Installing and Configuring Samba4 with AdminPack support on Debian Wheezy
Hey folks, here I'm going to cover installing and configuring Samba4 with domain administration support through Microsoft's AdminPack, and we'll also configure Bind_DLZ as the DNS backend.
NOTE: DNS cannot run in chroot mode, because bind cannot reach Samba's files and database: http://wiki.samba.org/index.php/Dns-backend_bind#Known_issues_and_ways_to_fix.2Fworkaround
I think the installation and configuration came out very clean, so let's get to work :D
Prepare your system with the following script http://wiki.douglasqsantos.com.br/doku.php/confinicialwheezy_en so that no package or configuration is missing.
What I'll be using:
- Samba server
  - IP: 192.168.0.49/24
  - Name: debian
  - Domain: lab.lan
- XP client
  - IP: 192.168.0.4/24
  - Name: xp
  - Domain: lab.lan
Now let's update the repositories and upgrade the system
aptitude update && aptitude dist-upgrade -y
Let's set a couple of environment variables
export DEBIAN_PRIORITY=critical
export DEBIAN_FRONTEND=noninteractive
Now let's install the dependencies
aptitude install libpam0g-dev git gcc make wget libacl1-dev libblkid-dev libreadline-dev python-dev libcups2-dev \
  libcupscgi1-dev libcupsdriver1-dev libcupsimage2-dev libcupsmime1-dev libcupsppdc1-dev libcupsys2-dev libaio-dev acl-dev \
  acl heimdal-clients libattr1-dev libacl1-dev libattr1-dev libblkid-dev libgnutls-dev libreadline-dev python-dnspython gdb pkg-config libfam-dev \
  libpopt-dev libldap2-dev dnsutils libbsd-dev attr docbook-xsl libcups2-dev python-gnupginterface python-pycurl python-software-properties \
  quota unattended-upgrades libpam-heimdal bison debhelper flex gettext html2text intltool-debian libbison-dev libgettextpo0 libldb-dev \
  libldb1 libparse-yapp-perl libpython2.6 libsmbclient libsmbclient-dev libsubunit-dev libsubunit-perl libsubunit0 libtalloc-dev libtalloc2 \
  libtdb-dev libtdb1 libtevent-dev libtevent0 libunistring0 libwbclient-dev libwbclient0 libxslt1.1 po-debconf python-all python-all-dev python-ldb \
  python-ldb-dev python-pkg-resources python-subunit python-talloc python-talloc-dev python-tdb python-testtools python2.6-dev subunit xsltproc \
  heimdal-dev heimdal-multidev libasn1-8-heimdal libgssapi3-heimdal libhcrypto4-heimdal libhdb9-heimdal libheimbase1-heimdal libheimntlm0-heimdal \
  libhx509-5-heimdal libkadm5clnt7-heimdal libkadm5srv8-heimdal libkafs0-heimdal libkdc2-heimdal libkrb5-26-heimdal libroken18-heimdal libwind0-heimdal -y
Now let's reset the variables to their defaults
unset DEBIAN_PRIORITY
unset DEBIAN_FRONTEND
Now we need to adjust the filesystem that holds the /usr partition: after defaults we add the keywords acl and user_xattr.
vim /etc/fstab
[...]
UUID=35689fda-e60e-4a5c-823b-3076e36a7586 /usr ext4 defaults,acl,user_xattr,barrier=1 0 2
Now let's remount the partition
mount -o remount /usr
Now let's check that the acl attribute was loaded
mount | egrep xattr
/dev/disk/by-uuid/1b505238-9622-44bb-9ff1-1a5b72f9636e on / type ext4 (rw,relatime,errors=remount-ro,user_xattr,barrier=1,data=ordered)
/dev/sda9 on /home type ext4 (rw,relatime,user_xattr,barrier=1,data=ordered)
/dev/sda8 on /tmp type ext4 (rw,relatime,user_xattr,barrier=1,data=ordered)
/dev/sda5 on /usr type ext4 (rw,relatime,user_xattr,barrier=1,data=ordered)
/dev/sda6 on /var type ext4 (rw,relatime,user_xattr,barrier=1,data=ordered)
In some cases the system does not load the acl support and the server has to be rebooted for it to be reloaded; on Debian Wheezy, however, it is built into the kernel rather than loaded as a module.
Let's list the kernel options
egrep -i acl /boot/config-3.2.0-4-amd64
CONFIG_EXT2_FS_POSIX_ACL=y
CONFIG_EXT3_FS_POSIX_ACL=y
CONFIG_EXT4_FS_POSIX_ACL=y
CONFIG_REISERFS_FS_POSIX_ACL=y
CONFIG_JFS_POSIX_ACL=y
CONFIG_XFS_POSIX_ACL=y
CONFIG_BTRFS_FS_POSIX_ACL=y
CONFIG_FS_POSIX_ACL=y
CONFIG_GENERIC_ACL=y
CONFIG_TMPFS_POSIX_ACL=y
CONFIG_JFFS2_FS_POSIX_ACL=y
CONFIG_NFS_V3_ACL=y
CONFIG_NFSD_V2_ACL=y
CONFIG_NFSD_V3_ACL=y
CONFIG_NFS_ACL_SUPPORT=m
CONFIG_CIFS_ACL=y
CONFIG_9P_FS_POSIX_ACL=y
Now let's test the filesystem: we need to create a file and set the attr flags
Let's go to the /usr directory
cd /usr
The first setfattr test fails if the filesystem is ext3.
touch test.txt
setfattr -n user.test -v test test.txt
setfattr -n security.test -v test2 test.txt
Now let's test the user attribute
getfattr -d test.txt
# file: test.txt
user.test="test"
Now let's test the security attribute
getfattr -n security.test -d test.txt
# file: test.txt
security.test="test2"
If the filesystem does not support xattr we can emulate it by adding the following line to smb.conf
posix:eadb = /usr/local/samba/eadb.tdb
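As an added example (my own POSIX sh, not part of the original post), here is a small check that reads `mount` output and reports whether the filesystem that will hold Samba's data carries the acl and user_xattr options the steps above require. It assumes the util-linux mount line layout shown above ("/dev/sda5 on /usr type ext4 (rw,...)"); function names and the RUN_CHECK variable are my choices. One caveat worth knowing: an option that is already a default mount option of the filesystem may be omitted from the mount line even though it is active, so a reported "missing: acl" should be compared with `tune2fs -l <device> | grep 'Default mount options'` before changing fstab.

```shell
#!/bin/sh
# Added example, not from the original post: verify the mount options Samba
# needs (acl, user_xattr) on the filesystem mounted at a given mount point.
# Assumes util-linux mount output, e.g.
#   /dev/sda5 on /usr type ext4 (rw,relatime,user_xattr,barrier=1,data=ordered)

# Print the comma-separated option list of the filesystem mounted at $1,
# reading `mount` output on stdin. Prints nothing if $1 is not a mount point.
mount_opts() {
    awk -v mp="$1" '$3 == mp { gsub(/[()]/, "", $6); print $6; exit }'
}

# Return 0 if option $2 is present in the comma-separated option list $1.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read `mount` output on stdin and report on mount point $1.
# Prints "ok", "missing: <opts>" or "not mounted: <mp>"; returns 1 on a problem.
check_samba_fs() {
    opts=$(mount_opts "$1")
    [ -n "$opts" ] || { echo "not mounted: $1"; return 1; }
    missing=""
    for o in acl user_xattr; do
        has_opt "$opts" "$o" || missing="$missing $o"
    done
    if [ -z "$missing" ]; then echo ok; return 0; fi
    echo "missing:$missing"
    return 1
}

# Run against the live system:  RUN_CHECK=1 sh check_fs.sh /usr
if [ -n "${RUN_CHECK:-}" ]; then
    mount | check_samba_fs "${1:-/usr}"
fi
```

Feeding the mount lines from the post into `check_samba_fs /usr` reports "missing: acl", which is exactly the case the caveat above describes: acl was put in fstab but does not show in the mount line.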
Now let's get Samba; first go to the directory that will hold the sources
cd /usr/src
Now let's fetch the sources
wget -c http://ftp.samba.org/pub/samba/stable/samba-4.1.4.tar.gz
Now let's unpack Samba
tar -xzvf samba-4.1.4.tar.gz
Now let's enter the source directory
cd samba-4.1.4
Now let's configure it
./configure --enable-debug --enable-selftest
Now let's compile it
make
Now let's install it
make install
Now let's fix the root user's PATH, in case root uses the Bash shell
echo "export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11:/usr/local/samba/sbin:/usr/local/samba/bin" >> /root/.bashrc
Now we need to load the new PATH
source /root/.bashrc
Now let's fix the root user's PATH, in case root uses the zsh shell
echo "export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11:/usr/local/samba/sbin:/usr/local/samba/bin" >> /root/.zshrc
Now we need to load the new PATH
source /root/.zshrc
Now let's install the dependencies for BIND_DLZ
aptitude install autopoint autotools-dev bison debhelper dh-apparmor geoip-bin gettext hardening-wrapper html2text intltool-debian \
  libbison-dev libcap-dev libdb-dev libdb5.1-dev libgeoip-dev libgettextpo0 libltdl-dev libmail-sendmail-perl libsys-hostname-long-perl \
  libtool libunistring0 libxml2-dev po-debconf -y
Now let's get the Bind sources
cd /usr/src
apt-get source bind9
Now let's enter the bind sources
cd bind9-*
Now let's adjust the options used to build the package: the configure-stamp target below has to be modified to add support for kerberos and dlopen.
vim debian/rules
[...]
configure: configure-stamp
configure-stamp:
	dh_testdir
	./configure --prefix=/usr \
		--mandir=\$${prefix}/share/man \
		--infodir=\$${prefix}/share/info \
		--sysconfdir=/etc/bind \
		--localstatedir=/var \
		--enable-threads \
		--enable-largefile \
		--with-libtool \
		--enable-shared \
		--enable-static \
		--with-openssl=/usr \
		--with-gssapi=/usr \
		--with-gnu-ld \
		--with-geoip=/usr \
		--enable-ipv6 \
		--with-gssapi=/usr/include/gssapi \
		--with-dlopen=yes \
		$(EXTRA_FEATURES)
Now let's build the .deb package
dpkg-buildpackage
Now let's install the packages we built
cd ..
dpkg -i *.deb
Now let's create a directory and set its permissions for bind
mkdir /var/cache/bind/data
chown -R bind:bind /var/cache/bind/data
Now let's back up bind's configuration file
cp /etc/bind/named.conf.options /etc/bind/named.conf.options.old
Now let's adjust named.conf.options
vim /etc/bind/named.conf.options
//
// named.conf
//
options {
	listen-on port 53 { 127.0.0.1; 192.168.1.0/24; };
	listen-on-v6 port 53 { ::1; };
	directory "/var/cache/bind";
	dump-file "/var/cache/bind/data/cache_dump.db";
	statistics-file "/var/cache/bind/data/named_stats.txt";
	memstatistics-file "/var/cache/bind/data/named_mem_stats.txt";
	allow-query { 192.168.1.0/24; 127.0.0.1/32; };
	allow-update { 192.168.1.0/24; 127.0.0.1/32; };
	allow-recursion { 192.168.1.0/24; 127.0.0.1/32; };
	forwarders { 8.8.8.8; 8.8.4.4; };
	dnssec-enable yes;
	dnssec-validation yes;
	dnssec-lookaside auto;
	/* Path to ISC DLV key */
	bindkeys-file "/etc/named.iscdlv.key";
	managed-keys-directory "/var/cache/bind/dynamic";
	/* keytab for samba4 */
	tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
};
logging {
	channel default_debug {
		file "data/named.run";
		severity dynamic;
	};
};
Now let's add the file that references our AD zone to named.conf
vim /etc/bind/named.conf
[...]
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/usr/local/samba/private/named.conf";
Now let's adjust /etc/resolv.conf
vim /etc/resolv.conf
domain lab.lan
search lab.lan
nameserver 192.168.0.1
Now let's adjust /etc/hosts
vim /etc/hosts
127.0.0.1 localhost
127.0.1.1 debian.lab.lan debian
192.168.0.49 debian.lab.lan debian
[...]
Now let's create our domain
samba-tool domain provision --domain=LAB --adminpass='sen@134*' \
  --dns-backend=BIND9_DLZ --server-role=dc \
  --function-level=2008_R2 --use-xattr=yes \
  --use-rfc2307 --realm=lab.lan
If there is an error and you need to run the provisioning again, remove these files and directories
rm -rf /usr/local/samba/etc
rm -rf /usr/local/samba/private
rm -rf /usr/local/samba/var/locks/sysvol
At this point our domain is configured.
Now let's adjust samba
vim /usr/local/samba/etc/smb.conf
# Global parameters
[global]
	workgroup = LAB
	realm = lab.lan
	netbios name = PDC
	server role = active directory domain controller
	server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate

	### RPC ###
	rpc_server:tcpip = no
	rpc_daemon:spoolssd = embedded
	rpc_server:spoolss = embedded
	rpc_server:winreg = embedded
	rpc_server:ntsvcs = embedded
	rpc_server:eventlog = embedded
	rpc_server:srvsvc = embedded
	rpc_server:svcctl = embedded
	rpc_server:default = external

	### IDMAP ###
	idmap_ldb:use rfc2307 = yes
	idmap config * : backend = tdb
	idmap config *:range = 70001-80000
	idmap config LAB:backend = ad
	idmap config LAB:schema_mode = rfc2307
	idmap config LAB:range = 500-40000

	#WINBIND
	winbind nss info = rfc2307
	winbind trusted domains only = no
	winbind use default domain = yes
	winbind enum users = yes
	winbind enum groups = yes

	map archive = No
	map readonly = no
	store dos attributes = Yes
	vfs objects = dfs_samba4, acl_xattr
	# the template shell is required to log in with winbind authentication
	template shell = /bin/bash

	# DISABLING PRINTERS
	printcap name = /dev/null
	load printers = no
	disable spoolss = yes
	printing = bsd

	### LOGS
	log file = /var/log/samba/smbd.log
	max log size = 50
	log level = 2
	# NOTE: when a parameter appears twice in a section the last value wins, so
	# this line replaces the earlier "vfs objects = dfs_samba4, acl_xattr"
	# (the testparm dump further down confirms it)
	vfs objects = recycle full_audit

	### RECYCLE BIN
	recycle:repository = Lixeira
	recycle:exclude = *.tmp *.TMP *.temp *.TEMP ~*
	recycle:keeptree = yes
	full_audit:success = rmdir mkdir open write rename unlink
	full_audit:failure = rmdir mkdir open write rename unlink
	full_audit:prefix = %U|%I|%m|%S
	# NOTE: this second "full_audit:failure" overrides the list above, so
	# failed operations are not logged
	full_audit:failure = none
	full_audit:facility = local5
	full_audit:priority = notice
	veto files = /*.mp3/*.wav/*.exe/*.cmd/*.adm/*.inf/*.ini/*.pif
	delete veto files = yes
	dos filemode = yes

[netlogon]
	path = /usr/local/samba/var/locks/sysvol/lab.lan/scripts
	read only = No

[sysvol]
	path = /usr/local/samba/var/locks/sysvol
	read only = No
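The full_audit settings above send one syslog line per file operation to facility local5 with the prefix %U|%I|%m|%S (user, client IP, client NetBIOS name, share). As an added example (my own shell/awk, not from the post), here is a small summariser that turns those lines into a per-user count of destructive operations and flags anyone above a threshold, the kind of check you would run from cron or feed to a SIEM. It assumes rsyslog delivers local5 to /var/log/syslog (the Debian default) and the vfs_full_audit line layout "<prefix>|<operation>|ok or fail|<arguments>" with the "smbd_audit:" syslog tag; the sample lines are constructed. Because the effective config has full_audit:failure = none, only successful operations will appear in real logs, which is why the filter keys on the "ok" status.

```shell
#!/bin/sh
# Added example, not from the original post: summarise vfs_full_audit syslog
# lines produced by the smb.conf above (prefix %U|%I|%m|%S, facility local5).
# Assumed line layout after the syslog header:
#   smbd_audit: <user>|<client ip>|<client name>|<share>|<op>|ok|<args>

# Count successful destructive operations (unlink, rmdir, rename) per
# "<user>|<client ip>", reading syslog lines on stdin.
# Output: one "<user>|<ip> <count>" per line, highest count first.
audit_destructive_per_user() {
    awk '
        /smbd_audit: / {
            sub(/.*smbd_audit: /, "")          # drop the syslog header
            n = split($0, f, "|")
            if (n < 7) next                    # not the expected layout
            op = f[5]; status = f[6]
            if (status == "ok" && (op == "unlink" || op == "rmdir" || op == "rename"))
                count[f[1] "|" f[2]]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort -k2,2nr
}

# Print every "<user>|<ip> <count>" whose count exceeds the threshold in $1.
# Returns 1 when at least one entry is over the threshold, 0 otherwise.
audit_flag_mass_delete() {
    threshold=$1
    hits=$(audit_destructive_per_user | awk -v t="$threshold" '$2 > t')
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Typical use on the DC (assumes local5 lands in /var/log/syslog):
#   audit_flag_mass_delete 100 < /var/log/syslog
```

The threshold and the operation list are deliberately simple; the point is that the prefix chosen in smb.conf already carries the user, source address and share, so no extra correlation is needed to attribute a burst of deletions.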
Now let's create the directory that will store the logs
mkdir -p /var/log/samba
Now let's create a link to the kerberos keytab
ln -s /usr/local/samba/private/dns.keytab /etc/krb5.keytab
Now let's start samba
/usr/local/samba/sbin/samba
Let's remove the expiry from the administrator's password
samba-tool user setexpiry administrator --noexpiry
Now let's check our smbclient version
smbclient --version
Version 4.1.4
Now let's list the shares
smbclient -L localhost -U%
Domain=[LAB] OS=[Unix] Server=[Samba 4.1.4]

	Sharename       Type      Comment
	---------       ----      -------
	netlogon        Disk
	sysvol          Disk
	IPC$            IPC       IPC Service (Samba 4.1.4)
Domain=[LAB] OS=[Unix] Server=[Samba 4.1.4]

	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------
Now let's test authentication against the shares
smbclient //localhost/netlogon -UAdministrator%'sen@134*' -c 'ls'
Domain=[LAB] OS=[Unix] Server=[Samba 4.1.4]
  .                                   D        0  Mon Aug 19 14:15:45 2013
  ..                                  D        0  Mon Aug 19 14:16:33 2013

		44993 blocks of size 65536. 8004 blocks available
Let's verify samba's configuration
testparm
Load smb config files from /usr/local/samba/etc/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[netlogon]"
Processing section "[sysvol]"
Loaded services file OK.
Server role: ROLE_ACTIVE_DIRECTORY_DC
Press enter to see a dump of your service definitions

[global]
	workgroup = LAB
	realm = lab.lan
	server role = active directory domain controller
	passdb backend = samba_dsdb
	log file = /var/log/samba/smbd.log
	max log size = 50
	load printers = No
	printcap name = /dev/null
	disable spoolss = Yes
	template shell = /bin/bash
	winbind enum users = Yes
	winbind enum groups = Yes
	winbind use default domain = Yes
	winbind nss info = rfc2307
	server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
	full_audit:priority = notice
	full_audit:facility = local5
	full_audit:prefix = %U|%I|%m|%S
	full_audit:failure = none
	full_audit:success = rmdir mkdir open write rename unlink
	recycle:keeptree = yes
	recycle:exclude = *.tmp *.TMP *.temp *.TEMP ~*
	recycle:repository = Lixeira
	idmap config LAB:range = 500-40000
	idmap config LAB:schema_mode = rfc2307
	idmap config LAB:backend = ad
	idmap config *:range = 70001-80000
	idmap_ldb:use rfc2307 = yes
	rpc_server:default = external
	rpc_server:svcctl = embedded
	rpc_server:srvsvc = embedded
	rpc_server:eventlog = embedded
	rpc_server:ntsvcs = embedded
	rpc_server:winreg = embedded
	rpc_server:spoolss = embedded
	rpc_daemon:spoolssd = embedded
	rpc_server:tcpip = no
	idmap config * : backend = tdb
	printing = bsd
	print command = lpr -r -P'%p' %s
	lpq command = lpq -P'%p'
	lprm command = lprm -P'%p' %j
	delete veto files = Yes
	veto files = /*.mp3/*.wav/*.exe/*.cmd/*.adm/*.inf/*.ini/*.pif
	map archive = No
	map readonly = no
	store dos attributes = Yes
	dos filemode = Yes
	vfs objects = recycle, full_audit

[netlogon]
	path = /usr/local/samba/var/locks/sysvol/lab.lan/scripts
	read only = No

[sysvol]
	path = /usr/local/samba/var/locks/sysvol
	read only = No
Now let's fix /etc/security/limits.conf so that samba stops reporting errors
vim /etc/security/limits.conf
# add at the end of the file
root hard nofile 131072
root soft nofile 65536
mioutente hard nofile 32768
mioutente soft nofile 16384
Now let's list samba's processes
ps aux | egrep samba
root      1231  0.0  8.8 512872 44888 ?        Ss   09:55   0:00 /usr/local/samba/sbin/samba
root      1233  0.0  6.3 512872 32084 ?        S    09:55   0:00 /usr/local/samba/sbin/samba
root      1234  0.0  6.4 512872 32964 ?        S    09:55   0:00 /usr/local/samba/sbin/samba
root      1235  0.0  6.6 512872 33732 ?        S    09:55   0:00 /usr/local/samba/sbin/samba
root      1236  0.0  6.3 512872 32056 ?        S    09:55   0:00 /usr/local/samba/sbin/samba
root      1237  0.0  6.5 512872 33440 ?        S    09:55   0:00 /usr/local/samba/sbin/samba
root      1238  0.0  6.4 512872 32652 ?        S    09:55   0:00 /usr/local/samba/sbin/samba
root      1239  0.0  6.7 512872 34188 ?        S    09:55   0:00 /usr/local/samba/sbin/samba
root      1240  0.0  6.5 512872 33472 ?        S    09:55   0:00 /usr/local/samba/sbin/samba
root      1241  0.0  6.6 516332 33776 ?        S    09:55   0:00 /usr/local/samba/sbin/samba
root      1242  0.0  6.3 512872 32172 ?        S    09:55   0:00 /usr/local/samba/sbin/samba
root      1243  0.0  7.9 512872 40388 ?        S    09:55   0:00 /usr/local/samba/sbin/samba
root      1244  0.0  6.5 512872 33132 ?        S    09:55   0:00 /usr/local/samba/sbin/samba
root      1245  0.0  9.0 470044 46176 ?        Ss   09:55   0:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
root      1247  0.0  6.7 513292 34192 ?        S    09:55   0:00 /usr/local/samba/sbin/samba
root      1250  0.0  6.3 470052 32320 ?        S    09:55   0:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
root      1295  0.0  0.1   7792   880 pts/0    S+   10:03   0:00 egrep samba
Now let's adjust /etc/resolv.conf so that our samba server's IP is used
vim /etc/resolv.conf
domain lab.lan
search lab.lan
nameserver 192.168.0.131
Now let's restart bind
/etc/init.d/bind9 restart
Now let's test with nslookup
nslookup lab.lan
Server:		192.168.0.131
Address:	192.168.0.131#53

Name:	lab.lan
Address: 192.168.0.131
Now let's adjust the kerberos file
Let's back it up
cp /etc/krb5.conf /etc/krb5.conf.old
Now let's remove the original
rm -rf /etc/krb5.conf
Now let's create a link to the kerberos file used by samba
ln -sf /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf
Now let's adjust its configuration
vim /etc/krb5.conf
[libdefaults]
	default_realm = LAB.LAN
	dns_lookup_realm = false
	dns_lookup_kdc = true
Now let's obtain a kerberos ticket for the administrator user
kinit administrator@LAB.LAN
Password for administrator@LAB.LAN:
Warning: Your password will expire in 41 days on Mon Sep 30 14:16:22 2013
Now let's list our ticket
klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@LAB.LAN

Valid starting       Expires              Service principal
19-08-2013 14:24:03  20-08-2013 00:24:03  krbtgt/LAB.LAN@LAB.LAN
	renew until 20-08-2013 14:24:00
Now let's test our samba authentication using the kerberos ticket
smbclient -k //pdc.lab.lan/netlogon -c 'ls'
Domain=[LAB] OS=[Unix] Server=[Samba 4.1.4]
  .                                   D        0  Mon Aug 19 14:15:45 2013
  ..                                  D        0  Mon Aug 19 14:16:33 2013

		44993 blocks of size 65536. 8004 blocks available
To use the kerberos ticket we need to pass the name of our DC (in my case debian.lab.lan); if we pass only localhost we get the following error, because the KDC has no service principal for cifs/localhost.
smbclient -k //localhost/netlogon -c 'ls'
ads_krb5_mk_req: smb_krb5_get_credentials failed for cifs/localhost@LAB.LAN (Server not found in Kerberos database)
cli_session_setup_kerberos: spnego_gen_krb5_negTokenInit failed: Server not found in Kerberos database
session setup failed: NT_STATUS_UNSUCCESSFUL
This error is discussed at the following link http://lists.samba.org/archive/samba-technical/2011-June/078134.html
Now let's configure the ntp server
aptitude install ntp -y
Now let's back up our configuration file
cp /etc/ntp.conf /etc/ntp.conf.old
Now let's make it look like this
vim /etc/ntp.conf
server 127.127.1.0
fudge 127.127.1.0 stratum 10
server a.ntp.br iburst prefer
server 0.pool.ntp.org iburst prefer
server 1.pool.ntp.org iburst prefer
driftfile /var/lib/ntp/ntp.drift
logfile /var/log/ntp
ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/
restrict default kod nomodify notrap nopeer mssntp
restrict 127.0.0.1
restrict a.ntp.br mask 255.255.255.255 nomodify notrap nopeer noquery
restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
Now let's restart the service
/etc/init.d/ntp restart
Now let's query the ntp service
ntpq -p 127.0.0.1
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 LOCAL(0)        .LOCL.          10 l   26   64    1    0.000    0.000   0.000
+a.ntp.br        200.160.7.186    2 u   15   64    1   11.543    4.363   0.306
 0.pool.ntp.org  .INIT.          16 u    -   64    0    0.000    0.000   0.000
*1.pool.ntp.org  200.160.7.186    2 u   13   64    1    6.470    5.146   0.305
Now let's fix the permission on the ntp signing socket directory
chgrp ntp /usr/local/samba/var/lib/ntp_signd
Now let's create samba's init script
vim /etc/init.d/samba
#! /bin/sh
### BEGIN INIT INFO
# Provides:          samba4
# Required-Start:    $network $local_fs $remote_fs
# Required-Stop:     $network $local_fs $remote_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: start Samba daemons
### END INIT INFO

#
# Start/stops the Samba daemon (samba).
# Adapted from the Samba 3 packages.
#

PIDDIR=/usr/local/samba/var/run
SAMBAPID=$PIDDIR/samba.pid

# clear conflicting settings from the environment
unset TMPDIR

# See if the daemon and the config file are there
test -x /usr/local/samba/sbin/samba -a -r /usr/local/samba/etc/smb.conf || exit 0

. /lib/lsb/init-functions

case "$1" in
	start)
		log_daemon_msg "Starting Samba 4 daemon" "samba"
		# Make sure we have our PIDDIR, even if it's on a tmpfs
		install -o root -g root -m 755 -d $PIDDIR

		if ! start-stop-daemon --start --quiet --oknodo --exec /usr/local/samba/sbin/samba -- -D; then
			log_end_msg 1
			exit 1
		fi

		log_end_msg 0
		;;
	stop)
		log_daemon_msg "Stopping Samba 4 daemon" "samba"

		# the PID file must be passed with --pidfile, not as a bare argument
		start-stop-daemon --stop --quiet --name samba --pidfile $SAMBAPID
		# Wait a little and remove stale PID file
		sleep 1
		if [ -f $SAMBAPID ] && ! ps h `cat $SAMBAPID` > /dev/null
		then
			# Stale PID file (samba was successfully stopped),
			# remove it (should be removed by samba itself IMHO.)
			rm -f $SAMBAPID
		fi

		log_end_msg 0
		;;
	restart|force-reload)
		$0 stop
		sleep 1
		$0 start
		;;
	*)
		echo "Usage: /etc/init.d/samba {start|stop|restart|force-reload}"
		exit 1
		;;
esac

exit 0
Let's make the script executable
chmod +x /etc/init.d/samba
Now let's add the script to the system startup
insserv -f -v samba
Now let's check whether our BIND_DLZ is working
samba_dnsupdate --verbose
IPs: ['192.168.0.52']
Looking for DNS entry A lab.lan 192.168.0.52 as lab.lan.
Looking for DNS entry A debian.lab.lan 192.168.0.52 as debian.lab.lan.
Looking for DNS entry A gc._msdcs.lab.lan 192.168.0.52 as gc._msdcs.lab.lan.
Looking for DNS entry CNAME 4600bb8b-c1f6-47b0-ae75-a31c9ef70281._msdcs.lab.lan debian.lab.lan as 4600bb8b-c1f6-47b0-ae75-a31c9ef70281._msdcs.lab.lan.
Looking for DNS entry SRV _kpasswd._tcp.lab.lan debian.lab.lan 464 as _kpasswd._tcp.lab.lan.
Checking 0 100 464 debian.lab.lan. against SRV _kpasswd._tcp.lab.lan debian.lab.lan 464
Looking for DNS entry SRV _kpasswd._udp.lab.lan debian.lab.lan 464 as _kpasswd._udp.lab.lan.
Checking 0 100 464 debian.lab.lan. against SRV _kpasswd._udp.lab.lan debian.lab.lan 464
Looking for DNS entry SRV _kerberos._tcp.lab.lan debian.lab.lan 88 as _kerberos._tcp.lab.lan.
Checking 0 100 88 debian.lab.lan. against SRV _kerberos._tcp.lab.lan debian.lab.lan 88
Looking for DNS entry SRV _kerberos._tcp.dc._msdcs.lab.lan debian.lab.lan 88 as _kerberos._tcp.dc._msdcs.lab.lan.
Checking 0 100 88 debian.lab.lan. against SRV _kerberos._tcp.dc._msdcs.lab.lan debian.lab.lan 88
Looking for DNS entry SRV _kerberos._tcp.default-first-site-name._sites.lab.lan debian.lab.lan 88 as _kerberos._tcp.default-first-site-name._sites.lab.lan.
Checking 0 100 88 debian.lab.lan. against SRV _kerberos._tcp.default-first-site-name._sites.lab.lan debian.lab.lan 88
Looking for DNS entry SRV _kerberos._tcp.default-first-site-name._sites.dc._msdcs.lab.lan debian.lab.lan 88 as _kerberos._tcp.default-first-site-name._sites.dc._msdcs.lab.lan.
Checking 0 100 88 debian.lab.lan. against SRV _kerberos._tcp.default-first-site-name._sites.dc._msdcs.lab.lan debian.lab.lan 88
Looking for DNS entry SRV _kerberos._udp.lab.lan debian.lab.lan 88 as _kerberos._udp.lab.lan.
Checking 0 100 88 debian.lab.lan. against SRV _kerberos._udp.lab.lan debian.lab.lan 88
Looking for DNS entry SRV _ldap._tcp.lab.lan debian.lab.lan 389 as _ldap._tcp.lab.lan.
Checking 0 100 389 debian.lab.lan. against SRV _ldap._tcp.lab.lan debian.lab.lan 389
Looking for DNS entry SRV _ldap._tcp.dc._msdcs.lab.lan debian.lab.lan 389 as _ldap._tcp.dc._msdcs.lab.lan.
Checking 0 100 389 debian.lab.lan. against SRV _ldap._tcp.dc._msdcs.lab.lan debian.lab.lan 389
Looking for DNS entry SRV _ldap._tcp.gc._msdcs.lab.lan debian.lab.lan 3268 as _ldap._tcp.gc._msdcs.lab.lan.
Checking 0 100 3268 debian.lab.lan. against SRV _ldap._tcp.gc._msdcs.lab.lan debian.lab.lan 3268
Looking for DNS entry SRV _ldap._tcp.pdc._msdcs.lab.lan debian.lab.lan 389 as _ldap._tcp.pdc._msdcs.lab.lan.
Checking 0 100 389 debian.lab.lan. against SRV _ldap._tcp.pdc._msdcs.lab.lan debian.lab.lan 389
Looking for DNS entry SRV _ldap._tcp.default-first-site-name._sites.lab.lan debian.lab.lan 389 as _ldap._tcp.default-first-site-name._sites.lab.lan.
Checking 0 100 389 debian.lab.lan. against SRV _ldap._tcp.default-first-site-name._sites.lab.lan debian.lab.lan 389
Looking for DNS entry SRV _ldap._tcp.default-first-site-name._sites.dc._msdcs.lab.lan debian.lab.lan 389 as _ldap._tcp.default-first-site-name._sites.dc._msdcs.lab.lan.
Checking 0 100 389 debian.lab.lan. against SRV _ldap._tcp.default-first-site-name._sites.dc._msdcs.lab.lan debian.lab.lan 389
Looking for DNS entry SRV _ldap._tcp.default-first-site-name._sites.gc._msdcs.lab.lan debian.lab.lan 3268 as _ldap._tcp.default-first-site-name._sites.gc._msdcs.lab.lan.
Checking 0 100 3268 debian.lab.lan. against SRV _ldap._tcp.default-first-site-name._sites.gc._msdcs.lab.lan debian.lab.lan 3268
Looking for DNS entry SRV _ldap._tcp.86f256e1-a77b-4a83-bddd-96acf7a0c89f.domains._msdcs.lab.lan debian.lab.lan 389 as _ldap._tcp.86f256e1-a77b-4a83-bddd-96acf7a0c89f.domains._msdcs.lab.lan.
Checking 0 100 389 debian.lab.lan. against SRV _ldap._tcp.86f256e1-a77b-4a83-bddd-96acf7a0c89f.domains._msdcs.lab.lan debian.lab.lan 389
Looking for DNS entry SRV _gc._tcp.lab.lan debian.lab.lan 3268 as _gc._tcp.lab.lan.
Checking 0 100 3268 debian.lab.lan. against SRV _gc._tcp.lab.lan debian.lab.lan 3268
Looking for DNS entry SRV _gc._tcp.default-first-site-name._sites.lab.lan debian.lab.lan 3268 as _gc._tcp.default-first-site-name._sites.lab.lan.
Checking 0 100 3268 debian.lab.lan. against SRV _gc._tcp.default-first-site-name._sites.lab.lan debian.lab.lan 3268
No DNS updates needed
Now let's create the reverse zone
samba-tool dns zonecreate lab.lan 1.168.192.in-addr.arpa -UAdministrator --password='sen@134*'
Let's create the reverse record for our pdc
samba-tool dns add pdc 1.168.192.in-addr.arpa 49 PTR pdc.lab.lan -Uadministrator --password='sen@134*'
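As an added example (my own POSIX sh helper, not part of the post), here is a function that derives the in-addr.arpa zone name and the PTR label from the DC's address and prefix length, and a second one that prints the two samba-tool commands for them. It handles /8, /16 and /24 only, since those map to a single classful reverse zone name; the function names are my choices, and the generated commands leave out --password because samba-tool prompts for it when only -U is given, which keeps the password out of shell history and the process list. Run against this post's server, 192.168.0.49/24, it yields 0.168.192.in-addr.arpa rather than the 1.168.192.in-addr.arpa used above, and the Windows nslookup output later in the post ("No information" for the reverse lookup of the DNS server, "Servidor: UnKnown") is what a missing or mismatched reverse zone looks like from a client, so it is worth checking the zone name against the DC's actual subnet before creating it.

```shell
#!/bin/sh
# Added example, not from the original post: compute the reverse zone and PTR
# label for an IPv4 address given as "a.b.c.d/prefix" (prefix 8, 16 or 24).

# Print "<zone> <label>" for e.g. 192.168.0.49/24:
#   zone  = 0.168.192.in-addr.arpa
#   label = 49   (the record name inside that zone)
reverse_zone() {
    ip=${1%/*}
    prefix=${1#*/}
    set -- $(echo "$ip" | tr . ' ')
    [ $# -eq 4 ] || { echo "bad address: $ip" >&2; return 1; }
    case $prefix in
        24) echo "$3.$2.$1.in-addr.arpa $4" ;;
        16) echo "$2.$1.in-addr.arpa $4.$3" ;;
        8)  echo "$1.in-addr.arpa $4.$3.$2" ;;
        *)  echo "unsupported prefix /$prefix (use 8, 16 or 24)" >&2; return 1 ;;
    esac
}

# Print the samba-tool commands that create the reverse zone and the PTR for
# host $1 in domain $2 with address $3 (e.g. pdc lab.lan 192.168.0.49/24).
# samba-tool prompts for the password when --password is omitted.
reverse_zone_commands() {
    host=$1; domain=$2; addr=$3
    out=$(reverse_zone "$addr") || return 1
    set -- $out
    zone=$1; label=$2
    echo "samba-tool dns zonecreate $host $zone -UAdministrator"
    echo "samba-tool dns add $host $zone $label PTR $host.$domain -UAdministrator"
}

# Usage: sh reverse_zone.sh pdc lab.lan 192.168.0.49/24
if [ $# -eq 3 ]; then
    reverse_zone_commands "$1" "$2" "$3"
fi
```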
Now let's create a basic print share
Now let's create the print spool directory and set its permissions
mkdir /usr/local/samba/var/spool
chmod 1777 /usr/local/samba/var/spool
Now let's add our print share to samba's configuration
vim /usr/local/samba/etc/smb.conf
# Global parameters
[...]
[printers]
	# NOTE: the [global] section above still has "load printers = no" and
	# "disable spoolss = yes"; with those in place Windows clients get no
	# spoolss service, so adjust them before expecting this share to work
	comment = All Printers
	path = /usr/local/samba/var/spool
	browseable = Yes
	read only = No
	printable = Yes
Now we need to create the directories that store the printer drivers, which the Windows client always looks for when installing a printer
mkdir -p /usr/local/samba/var/print/{COLOR,IA64,W32ALPHA,W32MIPS,W32PPC,W32X86,WIN40,x64}
Now let's create one more share in samba
vim /usr/local/samba/etc/smb.conf
# Global parameters
[...]
[printers]
	comment = All Printers
	path = /usr/local/samba/var/spool
	browseable = Yes
	read only = No
	printable = Yes

[print$]
	comment = Point and Print Printer Drivers
	path = /usr/local/samba/var/print
	read only = No
Now let's reload samba
killall -HUP samba
To add a printer
- Log in to the client computer with the domain Administrator user
- Click Start → Run and type '\\debian.lab.lan\'
- In the list of shares, double-click 'Printers and Faxes'
- Click File → Server Properties
- On the Drivers tab, click 'Add…', then 'Next'
- In the options menu, choose the driver for the printer you want to install and select 'Next'
Now choose the drivers for your architecture. If there is no driver for your architecture you will be asked to insert media containing the drivers
- Now close the drivers window
- Now right-click the printer drivers and select properties
- On the Advanced tab, choose the driver that was just installed
Joining an XP machine to the Samba4 domain
Let's open the network interface configuration
- Start menu/run, type ncpa.cpl
Let's set the DNS address to the samba server's IP
It should look like the screenshot below.
Now let's test DNS
nslookup debian.lab.lan
*** Não é possível encontrar o nome de servidor para o endereço 192.168.0.131: No information
*** Os servidores padrão não estão disponíveis
Servidor:  UnKnown
Address:  192.168.0.131

Nome =  debian.lab.lan
Address:  192.168.0.131
Now we need to set this machine's time and timezone to match the samba server's
Let's open the configuration
- Start menu/run, type timedate.cpl
Adjust the time here
On the Time Zone tab choose the zone for your location
Now let's join the domain
- Start menu/run, type sysdm.cpl
- Select the Computer Name tab.
- Now select Change
Under Domain, enter lab.lan
Now select OK
We'll get a screen like the one below; enter the administrator user and the password that was set for it when the samba domain was created.
If everything went well we'll get the following message
When we select OK we'll get the following message.
Now just select OK, then OK again, and Yes to restart the machine.
When it starts up we'll get the following screen
Now we need to press ctrl + alt + del
In "Log on to", select LAB
The user will be administrator, with its password.
Installing the Windows Remote Administration Tools on Windows
Links to get the Windows Remote Administration Tools:
- http://www.microsoft.com/en-us/download/details.aspx?id=6315 (Windows XP/Server 2003)
NOTE: when installing RSAT on Windows 8/7/Vista, after the installation we have to go to Programs in the Control Panel, "Turn Windows features on or off", and enable the administrative tools.
After getting the package we need to run it
Installing
Installation complete
Installed tools
Now let's open the Active Directory Users and Computers MMC from Administrative Tools, or via run with dsa.msc
We'll get something like the screenshot below.
Here we can create users, groups and computers, and create GPOs
Example of the objects we can create
Example of the user creation screen
Example of the GPO screen
We can also administer DNS through the MMC: in Administrative Tools open DNS
Example of the DNS configuration screen
We can also create users from the command line
samba-tool user add nerso
New Password:
Retype Password:
User 'nerso' created successfully
Now let's look at the AD users
Now let's set up roaming profiles
Let's adjust samba's configuration file
vim /usr/local/samba/etc/smb.conf
# Global parameters
[global]
	workgroup = LAB
	realm = LAB.LAN
	netbios name = DEBIAN
	server role = active directory domain controller
	server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate

[netlogon]
	path = /usr/local/samba/var/locks/sysvol/lab.lan/scripts
	read only = No

[sysvol]
	path = /usr/local/samba/var/locks/sysvol
	read only = No

[printers]
	comment = All Printers
	path = /usr/local/samba/var/spool
	browseable = Yes
	read only = No
	printable = Yes

[print$]
	comment = Point and Print Printer Drivers
	path = /usr/local/samba/var/print
	read only = No

[profiles]
	path = /usr/local/samba/var/profiles
	read only = no
Let's create the directory that will store the profiles
mkdir /usr/local/samba/var/profiles
Now let's fix the permissions
chmod -R 1777 /usr/local/samba/var/profiles
Now let's reload samba
killall -HUP samba
Now let's set up the profile of the user douglas.santos
Now let's log in with the user.
When we log on to the server, a folder with our user's name is created in /usr/local/samba/var/profiles
ls -l /usr/local/samba/var/profiles
total 8
drwxrws---+ 2 3000019 staff 4096 Fev 24 13:19 douglas.santos/
Note that our file has the + sign, meaning ACLs are enabled; let's list them
getfacl -p /usr/local/samba/var/profiles/douglas.santos
# file: /usr/local/samba/var/profiles/douglas.santos
# owner: 3000019
# group: staff
# flags: -s-
user::rwx
group::---
group:staff:---
group:3000002:rwx
group:3000019:rwx
mask::rwx
other::---
default:user::rwx
default:user:3000019:rwx
default:group::---
default:group:staff:---
default:group:3000002:rwx
default:group:3000019:rwx
default:mask::rwx
default:other::---
Now when we log off the files are saved inside the directory
ls -l /usr/local/samba/var/profiles/douglas.santos
total 624
drwxrws---+ 2 3000019 users   4096 Fev 23 13:44 Ambiente\ de\ impressão/
drwxrws---+ 2 3000019 users   4096 Fev 23 13:44 Ambiente\ de\ rede/
drwxrws---+ 2 3000019 users   4096 Fev 23 16:50 Cookies/
drwxrws---+ 4 3000019 users   4096 Fev 24 13:19 Dados\ de\ aplicativos/
drwxrws---+ 2 3000019 users   4096 Fev 23 13:44 Desktop/
drwxrws---+ 3 3000019 users   4096 Fev 24 13:19 Favoritos/
drwxrws---+ 3 3000019 users   4096 Fev 23 13:44 Menu\ Iniciar/
drwxrws---+ 4 3000019 users   4096 Fev 24 13:19 Meus\ documentos/
drwxrws---+ 2 3000019 users   4096 Fev 23 16:48 Modelos/
-rwxrwx---+ 1 3000019 users 524288 Fev 24 13:22 NTUSER.DAT*
-rwxrwx---+ 1 3000019 users   1024 Fev 24 13:22 NTUSER.DAT.LOG*
-rwxrwx---+ 1 3000019 users    300 Fev 24 13:22 ntuser.ini*
drwxrws---+ 2 3000019 users   4096 Fev 24 13:19 Recent/
drwxrws---+ 2 3000019 users   4096 Fev 24 13:19 SendTo/
Adjusting authentication
vim /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat winbind
group:          compat winbind
shadow:         compat

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
Adjusting PAM
ln -sf /usr/local/samba/lib/security/pam_winbind.so /lib/x86_64-linux-gnu/security/pam_winbind.so
For 64-bit systems we need to do it as follows
ln -s /usr/local/samba/lib/libnss_winbind.so.2 /usr/lib/x86_64-linux-gnu/libnss_winbind.so
ln -s /usr/lib/x86_64-linux-gnu/libnss_winbind.so /usr/lib/x86_64-linux-gnu/libnss_winbind.so.2
ldconfig
Now let's check that it is loaded on the system
ldconfig -v | grep winbind
ldconfig: Path `/lib/x86_64-linux-gnu' given more than once
ldconfig: Path `/usr/lib/x86_64-linux-gnu' given more than once
	libnss_winbind.so -> libnss_winbind.so.2
Now let's list the local and domain users
getent passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
Debian-exim:x:101:103::/var/spool/exim4:/bin/false
statd:x:102:65534::/var/lib/nfs:/bin/false
sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin
douglas:x:1000:1000:douglas,,,:/home/douglas:/bin/bash
postfix:x:104:107::/var/spool/postfix:/bin/false
messagebus:x:105:109::/var/run/dbus:/bin/false
bind:x:106:110::/var/cache/bind:/bin/false
ntp:x:107:111::/home/ntp:/bin/false
LAB\Administrator:*:0:100::/home/LAB/Administrator:/bin/bash
LAB\Guest:*:3000011:3000012::/home/LAB/Guest:/bin/bash
LAB\krbtgt:*:3000017:100::/home/LAB/krbtgt:/bin/bash
LAB\dns-pdc:*:3000018:100::/home/LAB/dns-pdc:/bin/bash
Now let's query the Administrator user's information
id Administrator
uid=0(root) gid=100(users) grupos=0(root),100(users),3000004(LAB\Group Policy Creator Owners),3000006(LAB\Enterprise Admins),3000008(LAB\Domain Admins),3000007(LAB\Schema Admins)
Now let's adjust PAM on the PDC server
vim /etc/pam.d/common-auth
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
auth    sufficient                      pam_winbind.so
auth    [success=2 default=ignore]      pam_krb5.so minimum_uid=1000
auth    [success=1 default=ignore]      pam_unix.so nullok_secure try_first_pass
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
vim /etc/pam.d/common-account
#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system.  The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.
#

# here are the per-package modules (the "Primary" block)
account sufficient                                              pam_winbind.so
account [success=1 new_authtok_reqd=done default=ignore]        pam_unix.so
# here's the fallback if no module succeeds
account requisite                                               pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required                                                pam_permit.so
# and here are more per-package modules (the "Additional" block)
account required                                                pam_krb5.so minimum_uid=1000
# end of pam-auth-update config
vim /etc/pam.d/common-session
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
session required        pam_mkhomedir.so skel=/etc/skel umask=0027
session required        pam_winbind.so
session [default=1]     pam_permit.so
# here's the fallback if no module succeeds
session requisite       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required        pam_permit.so
# and here are more per-package modules (the "Additional" block)
session optional        pam_krb5.so minimum_uid=1000
session required        pam_unix.so
# end of pam-auth-update config
vim /etc/pam.d/sshd
# PAM configuration for the Secure Shell service

# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
auth       required     pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
auth       required     pam_env.so envfile=/etc/default/locale

# Standard Un*x authentication.
@include common-auth

# Disallow non-root logins when /etc/nologin exists.
account    required     pam_nologin.so

#Allow connection from those groups
account    sufficient   pam_succeed_if.so user ingroup root
account    requisite    pam_succeed_if.so user ingroup ti-admin

# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account  required     pam_access.so

# Standard Un*x authorization.
@include common-account

# Standard Un*x session setup and teardown.
@include common-session

# Print the message of the day upon successful login.
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session    optional     pam_motd.so  motd=/run/motd.dynamic noupdate
session    optional     pam_motd.so # [1]

# Print the status of the user's mailbox upon successful login.
session    optional     pam_mail.so standard noenv # [1]

# Set up user limits from /etc/security/limits.conf.
session    required     pam_limits.so

# Set up SELinux capabilities (need modified pam)
# session    required     pam_selinux.so multiple

# Standard Un*x password updating.
@include common-password
vim /etc/pam.d/login
#
# The PAM configuration file for the Shadow `login' service
#

# Enforce a minimal delay in case of failure (in microseconds).
# (Replaces the `FAIL_DELAY' setting from login.defs)
# Note that other modules may require another minimal delay. (for example,
# to disable any delay, you should add the nodelay option to pam_unix)
auth       optional   pam_faildelay.so  delay=3000000

# Outputs an issue file prior to each login prompt (Replaces the
# ISSUE_FILE option from login.defs). Uncomment for use
# auth       required   pam_issue.so issue=/etc/issue

# Disallows root logins except on tty's listed in /etc/securetty
# (Replaces the `CONSOLE' setting from login.defs)
#
# With the default control of this module:
#    [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die]
# root will not be prompted for a password on insecure lines.
# if an invalid username is entered, a password is prompted (but login
# will eventually be rejected)
#
# You can change it to a "requisite" module if you think root may mis-type
# her login and should not be prompted for a password in that case. But
# this will leave the system as vulnerable to user enumeration attacks.
#
# You can change it to a "required" module if you think it permits to
# guess valid user names of your system (invalid user names are considered
# as possibly being root on insecure lines), but root passwords may be
# communicated over insecure lines.
auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so

# Disallows other than root logins when /etc/nologin exists
# (Replaces the `NOLOGINS_FILE' option from login.defs)
auth       requisite  pam_nologin.so

#Allow connection from those groups
account    sufficient pam_succeed_if.so user ingroup root
account    requisite  pam_succeed_if.so user ingroup ti-admin

# SELinux needs to be the first session rule. This ensures that any
# lingering context has been cleared. Without this it is possible
# that a module could execute code in the wrong domain.
# When the module is present, "required" would be sufficient (When SELinux
# is disabled, this returns success.)
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close

# This module parses environment configuration file(s)
# and also allows you to use an extended config
# file /etc/security/pam_env.conf.
#
# parsing /etc/environment needs "readenv=1"
session       required   pam_env.so readenv=1
# locale variables are also kept into /etc/default/locale in etch
# reading this file *in addition to /etc/environment* does not hurt
session       required   pam_env.so readenv=1 envfile=/etc/default/locale

# Standard Un*x authentication.
@include common-auth

# This allows certain extra groups to be granted to a user
# based on things like time of day, tty, service, and user.
# Please edit /etc/security/group.conf to fit your needs
# (Replaces the `CONSOLE_GROUPS' option in login.defs)
auth       optional   pam_group.so

# Uncomment and edit /etc/security/time.conf if you need to set
# time restraints on logins.
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
# as well as /etc/porttime)
# account    requisite  pam_time.so

# Uncomment and edit /etc/security/access.conf if you need to
# set access limits.
# (Replaces /etc/login.access file)
# account  required       pam_access.so

# Sets up user limits according to /etc/security/limits.conf
# (Replaces the use of /etc/limits in old login)
session    required   pam_limits.so

# Prints the last login info upon successful login
# (Replaces the `LASTLOG_ENAB' option from login.defs)
session    optional   pam_lastlog.so

# Prints the message of the day upon successful login.
# (Replaces the `MOTD_FILE' option in login.defs)
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session    optional   pam_motd.so  motd=/run/motd.dynamic
session    optional   pam_motd.so

# Prints the status of the user's mailbox upon successful login
# (Replaces the `MAIL_CHECK_ENAB' option from login.defs).
#
# This also defines the MAIL environment variable
# However, userdel also needs MAIL_DIR and MAIL_FILE variables
# in /etc/login.defs to make sure that removing a user
# also removes the user's mail spool file.
# See comments in /etc/login.defs
session    optional   pam_mail.so standard

# Standard Un*x account and session
@include common-account
@include common-session
@include common-password

# SELinux needs to intervene at login time to ensure that the process
# starts in the proper default security context. Only sessions which are
# intended to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
# When the module is present, "required" would be sufficient (When SELinux
# is disabled, this returns success.)
Adjusting sudo
visudo
%ti-admin ALL=(ALL:ALL) ALL
Configuring a Debian Wheezy client to authenticate against Samba 4
Prepare your system with the following script http://wiki.douglasqsantos.com.br/doku.php/confinicialwheezy_en so that no package or configuration is missing.
Let's update the repositories and upgrade the system
aptitude update && aptitude dist-upgrade -y
Now let's set the Debian environment variables
export DEBIAN_PRIORITY=critical
export DEBIAN_FRONTEND=noninteractive
Now let's install the dependencies
aptitude install samba samba-common smbclient winbind krb5-config libpam-krb5 cifs-utils krb5-user -y
Now let's restore the Debian environment variables
unset DEBIAN_PRIORITY
unset DEBIAN_FRONTEND
Now let's adjust resolv.conf
vim /etc/resolv.conf
domain lab.lan
search lab.lan
nameserver 192.168.0.25
nameserver 192.168.0.26
Now let's set our server's clock
ntpdate -u a.ntp.br
Now let's adjust the kerberos configuration file
vim /etc/krb5.conf
[libdefaults]
    default_realm = LAB.LAN
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    v4_instance_resolve = false
    v4_name_convert = {
        host = {
            rcmd = host
            ftp = ftp
        }
        plain = {
            something = something-else
        }
    }
    fcc-mit-ticketflags = true

[realms]
    LAB.LAN = {
        kdc = 192.168.0.25
        kdc = 192.168.0.26
        admin_server = 192.168.0.25:749
        default_server = 192.168.0.25
    }

[domain_realm]
    .lab.lan=LAB.LAN
    lab.lan=LAB.LAN

[login]
    krb4_convert = true
    krb4_get_tickets = false

[kdc]
    profile = /etc/krb5kdc/kdc.conf

[appdefaults]
    pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
    }

[logging]
    default = file:/var/log/krb5libs.log
    kdc = file:/var/log/krb5kdc.log
    admin_server = file:/var/log/kadmind.log
Now let's adjust limits.conf
vim /etc/security/limits.conf
[...]
# put at the end of the file
root hard nofile 131072
root soft nofile 65536
mioutente hard nofile 32768
mioutente soft nofile 16384
Now let's adjust smb.conf
vim /etc/samba/smb.conf
[global]
    workgroup = LAB
    security = ADS
    realm = LAB.LAN
    netbios name = DEBIAN
    encrypt passwords = yes
    idmap config * : backend = tdb
    idmap config * : range = 10000-30000
    idmap config LAB:backend = ad
    idmap config LAB:schema_mode = rfc2307
    auth methods = winbind
    winbind nss info = rfc2307
    winbind trusted domains only = no
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    template shell = /bin/bash
Now let's adjust nsswitch.conf
vim /etc/nsswitch.conf
[...]
passwd:         compat winbind
group:          compat winbind
Now let's restart the services
/etc/init.d/samba restart
/etc/init.d/winbind restart
Now let's join the domain
net ads join lab.lan -U administrator
Now let's restart the services again
/etc/init.d/samba restart
/etc/init.d/winbind restart
Now let's adjust PAM
vim /etc/pam.d/common-auth
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
auth    sufficient                      pam_winbind.so
auth    [success=2 default=ignore]      pam_krb5.so minimum_uid=1000
auth    [success=1 default=ignore]      pam_unix.so nullok_secure try_first_pass
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
vim /etc/pam.d/common-account
#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system.  The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.
#

# here are the per-package modules (the "Primary" block)
account sufficient                                              pam_winbind.so
account [success=1 new_authtok_reqd=done default=ignore]        pam_unix.so
# here's the fallback if no module succeeds
account requisite                                               pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required                                                pam_permit.so
# and here are more per-package modules (the "Additional" block)
account required                                                pam_krb5.so minimum_uid=1000
# end of pam-auth-update config
vim /etc/pam.d/common-session
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
session required        pam_mkhomedir.so skel=/etc/skel umask=0027
session required        pam_winbind.so
session [default=1]     pam_permit.so
# here's the fallback if no module succeeds
session requisite       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required        pam_permit.so
# and here are more per-package modules (the "Additional" block)
session optional        pam_krb5.so minimum_uid=1000
session required        pam_unix.so
# end of pam-auth-update config
vim /etc/pam.d/sshd
# PAM configuration for the Secure Shell service

# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
auth       required     pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
auth       required     pam_env.so envfile=/etc/default/locale

# Standard Un*x authentication.
@include common-auth

# Disallow non-root logins when /etc/nologin exists.
account    required     pam_nologin.so

#Allow connection from those groups
account    sufficient   pam_succeed_if.so user ingroup root
account    requisite    pam_succeed_if.so user ingroup ti-admin

# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account  required     pam_access.so

# Standard Un*x authorization.
@include common-account

# Standard Un*x session setup and teardown.
@include common-session

# Print the message of the day upon successful login.
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session    optional     pam_motd.so  motd=/run/motd.dynamic noupdate
session    optional     pam_motd.so # [1]

# Print the status of the user's mailbox upon successful login.
session    optional     pam_mail.so standard noenv # [1]

# Set up user limits from /etc/security/limits.conf.
session    required     pam_limits.so

# Set up SELinux capabilities (need modified pam)
# session    required     pam_selinux.so multiple

# Standard Un*x password updating.
@include common-password
vim /etc/pam.d/login
#
# The PAM configuration file for the Shadow `login' service
#

# Enforce a minimal delay in case of failure (in microseconds).
# (Replaces the `FAIL_DELAY' setting from login.defs)
# Note that other modules may require another minimal delay. (for example,
# to disable any delay, you should add the nodelay option to pam_unix)
auth       optional   pam_faildelay.so  delay=3000000

# Outputs an issue file prior to each login prompt (Replaces the
# ISSUE_FILE option from login.defs). Uncomment for use
# auth       required   pam_issue.so issue=/etc/issue

# Disallows root logins except on tty's listed in /etc/securetty
# (Replaces the `CONSOLE' setting from login.defs)
#
# With the default control of this module:
#    [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die]
# root will not be prompted for a password on insecure lines.
# if an invalid username is entered, a password is prompted (but login
# will eventually be rejected)
#
# You can change it to a "requisite" module if you think root may mis-type
# her login and should not be prompted for a password in that case. But
# this will leave the system as vulnerable to user enumeration attacks.
#
# You can change it to a "required" module if you think it permits to
# guess valid user names of your system (invalid user names are considered
# as possibly being root on insecure lines), but root passwords may be
# communicated over insecure lines.
auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so

# Disallows other than root logins when /etc/nologin exists
# (Replaces the `NOLOGINS_FILE' option from login.defs)
auth       requisite  pam_nologin.so

#Allow connection from those groups
account    sufficient pam_succeed_if.so user ingroup root
account    requisite  pam_succeed_if.so user ingroup ti-admin

# SELinux needs to be the first session rule. This ensures that any
# lingering context has been cleared. Without this it is possible
# that a module could execute code in the wrong domain.
# When the module is present, "required" would be sufficient (When SELinux
# is disabled, this returns success.)
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close

# This module parses environment configuration file(s)
# and also allows you to use an extended config
# file /etc/security/pam_env.conf.
#
# parsing /etc/environment needs "readenv=1"
session       required   pam_env.so readenv=1
# locale variables are also kept into /etc/default/locale in etch
# reading this file *in addition to /etc/environment* does not hurt
session       required   pam_env.so readenv=1 envfile=/etc/default/locale

# Standard Un*x authentication.
@include common-auth

# This allows certain extra groups to be granted to a user
# based on things like time of day, tty, service, and user.
# Please edit /etc/security/group.conf to fit your needs
# (Replaces the `CONSOLE_GROUPS' option in login.defs)
auth       optional   pam_group.so

# Uncomment and edit /etc/security/time.conf if you need to set
# time restraints on logins.
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
# as well as /etc/porttime)
# account    requisite  pam_time.so

# Uncomment and edit /etc/security/access.conf if you need to
# set access limits.
# (Replaces /etc/login.access file)
# account  required       pam_access.so

# Sets up user limits according to /etc/security/limits.conf
# (Replaces the use of /etc/limits in old login)
session    required   pam_limits.so

# Prints the last login info upon successful login
# (Replaces the `LASTLOG_ENAB' option from login.defs)
session    optional   pam_lastlog.so

# Prints the message of the day upon successful login.
# (Replaces the `MOTD_FILE' option in login.defs)
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session    optional   pam_motd.so  motd=/run/motd.dynamic
session    optional   pam_motd.so

# Prints the status of the user's mailbox upon successful login
# (Replaces the `MAIL_CHECK_ENAB' option from login.defs).
#
# This also defines the MAIL environment variable
# However, userdel also needs MAIL_DIR and MAIL_FILE variables
# in /etc/login.defs to make sure that removing a user
# also removes the user's mail spool file.
# See comments in /etc/login.defs
session    optional   pam_mail.so standard

# Standard Un*x account and session
@include common-account
@include common-session
@include common-password

# SELinux needs to intervene at login time to ensure that the process
# starts in the proper default security context. Only sessions which are
# intended to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
# When the module is present, "required" would be sufficient (When SELinux
# is disabled, this returns success.)
Adjusting sudo
visudo
%ti-admin ALL=(ALL:ALL) ALL
Now let's test the connection with winbind
wbinfo -t
checking the trust secret for domain LAB via RPC calls succeeded
Now let's list the domain users
wbinfo -u
douglas.santos
administrator
dns-nodo1
krbtgt
guest
Let's list the groups
wbinfo -g
allowed rodc password replication group
enterprise read-only domain controllers
denied rodc password replication group
ti-admin
read-only domain controllers
group policy creator owners
ras and ias servers
domain controllers
enterprise admins
domain computers
cert publishers
dnsupdateproxy
domain admins
domain guests
schema admins
domain users
dnsadmins
Now let's test SSH access to this client
ssh douglas.santos@192.168.0.52
douglas.santos@192.168.0.52's password:
Creating directory '/home/LAB/douglas.santos'.
Linux debian 3.2.0-4-amd64 #1 SMP Debian 3.2.46-1 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
[10:35:45] douglas.santos@debian [~] $
In the authentication logs we will see something like the lines below
tail -f /var/log/auth.log
Aug 27 10:35:44 debian sshd[4852]: pam_krb5(sshd:auth): user douglas.santos authenticated as douglas.santos@LAB.LAN
Aug 27 10:35:44 debian sshd[4852]: Accepted password for douglas.santos from 192.168.0.130 port 51197 ssh2
Aug 27 10:35:44 debian sshd[4852]: pam_unix(sshd:session): session opened for user douglas.santos by (uid=0)
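The three auth.log lines above are the trail you will want to review on every client; here is an added example (my own code, not from the article) that groups the sshd lines of a log by PID into one event per connection, records which Kerberos principal vouched for which Unix user and from where, and lists accepted logins that did not go through pam_krb5. The failed attempt and the local-account login in the sample are constructed for contrast.

```python
"""Added example (not from the article): correlate sshd lines from
/var/log/auth.log into one event per connection and spot accepted logins
that pam_krb5 did not vouch for."""
import re
from collections import OrderedDict

# Constructed sample: the three lines from the article, plus a constructed
# failed attempt and a constructed local-account login without a pam_krb5 line.
SAMPLE_AUTH_LOG = """\
Aug 27 10:35:44 debian sshd[4852]: pam_krb5(sshd:auth): user douglas.santos authenticated as douglas.santos@LAB.LAN
Aug 27 10:35:44 debian sshd[4852]: Accepted password for douglas.santos from 192.168.0.130 port 51197 ssh2
Aug 27 10:35:44 debian sshd[4852]: pam_unix(sshd:session): session opened for user douglas.santos by (uid=0)
Aug 27 10:41:02 debian sshd[4901]: Failed password for invalid user backup-admin from 192.168.0.130 port 51210 ssh2
Aug 27 10:43:10 debian sshd[4910]: Accepted password for douglas from 192.168.0.130 port 51222 ssh2
Aug 27 10:43:10 debian sshd[4910]: pam_unix(sshd:session): session opened for user douglas by (uid=0)
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                     r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
KRB_RE = re.compile(r"pam_krb5\(sshd:auth\): user (\S+) authenticated as (\S+)")
ACCEPT_RE = re.compile(r"Accepted (\S+) for (\S+) from (\S+) port (\d+)")
FAIL_RE = re.compile(r"Failed (\S+) for (?:invalid user )?(\S+) from (\S+) port (\d+)")
SESSION_RE = re.compile(r"pam_unix\(sshd:session\): session opened for user (\S+)")


def correlate(log_text):
    """Group sshd lines by PID (one PID per connection) into event dicts."""
    events = OrderedDict()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not an sshd line
        ev = events.setdefault(m.group("pid"), {
            "pid": int(m.group("pid")), "host": m.group("host"),
            "time": m.group("ts"), "user": None, "principal": None,
            "method": None, "src_ip": None, "src_port": None,
            "result": "unknown", "session_opened": False})
        msg = m.group("msg")
        k = KRB_RE.search(msg)
        if k:  # pam_krb5 got a ticket from the Samba KDC for this user
            ev["user"], ev["principal"] = k.group(1), k.group(2)
            continue
        a = ACCEPT_RE.search(msg)
        if a:
            ev["method"], ev["user"], ev["src_ip"] = a.group(1), a.group(2), a.group(3)
            ev["src_port"], ev["result"] = int(a.group(4)), "accepted"
            continue
        f = FAIL_RE.search(msg)
        if f:
            ev["method"], ev["user"], ev["src_ip"] = f.group(1), f.group(2), f.group(3)
            ev["src_port"], ev["result"] = int(f.group(4)), "failed"
            continue
        if SESSION_RE.search(msg):
            ev["session_opened"] = True
    return events


def accepted_without_principal(log_text):
    """Accepted logins with no pam_krb5 line: with the common-auth stack
    from this article the password was then accepted by another module
    (pam_winbind, or pam_unix against the local /etc/shadow), not by the KDC."""
    return [ev for ev in correlate(log_text).values()
            if ev["result"] == "accepted" and ev["principal"] is None]


def realm_of(ev):
    """Realm part of the principal, or None for non-Kerberos logins."""
    return ev["principal"].rsplit("@", 1)[1] if ev["principal"] else None
```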
The client is authenticating successfully :D
Configuring a CentOS client to authenticate against Samba 4
Prepare your system with the following script http://wiki.douglasqsantos.com.br/doku.php/confinicialcentos6_en so that no package or configuration is missing.
Let's install the dependencies so it can be part of the samba 4 domain
yum install samba samba-winbind samba-winbind-devel samba-client samba-common \
pam_krb5 cifs-utils samba-winbind-krb5-locator samba-doc krb5-workstation -y
Now let's add the services to the system startup
chkconfig --add nmb
chkconfig --add smb
chkconfig --add winbind
Now let's enable them
chkconfig nmb on
chkconfig smb on
chkconfig winbind on
Now let's adjust the client's resolv.conf
vim /etc/resolv.conf
domain lab.lan
search lab.lan
nameserver 192.168.0.25
nameserver 192.168.0.26
Now let's adjust the network interface
vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE="eth0"
BOOTPROTO="static"
BROADCAST="192.168.0.255"
DNS1="192.168.0.25"
DNS2="192.168.0.26"
GATEWAY="192.168.0.1"
IPADDR="192.168.0.27"
NETMASK="255.255.255.0"
NM_CONTROLLED="yes"
ONBOOT="yes"
TYPE="Ethernet"
Now let's set the server's clock, because winbind and kerberos do not tolerate clock skew
ntpdate -u a.ntp.br
Now let's adjust kerberos
vim /etc/krb5.conf
[libdefaults]
    default_realm = LAB.LAN
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    v4_instance_resolve = false
    v4_name_convert = {
        host = {
            rcmd = host
            ftp = ftp
        }
        plain = {
            something = something-else
        }
    }
    fcc-mit-ticketflags = true

[realms]
    LAB.LAN = {
        kdc = 192.168.0.25
        kdc = 192.168.0.26
        admin_server = 192.168.0.25:749
        default_server = 192.168.0.25
    }

[domain_realm]
    .lab.lan=LAB.LAN
    lab.lan=LAB.LAN

[login]
    krb4_convert = true
    krb4_get_tickets = false

[kdc]
    profile = /etc/krb5kdc/kdc.conf

[appdefaults]
    pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
    }

[logging]
    default = file:/var/log/krb5libs.log
    kdc = file:/var/log/krb5kdc.log
    admin_server = file:/var/log/kadmind.log
Now let's fix limits.conf
vim /etc/security/limits.conf
[...]
# put at the end of the file
root hard nofile 131072
root soft nofile 65536
mioutente hard nofile 32768
mioutente soft nofile 16384
Now let's adjust smb.conf
vim /etc/samba/smb.conf
[global]
    workgroup = LAB
    security = ADS
    realm = LAB.LAN
    netbios name = CENTOS
    encrypt passwords = yes
    idmap config * : backend = tdb
    idmap config * : range = 10000-30000
    idmap config LAB:backend = ad
    idmap config LAB:schema_mode = rfc2307
    auth methods = winbind
    winbind nss info = rfc2307
    winbind trusted domains only = no
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    template shell = /bin/bash
Agora vamos ajustar o nsswitch.conf
vim /etc/nsswitch.conf [...] passwd: files winbind shadow: files group: files winbind
Vamos iniciar os serviços
/etc/init.d/nmb start
/etc/init.d/smb start
/etc/init.d/winbind start
Now let's configure PAM
We'll set it up so that the user's home directory is created when they log in
vim /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     required      pam_mkhomedir.so skel=/etc/skel/ umask=0027
Now let's configure console login through winbind; here I allowed only the root and ti-admin groups to log in to Linux machines
vim /etc/pam.d/login
#%PAM-1.0
auth        sufficient    pam_winbind.so
auth        [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth        include       system-auth

account     sufficient    pam_succeed_if.so user ingroup root
account     required      pam_winbind.so
account     required      pam_nologin.so
account     include       system-auth
# Groups that will be allowed to log in to the server
account     requisite     pam_succeed_if.so user ingroup ti-admin

password    include       system-auth

# pam_selinux.so close should be the first session rule
session     required      pam_selinux.so close
session     required      pam_mkhomedir.so skel=/etc/skel umask=0027
session     include       system-auth
session     required      pam_loginuid.so
session     optional      pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session     required      pam_selinux.so open
session     optional      pam_keyinit.so force revoke
Now let's configure SSH access through winbind; again I allowed only the root and ti-admin groups to log in to Linux machines
vim /etc/pam.d/sshd
#%PAM-1.0
auth        sufficient    pam_winbind.so
auth        include       system-auth

account     sufficient    pam_succeed_if.so user ingroup root
account     required      pam_winbind.so
account     required      pam_nologin.so
account     include       system-auth
# Groups that will be allowed to log in via ssh
account     requisite     pam_succeed_if.so user ingroup ti-admin

password    include       system-auth

session     required      pam_mkhomedir.so skel=/etc/skel umask=0027
session     optional      pam_keyinit.so force revoke
session     include       system-auth
session     required      pam_loginuid.so
Now let's check that we can obtain a Kerberos ticket
kinit administrator
Password for administrator@LAB.LAN:
Warning: Your password will expire in 41 days on Mon Oct  7 12:02:11 2013
Now let's list our ticket
klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@LAB.LAN

Valid starting     Expires            Service principal
08/27/13 10:02:54  08/27/13 20:02:54  krbtgt/LAB.LAN@LAB.LAN
        renew until 08/28/13 10:02:51
Now let's join the domain
net ads join lab.lan -U administrator
I'm still trying to fix this DNS error.
Now let's restart the services
/etc/init.d/nmb restart
/etc/init.d/smb restart
/etc/init.d/winbind restart
Now let's test the connection to winbind
wbinfo -t
checking the trust secret for domain LAB via RPC calls succeeded
Now let's list the domain users
wbinfo -u
douglas.santos
administrator
dns-nodo1
krbtgt
guest
Let's list the groups
wbinfo -g
allowed rodc password replication group
enterprise read-only domain controllers
denied rodc password replication group
ti-admin
read-only domain controllers
group policy creator owners
ras and ias servers
domain controllers
enterprise admins
domain computers
cert publishers
dnsupdateproxy
domain admins
domain guests
schema admins
domain users
dnsadmins
Now let's test SSH access to this client
ssh douglas.santos@192.168.0.27
douglas.santos@192.168.0.27's password:
Creating directory '/home/LAB/douglas.santos'.
[10:40:01] douglas.santos@centos [~] $
Now let's look at the access logs on the CentOS client
tail -f /var/log/secure
Aug 27 10:38:55 centos sshd[13906]: pam_winbind(sshd:auth): getting password (0x00000000)
Aug 27 10:38:56 centos sshd[13906]: pam_winbind(sshd:auth): user 'douglas.santos' granted access
Aug 27 10:39:32 centos sshd[13906]: pam_succeed_if(sshd:account): requirement "user ingroup root" not met by user "douglas.santos"
Aug 27 10:39:32 centos sshd[13906]: pam_winbind(sshd:account): user 'douglas.santos' granted access
Aug 27 10:39:35 centos sshd[13906]: pam_succeed_if(sshd:account): requirement "user ingroup ti-admin" was met by user "douglas.santos"
Aug 27 10:39:35 centos sshd[13906]: Accepted password for douglas.santos from 192.168.0.130 port 46470 ssh2
Aug 27 10:39:50 centos sshd[13906]: pam_unix(sshd:session): session opened for user douglas.santos by (uid=0)
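As an added example (not part of the original post), the following Python script replays the group gating of the /etc/pam.d/sshd account stack above (the `sufficient` root-group rule and the `requisite` ti-admin rule) against log lines shaped like the /var/log/secure excerpt, so an admin can audit which group rule let each SSH session through. The log sample is constructed: the first session (PID 13906) copies the account-stage lines of the excerpt, the second (PID 14001, the domain `guest` user listed by wbinfo -u) is invented to show a denial.

```python
import re

# Account stack from /etc/pam.d/sshd above, reduced to its two pam_succeed_if
# rules in stack order: (PAM control flag, group the rule tests).
ACCOUNT_STACK = [("sufficient", "root"), ("requisite", "ti-admin")]

REQ_RE = re.compile(r'sshd\[(?P<pid>\d+)\]: pam_succeed_if\(sshd:account\): requirement '
                    r'"user ingroup (?P<group>\S+)" (?P<result>was met|not met) by user "(?P<user>[^"]+)"')
ACCEPT_RE = re.compile(r'sshd\[(?P<pid>\d+)\]: Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)')

# Constructed sample: the account-stage lines of the excerpt above (PID 13906)
# plus an invented session (PID 14001) for a user in neither root nor ti-admin.
SAMPLE_LOG = """\
Aug 27 10:39:32 centos sshd[13906]: pam_succeed_if(sshd:account): requirement "user ingroup root" not met by user "douglas.santos"
Aug 27 10:39:32 centos sshd[13906]: pam_winbind(sshd:account): user 'douglas.santos' granted access
Aug 27 10:39:35 centos sshd[13906]: pam_succeed_if(sshd:account): requirement "user ingroup ti-admin" was met by user "douglas.santos"
Aug 27 10:39:35 centos sshd[13906]: Accepted password for douglas.santos from 192.168.0.130 port 46470 ssh2
Aug 27 11:02:10 centos sshd[14001]: pam_succeed_if(sshd:account): requirement "user ingroup root" not met by user "guest"
Aug 27 11:02:10 centos sshd[14001]: pam_winbind(sshd:account): user 'guest' granted access
Aug 27 11:02:10 centos sshd[14001]: pam_succeed_if(sshd:account): requirement "user ingroup ti-admin" not met by user "guest"
"""

def decide(checks):
    """Apply the control flags to the logged results ({group: met?}).
    Assumes the 'required' modules between the rules (pam_winbind, pam_nologin,
    system-auth) succeeded, as they did in the run above."""
    for control, group in ACCOUNT_STACK:
        met = checks.get(group)
        if met is None:                          # rule never ran or was not logged
            continue
        if control == "sufficient" and met:      # root-group member: stack ends here
            return "allowed"
        if control == "requisite" and not met:   # outside ti-admin: stack aborts here
            return "denied"
    return "allowed"

def audit(log_text):
    """Return {pid: (user, decision, source IP or None)} per sshd session."""
    sessions = {}
    for line in log_text.splitlines():
        m = REQ_RE.search(line) or ACCEPT_RE.search(line)
        if not m:
            continue
        s = sessions.setdefault(m.group("pid"), {"user": m.group("user"), "checks": {}, "src": None})
        if "group" in m.groupdict():             # a pam_succeed_if verdict line
            s["checks"][m.group("group")] = (m.group("result") == "was met")
        else:                                    # sshd's "Accepted ..." line
            s["src"] = m.group("src")
    return {pid: (s["user"], decide(s["checks"]), s["src"]) for pid, s in sessions.items()}
```

Calling `audit(SAMPLE_LOG)` reports douglas.santos as allowed by the ti-admin rule and guest as denied; on a real client, feed it the contents of /var/log/secure instead of the sample.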
The client is configured successfully :D