Building an Active Directory domain controller on a minimal CentOS 7.1 install
Time: 2015-04-22 13:17 Source: blog.51cto.com Author: IT
Lab platform
Second-generation i3, 8 GB RAM, Windows 7 64-bit, with VirtualBox 4.3.26 installed; a CentOS 7.1 VM was created and the system installed from the mounted minimal ISO.
I also downloaded the 7 GB CentOS "everything" DVD ISO so that dependency packages can be installed from it instead of over the network with yum.
I. Minimal install of CentOS 7.1; steps omitted.
II. Log in to CentOS 7.1 and install the dependencies. I prefer installing software from the downloaded CentOS DVD, since it is faster than the network.
1. To SSH into the VM from Windows 7 with PuTTY or similar, configure a static IP and enable SSH. I connect to the VM with SecureCRT; for networking I chose one adapter bridged to the host's adapter (dynamic IP) and one host-only adapter with the address range set to 192.168.6.*.
Last login: Thu Apr 16 04:20:06 2015 from 192.168.6.1
2. Mount the "everything" DVD
[root@localhost ~]# mount /dev/cdrom /mnt
mount: /dev/sr0 is write-protected, mounting read-only
3. Go to /etc/yum.repos.d/ and rename all the repo files in bulk as backups
[root@localhost ~]# cd /etc/yum.repos.d/
[root@localhost yum.repos.d]# find . -type f |xargs -i mv {} {}.bkp
[root@localhost yum.repos.d]# ls
CentOS-Base.repo.bkp CentOS-Debuginfo.repo.bkp CentOS-Sources.repo.bkp
CentOS-CR.repo.bkp CentOS-fasttrack.repo.bkp CentOS-Vault.repo.bkp
4. Create a new DVD installation source with an editor.
[root@localhost yum.repos.d]# vi CentOS-Media.repo
[c7-media]
name=CentOS-$releasever- Media
baseurl=file:///mnt
gpgcheck=0
enabled=1
"CentOS-Media.repo" 5L, 83C written
5. Install "development tools" from the DVD
[root@localhost yum.repos.d]# yum groupinstall "development tools"
Installation output omitted
6. Install some dependencies
[root@localhost samba-4.2.1]# yum -y install libacl-devel libblkid-devel gnutls-devel readline-devel python-devel autoconf gdb bind rsyslog-gssapi cyrus-sasl-gssapi
A few more RPM packages I installed with rpm later, after the build reported errors; they can also be added to the yum command above and installed in one go.
[root@localhost samba-4.2.1]# rpm -ivh /mnt/Packages/python-devel-2.7.5-16.el7.x86_64.rpm
warning: /mnt/Packages/python-devel-2.7.5-16.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID f4a80eb5: NOKEY
Preparing... ################################# [100%]
package python-devel-2.7.5-16.el7.x86_64 is already installed
[root@localhost samba-4.2.1]# rpm -ivh /mnt/Packages/cyrus-sasl-2.1.26-17.el7.x86_64.rpm
warning: /mnt/Packages/cyrus-sasl-2.1.26-17.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID f4a80eb5: NOKEY
Preparing... ################################# [100%]
Updating / installing...
1:cyrus-sasl-2.1.26-17.el7 ################################# [100%]
[root@localhost samba-4.2.1]# rpm -ivh /mnt/Packages/cyrus-sasl-devel-2.1.26-17.el7.x86_64.rpm
warning: /mnt/Packages/cyrus-sasl-devel-2.1.26-17.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID f4a80eb5: NOKEY
Preparing... ################################# [100%]
Updating / installing...
1:cyrus-sasl-devel-2.1.26-17.el7 ################################# [100%]
[root@localhost samba-4.2.1]# rpm -ivh /mnt/Packages/openldap-devel-2.4.39-6.el7.x86_64.rpm
warning: /mnt/Packages/openldap-devel-2.4.39-6.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID f4a80eb5: NOKEY
Preparing... ################################# [100%]
Updating / installing...
1:openldap-devel-2.4.39-6.el7 ################################# [100%]
III. Download and build Samba
7. Download the Samba 4.2.1 source tarball and upload it to /tmp with SecureFX; wget is just too slow.
8. Now enter /tmp, extract the archive, and prepare to build Samba 4.2.1
[root@localhost ~]# cd /tmp
[root@localhost tmp]# ls
ks-script-BL7c5a samba-latest.tar.gz yum.log
[root@localhost tmp]# tar -xvf samba-latest.tar.gz
[root@localhost tmp]# ls
ks-script-BL7c5a samba-4.2.1 samba-latest.tar.gz yum.log
[root@localhost tmp]# cd samba-4.2.1/
Before building, run autogen-waf.sh in the buildtools/scripts/ directory
[root@localhost samba-4.2.1]# cd buildtools/scripts/
[root@localhost scripts]# ./autogen-waf.sh
Setting up for waf build
Looking for the buildtools directory
Found buildtools in ./../../buildtools
Setting up configure
Setting up Makefile
done. Now run ./configure or ./configure.developer then make.
Return to the extracted directory and start configuring Samba
[root@localhost scripts]# cd /tmp/samba-4.2.1/
[root@localhost samba-4.2.1]# ./configure
Configure output omitted...
'configure' finished successfully (1m8.178s)
At this point the configure step is done.
9. Run make and install
[root@localhost samba-4.2.1]# make && make install
Installation output omitted...
Waf: Leaving directory `/tmp/samba-4.2.1/bin'
'install' finished successfully (3m22.415s)
That completes building and installing Samba 4.2.1 from source.
10. Change the hostname to DC1, writing the full FQDN; the benefit is that the domain name will not need to be typed when promoting to a DC later.
[root@localhost samba-4.2.1]# vi /etc/hostname
DC1.contoso.com
IV. Promote to domain controller
11. You can shut down the VM and take a snapshot, then start it, log in, and begin promoting this Linux host to a domain controller.
[root@DC1 ~]# cd /usr/local/samba/bin
[root@DC1 bin]# ./samba-tool domain provision
Realm [CONTOSO.COM]:
Domain [CONTOSO]:
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: BIND9_FLATFILE # BIND9 DNS was chosen here; Samba's built-in DNS can also be used.
Administrator password: enter the domain administrator password; it must be complex, upper- and lowercase letters plus digits, e.g. Ab123456&
Retype password: enter Ab123456& again
Looking up IPv4 addresses More than one IPv4 address found. Using 192.168.6.3
Looking up IPv6 address
No IPv6 addresswill be assigned
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=contoso,DC=com
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=contoso,DC=com
rndc: neither /etc/rndc.conf nor /etc/rndc.key was found
rndc: neither /etc/rndc.conf nor /etc/rndc.key was found
See /usr/local/samba/private/named.conf for an example configuration include file for BIND
and /usr/local/samba/private/named.txt for further documentation required for secure DNS updates
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role: active directory domain controller
Hostname: DC1
NetBIOS Domain: CONTOSO
DNS Domain: contoso.com
DOMAIN SID: S-1-5-21-3366851103-1622988557-2824442447
[root@DC1 bin]#
The configuration only counts as successful once you see the DOMAIN SID.
Start Samba
[root@DC1 bin]# /usr/local/samba/sbin/samba
Check the version
[root@DC1 bin]# /usr/local/samba/bin/smbclient --version
Version 4.2.1
Test
[root@DC1 bin]# /usr/local/samba/bin/smbclient -L localhost -U%
Domain=[CONTOSO]
OS=[Unix]
Server=[Samba 4.2.1]
Sharename Type Comment
--------- ---- -------
netlogon Disk
sysvol Disk
IPC$ IPC IPC Service (Samba 4.2.1)
Domain=[CONTOSO] OS=[Unix] Server=[Samba 4.2.1]
Server Comment
--------- -------
Workgroup Master
--------- -------
[root@DC1 bin]# /usr/local/samba/bin/smbclient //localhost/netlogon -Uadministrator
Enter administrator's password:
Domain=[CONTOSO] OS=[Unix] Server=[Samba 4.2.1]
smb: \> q
[root@DC1 bin]#
Check BIND
[root@DC1 bin]# rpm -qa|grep bind
bind-libs-lite-9.9.4-18.el7.x86_64
bind-license-9.9.4-18.el7.noarch
bind-libs-9.9.4-18.el7.x86_64
bind-9.9.4-18.el7.x86_64
In /etc/named.conf you can see that BIND 9's working directory is /var/named; enter that directory:
[root@DC1 etc]# cd /var/named
Copy named.localhost to contoso.com.zone and then edit it to serve as the forward zone file for contoso.com.
[root@DC1 named]# cp named.localhost contoso.com.zone
[root@DC1 named]# vim contoso.com.zone
$TTL 1D
@ IN SOA @ contoso.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
IN NS DC1.contoso.com.
@ IN A 192.168.6.3
DC1 IN A 192.168.6.3
The above is the edited file; on a VM with two NICs the IP may be the other one, so adjust it.
Then copy over the latter part of the DNS file generated by Samba. But do not copy the gc._msdcs entry; in my testing it caused an error, and after deleting it BIND could start.
[root@DC1 ~]# cd /usr/local/samba/private/dns
[root@DC1 dns]# ls
contoso.com.zone
[root@DC1 dns]# vim contoso.com.zone
Copy the following section
79aef472-c658-49c0-a2b4-3988bc00338a._msdcs IN CNAME DC1
;
; global catalog servers
_gc._tcp IN SRV 0 100 3268 DC1
_gc._tcp.Default-First-Site-Name._sites IN SRV 0 100 3268 DC1
_ldap._tcp.gc._msdcs IN SRV 0 100 3268 DC1
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs IN SRV 0 100 3268 DC1
;
; ldap servers
_ldap._tcp IN SRV 0 100 389 DC1
_ldap._tcp.dc._msdcs IN SRV 0 100 389 DC1
_ldap._tcp.pdc._msdcs IN SRV 0 100 389 DC1
_ldap._tcp.8b2afba7-4d3a-4b88-8b45-381cf145c623.domains._msdcs IN SRV 0 100 389 DC1
_ldap._tcp.Default-First-Site-Name._sites IN SRV 0 100 389 DC1
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs IN SRV 0 100 389 DC1
;
; krb5 servers
_kerberos._tcp IN SRV 0 100 88 DC1
_kerberos._tcp.dc._msdcs IN SRV 0 100 88 DC1
_kerberos._tcp.Default-First-Site-Name._sites IN SRV 0 100 88 DC1
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs IN SRV 0 100 88 DC1
_kerberos._udp IN SRV 0 100 88 DC1
; MIT kpasswd likes to lookup this name on password change
_kerberos-master._tcp IN SRV 0 100 88 DC1
_kerberos-master._udp IN SRV 0 100 88 DC1
;
; kpasswd
_kpasswd._tcp IN SRV 0 100 464 DC1
_kpasswd._udp IN SRV 0 100 464 DC1
;
; heimdal 'find realm for host' hack
_kerberos IN TXT CONTOSO.COM
Then paste it at the end of the edited /var/named/contoso.com.zone. In practice you can clone the session in SecureCRT, go to the directory, open the file, drag-select the part to copy, then switch to the original session and right-click to paste; then press ESC and :wq to save and quit.
Open /etc/named.rfc1912.zones and append the following stanza to add the forward zone
[root@DC1 etc]# vim /etc/named.rfc1912.zones
zone "contoso.com" IN {
type master;
file "contoso.com.zone";
allow-update { none; };
};
Start the BIND service; if it reports errors, check the configuration in /etc/named.rfc1912.zones and contoso.com.zone
[root@DC1 dns]# systemctl start named.service
[root@DC1 dns]# systemctl status named.service
Test resolution; this needs the host command, which is not installed by default.
[root@DC1 named]# host -t SRV _ldap._tcp.contoso.com.
-bash: host: 未找到命令
Remount the DVD and install it.
[root@DC1 named]# mount /dev/cdrom /mnt
mount: /dev/sr0 写保护,将以只读方式挂载
[root@DC1 named]# yum -y install bind-utils
Then test
[root@DC1 ~]# host -t SRV _ldap._tcp.contoso.com
_ldap._tcp.contoso.com has SRV record 0 100 389 DC1.contoso.com.
[root@DC1 ~]# host -t SRV _kerberos._udp.contoso.com
_kerberos._udp.contoso.com has SRV record 0 100 88 DC1.contoso.com.
[root@DC1 ~]# host -t A dc1.contoso.com.
dc1.contoso.com has address 192.168.6.3
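As an added example that is not part of the original post: a small POSIX shell check that can be run against the merged /var/named/contoso.com.zone before starting named, to confirm that every SRV record a domain member queries when locating the DC is present with the expected port and target, and that the DC's A record and the realm TXT record survived the copy/paste. The function name check_ad_zone and its argument layout are this example's own; the record names and ports are those in the Samba-generated zone pasted above.

```shell
#!/bin/sh
# Added example, not from the original post: check the merged
# /var/named/contoso.com.zone before 'systemctl start named', so that a
# botched copy/paste does not leave domain members unable to find the DC.
# The record names and ports are those in the Samba-generated zone;
# the function name and argument layout are this example's own choice.
# Usage: check_ad_zone /var/named/contoso.com.zone DC1 192.168.6.3

check_ad_zone() {
    zone=$1; dc=$2; ip=$3; missing=0
    # name:port pairs a client queries when locating LDAP, Kerberos,
    # kpasswd and global-catalog services for the domain
    for rec in _ldap._tcp:389 _ldap._tcp.dc._msdcs:389 _ldap._tcp.pdc._msdcs:389 \
               _kerberos._tcp:88 _kerberos._udp:88 _kerberos._tcp.dc._msdcs:88 \
               _kerberos-master._tcp:88 _kpasswd._tcp:464 _kpasswd._udp:464 \
               _gc._tcp:3268 _ldap._tcp.gc._msdcs:3268; do
        name=${rec%:*}; port=${rec#*:}
        # accept any priority/weight and any spacing: "<name> IN SRV p w <port> <dc>"
        if ! grep -Eq "^${name}[[:space:]]+IN[[:space:]]+SRV[[:space:]]+[0-9]+[[:space:]]+[0-9]+[[:space:]]+${port}[[:space:]]+${dc}\.?([[:space:]]|$)" "$zone"; then
            echo "missing or wrong: $name SRV port $port -> $dc" >&2
            missing=$((missing + 1))
        fi
    done
    # the DC's own A record and the realm TXT record must also be present
    grep -Eq "^${dc}[[:space:]]+IN[[:space:]]+A[[:space:]]+${ip}([[:space:]]|$)" "$zone" \
        || { echo "missing: $dc IN A $ip" >&2; missing=$((missing + 1)); }
    grep -Eq "^_kerberos[[:space:]]+IN[[:space:]]+TXT[[:space:]]" "$zone" \
        || { echo "missing: _kerberos IN TXT <REALM>" >&2; missing=$((missing + 1)); }
    # non-zero exit status when anything is absent, so it can gate starting named
    [ "$missing" -eq 0 ]
}

# run directly: sh check_ad_zone.sh <zone file> <dc name> <dc ip>
if [ "$#" -ge 3 ]; then
    check_ad_zone "$@" && echo "zone OK"
fi
```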
Then start the Windows 7 VM and configure an IP on the same subnet, such as 192.168.6.5, with DNS set to 192.168.6.3. First use ping to verify the domain name resolves and responds; if it does not, try flushing the iptables firewall rules:
[root@DC1 ~]# iptables -F
All server-side configuration is now complete; on Windows 7 you can download the Windows Remote Server Administration Tools package.
After installing it, add the components; the domain controller management tools then appear under Control Panel > Administrative Tools and the domain can be managed remotely.
(Editor: IT)