= global.hq.c3d2.de =
|
|
== Samba Active Directory für DynDNS Update mit GSS-TSIG ==
|
|
|
|
== lxc Container ==
|
|
* Debian 7
|
|
* Samba 4.1.13 / Kerberos 5
|
|
* IPv4: 217.115.11.136
|
|
* IPv6: 2001:4dd0:fb82:c3d2:a800:5bff:fe06:c2b7
|
|
|
|
== DNS ==
|
|
* global.hq.c3d2.de
|
|
|
|
== DNS Nameserver / SRV Records ==
|
|
* space.c3d2.de. IN NS global.hq.c3d2.de.
|
|
* _dns-update._tcp.c3d2.de. IN SRV 5 0 53 space.c3d2.de.
|
|
* _dns-update._udp.c3d2.de. IN SRV 5 0 53 space.c3d2.de.
|
|
|
|
== Server Installation ==
|
|
|
|
<pre>
|
|
# Fresh Samba install; the service is stopped and any state left by an
# earlier setup (generated smb.conf, /var/lib/samba) is removed before the
# AD DC is provisioned.
apt-get install samba

service samba stop
rm /etc/samba/smb.conf
# destructive: wipes every database of a previous installation
rm -rfv /var/lib/samba
mkdir /var/lib/samba
mkdir /var/lib/samba/private
|
|
</pre>
|
|
|
|
== neue Samba Provisionierung ==
|
|
|
|
<pre>
|
|
# Provision a new forest: realm SPACE.C3D2.DE / NetBIOS domain SPACE, Samba's
# internal DNS, RFC2307 attributes; --use-ntvfs because the container offers
# no xattr support (see the provision output below).
# --adminpass on the command line lands in the shell history and is visible
# in the process list while the command runs; leave the option out to be
# prompted for the Administrator password instead.
/usr/bin/samba-tool domain provision --use-ntvfs --use-rfc2307 --function-level=2008_R2 --realm=SPACE.C3D2.DE --domain=SPACE --adminpass='GEHEIM' --server-role='dc' --dns-backend=SAMBA_INTERNAL
|
|
</pre>
|
|
|
|
Samba läuft mit virtuellen sysvol-NTACLs; die s3fs-Daemon-Unterstützung fehlt vorerst, da --use-xattrs=yes in dem lxc-Container mit btrfs nicht unterstützt wird!
|
|
|
|
<pre>
|
|
[root@global:~]# /usr/bin/samba-tool domain provision --use-ntvfs --use-rfc2307 --function-level=2008_R2 --realm=SPACE.C3D2.DE --domain=SPACE --adminpass='GEHEIM' --server-role='dc' --dns-backend=SAMBA_INTERNAL
|
|
You are not root or your system do not support xattr, using tdb backend for attributes.
|
|
not using extended attributes to store ACLs and other metadata. If you intend to use this provision in production, rerun the script as root on a system supporting xattrs.
|
|
Looking up IPv4 addresses
|
|
Looking up IPv6 addresses
|
|
Setting up share.ldb
|
|
Setting up secrets.ldb
|
|
Setting up the registry
|
|
Setting up the privileges database
|
|
Setting up idmap db
|
|
Setting up SAM db
|
|
Setting up sam.ldb partitions and settings
|
|
Setting up sam.ldb rootDSE
|
|
Pre-loading the Samba 4 and AD schema
|
|
Adding DomainDN: DC=space,DC=c3d2,DC=de
|
|
Adding configuration container
|
|
Setting up sam.ldb schema
|
|
Setting up sam.ldb configuration data
|
|
Setting up display specifiers
|
|
Modifying display specifiers
|
|
Adding users container
|
|
Modifying users container
|
|
Adding computers container
|
|
Modifying computers container
|
|
Setting up sam.ldb data
|
|
Setting up well known security principals
|
|
Setting up sam.ldb users and groups
|
|
Setting up self join
|
|
Adding DNS accounts
|
|
Creating CN=MicrosoftDNS,CN=System,DC=space,DC=c3d2,DC=de
|
|
Creating DomainDnsZones and ForestDnsZones partitions
|
|
Populating DomainDnsZones and ForestDnsZones partitions
|
|
Setting up sam.ldb rootDSE marking as synchronized
|
|
Fixing provision GUIDs
|
|
A Kerberos configuration suitable for Samba 4 has been generated at /var/lib/samba/private/krb5.conf
|
|
Setting up fake yp server settings
|
|
Once the above files are installed, your Samba4 server will be ready to use
|
|
Server Role: active directory domain controller
|
|
Hostname: global
|
|
NetBIOS Domain: SPACE
|
|
DNS Domain: space.c3d2.de
|
|
DOMAIN SID: S-1-5-21-0123456789-123456789-0123456789
|
|
[root@global:~]#
|
|
</pre>
|
|
|
|
== smb.conf - Anpassung ==
|
|
|
|
<pre>
|
|
# replace the provision-generated smb.conf with the listing below
vi /etc/samba/smb.conf
|
|
</pre>
|
|
|
|
<pre>
|
|
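# Global parameters
# smb.conf for the Samba AD DC "GLOBAL" (realm SPACE.C3D2.DE), provisioned
# with --use-ntvfs --use-rfc2307 --dns-backend=SAMBA_INTERNAL.
# Samba only treats "#" / ";" at the start of a line as a comment; text after
# a value is part of the value, so every comment here is on its own line.
[global]
workgroup = SPACE
realm = SPACE.C3D2.DE
netbios name = GLOBAL
server role = active directory domain controller

# LDAP Provisionierung nach RFC2307 (uid/gid from the RFC2307 attributes)
# comment moved off the value line: "yes # ..." is not stripped by Samba
# and does not parse as a boolean
idmap_ldb:use rfc2307 = yes
# xattr-less provision ("using tdb backend for attributes" in the provision
# output): extended attributes / NT ACLs are stored in this tdb
posix:eadb = /var/lib/samba/private/eadb.tdb

### dns forwarder = 172.22.99.251

server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns, smb
dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, winreg, srvsvc

### ### ### PLITC ### ### ###

# %h expands to the host name
server string = %h - Global.HQ.C3D2.de

### interfaces = 217.115.11.136 2001:4dd0:fb82:c3d2:a800:5bff:fe06:c2b7
### bind interfaces only = No

# allow dynamic dns update / true = nonsecure + signed
# "signed": only GSS-TSIG-signed updates from authenticated clients are
# accepted, unsigned updates are rejected
allow dns updates = signed

# freebsd specific
nsupdate command = /usr/sbin/samba_dnsupdate

### ### # server options

### server min protocol = SMB2_02 (ab Windows 7)
# SMB1 is not offered at all
server min protocol = SMB2
server max protocol = SMB3

# no NetBIOS name service and no port 139, SMB over 445 only
disable netbios = yes
smb ports = 445

# "auto" offers signing without requiring it; an AD DC may enforce signing
# regardless of this value - check the effective setting with testparm -v
server signing = auto

# protocol stream encryption for smbclient
# offered to clients that support it, not required
smb encrypt = auto

### ### # client options (for local services / smbclient etc.)

### client min protocol = SMB2_02
client min protocol = SMB2
client max protocol = SMB3

# LDAP connections made by Samba's own tools are signed and sealed
client ldap sasl wrapping = seal

client signing = auto
client schannel = auto

# server side: LM and NTLMv1 responses are refused, NTLMv2 and Kerberos remain
lanman auth = No
ntlm auth = No
# client side: SPNEGO / NTLMv2 only, no LM, never plaintext passwords
client use spnego = Yes
client ntlmv2 auth = Yes
client lanman auth = No
client plaintext auth = No

### ### ### PLITC ### ### ###

[netlogon]
path = /var/lib/samba/sysvol/space.c3d2.de/scripts
read only = No

# writable sysvol; its NT ACLs are verified with "samba-tool ntacl sysvolcheck"
[sysvol]
path = /var/lib/samba/sysvol
read only = No

### ### ### PLITC ### ### ###
#
# EOF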
|
|
</pre>
|
|
|
|
== Samba Checks ==
|
|
|
|
<pre>
|
|
# After editing smb.conf: show the config Samba will actually load, check the
# AD database for consistency and verify the NT ACLs on sysvol.
samba-tool testparm
samba-tool dbcheck
samba-tool ntacl sysvolcheck
|
|
</pre>
|
|
|
|
== krb5.conf - Anpassung ==
|
|
|
|
<pre>
|
|
# krb5.conf generated by the provision step (see the provision output)
vi /var/lib/samba/private/krb5.conf
|
|
</pre>
|
|
|
|
<pre>
|
|
[libdefaults]
default_realm = SPACE.C3D2.DE
dns_lookup_realm = true
dns_lookup_kdc = true
; enctype preference, strongest first. arcfour-hmac-md5 (RC4) is kept only
; for legacy clients; drop it from all four lists once none are left.
; NOTE(review): default_etypes looks like the Heimdal spelling and the three
; *_enctypes keys the MIT spelling - keep all four lists identical so both
; libraries apply the same policy
default_etypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5

default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5

; forwardable / proxiable TGTs can be passed on by services (delegation);
; set both to false if no service needs to act on the user's behalf
forwardable = true
proxiable = true

; seconds (24h)
ticket_lifetime = 86400

[realms]
; the KDC and admin server are Samba itself on this host
SPACE.C3D2.DE = {
kdc = localhost:88
admin_server = localhost:749
default_domain = space.c3d2.de
}

[domain_realm]
; every host name under space.c3d2.de belongs to the realm
.space.c3d2.de = SPACE.C3D2.DE
space.c3d2.de = SPACE.C3D2.DE

[logging]
default = FILE:/var/log/samba/krb5libs.log
kdc = FILE:/var/log/samba/krb5kdc.log
admin_server = FILE:/var/log/samba/kadmind.log

; KDC options left disabled here; require-preauth = true would refuse
; AS-REQs without pre-authentication (offline guessing of TGT replies)
; [kdc]
; allow-anonymous = false
; require-preauth = true
; enable-kerberos4 = false

; # EOF
|
|
</pre>
|
|
|
|
|
|
== btrfs snapshot ==
|
|
|
|
<pre>
|
|
# snapshot of the container rootfs before the first start, named with a UTC
# timestamp so the provisioned state can be rolled back to
btrfs subvolume snapshot /var/lib/lxc/global/rootfs /var/lib/lxc/global/rootfs-snap-smb4-`date -u +%Y.%m.%d-%H.%M.%S`
|
|
</pre>
|
|
|
|
== Samba Server starten ==
|
|
|
|
<pre>
|
|
# start the AD DC with the edited smb.conf / krb5.conf
service samba start
|
|
</pre>
|
|
|
|
== dns testen ==
|
|
|
|
<pre>
|
|
[root@vps11:~]# dig SRV @global.hq.c3d2.de _kerberos._tcp.space.c3d2.de
|
|
zsh: correct '@global.hq.c3d2.de' to 'global.hq.c3d2.de' [nyae]? n
|
|
|
|
; <<>> DiG 9.8.4-P2 <<>> SRV @global.hq.c3d2.de _kerberos._tcp.space.c3d2.de
|
|
; (2 servers found)
|
|
;; global options: +cmd
|
|
;; Got answer:
|
|
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9702
|
|
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
|
|
;; WARNING: recursion requested but not available
|
|
|
|
;; QUESTION SECTION:
|
|
;_kerberos._tcp.space.c3d2.de. IN SRV
|
|
|
|
;; ANSWER SECTION:
|
|
_kerberos._tcp.space.c3d2.de. 900 IN SRV 0 100 88 global.space.c3d2.de.
|
|
|
|
;; Query time: 1 msec
|
|
;; SERVER: 2001:4dd0:fb82:c3d2:a800:5bff:fe06:c2b7#53(2001:4dd0:fb82:c3d2:a800:5bff:fe06:c2b7)
|
|
;; WHEN: Sat Jan 11 06:01:49 2014
|
|
;; MSG SIZE rcvd: 73
|
|
|
|
[root@vps11:~]#
|
|
</pre>
|
|
|
|
'''That's it!'''
|