c3d2-wiki/Server%2Fglobal.mw

= global.hq.c3d2.de =
== Samba Active Directory für DynDNS Updates mit GSS-TSIG ==
Ziel: Einfacher DynDNS-Update-Dienst (mit Kerberos / [http://en.wikipedia.org/wiki/Generic_Security_Service_Algorithm_for_Secret_Key_Transaction GSS-TSIG])
== lxc Container ==
* Debian 7
* Samba 4.1.13 / Kerberos 5
* IPv4: 217.115.11.136
* IPv6: 2001:4dd0:fb82:c3d2:a800:5bff:fe06:c2b7
== DNS ==
* global.hq.c3d2.de
== DNS Nameserver / SRV Records ==
* space.c3d2.de. IN NS global.hq.c3d2.de.
* _dns-update._tcp.c3d2.de. IN SRV 5 0 53 space.c3d2.de.
* _dns-update._udp.c3d2.de. IN SRV 5 0 53 space.c3d2.de.
== Server Installation ==
<pre>
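# Install Samba and stop the daemon before its configuration is replaced.
apt-get install samba
service samba stop
# Start from a clean slate: the packaged smb.conf and everything under
# /var/lib/samba (any earlier Samba databases) are removed so that the
# provision step below creates a fresh domain. This is destructive and not
# recoverable without a backup; '--' keeps the paths from being read as options.
rm -f -- /etc/samba/smb.conf
rm -rfv -- /var/lib/samba
# -p creates /var/lib/samba and private/ in one step.
mkdir -p -- /var/lib/samba/private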
</pre>
== neue Samba Provisionierung ==
<pre>
# Provision a fresh AD domain: DC role, Samba-internal DNS backend, RFC2307
# attributes, 2008_R2 functional level, ntvfs file server.
# 'GEHEIM' is a placeholder. Note that a password given via --adminpass is
# visible in process listings and remains in the shell history.
/usr/bin/samba-tool domain provision \
  --use-ntvfs \
  --use-rfc2307 \
  --function-level=2008_R2 \
  --realm=SPACE.C3D2.DE \
  --domain=SPACE \
  --adminpass='GEHEIM' \
  --server-role='dc' \
  --dns-backend=SAMBA_INTERNAL
</pre>
Samba läuft mit virtuellen sysvol-NTACLs (und damit zukünftig ohne s3fs-Daemon-Unterstützung), da --use-xattrs=yes in dem lxc-Container mit btrfs nicht unterstützt wird!
<pre>
[root@global:~]# /usr/bin/samba-tool domain provision --use-ntvfs --use-rfc2307 --function-level=2008_R2 --realm=SPACE.C3D2.DE --domain=SPACE --adminpass='GEHEIM' --server-role='dc' --dns-backend=SAMBA_INTERNAL
You are not root or your system do not support xattr, using tdb backend for attributes.
not using extended attributes to store ACLs and other metadata. If you intend to use this provision in production, rerun the script as root on a system supporting xattrs.
Looking up IPv4 addresses
Looking up IPv6 addresses
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=space,DC=c3d2,DC=de
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=space,DC=c3d2,DC=de
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /var/lib/samba/private/krb5.conf
Setting up fake yp server settings
Once the above files are installed, your Samba4 server will be ready to use
Server Role: active directory domain controller
Hostname: global
NetBIOS Domain: SPACE
DNS Domain: space.c3d2.de
DOMAIN SID: S-1-5-21-0123456789-123456789-0123456789
[root@global:~]#
</pre>
== smb.conf - Anpassung ==
<pre>
# Edit the generated smb.conf; the adjusted result is listed below.
vi "/etc/samba/smb.conf"
</pre>
<pre>
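# Global parameters
[global]
workgroup = SPACE
realm = SPACE.C3D2.DE
netbios name = GLOBAL
server role = active directory domain controller
# LDAP provisioning per RFC2307 (matches --use-rfc2307 at provision time).
# Samba treats only whole lines starting with '#' or ';' as comments; a
# trailing comment on the parameter line becomes part of the value, so the
# boolean would not parse and the option would fall back to its default.
# The comment therefore lives on its own line.
idmap_ldb:use rfc2307 = yes
posix:eadb = /var/lib/samba/private/eadb.tdb
### dns forwarder = 172.22.99.251
server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns, smb
dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, winreg, srvsvc
### ### ### C3D2 ### ### ###
server string = %h - Global.HQ.C3D2.de
### interfaces = 217.115.11.136 2001:4dd0:fb82:c3d2:a800:5bff:fe06:c2b7
### bind interfaces only = No
# allow dynamic dns update / true = nonsecure + signed
# Only signed (GSS-TSIG) updates are accepted; unauthenticated clients cannot
# change zone data.
allow dns updates = signed
# debian specific
nsupdate command = /usr/sbin/samba_dnsupdate
### ### # server options
### server min protocol = SMB2_02 (from Windows 7 on)
# SMB1 is never negotiated; only SMB2/SMB3 on port 445, NetBIOS is off.
server min protocol = SMB2
server max protocol = SMB3
disable netbios = yes
smb ports = 445
server signing = auto
# protocol stream encryption for smbclient
smb encrypt = auto
### ### # client options (for local services / smbclient etc.)
### client min protocol = SMB2_02
client min protocol = SMB2
client max protocol = SMB3
# LDAP traffic from local client tools is signed and sealed.
client ldap sasl wrapping = seal
client signing = auto
client schannel = auto
# Legacy LM and NTLMv1 authentication are disabled on both server and client
# side; NTLMv2 and SPNEGO (Kerberos) remain available.
lanman auth = No
ntlm auth = No
client use spnego = Yes
client ntlmv2 auth = Yes
client lanman auth = No
client plaintext auth = No
### ### ### C3D2 ### ### ###
[netlogon]
path = /var/lib/samba/sysvol/space.c3d2.de/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
### ### ### C3D2 ### ### ###
#
# EOF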
</pre>
== Samba Checks ==
<pre>
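# Sanity checks after editing smb.conf, chained so that a failing check is not
# hidden by the output of the ones that follow: configuration syntax, the
# SAM database, and the NT ACLs on sysvol.
samba-tool testparm &&
  samba-tool dbcheck &&
  samba-tool ntacl sysvolcheck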
</pre>
== krb5.conf - Anpassung ==
<pre>
# Edit the krb5.conf generated by the provision step; the result is listed below.
vi "/var/lib/samba/private/krb5.conf"
</pre>
<pre>
[libdefaults]
default_realm = SPACE.C3D2.DE
dns_lookup_realm = true
dns_lookup_kdc = true
; AES enctypes are preferred; arcfour-hmac-md5 (RC4) is listed last in all
; four lists for older clients only and should be removed from every list
; once no such client remains, as RC4-based tickets are much weaker than AES.
default_etypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5
; Tickets obtained with these defaults may be forwarded and proxied to other
; hosts; lifetime is given in seconds (86400 s = 24 h).
forwardable = true
proxiable = true
ticket_lifetime = 86400
[realms]
; KDC and admin-server addresses point at the local host (ports 88 / 749).
SPACE.C3D2.DE = {
kdc = localhost:88
admin_server = localhost:749
default_domain = space.c3d2.de
}
[domain_realm]
; Map the DNS domain and all of its subdomains to the realm.
.space.c3d2.de = SPACE.C3D2.DE
space.c3d2.de = SPACE.C3D2.DE
[logging]
default = FILE:/var/log/samba/krb5libs.log
kdc = FILE:/var/log/samba/krb5kdc.log
admin_server = FILE:/var/log/samba/kadmind.log
; Optional KDC settings, currently commented out: refuse anonymous requests,
; require pre-authentication, disable Kerberos 4.
; [kdc]
; allow-anonymous = false
; require-preauth = true
; enable-kerberos4 = false
; # EOF
</pre>
== BTRFS Snapshot ==
<pre>
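# Snapshot the container's rootfs after provisioning and before Samba is
# started, so the freshly provisioned state can be restored. The UTC timestamp
# keeps successive snapshot names distinct and sortable; $(...) replaces the
# backtick form and the target path is quoted.
snap_ts=$(date -u '+%Y.%m.%d-%H.%M.%S')
btrfs subvolume snapshot /var/lib/lxc/global/rootfs "/var/lib/lxc/global/rootfs-snap-smb4-${snap_ts}"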
</pre>
== Samba Server starten ==
<pre>
# Bring Samba back up with the new provision and adjusted configuration.
service samba start
</pre>
== DNS - SRV Record - testen ==
<pre>
[root@vps11:~]# dig SRV @global.hq.c3d2.de _kerberos._tcp.space.c3d2.de
zsh: correct '@global.hq.c3d2.de' to 'global.hq.c3d2.de' [nyae]? n
; <<>> DiG 9.8.4-P2 <<>> SRV @global.hq.c3d2.de _kerberos._tcp.space.c3d2.de
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9702
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;_kerberos._tcp.space.c3d2.de. IN SRV
;; ANSWER SECTION:
_kerberos._tcp.space.c3d2.de. 900 IN SRV 0 100 88 global.space.c3d2.de.
;; Query time: 1 msec
;; SERVER: 2001:4dd0:fb82:c3d2:a800:5bff:fe06:c2b7#53(2001:4dd0:fb82:c3d2:a800:5bff:fe06:c2b7)
;; WHEN: Sat Jan 11 06:01:49 2014
;; MSG SIZE rcvd: 73
[root@vps11:~]#
</pre>
'''That's it!'''