Installing Samba 4.5 AD on Debian

From RVM Wiki

Domain Controller installation

Host preparation

vi /etc/hosts

127.0.0.1	localhost
192.168.6.105	pubdc01.pub.priv	pubdc01
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters


apt-get install acl attr samba samba-dsdb-modules samba-vfs-modules winbind libpam-winbind libnss-winbind libpam-krb5 krb5-config krb5-user dnsutils 
ps ax | egrep "samba|smbd|nmbd|winbindd"
systemctl stop smbd.service 
systemctl stop nmbd.service 
systemctl stop winbind.service 
  
smbd -b | grep "CONFIGFILE"
rm /etc/samba/smb.conf
smbd -b | egrep "LOCKDIR|STATEDIR|CACHEDIR|PRIVATE_DIR"
cd /var/run/samba
find . -name \*.tdb -exec /bin/rm -f '{}' \;
find . -name \*.ldb -exec /bin/rm -f '{}' \;
cd /var/lib/samba
find . -name \*.tdb -exec /bin/rm -f '{}' \;
find . -name \*.ldb -exec /bin/rm -f '{}' \;
cd /var/cache/samba
find . -name \*.tdb -exec /bin/rm -f '{}' \;
find . -name \*.ldb -exec /bin/rm -f '{}' \;
cd /var/lib/samba/private
find . -name \*.tdb -exec /bin/rm -f '{}' \;
find . -name \*.ldb -exec /bin/rm -f '{}' \;
rm /etc/krb5.conf
samba-tool domain provision --server-role=dc --use-rfc2307 --dns-backend=SAMBA_INTERNAL --realm=ad.gapartners.eu --domain=GAP --adminpass=Passw0rd
vi /etc/samba/smb.conf 

[global]
dns forwarder = 8.8.8.8
systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc
systemctl start samba-ad-dc
samba-tool dns zonecreate pubdc01 6.168.192.in-addr.arpa -U Administrator

rm /etc/krb5.conf
cp /var/lib/samba/private/krb5.conf /etc/krb5.conf

samba-tool dns add pubdc01 pub.priv proxy.pub.priv. A 192.168.6.254 -U Administrator

apt-get install smbclient 

smbclient -L localhost -N
smbclient //localhost/netlogon -UAdministrator -c 'ls'
vi /etc/resolv.conf 
nameserver 192.168.6.105
search pub.priv
domain pub.priv


host -t SRV _ldap._tcp.pub.priv.
host -t SRV  _kerberos._udp.pub.priv.
host -t A pubdc01.pub.priv.

kinit administrator
klist
reboot
apt-get install psmisc
sudo apt-get install ntp ntpdate

vi /etc/ntp.conf
ntpsigndsocket /var/lib/samba/ntp_signd/
tinker panic 0


chown root:ntp /var/lib/samba/ntp_signd/
chmod 750 /var/lib/samba/ntp_signd/
ls /var/lib/samba/ntp_signd/

systemctl restart ntp.service

reboot

To add Windows 10 to the domain quickly:

sysdm.cpl


Disable password complexity (GPOs do NOT work for this!!!)

  1. Disable password expiration for the Administrator account.

samba-tool user setexpiry Administrator --noexpiry

  2. Show domain level password options.

samba-tool domain passwordsettings show

  3. Disable password complexity at the domain level.

samba-tool domain passwordsettings set --complexity=off

  4. Disable password history at the domain level.

samba-tool domain passwordsettings set --history-length=0

  5. Disable password min-age at the domain level.

samba-tool domain passwordsettings set --min-pwd-age=0

  6. Disable password max-age at the domain level.

samba-tool domain passwordsettings set --max-pwd-age=0

  7. Disable minimum password length at the domain level.

samba-tool domain passwordsettings set --min-pwd-length=0

https://oitibs.com/samba4-domain-password-policy/
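The commands above remove every password control the domain had, so it is worth being able to see at a glance which ones are off. The shell audit below is an added example and not part of the original page: it reads the output of `samba-tool domain passwordsettings show` on stdin and prints one line per relaxed setting, returning the number of findings as its exit status. The line format it parses and the sample values are assumptions, constructed inline so the script runs without a DC.

```shell
#!/bin/sh
# Added audit example, not from the original page.
# Reads `samba-tool domain passwordsettings show` output on stdin and prints
# one line per setting that the relaxing commands above turn off.  The exit
# status is the number of findings, so 0 means nothing was flagged.
audit_pwsettings() {
    awk -F': *' '
        BEGIN { n = 0 }
        /^Password complexity/       { if ($2 == "off") { print "WEAK: password complexity is off"; n++ } }
        /^Store plaintext passwords/ { if ($2 == "on")  { print "WEAK: plaintext password storage is on"; n++ } }
        /^Password history length/   { if ($2 + 0 == 0) { print "WEAK: no password history is kept"; n++ } }
        /^Minimum password length/   { if ($2 + 0 < 7)  { print "WEAK: minimum length " $2 " is below the Samba default of 7"; n++ } }
        /^Maximum password age/      { if ($2 + 0 == 0) { print "WEAK: passwords never expire"; n++ } }
        /^Account lockout threshold/ { if ($2 + 0 == 0) { print "WEAK: accounts never lock out"; n++ } }
        END { exit n }
    '
}

# Constructed sample (an assumption about the command's output format):
# what "passwordsettings show" would report after the commands above.
RELAXED_SAMPLE='Password complexity: off
Store plaintext passwords: off
Password history length: 0
Minimum password length: 0
Minimum password age (days): 0
Maximum password age (days): 0
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30'

# Run on the constructed sample.  On a real DC pipe the live command instead:
#   samba-tool domain passwordsettings show | audit_pwsettings
printf '%s\n' "$RELAXED_SAMPLE" | audit_pwsettings || echo "findings: $?"
```

On the constructed sample the audit reports five findings (complexity, history, minimum length, maximum age, lockout threshold); a domain with complexity on, a 24-entry history and a 7-character minimum returns 0.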

Change the password:

smbpasswd administrator

Add the PTR record for the DC from a Windows console to test it

File sharing

  • Install another machine to act as the file server. Do not configure a file server on the DC


vi /etc/hosts

127.0.0.1	localhost
192.168.6.106	pubsrv01.pub.priv	pubsrv01
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters


apt-get install acl attr samba samba-dsdb-modules samba-vfs-modules winbind libpam-winbind libnss-winbind libpam-krb5 krb5-config krb5-user dnsutils 
ps ax | egrep "samba|smbd|nmbd|winbindd"
systemctl stop smbd.service 
systemctl stop nmbd.service 
systemctl stop winbind.service 
  
ps ax | egrep "samba|smbd|nmbd|winbindd"


smbd -b | grep "CONFIGFILE"
mv /etc/samba/smb.conf /etc/samba/smb.conf.bak
smbd -b | egrep "LOCKDIR|STATEDIR|CACHEDIR|PRIVATE_DIR"
cd /var/run/samba
find . -name \*.tdb -exec /bin/rm -f '{}' \;
find . -name \*.ldb -exec /bin/rm -f '{}' \;
cd /var/lib/samba
find . -name \*.tdb -exec /bin/rm -f '{}' \;
find . -name \*.ldb -exec /bin/rm -f '{}' \;
cd /var/cache/samba
find . -name \*.tdb -exec /bin/rm -f '{}' \;
find . -name \*.ldb -exec /bin/rm -f '{}' \;
cd /var/lib/samba/private
find . -name \*.tdb -exec /bin/rm -f '{}' \;
find . -name \*.ldb -exec /bin/rm -f '{}' \;
mv /etc/krb5.conf /etc/krb5.conf.bak
  • Point DNS at the DC set up earlier
vi /etc/resolv.conf
nameserver 192.168.6.105
search pub.priv
domain pub.priv


  • Forward DNS test:
nslookup pubdc01.pub.priv
  • Reverse DNS test:
nslookup 192.168.6.105
  • Configure Kerberos:
vi /etc/krb5.conf
[libdefaults]
    default_realm = PUB.PRIV
    dns_lookup_realm = false
    dns_lookup_kdc = true

  • Clock: keep systemd-timesyncd
vi /etc/systemd/timesyncd.conf
[Time]
NTP=pubdc01.pub.priv
FallbackNTP=0.debian.pool.ntp.org 1.debian.pool.ntp.org 2.debian.pool.ntp.org 3.debian.pool.ntp.org
systemctl enable systemd-timesyncd
systemctl restart systemd-timesyncd
systemctl status systemd-timesyncd
journalctl -u systemd-timesyncd
  • Verify
timedatectl status
  • Verify that the host's own name resolves to the correct IP
getent hosts pubsrv02


  • Configure Samba
vi /etc/samba/smb.conf
[global]
    workgroup = GAPARTNERS
    security = ADS
    realm = AD.GAPARTNERS.EU
    min protocol = SMB2
    server signing = auto
    client signing = auto
    # Only available from Samba 4.13.13 onwards
    min domain uid = 0

    winbind refresh tickets = Yes
    # If you use the Samba vfs module acl_xattr, you can use the full Windows ACL features
    # but you will not be able to manage the ACLs on the OS of the Samba host directly and
    # you will not have the permissions enforced by the filesystem.
    vfs objects = acl_xattr
    map acl inherit = yes
    # On a Samba Active Directory (AD) domain controller (DC), extended ACL support is automatically
    # enabled globally. You must not enable the support manually.

    # If you are setting the share permissions from Windows (recommended),
    # you should add this line to your share.
    # This will make Samba ignore the system ACLs (ugo).
    acl_xattr:ignore system acl = yes

    store dos attributes = Yes
    # ^^^ not needed after Samba 4.5?
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

    username map = /etc/samba/user.map

    # To disable printing completely, add these lines:
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes
vi /etc/samba/user.map
!root = GAPARTNERS\Administrator

Configuring Winbind

Configuring Winbind is REQUIRED: otherwise only Administrator can access the network shares and every other user gets

NT_STATUS_LOGON_FAILURE
vi /etc/samba/smb.conf
[global]
#....
log file = /var/log/samba/%m.log
log level = 1

# Default ID mapping configuration for local BUILTIN accounts
# and groups on a domain member. The default (*) domain:
# - must not overlap with any domain ID mapping configuration!
# - must use a read-write-enabled back end, such as tdb.
idmap config * : backend = tdb
idmap config * : range = 3000-7999
# - You must set a DOMAIN backend configuration
# idmap config for the GAPARTNERS domain
idmap config GAPARTNERS : backend = rid
idmap config GAPARTNERS : range = 10000-999999
# Template settings for login shell and home directory
template shell = /bin/bash
template homedir = /home/%U
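The comments in the block above state the rules for idmap ranges (the `*` domain must not overlap any other domain's range, and every domain with a range needs a backend). The shell check below is an added example, not part of the original page: it reads an smb.conf on stdin and reports overlapping ranges, inverted ranges, and domains whose range has no matching backend line, which is exactly what a domain name spelled differently on its backend and range lines produces. The sample configuration is constructed inline; the check itself needs only awk.

```shell
#!/bin/sh
# Added check, not from the original page: validate the idmap layout of an
# smb.conf read on stdin.  Exit status is the number of findings (0 = ok).
check_idmap_config() {
    awk '
        BEGIN { n = 0; bad = 0 }
        # "idmap config DOM : backend = X" (leading whitespace allowed; "#" comment lines never match)
        /^[ \t]*idmap config[ \t]+[^:]+:[ \t]*backend[ \t]*=/ {
            line = $0; sub(/^[ \t]*idmap config[ \t]+/, "", line)
            dom = line;  sub(/[ \t]*:.*/, "", dom)
            be = line;   sub(/.*=[ \t]*/, "", be)
            backend[dom] = be
        }
        # "idmap config DOM : range = LOW-HIGH"
        /^[ \t]*idmap config[ \t]+[^:]+:[ \t]*range[ \t]*=/ {
            line = $0; sub(/^[ \t]*idmap config[ \t]+/, "", line)
            dom = line;  sub(/[ \t]*:.*/, "", dom)
            rng = line;  sub(/.*=[ \t]*/, "", rng)
            split(rng, r, "-")
            n++; name[n] = dom; lo[n] = r[1] + 0; hi[n] = r[2] + 0
            if (lo[n] > hi[n]) { print "BAD RANGE: " dom " " rng; bad++ }
        }
        END {
            for (i = 1; i <= n; i++) {
                # a range without a backend means the domain will not be mapped at all
                if (!(name[i] in backend)) { print "NO BACKEND: " name[i]; bad++ }
                # two ranges overlap when each one starts before the other ends
                for (j = i + 1; j <= n; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                        print "OVERLAP: " name[i] " " lo[i] "-" hi[i] " vs " name[j] " " lo[j] "-" hi[j]
                        bad++
                    }
            }
            exit bad
        }
    '
}

# Constructed sample with two mistakes: the domain range starts inside the
# "*" range, and the backend line misspells the domain name.
BROKEN_SAMPLE='[global]
# Default ID mapping for BUILTIN accounts on a domain member
idmap config * : backend = tdb
idmap config * : range = 3000-7999
# domain mapping; note the misspelled name on the backend line
idmap config GAPRTNERS : backend = rid
idmap config GAPARTNERS : range = 5000-999999'

# Run on the constructed sample.  On a real member server use:
#   check_idmap_config < /etc/samba/smb.conf
printf '%s\n' "$BROKEN_SAMPLE" | check_idmap_config || echo "findings: $?"
```

On the broken sample the check prints an OVERLAP line and a NO BACKEND line and exits with status 2; fed the corrected configuration from this page (`*` in 3000-7999, GAPARTNERS in 10000-999999, both with a backend) it exits 0.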

  • Reload
smbcontrol all reload-config
  • Configuring the Name Service Switch
  • Append the winbind entry to the following databases in the /etc/nsswitch.conf file:
vi /etc/nsswitch.conf
passwd: files winbind
group:  files winbind
  • Restart
systemctl enable smbd
systemctl restart smbd
systemctl enable nmbd
systemctl restart nmbd
systemctl enable winbind
systemctl restart winbind
systemctl status smbd
systemctl status nmbd
systemctl status winbind


NOW DO THE JOIN

net ads join -U administrator
systemctl enable smbd.service nmbd.service winbind.service
systemctl start smbd.service nmbd.service winbind.service

Testing the Winbindd Connectivity

Sending a Winbindd Ping

To verify if the Winbindd service is able to connect to Active Directory (AD) Domain Controllers (DC) or a primary domain controller (PDC), enter:

wbinfo --ping-dc
checking the NETLOGON for domain[SAMDOM] dc connection to "DC.SAMDOM.EXAMPLE.COM" succeeded
  • To look up the domain user SAMDOM\demo01:
getent passwd SAMDOM\\demo01
SAMDOM\demo01:*:10000:10000:demo01:/home/demo01:/bin/bash
  • To look up the domain group Domain Users:
getent group "SAMDOM\\Domain Users"
SAMDOM\domain users:x:10000:
  • Assigning File Permissions to Domain Users and Groups
chown "SAMDOM\\demo01:SAMDOM\\domain users" file.txt


TODO https://wiki.samba.org/index.php/Samba_File_Serving https://wiki.samba.org/index.php/Print_Server_Support


https://michlstechblog.info/blog/samba-setup-an-active-directory/

FILESYSTEM


ZFS settings

zfs set acltype=posix aclmode=restricted aclinherit=passthrough xattr=sa DATA/dati
  • Create a file and give it some extended attributes
touch test.txt
setfattr -n user.test -v test test.txt
setfattr -n security.test -v test2 test.txt
  • Verify:
getfattr -d test.txt
# file: test.txt
user.test="test"
  • Verify:
getfattr -n security.test -d test.txt
# file: test.txt
security.test="test2"
  • Create a file and give it ACLs:
touch test.txt
setfacl -m g:adm:rwx test.txt
  • Verify:
getfacl test.txt
# file: test.txt
# owner: root
# group: root
user::rw-
group::r--
group:adm:rwx
mask::rwx
other::r--
  • Now set the permissions on the directory that will be shared:
chown root:root /media/samba/prova
chmod 0770 /media/samba/prova
  • Add the share to the configuration
vi /etc/samba/smb.conf
[Prova]
       path = /media/samba/prova
       read only = no
  • Reload

smbcontrol all reload-config

Setting up the users' share

  • Create the dataset:
zfs create DATA/utenti
  • Set the properties and permissions:
zfs set acltype=posix aclmode=restricted aclinherit=passthrough xattr=sa DATA/utenti
chmod 0770 /media/samba/utenti
  • Declare the share:
vi /etc/samba/smb.conf
[Utenti]
       path = /media/samba/utenti
       read only = no
  • Reload the config:
smbcontrol all reload-config
  • From a Windows console, as MYDOMAIN\Administrator (ignore the error):
compmgmt.msc /computer:\\mydomaincontroller
Computer Management \ System Tools \ Shared Folders \ Shares
  • Right-click, Properties on
Utenti
  • The "Share Permissions" tab must contain ONLY
Everyone - Full Control
  • In the "Security" tab
       Principal        Access            Applies to
       Domain Users*    Read & execute    This folder only
       CREATOR OWNER    Full control      Subfolders and files only
       Domain Admins    Full control      This folder, subfolders and files
  • Set the drive and path in the user account
P: \\MYFILESERVER\Utenti\%USERNAME%
  • When the user logs in, the folder is created and mapped.

References

Share for roaming profiles

  • Create the dataset:
zfs create DATA/profili
zfs set acltype=posix aclmode=restricted aclinherit=passthrough xattr=sa mountpoint=/media/samba/profili DATA/profili
chmod 0770 /media/samba/profili
chown  "GAPARTNERS\\Administrator:GAPARTNERS\\Domain Admins" /media/samba/profili


  • Setting up the Share on the Samba File Server
  • Create a new share.
vi /etc/samba/smb.conf
[profiles]
        comment = Users profiles
        path = /srv/samba/profiles/
        # browseable = No
        # SET THIS LATER, OTHERWISE THE SHARE IS NOT VISIBLE IN SHARE MANAGEMENT
        read only = No
        csc policy = disable
        vfs objects = acl_xattr
  • Reload the config:
smbcontrol all reload-config
  • In the Shares management, set under share permissions
Everyone Full Control
  • In the Shares management, set under security
Principal        Access                              Applies to
Domain Users *   Traverse folder / execute file,     This folder only
                 List folder / read data,
                 Create folder / append data
CREATOR OWNER    Full control                        Subfolders and files only
Domain Admins    Full control                        This folder, subfolders and files
SYSTEM **        Full control                        This folder, subfolders and files
* You can alternatively set other groups, to enable the group members to store their user profile on the share. When using different groups, apply the permissions as displayed for Domain Users in the previous example.
** For details, see The SYSTEM Account.
Verify that permission inheritance is disabled on the root of the share. If any permission entry in the Advanced Security Settings window displays a path in the Inherited from column, click the Disable inheritance button. On Windows 7, unselect the Include inheritable permissions from this object's parent check box to set the same setting.


References


Configuring Windows Profile Folder Redirections

  • Do it with a GPO

References


Notes to verify

  • OpenZFS does not support nfs4acl, which is essentially a clone of the Windows ACL

The Linux NFS4 client does support NFS4 ACLs. They can be viewed and managed through the nfs4-acl-tools package (put NFS on top of ZFS?)

See whether this works: https://mywushublog.com/2012/05/zfs-and-acls-with-samba/

       [samba_zfs_share]
       vfs objects = zfsacl
       path = /test/zfs_mount
       nfs4:mode = simple
       nfs4:acedup = merge


https://michlstechblog.info/blog/samba-join-an-additional-domain-controller-to-samba-active-directory/

  • Group Policies

To configure Group Policy Administrative Templates, copy the content of your Windows 10 C:\windows\PolicyDefinition folder to the sysvol folder of every Domain Controller. Samba does not currently support replication of the sysvol folder; you must implement your own replication via rsync or robocopy.

C:\> mkdir \\frankendc1.franken.local\sysvol\Policies\PolicyDefinition
C:\> mkdir \\frankendc2.franken.local\sysvol\Policies\PolicyDefinition
C:\> robocopy /s C:\Windows\PolicyDefinition \\frankendc1.franken.local\sysvol\Policies\PolicyDefinition
C:\> robocopy /s C:\Windows\PolicyDefinition \\frankendc2.franken.local\sysvol\Policies\PolicyDefinition