Inhaltsverzeichnis

Samba4

Samba4

Siehe auch: https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller

Installation mit debian 10 getestet.

Vorraussetzungen

Statische IP-Adresse (per DHCP oder in lokaler Konfigurationsdatei) ¹⁾
FQDN der Form servername.domain.tld wird von hostname -f richtig angezeigt
ActiveDirectory Ports nicht von anderen Diensten belegt ²⁾

³⁾

Pakete

apt install samba winbind

Vorsicht mit Samba-Paketen vor Debian 12 (bookworm)

Michael Tokarev mjt@tls.msk.ru schrieb am 20.7.2023 auf der Debian LTS Mailingliste:

„It come to my attention that a discussion is happening about samba and LTS (and the same applies to oldstable too). The thing is: samba packages in bullseye and before, in my opinion, are hopeless. I know it because I know the state of debian packaging it was. For years (for a few debian releases), samba maintenance was more on auto-pilot. Most changes were made by applying a minimal change, not the right change. The result was.. horrible. Now, the Samba team basically re-designed whole VFS layer in 4.16, to fix a few serious issues with symlinks. This is not backportable to anything, and it changes quite big portion of the codebase, so subsequent fixes even in seemingly unrelated areas don't apply anymore (not all of them ofc). Upstream stopped supporting 4.13 (bullseye) version of samba even before bullseye release iirc. There were numerous alternative samba repositories all around the world to plug the gap between debian-provided samba and actual samba. There are numerous other security issues, compatibility issues with previous windows releases, and other stuff which basically makes samba in bullseye (already, not to mention buster!) basically unusable. Trying to fix an issue or two there will work. This particular issue with Jul-23 windows10/11 update is trivial to fix, the same change applies (with minimal context fix) to 4.7 version of samba too. But I urge not doing this. This will bring false sense of security. People will think samba in buster or bullseye is worth to keep since it is being „supported“, - it is not due to other numerous issues. It is like with old crypto, - you fix a buffer overflow in some DES implementation, but it does not mean DES can be used in 2023. If there's a need for samba in buster, it can be fixed. See for example my repository at http://www.corpit.ru/mjt/packages/samba/ - it provides amd64 binaries of all current samba packages on actual Debian and Ubuntu releases, - I spent quite some time to ensure it all works fine on different environments and the original debian packages can be built on older debian releases and on various ubuntu releases. This currently does not include buster, but it is kinda trivial to fix. My repository happens to become quite popular (by the amount of downloads, amount of screaming once I turned it off for 5 minutes for a reboot, and amount of questions I received after the Jul-23 windows update), - so something like this is needed (or was, anyway, for older releases). Buster and bullseye versions of samba are not supported. Please don't use band-aid on a dead horse.“

Alternativ: Pakete von sernet

wget https://download.sernet.de/pub/sernet-samba-keyring_1.4_all.deb
dpkg -i sernet-samba-keyring_1.4_all.deb
apt-get install apt-transport-https

/etc/apt/sources.list.d/samba :

deb https://USERNAME:ACCESSKEY@download.sernet.de/packages/samba/4.1/debian wheezy main
deb-src https://USERNAME:ACCESSKEY@download.sernet.de/packages/samba/4.1/debian wheezy main

USERNAME und ACCESSKEY von http://www.enterprisesamba.com/

apt-get update
apt-get upgrade
apt-cache policy samba
aptitude search sernet
apt-get install sernet-samba-ad

Dienste stoppen

systemctl stop samba-ad-dc
systemctl disable --now nmbd.service
systemctl disable --now smbd.service
systemctl disable --now winbind.service

mv /etc/samba/smb.conf{,.orig}

Samba Tool

Übersicht über samba-tool Unterbefehle:

samba-tool
samba-tool domain provision --help
samba-tool domain provision --domain kurs --realm kurs.linuxhotel.de --adminpass v0gelsang,

oder

samba-tool domain provision

⁴⁾ ⁵⁾

Realm: KURS.LINUXHOTEL.DE
Domain [KURS]: KURS
Server Role: dc
DNS backend: SAMBA_INTERNAL
DNS forwarder IP address: 192.168.1.17
Administrator password: v0gelsang,

