Differences

This shows you the differences between two versions of the page.

Link to this comparison view

instalando_e_configurando_o_samba4_com_suporte_a_adminpack_no_debian_wheezy_pt_br [2019/08/08 15:23] (current)
Line 1: Line 1:
 +====== Instalando e Configurando o Samba4 com suporte a AdminPack no Debian Wheezy  ======
  
 +
 +E ai galera, aqui eu vou abordar a instalação e a configuração do Samba4 com suporte a Administração do domínio utilizando o AdminPack da Microsoft e vamos configurar também a utilização do Bind_DLZ como backend de DNS.
 +
 +**OBS:** O Dns não pode trabalhar em modo chroot pois o bind não consegue acessar os arquivos e o banco de dados do Samba: http://wiki.samba.org/index.php/Dns-backend_bind#Known_issues_and_ways_to_fix.2Fworkaround
 +
 +Eu achei que ficou muito bom e limpa a instalação e configuração então vamos trabalhar :D
 +
 +Prepare o seu sistema com o seguinte script http://wiki.douglasqsantos.com.br/doku.php/confinicialwheezy_en para que não falte nenhum pacote ou configuração.
 +
 +O que eu vou utilizar:
 +  * **Servidor Samba**
 +    * IP: 192.168.0.49/24
 +    * **Nome:** debian
 +    * **Domínio:** lab.lan
 +  * **Cliente xp**
 +    * **IP:** 192.168.0.4/24
 +    * **Nome:** xp
 +    * **Domínio:** lab.lan 
 +
 +Agora vamos mandar atualizar os repositórios e vamos mandar fazer um upgrade do sistema
 +<sxh bash>
 +aptitude update && aptitude dist-upgrade -y
 +</sxh>
 +
 +Vamos ajustar algumas variaveis do ambiente
 +<sxh bash>
 +export DEBIAN_PRIORITY=critical 
 +export DEBIAN_FRONTEND=noninteractive
 +</sxh>
 +
 +Agora vamos mandar instalar as suas dependências
 +<sxh bash>
 +aptitude install libpam0g-dev git gcc make wget libacl1-dev libblkid-dev libreadline-dev python-dev libcups2-dev \
 + libcupscgi1-dev libcupsdriver1-dev libcupsimage2-dev libcupsmime1-dev libcupsppdc1-dev libcupsys2-dev libaio-dev acl-dev \
 +acl heimdal-clients libattr1-dev  libacl1-dev libattr1-dev libblkid-dev libgnutls-dev libreadline-dev  python-dnspython gdb pkg-config libfam-dev  \
 +libpopt-dev libldap2-dev dnsutils libbsd-dev attr docbook-xsl libcups2-dev python-gnupginterface python-pycurl python-software-properties \
 +quota unattended-upgrades libpam-heimdal bison debhelper flex gettext  html2text intltool-debian  libbison-dev libgettextpo0 libldb-dev \
 +libldb1 libparse-yapp-perl libpython2.6  libsmbclient libsmbclient-dev libsubunit-dev libsubunit-perl libsubunit0 libtalloc-dev libtalloc2 \
 +libtdb-dev libtdb1 libtevent-dev libtevent0 libunistring0 libwbclient-dev libwbclient0 libxslt1.1 po-debconf python-all python-all-dev python-ldb \
 +python-ldb-dev python-pkg-resources python-subunit python-talloc python-talloc-dev python-tdb python-testtools python2.6-dev  subunit xsltproc \
 +heimdal-dev heimdal-multidev libasn1-8-heimdal libgssapi3-heimdal libhcrypto4-heimdal libhdb9-heimdal libheimbase1-heimdal libheimntlm0-heimdal \
 +libhx509-5-heimdal libkadm5clnt7-heimdal libkadm5srv8-heimdal libkafs0-heimdal libkdc2-heimdal libkrb5-26-heimdal libroken18-heimdal libwind0-heimdal -y
 +</sxh>
 +
 +Agora vamos voltar as variáveis ao default
 +<sxh bash>
 +unset DEBIAN_PRIORITY
 +unset DEBIAN_FRONTEND
 +</sxh>
 +
 +Agora precisamos fazer um ajuste no sistema de arquivo aonde esta a partição /usr, precisamos inserir depois de defaults a palavra chave acl e user_xattr.
 +<sxh bash>
 +vim /etc/fstab
 +[...]
 +UUID=35689fda-e60e-4a5c-823b-3076e36a7586 /usr            ext4    defaults,acl,user_xattr,barrier=1        0       2
 +</sxh>
 +
 +Agora vamos mandar remontar a partição
 +<sxh bash>
 +mount -o remount /usr
 +</sxh>
 +
 +Agora vamos conferir se foi carregado o atributo de acl
 +<sxh bash>
 +mount | egrep xattr
 +/dev/disk/by-uuid/1b505238-9622-44bb-9ff1-1a5b72f9636e on / type ext4 (rw,relatime,errors=remount-ro,user_xattr,barrier=1,data=ordered)
 +/dev/sda9 on /home type ext4 (rw,relatime,user_xattr,barrier=1,data=ordered)
 +/dev/sda8 on /tmp type ext4 (rw,relatime,user_xattr,barrier=1,data=ordered)
 +/dev/sda5 on /usr type ext4 (rw,relatime,user_xattr,barrier=1,data=ordered)
 +/dev/sda6 on /var type ext4 (rw,relatime,user_xattr,barrier=1,data=ordered)
 +</sxh>
 +
 +Em alguns casos o sistema não carrega a acl com isso tem que ser reiniciado o servidor para ele recarregar, porém no Debian Wheezy ele fica interno no kernel e não como um módulo.
 +
 +Vamos listar as opções do kernel
 +<sxh bash>
 +egrep -i acl /boot/config-3.2.0-4-amd64
 +CONFIG_EXT2_FS_POSIX_ACL=y
 +CONFIG_EXT3_FS_POSIX_ACL=y
 +CONFIG_EXT4_FS_POSIX_ACL=y
 +CONFIG_REISERFS_FS_POSIX_ACL=y
 +CONFIG_JFS_POSIX_ACL=y
 +CONFIG_XFS_POSIX_ACL=y
 +CONFIG_BTRFS_FS_POSIX_ACL=y
 +CONFIG_FS_POSIX_ACL=y
 +CONFIG_GENERIC_ACL=y
 +CONFIG_TMPFS_POSIX_ACL=y
 +CONFIG_JFFS2_FS_POSIX_ACL=y
 +CONFIG_NFS_V3_ACL=y
 +CONFIG_NFSD_V2_ACL=y
 +CONFIG_NFSD_V3_ACL=y
 +CONFIG_NFS_ACL_SUPPORT=m
 +CONFIG_CIFS_ACL=y
 +CONFIG_9P_FS_POSIX_ACL=y
 +</sxh>
 +
 +Agora vamos testar o sistema de arquivos precisamos criar um arquivo e setar as flags de attr
 +
 +Vamos acessar o diretório /usr
 +<sxh bash>
 +cd /usr
 +</sxh>
 +
 +O primeiro teste de setattr da erro se for em sistema de arquivos ext3.
 +<sxh bash>
 +touch test.txt
 +setfattr -n user.test -v test test.txt
 +setfattr -n security.test -v test2 test.txt
 +</sxh>
 +
 +Agora testar o atributo user
 +<sxh bash>
 +getfattr -d test.txt
 +# file: test.txt
 +user.test="test"
 +</sxh>
 +
 +Agora vamos testar o atributo security
 +<sxh bash>
 +getfattr -n security.test -d test.txt
 +# file: test.txt
 +security.test="test2"
 +</sxh>
 +
 +Caso o sistema de arquivos não de suporte ao xattr podemos emular ele adicionando a seguinte linha no smb.conf
 +<sxh bash>
 + posix:eadb = /usr/local/samba/eadb.tdb
 +</sxh>
 +
 +Agora vamos obter o samba vamos acessar o diretório que vai armazenar os fontes
 +<sxh bash>
 +cd /usr/src
 +</sxh>
 +
 +Agora vamos obter os fontes
 +<sxh bash>
 +wget -c http://ftp.samba.org/pub/samba/stable/samba-4.1.4.tar.gz
 +</sxh>
 +
 +Agora vamos desempacotar o samba
 +<sxh bash>
 +tar -xzvf samba-4.1.4.tar.gz
 +</sxh>
 +
 +Agora vamos acessar o diretório dos fontes
 +<sxh bash>
 +cd samba-4.1.4
 +</sxh>
 +
 +Agora vamos mandar configurar ele
 +<sxh bash>
 +./configure --enable-debug --enable-selftest
 +</sxh>
 +
 +Agora vamos mandar compilar ele
 +<sxh bash>
 +make
 +</sxh>
 +
 +Agora vamos mandar instalar ele
 +<sxh bash>
 +make install
 +</sxh>
 +
 +Agora vamos acertar a PATH do usuário root no caso dele estar utilizando o shell Bash
 +<sxh bash>
 +echo "export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11:/usr/local/samba/sbin:/usr/local/samba/bin" >> /root/.bashrc
 +</sxh>
 +
 +Agora precisamos importar a nova PATH
 +<sxh bash>
 +source /root/.bashrc
 +</sxh>
 +
 +Agora vamos acertar a PATH do usuário root no caso dele estar utilizando o shell zsh
 +<sxh bash>
 +echo "export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11:/usr/local/samba/sbin:/usr/local/samba/bin" >> /root/.zshrc
 +</sxh>
 +
 +Agora precisamos importar a nova PATH
 +<sxh bash>
 +source /root/.zshrc
 +</sxh>
 +
 +
 +Agora vamos instalar as dependência para o BIND_DLZ
 +<sxh bash>
 +aptitude install  autopoint autotools-dev bison debhelper dh-apparmor geoip-bin gettext hardening-wrapper html2text intltool-debian \
 +libbison-dev libcap-dev libdb-dev libdb5.1-dev libgeoip-dev libgettextpo0 libltdl-dev libmail-sendmail-perl libsys-hostname-long-perl \
 +libtool libunistring0 libxml2-dev po-debconf -y
 +</sxh>
 +
 +Agora vamos obter os fontes do Bind
 +<sxh bash>
 +cd /usr/src
 +apt-get source bind9 
 +</sxh>
 +
 +Agora vamos acessar os fontes do bind
 +<sxh bash>
 +cd bind9-*
 +</sxh>
 +
 +Agora vamos ajustar as opções para preparar o pacote temos a seguinte função configure-stamp que tem que ser modificada para dar suporte ao kerberos e o dlopen.
 +<sxh bash>
 +vim debian/rules 
 +[...]
 +configure: configure-stamp
 +configure-stamp:
 +        dh_testdir
 +        ./configure --prefix=/usr \
 +                --mandir=\$${prefix}/share/man \
 +                --infodir=\$${prefix}/share/info \
 +                --sysconfdir=/etc/bind \
 +                --localstatedir=/var \
 +                --enable-threads \
 +                --enable-largefile \
 +                --with-libtool \
 +                --enable-shared \
 +                --enable-static \
 +                --with-openssl=/usr \
 +                --with-gssapi=/usr \
 +                --with-gnu-ld \
 +                --with-geoip=/usr \
 +                --enable-ipv6 \
 +                --with-gssapi=/usr/include/gssapi   \
 +                --with-dlopen=yes \
 +                $(EXTRA_FEATURES)
 +</sxh>
 +
 +Agora vamos gerar o pacote .deb
 +<sxh bash>
 +dpkg-buildpackage 
 +</sxh>
 +
 +Agora vamos instalar os pacotes que geramos
 +<sxh bash>
 +cd ..
 +dpkg -i *.deb 
 +</sxh>
 +
 +Agora vamos criar um diretório e vamos ajustar as permissões dele para o bind
 +<sxh bash>
 +mkdir /var/cache/bind/data
 +chown -R bind:bind /var/cache/bind/data
 +</sxh>
 +
 +Agora vamos fazer um backup do arquivo de configuração do bind
 +<sxh bash>
 +cp /etc/bind/named.conf.options /etc/bind/named.conf.options.old
 +</sxh>
 +
 +Agora vamos ajustar o named.conf.options
 +<sxh bash>
 +vim /etc/bind/named.conf.options
 +// named.conf
 +//
 +
 +options {
 +  listen-on port 53 { 127.0.0.1; 192.168.1.0/24; };
 +  listen-on-v6 port 53 { ::1; };
 +  directory   "/var/cache/bind";
 +  dump-file   "/var/cache/bind/data/cache_dump.db";
 +  statistics-file "/var/cache/bind/data/named_stats.txt";
 +  memstatistics-file "/var/cache/bind/data/named_mem_stats.txt";
 +  allow-query      { 192.168.1.0/24; 127.0.0.1/32; };
 +  allow-update    { 192.168.1.0/24; 127.0.0.1/32; };
 +  allow-recursion { 192.168.1.0/24; 127.0.0.1/32; };
 +  forwarders { 8.8.8.8; 8.8.4.4; };
 +
 +  dnssec-enable yes;
 +  dnssec-validation yes;
 +  dnssec-lookaside auto;
 +
 +  /* Path to ISC DLV key */
 +  bindkeys-file "/etc/named.iscdlv.key";
 +
 +  managed-keys-directory "/var/cache/bind/dynamic";
 +
 + /* keytab para samba4 */
 + tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
 +
 +};
 +
 +logging {
 +  channel default_debug {
 +          file "data/named.run";
 +          severity dynamic;
 +  };
 +};
 +</sxh>
 +
 +Agora vamos adicionar o arquivo que de referência da nossa zona do AD no named.conf
 +<sxh bash>
 +vim /etc/bind/named.conf
 +[...]
 +include "/etc/bind/named.conf.options";
 +include "/etc/bind/named.conf.local";
 +include "/etc/bind/named.conf.default-zones";
 +include "/usr/local/samba/private/named.conf";
 +</sxh>
 +
 +Agora vamos ajustar o /etc/resolv.conf
 +<sxh bash>
 +vim /etc/resolv.conf
 +domain lab.lan
 +search lab.lan
 +nameserver 192.168.0.1
 +</sxh>
 +
 +Agora vamos ajustar o /etc/hosts
 +<sxh bash>
 +vim /etc/hosts
 +127.0.0.1 localhost
 +127.0.1.1 debian.lab.lan  debian
 +192.168.0.49  debian.lab.lan  debian
 +[...]
 +</sxh>
 +
 +Agora vamos criar o nosso domínio
 +<sxh bash>
 +samba-tool domain provision --domain=LAB --adminpass=sen@134* \
 +--dns-backend=BIND9_DLZ --server-role=dc \
 +--function-level=2008_R2 --use-xattr=yes \
 +--use-rfc2307 --realm=lab.lan
 +</sxh>
 +
 +Caso tenha algum erro e precise fazer o provisionamento novamente remova os arquivos e diretórios
 +<sxh bash>
 +rm -rf /usr/local/samba/etc
 +rm -rf /usr/local/samba/private
 +rm -rf /usr/local/samba/var/locks/sysvol
 +</sxh>
 +Aqui o nosso domínio já está configurado.
 +
 +Agora vamos ajustar o samba
 +<sxh bash>
 +vim /usr/local/samba/etc/smb.conf
 +# Global parameters
 +[global]
 +  workgroup = LAB
 +  realm = lab.lan
 +  netbios name = PDC
 +  server role = active directory domain controller
 +  server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
 +  ### RPC ###
 +  rpc_server:tcpip = no
 +  rpc_daemon:spoolssd = embedded
 +  rpc_server:spoolss = embedded
 +  rpc_server:winreg = embedded
 +  rpc_server:ntsvcs = embedded
 +  rpc_server:eventlog = embedded
 +  rpc_server:srvsvc = embedded
 +  rpc_server:svcctl = embedded
 +  rpc_server:default = external
 +  ### IDMAP ###
 +  idmap_ldb:use rfc2307 = yes
 +  idmap config * : backend = tdb
 +  idmap config *:range = 70001-80000
 +  idmap config LAB:backend = ad
 +  idmap config LAB:schema_mode = rfc2307
 +  idmap config LAB:range = 500-40000
 +  #WINBIND
 +  winbind nss info = rfc2307
 +  winbind trusted domains only = no
 +  winbind use default domain = yes
 +  winbind enum users  = yes
 +  winbind enum groups = yes
 +  map archive = No
 +  map readonly = no
 +  store dos attributes = Yes
 +  vfs objects = dfs_samba4, acl_xattr
 +  #o template shell é necessário para logar com a autenticação via winbind
 +  template shell = /bin/bash
 +  #DESABILITANDO AS IMPRESSORAS
 +  printcap name = /dev/null
 +  load printers = no
 +  disable spoolss = yes
 +  printing = bsd
 +  ### LOGS
 +  log file = /var/log/samba/smbd.log
 +  max log size = 50
 +  log level = 2
 +  vfs objects = recycle full_audit
 +  ### LIXEIRA
 +  recycle:repository = Lixeira
 +  recycle:exclude = *.tmp *.TMP *.temp *.TEMP ~*
 +  recycle:keeptree = yes
 +  full_audit:success = rmdir mkdir open write rename unlink
 +  full_audit:failure = rmdir mkdir open write rename unlink
 +  full_audit:prefix = %U|%I|%m|%S
 +  full_audit:failure = none
 +  full_audit:facility = local5
 +  full_audit:priority = notice
 +  veto files = /*.mp3/*.wav/*.exe/*.cmd/*.adm/*.inf/*.ini/*.pif
 +  delete veto files = yes
 +  dos filemode = yes
 +
 +[netlogon]
 +  path = /usr/local/samba/var/locks/sysvol/lab.lan/scripts
 +  read only = No
 +
 +[sysvol]
 +  path = /usr/local/samba/var/locks/sysvol
 +  read only = No
 +</sxh>
 +
 +Agora vamos criar o diretório para armazenar os logs
 +<sxh bash>
 +mkdir -p /var/log/samba
 +</sxh>
 +
 +Agora vamos criar um link para o keytab do kerberos
 +<sxh bash>
 +ln -s /usr/local/samba/private/dns.keytab /etc/krb5.keytab 
 +</sxh>
 +
 +Agora vamos iniciar o samba
 +<sxh bash>
 +/usr/local/samba/sbin/samba
 +</sxh>
 +
 +Vamos tirar a validade da senha do administrator
 +<sxh bash>
 +samba-tool user setexpiry administrator --noexpiry
 +</sxh>
 +
 +Agora vamos checar a versão do nosso smbclient
 +<sxh bash>
 +smbclient --version
 +Version 4.1.4
 +</sxh>
 +
 +Agora vamos listar os compartilhamentos
 +<sxh bash>
 +smbclient -L localhost -U%
 +Domain=[LAB] OS=[Unix] Server=[Samba 4.1.4]
 +
 +  Sharename       Type      Comment
 +  ---------       ----      -------
 +  netlogon        Disk      
 +  sysvol          Disk      
 +  IPC$            IPC       IPC Service (Samba 4.1.4)
 +Domain=[LAB] OS=[Unix] Server=[Samba 4.1.4]
 +
 +  Server               Comment
 +  ---------            -------
 +
 +  Workgroup            Master
 +  ---------            -------
 +</sxh>
 +
 +Agora vamos testar a autenticação nos compartilhamentos
 +<sxh bash>
 +smbclient //localhost/netlogon -UAdministrator%'sen@134*' -c 'ls'
 +Domain=[LAB] OS=[Unix] Server=[Samba 4.1.4]
 +  .                                          0  Mon Aug 19 14:15:45 2013
 +  ..                                  D        0  Mon Aug 19 14:16:33 2013
 +
 +    44993 blocks of size 65536. 8004 blocks available
 +</sxh>
 +
 +Vamos verificar a configuração do samba
 +<sxh bash>
 +testparm
 +Load smb config files from /usr/local/samba/etc/smb.conf
 +rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
 +Processing section "[netlogon]"
 +Processing section "[sysvol]"
 +Loaded services file OK.
 +Server role: ROLE_ACTIVE_DIRECTORY_DC
 +Press enter to see a dump of your service definitions
 +
 +[global]
 +  workgroup = LAB
 +  realm = lab.lan
 +  server role = active directory domain controller
 +  passdb backend = samba_dsdb
 +  log file = /var/log/samba/smbd.log
 +  max log size = 50
 +  load printers = No
 +  printcap name = /dev/null
 +  disable spoolss = Yes
 +  template shell = /bin/bash
 +  winbind enum users = Yes
 +  winbind enum groups = Yes
 +  winbind use default domain = Yes
 +  winbind nss info = rfc2307
 +  server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
 +  full_audit:priority = notice
 +  full_audit:facility = local5
 +  full_audit:prefix = %U|%I|%m|%S
 +  full_audit:failure = none
 +  full_audit:success = rmdir mkdir open write rename unlink
 +  recycle:keeptree = yes
 +  recycle:exclude = *.tmp *.TMP *.temp *.TEMP ~*
 +  recycle:repository = Lixeira
 +  idmap config LAB:range = 500-40000
 +  idmap config LAB:schema_mode = rfc2307
 +  idmap config LAB:backend = ad
 +  idmap config *:range = 70001-80000
 +  idmap_ldb:use rfc2307 = yes
 +  rpc_server:default = external
 +  rpc_server:svcctl = embedded
 +  rpc_server:srvsvc = embedded
 +  rpc_server:eventlog = embedded
 +  rpc_server:ntsvcs = embedded
 +  rpc_server:winreg = embedded
 +  rpc_server:spoolss = embedded
 +  rpc_daemon:spoolssd = embedded
 +  rpc_server:tcpip = no
 +  idmap config * : backend = tdb
 +  printing = bsd
 +  print command = lpr -r -P'%p' %s
 +  lpq command = lpq -P'%p'
 +  lprm command = lprm -P'%p' %j
 +  delete veto files = Yes
 +  veto files = /*.mp3/*.wav/*.exe/*.cmd/*.adm/*.inf/*.ini/*.pif
 +  map archive = No
 +  map readonly = no
 +  store dos attributes = Yes
 +  dos filemode = Yes
 +  vfs objects = recycle, full_audit
 +
 +[netlogon]
 +  path = /usr/local/samba/var/locks/sysvol/lab.lan/scripts
 +  read only = No
 +
 +[sysvol]
 +  path = /usr/local/samba/var/locks/sysvol
 +  read only = No
 +</sxh>
 +
 +Agora vamos acertar o arquivo /etc/security/limits.conf para não ficar mostrando erro no samba
 +<sxh bash>
 +vim /etc/security/limits.conf
 +#colocar no final do arquivo
 +root hard nofile 131072
 +root soft nofile 65536
 +mioutente hard nofile 32768
 +mioutente soft nofile 16384
 +</sxh>
 +
 +Agora vamos listar os processos do samba
 +<sxh bash>
 +ps aux | egrep samba
 +root      1231  0.0  8.8 512872 44888 ?        Ss   09:55   0:00 /usr/local/samba/sbin/samba
 +root      1233  0.0  6.3 512872 32084 ?        S    09:55   0:00 /usr/local/samba/sbin/samba
 +root      1234  0.0  6.4 512872 32964 ?        S    09:55   0:00 /usr/local/samba/sbin/samba
 +root      1235  0.0  6.6 512872 33732 ?        S    09:55   0:00 /usr/local/samba/sbin/samba
 +root      1236  0.0  6.3 512872 32056 ?        S    09:55   0:00 /usr/local/samba/sbin/samba
 +root      1237  0.0  6.5 512872 33440 ?        S    09:55   0:00 /usr/local/samba/sbin/samba
