instalando_e_configurando_o_samba4_com_suporte_a_adminpack_no_debian_wheezy_pt_br [2017/09/05 12:18]
====== Installing and Configuring Samba4 with AdminPack support on Debian Wheezy ======

Hey folks, here I will cover the installation and configuration of Samba4 with support for domain administration through Microsoft's AdminPack, and we will also configure Bind_DLZ as the DNS backend.

**NOTE:** The DNS server cannot run in chroot mode, because bind cannot reach Samba's files and database: http://wiki.samba.org/index.php/Dns-backend_bind#Known_issues_and_ways_to_fix.2Fworkaround

I think the installation and configuration turned out very good and clean, so let's get to work :D

Prepare your system with the following script http://wiki.douglasqsantos.com.br/doku.php/confinicialwheezy_en so that no package or configuration is missing.

What I will be using:
  * **Samba server**
    * **IP:** 192.168.0.49/24
    * **Name:** debian
    * **Domain:** lab.lan
  * **XP client**
    * **IP:** 192.168.0.4/24
    * **Name:** xp
    * **Domain:** lab.lan

Now let's update the repositories and upgrade the system
<sxh bash>
aptitude update && aptitude dist-upgrade -y
</sxh>

Let's adjust some environment variables
<sxh bash>
export DEBIAN_PRIORITY=critical
export DEBIAN_FRONTEND=noninteractive
</sxh>

Now let's install the dependencies
<sxh bash>
aptitude install libpam0g-dev git gcc make wget libacl1-dev libblkid-dev libreadline-dev python-dev libcups2-dev \
libcupscgi1-dev libcupsdriver1-dev libcupsimage2-dev libcupsmime1-dev libcupsppdc1-dev libcupsys2-dev libaio-dev acl-dev \
acl heimdal-clients libattr1-dev libacl1-dev libattr1-dev libblkid-dev libgnutls-dev libreadline-dev python-dnspython gdb pkg-config libfam-dev \
libpopt-dev libldap2-dev dnsutils libbsd-dev attr docbook-xsl libcups2-dev python-gnupginterface python-pycurl python-software-properties \
quota unattended-upgrades libpam-heimdal bison debhelper flex gettext html2text intltool-debian libbison-dev libgettextpo0 libldb-dev \
libldb1 libparse-yapp-perl libpython2.6 libsmbclient libsmbclient-dev libsubunit-dev libsubunit-perl libsubunit0 libtalloc-dev libtalloc2 \
libtdb-dev libtdb1 libtevent-dev libtevent0 libunistring0 libwbclient-dev libwbclient0 libxslt1.1 po-debconf python-all python-all-dev python-ldb \
python-ldb-dev python-pkg-resources python-subunit python-talloc python-talloc-dev python-tdb python-testtools python2.6-dev subunit xsltproc \
heimdal-dev heimdal-multidev libasn1-8-heimdal libgssapi3-heimdal libhcrypto4-heimdal libhdb9-heimdal libheimbase1-heimdal libheimntlm0-heimdal \
libhx509-5-heimdal libkadm5clnt7-heimdal libkadm5srv8-heimdal libkafs0-heimdal libkdc2-heimdal libkrb5-26-heimdal libroken18-heimdal libwind0-heimdal -y
</sxh>

Now let's return the variables to their defaults
<sxh bash>
unset DEBIAN_PRIORITY
unset DEBIAN_FRONTEND
</sxh>

Now we need to adjust the filesystem that holds the /usr partition: after defaults we need to add the keywords acl and user_xattr.
<sxh bash>
vim /etc/fstab
[...]
UUID=35689fda-e60e-4a5c-823b-3076e36a7586 /usr            ext4    defaults,acl,user_xattr,barrier=1        0       2
</sxh>

Now let's remount the partition
<sxh bash>
mount -o remount /usr
</sxh>

Now let's check whether the acl attribute was loaded
<sxh bash>
mount | egrep xattr
/dev/disk/by-uuid/1b505238-9622-44bb-9ff1-1a5b72f9636e on / type ext4 (rw,relatime,errors=remount-ro,user_xattr,barrier=1,data=ordered)
/dev/sda9 on /home type ext4 (rw,relatime,user_xattr,barrier=1,data=ordered)
/dev/sda8 on /tmp type ext4 (rw,relatime,user_xattr,barrier=1,data=ordered)
/dev/sda5 on /usr type ext4 (rw,relatime,user_xattr,barrier=1,data=ordered)
/dev/sda6 on /var type ext4 (rw,relatime,user_xattr,barrier=1,data=ordered)
</sxh>

In some cases the system does not load the acl support, and the server has to be rebooted for it to be reloaded; on Debian Wheezy, however, it is built into the kernel rather than shipped as a module.

Let's list the kernel options
<sxh bash>
egrep -i acl /boot/config-3.2.0-4-amd64
CONFIG_EXT2_FS_POSIX_ACL=y
CONFIG_EXT3_FS_POSIX_ACL=y
CONFIG_EXT4_FS_POSIX_ACL=y
CONFIG_REISERFS_FS_POSIX_ACL=y
CONFIG_JFS_POSIX_ACL=y
CONFIG_XFS_POSIX_ACL=y
CONFIG_BTRFS_FS_POSIX_ACL=y
CONFIG_FS_POSIX_ACL=y
CONFIG_GENERIC_ACL=y
CONFIG_TMPFS_POSIX_ACL=y
CONFIG_JFFS2_FS_POSIX_ACL=y
CONFIG_NFS_V3_ACL=y
CONFIG_NFSD_V2_ACL=y
CONFIG_NFSD_V3_ACL=y
CONFIG_NFS_ACL_SUPPORT=m
CONFIG_CIFS_ACL=y
CONFIG_9P_FS_POSIX_ACL=y
</sxh>

Now let's test the filesystem: we need to create a file and set the attr flags on it

Let's go to the /usr directory
<sxh bash>
cd /usr
</sxh>

The first setfattr test gives an error if it is run on an ext3 filesystem.
<sxh bash>
touch test.txt
setfattr -n user.test -v test test.txt
setfattr -n security.test -v test2 test.txt
</sxh>

Now let's test the user attribute
<sxh bash>
getfattr -d test.txt
# file: test.txt
user.test="test"
</sxh>

Now let's test the security attribute
<sxh bash>
getfattr -n security.test -d test.txt
# file: test.txt
security.test="test2"
</sxh>

If the filesystem does not support xattr we can emulate it by adding the following line to smb.conf
<sxh bash>
posix:eadb = /usr/local/samba/private/eadb.tdb
</sxh>

Now let's get Samba; first go to the directory that will hold the sources
<sxh bash>
cd /usr/src
</sxh>

Now let's fetch the sources
<sxh bash>
wget -c http://ftp.samba.org/pub/samba/stable/samba-4.1.4.tar.gz
</sxh>

Now let's unpack Samba
<sxh bash>
tar -xzvf samba-4.1.4.tar.gz
</sxh>

Now let's go into the source directory
<sxh bash>
cd samba-4.1.4
</sxh>

Now let's configure it
<sxh bash>
./configure --enable-debug --enable-selftest
</sxh>

Now let's compile it
<sxh bash>
make
</sxh>

Now let's install it
<sxh bash>
make install
</sxh>

Now let's fix the root user's PATH, in case it is using the Bash shell
<sxh bash>
echo "export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11:/usr/local/samba/sbin:/usr/local/samba/bin" >> /root/.bashrc
</sxh>

Now we need to load the new PATH
<sxh bash>
source /root/.bashrc
</sxh>

Now let's fix the root user's PATH, in case it is using the zsh shell
<sxh bash>
echo "export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11:/usr/local/samba/sbin:/usr/local/samba/bin" >> /root/.zshrc
</sxh>

Now we need to load the new PATH
<sxh bash>
source /root/.zshrc
</sxh>


Now let's install the dependencies for BIND_DLZ
<sxh bash>
aptitude install autopoint autotools-dev bison debhelper dh-apparmor geoip-bin gettext hardening-wrapper html2text intltool-debian \
libbison-dev libcap-dev libdb-dev libdb5.1-dev libgeoip-dev libgettextpo0 libltdl-dev libmail-sendmail-perl libsys-hostname-long-perl \
libtool libunistring0 libxml2-dev po-debconf -y
</sxh>

Now let's fetch the Bind sources
<sxh bash>
cd /usr/src
apt-get source bind9
</sxh>

Now let's go into the bind sources
<sxh bash>
cd bind9-*
</sxh>

Now let's adjust the options used to build the package: the configure-stamp target below has to be modified to add support for Kerberos and dlopen.
<sxh bash>
vim debian/rules
[...]
configure: configure-stamp
configure-stamp:
        dh_testdir
        ./configure --prefix=/usr \
                --mandir=\$${prefix}/share/man \
                --infodir=\$${prefix}/share/info \
                --sysconfdir=/etc/bind \
                --localstatedir=/var \
                --enable-threads \
                --enable-largefile \
                --with-libtool \
                --enable-shared \
                --enable-static \
                --with-openssl=/usr \
                --with-gssapi=/usr \
                --with-gnu-ld \
                --with-geoip=/usr \
                --enable-ipv6 \
                --with-gssapi=/usr/include/gssapi \
                --with-dlopen=yes \
                $(EXTRA_FEATURES)
</sxh>

Now let's build the .deb package
<sxh bash>
dpkg-buildpackage
</sxh>

Now let's install the packages we built
<sxh bash>
cd ..
dpkg -i *.deb
</sxh>

Now let's create a directory and adjust its permissions for bind
<sxh bash>
mkdir /var/cache/bind/data
chown -R bind:bind /var/cache/bind/data
</sxh>

Now let's back up the bind configuration file
<sxh bash>
cp /etc/bind/named.conf.options /etc/bind/named.conf.options.old
</sxh>

Now let's adjust named.conf.options. Adjust the networks in listen-on, allow-query, allow-update and allow-recursion to match the LAN your server actually sits on.
<sxh bash>
vim /etc/bind/named.conf.options
// named.conf
//

options {
  listen-on port 53 { 127.0.0.1; 192.168.1.0/24; };
  listen-on-v6 port 53 { ::1; };
  directory   "/var/cache/bind";
  dump-file   "/var/cache/bind/data/cache_dump.db";
  statistics-file "/var/cache/bind/data/named_stats.txt";
  memstatistics-file "/var/cache/bind/data/named_mem_stats.txt";
  allow-query     { 192.168.1.0/24; 127.0.0.1/32; };
  allow-update    { 192.168.1.0/24; 127.0.0.1/32; };
  allow-recursion { 192.168.1.0/24; 127.0.0.1/32; };
  forwarders { 8.8.8.8; 8.8.4.4; };

  dnssec-enable yes;
  dnssec-validation yes;
  dnssec-lookaside auto;

  /* Path to ISC DLV key */
  bindkeys-file "/etc/named.iscdlv.key";

  managed-keys-directory "/var/cache/bind/dynamic";

  /* keytab for samba4 */
  tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";

};

logging {
  channel default_debug {
          file "data/named.run";
          severity dynamic;
  };
};
</sxh>

Now let's add the file that references our AD zone to named.conf
<sxh bash>
vim /etc/bind/named.conf
[...]
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/usr/local/samba/private/named.conf";
</sxh>

Now let's adjust /etc/resolv.conf
<sxh bash>
vim /etc/resolv.conf
domain lab.lan
search lab.lan
nameserver 192.168.0.1
</sxh>

Now let's adjust /etc/hosts
<sxh bash>
vim /etc/hosts
127.0.0.1 localhost
127.0.1.1 debian.lab.lan  debian
192.168.0.49  debian.lab.lan  debian
[...]
</sxh>

Now let's create our domain
<sxh bash>
samba-tool domain provision --domain=LAB --adminpass=sen@134* \
--dns-backend=BIND9_DLZ --server-role=dc \
--function-level=2008_R2 --use-xattr=yes \
--use-rfc2307 --realm=lab.lan
</sxh>

If there is an error and you need to run the provisioning again, remove the following files and directories
<sxh bash>
rm -rf /usr/local/samba/etc
rm -rf /usr/local/samba/private
rm -rf /usr/local/samba/var/locks/sysvol
</sxh>
At this point our domain is already configured.

Now let's adjust Samba. Note that in this file vfs objects is set twice in [global] and the last setting wins, which is why the testparm output further down shows only recycle, full_audit; the same happens with full_audit:failure, where the final value none is the one that takes effect.
<sxh bash>
vim /usr/local/samba/etc/smb.conf
# Global parameters
[global]
  workgroup = LAB
  realm = lab.lan
  netbios name = PDC
  server role = active directory domain controller
  server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
  ### RPC ###
  rpc_server:tcpip = no
  rpc_daemon:spoolssd = embedded
  rpc_server:spoolss = embedded
  rpc_server:winreg = embedded
  rpc_server:ntsvcs = embedded
  rpc_server:eventlog = embedded
  rpc_server:srvsvc = embedded
  rpc_server:svcctl = embedded
  rpc_server:default = external
  ### IDMAP ###
  idmap_ldb:use rfc2307 = yes
  idmap config * : backend = tdb
  idmap config *:range = 70001-80000
  idmap config LAB:backend = ad
  idmap config LAB:schema_mode = rfc2307
  idmap config LAB:range = 500-40000
  #WINBIND
  winbind nss info = rfc2307
  winbind trusted domains only = no
  winbind use default domain = yes
  winbind enum users  = yes
  winbind enum groups = yes
  map archive = No
  map readonly = no
  store dos attributes = Yes
  vfs objects = dfs_samba4, acl_xattr
  # the template shell is needed to log in with winbind authentication
  template shell = /bin/bash
  # DISABLING PRINTERS
  printcap name = /dev/null
  load printers = no
  disable spoolss = yes
  printing = bsd
  ### LOGS
  log file = /var/log/samba/smbd.log
  max log size = 50
  log level = 2
  vfs objects = recycle full_audit
  ### RECYCLE BIN
  recycle:repository = Lixeira
  recycle:exclude = *.tmp *.TMP *.temp *.TEMP ~*
  recycle:keeptree = yes
  full_audit:success = rmdir mkdir open write rename unlink
  full_audit:failure = rmdir mkdir open write rename unlink
  full_audit:prefix = %U|%I|%m|%S
  full_audit:failure = none
  full_audit:facility = local5
  full_audit:priority = notice
  veto files = /*.mp3/*.wav/*.exe/*.cmd/*.adm/*.inf/*.ini/*.pif
  delete veto files = yes
  dos filemode = yes

[netlogon]
  path = /usr/local/samba/var/locks/sysvol/lab.lan/scripts
  read only = No

[sysvol]
  path = /usr/local/samba/var/locks/sysvol
  read only = No
</sxh>
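
Because Samba keeps only the last occurrence of a parameter within a section, a repeated key like vfs objects above silently discards the earlier value. The following check is an added example (not from this page or the Samba project) that parses a constructed excerpt of the [global] section above and reports every parameter set more than once, together with the value Samba will actually use:

```python
"""Flag parameters that are set more than once in a section of smb.conf.

Added example, not code from the page or from the Samba project. Samba keeps
the LAST occurrence of a parameter in a section, so a repeated key quietly
discards the earlier value (on this page, vfs objects and full_audit:failure).
"""
import re
from collections import OrderedDict

# Constructed excerpt of the page's smb.conf, reduced to the relevant lines.
SMB_CONF = """\
[global]
  workgroup = LAB
  realm = lab.lan
  server role = active directory domain controller
  vfs objects = dfs_samba4, acl_xattr
  full_audit:success = rmdir mkdir open write rename unlink
  full_audit:failure = rmdir mkdir open write rename unlink
  full_audit:prefix = %U|%I|%m|%S
  full_audit:failure = none
  vfs objects = recycle full_audit

[sysvol]
  path = /usr/local/samba/var/locks/sysvol
  read only = No
"""

SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")


def normalize_key(key):
    """smb.conf parameter names are case-insensitive and ignore whitespace,
    so 'idmap config * : backend' and 'idmap config *:backend' are the same key."""
    return re.sub(r"\s+", "", key).lower()


def parse_smb_conf(text):
    """Return {section: [(key, value), ...]}, keeping every occurrence in order."""
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current].append((normalize_key(key), value.strip()))
    return sections


def find_duplicates(sections):
    """Return {(section, key): [values...]} for keys set more than once.
    The last value in each list is the one Samba will actually apply."""
    dupes = {}
    for name, entries in sections.items():
        seen = {}
        for key, value in entries:
            seen.setdefault(key, []).append(value)
        for key, values in seen.items():
            if len(values) > 1:
                dupes[(name, key)] = values
    return dupes


def effective_value(sections, section, key):
    """Value Samba would use for `key` in `section`: the last one set, or None."""
    wanted = normalize_key(key)
    values = [v for k, v in sections.get(section, []) if k == wanted]
    return values[-1] if values else None


if __name__ == "__main__":
    conf = parse_smb_conf(SMB_CONF)
    for (section, key), values in find_duplicates(conf).items():
        print(f"[{section}] {key} set {len(values)} times; "
              f"effective value: {values[-1]!r}; discarded: {values[:-1]}")
```

Run against the full file on the DC, the report for vfs objects matches what testparm prints later on this page.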

Now let's create the directory to store the logs
<sxh bash>
mkdir -p /var/log/samba
</sxh>

Now let's create a link to the Kerberos keytab
<sxh bash>
ln -s /usr/local/samba/private/dns.keytab /etc/krb5.keytab
</sxh>

Now let's start Samba
<sxh bash>
/usr/local/samba/sbin/samba
</sxh>

Let's remove the expiry from the administrator password
<sxh bash>
samba-tool user setexpiry administrator --noexpiry
</sxh>

Now let's check the version of our smbclient
<sxh bash>
smbclient --version
Version 4.1.4
</sxh>

Now let's list the shares
<sxh bash>
smbclient -L localhost -U%
Domain=[LAB] OS=[Unix] Server=[Samba 4.1.4]

  Sharename       Type      Comment
  ---------       ----      -------
  netlogon        Disk
  sysvol          Disk
  IPC$            IPC       IPC Service (Samba 4.1.4)
Domain=[LAB] OS=[Unix] Server=[Samba 4.1.4]

  Server               Comment
  ---------            -------

  Workgroup            Master
  ---------            -------
</sxh>

Now let's test authentication against the shares
<sxh bash>
smbclient //localhost/netlogon -UAdministrator%'sen@134*' -c 'ls'
Domain=[LAB] OS=[Unix] Server=[Samba 4.1.4]
  .                                   D        0  Mon Aug 19 14:15:45 2013
  ..                                  D        0  Mon Aug 19 14:16:33 2013

    44993 blocks of size 65536. 8004 blocks available
</sxh>

Let's verify the Samba configuration
<sxh bash>
testparm
Load smb config files from /usr/local/samba/etc/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[netlogon]"
Processing section "[sysvol]"
Loaded services file OK.
Server role: ROLE_ACTIVE_DIRECTORY_DC
Press enter to see a dump of your service definitions

[global]
  workgroup = LAB
  realm = lab.lan
  server role = active directory domain controller
  passdb backend = samba_dsdb
  log file = /var/log/samba/smbd.log
  max log size = 50
  load printers = No
  printcap name = /dev/null
  disable spoolss = Yes
  template shell = /bin/bash
  winbind enum users = Yes
  winbind enum groups = Yes
  winbind use default domain = Yes
  winbind nss info = rfc2307
  server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
  full_audit:priority = notice
  full_audit:facility = local5
  full_audit:prefix = %U|%I|%m|%S
  full_audit:failure = none
  full_audit:success = rmdir mkdir open write rename unlink
  recycle:keeptree = yes
  recycle:exclude = *.tmp *.TMP *.temp *.TEMP ~*
  recycle:repository = Lixeira
  idmap config LAB:range = 500-40000
  idmap config LAB:schema_mode = rfc2307
  idmap config LAB:backend = ad
  idmap config *:range = 70001-80000
  idmap_ldb:use rfc2307 = yes
  rpc_server:default = external
  rpc_server:svcctl = embedded
  rpc_server:srvsvc = embedded
  rpc_server:eventlog = embedded
  rpc_server:ntsvcs = embedded
  rpc_server:winreg = embedded
  rpc_server:spoolss = embedded
  rpc_daemon:spoolssd = embedded
  rpc_server:tcpip = no
  idmap config * : backend = tdb
  printing = bsd
  print command = lpr -r -P'%p' %s
  lpq command = lpq -P'%p'
  lprm command = lprm -P'%p' %j
  delete veto files = Yes
  veto files = /*.mp3/*.wav/*.exe/*.cmd/*.adm/*.inf/*.ini/*.pif
  map archive = No
  map readonly = no
  store dos attributes = Yes
  dos filemode = Yes
  vfs objects = recycle, full_audit

[netlogon]
  path = /usr/local/samba/var/locks/sysvol/lab.lan/scripts
  read only = No

[sysvol]
  path = /usr/local/samba/var/locks/sysvol
  read only = No
</sxh>
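
With the effective configuration above, full_audit sends every successful rmdir, mkdir, open, write, rename and unlink to syslog (facility local5, priority notice), each line prefixed with %U|%I|%m|%S. The script below is an added example (not from this page or the Samba project) that parses such lines and flags a user who removes many entries from one share in a short window; the syslog lines it reads are constructed for the example, and the tag smbd_audit and the op|result|args layout after the prefix are assumed to be what the module writes:

```python
"""Parse Samba full_audit syslog lines and flag bursts of deletions.

Added example, not code from the page or the Samba project. It assumes the
page's setting full_audit:prefix = %U|%I|%m|%S, so the audit part of each
syslog line reads:
    user|client_ip|client_name|share|operation|result|args...
The sample log below is constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime

PREFIX_FIELDS = ("user", "client_ip", "client_name", "share")  # %U|%I|%m|%S

# Constructed sample of what syslog would store for facility local5.
SAMPLE_LOG = """\
Aug 19 14:20:01 debian smbd_audit: administrator|192.168.0.4|xp|netlogon|open|ok|r|logon.bat
Aug 19 14:20:02 debian smbd_audit: administrator|192.168.0.4|xp|netlogon|write|ok|logon.bat
Aug 19 14:21:10 debian smbd_audit: jdoe|192.168.0.7|ws07|sysvol|unlink|ok|lab.lan/Policies/a.ini
Aug 19 14:21:11 debian smbd_audit: jdoe|192.168.0.7|ws07|sysvol|unlink|ok|lab.lan/Policies/b.ini
Aug 19 14:21:11 debian smbd_audit: jdoe|192.168.0.7|ws07|sysvol|unlink|ok|lab.lan/Policies/c.ini
Aug 19 14:21:12 debian smbd_audit: jdoe|192.168.0.7|ws07|sysvol|rmdir|ok|lab.lan/Policies
Aug 19 14:30:00 debian smbd_audit: jdoe|192.168.0.7|ws07|sysvol|unlink|ok|lab.lan/scripts/old.bat
Aug 19 14:31:00 debian sshd[1234]: Accepted publickey for root from 192.168.0.4
"""

# syslog timestamp, host, then the audit tag and the pipe-separated body
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ smbd_audit: (?P<body>.*)$")


def parse_line(line, year=2013):
    """Return a dict for one full_audit line, or None for unrelated syslog lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = m.group("body").split("|")
    # prefix fields, then operation and result, then whatever args the op logs
    if len(parts) < len(PREFIX_FIELDS) + 2:
        return None
    rec = dict(zip(PREFIX_FIELDS, parts[:len(PREFIX_FIELDS)]))
    rec["op"] = parts[len(PREFIX_FIELDS)]
    rec["result"] = parts[len(PREFIX_FIELDS) + 1]
    rec["args"] = parts[len(PREFIX_FIELDS) + 2:]
    # syslog lines carry no year, so the caller supplies it
    rec["ts"] = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return rec


def parse_log(text, year=2013):
    """Parse every full_audit line in `text`, skipping other syslog entries."""
    return [r for r in (parse_line(l, year) for l in text.splitlines()) if r]


DESTRUCTIVE = {"unlink", "rmdir"}


def mass_deletions(records, threshold=3, window_seconds=60):
    """Return [(user, client_ip, share, count)] for every user/client/share
    with at least `threshold` successful unlink or rmdir operations inside
    any sliding window of `window_seconds`."""
    events = defaultdict(list)
    for r in records:
        if r["op"] in DESTRUCTIVE and r["result"] == "ok":
            events[(r["user"], r["client_ip"], r["share"])].append(r["ts"])
    alerts = []
    for key, times in events.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            # drop timestamps that fell out of the window ending at t
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append((*key, best))
    return alerts


if __name__ == "__main__":
    for user, ip, share, n in mass_deletions(parse_log(SAMPLE_LOG)):
        print(f"ALERT: {user} from {ip} removed {n} entries on {share} within 60s")
```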

Now let's adjust /etc/security/limits.conf so that Samba stops reporting errors
<sxh bash>
vim /etc/security/limits.conf
# put this at the end of the file
root hard nofile 131072
root soft nofile 65536
mioutente hard nofile 32768
mioutente soft nofile 16384
</sxh>

Now let's list the Samba processes
<sxh bash>
ps aux | egrep samba
root      1231  0.0  8.8 512872 44888 ?        Ss   09:55   0:00 /usr/local/samba/sbin/samba
root      1233  0.0  6.3 512872 32084 ?        S    09:55   0:00 /usr/local/samba/sbin/samba
root      1234  0.0  6.4 512872 32964 ?        S    09:55   0:00 /usr/local/samba/sbin/samba
root      1235  0.0  6.6 512872 33732 ?        S    09:55   0:00 /usr/local/samba/sbin/samba
root      1236  0.0  6.3 512872 32056 ?        S    09:55   0:00 /usr/local/samba/sbin/samba
root      1237  0.0  6.5 512872 33440 ?        S    09:55   0:00 /usr/local/samba/sbin/samba
root      1238  0.0  6.4 512872 32652 ?        S    09:55   0:00 /usr/local/samba/sbin/samba
root      1239  0.0  6.7 512872 34188 ?        S    09:55   0:00 /usr/local/samba/sbin/samba
root      1240  0.0  6.5 512872 33472 ?        S    09:55   0:00 /usr/local/samba/sbin/samba
root      1241  0.0  6.6 516332 33776 ?        S    09:55   0:00 /usr/local/samba/sbin/samba
root      1242  0.0  6.3 512872 32172 ?        S    09:55   0:00 /usr/local/samba/sbin/samba
root      1243  0.0  7.9 512872 40388 ?        S    09:55   0:00 /usr/local/samba/sbin/samba
root      1244  0.0  6.5 512872 33132 ?        S    09:55   0:00 /usr/local/samba/sbin/samba
root      1245  0.0  9.0 470044 46176 ?        Ss   09:55   0:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
root      1247  0.0  6.7 513292 34192 ?        S    09:55   0:00 /usr/local/samba/sbin/samba
root      1250  0.0  6.3 470052 32320 ?        S    09:55   0:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
root      1295  0.0  0.1   7792   880 pts/0    S+   10:03   0:00 egrep samba
</sxh>

Now let's adjust /etc/resolv.conf so that the IP of our Samba server is used
<sxh bash>
vim /etc/resolv.conf
domain lab.lan
search lab.lan
nameserver 192.168.0.131
</sxh>

Now let's restart bind
<sxh bash>
/etc/init.d/bind9 restart
</sxh>

Now let's test with nslookup
<sxh bash>
nslookup lab.lan
Server:   192.168.0.131
Address:  192.168.0.131#53

Name: lab.lan
Address: 192.168.0.131
</sxh>

Now let's adjust the Kerberos configuration file

Let's make a backup of it
<sxh bash>
cp /etc/krb5.conf /etc/krb5.conf.old
</sxh>

Now let's remove the original
<sxh bash>
rm -rf /etc/krb5.conf
</sxh>

Now let's create a link to the Kerberos file used by Samba
<sxh bash>
ln -sf /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf
</sxh>

Now let's adjust its configuration
<sxh bash>
vim /etc/krb5.conf
[libdefaults]
  default_realm = LAB.LAN
  dns_lookup_realm = false
  dns_lookup_kdc = true
</sxh>

Now let's obtain a Kerberos ticket for the administrator user
<sxh bash>
kinit administrator@LAB.LAN
Password for administrator@LAB.LAN:
Warning: Your password will expire in 41 days on Mon Sep 30 14:16:22 2013
</sxh>

Now let's list our ticket
<sxh bash>
klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@LAB.LAN

Valid starting       Expires              Service principal
19-08-2013 14:24:03  20-08-2013 00:24:03  krbtgt/LAB.LAN@LAB.LAN
  renew until 20-08-2013 14:24:00
</sxh>

Now let's test our Samba authentication using the Kerberos token
<sxh bash>
smbclient -k //pdc.lab.lan/netlogon -c 'ls'
Domain=[LAB] OS=[Unix] Server=[Samba 4.1.4]
  .                                   D        0  Mon Aug 19 14:15:45 2013
  ..                                  D        0  Mon Aug 19 14:16:33 2013

    44993 blocks of size 65536. 8004 blocks available
</sxh>

To use the Kerberos token we need to pass the name of our DC, in my case debian.lab.lan; if we pass only localhost we get the following error, because there is no cifs/localhost service principal in the KDC.
<sxh bash>
smbclient -k //localhost/netlogon -c 'ls'
ads_krb5_mk_req: smb_krb5_get_credentials failed for cifs/localhost@LAB.LAN (Server not found in Kerberos database)
cli_session_setup_kerberos: spnego_gen_krb5_negTokenInit failed: Server not found in Kerberos database
session setup failed: NT_STATUS_UNSUCCESSFUL
</sxh>

This error is discussed at the following link http://lists.samba.org/archive/samba-technical/2011-June/078134.html

Now let's configure the NTP server
<sxh bash>
aptitude install ntp -y
</sxh>

Now let's back up our configuration file
<sxh bash>
cp /etc/ntp.conf /etc/ntp.conf.old
</sxh>

Now let's set it up as follows
<sxh bash>
vim /etc/ntp.conf
server 127.127.1.0
fudge  127.127.1.0 stratum 10
server a.ntp.br iburst prefer
server 0.pool.ntp.org  iburst prefer
server 1.pool.ntp.org  iburst prefer
driftfile /var/lib/ntp/ntp.drift
logfile /var/log/ntp
ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/
restrict default kod nomodify notrap nopeer mssntp
restrict 127.0.0.1
restrict a.ntp.br mask 255.255.255.255 nomodify notrap nopeer noquery
restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
</sxh>

Now let's restart the service
<sxh bash>
/etc/init.d/ntp restart
</sxh>


Now let's query the NTP service
<sxh bash>
ntpq -p 127.0.0.1
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 LOCAL(0)        .LOCL.          10 l   26   64    1    0.000    0.000   0.000
+a.ntp.br        200.160.7.186    2 u   15   64    1   11.543    4.363   0.306
 0.pool.ntp.org  .INIT.          16 u    -   64    0    0.000    0.000   0.000
*1.pool.ntp.org  200.160.7.186    2 u   13   64    1    6.470    5.146   0.305
</sxh>

Now let's adjust the permission of the ntp signing socket directory
<sxh bash>
chgrp ntp /usr/local/samba/var/lib/ntp_signd
</sxh>

Now let's create the Samba init script
<sxh bash>
vim /etc/init.d/samba
#! /bin/sh

### BEGIN INIT INFO
# Provides:          samba4
# Required-Start:    $network $local_fs $remote_fs
# Required-Stop:     $network $local_fs $remote_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: start Samba daemons
### END INIT INFO

#
# Starts/stops the Samba daemon (samba).
# Adapted from the Samba 3 packages.
#

PIDDIR=/usr/local/samba/var/run
SAMBAPID=$PIDDIR/samba.pid

# clear conflicting settings from the environment
unset TMPDIR

# See if the daemon and the config file are there
test -x /usr/local/samba/sbin/samba -a -r /usr/local/samba/etc/smb.conf || exit 0

. /lib/lsb/init-functions

case "$1" in
  start)
    log_daemon_msg "Starting Samba 4 daemon" "samba"
    # Make sure we have our PIDDIR, even if it's on a tmpfs
    install -o root -g root -m 755 -d $PIDDIR

    if ! start-stop-daemon --start --quiet --oknodo --exec /usr/local/samba/sbin/samba -- -D; then
      log_end_msg 1
      exit 1
    fi

    log_end_msg 0
    ;;
  stop)
    log_daemon_msg "Stopping Samba 4 daemon" "samba"

    # the PID file has to be passed with --pidfile, not as a bare argument
    start-stop-daemon --stop --quiet --name samba --pidfile $SAMBAPID
    # Wait a little and remove stale PID file
    sleep 1
    if [ -f $SAMBAPID ] && ! ps h `cat $SAMBAPID` > /dev/null
    then
      # Stale PID file (samba was successfully stopped),
      # remove it (should be removed by samba itself IMHO.)
      rm -f $SAMBAPID
    fi

    log_end_msg 0

    ;;
  restart|force-reload)
    $0 stop
    sleep 1
    $0 start
    ;;
  *)
    echo "Usage: /etc/init.d/samba {start|stop|restart|force-reload}"
    exit 1
    ;;
esac

exit 0
</sxh>

Let's make the script executable
<sxh bash>
chmod +x /etc/init.d/samba
</sxh>

Now let's add the script to the system startup
<sxh bash>
insserv -f -v samba
</sxh>


Now let's check whether our BIND_DLZ is working
<sxh bash>
samba_dnsupdate --verbose
IPs: ['192.168.0.52']
Looking for DNS entry A lab.lan 192.168.0.52 as lab.lan.
Looking for DNS entry A debian.lab.lan 192.168.0.52 as debian.lab.lan.
Looking for DNS entry A gc._msdcs.lab.lan 192.168.0.52 as gc._msdcs.lab.lan.
Looking for DNS entry CNAME 4600bb8b-c1f6-47b0-ae75-a31c9ef70281._msdcs.lab.lan debian.lab.lan as 4600bb8b-c1f6-47b0-ae75-a31c9ef70281._msdcs.lab.lan.
Looking for DNS entry SRV _kpasswd._tcp.lab.lan debian.lab.lan 464 as _kpasswd._tcp.lab.lan.
Checking 0 100 464 debian.lab.lan. against SRV _kpasswd._tcp.lab.lan debian.lab.lan 464
Looking for DNS entry SRV _kpasswd._udp.lab.lan debian.lab.lan 464 as _kpasswd._udp.lab.lan.
Checking 0 100 464 debian.lab.lan. against SRV _kpasswd._udp.lab.lan debian.lab.lan 464
Looking for DNS entry SRV _kerberos._tcp.lab.lan debian.lab.lan 88 as _kerberos._tcp.lab.lan.
Checking 0 100 88 debian.lab.lan. against SRV _kerberos._tcp.lab.lan debian.lab.lan 88
Looking for DNS entry SRV _kerberos._tcp.dc._msdcs.lab.lan debian.lab.lan 88 as _kerberos._tcp.dc._msdcs.lab.lan.
Checking 0 100 88 debian.lab.lan. against SRV _kerberos._tcp.dc._msdcs.lab.lan debian.lab.lan 88
Looking for DNS entry SRV _kerberos._tcp.default-first-site-name._sites.lab.lan debian.lab.lan 88 as _kerberos._tcp.default-first-site-name._sites.lab.lan.
Checking 0 100 88 debian.lab.lan. against SRV _kerberos._tcp.default-first-site-name._sites.lab.lan debian.lab.lan 88
Looking for DNS entry SRV _kerberos._tcp.default-first-site-name._sites.dc._msdcs.lab.lan debian.lab.lan 88 as _kerberos._tcp.default-first-site-name._sites.dc._msdcs.lab.lan.
Checking 0 100 88 debian.lab.lan. against SRV _kerberos._tcp.default-first-site-name._sites.dc._msdcs.lab.lan debian.lab.lan 88
Looking for DNS entry SRV _kerberos._udp.lab.lan debian.lab.lan 88 as _kerberos._udp.lab.lan.
Checking 0 100 88 debian.lab.lan. against SRV _kerberos._udp.lab.lan debian.lab.lan 88
Looking for DNS entry SRV _ldap._tcp.lab.lan debian.lab.lan 389 as _ldap._tcp.lab.lan.
Checking 0 100 389 debian.lab.lan. against SRV _ldap._tcp.lab.lan debian.lab.lan 389
Looking for DNS entry SRV _ldap._tcp.dc._msdcs.lab.lan debian.lab.lan 389 as _ldap._tcp.dc._msdcs.lab.lan.
Checking 0 100 389 debian.lab.lan. against SRV _ldap._tcp.dc._msdcs.lab.lan debian.lab.lan 389
Looking for DNS entry SRV _ldap._tcp.gc._msdcs.lab.lan debian.lab.lan 3268 as _ldap._tcp.gc._msdcs.lab.lan.
Checking 0 100 3268 debian.lab.lan. against SRV _ldap._tcp.gc._msdcs.lab.lan debian.lab.lan 3268
Looking for DNS entry SRV _ldap._tcp.pdc._msdcs.lab.lan debian.lab.lan 389 as _ldap._tcp.pdc._msdcs.lab.lan.
Checking 0 100 389 debian.lab.lan. against SRV _ldap._tcp.pdc._msdcs.lab.lan debian.lab.lan 389
Looking for DNS entry SRV _ldap._tcp.default-first-site-name._sites.lab.lan debian.lab.lan 389 as _ldap._tcp.default-first-site-name._sites.lab.lan.
Checking 0 100 389 debian.lab.lan. against SRV _ldap._tcp.default-first-site-name._sites.lab.lan debian.lab.lan 389
Looking for DNS entry SRV _ldap._tcp.default-first-site-name._sites.dc._msdcs.lab.lan debian.lab.lan 389 as _ldap._tcp.default-first-site-name._sites.dc._msdcs.lab.lan.
Checking 0 100 389 debian.lab.lan. against SRV _ldap._tcp.default-first-site-name._sites.dc._msdcs.lab.lan debian.lab.lan 389
Looking for DNS entry SRV _ldap._tcp.default-first-site-name._sites.gc._msdcs.lab.lan debian.lab.lan 3268 as _ldap._tcp.default-first-site-name._sites.gc._msdcs.lab.lan.
Checking 0 100 3268 debian.lab.lan. against SRV _ldap._tcp.default-first-site-name._sites.gc._msdcs.lab.lan debian.lab.lan 3268
Looking for DNS entry SRV _ldap._tcp.86f256e1-a77b-4a83-bddd-96acf7a0c89f.domains._msdcs.lab.lan debian.lab.lan 389 as _ldap._tcp.86f256e1-a77b-4a83-bddd-96acf7a0c89f.domains._msdcs.lab.lan.
Checking 0 100 389 debian.lab.lan. against SRV _ldap._tcp.86f256e1-a77b-4a83-bddd-96acf7a0c89f.domains._msdcs.lab.lan debian.lab.lan 389
Looking for DNS entry SRV _gc._tcp.lab.lan debian.lab.lan 3268 as _gc._tcp.lab.lan.
Checking 0 100 3268 debian.lab.lan. against SRV _gc._tcp.lab.lan debian.lab.lan 3268
Looking for DNS entry SRV _gc._tcp.default-first-site-name._sites.lab.lan debian.lab.lan 3268 as _gc._tcp.default-first-site-name._sites.lab.lan.
Checking 0 100 3268 debian.lab.lan. against SRV _gc._tcp.default-first-site-name._sites.lab.lan debian.lab.lan 3268
No DNS updates needed
</sxh>

Now let's create the reverse zone
<sxh bash>
samba-tool dns zonecreate lab.lan 1.168.192.in-addr.arpa -UAdministrator --password=sen@134*
</sxh>

Let's create the reverse record for our pdc
<sxh bash>
samba-tool dns add pdc 1.168.192.in-addr.arpa 49 PTR pdc.lab.lan -Uadministrator --password=sen@134*
</sxh>
Now let's create a basic print share.

First create the print spool directory and set its permissions:
<sxh bash>
mkdir /usr/local/samba/var/spool
chmod 1777 /usr/local/samba/var/spool
</sxh>

Now add our print share to the Samba configuration:
<sxh bash>
vim /usr/local/samba/etc/smb.conf
# Global parameters
[...]

[printers]
    comment = All Printers
    path = /usr/local/samba/var/spool
    browseable = Yes
    read only = No
    printable = Yes
</sxh>

Now we need to create the directories that hold the printer drivers; a Windows client always looks for them when it installs a printer:
<sxh bash>
mkdir -p /usr/local/samba/var/print/{COLOR,IA64,W32ALPHA,W32MIPS,W32PPC,W32X86,WIN40,x64}
</sxh>

Now add one more share to Samba. With read only = No every authenticated domain user can write driver files into print$, and those files are executed on every client that installs the printer; once the drivers are uploaded, limit writes to the administrators who maintain them (for example with the write list parameter).
<sxh bash>
vim /usr/local/samba/etc/smb.conf
# Global parameters
[...]

[printers]
    comment = All Printers
    path = /usr/local/samba/var/spool
    browseable = Yes
    read only = No
    printable = Yes

[print$]
    comment = Point and Print Printer Drivers
    path = /usr/local/samba/var/print
    read only = No
</sxh>

Now reload Samba:
<sxh bash>
killall -HUP samba
</sxh>

To add a printer:
  * Log on to the client computer as the domain Administrator
  * Click Start -> Run and type '\\debian.lab.lan\'
  * In the share list, double-click 'Printers and Faxes'
  * Click File -> Server Properties
  * On the Drivers tab, click 'Add...', then 'Next'

{{:sambaserverdrivers.jpg?500|}}

  * From the list, choose the driver of the printer you want to install and click 'Next'

{{:sambaserverchoosedriver.jpg?500|}}

Now choose the drivers for your architecture. If there is no driver for your architecture you will be asked to insert media containing the drivers.

{{:sambaserverchoosearch.jpg?500|}}

  * Now close the drivers window
  * Right-click the printer driver and choose Properties
  * On the Advanced tab, pick the driver that was just installed

Joining an XP machine to the Samba4 domain

Open the network interface configuration:
  * Start menu / Run, type ncpa.cpl

Set the DNS server address to the IP of the Samba server.

It should look like the screenshot below.

{{:interface.png?500|}}

Now test DNS:
<sxh bash>
nslookup debian.lab.lan
*** Não é possível encontrar o nome de servidor para o endereço 192.168.0.131: No information
*** Os servidores padrão não estão disponíveis
Servidor: UnKnown
Address: 192.168.0.131

Nome = debian.lab.lan
Address: 192.168.0.131
</sxh>

The two "***" lines come from nslookup trying to reverse-resolve the DNS server's own address (it has no PTR record); the forward lookup of debian.lab.lan itself succeeded.

Now the client's clock and time zone must match the Samba server's: Kerberos rejects tickets when the clocks differ by more than the allowed skew (five minutes by default).

Open the date and time settings:
  * Start menu / Run, type timedate.cpl

{{:dataehora.png?500|}}

Set the time here.

On the Time Zone tab choose the zone for your location.

{{:fusohorario.png?500|}}

Now let's join the domain:
  * Start menu / Run, type sysdm.cpl
  * Select the Computer Name tab
  * Click Change

Under Domain enter lab.lan

{{:join1xp.png?500|}}

Click OK.

A dialog like the one below appears; enter the user administrator and the password that was set for it when the Samba domain was provisioned.

{{:autenticacaojoin1.png?500|}}

If everything goes well you get this message:

{{:boajoin.png?500|}}

After clicking OK you get this message:

{{:alteracaoxp.png?500|}}

Now click OK, OK again and Yes to restart the machine.

After the reboot you get this screen:

{{:ctrldel.png?500|}}

Press Ctrl + Alt + Del

{{:loginxp.png?500|}}

Under "Log on to" select LAB

The user is administrator with its password.
Installing the Windows Remote Server Administration Tools (RSAT)

Download links for the Remote Server Administration Tools:
  * http://www.microsoft.com/en-us/download/details.aspx?id=39296 (Windows 8.1)
  * http://www.microsoft.com/download/details.aspx?id=28972 (Windows 8)
  * http://www.microsoft.com/downloads/details.aspx?FamilyId=9FF6E897-23CE-4A36-B7FC-D52065DE9960&displaylang=en (Vista)
  * http://www.microsoft.com/downloads/details.aspx?FamilyID=7D2F6AD7-656B-4313-A005-4E344E43997D&displaylang=en (Windows 7)
  * http://www.microsoft.com/en-us/download/details.aspx?id=6315 (Windows XP/Server 2003)

NOTE: On Windows 8/7/Vista, after installing RSAT go to Control Panel -> Programs -> "Turn Windows features on or off" and enable the administrative tools.

After downloading the package, run it:

{{:rsat1.png?500|}}

Installing

{{:rsat2.png?500|}}

Installation complete

{{:rsat4.png?500|}}

Installed tools

{{:ferramentasadministrativas.png?500|}}

Now open the Active Directory Users and Computers MMC from Administrative Tools, or run dsa.msc.

You get something like this:

{{:dsamsc1.png?500|}}

Here we can create users, groups and computers, and create GPOs.

Examples of objects we can create:

{{:objetosad.png?500|}}

The user creation dialog:

{{:criacaousuarioad.png?500|}}

The GPO screen:

{{:gpos.png?500|}}

DNS can also be managed via MMC: open DNS from Administrative Tools.

{{:conexaodns.png?500|}}

The DNS configuration screen:

{{:mmcdns.png?500|}}

Users can also be created from the command line:
<sxh bash>
samba-tool user add nerso
New Password:
Retype Password:
User 'nerso' created successfully
</sxh>

Now look at the AD users:

{{:dsamscnerso.png?500|}}

Now let's set up roaming profiles.

Edit the Samba configuration file:
<sxh bash>
vim /usr/local/samba/etc/smb.conf
# Global parameters
[global]
        workgroup = LAB
        realm = LAB.LAN
        netbios name = DEBIAN
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/lab.lan/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

[printers]
    comment = All Printers
    path = /usr/local/samba/var/spool
    browseable = Yes
    read only = No
    printable = Yes

[print$]
    comment = Point and Print Printer Drivers
    path = /usr/local/samba/var/print
    read only = No

[profiles]
      path = /usr/local/samba/var/profiles
      read only = no
</sxh>

Create the directory that will hold the profiles:
<sxh bash>
mkdir /usr/local/samba/var/profiles
</sxh>

Now set the permissions. Mode 1777 lets every user create their own profile directory while the sticky bit stops users from removing or renaming each other's; the per-user directories that Samba creates underneath get no access for "other", as the listings below show.
<sxh bash>
chmod -R 1777 /usr/local/samba/var/profiles
</sxh>

Now reload Samba:
<sxh bash>
killall -HUP samba
</sxh>

Now set the profile path for the user douglas.santos:

{{:perfilmovel.png?500|}}

Now log on as that user.

When we log on, a folder named after the user is created under /usr/local/samba/var/profiles:
<sxh bash>
ls -l /usr/local/samba/var/profiles
total 8
drwxrws---+ 2 3000019 staff 4096 Fev 24 13:19 douglas.santos/
</sxh>

Note the + at the end of the mode string: an ACL is set on the directory. Let's list it:
<sxh bash>
getfacl -p /usr/local/samba/var/profiles/douglas.santos
# file: /usr/local/samba/var/profiles/douglas.santos
# owner: 3000019
# group: staff
# flags: -s-
user::rwx
group::---
group:staff:---
group:3000002:rwx
group:3000019:rwx
mask::rwx
other::---
default:user::rwx
default:user:3000019:rwx
default:group::---
default:group:staff:---
default:group:3000002:rwx
default:group:3000019:rwx
default:mask::rwx
default:other::---
</sxh>

Now when we log off, the profile files are saved into that directory:
<sxh bash>
ls -l /usr/local/samba/var/profiles/douglas.santos
total 624
drwxrws---+ 2 3000019 users   4096 Fev 23 13:44 Ambiente\ de\ impressão/
drwxrws---+ 2 3000019 users   4096 Fev 23 13:44 Ambiente\ de\ rede/
drwxrws---+ 2 3000019 users   4096 Fev 23 16:50 Cookies/
drwxrws---+ 4 3000019 users   4096 Fev 24 13:19 Dados\ de\ aplicativos/
drwxrws---+ 2 3000019 users   4096 Fev 23 13:44 Desktop/
drwxrws---+ 3 3000019 users   4096 Fev 24 13:19 Favoritos/
drwxrws---+ 3 3000019 users   4096 Fev 23 13:44 Menu\ Iniciar/
drwxrws---+ 4 3000019 users   4096 Fev 24 13:19 Meus\ documentos/
drwxrws---+ 2 3000019 users   4096 Fev 23 16:48 Modelos/
-rwxrwx---+ 1 3000019 users 524288 Fev 24 13:22 NTUSER.DAT*
-rwxrwx---+ 1 3000019 users   1024 Fev 24 13:22 NTUSER.DAT.LOG*
-rwxrwx---+ 1 3000019 users    300 Fev 24 13:22 ntuser.ini*
drwxrws---+ 2 3000019 users   4096 Fev 24 13:19 Recent/
drwxrws---+ 2 3000019 users   4096 Fev 24 13:19 SendTo/
</sxh>
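A profile directory holds the user's NTUSER.DAT registry hive and documents, so it is worth checking from time to time that no per-user directory under the profiles share has become accessible to other users (the directories Samba created above are drwxrws---, with nothing for "other"). The audit script below is an added example, not part of the original guide; it builds a constructed demo tree instead of touching /usr/local/samba/var/profiles, and the user names alice and bob are made up.

```shell
#!/bin/sh
# Added example, not part of the original guide: audit a roaming-profile root.
# Samba created the per-user directory above as drwxrws--- (no "other" bits),
# which is what we want: a profile holds NTUSER.DAT and the user's files, so
# any per-user directory that other users can read or enter is a finding.

# audit_profiles <root>
# Prints "WARN <dir> <mode>" for every first-level directory under <root>
# whose mode grants anything to "other"; returns 1 if anything was flagged.
audit_profiles() {
    root="$1"; rc=0
    for d in "$root"/*/; do
        [ -d "$d" ] || continue
        d=${d%/}
        mode=$(stat -c '%a' "$d")       # e.g. 2770 or 755
        other=${mode#"${mode%?}"}       # last octal digit = "other" bits
        if [ "$other" -ne 0 ]; then
            printf 'WARN %s %s\n' "$d" "$mode"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed stand-in for /usr/local/samba/var/profiles (names made up).
demo_tree() {
    tmp=$(mktemp -d)
    mkdir -m 2770 "$tmp/alice"      # the mode Samba produced on the page
    mkdir -m 0755 "$tmp/bob"        # set by hand: world-readable, must be flagged
    echo "$tmp"
}

demo=$(demo_tree)
audit_profiles "$demo" || echo "tighten the directories listed above (chmod o= <dir>)"
rm -rf "$demo"
```

On the real server, run audit_profiles /usr/local/samba/var/profiles from cron and alert on a non-zero exit; only the top-level directory should be world-accessible (the 1777 set above), never the per-user directories.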

Setting up authentication
<sxh bash>
vim /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat winbind
group:          compat winbind
shadow:         compat

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

</sxh>

Setting up PAM:
<sxh bash>
ln -sf /usr/local/samba/lib/security/pam_winbind.so /lib/x86_64-linux-gnu/security/pam_winbind.so
</sxh>

On 64-bit systems the NSS library is linked as follows:
<sxh bash>
ln -s /usr/local/samba/lib/libnss_winbind.so.2 /usr/lib/x86_64-linux-gnu/libnss_winbind.so
ln -s /usr/lib/x86_64-linux-gnu/libnss_winbind.so /usr/lib/x86_64-linux-gnu/libnss_winbind.so.2
ldconfig
</sxh>

Now check that it is loaded on the system:
<sxh bash>
ldconfig -v | grep winbind
ldconfig: Path `/lib/x86_64-linux-gnu' given more than once
ldconfig: Path `/usr/lib/x86_64-linux-gnu' given more than once
  libnss_winbind.so -> libnss_winbind.so.2
</sxh>

Now list the local and domain users:
<sxh bash>
getent passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
Debian-exim:x:101:103::/var/spool/exim4:/bin/false
statd:x:102:65534::/var/lib/nfs:/bin/false
sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin
douglas:x:1000:1000:douglas,,,:/home/douglas:/bin/bash
postfix:x:104:107::/var/spool/postfix:/bin/false
messagebus:x:105:109::/var/run/dbus:/bin/false
bind:x:106:110::/var/cache/bind:/bin/false
ntp:x:107:111::/home/ntp:/bin/false
LAB\Administrator:*:0:100::/home/LAB/Administrator:/bin/bash
LAB\Guest:*:3000011:3000012::/home/LAB/Guest:/bin/bash
LAB\krbtgt:*:3000017:100::/home/LAB/krbtgt:/bin/bash
LAB\dns-pdc:*:3000018:100::/home/LAB/dns-pdc:/bin/bash
</sxh>

Now query the Administrator user. Note that on the DC the domain Administrator is mapped to uid 0, so it is root on the Linux side as well; whoever holds that domain password can log on to the DC with root privileges once PAM is wired to winbind below.
<sxh bash>
id Administrator
uid=0(root) gid=100(users) grupos=0(root),100(users),3000004(LAB\Group Policy Creator Owners),3000006(LAB\Enterprise Admins),3000008(LAB\Domain Admins),3000007(LAB\Schema Admins)
</sxh>

Now let's adjust PAM on the DC.

<sxh bash>
vim /etc/pam.d/common-auth
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
auth  sufficient  pam_winbind.so
auth  [success=2 default=ignore]  pam_krb5.so minimum_uid=1000
auth  [success=1 default=ignore]  pam_unix.so nullok_secure try_first_pass
# here's the fallback if no module succeeds
auth  requisite     pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth  required      pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
</sxh>

<sxh bash>
vim /etc/pam.d/common-account
#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system.  The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.
#

# here are the per-package modules (the "Primary" block)
account sufficient pam_winbind.so
account [success=1 new_authtok_reqd=done default=ignore]  pam_unix.so
# here's the fallback if no module succeeds
account requisite     pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required      pam_permit.so
# and here are more per-package modules (the "Additional" block)
account required      pam_krb5.so minimum_uid=1000
# end of pam-auth-update config
</sxh>

<sxh bash>
vim /etc/pam.d/common-session
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
session required pam_mkhomedir.so skel=/etc/skel umask=0027
session required pam_winbind.so
session [default=1]     pam_permit.so
# here's the fallback if no module succeeds
session requisite     pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required      pam_permit.so
# and here are more per-package modules (the "Additional" block)
session optional      pam_krb5.so minimum_uid=1000
session required  pam_unix.so
# end of pam-auth-update config
</sxh>

<sxh bash>
vim /etc/pam.d/sshd
# PAM configuration for the Secure Shell service

# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
auth       required     pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
auth       required     pam_env.so envfile=/etc/default/locale

# Standard Un*x authentication.
@include common-auth

# Disallow non-root logins when /etc/nologin exists.
account    required     pam_nologin.so
# Allow access only from these groups
account    sufficient   pam_succeed_if.so user ingroup root
account    requisite    pam_succeed_if.so user ingroup ti-admin

# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account  required     pam_access.so

# Standard Un*x authorization.
@include common-account

# Standard Un*x session setup and teardown.
@include common-session

# Print the message of the day upon successful login.
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session    optional     pam_motd.so  motd=/run/motd.dynamic noupdate
session    optional     pam_motd.so # [1]

# Print the status of the user's mailbox upon successful login.
session    optional     pam_mail.so standard noenv # [1]

# Set up user limits from /etc/security/limits.conf.
session    required     pam_limits.so

# Set up SELinux capabilities (need modified pam)
# session  required     pam_selinux.so multiple

# Standard Un*x password updating.
@include common-password
</sxh>

<sxh bash>
vim /etc/pam.d/login
#
# The PAM configuration file for the Shadow `login' service
#

# Enforce a minimal delay in case of failure (in microseconds).
# (Replaces the `FAIL_DELAY' setting from login.defs)
# Note that other modules may require another minimal delay. (for example,
# to disable any delay, you should add the nodelay option to pam_unix)
auth       optional   pam_faildelay.so  delay=3000000

# Outputs an issue file prior to each login prompt (Replaces the
# ISSUE_FILE option from login.defs). Uncomment for use
# auth       required   pam_issue.so issue=/etc/issue

# Disallows root logins except on tty's listed in /etc/securetty
# (Replaces the `CONSOLE' setting from login.defs)
#
# With the default control of this module:
#   [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die]
# root will not be prompted for a password on insecure lines.
# if an invalid username is entered, a password is prompted (but login
# will eventually be rejected)
#
# You can change it to a "requisite" module if you think root may mis-type
# her login and should not be prompted for a password in that case. But
# this will leave the system as vulnerable to user enumeration attacks.
#
# You can change it to a "required" module if you think it permits to
# guess valid user names of your system (invalid user names are considered
# as possibly being root on insecure lines), but root passwords may be
# communicated over insecure lines.
auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so

# Disallows other than root logins when /etc/nologin exists
# (Replaces the `NOLOGINS_FILE' option from login.defs)
auth       requisite  pam_nologin.so

# Allow access only from these groups
account    sufficient   pam_succeed_if.so user ingroup root
account    requisite    pam_succeed_if.so user ingroup ti-admin

# SELinux needs to be the first session rule. This ensures that any
# lingering context has been cleared. Without this it is possible
# that a module could execute code in the wrong domain.
# When the module is present, "required" would be sufficient (When SELinux
# is disabled, this returns success.)
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close

# This module parses environment configuration file(s)
# and also allows you to use an extended config
# file /etc/security/pam_env.conf.

# parsing /etc/environment needs "readenv=1"
session       required   pam_env.so readenv=1
# locale variables are also kept into /etc/default/locale in etch
# reading this file *in addition to /etc/environment* does not hurt
session       required   pam_env.so readenv=1 envfile=/etc/default/locale

# Standard Un*x authentication.
@include common-auth

# This allows certain extra groups to be granted to a user
# based on things like time of day, tty, service, and user.
# Please edit /etc/security/group.conf to fit your needs
# (Replaces the `CONSOLE_GROUPS' option in login.defs)
auth       optional   pam_group.so

# Uncomment and edit /etc/security/time.conf if you need to set
# time restraints on logins.
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
# as well as /etc/porttime)
# account    requisite  pam_time.so

# Uncomment and edit /etc/security/access.conf if you need to
# set access limits.
# (Replaces /etc/login.access file)
# account  required       pam_access.so

# Sets up user limits according to /etc/security/limits.conf
# (Replaces the use of /etc/limits in old login)
session    required   pam_limits.so

# Prints the last login info upon successful login
# (Replaces the `LASTLOG_ENAB' option from login.defs)
session    optional   pam_lastlog.so

# Prints the message of the day upon successful login.
# (Replaces the `MOTD_FILE' option in login.defs)
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session    optional   pam_motd.so  motd=/run/motd.dynamic
session    optional   pam_motd.so

# Prints the status of the user's mailbox upon successful login
# (Replaces the `MAIL_CHECK_ENAB' option from login.defs).
#
# This also defines the MAIL environment variable
# However, userdel also needs MAIL_DIR and MAIL_FILE variables
# in /etc/login.defs to make sure that removing a user
# also removes the user's mail spool file.
# See comments in /etc/login.defs
session    optional   pam_mail.so standard

# Standard Un*x account and session
@include common-account
@include common-session
@include common-password

# SELinux needs to intervene at login time to ensure that the process
# starts in the proper default security context. Only sessions which are
# intended to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
# When the module is present, "required" would be sufficient (When SELinux
# is disabled, this returns success.)
</sxh>
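The sshd and login stacks above depend on the order of the two pam_succeed_if.so lines: the sufficient rule lets members of root through at once, and the requisite rule stops everyone who is not in ti-admin before the included common-account modules ever run. The script below is an added example, not from the guide: it models the three classic PAM control flags in shell and evaluates that account stack for a constructed set of users. The user names and the group table are made up, pam_nologin.so is left out, and the [success=N ...] control syntax used elsewhere in these files is not modelled. The same reasoning applies to the identical client stacks further down.

```shell
#!/bin/sh
# Added example, not from the original guide: a model of how PAM evaluates
# "sufficient", "requisite" and "required" rules, applied to the account
# section of /etc/pam.d/sshd shown above (pam_nologin.so omitted).

# Constructed group table, "user:group group ..." (made-up names).
GROUP_TABLE='root:root
alice:ti-admin users
bob:users'

# Stand-in for pam_succeed_if.so "user ingroup <group>": 0 if $1 is in $2.
user_in_group() {
    printf '%s\n' "$GROUP_TABLE" | awk -F: -v u="$1" -v g="$2" '
        $1 == u { n = split($2, a, " "); for (i = 1; i <= n; i++) if (a[i] == g) found = 1 }
        END { exit found ? 0 : 1 }'
}
ingroup_root()     { user_in_group "$1" root; }
ingroup_ti_admin() { user_in_group "$1" ti-admin; }
common_account()   { return 0; }   # stand-in for "@include common-account"
always_fail()      { return 1; }   # a module that denies, for the tests

# pam_eval USER control:module ...  -> 0 = PAM_SUCCESS, 1 = denied
#   sufficient: success ends the stack with PAM_SUCCESS unless an earlier
#               "required" module already failed; failure is ignored
#   requisite:  failure ends the stack immediately with a denial
#   required:   failure is remembered, but the remaining modules still run
pam_eval() {
    user="$1"; shift
    req_failed=0
    for rule in "$@"; do
        control=${rule%%:*}; module=${rule#*:}
        if "$module" "$user"; then ok=1; else ok=0; fi
        case "$control" in
            sufficient) if [ "$ok" -eq 1 ] && [ "$req_failed" -eq 0 ]; then return 0; fi ;;
            requisite)  if [ "$ok" -eq 0 ]; then return 1; fi ;;
            required)   if [ "$ok" -eq 0 ]; then req_failed=1; fi ;;
            *) echo "unknown control flag: $control" >&2; return 1 ;;
        esac
    done
    [ "$req_failed" -eq 0 ]
}

# The account rules of this guide's /etc/pam.d/sshd, in stack order.
sshd_account_allowed() {
    pam_eval "$1" \
        sufficient:ingroup_root \
        requisite:ingroup_ti_admin \
        required:common_account
}

for u in root alice bob; do
    if sshd_account_allowed "$u"; then echo "$u: allowed"; else echo "$u: denied"; fi
done
```

Swapping the two lines (requisite first) would lock out root unless it were also in ti-admin, and replacing requisite with sufficient would let every other domain user fall through to common-account, where pam_winbind.so accepts them; the model makes both mistakes visible before they reach a real sshd.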


Setting up sudo:
<sxh bash>
visudo
%ti-admin        ALL=(ALL:ALL) ALL
</sxh>

====== Configuring a Debian Wheezy client to authenticate against Samba 4 ======

Prepare your system with the following script http://wiki.douglasqsantos.com.br/doku.php/confinicialwheezy_en so that no package or setting is missing.

Update the repositories and upgrade the system:
<sxh bash>
aptitude update && aptitude dist-upgrade -y
</sxh>

Now set the Debian environment variables:
<sxh bash>
export DEBIAN_PRIORITY=critical
export DEBIAN_FRONTEND=noninteractive
</sxh>

Now install the dependencies:
<sxh bash>
aptitude install samba samba-common smbclient winbind krb5-config libpam-krb5 cifs-utils krb5-user -y
</sxh>

Now restore the Debian environment variables:
<sxh bash>
unset DEBIAN_PRIORITY
unset DEBIAN_FRONTEND
</sxh>

Now set up resolv.conf. The nameservers must be the Samba DCs, because the client finds the KDC and the LDAP service through the domain's DNS SRV records:
<sxh bash>
vim /etc/resolv.conf
domain lab.lan
search lab.lan
nameserver 192.168.0.25
nameserver 192.168.0.26
</sxh>

Now sync the clock on our machine:
<sxh bash>
ntpdate -u a.ntp.br
</sxh>

Now set up the Kerberos configuration file:
<sxh bash>
vim /etc/krb5.conf
[libdefaults]
default_realm = LAB.LAN
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true
[realms]
LAB.LAN = {
kdc = 192.168.0.25
kdc = 192.168.0.26
admin_server = 192.168.0.25:749
default_server = 192.168.0.25
}
[domain_realm]
.lab.lan=LAB.LAN
lab.lan=LAB.LAN
[login]
krb4_convert = true
krb4_get_tickets = false
[kdc]
profile = /etc/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
[logging]
default = file:/var/log/krb5libs.log
kdc = file:/var/log/krb5kdc.log
admin_server = file:/var/log/kadmind.log
</sxh>

Now adjust limits.conf (replace mioutente with the account that should get the raised limit):
<sxh bash>
vim /etc/security/limits.conf
[...]
# add at the end of the file
root hard nofile 131072
root soft nofile 65536
mioutente hard nofile 32768
mioutente soft nofile 16384
</sxh>

Now adjust smb.conf. Two things to watch here: the netbios name becomes the client's computer account in the domain, so it must not be the DC's name (DEBIAN); and with the ad backend in rfc2307 mode winbind only resolves users and groups that have uidNumber/gidNumber attributes set in AD, and it needs a range for the LAB domain that does not overlap the default "*" range.
<sxh bash>
vim /etc/samba/smb.conf
[global]
        workgroup = LAB
        security = ADS
        realm = LAB.LAN
        # placeholder: the client's own name, which must differ from the DC's
        netbios name = CLIENT01
        encrypt passwords = yes
        idmap config * : backend = tdb
        idmap config * : range = 10000-30000
        idmap config LAB:backend = ad
        idmap config LAB:schema_mode = rfc2307
        # added: the ad backend needs a range; it must not overlap the "*" range
        # above (the values are an assumption, adjust them to your environment)
        idmap config LAB:range = 30001-60000
        auth methods = winbind
        winbind nss info = rfc2307
        winbind trusted domains only = no
        winbind use default domain = yes
        winbind enum users  = yes
        winbind enum groups = yes
        template shell = /bin/bash
</sxh>
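Added example, not the guide's own code: a check that pulls every idmap range out of an smb.conf and reports pairs of domains whose ranges overlap, since each idmap domain (the default "*" included) must own a disjoint range and winbind refuses a configuration where they collide. It runs over a constructed file; the path and the LAB ranges written into it are placeholders.

```shell
#!/bin/sh
# Added example, not from the original guide: find overlapping idmap ranges in
# an smb.conf before restarting winbind. The range of every idmap domain
# (including the default "*" domain) must be disjoint from all the others.

# check_idmap_ranges <smb.conf>
# Prints one "OVERLAP <domA> <domB>" line per clashing pair; returns 1 if any.
check_idmap_ranges() {
    awk '
        /^[ \t]*idmap config[ \t]/ {
            line = $0
            sub(/^[ \t]*idmap config[ \t]*/, "", line)   # "LAB:range = 30001-60000"
            eq = index(line, "=")
            if (eq == 0) next
            key = substr(line, 1, eq - 1); val = substr(line, eq + 1)
            gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
            n = split(key, kp, ":")                       # kp[1] = domain, kp[2] = option
            if (n != 2 || kp[2] != "range") next
            split(val, r, "-")
            c++; dom[c] = kp[1]; lo[c] = r[1] + 0; hi[c] = r[2] + 0
        }
        END {
            bad = 0
            for (i = 1; i <= c; i++)
                for (j = i + 1; j <= c; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                        printf "OVERLAP %s %s\n", dom[i], dom[j]
                        bad = 1
                    }
            exit bad
        }' "$1"
}

# Constructed smb.conf fragment (placeholder values, not a real host's config).
write_sample() {   # write_sample <file> <LAB range>
    printf '[global]\n        idmap config * : backend = tdb\n        idmap config * : range = 10000-30000\n        idmap config LAB:backend = ad\n        idmap config LAB:range = %s\n' "$2" > "$1"
}

sample=$(mktemp)
write_sample "$sample" 20000-40000
check_idmap_ranges "$sample" || echo "fix the ranges above before restarting winbind"
rm -f "$sample"
```

On a real client run check_idmap_ranges /etc/samba/smb.conf before /etc/init.d/winbind restart; a clean exit means the ranges are disjoint (it does not check that they are large enough).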

Now adjust nsswitch.conf:
<sxh bash>
vim /etc/nsswitch.conf
[...]
passwd:         compat winbind
group:          compat winbind
</sxh>

Now restart the services:
<sxh bash>
/etc/init.d/samba restart
/etc/init.d/winbind restart
</sxh>

Now join the domain:
<sxh bash>
net ads join lab.lan -U administrator
</sxh>

Restart the services again so that winbind picks up the new machine account:
<sxh bash>
/etc/init.d/samba restart
/etc/init.d/winbind restart
</sxh>

Now let's adjust PAM.

<sxh bash>
vim /etc/pam.d/common-auth
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
auth  sufficient  pam_winbind.so
auth  [success=2 default=ignore]  pam_krb5.so minimum_uid=1000
auth  [success=1 default=ignore]  pam_unix.so nullok_secure try_first_pass
# here's the fallback if no module succeeds
auth  requisite     pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth  required      pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
</sxh>

<sxh bash>
vim /etc/pam.d/common-account
#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system.  The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.
#

# here are the per-package modules (the "Primary" block)
account sufficient pam_winbind.so
account [success=1 new_authtok_reqd=done default=ignore]  pam_unix.so
# here's the fallback if no module succeeds
account requisite     pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required      pam_permit.so
# and here are more per-package modules (the "Additional" block)
account required      pam_krb5.so minimum_uid=1000
# end of pam-auth-update config
</sxh>

<sxh bash>
vim /etc/pam.d/common-session
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
session required pam_mkhomedir.so skel=/etc/skel umask=0027
session required pam_winbind.so
session [default=1]     pam_permit.so
# here's the fallback if no module succeeds
session requisite     pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required      pam_permit.so
# and here are more per-package modules (the "Additional" block)
session optional      pam_krb5.so minimum_uid=1000
session required  pam_unix.so
# end of pam-auth-update config
</sxh>

 +<sxh bash>
 +vim /​etc/​pam.d/​sshd
 +# PAM configuration for the Secure Shell service
 +
 +# Read environment variables from /​etc/​environment and
 +# /​etc/​security/​pam_env.conf.
 +auth       ​required ​    ​pam_env.so # [1]
 +# In Debian 4.0 (etch), locale-related environment variables were moved to
 +# /​etc/​default/​locale,​ so read that as well.
 +auth       ​required ​    ​pam_env.so envfile=/​etc/​default/​locale
 +
 +# Standard Un*x authentication.
 +@include common-auth
 +
 +# Disallow non-root logins when /​etc/​nologin exists.
 +account ​   required ​    ​pam_nologin.so
 +#Allow connection from those groups
 +account ​   sufficient ​  ​pam_succeed_if.so user ingroup root
 +account ​   requisite ​   pam_succeed_if.so user ingroup ti-admin
 +
 +# Uncomment and edit /​etc/​security/​access.conf if you need to set complex
 +# access limits that are hard to express in sshd_config.
 +# account ​ required ​    ​pam_access.so
 +
 +# Standard Un*x authorization.
 +@include common-account
 +
 +# Standard Un*x session setup and teardown.
 +@include common-session
 +
 +# Print the message of the day upon successful login.
 +# This includes a dynamically generated part from /​run/​motd.dynamic
 +# and a static (admin-editable) part from /etc/motd.
 +session ​   optional ​    ​pam_motd.so ​ motd=/​run/​motd.dynamic noupdate
 +session ​   optional ​    ​pam_motd.so # [1]
 +
 +# Print the status of the user's mailbox upon successful login.
 +session ​   optional ​    ​pam_mail.so standard noenv # [1]
 +
 +# Set up user limits from /​etc/​security/​limits.conf.
 +session ​   required ​    ​pam_limits.so
 +
 +# Set up SELinux capabilities (need modified pam)
 +# session ​ required ​    ​pam_selinux.so multiple
 +
 +# Standard Un*x password updating.
 +@include common-password
 +</​sxh>​
 +
 +<sxh bash>
 +vim /​etc/​pam.d/​login ​
 +#
 +# The PAM configuration file for the Shadow `login'​ service
 +#
 +
 +# Enforce a minimal delay in case of failure (in microseconds).
 +# (Replaces the `FAIL_DELAY'​ setting from login.defs)
 +# Note that other modules may require another minimal delay. (for example,
 +# to disable any delay, you should add the nodelay option to pam_unix)
 +auth       ​optional ​  ​pam_faildelay.so ​ delay=3000000
 +
 +# Outputs an issue file prior to each login prompt (Replaces the
 +# ISSUE_FILE option from login.defs). Uncomment for use
 +# auth       ​required ​  ​pam_issue.so issue=/​etc/​issue
 +
 +# Disallows root logins except on tty's listed in /​etc/​securetty
 +# (Replaces the `CONSOLE'​ setting from login.defs)
 +#
 +# With the default control of this module:
 +#   ​[success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die]
 +# root will not be prompted for a password on insecure lines.
 +# if an invalid username is entered, a password is prompted (but login
 +# will eventually be rejected)
 +#
 +# You can change it to a "​requisite"​ module if you think root may mis-type
 +# her login and should not be prompted for a password in that case. But
 +# this will leave the system as vulnerable to user enumeration attacks.
 +#
 +# You can change it to a "​required"​ module if you think it permits to
 +# guess valid user names of your system (invalid user names are considered
 +# as possibly being root on insecure lines), but root passwords may be
 +# communicated over insecure lines.
 +auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
 +
 +# Disallows other than root logins when /​etc/​nologin exists
 +# (Replaces the `NOLOGINS_FILE'​ option from login.defs)
 +auth       ​requisite ​ pam_nologin.so
 +
 +#Allow connection from those groups
 +account ​   sufficient ​  ​pam_succeed_if.so user ingroup root
 +account ​   requisite ​   pam_succeed_if.so user ingroup ti-admin
 +
 +# SELinux needs to be the first session rule. This ensures that any 
 +# lingering context has been cleared. Without out this it is possible ​
 +# that a module could execute code in the wrong domain.
 +# When the module is present, "​required"​ would be sufficient (When SELinux
 +# is disabled, this returns success.)
 +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
 +
 +# This module parses environment configuration file(s)
 +# and also allows you to use an extended config
 +# file /​etc/​security/​pam_env.conf.
 +
 +# parsing /​etc/​environment needs "​readenv=1"​
 +session ​      ​required ​  ​pam_env.so readenv=1
 +# locale variables are also kept into /​etc/​default/​locale in etch
 +# reading this file *in addition to /​etc/​environment* does not hurt
 +session ​      ​required ​  ​pam_env.so readenv=1 envfile=/​etc/​default/​locale
 +
 +# Standard Un*x authentication.
 +@include common-auth
 +
 +# This allows certain extra groups to be granted to a user
 +# based on things like time of day, tty, service, and user.
 +# Please edit /​etc/​security/​group.conf to fit your needs
 +# (Replaces the `CONSOLE_GROUPS'​ option in login.defs)
 +auth       ​optional ​  ​pam_group.so
 +
 +# Uncomment and edit /​etc/​security/​time.conf if you need to set
 +# time restrainst on logins.
 +# (Replaces the `PORTTIME_CHECKS_ENAB'​ option from login.defs
 +# as well as /​etc/​porttime)
 +# account ​   requisite ​ pam_time.so
 +
 +# Uncomment and edit /​etc/​security/​access.conf if you need to
 +# set access limits.
 +# (Replaces /​etc/​login.access file)
 +# account ​ required ​      ​pam_access.so
 +
 +# Sets up user limits according to /​etc/​security/​limits.conf
 +# (Replaces the use of /etc/limits in old login)
 +session ​   required ​  ​pam_limits.so
 +
 +# Prints the last login info upon succesful login
 +# (Replaces the `LASTLOG_ENAB'​ option from login.defs)
 +session ​   optional ​  ​pam_lastlog.so
 +
 +# Prints the message of the day upon succesful login.
 +# (Replaces the `MOTD_FILE'​ option in login.defs)
 +# This includes a dynamically generated part from /​run/​motd.dynamic
 +# and a static (admin-editable) part from /etc/motd.
 +session ​   optional ​  ​pam_motd.so ​ motd=/​run/​motd.dynamic
 +session ​   optional ​  ​pam_motd.so
 +
 +# Prints the status of the user's mailbox upon succesful login
 +# (Replaces the `MAIL_CHECK_ENAB'​ option from login.defs). ​
 +#
 +# This also defines the MAIL environment variable
 +# However, userdel also needs MAIL_DIR and MAIL_FILE variables
 +# in /​etc/​login.defs to make sure that removing a user 
 +# also removes the user's mail spool file.
 +# See comments in /​etc/​login.defs
 +session ​   optional ​  ​pam_mail.so standard
 +
 +# Standard Un*x account and session
 +@include common-account
 +@include common-session
 +@include common-password
 +
 +# SELinux needs to intervene at login time to ensure that the process
 +# starts in the proper default security context. Only sessions which are
 +# intended to run in the user's context should be run after this.
 +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
 +# When the module is present, "​required"​ would be sufficient (When SELinux
 +# is disabled, this returns success.)
 +</​sxh>​
 +
 +
Adjusting sudo
<sxh bash>
visudo
%ti-admin        ALL=(ALL:ALL) ALL
</sxh>

Now let's test the connection to winbind
<sxh bash>
wbinfo -t
checking the trust secret for domain LAB via RPC calls succeeded
</sxh>

Now let's list the domain users
<sxh bash>
wbinfo -u
douglas.santos
administrator
dns-nodo1
krbtgt
guest
</sxh>

Let's list the groups
<sxh bash>
wbinfo -g
allowed rodc password replication group
enterprise read-only domain controllers
denied rodc password replication group
ti-admin
read-only domain controllers
group policy creator owners
ras and ias servers
domain controllers
enterprise admins
domain computers
cert publishers
dnsupdateproxy
domain admins
domain guests
schema admins
domain users
dnsadmins
</sxh>

Now let's test SSH access to this client
<sxh bash>
ssh douglas.santos@192.168.0.52
douglas.santos@192.168.0.52's password: 
Creating directory '/home/LAB/douglas.santos'.
Linux debian 3.2.0-4-amd64 #1 SMP Debian 3.2.46-1 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
[10:35:45] douglas.santos@debian [~] $ 
</sxh>

In the authentication logs we will see something like the following
<sxh bash>
tail -f /var/log/auth.log
Aug 27 10:35:44 debian sshd[4852]: pam_krb5(sshd:auth): user douglas.santos authenticated as douglas.santos@LAB.LAN
Aug 27 10:35:44 debian sshd[4852]: Accepted password for douglas.santos from 192.168.0.130 port 51197 ssh2
Aug 27 10:35:44 debian sshd[4852]: pam_unix(sshd:session): session opened for user douglas.santos by (uid=0)
</sxh>

The client is authenticating successfully :D

====== Configuring a CentOS Client to Authenticate Against Samba 4 ======

Prepare your system with the following script http://wiki.douglasqsantos.com.br/doku.php/confinicialcentos6_en so that no package or configuration is missing.


Let's install the dependencies so the client can join the Samba 4 domain
<sxh bash>
yum install samba samba-winbind samba-winbind-devel samba-client samba-common \
 pam_krb5 cifs-utils samba-winbind-krb5-locator samba-doc krb5-workstation -y
</sxh>

Now let's add the services to the system startup
<sxh bash>
chkconfig --add nmb
chkconfig --add smb
chkconfig --add winbind
</sxh>

Now let's enable them
<sxh bash>
chkconfig nmb on
chkconfig smb on
chkconfig winbind on
</sxh>

Now let's adjust the client's resolv.conf
<sxh bash>
vim /etc/resolv.conf
domain lab.lan
search lab.lan
nameserver 192.168.0.25
nameserver 192.168.0.26
</sxh>

Now let's configure the network interface
<sxh bash>
vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE="eth0"
BOOTPROTO="static"
BROADCAST="192.168.0.255"
DNS1="192.168.0.25"
DNS2="192.168.0.26"
GATEWAY="192.168.0.1"
IPADDR="192.168.0.27"
NETMASK="255.255.255.0"
NM_CONTROLLED="yes"
ONBOOT="yes"
TYPE="Ethernet"
</sxh>

Now let's sync the server's clock: since we are going to work with winbind and Kerberos, we cannot tolerate clock skew
<sxh bash>
ntpdate -u a.ntp.br
</sxh>

Now let's configure Kerberos
<sxh bash>
vim /etc/krb5.conf
[libdefaults]
default_realm = LAB.LAN
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true
[realms]
LAB.LAN = {
kdc = 192.168.0.25
kdc = 192.168.0.26
admin_server = 192.168.0.25:749
default_server = 192.168.0.25
}
[domain_realm]
.lab.lan=LAB.LAN
lab.lan=LAB.LAN
[login]
krb4_convert = true
krb4_get_tickets = false
[kdc]
profile = /etc/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
[logging]
default = file:/var/log/krb5libs.log
kdc = file:/var/log/krb5kdc.log
admin_server = file:/var/log/kadmind.log
</sxh>

Now let's adjust limits.conf
<sxh bash>
vim /etc/security/limits.conf
[...]
# add at the end of the file
root hard nofile 131072
root soft nofile 65536
mioutente hard nofile 32768
mioutente soft nofile 16384
</sxh>

Now let's adjust smb.conf
<sxh bash>
vim /etc/samba/smb.conf
[global]
        workgroup = LAB
        security = ADS
        realm = LAB.LAN
        netbios name = CENTOS
        encrypt passwords = yes
        idmap config * : backend = tdb
        idmap config * : range = 10000-30000
        idmap config LAB:backend = ad
        idmap config LAB:schema_mode = rfc2307
        auth methods = winbind
        winbind nss info = rfc2307
        winbind trusted domains only = no
        winbind use default domain = yes
        winbind enum users  = yes
        winbind enum groups = yes
        template shell = /bin/bash
</sxh>

Now let's adjust nsswitch.conf
<sxh bash>
vim /etc/nsswitch.conf
[...]
passwd:     files winbind
shadow:     files
group:      files winbind
</sxh>

Let's start the services
<sxh bash>
/etc/init.d/nmb start
/etc/init.d/smb start
/etc/init.d/winbind start
</sxh>

Now let's configure PAM

Let's set it up so that the user's home directory is created when they log in
<sxh bash>
vim /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     required      pam_mkhomedir.so skel=/etc/skel/ umask=0027
</sxh>

Now let's configure console login through winbind; here I allowed only the root and ti-admin groups to log in to Linux machines
<sxh bash>
vim /etc/pam.d/login
#%PAM-1.0
auth       sufficient    pam_winbind.so
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       include      system-auth


account    sufficient     pam_succeed_if.so user ingroup root
account    required    pam_winbind.so
account    required     pam_nologin.so
account    include      system-auth
# Groups allowed to log in to the server
account    requisite    pam_succeed_if.so user ingroup ti-admin

password   include      system-auth
# pam_selinux.so close should be the first session rule

session    required     pam_selinux.so close
session    required     pam_mkhomedir.so        skel=/etc/skel umask=0027
session    include      system-auth
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    optional     pam_keyinit.so force revoke
</sxh>

Now let's configure SSH access through winbind; here too I allowed only the root and ti-admin groups to log in to Linux machines
<sxh bash>
vim /etc/pam.d/sshd
#%PAM-1.0
auth       sufficient    pam_winbind.so
auth       include      system-auth

account    sufficient   pam_succeed_if.so user ingroup root
account    required     pam_winbind.so
account    required     pam_nologin.so
account    include      system-auth
# Groups allowed to log in via ssh
account    requisite    pam_succeed_if.so user ingroup ti-admin

password   include      system-auth

session    required     pam_mkhomedir.so        skel=/etc/skel umask=0027
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so
</sxh>
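To see how the control flags in these stacks combine, here is an added example (not from the original page) that simulates Linux-PAM's evaluation of the CentOS /etc/pam.d/sshd account stack above with "include system-auth" expanded in place; the same controls appear in the Debian sshd and login stacks earlier on the page. The group memberships, UIDs and local-user list are constructed sample data standing in for winbind/NSS lookups.

```python
"""Simulate Linux-PAM evaluation of the CentOS /etc/pam.d/sshd account stack.

Added example, not from the original page: controls are expanded to the
[value=action] form and applied with ok/bad/die/done/ignore semantics.
GROUPS, UIDS and LOCAL_USERS are constructed sample data, not a real lookup."""

# Keyword controls as Linux-PAM defines them in the [value=action] form.
KEYWORDS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
}

# Constructed identity data (sample only): who is local, UIDs, group membership.
LOCAL_USERS = {"root"}                       # present in /etc/passwd
UIDS = {"root": 0, "douglas.santos": 10001, "guest": 10002}
GROUPS = {"root": {"root"}, "guest": {"domain users", "domain guests"},
          "douglas.santos": {"domain users", "ti-admin"}}

def run_module(module, args, user):
    """Modelled module outcomes: True for PAM_SUCCESS, False for failure."""
    if module == "pam_succeed_if" and args.startswith("user ingroup"):
        return args.split()[2] in GROUPS.get(user, set())
    if module == "pam_succeed_if":                    # "uid < 500 quiet"
        return UIDS[user] < int(args.split()[2])
    if module == "pam_winbind":
        return user not in LOCAL_USERS                # knows domain accounts only
    if module == "pam_localuser":
        return user in LOCAL_USERS
    return True   # pam_nologin (no /etc/nologin), pam_unix (user known via NSS), pam_permit

def evaluate(stack, user):
    """Walk (control, module, args) entries; True means the account phase passed."""
    failed, i = False, 0
    while i < len(stack):
        control, module, args = stack[i]
        actions = control if isinstance(control, dict) else KEYWORDS[control]
        result = "success" if run_module(module, args, user) else "auth_err"
        action = actions.get(result, actions["default"])
        i += 1
        if action == "die":                   # requisite failure: stop now
            return False
        if action == "bad":                   # required failure: remember it
            failed = True
        elif action == "done":                # sufficient success: stop, unless
            return not failed                 # an earlier required already failed
        elif isinstance(action, int):         # [success=N]: skip the next N modules
            i += action
    return not failed

# The page's CentOS sshd account stack with "account include system-auth" expanded.
SSHD_ACCOUNT = [
    ("sufficient", "pam_succeed_if", "user ingroup root"),
    ("required",   "pam_winbind",    ""),
    ("required",   "pam_nologin",    ""),
    ("required",   "pam_unix",       ""),                 # from system-auth
    ("sufficient", "pam_localuser",  ""),                 # from system-auth
    ("sufficient", "pam_succeed_if", "uid < 500 quiet"),  # from system-auth
    ("required",   "pam_permit",     ""),                 # from system-auth
    ("requisite",  "pam_succeed_if", "user ingroup ti-admin"),
]

def ssh_login_allowed(user):
    """root passes at the first 'sufficient'; domain users must reach the ti-admin gate."""
    return evaluate(SSHD_ACCOUNT, user)
```

Calling ssh_login_allowed() for root, douglas.santos and guest gives allowed, allowed and denied, matching the pam_succeed_if lines in the /var/log/secure excerpt later on the page; the 'sufficient' entries from system-auth show why that gate only binds users who are not local and not below UID 500.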

Now let's check that we can obtain a Kerberos ticket
<sxh bash>
kinit administrator
Password for administrator@LAB.LAN: 
Warning: Your password will expire in 41 days on Mon Oct  7 12:02:11 2013
</sxh>

Now let's list our ticket
<sxh bash>
klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@LAB.LAN

Valid starting     Expires            Service principal
08/27/13 10:02:54  08/27/13 20:02:54  krbtgt/LAB.LAN@LAB.LAN
  renew until 08/28/13 10:02:51
</sxh>

Now let's join the domain
<sxh bash>
net ads join lab.lan -U administrator
</sxh>

I am still trying to fix this DNS error.

Now let's restart the services
<sxh bash>
/etc/init.d/nmb restart
/etc/init.d/smb restart
/etc/init.d/winbind restart
</sxh>

Now let's test the connection to winbind
<sxh bash>
wbinfo -t
checking the trust secret for domain LAB via RPC calls succeeded
</sxh>

Now let's list the domain users
<sxh bash>
wbinfo -u
douglas.santos
administrator
dns-nodo1
krbtgt
guest
</sxh>

Let's list the groups
<sxh bash>
wbinfo -g
allowed rodc password replication group
enterprise read-only domain controllers
denied rodc password replication group
ti-admin
read-only domain controllers
group policy creator owners
ras and ias servers
domain controllers
enterprise admins
domain computers
cert publishers
dnsupdateproxy
domain admins
domain guests
schema admins
domain users
dnsadmins
</sxh>

Now let's test SSH access to this client
<sxh bash>
ssh douglas.santos@192.168.0.27
douglas.santos@192.168.0.27's password: 
Creating directory '/home/LAB/douglas.santos'.
[10:40:01] douglas.santos@centos [~] $ 
</sxh>

Now let's look at the CentOS access logs
<sxh bash>
tail -f /var/log/secure
Aug 27 10:38:55 centos sshd[13906]: pam_winbind(sshd:auth): getting password (0x00000000)
Aug 27 10:38:56 centos sshd[13906]: pam_winbind(sshd:auth): user 'douglas.santos' granted access
Aug 27 10:39:32 centos sshd[13906]: pam_succeed_if(sshd:account): requirement "user ingroup root" not met by user "douglas.santos"
Aug 27 10:39:32 centos sshd[13906]: pam_winbind(sshd:account): user 'douglas.santos' granted access
Aug 27 10:39:35 centos sshd[13906]: pam_succeed_if(sshd:account): requirement "user ingroup ti-admin" was met by user "douglas.santos"
Aug 27 10:39:35 centos sshd[13906]: Accepted password for douglas.santos from 192.168.0.130 port 46470 ssh2
Aug 27 10:39:50 centos sshd[13906]: pam_unix(sshd:session): session opened for user douglas.santos by (uid=0)
</sxh>
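The log excerpt above records the whole PAM decision path for one sshd session, which makes it a good place to verify that the group restriction is really being enforced. As an added example (not from the original page), the parser below groups such lines by sshd PID and reports, per session, which pam_succeed_if requirements were met, which modules granted access and whether sshd accepted the login; the embedded log lines are constructed sample data modelled on the excerpt, including a second, denied session.

```python
"""Summarise the PAM decision path per sshd session from /var/log/secure lines.

Added example, not from the original page. SAMPLE_LOG is constructed data
shaped like the tutorial's excerpt (the guest session is invented)."""

import re
from collections import defaultdict

SAMPLE_LOG = """\
Aug 27 10:38:55 centos sshd[13906]: pam_winbind(sshd:auth): getting password (0x00000000)
Aug 27 10:38:56 centos sshd[13906]: pam_winbind(sshd:auth): user 'douglas.santos' granted access
Aug 27 10:39:32 centos sshd[13906]: pam_succeed_if(sshd:account): requirement "user ingroup root" not met by user "douglas.santos"
Aug 27 10:39:32 centos sshd[13906]: pam_winbind(sshd:account): user 'douglas.santos' granted access
Aug 27 10:39:35 centos sshd[13906]: pam_succeed_if(sshd:account): requirement "user ingroup ti-admin" was met by user "douglas.santos"
Aug 27 10:39:35 centos sshd[13906]: Accepted password for douglas.santos from 192.168.0.130 port 46470 ssh2
Aug 27 10:39:50 centos sshd[13906]: pam_unix(sshd:session): session opened for user douglas.santos by (uid=0)
Aug 27 10:41:02 centos sshd[13950]: pam_winbind(sshd:auth): user 'guest' granted access
Aug 27 10:41:03 centos sshd[13950]: pam_succeed_if(sshd:account): requirement "user ingroup root" not met by user "guest"
Aug 27 10:41:03 centos sshd[13950]: pam_winbind(sshd:account): user 'guest' granted access
Aug 27 10:41:03 centos sshd[13950]: pam_succeed_if(sshd:account): requirement "user ingroup ti-admin" not met by user "guest"
"""

# syslog prefix: "Mon DD HH:MM:SS host sshd[PID]: message"
LINE_RE = re.compile(r"^\w{3}\s+\d+ [\d:]+ \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
REQ_RE = re.compile(r'pam_succeed_if\(sshd:account\): requirement "(?P<req>[^"]+)" '
                    r'(?P<verdict>was met|not met) by user "(?P<user>[^"]+)"')
GRANT_RE = re.compile(r"(?P<module>pam_\w+)\(sshd:(?P<phase>\w+)\): "
                      r"user '(?P<user>[^']+)' granted access")
ACCEPT_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")

def summarise(log_text):
    """Return {pid: {user, requirements: [(req, met)], granted: [...], accepted, src}}."""
    sessions = defaultdict(lambda: {"user": None, "requirements": [],
                                    "granted": [], "accepted": False, "src": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                              # not an sshd line
        s, msg = sessions[m["pid"]], m["msg"]
        if r := REQ_RE.search(msg):               # pam_succeed_if verdicts
            s["user"] = r["user"]
            s["requirements"].append((r["req"], r["verdict"] == "was met"))
        elif g := GRANT_RE.search(msg):           # pam_winbind auth/account grants
            s["user"] = g["user"]
            s["granted"].append(f"{g['module']}:{g['phase']}")
        elif a := ACCEPT_RE.search(msg):          # sshd's final verdict
            s["user"], s["src"], s["accepted"] = a["user"], a["src"], True
    return dict(sessions)

def group_gate_bypassed(session):
    """True if sshd accepted a login although no group requirement was met.

    On this stack every accepted login must show 'was met' for root or
    ti-admin; an accepted session without one means the gate is not in force."""
    return session["accepted"] and not any(met for _, met in session["requirements"])

if __name__ == "__main__":
    for pid, s in summarise(SAMPLE_LOG).items():
        verdict = "accepted" if s["accepted"] else "not accepted"
        print(pid, s["user"], verdict, s["requirements"], "bypass" if group_gate_bypassed(s) else "")
```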

The client is configured successfully :D
