Version vom 13. Dezember 2016, 10:59 Uhr

Installation

Interface anpassen

vi /etc/network/interfaces

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
address 192.168.240.199
netmask 255.255.248.0
gateway 192.168.240.100
dns-nameservers 192.168.240.199 8.8.8.8
dns-search xinux.lan

hosts anpassen

vi /etc/hosts
127.0.0.1       localhost
192.168.240.199 fenetre fenetre.xinux.lan
echo fenetre.xinux.lan > /etc/hostname
reboot

samba4 installieren

apt-get install samba smbclient winbind ntp libnss-winbind krb5-user acl

Domain anlegen

vorher das löschen:

rm /etc/samba/smb.conf /var/lib/samba/private/sam.ldb

realm, domain und adminpass sollten/können angepasst werden!

samba-tool domain provision --realm=xinux.lan --domain=xinux --adminpass="Z0pp0Trump" --server-role=dc --dns-backend=SAMBA_INTERNAL --use-rfc2307

Bei adminpass am besten das hier stehende übernehmen und erst später wie in dieser Anleitung beschrieben ändern, da man sonst die Passwortvorgaben verletzen könnte. Wenn dies passiert richtet sich der Sambaserver nicht korrekt ein.

oder

install bind

apt-get remove apparmor
reboot
apt-get install bind9 
echo 'include "/var/lib/samba/private/named.conf";' >> /etc/bind/named.conf

/etc/bind/named.conf.options

tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";

/var/lib/samba/private/named.conf

dlz "AD DNS Zone" {

    database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";

};

realm, domain und adminpass sollten/können angepasst werden!

samba-tool domain provision --realm=xinux.lan --domain=xinux --adminpass="Z0pp0Trump" --server-role=dc --dns-backend=BIND9_DLZ --use-rfc2307

Bei adminpass am besten das hier stehende übernehmen und erst später wie in dieser Anleitung beschrieben ändern, da man sonst die Passwortvorgaben verletzen könnte. Wenn dies passiert richtet sich der Sambaserver nicht korrekt ein.

Reboot

reboot

smbversion, share und auth check

smbversion

Diese sollten übereinstimmen:

root@fenetre:~# samba -V
Version 4.1.6-Ubuntu
root@fenetre:~# smbclient -V
Version 4.1.6-Ubuntu

shares anzeigen:

root@fenetre:~# smbclient -L localhost -U%
Domain=[XINUX] OS=[Unix] Server=[Samba 4.1.6-Ubuntu]

	Sharename       Type      Comment
	---------       ----      -------
	netlogon        Disk      
	sysvol          Disk      
	IPC$            IPC       IPC Service (Samba 4.1.6-Ubuntu)
Domain=[XINUX] OS=[Unix] Server=[Samba 4.1.6-Ubuntu]

	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------
	WORKGROUP

Authentication check:

root@fenetre:~# smbclient //localhost/netlogon -UAdministrator%"Z0pp0Trump" -c 'ls'
Domain=[XINUX] OS=[Unix] Server=[Samba 4.1.6-Ubuntu]
  .                                   D        0  Thu Apr 24 15:51:50 2014
  ..                                  D        0  Thu Apr 24 15:51:54 2014

		52706 blocks of size 524288. 47502 blocks available

DNS setzen

Resolv

/etc/resolv.conf

nameserver 192.168.240.199
search xinux.lan

Check

Forwarder eintragen

sudo vi  /etc/samba/smb.conf

füge hinzu: (Man kann natürlich auch seinen eigenen DNS angeben)

dns forwarder = 192.168.240.21

Check

DOMAIN="xinux.lan"
CONTROLLER="fenetre"
host -t SRV _ldap._tcp.$DOMAIN
_ldap._tcp.xinux.lan has SRV record 0 100 389 fenetre.xinux.lan.

host -t SRV _kerberos._udp.$DOMAIN
_kerberos._udp.xinux.lan has SRV record 0 100 88 fenetre.xinux.lan.

host -t A $CONTROLLER.$DOMAIN
fenetre.xinux.lan has address 192.168.240.199

Kerberos

*kerberos client samba

Share hinzufügen

mkfs.ext4 /dev/vdb1
mkdir /share
echo "/dev/vdb1  /share   ext4 user_xattr,acl 0 0" >> /etc/fstab 
mount -a

mkdir -m 770 /share
chmod g+s /share
chown root:users /share

vi /etc/samba/smb.conf

füge das ein:

[share]
 directory_mode: parameter = 0700
 read only = no
 path = /share
 csc policy = documents

Share testen

root@fenetre:~# smbclient -L localhost -U% | grep share
Domain=[XINUX] OS=[Unix] Server=[Samba 4.1.6-Ubuntu]
Domain=[XINUX] OS=[Unix] Server=[Samba 4.1.6-Ubuntu]
	share           Disk

Winbind

winbind link setzen

ln -s /lib/x86_64-linux-gnu/libnss_winbind.so.2 /lib/x86_64-linux-gnu/libnss_winbind.so

nsswitch.conf ändern

passwd:         compat winbind
group:          compat winbind

ist winbind is "pingbar

root@fenetre:~# wbinfo -p
Ping to winbindd succeeded

anzeigen der userliste

root@fenetre:~# wbinfo -u
Administrator
Guest
krbtgt

smb.conf ergänzen=

[global]
  ...
  winbind enum users = yes
  winbind enum groups = yes

Service neustarten

systemctl restart winbind.service
systemctl restart samba-ad-dc.service

funtioniert nsswitch

root@fenetre:~# getent passwd | grep XINUX
XINUX\Administrator:*:0:100::/home/XINUX/Administrator:/bin/false
XINUX\Guest:*:3000011:3000012::/home/XINUX/Guest:/bin/false
XINUX\krbtgt:*:3000017:100::/home/XINUX/krbtgt:/bin/false

Misc

Adminpasswort läuft nicht ab

samba-tool user setexpiry administrator --noexpiry

Kennwortrichtlinie in Samba 4 Domain deaktivieren

samba-tool domain passwordsettings set --complexity=off
samba-tool domain passwordsettings set --history-length=0
samba-tool domain passwordsettings set --min-pwd-age=0
samba-tool domain passwordsettings set --max-pwd-age=0
samba-tool domain passwordsettings set --min-pwd-length 0