 +root      1238  0.0  6.4 512872 32652 ?        S    09:55   0:00 /usr/local/samba/sbin/samba
 +root      1239  0.0  6.7 512872 34188 ?        S    09:55   0:00 /usr/local/samba/sbin/samba
 +root      1240  0.0  6.5 512872 33472 ?        S    09:55   0:00 /usr/local/samba/sbin/samba
 +root      1241  0.0  6.6 516332 33776 ?        S    09:55   0:00 /usr/local/samba/sbin/samba
 +root      1242  0.0  6.3 512872 32172 ?        S    09:55   0:00 /usr/local/samba/sbin/samba
 +root      1243  0.0  7.9 512872 40388 ?        S    09:55   0:00 /usr/local/samba/sbin/samba
 +root      1244  0.0  6.5 512872 33132 ?        S    09:55   0:00 /usr/local/samba/sbin/samba
 +root      1245  0.0  9.0 470044 46176 ?        Ss   09:55   0:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
 +root      1247  0.0  6.7 513292 34192 ?        S    09:55   0:00 /usr/local/samba/sbin/samba
 +root      1250  0.0  6.3 470052 32320 ?        S    09:55   0:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
 +root      1295  0.0  0.1   7792   880 pts/0    S+   10:03   0:00 egrep samba
 +</sxh>
 +
 +Agora vamos ajustar o /etc/resolv.conf para ser utilizado o ip do nosso servidor samba
 +<sxh bash>
 +vim /etc/resolv.conf
 +domain lab.lan
 +search lab.lan
 +nameserver 192.168.0.131
 +</sxh>
 +
 +Agora vamos reiniciar o bind
 +<sxh bash>
 +/etc/init.d/bind9 restart
 +</sxh>
 +
 +Agora vamos testar com o nslookup
 +<sxh bash>
 +nslookup lab.lan
 +Server:   192.168.0.131
 +Address:  192.168.0.131#53
 +
 +Name: lab.lan
 +Address: 192.168.0.131
 +</sxh>
 +
 +Agora vamos ajustar o arquivo do kerberos
 +
 +Vamos fazer um backup dele
 +<sxh bash>
 +cp /etc/krb5.conf /etc/krb5.conf.old
 +</sxh>
 +
 +Agora vamos remover o original
 +<sxh bash>
 +rm -rf /etc/krb5.conf
 +</sxh>
 +
 +Agora vamos criar um link do arquivo do kerberos utilizado pelo samba
 +<sxh bash>
 +ln -sf /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf
 +</sxh>
 +
 +Agora vamos ajustar a sua configuração
 +<sxh bash>
 +vim /etc/krb5.conf
 +[libdefaults]
 +  default_realm = LAB.LAN
 +  dns_lookup_realm = false
 +  dns_lookup_kdc = true
 +</sxh>
 +
 +Agora vamos inicializar um ticket do kerberos para o usuário administrator
 +<sxh bash>
 +kinit administrator@LAB.LAN
 +Password for administrator@LAB.LAN: 
 +Warning: Your password will expire in 41 days on Mon Sep 30 14:16:22 2013
 +</sxh>
 +
 +Agora vamos listar o nosso ticket
 +<sxh bash>
 +klist
 +Ticket cache: FILE:/tmp/krb5cc_0
 +Default principal: administrator@LAB.LAN
 +
 +Valid starting       Expires              Service principal
 +19-08-2013 14:24:03  20-08-2013 00:24:03  krbtgt/LAB.LAN@LAB.LAN
 +  renew until 20-08-2013 14:24:00
 +</sxh>
 +
 +Agora vamos testar a nossa autenticação no samba utilizando o token do kerberos
 +<sxh bash>
 +smbclient -k //pdc.lab.lan/netlogon -c 'ls'
 +Domain=[LAB] OS=[Unix] Server=[Samba 4.1.4]
 +  .                                          0  Mon Aug 19 14:15:45 2013
 +  ..                                  D        0  Mon Aug 19 14:16:33 2013
 +
 +    44993 blocks of size 65536. 8004 blocks available
 +</sxh>
 +
 +Para utilizar o token do kerberos precisamos passar o nome do nosso dc no meu caso debian.lab.lan caso passe somente localhost vamos ter o seguinte erro.
 +<sxh bash>
 +smbclient -k //localhost/netlogon -c 'ls'
 +ads_krb5_mk_req: smb_krb5_get_credentials failed for cifs/localhost@LAB.LAN (Server not found in Kerberos database)
 +cli_session_setup_kerberos: spnego_gen_krb5_negTokenInit failed: Server not found in Kerberos database
 +session setup failed: NT_STATUS_UNSUCCESSFUL
 +</sxh>
 +
 +Este erro é comentado no seguinte link http://lists.samba.org/archive/samba-technical/2011-June/078134.html
 +
 +Agora vamos configurar o servidor ntp
 +<sxh bash>
 +aptitude install ntp -y
 +</sxh>
 +
 +Agora vamos fazer um backup do nosso arquivo de configuração
 +<sxh bash>
 +cp /etc/ntp.conf /etc/ntp.conf.old
 +</sxh>
 +
 +Agora vamos deixar ele da seguinte forma
 +<sxh bash>
 +vim /etc/ntp.conf
 +server 127.127.1.0
 +fudge  127.127.1.0 stratum 10
 +server a.ntp.br iburst prefer
 +server 0.pool.ntp.org  iburst prefer
 +server 1.pool.ntp.org  iburst prefer
 +driftfile /var/lib/ntp/ntp.drift
 +logfile /var/log/ntp
 +ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/
 +restrict default kod nomodify notrap nopeer mssntp
 +restrict 127.0.0.1
 +restrict a.ntp.br mask 255.255.255.255 nomodify notrap nopeer noquery
 +restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
 +restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
 +</sxh>
 +
 +Agora vamos reiniciar o serviço
 +<sxh bash>
 +/etc/init.d/ntp restart
 +</sxh>
 +
 +
 +Agora vamos consultar o serviço ntp
 +<sxh bash>
 +ntpq -p 127.0.0.1
 +     remote           refid      st t when poll reach   delay   offset  jitter
 +==============================================================================
 + LOCAL(0)        .LOCL.          10 l   26   64    1    0.000    0.000   0.000
 ++a.ntp.br        200.160.7.186    2 u   15   64    1   11.543    4.363   0.306
 + 0.pool.ntp.org  .INIT.          16 u    -   64    0    0.000    0.000   0.000
 +*1.pool.ntp.org  200.160.7.186    2 u   13   64    1    6.470    5.146   0.305
 +</sxh>
 +
 +Agora vamos ajustar a permissão do ntp
 +<sxh bash>
 +chgrp ntp /usr/local/samba/var/lib/ntp_signd
 +</sxh>
 +
 +Agora vamos criar o script de inicialização do samba
 +<sxh bash>
 +vim /etc/init.d/samba
 +#! /bin/sh
 +
 +### BEGIN INIT INFO
 +# Provides:          samba4
 +# Required-Start:    $network $local_fs $remote_fs
 +# Required-Stop:     $network $local_fs $remote_fs
 +# Default-Start:     2 3 4 5
 +# Default-Stop:      0 1 6
 +# Short-Description: start Samba daemons
 +### END INIT INFO
 +
 +#
 +# Start/stops the Samba daemon (samba).
 +# Adapted from the Samba 3 packages.
 +#
 +
 +PIDDIR=/usr/local/samba/var/run
 +SAMBAPID=$PIDDIR/samba.pid
 +
 +# clear conflicting settings from the environment
 +unset TMPDIR
 +
 +# See if the daemon and the config file are there
 +test -x /usr/local/samba/sbin/samba -a -r /usr/local/samba/etc/smb.conf || exit 0
 +
 +. /lib/lsb/init-functions
 +
 +case "$1" in
 +  start)
 +    log_daemon_msg "Starting Samba 4 daemon" "samba"
 +    # Make sure we have our PIDDIR, even if it's on a tmpfs
 +    install -o root -g root -m 755 -d $PIDDIR
 +
 +    if ! start-stop-daemon --start --quiet --oknodo --exec /usr/local/samba/sbin/samba -- -D; then
 +      log_end_msg 1
 +      exit 1
 +    fi
 +
 +    log_end_msg 0
 +    ;;
 +  stop)
 +    log_daemon_msg "Stopping Samba 4 daemon" "samba"
 +
 +    start-stop-daemon --stop --quiet --name samba $SAMBAPID
 +    # Wait a little and remove stale PID file
 +    sleep 1
 +    if [ -f $SAMBAPID ] && ! ps h `cat $SAMBAPID` > /dev/null
 +    then
 +      # Stale PID file (samba was succesfully stopped),
 +      # remove it (should be removed by samba itself IMHO.)
 +      rm -f $SAMBAPID
 +    fi
 +
 +    log_end_msg 0
 +
 +    ;;
 +  restart|force-reload)
 +    $0 stop
 +    sleep 1
 +    $0 start
 +    ;;
 +  *)
 +    echo "Usage: /etc/init.d/samba {start|stop|restart|force-reload}"
 +    exit 1
 +    ;;
 +esac
 +
 +exit 0
 +</sxh>
 +
 +Vamos ajustar a permissão do script
 +<sxh bash>
 +chmod +x /etc/init.d/samba
 +</sxh>
 +
 +Agora vamos colocar o script na inicialização do sistema
 +<sxh bash>
 +insserv -f -v samba
 +</sxh>
 +
 +
 +Agora vamos consultar se o nosso BIND_DLZ está funcionando
 +<sxh bash>
 +samba_dnsupdate --verbose
 +IPs: ['192.168.0.52']
 +Looking for DNS entry A lab.lan 192.168.0.52 as lab.lan.
 +Looking for DNS entry A debian.lab.lan 192.168.0.52 as debian.lab.lan.
 +Looking for DNS entry A gc._msdcs.lab.lan 192.168.0.52 as gc._msdcs.lab.lan.
 +Looking for DNS entry CNAME 4600bb8b-c1f6-47b0-ae75-a31c9ef70281._msdcs.lab.lan debian.lab.lan as 4600bb8b-c1f6-47b0-ae75-a31c9ef70281._msdcs.lab.lan.
 +Looking for DNS entry SRV _kpasswd._tcp.lab.lan debian.lab.lan 464 as _kpasswd._tcp.lab.lan.
 +Checking 0 100 464 debian.lab.lan. against SRV _kpasswd._tcp.lab.lan debian.lab.lan 464
 +Looking for DNS entry SRV _kpasswd._udp.lab.lan debian.lab.lan 464 as _kpasswd._udp.lab.lan.
 +Checking 0 100 464 debian.lab.lan. against SRV _kpasswd._udp.lab.lan debian.lab.lan 464
 +Looking for DNS entry SRV _kerberos._tcp.lab.lan debian.lab.lan 88 as _kerberos._tcp.lab.lan.
 +Checking 0 100 88 debian.lab.lan. against SRV _kerberos._tcp.lab.lan debian.lab.lan 88
 +Looking for DNS entry SRV _kerberos._tcp.dc._msdcs.lab.lan debian.lab.lan 88 as _kerberos._tcp.dc._msdcs.lab.lan.
 +Checking 0 100 88 debian.lab.lan. against SRV _kerberos._tcp.dc._msdcs.lab.lan debian.lab.lan 88
 +Looking for DNS entry SRV _kerberos._tcp.default-first-site-name._sites.lab.lan debian.lab.lan 88 as _kerberos._tcp.default-first-site-name._sites.lab.lan.
 +Checking 0 100 88 debian.lab.lan. against SRV _kerberos._tcp.default-first-site-name._sites.lab.lan debian.lab.lan 88
 +Looking for DNS entry SRV _kerberos._tcp.default-first-site-name._sites.dc._msdcs.lab.lan debian.lab.lan 88 as _kerberos._tcp.default-first-site-name._sites.dc._msdcs.lab.lan.
 +Checking 0 100 88 debian.lab.lan. against SRV _kerberos._tcp.default-first-site-name._sites.dc._msdcs.lab.lan debian.lab.lan 88
 +Looking for DNS entry SRV _kerberos._udp.lab.lan debian.lab.lan 88 as _kerberos._udp.lab.lan.
 +Checking 0 100 88 debian.lab.lan. against SRV _kerberos._udp.lab.lan debian.lab.lan 88
 +Looking for DNS entry SRV _ldap._tcp.lab.lan debian.lab.lan 389 as _ldap._tcp.lab.lan.