/etc/resolv.conf

domain kurs.linuxhotel.de
search kurs.linuxhotel.de linuxhotel.de
nameserver 127.0.0.1

Samba AD starten

⁶⁾

Neue smb.conf anzeigen:

testparm

systemctl unmask samba-ad-dc
systemctl enable --now samba-ad-dc

Optional, zum debuggen:

apt install smbclient ldb-tools krb5-user ldap-utils dnsutils

testen

Offene Ports checken:⁷⁾

lsof -Pi :53,88,135,137,138,139,389,445,464,636,3268,3269

DNS testen:

dig _ldap._tcp.kurs.linuxhotel.de SRV
dig _kerberos._tcp.kurs.linuxhotel.de SRV

Benutzer anzeigen:

pdbedit -L
samba-tool user list

Kerberos testen:

cp -b /var/lib/samba/private/krb5.conf /etc/krb5.conf
kinit Administrator

oder

kinit Administrator@KURS.LINUXHOTEL.DE
klist

CIFS testen:

nmblookup -S vm2
smbclient -k -L vm2
smbclient -k //vm2/sysvol
klist

LDAP testen:

~/.ldaprc

URI ldaps://localhost
BINDDN cn=Administrator,cn=users,dc=kurs,dc=linuxhotel,dc=de
BASE dc=kurs,dc=linuxhotel,dc=de
TLS_REQCERT ALLOW

ldapsearch -x -W

ldbsearch -H /var/lib/samba/private/sam.ldb

Benutzer anlegen

Nur in Testumgebungen:

samba-tool domain passwordsettings --help
samba-tool domain passwordsettings set --complexity=off
samba-tool domain passwordsettings set --min-pwd-length=1
samba-tool user --help

Benutzerliste ansehen:

samba-tool user list

Benutzer anlegen:

samba-tool user add heinz

Beitreten der Domäne mit Windows 7

Arbeitsplatznetzwerk auswählen
DNS-Server einstellen
Domäne beitreten

Benutzer: Administrator Password: wie oben im samba-tool eingegeben

Als Benutzer heinz an der Domäne example.com anmelden

Kerberos

kinit Administrator
kdestroy
kinit heinz
ls /tmp/krb5cc_0

¹⁾

z.B.

/etc/network/interfaces

auto eth0
iface eth0 inet static
  address 192.168.215.2/24
  gateway 192.168.215.1

²⁾

lsof -i :53,88,135,139,389,445,464,636,3268,3269,49152,49153,49154

→ leer

³⁾

LXD Konfiguration:

lxc network set lxdbr0 dns.domain kurs.linuxhotel.de

lxc init images:debian/10 test1
lxc config set test1 security.privileged=true
lxc network attach lxdbr0 test1 eth0 eth0
lxc config device set test1 eth0 ipv4.address 192.168.239.10
lxc start test1
lxc exec test1 -- /bin/bash

⁴⁾

oder:

samba-tool domain provision --use-rfc2307 --use-xattrs=yes
Alternative zu --use-xattrs=yes siehe https://wiki.samba.org/index.php/Samba4/s3fs

⁵⁾

bei Problemen, z.B. Passwort zu einfach:

rm  /etc/samba/smb.conf

⁶⁾

/etc/default/sernet-samba :

SAMBA_START_MODE="ad"
# SAMBA_IGNORE_NSUPDATE_G defines whether the samba daemon should be started
# when 'nsupdate -g' is not available. Setting this to "yes" would mean that
# samba will be started even without 'nsupdate -g'. This will lead to severe
# problems without a proper workaround!
SAMBA_IGNORE_NSUPDATE_G="no"

⁷⁾

Service	Port	Protocol
DNS	53	tcp/udp
Kerberos	88	tcp/udp
ntp	123	udp
End Point Mapper (DCE/RPC Locator Service)	135	tcp
NetBIOS Name Service	137	udp
NetBIOS Datagram	138	udp
NetBIOS Session	139	tcp
LDAP	389	tcp/udp
SMB over TCP	445	tcp
Kerberos kpasswd	464	tcp/udp
LDAPS	636	tcp
Global Catalog	3268	tcp
Global Catalog SSL	3269	tcp
Dynamic RPC Ports	49152-65535	tcp

Linuxhotel Wiki

Benutzer-Werkzeuge

Webseiten-Werkzeuge