Debian Samba4 ADS Domaincontroller: Unterschied zwischen den Versionen

Aus Xinux Wiki
Zur Navigation springen Zur Suche springen
Zeile 165: Zeile 165:
 
         '''dns forwarder = 172.30.34.254 2a02:24d8:71:3040::1'''
 
         '''dns forwarder = 172.30.34.254 2a02:24d8:71:3040::1'''
 
         idmap_ldb:use rfc2307 = yes
 
         idmap_ldb:use rfc2307 = yes
        '''winbind use default domain = yes'''
 
 
         '''winbind enum users = yes'''
 
         '''winbind enum users = yes'''
 
         '''winbind enum groups = yes'''
 
         '''winbind enum groups = yes'''

Version vom 16. Oktober 2024, 06:31 Uhr

Hostname: dc1.samba34.linuggs.de

Interface anpassen

  • vi /etc/network/interfaces
auto lo
iface lo inet loopback

# The primary network interface
auto enp0s3
iface enp0s3 inet static
  address 172.26.55.22/24
  gateway 172.26.55.1

iface enp0s3 inet6 static
  address 2a02:24d8:71:3037::22/64
  gateway 2a02:24d8:71:3037::1

Hosts anpassen

  • vi /etc/hosts
127.0.0.1       localhost
172.26.55.22    dc1.samba34.linuggs.de dc1
2a02:24d8:71:3037::22 dc1.samba34.linuggs.de dc1
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Hostname setzen

  • hostnamectl set-hostname dc1.samba34.linuggs.de

resolv.conf anpassen

  • vi /etc/resolv.conf
nameserver 2a02:24d8:71:3040::1
nameserver 172.30.34.254
search samba34.linuggs.de

reboot

Samba 4 installieren

  • apt install samba smbclient winbind ntp libnss-winbind krb5-user acl

Domain anlegen

Vorher löschen
  • rm /etc/samba/smb.conf /var/lib/samba/private/sam.ldb
Los geht es
  • samba-tool domain provision --realm=samba34.linuggs.de --domain=samba34 --adminpass="123Start$" --server-role=dc --dns-backend=SAMBA_INTERNAL --use-rfc2307

Reboot

  • reboot

Start und Enable

  • systemctl unmask samba-ad-dc
  • systemctl start samba-ad-dc
  • systemctl enable samba-ad-dc

smbversion, share und auth check

smbversion

Diese sollten übereinstimmen:

  • samba -V
Version 4.17.12-Debian
  • smbclient -V
Version 4.17.12-Debian


shares anzeigen:

  • smbclient -L localhost -U%
	Sharename       Type      Comment
	---------       ----      -------
	sysvol          Disk      
	netlogon        Disk      
	IPC$            IPC       IPC Service (Samba 4.17.12-Debian)
SMB1 disabled -- no workgroup available

Authentication check:

  • smbclient //localhost/netlogon -UAdministrator%"123Start$" -c 'ls'
  .                                   D        0  Mon Oct 14 20:28:15 2024
  ..                                  D        0  Mon Oct 14 20:28:16 2024

		19022504 blocks of size 1024. 16474524 blocks available

DNS setzen

Resolv

  • cat /etc/resolv.conf
nameserver ::1
nameserver 127.0.0.1
search samba34.linuggs.de

Check

  • nslookup dc1
Server:		::1
Address:	::1#53

Name:	dc1.samba34.linuggs.de
Address: 172.26.55.22
Name:	dc1.samba34.linuggs.de
Address: 2a02:24d8:71:3037::22

Forwarder eintragen

  • vi /etc/samba/smb.conf
dns forwarder = 172.30.34.254 2a02:24d8:71:3040::1

Check

Variablen setzen
  • DOMAIN="samba34.linuggs.de"
  • CONTROLLER="dc1"
Diverse Records
  • host -t SRV _ldap._tcp.$DOMAIN
_ldap._tcp.samba34.linuggs.de has SRV record 0 100 389 dc1.samba34.linuggs.de.
  • host -t SRV _kerberos._udp.$DOMAIN
_kerberos._udp.samba34.linuggs.de has SRV record 0 100 88 dc1.samba34.linuggs.de.
  • host -t A $CONTROLLER.$DOMAIN
dc1.samba34.linuggs.de has address 172.26.55.22
  • host -t AAAA $CONTROLLER.$DOMAIN
dc1.samba34.linuggs.de has IPv6 address 2a02:24d8:71:3037::22

Kerberos

  • vi /etc/krb5.conf
[libdefaults]
        default_realm = SAMBA34.LINUGGS.DE
        dns_lookup_realm = false
        dns_lookup_kdc = true

[realms]
        SAMBA34.LINUGGS.DE = {
                kdc = dc1.samba34.linuggs.de
                admin_server = dc1.samba34.linuggs.de
        }

Winbind

nsswitch.conf ändern

passwd:         compat winbind
group:          compat winbind

ist winbind is "pingbar

  • wbinfo -p
Ping to winbindd succeeded

anzeigen der userliste

  • wbinfo -u
Administrator
Guest
krbtgt

/etc/samba/smb.conf ergänzen

[global]
        netbios name = DC1
        realm = SAMBA34.LINUGGS.DE
        server role = active directory domain controller
        workgroup = SAMBA34
        dns forwarder = 172.30.34.254 2a02:24d8:71:3040::1
        idmap_ldb:use rfc2307 = yes
        winbind enum users = yes
        winbind enum groups = yes
        winbind nss info = template
        template shell = /bin/bash
        template homedir = /home/%U
        winbind use default domain = yes
        

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No 

[netlogon]
        path = /var/lib/samba/sysvol/samba34.linuggs.de/scripts
        read only = No

DC-smb.conf-Erklärung

Service neustarten

  • systemctl restart samba-ad-dc.service

funtioniert nsswitch

  • getent passwd | grep SAMBA34
SAMBA34\administrator:*:0:100::/home/SAMBA34/administrator:/bin/false
SAMBA34\guest:*:3000011:100::/home/SAMBA34/guest:/bin/false
SAMBA34\krbtgt:*:3000017:100::/home/SAMBA34/krbtgt:/bin/false

Tests

Gucken welche Ports geöffnen

TCP
  • ss -lntp
UDP
  • ss -lnup

Prozesse

  • pstree

Misc

Adminpasswort läuft nicht ab

  • samba-tool user setexpiry administrator --noexpiry

Kennwortrichtlinie in Samba 4 Domain deaktivieren

  • samba-tool domain passwordsettings set --complexity=off
  • samba-tool domain passwordsettings set --history-length=0
  • samba-tool domain passwordsettings set --min-pwd-age=0
  • samba-tool domain passwordsettings set --max-pwd-age=0
  • samba-tool domain passwordsettings set --min-pwd-length 0

Adminpasswort setzen

samba-tool user setpassword Administrator

Kennwortrichtlinie in Samba 4 Domain anzeigen

samba-tool domain passwordsettings show

Samba Verwaltung

2 DC mit Replicatiom

RSAT

howto

https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO

installation

Abgerufen von „http://wiki.ixheim.de/index.php?title=Debian_Samba4_ADS_Domaincontroller&oldid=57746