Setting up Samba as an Active Directory Domain Controller

Unofficial documentation for various parts of Gentoo Linux. Note: This is not a support forum.
2 posts • Page 1 of 1
jodalein
n00b
Posts: 9
Joined: Thu Jun 13, 2013 12:20 pm

Post by jodalein » Wed Aug 30, 2017 3:57 pm

Hi guys,
I wanna share my HowTo for SAMBA4 AD/DC with Samba 4.6.6 and Dynamic DNS Updates.
I managed it with the Gentoo wiki, a book for Samba 4.3 and some different random pages across the web.

My HowTo is more like a copy-and-paste instruction than a full HowTo where everything is explained.
But with that I got a running environment where everything I wrote here works.

The complete test environment has been working properly and stably for 4 weeks.

Feel free to ask if something is not clear

I don't take any warranty if you do this in live environments;
you do it all by yourself :)

cheers
jodalein

typos? Have fun with it :)

Systems:

XEN Host:
Kernel 4.12.2
GCC 6.3.0
XEN 4.8.1-r2
libressl

Server1 and Server2
Kernel 4.12.2
Samba 4.6.6
GCC 6.3.0
libressl

Windows client to configure the AD via RSAT tools (Windows 10 1703)

Gentoo Client
Kernel 4.12.8
GCC 6.4.0
Samba 4.6.7


Requirements:
configure /etc/dhcp/dhcpd.conf
configure /etc/bind/named.conf
(but if you have an NT-style domain, take the dhcp/bind configs for testing; some modification is needed)

can't copy the example config at the moment because it's not cleaned for public
*maybe coming later*


## USE flags
emerge -pv samba bind bind-tools

Code:

net-fs/samba-4.6.6::gentoo  USE="acl addc addns ads client cluster cups fam gnutls ldap pam python syslog systemd winbind -dmapi -gpg -iprint -quota (-selinux) (-system-heimdal) -system-mitkrb5 {-test} -zeroconf" ABI_X86="32 (64) (-x32)" PYTHON_TARGETS="python2_7" 0 KiB

net-dns/bind-9.11.1_p3::gentoo  USE="berkdb caps dlz gssapi idn ipv6 ldap libressl postgres ssl static-libs zlib -dnstap -doc -filter-aaaa -fixed-rrset -geoip -gost -json -lmdb -mysql -nslint -odbc -python -rpz (-seccomp) (-selinux) -threads -urandom -xml" PYTHON_TARGETS="python2_7 python3_5 python3_6 -python3_4" 0 KiB

net-dns/bind-tools-9.11.1_p3::gentoo  USE="gssapi idn ipv6 libressl readline seccomp ssl -doc -gost -urandom -xml" 0 KiB

emerge -a samba bind bind-tools


## Create Samba Domain
https://wiki.samba.org/index.php/Settin ... Controller

read the wiki before starting here

samba-tool domain provision --use-rfc2307 --interactive
REALM
DOMAIN
BIND9_DLZ
ROOTPWBYYOURCHOISE

systemctl enable samba
systemctl start samba


## create initial domain admin

samba-tool user create $USER --given-name=$USER --surname=$USERNAME
samba-tool user enable $USER
samba-tool group addmembers "Domain Admins" $USER
samba-tool group listmembers administrators

## ACL allow for domain admins
net rpc rights grant "EXAMPLE\domain admins" SeDiskOperatorPrivilege -U administrator

## resolv.conf
/etc/resolv.conf.tail

Code:

# Generated by resolvconf
search FQDN.DOMAIN.TLD
domain FQDN.DOMAIN.TLD
nameserver 127.0.0.1
## link krb5.conf
ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf

## kinit test
kinit administrator@DOMAIN

## check if ticket exists
klist

## rsyncd for sysvol
share an ssh key with the second DC

nano /etc/rsyncd.conf

Code:

[SysVol]
path = /var/lib/samba/sysvol/
comment = Samba Sysvol Share
hosts allow = 192.168.1.174
uid = root
gid = root
read only = yes

systemctl enable rsyncd
systemctl start rsyncd
## NTP setup

rm /etc/ntp.conf
nano /etc/ntp.conf

Code:

server 127.127.1.0
fudge  127.127.1.0 stratum 10
server 0.gentoo.pool.ntp.org iburst prefer
server 1.gentoo.pool.ntp.org iburst prefer
server 2.gentoo.pool.ntp.org iburst prefer
server 3.gentoo.pool.ntp.org iburst prefer
driftfile       /var/lib/ntp/ntp.drift
logfile /var/log/ntp
ntpsigndsocket /var/lib/samba/ntp_signd/
restrict default kod nomodify notrap nopeer mssntp
restrict 127.0.0.1
restrict [::1]

restrict 0.gentoo.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
restrict 1.gentoo.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
restrict 2.gentoo.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
restrict 3.gentoo.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
chgrp ntp /var/lib/samba/ntp_signd
chmod g+rx /var/lib/samba/ntp_signd
systemctl restart ntpd


## check ntp
ntpq -p

## nsswitch.conf
vi /etc/nsswitch.conf

Code:

passwd:      compat winbind
shadow:      compat
group:       compat winbind
## CUPS server on the ADDC
# tried on a member server but was not really successful
# on the ADDC all works fine


mkdir -p /var/spool/samba
chmod 1777 /var/spool/samba
mkdir -p /var/lib/samba/drivers/
chgrp -R 'domain admins' /var/lib/samba/drivers/
chmod -R g+w /var/lib/samba/drivers/

net rpc rights grant 'domain admins' SePrintOperatorPrivilege -U Administrator
net conf addshare printers /var/spool/samba writeable=y guest_ok=n "Druckerspooling"
net conf setparm printers "browsable" "yes"
net conf setparm printers "printable" "yes"
net conf setparm printers "create mask" "0700"

## Add Printers
Add printers to CUPS # I think you know how this works

## useful help for printers

grep Info /etc/cups/printers.conf|cut -d" " -f2> /root/printers.txt

## bash script for printers.conf generation
# quick and dirty but works for me

Code:

#!/bin/bash
# one printer name per line, as written to /root/printers.txt above
printerlist=$(cat /root/printers.txt)

for i in $printerlist; do
echo "[$i]" >> /etc/samba/printers.conf
echo "      path = /var/spool/samba/" >> /etc/samba/printers.conf
echo "      printable = yes" >> /etc/samba/printers.conf
echo "      printer name = $i" >> /etc/samba/printers.conf
echo "      read only = No" >> /etc/samba/printers.conf
echo "      create mask = 0700" >> /etc/samba/printers.conf
echo "      browsable = yes" >> /etc/samba/printers.conf
echo "      Use client driver = no" >> /etc/samba/printers.conf
done
## include printers.conf in samba
vi /etc/samba/smb.conf

Code:

[GLOBAL]
....
            include = /etc/samba/printers.conf
....        
## print spoolssd pool

vi /etc/samba/smb.conf

Code:

[GLOBAL]
....
        load printers = no
        spoolss: architecture = Windows x64
        rpc_server:spoolss = external
        rpc_daemon:spoolssd = fork
        spoolssd:prefork_min_children = 5
        spoolssd:prefork_max_children = 25
        spoolssd:prefork_spawn_rate = 5
        spoolssd:prefork_max_allowed_clients = 100
        spoolssd:prefork_child_min_life = 60
....

## Printserver (Windows)
read the wiki before starting here


https://wiki.samba.org/index.php/Settin ... int_Server
https://wiki.samba.org/index.php/Settin ... ws_Clients


## Profiles
read the wiki before starting here

https://wiki.samba.org/index.php/Roamin ... r_Profiles

mkdir -p /path/for/you/profiles
chgrp -R "Domain Users" /path/for/you/profiles
chmod 2750 /path/for/you/profiles

net conf addshare profiles /profiles writeable=y guest_ok=no "User Profiles"
net conf setparm profiles "browsable" "no"
net conf setparm profiles "profile acls" "yes"
net rpc registry enumerate HKLM\\software\\samba\\smbconf\\profiles -Uadministrator -S FQDN.DOMAIN.TLD

create the GPOs like in the wiki

smbcontrol all reload-config

## Homes
read the wiki before starting here


https://wiki.samba.org/index.php/User_Home_Folders

mkdir -p /path/for/you/home/
chgrp -R "Domain Users" /path/for/you/home/
chmod 2750 /path/for/you/home/

net conf addshare users /path/for/you/home/ writeable=y guest_ok=no "Home-Dirs"
net conf setparm users "browsable" "no"
net conf setparm users "create mask" "700"
net conf setparm users "directory mask" "700"
net rpc registry enumerate HKLM\\software\\samba\\smbconf\\users -Uadministrator -S FQDN.DOMAIN.TLD

for more info follow the wiki

smbcontrol all reload-config


## Shares
read the wiki before starting here


https://wiki.samba.org/index.php/Settin ... ndows_ACLs

chown root:"Domain Admins" /path/for/you
chmod -R 0770 /path/for/you/customers


## Password Rules

Code:

samba-tool domain passwordsettings show 
samba-tool user setexpiry Administrator --noexpiry 
samba-tool domain passwordsettings set --history-length=10
samba-tool domain passwordsettings set --min-pwd-age=80
samba-tool domain passwordsettings set --max-pwd-age=90
samba-tool domain passwordsettings set --min-pwd-length=8
## Change Passwords

Code:

# on a Linux client, remotely:
smbpasswd -r SERVER -U username
# as user X:
smbpasswd -r SERVER
## Dynamic DNS Updates

vi /etc/bind/named.conf

Code:

options {
....
        tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
....
};

include "/var/lib/samba/private/named.conf";
## info for PTR set
PTR entry
http://sdb.univention.de/1254


The clients can also trigger the PTR registration themselves if "Use this
connection's DNS suffix in DNS registration" is selected in the adapter properties.
The GPO which does the exact same thing is located in
Computer Configuration
-> Administrative Templates
-> Network
-> DNS Client and is called "Register
DNS records with connection-specific DNS suffix".


Info area

## GPOs
acls must be owned by:
BUILTIN\administrators
uid: 3000008

TEST strings

## get msdcs uuids
ldbsearch -H /var/lib/samba/private/sam.ldb '(invocationId=*)' --cross-ncs objectguid

## Verifying the File Server
smbclient -L localhost -U%
smbclient //localhost/netlogon -UAdministrator -c 'ls'


## GPOs
# my experience after adding new GPOs or changing some GPOs:
# run the check every time if there is an error.
# most failures are wrong acls...
# repair it

## Repair
samba-tool ntacl sysvolreset

## check
samba-tool ntacl sysvolcheck

## FSMO roles
samba-tool fsmo show

## check DB for failures
samba-tool dbcheck --cross-ncs --fix

## Info site with a lot help
http://wiki.indie-it.com/wiki/Samba

## Info area END



##########################################################################

smb.conf at Server1

# Global parameters

Code:

[global]
        netbios name = EXAMPLE
        realm = EXAMPLE
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = EXAMPLE
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes

#       log level = 5

        winbind refresh tickets = yes
        template shell = /bin/bash
        template homedir = /path/for/you/home/%ACCOUNTNAME%

        ## print spoolssd pool
        load printers = no
        spoolss: architecture = Windows x64
        rpc_server:spoolss = external
        rpc_daemon:spoolssd = fork
        spoolssd:prefork_min_children = 5
        spoolssd:prefork_max_children = 25
        spoolssd:prefork_spawn_rate = 5
        spoolssd:prefork_max_allowed_clients = 100
        spoolssd:prefork_child_min_life = 60

        include = /etc/samba/printers.conf

[netlogon]
        path = /var/lib/samba/sysvol/example/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[printers]
       path = /var/spool/samba/
       printable = yes
       read only = No
       create mask = 0700
       browsable = No
       Use client driver = no

[print$]
        path=/var/lib/samba/drivers
        create mask = 0755
        inherit permissions = Yes
        write list = adrfuchs , Administrator
        writable = yes
        

[users]
        path = /path/for/you/home
        comment = Home-Dirs
        guest ok = no
        read only = no
        hide unreadable = yes
        browseable = no
        create mask = 700
        directory mask = 700

[profiles]
        path = /path/for/you/profiles
        comment = User Profiles
        guest ok = no
        read only = no
        browseable = no
        profile acls = yes

[public]
        path = /path/for/you/public
        read only = no
        browseable = yes


[internal]
        path = /path/for/you/internal
        read only = no
        browseable = yes

[customers]
        path = /path/for/you/customers
        read only = no
        browseable = yes




##########################################################################
DC 2 Server2
Backup DC

## set krb5.conf

nano /etc/krb5.conf

Code:

[libdefaults]
        default_realm = EXAMPLE
        dns_lookup_realm = true
        dns_lookup_kdc = true

or

Code:

scp root@server1:/var/lib/samba/private/krb5.conf /etc/
## DNS Forwarder

vi /etc/samba/smb.conf > add dns forwarder

Code:

        dns forwarder = IPSERVER1
## Resolv.conf

/etc/resolv.conf

Code:

# Generated by resolvconf
search EXAMPLE
nameserver 127.0.0.1
# nameserver IPSERVER1 # enabled once for the domain join; after that remove or disable it
## Domain Join

Code:

samba-tool domain join EXAMPLE DC -U administrator
PASSWORD
systemctl enable samba
systemctl start samba


## DRS Test
# check on both servers
samba-tool drs showrepl

## test the replication
samba-tool user create $USER
New Password:
Retype Password:
User '$USER' created successfully

## check the db
samba-tool dbcheck

if both servers have the same amount of entries, all works well

## Rsync sysvol

Code:

echo "*/5 * * * *     root    rsync  -XAavz --delete-after rsync://root@IPSERVER1:/SysVol/ /var/lib/samba/sysvol/">> /etc/crontab
systemctl restart vixie-cron

## NTP
like server1, see above



##########################################################################
smb.conf Server2

Code:

# Global parameters
[global]
        netbios name = XINEOHP
        realm = EXAMPLE
        workgroup = EXAMPLE
        server role = active directory domain controller
        dns forwarder = IPSERVER1

[netlogon]
        path = /var/lib/samba/sysvol/EXAMPLE/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No         




##############################################################################

Gentoo Client with lxdm kerberos integration and samba share auto mount at login

mostly copied from https://wiki.gentoo.org/wiki/Kerberos_W ... perability

## client smb.conf
smb.conf

Code:

[global]
        workgroup = EXAMPLE
        realm = EXAMPLE
        security = ADS
        server string         = (Samba %v)
        obey pam restrictions = Yes
        guest account         = nobody

        kerberos method         = secrets and keytab
        dedicated keytab file   = /etc/krb5.keytab
        winbind refresh tickets = true

        client NTLMv2 auth    = Yes
        client lanman auth    = No
        client plaintext auth = No

        lanman auth  = No
        max protocol = SMB3
        min protocol = NT1

       # syslog       = 1
        log level    = 0 winbind:6 auth:7
        log file     = /var/log/samba/%m.log
        max log size = 100
        debug uid    = Yes

        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

#        printcap name = cups
#        dns proxy     = No

        idmap config * : backend = tdb
        idmap config *:range = 10000-19999
        idmap config EXAMPLE : backend = rid
        idmap config EXAMPLE : range = 1000000 - 1999999
	
        template homedir = /home/%U
        template shell             = /bin/bash
        winbind enum users         = Yes
        winbind enum groups        = Yes
        winbind use default domain = Yes
        winbind offline logon      = Yes
        winbind expand groups      = 2

        ea support           = Yes
        store dos attributes = Yes
        dos filemode         = Yes

        unix extensions = no
        follow symlinks = yes
        wide links      = yes

        veto files = /.*/
## Client Domain Join
net ads info
net ads join -U AD_username_with_computer_account_create_rights
net ads testjoin
getent passwd

systemctl start winbindd
systemctl enable winbindd


!!! PLEASE BE CAREFUL WHAT YOU ARE DOING HERE !!!
## I changed the local users group to the AD users group to enable easy sudo rights for users
## if there is a better way please tell me

vi /etc/group

Code:

#users:x:100:
users:x:1000513:



## Pam settings
krb5_ccache_type=FILE for login if no domain / ethernet is available

/etc/pam.d/system-auth

Code:

auth        required      pam_env.so
auth        sufficient    pam_winbind.so krb5_auth krb5_ccache_type=FILE
auth        sufficient    pam_unix.so likeauth nullok try_first_pass
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so

account     sufficient    pam_winbind.so
account     required      pam_unix.so

password    required      pam_cracklib.so retry=3
password    sufficient    pam_unix.so nullok use_authtok md5 shadow
password    optional      pam_permit.so

session     required      pam_mkhomedir.so skel=/etc/skel/ umask=0022 
session     required      pam_limits.so
session     required      pam_unix.so
session     required      pam_systemd.so debug

## krb5.conf
# yes again :)

nano /etc/krb5.conf

Code:

[libdefaults]
        default_realm = EXAMPLE
        dns_lookup_realm = false
        dns_lookup_kdc = true

## Pam winbind config
vi /etc/security/pam_winbind.conf

Code:

[global]
# turn on debugging
debug = yes

# turn on extended PAM state debugging
debug_state = yes

# request a cached login if possible
# (needs "winbind offline logon = yes" in smb.conf)
cached_login = yes

# authenticate using kerberos
krb5_auth = yes

# when using kerberos, request a "FILE" krb5 credential cache type
# (leave empty to just do krb5 authentication but not have a ticket
# afterwards)
krb5_ccache_type = file

# make successful authentication dependent on membership of one SID
# (can also take a name)
;require_membership_of =

# password expiry warning period in days
;warn_pwd_expire = 14

# omit pam conversations
;silent = no

# create homedirectory on the fly
mkhomedir = yes
## testing
Now log in with your AD account
(I use sddm with lxde)
open your preferred terminal > klist

if it now shows you a Kerberos ticket, "you did it"
** HURRAY **
Samba with AD/DC on Gentoo with a Gentoo domain client

second test
open your preferred file browser
e.g.
smb://ipserver1/
smb://ipserver1/internal

if you can access these shares without any password question
** HURRAY ** AGAIN :)



## samba auto mount
# (little goody to replace smb4k and kwallet for our employees)

visudo

Code:

%users ALL=(ALL) NOPASSWD:/bin/mount
%users ALL=(ALL) NOPASSWD:/bin/umount
vi /etc/xdg/autostart/samba-auto-mount.sh

Code:

#!/bin/bash 
#
# to do, create logoff script for umount at logoff  or user swap
#
useruid=$(wbinfo -i $USER|cut -d : -f 3)

## create mount folders
if [ ! -d /home/$USER/internal ]; then
mkdir /home/$USER/internal
fi

if [ ! -d /home/$USER/customers ]; then
mkdir /home/$USER/customers
fi

## mount the shares
sudo mount -t cifs -o username=$USER,uid=$useruid,forceuid,gid=1000513,forcegid,sec=krb5i,cruid=$USER  //IPSERVER1/internal /home/$USER/internal
sudo mount -t cifs -o username=$USER,uid=$useruid,forceuid,gid=1000513,forcegid,sec=krb5i,cruid=$USER  //IPSERVER1/customers /home/$USER/customers
exit

ADD
## nice little GUI for password change via Gentoo

vi /etc/portage/make.conf
add to global USE

Code:

USE=" tk"
emerge pexpect python-ldap dev-lang/tk
emerge --newuse world

this tool needs python-2.7 active
eselect python list
eselect python set (2.7 version)

https://github.com/alfem/adpassword

Code:

git clone https://github.com/alfem/adpassword.git

Code:

cd adpassword && python setup.py build && python setup.py install

if there are still missing python packages in your system, please install them
Last edited by jodalein on Tue Sep 05, 2017 12:42 pm, edited 2 times in total.
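The printers.conf generator in the post above loops over a literal string and takes the printer names from the free-text `Info` lines of CUPS. As an added example (my code, not the poster's script), here is the same job done with the names read from the `<Printer NAME>` / `<DefaultPrinter NAME>` section headers of /etc/cups/printers.conf, split into functions so the result can be checked on a constructed file. The share settings in each section are the ones the post uses; the paths and the `printers.sh` name are assumptions.

```shell
#!/bin/bash
# Added example: build /etc/samba/printers.conf from the printers a CUPS server
# knows about. Not the poster's script; the section contents mirror the
# [printers] settings used in the post.
set -u

# Print the printer names defined in a CUPS printers.conf ($1). CUPS keeps the
# name in the "<Printer NAME>" / "<DefaultPrinter NAME>" section headers; the
# "Info ..." line the post greps is the free-text description, which only
# equals the name when the printer happened to be created that way.
cups_printer_names() {
    sed -n 's/^<\(Default\)\{0,1\}Printer \(.*\)>$/\2/p' "$1"
}

# Emit one share section for printer $1 on stdout.
printer_section() {
    printf '[%s]\n' "$1"
    printf '        path = /var/spool/samba/\n'
    printf '        printable = yes\n'
    printf '        printer name = %s\n' "$1"
    printf '        read only = No\n'
    printf '        create mask = 0700\n'
    printf '        browsable = yes\n'
    printf '        use client driver = no\n'
    printf '\n'
}

# Rewrite $2 with one section per name listed in $1 (one name per line; blank
# lines and lines starting with '#' are skipped). Prints the number of sections
# written. The file is truncated first, so re-running does not stack duplicate
# sections the way ">>" in the post does.
generate_printers_conf() {
    local list="$1" out="$2" count=0 name
    : > "$out"
    while IFS= read -r name || [ -n "$name" ]; do
        case "$name" in ''|'#'*) continue ;; esac
        printer_section "$name" >> "$out"
        count=$((count + 1))
    done < "$list"
    echo "$count"
}

# Usage: printers.sh /etc/cups/printers.conf /etc/samba/printers.conf
# Without arguments nothing happens, so the file can also be sourced.
if [ $# -eq 2 ]; then
    list=$(mktemp)
    cups_printer_names "$1" > "$list"
    n=$(generate_printers_conf "$list" "$2")
    rm -f "$list"
    echo "wrote $n printer sections to $2; run 'smbcontrol all reload-config' to apply"
fi
```

Because the output file is rewritten from scratch, the script can sit in cron or be run after every printer change on the DC without accumulating stale `[printer]` sections; smb.conf still needs the `include = /etc/samba/printers.conf` line from the post.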
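The samba-auto-mount.sh autostart script in the post mounts the shares unconditionally: with no Kerberos ticket the `sec=krb5i` mount fails with an unhelpful error, and a second login stacks a second mount on the same directory. This is a tightened version written as an added example, not the poster's script. It keeps the post's placeholders (`IPSERVER1` for the file server, `1000513` as the winbind gid of the AD users group, the shares `internal` and `customers`); the ticket check with `klist -s`, the winbind lookup check and the mount-table check are my additions.

```shell
#!/bin/bash
# Hardened variant of the samba-auto-mount.sh autostart script from the post.
# Added example, not the poster's script. IPSERVER1 and 1000513 are the post's
# placeholders (file server, gid of the AD "users" group).
set -u

SERVER="${SERVER:-IPSERVER1}"
SHARES="internal customers"
USERS_GID="${USERS_GID:-1000513}"

# Build the cifs option string for one user ($1 = login name, $2 = numeric uid).
# Kept as a pure function so the options can be checked without mounting anything.
cifs_mount_opts() {
    printf 'username=%s,uid=%s,forceuid,gid=%s,forcegid,sec=krb5i,cruid=%s' \
        "$1" "$2" "$USERS_GID" "$1"
}

# Return 0 when $1 is not yet a mount target, so a second login or a re-run of
# the autostart entry does not stack mounts. $2 (optional) is the mount table to
# consult, /proc/self/mounts by default; field 2 of each line is the target.
mount_needed() {
    ! awk -v t="$1" '$2 == t { found = 1 } END { exit !found }' "${2:-/proc/self/mounts}"
}

# Mount every share for $1 under /home/$1/<share>. Refuses to run without a
# valid Kerberos ticket, because sec=krb5i cannot work without one and the
# error from mount.cifs is far less clear than this message.
mount_user_shares() {
    local user="$1" uid share target
    if ! klist -s 2>/dev/null; then
        echo "samba-auto-mount: no Kerberos ticket for $user, nothing mounted" >&2
        return 1
    fi
    uid=$(wbinfo -i "$user" | cut -d: -f3)
    if [ -z "$uid" ]; then
        echo "samba-auto-mount: winbind does not know user $user" >&2
        return 1
    fi
    for share in $SHARES; do
        target="/home/$user/$share"
        mkdir -p "$target"
        if mount_needed "$target"; then
            sudo mount -t cifs -o "$(cifs_mount_opts "$user" "$uid")" \
                "//$SERVER/$share" "$target"
        fi
    done
}

# Only act on a client that actually has winbind; on any other machine the
# functions above can be sourced and exercised without side effects.
if command -v wbinfo >/dev/null 2>&1; then
    mount_user_shares "${USER:-$(id -un)}"
fi
```

The sudoers lines from the post (`NOPASSWD:/bin/mount` and `/bin/umount` with no argument restriction) let every member of `users` mount any filesystem with any options, not just these two shares; narrowing the rule to these exact cifs invocations, or moving the shares to `user` entries in /etc/fstab (which needs a setuid mount.cifs) so no sudo rule is required at all, is the change I would make before rolling this out to employees.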
Bones McCracker
Veteran
Posts: 1611
Joined: Tue Mar 14, 2006 8:23 am
Location: U.S.A.

Post by Bones McCracker » Sat Sep 02, 2017 4:37 pm

This is awesome!