Installing Samba 4.5 AD on Debian
Installing the Domain Controller
Host preparation
vi /etc/hosts
127.0.0.1       localhost
192.168.6.105   pubdc01.pub.priv pubdc01
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters
apt-get install acl attr samba samba-dsdb-modules samba-vfs-modules winbind libpam-winbind libnss-winbind libpam-krb5 krb5-config krb5-user dnsutils
ps ax | egrep "samba|smbd|nmbd|winbindd"
systemctl stop smbd.service
systemctl stop nmbd.service
systemctl stop winbind.service
smbd -b | grep "CONFIGFILE"
rm /etc/samba/smb.conf
smbd -b | egrep "LOCKDIR|STATEDIR|CACHEDIR|PRIVATE_DIR"
cd /var/run/samba
find . -name \*.tdb -exec /bin/rm -f '{}' \;
find . -name \*.ldb -exec /bin/rm -f '{}' \;
cd /var/lib/samba
find . -name \*.tdb -exec /bin/rm -f '{}' \;
find . -name \*.ldb -exec /bin/rm -f '{}' \;
cd /var/cache/samba
find . -name \*.tdb -exec /bin/rm -f '{}' \;
find . -name \*.ldb -exec /bin/rm -f '{}' \;
cd /var/lib/samba/private
find . -name \*.tdb -exec /bin/rm -f '{}' \;
find . -name \*.ldb -exec /bin/rm -f '{}' \;
rm /etc/krb5.conf
samba-tool domain provision --server-role=dc --use-rfc2307 --dns-backend=SAMBA_INTERNAL --realm=ad.gapartners.eu --domain=GAP --adminpass=Passw0rd
The realm must be the DNS domain of the DC's FQDN in /etc/hosts: with pubdc01.pub.priv as above that means --realm=pub.priv --domain=PUB (the realm and domain in this command line come from a different setup). Leave out --adminpass to be prompted instead of leaving the password in the shell history.
vi /etc/samba/smb.conf
[global]
dns forwarder = 8.8.8.8
systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc
systemctl start samba-ad-dc
samba-tool dns zonecreate pubdc01 6.168.192.in-addr.arpa -U Administrator
rm /etc/krb5.conf
cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
# the record name is relative to the zone: "proxy", not "proxy.pub.priv."
samba-tool dns add pubdc01 pub.priv proxy A 192.168.6.254 -U Administrator
apt-get install smbclient
smbclient -L localhost -N
smbclient //localhost/netlogon -UAdministrator -c 'ls'
vi /etc/resolv.conf
nameserver 192.168.6.105
search pub.priv
(search and domain are mutually exclusive in resolv.conf, the last one listed wins, so a single search line is enough)
host -t SRV _ldap._tcp.pub.priv.
host -t SRV _kerberos._udp.pub.priv.
host -t A pubdc01.pub.priv.
kinit administrator
klist
reboot
apt-get install psmisc
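Before running samba-tool domain provision it is worth checking the two things this section sets up by hand: that the DC's name resolves to its LAN address (Debian's default "127.0.1.1 hostname" line makes the DC register a loopback address in AD DNS, and clients then cannot reach it) and that the realm is the DNS domain of the DC's FQDN. The script below is an added example, not part of these notes or of Samba; the hosts files are constructed samples and pubdc01.pub.priv / PUB.PRIV are the names used on this page.

```shell
#!/bin/bash
# Pre-provisioning sanity check for a Samba AD DC (added example, not from the notes).
# Checks: the DC FQDN and short name map only to non-loopback addresses in the hosts
# file, and the realm (case-insensitive) equals the DNS domain part of the FQDN.

# Usage: dc_preflight <hosts-file> <dc-fqdn> <realm>
# Prints every problem found; returns 0 only when the setup is consistent.
dc_preflight() {
    local hosts_file="$1" fqdn="$2" realm="$3"
    local short="${fqdn%%.*}" domain="${fqdn#*.}" status=0

    # Realm must be the DNS domain of the DC (samba-tool derives the zone from it).
    if [ "$(printf '%s' "$realm" | tr 'A-Z' 'a-z')" != "$domain" ]; then
        echo "realm '$realm' does not match the DNS domain of '$fqdn'"
        status=1
    fi

    # Every address assigned to the FQDN or the short name; comments are ignored.
    local addrs
    addrs=$(sed 's/#.*//' "$hosts_file" | awk -v f="$fqdn" -v s="$short" '
        NF >= 2 { for (i = 2; i <= NF; i++) if ($i == f || $i == s) { print $1; break } }')

    if [ -z "$addrs" ]; then
        echo "$fqdn is not listed in $hosts_file"
        status=1
    fi
    for a in $addrs; do
        case "$a" in
            127.*|::1)
                echo "$fqdn resolves to loopback address $a (remove the 127.0.1.1 line)"
                status=1 ;;
        esac
    done
    return $status
}

# Constructed sample hosts files: the one from these notes, and Debian's default
# with the 127.0.1.1 line still present.
GOOD_HOSTS=$(mktemp); BAD_HOSTS=$(mktemp)
cat > "$GOOD_HOSTS" <<'EOF'
127.0.0.1       localhost
192.168.6.105   pubdc01.pub.priv pubdc01
::1             localhost ip6-localhost ip6-loopback
EOF
cat > "$BAD_HOSTS" <<'EOF'
127.0.0.1       localhost
127.0.1.1       pubdc01.pub.priv pubdc01   # Debian default, breaks AD DNS
192.168.6.105   pubdc01.pub.priv pubdc01
EOF

dc_preflight "$GOOD_HOSTS" pubdc01.pub.priv PUB.PRIV && echo "good hosts file: OK"
dc_preflight "$BAD_HOSTS"  pubdc01.pub.priv PUB.PRIV || echo "bad hosts file: rejected"
dc_preflight "$GOOD_HOSTS" pubdc01.pub.priv AD.GAPARTNERS.EU || echo "realm mismatch: rejected"
```

Run it against the real /etc/hosts with the realm you intend to pass to samba-tool; fix whatever it reports before provisioning, because the loopback address would otherwise end up in the DC's A record.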
Time sync, server and client
TODO: migrate to chrony
sudo apt-get install ntp ntpdate
vi /etc/ntp.conf
ntpsigndsocket /var/lib/samba/ntp_signd/
tinker panic 0
Then give ntpd access to Samba's signing socket (needed for signed NTP replies to Windows clients) and restart:
chown root:ntp /var/lib/samba/ntp_signd/
chmod 750 /var/lib/samba/ntp_signd/
ls /var/lib/samba/ntp_signd/
systemctl restart ntp.service
reboot
To quickly join Windows 10 to the domain:
sysdm.cpl
- Disable password complexity (GPOs do not work for this!!!)
These commands relax the policy for the whole domain: fine for a lab, but in production keep complexity, history and expiry enabled and set values that match your password policy.
# Disable password expiration for the Administrator account.
samba-tool user setexpiry Administrator --noexpiry
# Show domain-level password options.
samba-tool domain passwordsettings show
# Disable password complexity at the domain level.
samba-tool domain passwordsettings set --complexity=off
# Disable password history at the domain level.
samba-tool domain passwordsettings set --history-length=0
# Disable the minimum password age at the domain level.
samba-tool domain passwordsettings set --min-pwd-age=0
# Disable the maximum password age at the domain level.
samba-tool domain passwordsettings set --max-pwd-age=0
# Disable the minimum password length at the domain level.
samba-tool domain passwordsettings set --min-pwd-length=0
https://oitibs.com/samba4-domain-password-policy/
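The commands above switch every password control off. The audit below, an added example rather than part of these notes or of samba-tool, parses the output of samba-tool domain passwordsettings show and lists every setting below a chosen minimum, so a lab relaxation does not go unnoticed on a production DC (a domain with complexity off, no history and no lockout is an easy password-spraying target). The two output blocks are constructed samples in the format samba-tool prints; the thresholds (12 characters, 12 remembered passwords, expiry within a year, lockout after 1 to 20 attempts) are assumptions to adjust to your own policy.

```shell
#!/bin/bash
# Password-policy audit for "samba-tool domain passwordsettings show" output
# (added example, not from the notes). Feed it a file captured with
#   samba-tool domain passwordsettings show > /tmp/pwdpolicy.txt
# or the constructed samples below.

# Print the value of one setting: pwd_setting "Minimum password length" <file>
pwd_setting() {
    sed -n "s/^$1:[ \t]*//p" "$2" | head -n 1
}

# Usage: audit_pwd_policy <file>
# One line per weak setting; exit status is the number of findings (0 = compliant).
audit_pwd_policy() {
    local f="$1" n=0 v
    v=$(pwd_setting "Password complexity" "$f")
    [ "$v" = "on" ] || { echo "complexity is $v (expected on)"; n=$((n + 1)); }
    v=$(pwd_setting "Minimum password length" "$f")
    [ "$v" -ge 12 ] || { echo "minimum length $v (expected >= 12)"; n=$((n + 1)); }
    v=$(pwd_setting "Password history length" "$f")
    [ "$v" -ge 12 ] || { echo "history length $v (expected >= 12)"; n=$((n + 1)); }
    v=$(pwd_setting "Maximum password age (days)" "$f")
    [ "$v" -ge 1 ] && [ "$v" -le 365 ] || { echo "maximum age $v days (0 means never expires)"; n=$((n + 1)); }
    v=$(pwd_setting "Account lockout threshold (attempts)" "$f")
    [ "$v" -ge 1 ] && [ "$v" -le 20 ] || { echo "lockout threshold $v (0 means no lockout)"; n=$((n + 1)); }
    return $n
}

# Constructed samples: the policy left by the commands above, and a hardened one.
WEAK=$(mktemp); STRONG=$(mktemp)
cat > "$WEAK" <<'EOF'
Password information for domain 'DC=pub,DC=priv'

Password complexity: off
Store plaintext passwords: off
Password history length: 0
Minimum password length: 0
Minimum password age (days): 0
Maximum password age (days): 0
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30
EOF
cat > "$STRONG" <<'EOF'
Password information for domain 'DC=pub,DC=priv'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 14
Minimum password age (days): 1
Maximum password age (days): 90
Account lockout duration (mins): 30
Account lockout threshold (attempts): 5
Reset account lockout after (mins): 30
EOF

audit_pwd_policy "$WEAK"   || echo "lab policy: $? findings"
audit_pwd_policy "$STRONG" && echo "hardened policy: compliant"
```

The exit status doubles as a finding count, so the function can gate a configuration-management run or a monitoring check without parsing its output.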
Change the password:
smbpasswd administrator
Add the PTR record for the DC from a Windows console, to test it
Domain member for file sharing
- Install another machine to act as file server. Do not configure a file server on the DC
vi /etc/hosts
127.0.0.1       localhost
192.168.6.106   pubsrv01.pub.priv pubsrv01
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters
- Install the packages
apt-get install acl attr samba samba-dsdb-modules samba-vfs-modules winbind libpam-winbind libnss-winbind libpam-krb5 krb5-config krb5-user dnsutils
ps ax | egrep "samba|smbd|nmbd|winbindd"
systemctl stop smbd.service
systemctl stop nmbd.service
systemctl stop winbind.service
ps ax | egrep "samba|smbd|nmbd|winbindd"
smbd -b | grep "CONFIGFILE"
mv /etc/samba/smb.conf /etc/samba/smb.conf.bak
- Delete the old databases:
for DIR in $(smbd -b | egrep "LOCKDIR|STATEDIR|CACHEDIR|PRIVATE_DIR" | tr -s ' ' | cut -f 3 --delimiter=' '); do
    echo CLEANING $DIR
    cd $DIR
    find . -name \*.tdb -exec /bin/rm -f '{}' \;
    find . -name \*.ldb -exec /bin/rm -f '{}' \;
done
- Remove the Kerberos configuration
mv /etc/krb5.conf /etc/krb5.conf.bak
- Point DNS at the DC set up earlier
vi /etc/resolv.conf
nameserver 192.168.6.105
search pub.priv
- Forward DNS test:
nslookup pubdc01.pub.priv
- Reverse DNS test:
nslookup 192.168.6.105
- Configure Kerberos:
vi /etc/krb5.conf
[libdefaults]
default_realm = PUB.PRIV
dns_lookup_realm = false
dns_lookup_kdc = true
- Check that the host's own name resolves to the correct IP (not 127.0.1.1)
getent hosts pubsrv01
Time Sync
Chrony
- Install chrony (it replaces ntp)
apt install chrony ntpdate --purge
- Do a one-off manual sync
ntpdate -bu pool.ntp.org
- Configure chrony: comment out the default pool so that domain members take their time from the DCs only (Kerberos tolerates at most 5 minutes of skew)
vi /etc/chrony/chrony.conf
#pool 2.debian.pool.ntp.org iburst
- For each DC in the domain (relies on the sourcedir /etc/chrony/sources.d directive in Debian's default chrony.conf):
export DC="crodc04.croalliance.priv"
echo "server ${DC} iburst" > /etc/chrony/sources.d/${DC}.sources
- Apply:
systemctl restart chrony
Old systemd-timesyncd
- DEPRECATED: use chrony. Kept only for reference
- Clock: keep systemd-timesyncd
vi /etc/systemd/timesyncd.conf
[Time]
NTP=pubdc01.pub.priv
FallbackNTP=0.debian.pool.ntp.org 1.debian.pool.ntp.org 2.debian.pool.ntp.org 3.debian.pool.ntp.org
systemctl enable systemd-timesyncd
systemctl restart systemd-timesyncd
systemctl status systemd-timesyncd
journalctl -u systemd-timesyncd
- Verify
timedatectl status
Samba configuration
- Configure Samba. WORKGROUP is the NetBIOS domain name and REALM the Kerberos realm; EXAMPLE / EXAMPLE.COM are placeholders (PUB / PUB.PRIV in this setup)
export WORKGROUP=EXAMPLE
export REALM=EXAMPLE.COM
cat > /etc/samba/smb.conf <<EOFile
[global]
workgroup = $WORKGROUP
security = ADS
realm = $REALM
min protocol = SMB2
server signing = auto
client signing = auto
# Only exists from Samba 4.13.13 (CVE-2020-25717 hardening, default 1000).
# Set to 0 here so that the Administrator -> root mapping in user.map keeps
# working; leave it at the default if you do not need that mapping.
# Keep comments on their own line: smbd would read "0 # note" as the value.
min domain uid = 0
winbind refresh tickets = Yes
# If you use the Samba vfs module acl_xattr, you can use the full Windows ACL features
# but you will not be able to manage the ACLs on the OS of the Samba host directly and
# you will not have the permissions enforced by the filesystem.
vfs objects = acl_xattr,dfs_samba4
# On a Samba Active Directory (AD) domain controller (DC), extended ACL support is automatically
# enabled globally. You must not enable the support manually.
# If you are setting the share permissions from Windows (recommended),
# you should add this line to your share.
# This will make Samba ignore the system ACLs (ugo)
acl_xattr:ignore system acl = yes
map acl inherit = Yes
# store dos attributes already defaults to yes in current releases; kept for older ones
store dos attributes = Yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
username map = /etc/samba/user.map
# To disable printing completely, add these lines:
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
EOFile
cat > /etc/samba/user.map <<EOFile
!root = ${WORKGROUP}\Administrator
EOFile
Winbind configuration
Winbind configuration is REQUIRED; otherwise only Administrator can access the network shares and everyone else gets
NT_STATUS_LOGON_FAILURE
cat >> /etc/samba/smb.conf <<EOFile
# Default ID mapping configuration for local BUILTIN accounts
# and groups on a domain member. The default (*) domain:
# - must not overlap with any domain ID mapping configuration!
# - must use a read-write-enabled back end, such as tdb.
idmap config * : backend = tdb
idmap config * : range = 3000-7999
# - You must set a DOMAIN backend configuration
# idmap config for the ${WORKGROUP} domain
idmap config ${WORKGROUP} : backend = rid
idmap config ${WORKGROUP} : range = 10000-999999
# Template settings for login shell and home directory
template shell = /bin/bash
template homedir = /home/%U
EOFile
- Reload the configuration
smbcontrol all reload-config
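Two things are easy to get wrong in the [global] and idmap sections above: the `*` range overlapping the domain range (the comment says they must not overlap, and winbind will not stop you, so BUILTIN and domain accounts can end up sharing uids) and a `#` comment after a value on the same line, which smbd reads as part of the value. The checks below are an added example, not code from these notes or from Samba; the two smb.conf fragments are constructed samples built from the parameters on this page, and testparm remains the authoritative check once the file is installed.

```shell
#!/bin/bash
# smb.conf sanity checks for a domain member (added example, not from the notes).

# Usage: check_idmap_ranges <smb.conf>  -> 0 if no two idmap ranges overlap
check_idmap_ranges() {
    awk -F'=' '
        /^[ \t]*idmap config .*:[ \t]*range[ \t]*=/ {
            name = $1
            sub(/^[ \t]*idmap config[ \t]*/, "", name)   # keep only the domain part
            sub(/[ \t]*:.*$/, "", name)
            split($2, r, "-")
            gsub(/[ \t]/, "", r[1]); gsub(/[ \t]/, "", r[2])
            n++; dom[n] = name; lo[n] = r[1] + 0; hi[n] = r[2] + 0
        }
        END {
            bad = 0
            for (i = 1; i <= n; i++)
                for (j = i + 1; j <= n; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                        printf "idmap ranges overlap: %s (%d-%d) and %s (%d-%d)\n",
                               dom[i], lo[i], hi[i], dom[j], lo[j], hi[j]
                        bad = 1
                    }
            exit bad
        }' "$1"
}

# Usage: check_inline_comments <smb.conf> -> 0 if no "key = value # comment" line exists
# (prints the offending lines with their line numbers otherwise)
check_inline_comments() {
    ! grep -nE '^[[:space:]]*[^#;[:space:]][^=]*=[^#;]*[#;]' "$1"
}

# Constructed samples: a correct fragment and one with both mistakes.
GOOD_CONF=$(mktemp); BAD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
[global]
workgroup = PUB
security = ADS
realm = PUB.PRIV
# Only exists from Samba 4.13.13; needed for the Administrator -> root mapping
min domain uid = 0
# default domain: read-write backend, range separate from the domain range
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config PUB : backend = rid
idmap config PUB : range = 10000-999999
EOF
cat > "$BAD_CONF" <<'EOF'
[global]
workgroup = PUB
min domain uid = 0 # only from 4.13.13
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config PUB : backend = rid
idmap config PUB : range = 5000-999999
EOF

for f in "$GOOD_CONF" "$BAD_CONF"; do
    ok=0
    check_idmap_ranges "$f" || ok=1
    check_inline_comments "$f" || ok=1
    [ "$ok" -eq 0 ] && echo "$f: OK" || echo "$f: fix before installing"
done
```

Run both functions against /etc/samba/smb.conf before smbcontrol all reload-config; the idmap check matters most on a member that already has mappings in winbindd_idmap.tdb, because changing a range afterwards breaks file ownership.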
- Configure the Name Service Switch
- Append winbind to the passwd and group databases in /etc/nsswitch.conf:
vi /etc/nsswitch.conf
passwd: files winbind
group:  files winbind
- Enable and restart the services
systemctl enable smbd
systemctl restart smbd
systemctl enable nmbd
systemctl restart nmbd
systemctl enable winbind
systemctl restart winbind
systemctl status smbd
systemctl status nmbd
systemctl status winbind
Authenticate:
kinit administrator@${REALM}
* NOW DO THE JOIN
samba-tool domain join ${REALM} MEMBER -U administrator
- Restart the services so winbind picks up the new machine account
systemctl enable smbd.service nmbd.service winbind.service
systemctl restart smbd.service nmbd.service winbind.service
Testing the winbindd connectivity
Sending a winbindd ping
To verify that the winbindd service can connect to Active Directory (AD) Domain Controllers (DC) or a primary domain controller (PDC), enter:
wbinfo --ping-dc
checking the NETLOGON for domain[SAMDOM] dc connection to "DC.SAMDOM.EXAMPLE.COM" succeeded
- To look up a domain user (the output below is the Samba wiki's example for SAMDOM\demo01):
getent passwd ${WORKGROUP}\\administrator
SAMDOM\demo01:*:10000:10000:demo01:/home/demo01:/bin/bash
- To look up the domain group Domain Users (output again from the wiki example):
getent group "${WORKGROUP}\\Domain Users"
SAMDOM\domain users:x:10000:
- Assigning file permissions to domain users and groups
chown "${WORKGROUP}\\administrator:${WORKGROUP}\\Domain Admins" file.txt
Filesystem
- ZFS settings (on Linux acltype=posix and xattr=sa are the ones that matter; aclmode and aclinherit only apply to NFSv4-style ACLs)
zfs set acltype=posix aclmode=restricted aclinherit=passthrough xattr=sa DATA/dati
- Create a file and give it extended attributes
touch test.txt
setfattr -n user.test -v test test.txt
setfattr -n security.test -v test2 test.txt
- Verify:
getfattr -d test.txt
# file: test.txt
user.test="test"
- Verify (security.* attributes are not included in the default -d dump, ask for them by name):
getfattr -n security.test -d test.txt
# file: test.txt
security.test="test2"
- Create a file and give it ACLs:
touch test.txt
setfacl -m g:adm:rwx test.txt
- Verify:
getfacl test.txt
# file: test.txt
# owner: root
# group: root
user::rw-
group::r--
group:adm:rwx
mask::rwx
other::r--
- Now set the permissions on the directory that will be shared:
chown root:root /media/samba/prova
chmod 0770 /media/samba/prova
- Add the share to the configuration
vi /etc/samba/smb.conf
[Prova]
path = /media/samba/prova
read only = no
- Reload
smbcontrol all reload-config
User share setup
- Create the dataset:
zfs create DATA/utenti
- Set the properties and permissions (mount it under /media/samba like the other datasets):
zfs set acltype=posix aclmode=restricted aclinherit=passthrough xattr=sa mountpoint=/media/samba/utenti DATA/utenti
chmod 0770 /media/samba/utenti
- Declare the share:
vi /etc/samba/smb.conf
[Utenti]
path = /media/samba/utenti
read only = no
- Reload the config:
smbcontrol all reload-config
- From a Windows console, as MYDOMAIN\Administrator (ignore the error), targeting the file server that hosts the share:
compmgmt.msc /computer:\\MYFILESERVER
Computer Management \ System Tools \ Shared Folders \ Shares
- Right-click, Properties on
Utenti
- The "Share Permissions" tab must contain ONLY
Everyone - Full Control
- In the "Security" tab
Principal        Access             Applies to
Domain Users *   Read & execute     This folder only
CREATOR OWNER    Full control       Subfolders and files only
Domain Admins    Full control       This folder, subfolders and files
(Read & execute alone does not let a user create their own folder; add "Create folders / append data" on this folder only, as in the profiles share below, unless the folders are created in advance.)
- Set the drive and path in the user account
P: \\MYFILESERVER\Utenti\%USERNAME%
- When the user logs on, the folder is created and mapped.
Share for roaming profiles
- Create the dataset:
zfs create DATA/profili
zfs set acltype=posix aclmode=restricted aclinherit=passthrough xattr=sa mountpoint=/media/samba/profili DATA/profili
chmod 0770 /media/samba/profili
chown "GAPARTNERS\\Administrator:GAPARTNERS\\Domain Admins" /media/samba/profili
- Setting up the share on the Samba file server
- Create a new share (the path is the dataset mounted above, not the wiki's /srv/samba/profiles).
vi /etc/samba/smb.conf
[profiles]
comment = Users profiles
path = /media/samba/profili/
# browseable = No
# SET THIS AFTERWARDS, OTHERWISE THE SHARE IS NOT VISIBLE IN SHARE MANAGEMENT
read only = No
csc policy = disable
vfs objects = acl_xattr
- Reload the config:
smbcontrol all reload-config
- In share management, set the share permissions to
Everyone
Full Control
- In share management, set the security to
Principal        Access                               Applies to
Domain Users *   Traverse folder / execute file       This folder only
                 List folder / read data
                 Create folder / append data
CREATOR OWNER    Full control                         Subfolders and files only
Domain Admins    Full control                         This folder, subfolders and files
SYSTEM **        Full control                         This folder, subfolders and files
If the profile does not load locally:
- delete the local copy of the profile
C:\Users\UserName
- delete the profile's registry key under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
- Verify that permission inheritance is disabled on the root of the share. If any permission entry in the
Advanced Security Settings window displays a path in the Inherited from column, click the Disable inheritance button. On Windows 7, unselect the Include inheritable permissions from this object's parent check box to set the same setting.
References
- Roaming Windows User Profiles - SambaWiki
- [Samba Windows Profiles Not Being Created]
Configuring Windows profile folder redirections
- Do it with a GPO
Notes to verify
- OpenZFS does not support nfs4acl, which is essentially a clone of the Windows ACL.
The Linux NFS4 client does support NFS4 ACLs. They can be viewed and managed through the nfs4-acl-tools package (put NFS on top of ZFS?)
See whether this works: https://mywushublog.com/2012/05/zfs-and-acls-with-samba/
[samba_zfs_share]
vfs objects = zfsacl
path = /test/zfs_mount
nfs4:mode = simple
nfs4:acedup = merge
- Group Policies
To configure Group Policy administrative templates, copy the content of the C:\Windows\PolicyDefinitions folder of a Windows 10 machine into the central store (sysvol\<domain>\Policies\PolicyDefinitions) on every domain controller. Samba currently does not replicate the sysvol share; you must implement your own replication with rsync or robocopy.
C:\> mkdir \\frankendc1.franken.local\sysvol\franken.local\Policies\PolicyDefinitions
C:\> mkdir \\frankendc2.franken.local\sysvol\franken.local\Policies\PolicyDefinitions
C:\> robocopy /s C:\Windows\PolicyDefinitions \\frankendc1.franken.local\sysvol\franken.local\Policies\PolicyDefinitions
C:\> robocopy /s C:\Windows\PolicyDefinitions \\frankendc2.franken.local\sysvol\franken.local\Policies\PolicyDefinitions
TODO
- https://wiki.samba.org/index.php/Samba_File_Serving
- https://wiki.samba.org/index.php/Print_Server_Support
- https://michlstechblog.info/blog/samba-setup-an-active-directory/
References
- SambaWiki
- Applying a password strategy with Samba-AD — Samba-AD 4.14 documentation
- About GPOs (Group Policy Objects) — Samba-AD 4.14 documentation
- Samba: Setup an Active Directory
- Samba: Join an additional Domain Controller to Samba Active Directory
- How to configure Roaming Profiles and Folder Redirection