> CentOS > CentOS教程 >

Centos7.1最小化安装搭建Active Directory Service的域控制器

实验平台

I3二代,8G内存,WIN764位系统,安装Virtualbox4.3.26,建立CENTOS7.1虚拟机,挂载minimal光盘安装系统。

同时下载准备了一个Centos everything的7G DVD光盘,方便安装依赖包,不用实时联网YUM安装。

 

一、最小化安装CENTOS7.1,过程略。

二、登陆Centos7.1系统,安装依赖。我喜欢用下载的Centos DVD安装软件,比网络快。

 

1. 如果要从WIN7系统用PUTTY等软件SSH连接虚拟机,要配置好固定IP,打开SSH。我是用securecrt连的虚拟机,网络选了一个网卡桥接本机网卡动态IP,一个选host-only网络,IP段设置192.168.6.*。

Last login: Thu Apr 16 04:20:06 2015 from 192.168.6.1

2.挂载everything的光盘
[root@localhost ~]# mount /dev/cdrom /mnt 
mount: /dev/sr0 is write-protected, mounting read-only

3.进入/etc/yum.repos.d/目录,批量改名备份repo文件

[root@localhost ~]# cd /etc/yum.repos.d/
[root@localhost yum.repos.d]# find . -type f |xargs -i mv {} {}.bkp
[root@localhost yum.repos.d]# ls
CentOS-Base.repo.bkp  CentOS-Debuginfo.repo.bkp  CentOS-Sources.repo.bkp
CentOS-CR.repo.bkp    CentOS-fasttrack.repo.bkp  CentOS-Vault.repo.bkp

4.用编辑器新建立一个光盘安装源。
[root@localhost yum.repos.d]# vi CentOS-Media.repo
[c7-media]
name=CentOS-$releasever- Media
baseurl=file:///mnt
gpgcheck=0
enabled=1
                                                                                                 
"CentOS-Media.repo" 5L, 83C written

5.从光盘安装"development tools"

[root@localhost yum.repos.d]# yum groupinstall "development tools"

安装过程略

 

6.安装一些依赖

[root@localhost samba-4.2.1]# yum -y install libacl-devel libblkid-devel gnutls-devel readline-devel python-devel autoconf gdb bind rsyslog-gssapi cyrus-sasl-gssapi

 

还有几个RPM包我用RPM命令是后面编译报错再安装的,也可以在上面的YUM一次安装

[root@localhost samba-4.2.1]# rpm -ivh /mnt/Packages/python-devel-2.7.5-16.el7.x86_64.rpm 
warning: /mnt/Packages/python-devel-2.7.5-16.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID f4a80eb5: NOKEY
Preparing...                          ################################# [100%]
        package python-devel-2.7.5-16.el7.x86_64 is already installed
[root@localhost samba-4.2.1]# rpm -ivh /mnt/Packages/cyrus-sasl-2.1.26-17.el7.x86_64.rpm 
warning: /mnt/Packages/cyrus-sasl-2.1.26-17.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID f4a80eb5: NOKEY
Preparing...                          ################################# [100%]
Updating / installing...
   1:cyrus-sasl-2.1.26-17.el7         ################################# [100%]
[root@localhost samba-4.2.1]# rpm -ivh /mnt/Packages/cyrus-sasl-devel-2.1.26-17.el7.x86_64.rpm 
warning: /mnt/Packages/cyrus-sasl-devel-2.1.26-17.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID f4a80eb5: NOKEY
Preparing...                          ################################# [100%]
Updating / installing...
   1:cyrus-sasl-devel-2.1.26-17.el7   ################################# [100%]
[root@localhost samba-4.2.1]# rpm -ivh /mnt/Packages/openldap-devel-2.4.39-6.el7.x86_64.rpm          
warning: /mnt/Packages/openldap-devel-2.4.39-6.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID f4a80eb5: NOKEY
Preparing...                          ################################# [100%]
Updating / installing...
   1:openldap-devel-2.4.39-6.el7      ################################# [100%]

 

三、下载编译Samda

7.下载SAMBA4.2.1源码包,用SECUREFXP上传到/tmp目录,wget实在太慢了。

8.现在进入/tmp目录,解压准备编译samba4.2.1

[root@localhost ~]# cd /tmp
[root@localhost tmp]# ls
ks-script-BL7c5a  samba-latest.tar.gz  yum.log
[root@localhost tmp]# tar -xvf samba-latest.tar.gz
[root@localhost tmp]# ls
ks-script-BL7c5a  samba-4.2.1  samba-latest.tar.gz  yum.log
[root@localhost tmp]# cd samba-4.2.1/

编译之前要运行buildtools/scripts/目录下的autogen-waf.sh

[root@localhost samba-4.2.1]# cd buildtools/scripts/
[root@localhost scripts]# ./autogen-waf.sh 

Setting up for waf build
Looking for the buildtools directory
Found buildtools in ./../../buildtools
Setting up configure
Setting up Makefile
done. Now run ./configure or ./configure.developer then make.

