy can be written from the audit log later. Either change takes effect after a reboot:

# reboot

4.- Compiling and installing Samba

Download and unpack Samba:

# curl -O https://download.samba.org/pub/samba/stable/samba-4.8.3.tar.gz
# tar -zxvf samba-4.8.3.tar.gz
# cd samba-4.8.3

Before unpacking, verify the download: Samba publishes a detached GPG signature for each release (samba-4.8.3.tar.asc, made over the uncompressed tarball) signed with the Samba distribution key, so gunzip the archive and check it with gpg against that key. Samba 4.8 is no longer a supported release series; the procedure is the same for a current stable tarball.

4.1 Test and configure Samba's installation paths:

# ./configure \
--prefix=/usr \
--localstatedir=/var \
--with-configdir=/etc/samba \
--libdir=/usr/lib64 \
--with-modulesdir=/usr/lib64/samba \
--with-pammodulesdir=/lib64/security \
--with-lockdir=/var/lib/samba \
--with-logfilebase=/var/log/samba \
--with-piddir=/run/samba \
--with-privatedir=/etc/samba \
--enable-cups \
--with-acl-support \
--with-ads \
--with-automount \
--enable-fhs \
--with-pam \
--with-quotas \
--with-shared-modules=idmap_rid,idmap_ad,idmap_hash,idmap_adex \
--with-syslog \
--with-utmp \
--with-dnsupdate

4.2.- Build and install Samba: takes around 20 minutes

# make

# make install

4.3.- Create the systemd unit for Samba (the paths match the --with-piddir and --prefix values used in 4.1):

# nano /usr/lib/systemd/system/samba.service

Contents:

[Unit]
Description=Samba AD Daemon
Wants=network-online.target
After=network.target network-online.target rsyslog.service

[Service]
Type=forking
PIDFile=/run/samba/samba.pid
LimitNOFILE=16384
ExecStart=/usr/sbin/samba --daemon
ExecReload=/bin/kill -HUP $MAINPID

[Install]
WantedBy=multi-user.target
______________________________________________________________
4.4.- tmpfiles entry so the PID directory exists after every boot:

# nano /etc/tmpfiles.d/samba.conf

Contents:

d /var/run/samba 0755 root root -

______________________________________________________________

4.5.- Remove the existing krb5.conf (provisioning generates one for the new realm; keep a copy first if this host was already a Kerberos client)

# rm /etc/krb5.conf

5.- Promoting the domain controller (AD DC)

# samba-tool domain provision

Realm [ACCESOC.ADIR]: press Enter

Domain [ACCESOC]: press Enter

Server Role (dc, member, standalone) [dc]: Enter

DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: BIND9_DLZ

It then asks for the Administrator password; use a strong one. The original manual records the one it used, Des4cc3s0171215, which is therefore public and must not be reused anywhere.

With the BIND9_DLZ backend, provisioning writes the BIND include file here (for the --prefix=/usr --localstatedir=/var build from 4.1):

/var/lib/samba/bind-dns/named.conf

or, for a default-prefix build installed under /usr/local/samba:

/usr/local/samba/bind-dns/named.conf

--------

5.1.- Edit BIND's named.conf

# nano /etc/named.conf

Add the active server's IP and the two Samba lines, so that the file reads as follows:

Contents:

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
listen-on port 53 { 127.0.0.1;192.168.4.199; };
tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab"; // added: not in the stock file
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
allow-query { localhost; 192.168.4.0/24; }; // the original had only 192.168.4.199 here, which refuses the domain clients

/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;

dnssec-enable yes;
dnssec-validation yes;

/* Path to ISC DLV key */


bindkeys-file "/etc/named.root.key";

managed-keys-directory "/var/named/dynamic";

pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};

zone "." IN {
type hint;
file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/var/lib/samba/bind-dns/named.conf"; // added: not in the stock file
__________________________________________________________

- Add, as the second line inside options {, below listen-on:

tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";

- Add, as the last line, the absolute path of Samba's generated named.conf:

include "/var/lib/samba/bind-dns/named.conf";

- allow-query restricts which source addresses may query this server at all. The original manual allowed only localhost and the DC's own address, so the Windows client configured in step 6 (which uses 192.168.4.199 as its DNS server) would have been refused; the client subnet 192.168.4.0/24 is allowed above. Since recursion is enabled, restrict it to the same addresses as well (allow-recursion { localhost; 192.168.4.0/24; };), otherwise anything that can reach port 53 can use the DC as an open resolver.

__________________________________________________________

5.2.- Set ownership and permissions on the files BIND has to read:

# chgrp named /var/lib/samba/bind-dns/dns.keytab

# chmod g+r /var/lib/samba/bind-dns/dns.keytab

# chgrp named /var/lib/samba/bind-dns/named.conf

# chmod g+r /var/lib/samba/bind-dns/named.conf

named runs as the user named and needs the keytab for GSS-TSIG dynamic updates and the include for the DLZ zones. Give it group read access only; the keytab holds the DNS service's Kerberos key and must not become world-readable.

5.3.- Point the NIC at the local resolver and start the services:

# nmcli connection modify eth0 ipv4.dns 127.0.0.1

# nmcli connection down eth0; nmcli connection up eth0

(If resolv.conf was made immutable in step 2.6, clear the flag first; otherwise NetworkManager cannot write the change.)

# systemctl restart named

# systemctl enable named

The original manual lists `samba-tool domain provision` again at this point. Provisioning only needs to run once, in step 5; skip it here if that step completed.

# cp /etc/samba/krb5.conf /etc/

# systemctl restart samba

# systemctl enable samba

# systemctl status samba

If you see "error code 110 Failed DNS update", re-link the DNS backend:

# samba_upgradedns --dns-backend=BIND9_DLZ

then restart samba once more and confirm the status is OK.

# samba-tool domain level show

(informational only)

5.4.- Check DNS in Samba:

# samba_dnsupdate --verbose

# host -t A <hostname>.<domain>

Example: host -t A seract.accesoc.adir

"seract.accesoc.adir has address 192.168.4.199"

If records are missing, re-run the backend upgrade and the update:

# samba_upgradedns --dns-backend=BIND9_DLZ

# samba_dnsupdate --verbose
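The A-record check above is the minimum; a Windows client locates the DC through a set of SRV records, and a join fails if any of them is missing. The following script is an added example, not part of the original manual: it parses host(1) output for those records and reports each one. The REALM, DC_FQDN and DC_IP values mirror the manual's domain, the LIVE variable and the function names are this example's own, and the sample lines in the checks are constructed from the answer format host prints.

```shell
#!/bin/sh
# Added example (not from the original manual): verify the DNS records a
# Windows client uses to locate the DC, by parsing host(1) output. The
# REALM/DC_FQDN/DC_IP values mirror the manual; change them for your domain.
set -eu

REALM=accesoc.adir
DC_FQDN=seract.accesoc.adir
DC_IP=192.168.4.199

# check_srv_line LINE PORT TARGET
# LINE is one answer line from `host -t SRV <name>`, e.g.
#   _ldap._tcp.accesoc.adir has SRV record 0 100 389 seract.accesoc.adir.
# Succeeds only if it is an SRV answer pointing at TARGET on PORT.
check_srv_line() {
    srv_line=$1; want_port=$2; want_target=$3
    set -- $srv_line            # split into words (host output, not user input)
    # words: 1 name, 2 "has", 3 "SRV", 4 "record", 5 prio, 6 weight, 7 port, 8 target
    if [ $# -ge 8 ] && [ "$3" = "SRV" ] && [ "$7" = "$want_port" ] \
        && [ "${8%.}" = "$want_target" ]; then
        return 0
    fi
    return 1
}

# check_a_line LINE IP
# LINE is the answer line from `host -t A <fqdn>`:
#   seract.accesoc.adir has address 192.168.4.199
check_a_line() {
    a_line=$1; want_ip=$2
    set -- $a_line
    if [ $# -ge 4 ] && [ "$3" = "address" ] && [ "$4" = "$want_ip" ]; then
        return 0
    fi
    return 1
}

# SRV names a client queries during DC location, with the port each must
# carry: LDAP 389, Kerberos 88, kpasswd 464, Global Catalog 3268.
srv_checks() {
    printf '%s\n' \
        "_ldap._tcp.$REALM 389" \
        "_ldap._tcp.dc._msdcs.$REALM 389" \
        "_kerberos._tcp.$REALM 88" \
        "_kerberos._udp.$REALM 88" \
        "_kerberos._tcp.dc._msdcs.$REALM 88" \
        "_kpasswd._tcp.$REALM 464" \
        "_kpasswd._udp.$REALM 464" \
        "_gc._tcp.$REALM 3268"
}

# Query the DC's own resolver for every record. Runs only with LIVE=1,
# because it needs a provisioned DC and host(1) from bind-utils.
live_check() {
    srv_checks | while read -r name port; do
        out=$(host -t SRV "$name" "$DC_IP" | grep ' SRV record ' || true)
        if check_srv_line "$out" "$port" "$DC_FQDN"; then
            echo "ok   $name -> $DC_FQDN:$port"
        else
            echo "FAIL $name (got: ${out:-no answer})"
        fi
    done
    out=$(host -t A "$DC_FQDN" "$DC_IP" | grep ' has address ' || true)
    if check_a_line "$out" "$DC_IP"; then
        echo "ok   $DC_FQDN -> $DC_IP"
    else
        echo "FAIL $DC_FQDN A record (got: ${out:-no answer})"
    fi
}

if [ "${LIVE:-0}" = "1" ]; then
    live_check
fi
```

Run it on the DC as `LIVE=1 sh check-dc-dns.sh` after step 5.4, and again from a client subnet host (with DC_IP pointing at the DC) to confirm that the allow-query change in 5.1 actually lets clients in. A FAIL on the _msdcs records with the plain ones passing usually means samba_dnsupdate has not run since the BIND backend was reconfigured.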
6.- On Windows: join a client to the domain and install RSAT

****Client-PC****

- Set the client's DNS server to the DC's address, e.g. 192.168.4.199

- Check that the domain is reachable:

ping seract (should answer)

- Then change the PC's domain:

File Explorer > This PC > Properties > Change settings > Change > enter the domain that was created, e.g.:

accesoc.adir

- Reboot

**Sign in to the domain as the administrator user:

Administrator
Des4cc3s0171215

A new Administrator profile is created.

****Client-Administrator****

Then, in a PowerShell window started as administrator, run the following commands:

RSAT (Remote Server Administration Tools): the tools for managing computers and servers remotely. (The original expands the acronym as "Regression suite automation tool", which is wrong.) Installing RSAT as a Windows capability, as below, works on Windows 10 1809 and later; earlier builds need the separate RSAT installer download.

Get-Command -Noun WindowsCapability

Get-WindowsCapability -Name RSAT* -Online

Shows whether each RSAT tool is installed:

Get-WindowsCapability -Name RSAT* -Online | Select-Object -Property DisplayName, State

Installs all available RSAT tools:

Get-WindowsCapability -Name RSAT* -Online | Add-WindowsCapability -Online

Get-WindowsCapability -Name RSAT* -Online | Select-Object -Property DisplayName, State

As an example, a user is created and denied access to Control Panel and PC settings:

Go to Server Manager:

- Active Directory Users and Computers:

create the user jjulca with the password "Acceso123" (a lab value; real accounts must meet the domain password policy)

- Group Policy Management

go to your domain > New GPO - give it a name, e.g. Control Panel (creating it under the domain node links it to the whole domain)

select the Control Panel GPO and click Edit

Go to User Configuration > Policies > Administrative Templates > Control Panel > double-click the item "Prohibit access to Control Panel and PC settings" > select Enabled - Apply and OK.

Log off or switch user on the PC

****Client****

sign in with the created user: jjulca Acceso123

and try to open Control Panel; access is denied

7.- Managing Samba from the CLI:

# samba-tool user list
# samba-tool user create nameuser
# samba-tool user delete nameuser
# samba-tool user setpassword nameuser
# samba-tool user setexpiry nameuser --days=9
# samba-tool user disable nameuser
# samba-tool user enable nameuser

# samba-tool group list
# samba-tool group listmembers "Domain Users"
# samba-tool group add namegroup
# samba-tool group addmembers namegroup nameuser
# samba-tool group removemembers namegroup nameuser
# samba-tool group delete namegroup

user create and user setpassword prompt for the password when none is given; prefer that to passing it as an argument, which leaves it in the shell history and in the process list.

8.- Shared folders:

# mkdir /publico

# chmod 777 /publico

# nano /etc/samba/smb.conf

Contents (map to guest goes in the [global] section; the share is its own section):

map to guest = Bad User

[PUBLICO]
path = /publico/
writable = yes
guest ok = yes
guest only = yes
create mode = 0777
directory mode = 0777
____________________________________

Caveat: this is an anonymous, world-writable share on the domain controller itself. Anything that can reach port 445 can read, modify and delete its contents without credentials, and the 0777 masks leave every file world-writable on the DC's filesystem. Treat it as a lab setting only; Samba's own documentation advises against using an AD DC as a file server at all, and for anything that stays around, the minimum is an authenticated share with masks that keep the world bits off.
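The same share rebuilt without the anonymous, world-writable settings, as an added example that is not part of the original manual: a setgid directory owned by a domain group, a stanza limited to that group with masks that never set the world bits, and a check that rejects the settings the original used. The path /srv/samba/publico, the group ACCESOC\Domain Users, the APPLY variable and the function names are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the original manual): the manual's [PUBLICO] share
# rebuilt as an authenticated, group-owned share. The path /srv/samba/publico
# and the group ACCESOC\Domain Users are assumptions; adjust to your domain.
set -eu

if [ -z "${SHARE_GROUP:-}" ]; then
    SHARE_GROUP='ACCESOC\Domain Users'
fi
SHARE_DIR="${SHARE_DIR:-/srv/samba/publico}"

# Create the directory as root:GROUP with mode 2770. The setgid bit makes new
# files inherit the share group; "other" gets no access at all.
setup_share_dir() {
    dir=$1; grp=$2
    mkdir -p "$dir"
    # chgrp only if the group resolves (on the DC this goes through winbind);
    # otherwise leave it root-owned so the admin notices and fixes it.
    if command -v getent >/dev/null 2>&1 && getent group "$grp" >/dev/null 2>&1; then
        chgrp "$grp" "$dir"
    fi
    chmod 2770 "$dir"
}

# Print the smb.conf stanza: no guest access, members of the group only,
# masks that never set the world bits, new directories keep setgid.
share_stanza() {
    name=$1; dir=$2; grp=$3
    cat <<EOF
[$name]
    path = $dir
    writable = yes
    guest ok = no
    valid users = @"$grp"
    create mask = 0660
    directory mask = 2770
    force directory mode = 2770
EOF
}

# Read a share stanza on stdin and reject the settings that made the
# original share anonymous and world-writable. Prints the offending lines.
check_stanza_hardened() {
    bad=$(grep -iE '^[[:space:]]*(guest (ok|only)[[:space:]]*=[[:space:]]*yes|(create|directory) (mode|mask)[[:space:]]*=[[:space:]]*0?777)' || true)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

if [ "${APPLY:-0}" = "1" ]; then
    setup_share_dir "$SHARE_DIR" "$SHARE_GROUP"
    share_stanza publico "$SHARE_DIR" "$SHARE_GROUP" | check_stanza_hardened >/dev/null
    share_stanza publico "$SHARE_DIR" "$SHARE_GROUP" >> /etc/samba/smb.conf
    testparm -s >/dev/null && smbcontrol all reload-config
else
    share_stanza publico "$SHARE_DIR" "$SHARE_GROUP"
fi
```

Without APPLY the script only prints the stanza, which is the normal way to use it: review it, paste it into smb.conf, and run `testparm` before reloading. With the share authenticated, the `map to guest = Bad User` line in [global] is no longer needed for it. The check function can also be pointed at the original [PUBLICO] stanza, which it rejects on four lines.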

*****TROUBLESHOOTING

https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End#Reconfiguring_the_BIND9_DLZ_Back_End