====== Samba4 ======
Siehe auch: https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
Installation mit debian 10 getestet.
===== Vorraussetzungen =====
* Statische IP-Adresse (per DHCP oder in lokaler Konfigurationsdatei) (( z.B.
auto eth0
iface eth0 inet static
address 192.168.215.2/24
gateway 192.168.215.1
))
* FQDN der Form servername.domain.tld wird von ''hostname -f'' richtig angezeigt
* ActiveDirectory Ports nicht von anderen Diensten belegt ((
lsof -i :53,88,135,139,389,445,464,636,3268,3269,49152,49153,49154
-> leer
))
(( [[admin_grundlagen:lxd|LXD]] Konfiguration:
lxc network set lxdbr0 dns.domain kurs.linuxhotel.de
lxc init images:debian/10 test1
lxc config set test1 security.privileged=true
lxc network attach lxdbr0 test1 eth0 eth0
lxc config device set test1 eth0 ipv4.address 192.168.239.10
lxc start test1
lxc exec test1 -- /bin/bash
))
===== Pakete =====
apt install samba winbind
++++ Vorsicht mit Samba-Paketen vor Debian 12 (bookworm) |
Michael Tokarev schrieb am 20.7.2023 auf der Debian LTS Mailingliste:
//"It come to my attention that a discussion is happening about samba
and LTS (and the same applies to oldstable too).
The thing is: samba packages in bullseye and before, in my opinion,
are hopeless. I know it because I know the state of debian packaging
it was. For years (for a few debian releases), samba maintenance was
more on auto-pilot. Most changes were made by applying a minimal change,
not the right change. The result was.. horrible.
Now, the Samba team basically re-designed whole VFS layer in 4.16, to
fix a few serious issues with symlinks. This is not backportable to
anything, and it changes quite big portion of the codebase, so subsequent
fixes even in seemingly unrelated areas don't apply anymore (not all
of them ofc).
Upstream stopped supporting 4.13 (bullseye) version of samba even before
bullseye release iirc. There were numerous alternative samba repositories
all around the world to plug the gap between debian-provided samba and
actual samba.
There are numerous other security issues, compatibility issues with
previous windows releases, and other stuff which basically makes samba
in bullseye (already, not to mention buster!) basically unusable.
Trying to fix an issue or two there will work. This particular issue
with Jul-23 windows10/11 update is trivial to fix, the same change
applies (with minimal context fix) to 4.7 version of samba too.
But I urge not doing this. This will bring false sense of security.
People will think samba in buster or bullseye is worth to keep since
it is being "supported", - it is not due to other numerous issues.
It is like with old crypto, - you fix a buffer overflow in some DES
implementation, but it does not mean DES can be used in 2023.
If there's a need for samba in buster, it can be fixed. See for
example my repository at http://www.corpit.ru/mjt/packages/samba/ -
it provides amd64 binaries of all current samba packages on actual
Debian and Ubuntu releases, - I spent quite some time to ensure it
all works fine on different environments and the original debian
packages can be built on older debian releases and on various
ubuntu releases. This currently does not include buster, but it
is kinda trivial to fix. My repository happens to become quite
popular (by the amount of downloads, amount of screaming once I
turned it off for 5 minutes for a reboot, and amount of questions
I received after the Jul-23 windows update), - so something like
this is needed (or was, anyway, for older releases).
Buster and bullseye versions of samba are not supported. Please
don't use band-aid on a dead horse."//
++++
++++ Alternativ: Pakete von sernet |
wget https://download.sernet.de/pub/sernet-samba-keyring_1.4_all.deb
dpkg -i sernet-samba-keyring_1.4_all.deb
apt-get install apt-transport-https
''/etc/apt/sources.list.d/samba'' :
deb https://USERNAME:ACCESSKEY@download.sernet.de/packages/samba/4.1/debian wheezy main
deb-src https://USERNAME:ACCESSKEY@download.sernet.de/packages/samba/4.1/debian wheezy main
USERNAME und ACCESSKEY von http://www.enterprisesamba.com/
apt-get update
apt-get upgrade
apt-cache policy samba
aptitude search sernet
apt-get install sernet-samba-ad
++++
===== Dienste stoppen =====
systemctl stop samba-ad-dc
systemctl disable --now nmbd.service
systemctl disable --now smbd.service
systemctl disable --now winbind.service
mv /etc/samba/smb.conf{,.orig}
===== Samba Tool =====
Übersicht über ''samba-tool'' Unterbefehle:
samba-tool
samba-tool domain provision --help
samba-tool domain provision --domain kurs --realm kurs.linuxhotel.de --adminpass v0gelsang,
oder
samba-tool domain provision
((
oder:
samba-tool domain provision --use-rfc2307 --use-xattrs=yes
Alternative zu --use-xattrs=yes siehe https://wiki.samba.org/index.php/Samba4/s3fs
))
((bei Problemen, z.B. Passwort zu einfach:
rm /etc/samba/smb.conf
))
Realm: KURS.LINUXHOTEL.DE
Domain [KURS]: KURS
Server Role: dc
DNS backend: SAMBA_INTERNAL
DNS forwarder IP address: 192.168.1.17
Administrator password: v0gelsang,
domain kurs.linuxhotel.de
search kurs.linuxhotel.de linuxhotel.de
nameserver 127.0.0.1
===== Samba AD starten =====
((
''/etc/default/sernet-samba'' :
SAMBA_START_MODE="ad"
