gitolite/c3d2-wiki
gitolite/c3d2-wiki
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

form

Browse Source
This commit is contained in:
Vater 2014-01-15 21:40:19 +00:00
parent 142d9b3824
commit 6f9913b6d6
1 changed files with 82 additions and 66 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

148
Server%2Fglobal.mw
View File

@ -1,13 +1,13 @@
= global.hq.c3d2.de =
== Samba Active Directory für DynDNS Updates mit GSS-TSIG ==
'''Ziel''': einfacher DynDNS Update Dienst (mit [http://en.wikipedia.org/wiki/Kerberos_protocol Kerberos] & [http://en.wikipedia.org/wiki/Generic_Security_Service_Algorithm_for_Secret_Key_Transaction GSS-TSIG] Absicherung) für '''Wunschname'''''.space.c3d2.de''
; Ziel: einfacher DynDNS Update Dienst (mit [[wikipedia:Kerberos protocol|Kerberos]] & [[wikipedia:Generic Security Service Algorithm for Secret Key Transaction | GSS-TSIG]] Absicherung) für '''Wunschname'''''.space.c3d2.de''
{{NiftyDiv|
Farbe=#aafd72|
Inhalt=
[https://pentapad.c3d2.de/p/global.hq.c3d2.de aktuelle DNS Reservierungsliste]
[[pentapad:global.hq.c3d2.de]] als aktuelle DNS Reservierungsliste
}}
== Client Installation / Einrichtung ==
@ -18,25 +18,25 @@ benötigt werden:
* Kerberos(5) Client Package (klist/kinit etc.)
* do-nsupdate.sh Mini-Skript (Linux/[https://github.com/plitc/samba-nsupdate/tree/macos MacOS]/[https://github.com/plitc/samba-nsupdate/tree/freebsd FreeBSD])
Samba muss '''NICHT''' auf dem Client-Rechner (als Dienst) konfiguriert werden!
Samba muss '''nicht''' auf dem Client-Rechner (als Dienst) konfiguriert werden!
=== (Debian) Linux ===
<pre>
<source lang="bash">
apt-get install samba krb5-user krb5-clients
</pre>
</source>
=== (Free) BSD ===
=== (Free)BSD ===
<pre>
<source lang="bash">
cd /usr/ports/net/samba4/ && make install clean
</pre>
</source>
optional:
optional
<pre>
<source lang="bash">
cd /usr/ports/security/krb5/ && make install clean
</pre>
</source>
=== MacOS ===
@ -55,25 +55,28 @@ Active-Directory Mitgliedschaft erforderlich!
=== do-nsupdate.sh Benutzung ===
Mini-Skript downloaden, mit [http://en.wikipedia.org/wiki/Vim_%28text_editor%29 vim] bearbeiten und ausführen
# Mini-Skript herunterladen
# bearbeiten (mit Texteditor eigener Wahl)
# ausführen
<pre>
<source lang="bash">
KERBEROSADMINUSER="username@SPACE.C3D2.DE"
ADMACHINENAME="wunschname.space.c3d2.de"
ADSERVERNAME="space.c3d2.de"
ADSERVERZONE="space.c3d2.de"
ADMACHINETTL="3600"
</pre>
</source>
<pre>
<source lang="bash">
chmod 775 do-nsupdate.sh
</source>
<source lang="bash">
./do-nsupdate.sh
</pre>
</source>
=== do-nsupdate.sh Beispiel ===
<pre>
<source lang="bash">
[daniel@freebie:~]$ ./do-nsupdate.sh
username@SPACE.C3D2.DE's Password:
Outgoing update query:
@ -87,9 +90,9 @@ wunschname.space.c3d2.de. 0 ANY A
wunschname.space.c3d2.de. 3600 IN A XXX.XXX.XXX.XXX
wunschname.space.c3d2.de. 0 ANY AAAA
wunschname.space.c3d2.de. 3600 IN AAAA ZZZZ:ZZZZ:ZZZZ::YYYY
</pre>
</source>
So läßt sich schnell ein DNS Update durchführen um fix im neuen Netz seine Dienste bereitstellen zu können
So lässt sich schnell ein DNS Update durchführen um fix im neuen Netz seine Dienste bereitstellen zu können.
'''Thats it!'''
@ -139,26 +142,34 @@ samba-tool group addmembers DnsAdmins USERNAME
== Server Installation ==
<pre>
<source lang="bash">
apt-get install samba
</source>
<source lang="bash">
service samba stop
</source>
<source lang="bash">
rm /etc/samba/smb.conf
</source>
<source lang="bash">
rm -rfv /var/lib/samba
</source>
<source lang="bash">
mkdir /var/lib/samba
</source>
<source lang="bash">
mkdir /var/lib/samba/private
</pre>
</source>
=== neue Samba Provisionierung ===
<pre>
<source lang="bash">
/usr/bin/samba-tool domain provision --use-ntvfs --use-rfc2307 --function-level=2008_R2 --realm=SPACE.C3D2.DE --domain=SPACE --adminpass='GEHEIM' --server-role='dc' --dns-backend=SAMBA_INTERNAL
</pre>
</source>
