[[Samba 4 DC]]
Trace: wiki Samba 4 DC documentation CMS
Show pageOld revisions
AdminRecent ChangesSitemap

* ancien site

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
docpublic:systemes:samba4dc [2015/05/10 20:28]
procacci@tem-tsp.eu [Kerberos] 		docpublic:systemes:samba4dc [2015/06/06 14:46] (current)
procacci@tem-tsp.eu [Samba 4 DC]
Line 4: Line 4:
   * https://wiki.samba.org/index.php/Samba_4.x_Readme_First   * https://wiki.samba.org/index.php/Samba_4.x_Readme_First
  
 +pourquoi debian vs centos MIT/heimdal 
 +
 +  * https://blog.cryptomilk.org/2014/07/09/samba-ad-dc-in-fedora-and-rhel/
 +  * http://opentodo.net/2013/01/samba4-as-ad-domain-controller-on-centos-6/
 +  * http://community.spiceworks.com/topic/535153-centos-7-samba-domain-controller
 +  * https://portal.enterprisesamba.com/
 ==== samba 4 ldap ==== ==== samba 4 ldap ====
  
Line 16: Line 22:
  
   * https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO   * https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
 +  * http://www.linux-magazine.com/Online/Features/What-s-New-in-Samba-4
 +  * https://www-fourier.ujf-grenoble.fr/informatique/doku.php?id=samba4#kerberos_5
 +  * http://doc.ubuntu-fr.org/utilisateurs/qedinux/samba_ad_dc_members
 +  * https://www.esup-portail.org/wiki/display/CASKERB/Mise+en+place+d%27un+serveur+Samba
 +  * https://wiki.archlinux.org/index.php/Active_Directory_Integration#Adding_a_machine_keytab_file_and_activating_password-free_kerberized_ssh_to_the_machine
 ==== packages samba ==== ==== packages samba ====
  
