MAC-BASED PORT SECURITY ON EXTREME SWITCH




Type-1) Mac-based port security using local database

## mac based port security using local database ###

##create mac based netlogin for single port ##
create vlan Netlogin-test
configure netlogin vlan Netlogin-test
configure netlogin mac authentication database-order local
configure netlogin add mac-list 00:2a:00:00:ab
create netlogin local-user 002A0000AB 002A0000AB
enable netlogin mac
enable netlogin ports 40 mac

Note:- the local user database is not populated automatically; every MAC address has to be added by hand with the create netlogin local-user line above (the MAC is used as both username and password).

##create mac based netlogin for 10 ports ##
create vlan Netlogin-test
configure netlogin vlan Netlogin-test
configure netlogin mac authentication database-order local
configure netlogin add mac-list 00:2a:00:00:ab ------> a ports list can be appended to this line to restrict the mac address to specific ports
create netlogin local-user 002A0000AB 002A0000AB
enable netlogin mac
enable netlogin ports 30-40 mac

Note:- with this configuration the PC with the above mac address can be connected to any of the 10 ports (30 to 40) on the switch. In the same way multiple PCs can be allowed on multiple ports by adding one mac-list entry and one local-user per PC.


### Removing netlogin ##################
delete netlogin local-user 002A0000AB
configure netlogin delete mac-list 00:2a:00:00:ab
disable netlogin ports 40 mac
disable netlogin mac
unconfigure netlogin vlan
delete vlan Netlogin-test
#########################################


### to check the MAC addresses learned on the switch (FDB) ####
show fdb ports all
show fdb ports 40
############################################



Type-2) Mac-based port security using Radius Server

#############################################################
##radius server configuration for Port block (MAC-BASED)######
Requirement: a RADIUS server. The RADIUS client is part of EXOS by default.
#####
###Radius Server config in Centos 6###

#yum install freeradius freeradius-mysql freeradius-utils mysql-server
#service mysqld start
#/usr/bin/mysql_secure_installation
-- configure the mysql to your requirement ---
#mysql -u root -p
mysql>CREATE DATABASE radius;
mysql>GRANT ALL PRIVILEGES ON radius.* TO radius@localhost IDENTIFIED BY "radpass";
mysql>flush privileges;
mysql> use radius;
mysql>SOURCE /etc/raddb/sql/mysql/schema.sql
mysql>exit

#vi /etc/raddb/sql.conf
-- enter your mysql database details you just created, Example: ---

# Connection info:
server = "localhost"
#port = 3306
login = "radius"
password = "radpass"

# Database table configuration for everything except Oracle
radius_db = "radius"

#vi /etc/raddb/radiusd.conf
--- ensure that the following line is uncommented ---

$INCLUDE sql.conf

Edit /etc/raddb/sites-available/default and uncomment the line containing 'sql' in the authorize {} section
and 'sql' in the accounting {} section, also uncomment 'sql' under session {}.

Additionally, edit /etc/raddb/sites-available/inner-tunnel and
uncomment the line containing 'sql' under authorize {} and under session {}.

#vi /etc/raddb/clients.conf
--- set the shared secret for the switch; the same value is configured on the switch below ---

secret = trace1234

#service radiusd restart
#vi /etc/raddb/clients.conf
--- enter the client ip (the switch) in this file ---

Note:- whenever you make changes to client file restart the radius server

#service radiusd restart
#mysql -u root -p
mysql>use radius;
mysql>INSERT INTO `radcheck` (`id`, `username`, `attribute`, `op`, `value`) VALUES (1,'test','User-Password',':=','test');

---to remove the entry ----
mysql>delete from radcheck where id=1;
mysql>exit

-- check radius is working fine --
#radtest test test 127.0.0.1 0 trace1234

#chkconfig radiusd on
#chkconfig mysqld on

#### switch config #####


create vlan portsecurity
configure netlogin vlan "portsecurity"
configure netlogin mac authentication database-order radius
configure radius netlogin primary shared-secret trace1234
configure radius netlogin primary server 10.15.0.148 client-ip 10.1.0.205 vr "VR-Default" ---> VR-Default is the virtual router the RADIUS server is reached through; check with show vlan
configure netlogin add mac-list 00:2a:00:00:ab
enable radius netlogin
enable netlogin mac
enable netlogin ports 40 mac


Note:- the mac-list still has to be created manually on the switch, and the username and password the switch sends for that MAC have to exist in the radius server (radcheck table).
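As an added example (not from the original page, and not Extreme's or FreeRADIUS's code), the helper below turns a list of MAC addresses into the EXOS local-user commands of Type-1 and the radcheck rows of Type-2, and rejects truncated addresses such as the five-octet 00:2a:00:00:ab used above. It assumes the username/password format shown in the page's local-user line (12 uppercase hex digits, MAC as both); the ports option on mac-list and the Cleartext-Password attribute are real but not on the page.

```python
import re

# Assumption (labelled): EXOS MAC authentication presents the client's MAC as
# both username and password, written as 12 uppercase hex digits without
# separators, matching the page's local-user line "002A0000AB 002A0000AB".


def normalize_mac(mac: str) -> str:
    """Return the 12-hex-digit uppercase form used as username and password.

    Accepts 00:2a:00:00:ab:cd, 00-2A-00-00-AB-CD, 002a.0000.abcd or bare hex.
    Raises ValueError unless exactly six octets are present, which catches
    truncated entries such as the five-octet 00:2a:00:00:ab.
    """
    digits = re.sub(r"[:.\-\s]", "", mac)
    if not re.fullmatch(r"[0-9a-fA-F]{12}", digits):
        raise ValueError(f"not a 6-octet MAC address: {mac!r}")
    return digits.upper()


def is_valid_mac(mac: str) -> bool:
    """True when normalize_mac() accepts the address."""
    try:
        normalize_mac(mac)
    except ValueError:
        return False
    return True


def mac_colon_form(mac: str) -> str:
    """The xx:xx:xx:xx:xx:xx form used on the configure netlogin add mac-list line."""
    d = normalize_mac(mac).lower()
    return ":".join(d[i:i + 2] for i in range(0, 12, 2))


def exos_local_db_config(vlan: str, macs_ports: dict) -> list:
    """EXOS commands for Type-1 (local database) netlogin.

    macs_ports maps each MAC to the port list it may appear on, e.g.
    {"00:2a:00:00:ab:cd": "30-40"}; None means no port restriction.
    """
    cmds = [
        f"create vlan {vlan}",
        f"configure netlogin vlan {vlan}",
        "configure netlogin mac authentication database-order local",
    ]
    port_lists = set()
    for mac, ports in macs_ports.items():
        user = normalize_mac(mac)
        entry = f"configure netlogin add mac-list {mac_colon_form(mac)}"
        if ports:
            entry += f" ports {ports}"
            port_lists.add(ports)
        cmds.append(entry)
        # username and password are both the MAC, as in the page's example
        cmds.append(f"create netlogin local-user {user} {user}")
    cmds.append("enable netlogin mac")
    for ports in sorted(port_lists):
        cmds.append(f"enable netlogin ports {ports} mac")
    return cmds


def radcheck_sql(macs: list) -> list:
    """radcheck INSERT rows for Type-2 (RADIUS) netlogin.

    Cleartext-Password is the check attribute FreeRADIUS 2.x expects for a
    known-good plaintext password; the page's row uses the older User-Password
    name, which 2.x still accepts with a warning. The values are safe to
    interpolate because normalize_mac() only ever returns hex digits.
    """
    rows = []
    for mac in macs:
        user = normalize_mac(mac)
        rows.append(
            "INSERT INTO radcheck (username, attribute, op, value) "
            f"VALUES ('{user}', 'Cleartext-Password', ':=', '{user}');"
        )
    return rows


if __name__ == "__main__":
    for line in exos_local_db_config("Netlogin-test", {"00:2a:00:00:ab:cd": "30-40"}):
        print(line)
    print(*radcheck_sql(["00-2A-00-00-AB-CD"]), sep="\n")
```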


#####################################################################

#### Remove netlogin radius config on switch ######

configure netlogin delete mac-list EC:A8:6B:F5:13:A9 ------> the mac address that was added to the mac-list
disable netlogin ports 40 mac
disable netlogin mac
disable radius netlogin
unconfigure radius netlogin server primary
unconfigure netlogin vlan
#####################################################



Type-3) Mac-based port security using MAC-LOCKDOWN

### MAC-LOCKDOWN ##########

--- connect the PC to port 40 so that the switch learns its mac --
show fdb ports 40
--- once the mac is shown, run the command below to lock learning on that port; only the entries already learned stay valid ---
configure ports 40 vlan "Default" lock-learning

---- to allow another PC on the same port after locking, add its mac to the fdb manually (00:00:00:00:00:00 is a placeholder) ---
create fdbentry 00:00:00:00:00:00 vlan "Default" ports 40

--- To remove the fdb entry ---
delete fdbentry 00:00:00:00:00:00 vlan "Default"

--- to unlock --
configure ports 40 vlan "Default" unlock-learning
##############################################

Dumping MYSQL Database from Master and Restoring it to Slave






xtrabackup (online snapshot of mysql database without locking the tables)

#rpm -ivh http://www.percona.com/downloads/percona-release/percona-release-0.0-1.x86_64.rpm

#yum -y install percona-xtrabackup.x86_64

option 1
run the two commands below one after the other: the first takes the backup into a timestamped directory, the second prepares that directory (apply-log) so it can be restored

#nice -n20 innobackupex --parallel=5 /home/admin/downloads/mysql/
#nice -n20 innobackupex --apply-log /home/admin/downloads/mysql/2012-12-26_16-02-25


zip the contents of the above folder with tar -zcvf and download the archive to the slave server
mv the existing mysql data directory if it exists, create a new one with the same permissions and unzip the contents into this directory, then chown it to mysql.mysql -R
copy the contents of backup-my.cnf into the my.cnf file on the slave machine, replacing the existing settings if already present
cat the xtrabackup_binlog_info file in the mysql data directory to get the master log file name and position
type mysql followed by enter and run the CHANGE MASTER statement with those values:

CHANGE MASTER TO MASTER_HOST='server-IP',MASTER_USER='dbadmin',MASTER_PASSWORD='db9436mst',MASTER_LOG_FILE='master-bin.000972',MASTER_LOG_POS=16498231,MASTER_CONNECT_RETRY=5;

Linux Configure Firewall Using Shorewall Under RHEL / CentOS






What is Shorewall?

Usually, you write a complicated set of firewall rules using /etc/sysconfig/iptables or shell scripts. However, with shorewall you describe your firewall/gateway requirements using entries in a set of configuration files. Shorewall reads those configuration files and with the help of the iptables, iptables-restore, ip and tc utilities, Shorewall configures Netfilter and the Linux networking subsystem to match your requirements. Shorewall is not a simple and easy to use GUI tool.
Install shorewall on CentOS or RHEL
First, turn on EPEL repo and type the following yum command to install shorewall package

# yum install shorewall

A note about config files
1. The default configuration directory is located at /etc/shorewall/.
2. Shorewall global configuration file is located at /etc/shorewall/shorewall.conf. This file sets options that apply to Shorewall as a whole.
3. The /etc/shorewall/zones file declares your network zones. Rules about what traffic to allow and what traffic to deny are expressed in terms of zones.
4. The /etc/shorewall/interfaces file serves to define the firewall's network interfaces to Shorewall.
5. The /etc/shorewall/policy file defines the high-level policy for connections between zones defined in /etc/shorewall/zones.
6. To provide exceptions to policies, add rules to /etc/shorewall/rules. Use this file to open or close ports and so on.
7. To blacklist IPs, applications, MAC address, and subnets use the /etc/shorewall/blacklist file.

Rule status and ordering
Rule ordering in Shorewall matters: once a rule has matched, its action is performed and no other rule or policy is considered.
1. For each connection request entering the firewall, the request is first checked against the /etc/shorewall/rules file.
2. If no rule in that file matches the connection request then the first policy in /etc/shorewall/policy that matches the request is applied.
3. If there is a default action defined for the policy in /etc/shorewall/shorewall.conf then that action is invoked before the policy is enforced.

Configuration
Shorewall uses the concept of zones. You need to define the network using a set of zones as follows for the two network-interface configuration:
Configure /etc/shorewall/zones
Edit the file /etc/shorewall/zones, enter:
# vi /etc/shorewall/zones
Update the file as follows:
fw firewall
wan ipv4
lan ipv4


Shorewall recognizes the firewall system as its own zone. The name of the zone designating the firewall itself (usually 'fw' as shown in the above file) is stored in the shell variable $FW, which may be used throughout the Shorewall configuration to refer to the firewall zone. The wan and lan zones use ipv4, the standard Shorewall zone type, which is also the default if you leave that column empty.
Configure /etc/shorewall/interfaces
Next, you need to define the hosts in a zone. You associate a zone with a network interface using the /etc/shorewall/interfaces file. In the two-interface sample, the two zones are defined using that file as follows. Edit the file /etc/shorewall/interfaces, enter:

# vi /etc/shorewall/interfaces

Append the following entries:

wan eth1 - routefilter,blacklist,tcpflags,logmartians,nosmurfs
lan eth0


The above file defines the wan zone as all IPv4 hosts reached through eth1 and the lan zone as all IPv4 hosts reached through eth0. The wan interface eth1 has additional protection against common internet attacks:
1. routefilter - Turn on kernel route filtering for this interface i.e. turn on anti-spoofing measurements.
2. blacklist - Check packets arriving on this interface against the /etc/shorewall/blacklist file. The blacklist file is used to perform static blacklisting. You can blacklist by source address (IP or MAC), or by application.
3. tcpflags - Packets arriving on this interface are checked for certain illegal combinations of TCP flags such as xmas, null or otherwise invalid packets. Packets found to have such a combination of flags are dropped (see the setting of the TCP_FLAGS_DISPOSITION option in shorewall.conf) after having been logged to /var/log/messages (see the setting of TCP_FLAGS_LOG_LEVEL in shorewall.conf).
4. logmartians - Turn on kernel martian logging (logging of packets with impossible source addresses). It is strongly suggested that if you set routefilter on an interface that you also set logmartians.
5. nosmurfs - Filter packets for smurfs (packets with a broadcast address as the source) i.e. turn on anti-smurf protection.

Configure /etc/shorewall/policy
You express your default policy for connections from one zone to another zone in the /etc/shorewall/policy file. The basic choices for policy are:
1. ACCEPT - Accept the connection.
2. DROP - Ignore the connection request.
3. REJECT - Return an appropriate error to the connection request.
4. Connection request logging may be specified as part of a policy and it is conventional (and highly recommended) to log DROP and REJECT policies.
Edit the file /etc/shorewall/policy, enter:

# vi /etc/shorewall/policy

Append the policy:

## allow lan to all and firewall to all (outgoing to internet) but no traffic from wan/internet to lan or firewall itself
lan all ACCEPT
$FW all ACCEPT
wan all DROP info
# this must be last rule
all all REJECT info

Save and close the file.

Configure /etc/shorewall/rules
Entries in this file govern connection establishment by defining exceptions to the policies laid out in the /etc/shorewall/policy file. Use this file to open or close TCP/UDP ports. You can allow access to application servers such as FTP, HTTP, HTTPS and many more using the macros defined in the /usr/share/shorewall/macro.* files. The columns are:

#ACTION SOURCE DEST PROTO DEST PORT(S)

For example, to open port 22 from wan (internet) to firewall, enter:
ACCEPT wan $FW tcp 22

You have a policy of ignoring all connection attempts from the wan zone (from the Internet); the above exception to that policy allows you to connect to the SSH server running on your firewall. You can now open ports 80 and 443 so that clients can reach the reverse proxy server running on the firewall:

## open port 443 from the wan to the nginx running on 202.54.1.1:443 on your firewall.
HTTPS/ACCEPT wan $FW:202.54.1.1 - 443
## open port 80 from the wan to the nginx running on 202.54.1.1:80 and 202.54.1.2:80 on your firewall.
HTTP/ACCEPT wan $FW:202.54.1.1,202.54.1.2 - 80
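As an added example (not part of the original page, and not Shorewall's own code), the model below applies the page's zones, policy and rules in the order described earlier under rule ordering (rules first, then the first matching policy line) so you can predict what a given connection gets before restarting the firewall. The macro table is an assumed, minimal stand-in for /usr/share/shorewall/macro.*, which carries more columns than modelled here.

```python
from dataclasses import dataclass
from typing import Optional

FW = "fw"                     # the $FW zone from /etc/shorewall/zones
ZONES = {"fw", "wan", "lan"}

# Assumed minimal stand-in for /usr/share/shorewall/macro.*: name -> (proto, port)
MACROS = {"HTTP": ("tcp", "80"), "HTTPS": ("tcp", "443"), "SSH": ("tcp", "22")}


@dataclass
class Rule:
    action: str
    src: str        # zone, optionally "zone:ip1,ip2"
    dst: str
    proto: str      # "tcp", "udp" or "-"
    dport: str      # port number or "-"


@dataclass
class Conn:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int
    dst_ip: Optional[str] = None


def parse_rule(line: str) -> Rule:
    """Parse one rules-file line; a MACRO/ACTION prefix fills proto and port."""
    f = line.split()
    action, src, dst = f[0], f[1], f[2]
    proto = f[3] if len(f) > 3 else "-"
    dport = f[4] if len(f) > 4 else "-"
    if "/" in action:
        macro, action = action.split("/", 1)
        m_proto, m_port = MACROS[macro]
        proto = m_proto if proto == "-" else proto
        dport = m_port if dport == "-" else dport
    return Rule(action, src, dst, proto, dport)


def _zone_hosts(spec: str):
    """Split 'zone' or 'zone:host,host' into (zone, set-of-hosts-or-None)."""
    zone, _, hosts = spec.partition(":")
    zone = FW if zone == "$FW" else zone
    if zone not in ZONES | {"all"}:
        raise ValueError(f"unknown zone {zone!r}")
    return zone, (set(hosts.split(",")) if hosts else None)


def rule_matches(rule: Rule, c: Conn) -> bool:
    src_zone, _ = _zone_hosts(rule.src)
    dst_zone, hosts = _zone_hosts(rule.dst)
    if src_zone not in ("all", c.src_zone) or dst_zone not in ("all", c.dst_zone):
        return False
    if hosts is not None and c.dst_ip not in hosts:
        return False
    if rule.proto != "-" and rule.proto != c.proto:
        return False
    return rule.dport == "-" or int(rule.dport) == c.dport


def decide(rules, policies, c: Conn) -> str:
    """Rules are checked first; otherwise the first matching policy line wins."""
    for r in rules:
        if rule_matches(r, c):
            return r.action
    for src, dst, action in policies:
        src = FW if src == "$FW" else src
        if src in ("all", c.src_zone) and dst in ("all", c.dst_zone):
            return action
    raise ValueError("no policy matched: the final 'all all REJECT' line is missing")


# The page's /etc/shorewall/policy, in file order: (SOURCE, DEST, POLICY)
POLICY = [("lan", "all", "ACCEPT"), ("$FW", "all", "ACCEPT"),
          ("wan", "all", "DROP"), ("all", "all", "REJECT")]

# The page's /etc/shorewall/rules
RULES = [parse_rule(l) for l in (
    "ACCEPT wan $FW tcp 22",
    "HTTPS/ACCEPT wan $FW:202.54.1.1 - 443",
    "HTTP/ACCEPT wan $FW:202.54.1.1,202.54.1.2 - 80",
)]


def check(src_zone, dst_zone, proto, dport, dst_ip=None) -> str:
    return decide(RULES, POLICY, Conn(src_zone, dst_zone, proto, dport, dst_ip))


if __name__ == "__main__":
    print(check("wan", "fw", "tcp", 22))                   # ACCEPT (rule)
    print(check("wan", "fw", "tcp", 443, "202.54.1.2"))    # DROP (policy)
    print(check("wan", "lan", "tcp", 80, "192.168.1.5"))   # DROP (policy)
```

The second call shows the point of the host-qualified DEST column: HTTPS to 202.54.1.2 is not covered by the 443 rule, so it falls through to the wan DROP policy.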


Configure /etc/shorewall/blacklist
Edit the file /etc/shorewall/blacklist, enter:
# vi /etc/shorewall/blacklist
Block 202.53.1.0/24 subnet and 190.1.2.3 IP address:
202.53.1.0/24
190.1.2.3
Save and close the file.

Check the firewall configuration for errors
Type the following command:

# vi /etc/shorewall/shorewall.conf

Find the line:

STARTUP_ENABLED=No

Replace with:

STARTUP_ENABLED=Yes

Save and close the file. Shorewall uses a "compile" then "execute" approach. The Shorewall configuration compiler reads the configuration files and generates a shell script. Errors in the compilation step cause the script to be discarded and the command to be aborted. If the compilation step doesn't find any errors then the shell script is executed. To check for errors, enter:

# shorewall check
How do I start / stop / restart shorewall?
Type the following commands (warning poorly configured firewall rules may block out your remote access including ssh, so be careful when you type the following commands):
# service shorewall start
# service shorewall stop
# service shorewall restart
# service shorewall status
OR
# /etc/init.d/shorewall start
# /etc/init.d/shorewall stop
# /etc/init.d/shorewall restart
# /etc/init.d/shorewall status

To turn on shorewall at boot time, enter:

# chkconfig shorewall on

How do I list firewall rules?
Type the following command:

# shorewall show
# shorewall show | less

How do I see the IP connections currently being tracked by the firewall?

# shorewall show connections

How do I see firewall logs?

# shorewall show hits
# shorewall show hits|less

How do I display my kernel/iptables capabilities?

# shorewall show capabilities

The shorewall command and the firewall configuration files offer many more options. I recommend that you read the shorewall command man page for more information.

IP Forwarding Using Port



#vi /etc/sysctl.conf

Change the 0 to 1 in the shown line

# Controls IP packet forwarding
net.ipv4.ip_forward = 0

#iptables -I FORWARD -p tcp -d 172.20.1.12 --dport 8888 -j ACCEPT

#iptables -t nat -A PREROUTING -i lo -p tcp --dport 8888 -j DNAT --to-destination 172.20.1.12:8888

#iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

#service iptables reload

GLusterfs Replication Setup




Note:- you can create a partition, mount it on the directory created below and then follow the steps. If you do not create a partition and simply create the directory under /, the bricks will use the space of the / partition.
In this tutorial I use three systems, two servers and a client:
server1.example.com: IP address 192.168.0.100 (server)
server2.example.com: IP address 192.168.0.101 (server)
client1.example.com: IP address 192.168.0.102 (client)
Server setup

#vi /etc/hosts
192.168.0.100 server1.example.com server1
192.168.0.101 server2.example.com server2
192.168.0.102 client1.example.com client1
:wq!
(It is also possible to use IP addresses instead of hostnames in the following setup. If you prefer to use IP addresses, you don't have to care about whether the hostnames can be resolved or not.)

#yum install libibverbs-devel fuse-devel
#wget http://ftp.gluster.com/pub/gluster/glusterfs/2.0/LATEST/glusterfs-2.0.9.tar.gz
Or
#wget http://pkgs.fedoraproject.org/repo/pkgs/glusterfs/glusterfs-2.0.9.tar.gz/0467740f423e32bdf2f66d2cf63467f3/glusterfs-2.0.9.tar.gz

#tar xvzf glusterfs-2.0.9.tar.gz
#cd glusterfs-2.0.9
#./configure
#make && make install
#ldconfig
#glusterfs --version
#mkdir -p /data/export
#mkdir /etc/glusterfs
#vi /etc/glusterfs/glusterfsd.vol
volume posix
type storage/posix
option directory /data/export
end-volume

volume locks
type features/locks
subvolumes posix
end-volume

volume brick
type performance/io-threads
option thread-count 8
subvolumes locks
end-volume

volume server
type protocol/server
option transport-type tcp
option auth.addr.brick.allow 192.168.0.102
subvolumes brick
end-volume

:wq!
Please note that it is possible to use wildcards for the IP addresses (like 192.168.*) and that you can specify multiple IP addresses separated by comma (e.g. 192.168.0.102,192.168.0.103).

Afterwards we create the following symlink...
#ln -s /usr/local/sbin/glusterfsd /sbin/glusterfsd
and then the system startup links for the GlusterFS server and start it
#chkconfig --levels 35 glusterfsd on
#/etc/init.d/glusterfsd start
Same configuration for server-2 also.

Client setup
#yum install libibverbs-devel fuse-devel
Then we load the fuse kernel module...
#modprobe fuse
and create the file /etc/rc.modules with the following contents so that the fuse kernel module will be loaded automatically whenever the system boots
#vi /etc/rc.modules
modprobe fuse
:wq!
# chmod +x /etc/rc.modules
#wget http://ftp.gluster.com/pub/gluster/glusterfs/2.0/LATEST/glusterfs-2.0.9.tar.gz
Or
#wget http://pkgs.fedoraproject.org/repo/pkgs/glusterfs/glusterfs-2.0.9.tar.gz/0467740f423e32bdf2f66d2cf63467f3/glusterfs-2.0.9.tar.gz
#tar xvzf glusterfs-2.0.9.tar.gz
#cd glusterfs-2.0.9
#./configure
#make && make install
#ldconfig
#mkdir /mnt/glusterfs
#mkdir /etc/glusterfs
#vi /etc/glusterfs/glusterfs.vol
volume remote1
type protocol/client
option transport-type tcp
option remote-host server1.example.com
option remote-subvolume brick
end-volume

volume remote2
type protocol/client
option transport-type tcp
option remote-host server2.example.com
option remote-subvolume brick
end-volume

volume replicate
type cluster/replicate
subvolumes remote1 remote2
end-volume

volume writebehind
type performance/write-behind
option window-size 1MB
subvolumes replicate
end-volume

volume cache
type performance/io-cache
option cache-size 512MB
subvolumes writebehind
end-volume

:wq!
Make sure you use the correct server hostnames or IP addresses in the option remote-host lines!
That's it! Now we can mount the GlusterFS filesystem to /mnt/glusterfs with one of the following two commands:

#glusterfs -f /etc/glusterfs/glusterfs.vol /mnt/glusterfs
or
#mount -t glusterfs /etc/glusterfs/glusterfs.vol /mnt/glusterfs
#mount
#df -h
If you get the error "Transport endpoint is not connected", check in the glusterfsd.vol file on the server that the ip in "option auth.addr.brick.allow 192.168.0.102" is the client's ip, then mount the file system again.
For permanent mounting make entry in fstab file
#vi /etc/fstab
/etc/glusterfs/glusterfs.vol /mnt/glusterfs glusterfs defaults 0 0

:wq!

For testing, create files and check the replication on each server as well as on the client.
Testing GLuster
Now let's create some test files on the GlusterFS share:
client1.example.com:
#touch /mnt/glusterfs/test1
#touch /mnt/glusterfs/test2
Now let's check the /data/export directory on server1.example.com and server2.example.com. The test1 and test2 files should be present on each node:
server1.example.com/server2.example.com:
#ls -l /data/export
[root@server1 ~]# ls -l /data/export
total 0
-rw-r--r-- 1 root root 0 2010-02-22 16:50 test1
-rw-r--r-- 1 root root 0 2010-02-22 16:50 test2
[root@server1 ~]#
Now we shut down server1.example.com and add/delete some files on the GlusterFS share on client1.example.com.
server1.example.com:
#shutdown -h now
client1.example.com:
#touch /mnt/glusterfs/test3
#touch /mnt/glusterfs/test4
#rm -f /mnt/glusterfs/test2
The changes should be visible in the /data/export directory on server2.example.com:
server2.example.com:
#ls -l /data/export
[root@server2 ~]# ls -l /data/export
total 0
-rw-r--r-- 1 root root 0 2010-02-22 16:50 test1
-rw-r--r-- 1 root root 0 2010-02-22 16:53 test3
-rw-r--r-- 1 root root 0 2010-02-22 16:53 test4
[root@server2 ~]#
Let's boot server1.example.com again and take a look at the /data/export directory:
server1.example.com:
#ls -l /data/export
[root@server1 ~]# ls -l /data/export
total 0
-rw-r--r-- 1 root root 0 2010-02-22 16:50 test1
-rw-r--r-- 1 root root 0 2010-02-22 16:50 test2
[root@server1 ~]#
As you see, server1.example.com hasn't noticed the changes that happened while it was down. This is easy to fix, all we need to do is invoke a read command on the GlusterFS share on client1.example.com, e.g.:
client1.example.com:
#ls -l /mnt/glusterfs/
[root@client1 ~]# ls -l /mnt/glusterfs/
total 0
-rw-r--r-- 1 root root 0 2010-02-22 16:50 test1
-rw-r--r-- 1 root root 0 2010-02-22 16:53 test3
-rw-r--r-- 1 root root 0 2010-02-22 16:53 test4
[root@client1 ~]#
Now take a look at the /data/export directory on server1.example.com again, and you should see that the changes have been replicated to that node:
server1.example.com:
#ls -l /data/export
[root@server1 ~]# ls -l /data/export
total 0
-rw-r--r-- 1 root root 0 2010-02-22 16:50 test1
-rw-r--r-- 1 root root 0 2010-02-22 16:53 test3
-rw-r--r-- 1 root root 0 2010-02-22 16:53 test4
[root@server1 ~]#
Note:- there is no limit on the number of servers and clients; the configuration is the same for each.

SAMBA 4 ACTIVE-DIRECTORY CONFIGURATION



Note:- disable selinux and the firewall before starting, and remove any old version of samba if present.

Here are the steps:
Centos 6 or Higher
Configure DNS First
Note:- DNS should be working before samba is provisioned.
# yum install bind*
# vi /etc/named.conf
Append below the line "recursion yes;":
forwarders {172.20.1.9; 8.8.8.8; };  <--- your upstream dns ip if available; otherwise create the forward zone and reverse zone and the complete dns configuration
allow-query { localhost; };  <--- change localhost to any
save file and exit
# service named restart
#vi /etc/resolv.conf
Append
nameserver {your ip address}

save and exit

#service named restart
# host -t A domain.sarien.com.

#nslookup domain.sarien.com

It should show your ip address
Note:- create an acl line if required.
# yum remove samba*


# yum install libacl-devel e2fsprogs-devel gnutls-devel readline-devel python-devel gdb gcc gcc-c++ cups-devel pam-devel ctdb-devel openldap-devel libsmbclient libacl-devel libblkid-devel gnutls-devel readline-devel python-devel gdb pkgconfig krb5-workstation zlib-devel setroubleshoot-server setroubleshoot-plugins policycoreutils-python popt-devel libpcap-devel sqlite-devel libidn-devel libsemanage-python setools-libs-python setools-libs libxml2-devel libacl-devel libsepol-devel libattr-devel keyutils-libs-devel cyrus-sasl-devel

1) Install the needed packages for Python 2.7 first
#yum groupinstall "Development tools"
#yum install zlib-devel
#yum install bzip2-devel
#yum install openssl-devel
#yum install ncurses-devel
#yum install readline-devel

2) Download the Python source code. (You can also use the latest 3.x version)
#wget http://www.python.org/ftp/python/2.7.3/Python-2.7.3.tar.bz2
#tar xvf Python-2.7.3.tar.bz2
#cd Python-2.7.3
#./configure --prefix=/usr/local --with-threads --enable-shared
#make && make install
         Take note: use make altinstall instead if you want to keep two Pythons side by side (the system Python 2.4 and the new Python 2.7).

#ln -s /usr/local/lib/libpython2.7.so.1.0 /usr/lib

         If the shared library is not at that path, search for it (find / -name 'libpython2.7.so*').

3) Check that the python version is correct.
#python -V
       Python 2.7.3
#python
       Python 2.7.3 (default, Jan  23 2013, 16:43:58)
       [GCC 4.1.2 20080704 (Red Hat 4.1.2-46)] on linux2
       Type "help", "copyright", "credits" or "license" for more information.
       >>>

4) Optional (run before the check in step 3)
#wget  http://pypi.python.org/packages/source/d/distribute/distribute-0.6.27.tar.gz

#tar xvf distribute-0.6.27.tar.gz
#cd  distribute-0.6.27
#python2.7 setup.py install
#easy_install-2.7 virtualenv

5) Finally check that yum still works (it depends on the system Python)
#yum search elinks


Then refer to the samba howto for details. If an earlier samba build is present, clean it out first:
#git clean -x -f -d
#rm -rf /usr/local/samba


To update python
#export PATH=/PATH/TO/PYTHON2.7/BIN:$PATH
#python -V


# yum install git

# git clone -b v4-0-stable git://git.samba.org/samba.git samba-v4-0-stable

# cd samba-v4-0-stable
# ./configure --enable-debug --enable-selftest
# make
If everything reports okay you can then install samba:
# make install

------Samba restart stop start script----

#vi /etc/init.d/samba4

#! /bin/bash
#
# samba4 Bring up/down samba4 service
#
# chkconfig: - 90 10
# description: Activates/Deactivates all samba4 interfaces
# configured to start at boot time.
#
### BEGIN INIT INFO
# Provides: samba4
# Should-Start:
# Short-Description: Bring up/down samba4
# Description: Bring up/down samba4
### END INIT INFO
# Source function library.
. /etc/init.d/functions

if [ -f /etc/sysconfig/samba4 ]; then
    . /etc/sysconfig/samba4
fi

CWD=$(pwd)
prog="samba4"
pidfile=/usr/local/samba/var/run/smbd.pid

start() {
    # Start the samba daemon; it forks into the background on its own.
    echo -n $"Starting $prog: "
    /usr/local/samba/sbin/samba
    sleep 2
    if ps ax | grep -v "grep" | grep -q /samba/sbin/samba ; then success $"samba4 startup"; else failure $"samba4 startup"; fi
    echo
}
stop() {
    # Stop service.
    echo -n $"Shutting down $prog: "
    killall samba
    sleep 2
    if ps ax | grep -v "grep" | grep -q /samba/sbin/samba ; then failure $"samba4 shutdown"; else success $"samba4 shutdown"; fi
    echo
}
status() {
    # Report on the pid file and print the build information of the running binary.
    if [ -e "$pidfile" ]
    then
        echo -n " Process running ..."
        cat $pidfile
        sleep 1
        /usr/local/samba/sbin/samba --show-build
    else
        echo " Process not running..."
    fi
}

# See how we were called.
case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    status)
        status
        ;;
    restart|reload)
        stop
        start
        ;;
    *)
        echo $"Usage: $0 {start|stop|restart|status}"
        exit 1
esac

exit 0

:wq!


# chmod 755 /etc/init.d/samba4
# chown root:root /etc/init.d/samba4
# chkconfig --add samba4


Creating Domain

# /usr/local/samba/bin/samba-tool domain provision
The 'domain provision' tool should pick defaults for you automatically. Change them to match your configuration if necessary:
Realm [SARIEN.COM]: (press Enter)
Domain [SARIEN]: (press Enter)
Server Role (dc, member, standalone) [dc]: (press Enter)
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: (press Enter)
DNS forwarder IP address (write 'none' to disable forwarding) [your dns ip address]:
Administrator password:
Retype password:
If above was successful, stdout should look similar to this:
Creating CN=MicrosoftDNS,CN=System,DC=SARIEN,DC=com
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role: active directory domain controller
Hostname: samba
NetBIOS Domain: SARIEN
DNS Domain: SARIEN.com
DOMAIN SID: S-1-5-xx-xxxxxxxxxx-xxxxxxxxx-xxxxxxxxxx

Note:- if the above process fails, delete the file /usr/local/samba/etc/smb.conf and rerun the command /usr/local/samba/bin/samba-tool domain provision

# /etc/init.d/samba4 start
Or
# service samba4 start

REBOOT THE SYSTEM


----To check----

# /usr/local/samba/sbin/samba -V
Version 4.0.5
# /usr/local/samba/bin/smbclient --version
Version 4.0.5
# /usr/local/samba/bin/smbclient -L localhost -U%
Output-----

Domain=[SARIEN] OS=[Unix] Server=[Samba 4.1.0pre1-GIT-c1fb37d]

Sharename Type Comment
--------- ---- -------
netlogon Disk
sysvol Disk
IPC$ IPC IPC Service (Samba 4.1.0pre1-GIT-c1fb37d)
Domain=[SARIEN] OS=[Unix] Server=[Samba 4.1.0pre1-GIT-c1fb37d]

Server Comment
--------- -------

Workgroup Master
--------- -------

Note:- if the above output does not appear or an error is shown, restart samba4


# cat /usr/local/samba/etc/smb.conf

Output-----
# Global parameters
[global]
workgroup = SARIEN
realm = SARIEN.COM
netbios name = SAMBA
server role = active directory domain controller
dns forwarder = {your ip address}

[netlogon]
path = /usr/local/samba/var/locks/sysvol/SARIEN.com/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No


Configure Kerberos
In CentOS 6.3 or 6.4, kerberos is handled by the '/etc/krb5.conf' file. Make a backup copy of this original file, and then replace the existing file, if any, with the sample from /usr/local/samba/share/setup/krb5.conf.
# cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf

Edit the file and replace ${REALM} with the value you chose for the '--realm' parameter of the provision command earlier; make sure to enter the realm in uppercase letters. It should look something like this:
# vi /etc/krb5.conf
[libdefaults]
default_realm = SARIEN.COM
dns_lookup_realm = false
dns_lookup_kdc = true
:wq!

Testing Kerberos
The simplest test is to use the 'kinit' command as follows:
# kinit administrator@SARIEN.COM
Password for administrator@SARIEN.COM:
Warning: Your password will expire in 41 days on Sun Feb 3 14:21:51 2013
NOTE: You must specify your domain realm SARIEN.COM in uppercase letters!!
Apart from the password prompt and the expiry warning, 'kinit' prints nothing. To verify that Kerberos is working, and that you received a ticket, run the klist command below.

If you get the error "kinit: Cannot resolve servers for KDC in realm", check that the nameserver entry in resolv.conf is correct.


# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@SARIEN.COM

Valid starting Expires Service principal
12/23/12 15:39:28 12/24/12 01:39:28 krbtgt/SARIEN.COM@SARIEN.COM
renew until 12/24/12 15:39:19



NTP (Network Time Protocol)
Make sure that 'ntpd' is running and installed. If 'ntpd' is not installed you can install it with YUM:
# yum install ntp
Enable ntpd:
# /etc/init.d/ntpd start
Also, use the 'chkconfig' command to have ntpd run at boot:
# chkconfig ntpd on
NOTE: CORRECT TIME IS IMPORTANT FOR KERBEROS TO FUNCTION CORRECTLY. MAKE SURE NTPD IS RUNNING ON THE SAMBA SERVER AND THAT YOU SET THE WINDOWS CLIENT TO THE MOST ACCURATE TIME POSSIBLE! THE WINDOWS CLIENT TIME SHOULD BE SET TO THE EXACT TIME OF THE SAMBA 4 SERVER WITHIN A FEW SECONDS IF POSSIBLE.

Users, groups and OUs can now be created from the command line; alternatively, install the Windows Remote Server Administration Tools on a Windows machine to perform these tasks. Download the tools from the links provided below.


Windows 7

http://www.microsoft.com/downloads/details.aspx?FamilyID=7D2F6AD7-656B-4313-A005-4E344E43997D&displaylang=en

Windows Vista

http://www.microsoft.com/downloads/details.aspx?FamilyId=9FF6E897-23CE-4A36-B7FC-D52065DE9960&displaylang=en (Vista)

Windows XP Administration Tools Pack & Support Tools

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=86b71a4f-4122-44af-be79-3f101e533d95

http://download.microsoft.com/download/3/e/4/3e438f5e-24ef-4637-abd1-981341d349c7/WindowsServer2003-KB892777-SupportTools-x86-ENU.exe



After you have created some users, you can also set up roaming profiles if required.




# mkdir /usr/local/samba/var/profiles
# vi /usr/local/samba/etc/smb.conf

Append the following to the file

[profiles]
path = /usr/local/samba/var/profiles
read only = no

Now log in to Windows, start Active Directory Users and Computers, select all the users, right click and open Properties. Under the Profile tab, in the Profile path, type the path to your share followed by %USERNAME% as follows:

\\sambaserver.linuxdrops.com\profiles\%USERNAME%

Now login with one of the users and, you should see that the profile has been synced onto the samba server.




