Differences

This shows you the differences between two versions of the page.

docpublic:systemes:samba4dc [2015/05/10 20:26]
procacci@tem-tsp.eu [debian 8]
docpublic:systemes:samba4dc [2015/06/06 14:46] (current)
procacci@tem-tsp.eu [Samba 4 DC]
Line 4: Line 4:
   * https://wiki.samba.org/index.php/Samba_4.x_Readme_First   * https://wiki.samba.org/index.php/Samba_4.x_Readme_First
  
 +pourquoi debian vs centos MIT/heimdal 
 +
 +  * https://blog.cryptomilk.org/2014/07/09/samba-ad-dc-in-fedora-and-rhel/
 +  * http://opentodo.net/2013/01/samba4-as-ad-domain-controller-on-centos-6/
 +  * http://community.spiceworks.com/topic/535153-centos-7-samba-domain-controller
 +  * https://portal.enterprisesamba.com/
 ==== samba 4 ldap ==== ==== samba 4 ldap ====
  
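Review bot: the added line `pourquoi debian vs centos MIT/heimdal` is a bare note rather than a heading, and it poses the question without giving the answer. Make it a heading in the style of the surrounding sections (`==== pourquoi debian vs centos ====`) and add one sentence stating the point the `MIT/heimdal` tag alludes to: the Samba AD DC is built against Heimdal Kerberos, while Fedora/RHEL/CentOS ship MIT krb5, which is why the distribution packages there did not provide the DC role at the time; that is what the cryptomilk and CentOS links discuss. A few words per link saying what each one covers would also help.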
Line 16: Line 22:
  
   * https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO   * https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
 +  * http://www.linux-magazine.com/Online/Features/What-s-New-in-Samba-4
 +  * https://www-fourier.ujf-grenoble.fr/informatique/doku.php?id=samba4#kerberos_5
 +  * http://doc.ubuntu-fr.org/utilisateurs/qedinux/samba_ad_dc_members
 +  * https://www.esup-portail.org/wiki/display/CASKERB/Mise+en+place+d%27un+serveur+Samba
 +  * https://wiki.archlinux.org/index.php/Active_Directory_Integration#Adding_a_machine_keytab_file_and_activating_password-free_kerberized_ssh_to_the_machine
 ==== packages samba ==== ==== packages samba ====
  
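Review bot: the five new links are added without any indication of what each one covers; a short annotation per item would help the reader pick the right one. For example, the ArchWiki item is specifically about creating a machine keytab and enabling password-less Kerberized SSH to a member machine, which is a different topic from the AD DC HOWTO above it, and the esup-portail item is about a CAS/Kerberos deployment rather than the DC itself.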
Line 282: Line 293:
 </code> </code>
  
 +<code>
 +root@debie:/etc/samba# ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf
 +root@debie:/etc/samba# cat /etc/krb5.conf
 +[libdefaults]
 +    default_realm = DOM.4BO.FR
 +    dns_lookup_realm = false
 +    dns_lookup_kdc = true
 +
 +</code>
 +
 +
 +<code>
 +Configuration de l'authentification Kerberos ├──────────────────────────────────────┐
 +                                       │ Veuillez indiquer les noms d'hôtes des serveurs Kerberos dans le royaume Kerberos DOM.4BO.FR, séparés par des espaces. 
 +                                       │                                                                                                                            │
 +                                       │ Serveurs Kerberos du royaume :                                                                                             │
 +                                       │                                                                                                                            │
 +                                       │ debie.dom.4bo.fr______________________________________
 +
 +
 +Configuration de l'authentification Kerberos ├─────────────────────────────────────────────────┐
 +                            │ Veuillez indiquer le nom d'hôte du serveur administratif (permettant les modifications de mot de passe) pour le royaume Kerberos DOM.4BO.FR. 
 +                            │                                                                                                                                                  │
 +                            │ Serveur administratif du royaume Kerberos :                                                                                                      │
 +                            │                                                                                                                                                  │
 +                            │ debie.dom.4bo.fr__________________________________________________________
 +
 + Configuration de l'authentification Kerberos ├────────────────────────────────────────────────────────────────────────────┐
 + │ Quand les utilisateurs tentent d'utiliser Kerberos et indiquent un principal ou un identifiant sans préciser à quel royaume (« realm ») administratif Kerberos ce principal est attaché, le système   │
 + │ ajoute le royaume par défaut. Le royaume par défaut peut également être utilisé comme royaume d'un service Kerberos s'exécutant sur la machine locale. Il est d'usage que le royaume par défaut soit  │
 + │ le nom de domaine DNS local en majuscules.                                                                                                                                                            │
 + │                                                                                                                                                                                                       │
 + │ Royaume (« realm ») Kerberos version 5 par défaut :                                                                                                                                                   │
 + │                                                                                                                                                                                                       │
 + │ DOM.4BO.FR__________________________________________________________________________
 +
 +</code>
 +
 +Attention, il faut bien avoir sont ip de DC dans le resolv.conf
 +
 +
 +<code>
 +root@debie:/etc/samba# kinit administrator@DOM.4BO.FR
 +Password for administrator@DOM.4BO.FR:
 +Warning: Your password will expire in 41 days on dim. 21 juin 2015 11:11:26 CEST
 +
 +
 +root@debie:/etc/samba# klist
 +Ticket cache: FILE:/tmp/krb5cc_0
 +Default principal: administrator@DOM.4BO.FR
 +
 +Valid starting       Expires              Service principal
 +10/05/2015 14:35:08  11/05/2015 00:35:08  krbtgt/DOM.4BO.FR@DOM.4BO.FR
 +    renew until 11/05/2015 14:34:58
 +</code>
 +
 +
 +===== KRB change password =====
 +
 +http://www.golinuxhub.com/2013/03/changing-password-of-administrator-in.html
 +
 +==== kerberos ticket debug ====
 +
 +<code>
 +
 +root@debie:/etc# KRB5_TRACE=/dev/stdout kinit Administrator@DOM.4BO.FR
 +[4230] 1432418201.868726: Getting initial credentials for Administrator@DOM.4BO.FR
 +[4230] 1432418201.869645: Sending request (177 bytes) to DOM.4BO.FR
 +[4230] 1432418201.879583: Resolving hostname debie.sdom.3iboo.fr.
 +[4230] 1432418201.889971: Sending initial UDP request to dgram 2a01:a35:2e61:f890:21b:66ff:feb6:a4b8:88
 +[4230] 1432418201.925713: Received answer (295 bytes) from dgram 2a01:a35:2e61:f890:21b:66ff:feb6:a4b8:88
 +[4230] 1432418201.929666: Response was not from master KDC
 +[4230] 1432418201.929725: Received error from KDC: -1765328359/Additional pre-authentication required
 +[4230] 1432418201.929818: Processing preauth types: 16, 15, 2, 138, 136, 11, 19
 +[4230] 1432418201.929848: Selected etype info: etype rc4-hmac, salt "", params ""
 +Password for Administrator@DOM.4BO.FR:
 +[4230] 1432418225.405906: AS key obtained for encrypted timestamp: rc4-hmac/9FEF
 +[4230] 1432418225.406093: Encrypted timestamp (for 1432418225.401641): plain 301AA011180F32303135303532333231353730355AA10502030620E9, encrypted 55B72339C01F7AE53FAAFB50ECCE12D51C9A61F28789E2CEE9A2FA375EB95C3E96B69F12B50A048AD84A418699BB67D0EDA37551
 +[4230] 1432418225.406171: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
 +[4230] 1432418225.406189: Produced preauth for next request: 2
 +[4230] 1432418225.406246: Sending request (251 bytes) to DOM.4BO.FR
 +[4230] 1432418225.418784: Resolving hostname debie.sdom.3iboo.fr.
 +[4230] 1432418225.428392: Sending initial UDP request to dgram 2a01:a35:2e61:f890:21b:66ff:feb6:a4b8:88
 +[4230] 1432418225.511409: Received answer (1388 bytes) from dgram 2a01:a35:2e61:f890:21b:66ff:feb6:a4b8:88
 +[4230] 1432418225.515178: Response was not from master KDC
 +[4230] 1432418225.515236: Salt derived from principal: DOM.4BO.FRAdministrator
 +[4230] 1432418225.515265: AS key determined by preauth: rc4-hmac/9FEF
 +[4230] 1432418225.515360: Decrypted AS reply; session key is: rc4-hmac/D86A
 +[4230] 1432418225.515400: FAST negotiation: available
 +[4230] 1432418225.515453: Initializing FILE:/tmp/krb5cc_0 with default princ Administrator@DOM.4BO.FR
 +[4230] 1432418225.515728: Removing Administrator@DOM.4BO.FR -> krbtgt/DOM.4BO.FR@DOM.4BO.FR from FILE:/tmp/krb5cc_0
 +[4230] 1432418225.515747: Storing Administrator@DOM.4BO.FR -> krbtgt/DOM.4BO.FR@DOM.4BO.FR in FILE:/tmp/krb5cc_0
 +[4230] 1432418225.515912: Storing config in FILE:/tmp/krb5cc_0 for krbtgt/DOM.4BO.FR@DOM.4BO.FR: fast_avail: yes
 +[4230] 1432418225.515966: Removing Administrator@DOM.4BO.FR -> krb5_ccache_conf_data/fast_avail/krbtgt\/DOM.4BO.FR\@DOM.4BO.FR@X-CACHECONF: from FILE:/tmp/krb5cc_0
 +[4230] 1432418225.515986: Storing Administrator@DOM.4BO.FR -> krb5_ccache_conf_data/fast_avail/krbtgt\/DOM.4BO.FR\@DOM.4BO.FR@X-CACHECONF: in FILE:/tmp/krb5cc_0
 +[4230] 1432418225.516145: Storing config in FILE:/tmp/krb5cc_0 for krbtgt/DOM.4BO.FR@DOM.4BO.FR: pa_type: 2
 +[4230] 1432418225.516190: Removing Administrator@DOM.4BO.FR -> krb5_ccache_conf_data/pa_type/krbtgt\/DOM.4BO.FR\@DOM.4BO.FR@X-CACHECONF: from FILE:/tmp/krb5cc_0
 +[4230] 1432418225.516209: Storing Administrator@DOM.4BO.FR -> krb5_ccache_conf_data/pa_type/krbtgt\/DOM.4BO.FR\@DOM.4BO.FR@X-CACHECONF: in FILE:/tmp/krb5cc_0
 +Warning: Your password will expire in 41 days on sam. 04 juil. 2015 23:03:44 CEST
 +</code>
 +
 +
 +<code>
 +root@debie:~# kpasswd
 +kpasswd: Cannot find KDC for requested realm getting initial ticket
 +root@debie:~# klist -e
 +klist: Credentials cache file '/tmp/krb5cc_0' not found
 +root@debie:~# samba-tool user setpassword Administrator
 +New Password:
 +INFO: Current debug levels:
 +  all: 10
 +  tdb: 10
 +....
 +  ldb: 10
 +Processing section "[netlogon]"
 +Processing section "[sysvol]"
 +pm_process() returned Yes
 +Security token SIDs (1):
 +  SID[  0]: S-1-5-18
 + Privileges (0xFFFFFFFFFFFFFFFF):
 +  Privilege[  0]: SeMachineAccountPrivilege
 +  Privilege[  1]: SeTakeOwnershipPrivilege
 +...
 +  Privilege[ 24]: SeEnableDelegationPrivilege
 + Rights (0x               0):
 +lpcfg_servicenumber: couldn't find ldb
 +schema_fsmo_init: we are master[yes] updates allowed[no]
 +schema_fsmo_init: we are master[yes] updates allowed[no]
 +ldb:acl_modify: unicodePwd
 +Sorting rpmd with attid exception 3 rDN=CN DN=CN=Administrator,CN=Users,DC=dom,DC=4bo,DC=fr
 +Changed password OK
 +</code>
 +
 +retirer l'expiration pour l'administrateur 
 +
 +http://ubuntuforums.org/showthread.php?t=2146198
 +
 +<code>
 +root@debie:~# /usr/bin/samba-tool user setexpiry Administrator --noexpiry
 +Processing section "[netlogon]"
 +Processing section "[sysvol]"
 +pm_process() returned Yes
 +Expiry for user 'Administrator' disabled.
 +</code>
  
 ==== ntpd ==== ==== ntpd ====
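Review bot: the `kpasswd: Cannot find KDC for requested realm getting initial ticket` failure is left undiagnosed, and what follows is not a fix for it. `samba-tool user setpassword Administrator` is a local administrative reset performed on the DC under the SYSTEM token (the debug output shows `SID[  0]: S-1-5-18`), so it bypasses the Kerberos password-change path entirely; the `klist -e` line shows no credential cache in that shell, and the page's own warning about having the DC's IP in `resolv.conf` is a likely cause, so record which it was. Related: the `cat /etc/krb5.conf` output shows only `[libdefaults]` with `dns_lookup_kdc = true` and no `[realms]` or `admin_server` entry, while the krb5-config dialogs that follow ask for an admin server, so say explicitly which file is in effect after the `ln -sf` and in what order these steps were run. The hostnames are also inconsistent: the dialogs and `klist` use `DOM.4BO.FR` / `debie.dom.4bo.fr`, but the `KRB5_TRACE` output resolves `debie.sdom.3iboo.fr.` for the same realm; either the trace came from a different environment or the redaction is incomplete, and since SRV-based KDC discovery depends on these names, verify which is correct. Two security points on the trace itself: `Selected etype info: etype rc4-hmac` shows the AS exchange for the domain Administrator is using RC4-HMAC rather than an AES enctype, and the published `Encrypted timestamp` blob is keyed from that account's password hash, so a trace of a live admin account is material an attacker could guess against offline; trim such lines before publishing and note the enctype as something to fix. Finally, `setexpiry Administrator --noexpiry` removes password expiry from the most privileged account in the domain (the `Your password will expire in 41 days` warnings are exactly what it suppresses); state why this exception is acceptable here, or apply it to a less privileged service account instead.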
Line 318: Line 473:
 </code> </code>
  
 +===== windows client Password change =====
  
 +juste apres integrer un poste client W7 dans le domaine, le changement de password user de domain via CTRL+ALT+SUPP echoue
 +
 +cf log serveur 
 +
 +<code>
 +[2015/05/25 12:36:56.110925,  3, pid=9389, effective(0, 0), real(0, 0)] ../source4/kdc/kpasswdd.c:45(kpasswdd_make_error_reply)
 +  kpasswdd: Password change rejected, password changes may not be permitted on this account, or the minimum password age may not have elapsed.
 +</code>
 +
 +apparement il faut attendre 24H minimum avant de pouvoir le changer d'apres la politique par defaut 
 +
 +<code>
 +root@debie:~# samba-tool domain passwordsettings show
 +Processing section "[netlogon]"
 +Processing section "[sysvol]"
 +pm_process() returned Yes
 +Password informations for domain 'DC=dom,DC=4bo,DC=fr'
 +
 +Password complexity: on
 +Store plaintext passwords: off
 +Password history length: 24
 +Minimum password length: 7
 +Minimum password age (days): 1
 +Maximum password age (days): 42
 +</code>
 +
 +cf http://www.eenyhelp.com/answer/samba-samba4-users-can-not-change-their-password-using-ctrl-plus-alt-plus-del-help-214381202.html
 +
 +History lengh 24 -> 2 
 +
 +<code>
 +root@debie:/var/log/samba# samba-tool domain passwordsettings show | grep history
 +Password history length: 24
 +
 +
 +root@debie:/var/log/samba# samba-tool domain passwordsettings set --history-length=2
 +Processing section "[netlogon]"
 +Processing section "[sysvol]"
 +pm_process() returned Yes
 +Password history length changed!
 +All changes applied successfully!
 +root@debie:/var/log/samba# samba-tool domain passwordsettings show
 +Processing section "[netlogon]"
 +Processing section "[sysvol]"
 +pm_process() returned Yes
 +Password informations for domain 'DC=dom,DC=4bo,DC=fr'
 +
 +Password complexity: on
 +Store plaintext passwords: off
 +Password history length: 2
 +Minimum password length: 7
 +Minimum password age (days): 1
 +Maximum password age (days): 42
 +
 +</code>
 ==== domain user ==== ==== domain user ====
  
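Review bot: the change applied does not match the diagnosis. The server log says the change was rejected because `password changes may not be permitted on this account, or the minimum password age may not have elapsed`, and the text correctly attributes this to `Minimum password age (days): 1`, but the command then run is `samba-tool domain passwordsettings set --history-length=2`, which only changes how many previous passwords are remembered; the final `show` output confirms the minimum age is still 1 day. If the intent is to let a freshly joined user change the password immediately, the setting to adjust is the minimum password age (`samba-tool domain passwordsettings set --min-pwd-age=0`), and dropping the history length from 24 to 2 merely weakens password-reuse protection without affecting the error. Either remove the history change or explain separately why it was wanted.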
Line 393: Line 604:
 # 3 referrals # 3 referrals
 </code> </code>
 +
 +===== Remote Server Administration Tools RSAT =====
 +
 +ref 
 +  * https://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC#Administer_Unix_Attributes_in_Active_Directory
 +  * http://social.technet.microsoft.com/wiki/contents/articles/2202.remote-server-administration-tools-rsat-for-windows-client-and-windows-server-dsforum2wiki.aspx
 +  * https://www.microsoft.com/en-us/download/details.aspx?id=39296
 +  * 
 +
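Review bot: the list ends with an empty bullet (`  * `); drop it or fill it in. A sentence on what RSAT is used for in this setup would also help, since the first link is specifically about editing RFC2307 Unix attributes (uid/gid, shell, home) from the Active Directory Users and Computers snap-in, which is the only reason a Unix-only admin would need these Windows tools against the Samba DC.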
docpublic/systemes/samba4dc.1431289611.txt.gz · Last modified: 2015/05/10 20:26 by procacci@tem-tsp.eu
CC Attribution-Noncommercial-Share Alike 4.0 International