 +Checking 0 100 389 debian.lab.lan. against SRV _ldap._tcp.lab.lan debian.lab.lan 389
 +Looking for DNS entry SRV _ldap._tcp.dc._msdcs.lab.lan debian.lab.lan 389 as _ldap._tcp.dc._msdcs.lab.lan.
 +Checking 0 100 389 debian.lab.lan. against SRV _ldap._tcp.dc._msdcs.lab.lan debian.lab.lan 389
 +Looking for DNS entry SRV _ldap._tcp.gc._msdcs.lab.lan debian.lab.lan 3268 as _ldap._tcp.gc._msdcs.lab.lan.
 +Checking 0 100 3268 debian.lab.lan. against SRV _ldap._tcp.gc._msdcs.lab.lan debian.lab.lan 3268
 +Looking for DNS entry SRV _ldap._tcp.pdc._msdcs.lab.lan debian.lab.lan 389 as _ldap._tcp.pdc._msdcs.lab.lan.
 +Checking 0 100 389 debian.lab.lan. against SRV _ldap._tcp.pdc._msdcs.lab.lan debian.lab.lan 389
 +Looking for DNS entry SRV _ldap._tcp.default-first-site-name._sites.lab.lan debian.lab.lan 389 as _ldap._tcp.default-first-site-name._sites.lab.lan.
 +Checking 0 100 389 debian.lab.lan. against SRV _ldap._tcp.default-first-site-name._sites.lab.lan debian.lab.lan 389
 +Looking for DNS entry SRV _ldap._tcp.default-first-site-name._sites.dc._msdcs.lab.lan debian.lab.lan 389 as _ldap._tcp.default-first-site-name._sites.dc._msdcs.lab.lan.
 +Checking 0 100 389 debian.lab.lan. against SRV _ldap._tcp.default-first-site-name._sites.dc._msdcs.lab.lan debian.lab.lan 389
 +Looking for DNS entry SRV _ldap._tcp.default-first-site-name._sites.gc._msdcs.lab.lan debian.lab.lan 3268 as _ldap._tcp.default-first-site-name._sites.gc._msdcs.lab.lan.
 +Checking 0 100 3268 debian.lab.lan. against SRV _ldap._tcp.default-first-site-name._sites.gc._msdcs.lab.lan debian.lab.lan 3268
 +Looking for DNS entry SRV _ldap._tcp.86f256e1-a77b-4a83-bddd-96acf7a0c89f.domains._msdcs.lab.lan debian.lab.lan 389 as _ldap._tcp.86f256e1-a77b-4a83-bddd-96acf7a0c89f.domains._msdcs.lab.lan.
 +Checking 0 100 389 debian.lab.lan. against SRV _ldap._tcp.86f256e1-a77b-4a83-bddd-96acf7a0c89f.domains._msdcs.lab.lan debian.lab.lan 389
 +Looking for DNS entry SRV _gc._tcp.lab.lan debian.lab.lan 3268 as _gc._tcp.lab.lan.
 +Checking 0 100 3268 debian.lab.lan. against SRV _gc._tcp.lab.lan debian.lab.lan 3268
 +Looking for DNS entry SRV _gc._tcp.default-first-site-name._sites.lab.lan debian.lab.lan 3268 as _gc._tcp.default-first-site-name._sites.lab.lan.
 +Checking 0 100 3268 debian.lab.lan. against SRV _gc._tcp.default-first-site-name._sites.lab.lan debian.lab.lan 3268
 +No DNS updates needed
 +</sxh>
 +
 +Agora vamos criar a zona reversa
 +<sxh bash>
 +samba-tool dns zonecreate lab.lan 1.168.192.in-addr.arpa -UAdministrator --password=sen@134*
 +</sxh>
 +
 +Vamos criar o reverso do nosso pdc
 +<sxh bash>
 +samba-tool dns add pdc 1.168.192.in-addr.arpa 49 PTR pdc.lab.lan -Uadministrator --password=sen@134*
 +</sxh>
 +Agora vamos criar um compartilhamento básico de impressão
 +
 +Agora vamos criar o diretório de spool de impressão e vamos ajustar as suas permissões
 +<sxh bash>
 +mkdir /usr/local/samba/var/spool
 +chmod 1777 /usr/local/samba/var/spool
 +</sxh>
 +
 +Agora vamos adicionar na configuração do samba o nosso compartilhamento de impressão
 +<sxh bash>
 +vim /usr/local/samba/etc/smb.conf
 +# Global parameters
 +[...]
 +
 +[printers]
 +    comment = All Printers
 +    path = /usr/local/samba/var/spool
 +    browseable = Yes
 +    read only = No
 +    printable = Yes
 +</sxh>
 +
 +Agora precisamos criar os diretório para armazenar os drivers das impressoras que o cliente windows sempre vai tentar procurar quando for instalar uma impressora
 +<sxh bash>
 +mkdir -p /usr/local/samba/var/print/{COLOR,IA64,W32ALPHA,W32MIPS,W32PPC,W32X86,WIN40,x64}
 +</sxh>
 +
 +Agora vamos criar mais um compartilhamento no samba
 +<sxh bash>
 +vim /usr/local/samba/etc/smb.conf
 +# Global parameters
 +[...]
 +
 +[printers]
 +    comment = All Printers
 +    path = /usr/local/samba/var/spool
 +    browseable = Yes
 +    read only = No
 +    printable = Yes
 +
 +[print$]
 +    comment = Point and Print Printer Drivers
 +    path = /usr/local/samba/var/print
 +    read only = No
 +</sxh>
 +
 +Agora vamos mandar recarregar o samba
 +<sxh bash>
 +killall -HUP samba
 +</sxh>
 +
 +Para adicionar uma impressora
 +  * Logue no computador cliente com o usuário Administrador do dominio
 +  * Click Iniciar -> Run digite '\\debian.lab.lan\'
 +  * Na lista de compartilhamentos, de um duplo click em 'Impressoras e Fax'
 +  * Click em Arquivo -> Propriedades do servidor
 +  * Na guia Drivers, Click em 'Adicionar...', depois 'Next'
 +
 +
 +{{:sambaserverdrivers.jpg?500|}}
 +
 +  * No menu de opções, escolha o driver da sua impressora que deseja instalar, e selecione 'Next'
 +
 +{{:sambaserverchoosedriver.jpg?500|}}
 +
 +Agora escolha os driver para a sua arquitetura. Caso não tenha o driver para a sua arquitetura vai ser solicitado inserir uma midia com os driver
 +
 +{{:sambaserverchoosearch.jpg?500|}}
 +
 +  * Agora feche a tela de drivers
 +  * Agora click com o botão direito em drivers de impressora e selecione propriedades
 +  * Na guia avançado, escolha o driver que já foi instalado
 +
 +Inserindo uma máquina XP no domínio Samba4
 +
 +Vamos chamar a configuração da interface
 +  * Menu iniciar/run digite ncpa.cpl
 +
 +Vamos deixar o endereço DNS para o ip do servidor samba
 +
 +Vai ter que ficar como abaixo.
 +
 +{{:interface.png?500|}}
 +
 +Agora vamos testar o dns
 +<sxh bash>
 +nslookup debian.lab.lan
 +*** Não é possível encontrar o nome de servidor para o endereço 192.168.0.131: No information
 +*** Os servidores padrão não estão disponíveis
 +Servidor: UnKnown
 +Address: 192.168.0.131
 +
 +Nome = debian.lab.lan
 +Address: 192.168.0.131
 +</sxh>
 +
 +
 +Agora precisamos deixar o nosso servidor com o horário e timezone igual ao do servidor samba
 +
 +Vamos chamar a configuração
 +  * Menu Iniciar/run aqui digite timedate.cpl
 +
 +{{:dataehora.png?500|}}
 +
 +Aqui ajute o seu horario
 +
 +Na guia fuso horário escolha o da sua localização
 +
 +{{:fusohorario.png?500|}}
 +
 +Agora vamos fazer o join do domínio
 +
 +    * Menu iniciar/run aqui digite sysdm.cpl
 +
 +
 +  * Aqui selecione a guia Nome do computador.
 +  * Agora selecione alterar
 +
 +Aqui em domínio vamos informar lab.lan
 +
 +{{:join1xp.png?500|}} 
 +
 +Agora selecione ok
 +
 +Vamos ter uma tela como abaixo, informe o usuário administrator e a senha que foi definida para ele na criação do domínio samba.
 +
 +{{:autenticacaojoin1.png?500|}}
 +
 +Se tudo der certo vamos ter a seguinte mensagem
 +
 +{{:boajoin.png?500|}}
 +
 +Quando selecionarmos ok vamos ter a seguinte mensagem.
 +
 +{{:alteracaoxp.png?500|}}
 +
 +Agora é só selecionar ok e ok novamente e sim para reiniciar a máquina.
 +
 +Quando iniciar vamos ter a seguinte tela
 +
 +{{:ctrldel.png?500|}}
 +
 +Agora precisamos informar ctrl + alt + del
 +
 +{{:loginxp.png?500|}}
 +
 +Aqui em fazer logon em selecione LAB
 +
 +O usuário vai ser administrator e a senha dele.
 +
 +Instalando o Windows Remote Administration Tools no Windows
 +
 +Links para obtermos o Windows Remote Administration Tools:
 +  * http://www.microsoft.com/en-us/download/details.aspx?id=39296 (Windows 8.1)
 +  * http://www.microsoft.com/download/details.aspx?id=28972 (Windows 8)
 +  * http://www.microsoft.com/downloads/details.aspx?FamilyId=9FF6E897-23CE-4A36-B7FC-D52065DE9960&displaylang=en (Vista)
 +  * http://www.microsoft.com/downloads/details.aspx?FamilyID=7D2F6AD7-656B-4313-A005-4E344E43997D&displaylang=en (Windows 7)
 +  * http://www.microsoft.com/en-us/download/details.aspx?id=6315 (Windows XP/Server 2003)
 +
 +OBS: Na instalação do RSAT no Windows 8/7/Vista depois de instalado temos que ir em programas no painel de controle "Habilitar recursos do Windows" precisamos habilitar as ferramentas administrativas.
 +
 +Depois de obter o pacote precisamos mandar rodar ele
 +
 +{{:rsat1.png?500|}}
 +
 +Instalando
 +
 +{{:rsat2.png?500|}}
 +
 +Instalação Concluída
 +
 +{{:rsat4.png?500|}}
 +
 +Ferramentas instaladas
 +
 +{{:ferramentasadministrativas.png?500|}}
 +
 +Agora vamos chamar o MMC Usuários e computadores do Active Directory em Ferramentas administrativas ou pelo run dsa.msc
 +
 +Vamos ter algo como abaixo.
 +
 +{{:dsamsc1.png?500|}}
 +
 +Aqui podemos fazer a criação de usuários, grupos, computadores criação de GPOS
 +
 +Exemplo de Objetos que podemos criar
 +
 +{{:objetosad.png?500|}}
 +
 +Exemplo da tela de criação de usuários
 +
 +{{:criacaousuarioad.png?500|}}
 +
 +Exemplo da tela de GPOs
 +
 +{{:gpos.png?500|}}
 +
 +Podemos também fazer a administração do DNS via MMC nas ferramentas administrativas chame o DNS
 +
 +{{:conexaodns.png?500|}}
 +
 +Exemplo da tela de configuração de DNS
 +
 +{{:mmcdns.png?500|}}
 +
 +
 +
 +Podemos também fazer a criação de usuários via comando
 +<sxh bash>
 +samba-tool user add nerso
 +New Password: 
 +Retype Password: 
 +User 'nerso' created successfully
 +</sxh>
 +
 +Agora vamos ver nos usuários do AD
 +
 +{{:dsamscnerso.png?500|}}
 +
 +Agora vamos ajustar o perfil móvel
 +
 +Vamos ajustar o arquivo de configuração do samba
 +<sxh bash>
 +vim /usr/local/samba/etc/smb.conf
 +# Global parameters
 +[global]
 +        workgroup = LAB
 +        realm = LAB.LAN
 +        netbios name = DEBIAN
 +        server role = active directory domain controller
 +        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
 +
 +[netlogon]
 +        path = /usr/local/samba/var/locks/sysvol/lab.lan/scripts
 +        read only = No
 +
 +[sysvol]
 +        path = /usr/local/samba/var/locks/sysvol
 +        read only = No
 +
 +[printers]
 +    comment = All Printers
 +    path = /usr/local/samba/var/spool
 +    browseable = Yes
 +    read only = No
 +    printable = Yes
 +
 +[print$]
 +    comment = Point and Print Printer Drivers
 +    path = /usr/local/samba/var/print
 +    read only = No
 +
 +[profiles]
 +      path = /usr/local/samba/var/profiles
 +      read only = no
 +</sxh>
 +
 +Vamos criar o diretório para armazenar os profiles
 +<sxh bash>
 +mkdir /usr/local/samba/var/profiles
 +</sxh>
 +
 +Agora vamos acertar as permissões
 +<sxh bash>
 +chmod -R 1777 /usr/local/samba/var/profiles
 +</sxh>
 +
 +Agora vamos mandar recarregar o samba
 +<sxh bash>
 +killall -HUP samba
 +</sxh>
 +
 +Agora vamos ajustar o perfil do usuário douglas.santos
 +
 +{{:perfilmovel.png?500|}}
 +
 +Agora vamos logar com o usuário.
 +
 +Quando efetuarmos logon no servidor vai ser criado uma pasta com o nome do nosso usuário em /usr/local/samba/var/profiles
 +<sxh bash>
 +ls -l /usr/local/samba/var/profiles
 +total 8
 +drwxrws---+ 2 3000019 staff 4096 Fev 24 13:19 douglas.santos/
 +</sxh>
 +
 +Note que o nosso arquivo tem o sinal de + ou seja está habilitado acl, vamos listar elas
 +<sxh bash>
 +getfacl -p /usr/local/samba/var/profiles/douglas.santos
 +# file: /usr/local/samba/var/profiles/douglas.santos
 +# owner: 3000019
 +# group: staff
 +# flags: -s-
 +user::rwx
 +group::---
 +group:staff:---
 +group:3000002:rwx
 +group:3000019:rwx
 +mask::rwx
 +other::---
 +default:user::rwx
 +default:user:3000019:rwx
 +default:group::---
 +default:group:staff:---
 +default:group:3000002:rwx
 +default:group:3000019:rwx
 +default:mask::rwx
 +default:other::---
 +</sxh>
 +
 +Agora quando efetuarmos logoff os arquivos vão ser salvos dentro do diretório
 +<sxh bash>
 +ls -l /usr/local/samba/var/profiles/douglas.santos
 +total 624
 +drwxrws---+ 2 3000019 users   4096 Fev 23 13:44 Ambiente\ de\ impressão/
 +drwxrws---+ 2 3000019 users   4096 Fev 23 13:44 Ambiente\ de\ rede/
 +drwxrws---+ 2 3000019 users   4096 Fev 23 16:50 Cookies/
 +drwxrws---+ 4 3000019 users   4096 Fev 24 13:19 Dados\ de\ aplicativos/
 +drwxrws---+ 2 3000019 users   4096 Fev 23 13:44 Desktop/
 +drwxrws---+ 3 3000019 users   4096 Fev 24 13:19 Favoritos/
 +drwxrws---+ 3 3000019 users   4096 Fev 23 13:44 Menu\ Iniciar/
 +drwxrws---+ 4 3000019 users   4096 Fev 24 13:19 Meus\ documentos/
 +drwxrws---+ 2 3000019 users   4096 Fev 23 16:48 Modelos/
 +-rwxrwx---+ 1 3000019 users 524288 Fev 24 13:22 NTUSER.DAT*
 +-rwxrwx---+ 1 3000019 users   1024 Fev 24 13:22 NTUSER.DAT.LOG*
 +-rwxrwx---+ 1 3000019 users    300 Fev 24 13:22 ntuser.ini*
 +drwxrws---+ 2 3000019 users   4096 Fev 24 13:19 Recent/
 +drwxrws---+ 2 3000019 users   4096 Fev 24 13:19 SendTo/
 +</sxh>
 +
 +ajustando a autenticação
 +<sxh bash>
 +vim /etc/nsswitch.conf 
 +# /etc/nsswitch.conf
 +#
 +# Example configuration of GNU Name Service Switch functionality.
 +# If you have the `glibc-doc-reference' and `info' packages installed, try:
 +# `info libc "Name Service Switch"' for information about this file.
 +
 +passwd:         compat winbind
 +group:            compat winbind
 +shadow:         compat
 +
 +hosts:          files dns
 +networks:       files
 +
 +protocols:      db files
 +services:       db files
 +ethers:         db files
 +rpc:            db files
 +
 +netgroup:       nis
 +
 +</sxh>
 +
 +Ajustando a pam
 +<sxh bash>
 +ln -sf /usr/local/samba/lib/security/pam_winbind.so /lib/x86_64-linux-gnu/security/pam_winbind.so
 +</sxh>
 +
 +Para os sistemas de 64bits precisamos fazer da seguinte forma
 +<sxh bash>
 +ln -s /usr/local/samba/lib/libnss_winbind.so.2 /usr/lib/x86_64-linux-gnu/libnss_winbind.so
 +ln -s /usr/lib/x86_64-linux-gnu/libnss_winbind.so /usr/lib/x86_64-linux-gnu/libnss_winbind.so.2
 +ldconfig
 +</sxh>
 +
 +Agora vamos consultar se está carregado no sistema
 +<sxh bash>
 +ldconfig -v | grep winbind
 +ldconfig: Path `/lib/x86_64-linux-gnu' given more than once
 +ldconfig: Path `/usr/lib/x86_64-linux-gnu' given more than once
 +  libnss_winbind.so -> libnss_winbind.so.2
 +</sxh>
 +
 +Agora vamos listar os usuários locais e do domínio
 +<sxh bash>
 +root:x:0:0:root:/root:/bin/bash
 +daemon:x:1:1:daemon:/usr/sbin:/bin/sh
 +bin:x:2:2:bin:/bin:/bin/sh
 +sys:x:3:3:sys:/dev:/bin/sh
 +sync:x:4:65534:sync:/bin:/bin/sync
 +games:x:5:60:games:/usr/games:/bin/sh
 +man:x:6:12:man:/var/cache/man:/bin/sh
 +lp:x:7:7:lp:/var/spool/lpd:/bin/sh
 +mail:x:8:8:mail:/var/mail:/bin/sh
 +news:x:9:9:news:/var/spool/news:/bin/sh
 +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
 +proxy:x:13:13:proxy:/bin:/bin/sh
 +www-data:x:33:33:www-data:/var/www:/bin/sh
 +backup:x:34:34:backup:/var/backups:/bin/sh
 +list:x:38:38:Mailing List Manager:/var/list:/bin/sh
 +irc:x:39:39:ircd:/var/run/ircd:/bin/sh
 +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
 +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
 +libuuid:x:100:101::/var/lib/libuuid:/bin/sh
 +Debian-exim:x:101:103::/var/spool/exim4:/bin/false
 +statd:x:102:65534::/var/lib/nfs:/bin/false
 +sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin
 +douglas:x:1000:1000:douglas,,,:/home/douglas:/bin/bash
 +postfix:x:104:107::/var/spool/postfix:/bin/false
 +messagebus:x:105:109::/var/run/dbus:/bin/false
 +bind:x:106:110::/var/cache/bind:/bin/false
 +ntp:x:107:111::/home/ntp:/bin/false
 +LAB\Administrator:*:0:100::/home/LAB/Administrator:/bin/bash
 +LAB\Guest:*:3000011:3000012::/home/LAB/Guest:/bin/bash
 +LAB\krbtgt:*:3000017:100::/home/LAB/krbtgt:/bin/bash
 +LAB\dns-pdc:*:3000018:100::/home/LAB/dns-pdc:/bin/bash
 +</sxh>
 +
 +Agora vamos consultar informações do usuário Administrator
 +<sxh bash>
 +id Administrator
 +uid=0(root) gid=100(users) grupos=0(root),100(users),3000004(LAB\Group Policy Creator Owners),3000006(LAB\Enterprise Admins),3000008(LAB\Domain Admins),3000007(LAB\Schema Admins)
 +</sxh>
 +
 +Agora vamos ajustar a pam do servidor PDC
 +
 +<sxh bash>
 +vim /etc/pam.d/common-auth
 +#
 +# /etc/pam.d/common-auth - authentication settings common to all services
 +#
 +# This file is included from other service-specific PAM config files,
 +# and should contain a list of the authentication modules that define
 +# the central authentication scheme for use on the system
 +# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
 +# traditional Unix authentication mechanisms.
 +#
 +# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
 +# To take advantage of this, it is recommended that you configure any
 +# local modules either before or after the default block, and use
 +# pam-auth-update to manage selection of other modules.  See
 +# pam-auth-update(8) for details.
 +
 +# here are the per-package modules (the "Primary" block)
 +auth  sufficient  pam_winbind.so
 +auth  [success=2 default=ignore]  pam_krb5.so minimum_uid=1000
 +auth  [success=1 default=ignore]  pam_unix.so nullok_secure try_first_pass
 +# here's the fallback if no module succeeds
 +auth  requisite     pam_deny.so
 +# prime the stack with a positive return value if there isn't one already;
 +# this avoids us returning an error just because nothing sets a success code
 +# since the modules above will each just jump around
 +auth  required      pam_permit.so
 +# and here are more per-package modules (the "Additional" block)
 +# end of pam-auth-update config
 +</sxh>
 +
 +<sxh bash>
 +vim /etc/pam.d/common-account 
 +#
 +# /etc/pam.d/common-account - authorization settings common to all services
 +#
 +# This file is included from other service-specific PAM config files,
 +# and should contain a list of the authorization modules that define
 +# the central access policy for use on the system.  The default is to
 +# only deny service to users whose accounts are expired in /etc/shadow.
 +#
 +# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
 +# To take advantage of this, it is recommended that you configure any
 +# local modules either before or after the default block, and use
 +# pam-auth-update to manage selection of other modules.  See
 +# pam-auth-update(8) for details.
 +#
 +
 +# here are the per-package modules (the "Primary" block)
 +account sufficient pam_winbind.so
 +account [success=1 new_authtok_reqd=done default=ignore]  pam_unix.so
 +# here's the fallback if no module succeeds
 +account requisite     pam_deny.so
 +# prime the stack with a positive return value if there isn't one already;
 +# this avoids us returning an error just because nothing sets a success code
 +# since the modules above will each just jump around
 +account required      pam_permit.so
 +# and here are more per-package modules (the "Additional" block)
 +account required      pam_krb5.so minimum_uid=1000
 +# end of pam-auth-update config
 +</sxh>
 +
 +<sxh bash>
 +vim /etc/pam.d/common-session
 +#
 +# /etc/pam.d/common-session - session-related modules common to all services
 +#
 +# This file is included from other service-specific PAM config files,
 +# and should contain a list of modules that define tasks to be performed
 +# at the start and end of sessions of *any* kind (both interactive and
 +# non-interactive).
 +#
 +# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
 +# To take advantage of this, it is recommended that you configure any
 +# local modules either before or after the default block, and use
 +# pam-auth-update to manage selection of other modules.  See
 +# pam-auth-update(8) for details.
 +
 +# here are the per-package modules (the "Primary" block)
 +session required pam_mkhomedir.so skel=/etc/skel umask=0027
 +session required pam_winbind.so
 +session [default=1]     pam_permit.so
 +# here's the fallback if no module succeeds
 +session requisite     pam_deny.so
 +# prime the stack with a positive return value if there isn't one already;
 +# this avoids us returning an error just because nothing sets a success code
 +# since the modules above will each just jump around
 +session required      pam_permit.so
 +# and here are more per-package modules (the "Additional" block)
 +session optional      pam_krb5.so minimum_uid=1000
 +session required  pam_unix.so
 +# end of pam-auth-update config
 +</sxh>
 +
 +<sxh bash>
 +vim /etc/pam.d/sshd
 +# PAM configuration for the Secure Shell service
 +
 +# Read environment variables from /etc/environment and
 +# /etc/security/pam_env.conf.
