Aktuelle Version vom 8. September 2014, 13:30 Uhr

auf dem domain controller

kinit administrator
samba-tool dns add localhost  xinux.lan dewey A 192.168.244.152

Installation

Interface anpassen

vi /etc/network/interfaces

auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
 address 192.168.244.152
 netmask 255.255.248.0
 gateway 192.168.240.100
 dns-nameservers 192.168.240.200
 dns-search xinux.org

hosts anpassen

vi /etc/hosts
127.0.0.1       localhost
192.168.244.152 dewey dewey.xinux.org 
echo dewey.xinux.org > /etc/hostname
reboot

samba4 installieren

apt-get install samba smbclient winbind ntp libnss-winbind krb5-user acl

/etc/samba/smb.conf

[global]
   workgroup = XINUX
   security = ADS
   realm = XINUX.LAN
   encrypt passwords = yes

   idmap config XINUX:backend = ad
   idmap config *:backend = tdb
   idmap config * : range = 1000000-1999999
   idmap config XINUX:schema_mode = rfc2307
   idmap config XINUX:range = 10000-99999

   winbind nss info = rfc2307
   winbind trusted domains only = no
   winbind use default domain = yes
   winbind enum users  = yes
   winbind enum groups = yes

/etc/krb5.conf

[libdefaults]
...
[realms]
        XINUX.LAN = {
                kdc = gondor.xinux.lan
                admin_server = gondor.xinux.lan
                }

....

domaine beitreten

net ads join -U administrator
Enter administrator's password:
Using short domain name -- XINUX
Joined 'DEWEY' to dns domain 'xinux.lan'

nsswitch.conf ändern

passwd:         compat winbind
group:          compat winbind

winbind restart

service winbind restart

ist winbind is "pingbar

root@fenetre:~# wbinfo -p
Ping to winbindd succeeded

anzeigen der userliste

root@fenetre:~# wbinfo -u
Administrator
Guest
krbtgt

funtioniert nsswitch

 
getent passwd | grep 700
administrator:*:70001:70005:Administrator:/home/XINUX/administrator:/bin/false
dns-gondor:*:70002:70005:dns-gondor:/home/XINUX/dns-gondor:/bin/false
krbtgt:*:70003:70005:krbtgt:/home/XINUX/krbtgt:/bin/false
thomas:*:70004:70005:thomas:/home/XINUX/thomas:/bin/false
guest:*:70005:70006:Guest:/home/XINUX/guest:/bin/false
squid:*:70006:70005:squid:/home/XINUX/squid:/bin/false

