File server questions

Re: File server questions

Samba - General mailing list


On 12/09/2017 11:03, Rowland Penny via samba wrote:

> On Tue, 12 Sep 2017 10:40:50 -0300
> Flávio Silveira via samba <[hidden email]> wrote:
>
>
>> Thanks for the replies Rowland and Louis!
>>
>> Given all that was said, here is a snippet of what I have in
>> /var/lib/dhcp/dhclient.enp2s0.leases
>>
>> Don't know why my interface is named enp2s0, but I only have one,
>> this might be a driver thing.
> No, it is a systemd thing.
>
>> lease {
>>     interface "enp2s0";
>>     fixed-address 192.168.11.6;
>>     option subnet-mask 255.255.255.0;
>>     option routers 192.168.11.1;
>>     option dhcp-lease-time 86400;
>>     option dhcp-message-type 5;
>>     option domain-name-servers 192.168.11.1;
>>     option dhcp-server-identifier 192.168.11.1;
>>     option domain-name "local";
>>     renew 2 2017/09/12 15:28:36;
>>     rebind 3 2017/09/13 01:09:09;
>>     expire 3 2017/09/13 04:09:09;
>> }
>>
>> This is the server that will be the AD DC, it currently is in client
>> subnet (192.168.11.x) for testing, but I will put it in server subnet
>> (192.168.13.x) when in production.
>>
>> I can't change these settings now as it will break the whole network,
>> can I use the "method 3" from the link for now and manually edit
>> /etc/resolv.conf and then when it is ready for production I drop that
>> script and configure it properly into the DHCP Server?
> Not sure, I run a DHCP server on my DC, but not in the way you are
> proposing, see the Samba wiki for more info.

I actually have a router behind the AD DC, so when it is ready for
production I will change domain-name-servers and domain-name on that
router so it will pass that information directly from DHCP.

>> Speaking of AD DC tutorial, I've read it over and over and
>> specifically the provisioning part, does this sound correct?
>>
>> samba-tool domain provision --server-role=dc --use-rfc2307
>> --dns-backend=SAMBA_INTERNAL --realm=AD.TECNOPON.COM.BR --domain=AD
>> --adminpass=mypass --option="interfaces=lo enp2s0" --option="bind
>> interfaces only=yes" --option="dns forwarder=192.168.11.1"
> Yes, but the --server-role and --dns-backend are defaults and as such
> are not really required.
>  
>> If I understand correctly, domain is what will be NetBIOS Name,
>> right?
> Wrong, the domain name, also known as the workgroup, is really the
> NetBIOS domain name. This should not be confused with the NetBIOS name,
> which is the host's short name in UPPERCASE.
> If you are confused, don't blame me or Samba, blame Microsoft, they
> came up with the names.

Ok, I understand now, one question though: if realm is
AD.TECNOPON.COM.BR, does domain need to be AD? If I understand
correctly, realm is "full domain with subdomain" and domain is the
subdomain, yes?

>> What about Hostname? How do I set it in non-interactive mode?
> You don't, Samba will set it for you from your shorthostname.

I see, nothing to bother then.

>> Where DC1 came from? Can I use that as NetBIOS Name?
> Yes, provided the output from 'hostname -s' is 'dc1' ;-)

A-ha! I get it now, I will change the hostname accordingly then, thank you!

> Rowland
>


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Re: File server questions

Samba - General mailing list
On Tue, 12 Sep 2017 14:41:42 -0300
Flávio Silveira via samba <[hidden email]> wrote:

>
> Ok, I understand now, one question though: if realm is
> AD.TECNOPON.COM.BR, does domain need to be AD?

No, you can use anything you like, provided it is one word, 15
characters or less, without punctuation.

> If I understand
> correctly, realm is "full domain with subdomain" and domain is the
> subdomain, yes?
>

No, the AD realm is the dns domain of the computer in uppercase, it
being a subdomain does not come into it. From your example above, the
dns domain would be: ad.tecnopon.com.br
The realm would be: AD.TECNOPON.COM.BR

Rowland

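The naming rules from the reply above (the NetBIOS domain is one word of at most 15 characters without punctuation, the realm is the DNS domain in uppercase, and the NetBIOS host name is the output of `hostname -s` in uppercase) as a few POSIX shell checks. This is an added example, not code from the thread or from Samba; the FQDN dc1.ad.tecnopon.com.br in the demo is the name discussed in the thread, and the helper functions are illustrative, not samba-tool options.

```sh
#!/bin/sh
# Added example (not from the thread or Samba): sanity-check the names passed
# to "samba-tool domain provision" against the rules given in the reply:
#   --domain : one word, at most 15 characters, no punctuation
#   --realm  : the host's DNS domain in UPPERCASE
#   NetBIOS host name : short host name ("hostname -s") in UPPERCASE

# Accept a NetBIOS domain name only if it is a single word of 1..15
# letters or digits (deliberately stricter than what Samba tolerates).
valid_netbios_domain() {
    case "$1" in
        '' | *[!A-Za-z0-9]*) return 1 ;;   # empty, or contains punctuation/space
    esac
    [ "${#1}" -le 15 ]
}

# Realm derived from a DNS domain: the same name, uppercased.
realm_from_dns_domain() {
    printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]'
}

# NetBIOS host name Samba will pick for an FQDN: first label, uppercased.
netbios_host_from_fqdn() {
    printf '%s\n' "${1%%.*}" | tr '[:lower:]' '[:upper:]'
}

# DNS domain of an FQDN: everything after the first label.
dns_domain_from_fqdn() {
    printf '%s\n' "${1#*.}"
}

# Demo with the thread's host name (constructed input for illustration).
fqdn=dc1.ad.tecnopon.com.br
dnsdom=$(dns_domain_from_fqdn "$fqdn")
echo "dns domain   : $dnsdom"
echo "realm        : $(realm_from_dns_domain "$dnsdom")"
echo "netbios host : $(netbios_host_from_fqdn "$fqdn")"
if valid_netbios_domain AD; then
    echo "domain AD    : acceptable"
fi
```

The realm check is intentionally simple: it only uppercases, because the reply says the realm is the DNS domain in uppercase and nothing else; whether that DNS domain is a subdomain does not enter into it.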
Re: File server questions

Samba - General mailing list


On 12/09/2017 14:59, Rowland Penny via samba wrote:

> On Tue, 12 Sep 2017 14:41:42 -0300
> Flávio Silveira via samba <[hidden email]> wrote:
>
>> Ok, I understand now, one question though: if realm is
>> AD.TECNOPON.COM.BR, does domain need to be AD?
> No, you can use anything you like, provided it is one word, 15
> characters or less, without punctuation.
>
>> If I understand
>> correctly, realm is "full domain with subdomain" and domain is the
>> subdomain, yes?
>>
> No, the AD realm is the dns domain of the computer in uppercase, it
> being a subdomain does not come into it. From your example above, the
> dns domain would be: ad.tecnopon.com.br
> The realm would be: AD.TECNOPON.COM.BR
>
> Rowland
>

Great! I've provisioned the domain and moved towards setting up Time
Synchronisation by reading this:
https://wiki.samba.org/index.php/Time_Synchronisation

I've set the permissions accordingly:

root@dc1:~# ls -ld /var/lib/samba/ntp_signd/
drwxr-x--- 2 root ntp 4096 Sep 12 16:43 /var/lib/samba/ntp_signd/
root@dc1:~#

Now I'm working on editing ntp.conf.

The tutorial gives a config example as below:

> # Local clock. Note that is not the "localhost" address!
> server 127.127.1.0
> fudge  127.127.1.0 stratum 10
>
> # Where to retrieve the time from
> server 0.pool.ntp.org     iburst prefer
> server 1.pool.ntp.org     iburst prefer
> server 2.pool.ntp.org     iburst prefer
>
> driftfile       /var/lib/ntp/ntp.drift
> logfile         /var/log/ntp
> ntpsigndsocket  /usr/local/samba/var/lib/ntp_signd/
>
> # Access control
> # Default restriction: Allow clients only to query the time
> restrict default kod nomodify notrap nopeer mssntp
>
> # No restrictions for "localhost"
> restrict 127.0.0.1
>
> # Enable the time sources to only provide time to this host
> restrict 0.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
> restrict 1.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
> restrict 2.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery

Debian ntp.conf default is:

> # /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
>
> driftfile /var/lib/ntp/ntp.drift
>
> # Enable this if you want statistics to be logged.
> #statsdir /var/log/ntpstats/
>
> statistics loopstats peerstats clockstats
> filegen loopstats file loopstats type day enable
> filegen peerstats file peerstats type day enable
> filegen clockstats file clockstats type day enable
>
>
> # You do need to talk to an NTP server or two (or three).
> #server ntp.your-provider.example
>
> # pool.ntp.org maps to about 1000 low-stratum NTP servers.  Your server will
> # pick a different set every time it starts up.  Please consider joining the
> # pool: <http://www.pool.ntp.org/join.html>
> pool 0.debian.pool.ntp.org iburst
> pool 1.debian.pool.ntp.org iburst
> pool 2.debian.pool.ntp.org iburst
> pool 3.debian.pool.ntp.org iburst
>
>
> # Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
> # details.  The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
> # might also be helpful.
> #
> # Note that "restrict" applies to both servers and clients, so a configuration
> # that might be intended to block requests from certain clients could also end
> # up blocking replies from your own upstream servers.
>
> # By default, exchange time with everybody, but don't allow configuration.
> restrict -4 default kod notrap nomodify nopeer noquery limited
> restrict -6 default kod notrap nomodify nopeer noquery limited
>
> # Local users may interrogate the ntp server more closely.
> restrict 127.0.0.1
> restrict ::1
>
> # Needed for adding pool entries
> restrict source notrap nomodify noquery
>
> # Clients from this (example!) subnet have unlimited access, but only if
> # cryptographically authenticated.
> #restrict 192.168.123.0 mask 255.255.255.0 notrust
>
>
> # If you want to provide time to your local subnet, change the next line.
> # (Again, the address is an example only.)
> #broadcast 192.168.123.255
>
> # If you want to listen to time broadcasts on your local subnet, de-comment the
> # next lines.  Please do this only if you trust everybody on the network!
> #disable auth
> #broadcastclient

Given all that, I'm guessing I can do something like this, right?

> # Local clock. Note that is not the "localhost" address!
> server 127.127.1.0
> fudge  127.127.1.0 stratum 10
>
> # Where to retrieve the time from
> server 0.br.pool.ntp.org iburst prefer
> server 1.br.pool.ntp.org iburst prefer
> server 2.br.pool.ntp.org iburst prefer
> server 3.br.pool.ntp.org iburst prefer
>
> driftfile       /var/lib/ntp/ntp.drift
> logfile         /var/log/ntpstats
> ntpsigndsocket  /var/lib/samba/ntp_signd/
>
> # Access control
> # Default restriction: Allow clients only to query the time
> restrict default kod nomodify notrap nopeer mssntp
>
> # No restrictions for "localhost"
> restrict 127.0.0.1
>
> # Enable the time sources to only provide time to this host
> restrict 0.br.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
> restrict 1.br.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
> restrict 2.br.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
> restrict 3.br.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery

Does this look correct? Can I ignore Debian's ntp.conf file completely?

Thank you

Re: File server questions

Samba - General mailing list
Hai, Flavio,

Yes, it looks good, but I suggest, if you are setting up a new DC on Debian..
Go here: https://github.com/thctlo/samba4/tree/master/howtos 
And read the file: stretch-base-2-samba-minimal-ad.txt

This should also work for Debian Jessie; if it errors, just remove the word "limited" from the restrict line.

Now, review the code below; you need to make a few small changes,
like the NTP server and interface names.

#For ntp and an unmodified ntp.conf.
# backup the original debian file.
cp /etc/ntp.conf{,.org-debian}

# Disable the pool servers.
sed -i 's/pool 0.debian.pool.ntp.org iburst/#pool 0.debian.pool.ntp.org iburst/g' /etc/ntp.conf
sed -i 's/pool 1.debian.pool.ntp.org iburst/#pool 1.debian.pool.ntp.org iburst/g' /etc/ntp.conf
sed -i 's/pool 2.debian.pool.ntp.org iburst/#pool 2.debian.pool.ntp.org iburst/g' /etc/ntp.conf
sed -i 's/pool 3.debian.pool.ntp.org iburst/#pool 3.debian.pool.ntp.org iburst/g' /etc/ntp.conf


# Enable a good NTP (stratum 1) server.
# This line, change ntp1.nl.net to a close stable ntp server.
# found here : http://support.ntp.org/bin/view/Servers/StratumOneTimeServers 
sed -i 's/#server ntp.your-provider.example/server ntp1.nl.net/g' /etc/ntp.conf

cat << EOF >> /etc/ntp.conf
# Enable the interfaces you need. *( you need to change eth0 to your interface name)
# Optional, define which interface ntp could/should use
interface listen lo
interface listen eth0
#interface ignore wildcard
interface ignore ipv6
#
EOF
systemctl restart ntp

# create the ntp_signd folder if not exists.
if [ ! -d /var/lib/samba/ntp_signd/ ]; then
    mkdir -p /var/lib/samba/ntp_signd/
    chmod 750 /var/lib/samba/ntp_signd
    chown root:ntp /var/lib/samba/ntp_signd
fi
# check name group
if [ "$(stat -c "%G" /var/lib/samba/ntp_signd/)" != "ntp" ]; then
    echo "Error incorrect group detected on /var/lib/samba/ntp_signd/, correcting now."
    chgrp ntp /var/lib/samba/ntp_signd
fi
# check owner/group rights.
if [ "$(stat -c "%a" /var/lib/samba/ntp_signd/)" -ne 750 ]; then
    echo "Error incorrect group rights detected on /var/lib/samba/ntp_signd/, correcting now."
    chmod 750 /var/lib/samba/ntp_signd
else
    echo "folder : /var/lib/samba/ntp_signd already exists with correct rights (750)"
fi


# add the folder location to ntp.conf
cat << EOF >> /etc/ntp.conf
#
######  Needed for Samba 4  #######  in the restrict -4 or -6 added mssntp at the end
# Location of the samba ntp_signed directory
ntpsigndsocket /var/lib/samba/ntp_signd
#
EOF

sed -i 's/restrict -4 default kod notrap nomodify nopeer noquery limited/restrict -4 default kod notrap nomodify nopeer noquery limited mssntp/g' /etc/ntp.conf
sed -i 's/restrict -6 default kod notrap nomodify nopeer noquery limited/restrict -6 default kod notrap nomodify nopeer noquery limited mssntp/g' /etc/ntp.conf
systemctl restart ntp
systemctl status ntp

And you're done.

You're welcome,  ;-)


Greetz,

Louis



> -----Original message-----
> From: samba [mailto:[hidden email]] On behalf of
> Flávio Silveira via samba
> Sent: Wednesday, 13 September 2017 15:17
> To: [hidden email]
> Subject: Re: [Samba] File server questions
>
>
>
> On 12/09/2017 14:59, Rowland Penny via samba wrote:
> > On Tue, 12 Sep 2017 14:41:42 -0300
> > Flávio Silveira via samba <[hidden email]> wrote:
> >
> >> Ok, I understand now, one question though: if realm is
> >> AD.TECNOPON.COM.BR, does domain need to be AD?
> > No, you can use anything you like, provided it is one word, 15
> > characters or less, without punctuation.
> >
> >> If I understand
> >> correctly, realm is "full domain with subdomain" and domain is the
> >> subdomain, yes?
> >>
> > No, the AD realm is the dns domain of the computer in uppercase, it
> > being a subdomain does not come into it. From your example above, the
> > dns domain would be: ad.tecnopon.com.br
> > The realm would be: AD.TECNOPON.COM.BR
> >
> > Rowland
> >
>
> Great! I've provisioned the domain and moved towards setting
> up Time Synchronisation by reading this:
> https://wiki.samba.org/index.php/Time_Synchronisation
>
> I've set the permissions accordingly:
>
> root@dc1:~# ls -ld /var/lib/samba/ntp_signd/
> drwxr-x--- 2 root ntp 4096 Sep 12 16:43 /var/lib/samba/ntp_signd/
> root@dc1:~#
>
> Now I'm working on editing ntp.conf.
>
> The tutorial gives a config example as below:
>
> > # Local clock. Note that is not the "localhost" address!
> > server 127.127.1.0
> > fudge  127.127.1.0 stratum 10
> >
> > # Where to retrieve the time from
> > server 0.pool.ntp.org     iburst prefer
> > server 1.pool.ntp.org     iburst prefer
> > server 2.pool.ntp.org     iburst prefer
> >
> > driftfile       /var/lib/ntp/ntp.drift
> > logfile         /var/log/ntp
> > ntpsigndsocket  /usr/local/samba/var/lib/ntp_signd/
> >
> > # Access control
> > # Default restriction: Allow clients only to query the time
> > restrict default kod nomodify notrap nopeer mssntp
> >
> > # No restrictions for "localhost"
> > restrict 127.0.0.1
> >
> > # Enable the time sources to only provide time to this host
> > restrict 0.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
> > restrict 1.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
> > restrict 2.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
>
> Debian ntp.conf default is:
>
> > # /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
> >
> > driftfile /var/lib/ntp/ntp.drift
> >
> > # Enable this if you want statistics to be logged.
> > #statsdir /var/log/ntpstats/
> >
> > statistics loopstats peerstats clockstats
> > filegen loopstats file loopstats type day enable
> > filegen peerstats file peerstats type day enable
> > filegen clockstats file clockstats type day enable
> >
> >
> > # You do need to talk to an NTP server or two (or three).
> > #server ntp.your-provider.example
> >
> > # pool.ntp.org maps to about 1000 low-stratum NTP servers.  Your server will
> > # pick a different set every time it starts up.  Please consider joining the
> > # pool: <http://www.pool.ntp.org/join.html>
> > pool 0.debian.pool.ntp.org iburst
> > pool 1.debian.pool.ntp.org iburst
> > pool 2.debian.pool.ntp.org iburst
> > pool 3.debian.pool.ntp.org iburst
> >
> >
> > # Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
> > # details.  The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
> > # might also be helpful.
> > #
> > # Note that "restrict" applies to both servers and clients, so a configuration
> > # that might be intended to block requests from certain clients could also end
> > # up blocking replies from your own upstream servers.
> >
> > # By default, exchange time with everybody, but don't allow configuration.
> > restrict -4 default kod notrap nomodify nopeer noquery limited
> > restrict -6 default kod notrap nomodify nopeer noquery limited
> >
> > # Local users may interrogate the ntp server more closely.
> > restrict 127.0.0.1
> > restrict ::1
> >
> > # Needed for adding pool entries
> > restrict source notrap nomodify noquery
> >
> > # Clients from this (example!) subnet have unlimited access, but only if
> > # cryptographically authenticated.
> > #restrict 192.168.123.0 mask 255.255.255.0 notrust
> >
> >
> > # If you want to provide time to your local subnet, change the next line.
> > # (Again, the address is an example only.)
> > #broadcast 192.168.123.255
> >
> > # If you want to listen to time broadcasts on your local subnet, de-comment the
> > # next lines.  Please do this only if you trust everybody on the network!
> > #disable auth
> > #broadcastclient
>
> Given all that, I'm guessing I can do something like this, right?
>
> > # Local clock. Note that is not the "localhost" address!
> > server 127.127.1.0
> > fudge  127.127.1.0 stratum 10
> >
> > # Where to retrieve the time from
> > server 0.br.pool.ntp.org iburst prefer
> > server 1.br.pool.ntp.org iburst prefer
> > server 2.br.pool.ntp.org iburst prefer
> > server 3.br.pool.ntp.org iburst prefer
> >
> > driftfile       /var/lib/ntp/ntp.drift
> > logfile         /var/log/ntpstats
> > ntpsigndsocket  /var/lib/samba/ntp_signd/
> >
> > # Access control
> > # Default restriction: Allow clients only to query the time
> > restrict default kod nomodify notrap nopeer mssntp
> >
> > # No restrictions for "localhost"
> > restrict 127.0.0.1
> >
> > # Enable the time sources to only provide time to this host
> > restrict 0.br.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
> > restrict 1.br.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
> > restrict 2.br.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
> > restrict 3.br.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
>
> Does this look correct? Can I ignore Debian's ntp.conf file
> completely?
>
> Thank you
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>


Re: File server questions

Samba - General mailing list


On 13/09/2017 10:36, L.P.H. van Belle via samba wrote:

> Hai, Flavio,
>
> Yes, it looks good, but I suggest, if you are setting up a new DC on Debian..
> Go here: https://github.com/thctlo/samba4/tree/master/howtos
> And read the file: stretch-base-2-samba-minimal-ad.txt
>
> This should also work for Debian Jessie; if it errors, just remove the word "limited" from the restrict line.
>
> Now, review the code below; you need to make a few small changes,
> like the NTP server and interface names.
>
> #For ntp and an unmodified ntp.conf.
> # backup the original debian file.
> cp /etc/ntp.conf{,.org-debian}
>
> # Disable the pool servers.
> sed -i 's/pool 0.debian.pool.ntp.org iburst/#pool 0.debian.pool.ntp.org iburst/g' /etc/ntp.conf
> sed -i 's/pool 1.debian.pool.ntp.org iburst/#pool 1.debian.pool.ntp.org iburst/g' /etc/ntp.conf
> sed -i 's/pool 2.debian.pool.ntp.org iburst/#pool 2.debian.pool.ntp.org iburst/g' /etc/ntp.conf
> sed -i 's/pool 3.debian.pool.ntp.org iburst/#pool 3.debian.pool.ntp.org iburst/g' /etc/ntp.conf
>
>
> # Enable a good NTP (stratum 1) server.
> # This line, change ntp1.nl.net to a close stable ntp server.
> # found here : http://support.ntp.org/bin/view/Servers/StratumOneTimeServers
> sed -i 's/#server ntp.your-provider.example/server ntp1.nl.net/g' /etc/ntp.conf
>
> cat << EOF >> /etc/ntp.conf
> # Enable the interfaces you need. *( you need to change eth0 to your interface name)
> # Optional, define which interface ntp could/should use
> interface listen lo
> interface listen eth0
> #interface ignore wildcard
> interface ignore ipv6
> #
> EOF
> systemctl restart ntp
>
> # create the ntp_signd folder if not exists.
> if [ ! -d /var/lib/samba/ntp_signd/ ]; then
>      mkdir -p /var/lib/samba/ntp_signd/
>      chmod 750 /var/lib/samba/ntp_signd
>      chown root:ntp /var/lib/samba/ntp_signd
> fi
> # check name group
> if [ "$(stat -c "%G" /var/lib/samba/ntp_signd/)" != "ntp" ]; then
>      echo "Error incorrect group detected on /var/lib/samba/ntp_signd/, correcting now."
>      chgrp ntp /var/lib/samba/ntp_signd
> fi
> # check owner/group rights.
> if [ "$(stat -c "%a" /var/lib/samba/ntp_signd/)" -ne 750 ]; then
>      echo "Error incorrect group rights detected on /var/lib/samba/ntp_signd/, correcting now."
>      chmod 750 /var/lib/samba/ntp_signd
> else
>      echo "folder : /var/lib/samba/ntp_signd already exists with correct rights (750)"
> fi
>
>
> # add the folder location to ntp.conf
> cat << EOF >> /etc/ntp.conf
> #
> ######  Needed for Samba 4  #######  in the restrict -4 or -6 added mssntp at the end
> # Location of the samba ntp_signed directory
> ntpsigndsocket /var/lib/samba/ntp_signd
> #
> EOF
>
> sed -i 's/restrict -4 default kod notrap nomodify nopeer noquery limited/restrict -4 default kod notrap nomodify nopeer noquery limited mssntp/g' /etc/ntp.conf
> sed -i 's/restrict -6 default kod notrap nomodify nopeer noquery limited/restrict -6 default kod notrap nomodify nopeer noquery limited mssntp/g' /etc/ntp.conf
> systemctl restart ntp
> systemctl status ntp
>
> And you're done.
>
> You're welcome,  ;-)
>
>
> Greetz,
>
> Louis
>

Thanks for your reply, Louis!

I've been reading your howtos, but I didn't know how to execute them, so
I decided to create a new file as below:

> # Local clock. Note that is not the "localhost" address!
> server 127.127.1.0
> fudge  127.127.1.0 stratum 10
>
> # Where to retrieve the time from
> server a.st1.ntp.br iburst prefer
> server b.st1.ntp.br iburst prefer
> server c.st1.ntp.br iburst prefer
> server d.st1.ntp.br iburst prefer
>
> driftfile       /var/lib/ntp/ntp.drift
> logfile         /var/log/ntpstats
> ntpsigndsocket  /var/lib/samba/ntp_signd/
>
> # Access control
> # Default restriction: Allow clients only to query the time
> restrict default kod nomodify notrap nopeer mssntp
>
> # No restrictions for "localhost"
> restrict 127.0.0.1
>
> # Enable the time sources to only provide time to this host
> restrict a.st1.ntp.br   mask 255.255.255.255    nomodify notrap nopeer noquery
> restrict b.st1.ntp.br   mask 255.255.255.255    nomodify notrap nopeer noquery
> restrict c.st1.ntp.br   mask 255.255.255.255    nomodify notrap nopeer noquery
> restrict d.st1.ntp.br   mask 255.255.255.255    nomodify notrap nopeer noquery
>
> # Interfaces ntp daemon should listen
>
> interface listen lo
> interface listen enp2s0
>
> # Ignore IPv6 wildcard
>
> interface ignore ipv6

As you can see, my "Access control" line doesn't have "noquery" and
"limited", but I don't know much about ntp, so I don't know if I should
add or not.

Your lines also have -4 and -6, which seems to be related to IPv4 and
IPv6, if I plan to use IPv4 only, can I stick with "default"?

Thanks


Re: File server questions

Samba - General mailing list
On Wed, 13 Sep 2017 11:18:58 -0300
Flávio Silveira via samba <[hidden email]> wrote:

> > # Local clock. Note that is not the "localhost" address!
> > server 127.127.1.0
> > fudge  127.127.1.0 stratum 10
> >
> > # Where to retrieve the time from
> > server a.st1.ntp.br iburst prefer
> > server b.st1.ntp.br iburst prefer
> > server c.st1.ntp.br iburst prefer
> > server d.st1.ntp.br iburst prefer
> >
> > driftfile       /var/lib/ntp/ntp.drift
> > logfile         /var/log/ntpstats
> > ntpsigndsocket  /var/lib/samba/ntp_signd/
> >
> > # Access control
> > # Default restriction: Allow clients only to query the time
> > restrict default kod nomodify notrap nopeer mssntp
> >
> > # No restrictions for "localhost"
> > restrict 127.0.0.1
> >
> > # Enable the time sources to only provide time to this host
> > restrict a.st1.ntp.br   mask 255.255.255.255    nomodify notrap nopeer noquery
> > restrict b.st1.ntp.br   mask 255.255.255.255    nomodify notrap nopeer noquery
> > restrict c.st1.ntp.br   mask 255.255.255.255    nomodify notrap nopeer noquery
> > restrict d.st1.ntp.br   mask 255.255.255.255    nomodify notrap nopeer noquery
> >
> > # Interfaces ntp daemon should listen
> >
> > interface listen lo
> > interface listen enp2s0
> >
> > # Ignore IPv6 wildcard
> >
> > interface ignore ipv6
>

Yes, that should work, it is basically the same as mine, just some of
the lines are in a different order.

Rowland
 


Re: File server questions

Samba - General mailing list
Hai Flavio,


> -----Original message-----
> From: samba [mailto:[hidden email]] On behalf of
> Flávio Silveira via samba
> Sent: Wednesday, 13 September 2017 16:19
> To: [hidden email]
> Subject: Re: [Samba] File server questions
>
>
>
> On 13/09/2017 10:36, L.P.H. van Belle via samba wrote:
> > Hai, Flavio,
> >
> > Yes, it looks good, but I suggest, if you are setting up a new DC on Debian..
> > Go here: https://github.com/thctlo/samba4/tree/master/howtos
> > And read the file: stretch-base-2-samba-minimal-ad.txt
> >
> >
>
> Thanks for your reply, Louis!
>
> I've been reading your howtos, but I didn't know how to
> execute them, so
> I decided to create a new file as below:

These are not executable yet. That's why they are in .txt files.
You can use them as guidance.

>
> > # Local clock. Note that is not the "localhost" address!
> > server 127.127.1.0
> > fudge  127.127.1.0 stratum 10
> >
> > # Where to retrieve the time from
> > server a.st1.ntp.br iburst prefer
> > server b.st1.ntp.br iburst prefer
> > server c.st1.ntp.br iburst prefer
> > server d.st1.ntp.br iburst prefer
> >
> > driftfile       /var/lib/ntp/ntp.drift
> > logfile         /var/log/ntpstats
> > ntpsigndsocket  /var/lib/samba/ntp_signd/
> >
> > # Access control
> > # Default restriction: Allow clients only to query the time
> > restrict default kod nomodify notrap nopeer mssntp
> >
> > # No restrictions for "localhost"
> > restrict 127.0.0.1
> >
> > # Enable the time sources to only provide time to this host
> > restrict a.st1.ntp.br   mask 255.255.255.255    nomodify notrap nopeer noquery
> > restrict b.st1.ntp.br   mask 255.255.255.255    nomodify notrap nopeer noquery
> > restrict c.st1.ntp.br   mask 255.255.255.255    nomodify notrap nopeer noquery
> > restrict d.st1.ntp.br   mask 255.255.255.255    nomodify notrap nopeer noquery
> >
> > # Interfaces ntp daemon should listen
> >
> > interface listen lo
> > interface listen enp2s0
> >
> > # Ignore IPv6 wildcard
> >
> > interface ignore ipv6
>
> As you can see, my "Access control" line doesn't have "noquery" and
> "limited", but I don't know much about ntp, so I don't know
> if I should add or not.
>
> Your lines also have -4 and -6, which seems to be related to IPv4 and
> IPv6, if I plan to use IPv4 only, can I stick with "default"?
>
> Thanks
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>
I suggest using interface ignore ipv6 (you already set it) for the IPv6 IP numbers, except localhost IPv6 (::1).
The other defaults are good to start with; then, when everything is running correctly, only then go and optimize the config.
And only one thing at a time, or you end up in a mess..  Just a tip.

So below is a copy-paste of an original Jessie ntp.conf (from before my upgrade to Stretch).
And for you, I changed it to your setup. See what I did and compare it to yours.


####### NTP Begin ( Debian Jessie version )
# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help

driftfile /var/lib/ntp/ntp.drift

# Enable this if you want statistics to be logged.
#statsdir /var/log/ntpstats/

statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable


# You do need to talk to an NTP server or two (or three).
#server ntp.your-provider.example
server a.st1.ntp.br
server b.st1.ntp.br
server c.st1.ntp.br

# pool.ntp.org maps to about 1000 low-stratum NTP servers.  Your server will
# pick a different set every time it starts up.  Please consider joining the
# pool: <http://www.pool.ntp.org/join.html>
#pool 0.debian.pool.ntp.org iburst
#pool 1.debian.pool.ntp.org iburst
#pool 2.debian.pool.ntp.org iburst
#pool 3.debian.pool.ntp.org iburst


# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
# details.  The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
# might also be helpful.
#
# Note that "restrict" applies to both servers and clients, so a configuration
# that might be intended to block requests from certain clients could also end
# up blocking replies from your own upstream servers.

# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery mssntp
restrict -6 default kod notrap nomodify nopeer noquery mssntp

# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1
restrict ::1

# Needed for adding pool entries
restrict source notrap nomodify noquery

# Clients from this (example!) subnet have unlimited access, but only if
# cryptographically authenticated.
#restrict 192.168.123.0 mask 255.255.255.0 notrust

# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
#broadcast 192.168.123.255

# If you want to listen to time broadcasts on your local subnet, de-comment the
# next lines.  Please do this only if you trust everybody on the network!
#disable auth
#broadcastclient

interface listen lo
interface listen enp2s0
#interface ignore wildcard
interface ignore ipv6

######  Needed for Samba 4  ######
# in the restrict -4 or -6 added mssntp at the end
# Location of the samba ntp_signed directory
ntpsigndsocket /var/lib/samba/ntp_signd
####### NTP end

Greetz,

Louis





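Louis's adapted ntp.conf above, Flávio's earlier question about "noquery", "limited" and the -4/-6 lines, and the ntp_signd permissions set earlier in the thread, as an added audit script. This is not code from the thread, from Louis's howtos or from Samba. It checks that every "restrict default" line, bare or split into -4/-6, carries the full flag set including mssntp and noquery, that an ntpsigndsocket directive exists, and that the ntp_signd directory is mode 750 with the expected group. It assumes GNU coreutils `stat -c` (as on Debian); the two sample configs are constructed for the demo and written to a scratch directory.

```sh
#!/bin/sh
# Added example, not from the thread or Samba: audit a classic ntpd ntp.conf
# for what a Samba AD DC needs (mssntp on every default restrict line plus an
# ntpsigndsocket directive) and check the ntp_signd directory permissions the
# thread uses (mode 750, group ntp). Assumes GNU "stat -c" as on Debian.

# Flags expected on each "restrict [-4|-6] default" line. "limited" is left
# out on purpose: the thread notes that older Debian ntpd rejects it.
EXPECTED_RESTRICT_FLAGS="kod nomodify notrap nopeer noquery mssntp"
DEFAULT_RESTRICT_RE='^[[:space:]]*restrict[[:space:]]+(-[46][[:space:]]+)?default'

# Print "<line>: missing <flags>" for every default restrict line in FILE that
# lacks an expected flag. Returns 0 only when at least one default line exists
# and none of them is missing anything.
audit_default_restrict() {
    if ! grep -qE "$DEFAULT_RESTRICT_RE" "$1"; then
        echo "$1: no 'restrict default' line found"
        return 1
    fi
    problems=$(grep -E "$DEFAULT_RESTRICT_RE" "$1" | while IFS= read -r line; do
        line=$(printf '%s' "$line" | tr '\t' ' ')   # tabs count as separators
        missing=""
        for flag in $EXPECTED_RESTRICT_FLAGS; do
            case " $line " in
                *" $flag "*) ;;                      # flag present
                *) missing="$missing $flag" ;;
            esac
        done
        if [ -n "$missing" ]; then
            printf '%s: missing%s\n' "$line" "$missing"
        fi
    done)
    if [ -n "$problems" ]; then
        printf '%s\n' "$problems"
        return 1
    fi
    return 0
}

# True when FILE has an ntpsigndsocket directive pointing at an absolute path.
has_ntpsigndsocket() {
    grep -qE '^[[:space:]]*ntpsigndsocket[[:space:]]+/' "$1"
}

# Combined config audit: 0 when both checks pass.
audit_ntp_conf() {
    rc=0
    audit_default_restrict "$1" || rc=1
    has_ntpsigndsocket "$1" || { echo "$1: no ntpsigndsocket directive"; rc=1; }
    return $rc
}

# Check DIR exists with mode 750 and group GROUP (default ntp, as in the thread).
ntp_signd_dir_ok() {
    dir="$1"; group="${2:-ntp}"
    [ -d "$dir" ] || { echo "$dir: directory missing"; return 1; }
    mode=$(stat -c '%a' "$dir")
    grp=$(stat -c '%G' "$dir")
    [ "$mode" = "750" ] || { echo "$dir: mode $mode, expected 750"; return 1; }
    [ "$grp" = "$group" ] || { echo "$dir: group $grp, expected $group"; return 1; }
    return 0
}

# Constructed samples in a scratch directory (removed when the shell exits).
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# The single bare "restrict default" line from the thread: it lacks noquery.
cat > "$WORKDIR/weak.conf" <<'EOF'
server a.st1.ntp.br iburst prefer
restrict default kod nomodify notrap nopeer mssntp
restrict 127.0.0.1
ntpsigndsocket  /var/lib/samba/ntp_signd/
EOF

# Debian-style -4/-6 pair with mssntp appended, as in the adapted file above.
cat > "$WORKDIR/good.conf" <<'EOF'
server a.st1.ntp.br iburst prefer
restrict -4 default kod notrap nomodify nopeer noquery mssntp
restrict -6 default kod notrap nomodify nopeer noquery mssntp
restrict 127.0.0.1
restrict ::1
ntpsigndsocket /var/lib/samba/ntp_signd
EOF

mkdir -p "$WORKDIR/ntp_signd"
chmod 750 "$WORKDIR/ntp_signd"

for conf in "$WORKDIR/weak.conf" "$WORKDIR/good.conf"; do
    if audit_ntp_conf "$conf"; then
        echo "$conf: OK"
    else
        echo "$conf: needs attention"
    fi
done
```

A bare "restrict default" applies to both address families, so on an IPv4-only host it is equivalent to the -4/-6 pair; the audit accepts either form. "noquery" only refuses ntpq/ntpdc control queries, not time requests, which is why the Debian default keeps it even though clients still get served; "kod" with "limited" adds rate limiting on top, and is the part the thread says to drop on Jessie if ntpd rejects it.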
Re: File server questions

Samba - General mailing list


On 13/09/2017 11:48, L.P.H. van Belle via samba wrote:

> Hai Flavio,
> I suggest using interface ignore ipv6 (you already set it) for the IPv6 IP numbers, except localhost IPv6 (::1).
> The other defaults are good to start with; then, when everything is running correctly, only then go and optimize the config.
> And only one thing at a time, or you end up in a mess..  Just a tip.
>
> So below is a copy past of a original jessie ntp.conf ( from before my upgrade to stretch)
> And for you, i changed it to your setup. See what i did and compair it to yours.
>
>
> ####### NTP Begin ( Debian Jessie version )
> # /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
>
> driftfile /var/lib/ntp/ntp.drift
>
> # Enable this if you want statistics to be logged.
> #statsdir /var/log/ntpstats/
>
> statistics loopstats peerstats clockstats
> filegen loopstats file loopstats type day enable
> filegen peerstats file peerstats type day enable
> filegen clockstats file clockstats type day enable
>
>
> # You do need to talk to an NTP server or two (or three).
> #server ntp.your-provider.example
> server a.st1.ntp.br
> server b.st1.ntp.br
> server c.st1.ntp.br
>
> # pool.ntp.org maps to about 1000 low-stratum NTP servers.  Your server will
> # pick a different set every time it starts up.  Please consider joining the
> # pool: <http://www.pool.ntp.org/join.html>
> #pool 0.debian.pool.ntp.org iburst
> #pool 1.debian.pool.ntp.org iburst
> #pool 2.debian.pool.ntp.org iburst
> #pool 3.debian.pool.ntp.org iburst
>
>
> # Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
> # details.  The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
> # might also be helpful.
> #
> # Note that "restrict" applies to both servers and clients, so a configuration
> # that might be intended to block requests from certain clients could also end
> # up blocking replies from your own upstream servers.
>
> # By default, exchange time with everybody, but don't allow configuration.
> restrict -4 default kod notrap nomodify nopeer noquery mssntp
> restrict -6 default kod notrap nomodify nopeer noquery mssntp
>
> # Local users may interrogate the ntp server more closely.
> restrict 127.0.0.1
> restrict ::1
>
> # Needed for adding pool entries
> restrict source notrap nomodify noquery
>
> # Clients from this (example!) subnet have unlimited access, but only if
> # cryptographically authenticated.
> #restrict 192.168.123.0 mask 255.255.255.0 notrust
>
> # If you want to provide time to your local subnet, change the next line.
> # (Again, the address is an example only.)
> #broadcast 192.168.123.255
>
> # If you want to listen to time broadcasts on your local subnet, de-comment the
> # next lines.  Please do this only if you trust everybody on the network!
> #disable auth
> #broadcastclient
>
> interface listen lo
> interface listen enp2s0
> #interface ignore wildcard
> interface ignore ipv6
>
> ######  Needed for Samba 4  ######
> # in the restrict -4 or -6 added mssntp at the end
> # Location of the samba ntp_signed directory
> ntpsigndsocket /var/lib/samba/ntp_signd
> ####### NTP end
>
> Greetz,
>
> Louis
>

Hi Louis,

The file seems similar to mine, so I guess I'm all set for the ntp, any
way to test it?

Moving forward to Winbindd config as described here:
https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC

It seems I just need to edit nsswitch.conf and add winbind to passwd and
group databases, right?

Because it says typically no configuration is required in smb.conf for
Winbindd to work.

I don't think I want to have every user home on my servers, my plan is
to force them to use the shares.

Thank you



Re: File server questions

Samba - General mailing list
Hi!

Just to confirm, I don't think there is a way to test if ntp is setup
properly, right?

Moving forward to Winbindd config as described here:
https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC

It seems I just need to edit nsswitch.conf and add winbind to passwd and
group databases, correct?

The guide says typically no configuration is required in smb.conf for
Winbindd to work.

I don't think I want to have every user home on my servers, my plan is
to force them to use the shares, which is the last step in the guide,
hopefully I won't bother soon :-)

Thank you






Re: File server questions

Samba - General mailing list

If your machine is an ntp client (but not running the ntp daemon) , the
ntpdate command will attempt to connect to the ntp server and update time.

On my client machines, I don't run ntp as a svc, instead I just have a
cron job that tries to update time twice a day.

On 09/14/17 08:32, Flávio Silveira via samba wrote:

> Hi!
>
> Just to confirm, I don't think there is a way to test if ntp is setup
> properly, right?
>
> Moving forward to Winbindd config as described here:
> https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC
>
> It seems I just need to edit nsswitch.conf and add winbind to passwd
> and group databases, correct?
>
> The guide says typically no configuration is required in smb.conf for
> Winbindd to work.
>
> I don't think I want to have every user home on my servers, my plan is
> to force them to use the shares, which is the last step in the guide,
> hopefully I won't bother soon :-)
>
> Thank you
>
>
>
>
>
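Since the thread leaves "any way to test it?" open for the DC itself, here is an added check script (not from the thread or the Samba project). It reads `ntpq -pn` output for a selected sync peer and checks the ntp_signd directory named by the `ntpsigndsocket` line in Louis's ntp.conf against the root:ntp, mode 750 permissions the Samba wiki asks for; the sample `ntpq` rows in the comments are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: NTP checks for a Samba AD DC.
# ntpd must have picked a sync peer, and the ntp_signd directory from
# ntp.conf (ntpsigndsocket /var/lib/samba/ntp_signd) must be reachable by
# the ntp group only (root:ntp, mode 750) so ntpd can sign replies for
# Windows clients without exposing the socket to every local user.

# ntp_sync_peer: read `ntpq -pn` output on stdin and print the peer ntpd is
# currently synchronised to (the row tagged '*'). Exit 1 when no peer is
# selected yet, e.g. right after ntpd starts or when upstream is unreachable.
# Constructed sample row:  *192.0.2.10  .GPS.  1 u  28  64  377  12.3  0.1  0.4
ntp_sync_peer() {
    awk '/^\*/ { sub(/^\*/, ""); print $1; found = 1; exit }
         END { exit (found ? 0 : 1) }'
}

# signd_dir_ok DIR GROUP: true only if DIR is a directory owned by group
# GROUP with mode exactly 750. A missing DIR or any other mode is a failure.
signd_dir_ok() {
    [ -n "$(find "$1" -prune -type d -perm 750 -group "$2" 2>/dev/null)" ]
}

# ntp_dc_check: run both checks against the live system and report.
ntp_dc_check() {
    rc=0
    if peer=$(ntpq -pn 2>/dev/null | ntp_sync_peer); then
        echo "ok: synchronised to $peer"
    else
        echo "fail: no synchronised peer in ntpq -pn (wait a few minutes or check upstream)"
        rc=1
    fi
    if signd_dir_ok /var/lib/samba/ntp_signd ntp; then
        echo "ok: /var/lib/samba/ntp_signd is group ntp, mode 750"
    else
        echo "fail: /var/lib/samba/ntp_signd should be root:ntp, mode 750"
        rc=1
    fi
    return $rc
}
```

Run `ntp_dc_check` on the DC after ntpd has been up for a few minutes; a freshly started ntpd legitimately reports no `*` peer until it has polled upstream several times.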



Re: File server questions

Samba - General mailing list


On 14/09/2017 09:43, Gaiseric Vandal via samba wrote:
>
> If your machine is an ntp client (but not running the ntp daemon) ,
> the ntpdate command will attempt to connect to the ntp server and
> update time.
>
> On my client machines, I don't run ntp as a svc, instead I just have a
> cron job that tries to update time twice a day.

Hi Gaiseric, thank you for your reply.

Do you have any comments on the Winbindd setup?

Regards,
   Flavio Silveira


Re: File server questions

Samba - General mailing list
On Thu, 14 Sep 2017 09:32:21 -0300
Flávio Silveira via samba <[hidden email]> wrote:

> Hi!
>
> Just to confirm, I don't think there is a way to test if ntp is setup
> properly, right?
>
> Moving forward to Winbindd config as described here:
> https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC
>
> It seems I just need to edit nsswitch.conf and add winbind to passwd
> and group databases, correct?

Provided you are using packages and have installed the required
packages, you only need to alter /etc/nsswitch.conf, so the next
question is, what packages have you installed ?
 
> I don't think I want to have every user home on my servers, my plan
> is to force them to use the shares, which is the last step in the
> guide, hopefully I won't bother soon :-)

Then don't create a share for the users home directories, or set
'template homedir' in smb.conf, or add unixHomeDirectory attributes to
AD.

Rowland


Re: File server questions

Samba - General mailing list


On 14/09/2017 10:20, Rowland Penny via samba wrote:

> On Thu, 14 Sep 2017 09:32:21 -0300
> Flávio Silveira via samba <[hidden email]> wrote:
>
>> Hi!
>>
>> Just to confirm, I don't think there is a way to test if ntp is setup
>> properly, right?
>>
>> Moving forward to Winbindd config as described here:
>> https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC
>>
>> It seems I just need to edit nsswitch.conf and add winbind to passwd
>> and group databases, correct?
> Provided you are using packages and have installed the required
> packages, you only need to alter /etc/nsswitch.conf, so the next
> question is, what packages have you installed ?
>  

I've checked my dpkg.log and it gives me this list when I installed samba:

libwbclient0:amd64 2:4.6.7+dfsg-1nmu1~deb9
samba-common:all 2:4.6.7+dfsg-1nmu1~deb9
libtevent0:amd64 0.9.31-1
libc-bin:amd64 2.24-11+deb9u1
systemd:amd64 232-25+deb9u1
man-db:amd64 2.7.6.1-2
samba-libs:amd64 2:4.6.7+dfsg-1nmu1~deb9
samba-vfs-modules:amd64 2:4.6.7+dfsg-1nmu1~deb9
python-samba:amd64 2:4.6.7+dfsg-1nmu1~deb9
libsmbclient:amd64 2:4.6.7+dfsg-1nmu1~deb9
smbclient:amd64 2:4.6.7+dfsg-1nmu1~deb9
samba-common-bin:amd64 2:4.6.7+dfsg-1nmu1~deb9
samba-dsdb-modules:amd64 2:4.6.7+dfsg-1nmu1~deb9
winbind:amd64 2:4.6.7+dfsg-1nmu1~deb9
samba:amd64 2:4.6.7+dfsg-1nmu1~deb9

Does this help?

>> I don't think I want to have every user home on my servers, my plan
>> is to force them to use the shares, which is the last step in the
>> guide, hopefully I won't bother soon :-)
> Then don't create a share for the users home directories, or set
> 'template homedir' in smb.conf, or add unixHomeDirectory attributes to
> AD.
>
> Rowland
>

Ok, thank you Rowland!


Re: File server questions

Samba - General mailing list
On Thu, 14 Sep 2017 10:49:48 -0300
Flávio Silveira via samba <[hidden email]> wrote:

>
>
> On 14/09/2017 10:20, Rowland Penny via samba wrote:
> > On Thu, 14 Sep 2017 09:32:21 -0300
> > Flávio Silveira via samba <[hidden email]> wrote:
> >
> >> Hi!
> >>
> >> Just to confirm, I don't think there is a way to test if ntp is
> >> setup properly, right?
> >>
> >> Moving forward to Winbindd config as described here:
> >> https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC
> >>
> >> It seems I just need to edit nsswitch.conf and add winbind to
> >> passwd and group databases, correct?
> > Provided you are using packages and have installed the required
> > packages, you only need to alter /etc/nsswitch.conf, so the next
> > question is, what packages have you installed ?
> >  
>
> I've checked my dpkg.log and it gives me this list when I installed
> samba:
>
> libwbclient0:amd64 2:4.6.7+dfsg-1nmu1~deb9
> samba-common:all 2:4.6.7+dfsg-1nmu1~deb9
> libtevent0:amd64 0.9.31-1
> libc-bin:amd64 2.24-11+deb9u1
> systemd:amd64 232-25+deb9u1
> man-db:amd64 2.7.6.1-2
> samba-libs:amd64 2:4.6.7+dfsg-1nmu1~deb9
> samba-vfs-modules:amd64 2:4.6.7+dfsg-1nmu1~deb9
> python-samba:amd64 2:4.6.7+dfsg-1nmu1~deb9
> libsmbclient:amd64 2:4.6.7+dfsg-1nmu1~deb9
> smbclient:amd64 2:4.6.7+dfsg-1nmu1~deb9
> samba-common-bin:amd64 2:4.6.7+dfsg-1nmu1~deb9
> samba-dsdb-modules:amd64 2:4.6.7+dfsg-1nmu1~deb9
> winbind:amd64 2:4.6.7+dfsg-1nmu1~deb9
> samba:amd64 2:4.6.7+dfsg-1nmu1~deb9
>
> Does this help?

well possibly, but I will rephrase my question, are:

libpam-winbind libpam-krb5 libnss-winbind

installed ?

Rowland


Re: File server questions

Samba - General mailing list


On 14/09/2017 11:04, Rowland Penny via samba wrote:

> On Thu, 14 Sep 2017 10:49:48 -0300
> Flávio Silveira via samba <[hidden email]> wrote:
>
>>
>> On 14/09/2017 10:20, Rowland Penny via samba wrote:
>>> On Thu, 14 Sep 2017 09:32:21 -0300
>>> Flávio Silveira via samba <[hidden email]> wrote:
>>>
>>>> Hi!
>>>>
>>>> Just to confirm, I don't think there is a way to test if ntp is
>>>> setup properly, right?
>>>>
>>>> Moving forward to Winbindd config as described here:
>>>> https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC
>>>>
>>>> It seems I just need to edit nsswitch.conf and add winbind to
>>>> passwd and group databases, correct?
>>> Provided you are using packages and have installed the required
>>> packages, you only need to alter /etc/nsswitch.conf, so the next
>>> question is, what packages have you installed ?
>>>    
>> I've checked my dpkg.log and it gives me this list when I installed
>> samba:
>>
>> libwbclient0:amd64 2:4.6.7+dfsg-1nmu1~deb9
>> samba-common:all 2:4.6.7+dfsg-1nmu1~deb9
>> libtevent0:amd64 0.9.31-1
>> libc-bin:amd64 2.24-11+deb9u1
>> systemd:amd64 232-25+deb9u1
>> man-db:amd64 2.7.6.1-2
>> samba-libs:amd64 2:4.6.7+dfsg-1nmu1~deb9
>> samba-vfs-modules:amd64 2:4.6.7+dfsg-1nmu1~deb9
>> python-samba:amd64 2:4.6.7+dfsg-1nmu1~deb9
>> libsmbclient:amd64 2:4.6.7+dfsg-1nmu1~deb9
>> smbclient:amd64 2:4.6.7+dfsg-1nmu1~deb9
>> samba-common-bin:amd64 2:4.6.7+dfsg-1nmu1~deb9
>> samba-dsdb-modules:amd64 2:4.6.7+dfsg-1nmu1~deb9
>> winbind:amd64 2:4.6.7+dfsg-1nmu1~deb9
>> samba:amd64 2:4.6.7+dfsg-1nmu1~deb9
>>
>> Does this help?
> well possibly, but I will rephrase my question, are:
>
> libpam-winbind libpam-krb5 libnss-winbind
>
> installed ?

Yes sir, all three are installed, should I proceed to editing
nsswitch.conf as described on the tutorial?

> Rowland
>



Re: File server questions

Samba - General mailing list
On Thu, 14 Sep 2017 11:18:09 -0300
Flávio Silveira via samba <[hidden email]> wrote:

>
>
> On 14/09/2017 11:04, Rowland Penny via samba wrote:
> > On Thu, 14 Sep 2017 10:49:48 -0300
> > Flávio Silveira via samba <[hidden email]> wrote:
> >
> >>
> >> On 14/09/2017 10:20, Rowland Penny via samba wrote:
> >>> On Thu, 14 Sep 2017 09:32:21 -0300
> >>> Flávio Silveira via samba <[hidden email]> wrote:
> >>>
> >>>> Hi!
> >>>>
> >>>> Just to confirm, I don't think there is a way to test if ntp is
> >>>> setup properly, right?
> >>>>
> >>>> Moving forward to Winbindd config as described here:
> >>>> https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC
> >>>>
> >>>> It seems I just need to edit nsswitch.conf and add winbind to
> >>>> passwd and group databases, correct?
> >>> Provided you are using packages and have installed the required
> >>> packages, you only need to alter /etc/nsswitch.conf, so the next
> >>> question is, what packages have you installed ?
> >>>    
> >> I've checked my dpkg.log and it gives me this list when I installed
> >> samba:
> >>
> >> libwbclient0:amd64 2:4.6.7+dfsg-1nmu1~deb9
> >> samba-common:all 2:4.6.7+dfsg-1nmu1~deb9
> >> libtevent0:amd64 0.9.31-1
> >> libc-bin:amd64 2.24-11+deb9u1
> >> systemd:amd64 232-25+deb9u1
> >> man-db:amd64 2.7.6.1-2
> >> samba-libs:amd64 2:4.6.7+dfsg-1nmu1~deb9
> >> samba-vfs-modules:amd64 2:4.6.7+dfsg-1nmu1~deb9
> >> python-samba:amd64 2:4.6.7+dfsg-1nmu1~deb9
> >> libsmbclient:amd64 2:4.6.7+dfsg-1nmu1~deb9
> >> smbclient:amd64 2:4.6.7+dfsg-1nmu1~deb9
> >> samba-common-bin:amd64 2:4.6.7+dfsg-1nmu1~deb9
> >> samba-dsdb-modules:amd64 2:4.6.7+dfsg-1nmu1~deb9
> >> winbind:amd64 2:4.6.7+dfsg-1nmu1~deb9
> >> samba:amd64 2:4.6.7+dfsg-1nmu1~deb9
> >>
> >> Does this help?
> > well possibly, but I will rephrase my question, are:
> >
> > libpam-winbind libpam-krb5 libnss-winbind
> >
> > installed ?
>
> Yes sir, all three are installed, should I proceed to editing
> nsswitch.conf as described on the tutorial?
>
> > Rowland
> >
>
>

Yes, you should now get a result from 'getent passwd ausername'

Rowland


Re: File server questions

Samba - General mailing list


On 14/09/2017 12:46, Rowland Penny via samba wrote:

>
>>> well possibly, but I will rephrase my question, are:
>>>
>>> libpam-winbind libpam-krb5 libnss-winbind
>>>
>>> installed ?
>> Yes sir, all three are installed, should I proceed to editing
>> nsswitch.conf as described on the tutorial?
>>
>>> Rowland
>>>
>>
> Yes, you should now get a result from 'getent passwd ausername'
>
> Rowland
>

Thanks Rowland, below is the edited /etc/nsswitch.conf:

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat winbind
group:          compat winbind
shadow:         compat
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

And here is the output of "getent passwd fsilveira":

root@dc1:~# getent passwd fsilveira
fsilveira:x:1001:1001::/home/fsilveira:/sbin/nologin
root@dc1:~#

About the file serving here:
https://wiki.samba.org/index.php/Samba_File_Serving

Should I use the "Setting up a share using Windows ACLs" tutorial?


Re: File server questions

Samba - General mailing list
On Thu, 14 Sep 2017 13:15:31 -0300
Flávio Silveira via samba <[hidden email]> wrote:

>
>
> On 14/09/2017 12:46, Rowland Penny via samba wrote:
> >
> >>> well possibly, but I will rephrase my question, are:
> >>>
> >>> libpam-winbind libpam-krb5 libnss-winbind
> >>>
> >>> installed ?
> >> Yes sir, all three are installed, should I proceed to editing
> >> nsswitch.conf as described on the tutorial?
> >>
> >>> Rowland
> >>>
> >>
> > Yes, you should now get a result from 'getent passwd ausername'
> >
> > Rowland
> >
>
> Thanks Rowland, below is the edited /etc/nsswitch.conf:
>
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd:         compat winbind
> group:          compat winbind
> shadow:         compat
> gshadow:        files
>
> hosts:          files dns
> networks:       files
>
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
>
> netgroup:       nis
>
> And here is the output of "getent passwd fsilveira":
>
> root@dc1:~# getent passwd fsilveira
> fsilveira:x:1001:1001::/home/fsilveira:/sbin/nologin
> root@dc1:~#

Looking good so far, I take it you don't want the users logging into
the DC.

>
> About the file serving here:
> https://wiki.samba.org/index.php/Samba_File_Serving
>
> Should I use the "Setting up a share using Windows ACLs" tutorial?
>

You must use Windows ACLs on a DC, so yes, you will need to follow that
wikipage.

Rowland
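Flávio's nsswitch.conf and `getent passwd fsilveira` output above, and Rowland's "I take it you don't want the users logging into the DC", can both be checked mechanically. This is an added script, not from the thread or the Samba wiki; the passwd lines other than fsilveira's in the comments are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: verify the winbind NSS step of
# Configuring_Winbindd_on_a_Samba_AD_DC. It checks that the passwd and group
# databases in nsswitch.conf list winbind, and lists accounts that still have
# a real login shell on a DC that is meant to serve shares only.

# nss_has_winbind DB FILE: true if the DB line (passwd or group) in FILE names
# winbind as a source. Comment lines and trailing comments are ignored, so
# "group: compat # winbind" does NOT count.
nss_has_winbind() {
    awk -v key="$1:" '
        { sub(/#.*/, "") }
        $1 == key { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
        END { exit (found ? 0 : 1) }' "$2"
}

# interactive_users MIN_UID: read `getent passwd` output on stdin and print the
# accounts with uid >= MIN_UID whose shell is neither nologin nor false.
# Sample (constructed except fsilveira's line, which is from the thread):
#   fsilveira:x:1001:1001::/home/fsilveira:/sbin/nologin   -> not printed
#   jdoe:x:1002:1001::/home/jdoe:/bin/bash                 -> printed
interactive_users() {
    awk -F: -v min="$1" '
        NF == 7 && ($3 + 0) >= (min + 0) {
            n = split($7, p, "/"); shell = p[n]
            if (shell != "nologin" && shell != "false") print $1
        }'
}

# winbind_nss_check: run both checks against the live system. Local admin
# accounts at or above uid 1000 will be listed too; review them rather than
# assuming every hit is a domain user.
winbind_nss_check() {
    rc=0
    for db in passwd group; do
        if nss_has_winbind "$db" /etc/nsswitch.conf; then
            echo "ok: $db resolves through winbind"
        else
            echo "fail: add winbind to the $db line in /etc/nsswitch.conf"
            rc=1
        fi
    done
    # uid 1000 is where Debian starts non-system accounts
    users=$(getent passwd | interactive_users 1000)
    if [ -n "$users" ]; then
        echo "warn: accounts with a login shell on the DC:"
        echo "$users"
        rc=1
    else
        echo "ok: no account at or above uid 1000 has a login shell"
    fi
    return $rc
}
```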


Re: File server questions

Samba - General mailing list


On 14/09/2017 13:28, Rowland Penny via samba wrote:

> On Thu, 14 Sep 2017 13:15:31 -0300
> Flávio Silveira via samba <[hidden email]> wrote:
>
>>
>> On 14/09/2017 12:46, Rowland Penny via samba wrote:
>>>>> well possibly, but I will rephrase my question, are:
>>>>>
>>>>> libpam-winbind libpam-krb5 libnss-winbind
>>>>>
>>>>> installed ?
>>>> Yes sir, all three are installed, should I proceed to editing
>>>> nsswitch.conf as described on the tutorial?
>>>>
>>>>> Rowland
>>>>>
>>> Yes, you should now get a result from 'getent passwd ausername'
>>>
>>> Rowland
>>>
>> Thanks Rowland, below is the edited /etc/nsswitch.conf:
>>
>> # /etc/nsswitch.conf
>> #
>> # Example configuration of GNU Name Service Switch functionality.
>> # If you have the `glibc-doc-reference' and `info' packages installed, try:
>> # `info libc "Name Service Switch"' for information about this file.
>>
>> passwd:         compat winbind
>> group:          compat winbind
>> shadow:         compat
>> gshadow:        files
>>
>> hosts:          files dns
>> networks:       files
>>
>> protocols:      db files
>> services:       db files
>> ethers:         db files
>> rpc:            db files
>>
>> netgroup:       nis
>>
>> And here is the output of "getent passwd fsilveira":
>>
>> root@dc1:~# getent passwd fsilveira
>> fsilveira:x:1001:1001::/home/fsilveira:/sbin/nologin
>> root@dc1:~#
> Looking good so far, I take it you don't want the users logging into
> the DC.

Correct.

>> About the file serving here:
>> https://wiki.samba.org/index.php/Samba_File_Serving
>>
>> Should I use the "Setting up a share using Windows ACLs" tutorial?
>>
> You must use Windows ACLs on a DC, so yes, you will need to follow that
> wikipage.

Ok, just curious, are there any disadvantages to using Windows ACLs
instead of POSIX ACLs?

Also, once I create a file server as Domain Member, how easy will it be to
migrate from DC?

I am reading this
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

For the "Granting the SeDiskOperatorPrivilege Privilege" section, it
mentions "Domain Admins" group, do I need to create all groups with below?

groupadd <group name>

So, a small step-by-step would be:

1- Create all groups with: groupadd <group name>, example: groupadd
"Domain Admins"
2- Create local user accounts with: useradd -M -s /sbin/nologin <user name>
3- Add password to local user accounts with: passwd <user name>
4- Add local user accounts to Samba database with: smbpasswd -a <user name>
5- Enable Samba account with: smbpasswd -e <user name>
6- Add user account to a group with: usermod -G <group name> <user name>
7- Follow "Granting the SeDiskOperatorPrivilege Privilege" section from [1]
8- Follow "Adding a Share" section from [1]

[1]: https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

Does this look correct?
> Rowland
>

Thank you!


Re: File server questions

Samba - General mailing list
On Fri, 15 Sep 2017 08:47:45 -0300
Flávio Silveira via samba <[hidden email]> wrote:

> Ok, just curious, are there any disadvantages to using Windows
> ACLs instead of POSIX ACLs?

None that I am aware of, in fact there are several advantages.

>
> Also, once I create a file server as Domain Member, how easy will it be
> to migrate from DC?

Not sure what you mean here, it sounds like you want to turn your Samba
AD DC into a Unix domain member, I am sure you don't want to do this,
so can you explain your question better ?

>
> I am reading this
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> For the "Granting the SeDiskOperatorPrivilege Privilege" section, it
> mentions "Domain Admins" group, do I need to create all groups with
> below?
>
> groupadd <group name>
>
> So, a small step-by-step would be:
>
> 1- Create all groups with: groupadd <group name>, example: groupadd
> "Domain Admins"

No, you do not need to create this group, it should already exist in AD

> 2- Create local user accounts with: useradd -M -s /sbin/nologin <user
> name>

No, you do not need any local Unix users, you either create your
windows users (with samba-tool) as Unix users as well, or you extend
your windows users to be Unix users as well.

> 3- Add password to local user accounts with: passwd <user name>

Seeing as you will not create local Unix users, then no.

> 4- Add local user accounts to Samba database with: smbpasswd -a <user
> name>
> 5- Enable Samba account with: smbpasswd -e <user name>

There is a theme here ;-) no

> 6- Add user account to a group with: usermod -G <group name> <user
> name>
> 7- Follow "Granting the SeDiskOperatorPrivilege Privilege"
> section from [1]

No, use samba-tool or the windows tools.

> 8- Follow "Adding a Share" section from [1]
>
> [1]:
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>

Well, yes, but no ;-)

Yes, you should follow the wikipage.
No, you shouldn't use 'Domain Admins' (I must update that wikipage)
If you use 'Domain Admins', you will need to give the windows group a
gidNumber attribute. This is not a good idea, 'Domain Admins' needs to
own GPOs in sysvol, so it needs to be mapped to 'ID_TYPE_BOTH' in
idmap.ldb on the DC. If you give the group a gidNumber, it becomes just
a group as far as Unix is concerned and groups cannot own anything on
Unix.

My suggestion is to create a new group in AD (I suggest 'Unix Admins',
but you can call it anything you like), give this new group a gidNumber
and make it a member of 'Domain Admins'. Now wherever it says 'Domain
Admins' on the wikipage, use your new group instead.

Rowland
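Rowland's replacement for the step-by-step (no local Unix users, a helper group with a gidNumber nested in 'Domain Admins', samba-tool instead of useradd/smbpasswd) as a script. This is an added example, not from the thread, the wiki or the Samba project: the domain SAMDOM, the group name 'Unix Admins' and the uidNumber/gidNumber values are assumptions, and it assumes samba-tool's `--gid-number`, `--uid-number`, `--login-shell` and `--unix-home` options are available (they are in current Samba).

```shell
#!/bin/sh
# Added example, not from the thread or the Samba project: the group setup
# Rowland recommends, run on the DC. SAMDOM, "Unix Admins" and the id values
# are constructed; DRY_RUN=1 prints the commands instead of executing them.
set -u
DRY_RUN="${DRY_RUN:-0}"

# run: execute a command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# is_domain_admins NAME: 'Domain Admins' must keep its ID_TYPE_BOTH mapping in
# idmap.ldb because it owns GPOs in sysvol; a gidNumber would turn it into a
# plain Unix group, and groups cannot own anything on Unix.
is_domain_admins() {
    [ "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" = "domain admins" ]
}

# setup_unix_admins DOMAIN GROUP GID: create GROUP in AD with gidNumber GID,
# nest it inside Domain Admins, and grant it SeDiskOperatorPrivilege so its
# members can set share permissions from Windows. Returns 2 on bad input.
setup_unix_admins() {
    domain="$1"; group="$2"; gid="$3"
    case "$gid" in
        ''|*[!0-9]*) echo "gidNumber must be numeric, got '$gid'" >&2; return 2 ;;
    esac
    if is_domain_admins "$group"; then
        echo "refusing to give 'Domain Admins' a gidNumber; use a helper group" >&2
        return 2
    fi
    run samba-tool group add "$group" --gid-number="$gid"
    run samba-tool group addmembers "Domain Admins" "$group"
    run net rpc rights grant "$domain\\$group" SeDiskOperatorPrivilege \
        -U "$domain\\administrator"
}

# create_unix_user NAME UID GID: create the AD user with RFC2307 attributes so
# winbind resolves it, and with /sbin/nologin so it cannot log in on the DC
# (samba-tool prompts for the password unless DRY_RUN=1).
create_unix_user() {
    run samba-tool user create "$1" --uid-number="$2" --gid-number="$3" \
        --login-shell=/sbin/nologin --unix-home="/home/$1"
}

# verify_setup DOMAIN GROUP: NSS should now resolve the group through winbind
# and the privilege listing should show it.
verify_setup() {
    run getent group "$2"
    run net rpc rights list accounts -U "$1\\administrator"
}

# Demo with constructed values:  DRY_RUN=1 sh thisscript.sh --demo
[ "${1:-}" = "--demo" ] && {
    setup_unix_admins SAMDOM "Unix Admins" 10000
    create_unix_user fsilveira 10001 10000
    verify_setup SAMDOM "Unix Admins"
}
```

After a real run, replace 'Domain Admins' with 'Unix Admins' wherever the Setting_up_a_Share_Using_Windows_ACLs page mentions it, exactly as Rowland says.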

