Benutzer-Werkzeuge
lpi2:samba-ad
Unterschiede
Hier werden die Unterschiede zwischen zwei Versionen gezeigt.
| Beide Seiten, vorherige Überarbeitung Vorherige Überarbeitung | Vorherige Überarbeitung | ||
|
lpi2:samba-ad [2017/05/12 13:35] |
lpi2:samba-ad [2024/03/22 17:12] (aktuell) ingo_wichmann [testen] |
||
|---|---|---|---|
| Zeile 1: | Zeile 1: | ||
| + | ====== Samba4 ====== | ||
| + | Siehe auch: https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller | ||
| + | |||
| + | Installation mit debian 10 getestet. | ||
| + | |||
| + | ===== Vorraussetzungen ===== | ||
| + | |||
| + | * Statische IP-Adresse (per DHCP oder in lokaler Konfigurationsdatei) (( z.B. | ||
| + | <file txt /etc/network/interfaces> | ||
| + | auto eth0 | ||
| + | iface eth0 inet static | ||
| + | address 192.168.215.2/24 | ||
| + | gateway 192.168.215.1 | ||
| + | </file> | ||
| + | )) | ||
| + | * FQDN der Form servername.domain.tld wird von ''hostname -f'' richtig angezeigt | ||
| + | * ActiveDirectory Ports nicht von anderen Diensten belegt (( | ||
| + | lsof -i :53,88,135,139,389,445,464,636,3268,3269,49152,49153,49154 | ||
| + | -> leer | ||
| + | )) | ||
| + | |||
| + | (( [[admin_grundlagen:lxd|LXD]] Konfiguration: | ||
| + | lxc network set lxdbr0 dns.domain kurs.linuxhotel.de | ||
| + | | ||
| + | lxc init images:debian/10 test1 | ||
| + | lxc config set test1 security.privileged=true | ||
| + | lxc network attach lxdbr0 test1 eth0 eth0 | ||
| + | lxc config device set test1 eth0 ipv4.address 192.168.239.10 | ||
| + | lxc start test1 | ||
| + | lxc exec test1 -- /bin/bash | ||
| + | )) | ||
| + | ===== Pakete ===== | ||
| + | |||
| + | apt install samba winbind | ||
| + | |||
| + | ++++ Vorsicht mit Samba-Paketen vor Debian 12 (bookworm) | | ||
| + | |||
| + | Michael Tokarev <mjt@tls.msk.ru> schrieb am 20.7.2023 auf der Debian LTS Mailingliste: | ||
| + | |||
| + | //"It come to my attention that a discussion is happening about samba | ||
| + | and LTS (and the same applies to oldstable too). | ||
| + | |||
| + | The thing is: samba packages in bullseye and before, in my opinion, | ||
| + | are hopeless. I know it because I know the state of debian packaging | ||
| + | it was. For years (for a few debian releases), samba maintenance was | ||
| + | more on auto-pilot. Most changes were made by applying a minimal change, | ||
| + | not the right change. The result was.. horrible. | ||
| + | |||
| + | Now, the Samba team basically re-designed whole VFS layer in 4.16, to | ||
| + | fix a few serious issues with symlinks. This is not backportable to | ||
| + | anything, and it changes quite big portion of the codebase, so subsequent | ||
| + | fixes even in seemingly unrelated areas don't apply anymore (not all | ||
| + | of them ofc). | ||
| + | |||
| + | Upstream stopped supporting 4.13 (bullseye) version of samba even before | ||
| + | bullseye release iirc. There were numerous alternative samba repositories | ||
| + | all around the world to plug the gap between debian-provided samba and | ||
| + | actual samba. | ||
| + | |||
| + | There are numerous other security issues, compatibility issues with | ||
| + | previous windows releases, and other stuff which basically makes samba | ||
| + | in bullseye (already, not to mention buster!) basically unusable. | ||
| + | |||
| + | Trying to fix an issue or two there will work. This particular issue | ||
| + | with Jul-23 windows10/11 update is trivial to fix, the same change | ||
| + | applies (with minimal context fix) to 4.7 version of samba too. | ||
| + | |||
| + | But I urge not doing this. This will bring false sense of security. | ||
| + | People will think samba in buster or bullseye is worth to keep since | ||
| + | it is being "supported", - it is not due to other numerous issues. | ||
| + | |||
| + | It is like with old crypto, - you fix a buffer overflow in some DES | ||
| + | implementation, but it does not mean DES can be used in 2023. | ||
| + | |||
| + | If there's a need for samba in buster, it can be fixed. See for | ||
| + | example my repository at http://www.corpit.ru/mjt/packages/samba/ - | ||
| + | it provides amd64 binaries of all current samba packages on actual | ||
| + | Debian and Ubuntu releases, - I spent quite some time to ensure it | ||
| + | all works fine on different environments and the original debian | ||
| + | packages can be built on older debian releases and on various | ||
| + | ubuntu releases. This currently does not include buster, but it | ||
| + | is kinda trivial to fix. My repository happens to become quite | ||
| + | popular (by the amount of downloads, amount of screaming once I | ||
| + | turned it off for 5 minutes for a reboot, and amount of questions | ||
| + | I received after the Jul-23 windows update), - so something like | ||
| + | this is needed (or was, anyway, for older releases). | ||
| + | |||
| + | Buster and bullseye versions of samba are not supported. Please | ||
| + | don't use band-aid on a dead horse."// | ||
| + | ++++ | ||
| + | |||
| + | ++++ Alternativ: Pakete von sernet | | ||
| + | wget https://download.sernet.de/pub/sernet-samba-keyring_1.4_all.deb | ||
| + | dpkg -i sernet-samba-keyring_1.4_all.deb | ||
| + | apt-get install apt-transport-https | ||
| + | |||
| + | ''/etc/apt/sources.list.d/samba'' : | ||
| + | <file> | ||
| + | deb https://USERNAME:ACCESSKEY@download.sernet.de/packages/samba/4.1/debian wheezy main | ||
| + | deb-src https://USERNAME:ACCESSKEY@download.sernet.de/packages/samba/4.1/debian wheezy main | ||
| + | </file> | ||
| + | USERNAME und ACCESSKEY von http://www.enterprisesamba.com/ | ||
| + | |||
| + | apt-get update | ||
| + | apt-get upgrade | ||
| + | apt-cache policy samba | ||
| + | aptitude search sernet | ||
| + | apt-get install sernet-samba-ad | ||
| + | ++++ | ||
| + | ===== Dienste stoppen ===== | ||
| + | |||
| + | systemctl stop samba-ad-dc | ||
| + | systemctl disable --now nmbd.service | ||
| + | systemctl disable --now smbd.service | ||
| + | systemctl disable --now winbind.service | ||
| + | | ||
| + | mv /etc/samba/smb.conf{,.orig} | ||
| + | | ||
| + | ===== Samba Tool ===== | ||
| + | |||
| + | Übersicht über ''samba-tool'' Unterbefehle: | ||
| + | samba-tool | ||
| + | samba-tool domain provision --help | ||
| + | samba-tool domain provision --domain kurs --realm kurs.linuxhotel.de --adminpass v0gelsang, | ||
| + | oder | ||
| + | samba-tool domain provision | ||
| + | (( | ||
| + | oder: | ||
| + | samba-tool domain provision --use-rfc2307 --use-xattrs=yes | ||
| + | Alternative zu --use-xattrs=yes siehe https://wiki.samba.org/index.php/Samba4/s3fs | ||
| + | )) | ||
| + | ((bei Problemen, z.B. Passwort zu einfach: | ||
| + | rm /etc/samba/smb.conf | ||
| + | )) | ||
| + | Realm: KURS.LINUXHOTEL.DE | ||
| + | Domain [KURS]: KURS | ||
| + | Server Role: dc | ||
| + | DNS backend: SAMBA_INTERNAL | ||
| + | DNS forwarder IP address: 192.168.1.17 | ||
| + | Administrator password: v0gelsang, | ||
| + | |||
| + | <file txt /etc/resolv.conf> | ||
| + | domain kurs.linuxhotel.de | ||
| + | search kurs.linuxhotel.de linuxhotel.de | ||
| + | nameserver 127.0.0.1 | ||
| + | </file> | ||
| + | |||
| + | ===== Samba AD starten ===== | ||
| + | (( | ||
| + | ''/etc/default/sernet-samba'' : | ||
| + | <file> | ||
| + | SAMBA_START_MODE="ad" | ||
| + | # SAMBA_IGNORE_NSUPDATE_G defines whether the samba daemon should be started | ||
| + | # when 'nsupdate -g' is not available. Setting this to "yes" would mean that | ||
| + | # samba will be started even without 'nsupdate -g'. This will lead to severe | ||
| + | # problems without a proper workaround! | ||
| + | SAMBA_IGNORE_NSUPDATE_G="no" | ||
| + | </file> | ||
| + | )) | ||
| + | |||
| + | Neue ''smb.conf'' anzeigen: | ||
| + | testparm | ||
| + | |||
| + | systemctl unmask samba-ad-dc | ||
| + | systemctl enable --now samba-ad-dc | ||
| + | |||
| + | Optional, zum debuggen: | ||
| + | apt install smbclient ldb-tools krb5-user ldap-utils dnsutils | ||
| + | ===== testen ===== | ||
| + | |||
| + | Offene Ports checken:(( | ||
| + | ^ Service ^ Port ^ Protocol ^ | ||
| + | | DNS | 53 | tcp/udp | | ||
| + | | Kerberos | 88 | tcp/udp | | ||
| + | | ntp | 123 | udp | | ||
| + | | End Point Mapper (DCE/RPC Locator Service) | 135 | tcp | | ||
| + | | NetBIOS Name Service | 137 | udp | | ||
| + | | NetBIOS Datagram | 138 | udp | | ||
| + | | NetBIOS Session | 139 | tcp | | ||
| + | | LDAP | 389 | tcp/udp | | ||
| + | | SMB over TCP | 445 | tcp | | ||
| + | | Kerberos kpasswd | 464 | tcp/udp | | ||
| + | | LDAPS | 636 | tcp | | ||
| + | | Global Catalog | 3268 | tcp | | ||
| + | | Global Catalog SSL | 3269 | tcp | | ||
| + | | Dynamic RPC Ports | 49152-65535 | tcp | | ||
| + | )) | ||
| + | lsof -Pi :53,88,135,137,138,139,389,445,464,636,3268,3269 | ||
| + | DNS testen: | ||
| + | dig _ldap._tcp.kurs.linuxhotel.de SRV | ||
| + | dig _kerberos._tcp.kurs.linuxhotel.de SRV | ||
| + | |||
| + | Benutzer anzeigen: | ||
| + | pdbedit -L | ||
| + | samba-tool user list | ||
| + | |||
| + | Kerberos testen: | ||
| + | cp -b /var/lib/samba/private/krb5.conf /etc/krb5.conf | ||
| + | kinit Administrator | ||
| + | oder | ||
| + | kinit Administrator@KURS.LINUXHOTEL.DE | ||
| + | klist | ||
| + | |||
| + | CIFS testen: | ||
| + | nmblookup -S vm2 | ||
| + | smbclient -k -L vm2 | ||
| + | smbclient -k //vm2/sysvol | ||
| + | klist | ||
| + | |||
| + | LDAP testen: | ||
| + | |||
| + | <file txt ~/.ldaprc> | ||
| + | URI ldaps://localhost | ||
| + | BINDDN cn=Administrator,cn=users,dc=kurs,dc=linuxhotel,dc=de | ||
| + | BASE dc=kurs,dc=linuxhotel,dc=de | ||
| + | TLS_REQCERT ALLOW | ||
| + | </file> | ||
| + | ldapsearch -x -W | ||
| + | |||
| + | ldbsearch -H /var/lib/samba/private/sam.ldb | ||
| + | |||
| + | ===== Benutzer anlegen ===== | ||
| + | |||
| + | Nur in Testumgebungen: | ||
| + | samba-tool domain passwordsettings --help | ||
| + | samba-tool domain passwordsettings set --complexity=off | ||
| + | samba-tool domain passwordsettings set --min-pwd-length=1 | ||
| + | samba-tool user --help | ||
| + | | ||
| + | Benutzerliste ansehen: | ||
| + | samba-tool user list | ||
| + | |||
| + | Benutzer anlegen: | ||
| + | samba-tool user add heinz | ||
| + | |||
| + | ===== NTP installieren ===== | ||
| + | TODO: das macht man heute mit chrony | ||
| + | |||
| + | siehe https://wiki.samba.org/index.php/Time_Synchronisation | ||
| + | apt-get install ntp | ||
| + | cd /var/lib/samba/ | ||
| + | chgrp ntp ntp_signd/ | ||
| + | |||
| + | ''/etc/ntp.conf'' : | ||
| + | <file> | ||
| + | # By default, exchange time with everybody, but don't allow configuration. | ||
| + | restrict -4 default kod notrap nomodify nopeer noquery mssntp | ||
| + | restrict -6 default kod notrap nomodify nopeer noquery mssntp | ||
| + | ntpsigndsocket /var/lib/samba/ntp_signd/ | ||
| + | </file> | ||
| + | service ntp restart | ||
| + | watch ntpq -np | ||
| + | |||
| + | ===== Beitreten der Domäne mit Windows 7 ===== | ||
| + | * Arbeitsplatznetzwerk auswählen | ||
| + | * DNS-Server einstellen | ||
| + | * Domäne beitreten | ||
| + | |||
| + | Benutzer: ''Administrator'' | ||
| + | Password: wie oben im samba-tool eingegeben | ||
| + | |||
| + | Als Benutzer heinz an der Domäne example.com anmelden | ||
| + | |||
| + | ===== Kerberos ===== | ||
| + | kinit Administrator | ||
| + | kdestroy | ||
| + | kinit heinz | ||
| + | ls /tmp/krb5cc_0 | ||
lpi2/samba-ad.txt · Zuletzt geändert: 2024/03/22 17:12 von ingo_wichmann
Seiten-Werkzeuge
Falls nicht anders bezeichnet, ist der Inhalt dieses Wikis unter der folgenden Lizenz veröffentlicht: CC Attribution-Noncommercial-Share Alike 4.0 International
