Aktuelle Version vom 16. Oktober 2024, 06:38 Uhr

Hostname: dc1.samba34.linuggs.de

Interface anpassen

vi /etc/network/interfaces

auto lo
iface lo inet loopback

# The primary network interface
auto enp0s3
iface enp0s3 inet static
  address 172.26.55.22/24
  gateway 172.26.55.1

iface enp0s3 inet6 static
  address 2a02:24d8:71:3037::22/64
  gateway 2a02:24d8:71:3037::1

Hosts anpassen

vi /etc/hosts

127.0.0.1       localhost
172.26.55.22    dc1.samba34.linuggs.de dc1
2a02:24d8:71:3037::22 dc1.samba34.linuggs.de dc1
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Hostname setzen

hostnamectl set-hostname dc1.samba34.linuggs.de

resolv.conf anpassen

vi /etc/resolv.conf

nameserver 2a02:24d8:71:3040::1
nameserver 172.30.34.254
search samba34.linuggs.de

reboot

Samba 4 installieren

apt install samba smbclient winbind ntp libnss-winbind krb5-user acl

Domain anlegen

Vorher löschen

rm /etc/samba/smb.conf /var/lib/samba/private/sam.ldb

Los geht es

samba-tool domain provision --realm=samba34.linuggs.de --domain=samba34 --adminpass="123Start$" --server-role=dc --dns-backend=SAMBA_INTERNAL --use-rfc2307

Reboot

reboot

Start und Enable

systemctl unmask samba-ad-dc
systemctl start samba-ad-dc
systemctl enable samba-ad-dc

smbversion, share und auth check

smbversion

Diese sollten übereinstimmen:

samba -V

Version 4.17.12-Debian

smbclient -V

Version 4.17.12-Debian

shares anzeigen:

smbclient -L localhost -U%

	Sharename       Type      Comment
	---------       ----      -------
	sysvol          Disk      
	netlogon        Disk      
	IPC$            IPC       IPC Service (Samba 4.17.12-Debian)
SMB1 disabled -- no workgroup available

Authentication check:

smbclient //localhost/netlogon -UAdministrator%"123Start$" -c 'ls'

  .                                   D        0  Mon Oct 14 20:28:15 2024
  ..                                  D        0  Mon Oct 14 20:28:16 2024

		19022504 blocks of size 1024. 16474524 blocks available

DNS setzen

Resolv

cat /etc/resolv.conf

nameserver ::1
nameserver 127.0.0.1
search samba34.linuggs.de

Check

nslookup dc1

Server:		::1
Address:	::1#53

Name:	dc1.samba34.linuggs.de
Address: 172.26.55.22
Name:	dc1.samba34.linuggs.de
Address: 2a02:24d8:71:3037::22

Forwarder eintragen

vi /etc/samba/smb.conf

dns forwarder = 172.30.34.254 2a02:24d8:71:3040::1

Check

Variablen setzen

DOMAIN="samba34.linuggs.de"
CONTROLLER="dc1"

Diverse Records

host -t SRV _ldap._tcp.$DOMAIN

_ldap._tcp.samba34.linuggs.de has SRV record 0 100 389 dc1.samba34.linuggs.de.

host -t SRV _kerberos._udp.$DOMAIN

_kerberos._udp.samba34.linuggs.de has SRV record 0 100 88 dc1.samba34.linuggs.de.

host -t A $CONTROLLER.$DOMAIN

dc1.samba34.linuggs.de has address 172.26.55.22

host -t AAAA $CONTROLLER.$DOMAIN

dc1.samba34.linuggs.de has IPv6 address 2a02:24d8:71:3037::22

Kerberos

vi /etc/krb5.conf

[libdefaults]
        default_realm = SAMBA34.LINUGGS.DE
        dns_lookup_realm = false
        dns_lookup_kdc = true

[realms]
        SAMBA34.LINUGGS.DE = {
                kdc = dc1.samba34.linuggs.de
                admin_server = dc1.samba34.linuggs.de
        }

Winbind

nsswitch.conf ändern

passwd:         compat winbind
group:          compat winbind

ist winbind is "pingbar

wbinfo -p

Ping to winbindd succeeded

anzeigen der userliste

wbinfo -u

Administrator
Guest
krbtgt

/etc/samba/smb.conf ergänzen

[global]
        netbios name = DC1
        realm = SAMBA34.LINUGGS.DE
        server role = active directory domain controller
        workgroup = SAMBA34
        dns forwarder = 172.30.34.254 2a02:24d8:71:3040::1
        idmap_ldb:use rfc2307 = yes
        winbind enum users = yes
        winbind enum groups = yes
        winbind nss info = template
        template shell = /bin/bash
        template homedir = /home/%U
        winbind use default domain = yes
        

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No 

[netlogon]
        path = /var/lib/samba/sysvol/samba34.linuggs.de/scripts
        read only = No

DC-smb.conf-Erklärung

Service neustarten

systemctl restart samba-ad-dc.service

funtioniert nsswitch

getent passwd | grep SAMBA34

SAMBA34\administrator:*:0:100::/home/administrator:/bin/bash
SAMBA34\guest:*:3000011:100::/home/guest:/bin/bash
SAMBA34\krbtgt:*:3000017:100::/home/krbtgt:/bin/bash

Tests

Gucken welche Ports geöffnen

TCP

ss -lntp

UDP

ss -lnup

Prozesse

apt install psmisc
pstree

Misc

Adminpasswort läuft nicht ab

samba-tool user setexpiry administrator --noexpiry

Kennwortrichtlinie in Samba 4 Domain deaktivieren

samba-tool domain passwordsettings set --complexity=off
samba-tool domain passwordsettings set --history-length=0
samba-tool domain passwordsettings set --min-pwd-age=0
samba-tool domain passwordsettings set --max-pwd-age=0
samba-tool domain passwordsettings set --min-pwd-length 0