Adminpasswort setzen

samba-tool user setpassword Administrator

Kennwortrichtlinie in Samba 4 Domain anzeigen

samba-tool domain passwordsettings show

Userverwaltung

=2 DC mit Replicatiom

howto

https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO

installation

http://ubuntuforums.org/showthread.php?t=2146198

@@ Zeile 201: / Zeile 201: @@
   samba-tool domain passwordsettings show
-=Zwei DC mit Replikation einrichten=
-==Situation==
- '''Existierender DC'''
- Name: rumba
- IP: 192.168.242.201
- Ist DNS: Ja
- '''Domain Informationen'''
- DNS Domain Name: xinux.test
- Kerberos realm: XINUX.TEST
- Domain Admin: administrator
- Admin-PW: password
- '''Hinzuzufügender DC'''
- Name: tango
- IP: 192.168.242.200
-==Vorbereitungen==
-*Beide Rechner sollten im selben Netz sein und sich pingen können
-*etc/hosts anpassen: Der Rechner muss sich unter seiner IP finden, bei localhost den Namen löschen
-.0.0.1   localhost   <strike>tango tango.xinux.test</strike>
-.168.242.200   tango tango.xinux.test
-*DNS anpassen: searchdomain eintragen und den existierenden DC als DNS angeben
- nameserver 192.168.242.201
- search xinux.test
-*DNS testen:
- host -t A rumba.xinux.test
- rumba.xinux.test has address 192.168.242.201
-==Kerberos==
-In der krb5.conf müssen folgende Einträge stehen:
- [libdefaults]
-    dns_lookup_realm = false
-    dns_lookup_kdc = true
-    default_realm = XINUX.TEST
-Testen ob man ein Kerberosticket bekommt
- root@tango:~# '''kinit administrator'''
- Password for administrator@XINUX.TEST:
- root@tango:~# '''klist'''
- Ticket cache: FILE:/tmp/krb5cc_0
- Default principal: administrator@XINUX.TEST
- Valid starting       Expires              Service principal
-.09.2015 11:08:57  10.09.2015 21:08:57  krbtgt/XINUX.TEST@XINUX.TEST
-	 renew until 11.09.2015 11:08:44
-==Der Domain beitreten==
-*'''ACHTUNG''' Für das Administrator-Passwort gelten die Standardrichtlinien von SAMBA4!
-*Weiterführende Infos: samba-tool domain join --help
- root@tango:~# samba-tool domain join XINUX.TEST DC -Uadministrator --realm=XINUX.TEST --dns-backend=SAMBA_INTERNAL
-Ausgabe:
-<pre>
-Finding a writeable DC for domain 'XINUX.TEST'
-Found DC rumba.xinux.test
-Password for [WORKGROUP\administrator]:
-workgroup is XINUX
-realm is xinux.test
-checking sAMAccountName
-Adding CN=TANGO,OU=Domain Controllers,DC=xinux,DC=test
-Adding CN=TANGO,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xinux,DC=test
-Adding CN=NTDS Settings,CN=TANGO,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xinux,DC=test
-Adding SPNs to CN=TANGO,OU=Domain Controllers,DC=xinux,DC=test
-Setting account password for TANGO$
-Enabling account
-Calling bare provision
-No IPv6 address will be assigned
-Provision OK for domain DN DC=xinux,DC=test
-Starting replication
-Schema-DN[CN=Schema,CN=Configuration,DC=xinux,DC=test] objects[402/1550] linked_values[0/0]
-Schema-DN[CN=Schema,CN=Configuration,DC=xinux,DC=test] objects[804/1550] linked_values[0/0]
-Schema-DN[CN=Schema,CN=Configuration,DC=xinux,DC=test] objects[1206/1550] linked_values[0/0]
-Schema-DN[CN=Schema,CN=Configuration,DC=xinux,DC=test] objects[1550/1550] linked_values[0/0]
-Analyze and apply schema objects
-Partition[CN=Configuration,DC=xinux,DC=test] objects[402/1616] linked_values[0/0]
-Partition[CN=Configuration,DC=xinux,DC=test] objects[804/1616] linked_values[0/0]
-Partition[CN=Configuration,DC=xinux,DC=test] objects[1206/1616] linked_values[0/0]
-Partition[CN=Configuration,DC=xinux,DC=test] objects[1608/1616] linked_values[0/0]
-Partition[CN=Configuration,DC=xinux,DC=test] objects[1616/1616] linked_values[28/0]
-Replicating critical objects from the base DN of the domain
-Partition[DC=xinux,DC=test] objects[97/97] linked_values[23/0]
-Partition[DC=xinux,DC=test] objects[365/268] linked_values[23/0]
-Done with always replicated NC (base, config, schema)
-Replicating DC=DomainDnsZones,DC=xinux,DC=test
-Partition[DC=DomainDnsZones,DC=xinux,DC=test] objects[46/46] linked_values[0/0]
