Instalando o Samba 4

Installing and configuring Samba 4 as Master/Slave with Bind9 DLZ and Sysvol Replication on Debian Jessie
2016/05/25 08:14 1/103

(Ongoing)
Installing and configuring Samba 4 as

Master/Slave with Bind9 DLZ and Sysvol
Replication on Debian Jessie (Ongoing)
The things in portuguese are my scratch therefore don't use

please….
What's up folks, here I show you how to install and configuring the Samba 4 working as PDC and how
to configure the BDC as well, I shall use the BIND_DLZ as backend. I going to cover the Sysvol
replication but it's only a workaround as (Samba AD currently doesn't provide support for SysVol
replication.) as we cannot forget we need to configure the backup and restore too. Let's roll up our
sleeves and start to work.
NOTE: I shall work with the samba 4 4.2.2 the current stable today: 04/05/2015
NOTE: If you use Bind as Backend for your Samba AD, it must not run chroot, because it must be able
to live access files and databases from your Samba installation.
What I will use here:
Debian Jessie
IP: 192.168.25.100/24
name: samba1
domain: douglas.lan
Debian Jessie
IP: 192.168.25.101/24
name: samba2
domain: douglas.lan
We shall need to install some packets and configure some environment variables in order to work with
our system properly therefore I've created a script to configure such things the web link is follows:
http://wiki.douglasqsantos.com.br/doku.php/confinicialjessie_en fell free to change it as needed.
Note: The repositories in the script are from Brazil that is the most fast to me, so fell free to change
for your country.
After download the script need to convert it from dos to unix as follows
dos2unix ConfInicialJessie.sh
After that change the permissions
chmod +x ConfInicialJessie.sh
Now need just execute and wait
Douglas Quintiliano dos Santos - http://wiki.douglasqsantos.com.br/

Last
update:
installing_and_configuring_samba4_as_master_slave_with_bind9_dlz_and_sysvol_replication_on_debian_jessie http://wiki.douglasqsantos.com.br/doku.php/installing_and_configuring_samba4_as_master_slave_with_bind9_dlz_and_sysvol_replication_on_debian_jessie
2016/02/23
12:44
./ConfInicialJessie.sh
Configuring the Samba Master
Let's update our repositories and upgrade all the packets
aptitude update && aptitude dist-upgrade -y
Now let's change two variables in the environment to non-interactive
export DEBIAN_PRIORITY=critical
export DEBIAN_FRONTEND=noninteractive
Now we need to install some prerequisites that will able the samba4 works properly.
aptitude install libpam0g-dev git gcc make wget libacl1-dev libblkid-dev

libreadline-dev python-dev libcups2-dev libcupsfilters-dev libfam-dev \
libcupscgi1-dev libcupsimage2-dev libcupsmime1-dev libcupsppdc1-dev
libaio-dev acl-dev python-gnupg libpython-dev libghc-gnutls-dev \
acl heimdal-clients libattr1-dev libacl1-dev libattr1-dev libblkid-dev
libgnutls28-dev libreadline-dev python-dnspython gdb pkg-config libfam-dev
\
libpopt-dev libldap2-dev dnsutils libbsd-dev attr docbook-xsl python-pycurl
python-software-properties libwind0-heimdal libarchive-dev \
quota unattended-upgrades libpam-heimdal bison debhelper flex gettext
html2text intltool-debian libbison-dev libgettextpo0 libldb-dev \
libldb1 libparse-yapp-perl libpython3.4 libsmbclient libsmbclient-dev
libsubunit-dev libsubunit-perl libsubunit0 libtalloc-dev libtalloc2 \
libtdb-dev libtdb1 libtevent-dev libtevent0 libunistring0 libwbclient-dev
libwbclient0 libxslt1.1 po-debconf python-all python-all-dev python-ldb \
python-ldb-dev python-pkg-resources python-subunit python-talloc python-
talloc-dev python-tdb python-testtools subunit xsltproc libunwind-dev \
libgcrypt-dev libdbus-1-dev libedbus-dev libmodbus-dev python-dbus-dev
libcephfs-dev libavahi-core-dev python-avahi libavahi-cil-dev dmapi-dev \
heimdal-dev heimdal-multidev libasn1-8-heimdal libgssapi3-heimdal
libhcrypto4-heimdal libhdb9-heimdal libheimbase1-heimdal libheimntlm0-
heimdal \
libhx509-5-heimdal libkadm5clnt7-heimdal libkadm5srv8-heimdal libkafs0-
heimdal libkdc2-heimdal libkrb5-26-heimdal libroken18-heimdal -y
Now we need to enable the acl,user_xattr and barrier support in the / partition or another one that we
need the samba works such as /var or /srv.
vim /etc/fstab
[...]
/dev/mapper/VolGroup-lv_root / ext4
defaults,acl,user_xattr,barrier=1 1 1
http://wiki.douglasqsantos.com.br/ Printed on 2016/05/25 08:14

2016/05/25 08:14 3/103
(Ongoing)
/dev/mapper/vg01-var /var ext4
Now we need to remount the partitions with the changes or reboot the server to get the newest
changes.
mount -o remount /
mount -o remount /var
The Debian Jessie is different from both CentOS 6 or Debian Wheezy if we try to get the information
about the acl or xattr the system will return nothing about it let's try.
mount | egrep acl
We can check if this attributes are loaded in the kernel as follows.
cat /boot/config-$(uname -r) | egrep -i acl

CONFIG_EXT4_FS_POSIX_ACL=y
CONFIG_REISERFS_FS_POSIX_ACL=y
CONFIG_JFS_POSIX_ACL=y
CONFIG_XFS_POSIX_ACL=y
CONFIG_BTRFS_FS_POSIX_ACL=y
CONFIG_FS_POSIX_ACL=y
CONFIG_TMPFS_POSIX_ACL=y
# CONFIG_HFSPLUS_FS_POSIX_ACL is not set
CONFIG_JFFS2_FS_POSIX_ACL=y
CONFIG_F2FS_FS_POSIX_ACL=y
CONFIG_NFS_V3_ACL=y
CONFIG_NFSD_V2_ACL=y
CONFIG_NFSD_V3_ACL=y
CONFIG_NFS_ACL_SUPPORT=m
CONFIG_CEPH_FS_POSIX_ACL=y
CONFIG_CIFS_ACL=y
CONFIG_9P_FS_POSIX_ACL=y
As we saw the acl is built-in in the kernel what's why we got nothing with the mount command.
Let's run a test with acl and xttr.
Let' acess the /usr directory
cd /usr
Now let's create a simple file
touch test.txt
Now let's change the attributes to our file
setfattr -n user.test -v test test.txt

Last
update:
2016/02/23
12:44
setfattr -n security.test -v test2 test.txt
Now let's get the information about the changes
getfattr -d test.txt
# file: test.txt
user.test="test"
Now let's get information about the attribute security
getfattr -n security.test -d test.txt

# file: test.txt
security.test="test2"
Now let's access the directory that will storage the samba sources
cd /usr/src
Now we need to get the samba version 4.2.2
wget -c http://ftp.samba.org/pub/samba/stable/samba-4.2.2.tar.gz
Now we need to extract the sources
tar -xvf samba-4.1.3.tar.gz
Let's access the directory
cd samba-4.2.2
Now we need run the check prerequisites as follows
./configure --enable-debug --enable-selftest
Now we need to compile the samba this process take a while.
make
Now we can install the samba4 with a simple command line.
make install
Now we need to adjust the PATH
echo "export
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X
11:/usr/local/samba/sbin:/usr/local/samba/bin">> /root/.bashrc
Now we need to reload the PATH

2016/05/25 08:14 5/103
(Ongoing)
source /root/.bashrc
Now we need to prepare the BIND_DLZ
Installing and Configuring BIND_DLZ
Let's install the prerequisites to work with BIND
aptitude install autopoint autotools-dev bison debhelper dh-apparmor geoip-

bin gettext hardening-wrapper html2text intltool-debian libgeoip-dev dh-
autoreconf \
libbison-dev libcap-dev libdb-dev libdb5.3-dev libgeoip-dev libgettextpo0
libltdl-dev libmail-sendmail-perl libsys-hostname-long-perl dpkg-dev dh-
systemd \
libtool libunistring0 libxml2-dev po-debconf debhelper libssl-dev libtool
bison libdb-dev libldap2-dev libxml2-dev hardening-wrapper libkrb5-dev -y
Now we need to get the bind9 sources
cd /usr/src
apt-get source bind9
Now we need to access the bind9 source folder
cd bind9-*
Now we need to change the variables enable support to kerberos and dlopen as follows
vim debian/rules
[...]
./configure --prefix=/usr \
--mandir=\$${prefix}/share/man \
--infodir=\$${prefix}/share/info \
--sysconfdir=/etc/bind \
--localstatedir=/var \
--enable-threads \
--enable-largefile \
--with-libtool \
--enable-shared \
--enable-static \
--with-openssl=/usr \
--with-gssapi=/usr \
--with-gnu-ld \
--with-geoip=/usr \
--with-atf=no \
--enable-ipv6 \
--enable-rrl \
--enable-filter-aaaa \

Last
update:
2016/02/23
12:44
--with-libxml2 \
--with-gssapi=/usr/include/gssapi \
--with-dlopen=yes \
--with-dlz-ldap=yes \
--with-dlz-filesystem=yes \
$(EXTRA_FEATURES)
Now we need to create the deb packet it will take awhile.
dpkg-buildpackage
Now we need to install the packets
cd ..
dpkg -i *.deb
Now we need to create a directory and adjust the permissions
mkdir /var/cache/bind/{data,dynamic}
chown -R bind:bind /var/cache/bind/
chmod -R 775 /var/cache/bind/dynamic
Now let's make a copy of the original file
cp /etc/bind/named.conf.options /etc/bind/named.conf.options.old
Agora vamos configurar o Bind
vim /etc/bind/named.conf.options
#/etc/bind/named.conf.options
options {
listen-on port 53 { 127.0.0.1; 192.168.25.0/24; };
listen-on-v6 port 53 { ::1; };
directory "/var/cache/bind";
dump-file "/var/cache/bind/data/cache_dump.db";
statistics-file "/var/cache/bind/data/named_stats.txt";
memstatistics-file "/var/cache/bind/data/named_mem_stats.txt";
allow-query { 192.168.25.0/24; 127.0.0.1/32; };
allow-update { 127.0.0.1/32; };
allow-recursion { 192.168.25.0/24; 127.0.0.1/32; };
forwarders { 8.8.8.8; 8.8.4.4; };
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
/* Dynamic keys */
managed-keys-directory "/var/cache/bind/dynamic";

2016/05/25 08:14 7/103
(Ongoing)
/* Enable support for secure GSS-TSIG updates */
tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
Now we need do modify the named.conf and add the configuration file for samba
vim /etc/bind/named.conf
[...]
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/usr/local/samba/private/named.conf";
Now we need to configure the resolv.conf
vim /etc/resolv.conf
domain douglas.lan
search douglas.lan
nameserver 192.168.25.100
Provisioning the domain and Testing
Now we need to provisioning our domain, let's check the options available
samba-tool domain provision -h

Usage: samba-tool domain provision [options]
Provision a domain.
Options:
-h, --help show this help message and exit
--interactive Ask for names
--domain=DOMAIN set domain
--domain-guid=GUID set domainguid (otherwise random)
--domain-sid=SID set domainsid (otherwise random)
--ntds-guid=GUID set NTDS object GUID (otherwise random)
--invocationid=GUID set invocationid (otherwise random)
--host-name=HOSTNAME set hostname
--host-ip=IPADDRESS set IPv4 ipaddress
--host-ip6=IP6ADDRESS
set IPv6 ipaddress

Last
update:
2016/02/23
12:44
--site=SITENAME set site name

--adminpass=PASSWORD choose admin password (otherwise random)
--krbtgtpass=PASSWORD
choose krbtgt password (otherwise random)
--machinepass=PASSWORD
choose machine password (otherwise random)
--dns-backend=NAMESERVER-BACKEND
The DNS server backend. SAMBA_INTERNAL is the
builtin
name server (default), BIND9_FLATFILE uses bind9
text
database to store zone information, BIND9_DLZ uses
samba4 AD to store zone information, NONE skips the
DNS setup entirely (not recommended)
--dnspass=PASSWORD choose dns password (otherwise random)
--ldapadminpass=PASSWORD
choose password to set between Samba and it's LDAP
backend (otherwise random)
--root=USERNAME choose 'root' unix username
--nobody=USERNAME choose 'nobody' user
--users=GROUPNAME choose 'users' group
--quiet Be quiet
--blank do not add users or groups, just the structure
--ldap-backend-type=LDAP-BACKEND-TYPE
Test initialisation support for unsupported LDAP
backend type (fedora-ds or openldap) DO NOT USE
--server-role=ROLE The server role (domain controller | dc | member
server | member | standalone). Default is dc.
--function-level=FOR-FUN-LEVEL
The domain and forest function level (2000 | 2003 |
2008 | 2008_R2 - always native). Default is
(Windows)
2008R2 Native.
--next-rid=NEXTRID The initial nextRid value (only needed for
upgrades).
Default is 1000.
--partitions-only Configure Samba's partitions, but do not modify them
(ie, join a BDC)
--targetdir=DIR Set target directory
--ol-mmr-urls=LDAPSERVER
List of LDAP-URLS [ ldap://<FQHN>:<PORT>/ (where
<PORT> has to be different than 389!) ] separated
with
comma (",") for use with OpenLDAP-MMR (Multi-Master-
Replication), e.g.:
"ldap://s4dc1:9000,ldap://s4dc2:9000"
--use-xattrs=USE_XATTRS
Define if we should use the native fs capabilities
or
a tdb file for storing attributes likes ntacl, auto
tries to make an inteligent guess based on the user
2016/05/25 08:14 9/103
(Ongoing)
rights and system capabilities
--use-ntvfs Use NTVFS for the fileserver (default = no)
--use-rfc2307 Use AD to store posix attributes (default = no)
Samba Common Options:

-s FILE, --configfile=FILE
Configuration file
-d DEBUGLEVEL, --debuglevel=DEBUGLEVEL
debug level
--option=OPTION set smb.conf option from command line
--realm=REALM set the realm name
Version Options:
-V, --version Display version number
Now let's provisioning the domain
samba-tool domain provision --domain=DOUGLAS --adminpass=smb@134* \

--dns-backend=BIND9_DLZ --server-role=dc \
--function-level=2008_R2 --use-xattr=yes \
--use-rfc2307 --realm=douglas.lan
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=douglas,DC=lan
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=douglas,DC=lan
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions

Last
update:
2016/02/23
12:44
See /usr/local/samba/private/named.conf for an example configuration include

file for BIND
and /usr/local/samba/private/named.txt for further documentation required
for secure DNS updates
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at
/usr/local/samba/private/krb5.conf
Setting up fake yp server settings
Once the above files are installed, your Samba4 server will be ready to use
Server Role: active directory domain controller
Hostname: samba1
NetBIOS Domain: DOUGLAS
DNS Domain: douglas.lan
DOMAIN SID: S-1-5-21-2627875541-338730943-4229738209
If you got some error and need to do the provisioning again execute the follow commands and run the
provisioning again.
rm -rf /usr/local/samba/etc
rm -rf /usr/local/samba/private
rm -rf /usr/local/samba/var/locks/sysvol
Now we need to change the samba configuration, but first we need to make a copy of smb.conf
cp -Rfa /usr/local/samba/etc/smb.conf{,.bkp}
Now let's make some changes in our configuration file
vim /usr/local/samba/etc/smb.conf
# Global parameters
[global]
workgroup = DOUGLAS
realm = douglas.lan
netbios name = SAMBA1
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
winbind, ntp_signd, kcc, dnsupdate
### RPC ###
rpc_server:tcpip = no
rpc_daemon:spoolssd = embedded
rpc_server:spoolss = embedded
rpc_server:winreg = embedded
rpc_server:ntsvcs = embedded
rpc_server:eventlog = embedded
rpc_server:srvsvc = embedded
rpc_server:svcctl = embedded
rpc_server:default = external
### IDMAP ###
idmap_ldb:use rfc2307 = yes

2016/05/25 08:14 11/103
(Ongoing)
idmap config * : backend = tdb
idmap config *:range = 70001-80000
idmap config LAB:backend = ad
idmap config LAB:schema_mode = rfc2307
idmap config LAB:range = 500-40000
### WINBIND ###
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
map archive = No
map readonly = no
store dos attributes = Yes
vfs objects = dfs_samba4, acl_xattr
### The template is necessary to authenticate with winbind
template shell = /bin/bash
### Disabling printers ###
printcap name = /dev/null
load printers = no
disable spoolss = yes
printing = bsd
### LOGS ###
log file = /var/log/samba/smbd.log
max log size = 50
log level = 2
vfs objects = recycle full_audit
### RECYCLE BIN ###
recycle:repository = Recycle
recycle:exclude = *.tmp *.TMP *.temp *.TEMP ~*
recycle:keeptree = yes
### AUDIT ###
full_audit:success = rmdir mkdir open write rename unlink
full_audit:failure = rmdir mkdir open write rename unlink
full_audit:prefix = %U|%I|%m|%S
full_audit:failure = none
full_audit:facility = local5
full_audit:priority = notice
veto files = /*.mp3/*.wav/*.exe/*.cmd/*.adm/*.inf/*.ini/*.pif
delete veto files = yes
dos filemode = yes
[netlogon]
path = /usr/local/samba/var/locks/sysvol/lab.lan/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
Now we need to create the directory that will store the samba log files

Last
update:
2016/02/23
12:44
mkdir -p /var/log/samba
Now we need to create a symbolic link to keytab
ln -s /usr/local/samba/private/dns.keytab /etc/krb5.keytab
Now let's start the samba service
/usr/local/samba/sbin/samba
Now let's disable the administrator password expire
samba-tool user setexpiry administrator --noexpiry

Expiry for user 'administrator' disabled.
Now let's check the samba client version
smbclient --version
Version 4.2.2
Now let's display the shares
smbclient -L localhost -U%

Domain=[DOUGLAS] OS=[Windows 6.1] Server=[Samba 4.2.2]
Sharename Type Comment

--------- ---- -------
netlogon Disk
sysvol Disk
IPC$ IPC IPC Service (Samba 4.2.2)
Server Comment
--------- -------
Workgroup Master
--------- -------
Now let's test the shares with an authenticated account
smbclient -L //localhost/netlogon -U douglas/administrator%'smb@134*' -c

'ls'

--------- ---- -------
netlogon Disk
sysvol Disk

2016/05/25 08:14 13/103
(Ongoing)
Server Comment
--------- -------
Workgroup Master
--------- -------
Now let's display the samba configuration with testparm
testparm
Load smb config files from /usr/local/samba/etc/smb.conf
Processing section "[netlogon]"
Processing section "[sysvol]"
Loaded services file OK.
Server role: ROLE_ACTIVE_DIRECTORY_DC
Press enter to see a dump of your service definitions
# Global parameters
[global]
workgroup = DOUGLAS
realm = douglas.lan
passdb backend = samba_dsdb
max log size = 50
load printers = No
disable spoolss = Yes
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbindd:use external pipes = true
recycle:repository = Recycle
idmap config lab:range = 500-40000
idmap config lab:schema_mode = rfc2307
idmap config lab:backend = ad

Last
update:
2016/02/23
12:44
printing = bsd
delete veto files = Yes
map archive = No
map readonly = no
dos filemode = Yes
[netlogon]
path = /usr/local/samba/var/locks/sysvol/douglas.lan/scripts
read only = No
[sysvol]
read only = No
Now let's check the samba process that is running
ps aux | egrep samba

root 11326 0.0 2.5 524812 51900 ? Ss 17:18 0:00
root 11327 0.0 1.6 524812 34440 ? S 17:18 0:00
root 11328 0.0 1.7 524812 36544 ? S 17:18 0:00
root 11329 0.0 2.0 528964 42176 ? S 17:18 0:00
root 11330 0.0 2.7 484536 56336 ? Ss 17:18 0:00
/usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --
foreground
root 11331 0.0 1.6 524812 34440 ? S 17:18 0:00
root 11332 0.0 1.9 524812 40460 ? S 17:18 0:00
root 11333 0.0 1.7 524812 35976 ? S 17:18 0:00
root 11334 0.0 1.9 524812 39740 ? S 17:18 0:00
root 11335 0.0 1.8 524776 38028 ? S 17:18 0:00

2016/05/25 08:14 15/103
(Ongoing)
root 11336 0.0 1.8 528236 38176 ? S 17:18 0:00
root 11337 0.0 1.6 524812 34440 ? S 17:18 0:00
root 11338 0.0 2.1 524776 44972 ? S 17:18 0:00
root 11339 0.0 1.7 524812 36372 ? S 17:18 0:00
root 11400 0.0 0.1 12968 2364 pts/0 S+ 17:27 0:00 grep -E --
color=auto samba
Now let's restar the bind9 service
systemctl restart bind9
Now let's check the bind9 status
systemctl status bind9

● bind9.service - BIND Domain Name Server
Loaded: loaded (/lib/systemd/system/bind9.service; enabled)
Drop-In: /run/systemd/generator/bind9.service.d
└─50-insserv.conf-$named.conf
Active: active (running) since Qui 2015-06-04 17:41:58 BRT; 896ms ago
Docs: man:named(8)
Process: 11770 ExecStop=/usr/sbin/rndc stop (code=exited,
status=0/SUCCESS)
Main PID: 11775 (named)
CGroup: /system.slice/bind9.service
└─11775 /usr/sbin/named -f -u bind
Jun 04 17:41:59 samba1 named[11775]: automatic empty zone:

8.B.D.0.1.0.0.2.IP6.ARPA
Jun 04 17:41:59 samba1 named[11775]: command channel listening on
127.0.0.1#953
Jun 04 17:41:59 samba1 named[11775]: command channel listening on ::1#953
Jun 04 17:41:59 samba1 named[11775]: managed-keys-zone: loaded serial 2
Jun 04 17:41:59 samba1 named[11775]: zone 0.in-addr.arpa/IN: loaded serial 1
Jun 04 17:41:59 samba1 named[11775]: zone 127.in-addr.arpa/IN: loaded serial
1
Jun 04 17:41:59 samba1 named[11775]: zone 255.in-addr.arpa/IN: loaded serial
1
Jun 04 17:41:59 samba1 named[11775]: zone localhost/IN: loaded serial 2
Jun 04 17:41:59 samba1 named[11775]: all zones loaded
Jun 04 17:41:59 samba1 named[11775]: running
Now let's check the dns resolution
nslookup douglas.lan
Server: 127.0.0.1
Address: 127.0.0.1#53
Last
update:
2016/02/23
12:44
Name: douglas.lan
Address: 192.168.25.100
Now we need to make a copy of the krb5.conf
cp -Rfa /etc/krb5.conf{,.bkp}
Now let's remove the original file
rm -rf /etc/krb5.conf
Now we need to create symbolic link from samba directory
ln -sf /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf
Now we need to configure the file
vim /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = DOUGLAS.LAN
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
Now let's try to create a ticket on kerberos
kinit administrator@DOUGLAS.LAN
administrator@DOUGLAS.LAN's Password:
Now let's list our ticket
klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: administrator@DOUGLAS.LAN

2016/05/25 08:14 17/103
(Ongoing)
Issued Expires Principal
Jun 4 17:48:15 2015 Jun 5 03:48:12 2015 krbtgt/DOUGLAS.LAN@DOUGLAS.LAN
Now let's run a test in samba authentication with kerberos ticket
smbclient -k //samba1.douglas.lan/sysvol -c 'ls'

. D 0 Thu Jun 4 14:27:54 2015
.. D 0 Thu Jun 4 17:18:50 2015
douglas.lan D 0 Thu Jun 4 14:27:53 2015
9653896 blocks of size 1024. 5923120 blocks available
Let's check the another share
smbclient -k //samba1.douglas.lan/netlogon -c 'ls'

. D 0 Thu Jun 4 14:27:45 2015
.. D 0 Thu Jun 4 14:27:53 2015
NOTE: If you try to access the samba share using the kerberos kicket and try to use localhost rather
than the samba1 you will get the follow error
smbclient -k //localhost/netlogon -c 'ls'

ads_krb5_mk_req: smb_krb5_get_credentials failed for
cifs/localhost@DOUGLAS.LAN (Server not found in Kerberos database)
cli_session_setup_kerberos: spnego_gen_krb5_negTokenInit failed: Server not
found in Kerberos database
session setup failed: NT_STATUS_UNSUCCESSFUL
As we can see the server was not found in kerberos database, whether we check the klist
klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: administrator@DOUGLAS.LAN
Issued Expires Principal

Jun 4 17:48:15 2015 Jun 5 03:48:12 2015 krbtgt/DOUGLAS.LAN@DOUGLAS.LAN
Jun 4 17:50:05 2015 Jun 5 03:48:12 2015
cifs/samba1.douglas.lan@DOUGLAS.LAN
The cifs/samba1.douglas.lan@DOUGLAS.LAN this is the Server in kerberos rather than

cifs/localhost@DOUGLAS.LAN that we got trying to use localhost to access the share with kerberos.
Installing and Configuring NTP Server

Last
update:
2016/02/23
12:44
Now we need to install and configure the NTP service to have the clock accurate
Now let's install the ntp server
aptitude install ntp -y
Now we need to make a copy of ntp.conf
cp -Rfa /etc/ntp.conf{,.bkp}
Now Let's change the configuration
vim /etc/ntp.conf
#/etc/ntp.conf
server 127.127.1.0
fudge 127.127.1.0 stratum 10
server a.ntp.br iburst prefer
server b.ntp.br iburst prefer
server c.ntp.br iburst prefer
driftfile /var/lib/ntp/ntp.drift
logfile /var/log/ntp
ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/
restrict default kod nomodify notrap nopeer mssntp
restrict 127.0.0.1
restrict a.ntp.br mask 255.255.255.255 nomodify notrap nopeer noquery
restrict b.ntp.br mask 255.255.255.255 nomodify notrap nopeer noquery
restrict c.ntp.br mask 255.255.255.255 nomodify notrap nopeer noquery
Now let's restart the ntp service
systemctl restart ntp
Now let's display the ntp status
ntpq -p 127.0.0.1
remote refid st t when poll reach delay offset
jitter
============================================================================
==
LOCAL(0) .LOCL. 10 l 101 64 6 0.000 0.000
0.002
+a.ntp.br 200.160.7.186 2 u 29 64 5 13.397 -19.867
9.921
*b.ntp.br 200.20.186.76 2 u 26 64 7 18.728 -22.845
7.553
+c.ntp.br 200.160.7.186 2 u 30 64 7 38.183 -24.685
8.156
Now we need to change the permission to ntp_signd as follows

2016/05/25 08:14 19/103
(Ongoing)
chgrp ntp /usr/local/samba/var/lib/ntp_signd
Creating the Samba4 Launch Script
Now we need to create the samba4 launch script
vim /etc/init.d/samba
#! /bin/sh
### BEGIN INIT INFO

# Provides: samba4
# Required-Start: $network $local_fs $remote_fs
# Required-Stop: $network $local_fs $remote_fs
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: start Samba daemons
### END INIT INFO
#
# Start/stops the Samba daemon (samba).
# Adapted from the Samba 3 packages.
#
PIDDIR=/usr/local/samba/var/run
SAMBAPID=$PIDDIR/samba.pid
# clear conflicting settings from the environment

unset TMPDIR
# See if the daemon and the config file are there

test -x /usr/local/samba/sbin/samba -a -r /usr/local/samba/etc/smb.conf ||
exit 0
. /lib/lsb/init-functions
case "$1" in
start)
log_daemon_msg "Starting Samba 4 daemon" "samba"
# Make sure we have our PIDDIR, even if it's on a tmpfs
install -o root -g root -m 755 -d $PIDDIR
if ! start-stop-daemon --start --quiet --oknodo --exec

/usr/local/samba/sbin/samba -- -D; then
log_end_msg 1
exit 1
fi
log_end_msg 0
;;

Last
update:
2016/02/23
12:44
stop)
log_daemon_msg "Stopping Samba 4 daemon" "samba"
/usr/bin/killall -9 samba >> /dev/null ; log_end_msg 1; exit 1
log_end_msg 0
;;
restart|force-reload)
$0 stop
sleep 1
$0 start
;;
*)
echo "Usage: /etc/init.d/samba {start|stop|restart|force-reload}"
exit 1
;;
esac
exit 0
Now we need to change the permissions
chmod +x /etc/init.d/samba
Now we need to insert it in the boot time
insserv -f -v samba
Now let's stop the samba service to run a test with our new script
killall samba
Now let's start the samba service to test
/etc/init.d/samba start
[ ok ] Starting samba (via systemctl): samba.service.
Now let's show the samba processes

root 942 1.2 2.5 524780 51576 ? Ss 19:18 0:00
/usr/local/samba/sbin/samba -D
root 960 0.0 1.6 524780 34480 ? S 19:18 0:00
root 961 0.0 1.7 524780 36588 ? S 19:18 0:00
root 962 1.3 2.7 484652 56492 ? Ss 19:18 0:00
/usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --
foreground

2016/05/25 08:14 21/103
(Ongoing)
root 963 0.0 1.8 524780 38596 ? S 19:18 0:00
root 964 0.0 1.6 524780 34480 ? S 19:18 0:00
root 965 0.1 1.9 524780 40276 ? S 19:18 0:00
root 966 0.0 1.7 524780 36040 ? S 19:18 0:00
root 967 0.0 2.1 531048 43432 ? S 19:18 0:00
root 968 0.1 1.8 524780 37868 ? S 19:18 0:00
root 969 0.0 1.8 527608 37516 ? S 19:18 0:00
root 970 0.0 1.6 524780 34484 ? S 19:18 0:00
root 971 0.5 2.2 524920 45356 ? S 19:18 0:00
root 972 0.0 1.7 524780 36000 ? S 19:18 0:00
root 977 0.0 0.1 12968 2368 pts/0 S+ 19:18 0:00 grep -E --
color=auto samba
As we can see everything is ok so far
Let's check the shares


--------- ---- -------
netlogon Disk
sysvol Disk
Server Comment
--------- -------
Workgroup Master
--------- -------
Now let's check with an authenticated account
smbclient -L //localhost/netlogon -UAdministrator%'smb@134*' -c 'ls'


--------- ---- -------
netlogon Disk

Last
update:
2016/02/23
12:44
sysvol Disk
Server Comment
--------- -------
Workgroup Master
--------- -------
Testing Bind_DLZ and Kerberos
Now we need to create some symbolic links to enable winbind to work properly as follows for system
working in 32 bits
ln -s /usr/local/samba/lib/libnss_winbind.so /usr/lib/libnss_winbind.so
ln -s /usr/local/samba/lib/libnss_winbind.so.2 /usr/lib/libnss_winbind.so.2
ldconfig
Now we need to create some symbolic links to enable winbind to work properly as follows for system
working in 64 bits
ln -s /usr/local/samba/lib/libnss_winbind.so.2 /usr/lib/x86_64-linux-
gnu/libnss_winbind.so
ln -s /usr/lib/x86_64-linux-gnu/libnss_winbind.so /usr/lib/x86_64-linux-
gnu/libnss_winbind.so.2
ldconfig
Now we need to configure the nsswitch.conf
vim /etc/nsswitch.conf
[...]
passwd: compat winbind
[...]
group: compat winbind
The Samba 4 is working properly so far
If you need to get the RSAT(Admin pack) get in the follow web links:
http://www.microsoft.com/en-us/download/details.aspx?id=39296 (Windows 8.1)

http://www.microsoft.com/download/details.aspx?id=28972 (Windows 8)
http://www.microsoft.com/downloads/details.aspx?FamilyId=9FF6E897-23CE-4A36-B7FC-D5206
5DE9960&displaylang=en (Vista)
http://www.microsoft.com/downloads/details.aspx?FamilyID=7D2F6AD7-656B-4313-A005-4E344
E43997D&displaylang=en (Windows 7)
http://www.microsoft.com/en-us/download/details.aspx?id=6315 (Windows XP/Server 2003)
Let's run a test with winbind

