Sernet Suse

From xinux.net
Revision as of 19 December 2016, 09:18 by David (talk | contribs) (→‎/etc/hosts)

preparation

/etc/resolv.conf

nameserver 192.168.240.200
search xinux.lan

/etc/hostname

susi.xinux.lan

/etc/hosts

127.0.0.1       localhost
192.168.240.29  susi.xinux.lan susi

/etc/sysconfig/network/ifcfg-eth0

BOOTPROTO='static'
BROADCAST=''
ETHTOOL_OPTIONS=''
IPADDR='192.168.240.29/21'
MTU=''
NAME=''
NETMASK=''
NETWORK=''
REMOTE_IPADDR=''
STARTMODE='auto'
DHCLIENT_SET_DEFAULT_ROUTE='yes'

/etc/sysconfig/network/routes

default 192.168.240.100 - -

create an account

https://portal.enterprisesamba.com/

add this to /etc/zypp/repos.d/sernet-samba-4.2.repo

change USERNAME and ACCESSKEY

[sernet-samba-4.2]
name=SerNet Samba 4.2 Packages (sles-12)
type=rpm-md
baseurl=https://USERNAME:ACCESSKEY@download.sernet.de/packages/samba/4.2/sles/12/
gpgcheck=1
gpgkey=https://USERNAME:ACCESSKEY@download.sernet.de/packages/samba/4.2/sles/12/repodata/repomd.xml.key
enabled=1

The SerNet build key

wget https://download.sernet.de/pub/sernet-build-key-1.1-5.noarch.rpm
rpm -i sernet-build-key-1.1-5.noarch.rpm

update

  • zypper refresh
  • zypper update

install

zypper install sernet-samba-ad

clean

rm /etc/samba/smb.conf /var/lib/samba/private/sam.ldb

provision

  • samba-tool domain provision
Realm [XINUX.LAN]: 
 Domain [XINUX]: 
 Server Role (dc, member, standalone) [dc]: 
 DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: 
 DNS forwarder IP address (write 'none' to disable forwarding) [192.168.255.250]: 
Administrator password: 
Retype password: 
Looking up IPv4 addresses
Looking up IPv6 addresses
More than one IPv6 address found. Using fd11:8fd3:475e:0:20c:29ff:fe99:fc27
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=xinux,DC=lan
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=xinux,DC=lan
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /var/lib/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role:           active directory domain controller
Hostname:              susi
NetBIOS Domain:        XINUX
DNS Domain:            xinux.lan
DOMAIN SID:            S-1-5-21-3500209156-804325877-3868805387

/etc/resolv.conf

nameserver 192.168.240.29
search xinux.lan

enable AD Services

  • sed -i "/SAMBA_START_MODE/s/none/ad/" /etc/default/sernet-samba

start samba ad

service sernet-samba-ad start 
Starting SAMBA AD services :  *

test share

smbclient -L localhost -U%

test the server ports

  • netstat -ltp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name   
tcp        0      0 *:domain                *:*                     LISTEN      3133/samba          
tcp        0      0 *:ssh                   *:*                     LISTEN      1543/sshd           
tcp        0      0 *:kerberos              *:*                     LISTEN      3125/samba          
tcp        0      0 *:otv                   *:*                     LISTEN      1543/sshd           
tcp        0      0 localhost:smtp          *:*                     LISTEN      1374/master         
tcp        0      0 *:ldaps                 *:*                     LISTEN      3123/samba          
tcp        0      0 *:microsoft-ds          *:*                     LISTEN      3128/smbd           
tcp        0      0 *:1024                  *:*                     LISTEN      3120/samba          
tcp        0      0 *:msft-gc               *:*                     LISTEN      3123/samba          
tcp        0      0 *:msft-gc-ssl           *:*                     LISTEN      3123/samba          
tcp        0      0 *:ldap                  *:*                     LISTEN      3123/samba          
tcp        0      0 *:epmap                 *:*                     LISTEN      3120/samba          
tcp        0      0 *:netbios-ssn           *:*                     LISTEN      3128/smbd           
tcp        0      0 *:kpasswd               *:*                     LISTEN      3125/samba          

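The listing above shows which listeners a working DC exposes, but reading it by eye is error-prone. The following check, an added example that is not part of the original page, compares `netstat -ltp` output against the set of service names a Samba AD DC is expected to expose (taken from the listing above) and names any that did not bind. The sample listings are constructed from the page's output; the service list is an assumption to adjust for a differently configured DC.

```shell
#!/bin/sh
# Added example, not from the original page: compare the listeners reported by
# `netstat -ltp` with the set a Samba AD DC is expected to expose, so a service
# that failed to bind is noticed before clients try to join.

# Service names as printed by netstat (resolved via /etc/services). Taken from
# the listing above; adjust if your DC is configured differently.
EXPECTED_SERVICES="domain kerberos kpasswd ldap ldaps msft-gc msft-gc-ssl epmap microsoft-ds netbios-ssn"

# missing_services: read `netstat -ltp` output on stdin and print each expected
# service that has no TCP LISTEN entry, one per line. Returns 1 if any is missing.
missing_services() {
    # column 4 is "Local Address" (e.g. *:ldap, localhost:smtp, [::]:ldap);
    # keep only the part after the last colon
    listening=$(awk '$1 ~ /^tcp/ && $6 == "LISTEN" { sub(/.*:/, "", $4); print $4 }')
    rc=0
    for svc in $EXPECTED_SERVICES; do
        if ! printf '%s\n' "$listening" | grep -qx "$svc"; then
            echo "$svc"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: the listing from the page with ldaps and msft-gc-ssl
# removed, simulating a DC whose TLS listeners did not come up.
SAMPLE_PARTIAL='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 *:domain                *:*                     LISTEN      3133/samba
tcp        0      0 *:ssh                   *:*                     LISTEN      1543/sshd
tcp        0      0 *:kerberos              *:*                     LISTEN      3125/samba
tcp        0      0 localhost:smtp          *:*                     LISTEN      1374/master
tcp        0      0 *:microsoft-ds          *:*                     LISTEN      3128/smbd
tcp        0      0 *:msft-gc               *:*                     LISTEN      3123/samba
tcp        0      0 *:ldap                  *:*                     LISTEN      3123/samba
tcp        0      0 *:epmap                 *:*                     LISTEN      3120/samba
tcp        0      0 *:netbios-ssn           *:*                     LISTEN      3128/smbd
tcp        0      0 *:kpasswd               *:*                     LISTEN      3125/samba'

# Same listing with every expected service present.
SAMPLE_FULL="$SAMPLE_PARTIAL
tcp        0      0 *:ldaps                 *:*                     LISTEN      3123/samba
tcp        0      0 *:msft-gc-ssl           *:*                     LISTEN      3123/samba"

# Live usage on the DC:  netstat -ltp | missing_services
# Stand-alone demo on the constructed sample:
if printf '%s\n' "$SAMPLE_PARTIAL" | missing_services; then
    echo "all expected services are listening"
else
    echo "(the services listed above are not listening)"
fi
```

On a live DC, pipe `netstat -ltp` (or `ss -ltp`, whose column layout differs and would need the awk field numbers adjusted) into `missing_services`; a non-zero exit makes the check usable from a monitoring script.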
Is the domain reachable?

  • smbclient -L localhost -UAdministrator%'12X!nux99'
 Domain=[XINUX] OS=[Windows 6.1] Server=[Samba 4.2.14-SerNet-SuSE-23.suse132] 

	Sharename       Type      Comment
	---------       ----      -------
	netlogon        Disk      
	sysvol          Disk      
	IPC$            IPC       IPC Service (Samba 4.2.14-SerNet-SuSE-23.suse132)

test dns

  • DOMAIN="xinux.lan"
  • CONTROLLER="susi"

ldap

  • host -t SRV _ldap._tcp.$DOMAIN
_ldap._tcp.xinux.org has SRV record 0 100 389 gondor.xinux.org.

kerberos

  • host -t SRV _kerberos._udp.$DOMAIN
_kerberos._udp.xinux.org has SRV record 0 100 88 gondor.xinux.org.

hostname

  • host -t A $CONTROLLER.$DOMAIN
gondor.xinux.org has address 192.168.240.200
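Clients locate the DC through these SRV records, not through /etc/hosts, so the targets must name the controller provisioned here. The output quoted above was taken from a different DC (gondor.xinux.org), which is exactly the mismatch worth catching. The following check is an added example, not part of the original page: it parses `host -t SRV` and `host -t A` answers and compares them with `$CONTROLLER.$DOMAIN`. The answers it is run against are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original page: parse the answers from `host -t SRV`
# and `host -t A` and check that they point at the controller provisioned here.
DOMAIN="xinux.lan"
CONTROLLER="susi"

# srv_target: print the target host of the first SRV answer on stdin, without
# the trailing dot. Prints nothing if the input holds no SRV answer.
srv_target() {
    awk '/has SRV record/ { sub(/\.$/, "", $NF); print $NF; exit }'
}

# srv_port: print the port of the first SRV answer on stdin.
srv_port() {
    awk '/has SRV record/ { print $(NF-1); exit }'
}

# a_address: print the address of the first A answer on stdin.
a_address() {
    awk '/has address/ { print $NF; exit }'
}

# check_srv FQDN PORT: 0 when the SRV answer on stdin targets FQDN on PORT.
check_srv() {
    answer=$(cat)
    [ "$(printf '%s\n' "$answer" | srv_target)" = "$1" ] &&
    [ "$(printf '%s\n' "$answer" | srv_port)" = "$2" ]
}

# Constructed answers: what `host -t SRV _ldap._tcp.$DOMAIN` should return for
# this DC, and the stale answer shown on the page.
LDAP_OK='_ldap._tcp.xinux.lan has SRV record 0 100 389 susi.xinux.lan.'
KRB_OK='_kerberos._udp.xinux.lan has SRV record 0 100 88 susi.xinux.lan.'
LDAP_STALE='_ldap._tcp.xinux.org has SRV record 0 100 389 gondor.xinux.org.'
A_OK='susi.xinux.lan has address 192.168.240.29'

# Live usage:  host -t SRV _ldap._tcp.$DOMAIN | check_srv "$CONTROLLER.$DOMAIN" 389
# Stand-alone demo on the constructed answers:
for rec in "$LDAP_OK" "$LDAP_STALE"; do
    if printf '%s\n' "$rec" | check_srv "$CONTROLLER.$DOMAIN" 389; then
        echo "OK:    $rec"
    else
        echo "WRONG: $rec"
    fi
done
```

Run the same check for `_kerberos._udp.$DOMAIN` on port 88 and compare `host -t A $CONTROLLER.$DOMAIN | a_address` with the address in ifcfg-eth0; a DC whose own resolv.conf still points at the old nameserver will typically fail here first.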

nsswitch

change /etc/nsswitch.conf

passwd:         compat winbind
group:          compat winbind

user wbinfo

  • wbinfo -u
administrator
krbtgt
guest

group wbinfo

  • wbinfo -g
enterprise read-only domain controllers
domain admins
domain users
domain guests
domain computers
domain controllers
schema admins
enterprise admins
group policy creator owners
read-only domain controllers
dnsupdateproxy

trust wbinfo

  • wbinfo -t
checking the trust secret for domain XINUX via RPC calls succeeded

test passwd

getent passwd | grep XINUX

XINUX\Administrator:*:0:100::/home/XINUX/Administrator:/bin/false
XINUX\Guest:*:3000011:3000012::/home/XINUX/Guest:/bin/false
XINUX\krbtgt:*:3000016:100::/home/XINUX/krbtgt:/bin/false

test group

getent group | grep XINUX

XINUX\Enterprise Read-Only Domain Controllers:*:3000017:
XINUX\Domain Admins:*:3000008:
XINUX\Domain Users:*:100:
XINUX\Domain Guests:*:3000012:
XINUX\Domain Computers:*:3000018:
XINUX\Domain Controllers:*:3000019:
XINUX\Schema Admins:*:3000007:
XINUX\Enterprise Admins:*:3000006:
XINUX\Group Policy Creator Owners:*:3000004:
XINUX\Read-Only Domain Controllers:*:3000020:
XINUX\DnsUpdateProxy:*:3000021:

kerberos

install the Kerberos client

  • zypper install krb5-client

copy config

cp /var/lib/samba/private/krb5.conf /etc/krb5.conf

test kerberos

kinit

kinit Administrator

Administrator@XINUX.LAN's Password:

klist

  • klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: Administrator@XINUX.ORG

  Issued                Expires               Principal
Jun 25 14:31:42 2014  Jun 26 00:31:34 2014  krbtgt/XINUX.ORG@XINUX.ORG
  • klist
Ticket cache: DIR::/run/user/0/krb5cc/tkt
Default principal: Administrator@XINUX.LAN

Valid starting       Expires              Service principal
12.12.2016 16:29:18  13.12.2016 02:29:18  krbtgt/XINUX.LAN@XINUX.LAN
	renew until 13.12.2016 16:29:12

ldap

/etc/samba/smb.conf

[global]
  ...
  tls verify peer = no_check
  ldap server require strong auth = no


test against the LDAP server on localhost

ldbsearch -H ldaps://localhost  "cn=administrator" -U administrator

timeserver

install

zypper install ntp

/etc/ntp.conf

server 127.127.1.0
fudge 127.127.1.0 stratum 10
server 0.pool.ntp.org iburst prefer
server 1.pool.ntp.org iburst prefer
driftfile /var/lib/ntp/ntp.drift
logfile /var/log/ntp
ntpsigndsocket /var/lib/samba/ntp_signd/
restrict default kod nomodify notrap nopeer mssntp
restrict 127.0.0.1
restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery

/var/lib/samba/ntp_signd

chgrp ntp /var/lib/samba/ntp_signd
chmod g+rx /var/lib/samba/ntp_signd
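The chgrp/chmod steps above are easy to get wrong, and the failure is silent: ntpd simply cannot reach the signing socket that `ntpsigndsocket` points at. The following function is an added example, not part of the original page, that verifies the directory's group and group permission bits; it assumes GNU `stat` (as shipped with SUSE coreutils) and demonstrates itself on a scratch directory rather than on /var/lib/samba/ntp_signd.

```shell
#!/bin/sh
# Added check, not from the original page: confirm that the ntp_signd socket
# directory is group-owned by ntpd's group and group-searchable, which the
# chgrp/chmod steps above establish. Assumes GNU stat.

# signd_dir_ok DIR GROUP: 0 when DIR exists, its group is GROUP, and the group
# permission bits include read and execute (search).
signd_dir_ok() {
    dir=$1
    group=$2
    [ -d "$dir" ] || return 1
    [ "$(stat -c %G "$dir")" = "$group" ] || return 1
    mode=$(stat -c %a "$dir")          # e.g. 750, or 2750 with setgid
    gbits=$(( (0$mode / 8) % 8 ))      # octal group digit
    [ $(( gbits & 5 )) -eq 5 ]         # r (4) and x (1) both set
}

# Live usage:  signd_dir_ok /var/lib/samba/ntp_signd ntp && echo ok
# Stand-alone demo on a scratch directory (its own group stands in for "ntp"):
demo_dir=$(mktemp -d)
demo_group=$(stat -c %G "$demo_dir")
chmod 700 "$demo_dir"
signd_dir_ok "$demo_dir" "$demo_group" && echo "unexpected: passes at mode 700"
chmod g+rx "$demo_dir"
signd_dir_ok "$demo_dir" "$demo_group" && echo "ok: passes at mode 750"
rmdir "$demo_dir"
```

After `chgrp ntp` and `chmod g+rx`, `signd_dir_ok /var/lib/samba/ntp_signd ntp` returns 0; a Samba package upgrade that recreates the directory with the default ownership will make it fail again, so it is worth running from the same place as the port check.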

User management