-Replicating DC=ForestDnsZones,DC=xinux,DC=test
-Partition[DC=ForestDnsZones,DC=xinux,DC=test] objects[18/18] linked_values[0/0]
-Partition[DC=ForestDnsZones,DC=xinux,DC=test] objects[36/18] linked_values[0/0]
-Committing SAM database
-Sending DsReplicateUpdateRefs for all the replicated partitions
-Setting isSynchronized and dsServiceName
-Setting up secrets database
-Joined domain XINUX (SID S-1-5-21-3964088599-1372953937-1397556401) as a DC
-</pre>
-==Anzeige der Replikation==
-DC1:
-<pre>
-root@rumba:~# samba-tool drs showrepl
-Default-First-Site-Name\RUMBA
-DSA Options: 0x00000001
-DSA object GUID: d91df6e8-fc0f-4d96-8407-1f66f5b5c47d
-DSA invocationId: fc6eaa8e-a1cf-4af8-b919-f0af6abddb27
-==== INBOUND NEIGHBORS ====
-DC=DomainDnsZones,DC=xinux,DC=test
-	Default-First-Site-Name\TANGO via RPC
-		DSA object GUID: 9038189e-b307-48dc-bca3-fc76bc63ec38
-		Last attempt @ Thu Sep 10 11:30:34 2015 CEST was successful
-consecutive failure(s).
-		Last success @ Thu Sep 10 11:30:34 2015 CEST
-DC=ForestDnsZones,DC=xinux,DC=test
-	Default-First-Site-Name\TANGO via RPC
-		DSA object GUID: 9038189e-b307-48dc-bca3-fc76bc63ec38
-		Last attempt @ Thu Sep 10 11:30:34 2015 CEST was successful
-consecutive failure(s).
-		Last success @ Thu Sep 10 11:30:34 2015 CEST
-DC=xinux,DC=test
-	Default-First-Site-Name\TANGO via RPC
-		DSA object GUID: 9038189e-b307-48dc-bca3-fc76bc63ec38
-		Last attempt @ Thu Sep 10 11:30:59 2015 CEST was successful
-consecutive failure(s).
-		Last success @ Thu Sep 10 11:30:59 2015 CEST
-CN=Schema,CN=Configuration,DC=xinux,DC=test
-	Default-First-Site-Name\TANGO via RPC
-		DSA object GUID: 9038189e-b307-48dc-bca3-fc76bc63ec38
-		Last attempt @ Thu Sep 10 11:30:34 2015 CEST was successful
-consecutive failure(s).
-		Last success @ Thu Sep 10 11:30:34 2015 CEST
-CN=Configuration,DC=xinux,DC=test
-	Default-First-Site-Name\TANGO via RPC
-		DSA object GUID: 9038189e-b307-48dc-bca3-fc76bc63ec38
-		Last attempt @ Thu Sep 10 11:30:35 2015 CEST was successful
-consecutive failure(s).
-		Last success @ Thu Sep 10 11:30:35 2015 CEST
-==== OUTBOUND NEIGHBORS ====
-DC=DomainDnsZones,DC=xinux,DC=test
-	Default-First-Site-Name\TANGO via RPC
-		DSA object GUID: 9038189e-b307-48dc-bca3-fc76bc63ec38
-		Last attempt @ NTTIME(0) was successful
-consecutive failure(s).
-		Last success @ NTTIME(0)
-DC=ForestDnsZones,DC=xinux,DC=test
-	Default-First-Site-Name\TANGO via RPC
-		DSA object GUID: 9038189e-b307-48dc-bca3-fc76bc63ec38
-		Last attempt @ NTTIME(0) was successful
-consecutive failure(s).
-		Last success @ NTTIME(0)
-DC=xinux,DC=test
-	Default-First-Site-Name\TANGO via RPC
-		DSA object GUID: 9038189e-b307-48dc-bca3-fc76bc63ec38
-		Last attempt @ NTTIME(0) was successful
-consecutive failure(s).
-		Last success @ NTTIME(0)
-CN=Schema,CN=Configuration,DC=xinux,DC=test
-	Default-First-Site-Name\TANGO via RPC
-		DSA object GUID: 9038189e-b307-48dc-bca3-fc76bc63ec38
-		Last attempt @ NTTIME(0) was successful
-consecutive failure(s).
-		Last success @ NTTIME(0)
-CN=Configuration,DC=xinux,DC=test
-	Default-First-Site-Name\TANGO via RPC
-		DSA object GUID: 9038189e-b307-48dc-bca3-fc76bc63ec38
-		Last attempt @ NTTIME(0) was successful
-consecutive failure(s).
-		Last success @ NTTIME(0)
-==== KCC CONNECTION OBJECTS ====
-Connection --
-	Connection name: f31d9725-b1a6-4450-93d4-8b62fabf609f
-	Enabled        : TRUE
-	Server DNS name : TANGO.xinux.test
-	Server DN name  : CN=NTDS Settings,CN=TANGO,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xinux,DC=test
-		TransportType: RPC
-		options: 0x00000001
-Warning: No NC replicated for Connection!
-</pre>
-DC2:
-<pre>
-root@tango:~# samba-tool drs showrepl
-Default-First-Site-Name\TANGO
-DSA Options: 0x00000001
-DSA object GUID: 9038189e-b307-48dc-bca3-fc76bc63ec38
-DSA invocationId: 1278e3ce-dadf-4e44-be9a-43c591e8318d
-==== INBOUND NEIGHBORS ====
-CN=Schema,CN=Configuration,DC=xinux,DC=test
