Installing a Samba Domain Member Server
Windows 2008 Domain Controller
- If the domain is not NT-compatible, the ADS procedure must be used.
- Example data:
192.168.11.100 - Windows AD server
REDIRECTOR.NAME - domain name
- Install the packages needed for Kerberos authentication:
sudo apt-get install libkrb53 krb5-config krb5-user samba winbind ntpdate ntp
- Stop the services:
sudo /etc/init.d/samba stop
sudo /etc/init.d/winbind stop
sudo /etc/init.d/ntp stop
- Configure Kerberos:
sudoedit /etc/krb5.conf
[libdefaults]
default_realm = REDIRECTOR.NAME
# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).
# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1
# The following libdefaults parameters are only for Heimdal Kerberos.
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
REDIRECTOR.NAME = {
kdc = 192.168.11.100:88
admin_server = 192.168.11.100
}
[domain_realm]
.redirector.name = REDIRECTOR.NAME
redirector.name = REDIRECTOR.NAME
[login]
krb4_convert = true
krb4_get_tickets = false
- Synchronise the clock with the domain controller (Kerberos requires the two clocks to be aligned):
sudo ntpdate 192.168.11.100
- Add the PDC as an NTP server:
sudoedit /etc/ntp.conf
server 192.168.11.100
- Start ntp:
sudo /etc/init.d/ntp start
- Check that all the declared NTP servers can be reached:
sudo ntpq -p
- Set the PDC as the DNS server:
sudoedit /etc/resolv.conf
nameserver 192.168.11.100
- Edit the Samba configuration (/etc/samba/smb.conf), global section:
[global]
workgroup = REDIRECTOR
realm = REDIRECTOR.NAME
server string = %h server (Samba %v)
load printers = no
security = ads
local master = no
domain master = no
preferred master = no
wins server = 192.168.11.100
dns proxy = no
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind use default domain = yes
interfaces = eth0 lo
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
panic action = /usr/share/samba/panic-action %d
invalid users = root
template homedir = /home/%D/%U
template shell = /bin/bash
winbind offline logon = yes
winbind refresh tickets = yes
- Configure nsswitch:
sudoedit /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat winbind
group: compat winbind
shadow: compat
hosts: files dns wins
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
- Apply the changes:
sudo ldconfig
- Join the domain:
sudo net ads join -U Administrator
- Restart the services:
sudo /etc/init.d/samba stop
sudo /etc/init.d/winbind stop
sudo /etc/init.d/samba start
sudo /etc/init.d/winbind start
- Check that the Windows user names are visible:
sudo wbinfo -u
- Declare a share and assign the correct permissions to the directory (the backslash must be quoted so the shell does not strip it):
sudo chown 'REDIRECTOR_NAME\Administrator': /path/to/share
- Access the share from the PDC: it must not ask for a password.
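Before running `net ads join` it is worth checking that smb.conf and krb5.conf agree on the realm, since a mismatch or a lower-case realm makes the Kerberos join fail. The script below is an added example in POSIX sh, not part of the original page: the file fragments it writes are constructed samples in a temporary directory, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original page: sanity checks to run before
# `net ads join`. The smb.conf / krb5.conf fragments below are constructed
# copies written to a temporary directory, not the live system files.
# Print the first uncommented "key = value" match in a file (empty if none).
conf_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\(.*\)/\1/p" "$2" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# Return 0 when smb.conf uses security = ads, its realm equals krb5.conf's
# default_realm, and the realm is upper case (Kerberos realms are case
# sensitive and AD realms are upper case). Otherwise say why and fail.
check_ads_config() {
    smb=$1; krb=$2
    security=$(conf_value security "$smb")
    realm=$(conf_value realm "$smb")
    default_realm=$(conf_value default_realm "$krb")
    if [ "$security" != "ads" ]; then
        echo "security must be ads, found '$security'"; return 1
    fi
    if [ "$realm" != "$default_realm" ]; then
        echo "smb.conf realm '$realm' != krb5.conf default_realm '$default_realm'"; return 2
    fi
    if [ "$realm" != "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]; then
        echo "realm must be upper case, found '$realm'"; return 3
    fi
    echo "ok: security=ads realm=$realm"
}

# Constructed sample files: a consistent pair and a deliberately wrong smb.conf.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/smb.conf" <<'EOF'
[global]
   workgroup = REDIRECTOR
   realm = REDIRECTOR.NAME
   security = ads
EOF
cat > "$SAMPLES/krb5.conf" <<'EOF'
[libdefaults]
        default_realm = REDIRECTOR.NAME
EOF
cat > "$SAMPLES/smb-bad.conf" <<'EOF'
[global]
   realm = redirector.name
   security = ads
EOF

check_ads_config "$SAMPLES/smb.conf" "$SAMPLES/krb5.conf"
check_ads_config "$SAMPLES/smb-bad.conf" "$SAMPLES/krb5.conf" || echo "bad config rejected (rc=$?)"
```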
Windows 2000/2003 Domain Controller
WARNING: the Samba version in Lenny cannot join a Samba domain whose PDC is Etch!
- Install the packages:
sudo aptitude install samba winbind
- Enable the Windows accounts to be seen by Linux:
sudoedit /etc/nsswitch.conf
passwd: compat winbind
group: compat winbind
- Configure Samba:
sudoedit /etc/samba/smb.conf
[global]
workgroup = WINDOWSDOMAIN
server string = Server Description
netbios name = SAMBASERVERNAME
log file = /var/log/samba/samba.log
#log level = 1
syslog = 0
security = domain
passdb backend = tdbsam
encrypt passwords = yes
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
load printers = no

[Samba_Share]
comment = Samba Share Description
writable = yes
path = /path/to/shared/directory
- Restart samba and winbind:
sudo invoke-rc.d samba restart
sudo invoke-rc.d winbind restart
- Join the Samba machine to the Windows domain:
sudo net rpc join -S WINDOWSPDC -U administrator
- Test whether winbind works; it must also list the users and groups of the Windows domain:
wbinfo -u
wbinfo -g
- Test whether the Windows accounts are seen by Linux:
getent passwd
getent group