Installing and configuring Samba 4 as Master/Slave with Bind9 DLZ and Sysvol Replication on Debian Jessie (Ongoing)
The parts in Portuguese are my scratch notes, so please don't use them.
What's up folks, here I show you how to install and configure Samba 4 as a PDC and how to configure the BDC as well; I shall use BIND_DLZ as the DNS backend. I am going to cover Sysvol replication, but it is only a workaround, as Samba AD currently does not provide support for SysVol replication, and we cannot forget that we need to configure backup and restore too. Let's roll up our sleeves and start to work.
NOTE: I shall work with Samba 4.2.2, the current stable release today: 04/05/2015
NOTE: If you use BIND as the backend for your Samba AD, it must not run chrooted, because it must be able to access the files and databases of your Samba installation directly.
What I will use here:
- Debian Jessie
- IP: 192.168.25.100/24
- name: samba1
- domain: douglas.lan
- Debian Jessie
- IP: 192.168.25.101/24
- name: samba2
- domain: douglas.lan
We need to install some packages and configure some environment variables for the system to work properly, so I have created a script that configures those things; the link follows: http://wiki.douglasqsantos.com.br/doku.php/confinicialjessie_en Feel free to change it as needed.
Note: The repositories in the script are from Brazil, which is the fastest mirror for me, so feel free to change them to the mirrors of your country.
After downloading the script, we need to convert it from DOS to Unix line endings as follows
dos2unix ConfInicialJessie.sh
After that, change the permissions
chmod +x ConfInicialJessie.sh
Now we just need to execute it and wait
./ConfInicialJessie.sh
Configuring the Samba Master
Let's update our repositories and upgrade all the packages
aptitude update && aptitude dist-upgrade -y
Now let's set two environment variables to make the installation non-interactive
export DEBIAN_PRIORITY=critical
export DEBIAN_FRONTEND=noninteractive
Now we need to install some prerequisites that enable Samba 4 to work properly.
aptitude install libpam0g-dev git gcc make wget libacl1-dev libblkid-dev libreadline-dev python-dev libcups2-dev libcupsfilters-dev libfam-dev \
libcupscgi1-dev libcupsimage2-dev libcupsmime1-dev libcupsppdc1-dev libaio-dev acl-dev python-gnupg libpython-dev libghc-gnutls-dev \
acl heimdal-clients libattr1-dev libacl1-dev libattr1-dev libblkid-dev libgnutls28-dev libreadline-dev python-dnspython gdb pkg-config libfam-dev \
libpopt-dev libldap2-dev dnsutils libbsd-dev attr docbook-xsl python-pycurl python-software-properties libwind0-heimdal libarchive-dev \
quota unattended-upgrades libpam-heimdal bison debhelper flex gettext html2text intltool-debian libbison-dev libgettextpo0 libldb-dev \
libldb1 libparse-yapp-perl libpython3.4 libsmbclient libsmbclient-dev libsubunit-dev libsubunit-perl libsubunit0 libtalloc-dev libtalloc2 \
libtdb-dev libtdb1 libtevent-dev libtevent0 libunistring0 libwbclient-dev libwbclient0 libxslt1.1 po-debconf python-all python-all-dev python-ldb \
python-ldb-dev python-pkg-resources python-subunit python-talloc python-talloc-dev python-tdb python-testtools subunit xsltproc libunwind-dev \
libgcrypt-dev libdbus-1-dev libedbus-dev libmodbus-dev python-dbus-dev libcephfs-dev libavahi-core-dev python-avahi libavahi-cil-dev dmapi-dev \
heimdal-dev heimdal-multidev libasn1-8-heimdal libgssapi3-heimdal libhcrypto4-heimdal libhdb9-heimdal libheimbase1-heimdal libheimntlm0-heimdal \
libhx509-5-heimdal libkadm5clnt7-heimdal libkadm5srv8-heimdal libkafs0-heimdal libkdc2-heimdal libkrb5-26-heimdal libroken18-heimdal -y
Now we need to enable acl, user_xattr and barrier support on the / partition, or on whichever partition Samba will use, such as /var or /srv.
vim /etc/fstab
[...]
/dev/mapper/VolGroup-lv_root /    ext4 defaults,acl,user_xattr,barrier=1 1 1
/dev/mapper/vg01-var         /var ext4 defaults,acl,user_xattr,barrier=1 0 2
Now we need to remount the partitions with the changes, or reboot the server, for the changes to take effect.
mount -o remount /
mount -o remount /var
Debian Jessie is different from both CentOS 6 and Debian Wheezy: if we ask the mount command about acl or xattr, the system returns nothing. Let's try.
mount | egrep acl
We can check whether these options are built into the kernel as follows.
cat /boot/config-$(uname -r) | egrep -i acl
CONFIG_EXT4_FS_POSIX_ACL=y
CONFIG_REISERFS_FS_POSIX_ACL=y
CONFIG_JFS_POSIX_ACL=y
CONFIG_XFS_POSIX_ACL=y
CONFIG_BTRFS_FS_POSIX_ACL=y
CONFIG_FS_POSIX_ACL=y
CONFIG_TMPFS_POSIX_ACL=y
# CONFIG_HFSPLUS_FS_POSIX_ACL is not set
CONFIG_JFFS2_FS_POSIX_ACL=y
CONFIG_F2FS_FS_POSIX_ACL=y
CONFIG_NFS_V3_ACL=y
CONFIG_NFSD_V2_ACL=y
CONFIG_NFSD_V3_ACL=y
CONFIG_NFS_ACL_SUPPORT=m
CONFIG_CEPH_FS_POSIX_ACL=y
CONFIG_CIFS_ACL=y
CONFIG_9P_FS_POSIX_ACL=y
As we saw, ACL support is built into the kernel, which is why the mount command showed nothing about it.
Let's run a test with acl and xattr.
Let's access the /usr directory
cd /usr
Now let's create a simple file
touch test.txt
Now let's set extended attributes on our file
setfattr -n user.test -v test test.txt
setfattr -n security.test -v test2 test.txt
Now let's read the attributes back
getfattr -d test.txt
# file: test.txt
user.test="test"
Now let's read the attribute in the security namespace
getfattr -n security.test -d test.txt
# file: test.txt
security.test="test2"
Now let's access the directory that will store the Samba sources
cd /usr/src
Now we need to get the samba version 4.2.2
wget -c http://ftp.samba.org/pub/samba/stable/samba-4.2.2.tar.gz
Now we need to extract the sources
tar -xvf samba-4.2.2.tar.gz
Let's access the directory
cd samba-4.2.2
Now we need to run the configure script, which checks the prerequisites, as follows
./configure --enable-debug --enable-selftest
Now we need to compile Samba; this process takes a while.
make
Now we can install Samba 4 with a single command.
make install
Now we need to adjust the PATH
echo "export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11:/usr/local/samba/sbin:/usr/local/samba/bin">> /root/.bashrc
Now we need to reload the PATH
source /root/.bashrc
Now we need to prepare the BIND_DLZ
Installing and Configuring BIND_DLZ
Let's install the prerequisites to work with BIND
aptitude install autopoint autotools-dev bison debhelper dh-apparmor geoip-bin gettext hardening-wrapper html2text intltool-debian libgeoip-dev dh-autoreconf \
libbison-dev libcap-dev libdb-dev libdb5.3-dev libgeoip-dev libgettextpo0 libltdl-dev libmail-sendmail-perl libsys-hostname-long-perl dpkg-dev dh-systemd \
libtool libunistring0 libxml2-dev po-debconf debhelper libssl-dev libtool bison libdb-dev libldap2-dev libxml2-dev hardening-wrapper libkrb5-dev -y
Now we need to get the bind9 sources
cd /usr/src
apt-get source bind9
Now we need to access the bind9 source folder
cd bind9-*
Now we need to change the configure flags to enable Kerberos (GSSAPI) and dlopen support as follows
vim debian/rules
[...]
    ./configure --prefix=/usr \
        --mandir=\$${prefix}/share/man \
        --infodir=\$${prefix}/share/info \
        --sysconfdir=/etc/bind \
        --localstatedir=/var \
        --enable-threads \
        --enable-largefile \
        --with-libtool \
        --enable-shared \
        --enable-static \
        --with-openssl=/usr \
        --with-gssapi=/usr \
        --with-gnu-ld \
        --with-geoip=/usr \
        --with-atf=no \
        --enable-ipv6 \
        --enable-rrl \
        --enable-filter-aaaa \
        --with-libxml2 \
        --with-gssapi=/usr/include/gssapi \
        --with-dlopen=yes \
        --with-dlz-ldap=yes \
        --with-dlz-filesystem=yes \
        $(EXTRA_FEATURES)
Now we need to build the deb packages; it will take a while.
dpkg-buildpackage
Now we need to install the packages
cd ..
dpkg -i *.deb
Now we need to create the directories and adjust the permissions
mkdir /var/cache/bind/{data,dynamic}
chown -R bind:bind /var/cache/bind/
chmod -R 775 /var/cache/bind/dynamic
Now let's make a copy of the original file
cp /etc/bind/named.conf.options /etc/bind/named.conf.options.old
Now let's configure Bind
vim /etc/bind/named.conf.options
#/etc/bind/named.conf.options
options {
    listen-on port 53 { 127.0.0.1; 192.168.25.0/24; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/cache/bind";
    dump-file "/var/cache/bind/data/cache_dump.db";
    statistics-file "/var/cache/bind/data/named_stats.txt";
    memstatistics-file "/var/cache/bind/data/named_mem_stats.txt";
    allow-query { 192.168.25.0/24; 127.0.0.1/32; };
    allow-update { 127.0.0.1/32; };
    allow-recursion { 192.168.25.0/24; 127.0.0.1/32; };
    forwarders { 8.8.8.8; 8.8.4.4; };
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;
    /* Dynamic keys */
    managed-keys-directory "/var/cache/bind/dynamic";
    /* Enable support for secure GSS-TSIG updates */
    tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
};
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
Now we need to modify named.conf and include the configuration file generated by Samba
vim /etc/bind/named.conf
[...]
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/usr/local/samba/private/named.conf";
Now we need to configure resolv.conf
vim /etc/resolv.conf
domain douglas.lan
search douglas.lan
nameserver 192.168.25.100
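An added example, not from the original page or from the BIND or Samba projects: a POSIX sh check that reads a named.conf.options written for the BIND9_DLZ backend and flags the settings that matter for update security, namely a missing tkey-gssapi-keytab (Samba's dns.keytab is what lets clients and samba_dnsupdate send signed GSS-TSIG updates), an allow-update that reaches beyond loopback (it grants unsigned updates to the AD zones), and an allow-recursion of any. The function names and both sample files are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the page): sanity-check named.conf.options for a
# Samba BIND9_DLZ setup. Dynamic updates are meant to arrive signed via
# GSS-TSIG using Samba's dns.keytab, so allow-update must stay loopback-only
# and recursion must not be open to everyone. POSIX sh, sed and tr only;
# every function name below is an assumption for this example.

# Print the contents of "STATEMENT { ... }" as one line (a block may span lines).
named_block() {   # named_block FILE STATEMENT
    tr '\n' ' ' < "$1" | sed -n "s/.*[[:space:]]$2[[:space:]]*{\([^}]*\)}.*/\1/p"
}

# Print the path given to tkey-gssapi-keytab, or nothing if it is unset.
named_keytab() {   # named_keytab FILE
    sed -n 's/^[[:space:]]*tkey-gssapi-keytab[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# Print one line per finding; succeed only when there are none.
named_audit() {   # named_audit FILE
    f=$1; findings=0
    kt=$(named_keytab "$f")
    case "$kt" in
        */dns.keytab) ;;
        '') echo "tkey-gssapi-keytab is not set: signed (GSS-TSIG) updates from Samba will fail"
            findings=$((findings + 1)) ;;
        *)  echo "tkey-gssapi-keytab '$kt' is not Samba's private/dns.keytab"
            findings=$((findings + 1)) ;;
    esac
    # allow-update grants UNSIGNED updates; only loopback (or none) belongs here
    for acl in $(named_block "$f" allow-update | tr ';' ' '); do
        case "$acl" in
            none|localhost|127.0.0.1|127.0.0.1/32|::1) ;;
            *) echo "allow-update { $acl; } accepts unsigned updates to the AD zones"
               findings=$((findings + 1)) ;;
        esac
    done
    # a DC answering recursive queries for everyone is an open resolver
    for acl in $(named_block "$f" allow-recursion | tr ';' ' '); do
        case "$acl" in
            any|0.0.0.0/0|::/0)
                echo "allow-recursion { $acl; } makes this DC an open resolver"
                findings=$((findings + 1)) ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample mirroring the options block used on this page.
named_sample_ok() {
    cat <<'EOF'
options {
    listen-on port 53 { 127.0.0.1; 192.168.25.0/24; };
    directory "/var/cache/bind";
    allow-query { 192.168.25.0/24; 127.0.0.1/32; };
    allow-update { 127.0.0.1/32; };
    allow-recursion { 192.168.25.0/24; 127.0.0.1/32; };
    forwarders { 8.8.8.8; 8.8.4.4; };
    tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
};
EOF
}

# Constructed sample with the keytab removed and both ACLs opened up.
named_sample_bad() {
    cat <<'EOF'
options {
    directory "/var/cache/bind";
    allow-update {
        127.0.0.1/32;
        192.168.25.0/24;
    };
    allow-recursion { any; };
};
EOF
}

# Usage: sh named_audit.sh /etc/bind/named.conf.options
if [ -n "${1:-}" ]; then
    named_audit "$1" || exit 1
    echo "no findings in $1"
fi
```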
Provisioning the Domain and Testing
Now we need to provision our domain; let's check the available options first
samba-tool domain provision -h
Usage: samba-tool domain provision [options]

Provision a domain.

Options:
  -h, --help            show this help message and exit
  --interactive         Ask for names
  --domain=DOMAIN       set domain
  --domain-guid=GUID    set domainguid (otherwise random)
  --domain-sid=SID      set domainsid (otherwise random)
  --ntds-guid=GUID      set NTDS object GUID (otherwise random)
  --invocationid=GUID   set invocationid (otherwise random)
  --host-name=HOSTNAME  set hostname
  --host-ip=IPADDRESS   set IPv4 ipaddress
  --host-ip6=IP6ADDRESS set IPv6 ipaddress
  --site=SITENAME       set site name
  --adminpass=PASSWORD  choose admin password (otherwise random)
  --krbtgtpass=PASSWORD choose krbtgt password (otherwise random)
  --machinepass=PASSWORD choose machine password (otherwise random)
  --dns-backend=NAMESERVER-BACKEND
                        The DNS server backend. SAMBA_INTERNAL is the builtin
                        name server (default), BIND9_FLATFILE uses bind9 text
                        database to store zone information, BIND9_DLZ uses
                        samba4 AD to store zone information, NONE skips the
                        DNS setup entirely (not recommended)
  --dnspass=PASSWORD    choose dns password (otherwise random)
  --ldapadminpass=PASSWORD
                        choose password to set between Samba and it's LDAP
                        backend (otherwise random)
  --root=USERNAME       choose 'root' unix username
  --nobody=USERNAME     choose 'nobody' user
  --users=GROUPNAME     choose 'users' group
  --quiet               Be quiet
  --blank               do not add users or groups, just the structure
  --ldap-backend-type=LDAP-BACKEND-TYPE
                        Test initialisation support for unsupported LDAP
                        backend type (fedora-ds or openldap) DO NOT USE
  --server-role=ROLE    The server role (domain controller | dc | member
                        server | member | standalone). Default is dc.
  --function-level=FOR-FUN-LEVEL
                        The domain and forest function level (2000 | 2003 |
                        2008 | 2008_R2 - always native). Default is (Windows)
                        2008R2 Native.
  --next-rid=NEXTRID    The initial nextRid value (only needed for upgrades).
                        Default is 1000.
  --partitions-only     Configure Samba's partitions, but do not modify them
                        (ie, join a BDC)
  --targetdir=DIR       Set target directory
  --ol-mmr-urls=LDAPSERVER
                        List of LDAP-URLS [ ldap://<FQHN>:<PORT>/ (where
                        <PORT> has to be different than 389!) ] separated
                        with comma (",") for use with OpenLDAP-MMR (Multi-
                        Master-Replication), e.g.:
                        "ldap://s4dc1:9000,ldap://s4dc2:9000"
  --use-xattrs=USE_XATTRS
                        Define if we should use the native fs capabilities or
                        a tdb file for storing attributes likes ntacl, auto
                        tries to make an inteligent guess based on the user
                        rights and system capabilities
  --use-ntvfs           Use NTVFS for the fileserver (default = no)
  --use-rfc2307         Use AD to store posix attributes (default = no)

  Samba Common Options:
    -s FILE, --configfile=FILE
                        Configuration file
    -d DEBUGLEVEL, --debuglevel=DEBUGLEVEL
                        debug level
    --option=OPTION     set smb.conf option from command line
    --realm=REALM       set the realm name

  Version Options:
    -V, --version       Display version number
Now let's provision the domain (the option is --use-xattrs, as listed in the help above, and the password is quoted so that the shell does not expand the asterisk)
samba-tool domain provision --domain=DOUGLAS --adminpass='smb@134*' \
  --dns-backend=BIND9_DLZ --server-role=dc \
  --function-level=2008_R2 --use-xattrs=yes \
  --use-rfc2307 --realm=douglas.lan
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=douglas,DC=lan
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=douglas,DC=lan
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
See /usr/local/samba/private/named.conf for an example configuration include file for BIND
and /usr/local/samba/private/named.txt for further documentation required for secure DNS updates
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Setting up fake yp server settings
Once the above files are installed, your Samba4 server will be ready to use
Server Role:           active directory domain controller
Hostname:              samba1
NetBIOS Domain:        DOUGLAS
DNS Domain:            douglas.lan
DOMAIN SID:            S-1-5-21-2627875541-338730943-4229738209
If you get an error and need to run the provisioning again, execute the following commands first and then run the provisioning again.
rm -rf /usr/local/samba/etc
rm -rf /usr/local/samba/private
rm -rf /usr/local/samba/var/locks/sysvol
Now we need to change the Samba configuration, but first we need to make a backup copy of smb.conf
cp -Rfa /usr/local/samba/etc/smb.conf{,.bkp}
Now let's make some changes in our configuration file. Two details matter here: every "idmap config" entry must name our own domain, DOUGLAS, and "vfs objects" may appear only once, because a second occurrence silently replaces the first and would drop dfs_samba4 and acl_xattr, which an AD DC needs.
vim /usr/local/samba/etc/smb.conf
# Global parameters
[global]
        workgroup = DOUGLAS
        realm = douglas.lan
        netbios name = SAMBA1
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
        ### RPC ###
        rpc_server:tcpip = no
        rpc_daemon:spoolssd = embedded
        rpc_server:spoolss = embedded
        rpc_server:winreg = embedded
        rpc_server:ntsvcs = embedded
        rpc_server:eventlog = embedded
        rpc_server:srvsvc = embedded
        rpc_server:svcctl = embedded
        rpc_server:default = external
        ### IDMAP ###
        idmap_ldb:use rfc2307 = yes
        idmap config * : backend = tdb
        idmap config *:range = 70001-80000
        idmap config DOUGLAS:backend = ad
        idmap config DOUGLAS:schema_mode = rfc2307
        idmap config DOUGLAS:range = 500-40000
        ### WINBIND ###
        winbind nss info = rfc2307
        winbind trusted domains only = no
        winbind use default domain = yes
        winbind enum users = yes
        winbind enum groups = yes
        map archive = No
        map readonly = no
        store dos attributes = Yes
        ### VFS: dfs_samba4 and acl_xattr are required on an AD DC; recycle and
        ### full_audit go on the same line, since a second "vfs objects" line
        ### would replace this one
        vfs objects = dfs_samba4, acl_xattr, recycle, full_audit
        ### The template is necessary to authenticate with winbind
        template shell = /bin/bash
        ### Disabling printers ###
        printcap name = /dev/null
        load printers = no
        disable spoolss = yes
        printing = bsd
        ### LOGS ###
        log file = /var/log/samba/smbd.log
        max log size = 50
        log level = 2
        ### RECYCLE BIN ###
        recycle:repository = Recycle
        recycle:exclude = *.tmp *.TMP *.temp *.TEMP ~*
        recycle:keeptree = yes
        ### AUDIT ###
        full_audit:success = rmdir mkdir open write rename unlink
        full_audit:failure = rmdir mkdir open write rename unlink
        full_audit:prefix = %U|%I|%m|%S
        full_audit:facility = local5
        full_audit:priority = notice
        veto files = /*.mp3/*.wav/*.exe/*.cmd/*.adm/*.inf/*.ini/*.pif
        delete veto files = yes
        dos filemode = yes

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/douglas.lan/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No
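An added example, not from the original page or the Samba project: a POSIX sh audit that reads an smb.conf with awk and flags the mistakes a DC configuration most often picks up when it is copied between domains, namely an "idmap config" for a domain other than the workgroup, a key such as "vfs objects" set twice (Samba keeps only the last value), a missing dfs_samba4 or acl_xattr module, and a netlogon path under another realm's sysvol. The function names and the embedded sample are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original page: audit a Samba AD DC smb.conf for
# mistakes that slip into [global] when a file is copied between domains:
# "idmap config" naming a domain other than the workgroup, a key set twice
# (Samba keeps only the LAST value, which is how "vfs objects" gets lost), and
# a netlogon path under another realm's sysvol. Needs only POSIX sh, awk,
# grep, sed and sort; every function name is an assumption for this example.

# Print the effective value of KEY in [SECTION].
smb_get() {   # smb_get FILE SECTION KEY
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { cur = $0; gsub(/^[ \t]+|[ \t]+$/, "", cur); next }
        cur == sec && index($0, "=") {
            k = $0; sub(/=.*/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) { v = $0; sub(/^[^=]*=[ \t]*/, "", v)
                            sub(/[ \t]+$/, "", v); val = v }
        }
        END { print val }' "$1"
}

# Print every key that is set more than once in [SECTION].
smb_dup_keys() {   # smb_dup_keys FILE SECTION
    awk -v sec="[$2]" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { cur = $0; gsub(/^[ \t]+|[ \t]+$/, "", cur); next }
        cur == sec && index($0, "=") {
            k = $0; sub(/=.*/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", k); n[k]++
        }
        END { for (k in n) if (n[k] > 1) print k }' "$1" | sort
}

# Print one line per finding; succeed only when there are none.
smb_audit() {   # smb_audit FILE
    f=$1; findings=0
    wg=$(smb_get "$f" global workgroup | tr '[:lower:]' '[:upper:]')
    realm=$(smb_get "$f" global realm | tr '[:upper:]' '[:lower:]')
    # 1. every "idmap config DOMAIN:..." must name our workgroup (or "*")
    doms=$(grep -i '^[[:space:]]*idmap config' "$f" \
        | sed 's/^[[:space:]]*idmap config[[:space:]]*//; s/[[:space:]]*:.*//' \
        | tr '[:lower:]' '[:upper:]' | sort -u)
    while read -r dom; do
        if [ -n "$dom" ] && [ "$dom" != '*' ] && [ "$dom" != "$wg" ]; then
            echo "idmap config for '$dom' but workgroup is '$wg': those ids never map"
            findings=$((findings + 1))
        fi
    done <<EOF
$doms
EOF
    # 2. keys defined twice: only the last definition is in effect
    dups=$(smb_dup_keys "$f" global)
    while read -r k; do
        if [ -n "$k" ]; then
            echo "'$k' set twice in [global]; effective value: '$(smb_get "$f" global "$k")'"
            findings=$((findings + 1))
        fi
    done <<EOF
$dups
EOF
    # 3. an AD DC needs dfs_samba4 (sysvol DFS referrals) and acl_xattr (NT ACLs)
    vfs=$(smb_get "$f" global "vfs objects" | tr ',' ' ')
    for mod in dfs_samba4 acl_xattr; do
        case " $vfs " in
            *" $mod "*) ;;
            *) echo "vfs objects lacks '$mod' (effective list: '$vfs')"
               findings=$((findings + 1)) ;;
        esac
    done
    # 4. netlogon must point at the scripts directory of OUR realm
    path=$(smb_get "$f" netlogon path | tr '[:upper:]' '[:lower:]')
    case "$path" in
        */"$realm"/scripts) ;;
        *) echo "netlogon path '$path' is not sysvol/$realm/scripts"
           findings=$((findings + 1)) ;;
    esac
    [ "$findings" -eq 0 ]
}

# Constructed sample: a [global] in this page's layout with the mistakes injected.
smb_sample_bad() {
    cat <<'EOF'
[global]
        workgroup = DOUGLAS
        realm = douglas.lan
        idmap config * : backend = tdb
        idmap config LAB:backend = ad
        vfs objects = dfs_samba4, acl_xattr
        full_audit:failure = rmdir mkdir open write rename unlink
        full_audit:failure = none
        vfs objects = recycle full_audit
[netlogon]
        path = /usr/local/samba/var/locks/sysvol/lab.lan/scripts
EOF
}

# Usage: sh smbconf_audit.sh /usr/local/samba/etc/smb.conf
if [ -n "${1:-}" ]; then
    smb_audit "$1" || exit 1
    echo "no findings in $1"
fi
```

Run against the sample it reports six findings; against a corrected file (idmap config DOUGLAS, one vfs objects line carrying all four modules, one full_audit:failure, netlogon under douglas.lan) it reports none and exits 0.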
Now we need to create the directory that will store the samba log files
mkdir -p /var/log/samba
Now we need to create a symbolic link to the keytab
ln -s /usr/local/samba/private/dns.keytab /etc/krb5.keytab
Now let's start the samba service
/usr/local/samba/sbin/samba
Now let's disable the expiry of the administrator password
samba-tool user setexpiry administrator --noexpiry
Expiry for user 'administrator' disabled.
Now let's check the Samba client version
smbclient --version
Version 4.2.2
Now let's display the shares
smbclient -L localhost -U%
Domain=[DOUGLAS] OS=[Windows 6.1] Server=[Samba 4.2.2]

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk
        sysvol          Disk
        IPC$            IPC       IPC Service (Samba 4.2.2)
Domain=[DOUGLAS] OS=[Windows 6.1] Server=[Samba 4.2.2]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
Now let's test the shares with an authenticated account
smbclient -L //localhost/netlogon -U douglas/administrator%'smb@134*' -c 'ls'
Domain=[DOUGLAS] OS=[Windows 6.1] Server=[Samba 4.2.2]

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk
        sysvol          Disk
        IPC$            IPC       IPC Service (Samba 4.2.2)
Domain=[DOUGLAS] OS=[Windows 6.1] Server=[Samba 4.2.2]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
Now let's display the Samba configuration with testparm
testparm
Load smb config files from /usr/local/samba/etc/smb.conf
Processing section "[netlogon]"
Processing section "[sysvol]"
Loaded services file OK.
Server role: ROLE_ACTIVE_DIRECTORY_DC

Press enter to see a dump of your service definitions

# Global parameters
[global]
        workgroup = DOUGLAS
        realm = douglas.lan
        server role = active directory domain controller
        passdb backend = samba_dsdb
        log file = /var/log/samba/smbd.log
        max log size = 50
        load printers = No
        printcap name = /dev/null
        disable spoolss = Yes
        template shell = /bin/bash
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        winbind nss info = rfc2307
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
        winbindd:use external pipes = true
        full_audit:priority = notice
        full_audit:facility = local5
        full_audit:prefix = %U|%I|%m|%S
        full_audit:failure = none
        full_audit:success = rmdir mkdir open write rename unlink
        recycle:keeptree = yes
        recycle:exclude = *.tmp *.TMP *.temp *.TEMP ~*
        recycle:repository = Recycle
        idmap config lab:range = 500-40000
        idmap config lab:schema_mode = rfc2307
        idmap config lab:backend = ad
        idmap config *:range = 70001-80000
        idmap_ldb:use rfc2307 = yes
        rpc_server:default = external
        rpc_server:svcctl = embedded
        rpc_server:srvsvc = embedded
        rpc_server:eventlog = embedded
        rpc_server:ntsvcs = embedded
        rpc_server:winreg = embedded
        rpc_server:spoolss = embedded
        rpc_daemon:spoolssd = embedded
        rpc_server:tcpip = no
        idmap config * : backend = tdb
        printing = bsd
        delete veto files = Yes
        veto files = /*.mp3/*.wav/*.exe/*.cmd/*.adm/*.inf/*.ini/*.pif
        map archive = No
        map readonly = no
        store dos attributes = Yes
        dos filemode = Yes
        vfs objects = recycle full_audit

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/douglas.lan/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No
Now let's check the Samba processes that are running
ps aux | egrep samba
root     11326  0.0  2.5 524812 51900 ?        Ss   17:18   0:00 /usr/local/samba/sbin/samba
root     11327  0.0  1.6 524812 34440 ?        S    17:18   0:00 /usr/local/samba/sbin/samba
root     11328  0.0  1.7 524812 36544 ?        S    17:18   0:00 /usr/local/samba/sbin/samba
root     11329  0.0  2.0 528964 42176 ?        S    17:18   0:00 /usr/local/samba/sbin/samba
root     11330  0.0  2.7 484536 56336 ?        Ss   17:18   0:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
root     11331  0.0  1.6 524812 34440 ?        S    17:18   0:00 /usr/local/samba/sbin/samba
root     11332  0.0  1.9 524812 40460 ?        S    17:18   0:00 /usr/local/samba/sbin/samba
root     11333  0.0  1.7 524812 35976 ?        S    17:18   0:00 /usr/local/samba/sbin/samba
root     11334  0.0  1.9 524812 39740 ?        S    17:18   0:00 /usr/local/samba/sbin/samba
root     11335  0.0  1.8 524776 38028 ?        S    17:18   0:00 /usr/local/samba/sbin/samba
root     11336  0.0  1.8 528236 38176 ?        S    17:18   0:00 /usr/local/samba/sbin/samba
root     11337  0.0  1.6 524812 34440 ?        S    17:18   0:00 /usr/local/samba/sbin/samba
root     11338  0.0  2.1 524776 44972 ?        S    17:18   0:00 /usr/local/samba/sbin/samba
root     11339  0.0  1.7 524812 36372 ?        S    17:18   0:00 /usr/local/samba/sbin/samba
root     11400  0.0  0.1  12968  2364 pts/0    S+   17:27   0:00 grep -E --color=auto samba
Now let's restart the bind9 service
systemctl restart bind9
Now let's check the bind9 status
systemctl status bind9
● bind9.service - BIND Domain Name Server
   Loaded: loaded (/lib/systemd/system/bind9.service; enabled)
  Drop-In: /run/systemd/generator/bind9.service.d
           └─50-insserv.conf-$named.conf
   Active: active (running) since Qui 2015-06-04 17:41:58 BRT; 896ms ago
     Docs: man:named(8)
  Process: 11770 ExecStop=/usr/sbin/rndc stop (code=exited, status=0/SUCCESS)
 Main PID: 11775 (named)
   CGroup: /system.slice/bind9.service
           └─11775 /usr/sbin/named -f -u bind

Jun 04 17:41:59 samba1 named[11775]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
Jun 04 17:41:59 samba1 named[11775]: command channel listening on 127.0.0.1#953
Jun 04 17:41:59 samba1 named[11775]: command channel listening on ::1#953
Jun 04 17:41:59 samba1 named[11775]: managed-keys-zone: loaded serial 2
Jun 04 17:41:59 samba1 named[11775]: zone 0.in-addr.arpa/IN: loaded serial 1
Jun 04 17:41:59 samba1 named[11775]: zone 127.in-addr.arpa/IN: loaded serial 1
Jun 04 17:41:59 samba1 named[11775]: zone 255.in-addr.arpa/IN: loaded serial 1
Jun 04 17:41:59 samba1 named[11775]: zone localhost/IN: loaded serial 2
Jun 04 17:41:59 samba1 named[11775]: all zones loaded
Jun 04 17:41:59 samba1 named[11775]: running
Now let's check the DNS resolution
nslookup douglas.lan
Server:         127.0.0.1
Address:        127.0.0.1#53

Name:   douglas.lan
Address: 192.168.25.100
Now we need to make a copy of the krb5.conf
cp -Rfa /etc/krb5.conf{,.bkp}
Now let's remove the original file
rm -rf /etc/krb5.conf
Now we need to create a symbolic link from the Samba directory
ln -sf /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf
Now we need to configure the file
vim /etc/krb5.conf
[logging]
        default = FILE:/var/log/krb5libs.log
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmind.log

[libdefaults]
        default_realm = DOUGLAS.LAN
        dns_lookup_realm = true
        dns_lookup_kdc = true
        ticket_lifetime = 24h
        forwardable = yes

[appdefaults]
        pam = {
                debug = false
                ticket_lifetime = 36000
                renew_lifetime = 36000
                forwardable = true
                krb4_convert = false
        }
Now let's try to obtain a Kerberos ticket
kinit administrator@DOUGLAS.LAN
administrator@DOUGLAS.LAN's Password:
Now let's list our ticket
klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: administrator@DOUGLAS.LAN

  Issued                Expires               Principal
Jun  4 17:48:15 2015  Jun  5 03:48:12 2015  krbtgt/DOUGLAS.LAN@DOUGLAS.LAN
Now let's test Samba authentication with the Kerberos ticket
smbclient -k //samba1.douglas.lan/sysvol -c 'ls'
Domain=[DOUGLAS] OS=[Windows 6.1] Server=[Samba 4.2.2]
  .                                   D        0  Thu Jun  4 14:27:54 2015
  ..                                  D        0  Thu Jun  4 17:18:50 2015
  douglas.lan                         D        0  Thu Jun  4 14:27:53 2015

                9653896 blocks of size 1024. 5923120 blocks available
Let's check the other share
smbclient -k //samba1.douglas.lan/netlogon -c 'ls'
Domain=[DOUGLAS] OS=[Windows 6.1] Server=[Samba 4.2.2]
  .                                   D        0  Thu Jun  4 14:27:45 2015
  ..                                  D        0  Thu Jun  4 14:27:53 2015

                9653896 blocks of size 1024. 5923088 blocks available
NOTE: If you try to access the Samba share with the Kerberos ticket using localhost rather than samba1, you will get the following error
smbclient -k //localhost/netlogon -c 'ls'
ads_krb5_mk_req: smb_krb5_get_credentials failed for cifs/localhost@DOUGLAS.LAN (Server not found in Kerberos database)
cli_session_setup_kerberos: spnego_gen_krb5_negTokenInit failed: Server not found in Kerberos database
session setup failed: NT_STATUS_UNSUCCESSFUL
As we can see, the server was not found in the Kerberos database; if we check klist
klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: administrator@DOUGLAS.LAN

  Issued                Expires               Principal
Jun  4 17:48:15 2015  Jun  5 03:48:12 2015  krbtgt/DOUGLAS.LAN@DOUGLAS.LAN
Jun  4 17:50:05 2015  Jun  5 03:48:12 2015  cifs/samba1.douglas.lan@DOUGLAS.LAN
The service principal registered in Kerberos is cifs/samba1.douglas.lan@DOUGLAS.LAN, not cifs/localhost@DOUGLAS.LAN, which is the principal the client requested when we used localhost to access the share with Kerberos. Kerberos service tickets are bound to the name the client connects to, so always use the host's DNS name.
Installing and Configuring NTP Server
Now we need to install and configure the NTP service to keep the clock accurate
Now let's install the NTP server
aptitude install ntp -y
Now we need to make a copy of ntp.conf
cp -Rfa /etc/ntp.conf{,.bkp}
Now let's change the configuration
vim /etc/ntp.conf
#/etc/ntp.conf
server 127.127.1.0
fudge 127.127.1.0 stratum 10
server a.ntp.br iburst prefer
server b.ntp.br iburst prefer
server c.ntp.br iburst prefer
driftfile /var/lib/ntp/ntp.drift
logfile /var/log/ntp
ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/
restrict default kod nomodify notrap nopeer mssntp
restrict 127.0.0.1
restrict a.ntp.br mask 255.255.255.255 nomodify notrap nopeer noquery
restrict b.ntp.br mask 255.255.255.255 nomodify notrap nopeer noquery
restrict c.ntp.br mask 255.255.255.255 nomodify notrap nopeer noquery
Now let's restart the NTP service
systemctl restart ntp
Now let's display the NTP status
ntpq -p 127.0.0.1
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 LOCAL(0)        .LOCL.          10 l  101   64    6    0.000    0.000   0.002
+a.ntp.br        200.160.7.186    2 u   29   64    5   13.397  -19.867   9.921
*b.ntp.br        200.20.186.76    2 u   26   64    7   18.728  -22.845   7.553
+c.ntp.br        200.160.7.186    2 u   30   64    7   38.183  -24.685   8.156
Now we need to change the group of the ntp_signd directory so that ntpd can reach the signing socket, as follows
chgrp ntp /usr/local/samba/var/lib/ntp_signd
Creating the Samba4 Launch Script
Now we need to create the Samba 4 launch script
vim /etc/init.d/samba
#! /bin/sh
### BEGIN INIT INFO
# Provides:          samba4
# Required-Start:    $network $local_fs $remote_fs
# Required-Stop:     $network $local_fs $remote_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: start Samba daemons
### END INIT INFO
#
# Start/stops the Samba daemon (samba).
# Adapted from the Samba 3 packages.
#

PIDDIR=/usr/local/samba/var/run
SAMBAPID=$PIDDIR/samba.pid

# clear conflicting settings from the environment
unset TMPDIR

# See if the daemon and the config file are there
test -x /usr/local/samba/sbin/samba -a -r /usr/local/samba/etc/smb.conf || exit 0

. /lib/lsb/init-functions

case "$1" in
    start)
        log_daemon_msg "Starting Samba 4 daemon" "samba"
        # Make sure we have our PIDDIR, even if it's on a tmpfs
        install -o root -g root -m 755 -d $PIDDIR

        if ! start-stop-daemon --start --quiet --oknodo --exec /usr/local/samba/sbin/samba -- -D; then
            log_end_msg 1
            exit 1
        fi
        log_end_msg 0
        ;;
    stop)
        log_daemon_msg "Stopping Samba 4 daemon" "samba"
        # Report a failure only when the processes could not be killed
        if ! /usr/bin/killall -9 samba > /dev/null 2>&1; then
            log_end_msg 1
            exit 1
        fi
        log_end_msg 0
        ;;
    restart|force-reload)
        $0 stop
        sleep 1
        $0 start
        ;;
    *)
        echo "Usage: /etc/init.d/samba {start|stop|restart|force-reload}"
        exit 1
        ;;
esac

exit 0
Now we need to change the permissions
chmod +x /etc/init.d/samba
Now we need to enable it at boot time
insserv -f -v samba
Now let's stop the samba service to run a test with our new script
killall samba
Now let's start the Samba service to test
/etc/init.d/samba start
[ ok ] Starting samba (via systemctl): samba.service.
Now let's show the Samba processes
ps aux | egrep samba
root       942  1.2  2.5 524780 51576 ?        Ss   19:18   0:00 /usr/local/samba/sbin/samba -D
root       960  0.0  1.6 524780 34480 ?        S    19:18   0:00 /usr/local/samba/sbin/samba -D
root       961  0.0  1.7 524780 36588 ?        S    19:18   0:00 /usr/local/samba/sbin/samba -D
root       962  1.3  2.7 484652 56492 ?        Ss   19:18   0:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
root       963  0.0  1.8 524780 38596 ?        S    19:18   0:00 /usr/local/samba/sbin/samba -D
root       964  0.0  1.6 524780 34480 ?        S    19:18   0:00 /usr/local/samba/sbin/samba -D
root       965  0.1  1.9 524780 40276 ?        S    19:18   0:00 /usr/local/samba/sbin/samba -D
root       966  0.0  1.7 524780 36040 ?        S    19:18   0:00 /usr/local/samba/sbin/samba -D
root       967  0.0  2.1 531048 43432 ?        S    19:18   0:00 /usr/local/samba/sbin/samba -D
root       968  0.1  1.8 524780 37868 ?        S    19:18   0:00 /usr/local/samba/sbin/samba -D
root       969  0.0  1.8 527608 37516 ?        S    19:18   0:00 /usr/local/samba/sbin/samba -D
root       970  0.0  1.6 524780 34484 ?        S    19:18   0:00 /usr/local/samba/sbin/samba -D
root       971  0.5  2.2 524920 45356 ?        S    19:18   0:00 /usr/local/samba/sbin/samba -D
root       972  0.0  1.7 524780 36000 ?        S    19:18   0:00 /usr/local/samba/sbin/samba -D
root       977  0.0  0.1  12968  2368 pts/0    S+   19:18   0:00 grep -E --color=auto samba
As we can see, everything is OK so far.
Let's check the shares
smbclient -L localhost -U%
Domain=[DOUGLAS] OS=[Windows 6.1] Server=[Samba 4.2.2]

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk
        sysvol          Disk
        IPC$            IPC       IPC Service (Samba 4.2.2)
Domain=[DOUGLAS] OS=[Windows 6.1] Server=[Samba 4.2.2]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
Now let's check with an authenticated account
smbclient -L //localhost/netlogon -UAdministrator%'smb@134*' -c 'ls'
Domain=[DOUGLAS] OS=[Windows 6.1] Server=[Samba 4.2.2]

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk
        sysvol          Disk
        IPC$            IPC       IPC Service (Samba 4.2.2)
Domain=[DOUGLAS] OS=[Windows 6.1] Server=[Samba 4.2.2]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
Testing Bind_DLZ and Kerberos
Now we need to create some symbolic links so that winbind works properly; on a 32-bit system proceed as follows
ln -s /usr/local/samba/lib/libnss_winbind.so /usr/lib/libnss_winbind.so
ln -s /usr/local/samba/lib/libnss_winbind.so.2 /usr/lib/libnss_winbind.so.2
ldconfig
On a 64-bit system create the links as follows
ln -s /usr/local/samba/lib/libnss_winbind.so.2 /usr/lib/x86_64-linux-gnu/libnss_winbind.so
ln -s /usr/lib/x86_64-linux-gnu/libnss_winbind.so /usr/lib/x86_64-linux-gnu/libnss_winbind.so.2
ldconfig
Now we need to configure nsswitch.conf
vim /etc/nsswitch.conf
[...]
passwd:         compat winbind
[...]
group:          compat winbind
Samba 4 is working properly so far.
If you need the RSAT (Admin Pack), get it from the following links:
- http://www.microsoft.com/en-us/download/details.aspx?id=6315 (Windows XP/Server 2003)
Let's run a test with winbind
wbinfo -t
checking the trust secret for domain DOUGLAS via RPC calls succeeded
Let's display the groups in the Samba 4 database
wbinfo -g
Enterprise Read-Only Domain Controllers
Domain Admins
Domain Users
Domain Guests
Domain Computers
Domain Controllers
Schema Admins
Enterprise Admins
Group Policy Creator Owners
Read-Only Domain Controllers
DnsUpdateProxy
Let's display the users
wbinfo -u
Administrator
Guest
krbtgt
dns-samba1
Now we need to check the DNS updates; let's run a test
samba_dnsupdate --verbose
IPs: ['192.168.25.100']
Looking for DNS entry A samba1.douglas.lan 192.168.25.100 as samba1.douglas.lan.
Looking for DNS entry A douglas.lan 192.168.25.100 as douglas.lan.
Looking for DNS entry SRV _ldap._tcp.douglas.lan samba1.douglas.lan 389 as _ldap._tcp.douglas.lan.
Checking 0 100 389 samba1.douglas.lan. against SRV _ldap._tcp.douglas.lan samba1.douglas.lan 389
Looking for DNS entry SRV _ldap._tcp.dc._msdcs.douglas.lan samba1.douglas.lan 389 as _ldap._tcp.dc._msdcs.douglas.lan.
Checking 0 100 389 samba1.douglas.lan. against SRV _ldap._tcp.dc._msdcs.douglas.lan samba1.douglas.lan 389
Looking for DNS entry SRV _ldap._tcp.9eac9ae0-2e73-4c8c-b78e-9554cb9eadee.domains._msdcs.douglas.lan samba1.douglas.lan 389 as _ldap._tcp.9eac9ae0-2e73-4c8c-b78e-9554cb9eadee.domains._msdcs.douglas.lan.
Checking 0 100 389 samba1.douglas.lan. against SRV _ldap._tcp.9eac9ae0-2e73-4c8c-b78e-9554cb9eadee.domains._msdcs.douglas.lan samba1.douglas.lan 389
Looking for DNS entry SRV _kerberos._tcp.douglas.lan samba1.douglas.lan 88 as _kerberos._tcp.douglas.lan.
Checking 0 100 88 samba1.douglas.lan. against SRV _kerberos._tcp.douglas.lan samba1.douglas.lan 88
Looking for DNS entry SRV _kerberos._udp.douglas.lan samba1.douglas.lan 88 as _kerberos._udp.douglas.lan.
Checking 0 100 88 samba1.douglas.lan. against SRV _kerberos._udp.douglas.lan samba1.douglas.lan 88
Looking for DNS entry SRV _kerberos._tcp.dc._msdcs.douglas.lan samba1.douglas.lan 88 as _kerberos._tcp.dc._msdcs.douglas.lan.
Checking 0 100 88 samba1.douglas.lan. against SRV _kerberos._tcp.dc._msdcs.douglas.lan samba1.douglas.lan 88
Looking for DNS entry SRV _kpasswd._tcp.douglas.lan samba1.douglas.lan 464 as _kpasswd._tcp.douglas.lan.
Checking 0 100 464 samba1.douglas.lan. against SRV _kpasswd._tcp.douglas.lan samba1.douglas.lan 464
Looking for DNS entry SRV _kpasswd._udp.douglas.lan samba1.douglas.lan 464 as _kpasswd._udp.douglas.lan.
Checking 0 100 464 samba1.douglas.lan. against SRV _kpasswd._udp.douglas.lan samba1.douglas.lan 464
Looking for DNS entry CNAME d6a2ff47-5541-4197-b729-3fb4b82e5b42._msdcs.douglas.lan samba1.douglas.lan as d6a2ff47-5541-4197-b729-3fb4b82e5b42._msdcs.douglas.lan.
Looking for DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.douglas.lan samba1.douglas.lan 389 as _ldap._tcp.Default-First-Site-Name._sites.douglas.lan.
Checking 0 100 389 samba1.douglas.lan. against SRV _ldap._tcp.Default-First-Site-Name._sites.douglas.lan samba1.douglas.lan 389
Looking for DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.douglas.lan samba1.douglas.lan 389 as _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.douglas.lan.
Checking 0 100 389 samba1.douglas.lan. against SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.douglas.lan samba1.douglas.lan 389
Looking for DNS entry SRV _kerberos._tcp.Default-First-Site-Name._sites.douglas.lan samba1.douglas.lan 88 as _kerberos._tcp.Default-First-Site-Name._sites.douglas.lan.
Checking 0 100 88 samba1.douglas.lan. against SRV _kerberos._tcp.Default-First-Site-Name._sites.douglas.lan samba1.douglas.lan 88
Looking for DNS entry SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.douglas.lan samba1.douglas.lan 88 as _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.douglas.lan.
Checking 0 100 88 samba1.douglas.lan. against SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.douglas.lan samba1.douglas.lan 88
Looking for DNS entry SRV _ldap._tcp.pdc._msdcs.douglas.lan samba1.douglas.lan 389 as _ldap._tcp.pdc._msdcs.douglas.lan.
Checking 0 100 389 samba1.douglas.lan. against SRV _ldap._tcp.pdc._msdcs.douglas.lan samba1.douglas.lan 389
Looking for DNS entry A gc._msdcs.douglas.lan 192.168.25.100 as gc._msdcs.douglas.lan.
Looking for DNS entry SRV _gc._tcp.douglas.lan samba1.douglas.lan 3268 as _gc._tcp.douglas.lan.
Checking 0 100 3268 samba1.douglas.lan. against SRV _gc._tcp.douglas.lan samba1.douglas.lan 3268
Looking for DNS entry SRV _ld?._tcp.gc._msdcs.douglas.lan samba1.douglas.lan 3268 as _ldap._tcp.gc._msdcs.douglas.lan.
Checking 0 100 3268 samba1.douglas.lan. against SRV _ldap._tcp.gc._msdcs.douglas.lan samba1.douglas.lan 3268
Looking for DNS entry SRV _gc._tcp.Default-First-Site-Name._sites.douglas.lan samba1.douglas.lan 3268 as _gc._tcp.Default-First-Site-Name._sites.douglas.lan.
Checking 0 100 3268 samba1.douglas.lan. against SRV _gc._tcp.Default-First-Site-Name._sites.douglas.lan samba1.douglas.lan 3268
Looking for DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.douglas.lan samba1.douglas.lan 3268 as _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.douglas.lan.
Checking 0 100 3268 samba1.douglas.lan. against SRV _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.douglas.lan samba1.douglas.lan 3268
Looking for DNS entry A DomainDnsZones.douglas.lan 192.168.25.100 as DomainDnsZones.douglas.lan.
Looking for DNS entry SRV _ldap._tcp.DomainDnsZones.douglas.lan samba1.douglas.lan 389 as _ldap._tcp.DomainDnsZones.douglas.lan.
Checking 0 100 389 samba1.douglas.lan. against SRV _ldap._tcp.DomainDnsZones.douglas.lan samba1.douglas.lan 389
Looking for DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.douglas.lan samba1.douglas.lan 389 as _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.douglas.lan.
Checking 0 100 389 samba1.douglas.lan. against SRV _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.douglas.lan samba1.douglas.lan 389
Looking for DNS entry A ForestDnsZones.douglas.lan 192.168.25.100 as ForestDnsZones.douglas.lan.
Looking for DNS entry SRV _ldap._tcp.ForestDnsZones.douglas.lan samba1.douglas.lan 389 as _ldap._tcp.ForestDnsZones.douglas.lan.
Checking 0 100 389 samba1.douglas.lan.
against SRV _ldap._tcp.ForestDnsZones.douglas.lan samba1.douglas.lan 389 Looking for DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.douglas.lan samba1.douglas.lan 389 as _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.douglas.lan. Checking 0 100 389 samba1.douglas.lan. against SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.douglas.lan samba1.douglas.lan 389 No DNS updates needed
Now let's create a reverse zone. (Passing --password on the command line leaves the domain administrator's password in the shell history and visible in ps while the command runs; if you leave it out, samba-tool prompts for it.)
samba-tool dns zonecreate douglas.lan 25.168.192.in-addr.arpa -UAdministrator --password=smb@134*
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INVALID_PARAMETER
Zone 25.168.192.in-addr.arpa created successfully
Note: I'm trying to discover how to fix the (SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INVALID_PARAMETER) message, but so far I have no answer yet; I've sent an email to Andrew Tridge of the Samba project and as soon as he answers me I'm going to post the fix.
Now let's create the reverse DNS record for samba1:
samba-tool dns add samba1 25.168.192.in-addr.arpa 100 PTR samba1.douglas.lan -Uadministrator --password=smb@134*
Record added successfully
Now let's check the reverse lookup:
dig -x 192.168.25.100

; <<>> DiG 9.9.5-9-Debian <<>> -x 192.168.25.100
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1108
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;100.25.168.192.in-addr.arpa.   IN      PTR

;; ANSWER SECTION:
100.25.168.192.in-addr.arpa. 900 IN     PTR     samba1.douglas.lan.

;; AUTHORITY SECTION:
25.168.192.in-addr.arpa. 3600   IN      NS      samba1.douglas.lan.

;; ADDITIONAL SECTION:
samba1.douglas.lan.     900     IN      A       192.168.25.100

;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jun 04 19:40:48 BRT 2015
;; MSG SIZE  rcvd: 118
We can run the same test with host as well:
host 192.168.25.100
100.25.168.192.in-addr.arpa domain name pointer samba1.douglas.lan.
Now let's push all the records again to make sure everything is registered as needed:
samba_dnsupdate --verbose --all-names
IPs: ['192.168.25.100']
Calling nsupdate for A samba1.douglas.lan 192.168.25.100 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
samba1.douglas.lan. 900 IN A 192.168.25.100

Calling nsupdate for A douglas.lan 192.168.25.100 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
douglas.lan. 900 IN A 192.168.25.100

Calling nsupdate for SRV _ldap._tcp.douglas.lan samba1.douglas.lan 389 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.douglas.lan. 900 IN SRV 0 100 389 samba1.douglas.lan.

Calling nsupdate for SRV _ldap._tcp.dc._msdcs.douglas.lan samba1.douglas.lan 389 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.dc._msdcs.douglas.lan. 900 IN SRV 0 100 389 samba1.douglas.lan.

Calling nsupdate for SRV _ldap._tcp.9eac9ae0-2e73-4c8c-b78e-9554cb9eadee.domains._msdcs.douglas.lan samba1.douglas.lan 389 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.9eac9ae0-2e73-4c8c-b78e-9554cb9eadee.domains._msdcs.douglas.lan. 900 IN SRV 0 100 389 samba1.douglas.lan.

Calling nsupdate for SRV _kerberos._tcp.douglas.lan samba1.douglas.lan 88 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.douglas.lan. 900 IN SRV 0 100 88 samba1.douglas.lan.

Calling nsupdate for SRV _kerberos._udp.douglas.lan samba1.douglas.lan 88 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._udp.douglas.lan. 900 IN SRV 0 100 88 samba1.douglas.lan.

Calling nsupdate for SRV _kerberos._tcp.dc._msdcs.douglas.lan samba1.douglas.lan 88 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.dc._msdcs.douglas.lan. 900 IN SRV 0 100 88 samba1.douglas.lan.

Calling nsupdate for SRV _kpasswd._tcp.douglas.lan samba1.douglas.lan 464 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kpasswd._tcp.douglas.lan. 900 IN SRV 0 100 464 samba1.douglas.lan.

Calling nsupdate for SRV _kpasswd._udp.douglas.lan samba1.douglas.lan 464 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kpasswd._udp.douglas.lan. 900 IN SRV 0 100 464 samba1.douglas.lan.

Calling nsupdate for CNAME d6a2ff47-5541-4197-b729-3fb4b82e5b42._msdcs.douglas.lan samba1.douglas.lan (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
d6a2ff47-5541-4197-b729-3fb4b82e5b42._msdcs.douglas.lan. 900 IN CNAME samba1.douglas.lan.

Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.douglas.lan samba1.douglas.lan 389 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.douglas.lan. 900 IN SRV 0 100 389 samba1.douglas.lan.

Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.douglas.lan samba1.douglas.lan 389 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.douglas.lan. 900 IN SRV 0 100 389 samba1.douglas.lan.

Calling nsupdate for SRV _kerberos._tcp.Default-First-Site-Name._sites.douglas.lan samba1.douglas.lan 88 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.Default-First-Site-Name._sites.douglas.lan. 900 IN SRV 0 100 88 samba1.douglas.lan.

Calling nsupdate for SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.douglas.lan samba1.douglas.lan 88 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.douglas.lan. 900 IN SRV 0 100 88 samba1.douglas.lan.

Calling nsupdate for SRV _ldap._tcp.pdc._msdcs.douglas.lan samba1.douglas.lan 389 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.pdc._msdcs.douglas.lan. 900 IN SRV 0 100 389 samba1.douglas.lan.

Calling nsupdate for A gc._msdcs.douglas.lan 192.168.25.100 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
gc._msdcs.douglas.lan. 900 IN A 192.168.25.100

Calling nsupdate for SRV _gc._tcp.douglas.lan samba1.douglas.lan 3268 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_gc._tcp.douglas.lan. 900 IN SRV 0 100 3268 samba1.douglas.lan.

Calling nsupdate for SRV _ldap._tcp.gc._msdcs.douglas.lan samba1.douglas.lan 3268 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.gc._msdcs.douglas.lan. 900 IN SRV 0 100 3268 samba1.douglas.lan.

Calling nsupdate for SRV _gc._tcp.Default-First-Site-Name._sites.douglas.lan samba1.douglas.lan 3268 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_gc._tcp.Default-First-Site-Name._sites.douglas.lan. 900 IN SRV 0 100 3268 samba1.douglas.lan.

Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.douglas.lan samba1.douglas.lan 3268 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.douglas.lan. 900 IN SRV 0 100 3268 samba1.douglas.lan.

Calling nsupdate for A DomainDnsZones.douglas.lan 192.168.25.100 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
DomainDnsZones.douglas.lan. 900 IN A 192.168.25.100

Calling nsupdate for SRV _ldap._tcp.DomainDnsZones.douglas.lan samba1.douglas.lan 389 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.DomainDnsZones.douglas.lan. 900 IN SRV 0 100 389 samba1.douglas.lan.

Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.douglas.lan samba1.douglas.lan 389 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.douglas.lan. 900 IN SRV 0 100 389 samba1.douglas.lan.

Calling nsupdate for A ForestDnsZones.douglas.lan 192.168.25.100 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
ForestDnsZones.douglas.lan. 900 IN A 192.168.25.100

Calling nsupdate for SRV _ldap._tcp.ForestDnsZones.douglas.lan samba1.douglas.lan 389 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.ForestDnsZones.douglas.lan. 900 IN SRV 0 100 389 samba1.douglas.lan.

Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.douglas.lan samba1.douglas.lan 389 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.douglas.lan. 900 IN SRV 0 100 389 samba1.douglas.lan.
Now let's test the SRV records.
Let's look up the LDAP service:
host -t SRV _ldap._tcp.douglas.lan.
_ldap._tcp.douglas.lan has SRV record 0 100 389 samba1.douglas.lan.
Let's look up the Kerberos service:
host -t SRV _kerberos._udp.douglas.lan.
_kerberos._udp.douglas.lan has SRV record 0 100 88 samba1.douglas.lan.
Let's look up the A record of samba1:
host -t A samba1.douglas.lan
samba1.douglas.lan has address 192.168.25.100
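The lookups above cover three records by hand; a DC publishes a couple of dozen, and a client that cannot find one of them (most often a _kerberos or _ldap._tcp.dc._msdcs entry) fails in confusing ways. The script below is an added example of mine, not code from the original page or from the Samba project: it parses host(1) output for the locator records listed in the samba_dnsupdate run above and reports which ones are missing for a given DC. The record list, the default resolver of 127.0.0.1 and the PASS/FAIL format are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original page or the Samba project): check the
# locator records a Samba AD DC must publish, instead of running host(1) by
# hand for each one. Assumed: the resolver to query defaults to 127.0.0.1 and
# the record list below mirrors what samba_dnsupdate registered above.

# Service records every DC must have, as "<name relative to the domain>:<port>".
DC_SRV_RECORDS="_ldap._tcp:389 _ldap._tcp.dc._msdcs:389 _ldap._tcp.pdc._msdcs:389
_kerberos._tcp:88 _kerberos._udp:88 _kerberos._tcp.dc._msdcs:88
_kpasswd._tcp:464 _kpasswd._udp:464 _gc._tcp:3268 _ldap._tcp.gc._msdcs:3268"

# srv_line_ok LINE PORT TARGET
# True when one line of "host -t SRV" output names TARGET on PORT, e.g.
# "_ldap._tcp.douglas.lan has SRV record 0 100 389 samba1.douglas.lan."
srv_line_ok() {
    want_port=$2; want_target=$3
    set -- $1                       # split the line into words
    [ $# -eq 8 ] && [ "$3" = SRV ] || return 1
    [ "$7" = "$want_port" ] && [ "${8%.}" = "$want_target" ]
}

# srv_output_ok PORT TARGET   (reads host(1) output on stdin)
# A domain with several DCs answers with one line per DC; we only need ours
# to be among them. Non-record lines ("Using domain server:") are skipped.
srv_output_ok() {
    while IFS= read -r line; do
        srv_line_ok "$line" "$1" "$2" && return 0
    done
    return 1
}

# a_line_ok LINE IP: "samba1.douglas.lan has address 192.168.25.100"
a_line_ok() {
    want_ip=$2
    set -- $1
    [ $# -eq 4 ] && [ "$2 $3" = "has address" ] && [ "$4" = "$want_ip" ]
}

# ptr_line_ok LINE FQDN:
# "100.25.168.192.in-addr.arpa domain name pointer samba1.douglas.lan."
ptr_line_ok() {
    want=$2
    set -- $1
    [ $# -eq 5 ] && [ "$4" = pointer ] && [ "${5%.}" = "$want" ]
}

# check_dc_records DOMAIN DC_FQDN DC_IP [RESOLVER]
# Queries every record, prints one PASS/FAIL line each, and returns the number
# of failures (0 means the DC is fully registered, forward and reverse).
check_dc_records() {
    domain=$1; dc=$2; ip=$3; resolver=${4:-127.0.0.1}; failed=0
    for spec in $DC_SRV_RECORDS; do
        name="${spec%:*}.$domain"; port=${spec#*:}
        if host -t SRV "$name." "$resolver" 2>/dev/null | srv_output_ok "$port" "$dc"; then
            echo "PASS SRV $name -> $dc:$port"
        else
            echo "FAIL SRV $name -> $dc:$port"; failed=$((failed + 1))
        fi
    done
    line=$(host -t A "$dc." "$resolver" 2>/dev/null | grep 'has address' | head -n 1)
    if a_line_ok "$line" "$ip"; then echo "PASS A $dc -> $ip"
    else echo "FAIL A $dc -> $ip"; failed=$((failed + 1)); fi
    line=$(host "$ip" "$resolver" 2>/dev/null | grep 'domain name pointer' | head -n 1)
    if ptr_line_ok "$line" "$dc"; then echo "PASS PTR $ip -> $dc"
    else echo "FAIL PTR $ip -> $dc"; failed=$((failed + 1)); fi
    return $failed
}

# Usage: sh check_dc_dns.sh run douglas.lan samba1.douglas.lan 192.168.25.100 [resolver]
if [ "${1:-}" = run ]; then
    check_dc_records "$2" "$3" "$4" "${5:-127.0.0.1}"
fi
```

Run it once against the DC itself and once from a client using the client's normal resolver; a PASS on the first and a FAIL on the second means the records exist but the client is not asking the DC for them, which is the usual cause of Kerberos "cannot find KDC" errors on the workstations.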
Let's display the principals in the keytab (each principal appears once per encryption type its key was generated for):
klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 DNS/samba1.douglas.lan@DOUGLAS.LAN
   1 dns-samba1@DOUGLAS.LAN
   1 DNS/samba1.douglas.lan@DOUGLAS.LAN
   1 dns-samba1@DOUGLAS.LAN
   1 DNS/samba1.douglas.lan@DOUGLAS.LAN
   1 dns-samba1@DOUGLAS.LAN
   1 DNS/samba1.douglas.lan@DOUGLAS.LAN
   1 dns-samba1@DOUGLAS.LAN
   1 DNS/samba1.douglas.lan@DOUGLAS.LAN
   1 dns-samba1@DOUGLAS.LAN
PAM Configuration
Now we need to configure PAM. Here I'll allow only users from the group it-admin to log in on the PDC; the group it-admin must be created in Samba and its members need a valid login shell.
Now we need to create a symbolic link from the Samba security directory to the system's default PAM module directory. I'm using a 64-bit system, which is why the target is /lib/x86_64-linux-gnu; on another architecture use the corresponding directory. If you don't know where the other PAM modules are stored, search for "pam_umask.so" and put the symbolic link there.
ln -sf /usr/local/samba/lib/security/pam_winbind.so /lib/x86_64-linux-gnu/security/pam_winbind.so
Now we need to configure the files. Two things to keep in mind: pam-auth-update regenerates the common-* files whenever it runs (for example when a package that ships a PAM profile is installed), so keep a copy of these changes; and pam_winbind is listed as sufficient, so a successful domain login ends the stack there, while local accounts fall through to pam_krb5 and pam_unix.
Let's start by configuring common-auth, which controls authentication settings common to all services:
vim /etc/pam.d/common-auth
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
auth    sufficient                      pam_winbind.so
auth    [success=2 default=ignore]      pam_krb5.so minimum_uid=1000
auth    [success=1 default=ignore]      pam_unix.so nullok_secure try_first_pass
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
Let's configure common-account, which controls authorization settings common to all services:
vim /etc/pam.d/common-account
#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system.  The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.
#

# here are the per-package modules (the "Primary" block)
account sufficient                                      pam_winbind.so
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
# here's the fallback if no module succeeds
account requisite                                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required                                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
account required                                        pam_krb5.so minimum_uid=1000
# end of pam-auth-update config
Let's configure common-session, which controls the session-related modules common to all services:
vim /etc/pam.d/common-session
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
session required        pam_mkhomedir.so skel=/etc/skel umask=0027
session required        pam_winbind.so
session [default=1]     pam_permit.so
# here's the fallback if no module succeeds
session requisite       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required        pam_permit.so
# and here are more per-package modules (the "Additional" block)
session optional        pam_krb5.so minimum_uid=1000
session required        pam_unix.so
# end of pam-auth-update config
Let's configure sshd, which controls the PAM configuration for the Secure Shell service. The two pam_succeed_if lines sit before the @include common-account: members of root pass the account phase immediately, and because the it-admin check is requisite, anyone who is in neither group is rejected at that point even after a correct password.
vim /etc/pam.d/sshd
# PAM configuration for the Secure Shell service

# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
auth       required     pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
auth       required     pam_env.so envfile=/etc/default/locale

# Standard Un*x authentication.
@include common-auth

# Disallow non-root logins when /etc/nologin exists.
account    required     pam_nologin.so

#Allow connection from those groups
account    sufficient   pam_succeed_if.so user ingroup root
account    requisite    pam_succeed_if.so user ingroup it-admin

# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account  required     pam_access.so

# Standard Un*x authorization.
@include common-account

# Standard Un*x session setup and teardown.
@include common-session

# Print the message of the day upon successful login.
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session    optional     pam_motd.so  motd=/run/motd.dynamic noupdate
session    optional     pam_motd.so # [1]

# Print the status of the user's mailbox upon successful login.
session    optional     pam_mail.so standard noenv # [1]

# Set up user limits from /etc/security/limits.conf.
session    required     pam_limits.so

# Set up SELinux capabilities (need modified pam)
# session  required     pam_selinux.so multiple

# Standard Un*x password updating.
@include common-password
Let's configure login, which controls the PAM configuration for the shadow 'login' service (console logins); the same two pam_succeed_if lines are added here:
vim /etc/pam.d/login
#
# The PAM configuration file for the Shadow `login' service
#

# Enforce a minimal delay in case of failure (in microseconds).
# (Replaces the `FAIL_DELAY' setting from login.defs)
# Note that other modules may require another minimal delay. (for example,
# to disable any delay, you should add the nodelay option to pam_unix)
auth       optional   pam_faildelay.so  delay=3000000

# Outputs an issue file prior to each login prompt (Replaces the
# ISSUE_FILE option from login.defs). Uncomment for use
# auth       required   pam_issue.so issue=/etc/issue

# Disallows root logins except on tty's listed in /etc/securetty
# (Replaces the `CONSOLE' setting from login.defs)
#
# With the default control of this module:
#   [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die]
# root will not be prompted for a password on insecure lines.
# if an invalid username is entered, a password is prompted (but login
# will eventually be rejected)
#
# You can change it to a "requisite" module if you think root may mis-type
# her login and should not be prompted for a password in that case. But
# this will leave the system as vulnerable to user enumeration attacks.
#
# You can change it to a "required" module if you think it permits to
# guess valid user names of your system (invalid user names are considered
# as possibly being root on insecure lines), but root passwords may be
# communicated over insecure lines.
auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so

# Disallows other than root logins when /etc/nologin exists
# (Replaces the `NOLOGINS_FILE' option from login.defs)
auth       requisite  pam_nologin.so

#Allow connection from those groups
account    sufficient pam_succeed_if.so user ingroup root
account    requisite  pam_succeed_if.so user ingroup it-admin

# SELinux needs to be the first session rule. This ensures that any
# lingering context has been cleared. Without this it is possible
# that a module could execute code in the wrong domain.
# When the module is present, "required" would be sufficient (When SELinux
# is disabled, this returns success.)
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close

# This module parses environment configuration file(s)
# and also allows you to use an extended config
# file /etc/security/pam_env.conf.
#
# parsing /etc/environment needs "readenv=1"
session       required   pam_env.so readenv=1
# locale variables are also kept into /etc/default/locale in etch
# reading this file *in addition to /etc/environment* does not hurt
session       required   pam_env.so readenv=1 envfile=/etc/default/locale

# Standard Un*x authentication.
@include common-auth

# This allows certain extra groups to be granted to a user
# based on things like time of day, tty, service, and user.
# Please edit /etc/security/group.conf to fit your needs
# (Replaces the `CONSOLE_GROUPS' option in login.defs)
auth       optional   pam_group.so

# Uncomment and edit /etc/security/time.conf if you need to set
# time restrainst on logins.
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
# as well as /etc/porttime)
# account    requisite  pam_time.so

# Uncomment and edit /etc/security/access.conf if you need to
# set access limits.
# (Replaces /etc/login.access file)
# account  required       pam_access.so

# Sets up user limits according to /etc/security/limits.conf
# (Replaces the use of /etc/limits in old login)
session    required   pam_limits.so

# Prints the last login info upon successful login
# (Replaces the `LASTLOG_ENAB' option from login.defs)
session    optional   pam_lastlog.so

# Prints the message of the day upon successful login.
# (Replaces the `MOTD_FILE' option in login.defs)
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session    optional   pam_motd.so  motd=/run/motd.dynamic
session    optional   pam_motd.so

# Prints the status of the user's mailbox upon successful login
# (Replaces the `MAIL_CHECK_ENAB' option from login.defs).
#
# This also defines the MAIL environment variable
# However, userdel also needs MAIL_DIR and MAIL_FILE variables
# in /etc/login.defs to make sure that removing a user
# also removes the user's mail spool file.
# See comments in /etc/login.defs
session    optional   pam_mail.so standard

# Standard Un*x account and session
@include common-account
@include common-session
@include common-password

# SELinux needs to intervene at login time to ensure that the process
# starts in the proper default security context. Only sessions which are
# intended to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
# When the module is present, "required" would be sufficient (When SELinux
# is disabled, this returns success.)
Now let's configure sudo so that the it-admin group can work as root. The group name is quoted because it contains the winbind separator backslash, which sudoers would otherwise treat as an escape; visudo validates the file before saving it.
visudo
[...]
"%DOUGLAS\it-admin" ALL=(ALL) ALL
Now let's create the it-admin group:
samba-tool group add it-admin --group-scope=Global --group-type=Security --description="IT Administration"
Added group it-admin
Now we can list all the groups like this:
samba-tool group list
Allowed RODC Password Replication Group
Enterprise Read-Only Domain Controllers
Denied RODC Password Replication Group
Pre-Windows 2000 Compatible Access
Windows Authorization Access Group
Certificate Service DCOM Access
Network Configuration Operators
Terminal Server License Servers
Incoming Forest Trust Builders
Read-Only Domain Controllers
Group Policy Creator Owners
Performance Monitor Users
Cryptographic Operators
Distributed COM Users
Performance Log Users
Remote Desktop Users
Account Operators
Event Log Readers
RAS and IAS Servers
Backup Operators
Domain Controllers
Server Operators
Enterprise Admins
Print Operators
Administrators
Domain Computers
Cert Publishers
DnsUpdateProxy
Domain Admins
Domain Guests
Schema Admins
Domain Users
Replicator
IIS_IUSRS
DnsAdmins
Guests
it-admin
Users
Now we need to create a new user to put into it-admin. (As with samba-tool dns above, giving the password as an argument records it in the shell history; if you omit it, samba-tool prompts for it, and --random-password generates one.)
samba-tool user create douglas.q.santos smb@134*
User 'douglas.q.santos' created successfully
Now let's add the user douglas.q.santos to the group it-admin:
samba-tool group addmembers it-admin douglas.q.santos
Added members to group it-admin
Now we can list the members of it-admin:
samba-tool group listmembers it-admin
douglas.q.santos
Everything is working as needed so far.
Now we need to reboot the server to reload all the new configuration:
reboot
After the reboot we can try to log in as douglas.q.santos, or log in as root and switch to that user as follows:
root@samba1:~# su - douglas.q.santos
Creating directory '/home/DOUGLAS/douglas.q.santos'.
mesg: /dev/pts/0: Operation not permitted
DOUGLAS\douglas.q.santos@samba1:~$
Now let's go back to the root user and check the winbind connection to the domain:
wbinfo -t
checking the trust secret for domain DOUGLAS via RPC calls succeeded
Let's list the users from Samba:
wbinfo -u
Administrator
Guest
krbtgt
dns-samba1
douglas.q.santos
Now let's try to log in to the server via SSH:
ssh douglas.q.santos@192.168.25.100 -p 22
douglas.q.santos@192.168.25.100's password:

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
DOUGLAS\douglas.q.santos@samba1:~$
Now let's test sudo:
DOUGLAS\douglas.q.santos@samba1:~$ sudo -i

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for DOUGLAS\douglas.q.santos:
root@samba1:~#
Now let's check the auth.log file, which shows the pam_succeed_if group checks, the pam_winbind account decision and the sudo invocation:
tail -f /var/log/auth.log
Jun  7 11:33:39 samba1 sshd[1426]: pam_succeed_if(sshd:account): requirement "user ingroup sudo" not met by user "DOUGLAS\douglas.q.santos"
Jun  7 11:33:39 samba1 sshd[1426]: pam_succeed_if(sshd:account): requirement "user ingroup it-admin" was met by user "DOUGLAS\douglas.q.santos"
Jun  7 11:33:39 samba1 sshd[1426]: pam_winbind(sshd:account): user 'DOUGLAS\douglas.q.santos' granted access
Jun  7 11:33:39 samba1 sshd[1426]: Accepted password for douglas.q.santos from 192.168.25.254 port 50681 ssh2
Jun  7 11:33:39 samba1 sshd[1426]: pam_unix(sshd:session): session opened for user DOUGLAS\douglas.q.santos by (uid=0)
Jun  7 11:33:44 samba1 sudo: DOUGLAS\douglas.q.santos : TTY=pts/1 ; PWD=/home/DOUGLAS/douglas.q.santos ; USER=root ; COMMAND=/bin/su -
Jun  7 11:33:44 samba1 su[1436]: pam_winbind(su:account): valid_user: wbcGetpwnam gave WBC_ERR_DOMAIN_NOT_FOUND
Jun  7 11:33:44 samba1 su[1436]: Successful su for root by root
Jun  7 11:33:44 samba1 su[1436]: + /dev/pts/1 root:root
Jun  7 11:33:44 samba1 su[1436]: pam_unix(su:session): session opened for user root by DOUGLAS\douglas.q.santos(uid=0)
Everything is ok so far.
Samba 4 Backup
The backup script is not installed by make install, so we need to copy it to a directory such as /usr/sbin.
Here I'll assume the Samba sources are in /usr/src/samba-4.2.2.
Let's copy the script
cp /usr/src/samba-4.2.2/source4/scripting/bin/samba_backup /usr/sbin
Now we need to change the permissions
chown root:root /usr/sbin/samba_backup
chmod 750 /usr/sbin/samba_backup
Now we need to adjust some variables in the script
vim /usr/sbin/samba_backup
[...]
FROMWHERE=/usr/local/samba
WHERE=/usr/local/backups
[...]
DAYS=15
Above we have:
- FROMWHERE → Where samba was installed
- WHERE → The location where the script will store the backup
- DAYS → The number of days we need to keep the backups
Now we need to create the directory that will store the backups
mkdir /usr/local/backups
Now let's restrict the permissions of the directory. The samba4_private archive contains sam.ldb and secrets.ldb, that is every password hash in the domain plus the Kerberos and machine account keys, so anyone who can read these backups owns the domain: keep the directory root-only and give any off-host copy the same protection as the DC itself.
chmod 750 /usr/local/backups
Now we can run the script
/usr/sbin/samba_backup
After the script finishes we will get something like below.
ls -l /usr/local/backups
total 12164
-rw-r--r-- 1 root staff     1310 Jun 11 10:35 etc.2015-06-11.tar.bz2
-rw-r--r-- 1 root staff 12447369 Jun 11 10:35 samba4_private.2015-06-11.tar.bz2
-rw-r--r-- 1 root staff      546 Jun 11 10:35 sysvol.2015-06-11.tar.bz2
If the script runs without any error, there will be 3 files:
- etc.{Timestamp}.tar.bz2
- samba4_private.{Timestamp}.tar.bz2
- sysvol.{Timestamp}.tar.bz2
Note that the archives themselves are created mode 644; only the 750 directory keeps other users away from them, so do not relax it.
We can schedule the script to run every day at 2 A.M. like below.
crontab -e
0 2 * * * /usr/sbin/samba_backup
Now the samba backup is scheduled.
Samba 4 Restore
Note:
- Back up and restore with the same Samba version, in other words from 4.2.2 to 4.2.2.
- The restore must be executed on a machine with the same hostname and IP address as the one the backup was created on.
- It is best practice to always restore a backup on the same OS, e.g. from Debian to Debian (I tried to back up from CentOS and restore on Debian and it did not work).
- After the restore, always test all shares, permissions and so on to make sure everything works before putting the server back into production.
- If the system crashed, the first thing to do is rebuild the whole Samba server (same version, name and IP) and only then restore the backup, observing all the points above.
Before restoring we need to make sure Samba is down.
Let's stop Samba
/etc/init.d/samba stop
Now let's check that Samba is down
ps aux | egrep samba
root      2404  0.0  0.1  12964  2356 pts/0    S+   14:47   0:00 grep -E --color=auto samba
Now let's remove the files and directories that the backup will replace.
rm -rf /usr/local/samba/etc
rm -rf /usr/local/samba/private
rm -rf /usr/local/samba/var/locks/sysvol
Now we restore Samba: enter the backup directory and extract the files. The archives hold paths relative to the installation prefix, which is why they are extracted with -C /usr/local/samba.
cd /usr/local/backups
tar -jxf etc.2015-06-11.tar.bz2 -C /usr/local/samba
tar -jxf samba4_private.2015-06-11.tar.bz2 -C /usr/local/samba
tar -jxf sysvol.2015-06-11.tar.bz2 -C /usr/local/samba
Now we need to rename the files with the extension *.ldb.bak in the private directory to *.ldb (samba_backup saves the databases under that name; the find must recurse because sam.ldb.d/ holds the partition databases)
find /usr/local/samba/private/ -type f -name '*.ldb.bak' -print0 | while read -d $'\0' f ; do mv "$f" "${f%.bak}" ; done
Now we need to restore the ACLs on sysvol
samba-tool ntacl sysvolreset
If you are using BIND9_DLZ as backend, the hard links the DLZ module uses for the DNS partition databases are lost in a tar archive, so we need to recreate them
samba_upgradedns --dns-backend=BIND9_DLZ
Now let's start the samba
/etc/init.d/samba start
Now let's display our users
wbinfo -u
Administrator
Guest
krbtgt
dns-samba1
douglas.q.santos
Now let's display our groups
wbinfo -g
Enterprise Read-Only Domain Controllers
Domain Admins
Domain Users
Domain Guests
Domain Computers
Domain Controllers
Schema Admins
Enterprise Admins
Group Policy Creator Owners
Read-Only Domain Controllers
DnsUpdateProxy
it-admin
Everything is working properly as before.
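The backup and restore steps above are easy to get wrong by hand during an outage. The script below is an added example, not code from the original page: it wraps the page's own procedure in functions, records the output of samba -V next to the tarballs so that the same-version rule from the notes can be enforced before anything is deleted, checks that all three archives of a backup set exist and are readable, and only then stops Samba and restores. Paths follow the page; the version.DATE files and the function names are conventions of this example only.

```shell
#!/bin/sh
# Added example, not from the original page: the backup/restore procedure
# above as functions, with the checks a restore should pass before
# anything is deleted. Paths follow the page; "version.DATE" files and the
# function names are conventions of this example only.
set -u

SAMBA_PREFIX=${SAMBA_PREFIX:-/usr/local/samba}
BACKUP_DIR=${BACKUP_DIR:-/usr/local/backups}
BACKUP_SCRIPT=${BACKUP_SCRIPT:-/usr/sbin/samba_backup}

# backup_set_complete DIR DATE
# Returns 0 when the etc, samba4_private and sysvol archives for DATE exist
# and tar can list them; otherwise reports what is wrong on stderr, returns 1.
backup_set_complete() {
    dir=$1; stamp=$2; rc=0
    for part in etc samba4_private sysvol; do
        f="$dir/$part.$stamp.tar.bz2"
        if [ ! -f "$f" ]; then
            echo "missing: $f" >&2; rc=1
        elif ! tar -tf "$f" >/dev/null 2>&1; then   # tar detects the compression itself on read
            echo "unreadable archive: $f" >&2; rc=1
        fi
    done
    return $rc
}

# version_matches DIR DATE CURRENT
# CURRENT is the output of "samba -V" (e.g. "Version 4.2.2"); it must equal
# what run_backup recorded, because a restore across versions is unsupported.
version_matches() {
    [ -f "$1/version.$2" ] && [ "$(cat "$1/version.$2")" = "$3" ]
}

# rename_ldb_backups DIR
# samba_backup stores every database as *.ldb.bak; rename them back to *.ldb.
# Recurses because sam.ldb.d/ holds the per-partition databases.
rename_ldb_backups() {
    find "$1" -type f -name '*.ldb.bak' \
        -exec sh -c 'for f; do mv "$f" "${f%.bak}"; done' sh {} +
}

# run_backup: the page's script, plus a record of the running version.
run_backup() {
    stamp=$(date +%Y-%m-%d)            # same stamp samba_backup puts in the file names
    "$BACKUP_SCRIPT" || return 1
    "$SAMBA_PREFIX/sbin/samba" -V > "$BACKUP_DIR/version.$stamp"
}

# restore DATE: the page's restore sequence, refusing to start unless the
# backup set is complete and was taken with the Samba version installed now.
restore() {
    stamp=$1
    backup_set_complete "$BACKUP_DIR" "$stamp" || return 1
    if ! version_matches "$BACKUP_DIR" "$stamp" "$("$SAMBA_PREFIX/sbin/samba" -V)"; then
        echo "backup $stamp was not taken with the installed Samba version; refusing" >&2
        return 1
    fi
    /etc/init.d/samba stop
    rm -rf "$SAMBA_PREFIX/etc" "$SAMBA_PREFIX/private" "$SAMBA_PREFIX/var/locks/sysvol"
    for part in etc samba4_private sysvol; do
        tar -xjf "$BACKUP_DIR/$part.$stamp.tar.bz2" -C "$SAMBA_PREFIX" || return 1
    done
    rename_ldb_backups "$SAMBA_PREFIX/private"
    samba-tool ntacl sysvolreset
    samba_upgradedns --dns-backend=BIND9_DLZ   # recreate the BIND9_DLZ hard links
    /etc/init.d/samba start
}

case "${1:-}" in
    backup)  run_backup ;;
    restore) [ -n "${2:-}" ] || { echo "usage: $0 restore YYYY-MM-DD" >&2; exit 2; }
             restore "$2" ;;
esac
```

Run it as `samba-dr.sh backup` from the 2 A.M. cron entry instead of samba_backup directly, and as `samba-dr.sh restore 2015-06-11` on the rebuilt server; the restore refuses to delete anything if an archive is missing or unreadable or if the recorded version differs from the installed one.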
Configuring a Windows 8 Client
Now let's join a Windows 8 Client to our Samba Domain.
Configuring the DNS Client:
- In the Windows Machine press Windows Key + R and type: ncpa.cpl
- Now right click in the Ethernet and choose Properties
- Here select Internet Protocol Version 4 (TCP/IPv4) and select Properties here we need to put the Preferred DNS server as: 192.168.25.100
- Now click in OK and Close and close the Network connections
Joining in the Domain:
- In the Windows Machine press Windows Key + R and type: sysdm.cpl
- Here select Change… And in Domain put douglas.lan
- Now click in OK.
- Now we need to put the user as: administrator and its password and Select OK if everything is ok we will get the message box bellow.
- Now Click OK we will get another message box with a warning about that we need to restart the machine to apply the changes and click OK and Close
- Now select Restart Now.
- After restart choose Switch User the (right arrow into a circle). In the username put: douglas\administrator and put its password and Enter
Now we can install the RSAT; it can be obtained at:
- http://www.microsoft.com/en-us/download/details.aspx?id=6315 (Windows XP/Server 2003)
- For Windows 8: How to Install Admin Tools On Windows 8 – (Remote Server Administration Tools – RSAT)
Accessing the Active Directory Users and Computers
- In the Windows Machine press Windows Key + R and type: dsa.msc
Accessing the DNS Manager
- In the Windows Machine press Windows Key + R and type: dnsmgmt.msc
- Here select The following computer: 192.168.25.100 and click OK
- After that we get the DNS Manager, where we can manage the DNS records instead of doing it via the shell.
Creating Shares
Creating Samba shares is easier than in Samba 3 in my view: we define the share in smb.conf and manage its permissions from Windows.
Note: We must be the owner of the directory or belong to its owner group to display or manage the permissions.
Let's allow the domain administrators to manage the shares from Windows. SeDiskOperatorPrivilege is the only privilege needed for managing shares and share permissions.
net rpc rights grant 'DOUGLAS\Domain Admins' SeDiskOperatorPrivilege -U administrator
Enter administrator's password:
Successfully granted rights.
If you want to assign every privilege to an account, e.g. the group 'DOUGLAS\Domain Admins', it can be done as follows. Do this only for a group that is already fully trusted: privileges such as SeDebugPrivilege, SeTakeOwnershipPrivilege, SeBackupPrivilege and SeRestorePrivilege give their holder control over every file and process on the server, and net rpc rights list accounts -U administrator shows who currently holds what.
net rpc rights grant 'DOUGLAS\Domain Admins' SeMachineAccountPrivilege SeTakeOwnershipPrivilege SeBackupPrivilege SeRestorePrivilege SeRemoteShutdownPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege SeDiskOperatorPrivilege SeSecurityPrivilege SeSystemtimePrivilege SeShutdownPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeSystemProfilePrivilege SeProfileSingleProcessPrivilege SeIncreaseBasePriorityPrivilege SeLoadDriverPrivilege SeCreatePagefilePrivilege SeIncreaseQuotaPrivilege SeChangeNotifyPrivilege SeUndockPrivilege SeManageVolumePrivilege SeImpersonatePrivilege SeCreateGlobalPrivilege SeEnableDelegationPrivilege -U administrator
Enter administrator's password:
Successfully granted rights.
Now let's create a new share.
vim /usr/local/samba/etc/smb.conf
[...]
[Demo]
        path = /srv/samba/Demo/
        read only = no
Now let's create the directory
mkdir -p /srv/samba/Demo/
Now we need to reload the samba configuration
smbcontrol all reload-config
Now on Windows, with a user that belongs to the Domain Admins group (here I use administrator):
- Click Windows key + R and type: compmgmt.msc
- Right click Computer Management and select Connect to another computer…
- In Another computer put: 192.168.25.100 and click OK
- Browse to System Tools/Shared Folders/Shares and select our new share called Demo
- Right click Demo and select Properties
- In the Share Permissions tab we configure who is allowed to access the share.
- In the Security tab we manage who is able to read/execute/modify the files and folders; these ACLs are written to the directory on the server (as an NT ACL in extended attributes plus POSIX ACLs), so they persist on the filesystem and survive a Samba restart.
- Now just click OK and close the window.
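The two net rpc rights grant commands above differ a lot in what they hand out, and nothing on the DC warns when a group or service account ends up with a privilege it should not hold. The script below is an added example, not code from the original page: it reads the output of net rpc rights list accounts (account name, one privilege per line, a blank line between accounts) and reports every account holding a high-impact privilege that is not on an allow-list. The sample listing is constructed in that format, not captured from a live DC, and the allow-list and the list of privileges treated as dangerous are this example's own policy.

```shell
#!/bin/sh
# Added example, not from the original page: audit the output of
# "net rpc rights list accounts" after granting privileges, so an over-broad
# grant like the all-privileges one above is caught. The listing format
# (account name, one privilege per line, blank line between accounts) is what
# net prints; the sample below is constructed in that format, not captured
# from a live DC, and the allow-list is this example's own policy.
set -u

# Privileges that let a holder read, take over or tamper with anything on the
# server (or debug any process); only fully trusted admin groups should hold them.
DANGEROUS='SeDebugPrivilege SeTakeOwnershipPrivilege SeBackupPrivilege SeRestorePrivilege SeLoadDriverPrivilege SeEnableDelegationPrivilege'

# Account names contain backslashes, so they are passed to awk through the
# environment: "awk -v" would reinterpret "\D" and "\A" as escape sequences.

# accounts_with_priv PRIV  (listing on stdin) -> accounts holding PRIV, one per line
accounts_with_priv() {
    PRIV="$1" awk '
        BEGIN { RS = ""; FS = "\n" }              # one record per account
        {
            for (i = 1; i <= NF; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i)
            for (i = 2; i <= NF; i++) if ($i == ENVIRON["PRIV"]) { print $1; break }
        }'
}

# flag_dangerous ALLOWED  (listing on stdin)
# ALLOWED is a comma-separated list of accounts permitted to hold dangerous
# privileges; prints "account privilege" for every violation, nothing when clean.
flag_dangerous() {
    ALLOWED="$1" DANGEROUS="$DANGEROUS" awk '
        BEGIN {
            RS = ""; FS = "\n"
            n = split(ENVIRON["ALLOWED"], a, ",");   for (i = 1; i <= n; i++) ok[a[i]] = 1
            n = split(ENVIRON["DANGEROUS"], d, " "); for (i = 1; i <= n; i++) bad[d[i]] = 1
        }
        {
            for (i = 1; i <= NF; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i)
            if ($1 in ok) next
            for (i = 2; i <= NF; i++) if ($i in bad) print $1 " " $i
        }'
}

# Constructed sample listing (not a capture): Administrators and Domain Admins
# as expected, plus a service account that was handed SeBackupPrivilege and
# SeDebugPrivilege, which is the kind of grant the audit should flag.
sample_listing() {
    cat <<'EOF'
BUILTIN\Administrators
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDiskOperatorPrivilege

DOUGLAS\Domain Admins
SeDiskOperatorPrivilege

DOUGLAS\svc-backup
SeBackupPrivilege
SeDebugPrivilege

DOUGLAS\it-admin
No privileges assigned
EOF
}

case "${1:-}" in
    demo) sample_listing | flag_dangerous 'BUILTIN\Administrators,DOUGLAS\Domain Admins' ;;
    live) net rpc rights list accounts -U "${2:-administrator}" \
              | flag_dangerous 'BUILTIN\Administrators,DOUGLAS\Domain Admins' ;;
esac
```

`rights-audit.sh demo` prints the two svc-backup lines from the sample; `rights-audit.sh live` runs the same check against the DC (it prompts for the administrator password) and prints nothing when only the allow-listed groups hold dangerous privileges, which makes it easy to run from cron and alert on non-empty output.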
Roaming Profile
Now let's configure the Roaming profile
Let's create the directory that will store the profiles.
mkdir -p /srv/samba/Profiles/
Now let's add one more share in samba configuration file.
vim /usr/local/samba/etc/smb.conf
[...]
[Profiles]
        path = /srv/samba/Profiles/
        read only = no
Now we need to reload the samba configuration
smbcontrol all reload-config
Now let's check the shares from a Windows machine.
- Click Windows key + R and type: \\samba1
- Right click the Profiles share and select Properties/Security
- Select Advanced and Permissions
- Remove everything except Administrator, then add CREATOR OWNER and Domain Users
Now we need to configure the permissions as follows. This is what keeps one user out of another user's profile folder: Domain Users may only create a folder at the top level, and the creator of that folder, i.e. the user logging on, gets full control of it and nothing else.
Name | Permission | Applies to |
---|---|---|
Administrator | Full Control | This folder, subfolders and files |
Domain Users | Traverse folder/execute file, List folder/read data, Create folders/append data | This folder only |
CREATOR OWNER | Full Control | Subfolders and files only |
After that:
- Apply
- OK
- OK
- OK
Now we need to configure the roaming profile for a user in order to run a test.
- Click Windows key + R and type: dsa.msc
- Select the user you want to configure the roaming profile for
- Right click it and select Properties
- Select the Profile tab.
- In Profile path put: \\samba1.douglas.lan\Profiles\%username%
- Select OK
Now we can log on with that user and check that the profile was created in:
- /srv/samba/Profiles/
After logging in with the user douglas.q.santos we get something like below.
ls -l /srv/samba/Profiles
total 8
drwxrwx---+ 2 DOUGLAS\douglas.q.santos users 4096 Jun 11 16:44 douglas.q.santos.V2
Logon Script
Now we will create the logon script; it has to be stored in /usr/local/samba/var/locks/sysvol/douglas.lan/scripts, which is the netlogon share. Whatever is placed in this directory runs on the client at every logon of the user it is assigned to, so keep it writable by domain administrators only (the ACLs that samba-tool ntacl sysvolreset applies).
Let's create a basic one that only maps the Demo share
Note: Here I will use the user douglas.q.santos; this user needs permission to access the share or must belong to a group that has it
vim /usr/local/samba/var/locks/sysvol/douglas.lan/scripts/sharedemo.bat
net use x: \\samba1.douglas.lan\Demo
Now we need to change the permissions
chmod +x /usr/local/samba/var/locks/sysvol/douglas.lan/scripts/sharedemo.bat
Now we need to convert the script to Windows line endings
unix2dos /usr/local/samba/var/locks/sysvol/douglas.lan/scripts/sharedemo.bat
- Now Windows key + R and type: dsa.msc
- Select the user you want to configure; I will use douglas.q.santos, for whom I configured the roaming profile
- Right click the user and select Properties
- Select the Profile tab
- In Logon script put: sharedemo.bat
- Click Apply and OK
Now let's log on with the user douglas.q.santos; after login we get something like below.
I shall continue from here as soon as possible.
Configuring the SLAVE
(Scratch notes: this part was written earlier on a RHEL/CentOS-style system with yum and chkconfig, against Samba 4.1.3, and uses the names nodo1 for the PDC and nodo2 for this BDC on 192.168.0.0/24 instead of the samba1/samba2 lab above.)
Let's update the repositories and upgrade the system
yum check-update && yum update -y
Now let's install the dependencies needed to compile Samba
yum install openldap-devel pam-devel git gcc make wget libacl-devel libblkid-devel gnutls-devel readline-devel python-devel cups-devel \
libaio-devel quota-devel ctdb-devel krb5-devel krb5-workstation acl setroubleshoot-server setroubleshoot-plugins policycoreutils-python \
libsemanage-python setools-libs-python setools-libs popt-devel libpcap-devel libidn-devel libxml2-devel libacl-devel libsepol-devel libattr-devel \
keyutils-libs-devel cyrus-sasl-devel cups-devel bind-utils bind-sdb bind-devel bind-libs bind avahi-devel mingw32-iconv gamin \
libcap-devel rpc2-devel glusterfs-devel python-dns -y
Now let's adjust fstab so that the filesystem supports acl, user_xattr and barrier. I will enable this on the / partition; if you have several partitions, enable it on every one that will hold shares, because the Windows ACLs Samba stores need both POSIX ACLs and extended attributes.
vim /etc/fstab
[...]
/dev/mapper/VolGroup-lv_root / ext4 defaults,acl,user_xattr,barrier=1 1 1
Now let's remount the root filesystem
mount -o remount /
Now let's list the mount options of the root filesystem
mount | egrep acl
/dev/mapper/VolGroup-lv_root on / type ext4 (rw,acl,user_xattr,barrier=1)
The options are now active.
Now let's get Samba. Go to the directory that will hold the sources
cd /usr/src
Now let's download the sources
wget -c http://ftp.samba.org/pub/samba/stable/samba-4.1.3.tar.gz
(4.1.3 was the current release when these notes were written. The download is over plain HTTP, so before building verify the detached signature Samba publishes beside the tarball, samba-4.1.3.tar.asc, which is made over the uncompressed .tar, with gpg.)
Now let's unpack Samba
tar -xzvf samba-4.1.3.tar.gz
Now let's enter the source directory
cd samba-4.1.3
Now let's configure the Samba build
./configure --enable-debug --enable-selftest
Now let's compile Samba; this step takes a while
make
Now let's install Samba
make install
Now let's fix the PATH of the root user, in case it uses the Bash shell
echo "export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11:/usr/local/samba/sbin:/usr/local/samba/bin">> /root/.bashrc
Now we need to load the new PATH
source /root/.bashrc
Now let's fix the PATH of the root user, in case it uses the zsh shell
echo "export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11:/usr/local/samba/sbin:/usr/local/samba/bin">> /root/.zshrc
Now we need to load the new PATH
source /root/.zshrc
Now let's adjust resolv.conf; it uses our domain name and the IP of the PDC, because the join has to resolve the existing domain before this server runs its own DNS.
vim /etc/resolv.conf
domain douglas.lan
search douglas.lan
nameserver 192.168.0.25
Now let's adjust the network interface to use our new DNS
vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE="eth0"
BOOTPROTO="static"
BROADCAST="192.168.0.255"
DNS1="192.168.0.26"
GATEWAY="192.168.0.1"
IPADDR="192.168.0.25"
NETMASK="255.255.255.0"
NM_CONTROLLED="yes"
ONBOOT="yes"
TYPE="Ethernet"
Note that the addresses in this scratch fragment are inconsistent with the rest of these notes, where the PDC (nodo1) is 192.168.0.25 and this BDC (nodo2) is 192.168.0.26, as the samba_dnsupdate output further down shows; the BDC's own address belongs in IPADDR and the PDC's address in DNS1, matching resolv.conf.
Now let's configure BIND
vim /etc/named.conf
//named.conf
options {
        listen-on port 53 { 127.0.0.1; 192.168.0.0/24; };
        listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query { 192.168.0.0/24; localhost; };
        recursion yes;
        forwarders { 8.8.8.8; 8.8.4.4; };
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
        /* keytab for samba4 */
        tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
zone "." IN {
        type hint;
        file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
/* Samba 4 configuration file that points to the bind_dlz module */
include "/usr/local/samba/private/named.conf";
Recursion is enabled here, but allow-query limits it to the LAN and localhost, so this is not an open resolver. The tkey-gssapi-keytab line is what lets domain members send GSS-TSIG signed dynamic updates; the included /usr/local/samba/private/named.conf is written by the join (or by samba_upgradedns) and loads the DLZ module matching the installed BIND version, and named needs read access to that keytab and to the DNS partition databases, which is why it cannot run chrooted. dnssec-lookaside (DLV) has since been retired by ISC and removed from current BIND releases, so drop that line on anything newer than the BIND of these notes.
Now let's adjust the krb5.conf configuration
vim /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
[libdefaults]
 default_realm = DOUGLAS.LAN
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes
[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }
Let's request a Kerberos ticket to check our configuration. With dns_lookup_kdc the KDC is found through the SRV records served by the PDC, so a successful kinit also proves that DNS resolution towards the PDC works.
kinit administrator
Password for administrator@DOUGLAS.LAN:
Warning: Your password will expire in 41 days on Mon Oct 7 12:02:11 2013
Now let's add our server as a BDC
Now let's join the domain. The Deleted lines in the output show a stale NODO2 account from an earlier join attempt being removed before the new one is created.
samba-tool domain join douglas.lan DC -U administrator --realm=douglas.lan --dns-backend=BIND9_DLZ
Finding a writeable DC for domain 'douglas.lan'
Found DC nodo1.douglas.lan
Password for [DOUGLAS\administrator]:
workgroup is DOUGLAS
realm is douglas.lan
checking sAMAccountName
Deleted CN=NODO2,OU=Domain Controllers,DC=douglas,DC=lan
Deleted CN=NTDS Settings,CN=NODO2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=douglas,DC=lan
Deleted CN=NODO2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=douglas,DC=lan
Adding CN=NODO2,OU=Domain Controllers,DC=douglas,DC=lan
Adding CN=NODO2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=douglas,DC=lan
Adding CN=NTDS Settings,CN=NODO2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=douglas,DC=lan
Adding SPNs to CN=NODO2,OU=Domain Controllers,DC=douglas,DC=lan
Setting account password for NODO2$
Enabling account
Calling bare provision
No IPv6 address will be assigned
Provision OK for domain DN DC=douglas,DC=lan
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=douglas,DC=lan] objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=douglas,DC=lan] objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=douglas,DC=lan] objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=douglas,DC=lan] objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=douglas,DC=lan] objects[402/1625] linked_values[0/0]
Partition[CN=Configuration,DC=douglas,DC=lan] objects[804/1625] linked_values[0/0]
Partition[CN=Configuration,DC=douglas,DC=lan] objects[1206/1625] linked_values[0/0]
Partition[CN=Configuration,DC=douglas,DC=lan] objects[1608/1625] linked_values[0/0]
Partition[CN=Configuration,DC=douglas,DC=lan] objects[1625/1625] linked_values[28/0]
Replicating critical objects from the base DN of the domain
Partition[DC=douglas,DC=lan] objects[98/98] linked_values[25/0]
Partition[DC=douglas,DC=lan] objects[375/277] linked_values[26/0]
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=douglas,DC=lan
Partition[DC=DomainDnsZones,DC=douglas,DC=lan] objects[40/40] linked_values[0/0]
Replicating DC=ForestDnsZones,DC=douglas,DC=lan
Partition[DC=ForestDnsZones,DC=douglas,DC=lan] objects[18/18] linked_values[0/0]
Partition[DC=ForestDnsZones,DC=douglas,DC=lan] objects[36/18] linked_values[0/0]
Committing SAM database
Sending DsReplicateUpd​ateRefs for all the replicated partitions
Setting isSynchronized and dsServiceName
Setting up secrets database
Joined domain DOUGLAS (SID S-1-5-21-2011945809-1847694634-1467046014) as a DC
Now let's add named to the system start-up
chkconfig --add named
chkconfig named on
Now let's create the init script. Note that the daemon to stop is samba, not smbd: on an AD DC smbd and winbindd are children of the samba process, so stopping smbd alone leaves the DC running, and the lock file the script creates must be the one condrestart checks.
vim /etc/init.d/samba
#!/bin/sh
#
# chkconfig: - 91 35
# description: Starts and stops the Samba AD DC daemon \
#              used to provide SMB network services.
#
# pidfile: /usr/local/samba/var/run/samba.pid
# config: /usr/local/samba/etc/smb.conf

# Source function library.
if [ -f /etc/init.d/functions ] ; then
  . /etc/init.d/functions
elif [ -f /etc/rc.d/init.d/functions ] ; then
  . /etc/rc.d/init.d/functions
else
  exit 1
fi

# Avoid using root's TMPDIR
unset TMPDIR

# Source networking configuration.
. /etc/sysconfig/network

if [ -f /etc/sysconfig/samba ]; then
   . /etc/sysconfig/samba
fi

# Check that networking is up.
[ ${NETWORKING} = "no" ] && exit 1

# Check that smb.conf exists.
[ -f /usr/local/samba/etc/smb.conf ] || exit 6

SAMBA=/usr/local/samba/sbin/samba
PIDFILE=/usr/local/samba/var/run/samba.pid
LOCKFILE=/var/lock/subsys/samba
RETVAL=0

start() {
        KIND="Samba AD DC"
        echo -n $"Starting $KIND services: "
        $SAMBA
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && touch $LOCKFILE || RETVAL=1
        return $RETVAL
}

stop() {
        KIND="Samba AD DC"
        echo -n $"Shutting down $KIND services: "
        # samba is the parent process; smbd and winbindd are its children
        killproc -p $PIDFILE samba
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && rm -f $LOCKFILE
        return $RETVAL
}

restart() {
        stop
        start
}

reload() {
        echo -n $"Reloading smb.conf file: "
        /usr/local/samba/bin/smbcontrol all reload-config
        RETVAL=$?
        echo
        return $RETVAL
}

rhstatus() {
        status -p $PIDFILE -l samba samba
        return $?
}

# Allow status as non-root.
if [ "$1" = status ]; then
        rhstatus
        exit $?
fi

# Check that we can write to it... so non-root users stop here
[ -w /usr/local/samba/etc/smb.conf ] || exit 4

case "$1" in
  start)
        start
        ;;
  stop)
        stop
        ;;
  restart)
        restart
        ;;
  reload)
        reload
        ;;
  status)
        rhstatus
        ;;
  condrestart)
        [ -f $LOCKFILE ] && restart || :
        ;;
  *)
        echo $"Usage: $0 {start|stop|restart|reload|status|condrestart}"
        exit 2
esac

exit $?
Now let's make our script executable and add it to the system start-up
chmod +x /etc/init.d/samba
chkconfig --add samba
chkconfig samba on
Now let's start named and samba
/etc/init.d/named start
/etc/init.d/samba start
Now let's check the samba daemon
ps aux | egrep samba
root      1268  7.0  8.2 525140 41276 ?        Ss   18:50   0:00 /usr/local/samba/sbin/samba
root      1271  0.0  5.7 525140 28648 ?        S    18:50   0:00 /usr/local/samba/sbin/samba
root      1272  0.0  5.8 525140 29500 ?        S    18:50   0:00 /usr/local/samba/sbin/samba
root      1273  0.1  6.2 529292 31152 ?        S    18:50   0:00 /usr/local/samba/sbin/samba
root      1274  0.0  5.6 525140 28608 ?        S    18:50   0:00 /usr/local/samba/sbin/samba
root      1275  8.8  6.1 525140 30768 ?        S    18:50   0:00 /usr/local/samba/sbin/samba
root      1276  0.0  5.8 525140 29204 ?        S    18:50   0:00 /usr/local/samba/sbin/samba
root      1277  7.0  8.6 576100 43440 ?        Ss   18:50   0:00 /usr/local/samba/sbin/smbd --option=server role check:inhibit=yes --foreground
root      1278  0.0  6.1 525140 30716 ?        S    18:50   0:00 /usr/local/samba/sbin/samba
root      1279  0.5  6.2 529292 31316 ?        S    18:50   0:00 /usr/local/samba/sbin/samba
root      1280  0.1  5.9 527652 29864 ?        S    18:50   0:00 /usr/local/samba/sbin/samba
root      1281  0.0  5.7 525140 28748 ?        S    18:50   0:00 /usr/local/samba/sbin/samba
root      1282  0.0  5.9 525140 29712 ?        S    18:50   0:00 /usr/local/samba/sbin/samba
root      1283  0.0  5.9 525140 29708 ?        S    18:50   0:00 /usr/local/samba/sbin/samba
root      1291  0.0  5.7 575584 29052 ?        S    18:50   0:00 /usr/local/samba/sbin/smbd --option=server role check:inhibit=yes --foreground
As can be seen, it is running OK.
Now let's show the version of our samba
smbclient --version
Version 4.1.3
Now let's list the shares
smbclient -L localhost -U%
Domain=[DOUGLAS] OS=[Unix] Server=[Samba 4.1.3]

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk
        sysvol          Disk
        IPC$            IPC       IPC Service (Samba 4.1.3)
Domain=[DOUGLAS] OS=[Unix] Server=[Samba 4.1.3]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
Now let's list netlogon as the user administrator
smbclient //localhost/netlogon -UAdministrator%'sen@134*' -c 'ls'
Domain=[DOUGLAS] OS=[Unix] Server=[Samba 4.1.3]
  .                                   D        0  Mon Aug 26 18:35:20 2013
  ..                                  D        0  Mon Aug 26 18:35:20 2013

                34426 blocks of size 262144. 23857 blocks available
Note: passing the password after % on the command line stores it in the shell history and exposes it to every local user through ps while the command runs; outside a throwaway lab use -UAdministrator and type the password at the prompt, or read the credentials from a root-only file with -A.
Now let's dump the configuration of our samba
testparm
Load smb config files from /usr/local/samba/etc/smb.conf
rlimit_max: increasing rlimit_max (4096) to minimum Windows limit (16384)
Processing section "[netlogon]"
Processing section "[sysvol]"
Loaded services file OK.
Server role: ROLE_ACTIVE_DIRECTORY_DC
Press enter to see a dump of your service definitions

[global]
        workgroup = DOUGLAS
        realm = douglas.lan
        server role = active directory domain controller
        passdb backend = samba_dsdb
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
        rpc_server:tcpip = no
        rpc_daemon:spoolssd = embedded
        rpc_server:spoolss = embedded
        rpc_server:winreg = embedded
        rpc_server:ntsvcs = embedded
        rpc_server:eventlog = embedded
        rpc_server:srvsvc = embedded
        rpc_server:svcctl = embedded
        rpc_server:default = external
        idmap config * : backend = tdb
        map archive = No
        map readonly = no
        store dos attributes = Yes
        vfs objects = dfs_samba4, acl_xattr

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/douglas.lan/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No
Now let's adjust limits.conf so that the rlimit_max warning no longer appears in samba
vim /etc/security/limits.conf
# append at the end of the file
root hard nofile 131072
root soft nofile 65536
mioutente hard nofile 32768
mioutente soft nofile 16384
(mioutente is a leftover placeholder user name in these notes; the samba daemon runs as root, so the two root lines are the ones that matter here.)
Now let's test name resolution
nslookup douglas.lan
Server:         192.168.0.25
Address:        192.168.0.25#53

Name:   douglas.lan
Address: 192.168.0.25
Name:   douglas.lan
Address: 192.168.0.26
Both DCs now answer for the domain name.
Now let's adjust the Kerberos configuration
Let's back up the configuration file
mv /etc/krb5.conf /etc/krb5.conf.old
Let's create a link so that the system uses Samba's own Kerberos configuration as the default
ln -sf /usr/local/samba/private/krb5.conf /etc/krb5.conf
Now let's adjust krb5.conf. Because /etc/krb5.conf is now a symlink, this edits the file Samba generated in /usr/local/samba/private/; the generated file already sets default_realm and dns_lookup_kdc, and the settings below keep those.
vim /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
[libdefaults]
 default_realm = DOUGLAS.LAN
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes
[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }
Now let's create a link for the Kerberos keytab
ln -s /usr/local/samba/private/dns.keytab /etc/krb5.keytab
(dns.keytab holds only the DNS service principal that BIND uses for GSS-TSIG; a host keytab for other services, such as sshd with GSSAPI, is exported with samba-tool domain exportkeytab instead.)
Now let's adjust the Samba configuration so that it can map users through winbind. Two things to watch in [global]: vfs objects must be listed once, because a second vfs objects line replaces the first rather than adding to it, and a DC needs dfs_samba4 and acl_xattr for sysvol; and a parameter given twice takes the last value, so full_audit:failure is set only once below. Also note that veto files in [global] applies to sysvol and netlogon too, where Group Policy stores GPT.INI and GptTmpl.inf and logon scripts may be .cmd files, so on a DC that list belongs in the data shares, not in [global].
vim /usr/local/samba/etc/smb.conf
[global]
        workgroup = DOUGLAS
        realm = douglas.lan
        netbios name = NODO2
        server role = active directory domain controller
        passdb backend = samba_dsdb
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
        rpc_server:tcpip = no
        rpc_daemon:spoolssd = embedded
        rpc_server:spoolss = embedded
        rpc_server:winreg = embedded
        rpc_server:ntsvcs = embedded
        rpc_server:eventlog = embedded
        rpc_server:srvsvc = embedded
        rpc_server:svcctl = embedded
        rpc_server:default = external
        #IDMAP
        idmap_ldb:use rfc2307 = yes
        idmap config * : backend = tdb
        idmap config *:range = 70001-80000
        idmap config DOUGLAS:backend = ad
        idmap config DOUGLAS:schema_mode = rfc2307
        idmap config DOUGLAS:range = 500-40000
        #WINBIND
        winbind nss info = rfc2307
        winbind trusted domains only = no
        winbind use default domain = yes
        winbind enum users = yes
        winbind enum groups = yes
        map archive = No
        map readonly = no
        store dos attributes = Yes
        # single vfs objects line: the DC defaults plus recycle and full_audit
        vfs objects = dfs_samba4, acl_xattr, recycle, full_audit
        # template shell is required to log in with winbind authentication
        template shell = /bin/bash
        #DISABLING PRINTERS
        printcap name = /dev/null
        load printers = no
        disable spoolss = yes
        printing = bsd
        ### LOGS
        log file = /var/log/samba/smbd.log
        max log size = 50
        log level = 2
        ### RECYCLE BIN
        recycle:repository = Lixeira
        recycle:exclude = *.tmp *.TMP *.temp *.TEMP ~*
        recycle:keeptree = yes
        full_audit:success = rmdir mkdir open write rename unlink
        full_audit:failure = rmdir mkdir open write rename unlink
        full_audit:prefix = %U|%I|%m|%S
        full_audit:facility = local5
        full_audit:priority = notice
        veto files = /*.mp3/*.wav/*.exe/*.cmd/*.adm/*.inf/*.ini/*.pif
        delete veto files = yes
        dos filemode = yes
[netlogon]
        path = /usr/local/samba/var/locks/sysvol/douglas.lan/scripts
        read only = No
[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No
Now let's create the directory that will store the logs
mkdir -p /var/log/samba
Now we need to set up the winbind NSS library; on 32-bit systems it is done as follows
ln -s /usr/local/samba/lib/libnss_winbind.so /lib
ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
ldconfig
On 64-bit systems it is done as follows
ln -s /usr/local/samba/lib/libnss_winbind.so /lib64
ln -s /lib64/libnss_winbind.so /lib64/libnss_winbind.so.2
ldconfig
Now let's adjust nsswitch.conf
vim /etc/nsswitch.conf
[...]
passwd: files winbind
[...]
group: files winbind
Now let's get a ticket for administrator
kinit administrator
Password for administrator@DOUGLAS.LAN:
Warning: Your password will expire in 41 days on Mon Oct 7 12:02:11 2013
Now let's list our ticket
klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@DOUGLAS.LAN

Valid starting     Expires            Service principal
08/26/13 18:54:21  08/27/13 04:54:21  krbtgt/DOUGLAS.LAN@DOUGLAS.LAN
        renew until 08/27/13 18:54:17
Our Kerberos is OK.
Let's install ntp. Kerberos rejects tickets when clocks differ by more than the default 5 minutes, so both DCs and the clients must share a time source.
yum install ntp -y
Now let's back up the default ntp.conf configuration file
cp /etc/ntp.conf /etc/ntp.conf.old
Now let's configure ntp. The ntpsigndsocket line and the mssntp restriction are what let domain members obtain MS-SNTP signed time from this DC.
vim /etc/ntp.conf
server 127.127.1.0
fudge 127.127.1.0 stratum 10
server a.ntp.br iburst prefer
server 0.pool.ntp.org iburst prefer
server 1.pool.ntp.org iburst prefer
driftfile /var/lib/ntp/ntp.drift
logfile /var/log/ntp
ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/
restrict default kod nomodify notrap nopeer mssntp
restrict 127.0.0.1
restrict a.ntp.br mask 255.255.255.255 nomodify notrap nopeer noquery
restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
Now let's start it
/etc/init.d/ntpd start
Now let's check its synchronisation
ntpq -p 127.0.0.1
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 LOCAL(0)        .LOCL.          10 l    -   64    1    0.000    0.000   0.000
 a.ntp.br        .INIT.          16 u    -   64    0    0.000    0.000   0.000
 a.st1.ntp.br    .INIT.          16 u    -   64    0    0.000    0.000   0.000
 roma.coe.ufrj.b .INIT.          16 u    -   64    0    0.000    0.000   0.000
Now let's add ntp to the system start-up
chkconfig --add ntpd
chkconfig ntpd on
Now let's step our clock once
ntpdate -u a.ntp.br
Now let's fix the group of the ntp_signd socket directory so that ntpd can reach it
chgrp ntp /usr/local/samba/var/lib/ntp_signd
Our samba is now OK.
Now we can get the RSAT (Admin pack) at:
- http://www.microsoft.com/en-us/download/details.aspx?id=6315 (Windows XP/Server 2003)
- To install RSAT on Windows 8: http://www.canaldainfo.com.br/index.php/windows-8rsat/
Now let's test winbind; this checks the machine account secret this DC shares with the domain
wbinfo -t
checking the trust secret for domain DOUGLAS via RPC calls succeeded
Now let's list the groups
wbinfo -g
Enterprise Read-Only Domain Controllers
Domain Admins
Domain Users
Domain Guests
Domain Computers
Domain Controllers
Schema Admins
Enterprise Admins
Group Policy Creator Owners
Read-Only Domain Controllers
DnsUpdateProxy
ti-admin
Now let's list the users
wbinfo -u
Administrator
Guest
krbtgt
dns-nodo1
douglas.santos
Now let's test the DNS update on this DC. The Checking lines that list both nodo1 and nodo2 for the same SRV name show that both DCs are already advertised for Kerberos and LDAP.
samba_dnsupdate --verbose
IPs: ['192.168.0.26']
Skipping PDC entry (SRV _ldap._tcp.pdc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389) as we are not a PDC
Skipping PDC entry (SRV _ldap._tcp.pdc._msdcs.${DNSFOREST} ${HOSTNAME} 389) as we are not a PDC
Looking for DNS entry A douglas.lan 192.168.0.26 as douglas.lan.
Looking for DNS entry A nodo2.douglas.lan 192.168.0.26 as nodo2.douglas.lan.
Looking for DNS entry A gc._msdcs.douglas.lan 192.168.0.26 as gc._msdcs.douglas.lan.
Looking for DNS entry CNAME ccc206ae-bc66-4a4e-a282-06aa4613cadd._msdcs.douglas.lan nodo2.douglas.lan as ccc206ae-bc66-4a4e-a282-06aa4613cadd._msdcs.douglas.lan.
Looking for DNS entry SRV _kpasswd._tcp.douglas.lan nodo2.douglas.lan 464 as _kpasswd._tcp.douglas.lan.
Checking 0 100 464 nodo2.douglas.lan. against SRV _kpasswd._tcp.douglas.lan nodo2.douglas.lan 464
Looking for DNS entry SRV _kpasswd._udp.douglas.lan nodo2.douglas.lan 464 as _kpasswd._udp.douglas.lan.
Checking 0 100 464 nodo1.douglas.lan. against SRV _kpasswd._udp.douglas.lan nodo2.douglas.lan 464
Checking 0 100 464 nodo2.douglas.lan. against SRV _kpasswd._udp.douglas.lan nodo2.douglas.lan 464
Looking for DNS entry SRV _kerberos._tcp.douglas.lan nodo2.douglas.lan 88 as _kerberos._tcp.douglas.lan.
Checking 0 100 88 nodo1.douglas.lan. against SRV _kerberos._tcp.douglas.lan nodo2.douglas.lan 88
Checking 0 100 88 nodo2.douglas.lan. against SRV _kerberos._tcp.douglas.lan nodo2.douglas.lan 88
Looking for DNS entry SRV _kerberos._tcp.dc._msdcs.douglas.lan nodo2.douglas.lan 88 as _kerberos._tcp.dc._msdcs.douglas.lan.
Checking 0 100 88 nodo2.douglas.lan. against SRV _kerberos._tcp.dc._msdcs.douglas.lan nodo2.douglas.lan 88
Looking for DNS entry SRV _kerberos._tcp.default-first-site-name._sites.douglas.lan nodo2.douglas.lan 88 as _kerberos._tcp.default-first-site-name._sites.douglas.lan.
Checking 0 100 88 nodo1.douglas.lan. against SRV _kerberos._tcp.default-first-site-name._sites.douglas.lan nodo2.douglas.lan 88
Checking 0 100 88 nodo2.douglas.lan. against SRV _kerberos._tcp.default-first-site-name._sites.douglas.lan nodo2.douglas.lan 88
Looking for DNS entry SRV _kerberos._tcp.default-first-site-name._sites.dc._msdcs.douglas.lan nodo2.douglas.lan 88 as _kerberos._tcp.default-first-site-name._sites.dc._msdcs.douglas.lan.
Checking 0 100 88 nodo1.douglas.lan. against SRV _kerberos._tcp.default-first-site-name._sites.dc._msdcs.douglas.lan nodo2.douglas.lan 88
Checking 0 100 88 nodo2.douglas.lan. against SRV _kerberos._tcp.default-first-site-name._sites.dc._msdcs.douglas.lan nodo2.douglas.lan 88
Looking for DNS entry SRV _kerberos._udp.douglas.lan nodo2.douglas.lan 88 as _kerberos._udp.douglas.lan.
Checking 0 100 88 nodo1.douglas.lan. against SRV _kerberos._udp.douglas.lan nodo2.douglas.lan 88
Checking 0 100 88 nodo2.douglas.lan. against SRV _kerberos._udp.douglas.lan nodo2.douglas.lan 88
Looking for DNS entry SRV _ldap._tcp.douglas.lan nodo2.douglas.lan 389 as _ldap._tcp.douglas.lan.
Checking 0 100 389 nodo2.douglas.lan. against SRV _ldap._tcp.douglas.lan nodo2.douglas.lan 389
Looking for DNS entry SRV _ldap._tcp.dc._msdcs.douglas.lan nodo2.douglas.lan 389 as _ldap._tcp.dc._msdcs.douglas.lan.
Checking 0 100 389 nodo1.douglas.lan. against SRV _ldap._tcp.dc._msdcs.douglas.lan nodo2.douglas.lan 389
Checking 0 100 389 nodo2.douglas.lan. against SRV _ldap._tcp.dc._msdcs.douglas.lan nodo2.douglas.lan 389
Looking for DNS entry SRV _ldap._tcp.gc._msdcs.douglas.lan nodo2.douglas.lan 3268 as _ldap._tcp.gc._msdcs.douglas.lan.
Checking 0 100 3268 nodo2.douglas.lan. against SRV _ldap._tcp.gc._msdcs.douglas.lan nodo2.douglas.lan 3268
Looking for DNS entry SRV _ldap._tcp.default-first-site-name._sites.douglas.lan nodo2.douglas.lan 389 as _ldap._tcp.default-first-site-name._sites.douglas.lan.
Checking 0 100 389 nodo1.douglas.lan. against SRV _ldap._tcp.default-first-site-name._sites.douglas.lan nodo2.douglas.lan 389
Checking 0 100 389 nodo2.douglas.lan. against SRV _ldap._tcp.default-first-site-name._sites.douglas.lan nodo2.douglas.lan 389
Looking for DNS entry SRV _ldap._tcp.default-first-site-name._sites.dc._msdcs.douglas.lan nodo2.douglas.lan 389 as _ldap._tcp.default-first-site-name._sites.dc._msdcs.douglas.lan.
Checking 0 100 389 nodo1.douglas.lan. against SRV _ldap._tcp.default-first-site-name._sites.dc._msdcs.douglas.lan nodo2.douglas.lan 389
Checking 0 100 389 nodo2.douglas.lan. against SRV _ldap._tcp.default-first-site-name._sites.dc._msdcs.douglas.lan nodo2.douglas.lan 389
Looking for DNS entry SRV _ldap._tcp.default-first-site-name._sites.gc._msdcs.douglas.lan nodo2.douglas.lan 3268 as _ldap._tcp.default-first-site-name._sites.gc._msdcs.douglas.lan.
Checking 0 100 3268 nodo2.douglas.lan. against SRV _ldap._tcp.default-first-site-name._sites.gc._msdcs.douglas.lan nodo2.douglas.lan 3268
Looking for DNS entry SRV _ldap._tcp.15cf6198-7655-4ba1-9563-2682bf9b6483.domains._msdcs.douglas.lan nodo2.douglas.lan 389 as _ldap._tcp.15cf6198-7655-4ba1-9563-2682bf9b6483.domains._msdcs.douglas.lan.
Checking 0 100 389 nodo2.douglas.lan. against SRV _ldap._tcp.15cf6198-7655-4ba1-9563-2682bf9b6483.domains._msdcs.douglas.lan nodo2.douglas.lan 389
Looking for DNS entry SRV _gc._tcp.douglas.lan nodo2.douglas.lan 3268 as _gc._tcp.douglas.lan.
Checking 0 100 3268 nodo2.douglas.lan. against SRV _gc._tcp.douglas.lan nodo2.douglas.lan 3268
Looking for DNS entry SRV _gc._tcp.default-first-site-name._sites.douglas.lan nodo2.douglas.lan 3268 as _gc._tcp.default-first-site-name._sites.douglas.lan.
Checking 0 100 3268 nodo1.douglas.lan. against SRV _gc._tcp.default-first-site-name._sites.douglas.lan nodo2.douglas.lan 3268
Checking 0 100 3268 nodo2.douglas.lan. against SRV _gc._tcp.default-first-site-name._sites.douglas.lan nodo2.douglas.lan 3268
No DNS updates needed
Now let's force an update of all the records
samba_dnsupdate --verbose --all-names
IPs: ['192.168.0.26']
Skipping PDC entry (SRV _ldap._tcp.pdc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389) as we are not a PDC
Skipping PDC entry (SRV _ldap._tcp.pdc._msdcs.${DNSFOREST} ${HOSTNAME} 389) as we are not a PDC
Calling nsupdate for A douglas.lan 192.168.0.26
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
douglas.lan.            900     IN      A       192.168.0.26

Calling nsupdate for A nodo2.douglas.lan 192.168.0.26
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
nodo2.douglas.lan.      900     IN      A       192.168.0.26

Calling nsupdate for A gc._msdcs.douglas.lan 192.168.0.26
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
gc._msdcs.douglas.lan.  900     IN      A       192.168.0.26

Calling nsupdate for CNAME ccc206ae-bc66-4a4e-a282-06aa4613cadd._msdcs.douglas.lan nodo2.douglas.lan
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
ccc206ae-bc66-4a4e-a282-06aa4613cadd._msdcs.douglas.lan. 900 IN CNAME nodo2.douglas.lan.

Calling nsupdate for SRV _kpasswd._tcp.douglas.lan nodo2.douglas.lan 464
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kpasswd._tcp.douglas.lan. 900 IN SRV 0 100 464 nodo2.douglas.lan.

Calling nsupdate for SRV _kpasswd._udp.douglas.lan nodo2.douglas.lan 464
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kpasswd._udp.douglas.lan. 900 IN SRV 0 100 464 nodo2.douglas.lan.

Calling nsupdate for SRV _kerberos._tcp.douglas.lan nodo2.douglas.lan 88
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.douglas.lan. 900 IN SRV 0 100 88 nodo2.douglas.lan.

Calling nsupdate for SRV _kerberos._tcp.dc._msdcs.douglas.lan nodo2.douglas.lan 88
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.dc._msdcs.douglas.lan. 900 IN SRV 0 100 88 nodo2.douglas.lan.

Calling nsupdate for SRV _kerberos._tcp.default-first-site-name._sites.douglas.lan nodo2.douglas.lan 88
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.default-first-site-name._sites.douglas.lan. 900 IN SRV 0 100 88 nodo2.douglas.lan.

Calling nsupdate for SRV _kerberos._tcp.default-first-site-name._sites.dc._msdcs.douglas.lan nodo2.douglas.lan 88
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.default-first-site-name._sites.dc._msdcs.douglas.lan. 900 IN SRV 0 100 88 nodo2.douglas.lan.

Calling nsupdate for SRV _kerberos._udp.douglas.lan nodo2.douglas.lan 88
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._udp.douglas.lan. 900 IN SRV 0 100 88 nodo2.douglas.lan.

Calling nsupdate for SRV _ldap._tcp.douglas.lan nodo2.douglas.lan 389
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.douglas.lan. 900 IN SRV 0 100 389 nodo2.douglas.lan.

Calling nsupdate for SRV _ldap._tcp.dc._msdcs.douglas.lan nodo2.douglas.lan 389
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.dc._msdcs.douglas.lan. 900 IN SRV 0 100 389 nodo2.douglas.lan.

Calling nsupdate for SRV _ldap._tcp.gc._msdcs.douglas.lan nodo2.douglas.lan 3268
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.gc._msdcs.douglas.lan. 900 IN SRV 0 100 3268 nodo2.douglas.lan.

Calling nsupdate for SRV _ldap._tcp.default-first-site-name._sites.douglas.lan nodo2.douglas.lan 389
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.default-first-site-name._sites.douglas.lan. 900 IN SRV 0 100 389 nodo2.douglas.lan.

Calling nsupdate for SRV _ldap._tcp.default-first-site-name._sites.dc._msdcs.douglas.lan nodo2.douglas.lan 389
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.default-first-site-name._sites.dc._msdcs.douglas.lan. 900 IN SRV 0 100 389 nodo2.douglas.lan.

Calling nsupdate for SRV _ldap._tcp.default-first-site-name._sites.gc._msdcs.douglas.lan nodo2.douglas.lan 3268
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.default-first-site-name._sites.gc._msdcs.douglas.lan. 900 IN SRV 0 100 3268 nodo2.douglas.lan.

Calling nsupdate for SRV _ldap._tcp.15cf6198-7655-4ba1-9563-2682bf9b6483.domains._msdcs.douglas.lan nodo2.douglas.lan 389
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.15cf6198-7655-4ba1-9563-2682bf9b6483.domains._msdcs.douglas.lan. 900 IN SRV 0 100 389 nodo2.douglas.lan.

Calling nsupdate for SRV _gc._tcp.douglas.lan nodo2.douglas.lan 3268
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_gc._tcp.douglas.lan. 900 IN SRV 0 100 3268 nodo2.douglas.lan.

Calling nsupdate for SRV _gc._tcp.default-first-site-name._sites.douglas.lan nodo2.douglas.lan 3268
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_gc._tcp.default-first-site-name._sites.douglas.lan. 900 IN SRV 0 100 3268 nodo2.douglas.lan.
Now let's run DNS queries for the service records
Let's query the LDAP service
host -t SRV _ldap._tcp.douglas.lan.
_ldap._tcp.douglas.lan has SRV record 0 100 389 nodo2.douglas.lan.
_ldap._tcp.douglas.lan has SRV record 0 100 389 nodo1.douglas.lan.
Let's query the Kerberos service
host -t SRV _kerberos._udp.douglas.lan.
_kerberos._udp.douglas.lan has SRV record 0 100 88 nodo1.douglas.lan.
_kerberos._udp.douglas.lan has SRV record 0 100 88 nodo2.douglas.lan.
Now let's query the A record of our server
host -t A nodo2.douglas.lan
nodo2.douglas.lan has address 192.168.0.26
Now let's list the Kerberos keytab
klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 DNS/nodo2.douglas.lan@DOUGLAS.LAN
   1 dns-nodo2@DOUGLAS.LAN
   1 DNS/nodo2.douglas.lan@DOUGLAS.LAN
   1 dns-nodo2@DOUGLAS.LAN
   1 DNS/nodo2.douglas.lan@DOUGLAS.LAN
   1 dns-nodo2@DOUGLAS.LAN
   1 DNS/nodo2.douglas.lan@DOUGLAS.LAN
   1 dns-nodo2@DOUGLAS.LAN
   1 DNS/nodo2.douglas.lan@DOUGLAS.LAN
   1 dns-nodo2@DOUGLAS.LAN
Now let's check the active tickets
klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@DOUGLAS.LAN

Valid starting     Expires            Service principal
08/26/13 18:54:21  08/27/13 04:54:21  krbtgt/DOUGLAS.LAN@DOUGLAS.LAN
        renew until 08/27/13 18:54:17, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
Now let's check that both of our servers are registered as domain controllers in the directory
ldbsearch -H /usr/local/samba/private/sam.ldb '(invocationid=*)' --cross-ncs objectguid
# record 1
dn: CN=NTDS Settings,CN=NODO1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=douglas,DC=lan
objectGUID: eae04ba1-3ca2-4ec6-b08c-4962ca4f04b4

# record 2
dn: CN=NTDS Settings,CN=NODO2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=douglas,DC=lan
objectGUID: ccc206ae-bc66-4a4e-a282-06aa4613cadd

# returned 2 records
# 2 entries
# 0 referrals
Now let's check the replication
samba-tool drs showrepl
Default-First-Site-Name\NODO2
DSA Options: 0x00000001
DSA object GUID: ccc206ae-bc66-4a4e-a282-06aa4613cadd
DSA invocationId: 08233b5e-5d9f-469f-b350-641b18278b60

==== INBOUND NEIGHBORS ====

CN=Schema,CN=Configuration,DC=douglas,DC=lan
    Default-First-Site-Name\NODO1 via RPC
        DSA object GUID: eae04ba1-3ca2-4ec6-b08c-4962ca4f04b4
        Last attempt @ Mon Aug 26 19:01:06 2013 BRT was successful
        0 consecutive failure(s).
        Last success @ Mon Aug 26 19:01:06 2013 BRT

DC=DomainDnsZones,DC=douglas,DC=lan
    Default-First-Site-Name\NODO1 via RPC
        DSA object GUID: eae04ba1-3ca2-4ec6-b08c-4962ca4f04b4
        Last attempt @ Mon Aug 26 19:01:06 2013 BRT was successful
        0 consecutive failure(s).
        Last success @ Mon Aug 26 19:01:06 2013 BRT

CN=Configuration,DC=douglas,DC=lan
    Default-First-Site-Name\NODO1 via RPC
        DSA object GUID: eae04ba1-3ca2-4ec6-b08c-4962ca4f04b4
        Last attempt @ Mon Aug 26 19:01:06 2013 BRT was successful
        0 consecutive failure(s).
        Last success @ Mon Aug 26 19:01:06 2013 BRT

DC=ForestDnsZones,DC=douglas,DC=lan
    Default-First-Site-Name\NODO1 via RPC
        DSA object GUID: eae04ba1-3ca2-4ec6-b08c-4962ca4f04b4
        Last attempt @ Mon Aug 26 19:01:06 2013 BRT was successful
        0 consecutive failure(s).
        Last success @ Mon Aug 26 19:01:06 2013 BRT

DC=douglas,DC=lan
    Default-First-Site-Name\NODO1 via RPC
        DSA object GUID: eae04ba1-3ca2-4ec6-b08c-4962ca4f04b4
        Last attempt @ Mon Aug 26 19:01:07 2013 BRT was successful
        0 consecutive failure(s).
        Last success @ Mon Aug 26 19:01:07 2013 BRT

==== OUTBOUND NEIGHBORS ====

CN=Schema,CN=Configuration,DC=douglas,DC=lan
    Default-First-Site-Name\NODO1 via RPC
        DSA object GUID: eae04ba1-3ca2-4ec6-b08c-4962ca4f04b4
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

DC=DomainDnsZones,DC=douglas,DC=lan
    Default-First-Site-Name\NODO1 via RPC
        DSA object GUID: eae04ba1-3ca2-4ec6-b08c-4962ca4f04b4
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

CN=Configuration,DC=douglas,DC=lan
    Default-First-Site-Name\NODO1 via RPC
        DSA object GUID: eae04ba1-3ca2-4ec6-b08c-4962ca4f04b4
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

DC=ForestDnsZones,DC=douglas,DC=lan
    Default-First-Site-Name\NODO1 via RPC
        DSA object GUID: eae04ba1-3ca2-4ec6-b08c-4962ca4f04b4
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

DC=douglas,DC=lan
    Default-First-Site-Name\NODO1 via RPC
        DSA object GUID: eae04ba1-3ca2-4ec6-b08c-4962ca4f04b4
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ====

Connection --
    Connection name: d6fcfc72-89b0-4f4c-88c2-bf887510b6af
    Enabled        : TRUE
    Server DNS name : nodo1.douglas.lan
    Server DN name  : CN=NTDS Settings,CN=NODO1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=douglas,DC=lan
        TransportType: RPC
        options: 0x00000001
Warning: No NC replicated for Connection!
Our replication is OK
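The checks above are read by eye. The script below is an added example (not part of the original page and not a Samba tool) that applies the same two checks to captured output so they can run from cron or a monitoring agent: it confirms that every DC appears as an SRV target in host -t SRV output, and it counts partners in samba-tool drs showrepl output that report a non-zero consecutive failure count. The function names and the sample output embedded in it are constructed for this example; the sample records copy the ones shown above, plus one made-up failing partner.

```shell
#!/bin/sh
# Added example (not from the original page): offline health checks over
# captured "host -t SRV" and "samba-tool drs showrepl" output.
# Function names and the sample text below are constructed for this example.

# Constructed sample: the two SRV answers shown above, both DCs present.
sample_srv_both() {
cat <<'EOF'
_ldap._tcp.douglas.lan has SRV record 0 100 389 nodo2.douglas.lan.
_ldap._tcp.douglas.lan has SRV record 0 100 389 nodo1.douglas.lan.
EOF
}

# Constructed sample: only nodo1 registered, as it looks before samba_dnsupdate
# has run on nodo2.
sample_srv_one() {
cat <<'EOF'
_ldap._tcp.douglas.lan has SRV record 0 100 389 nodo1.douglas.lan.
EOF
}

# Constructed sample of showrepl lines: one healthy partner, one failing one.
sample_showrepl() {
cat <<'EOF'
==== INBOUND NEIGHBORS ====

DC=douglas,DC=lan
    Default-First-Site-Name\NODO1 via RPC
        DSA object GUID: eae04ba1-3ca2-4ec6-b08c-4962ca4f04b4
        Last attempt @ Mon Aug 26 19:01:07 2013 BRT was successful
        0 consecutive failure(s).

CN=Configuration,DC=douglas,DC=lan
    Default-First-Site-Name\NODO1 via RPC
        DSA object GUID: eae04ba1-3ca2-4ec6-b08c-4962ca4f04b4
        Last attempt @ Mon Aug 26 19:31:07 2013 BRT failed
        3 consecutive failure(s).
EOF
}

# srv_covers_dcs DC... : read host(1) output on stdin and succeed only when
# every DC named on the command line appears as an SRV target.
srv_covers_dcs() {
    srv_out=$(cat)
    missing=""
    for dc in "$@"; do
        case "$srv_out" in
            *" $dc."*) ;;                      # host prints the target with a trailing dot
            *) missing="$missing $dc" ;;
        esac
    done
    if [ -n "$missing" ]; then
        printf 'missing SRV target(s):%s\n' "$missing" >&2
        return 1
    fi
    return 0
}

# drs_failures : read showrepl output on stdin and print how many partner
# entries report a non-zero "consecutive failure(s)" count.
drs_failures() {
    awk '/consecutive failure/ && $1 + 0 > 0 { n++ } END { print n + 0 }'
}

# Demo against the constructed samples.
if sample_srv_both | srv_covers_dcs nodo1.douglas.lan nodo2.douglas.lan; then
    echo "SRV: both DCs registered"
fi
sample_srv_one | srv_covers_dcs nodo1.douglas.lan nodo2.douglas.lan || echo "SRV: a DC is missing"
echo "showrepl: $(sample_showrepl | drs_failures) partner(s) failing"
```

On a live DC the same functions are fed from the real commands, for example host -t SRV _ldap._tcp.douglas.lan. | srv_covers_dcs nodo1.douglas.lan nodo2.douglas.lan and samba-tool drs showrepl | drs_failures; a non-zero failure count after a DC has been rebooted is the first sign that directory (and therefore password and group) changes are no longer reaching it.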
Adjusting PAM on the SLAVE
Now let's configure PAM; with it we can authenticate domain users on Linux. I am going to allow only the root group and the ti-admin group, which has to be created in the AD, to authenticate on Linux and get a shell.
Let's create a link to the winbind authentication library compiled for 64-bit systems
ln -sf /usr/local/samba/lib/security/pam_winbind.so /lib64/security/pam_winbind.so
Let's create a link to the winbind authentication library compiled for 32-bit systems
ln -sf /usr/local/samba/lib/security/pam_winbind.so /lib/security/pam_winbind.so
Let's change system-auth so that when a user logs in to the system their home directory is created with the contents of /etc/skel
vim /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     required      pam_mkhomedir.so skel=/etc/skel/ umask=0027
Now let's adjust login
vim /etc/pam.d/login
#%PAM-1.0
auth       sufficient   pam_winbind.so
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       include      system-auth
account    sufficient   pam_succeed_if.so user ingroup root
account    required     pam_winbind.so
account    required     pam_nologin.so
account    include      system-auth
# Groups allowed to log in on the server
account    requisite    pam_succeed_if.so user ingroup ti-admin
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_mkhomedir.so skel=/etc/skel umask=0027
session    include      system-auth
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    optional     pam_keyinit.so force revoke
Now let's adjust ssh
vim /etc/pam.d/sshd
#%PAM-1.0
auth       sufficient   pam_winbind.so
auth       include      system-auth
account    sufficient   pam_succeed_if.so user ingroup root
account    required     pam_winbind.so
account    required     pam_nologin.so
account    include      system-auth
# Groups allowed to log in via ssh
account    requisite    pam_succeed_if.so user ingroup ti-admin
password   include      system-auth
session    required     pam_mkhomedir.so skel=/etc/skel umask=0027
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so
Since this server is a replica of the PDC we should already have the users and groups; let's just query them
Let's query the users
wbinfo -u
Administrator
Guest
krbtgt
dns-nodo1
douglas.santos
Now let's query the groups
wbinfo -g
Enterprise Read-Only Domain Controllers
Domain Admins
Domain Users
Domain Guests
Domain Computers
Domain Controllers
Schema Admins
Enterprise Admins
Group Policy Creator Owners
Read-Only Domain Controllers
DnsUpdateProxy
ti-admin
Now let's reboot the server
reboot
Now, after logging in again, let's check the winbind connection
wbinfo -t
checking the trust secret for domain DOUGLAS via RPC calls succeeded
I already have my user douglas.santos and it belongs to the ti-admin group; now let's test the connection via ssh
ssh douglas.santos@192.168.0.26
douglas.santos@192.168.0.26's password:
Creating directory '/home/DOUGLAS/douglas.santos'.
[19:08:04] DOUGLAS\douglas.santos@nodo2 [~] $
Now if we check the secure log we will have something like
tail -f /var/log/secure
Aug 26 19:08:03 nodo2 sshd[1222]: pam_winbind(sshd:auth): getting password (0x00000000)
Aug 26 19:08:03 nodo2 sshd[1222]: pam_winbind(sshd:auth): user 'douglas.santos' granted access
Aug 26 19:08:03 nodo2 sshd[1222]: pam_succeed_if(sshd:account): requirement "user ingroup root" not met by user "DOUGLAS\douglas.santos"
Aug 26 19:08:04 nodo2 sshd[1222]: pam_winbind(sshd:account): user 'DOUGLAS\douglas.santos' granted access
Aug 26 19:08:04 nodo2 sshd[1222]: pam_succeed_if(sshd:account): requirement "user ingroup ti-admin" was met by user "DOUGLAS\douglas.santos"
Aug 26 19:08:04 nodo2 sshd[1222]: Accepted password for douglas.santos from 192.168.0.130 port 48754 ssh2
Aug 26 19:08:04 nodo2 sshd[1222]: pam_unix(sshd:session): session opened for user DOUGLAS\douglas.santos by (uid=0)
As we can see, our authentication is OK.
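The log above shows the useful property of this PAM stack: pam_winbind accepts the password first, and the requisite pam_succeed_if line on ti-admin then decides whether the account gets a shell. A domain user with a valid password who is not in ti-admin therefore fails in the account phase, not the auth phase, and that is worth watching for. The script below is an added example (not from the original page) that summarises each sshd session from /var/log/secure lines into "accepted" or "denied-by-group". The sample lines are constructed: the douglas.santos lines copy the ones shown above, the joao.silva attempt is made up to show the denied case.

```shell
#!/bin/sh
# Added example (not from the original page): summarise SSH login outcomes from
# the pam_winbind / pam_succeed_if lines that the PAM stacks above write to
# /var/log/secure. Sample lines are constructed; "joao.silva" is made up.

sample_secure() {
cat <<'EOF'
Aug 26 19:08:03 nodo2 sshd[1222]: pam_winbind(sshd:auth): getting password (0x00000000)
Aug 26 19:08:03 nodo2 sshd[1222]: pam_winbind(sshd:auth): user 'douglas.santos' granted access
Aug 26 19:08:03 nodo2 sshd[1222]: pam_succeed_if(sshd:account): requirement "user ingroup root" not met by user "DOUGLAS\douglas.santos"
Aug 26 19:08:04 nodo2 sshd[1222]: pam_winbind(sshd:account): user 'DOUGLAS\douglas.santos' granted access
Aug 26 19:08:04 nodo2 sshd[1222]: pam_succeed_if(sshd:account): requirement "user ingroup ti-admin" was met by user "DOUGLAS\douglas.santos"
Aug 26 19:08:04 nodo2 sshd[1222]: Accepted password for douglas.santos from 192.168.0.130 port 48754 ssh2
Aug 26 19:12:41 nodo2 sshd[1301]: pam_winbind(sshd:auth): getting password (0x00000000)
Aug 26 19:12:41 nodo2 sshd[1301]: pam_winbind(sshd:auth): user 'joao.silva' granted access
Aug 26 19:12:41 nodo2 sshd[1301]: pam_succeed_if(sshd:account): requirement "user ingroup root" not met by user "DOUGLAS\joao.silva"
Aug 26 19:12:41 nodo2 sshd[1301]: pam_winbind(sshd:account): user 'DOUGLAS\joao.silva' granted access
Aug 26 19:12:41 nodo2 sshd[1301]: pam_succeed_if(sshd:account): requirement "user ingroup ti-admin" not met by user "DOUGLAS\joao.silva"
Aug 26 19:12:41 nodo2 sshd[1301]: fatal: Access denied for user joao.silva by PAM account configuration
EOF
}

# ssh_login_outcomes : read secure-log lines on stdin and print one line per
# sshd session, "<user> accepted" or "<user> denied-by-group". In both cases
# the password was right (pam_winbind granted auth); the ti-admin rule decides.
ssh_login_outcomes() {
    awk '
        # key every line by the sshd pid so the stages of one login stay together
        match($0, /sshd\[[0-9]+\]/) { pid = substr($0, RSTART + 5, RLENGTH - 6) }
        /Accepted password for/ {
            for (i = 1; i <= NF; i++) if ($i == "for") name[pid] = $(i + 1)
            accepted[pid] = 1
        }
        /requirement "user ingroup ti-admin" not met by user/ {
            u = $NF; gsub(/"/, "", u)            # "DOUGLAS\joao.silva" -> DOUGLAS\joao.silva
            name[pid] = u; denied[pid] = 1
        }
        END {
            for (p in name) {
                if (p in accepted)    print name[p], "accepted"
                else if (p in denied) print name[p], "denied-by-group"
            }
        }'
}

# Demo against the constructed sample.
sample_secure | ssh_login_outcomes
```

Fed with the real log (grep sshd /var/log/secure | ssh_login_outcomes), a steady stream of denied-by-group lines for one account is either a user who needs to be added to ti-admin or a password that is in use by someone other than its owner; either way the auth-phase success is the part that deserves the follow-up.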
Sysvol Replication
Here I will cover the way the Samba team recommends doing the sysvol replication, which for now is not automatic.
On the master server, in my case nodo1, let's install rsync and xinetd
yum install xinetd rsync -y
Now let's add xinetd to the system startup
chkconfig --add xinetd
chkconfig xinetd on
Now let's set up the rsync configuration for xinetd
vim /etc/xinetd.d/rsync
# default: off
# description: The rsync server is a good addition to an ftp server, as it \
#       allows crc checksumming etc.
service rsync
{
        disable         = no
        only_from       = 192.168.0.0/24
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/bin/rsync
        server_args     = --daemon
        log_on_failure  += USERID
}
Now let's create our rsyncd.conf configuration file, which will contain the sysvol share
vim /etc/rsyncd.conf
[SysVol]
path = /usr/local/samba/var/locks/sysvol/
comment = Samba Sysvol Share
uid = root
gid = root
read only = yes
auth users = sysvol-replication
secrets file = /usr/local/samba/etc/rsyncd.secret
Note that we are using a user and a password there; now let's create the file containing the password
vim /usr/local/samba/etc/rsyncd.secret
sysvol-replication:pa$$w0rd
Now let's adjust the file permissions, otherwise rsync will not make the share available
chmod 440 /usr/local/samba/etc/rsyncd.secret
Now let's restart xinetd
/etc/init.d/xinetd restart
Let's check the size of the sysvol on the master server
du -sh /usr/local/samba/var/locks/sysvol
100K    /usr/local/samba/var/locks/sysvol
Now let's check the size of the sysvol on the slave server
du -sh /usr/local/samba/var/locks/sysvol
12K     /usr/local/samba/var/locks/sysvol
Note that there is a big difference.
Now let's configure the slave server
Let's install rsync
yum install rsync -y
Now let's create the file containing the password to access the master server
vim /usr/local/samba/etc/rsync-sysvol.secret
pa$$w0rd
Now let's fix the permissions of the password file
chmod 440 /usr/local/samba/etc/rsync-sysvol.secret
Now let's test the sysvol synchronization
rsync --dry-run -XAavz --delete-after --password-file=/usr/local/samba/etc/rsync-sysvol.secret rsync://sysvol-replication@192.168.0.25/SysVol/ /usr/local/samba/var/locks/sysvol/
receiving file list ... done
./
douglas.lan/
douglas.lan/Policies/
douglas.lan/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/
douglas.lan/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI
douglas.lan/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/
douglas.lan/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/USER/
douglas.lan/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/
douglas.lan/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/GPT.INI
douglas.lan/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/MACHINE/
douglas.lan/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/USER/
douglas.lan/scripts/
douglas.lan/scripts/sharedemo.bat

sent 109 bytes  received 876 bytes  656.67 bytes/sec
total size is 77  speedup is 0.08 (DRY RUN)
Note that we had no errors, so we can now omit the --dry-run option
Now let's do the replication
rsync -XAavz --delete-after --password-file=/usr/local/samba/etc/rsync-sysvol.secret rsync://sysvol-replication@192.168.0.25/SysVol/ /usr/local/samba/var/locks/sysvol/
receiving file list ... done
./
douglas.lan/
douglas.lan/Policies/
douglas.lan/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/
douglas.lan/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI
douglas.lan/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/
douglas.lan/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/USER/
douglas.lan/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/
douglas.lan/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/GPT.INI
douglas.lan/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/MACHINE/
douglas.lan/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/USER/
douglas.lan/scripts/
douglas.lan/scripts/sharedemo.bat

sent 173 bytes  received 2308 bytes  4962.00 bytes/sec
total size is 77  speedup is 0.03
Now let's check the size of the sysvol on the master server
du -sh /usr/local/samba/var/locks/sysvol
100K    /usr/local/samba/var/locks/sysvol
Now let's check the size of the sysvol on the slave server
du -sh /usr/local/samba/var/locks/sysvol
100K    /usr/local/samba/var/locks/sysvol
Now let's leave a routine in the slave server's crontab to always perform the synchronization
crontab -e
*/5 * * * * rsync -XAavz --delete-after --password-file=/usr/local/samba/etc/rsync-sysvol.secret rsync://sysvol-replication@192.168.0.25/SysVol/ /usr/local/samba/var/locks/sysvol
This synchronization can be done for all DCs except the PDC.
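The cron line above runs rsync unconditionally every five minutes. The script below is an added example (it is not from the original page or from the Samba project) that wraps the same pull: it refuses to run if the rsync password file has become readable by other users, uses flock(1) from util-linux so a slow pull is never started twice in parallel, and logs each outcome to syslog. The paths, the master address and the sysvol-replication account are the ones used above; the lock file path, the log tag and the function names are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): a wrapper for the slave's sysvol
# cron job. Paths, master address and rsync user are the ones used on this page;
# the lock file location and the syslog tag are assumptions for this example.

SECRET=/usr/local/samba/etc/rsync-sysvol.secret
MASTER=192.168.0.25
SYSVOL=/usr/local/samba/var/locks/sysvol/
LOCK=/var/run/sysvol-sync.lock        # assumed location
TAG=sysvol-sync                       # assumed syslog tag

# secret_perms_ok FILE : true only when FILE exists and its mode is one of
# 0400, 0440, 0600 or 0640, i.e. no "other" bits and no group-write bit.
# rsync itself rejects a password file that is other-accessible; checking
# here fails earlier and with a clearer message in the log.
secret_perms_ok() {
    mode=$(stat -c %a "$1" 2>/dev/null) || return 1
    case "$mode" in
        400|440|600|640) return 0 ;;
        *) return 1 ;;
    esac
}

# sysvol_sync : one replication pass. Returns rsync's exit status, 2 when the
# password file check fails, or 3 when a previous pass still holds the lock.
sysvol_sync() {
    if ! secret_perms_ok "$SECRET"; then
        logger -t "$TAG" "refusing to run: $SECRET must be mode 0440 or stricter"
        return 2
    fi
    # -n: do not wait for the lock; -E 3: exit 3 instead of 1 when it is held,
    # so a lock conflict cannot be confused with rsync's own exit status 1.
    flock -n -E 3 "$LOCK" \
        rsync -XAaz --delete-after --password-file="$SECRET" \
              "rsync://sysvol-replication@$MASTER/SysVol/" "$SYSVOL"
    rc=$?
    case "$rc" in
        0) logger -t "$TAG" "sysvol pulled from $MASTER" ;;
        3) logger -t "$TAG" "previous sync still running, skipped this pass" ;;
        *) logger -t "$TAG" "rsync failed with exit status $rc" ;;
    esac
    return "$rc"
}

# Only contact the master when asked to, so the file can also be sourced for
# its functions. Assumed install path: /usr/local/sbin/sysvol-sync.sh
if [ "${1:-}" = "run" ]; then
    sysvol_sync
fi
```

The crontab entry then becomes */5 * * * * /usr/local/sbin/sysvol-sync.sh run (path assumed). Two points about the design the page chose: the rsync daemon protocol authenticates the sysvol-replication user with a challenge-response, but the GPO files themselves cross the wire unencrypted, so the only_from restriction in the xinetd service and a trusted network between the DCs are part of the design rather than optional; and because --delete-after makes the slave an exact mirror, any change to the policies on the master, wanted or not, is on every slave within five minutes, which is one more reason to keep the backup mentioned in the introduction current.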
Configuring a CentOS Client to authenticate against Samba 4
Prepare your system with the following script http://wiki.douglasqsantos.com.br/doku.php/confinicialcentos6_en so that no package or configuration is missing.
Let's install the dependencies so it can become part of the Samba 4 domain
yum install samba samba-winbind samba-winbind-devel samba-client samba-common \
pam_krb5 cifs-utils samba-winbind-krb5-locator samba-doc krb5-workstation -y
Now let's add the services to the system startup
chkconfig --add nmb
chkconfig --add smb
chkconfig --add winbind
Now let's enable them
chkconfig nmb on
chkconfig smb on
chkconfig winbind on
Now let's adjust the client's resolv.conf
vim /etc/resolv.conf
domain douglas.lan
search douglas.lan
nameserver 192.168.0.25
nameserver 192.168.0.26
Now let's adjust the network interface
vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE="eth0"
BOOTPROTO="static"
BROADCAST="192.168.0.255"
DNS1="192.168.0.25"
DNS2="192.168.0.26"
GATEWAY="192.168.0.1"
IPADDR="192.168.0.27"
NETMASK="255.255.255.0"
NM_CONTROLLED="yes"
ONBOOT="yes"
TYPE="Ethernet"
Now let's adjust the server's clock; since we are going to work with winbind and Kerberos we cannot have a time difference
ntpdate -u a.ntp.br
Now let's adjust Kerberos
vim /etc/krb5.conf
[libdefaults]
        default_realm = DOUGLAS.LAN
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
        v4_instance_resolve = false
        v4_name_convert = {
                host = {
                        rcmd = host
                        ftp = ftp
                }
                plain = {
                        something = something-else
                }
        }
        fcc-mit-ticketflags = true

[realms]
        DOUGLAS.LAN = {
                kdc = 192.168.0.25
                kdc = 192.168.0.26
                admin_server = 192.168.0.25:749
                default_server = 192.168.0.25
        }

[domain_realm]
        .douglas.lan = DOUGLAS.LAN
        douglas.lan = DOUGLAS.LAN

[login]
        krb4_convert = true
        krb4_get_tickets = false

[kdc]
        profile = /etc/krb5kdc/kdc.conf

[appdefaults]
        pam = {
                debug = false
                ticket_lifetime = 36000
                renew_lifetime = 36000
                forwardable = true
                krb4_convert = false
        }

[logging]
        default = file:/var/log/krb5libs.log
        kdc = file:/var/log/krb5kdc.log
        admin_server = file:/var/log/kadmind.log
Now let's fix limits.conf
vim /etc/security/limits.conf
[...]
# add at the end of the file
root        hard    nofile  131072
root        soft    nofile  65536
mioutente   hard    nofile  32768
mioutente   soft    nofile  16384
Now let's adjust smb.conf
vim /etc/samba/smb.conf
[global]
    workgroup = DOUGLAS
    security = ADS
    realm = DOUGLAS.LAN
    netbios name = CENTOS
    encrypt passwords = yes
    idmap config * : backend = tdb
    idmap config * : range = 10000-30000
    idmap config DOUGLAS:backend = ad
    idmap config DOUGLAS:schema_mode = rfc2307
    auth methods = winbind
    winbind nss info = rfc2307
    winbind trusted domains only = no
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    template shell = /bin/bash
Now let's adjust nsswitch.conf
vim /etc/nsswitch.conf
[...]
passwd:     files winbind
shadow:     files
group:      files winbind
Let's start the services
/etc/init.d/nmb start
/etc/init.d/smb start
/etc/init.d/winbind start
Now let's adjust PAM
Let's set it up so that when a user logs in their home directory is created
vim /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     required      pam_mkhomedir.so skel=/etc/skel/ umask=0027
Now let's adjust login using winbind; here I allowed only the root and ti-admin groups to log in on Linux machines
vim /etc/pam.d/login
#%PAM-1.0
auth       sufficient   pam_winbind.so
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       include      system-auth
account    sufficient   pam_succeed_if.so user ingroup root
account    required     pam_winbind.so
account    required     pam_nologin.so
account    include      system-auth
# Groups allowed to log in on the server
account    requisite    pam_succeed_if.so user ingroup ti-admin
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_mkhomedir.so skel=/etc/skel umask=0027
session    include      system-auth
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    optional     pam_keyinit.so force revoke
Now let's adjust ssh access using winbind; here I allowed only the root and ti-admin groups to log in on Linux machines
vim /etc/pam.d/sshd
#%PAM-1.0
auth       sufficient   pam_winbind.so
auth       include      system-auth
account    sufficient   pam_succeed_if.so user ingroup root
account    required     pam_winbind.so
account    required     pam_nologin.so
account    include      system-auth
# Groups allowed to log in via ssh
account    requisite    pam_succeed_if.so user ingroup ti-admin
password   include      system-auth
session    required     pam_mkhomedir.so skel=/etc/skel umask=0027
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so
Now let's check that we can obtain a Kerberos ticket
kinit administrator
Password for administrator@DOUGLAS.LAN:
Warning: Your password will expire in 41 days on Mon Oct  7 12:02:11 2013
Now let's list our ticket
klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@DOUGLAS.LAN

Valid starting     Expires            Service principal
08/27/13 10:02:54  08/27/13 20:02:54  krbtgt/DOUGLAS.LAN@DOUGLAS.LAN
        renew until 08/28/13 10:02:51
Now let's join the domain
net ads join douglas.lan -U administrator
I'm still trying to fix this DNS error.
Now let's restart the services
/etc/init.d/nmb restart
/etc/init.d/smb restart
/etc/init.d/winbind restart
Now let's test the winbind connection
wbinfo -t
checking the trust secret for domain DOUGLAS via RPC calls succeeded
Now let's list the domain users
wbinfo -u
douglas.santos
administrator
dns-nodo1
krbtgt
guest
Let's list the groups
wbinfo -g
allowed rodc password replication group
enterprise read-only domain controllers
denied rodc password replication group
ti-admin
read-only domain controllers
group policy creator owners
ras and ias servers
domain controllers
enterprise admins
domain computers
cert publishers
dnsupdateproxy
domain admins
domain guests
schema admins
domain users
dnsadmins
Now let's test ssh access to this client
ssh douglas.santos@192.168.0.27
douglas.santos@192.168.0.27's password:
Creating directory '/home/DOUGLAS/douglas.santos'.
[10:40:01] douglas.santos@centos [~] $
Now let's look at the CentOS access logs
tail -f /var/log/secure
Aug 27 10:38:55 centos sshd[13906]: pam_winbind(sshd:auth): getting password (0x00000000)
Aug 27 10:38:56 centos sshd[13906]: pam_winbind(sshd:auth): user 'douglas.santos' granted access
Aug 27 10:39:32 centos sshd[13906]: pam_succeed_if(sshd:account): requirement "user ingroup root" not met by user "douglas.santos"
Aug 27 10:39:32 centos sshd[13906]: pam_winbind(sshd:account): user 'douglas.santos' granted access
Aug 27 10:39:35 centos sshd[13906]: pam_succeed_if(sshd:account): requirement "user ingroup ti-admin" was met by user "douglas.santos"
Aug 27 10:39:35 centos sshd[13906]: Accepted password for douglas.santos from 192.168.0.130 port 46470 ssh2
Aug 27 10:39:50 centos sshd[13906]: pam_unix(sshd:session): session opened for user douglas.santos by (uid=0)
The client is configured successfully :D
Configurando um Cliente Debian Wheezy para autenticar no Samba 4
Prepare o seu sistema com o seguinte script http://wiki.douglasqsantos.com.br/doku.php/confinicialwheezy_en para que não falte nenhum pacote ou configuração.
Vamos atualizar os repositórios e fazer um upgrade do sistema
aptitude update && aptitude dist-upgrade -y
Agora vamos ajustar as variáveis de ambiente do Debian
export DEBIAN_PRIORITY=critical export DEBIAN_FRONTEND=noninteractive
Agora vamos instalar as dependências
aptitude install samba samba-common smbclient winbind krb5-config libpam-krb5 cifs-utils krb5-user -y
Agora vamos voltar as variáveis de ambiente do Debian
unset DEBIAN_PRIORITY unset DEBIAN_FRONTEND
Now let's set up resolv.conf so the client resolves names through the domain controllers; the AD DNS is what publishes the SRV records the join and Kerberos rely on
vim /etc/resolv.conf
domain douglas.lan
search douglas.lan
nameserver 192.168.0.25
nameserver 192.168.0.26
Now let's sync the clock; Kerberos rejects a client whose clock is more than 5 minutes off the KDC, so do this before any join or login test
ntpdate -u a.ntp.br
Now let's adjust the Kerberos configuration file
vim /etc/krb5.conf
[libdefaults]
    default_realm = DOUGLAS.LAN
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    v4_instance_resolve = false
    v4_name_convert = {
        host = {
            rcmd = host
            ftp = ftp
        }
        plain = {
            something = something-else
        }
    }
    fcc-mit-ticketflags = true
[realms]
    DOUGLAS.LAN = {
        kdc = 192.168.0.25
        kdc = 192.168.0.26
        admin_server = 192.168.0.25:749
        default_server = 192.168.0.25
    }
[domain_realm]
    .douglas.lan = DOUGLAS.LAN
    douglas.lan = DOUGLAS.LAN
[login]
    krb4_convert = true
    krb4_get_tickets = false
[kdc]
    profile = /etc/krb5kdc/kdc.conf
[appdefaults]
    pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
    }
[logging]
    default = file:/var/log/krb5libs.log
    kdc = file:/var/log/krb5kdc.log
    admin_server = file:/var/log/kadmind.log
What matters for a client here is default_realm (upper-case, and identical to realm in smb.conf), the [realms] entry listing both domain controllers as kdc, and the [domain_realm] mapping. The krb4_* and v4_* entries are Debian's stock Kerberos 4 compatibility template and are ignored by current MIT Kerberos; the [kdc] section is only read by a KDC, not by a client.
Now let's adjust limits.conf (winbind and Samba keep a lot of files open on a busy client)
vim /etc/security/limits.conf
[...]
# add at the end of the file
root hard nofile 131072
root soft nofile 65536
mioutente hard nofile 32768
mioutente soft nofile 16384
mioutente is just a placeholder login name, not an account on this system; replace it with the user (or @group) the limit should apply to, or drop those two lines.
Now let's adjust smb.conf
vim /etc/samba/smb.conf
[global]
   workgroup = DOUGLAS
   security = ADS
   realm = DOUGLAS.LAN
   netbios name = DEBIAN
   encrypt passwords = yes
   idmap config * : backend = tdb
   idmap config * : range = 10000-30000
   idmap config DOUGLAS:backend = ad
   idmap config DOUGLAS:schema_mode = rfc2307
   auth methods = winbind
   winbind nss info = rfc2307
   winbind trusted domains only = no
   winbind use default domain = yes
   winbind enum users = yes
   winbind enum groups = yes
   template shell = /bin/bash
Note: the ad backend for DOUGLAS also needs its own idmap config DOUGLAS:range. It must not overlap the * range and must contain the uidNumber/gidNumber values assigned to the users and groups in AD; without it winbind cannot initialise the DOUGLAS backend and falls back to the default tdb backend, so the IDs on this client are allocated locally and will not match the rfc2307 IDs in AD or the IDs on other member servers (file ownership on shares then differs from host to host). winbind enum users/groups = yes is what makes wbinfo -u and -g list everything; it is expensive in a large domain and is not needed for logins.
Now let's adjust nsswitch.conf so the system looks up domain users and groups through winbind
vim /etc/nsswitch.conf
[...]
passwd: compat winbind
group: compat winbind
Now let's restart the services
/etc/init.d/samba restart
/etc/init.d/winbind restart
Now let's join the domain
net ads join douglas.lan -U administrator
Now let's restart the services again so winbind picks up the new machine account
/etc/init.d/samba restart
/etc/init.d/winbind restart
Now let's adjust PAM
First the password stack (common-password). Authentication itself lives in common-auth, which pam-auth-update already wired up when libpam-krb5 was installed; that is why pam_krb5 appears in the login log below. What we edit here is password changing, so that passwd for a domain user goes to the KDC instead of stopping at pam_unix: the first line lets a local account change its password without touching Kerberos, and for a domain user (no local shadow entry) pam_unix fails and the change falls through to pam_krb5
vim /etc/pam.d/common-password
password sufficient pam_unix.so
password requisite pam_krb5.so minimum_uid=1000
password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
password [success=1 default=ignore] pam_winbind.so use_authtok try_first_pass
password requisite pam_deny.so
password required pam_permit.so
Now the session stack, so the home directory is created when a user logs in for the first time (umask=0027 gives it mode 750, so other domain users cannot read it)
vim /etc/pam.d/common-session
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session required pam_unix.so
session optional pam_winbind.so
session optional pam_mkhomedir.so skel=/etc/skel umask=0027
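Before moving on to the join and the wbinfo tests it is worth checking the files written in the steps above for the mistakes that fail quietly: a realm that differs between smb.conf and krb5.conf or is not upper-case, an ad idmap backend without its own range (or with one overlapping the * range), and an nsswitch.conf that does not consult winbind. The script below is an added example for this page, not part of the original tutorial or of Samba. It takes the file paths as parameters so it can be run against copies; the function names, the --run switch and the file name samba-client-check.sh are my own, the /etc paths and the domain name DOUGLAS are the ones used above. Run against the smb.conf as written above it reports the missing DOUGLAS range.

```shell
#!/bin/sh
# Added example for this page (not from the original tutorial or from Samba):
# offline sanity checks for the files written in the steps above, to run before
# 'net ads join'. Paths are parameters so the checks can be run on copies; only
# main() touches the real /etc files.

# ini_get SECTION KEY FILE: print the value of KEY from [SECTION] of an
# smb.conf- or krb5.conf-style file. Section and key are compared with case
# and whitespace ignored, so 'idmap config * : range' and
# 'idmap config *:range' are the same key, as Samba treats them.
ini_get() {
    awk -v sec="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" \
        -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z' | tr -d ' ')" '
        /^[ \t]*\[/ {
            s = tolower($0); sub(/^[ \t]*\[/, "", s)
            i = index(s, "]"); if (i) s = substr(s, 1, i - 1)
            insec = (s == sec); next
        }
        insec && /=/ {
            key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            if (tolower(key) == want) { print val; exit }
        }' "$3"
}

# check_realm SMBCONF KRB5CONF: 'realm' in smb.conf and 'default_realm' in
# krb5.conf must be the same upper-case name, or the join and pam_krb5 logins fail.
check_realm() {
    smb_realm=$(ini_get global realm "$1")
    krb_realm=$(ini_get libdefaults default_realm "$2")
    [ -n "$smb_realm" ] && [ "$smb_realm" = "$krb_realm" ] &&
        [ "$smb_realm" = "$(printf '%s' "$smb_realm" | tr 'a-z' 'A-Z')" ]
}

# check_idmap_range SMBCONF DOMAIN: the per-domain backend needs its own
# 'idmap config DOMAIN:range', and that range must not overlap the '*' range.
check_idmap_range() {
    backend=$(ini_get global "idmap config $2:backend" "$1")
    dom=$(ini_get global "idmap config $2:range" "$1" | tr -d ' ')
    def=$(ini_get global "idmap config *:range" "$1" | tr -d ' ')
    [ -n "$backend" ] && [ -n "$dom" ] || return 1
    dlo=${dom%%-*}; dhi=${dom##*-}
    [ "$dlo" -le "$dhi" ] 2>/dev/null || return 1      # malformed range
    [ -z "$def" ] && return 0                            # no default range to clash with
    zlo=${def%%-*}; zhi=${def##*-}
    [ "$dhi" -lt "$zlo" ] || [ "$dlo" -gt "$zhi" ]       # disjoint from '*' range
}

# check_nsswitch FILE: passwd and group must both consult winbind, otherwise
# domain users have no uid/gid on this host and sshd/pam_mkhomedir reject them.
check_nsswitch() {
    for db in passwd group; do
        grep -Eq "^[[:space:]]*$db:.*[[:space:]]winbind([[:space:]]|$)" "$1" || return 1
    done
}

# Run the checks against the live files, then hand over to Samba's own tests.
main() {
    rc=0
    check_realm /etc/samba/smb.conf /etc/krb5.conf ||
        { echo "FAIL: realm in smb.conf and default_realm in krb5.conf differ or are not upper-case"; rc=1; }
    check_idmap_range /etc/samba/smb.conf DOUGLAS ||
        { echo "FAIL: idmap config DOUGLAS:range missing, malformed or overlapping the '*' range"; rc=1; }
    check_nsswitch /etc/nsswitch.conf ||
        { echo "FAIL: passwd/group in nsswitch.conf do not list winbind"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: config checks passed; now run 'net ads testjoin' and 'wbinfo -t'"
    return "$rc"
}

# Only touch /etc when invoked as: sh samba-client-check.sh --run
case "${1:-}" in --run) main ;; esac
```

The checks are deliberately file-based so they can be run on a copy of the configuration before the host is touched; the live part (net ads testjoin, wbinfo -t, and a clock comparison against the KDC) stays with Samba's own tools, which are run in the next steps.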
Now let's test the winbind connection to the domain
wbinfo -t
checking the trust secret for domain DOUGLAS via RPC calls succeeded
Now let's list the domain users
wbinfo -u
douglas.santos
administrator
dns-nodo1
krbtgt
guest
Let's list the groups
wbinfo -g
allowed rodc password replication group
enterprise read-only domain controllers
denied rodc password replication group
ti-admin
read-only domain controllers
group policy creator owners
ras and ias servers
domain controllers
enterprise admins
domain computers
cert publishers
dnsupdateproxy
domain admins
domain guests
schema admins
domain users
dnsadmins
Now let's test SSH access to this client
ssh douglas.santos@192.168.0.52
douglas.santos@192.168.0.52's password:
Creating directory '/home/DOUGLAS/douglas.santos'.
Linux debian 3.2.0-4-amd64 #1 SMP Debian 3.2.46-1 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
[10:35:45] douglas.santos@debian [~]
$
In the authentication log we get something like this
tail -f /var/log/auth.log
Aug 27 10:35:44 debian sshd[4852]: pam_krb5(sshd:auth): user douglas.santos authenticated as douglas.santos@DOUGLAS.LAN
Aug 27 10:35:44 debian sshd[4852]: Accepted password for douglas.santos from 192.168.0.130 port 51197 ssh2
Aug 27 10:35:44 debian sshd[4852]: pam_unix(sshd:session): session opened for user douglas.santos by (uid=0)
Here the password was verified by pam_krb5 directly against the KDC (on the CentOS client it went through pam_winbind); either way the account comes from AD and the home directory was created by pam_mkhomedir on first login.
The client is authenticating successfully :D
Note that, unlike the CentOS client above, nothing on this host restricts which domain users may log in: every account that wbinfo -u lists is accepted by sshd. On a server that should only be reachable by administrators, add a group restriction, for example AllowGroups ti-admin in /etc/ssh/sshd_config (with winbind use default domain = yes the group name is used without the DOUGLAS\ prefix), or the same pam_succeed_if membership check the CentOS client applies in its account stack.