Ubuntu-samba4: Difference between revisions
Thomas (talk | contribs) (→Resolv)
Revision as of 15 April 2016, 08:35
Installation
Adjust the interface
vi /etc/network/interfaces
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    address 192.168.240.199
    netmask 255.255.248.0
    gateway 192.168.240.100
    dns-nameservers 192.168.240.199 8.8.8.8
    dns-search xinux.lan
Adjust hosts
vi /etc/hosts
127.0.0.1       localhost
192.168.240.199 fenetre fenetre.xinux.lan

echo fenetre.xinux.lan > /etc/hostname
reboot
Install samba4
apt-get install samba smbclient winbind ntp libnss-winbind krb5-user acl
Create the domain
Delete these first:
rm /etc/samba/smb.conf /var/lib/samba/private/sam.ldb
realm, domain and adminpass should/can be adjusted!
samba-tool domain provision --realm=xinux.lan --domain=xinux --adminpass="Z0pp0Trump" --server-role=dc --dns-backend=SAMBA_INTERNAL --use-rfc2307
or
Install bind
apt-get remove apparmor
reboot
apt-get install bind9
echo 'include "/var/lib/samba/private/named.conf";' >> /etc/bind/named.conf

/etc/bind/named.conf.options (inside the options { } block):
tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
/var/lib/samba/private/named.conf
dlz "AD DNS Zone" {
    database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";
};
realm, domain and adminpass should/can be adjusted!
samba-tool domain provision --realm=xinux.lan --domain=xinux --adminpass="Z0pp0Trump" --server-role=dc --dns-backend=BIND9_DLZ --use-rfc2307
- For adminpass it is best to keep the value given here and change it only later, as described in this guide, because otherwise the password policy could be violated. If that happens, the Samba server does not set itself up correctly.
Reboot
reboot
Samba version
These should match:
root@fenetre:~# samba -V
Version 4.1.6-Ubuntu
root@fenetre:~# smbclient -V
Version 4.1.6-Ubuntu

root@fenetre:~# smbclient -L localhost -U%
Domain=[XINUX] OS=[Unix] Server=[Samba 4.1.6-Ubuntu]

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk
        sysvol          Disk
        IPC$            IPC       IPC Service (Samba 4.1.6-Ubuntu)
Domain=[XINUX] OS=[Unix] Server=[Samba 4.1.6-Ubuntu]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP
Authentication check:
root@fenetre:~# smbclient //localhost/netlogon -UAdministrator%"Z0pp0Trump" -c 'ls'
Domain=[XINUX] OS=[Unix] Server=[Samba 4.1.6-Ubuntu]
  .                                   D        0  Thu Apr 24 15:51:50 2014
  ..                                  D        0  Thu Apr 24 15:51:54 2014

                52706 blocks of size 524288. 47502 blocks available
Set DNS
Resolv
- /etc/resolv.conf
nameserver 192.168.240.199
search xinux.lan
Check
Enter a forwarder
sudo vi /etc/samba/smb.conf
Add the following (you can of course also specify your own DNS server):
dns forwarder = 192.168.240.21
Check
DOMAIN="xinux.lan"
CONTROLLER="fenetre"

host -t SRV _ldap._tcp.$DOMAIN
_ldap._tcp.xinux.lan has SRV record 0 100 389 fenetre.xinux.lan.

host -t SRV _kerberos._udp.$DOMAIN
_kerberos._udp.xinux.lan has SRV record 0 100 88 fenetre.xinux.lan.

host -t A $CONTROLLER.$DOMAIN
fenetre.xinux.lan has address 192.168.240.199
Kerberos
- kerberos client samba

mkfs.ext4 /dev/vdb1
mkdir /share
echo "/dev/vdb1 /share ext4 user_xattr,acl 0 0" >> /etc/fstab
mount -a

chmod 770 /share   # /share already exists from the mkdir above, so mkdir -m 770 would fail here
chmod g+s /share
chown root:users /share
vi /etc/samba/smb.conf
Insert this:
[share]
    directory mode = 0700
    read only = no
    path = /share
    csc policy = documents

root@fenetre:~# smbclient -L localhost -U% | grep share
Domain=[XINUX] OS=[Unix] Server=[Samba 4.1.6-Ubuntu]
Domain=[XINUX] OS=[Unix] Server=[Samba 4.1.6-Ubuntu]
        share           Disk
Winbind
Set the winbind link
ln -s /lib/x86_64-linux-gnu/libnss_winbind.so.2 /lib/x86_64-linux-gnu/libnss_winbind.so
Change nsswitch.conf
passwd: compat winbind
group:  compat winbind

Is winbind pingable?
root@fenetre:~# wbinfo -p
Ping to winbindd succeeded

Show the user list
root@fenetre:~# wbinfo -u
Administrator
Guest
krbtgt

Does nsswitch work?
root@fenetre:~# getent passwd | grep XINUX
XINUX\Administrator:*:0:100::/home/XINUX/Administrator:/bin/false
XINUX\Guest:*:3000011:3000012::/home/XINUX/Guest:/bin/false
XINUX\krbtgt:*:3000017:100::/home/XINUX/krbtgt:/bin/false
Misc
Admin password does not expire
samba-tool user setexpiry administrator --noexpiry
Disable the password policy in a Samba 4 domain
samba-tool domain passwordsettings set --complexity=off
samba-tool domain passwordsettings set --history-length=0
samba-tool domain passwordsettings set --min-pwd-age=0
samba-tool domain passwordsettings set --max-pwd-age=0
samba-tool domain passwordsettings set --min-pwd-length 0
Set the admin password
samba-tool user setpassword Administrator
Show the password policy in a Samba 4 domain
samba-tool domain passwordsettings show
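The commands above switch the whole policy off and `passwordsettings show` prints the result as "Key: value" lines. The following script is an added example (not from this page or the Samba project) that parses that output and lists every setting weaker than a baseline; the sample text is constructed in the shape of the tool's output after the commands above, and the baseline values are an assumption taken to be those of a freshly provisioned domain (complexity on, history 24, minimum length 7, minimum age 1 day, maximum age 42 days).

```python
"""Audit the output of `samba-tool domain passwordsettings show`.

Added example, not part of the wiki page or of Samba. Constructed sample
output below; extra lines in real output are ignored by the parser.
Usage: samba-tool domain passwordsettings show | python3 pwpolicy_audit.py
"""
import re
import sys

# Constructed to match the output after the page's "set ... 0 / off" commands.
SAMPLE_DISABLED = """\
Password informations for domain 'DC=xinux,DC=lan'

Password complexity: off
Store plaintext passwords: off
Password history length: 0
Minimum password length: 0
Minimum password age (days): 0
Maximum password age (days): 0
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30
"""

# Assumed baseline (values a freshly provisioned Samba AD domain is taken to ship with).
BASELINE = {
    "Password complexity": "on",
    "Password history length": 24,
    "Minimum password length": 7,
    "Minimum password age (days)": 1,
    "Maximum password age (days)": 42,
}

# "Some key (unit): value" -> key, single-token value
LINE_RE = re.compile(r"^([A-Za-z][^:]*?):\s*(\S+)$")


def parse_settings(text):
    """Return {key: value} with numeric values converted to int."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # header line, blank line, free text
        key, value = m.group(1), m.group(2)
        settings[key] = int(value) if value.isdigit() else value
    return settings


def audit(settings, baseline=BASELINE):
    """Return one finding per setting that is weaker than the baseline."""
    findings = []
    for key, expected in baseline.items():
        actual = settings.get(key)
        if actual is None:
            findings.append(f"{key}: not reported")
        elif key == "Password complexity":
            if actual != expected:
                findings.append(f"{key}: {actual} (baseline {expected})")
        elif key == "Maximum password age (days)":
            # 0 means "never expires", which is weaker than any positive limit
            if actual == 0 or actual > expected:
                findings.append(f"{key}: {actual} (baseline {expected})")
        elif actual < expected:
            findings.append(f"{key}: {actual} (baseline {expected})")
    return findings


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DISABLED
    for finding in audit(parse_settings(text)):
        print("WEAK:", finding)
```

Run against the sample it reports all five baseline settings as weakened; `samba-tool domain passwordsettings set` with the page's commands is what changes them back.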
Set up two DCs with replication
Situation
Existing DC
    Name: rumba
    IP: 192.168.242.201
    Is DNS: yes
Domain information
    DNS domain name: xinux.test
    Kerberos realm: XINUX.TEST
    Domain admin: administrator
    Admin password: password
DC to be added
    Name: tango
    IP: 192.168.242.200
Preparations
- Both machines should be on the same network and be able to ping each other
- Adjust /etc/hosts: the machine must find itself under its IP address; remove its name from the localhost line
127.0.0.1       localhost
192.168.242.200 tango tango.xinux.test
- Adjust DNS: enter the search domain and specify the existing DC as DNS server
nameserver 192.168.242.201
search xinux.test
- Test DNS:
host -t A rumba.xinux.test
rumba.xinux.test has address 192.168.242.201
Kerberos
The krb5.conf must contain the following entries:
[libdefaults]
    dns_lookup_realm = false
    dns_lookup_kdc = true
    default_realm = XINUX.TEST
Test whether you get a Kerberos ticket
root@tango:~# kinit administrator
Password for administrator@XINUX.TEST:
root@tango:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@XINUX.TEST

Valid starting       Expires              Service principal
10.09.2015 11:08:57  10.09.2015 21:08:57  krbtgt/XINUX.TEST@XINUX.TEST
        renew until 11.09.2015 11:08:44
Join the domain
- NOTE: the Samba4 default policies apply to the Administrator password!
- Further information: samba-tool domain join --help
root@tango:~# samba-tool domain join XINUX.TEST DC -Uadministrator --realm=XINUX.TEST --dns-backend=SAMBA_INTERNAL
Output:
Finding a writeable DC for domain 'XINUX.TEST'
Found DC rumba.xinux.test
Password for [WORKGROUP\administrator]:
workgroup is XINUX
realm is xinux.test
checking sAMAccountName
Adding CN=TANGO,OU=Domain Controllers,DC=xinux,DC=test
Adding CN=TANGO,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xinux,DC=test
Adding CN=NTDS Settings,CN=TANGO,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xinux,DC=test
Adding SPNs to CN=TANGO,OU=Domain Controllers,DC=xinux,DC=test
Setting account password for TANGO$
Enabling account
Calling bare provision
No IPv6 address will be assigned
Provision OK for domain DN DC=xinux,DC=test
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=xinux,DC=test] objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=xinux,DC=test] objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=xinux,DC=test] objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=xinux,DC=test] objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=xinux,DC=test] objects[402/1616] linked_values[0/0]
Partition[CN=Configuration,DC=xinux,DC=test] objects[804/1616] linked_values[0/0]
Partition[CN=Configuration,DC=xinux,DC=test] objects[1206/1616] linked_values[0/0]
Partition[CN=Configuration,DC=xinux,DC=test] objects[1608/1616] linked_values[0/0]
Partition[CN=Configuration,DC=xinux,DC=test] objects[1616/1616] linked_values[28/0]
Replicating critical objects from the base DN of the domain
Partition[DC=xinux,DC=test] objects[97/97] linked_values[23/0]
Partition[DC=xinux,DC=test] objects[365/268] linked_values[23/0]
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=xinux,DC=test
Partition[DC=DomainDnsZones,DC=xinux,DC=test] objects[46/46] linked_values[0/0]
Replicating DC=ForestDnsZones,DC=xinux,DC=test
Partition[DC=ForestDnsZones,DC=xinux,DC=test] objects[18/18] linked_values[0/0]
Partition[DC=ForestDnsZones,DC=xinux,DC=test] objects[36/18] linked_values[0/0]
Committing SAM database
Sending DsReplicateUpdateRefs for all the replicated partitions
Setting isSynchronized and dsServiceName
Setting up secrets database
Joined domain XINUX (SID S-1-5-21-3964088599-1372953937-1397556401) as a DC
Replication status
DC1:
root@rumba:~# samba-tool drs showrepl
Default-First-Site-Name\RUMBA
DSA Options: 0x00000001
DSA object GUID: d91df6e8-fc0f-4d96-8407-1f66f5b5c47d
DSA invocationId: fc6eaa8e-a1cf-4af8-b919-f0af6abddb27

==== INBOUND NEIGHBORS ====

DC=DomainDnsZones,DC=xinux,DC=test
        Default-First-Site-Name\TANGO via RPC
                DSA object GUID: 9038189e-b307-48dc-bca3-fc76bc63ec38
                Last attempt @ Thu Sep 10 11:30:34 2015 CEST was successful
                0 consecutive failure(s).
                Last success @ Thu Sep 10 11:30:34 2015 CEST

DC=ForestDnsZones,DC=xinux,DC=test
        Default-First-Site-Name\TANGO via RPC
                DSA object GUID: 9038189e-b307-48dc-bca3-fc76bc63ec38
                Last attempt @ Thu Sep 10 11:30:34 2015 CEST was successful
                0 consecutive failure(s).
                Last success @ Thu Sep 10 11:30:34 2015 CEST

DC=xinux,DC=test
        Default-First-Site-Name\TANGO via RPC
                DSA object GUID: 9038189e-b307-48dc-bca3-fc76bc63ec38
                Last attempt @ Thu Sep 10 11:30:59 2015 CEST was successful
                0 consecutive failure(s).
                Last success @ Thu Sep 10 11:30:59 2015 CEST

CN=Schema,CN=Configuration,DC=xinux,DC=test
        Default-First-Site-Name\TANGO via RPC
                DSA object GUID: 9038189e-b307-48dc-bca3-fc76bc63ec38
                Last attempt @ Thu Sep 10 11:30:34 2015 CEST was successful
                0 consecutive failure(s).
                Last success @ Thu Sep 10 11:30:34 2015 CEST

CN=Configuration,DC=xinux,DC=test
        Default-First-Site-Name\TANGO via RPC
                DSA object GUID: 9038189e-b307-48dc-bca3-fc76bc63ec38
                Last attempt @ Thu Sep 10 11:30:35 2015 CEST was successful
                0 consecutive failure(s).
                Last success @ Thu Sep 10 11:30:35 2015 CEST

==== OUTBOUND NEIGHBORS ====

DC=DomainDnsZones,DC=xinux,DC=test
        Default-First-Site-Name\TANGO via RPC
                DSA object GUID: 9038189e-b307-48dc-bca3-fc76bc63ec38
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

DC=ForestDnsZones,DC=xinux,DC=test
        Default-First-Site-Name\TANGO via RPC
                DSA object GUID: 9038189e-b307-48dc-bca3-fc76bc63ec38
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

DC=xinux,DC=test
        Default-First-Site-Name\TANGO via RPC
                DSA object GUID: 9038189e-b307-48dc-bca3-fc76bc63ec38
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=xinux,DC=test
        Default-First-Site-Name\TANGO via RPC
                DSA object GUID: 9038189e-b307-48dc-bca3-fc76bc63ec38
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

CN=Configuration,DC=xinux,DC=test
        Default-First-Site-Name\TANGO via RPC
                DSA object GUID: 9038189e-b307-48dc-bca3-fc76bc63ec38
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ====

Connection --
        Connection name: f31d9725-b1a6-4450-93d4-8b62fabf609f
        Enabled        : TRUE
        Server DNS name : TANGO.xinux.test
        Server DN name  : CN=NTDS Settings,CN=TANGO,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xinux,DC=test
                TransportType: RPC
                options: 0x00000001
Warning: No NC replicated for Connection!
DC2:
root@tango:~# samba-tool drs showrepl
Default-First-Site-Name\TANGO
DSA Options: 0x00000001
DSA object GUID: 9038189e-b307-48dc-bca3-fc76bc63ec38
DSA invocationId: 1278e3ce-dadf-4e44-be9a-43c591e8318d

==== INBOUND NEIGHBORS ====

CN=Schema,CN=Configuration,DC=xinux,DC=test
        Default-First-Site-Name\RUMBA via RPC
                DSA object GUID: d91df6e8-fc0f-4d96-8407-1f66f5b5c47d
                Last attempt @ Thu Sep 10 11:28:15 2015 CEST was successful
                0 consecutive failure(s).
                Last success @ Thu Sep 10 11:28:15 2015 CEST

DC=xinux,DC=test
        Default-First-Site-Name\RUMBA via RPC
                DSA object GUID: d91df6e8-fc0f-4d96-8407-1f66f5b5c47d
                Last attempt @ Thu Sep 10 11:28:15 2015 CEST was successful
                0 consecutive failure(s).
                Last success @ Thu Sep 10 11:28:15 2015 CEST

DC=DomainDnsZones,DC=xinux,DC=test
        Default-First-Site-Name\RUMBA via RPC
                DSA object GUID: d91df6e8-fc0f-4d96-8407-1f66f5b5c47d
                Last attempt @ Thu Sep 10 11:31:28 2015 CEST was successful
                0 consecutive failure(s).
                Last success @ Thu Sep 10 11:31:28 2015 CEST

DC=ForestDnsZones,DC=xinux,DC=test
        Default-First-Site-Name\RUMBA via RPC
                DSA object GUID: d91df6e8-fc0f-4d96-8407-1f66f5b5c47d
                Last attempt @ Thu Sep 10 11:28:15 2015 CEST was successful
                0 consecutive failure(s).
                Last success @ Thu Sep 10 11:28:15 2015 CEST

CN=Configuration,DC=xinux,DC=test
        Default-First-Site-Name\RUMBA via RPC
                DSA object GUID: d91df6e8-fc0f-4d96-8407-1f66f5b5c47d
                Last attempt @ Thu Sep 10 11:28:15 2015 CEST was successful
                0 consecutive failure(s).
                Last success @ Thu Sep 10 11:28:15 2015 CEST

==== OUTBOUND NEIGHBORS ====

CN=Schema,CN=Configuration,DC=xinux,DC=test
        Default-First-Site-Name\RUMBA via RPC
                DSA object GUID: d91df6e8-fc0f-4d96-8407-1f66f5b5c47d
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

DC=xinux,DC=test
        Default-First-Site-Name\RUMBA via RPC
                DSA object GUID: d91df6e8-fc0f-4d96-8407-1f66f5b5c47d
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

DC=DomainDnsZones,DC=xinux,DC=test
        Default-First-Site-Name\RUMBA via RPC
                DSA object GUID: d91df6e8-fc0f-4d96-8407-1f66f5b5c47d
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

DC=ForestDnsZones,DC=xinux,DC=test
        Default-First-Site-Name\RUMBA via RPC
                DSA object GUID: d91df6e8-fc0f-4d96-8407-1f66f5b5c47d
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

CN=Configuration,DC=xinux,DC=test
        Default-First-Site-Name\RUMBA via RPC
                DSA object GUID: d91df6e8-fc0f-4d96-8407-1f66f5b5c47d
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ====

Connection --
        Connection name: 2770037b-6291-442b-9b94-89c8d6c780c0
        Enabled        : TRUE
        Server DNS name : rumba.xinux.test
        Server DN name  : CN=NTDS Settings,CN=RUMBA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xinux,DC=test
                TransportType: RPC
                options: 0x00000001
Warning: No NC replicated for Connection!
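Reading `showrepl` by eye works for two DCs once; for routine checking it helps to parse it. The script below is an added example (not from this page or the Samba project): it splits the output into the INBOUND/OUTBOUND neighbor entries per naming context, records whether the last attempt succeeded and the consecutive-failure count, and reports every partition whose replication is failing. The "No NC replicated for Connection!" warning, which the page shows on both DCs right after the join while all partitions replicate, is collected separately rather than counted as a failure. The sample output is constructed in the shape shown above with made-up GUIDs, and one partition is deliberately given a failed attempt so the check has something to find; the "failed, result ..." wording of that line is an assumption about how the tool reports a failure.

```python
"""Parse `samba-tool drs showrepl` and flag partitions that fail to replicate.

Added example, not part of the wiki page or of Samba. Sample output is
constructed; the failed-attempt line format is assumed.
Usage: samba-tool drs showrepl | python3 check_repl.py   (exit 1 on problems)
"""
import re
import sys
from dataclasses import dataclass

SAMPLE_SHOWREPL = """\
Default-First-Site-Name\\RUMBA
DSA Options: 0x00000001
DSA object GUID: 11111111-1111-1111-1111-111111111111
DSA invocationId: 22222222-2222-2222-2222-222222222222

==== INBOUND NEIGHBORS ====

DC=DomainDnsZones,DC=xinux,DC=test
        Default-First-Site-Name\\TANGO via RPC
                DSA object GUID: 33333333-3333-3333-3333-333333333333
                Last attempt @ Thu Sep 10 11:30:34 2015 CEST was successful
                0 consecutive failure(s).
                Last success @ Thu Sep 10 11:30:34 2015 CEST

DC=xinux,DC=test
        Default-First-Site-Name\\TANGO via RPC
                DSA object GUID: 33333333-3333-3333-3333-333333333333
                Last attempt @ Thu Sep 10 12:05:01 2015 CEST failed, result 1722 (WERR_RPC_S_SERVER_UNAVAILABLE)
                3 consecutive failure(s).
                Last success @ Thu Sep 10 11:30:59 2015 CEST

==== OUTBOUND NEIGHBORS ====

DC=xinux,DC=test
        Default-First-Site-Name\\TANGO via RPC
                DSA object GUID: 33333333-3333-3333-3333-333333333333
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ====

Connection --
        Connection name: 44444444-4444-4444-4444-444444444444
        Enabled        : TRUE
        Server DNS name : TANGO.xinux.test
Warning: No NC replicated for Connection!
"""


@dataclass
class Neighbor:
    direction: str        # "INBOUND" or "OUTBOUND"
    partition: str        # naming context, e.g. DC=xinux,DC=test
    peer: str             # site\DC the partition is replicated with
    last_attempt_ok: bool
    failures: int
    last_success: str


SECTION_RE = re.compile(r"^==== (\w+) (?:NEIGHBORS|CONNECTION OBJECTS) ====$")
PEER_RE = re.compile(r"^\s+(\S+) via (\w+)$")
ATTEMPT_RE = re.compile(r"^\s+Last attempt @ (.+?) (was successful|failed.*)$")
FAILURES_RE = re.compile(r"^\s+(\d+) consecutive failure\(s\)\.$")
SUCCESS_RE = re.compile(r"^\s+Last success @ (.+)$")


def parse_showrepl(text):
    """Return (list of Neighbor, list of warning lines)."""
    neighbors, warnings = [], []
    section = partition = current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = SECTION_RE.match(line)
        if m:
            section, partition, current = m.group(1), None, None
            continue
        if line.startswith("Warning:"):
            warnings.append(line.strip())
            continue
        if section not in ("INBOUND", "OUTBOUND"):
            continue                     # DSA header and KCC details are not needed here
        if not line[0].isspace():
            partition = line.strip()     # unindented line = naming context
            continue
        m = PEER_RE.match(line)
        if m:
            current = Neighbor(section, partition, m.group(1), False, 0, "")
            neighbors.append(current)
            continue
        if current is None:
            continue
        if m := ATTEMPT_RE.match(line):
            current.last_attempt_ok = m.group(2) == "was successful"
        elif m := FAILURES_RE.match(line):
            current.failures = int(m.group(1))
        elif m := SUCCESS_RE.match(line):
            current.last_success = m.group(1).strip()
    return neighbors, warnings


def replication_problems(neighbors, max_failures=0):
    """One line per neighbor whose last attempt failed or exceeds max_failures."""
    return [
        f"{n.direction} {n.partition} via {n.peer}: {n.failures} consecutive "
        f"failure(s), last success {n.last_success}"
        for n in neighbors
        if not n.last_attempt_ok or n.failures > max_failures
    ]


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SHOWREPL
    nb, warns = parse_showrepl(text)
    problems = replication_problems(nb)
    for p in problems:
        print("PROBLEM:", p)
    for w in warns:
        print("NOTE:", w)
    sys.exit(1 if problems else 0)
```

A non-zero exit code makes the script usable from cron or a monitoring check on each DC; the NOTE lines carry the KCC warnings so the operator can decide whether they still matter after the join has settled.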
SeDiskOperatorPrivilege
net rpc rights grant 'XINUX\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
Existing rights can be displayed like this
net rpc rights list accounts -Uadministrator
User management
HOWTO
https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO