Installing and configuring Samba4 with AdminPack support on Debian Wheezy

Hey folks, here I'm going to cover installing and configuring Samba4 with domain administration support using Microsoft's AdminPack, and we'll also configure Bind_DLZ as the DNS backend.

Note: the DNS server cannot run in chroot mode, because bind cannot reach Samba's files and database: http://wiki.samba.org/index.php/Dns-backend_bind#Known_issues_and_ways_to_fix.2Fworkaround

I think the install and setup came out really nice and clean, so let's get to work :D

Prepare your system with the following script http://wiki.douglasqsantos.com.br/doku.php/confinicialwheezy_en so that no package or setting is missing.

What I'll be using:

  • Samba server
    • IP: 192.168.0.49/24
    • Name: debian
    • Domain: lab.lan
  • XP client
    • IP: 192.168.0.4/24
    • Name: xp
    • Domain: lab.lan

Now let's update the repositories and upgrade the system

aptitude update && aptitude dist-upgrade -y

Let's set a few environment variables

export DEBIAN_PRIORITY=critical 
export DEBIAN_FRONTEND=noninteractive

Now let's install the dependencies

aptitude install libpam0g-dev git gcc make wget libacl1-dev libblkid-dev libreadline-dev python-dev libcups2-dev \
 libcupscgi1-dev libcupsdriver1-dev libcupsimage2-dev libcupsmime1-dev libcupsppdc1-dev libcupsys2-dev libaio-dev acl-dev \
acl heimdal-clients libattr1-dev  libacl1-dev libattr1-dev libblkid-dev libgnutls-dev libreadline-dev  python-dnspython gdb pkg-config libfam-dev  \
libpopt-dev libldap2-dev dnsutils libbsd-dev attr docbook-xsl libcups2-dev python-gnupginterface python-pycurl python-software-properties \
quota unattended-upgrades libpam-heimdal bison debhelper flex gettext  html2text intltool-debian  libbison-dev libgettextpo0 libldb-dev \
libldb1 libparse-yapp-perl libpython2.6  libsmbclient libsmbclient-dev libsubunit-dev libsubunit-perl libsubunit0 libtalloc-dev libtalloc2 \
libtdb-dev libtdb1 libtevent-dev libtevent0 libunistring0 libwbclient-dev libwbclient0 libxslt1.1 po-debconf python-all python-all-dev python-ldb \
python-ldb-dev python-pkg-resources python-subunit python-talloc python-talloc-dev python-tdb python-testtools python2.6-dev  subunit xsltproc \
heimdal-dev heimdal-multidev libasn1-8-heimdal libgssapi3-heimdal libhcrypto4-heimdal libhdb9-heimdal libheimbase1-heimdal libheimntlm0-heimdal \
libhx509-5-heimdal libkadm5clnt7-heimdal libkadm5srv8-heimdal libkafs0-heimdal libkdc2-heimdal libkrb5-26-heimdal libroken18-heimdal libwind0-heimdal -y

Now let's restore the variables to their defaults

unset DEBIAN_PRIORITY
unset DEBIAN_FRONTEND

Now we need to adjust the mount options of the filesystem holding the /usr partition: after defaults we need to add the acl and user_xattr options.

vim /etc/fstab
[...]
UUID=35689fda-e60e-4a5c-823b-3076e36a7586 /usr            ext4    defaults,acl,user_xattr,barrier=1        0       2

Now let's remount the partition

mount -o remount /usr

Now let's check whether the acl option was picked up

mount | egrep xattr
/dev/disk/by-uuid/1b505238-9622-44bb-9ff1-1a5b72f9636e on / type ext4 (rw,relatime,errors=remount-ro,user_xattr,barrier=1,data=ordered)
/dev/sda9 on /home type ext4 (rw,relatime,user_xattr,barrier=1,data=ordered)
/dev/sda8 on /tmp type ext4 (rw,relatime,user_xattr,barrier=1,data=ordered)
/dev/sda5 on /usr type ext4 (rw,relatime,user_xattr,barrier=1,data=ordered)
/dev/sda6 on /var type ext4 (rw,relatime,user_xattr,barrier=1,data=ordered)

In some cases the system does not pick up the acl option and the server has to be rebooted for it to be reloaded; on Debian Wheezy, though, ACL support is built into the kernel rather than loaded as a module.

Let's list the kernel options

egrep -i acl /boot/config-3.2.0-4-amd64
CONFIG_EXT2_FS_POSIX_ACL=y
CONFIG_EXT3_FS_POSIX_ACL=y
CONFIG_EXT4_FS_POSIX_ACL=y
CONFIG_REISERFS_FS_POSIX_ACL=y
CONFIG_JFS_POSIX_ACL=y
CONFIG_XFS_POSIX_ACL=y
CONFIG_BTRFS_FS_POSIX_ACL=y
CONFIG_FS_POSIX_ACL=y
CONFIG_GENERIC_ACL=y
CONFIG_TMPFS_POSIX_ACL=y
CONFIG_JFFS2_FS_POSIX_ACL=y
CONFIG_NFS_V3_ACL=y
CONFIG_NFSD_V2_ACL=y
CONFIG_NFSD_V3_ACL=y
CONFIG_NFS_ACL_SUPPORT=m
CONFIG_CIFS_ACL=y
CONFIG_9P_FS_POSIX_ACL=y

Now let's test the filesystem: we need to create a file and set extended attributes on it

Let's go into the /usr directory

cd /usr

The first setfattr test gives an error on an ext3 filesystem.

touch test.txt
setfattr -n user.test -v test test.txt
setfattr -n security.test -v test2 test.txt

Now let's test the user attribute

getfattr -d test.txt
# file: test.txt
user.test="test"

Now let's test the security attribute

getfattr -n security.test -d test.txt
# file: test.txt
security.test="test2"

If the filesystem does not support xattr we can emulate it by adding the following line to smb.conf

posix:eadb = /usr/local/samba/eadb.tdb

Now let's get Samba; first let's go to the directory that will hold the sources

cd /usr/src

Now let's fetch the sources

wget -c http://ftp.samba.org/pub/samba/stable/samba-4.1.4.tar.gz

Now let's unpack Samba

tar -xzvf samba-4.1.4.tar.gz

Now let's enter the source directory

cd samba-4.1.4

Now let's configure it

./configure --enable-debug --enable-selftest

Now let's compile it

make

Now let's install it

make install

Now let's fix root's PATH, in case root uses the Bash shell

echo "export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11:/usr/local/samba/sbin:/usr/local/samba/bin" >> /root/.bashrc

Now we need to load the new PATH

source /root/.bashrc

Now let's fix root's PATH, in case root uses the zsh shell

echo "export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11:/usr/local/samba/sbin:/usr/local/samba/bin" >> /root/.zshrc

Now we need to load the new PATH

source /root/.zshrc

Now let's install the dependencies for BIND_DLZ

aptitude install  autopoint autotools-dev bison debhelper dh-apparmor geoip-bin gettext hardening-wrapper html2text intltool-debian \
libbison-dev libcap-dev libdb-dev libdb5.1-dev libgeoip-dev libgettextpo0 libltdl-dev libmail-sendmail-perl libsys-hostname-long-perl \
libtool libunistring0 libxml2-dev po-debconf -y

Now let's get the Bind sources

cd /usr/src
apt-get source bind9 

Now let's enter the bind source directory

cd bind9-*

Now let's adjust the options used to build the package: in debian/rules the configure-stamp target has to be modified to add support for Kerberos and dlopen.

vim debian/rules 
[...]
configure: configure-stamp
configure-stamp:
        dh_testdir
        ./configure --prefix=/usr \
                --mandir=\$${prefix}/share/man \
                --infodir=\$${prefix}/share/info \
                --sysconfdir=/etc/bind \
                --localstatedir=/var \
                --enable-threads \
                --enable-largefile \
                --with-libtool \
                --enable-shared \
                --enable-static \
                --with-openssl=/usr \
                --with-gssapi=/usr \
                --with-gnu-ld \
                --with-geoip=/usr \
                --enable-ipv6 \
                --with-gssapi=/usr/include/gssapi   \
                --with-dlopen=yes \
                $(EXTRA_FEATURES)

Now let's build the .deb package

dpkg-buildpackage 

Now let's install the packages we built

cd ..
dpkg -i *.deb 

Now let's create a directory for bind and set its permissions

mkdir /var/cache/bind/data
chown -R bind:bind /var/cache/bind/data

Now let's back up bind's configuration file

cp /etc/bind/named.conf.options /etc/bind/named.conf.options.old

Now let's adjust named.conf.options

vim /etc/bind/named.conf.options
// named.conf
//

options {
  listen-on port 53 { 127.0.0.1; 192.168.1.0/24; };
  listen-on-v6 port 53 { ::1; };
  directory   "/var/cache/bind";
  dump-file   "/var/cache/bind/data/cache_dump.db";
  statistics-file "/var/cache/bind/data/named_stats.txt";
  memstatistics-file "/var/cache/bind/data/named_mem_stats.txt";
  allow-query      { 192.168.1.0/24; 127.0.0.1/32; };
  allow-update    { 192.168.1.0/24; 127.0.0.1/32; };
  allow-recursion { 192.168.1.0/24; 127.0.0.1/32; };
  forwarders { 8.8.8.8; 8.8.4.4; };

  dnssec-enable yes;
  dnssec-validation yes;
  dnssec-lookaside auto;

  /* Path to ISC DLV key */
  bindkeys-file "/etc/named.iscdlv.key";

  managed-keys-directory "/var/cache/bind/dynamic";

 /* keytab for samba4 */
 tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";

};

logging {
  channel default_debug {
          file "data/named.run";
          severity dynamic;
  };
};

Now let's include the file that references our AD zone in named.conf

vim /etc/bind/named.conf
[...]
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/usr/local/samba/private/named.conf";

Now let's adjust /etc/resolv.conf

vim /etc/resolv.conf
domain lab.lan
search lab.lan
nameserver 192.168.0.1

Now let's adjust /etc/hosts

vim /etc/hosts
127.0.0.1 localhost
127.0.1.1 debian.lab.lan  debian
192.168.0.49  debian.lab.lan  debian
[...]

Now let's create our domain

samba-tool domain provision --domain=LAB --adminpass='sen@134*' \
--dns-backend=BIND9_DLZ --server-role=dc \
--function-level=2008_R2 --use-xattr=yes \
--use-rfc2307 --realm=lab.lan

If there is an error and you need to provision again, remove these files and directories first

rm -rf /usr/local/samba/etc
rm -rf /usr/local/samba/private
rm -rf /usr/local/samba/var/locks/sysvol

At this point our domain is configured.

Now let's adjust Samba

vim /usr/local/samba/etc/smb.conf
# Global parameters
[global]
  workgroup = LAB
  realm = lab.lan
  netbios name = PDC
  server role = active directory domain controller
  server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
  ### RPC ###
  rpc_server:tcpip = no
  rpc_daemon:spoolssd = embedded
  rpc_server:spoolss = embedded
  rpc_server:winreg = embedded
  rpc_server:ntsvcs = embedded
  rpc_server:eventlog = embedded
  rpc_server:srvsvc = embedded
  rpc_server:svcctl = embedded
  rpc_server:default = external
  ### IDMAP ###
  idmap_ldb:use rfc2307 = yes
  idmap config * : backend = tdb
  idmap config *:range = 70001-80000
  idmap config LAB:backend = ad
  idmap config LAB:schema_mode = rfc2307
  idmap config LAB:range = 500-40000
  #WINBIND
  winbind nss info = rfc2307
  winbind trusted domains only = no
  winbind use default domain = yes
  winbind enum users  = yes
  winbind enum groups = yes
  map archive = No
  map readonly = no
  store dos attributes = Yes
  vfs objects = dfs_samba4, acl_xattr
  #the template shell is required to log in with winbind authentication
  template shell = /bin/bash
  #DISABLING PRINTERS
  printcap name = /dev/null
  load printers = no
  disable spoolss = yes
  printing = bsd
  ### LOGS
  log file = /var/log/samba/smbd.log
  max log size = 50
  log level = 2
  vfs objects = recycle full_audit
  ### RECYCLE BIN
  recycle:repository = Lixeira
  recycle:exclude = *.tmp *.TMP *.temp *.TEMP ~*
  recycle:keeptree = yes
  full_audit:success = rmdir mkdir open write rename unlink
  full_audit:failure = rmdir mkdir open write rename unlink
  full_audit:prefix = %U|%I|%m|%S
  full_audit:failure = none
  full_audit:facility = local5
  full_audit:priority = notice
  veto files = /*.mp3/*.wav/*.exe/*.cmd/*.adm/*.inf/*.ini/*.pif
  delete veto files = yes
  dos filemode = yes

[netlogon]
  path = /usr/local/samba/var/locks/sysvol/lab.lan/scripts
  read only = No

[sysvol]
  path = /usr/local/samba/var/locks/sysvol
  read only = No
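The config above turns on vfs_full_audit with the prefix %U|%I|%m|%S on facility local5, but an audit trail is only useful if something reads it. As an added example (not from the tutorial or from Samba), this parses such syslog lines into events and counts successful unlink/rmdir/rename operations per user; the message layout prefix|op|ok-or-fail|args is vfs_full_audit's format, and the sample lines below are constructed, not captured from a real server.

```python
"""Parse vfs_full_audit syslog lines (prefix %U|%I|%m|%S) and flag bulk deletions.

Added example, not part of the tutorial or of Samba. Assumes the message layout
"<prefix>|<op>|<ok|fail (reason)>|<args>" written by vfs_full_audit.
"""
import re
from collections import Counter

# Constructed sample lines: one user doing normal profile work, another
# deleting several files from sysvol (one attempt denied).
SAMPLE_LOG = """\
Feb 24 13:19:02 debian smbd_audit: douglas.santos|192.168.0.4|xp|profiles|open|ok|r|douglas.santos/ntuser.ini
Feb 24 13:19:03 debian smbd_audit: douglas.santos|192.168.0.4|xp|profiles|write|ok|douglas.santos/ntuser.dat
Feb 24 13:20:10 debian smbd_audit: nerso|192.168.0.7|xp2|sysvol|unlink|ok|lab.lan/scripts/logon.bat
Feb 24 13:20:11 debian smbd_audit: nerso|192.168.0.7|xp2|sysvol|unlink|ok|lab.lan/scripts/map.bat
Feb 24 13:20:11 debian smbd_audit: nerso|192.168.0.7|xp2|sysvol|rmdir|ok|lab.lan/scripts/old
Feb 24 13:20:12 debian smbd_audit: nerso|192.168.0.7|xp2|sysvol|unlink|fail (Permission denied)|lab.lan/Policies/x
"""

# syslog timestamp, host, the "smbd_audit:" ident full_audit logs under, message
_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) smbd_audit: (?P<msg>.*)$")

# The prefix fields in the order the tutorial configured them (%U|%I|%m|%S).
PREFIX_FIELDS = ("user", "client_ip", "client_name", "share")
DESTRUCTIVE_OPS = {"unlink", "rmdir", "rename"}


def parse_line(line):
    """Return a dict for one audit line, or None if it is not an audit line."""
    m = _LINE.match(line)
    if not m:
        return None
    parts = m.group("msg").split("|")
    if len(parts) < len(PREFIX_FIELDS) + 2:
        return None  # too short to hold prefix + op + result
    event = dict(zip(PREFIX_FIELDS, parts[:4]))
    event["ts"] = m.group("ts")
    event["op"] = parts[4]
    event["ok"] = parts[5] == "ok"          # anything else is "fail (reason)"
    event["detail"] = "|".join(parts[6:])   # remaining args: open flags, paths
    return event


def parse_log(text):
    """Parse every audit line in a syslog excerpt, skipping unrelated lines."""
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def deletions_per_user(events, share=None):
    """Count successful destructive operations per user, optionally for one share."""
    counts = Counter()
    for e in events:
        if e["ok"] and e["op"] in DESTRUCTIVE_OPS and (share is None or e["share"] == share):
            counts[e["user"]] += 1
    return counts


def find_bulk_deleters(events, threshold):
    """Users whose successful unlink/rmdir/rename count reaches the threshold."""
    return sorted(u for u, n in deletions_per_user(events).items() if n >= threshold)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("parsed %d events; deletions per user: %s" % (len(evs), dict(deletions_per_user(evs))))
    print("bulk deleters (>=3): %s" % find_bulk_deleters(evs, 3))
```

Note that with full_audit:failure = none (the effective value in this config) the server never writes the "fail" lines, so the parser only sees successes on a live system.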

Now let's create the directory to store the logs

mkdir -p /var/log/samba

Now let's create a link to the kerberos keytab

ln -s /usr/local/samba/private/dns.keytab /etc/krb5.keytab 

Now let's start Samba

/usr/local/samba/sbin/samba

Let's remove the expiry from the administrator's password

samba-tool user setexpiry administrator --noexpiry

Now let's check our smbclient version

smbclient --version
Version 4.1.4

Now let's list the shares

smbclient -L localhost -U%
Domain=[LAB] OS=[Unix] Server=[Samba 4.1.4]

  Sharename       Type      Comment
  ---------       ----      -------
  netlogon        Disk      
  sysvol          Disk      
  IPC$            IPC       IPC Service (Samba 4.1.4)
Domain=[LAB] OS=[Unix] Server=[Samba 4.1.4]

  Server               Comment
  ---------            -------

  Workgroup            Master
  ---------            -------

Now let's test authentication against the shares

smbclient //localhost/netlogon -UAdministrator%'sen@134*' -c 'ls'
Domain=[LAB] OS=[Unix] Server=[Samba 4.1.4]
  .                                   D        0  Mon Aug 19 14:15:45 2013
  ..                                  D        0  Mon Aug 19 14:16:33 2013

    44993 blocks of size 65536. 8004 blocks available

Let's check the Samba configuration

testparm
Load smb config files from /usr/local/samba/etc/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[netlogon]"
Processing section "[sysvol]"
Loaded services file OK.
Server role: ROLE_ACTIVE_DIRECTORY_DC
Press enter to see a dump of your service definitions

[global]
  workgroup = LAB
  realm = lab.lan
  server role = active directory domain controller
  passdb backend = samba_dsdb
  log file = /var/log/samba/smbd.log
  max log size = 50
  load printers = No
  printcap name = /dev/null
  disable spoolss = Yes
  template shell = /bin/bash
  winbind enum users = Yes
  winbind enum groups = Yes
  winbind use default domain = Yes
  winbind nss info = rfc2307
  server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
  full_audit:priority = notice
  full_audit:facility = local5
  full_audit:prefix = %U|%I|%m|%S
  full_audit:failure = none
  full_audit:success = rmdir mkdir open write rename unlink
  recycle:keeptree = yes
  recycle:exclude = *.tmp *.TMP *.temp *.TEMP ~*
  recycle:repository = Lixeira
  idmap config LAB:range = 500-40000
  idmap config LAB:schema_mode = rfc2307
  idmap config LAB:backend = ad
  idmap config *:range = 70001-80000
  idmap_ldb:use rfc2307 = yes
  rpc_server:default = external
  rpc_server:svcctl = embedded
  rpc_server:srvsvc = embedded
  rpc_server:eventlog = embedded
  rpc_server:ntsvcs = embedded
  rpc_server:winreg = embedded
  rpc_server:spoolss = embedded
  rpc_daemon:spoolssd = embedded
  rpc_server:tcpip = no
  idmap config * : backend = tdb
  printing = bsd
  print command = lpr -r -P'%p' %s
  lpq command = lpq -P'%p'
  lprm command = lprm -P'%p' %j
  delete veto files = Yes
  veto files = /*.mp3/*.wav/*.exe/*.cmd/*.adm/*.inf/*.ini/*.pif
  map archive = No
  map readonly = no
  store dos attributes = Yes
  dos filemode = Yes
  vfs objects = recycle, full_audit

[netlogon]
  path = /usr/local/samba/var/locks/sysvol/lab.lan/scripts
  read only = No

[sysvol]
  path = /usr/local/samba/var/locks/sysvol
  read only = No
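Notice that testparm reports vfs objects = recycle, full_audit: the smb.conf above sets vfs objects twice (and full_audit:failure twice), and Samba keeps the last definition, so the dfs_samba4 and acl_xattr modules listed first never load. As an added example (not the tutorial's or Samba's own code), here is a small check that finds parameters defined more than once in a section and reports which value wins; it reads smb.conf syntax in a simplified way, and the embedded excerpt is constructed from the tutorial's [global] section.

```python
"""Flag parameters that are set more than once inside one smb.conf section.

Added example, not part of the original tutorial or of Samba itself. It reads
smb.conf syntax the simple way (sections in [brackets], "key = value" lines,
'#' and ';' comments) and assumes Samba's last-definition-wins behaviour,
which is what testparm showed for "vfs objects".
"""
import re
from collections import OrderedDict

# Constructed excerpt of the tutorial's [global] section, keeping the two
# parameters that appear twice.
SAMPLE_SMB_CONF = """\
[global]
  workgroup = LAB
  realm = lab.lan
  vfs objects = dfs_samba4, acl_xattr
  #DISABLING PRINTERS
  load printers = no
  vfs objects = recycle full_audit
  full_audit:success = rmdir mkdir open write rename unlink
  full_audit:failure = rmdir mkdir open write rename unlink
  full_audit:failure = none

[sysvol]
  path = /usr/local/samba/var/locks/sysvol
  read only = No
"""

_SECTION = re.compile(r"^\[(?P<name>[^\]]+)\]$")


def normalize_key(key):
    """smb.conf keys are case-insensitive and ignore internal whitespace,
    so 'idmap config * : backend' and 'idmap config *:backend' are one key."""
    return "".join(key.split()).lower()


def parse_smb_conf(text):
    """Return {section: {key: [value, ...]}} keeping every definition in order."""
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group("name")
            sections.setdefault(current, OrderedDict())
            continue
        if current is None or "=" not in line:
            continue  # parameter outside any section, or malformed line
        key, value = line.split("=", 1)
        sections[current].setdefault(normalize_key(key), []).append(value.strip())
    return sections


def find_duplicates(text):
    """Return [(section, key, effective_value, shadowed_values)] for keys
    defined more than once; the effective value is the last one (last wins)."""
    findings = []
    for section, params in parse_smb_conf(text).items():
        for key, values in params.items():
            if len(values) > 1:
                findings.append((section, key, values[-1], values[:-1]))
    return findings


if __name__ == "__main__":
    for section, key, effective, shadowed in find_duplicates(SAMPLE_SMB_CONF):
        print("[%s] %s set %d times; effective=%r, shadowed=%r"
              % (section, key, len(shadowed) + 1, effective, shadowed))
```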

Now let's adjust /etc/security/limits.conf so Samba stops reporting errors

vim /etc/security/limits.conf
#add at the end of the file
root hard nofile 131072
root soft nofile 65536
mioutente hard nofile 32768
mioutente soft nofile 16384

Now let's list the samba processes

ps aux | egrep samba
root      1231  0.0  8.8 512872 44888 ?        Ss   09:55   0:00 /usr/local/samba/sbin/samba
root      1233  0.0  6.3 512872 32084 ?        S    09:55   0:00 /usr/local/samba/sbin/samba
root      1234  0.0  6.4 512872 32964 ?        S    09:55   0:00 /usr/local/samba/sbin/samba
root      1235  0.0  6.6 512872 33732 ?        S    09:55   0:00 /usr/local/samba/sbin/samba
root      1236  0.0  6.3 512872 32056 ?        S    09:55   0:00 /usr/local/samba/sbin/samba
root      1237  0.0  6.5 512872 33440 ?        S    09:55   0:00 /usr/local/samba/sbin/samba
root      1238  0.0  6.4 512872 32652 ?        S    09:55   0:00 /usr/local/samba/sbin/samba
root      1239  0.0  6.7 512872 34188 ?        S    09:55   0:00 /usr/local/samba/sbin/samba
root      1240  0.0  6.5 512872 33472 ?        S    09:55   0:00 /usr/local/samba/sbin/samba
root      1241  0.0  6.6 516332 33776 ?        S    09:55   0:00 /usr/local/samba/sbin/samba
root      1242  0.0  6.3 512872 32172 ?        S    09:55   0:00 /usr/local/samba/sbin/samba
root      1243  0.0  7.9 512872 40388 ?        S    09:55   0:00 /usr/local/samba/sbin/samba
root      1244  0.0  6.5 512872 33132 ?        S    09:55   0:00 /usr/local/samba/sbin/samba
root      1245  0.0  9.0 470044 46176 ?        Ss   09:55   0:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
root      1247  0.0  6.7 513292 34192 ?        S    09:55   0:00 /usr/local/samba/sbin/samba
root      1250  0.0  6.3 470052 32320 ?        S    09:55   0:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
root      1295  0.0  0.1   7792   880 pts/0    S+   10:03   0:00 egrep samba

Now let's adjust /etc/resolv.conf to use our samba server's IP

vim /etc/resolv.conf
domain lab.lan
search lab.lan
nameserver 192.168.0.131

Now let's restart bind

/etc/init.d/bind9 restart

Now let's test with nslookup

nslookup lab.lan
Server:   192.168.0.131
Address:  192.168.0.131#53

Name: lab.lan
Address: 192.168.0.131

Now let's adjust the kerberos file

Let's back it up first

cp /etc/krb5.conf /etc/krb5.conf.old

Now let's remove the original

rm -rf /etc/krb5.conf

Now let's link in the kerberos file used by samba

ln -sf /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf

Now let's adjust its configuration

vim /etc/krb5.conf
[libdefaults]
  default_realm = LAB.LAN
  dns_lookup_realm = false
  dns_lookup_kdc = true

Now let's obtain a kerberos ticket for the administrator user

kinit administrator@LAB.LAN
Password for administrator@LAB.LAN: 
Warning: Your password will expire in 41 days on Mon Sep 30 14:16:22 2013

Now let's list our ticket

klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@LAB.LAN

Valid starting       Expires              Service principal
19-08-2013 14:24:03  20-08-2013 00:24:03  krbtgt/LAB.LAN@LAB.LAN
  renew until 20-08-2013 14:24:00

Now let's test our samba authentication using the kerberos ticket

smbclient -k //pdc.lab.lan/netlogon -c 'ls'
Domain=[LAB] OS=[Unix] Server=[Samba 4.1.4]
  .                                   D        0  Mon Aug 19 14:15:45 2013
  ..                                  D        0  Mon Aug 19 14:16:33 2013

    44993 blocks of size 65536. 8004 blocks available

To use the kerberos ticket we need to pass the name of our DC, in my case debian.lab.lan; if we pass only localhost we get the following error.

smbclient -k //localhost/netlogon -c 'ls'
ads_krb5_mk_req: smb_krb5_get_credentials failed for cifs/localhost@LAB.LAN (Server not found in Kerberos database)
cli_session_setup_kerberos: spnego_gen_krb5_negTokenInit failed: Server not found in Kerberos database
session setup failed: NT_STATUS_UNSUCCESSFUL

This error is discussed at the following link http://lists.samba.org/archive/samba-technical/2011-June/078134.html

Now let's set up the ntp server

aptitude install ntp -y

Now let's back up our configuration file

cp /etc/ntp.conf /etc/ntp.conf.old

Now let's make it look like this

vim /etc/ntp.conf
server 127.127.1.0
fudge  127.127.1.0 stratum 10
server a.ntp.br iburst prefer
server 0.pool.ntp.org  iburst prefer
server 1.pool.ntp.org  iburst prefer
driftfile /var/lib/ntp/ntp.drift
logfile /var/log/ntp
ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/
restrict default kod nomodify notrap nopeer mssntp
restrict 127.0.0.1
restrict a.ntp.br mask 255.255.255.255 nomodify notrap nopeer noquery
restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery

Now let's restart the service

/etc/init.d/ntp restart

Now let's query the ntp service

ntpq -p 127.0.0.1
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 LOCAL(0)        .LOCL.          10 l   26   64    1    0.000    0.000   0.000
+a.ntp.br        200.160.7.186    2 u   15   64    1   11.543    4.363   0.306
 0.pool.ntp.org  .INIT.          16 u    -   64    0    0.000    0.000   0.000
*1.pool.ntp.org  200.160.7.186    2 u   13   64    1    6.470    5.146   0.305

Now let's adjust the permissions for ntp

chgrp ntp /usr/local/samba/var/lib/ntp_signd

Now let's create the samba init script

vim /etc/init.d/samba
#! /bin/sh

### BEGIN INIT INFO
# Provides:          samba4
# Required-Start:    $network $local_fs $remote_fs
# Required-Stop:     $network $local_fs $remote_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: start Samba daemons
### END INIT INFO

#
# Start/stops the Samba daemon (samba).
# Adapted from the Samba 3 packages.
#

PIDDIR=/usr/local/samba/var/run
SAMBAPID=$PIDDIR/samba.pid

# clear conflicting settings from the environment
unset TMPDIR

# See if the daemon and the config file are there
test -x /usr/local/samba/sbin/samba -a -r /usr/local/samba/etc/smb.conf || exit 0

. /lib/lsb/init-functions

case "$1" in
  start)
    log_daemon_msg "Starting Samba 4 daemon" "samba"
    # Make sure we have our PIDDIR, even if it's on a tmpfs
    install -o root -g root -m 755 -d $PIDDIR

    if ! start-stop-daemon --start --quiet --oknodo --exec /usr/local/samba/sbin/samba -- -D; then
      log_end_msg 1
      exit 1
    fi

    log_end_msg 0
    ;;
  stop)
    log_daemon_msg "Stopping Samba 4 daemon" "samba"

    # match the daemon by name and by the PID file it writes
    start-stop-daemon --stop --quiet --name samba --pidfile $SAMBAPID
    # Wait a little and remove stale PID file
    sleep 1
    if [ -f $SAMBAPID ] && ! ps h `cat $SAMBAPID` > /dev/null
    then
      # Stale PID file (samba was successfully stopped),
      # remove it (should be removed by samba itself IMHO.)
      rm -f $SAMBAPID
    fi

    log_end_msg 0

    ;;
  restart|force-reload)
    $0 stop
    sleep 1
    $0 start
    ;;
  *)
    echo "Usage: /etc/init.d/samba {start|stop|restart|force-reload}"
    exit 1
    ;;
esac

exit 0

Let's make the script executable

chmod +x /etc/init.d/samba

Now let's add the script to system startup

insserv -f -v samba

Now let's check whether our BIND_DLZ is working

samba_dnsupdate --verbose
IPs: ['192.168.0.52']
Looking for DNS entry A lab.lan 192.168.0.52 as lab.lan.
Looking for DNS entry A debian.lab.lan 192.168.0.52 as debian.lab.lan.
Looking for DNS entry A gc._msdcs.lab.lan 192.168.0.52 as gc._msdcs.lab.lan.
Looking for DNS entry CNAME 4600bb8b-c1f6-47b0-ae75-a31c9ef70281._msdcs.lab.lan debian.lab.lan as 4600bb8b-c1f6-47b0-ae75-a31c9ef70281._msdcs.lab.lan.
Looking for DNS entry SRV _kpasswd._tcp.lab.lan debian.lab.lan 464 as _kpasswd._tcp.lab.lan.
Checking 0 100 464 debian.lab.lan. against SRV _kpasswd._tcp.lab.lan debian.lab.lan 464
Looking for DNS entry SRV _kpasswd._udp.lab.lan debian.lab.lan 464 as _kpasswd._udp.lab.lan.
Checking 0 100 464 debian.lab.lan. against SRV _kpasswd._udp.lab.lan debian.lab.lan 464
Looking for DNS entry SRV _kerberos._tcp.lab.lan debian.lab.lan 88 as _kerberos._tcp.lab.lan.
Checking 0 100 88 debian.lab.lan. against SRV _kerberos._tcp.lab.lan debian.lab.lan 88
Looking for DNS entry SRV _kerberos._tcp.dc._msdcs.lab.lan debian.lab.lan 88 as _kerberos._tcp.dc._msdcs.lab.lan.
Checking 0 100 88 debian.lab.lan. against SRV _kerberos._tcp.dc._msdcs.lab.lan debian.lab.lan 88
Looking for DNS entry SRV _kerberos._tcp.default-first-site-name._sites.lab.lan debian.lab.lan 88 as _kerberos._tcp.default-first-site-name._sites.lab.lan.
Checking 0 100 88 debian.lab.lan. against SRV _kerberos._tcp.default-first-site-name._sites.lab.lan debian.lab.lan 88
Looking for DNS entry SRV _kerberos._tcp.default-first-site-name._sites.dc._msdcs.lab.lan debian.lab.lan 88 as _kerberos._tcp.default-first-site-name._sites.dc._msdcs.lab.lan.
Checking 0 100 88 debian.lab.lan. against SRV _kerberos._tcp.default-first-site-name._sites.dc._msdcs.lab.lan debian.lab.lan 88
Looking for DNS entry SRV _kerberos._udp.lab.lan debian.lab.lan 88 as _kerberos._udp.lab.lan.
Checking 0 100 88 debian.lab.lan. against SRV _kerberos._udp.lab.lan debian.lab.lan 88
Looking for DNS entry SRV _ldap._tcp.lab.lan debian.lab.lan 389 as _ldap._tcp.lab.lan.
Checking 0 100 389 debian.lab.lan. against SRV _ldap._tcp.lab.lan debian.lab.lan 389
Looking for DNS entry SRV _ldap._tcp.dc._msdcs.lab.lan debian.lab.lan 389 as _ldap._tcp.dc._msdcs.lab.lan.
Checking 0 100 389 debian.lab.lan. against SRV _ldap._tcp.dc._msdcs.lab.lan debian.lab.lan 389
Looking for DNS entry SRV _ldap._tcp.gc._msdcs.lab.lan debian.lab.lan 3268 as _ldap._tcp.gc._msdcs.lab.lan.
Checking 0 100 3268 debian.lab.lan. against SRV _ldap._tcp.gc._msdcs.lab.lan debian.lab.lan 3268
Looking for DNS entry SRV _ldap._tcp.pdc._msdcs.lab.lan debian.lab.lan 389 as _ldap._tcp.pdc._msdcs.lab.lan.
Checking 0 100 389 debian.lab.lan. against SRV _ldap._tcp.pdc._msdcs.lab.lan debian.lab.lan 389
Looking for DNS entry SRV _ldap._tcp.default-first-site-name._sites.lab.lan debian.lab.lan 389 as _ldap._tcp.default-first-site-name._sites.lab.lan.
Checking 0 100 389 debian.lab.lan. against SRV _ldap._tcp.default-first-site-name._sites.lab.lan debian.lab.lan 389
Looking for DNS entry SRV _ldap._tcp.default-first-site-name._sites.dc._msdcs.lab.lan debian.lab.lan 389 as _ldap._tcp.default-first-site-name._sites.dc._msdcs.lab.lan.
Checking 0 100 389 debian.lab.lan. against SRV _ldap._tcp.default-first-site-name._sites.dc._msdcs.lab.lan debian.lab.lan 389
Looking for DNS entry SRV _ldap._tcp.default-first-site-name._sites.gc._msdcs.lab.lan debian.lab.lan 3268 as _ldap._tcp.default-first-site-name._sites.gc._msdcs.lab.lan.
Checking 0 100 3268 debian.lab.lan. against SRV _ldap._tcp.default-first-site-name._sites.gc._msdcs.lab.lan debian.lab.lan 3268
Looking for DNS entry SRV _ldap._tcp.86f256e1-a77b-4a83-bddd-96acf7a0c89f.domains._msdcs.lab.lan debian.lab.lan 389 as _ldap._tcp.86f256e1-a77b-4a83-bddd-96acf7a0c89f.domains._msdcs.lab.lan.
Checking 0 100 389 debian.lab.lan. against SRV _ldap._tcp.86f256e1-a77b-4a83-bddd-96acf7a0c89f.domains._msdcs.lab.lan debian.lab.lan 389
Looking for DNS entry SRV _gc._tcp.lab.lan debian.lab.lan 3268 as _gc._tcp.lab.lan.
Checking 0 100 3268 debian.lab.lan. against SRV _gc._tcp.lab.lan debian.lab.lan 3268
Looking for DNS entry SRV _gc._tcp.default-first-site-name._sites.lab.lan debian.lab.lan 3268 as _gc._tcp.default-first-site-name._sites.lab.lan.
Checking 0 100 3268 debian.lab.lan. against SRV _gc._tcp.default-first-site-name._sites.lab.lan debian.lab.lan 3268
No DNS updates needed

Now let's create the reverse zone

samba-tool dns zonecreate lab.lan 1.168.192.in-addr.arpa -UAdministrator --password='sen@134*'

Let's create the reverse record for our pdc

samba-tool dns add pdc 1.168.192.in-addr.arpa 49 PTR pdc.lab.lan -Uadministrator --password='sen@134*'
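The reverse zone just created is 1.168.192.in-addr.arpa (192.168.1.0/24), while the DC was introduced at the top as 192.168.0.49/24, so a PTR for label 49 in that zone answers for 192.168.1.49. This added helper (not part of the tutorial or of samba-tool) derives the in-addr.arpa zone and the PTR label from the subnet the host actually sits on, for /8, /16 and /24 networks, and builds the samba-tool commands without --password so the secret stays out of shell history and process listings (samba-tool prompts for it).

```python
"""Derive the in-addr.arpa zone and PTR label for a host address.

Added example, not from the tutorial or from samba-tool. Standard library only.
Handles /8, /16 and /24 networks, the prefix lengths a classful in-addr.arpa
zone can express directly (anything else needs RFC 2317 style delegation).
"""
import ipaddress


def reverse_zone(network):
    """'192.168.0.0/24' -> '0.168.192.in-addr.arpa' (host bits are ignored)."""
    net = ipaddress.ip_network(network, strict=False)
    if net.prefixlen not in (8, 16, 24):
        raise ValueError("prefix /%d is not a classful reverse zone" % net.prefixlen)
    octets = str(net.network_address).split(".")
    kept = octets[: net.prefixlen // 8]        # network part, most significant first
    return ".".join(reversed(kept)) + ".in-addr.arpa"


def ptr_label(address, network):
    """Label for 'samba-tool dns add <server> <zone> <label> PTR <fqdn>'.
    '192.168.0.49' in '192.168.0.0/24' -> '49'; in a /16 the label is 'd.c'."""
    net = ipaddress.ip_network(network, strict=False)
    addr = ipaddress.ip_address(address)
    if addr not in net:
        raise ValueError("%s is not inside %s" % (address, network))
    octets = str(addr).split(".")
    return ".".join(reversed(octets[net.prefixlen // 8 :]))


def samba_tool_ptr_commands(dc_fqdn, address, network, dns_server):
    """Build the zonecreate and PTR add commands for one host. The password is
    left out on purpose: samba-tool asks for it when -U is given alone."""
    zone = reverse_zone(network)
    label = ptr_label(address, network)
    return [
        "samba-tool dns zonecreate %s %s -UAdministrator" % (dns_server, zone),
        "samba-tool dns add %s %s %s PTR %s -UAdministrator"
        % (dns_server, zone, label, dc_fqdn),
    ]


if __name__ == "__main__":
    # The DC as listed at the top of the tutorial: 192.168.0.49/24
    for cmd in samba_tool_ptr_commands("debian.lab.lan", "192.168.0.49", "192.168.0.0/24", "lab.lan"):
        print(cmd)
```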

Now let's create a basic print share

First let's create the print spool directory and set its permissions

mkdir /usr/local/samba/var/spool
chmod 1777 /usr/local/samba/var/spool

Now let's add our print share to the samba configuration

vim /usr/local/samba/etc/smb.conf
# Global parameters
[...]

[printers]
    comment = All Printers
    path = /usr/local/samba/var/spool
    browseable = Yes
    read only = No
    printable = Yes

Now we need to create the directories that will hold the printer drivers, which the Windows client always looks for when installing a printer

mkdir -p /usr/local/samba/var/print/{COLOR,IA64,W32ALPHA,W32MIPS,W32PPC,W32X86,WIN40,x64}

Now let's create one more share in samba

vim /usr/local/samba/etc/smb.conf
# Global parameters
[...]

[printers]
    comment = All Printers
    path = /usr/local/samba/var/spool
    browseable = Yes
    read only = No
    printable = Yes

[print$]
    comment = Point and Print Printer Drivers
    path = /usr/local/samba/var/print
    read only = No

Now let's reload samba

killall -HUP samba

To add a printer

  • Log in on the client computer as the domain Administrator
  • Click Start → Run and type '\\debian.lab.lan\'
  • In the list of shares, double-click 'Printers and Faxes'
  • Click File → Server Properties
  • On the Drivers tab, click 'Add…', then 'Next'

  • In the options menu, choose the driver of the printer you want to install and select 'Next'

Now choose the drivers for your architecture. If there is no driver for your architecture you will be asked to insert media with the drivers

  • Now close the drivers window
  • Now right-click the printer drivers and select Properties
  • On the Advanced tab, choose the driver that was just installed

Adding an XP machine to the Samba4 domain

Let's open the network interface settings

  • Start menu/Run, type ncpa.cpl

Let's set the DNS address to the samba server's IP

It should look like the screen below.

Now let's test the dns

nslookup debian.lab.lan
*** Não é possível encontrar o nome de servidor para o endereço 192.168.0.131: No information
*** Os servidores padrão não estão disponíveis
Servidor: UnKnown
Address: 192.168.0.131

Nome = debian.lab.lan
Address: 192.168.0.131

Now we need to set the time and timezone on this machine to match the samba server

Let's open the settings

  • Start menu/Run, type timedate.cpl

Set your time here

On the Time Zone tab choose your location

Now let's join the domain

  • Start menu/Run, type sysdm.cpl
  • Select the Computer Name tab.
  • Now select Change

Under Domain, enter lab.lan

Now select OK

We will get a dialog like the one below; enter the user administrator and the password that was set for it when the samba domain was created.

If all goes well we get the following message

When we select OK we get the following message.

Now just select OK, OK again and Yes to reboot the machine.

When it boots we get the following screen

Now we need to press ctrl + alt + del

Under Log on to, select LAB

The user is administrator with its password.

Installing the Windows Remote Administration Tools on Windows

Links to get the Windows Remote Administration Tools:

Note: when installing RSAT on Windows 8/7/Vista, after the install we have to go to Programs in the Control Panel, "Turn Windows features on or off", and enable the administrative tools.

After getting the package we need to run it

Installing

Installation complete

Installed tools

Now let's open the Active Directory Users and Computers MMC, from Administrative Tools or via Run with dsa.msc

We get something like the screen below.

Here we can create users, groups, computers and GPOs

Example of the objects we can create

Example of the user creation screen

Example of the GPO screen

We can also manage DNS via MMC: in Administrative Tools open DNS

Example of the DNS configuration screen

We can also create users from the command line

samba-tool user add nerso
New Password: 
Retype Password: 
User 'nerso' created successfully

Now let's look at it in the AD users list

Now let's set up roaming profiles

Let's adjust the samba configuration file

vim /usr/local/samba/etc/smb.conf
# Global parameters
[global]
        workgroup = LAB
        realm = LAB.LAN
        netbios name = DEBIAN
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/lab.lan/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

[printers]
    comment = All Printers
    path = /usr/local/samba/var/spool
    browseable = Yes
    read only = No
    printable = Yes

[print$]
    comment = Point and Print Printer Drivers
    path = /usr/local/samba/var/print
    read only = No

[profiles]
      path = /usr/local/samba/var/profiles
      read only = no

Let's create the directory to store the profiles

mkdir /usr/local/samba/var/profiles

Now let's set the permissions

chmod -R 1777 /usr/local/samba/var/profiles

Now let's reload Samba

killall -HUP samba

Now let's adjust the profile of the user douglas.santos

Now let's log in with the user.

When we log on, a folder with our user name will be created on the server in /usr/local/samba/var/profiles

ls -l /usr/local/samba/var/profiles
total 8
drwxrws---+ 2 3000019 staff 4096 Fev 24 13:19 douglas.santos/

Note that our directory has the + sign, meaning it carries an ACL; let's list it

getfacl -p /usr/local/samba/var/profiles/douglas.santos
# file: /usr/local/samba/var/profiles/douglas.santos
# owner: 3000019
# group: staff
# flags: -s-
user::rwx
group::---
group:staff:---
group:3000002:rwx
group:3000019:rwx
mask::rwx
other::---
default:user::rwx
default:user:3000019:rwx
default:group::---
default:group:staff:---
default:group:3000002:rwx
default:group:3000019:rwx
default:mask::rwx
default:other::---
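
As an added example (not part of the original page), here is a Python parser for getfacl output like the listing above. It applies the ACL mask the way POSIX ACLs do, so you can see which entries really grant access, and flags a profile directory that "other" can reach. The sample ACL is a constructed copy of the listing above.

```python
"""Parse getfacl(1) output for a roaming-profile directory and compute the
effective permissions, applying the ACL mask the way POSIX ACLs do."""

PERM_BITS = {"r": 4, "w": 2, "x": 1}

# Constructed sample: a copy of the getfacl listing shown above for
# /usr/local/samba/var/profiles/douglas.santos (IDs are winbind-allocated).
SAMPLE_GETFACL = """\
# file: /usr/local/samba/var/profiles/douglas.santos
# owner: 3000019
# group: staff
# flags: -s-
user::rwx
group::---
group:staff:---
group:3000002:rwx
group:3000019:rwx
mask::rwx
other::---
default:user::rwx
default:user:3000019:rwx
default:group::---
default:group:staff:---
default:group:3000002:rwx
default:group:3000019:rwx
default:mask::rwx
default:other::---
"""


def perms_to_int(perms):
    """'rwx' -> 7, 'r-x' -> 5, '---' -> 0."""
    return sum(PERM_BITS.get(c, 0) for c in perms)


def parse_getfacl(text):
    """Return a dict with the header fields (file, owner, group, flags) plus
    'access' and 'default' lists of (tag, qualifier, permission bits)."""
    acl = {"access": [], "default": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):                      # header, e.g. "# owner: 3000019"
            key, _, value = line[1:].partition(":")
            acl[key.strip()] = value.strip()
            continue
        scope = "access"
        if line.startswith("default:"):               # inherited by new children
            scope, line = "default", line[len("default:"):]
        tag, qualifier, perms = line.split(":")       # "group:3000002:rwx"
        acl[scope].append((tag, qualifier, perms_to_int(perms)))
    return acl


def effective_perms(entries):
    """Map 'tag:qualifier' -> effective bits. The owning group, named users and
    named groups are ANDed with the mask entry; the owner and 'other' are not."""
    mask = next((p for tag, _, p in entries if tag == "mask"), 7)
    effective = {}
    for tag, qualifier, perms in entries:
        if tag == "mask":
            continue
        limited = tag == "group" or (tag == "user" and qualifier != "")
        effective[f"{tag}:{qualifier}"] = perms & mask if limited else perms
    return effective


def audit_profile_dir(acl):
    """Defender-side checks for one profile directory.

    Returns (problems, grantees): problems is a list of findings, grantees the
    named entries that still have some access once the mask is applied."""
    problems = []
    for scope in ("access", "default"):
        if effective_perms(acl[scope]).get("other:", 0):
            problems.append(f"{scope} ACL lets 'other' into the profile")
    eff = effective_perms(acl["access"])
    if eff.get("user:") != 7:
        problems.append("owner lacks rwx on the profile")
    grantees = sorted(k for k, v in eff.items() if v and k not in ("user:", "other:"))
    return problems, grantees


if __name__ == "__main__":
    acl = parse_getfacl(SAMPLE_GETFACL)
    problems, grantees = audit_profile_dir(acl)
    print(acl["file"], "owner", acl["owner"], "flags", acl["flags"])
    print("effective:", effective_perms(acl["access"]))
    print("problems:", problems or "none", "| grantees:", grantees)
```

Run it against `getfacl -p <dir>` output piped into a file to audit every directory under the profiles share; the mask demonstration matters because `group::---` and `mask::rwx` together mean the owning group gets nothing while the two winbind groups keep rwx.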

Now when we log off the files will be saved inside the directory

ls -l /usr/local/samba/var/profiles/douglas.santos
total 624
drwxrws---+ 2 3000019 users   4096 Fev 23 13:44 Ambiente\ de\ impressão/
drwxrws---+ 2 3000019 users   4096 Fev 23 13:44 Ambiente\ de\ rede/
drwxrws---+ 2 3000019 users   4096 Fev 23 16:50 Cookies/
drwxrws---+ 4 3000019 users   4096 Fev 24 13:19 Dados\ de\ aplicativos/
drwxrws---+ 2 3000019 users   4096 Fev 23 13:44 Desktop/
drwxrws---+ 3 3000019 users   4096 Fev 24 13:19 Favoritos/
drwxrws---+ 3 3000019 users   4096 Fev 23 13:44 Menu\ Iniciar/
drwxrws---+ 4 3000019 users   4096 Fev 24 13:19 Meus\ documentos/
drwxrws---+ 2 3000019 users   4096 Fev 23 16:48 Modelos/
-rwxrwx---+ 1 3000019 users 524288 Fev 24 13:22 NTUSER.DAT*
-rwxrwx---+ 1 3000019 users   1024 Fev 24 13:22 NTUSER.DAT.LOG*
-rwxrwx---+ 1 3000019 users    300 Fev 24 13:22 ntuser.ini*
drwxrws---+ 2 3000019 users   4096 Fev 24 13:19 Recent/
drwxrws---+ 2 3000019 users   4096 Fev 24 13:19 SendTo/

Adjusting authentication

vim /etc/nsswitch.conf 
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat winbind
group:            compat winbind
shadow:         compat

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

Adjusting PAM

ln -sf /usr/local/samba/lib/security/pam_winbind.so /lib/x86_64-linux-gnu/security/pam_winbind.so

For 64-bit systems we need to do it as follows

ln -s /usr/local/samba/lib/libnss_winbind.so.2 /usr/lib/x86_64-linux-gnu/libnss_winbind.so
ln -s /usr/lib/x86_64-linux-gnu/libnss_winbind.so /usr/lib/x86_64-linux-gnu/libnss_winbind.so.2
ldconfig

Now let's check whether it is loaded in the system

ldconfig -v | grep winbind
ldconfig: Path `/lib/x86_64-linux-gnu' given more than once
ldconfig: Path `/usr/lib/x86_64-linux-gnu' given more than once
  libnss_winbind.so -> libnss_winbind.so.2

Now let's list the local and domain users with getent passwd

getent passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
Debian-exim:x:101:103::/var/spool/exim4:/bin/false
statd:x:102:65534::/var/lib/nfs:/bin/false
sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin
douglas:x:1000:1000:douglas,,,:/home/douglas:/bin/bash
postfix:x:104:107::/var/spool/postfix:/bin/false
messagebus:x:105:109::/var/run/dbus:/bin/false
bind:x:106:110::/var/cache/bind:/bin/false
ntp:x:107:111::/home/ntp:/bin/false
LAB\Administrator:*:0:100::/home/LAB/Administrator:/bin/bash
LAB\Guest:*:3000011:3000012::/home/LAB/Guest:/bin/bash
LAB\krbtgt:*:3000017:100::/home/LAB/krbtgt:/bin/bash
LAB\dns-pdc:*:3000018:100::/home/LAB/dns-pdc:/bin/bash

Now let's query the Administrator user's information

id Administrator
uid=0(root) gid=100(users) grupos=0(root),100(users),3000004(LAB\Group Policy Creator Owners),3000006(LAB\Enterprise Admins),3000008(LAB\Domain Admins),3000007(LAB\Schema Admins)

Now let's adjust the PAM on the PDC server

vim /etc/pam.d/common-auth
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
auth  sufficient  pam_winbind.so
auth  [success=2 default=ignore]  pam_krb5.so minimum_uid=1000
auth  [success=1 default=ignore]  pam_unix.so nullok_secure try_first_pass
# here's the fallback if no module succeeds
auth  requisite     pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth  required      pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
vim /etc/pam.d/common-account 
#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system.  The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.
#

# here are the per-package modules (the "Primary" block)
account sufficient pam_winbind.so
account [success=1 new_authtok_reqd=done default=ignore]  pam_unix.so
# here's the fallback if no module succeeds
account requisite     pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required      pam_permit.so
# and here are more per-package modules (the "Additional" block)
account required      pam_krb5.so minimum_uid=1000
# end of pam-auth-update config
vim /etc/pam.d/common-session
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
session required pam_mkhomedir.so skel=/etc/skel umask=0027
session required pam_winbind.so
session [default=1]     pam_permit.so
# here's the fallback if no module succeeds
session requisite     pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required      pam_permit.so
# and here are more per-package modules (the "Additional" block)
session optional      pam_krb5.so minimum_uid=1000
session required  pam_unix.so
# end of pam-auth-update config
vim /etc/pam.d/sshd
# PAM configuration for the Secure Shell service

# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
auth       required     pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
auth       required     pam_env.so envfile=/etc/default/locale

# Standard Un*x authentication.
@include common-auth

# Disallow non-root logins when /etc/nologin exists.
account    required     pam_nologin.so
#Allow connection from those groups
account    sufficient   pam_succeed_if.so user ingroup root
account    requisite    pam_succeed_if.so user ingroup ti-admin

# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account  required     pam_access.so

# Standard Un*x authorization.
@include common-account

# Standard Un*x session setup and teardown.
@include common-session

# Print the message of the day upon successful login.
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session    optional     pam_motd.so  motd=/run/motd.dynamic noupdate
session    optional     pam_motd.so # [1]

# Print the status of the user's mailbox upon successful login.
session    optional     pam_mail.so standard noenv # [1]

# Set up user limits from /etc/security/limits.conf.
session    required     pam_limits.so

# Set up SELinux capabilities (need modified pam)
# session  required     pam_selinux.so multiple

# Standard Un*x password updating.
@include common-password
vim /etc/pam.d/login 
#
# The PAM configuration file for the Shadow `login' service
#

# Enforce a minimal delay in case of failure (in microseconds).
# (Replaces the `FAIL_DELAY' setting from login.defs)
# Note that other modules may require another minimal delay. (for example,
# to disable any delay, you should add the nodelay option to pam_unix)
auth       optional   pam_faildelay.so  delay=3000000

# Outputs an issue file prior to each login prompt (Replaces the
# ISSUE_FILE option from login.defs). Uncomment for use
# auth       required   pam_issue.so issue=/etc/issue

# Disallows root logins except on tty's listed in /etc/securetty
# (Replaces the `CONSOLE' setting from login.defs)
#
# With the default control of this module:
#   [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die]
# root will not be prompted for a password on insecure lines.
# if an invalid username is entered, a password is prompted (but login
# will eventually be rejected)
#
# You can change it to a "requisite" module if you think root may mis-type
# her login and should not be prompted for a password in that case. But
# this will leave the system as vulnerable to user enumeration attacks.
#
# You can change it to a "required" module if you think it permits to
# guess valid user names of your system (invalid user names are considered
# as possibly being root on insecure lines), but root passwords may be
# communicated over insecure lines.
auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so

# Disallows other than root logins when /etc/nologin exists
# (Replaces the `NOLOGINS_FILE' option from login.defs)
auth       requisite  pam_nologin.so

#Allow connection from those groups
account    sufficient   pam_succeed_if.so user ingroup root
account    requisite    pam_succeed_if.so user ingroup ti-admin

# SELinux needs to be the first session rule. This ensures that any 
# lingering context has been cleared. Without this it is possible 
# that a module could execute code in the wrong domain.
# When the module is present, "required" would be sufficient (When SELinux
# is disabled, this returns success.)
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close

# This module parses environment configuration file(s)
# and also allows you to use an extended config
# file /etc/security/pam_env.conf.
# 
# parsing /etc/environment needs "readenv=1"
session       required   pam_env.so readenv=1
# locale variables are also kept into /etc/default/locale in etch
# reading this file *in addition to /etc/environment* does not hurt
session       required   pam_env.so readenv=1 envfile=/etc/default/locale

# Standard Un*x authentication.
@include common-auth

# This allows certain extra groups to be granted to a user
# based on things like time of day, tty, service, and user.
# Please edit /etc/security/group.conf to fit your needs
# (Replaces the `CONSOLE_GROUPS' option in login.defs)
auth       optional   pam_group.so

# Uncomment and edit /etc/security/time.conf if you need to set
# time restraints on logins.
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
# as well as /etc/porttime)
# account    requisite  pam_time.so

# Uncomment and edit /etc/security/access.conf if you need to
# set access limits.
# (Replaces /etc/login.access file)
# account  required       pam_access.so

# Sets up user limits according to /etc/security/limits.conf
# (Replaces the use of /etc/limits in old login)
session    required   pam_limits.so

# Prints the last login info upon successful login
# (Replaces the `LASTLOG_ENAB' option from login.defs)
session    optional   pam_lastlog.so

# Prints the message of the day upon successful login.
# (Replaces the `MOTD_FILE' option in login.defs)
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session    optional   pam_motd.so  motd=/run/motd.dynamic
session    optional   pam_motd.so

# Prints the status of the user's mailbox upon successful login
# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). 
#
# This also defines the MAIL environment variable
# However, userdel also needs MAIL_DIR and MAIL_FILE variables
# in /etc/login.defs to make sure that removing a user 
# also removes the user's mail spool file.
# See comments in /etc/login.defs
session    optional   pam_mail.so standard

# Standard Un*x account and session
@include common-account
@include common-session
@include common-password

# SELinux needs to intervene at login time to ensure that the process
# starts in the proper default security context. Only sessions which are
# intended to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
# When the module is present, "required" would be sufficient (When SELinux
# is disabled, this returns success.)

Adjusting sudo

visudo 
%ti-admin        ALL=(ALL:ALL) ALL

Configuring a Debian Wheezy client to authenticate against Samba 4

Prepare your system with the following script http://wiki.douglasqsantos.com.br/doku.php/confinicialwheezy_en so that no package or configuration is missing.

Let's update the repositories and upgrade the system

aptitude update && aptitude dist-upgrade -y

Now let's set the Debian environment variables

export DEBIAN_PRIORITY=critical
export DEBIAN_FRONTEND=noninteractive

Now let's install the dependencies

aptitude install samba samba-common smbclient winbind krb5-config libpam-krb5 cifs-utils  krb5-user -y

Now let's restore the Debian environment variables

unset DEBIAN_PRIORITY
unset DEBIAN_FRONTEND

Now let's adjust resolv.conf

vim /etc/resolv.conf
domain lab.lan
search lab.lan
nameserver 192.168.0.25
nameserver 192.168.0.26

Now let's set our server's clock

ntpdate -u a.ntp.br

Now let's adjust the Kerberos configuration file

vim /etc/krb5.conf
[libdefaults]
default_realm = LAB.LAN
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true
[realms]
LAB.LAN = {
kdc = 192.168.0.25
kdc = 192.168.0.26
admin_server = 192.168.0.25:749
default_server = 192.168.0.25
}
[domain_realm]
.lab.lan=LAB.LAN
lab.lan=LAB.LAN
[login]
krb4_convert = true
krb4_get_tickets = false
[kdc]
profile = /etc/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
[logging]
default = file:/var/log/krb5libs.log
kdc = file:/var/log/krb5kdc.log
admin_server = file:/var/log/kadmind.log

Now let's adjust limits.conf

vim /etc/security/limits.conf
[...]
# add at the end of the file
root hard nofile 131072
root soft nofile 65536
mioutente hard nofile 32768
mioutente soft nofile 16384

Now let's adjust smb.conf

vim /etc/samba/smb.conf
[global]
        workgroup = LAB
        security = ADS
        realm = LAB.LAN
        netbios name = DEBIAN
        encrypt passwords = yes
        idmap config * : backend = tdb
        idmap config * : range = 10000-30000
        idmap config LAB:backend = ad
        idmap config LAB:schema_mode = rfc2307
        auth methods = winbind
        winbind nss info = rfc2307
        winbind trusted domains only = no
        winbind use default domain = yes
        winbind enum users  = yes
        winbind enum groups = yes
        template shell = /bin/bash

Now let's adjust nsswitch.conf

vim /etc/nsswitch.conf
[...]
passwd:         compat winbind
group:            compat winbind

Now let's restart the services

/etc/init.d/samba restart
/etc/init.d/winbind restart

Now let's join the domain

net ads join lab.lan -U administrator

Now let's restart the services

/etc/init.d/samba restart
/etc/init.d/winbind restart

Now let's adjust PAM

vim /etc/pam.d/common-auth
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
auth  sufficient  pam_winbind.so
auth  [success=2 default=ignore]  pam_krb5.so minimum_uid=1000
auth  [success=1 default=ignore]  pam_unix.so nullok_secure try_first_pass
# here's the fallback if no module succeeds
auth  requisite     pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth  required      pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
vim /etc/pam.d/common-account 
#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system.  The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.
#

# here are the per-package modules (the "Primary" block)
account sufficient pam_winbind.so
account [success=1 new_authtok_reqd=done default=ignore]  pam_unix.so
# here's the fallback if no module succeeds
account requisite     pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required      pam_permit.so
# and here are more per-package modules (the "Additional" block)
account required      pam_krb5.so minimum_uid=1000
# end of pam-auth-update config
vim /etc/pam.d/common-session
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
session required pam_mkhomedir.so skel=/etc/skel umask=0027
session required pam_winbind.so
session [default=1]     pam_permit.so
# here's the fallback if no module succeeds
session requisite     pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required      pam_permit.so
# and here are more per-package modules (the "Additional" block)
session optional      pam_krb5.so minimum_uid=1000
session required  pam_unix.so
# end of pam-auth-update config
vim /etc/pam.d/sshd
# PAM configuration for the Secure Shell service

# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
auth       required     pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
auth       required     pam_env.so envfile=/etc/default/locale

# Standard Un*x authentication.
@include common-auth

# Disallow non-root logins when /etc/nologin exists.
account    required     pam_nologin.so
#Allow connection from those groups
account    sufficient   pam_succeed_if.so user ingroup root
account    requisite    pam_succeed_if.so user ingroup ti-admin

# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account  required     pam_access.so

# Standard Un*x authorization.
@include common-account

# Standard Un*x session setup and teardown.
@include common-session

# Print the message of the day upon successful login.
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session    optional     pam_motd.so  motd=/run/motd.dynamic noupdate
session    optional     pam_motd.so # [1]

# Print the status of the user's mailbox upon successful login.
session    optional     pam_mail.so standard noenv # [1]

# Set up user limits from /etc/security/limits.conf.
session    required     pam_limits.so

# Set up SELinux capabilities (need modified pam)
# session  required     pam_selinux.so multiple

# Standard Un*x password updating.
@include common-password
vim /etc/pam.d/login 
#
# The PAM configuration file for the Shadow `login' service
#

# Enforce a minimal delay in case of failure (in microseconds).
# (Replaces the `FAIL_DELAY' setting from login.defs)
# Note that other modules may require another minimal delay. (for example,
# to disable any delay, you should add the nodelay option to pam_unix)
auth       optional   pam_faildelay.so  delay=3000000

# Outputs an issue file prior to each login prompt (Replaces the
# ISSUE_FILE option from login.defs). Uncomment for use
# auth       required   pam_issue.so issue=/etc/issue

# Disallows root logins except on tty's listed in /etc/securetty
# (Replaces the `CONSOLE' setting from login.defs)
#
# With the default control of this module:
#   [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die]
# root will not be prompted for a password on insecure lines.
# if an invalid username is entered, a password is prompted (but login
# will eventually be rejected)
#
# You can change it to a "requisite" module if you think root may mis-type
# her login and should not be prompted for a password in that case. But
# this will leave the system as vulnerable to user enumeration attacks.
#
# You can change it to a "required" module if you think it permits to
# guess valid user names of your system (invalid user names are considered
# as possibly being root on insecure lines), but root passwords may be
# communicated over insecure lines.
auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so

# Disallows other than root logins when /etc/nologin exists
# (Replaces the `NOLOGINS_FILE' option from login.defs)
auth       requisite  pam_nologin.so

#Allow connection from those groups
account    sufficient   pam_succeed_if.so user ingroup root
account    requisite    pam_succeed_if.so user ingroup ti-admin

# SELinux needs to be the first session rule. This ensures that any 
# lingering context has been cleared. Without this it is possible 
# that a module could execute code in the wrong domain.
# When the module is present, "required" would be sufficient (When SELinux
# is disabled, this returns success.)
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close

# This module parses environment configuration file(s)
# and also allows you to use an extended config
# file /etc/security/pam_env.conf.
# 
# parsing /etc/environment needs "readenv=1"
session       required   pam_env.so readenv=1
# locale variables are also kept into /etc/default/locale in etch
# reading this file *in addition to /etc/environment* does not hurt
session       required   pam_env.so readenv=1 envfile=/etc/default/locale

# Standard Un*x authentication.
@include common-auth

# This allows certain extra groups to be granted to a user
# based on things like time of day, tty, service, and user.
# Please edit /etc/security/group.conf to fit your needs
# (Replaces the `CONSOLE_GROUPS' option in login.defs)
auth       optional   pam_group.so

# Uncomment and edit /etc/security/time.conf if you need to set
# time restraints on logins.
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
# as well as /etc/porttime)
# account    requisite  pam_time.so

# Uncomment and edit /etc/security/access.conf if you need to
# set access limits.
# (Replaces /etc/login.access file)
# account  required       pam_access.so

# Sets up user limits according to /etc/security/limits.conf
# (Replaces the use of /etc/limits in old login)
session    required   pam_limits.so

# Prints the last login info upon successful login
# (Replaces the `LASTLOG_ENAB' option from login.defs)
session    optional   pam_lastlog.so

# Prints the message of the day upon successful login.
# (Replaces the `MOTD_FILE' option in login.defs)
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session    optional   pam_motd.so  motd=/run/motd.dynamic
session    optional   pam_motd.so

# Prints the status of the user's mailbox upon successful login
# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). 
#
# This also defines the MAIL environment variable
# However, userdel also needs MAIL_DIR and MAIL_FILE variables
# in /etc/login.defs to make sure that removing a user 
# also removes the user's mail spool file.
# See comments in /etc/login.defs
session    optional   pam_mail.so standard

# Standard Un*x account and session
@include common-account
@include common-session
@include common-password

# SELinux needs to intervene at login time to ensure that the process
# starts in the proper default security context. Only sessions which are
# intended to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
# When the module is present, "required" would be sufficient (When SELinux
# is disabled, this returns success.)
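
Added example (not from the page): a small Python simulator of how Linux-PAM walks the "account" stack, built from the sshd and common-account files shown above (the same files appear in both the PDC and the client sections). It lets you verify what the two pam_succeed_if lines actually enforce: root passes immediately, members of ti-admin go on to the domain checks, and everyone else is refused before winbind is even consulted. The module answers (pam_nologin, pam_succeed_if, pam_winbind, pam_unix) are modelled for a given user, not real PAM calls.

```python
"""Simulate how Linux-PAM walks an 'account' stack, to check what the
pam_succeed_if group restriction in /etc/pam.d/sshd above really does.

Control-flag semantics follow pam.conf(5): the keywords are expanded to their
bracket equivalents, and ok/done/bad/die/ignore/N are applied the way libpam
does (the first failure is what gets returned, 'done' only ends the stack early
when nothing has failed yet, and a stack with no verdict is PAM_PERM_DENIED)."""
import re

KEYWORD_CONTROLS = {
    "required":   {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "new_authtok_reqd": "ok",   "default": "ignore"},
}

RULE_RE = re.compile(r"^(auth|account|session|password)\s+(\[[^\]]+\]|\w+)\s+(\S+)\s*(.*)$")

# Constructed copies of the account lines from the sshd and common-account
# files shown above (comments dropped, order preserved).
PAM_FILES = {
    "sshd": """
account    required     pam_nologin.so
account    sufficient   pam_succeed_if.so user ingroup root
account    requisite    pam_succeed_if.so user ingroup ti-admin
@include common-account
""",
    "common-account": """
account sufficient pam_winbind.so
account [success=1 new_authtok_reqd=done default=ignore]  pam_unix.so
account requisite     pam_deny.so
account required      pam_permit.so
account required      pam_krb5.so minimum_uid=1000
""",
}


def parse_stack(name, mtype, files=PAM_FILES):
    """Return [(module, args, control)] for one management type, expanding @include."""
    rules = []
    for raw in files[name].splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("@include"):
            rules.extend(parse_stack(line.split()[1], mtype, files))
            continue
        m = RULE_RE.match(line)
        if not m or m.group(1) != mtype:
            continue
        ctrl = m.group(2)
        control = (dict(t.split("=", 1) for t in ctrl[1:-1].split())
                   if ctrl.startswith("[") else KEYWORD_CONTROLS[ctrl])
        rules.append((m.group(3), m.group(4).split(), control))
    return rules


def run_stack(rules, outcome):
    """outcome(module, args) -> PAM return code name, e.g. 'success', 'auth_err'."""
    impression, status = None, None           # None = no module has voted yet
    i = 0
    while i < len(rules):
        module, args, control = rules[i]
        ret = outcome(module, args)
        action = control.get(ret, control.get("default", "bad"))
        skip = 0
        if action.isdigit():                   # "success=N": like ok, then jump N rules
            skip, action = int(action), "ok"
        if action in ("ok", "done"):
            if impression is None or (impression == "positive" and status == "success"):
                impression, status = "positive", ret
            if action == "done" and impression == "positive":
                break
        elif action in ("bad", "die"):
            if impression != "negative":        # the first failure is what gets returned
                impression, status = "negative", ret
            if action == "die":
                break
        i += 1 + skip                           # "ignore" contributes nothing
    return "perm_denied" if impression is None else status


def ssh_account_verdict(user, groups, domain_user=True, nologin=False):
    """Model the modules' answers for one user and evaluate the sshd account stack."""
    def outcome(module, args):
        if module == "pam_nologin.so":         # /etc/nologin blocks everyone but root
            return "auth_err" if nologin and user != "root" else "success"
        if module == "pam_succeed_if.so":      # args: ['user', 'ingroup', '<group>']
            return "success" if args[2] in groups else "auth_err"
        if module == "pam_winbind.so":         # only knows domain accounts
            return "success" if domain_user else "user_unknown"
        if module == "pam_unix.so":            # only knows local accounts
            return "user_unknown" if domain_user else "success"
        if module == "pam_deny.so":
            return "auth_err"
        return "success"                       # pam_permit, pam_krb5 in this model
    return run_stack(parse_stack("sshd", "account"), outcome)


if __name__ == "__main__":
    for who, grp in (("douglas.santos", {"domain users", "ti-admin"}),
                     ("douglas.santos", {"domain users"}), ("root", {"root"})):
        print(who, sorted(grp), "->", ssh_account_verdict(who, grp))
```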

Adjusting sudo

visudo 
%ti-admin        ALL=(ALL:ALL) ALL

Now let's test the connection with winbind

wbinfo -t
checking the trust secret for domain LAB via RPC calls succeeded

Now let's list the domain users

wbinfo -u
douglas.santos
administrator
dns-nodo1
krbtgt
guest

Let's list the groups

wbinfo -g
allowed rodc password replication group
enterprise read-only domain controllers
denied rodc password replication group
ti-admin
read-only domain controllers
group policy creator owners
ras and ias servers
domain controllers
enterprise admins
domain computers
cert publishers
dnsupdateproxy
domain admins
domain guests
schema admins
domain users
dnsadmins

Now let's test SSH access to this client

ssh douglas.santos@192.168.0.52
douglas.santos@192.168.0.52's password: 
Creating directory '/home/LAB/douglas.santos'.
Linux debian 3.2.0-4-amd64 #1 SMP Debian 3.2.46-1 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
[10:35:45] douglas.santos@debian [~] $ 

In the authentication logs we will see something like below

tail -f /var/log/auth.log
Aug 27 10:35:44 debian sshd[4852]: pam_krb5(sshd:auth): user douglas.santos authenticated as douglas.santos@LAB.LAN
Aug 27 10:35:44 debian sshd[4852]: Accepted password for douglas.santos from 192.168.0.130 port 51197 ssh2
Aug 27 10:35:44 debian sshd[4852]: pam_unix(sshd:session): session opened for user douglas.santos by (uid=0)

The client is authenticating successfully :D

Configurando um Cliente CentOS para autenticar no Samba 4

Prepare your system with the following script http://wiki.douglasqsantos.com.br/doku.php/confinicialcentos6_en so that no package or configuration is missing.

Let's install the dependencies it needs to become a member of the Samba 4 domain

yum install samba samba-winbind samba-winbind-devel samba-client samba-common \
 pam_krb5 cifs-utils samba-winbind-krb5-locator samba-doc krb5-workstation -y

Now let's add the services to the system startup

chkconfig --add nmb
chkconfig --add smb
chkconfig --add winbind

Now let's enable them

chkconfig nmb on
chkconfig smb on
chkconfig winbind on

Now let's adjust the client's resolv.conf so it resolves through the domain controllers

vim /etc/resolv.conf
domain lab.lan
search lab.lan
nameserver 192.168.0.25
nameserver 192.168.0.26

Now let's configure the network interface

vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE="eth0"
BOOTPROTO="static"
BROADCAST="192.168.0.255"
DNS1="192.168.0.25"
DNS2="192.168.0.26"
GATEWAY="192.168.0.1"
IPADDR="192.168.0.27"
NETMASK="255.255.255.0"
NM_CONTROLLED="yes"
ONBOOT="yes"
TYPE="Ethernet"

Now let's set the clock, because winbind and Kerberos will not work with a time difference between client and DC: the KDC rejects requests whose timestamp is further off than its allowed clock skew (5 minutes by default). ntpdate is a one-shot sync, so also run ntpd (ideally against the DCs, or the same source they use) to keep the clock within tolerance.

ntpdate -u a.ntp.br

Now let's configure Kerberos. The realm must be written in upper case and match the realm line in smb.conf. The krb4_*, v4_* and [kdc] entries below are leftovers from the stock template and are ignored by a Kerberos 5 client; they are kept here because this is the file as used, and can safely be removed.

vim /etc/krb5.conf
[libdefaults]
    default_realm = LAB.LAN
    # legacy Kerberos 4 settings from the stock template; unused on this client
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    v4_instance_resolve = false
    v4_name_convert = {
        host = {
            rcmd = host
            ftp = ftp
        }
        plain = {
            something = something-else
        }
    }
    fcc-mit-ticketflags = true
[realms]
    LAB.LAN = {
        kdc = 192.168.0.25
        kdc = 192.168.0.26
        # Samba AD runs no kadmind, so admin_server is unused but harmless
        admin_server = 192.168.0.25:749
        default_server = 192.168.0.25
    }
[domain_realm]
    .lab.lan = LAB.LAN
    lab.lan = LAB.LAN
[login]
    krb4_convert = true
    krb4_get_tickets = false
[kdc]
    # only read by a KDC, never by this client
    profile = /etc/krb5kdc/kdc.conf
[appdefaults]
    pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
    }
[logging]
    default = file:/var/log/krb5libs.log
    kdc = file:/var/log/krb5kdc.log
    admin_server = file:/var/log/kadmind.log

Now let's adjust limits.conf to raise the open-file limit. "mioutente" below is a placeholder user name copied from a template; replace it with the account that actually needs the higher limit, or drop those two lines.

vim /etc/security/limits.conf
[...]
# add at the end of the file
root hard nofile 131072
root soft nofile 65536
mioutente hard nofile 32768
mioutente soft nofile 16384

Now let's configure smb.conf. The idmap section deserves attention: the ad backend reads uidNumber/gidNumber from AD (the UNIX Attributes tab that AdminPack adds), but winbind refuses to initialise an ad-backend domain that has no range, logging "idmap range not specified", and silently falls back to the default tdb backend. The IDs are then allocated locally and differ from machine to machine, which breaks any UID-based permissions shared between hosts. So give the LAB domain a range that covers the values assigned in AD and does not overlap the * range.

vim /etc/samba/smb.conf
[global]
        workgroup = LAB
        security = ADS
        realm = LAB.LAN
        netbios name = CENTOS
        encrypt passwords = yes
        # default backend: BUILTIN and any other domain get locally allocated IDs
        idmap config * : backend = tdb
        idmap config * : range = 10000-30000
        # LAB takes its IDs from the rfc2307 attributes in AD; the range is
        # required by the ad backend. 30001-60000 is an example value: make it
        # cover your uidNumber/gidNumber values and keep it outside the * range.
        idmap config LAB:backend = ad
        idmap config LAB:schema_mode = rfc2307
        idmap config LAB:range = 30001-60000
        auth methods = winbind
        winbind nss info = rfc2307
        winbind trusted domains only = no
        winbind use default domain = yes
        winbind enum users  = yes
        winbind enum groups = yes
        template shell = /bin/bash

Now let's adjust nsswitch.conf. Keep files before winbind: with winbind use default domain = yes domain names carry no LAB\ prefix, so a domain account whose name collides with a local one resolves to the local entry, which is the safer direction. shadow stays on files only, since winbind does not serve it (passwords are verified by pam_winbind, not through NSS).

vim /etc/nsswitch.conf
[...]
passwd:     files winbind
shadow:     files
group:        files winbind

Let's start the services

/etc/init.d/nmb start
/etc/init.d/smb start
/etc/init.d/winbind start

Now let's configure PAM

First the system-auth stack, with pam_mkhomedir at the end so a user's home directory is created on first login

vim /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     required      pam_mkhomedir.so skel=/etc/skel/ umask=0027

Now let's configure console login through winbind; here I allowed only the root and ti-admin groups to log in to Linux machines

vim /etc/pam.d/login
#%PAM-1.0 
auth       sufficient    pam_winbind.so
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       include      system-auth
 
 
account    sufficient     pam_succeed_if.so user ingroup root
account    required    pam_winbind.so
account    required     pam_nologin.so
account    include      system-auth
# Groups allowed to log in on this server
account    requisite    pam_succeed_if.so user ingroup ti-admin
 
password   include      system-auth
# pam_selinux.so close should be the first session rule 
 
session    required     pam_selinux.so close
session    required     pam_mkhomedir.so        skel=/etc/skel umask=0027
session    include      system-auth
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context 
session    required     pam_selinux.so open
session    optional     pam_keyinit.so force revoke

Now let's configure SSH access through winbind; as with console login, only the root and ti-admin groups may log in. Note how the account stack behaves: its first line is sufficient, so a member of group root is accepted right there and pam_winbind, pam_nologin and the rest never run for that user; everyone else has to pass the whole stack and then the final requisite group check. Treat this PAM gate as one layer and also set AllowGroups root ti-admin in sshd_config, so the restriction survives a later edit of the PAM file.

vim /etc/pam.d/sshd
#%PAM-1.0 
auth       sufficient    pam_winbind.so
auth       include      system-auth
 
account    sufficient   pam_succeed_if.so user ingroup root
account    required     pam_winbind.so
account    required     pam_nologin.so
account    include      system-auth
# Groups allowed to log in over SSH
account    requisite    pam_succeed_if.so user ingroup ti-admin
 
password   include      system-auth
 
session    required     pam_mkhomedir.so        skel=/etc/skel umask=0027
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so
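
The control flags decide more than the module list suggests. The following is an added example, not part of the original tutorial and not Samba or PAM code: a small Python model of the Linux-PAM control-flag semantics (required, requisite, sufficient, optional, with include system-auth flattened in place) applied to the account stack of /etc/pam.d/sshd above, which is the same stack /etc/pam.d/login uses. The accounts, their UIDs and the simplified module behaviours are assumptions made for the example; the pam_winbind stand-in reflects that it answers user_unknown for non-domain accounts, which plain required counts as a failure.

```python
"""Who does the sshd account stack above let in?  (added example, simplified)"""

# /etc/pam.d/sshd, account phase, with system-auth inlined where `include` sits.
SSHD_ACCOUNT_STACK = [
    ("sufficient", "succeed_if", "ingroup root"),
    ("required",   "winbind",    None),
    ("required",   "nologin",    None),
    ("required",   "unix",       None),         # from system-auth
    ("sufficient", "localuser",  None),         # from system-auth
    ("sufficient", "succeed_if", "uid < 500"),  # from system-auth
    ("required",   "permit",     None),         # from system-auth
    ("requisite",  "succeed_if", "ingroup ti-admin"),
]


def _succeed_if(user, env, cond):
    if cond.startswith("ingroup "):
        return cond[len("ingroup "):] in user["groups"]
    if cond == "uid < 500":
        return user["uid"] < 500
    raise ValueError("unsupported condition: " + cond)


# Simplified stand-ins for each module's account check (assumptions, not the real modules).
MODULES = {
    "succeed_if": _succeed_if,
    # pam_winbind returns user_unknown for accounts that are not domain users;
    # under plain `required` that is treated as a failure.
    "winbind": lambda u, env, _: u["source"] == "winbind",
    # pam_nologin blocks everyone except uid 0 while /etc/nologin exists.
    "nologin": lambda u, env, _: u["uid"] == 0 or not env["nologin_present"],
    "unix": lambda u, env, _: not u.get("expired", False),
    "localuser": lambda u, env, _: u["source"] == "files",
    "permit": lambda u, env, _: True,
}


def evaluate(stack, user, env):
    """Return (granted, trace) for one user under the given environment."""
    failed = False
    trace = []
    for ctrl, module, arg in stack:
        ok = MODULES[module](user, env, arg)
        trace.append("%-10s %-10s %-16s %s" % (ctrl, module, arg or "", "ok" if ok else "FAIL"))
        if ctrl == "required" and not ok:
            failed = True            # remembered, but the stack keeps running
        elif ctrl == "requisite" and not ok:
            return False, trace      # stop immediately
        elif ctrl == "sufficient" and ok and not failed:
            return True, trace       # short-circuit: later lines never run
        # optional: result ignored
    return not failed, trace


# Assumed accounts; the 10000+ UIDs mimic the tdb idmap range from smb.conf.
ACCOUNTS = {
    "douglas.santos": {"uid": 10001, "groups": {"domain users", "ti-admin"},      "source": "winbind"},
    "guest":          {"uid": 10005, "groups": {"domain users", "domain guests"}, "source": "winbind"},
    "ops":            {"uid": 1001,  "groups": {"ops", "root"},                   "source": "files"},
    "backup":         {"uid": 1002,  "groups": {"backup", "ti-admin"},            "source": "files"},
}


def who_gets_in(nologin_present=False):
    """Map each assumed account to True/False under the sshd account stack."""
    env = {"nologin_present": nologin_present}
    return {name: evaluate(SSHD_ACCOUNT_STACK, acct, env)[0]
            for name, acct in ACCOUNTS.items()}


if __name__ == "__main__":
    for maint in (False, True):
        print("/etc/nologin present:", maint)
        for name, granted in who_gets_in(maint).items():
            print("  %-15s %s" % (name, "granted" if granted else "denied"))
```

Two results are worth noticing. The local "ops" account in group root is admitted even while /etc/nologin exists, because the sufficient line returns before pam_nologin runs. The local "backup" account is refused despite being in ti-admin, because pam_winbind's account check fails for non-domain users; if local admins are meant to pass, the stock authconfig form account [default=bad success=ok user_unknown=ignore] pam_winbind.so is the line to use.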

Now let's check that we can obtain a Kerberos ticket

kinit administrator
Password for administrator@LAB.LAN: 
Warning: Your password will expire in 41 days on Mon Oct  7 12:02:11 2013

Now let's list our ticket

klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@LAB.LAN

Valid starting     Expires            Service principal
08/27/13 10:02:54  08/27/13 20:02:54  krbtgt/LAB.LAN@LAB.LAN
  renew until 08/28/13 10:02:51

Now let's join the domain

net ads join lab.lan -U administrator

I'm still trying to fix the DNS error this command reports. The join itself goes through, as the wbinfo -t check below confirms; the failing step is most likely the DNS update that net ads join attempts for the client's own record after joining. Until it is sorted out, check with host centos.lab.lan whether the record exists and create it on the DC by hand if it does not, otherwise Kerberos name resolution for this host will be inconsistent.

Now let's restart the services

/etc/init.d/nmb restart
/etc/init.d/smb restart
/etc/init.d/winbind restart

Now let's test the connection to winbind

wbinfo -t
checking the trust secret for domain LAB via RPC calls succeeded

Now let's list the domain users

wbinfo -u
douglas.santos
administrator
dns-nodo1
krbtgt
guest

Let's list the groups

wbinfo -g
allowed rodc password replication group
enterprise read-only domain controllers
denied rodc password replication group
ti-admin
read-only domain controllers
group policy creator owners
ras and ias servers
domain controllers
enterprise admins
domain computers
cert publishers
dnsupdateproxy
domain admins
domain guests
schema admins
domain users
dnsadmins

Now let's test SSH access to this client

ssh douglas.santos@192.168.0.27
douglas.santos@192.168.0.27's password: 
Creating directory '/home/LAB/douglas.santos'.
[10:40:01] douglas.santos@centos [~] $ 

Now let's look at the CentOS access log; note the order of events: pam_winbind accepts the password, the root gate is not met, the ti-admin gate is met, and only then does sshd accept the login

tail -f /var/log/secure
Aug 27 10:38:55 centos sshd[13906]: pam_winbind(sshd:auth): getting password (0x00000000)
Aug 27 10:38:56 centos sshd[13906]: pam_winbind(sshd:auth): user 'douglas.santos' granted access
Aug 27 10:39:32 centos sshd[13906]: pam_succeed_if(sshd:account): requirement "user ingroup root" not met by user "douglas.santos"
Aug 27 10:39:32 centos sshd[13906]: pam_winbind(sshd:account): user 'douglas.santos' granted access
Aug 27 10:39:35 centos sshd[13906]: pam_succeed_if(sshd:account): requirement "user ingroup ti-admin" was met by user "douglas.santos"
Aug 27 10:39:35 centos sshd[13906]: Accepted password for douglas.santos from 192.168.0.130 port 46470 ssh2
Aug 27 10:39:50 centos sshd[13906]: pam_unix(sshd:session): session opened for user douglas.santos by (uid=0)
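
Those lines can be turned into a detection. The following is an added example, not part of the original tutorial: a Python triage that groups /var/log/secure lines by sshd PID and classifies each attempt from the pam_winbind, pam_succeed_if and sshd messages. The sample log is constructed: session 13906 is the tutorial's own login, while sessions 13950 and 13977 belong to maria.silva, a hypothetical domain account, and show a correct password on an account outside ti-admin followed by a wrong password. The interesting verdict is the first of those two, since a valid domain credential being tried on a host it is not authorised for deserves an alert rather than a shrug.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/secure in the format the tutorial shows.
SAMPLE_SECURE = """\
Aug 27 10:38:55 centos sshd[13906]: pam_winbind(sshd:auth): getting password (0x00000000)
Aug 27 10:38:56 centos sshd[13906]: pam_winbind(sshd:auth): user 'douglas.santos' granted access
Aug 27 10:39:32 centos sshd[13906]: pam_succeed_if(sshd:account): requirement "user ingroup root" not met by user "douglas.santos"
Aug 27 10:39:32 centos sshd[13906]: pam_winbind(sshd:account): user 'douglas.santos' granted access
Aug 27 10:39:35 centos sshd[13906]: pam_succeed_if(sshd:account): requirement "user ingroup ti-admin" was met by user "douglas.santos"
Aug 27 10:39:35 centos sshd[13906]: Accepted password for douglas.santos from 192.168.0.130 port 46470 ssh2
Aug 27 10:39:50 centos sshd[13906]: pam_unix(sshd:session): session opened for user douglas.santos by (uid=0)
Aug 27 10:41:02 centos sshd[13950]: pam_winbind(sshd:auth): getting password (0x00000000)
Aug 27 10:41:03 centos sshd[13950]: pam_winbind(sshd:auth): user 'maria.silva' granted access
Aug 27 10:41:03 centos sshd[13950]: pam_succeed_if(sshd:account): requirement "user ingroup root" not met by user "maria.silva"
Aug 27 10:41:03 centos sshd[13950]: pam_winbind(sshd:account): user 'maria.silva' granted access
Aug 27 10:41:03 centos sshd[13950]: pam_succeed_if(sshd:account): requirement "user ingroup ti-admin" not met by user "maria.silva"
Aug 27 10:41:05 centos sshd[13950]: Failed password for maria.silva from 192.168.0.130 port 46512 ssh2
Aug 27 10:42:10 centos sshd[13977]: pam_winbind(sshd:auth): getting password (0x00000000)
Aug 27 10:42:11 centos sshd[13977]: pam_winbind(sshd:auth): user 'maria.silva' denied access (incorrect password or invalid membership)
Aug 27 10:42:13 centos sshd[13977]: Failed password for maria.silva from 192.168.0.130 port 46530 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
AUTH_RE = re.compile(r"pam_winbind\(sshd:auth\): user '(?P<user>[^']+)' (?P<result>granted|denied) access")
GATE_RE = re.compile(r'pam_succeed_if\(sshd:account\): requirement "user ingroup (?P<group>[^"]+)" '
                     r'(?P<result>was met|not met) by user "(?P<user>[^"]+)"')
ACCEPT_RE = re.compile(r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")

REQUIRED_GROUP = "ti-admin"   # the group the final requisite line demands


def parse_sessions(text):
    """Group log lines by sshd PID and pull out the auth, gate and accept events."""
    sessions = defaultdict(lambda: {"user": None, "winbind_auth": None,
                                    "gates": [], "accepted": False, "src": None})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        s, msg = sessions[m["pid"]], m["msg"]
        a, g, c = AUTH_RE.search(msg), GATE_RE.search(msg), ACCEPT_RE.search(msg)
        if a:
            s["user"], s["winbind_auth"] = a["user"], a["result"] == "granted"
        elif g:
            s["user"] = g["user"]
            s["gates"].append((g["group"], g["result"] == "was met"))
        elif c:
            s["user"], s["accepted"], s["src"] = c["user"], True, c["ip"]
    return dict(sessions)


def triage(text):
    """Return {pid: (verdict, user, group_that_admitted_or_None)}."""
    out = {}
    for pid, s in parse_sessions(text).items():
        admitted_by = next((grp for grp, met in s["gates"] if met), None)
        blocked_by_gate = any(grp == REQUIRED_GROUP and not met for grp, met in s["gates"])
        if s["accepted"]:
            verdict = "accepted"
        elif s["winbind_auth"] is False:
            verdict = "bad_credentials"
        elif s["winbind_auth"] and blocked_by_gate:
            # Right password, wrong group: a valid domain credential is being
            # used on a host it is not authorised for.  Alert on this one.
            verdict = "valid_credentials_not_authorized"
        else:
            verdict = "incomplete"
        out[pid] = (verdict, s["user"], admitted_by)
    return out


if __name__ == "__main__":
    for pid, (verdict, user, via) in sorted(triage(SAMPLE_SECURE).items()):
        print("sshd[%s] %-34s user=%s via=%s" % (pid, verdict, user, via))
```

The accepted session records which gate admitted the user, so a login admitted via the root gate (which skips pam_nologin, see the PAM section) stands out from one admitted via ti-admin when reviewing the log.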

The client is configured successfully :D

References