Adminpasswort setzen

samba-tool user setpassword Administrator

Kennwortrichtlinie in Samba 4 Domain anzeigen

samba-tool domain passwordsettings show

Samba Verwaltung

Samba Verwaltung

2 DC mit Replicatiom

2 DC mit Replicatiom

RSAT

RSAT

howto

https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO

installation

http://ubuntuforums.org/showthread.php?t=2146198

@@ Zeile 7: / Zeile 7: @@
 iface lo inet loopback
-auto eth0
+# The primary network interface
-iface eth0 inet static
+auto enp0s3
-   address 172.26.55.22/64
+iface enp0s3 inet static
+   address 172.26.55.22/24
    gateway 172.26.55.1
-iface eth0 inet6 static
+iface enp0s3 inet6 static
-   address 2a02:24d8:71:3037::/64
+   address 2a02:24d8:71:3037::22/64
    gateway 2a02:24d8:71:3037::1
 </pre>
@@ Zeile 42: / Zeile 44: @@
 reboot
-==samba4 installieren==
+== Samba 4 installieren ==
- apt-get install samba smbclient winbind ntp libnss-winbind krb5-user acl
+*apt install samba smbclient winbind ntp libnss-winbind krb5-user acl
-==Domain anlegen==
+== Domain anlegen ==
-vorher das löschen:
+;Vorher löschen
- rm /etc/samba/smb.conf /var/lib/samba/private/sam.ldb
+*rm /etc/samba/smb.conf /var/lib/samba/private/sam.ldb
+;Los geht es
-''' realm, domain und adminpass''' sollten/können angepasst werden!
+*samba-tool domain provision --realm=samba34.linuggs.de --domain=samba34 --adminpass="123Start$" --server-role=dc --dns-backend=SAMBA_INTERNAL --use-rfc2307
- samba-tool domain provision --realm=xinux.lan --domain=xinux --adminpass="Z0pp0Trump" --server-role=dc --dns-backend=SAMBA_INTERNAL --use-rfc2307
-*Bei adminpass am besten das hier stehende übernehmen und erst später wie in dieser Anleitung beschrieben ändern, da man sonst die Passwortvorgaben verletzen könnte. Wenn dies passiert richtet sich der Sambaserver nicht korrekt ein.
-oder
-===install bind===
- apt-get remove apparmor
- reboot
- apt-get install bind9
- echo 'include "/var/lib/samba/private/named.conf";' >> /etc/bind/named.conf
-====/etc/bind/named.conf.options====
- tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
-====/var/lib/samba/private/named.conf====
-dlz "AD DNS Zone" {
-     database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";
-};
-''' realm, domain und adminpass''' sollten/können angepasst werden!
- samba-tool domain provision --realm=xinux.lan --domain=xinux --adminpass="Z0pp0Trump" --server-role=dc --dns-backend=BIND9_DLZ --use-rfc2307
-*Bei adminpass am besten das hier stehende übernehmen und erst später wie in dieser Anleitung beschrieben ändern, da man sonst die Passwortvorgaben verletzen könnte. Wenn dies passiert richtet sich der Sambaserver nicht korrekt ein.
 ==Reboot==
- reboot
+*reboot
-==start und enable==
+==Start und Enable==
 *systemctl unmask  samba-ad-dc
 *systemctl start  samba-ad-dc
@@ Zeile 85: / Zeile 63: @@
 ==smbversion, share und auth check==
 ===smbversion===
 Diese sollten übereinstimmen:
- root@fenetre:~# samba -V
+*samba -V
-  Version 4.1.6-Ubuntu
+  Version 4.17.12-Debian
- root@fenetre:~# smbclient -V
+*smbclient -V
-  Version 4.1.6-Ubuntu
+  Version 4.17.12-Debian
 ===shares anzeigen:===
+*smbclient -L localhost -U%
 <pre>
-root@fenetre:~# smbclient -L localhost -U%
-Domain=[XINUX] OS=[Unix] Server=[Samba 4.1.6-Ubuntu]
 	Sharename       Type      Comment
 	---------       ----      -------
+	sysvol          Disk
 	netlogon        Disk
-	sysvol          Disk
+	IPC$            IPC       IPC Service (Samba 4.17.12-Debian)
-	IPC$            IPC       IPC Service (Samba 4.1.6-Ubuntu)
+SMB1 disabled -- no workgroup available