 +auth       required     pam_env.so # [1]
 +# In Debian 4.0 (etch), locale-related environment variables were moved to
 +# /etc/default/locale, so read that as well.
 +auth       required     pam_env.so envfile=/etc/default/locale
 +
 +# Standard Un*x authentication.
 +@include common-auth
 +
 +# Disallow non-root logins when /etc/nologin exists.
 +account    required     pam_nologin.so
 +#Allow connection from those groups
 +account    sufficient   pam_succeed_if.so user ingroup root
 +account    requisite    pam_succeed_if.so user ingroup ti-admin
 +
 +# Uncomment and edit /etc/security/access.conf if you need to set complex
 +# access limits that are hard to express in sshd_config.
 +# account  required     pam_access.so
 +
 +# Standard Un*x authorization.
 +@include common-account
 +
 +# Standard Un*x session setup and teardown.
 +@include common-session
 +
 +# Print the message of the day upon successful login.
 +# This includes a dynamically generated part from /run/motd.dynamic
 +# and a static (admin-editable) part from /etc/motd.
 +session    optional     pam_motd.so  motd=/run/motd.dynamic noupdate
 +session    optional     pam_motd.so # [1]
 +
 +# Print the status of the user's mailbox upon successful login.
 +session    optional     pam_mail.so standard noenv # [1]
 +
 +# Set up user limits from /etc/security/limits.conf.
 +session    required     pam_limits.so
 +
 +# Set up SELinux capabilities (need modified pam)
 +# session  required     pam_selinux.so multiple
 +
 +# Standard Un*x password updating.
 +@include common-password
 +</sxh>
 +
 +<sxh bash>
 +vim /etc/pam.d/login 
 +#
 +# The PAM configuration file for the Shadow `login' service
 +#
 +
 +# Enforce a minimal delay in case of failure (in microseconds).
 +# (Replaces the `FAIL_DELAY' setting from login.defs)
 +# Note that other modules may require another minimal delay. (for example,
 +# to disable any delay, you should add the nodelay option to pam_unix)
 +auth       optional   pam_faildelay.so  delay=3000000
 +
 +# Outputs an issue file prior to each login prompt (Replaces the
 +# ISSUE_FILE option from login.defs). Uncomment for use
 +# auth       required   pam_issue.so issue=/etc/issue
 +
 +# Disallows root logins except on tty's listed in /etc/securetty
 +# (Replaces the `CONSOLE' setting from login.defs)
 +#
 +# With the default control of this module:
 +#   [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die]
 +# root will not be prompted for a password on insecure lines.
 +# if an invalid username is entered, a password is prompted (but login
 +# will eventually be rejected)
 +#
 +# You can change it to a "requisite" module if you think root may mis-type
 +# her login and should not be prompted for a password in that case. But
 +# this will leave the system as vulnerable to user enumeration attacks.
 +#
 +# You can change it to a "required" module if you think it permits to
 +# guess valid user names of your system (invalid user names are considered
 +# as possibly being root on insecure lines), but root passwords may be
 +# communicated over insecure lines.
 +auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
 +
 +# Disallows other than root logins when /etc/nologin exists
 +# (Replaces the `NOLOGINS_FILE' option from login.defs)
 +auth       requisite  pam_nologin.so
 +
 +#Allow connection from those groups
 +account    sufficient   pam_succeed_if.so user ingroup root
 +account    requisite    pam_succeed_if.so user ingroup ti-admin
 +
 +# SELinux needs to be the first session rule. This ensures that any 
 +# lingering context has been cleared. Without out this it is possible 
 +# that a module could execute code in the wrong domain.
 +# When the module is present, "required" would be sufficient (When SELinux
 +# is disabled, this returns success.)
 +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
 +
 +# This module parses environment configuration file(s)
 +# and also allows you to use an extended config
 +# file /etc/security/pam_env.conf.
 +
 +# parsing /etc/environment needs "readenv=1"
 +session       required   pam_env.so readenv=1
 +# locale variables are also kept into /etc/default/locale in etch
 +# reading this file *in addition to /etc/environment* does not hurt
 +session       required   pam_env.so readenv=1 envfile=/etc/default/locale
 +
 +# Standard Un*x authentication.
 +@include common-auth
 +
 +# This allows certain extra groups to be granted to a user
 +# based on things like time of day, tty, service, and user.
 +# Please edit /etc/security/group.conf to fit your needs
 +# (Replaces the `CONSOLE_GROUPS' option in login.defs)
 +auth       optional   pam_group.so
 +
 +# Uncomment and edit /etc/security/time.conf if you need to set
 +# time restrainst on logins.
 +# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
 +# as well as /etc/porttime)
 +# account    requisite  pam_time.so
 +
 +# Uncomment and edit /etc/security/access.conf if you need to
 +# set access limits.
 +# (Replaces /etc/login.access file)
 +# account  required       pam_access.so
 +
 +# Sets up user limits according to /etc/security/limits.conf
 +# (Replaces the use of /etc/limits in old login)
 +session    required   pam_limits.so
 +
 +# Prints the last login info upon succesful login
 +# (Replaces the `LASTLOG_ENAB' option from login.defs)
 +session    optional   pam_lastlog.so
 +
 +# Prints the message of the day upon succesful login.
 +# (Replaces the `MOTD_FILE' option in login.defs)
 +# This includes a dynamically generated part from /run/motd.dynamic
 +# and a static (admin-editable) part from /etc/motd.
 +session    optional   pam_motd.so  motd=/run/motd.dynamic
 +session    optional   pam_motd.so
 +
 +# Prints the status of the user's mailbox upon succesful login
 +# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). 
 +#
 +# This also defines the MAIL environment variable
 +# However, userdel also needs MAIL_DIR and MAIL_FILE variables
 +# in /etc/login.defs to make sure that removing a user 
 +# also removes the user's mail spool file.
 +# See comments in /etc/login.defs
 +session    optional   pam_mail.so standard
 +
 +# Standard Un*x account and session
 +@include common-account
 +@include common-session
 +@include common-password
 +
 +# SELinux needs to intervene at login time to ensure that the process
 +# starts in the proper default security context. Only sessions which are
 +# intended to run in the user's context should be run after this.
 +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
 +# When the module is present, "required" would be sufficient (When SELinux
 +# is disabled, this returns success.)
 +</sxh>
 +
 +
 +Ajustando o sudo
 +<sxh bash>
 +visudo 
 +%ti-admin        ALL=(ALL:ALL) ALL
 +</sxh>
 +
 +====== Configurando um Cliente Debian Wheezy para autenticar no Samba 4 =====
 +
 +Prepare o seu sistema com o seguinte script http://wiki.douglasqsantos.com.br/doku.php/confinicialwheezy_en para que não falte nenhum pacote ou configuração.
 +
 +Vamos atualizar os repositórios e fazer um upgrade do sistema
 +<sxh bash>
 +aptitude update && aptitude dist-upgrade -y
 +</sxh>
 +
 +Agora vamos ajustar as variáveis de ambiente do Debian
 +<sxh bash>
 +export DEBIAN_PRIORITY=critical
 +export DEBIAN_FRONTEND=noninteractive
 +</sxh>
 +
 +Agora vamos instalar as dependências
 +<sxh bash>
 +aptitude install samba samba-common smbclient winbind krb5-config libpam-krb5 cifs-utils  krb5-user -y
 +</sxh>
 +
 +Agora vamos voltar as variáveis de ambiente do Debian
 +<sxh bash>
 +unset DEBIAN_PRIORITY
 +unset DEBIAN_FRONTEND
 +</sxh>
 +
 +Agora vamos ajustar o resolv.conf
 +<sxh bash>
 +vim /etc/resolv.conf
 +domain lab.lan
 +search lab.lan
 +nameserver 192.168.0.25
 +nameserver 192.168.0.26
 +</sxh>
 +
 +Agora vamos ajustar o horário do nosso servidor
 +<sxh bash>
 +ntpdate -u a.ntp.br
 +</sxh>
 +
 +Agora vamos ajustar o arquivo de configuração do kerberos
 +<sxh bash>
 +vim /etc/krb5.conf
 +[libdefaults]
 +default_realm = LAB.LAN
 +krb4_config = /etc/krb.conf
 +krb4_realms = /etc/krb.realms
 +kdc_timesync = 1
 +ccache_type = 4
 +forwardable = true
 +proxiable = true
 +v4_instance_resolve = false
 +v4_name_convert = {
 +host = {
 +rcmd = host
 +ftp = ftp
 +}
 +plain = {
 +something = something-else
 +}
 +}
 +fcc-mit-ticketflags = true
 +[realms]
 +LAB.LAN = {
 +kdc = 192.168.0.25
 +kdc = 192.168.0.26
 +admin_server = 192.168.0.25:749
 +default_server = 192.168.0.25
 +}
 +[domain_realm]
 +.lab.lan=LAB.LAN
 +lab.lan=LAB.LAN
 +[login]
 +krb4_convert = true
 +krb4_get_tickets = false
 +[kdc]
 +profile = /etc/krb5kdc/kdc.conf
 +[appdefaults]
 +pam = {
 +debug = false
 +ticket_lifetime = 36000
 +renew_lifetime = 36000
 +forwardable = true
 +krb4_convert = false
 +}
 +[logging]
 +default = file:/var/log/krb5libs.log
 +kdc = file:/var/log/krb5kdc.log
 +admin_server = file:/var/log/kadmind.log
 +</sxh>
 +
 +Agora vamos ajustar o limits.conf
 +<sxh bash>
 +vim /etc/security/limits.conf
 +[...]
 +#colocar no final do arquivo
 +root hard nofile 131072
 +root soft nofile 65536
 +mioutente hard nofile 32768
 +mioutente soft nofile 16384
 +</sxh>
 +
 +Agora vamos ajustar o smb.conf
 +<sxh bash>
 +vim /etc/samba/smb.conf
 +[global]
 +        workgroup = LAB
 +        security = ADS
 +        realm = LAB.LAN
 +        netbios name = DEBIAN
 +        encrypt passwords = yes
 +        idmap config * : backend = tdb
 +        idmap config * : range = 10000-30000
 +        idmap config LAB:backend = ad
 +        idmap config LAB:schema_mode = rfc2307
 +        auth methods = winbind
 +        winbind nss info = rfc2307
 +        winbind trusted domains only = no
 +        winbind use default domain = yes
 +        winbind enum users  = yes
 +        winbind enum groups = yes
 +        template shell = /bin/bash
 +</sxh>
 +
 +Agora vamos ajustar o nsswitch.conf
 +<sxh bash>
 +vim /etc/nsswitch.conf
 +[...]
 +passwd:         compat winbind
 +group:            compat winbind
 +</sxh>
 +
 +Agora vamos reiniciar os serviços
 +<sxh bash>
 +/etc/init.d/samba restart
 +/etc/init.d/winbind restart
 +</sxh>
 +
 +Agora vamos fazer o join no domínio
 +<sxh bash>
 +net ads join lab.lan -U administrator
 +</sxh>
 +
 +Agora vamos reiniciar os serviços
 +<sxh bash>
 +/etc/init.d/samba restart
 +/etc/init.d/winbind restart
 +</sxh>
 +
 +Agora vamos ajustar a PAM
 +
 +<sxh bash>
 +vim /etc/pam.d/common-auth
 +#
 +# /etc/pam.d/common-auth - authentication settings common to all services
 +#
 +# This file is included from other service-specific PAM config files,
 +# and should contain a list of the authentication modules that define
 +# the central authentication scheme for use on the system
 +# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
 +# traditional Unix authentication mechanisms.
 +#
 +# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
 +# To take advantage of this, it is recommended that you configure any
 +# local modules either before or after the default block, and use
 +# pam-auth-update to manage selection of other modules.  See
 +# pam-auth-update(8) for details.
