Unterschiede

Hier werden die Unterschiede zwischen zwei Versionen gezeigt.

--- lpi2:samba-ad [2020/12/11 14:44]
ingo_wichmann [Samba Tool]
+++ lpi2:samba-ad [2024/11/07 12:37] (aktuell)
ingo_wichmann [NTP installieren]
@@ Zeile 1: / Zeile 1: @@
 ====== Samba4 ======
-Siehe auch: https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
+Siehe auch: https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
-Installation mit debian 8 getestet.
+Installation mit debian 10 getestet.
-  hostnamectl set-hostname vm2
+===== Vorraussetzungen =====
-DHCP abschalten, auf statische IP-Adresse umstellen:
+  * Statische IP-Adresse (per DHCP oder in lokaler Konfigurationsdatei) (( z.B.
 <file txt /etc/network/interfaces>
 auto eth0
 iface eth0 inet static
-  address 192.168.215.2
+  address 192.168.215.2/24
-  netmask 255.255.255.0
   gateway 192.168.215.1
 </file>
+))
+  * FQDN der Form servername.domain.tld wird von ''hostname -f'' richtig angezeigt
+  * ActiveDirectory Ports nicht von anderen Diensten belegt ((
+  lsof -i :53,88,135,139,389,445,464,636,3268,3269,49152,49153,49154
+-> leer
+))
+(( [[admin_grundlagen:lxd|LXD]] Konfiguration:
+  lxc network set lxdbr0 dns.domain kurs.linuxhotel.de
+  lxc init images:debian/10 test1
+  lxc config set test1 security.privileged=true
+  lxc network attach lxdbr0 test1 eth0 eth0
+  lxc config device set test1 eth0 ipv4.address 192.168.239.10
+  lxc start test1
+  lxc exec test1 -- /bin/bash
+))
 ===== Pakete =====
-  apt-get install samba winbind libnss-winbind
+  apt install samba winbind
-Zum debuggen:
-  apt-get install smbclient ldb-tools krb5-user ldap-utils
+++++ Vorsicht mit Samba-Paketen vor Debian 12 (bookworm) |
-((
-Alternativ: Pakete von sernet
+Michael Tokarev <mjt@tls.msk.ru> schrieb am 20.7.2023 auf der Debian LTS Mailingliste:
+//"It come to my attention that a discussion is happening about samba
+and LTS (and the same applies to oldstable too).
+The thing is: samba packages in bullseye and before, in my opinion,
+are hopeless.  I know it because I know the state of debian packaging
+it was.  For years (for a few debian releases), samba maintenance was
+more on auto-pilot. Most changes were made by applying a minimal change,
+not the right change. The result was.. horrible.
+Now, the Samba team basically re-designed whole VFS layer in 4.16, to
+fix a few serious issues with symlinks.  This is not backportable to
+anything, and it changes quite big portion of the codebase, so subsequent
+fixes even in seemingly unrelated areas don't apply anymore (not all
+of them ofc).
+Upstream stopped supporting 4.13 (bullseye) version of samba even before
+bullseye release iirc.  There were numerous alternative samba repositories
+all around the world to plug the gap between debian-provided samba and
+actual samba.
+There are numerous other security issues, compatibility issues with
+previous windows releases, and other stuff which basically makes samba
+in bullseye (already, not to mention buster!) basically unusable.
+Trying to fix an issue or two there will work. This particular issue
+with Jul-23 windows10/11 update is trivial to fix, the same change
+applies (with minimal context fix) to 4.7 version of samba too.
+But I urge not doing this. This will bring false sense of security.
+People will think samba in buster or bullseye is worth to keep since
+it is being "supported", - it is not due to other numerous issues.
+It is like with old crypto, - you fix a buffer overflow in some DES
+implementation, but it does not mean DES can be used in 2023.
+If there's a need for samba in buster, it can be fixed. See for
+example my repository at http://www.corpit.ru/mjt/packages/samba/ -
+it provides amd64 binaries of all current samba packages on actual
+Debian and Ubuntu releases, - I spent quite some time to ensure it
+all works fine on different environments and the original debian
+packages can be built on older debian releases and on various
+ubuntu releases.  This currently does not include buster, but it
+is kinda trivial to fix.  My repository happens to become quite
+popular (by the amount of downloads, amount of screaming once I