-Domain=[XINUX] OS=[Unix] Server=[Samba 4.1.6-Ubuntu]
-	Server               Comment
-	---------            -------
-	Workgroup            Master
-	---------            -------
-	WORKGROUP
 </pre>
 ===Authentication check:===
+*smbclient //localhost/netlogon -UAdministrator%"123Start$" -c 'ls'
 <pre>
-root@fenetre:~# smbclient //localhost/netlogon -UAdministrator%"Z0pp0Trump" -c 'ls'
+   .                                   D        0  Mon Oct 14 20:28:15 2024
-Domain=[XINUX] OS=[Unix] Server=[Samba 4.1.6-Ubuntu]
+   ..                                  D        0  Mon Oct 14 20:28:16 2024
-   .                                   D        0  Thu Apr 24 15:51:50 2014
-   ..                                  D        0  Thu Apr 24 15:51:54 2014
-blocks of size 524288. 47502 blocks available
+		19022504 blocks of size 1024. 16474524 blocks available
 </pre>
 ==DNS setzen==
 ===Resolv===
-*/etc/resolv.conf
+*cat  /etc/resolv.conf
-  nameserver 192.168.240.199
+  nameserver ::1
-  search xinux.lan
+ nameserver 127.0.0.1
+  search samba34.linuggs.de
 ===Check===
+*nslookup dc1
+<pre>
+Server:		::1
+Address:	::1#53
+Name:	dc1.samba34.linuggs.de
+Address: 172.26.55.22
+Name:	dc1.samba34.linuggs.de
+Address: 2a02:24d8:71:3037::22
+</pre>
 ===Forwarder eintragen===
- sudo vi  /etc/samba/smb.conf
+*vi  /etc/samba/smb.conf
-füge hinzu: (Man kann natürlich auch seinen eigenen DNS angeben)
+  dns forwarder = 172.30.34.254 2a02:24d8:71:3040::1
-  dns forwarder = 192.168.240.21
 ===Check===
+;Variablen setzen
+*DOMAIN="samba34.linuggs.de"
+*CONTROLLER="dc1"
+;Diverse Records
+*host -t SRV _ldap._tcp.$DOMAIN
+ _ldap._tcp.samba34.linuggs.de has SRV record 0 100 389 dc1.samba34.linuggs.de.
+*host -t SRV _kerberos._udp.$DOMAIN
+ _kerberos._udp.samba34.linuggs.de has SRV record 0 100 88 dc1.samba34.linuggs.de.
+*host -t A $CONTROLLER.$DOMAIN
+ dc1.samba34.linuggs.de has address 172.26.55.22
+*host -t AAAA $CONTROLLER.$DOMAIN
+ dc1.samba34.linuggs.de has IPv6 address 2a02:24d8:71:3037::22
+==Kerberos==
+*vi /etc/krb5.conf
 <pre>
-DOMAIN="xinux.lan"
+[libdefaults]
-CONTROLLER="fenetre"
+        default_realm = SAMBA34.LINUGGS.DE
-host -t SRV _ldap._tcp.$DOMAIN
+        dns_lookup_realm = false
-_ldap._tcp.xinux.lan has SRV record 0 100 389 fenetre.xinux.lan.
+        dns_lookup_kdc = true
-host -t SRV _kerberos._udp.$DOMAIN
-_kerberos._udp.xinux.lan has SRV record 0 100 88 fenetre.xinux.lan.
-host -t A $CONTROLLER.$DOMAIN
-fenetre.xinux.lan has address 192.168.240.199
+[realms]
+        SAMBA34.LINUGGS.DE = {
+                kdc = dc1.samba34.linuggs.de
+                admin_server = dc1.samba34.linuggs.de
+        }
 </pre>
-==Kerberos==
- *[[kerberos client samba]]
-==Share hinzufügen==
- mkfs.ext4 /dev/vdb1
- mkdir /share
- echo "/dev/vdb1  /share   ext4 user_xattr,acl 0 0" >> /etc/fstab
- mount -a
- mkdir -m 770 /share
- chmod g+s /share
- chown root:users /share
- vi /etc/samba/smb.conf
-füge das ein:
- [share]
-  directory_mode: parameter = 0700
-  read only = no
-  path = /share
-  csc policy = documents
-==Share testen==
- root@fenetre:~# smbclient -L localhost -U% | grep share
- Domain=[XINUX] OS=[Unix] Server=[Samba 4.1.6-Ubuntu]
- Domain=[XINUX] OS=[Unix] Server=[Samba 4.1.6-Ubuntu]
- 	share           Disk
 ==Winbind==
-===winbind link setzen===
- ln -s /lib/x86_64-linux-gnu/libnss_winbind.so.2 /lib/x86_64-linux-gnu/libnss_winbind.so
 ===nsswitch.conf ändern===
   passwd:         compat winbind
   group:          compat winbind
 ===ist winbind is "pingbar===
- root@fenetre:~# wbinfo -p
+*wbinfo -p
   Ping to winbindd succeeded
 ===anzeigen der userliste===
