Blog Jurišić


Wednesday, April 24 2019

Setting up Samba as an Active Directory Domain Controller on Debian 9 Stretch

Introduction

Samba is a great project, and making a Samba AD DC today is very simple. More about Samba at https://www.samba.org/.

Preparing the Installation

  • select the hostname (dc1.internal.example.com) and the domain name (internal.example.com)
  • install and configure the time server (ntp)
  • install and configure the domain name system (bind9)


Set the hostname of the Samba AD DC server:

hostnamectl set-hostname dc1.internal.example.com

Edit /etc/hosts so that the FQDN resolves to the LAN address. Debian's installer maps the hostname to 127.0.1.1 by default; remove that line, otherwise Samba registers the loopback address in AD DNS and domain members cannot reach the DC:

nano /etc/hosts

192.168.0.100  dc1.internal.example.com dc1


Install and configure the time server (ntp):

apt-get install ntp

Change the settings in ntp.conf:

nano /etc/ntp.conf

logfile   /var/log/ntp.log
driftfile /var/lib/ntp/ntp.drift
ntpsigndsocket /var/lib/samba/ntp_signd/

pool 0.debian.pool.ntp.org iburst
pool 1.debian.pool.ntp.org iburst
pool 2.debian.pool.ntp.org iburst
pool 3.debian.pool.ntp.org iburst

restrict -4 default kod notrap nomodify nopeer noquery limited
restrict 127.0.0.1
restrict source notrap nomodify noquery
restrict default kod nomodify notrap nopeer mssntp

Fix the AppArmor profile for ntpd (thanks to Louis van Belle):

Enable the local file part for ntpd:

sed -i 's|#include <local/usr.sbin.ntpd>|include <local/usr.sbin.ntpd>|g' /etc/apparmor.d/usr.sbin.ntpd

Add the ntpd rules to the local profile:

echo "
  # To sign replies to MS-SNTP clients by the smbd daemon /var/lib/samba
  /var/lib/samba/ntp_signd r,
  /var/lib/samba/ntp_signd/{,*} rw,

  # samba4 winbindd pipe
  /{,var/}run/samba/winbindd r,
  /{,var/}run/samba/winbindd/pipe rw,

  # samba4 winbindd privileged pipe ? Needed?
  /var/lib/samba/winbindd r,
  /var/lib/samba/winbindd/pipe rw,

" >> /etc/apparmor.d/local/usr.sbin.ntpd

Install and configure the domain name system (bind9):

Install the bind9 package:

apt-get install bind9

Configure named.conf.options:

nano /etc/bind/named.conf.options

//  Add any subnets or hosts you want to allow to use this DNS server
acl internal {
   127.0.0.0/16;
   192.168.0.0/16;
};

options {

        auth-nxdomain yes;
        directory "/var/cache/bind";
        notify no;
        empty-zones-enable no;
        listen-on-v6 { none; };

        forwarders {
                8.8.8.8;
                8.8.4.4;
        };

        allow-query { internal; };
        allow-recursion { internal; };
        allow-transfer { none; };
};

Final step: restart the services and test ntp and bind9:

systemctl restart ntp.service bind9.service

Point /etc/resolv.conf at our bind9:

nano /etc/resolv.conf

search internal.example.com
nameserver 192.168.0.100

Now test bind9. Test the localhost forward zone:

host -t A localhost

The expected response is:

Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:

localhost has address 127.0.0.1

To test the 0.0.127.in-addr.arpa reverse zone:

host -t PTR 127.0.0.1

The expected response is:

Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:

1.0.0.127.in-addr.arpa domain name pointer localhost.

Test the NTP server:

ntpdate -q 192.168.0.100

The expected response is:

server 192.168.0.100, stratum 2, offset -0.000073, delay 0.02602
24 Apr 12:10:30 ntpdate[10143]: adjust time server 192.168.0.100 offset -0.000073 sec
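A quick audit of the three files configured above, added here as an example (it is not the article's own or Samba's code). It checks the points that matter for a DC: the FQDN maps to the LAN address rather than 127.0.1.1, ntpd signs replies for Windows clients and refuses reconfiguration by clients, and BIND refuses zone transfers and does not act as an open resolver. The script name audit_dc_prep.py and the GOOD_*/WEAK_* sample configs are this example's own; the samples mirror the values used in the post.

```python
"""Audit /etc/hosts, ntp.conf and named.conf.options for a Samba AD DC.

Added example for this post, not code from the article or from Samba (stdlib only).
Live use:  python3 audit_dc_prep.py /etc/hosts /etc/ntp.conf /etc/bind/named.conf.options
Without arguments it audits the constructed WEAK_* samples below.
"""
import re
import sys

FQDN, LAN_IP = "dc1.internal.example.com", "192.168.0.100"  # values used in the post


def audit_hosts(text, fqdn=FQDN, lan_ip=LAN_IP):
    """The DC's FQDN must map to its LAN address, never to Debian's default
    127.0.1.1, or Samba publishes the loopback address in AD DNS."""
    problems, mapped = [], False
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, split columns
        if len(fields) < 2:
            continue
        ip, names = fields[0], fields[1:]
        if fqdn in names and ip.startswith("127."):
            problems.append(f"{fqdn} is mapped to loopback address {ip}")
        if fqdn in names and ip == lan_ip:
            mapped = True
    if not mapped:
        problems.append(f"{fqdn} is not mapped to {lan_ip}")
    return problems


def audit_ntp(text):
    """Signed time for Windows clients, and no client may reconfigure ntpd."""
    problems = []
    if not re.search(r"^\s*ntpsigndsocket\s+/var/lib/samba/ntp_signd/?\s*$", text, re.M):
        problems.append("ntpsigndsocket is not /var/lib/samba/ntp_signd/")
    defaults = re.findall(r"^\s*restrict\s+(?:-[46]\s+)?default\s+(.*)$", text, re.M)
    if not defaults:
        problems.append("no 'restrict default' line: any client may modify ntpd")
    # Every default entry must refuse modification and traps; at least one must
    # carry mssntp, otherwise Windows clients reject the unsigned replies.
    for flags in defaults:
        for needed in ("nomodify", "notrap"):
            if needed not in flags.split():
                problems.append(f"'restrict default {flags}' lacks {needed}")
    if defaults and not any("mssntp" in f.split() for f in defaults):
        problems.append("no 'restrict default ... mssntp': MS-SNTP signing is off")
    return problems


def audit_named_options(text):
    """No zone transfers; queries and recursion limited to the internal ACL."""
    problems = []

    def directive(name):  # values of `name { a; b; };`, or None when absent
        m = re.search(r"^\s*%s\s*\{([^}]*)\}\s*;" % re.escape(name), text, re.M)
        return [v.strip() for v in m.group(1).split(";") if v.strip()] if m else None

    if directive("allow-transfer") != ["none"]:
        problems.append("allow-transfer must be { none; }: an AD zone lists every host and service")
    for name in ("allow-query", "allow-recursion"):
        value = directive(name)
        if value is None or "any" in value:
            problems.append(f"{name} is {value}: open resolver")
    return problems


# Constructed samples: GOOD_* follow the post, WEAK_* show the classic mistakes.
GOOD_HOSTS = "127.0.0.1 localhost\n192.168.0.100 dc1.internal.example.com dc1\n"
WEAK_HOSTS = "127.0.0.1 localhost\n127.0.1.1 dc1.internal.example.com dc1\n"
GOOD_NTP = """\
ntpsigndsocket /var/lib/samba/ntp_signd/
restrict -4 default kod notrap nomodify nopeer noquery limited
restrict 127.0.0.1
restrict default kod nomodify notrap nopeer mssntp
"""
WEAK_NTP = "pool 0.debian.pool.ntp.org iburst\nrestrict default kod\n"
GOOD_NAMED = """\
options {
        allow-query { internal; };
        allow-recursion { internal; };
        allow-transfer { none; };
};
"""
WEAK_NAMED = "options {\n  allow-query { any; };\n  allow-recursion { any; };\n};\n"


def main(argv):
    texts = [open(p, encoding="utf-8").read() for p in argv[1:]]
    texts = texts or [WEAK_HOSTS, WEAK_NTP, WEAK_NAMED]
    checks = zip(("hosts", "ntp", "bind9"), (audit_hosts, audit_ntp, audit_named_options), texts)
    problems = [f"[{section}] {p}" for section, audit, text in checks for p in audit(text)]
    for line in problems:
        print(line)
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it after the preparation step and before provisioning; a non-zero exit code means one of the three files still has a finding. The BIND check is deliberately strict about allow-transfer, because an AD zone enumerates every domain controller, service and joined host.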


Install Kerberos and Samba and configure Bind9 for Samba:

  • Install and configure Kerberos
  • Install and configure Samba
  • Configure Bind9 to work with Samba

Install and configure Kerberos:

apt-get install krb5-config krb5-user

Configure krb5.conf:

nano /etc/krb5.conf

[libdefaults]
        default_realm = INTERNAL.EXAMPLE.COM
        dns_lookup_realm = false
        dns_lookup_kdc = true


Install and configure Samba:

Debian Stretch ships Samba 4.5.16, but that version does not have the JSON module (JSON needs 4.7+), and I found a great repository, apt.van-belle.nl, by Louis van Belle (please feel free to donate to Louis).

Add the van-belle.nl repository. The signing key is fetched over plain HTTP, so compare its fingerprint (apt-key finger) against a second source before trusting packages from it:

wget -O - http://apt.van-belle.nl/louis-van-belle.gpg-key.asc | apt-key add -

echo "# AptVanBelle repo for samba." | tee /etc/apt/sources.list.d/van-belle.list

echo "deb http://apt.van-belle.nl/debian stretch-samba410 main contrib non-free" | tee -a /etc/apt/sources.list.d/van-belle.list

apt-get update

Install samba:

apt-get install samba winbind attr acl

Configure the Samba services for the AD DC role (Debian ships samba-ad-dc masked; the classic smbd, nmbd and winbind units must not run alongside it):

systemctl stop smbd nmbd winbind
systemctl disable smbd nmbd winbind
systemctl mask smbd nmbd winbind
systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc
systemctl daemon-reload

Configure Samba as AD DC:

If an old Samba configuration exists at /etc/samba/smb.conf, back it up and delete it; the provisioning writes a new one.

cp /etc/samba/smb.conf /etc/samba/smb.conf.bck
rm /etc/samba/smb.conf

samba-tool domain provision --use-rfc2307 --realm INTERNAL.EXAMPLE.COM --domain EXAMPLE --server-role dc --dns-backend=BIND9_DLZ --adminpass StrongPassword

Replace StrongPassword with a real one; Samba's default password policy requires at least 7 characters and complexity. Better still, omit --adminpass so that samba-tool prompts for it and the password does not end up in the shell history.

Configure Bind9 to work with Samba:

Add inside the options { } section:

nano /etc/bind/named.conf.options

allow-update { 192.168.0.100; };

// https://wiki.samba.org/index.php/Dns-backend_bind
// DNS dynamic updates via Kerberos (optional, but recommended)
//tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";    //samba 4.8 and lower
tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";    // samba 4.9 and up


Include rndc.key and the Samba bind-dns configuration in named.conf.local:

nano /etc/bind/named.conf.local

include "/etc/bind/rndc.key";
controls {
        inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
};

include "/var/lib/samba/bind-dns/named.conf";

Set permissions for Bind9:

setfacl -m g:bind:r /etc/krb5.conf
setfacl -m g:bind:r /var/lib/samba/bind-dns

Set permissions for NTP:

chown root:ntp /var/lib/samba/ntp_signd/
chmod 750 /var/lib/samba/ntp_signd/

Restart all services:

systemctl restart bind9.service ntp.service samba-ad-dc.service

Test Kerberos:

kinit administrator
klist

Test Samba's dynamic DNS updates:

samba_dnsupdate --verbose

* To change from the internal Samba DNS to BIND9_DLZ, run the following. (If you are running an older Samba AD DC and upgrade as shown, the file dns.keytab is not moved to the new folder; you need to do that manually. It is already in the Debian bug report for Samba.)

samba_upgradedns --dns-backend=BIND9_DLZ

Tweak the service start order so that Bind9 starts before Samba, and disable reload for Bind9 (a reload sometimes confuses Samba):

Samba:

systemctl edit samba-ad-dc.service

Add to the file:

[Unit]
After=network.target network-online.target bind9.service

Bind9:

systemctl edit bind9.service

Add to the file:

[Service]
ExecReload=

Test Samba:

samba-tool domain info 192.168.0.100
net ads info
net rpc info -U administrator
wbinfo -P
wbinfo -t
wbinfo -pPt 
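A post-provisioning check that the DNS records domain members depend on exist and point at this DC, added here as an example (it is not the article's own or Samba's code). It follows the Samba wiki's DNS verification step: the _ldap._tcp, _kerberos._udp and _ldap._tcp.dc._msdcs SRV records of the realm, and the A record of the DC. It parses the output of `host`, the tool the post already uses, so it can be run against the live server; the sample `host` output embedded below is constructed with the post's values, and the script name check_ad_dns.py is this example's own.

```python
"""Verify the DNS records a Samba AD DC must publish, by parsing `host` output.

Added example for this post, not code from the article or from Samba.
Live use on the DC:  python3 check_ad_dns.py internal.example.com dc1 192.168.0.100
Without arguments it checks the constructed SAMPLE_* outputs below.
"""
import re
import subprocess
import sys


def expected_records(realm, dc_host, dc_ip):
    """(type, name, expected target) for the records domain members look up."""
    fqdn = f"{dc_host}.{realm}".lower()
    return [
        ("SRV", f"_ldap._tcp.{realm}", fqdn),            # LDAP, used by the DC locator
        ("SRV", f"_kerberos._udp.{realm}", fqdn),        # KDC
        ("SRV", f"_ldap._tcp.dc._msdcs.{realm}", fqdn),  # DC entry in the _msdcs subdomain
        ("A", fqdn, dc_ip),                              # the DC itself
    ]


SRV_RE = re.compile(r"^(\S+) has SRV record (\d+) (\d+) (\d+) (\S+?)\.?$")
A_RE = re.compile(r"^(\S+) has address (\S+)$")


def parse_host_output(text):
    """Map (type, name) to the answers found in `host -t SRV|A` output.

    SRV answers are (port, target) pairs, A answers are addresses; the header
    lines `host` prints when a server is given ("Using domain server:") are ignored.
    """
    found = {}
    for line in text.splitlines():
        line = line.strip()
        m = SRV_RE.match(line)
        if m:
            found.setdefault(("SRV", m.group(1).lower()), set()).add((int(m.group(4)), m.group(5).lower()))
            continue
        m = A_RE.match(line)
        if m:
            found.setdefault(("A", m.group(1).lower()), set()).add(m.group(2))
    return found


def verify(records, found):
    """Return problems; an empty list means every expected record points at this DC."""
    problems = []
    for rtype, name, target in records:
        answers = found.get((rtype, name.lower()), set())
        if not answers:
            problems.append(f"{name}: no {rtype} record")
            continue
        targets = {t for _, t in answers} if rtype == "SRV" else answers
        if target not in targets:
            # For the A record, 127.0.1.1 here is the /etc/hosts mistake from the setup steps.
            problems.append(f"{name}: {rtype} points at {sorted(targets)}, expected {target}")
    return problems


def query_live(records, server):
    """Ask the given DNS server for each expected record with `host -t TYPE NAME SERVER`."""
    output = [subprocess.run(["host", "-t", rtype, name, server],
                             capture_output=True, text=True).stdout
              for rtype, name, _ in records]
    return parse_host_output("\n".join(output))


# Constructed `host` output: a healthy DC, then a DC that registered 127.0.1.1.
SAMPLE_OK = """\
Using domain server:
Name: 192.168.0.100
Address: 192.168.0.100#53
Aliases:

_ldap._tcp.internal.example.com has SRV record 0 100 389 dc1.internal.example.com.
_kerberos._udp.internal.example.com has SRV record 0 100 88 dc1.internal.example.com.
_ldap._tcp.dc._msdcs.internal.example.com has SRV record 0 100 389 dc1.internal.example.com.
dc1.internal.example.com has address 192.168.0.100
"""
SAMPLE_LOOPBACK = SAMPLE_OK.replace("has address 192.168.0.100", "has address 127.0.1.1")


def main(argv):
    if len(argv) == 4:
        realm, dc_host, dc_ip = argv[1:]
        records = expected_records(realm, dc_host, dc_ip)
        found = query_live(records, dc_ip)
    else:
        records = expected_records("internal.example.com", "dc1", "192.168.0.100")
        found = parse_host_output(SAMPLE_LOOPBACK)
    problems = verify(records, found)
    for problem in problems:
        print(problem)
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the DC's own address right after `samba_dnsupdate --verbose`; a missing SRV record or an A record pointing at 127.0.1.1 explains most "cannot find domain controller" errors on joining clients, and both are caught before the first workstation is joined.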

Congratulations, enjoy the Samba world.


Thursday, August 24 2017

How to install a 7 Days To Die dedicated server in 5 minutes on Debian

7 Days To Die works very well as a client or server instance on Linux. Players can choose single player or multiplayer on their own local PC, and can play on dedicated servers. Here is an example of how to make a dedicated 7dtd server on Debian 9 GNU/Linux really fast.

At the beginning of my trip I wrote my own script, but later I found the perfect script from Allocs, and I just made a Debian package (7dtd-installer). I added the package to my Debian repository, and if you want to make a 7dtd server you can do it with:

echo "# Jurišić Stretch " >> /etc/apt/sources.list
echo "deb http://apt.jurisic.org/debian/ stretch main contrib non-free" >> /etc/apt/sources.list
wget -q http://apt.jurisic.org/Release.key -O- | apt-key add -
apt-get update
apt-get install 7dtd-installer

That is all; the installer fetches Allocs' script (bootstrap.sh) and starts the automatic installation.

More info can read on Allocs wiki page: https://7dtd.illy.bz/wiki
