- /etc/network/interfaces
auto eth0
iface eth0 inet static
    address 192.168.215.2/24
    gateway 192.168.215.1
Siehe auch: https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
Installation mit Debian 10 getestet.
apt install samba winbind
systemctl stop samba-ad-dc
systemctl disable --now nmbd.service
systemctl disable --now smbd.service
systemctl disable --now winbind.service
mv /etc/samba/smb.conf{,.orig}
Übersicht über samba-tool
Unterbefehle:
samba-tool
samba-tool domain provision --help
samba-tool domain provision
Realm: KURS.LINUXHOTEL.DE
Domain [KURS]: KURS
Server Role: dc
DNS backend: SAMBA_INTERNAL
DNS forwarder IP address: 192.168.1.17
Administrator password: v0gelsang,
domain kurs.linuxhotel.de
search kurs.linuxhotel.de linuxhotel.de
nameserver 127.0.0.1
Neue smb.conf
anzeigen:
testparm
systemctl unmask samba-ad-dc
systemctl enable --now samba-ad-dc
Optional, zum debuggen:
apt install smbclient ldb-tools krb5-user ldap-utils dnsutils
Offene Ports checken:
lsof -a -c samba -i
DNS testen:
dig _ldap._tcp.kurs.linuxhotel.de SRV
Benutzer anzeigen:
pdbedit -L
samba-tool user list
Kerberos testen:
kinit Administrator@KURS.LINUXHOTEL.DE
klist
CIFS testen:
nmblookup -S vm2
smbclient -k -L vm2
smbclient -k //vm2/sysvol
klist
LDAP testen:
URI ldaps://localhost
BINDDN cn=Administrator,cn=users,dc=kurs,dc=linuxhotel,dc=de
BASE dc=kurs,dc=linuxhotel,dc=de
TLS_REQCERT ALLOW

TLS_REQCERT ALLOW akzeptiert auch ein fehlendes oder ungültiges Server-Zertifikat und schaltet die Zertifikatsprüfung damit praktisch ab; das ist nur für diese Testumgebung gedacht.
ldapsearch -x -W
ldbsearch -H /var/lib/samba/private/sam.ldb
Nur in Testumgebungen:
samba-tool domain passwordsettings --help
samba-tool domain passwordsettings set --complexity=off
samba-tool domain passwordsettings set --min-pwd-length=1
samba-tool user --help
Benutzerliste ansehen:
samba-tool user list
Benutzer anlegen:
samba-tool user add heinz
TODO: das macht man heute mit chrony
siehe https://wiki.samba.org/index.php/Time_Synchronisation
apt-get install ntp
cd /var/lib/samba/
chgrp ntp ntp_signd/
/etc/ntp.conf
:
# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery mssntp
restrict -6 default kod notrap nomodify nopeer noquery mssntp
ntpsigndsocket /var/lib/samba/ntp_signd/
service ntp restart
watch ntpq -np
Benutzer: Administrator
Password: wie oben im samba-tool eingegeben
Als Benutzer heinz an der Domäne example.com anmelden
cat /var/lib/samba/private/krb5.conf
ln -s /var/lib/samba/private/krb5.conf /etc/krb5.conf
apt-get install krb5-user
kinit Administrator
kdestroy
kinit heinz
ls /tmp/krb5cc_0
auto eth0
iface eth0 inet static
    address 192.168.215.2/24
    gateway 192.168.215.1
lsof -i :53 -nP

Erwartete offene Ports (sortiert wie in der Ausgabe): 135 137 138 139 22 3268 3269 389 445 464 49152 49153 49154 53 57800 636 68 88
lxc network set lxdbr0 dns.domain kurs.linuxhotel.de
lxc init images:debian/10 test1
lxc config set test1 security.privileged=true
lxc network attach lxdbr0 test1 eth0 eth0
lxc config device set test1 eth0 ipv4.address 192.168.239.10
lxc start test1
lxc exec test1 -- /bin/bash

security.privileged=true hebt die Benutzer-Namespace-Isolation des Containers gegenüber dem Host weitgehend auf; für die Testumgebung akzeptabel, produktiv zu vermeiden.
wget https://download.sernet.de/pub/sernet-samba-keyring_1.4_all.deb
dpkg -i sernet-samba-keyring_1.4_all.deb
apt-get install apt-transport-https
/etc/apt/sources.list.d/samba
:
deb https://USERNAME:ACCESSKEY@download.sernet.de/packages/samba/4.1/debian wheezy main
deb-src https://USERNAME:ACCESSKEY@download.sernet.de/packages/samba/4.1/debian wheezy main

USERNAME und ACCESSKEY von http://www.enterprisesamba.com/ — die Zugangsdaten stehen damit im Klartext in der Datei; Leserechte entsprechend einschränken.
apt-get update
apt-get upgrade
apt-cache policy samba
aptitude search sernet
apt-get install sernet-samba-ad
samba-tool domain provision --use-rfc2307 --use-xattrs=yes

Alternative zu --use-xattrs=yes siehe https://wiki.samba.org/index.php/Samba4/s3fs
rm /etc/samba/smb.conf
/etc/default/sernet-samba
:
SAMBA_START_MODE="ad"

# SAMBA_IGNORE_NSUPDATE_G defines whether the samba daemon should be started
# when 'nsupdate -g' is not available. Setting this to "yes" would mean that
# samba will be started even without 'nsupdate -g'. This will lead to severe
# problems without a proper workaround!
SAMBA_IGNORE_NSUPDATE_G="no"