Hier werden die Unterschiede zwischen zwei Versionen gezeigt.
Beide Seiten, vorherige Überarbeitung Vorherige Überarbeitung | Vorherige Überarbeitung | ||
lpi2:samba-ad [2017/05/12 13:35] |
lpi2:samba-ad [2024/03/22 17:12] (aktuell) ingo_wichmann [testen] |
||
---|---|---|---|
Zeile 1: | Zeile 1: | ||
+ | ====== Samba4 ====== | ||
+ | Siehe auch: https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller | ||
+ | |||
+ | Installation mit debian 10 getestet. | ||
+ | |||
+ | ===== Vorraussetzungen ===== | ||
+ | |||
+ | * Statische IP-Adresse (per DHCP oder in lokaler Konfigurationsdatei) (( z.B. | ||
+ | <file txt /etc/network/interfaces> | ||
+ | auto eth0 | ||
+ | iface eth0 inet static | ||
+ | address 192.168.215.2/24 | ||
+ | gateway 192.168.215.1 | ||
+ | </file> | ||
+ | )) | ||
+ | * FQDN der Form servername.domain.tld wird von ''hostname -f'' richtig angezeigt | ||
+ | * ActiveDirectory Ports nicht von anderen Diensten belegt (( | ||
+ | lsof -i :53,88,135,139,389,445,464,636,3268,3269,49152,49153,49154 | ||
+ | -> leer | ||
+ | )) | ||
+ | |||
+ | (( [[admin_grundlagen:lxd|LXD]] Konfiguration: | ||
+ | lxc network set lxdbr0 dns.domain kurs.linuxhotel.de | ||
+ | | ||
+ | lxc init images:debian/10 test1 | ||
+ | lxc config set test1 security.privileged=true | ||
+ | lxc network attach lxdbr0 test1 eth0 eth0 | ||
+ | lxc config device set test1 eth0 ipv4.address 192.168.239.10 | ||
+ | lxc start test1 | ||
+ | lxc exec test1 -- /bin/bash | ||
+ | )) | ||
+ | ===== Pakete ===== | ||
+ | |||
+ | apt install samba winbind | ||
+ | |||
+ | ++++ Vorsicht mit Samba-Paketen vor Debian 12 (bookworm) | | ||
+ | |||
+ | Michael Tokarev <mjt@tls.msk.ru> schrieb am 20.7.2023 auf der Debian LTS Mailingliste: | ||
+ | |||
+ | //"It come to my attention that a discussion is happening about samba | ||
+ | and LTS (and the same applies to oldstable too). | ||
+ | |||
+ | The thing is: samba packages in bullseye and before, in my opinion, | ||
+ | are hopeless. I know it because I know the state of debian packaging | ||
+ | it was. For years (for a few debian releases), samba maintenance was | ||
+ | more on auto-pilot. Most changes were made by applying a minimal change, | ||
+ | not the right change. The result was.. horrible. | ||
+ | |||
+ | Now, the Samba team basically re-designed whole VFS layer in 4.16, to | ||
+ | fix a few serious issues with symlinks. This is not backportable to | ||
+ | anything, and it changes quite big portion of the codebase, so subsequent | ||
+ | fixes even in seemingly unrelated areas don't apply anymore (not all | ||
+ | of them ofc). | ||
+ | |||
+ | Upstream stopped supporting 4.13 (bullseye) version of samba even before | ||
+ | bullseye release iirc. There were numerous alternative samba repositories | ||
+ | all around the world to plug the gap between debian-provided samba and | ||
+ | actual samba. | ||
+ | |||
+ | There are numerous other security issues, compatibility issues with | ||
+ | previous windows releases, and other stuff which basically makes samba | ||
+ | in bullseye (already, not to mention buster!) basically unusable. | ||
+ | |||
+ | Trying to fix an issue or two there will work. This particular issue | ||
+ | with Jul-23 windows10/11 update is trivial to fix, the same change | ||
+ | applies (with minimal context fix) to 4.7 version of samba too. | ||
+ | |||
+ | But I urge not doing this. This will bring false sense of security. | ||
+ | People will think samba in buster or bullseye is worth to keep since | ||
+ | it is being "supported", - it is not due to other numerous issues. | ||
+ | |||
+ | It is like with old crypto, - you fix a buffer overflow in some DES | ||
+ | implementation, but it does not mean DES can be used in 2023. | ||
+ | |||
+ | If there's a need for samba in buster, it can be fixed. See for | ||
+ | example my repository at http://www.corpit.ru/mjt/packages/samba/ - | ||
+ | it provides amd64 binaries of all current samba packages on actual | ||
+ | Debian and Ubuntu releases, - I spent quite some time to ensure it | ||
+ | all works fine on different environments and the original debian | ||
+ | packages can be built on older debian releases and on various | ||
+ | ubuntu releases. This currently does not include buster, but it | ||
+ | is kinda trivial to fix. My repository happens to become quite | ||
+ | popular (by the amount of downloads, amount of screaming once I | ||
+ | turned it off for 5 minutes for a reboot, and amount of questions | ||
+ | I received after the Jul-23 windows update), - so something like | ||
+ | this is needed (or was, anyway, for older releases). | ||
+ | |||
+ | Buster and bullseye versions of samba are not supported. Please | ||
+ | don't use band-aid on a dead horse."// | ||
+ | ++++ | ||
+ | |||
+ | ++++ Alternativ: Pakete von sernet | | ||
+ | wget https://download.sernet.de/pub/sernet-samba-keyring_1.4_all.deb | ||
+ | dpkg -i sernet-samba-keyring_1.4_all.deb | ||
+ | apt-get install apt-transport-https | ||
+ | |||
+ | ''/etc/apt/sources.list.d/samba'' : | ||
+ | <file> | ||
+ | deb https://USERNAME:ACCESSKEY@download.sernet.de/packages/samba/4.1/debian wheezy main | ||
+ | deb-src https://USERNAME:ACCESSKEY@download.sernet.de/packages/samba/4.1/debian wheezy main | ||
+ | </file> | ||
+ | USERNAME und ACCESSKEY von http://www.enterprisesamba.com/ | ||
+ | |||
+ | apt-get update | ||
+ | apt-get upgrade | ||
+ | apt-cache policy samba | ||
+ | aptitude search sernet | ||
+ | apt-get install sernet-samba-ad | ||
+ | ++++ | ||
+ | ===== Dienste stoppen ===== | ||
+ | |||
+ | systemctl stop samba-ad-dc | ||
+ | systemctl disable --now nmbd.service | ||
+ | systemctl disable --now smbd.service | ||
+ | systemctl disable --now winbind.service | ||
+ | | ||
+ | mv /etc/samba/smb.conf{,.orig} | ||
+ | | ||
+ | ===== Samba Tool ===== | ||
+ | |||
+ | Übersicht über ''samba-tool'' Unterbefehle: | ||
+ | samba-tool | ||
+ | samba-tool domain provision --help | ||
+ | samba-tool domain provision --domain kurs --realm kurs.linuxhotel.de --adminpass v0gelsang, | ||
+ | oder | ||
+ | samba-tool domain provision | ||
+ | (( | ||
+ | oder: | ||
+ | samba-tool domain provision --use-rfc2307 --use-xattrs=yes | ||
+ | Alternative zu --use-xattrs=yes siehe https://wiki.samba.org/index.php/Samba4/s3fs | ||
+ | )) | ||
+ | ((bei Problemen, z.B. Passwort zu einfach: | ||
+ | rm /etc/samba/smb.conf | ||
+ | )) | ||
+ | Realm: KURS.LINUXHOTEL.DE | ||
+ | Domain [KURS]: KURS | ||
+ | Server Role: dc | ||
+ | DNS backend: SAMBA_INTERNAL | ||
+ | DNS forwarder IP address: 192.168.1.17 | ||
+ | Administrator password: v0gelsang, | ||
+ | |||
+ | <file txt /etc/resolv.conf> | ||
+ | domain kurs.linuxhotel.de | ||
+ | search kurs.linuxhotel.de linuxhotel.de | ||
+ | nameserver 127.0.0.1 | ||
+ | </file> | ||
+ | |||
+ | ===== Samba AD starten ===== | ||
+ | (( | ||
+ | ''/etc/default/sernet-samba'' : | ||
+ | <file> | ||
+ | SAMBA_START_MODE="ad" | ||
+ | # SAMBA_IGNORE_NSUPDATE_G defines whether the samba daemon should be started | ||
+ | # when 'nsupdate -g' is not available. Setting this to "yes" would mean that | ||
+ | # samba will be started even without 'nsupdate -g'. This will lead to severe | ||
