Installing a Samba Domain Member Server
Windows 2008 Domain Controller
- If the domain is not NT-compatible, the ADS procedure must be used
- Example data:
192.168.11.100   Windows AD server
REDIRECTOR.NAME  Domain name
- Install the packages needed for Kerberos authentication:
sudo apt-get install libkrb53 krb5-config krb5-user samba winbind ntpdate ntp
- Stop the services:
sudo /etc/init.d/samba stop
sudo /etc/init.d/winbind stop
sudo /etc/init.d/ntp stop
- Configure Kerberos:
sudoedit /etc/krb5.conf
[libdefaults]
    default_realm = REDIRECTOR.NAME
# The following krb5.conf variables are only for MIT Kerberos.
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).
#   default_tgs_enctypes = des3-hmac-sha1
#   default_tkt_enctypes = des3-hmac-sha1
#   permitted_enctypes = des3-hmac-sha1
# The following libdefaults parameters are only for Heimdal Kerberos.
    v4_instance_resolve = false
    v4_name_convert = {
        host = {
            rcmd = host
            ftp = ftp
        }
        plain = {
            something = something-else
        }
    }
    fcc-mit-ticketflags = true
# Use the explicit [realms] entries below instead of DNS SRV lookups
    dns_lookup_realm = false
    dns_lookup_kdc = false
[realms]
    REDIRECTOR.NAME = {
        kdc = 192.168.11.100:88
        admin_server = 192.168.11.100
    }
[domain_realm]
    .redirector.name = REDIRECTOR.NAME
    redirector.name = REDIRECTOR.NAME
[login]
    krb4_convert = true
    krb4_get_tickets = false
- Synchronise the clock with the domain controller (Kerberos rejects tickets when the clock skew exceeds a few minutes):
sudo ntpdate 192.168.11.100
- Add the PDC as NTP server:
sudoedit /etc/ntp.conf
server 192.168.11.100
- Start ntp:
sudo /etc/init.d/ntp start
- Check that all the declared NTP servers can be reached:
sudo ntpq -p
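An added check for the time-sync step (example code, not from the original page): it parses `ntpq -p` output and confirms that the AD server is reachable, is the peer the clock is actually synchronised to (tally `*`), and has an offset well inside the 5-minute clock skew Kerberos tolerates. The two `ntpq` outputs embedded in the block are constructed samples, not captures from a real host.

```shell
#!/bin/sh
# Added example, not from the original page: validate `ntpq -p` output for the
# AD server configured as NTP source.  Kerberos rejects tickets when the clock
# skew exceeds 5 minutes (300000 ms), so the offset is checked against a much
# tighter limit by default.
# Usage: ntpq -p | ntp_peer_ok 192.168.11.100 [max_offset_ms]
ntp_peer_ok() {
    want="$1"
    max_ms="${2:-60000}"
    awk -v want="$want" -v max_ms="$max_ms" '
        NR <= 2 { next }                 # two header lines
        {
            # column 1 of the line is the tally code: "*" marks the peer the
            # clock is synchronised to, a blank means the peer is not used
            tally = substr($0, 1, 1)
            remote = substr($0, 2); sub(/[ \t].*$/, "", remote)
            if (remote != want) next
            found = 1
            reach = $7 + 0                 # octal shift register, 0 = never answered
            off = $9 + 0; if (off < 0) off = -off   # offset column, in ms
            if (reach == 0)        { print "UNREACHABLE " remote; bad = 1 }
            else if (tally != "*") { print "NOT_SYS_PEER " remote " (tally \"" tally "\")"; bad = 1 }
            else if (off > max_ms) { print "OFFSET_TOO_LARGE " remote " " off " ms"; bad = 1 }
            else                     print "OK " remote " offset " off " ms"
        }
        END {
            if (!found) { print "PEER_MISSING " want; bad = 1 }
            exit (bad ? 1 : 0)
        }'
}
# Constructed samples of `ntpq -p` output (not captured from a real host)
NTPQ_OK='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.168.11.100  .LOCL.           1 u   12   64  377    0.412   -1.234   0.567'
NTPQ_BAD='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 192.168.11.100  .INIT.          16 u    -   64    0    0.000    0.000   0.000'
if [ "${1:-}" = demo ]; then
    printf '%s\n' "$NTPQ_OK" | ntp_peer_ok 192.168.11.100
    printf '%s\n' "$NTPQ_BAD" | ntp_peer_ok 192.168.11.100
fi
```

Run it as `sh ntp_check.sh demo` to see both samples evaluated, or pipe live `ntpq -p` output into `ntp_peer_ok` before attempting the join.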
- Set the PDC as DNS server:
sudoedit /etc/resolv.conf
nameserver 192.168.11.100
- Edit the Samba configuration:
sudoedit /etc/samba/smb.conf
[global]
# NetBIOS (short) domain name
workgroup = DOMAIN
security = ADS
# Kerberos realm: must be the same value as default_realm in /etc/krb5.conf
realm = DOMAIN.PRIV
min protocol = SMB2
server signing = auto
client signing = auto
# 0 disables the check that domain users map to a uid of at least this value (default 1000)
min domain uid = 0
winbind refresh tickets = Yes
vfs objects = acl_xattr
acl_xattr:ignore system acl = yes
map acl inherit = Yes
store dos attributes = Yes
inherit acls = yes
inherit owner = yes
inherit permissions = yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
username map = /etc/samba/user.map
# To disable printing completely, add these lines:
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
log file = /var/log/samba/%m.log
log level = 1
# Default ID mapping configuration for local BUILTIN accounts
# and groups on a domain member. The default (*) domain:
# - must not overlap with any domain ID mapping configuration!
# - must use a read-write-enabled back end, such as tdb.
idmap config * : backend = tdb
idmap config * : range = 3000-7999
# - You must set a DOMAIN backend configuration.
# The name after "idmap config" is the workgroup (NetBIOS domain name) set
# above, and its range must not overlap with the "*" range.
idmap config DOMAIN : backend = rid
idmap config DOMAIN : range = 10000-999999
# Template settings for login shell and home directory
template shell = /bin/bash
template homedir = /home/%U
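Before restarting winbind, the idmap section above can be checked mechanically. The following shell function is an added example (not from the original page): it reads an smb.conf, or the output of `testparm -s`, confirms that every `idmap config <name>` block uses the workgroup name, and that no two idmap ranges overlap. The two sample configurations in the block are constructed; the second reproduces a mismatched idmap domain name and an overlapping range.

```shell
#!/bin/sh
# Added example, not from the original page: sanity-check the idmap section of an
# smb.conf before restarting winbind.  It verifies that every "idmap config NAME"
# entry names the configured workgroup and that no two idmap ranges overlap (the
# "*" range must be disjoint from the domain range, as the comments above say).
# Usage: idmap_check < /etc/samba/smb.conf     or     testparm -s 2>/dev/null | idmap_check
idmap_check() {
    awk '
        /^[ \t]*[#;]/ { next }                        # comment lines
        {
            line = $0; sub(/[ \t]*[#;].*$/, "", line) # trailing comments
            if (line !~ /=/) next                      # section headers, blanks
            key = line; sub(/[ \t]*=.*$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", key)
            val = line; sub(/^[^=]*=[ \t]*/, "", val); gsub(/[ \t]+$/, "", val)
            key = tolower(key); gsub(/[ \t]+/, " ", key)
            if (key == "workgroup") { wg = toupper(val); next }
            if (key ~ /^idmap config .* : range$/) {
                dom = key; sub(/^idmap config /, "", dom); sub(/ : range$/, "", dom)
                n++; doms[n] = toupper(dom)
                split(val, r, "-"); lo[n] = r[1] + 0; hi[n] = r[2] + 0
            }
        }
        END {
            if (wg == "") { print "NO_WORKGROUP"; bad = 1 }
            for (i = 1; i <= n; i++) {
                if (lo[i] >= hi[i]) { print "BAD_RANGE " doms[i] " " lo[i] "-" hi[i]; bad = 1 }
                if (doms[i] != "*" && doms[i] != wg) { print "DOMAIN_MISMATCH " doms[i] " vs workgroup " wg; bad = 1 }
                for (j = i + 1; j <= n; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) { print "OVERLAP " doms[i] " " doms[j]; bad = 1 }
            }
            if (!bad) print "OK workgroup=" wg ", " n " idmap range(s)"
            exit (bad ? 1 : 0)
        }'
}
# Constructed sample configs (not real hosts): the first matches the page, the
# second has a mismatched idmap domain name and an overlapping range.
SMB_GOOD='workgroup = DOMAIN
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config DOMAIN : backend = rid
idmap config DOMAIN : range = 10000-999999'
SMB_BAD='workgroup = DOMAIN
idmap config * : range = 3000-7999
idmap config GAPARTNERS : range = 5000-999999'
if [ "${1:-}" = demo ]; then
    printf '%s\n' "$SMB_GOOD" | idmap_check
    printf '%s\n' "$SMB_BAD" | idmap_check
fi
```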
- Configure nsswitch:
sudoedit /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat winbind
group: compat winbind
shadow: compat
hosts: files dns wins
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
- Apply the changes:
sudo ldconfig
- Join the domain:
sudo net ads join -U Administrator
- Restart the services:
sudo /etc/init.d/samba stop
sudo /etc/init.d/winbind stop
sudo /etc/init.d/samba start
sudo /etc/init.d/winbind start
- Check that the Windows user names are visible:
sudo wbinfo -u
- Declare a share and assign the correct permissions to its directory (the owner is the workgroup name followed by the winbind separator; the backslash must be quoted, otherwise the shell strips it and chown gets a non-existent user):
sudo chown 'REDIRECTOR_NAME\Administrator': /path/to/share
- Access the share from the PDC: it must not prompt for a password
References
Windows 2000/2003 Domain Controller
WARNING: the Samba version in LENNY cannot join a Samba domain whose PDC runs ETCH!
- Package installation
sudo aptitude install samba winbind
- Enable Windows accounts so they are visible to Linux
sudoedit /etc/nsswitch.conf
passwd: compat winbind
group: compat winbind
- Samba configuration
sudoedit /etc/samba/smb.conf
[global]
workgroup = WINDOWSDOMAIN
server string = Server Description
netbios name = SAMBASERVERNAME
log file = /var/log/samba/samba.log
#log level = 1
syslog = 0
security = domain
passdb backend = tdbsam
encrypt passwords = yes
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
load printers = no

[Samba_Share]
comment = Samba Share Description
writable = yes
path = /path/to/shared/directory
- Restart samba and winbind
sudo invoke-rc.d samba restart
sudo invoke-rc.d winbind restart
- Join the Samba machine to the Windows domain
sudo net rpc join -S WINDOWSPDC -U administrator
- Test whether winbind works; it must also list the users and groups of the Windows domain
wbinfo -u
wbinfo -g
- Test whether the Windows accounts are seen by Linux
getent passwd
getent group