 +
 +# here are the per-package modules (the "Primary" block)
 +auth  sufficient  pam_winbind.so
 +auth  [success=2 default=ignore]  pam_krb5.so minimum_uid=1000
 +auth  [success=1 default=ignore]  pam_unix.so nullok_secure try_first_pass
 +# here's the fallback if no module succeeds
 +auth  requisite     pam_deny.so
 +# prime the stack with a positive return value if there isn't one already;
 +# this avoids us returning an error just because nothing sets a success code
 +# since the modules above will each just jump around
 +auth  required      pam_permit.so
 +# and here are more per-package modules (the "Additional" block)
 +# end of pam-auth-update config
 +</sxh>
 +
 +<sxh bash>
 +vim /etc/pam.d/common-account 
 +#
 +# /etc/pam.d/common-account - authorization settings common to all services
 +#
 +# This file is included from other service-specific PAM config files,
 +# and should contain a list of the authorization modules that define
 +# the central access policy for use on the system.  The default is to
 +# only deny service to users whose accounts are expired in /etc/shadow.
 +#
 +# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
 +# To take advantage of this, it is recommended that you configure any
 +# local modules either before or after the default block, and use
 +# pam-auth-update to manage selection of other modules.  See
 +# pam-auth-update(8) for details.
 +#
 +
 +# here are the per-package modules (the "Primary" block)
 +account sufficient pam_winbind.so
 +account [success=1 new_authtok_reqd=done default=ignore]  pam_unix.so
 +# here's the fallback if no module succeeds
 +account requisite     pam_deny.so
 +# prime the stack with a positive return value if there isn't one already;
 +# this avoids us returning an error just because nothing sets a success code
 +# since the modules above will each just jump around
 +account required      pam_permit.so
 +# and here are more per-package modules (the "Additional" block)
 +account required      pam_krb5.so minimum_uid=1000
 +# end of pam-auth-update config
 +</sxh>
 +
 +<sxh bash>
 +vim /etc/pam.d/common-session
 +#
 +# /etc/pam.d/common-session - session-related modules common to all services
 +#
 +# This file is included from other service-specific PAM config files,
 +# and should contain a list of modules that define tasks to be performed
 +# at the start and end of sessions of *any* kind (both interactive and
 +# non-interactive).
 +#
 +# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
 +# To take advantage of this, it is recommended that you configure any
 +# local modules either before or after the default block, and use
 +# pam-auth-update to manage selection of other modules.  See
 +# pam-auth-update(8) for details.
 +
 +# here are the per-package modules (the "Primary" block)
 +session required pam_mkhomedir.so skel=/etc/skel umask=0027
 +session required pam_winbind.so
 +session [default=1]     pam_permit.so
 +# here's the fallback if no module succeeds
 +session requisite     pam_deny.so
 +# prime the stack with a positive return value if there isn't one already;
 +# this avoids us returning an error just because nothing sets a success code
 +# since the modules above will each just jump around
 +session required      pam_permit.so
 +# and here are more per-package modules (the "Additional" block)
 +session optional      pam_krb5.so minimum_uid=1000
 +session required  pam_unix.so
 +# end of pam-auth-update config
 +</sxh>
 +
 +<sxh bash>
 +vim /etc/pam.d/sshd
 +# PAM configuration for the Secure Shell service
 +
 +# Read environment variables from /etc/environment and
 +# /etc/security/pam_env.conf.
 +auth       required     pam_env.so # [1]
 +# In Debian 4.0 (etch), locale-related environment variables were moved to
 +# /etc/default/locale, so read that as well.
 +auth       required     pam_env.so envfile=/etc/default/locale
 +
 +# Standard Un*x authentication.
 +@include common-auth
 +
 +# Disallow non-root logins when /etc/nologin exists.
 +account    required     pam_nologin.so
 +#Allow connection from those groups
 +account    sufficient   pam_succeed_if.so user ingroup root
 +account    requisite    pam_succeed_if.so user ingroup ti-admin
 +
 +# Uncomment and edit /etc/security/access.conf if you need to set complex
 +# access limits that are hard to express in sshd_config.
 +# account  required     pam_access.so
 +
 +# Standard Un*x authorization.
 +@include common-account
 +
 +# Standard Un*x session setup and teardown.
 +@include common-session
 +
 +# Print the message of the day upon successful login.
 +# This includes a dynamically generated part from /run/motd.dynamic
 +# and a static (admin-editable) part from /etc/motd.
 +session    optional     pam_motd.so  motd=/run/motd.dynamic noupdate
 +session    optional     pam_motd.so # [1]
 +
 +# Print the status of the user's mailbox upon successful login.
 +session    optional     pam_mail.so standard noenv # [1]
 +
 +# Set up user limits from /etc/security/limits.conf.
 +session    required     pam_limits.so
 +
 +# Set up SELinux capabilities (need modified pam)
 +# session  required     pam_selinux.so multiple
 +
 +# Standard Un*x password updating.
 +@include common-password
 +</sxh>
 +
 +<sxh bash>
 +vim /etc/pam.d/login 
 +#
 +# The PAM configuration file for the Shadow `login' service
 +#
 +
 +# Enforce a minimal delay in case of failure (in microseconds).
 +# (Replaces the `FAIL_DELAY' setting from login.defs)
 +# Note that other modules may require another minimal delay. (for example,
 +# to disable any delay, you should add the nodelay option to pam_unix)
 +auth       optional   pam_faildelay.so  delay=3000000
 +
 +# Outputs an issue file prior to each login prompt (Replaces the
 +# ISSUE_FILE option from login.defs). Uncomment for use
 +# auth       required   pam_issue.so issue=/etc/issue
 +
 +# Disallows root logins except on tty's listed in /etc/securetty
 +# (Replaces the `CONSOLE' setting from login.defs)
 +#
 +# With the default control of this module:
 +#   [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die]
 +# root will not be prompted for a password on insecure lines.
 +# if an invalid username is entered, a password is prompted (but login
 +# will eventually be rejected)
 +#
 +# You can change it to a "requisite" module if you think root may mis-type
 +# her login and should not be prompted for a password in that case. But
 +# this will leave the system as vulnerable to user enumeration attacks.
 +#
 +# You can change it to a "required" module if you think it permits to
 +# guess valid user names of your system (invalid user names are considered
 +# as possibly being root on insecure lines), but root passwords may be
 +# communicated over insecure lines.
 +auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
 +
 +# Disallows other than root logins when /etc/nologin exists
 +# (Replaces the `NOLOGINS_FILE' option from login.defs)
 +auth       requisite  pam_nologin.so
 +
 +#Allow connection from those groups
 +account    sufficient   pam_succeed_if.so user ingroup root
 +account    requisite    pam_succeed_if.so user ingroup ti-admin
 +
 +# SELinux needs to be the first session rule. This ensures that any 
 +# lingering context has been cleared. Without out this it is possible 
 +# that a module could execute code in the wrong domain.
 +# When the module is present, "required" would be sufficient (When SELinux
 +# is disabled, this returns success.)
 +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
 +
 +# This module parses environment configuration file(s)
 +# and also allows you to use an extended config
 +# file /etc/security/pam_env.conf.
 +
 +# parsing /etc/environment needs "readenv=1"
 +session       required   pam_env.so readenv=1
 +# locale variables are also kept into /etc/default/locale in etch
 +# reading this file *in addition to /etc/environment* does not hurt
 +session       required   pam_env.so readenv=1 envfile=/etc/default/locale
 +
 +# Standard Un*x authentication.
 +@include common-auth
 +
 +# This allows certain extra groups to be granted to a user
 +# based on things like time of day, tty, service, and user.
 +# Please edit /etc/security/group.conf to fit your needs
 +# (Replaces the `CONSOLE_GROUPS' option in login.defs)
 +auth       optional   pam_group.so
 +
 +# Uncomment and edit /etc/security/time.conf if you need to set
 +# time restrainst on logins.
 +# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
 +# as well as /etc/porttime)
 +# account    requisite  pam_time.so
 +
 +# Uncomment and edit /etc/security/access.conf if you need to
 +# set access limits.
 +# (Replaces /etc/login.access file)
 +# account  required       pam_access.so
 +
 +# Sets up user limits according to /etc/security/limits.conf
 +# (Replaces the use of /etc/limits in old login)
 +session    required   pam_limits.so
 +
 +# Prints the last login info upon succesful login
 +# (Replaces the `LASTLOG_ENAB' option from login.defs)
 +session    optional   pam_lastlog.so
 +
 +# Prints the message of the day upon succesful login.
 +# (Replaces the `MOTD_FILE' option in login.defs)
 +# This includes a dynamically generated part from /run/motd.dynamic
 +# and a static (admin-editable) part from /etc/motd.
 +session    optional   pam_motd.so  motd=/run/motd.dynamic
 +session    optional   pam_motd.so
 +
 +# Prints the status of the user's mailbox upon succesful login
 +# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). 
 +#
 +# This also defines the MAIL environment variable
 +# However, userdel also needs MAIL_DIR and MAIL_FILE variables
 +# in /etc/login.defs to make sure that removing a user 
 +# also removes the user's mail spool file.
 +# See comments in /etc/login.defs
 +session    optional   pam_mail.so standard
 +
 +# Standard Un*x account and session
 +@include common-account
 +@include common-session
 +@include common-password
 +
 +# SELinux needs to intervene at login time to ensure that the process
 +# starts in the proper default security context. Only sessions which are
 +# intended to run in the user's context should be run after this.
 +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
 +# When the module is present, "required" would be sufficient (When SELinux
 +# is disabled, this returns success.)
 +</sxh>
 +
 +
 +Ajustando o sudo
 +<sxh bash>
 +visudo 
 +%ti-admin        ALL=(ALL:ALL) ALL
 +</sxh>
 +
 +Agora vamos testar a conexão com o winbind
 +<sxh bash>
 +wbinfo -t
 +checking the trust secret for domain LAB via RPC calls succeeded
 +</sxh>
 +
 +Agora vamos listar os usuários do domínio
 +<sxh bash>
 +wbinfo -u
 +douglas.santos
 +administrator
 +dns-nodo1
 +krbtgt
 +guest
 +</sxh>
 +
 +Vamos listar os grupos
 +<sxh bash>
 +wbinfo -g
 +allowed rodc password replication group
 +enterprise read-only domain controllers
 +denied rodc password replication group
 +ti-admin
 +read-only domain controllers
 +group policy creator owners
 +ras and ias servers
 +domain controllers
 +enterprise admins
 +domain computers
 +cert publishers
 +dnsupdateproxy
 +domain admins
 +domain guests
 +schema admins
 +domain users
 +dnsadmins
 +</sxh>
 +
 +Agora vamos testar o acesso via ssh para esse cliente
 +<sxh bash>
 +ssh douglas.santos@192.168.0.52
 +douglas.santos@192.168.0.52's password: 
 +Creating directory '/home/LAB/douglas.santos'.
 +Linux debian 3.2.0-4-amd64 #1 SMP Debian 3.2.46-1 x86_64
 +
 +The programs included with the Debian GNU/Linux system are free software;
 +the exact distribution terms for each program are described in the
 +individual files in /usr/share/doc/*/copyright.
 +
 +Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
 +permitted by applicable law.
 +[10:35:45] douglas.santos@debian [~] $ 
 +</sxh>
 +
 +Nos logs de autenticação vamos ter algo como abaixo
 +<sxh bash>
 +tail -f /var/log/auth.log
 +Aug 27 10:35:44 debian sshd[4852]: pam_krb5(sshd:auth): user douglas.santos authenticated as douglas.santos@LAB.LAN
 +Aug 27 10:35:44 debian sshd[4852]: Accepted password for douglas.santos from 192.168.0.130 port 51197 ssh2
 +Aug 27 10:35:44 debian sshd[4852]: pam_unix(sshd:session): session opened for user douglas.santos by (uid=0)
 +</sxh>
 +
 +O cliente esta autenticando com sucesso :D
 +
 +
 +Ajustando o sudo
 +<sxh bash>
 +visudo 
 +%ti-admin        ALL=(ALL:ALL) ALL
 +</sxh>
 +
 +====== Configurando um Cliente CentOS para autenticar no Samba 4 ======
 +
 +Prepare o seu sistema com o seguinte script http://wiki.douglasqsantos.com.br/doku.php/confinicialcentos6_en para que não falte nenhum pacote ou configuração.
