Debian Samba4 ADS Domaincontroller: Unterschied zwischen den Versionen

Aus Xinux Wiki
Zur Navigation springen Zur Suche springen
 
(116 dazwischenliegende Versionen von 7 Benutzern werden nicht angezeigt)
Zeile 1: Zeile 1:
=Installation=
+
== Hostname: dc1.samba34.linuggs.de ==
==Interface anpassen==
+
=== Interface anpassen ===
vi /etc/network/interfaces
+
*vi /etc/network/interfaces
 +
 
 
<pre>
 
<pre>
 
auto lo
 
auto lo
 
iface lo inet loopback
 
iface lo inet loopback
  
auto eth0
+
# The primary network interface
iface eth0 inet static
+
auto enp0s3
address 192.168.240.199
+
iface enp0s3 inet static
netmask 255.255.248.0
+
  address 172.26.55.22/24
gateway 192.168.240.100
+
  gateway 172.26.55.1
dns-nameservers 192.168.240.199 8.8.8.8
 
dns-search xinux.lan
 
</pre>
 
  
==hosts anpassen==
+
iface enp0s3 inet6 static
vi /etc/hosts
+
  address 2a02:24d8:71:3037::22/64
127.0.0.1       localhost
+
  gateway 2a02:24d8:71:3037::1
192.168.240.199 fenetre fenetre.xinux.lan
 
echo fenetre.xinux.lan > /etc/hostname
 
/etc/init.d/networking restart
 
  
==Pakete und libs installieren==
+
</pre>
  
sudo apt-get update && apt-get upgrade -y
+
=== Hosts anpassen ===
sudo apt-get install git build-essential libacl1-dev libattr1-dev libblkid-dev libgnutls-dev libreadline-dev python-dev python-dnspython gdb pkg-config libpopt-dev libldap2-dev dnsutils libbsd-dev attr krb5-user docbook-xsl libcups2-dev libpam0g-dev ntp -y
+
*vi /etc/hosts
 +
<pre>
 +
127.0.0.1      localhost
 +
172.26.55.22    dc1.samba34.linuggs.de dc1
 +
2a02:24d8:71:3037::22 dc1.samba34.linuggs.de dc1
 +
::1    localhost ip6-localhost ip6-loopback
 +
ff02::1 ip6-allnodes
 +
ff02::2 ip6-allrouters
 +
</pre>
  
You'll be asked for kerberos informations.
+
=== Hostname setzen ===
When asked for the default realm etc, enter mydomain.lan and DC01 as the host.  
+
*hostnamectl set-hostname dc1.samba34.linuggs.de
  
==samba4 downloaden und installieren==
+
=== resolv.conf anpassen ===
 +
*vi /etc/resolv.conf
  
git clone -b v4-0-stable git://git.samba.org/samba.git samba4
+
<pre>
 +
nameserver 2a02:24d8:71:3040::1
 +
nameserver 172.30.34.254
 +
search samba34.linuggs.de
 +
</pre>
  
cd samba4
+
reboot
  
./configure --enable-debug --enable-selftest
+
== Samba 4 installieren ==
 +
*apt install samba smbclient winbind ntp libnss-winbind krb5-user acl
  
make
+
== Domain anlegen ==
 +
;Vorher löschen
 +
*rm /etc/samba/smb.conf /var/lib/samba/private/sam.ldb
  
make install
+
;Los geht es
 +
*samba-tool domain provision --realm=samba34.linuggs.de --domain=samba34 --adminpass="123Start$" --server-role=dc --dns-backend=SAMBA_INTERNAL --use-rfc2307
  
==Links setzen==
+
==Reboot==
 +
*reboot
  
ln -s /usr/local/samba/sbin/* /usr/local/sbin
+
==Start und Enable==
ln -s /usr/local/samba/bin/* /usr/local/bin
+
*systemctl unmask samba-ad-dc
 
+
*systemctl start samba-ad-dc
==Domain anlegen==
+
*systemctl enable samba-ad-dc
vorher das löschen:
 
  rm /usr/local/samba/etc/smb.conf
 
 
 
''' realm, domain und adminpass''' sollten/können angepasst werden!
 
