Installing a Primary Domain Controller: Difference between revisions

From RVM Wiki
Line 139: Line 139:
Riavviare Samba:
Riavviare Samba:


  /etc/init.d/samba stop/etc/init.d/samba stop/etc/init.d/samba start
  /etc/init.d/samba stop; /etc/init.d/samba start


== Creazione delle utenze ==
== Creazione delle utenze ==
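Review bot: the new line restores the separator the old one lacked, but "stop; start" runs the second command whatever the first returned, so a stop that fails leaves the previous smbd and nmbd running while start is attempted beside them. The init script's own "/etc/init.d/samba restart" (or "stop && start" if the two steps are to stay visible) gives the same sequence without that gap; the identical line under "Riavviare Samba" in the full revision below should get the same change.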

Revision as of 14:35, 6 March 2006

Package installation

Install with the default options:

apt-get install samba samba-client acl

Enabling ACLs

To use per-file permissions, ACLs must be enabled on the filesystems that hold the Samba data.

Assuming a single partition is used, add the acl option to that partition:

vi /etc/fstab
/dev/md0        /               ext3    defaults,errors=remount-ro,acl 0       1

Remount the filesystem:

mount / -o remount

Check that the acl option is active:

mount

/dev/md0 on / type ext3 (rw,errors=remount-ro,acl)

Basic configuration

Set the following shell variables (they are substituted into the configuration written below):

export DOMAIN_NAME=GSSPA
export SERVER_NAME=GSSERVER

Set the following parameters in /etc/samba/smb.conf (the commands below keep the original file as smb.conf.ori and write a new one):

cd /etc/samba
mv smb.conf smb.conf.ori
cat > smb.conf <<EOFile
[global]
        # user and group  management
                add group script = /usr/sbin/groupadd %g
                delete group script = /usr/bin/net groupmap delete ntgroup="%g" ; /usr/sbin/groupdel "%g"
                add user to group script = /usr/bin/gpasswd -a %u %g
                delete user from group script = /usr/bin/gpasswd -d %u %g
                #
                add user script = /usr/sbin/useradd -m %u
                delete user script = /usr/sbin/userdel -r %u
                add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null %u
                username map = /etc/samba/user.map
                #
                passdb backend = tdbsam
                unix password sync = yes
                passwd program = /usr/bin/passwd %u
                passwd chat = "*Enter new UNIX password*" %n\n "*Retype new UNIX password*" %n\n "*password updated successfully*" .

        # Network role parameter
                netbios name = $SERVER_NAME
                workgroup = $DOMAIN_NAME
                domain master = yes
                domain logons = yes
                security = user
                local master = yes
                os level = 99
                time server = yes
                encrypt passwords = true
                # backslashes are doubled because the unquoted here-document
                # strips one level: these lines end up as \\%L\%U and \\%L\Profiles\%U
                logon home = \\\\%L\\%U
                logon script = user.cmd
                logon path = \\\\%L\\Profiles\\%U
                logon drive = P:
        # Administrators users
                admin users = administrator
                printer admin = administrator
# Logging settings
        syslog = 0
        syslog only = no
        log file = /var/log/samba/smbd
#       log level = 3
#       debug timestamp = yes

[homes]
        comment = Home Directories
        valid users = %S
        read only = no
        browseable = no
        path = /files/homes/%S

[homes$]
        comment = Home Directories
        admin users = root, administrator, @domainadmins
        read only = no
        browseable = no
        path = /files/homes

[netlogon]
        comment = Domain Logon Service
        path = /files/netlogon
        admin users = administrator, @domainadmins
        write list = administrator, @domainadmins
        guest ok = yes
        browsable = no

[Profiles]
        comment = Roaming Profile Share
        path = /files/profiles
        read only = No
        profile acls = Yes

[Dati]
        writeable = yes
        path = /files/dati
        admin users = root, administrator, @domainadmins
        inherit permissions = yes
        inherit acls = yes

[Install]
        writeable = yes
        create mode = 775
        path = /files/install
        directory mode = 775
EOFile

Creating the share directories

mkdir -p /files/install /files/dati /files/profiles /files/netlogon /files/homes

Set the permissions on the Profiles directory:

cd /files/profiles/
chown :users .
chmod g+w .


Restart Samba:

/etc/init.d/samba stop; /etc/init.d/samba start

Creating the accounts

adduser administrator
usermod -G root administrator
smbpasswd -a administrator


Cleaning up the accounts

Remove the unneeded Samba accounts.

WARNING: DO NOT REMOVE THEM IN ANY OTHER WAY, BECAUSE THE UNIX ACCOUNTS WOULD BE REMOVED TOO!!


smbpasswd -x backup
smbpasswd -x bin
smbpasswd -x daemon
smbpasswd -x Debian-exim
smbpasswd -x games
smbpasswd -x gnats
smbpasswd -x irc
smbpasswd -x list
smbpasswd -x lp
smbpasswd -x mail
smbpasswd -x man
smbpasswd -x news
smbpasswd -x nobody
smbpasswd -x postfix
smbpasswd -x proxy
smbpasswd -x root
smbpasswd -x sshd
smbpasswd -x sync
smbpasswd -x sys
smbpasswd -x uucp
smbpasswd -x www-data


Mapping the groups

Make sure no mappings are set yet:

net groupmap list
System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Domain Admins (S-1-5-21-3888806968-3546501424-3282427636-512) -> -1
Domain Guests (S-1-5-21-3888806968-3546501424-3282427636-514) -> -1
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> -1
Account Operators (S-1-5-32-548) -> -1
Domain Users (S-1-5-21-3888806968-3546501424-3282427636-513) -> -1
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1

If that is not the case:

/etc/init.d/samba stop
rm /var/lib/samba/group_mapping.tdb
/etc/init.d/samba start

Create the mappings:

net groupmap modify ntgroup="Domain Admins" unixgroup=root
net groupmap modify ntgroup="Domain Users"  unixgroup=users
net groupmap modify ntgroup="Domain Guests" unixgroup=nogroup

Verify:

net groupmap list
System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Domain Admins (S-1-5-21-3888806968-3546501424-3282427636-512) -> root
Domain Guests (S-1-5-21-3888806968-3546501424-3282427636-514) -> nogroup
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> -1
Account Operators (S-1-5-32-548) -> -1
Domain Users (S-1-5-21-3888806968-3546501424-3282427636-513) -> users
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1
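An added check, not part of the original wiki page, that compares the output of "net groupmap list" with the three mappings configured above and flags any other well-known group that has been mapped or any expected mapping that is missing; the listing it runs on here is constructed, with shortened SIDs.

```shell
#!/bin/sh
# Added example, not part of the original wiki page: verify the output of
# "net groupmap list" against the mappings this guide configures. The function
# reads the listing from stdin, so it works on live output
# ("net groupmap list | check_groupmap") as well as on a captured copy.

# NT group -> UNIX group pairs set with "net groupmap modify" above.
EXPECTED='Domain Admins=root
Domain Users=users
Domain Guests=nogroup'

# check_groupmap: exit 0 when exactly the expected groups are mapped and every
# other well-known group still reads "-> -1"; prints one line per deviation.
check_groupmap() {
    status=0
    seen=''
    # Each listing line has the shape:  Domain Admins (S-1-5-21-...-512) -> root
    while IFS= read -r line; do
        case $line in
            *' -> '*) ;;
            *) continue ;;
        esac
        ntgroup=${line%% (*}         # name before " (SID)"
        unixgroup=${line##* -> }     # target after " -> "
        want=$(printf '%s\n' "$EXPECTED" | awk -F= -v g="$ntgroup" '$1 == g { print $2 }')
        if [ -n "$want" ]; then
            seen="$seen$ntgroup,"
            [ "$unixgroup" = "$want" ] || { echo "WRONG: $ntgroup -> $unixgroup (expected $want)"; status=1; }
        else
            [ "$unixgroup" = "-1" ] || { echo "UNEXPECTED: $ntgroup -> $unixgroup"; status=1; }
        fi
    done
    # Every expected mapping must actually appear in the listing.
    printf '%s\n' "$EXPECTED" | awk -F= '{ print $1 }' | while IFS= read -r g; do
        case ",$seen" in *",$g,"*) ;; *) echo "MISSING: $g is not mapped"; exit 1 ;; esac
    done || status=1
    return $status
}

# Constructed sample in the shape of the "Verify" listing above (SIDs shortened).
SAMPLE_OK='Guests (S-1-5-32-546) -> -1
Domain Admins (S-1-5-21-1-2-3-512) -> root
Domain Guests (S-1-5-21-1-2-3-514) -> nogroup
Administrators (S-1-5-32-544) -> -1
Domain Users (S-1-5-21-1-2-3-513) -> users
Users (S-1-5-32-545) -> -1'

printf '%s\n' "$SAMPLE_OK" | check_groupmap && echo "group mappings OK"
```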

Checking the accounts

Check that the only configured user is Administrator:

pdbedit -L

administrator:1012:Administrator GSSS,,,
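Added example, not from the original page, serving both the cleanup step above and this final check: it reads pdbedit -L output, lists the Samba accounts that belong to UNIX system users (UID below 1000, plus nobody, which sits at 65534), and prints the matching smbpasswd -x commands for review instead of running them; the pdbedit listing it runs on is constructed.

```shell
#!/bin/sh
# Added example, not part of the original wiki page: pick out the Samba accounts
# that belong to UNIX system users so they can be removed with "smbpasswd -x",
# which touches only the Samba password database. The listing comes from
# "pdbedit -L" (format: name:uid:full name) read on stdin.

# Debian's first regular user gets UID 1000; anything below is a system account.
UID_MIN=1000

# samba_system_accounts: print the names of passdb entries that are system
# accounts. "nobody" is listed explicitly because its UID (65534) is above the
# threshold even though it is not a person either.
samba_system_accounts() {
    awk -F: -v min="$UID_MIN" '
        NF >= 2 && $2 ~ /^[0-9]+$/ && ($2 + 0 < min || $1 == "nobody") { print $1 }'
}

# cleanup_commands: emit the exact smbpasswd -x lines to review before running.
# Pipe the result into sh only after reading it; never use userdel here, the
# UNIX accounts must stay in /etc/passwd.
cleanup_commands() {
    samba_system_accounts | while IFS= read -r name; do
        printf 'smbpasswd -x %s\n' "$name"
    done
}

# Constructed sample in pdbedit -L format (not real output from the guide's server).
SAMPLE='root:0:root
daemon:1:daemon
www-data:33:www-data
nobody:65534:nobody
administrator:1012:Administrator GSSS,,,
mrossi:1013:Mario Rossi,,,'

printf '%s\n' "$SAMPLE" | cleanup_commands
```

After the listed entries are removed, "pdbedit -L" should show only the accounts created by hand, such as administrator.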