Monday, 22 June 2015

Samba 4

http://mark.orbum.net/2014/02/22/compiling-samba-4-on-debian-wheezy-active-directory-domain-controllers-ho/
http://sourceforge.net/projects/samba4all/files/4.1.9/Ubuntu%2014.04Sernet4.1.9/
cat /etc/lsb-release

samba-tool domain provision --use-rfc2307 --interactive

samba-tool dns update 10.1.9.14 samba4.ad nginx2 A 192.168.163.10 10.1.9.14 -U Administrator

apt-get install acl attr krb5-user
Ignore the Kerberos prompts and just accept the defaults, as they will be overwritten later.

Edit fstab and add user_xattr,acl:

nano /etc/fstab

so you end up with something like the below:

/dev/mapper/samba1--vg-root / ext4 user_xattr,acl,errors=remount-ro 0 1

https://wiki.samba.org/index.php/OS_Requirements#fstab_2

nano /etc/apt/sources.list.d/samba4-sernet.list

Paste in the repository lines (in my case my account; please get your own from https://portal.enterprisesamba.com/):

#
# SerNet Samba 4.1 Packages
#
# (ubuntu-trusty)
#
deb https://USERNAME:ACCESSKEY@download.sernet.de/packages/samba/4.1/ubuntu trusty main
deb-src https://USERNAME:ACCESSKEY@download.sernet.de/packages/samba/4.1/ubuntu trusty main

Add the repo GPG key and install the AD package:

wget http://ftp.sernet.de/pub/sernet-samba-keyring_1.4_all.deb
dpkg -i sernet-samba-keyring_1.4_all.deb
apt-get install apt-transport-https
apt-get update
apt-get install sernet-samba-ad

Samba4 has password minimums, so we start with Mysamba4:

samba-tool domain provision --domain=SAMBA4 --adminpass=Mysamba4 \
  --dns-backend=SAMBA_INTERNAL --server-role=dc \
  --function-level=2008_R2 --use-xattr=yes \
  --use-rfc2307 --realm=SAMBA4.LAN
samba-tool domain passwordsettings set --complexity=off
samba-tool domain passwordsettings set --min-pwd-length=5
samba-tool user setpassword Administrator

Changed to samba4, so both the sudo and the Samba password = samba4.

Edit /etc/default/sernet-samba to change the startup mode to ad:

nano /etc/default/sernet-samba
SAMBA_START_MODE="ad"

reboot

Add a reverse zone for the server on the local subnet (192.168.1.3 being my server, set by DHCP):

samba-tool dns zonecreate 192.168.1.3 1.168.192.in-addr.arpa --username=administrator

Add a PTR record for the server (3 being the host part of the IP in the 1.168.192 subnet):

samba-tool dns add 192.168.1.3 1.168.192.in-addr.arpa 3 PTR SAMBA1.SAMBA4.LAN --username=administrator

Check /etc/samba/smb.conf and change the forwarder address to your DNS server (192.168.1.1 being the router DNS):

nano /etc/samba/smb.conf

dns forwarder = 192.168.1.1

Reload Samba:

smbcontrol all reload-config

Some checks to see if all is ok:

root@samba1:~# smbclient -L localhost -U%
Domain=[SAMBA4] OS=[Unix] Server=[Samba 4.1.6-SerNet-Debian-7.wheezy]

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk
        sysvol          Disk
        IPC$            IPC       IPC Service (Samba 4.1.6-SerNet-Debian-7.wheezy)
Domain=[SAMBA4] OS=[Unix] Server=[Samba 4.1.6-SerNet-Debian-7.wheezy]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------

root@samba1:~# smbclient //localhost/netlogon -UAdministrator -c 'ls'
Enter Administrator's password:
Domain=[SAMBA4] OS=[Unix] Server=[Samba 4.1.6-SerNet-Debian-7.wheezy]
  .                                   D        0  Fri Mar 28 15:12:07 2014
  ..                                  D        0  Fri Mar 28 15:12:12 2014

                48812 blocks of size 131072. 37202 blocks available

root@samba1:~# host -t SRV _ldap._tcp.samba4.lan.
_ldap._tcp.samba4.lan has SRV record 0 100 389 samba1.samba4.lan.

root@samba1:~# host -t SRV _kerberos._udp.samba4.lan.
_kerberos._udp.samba4.lan has SRV record 0 100 88 samba1.samba4.lan.

root@samba1:~# host -t A samba1.samba4.lan.
samba1.samba4.lan has address 192.168.1.8

root@samba1:~# netstat -tapn | grep samba
tcp        0      0 0.0.0.0:464      0.0.0.0:*    LISTEN      2170/samba
tcp        0      0 0.0.0.0:53       0.0.0.0:*    LISTEN      2176/samba
tcp        0      0 0.0.0.0:88       0.0.0.0:*    LISTEN      2170/samba
tcp        0      0 0.0.0.0:636      0.0.0.0:*    LISTEN      2168/samba
tcp        0      0 0.0.0.0:1024     0.0.0.0:*    LISTEN      2164/samba
tcp        0      0 0.0.0.0:3268     0.0.0.0:*    LISTEN      2168/samba
tcp        0      0 0.0.0.0:3269     0.0.0.0:*    LISTEN      2168/samba
tcp        0      0 0.0.0.0:389      0.0.0.0:*    LISTEN      2168/samba
tcp        0      0 0.0.0.0:135      0.0.0.0:*    LISTEN      2164/samba

kinit Administrator@SAMBA4.LAN
Password for Administrator@SAMBA4.LAN:
Warning: Your password will expire in 41 days on Sat May 10 01:14:36 2014

root@samba1:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@SAMBA4.LAN

Valid starting     Expires            Service principal
29/03/14 00:22:41  29/03/14 10:22:41  krbtgt/SAMBA4.LAN@SAMBA4.LAN
        renew until 30/03/14 00:22:37

If all is not ok, first remove the Samba-created config and then go back to samba-tool domain provision ....

rm /etc/samba/smb.conf
rm -R /var/lib/samba/private/*
rm -R /var/lib/samba/sysvol/*

Install webmin:

apt-get install perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl apt-show-versions python
wget http://prdownloads.sourceforge.net/webadmin/webmin_1.690_all.deb
dpkg --install webmin_1.690_all.deb
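The manual checks above can be tied together: a DC is only healthy when every service it advertises in DNS is also listening. The script below is an added example, not from the original post; it parses the same host -t SRV and netstat -tapn output shown above, and the SRV_OUTPUT and NETSTAT_OUTPUT values are constructed samples modelled on it (the comment shows how to fill them from a live DC).

```shell
#!/bin/sh
# Added example, not from the original post: cross-check the SRV records the
# domain advertises against the sockets Samba actually listens on.
# SRV_OUTPUT and NETSTAT_OUTPUT are constructed samples; on a live DC use
#   SRV_OUTPUT=$(host -t SRV _ldap._tcp.samba4.lan.; host -t SRV _kerberos._udp.samba4.lan.)
#   NETSTAT_OUTPUT=$(netstat -tapn | grep samba)
# netstat -tapn lists TCP only, as in the post; the KDC serves 88 on both.
SRV_OUTPUT='_ldap._tcp.samba4.lan has SRV record 0 100 389 samba1.samba4.lan.
_kerberos._udp.samba4.lan has SRV record 0 100 88 samba1.samba4.lan.'
NETSTAT_OUTPUT='tcp 0 0 0.0.0.0:88 0.0.0.0:* LISTEN 2170/samba
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 2168/samba
tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN 2168/samba'

# srv_port NAME: print the port advertised for NAME; non-zero if no record
srv_port() {
    printf '%s\n' "$SRV_OUTPUT" | awk -v n="$1" \
        '$1 == n && $3 == "SRV" { print $7; f = 1; exit } END { exit !f }'
}

# srv_target NAME: print the host the record points at (trailing dot removed)
srv_target() {
    printf '%s\n' "$SRV_OUTPUT" | awk -v n="$1" \
        '$1 == n && $3 == "SRV" { sub(/\.$/, "", $8); print $8; f = 1; exit } END { exit !f }'
}

# listening PORT: succeed only if a samba process has a TCP listener on PORT
listening() {
    printf '%s\n' "$NETSTAT_OUTPUT" | awk -v p="$1" \
        '$6 == "LISTEN" && $4 ~ (":" p "$") && $7 ~ /\/samba$/ { f = 1 } END { exit !f }'
}

# check_dc: verify each service AD clients look up is advertised in DNS and
# listening; prints one line per problem and returns the problem count
check_dc() {
    problems=0
    for name in _ldap._tcp.samba4.lan _kerberos._udp.samba4.lan; do
        if port=$(srv_port "$name"); then
            listening "$port" || { echo "$name advertises port $port on $(srv_target "$name") but nothing listens"; problems=$((problems + 1)); }
        else
            echo "no SRV record for $name"; problems=$((problems + 1))
        fi
    done
    return "$problems"
}

check_dc && echo "DC checks passed"
```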

Friday, 19 June 2015

Ubuntu SSH + AD

Installing and Configuring Kerberos, Samba, and Winbind on Ubuntu Server 5

Steps

Step 1: Install the Required Packages

Note: Enter Y when asked if you want to install the additional packages


apt-get install krb5-user
apt-get install winbind samba


Step 2: Edit the /etc/krb5.conf File


Code:
[logging]
    default = FILE:/var/log/krb5lib.log
[libdefaults]
    ticket_lifetime = 24000
    default_realm = DOMAIN.INTERNAL
    default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
    default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
    DOMAIN.INTERNAL = {
        kdc = domainserver.domain.internal
        admin_server = domainserver.domain.internal
        default_domain = DOMAIN.INTERNAL
    }
[domain_realm]
    .domain.internal = DOMAIN.INTERNAL
    domain.internal = DOMAIN.INTERNAL
Step 3: Edit /etc/samba/smb.conf

Notes: Change the NETBIOS name parameter to be correct for the server. Make a backup copy of the original file!!!

1) Make the edits. The configuration shown is the bare minimum and doesn't share anything.

Code:
[global]
        security = ads
        netbios name = CMHRG02
        realm = DOMAIN.INTERNAL
        password server = domainserver.domain.internal
        workgroup = DOMAIN
        idmap uid = 500-10000000
        idmap gid = 500-10000000
        winbind separator = +
        winbind enum users = no
        winbind enum groups = no
        winbind use default domain = yes
        template homedir = /home/%D/%U
        template shell = /bin/bash
        client use spnego = yes
        domain master = no
2) Test the configuration with the testparm command

Step 4: Edit /etc/nsswitch.conf to look like the example below

Code:
passwd:         compat winbind
group:          compat winbind
shadow:         compat
hosts:          files dns wins
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis
Step 5: Modify the PAM settings

1) /etc/pam.d/common-account should contain only the following lines

Code:
account sufficient pam_winbind.so
account required  pam_unix.so
2) /etc/pam.d/common-auth should contain only the following lines

Code:
auth    sufficient      pam_winbind.so
auth    required        pam_unix.so nullok_secure use_first_pass
3) Modify the /etc/pam.d/common-password file, so the max parameter is set to 50, similar to the one shown below

Code:
password   required   pam_unix.so nullok obscure min=4 max=50 md5
4) Make sure the /etc/pam.d/common-session file contains the following line

Code:
session required        pam_mkhomedir.so umask=0022 skel=/etc/skel
Step 6: Make a directory to hold domain user home directories

Note: Use the value you put in the WORKGROUP tag of the /etc/samba/smb.conf file

Code:
mkdir /home/DOMAIN
Step 7: Initialize Kerberos

1)
Code:
kinit domain_admin_account@DOMAIN.INTERNAL
Next check to be sure you got a ticket from the domain controller

2)
Code:
klist
Step 8: Join the system to the domain

Code:
net ads join -U domainadminuser@DOMAIN.INTERNAL
Step 9: Restart Samba-related Services (Or reboot the server)

Note: The order is important

Code:
/etc/init.d/samba stop
/etc/init.d/winbind stop
/etc/init.d/samba start
/etc/init.d/winbind start
Step 10: Restart SSH and Test Connectivity

Note: If you rebooted the server in the previous step, just try and login.

Code:
/etc/init.d/ssh restart

ssh useraccount@server
If you can login using your active directory username and password then everything is working!

Step 11: Configure SUDO

1) First create a group in Active Directory called UnixAdmins and add the names of people whom you want to be able to use sudo to admin the server.

2) Next, add the UnixAdmins group to the /etc/sudoers so these users can use sudo

Code:
%UnixAdmins ALL=(ALL) ALL
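Steps 2 to 6 only work if the files agree with each other: the realm in smb.conf must match default_realm in krb5.conf, security must be ads, nsswitch must consult winbind for users and groups, and the home directory template must land under the /home/DOMAIN directory created in Step 6. The script below is an added example, not part of the original guide; the KRB5_CONF, SMB_CONF and NSSWITCH values are constructed samples modelled on the guide (the comment shows how to load the real files).

```shell
#!/bin/sh
# Added example, not part of the original guide: an offline consistency check
# for the files edited in Steps 2-4 and 6. The three variables below are
# constructed samples; on a real host load the files instead, e.g.
#   KRB5_CONF=$(cat /etc/krb5.conf)  SMB_CONF=$(cat /etc/samba/smb.conf)
#   NSSWITCH=$(cat /etc/nsswitch.conf)
KRB5_CONF='[libdefaults]
    ticket_lifetime = 24000
    default_realm = DOMAIN.INTERNAL'
SMB_CONF='[global]
        security = ads
        realm = DOMAIN.INTERNAL
        workgroup = DOMAIN
        winbind use default domain = yes
        template homedir = /home/%D/%U'
NSSWITCH='passwd:         compat winbind
group:          compat winbind
shadow:         compat'

# conf_value KEY CONTENT: value of the first "KEY = value" line, trimmed
conf_value() {
    printf '%s\n' "$2" | awk -F= -v k="$1" '
        { key = $1; sub(/^[ \t]+/, "", key); sub(/[ \t]+$/, "", key) }
        key == k { v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v); print v; exit }'
}

# nss_has DB SOURCE CONTENT: succeed if the "DB:" line lists SOURCE
nss_has() {
    printf '%s\n' "$3" | awk -v db="$1:" -v src="$2" '
        $1 == db { for (i = 2; i <= NF; i++) if ($i == src) found = 1 }
        END { exit !found }'
}

fail() { echo "$1"; problems=$((problems + 1)); }

# check_member_config: one line per problem, returns the number of problems
check_member_config() {
    problems=0
    [ "$(conf_value security "$SMB_CONF")" = ads ] || fail "smb.conf: security must be ads"
    [ "$(conf_value realm "$SMB_CONF")" = "$(conf_value default_realm "$KRB5_CONF")" ] \
        || fail "smb.conf realm does not match krb5.conf default_realm"
    case "$(conf_value 'template homedir' "$SMB_CONF")" in
        /home/%D/*) ;; *) fail "template homedir does not live under /home/<WORKGROUP>" ;;
    esac
    for db in passwd group; do
        nss_has "$db" winbind "$NSSWITCH" || fail "nsswitch.conf: $db does not list winbind"
    done
    return "$problems"
}

check_member_config && echo "member config consistent"
```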


HELPFUL COMMAND LINES

1) List the derived UNIX GID values for the Active Directory groups of a given user (wbinfo -r needs a username; replace username below)

Code:
for gid in $(wbinfo -r username); \
do SID=$(wbinfo -G $gid); GROUP=$(wbinfo -s $SID); echo $gid is $GROUP; done
2) See the Active Directory SID for a particular named user

Code:
wbinfo -n username