 

回到解压的目录,开始编译samba

[root@localhost scripts]# cd /tmp/samba-4.2.1/
[root@localhost samba-4.2.1]# ./configure

编译过程略......
'configure' finished successfully (1m8.178s)

 

到这里编译完成.

9.开始make安装

[root@localhost samba-4.2.1]# make && make install

安装过程略......
Waf: Leaving directory `/tmp/samba-4.2.1/bin'
'install' finished successfully (3m22.415s)

至此samba4.2.1源码编译安装完成。

 

10.修改主机名为DC1,把FQDN完全域名写上,好处是等下提升为域控免输域名了。

[root@localhost samba-4.2.1]#vi /etc/hostname 
DC1.contoso.com

 

四、提升为域控

11.虚拟机可以关机做个快照,然后启动,登陆,开始把这台linux主机提升为域控制器。

 

[root@DC1 ~]# cd /usr/local/samba/bin 

 

[root@DC1 bin]# ./samba-tool domain provision 

Realm [CONTOSO.COM]: 

Domain [CONTOSO]: 

Server Role (dc, member, standalone) [dc]: 

DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: BIND9_FLATFILE  #这里选的BIND9的DNS,也可以安装Samba自带的DNS. 

Administrator password: 输入域控管理员密码,密码一定要复杂,大小写字母+数字,如Ab123456&
Retype password: 再输入一遍Ab123456&

Looking up IPv4 addresses More than one IPv4 address found. Using 192.168.6.3 

Looking up IPv6 address 

No IPv6 addresswill be assigned 

Setting up secrets.ldb 

Setting up the registry 

Setting up the privileges database 

Setting up idmap db 

Setting up sam.ldb partitions and settings 

Setting up sam.ldb rootDSE 

Pre-loading the Samba 4 and AD schema 

Adding DomainDN: DC=contoso,DC=com 

Adding configuration container 

Setting up sam.ldb schema 

Setting up sam.ldb configuration data 

Setting up display specifiers 

Modifying display specifiers 

Adding users container 

Modifying users container 

Adding computers container 

Modifying computers container 

Setting up sam.ldb data 

Setting up well known security principals 

Setting up sam.ldb users and groups 

Setting up self join 

Adding DNS accounts 

Creating CN=MicrosoftDNS,CN=System,DC=contoso,DC=com 

rndc: neither /etc/rndc.conf nor /etc/rndc.key was found 

rndc: neither /etc/rndc.conf nor /etc/rndc.key was found 

See /usr/local/samba/private/named.conf for an example configuration include file for BIND 

and /usr/local/samba/private/named.txt for further documentation required for secure DNS updates 

Setting up sam.ldb rootDSE marking as synchronized 

Fixing provision GUIDs 

A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf

Once the above files are installed, your Samba4 server will be ready to use 

Server Role:           active directory domain controller 

Hostname:              DC1 

NetBIOS Domain:        CONTOSO 

DNS Domain:            contoso.com 

DOMAIN SID:            S-1-5-21-3366851103-1622988557-2824442447 

[root@DC1 bin]#

 

 

一定要见到DOMAIN SID才算配置成功


启动samba
[root@DC1 bin]# /usr/local/samba/sbin/samba

查看版本

[root@DC1 bin]# /usr/local/samba/bin/smbclient --version

Version 4.2.1



测试

[root@DC1 bin]# /usr/local/samba/bin/smbclient -L localhost -U%

Domain=[CONTOSO] 

OS=[Unix] 

Server=[Samba 4.2.1]      

Sharename       Type      Comment      

---------       ----      -------   

 netlogon        Disk      

 sysvol          Disk       

 IPC$            IPC      IPC Service (Samba 4.2.1)

Domain=[CONTOSO] OS=[Unix] Server=[Samba 4.2.1]  

  Server               Comment    

  ---------            -------    

  Workgroup            Master    

  ---------            -------


 

[root@DC1 bin]# /usr/local/samba/bin/smbclient //localhost/netlogon -Uadministrator

Enter administrator's password: 

Domain=[CONTOSO] OS=[Unix] Server=[Samba 4.2.1]

smb: \> q

[root@DC1 bin]#

 

检查一下BIND

[root@DC1 bin]# rpm -qa|grep bind

bind-libs-lite-9.9.4-18.el7.x86_64

bind-license-9.9.4-18.el7.noarch

bind-libs-9.9.4-18.el7.x86_64

bind-9.9.4-18.el7.x86_64



在/etc/named.conf文件中可以看到bind9的目录是/var/named,进入该目录:
[root@DC1 etc]# cd /var/named


复制一份named.localhost作为contoso.com.zone,然后修改,作为contoso.com的正向解析文件。

[root@DC1 named]# cp named.localhost contoso.com.zone

[root@DC1 named]# vim contoso.com.zone

$TTL 1D@       IN SOA  @ contoso.com. (         

                    0       ; serial            

                    1D      ; refresh           

                    1H      ; retry             

                    1W      ; expire            

                    3H )    ; minimum           

IN NS   DC1.contoso.com.

