= global.hq.c3d2.de =

== Samba Active Directory for DynDNS updates with GSS-TSIG ==

; Goal: a simple DynDNS update service (secured with [[wikipedia:Kerberos protocol|Kerberos]] & [[wikipedia:Generic Security Service Algorithm for Secret Key Transaction | GSS-TSIG]]) for '''wunschname'''''.space.c3d2.de'' (''wunschname'' = the host name you want)

{{NiftyDiv| Farbe=#aafd72| Inhalt= [[pentapad:global.hq.c3d2.de]] is the current list of DNS reservations }}

== Client installation / setup ==

Required:
* Samba(4)
* Kerberos(5)
* Kerberos(5) client package (klist/kinit etc.)
* DNSUtils
* [https://github.com/plitc/samba-nsupdate/blob/master/do-nsupdate.sh do-nsupdate.sh] mini script (Linux/Mac/FreeBSD)

Samba does '''not''' need to be configured (as a service) on the client machine!

=== Installation ===

{{NiftyDiv| Farbe=#b4d9fa| Inhalt= from version 15 on, do-nsupdate.sh installs missing components automatically }}

==== General ====

 git clone https://github.com/plitc/samba-nsupdate.git
 cp ~/samba-nsupdate/do-nsupdate.sh $HOME/do-nsupdate.sh
 cp ~/samba-nsupdate/do-nsupdate.conf $HOME/do-nsupdate.conf
 chmod 775 $HOME/do-nsupdate.sh
 $HOME/do-nsupdate.sh

==== (Debian) Linux ====

 apt-get install samba krb5-user krb5-clients dnsutils

==== (Free)BSD ====

 cd /usr/ports/net/samba4/ && make install clean

optional (the base system already ships Heimdal):

 cd /usr/ports/security/krb5/ && make install clean

==== MacOS ====

Requires:
* at least 10.9.x (for SMB2 support)

Active Directory membership required!

==== Windows ====

Requires:
* at least Vista (SMB2 means SMB 2.0: Vista SP1+ / Windows Server 2008)
* nsupdate is performed with the $COMPUTERNAME account

Active Directory membership required!
=== do-nsupdate.sh usage ===

# download the mini script
# edit it (with the text editor of your choice)
# run it

 KERBEROSADMINUSER="username@SPACE.C3D2.DE"
 ADMACHINENAME="wunschname.space.c3d2.de"
 ADSERVERNAME="space.c3d2.de"
 ADSERVERZONE="space.c3d2.de"
 ADMACHINETTL="3600"

 chmod 775 do-nsupdate.sh
 ./do-nsupdate.sh

=== do-nsupdate.sh example ===

 [daniel@freebie:~]$ ./do-nsupdate.sh
 username@SPACE.C3D2.DE's Password:
 Outgoing update query:
 ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
 ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
 ;; ZONE SECTION:
 ;space.c3d2.de. IN SOA
 ;; UPDATE SECTION:
 wunschname.space.c3d2.de. 0 ANY A
 wunschname.space.c3d2.de. 3600 IN A XXX.XXX.XXX.XXX
 wunschname.space.c3d2.de. 0 ANY AAAA
 wunschname.space.c3d2.de. 3600 IN AAAA ZZZZ:ZZZZ:ZZZZ::YYYY

This is a quick way to run a DNS update so that your services are reachable right away in a new network. The update first deletes the existing A and AAAA records (class ANY) and then adds the current addresses, so no stale address from the previous network survives; the whole request is signed with the Kerberos ticket (GSS-TSIG), which is why the password prompt appears first.

'''That's it!'''

{{NiftyDiv| Farbe=#b4d9fa| Inhalt=
== Active Directory - directory administrators ==
currently: [[user:daniel.plominski|daniel]]
... more volunteers? ...
}}

{{NiftyDiv| Farbe=#f4b9c4| Inhalt=
== Active Directory - adding a user ==
 samba-tool user add USERNAME
 samba-tool group addmembers DnsAdmins USERNAME
Membership in DnsAdmins lets the account change every record in the zone, including the DC's own; grant it only if the user is meant to overwrite names registered by others.
}}

== lxc container ==

* Debian Jessie
* Samba 4.1.3 / Kerberos 5
* IPv4: 217.115.11.136
* IPv6: 2001:4dd0:fb82:c3d2:a800:5bff:fe06:c2b7

=== DNS ===

* global.hq.c3d2.de

=== DNS nameserver / records ===

* space.c3d2.de. IN NS global.hq.c3d2.de.
* _dns-update._tcp IN SRV 5 0 53 space.c3d2.de.
* _dns-update._udp IN SRV 5 0 53 space.c3d2.de.
* space IN MX 10 mail.c3d2.de.
* space IN TXT "v=spf1 mx -all"
* b._dns-sd._udp 60 PTR space.c3d2.de.
* db._dns-sd._udp 60 PTR space.c3d2.de.
* dr._dns-sd._udp 60 PTR space.c3d2.de.
* lb._dns-sd._udp 60 PTR space.c3d2.de.
* r._dns-sd._udp 60 PTR space.c3d2.de.
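The client-side flow from the do-nsupdate.sh section above, written out as an added example (this is not the page's do-nsupdate.sh and not code from the samba-nsupdate project). It uses the same variable names as the script's configuration. Assumptions: the client's krb5.conf knows the realm SPACE.C3D2.DE, BIND's nsupdate was built with GSSAPI support (the -g switch), the addresses are read with Linux iproute2, and the DC is addressed by its AD host name global.space.c3d2.de (taken from the klist output further down, because nsupdate -g requests a ticket for DNS/<server name>); the page's own configuration uses space.c3d2.de there.

```shell
#!/bin/sh
# Added example, not the page's do-nsupdate.sh: perform the GSS-TSIG signed
# dynamic update for one name, the way the script above does it.
# Assumed: krb5.conf knows SPACE.C3D2.DE, BIND's nsupdate supports -g (GSSAPI),
# and the principal is allowed to write the record.

KERBEROSADMINUSER="${KERBEROSADMINUSER:-username@SPACE.C3D2.DE}"
ADMACHINENAME="${ADMACHINENAME:-wunschname.space.c3d2.de}"
# The DC by its AD host name (assumed from the klist output on this page):
# nsupdate -g asks the KDC for DNS/<this name>, so a bare IP address will not do.
ADSERVERNAME="${ADSERVERNAME:-global.space.c3d2.de}"
ADSERVERZONE="${ADSERVERZONE:-space.c3d2.de}"
ADMACHINETTL="${ADMACHINETTL:-3600}"

# Emit the nsupdate batch for one name. Each record type is deleted before it
# is added, so an address from the previous network is never left behind; an
# empty IPv4 or IPv6 argument removes that record type altogether.
#   $1 name   $2 zone   $3 server   $4 ttl   $5 IPv4 or ""   $6 IPv6 or ""
build_update_batch() {
    printf 'server %s\n' "$3"
    printf 'zone %s\n' "$2"
    printf 'update delete %s A\n' "$1"
    if [ -n "$5" ]; then printf 'update add %s %s A %s\n' "$1" "$4" "$5"; fi
    printf 'update delete %s AAAA\n' "$1"
    if [ -n "$6" ]; then printf 'update add %s %s AAAA %s\n' "$1" "$4" "$6"; fi
    printf 'send\n'
}

# First global address of this host (assumed Linux iproute2 "-o" output:
# field 4 is address/prefix; on BSD/macOS read ifconfig instead).
primary_ipv4() { ip -4 -o addr show scope global 2>/dev/null | awk '{ sub("/.*", "", $4); print $4; exit }'; }
primary_ipv6() { ip -6 -o addr show scope global 2>/dev/null | awk '{ sub("/.*", "", $4); print $4; exit }'; }

# Get a TGT (prompts for the password, as in the example above), then feed the
# batch to nsupdate: -g negotiates a GSS-TSIG key with the DC (TKEY) and signs
# the UPDATE with it; -d prints the outgoing query like the output on this page.
# Afterwards ask the DC itself, not a caching resolver, what it now serves.
run_update() {
    kinit "$KERBEROSADMINUSER" || return 1
    build_update_batch "$ADMACHINENAME" "$ADSERVERZONE" "$ADSERVERNAME" \
        "$ADMACHINETTL" "$(primary_ipv4)" "$(primary_ipv6)" | nsupdate -g -d || return 1
    dig +short "@$ADSERVERNAME" "$ADMACHINENAME" A "$ADMACHINENAME" AAAA
}

# Only talk to the DC when explicitly asked to, so the file can also be sourced.
if [ "${DO_NSUPDATE_RUN:-0}" = 1 ]; then run_update; fi
```

Run it with `DO_NSUPDATE_RUN=1 sh ./update.sh`. If nsupdate answers with REFUSED, the ticket is valid but the principal is not allowed to write that name (see the DnsAdmins note above); if it answers with NOTAUTH or the TKEY step fails, the server name does not match a DNS/ service principal the KDC knows.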
== Server installation ==

 apt-get install samba
 service samba stop
 rm /etc/samba/smb.conf
 rm -rfv /var/lib/samba
 mkdir /var/lib/samba
 mkdir /var/lib/samba/private

=== New Samba provisioning ===

 /usr/bin/samba-tool domain provision --use-ntvfs --use-rfc2307 --function-level=2008_R2 --realm=SPACE.C3D2.DE --domain=SPACE --adminpass='GEHEIM' --server-role='dc' --dns-backend=SAMBA_INTERNAL

('GEHEIM' is a placeholder for the Administrator password; note that a password passed on the command line ends up in the shell history.)

Samba runs with virtual sysvol NTACLs in the ntvfs file server and thus without the s3fs daemon (the file server that will be supported going forward), because --use-xattrs=yes is not supported inside the lxc container on btrfs!

 [root@global:~]# /usr/bin/samba-tool domain provision --use-ntvfs --use-rfc2307 --function-level=2008_R2 --realm=SPACE.C3D2.DE --domain=SPACE --adminpass='GEHEIM' --server-role='dc' --dns-backend=SAMBA_INTERNAL
 You are not root or your system do not support xattr, using tdb backend for attributes. not using extended attributes to store ACLs and other metadata. If you intend to use this provision in production, rerun the script as root on a system supporting xattrs.
 Looking up IPv4 addresses
 Looking up IPv6 addresses
 Setting up share.ldb
 Setting up secrets.ldb
 Setting up the registry
 Setting up the privileges database
 Setting up idmap db
 Setting up SAM db
 Setting up sam.ldb partitions and settings
 Setting up sam.ldb rootDSE
 Pre-loading the Samba 4 and AD schema
 Adding DomainDN: DC=space,DC=c3d2,DC=de
 Adding configuration container
 Setting up sam.ldb schema
 Setting up sam.ldb configuration data
 Setting up display specifiers
 Modifying display specifiers
 Adding users container
 Modifying users container
 Adding computers container
 Modifying computers container
 Setting up sam.ldb data
 Setting up well known security principals
 Setting up sam.ldb users and groups
 Setting up self join
 Adding DNS accounts
 Creating CN=MicrosoftDNS,CN=System,DC=space,DC=c3d2,DC=de
 Creating DomainDnsZones and ForestDnsZones partitions
 Populating DomainDnsZones and ForestDnsZones partitions
 Setting up sam.ldb rootDSE marking as synchronized
 Fixing provision GUIDs
 A Kerberos configuration suitable for Samba 4 has been generated at /var/lib/samba/private/krb5.conf
 Setting up fake yp server settings
 Once the above files are installed, your Samba4 server will be ready to use
 Server Role:           active directory domain controller
 Hostname:              global
 NetBIOS Domain:        SPACE
 DNS Domain:            space.c3d2.de
 DOMAIN SID:            S-1-5-21-0123456789-123456789-0123456789

=== smb.conf - adjustments ===

 vi /etc/samba/smb.conf

smb.conf only allows comments on lines of their own, so the explanations below are kept on separate lines:

 # Global parameters
 [global]
         workgroup = SPACE
         realm = SPACE.C3D2.DE
         netbios name = GLOBAL
         server role = active directory domain controller
         # LDAP provisioning according to RFC2307
         idmap_ldb:use rfc2307 = yes
         posix:eadb = /var/lib/samba/private/eadb.tdb
         ###
         # must not become a public resolver
         dns forwarder = 172.22.99.251
         server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns, smb
         dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, winreg, srvsvc
         ### ### ### C3D2 ### ### ###
         server string = %h - Global.HQ.C3D2.de
         ### interfaces = 217.115.11.136 2001:4dd0:fb82:c3d2:a800:5bff:fe06:c2b7
         ### bind interfaces only = No
         # dynamic DNS updates: "signed" is an alias of "secure only" and accepts
         # GSS-TSIG signed updates only; "nonsecure and secure" would also accept
         # unsigned updates from anyone who can reach port 53
         allow dns updates = signed
         # debian specific
         nsupdate command = /usr/sbin/samba_dnsupdate
         ###
         # server options
         ###
         # SMB2 means SMB 2.1 (Windows 7 / Server 2008 R2 and later);
         # SMB2_02 would also admit Vista SP1 / Server 2008 clients
         server min protocol = SMB2
         server max protocol = SMB3
         disable netbios = yes
         smb ports = 445
         server signing = auto
         # protocol stream encryption for smbclient
         smb encrypt = auto
         ###
         # client options (for local services / smbclient etc.)
         ###
         client min protocol = SMB2
         client max protocol = SMB3
         client ldap sasl wrapping = seal
         client signing = auto
         client schannel = auto
         # no LM / NTLMv1 on either side
         lanman auth = No
         ntlm auth = No
         client use spnego = Yes
         client ntlmv2 auth = Yes
         client lanman auth = No
         client plaintext auth = No
         ### ### ### C3D2 ### ### ###

 [netlogon]
         path = /var/lib/samba/sysvol/space.c3d2.de/scripts
         read only = No

 [sysvol]
         path = /var/lib/samba/sysvol
         read only = No

 ### ### ### C3D2 ### ### ###
 #
 # EOF

=== Samba checks ===

 samba-tool testparm
 samba-tool dbcheck
 samba-tool ntacl sysvolcheck

=== krb5.conf - adjustments ===

 vi /var/lib/samba/private/krb5.conf

 [libdefaults]
         default_realm = SPACE.C3D2.DE
         dns_lookup_realm = true
         dns_lookup_kdc = true
         # arcfour-hmac-md5 (RC4) is kept only for legacy clients; drop it once none are left
         default_etypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5
         default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5
         default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5
         permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5
         forwardable = true
         proxiable = true
         ticket_lifetime = 86400

 [realms]
         SPACE.C3D2.DE = {
                 kdc = localhost:88
                 admin_server = localhost:749
                 default_domain = space.c3d2.de
         }

 [domain_realm]
         .space.c3d2.de = SPACE.C3D2.DE
         space.c3d2.de = SPACE.C3D2.DE

 [logging]
         default = FILE:/var/log/samba/krb5libs.log
         kdc = FILE:/var/log/samba/krb5kdc.log
         admin_server = FILE:/var/log/samba/kadmind.log

 ; [kdc]
 ;         allow-anonymous = false
 ;         require-preauth = true
 ;         enable-kerberos4 = false
 ;
 # EOF

=== BTRFS snapshot ===

 btrfs subvolume snapshot /var/lib/lxc/global/rootfs /var/lib/lxc/global/rootfs-snap-smb4-`date -u +%Y.%m.%d-%H.%M.%S`

=== Start the Samba server ===

 service samba start

== Tests ==

=== DNS - SRV record ===

 [root@vps11:~]# dig SRV @global.hq.c3d2.de _kerberos._tcp.space.c3d2.de
 zsh: correct '@global.hq.c3d2.de' to 'global.hq.c3d2.de' [nyae]? n
 
 ; <<>> DiG 9.8.4-P2 <<>> SRV @global.hq.c3d2.de _kerberos._tcp.space.c3d2.de
 ; (2 servers found)
 ;; global options: +cmd
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9702
 ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
 ;; WARNING: recursion requested but not available
 
 ;; QUESTION SECTION:
 ;_kerberos._tcp.space.c3d2.de.  IN      SRV
 
 ;; ANSWER SECTION:
 _kerberos._tcp.space.c3d2.de. 900 IN    SRV     0 100 88 global.space.c3d2.de.
 
 ;; Query time: 1 msec
 ;; SERVER: 2001:4dd0:fb82:c3d2:a800:5bff:fe06:c2b7#53(2001:4dd0:fb82:c3d2:a800:5bff:fe06:c2b7)
 ;; WHEN: Sat Jan 11 06:01:49 2014
 ;; MSG SIZE  rcvd: 73

=== Kerberos ticket ===

After a successful update the credential cache holds, next to the TGT, the service ticket for DNS/<DC host name> that GSS-TSIG used to sign the request:

 [daniel@freebie:~]$ klist
 Credentials cache: FILE:/tmp/krb5cc_1001
         Principal: username@SPACE.C3D2.DE
 
   Issued           Expires          Principal
 Jan 11 06:11:43  Jan 11 16:11:42  krbtgt/SPACE.C3D2.DE@SPACE.C3D2.DE
 Jan 11 06:11:43  Jan 11 16:11:42  DNS/global.space.c3d2.de@SPACE.C3D2.DE

'''That's it!'''

== Server optimisations ==

{{Broken |Reason= the IPv6 example tables from squeeze/wheezy currently do not work in the lxc container under jessie }}

=== Firewall: IPv6 rules ===

 sudo apt-get install iptables
 sudo vi /root/set_firewall_ipv6.sh

 #!/bin/bash
 # A bash shell script for ip6tables to protect single hosting / dedicated / vps / colo server running CentOS / Debian / RHEL / or any other Linux distribution.
 # -------------------------------------------------------------------------
 # Copyright (c) 2007 nixCraft project
 # This script is licensed under GNU GPL version 2.0 or above
 # -------------------------------------------------------------------------
 # This script is part of nixCraft shell script collection (NSSC)
 # Visit http://bash.cyberciti.biz/ for more information.
 # ----------------------------------------------------------------------
 # Last updated on Jan-23, 2008 : Added support for tcp packets
 # Last updated on Oct-01, 2012 : Daniel Plominski (PLITC)
 # ---------------------------------------------------------------------------
 IPT6="/sbin/ip6tables"
 
 # Interfaces
 PUB_IF="eth0"
 # on Linux the loopback interface is "lo" ("lo0" is the BSD name)
 PUB_LO="lo"
 ### PUB_ETH1="eth1"
 ### PUB_ETH2="eth2"
 ### PUB_ETH3="eth3"
 
 # Custom chain names
 CHAINS="chk_tcp6_packets_chain chk_tcp_inbound chk_udp_inbound chk_icmp_packets"
 
 echo "Starting IPv6 firewall..."
 
 # first clean old mess
 $IPT6 -F
 $IPT6 -X
 $IPT6 -Z
 for table in $(

 sudo chmod 555 /root/set_firewall_ipv6.sh
 sudo chattr +i /root/set_firewall_ipv6.sh

 vi /etc/rc.local

 #!/bin/sh -e
 #
 /root/set_firewall_ipv6.sh
 #
 exit 0

=== Activate the firewall rules ===

 /root/set_firewall_ipv6.sh
 ip6tables -S

[[Kategorie:Infrastruktur]]
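The smb.conf section above relies on three settings for the security of this setup: dynamic updates must be GSS-TSIG signed (`allow dns updates`), LM/NTLMv1 must stay disabled (`lanman auth`, `ntlm auth`) and SMB1 must not be negotiable (`server min protocol`). As an added example (not Samba's own tooling and not code from this page), the following POSIX shell script reads the [global] section of an smb.conf the way Samba does (comments ignored, the last occurrence of a key wins, which matters for the duplicated `server min protocol` lines above) and reports each weak or missing value. It runs offline against two constructed configs embedded in the script, one with the weak `nonsecure and secure` setting and SMB1 still enabled, one with the hardened values from this page. The sample contents and the list of accepted value spellings are assumptions; `samba-tool testparm` remains the authoritative check for the running server.

```shell
#!/bin/sh
# Added example, not Samba's own tooling: audit the [global] section of an
# smb.conf for the DNS-update and authentication settings used on this page.
# Assumed: POSIX sh + awk; value spellings as accepted by Samba 4.x loadparm.

# Print "key=value" for every parameter in [global], keys and values lowercased
# and trimmed, in file order (Samba takes the last occurrence of a key).
global_settings() {
    awk '
        /^[ \t]*[#;]/ { next }                                  # comment lines
        /^[ \t]*\[/   { insec = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        insec && /=/ {
            key = $0; sub(/=.*/, "", key)
            val = $0; sub(/^[^=]*=/, "", val)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            print tolower(key) "=" tolower(val)
        }' "$1"
}

# Effective value of key $2 in file $1, or "" when it is not set.
setting() {
    global_settings "$1" | awk -F= -v k="$2" '$1 == k { v = $2 } END { print v }'
}

# Print one FINDING line per weak or missing setting.
audit_smb_conf() {
    v=$(setting "$1" "allow dns updates")
    case "$v" in
        "secure only"|secure|signed|disabled|"") ;;   # unset = Samba default "secure only"
        *) echo "FINDING allow dns updates = $v: unsigned (non-GSS-TSIG) updates are accepted" ;;
    esac
    for k in "ntlm auth" "lanman auth"; do
        v=$(setting "$1" "$k")
        case "$v" in
            no|false|0|disabled|ntlmv2-only) ;;
            *) echo "FINDING $k = ${v:-<default>}: expected 'no' (LM/NTLMv1 must stay off)" ;;
        esac
    done
    v=$(setting "$1" "server min protocol")
    case "$v" in
        smb2*|smb3*) ;;
        *) echo "FINDING server min protocol = ${v:-<default>}: SMB1 is still negotiable" ;;
    esac
}

# Number of findings, as a value a caller can test on.
count_findings() { audit_smb_conf "$1" | awk '/^FINDING/ { n++ } END { print n + 0 }'; }

# Constructed sample configs (not taken from a real server): the weak setting
# beside the corrected one from this page.
weak_conf=$(mktemp) && hardened_conf=$(mktemp)
trap 'rm -f "$weak_conf" "$hardened_conf"' EXIT
cat >"$weak_conf" <<'EOF'
[global]
        workgroup = SPACE
        realm = SPACE.C3D2.DE
        # anyone who can reach port 53 may rewrite records
        allow dns updates = nonsecure and secure
        server min protocol = NT1
EOF
cat >"$hardened_conf" <<'EOF'
[global]
        workgroup = SPACE
        realm = SPACE.C3D2.DE
        allow dns updates = signed
        server min protocol = SMB2_02
        server min protocol = SMB2
        lanman auth = No
        ntlm auth = No
[sysvol]
        path = /var/lib/samba/sysvol
EOF

for f in "$weak_conf" "$hardened_conf"; do
    echo "== $f: $(count_findings "$f") finding(s)"
    audit_smb_conf "$f"
done
```

Point `audit_smb_conf` at /etc/samba/smb.conf to check the live file; an unset `allow dns updates` is not reported because Samba's default is already `secure only`, whereas an unset `ntlm auth` is, because Samba 4.1 still defaults it to yes.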