  /usr/local/samba/bin/samba-tool domain provision --realm=mydomain.lan --domain=mydomain --adminpass="your_password" --server-role=dc --dns-backend=SAMBA_INTERNAL
 
 
 
==Start von samba==
 
  /usr/local/samba/sbin/samba
 
  
 
==smbversion, share und auth check==
 
==smbversion, share und auth check==
 
 
===smbversion===
 
===smbversion===
 
Diese sollten übereinstimmen:
 
Diese sollten übereinstimmen:
/usr/local/samba/sbin/samba -V
+
*samba -V
  /usr/local/samba/bin/smbclient -V
+
  Version 4.17.12-Debian
 +
*smbclient -V
 +
Version 4.17.12-Debian
 +
 
  
 
===shares anzeigen:===
 
===shares anzeigen:===
/usr/local/samba/bin/smbclient -L localhost -U%
+
*smbclient -L localhost -U%
 
 
Sollte so aussehen:
 
 
<pre>
 
<pre>
Sharename     Type      Comment    
+
Sharename       Type      Comment
---------       ----       -------      
+
---------       ----     -------
netlogon        Disk  
+
sysvol          Disk    
sysvol            Disk  
+
netlogon        Disk    
IPC$             IPC         IPC Service (Samba 4.0.5)
+
IPC$           IPC       IPC Service (Samba 4.17.12-Debian)
 +
SMB1 disabled -- no workgroup available
 
</pre>
 
</pre>
  
 
===Authentication check:===
 
===Authentication check:===
Passwort in dem Command ändern!
+
*smbclient //localhost/netlogon -UAdministrator%"123Start$" -c 'ls'
/usr/local/samba/bin/smbclient //localhost/netlogon -UAdministrator%"your_password" -c 'ls'
 
 
<pre>
 
<pre>
Domain=[MYDOMAIN] OS=[Unix] Server=[Samba 4.0.5] 
+
  .                                  D        0  Mon Oct 14 20:28:15 2024
.                                  D        0  Fri May 17 21:40:08 2013    
+
   ..                                  D        0  Mon Oct 14 20:28:16 2024
..                                  D        0  Fri May 17 21:42:36 2013
+
 
 +
19022504 blocks of size 1024. 16474524 blocks available
 
</pre>
 
</pre>
  
 
==DNS setzen==
 
==DNS setzen==
===Forwarder eintragen===
+
===Resolv===
  echo  domain MYDOMAIN.LAN >> /etc/resolv.conf
+
*cat /etc/resolv.conf  
  sudo vi /usr/local/samba/etc/smb.conf
+
  nameserver ::1
 
+
  nameserver 127.0.0.1
füge hinzu: (Man kann natürlich auch seinen eigenen DNS angeben)
+
  search samba34.linuggs.de
  dns forwarder = 8.8.8.8 (I use google DNS here again)
 
  
 
===Check===
 
===Check===
 +
*nslookup dc1
 
<pre>
 
<pre>
host -t SRV _ldap._tcp.mydomain.lan
+
Server: ::1
_ldap._tcp.mydomain.lan has SRV record 0 100 389 DC01.mydomain.lan.
+
Address: ::1#53
  
 +
Name: dc1.samba34.linuggs.de
 +
Address: 172.26.55.22
 +
Name: dc1.samba34.linuggs.de
 +
Address: 2a02:24d8:71:3037::22
 +
</pre>
  
host -t SRV _kerberos._udp.mydomain.lan
+
===Forwarder eintragen===
_kerberos._udp.mydomain.lan has SRV record 0 100 88 DC01.mydomain.lan
+
*vi  /etc/samba/smb.conf
 +
dns forwarder = 172.30.34.254 2a02:24d8:71:3040::1
  
host -t A DC01.mydomain.lan
+
===Check===
DC01.mydomain.lan has address 192.168.0.100.
+
;Variablen setzen
</pre>
+
*DOMAIN="samba34.linuggs.de"
 +
*CONTROLLER="dc1"
 +
;Diverse Records
 +
*host -t SRV _ldap._tcp.$DOMAIN
 +
_ldap._tcp.samba34.linuggs.de has SRV record 0 100 389 dc1.samba34.linuggs.de.
 +
*host -t SRV _kerberos._udp.$DOMAIN
 +
_kerberos._udp.samba34.linuggs.de has SRV record 0 100 88 dc1.samba34.linuggs.de.
 +
*host -t A $CONTROLLER.$DOMAIN
 +
dc1.samba34.linuggs.de has address 172.26.55.22
 +
*host -t AAAA $CONTROLLER.$DOMAIN
 +
dc1.samba34.linuggs.de has IPv6 address 2a02:24d8:71:3037::22
  
Wenn '''"host mydomain.lan not found 3(NXDOMAIN)"''' ausgegeben wird, ist Samba nicht richtig gestartet!
+
==Kerberos==
 +
*vi /etc/krb5.conf
 +
<pre>
 +
[libdefaults]
 +
        default_realm = SAMBA34.LINUGGS.DE
 +
        dns_lookup_realm = false
 +
        dns_lookup_kdc = true
  