 +
 +
 +Vamos instalar as dependências para ele poder fazer parte do domínio samba 4
 +<sxh bash>
 +yum install samba samba-winbind samba-winbind-devel samba-client samba-common \
 + pam_krb5 cifs-utils samba-winbind-krb5-locator samba-doc krb5-workstation -y
 +</sxh>
 +
 +Agora vamos inserir os serviços na incialização do sistema
 +<sxh bash>
 +chkconfig --add nmb
 +chkconfig --add smb
 +chkconfig --add winbind
 +</sxh>
 +
 +Agora vamos ativar eles
 +<sxh bash>
 +chkconfig nmb on
 +chkconfig smb on
 +chkconfig winbind on
 +</sxh>
 +
 +Agora vamos ajustar o resolv.conf do cliente
 +<sxh bash>
 +vim /etc/resolv.conf
 +domain lab.lan
 +search lab.lan
 +nameserver 192.168.0.25
 +nameserver 192.168.0.26
 +</sxh>
 +
 +Agora vamos ajustar a interface de rede
 +<sxh bash>
 +vim /etc/sysconfig/network-scripts/ifcfg-eth0
 +DEVICE="eth0"
 +BOOTPROTO="static"
 +BROADCAST="192.168.0.255"
 +DNS1="192.168.0.25"
 +DNS2="192.168.0.26"
 +GATEWAY="192.168.0.1"
 +IPADDR="192.168.0.27"
 +NETMASK="255.255.255.0"
 +NM_CONTROLLED="yes"
 +ONBOOT="yes"
 +TYPE="Ethernet"
 +</sxh>
 +
 +Agora vamos ajustar o horário do servidor pois como vamos trabalhar com winbind e kerberos não podemos ter diferença de horario
 +<sxh bash>
 +ntpdate -u a.ntp.br
 +</sxh>
 +
 +Agora vamos ajustar o kerberos
 +<sxh bash>
 +vim /etc/krb5.conf
 +[libdefaults]
 +default_realm = LAB.LAN
 +krb4_config = /etc/krb.conf
 +krb4_realms = /etc/krb.realms
 +kdc_timesync = 1
 +ccache_type = 4
 +forwardable = true
 +proxiable = true
 +v4_instance_resolve = false
 +v4_name_convert = {
 +host = {
 +rcmd = host
 +ftp = ftp
 +}
 +plain = {
 +something = something-else
 +}
 +}
 +fcc-mit-ticketflags = true
 +[realms]
 +LAB.LAN = {
 +kdc = 192.168.0.25
 +kdc = 192.168.0.26
 +admin_server = 192.168.0.25:749
 +default_server = 192.168.0.25
 +}
 +[domain_realm]
 +.lab.lan=LAB.LAN
 +lab.lan=LAB.LAN
 +[login]
 +krb4_convert = true
 +krb4_get_tickets = false
 +[kdc]
 +profile = /etc/krb5kdc/kdc.conf
 +[appdefaults]
 +pam = {
 +debug = false
 +ticket_lifetime = 36000
 +renew_lifetime = 36000
 +forwardable = true
 +krb4_convert = false
 +}
 +[logging]
 +default = file:/var/log/krb5libs.log
 +kdc = file:/var/log/krb5kdc.log
 +admin_server = file:/var/log/kadmind.log
 +</sxh>
 +
 +Agora vamos acertar o limits.conf
 +<sxh bash>
 +vim /etc/security/limits.conf
 +[...]
 +#colocar no final do arquivo
 +root hard nofile 131072
 +root soft nofile 65536
 +mioutente hard nofile 32768
 +mioutente soft nofile 16384
 +</sxh>
 +
 +Agora vamos ajustar o smb.conf
 +<sxh bash>
 +vim /etc/samba/smb.conf
 +[global]
 +        workgroup = LAB
 +        security = ADS
 +        realm = LAB.LAN
 +        netbios name = CENTOS
 +        encrypt passwords = yes
 +        idmap config * : backend = tdb
 +        idmap config * : range = 10000-30000
 +        idmap config LAB:backend = ad
 +        idmap config LAB:schema_mode = rfc2307
 +        auth methods = winbind
 +        winbind nss info = rfc2307
 +        winbind trusted domains only = no
 +        winbind use default domain = yes
 +        winbind enum users  = yes
 +        winbind enum groups = yes
 +        template shell = /bin/bash
 +</sxh>
 +
 +Agora vamos ajustar o nsswitch.conf
 +<sxh bash>
 +vim /etc/nsswitch.conf
 +[...]
 +passwd:     files winbind
 +shadow:     files
 +group:        files winbind
 +</sxh>
 +
 +Vamos iniciar os serviços
 +<sxh bash>
 +/etc/init.d/nmb start
 +/etc/init.d/smb start
 +/etc/init.d/winbind start
 +</sxh>
 +
 +Agora vamos ajustar a PAM
 +
 +Vamos ajustar para que quando o usuário faça login seja criado o seu diretório home
 +<sxh bash>
 +vim /etc/pam.d/system-auth
 +#%PAM-1.0
 +# This file is auto-generated.
 +# User changes will be destroyed the next time authconfig is run.
 +auth        required      pam_env.so
 +auth        sufficient    pam_unix.so nullok try_first_pass
 +auth        requisite     pam_succeed_if.so uid >= 500 quiet
 +auth        required      pam_deny.so
 +
 +account     required      pam_unix.so
 +account     sufficient    pam_localuser.so
 +account     sufficient    pam_succeed_if.so uid < 500 quiet
 +account     required      pam_permit.so
 +
 +password    requisite     pam_cracklib.so try_first_pass retry=3 type=
 +password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
 +password    required      pam_deny.so
 +
 +session     optional      pam_keyinit.so revoke
 +session     required      pam_limits.so
 +session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
 +session     required      pam_unix.so
 +session     required      pam_mkhomedir.so skel=/etc/skel/ umask=0027
 +</sxh>
 +
 +Agora vamos ajustar o login utilizando o winbind aqui eu liberei somente o grupo root e o ti-admin para efetuar login em máquinas Linux
 +<sxh bash>
 +vim /etc/pam.d/login
 +#%PAM-1.0 
 +auth       sufficient    pam_winbind.so
 +auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
 +auth       include      system-auth
 + 
 + 
 +account    sufficient     pam_succeed_if.so user ingroup root
 +account    required    pam_winbind.so
 +account    required     pam_nologin.so
 +account    include      system-auth
 +#Grupos que vão poder efetuar login no servidor
 +account    requisite    pam_succeed_if.so user ingroup ti-admin
 + 
 +password   include      system-auth
 +# pam_selinux.so close should be the first session rule 
 + 
 +session    required     pam_selinux.so close
 +session    required     pam_mkhomedir.so        skel=/etc/skel umask=0027
 +session    include      system-auth
 +session    required     pam_loginuid.so
 +session    optional     pam_console.so
 +# pam_selinux.so open should only be followed by sessions to be executed in the user context 
 +session    required     pam_selinux.so open
 +session    optional     pam_keyinit.so force revoke
 +</sxh>
 +
 +Agora vamos ajustar o acesso via ssh utilizando o winbind aqui eu liberei somente o grupo root e o ti-admin para efetuar login em máquinas Linux
 +<sxh bash>
 +vim /etc/pam.d/sshd
 +#%PAM-1.0 
 +auth       sufficient    pam_winbind.so
 +auth       include      system-auth
 + 
 +account    sufficient   pam_succeed_if.so user ingroup root
 +account    required     pam_winbind.so
 +account    required     pam_nologin.so
 +account    include      system-auth
 +#Grupos que vão poder logar via ssh
 +account    requisite    pam_succeed_if.so user ingroup ti-admin
 + 
 +password   include      system-auth
 + 
 +session    required     pam_mkhomedir.so        skel=/etc/skel umask=0027
 +session    optional     pam_keyinit.so force revoke
 +session    include      system-auth
 +session    required     pam_loginuid.so
 +</sxh>
 +
 +Agora vamos verificar se estamos conseguindo criar um ticker do kerberos
 +<sxh bash>
 +kinit administrator
 +Password for administrator@LAB.LAN: 
 +Warning: Your password will expire in 41 days on Mon Oct  7 12:02:11 2013
 +</sxh>
 +
 +Agora vamos listar o nosso ticket
 +<sxh bash>
 +klist
 +Ticket cache: FILE:/tmp/krb5cc_0
 +Default principal: administrator@LAB.LAN
 +
 +Valid starting     Expires            Service principal
 +08/27/13 10:02:54  08/27/13 20:02:54  krbtgt/LAB.LAN@LAB.LAN
 +  renew until 08/28/13 10:02:51
 +</sxh>
 +
 +Agora vamos fazer o join no domínio
 +<sxh bash>
 +net ads join lab.lan -U administrator
 +</sxh>
 +
 +Esse erro de DNS ainda estou tentando arrumar.
 +
 +Agora vamos reiniciar os serviços
 +<sxh bash>
 +/etc/init.d/nmb restart
 +/etc/init.d/smb restart
 +/etc/init.d/winbind restart
 +</sxh>
 +
 +Agora vamos testar a conexão com o winbind
 +<sxh bash>
 +wbinfo -t
 +checking the trust secret for domain LAB via RPC calls succeeded
 +</sxh>
 +
 +Agora vamos listar os usuários do domínio
 +<sxh bash>
 +wbinfo -u
 +douglas.santos
 +administrator
 +dns-nodo1
 +krbtgt
 +guest
 +</sxh>
 +
 +Vamos listar os grupos
 +<sxh bash>
 +wbinfo -g
 +allowed rodc password replication group
 +enterprise read-only domain controllers
 +denied rodc password replication group
 +ti-admin
 +read-only domain controllers
 +group policy creator owners
 +ras and ias servers
 +domain controllers
 +enterprise admins
 +domain computers
 +cert publishers
 +dnsupdateproxy
 +domain admins
 +domain guests
 +schema admins
 +domain users
 +dnsadmins
 +</sxh>
 +
 +Agora vamos testar o acesso via ssh para esse cliente
 +<sxh bash>
 +ssh douglas.santos@192.168.0.27
 +douglas.santos@192.168.0.27's password: 
 +Creating directory '/home/LAB/douglas.santos'.
 +[10:40:01] douglas.santos@centos [~] $ 
 +</sxh>
 +
 +Agora vamos ver os logs de acesso do centos
 +<sxh bash>
 +tail -f /var/log/secure
 +Aug 27 10:38:55 centos sshd[13906]: pam_winbind(sshd:auth): getting password (0x00000000)
 +Aug 27 10:38:56 centos sshd[13906]: pam_winbind(sshd:auth): user 'douglas.santos' granted access
 +Aug 27 10:39:32 centos sshd[13906]: pam_succeed_if(sshd:account): requirement "user ingroup root" not met by user "douglas.santos"
 +Aug 27 10:39:32 centos sshd[13906]: pam_winbind(sshd:account): user 'douglas.santos' granted access
 +Aug 27 10:39:35 centos sshd[13906]: pam_succeed_if(sshd:account): requirement "user ingroup ti-admin" was met by user "douglas.santos"
 +Aug 27 10:39:35 centos sshd[13906]: Accepted password for douglas.santos from 192.168.0.130 port 46470 ssh2
 +Aug 27 10:39:50 centos sshd[13906]: pam_unix(sshd:session): session opened for user douglas.santos by (uid=0)
 +</sxh>
 +
 +O cliente está configurado com sucesso :D
 +
 +====== Referências ======
 +  - http://wiki.samba.org/index.php/Samba4
 +  - http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
 +  - http://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC
 +  - http://lists.samba.org/archive/samba-technical/2011-June/078134.html
 +  - http://lists.samba.org/
 +  - https://wiki.samba.org/index.php/Samba_4/OS_Requirements
 +  - http://wiki.samba.org/index.php/Dns-backend_bind
 +  - https://wiki.samba.org/index.php/Samba4/Winbind
Print/export
QR Code
QR Code instalando_e_configurando_o_samba4_com_suporte_a_adminpack_no_debian_wheezy_pt_br (generated for current page)