Debian Samba4 ADS Domaincontroller: Unterschied zwischen den Versionen
Zur Navigation springen
Zur Suche springen
| Zeile 169: | Zeile 169: | ||
===funtioniert nsswitch=== | ===funtioniert nsswitch=== | ||
| − | + | *getent passwd | grep SAMBA34 | |
| − | + | SAMBA34\administrator:*:0:100::/home/SAMBA34/administrator:/bin/false | |
| − | + | SAMBA34\guest:*:3000011:100::/home/SAMBA34/guest:/bin/false | |
| − | + | SAMBA34\krbtgt:*:3000017:100::/home/SAMBA34/krbtgt:/bin/false | |
| − | |||
==Misc== | ==Misc== | ||
Version vom 14. Oktober 2024, 19:51 Uhr
Hostname: dc1.samba34.linuggs.de
Interface anpassen
- vi /etc/network/interfaces
auto lo iface lo inet loopback # The primary network interface auto enp0s3 iface enp0s3 inet static address 172.26.55.22/24 gateway 172.26.55.1 iface enp0s3 inet6 static address 2a02:24d8:71:3037::22/64 gateway 2a02:24d8:71:3037::1
Hosts anpassen
- vi /etc/hosts
127.0.0.1 localhost 172.26.55.22 dc1.samba34.linuggs.de dc1 2a02:24d8:71:3037::22 dc1.samba34.linuggs.de dc1 ::1 localhost ip6-localhost ip6-loopback ff02::1 ip6-allnodes ff02::2 ip6-allrouters
Hostname setzen
- hostnamectl set-hostname dc1.samba34.linuggs.de
resolv.conf anpassen
- vi /etc/resolv.conf
nameserver 2a02:24d8:71:3040::1 nameserver 172.30.34.254 search samba34.linuggs.de
reboot
Samba 4 installieren
- apt install samba smbclient winbind ntp libnss-winbind krb5-user acl
Domain anlegen
- Vorher löschen
- rm /etc/samba/smb.conf /var/lib/samba/private/sam.ldb
- Los geht es
- samba-tool domain provision --realm=samba34.linuggs.de --domain=samba34 --adminpass="123Start$" --server-role=dc --dns-backend=SAMBA_INTERNAL --use-rfc2307
Reboot
reboot
Start und Enable
- systemctl unmask samba-ad-dc
- systemctl start samba-ad-dc
- systemctl enable samba-ad-dc
smbversion
Diese sollten übereinstimmen:
- samba -V
Version 4.17.12-Debian
- smbclient -V
Version 4.17.12-Debian
- smbclient -L localhost -U%
Sharename Type Comment --------- ---- ------- sysvol Disk netlogon Disk IPC$ IPC IPC Service (Samba 4.17.12-Debian) SMB1 disabled -- no workgroup available
Authentication check:
- smbclient //localhost/netlogon -UAdministrator%"123Start$" -c 'ls'
. D 0 Mon Oct 14 20:28:15 2024 .. D 0 Mon Oct 14 20:28:16 2024 19022504 blocks of size 1024. 16474524 blocks available
DNS setzen
Resolv
- cat /etc/resolv.conf
nameserver ::1 nameserver 127.0.0.1 search samba34.linuggs.de
Check
- nslookup dc1
Server: ::1 Address: ::1#53 Name: dc1.samba34.linuggs.de Address: 172.26.55.22 Name: dc1.samba34.linuggs.de Address: 2a02:24d8:71:3037::22
Forwarder eintragen
- vi /etc/samba/smb.conf
dns forwarder = 172.30.34.254 2a02:24d8:71:3040::1
Check
- Variablen setzen
- DOMAIN="samba34.linuggs.de"
- CONTROLLER="dc1"
- Diverse Records
- host -t SRV _ldap._tcp.$DOMAIN
_ldap._tcp.samba34.linuggs.de has SRV record 0 100 389 dc1.samba34.linuggs.de.
- host -t SRV _kerberos._udp.$DOMAIN
_kerberos._udp.samba34.linuggs.de has SRV record 0 100 88 dc1.samba34.linuggs.de.
- host -t A $CONTROLLER.$DOMAIN
dc1.samba34.linuggs.de has address 172.26.55.22
- host -t AAAA $CONTROLLER.$DOMAIN
dc1.samba34.linuggs.de has IPv6 address 2a02:24d8:71:3037::22
Kerberos
- vi /etc/krb5.conf
[libdefaults]
default_realm = SAMBA34.LINUGGS.DE
dns_lookup_realm = false
dns_lookup_kdc = true
[realms]
SAMBA34.LINUGGS.DE = {
kdc = dc1.samba34.linuggs.de
admin_server = dc1.samba34.linuggs.de
}
Winbind
winbind link setzen
ln -s /lib/x86_64-linux-gnu/libnss_winbind.so.2 /lib/x86_64-linux-gnu/libnss_winbind.so
nsswitch.conf ändern
passwd: compat winbind group: compat winbind
ist winbind is "pingbar
root@fenetre:~# wbinfo -p Ping to winbindd succeeded
anzeigen der userliste
root@fenetre:~# wbinfo -u Administrator Guest krbtgt
smb.conf ergänzen
[global] ... winbind enum users = yes winbind enum groups = yes
Service neustarten
- systemctl restart samba-ad-dc.service
funtioniert nsswitch
- getent passwd | grep SAMBA34
SAMBA34\administrator:*:0:100::/home/SAMBA34/administrator:/bin/false SAMBA34\guest:*:3000011:100::/home/SAMBA34/guest:/bin/false SAMBA34\krbtgt:*:3000017:100::/home/SAMBA34/krbtgt:/bin/false
Misc
Adminpasswort läuft nicht ab
samba-tool user setexpiry administrator --noexpiry
Kennwortrichtlinie in Samba 4 Domain deaktivieren
samba-tool domain passwordsettings set --complexity=off samba-tool domain passwordsettings set --history-length=0 samba-tool domain passwordsettings set --min-pwd-age=0 samba-tool domain passwordsettings set --max-pwd-age=0 samba-tool domain passwordsettings set --min-pwd-length 0
Adminpasswort setzen
samba-tool user setpassword Administrator
Kennwortrichtlinie in Samba 4 Domain anzeigen
samba-tool domain passwordsettings show
Userverwaltung
2 DC mit Replicatiom
howto
https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO