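--- a/lpi2:samba-ad
+++ b/lpi2:samba-ad
@@ -0,0 +1,179 @@
+====== Samba4 ======
+Siehe auch: https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
+
+Installation mit debian 8 getestet.
+
+hostnamectl set-hostname vm2
+
+DHCP abschalten, auf statische IP-Adresse umstellen:
+
+<file txt /etc/network/interfaces>
+auto eth0
+iface eth0 inet static
+address 192.168.215.2
+netmask 255.255.255.0
+gateway 192.168.215.1
+</file>
+
+===== Pakete =====
+
+apt-get install samba winbind libnss-winbind
+Zum debuggen:
+apt-get install smbclient ldb-tools krb5-user ldap-utils
+((
+Alternativ: Pakete von sernet
+wget https://download.sernet.de/pub/sernet-samba-keyring_1.4_all.deb
+dpkg -i sernet-samba-keyring_1.4_all.deb
+apt-get install apt-transport-https
+
+''/etc/apt/sources.list.d/samba'' :
+<file>
+deb https://USERNAME:ACCESSKEY@download.sernet.de/packages/samba/4.1/debian wheezy main
+deb-src https://USERNAME:ACCESSKEY@download.sernet.de/packages/samba/4.1/debian wheezy main
+</file>
+USERNAME und ACCESSKEY von http://www.enterprisesamba.com/
+
+apt-get update
+apt-get upgrade
+apt-cache policy samba
+aptitude search sernet
+apt-get install sernet-samba-ad
+))
+
+service samba stop
+service samba-ad-dc stop
+service smbd stop
+service nmbd stop
+service winbind stop
+ 
+mv /etc/samba/smb.conf{,.orig}
+ 
+===== Samba Tool =====
+
+Übersicht über ''samba-tool'' Unterbefehle:
+samba-tool
+samba-tool domain provision --help
+samba-tool domain provision
+((
+oder:
+samba-tool domain provision --use-xattrs=yes
+))
+((bei Problemen, z.B. Passwort zu einfach:
+rm /etc/samba/smb.conf
+))
+(( Alternative zu --use-xattrs=yes siehe https://wiki.samba.org/index.php/Samba4/s3fs
+))
+Realm: KURS.LINUXHOTEL.DE
+Domain [KURS]: KURS
+Server Role: dc
+DNS backend: SAMBA_INTERNAL
+DNS forwarder IP address: 192.168.1.17
+Administrator password: v0gelsang,
+
+<file txt /etc/resolv.conf>
+domain kurs.linuxhotel.de
+search kurs.linuxhotel.de linuxhotel.de
+nameserver 127.0.0.1
+</file>
+
+===== Samba AD starten =====
+((
+''/etc/default/sernet-samba'' :
+<file>
+SAMBA_START_MODE="ad"
+# SAMBA_IGNORE_NSUPDATE_G defines whether the samba daemon should be started
+# when 'nsupdate -g' is not available. Setting this to "yes" would mean that
+# samba will be started even without 'nsupdate -g'. This will lead to severe
+# problems without a proper workaround!
+SAMBA_IGNORE_NSUPDATE_G="no"
+</file>
+))
+
+Neue ''smb.conf'' anzeigen:
+testparm
+
+service nmbd start
+service smbd start
+service samba-ad-dc start
+
+Offene Ports checken:
+lsof -a -c samba -i
+
+DNS testen:
+dig _ldap._tcp.kurs.linuxhotel.de SRV
+
+Benutzer anzeigen:
+pdbedit -L
+samba-tool user list
+
+Kerberos testen:
+kinit Administrator@KURS.LINUXHOTEL.DE
+klist
+
+CIFS testen:
+nmblookup -S vm2
+smbclient -k -L vm2
+smbclient -k //vm2/sysvol
+klist
+
+LDAP testen:
+
+ldbsearch -H /var/lib/samba/private/sam.ldb
+
+<file txt ~/.ldaprc>
+URI ldaps://localhost
+BINDDN cn=Administrator,cn=users,dc=kurs,dc=linuxhotel,dc=de
+BASE dc=kurs,dc=linuxhotel,dc=de
+TLS_REQCERT ALLOW
+</file>
+
+ldapsearch -x -W
+
+===== Benutzer anlegen =====
+
+Nur in Testumgebungen:
+samba-tool domain passwordsettings --help
+samba-tool domain passwordsettings set --complexity=off
+samba-tool domain passwordsettings set --min-pwd-length=1
+samba-tool user --help
+ 
+Benutzerliste ansehen:
+samba-tool user list
+
+Benutzer anlegen:
+samba-tool user add heinz villa
+
+===== NTP installieren =====
+siehe https://wiki.samba.org/index.php/Time_Synchronisation
+apt-get install ntp
+cd /var/lib/samba/
+chgrp ntp ntp_signd/
+
+''/etc/ntp.conf'' :
+<file>
+# By default, exchange time with everybody, but don't allow configuration.
+restrict -4 default kod notrap nomodify nopeer noquery mssntp
+restrict -6 default kod notrap nomodify nopeer noquery mssntp
+ntpsigndsocket /var/lib/samba/ntp_signd/
+</file>
+service ntp restart
+watch ntpq -np
+
+===== Beitreten der Domäne mit Windows 7 =====
+* Arbeitsplatznetzwerk auswählen
+* DNS-Server einstellen
+* Domäne beitreten
+
+Benutzer: ''Administrator''
+Password: wie oben im samba-tool eingegeben
+
+Als Benutzer heinz an der Domäne example.com anmelden
+
+===== Kerberos =====
+cat /var/lib/samba/private/krb5.conf
+ln -s /var/lib/samba/private/krb5.conf /etc/krb5.conf
+apt-get install krb5-user
+kinit Administrator
+kdestroy
+kinit heinz
+ls /tmp/krb5cc_0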
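Review bot: The domain Administrator password is written out in clear text in the provisioning transcript (`Administrator password: v0gelsang,`), and the Windows-join section later refers back to it ("Password: wie oben im samba-tool eingegeben"), so the wiki page itself becomes the credential store for the DC and its revision history keeps the value even after an edit. Replace the literal with a placeholder such as `Administrator password: <nicht ins Wiki schreiben>` and, wherever this value has been used on a real host rather than a throw-away course VM, rotate it with `samba-tool user setpassword Administrator`. The `USERNAME:ACCESSKEY` pair in the sernet `sources.list.d/samba` entries has the same problem on the host side, since that file is readable by every local user unless it is restricted to root (`chmod 600 /etc/apt/sources.list.d/samba`). `TLS_REQCERT ALLOW` in `~/.ldaprc` switches off certificate validation for the `ldaps://localhost` Administrator bind; that is tolerable on loopback only, and a one-line comment saying so (`# nur für localhost-Tests, nie auf Clients übernehmen`) would keep the setting from being copied onto remote machines.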