Instalando repositórios (o pacote epel-release abaixo é baixado por HTTP de um espelho; confira a assinatura GPG do pacote antes de instalá-lo):
# rpm -Uvh http://fedora.uib.no/epel/6/i386/epel-release-6-8.noarch.rpm
# yum clean all
# yum -y update
Desativando o Firewall e o SELinux (atenção: isso remove camadas de proteção do servidor; em produção, prefira manter o iptables ativo liberando apenas as portas necessárias e ajustar o SELinux em vez de desativá-lo):
# chkconfig iptables off
# chkconfig ip6tables off
# setenforce 0
# vi /etc/selinux/config
Altere a linha SELINUX= para o valor abaixo (a chave é sensível a maiúsculas; uma linha "selinux=disabled" em minúsculas é ignorada):
SELINUX=disabled
Instalando dependências e pacotes necessários:
# yum -y install flex bison squid squidGuard samba samba-client samba-common samba-winbind pam_krb5 bind-utils httpd
Ajustando a inicialização dos programas:
# chkconfig httpd on
# chkconfig squid on
# chkconfig smb on
# chkconfig nmb on
# chkconfig winbind on
Ajustando resolução de nomes:
Obs.: faça primeiro um backup do arquivo original:
# cp -Rfa /etc/resolv.conf{,.bkp}
# vi /etc/resolv.conf
search dominio.local
nameserver 192.168.100.11 # IP DO SERVIDOR AD OU SAMBA 4
Executando testes:
# nslookup dominio.local
Server: 192.168.100.11
Address: 192.168.100.11#53
Name: dominio.local
Address: 192.168.100.11
Ajustando a hora (o Kerberos exige que o relógio do servidor esteja sincronizado com o do controlador de domínio; diferenças de poucos minutos fazem a autenticação falhar):
# yum -y install ntpdate
# ntpdate -u ntp.usp.br # Se tiver NTP da rede local aponte para o IP/nome dele
Configurando Kerberos
Fazer backup do arquivo de configuração:
# cp -Rfa /etc/krb5.conf{,.bkp}
# rm -rf /etc/krb5.conf
# vi /etc/krb5.conf
[libdefaults]
default_realm = dominio.local
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true
[realms]
dominio.local = {
kdc = 192.168.100.11
admin_server = 192.168.100.11:749
default_server = 192.168.100.11
}
[domain_realm]
.dominio.local=dominio.local
dominio.local=dominio.local
[login]
krb4_convert = true
krb4_get_tickets = false
[kdc]
profile = /etc/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
[logging]
default = file:/var/log/krb5libs.log
kdc = file:/var/log/krb5kdc.log
admin_server = file:/var/log/kadmind.log
Para que não ocorram erros no Samba:
# vi /etc/security/limits.conf
Insira as informações abaixo no final do arquivo (substitua mioutente pelo nome real do usuário que deve receber o limite):
root hard nofile 131072
root soft nofile 65536
mioutente hard nofile 32768
mioutente soft nofile 16384
Ajustando Samba (este servidor é apenas um membro do domínio; confira se "domain master = Yes" é realmente desejado aqui, pois essa opção faz o servidor disputar o papel de domain master browser com o controlador de domínio):
Backup do arquivo de configuração:
# cp -Rfa /etc/samba/smb.conf{,.bkp}
# rm -rf /etc/samba/smb.conf
# vi /etc/samba/smb.conf
[global]
workgroup = DOMINIO
realm = DOMINIO.LOCAL
netbios name = CentOS
server string = Servidor Proxy CentOS
security = ADS
auth methods = winbind
# IP DO SAMBA 4 (no smb.conf o "#" só inicia comentário no começo da linha; um comentário após o valor passa a fazer parte da lista de servidores)
password server = 192.168.100.11
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
load printers = No
printcap name = cups
disable spoolss = Yes
local master = No
domain master = Yes
idmap uid = 10000-30000
idmap gid = 10000-30000
winbind cache time = 15
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
Faça um backup do arquivo /etc/nsswitch.conf:
# cp /etc/nsswitch.conf{,.bkp}
Ajustar conforme arquivo abaixo:
# vi /etc/nsswitch.conf
[...]
passwd: files winbind
shadow: files
group: files winbind
[...]
Ajustando privilégios (o usuário squid precisa pertencer ao grupo wbpriv para acessar o pipe privilegiado do winbind usado na autenticação):
# gpasswd -a squid wbpriv
Iniciando serviços:
# /etc/init.d/nmb start
# /etc/init.d/smb start
# /etc/init.d/winbind start
Ingressando o servidor no domínio:
# net ads join dominio.local -U administrador
Enter administrador's password: [A SENHA DO ADMINISTRADOR DO SAMBA 4]
Using short domain name -- DOMINIO
Joined 'CENTOS' to realm 'DOMINIO.LOCAL'
Reinicie os serviços:
# /etc/init.d/smb restart
# /etc/init.d/nmb restart
# /etc/init.d/winbind restart
Verifique a comunicação:
# wbinfo -t
checking the trust secret for domain DOMINIO via RPC calls succeeded
# wbinfo -u
administrator
johnny
krbtgt
guest
# wbinfo -g
allowed rodc password replication group
enterprise read-only domain controllers
denied rodc password replication group
read-only domain controllers
group policy creator owners
ras and ias servers
domain controllers
enterprise admins
domain computers
cert publishers
dnsupdateproxy
domain admins
domain guests
schema admins
domain users
dnsadmins
internet-ti
internet-comercial
internet-diretoria