2016/05/25 08:14 23/103
(Ongoing)
wbinfo -t
checking the trust secret for domain DOUGLAS via RPC calls succeeded
Let's display the groups in Samba 4 database
wbinfo -g
Enterprise Read-Only Domain Controllers
Domain Admins
Domain Users
Domain Guests
Domain Computers
Domain Controllers
Schema Admins
Enterprise Admins
Group Policy Creator Owners
Read-Only Domain Controllers
DnsUpdateProxy
Let's display the users
wbinfo -u
Administrator
Guest
krbtgt
dns-samba1
Now we need to check the dns updates let's run a test
samba_dnsupdate --verbose
IPs: ['192.168.25.100']
Looking for DNS entry A samba1.douglas.lan 192.168.25.100 as
samba1.douglas.lan.
Looking for DNS entry A douglas.lan 192.168.25.100 as douglas.lan.
Looking for DNS entry SRV _ldap._tcp.douglas.lan samba1.douglas.lan 389 as
_ldap._tcp.douglas.lan.
Checking 0 100 389 samba1.douglas.lan. against SRV _ldap._tcp.douglas.lan
samba1.douglas.lan 389
Looking for DNS entry SRV _ldap._tcp.dc._msdcs.douglas.lan
samba1.douglas.lan 389 as _ldap._tcp.dc._msdcs.douglas.lan.
Checking 0 100 389 samba1.douglas.lan. against SRV
_ldap._tcp.dc._msdcs.douglas.lan samba1.douglas.lan 389
Looking for DNS entry SRV _ldap._tcp.9eac9ae0-2e73-4c8c-
b78e-9554cb9eadee.domains._msdcs.douglas.lan samba1.douglas.lan 389 as
_ldap._tcp.9eac9ae0-2e73-4c8c-b78e-9554cb9eadee.domains._msdcs.douglas.lan.
_ldap._tcp.9eac9ae0-2e73-4c8c-b78e-9554cb9eadee.domains._msdcs.douglas.lan
Looking for DNS entry SRV _kerberos._tcp.douglas.lan samba1.douglas.lan 88
as _kerberos._tcp.douglas.lan.
Checking 0 100 88 samba1.douglas.lan. against SRV _kerberos._tcp.douglas.lan

Last
update:
2016/02/23
12:44
Looking for DNS entry SRV _kerberos._udp.douglas.lan samba1.douglas.lan 88
as _kerberos._udp.douglas.lan.
Checking 0 100 88 samba1.douglas.lan. against SRV _kerberos._udp.douglas.lan
Looking for DNS entry SRV _kerberos._tcp.dc._msdcs.douglas.lan
samba1.douglas.lan 88 as _kerberos._tcp.dc._msdcs.douglas.lan.
_kerberos._tcp.dc._msdcs.douglas.lan samba1.douglas.lan 88
Looking for DNS entry SRV _kpasswd._tcp.douglas.lan samba1.douglas.lan 464
as _kpasswd._tcp.douglas.lan.
Checking 0 100 464 samba1.douglas.lan. against SRV _kpasswd._tcp.douglas.lan
Looking for DNS entry SRV _kpasswd._udp.douglas.lan samba1.douglas.lan 464
as _kpasswd._udp.douglas.lan.
Checking 0 100 464 samba1.douglas.lan. against SRV _kpasswd._udp.douglas.lan
Looking for DNS entry CNAME d6a2ff47-5541-4197-
b729-3fb4b82e5b42._msdcs.douglas.lan samba1.douglas.lan as
d6a2ff47-5541-4197-b729-3fb4b82e5b42._msdcs.douglas.lan.
Looking for DNS entry SRV _ldap._tcp.Default-First-Site-
Name._sites.douglas.lan samba1.douglas.lan 389 as _ldap._tcp.Default-First-
Site-Name._sites.douglas.lan.
Checking 0 100 389 samba1.douglas.lan. against SRV _ldap._tcp.Default-First-
Site-Name._sites.douglas.lan samba1.douglas.lan 389
Name._sites.dc._msdcs.douglas.lan samba1.douglas.lan 389 as
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.douglas.lan.
Site-Name._sites.dc._msdcs.douglas.lan samba1.douglas.lan 389
Looking for DNS entry SRV _kerberos._tcp.Default-First-Site-
Name._sites.douglas.lan samba1.douglas.lan 88 as _kerberos._tcp.Default-
First-Site-Name._sites.douglas.lan.
Checking 0 100 88 samba1.douglas.lan. against SRV _kerberos._tcp.Default-
First-Site-Name._sites.douglas.lan samba1.douglas.lan 88
Looking for DNS entry SRV _kerberos._tcp.Default-First-Site-
Name._sites.dc._msdcs.douglas.lan samba1.douglas.lan 88 as
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.douglas.lan.
Checking 0 100 88 samba1.douglas.lan. against SRV _kerberos._tcp.Default-
First-Site-Name._sites.dc._msdcs.douglas.lan samba1.douglas.lan 88
Looking for DNS entry SRV _ldap._tcp.pdc._msdcs.douglas.lan
samba1.douglas.lan 389 as _ldap._tcp.pdc._msdcs.douglas.lan.
_ldap._tcp.pdc._msdcs.douglas.lan samba1.douglas.lan 389
Looking for DNS entry A gc._msdcs.douglas.lan 192.168.25.100 as
gc._msdcs.douglas.lan.
Looking for DNS entry SRV _gc._tcp.douglas.lan samba1.douglas.lan 3268 as
_gc._tcp.douglas.lan.
Checking 0 100 3268 samba1.douglas.lan. against SRV _gc._tcp.douglas.lan
Looking for DNS entry SRV _ldap._tcp.gc._msdcs.douglas.lan
2016/05/25 08:14 25/103
(Ongoing)
samba1.douglas.lan 3268 as _ldap._tcp.gc._msdcs.douglas.lan.
_ldap._tcp.gc._msdcs.douglas.lan samba1.douglas.lan 3268
Looking for DNS entry SRV _gc._tcp.Default-First-Site-
Name._sites.douglas.lan samba1.douglas.lan 3268 as _gc._tcp.Default-First-
Site-Name._sites.douglas.lan.
Checking 0 100 3268 samba1.douglas.lan. against SRV _gc._tcp.Default-First-
Site-Name._sites.douglas.lan samba1.douglas.lan 3268
Name._sites.gc._msdcs.douglas.lan samba1.douglas.lan 3268 as
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.douglas.lan.
Checking 0 100 3268 samba1.douglas.lan. against SRV _ldap._tcp.Default-
First-Site-Name._sites.gc._msdcs.douglas.lan samba1.douglas.lan 3268
Looking for DNS entry A DomainDnsZones.douglas.lan 192.168.25.100 as
DomainDnsZones.douglas.lan.
Looking for DNS entry SRV _ldap._tcp.DomainDnsZones.douglas.lan
samba1.douglas.lan 389 as _ldap._tcp.DomainDnsZones.douglas.lan.
_ldap._tcp.DomainDnsZones.douglas.lan samba1.douglas.lan 389
Name._sites.DomainDnsZones.douglas.lan samba1.douglas.lan 389 as
_ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.douglas.lan.
Site-Name._sites.DomainDnsZones.douglas.lan samba1.douglas.lan 389
Looking for DNS entry A ForestDnsZones.douglas.lan 192.168.25.100 as
ForestDnsZones.douglas.lan.
Looking for DNS entry SRV _ldap._tcp.ForestDnsZones.douglas.lan
samba1.douglas.lan 389 as _ldap._tcp.ForestDnsZones.douglas.lan.
_ldap._tcp.ForestDnsZones.douglas.lan samba1.douglas.lan 389
Name._sites.ForestDnsZones.douglas.lan samba1.douglas.lan 389 as
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.douglas.lan.
Site-Name._sites.ForestDnsZones.douglas.lan samba1.douglas.lan 389
No DNS updates needed
Now let's create a reverse zone
samba-tool dns zonecreate douglas.lan 25.168.192.in-addr.arpa -

UAdministrator --password=smb@134*
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed:
NT_STATUS_INVALID_PARAMETER
Zone 25.168.192.in-addr.arpa created successfully
Note: I'm trying to discovery how to fix the (SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed:
NT_STATUS_INVALID_PARAMETER) but so far I have no answer yet, I've sent an email to Andrew
Tridge of Samba project as soon he answer me I'm going to post the fix.
Now let's create the reverse dns record to samba1

Last
update:
2016/02/23
12:44
samba-tool dns add samba1 25.168.192.in-addr.arpa 100 PTR samba1.douglas.lan

-Uadministrator --password=smb@134*
Record added successfully
Now let's check the reverse
dig -x 192.168.25.100
; <<>> DiG 9.9.5-9-Debian <<>> -x 192.168.25.100

;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1108
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;100.25.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
100.25.168.192.in-addr.arpa. 900 IN PTR samba1.douglas.lan.
;; AUTHORITY SECTION:
25.168.192.in-addr.arpa. 3600 IN NS samba1.douglas.lan.
;; ADDITIONAL SECTION:
samba1.douglas.lan. 900 IN A 192.168.25.100
;; Query time: 3 msec

;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jun 04 19:40:48 BRT 2015
;; MSG SIZE rcvd: 118
We can run a test with host as well
host 192.168.25.100
100.25.168.192.in-addr.arpa domain name pointer samba1.douglas.lan.
Now we need to update all the records to make sure that everything is working as needed
samba_dnsupdate --verbose --all-names

IPs: ['192.168.25.100']
Calling nsupdate for A samba1.douglas.lan 192.168.25.100 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
samba1.douglas.lan. 900 IN A 192.168.25.100
Calling nsupdate for A douglas.lan 192.168.25.100 (add)

2016/05/25 08:14 27/103
(Ongoing)
;; UPDATE SECTION:
douglas.lan. 900 IN A 192.168.25.100
Calling nsupdate for SRV _ldap._tcp.douglas.lan samba1.douglas.lan 389 (add)

;; UPDATE SECTION:
_ldap._tcp.douglas.lan. 900 IN SRV 0 100 389 samba1.douglas.lan.
Calling nsupdate for SRV _ldap._tcp.dc._msdcs.douglas.lan samba1.douglas.lan

389 (add)
;; UPDATE SECTION:
_ldap._tcp.dc._msdcs.douglas.lan. 900 IN SRV 0 100 389 samba1.douglas.lan.
Calling nsupdate for SRV _ldap._tcp.9eac9ae0-2e73-4c8c-

b78e-9554cb9eadee.domains._msdcs.douglas.lan samba1.douglas.lan 389 (add)
;; UPDATE SECTION:
_ldap._tcp.9eac9ae0-2e73-4c8c-b78e-9554cb9eadee.domains._msdcs.douglas.lan.
900 IN SRV 0 100 389 samba1.douglas.lan.
Calling nsupdate for SRV _kerberos._tcp.douglas.lan samba1.douglas.lan 88

(add)
;; UPDATE SECTION:
_kerberos._tcp.douglas.lan. 900 IN SRV 0 100 88 samba1.douglas.lan.
Calling nsupdate for SRV _kerberos._udp.douglas.lan samba1.douglas.lan 88

(add)
;; UPDATE SECTION:
_kerberos._udp.douglas.lan. 900 IN SRV 0 100 88 samba1.douglas.lan.
Calling nsupdate for SRV _kerberos._tcp.dc._msdcs.douglas.lan

samba1.douglas.lan 88 (add)

Last
update:
2016/02/23
12:44
;; UPDATE SECTION:
_kerberos._tcp.dc._msdcs.douglas.lan. 900 IN SRV 0 100 88
samba1.douglas.lan.
Calling nsupdate for SRV _kpasswd._tcp.douglas.lan samba1.douglas.lan 464

(add)
;; UPDATE SECTION:
_kpasswd._tcp.douglas.lan. 900 IN SRV 0 100 464 samba1.douglas.lan.
Calling nsupdate for SRV _kpasswd._udp.douglas.lan samba1.douglas.lan 464

(add)
;; UPDATE SECTION:
_kpasswd._udp.douglas.lan. 900 IN SRV 0 100 464 samba1.douglas.lan.
Calling nsupdate for CNAME d6a2ff47-5541-4197-

b729-3fb4b82e5b42._msdcs.douglas.lan samba1.douglas.lan (add)
;; UPDATE SECTION:
d6a2ff47-5541-4197-b729-3fb4b82e5b42._msdcs.douglas.lan. 900 IN CNAME
samba1.douglas.lan.
Calling nsupdate for SRV _ldap._tcp.Default-First-Site-

Name._sites.douglas.lan samba1.douglas.lan 389 (add)
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.douglas.lan. 900 IN SRV 0 100 389
samba1.douglas.lan.

Name._sites.dc._msdcs.douglas.lan samba1.douglas.lan 389 (add)
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.douglas.lan. 900 IN SRV
0 100 389 samba1.douglas.lan.
Calling nsupdate for SRV _kerberos._tcp.Default-First-Site-

Name._sites.douglas.lan samba1.douglas.lan 88 (add)
2016/05/25 08:14 29/103
(Ongoing)
;; UPDATE SECTION:
_kerberos._tcp.Default-First-Site-Name._sites.douglas.lan. 900 IN SRV 0 100
88 samba1.douglas.lan.
Calling nsupdate for SRV _kerberos._tcp.Default-First-Site-

Name._sites.dc._msdcs.douglas.lan samba1.douglas.lan 88 (add)
;; UPDATE SECTION:
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.douglas.lan. 900 IN
SRV 0 100 88 samba1.douglas.lan.
Calling nsupdate for SRV _ldap._tcp.pdc._msdcs.douglas.lan

;; UPDATE SECTION:
_ldap._tcp.pdc._msdcs.douglas.lan. 900 IN SRV 0 100 389 samba1.douglas.lan.
Calling nsupdate for A gc._msdcs.douglas.lan 192.168.25.100 (add)

;; UPDATE SECTION:
gc._msdcs.douglas.lan. 900 IN A 192.168.25.100
Calling nsupdate for SRV _gc._tcp.douglas.lan samba1.douglas.lan 3268 (add)

;; UPDATE SECTION:
_gc._tcp.douglas.lan. 900 IN SRV 0 100 3268 samba1.douglas.lan.
Calling nsupdate for SRV _ldap._tcp.gc._msdcs.douglas.lan samba1.douglas.lan

3268 (add)
;; UPDATE SECTION:
_ldap._tcp.gc._msdcs.douglas.lan. 900 IN SRV 0 100 3268 samba1.douglas.lan.
Calling nsupdate for SRV _gc._tcp.Default-First-Site-Name._sites.douglas.lan

;; UPDATE SECTION:
_gc._tcp.Default-First-Site-Name._sites.douglas.lan. 900 IN SRV 0 100 3268

Last
update:
2016/02/23
12:44
samba1.douglas.lan.

Name._sites.gc._msdcs.douglas.lan samba1.douglas.lan 3268 (add)
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.douglas.lan. 900 IN SRV
0 100 3268 samba1.douglas.lan.
Calling nsupdate for A DomainDnsZones.douglas.lan 192.168.25.100 (add)

;; UPDATE SECTION:
DomainDnsZones.douglas.lan. 900 IN A 192.168.25.100
Calling nsupdate for SRV _ldap._tcp.DomainDnsZones.douglas.lan

;; UPDATE SECTION:
_ldap._tcp.DomainDnsZones.douglas.lan. 900 IN SRV 0 100 389
samba1.douglas.lan.

