Configuring a Samba AD DC (domain controller)

Before using Active Directory, confirm the following items.
・AD DC server hostname: centos7-samba
・Domain name: TESTAD
・Fully qualified domain name: TESTAD.LOCAL

1. Preparation
① Setting the hostname on CentOS 7
# echo centos7-samba > /etc/hostname
After running the command above, reboot so that the new hostname takes effect.

② The yum repositories do not ship a ready-made Samba domain controller, so Samba is installed from source.
① First install the packages that Samba depends on at make time
# yum install perl gcc attr libacl-devel libblkid-devel \
gnutls-devel readline-devel python-devel gdb pkgconfig \
krb5-workstation zlib-devel setroubleshoot-server libaio-devel \
setroubleshoot-plugins policycoreutils-python \
libsemanage-python perl-ExtUtils-MakeMaker perl-Parse-Yapp \
perl-Test-Base popt-devel libxml2-devel libattr-devel \
keyutils-libs-devel cups-devel bind-utils libxslt \
docbook-style-xsl openldap-devel autoconf pam-devel \
python2-crypto libtomcrypt libtommath libidn-devel libpcap-devel
② If the cups package is not installed on the system, install it too and start the cups service.
# yum install cups
# systemctl start cups

2. Installing Samba (4.1.12 is used as the example; a newer version such as 4.4.10 can be substituted)
# wget https://download.samba.org/pub/samba/stable/samba-4.1.12.tar.gz
# tar -zxvf samba-4.1.12.tar.gz
# cd samba-4.1.12
# ./configure && make && make install

3. Configuring Samba
# /usr/local/samba/bin/samba-tool domain provision --use-rfc2307 --interactive --function-level=2008_R2
Realm: TESTAD.LOCAL        (enter the fully qualified domain name decided at the start)
Domain [TESTAD]:         (press Enter)
Server Role (dc, member, standalone) [dc]:                     (press Enter)
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:     (press Enter)
DNS forwarder IP address (write 'none' to disable forwarding) [192.168.122.21]:     (press Enter)
Administrator password:     (administrator password; it must meet the complexity requirements and be at least 7 characters)
Retype password:     (enter the administrator password again)
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=testad,DC=local
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=testad,DC=local
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Setting up fake yp server settings
Once the above files are installed, your Samba4 server will be ready to use
Server Role:           active directory domain controller
Hostname:              centos7-samba
NetBIOS Domain:        TESTAD
DNS Domain:            testad.local
DOMAIN SID:            S-1-5-21-4219608262-2753158698-2115138841
The domain provisioning is now complete.
If the domain has to be provisioned again, it is best to delete the old domain's files first with the following commands.
# rm -f  /usr/local/samba/etc/smb.conf
# rm -f  /usr/local/samba/private/*
# rm -f  /usr/local/samba/var/locks/sysvol/*

4. The smb.conf generated by the command in step 3 has the following contents:
# cat /usr/local/samba/etc/smb.conf
# Global parameters
[global]
workgroup = TESTAD
realm = TESTAD.LOCAL
netbios name = centos7-samba
server role = active directory domain controller
dns forwarder = 192.168.122.21
idmap_ldb:use rfc2307 = yes

[netlogon]
path = /usr/local/samba/var/locks/sysvol/testad.local/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

5. Starting Samba
# /usr/local/samba/sbin/samba

6. Confirm the shares available on the server
# /usr/local/samba/bin/smbclient -L localhost -U%
Domain=[TESTAD] OS=[Unix] Server=[Samba 4.1.12]

Sharename       Type      Comment
---------       ----      -------
netlogon        Disk
sysvol          Disk
IPC$            IPC       IPC Service (Samba 4.1.12)
Domain=[TESTAD] OS=[Unix] Server=[Samba 4.1.12]

Server               Comment
---------            -------

Workgroup            Master
---------            -------

7. Once the domain has been created, the DC cannot function if DNS is not working, so DNS has to be configured.
The following command points the domain controller's DNS resolver at itself.
# echo "nameserver 127.0.0.1" > /etc/resolv.conf
After that, run the commands below to confirm that the DNS service is working.
① Confirm the DNS zones
# /usr/local/samba/bin/samba-tool dns zonelist 127.0.0.1 -U administrator
Password for [TESTAD\administrator]:
2 zone(s) found

pszZoneName                 : testad.local
Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
ZoneType                    : DNS_ZONE_TYPE_PRIMARY
Version                     : 50
dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
pszDpFqdn                   : DomainDnsZones.testad.local

pszZoneName                 : _msdcs.testad.local
Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
ZoneType                    : DNS_ZONE_TYPE_PRIMARY
Version                     : 50
dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
pszDpFqdn                   : ForestDnsZones.testad.local

② Confirm the DNS records
# host -t SRV _ldap._tcp.TESTAD.LOCAL
_ldap._tcp.TESTAD.LOCAL has SRV record 0 100 389 centos7-samba.testad.local.
# host -t SRV _kerberos._udp.TESTAD.LOCAL
_kerberos._udp.TESTAD.LOCAL has SRV record 0 100 88 centos7-samba.testad.local.
# host -t A centos7-samba.testad.local
centos7-samba.testad.local has address 192.168.122.84

8. Kerberos configuration
Configure Kerberos as follows. Run the command below to copy the generated template configuration file into place.
# cp /usr/local/samba/private/krb5.conf /etc/krb5.conf
cp: `/etc/krb5.conf' 替换? y
Test that Kerberos works (form: kinit administrator@FULLY.QUALIFIED.DOMAIN, with the realm in upper case).
# kinit administrator@TESTAD.LOCAL
Password for administrator@TESTAD.LOCAL:
Warning: Your password will expire in 41 days on 2015年09月07日 星期一 15时57分48秒
If the following error appears, check whether the DNS domain name was typed wrongly or not in upper case.
# kinit administrator@testad.local
Password for administrator@testad.local:
kinit: KDC reply did not match expectations while getting initial credentials

9. Firewalld and SELinux configuration
If the firewall is enabled, run the following commands to open the required ports.
# firewall-cmd --permanent --zone=public --add-service=samba
# firewall-cmd --permanent --zone=public --add-service=kerberos
# firewall-cmd --permanent --zone=public --add-service=ldap
# firewall-cmd --permanent --zone=public --add-service=ldaps
# firewall-cmd --permanent --zone=public --add-service=dns
# firewall-cmd --permanent --zone=public --add-service=ntp
# firewall-cmd --permanent --zone=public --add-port=135/tcp
# firewall-cmd --permanent --zone=public --add-port=464/tcp
# firewall-cmd --permanent --zone=public --add-port=1024/tcp
# firewall-cmd --permanent --zone=public --add-port=3268/tcp
# firewall-cmd --permanent --zone=public --add-port=3269/tcp
# firewall-cmd --permanent --zone=public --add-port=137/udp
# firewall-cmd --permanent --zone=public --add-port=138/udp
# firewall-cmd --permanent --zone=public --add-port=389/udp
# firewall-cmd --reload

If SELinux is enabled, also run the following commands.
# setsebool -P samba_domain_controller on
# setsebool -P samba_export_all_ro on
# setsebool -P samba_export_all_rw on
# setsebool -P samba_enable_home_dirs on

If the firewall is not needed, it can be turned off with the following commands.
# systemctl stop firewalld
# systemctl disable firewalld
If SELinux is not needed, it can be disabled with the following commands.
# setenforce 0
# sed -i.bak "/SELINUX/s/enforcing/disabled/g" /etc/selinux/config

10. Joining the domain
On the Windows client, set the DNS server address to the DC server's address, then join the domain (TESTAD) through "Change computer name/domain".

On RHEL 7.3, if the following error occurs while running samba-tool domain provision, the fix is:

comment out the includedir /etc/krb5.conf.d/ line in /etc/krb5.conf.

Problem:

ERROR(ldb): uncaught exception - operations error at ../source4/dsdb/samdb/ldb_modules/password_hash.c:2241
File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
return self.run(*args, **kwargs)
File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 461, in run
nosync=ldap_backend_nosync, ldap_dryrun_mode=ldap_dryrun_mode)
File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 2171, in provision
skip_sysvolacl=skip_sysvolacl)
File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1794, in provision_fill
next_rid=next_rid, dc_rid=dc_rid)
File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1452, in fill_samdb
"KRBTGTPASS_B64": b64encode(krbtgtpass.encode('utf-16-le'))
File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/common.py", line 55, in setup_add_ldif
ldb.add_ldif(data, controls)
File "/usr/local/samba/lib64/python2.7/site-packages/samba/__init__.py", line 225, in add_ldif
self.add(msg, controls)
Cause:
the includedir /etc/krb5.conf.d/ line in /etc/krb5.conf is not handled correctly.

Comment that line out.

# vi /etc/krb5.conf

<omitted>
#includedir /etc/krb5.conf.d/     ← commented out
<omitted>

11. Accessing Samba's built-in OpenLDAP data directly

Add the following to smb.conf:

ldap server require strong auth = No

This setting lets clients perform a simple bind without TLS, so the password given to -W below crosses the network in clear text; use it only on a trusted network, or query over ldaps:// instead.

Then restart smbd.

Run the command:
ldapsearch -h TESTAD.LOCAL -x -LLL -D "cn=Administrator,cn=Users,dc=testad,dc=local" -W -b "cn=Users,dc=testad,dc=local"

12. Making Samba start automatically as a service

Edit the file

/etc/systemd/system/samba-ad-dc.service

---- samba-ad-dc.service contents begin ----
[Unit]
Description=Samba4 AD DC
After=network.target remote-fs.target nss-lookup.target

[Service]
Type=simple
ExecStart=/usr/local/samba/sbin/samba -i
PIDFile=/var/run/samba/samba.pid

[Install]
WantedBy=multi-user.target
---- samba-ad-dc.service contents end ----

Run the following commands to enable the service at boot, start it, and check its status.

systemctl enable samba-ad-dc
systemctl start samba-ad-dc
systemctl status samba-ad-dc

13. Samba4 password policy management commands

Command to show the current policy

# samba-tool domain passwordsettings show
Password informations for domain 'DC=officepcv1,DC=unix-power,DC=net'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30

Mapping to the Windows Active Directory password policy

Item                             Description
Password complexity              Complexity check on passwords (mix of letters, digits and symbols, 3 or more of them, must not contain the user name, etc.)
Store plaintext passwords        Whether passwords are stored in clear text
Password history length          Number of previous passwords remembered
Minimum password length          Minimum password length
Minimum password age             Period during which the password cannot be changed (0 = can be changed immediately)
Maximum password age             Password validity period (0 = never expires)
Account lockout duration         How long (minutes) the account stays locked once the wrong-password count is reached
Account lockout threshold        Number of failed attempts before the account is locked (0 = never lock)
Reset account lockout after      Time (minutes) after which the failed-attempt counter is reset to 0

The parameters above can be changed with commands such as the following (examples).

※ Disable the password complexity check
# samba-tool domain passwordsettings set --complexity=off

※ Set the minimum password length to 6
# samba-tool domain passwordsettings set --min-pwd-length=6

※ Set the minimum password age (change-prohibited period) to 0
# samba-tool domain passwordsettings set --min-pwd-age=0

※ Set the password validity period to unlimited
# samba-tool domain passwordsettings set --max-pwd-age=0

※ Set the account lockout duration to 60 minutes
# samba-tool domain passwordsettings set --account-lockout-duration=60

※ Set the number of attempts before lockout to 5
# samba-tool domain passwordsettings set --account-lockout-threshold=5

※ Set the time after which the failed-attempt counter is reset to 5 minutes
# samba-tool domain passwordsettings set --reset-account-lockout-after=5
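As an added example (not part of the original post), the Python script below parses the output of `samba-tool domain passwordsettings show`, compares it with an assumed hardening baseline built from the lockout values the post's own `set` examples use, and builds the `samba-tool domain passwordsettings set` commands that would bring the domain in line. The sample output is constructed, and the baseline is an assumption of this example, not a Samba default.

```python
# Constructed sample of `samba-tool domain passwordsettings show` output, modelled
# on the post's listing (the listing's header line omitted here).
SAMPLE_SHOW_OUTPUT = """\
Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30
"""
# Label printed by `show` -> option of `samba-tool domain passwordsettings set`.
OPTION_FOR_LABEL = {
    "Password complexity": "--complexity",
    "Store plaintext passwords": "--store-plaintext",
    "Password history length": "--history-length",
    "Minimum password length": "--min-pwd-length",
    "Minimum password age (days)": "--min-pwd-age",
    "Maximum password age (days)": "--max-pwd-age",
    "Account lockout duration (mins)": "--account-lockout-duration",
    "Account lockout threshold (attempts)": "--account-lockout-threshold",
    "Reset account lockout after (mins)": "--reset-account-lockout-after",
}
# Assumed baseline (not from the page): complexity on, the 7-character minimum, and
# the lockout values from the post's `set` examples. A threshold of 0 never locks.
BASELINE = {
    "--complexity": "on",
    "--min-pwd-length": 7,
    "--account-lockout-threshold": 5,
    "--account-lockout-duration": 60,
    "--reset-account-lockout-after": 5,
}

def parse_show_output(text):
    """Map each `label: value` line of the show output to its `set` option."""
    settings = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        if sep and label in OPTION_FOR_LABEL:
            value = value.strip()
            settings[OPTION_FOR_LABEL[label]] = int(value) if value.isdigit() else value
    return settings
def audit(settings, baseline=BASELINE):
    """Return (option, current, wanted) for each setting that differs from the baseline."""
    return [(opt, settings.get(opt), wanted)
            for opt, wanted in baseline.items() if settings.get(opt) != wanted]
def remediation_commands(findings):
    return [f"samba-tool domain passwordsettings set {opt}={wanted}" for opt, _, wanted in findings]
```

Feed it the real `show` output and run the returned commands after review; on the constructed sample it reports only the three lockout settings.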


How to debug a multi-process C (C++) program with Eclipse CDT on Linux. Debug fork() in Eclipse CDT (translation)

1) Put a breakpoint onto lines you want debugging.

Set breakpoints where you want to debug.

2) In debug configuration enable "non-stop mode" and "automatically debug forked process".

In the debug configuration window, tick "non-stop mode" and "automatically debug forked process".

3) Start debug session. You will hit a breakpoint either in child or parent. Now see debug view.

Start debugging. The program stops at the breakpoint you set. You can also see the spawned processes in the Debug view.

Reference:

http://stackoverflow.com/questions/15467162/debug-fork-in-eclipse-cdt


Getting file paths in a Java web project

Getting file paths in a JSP

1. Absolute path corresponding to the root directory: request.getRequestURI();

2. Absolute path of the file: application.getRealPath(request.getRequestURI())

3. Absolute path of the current web application: application.getRealPath("/")

4. Parent directory of the requested file:

new File(application.getRealPath(request.getRequestURI())).getParent()
Getting file paths in a servlet

1. Absolute path corresponding to the root directory: request.getServletPath()

2. Absolute path of the file:

request.getSession().getServletContext().getRealPath(request.getRequestURI())

3. Absolute path of the current web application: servletConfig.getServletContext().getRealPath("/")

Note: ways of obtaining the ServletContext object:

javax.servlet.http.HttpSession.getServletContext()

javax.servlet.jsp.PageContext.getServletContext()

javax.servlet.ServletConfig.getServletContext()
Getting file paths in plain Java

1. Thread.currentThread().getContextClassLoader().getResource("").toURI().getPath()

2. MyClass.class.getClassLoader().getResource("").toURI().getPath()

3. ClassLoader.getSystemResource("").toURI().getPath()

4. MyClass.class.getResource("").toURI().getPath()

5. MyClass.class.getResource("/").toURI().getPath() // verified

6. new File("/").getAbsoluteFile().toURI().getPath()

7. new File(System.getProperty("user.dir")).toURI().getPath()

Reading a configuration file (imports, fields and a null check added to the original snippet; `log` is the class's logger, which the original does not show)
import java.io.IOException;
import java.io.InputStream;
import java.util.Properties;

public class CnDB {
    private String driver;
    private String url;
    private String fileName = "/biz_configuration.properties";

    public CnDB() {
        Properties p = new Properties();
        // getResourceAsStream returns null when the file is not on the classpath;
        // try-with-resources closes the stream even if load() throws
        try (InputStream in = CnDB.class.getResourceAsStream(fileName)) {
            if (in == null) {
                throw new IOException("resource not found: " + fileName);
            }
            p.load(in);
            if (p.containsKey("jdbc.driverClassName")) {
                this.driver = p.getProperty("jdbc.driverClassName");
            }
            if (p.containsKey("jdbc.url")) {
                this.url = p.getProperty("jdbc.url");
            }
        } catch (IOException ex) {
            log.error("配置文件" + fileName + "读取异常:" + ex);
        }
    }
}


Installing the Google Pinyin Chinese input method on CentOS 7

Official Google Pinyin source code
http://code.google.com/p/libgooglepinyin/
Download page
http://code.google.com/p/libgooglepinyin/downloads/list

The files I downloaded were
libgooglepinyin-0.1.1.tar.bz2
ibus-googlepinyin-0.1.2.tar.bz2

Original English installation instructions
http://code.google.com/p/libgooglepinyin/wiki/INSTALL

The commands actually run on the machine were as follows.
Install the dependencies
yum install libpinyin.x86_64 libpinyin-data.x86_64 libpinyin-devel.x86_64
yum install ibus-devel.x86_64
yum install ibus-pygtk2.noarch

Go to the download directory and unpack
cd /tmp
tar xvf libgooglepinyin-0.1.2.tar.bz2
tar xvf ibus-googlepinyin-0.1.2.tar.bz2
cd libgooglepinyin-0.1.2/
mkdir build
cd build/
cmake .. -DCMAKE_INSTALL_PREFIX=/usr
make
sudo make install

cd ../../ibus-googlepinyin/
mkdir build
cd build/
cmake .. -DCMAKE_INSTALL_PREFIX=/usr
make
sudo make install

Run the following command to test (no error output means success; press Ctrl+C to stop)
/usr/share/ibus-googlepinyin/main.py

Restart the ibus service
ibus restart

The Google input method can now be added through the graphical interface.


Setting up ASP.NET on Linux CentOS 7.1 (Apache + Mono)

Environment setup
Note: lines beginning with # are comments

Install the operating system, CentOS 7.1
# run the following commands in order
yum update -y
yum install httpd vim yum-utils
# put SELinux into non-enforcing mode
setenforce 0
vim /etc/sysconfig/selinux
# change: SELINUX=enforcing -> SELINUX=permissive
# stop firewalld and disable it at boot
systemctl stop firewalld
systemctl disable firewalld
# if a proxy is needed for internet access, set it in the following format
export http_proxy=http://192.168.1.2:3128
yum install -y http://mirrors.zju.edu.cn/epel/7/x86_64/e/epel-release-7-5.noarch.rpm
rpm --import "http://keyserver.ubuntu.com/pks/lookup?op=get&search=0x3FA7E0328081BFF6A14DA29AA6A19B38D3D831EF"
yum-config-manager --add-repo http://download.mono-project.com/repo/centos/
yum install mono  mono-complete referenceassemblies-pcl -y
yum install -y apache2-mod_mono.x86_64
# support for the .NET 4 framework
vim /etc/httpd/conf.d/mod_mono.conf
# content to add to mod_mono.conf:
MonoServerPath default /usr/bin/mod-mono-server4
AddMonoApplications default "/:/var/www/html"
<Location />
SetHandler mono
Require all granted
</Location>
# restart the apache service
systemctl restart httpd
With the settings above, the default web home page location is /var/www/html

*** Because of a character display issue, two consecutive half-width "-" in a parameter may be shown as a single "–" ***


SSH login hangs at expecting SSH2_MSG_KEX_DH_GEX_GROUP: solution one

The target host is a CentOS 6 instance on OpenStack. From some other CentOS 6 and 5 hosts, logging in to the target (password auth) works normally;
from CentOS 7, however, login fails.
The debug output shows
the SSH login hanging at expecting SSH2_MSG_KEX_DH_GEX_GROUP.
The DEBUG output at login is as follows:
ssh -v root@192.168.108.201
OpenSSH_6.4, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 51: Applying options for *
debug1: Connecting to 192.168.108.201 [192.168.108.201] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH_5*
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<3072<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP

After searching on Baidu, I found that the problem can be solved by editing /etc/ssh/ssh_config so that the line
MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
takes effect.

Solution two
Reportedly, when two VMs hosted on two different physical compute nodes of an OpenStack deployment run commands with large output over ssh, the session hangs.
After investigation, analysis, searching and experiments, the cause turned out to be the MTU:
before the change the MTU was 1500; it was changed to 1454.
Commands
ifconfig
eth0: flags=4163 mtu 1500
ip link set eth0 mtu 1454

OpenStack-side settings
In /etc/neutron/dhcp_agent.ini:

[DEFAULT]

dnsmasq_config_file = /etc/neutron/dnsmasq-neutron.conf
In /etc/neutron/dnsmasq-neutron.conf:

dhcp-option-force=26,1454
Now

killall dnsmasq
service neutron-dhcp-agent restart
