*Empty MediaWiki Message*
parent
067c1cd3c6
commit
5329103d91
|
@ -1,16 +1,260 @@
|
|||
== global.hq.c3d2.de - Samba Active Directory für DynDNS Update mit GSS-TSIG ==
|
||||
|
||||
== lxc Container - Server Installation ==
|
||||
= global.hq.c3d2.de - Samba Active Directory für DynDNS Update mit GSS-TSIG =
|
||||
|
||||
== lxc Container ==
|
||||
* Debian 7
|
||||
* Samba 4.1.13 / Kerberos 5
|
||||
* IPv4: 217.115.11.136
|
||||
* IPv6: 2001:4dd0:fb82:c3d2:a800:5bff:fe06:c2b7
|
||||
|
||||
= DNS =
|
||||
== DNS ==
|
||||
* global.hq.c3d2.de
|
||||
|
||||
= DNS NameServer/SRV Records =
|
||||
== DNS NameServer/SRV Records ==
|
||||
* space.c3d2.de. IN NS global.hq.c3d2.de.
|
||||
* _dns-update._tcp.c3d2.de. IN SRV 5 0 53 space.c3d2.de.
|
||||
* _dns-update._udp.c3d2.de. IN SRV 5 0 53 space.c3d2.de.
|
||||
|
||||
== Server Installation ==
|
||||
|
||||
<pre>
|
||||
apt-get install samba
|
||||
|
||||
service samba stop
|
||||
rm /etc/samba/smb.conf
|
||||
rm -rfv /var/lib/samba
|
||||
mkdir /var/lib/samba
|
||||
mkdir /var/lib/samba/private
|
||||
</pre>
|
||||
|
||||
=== neue Samba Provisionierung ===
|
||||
|
||||
<pre>
|
||||
/usr/bin/samba-tool domain provision --use-ntvfs --use-rfc2307 --function-level=2008_R2 --realm=SPACE.C3D2.DE --domain=SPACE --adminpass='GEHEIM' --server-role='dc' --dns-backend=SAMBA_INTERNAL
|
||||
</pre>
|
||||
|
||||
Samba läuft mit virtuellen sysvol NTACLs, zukünftig fehlende +s3fs Daemon Unterstützung da --use-xattrs=yes nicht in dem lxc Container mit btrfs unterstützt wird!
|
||||
|
||||
<pre>
|
||||
[root@global:~]# /usr/bin/samba-tool domain provision --use-ntvfs --use-rfc2307 --function-level=2008_R2 --realm=SPACE.C3D2.DE --domain=SPACE --adminpass='GEHEIM' --server-role='dc' --dns-backend=SAMBA_INTERNAL
|
||||
You are not root or your system do not support xattr, using tdb backend for attributes.
|
||||
not using extended attributes to store ACLs and other metadata. If you intend to use this provision in production, rerun the script as root on a system supporting xattrs.
|
||||
Looking up IPv4 addresses
|
||||
Looking up IPv6 addresses
|
||||
Setting up share.ldb
|
||||
Setting up secrets.ldb
|
||||
Setting up the registry
|
||||
Setting up the privileges database
|
||||
Setting up idmap db
|
||||
Setting up SAM db
|
||||
Setting up sam.ldb partitions and settings
|
||||
Setting up sam.ldb rootDSE
|
||||
Pre-loading the Samba 4 and AD schema
|
||||
Adding DomainDN: DC=space,DC=c3d2,DC=de
|
||||
Adding configuration container
|
||||
Setting up sam.ldb schema
|
||||
Setting up sam.ldb configuration data
|
||||
Setting up display specifiers
|
||||
Modifying display specifiers
|
||||
Adding users container
|
||||
Modifying users container
|
||||
Adding computers container
|
||||
Modifying computers container
|
||||
Setting up sam.ldb data
|
||||
Setting up well known security principals
|
||||
Setting up sam.ldb users and groups
|
||||
Setting up self join
|
||||
Adding DNS accounts
|
||||
Creating CN=MicrosoftDNS,CN=System,DC=space,DC=c3d2,DC=de
|
||||
Creating DomainDnsZones and ForestDnsZones partitions
|
||||
Populating DomainDnsZones and ForestDnsZones partitions
|
||||
Setting up sam.ldb rootDSE marking as synchronized
|
||||
Fixing provision GUIDs
|
||||
A Kerberos configuration suitable for Samba 4 has been generated at /var/lib/samba/private/krb5.conf
|
||||
Setting up fake yp server settings
|
||||
Once the above files are installed, your Samba4 server will be ready to use
|
||||
Server Role: active directory domain controller
|
||||
Hostname: global
|
||||
NetBIOS Domain: SPACE
|
||||
DNS Domain: space.c3d2.de
|
||||
DOMAIN SID: S-1-5-21-0123456789-123456789-0123456789
|
||||
[root@global:~]#
|
||||
</pre>
|
||||
|
||||
=== smb.conf - Anpassung ===
|
||||
|
||||
<pre>
|
||||
vi /etc/samba/smb.conf
|
||||
</pre>
|
||||
|
||||
<pre>
|
||||
# Global parameters
|
||||
[global]