Line 337: Line 348:
     renew until 11/05/2015 14:34:58     renew until 11/05/2015 14:34:58
 </code> </code>
 +
 +
 +===== KRB change password =====
 +
 +http://www.golinuxhub.com/2013/03/changing-password-of-administrator-in.html
 +
 +==== kerberos ticket debug ====
 +
 +<code>
 +
 +root@debie:/etc# KRB5_TRACE=/dev/stdout kinit Administrator@DOM.4BO.FR
 +[4230] 1432418201.868726: Getting initial credentials for Administrator@DOM.4BO.FR
 +[4230] 1432418201.869645: Sending request (177 bytes) to DOM.4BO.FR
 +[4230] 1432418201.879583: Resolving hostname debie.sdom.3iboo.fr.
 +[4230] 1432418201.889971: Sending initial UDP request to dgram 2a01:a35:2e61:f890:21b:66ff:feb6:a4b8:88
 +[4230] 1432418201.925713: Received answer (295 bytes) from dgram 2a01:a35:2e61:f890:21b:66ff:feb6:a4b8:88
 +[4230] 1432418201.929666: Response was not from master KDC
 +[4230] 1432418201.929725: Received error from KDC: -1765328359/Additional pre-authentication required
 +[4230] 1432418201.929818: Processing preauth types: 16, 15, 2, 138, 136, 11, 19
 +[4230] 1432418201.929848: Selected etype info: etype rc4-hmac, salt "", params ""
 +Password for Administrator@DOM.4BO.FR:
 +[4230] 1432418225.405906: AS key obtained for encrypted timestamp: rc4-hmac/9FEF
 +[4230] 1432418225.406093: Encrypted timestamp (for 1432418225.401641): plain 301AA011180F32303135303532333231353730355AA10502030620E9, encrypted 55B72339C01F7AE53FAAFB50ECCE12D51C9A61F28789E2CEE9A2FA375EB95C3E96B69F12B50A048AD84A418699BB67D0EDA37551
 +[4230] 1432418225.406171: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
 +[4230] 1432418225.406189: Produced preauth for next request: 2
 +[4230] 1432418225.406246: Sending request (251 bytes) to DOM.4BO.FR
 +[4230] 1432418225.418784: Resolving hostname debie.sdom.3iboo.fr.
 +[4230] 1432418225.428392: Sending initial UDP request to dgram 2a01:a35:2e61:f890:21b:66ff:feb6:a4b8:88
 +[4230] 1432418225.511409: Received answer (1388 bytes) from dgram 2a01:a35:2e61:f890:21b:66ff:feb6:a4b8:88
 +[4230] 1432418225.515178: Response was not from master KDC
 +[4230] 1432418225.515236: Salt derived from principal: DOM.4BO.FRAdministrator
 +[4230] 1432418225.515265: AS key determined by preauth: rc4-hmac/9FEF
 +[4230] 1432418225.515360: Decrypted AS reply; session key is: rc4-hmac/D86A
 +[4230] 1432418225.515400: FAST negotiation: available
 +[4230] 1432418225.515453: Initializing FILE:/tmp/krb5cc_0 with default princ Administrator@DOM.4BO.FR
 +[4230] 1432418225.515728: Removing Administrator@DOM.4BO.FR -> krbtgt/DOM.4BO.FR@DOM.4BO.FR from FILE:/tmp/krb5cc_0
 +[4230] 1432418225.515747: Storing Administrator@DOM.4BO.FR -> krbtgt/DOM.4BO.FR@DOM.4BO.FR in FILE:/tmp/krb5cc_0
 +[4230] 1432418225.515912: Storing config in FILE:/tmp/krb5cc_0 for krbtgt/DOM.4BO.FR@DOM.4BO.FR: fast_avail: yes
 +[4230] 1432418225.515966: Removing Administrator@DOM.4BO.FR -> krb5_ccache_conf_data/fast_avail/krbtgt\/DOM.4BO.FR\@DOM.4BO.FR@X-CACHECONF: from FILE:/tmp/krb5cc_0
 +[4230] 1432418225.515986: Storing Administrator@DOM.4BO.FR -> krb5_ccache_conf_data/fast_avail/krbtgt\/DOM.4BO.FR\@DOM.4BO.FR@X-CACHECONF: in FILE:/tmp/krb5cc_0
 +[4230] 1432418225.516145: Storing config in FILE:/tmp/krb5cc_0 for krbtgt/DOM.4BO.FR@DOM.4BO.FR: pa_type: 2
 +[4230] 1432418225.516190: Removing Administrator@DOM.4BO.FR -> krb5_ccache_conf_data/pa_type/krbtgt\/DOM.4BO.FR\@DOM.4BO.FR@X-CACHECONF: from FILE:/tmp/krb5cc_0
 +[4230] 1432418225.516209: Storing Administrator@DOM.4BO.FR -> krb5_ccache_conf_data/pa_type/krbtgt\/DOM.4BO.FR\@DOM.4BO.FR@X-CACHECONF: in FILE:/tmp/krb5cc_0
 +Warning: Your password will expire in 41 days on sam. 04 juil. 2015 23:03:44 CEST
 +</code>
 +
 +
 +<code>
 +root@debie:~# kpasswd
 +kpasswd: Cannot find KDC for requested realm getting initial ticket
 +root@debie:~# klist -e
 +klist: Credentials cache file '/tmp/krb5cc_0' not found
 +root@debie:~# samba-tool user setpassword Administrator
 +New Password:
 +INFO: Current debug levels:
 +  all: 10
 +  tdb: 10
 +....
 +  ldb: 10
 +Processing section "[netlogon]"
 +Processing section "[sysvol]"
 +pm_process() returned Yes
 +Security token SIDs (1):
 +  SID[  0]: S-1-5-18
 + Privileges (0xFFFFFFFFFFFFFFFF):
 +  Privilege[  0]: SeMachineAccountPrivilege
 +  Privilege[  1]: SeTakeOwnershipPrivilege
 +...
 +  Privilege[ 24]: SeEnableDelegationPrivilege
 + Rights (0x               0):
 +lpcfg_servicenumber: couldn't find ldb
 +schema_fsmo_init: we are master[yes] updates allowed[no]
 +schema_fsmo_init: we are master[yes] updates allowed[no]
 +ldb:acl_modify: unicodePwd
 +Sorting rpmd with attid exception 3 rDN=CN DN=CN=Administrator,CN=Users,DC=dom,DC=4bo,DC=fr
 +Changed password OK
 +</code>
 +
 +retirer l'expiration pour l'administrateur 
 +
 +http://ubuntuforums.org/showthread.php?t=2146198
 +
 +<code>
 +root@debie:~# /usr/bin/samba-tool user setexpiry Administrator --noexpiry
 +Processing section "[netlogon]"
 +Processing section "[sysvol]"
 +pm_process() returned Yes
 +Expiry for user 'Administrator' disabled.
 +</code>
 +
 ==== ntpd ==== ==== ntpd ====
  
