Installing Samba 4.5 AD on Debian
vi /etc/hosts
127.0.0.1 localhost
192.168.6.105 pubdc01.pub.priv pubdc01
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
apt-get install acl attr samba samba-dsdb-modules samba-vfs-modules winbind libpam-winbind libnss-winbind libpam-krb5 krb5-config krb5-user dnsutils
ps ax | egrep "samba|smbd|nmbd|winbindd"
systemctl stop smbd.service
systemctl stop nmbd.service
systemctl stop winbind.service
smbd -b | grep "CONFIGFILE"
rm /etc/samba/smb.conf
smbd -b | egrep "LOCKDIR|STATEDIR|CACHEDIR|PRIVATE_DIR"
cd /var/run/samba
find . -name \*.tdb -exec /bin/rm -f '{}' \;
find . -name \*.ldb -exec /bin/rm -f '{}' \;
cd /var/lib/samba
find . -name \*.tdb -exec /bin/rm -f '{}' \;
find . -name \*.ldb -exec /bin/rm -f '{}' \;
cd /var/cache/samba
find . -name \*.tdb -exec /bin/rm -f '{}' \;
find . -name \*.ldb -exec /bin/rm -f '{}' \;
cd /var/lib/samba/private
find . -name \*.tdb -exec /bin/rm -f '{}' \;
find . -name \*.ldb -exec /bin/rm -f '{}' \;
rm /etc/krb5.conf
samba-tool domain provision --server-role=dc --use-rfc2307 --dns-backend=SAMBA_INTERNAL --realm=ad.gapartners.eu --domain=GAP --adminpass=Passw0rd
vi /etc/samba/smb.conf
[global]
dns forwarder = 8.8.8.8
systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc
systemctl start samba-ad-dc
samba-tool dns zonecreate pubdc01 6.168.192.in-addr.arpa -U Administrator
rm /etc/krb5.conf
cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
samba-tool dns add pubdc01 pub.priv proxy.pub.priv. A 192.168.6.254 -U Administrator
apt-get install smbclient
smbclient -L localhost -N
smbclient //localhost/netlogon -UAdministrator -c 'ls'
vi /etc/resolv.conf
nameserver 192.168.6.105
search pub.priv
domain pub.priv
host -t SRV _ldap._tcp.pub.priv.
host -t SRV _kerberos._udp.pub.priv.
host -t A pubdc01.pub.priv.
kinit administrator
klist
reboot
apt-get install psmisc
sudo apt-get install ntp ntpdate
vi /etc/ntp.conf
ntpsigndsocket /var/lib/samba/ntp_signd/
tinker panic 0
chown root:ntp /var/lib/samba/ntp_signd/
chmod 750 /var/lib/samba/ntp_signd/
ls /var/lib/samba/ntp_signd/
systemctl restart ntp.service
reboot
To quickly join Windows 10 to the domain:
sysdm.cpl
Disable password complexity (GPOs do not work for this!!!)
# Disable password expiration for the Administrator account.
samba-tool user setexpiry Administrator --noexpiry
- Show domain level password options.
samba-tool domain passwordsettings show
- Disable password complexity at the domain level.
samba-tool domain passwordsettings set --complexity=off
- Disable password history at the domain level.
samba-tool domain passwordsettings set --history-length=0
- Disable password min-age at the domain level.
samba-tool domain passwordsettings set --min-pwd-age=0
- Disable password max-age at the domain level.
samba-tool domain passwordsettings set --max-pwd-age=0
- Disable minimum password length at the domain level.
samba-tool domain passwordsettings set --min-pwd-length=0
https://oitibs.com/samba4-domain-password-policy/
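Added audit helper (not part of these notes): a small sh function that reads the output of samba-tool domain passwordsettings show and flags each setting the commands above relax. The two sample outputs are constructed, and the line format is assumed from Samba 4.x.

```shell
# audit_pwd_policy: read `samba-tool domain passwordsettings show` output on
# stdin, print one WEAK line per relaxed setting, and return the number of
# weak settings as exit status (0 = policy still at the provisioning baseline).
# The "Key: value" line format is assumed from Samba 4.x output.
audit_pwd_policy() {
    weak=0
    while IFS= read -r line; do
        key=${line%%:*}      # text before the first colon
        val=${line#*: }      # text after "colon space"
        case "$key" in
            "Password complexity")
                [ "$val" = "off" ] && { echo "WEAK: complexity is off"; weak=$((weak+1)); } ;;
            "Password history length")
                [ "$val" -lt 1 ] && { echo "WEAK: no password history"; weak=$((weak+1)); } ;;
            "Minimum password length")
                [ "$val" -lt 7 ] && { echo "WEAK: min length $val (Samba default is 7)"; weak=$((weak+1)); } ;;
            "Minimum password age (days)")
                [ "$val" -lt 1 ] && { echo "WEAK: min age 0, history can be cycled instantly"; weak=$((weak+1)); } ;;
            "Maximum password age (days)")
                [ "$val" -eq 0 ] && { echo "WEAK: passwords never expire"; weak=$((weak+1)); } ;;
        esac
    done
    return "$weak"
}

# Constructed sample: what `show` prints after the five `set` commands above.
SAMPLE_RELAXED='Password information for domain DC=pub,DC=priv

Password complexity: off
Store plaintext passwords: off
Password history length: 0
Minimum password length: 0
Minimum password age (days): 0
Maximum password age (days): 0
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30'

# Constructed sample: Samba provisioning defaults, nothing to flag.
SAMPLE_DEFAULT='Password complexity: on
Password history length: 24
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42'

if printf '%s\n' "$SAMPLE_RELAXED" | audit_pwd_policy; then
    echo "policy OK"
else
    echo "weak settings found: $?"   # prints 5 for the relaxed sample
fi
```

On a real DC run it as: samba-tool domain passwordsettings show | audit_pwd_policy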
Change the password:
smbpasswd administrator
Add the PTR record for the DC from the Windows console, to test it
File sharing
Install another machine to act as file server. Do not set up the file server on the DC.
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
vi /etc/hosts
127.0.0.1 localhost
192.168.6.106 pubsrv01.pub.priv pubsrv01
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
apt-get install acl attr samba samba-dsdb-modules samba-vfs-modules winbind libpam-winbind libnss-winbind libpam-krb5 krb5-config krb5-user dnsutils
ps ax | egrep "samba|smbd|nmbd|winbindd"
systemctl stop smbd.service
systemctl stop nmbd.service
systemctl stop winbind.service
ps ax | egrep "samba|smbd|nmbd|winbindd"
smbd -b | grep "CONFIGFILE"
mv /etc/samba/smb.conf /etc/samba/smb.conf.bak
smbd -b | egrep "LOCKDIR|STATEDIR|CACHEDIR|PRIVATE_DIR"
cd /var/run/samba
find . -name \*.tdb -exec /bin/rm -f '{}' \;
find . -name \*.ldb -exec /bin/rm -f '{}' \;
cd /var/lib/samba
find . -name \*.tdb -exec /bin/rm -f '{}' \;
find . -name \*.ldb -exec /bin/rm -f '{}' \;
cd /var/cache/samba
find . -name \*.tdb -exec /bin/rm -f '{}' \;
find . -name \*.ldb -exec /bin/rm -f '{}' \;
cd /var/lib/samba/private
find . -name \*.tdb -exec /bin/rm -f '{}' \;
find . -name \*.ldb -exec /bin/rm -f '{}' \;
mv /etc/krb5.conf /etc/krb5.conf.bak
Point DNS at the DC set up earlier
vi /etc/resolv.conf
nameserver 192.168.6.105
search pub.priv
domain pub.priv
Forward DNS test:
nslookup pubdc01.pub.priv
Reverse DNS test:
nslookup 192.168.6.105
Kerberos config:
vi /etc/krb5.conf
[libdefaults]
default_realm = PUB.PRIV
dns_lookup_realm = false
dns_lookup_kdc = true
Clock: keep systemd-timesyncd
vi /etc/systemd/timesyncd.conf
[Time]
NTP=pubdc01.pub.priv
FallbackNTP=0.debian.pool.ntp.org 1.debian.pool.ntp.org 2.debian.pool.ntp.org 3.debian.pool.ntp.org
systemctl enable systemd-timesyncd
systemctl restart systemd-timesyncd
systemctl status systemd-timesyncd
journalctl -u systemd-timesyncd
Verify:
timedatectl status
Verify that the host resolves its own name
getent hosts pubsrv02 must return the correct IP
Configure:
vi /etc/samba/smb.conf
[global]
workgroup = GAPARTNERS
security = ADS
realm = AD.GAPARTNERS.EU
winbind refresh tickets = Yes
# If you use the Samba vfs module acl_xattr, you can use the full Windows ACL features
# but you will not be able to manage the ACLs on the OS of the Samba host directly and
# you will not have the permissions enforced by the filesystem.
vfs objects = acl_xattr
map acl inherit = yes
# On a Samba Active Directory (AD) domain controller (DC), extended ACL support is automatically
# enabled globally. You must not enable the support manually.
# If you are setting the shares permissions from Windows (recommended),
# you should add this line to your share
# This will make Samba ignore the system ACL's (ugo)
acl_xattr:ignore system acl = yes
map acl inherit = Yes
store dos attributes = Yes
# ^^^ not needed after Samba 4.5?
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
username map = /etc/samba/user.map
# To disable printing completely, add these lines:
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
vi /etc/samba/user.map
!root = GAPARTNERS\Administrator
WE SKIP WINBIND
NOW DO THE JOIN
net ads join -U administrator
systemctl enable smbd.service nmbd.service
systemctl start smbd.service nmbd.service
TODO
https://wiki.samba.org/index.php/Samba_File_Serving
https://wiki.samba.org/index.php/Print_Server_Support
https://michlstechblog.info/blog/samba-setup-an-active-directory/
FILESYSTEM
ZFS settings
zfs set acltype=posix aclmode=restricted aclinherit=passthrough xattr=sa DATA/dati
- Create a file and give it some extended attributes
touch test.txt
setfattr -n user.test -v test test.txt
setfattr -n security.test -v test2 test.txt
- Verify:
getfattr -d test.txt
# file: test.txt
user.test="test"
- Verify:
getfattr -n security.test -d test.txt
# file: test.txt
security.test="test2"
- Create a file and give it ACLs:
touch test.txt
setfacl -m g:adm:rwx test.txt
- Verify:
getfacl test.txt
# file: test.txt
# owner: root
# group: root
user::rw-
group::r--
group:adm:rwx
mask::rwx
other::r--
- Now set the permissions on the directory that will be shared:
chown root:root /media/samba/prova
chmod 0770 /media/samba/prova
- Add the share to the configuration
vi /etc/samba/smb.conf
[Prova]
path = /media/samba/prova
read only = no
- Restart
smbcontrol all reload-config
FROM HERE
OpenZFS does not support NFSv4 ACLs, which are essentially a clone of the Windows ACL. The Linux NFSv4 client does support NFSv4 ACLs; they can be viewed and managed through the nfs4-acl-tools package. (Put NFS on top of ZFS?)
See if this works: https://mywushublog.com/2012/05/zfs-and-acls-with-samba/
[samba_zfs_share]
vfs objects = zfsacl
path = /test/zfs_mount
nfs4:mode = simple
nfs4:acedup = merge
Group Policies
To configure Group Policies Administrative Templates, copy the content of your Windows 10 C:\windows\PolicyDefinition folder to the sysvol folder of all Domain Controllers. Samba does not currently support replication of the sysvol folder; you must implement your own replication via rsync or robocopy.
C:\> mkdir \\frankendc1.franken.local\sysvol\Policies\PolicyDefinition
C:\> mkdir \\frankendc2.franken.local\sysvol\Policies\PolicyDefinition
C:\> robocopy /s C:\Windows\PolicyDefinition \\frankendc1.franken.local\sysvol\Policies\PolicyDefinition
C:\> robocopy /s C:\Windows\PolicyDefinition \\frankendc2.franken.local\sysvol\Policies\PolicyDefinition