File server questions


Re: File server questions ( about the ntp question )

Samba - General mailing list
Hai,

Sorry for the late response on this one, I had a few days off.

Some important extra info here.

If you run systemctl status ntp, you will see if ntp is running correctly.
The PCs will get their time through Samba AD (via /var/lib/samba/ntp_signd).

Linux clients need ntp, pointed at the AD server(s).
Windows (domain joined) clients get time through AD.
Windows standalone: you need to configure the ntp client in Windows and point it at an AD DC.

Run on Linux: ntpq -qq or ntpq -pn 127.0.0.1, or

Another option is: apt-get install ntpstat
Run: ntpstat

If you see errors, the first thing you should check is the following.

On which interfaces and IP numbers is ntp running?
netstat -taupn|grep udp|grep ntp

And if you use the interface lines (one or more):
#interface listen lo
#interface listen eth0
#interface ignore wildcard
#interface ignore ipv6

Disable these, and try again.

There is probably something going wrong then due to ntp trying to get time over IPv6, which is disabled.

This command will tell you more about it:
strace ntpq -pn ::1|& grep -i conn



Greetz,

Louis




> -----Original message-----
> From: samba [mailto:[hidden email]] On behalf of
> Flávio Silveira via samba
> Sent: Wednesday 13 September 2017 19:44
> To: [hidden email]
> Subject: Re: [Samba] File server questions
>
>
>
> On 13/09/2017 11:48, L.P.H. van Belle via samba wrote:
> > Hai Flavio,
> > I suggest you use "interface ignore ipv6" (you already did set it)
> > for the IPv6 IP numbers, except localhost IPv6 (::1). The
> > other defaults are good to start with; then, when everything
> > is running correctly, only then go and optimize the config.
> > And only one thing at a time, or you end up in a mess.. Just a tip.
> >
> > So below is a copy-paste of an original Jessie ntp.conf (from before my
> > upgrade to Stretch), and for you, I changed it to your
> > setup. See what I did and compare it to yours.
> >
> >
> > ####### NTP Begin ( Debian Jessie version )
> > # /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
> >
> > driftfile /var/lib/ntp/ntp.drift
> >
> > # Enable this if you want statistics to be logged.
> > #statsdir /var/log/ntpstats/
> >
> > statistics loopstats peerstats clockstats
> > filegen loopstats file loopstats type day enable
> > filegen peerstats file peerstats type day enable
> > filegen clockstats file clockstats type day enable
> >
> >
> > # You do need to talk to an NTP server or two (or three).
> > #server ntp.your-provider.example
> > server a.st1.ntp.br
> > server b.st1.ntp.br
> > server c.st1.ntp.br
> >
> > # pool.ntp.org maps to about 1000 low-stratum NTP servers.  Your server will
> > # pick a different set every time it starts up.  Please consider joining the
> > # pool: <http://www.pool.ntp.org/join.html>
> > #pool 0.debian.pool.ntp.org iburst
> > #pool 1.debian.pool.ntp.org iburst
> > #pool 2.debian.pool.ntp.org iburst
> > #pool 3.debian.pool.ntp.org iburst
> >
> >
> > # Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
> > # details.  The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
> > # might also be helpful.
> > #
> > # Note that "restrict" applies to both servers and clients, so a configuration
> > # that might be intended to block requests from certain clients could also end
> > # up blocking replies from your own upstream servers.
> >
> > # By default, exchange time with everybody, but don't allow configuration.
> > restrict -4 default kod notrap nomodify nopeer noquery mssntp
> > restrict -6 default kod notrap nomodify nopeer noquery mssntp
> >
> > # Local users may interrogate the ntp server more closely.
> > restrict 127.0.0.1
> > restrict ::1
> >
> > # Needed for adding pool entries
> > restrict source notrap nomodify noquery
> >
> > # Clients from this (example!) subnet have unlimited access, but only if
> > # cryptographically authenticated.
> > #restrict 192.168.123.0 mask 255.255.255.0 notrust
> >
> > # If you want to provide time to your local subnet, change the next line.
> > # (Again, the address is an example only.)
> > #broadcast 192.168.123.255
> >
> > # If you want to listen to time broadcasts on your local subnet, de-comment the
> > # next lines.  Please do this only if you trust everybody on the network!
> > #disable auth
> > #broadcastclient
> >
> > interface listen lo
> > interface listen enp2s0
> > #interface ignore wildcard
> > interface ignore ipv6
> >
> > ######  Needed for Samba 4  ######
> > # in the restrict -4 or -6 added mssntp at the end
> > # Location of the samba ntp_signd directory
> > ntpsigndsocket /var/lib/samba/ntp_signd
> > ####### NTP end
> >
> > Greetz,
> >
> > Louis
> >
>
> Hi Louis,
>
> The file seems similar to mine, so I guess I'm all set for
> the ntp, any way to test it?
>
> Moving forward to the Winbindd config as described here:
> https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC
>
> It seems I just need to edit nsswitch.conf and add winbind to the
> passwd and group databases, right?
>
> Because it says typically no configuration is required in
> smb.conf for Winbindd to work.
>
> I don't think I want to have every user home on my servers,
> my plan is to force them to use the shares
>
> Thank you
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>


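The checks Louis walks through above (is ntpd synchronised, on which addresses is it bound, is the ntp_signd socket in place) can be scripted so they are repeatable. The following is an added example and not code from the thread or from the Samba project: each function reads the output of the command named in its comment from stdin, so it works on live output or on a saved copy, and the sample output embedded at the bottom is constructed for the demonstration (documentation addresses, made-up PID). The ntp_signd path is the Debian default and is an assumption; it is whatever "ntp signd socket directory" is set to in smb.conf.

```shell
#!/bin/sh
# Added example (not from the thread). Each function reads command output
# on stdin, so it can be fed live output (ntpq -pn, netstat -taupn) or a
# saved copy; the sample data at the bottom is constructed.

# Peer ntpd is currently synchronised to: the line whose tally code
# (first character) is '*'. Prints the address and returns 0; returns 1
# when no peer is selected, which is what an unsynchronised ntpd looks like.
ntp_sync_peer() {
    awk '
        NR <= 2 { next }                        # header and ==== separator
        substr($0, 1, 1) == "*" { print substr($1, 2); found = 1 }
        END { exit found ? 0 : 1 }'
}

# Peers whose reach register (7th column) is 0: ntpd never got an answer.
# Typical causes are a blocked UDP/123 path, or the peer resolving to an
# address family ntpd cannot use (the disabled-IPv6 case Louis describes).
ntp_unreachable_peers() {
    awk '
        NR <= 2 { next }
        $7 == 0 {
            tally = substr($0, 1, 1)
            host = (tally == " ") ? $1 : substr($1, 2)
            print host
        }'
}

# Local UDP sockets owned by ntpd, from `netstat -taupn` (ss -ulpn shows
# the same in a different layout). A :::123 entry means ntpd bound the IPv6
# wildcard; with "interface ignore ipv6" it should not be there.
ntp_listen_addrs() {
    awk '($1 == "udp" || $1 == "udp6") && $NF ~ /\/ntpd$/ { print $4 }'
}

# Samba's ntp_signd socket is "<dir>/socket". ntpd must be able to enter the
# directory and connect to the socket (the Samba wiki makes the directory
# group-owned by ntpd's group, mode 0750). Default path is an assumption.
signd_socket_ok() {
    dir=${1:-/var/lib/samba/ntp_signd}
    [ -d "$dir" ] && [ -S "$dir/socket" ]
}

# --- constructed sample output, standing in for the live commands ---
NTPQ_SAMPLE='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.0.2.1       .GPS.            1 u   31   64  377   12.345   -0.123   0.456
+192.0.2.2       .GPS.            1 u   40   64  377   13.210    0.210   0.330
 192.0.2.3       .INIT.          16 u    -   64    0    0.000    0.000   0.000'
NETSTAT_SAMPLE='udp        0      0 127.0.0.1:123           0.0.0.0:*                           1234/ntpd
udp        0      0 192.0.2.10:123          0.0.0.0:*                           1234/ntpd
udp6       0      0 ::1:123                 :::*                                1234/ntpd'

if peer=$(printf '%s\n' "$NTPQ_SAMPLE" | ntp_sync_peer); then
    echo "synchronised to $peer"
else
    echo "not synchronised to any peer" >&2
fi
printf '%s\n' "$NTPQ_SAMPLE" | ntp_unreachable_peers | sed 's/^/unreachable: /'
printf '%s\n' "$NETSTAT_SAMPLE" | ntp_listen_addrs | sed 's/^/ntpd bound: /'
signd_socket_ok || echo "ntp_signd socket not found (is samba running?)" >&2
```

On a DC you would replace the two sample variables with `ntpq -pn` and `netstat -taupn` output. An unreachable peer plus a bound `:::123` is the combination to look at first when IPv6 is switched off on the host, which is the case the `strace ntpq -pn ::1` line above is meant to expose.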

Re: File server questions ( about the ntp question )

Samba - General mailing list


On 18/09/2017 05:25, L.P.H. van Belle via samba wrote:

> Hai,
>
> Sorry for the late response on this one, I had a few days off.
>
> Some important extra info here.
>
> If you run systemctl status ntp, you will see if ntp is running correctly.
> The PCs will get their time through Samba AD (via /var/lib/samba/ntp_signd).
>
> Linux clients need ntp, pointed at the AD server(s).
> Windows (domain joined) clients get time through AD.
> Windows standalone: you need to configure the ntp client in Windows and point it at an AD DC.
>
> Run on Linux: ntpq -qq or ntpq -pn 127.0.0.1, or
>
> Another option is: apt-get install ntpstat
> Run: ntpstat
>
> If you see errors, the first thing you should check is the following.
>
> On which interfaces and IP numbers is ntp running?
> netstat -taupn|grep udp|grep ntp
>
> And if you use the interface lines (one or more):
> #interface listen lo
> #interface listen eth0
> #interface ignore wildcard
> #interface ignore ipv6
>
> Disable these, and try again.
>
> There is probably something going wrong then due to ntp trying to get time over IPv6, which is disabled.
>
> This command will tell you more about it:
> strace ntpq -pn ::1|& grep -i conn
>
>
>
> Greetz,
>
> Louis

Hi Louis,

   Thank you for your great explanation! I will do some tests today as
soon as I understand Rowland's last instructions.

Regards,
   Flavio Silveira


Re: File server questions

Samba - General mailing list


On 15/09/2017 09:29, Rowland Penny via samba wrote:
> On Fri, 15 Sep 2017 08:47:45 -0300
> Flávio Silveira via samba <[hidden email]> wrote:
>
>> Ok, just curious, are there any disadvantages to using Windows
>> ACLs instead of POSIX ACLs?
> None that I am aware of, in fact there are several advantages.

Great!

>> Also, once I create a file server as a Domain Member, how easy will it
>> be to migrate from the DC?
> Not sure what you mean here, it sounds like you want to turn your Samba
> AD DC into a Unix domain member, I am sure you don't want to do this,
> so can you explain your question better ?

Yes, sorry for that. What I meant was: currently I am setting up a file
server together with the AD DC, which is not recommended, but given my
simple scenario it is ok to do it that way, at least that is what I
understand. My question was: once I have proper hardware resources to
have a file server separate from the AD DC, how easy will it be to migrate
the configs/shares from the AD DC to the separate file server (Domain
Member)? Does it make sense now?

>> I am reading this
>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>>
>> For the "Granting the SeDiskOperatorPrivilege Privilege" section, it
>> mentions "Domain Admins" group, do I need to create all groups with
>> below?
>>
>> groupadd <group name>
>>
>> So, a small step-by-step would be:
>>
>> 1- Create all groups with: groupadd <group name>, example: groupadd
>> "Domain Admins"
> No, you do not need to create this group, it should already exist in AD

Ok, how can I verify? How about the other groups? By other groups I mean
the ones I am creating as my company departments, like Commercial,
Marketing etc, so I can create shares per department.

>> 2- Create local user accounts with: useradd -M -s /sbin/nologin <user
>> name
> No, you do not need any local Unix users, you either create your
> windows users (with samba-tool) as Unix users as well, or you extend
> your windows users to be Unix users as well.

Is there any wiki I could follow to do one of the above? Thank you

>> 3- Add password to local user accounts with: passwd <user name>
> Seeing as you will not create local Unix users, then no.

Ok

>> 4- Add local user accounts to Samba database with: smbpasswd -a <user
>> name> 5- Enable Samba account with: smbpasswd -e <user name>
> There is a theme here ;-) no

Ok

>> 6- Add user account to a group with: usermod -G <group name> <user
>> name> 7- Follow "Granting the SeDiskOperatorPrivilege Privilege"
>> name> section from [1]
> No, use samba-tool or the windows tools.

Could you give an example please?

>> 8- Follow "Adding a Share" section from [1]
>>
>> [1]:
>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>>
> Well, yes, but no ;-)
>
> Yes, you should follow the wikipage.
> No, you shouldn't use 'Domain Admins' (I must update that wikipage)
> If you use 'Domain Admins', you will need to give the windows group a
> gidNumber attribute. This is not a good idea, 'Domain Admins' needs to
> own GPOs in sysvol, so it needs to be mapped to 'ID_TYPE_BOTH' in
> idmap.ldb on the DC. If you give the group a gidNumber, it becomes just
> a group as far as Unix is concerned and groups cannot own anything on
> Unix.
>
> My suggestion is to create a new group in AD (I suggest 'Unix Admins',
> but you can call it anything you like), give this new group a gidNumber
> and make it a member of 'Domain Admins'. Now wherever it says 'Domain
> Admins' on the wikipage, use your new group instead.

Thanks for the explanations, how do I create this new group? With groupadd?

If you can give a full example, I will be very glad! But please don't
think I am lazy, if there is a wiki that mentions how to do it, just
point me to it :-)

>
> Rowland
>
>

Regards,
   Flavio Silveira


Re: File server questions

Samba - General mailing list
On Mon, 18 Sep 2017 08:24:56 -0300
Flávio Silveira via samba <[hidden email]> wrote:

> Yes, sorry for that. What I meant was: currently I am setting up a
> file server together with the AD DC, which is not recommended, but given
> my simple scenario it is ok to do it that way, at least that is what I
> understand. My question was: once I have proper hardware resources to
> have a file server separate from the AD DC, how easy will it be to
> migrate the configs/shares from the AD DC to the separate file
> server (Domain Member)? Does it make sense now?

Yes ;-)
I would suggest you use uidNumber & gidNumber attributes instead of the
xidNumbers that the DC uses, then, when you create the Unix domain
member, use the winbind 'ad' backend. It will just be a matter of
creating the required shares/directories and copying the data across.

>
> >> I am reading this
> >> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> >>
> >> For the "Granting the SeDiskOperatorPrivilege Privilege" section,
> >> it mentions "Domain Admins" group, do I need to create all groups
> >> with below?
> >>
> >> groupadd <group name>
> >>
> >> So, a small step-by-step would be:
> >>
> >> 1- Create all groups with: groupadd <group name>, example: groupadd
> >> "Domain Admins"
> > No, you do not need to create this group, it should already exist
> > in AD
>
> Ok, how can I verify? How about the other groups? By other groups I
> mean the ones I am creating as my company departments, like
> Commercial, Marketing etc, so I can create shares per department.

If you go here:

https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems

You will find a list of the 'well-known SIDs'; most of these will be in
AD. If it is on that list, don't try to create it.

You can get a list of groups in AD by running 'samba-tool group list'
on the domain.
BIG NOTE: you will not get all the 'well-known SIDs' shown.

The groups you refer to, do not exist in AD as standard.

>
> >> 2- Create local user accounts with: useradd -M -s /sbin/nologin
> >> <user name
> > No, you do not need any local Unix users, you either create your
> > windows users (with samba-tool) as Unix users as well, or you extend
> > your windows users to be Unix users as well.
>
> Is there any wiki I could follow to do one of the above? Thank you

To create a new user that is also a Unix user, run something like this:

samba-tool user create User5 passw5rd --nis-domain=samdom \
    --unix-home=/home/User5 --uid-number=10005 --login-shell=/bin/false \
    --gid-number=10000

This needs to be run on the Samba AD DC and you will need to set some
of the options to match your requirements:

User5: change to your new users name
--nis-domain=samdom: change 'samdom' to your workgroup name
--unix-home=/home/User5: set this to the path to where you want to
store the users homedirectory
--login-shell=/bin/false: With this, the user will not be able to login
to the computer directly (doesn't affect windows), you can use
'/bin/sh' or '/bin/bash'
--uid-number=10005: the UID to use for the new user
--gid-number=10000: the GID for the new user (this will have no effect
on a DC, all users will be members of Domain Users, just like Windows)

The last two require numbers, the only problem is that a Samba DC does
not keep a record of the next number to use, you need to do this or you
could end up with users with the same uidNumber, not a good idea.

You can do something similar with ADUC on windows (but not win10) by
adding IDMU, which will give you the Unix Attributes tab and this will
track the next available ID.

>
>
> >> 6- Add user account to a group with: usermod -G <group name> <user
> >> name> 7- Follow "Granting the SeDiskOperatorPrivilege Privilege"
> >> name> section from [1]
> > No, use samba-tool or the windows tools.
>
> Could you give an example please?

samba-tool group addmembers groupname username

> Thanks for the explanations, how do I create this new group? With
> groupadd?

samba-tool group add "Unix Admins" --nis-domain=samdom --gid-number=12345

samba-tool group addmembers "Domain Admins" "Unix Admins"

Rowland

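Rowland's warning above, that a Samba DC keeps no record of the next uidNumber to hand out and that two users sharing one uidNumber is "not a good idea", is the part of this procedure most worth automating: to the file system two objects with the same uidNumber are the same identity, so a duplicate silently merges two people's access to every share. The script below is an added example, not code from the thread or from Samba. It derives the next free uidNumber from what is already in AD, refuses to reuse one, reports duplicates, and prints the samba-tool call from Rowland's example with the allocated number. The sam.ldb path, the 10000-19999 range, the domain name "samdom" and the user "User5" are assumptions; the uidNumber dump at the bottom is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the thread). A Samba DC does not track the next
# free uidNumber, so derive it from AD before creating a Unix-enabled user.
# Path, range and names below are assumptions for the demonstration.

SAM_DB=${SAM_DB:-/var/lib/samba/private/sam.ldb}  # Debian package path; adjust for your build
UID_MIN=${UID_MIN:-10000}
UID_MAX=${UID_MAX:-19999}

# Every uidNumber currently set in AD, one per line. Run on the DC as root;
# it is not executed in the demonstration below.
dump_uids() {
    ldbsearch -H "$SAM_DB" '(uidNumber=*)' uidNumber |
        awk '$1 == "uidNumber:" { print $2 }'
}

# uidNumbers on stdin -> those assigned to more than one object. This must
# print nothing before any share permission is trusted.
duplicate_uids() {
    sort -n | uniq -d
}

# uidNumbers on stdin -> lowest unused value in [lo, hi]; gaps are reused.
# Prints nothing and returns 1 when the range is exhausted.
next_free_uid() {
    lo=${1:-$UID_MIN}; hi=${2:-$UID_MAX}
    sort -n | uniq | awk -v lo="$lo" -v hi="$hi" '
        $1 >= lo && $1 <= hi { used[$1] = 1 }
        END {
            for (n = lo; n <= hi; n++)
                if (!(n in used)) { print n; exit 0 }
            exit 1
        }'
}

# The samba-tool call from Rowland's example with the allocated uidNumber.
# --random-password replaces the positional password so the secret never
# lands in shell history or in `ps`; set the real one afterwards with
# `samba-tool user setpassword`, which prompts. Printed here, not run.
create_user_cmd() {
    user=$1; uid=$2; gid=$3; nisdom=$4
    printf 'samba-tool user create %s --random-password --nis-domain=%s --unix-home=/home/%s --uid-number=%s --gid-number=%s --login-shell=/bin/false\n' \
        "$user" "$nisdom" "$user" "$uid" "$gid"
}

# --- demonstration on a constructed dump (what dump_uids would print) ---
SAMPLE_UIDS='10000
10001
10001
10003'

dups=$(printf '%s\n' "$SAMPLE_UIDS" | duplicate_uids)
[ -n "$dups" ] && echo "duplicate uidNumber(s) in AD, fix these first: $dups" >&2

if uid=$(printf '%s\n' "$SAMPLE_UIDS" | next_free_uid); then
    create_user_cmd User5 "$uid" 10000 samdom   # --uid-number=10002 for this sample
else
    echo "uidNumber range $UID_MIN-$UID_MAX exhausted" >&2
fi
```

Two caveats. The allocation is check-then-act: if two admins run it at the same moment they can both be handed the same number, so on a real DC wrap it in `flock` or let one tool (ADUC with IDMU, as Rowland mentions) be the single allocator. And the gidNumber given to the new group, 12345 in Rowland's `samba-tool group add "Unix Admins"` example, needs the same uniqueness discipline across gidNumber values; the functions above work unchanged on a `gidNumber` dump.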