====== Samba4 ======
See also: https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
Installation tested with Debian 10.
===== Prerequisites =====
* Static IP address (via DHCP or in a local configuration file) (( e.g.
auto eth0
iface eth0 inet static
address 192.168.215.2/24
gateway 192.168.215.1
))
* An FQDN of the form servername.domain.tld is reported correctly by ''hostname -f''
* The Active Directory ports are not occupied by other services ((
lsof -i :53,88,135,139,389,445,464,636,3268,3269,49152,49153,49154
-> empty
))
(( [[admin_grundlagen:lxd|LXD]] configuration:
lxc network set lxdbr0 dns.domain kurs.linuxhotel.de
lxc init images:debian/10 test1
lxc config set test1 security.privileged=true
lxc network attach lxdbr0 test1 eth0 eth0
lxc config device set test1 eth0 ipv4.address 192.168.239.10
lxc start test1
lxc exec test1 -- /bin/bash
))
===== Packages =====
apt install samba winbind
++++ Caution with Samba packages before Debian 12 (bookworm) |
Michael Tokarev wrote on 20 July 2023 on the Debian LTS mailing list:
//"It came to my attention that a discussion is happening about samba
and LTS (and the same applies to oldstable too).
The thing is: samba packages in bullseye and before, in my opinion,
are hopeless. I know it because I know the state of debian packaging
it was. For years (for a few debian releases), samba maintenance was
more on auto-pilot. Most changes were made by applying a minimal change,
not the right change. The result was... horrible.
Now, the Samba team basically re-designed the whole VFS layer in 4.16, to
fix a few serious issues with symlinks. This is not backportable to
anything, and it changes quite a big portion of the codebase, so subsequent
fixes even in seemingly unrelated areas don't apply anymore (not all
of them ofc).
Upstream stopped supporting the 4.13 (bullseye) version of samba even before
the bullseye release iirc. There were numerous alternative samba repositories
all around the world to plug the gap between debian-provided samba and
actual samba.
There are numerous other security issues, compatibility issues with
previous windows releases, and other stuff which basically makes samba
in bullseye (already, not to mention buster!) basically unusable.
Trying to fix an issue or two there will work. This particular issue
with the Jul-23 windows10/11 update is trivial to fix, the same change
applies (with a minimal context fix) to the 4.7 version of samba too.
But I urge not doing this. This will bring a false sense of security.
People will think samba in buster or bullseye is worth keeping since
it is being "supported", - it is not, due to other numerous issues.
It is like with old crypto, - you fix a buffer overflow in some DES
implementation, but it does not mean DES can be used in 2023.
If there's a need for samba in buster, it can be fixed. See for
example my repository at http://www.corpit.ru/mjt/packages/samba/ -
it provides amd64 binaries of all current samba packages on actual
Debian and Ubuntu releases, - I spent quite some time to ensure it
all works fine on different environments and the original debian
packages can be built on older debian releases and on various
ubuntu releases. This currently does not include buster, but it
is kinda trivial to fix. My repository happens to have become quite
popular (by the amount of downloads, the amount of screaming once I
turned it off for 5 minutes for a reboot, and the amount of questions
I received after the Jul-23 windows update), - so something like
this is needed (or was, anyway, for older releases).
Buster and bullseye versions of samba are not supported. Please
don't use a band-aid on a dead horse."//
++++
++++ Alternative: packages from SerNet |
wget https://download.sernet.de/pub/sernet-samba-keyring_1.4_all.deb
dpkg -i sernet-samba-keyring_1.4_all.deb
apt-get install apt-transport-https
''/etc/apt/sources.list.d/samba.list'' (apt ignores files in this directory without a ''.list'' extension):
deb https://USERNAME:ACCESSKEY@download.sernet.de/packages/samba/4.1/debian wheezy main
deb-src https://USERNAME:ACCESSKEY@download.sernet.de/packages/samba/4.1/debian wheezy main
USERNAME and ACCESSKEY from http://www.enterprisesamba.com/
apt-get update
apt-get upgrade
apt-cache policy samba
aptitude search sernet
apt-get install sernet-samba-ad
++++
===== Stop services =====
systemctl stop samba-ad-dc
systemctl disable --now nmbd.service
systemctl disable --now smbd.service
systemctl disable --now winbind.service
mv /etc/samba/smb.conf{,.orig}
===== Samba Tool =====
Overview of the ''samba-tool'' subcommands:
samba-tool
samba-tool domain provision --help
samba-tool domain provision --domain kurs --realm kurs.linuxhotel.de --adminpass v0gelsang,
or, interactively:
samba-tool domain provision
((
or:
samba-tool domain provision --use-rfc2307 --use-xattrs=yes
For an alternative to --use-xattrs=yes see https://wiki.samba.org/index.php/Samba4/s3fs
))
((If provisioning fails, e.g. because the password is too simple, remove the half-written configuration before retrying:
rm /etc/samba/smb.conf
))
Prompts of the interactive provisioning, with the answers used here:
Realm: KURS.LINUXHOTEL.DE
Domain [KURS]: KURS
Server Role: dc
DNS backend: SAMBA_INTERNAL
DNS forwarder IP address: 192.168.1.17
Administrator password: v0gelsang,
''/etc/resolv.conf'' must point at the DC's own internal DNS server:
domain kurs.linuxhotel.de
search kurs.linuxhotel.de linuxhotel.de
nameserver 127.0.0.1
===== Start Samba AD =====
((
''/etc/default/sernet-samba'' :
SAMBA_START_MODE="ad"
# SAMBA_IGNORE_NSUPDATE_G defines whether the samba daemon should be started
# when 'nsupdate -g' is not available. Setting this to "yes" would mean that
# samba will be started even without 'nsupdate -g'. This will lead to severe
# problems without a proper workaround!
SAMBA_IGNORE_NSUPDATE_G="no"
))
Show the new ''smb.conf'':
testparm
systemctl unmask samba-ad-dc
systemctl enable --now samba-ad-dc
Optional, for debugging:
apt install smbclient ldb-tools krb5-user ldap-utils dnsutils
===== Testing =====
Check open ports:((
^ Service ^ Port ^ Protocol ^
| DNS | 53 | tcp/udp |
| Kerberos | 88 | tcp/udp |
| ntp | 123 | udp |
| End Point Mapper (DCE/RPC Locator Service) | 135 | tcp |
| NetBIOS Name Service | 137 | udp |
| NetBIOS Datagram | 138 | udp |
| NetBIOS Session | 139 | tcp |
| LDAP | 389 | tcp/udp |
| SMB over TCP | 445 | tcp |
| Kerberos kpasswd | 464 | tcp/udp |
| LDAPS | 636 | tcp |
| Global Catalog | 3268 | tcp |
| Global Catalog SSL | 3269 | tcp |
| Dynamic RPC Ports | 49152-65535 | tcp |
))
lsof -Pi :53,88,135,137,138,139,389,445,464,636,3268,3269
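As an added example (not from the original page), the following script turns the port table above into a verdict per port: it parses ''ss -Hlntup'' output and reports whether each AD port is served by Samba, missing, or held by a conflicting daemon, which covers both the prerequisite check and this test. Assumptions: iproute2 ''ss'' is available, and Samba's listeners show up under the process names samba*, smbd*, nmbd* or winbindd*.

```shell
# Added example, not from the original page: a verdict per AD DC port from the
# table above instead of reading raw lsof output by eye. Assumptions: iproute2
# `ss` is available (only its `ss -Hlntup` line layout is parsed) and Samba's
# listeners appear under the process names samba*, smbd*, nmbd* or winbindd*.
AD_PORTS="53 88 135 139 389 445 464 636 3268 3269"

# ss_listeners: turn `ss -Hlntup` lines on stdin into unique "port process" lines.
# Column 5 is the local address (0.0.0.0:53, [::]:88, *:445); the process name is
# the first quoted string in users:(("name",pid=...)). Without root that part is
# absent and the owner is reported as "?" (which then counts as a conflict).
ss_listeners() {
    awk '{
        n = split($5, a, ":"); port = a[n]
        proc = "?"
        if (match($0, /users:\(\("[^"]+"/)) proc = substr($0, RSTART + 9, RLENGTH - 10)
        print port, proc
    }' | sort -u
}

# check_ad_ports: read "port process" lines on stdin and print "ok", "missing" or
# "conflict <owner...>" for every AD port; exit status 1 if anything is wrong.
check_ad_ports() {
    awk -v ports="$AD_PORTS" '
        BEGIN { n = split(ports, want, " ") }
        { seen[$1] = 1; if ($2 !~ /^(samba|smbd|nmbd|winbindd)/) bad[$1] = bad[$1] " " $2 }
        END {
            rc = 0
            for (i = 1; i <= n; i++) {
                p = want[i]
                if (!(p in seen))   { print p, "missing"; rc = 1 }
                else if (p in bad)  { print p, "conflict" bad[p]; rc = 1 }
                else                  print p, "ok"
            }
            exit rc
        }'
}

# Constructed sample of `ss -Hlntup` output (not captured on a real host): a
# leftover dnsmasq still owns DNS, Kerberos is not listening, the rest is Samba.
SAMPLE_SS='tcp LISTEN 0 10 0.0.0.0:53 0.0.0.0:* users:(("dnsmasq",pid=412,fd=5))
tcp LISTEN 0 10 *:135 *:* users:(("samba",pid=901,fd=30))
tcp LISTEN 0 50 *:139 *:* users:(("smbd",pid=905,fd=33))
tcp LISTEN 0 10 *:389 *:* users:(("samba",pid=901,fd=31))
udp UNCONN 0 0 *:389 *:* users:(("samba",pid=901,fd=32))
tcp LISTEN 0 50 *:445 *:* users:(("smbd",pid=905,fd=34))
tcp LISTEN 0 10 *:464 *:* users:(("samba",pid=901,fd=35))
tcp LISTEN 0 10 *:636 *:* users:(("samba",pid=901,fd=36))
tcp LISTEN 0 10 *:3268 *:* users:(("samba",pid=901,fd=37))
tcp LISTEN 0 10 *:3269 *:* users:(("samba",pid=901,fd=38))'

# Demo on the sample; on a real DC run:  ss -Hlntup | ss_listeners | check_ad_ports
printf '%s\n' "$SAMPLE_SS" | ss_listeners | check_ad_ports || echo "=> fix these before provisioning"
```

Run it as root, otherwise ''ss'' cannot attribute sockets to processes and every port is reported as a conflict with owner ''?''.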
Test DNS (both SRV records must point at this DC):
dig _ldap._tcp.kurs.linuxhotel.de SRV
dig _kerberos._tcp.kurs.linuxhotel.de SRV
Show users:
pdbedit -L
samba-tool user list
Test Kerberos:
cp -b /var/lib/samba/private/krb5.conf /etc/krb5.conf
kinit Administrator
or
kinit Administrator@KURS.LINUXHOTEL.DE
klist
Test CIFS:
nmblookup -S vm2
smbclient -k -L vm2
smbclient -k //vm2/sysvol
klist
Test LDAP; client settings e.g. in ''/etc/ldap/ldap.conf'' (''TLS_REQCERT ALLOW'' skips verification of the server certificate and is acceptable only in this test setup):
URI ldaps://localhost
BINDDN cn=Administrator,cn=users,dc=kurs,dc=linuxhotel,dc=de
BASE dc=kurs,dc=linuxhotel,dc=de
TLS_REQCERT ALLOW
ldapsearch -x -W
ldbsearch -H /var/lib/samba/private/sam.ldb
===== Create users =====
Only in test environments (this weakens the domain password policy):
samba-tool domain passwordsettings --help
samba-tool domain passwordsettings set --complexity=off
samba-tool domain passwordsettings set --min-pwd-length=1
samba-tool user --help
View the user list:
samba-tool user list
Create a user:
samba-tool user add heinz
===== Joining the domain with Windows 7 =====
* Select the work network
* Set the DNS server
* Join the domain
User: ''Administrator''
Password: as entered above in samba-tool
Log in to the domain example.com as user heinz
===== Kerberos =====
kinit Administrator
kdestroy
kinit heinz
ls /tmp/krb5cc_0