+turned it off for 5 minutes for a reboot, and amount of questions
+I received after the Jul-23 windows update), - so something like
+this is needed (or was, anyway, for older releases).
+Buster and bullseye versions of samba are not supported.  Please
+don't use band-aid on a dead horse."//
+++++
+++++ Alternativ: Pakete von sernet |
   wget https://download.sernet.de/pub/sernet-samba-keyring_1.4_all.deb
   dpkg -i sernet-samba-keyring_1.4_all.deb
@@ Zeile 39: / Zeile 107: @@
   aptitude search sernet
   apt-get install sernet-samba-ad
-))
+++++
+===== Dienste stoppen =====
-  service samba stop
+  systemctl stop samba-ad-dc
-  service samba-ad-dc stop
+  systemctl disable --now nmbd.service
-  service smbd stop
+  systemctl disable --now smbd.service
-  service nmbd stop
+  systemctl disable --now winbind.service
-  service winbind stop
   mv /etc/samba/smb.conf{,.orig}
@@ Zeile 53: / Zeile 121: @@
 Übersicht über ''samba-tool'' Unterbefehle:
   samba-tool
   samba-tool domain provision --help
-  samba-tool domain provision --use-rfc2307
+  samba-tool domain provision --domain kurs --realm kurs.linuxhotel.de --adminpass v0gelsang,
+oder
+  samba-tool domain provision
 ((
 oder:
-  samba-tool domain provision --use-xattrs=yes
+  samba-tool domain provision --use-rfc2307 --use-xattrs=yes
+  Alternative zu --use-xattrs=yes siehe https://wiki.samba.org/index.php/Samba4/s3fs
 ))
 ((bei Problemen, z.B. Passwort zu einfach:
   rm  /etc/samba/smb.conf
-))
-(( Alternative zu --use-xattrs=yes siehe https://wiki.samba.org/index.php/Samba4/s3fs
 ))
   Realm: KURS.LINUXHOTEL.DE
@@ Zeile 93: / Zeile 162: @@
   testparm
-  service nmbd start
+  systemctl unmask samba-ad-dc
-  service smbd start
+  systemctl enable --now samba-ad-dc
-  service samba-ad-dc start
-Offene Ports checken:
+Optional, zum debuggen:
-  lsof -a -c samba -i
+  apt install smbclient ldb-tools krb5-user ldap-utils dnsutils
+===== testen =====
+Offene Ports checken:((
+^ Service ^ Port ^  Protocol ^
+| DNS | 53  | tcp/udp |
+| Kerberos  | 88  | tcp/udp |
+| ntp | 123 | udp |
+| End Point Mapper (DCE/RPC Locator Service)  | 135  | tcp |
+| NetBIOS Name Service  | 137  | udp |
+| NetBIOS Datagram  | 138  | udp |
+| NetBIOS Session  | 139  | tcp |
+| LDAP  | 389  | tcp/udp |
+| SMB over TCP  | 445  | tcp |
+| Kerberos kpasswd  | 464  | tcp/udp |
+| LDAPS | 636  | tcp |
+| Global Catalog  | 3268  | tcp |
+| Global Catalog SSL | 3269  | tcp |
+| Dynamic RPC Ports | 49152-65535  | tcp  |
+))
+  lsof -Pi :53,88,135,137,138,139,389,445,464,636,3268,3269
 DNS testen:
   dig _ldap._tcp.kurs.linuxhotel.de SRV
+  dig _kerberos._tcp.kurs.linuxhotel.de SRV
 Benutzer anzeigen:
@@ Zeile 108: / Zeile 196: @@
 Kerberos testen:
+  cp -b /var/lib/samba/private/krb5.conf /etc/krb5.conf
+  kinit Administrator
+oder
   kinit Administrator@KURS.LINUXHOTEL.DE
   klist
@@ Zeile 118: / Zeile 209: @@
 LDAP testen:
-  ldbsearch -H /var/lib/samba/private/sam.ldb
 <file txt ~/.ldaprc>
@@ Zeile 127: / Zeile 216: @@
 TLS_REQCERT ALLOW
 </file>
+  ldapsearch -x -W
-  ldapsearch -x -W
+  ldbsearch -H /var/lib/samba/private/sam.ldb
 ===== Benutzer anlegen =====
@@ Zeile 142: / Zeile 232: @@
 Benutzer anlegen:
-  samba-tool user add heinz villa
+  samba-tool user add heinz
-===== NTP installieren =====
-siehe https://wiki.samba.org/index.php/Time_Synchronisation
-  apt-get install ntp
-  cd /var/lib/samba/
-  chgrp ntp ntp_signd/
-''/etc/ntp.conf'' :
-<file>
-# By default, exchange time with everybody, but don't allow configuration.
-restrict -4 default kod notrap nomodify nopeer noquery mssntp
-restrict -6 default kod notrap nomodify nopeer noquery mssntp
-ntpsigndsocket  /var/lib/samba/ntp_signd/
-</file>
-  service ntp restart
-  watch ntpq -np
 ===== Beitreten der Domäne mit Windows 7 =====
@@ Zeile 171: / Zeile 247: @@
 ===== Kerberos =====
-  cat /var/lib/samba/private/krb5.conf
-  ln -s /var/lib/samba/private/krb5.conf /etc/krb5.conf
-  apt-get install krb5-user
   kinit Administrator
   kdestroy

Linuxhotel Wiki

Benutzer-Werkzeuge

Webseiten-Werkzeuge

Unterschiede

Seiten-Werkzeuge