-	Default-First-Site-Name\RUMBA via RPC
-		DSA object GUID: d91df6e8-fc0f-4d96-8407-1f66f5b5c47d
-		Last attempt @ Thu Sep 10 11:28:15 2015 CEST was successful
-consecutive failure(s).
-		Last success @ Thu Sep 10 11:28:15 2015 CEST
-DC=xinux,DC=test
-	Default-First-Site-Name\RUMBA via RPC
-		DSA object GUID: d91df6e8-fc0f-4d96-8407-1f66f5b5c47d
-		Last attempt @ Thu Sep 10 11:28:15 2015 CEST was successful
-consecutive failure(s).
-		Last success @ Thu Sep 10 11:28:15 2015 CEST
-DC=DomainDnsZones,DC=xinux,DC=test
-	Default-First-Site-Name\RUMBA via RPC
-		DSA object GUID: d91df6e8-fc0f-4d96-8407-1f66f5b5c47d
-		Last attempt @ Thu Sep 10 11:31:28 2015 CEST was successful
-consecutive failure(s).
-		Last success @ Thu Sep 10 11:31:28 2015 CEST
-DC=ForestDnsZones,DC=xinux,DC=test
-	Default-First-Site-Name\RUMBA via RPC
-		DSA object GUID: d91df6e8-fc0f-4d96-8407-1f66f5b5c47d
-		Last attempt @ Thu Sep 10 11:28:15 2015 CEST was successful
-consecutive failure(s).
-		Last success @ Thu Sep 10 11:28:15 2015 CEST
-CN=Configuration,DC=xinux,DC=test
-	Default-First-Site-Name\RUMBA via RPC
-		DSA object GUID: d91df6e8-fc0f-4d96-8407-1f66f5b5c47d
-		Last attempt @ Thu Sep 10 11:28:15 2015 CEST was successful
-consecutive failure(s).
-		Last success @ Thu Sep 10 11:28:15 2015 CEST
-==== OUTBOUND NEIGHBORS ====
-CN=Schema,CN=Configuration,DC=xinux,DC=test
-	Default-First-Site-Name\RUMBA via RPC
-		DSA object GUID: d91df6e8-fc0f-4d96-8407-1f66f5b5c47d
-		Last attempt @ NTTIME(0) was successful
-consecutive failure(s).
-		Last success @ NTTIME(0)
-DC=xinux,DC=test
-	Default-First-Site-Name\RUMBA via RPC
-		DSA object GUID: d91df6e8-fc0f-4d96-8407-1f66f5b5c47d
-		Last attempt @ NTTIME(0) was successful
-consecutive failure(s).
-		Last success @ NTTIME(0)
-DC=DomainDnsZones,DC=xinux,DC=test
-	Default-First-Site-Name\RUMBA via RPC
-		DSA object GUID: d91df6e8-fc0f-4d96-8407-1f66f5b5c47d
-		Last attempt @ NTTIME(0) was successful
-consecutive failure(s).
-		Last success @ NTTIME(0)
-DC=ForestDnsZones,DC=xinux,DC=test
-	Default-First-Site-Name\RUMBA via RPC
-		DSA object GUID: d91df6e8-fc0f-4d96-8407-1f66f5b5c47d
-		Last attempt @ NTTIME(0) was successful
-consecutive failure(s).
-		Last success @ NTTIME(0)
-CN=Configuration,DC=xinux,DC=test
-	Default-First-Site-Name\RUMBA via RPC
-		DSA object GUID: d91df6e8-fc0f-4d96-8407-1f66f5b5c47d
-		Last attempt @ NTTIME(0) was successful
-consecutive failure(s).
-		Last success @ NTTIME(0)
-==== KCC CONNECTION OBJECTS ====
-Connection --
-	Connection name: 2770037b-6291-442b-9b94-89c8d6c780c0
-	Enabled        : TRUE
-	Server DNS name : rumba.xinux.test
-	Server DN name  : CN=NTDS Settings,CN=RUMBA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xinux,DC=test
-		TransportType: RPC
-		options: 0x00000001
-Warning: No NC replicated for Connection!
-</pre>
-=SeDiskOperatorPrivilege=
- net rpc rights grant 'XINUX\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
-===Vorhandene Rechte lassen sich so Anzeige===
- net rpc rights list accounts -Uadministrator
 =[[Userverwaltung]]=
+=[[2 DC mit Replicatiom]]
 =howto=

Debian Samba4 ADS Domaincontroller: Unterschied zwischen den Versionen

Version vom 13. Dezember 2016, 10:59 Uhr

Installation

Interface anpassen

hosts anpassen

samba4 installieren

Domain anlegen

install bind

/etc/bind/named.conf.options

/var/lib/samba/private/named.conf

Reboot

smbversion, share und auth check

smbversion

shares anzeigen:

Authentication check:

DNS setzen

Resolv

Check

Forwarder eintragen

Check

Kerberos

Share hinzufügen

Share testen

Winbind

winbind link setzen

nsswitch.conf ändern

ist winbind is "pingbar

anzeigen der userliste

smb.conf ergänzen=

Service neustarten

funtioniert nsswitch

Misc

Adminpasswort läuft nicht ab

Kennwortrichtlinie in Samba 4 Domain deaktivieren

Adminpasswort setzen

Kennwortrichtlinie in Samba 4 Domain anzeigen

Userverwaltung

howto

installation

Navigationsmenü

Suche