|
||||
workgroup = SPACE
|
||||
realm = SPACE.C3D2.DE
|
||||
netbios name = GLOBAL
|
||||
server role = active directory domain controller
|
||||
|
||||
idmap_ldb:use rfc2307 = yes # LDAP Provisionierung nach RFC2307
|
||||
posix:eadb = /var/lib/samba/private/eadb.tdb
|
||||
|
||||
### dns forwarder = 172.22.99.251
|
||||
|
||||
server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns, smb
|
||||
dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, winreg, srvsvc
|
||||
|
||||
### ### ### PLITC ### ### ###
|
||||
|
||||
server string = %h - Global.HQ.C3D2.de
|
||||
|
||||
### interfaces = 217.115.11.136 2001:4dd0:fb82:c3d2:a800:5bff:fe06:c2b7
|
||||
### bind interfaces only = No
|
||||
|
||||
# allow dynamic dns update / true = nonsecure + signed
|
||||
allow dns updates = signed
|
||||
|
||||
# freebsd specific
|
||||
nsupdate command = /usr/sbin/samba_dnsupdate
|
||||
|
||||
### ### # server options
|
||||
|
||||
### server min protocol = SMB2_02 (ab Windows 7)
|
||||
server min protocol = SMB2
|
||||
server max protocol = SMB3
|
||||
|
||||
disable netbios = yes
|
||||
smb ports = 445
|
||||
|
||||
server signing = auto
|
||||
|
||||
# protocol stream encryption for smbclient
|
||||
smb encrypt = auto
|
||||
|
||||
### ### # client options (for local services / smbclient etc.)
|
||||
|
||||
### client min protocol = SMB2_02
|
||||
client min protocol = SMB2
|
||||
client max protocol = SMB3
|
||||
|
||||
|
||||
client ldap sasl wrapping = seal
|
||||
|
||||
client signing = auto
|
||||
client schannel = auto
|
||||
|
||||
lanman auth = No
|
||||
ntlm auth = No
|
||||
client use spnego = Yes
|
||||
client ntlmv2 auth = Yes
|
||||
client lanman auth = No
|
||||
client plaintext auth = No
|
||||
|
||||
### ### ### PLITC ### ### ###
|
||||
|
||||
[netlogon]
|
||||
path = /var/lib/samba/sysvol/space.c3d2.de/scripts
|
||||
read only = No
|
||||
|
||||
[sysvol]
|
||||
path = /var/lib/samba/sysvol
|
||||
read only = No
|
||||
|
||||
### ### ### PLITC ### ### ###
|
||||
#
|
||||
# EOF
|
||||
</pre>
|
||||
|
||||
=== Samba Checks ===
|
||||
|
||||
<pre>
|
||||
samba-tool testparm
|
||||
samba-tool dbcheck
|
||||
samba-tool ntacl sysvolcheck
|
||||
</pre>
|
||||
|
||||
=== btrfs snapshot ===
|
||||
|
||||
<pre>
|
||||
btrfs subvolume snapshot /var/lib/lxc/global/rootfs /var/lib/lxc/global/rootfs-snap-smb4-`date -u +%Y.%m.%d-%H.%M.%S`
|
||||
</pre>
|
||||
|
||||
=== krb5.conf - Anpassung ===
|
||||
|
||||
<pre>
|
||||
vi /var/lib/samba/private/krb5.conf
|
||||
</pre>
|
||||
|
||||
<pre>
|
||||
[libdefaults]
|
||||
default_realm = SPACE.C3D2.DE
|
||||
dns_lookup_realm = true
|
||||
dns_lookup_kdc = true
|
||||
default_etypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5
|
||||
|
||||
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5
|
||||
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5
|
||||
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5
|
||||
|
||||
forwardable = true
|
||||
proxiable = true
|
||||
|
||||
ticket_lifetime = 86400
|
||||
|
||||
[realms]
|
||||
SPACE.C3D2.DE = {
|
||||
kdc = localhost:88
|
||||
admin_server = localhost:749
|
||||
default_domain = space.c3d2.de
|
||||
}
|
||||
|
||||
[domain_realm]
|
||||
.space.c3d2.de = SPACE.C3D2.DE
|
||||
space.c3d2.de = SPACE.C3D2.DE
|
||||
|
||||
[logging]
|
||||
default = FILE:/var/log/samba/krb5libs.log
|
||||
kdc = FILE:/var/log/samba/krb5kdc.log
|
||||
admin_server = FILE:/var/log/samba/kadmind.log
|
||||
|
||||
; [kdc]
|
||||
; allow-anonymous = false
|
||||
; require-preauth = true
|
||||
; enable-kerberos4 = false
|
||||
|
||||
; # EOF
|
||||
<pre>
|
||||
|
||||
=== Samba Server starten ===
|
||||
|
||||
<pre>
|
||||
service samba start
|
||||
</pre>
|
||||
|
||||
=== dns testen ===
|
||||
|
||||
<pre>
|
||||
[root@vps11:~]# dig SRV @global.hq.c3d2.de _kerberos._tcp.space.c3d2.de
|
||||
zsh: correct '@global.hq.c3d2.de' to 'global.hq.c3d2.de' [nyae]? n
|
||||
|
||||
; <<>> DiG 9.8.4-P2 <<>> SRV @global.hq.c3d2.de _kerberos._tcp.space.c3d2.de
|
||||
; (2 servers found)
|
||||
;; global options: +cmd
|
||||
;; Got answer:
|
||||
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9702
|
||||
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
|
||||
;; WARNING: recursion requested but not available
|
||||
|
||||
;; QUESTION SECTION:
|
||||
;_kerberos._tcp.space.c3d2.de. IN SRV
|
||||
|
||||
;; ANSWER SECTION:
|
||||
_kerberos._tcp.space.c3d2.de. 900 IN SRV 0 100 88 global.space.c3d2.de.
|
||||
|
||||
;; Query time: 1 msec
|
||||
;; SERVER: 2001:4dd0:fb82:c3d2:a800:5bff:fe06:c2b7#53(2001:4dd0:fb82:c3d2:a800:5bff:fe06:c2b7)
|
||||
;; WHEN: Sat Jan 11 06:01:49 2014
|
||||
;; MSG SIZE rcvd: 73
|
||||
|
||||
[root@vps11:~]#
|
||||
</pre>
|
||||
|
||||
'''Thats it!'''
|
||||
|
|