docpublic:systemes:samba4dc [2015/05/23 20:56] procacci@tem-tsp.eu [Kerberos]
docpublic:systemes:samba4dc [2015/06/06 14:46] (current) procacci@tem-tsp.eu [Samba 4 DC]
  * https://wiki.samba.org/index.php/Samba_4.x_Readme_First

why Debian vs. CentOS (MIT/Heimdal Kerberos)

  * https://blog.cryptomilk.org/2014/07/09/samba-ad-dc-in-fedora-and-rhel/
  * http://opentodo.net/2013/01/samba4-as-ad-domain-controller-on-centos-6/
  * http://community.spiceworks.com/topic/535153-centos-7-samba-domain-controller
  * https://portal.enterprisesamba.com/

==== samba 4 ldap ====

  * https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
  * http://www.linux-magazine.com/Online/Features/What-s-New-in-Samba-4
  * https://www-fourier.ujf-grenoble.fr/informatique/doku.php?id=samba4#kerberos_5
  * http://doc.ubuntu-fr.org/utilisateurs/qedinux/samba_ad_dc_members
  * https://www.esup-portail.org/wiki/display/CASKERB/Mise+en+place+d%27un+serveur+Samba
  * https://wiki.archlinux.org/index.php/Active_Directory_Integration#Adding_a_machine_keytab_file_and_activating_password-free_kerberized_ssh_to_the_machine

==== packages samba ====

===== KRB change password =====

http://www.golinuxhub.com/2013/03/changing-password-of-administrator-in.html

==== kerberos ticket debug ====

<code>
root@debie:/etc# KRB5_TRACE=/dev/stdout kinit Administrator@DOM.4BO.FR
[4230] 1432418201.868726: Getting initial credentials for Administrator@DOM.4BO.FR
[4230] 1432418201.869645: Sending request (177 bytes) to DOM.4BO.FR
[4230] 1432418201.879583: Resolving hostname debie.sdom.3iboo.fr.
[4230] 1432418201.889971: Sending initial UDP request to dgram 2a01:a35:2e61:f890:21b:66ff:feb6:a4b8:88
[4230] 1432418201.925713: Received answer (295 bytes) from dgram 2a01:a35:2e61:f890:21b:66ff:feb6:a4b8:88
[4230] 1432418201.929666: Response was not from master KDC
[4230] 1432418201.929725: Received error from KDC: -1765328359/Additional pre-authentication required
[4230] 1432418201.929818: Processing preauth types: 16, 15, 2, 138, 136, 11, 19
[4230] 1432418201.929848: Selected etype info: etype rc4-hmac, salt "", params ""
Password for Administrator@DOM.4BO.FR:
[4230] 1432418225.405906: AS key obtained for encrypted timestamp: rc4-hmac/9FEF
[4230] 1432418225.406093: Encrypted timestamp (for 1432418225.401641): plain 301AA011180F32303135303532333231353730355AA10502030620E9, encrypted 55B72339C01F7AE53FAAFB50ECCE12D51C9A61F28789E2CEE9A2FA375EB95C3E96B69F12B50A048AD84A418699BB67D0EDA37551
[4230] 1432418225.406171: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[4230] 1432418225.406189: Produced preauth for next request: 2
[4230] 1432418225.406246: Sending request (251 bytes) to DOM.4BO.FR
[4230] 1432418225.418784: Resolving hostname debie.sdom.3iboo.fr.
[4230] 1432418225.428392: Sending initial UDP request to dgram 2a01:a35:2e61:f890:21b:66ff:feb6:a4b8:88
[4230] 1432418225.511409: Received answer (1388 bytes) from dgram 2a01:a35:2e61:f890:21b:66ff:feb6:a4b8:88
[4230] 1432418225.515178: Response was not from master KDC
[4230] 1432418225.515236: Salt derived from principal: DOM.4BO.FRAdministrator
[4230] 1432418225.515265: AS key determined by preauth: rc4-hmac/9FEF
[4230] 1432418225.515360: Decrypted AS reply; session key is: rc4-hmac/D86A
[4230] 1432418225.515400: FAST negotiation: available
[4230] 1432418225.515453: Initializing FILE:/tmp/krb5cc_0 with default princ Administrator@DOM.4BO.FR
[4230] 1432418225.515728: Removing Administrator@DOM.4BO.FR -> krbtgt/DOM.4BO.FR@DOM.4BO.FR from FILE:/tmp/krb5cc_0
[4230] 1432418225.515747: Storing Administrator@DOM.4BO.FR -> krbtgt/DOM.4BO.FR@DOM.4BO.FR in FILE:/tmp/krb5cc_0
[4230] 1432418225.515912: Storing config in FILE:/tmp/krb5cc_0 for krbtgt/DOM.4BO.FR@DOM.4BO.FR: fast_avail: yes
[4230] 1432418225.515966: Removing Administrator@DOM.4BO.FR -> krb5_ccache_conf_data/fast_avail/krbtgt\/DOM.4BO.FR\@DOM.4BO.FR@X-CACHECONF: from FILE:/tmp/krb5cc_0
[4230] 1432418225.515986: Storing Administrator@DOM.4BO.FR -> krb5_ccache_conf_data/fast_avail/krbtgt\/DOM.4BO.FR\@DOM.4BO.FR@X-CACHECONF: in FILE:/tmp/krb5cc_0
[4230] 1432418225.516145: Storing config in FILE:/tmp/krb5cc_0 for krbtgt/DOM.4BO.FR@DOM.4BO.FR: pa_type: 2
[4230] 1432418225.516190: Removing Administrator@DOM.4BO.FR -> krb5_ccache_conf_data/pa_type/krbtgt\/DOM.4BO.FR\@DOM.4BO.FR@X-CACHECONF: from FILE:/tmp/krb5cc_0
[4230] 1432418225.516209: Storing Administrator@DOM.4BO.FR -> krb5_ccache_conf_data/pa_type/krbtgt\/DOM.4BO.FR\@DOM.4BO.FR@X-CACHECONF: in FILE:/tmp/krb5cc_0
Warning: Your password will expire in 41 days on sam. 04 juil. 2015 23:03:44 CEST
</code>
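Added example, not part of the original notes: a small Python parser that reduces a KRB5_TRACE capture like the one above to the facts worth checking after a kinit (which pre-auth types the KDC offered, which enctype was picked for the pre-auth and session keys, and whether a TGT was actually obtained). The sample input is a cut-down copy of the trace above; WEAK_ETYPES is my own list of deprecated enctypes, not something samba-tool or kinit reports.

```python
import re
# Sample input: a cut-down copy of the KRB5_TRACE output above (first round
# answered with PREAUTH_REQUIRED, then the successful encrypted-timestamp round).
SAMPLE_TRACE = """\
[4230] 1432418201.868726: Getting initial credentials for Administrator@DOM.4BO.FR
[4230] 1432418201.929725: Received error from KDC: -1765328359/Additional pre-authentication required
[4230] 1432418201.929818: Processing preauth types: 16, 15, 2, 138, 136, 11, 19
[4230] 1432418201.929848: Selected etype info: etype rc4-hmac, salt "", params ""
Password for Administrator@DOM.4BO.FR:
[4230] 1432418225.406171: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[4230] 1432418225.515360: Decrypted AS reply; session key is: rc4-hmac/D86A
"""

RECORD = re.compile(r"^\[\d+\] \d+\.\d+: (.*)$")  # "[pid] timestamp: message"
# RC4 and single-DES enctypes are deprecated (RFC 8429, RFC 6649).
WEAK_ETYPES = {"rc4-hmac", "arcfour-hmac", "des-cbc-crc", "des-cbc-md5"}

def parse_krb5_trace(text: str) -> dict:
    """Reduce a kinit KRB5_TRACE to the facts that matter for the AS exchange."""
    ex = {"client": None, "preauth_types": [], "preauth_etype": None,
          "session_etype": None, "kdc_errors": [], "ticket_obtained": False}
    for line in text.splitlines():
        m = RECORD.match(line)
        if not m:
            continue  # password prompts and warnings are not trace records
        msg = m.group(1)
        if msg.startswith("Getting initial credentials for "):
            ex["client"] = msg.rsplit(" for ", 1)[1]
        elif msg.startswith("Processing preauth types: "):
            ex["preauth_types"] = [int(t) for t in msg.split(": ", 1)[1].split(", ")]
        elif msg.startswith("Selected etype info: etype "):
            ex["preauth_etype"] = msg.split("etype info: etype ", 1)[1].split(",", 1)[0]
        elif msg.startswith("Received error from KDC: "):
            ex["kdc_errors"].append(msg.split(": ", 1)[1])
        elif msg.startswith("Decrypted AS reply; session key is: "):
            ex["session_etype"] = msg.rsplit(": ", 1)[1].split("/", 1)[0]
            ex["ticket_obtained"] = True
    return ex

def findings(ex: dict) -> list:
    """What a defender would flag: deprecated enctypes, or no TGT at all."""
    out = []
    for label in ("preauth_etype", "session_etype"):
        if ex[label] in WEAK_ETYPES:
            out.append(f"{label} is deprecated enctype {ex[label]}")
    # PREAUTH_REQUIRED in the first round is normal; only a missing TGT is a failure.
    if not ex["ticket_obtained"]:
        out.append("no TGT: " + (ex["kdc_errors"][-1] if ex["kdc_errors"] else "no KDC reply"))
    return out
```

On the trace above this reports rc4-hmac for both keys, which is what a 2015-era Samba AD DC offered by default; on a trace that stops after the KDC error it reports the last error instead.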

<code>
Changed password OK
</code>

remove the expiry for the administrator

http://ubuntuforums.org/showthread.php?t=2146198

<code>
root@debie:~# /usr/bin/samba-tool user setexpiry Administrator --noexpiry
Processing section "[netlogon]"
Processing section "[sysvol]"
pm_process() returned Yes
Expiry for user 'Administrator' disabled.
</code>

==== ntpd ====

</code>

===== windows client Password change =====

Right after joining a Windows 7 client to the domain, changing a domain user's password via CTRL+ALT+DEL fails.

see the server log

<code>
[2015/05/25 12:36:56.110925, 3, pid=9389, effective(0, 0), real(0, 0)] ../source4/kdc/kpasswdd.c:45(kpasswdd_make_error_reply)
kpasswdd: Password change rejected, password changes may not be permitted on this account, or the minimum password age may not have elapsed.
</code>

Apparently, under the default policy, you have to wait at least 24 hours before it can be changed.

<code>
root@debie:~# samba-tool domain passwordsettings show
Processing section "[netlogon]"
Processing section "[sysvol]"
pm_process() returned Yes
Password informations for domain 'DC=dom,DC=4bo,DC=fr'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42
</code>

see http://www.eenyhelp.com/answer/samba-samba4-users-can-not-change-their-password-using-ctrl-plus-alt-plus-del-help-214381202.html

History length 24 -> 2

<code>
root@debie:/var/log/samba# samba-tool domain passwordsettings show | grep history
Password history length: 24


root@debie:/var/log/samba# samba-tool domain passwordsettings set --history-length=2
Processing section "[netlogon]"
Processing section "[sysvol]"
pm_process() returned Yes
Password history length changed!
All changes applied successfully!
root@debie:/var/log/samba# samba-tool domain passwordsettings show
Processing section "[netlogon]"
Processing section "[sysvol]"
pm_process() returned Yes
Password informations for domain 'DC=dom,DC=4bo,DC=fr'

Password complexity: on
Store plaintext passwords: off
Password history length: 2
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42

</code>
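Added example, not part of the original notes: a Python helper that parses the `samba-tool domain passwordsettings show` output above and plays back why the kpasswdd change was rejected (the 1-day minimum password age had not elapsed since the join) and what lowering the history length from 24 to 2 changes. `change_rejections` is a hypothetical, simplified model of the DC's checks (plaintext history, 3-of-4 character classes for complexity), not Samba's own code.

```python
import re

# Sample input: a copy of the `samba-tool domain passwordsettings show` output above.
SAMPLE_SETTINGS = """\
Password informations for domain 'DC=dom,DC=4bo,DC=fr'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42
"""

def parse_password_settings(text: str) -> dict:
    """Turn the 'key: value' lines into a dict: digits become int, on/off become bool."""
    policy = {}
    for line in text.splitlines():
        m = re.match(r"^(.+): (\S+)$", line)
        if m:
            key, value = m.groups()
            policy[key] = int(value) if value.isdigit() else value == "on"
    return policy

# Hypothetical helper, not Samba's code: a simplified model of the checks behind the
# kpasswdd rejection above. `history` holds the user's previous passwords, oldest
# first, in plaintext (a real DC keeps hashes); complexity is the 3-of-4 classes rule.
def change_rejections(policy: dict, hours_since_set: float, new_pw: str, history: list) -> list:
    """Reasons the DC would reject the change; an empty list means it goes through."""
    reasons = []
    min_age_h = 24 * policy["Minimum password age (days)"]
    if hours_since_set < min_age_h:
        reasons.append(f"minimum password age not elapsed ({min_age_h - hours_since_set:g} h left)")
    if len(new_pw) < policy["Minimum password length"]:
        reasons.append("shorter than minimum password length")
    classes = sum(bool(re.search(p, new_pw)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if policy["Password complexity"] and classes < 3:
        reasons.append("fails complexity (needs 3 of 4 character classes)")
    n = policy["Password history length"]
    if n and new_pw in history[-n:]:
        reasons.append(f"matches one of the last {n} passwords")
    return reasons

if __name__ == "__main__":
    policy = parse_password_settings(SAMPLE_SETTINGS)
    # The page's case: password set at domain join, change attempted about 3.5 h later.
    print(change_rejections(policy, 3.5, "N3w-Passw0rd", []))
```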
==== domain user ====