Name._sites.DomainDnsZones.douglas.lan samba1.douglas.lan 389 (add)
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.douglas.lan. 900 IN
Calling nsupdate for A ForestDnsZones.douglas.lan 192.168.25.100 (add)

;; UPDATE SECTION:
ForestDnsZones.douglas.lan. 900 IN A 192.168.25.100
Calling nsupdate for SRV _ldap._tcp.ForestDnsZones.douglas.lan

;; UPDATE SECTION:
_ldap._tcp.ForestDnsZones.douglas.lan. 900 IN SRV 0 100 389
samba1.douglas.lan.
2016/05/25 08:14 31/103
(Ongoing)
Name._sites.ForestDnsZones.douglas.lan samba1.douglas.lan 389 (add)
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.douglas.lan. 900 IN
Now let's test the records about SRV
Let's do a search about Ldap service
host -t SRV _ldap._tcp.douglas.lan.

_ldap._tcp.douglas.lan has SRV record 0 100 389 samba1.douglas.lan.
Let's do a search about Kerberos service
host -t SRV _kerberos._udp.douglas.lan.

_kerberos._udp.douglas.lan has SRV record 0 100 88 nodo1.douglas.lan.
Let's do a search about record type A of samba1
host -t A samba1.douglas.lan
samba1.douglas.lan has address 192.168.25.100
Let's display the records in keytab
klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- -----------------------------------------------------------------------
---
1 DNS/samba1.douglas.lan@DOUGLAS.LAN
1 dns-samba1@DOUGLAS.LAN
PAM Configuration
Now we need to configure the PAM, here I'll allow only users from group it-admin to login in the PDC.
The group it-admin need to be create in Samba and need to get a valid shell.

Last
update:
2016/02/23
12:44
Now we need to create a symbolic link from samba security directory to default security directory in
the System, Here I'm using the 64 bit system that's why we need to use the /lib/x86_64-linux-gnu
otherwise we need to create to another directory. If you don't know where is stored the another
libraries of PAM do a search about “pam_umask.so” and put the symbolic link there.
ln -sf /usr/local/samba/lib/security/pam_winbind.so /lib/x86_64-linux-

gnu/security/pam_winbind.so
Now we need to configure the files.
Let's start configuring the common-auth that controls authentication settings common to all services.
vim /etc/pam.d/common-auth
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)

auth sufficient pam_winbind.so
auth [success=2 default=ignore] pam_krb5.so minimum_uid=1000
auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
Let's configure the common-account that controls authorization settings common to all services.
vim /etc/pam.d/common-account
#
# /etc/pam.d/common-account - authorization settings common to all services
#
# and should contain a list of the authorization modules that define
# the central access policy for use on the system. The default is to

2016/05/25 08:14 33/103
(Ongoing)
# only deny service to users whose accounts are expired in /etc/shadow.
#
#

account sufficient pam_winbind.so
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so
account required pam_krb5.so minimum_uid=1000
Let's configure the common-session that controls session related modules common to all services
vim /etc/pam.d/common-session
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#

session required pam_mkhomedir.so skel=/etc/skel umask=0027
session required pam_winbind.so
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_krb5.so minimum_uid=1000

Last
update:
2016/02/23
12:44
session required pam_unix.so

Let's configure the sshd that controls configuration for the Secure Shell service
vim /etc/pam.d/sshd
# PAM configuration for the Secure Shell service
# Read environment variables from /etc/environment and

# /etc/security/pam_env.conf.
auth required pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
auth required pam_env.so envfile=/etc/default/locale
# Standard Un*x authentication.

@include common-auth
# Disallow non-root logins when /etc/nologin exists.

account required pam_nologin.so
#Allow connection from those groups
account sufficient pam_succeed_if.so user ingroup root
account requisite pam_succeed_if.so user ingroup it-admin
# Uncomment and edit /etc/security/access.conf if you need to set complex

# access limits that are hard to express in sshd_config.
# account required pam_access.so
# Standard Un*x authorization.

@include common-account
# Standard Un*x session setup and teardown.

@include common-session
# Print the message of the day upon successful login.

# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session optional pam_motd.so motd=/run/motd.dynamic noupdate
session optional pam_motd.so # [1]
# Print the status of the user's mailbox upon successful login.

session optional pam_mail.so standard noenv # [1]
# Set up user limits from /etc/security/limits.conf.

session required pam_limits.so
# Set up SELinux capabilities (need modified pam)

# session required pam_selinux.so multiple
# Standard Un*x password updating.

2016/05/25 08:14 35/103
(Ongoing)
@include common-password
Let's configure the login that controls configuration for shadow 'login' service
vim /etc/pam.d/login
#
# The PAM configuration file for the Shadow `login' service
#
# Enforce a minimal delay in case of failure (in microseconds).

# (Replaces the `FAIL_DELAY' setting from login.defs)
# Note that other modules may require another minimal delay. (for example,
# to disable any delay, you should add the nodelay option to pam_unix)
auth optional pam_faildelay.so delay=3000000
# Outputs an issue file prior to each login prompt (Replaces the

# ISSUE_FILE option from login.defs). Uncomment for use
# auth required pam_issue.so issue=/etc/issue
# Disallows root logins except on tty's listed in /etc/securetty

# (Replaces the `CONSOLE' setting from login.defs)
#
# With the default control of this module:
# [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad
default=die]
# root will not be prompted for a password on insecure lines.
# if an invalid username is entered, a password is prompted (but login
# will eventually be rejected)
#
# You can change it to a "requisite" module if you think root may mis-type
# her login and should not be prompted for a password in that case. But
# this will leave the system as vulnerable to user enumeration attacks.
#
# You can change it to a "required" module if you think it permits to
# guess valid user names of your system (invalid user names are considered
# as possibly being root on insecure lines), but root passwords may be
# communicated over insecure lines.
auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad
default=die] pam_securetty.so
# Disallows other than root logins when /etc/nologin exists

# (Replaces the `NOLOGINS_FILE' option from login.defs)
auth requisite pam_nologin.so
#Allow connection from those groups

account requisite pam_succeed_if.so user ingroup it-admin
# SELinux needs to be the first session rule. This ensures that any
# lingering context has been cleared. Without out this it is possible
# that a module could execute code in the wrong domain.

Last
update:
2016/02/23
12:44
# When the module is present, "required" would be sufficient (When SELinux

# is disabled, this returns success.)
session [success=ok ignore=ignore module_unknown=ignore default=bad]
pam_selinux.so close
# This module parses environment configuration file(s)

# and also allows you to use an extended config
# file /etc/security/pam_env.conf.
#
# parsing /etc/environment needs "readenv=1"
session required pam_env.so readenv=1
# locale variables are also kept into /etc/default/locale in etch
# reading this file *in addition to /etc/environment* does not hurt
session required pam_env.so readenv=1 envfile=/etc/default/locale
# Standard Un*x authentication.

@include common-auth
# This allows certain extra groups to be granted to a user

# based on things like time of day, tty, service, and user.
# Please edit /etc/security/group.conf to fit your needs
# (Replaces the `CONSOLE_GROUPS' option in login.defs)
auth optional pam_group.so
# Uncomment and edit /etc/security/time.conf if you need to set

# time restrainst on logins.
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
# as well as /etc/porttime)
# account requisite pam_time.so
# Uncomment and edit /etc/security/access.conf if you need to

# set access limits.
# (Replaces /etc/login.access file)
# account required pam_access.so
# Sets up user limits according to /etc/security/limits.conf

# (Replaces the use of /etc/limits in old login)
# Prints the last login info upon succesful login

# (Replaces the `LASTLOG_ENAB' option from login.defs)
session optional pam_lastlog.so
# Prints the message of the day upon succesful login.

# (Replaces the `MOTD_FILE' option in login.defs)
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so
# Prints the status of the user's mailbox upon succesful login

2016/05/25 08:14 37/103
(Ongoing)
# (Replaces the `MAIL_CHECK_ENAB' option from login.defs).
#
# This also defines the MAIL environment variable
# However, userdel also needs MAIL_DIR and MAIL_FILE variables
# in /etc/login.defs to make sure that removing a user
# also removes the user's mail spool file.
# See comments in /etc/login.defs
session optional pam_mail.so standard
# Standard Un*x account and session

@include common-account
@include common-session
@include common-password
# SELinux needs to intervene at login time to ensure that the process

# starts in the proper default security context. Only sessions which are
# intended to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad]
pam_selinux.so open
# When the module is present, "required" would be sufficient (When SELinux
# is disabled, this returns success.)
Now let's configure the sudo to enable the it-admin group work as root user.
visudo
[...]
"%DOUGLAS\it-admin" ALL=(ALL) ALL
Now let's create the it-admin group
samba-tool group add it-admin --group-scope=Global --group-type=Security --

description="IT Administration"
Added group it-admim
Now we can get a list with all groups like this
samba-tool group list

Allowed RODC Password Replication Group
Denied RODC Password Replication Group
Pre-Windows 2000 Compatible Access
Windows Authorization Access Group
Certificate Service DCOM Access
Network Configuration Operators
Terminal Server License Servers
Incoming Forest Trust Builders
Performance Monitor Users
Cryptographic Operators
Distributed COM Users
Last
update:
2016/02/23
12:44
Performance Log Users

Remote Desktop Users
Account Operators
Event Log Readers
RAS and IAS Servers
Backup Operators
Domain Controllers
Server Operators
Enterprise Admins
Print Operators
Administrators
Domain Computers
Cert Publishers
DnsUpdateProxy
Domain Admins
Domain Guests
Schema Admins
Domain Users
Replicator
IIS_IUSRS
DnsAdmins
Guests
it-admin
Users
Now we need to create a new user to put into it-admin
samba-tool user create douglas.q.santos smb@134*

User 'douglas.q.santos' created successfully
Now let's add the user douglas.q.santos into group it-admin
samba-tool group addmembers it-admin douglas.q.santos

Added members to group it-admin
Now we can get the user from it-admin
samba-tool group listmembers it-admin

douglas.q.santos
Everything is working as needed so far.
Now we need to restart the server to reload all the new configurations
reboot
After the reboot we can try logon in with douglas.q.santos or logon with root and change to another
user as follows
root@samba1:~# su - douglas.q.santos

2016/05/25 08:14 39/103
(Ongoing)
Creating directory '/home/DOUGLAS/douglas.q.santos'.
mesg: /dev/pts/0: Operation not permitted
DOUGLAS\douglas.q.santos@samba1:~$
Now let's back to root user and let's check the winbind connection.
wbinfo -t
Let's get the user from Samba
wbinfo -u
Administrator
Guest
krbtgt
dns-samba1
douglas.q.santos
Now let's try logon in the server via SSH
ssh douglas.q.santos@192.168.25.100 -p 22
douglas.q.santos@192.168.25.100's password:
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent

permitted by applicable law.
DOUGLAS\douglas.q.santos@samba1:~$
Now let's test the sudo
DOUGLAS\douglas.q.santos@samba1:~$ sudo -i
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.

#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for DOUGLAS\douglas.q.santos:

root@samba1:~#
Now let's check the auth.log file
tail -f /var/log/auth.log
Jun 7 11:33:39 samba1 sshd[1426]: pam_succeed_if(sshd:account): requirement
"user ingroup sudo" not met by user "DOUGLAS\douglas.q.santos"

Last
update:
2016/02/23
12:44
Jun 7 11:33:39 samba1 sshd[1426]: pam_succeed_if(sshd:account): requirement

"user ingroup it-admin" was met by user "DOUGLAS\douglas.q.santos"
Jun 7 11:33:39 samba1 sshd[1426]: pam_winbind(sshd:account): user
'DOUGLAS\douglas.q.santos' granted access
Jun 7 11:33:39 samba1 sshd[1426]: Accepted password for douglas.q.santos
from 192.168.25.254 port 50681 ssh2
Jun 7 11:33:39 samba1 sshd[1426]: pam_unix(sshd:session): session opened
for user DOUGLAS\douglas.q.santos by (uid=0)
Jun 7 11:33:44 samba1 sudo: DOUGLAS\douglas.q.santos : TTY=pts/1 ;
PWD=/home/DOUGLAS/douglas.q.santos ; USER=root ; COMMAND=/bin/su -
Jun 7 11:33:44 samba1 su[1436]: pam_winbind(su:account): valid_user:
wbcGetpwnam gave WBC_ERR_DOMAIN_NOT_FOUND
Jun 7 11:33:44 samba1 su[1436]: Successful su for root by root
Jun 7 11:33:44 samba1 su[1436]: + /dev/pts/1 root:root
Jun 7 11:33:44 samba1 su[1436]: pam_unix(su:session): session opened for
user root by DOUGLAS\douglas.q.santos(uid=0)
Everything is ok so far.
Samba 4 Backup
The backup script is not installed when we run the command make install therefore we need to copy
it to some location like /bin
Let's put as the samba source are in /usr/src/samba-4.2.2
Let's copy the script
cp /usr/src/samba-4.2.2/source4/scripting/bin/samba_backup /usr/sbin
chown root:root /usr/sbin/samba_backup

chmod 750 /usr/sbin/samba_backup
Now we need to adjust some variables in the script
vim /usr/sbin/samba_backup
[...]
FROMWHERE=/usr/local/samba
WHERE=/usr/local/backups
[...]
DAYS=15
Above we have:
FROMWHERE → Where samba was installed

WHERE → The location where the script will store the backup

2016/05/25 08:14 41/103
(Ongoing)
DAYS → The number of days we need to keep the backups
Now we need to create the directory that will store the backups
mkdir /usr/local/backups
Now let's change the permission of the directory
chmod 750 /usr/local/backups
Now we can run the script
/usr/sbin/samba_backup
After the script finish the task we will get something like bellow.
ls -l /usr/local/backups
total 12164
-rw-r--r-- 1 root staff 1310 Jun 11 10:35 etc.2015-06-11.tar.bz2
-rw-r--r-- 1 root staff 12447369 Jun 11 10:35
samba4_private.2015-06-11.tar.bz2
-rw-r--r-- 1 root staff 546 Jun 11 10:35 sysvol.2015-06-11.tar.bz2
Of the script runs without any error, There will be 3 files:
etc.{Timestamp}.tar.bz2
samba4_private.{Timestamp}.tar.bz2
sysvol.{Timestamp}.tar.bz2
We can schedule the script to run everyday at 2 A.M like bellow.
crontab -e
0 2 * * * /usr/sbin/samba_backup
Now we've already have the schedule for samba backup
Samba 4 Restore
Note:
The backup and restore must be from the same version of samba in another words from 4.2.2
to 4.2.2
The restore must be executed in a machine with the same name and ip of the backup was
created.
It's best practice always restore a backup in the same OS like from Debian to Debian. (I try to
backup from a CentOS and restore in a Debian and it doesn't work).
Always after the restore is a good advice test all shares, permissions and stuffs like take to
make sure that everything is ok to work before to put in production.

