Installing Samba 4.5 AD on Debian
Domain Controller Installation
Host Preparation
vi /etc/hosts
127.0.0.1 localhost
192.168.6.105 pubdc01.pub.priv pubdc01
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
apt-get install acl attr samba samba-dsdb-modules samba-vfs-modules winbind libpam-winbind libnss-winbind libpam-krb5 krb5-config krb5-user dnsutils
ps ax | egrep "samba|smbd|nmbd|winbindd"
systemctl stop smbd.service
systemctl stop nmbd.service
systemctl stop winbind.service
smbd -b | grep "CONFIGFILE"
rm /etc/samba/smb.conf
smbd -b | egrep "LOCKDIR|STATEDIR|CACHEDIR|PRIVATE_DIR"
cd /var/run/samba
find . -name \*.tdb -exec /bin/rm -f '{}' \;
find . -name \*.ldb -exec /bin/rm -f '{}' \;
cd /var/lib/samba
find . -name \*.tdb -exec /bin/rm -f '{}' \;
find . -name \*.ldb -exec /bin/rm -f '{}' \;
cd /var/cache/samba
find . -name \*.tdb -exec /bin/rm -f '{}' \;
find . -name \*.ldb -exec /bin/rm -f '{}' \;
cd /var/lib/samba/private
find . -name \*.tdb -exec /bin/rm -f '{}' \;
find . -name \*.ldb -exec /bin/rm -f '{}' \;
rm /etc/krb5.conf
samba-tool domain provision --server-role=dc --use-rfc2307 --dns-backend=SAMBA_INTERNAL --realm=ad.gapartners.eu --domain=GAP --adminpass=Passw0rd
vi /etc/samba/smb.conf
[global]
dns forwarder = 8.8.8.8
systemctl enable samba-ad-dc
systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc
systemctl start samba-ad-dc
samba-tool dns zonecreate pubdc01 6.168.192.in-addr.arpa -U Administrator
rm /etc/krb5.conf
cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
samba-tool dns add pubdc01 pub.priv proxy.pub.priv. A 192.168.6.254 -U Administrator
apt-get install smbclient
smbclient -L localhost -N
smbclient //localhost/netlogon -UAdministrator -c 'ls'
vi /etc/resolv.conf
nameserver 192.168.6.105
search pub.priv
domain pub.priv
host -t SRV _ldap._tcp.pub.priv.
host -t SRV _kerberos._udp.pub.priv.
host -t A pubdc01.pub.priv.
kinit administrator
klist
reboot
apt-get install psmisc
Time Sync Server on the DC
NTP has problems on Debian. Use chrony.
Install chrony on the DC:
apt install chrony ipcalc
Configure it:
cat > /etc/chrony/conf.d/samba.conf <<EOFile
bindcmdaddress $(ip -o -4 addr show | grep -v ' lo ' | awk '{print $4}' | cut -d/ -f1 | head -n 1)
allow $(ip -o -4 addr show | grep -v ' lo ' | awk '{print $4}' | head -n 1 | awk -F'/' '{print $1"/"$2}')
hwclockfile /etc/adjtime
ntpsigndsocket /var/lib/samba/ntp_signd/
EOFile
Check that the IP address and network are correct:
cat /etc/chrony/conf.d/samba.conf
Apply permissions to the DIRECTORY of the socket:
chown root:_chrony /var/lib/samba/ntp_signd/
chmod 750 /var/lib/samba/ntp_signd/
Restart and check in the log that +SIGND and MS-SNTP authentication enabled appear
systemctl restart chrony
journalctl -f -u chrony
Join the domain from a Windows client. To add Windows 10 to the domain quickly:
sysdm.cpl
- Verify that the time sync succeeded:
net stop w32time
w32tm /unregister
w32tm /register
net start w32time
w32tm /resync /force
Disable password complexity (GPOs do NOT work for this!!!)
# Disable password expiration for the Administrator account.
samba-tool user setexpiry Administrator --noexpiry
# Show domain level password options.
samba-tool domain passwordsettings show
# Disable password complexity at the domain level.
samba-tool domain passwordsettings set --complexity=off
# Disable password history at the domain level.
samba-tool domain passwordsettings set --history-length=0
# Disable password min-age at the domain level.
samba-tool domain passwordsettings set --min-pwd-age=0
# Disable password max-age at the domain level.
samba-tool domain passwordsettings set --max-pwd-age=0
# Disable minimum password length at the domain level.
samba-tool domain passwordsettings set --min-pwd-length=0
https://oitibs.com/samba4-domain-password-policy/
Change the password:
smbpasswd administrator
Add the PTR record for the DC from a Windows console to test it
Domain Member for File Sharing
Preparation
- Install another machine that will act as file server. Do not configure the file server on the DC
vi /etc/hosts
127.0.0.1 localhost
192.168.6.106 pubsrv01.pub.priv pubdc01
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
- Install the packages
apt-get install acl attr samba samba-dsdb-modules samba-vfs-modules winbind libpam-winbind libnss-winbind libpam-krb5 krb5-config krb5-user dnsutils ldb-tools
ps ax | egrep "samba|smbd|nmbd|winbindd"
systemctl stop smbd.service
systemctl stop nmbd.service
systemctl stop winbind.service
ps ax | egrep "samba|smbd|nmbd|winbindd"
smbd -b | grep "CONFIGFILE"
mv /etc/samba/smb.conf /etc/samba/smb.conf.bak
- Delete the old DBs:
for DIR in $(smbd -b | egrep "LOCKDIR|STATEDIR|CACHEDIR|PRIVATE_DIR" | tr -s ' ' | cut -f 3 --delimiter=' '); do
    echo CLEANING $DIR
    cd $DIR
    find . -name \*.tdb -exec /bin/rm -f '{}' \;
    find . -name \*.ldb -exec /bin/rm -f '{}' \;
done
- Delete the Kerberos config
mv /etc/krb5.conf /etc/krb5.conf.bak
- Point DNS at the DC installed earlier
vi /etc/resolv.conf
nameserver 192.168.6.105
search pub.priv
domain pub.priv
- Forward DNS test:
nslookup pubdc01.pub.priv
- Reverse DNS test:
nslookup 192.168.6.105
- Configure Kerberos:
vi /etc/krb5.conf
[libdefaults]
default_realm = PUB.PRIV
dns_lookup_realm = false
dns_lookup_kdc = true
- Check that resolving the host's own name returns the correct IP
getent hosts pubsrv02
Web Service Discovery
Install this daemon so that the file server is visible when browsing the network:
apt install wsdd
References
Time Sync
Chrony
- Install chrony
apt install chrony ntpdate --purge
- Do a manual sync
ntpdate -bu pool.ntp.org
- Configure chrony, editing the following line:
vi /etc/chrony/chrony.conf
#pool 2.debian.pool.ntp.org iburst
- For each DC in the domain:
export DC="crodc04.croalliance.priv"
echo "server ${DC} iburst" > /etc/chrony/sources.d/${DC}.sources
- Apply:
systemctl restart chrony
Old systemd-timesyncd
- DEPRECATED: use chrony. Kept only for reference
- Clock: keep systemd-timesyncd
vi /etc/systemd/timesyncd.conf
[Time]
NTP=pubdc01.pub-priv
FallbackNTP=0.debian.pool.ntp.org 1.debian.pool.ntp.org 2.debian.pool.ntp.org 3.debian.pool.ntp.org
systemctl enable systemd-timesyncd
systemctl restart systemd-timesyncd
systemctl status systemd-timesyncd
journalctl -u systemd-timesyncd
- Verify
timedatectl status
Samba Configuration
- Configure Samba
export WORKGROUP=EXAMPLE
export REALM=EXAMPLE.COM
cat > /etc/samba/smb.conf <<EOFile
[global]
workgroup = $WORKGROUP
security = ADS
realm = $REALM
min protocol = SMB2
server signing = auto
client signing = auto
# min domain uid is only available from Samba 4.13.13 (no inline comments in smb.conf values)
min domain uid = 0
winbind refresh tickets = Yes
# If you use the Samba vfs module acl_xattr, you can use the full Windows ACL features
# but you will not be able to manage the ACLs on the OS of the Samba host directly and
# you will not have the permissions enforced by the filesystem.
vfs objects = acl_xattr,dfs_samba4
map acl inherit = yes
# On a Samba Active Directory (AD) domain controller (DC), extended ACL support is automatically
# enabled globally. You must not enable the support manually.
# If you are setting the shares permissions from Windows (recommended),
# you should add this line to your share
# This will make Samba ignore the system ACL's (ugo)
acl_xattr:ignore system acls = yes
map acl inherit = Yes
store dos attributes = Yes
# ^^^ not needed after Samba 4.5 ?
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
username map = /etc/samba/user.map
# To disable printing completely, add these lines:
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
EOFile
cat > /etc/samba/user.map <<EOFile
!root = ${WORKGROUP}\Administrator
EOFile
Winbind Configuration
Configuring Winbind is REQUIRED, otherwise only Administrator will be able to access the network shares; every other user will get
NT_STATUS_LOGON_FAILURE
vi /etc/samba/smb.conf
cat >> /etc/samba/smb.conf <<EOFile
# Default ID mapping configuration for local BUILTIN accounts
# and groups on a domain member. The default (*) domain:
# - must not overlap with any domain ID mapping configuration!
# - must use a read-write-enabled back end, such as tdb.
idmap config * : backend = tdb
idmap config * : range = 3000-7999
# - You must set a DOMAIN backend configuration
# idmap config for the ${WORKGROUP} domain
idmap config ${WORKGROUP} : backend = rid
idmap config ${WORKGROUP} : range = 10000-999999
# Template settings for login shell and home directory
template shell = /bin/bash
template homedir = /home/%U
EOFile
- Reload
smbcontrol all reload-config
- Configuring the Name Service Switch
- Append the winbind entry to the following databases in /etc/nsswitch.conf:
vi /etc/nsswitch.conf
passwd: files winbind
group: files winbind
- Restart everything except winbind
systemctl enable smbd
systemctl restart smbd
systemctl enable nmbd
systemctl restart nmbd
systemctl enable winbind
systemctl status smbd
systemctl status nmbd
Authenticate:
kinit administrator@${REALM}
- NOW DO THE JOIN
samba-tool domain join ${REALM} MEMBER -U administrator
systemctl enable smbd.service nmbd.service winbind.service
systemctl restart smbd.service nmbd.service winbind.service
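The idmap block above requires that the default (*) range never overlaps a domain range, and Samba will not tell you clearly when it does. This added check (not part of the original notes) extracts every "idmap config DOM : range = LOW-HIGH" line from an smb.conf with POSIX shell and awk and fails on any overlapping pair; the two sample configs are constructed here.

```shell
#!/bin/sh
# Added example: verify that idmap ranges in an smb.conf do not overlap.
# Assumes lines of the form "idmap config DOM : range = LOW-HIGH" (tabs allowed).

# Print "DOMAIN LOW HIGH" for every idmap range line in the file given as $1.
idmap_ranges() {
    tr -s '\t ' ' ' < "$1" | awk -F'=' '
        tolower($1) ~ /^ *idmap config .*: *range *$/ {
            dom = $1
            sub(/^ *idmap config +/, "", dom)   # drop the "idmap config " prefix
            sub(/ *:.*$/, "", dom)              # drop " : range " -> leaves DOMAIN
            split($2, r, "-")
            gsub(/ /, "", r[1]); gsub(/ /, "", r[2])
            print dom, r[1], r[2]
        }'
}

# Exit 0 if no two ranges overlap, 1 otherwise (printing each offending pair).
idmap_check() {
    idmap_ranges "$1" | awk '
        { d[NR] = $1; lo[NR] = $2; hi[NR] = $3 }
        END {
            bad = 0
            for (i = 1; i <= NR; i++)
                for (j = i + 1; j <= NR; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                        printf "overlap: %s %d-%d vs %s %d-%d\n", d[i], lo[i], hi[i], d[j], lo[j], hi[j]
                        bad = 1
                    }
            exit bad
        }'
}

# Constructed sample configs: the first mirrors the ranges used above, the
# second widens the default range so that it collides with the domain range.
good=$(mktemp); bad=$(mktemp)
cat > "$good" <<'EOF'
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config EXAMPLE : backend = rid
idmap config EXAMPLE : range = 10000-999999
EOF
cat > "$bad" <<'EOF'
idmap config * : backend = tdb
idmap config * : range = 3000-20000
idmap config EXAMPLE : backend = rid
idmap config EXAMPLE : range = 10000-999999
EOF
idmap_check "$good" && echo "no overlap in $good"
idmap_check "$bad" || echo "overlap found in $bad"
```

Run it against the real file with `idmap_check /etc/samba/smb.conf` before `smbcontrol all reload-config`.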
Testing the Winbindd Connectivity
Sending a Winbindd Ping
To verify if the Winbindd service is able to connect to Active Directory (AD) Domain Controllers (DC) or a primary domain controller (PDC), enter:
wbinfo --ping-dc
checking the NETLOGON for domain[SAMDOM] dc connection to "DC.SAMDOM.EXAMPLE.COM" succeeded
- To look up the domain user SAMDOM\demo01:
getent passwd ${WORKGROUP}\\administrator
SAMDOM\demo01:*:10000:10000:demo01:/home/demo01:/bin/bash
- To look up the domain group Domain Users:
getent group "${WORKGROUP}\\Domain Users"
SAMDOM\domain users:x:10000:
- Assigning File Permissions to Domain Users and Groups
chown "${WORKGROUP}\\administrator:${WORKGROUP}\\Domain Admins" file.txt
Filesystem
- ZFS settings
zfs set acltype=posix aclmode=restricted aclinherit=passthrough xattr=sa DATA/dati
- Create a file and give it extended attributes
touch test.txt
setfattr -n user.test -v test test.txt
setfattr -n security.test -v test2 test.txt
- Verify:
getfattr -d test.txt
# file: test.txt
user.test="test"
- Verify:
getfattr -n security.test -d test.txt
# file: test.txt
security.test="test2"
- Create a file and give it ACLs:
touch test.txt
setfacl -m g:adm:rwx test.txt
- Verify:
getfacl test.txt
# file: test.txt
# owner: root
# group: root
user::rw-
group::r--
group:adm:rwx
mask::rwx
other::r--
- Now set the rights on the directory that will be shared:
chown root:root /media/samba/prova
chmod 0770 /media/samba/prova
- Add the share to the configuration
vi /etc/samba/smb.conf
[Prova]
path = /media/samba/prova
read only = no
- Reload
smbcontrol all reload-config
- Test access to the share from a client
- If it fails, check the logs
journalctl -f -u smbd -u winbind -u nmbd
- If you get the error
samdb_connect failed
- Create an empty sam.ldb file and restart the daemons:
ldbadd -H /var/lib/samba/private/sam.ldb </dev/null
smbcontrol all reload-config
Generic Share Settings
- Create the dataset:
zfs create DATA/samba/data -o mountpoint=/media/samba/data
- Set the properties and permissions:
zfs set acltype=posix aclmode=restricted aclinherit=passthrough xattr=sa DATA/samba/data
- Without 0777, users cannot enter or modify files, despite the ACLs:
chmod 0777 /media/samba/data
- Set permissions
chown -R MYDOMAIN\\Administrator:MYDOMAIN\\Domain\ Admins /media/samba/d
- Set the share definition:
vi /etc/samba/smb.conf
[Data]
writeable = yes
path = /media/samba/data
inherit permissions = yes
inherit acls = yes
vfs objects = shadow_copy2, full_audit, dfs_samba4, acl_xattr
acl_xattr:ignore system acls = yes
acl_xattr:default acl style = windows
full_audit:prefix = %u|%I
full_audit:success = unlinkat renameat mkdirat create_file
shadow: snapdir = .zfs/snapshot
shadow: sort = desc
shadow: format = %Y-%m-%d-%H%M%S
shadow: localtime = yes
- Reload the config:
smbcontrol all reload-config
- From a Windows console, as MYDOMAIN\Administrator (ignore the error):
compmgmt.msc /computer:\\mydomainmember
Computer Management \ System Tools \ Shared Folders \ Shares
- Right-click Properties on
Data
- The "Share Permissions" tab must contain ONLY
Everyone - Full Control
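The [Data] share above turns on full_audit with prefix %u|%I and logs successful unlinkat, renameat, mkdirat and create_file calls, but the notes never show what to do with those lines. This added example (not from the original notes) summarises them per user and flags anyone deleting more than a threshold of files, a crude mass-deletion signal; the syslog line layout "smbd_audit: USER|IP|OP|RESULT|ARGS" and the sample log are constructed here.

```shell
#!/bin/sh
# Added example: triage vfs_full_audit lines from the [Data] share.
# Assumed layout per line: "... smbd_audit: USER|CLIENT_IP|OP|RESULT|ARGS"
# (USER|CLIENT_IP comes from full_audit:prefix = %u|%I).

# Constructed sample log, not real data.
log=$(mktemp)
cat > "$log" <<'EOF'
Mar  3 10:00:01 pubsrv01 smbd_audit: EXAMPLE\alice|192.168.6.50|create_file|ok|0x80|file|open|/media/samba/data/q1.xlsx
Mar  3 10:00:05 pubsrv01 smbd_audit: EXAMPLE\alice|192.168.6.50|unlinkat|ok|/media/samba/data/q1.xlsx
Mar  3 10:00:06 pubsrv01 smbd_audit: EXAMPLE\alice|192.168.6.50|unlinkat|ok|/media/samba/data/q2.xlsx
Mar  3 10:00:07 pubsrv01 smbd_audit: EXAMPLE\alice|192.168.6.50|unlinkat|ok|/media/samba/data/q3.xlsx
Mar  3 10:01:00 pubsrv01 smbd_audit: EXAMPLE\bob|192.168.6.51|mkdirat|ok|/media/samba/data/new
Mar  3 10:01:02 pubsrv01 smbd_audit: EXAMPLE\bob|192.168.6.51|unlinkat|ok|/media/samba/data/tmp.txt
Mar  3 10:01:03 pubsrv01 smbd_audit: EXAMPLE\bob|192.168.6.51|renameat|ok|/media/samba/data/a.txt|/media/samba/data/b.txt
EOF

# Count successful operations per user and operation: prints "USER OP COUNT".
audit_summary() {   # $1 = log file
    awk -F'|' '/smbd_audit: / && $4 == "ok" {
            u = $1; sub(/.*smbd_audit: /, "", u)   # strip the syslog prefix, keep USER
            n[u "|" $3]++
        }
        END { for (k in n) { split(k, p, "|"); print p[1], p[2], n[k] } }' "$1" | sort
}

# Flag users with at least $2 successful deletions: prints "USER COUNT".
audit_deleters() {  # $1 = log file, $2 = threshold
    awk -F'|' -v thr="$2" '/smbd_audit: / && $3 == "unlinkat" && $4 == "ok" {
            u = $1; sub(/.*smbd_audit: /, "", u)
            n[u]++
        }
        END { for (u in n) if (n[u] >= thr) print u, n[u] }' "$1" | sort
}

audit_summary "$log"
audit_deleters "$log" 3
```

On the real server feed it `journalctl -u smbd -o cat` output, or the file syslog writes smbd_audit lines to.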
User Share Settings
- Declare the share:
vi /etc/samba/smb.conf
[Utenti]
path = /media/samba/utenti
read only = no
- From compmgmt, in the share permissions, in the "Security" tab
Principal Access Applies to
Domain Users* Read & execute This folder only
CREATOR OWNER Full control Subfolders and files only
Domain Admins Full control This folder, subfolders and files
- Set the drive and path in the user account
P: \\MYFILESERVER\Utenti\%USERNAME%
- When the user logs on, the folder is created and mapped.
References
Share for Roaming Profiles
- Create the dataset:
zfs create DATA/profili
zfs set acltype=posix aclmode=restricted aclinherit=passthrough xattr=sa mountpoint=/media/samba/profili DATA/profili
chmod 0770 /media/samba/profili
chown "GAPARTNERS\\Administrator:GAPARTNERS\\Domain Admins" /media/samba/profili
- Setting up the Share on the Samba File Server
- Create a new share.
vi /etc/samba/smb.conf
[profiles]
comment = Users profiles
path = /srv/samba/profiles/
# browseable = No
# SET THIS LATER, OTHERWISE THE SHARE IS NOT VISIBLE IN SHARE MANAGEMENT
read only = No
csc policy = disable
vfs objects = acl_xattr
- Reload the config:
smbcontrol all reload-config
- In Share management, set in the share permissions
Everyone
Full Control
- In Share management, set in the security
Principal        Access                              Applies to
Domain Users *   Traverse folder / execute file      This folder only
                 List folder / read data
                 Create folder / append data
CREATOR OWNER    Full control                        Subfolders and files only
Domain Admins    Full control                        This folder, subfolders and files
SYSTEM **        Full control                        This folder, subfolders and files
If the profile does not load locally:
- delete the local copy of the profile
C:\Users\UserName
- delete the profile's registry key in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
- Verify that permission inheritance is disabled on the root of the share. If any permission entry in the
Advanced Security Settings window displays a path in the Inherited from column, click the Disable inheritance button. On Windows 7, unselect the Include inheritable permissions from this object's parent check box to set the same setting.
References
- Roaming Windows User Profiles - SambaWiki
- [Samba Windows Profiles Not Being Created]
Configuring Windows Profile Folder Redirections
- Do it with a GPO
References
Notes to Verify
- OpenZFS does not support nfs4acl, which is essentially a clone of the Windows ACL
The Linux NFS4 client does support NFS4 ACLs. They can be viewed and managed through the nfs4-acl-tools package (put NFS on top of ZFS?)
See whether https://mywushublog.com/2012/05/zfs-and-acls-with-samba/ works
[samba_zfs_share]
vfs objects = zfsacl
path = /test/zfs_mount
nfs4: mode = simple
nfs4: acedup = merge
- Group Policies
To configure Group Policy Administrative Templates, copy the content of your Windows 10 C:\windows\PolicyDefinition folder to the sysvol folder of all Domain Controllers. Samba does not currently support replication of the sysvol folder; you must implement your own replication via rsync or robocopy
C:\> mkdir \\frankendc1.franken.local\sysvol\Policies\PolicyDefinition
C:\> mkdir \\frankendc2.franken.local\sysvol\Policies\PolicyDefinition
C:\> robocopy /s C:\Windows\PolicyDefinition \\frankendc1.franken.local\sysvol\Policies\PolicyDefinition
C:\> robocopy /s C:\Windows\PolicyDefinition \\frankendc2.franken.local\sysvol\Policies\PolicyDefinition
TODO
- https://wiki.samba.org/index.php/Samba_File_Serving
- https://wiki.samba.org/index.php/Print_Server_Support
- https://michlstechblog.info/blog/samba-setup-an-active-directory/
References
- SambaWiki
- Applying a password strategy with Samba-AD — Samba-AD 4.14 documentation
- About GPOs (Group Policy Objects) — Samba-AD 4.14 documentation
- Samba: Setup an Active Directory
- Samba: Join an additional Domain Controller to Samba Active Directory
- How to configure Roaming Profiles and Folder Redirection