https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto

@@ Zeile 1: / Zeile 1: @@
+=auf dem domain controller=
+ kinit administrator
+ samba-tool dns add localhost  xinux.lan dewey A 192.168.244.152
 =Installation=
 ==Interface anpassen==
@@ Zeile 29: / Zeile 33: @@
     workgroup = XINUX
     security = ADS
-    realm = XINUX.ORG
+    realm = XINUX.LAN
     encrypt passwords = yes
+   idmap config XINUX:backend = ad
     idmap config *:backend = tdb
-    idmap config *:range = 70001-80000
+    idmap config * : range = 1000000-1999999
-    idmap config SAMDOM:backend = ad
+    idmap config XINUX:schema_mode = rfc2307
-   idmap config SAMDOM:schema_mode = rfc2307
+    idmap config XINUX:range = 10000-99999
-    idmap config SAMDOM:range = 500-40000
     winbind nss info = rfc2307
@@ Zeile 50: / Zeile 54: @@
 ...
 [realms]
-         XINUX.ORG = {
+         XINUX.LAN = {
-                 kdc = gondor.xinux.org
+                 kdc = gondor.xinux.lan
-                 admin_server = gondor.xinux.org
+                 admin_server = gondor.xinux.lan
+                }
 ....
 </pre>
-==smbversion, share und auth check==
+==domaine beitreten==
-===smbversion===
-Diese sollten übereinstimmen:
- root@fenetre:~# samba -V
- Version 4.1.6-Ubuntu
- root@fenetre:~# smbclient -V
- Version 4.1.6-Ubuntu
-===shares anzeigen:===
 <pre>
-root@fenetre:~# smbclient -L localhost -U%
+net ads join -U administrator
-Domain=[XINUX] OS=[Unix] Server=[Samba 4.1.6-Ubuntu]
+Enter administrator's password:
+Using short domain name -- XINUX
-	Sharename       Type      Comment
+Joined 'DEWEY' to dns domain 'xinux.lan'
-	---------       ----      -------
-	netlogon        Disk
-	sysvol          Disk
-	IPC$            IPC       IPC Service (Samba 4.1.6-Ubuntu)
-Domain=[XINUX] OS=[Unix] Server=[Samba 4.1.6-Ubuntu]
-	Server               Comment
-	---------            -------
-	Workgroup            Master
-	---------            -------
-	WORKGROUP
 </pre>
-===Authentication check:===
-<pre>
-root@fenetre:~# smbclient //localhost/netlogon -UAdministrator%"Z0pp0Trump" -c 'ls'
-Domain=[XINUX] OS=[Unix] Server=[Samba 4.1.6-Ubuntu]
-  .                                   D        0  Thu Apr 24 15:51:50 2014
-  ..                                  D        0  Thu Apr 24 15:51:54 2014
-blocks of size 524288. 47502 blocks available
-</pre>
-==DNS setzen==
-===Forwarder eintragen===
- sudo vi  /etc/samba/smb.conf
-füge hinzu: (Man kann natürlich auch seinen eigenen DNS angeben)
- dns forwarder = 192.168.240.21
-===Check===
-<pre>
-DOMAIN="xinux.lan"
-CONTROLLER="fenetre"
-host -t SRV _ldap._tcp.$DOMAIN
-_ldap._tcp.xinux.lan has SRV record 0 100 389 fenetre.xinux.lan.
-host -t SRV _kerberos._udp.$DOMAIN
-_kerberos._udp.xinux.lan has SRV record 0 100 88 fenetre.xinux.lan.
-host -t A $CONTROLLER.$DOMAIN
-fenetre.xinux.lan has address 192.168.240.199
-</pre>
-==Kerberos==
- cp /var/lib/samba/private/krb5.conf  /usr/share/samba/setup/krb5.conf
-==Share hinzufügen==
- mkfs.ext4 /dev/vdb1
- mkdir /share
- echo "/dev/vdb1  /share   ext4 user_xattr,acl 0 0" >> /etc/fstab
- mount -a
- mkdir -m 770 /share
- chmod g+s /share
- chown root:users /share
- vi /etc/samba/smb.conf
-füge das ein:
- [share]
-  directory_mode: parameter = 0700
-  read only = no
-  path = /share
-  csc policy = documents
-==Share testen==
- root@fenetre:~# smbclient -L localhost -U% | grep share
- Domain=[XINUX] OS=[Unix] Server=[Samba 4.1.6-Ubuntu]
- Domain=[XINUX] OS=[Unix] Server=[Samba 4.1.6-Ubuntu]
- 	share           Disk
-==Winbind==
-===winbind link setzen===
- ln -s /lib/x86_64-linux-gnu/libnss_winbind.so.2 /lib/x86_64-linux-gnu/libnss_winbind.so
 ===nsswitch.conf ändern===
   passwd:         compat winbind
   group:          compat winbind
+===winbind restart===
+ service winbind restart
 ===ist winbind is "pingbar===
   root@fenetre:~# wbinfo -p
@@ Zeile 161: / Zeile 89: @@
 ===funtioniert nsswitch===
- root@fenetre:~# getent passwd | grep XINUX
+<pre>
- XINUX\Administrator:*:0:100::/home/XINUX/Administrator:/bin/false
+getent passwd | grep 700
- XINUX\Guest:*:3000011:3000012::/home/XINUX/Guest:/bin/false
+administrator:*:70001:70005:Administrator:/home/XINUX/administrator:/bin/false
- XINUX\krbtgt:*:3000017:100::/home/XINUX/krbtgt:/bin/false
+dns-gondor:*:70002:70005:dns-gondor:/home/XINUX/dns-gondor:/bin/false
+krbtgt:*:70003:70005:krbtgt:/home/XINUX/krbtgt:/bin/false
+thomas:*:70004:70005:thomas:/home/XINUX/thomas:/bin/false
-==Misc==
+guest:*:70005:70006:Guest:/home/XINUX/guest:/bin/false
-===Adminpasswort läuft nicht ab===
+squid:*:70006:70005:squid:/home/XINUX/squid:/bin/false
- samba-tool user setexpiry administrator --noexpiry
+</pre>
-===Kennwortrichtlinie in Samba 4 Domain deaktivieren===
- samba-tool domain passwordsettings set --complexity=off
- samba-tool domain passwordsettings set --history-length=0
- samba-tool domain passwordsettings set --min-pwd-age=0
- samba-tool domain passwordsettings set --max-pwd-age=0
- samba-tool domain passwordsettings set --min-pwd-length 0
-===Adminpasswort setzen===
- samba-tool user setpassword Administrator
-===Kennwortrichtlinie in Samba 4 Domain anzeigen===
- samba-tool domain passwordsettings show
-=SeDiskOperatorPrivilege=
- net rpc rights grant 'XINUX\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
-===Vorhandene Rechte lassen sich so Anzeige===
- net rpc rights list accounts -Uadministrator
-=[[Userverwaltung]]=
-=howto=
-https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
-=installation=
+*https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto
-*http://ubuntuforums.org/showthread.php?t=2146198

Ubuntu-ads-member: Unterschied zwischen den Versionen

Aktuelle Version vom 8. September 2014, 13:30 Uhr

Inhaltsverzeichnis

auf dem domain controller

Installation

Interface anpassen

hosts anpassen

samba4 installieren

/etc/samba/smb.conf

/etc/krb5.conf

domaine beitreten

nsswitch.conf ändern

winbind restart

ist winbind is "pingbar

anzeigen der userliste

funtioniert nsswitch

Navigationsmenü

Suche