Line 372: Line 473:
 </code> </code>
  
 +===== windows client Password change =====
  
 +juste apres integrer un poste client W7 dans le domaine, le changement de password user de domain via CTRL+ALT+SUPP echoue
 +
 +cf log serveur 
 +
 +<code>
 +[2015/05/25 12:36:56.110925,  3, pid=9389, effective(0, 0), real(0, 0)] ../source4/kdc/kpasswdd.c:45(kpasswdd_make_error_reply)
 +  kpasswdd: Password change rejected, password changes may not be permitted on this account, or the minimum password age may not have elapsed.
 +</code>
 +
 +apparement il faut attendre 24H minimum avant de pouvoir le changer d'apres la politique par defaut 
 +
 +<code>
 +root@debie:~# samba-tool domain passwordsettings show
 +Processing section "[netlogon]"
 +Processing section "[sysvol]"
 +pm_process() returned Yes
 +Password informations for domain 'DC=dom,DC=4bo,DC=fr'
 +
 +Password complexity: on
 +Store plaintext passwords: off
 +Password history length: 24
 +Minimum password length: 7
 +Minimum password age (days): 1
 +Maximum password age (days): 42
 +</code>
 +
 +cf http://www.eenyhelp.com/answer/samba-samba4-users-can-not-change-their-password-using-ctrl-plus-alt-plus-del-help-214381202.html
 +
 +History lengh 24 -> 2 
 +
 +<code>
 +root@debie:/var/log/samba# samba-tool domain passwordsettings show | grep history
 +Password history length: 24
 +
 +
 +root@debie:/var/log/samba# samba-tool domain passwordsettings set --history-length=2
 +Processing section "[netlogon]"
 +Processing section "[sysvol]"
 +pm_process() returned Yes
 +Password history length changed!
 +All changes applied successfully!
 +root@debie:/var/log/samba# samba-tool domain passwordsettings show
 +Processing section "[netlogon]"
 +Processing section "[sysvol]"
 +pm_process() returned Yes
 +Password informations for domain 'DC=dom,DC=4bo,DC=fr'
 +
 +Password complexity: on
 +Store plaintext passwords: off
 +Password history length: 2
 +Minimum password length: 7
 +Minimum password age (days): 1
 +Maximum password age (days): 42
 +
 +</code>
 ==== domain user ==== ==== domain user ====
  
Line 447: Line 604:
 # 3 referrals # 3 referrals
 </code> </code>
 +
 +===== Remote Server Administration Tools RSAT =====
 +
 +ref 
 +  * https://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC#Administer_Unix_Attributes_in_Active_Directory
 +  * http://social.technet.microsoft.com/wiki/contents/articles/2202.remote-server-administration-tools-rsat-for-windows-client-and-windows-server-dsforum2wiki.aspx
 +  * https://www.microsoft.com/en-us/download/details.aspx?id=39296
 +  * 
 +
docpublic/systemes/samba4dc.1431289722.txt.gz · Last modified: 2015/05/10 20:28 by procacci@tem-tsp.eu
Show pageOld revisions
[unknown link type]Back to top
CC Attribution-Noncommercial-Share Alike 4.0 International
www.chimeric.de Valid CSS Driven by DokuWiki do yourself a favour and use a real browser - get firefox!! Recent changes RSS feed Valid XHTML 1.0