Last
update:
2016/02/23
12:44
If the system got a crash you need first of all is reconfigure all samba server and restore the
backup considering all the another things above.
Before restore the samba we need to assure that the samba is down.
Let's stop the samba
/etc/init.d/samba stop
Now let's check if the samba is down

root 2404 0.0 0.1 12964 2356 pts/0 S+ 14:47 0:00 grep -E --
color=auto samba
Now let's remove the files and directories as needed.
rm -rf /usr/local/samba/etc
rm -rf /usr/local/samba/private
rm -rf /usr/local/samba/var/locks/sysvol
Now we need to restore the samba, let's access the backup directory and extract the files.
cd /usr/local/backups
tar -jxf etc.2015-06-11.tar.bz2 -C /usr/local/samba
tar -jxf samba4_private.2015-06-11.tar.bz2 -C /usr/local/samba
tar -jxf sysvol.2015-06-11.tar.bz2 -C /usr/local/samba
Now we need to rename the files with extension *.ldb.bak in the directory private to *.ldb
find /usr/local/samba/private/ -type f -name '*.ldb.bak' -print0 | while

read -d $'\0' f ; do mv "$f" "${f%.bak}" ; done
Now we need to restore the acls
samba-tool ntacl sysvolreset
If you are using the BIND_DLZ as backend we need to fix the hard links
samba_upgradedns --dns-backend=BIND9_DLZ
Now let's start the samba
Now let's display our users
wbinfo -u
Administrator
Guest

2016/05/25 08:14 43/103
(Ongoing)
krbtgt
dns-samba1
douglas.q.santos
Now let's display our groups
wbinfo -g
Domain Admins
Domain Users
Domain Guests
Domain Computers
Domain Controllers
Schema Admins
Enterprise Admins
DnsUpdateProxy
it-admin
Everything is working properly as before.
Configuring a Windows 8 Client
Now let's join a Windows 8 Client to our Samba Domain.
Configuring the DNS Client:
In the Windows Machine press Windows Key + R and type: ncpa.cpl

Last
update:
2016/02/23
12:44
Now right click in the Ethernet and choose Properties
Here select Internet Protocol Version 4 (TCP/IPv4) and select Properties here we need to
put the Preferred DNS server as: 192.168.25.100

2016/05/25 08:14 45/103
(Ongoing)
Now click in OK and Close and close the Network connections
Joining in the Domain:
In the Windows Machine press Windows Key + R and type: sysdm.cpl

Last
update:
2016/02/23
12:44
Here select Change… And in Domain put douglas.lan

2016/05/25 08:14 47/103
(Ongoing)
Now click in OK.
Now we need to put the user as: administrator and its password and Select OK if everything is

Last
update:
2016/02/23
12:44
ok we will get the message box bellow.
Now Click OK we will get another message box with a warning about that we need to restart the
machine to apply the changes and click OK and Close
Now select Restart Now.
After restart choose Switch User the (right arrow into a circle). In the username put:
douglas\administrator and put its password and Enter

2016/05/25 08:14 49/103
(Ongoing)
Now we can install the RSAT we can get it in:

How to Install Admin Tools On Windows 8 – (Remote Server Administration Tools – RSAT)
Accessing the Active Directory Users and Computers
In the Windows Machine press Windows Key + R and type: dsa.msc
Accessing the DNS Manager
In the Windows Machine press Windows Key + R and type: dnsmgmt.msc

Here select The following computer: 192.168.25.100 and click OK

Last
update:
2016/02/23
12:44
After that we will get the DNS Manager we can manager the dns records here instead of via
Shell.
Creating Shares
The creating of samba shares is more easier than in the samba 3 in my point of view, we can create
the share and managing them via Windows.
Note: We must be the owner of the directory or must belong of the group owner to display or
managing the permissions.
Let's enable the administrator of domain to managing the shares via Windows.
net rpc rights grant 'DOUGLAS\Domain Admins' SeDiskOperatorPrivilege -U

administrator
Enter administrator's password:
Successfully granted rights.

2016/05/25 08:14 51/103
(Ongoing)
If you want to assign all the permission to a user e.g for the group 'DOUGLAS\Domain Admins' we can
do it as follows.
net rpc rights grant 'DOUGLAS\Domain Admins' SeMachineAccountPrivilege

SeTakeOwnershipPrivilege SeBackupPrivilege SeRestorePrivilege
SeRemoteShutdownPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege
SeDiskOperatorPrivilege SeSecurityPrivilege SeSystemtimePrivilege
SeShutdownPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege SeProfileSingleProcessPrivilege
SeIncreaseBasePriorityPrivilege SeLoadDriverPrivilege
SeCreatePagefilePrivilege SeIncreaseQuotaPrivilege SeChangeNotifyPrivilege
SeUndockPrivilege SeManageVolumePrivilege SeImpersonatePrivilege
SeCreateGlobalPrivilege SeEnableDelegationPrivilege -U administrator
Enter administrator's password:
Successfully granted rights.
Now let's create a new share.
[...]
[Demo]
path = /srv/samba/Demo/
read only = no
Now let's create the directory
mkdir -p /srv/samba/Demo/
Now we need to reload the samba configuration
smbcontrol all reload-config
Now in the Windows with a user that belongs of Domain Admins group here I shall use administrator
Now click Windows key + R and type: compmgmt.msc

Last
update:
2016/02/23
12:44
Now with the right click in Computer Management select Connect to another computer…
Now in Another computer put: 192.168.25.100 and click OK
Now browser until System Tools/Shared Folders/Share and select our new share called Demo

2016/05/25 08:14 53/103
(Ongoing)
Now with right click in Demo select Properties
Now in the tab Share Permissions. Here we can configure who will be able to access the share.

Last
update:
2016/02/23
12:44
Now in the tab Security we can managing who will be able to read/execute/modify the files and
folders.

2016/05/25 08:14 55/103
(Ongoing)
Now is only to select ok and close the window.
Roaming Profile
Now let's configure the Roaming profile
Let's create the directory that will store the profiles.
mkdir -p /srv/samba/Profiles/
Now let's add one more share in samba configuration file.
[...]
[Profiles]
path = /srv/samba/Profiles/
read only = no
Now we need to reload the samba configuration

Last
update:
2016/02/23
12:44
smbcontrol all reload-config
Now let's check the shares in a Windows machine.
Click Windows key + R and type: \\samba1
Now with right click in the Profiles share select Properties/Security

2016/05/25 08:14 57/103
(Ongoing)
Now select Advanced and Permissions

Leave only Administrator and add Owner Rights and Domain Users
Now we need to configure the permission as follows:
Name Permission Applies to

Administrator Full Control This Folder, subfolders and files
Traverse folder/execute file, List folder/read
Domain Users This folder only
date, Create folders/append data
CREATOR OWNER Full Control Subfolders and files only
After that:
Apply
OK
OK

Last
update:
2016/02/23
12:44
OK
Now we need to configure the roaming profile to an user to run a test.
Click Windows key + R and type: dsa.msc

Now select the user that you wanna to configure the roaming profile
Right click in it and select properties
Now select profile.
Now in Profile path: \\samba1.douglas.lan\Profiles\%username%
Now select OK
Now we can logon with that user and check if the profile was created in:
/srv/samba/Profiles/
After login with the user douglas.q.santos we shall get something like bellow.
ls -l /srv/samba/Profiles
total 8
drwxrwx---+ 2 DOUGLAS\douglas.q.santos users 4096 Jun 11 16:44

2016/05/25 08:14 59/103
(Ongoing)
douglas.q.santos.V2
Logon Script
Now we will create the logon script that need to be stored in

/usr/local/samba/var/locks/sysvol/douglas.lan/scripts
Let's create a basic one only to map the shared Demo
Note: Here I will use the user douglas.q.santos and this user need to has the permission to access the
share or belongs to a groups that has the permission
vim /usr/local/samba/var/locks/sysvol/douglas.lan/scripts/sharedemo.bat
net use x: \\samba1.douglas.lan\Demo
chmod +x /usr/local/samba/var/locks/sysvol/douglas.lan/scripts/sharedemo.bat
Now we need to convert the script to Microsoft format
unix2dos /usr/local/samba/var/locks/sysvol/douglas.lan/scripts/sharedemo.bat
Now Windows key + R and type: dsa.msc

Now select the user that you want to configure I will use the douglas.q.santos that I configured
the roaming profile
Right click in the user and select Properties
Now select Profile
In Logon script put: sharedemo.bat

Last
update:
2016/02/23
12:44
Now click in Apply and OK
Now let's logon with the user douglas.q.santos, after the login we will get something like below.

2016/05/25 08:14 61/103
(Ongoing)
I shall continue from here as soon as possible.
Configuração do SLAVE
Vamos atualizar os repositórios e vamos fazer um upgrade do sistema
yum check-update && yum update -y
Agora vamos instalar as dependências para podemos compilar o samba
yum install openldap-devel pam-devel git gcc make wget libacl-devel

libblkid-devel gnutls-devel readline-devel python-devel cups-devel \
libaio-devel quota-devel ctdb-devel krb5-devel krb5-workstation acl
setroubleshoot-server setroubleshoot-plugins policycoreutils-python \
libsemanage-python setools-libs-python setools-libs popt-devel libpcap-devel
libidn-devel libxml2-devel libacl-devel libsepol-devel libattr-devel \
keyutils-libs-devel cyrus-sasl-devel cups-devel bind-utils bind-sdb bind-
devel bind-libs bind avahi-devel mingw32-iconv gamin \
libcap-devel rpc2-devel glusterfs-devel python-dns -y
Agora vamos ajustar o fstab para que ele de suporte a acl,user_xattr e barrier eu vou habilitar isso na
partição / se você tiver várias partições é bom habilitar em todas que você queira habilitar os
compartilhamentos.

Last
update:
2016/02/23
12:44
vim /etc/fstab
[...]
/dev/mapper/VolGroup-lv_root / ext4
Agora vamos remontar a raiz
mount -o remount /
Agora vamos listar os atributos da raiz
mount | egrep acl

/dev/mapper/VolGroup-lv_root on / type ext4 (rw,acl,user_xattr,barrier=1)
Agora os atributos já estão carregados.
Agora vamos obter o samba vamos acessar o diretório que vai armazenar os fontes
cd /usr/src
Agora vamos obter os fontes
wget -c http://ftp.samba.org/pub/samba/stable/samba-4.1.3.tar.gz
Agora vamos desempacotar o samba
tar -xzvf samba-4.1.3.tar.gz
Agora vamos acessar o diretório dos fontes
cd samba-4.1.3
Agora vamos criar a configuração para o samba
./configure --enable-debug --enable-selftest
Agora vamos mandar compilar o samba este processo demora um pouco
make
Agora vamos mandar instalar o samba
make install
Agora vamos acertar a PATH do usuário root no caso dele estar utilizando o shell Bash
echo "export
11:/usr/local/samba/sbin:/usr/local/samba/bin">> /root/.bashrc

2016/05/25 08:14 63/103
(Ongoing)
Agora precisamos importar a nova PATH
source /root/.bashrc
Agora vamos acertar a PATH do usuário root no caso dele estar utilizando o shell zsh
echo "export
11:/usr/local/samba/sbin:/usr/local/samba/bin">> /root/.zshrc
Agora precisamos importar a nova PATH
source /root/.zshrc
Agora vamos ajustar o resolv.conf ele vai utilizar o nome do nosso domínio e o ip do pdc.
domain douglas.lan
search douglas.lan
Agora vamos ajustar a interface de rede para utilizar o nosso novo DNS
vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE="eth0"
BOOTPROTO="static"
BROADCAST="192.168.0.255"
DNS1="192.168.0.26"
GATEWAY="192.168.0.1"
IPADDR="192.168.0.25"
NETMASK="255.255.255.0"
NM_CONTROLLED="yes"
ONBOOT="yes"
TYPE="Ethernet"
Agora vamos configurar o Bind
vim /etc/named.conf
//named.conf
options {
listen-on port 53 { 127.0.0.1; 192.168.0.0/24; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { 192.168.0.0/24; localhost; };
recursion yes;

Last
update:
2016/02/23
12:44
forwarders { 8.8.8.8; 8.8.4.4; };
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
/* Path to ISC DLV key */

bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
/* keytab para samba4 */

tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
/*Arquivo de configuração do samba4 que informa a localização do bind_dlz */
include "/usr/local/samba/private/named.conf";
Agora vamos ajustar a configuração do krb5.conf
vim /etc/krb5.conf
[logging]
[libdefaults]
forwardable = yes
[appdefaults]
pam = {

2016/05/25 08:14 65/103
(Ongoing)
debug = false
forwardable = true
}
Vamos abrir um ticket no kerberos para verificarmos a nossa configuração
kinit administrator
Password for administrator@DOUGLAS.LAN:
Warning: Your password will expire in 41 days on Mon Oct 7 12:02:11 2013
Agora vamos inserir o nosso servidor como bdc
Agora vamos provisionar o nosso domínio
samba-tool domain join douglas.lan DC -U administrator --realm=douglas.lan -

-dns-backend=BIND9_DLZ
Finding a writeable DC for domain 'douglas.lan'
Found DC nodo1.douglas.lan
Password for [DOUGLAS\administrator]:
workgroup is DOUGLAS
realm is douglas.lan
checking sAMAccountName
Deleted CN=NODO2,OU=Domain Controllers,DC=douglas,DC=lan
Deleted CN=NTDS Settings,CN=NODO2,CN=Servers,CN=Default-First-Site-
Name,CN=Sites,CN=Configuration,DC=douglas,DC=lan
Deleted CN=NODO2,CN=Servers,CN=Default-First-Site-
Adding CN=NODO2,OU=Domain Controllers,DC=douglas,DC=lan
Adding CN=NODO2,CN=Servers,CN=Default-First-Site-
Adding CN=NTDS Settings,CN=NODO2,CN=Servers,CN=Default-First-Site-
Adding SPNs to CN=NODO2,OU=Domain Controllers,DC=douglas,DC=lan
Setting account password for NODO2$
Enabling account
Calling bare provision
No IPv6 address will be assigned
Provision OK for domain DN DC=douglas,DC=lan
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=douglas,DC=lan] objects[402/1550]
linked_values[0/0]
linked_values[0/0]
linked_values[0/0]
linked_values[0/0]
Analyze and apply schema objects

Last
update:
2016/02/23
12:44
Partition[CN=Configuration,DC=douglas,DC=lan] objects[402/1625]
linked_values[0/0]
linked_values[0/0]
linked_values[0/0]
linked_values[0/0]
linked_values[28/0]
Replicating critical objects from the base DN of the domain
Partition[DC=douglas,DC=lan] objects[98/98] linked_values[25/0]
Partition[DC=douglas,DC=lan] objects[375/277] linked_values[26/0]
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=douglas,DC=lan
Partition[DC=DomainDnsZones,DC=douglas,DC=lan] objects[40/40]
linked_values[0/0]
Replicating DC=ForestDnsZones,DC=douglas,DC=lan
Partition[DC=ForestDnsZones,DC=douglas,DC=lan] objects[18/18]
linked_values[0/0]
Partition[DC=ForestDnsZones,DC=douglas,DC=lan] objects[36/18]
linked_values[0/0]
Committing SAM database
Sending DsReplicateUpdateRefs for all the replicated partitions
Setting isSynchronized and dsServiceName
Setting up secrets database
Joined domain DOUGLAS (SID S-1-5-21-2011945809-1847694634-1467046014) as a
DC
Agora vamos inserir o named na incialização do sistema
chkconfig --add named

chkconfig named on
Agora vamos criar o script de inicialização
vim /etc/init.d/samba
#!/bin/sh
#
# chkconfig: - 91 35
# description: Starts and stops the Samba smbd daemon \
# used to provide SMB network services.
#
# pidfile: /var/run/samba/smbd.pid
# config: /etc/samba/smb.conf
# Source function library.

if [ -f /etc/init.d/functions ] ; then
. /etc/init.d/functions
elif [ -f /etc/rc.d/init.d/functions ] ; then

2016/05/25 08:14 67/103
(Ongoing)
. /etc/rc.d/init.d/functions
else
exit 1
fi
# Avoid using root's TMPDIR

unset TMPDIR
# Source networking configuration.

. /etc/sysconfig/network
if [ -f /etc/sysconfig/samba ]; then
. /etc/sysconfig/samba
fi
# Check that networking is up.

[ ${NETWORKING} = "no" ] && exit 1
# Check that smb.conf exists.

