manual install (compile) on linux debian 12

This document provides a comprehensive guide for setting up Samba4 on Debian 12, detailing steps such as updating the OS, configuring a static IP, downloading and compiling Samba source code, and creating necessary scripts for service management. It also includes instructions for domain provisioning, DNS configuration, and Kerberos setup, along with references for further reading. Additional procedures for joining a secondary Active Directory and configuring replication using rsync are also outlined.

Samba4 - Setup on debian12

Owner: [email protected]
Validation date: 13/05/2024

1. Update the operating system

2. Configure a static IP on the server: edit the file /etc/network/interfaces (ens18 is the interface name on this host; use your own)


iface ens18 inet static
address 192.168.100.126
netmask 255.255.255.0
broadcast 192.168.100.255
gateway 192.168.100.1

3. Rename the server
hostnamectl set-hostname dc1.citrait.corp

4. Configure the hosts file (add this line to /etc/hosts)


192.168.100.126 dc1.citrait.corp dc1

5. Download the samba source code. Verify the tarball against the detached GPG signature that samba.org publishes next to it before compiling anything from it.


wget https://download.samba.org/pub/samba/stable/samba-4.20.1.tar.gz

6. Extract the downloaded file


tar -zxvf samba-4.20.1.tar.gz

7. Enter the extracted directory


cd samba-4.20.1

8. Run the build preparation script (installs the Debian 12 build dependencies with apt; run it as root)


bootstrap/generated-dists/debian12/bootstrap.sh

9. Run the configure step


./configure

10. Compile (-j4: use as many jobs as you have cores)


make -j4

11. Install the compiled binaries (default prefix /usr/local/samba)


make install

12. Export PATH so the installed samba binaries can be found. This only affects the current shell; add the same line to a login profile (for example a file under /etc/profile.d/) so it persists.


export PATH=/usr/local/samba/bin/:/usr/local/samba/sbin/:$PATH

13. Create the init script:


file /etc/init.d/samba-ad-dc

#!/bin/sh

### BEGIN INIT INFO
# Provides: samba-ad-dc
# Required-Start: $network $local_fs $remote_fs
# Required-Stop: $network $local_fs $remote_fs
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: start Samba daemons for the AD DC
### END INIT INFO

#
# Start/stops the Samba daemon (samba).
# Adapted from the Samba 3 packages.
#

PATH=/usr/local/samba/sbin:/usr/local/samba/bin:$PATH

PIDDIR=/usr/local/samba/var/run
SAMBAPID=$PIDDIR/samba.pid

# clear conflicting settings from the environment
unset TMPDIR

# See if the daemon and the config file are there
test -x /usr/local/samba/sbin/samba -a -r /usr/local/samba/etc/smb.conf || exit 0

. /lib/lsb/init-functions

case "$1" in
    start)
        SERVER_ROLE=`samba-tool testparm --parameter-name="server role" 2>/dev/null | tail -1`
        if [ "$SERVER_ROLE" != "active directory domain controller" ]; then
            exit 0
        fi

        # CVE-2013-4476 (world-readable key.pem): refuse to start if the TLS
        # private key is readable by anyone other than root
        KEYFILE=/usr/local/samba/private/tls/key.pem
        if [ -e $KEYFILE ]; then
            KEYPERMS=`stat -c %a $KEYFILE`
            if [ "$KEYPERMS" != "600" ]; then
                echo "wrong permission on $KEYFILE, must be 600"
                echo "samba will not start (CVE-2013-4476)"
                echo "Removing all tls .pem files will cause an auto-regeneration with the correct permissions."
                exit 1
            fi
        fi

        log_daemon_msg "Starting Samba AD DC daemon" "samba"

        # Make sure we have our PIDDIR, even if it's on a tmpfs
        install -o root -g root -m 755 -d $PIDDIR

        if ! start-stop-daemon --start --quiet --oknodo --exec /usr/local/samba/sbin/samba -- -D; then
            log_end_msg 1
            exit 1
        fi

        log_end_msg 0
        ;;
    stop)
        log_daemon_msg "Stopping Samba AD DC daemon" "samba"

        start-stop-daemon --stop --quiet --pidfile $SAMBAPID

        # Wait a little and remove stale PID file
        sleep 1
        if [ -f $SAMBAPID ] && ! ps h `cat $SAMBAPID` > /dev/null
        then
            # Stale PID file (samba was successfully stopped),
            # remove it (should be removed by samba itself IMHO.)
            rm -f $SAMBAPID
        fi

        log_end_msg 0
        ;;
    restart|force-reload)
        $0 stop
        sleep 1
        $0 start
        ;;
    status)
        status_of_proc -p $SAMBAPID /usr/local/samba/sbin/samba samba
        exit $?
        ;;
    *)
        echo "Usage: /etc/init.d/samba-ad-dc {start|stop|restart|force-reload|status}"
        exit 1
        ;;
esac

exit 0

14. Give the samba init script the appropriate permissions


chmod 755 /etc/init.d/samba-ad-dc

15. Enable the service at boot (systemd picks the SysV script up through its sysv generator)


systemctl enable samba-ad-dc

16. Provision the domain on the first server


samba-tool domain provision --use-rfc2307 --interactive
OR
samba-tool domain provision --server-role=dc --use-rfc2307 --dns-backend=SAMBA_INTERNAL --realm=CITRAIT.CORP --domain=CITRAIT --adminpass=P4ssword

Prefer the interactive form: a password given with --adminpass ends up in the shell history and is visible to every local user in the process list while the command runs. P4ssword is only a placeholder; this is the Domain Administrator password, so choose a strong one.

17. Edit the DNS resolver file /etc/resolv.conf so the DC uses its own DNS


search citrait.corp
nameserver 192.168.100.126

18. Configure Kerberos (use the krb5.conf generated by the provision)


cp /usr/local/samba/private/krb5.conf /etc/krb5.conf

19. Start the samba service


systemctl restart samba-ad-dc.service

20. Create the reverse zone


samba-tool dns zonecreate <Your-AD-DNS-Server-IP-or-hostname> 0.168.192.in-addr.arpa -U Administrator

(template from the Samba wiki for a 192.168.0.0/24 network; this server is in 192.168.100.0/24, so its reverse zone is 100.168.192.in-addr.arpa, as in the example)
ex.: samba-tool dns zonecreate 127.0.0.1 100.168.192.in-addr.arpa -U Administrator

21. Create the PTR record for dc1


samba-tool dns add <Your-AD-DNS-Server-IP-or-hostname> 0.168.192.in-addr.arpa 126 PTR dc1.samdom.example.com -U Administrator

(wiki template; the record name inside the reverse zone is the last octet of the host's address)
ex.: samba-tool dns add 127.0.0.1 100.168.192.in-addr.arpa 126 PTR dc1.citrait.corp -U Administrator

22. List the server's shares (anonymous listing; netlogon and sysvol should appear)


smbclient -L localhost -N

23. Verify DNS


host -t SRV _ldap._tcp.citrait.corp.
host -t SRV _kerberos._udp.citrait.corp.
host -t A dc1.citrait.corp.
host -t PTR 192.168.100.126

24. Verify Kerberos (kinit must succeed and klist must show a krbtgt/CITRAIT.CORP ticket)


kinit administrator
klist

25. Configure Linux to resolve users and groups through samba (winbind).


Edit the file /etc/nsswitch.conf
passwd: compat winbind
group: compat winbind

26. Link the winbind library where NSS can find it, then refresh the dynamic linker cache
ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/libnss_winbind.so.2
ldconfig   # without this NSS will not see the freshly linked library

27. Test Winbind


wbinfo --ping-dc
getent passwd CITRAIT\\Administrator
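The DNS checks of steps 20 to 23 can be scripted so that they also catch SRV records that point at a host which is not one of your DCs (a decommissioned DC left behind in DNS, or an unexpected one). The script below is an added example, not part of the original procedure or of Samba itself: REALM, DC_FQDN and DC_IP are the values used on this page, while KNOWN_DCS and the sample host(1) output are constructed for the example (extend KNOWN_DCS once dc2 is joined).

```sh
#!/bin/sh
# dc_dns_check.sh - added example: automate the DNS checks of steps 20-23 and
# flag SRV records whose target is not a known DC.
# REALM, DC_FQDN, DC_IP: values from this page. KNOWN_DCS: assumption.
# Usage: sh dc_dns_check.sh live      (queries the real DNS through host(1))

REALM="citrait.corp"
DC_FQDN="dc1.citrait.corp"
DC_IP="192.168.100.126"
KNOWN_DCS="dc1.citrait.corp"

# Print the target of every "has SRV record" line of host(1) output,
# lowercased, without the trailing dot, one per line.
srv_targets() {
    printf '%s\n' "$1" | awk '/has SRV record/ { t = $NF; sub(/\.$/, "", t); print tolower(t) }'
}

# Return 0 when the host(1) SRV output in $1 contains at least one record and
# every target is in the space-separated DC list $2; report strays on stderr.
srv_targets_known() {
    targets=$(srv_targets "$1")
    [ -n "$targets" ] || { echo "no SRV records in output" >&2; return 1; }
    rc=0
    for t in $targets; do
        case " $2 " in
            *" $t "*) ;;
            *) echo "SRV target is not a known DC: $t" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Extract the address from "NAME has address ADDR".
a_address() {
    printf '%s\n' "$1" | awk '/has address/ { print $NF; exit }'
}

# Extract the hostname from "X.in-addr.arpa domain name pointer NAME.".
ptr_name() {
    printf '%s\n' "$1" | awk '/domain name pointer/ { n = $NF; sub(/\.$/, "", n); print tolower(n); exit }'
}

# Query the live DNS (host(1) comes from the bind9-host / bind9-dnsutils package).
run_live_checks() {
    rc=0
    for name in _ldap._tcp.$REALM _kerberos._udp.$REALM _kerberos._tcp.$REALM _ldap._tcp.dc._msdcs.$REALM; do
        srv_targets_known "$(host -t SRV "$name." 2>&1)" "$KNOWN_DCS" || { echo "FAIL: $name" >&2; rc=1; }
    done
    addr=$(a_address "$(host -t A "$DC_FQDN." 2>&1)")
    [ "$addr" = "$DC_IP" ] || { echo "FAIL: A $DC_FQDN -> '$addr', expected $DC_IP" >&2; rc=1; }
    name=$(ptr_name "$(host -t PTR "$DC_IP" 2>&1)")
    [ "$name" = "$DC_FQDN" ] || { echo "FAIL: PTR $DC_IP -> '$name', expected $DC_FQDN" >&2; rc=1; }
    [ $rc -eq 0 ] && echo "DNS checks passed for $REALM"
    return $rc
}

# Constructed sample output in host(1) format, to exercise the parsers offline.
SAMPLE_SRV='_ldap._tcp.citrait.corp has SRV record 0 100 389 dc1.citrait.corp.'
SAMPLE_SRV_STRAY="$SAMPLE_SRV
_ldap._tcp.citrait.corp has SRV record 0 100 389 OLD-DC.citrait.corp."

if [ "${1:-}" = "live" ]; then
    run_live_checks
fi
```

Run it after every join or demotion; a target that is not in KNOWN_DCS means clients may be sent to a host you no longer control for LDAP or Kerberos.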

## REFERENCES
https://wiki.samba.org/index.php/Main_Page
https://wiki.samba.org/index.php/Join_a_domain_as_a_DC
https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Testing_the_Winbindd_Connectivity
https://wiki.samba.org/index.php/Authenticating_Domain_Users_Using_PAM
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs
https://wiki.samba.org/index.php/Verifying_the_Directory_Replication_Statuses#Displaying_the_Replication_Statuses_on_a_Samba_DC
https://wiki.samba.org/index.php/Time_Synchronisation

#### OTHER PROCEDURES

# Compare the LDAP databases of 2 samba DCs (no output lines marked as differences means they are in sync)


samba-tool ldapcmp ldap://dc1.citrait.corp ldap://dc2.citrait.corp

=== JOINING A SECONDARY DC TO THE DOMAIN

on the new server, point the DNS resolver at the primary AD DC (as in step 17, using dc1's address) and copy its krb5.conf as in step 18, then join:

samba-tool domain join citrait.corp DC -U"CITRAIT\administrator"

replicate between the primary and the secondary (run on the secondary). samba-tool drs replicate takes the destination DC first and the source DC second: "dc1 dc2" pulls each naming context from dc2 into dc1; run it again with the arguments swapped (dc2 dc1) to pull from dc1 into dc2. DC=DomainDnsZones is also a partition of the domain and is included here.


for i in DC=ForestDnsZones,DC=citrait,DC=corp DC=DomainDnsZones,DC=citrait,DC=corp DC=citrait,DC=corp \
    CN=Schema,CN=Configuration,DC=citrait,DC=corp CN=Configuration,DC=citrait,DC=corp; do
    samba-tool drs replicate dc1 dc2 $i
done

Create the PTR record for the 2nd DC (its own last octet and its own name, dc2.citrait.corp)


samba-tool dns add 127.0.0.1 100.168.192.in-addr.arpa <dc2-last-octet> PTR dc2.citrait.corp -U Administrator

===== CONFIGURING SYSVOL REPLICATION TO THE SECONDARY DC USING RSYNC

# on the primary DC, edit the file /etc/rsyncd.conf. The path below is the Debian package location; for the source build in this guide the SysVol lives under the state directory, /usr/local/samba/var/locks/sysvol/, so adjust path here and the destination directory in the rsync commands accordingly.


[SysVol]
path = /var/lib/samba/sysvol/
comment = Samba Sysvol Share
uid = root
gid = root
read only = yes
auth users = sysvol-replication
secrets file = /etc/samba/rsyncd-sysvol.secret

# create the file /etc/samba/rsyncd-sysvol.secret (format user:password; the password shown is the Samba wiki's example, replace it)


sysvol-replication:$y$VOls$ecretRepli

# restrict the file to root (rsyncd only needs root read access; an execute bit on a secrets file is wrong)


chmod 600 /etc/samba/rsyncd-sysvol.secret

# set the variable RSYNC_ENABLE=true in the file /etc/default/rsync

# enable and start the rsync daemon
systemctl enable rsync
systemctl start rsync

# install rsync on the secondary DC and create /etc/samba/rsyncd-sysvol.secret there containing only the password (a single line, without the "sysvol-replication:" prefix), mode 600: --password-file expects just the password, and rsync refuses a password file that other users can read

# from dc2, test access to the module (it should prompt for the password and list the SysVol contents)


rsync rsync://sysvol-replication@dc1.citrait.corp:/SysVol

# now run the first manual synchronisation: first as a dry run to review what would be copied and deleted, then again without --dry-run


rsync --dry-run -XAavz --delete-after --password-file=/etc/samba/rsyncd-sysvol.secret \
    rsync://sysvol-replication@dc1.citrait.corp:/SysVol /var/lib/samba/sysvol/

# edit the crontab on the secondary server and add the following cron job. This replication is one-way: edit Group Policy only on dc1, because anything changed in dc2's SysVol is overwritten within five minutes.


*/5 * * * * rsync -XAavz --delete-after --password-file=/etc/samba/rsyncd-sysvol.secret rsync://sysvol-replication@dc1.citrait.corp:/SysVol /var/lib/samba/sysvol/
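As an added example (not from the original procedure or from the Samba project), the cron job above can be wrapped in a script that refuses to run with a malformed or over-permissive password file and that prevents two cron invocations from overlapping. The source URL, destination path, secret path and lock path are assumptions of this example matching the values used above (adjust DEST for the source build); the module name SysVol and the user sysvol-replication come from the rsyncd.conf on this page.

```sh
#!/bin/sh
# sysvol_pull.sh - added example for the rsync SysVol replication above:
# validates the client password file before every run and serialises runs
# with flock(1). SRC, DEST, SECRET and LOCK are this example's assumptions.
# Usage: sh sysvol_pull.sh dry    (first run, nothing is written)
#        sh sysvol_pull.sh run    (from cron on dc2)

SRC="rsync://sysvol-replication@dc1.citrait.corp/SysVol/"
DEST="/var/lib/samba/sysvol/"
SECRET="/etc/samba/rsyncd-sysvol.secret"
LOCK="/run/sysvol-pull.lock"

# The file handed to --password-file is not the server's secrets file: it must
# hold only the password on a single line, be owned by the user running rsync
# (root on the DC) and be unreadable by anyone else, or rsync refuses it.
# $2 optionally overrides the expected owner (defaults to root).
check_secret_file() {
    f="$1"; owner="${2:-root}"
    [ -f "$f" ] || { echo "$f: missing" >&2; return 1; }
    [ "$(stat -c %U "$f")" = "$owner" ] || { echo "$f: must be owned by $owner" >&2; return 1; }
    [ "$(stat -c %a "$f")" = "600" ] || { echo "$f: mode must be 600" >&2; return 1; }
    [ "$(wc -l < "$f" | tr -d ' ')" -le 1 ] || { echo "$f: must contain a single line" >&2; return 1; }
    case "$(head -n 1 "$f")" in
        "") echo "$f: empty" >&2; return 1 ;;
        *:*) echo "$f: looks like a server secrets file (user:password); the client file must hold only the password" >&2; return 1 ;;
    esac
    return 0
}

# Pull the SysVol with POSIX ACLs (-A) and xattrs (-X) preserved, so the NT ACLs
# that Samba keeps in the security.NTACL xattr survive; --delete-after mirrors
# deletions made on dc1. An extra argument (e.g. --dry-run) is passed to rsync.
sync_sysvol() {
    check_secret_file "$SECRET" || return 1
    # flock -n: skip this run if the previous cron invocation is still copying.
    flock -n "$LOCK" rsync ${1:-} -XAaz --delete-after \
        --password-file="$SECRET" "$SRC" "$DEST"
}

case "${1:-}" in
    dry) sync_sysvol --dry-run ;;
    run) sync_sysvol ;;
esac
```

Replace the crontab line with `*/5 * * * * /usr/local/sbin/sysvol_pull.sh run` (path assumed) once the dry run looks right; a rejected password file stops the sync with a message instead of silently failing every five minutes.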