+ | # problems without a proper workaround! | ||
+ | SAMBA_IGNORE_NSUPDATE_G="no" | ||
+ | </file> | ||
+ | )) | ||
+ | |||
+ | Neue ''smb.conf'' anzeigen: | ||
+ | testparm | ||
+ | |||
+ | systemctl unmask samba-ad-dc | ||
+ | systemctl enable --now samba-ad-dc | ||
+ | |||
+ | Optional, zum debuggen: | ||
+ | apt install smbclient ldb-tools krb5-user ldap-utils dnsutils | ||
+ | ===== testen ===== | ||
+ | |||
+ | Offene Ports checken:(( | ||
+ | ^ Service ^ Port ^ Protocol ^ | ||
+ | | DNS | 53 | tcp/udp | | ||
+ | | Kerberos | 88 | tcp/udp | | ||
+ | | ntp | 123 | udp | | ||
+ | | End Point Mapper (DCE/RPC Locator Service) | 135 | tcp | | ||
+ | | NetBIOS Name Service | 137 | udp | | ||
+ | | NetBIOS Datagram | 138 | udp | | ||
+ | | NetBIOS Session | 139 | tcp | | ||
+ | | LDAP | 389 | tcp/udp | | ||
+ | | SMB over TCP | 445 | tcp | | ||
+ | | Kerberos kpasswd | 464 | tcp/udp | | ||
+ | | LDAPS | 636 | tcp | | ||
+ | | Global Catalog | 3268 | tcp | | ||
+ | | Global Catalog SSL | 3269 | tcp | | ||
+ | | Dynamic RPC Ports | 49152-65535 | tcp | | ||
+ | )) | ||
+ | lsof -Pi :53,88,135,137,138,139,389,445,464,636,3268,3269 | ||
+ | DNS testen: | ||
+ | dig _ldap._tcp.kurs.linuxhotel.de SRV | ||
+ | dig _kerberos._tcp.kurs.linuxhotel.de SRV | ||
+ | |||
+ | Benutzer anzeigen: | ||
+ | pdbedit -L | ||
+ | samba-tool user list | ||
+ | |||
+ | Kerberos testen: | ||
+ | cp -b /var/lib/samba/private/krb5.conf /etc/krb5.conf | ||
+ | kinit Administrator | ||
+ | oder | ||
+ | kinit Administrator@KURS.LINUXHOTEL.DE | ||
+ | klist | ||
+ | |||
+ | CIFS testen: | ||
+ | nmblookup -S vm2 | ||
+ | smbclient -k -L vm2 | ||
+ | smbclient -k //vm2/sysvol | ||
+ | klist | ||
+ | |||
+ | LDAP testen: | ||
+ | |||
+ | <file txt ~/.ldaprc> | ||
+ | URI ldaps://localhost | ||
+ | BINDDN cn=Administrator,cn=users,dc=kurs,dc=linuxhotel,dc=de | ||
+ | BASE dc=kurs,dc=linuxhotel,dc=de | ||
+ | TLS_REQCERT ALLOW | ||
+ | </file> | ||
+ | ldapsearch -x -W | ||
+ | |||
+ | ldbsearch -H /var/lib/samba/private/sam.ldb | ||
+ | |||
+ | ===== Benutzer anlegen ===== | ||
+ | |||
+ | Nur in Testumgebungen: | ||
+ | samba-tool domain passwordsettings --help | ||
+ | samba-tool domain passwordsettings set --complexity=off | ||
+ | samba-tool domain passwordsettings set --min-pwd-length=1 | ||
+ | samba-tool user --help | ||
+ | | ||
+ | Benutzerliste ansehen: | ||
+ | samba-tool user list | ||
+ | |||
+ | Benutzer anlegen: | ||
+ | samba-tool user add heinz | ||
+ | |||
+ | ===== NTP installieren ===== | ||
+ | TODO: das macht man heute mit chrony | ||
+ | |||
+ | siehe https://wiki.samba.org/index.php/Time_Synchronisation | ||
+ | apt-get install ntp | ||
+ | cd /var/lib/samba/ | ||
+ | chgrp ntp ntp_signd/ | ||
+ | |||
+ | ''/etc/ntp.conf'' : | ||
+ | <file> | ||
+ | # By default, exchange time with everybody, but don't allow configuration. | ||
+ | restrict -4 default kod notrap nomodify nopeer noquery mssntp | ||
+ | restrict -6 default kod notrap nomodify nopeer noquery mssntp | ||
+ | ntpsigndsocket /var/lib/samba/ntp_signd/ | ||
+ | </file> | ||
+ | service ntp restart | ||
+ | watch ntpq -np | ||
+ | |||
+ | ===== Beitreten der Domäne mit Windows 7 ===== | ||
+ | * Arbeitsplatznetzwerk auswählen | ||
+ | * DNS-Server einstellen | ||
+ | * Domäne beitreten | ||
+ | |||
+ | Benutzer: ''Administrator'' | ||
+ | Password: wie oben im samba-tool eingegeben | ||
+ | |||
+ | Als Benutzer heinz an der Domäne example.com anmelden | ||
+ | |||
+ | ===== Kerberos ===== | ||
+ | kinit Administrator | ||
+ | kdestroy | ||
+ | kinit heinz | ||
+ | ls /tmp/krb5cc_0 | ||