# SAMBA_IGNORE_NSUPDATE_G defines whether the samba daemon should be started
# when 'nsupdate -g' is not available. Setting this to "yes" would mean that
# samba will be started even without 'nsupdate -g'. This will lead to severe
# problems without a proper workaround!
SAMBA_IGNORE_NSUPDATE_G="no"
))
Neue ''smb.conf'' anzeigen:
testparm
systemctl unmask samba-ad-dc
systemctl enable --now samba-ad-dc
Optional, zum debuggen:
apt install smbclient ldb-tools krb5-user ldap-utils dnsutils
===== testen =====
Offene Ports checken:((
^ Service ^ Port ^ Protocol ^
| DNS | 53 | tcp/udp |
| Kerberos | 88 | tcp/udp |
| ntp | 123 | udp |
| End Point Mapper (DCE/RPC Locator Service) | 135 | tcp |
| NetBIOS Name Service | 137 | udp |
| NetBIOS Datagram | 138 | udp |
| NetBIOS Session | 139 | tcp |
| LDAP | 389 | tcp/udp |
| SMB over TCP | 445 | tcp |
| Kerberos kpasswd | 464 | tcp/udp |
| LDAPS | 636 | tcp |
| Global Catalog | 3268 | tcp |
| Global Catalog SSL | 3269 | tcp |
| Dynamic RPC Ports | 49152-65535 | tcp |
))
lsof -Pi :53,88,135,137,138,139,389,445,464,636,3268,3269
DNS testen:
dig _ldap._tcp.kurs.linuxhotel.de SRV
dig _kerberos._tcp.kurs.linuxhotel.de SRV
Benutzer anzeigen:
pdbedit -L
samba-tool user list
Kerberos testen:
cp -b /var/lib/samba/private/krb5.conf /etc/krb5.conf
kinit Administrator
oder
kinit Administrator@KURS.LINUXHOTEL.DE
klist
CIFS testen:
nmblookup -S vm2
smbclient -k -L vm2
smbclient -k //vm2/sysvol
klist
LDAP testen:
URI ldaps://localhost
BINDDN cn=Administrator,cn=users,dc=kurs,dc=linuxhotel,dc=de
BASE dc=kurs,dc=linuxhotel,dc=de
TLS_REQCERT ALLOW
ldapsearch -x -W
ldbsearch -H /var/lib/samba/private/sam.ldb
===== Benutzer anlegen =====
Nur in Testumgebungen:
samba-tool domain passwordsettings --help
samba-tool domain passwordsettings set --complexity=off
samba-tool domain passwordsettings set --min-pwd-length=1
samba-tool user --help
Benutzerliste ansehen:
samba-tool user list
Benutzer anlegen:
samba-tool user add heinz
===== NTP installieren =====
TODO: das macht man heute mit chrony
siehe https://wiki.samba.org/index.php/Time_Synchronisation
apt-get install ntp
cd /var/lib/samba/
chgrp ntp ntp_signd/
''/etc/ntp.conf'' :
# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery mssntp
restrict -6 default kod notrap nomodify nopeer noquery mssntp
ntpsigndsocket /var/lib/samba/ntp_signd/
service ntp restart
watch ntpq -np
===== Beitreten der Domäne mit Windows 7 =====
* Arbeitsplatznetzwerk auswählen
* DNS-Server einstellen
* Domäne beitreten
Benutzer: ''Administrator''
Password: wie oben im samba-tool eingegeben
Als Benutzer heinz an der Domäne example.com anmelden
===== Kerberos =====
kinit Administrator
kdestroy
kinit heinz
ls /tmp/krb5cc_0