Linuxhotel Wiki

lpi2:samba-ad

Differences

This shows the differences between two versions of the page.

lpi2:samba-ad [2021/01/10 09:28]
ingo_wichmann [Vorraussetzungen]
lpi2:samba-ad [2024/03/22 17:12] (current)
ingo_wichmann [testen]
Zeile 1: Zeile 1:
 ====== Samba4 ====== ====== Samba4 ======
-Siehe auch: https://​wiki.samba.org/​index.php/​Samba_AD_DC_HOWTO+Siehe auch: https://​wiki.samba.org/​index.php/​Setting_up_Samba_as_an_Active_Directory_Domain_Controller
  
 Installation mit debian 10 getestet. Installation mit debian 10 getestet.
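Review bot: 'Installation mit debian 10 getestet.' is kept unchanged in this hunk while the same revision adds, further down, a folded warning quoting a Debian maintainer that Samba in buster and bullseye is unsupported upstream and "basically unusable"; the tested-on line should either name the release the revised steps were re-verified on or carry a pointer to that warning, otherwise a reader takes buster as a supported baseline. The link update to Setting_up_Samba_as_an_Active_Directory_Domain_Controller itself is fine.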
Zeile 14: Zeile 14:
 </​file>​ </​file>​
 )) ))
-  * FQDN der Form servername.domain.tld+  * FQDN der Form servername.domain.tld ​wird von ''​hostname -f''​ richtig angezeigt 
 +  * ActiveDirectory Ports nicht von anderen Diensten belegt (( 
 +  lsof -i :​53,​88,​135,​139,​389,​445,​464,​636,​3268,​3269,​49152,​49153,​49154 
 +-> leer 
 +))
  
 (( [[admin_grundlagen:​lxd|LXD]] Konfiguration:​ (( [[admin_grundlagen:​lxd|LXD]] Konfiguration:​
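Review bot: The lsof prerequisite check added here (':53,88,135,139,389,445,464,636,3268,3269,49152,49153,49154') disagrees with the port table this revision adds in the 'testen' section: 137/138 udp (NetBIOS) are not checked, and of the dynamic RPC range 49152-65535 only three ports are sampled, so another listener in that range would still yield 'leer'. Suggest one shared list with the range written out, e.g. 'lsof -i :53,88,135,137,138,139,389,445,464,636,3268,3269,49152-65535' (lsof accepts comma lists and ranges), or 'ss -lntup' for a complete listener inventory. Since the footnote below sets the host up as an LXD container, it is worth stating that lsof only reports listeners of the current network namespace.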
Zeile 29: Zeile 33:
  
   apt install samba winbind   apt install samba winbind
-Optional, zum debuggen+ 
-  ​apt install smbclient ldb-tools krb5-user ldap-utils dnsutils +++++ Vorsicht mit Samba-Paketen vor Debian 12 (bookworm) |  
-(( + 
-Alternativ: Pakete von sernet+Michael Tokarev <​mjt@tls.msk.ru>​ schrieb am 20.7.2023 auf der Debian LTS Mailingliste
 + 
 +//"It come to my attention that a discussion is happening about samba 
 +and LTS (and the same applies to oldstable too). 
 + 
 +The thing is: samba packages in bullseye and before, in my opinion, 
 +are hopeless. ​ I know it because I know the state of debian packaging 
 +it was.  For years (for a few debian releases), samba maintenance was 
 +more on auto-pilot. Most changes were made by applying a minimal change, 
 +not the right change. The result was.. horrible. 
 + 
 +Now, the Samba team basically re-designed whole VFS layer in 4.16, to 
 +fix a few serious issues with symlinks. ​ This is not backportable to 
 +anything, and it changes quite big portion of the codebase, so subsequent 
 +fixes even in seemingly unrelated areas don't apply anymore (not all 
 +of them ofc). 
 + 
 +Upstream stopped supporting 4.13 (bullseye) version of samba even before 
 +bullseye release iirc.  There were numerous alternative samba repositories 
 +all around the world to plug the gap between debian-provided samba and 
 +actual samba. 
 + 
 +There are numerous other security issues, compatibility issues with 
 +previous windows releases, and other stuff which basically makes samba 
 +in bullseye ​(already, not to mention buster!) basically unusable. 
 + 
 +Trying to fix an issue or two there will work. This particular issue 
 +with Jul-23 windows10/​11 update is trivial to fix, the same change 
 +applies ​(with minimal context fix) to 4.7 version of samba too. 
 + 
 +But I urge not doing this. This will bring false sense of security. 
 +People will think samba in buster or bullseye is worth to keep since 
 +it is being "​supported",​ - it is not due to other numerous issues. 
 + 
 +It is like with old crypto, - you fix a buffer overflow in some DES 
 +implementation,​ but it does not mean DES can be used in 2023. 
 + 
 +If there'​s a need for samba in buster, it can be fixed. See for 
 +example my repository at http://​www.corpit.ru/​mjt/​packages/​samba/​ - 
 +it provides amd64 binaries of all current samba packages on actual 
 +Debian and Ubuntu releases, - I spent quite some time to ensure it 
 +all works fine on different environments and the original debian 
 +packages can be built on older debian releases and on various 
 +ubuntu releases. ​ This currently does not include buster, but it 
 +is kinda trivial to fix.  My repository happens to become quite 
 +popular (by the amount of downloads, amount of screaming once I 
 +turned it off for 5 minutes for a reboot, and amount of questions 
 +I received after the Jul-23 windows update), - so something like 
 +this is needed (or was, anyway, for older releases). 
 + 
 +Buster and bullseye versions of samba are not supported. ​ Please 
 +don't use band-aid on a dead horse."//​ 
 +++++ 
 + 
 +++++ Alternativ: Pakete von sernet ​|
   wget https://​download.sernet.de/​pub/​sernet-samba-keyring_1.4_all.deb   wget https://​download.sernet.de/​pub/​sernet-samba-keyring_1.4_all.deb
   dpkg -i sernet-samba-keyring_1.4_all.deb   dpkg -i sernet-samba-keyring_1.4_all.deb
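Review bot: The SerNet alternative fetches sernet-samba-keyring_1.4_all.deb with wget and installs it with 'dpkg -i' as root without comparing a fingerprint or checksum, so the TLS connection to download.sernet.de is the only integrity check before a third-party signing key is trusted by apt; suggest adding a step that compares the key's fingerprint against the one SerNet publishes (the value is not on this page) before the 'dpkg -i'. The quoted mail from Michael Tokarev is attributed with date and list but no archive link; a URL to the debian-lts archive message would let readers verify the quotation and see the replies. The 'Optional, zum debuggen' block removed here is re-added in the 'Zeile 106' hunk after the service is enabled, which is the intended move and should be stated as such.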
Zeile 49: Zeile 107:
   aptitude search sernet   aptitude search sernet
   apt-get install sernet-samba-ad   apt-get install sernet-samba-ad
-)) +++++
 ===== Dienste stoppen ===== ===== Dienste stoppen =====
  
-  ​service ​samba-ad-dc ​stop+  ​systemctl stop samba-ad-dc
   systemctl disable --now nmbd.service   systemctl disable --now nmbd.service
   systemctl disable --now smbd.service   systemctl disable --now smbd.service
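Review bot: 'Dienste stoppen' disables nmbd.service and smbd.service but not winbind.service, although 'apt install samba winbind' above pulls it in; on an AD DC the samba process runs winbind internally and a separately started winbind.service conflicts with it, so add 'systemctl disable --now winbind.service' next to the two existing lines. Replacing 'service samba-ad-dc stop' with 'systemctl stop samba-ad-dc' is consistent with the section; 'disable --now' would match the other two lines, though it makes no practical difference because the unit is enabled again after provisioning.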
Zeile 64: Zeile 121:
 Übersicht über ''​samba-tool''​ Unterbefehle:​ Übersicht über ''​samba-tool''​ Unterbefehle:​
   samba-tool   samba-tool
-  samba-tool domain provision --help  ​+  samba-tool domain provision --help 
 +  samba-tool domain provision --domain kurs --realm kurs.linuxhotel.de --adminpass v0gelsang,​ 
 +oder
   samba-tool domain provision   samba-tool domain provision
 (( ((
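Review bot: The new provision example passes the domain administrator password on the command line ('--adminpass v0gelsang,'), which records it in shell history, exposes it in the process list while samba-tool runs, and now also publishes it in the wiki; suggest omitting '--adminpass' (samba-tool then generates a random password and prints it once, or prompts in the interactive form shown right below) and treating the shown value as a training password to be changed right after provisioning with 'samba-tool user setpassword Administrator'. The trailing comma also reads ambiguously, as part of the password or as punctuation; quoting the value ('--adminpass 'v0gelsang,'') would settle it.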
Zeile 106: Zeile 165:
   systemctl enable --now samba-ad-dc   systemctl enable --now samba-ad-dc
  
 +Optional, zum debuggen:
 +  apt install smbclient ldb-tools krb5-user ldap-utils dnsutils
 ===== testen ===== ===== testen =====
  
-Offene Ports checken: +Offene Ports checken:(( 
-  ​lsof -a -c samba -i +^ Service ^ Port ^  Protocol ^ 
 +| DNS | 53  | tcp/udp | 
 +| Kerberos ​ | 88  | tcp/udp | 
 +| ntp | 123 | udp | 
 +| End Point Mapper (DCE/RPC Locator Service) ​ | 135  | tcp | 
 +| NetBIOS Name Service ​ | 137  | udp | 
 +| NetBIOS Datagram ​ | 138  | udp | 
 +| NetBIOS Session ​ | 139  | tcp | 
 +| LDAP  | 389  | tcp/udp | 
 +| SMB over TCP  | 445  | tcp | 
 +| Kerberos kpasswd ​ | 464  | tcp/udp | 
 +| LDAPS | 636  | tcp | 
 +| Global Catalog ​ | 3268  | tcp | 
 +| Global Catalog SSL | 3269  | tcp | 
 +| Dynamic RPC Ports | 49152-65535  | tcp  | 
 +)) 
 +  lsof -Pi :​53,​88,​135,​137,​138,​139,​389,​445,​464,​636,​3268,​3269
 DNS testen: DNS testen:
   dig _ldap._tcp.kurs.linuxhotel.de SRV   dig _ldap._tcp.kurs.linuxhotel.de SRV
 +  dig _kerberos._tcp.kurs.linuxhotel.de SRV
  
 Benutzer anzeigen: Benutzer anzeigen:
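Review bot: The port table and the lsof check added in 'testen' disagree: the table lists ntp 123/udp and the dynamic RPC range 49152-65535, but ':53,88,135,137,138,139,389,445,464,636,3268,3269' checks neither; either append '123,49152-65535' or state that 123 is served by a separate NTP daemon (samba itself does not listen there) and that several samba listeners are expected in the RPC range. The tool packages added as 'Optional, zum debuggen' (smbclient, ldb-tools, krb5-user, ldap-utils, dnsutils) provide kinit, ldapsearch, ldbsearch and dig, which every test in this section uses, so 'optional' undersells them; word them as required for the tests. Replacing 'lsof -a -c samba -i' with 'lsof -Pi :...' widens the view to any process on those ports, which is the better conflict check; with '-P' the output is numeric, so the table above is the key for reading it. If 'systemctl enable --now samba-ad-dc' reports the unit as masked, 'systemctl unmask samba-ad-dc' has to run first.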
Zeile 119: Zeile 196:
  
 Kerberos testen: Kerberos testen:
 +  cp -b /​var/​lib/​samba/​private/​krb5.conf /​etc/​krb5.conf
 +  kinit Administrator
 +oder
   kinit Administrator@KURS.LINUXHOTEL.DE   kinit Administrator@KURS.LINUXHOTEL.DE
   klist   klist
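Review bot: The first alternative ('cp -b ... /etc/krb5.conf' followed by 'kinit Administrator') works only because the copied file supplies the default realm and leaves KDC discovery to DNS, so a failing kinit here is frequently a resolver problem (the host's /etc/resolv.conf not pointing at the DC) rather than a Kerberos one; a one-line hint tied to the SRV lookups in 'DNS testen' would save debugging time. 'cp -b' silently backs up any existing /etc/krb5.conf as krb5.conf~, which matters if krb5-user was installed earlier and wrote its own configuration; worth a short note.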
Zeile 129: Zeile 209:
  
 LDAP testen: LDAP testen:
- 
-  ldbsearch -H /​var/​lib/​samba/​private/​sam.ldb 
  
 <file txt ~/​.ldaprc>​ <file txt ~/​.ldaprc>​
Zeile 138: Zeile 216:
 TLS_REQCERT ALLOW TLS_REQCERT ALLOW
 </​file>​ </​file>​
 +  ldapsearch -x -W
  
-  ​ldapsearch ​-x -W+  ​ldbsearch ​-H /​var/​lib/​samba/​private/​sam.ldb
  
 ===== Benutzer anlegen ===== ===== Benutzer anlegen =====
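Review bot: 'TLS_REQCERT ALLOW' in ~/.ldaprc turns off server certificate verification for ldapsearch, so a test with it proves reachability and credentials but not that TLS is set up correctly; mark it as a lab-only setting and, for a verifying test, point 'TLS_CACERT' at the CA certificate samba generated during provisioning (tls/ca.pem in the samba private directory) instead. Moving 'ldbsearch -H /var/lib/samba/private/sam.ldb' after the ldapsearch test is fine; it reads the database file directly and needs neither TLS nor a bind, which makes it the fallback when ldapsearch fails.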
Zeile 184: Zeile 263:
  
 ===== Kerberos ===== ===== Kerberos =====
-  cat /​var/​lib/​samba/​private/​krb5.conf 
-  ln -s /​var/​lib/​samba/​private/​krb5.conf /​etc/​krb5.conf 
-  apt-get install krb5-user 
   kinit Administrator   kinit Administrator
   kdestroy   kdestroy
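Review bot: After removing the cat, ln -s and apt-get lines, the 'Kerberos' section is reduced to 'kinit Administrator' and 'kdestroy', which duplicates 'Kerberos testen' above except for the kdestroy; suggest merging the two (kdestroy belongs at the end of the test sequence) or keeping only a pointer here. The removed 'apt-get install krb5-user' now survives only in the 'Optional, zum debuggen' line, so kinit is unavailable to a reader who skips optional steps.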
lpi2/samba-ad.1610270902.txt.gz · Last modified: 2021/01/10 09:28 by ingo_wichmann