[ -f /usr/local/samba/etc/smb.conf ] || exit 6
RETVAL=0
start() {
KIND="SMB"
echo -n $"Starting $KIND services: "
RETVAL=$?
echo
[ $RETVAL -eq 0 ] && touch /usr/local/samba/var/lock/smb || \
RETVAL=1
return $RETVAL
}
stop() {
KIND="SMB"
echo -n $"Shutting down $KIND services: "
killproc smbd
RETVAL=$?
echo
[ $RETVAL -eq 0 ] && rm -f /usr/local/samba/var/lock/smb
return $RETVAL
}
restart() {
stop
start
}
reload() {
echo -n $"Reloading smb.conf file: "

Last
update:
2016/02/23
12:44
killproc smbd -HUP

RETVAL=$?
echo
return $RETVAL
}
rhstatus() {
status -l smb smbd
return $?
}
# Allow status as non-root.

if [ "$1" = status ]; then
rhstatus
exit $?
fi
# Check that we can write to it... so non-root users stop here

[ -w /usr/local/samba/etc/smb.conf ] || exit 4
case "$1" in
start)
start
;;
stop)
stop
;;
restart)
restart
;;
reload)
reload
;;
status)
rhstatus
;;
condrestart)
[ -f /var/lock/subsys/smb ] && restart || :
;;
*)
echo $"Usage: $0 {start|stop|restart|reload|status|condrestart}"
exit 2
esac
exit $?
Agora vamos dar permissão para o nosso script e vamos inserir ele na incialização
chmod +x /etc/init.d/samba
chkconfig --add samba

2016/05/25 08:14 69/103
(Ongoing)
chkconfig samba on
Agora vamos inicializar o named e o samba
/etc/init.d/named start
Agora vamos consultar o daemon do samba

root 1268 7.0 8.2 525140 41276 ? Ss 18:50 0:00
root 1271 0.0 5.7 525140 28648 ? S 18:50 0:00
root 1272 0.0 5.8 525140 29500 ? S 18:50 0:00
root 1273 0.1 6.2 529292 31152 ? S 18:50 0:00
root 1274 0.0 5.6 525140 28608 ? S 18:50 0:00
root 1275 8.8 6.1 525140 30768 ? S 18:50 0:00
root 1276 0.0 5.8 525140 29204 ? S 18:50 0:00
root 1277 7.0 8.6 576100 43440 ? Ss 18:50 0:00
/usr/local/samba/sbin/smbd --option=server role check:inhibit=yes --
foreground
root 1278 0.0 6.1 525140 30716 ? S 18:50 0:00
root 1279 0.5 6.2 529292 31316 ? S 18:50 0:00
root 1280 0.1 5.9 527652 29864 ? S 18:50 0:00
root 1281 0.0 5.7 525140 28748 ? S 18:50 0:00
root 1282 0.0 5.9 525140 29712 ? S 18:50 0:00
root 1283 0.0 5.9 525140 29708 ? S 18:50 0:00
root 1291 0.0 5.7 575584 29052 ? S 18:50 0:00
/usr/local/samba/sbin/smbd --option=server role check:inhibit=yes --
foreground
Como pode ser visto ele está rodando ok.
Agora vamos listar a versão do nosso samba
smbclient --version
Version 4.1.3
Agora vamos mandar listar os compartilhamentos

Last
update:
2016/02/23
12:44

Domain=[DOUGLAS] OS=[Unix] Server=[Samba 4.1.3]

--------- ---- -------
netlogon Disk
sysvol Disk
Server Comment
--------- -------
Workgroup Master
--------- -------
Agora vamos mandar listar o netlogon com o usuário administrator
smbclient //localhost/netlogon -UAdministrator%'sen@134*' -c 'ls'

. D 0 Mon Aug 26 18:35:20 2013
.. D 0 Mon Aug 26 18:35:20 2013
Agora vamos mandar listar a configuração do nosso samba
testparm
Load smb config files from /usr/local/samba/etc/smb.conf
rlimit_max: increasing rlimit_max (4096) to minimum Windows limit (16384)
Processing section "[netlogon]"
Processing section "[sysvol]"
Loaded services file OK.
Server role: ROLE_ACTIVE_DIRECTORY_DC
Press enter to see a dump of your service definitions
[global]
workgroup = DOUGLAS
realm = douglas.lan

2016/05/25 08:14 71/103
(Ongoing)
map archive = No
map readonly = no
[netlogon]
read only = No
[sysvol]
read only = No
Agora vamos ajustar o limits.conf para não aparecer os avisos no samba
vim /etc/security/limits.conf
#colocar no final do arquivo
root hard nofile 131072
root soft nofile 65536
mioutente hard nofile 32768
mioutente soft nofile 16384
Agora vamos testar a resolução de nome
nslookup douglas.lan
Server: 192.168.0.25
Address: 192.168.0.25#53
Name: douglas.lan
Address: 192.168.0.25
Name: douglas.lan
Address: 192.168.0.26
Agora vamos ajustar a configuração do kerberos
Vamos fazer backup do arquivo de configuração
mv /etc/krb5.conf /etc/krb5.conf.old
Vamos criar um link para o sistema reconhecer o arquivo de configuração do samba como default
ln -sf /usr/local/samba/private/krb5.conf /etc/krb5.conf
Agora vamos ajustar a configuração do krb5.conf
vim /etc/krb5.conf
[logging]

Last
update:
2016/02/23
12:44
[libdefaults]
forwardable = yes
[appdefaults]
pam = {
debug = false
forwardable = true
}
Agora vamos criar um link para o keytab do kerberos
ln -s /usr/local/samba/private/dns.keytab /etc/krb5.keytab
Agora vamos ajustar a configuração do samba para que ele consiga mapear via winbind
[global]
workgroup = DOUGLAS
realm = douglas.lan
netbios name = NODO2
#IDMAP
idmap config DOUGLAS:backend = ad
idmap config DOUGLAS:schema_mode = rfc2307

2016/05/25 08:14 73/103
(Ongoing)
idmap config DOUGLAS:range = 500-40000
#WINBIND
map archive = No
map readonly = no
#o template shell é necessário para logar com a autenticação via
winbind
#DESABILITANDO AS IMPRESSORAS
load printers = no
disable spoolss = yes
printing = bsd
### LOGS
max log size = 50
log level = 2
### LIXEIRA
recycle:repository = Lixeira
full_audit:failure = rmdir mkdir open write rename unlink
delete veto files = yes
dos filemode = yes
[netlogon]
read only = No
[sysvol]
read only = No
Agora vamos criar o diretório para armazenar os logs
mkdir -p /var/log/samba
Agora precisamos ajustar as bibliotecas do winbind para os sistemas de 32bits precisamos fazer da

Last
update:
2016/02/23
12:44
seguinte forma
ln -s /usr/local/samba/lib/libnss_winbind.so /lib
ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
ldconfig
Para os sistemas de 64bits precisamos fazer da seguinte forma
ln -s /usr/local/samba/lib/libnss_winbind.so /lib64
ln -s /lib64/libnss_winbind.so /lib64/libnss_winbind.so.2
ldconfig
Agora vamos ajustar o nsswitch.conf
[...]
passwd: files winbind
[...]
group: files winbind
Agora vamos inicializar um ticket para o administrator
kinit administrator
Agora vamos listar o nosso ticket
klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@DOUGLAS.LAN
Valid starting Expires Service principal

08/26/13 18:54:21 08/27/13 04:54:21 krbtgt/DOUGLAS.LAN@DOUGLAS.LAN
renew until 08/27/13 18:54:17
O nosso kerberos está ok.
Vamos instalar o ntp
yum install ntp -y
Agora vamos fazer um backup do arquivo de configuração default do ntp.conf
cp /etc/ntp.conf /etc/ntp.conf.old
Agora vamos configurar o ntp
vim /etc/ntp.conf
server 127.127.1.0

2016/05/25 08:14 75/103
(Ongoing)
fudge 127.127.1.0 stratum 10
server a.ntp.br iburst prefer
server 0.pool.ntp.org iburst prefer
server 1.pool.ntp.org iburst prefer
driftfile /var/lib/ntp/ntp.drift
logfile /var/log/ntp
ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/
restrict default kod nomodify notrap nopeer mssntp
restrict 127.0.0.1
restrict a.ntp.br mask 255.255.255.255 nomodify notrap nopeer noquery
restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
Agora vamos iniciar ele
/etc/init.d/ntpd start
Agora vamos consultar o seu sincronismo
ntpq -p 127.0.0.1
remote refid st t when poll reach delay offset
jitter
============================================================================
==
LOCAL(0) .LOCL. 10 l - 64 1 0.000 0.000
0.000
a.ntp.br .INIT. 16 u - 64 0 0.000 0.000
0.000
a.st1.ntp.br .INIT. 16 u - 64 0 0.000 0.000
0.000
roma.coe.ufrj.b .INIT. 16 u - 64 0 0.000 0.000
0.000
Agora vamos inserir o ntp na incialização
chkconfig --add ntpd

chkconfig ntpd on
Agora vamos atualizar o nosso ntp
ntpdate -u a.ntp.br
Agora vamos ajustar o grupo do arquivo ntp_signd
chgrp ntp /usr/local/samba/var/lib/ntp_signd
O nosso samba já está ok.
Agora podemos obter os RSAT(Admin pack) em:

Last
update:
2016/02/23
12:44
Para instalar o RSAT no Windows 7:

http://social.technet.microsoft.com/wiki/contents/articles/2593.instalando-o-remote-server-admi
nistration-tools-rsat-no-windows-7-sp1-pt-br.aspx
Para instalar o RSAT no Windows 8: http://www.canaldainfo.com.br/index.php/windows-8rsat/
Agora vamos testar o winbind
wbinfo -t
Agora vamos listar os grupos
wbinfo -g
Domain Admins
Domain Users
Domain Guests
Domain Computers
Domain Controllers
Schema Admins
Enterprise Admins
DnsUpdateProxy
ti-admin
Agora vamos listar os usuários
wbinfo -u
Administrator
Guest
krbtgt
dns-nodo1
douglas.santos
Agora vamos testar o update de dns no samba
samba_dnsupdate --verbose
IPs: ['192.168.0.26']
Skipping PDC entry (SRV _ldap._tcp.pdc._msdcs.${DNSDOMAIN}
${HOSTNAME} 389) as we are not a PDC
Skipping PDC entry (SRV _ldap._tcp.pdc._msdcs.${DNSFOREST}
Looking for DNS entry A douglas.lan 192.168.0.26 as douglas.lan.
2016/05/25 08:14 77/103
(Ongoing)
Looking for DNS entry A nodo2.douglas.lan 192.168.0.26 as nodo2.douglas.lan.
Looking for DNS entry A gc._msdcs.douglas.lan 192.168.0.26 as
gc._msdcs.douglas.lan.
Looking for DNS entry CNAME ccc206ae-bc66-4a4e-
a282-06aa4613cadd._msdcs.douglas.lan nodo2.douglas.lan as ccc206ae-
bc66-4a4e-a282-06aa4613cadd._msdcs.douglas.lan.
Looking for DNS entry SRV _kpasswd._tcp.douglas.lan nodo2.douglas.lan 464 as
_kpasswd._tcp.douglas.lan.
Checking 0 100 464 nodo2.douglas.lan. against SRV _kpasswd._tcp.douglas.lan
nodo2.douglas.lan 464
Looking for DNS entry SRV _kpasswd._udp.douglas.lan nodo2.douglas.lan 464 as
_kpasswd._udp.douglas.lan.
Checking 0 100 464 nodo1.douglas.lan. against SRV _kpasswd._udp.douglas.lan
Checking 0 100 464 nodo2.douglas.lan. against SRV _kpasswd._udp.douglas.lan
Looking for DNS entry SRV _kerberos._tcp.douglas.lan nodo2.douglas.lan 88 as
_kerberos._tcp.douglas.lan.
Checking 0 100 88 nodo1.douglas.lan. against SRV _kerberos._tcp.douglas.lan
Checking 0 100 88 nodo2.douglas.lan. against SRV _kerberos._tcp.douglas.lan
Looking for DNS entry SRV _kerberos._tcp.dc._msdcs.douglas.lan
nodo2.douglas.lan 88 as _kerberos._tcp.dc._msdcs.douglas.lan.
Checking 0 100 88 nodo2.douglas.lan. against SRV
_kerberos._tcp.dc._msdcs.douglas.lan nodo2.douglas.lan 88
Looking for DNS entry SRV _kerberos._tcp.default-first-site-
name._sites.douglas.lan nodo2.douglas.lan 88 as _kerberos._tcp.default-
first-site-name._sites.douglas.lan.
Checking 0 100 88 nodo1.douglas.lan. against SRV _kerberos._tcp.default-
first-site-name._sites.douglas.lan nodo2.douglas.lan 88
first-site-name._sites.douglas.lan nodo2.douglas.lan 88
Looking for DNS entry SRV _kerberos._tcp.default-first-site-
name._sites.dc._msdcs.douglas.lan nodo2.douglas.lan 88 as
_kerberos._tcp.default-first-site-name._sites.dc._msdcs.douglas.lan.
first-site-name._sites.dc._msdcs.douglas.lan nodo2.douglas.lan 88
first-site-name._sites.dc._msdcs.douglas.lan nodo2.douglas.lan 88
Looking for DNS entry SRV _kerberos._udp.douglas.lan nodo2.douglas.lan 88 as
_kerberos._udp.douglas.lan.
Checking 0 100 88 nodo1.douglas.lan. against SRV _kerberos._udp.douglas.lan
Checking 0 100 88 nodo2.douglas.lan. against SRV _kerberos._udp.douglas.lan
Looking for DNS entry SRV _ldap._tcp.douglas.lan nodo2.douglas.lan 389 as
_ldap._tcp.douglas.lan.
Checking 0 100 389 nodo2.douglas.lan. against SRV _ldap._tcp.douglas.lan
Looking for DNS entry SRV _ldap._tcp.dc._msdcs.douglas.lan nodo2.douglas.lan

Last
update:
2016/02/23
12:44
389 as _ldap._tcp.dc._msdcs.douglas.lan.
_ldap._tcp.dc._msdcs.douglas.lan nodo2.douglas.lan 389
_ldap._tcp.dc._msdcs.douglas.lan nodo2.douglas.lan 389
Looking for DNS entry SRV _ldap._tcp.gc._msdcs.douglas.lan nodo2.douglas.lan
3268 as _ldap._tcp.gc._msdcs.douglas.lan.
_ldap._tcp.gc._msdcs.douglas.lan nodo2.douglas.lan 3268
Looking for DNS entry SRV _ldap._tcp.default-first-site-
name._sites.douglas.lan nodo2.douglas.lan 389 as _ldap._tcp.default-first-
site-name._sites.douglas.lan.
Checking 0 100 389 nodo1.douglas.lan. against SRV _ldap._tcp.default-first-
site-name._sites.douglas.lan nodo2.douglas.lan 389
name._sites.dc._msdcs.douglas.lan nodo2.douglas.lan 389 as
_ldap._tcp.default-first-site-name._sites.dc._msdcs.douglas.lan.
site-name._sites.dc._msdcs.douglas.lan nodo2.douglas.lan 389
site-name._sites.dc._msdcs.douglas.lan nodo2.douglas.lan 389
name._sites.gc._msdcs.douglas.lan nodo2.douglas.lan 3268 as
_ldap._tcp.default-first-site-name._sites.gc._msdcs.douglas.lan.
site-name._sites.gc._msdcs.douglas.lan nodo2.douglas.lan 3268
Looking for DNS entry SRV
_ldap._tcp.15cf6198-7655-4ba1-9563-2682bf9b6483.domains._msdcs.douglas.lan
nodo2.douglas.lan 389 as
_ldap._tcp.15cf6198-7655-4ba1-9563-2682bf9b6483.domains._msdcs.douglas.lan.
Looking for DNS entry SRV _gc._tcp.douglas.lan nodo2.douglas.lan 3268 as
_gc._tcp.douglas.lan.
Checking 0 100 3268 nodo2.douglas.lan. against SRV _gc._tcp.douglas.lan
Looking for DNS entry SRV _gc._tcp.default-first-site-
name._sites.douglas.lan nodo2.douglas.lan 3268 as _gc._tcp.default-first-
site-name._sites.douglas.lan.
Checking 0 100 3268 nodo1.douglas.lan. against SRV _gc._tcp.default-first-
Checking 0 100 3268 nodo2.douglas.lan. against SRV _gc._tcp.default-first-
No DNS updates needed
Agora vamos mandar atualizar todos os registros

2016/05/25 08:14 79/103
(Ongoing)
samba_dnsupdate --verbose --all-names

IPs: ['192.168.0.26']
Skipping PDC entry (SRV _ldap._tcp.pdc._msdcs.${DNSDOMAIN}
Skipping PDC entry (SRV _ldap._tcp.pdc._msdcs.${DNSFOREST}
Calling nsupdate for A douglas.lan 192.168.0.26

;; UPDATE SECTION:
douglas.lan. 900 IN A 192.168.0.26
Calling nsupdate for A nodo2.douglas.lan 192.168.0.26

;; UPDATE SECTION:
nodo2.douglas.lan. 900 IN A 192.168.0.26
Calling nsupdate for A gc._msdcs.douglas.lan 192.168.0.26

;; UPDATE SECTION:
gc._msdcs.douglas.lan. 900 IN A 192.168.0.26
Calling nsupdate for CNAME ccc206ae-bc66-4a4e-

a282-06aa4613cadd._msdcs.douglas.lan nodo2.douglas.lan
;; UPDATE SECTION:
ccc206ae-bc66-4a4e-a282-06aa4613cadd._msdcs.douglas.lan. 900 IN CNAME
nodo2.douglas.lan.
Calling nsupdate for SRV _kpasswd._tcp.douglas.lan nodo2.douglas.lan 464

;; UPDATE SECTION:
_kpasswd._tcp.douglas.lan. 900 IN SRV 0 100 464 nodo2.douglas.lan.
Calling nsupdate for SRV _kpasswd._udp.douglas.lan nodo2.douglas.lan 464

;; UPDATE SECTION:
_kpasswd._udp.douglas.lan. 900 IN SRV 0 100 464 nodo2.douglas.lan.