==Kerberos==
+
[realms]
ändere '''$(REALM)''' zu '''MYDOMAIN.LAN'''
+
        SAMBA34.LINUGGS.DE = {
vi /usr/local/samba/share/setup/krb5.conf
+
                kdc = dc1.samba34.linuggs.de
 +
                admin_server = dc1.samba34.linuggs.de
 +
        }
 +
</pre>
  
==Share hinzufügen==
+
==Winbind==
 +
===nsswitch.conf ändern===
 +
passwd:        compat winbind
 +
group:          compat winbind
 +
===ist winbind is "pingbar===
 +
*wbinfo -p
 +
Ping to winbindd succeeded
  
  mkdir -m 770 /share
+
===anzeigen der userliste===
  chmod g+s /share
+
*wbinfo -u
  chown root:users /share
+
  Administrator
 +
  Guest
 +
  krbtgt
  
  vi /usr/local/samba/etc/smb.conf
+
===/etc/samba/smb.conf ergänzen===
füg das ein:
+
  [global]
 +
        netbios name = DC1
 +
        realm = SAMBA34.LINUGGS.DE
 +
        server role = active directory domain controller
 +
        workgroup = SAMBA34
 +
        '''dns forwarder = 172.30.34.254 2a02:24d8:71:3040::1'''
 +
        idmap_ldb:use rfc2307 = yes
 +
        '''winbind enum users = yes'''
 +
        '''winbind enum groups = yes'''
 +
        '''winbind nss info = template'''
 +
        '''template shell = /bin/bash'''
 +
        '''template homedir = /home/%U'''
 +
        '''winbind use default domain = yes'''
 +
       
 +
 +
[sysvol]
 +
        path = /var/lib/samba/sysvol
 +
        read only = No
 +
 +
[netlogon]
 +
        path = /var/lib/samba/sysvol/samba34.linuggs.de/scripts
 +
        read only = No
  
[share]
+
[[DC-smb.conf-Erklärung]]
directory_mode: parameter = 0700
 
read only = no
 
path = /share
 
csc policy = documents
 
  
==Misc==
+
===Service neustarten===
===ntp===
+
*systemctl restart samba-ad-dc.service
vi /etc/ntp.conf
 
  
füge einen von hier hinzu:
+
===funtioniert nsswitch===
  http://www.pool.ntp.org/zone/de
+
*getent passwd | grep SAMBA34
 +
SAMBA34\administrator:*:0:100::/home/administrator:/bin/bash
 +
  SAMBA34\guest:*:3000011:100::/home/guest:/bin/bash
 +
SAMBA34\krbtgt:*:3000017:100::/home/krbtgt:/bin/bash
  
service ntp restart
+
===Tests===
ntpdate 0.de.pool.ntp.org
+
====Gucken welche Ports geöffnen====
ntpq -p
+
;TCP
 +
*ss -lntp
 +
;UDP
 +
*ss -lnup
 +
====Prozesse====
 +
*apt install psmisc
 +
*pstree
  
 +
==Misc==
 
===Adminpasswort läuft nicht ab===
 
===Adminpasswort läuft nicht ab===
/usr/local/samba/bin/samba-tool user setexpiry administrator --noexpiry
+
*samba-tool user setexpiry administrator --noexpiry
  
===samba upstart script===
+
===Kennwortrichtlinie in Samba 4 Domain deaktivieren===
 +
*samba-tool domain passwordsettings set --complexity=off
 +
*samba-tool domain passwordsettings set --history-length=0
 +
*samba-tool domain passwordsettings set --min-pwd-age=0
 +
*samba-tool domain passwordsettings set --max-pwd-age=0
 +
*samba-tool domain passwordsettings set --min-pwd-length 0
  
vi /etc/init.d/samba
+
===Adminpasswort setzen===
 
+
  samba-tool user setpassword Administrator
description "SMB/CIFS File and Active Directory Server"
 
author      "Jelmer Vernooij <jelmer@ubuntu.com>"
 
 
start on (local-filesystems and net-device-up)
 
stop on runlevel [!2345]
 
 
expect fork
 
normal exit 0
 
 
pre-start script
 
[ -r /etc/default/samba4 ] && . /etc/default/samba4
 
install -o root -g root -m 755 -d /var/run/samba
 
install -o root -g root -m 755 -d /var/log/samba
 
end script
 
 
 
exec samba -D
 
 
 