- root@fenetre:~# wbinfo -u
+*wbinfo -u
   Administrator
   Guest
   krbtgt
-===smb.conf ergänzen===
+===/etc/samba/smb.conf ergänzen===
   [global]
-   ...
+         netbios name = DC1
-   winbind enum users = yes
+         realm = SAMBA34.LINUGGS.DE
-   winbind enum groups = yes
+         server role = active directory domain controller
+         workgroup = SAMBA34
+         '''dns forwarder = 172.30.34.254 2a02:24d8:71:3040::1'''
+         idmap_ldb:use rfc2307 = yes
+         '''winbind enum users = yes'''
+         '''winbind enum groups = yes'''
+         '''winbind nss info = template'''
+         '''template shell = /bin/bash'''
+         '''template homedir = /home/%U'''
+         '''winbind use default domain = yes'''
+ [sysvol]
+         path = /var/lib/samba/sysvol
+         read only = No
+ [netlogon]
+         path = /var/lib/samba/sysvol/samba34.linuggs.de/scripts
+         read only = No
+[[DC-smb.conf-Erklärung]]
 ===Service neustarten===
@@ Zeile 204: / Zeile 187: @@
 ===funtioniert nsswitch===
- root@fenetre:~# getent passwd | grep XINUX
+*getent passwd | grep SAMBA34
-  XINUX\Administrator:*:0:100::/home/XINUX/Administrator:/bin/false
+  SAMBA34\administrator:*:0:100::/home/administrator:/bin/bash
-  XINUX\Guest:*:3000011:3000012::/home/XINUX/Guest:/bin/false
+  SAMBA34\guest:*:3000011:100::/home/guest:/bin/bash
-  XINUX\krbtgt:*:3000017:100::/home/XINUX/krbtgt:/bin/false
+  SAMBA34\krbtgt:*:3000017:100::/home/krbtgt:/bin/bash
+===Tests===
+====Gucken welche Ports geöffnen====
+;TCP
+*ss -lntp
+;UDP
+*ss -lnup
+====Prozesse====
+*apt install psmisc
+*pstree
 ==Misc==
 ===Adminpasswort läuft nicht ab===
- samba-tool user setexpiry administrator --noexpiry
+*samba-tool user setexpiry administrator --noexpiry
 ===Kennwortrichtlinie in Samba 4 Domain deaktivieren===
- samba-tool domain passwordsettings set --complexity=off
+*samba-tool domain passwordsettings set --complexity=off
- samba-tool domain passwordsettings set --history-length=0
+*samba-tool domain passwordsettings set --history-length=0
- samba-tool domain passwordsettings set --min-pwd-age=0
+*samba-tool domain passwordsettings set --min-pwd-age=0
- samba-tool domain passwordsettings set --max-pwd-age=0
+*samba-tool domain passwordsettings set --max-pwd-age=0
- samba-tool domain passwordsettings set --min-pwd-length 0
+*samba-tool domain passwordsettings set --min-pwd-length 0
 ===Adminpasswort setzen===
   samba-tool user setpassword Administrator
@@ Zeile 226: / Zeile 219: @@
   samba-tool domain passwordsettings show
-=[[Userverwaltung]]=
+=Samba Verwaltung=
-=[[2 DC mit Replicatiom]]=
+*[[Samba Verwaltung]]
+=2 DC mit Replicatiom=
+*[[2 DC mit Replicatiom]]
+=RSAT=
+*[[RSAT]]
 =howto=

Debian Samba4 ADS Domaincontroller: Unterschied zwischen den Versionen

Aktuelle Version vom 16. Oktober 2024, 06:38 Uhr

Hostname: dc1.samba34.linuggs.de

Interface anpassen

Hosts anpassen

Hostname setzen

resolv.conf anpassen

Samba 4 installieren

Domain anlegen

Reboot

Start und Enable

smbversion, share und auth check

smbversion

shares anzeigen:

Authentication check:

DNS setzen

Resolv

Check

Forwarder eintragen

Check

Kerberos

Winbind

nsswitch.conf ändern

ist winbind is "pingbar

anzeigen der userliste

/etc/samba/smb.conf ergänzen

Service neustarten

funtioniert nsswitch

Tests

Gucken welche Ports geöffnen

Prozesse

Misc

Adminpasswort läuft nicht ab

Kennwortrichtlinie in Samba 4 Domain deaktivieren

Adminpasswort setzen

Kennwortrichtlinie in Samba 4 Domain anzeigen

Samba Verwaltung

2 DC mit Replicatiom

RSAT

howto

installation

Navigationsmenü

Suche