Last
update:
2016/02/23
12:44
Calling nsupdate for SRV _kerberos._tcp.douglas.lan nodo2.douglas.lan 88

;; UPDATE SECTION:
_kerberos._tcp.douglas.lan. 900 IN SRV 0 100 88 nodo2.douglas.lan.
Calling nsupdate for SRV _kerberos._tcp.dc._msdcs.douglas.lan

;; UPDATE SECTION:
_kerberos._tcp.dc._msdcs.douglas.lan. 900 IN SRV 0 100 88 nodo2.douglas.lan.
Calling nsupdate for SRV _kerberos._tcp.default-first-site-

name._sites.douglas.lan nodo2.douglas.lan 88
;; UPDATE SECTION:
_kerberos._tcp.default-first-site-name._sites.douglas.lan. 900 IN SRV 0 100
88 nodo2.douglas.lan.
Calling nsupdate for SRV _kerberos._tcp.default-first-site-

name._sites.dc._msdcs.douglas.lan nodo2.douglas.lan 88
;; UPDATE SECTION:
_kerberos._tcp.default-first-site-name._sites.dc._msdcs.douglas.lan. 900 IN
SRV0 100 88 nodo2.douglas.lan.
Calling nsupdate for SRV _kerberos._udp.douglas.lan nodo2.douglas.lan 88

;; UPDATE SECTION:
_kerberos._udp.douglas.lan. 900 IN SRV 0 100 88 nodo2.douglas.lan.
Calling nsupdate for SRV _ldap._tcp.douglas.lan nodo2.douglas.lan 389

;; UPDATE SECTION:
_ldap._tcp.douglas.lan. 900 IN SRV 0 100 389 nodo2.douglas.lan.
Calling nsupdate for SRV _ldap._tcp.dc._msdcs.douglas.lan nodo2.douglas.lan

389
2016/05/25 08:14 81/103
(Ongoing)
;; UPDATE SECTION:
_ldap._tcp.dc._msdcs.douglas.lan. 900 IN SRV 0 100 389 nodo2.douglas.lan.
Calling nsupdate for SRV _ldap._tcp.gc._msdcs.douglas.lan nodo2.douglas.lan

3268
;; UPDATE SECTION:
_ldap._tcp.gc._msdcs.douglas.lan. 900 IN SRV 0 100 3268
nodo2.douglas.lan.
Calling nsupdate for SRV _ldap._tcp.default-first-site-

name._sites.douglas.lan nodo2.douglas.lan 389
;; UPDATE SECTION:
_ldap._tcp.default-first-site-name._sites.douglas.lan. 900 IN SRV 0 100 389
nodo2.douglas.lan.

name._sites.dc._msdcs.douglas.lan nodo2.douglas.lan 389
;; UPDATE SECTION:
_ldap._tcp.default-first-site-name._sites.dc._msdcs.douglas.lan. 900 IN
SRV 0 100 389 nodo2.douglas.lan.

name._sites.gc._msdcs.douglas.lan nodo2.douglas.lan 3268
;; UPDATE SECTION:
_ldap._tcp.default-first-site-name._sites.gc._msdcs.douglas.lan. 900 IN
SRV 0 100 3268 nodo2.douglas.lan.
Calling nsupdate for SRV

;; UPDATE SECTION:
_ldap._tcp.15cf6198-7655-4ba1-9563-2682bf9b6483.domains._msdcs.douglas.lan.
900IN SRV 0 100 389 nodo2.douglas.lan.
Calling nsupdate for SRV _gc._tcp.douglas.lan nodo2.douglas.lan 3268

Last
update:
2016/02/23
12:44

;; UPDATE SECTION:
_gc._tcp.douglas.lan. 900 IN SRV 0 100 3268 nodo2.douglas.lan.
Calling nsupdate for SRV _gc._tcp.default-first-site-name._sites.douglas.lan

;; UPDATE SECTION:
_gc._tcp.default-first-site-name._sites.douglas.lan. 900 IN SRV 0 100
3268 nodo2.douglas.lan.
Agora vamos efetuar uma consulta de dns para registros de serviços
Vamos consultar o serviço do ldap
host -t SRV _ldap._tcp.douglas.lan.

_ldap._tcp.douglas.lan has SRV record 0 100 389 nodo2.douglas.lan.
_ldap._tcp.douglas.lan has SRV record 0 100 389 nodo1.douglas.lan.
Vamos consultar o serviço do kerberos
host -t SRV _kerberos._udp.douglas.lan.

Agora vamos consultar o registro do tipo A do nosso server
host -t A nodo2.douglas.lan
nodo2.douglas.lan has address 192.168.0.26
Agora vamos listar a keytab do kerberos
klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- -----------------------------------------------------------------------
---
1 DNS/nodo2.douglas.lan@DOUGLAS.LAN
1 dns-nodo2@DOUGLAS.LAN

2016/05/25 08:14 83/103
(Ongoing)
Agora vamos consultar os tickets ativos
klist -e

renew until 08/27/13 18:54:17, Etype (skey, tkt): aes256-cts-hmac-
sha1-96, aes256-cts-hmac-sha1-96
Agora vamos consultar se os nossos dois servidores estão no sysvol
ldbsearch -H /usr/local/samba/private/sam.ldb '(invocationid=*)' --cross-ncs

objectguid
# record 1
dn: CN=NTDS Settings,CN=NODO1,CN=Servers,CN=Default-First-Site-
objectGUID: eae04ba1-3ca2-4ec6-b08c-4962ca4f04b4
# record 2
dn: CN=NTDS Settings,CN=NODO2,CN=Servers,CN=Default-First-Site-
objectGUID: ccc206ae-bc66-4a4e-a282-06aa4613cadd
# returned 2 records
# 2 entries
# 0 referrals
Agora vamos consultar a replicação
samba-tool drs showrepl

Default-First-Site-Name\NODO2
DSA Options: 0x00000001
DSA object GUID: ccc206ae-bc66-4a4e-a282-06aa4613cadd
DSA invocationId: 08233b5e-5d9f-469f-b350-641b18278b60
==== INBOUND NEIGHBORS ====
CN=Schema,CN=Configuration,DC=douglas,DC=lan
Default-First-Site-Name\NODO1 via RPC
DSA object GUID: eae04ba1-3ca2-4ec6-b08c-4962ca4f04b4
Last attempt @ Mon Aug 26 19:01:06 2013 BRT was successful
0 consecutive failure(s).
Last success @ Mon Aug 26 19:01:06 2013 BRT
DC=DomainDnsZones,DC=douglas,DC=lan
Last
update:
2016/02/23
12:44

CN=Configuration,DC=douglas,DC=lan
DC=ForestDnsZones,DC=douglas,DC=lan
DC=douglas,DC=lan
==== OUTBOUND NEIGHBORS ====
CN=Schema,CN=Configuration,DC=douglas,DC=lan
Last attempt @ NTTIME(0) was successful
Last success @ NTTIME(0)
DC=DomainDnsZones,DC=douglas,DC=lan
CN=Configuration,DC=douglas,DC=lan
DC=ForestDnsZones,DC=douglas,DC=lan
2016/05/25 08:14 85/103
(Ongoing)
DC=douglas,DC=lan
==== KCC CONNECTION OBJECTS ====
Connection --
Connection name: d6fcfc72-89b0-4f4c-88c2-bf887510b6af
Enabled : TRUE
Server DNS name : nodo1.douglas.lan
Server DN name : CN=NTDS Settings,CN=NODO1,CN=Servers,CN=Default-First-
Site-Name,CN=Sites,CN=Configuration,DC=douglas,DC=lan
TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!
A nossa replicação está ok
Ajustando a PAM no SLAVE
Agora vamos a configuração da PAM, com isso vamos poder autenticar os usuários do domínio no
Linux eu vou deixar habilitado somente o grupo do root e o ti-admin que terá que ser criado no AD
para autenticar no Linux e obter um shell.
Vamos criar um link para a biblioteca de autenticação do winbind que foi compilada para sistemas
64bits
ln -sf /usr/local/samba/lib/security/pam_winbind.so
/lib64/security/pam_winbind.so
Vamos criar um link para a biblioteca de autenticação do winbind que foi compilada para sistemas
32bits
ln -sf /usr/local/samba/lib/security/pam_winbind.so
/lib/security/pam_winbind.so
Vamos alterar o system-auth para que quando o usuário for logar no sistema seja criado o diretório
home dele com o conteúdo do diretório /etc/skel
vim /etc/pam.d/system-auth
#%PAM-1.0

Last
update:
2016/02/23
12:44
# This file is auto-generated.

# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_unix.so

account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
password requisite pam_cracklib.so try_first_pass retry=3 type=

password sufficient pam_unix.so sha512 shadow nullok try_first_pass
use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke

session [success=1 default=ignore] pam_succeed_if.so service in crond
quiet use_uid
session required pam_mkhomedir.so skel=/etc/skel/ umask=0027
Agora vamos ajustar o login
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad]
pam_securetty.so
auth include system-auth

account required pam_winbind.so
account include system-auth
#Grupos que vão poder efetuar login no servidor
account requisite pam_succeed_if.so user ingroup ti-admin
password include system-auth

# pam_selinux.so close should be the first session rule
session required pam_selinux.so close

session include system-auth
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in
the user context

2016/05/25 08:14 87/103
(Ongoing)
session required pam_selinux.so open
session optional pam_keyinit.so force revoke
Agora vamos ajustar o ssh
vim /etc/pam.d/sshd
#%PAM-1.0

#Grupos que vão poder logar via ssh

Como esse servidor é uma replica do pdc devemos já ter os usuários e grupos somente vamos
consultar eles
Vamos consultar os usuários
wbinfo -u
Administrator
Guest
krbtgt
dns-nodo1
douglas.santos
Agora vamos consultar os grupos
wbinfo -g
Domain Admins
Domain Users
Domain Guests
Domain Computers
Domain Controllers
Schema Admins
Enterprise Admins
DnsUpdateProxy
ti-admin

Last
update:
2016/02/23
12:44
Agora vamos reiniciar o servidor
reboot
Agora depois que logou novamente vamos consultar a conexão do winbind
wbinfo -t
Eu já estou com o meu usuário douglas.santos e ele pertence ao grupo ti-admin agora vamos testar a
conexão via ssh
ssh douglas.santos@192.168.0.26
douglas.santos@192.168.0.26's password:
Creating directory '/home/DOUGLAS/douglas.santos'.
[19:08:04] DOUGLAS\douglas.santos@nodo2 [~] $
Agora se conferirmos os logs do secure vamos ter algo como
tail -f /var/log/secure
Aug 26 19:08:03 nodo2 sshd[1222]: pam_winbind(sshd:auth): getting password
(0x00000000)
Aug 26 19:08:03 nodo2 sshd[1222]: pam_winbind(sshd:auth): user
'douglas.santos' granted access
Aug 26 19:08:03 nodo2 sshd[1222]: pam_succeed_if(sshd:account): requirement
"user ingroup root" not met by user "DOUGLAS\douglas.santos"
Aug 26 19:08:04 nodo2 sshd[1222]: pam_winbind(sshd:account): user
'DOUGLAS\douglas.santos' granted access
Aug 26 19:08:04 nodo2 sshd[1222]: pam_succeed_if(sshd:account): requirement
"user ingroup ti-admin" was met by user "DOUGLAS\douglas.santos"
Aug 26 19:08:04 nodo2 sshd[1222]: Accepted password for douglas.santos from
192.168.0.130 port 48754 ssh2
Aug 26 19:08:04 nodo2 sshd[1222]: pam_unix(sshd:session): session opened for
user DOUGLAS\douglas.santos by (uid=0)
Como podemos notar a nossa autenticação está ok.
Replicação do Sysvol
Aqui eu vou abordar como é recomendado pela equipe do samba pra efetuar a replicação do sysvol
que por enquanto não é automática.
No servidor Master no meu caso o nodo1 vamos instalar o rsync e o xinetd
yum install xinetd rsync -y

2016/05/25 08:14 89/103
(Ongoing)
Agora vamos colocar o xinetd na incialização do sistema
chkconfig --add xinetd

chkconfig xinetd on
Agora vamos acertar a configuração do rsync para o xinetd
vim /etc/xinetd.d/rsync
# default: off
# description: The rsync server is a good addition to an ftp server, as it \
# allows crc checksumming etc.
service rsync
{
disable = no
only_from = 192.168.0.0/24
socket_type = stream
wait = no
user = root
server = /usr/bin/rsync
server_args = --daemon
log_on_failure += USERID
}
Agora vamos criar o nosso arquivo de configuração do rsync.conf que vai conter o compartilhamento
do sysvol
vim /etc/rsyncd.conf
[SysVol]
path = /usr/local/samba/var/locks/sysvol/
comment = Samba Sysvol Share
uid = root
gid = root
read only = yes
auth users = sysvol-replication
secrets file = /usr/local/samba/etc/rsyncd.secret
Note que ali vamos utilizar um usuário e uma senha agora vamos criar o arquivo contendo a senha
vim /usr/local/samba/etc/rsyncd.secret
sysvol-replication:pa$$w0rd
Agora vamos ajustar as permissões do arquivo senão o rsync não vai liberar o compartilhamento
chmod 440 /usr/local/samba/etc/rsyncd.secret
Agora vamos reiniciar o xinetd
/etc/init.d/xinetd restart
Vamos consultar o tamanho do sysvol do servidor master

Last
update:
2016/02/23
12:44
du -sh /usr/local/samba/var/locks/sysvol
100K /usr/local/samba/var/locks/sysvol
Agora vamos consultar o tamanho do sysvol do servidor slave
Note que temos uma diferença grande.
Agora vamos configurar o servidor slave
Vamos instalar o rsync
yum install rsync -y
Agora vamos criar o arquivo contendo a senha para acessar o servidor master
vim /usr/local/samba/etc/rsync-sysvol.secret
pa$$w0rd
Agora vamos acertar as permissões do arquivo de senha
chmod 440 /usr/local/samba/etc/rsync-sysvol.secret
Agora vamos fazer testar o sincronismo do sysvol
rsync --dry-run -XAavz --delete-after --password-

file=/usr/local/samba/etc/rsync-sysvol.secret rsync://sysvol-
replication@192.168.0.25/SysVol/ /usr/local/samba/var/locks/sysvol/
receiving file list ... done
./
douglas.lan/
douglas.lan/Policies/
douglas.lan/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/
douglas.lan/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI
douglas.lan/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/
douglas.lan/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/USER/
douglas.lan/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/
douglas.lan/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/GPT.INI
douglas.lan/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/MACHINE/
douglas.lan/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/USER/
douglas.lan/scripts/
douglas.lan/scripts/sharedemo.bat
sent 109 bytes received 876 bytes 656.67 bytes/sec

total size is 77 speedup is 0.08 (DRY RUN)
Note que não tivemos erro nenhum com isso podemos omitir agora a opção –dry-run