===Kennwortrichtlinie in Samba 4 Domain deaktivieren===
 
  samba-tool domain passwordsettings set --complexity=off
 
samba-tool domain passwordsettings set --history-length=0
 
samba-tool domain passwordsettings set --min-pwd-age=0
 
samba-tool domain passwordsettings set --max-pwd-age=0
 
samba-tool domain passwordsettings set --min-pwd-length 0
 
  
 
===Kennwortrichtlinie in Samba 4 Domain anzeigen===
 
===Kennwortrichtlinie in Samba 4 Domain anzeigen===
samba-tool domain passwordsettings show
+
samba-tool domain passwordsettings show
==Freigaben einrichten==
 
Die Partition muss mit den Optionen user_xattr und acl  gemountet sein ...
 
/dev/vdb /mnt    ext4 user_xattr,acl 1 1
 
=SeDiskOperatorPrivilege=
 
net rpc rights grant 'WILLUX\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
 
 
 
===Vorhandene Rechte lassen sich so Anzeige===
 
net rpc rights list accounts -Uadministrator
 
==Winbind==
 
===winbind links setzen===
 
*Architektur ermitteln
 
gcc -print-multiarch
 
*Links ersetzen
 
ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/$(gcc -print-multiarch)/libnss_winbind.so
 
ln -s /lib/$(gcc -print-multiarch)/libnss_winbind.so /lib/x86_64-linux-gnu/libnss_winbind.so.2
 
*aus den paketen
 
ln -s /lib/x86_64-linux-gnu/libnss_winbind.so.2 /lib/x86_64-linux-gnu/libnss_winbind.so
 
  
===nsswitch.conf ändern===
+
=Samba Verwaltung=
passwd:        compat winbind
+
*[[Samba Verwaltung]]
group:          compat winbind
 
===ist winbind is "pingbar===
 
/usr/local/samba/bin/wbinfo -p
 
Ping to winbindd succeeded
 
===anzeigen der userliste===
 
/usr/local/samba/bin/wbinfo -u
 
Administrator
 
Guest
 
krbtgt
 
===funtioniert nsswitch===
 
getent passwd
 
...
 
WILLUX\Administrator:*:0:100::/home/WILLUX/Administrator:/bin/false
 
WILLUX\Guest:*:3000011:3000012::/home/WILLUX/Guest:/bin/false
 
WILLUX\krbtgt:*:3000017:100::/home/WILLUX/krbtgt:/bin/false
 
  
=[[Userverwaltung]]=
+
=2 DC mit Replicatiom=
 +
*[[2 DC mit Replicatiom]]
 +
=RSAT=
 +
*[[RSAT]]
  
 
=howto=
 
=howto=

Aktuelle Version vom 16. Oktober 2024, 06:38 Uhr

Hostname: dc1.samba34.linuggs.de

Interface anpassen

  • vi /etc/network/interfaces
auto lo
iface lo inet loopback

# The primary network interface
auto enp0s3
iface enp0s3 inet static
  address 172.26.55.22/24
  gateway 172.26.55.1

iface enp0s3 inet6 static
  address 2a02:24d8:71:3037::22/64
  gateway 2a02:24d8:71:3037::1

Hosts anpassen

  • vi /etc/hosts
127.0.0.1       localhost
172.26.55.22    dc1.samba34.linuggs.de dc1
2a02:24d8:71:3037::22 dc1.samba34.linuggs.de dc1
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Hostname setzen

  • hostnamectl set-hostname dc1.samba34.linuggs.de

resolv.conf anpassen

  • vi /etc/resolv.conf
nameserver 2a02:24d8:71:3040::1
nameserver 172.30.34.254
search samba34.linuggs.de

reboot

Samba 4 installieren

  • apt install samba smbclient winbind ntp libnss-winbind krb5-user acl

Domain anlegen

Vorher löschen
  • rm /etc/samba/smb.conf /var/lib/samba/private/sam.ldb
Los geht es
  • samba-tool domain provision --realm=samba34.linuggs.de --domain=samba34 --adminpass="123Start$" --server-role=dc --dns-backend=SAMBA_INTERNAL --use-rfc2307

Reboot

  • reboot

Start und Enable

  • systemctl unmask samba-ad-dc
  • systemctl start samba-ad-dc
  • systemctl enable samba-ad-dc

smbversion, share und auth check

smbversion

Diese sollten übereinstimmen:

  • samba -V
Version 4.17.12-Debian
  • smbclient -V
Version 4.17.12-Debian


shares anzeigen:

  • smbclient -L localhost -U%
	Sharename       Type      Comment
	---------       ----      -------
	sysvol          Disk      
	netlogon        Disk      
	IPC$            IPC       IPC Service (Samba 4.17.12-Debian)
SMB1 disabled -- no workgroup available

Authentication check:

  • smbclient //localhost/netlogon -UAdministrator%"123Start$" -c 'ls'
  .                                   D        0  Mon Oct 14 20:28:15 2024
  ..                                  D        0  Mon Oct 14 20:28:16 2024

		19022504 blocks of size 1024. 16474524 blocks available

DNS setzen

Resolv

  • cat /etc/resolv.conf
nameserver ::1
nameserver 127.0.0.1
search samba34.linuggs.de

Check

  • nslookup dc1
Server:		::1
Address:	::1#53

Name:	dc1.samba34.linuggs.de
Address: 172.26.55.22
Name:	dc1.samba34.linuggs.de
Address: 2a02:24d8:71:3037::22

Forwarder eintragen

  • vi /etc/samba/smb.conf
dns forwarder = 172.30.34.254 2a02:24d8:71:3040::1

Check

Variablen setzen
  • DOMAIN="samba34.linuggs.de"
  • CONTROLLER="dc1"
Diverse Records
  • host -t SRV _ldap._tcp.$DOMAIN
_ldap._tcp.samba34.linuggs.de has SRV record 0 100 389 dc1.samba34.linuggs.de.
  • host -t SRV _kerberos._udp.$DOMAIN
_kerberos._udp.samba34.linuggs.de has SRV record 0 100 88 dc1.samba34.linuggs.de.
  • host -t A $CONTROLLER.$DOMAIN
dc1.samba34.linuggs.de has address 172.26.55.22
  • host -t AAAA $CONTROLLER.$DOMAIN
dc1.samba34.linuggs.de has IPv6 address 2a02:24d8:71:3037::22

Kerberos

  • vi /etc/krb5.conf
[libdefaults]
        default_realm = SAMBA34.LINUGGS.DE
        dns_lookup_realm = false
        dns_lookup_kdc = true

[realms]
        SAMBA34.LINUGGS.DE = {
                kdc = dc1.samba34.linuggs.de
                admin_server = dc1.samba34.linuggs.de
        }

Winbind

nsswitch.conf ändern

passwd:         compat winbind
group:          compat winbind

ist winbind is "pingbar

  • wbinfo -p
Ping to winbindd succeeded

anzeigen der userliste

  • wbinfo -u
Administrator
Guest
krbtgt

/etc/samba/smb.conf ergänzen

[global]
        netbios name = DC1
        realm = SAMBA34.LINUGGS.DE
        server role = active directory domain controller
        workgroup = SAMBA34
        dns forwarder = 172.30.34.254 2a02:24d8:71:3040::1
        idmap_ldb:use rfc2307 = yes
        winbind enum users = yes
        winbind enum groups = yes
        winbind nss info = template
        template shell = /bin/bash
        template homedir = /home/%U
        winbind use default domain = yes
        

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No 

[netlogon]
        path = /var/lib/samba/sysvol/samba34.linuggs.de/scripts
        read only = No

DC-smb.conf-Erklärung

Service neustarten

  • systemctl restart samba-ad-dc.service

funtioniert nsswitch

  • getent passwd | grep SAMBA34
SAMBA34\administrator:*:0:100::/home/administrator:/bin/bash
SAMBA34\guest:*:3000011:100::/home/guest:/bin/bash
SAMBA34\krbtgt:*:3000017:100::/home/krbtgt:/bin/bash

Tests

Gucken welche Ports geöffnen

TCP
  • ss -lntp
UDP
  • ss -lnup

Prozesse

  • apt install psmisc
  • pstree

Misc

Adminpasswort läuft nicht ab

  • samba-tool user setexpiry administrator --noexpiry

Kennwortrichtlinie in Samba 4 Domain deaktivieren

  • samba-tool domain passwordsettings set --complexity=off
  • samba-tool domain passwordsettings set --history-length=0
  • samba-tool domain passwordsettings set --min-pwd-age=0
  • samba-tool domain passwordsettings set --max-pwd-age=0
  • samba-tool domain passwordsettings set --min-pwd-length 0

Adminpasswort setzen

samba-tool user setpassword Administrator

Kennwortrichtlinie in Samba 4 Domain anzeigen

samba-tool domain passwordsettings show

Samba Verwaltung

2 DC mit Replicatiom

RSAT

howto

https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO

installation

Abgerufen von „http://wiki.ixheim.de/index.php?title=Debian_Samba4_ADS_Domaincontroller&oldid=57749