Samba 4 AD Domain Controller on Fedora
Preparation
A Dracut update overwrites the DNS entries in resolv.conf
https://www.centos.org/forums/viewtopic.php?t=64258
Dropbear keys must be generated manually with the parameter -m PEM and included in the configuration:
https://github.com/dracut-crypt-ssh/dracut-crypt-ssh/issues/32
https://github.com/dracut-crypt-ssh/dracut-crypt-ssh/blob/master/README.md
semanage must be installed separately:
yum install policycoreutils-python-utils
curl http://azzurro.ezplanet.net/el7/EzPlanet.repo -o /etc/yum.repos.d/EzPlanet.repo
http://www.ezplanet.net/xwiki/bin/view/EzPlanetRepo/
yum update
yum install ntp krb5-workstation samba-dc samba-client
yum remove NetworkManager
https://www.youtube.com/watch?v=rv8ZLhdrA0U
(https://cockpit-project.org/)
(https://fedoramagazine.org/upgrading-fedora-30-to-fedora-31/)
SELinux policy rules must be set manually.
https://bugzilla.redhat.com/show_bug.cgi?id=1757071
Synchronise the clock with a time server
https://www.tecmint.com/synchronize-time-with-ntp-in-linux/
dnf install samba-dc
(samba-tool domain provision)
systemctl start samba
kinit must be installed separately
yum -y install krb5-workstation
mv /etc/samba/smb.conf /etc/samba/smb.conf.bak
mv /etc/krb5.conf /etc/krb5.conf.bak
vi /etc/hosts
10.99.0.1 DC1.samdom.example.com DC1
cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
systemctl enable samba
systemctl start samba
kinit administrator
samba-tool dns zonecreate <Your-AD-DNS-Server-IP-or-hostname> 0.99.10.in-addr.arpa
Opening the firewall ports
firewall-cmd --permanent --zone=internal --add-service=dns;
firewall-cmd --permanent --zone=internal --add-service=kerberos;
firewall-cmd --permanent --zone=internal --add-service=ntp;
firewall-cmd --permanent --zone=internal --add-port=135/tcp;
firewall-cmd --permanent --zone=internal --add-service=samba;
firewall-cmd --permanent --zone=internal --add-port=389/tcp;
firewall-cmd --permanent --zone=internal --add-port=389/udp;
firewall-cmd --permanent --zone=internal --add-port=464/tcp;
firewall-cmd --permanent --zone=internal --add-port=464/udp;
firewall-cmd --permanent --zone=internal --add-service=ldaps;
firewall-cmd --permanent --zone=internal --add-port=3268/tcp;
firewall-cmd --permanent --zone=internal --add-port=3269/tcp;
firewall-cmd --permanent --zone=internal --add-port=49152-65535/tcp;
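The provisioning steps above hard-code one DC (10.99.0.1, DC1.samdom.example.com) and its /24 reverse zone, and the firewall list is typed out command by command. The following POSIX shell script is an added example and not part of the original notes: it derives the /etc/hosts line and the in-addr.arpa zone name from the DC's IP and FQDN, and generates the same firewall-cmd calls from one list of services and ports. It also appends `firewall-cmd --reload`, which the notes omit: `--permanent` only changes the saved configuration, not the running firewall. DC_IP, DC_FQDN and the APPLY switch are assumptions of this example; by default the firewall commands are only printed, APPLY=1 executes them.

```shell
#!/bin/sh
# Added example (not from the original notes): derive the /etc/hosts entry and
# the reverse DNS zone for a /24 from the DC's IP and FQDN, and generate the
# firewall-cmd commands for a Samba AD DC from a single port list.
# DC_IP / DC_FQDN are placeholders; APPLY=1 runs the firewall commands,
# otherwise they are printed only (dry run).

# reverse_zone 10.99.0.1 -> 0.99.10.in-addr.arpa (first three octets, reversed)
reverse_zone() {
    ip="$1"
    o1=${ip%%.*}; rest=${ip#*.}
    o2=${rest%%.*}; rest=${rest#*.}
    o3=${rest%%.*}
    printf '%s.%s.%s.in-addr.arpa\n' "$o3" "$o2" "$o1"
}

# hosts_line 10.99.0.1 DC1.samdom.example.com -> "10.99.0.1 DC1.samdom.example.com DC1"
hosts_line() {
    ip="$1"; fqdn="$2"
    short=${fqdn%%.*}          # short host name is the first label of the FQDN
    printf '%s %s %s\n' "$ip" "$fqdn" "$short"
}

# Services and ports a Samba AD DC needs, taken from the list in the notes above.
DC_SERVICES="dns kerberos ntp samba ldaps"
DC_PORTS="135/tcp 389/tcp 389/udp 464/tcp 464/udp 3268/tcp 3269/tcp 49152-65535/tcp"

# firewall_rules <zone> -> one firewall-cmd line per service/port, then the reload
firewall_rules() {
    zone="$1"
    for s in $DC_SERVICES; do
        printf 'firewall-cmd --permanent --zone=%s --add-service=%s\n' "$zone" "$s"
    done
    for p in $DC_PORTS; do
        printf 'firewall-cmd --permanent --zone=%s --add-port=%s\n' "$zone" "$p"
    done
    # --permanent only edits the saved config; the running firewall needs a reload.
    printf 'firewall-cmd --reload\n'
}

# count_rules <zone> -> number of generated commands (5 services + 8 ports + reload)
count_rules() {
    firewall_rules "$1" | wc -l | tr -d ' '
}

main() {
    DC_IP="${DC_IP:-10.99.0.1}"                     # placeholder, adjust to your DC
    DC_FQDN="${DC_FQDN:-DC1.samdom.example.com}"    # placeholder, adjust to your DC
    echo "# /etc/hosts entry:"
    hosts_line "$DC_IP" "$DC_FQDN"
    echo "# reverse zone for: samba-tool dns zonecreate <dc> <zone>"
    reverse_zone "$DC_IP"
    echo "# firewall commands (zone internal):"
    if [ "${APPLY:-0}" = 1 ]; then
        firewall_rules internal | sh -e   # execute, stop at the first failure
    else
        firewall_rules internal           # dry run: print only
    fi
}
main "$@"
```

The generated list can be compared against the Samba AD DC port usage page linked below before applying it; the dynamic RPC range (49152-65535/tcp) is kept as in the notes.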
Documentation overview
https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
https://wiki.samba.org/index.php/User_Documentation
https://wiki.samba.org/index.php/Samba_AD_DC_Port_Usage
Adjusting password policies
https://www.oehl.tv/kennwortrichtlinien-anpassen/
From Samba 4.9 onwards
https://wiki.samba.org/index.php/Password_Settings_Objects
RSAT howto
https://www.youtube.com/watch?v=6tSH4q4Do2Q
Beginners
https://www.youtube.com/watch?v=LywlHL3zcjc
Mac integration
https://www.youtube.com/watch?v=7LotgO6C_CM
Samba functional level
https://wiki.samba.org/index.php/Raising_the_Functional_Levels
yum install patch python-markdown
samba-tool domain schemaupgrade --schema=2012
Further reading
Adding and removing AD DCs
https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
https://wiki.samba.org/index.php/Demoting_a_Samba_AD_DC
https://wiki.samba.org/index.php/Transferring_and_Seizing_FSMO_Roles#Transferring_an_FSMO_Role
https://wiki.samba.org/index.php/Transferring_and_Seizing_FSMO_Roles
https://groups.google.com/forum/#!topic/linux.samba/4zHdXBhQtzo
Backup and Restore
https://wiki.samba.org/index.php/Back_up_and_Restoring_a_Samba_AD_DC#Online_DC_backup
BitLocker in Samba AD
http://samba.2283325.n4.nabble.com/samba4-windows-10-pro-bitlocker-key-managment-td4696100.html
https://www.reddit.com/r/sysadmin/comments/bwa0tu/store_bitlocker_recovery_keys_in_samba4_ad/
https://theitbros.com/config-active-directory-store-bitlocker-recovery-keys/
https://www.top-password.com/blog/use-gpo-to-save-bitlocker-recovery-key-in-active-directory/
https://kidcartouche.blogspot.com/2013/03/bitlocker-drive-encryption-and-samba4.html
https://www.drwindows.de/windows-anleitungen-faq/51768-bitlocker-windows-8-windows-10-ohne-tpm.html
Samba member with 8.8.8.8 as DNS server
https://www.linuxforen.de/forums/showthread.php?210901-kinit-findet-realm-nicht
Dovecot Postfix LDAP (SSL & TimeSync)
https://www.debinux.de/2014/11/dovecot-postfix-mit-ldap-zum-active-directory/
Read MemberOf
GSSAPI
https://wiki.samba.org/index.php/Authenticating_Dovecot_against_Active_Directory
NTLM
https://wiki.dovecot.org/HowTo/ActiveDirectoryNtlm
https://wiki.dovecot.org/Authentication/Mechanisms/Winbind
Test the login with: kinit username
https://dovecot.org/list/dovecot/2005-April/076799.html
https://blog.andreev.it/?p=2720
https://www.tummy.com/software/vpostmaster/recipes/dovecotsasl.html
http://dovecot.2317879.n4.nabble.com/Need-to-authenticate-Outlook-and-NTLM-td66483.html
https://www.experts-exchange.com/questions/28596234/get-dovecot-working-with-ntlm.html
passdb { driver = pam } pr
https://dovecot.org/list/dovecot/2011-September/131263.html
auth default
https://dovecot.org/doc/dovecot-example.conf
service auth {
user = root
}
http://dovecot.2317879.n4.nabble.com/Need-to-authenticate-Outlook-and-NTLM-td66483.html
Dracut overwrites ifcfg-eth0
https://www.centos.org/forums/viewtopic.php?t=64258
Demo