Samba 4 AD Domain Controller on Fedora

Preparation

A dracut update overwrites the DNS entries in resolv.conf

https://www.centos.org/forums/viewtopic.php?t=64258

Dropbear keys must be generated manually with the parameter -m PEM and referenced in the configuration:

https://github.com/dracut-crypt-ssh/dracut-crypt-ssh/issues/32

https://github.com/dracut-crypt-ssh/dracut-crypt-ssh/blob/master/README.md

semanage must be installed separately:

yum install policycoreutils-python-utils
curl http://azzurro.ezplanet.net/el7/EzPlanet.repo -o /etc/yum.repos.d/EzPlanet.repo

http://www.ezplanet.net/xwiki/bin/view/EzPlanetRepo/

yum update

yum install ntp krb5-workstation samba-dc samba-client

yum remove NetworkManager

https://www.youtube.com/watch?v=rv8ZLhdrA0U

(https://cockpit-project.org/)

(https://fedoramagazine.org/upgrading-fedora-30-to-fedora-31/)
SELinux policy rules must be set manually.

https://bugzilla.redhat.com/show_bug.cgi?id=1757071
Synchronize the time with a time server

https://www.tecmint.com/synchronize-time-with-ntp-in-linux/

dnf install samba-dc
(samba-tool domain provision)
systemctl start samba

kinit must be installed separately

yum -y install krb5-workstation
mv /etc/samba/smb.conf /etc/samba/smb.conf.bak
mv /etc/krb5.conf /etc/krb5.conf.bak
vi /etc/hosts
10.99.0.1 DC1.samdom.example.com DC1
cp /var/lib/samba/private/krb5.conf /etc/krb5.conf

systemctl enable samba

systemctl start samba

kinit administrator

samba-tool dns zonecreate <Your-AD-DNS-Server-IP-or-hostname> 0.99.10.in-addr.arpa
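The provisioning steps above wrapped in a POSIX shell script, added here as an example and not part of the original notes: it checks the /etc/hosts entry, moves the distribution configs aside, provisions the domain, installs the generated krb5.conf, starts samba and then verifies the new DC before creating the reverse zone derived from the DC address. The realm SAMDOM.EXAMPLE.COM, the NetBIOS domain SAMDOM and the 10.99.0.0/24 network are assumptions taken from the /etc/hosts line above; the privileged steps only run when the script is called with the argument `run`.

```shell
#!/bin/sh
# Added example, not part of the original notes. Realm, domain and the
# 10.99.0.0/24 network are assumptions taken from the /etc/hosts line above.
set -eu

REALM="SAMDOM.EXAMPLE.COM"   # assumption
DOMAIN="SAMDOM"              # assumption (NetBIOS name)
DC_IP="10.99.0.1"
DC_FQDN="dc1.samdom.example.com"

# Reverse zone for the /24 containing an IPv4 address: reverse the first
# three octets and drop the host octet, so 10.99.0.1 -> 0.99.10.in-addr.arpa.
reverse_zone() {
    printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.%s.in-addr.arpa\n", $3, $2, $1 }'
}

# Succeeds only if the hosts file maps the DC's FQDN to its LAN address.
# A loopback mapping makes the provisioned DNS records point at 127.0.0.1.
# $1 = hosts file, $2 = expected IP, $3 = FQDN
hosts_entry_ok() {
    awk -v ip="$2" -v fqdn="$3" '
        tolower($0) ~ tolower(fqdn) && $1 == ip { found = 1 }
        END { exit !found }' "$1"
}

# Privileged steps from the notes above; run as root on the future DC.
provision_dc() {
    hosts_entry_ok /etc/hosts "$DC_IP" "$DC_FQDN" ||
        { echo "/etc/hosts must map $DC_FQDN to $DC_IP" >&2; exit 1; }
    # Move the distribution configs aside so provisioning can write its own.
    [ -f /etc/samba/smb.conf ] && mv /etc/samba/smb.conf /etc/samba/smb.conf.bak
    [ -f /etc/krb5.conf ] && mv /etc/krb5.conf /etc/krb5.conf.bak
    # Prompts for the Administrator password; internal DNS as in the notes.
    samba-tool domain provision --use-rfc2307 --realm="$REALM" --domain="$DOMAIN" \
        --server-role=dc --dns-backend=SAMBA_INTERNAL
    cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
    systemctl enable --now samba
}

# Checks that the new DC answers: the LDAP SRV record from its own DNS
# (host is from bind-utils), a Kerberos ticket, then the reverse zone.
verify_dc() {
    host -t SRV "_ldap._tcp.$(printf '%s' "$REALM" | tr 'A-Z' 'a-z')" "$DC_IP"
    kinit administrator
    samba-tool dns zonecreate "$DC_IP" "$(reverse_zone "$DC_IP")" -k yes
}

# Only touch the system when explicitly asked; sourcing the file stays safe.
if [ "${1:-}" = "run" ]; then
    provision_dc
    verify_dc
fi
```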
Opening the firewall ports

firewall-cmd --permanent --zone=internal --add-service=dns
firewall-cmd --permanent --zone=internal --add-service=kerberos
firewall-cmd --permanent --zone=internal --add-service=ntp
firewall-cmd --permanent --zone=internal --add-port=135/tcp
firewall-cmd --permanent --zone=internal --add-service=samba
firewall-cmd --permanent --zone=internal --add-port=389/tcp
firewall-cmd --permanent --zone=internal --add-port=389/udp
firewall-cmd --permanent --zone=internal --add-port=464/tcp
firewall-cmd --permanent --zone=internal --add-port=464/udp
firewall-cmd --permanent --zone=internal --add-service=ldaps
firewall-cmd --permanent --zone=internal --add-port=3268/tcp
firewall-cmd --permanent --zone=internal --add-port=3269/tcp
firewall-cmd --permanent --zone=internal --add-port=49152-65535/tcp

Documentation overview

https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller

https://wiki.samba.org/index.php/User_Documentation

https://wiki.samba.org/index.php/Samba_AD_DC_Port_Usage

Adjusting password policies

https://www.oehl.tv/kennwortrichtlinien-anpassen/

From Samba 4.9 onwards

https://wiki.samba.org/index.php/Password_Settings_Objects

RSAT howto

https://www.youtube.com/watch?v=6tSH4q4Do2Q

Beginners

https://www.youtube.com/watch?v=LywlHL3zcjc

Mac integration

https://www.youtube.com/watch?v=7LotgO6C_CM

Functional level of Samba

https://wiki.samba.org/index.php/Raising_the_Functional_Levels

yum install patch python-markdown

samba-tool domain schemaupgrade --schema=2012

Further reading

https://www.admin-magazin.de/Das-Heft/2013/02/Samba-4-als-Ersatz-fuer-Microsoft-Active-Directory/(offset)/6

Adding and removing AD domain controllers

https://wiki.samba.org/index.php/Active_Directory_Sites#Scenario_B:_Moving_an_existing_Domain_Controller_to_a_site

https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory

https://wiki.samba.org/index.php/Demoting_a_Samba_AD_DC

https://wiki.samba.org/index.php/Transferring_and_Seizing_FSMO_Roles#Transferring_an_FSMO_Role

https://wiki.samba.org/index.php/Transferring_and_Seizing_FSMO_Roles

https://groups.google.com/forum/#!topic/linux.samba/4zHdXBhQtzo
Backup and Restore

https://wiki.samba.org/index.php/Back_up_and_Restoring_a_Samba_AD_DC#Online_DC_backup

BitLocker in Samba AD

http://samba.2283325.n4.nabble.com/samba4-windows-10-pro-bitlocker-key-managment-td4696100.html

https://www.reddit.com/r/sysadmin/comments/bwa0tu/store_bitlocker_recovery_keys_in_samba4_ad/

https://theitbros.com/config-active-directory-store-bitlocker-recovery-keys/

https://blogs.technet.microsoft.com/askcore/2010/04/06/how-to-backup-recovery-information-in-ad-after-bitlocker-is-turned-on-in-windows-7/

https://www.top-password.com/blog/use-gpo-to-save-bitlocker-recovery-key-in-active-directory/

https://jackstromberg.com/2015/02/tutorial-configuring-bitlocker-to-store-recovery-keys-in-active-directory/

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj635854(v=ws.11)?redirectedfrom=MSDN

https://kidcartouche.blogspot.com/2013/03/bitlocker-drive-encryption-and-samba4.html

https://www.drwindows.de/windows-anleitungen-faq/51768-bitlocker-windows-8-windows-10-ohne-tpm.html

https://www.heise.de/tipps-tricks/BitLocker-auf-Windows-10-Festplatte-richtig-verschluesseln-4325375.html
Samba member with 8.8.8.8 as DNS server

https://www.linuxforen.de/forums/showthread.php?210901-kinit-findet-realm-nicht

Dovecot Postfix LDAP (SSL & TimeSync)

https://www.debinux.de/2014/11/dovecot-postfix-mit-ldap-zum-active-directory/

https://warlord0blog.wordpress.com/2015/09/03/dovecot-postfix-virtual-mailboxes-and-active-directory/

Read MemberOf

https://serverfault.com/questions/167371/what-permissions-are-required-for-enumerating-users-groups-in-active-directory
GSSAPI

https://wiki.samba.org/index.php/Authenticating_Dovecot_against_Active_Directory
NTLM

https://wiki.dovecot.org/HowTo/ActiveDirectoryNtlm

https://wiki.dovecot.org/Authentication/Mechanisms/Winbind

Test the login with: kinit username

https://dovecot.org/list/dovecot/2005-April/076799.html

https://blog.andreev.it/?p=2720
https://www.tummy.com/software/vpostmaster/recipes/dovecotsasl.html

http://dovecot.2317879.n4.nabble.com/Need-to-authenticate-Outlook-and-NTLM-td66483.html

https://www.experts-exchange.com/questions/28596234/get-dovecot-working-with-ntlm.html

passdb {
  driver = pam
}

https://dovecot.org/list/dovecot/2011-September/131263.html

auth default

https://dovecot.org/doc/dovecot-example.conf

service auth {
  user = root
}
Dracut overwrites ifcfg-eth0

https://www.centos.org/forums/viewtopic.php?t=64258

Demo

https://www.samba.org/tridge/Samba4Demo/?C=N;O=D