Differences

docpublic:systemes:samba4dc [2015/05/10 17:23]
procacci@tem-tsp.eu [domain user]
docpublic:systemes:samba4dc [2015/06/06 14:46] (current)
procacci@tem-tsp.eu [Samba 4 DC]
Line 4: Line 4:
   * https://wiki.samba.org/index.php/Samba_4.x_Readme_First   * https://wiki.samba.org/index.php/Samba_4.x_Readme_First
  
 +pourquoi debian vs centos MIT/heimdal 
 +
 +  * https://blog.cryptomilk.org/2014/07/09/samba-ad-dc-in-fedora-and-rhel/
 +  * http://opentodo.net/2013/01/samba4-as-ad-domain-controller-on-centos-6/
 +  * http://community.spiceworks.com/topic/535153-centos-7-samba-domain-controller
 +  * https://portal.enterprisesamba.com/
 ==== samba 4 ldap ==== ==== samba 4 ldap ====
  
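Review bot: the line `pourquoi debian vs centos MIT/heimdal` is a bare placeholder, not an explanation; the four links below it are evidently meant to support a point about which Kerberos library (MIT or Heimdal) the distribution's Samba packages are built against, but that point is never written down. Suggest one sentence stating the conclusion (which distribution was chosen for the DC and why, in MIT vs Heimdal terms) ahead of the link list, and giving the line a `==== ... ====` heading like the rest of the page so it does not render as a stray paragraph between the `Samba_4.x_Readme_First` link and the `samba 4 ldap` section.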
Line 16: Line 22:
  
   * https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO   * https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
 +  * http://www.linux-magazine.com/Online/Features/What-s-New-in-Samba-4
 +  * https://www-fourier.ujf-grenoble.fr/informatique/doku.php?id=samba4#kerberos_5
 +  * http://doc.ubuntu-fr.org/utilisateurs/qedinux/samba_ad_dc_members
 +  * https://www.esup-portail.org/wiki/display/CASKERB/Mise+en+place+d%27un+serveur+Samba
 +  * https://wiki.archlinux.org/index.php/Active_Directory_Integration#Adding_a_machine_keytab_file_and_activating_password-free_kerberized_ssh_to_the_machine
 ==== packages samba ==== ==== packages samba ====
  
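Review bot: the five added links carry no hint of what each covers, and the last one (`...#Adding_a_machine_keytab_file_and_activating_password-free_kerberized_ssh_to_the_machine`) is about member-machine keytabs and Kerberized SSH rather than the DC HOWTO the list sits under. Suggest a few words per bullet, e.g. `* https://wiki.archlinux.org/... (machine keytab, Kerberized ssh on a member)`, and moving that one down to the member/`domain user` material.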
Line 140: Line 151:
  
 </code> </code>
 +
 +==== creation d'un domain =====
 +
 +<code>
 +root@debie:~# samba-tool domain provision --use-rfc2307 --interactive
 +Realm: DOM.4BO.FR
 + Domain [DOM]: DOM
 + Server Role (dc, member, standalone) [dc]: dc
 + DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: SAMBA_INTERNAL
 + DNS forwarder IP address (write 'none' to disable forwarding) [208.67.222.222]: none
 +Administrator password:
 +Retype password:
 +ERROR(<class 'samba.provision.ProvisioningError'>): Provision failed - ProvisioningError: guess_names: 'realm =' was not specified in supplied /etc/samba/smb.conf.  Please remove the smb.conf file and let provision generate it
 +</code>
 +
 +=> il faut retirer le fichier /etc/samba/smb.conf et s'assurer que smbd et nmbd ne tournent pas .
 +
 +<code>
 +root@debie:~# /etc/init.d/smbd stop
 +root@debie:~# /etc/init.d/nmbd stop
 +</code>
 +
 +<code>
 +root@debie:/etc/samba#  samba-tool domain provision --use-rfc2307 --interactive
 +Realm [DOM.4BO.FR]: DOM.4BO.FR
 + Domain [DOM]: DOM
 + Server Role (dc, member, standalone) [dc]: dc
 + DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: SAMBA_INTERNAL
 + DNS forwarder IP address (write 'none' to disable forwarding) [208.67.222.222]: none
 +Administrator password:
 +Retype password:
 +Looking up IPv4 addresses
 +Looking up IPv6 addresses
 +Setting up share.ldb
 +Setting up secrets.ldb
 +Setting up the registry
 +Setting up the privileges database
 +Setting up idmap db
 +Setting up SAM db
 +Setting up sam.ldb partitions and settings
 +Setting up sam.ldb rootDSE
 +Pre-loading the Samba 4 and AD schema
 +Adding DomainDN: DC=dom,DC=4bo,DC=fr
 +Adding configuration container
 +Setting up sam.ldb schema
 +Setting up sam.ldb configuration data
 +Setting up display specifiers
 +Modifying display specifiers
 +Adding users container
 +Modifying users container
 +Adding computers container
 +Modifying computers container
 +Setting up sam.ldb data
 +Setting up well known security principals
 +Setting up sam.ldb users and groups
 +Setting up self join
 +Adding DNS accounts
 +Creating CN=MicrosoftDNS,CN=System,DC=dom,DC=4bo,DC=fr
 +Creating DomainDnsZones and ForestDnsZones partitions
 +Populating DomainDnsZones and ForestDnsZones partitions
 +Setting up sam.ldb rootDSE marking as synchronized
 +Fixing provision GUIDs
 +A Kerberos configuration suitable for Samba 4 has been generated at /var/lib/samba/private/krb5.conf
 +Setting up fake yp server settings
 +Once the above files are installed, your Samba4 server will be ready to use
 +Server Role:           active directory domain controller
 +Hostname:              debie
 +NetBIOS Domain:        DOM
 +DNS Domain:            dom.4bo.fr
 +DOMAIN SID:            S-1-5-21-1003881674-2133527201-3413129890
 +</code>
 +
 +===== DNS ====
 +
 +verification des records DNS en utilisant le DNS du localhost 
 +
 +<code>
 +root@debie:/etc/samba# host -t SRV _ldap._tcp.dom.4bo.fr. 192.168.1.9
 +Using domain server:
 +Name: 192.168.1.9
 +Address: 192.168.1.9#53
 +Aliases:
 +
 +_ldap._tcp.dom.4bo.fr has SRV record 0 100 389 debie.dom.4bo.fr.
 +
 +
 +root@debie:/etc/samba# host -t SRV _kerberos._udp.dom.4bo.fr. 192.168.1.9
 +Using domain server:
 +Name: 192.168.1.9
 +Address: 192.168.1.9#53
 +Aliases:
 +
 +_kerberos._udp.dom.4bo.fr has SRV record 0 100 88 debie.dom.4bo.fr.
 +
 +
 +root@debie:/etc/samba# dig @192.168.1.9 -t SRV  _ldap._tcp.dom.4bo.fr.
 +
 +; <<>> DiG 9.9.5-9-Debian <<>> @192.168.1.9 -t SRV _ldap._tcp.dom.4bo.fr.
 +; (1 server found)
 +;; global options: +cmd
 +;; Got answer:
 +;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13811
 +;; flags: qr aa rd ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
 +;; WARNING: recursion requested but not available
 +
 +;; QUESTION SECTION:
 +;_ldap._tcp.dom.4bo.fr.    IN    SRV
 +
 +;; ANSWER SECTION:
 +_ldap._tcp.dom.4bo.fr. 900    IN    SRV    0 100 389 debie.dom.4bo.fr.
 +
 +;; Query time: 3 msec
 +;; SERVER: 192.168.1.9#53(192.168.1.9)
 +;; WHEN: Sun May 10 12:56:38 CEST 2015
 +;; MSG SIZE  rcvd: 68
 +
 +
 +root@debie:/etc/samba# host -t A debie.dom.4bo.fr. 192.168.1.9
 +Using domain server:
 +Name: 192.168.1.9
 +Address: 192.168.1.9#53
 +Aliases:
 +</code>
 +
  
  
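Review bot: the last check in the DNS block, `host -t A debie.dom.4bo.fr. 192.168.1.9`, shows no answer after `Aliases:`, so either the output was cut when pasted or the DC has no A record, and every SRV record shown (`_ldap._tcp`, `_kerberos._udp`) points at `debie.dom.4bo.fr.`, which clients must be able to resolve for LDAP and Kerberos to work at all. Suggest pasting the complete A-record output (or, if the lookup really came back empty, adding the record with `samba-tool dns add` and re-running the check) before this section is relied on. Two smaller points: the new headings have unbalanced delimiters (`==== creation d'un domain =====` and `===== DNS ====`); DokuWiki sets the level from the leading `=` count, so these render at different levels from each other and from the surrounding `==== ... ====` sections. And the sentence after the `ProvisioningError` block should say that provision generates `smb.conf` itself, which is why the old file has to go (the error message already says so); stopping `smbd`/`nmbd` is the right companion step.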
Line 158: Line 293:
 </code> </code>
  
 +<code>
 +root@debie:/etc/samba# ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf
 +root@debie:/etc/samba# cat /etc/krb5.conf
 +[libdefaults]
 +    default_realm = DOM.4BO.FR
 +    dns_lookup_realm = false
 +    dns_lookup_kdc = true
 +
 +</code>
 +
 +
 +<code>
 +Configuration de l'authentification Kerberos ├──────────────────────────────────────┐
 +                                       │ Veuillez indiquer les noms d'hôtes des serveurs Kerberos dans le royaume Kerberos DOM.4BO.FR, séparés par des espaces. 
 +                                       │                                                                                                                            │
 +                                       │ Serveurs Kerberos du royaume :                                                                                             │
 +                                       │                                                                                                                            │
 +                                       │ debie.dom.4bo.fr______________________________________
 +
 +
 +Configuration de l'authentification Kerberos ├─────────────────────────────────────────────────┐
 +                            │ Veuillez indiquer le nom d'hôte du serveur administratif (permettant les modifications de mot de passe) pour le royaume Kerberos DOM.4BO.FR. 
 +                            │                                                                                                                                                  │
 +                            │ Serveur administratif du royaume Kerberos :                                                                                                      │
 +                            │                                                                                                                                                  │
 +                            │ debie.dom.4bo.fr__________________________________________________________
 +
 + Configuration de l'authentification Kerberos ├────────────────────────────────────────────────────────────────────────────┐
 + │ Quand les utilisateurs tentent d'utiliser Kerberos et indiquent un principal ou un identifiant sans préciser à quel royaume (« realm ») administratif Kerberos ce principal est attaché, le système   │
 + │ ajoute le royaume par défaut. Le royaume par défaut peut également être utilisé comme royaume d'un service Kerberos s'exécutant sur la machine locale. Il est d'usage que le royaume par défaut soit  │
 + │ le nom de domaine DNS local en majuscules.                                                                                                                                                            │
 + │                                                                                                                                                                                                       │
 + │ Royaume (« realm ») Kerberos version 5 par défaut :                                                                                                                                                   │
 + │                                                                                                                                                                                                       │
 + │ DOM.4BO.FR__________________________________________________________________________
 +
 +</code>
 +
 +Attention, il faut bien avoir sont ip de DC dans le resolv.conf
 +
 +
 +<code>
 +root@debie:/etc/samba# kinit administrator@DOM.4BO.FR
 +Password for administrator@DOM.4BO.FR:
 +Warning: Your password will expire in 41 days on dim. 21 juin 2015 11:11:26 CEST
 +
 +
 +root@debie:/etc/samba# klist
 +Ticket cache: FILE:/tmp/krb5cc_0
 +Default principal: administrator@DOM.4BO.FR
 +
 +Valid starting       Expires              Service principal
 +10/05/2015 14:35:08  11/05/2015 00:35:08  krbtgt/DOM.4BO.FR@DOM.4BO.FR
 +    renew until 11/05/2015 14:34:58
 +</code>
 +
 +
 +===== KRB change password =====
 +
 +http://www.golinuxhub.com/2013/03/changing-password-of-administrator-in.html
 +
 +==== kerberos ticket debug ====
 +
 +<code>
 +
 +root@debie:/etc# KRB5_TRACE=/dev/stdout kinit Administrator@DOM.4BO.FR
 +[4230] 1432418201.868726: Getting initial credentials for Administrator@DOM.4BO.FR
 +[4230] 1432418201.869645: Sending request (177 bytes) to DOM.4BO.FR
 +[4230] 1432418201.879583: Resolving hostname debie.sdom.3iboo.fr.
 +[4230] 1432418201.889971: Sending initial UDP request to dgram 2a01:a35:2e61:f890:21b:66ff:feb6:a4b8:88
 +[4230] 1432418201.925713: Received answer (295 bytes) from dgram 2a01:a35:2e61:f890:21b:66ff:feb6:a4b8:88
 +[4230] 1432418201.929666: Response was not from master KDC
 +[4230] 1432418201.929725: Received error from KDC: -1765328359/Additional pre-authentication required
 +[4230] 1432418201.929818: Processing preauth types: 16, 15, 2, 138, 136, 11, 19
 +[4230] 1432418201.929848: Selected etype info: etype rc4-hmac, salt "", params ""
 +Password for Administrator@DOM.4BO.FR:
 +[4230] 1432418225.405906: AS key obtained for encrypted timestamp: rc4-hmac/9FEF
 +[4230] 1432418225.406093: Encrypted timestamp (for 1432418225.401641): plain 301AA011180F32303135303532333231353730355AA10502030620E9, encrypted 55B72339C01F7AE53FAAFB50ECCE12D51C9A61F28789E2CEE9A2FA375EB95C3E96B69F12B50A048AD84A418699BB67D0EDA37551
 +[4230] 1432418225.406171: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
 +[4230] 1432418225.406189: Produced preauth for next request: 2
 +[4230] 1432418225.406246: Sending request (251 bytes) to DOM.4BO.FR
 +[4230] 1432418225.418784: Resolving hostname debie.sdom.3iboo.fr.
 +[4230] 1432418225.428392: Sending initial UDP request to dgram 2a01:a35:2e61:f890:21b:66ff:feb6:a4b8:88
 +[4230] 1432418225.511409: Received answer (1388 bytes) from dgram 2a01:a35:2e61:f890:21b:66ff:feb6:a4b8:88
 +[4230] 1432418225.515178: Response was not from master KDC
 +[4230] 1432418225.515236: Salt derived from principal: DOM.4BO.FRAdministrator
 +[4230] 1432418225.515265: AS key determined by preauth: rc4-hmac/9FEF
 +[4230] 1432418225.515360: Decrypted AS reply; session key is: rc4-hmac/D86A
 +[4230] 1432418225.515400: FAST negotiation: available
 +[4230] 1432418225.515453: Initializing FILE:/tmp/krb5cc_0 with default princ Administrator@DOM.4BO.FR
 +[4230] 1432418225.515728: Removing Administrator@DOM.4BO.FR -> krbtgt/DOM.4BO.FR@DOM.4BO.FR from FILE:/tmp/krb5cc_0
 +[4230] 1432418225.515747: Storing Administrator@DOM.4BO.FR -> krbtgt/DOM.4BO.FR@DOM.4BO.FR in FILE:/tmp/krb5cc_0
 +[4230] 1432418225.515912: Storing config in FILE:/tmp/krb5cc_0 for krbtgt/DOM.4BO.FR@DOM.4BO.FR: fast_avail: yes
 +[4230] 1432418225.515966: Removing Administrator@DOM.4BO.FR -> krb5_ccache_conf_data/fast_avail/krbtgt\/DOM.4BO.FR\@DOM.4BO.FR@X-CACHECONF: from FILE:/tmp/krb5cc_0
 +[4230] 1432418225.515986: Storing Administrator@DOM.4BO.FR -> krb5_ccache_conf_data/fast_avail/krbtgt\/DOM.4BO.FR\@DOM.4BO.FR@X-CACHECONF: in FILE:/tmp/krb5cc_0
 +[4230] 1432418225.516145: Storing config in FILE:/tmp/krb5cc_0 for krbtgt/DOM.4BO.FR@DOM.4BO.FR: pa_type: 2
 +[4230] 1432418225.516190: Removing Administrator@DOM.4BO.FR -> krb5_ccache_conf_data/pa_type/krbtgt\/DOM.4BO.FR\@DOM.4BO.FR@X-CACHECONF: from FILE:/tmp/krb5cc_0
 +[4230] 1432418225.516209: Storing Administrator@DOM.4BO.FR -> krb5_ccache_conf_data/pa_type/krbtgt\/DOM.4BO.FR\@DOM.4BO.FR@X-CACHECONF: in FILE:/tmp/krb5cc_0
 +Warning: Your password will expire in 41 days on sam. 04 juil. 2015 23:03:44 CEST
 +</code>
 +
 +
 +<code>
 +root@debie:~# kpasswd
 +kpasswd: Cannot find KDC for requested realm getting initial ticket
 +root@debie:~# klist -e
 +klist: Credentials cache file '/tmp/krb5cc_0' not found
 +root@debie:~# samba-tool user setpassword Administrator
 +New Password:
 +INFO: Current debug levels:
 +  all: 10
 +  tdb: 10
 +....
 +  ldb: 10
 +Processing section "[netlogon]"
 +Processing section "[sysvol]"
 +pm_process() returned Yes
 +Security token SIDs (1):
 +  SID[  0]: S-1-5-18
 + Privileges (0xFFFFFFFFFFFFFFFF):
 +  Privilege[  0]: SeMachineAccountPrivilege
 +  Privilege[  1]: SeTakeOwnershipPrivilege
 +...
 +  Privilege[ 24]: SeEnableDelegationPrivilege
 + Rights (0x               0):
 +lpcfg_servicenumber: couldn't find ldb
 +schema_fsmo_init: we are master[yes] updates allowed[no]
 +schema_fsmo_init: we are master[yes] updates allowed[no]
 +ldb:acl_modify: unicodePwd
 +Sorting rpmd with attid exception 3 rDN=CN DN=CN=Administrator,CN=Users,DC=dom,DC=4bo,DC=fr
 +Changed password OK
 +</code>
 +
 +retirer l'expiration pour l'administrateur 
 +
 +http://ubuntuforums.org/showthread.php?t=2146198
 +
 +<code>
 +root@debie:~# /usr/bin/samba-tool user setexpiry Administrator --noexpiry
 +Processing section "[netlogon]"
 +Processing section "[sysvol]"
 +pm_process() returned Yes
 +Expiry for user 'Administrator' disabled.
 +</code>
  
 ==== ntpd ==== ==== ntpd ====
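Review bot: the `kpasswd` failure (`Cannot find KDC for requested realm getting initial ticket`) is pasted without a cause or a fix, and the command that follows, `samba-tool user setpassword Administrator`, is an administrative reset run as root on the DC, not the user-side change that `kpasswd` was attempting, so the section title `KRB change password` does not match what is actually done. Suggest stating why kpasswd could not locate the KDC here (the generated `krb5.conf` has no `[realms]` section and relies on `dns_lookup_kdc = true`, and the note `il faut bien avoir sont ip de DC dans le resolv.conf` already points at the resolver) and keeping the reset as a clearly labelled fallback. Also: the `KRB5_TRACE` output resolves `debie.sdom.3iboo.fr.` while every other block on the page uses `debie.dom.4bo.fr`, so either the trace was taken on a different setup or the anonymization is inconsistent, and a reader cannot reproduce it; and `samba-tool user setexpiry Administrator --noexpiry` removes the 42-day maximum age for the most privileged account in the domain, which deserves a sentence on why it was done (lab convenience vs. production), given that the default policy shown further down is kept for everyone else.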
Line 194: Line 473:
 </code> </code>
  
 +===== windows client Password change =====
  
 +juste apres integrer un poste client W7 dans le domaine, le changement de password user de domain via CTRL+ALT+SUPP echoue
 +
 +cf log serveur 
 +
 +<code>
 +[2015/05/25 12:36:56.110925,  3, pid=9389, effective(0, 0), real(0, 0)] ../source4/kdc/kpasswdd.c:45(kpasswdd_make_error_reply)
 +  kpasswdd: Password change rejected, password changes may not be permitted on this account, or the minimum password age may not have elapsed.
 +</code>
 +
 +apparement il faut attendre 24H minimum avant de pouvoir le changer d'apres la politique par defaut 
 +
 +<code>
 +root@debie:~# samba-tool domain passwordsettings show
 +Processing section "[netlogon]"
 +Processing section "[sysvol]"
 +pm_process() returned Yes
 +Password informations for domain 'DC=dom,DC=4bo,DC=fr'
 +
 +Password complexity: on
 +Store plaintext passwords: off
 +Password history length: 24
 +Minimum password length: 7
 +Minimum password age (days): 1
 +Maximum password age (days): 42
 +</code>
 +
 +cf http://www.eenyhelp.com/answer/samba-samba4-users-can-not-change-their-password-using-ctrl-plus-alt-plus-del-help-214381202.html
 +
 +History lengh 24 -> 2 
 +
 +<code>
 +root@debie:/var/log/samba# samba-tool domain passwordsettings show | grep history
 +Password history length: 24
 +
 +
 +root@debie:/var/log/samba# samba-tool domain passwordsettings set --history-length=2
 +Processing section "[netlogon]"
 +Processing section "[sysvol]"
 +pm_process() returned Yes
 +Password history length changed!
 +All changes applied successfully!
 +root@debie:/var/log/samba# samba-tool domain passwordsettings show
 +Processing section "[netlogon]"
 +Processing section "[sysvol]"
 +pm_process() returned Yes
 +Password informations for domain 'DC=dom,DC=4bo,DC=fr'
 +
 +Password complexity: on
 +Store plaintext passwords: off
 +Password history length: 2
 +Minimum password length: 7
 +Minimum password age (days): 1
 +Maximum password age (days): 42
 +
 +</code>
 ==== domain user ==== ==== domain user ====
  
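Review bot: the change applied at the end of this hunk, `samba-tool domain passwordsettings set --history-length=2`, does not address the failure the hunk documents. The kpasswdd log line says the change was rejected because `the minimum password age may not have elapsed`, the text itself concludes that 24 hours must pass, and the `passwordsettings show` output confirms `Minimum password age (days): 1`; the history length only governs how many previous passwords cannot be reused. Suggest either dropping the history change or saying what it was for, and if the intent is to let freshly joined users change their password immediately, document `--min-pwd-age=0` (with the caveat that it also lets users cycle through the history in one sitting) rather than silently weakening the reuse policy from 24 to 2. Minor: `History lengh` is a typo for `History length`.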
Line 208: Line 543:
 <code> <code>
 root@debie:/var/log/samba# apt-get install ldb-tools root@debie:/var/log/samba# apt-get install ldb-tools
-<code>+</code>
  
 recherche d'un computr fraichement ajouté au domaine recherche d'un computr fraichement ajouté au domaine
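Review bot: the `-<code>+</code>` fix is correct (the `apt-get install ldb-tools` block was opened twice and never closed), nothing else to raise on this hunk; if the area is touched again, the unchanged context line `recherche d'un computr fraichement ajouté au domaine` has `computr` for `computer`.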
Line 269: Line 604:
 # 3 referrals # 3 referrals
 </code> </code>
 +
 +===== Remote Server Administration Tools RSAT =====
 +
 +ref 
 +  * https://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC#Administer_Unix_Attributes_in_Active_Directory
 +  * http://social.technet.microsoft.com/wiki/contents/articles/2202.remote-server-administration-tools-rsat-for-windows-client-and-windows-server-dsforum2wiki.aspx
 +  * https://www.microsoft.com/en-us/download/details.aspx?id=39296
 +  * 
 +
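Review bot: the last bullet of the RSAT section is an empty `*` item, which renders as a blank list entry; remove it or fill it in. The section also stops at the links: the first one is anchored at `Administer_Unix_Attributes_in_Active_Directory`, which ties back to the `--use-rfc2307` flag passed to `samba-tool domain provision` earlier on the page, so a sentence saying that this is why RSAT is wanted (to edit the RFC2307 Unix attributes from a Windows console) would connect the two; `ref` on its own line should become that lead-in sentence.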
docpublic/systemes/samba4dc.1431278621.txt.gz · Last modified: 2015/05/10 17:23 by procacci@tem-tsp.eu
CC Attribution-Noncommercial-Share Alike 4.0 International