@       IN A    192.168.6.3

DC1     IN A    192.168.6.3



以上就是修改后的,双网卡的虚机,IP可能是另外一个的,要修改。


再把samba产生的DNS文件的后面部分复制过来。但是不要复制gc._msdcs这一条,我测试报错,删除了能启动bind

[root@DC1 ~]# cd /usr/local/samba/private/dns

[root@DC1 dns]# ls

contoso.com.zone

[root@DC1 dns]# vim contoso.com.zone



复制下面部分
 

79aef472-c658-49c0-a2b4-3988bc00338a._msdcs     IN CNAME        DC1

;

; global catalog servers

_gc._tcp                IN SRV 0 100 3268       DC1

_gc._tcp.Default-First-Site-Name._sites IN SRV 0 100 3268       DC1

_ldap._tcp.gc._msdcs    IN SRV 0 100 3268       DC1

_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs     IN SRV 0 100 3268 DC1

;

; ldap servers_ldap._tcp              IN SRV 0 100 389        DC1

_ldap._tcp.dc._msdcs    IN SRV 0 100 389        DC1

_ldap._tcp.pdc._msdcs   IN SRV 0 100 389        DC1

_ldap._tcp.8b2afba7-4d3a-4b88-8b45-381cf145c623.domains._msdcs          IN SRV 0 100 389 DC1

_ldap._tcp.Default-First-Site-Name._sites               IN SRV 0 100 389 DC1

_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs     IN SRV 0 100 389 DC1

;

; krb5 servers_kerberos._tcp          IN SRV 0 100 88         DC1

_kerberos._tcp.dc._msdcs        IN SRV 0 100 88 DC1

_kerberos._tcp.Default-First-Site-Name._sites   IN SRV 0 100 88 DC1

_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs IN SRV 0 100 88 DC1_kerberos._udp          IN SRV 0 100 88         DC1

; MIT kpasswd likes to lookup this name on password change

_kerberos-master._tcp           IN SRV 0 100 88         DC1

_kerberos-master._udp           IN SRV 0 100 88         DC1

;

; kpasswd_kpasswd._tcp           IN SRV 0 100 464        DC1

_kpasswd._udp           IN SRV 0 100 464        DC1

;

; heimdal 'find realm for host' hack

_kerberos               IN TXT  CONTOSO.COM



然后粘贴到/var/named/contoso.com.zone修改过的后面。具体操作中,可以在SecureCRT里克隆会话,进到目录,打开文件,拖选要复制的,然后切换到原来的会话点右键就粘贴上了,然后按ESC,:wq保存退出。


打开/etc/named.rfc1912.zones, 后面添加如下字段,增加正向解析区域

 

[root@DC1 etc]# vim /etc/named.rfc1912.zones

zone "contoso.com" IN {

      type master;

      file "contoso.com.zone";

      allow-update { none; };

};



启动BIND服务,如果报错,需要检查etc/named.rfc1912.zones和contoso.com.zone文件配置
 

[root@DC1 dns]# systemctl start named.service

[root@DC1 dns]# systemctl status named.service


 

测试解析,需要host命令。默认未安装。

[root@DC1 named]# host -t SRV _ldap._tcp.contoso.com.

-bash: host: 未找到命令



重新挂载光盘安装。

[root@DC1 named]# mount /dev/cdrom /mnt

mount: /dev/sr0 写保护,将以只读方式挂载


[root@DC1 named]# yum -y install bind-utils    


然后测试

 

[root@DC1 ~]# host -t SRV _ldap._tcp.contoso.com

_ldap._tcp.contoso.com has SRV record 0 100 389 DC1.contoso.com.


[root@DC1 ~]# host -t SRV _kerberos._udp.contoso.com               _kerberos._udp.contoso.com has SRV record 0 100 88 DC1.contoso.com.
 

[root@DC1 ~]# host -t A dc1.contoso.com.     

dc1.contoso.com has address 192.168.6.3       



然后再开WIN7虚拟机,配置同网段IP如192.168.6.5, DNS配置192.168.6.3。 先用PING测试能ping通域名,如果不通尝试清除IPTABLES防火墙规则:

[root@DC1 ~]# iptables -F

到此服务器端所有的配置完成,可以在WIN7系统下载WINDOWS服务器远程管理工具包。
安装后添加组件,在控制面板--管理工具里看到域控的管理工具,能远程管理了。


 

(责任编辑:IT)