Debian Samba4 ADS Domaincontroller: Difference between revisions
| Zeile 73: | Zeile 73: | ||
===shares anzeigen:=== | ===shares anzeigen:=== | ||
| + | *smbclient -L localhost -U% | ||
<pre> | <pre> | ||
| − | |||
| − | |||
| − | |||
Sharename Type Comment | Sharename Type Comment | ||
--------- ---- ------- | --------- ---- ------- | ||
| + | sysvol Disk | ||
netlogon Disk | netlogon Disk | ||
| − | + | IPC$ IPC IPC Service (Samba 4.17.12-Debian) | |
| − | IPC$ IPC IPC Service (Samba 4. | + | SMB1 disabled -- no workgroup available |
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
</pre> | </pre> | ||
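Review bot: The added `smbclient -L localhost -U%` line does not say that `-U%` is an anonymous login (empty user name and empty password), so the listing in the `<pre>` block is what an unauthenticated client can enumerate on the DC (sysvol, netlogon, IPC$). Suggest stating that next to the command so readers do not mistake it for an authenticated check, and adding a short remark that the closing line `SMB1 disabled -- no workgroup available` is expected output rather than an error.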
Revision as of 14 October 2024, 18:32
Hostname: dc1.samba34.linuggs.de
Adjust the network interface
- vi /etc/network/interfaces
auto lo
iface lo inet loopback

# The primary network interface
auto enp0s3
iface enp0s3 inet static
    address 172.26.55.22/24
    gateway 172.26.55.1
iface enp0s3 inet6 static
    address 2a02:24d8:71:3037::22/64
    gateway 2a02:24d8:71:3037::1
Adjust hosts
- vi /etc/hosts
127.0.0.1 localhost
172.26.55.22 dc1.samba34.linuggs.de dc1
2a02:24d8:71:3037::22 dc1.samba34.linuggs.de dc1
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
Set the hostname
- hostnamectl set-hostname dc1.samba34.linuggs.de
Adjust resolv.conf
- vi /etc/resolv.conf
nameserver 2a02:24d8:71:3040::1
nameserver 172.30.34.254
search samba34.linuggs.de
reboot
Install Samba 4
- apt install samba smbclient winbind ntp libnss-winbind krb5-user acl
Create the domain
- First delete the old files
- rm /etc/samba/smb.conf /var/lib/samba/private/sam.ldb
- Then provision
- samba-tool domain provision --realm=samba34.linuggs.de --domain=samba34 --adminpass="123Start$" --server-role=dc --dns-backend=SAMBA_INTERNAL --use-rfc2307
Reboot
reboot
Start and enable
- systemctl unmask samba-ad-dc
- systemctl start samba-ad-dc
- systemctl enable samba-ad-dc
smbversion
These should match:
- samba -V
Version 4.17.12-Debian
- smbclient -V
Version 4.17.12-Debian
- smbclient -L localhost -U%
Sharename       Type      Comment
---------       ----      -------
sysvol          Disk
netlogon        Disk
IPC$            IPC       IPC Service (Samba 4.17.12-Debian)
SMB1 disabled -- no workgroup available
Authentication check:
root@fenetre:~# smbclient //localhost/netlogon -UAdministrator%"Z0pp0Trump" -c 'ls'
Domain=[XINUX] OS=[Unix] Server=[Samba 4.1.6-Ubuntu]
  .                                   D        0  Thu Apr 24 15:51:50 2014
  ..                                  D        0  Thu Apr 24 15:51:54 2014

        52706 blocks of size 524288. 47502 blocks available
Set up DNS
Resolv
- /etc/resolv.conf
nameserver 192.168.240.199
search xinux.lan
Check
Add a forwarder
sudo vi /etc/samba/smb.conf
Add the following (you can of course specify your own DNS server instead):
dns forwarder = 192.168.240.21
Check
DOMAIN="xinux.lan"
CONTROLLER="fenetre"
host -t SRV _ldap._tcp.$DOMAIN
_ldap._tcp.xinux.lan has SRV record 0 100 389 fenetre.xinux.lan.
host -t SRV _kerberos._udp.$DOMAIN
_kerberos._udp.xinux.lan has SRV record 0 100 88 fenetre.xinux.lan.
host -t A $CONTROLLER.$DOMAIN
fenetre.xinux.lan has address 192.168.240.199
Kerberos
*kerberos client samba
mkfs.ext4 /dev/vdb1
mkdir /share
echo "/dev/vdb1 /share ext4 user_xattr,acl 0 0" >> /etc/fstab
mount -a
# /share already exists at this point, so set its mode with chmod instead of mkdir -m
chmod 770 /share
chmod g+s /share
chown root:users /share
vi /etc/samba/smb.conf
Insert this:
[share]
    directory_mode: parameter = 0700
    read only = no
    path = /share
    csc policy = documents
root@fenetre:~# smbclient -L localhost -U% | grep share
Domain=[XINUX] OS=[Unix] Server=[Samba 4.1.6-Ubuntu]
Domain=[XINUX] OS=[Unix] Server=[Samba 4.1.6-Ubuntu]
share           Disk
Winbind
Create the winbind link
ln -s /lib/x86_64-linux-gnu/libnss_winbind.so.2 /lib/x86_64-linux-gnu/libnss_winbind.so
Change nsswitch.conf
passwd: compat winbind
group: compat winbind
Is winbind "pingable"?
root@fenetre:~# wbinfo -p
Ping to winbindd succeeded
Display the user list
root@fenetre:~# wbinfo -u
Administrator
Guest
krbtgt
Extend smb.conf
[global]
...
winbind enum users = yes
winbind enum groups = yes
Restart the service
- systemctl restart samba-ad-dc.service
Does nsswitch work?
root@fenetre:~# getent passwd | grep XINUX
XINUX\Administrator:*:0:100::/home/XINUX/Administrator:/bin/false
XINUX\Guest:*:3000011:3000012::/home/XINUX/Guest:/bin/false
XINUX\krbtgt:*:3000017:100::/home/XINUX/krbtgt:/bin/false
Misc
Administrator password does not expire
samba-tool user setexpiry administrator --noexpiry
Disable the password policy in the Samba 4 domain
samba-tool domain passwordsettings set --complexity=off
samba-tool domain passwordsettings set --history-length=0
samba-tool domain passwordsettings set --min-pwd-age=0
samba-tool domain passwordsettings set --max-pwd-age=0
samba-tool domain passwordsettings set --min-pwd-length 0
Set the administrator password
samba-tool user setpassword Administrator
Show the password policy in the Samba 4 domain
samba-tool domain passwordsettings show
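An added example, not part of the original wiki page: a shell function that reads the report from samba-tool domain passwordsettings show and flags the five settings that the "passwordsettings set" commands above change. The report layout in the constructed samples, the function names and the minimum-length baseline of 8 are assumptions; compare the field names with the output of your Samba version.

```bash
#!/usr/bin/env bash
# Added example: audit the report printed by
#   samba-tool domain passwordsettings show
# Reads the report on stdin, prints one "WEAK:" line per finding and
# returns 1 if anything was flagged, 0 otherwise.
# $1 = lowest acceptable minimum password length (assumed baseline: 8).
audit_pwpolicy() {
    awk -F': *' -v minlen="${1:-8}" '
        function weak(msg) { print "WEAK: " msg; found = 1 }
        /^Password complexity:/ && $2 != "on" { weak("complexity checks are " $2) }
        /^Password history length:/ && $2 + 0 == 0 { weak("history length 0, old passwords can be reused") }
        /^Minimum password length:/ && $2 + 0 < minlen { weak("minimum length " $2 " is below " minlen) }
        /^Minimum password age \(days\):/ && $2 + 0 == 0 { weak("minimum age 0, passwords can be changed again at once") }
        /^Maximum password age \(days\):/ && $2 + 0 == 0 { weak("maximum age 0, passwords never expire") }
        END { exit found }
    '
}

# Constructed sample: report layout assumed, values as left by the five
# "passwordsettings set" commands on this page.
SAMPLE_DISABLED="Password information for domain 'DC=samba34,DC=linuggs,DC=de'

Password complexity: off
Store plaintext passwords: off
Password history length: 0
Minimum password length: 0
Minimum password age (days): 0
Maximum password age (days): 0"

# Constructed sample: a policy that is still enforced.
SAMPLE_INTACT="Password information for domain 'DC=samba34,DC=linuggs,DC=de'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 12
Minimum password age (days): 1
Maximum password age (days): 42"

# Hypothetical helper for the demo: label a report and print the verdict.
report() {
    echo "== $1"
    if audit_pwpolicy; then echo "OK: no weakened setting found"; fi
}
printf '%s\n' "$SAMPLE_DISABLED" | report "policy disabled"
printf '%s\n' "$SAMPLE_INTACT"   | report "policy intact"
```

On a domain controller the live report can be piped in directly, for example samba-tool domain passwordsettings show | audit_pwpolicy 12.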
User management
2 DCs with replication
howto
https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO