Ubuntu-samba4: Difference between revisions
Revision as of 10 September 2015, 09:18

Installation

Adjust the network interface
vi /etc/network/interfaces
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    address 192.168.240.199
    netmask 255.255.248.0
    gateway 192.168.240.100
    dns-nameservers 192.168.240.199 8.8.8.8
    dns-search xinux.lan

Adjust hosts

vi /etc/hosts
127.0.0.1 localhost
192.168.240.199 fenetre fenetre.xinux.lan

echo fenetre.xinux.lan > /etc/hostname
reboot

Install samba4
apt-get install samba smbclient winbind ntp libnss-winbind krb5-user acl
Create the domain

First delete the following:
rm /etc/samba/smb.conf /var/lib/samba/private/sam.ldb
realm, domain and adminpass should/can be adjusted!
samba-tool domain provision --realm=xinux.lan --domain=xinux --adminpass="Z0pp0Trump" --server-role=dc --dns-backend=SAMBA_INTERNAL --use-rfc2307
or

Install bind

apt-get remove apparmor
reboot
apt-get install bind9
echo 'include "/var/lib/samba/private/named.conf";' >> /etc/bind/named.conf

/etc/bind/named.conf.options
tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
/var/lib/samba/private/named.conf

dlz "AD DNS Zone" {
    database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";
};

realm, domain and adminpass should/can be adjusted!
samba-tool domain provision --realm=xinux.lan --domain=xinux --adminpass="Z0pp0Trump" --server-role=dc --dns-backend=BIND9_DLZ --use-rfc2307
Reboot

reboot

Samba version

These should match:

root@fenetre:~# samba -V
Version 4.1.6-Ubuntu
root@fenetre:~# smbclient -V
Version 4.1.6-Ubuntu

root@fenetre:~# smbclient -L localhost -U%
Domain=[XINUX] OS=[Unix] Server=[Samba 4.1.6-Ubuntu]

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk
        sysvol          Disk
        IPC$            IPC       IPC Service (Samba 4.1.6-Ubuntu)
Domain=[XINUX] OS=[Unix] Server=[Samba 4.1.6-Ubuntu]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP

Authentication check:

root@fenetre:~# smbclient //localhost/netlogon -UAdministrator%"Z0pp0Trump" -c 'ls'
Domain=[XINUX] OS=[Unix] Server=[Samba 4.1.6-Ubuntu]
  .                                   D        0  Thu Apr 24 15:51:50 2014
  ..                                  D        0  Thu Apr 24 15:51:54 2014

                52706 blocks of size 524288. 47502 blocks available
Set up DNS

Enter a forwarder

sudo vi /etc/samba/smb.conf

add: (you can of course also specify your own DNS server)
dns forwarder = 192.168.240.21
Check

DOMAIN="xinux.lan"
CONTROLLER="fenetre"

host -t SRV _ldap._tcp.$DOMAIN
_ldap._tcp.xinux.lan has SRV record 0 100 389 fenetre.xinux.lan.

host -t SRV _kerberos._udp.$DOMAIN
_kerberos._udp.xinux.lan has SRV record 0 100 88 fenetre.xinux.lan.

host -t A $CONTROLLER.$DOMAIN
fenetre.xinux.lan has address 192.168.240.199
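The three lookups above can be turned into a repeatable health check. The script below is an added example, not part of the original wiki page: it parses `host` output for the LDAP and Kerberos SRV records and the controller's A record and fails if any of them is missing or points somewhere else. The defaults (xinux.lan, fenetre, 192.168.240.199) are the page's values and can be overridden through the environment.

```shell
#!/bin/sh
# Added example (not from the original wiki page): verify that the DNS records
# a Samba AD DC must serve exist and point at the expected controller.
# Domain, controller name and IP default to the page's values; override them
# via the environment for another setup.
DOMAIN="${DOMAIN:-xinux.lan}"
CONTROLLER="${CONTROLLER:-fenetre}"
CONTROLLER_IP="${CONTROLLER_IP:-192.168.240.199}"

# check_srv_record LINE PORT TARGET
# LINE is one line of `host -t SRV` output, e.g.
#   _ldap._tcp.xinux.lan has SRV record 0 100 389 fenetre.xinux.lan.
# Succeeds only if the record advertises PORT and TARGET (trailing dot ignored).
check_srv_record() {
    line=$1; want_port=$2; want_target=$3
    case "$line" in
        *" has SRV record "*) ;;
        *) return 1 ;;      # NXDOMAIN, "has no SRV record" or empty output
    esac
    set -- $line            # fields: name has SRV record prio weight port target
    [ "$7" = "$want_port" ] && [ "${8%.}" = "$want_target" ]
}

# check_a_record LINE IP: LINE is one line of `host -t A` output.
check_a_record() {
    case "$1" in
        *" has address $2") return 0 ;;
        *) return 1 ;;
    esac
}

# Query the resolver this host is configured with and check all three records.
dc_dns_check() {
    rc=0
    fqdn="$CONTROLLER.$DOMAIN"
    check_srv_record "$(host -t SRV "_ldap._tcp.$DOMAIN" | head -n 1)" 389 "$fqdn" \
        || { echo "LDAP SRV record for $DOMAIN missing or not $fqdn:389"; rc=1; }
    check_srv_record "$(host -t SRV "_kerberos._udp.$DOMAIN" | head -n 1)" 88 "$fqdn" \
        || { echo "Kerberos SRV record for $DOMAIN missing or not $fqdn:88"; rc=1; }
    check_a_record "$(host -t A "$fqdn" | head -n 1)" "$CONTROLLER_IP" \
        || { echo "A record for $fqdn missing or not $CONTROLLER_IP"; rc=1; }
    return $rc
}
```

Call `dc_dns_check` on the DC once Samba is running; a non-zero exit status means clients will not be able to locate the LDAP or Kerberos service through DNS.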
Kerberos

* kerberos client samba

mkfs.ext4 /dev/vdb1
mkdir /share
echo "/dev/vdb1 /share ext4 user_xattr,acl 0 0" >> /etc/fstab
mount -a

chmod 770 /share    # /share already exists from the step above, so only the mode is set
chmod g+s /share
chown root:users /share

vi /etc/samba/smb.conf

insert this:

[share]
    directory mode = 0700
    read only = no
    path = /share
    csc policy = documents

root@fenetre:~# smbclient -L localhost -U% | grep share
Domain=[XINUX] OS=[Unix] Server=[Samba 4.1.6-Ubuntu]
Domain=[XINUX] OS=[Unix] Server=[Samba 4.1.6-Ubuntu]
        share           Disk
Winbind
Set the winbind link
ln -s /lib/x86_64-linux-gnu/libnss_winbind.so.2 /lib/x86_64-linux-gnu/libnss_winbind.so
Change nsswitch.conf

passwd: compat winbind
group:  compat winbind

Is winbind pingable?

root@fenetre:~# wbinfo -p
Ping to winbindd succeeded

Show the user list

root@fenetre:~# wbinfo -u
Administrator
Guest
krbtgt

Does nsswitch work?

root@fenetre:~# getent passwd | grep XINUX
XINUX\Administrator:*:0:100::/home/XINUX/Administrator:/bin/false
XINUX\Guest:*:3000011:3000012::/home/XINUX/Guest:/bin/false
XINUX\krbtgt:*:3000017:100::/home/XINUX/krbtgt:/bin/false
Misc
Admin password does not expire
samba-tool user setexpiry administrator --noexpiry
Disable the password policy in a Samba 4 domain

samba-tool domain passwordsettings set --complexity=off
samba-tool domain passwordsettings set --history-length=0
samba-tool domain passwordsettings set --min-pwd-age=0
samba-tool domain passwordsettings set --max-pwd-age=0
samba-tool domain passwordsettings set --min-pwd-length 0

Set the admin password
samba-tool user setpassword Administrator
Show the password policy of a Samba 4 domain
samba-tool domain passwordsettings show
Set up two DCs with replication

Situation

Existing DC
    Name: rumba
    IP: 192.168.242.201
    Is DNS: yes

Domain information
    DNS domain name: xinux.test
    Kerberos realm: XINUX.TEST
    Domain admin: administrator
    Admin password: password

DC to be added
    Name: tango
    IP: 192.168.242.200

Preparations

- Both machines should be on the same network and be able to ping each other
- Adjust /etc/hosts: the machine must resolve itself under its own IP; remove its name from the localhost line

127.0.0.1 localhost
192.168.242.200 tango tango.xinux.test

- Adjust DNS: enter the search domain and specify the existing DC as the DNS server

nameserver 192.168.242.201
search xinux.test

- Test DNS:

host -t A rumba.xinux.test
rumba.xinux.test has address 192.168.242.201

Kerberos

krb5.conf must contain the following entries:

[libdefaults]
    dns_lookup_realm = false
    dns_lookup_kdc = true
    default_realm = XINUX.TEST

Test whether you get a Kerberos ticket
root@tango:~# kinit administrator
Password for administrator@XINUX.TEST:
root@tango:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@XINUX.TEST

Valid starting       Expires              Service principal
10.09.2015 11:08:57  10.09.2015 21:08:57  krbtgt/XINUX.TEST@XINUX.TEST
	renew until 11.09.2015 11:08:44

Join the domain

- NOTE: the default SAMBA4 password policies apply to the Administrator password!
root@tango:~# samba-tool domain join XINUX.TEST DC -Uadministrator --realm=XINUX.TEST --dns-backend=SAMBA_INTERNAL
Output:

Finding a writeable DC for domain 'XINUX.TEST'
Found DC rumba.xinux.test
Password for [WORKGROUP\administrator]:
workgroup is XINUX
realm is xinux.test
checking sAMAccountName
Adding CN=TANGO,OU=Domain Controllers,DC=xinux,DC=test
Adding CN=TANGO,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xinux,DC=test
Adding CN=NTDS Settings,CN=TANGO,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xinux,DC=test
Adding SPNs to CN=TANGO,OU=Domain Controllers,DC=xinux,DC=test
Setting account password for TANGO$
Enabling account
Calling bare provision
No IPv6 address will be assigned
Provision OK for domain DN DC=xinux,DC=test
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=xinux,DC=test] objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=xinux,DC=test] objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=xinux,DC=test] objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=xinux,DC=test] objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=xinux,DC=test] objects[402/1616] linked_values[0/0]
Partition[CN=Configuration,DC=xinux,DC=test] objects[804/1616] linked_values[0/0]
Partition[CN=Configuration,DC=xinux,DC=test] objects[1206/1616] linked_values[0/0]
Partition[CN=Configuration,DC=xinux,DC=test] objects[1608/1616] linked_values[0/0]
Partition[CN=Configuration,DC=xinux,DC=test] objects[1616/1616] linked_values[28/0]
Replicating critical objects from the base DN of the domain
Partition[DC=xinux,DC=test] objects[97/97] linked_values[23/0]
Partition[DC=xinux,DC=test] objects[365/268] linked_values[23/0]
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=xinux,DC=test
Partition[DC=DomainDnsZones,DC=xinux,DC=test] objects[46/46] linked_values[0/0]
Replicating DC=ForestDnsZones,DC=xinux,DC=test
Partition[DC=ForestDnsZones,DC=xinux,DC=test] objects[18/18] linked_values[0/0]
Partition[DC=ForestDnsZones,DC=xinux,DC=test] objects[36/18] linked_values[0/0]
Committing SAM database
Sending DsReplicateUpdateRefs for all the replicated partitions
Setting isSynchronized and dsServiceName
Setting up secrets database
Joined domain XINUX (SID S-1-5-21-3964088599-1372953937-1397556401) as a DC
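Most failed joins trace back to one of the three files edited in the preparation steps above. The script below is an added example, not part of the original wiki page: it checks /etc/hosts, /etc/resolv.conf and /etc/krb5.conf for exactly the properties the steps require before `samba-tool domain join` is run. Each function takes a file path, so it works on copies as well as on the live files; the names and IPs used in `prejoin_check` (tango, 192.168.242.200, rumba at 192.168.242.201, xinux.test / XINUX.TEST) are the page's values.

```shell
#!/bin/sh
# Added example (not from the original wiki page): pre-join checks for the
# files the page edits before "samba-tool domain join". Each function takes a
# file path and returns non-zero if the file does not meet the requirement.

# Escape the dots in an IP address or realm for use inside a grep -E pattern.
re_escape() { printf '%s' "$1" | sed 's/[.]/\\./g'; }

# /etc/hosts: the 127.0.0.1 line must not carry the host name, and the
# host's own IP must map to its short and fully qualified name.
check_hosts() {
    file=$1; ip=$(re_escape "$2"); name=$3; fqdn=$4
    grep -Eq "^127\.0\.0\.1[[:space:]]" "$file" || return 1
    if grep -E "^127\.0\.0\.1[[:space:]]" "$file" | grep -Fqw "$name"; then
        return 1    # host name still listed on the loopback line
    fi
    grep -E "^$ip[[:space:]]" "$file" | grep -Fqw "$fqdn"
}

# /etc/resolv.conf: the existing DC must be the nameserver and the DNS domain
# must be in the search list, otherwise the SRV lookups for the KDC fail.
check_resolv() {
    file=$1; dc_ip=$(re_escape "$2"); domain=$3
    grep -Eq "^nameserver[[:space:]]+$dc_ip([[:space:]]|$)" "$file" || return 1
    grep -E "^search[[:space:]]" "$file" | grep -Fqw "$domain"
}

# /etc/krb5.conf: the realm must be set explicitly and the KDC must be
# located via DNS (the SRV records served by the existing DC).
check_krb5() {
    file=$1; realm=$(re_escape "$2")
    grep -Eq "^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*$realm[[:space:]]*$" "$file" || return 1
    grep -Eq "^[[:space:]]*dns_lookup_kdc[[:space:]]*=[[:space:]]*true[[:space:]]*$" "$file"
}

# Run all three checks against the live system with the page's values.
prejoin_check() {
    rc=0
    check_hosts /etc/hosts 192.168.242.200 tango tango.xinux.test \
        || { echo "hosts: own IP/name mapping wrong or name on localhost line"; rc=1; }
    check_resolv /etc/resolv.conf 192.168.242.201 xinux.test \
        || { echo "resolv: nameserver must be the existing DC, search the domain"; rc=1; }
    check_krb5 /etc/krb5.conf XINUX.TEST \
        || { echo "krb5: default_realm / dns_lookup_kdc not set as required"; rc=1; }
    return $rc
}
```

Run `prejoin_check` on the machine to be joined; only when it exits 0 is it worth trying `kinit` and the join itself.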
SeDiskOperatorPrivilege
net rpc rights grant 'XINUX\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
Existing rights can be displayed like this:
net rpc rights list accounts -Uadministrator
User management

HOWTO
https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO