Samba 4
Samba 4
Samba 4
samba-winbind-clients
samba-winbind
samba-client
samba-
Agora vamos ajustar o fstab para que ele dê suporte a acl, user_xattr e barrier. Eu vou habilitar isso na partição /; se você tiver várias partições, é bom habilitar em todas em que você queira criar os compartilhamentos.
vim /etc/fstab
[...]
/dev/mapper/VolGroup-lv_root /
defaults,acl,user_xattr,barrier=1
ext4
1 1
Exemplo:
UUID=02e71e2a-9e29-4199-80e8-a7f2d2aa45b6
UUID=efb1edd8-4317-4b75-ad0e-60eacdb8c764
UUID=39d30164-34fb-43aa-b47b-ef85f0c055af
UUID=2cee0f7b-d665-41f6-9c3a-2703933ff4b4
UUID=9cee9aee-9703-4cd1-ba2a-08544d1c23ca
UUID=f694aad6-72e9-48f2-acbc-17f443560a21
UUID=023c4c12-0b48-4049-97d6-58bbac20e71f
tmpfs
/dev/shm
devpts
/dev/pts
sysfs
/sys
proc
/proc
/ ext4
defaults,acl,user_xattr,barrier=1
/boot ext4
defaults
/share ext4
defaults,acl,user_xattr,barrier=1
/users ext4
defaults,acl,user_xattr,barrier=1
/usr
ext4
defaults,acl,user_xattr,barrier=1
/usr/local ext4 defaults,acl,user_xattr,barrier=1
swap
swap
defaults
tmpfs
defaults
0 0
devpts gid=5,mode=620 0 0
sysfs
defaults
0 0
proc
defaults
0 0
1 1
1
1
1
1
1
0
2
2
2
2
2
0
mount -o remount /
E as demais:
wget -c http://ftp.samba.org/pub/samba/stable/samba-4.1.6.tar.gz
Agora vamos desempacotar o samba. Como o download acima foi feito por HTTP, confira a assinatura ou o hash do tarball publicados pelo projeto antes de desempacotar.
tar -xzvf samba-4.1.6.tar.gz
Agora vamos acessar o diretório dos fontes
cd samba-4.1.6
Agora vamos criar a configuração para o samba
./configure --enable-debug --enable-selftest
Agora vamos mandar compilar o samba; este processo demora um pouco
make
Agora vamos mandar instalar o samba
make install
Agora vamos acertar a PATH do usuário root, no caso dele estar utilizando o shell Bash
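# Single quotes keep $PATH literal in /etc/profile, so it is expanded at each
# login instead of baking the current session's PATH into the file; the
# redirection belongs on the same line as the echo.
echo 'export PATH=$PATH:/usr/local/samba/bin:/usr/local/samba/sbin' >> /etc/profile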
Agora precisamos importar a nova PATH
source /etc/profile
Criar o diretório de log:
mkdir /var/log/samba
touch /var/log/samba/smbd.log
Essas configurações acima só serão validadas no próximo login; para que o path seja exportado nessa sessão atual, execute o comando abaixo
export PATH=$PATH:/usr/local/samba/bin:/usr/local/samba/sbin
Agora vamos acertar a PATH do usuário root, no caso dele estar utilizando o shell zsh
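# One command line (the original was wrapped across three lines and would not
# run as printed); the PATH is absolute here, so no expansion is involved.
echo "export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11:/usr/local/samba/sbin:/usr/local/samba/bin" >> /root/.zshrc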
Agora precisamos importar a nova PATH
source /root/.zshrc
Agora vamos ajustar o resolv.conf; ele vai utilizar o nome do nosso domínio e o IP do PDC.
vim /etc/resolv.conf
domain empresa.net
search empresa.net
nameserver 192.168.0.190
Agora vamos ajustar a interface de rede para utilizar o nosso novo DNS
vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE="eth0"
BOOTPROTO="static"
BROADCAST="192.168.218.255"
DNS1="192.168.218.190"
GATEWAY="192.168.218.190"
IPADDR="192.168.0.25"
NETMASK="255.255.255.0"
NM_CONTROLLED="yes"
ONBOOT="yes"
TYPE="Ethernet"
Alterar o resolv.conf (DNS), uma vez que o novo ACTIVE será o servidor DNS backend, adicionando o search para o domínio e o nameserver para o próprio IP do servidor. Lembrar de remover da configuração da placa de rede (/etc/sysconfig/network-scripts/ifcfg-ethX) o parâmetro de DNS para que, ao restart do serviço network, ele não reescreva o resolv.conf.
Após o restart da placa de rede sem o parâmetro de DNS, aplicar no resolv.conf.
O servidor irá resolver o DNS por ele mesmo.
cat /etc/resolv.conf
search dominioempresa.net
nameserver 192.168.218.190
Após o start do samba, podemos testar com o comando host com a chave _ldap._tcp, trazendo o sucesso da resolução do registro de DNS (DNS resolvendo corretamente).
/usr/local/samba/sbin/samba
host -t SRV _ldap._tcp.dominioempresa.net
_ldap._tcp.dominioempresa.net
has
SRV
dominio.dominioempresa.net.
record
100
389
vim /usr/local/samba/private/krb5.conf
[libdefaults]
default_realm = DOMINIOEMPRESA.NET
dns_lookup_realm = false
dns_lookup_kdc = true
Vamos criar um link para o sistema reconhecer o arquivo de configuração do samba como default
rm /etc/krb5.conf
ln -sf /usr/local/samba/private/krb5.conf /etc/krb5.conf
Checando os compartilhamentos com o comando smbclient no server local (netlogon e sysvol devem estar criados para o funcionamento).
/usr/local/samba/bin/smbclient -L localhost -U%
Domain=[DOMINIOEMPRESA] OS=[Unix] Server=[Samba 4.1.6]
Sharename
--------netlogon
sysvol
IPC$
Domain=[DOMINIOEMPRESA]
Type
---Disk
Disk
IPC
OS=[Unix]
Comment
------IPC Service (Samba 4.1.6)
Server=[Samba 4.1.6]
Server
---------
Comment
-------
Workgroup
---------
Master
-------
return $RETVAL
}
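stop() {
  # Stop the samba4 daemon started by start(). Must run as root; exit 4 is the
  # LSB "insufficient privilege" status.
  [ "$EUID" != "0" ] && exit 4
  echo -n $"Shutting down samba4: "
  # killproc is expected to come from the distribution's init function library
  # sourced earlier in the script (not shown here); its exit status is ours.
  killproc "$prog_dir/$prog"
  RETVAL=$?
  echo
  # Only drop the subsystem lock when the daemon really went away.
  [ "$RETVAL" -eq 0 ] && rm -f -- "$lockfile"
  # NOTE: the former fallback `kill $(ps aux | grep samba ...)` was unreachable
  # (it followed the return) and would have matched any process whose command
  # line merely contains "samba", so it is dropped; killproc is authoritative.
  return "$RETVAL"
}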
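# See how we were called.
case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  status)
    status "$prog"
    ;;
  restart)
    stop
    # Give the daemon a moment to release its sockets and lock before starting.
    sleep 2
    start
    ;;
  reload)
    # Ask every running samba process to re-read smb.conf. The script used to
    # print "OK" unconditionally and then `exit 3` (LSB: unimplemented feature);
    # now the result of smbcontrol decides both the message and the exit code.
    if /usr/local/samba/bin/smbcontrol all reload-config; then
      printf 'Reload do servico samba4 \033[37;0m[\033[m\033[32;3m OK \033[m\033[37;0m]\033[m\n'
      exit 0
    fi
    exit 1
    ;;
  *)
    echo $"Usage: $0 {start|stop|status|restart|reload}"
    exit 2
    ;;
esac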
Agora vamos dar permissão para o nosso script e vamos inserir ele na inicialização
chmod +x /etc/init.d/samba4
cd /etc/init.d
chkconfig --add samba4
chkconfig samba4 on
12:08
0:00
12:08
0:00
12:08
0:00
12:08
0:00
12:08
0:00
Ss
12:08
/usr/local/samba/sbin/samba
/usr/local/samba/sbin/samba
/usr/local/samba/sbin/samba
/usr/local/samba/sbin/samba
/usr/local/samba/sbin/samba
0:00 /usr/local/samba/sbin/smbd --
12:08
0:00
12:08
0:00
12:08
0:00
12:08
0:00
12:08
0:00
12:08
0:00
12:08
0:00
12:08
0:00
S
12:08
/usr/local/samba/sbin/samba
/usr/local/samba/sbin/samba
/usr/local/samba/sbin/samba
/usr/local/samba/sbin/samba
/usr/local/samba/sbin/samba
/usr/local/samba/sbin/samba
/usr/local/samba/sbin/samba
/usr/local/samba/sbin/samba
0:00 /usr/local/samba/sbin/smbd --
Windows
limit
browseable = No
[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
print ok = Yes
browseable = No
Agora vamos ajustar o limits.conf para não aparecerem os avisos no samba
vim /etc/security/limits.conf
#colocar no final do arquivo
root hard nofile 131072
root soft nofile 65536
mioutente hard nofile 32768
mioutente soft nofile 16384
Agora vamos testar a resolução de nome
nslookup dominioempresa.net
Server:
192.168.218.190
Address:
192.168.218.190#53
Name:
dominioempresa.net
Address: 192.168.218.190
Agora vamos ajustar a configuração do samba para que ele consiga mapear via winbind
vim /usr/local/samba/etc/smb.conf
[global]
workgroup = DOUGLAS
realm = douglas.lan
netbios name = NODO1
server role = active directory domain controller
passdb backend = samba_dsdb
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
drepl, winbind, ntp_signd, kcc, dnsupdate
rpc_server:tcpip = no
rpc_daemon:spoolssd = embedded
rpc_server:spoolss = embedded
rpc_server:winreg = embedded
rpc_server:ntsvcs = embedded
rpc_server:eventlog = embedded
rpc_server:srvsvc = embedded
rpc_server:svcctl = embedded
rpc_server:default = external
#IDMAP
idmap_ldb:use rfc2307 = yes
idmap config * : backend = tdb
idmap config *:range = 70001-80000
idmap config DOUGLAS:backend = ad
idmap config DOUGLAS:schema_mode = rfc2307
idmap config DOUGLAS:range = 500-40000
#WINBIND
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
ln -s /lib64/libnss_winbind.so /lib64/libnss_winbind.so.2
ldconfig
Agora vamos ajustar o nsswitch.conf adicionando winbind na frente dos parâmetros
vim /etc/nsswitch.conf
[...]
passwd: files winbind
[...]
group: files winbind
Agora vamos inicializar um ticket para o administrator
kinit administrator@DOMINIOEMMAIUSCULO.LAN
Password for administrator@DOUGLAS.LAN:
Warning: Your password will expire in 41 days on Mon Oct
2013
7 12:02:11
ntpq -p 127.0.0.1
remote
refid
st t when poll reach
delay
offset jitter
==============================================================================
LOCAL(0)
.LOCL.
10 l
64
1
0.000
0.000
0.000
a.ntp.br
.INIT.
16 u
64
0
0.000
0.000
0.000
a.st1.ntp.br
.INIT.
16 u
64
0
0.000
0.000
0.000
roma.coe.ufrj.b .INIT.
16 u
64
0
0.000
0.000
0.000
Domain Users
Domain Guests
Domain Computers
Domain Controllers
Schema Admins
Enterprise Admins
Group Policy Creator Owners
Read-Only Domain Controllers
DnsUpdateProxy
Agora vamos listar os usuários
wbinfo -u
Administrator
Guest
krbtgt
dns-nodo1
Agora vamos testar o update de DNS no samba
samba_dnsupdate --verbose
IPs: ['192.168.0.25']
Looking for DNS entry A douglas.lan 192.168.0.25 as douglas.lan.
Looking
for
DNS
entry
A
nodo1.douglas.lan
192.168.0.25
as
nodo1.douglas.lan.
Looking for DNS entry A gc._msdcs.douglas.lan 192.168.0.25 as
gc._msdcs.douglas.lan.
Looking
for
DNS
entry
CNAME
eae04ba1-3ca2-4ec6-b08c4962ca4f04b4._msdcs.douglas.lan nodo1.douglas.lan as eae04ba1-3ca24ec6-b08c-4962ca4f04b4._msdcs.douglas.lan.
Looking for DNS entry SRV _kpasswd._tcp.douglas.lan nodo1.douglas.lan
464 as _kpasswd._tcp.douglas.lan.
Checking
0
100
464
nodo1.douglas.lan.
against
SRV
_kpasswd._tcp.douglas.lan nodo1.douglas.lan 464
Looking for DNS entry SRV _kpasswd._udp.douglas.lan nodo1.douglas.lan
464 as _kpasswd._udp.douglas.lan.
Checking
0
100
464
nodo1.douglas.lan.
against
SRV
_kpasswd._udp.douglas.lan nodo1.douglas.lan 464
Looking for DNS entry SRV _kerberos._tcp.douglas.lan nodo1.douglas.lan
88 as _kerberos._tcp.douglas.lan.
Checking
0
100
88
nodo1.douglas.lan.
against
SRV
_kerberos._tcp.douglas.lan nodo1.douglas.lan 88
Looking
for
DNS
entry
SRV
_kerberos._tcp.dc._msdcs.douglas.lan
nodo1.douglas.lan 88 as _kerberos._tcp.dc._msdcs.douglas.lan.
Checking
0
100
88
nodo1.douglas.lan.
against
SRV
_kerberos._tcp.dc._msdcs.douglas.lan nodo1.douglas.lan 88
Looking
for
DNS
entry
SRV
_kerberos._tcp.default-first-sitename._sites.douglas.lan
nodo1.douglas.lan
88
as
_kerberos._tcp.default-first-site-name._sites.douglas.lan.
Checking
0
100
88
nodo1.douglas.lan.
against
SRV
_kerberos._tcp.default-first-site-name._sites.douglas.lan
nodo1.douglas.lan 88
Looking
for
DNS
entry
SRV
_kerberos._tcp.default-first-sitename._sites.dc._msdcs.douglas.lan
nodo1.douglas.lan
88
as
_kerberos._tcp.default-first-site-name._sites.dc._msdcs.douglas.lan.
Checking
0
100
88
nodo1.douglas.lan.
against
SRV
_kerberos._tcp.default-first-site-name._sites.dc._msdcs.douglas.lan
nodo1.douglas.lan 88
Looking for DNS entry SRV _kerberos._udp.douglas.lan nodo1.douglas.lan
88 as _kerberos._udp.douglas.lan.
Checking
0
100
88
nodo1.douglas.lan.
against
SRV
_kerberos._udp.douglas.lan nodo1.douglas.lan 88
Looking for DNS entry SRV _ldap._tcp.douglas.lan nodo1.douglas.lan 389
as _ldap._tcp.douglas.lan.
Checking
0
100
389
nodo1.douglas.lan.
against
SRV
_ldap._tcp.douglas.lan nodo1.douglas.lan 389
Looking
for
DNS
entry
SRV
_ldap._tcp.dc._msdcs.douglas.lan
nodo1.douglas.lan 389 as _ldap._tcp.dc._msdcs.douglas.lan.
Checking
0
100
389
nodo1.douglas.lan.
against
SRV
_ldap._tcp.dc._msdcs.douglas.lan nodo1.douglas.lan 389
Looking
for
DNS
entry
SRV
_ldap._tcp.gc._msdcs.douglas.lan
nodo1.douglas.lan 3268 as _ldap._tcp.gc._msdcs.douglas.lan.
Checking
0
100
3268
nodo1.douglas.lan.
against
SRV
_ldap._tcp.gc._msdcs.douglas.lan nodo1.douglas.lan 3268
Looking
for
DNS
entry
SRV
_ldap._tcp.pdc._msdcs.douglas.lan
nodo1.douglas.lan 389 as _ldap._tcp.pdc._msdcs.douglas.lan.
Checking
0
100
389
nodo1.douglas.lan.
against
SRV
_ldap._tcp.pdc._msdcs.douglas.lan nodo1.douglas.lan 389
Looking
for
DNS
entry
SRV
_ldap._tcp.default-first-sitename._sites.douglas.lan nodo1.douglas.lan 389 as _ldap._tcp.defaultfirst-site-name._sites.douglas.lan.
Checking 0 100 389 nodo1.douglas.lan. against SRV _ldap._tcp.defaultfirst-site-name._sites.douglas.lan nodo1.douglas.lan 389
Looking
for
DNS
entry
SRV
_ldap._tcp.default-first-sitename._sites.dc._msdcs.douglas.lan
nodo1.douglas.lan
389
as
_ldap._tcp.default-first-site-name._sites.dc._msdcs.douglas.lan.
Checking 0 100 389 nodo1.douglas.lan. against SRV _ldap._tcp.defaultfirst-site-name._sites.dc._msdcs.douglas.lan nodo1.douglas.lan 389
Looking
for
DNS
entry
SRV
_ldap._tcp.default-first-sitename._sites.gc._msdcs.douglas.lan
nodo1.douglas.lan
3268
as
_ldap._tcp.default-first-site-name._sites.gc._msdcs.douglas.lan.
Checking 0 100 3268 nodo1.douglas.lan. against SRV _ldap._tcp.defaultfirst-site-name._sites.gc._msdcs.douglas.lan nodo1.douglas.lan 3268
Looking
for
DNS
entry
SRV
_ldap._tcp.15cf6198-7655-4ba1-95632682bf9b6483.domains._msdcs.douglas.lan
nodo1.douglas.lan
389
as
_ldap._tcp.15cf6198-7655-4ba1-95632682bf9b6483.domains._msdcs.douglas.lan.
Checking 0 100 389 nodo1.douglas.lan. against SRV _ldap._tcp.15cf61987655-4ba1-9563-2682bf9b6483.domains._msdcs.douglas.lan
nodo1.douglas.lan 389
Looking for DNS entry SRV _gc._tcp.douglas.lan nodo1.douglas.lan 3268
as _gc._tcp.douglas.lan.
Checking
0
100
3268
nodo1.douglas.lan.
against
SRV
_gc._tcp.douglas.lan nodo1.douglas.lan 3268
Looking
for
DNS
entry
SRV
_gc._tcp.default-first-sitename._sites.douglas.lan nodo1.douglas.lan 3268 as _gc._tcp.defaultfirst-site-name._sites.douglas.lan.
Checking 0 100 3268 nodo1.douglas.lan. against SRV _gc._tcp.defaultfirst-site-name._sites.douglas.lan nodo1.douglas.lan 3268
No DNS updates needed
Agora vamos mandar atualizar todos os registros
samba_dnsupdate --verbose --all-names
IPs: ['192.168.0.25']
Calling nsupdate for A douglas.lan 192.168.0.25
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
douglas.lan.
900
IN
192.168.0.25
Calling
nsupdate
for
SRV
_kerberos._tcp.default-first-sitename._sites.douglas.lan nodo1.douglas.lan 88
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:
0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.default-first-site-name._sites.douglas.lan. 900 IN SRV
0 100 88 nodo1.douglas.lan.
Calling
nsupdate
for
SRV
_kerberos._tcp.default-first-sitename._sites.dc._msdcs.douglas.lan nodo1.douglas.lan 88
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:
0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.default-first-site-name._sites.dc._msdcs.douglas.lan.
900 IN SRV0 100 88 nodo1.douglas.lan.
Calling nsupdate for SRV _kerberos._udp.douglas.lan nodo1.douglas.lan
88
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:
0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._udp.douglas.lan. 900
IN
SRV
0
100
88
nodo1.douglas.lan.
Calling nsupdate for SRV _ldap._tcp.douglas.lan nodo1.douglas.lan 389
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:
0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.douglas.lan.
900
IN
SRV
0
100
389
nodo1.douglas.lan.
Calling
nsupdate
for
SRV
_ldap._tcp.dc._msdcs.douglas.lan
nodo1.douglas.lan 389
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:
0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.dc._msdcs.douglas.lan. 900 IN SRV 0
100
389
nodo1.douglas.lan.
Calling
nsupdate
for
SRV
_ldap._tcp.gc._msdcs.douglas.lan
nodo1.douglas.lan 3268
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:
0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.gc._msdcs.douglas.lan. 900 IN SRV 0
100
3268
nodo1.douglas.lan.
Calling
nsupdate
for
SRV
_ldap._tcp.pdc._msdcs.douglas.lan
nodo1.douglas.lan 389
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:
0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.pdc._msdcs.douglas.lan. 900 IN SRV 0
100
389
nodo1.douglas.lan.
Calling
nsupdate
for
SRV
_ldap._tcp.default-first-sitename._sites.douglas.lan nodo1.douglas.lan 389
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:
0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.default-first-site-name._sites.douglas.lan. 900 IN SRV 0
100 389 nodo1.douglas.lan.
Calling
nsupdate
for
SRV
_ldap._tcp.default-first-sitename._sites.dc._msdcs.douglas.lan nodo1.douglas.lan 389
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:
0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.default-first-site-name._sites.dc._msdcs.douglas.lan.
900
IN
SRV 0 100 389 nodo1.douglas.lan.
Calling
nsupdate
for
SRV
_ldap._tcp.default-first-sitename._sites.gc._msdcs.douglas.lan nodo1.douglas.lan 3268
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:
0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.default-first-site-name._sites.gc._msdcs.douglas.lan.
900
IN
SRV 0 100 3268 nodo1.douglas.lan.
Calling
nsupdate
for
SRV
_ldap._tcp.15cf6198-7655-4ba1-95632682bf9b6483.domains._msdcs.douglas.lan nodo1.douglas.lan 389
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:
0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.15cf6198-7655-4ba1-95632682bf9b6483.domains._msdcs.douglas.lan.
900IN
SRV
0
100
389
nodo1.douglas.lan.
Calling nsupdate for SRV _gc._tcp.douglas.lan nodo1.douglas.lan 3268
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:
0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_gc._tcp.douglas.lan. 900
IN
SRV
0
100
3268
nodo1.douglas.lan.
Calling
nsupdate
for
SRV
_gc._tcp.default-first-sitename._sites.douglas.lan nodo1.douglas.lan 3268
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:
0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_gc._tcp.default-first-site-name._sites.douglas.lan. 900 IN SRV
0
100 3268 nodo1.douglas.lan.
Agora vamos efetuar uma consulta de DNS para registros de serviços.
Vamos consultar o serviço do LDAP
host -t SRV _ldap._tcp.douglas.lan.
2 - Clique com o botão direito no Meu Computador -> Propriedades -> Alterar Nome do Computador -> coloque o nome do domínio: dominioempresa; será solicitado o nome de usuário e a senha do admin, Administrator e a senha cadastrada anteriormente.
Gerenciador de Usuário.
2 - Clique com o botão direito no Meu computador -> Propriedades -> Alterar configurações -> Altere o nome do domínio para linuxextreme
Diferente do Windows XP, o Windows 7 só precisa de um arquivo para download.
http://www.microsoft.com/en-us/download/details.aspx?id=7887
Após a instalação, no Painel de Controle -> Programas e Recursos -> Ativar e Desativar recursos do Windows, adicione as opções do Remote administration tools como na imagem abaixo.
Administrando o SAMBA 4
Para alterar a complexidade de senha do SAMBA4 utilize o poderoso comando samba-tool.
Mudar o histórico de senhas, que impede que o usuário utilize uma senha repetida (o usuário não vai poder repetir nenhuma das últimas 5 senhas):
# samba-tool domain passwordsettings set --history-length=5
Para mudar a senha de um usuário do domínio dentro do Windows XP basta logar com o usuário, pressionar Ctrl+Alt+Del e clicar em alterar senha.
Verificando entradas do DNS
# samba-tool dns query 127.0.0.1 dominio.intra @ ALL -U administrator
NOTAS:
1 A configuração do usuário terá efeito depois de sair e fazer o login.
2 A configuração do computador terá efeito quando você reiniciar o computador.
3 Políticas GPO de senha não são lidas pelo Samba ao atribuir senhas; para mudar a política que o Samba usa, você deve usar samba-tool domain passwordsettings
Para isso será necessário possuir os arquivos de instalação do Samba4, aqueles que normalmente baixamos em /usr/src.
Configurao:
etc.{Timestamp}.tar.bz2
samba4_private.{Timestamp}.tar.bz2
sysvol.{Timestamp}.tar.bz
Se o backup rodou sem erros e os arquivos acima foram gerados com sucesso, crie um agendamento de backup no cron.
# crontab e
Adicione a linha abaixo para efetuar o backup diário às 02:00:
0 2 * * * /usr/sbin/samba_backup
Restore:
- Neste cenário, vamos simular que o Domain Controller sofreu um dano irreversível, sendo necessário subir um novo servidor em um novo hardware. O procedimento que eu segui deu certo e funcionou perfeitamente, seguindo o conceito de que o novo servidor irá substituir por completo o antigo hardware, e de que os arquivos de backup estão salvos em um local seguro (fita, CD, pendrive, etc.).
Antes de prosseguir, configure a nova máquina com as configurações abaixo:
- Instalação do Samba4:
Instale a mesma versão do SAMBA da versão anterior (no meu caso, versão 4.0.5).
- Arquivos de Backup:
Copie os arquivos de backup, que devem estar salvos em lugar seguro, para /usr/local/samba/backups
Obs: executei essas configurações e consegui restaurar as configurações PERFEITAMENTE.
 
- Executar o Restore no novo servidor:
# cd /usr/local/samba/backups
Descompacte os arquivos de backup em seus respectivos locais:
# tar -jxf etc.{Timestamp}.tar.bz2 -C /usr/local/samba/
# tar -jxf samba4_private.{Timestamp}.tar.bz2 -C /usr/local/samba/
# tar -jxf sysvol.{Timestamp}.tar.bz2 -C /usr/local/samba/
Renomeie os arquivos *.ldb.bak que estão em /usr/local/samba/private para *.ldb com o comando abaixo:
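# find /usr/local/samba/private/ -type f -name '*.ldb.bak' -print0 | while IFS= read -r -d '' f; do mv -- "$f" "${f%.bak}"; done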
Se o backup não contiver ACLs estendidas, execute o comando abaixo:
# samba-tool ntacl sysvolreset
Neste ponto o backup já está recuperado. Inicie o samba e faça alguns testes:
# /etc/init.d/samba start
*IMPORTANTE: Neste cenário o módulo DNS é o SAMBA Internal; sendo assim, não é necessário efetuar mais nenhuma configuração, pois o novo PDC já estará funcionando perfeitamente.
Porém, se o módulo DNS for o BIND9, será necessário, além de executar os passos acima, executar os procedimentos do LINK:
https://wiki.samba.org/index.php/DNS#A_note_on_DNS_problems_with_BIND9_DLZ
[home]
path = /srv/samba/home/
read only = No
Don't name the share [homes], as this is a special section (see the smb.conf manpage)! The [homes] section can't handle the automatic folder creation we'll set up below!
Create the folder that will contain the home directories later. The
permissions will be set later.
# mkdir /srv/samba/home/
Se você tem a exigência de que seus usuários precisem acessar sua pasta pessoal localmente no servidor também, adicione adicionalmente essas contas de usuário ou um grupo que as contenha. Porque, se o usuário efetuar login localmente no servidor, não existe um "Usuário Autenticado"! As permissões para esse grupo adicional têm que ser as mesmas do que para "usuários autenticados".
Vá até a aba SEGURANÇA
Administrator:
Creator Owner:
Domain Admins:
System:
Full Control
Full Control
Full Control
Full Control
# file: /share/home/mrocha/
# owner: EMPRESA\134mrocha
# group: EMPRESA\134Domain\040Admins
user::rwx
user:root:rwx
user:3000005:rwx
user:3000018:rwx
group::rwx
group:EMPRESA\134Domain\040Admins:rwx
group:3000018:rwx
group:3000029:rwx
mask::rwx
other::--default:user::rwx
default:user:root:rwx
default:user:3000005:rwx
default:user:3000018:rwx
default:user:EMPRESA\134mrocha:rwx
default:group::--default:group:EMPRESA\134Domain\040Admins:rwx
default:group:3000018:rwx
As some of the xIDs may not be resolved, you can search for them in Samba's local ID mapping database. Example:
default:mask::rwx
default:other::---
Descrio
[netlogon]
comment = The domain logon service
path = /share/netlogon
# valid users = @"Domain Users"
valid users = %U
browseable = no
guest ok = yes
writeable = no
read only = yes
[root@dominio ~]# cat /share/netlogon/proxyauth
allow
[root@dominio ~]# chmod 777 /share/netlogon/proxyauth
Observe que o helper apenas lê o arquivo proxyauth (veja "Contents of //DOMINIO/NETLOGON/proxyauth" na saída abaixo), então o chmod 777 acima não é necessário: permissão de leitura basta, e dar escrita para todos permite que qualquer usuário local do servidor altere a decisão de "allow".
Abaixo iremos realizar um teste do usuário e senha. Onde escrevo USUARIO SENHA, substitua por dados reais. Após dar um enter no comando, escreva, separados por um espaço, o usuário e a senha, depois dê enter e espere.
Quando eu escrevo um usuário e senha corretos tenho a mensagem de OK ao final.
Observação para o domínio, no qual se omite o .net, .com, etc.
(root@proxy)~# /usr/local/libexec/squid/smb_auth -W DOMINIOEMPRESA -d
USUARIO SENHA
Domain name: DOMINIOEMPRESA
Pass-through authentication: no
Query address options:
Domain controller IP address: 192.168.218.190
Domain controller NETBIOS name: DOMINIO
Contents of //DOMINIO/NETLOGON/proxyauth: allow
OK
Quando introduzo um usuário e senha incorretos tenho a mensagem de ERR ao final.
Descrio
Softwares e Verses
Squid 2.5.X
Samba client 3.x
Editar o smb.conf
workgroup = mydomain
password server = myPDC
security = ads
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind use default domain = yes
# tirar outras opcoes de dominio master
Entrar no dominio.
1080 ?
Ssl
10:04
0:00
$ wbinfo -t
Secret is good
$ wbinfo -a mydomain\\myuser%mypasswd
plaintext password authentication succeeded
error code was NT_STATUS_OK (0x0)
challenge/response password authentication succeeded
error code was NT_STATUS_OK (0x0)
MSNT
Editar o /etc/squid/msntauth.conf
Editar o squid.conf:
auth_param
auth_param
auth_param
auth_param
basic
basic
basic
basic
program /usr/local/squid/libexec/msnt_auth
children 5
realm Usurio e Senha
credentialsttl 5 minutes
NTLM
$ /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
myuser mypasswd
OK
$ /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
mydomain+myuser mypasswd
OK
Inserir no squid.conf:
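#Auth AD
# The helper protocol name carries a dash before the version, "squid-2.5-ntlmssp"
# and "squid-2.5-basic" (compare the interactive ntlm_auth tests above); the
# dash-less "squid2.5-..." form is not one of ntlm_auth's protocol names.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Linux Proxy Server
auth_param basic credentialsttl 2 hours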
1.34b
3.6.23
3.6.23
3.6.23
3.6.23
3.6.23
samba3-utils
3.6.23
samba3-winbind 3.6.23
samba3-winbind-32bit 3.6.23
yast2-samba-client
2.14.4
yast2-samba-server
2.14.3
cat /etc/krb5.conf
[libdefaults]
default_realm = DOMINIOEMPRESA.NET
clockskew = 300
[realms]
DOMINIOEMPRESA.NET = {
kdc = dominio.dominioempresa.net
default_domain = dominioempresa.net
admin_server = DOMINIO.DOMINIOEMPRESA.NET
}
EXAMPLE.COM = {
kdc = dominio.dominioempresa.net
admin_server = dominio.dominioempresa.net
}
[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON
[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 1
use_shmem = sshd
}
[domain_realm]
.DOMINIOEMPRESA.NET = DOMINIOEMPRESA.NET
.DOMINIOEMPRESA = DOMINIOEMPRESA.NET
.dominioempresa.net = DOMINIOEMPRESA.NET
[global]
security = ADS
realm = DOMINIOEMPRESA.NET
workgroup = DOMINIOEMPRESA
idmap uid = 500-40000
[htdocs]
comment = Aplicacoes
path = /opt/apache/htdocs
read only = No
writable = yes
# NOTE(review): 0777 masks make every file and directory created through this
# share world-readable, world-writable and executable on the server, so any
# local account can modify the web document root. If the web server runs as a
# dedicated user, a tighter mask (e.g. 0664 / 0775 with matching group
# ownership) is usually enough; the same applies to the [www] share below,
# which points at the same path.
create mask = 0777
directory mask = 0777
[www]
comment = Aplicacoes
path = /opt/apache/htdocs
read only = No
writable = yes
create mask = 0777
directory mask = 0777
cat /etc/nsswitch.conf
passwd: files winbind
group: files winbind
#passwd: compat winbind
#group: compat winbind
hosts: files dns
networks:
files dns
services:
protocols:
rpc:
files
files
files
ethers: files
netmasks:
netgroup:
publickey:
files
files nis
files
bootparams:
automount:
aliases:
files
files nis
files
cat /etc/hosts
127.0.0.1
localhost
# fqdn do servidor de dominio
192.168.218.190 DOMINIO.DOMINIOEMPRESA.NET DOMINIO
# fqdn do prprio server suse
192.168.218.204 hmgcasp.dominioempresa.net hmgcasp
hostname -f
hmgcasp.dominioempresa.net
cat /etc/resolv.conf
nameserver 192.168.218.190
search dominioempresa.net
smbclient -V
Version 3.6.23
smbd -V
Version 3.6.23
Se tudo deu certo, será solicitado o nome de usuário e a senha do admin do domínio.
wbinfo -u
asantos
anascimento
rbarreiro
wbinfo -g
allowed rodc password replication group
enterprise read-only domain controllers
denied rodc password replication group
read-only domain controllers
group policy creator owners
ras and ias servers
domain controllers
cat /etc/resolv.conf
nameserver 192.168.218.190
search dominioempresa.net
smbd -V
Version 3.6.9-167.el6_5
smbclient -V
Version 3.6.9-167.el6_5
cat /etc/samba/smb.conf
[global]
security = ads
realm= DOMINIOEMPRESA.NET
workgroup = DOMINIOEMPRESA
idmap uid = 500-40000
idmap gid =
500-40000
cat /etc/krb5.conf
[libdefaults]
default_realm = DOMINIOEMPRESA.NET
[realms]
DOMINIOEMPRESA.NET = {
kdc = dominio.dominioempresa.net
default_domain = DOMINIOEMPRESA.NET
admin_server = dominio.mistoli.net
}
[domain_realm]
.dominioempresa.net = DOMINIOEMPRESA.NET
chkconfig
chkconfig
chkconfig
chkconfig
files winbind
files
files winbind
--add nmb
--add smb
--add winbind
nmb on
chkconfig smb on
chkconfig winbind on
/etc/init.d/nmb restart
/etc/init.d/smb restart
/etc/init.d/winbind restart
wbinfo -u
douglas.santos
administrator
dns-nodo1
krbtgt
guest
Vamos listar os grupos
wbinfo -g
allowed rodc password replication group
enterprise read-only domain controllers
denied rodc password replication group
ti-admin
read-only domain controllers
group policy creator owners
ras and ias servers
domain controllers
enterprise admins
domain computers
cert publishers
dnsupdateproxy
domain admins
domain guests
schema admins
domain users
dnsadmins
Comandos