Samba läuft mit virtuellen sysvol NTACLs, zukünftig fehlende +s3fs Daemon Unterstützung da --use-xattrs=yes nicht in dem lxc Container mit btrfs unterstützt wird!
<pre>
<source lang="bash">
[root@global:~]# /usr/bin/samba-tool domain provision --use-ntvfs --use-rfc2307 --function-level=2008_R2 --realm=SPACE.C3D2.DE --domain=SPACE --adminpass='GEHEIM' --server-role='dc' --dns-backend=SAMBA_INTERNAL
You are not root or your system do not support xattr, using tdb backend for attributes.
not using extended attributes to store ACLs and other metadata. If you intend to use this provision in production, rerun the script as root on a system supporting xattrs.
@ -201,15 +212,15 @@ Hostname: global
NetBIOS Domain: SPACE
DNS Domain: space.c3d2.de
DOMAIN SID: S-1-5-21-0123456789-123456789-0123456789
</pre>
</source>
=== smb.conf - Anpassung ===
<pre>
<source lang="bash">
vi /etc/samba/smb.conf
</pre>
</source>
<pre>
<source lang="text">
# Global parameters
[global]
workgroup = SPACE
@ -284,23 +295,27 @@ vi /etc/samba/smb.conf
### ### ### C3D2 ### ### ###
#
# EOF
</pre>
</source>
=== Samba Checks ===
<pre>
<source lang="bash">
samba-tool testparm
</source>
<source lang="bash">
samba-tool dbcheck
</source>
<source lang="bash">
samba-tool ntacl sysvolcheck
</pre>
</source>
=== krb5.conf - Anpassung ===
<pre>
<source lang="bash">
vi /var/lib/samba/private/krb5.conf
</pre>
</source>
<pre>
<source lang="text">
[libdefaults]
default_realm = SPACE.C3D2.DE
dns_lookup_realm = true
@ -338,25 +353,25 @@ vi /var/lib/samba/private/krb5.conf
; enable-kerberos4 = false
; # EOF
</pre>
</source>
=== BTRFS Snapshot ===
<pre>
<source lang="bash">
btrfs subvolume snapshot /var/lib/lxc/global/rootfs /var/lib/lxc/global/rootfs-snap-smb4-`date -u +%Y.%m.%d-%H.%M.%S`
</pre>
</source>
=== Samba Server starten ===
<pre>
<source lang="bash">
service samba start
</pre>
</source>
== Tests ==
=== DNS - SRV Record ===
<pre>
<source lang="bash">
[root@vps11:~]# dig SRV @global.hq.c3d2.de _kerberos._tcp.space.c3d2.de
zsh: correct '@global.hq.c3d2.de' to 'global.hq.c3d2.de' [nyae]? n
@ -378,11 +393,11 @@ _kerberos._tcp.space.c3d2.de. 900 IN SRV 0 100 88 global.space.c3d2.de.
;; SERVER: 2001:4dd0:fb82:c3d2:a800:5bff:fe06:c2b7#53(2001:4dd0:fb82:c3d2:a800:5bff:fe06:c2b7)
;; WHEN: Sat Jan 11 06:01:49 2014
;; MSG SIZE rcvd: 73
</pre>
</source>
=== Kerberos Ticket ===
<pre>
<source lang="bash">
[daniel@freebie:~]$ klist
Credentials cache: FILE:/tmp/krb5cc_1001
Principal: username@SPACE.C3D2.DE
@ -390,7 +405,7 @@ Credentials cache: FILE:/tmp/krb5cc_1001
Issued Expires Principal
Jan 11 06:11:43 Jan 11 16:11:42 krbtgt/SPACE.C3D2.DE@SPACE.C3D2.DE
Jan 11 06:11:43 Jan 11 16:11:42 DNS/global.space.c3d2.de@SPACE.C3D2.DE
</pre>
</source>
'''Thats it!'''
@ -402,15 +417,14 @@ Jan 11 06:11:43 Jan 11 16:11:42 DNS/global.space.c3d2.de@SPACE.C3D2.DE
=== Firewall: IPv6 Rules ===
<pre>
<source lang="bash">
sudo apt-get install iptables
</pre>
<pre>
</source>
<source lang="bash">
sudo vi /root/set_firewall_ipv6.sh
</pre>
</source>
<pre>
<source lang="text">
#!/bin/bash
# A bash shell script for ip6tables to protect single hosting / dedicated / vps / colo server running CentOS / Debian / RHEL / or any other Linux distribution.
# -------------------------------------------------------------------------
@ -568,31 +582,33 @@ $IPT6 -A chk_icmp_packets -p icmp -j RETURN
### ### ### C3D2 ### ### ###
# EOF
</pre>
</source>
<pre>
<source lang="bash">
sudo chmod 555 /root/set_firewall_ipv6.sh
sudo chattr +i /root/set_firewall_ipv6.sh
</pre>
</source>
<source lang="bash">
sudo chattr +i /root/set_firewall_ipv6.sh</source>
<pre>
<source lang="bash">
vi /etc/rc.local
</pre>
</source>
<pre>
<source lang="text">
#!/bin/sh -e
#
/root/set_firewall_ipv6.sh
#
exit 0
</pre>
</source>
=== Firewallregeln aktivieren ===
<pre>
<source lang="bash">
/root/set_firewall_ipv6.sh
</pre>
<pre>
</source>
<source lang="bash">
ip6tables -S
</pre>
</source>
[[Kategorie:Infrastruktur]]