This commit is contained in:
parent
142d9b3824
commit
6f9913b6d6
@ -1,13 +1,13 @@
|
|||
|
||||
= global.hq.c3d2.de =
|
||||
|
||||
== Samba Active Directory für DynDNS Updates mit GSS-TSIG ==
|
||||
'''Ziel''': einfacher DynDNS Update Dienst (mit [http://en.wikipedia.org/wiki/Kerberos_protocol Kerberos] & [http://en.wikipedia.org/wiki/Generic_Security_Service_Algorithm_for_Secret_Key_Transaction GSS-TSIG] Absicherung) für '''Wunschname'''''.space.c3d2.de''
|
||||
; Ziel: einfacher DynDNS Update Dienst (mit [[wikipedia:Kerberos protocol|Kerberos]] & [[wikipedia:Generic Security Service Algorithm for Secret Key Transaction | GSS-TSIG]] Absicherung) für '''Wunschname'''''.space.c3d2.de''
|
||||
|
||||
{{NiftyDiv|
|
||||
Farbe=#aafd72|
|
||||
Inhalt=
|
||||
|
||||
[https://pentapad.c3d2.de/p/global.hq.c3d2.de aktuelle DNS Reservierungsliste]
|
||||
[[pentapad:global.hq.c3d2.de]] als aktuelle DNS Reservierungsliste
|
||||
}}
|
||||
|
||||
== Client Installation / Einrichtung ==
|
||||
|
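Review bot: The switch from external URLs to interwiki links in this hunk (`[[wikipedia:Kerberos protocol|Kerberos]]`, `[[pentapad:global.hq.c3d2.de]]`) only works if the `wikipedia` and `pentapad` prefixes exist in this wiki's interwiki table; otherwise both render as red links to nonexistent local pages. Please confirm the prefixes are configured, and consider keeping the full pentapad URL as a fallback, since the reservation list is the link readers need most.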
@ -18,25 +18,25 @@ benötigt werden:
|
|||
* Kerberos(5) Client Package (klist/kinit etc.)
|
||||
* do-nsupdate.sh Mini-Skript (Linux/[https://github.com/plitc/samba-nsupdate/tree/macos MacOS]/[https://github.com/plitc/samba-nsupdate/tree/freebsd FreeBSD])
|
||||
|
||||
Samba muss '''NICHT''' auf dem Client-Rechner (als Dienst) konfiguriert werden!
|
||||
Samba muss '''nicht''' auf dem Client-Rechner (als Dienst) konfiguriert werden!
|
||||
|
||||
=== (Debian) Linux ===
|
||||
|
||||
<pre>
|
||||
<source lang="bash">
|
||||
apt-get install samba krb5-user krb5-clients
|
||||
</pre>
|
||||
</source>
|
||||
|
||||
=== (Free) BSD ===
|
||||
=== (Free)BSD ===
|
||||
|
||||
<pre>
|
||||
<source lang="bash">
|
||||
cd /usr/ports/net/samba4/ && make install clean
|
||||
</pre>
|
||||
</source>
|
||||
|
||||
optional:
|
||||
optional
|
||||
|
||||
<pre>
|
||||
<source lang="bash">
|
||||
cd /usr/ports/security/krb5/ && make install clean
|
||||
</pre>
|
||||
</source>
|
||||
|
||||
=== MacOS ===
|
||||
|
||||
|
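Review bot: Renaming the heading `=== (Free) BSD ===` to `=== (Free)BSD ===` changes its anchor, so any existing link to that section breaks; if the rename is intended, check for inbound links. The `<pre>` to `<source lang="bash">` conversion throughout this hunk depends on the SyntaxHighlight extension being installed; without it the tag is shown literally, so the first converted block should be checked in a preview before the rest is merged.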
@ -55,25 +55,28 @@ Active-Directory Mitgliedschaft erforderlich!
|
|||
|
||||
=== do-nsupdate.sh Benutzung ===
|
||||
|
||||
Mini-Skript downloaden, mit [http://en.wikipedia.org/wiki/Vim_%28text_editor%29 vim] bearbeiten und ausführen
|
||||
# Mini-Skript herunterladen
|
||||
# bearbeiten (mit Texteditor eigener Wahl)
|
||||
# ausführen
|
||||
|
||||
<pre>
|
||||
<source lang="bash">
|
||||
KERBEROSADMINUSER="username@SPACE.C3D2.DE"
|
||||
ADMACHINENAME="wunschname.space.c3d2.de"
|
||||
ADSERVERNAME="space.c3d2.de"
|
||||
ADSERVERZONE="space.c3d2.de"
|
||||
ADMACHINETTL="3600"
|
||||
</pre>
|
||||
</source>
|
||||
|
||||
<pre>
|
||||
<source lang="bash">
|
||||
chmod 775 do-nsupdate.sh
|
||||
|
||||
</source>
|
||||
<source lang="bash">
|
||||
./do-nsupdate.sh
|
||||
</pre>
|
||||
</source>
|
||||
|
||||
=== do-nsupdate.sh Beispiel ===
|
||||
|
||||
<pre>
|
||||
<source lang="bash">
|
||||
[daniel@freebie:~]$ ./do-nsupdate.sh
|
||||
username@SPACE.C3D2.DE's Password:
|
||||
Outgoing update query:
|
||||
|
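Review bot: The `chmod 775 do-nsupdate.sh` step, now in its own `<source>` block, makes the script group-writable; since the script runs with the user's Kerberos credentials and carries the `KERBEROSADMINUSER` and zone settings, `chmod 755` (or `700` for a personal copy) is the safer value to document. Also, the example transcript starting at `[daniel@freebie:~]$ ./do-nsupdate.sh` is captured output with a password prompt, not a script, so `lang="text"` fits it better than `lang="bash"`.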
@ -87,9 +90,9 @@ wunschname.space.c3d2.de. 0 ANY A
|
|||
wunschname.space.c3d2.de. 3600 IN A XXX.XXX.XXX.XXX
|
||||
wunschname.space.c3d2.de. 0 ANY AAAA
|
||||
wunschname.space.c3d2.de. 3600 IN AAAA ZZZZ:ZZZZ:ZZZZ::YYYY
|
||||
</pre>
|
||||
</source>
|
||||
|
||||
So läßt sich schnell ein DNS Update durchführen um fix im neuen Netz seine Dienste bereitstellen zu können
|
||||
So lässt sich schnell ein DNS Update durchführen um fix im neuen Netz seine Dienste bereitstellen zu können.
|
||||
|
||||
'''Thats it!'''
|
||||
|
||||
|
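Review bot: The `0 ANY A` / `0 ANY AAAA` lines in this transcript are the delete-all-then-add pattern of the update, and the doc never says so; a sentence noting that every existing A/AAAA record of `wunschname` is replaced on each run would help readers understand why an old address disappears. Minor: `'''Thats it!'''` should be `'''That's it!'''` (the same line appears again in the Tests section).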
@ -139,26 +142,34 @@ samba-tool group addmembers DnsAdmins USERNAME
|
|||
|
||||
== Server Installation ==
|
||||
|
||||
<pre>
|
||||
<source lang="bash">
|
||||
apt-get install samba
|
||||
|
||||
</source>
|
||||
<source lang="bash">
|
||||
service samba stop
|
||||
|
||||
</source>
|
||||
<source lang="bash">
|
||||
rm /etc/samba/smb.conf
|
||||
</source>
|
||||
<source lang="bash">
|
||||
rm -rfv /var/lib/samba
|
||||
</source>
|
||||
<source lang="bash">
|
||||
mkdir /var/lib/samba
|
||||
</source>
|
||||
<source lang="bash">
|
||||
mkdir /var/lib/samba/private
|
||||
</pre>
|
||||
</source>
|
||||
|
||||
=== neue Samba Provisionierung ===
|
||||
|
||||
<pre>
|
||||
<source lang="bash">
|
||||
/usr/bin/samba-tool domain provision --use-ntvfs --use-rfc2307 --function-level=2008_R2 --realm=SPACE.C3D2.DE --domain=SPACE --adminpass='GEHEIM' --server-role='dc' --dns-backend=SAMBA_INTERNAL
|
||||
</pre>
|
||||
</source>
|
||||
|
||||
Samba läuft mit virtuellen sysvol NTACLs, zukünftig fehlende +s3fs Daemon Unterstützung da --use-xattrs=yes nicht in dem lxc Container mit btrfs unterstützt wird!
|
||||
|
||||
<pre>
|
||||
<source lang="bash">
|
||||
[root@global:~]# /usr/bin/samba-tool domain provision --use-ntvfs --use-rfc2307 --function-level=2008_R2 --realm=SPACE.C3D2.DE --domain=SPACE --adminpass='GEHEIM' --server-role='dc' --dns-backend=SAMBA_INTERNAL
|
||||
You are not root or your system do not support xattr, using tdb backend for attributes.
|
||||
not using extended attributes to store ACLs and other metadata. If you intend to use this provision in production, rerun the script as root on a system supporting xattrs.
|
||||
|
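Review bot: The provision command in this hunk passes `--adminpass='GEHEIM'` on the command line, which lands in the shell history and is visible in `ps` while the command runs; the doc should say to omit the option so `samba-tool` prompts for the password, or at least mark `GEHEIM` as a placeholder to replace. Two smaller points: `rm -rfv /var/lib/samba` wipes any existing domain database and deserves an explicit warning line, and splitting `apt-get install samba`, `service samba stop`, `rm ...` and `mkdir ...` into six separate `<source>` blocks makes the sequence harder to read and copy than a single block.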
@ -201,15 +212,15 @@ Hostname: global
|
|||
NetBIOS Domain: SPACE
|
||||
DNS Domain: space.c3d2.de
|
||||
DOMAIN SID: S-1-5-21-0123456789-123456789-0123456789
|
||||
</pre>
|
||||
</source>
|
||||
|
||||
=== smb.conf - Anpassung ===
|
||||
|
||||
<pre>
|
||||
<source lang="bash">
|
||||
vi /etc/samba/smb.conf
|
||||
</pre>
|
||||
</source>
|
||||
|
||||
<pre>
|
||||
<source lang="text">
|
||||
# Global parameters
|
||||
[global]
|
||||
workgroup = SPACE
|
||||
|
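Review bot: The smb.conf listing that starts at `# Global parameters` / `[global]` is tagged `lang="text"`; the highlighter's `ini` language matches smb.conf's `[section]` / `key = value` layout and would give useful highlighting if the installed extension offers it. The `vi /etc/samba/smb.conf` one-liner wrapped in its own bash block is just an editor invocation and could be stated in prose.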
@ -284,23 +295,27 @@ vi /etc/samba/smb.conf
|
|||
### ### ### C3D2 ### ### ###
|
||||
#
|
||||
# EOF
|
||||
</pre>
|
||||
</source>
|
||||
|
||||
=== Samba Checks ===
|
||||
|
||||
<pre>
|
||||
<source lang="bash">
|
||||
samba-tool testparm
|
||||
</source>
|
||||
<source lang="bash">
|
||||
samba-tool dbcheck
|
||||
</source>
|
||||
<source lang="bash">
|
||||
samba-tool ntacl sysvolcheck
|
||||
</pre>
|
||||
</source>
|
||||
|
||||
=== krb5.conf - Anpassung ===
|
||||
|
||||
<pre>
|
||||
<source lang="bash">
|
||||
vi /var/lib/samba/private/krb5.conf
|
||||
</pre>
|
||||
</source>
|
||||
|
||||
<pre>
|
||||
<source lang="text">
|
||||
[libdefaults]
|
||||
default_realm = SPACE.C3D2.DE
|
||||
dns_lookup_realm = true
|
||||
|
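Review bot: The krb5.conf excerpt in this hunk keeps `dns_lookup_realm = true` without comment; this setting lets the client derive the realm from DNS TXT records, which are unauthenticated unless DNSSEC-validated, so the doc should either explain why it is needed here or set it to `false`, since `default_realm = SPACE.C3D2.DE` already covers the single-realm case. Style: the `samba-tool testparm` / `dbcheck` / `ntacl sysvolcheck` commands are again split into three `<source>` blocks where one would do.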
@ -338,25 +353,25 @@ vi /var/lib/samba/private/krb5.conf
|
|||
; enable-kerberos4 = false
|
||||
|
||||
; # EOF
|
||||
</pre>
|
||||
</source>
|
||||
|
||||
=== BTRFS Snapshot ===
|
||||
|
||||
<pre>
|
||||
<source lang="bash">
|
||||
btrfs subvolume snapshot /var/lib/lxc/global/rootfs /var/lib/lxc/global/rootfs-snap-smb4-`date -u +%Y.%m.%d-%H.%M.%S`
|
||||
</pre>
|
||||
</source>
|
||||
|
||||
=== Samba Server starten ===
|
||||
|
||||
<pre>
|
||||
<source lang="bash">
|
||||
service samba start
|
||||
</pre>
|
||||
</source>
|
||||
|
||||
== Tests ==
|
||||
|
||||
=== DNS - SRV Record ===
|
||||
|
||||
<pre>
|
||||
<source lang="bash">
|
||||
[root@vps11:~]# dig SRV @global.hq.c3d2.de _kerberos._tcp.space.c3d2.de
|
||||
zsh: correct '@global.hq.c3d2.de' to 'global.hq.c3d2.de' [nyae]? n
|
||||
|
||||
|
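Review bot: The dig transcript that begins at `[root@vps11:~]# dig SRV @global.hq.c3d2.de _kerberos._tcp.space.c3d2.de` still contains the shell's autocorrect prompt `zsh: correct '@global.hq.c3d2.de' to 'global.hq.c3d2.de' [nyae]? n`, which is noise from the author's zsh setup and will puzzle readers; drop that line from the example. Minor: the btrfs snapshot command uses backticks around `date -u ...`; `$(...)` is the clearer form.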
@ -378,11 +393,11 @@ _kerberos._tcp.space.c3d2.de. 900 IN SRV 0 100 88 global.space.c3d2.de.
|
|||
;; SERVER: 2001:4dd0:fb82:c3d2:a800:5bff:fe06:c2b7#53(2001:4dd0:fb82:c3d2:a800:5bff:fe06:c2b7)
|
||||
;; WHEN: Sat Jan 11 06:01:49 2014
|
||||
;; MSG SIZE rcvd: 73
|
||||
</pre>
|
||||
</source>
|
||||
|
||||
=== Kerberos Ticket ===
|
||||
|
||||
<pre>
|
||||
<source lang="bash">
|
||||
[daniel@freebie:~]$ klist
|
||||
Credentials cache: FILE:/tmp/krb5cc_1001
|
||||
Principal: username@SPACE.C3D2.DE
|
||||
|
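Review bot: Missing documentation around the `klist` transcript beginning at `[daniel@freebie:~]$ klist`: its `Credentials cache:` / `Principal:` labels are Heimdal's output (the FreeBSD client above), whereas MIT krb5's klist, which the Debian `krb5-user` package installs, prints `Ticket cache:` / `Default principal:`; a one-line note that the labels differ by implementation would save readers a false alarm.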
@ -390,7 +405,7 @@ Credentials cache: FILE:/tmp/krb5cc_1001
|
|||
Issued Expires Principal
|
||||
Jan 11 06:11:43 Jan 11 16:11:42 krbtgt/SPACE.C3D2.DE@SPACE.C3D2.DE
|
||||
Jan 11 06:11:43 Jan 11 16:11:42 DNS/global.space.c3d2.de@SPACE.C3D2.DE
|
||||
</pre>
|
||||
</source>
|
||||
|
||||
'''Thats it!'''
|
||||
|
||||
|
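Review bot: The `DNS/global.space.c3d2.de@SPACE.C3D2.DE` entry in this klist excerpt is the service ticket GSS-TSIG obtains for the signed update, and its presence is the real success indicator of the test; the text should say so explicitly rather than just closing with `'''Thats it!'''` (which also needs the apostrophe: `That's it!`).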
@ -402,15 +417,14 @@ Jan 11 06:11:43 Jan 11 16:11:42 DNS/global.space.c3d2.de@SPACE.C3D2.DE
|
|||
|
||||
=== Firewall: IPv6 Rules ===
|
||||
|
||||
<pre>
|
||||
<source lang="bash">
|
||||
sudo apt-get install iptables
|
||||
</pre>
|
||||
|
||||
<pre>
|
||||
</source>
|
||||
<source lang="bash">
|
||||
sudo vi /root/set_firewall_ipv6.sh
|
||||
</pre>
|
||||
</source>
|
||||
|
||||
<pre>
|
||||
<source lang="text">
|
||||
#!/bin/bash
|
||||
# A bash shell script for ip6tables to protect single hosting / dedicated / vps / colo server running CentOS / Debian / RHEL / or any other Linux distribution.
|
||||
# -------------------------------------------------------------------------
|
||||
|
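Review bot: The firewall script starting at `#!/bin/bash` is tagged `<source lang="text">` while the one-line editor commands around it get `lang="bash"`; this should be the other way round, since the script is what benefits from bash highlighting. Also `sudo vi /root/set_firewall_ipv6.sh` is now split from `sudo apt-get install iptables` into a second block; one block would read better.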
@ -568,31 +582,33 @@ $IPT6 -A chk_icmp_packets -p icmp -j RETURN
|
|||
|
||||
### ### ### C3D2 ### ### ###
|
||||
# EOF
|
||||
</pre>
|
||||
</source>
|
||||
|
||||
<pre>
|
||||
<source lang="bash">
|
||||
sudo chmod 555 /root/set_firewall_ipv6.sh
|
||||
sudo chattr +i /root/set_firewall_ipv6.sh
|
||||
</pre>
|
||||
</source>
|
||||
<source lang="bash">
|
||||
sudo chattr +i /root/set_firewall_ipv6.sh</source>
|
||||
|
||||
<pre>
|
||||
<source lang="bash">
|
||||
vi /etc/rc.local
|
||||
</pre>
|
||||
</source>
|
||||
|
||||
<pre>
|
||||
<source lang="text">
|
||||
#!/bin/sh -e
|
||||
#
|
||||
/root/set_firewall_ipv6.sh
|
||||
#
|
||||
exit 0
|
||||
</pre>
|
||||
</source>
|
||||
|
||||
=== Firewallregeln aktivieren ===
|
||||
|
||||
<pre>
|
||||
<source lang="bash">
|
||||
/root/set_firewall_ipv6.sh
|
||||
</pre>
|
||||
|
||||
<pre>
|
||||
</source>
|
||||
<source lang="bash">
|
||||
ip6tables -S
|
||||
</pre>
|
||||
</source>
|
||||
|
||||
[[Kategorie:Infrastruktur]]
|
||||
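Review bot: `sudo chattr +i /root/set_firewall_ipv6.sh` appears twice in this hunk: once in the block together with `sudo chmod 555 /root/set_firewall_ipv6.sh` and again on its own as `<source lang="bash">sudo chattr +i /root/set_firewall_ipv6.sh</source>`; the second copy looks like a leftover from splitting the block, so check which one is meant to survive and remove the other. The `/etc/rc.local` excerpt starting at `#!/bin/sh -e` is tagged `lang="text"` and would be better as `lang="bash"`, consistent with the rest, and the `/root/set_firewall_ipv6.sh` / `ip6tables -S` pair at the end is split into two blocks where one would do.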