Ubuntu-ads-member: Unterschied zwischen den Versionen

Zeile 1: Zeile 1:
 +
=auf dem domain controller==
 +
kinit administrator
 +
samba-tool dns add localhost  xinux.org dewey A 192.168.244.152
 +
 
=Installation=
 
=Installation=
 
==Interface anpassen==
 
==Interface anpassen==
Zeile 55: Zeile 59:
 
....
 
....
 
</pre>
 
</pre>
 
==smbversion, share und auth check==
 
 
===smbversion===
 
Diese sollten übereinstimmen:
 
root@fenetre:~# samba -V
 
Version 4.1.6-Ubuntu
 
root@fenetre:~# smbclient -V
 
Version 4.1.6-Ubuntu
 
 
===shares anzeigen:===
 
<pre>
 
root@fenetre:~# smbclient -L localhost -U%
 
Domain=[XINUX] OS=[Unix] Server=[Samba 4.1.6-Ubuntu]
 
 
Sharename      Type      Comment
 
---------      ----      -------
 
netlogon        Disk     
 
sysvol          Disk     
 
IPC$            IPC      IPC Service (Samba 4.1.6-Ubuntu)
 
Domain=[XINUX] OS=[Unix] Server=[Samba 4.1.6-Ubuntu]
 
 
Server              Comment
 
---------            -------
 
 
Workgroup            Master
 
---------            -------
 
WORKGROUP
 
</pre>
 
 
===Authentication check:===
 
<pre>
 
root@fenetre:~# smbclient //localhost/netlogon -UAdministrator%"Z0pp0Trump" -c 'ls'
 
Domain=[XINUX] OS=[Unix] Server=[Samba 4.1.6-Ubuntu]
 
  .                                  D        0  Thu Apr 24 15:51:50 2014
 
  ..                                  D        0  Thu Apr 24 15:51:54 2014
 
 
52706 blocks of size 524288. 47502 blocks available
 
</pre>
 
 
==DNS setzen==
 
===Forwarder eintragen===
 
sudo vi  /etc/samba/smb.conf
 
füge hinzu: (Man kann natürlich auch seinen eigenen DNS angeben)
 
dns forwarder = 192.168.240.21
 
 
===Check===
 
<pre>
 
DOMAIN="xinux.lan"
 
CONTROLLER="fenetre"
 
host -t SRV _ldap._tcp.$DOMAIN
 
_ldap._tcp.xinux.lan has SRV record 0 100 389 fenetre.xinux.lan.
 
 
host -t SRV _kerberos._udp.$DOMAIN
 
_kerberos._udp.xinux.lan has SRV record 0 100 88 fenetre.xinux.lan.
 
 
host -t A $CONTROLLER.$DOMAIN
 
fenetre.xinux.lan has address 192.168.240.199
 
 
</pre>
 
 
==Kerberos==
 
cp /var/lib/samba/private/krb5.conf  /usr/share/samba/setup/krb5.conf
 
 
==Share hinzufügen==
 
mkfs.ext4 /dev/vdb1
 
mkdir /share
 
echo "/dev/vdb1  /share  ext4 user_xattr,acl 0 0" >> /etc/fstab
 
mount -a
 
 
mkdir -m 770 /share
 
chmod g+s /share
 
chown root:users /share
 
 
vi /etc/samba/smb.conf
 
füge das ein:
 
 
[share]
 
  directory_mode: parameter = 0700
 
  read only = no
 
  path = /share
 
  csc policy = documents
 
 
==Share testen==
 
root@fenetre:~# smbclient -L localhost -U% | grep share
 
Domain=[XINUX] OS=[Unix] Server=[Samba 4.1.6-Ubuntu]
 
Domain=[XINUX] OS=[Unix] Server=[Samba 4.1.6-Ubuntu]
 
share          Disk
 
==Winbind==
 
===winbind link setzen===
 
ln -s /lib/x86_64-linux-gnu/libnss_winbind.so.2 /lib/x86_64-linux-gnu/libnss_winbind.so
 
  
 
===nsswitch.conf ändern===
 
===nsswitch.conf ändern===
 
  passwd:        compat winbind
 
  passwd:        compat winbind
 
  group:          compat winbind
 
  group:          compat winbind
 +
 
===ist winbind is "pingbar===  
 
===ist winbind is "pingbar===  
 
  root@fenetre:~# wbinfo -p
 
  root@fenetre:~# wbinfo -p

Version vom 16. Juli 2014, 19:40 Uhr

auf dem domain controller

kinit administrator
samba-tool dns add localhost  xinux.org dewey A 192.168.244.152

Installation

Interface anpassen

vi /etc/network/interfaces
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
 address 192.168.244.152
 netmask 255.255.248.0
 gateway 192.168.240.100
 dns-nameservers 192.168.240.200
 dns-search xinux.org

hosts anpassen

vi /etc/hosts
127.0.0.1       localhost
192.168.244.152 dewey dewey.xinux.org 
echo dewey.xinux.org > /etc/hostname
reboot

samba4 installieren

apt-get install samba smbclient winbind ntp libnss-winbind krb5-user acl

/etc/samba/smb.conf

[global]
   workgroup = XINUX
   security = ADS
   realm = XINUX.ORG
   encrypt passwords = yes

   # NOTE(review): the domain-specific idmap entries below are keyed "SAMDOM",
   # while the workgroup joined above is XINUX. idmap settings only apply to the
   # domain named in the key; for any other domain the "*" (tdb) range is used.
   # Confirm the intended short domain name before relying on the rfc2307 mapping.
   idmap config *:backend = tdb
   idmap config *:range = 70001-80000
   idmap config SAMDOM:backend = ad
   idmap config SAMDOM:schema_mode = rfc2307
   idmap config SAMDOM:range = 500-40000

   winbind nss info = rfc2307
   winbind trusted domains only = no
   winbind use default domain = yes
   winbind enum users  = yes
   winbind enum groups = yes

/etc/krb5.conf

[libdefaults]
...
[realms]
        XINUX.ORG = {
                kdc = gondor.xinux.org
                admin_server = gondor.xinux.org
....

nsswitch.conf ändern

passwd:         compat winbind
group:          compat winbind

ist winbind "pingbar"?

root@fenetre:~# wbinfo -p
Ping to winbindd succeeded

Anzeigen der Userliste

root@fenetre:~# wbinfo -u
Administrator
Guest
krbtgt

funktioniert nsswitch?

root@fenetre:~# getent passwd | grep XINUX
XINUX\Administrator:*:0:100::/home/XINUX/Administrator:/bin/false
XINUX\Guest:*:3000011:3000012::/home/XINUX/Guest:/bin/false
XINUX\krbtgt:*:3000017:100::/home/XINUX/krbtgt:/bin/false


Misc

Adminpasswort läuft nicht ab

samba-tool user setexpiry administrator --noexpiry

Kennwortrichtlinie in Samba 4 Domain deaktivieren

# Turns off every domain password-policy control, one setting per call:
samba-tool domain passwordsettings set --complexity=off      # no character-class requirement
samba-tool domain passwordsettings set --history-length=0    # previous passwords may be reused
samba-tool domain passwordsettings set --min-pwd-age=0       # password may be changed again immediately
samba-tool domain passwordsettings set --max-pwd-age=0       # 0 = passwords never expire
samba-tool domain passwordsettings set --min-pwd-length 0    # no minimum length is enforced

Adminpasswort setzen

samba-tool user setpassword Administrator

Kennwortrichtlinie in Samba 4 Domain anzeigen

samba-tool domain passwordsettings show

SeDiskOperatorPrivilege

net rpc rights grant 'XINUX\Domain Admins' SeDiskOperatorPrivilege -Uadministrator

Vorhandene Rechte lassen sich so anzeigen:

net rpc rights list accounts -Uadministrator

Userverwaltung

howto

https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO

installation