2016/05/25 08:14 91/103
(Ongoing)
Agora vamos fazer a replicação
rsync -XAavz --delete-after --password-file=/usr/local/samba/etc/rsync-

sysvol.secret rsync://sysvol-replication@192.168.0.25/SysVol/
/usr/local/samba/var/locks/sysvol/
receiving file list ... done
./
douglas.lan/
douglas.lan/Policies/
douglas.lan/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/
douglas.lan/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI
douglas.lan/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/
douglas.lan/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/USER/
douglas.lan/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/
douglas.lan/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/GPT.INI
douglas.lan/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/MACHINE/
douglas.lan/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/USER/
douglas.lan/scripts/
douglas.lan/scripts/sharedemo.bat
sent 173 bytes received 2308 bytes 4962.00 bytes/sec

total size is 77 speedup is 0.03
Agora vamos consultar o tamanho do sysvol do servidor master
Agora vamos consultar o tamanho do sysvol do servidor slave
Agora vamos deixar uma rotina no crontab do servidor slave para sempre efetuar o sincronismo
crontab -e
*/5 * * * * rsync -XAavz --delete-after --password-
file=/usr/local/samba/etc/rsync-sysvol.secret rsync://sysvol-
replication@192.168.0.25/SysVol/ /usr/local/samba/var/locks/sysvol
Esse sincronismo pode ser feito para todos os DCs menos para o PDC.
Configurando um Cliente CentOS para

autenticar no Samba 4
Prepare o seu sistema com o seguinte script

http://wiki.douglasqsantos.com.br/doku.php/confinicialcentos6_en para que não falte nenhum pacote

Last
update:
2016/02/23
12:44
ou configuração.
Vamos instalar as dependências para ele poder fazer parte do domínio samba 4
yum install samba samba-winbind samba-winbind-devel samba-client samba-

common \
pam_krb5 cifs-utils samba-winbind-krb5-locator samba-doc krb5-workstation -
y
Agora vamos inserir os serviços na incialização do sistema
chkconfig --add nmb

chkconfig --add smb
chkconfig --add winbind
Agora vamos ativar eles
chkconfig nmb on
chkconfig smb on
chkconfig winbind on
Agora vamos ajustar o resolv.conf do cliente
domain douglas.lan
search douglas.lan
Agora vamos ajustar a interface de rede
vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE="eth0"
BOOTPROTO="static"
BROADCAST="192.168.0.255"
DNS1="192.168.0.25"
DNS2="192.168.0.26"
GATEWAY="192.168.0.1"
IPADDR="192.168.0.27"
NETMASK="255.255.255.0"
NM_CONTROLLED="yes"
ONBOOT="yes"
TYPE="Ethernet"
Agora vamos ajustar o horário do servidor pois como vamos trabalhar com winbind e kerberos não
podemos ter diferença de horario
ntpdate -u a.ntp.br
Agora vamos ajustar o kerberos

2016/05/25 08:14 93/103
(Ongoing)
vim /etc/krb5.conf
[libdefaults]
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true
[realms]
DOUGLAS.LAN = {
kdc = 192.168.0.25
kdc = 192.168.0.26
admin_server = 192.168.0.25:749
default_server = 192.168.0.25
}
[domain_realm]
.douglas.lan=DOUGLAS.LAN
douglas.lan=DOUGLAS.LAN
[login]
krb4_convert = true
krb4_get_tickets = false
[kdc]
profile = /etc/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
forwardable = true
}
[logging]
default = file:/var/log/krb5libs.log
kdc = file:/var/log/krb5kdc.log
admin_server = file:/var/log/kadmind.log
Agora vamos acertar o limits.conf
Last
update:
2016/02/23
12:44
[...]
Agora vamos ajustar o smb.conf
vim /etc/samba/smb.conf
[global]
workgroup = DOUGLAS
security = ADS
realm = DOUGLAS.LAN
netbios name = CENTOS
encrypt passwords = yes
idmap config * : range = 10000-30000
auth methods = winbind
[...]
passwd: files winbind
shadow: files
group: files winbind
Vamos iniciar os serviços
/etc/init.d/nmb start
/etc/init.d/smb start
/etc/init.d/winbind start
Agora vamos ajustar a PAM
Vamos ajustar para que quando o usuário faça login seja criado o seu diretório home
vim /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.

2016/05/25 08:14 95/103
(Ongoing)
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_unix.so

account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
password requisite pam_cracklib.so try_first_pass retry=3 type=

password sufficient pam_unix.so sha512 shadow nullok try_first_pass
use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke

session [success=1 default=ignore] pam_succeed_if.so service in crond
quiet use_uid
session required pam_mkhomedir.so skel=/etc/skel/ umask=0027
Agora vamos ajustar o login utilizando o winbind aqui eu liberei somente o grupo root e o ti-admin
para efetuar login em máquinas Linux
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad]
pam_securetty.so

#Grupos que vão poder efetuar login no servidor

# pam_selinux.so close should be the first session rule
session required pam_selinux.so close

session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in
the user context
session required pam_selinux.so open

Last
update:
2016/02/23
12:44
Agora vamos ajustar o acesso via ssh utilizando o winbind aqui eu liberei somente o grupo root e o ti-
admin para efetuar login em máquinas Linux
vim /etc/pam.d/sshd
#%PAM-1.0

#Grupos que vão poder logar via ssh

Agora vamos verificar se estamos conseguindo criar um ticker do kerberos
kinit administrator
Agora vamos listar o nosso ticket
klist

renew until 08/28/13 10:02:51
Agora vamos fazer o join no domínio
net ads join douglas.lan -U administrator
Esse erro de DNS ainda estou tentando arrumar.
Agora vamos reiniciar os serviços
/etc/init.d/nmb restart
/etc/init.d/smb restart
/etc/init.d/winbind restart

2016/05/25 08:14 97/103
(Ongoing)
Agora vamos testar a conexão com o winbind
wbinfo -t
Agora vamos listar os usuários do domínio
wbinfo -u
douglas.santos
administrator
dns-nodo1
krbtgt
guest
Vamos listar os grupos
wbinfo -g
allowed rodc password replication group
enterprise read-only domain controllers
denied rodc password replication group
ti-admin
read-only domain controllers
group policy creator owners
ras and ias servers
domain controllers
enterprise admins
domain computers
cert publishers
dnsupdateproxy
domain admins
domain guests
schema admins
domain users
dnsadmins
Agora vamos testar o acesso via ssh para esse cliente
[10:40:01] douglas.santos@centos [~] $
Agora vamos ver os logs de acesso do centos
tail -f /var/log/secure
Aug 27 10:38:55 centos sshd[13906]: pam_winbind(sshd:auth): getting password
(0x00000000)
Aug 27 10:38:56 centos sshd[13906]: pam_winbind(sshd:auth): user

Last
update:
2016/02/23
12:44
Aug 27 10:39:32 centos sshd[13906]: pam_succeed_if(sshd:account):

requirement "user ingroup root" not met by user "douglas.santos"
Aug 27 10:39:32 centos sshd[13906]: pam_winbind(sshd:account): user
Aug 27 10:39:35 centos sshd[13906]: pam_succeed_if(sshd:account):
requirement "user ingroup ti-admin" was met by user "douglas.santos"
Aug 27 10:39:35 centos sshd[13906]: Accepted password for douglas.santos
from 192.168.0.130 port 46470 ssh2
Aug 27 10:39:50 centos sshd[13906]: pam_unix(sshd:session): session opened
for user douglas.santos by (uid=0)
O cliente está configurado com sucesso :D
Configurando um Cliente Debian Wheezy

para autenticar no Samba 4
Prepare o seu sistema com o seguinte script

http://wiki.douglasqsantos.com.br/doku.php/confinicialwheezy_en para que não falte nenhum pacote
ou configuração.
Vamos atualizar os repositórios e fazer um upgrade do sistema
aptitude update && aptitude dist-upgrade -y
Agora vamos ajustar as variáveis de ambiente do Debian
export DEBIAN_PRIORITY=critical
export DEBIAN_FRONTEND=noninteractive
Agora vamos instalar as dependências
aptitude install samba samba-common smbclient winbind krb5-config libpam-

krb5 cifs-utils krb5-user -y
Agora vamos voltar as variáveis de ambiente do Debian
unset DEBIAN_PRIORITY
unset DEBIAN_FRONTEND
Agora vamos ajustar o resolv.conf
domain douglas.lan
search douglas.lan

2016/05/25 08:14 99/103
(Ongoing)
Agora vamos ajustar o horário do nosso servidor
ntpdate -u a.ntp.br
Agora vamos ajustar o arquivo de configuração do kerberos
vim /etc/krb5.conf
[libdefaults]
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true
[realms]
DOUGLAS.LAN = {
kdc = 192.168.0.25
kdc = 192.168.0.26
admin_server = 192.168.0.25:749
default_server = 192.168.0.25
}
[domain_realm]
.douglas.lan=DOUGLAS.LAN
douglas.lan=DOUGLAS.LAN
[login]
krb4_convert = true
krb4_get_tickets = false
[kdc]
profile = /etc/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
forwardable = true
}
[logging]

Last
update:
2016/02/23
12:44
default = file:/var/log/krb5libs.log
kdc = file:/var/log/krb5kdc.log
admin_server = file:/var/log/kadmind.log
Agora vamos ajustar o limits.conf
[...]
Agora vamos ajustar o smb.conf
vim /etc/samba/smb.conf
[global]
workgroup = DOUGLAS
security = ADS
realm = DOUGLAS.LAN
netbios name = DEBIAN
encrypt passwords = yes
idmap config * : range = 10000-30000
auth methods = winbind
[...]
passwd: compat winbind
group: compat winbind
/etc/init.d/samba restart
Agora vamos fazer o join no domínio
net ads join douglas.lan -U administrator

2016/05/25 08:14 101/103
(Ongoing)
/etc/init.d/samba restart
Agora vamos ajustar a PAM
Vamos ajustar a autenticação
vim /etc/pam.d/common-password
password sufficient pam_unix.so
password requisite pam_krb5.so minimum_uid=1000
password [success=2 default=ignore] pam_unix.so obscure
use_authtok try_first_pass sha512
password [success=1 default=ignore] pam_winbind.so use_authtok
try_first_pass
password requisite pam_deny.so
password required pam_permit.so
Vamos ajustar o controle de sessão do usuário para criar o diretório home quando ele efetuar o login
vim /etc/pam.d/common-session
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_winbind.so
session optional pam_mkhomedir.so skel=/etc/skel
umask=0027
Agora vamos testar a conexão com o winbind
wbinfo -t
Agora vamos listar os usuários do domínio
wbinfo -u
douglas.santos
administrator
dns-nodo1
krbtgt
guest
Vamos listar os grupos
wbinfo -g
allowed rodc password replication group
enterprise read-only domain controllers

Last
update:
2016/02/23
12:44
denied rodc password replication group

ti-admin
read-only domain controllers
group policy creator owners
ras and ias servers
domain controllers
enterprise admins
domain computers
cert publishers
dnsupdateproxy
domain admins
domain guests
schema admins
domain users
dnsadmins
Agora vamos testar o acesso via ssh para esse cliente
Linux debian 3.2.0-4-amd64 #1 SMP Debian 3.2.46-1 x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent

permitted by applicable law.
[10:35:45] douglas.santos@debian [~] $
Nos logs de autenticação vamos ter algo como abaixo
tail -f /var/log/auth.log
Aug 27 10:35:44 debian sshd[4852]: pam_krb5(sshd:auth): user douglas.santos
authenticated as douglas.santos@DOUGLAS.LAN
Aug 27 10:35:44 debian sshd[4852]: Accepted password for douglas.santos from
192.168.0.130 port 51197 ssh2
Aug 27 10:35:44 debian sshd[4852]: pam_unix(sshd:session): session opened
for user douglas.santos by (uid=0)
O cliente esta autenticando com sucesso :D
Referências
1. http://www.samba.org/samba/history/samba-4.1.3.html
2. http://wiki.samba.org/index.php/Samba
3. http://wiki.samba.org/index.php/SysVol_Replication

2016/05/25 08:14 103/103
(Ongoing)
4. http://wiki.samba.org/index.php/Setup_and_configure_file_shares
5. http://wiki.samba.org/index.php/Samba_&_Windows_Profiles
6. http://wiki.samba.org/index.php/Dns-backend_bind
7. http://wiki.samba.org/index.php/Samba4/Domain_Member
8. http://wiki.samba.org/index.php/Backup_and_Recovery
9. http://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC
From:
http://wiki.douglasqsantos.com.br/ - Douglas Quintiliano dos Santos
Permanent link:
http://wiki.douglasqsantos.com.br/doku.php/installing_and_configuring_samba4_as_master_slave_with_bind9_dlz_and_sysvol_replication_on_debian_jessie
Last update: 2016/02/23 12:44

Instalando o Samba 4

Uploaded by

Copyright:

Available Formats

Instalando o Samba 4

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Instalando o Samba 4

Uploaded by

Copyright:

Available Formats

Installing and conﬁguring Samba 4 as Master/Slave with Bind9 DLZ and Sysvol Replication on Debian Jessie

2016/05/25 08:14 1/103

Installing and conﬁguring Samba 4 as

The things in portuguese are my scratch therefore don't use

What I will use here:

After that change the permissions

Now need just execute and wait

Douglas Quintiliano dos Santos - http://wiki.douglasqsantos.com.br/

Conﬁguring the Samba Master

Let's update our repositories and upgrade all the packets

aptitude update && aptitude dist-upgrade -y

Now let's change two variables in the environment to non-interactive

aptitude install libpam0g-dev git gcc make wget libacl1-dev libblkid-dev

http://wiki.douglasqsantos.com.br/ Printed on 2016/05/25 08:14

mount | egrep acl

We can check if this attributes are loaded in the kernel as follows.

cat /boot/config-$(uname -r) | egrep -i acl

Let's run a test with acl and xttr.

Let' acess the /usr directory

Now let's create a simple ﬁle

Now let's change the attributes to our ﬁle

setfattr -n user.test -v test test.txt

Douglas Quintiliano dos Santos - http://wiki.douglasqsantos.com.br/

setfattr -n security.test -v test2 test.txt

Now let's get the information about the changes

Now let's get information about the attribute security

getfattr -n security.test -d test.txt

Now we need to get the samba version 4.2.2

Now we need to extract the sources

tar -xvf samba-4.1.3.tar.gz

Let's access the directory

Now we need run the check prerequisites as follows

./configure --enable-debug --enable-selftest

Now we need to compile the samba this process take a while.

Now we can install the samba4 with a simple command line.

Now we need to adjust the PATH

Now we need to reload the PATH

http://wiki.douglasqsantos.com.br/ Printed on 2016/05/25 08:14

Now we need to prepare the BIND_DLZ

Installing and Conﬁguring BIND_DLZ

Let's install the prerequisites to work with BIND

aptitude install autopoint autotools-dev bison debhelper dh-apparmor geoip-

Now we need to get the bind9 sources

Now we need to access the bind9 source folder

Douglas Quintiliano dos Santos - http://wiki.douglasqsantos.com.br/

Now we need to create the deb packet it will take awhile.

Now we need to install the packets

Now we need to create a directory and adjust the permissions

Now let's make a copy of the original ﬁle

Agora vamos conﬁgurar o Bind

http://wiki.douglasqsantos.com.br/ Printed on 2016/05/25 08:14

Now we need to conﬁgure the resolv.conf

Provisioning the domain and Testing

samba-tool domain provision -h

Douglas Quintiliano dos Santos - http://wiki.douglasqsantos.com.br/

--site=SITENAME set site name

Samba Common Options:

Now let's provisioning the domain

samba-tool domain provision --domain=DOUGLAS --adminpass=smb@134* \

Douglas Quintiliano dos Santos - http://wiki.douglasqsantos.com.br/