Installing and configuring Samba 4 as Master/Slave with Bind9 DLZ and Sysvol Replication on Debian Jessie (Ongoing)

Anything still in Portuguese is my scratch notes, so please ignore it.

Hi folks, here I show how to install and configure Samba 4 as a PDC and how to configure a BDC as well; I will use BIND_DLZ as the DNS backend. I will also cover Sysvol replication, but only as a workaround (Samba AD currently doesn't provide support for SysVol replication), and we cannot forget backup and restore, so those will be covered too. Let's roll up our sleeves and get to work.

NOTE: I work with Samba 4.2.2, the current stable release as of today: 04/05/2015

NOTE: If you use BIND as the backend for your Samba AD, it must not run in a chroot, because it must be able to access files and databases from your Samba installation directly.

What I will use here:

  • Debian Jessie
    • IP: 192.168.25.100/24
    • name: samba1
    • domain: douglas.lan
  • Debian Jessie
    • IP: 192.168.25.101/24
    • name: samba2
    • domain: douglas.lan

We need to install some packages and configure some environment variables so the system works properly, so I have created a script that does this; it is available at http://wiki.douglasqsantos.com.br/doku.php/confinicialjessie_en. Feel free to change it as needed.

Note: The repositories in the script are Brazilian mirrors, which are the fastest for me, so feel free to change them for your country.

After downloading the script, convert it from DOS to Unix line endings as follows:

dos2unix ConfInicialJessie.sh

Then make it executable:

chmod +x ConfInicialJessie.sh

Now just execute it and wait:

./ConfInicialJessie.sh

Configuring the Samba Master

Let's update our repositories and upgrade all the packages:

aptitude update && aptitude dist-upgrade -y

Now let's set two environment variables so that package installation is non-interactive:

export DEBIAN_PRIORITY=critical
export DEBIAN_FRONTEND=noninteractive

Now we need to install the prerequisites that Samba 4 needs to build and run properly:

aptitude install libpam0g-dev git gcc make wget libacl1-dev libblkid-dev libreadline-dev python-dev libcups2-dev libcupsfilters-dev libfam-dev \
libcupscgi1-dev  libcupsimage2-dev libcupsmime1-dev libcupsppdc1-dev  libaio-dev acl-dev python-gnupg libpython-dev libghc-gnutls-dev  \
acl heimdal-clients libattr1-dev  libacl1-dev libattr1-dev libblkid-dev libgnutls28-dev libreadline-dev  python-dnspython gdb pkg-config libfam-dev  \
libpopt-dev libldap2-dev dnsutils libbsd-dev attr docbook-xsl  python-pycurl python-software-properties libwind0-heimdal libarchive-dev \
quota unattended-upgrades libpam-heimdal bison debhelper flex gettext  html2text intltool-debian  libbison-dev libgettextpo0 libldb-dev \
libldb1 libparse-yapp-perl libpython3.4 libsmbclient libsmbclient-dev libsubunit-dev libsubunit-perl libsubunit0 libtalloc-dev libtalloc2 \
libtdb-dev libtdb1 libtevent-dev libtevent0 libunistring0 libwbclient-dev libwbclient0 libxslt1.1 po-debconf python-all python-all-dev python-ldb \
python-ldb-dev python-pkg-resources python-subunit python-talloc python-talloc-dev python-tdb python-testtools subunit xsltproc libunwind-dev \
libgcrypt-dev libdbus-1-dev libedbus-dev libmodbus-dev python-dbus-dev libcephfs-dev libavahi-core-dev python-avahi libavahi-cil-dev dmapi-dev \
heimdal-dev heimdal-multidev libasn1-8-heimdal libgssapi3-heimdal libhcrypto4-heimdal libhdb9-heimdal libheimbase1-heimdal libheimntlm0-heimdal \
libhx509-5-heimdal libkadm5clnt7-heimdal libkadm5srv8-heimdal libkafs0-heimdal libkdc2-heimdal libkrb5-26-heimdal libroken18-heimdal  -y

Now we need to enable acl, user_xattr and barrier support on the / partition, or on whichever partition Samba will use, such as /var or /srv.

vim /etc/fstab
[...]
/dev/mapper/VolGroup-lv_root /                       ext4    defaults,acl,user_xattr,barrier=1        1 1
/dev/mapper/vg01-var         /var                    ext4    defaults,acl,user_xattr,barrier=1        0 2

Now we need to remount the partitions with the new options, or reboot the server to apply the changes.

mount -o remount /
mount -o remount /var

Debian Jessie differs from both CentOS 6 and Debian Wheezy here: if we ask mount about acl or xattr, it returns nothing. Let's try:

mount | egrep acl

We can check that these features are built into the kernel as follows:

cat /boot/config-$(uname -r) | egrep -i acl
CONFIG_EXT4_FS_POSIX_ACL=y
CONFIG_REISERFS_FS_POSIX_ACL=y
CONFIG_JFS_POSIX_ACL=y
CONFIG_XFS_POSIX_ACL=y
CONFIG_BTRFS_FS_POSIX_ACL=y
CONFIG_FS_POSIX_ACL=y
CONFIG_TMPFS_POSIX_ACL=y
# CONFIG_HFSPLUS_FS_POSIX_ACL is not set
CONFIG_JFFS2_FS_POSIX_ACL=y
CONFIG_F2FS_FS_POSIX_ACL=y
CONFIG_NFS_V3_ACL=y
CONFIG_NFSD_V2_ACL=y
CONFIG_NFSD_V3_ACL=y
CONFIG_NFS_ACL_SUPPORT=m
CONFIG_CEPH_FS_POSIX_ACL=y
CONFIG_CIFS_ACL=y
CONFIG_9P_FS_POSIX_ACL=y

As we saw, ACL support is built into the kernel, which is why the mount command showed nothing.

Let's run a test with ACLs and xattrs.

Let's access the /usr directory:

cd /usr

Now let's create a simple file

touch test.txt

Now let's set extended attributes on our file:

setfattr -n user.test -v test test.txt
setfattr -n security.test -v test2 test.txt

Now let's read back the attributes we set:

getfattr -d test.txt
# file: test.txt
user.test="test"

Now let's read the security attribute, which getfattr -d does not dump by default:

getfattr -n security.test -d test.txt
# file: test.txt
security.test="test2"
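Two of the requirements above (filesystems mounted with acl and user_xattr, and named not running in a chroot) are easy to get wrong and only show up later as broken sysvol ACLs or DLZ errors. The following pre-flight script is an added example, not part of the original page: check_fstab_opts reads an fstab and reports mount points missing acl or user_xattr, and named_chrooted inspects the OPTIONS line of an /etc/default/bind9 style file for BIND's -t (chroot) flag. The fstab and /etc/default/bind9 contents it checks are constructed samples.

```shell
#!/bin/sh
# Pre-flight checks for a Samba AD DC with the BIND9_DLZ backend (added example).
# The fstab and /etc/default/bind9 contents below are constructed samples.

# check_fstab_opts FSTAB MOUNTPOINT...
# Prints one line per problem ("<mp>: not in fstab" or "<mp>: missing <opt>") and
# returns 1 if any mount point lacks acl or user_xattr, 0 if all are fine.
check_fstab_opts() {
    fstab=$1
    shift
    status=0
    for mp in "$@"; do
        # 4th field of the non-comment fstab line whose mount point is $mp
        opts=$(awk -v mp="$mp" '$1 !~ /^#/ && NF >= 4 && $2 == mp { print $4 }' "$fstab")
        if [ -z "$opts" ]; then
            echo "$mp: not in fstab"
            status=1
            continue
        fi
        for need in acl user_xattr; do
            case ",$opts," in
                *",$need,"*) ;;
                *) echo "$mp: missing $need"; status=1 ;;
            esac
        done
    done
    return $status
}

# named_options FILE
# Extracts the value of OPTIONS="..." from an /etc/default/bind9 style file.
named_options() {
    sed -n 's/^OPTIONS="\([^"]*\)".*/\1/p' "$1"
}

# named_chrooted "OPTIONS string"
# Returns 0 if the named command line contains -t (run chrooted), 1 otherwise.
named_chrooted() {
    for word in $1; do
        case $word in
            -t*) return 0 ;;
        esac
    done
    return 1
}

# --- constructed samples ---------------------------------------------------
SAMPLE_FSTAB=$(mktemp)
SAMPLE_DEFAULT=$(mktemp)
trap 'rm -f "$SAMPLE_FSTAB" "$SAMPLE_DEFAULT"' EXIT
cat > "$SAMPLE_FSTAB" <<'EOF'
# constructed fstab: / is correct, /var lacks the Samba options
/dev/mapper/VolGroup-lv_root /     ext4  defaults,acl,user_xattr,barrier=1  1 1
/dev/mapper/vg01-var         /var  ext4  defaults,barrier=1                 0 2
EOF
cat > "$SAMPLE_DEFAULT" <<'EOF'
# constructed /etc/default/bind9 with named chrooted via -t
OPTIONS="-u bind -t /var/lib/named"
EOF

if check_fstab_opts "$SAMPLE_FSTAB" / /var; then
    echo "fstab: OK"
else
    echo "fstab: add the missing options above and remount"
fi
if named_chrooted "$(named_options "$SAMPLE_DEFAULT")"; then
    echo "named is chrooted: remove -t, BIND9_DLZ needs direct access to Samba's files"
else
    echo "named: not chrooted, OK"
fi
```

On a real host you would point check_fstab_opts at /etc/fstab and the mount points Samba uses (/ and /var here), and named_options at /etc/default/bind9.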

Now let's go to the directory that will hold the Samba sources:

cd /usr/src

Now we need to download Samba 4.2.2:

wget -c http://ftp.samba.org/pub/samba/stable/samba-4.2.2.tar.gz

Now we need to extract the sources (the tarball we just downloaded):

tar -xvf samba-4.2.2.tar.gz

Let's enter the source directory:

cd samba-4.2.2

Now we need to run configure, which checks the prerequisites:

./configure --enable-debug --enable-selftest

Now we compile Samba; this takes a while.

make

Now we can install Samba 4 with a single command:

make install

Now we need to adjust the PATH

echo "export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11:/usr/local/samba/sbin:/usr/local/samba/bin">> /root/.bashrc

Now we need to reload the PATH

source /root/.bashrc

Now we need to prepare BIND_DLZ.

Let's install the prerequisites to build BIND:

aptitude install autopoint autotools-dev bison debhelper dh-apparmor geoip-bin gettext hardening-wrapper html2text intltool-debian libgeoip-dev dh-autoreconf \
libbison-dev libcap-dev libdb-dev libdb5.3-dev libgettextpo0 libltdl-dev libmail-sendmail-perl libsys-hostname-long-perl dpkg-dev dh-systemd \
libtool libunistring0 libxml2-dev po-debconf libssl-dev libldap2-dev libkrb5-dev -y

Now we need to get the bind9 sources (this requires a deb-src entry in your APT sources):

cd /usr/src
apt-get source bind9

Now enter the bind9 source folder:

cd bind9-*

Now we need to edit debian/rules and add the configure flags that enable GSSAPI (Kerberos) and dlopen/DLZ support, as follows:

vim debian/rules
[...]
        ./configure --prefix=/usr \
                --mandir=\$${prefix}/share/man \
                --infodir=\$${prefix}/share/info \
                --sysconfdir=/etc/bind \
                --localstatedir=/var \
                --enable-threads \
                --enable-largefile \
                --with-libtool \
                --enable-shared \
                --enable-static \
                --with-openssl=/usr \
                --with-gssapi=/usr \
                --with-gnu-ld \
                --with-geoip=/usr \
                --with-atf=no \
                --enable-ipv6 \
                --enable-rrl \
                --enable-filter-aaaa \
                --with-libxml2 \
                --with-gssapi=/usr/include/gssapi   \
                --with-dlopen=yes \
                --with-dlz-ldap=yes \
                --with-dlz-filesystem=yes \
                $(EXTRA_FEATURES)

Now we build the deb packages; it will take a while.

dpkg-buildpackage

Now we need to install the packages:

cd ..
dpkg -i *.deb

Now we need to create the directories BIND will write to and adjust their permissions:

mkdir /var/cache/bind/{data,dynamic}
chown -R bind:bind /var/cache/bind/
chmod -R 775 /var/cache/bind/dynamic

Now let's make a copy of the original file:

cp /etc/bind/named.conf.options /etc/bind/named.conf.options.old

Now let's configure BIND:

vim /etc/bind/named.conf.options
#/etc/bind/named.conf.options

options {
    listen-on port 53 { 127.0.0.1; 192.168.25.0/24; };
    listen-on-v6 port 53 { ::1; };
    directory          "/var/cache/bind";
    dump-file          "/var/cache/bind/data/cache_dump.db";
    statistics-file    "/var/cache/bind/data/named_stats.txt";
    memstatistics-file "/var/cache/bind/data/named_mem_stats.txt";
    allow-query     { 192.168.25.0/24; 127.0.0.1/32; };
    allow-update    { 127.0.0.1/32; };
    allow-recursion { 192.168.25.0/24; 127.0.0.1/32; };
    forwarders { 8.8.8.8; 8.8.4.4; };

    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;

    /* Dynamic keys */
    managed-keys-directory "/var/cache/bind/dynamic";

    /* Enable support for secure GSS-TSIG updates */
    tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

Now we need to modify named.conf and include the configuration file generated by Samba:

vim /etc/bind/named.conf
[...]
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/usr/local/samba/private/named.conf";

Now we need to configure resolv.conf:

vim /etc/resolv.conf
domain douglas.lan
search douglas.lan
nameserver 192.168.25.100

Now we need to provision our domain; let's check the available options:

samba-tool domain provision -h
Usage: samba-tool domain provision [options]

Provision a domain.

Options:
  -h, --help            show this help message and exit
  --interactive         Ask for names
  --domain=DOMAIN       set domain
  --domain-guid=GUID    set domainguid (otherwise random)
  --domain-sid=SID      set domainsid (otherwise random)
  --ntds-guid=GUID      set NTDS object GUID (otherwise random)
  --invocationid=GUID   set invocationid (otherwise random)
  --host-name=HOSTNAME  set hostname
  --host-ip=IPADDRESS   set IPv4 ipaddress
  --host-ip6=IP6ADDRESS
                        set IPv6 ipaddress
  --site=SITENAME       set site name
  --adminpass=PASSWORD  choose admin password (otherwise random)
  --krbtgtpass=PASSWORD
                        choose krbtgt password (otherwise random)
  --machinepass=PASSWORD
                        choose machine password (otherwise random)
  --dns-backend=NAMESERVER-BACKEND
                        The DNS server backend. SAMBA_INTERNAL is the builtin
                        name server (default), BIND9_FLATFILE uses bind9 text
                        database to store zone information, BIND9_DLZ uses
                        samba4 AD to store zone information, NONE skips the
                        DNS setup entirely (not recommended)
  --dnspass=PASSWORD    choose dns password (otherwise random)
  --ldapadminpass=PASSWORD
                        choose password to set between Samba and it's LDAP
                        backend (otherwise random)
  --root=USERNAME       choose 'root' unix username
  --nobody=USERNAME     choose 'nobody' user
  --users=GROUPNAME     choose 'users' group
  --quiet               Be quiet
  --blank               do not add users or groups, just the structure
  --ldap-backend-type=LDAP-BACKEND-TYPE
                        Test initialisation support for unsupported LDAP
                        backend type (fedora-ds or openldap) DO NOT USE
  --server-role=ROLE    The server role (domain controller | dc | member
                        server | member | standalone). Default is dc.
  --function-level=FOR-FUN-LEVEL
                        The domain and forest function level (2000 | 2003 |
                        2008 | 2008_R2 - always native). Default is (Windows)
                        2008R2 Native.
  --next-rid=NEXTRID    The initial nextRid value (only needed for upgrades).
                        Default is 1000.
  --partitions-only     Configure Samba's partitions, but do not modify them
                        (ie, join a BDC)
  --targetdir=DIR       Set target directory
  --ol-mmr-urls=LDAPSERVER
                        List of LDAP-URLS [ ldap://<FQHN>:<PORT>/  (where
                        <PORT> has to be different than 389!) ] separated with
                        comma (",") for use with OpenLDAP-MMR (Multi-Master-
                        Replication), e.g.:
                        "ldap://s4dc1:9000,ldap://s4dc2:9000"
  --use-xattrs=USE_XATTRS
                        Define if we should use the native fs capabilities or
                        a tdb file for storing attributes likes ntacl, auto
                        tries to make an inteligent guess based on the user
                        rights and system capabilities
  --use-ntvfs           Use NTVFS for the fileserver (default = no)
  --use-rfc2307         Use AD to store posix attributes (default = no)

  Samba Common Options:
    -s FILE, --configfile=FILE
                        Configuration file
    -d DEBUGLEVEL, --debuglevel=DEBUGLEVEL
                        debug level
    --option=OPTION     set smb.conf option from command line
    --realm=REALM       set the realm name

  Version Options:
    -V, --version       Display version number

Now let's provision the domain:

samba-tool domain provision --domain=DOUGLAS --adminpass='smb@134*' \
--dns-backend=BIND9_DLZ --server-role=dc \
--function-level=2008_R2 --use-xattrs=yes \
--use-rfc2307 --realm=douglas.lan
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=douglas,DC=lan
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=douglas,DC=lan
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
See /usr/local/samba/private/named.conf for an example configuration include file for BIND
and /usr/local/samba/private/named.txt for further documentation required for secure DNS updates
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Setting up fake yp server settings
Once the above files are installed, your Samba4 server will be ready to use
Server Role:           active directory domain controller
Hostname:              samba1
NetBIOS Domain:        DOUGLAS
DNS Domain:            douglas.lan
DOMAIN SID:            S-1-5-21-2627875541-338730943-4229738209

If you get an error and need to provision again, run the following commands and then repeat the provisioning:

rm -rf /usr/local/samba/etc
rm -rf /usr/local/samba/private
rm -rf /usr/local/samba/var/locks/sysvol

Now we need to change the Samba configuration, but first let's make a copy of smb.conf:

cp -Rfa /usr/local/samba/etc/smb.conf{,.bkp}

Now let's make some changes to our configuration file:

vim /usr/local/samba/etc/smb.conf
# Global parameters
[global]
    workgroup = DOUGLAS
    realm = douglas.lan
    netbios name = SAMBA1
    server role = active directory domain controller
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
    ### RPC ###
    rpc_server:tcpip = no
    rpc_daemon:spoolssd = embedded
    rpc_server:spoolss = embedded
    rpc_server:winreg = embedded
    rpc_server:ntsvcs = embedded
    rpc_server:eventlog = embedded
    rpc_server:srvsvc = embedded
    rpc_server:svcctl = embedded
    rpc_server:default = external
    ### IDMAP ###
    idmap_ldb:use rfc2307 = yes
    idmap config * : backend = tdb
    idmap config * : range = 70001-80000
    ### The per-domain block must name our own NetBIOS domain (DOUGLAS); a block for another name is never applied
    idmap config DOUGLAS : backend = ad
    idmap config DOUGLAS : schema_mode = rfc2307
    idmap config DOUGLAS : range = 500-40000
    ### WINBIND ###
    winbind nss info = rfc2307
    winbind trusted domains only = no
    winbind use default domain = yes
    winbind enum users  = yes
    winbind enum groups = yes
    map archive = No
    map readonly = no
    store dos attributes = Yes
    ### The template is necessary to authenticate with winbind
    template shell = /bin/bash
    ### Disabling printers ###
    printcap name = /dev/null
    load printers = no
    disable spoolss = yes
    printing = bsd
    ### LOGS ###
    log file = /var/log/samba/smbd.log
    max log size = 50
    log level = 2
    ### VFS ###
    ### Only one "vfs objects" line: a second one replaces the first, and an AD DC needs dfs_samba4 and acl_xattr for sysvol
    vfs objects = dfs_samba4, acl_xattr, recycle, full_audit
    ### RECYCLE BIN ###
    recycle:repository = Recycle
    recycle:exclude = *.tmp *.TMP *.temp *.TEMP ~*
    recycle:keeptree = yes
    ### AUDIT ###
    full_audit:success = rmdir mkdir open write rename unlink
    full_audit:failure = rmdir mkdir open write rename unlink
    full_audit:prefix = %U|%I|%m|%S
    full_audit:facility = local5
    full_audit:priority = notice
    veto files = /*.mp3/*.wav/*.exe/*.cmd/*.adm/*.inf/*.ini/*.pif
    delete veto files = yes
    dos filemode = yes

[netlogon]
    path = /usr/local/samba/var/locks/sysvol/douglas.lan/scripts
    read only = No

[sysvol]
    path = /usr/local/samba/var/locks/sysvol
    read only = No
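A hazard of hand-edited smb.conf files is that Samba keeps only the last value when a parameter is set twice in the same section, so a stray second "vfs objects" line silently drops dfs_samba4 and acl_xattr, and a repeated full_audit:failure quietly turns failure auditing off. The following checker is an added example, not part of the original page or of Samba: it scans an smb.conf for parameters repeated within a section, comparing names the way Samba does (case-insensitively and ignoring whitespace). The smb.conf it runs over is a constructed sample.

```shell
#!/bin/sh
# Report parameters set more than once in the same smb.conf section (added example).
# The sample smb.conf below is constructed, not the page's real configuration.

# smbconf_duplicates FILE
# Prints "<section>/<parameter>" once for every parameter repeated within a section
# and returns 1 if any were found, 0 otherwise.
smbconf_duplicates() {
    awk '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }          # comments and blank lines
        /^[ \t]*\[/ {                                 # [section] header
            sec = $0
            gsub(/^[ \t]+|[ \t]+$/, "", sec)
            sec = substr(sec, 2, length(sec) - 2)     # strip the brackets
            next
        }
        index($0, "=") > 0 {
            key = substr($0, 1, index($0, "=") - 1)
            shown = key
            gsub(/^[ \t]+|[ \t]+$/, "", shown)        # trimmed, for display
            norm = tolower(key)
            gsub(/[ \t]/, "", norm)                   # normalised the way Samba compares names
            if (++seen[sec, norm] == 2) {
                print sec "/" shown
                found = 1
            }
        }
        END { exit found ? 1 : 0 }
    ' "$1"
}

# --- constructed sample with three duplicates in [global] --------------------
SAMPLE_SMBCONF=$(mktemp)
trap 'rm -f "$SAMPLE_SMBCONF"' EXIT
cat > "$SAMPLE_SMBCONF" <<'EOF'
# constructed sample smb.conf
[global]
    workgroup = DOUGLAS
    realm = douglas.lan
    vfs objects = dfs_samba4, acl_xattr
    full_audit:failure = rmdir mkdir open write rename unlink
    idmap config * : backend = tdb
    vfs objects = recycle full_audit
    full_audit:failure = none
    Idmap Config *:backend = tdb

[sysvol]
    path = /usr/local/samba/var/locks/sysvol
    read only = No
EOF

if smbconf_duplicates "$SAMPLE_SMBCONF"; then
    echo "no duplicate parameters"
else
    echo "duplicate parameters found: only the last value of each one takes effect"
fi
```

Run it against /usr/local/samba/etc/smb.conf before starting samba; testparm would show only the surviving value, which is exactly what makes the overridden line easy to miss.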

Now we need to create the directory that will hold the Samba log files:

mkdir -p /var/log/samba

Now we need to create a symbolic link to the DNS keytab:

ln -s /usr/local/samba/private/dns.keytab /etc/krb5.keytab

Now let's start the samba service

/usr/local/samba/sbin/samba

Now let's disable password expiry for the administrator account:

samba-tool user setexpiry administrator --noexpiry
Expiry for user 'administrator' disabled.

Now let's check the samba client version

smbclient --version
Version 4.2.2

Now let's display the shares

smbclient -L localhost -U%
Domain=[DOUGLAS] OS=[Windows 6.1] Server=[Samba 4.2.2]

    Sharename       Type      Comment
    ---------       ----      -------
    netlogon        Disk
    sysvol          Disk
    IPC$            IPC       IPC Service (Samba 4.2.2)
Domain=[DOUGLAS] OS=[Windows 6.1] Server=[Samba 4.2.2]

    Server               Comment
    ---------            -------

    Workgroup            Master
    ---------            -------

Now let's test the shares with an authenticated account

smbclient -L //localhost/netlogon -U douglas/administrator%'smb@134*' -c 'ls'
Domain=[DOUGLAS] OS=[Windows 6.1] Server=[Samba 4.2.2]

    Sharename       Type      Comment
    ---------       ----      -------
    netlogon        Disk
    sysvol          Disk
    IPC$            IPC       IPC Service (Samba 4.2.2)
Domain=[DOUGLAS] OS=[Windows 6.1] Server=[Samba 4.2.2]

    Server               Comment
    ---------            -------

    Workgroup            Master
    ---------            -------

Now let's display the samba configuration with testparm

testparm
Load smb config files from /usr/local/samba/etc/smb.conf
Processing section "[netlogon]"
Processing section "[sysvol]"
Loaded services file OK.
Server role: ROLE_ACTIVE_DIRECTORY_DC

Press enter to see a dump of your service definitions

# Global parameters
[global]
    workgroup = DOUGLAS
    realm = douglas.lan
    server role = active directory domain controller
    passdb backend = samba_dsdb
    log file = /var/log/samba/smbd.log
    max log size = 50
    load printers = No
    printcap name = /dev/null
    disable spoolss = Yes
    template shell = /bin/bash
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = Yes
    winbind nss info = rfc2307
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
    winbindd:use external pipes = true
    full_audit:priority = notice
    full_audit:facility = local5
    full_audit:prefix = %U|%I|%m|%S
    full_audit:failure = none
    full_audit:success = rmdir mkdir open write rename unlink
    recycle:keeptree = yes
    recycle:exclude = *.tmp *.TMP *.temp *.TEMP ~*
    recycle:repository = Recycle
    idmap config lab:range = 500-40000
    idmap config lab:schema_mode = rfc2307
    idmap config lab:backend = ad
    idmap config *:range = 70001-80000
    idmap_ldb:use rfc2307 = yes
    rpc_server:default = external
    rpc_server:svcctl = embedded
    rpc_server:srvsvc = embedded
    rpc_server:eventlog = embedded
    rpc_server:ntsvcs = embedded
    rpc_server:winreg = embedded
    rpc_server:spoolss = embedded
    rpc_daemon:spoolssd = embedded
    rpc_server:tcpip = no
    idmap config * : backend = tdb
    printing = bsd
    delete veto files = Yes
    veto files = /*.mp3/*.wav/*.exe/*.cmd/*.adm/*.inf/*.ini/*.pif
    map archive = No
    map readonly = no
    store dos attributes = Yes
    dos filemode = Yes
    vfs objects = recycle full_audit

[netlogon]
    path = /usr/local/samba/var/locks/sysvol/douglas.lan/scripts
    read only = No

[sysvol]
    path = /usr/local/samba/var/locks/sysvol
    read only = No

Now let's check the Samba processes that are running:

ps aux | egrep samba
root     11326  0.0  2.5 524812 51900 ?        Ss   17:18   0:00 /usr/local/samba/sbin/samba
root     11327  0.0  1.6 524812 34440 ?        S    17:18   0:00 /usr/local/samba/sbin/samba
root     11328  0.0  1.7 524812 36544 ?        S    17:18   0:00 /usr/local/samba/sbin/samba
root     11329  0.0  2.0 528964 42176 ?        S    17:18   0:00 /usr/local/samba/sbin/samba
root     11330  0.0  2.7 484536 56336 ?        Ss   17:18   0:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
root     11331  0.0  1.6 524812 34440 ?        S    17:18   0:00 /usr/local/samba/sbin/samba
root     11332  0.0  1.9 524812 40460 ?        S    17:18   0:00 /usr/local/samba/sbin/samba
root     11333  0.0  1.7 524812 35976 ?        S    17:18   0:00 /usr/local/samba/sbin/samba
root     11334  0.0  1.9 524812 39740 ?        S    17:18   0:00 /usr/local/samba/sbin/samba
root     11335  0.0  1.8 524776 38028 ?        S    17:18   0:00 /usr/local/samba/sbin/samba
root     11336  0.0  1.8 528236 38176 ?        S    17:18   0:00 /usr/local/samba/sbin/samba
root     11337  0.0  1.6 524812 34440 ?        S    17:18   0:00 /usr/local/samba/sbin/samba
root     11338  0.0  2.1 524776 44972 ?        S    17:18   0:00 /usr/local/samba/sbin/samba
root     11339  0.0  1.7 524812 36372 ?        S    17:18   0:00 /usr/local/samba/sbin/samba
root     11400  0.0  0.1  12968  2364 pts/0    S+   17:27   0:00 grep -E --color=auto samba

Now let's restart the bind9 service:

systemctl restart bind9

Now let's check the bind9 status

systemctl status bind9
● bind9.service - BIND Domain Name Server
   Loaded: loaded (/lib/systemd/system/bind9.service; enabled)
  Drop-In: /run/systemd/generator/bind9.service.d
           └─50-insserv.conf-$named.conf
   Active: active (running) since Qui 2015-06-04 17:41:58 BRT; 896ms ago
     Docs: man:named(8)
  Process: 11770 ExecStop=/usr/sbin/rndc stop (code=exited, status=0/SUCCESS)
 Main PID: 11775 (named)
   CGroup: /system.slice/bind9.service
           └─11775 /usr/sbin/named -f -u bind

Jun 04 17:41:59 samba1 named[11775]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
Jun 04 17:41:59 samba1 named[11775]: command channel listening on 127.0.0.1#953
Jun 04 17:41:59 samba1 named[11775]: command channel listening on ::1#953
Jun 04 17:41:59 samba1 named[11775]: managed-keys-zone: loaded serial 2
Jun 04 17:41:59 samba1 named[11775]: zone 0.in-addr.arpa/IN: loaded serial 1
Jun 04 17:41:59 samba1 named[11775]: zone 127.in-addr.arpa/IN: loaded serial 1
Jun 04 17:41:59 samba1 named[11775]: zone 255.in-addr.arpa/IN: loaded serial 1
Jun 04 17:41:59 samba1 named[11775]: zone localhost/IN: loaded serial 2
Jun 04 17:41:59 samba1 named[11775]: all zones loaded
Jun 04 17:41:59 samba1 named[11775]: running

Now let's check DNS resolution:

nslookup douglas.lan
Server:        127.0.0.1
Address:    127.0.0.1#53

Name:    douglas.lan
Address: 192.168.25.100

Now we need to make a copy of the krb5.conf

cp -Rfa /etc/krb5.conf{,.bkp}

Now let's remove the original file

rm -rf /etc/krb5.conf

Now we need to create a symbolic link to the krb5.conf shipped in the Samba directory:

ln -sf /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf

Now we need to configure the file

vim /etc/krb5.conf
[logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

[libdefaults]
     default_realm = DOUGLAS.LAN
     dns_lookup_realm = true
     dns_lookup_kdc = true
     ticket_lifetime = 24h
     forwardable = yes

[appdefaults]
     pam = {
          debug = false
          ticket_lifetime = 36000
          renew_lifetime = 36000
          forwardable = true
          krb4_convert = false
     }

Now let's obtain a Kerberos ticket:

kinit administrator@DOUGLAS.LAN
administrator@DOUGLAS.LAN's Password:

Now let's list our ticket

klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: administrator@DOUGLAS.LAN

  Issued                Expires               Principal
Jun  4 17:48:15 2015  Jun  5 03:48:12 2015  krbtgt/DOUGLAS.LAN@DOUGLAS.LAN

Now let's test Samba authentication with the Kerberos ticket:

smbclient -k //samba1.douglas.lan/sysvol -c 'ls'
Domain=[DOUGLAS] OS=[Windows 6.1] Server=[Samba 4.2.2]
  .                                   D        0  Thu Jun  4 14:27:54 2015
  ..                                  D        0  Thu Jun  4 17:18:50 2015
  douglas.lan                         D        0  Thu Jun  4 14:27:53 2015

        9653896 blocks of size 1024. 5923120 blocks available

Let's check the other share:

smbclient -k //samba1.douglas.lan/netlogon -c 'ls'
Domain=[DOUGLAS] OS=[Windows 6.1] Server=[Samba 4.2.2]
  .                                   D        0  Thu Jun  4 14:27:45 2015
  ..                                  D        0  Thu Jun  4 14:27:53 2015

        9653896 blocks of size 1024. 5923088 blocks available

NOTE: If you try to access the Samba share with the Kerberos ticket using localhost rather than samba1, you will get the following error:

smbclient -k //localhost/netlogon -c 'ls'
ads_krb5_mk_req: smb_krb5_get_credentials failed for cifs/localhost@DOUGLAS.LAN (Server not found in Kerberos database)
cli_session_setup_kerberos: spnego_gen_krb5_negTokenInit failed: Server not found in Kerberos database
session setup failed: NT_STATUS_UNSUCCESSFUL

As we can see, the server was not found in the Kerberos database. If we check klist:

klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: administrator@DOUGLAS.LAN

  Issued                Expires               Principal
Jun  4 17:48:15 2015  Jun  5 03:48:12 2015  krbtgt/DOUGLAS.LAN@DOUGLAS.LAN
Jun  4 17:50:05 2015  Jun  5 03:48:12 2015  cifs/samba1.douglas.lan@DOUGLAS.LAN

The service principal registered in Kerberos is cifs/samba1.douglas.lan@DOUGLAS.LAN; there is no cifs/localhost@DOUGLAS.LAN, which is the principal the client asked for when we used localhost to access the share with Kerberos. Always use the server's FQDN with Kerberos.

Now we need to install and configure the NTP service to keep the clock accurate, since Kerberos rejects tickets when the clocks of client and server drift too far apart.

Now let's install the NTP server:

aptitude install ntp -y

Now we need to make a copy of ntp.conf

cp -Rfa /etc/ntp.conf{,.bkp}

Now let's change the configuration:

vim /etc/ntp.conf
#/etc/ntp.conf
server 127.127.1.0
fudge  127.127.1.0 stratum 10
server a.ntp.br iburst prefer
server b.ntp.br iburst prefer
server c.ntp.br iburst prefer
driftfile /var/lib/ntp/ntp.drift
logfile /var/log/ntp
ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/
restrict default kod nomodify notrap nopeer mssntp
restrict 127.0.0.1
restrict a.ntp.br mask 255.255.255.255 nomodify notrap nopeer noquery
restrict b.ntp.br mask 255.255.255.255 nomodify notrap nopeer noquery
restrict c.ntp.br mask 255.255.255.255 nomodify notrap nopeer noquery

Now let's restart the ntp service

systemctl restart ntp

Now let's display the ntp status

ntpq -p 127.0.0.1
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 LOCAL(0)        .LOCL.          10 l  101   64    6    0.000    0.000   0.002
+a.ntp.br        200.160.7.186    2 u   29   64    5   13.397  -19.867   9.921
*b.ntp.br        200.20.186.76    2 u   26   64    7   18.728  -22.845   7.553
+c.ntp.br        200.160.7.186    2 u   30   64    7   38.183  -24.685   8.156

Now we need to change the group of the ntp_signd socket directory so that ntpd can use it:

chgrp ntp /usr/local/samba/var/lib/ntp_signd

Now we need to create the Samba 4 init script:

vim /etc/init.d/samba
#! /bin/sh

### BEGIN INIT INFO
# Provides:          samba4
# Required-Start:    $network $local_fs $remote_fs
# Required-Stop:     $network $local_fs $remote_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: start Samba daemons
### END INIT INFO

#
# Start/stops the Samba daemon (samba).
# Adapted from the Samba 3 packages.
#

PIDDIR=/usr/local/samba/var/run
SAMBAPID=$PIDDIR/samba.pid

# clear conflicting settings from the environment
unset TMPDIR

# See if the daemon and the config file are there
test -x /usr/local/samba/sbin/samba -a -r /usr/local/samba/etc/smb.conf || exit 0

. /lib/lsb/init-functions

case "$1" in
    start)
        log_daemon_msg "Starting Samba 4 daemon" "samba"
        # Make sure we have our PIDDIR, even if it's on a tmpfs
        install -o root -g root -m 755 -d $PIDDIR

        if ! start-stop-daemon --start --quiet --oknodo --exec /usr/local/samba/sbin/samba -- -D; then
            log_end_msg 1
            exit 1
        fi

        log_end_msg 0
        ;;
    stop)
        log_daemon_msg "Stopping Samba 4 daemon" "samba"

        # SIGTERM lets the samba parent shut its children down cleanly;
        # "no process found" (samba already stopped) is not an error.
        /usr/bin/killall samba > /dev/null 2>&1 || true

        log_end_msg 0
        ;;
    restart|force-reload)
        $0 stop
        sleep 1
        $0 start
        ;;
    *)
        echo "Usage: /etc/init.d/samba {start|stop|restart|force-reload}"
        exit 1
        ;;
esac

exit 0

Now we need to make it executable:

chmod +x /etc/init.d/samba

Now we need to enable it at boot time:

insserv -f -v samba

Now let's stop the Samba service so we can test our new script:

killall samba

Now let's start the Samba service with the script:

/etc/init.d/samba start
[ ok ] Starting samba (via systemctl): samba.service.

Now let's show the Samba processes:

ps aux | egrep samba
root       942  1.2  2.5 524780 51576 ?        Ss   19:18   0:00 /usr/local/samba/sbin/samba -D
root       960  0.0  1.6 524780 34480 ?        S    19:18   0:00 /usr/local/samba/sbin/samba -D
root       961  0.0  1.7 524780 36588 ?        S    19:18   0:00 /usr/local/samba/sbin/samba -D
root       962  1.3  2.7 484652 56492 ?        Ss   19:18   0:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
root       963  0.0  1.8 524780 38596 ?        S    19:18   0:00 /usr/local/samba/sbin/samba -D
root       964  0.0  1.6 524780 34480 ?        S    19:18   0:00 /usr/local/samba/sbin/samba -D
root       965  0.1  1.9 524780 40276 ?        S    19:18   0:00 /usr/local/samba/sbin/samba -D
root       966  0.0  1.7 524780 36040 ?        S    19:18   0:00 /usr/local/samba/sbin/samba -D
root       967  0.0  2.1 531048 43432 ?        S    19:18   0:00 /usr/local/samba/sbin/samba -D
root       968  0.1  1.8 524780 37868 ?        S    19:18   0:00 /usr/local/samba/sbin/samba -D
root       969  0.0  1.8 527608 37516 ?        S    19:18   0:00 /usr/local/samba/sbin/samba -D
root       970  0.0  1.6 524780 34484 ?        S    19:18   0:00 /usr/local/samba/sbin/samba -D
root       971  0.5  2.2 524920 45356 ?        S    19:18   0:00 /usr/local/samba/sbin/samba -D
root       972  0.0  1.7 524780 36000 ?        S    19:18   0:00 /usr/local/samba/sbin/samba -D
root       977  0.0  0.1  12968  2368 pts/0    S+   19:18   0:00 grep -E --color=auto samba

As we can see, everything is OK so far

Let's check the shares

smbclient -L localhost -U%
Domain=[DOUGLAS] OS=[Windows 6.1] Server=[Samba 4.2.2]

    Sharename       Type      Comment
    ---------       ----      -------
    netlogon        Disk
    sysvol          Disk
    IPC$            IPC       IPC Service (Samba 4.2.2)
Domain=[DOUGLAS] OS=[Windows 6.1] Server=[Samba 4.2.2]

    Server               Comment
    ---------            -------

    Workgroup            Master
    ---------            -------

Now let's check with an authenticated account

smbclient -L //localhost/netlogon -UAdministrator%'smb@134*' -c 'ls'
Domain=[DOUGLAS] OS=[Windows 6.1] Server=[Samba 4.2.2]

    Sharename       Type      Comment
    ---------       ----      -------
    netlogon        Disk
    sysvol          Disk
    IPC$            IPC       IPC Service (Samba 4.2.2)
Domain=[DOUGLAS] OS=[Windows 6.1] Server=[Samba 4.2.2]

    Server               Comment
    ---------            -------

    Workgroup            Master
    ---------            -------

Now we need to create some symbolic links so that winbind works properly; on a 32-bit system they are as follows

ln -s /usr/local/samba/lib/libnss_winbind.so /usr/lib/libnss_winbind.so
ln -s /usr/local/samba/lib/libnss_winbind.so.2 /usr/lib/libnss_winbind.so.2
ldconfig

On a 64-bit system the symbolic links are as follows

ln -s /usr/local/samba/lib/libnss_winbind.so.2 /usr/lib/x86_64-linux-gnu/libnss_winbind.so
ln -s /usr/lib/x86_64-linux-gnu/libnss_winbind.so /usr/lib/x86_64-linux-gnu/libnss_winbind.so.2
ldconfig

Now we need to configure the nsswitch.conf

vim /etc/nsswitch.conf
[...]
passwd: compat winbind
[...]
group:  compat winbind

Samba 4 is working properly so far.

If you need the RSAT (Admin Pack), get it from the following web links:

Let's run a test with winbind

wbinfo -t
checking the trust secret for domain DOUGLAS via RPC calls succeeded

Let's display the groups in the Samba 4 database

wbinfo -g
Enterprise Read-Only Domain Controllers
Domain Admins
Domain Users
Domain Guests
Domain Computers
Domain Controllers
Schema Admins
Enterprise Admins
Group Policy Creator Owners
Read-Only Domain Controllers
DnsUpdateProxy

Let's display the users

wbinfo -u
Administrator
Guest
krbtgt
dns-samba1

Now we need to check the DNS updates; let's run a test

samba_dnsupdate --verbose
IPs: ['192.168.25.100']
Looking for DNS entry A samba1.douglas.lan 192.168.25.100 as samba1.douglas.lan.
Looking for DNS entry A douglas.lan 192.168.25.100 as douglas.lan.
Looking for DNS entry SRV _ldap._tcp.douglas.lan samba1.douglas.lan 389 as _ldap._tcp.douglas.lan.
Checking 0 100 389 samba1.douglas.lan. against SRV _ldap._tcp.douglas.lan samba1.douglas.lan 389
Looking for DNS entry SRV _ldap._tcp.dc._msdcs.douglas.lan samba1.douglas.lan 389 as _ldap._tcp.dc._msdcs.douglas.lan.
Checking 0 100 389 samba1.douglas.lan. against SRV _ldap._tcp.dc._msdcs.douglas.lan samba1.douglas.lan 389
Looking for DNS entry SRV _ldap._tcp.9eac9ae0-2e73-4c8c-b78e-9554cb9eadee.domains._msdcs.douglas.lan samba1.douglas.lan 389 as _ldap._tcp.9eac9ae0-2e73-4c8c-b78e-9554cb9eadee.domains._msdcs.douglas.lan.
Checking 0 100 389 samba1.douglas.lan. against SRV _ldap._tcp.9eac9ae0-2e73-4c8c-b78e-9554cb9eadee.domains._msdcs.douglas.lan samba1.douglas.lan 389
Looking for DNS entry SRV _kerberos._tcp.douglas.lan samba1.douglas.lan 88 as _kerberos._tcp.douglas.lan.
Checking 0 100 88 samba1.douglas.lan. against SRV _kerberos._tcp.douglas.lan samba1.douglas.lan 88
Looking for DNS entry SRV _kerberos._udp.douglas.lan samba1.douglas.lan 88 as _kerberos._udp.douglas.lan.
Checking 0 100 88 samba1.douglas.lan. against SRV _kerberos._udp.douglas.lan samba1.douglas.lan 88
Looking for DNS entry SRV _kerberos._tcp.dc._msdcs.douglas.lan samba1.douglas.lan 88 as _kerberos._tcp.dc._msdcs.douglas.lan.
Checking 0 100 88 samba1.douglas.lan. against SRV _kerberos._tcp.dc._msdcs.douglas.lan samba1.douglas.lan 88
Looking for DNS entry SRV _kpasswd._tcp.douglas.lan samba1.douglas.lan 464 as _kpasswd._tcp.douglas.lan.
Checking 0 100 464 samba1.douglas.lan. against SRV _kpasswd._tcp.douglas.lan samba1.douglas.lan 464
Looking for DNS entry SRV _kpasswd._udp.douglas.lan samba1.douglas.lan 464 as _kpasswd._udp.douglas.lan.
Checking 0 100 464 samba1.douglas.lan. against SRV _kpasswd._udp.douglas.lan samba1.douglas.lan 464
Looking for DNS entry CNAME d6a2ff47-5541-4197-b729-3fb4b82e5b42._msdcs.douglas.lan samba1.douglas.lan as d6a2ff47-5541-4197-b729-3fb4b82e5b42._msdcs.douglas.lan.
Looking for DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.douglas.lan samba1.douglas.lan 389 as _ldap._tcp.Default-First-Site-Name._sites.douglas.lan.
Checking 0 100 389 samba1.douglas.lan. against SRV _ldap._tcp.Default-First-Site-Name._sites.douglas.lan samba1.douglas.lan 389
Looking for DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.douglas.lan samba1.douglas.lan 389 as _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.douglas.lan.
Checking 0 100 389 samba1.douglas.lan. against SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.douglas.lan samba1.douglas.lan 389
Looking for DNS entry SRV _kerberos._tcp.Default-First-Site-Name._sites.douglas.lan samba1.douglas.lan 88 as _kerberos._tcp.Default-First-Site-Name._sites.douglas.lan.
Checking 0 100 88 samba1.douglas.lan. against SRV _kerberos._tcp.Default-First-Site-Name._sites.douglas.lan samba1.douglas.lan 88
Looking for DNS entry SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.douglas.lan samba1.douglas.lan 88 as _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.douglas.lan.
Checking 0 100 88 samba1.douglas.lan. against SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.douglas.lan samba1.douglas.lan 88
Looking for DNS entry SRV _ldap._tcp.pdc._msdcs.douglas.lan samba1.douglas.lan 389 as _ldap._tcp.pdc._msdcs.douglas.lan.
Checking 0 100 389 samba1.douglas.lan. against SRV _ldap._tcp.pdc._msdcs.douglas.lan samba1.douglas.lan 389
Looking for DNS entry A gc._msdcs.douglas.lan 192.168.25.100 as gc._msdcs.douglas.lan.
Looking for DNS entry SRV _gc._tcp.douglas.lan samba1.douglas.lan 3268 as _gc._tcp.douglas.lan.
Checking 0 100 3268 samba1.douglas.lan. against SRV _gc._tcp.douglas.lan samba1.douglas.lan 3268
Looking for DNS entry SRV _ldap._tcp.gc._msdcs.douglas.lan samba1.douglas.lan 3268 as _ldap._tcp.gc._msdcs.douglas.lan.
Checking 0 100 3268 samba1.douglas.lan. against SRV _ldap._tcp.gc._msdcs.douglas.lan samba1.douglas.lan 3268
Looking for DNS entry SRV _gc._tcp.Default-First-Site-Name._sites.douglas.lan samba1.douglas.lan 3268 as _gc._tcp.Default-First-Site-Name._sites.douglas.lan.
Checking 0 100 3268 samba1.douglas.lan. against SRV _gc._tcp.Default-First-Site-Name._sites.douglas.lan samba1.douglas.lan 3268
Looking for DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.douglas.lan samba1.douglas.lan 3268 as _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.douglas.lan.
Checking 0 100 3268 samba1.douglas.lan. against SRV _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.douglas.lan samba1.douglas.lan 3268
Looking for DNS entry A DomainDnsZones.douglas.lan 192.168.25.100 as DomainDnsZones.douglas.lan.
Looking for DNS entry SRV _ldap._tcp.DomainDnsZones.douglas.lan samba1.douglas.lan 389 as _ldap._tcp.DomainDnsZones.douglas.lan.
Checking 0 100 389 samba1.douglas.lan. against SRV _ldap._tcp.DomainDnsZones.douglas.lan samba1.douglas.lan 389
Looking for DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.douglas.lan samba1.douglas.lan 389 as _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.douglas.lan.
Checking 0 100 389 samba1.douglas.lan. against SRV _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.douglas.lan samba1.douglas.lan 389
Looking for DNS entry A ForestDnsZones.douglas.lan 192.168.25.100 as ForestDnsZones.douglas.lan.
Looking for DNS entry SRV _ldap._tcp.ForestDnsZones.douglas.lan samba1.douglas.lan 389 as _ldap._tcp.ForestDnsZones.douglas.lan.
Checking 0 100 389 samba1.douglas.lan. against SRV _ldap._tcp.ForestDnsZones.douglas.lan samba1.douglas.lan 389
Looking for DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.douglas.lan samba1.douglas.lan 389 as _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.douglas.lan.
Checking 0 100 389 samba1.douglas.lan. against SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.douglas.lan samba1.douglas.lan 389
No DNS updates needed

Now let's create a reverse zone

samba-tool dns zonecreate douglas.lan 25.168.192.in-addr.arpa -UAdministrator --password=smb@134*
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INVALID_PARAMETER
Zone 25.168.192.in-addr.arpa created successfully

Note: I'm trying to discover how to fix the (SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INVALID_PARAMETER) error, but so far I have no answer yet. I've sent an email to Andrew Tridgell of the Samba project; as soon as he answers me I'm going to post the fix.

Now let's create the reverse DNS record for samba1

samba-tool dns add samba1 25.168.192.in-addr.arpa 100 PTR samba1.douglas.lan -Uadministrator --password=smb@134*
Record added successfully

Now let's check the reverse lookup

dig -x 192.168.25.100

; <<>> DiG 9.9.5-9-Debian <<>> -x 192.168.25.100
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1108
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;100.25.168.192.in-addr.arpa.    IN    PTR

;; ANSWER SECTION:
100.25.168.192.in-addr.arpa. 900 IN    PTR    samba1.douglas.lan.

;; AUTHORITY SECTION:
25.168.192.in-addr.arpa. 3600    IN    NS    samba1.douglas.lan.

;; ADDITIONAL SECTION:
samba1.douglas.lan.    900    IN    A    192.168.25.100

;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jun 04 19:40:48 BRT 2015
;; MSG SIZE  rcvd: 118

We can run a test with host as well

host 192.168.25.100
100.25.168.192.in-addr.arpa domain name pointer samba1.douglas.lan.

Now we need to update all the records to make sure that everything is working as needed

samba_dnsupdate --verbose --all-names
IPs: ['192.168.25.100']
Calling nsupdate for A samba1.douglas.lan 192.168.25.100 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
samba1.douglas.lan. 900 IN  A 192.168.25.100

Calling nsupdate for A douglas.lan 192.168.25.100 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
douglas.lan.    900 IN  A 192.168.25.100

Calling nsupdate for SRV _ldap._tcp.douglas.lan samba1.douglas.lan 389 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.douglas.lan. 900 IN  SRV 0 100 389 samba1.douglas.lan.

Calling nsupdate for SRV _ldap._tcp.dc._msdcs.douglas.lan samba1.douglas.lan 389 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.dc._msdcs.douglas.lan. 900 IN SRV  0 100 389 samba1.douglas.lan.

Calling nsupdate for SRV _ldap._tcp.9eac9ae0-2e73-4c8c-b78e-9554cb9eadee.domains._msdcs.douglas.lan samba1.douglas.lan 389 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.9eac9ae0-2e73-4c8c-b78e-9554cb9eadee.domains._msdcs.douglas.lan. 900 IN SRV 0 100 389 samba1.douglas.lan.

Calling nsupdate for SRV _kerberos._tcp.douglas.lan samba1.douglas.lan 88 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.douglas.lan. 900 IN  SRV 0 100 88 samba1.douglas.lan.

Calling nsupdate for SRV _kerberos._udp.douglas.lan samba1.douglas.lan 88 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._udp.douglas.lan. 900 IN  SRV 0 100 88 samba1.douglas.lan.

Calling nsupdate for SRV _kerberos._tcp.dc._msdcs.douglas.lan samba1.douglas.lan 88 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.dc._msdcs.douglas.lan. 900 IN SRV 0 100 88 samba1.douglas.lan.

Calling nsupdate for SRV _kpasswd._tcp.douglas.lan samba1.douglas.lan 464 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kpasswd._tcp.douglas.lan. 900  IN  SRV 0 100 464 samba1.douglas.lan.

Calling nsupdate for SRV _kpasswd._udp.douglas.lan samba1.douglas.lan 464 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kpasswd._udp.douglas.lan. 900  IN  SRV 0 100 464 samba1.douglas.lan.

Calling nsupdate for CNAME d6a2ff47-5541-4197-b729-3fb4b82e5b42._msdcs.douglas.lan samba1.douglas.lan (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
d6a2ff47-5541-4197-b729-3fb4b82e5b42._msdcs.douglas.lan. 900 IN CNAME samba1.douglas.lan.

Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.douglas.lan samba1.douglas.lan 389 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.douglas.lan. 900 IN SRV 0 100 389 samba1.douglas.lan.

Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.douglas.lan samba1.douglas.lan 389 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.douglas.lan. 900 IN SRV 0 100 389 samba1.douglas.lan.

Calling nsupdate for SRV _kerberos._tcp.Default-First-Site-Name._sites.douglas.lan samba1.douglas.lan 88 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.Default-First-Site-Name._sites.douglas.lan. 900 IN SRV 0 100 88 samba1.douglas.lan.

Calling nsupdate for SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.douglas.lan samba1.douglas.lan 88 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.douglas.lan. 900 IN SRV 0 100 88 samba1.douglas.lan.

Calling nsupdate for SRV _ldap._tcp.pdc._msdcs.douglas.lan samba1.douglas.lan 389 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.pdc._msdcs.douglas.lan. 900 IN SRV 0 100 389 samba1.douglas.lan.

Calling nsupdate for A gc._msdcs.douglas.lan 192.168.25.100 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
gc._msdcs.douglas.lan.  900 IN  A 192.168.25.100

Calling nsupdate for SRV _gc._tcp.douglas.lan samba1.douglas.lan 3268 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_gc._tcp.douglas.lan. 900 IN  SRV 0 100 3268 samba1.douglas.lan.

Calling nsupdate for SRV _ldap._tcp.gc._msdcs.douglas.lan samba1.douglas.lan 3268 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.gc._msdcs.douglas.lan. 900 IN SRV  0 100 3268 samba1.douglas.lan.

Calling nsupdate for SRV _gc._tcp.Default-First-Site-Name._sites.douglas.lan samba1.douglas.lan 3268 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_gc._tcp.Default-First-Site-Name._sites.douglas.lan. 900 IN SRV 0 100 3268 samba1.douglas.lan.

Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.douglas.lan samba1.douglas.lan 3268 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.douglas.lan. 900 IN SRV 0 100 3268 samba1.douglas.lan.

Calling nsupdate for A DomainDnsZones.douglas.lan 192.168.25.100 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
DomainDnsZones.douglas.lan. 900 IN  A 192.168.25.100

Calling nsupdate for SRV _ldap._tcp.DomainDnsZones.douglas.lan samba1.douglas.lan 389 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.DomainDnsZones.douglas.lan. 900 IN SRV 0 100 389 samba1.douglas.lan.

Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.douglas.lan samba1.douglas.lan 389 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.douglas.lan. 900 IN SRV 0 100 389 samba1.douglas.lan.

Calling nsupdate for A ForestDnsZones.douglas.lan 192.168.25.100 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
ForestDnsZones.douglas.lan. 900 IN  A 192.168.25.100

Calling nsupdate for SRV _ldap._tcp.ForestDnsZones.douglas.lan samba1.douglas.lan 389 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.ForestDnsZones.douglas.lan. 900 IN SRV 0 100 389 samba1.douglas.lan.

Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.douglas.lan samba1.douglas.lan 389 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.douglas.lan. 900 IN SRV 0 100 389 samba1.douglas.lan.

Now let's test the SRV records

Let's look up the LDAP service

host -t SRV _ldap._tcp.douglas.lan.
_ldap._tcp.douglas.lan has SRV record 0 100 389 samba1.douglas.lan.

Let's look up the Kerberos service

host -t SRV _kerberos._udp.douglas.lan.
_kerberos._udp.douglas.lan has SRV record 0 100 88 nodo1.douglas.lan.

Let's look up the A record of samba1

host -t A samba1.douglas.lan
samba1.douglas.lan has address 192.168.25.100
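The three host queries above check a handful of records by hand. The script below is an added example (not part of the page or of Samba): it walks the full set of A and SRV records that samba_dnsupdate registered above, querying each with host(1) exactly as the page does, and reports any record that is missing or points at an unexpected host, such as the nodo1 target in the _kerberos._udp answer. The domain, DC name, IP and site are the page's values; the two GUID-based entries are skipped because the GUIDs differ per domain.

```python
"""Verify the AD DNS records the DC should publish, using host(1) as the
page does by hand. Added example: not part of the page or of Samba.
The record set mirrors the samba_dnsupdate output above for a single DC
in the default site; the two GUID-based entries are skipped because the
GUIDs differ per domain."""
import subprocess
from dataclasses import dataclass

DOMAIN = "douglas.lan"          # the page's domain
DC = "samba1.douglas.lan"       # the page's first DC
IP = "192.168.25.100"
SITE = "Default-First-Site-Name"


@dataclass(frozen=True)
class Record:
    name: str    # owner name, no trailing dot
    rtype: str   # "A" or "SRV"
    value: str   # "ip" or "prio weight port target"


def expected_records(domain=DOMAIN, dc=DC, ip=IP, site=SITE):
    """A and SRV records a DC registers (25 of the 27 in the output above)."""
    recs = [Record(dc, "A", ip), Record(domain, "A", ip),
            Record(f"gc._msdcs.{domain}", "A", ip),
            Record(f"DomainDnsZones.{domain}", "A", ip),
            Record(f"ForestDnsZones.{domain}", "A", ip)]
    srv = [("_ldap._tcp", 389), ("_ldap._tcp.dc._msdcs", 389),
           ("_kerberos._tcp", 88), ("_kerberos._udp", 88),
           ("_kerberos._tcp.dc._msdcs", 88),
           ("_kpasswd._tcp", 464), ("_kpasswd._udp", 464),
           (f"_ldap._tcp.{site}._sites", 389),
           (f"_ldap._tcp.{site}._sites.dc._msdcs", 389),
           (f"_kerberos._tcp.{site}._sites", 88),
           (f"_kerberos._tcp.{site}._sites.dc._msdcs", 88),
           ("_ldap._tcp.pdc._msdcs", 389), ("_gc._tcp", 3268),
           ("_ldap._tcp.gc._msdcs", 3268),
           (f"_gc._tcp.{site}._sites", 3268),
           (f"_ldap._tcp.{site}._sites.gc._msdcs", 3268),
           ("_ldap._tcp.DomainDnsZones", 389),
           (f"_ldap._tcp.{site}._sites.DomainDnsZones", 389),
           ("_ldap._tcp.ForestDnsZones", 389),
           (f"_ldap._tcp.{site}._sites.ForestDnsZones", 389)]
    recs += [Record(f"{prefix}.{domain}", "SRV", f"0 100 {port} {dc}")
             for prefix, port in srv]
    return recs


def parse_host_output(rtype, text):
    """Extract answer values from host(1) output; NXDOMAIN etc. yield []."""
    values = []
    for line in text.splitlines():
        words = line.split()
        if rtype == "A" and "has address" in line:
            values.append(words[-1])
        elif rtype == "SRV" and "has SRV record" in line:
            # "prio weight port target." -> drop the trailing dot
            values.append(" ".join(words[-4:]).rstrip("."))
    return values


def verify(records, lookup):
    """lookup(rtype, name) -> host(1) output. Returns one line per problem."""
    problems = []
    for rec in records:
        got = parse_host_output(rec.rtype, lookup(rec.rtype, rec.name))
        if rec.value not in got:
            problems.append(f"{rec.rtype} {rec.name}: want {rec.value!r}, got {got}")
    return problems


def host_lookup(rtype, name):
    """Real resolver: runs `host -t TYPE name.` against the system resolver."""
    proc = subprocess.run(["host", "-t", rtype, name + "."],
                          capture_output=True, text=True, check=False)
    return proc.stdout


if __name__ == "__main__":
    issues = verify(expected_records(), host_lookup)
    for line in issues:
        print("PROBLEM", line)
    print("all records present" if not issues else f"{len(issues)} problem(s)")
```

Run it on the DC after `samba_dnsupdate --all-names`; a record answered by a host other than the DC is worth investigating before clients start trusting it for Kerberos and LDAP discovery.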

Let's display the records in the keytab

klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 DNS/samba1.douglas.lan@DOUGLAS.LAN
   1 dns-samba1@DOUGLAS.LAN
   1 DNS/samba1.douglas.lan@DOUGLAS.LAN
   1 dns-samba1@DOUGLAS.LAN
   1 DNS/samba1.douglas.lan@DOUGLAS.LAN
   1 dns-samba1@DOUGLAS.LAN
   1 DNS/samba1.douglas.lan@DOUGLAS.LAN
   1 dns-samba1@DOUGLAS.LAN
   1 DNS/samba1.douglas.lan@DOUGLAS.LAN
   1 dns-samba1@DOUGLAS.LAN

PAM Configuration

Now we need to configure PAM. Here I'll allow only users from the group it-admin to log in to the PDC. The group it-admin needs to be created in Samba and needs to get a valid shell.

Now we need to create a symbolic link from the Samba security directory to the system's default security directory. Here I'm using a 64-bit system, which is why we use /lib/x86_64-linux-gnu; otherwise the link goes in another directory. If you don't know where the other PAM libraries are stored, search for "pam_umask.so" and put the symbolic link there.

ln -sf /usr/local/samba/lib/security/pam_winbind.so  /lib/x86_64-linux-gnu/security/pam_winbind.so

Now we need to configure the files.

Let's start by configuring common-auth, which controls the authentication settings common to all services.

vim /etc/pam.d/common-auth
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.
 
# here are the per-package modules (the "Primary" block)
auth    sufficient                      pam_winbind.so
auth  [success=2 default=ignore]  pam_krb5.so minimum_uid=1000
auth  [success=1 default=ignore]  pam_unix.so nullok_secure try_first_pass
# here's the fallback if no module succeeds
auth  requisite     pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth  required      pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config

Let's configure common-account, which controls the authorization settings common to all services.

vim /etc/pam.d/common-account 
#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system.  The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.
#
 
# here are the per-package modules (the "Primary" block)
account sufficient                       pam_winbind.so
account [success=1 new_authtok_reqd=done default=ignore]  pam_unix.so
# here's the fallback if no module succeeds
account requisite     pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required      pam_permit.so
# and here are more per-package modules (the "Additional" block)
account required      pam_krb5.so minimum_uid=1000
# end of pam-auth-update config

Let's configure common-session, which controls the session-related modules common to all services.

vim /etc/pam.d/common-session
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.
 
# here are the per-package modules (the "Primary" block)
session required pam_mkhomedir.so skel=/etc/skel umask=0027
session required pam_winbind.so
session [default=1]     pam_permit.so
# here's the fallback if no module succeeds
session requisite     pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required      pam_permit.so
# and here are more per-package modules (the "Additional" block)
session optional      pam_krb5.so minimum_uid=1000
session required  pam_unix.so
# end of pam-auth-update config

Let's configure sshd, which holds the PAM configuration for the Secure Shell service.

vim /etc/pam.d/sshd
# PAM configuration for the Secure Shell service
 
# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
auth       required     pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
auth       required     pam_env.so envfile=/etc/default/locale
 
# Standard Un*x authentication.
@include common-auth
 
# Disallow non-root logins when /etc/nologin exists.
account    required     pam_nologin.so
#Allow connection from those groups
account    sufficient   pam_succeed_if.so user ingroup root
account    requisite    pam_succeed_if.so user ingroup it-admin
 
# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account  required     pam_access.so
 
# Standard Un*x authorization.
@include common-account
 
# Standard Un*x session setup and teardown.
@include common-session
 
# Print the message of the day upon successful login.
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session    optional     pam_motd.so  motd=/run/motd.dynamic noupdate
session    optional     pam_motd.so # [1]
 
# Print the status of the user's mailbox upon successful login.
session    optional     pam_mail.so standard noenv # [1]
 
# Set up user limits from /etc/security/limits.conf.
session    required     pam_limits.so
 
# Set up SELinux capabilities (need modified pam)
# session  required     pam_selinux.so multiple
 
# Standard Un*x password updating.
@include common-password

Let's configure login, which holds the PAM configuration for the shadow 'login' service.

vim /etc/pam.d/login 
#
# The PAM configuration file for the Shadow `login' service
#
 
# Enforce a minimal delay in case of failure (in microseconds).
# (Replaces the `FAIL_DELAY' setting from login.defs)
# Note that other modules may require another minimal delay. (for example,
# to disable any delay, you should add the nodelay option to pam_unix)
auth       optional   pam_faildelay.so  delay=3000000
 
# Outputs an issue file prior to each login prompt (Replaces the
# ISSUE_FILE option from login.defs). Uncomment for use
# auth       required   pam_issue.so issue=/etc/issue
 
# Disallows root logins except on tty's listed in /etc/securetty
# (Replaces the `CONSOLE' setting from login.defs)
#
# With the default control of this module:
#   [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die]
# root will not be prompted for a password on insecure lines.
# if an invalid username is entered, a password is prompted (but login
# will eventually be rejected)
#
# You can change it to a "requisite" module if you think root may mis-type
# her login and should not be prompted for a password in that case. But
# this will leave the system as vulnerable to user enumeration attacks.
#
# You can change it to a "required" module if you think it permits to
# guess valid user names of your system (invalid user names are considered
# as possibly being root on insecure lines), but root passwords may be
# communicated over insecure lines.
auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
 
# Disallows other than root logins when /etc/nologin exists
# (Replaces the `NOLOGINS_FILE' option from login.defs)
auth       requisite  pam_nologin.so
 
#Allow connection from those groups
account    sufficient   pam_succeed_if.so user ingroup root
account    requisite    pam_succeed_if.so user ingroup it-admin
 
# SELinux needs to be the first session rule. This ensures that any 
# lingering context has been cleared. Without out this it is possible 
# that a module could execute code in the wrong domain.
# When the module is present, "required" would be sufficient (When SELinux
# is disabled, this returns success.)
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
 
# This module parses environment configuration file(s)
# and also allows you to use an extended config
# file /etc/security/pam_env.conf.
# 
# parsing /etc/environment needs "readenv=1"
session       required   pam_env.so readenv=1
# locale variables are also kept into /etc/default/locale in etch
# reading this file *in addition to /etc/environment* does not hurt
session       required   pam_env.so readenv=1 envfile=/etc/default/locale
 
# Standard Un*x authentication.
@include common-auth
 
# This allows certain extra groups to be granted to a user
# based on things like time of day, tty, service, and user.
# Please edit /etc/security/group.conf to fit your needs
# (Replaces the `CONSOLE_GROUPS' option in login.defs)
auth       optional   pam_group.so
 
# Uncomment and edit /etc/security/time.conf if you need to set
# time restrainst on logins.
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
# as well as /etc/porttime)
# account    requisite  pam_time.so
 
# Uncomment and edit /etc/security/access.conf if you need to
# set access limits.
# (Replaces /etc/login.access file)
# account  required       pam_access.so
 
# Sets up user limits according to /etc/security/limits.conf
# (Replaces the use of /etc/limits in old login)
session    required   pam_limits.so
 
# Prints the last login info upon succesful login
# (Replaces the `LASTLOG_ENAB' option from login.defs)
session    optional   pam_lastlog.so
 
# Prints the message of the day upon succesful login.
# (Replaces the `MOTD_FILE' option in login.defs)
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session    optional   pam_motd.so  motd=/run/motd.dynamic
session    optional   pam_motd.so
 
# Prints the status of the user's mailbox upon succesful login
# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). 
#
# This also defines the MAIL environment variable
# However, userdel also needs MAIL_DIR and MAIL_FILE variables
# in /etc/login.defs to make sure that removing a user 
# also removes the user's mail spool file.
# See comments in /etc/login.defs
session    optional   pam_mail.so standard
 
# Standard Un*x account and session
@include common-account
@include common-session
@include common-password
 
# SELinux needs to intervene at login time to ensure that the process
# starts in the proper default security context. Only sessions which are
# intended to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
# When the module is present, "required" would be sufficient (When SELinux
# is disabled, this returns success.)

Now let's configure sudo so that the members of the it-admin group can work as the root user.

visudo 
[...]
"%DOUGLAS\it-admin" ALL=(ALL) ALL

Now let's create the it-admin group

samba-tool group add it-admin --group-scope=Global --group-type=Security --description="IT Administration" 
Added group it-admin

Now we can list all groups like this

samba-tool group list
Allowed RODC Password Replication Group
Enterprise Read-Only Domain Controllers
Denied RODC Password Replication Group
Pre-Windows 2000 Compatible Access
Windows Authorization Access Group
Certificate Service DCOM Access
Network Configuration Operators
Terminal Server License Servers
Incoming Forest Trust Builders
Read-Only Domain Controllers
Group Policy Creator Owners
Performance Monitor Users
Cryptographic Operators
Distributed COM Users
Performance Log Users
Remote Desktop Users
Account Operators
Event Log Readers
RAS and IAS Servers
Backup Operators
Domain Controllers
Server Operators
Enterprise Admins
Print Operators
Administrators
Domain Computers
Cert Publishers
DnsUpdateProxy
Domain Admins
Domain Guests
Schema Admins
Domain Users
Replicator
IIS_IUSRS
DnsAdmins
Guests
it-admin
Users

Now we need to create a new user to put into it-admin

samba-tool user create  douglas.q.santos smb@134* 
User 'douglas.q.santos' created successfully

Now let's add the user douglas.q.santos into group it-admin

samba-tool group addmembers it-admin douglas.q.santos
Added members to group it-admin

Now we can get the user from it-admin

samba-tool group listmembers it-admin
douglas.q.santos

Everything is working as needed so far.

Now we need to restart the server to reload all the new configurations

reboot

After the reboot we can try logging in as douglas.q.santos, or log in as root and switch to that user as follows

root@samba1:~# su - douglas.q.santos
Creating directory '/home/DOUGLAS/douglas.q.santos'.
mesg: /dev/pts/0: Operation not permitted
DOUGLAS\douglas.q.santos@samba1:~$ 

Now let's go back to the root user and check the winbind connection.

wbinfo -t
checking the trust secret for domain DOUGLAS via RPC calls succeeded

Let's list the users from Samba

wbinfo -u
Administrator
Guest
krbtgt
dns-samba1
douglas.q.santos

Now let's try logging in to the server via SSH

ssh douglas.q.santos@192.168.25.100 -p 22
douglas.q.santos@192.168.25.100's password: 

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
DOUGLAS\douglas.q.santos@samba1:~$ 

Now let's test the sudo

DOUGLAS\douglas.q.santos@samba1:~$ sudo -i

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for DOUGLAS\douglas.q.santos:
root@samba1:~# 

Now let's check the auth.log file

tail -f /var/log/auth.log 
Jun  7 11:33:39 samba1 sshd[1426]: pam_succeed_if(sshd:account): requirement "user ingroup sudo" not met by user "DOUGLAS\douglas.q.santos"
Jun  7 11:33:39 samba1 sshd[1426]: pam_succeed_if(sshd:account): requirement "user ingroup it-admin" was met by user "DOUGLAS\douglas.q.santos"
Jun  7 11:33:39 samba1 sshd[1426]: pam_winbind(sshd:account): user 'DOUGLAS\douglas.q.santos' granted access
Jun  7 11:33:39 samba1 sshd[1426]: Accepted password for douglas.q.santos from 192.168.25.254 port 50681 ssh2
Jun  7 11:33:39 samba1 sshd[1426]: pam_unix(sshd:session): session opened for user DOUGLAS\douglas.q.santos by (uid=0)
Jun  7 11:33:44 samba1 sudo: DOUGLAS\douglas.q.santos : TTY=pts/1 ; PWD=/home/DOUGLAS/douglas.q.santos ; USER=root ; COMMAND=/bin/su -
Jun  7 11:33:44 samba1 su[1436]: pam_winbind(su:account): valid_user: wbcGetpwnam gave WBC_ERR_DOMAIN_NOT_FOUND
Jun  7 11:33:44 samba1 su[1436]: Successful su for root by root
Jun  7 11:33:44 samba1 su[1436]: + /dev/pts/1 root:root
Jun  7 11:33:44 samba1 su[1436]: pam_unix(su:session): session opened for user root by DOUGLAS\douglas.q.santos(uid=0)

Everything is ok so far.
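The auth.log lines above carry the whole access decision: which pam_succeed_if group rule admitted the user and what was then run as root through sudo. The following is an added example (not from the original page) that pulls those decisions out of a log file so they can be reviewed or alerted on. The sample lines are constructed for the demonstration and follow the pam_succeed_if and sudo formats shown above; the users jane.doe and svc.backup are invented and do not exist on the page.

```shell
#!/bin/sh
# Added example: summarise PAM group decisions and sudo-to-root events from
# auth.log.  The sample log is constructed here (same formats as above).

AUTH_SAMPLE=$(mktemp)
trap 'rm -f "$AUTH_SAMPLE"' EXIT
cat > "$AUTH_SAMPLE" <<'EOF'
Jun  7 11:33:39 samba1 sshd[1426]: pam_succeed_if(sshd:account): requirement "user ingroup sudo" not met by user "DOUGLAS\douglas.q.santos"
Jun  7 11:33:39 samba1 sshd[1426]: pam_succeed_if(sshd:account): requirement "user ingroup it-admin" was met by user "DOUGLAS\douglas.q.santos"
Jun  7 11:33:39 samba1 sshd[1426]: pam_winbind(sshd:account): user 'DOUGLAS\douglas.q.santos' granted access
Jun  7 11:33:44 samba1 sudo: DOUGLAS\douglas.q.santos : TTY=pts/1 ; PWD=/home/DOUGLAS/douglas.q.santos ; USER=root ; COMMAND=/bin/su -
Jun  7 12:01:02 samba1 sshd[1500]: pam_succeed_if(sshd:account): requirement "user ingroup sudo" not met by user "DOUGLAS\jane.doe"
Jun  7 12:01:02 samba1 sshd[1500]: pam_succeed_if(sshd:account): requirement "user ingroup it-admin" not met by user "DOUGLAS\jane.doe"
Jun  7 12:05:10 samba1 sudo: DOUGLAS\jane.doe : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/DOUGLAS/jane.doe ; USER=root ; COMMAND=/bin/bash
Jun  7 12:10:00 samba1 sudo: DOUGLAS\svc.backup : TTY=tty1 ; PWD=/home/DOUGLAS/svc.backup ; USER=root ; COMMAND=/usr/sbin/samba_backup
EOF

# pam_group_checks FILE -> "group user result" for every pam_succeed_if
# "user ingroup" decision in FILE, deduplicated
pam_group_checks() {
    sed -E -n 's/^.*requirement "user ingroup ([^"]*)" (was met|not met) by user "([^"]*)".*$/\1 \3 \2/p' "$1" \
      | LC_ALL=C sort -u
}

# root_sudo_users FILE -> "user command" for each command actually run as root
# through sudo; denials carry "NOT in sudoers" and are skipped
root_sudo_users() {
    grep ' sudo: ' "$1" | grep -v 'NOT in sudoers' | grep 'USER=root' \
      | sed 's/^.* sudo: *\([^ ]*\) : .*COMMAND=\(.*\)$/\1 \2/' | LC_ALL=C sort -u
}

# root_without_gate FILE GROUP -> users who ran something as root without any
# "user ingroup GROUP was met" decision in the same log: they reached root by
# a path other than the GROUP gate in the PAM stack above (console login,
# another rule, ...) and deserve a look
root_without_gate() {
    root_sudo_users "$1" | cut -d' ' -f1 | while read -r u; do
        grep -qF "ingroup $2\" was met by user \"$u\"" "$1" || printf '%s\n' "$u"
    done
}

# Run over the constructed sample
pam_group_checks "$AUTH_SAMPLE"
root_sudo_users "$AUTH_SAMPLE"
root_without_gate "$AUTH_SAMPLE" it-admin
```

On the sample, douglas.q.santos is reported as admitted by the it-admin rule and as having run `/bin/su -` as root, jane.doe only as denied, and svc.backup as the one root command that never passed the it-admin gate. Pointing the functions at the real /var/log/auth.log works the same way.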

Samba 4 Backup

The backup script is not installed when we run make install, therefore we need to copy it to a location in the PATH such as /usr/sbin.

Let's assume the samba sources are in /usr/src/samba-4.2.2

Let's copy the script

cp /usr/src/samba-4.2.2/source4/scripting/bin/samba_backup /usr/sbin

Now we need to change the permissions

chown root:root /usr/sbin/samba_backup
chmod 750 /usr/sbin/samba_backup

Now we need to adjust some variables in the script

vim /usr/sbin/samba_backup
[...]
FROMWHERE=/usr/local/samba
WHERE=/usr/local/backups
[...]
DAYS=15

Above we have:

  • FROMWHERE → Where samba was installed
  • WHERE → The location where the script will store the backup
  • DAYS → The number of days we need to keep the backups

Now we need to create the directory that will store the backups

mkdir /usr/local/backups

Now let's change the permission of the directory

chmod 750 /usr/local/backups

Now we can run the script

/usr/sbin/samba_backup

After the script finishes, we get something like the listing below.

ls -l /usr/local/backups
total 12164
-rw-r--r-- 1 root staff     1310 Jun 11 10:35 etc.2015-06-11.tar.bz2
-rw-r--r-- 1 root staff 12447369 Jun 11 10:35 samba4_private.2015-06-11.tar.bz2
-rw-r--r-- 1 root staff      546 Jun 11 10:35 sysvol.2015-06-11.tar.bz2

If the script runs without any error, there will be 3 files:

  • etc.{Timestamp}.tar.bz2
  • samba4_private.{Timestamp}.tar.bz2
  • sysvol.{Timestamp}.tar.bz2

We can schedule the script to run every day at 2 A.M. as below.

crontab -e
0 2 * * *       /usr/sbin/samba_backup

Now the samba backup is scheduled.

Samba 4 Restore

Note:

  • The backup and restore must be from the same version of samba, in other words from 4.2.2 to 4.2.2
  • The restore must be executed on a machine with the same name and IP as the one the backup was created on.
  • It's best practice to always restore a backup on the same OS, e.g. from Debian to Debian. (I tried to back up from CentOS and restore on Debian and it doesn't work).
  • After the restore it is always good advice to test all shares, permissions and so on, to make sure everything works before putting it into production.
  • If the system crashes, the first thing you need is to reconfigure the whole samba server and then restore the backup, keeping in mind all the points above.

Before restoring samba we need to make sure that samba is down.

Let's stop the samba

/etc/init.d/samba stop

Now let's check if the samba is down

ps aux | egrep samba
root      2404  0.0  0.1  12964  2356 pts/0    S+   14:47   0:00 grep -E --color=auto samba

Now let's remove the files and directories as needed.

rm -rf /usr/local/samba/etc
rm -rf /usr/local/samba/private
rm -rf /usr/local/samba/var/locks/sysvol

Now let's restore samba: go to the backup directory and extract the files.

cd /usr/local/backups
tar -jxf etc.2015-06-11.tar.bz2 -C /usr/local/samba
tar -jxf samba4_private.2015-06-11.tar.bz2 -C /usr/local/samba
tar -jxf sysvol.2015-06-11.tar.bz2 -C /usr/local/samba

Now we need to rename the files with the extension *.ldb.bak in the private directory to *.ldb

find /usr/local/samba/private/ -type f -name '*.ldb.bak' -print0 | while read -d $'\0' f ; do mv "$f" "${f%.bak}" ; done

Now we need to restore the acls

samba-tool ntacl sysvolreset

If you are using BIND9_DLZ as the backend, we need to fix the hard links

samba_upgradedns --dns-backend=BIND9_DLZ

Now let's start the samba

/etc/init.d/samba start

Now let's display our users

wbinfo -u
Administrator
Guest
krbtgt
dns-samba1
douglas.q.santos

Now let's display our groups

wbinfo -g
Enterprise Read-Only Domain Controllers
Domain Admins
Domain Users
Domain Guests
Domain Computers
Domain Controllers
Schema Admins
Enterprise Admins
Group Policy Creator Owners
Read-Only Domain Controllers
DnsUpdateProxy
it-admin

Everything is working properly as before.
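A backup is only useful if the set is complete and readable before the day it is needed. The following is an added example (not from the page or from the samba_backup script) that checks a backup directory for the three archives the script produces, finds the newest set, and performs the *.ldb.bak to *.ldb rename from the restore steps above on an extracted copy. The archives are constructed in a temporary directory with placeholder content; only their names and top-level layout (etc/, private/, var/) follow the backup and restore commands above.

```shell
#!/bin/sh
# Added example: verify a samba_backup set and rehearse the .ldb rename.
# Everything below is built in a temp dir with constructed placeholder data.

DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
mkdir -p "$DEMO/src/etc" "$DEMO/src/private" "$DEMO/src/var/locks/sysvol"
printf '[global]\n' > "$DEMO/src/etc/smb.conf"
printf 'placeholder\n' > "$DEMO/src/private/sam.ldb.bak"
printf 'placeholder\n' > "$DEMO/src/private/idmap.ldb.bak"
printf 'placeholder\n' > "$DEMO/src/var/locks/sysvol/README"
tar -cjf "$DEMO/etc.2015-06-11.tar.bz2"            -C "$DEMO/src" etc
tar -cjf "$DEMO/samba4_private.2015-06-11.tar.bz2" -C "$DEMO/src" private
tar -cjf "$DEMO/sysvol.2015-06-11.tar.bz2"         -C "$DEMO/src" var
tar -cjf "$DEMO/sysvol.2015-06-12.tar.bz2"         -C "$DEMO/src" var   # incomplete day

# check_backup_set DIR STAMP -> prints "ok" and returns 0 when the three
# archives for STAMP exist, are non-empty and can be listed by tar;
# otherwise prints what is wrong and returns 1
check_backup_set() {
    rc=0
    for part in etc samba4_private sysvol; do
        f="$1/$part.$2.tar.bz2"
        if [ ! -s "$f" ]; then
            printf 'missing: %s\n' "$f"; rc=1
        elif ! tar -tjf "$f" >/dev/null 2>&1; then
            printf 'unreadable: %s\n' "$f"; rc=1
        fi
    done
    [ "$rc" -eq 0 ] && printf 'ok\n'
    return "$rc"
}

# latest_backup_stamp DIR -> newest STAMP that has a samba4_private archive
# (the one archive a restore cannot do without)
latest_backup_stamp() {
    ls "$1"/samba4_private.*.tar.bz2 2>/dev/null \
      | sed 's/.*samba4_private\.\(.*\)\.tar\.bz2$/\1/' | LC_ALL=C sort | tail -n 1
}

# restore_ldb_names DIR -> rename every *.ldb.bak below DIR to *.ldb (what the
# find loop in the restore steps does) and print how many *.ldb files exist now
restore_ldb_names() {
    find "$1" -type f -name '*.ldb.bak' -exec sh -c 'mv "$1" "${1%.bak}"' _ {} \;
    find "$1" -type f -name '*.ldb' | wc -l | tr -d ' '
}

# Demonstration on the constructed set
check_backup_set "$DEMO" 2015-06-11
check_backup_set "$DEMO" 2015-06-12 || printf 'do not restore from 2015-06-12\n'
printf 'newest set with a private archive: %s\n' "$(latest_backup_stamp "$DEMO")"
RESTORE="$DEMO/restore"; mkdir -p "$RESTORE"
tar -xjf "$DEMO/samba4_private.2015-06-11.tar.bz2" -C "$RESTORE"
restore_ldb_names "$RESTORE"
```

Against the real /usr/local/backups directory the same functions apply unchanged; running `check_backup_set` from cron right after `samba_backup` is a cheap way to notice a broken or partial backup the day it happens rather than on restore day.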

Configuring a Windows 8 Client

Now let's join a Windows 8 Client to our Samba Domain.

Configuring the DNS Client:

  • In the Windows machine press Windows Key + R and type: ncpa.cpl
  • Now right-click the Ethernet connection and choose Properties
  • Here select Internet Protocol Version 4 (TCP/IPv4), select Properties and set the Preferred DNS server to: 192.168.25.100
  • Now click OK, then Close, and close Network Connections

Joining in the Domain:

  • In the Windows machine press Windows Key + R and type: sysdm.cpl
  • Here select Change… and in Domain put douglas.lan
  • Now click OK.
  • Now we need to enter the user as: administrator and its password and select OK; if everything is fine we get the message box below.
  • Now click OK; we get another message box warning that the machine must be restarted to apply the changes. Click OK and then Close.
  • Now select Restart Now.
  • After the restart choose Switch User (the right arrow inside a circle). In the username put: douglas\administrator, enter its password and press Enter

Now we can install the RSAT; it can be obtained at:

How to Install Admin Tools On Windows 8 – (Remote Server Administration Tools – RSAT)

Accessing the Active Directory Users and Computers

  • In the Windows Machine press Windows Key + R and type: dsa.msc

Accessing the DNS Manager

  • In the Windows Machine press Windows Key + R and type: dnsmgmt.msc
  • Here select The following computer: 192.168.25.100 and click OK
  • After that we get the DNS Manager, where we can manage the DNS records instead of via the shell.

Creating Shares

Creating samba shares is easier than in samba 3 in my opinion; we can create the share and manage it via Windows.

Note: We must be the owner of the directory or belong to the owning group to display or manage the permissions.

Let's enable the Domain Admins to manage the shares via Windows.

net rpc rights grant 'DOUGLAS\Domain Admins' SeDiskOperatorPrivilege -U administrator
Enter administrator's password:
Successfully granted rights.

If you want to assign all the privileges to a group, e.g. 'DOUGLAS\Domain Admins', we can do it as follows (for managing shares, the SeDiskOperatorPrivilege granted above is all that is needed).

net rpc rights grant  'DOUGLAS\Domain Admins' SeMachineAccountPrivilege SeTakeOwnershipPrivilege SeBackupPrivilege SeRestorePrivilege SeRemoteShutdownPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege SeDiskOperatorPrivilege SeSecurityPrivilege SeSystemtimePrivilege SeShutdownPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeSystemProfilePrivilege SeProfileSingleProcessPrivilege SeIncreaseBasePriorityPrivilege SeLoadDriverPrivilege SeCreatePagefilePrivilege SeIncreaseQuotaPrivilege SeChangeNotifyPrivilege SeUndockPrivilege SeManageVolumePrivilege SeImpersonatePrivilege SeCreateGlobalPrivilege SeEnableDelegationPrivilege -U administrator
Enter administrator's password:
Successfully granted rights.

Now let's create a new share.

vim /usr/local/samba/etc/smb.conf
[...]
[Demo]
     path = /srv/samba/Demo/
     read only = no

Now let's create the directory

mkdir -p /srv/samba/Demo/

Now we need to reload the samba configuration

smbcontrol all reload-config

Now on Windows, with a user that belongs to the Domain Admins group (here I shall use administrator):

  • Click Windows key + R and type: compmgmt.msc
  • Now right-click Computer Management and select Connect to another computer…
  • Now in Another computer put: 192.168.25.100 and click OK
  • Now browse to System Tools/Shared Folders/Shares and select our new share called Demo
  • Now right-click Demo and select Properties
  • In the tab Share Permissions we can configure who will be able to access the share.
  • In the tab Security we can manage who will be able to read/execute/modify the files and folders.
  • Now just select OK and close the window.

Roaming Profile

Now let's configure the Roaming profile

Let's create the directory that will store the profiles.

mkdir -p /srv/samba/Profiles/

Now let's add one more share in samba configuration file.

vim /usr/local/samba/etc/smb.conf
[...]
[Profiles]
     path = /srv/samba/Profiles/
     read only = no

Now we need to reload the samba configuration

smbcontrol all reload-config

Now let's check the shares in a Windows machine.

  • Click Windows key + R and type: \\samba1
  • Now right-click the Profiles share and select Properties/Security
  • Now select Advanced and Permissions
    • Leave only Administrator and add Owner Rights and Domain Users

Now we need to configure the permissions as follows:

Name           Permission                                                                       Applies to
Administrator  Full Control                                                                     This folder, subfolders and files
Domain Users   Traverse folder/execute file, List folder/read data, Create folders/append data  This folder only
CREATOR OWNER  Full Control                                                                     Subfolders and files only

After that:

  • Apply
  • OK
  • OK
  • OK

Now we need to configure the roaming profile for a user to run a test.

  • Click Windows key + R and type: dsa.msc
  • Now select the user for which you want to configure the roaming profile
  • Right-click it and select Properties
  • Now select profile.
  • Now in Profile path: \\samba1.douglas.lan\Profiles\%username%
  • Now select OK

Now we can logon with that user and check if the profile was created in:

  • /srv/samba/Profiles/

After logging in with the user douglas.q.santos we get something like below.

ls -l /srv/samba/Profiles
total 8
drwxrwx---+ 2 DOUGLAS\douglas.q.santos users 4096 Jun 11 16:44 douglas.q.santos.V2

Logon Script

Now we will create the logon script, which needs to be stored in /usr/local/samba/var/locks/sysvol/douglas.lan/scripts

Let's create a basic one that only maps the Demo share

Note: Here I will use the user douglas.q.santos; this user needs to have permission to access the share or belong to a group that has it

vim /usr/local/samba/var/locks/sysvol/douglas.lan/scripts/sharedemo.bat
net use x: \\samba1.douglas.lan\Demo

Now we need to change the permissions

chmod +x /usr/local/samba/var/locks/sysvol/douglas.lan/scripts/sharedemo.bat

Now we need to convert the script to Microsoft format

unix2dos /usr/local/samba/var/locks/sysvol/douglas.lan/scripts/sharedemo.bat

  • Now Windows key + R and type: dsa.msc
  • Now select the user that you want to configure; I will use douglas.q.santos, for which I configured the roaming profile
  • Right-click the user and select Properties
  • Now select Profile
  • In Logon script put: sharedemo.bat
  • Now click Apply and OK

Now let's logon with the user douglas.q.santos, after the login we will get something like below.

I shall continue from here as soon as possible.

Configuring the SLAVE

Let's update the repositories and upgrade the system

yum check-update && yum update -y

Now let's install the dependencies so that we can compile samba

yum install  openldap-devel pam-devel git gcc make wget  libacl-devel libblkid-devel gnutls-devel readline-devel python-devel cups-devel \
libaio-devel quota-devel ctdb-devel krb5-devel krb5-workstation acl setroubleshoot-server setroubleshoot-plugins policycoreutils-python \
libsemanage-python setools-libs-python setools-libs popt-devel libpcap-devel libidn-devel libxml2-devel libacl-devel libsepol-devel libattr-devel \
keyutils-libs-devel cyrus-sasl-devel cups-devel bind-utils bind-sdb bind-devel bind-libs bind avahi-devel mingw32-iconv gamin \
libcap-devel rpc2-devel glusterfs-devel python-dns -y

Now let's adjust fstab so that it supports acl, user_xattr and barrier. I will enable this on the / partition; if you have several partitions, it's good to enable it on every one where you want to host shares.

vim /etc/fstab
[...]
/dev/mapper/VolGroup-lv_root /                       ext4    defaults,acl,user_xattr,barrier=1        1 1

Now let's remount the root filesystem

mount -o remount /

Now let's list the mount attributes of the root filesystem

mount | egrep acl
/dev/mapper/VolGroup-lv_root on / type ext4 (rw,acl,user_xattr,barrier=1)

The attributes are now loaded.

Now let's get samba; first go to the directory that will hold the sources

cd /usr/src

Now let's get the sources

wget -c http://ftp.samba.org/pub/samba/stable/samba-4.1.3.tar.gz

Now let's unpack samba

tar -xzvf samba-4.1.3.tar.gz

Now let's enter the source directory

cd samba-4.1.3

Now let's create the build configuration for samba

./configure --enable-debug --enable-selftest

Now let's compile samba; this step takes a while

make

Now let's install samba

make install

Now let's fix the root user's PATH, in case it is using the Bash shell

echo "export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11:/usr/local/samba/sbin:/usr/local/samba/bin">> /root/.bashrc

Now we need to load the new PATH

source /root/.bashrc

Now let's fix the root user's PATH, in case it is using the zsh shell

echo "export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11:/usr/local/samba/sbin:/usr/local/samba/bin">> /root/.zshrc

Now we need to load the new PATH

source /root/.zshrc

Now let's adjust resolv.conf; it will use our domain name and the IP of the PDC.

vim /etc/resolv.conf
domain douglas.lan
search douglas.lan
nameserver 192.168.0.25

Now let's adjust the network interface to use our new DNS

vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE="eth0"
BOOTPROTO="static"
BROADCAST="192.168.0.255"
DNS1="192.168.0.26"
GATEWAY="192.168.0.1"
IPADDR="192.168.0.25"
NETMASK="255.255.255.0"
NM_CONTROLLED="yes"
ONBOOT="yes"
TYPE="Ethernet"

Now let's configure Bind

vim /etc/named.conf
//named.conf

options {
    listen-on port 53 { 127.0.0.1; 192.168.0.0/24; };
    listen-on-v6 port 53 { ::1; };
    directory     "/var/named";
    dump-file     "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query     { 192.168.0.0/24; localhost; };
    recursion yes;
        forwarders { 8.8.8.8; 8.8.4.4; };

    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";

        /* keytab for samba4 */
        tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";

};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
/* samba4 configuration file that points to the bind_dlz module */
include "/usr/local/samba/private/named.conf";

Now let's adjust the krb5.conf configuration

vim /etc/krb5.conf
[logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

[libdefaults]
     default_realm = DOUGLAS.LAN
     dns_lookup_realm = true
     dns_lookup_kdc = true
     ticket_lifetime = 24h
     forwardable = yes

[appdefaults]
     pam = {
          debug = false
          ticket_lifetime = 36000
          renew_lifetime = 36000
          forwardable = true
          krb4_convert = false
     }

Let's obtain a Kerberos ticket to check our configuration

kinit administrator
Password for administrator@DOUGLAS.LAN:
Warning: Your password will expire in 41 days on Mon Oct  7 12:02:11 2013

Now let's add our server as a BDC

Let's join the domain as a DC

samba-tool domain join douglas.lan DC -U administrator --realm=douglas.lan --dns-backend=BIND9_DLZ
Finding a writeable DC for domain 'douglas.lan'
Found DC nodo1.douglas.lan
Password for [DOUGLAS\administrator]:
workgroup is DOUGLAS
realm is douglas.lan
checking sAMAccountName
Deleted CN=NODO2,OU=Domain Controllers,DC=douglas,DC=lan
Deleted CN=NTDS Settings,CN=NODO2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=douglas,DC=lan
Deleted CN=NODO2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=douglas,DC=lan
Adding CN=NODO2,OU=Domain Controllers,DC=douglas,DC=lan
Adding CN=NODO2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=douglas,DC=lan
Adding CN=NTDS Settings,CN=NODO2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=douglas,DC=lan
Adding SPNs to CN=NODO2,OU=Domain Controllers,DC=douglas,DC=lan
Setting account password for NODO2$
Enabling account
Calling bare provision
No IPv6 address will be assigned
Provision OK for domain DN DC=douglas,DC=lan
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=douglas,DC=lan] objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=douglas,DC=lan] objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=douglas,DC=lan] objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=douglas,DC=lan] objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=douglas,DC=lan] objects[402/1625] linked_values[0/0]
Partition[CN=Configuration,DC=douglas,DC=lan] objects[804/1625] linked_values[0/0]
Partition[CN=Configuration,DC=douglas,DC=lan] objects[1206/1625] linked_values[0/0]
Partition[CN=Configuration,DC=douglas,DC=lan] objects[1608/1625] linked_values[0/0]
Partition[CN=Configuration,DC=douglas,DC=lan] objects[1625/1625] linked_values[28/0]
Replicating critical objects from the base DN of the domain
Partition[DC=douglas,DC=lan] objects[98/98] linked_values[25/0]
Partition[DC=douglas,DC=lan] objects[375/277] linked_values[26/0]
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=douglas,DC=lan
Partition[DC=DomainDnsZones,DC=douglas,DC=lan] objects[40/40] linked_values[0/0]
Replicating DC=ForestDnsZones,DC=douglas,DC=lan
Partition[DC=ForestDnsZones,DC=douglas,DC=lan] objects[18/18] linked_values[0/0]
Partition[DC=ForestDnsZones,DC=douglas,DC=lan] objects[36/18] linked_values[0/0]
Committing SAM database
Sending DsReplicateUpdateRefs for all the replicated partitions
Setting isSynchronized and dsServiceName
Setting up secrets database
Joined domain DOUGLAS (SID S-1-5-21-2011945809-1847694634-1467046014) as a DC

Now let's add named to the system startup

chkconfig --add named
chkconfig named on

Now let's create the init script

vim /etc/init.d/samba
#!/bin/sh
#
# chkconfig: - 91 35
# description: Starts and stops the Samba AD DC daemon (samba), \
#           used to provide SMB network services.
#
# pidfile: /usr/local/samba/var/run/samba.pid
# config:  /usr/local/samba/etc/smb.conf

# Source function library.
if [ -f /etc/init.d/functions ] ; then
  . /etc/init.d/functions
elif [ -f /etc/rc.d/init.d/functions ] ; then
  . /etc/rc.d/init.d/functions
else
  exit 1
fi

# Avoid using root's TMPDIR
unset TMPDIR

# Source networking configuration.
. /etc/sysconfig/network

if [ -f /etc/sysconfig/samba ]; then
   . /etc/sysconfig/samba
fi

# Check that networking is up.
[ "${NETWORKING}" = "no" ] && exit 1

# Check that smb.conf exists.
[ -f /usr/local/samba/etc/smb.conf ] || exit 6

SAMBA=/usr/local/samba/sbin/samba
SMBCONTROL=/usr/local/samba/bin/smbcontrol
# One lock file shared by start, stop, status and condrestart.
LOCKFILE=/var/lock/subsys/smb
RETVAL=0

start() {
    echo -n $"Starting SMB services: "
    $SAMBA
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && touch $LOCKFILE || RETVAL=1
    return $RETVAL
}

stop() {
    echo -n $"Shutting down SMB services: "
    # The AD DC runs as "samba"; it stops the children it forked (smbd among them).
    killproc samba
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && rm -f $LOCKFILE
    return $RETVAL
}

restart() {
    stop
    start
}

reload() {
    echo -n $"Reloading smb.conf file: "
    # Tell every samba process to re-read smb.conf, not only smbd.
    $SMBCONTROL all reload-config
    RETVAL=$?
    echo
    return $RETVAL
}

rhstatus() {
    status -l smb samba
    return $?
}

# Allow status as non-root.
if [ "$1" = status ]; then
    rhstatus
    exit $?
fi

# Check that we can write to it... so non-root users stop here
[ -w /usr/local/samba/etc/smb.conf ] || exit 4

case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  restart)
    restart
    ;;
  reload)
    reload
    ;;
  status)
    rhstatus
    ;;
  condrestart)
    [ -f $LOCKFILE ] && restart || :
    ;;
  *)
    echo $"Usage: $0 {start|stop|restart|reload|status|condrestart}"
    exit 2
esac

exit $?

Now let's make our script executable and add it to the system startup

chmod +x /etc/init.d/samba
chkconfig --add samba
chkconfig samba on

Now let's start named and samba

/etc/init.d/named start
/etc/init.d/samba start

Now let's check the samba daemon

ps aux | egrep samba
root      1268  7.0  8.2 525140 41276 ?        Ss   18:50   0:00 /usr/local/samba/sbin/samba
root      1271  0.0  5.7 525140 28648 ?        S    18:50   0:00 /usr/local/samba/sbin/samba
root      1272  0.0  5.8 525140 29500 ?        S    18:50   0:00 /usr/local/samba/sbin/samba
root      1273  0.1  6.2 529292 31152 ?        S    18:50   0:00 /usr/local/samba/sbin/samba
root      1274  0.0  5.6 525140 28608 ?        S    18:50   0:00 /usr/local/samba/sbin/samba
root      1275  8.8  6.1 525140 30768 ?        S    18:50   0:00 /usr/local/samba/sbin/samba
root      1276  0.0  5.8 525140 29204 ?        S    18:50   0:00 /usr/local/samba/sbin/samba
root      1277  7.0  8.6 576100 43440 ?        Ss   18:50   0:00 /usr/local/samba/sbin/smbd --option=server role check:inhibit=yes --foreground
root      1278  0.0  6.1 525140 30716 ?        S    18:50   0:00 /usr/local/samba/sbin/samba
root      1279  0.5  6.2 529292 31316 ?        S    18:50   0:00 /usr/local/samba/sbin/samba
root      1280  0.1  5.9 527652 29864 ?        S    18:50   0:00 /usr/local/samba/sbin/samba
root      1281  0.0  5.7 525140 28748 ?        S    18:50   0:00 /usr/local/samba/sbin/samba
root      1282  0.0  5.9 525140 29712 ?        S    18:50   0:00 /usr/local/samba/sbin/samba
root      1283  0.0  5.9 525140 29708 ?        S    18:50   0:00 /usr/local/samba/sbin/samba
root      1291  0.0  5.7 575584 29052 ?        S    18:50   0:00 /usr/local/samba/sbin/smbd --option=server role check:inhibit=yes --foreground

As can be seen, it is running fine.

Now let's display the version of our samba

smbclient --version
Version 4.1.3

Now let's list the shares

smbclient -L localhost -U%
Domain=[DOUGLAS] OS=[Unix] Server=[Samba 4.1.3]

    Sharename       Type      Comment
    ---------       ----      -------
    netlogon        Disk
    sysvol          Disk
    IPC$            IPC       IPC Service (Samba 4.1.3)
Domain=[DOUGLAS] OS=[Unix] Server=[Samba 4.1.3]

    Server               Comment
    ---------            -------

    Workgroup            Master
    ---------            -------

Now let's list the netlogon share with the administrator user

smbclient //localhost/netlogon -UAdministrator%'sen@134*' -c 'ls'
Domain=[DOUGLAS] OS=[Unix] Server=[Samba 4.1.3]
  .                                   D        0  Mon Aug 26 18:35:20 2013
  ..                                  D        0  Mon Aug 26 18:35:20 2013

        34426 blocks of size 262144. 23857 blocks available

Now let's display our samba configuration

testparm
Load smb config files from /usr/local/samba/etc/smb.conf
rlimit_max: increasing rlimit_max (4096) to minimum Windows limit (16384)
Processing section "[netlogon]"
Processing section "[sysvol]"
Loaded services file OK.
Server role: ROLE_ACTIVE_DIRECTORY_DC
Press enter to see a dump of your service definitions

[global]
    workgroup = DOUGLAS
    realm = douglas.lan
    server role = active directory domain controller
    passdb backend = samba_dsdb
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
    rpc_server:tcpip = no
    rpc_daemon:spoolssd = embedded
    rpc_server:spoolss = embedded
    rpc_server:winreg = embedded
    rpc_server:ntsvcs = embedded
    rpc_server:eventlog = embedded
    rpc_server:srvsvc = embedded
    rpc_server:svcctl = embedded
    rpc_server:default = external
    idmap config * : backend = tdb
    map archive = No
    map readonly = no
    store dos attributes = Yes
    vfs objects = dfs_samba4, acl_xattr

[netlogon]
    path = /usr/local/samba/var/locks/sysvol/douglas.lan/scripts
    read only = No

[sysvol]
    path = /usr/local/samba/var/locks/sysvol
    read only = No

Now let's adjust limits.conf so that samba no longer prints the rlimit warnings

vim /etc/security/limits.conf
# put at the end of the file
root hard nofile 131072
root soft nofile 65536
mioutente hard nofile 32768
mioutente soft nofile 16384

Now let's test name resolution

nslookup douglas.lan
Server:        192.168.0.25
Address:    192.168.0.25#53

Name:    douglas.lan
Address: 192.168.0.25
Name:    douglas.lan
Address: 192.168.0.26

Now let's adjust the kerberos configuration

Let's back up the configuration file

mv /etc/krb5.conf /etc/krb5.conf.old

Let's create a link so that the system recognises samba's configuration file as the default

ln -sf /usr/local/samba/private/krb5.conf /etc/krb5.conf

Now let's adjust the krb5.conf configuration

vim /etc/krb5.conf
[logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

[libdefaults]
     default_realm = DOUGLAS.LAN
     dns_lookup_realm = true
     dns_lookup_kdc = true
     ticket_lifetime = 24h
     forwardable = yes

[appdefaults]
     pam = {
          debug = false
          ticket_lifetime = 36000
          renew_lifetime = 36000
          forwardable = true
          krb4_convert = false
     }

Now let's create a link for the kerberos keytab

ln -s /usr/local/samba/private/dns.keytab /etc/krb5.keytab

Now let's adjust the samba configuration so that it can map users via winbind

vim /usr/local/samba/etc/smb.conf
[global]
    workgroup = DOUGLAS
    realm = douglas.lan
        netbios name = NODO2
    server role = active directory domain controller
    passdb backend = samba_dsdb
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
    rpc_server:tcpip = no
    rpc_daemon:spoolssd = embedded
    rpc_server:spoolss = embedded
    rpc_server:winreg = embedded
    rpc_server:ntsvcs = embedded
    rpc_server:eventlog = embedded
    rpc_server:srvsvc = embedded
    rpc_server:svcctl = embedded
    rpc_server:default = external
    #IDMAP
    idmap_ldb:use rfc2307 = yes
    idmap config * : backend = tdb
        idmap config *:range = 70001-80000
        idmap config DOUGLAS:backend = ad
        idmap config DOUGLAS:schema_mode = rfc2307
        idmap config DOUGLAS:range = 500-40000
    #WINBIND
        winbind nss info = rfc2307
        winbind trusted domains only = no
        winbind use default domain = yes
        winbind enum users  = yes
        winbind enum groups = yes
    map archive = No
    map readonly = no
    store dos attributes = Yes
    # dfs_samba4 and acl_xattr are mandatory on an AD DC (sysvol ACLs). A second
    # "vfs objects" line in the same section would replace this list rather than
    # extend it, so every module goes on this one line
    vfs objects = dfs_samba4 acl_xattr recycle full_audit
    # template shell is needed to obtain a shell when logging in via winbind
    template shell = /bin/bash
    # DISABLING PRINTERS
    printcap name = /dev/null
    load printers = no
    disable spoolss = yes
    printing = bsd
    ### LOGS
    log file = /var/log/samba/smbd.log
    max log size = 50
    log level = 2
    ### RECYCLE BIN (kept in a directory named Lixeira inside each share)
    recycle:repository = Lixeira
    recycle:exclude = *.tmp *.TMP *.temp *.TEMP ~*
    recycle:keeptree = yes
    ### AUDIT (one syslog line per operation: %U|%I|%m|%S|op|ok-or-fail|args)
    full_audit:success = rmdir mkdir open write rename unlink
    # set once: a parameter repeated in a section keeps only its last value
    full_audit:failure = rmdir mkdir open write rename unlink
    full_audit:prefix = %U|%I|%m|%S
    full_audit:facility = local5
    full_audit:priority = notice
    # NOTE: in [global] these apply to every share, sysvol included, and *.ini
    # would match GPT.INI; put them in the data shares instead
    veto files = /*.mp3/*.wav/*.exe/*.cmd/*.adm/*.inf/*.ini/*.pif
    delete veto files = yes
    dos filemode = yes

[netlogon]
    path = /usr/local/samba/var/locks/sysvol/douglas.lan/scripts
    read only = No

[sysvol]
    path = /usr/local/samba/var/locks/sysvol
    read only = No
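
Samba keeps the last value it reads when a parameter appears more than once in the same section, so a second "vfs objects" line in [global] silently replaces the module list from the first one instead of extending it; on a DC that can drop dfs_samba4 and acl_xattr, which sysvol depends on. The script below is an added example, not part of the original page or of Samba: it parses an smb.conf and reports every shadowed parameter and every VFS module lost that way. The SAMPLE text is constructed to show the pattern; pass a real path as the first argument to check a live file.

```python
#!/usr/bin/env python3
"""Report smb.conf parameters that are set more than once in one section.

Samba keeps the LAST value it reads for a parameter, so an earlier line is
silently ignored; for list-valued parameters such as "vfs objects" that means
modules disappear without any warning.
"""
import re
import sys
from collections import OrderedDict

SECTION_RE = re.compile(r'^\[(?P<name>[^\]]+)\]$')
PARAM_RE = re.compile(r'^(?P<key>[^=#;][^=]*?)\s*=\s*(?P<value>.*)$')


def normalize_key(key):
    # Parameter names are case-insensitive and internal whitespace is ignored,
    # so "Vfs Objects" and "vfs objects" are the same parameter.
    return re.sub(r'\s+', '', key).lower()


def parse_smb_conf(text):
    """Return {section: [(key, value), ...]} keeping order and duplicates."""
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group('name').strip().lower()
            sections.setdefault(current, [])
            continue
        m = PARAM_RE.match(line)
        if m and current is not None:
            sections[current].append((normalize_key(m.group('key')),
                                      m.group('value').strip()))
    return sections


def find_shadowed(text):
    """Return [(section, key, [shadowed values], effective value), ...]."""
    findings = []
    for section, params in parse_smb_conf(text).items():
        seen = OrderedDict()
        for key, value in params:
            seen.setdefault(key, []).append(value)
        for key, values in seen.items():
            if len(values) > 1:
                findings.append((section, key, values[:-1], values[-1]))
    return findings


def lost_vfs_modules(text, section='global'):
    """VFS modules named on an earlier 'vfs objects' line but absent from the effective one."""
    lost = []
    for sec, key, shadowed, effective in find_shadowed(text):
        if sec != section or key != 'vfsobjects':
            continue
        kept = set(effective.replace(',', ' ').split())
        for old in shadowed:
            for module in old.replace(',', ' ').split():
                if module not in kept and module not in lost:
                    lost.append(module)
    return lost


# Constructed sample reproducing the duplicate-parameter pattern (not a real config).
SAMPLE = """\
[global]
    workgroup = DOUGLAS
    server role = active directory domain controller
    vfs objects = dfs_samba4, acl_xattr
    full_audit:failure = rmdir mkdir open write rename unlink
    vfs objects = recycle full_audit
    full_audit:failure = none

[sysvol]
    path = /usr/local/samba/var/locks/sysvol
    read only = No
"""


def report(text):
    """Print a human-readable summary; return the number of shadowed parameters."""
    findings = find_shadowed(text)
    for section, key, shadowed, effective in findings:
        print('[%s] %s: effective value %r shadows %r' % (section, key, effective, shadowed))
    lost = lost_vfs_modules(text)
    if lost:
        print('VFS modules silently dropped from [global]: %s' % ' '.join(lost))
    return len(findings)


if __name__ == '__main__':
    # Usage: ./smbconf_dups.py /usr/local/samba/etc/smb.conf   (falls back to SAMPLE)
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    sys.exit(1 if report(source) else 0)
```

Run it against the DC's smb.conf after every edit; a non-zero exit means some line you wrote is not the one Samba is actually using.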

Now let's create the directory to store the logs

mkdir -p /var/log/samba
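
The full_audit settings in smb.conf make smbd emit one syslog line per file operation to local5.notice, prefixed with %U|%I|%m|%S (user, client IP, client machine name, share) and followed by the operation, ok or fail, and the operation's arguments. Nothing on the page consumes those lines, so here is an added example, not from the original page: a parser for that format plus a check that flags a user deleting or renaming many files within a short window (the burst a ransomware process or a mass deletion produces) and a list of operations the server refused. The log lines are constructed; syslog timestamps carry no year, so the parser takes one as an assumed parameter.

```python
#!/usr/bin/env python3
"""Parse vfs_full_audit syslog lines and flag bursts of destructive operations.

Expected line shape (prefix = %U|%I|%m|%S, then op|ok-or-fail|args):
  <syslog ts> <host> smbd_audit: user|ip|machine|share|op|ok|/path
"""
import re
from collections import defaultdict
from datetime import datetime

AUDIT_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) '
    r'smbd_audit: (?P<rest>.*)$')

DESTRUCTIVE_OPS = {'unlink', 'rmdir', 'rename'}


def parse_audit_line(line, year=2013):
    """Return a dict for one smbd_audit line, or None if it does not match.

    Syslog timestamps carry no year, so the caller supplies it (assumption).
    """
    m = AUDIT_RE.match(line.rstrip('\n'))
    if not m:
        return None
    fields = m.group('rest').split('|')
    if len(fields) < 6:
        return None
    user, ip, machine, share, op, result = fields[:6]
    ts = datetime.strptime(m.group('ts'), '%b %d %H:%M:%S').replace(year=year)
    return {'ts': ts, 'host': m.group('host'), 'user': user, 'ip': ip,
            'machine': machine, 'share': share, 'op': op, 'result': result,
            'args': '|'.join(fields[6:])}


def parse_audit_log(lines, year=2013):
    """Parse an iterable of lines, skipping anything that is not an audit record."""
    events = [parse_audit_line(l, year) for l in lines]
    return [e for e in events if e is not None]


def mass_delete_suspects(events, threshold=5, window=60):
    """Map user -> max number of successful destructive ops inside any `window`
    seconds, for users reaching `threshold` (sliding window over sorted stamps)."""
    per_user = defaultdict(list)
    for e in events:
        if e['op'] in DESTRUCTIVE_OPS and e['result'] == 'ok':
            per_user[e['user']].append(e['ts'])
    suspects = {}
    for user, stamps in per_user.items():
        stamps.sort()
        start, best = 0, 0
        for end, ts in enumerate(stamps):
            while (ts - stamps[start]).total_seconds() > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            suspects[user] = best
    return suspects


def failed_ops(events):
    """(user, ip, op, args) for every operation the server refused."""
    return [(e['user'], e['ip'], e['op'], e['args'])
            for e in events if e['result'] == 'fail']


# Constructed sample (not real logs): six deletions/renames in ten seconds by one
# user, a normal mkdir by another, one refused open, and an unrelated sshd line.
SAMPLE_LOG = """\
Aug 26 19:10:01 nodo1 smbd_audit: douglas.santos|192.168.0.130|ws01|projetos|unlink|ok|relatorio1.docx
Aug 26 19:10:02 nodo1 smbd_audit: douglas.santos|192.168.0.130|ws01|projetos|unlink|ok|relatorio2.docx
Aug 26 19:10:03 nodo1 smbd_audit: Administrator|192.168.0.131|ws02|projetos|mkdir|ok|backup
Aug 26 19:10:04 nodo1 smbd_audit: douglas.santos|192.168.0.130|ws01|projetos|unlink|ok|relatorio3.docx
Aug 26 19:10:05 nodo1 smbd_audit: douglas.santos|192.168.0.130|ws01|projetos|rename|ok|a.xls|a.xls.locked
Aug 26 19:10:06 nodo1 sshd[1222]: Accepted password for douglas.santos from 192.168.0.130 port 48754 ssh2
Aug 26 19:10:08 nodo1 smbd_audit: douglas.santos|192.168.0.130|ws01|projetos|unlink|ok|relatorio4.docx
Aug 26 19:10:09 nodo1 smbd_audit: guest|192.168.0.140|ws03|projetos|open|fail|segredo.txt
Aug 26 19:10:11 nodo1 smbd_audit: douglas.santos|192.168.0.130|ws01|projetos|unlink|ok|relatorio5.docx
"""

if __name__ == '__main__':
    evs = parse_audit_log(SAMPLE_LOG.splitlines())
    print('suspects:', mass_delete_suspects(evs))
    print('failures:', failed_ops(evs))
```

Feed it the file your syslog daemon writes for local5 (the page does not show that rsyslog rule, so add one for the facility) and tune threshold and window to the share's normal churn; the failure list is only populated if full_audit:failure actually names operations.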

Now we need to make the winbind NSS library visible to the system; on 32-bit systems do it as follows

ln -s /usr/local/samba/lib/libnss_winbind.so /lib
ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
ldconfig

On 64-bit systems do it as follows

ln -s /usr/local/samba/lib/libnss_winbind.so /lib64
ln -s /lib64/libnss_winbind.so /lib64/libnss_winbind.so.2
ldconfig

Now let's adjust nsswitch.conf

vim /etc/nsswitch.conf
[...]
passwd: files winbind
[...]
group:  files winbind

Now let's obtain a ticket for the administrator

kinit administrator
Password for administrator@DOUGLAS.LAN:
Warning: Your password will expire in 41 days on Mon Oct  7 12:02:11 2013

Now let's list our ticket

klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@DOUGLAS.LAN

Valid starting     Expires            Service principal
08/26/13 18:54:21  08/27/13 04:54:21  krbtgt/DOUGLAS.LAN@DOUGLAS.LAN
    renew until 08/27/13 18:54:17

Our Kerberos is OK.

Let's install ntp

yum install ntp -y

Now let's back up the default ntp.conf

cp /etc/ntp.conf /etc/ntp.conf.old

Now let's configure ntp. The ntpsigndsocket line and the mssntp restriction are what allow domain members to obtain MS-SNTP signed time from the DC

vim /etc/ntp.conf
server 127.127.1.0
fudge  127.127.1.0 stratum 10
server a.ntp.br iburst prefer
server 0.pool.ntp.org  iburst prefer
server 1.pool.ntp.org  iburst prefer
driftfile /var/lib/ntp/ntp.drift
logfile /var/log/ntp
ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/
restrict default kod nomodify notrap nopeer mssntp
restrict 127.0.0.1
restrict a.ntp.br mask 255.255.255.255 nomodify notrap nopeer noquery
restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery

Now let's start it

/etc/init.d/ntpd start

Now let's check its synchronisation (peers show .INIT. until the first exchanges complete)

ntpq -p 127.0.0.1
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 LOCAL(0)        .LOCL.          10 l    -   64    1    0.000    0.000   0.000
 a.ntp.br        .INIT.          16 u    -   64    0    0.000    0.000   0.000
 a.st1.ntp.br    .INIT.          16 u    -   64    0    0.000    0.000   0.000
 roma.coe.ufrj.b .INIT.          16 u    -   64    0    0.000    0.000   0.000

Now let's add ntp to the system startup

chkconfig --add ntpd
chkconfig ntpd on

Now let's force a one-off time update

ntpdate -u a.ntp.br

Now let's set the group of the ntp_signd socket directory so that ntpd can reach Samba's signing socket; the directory should stay accessible to root and the ntp group only

chgrp ntp /usr/local/samba/var/lib/ntp_signd

Our Samba is now OK.

Now we can get the RSAT (Admin Pack) at:

Now let's test winbind

wbinfo -t
checking the trust secret for domain DOUGLAS via RPC calls succeeded

Now let's list the groups

wbinfo -g
Enterprise Read-Only Domain Controllers
Domain Admins
Domain Users
Domain Guests
Domain Computers
Domain Controllers
Schema Admins
Enterprise Admins
Group Policy Creator Owners
Read-Only Domain Controllers
DnsUpdateProxy
ti-admin

Now let's list the users

wbinfo -u
Administrator
Guest
krbtgt
dns-nodo1
douglas.santos

Now let's test Samba's DNS update. With --verbose it lists each record it expects and reports whether the zone already has it

samba_dnsupdate --verbose
IPs: ['192.168.0.26']
Skipping PDC entry (SRV _ldap._tcp.pdc._msdcs.${DNSDOMAIN}                   ${HOSTNAME} 389) as we are not a PDC
Skipping PDC entry (SRV _ldap._tcp.pdc._msdcs.${DNSFOREST}                   ${HOSTNAME} 389) as we are not a PDC
Looking for DNS entry A douglas.lan 192.168.0.26 as douglas.lan.
Looking for DNS entry A nodo2.douglas.lan 192.168.0.26 as nodo2.douglas.lan.
Looking for DNS entry A gc._msdcs.douglas.lan 192.168.0.26 as gc._msdcs.douglas.lan.
Looking for DNS entry CNAME ccc206ae-bc66-4a4e-a282-06aa4613cadd._msdcs.douglas.lan nodo2.douglas.lan as ccc206ae-bc66-4a4e-a282-06aa4613cadd._msdcs.douglas.lan.
Looking for DNS entry SRV _kpasswd._tcp.douglas.lan nodo2.douglas.lan 464 as _kpasswd._tcp.douglas.lan.
Checking 0 100 464 nodo2.douglas.lan. against SRV _kpasswd._tcp.douglas.lan nodo2.douglas.lan 464
Looking for DNS entry SRV _kpasswd._udp.douglas.lan nodo2.douglas.lan 464 as _kpasswd._udp.douglas.lan.
Checking 0 100 464 nodo1.douglas.lan. against SRV _kpasswd._udp.douglas.lan nodo2.douglas.lan 464
Checking 0 100 464 nodo2.douglas.lan. against SRV _kpasswd._udp.douglas.lan nodo2.douglas.lan 464
Looking for DNS entry SRV _kerberos._tcp.douglas.lan nodo2.douglas.lan 88 as _kerberos._tcp.douglas.lan.
Checking 0 100 88 nodo1.douglas.lan. against SRV _kerberos._tcp.douglas.lan nodo2.douglas.lan 88
Checking 0 100 88 nodo2.douglas.lan. against SRV _kerberos._tcp.douglas.lan nodo2.douglas.lan 88
Looking for DNS entry SRV _kerberos._tcp.dc._msdcs.douglas.lan nodo2.douglas.lan 88 as _kerberos._tcp.dc._msdcs.douglas.lan.
Checking 0 100 88 nodo2.douglas.lan. against SRV _kerberos._tcp.dc._msdcs.douglas.lan nodo2.douglas.lan 88
Looking for DNS entry SRV _kerberos._tcp.default-first-site-name._sites.douglas.lan nodo2.douglas.lan 88 as _kerberos._tcp.default-first-site-name._sites.douglas.lan.
Checking 0 100 88 nodo1.douglas.lan. against SRV _kerberos._tcp.default-first-site-name._sites.douglas.lan nodo2.douglas.lan 88
Checking 0 100 88 nodo2.douglas.lan. against SRV _kerberos._tcp.default-first-site-name._sites.douglas.lan nodo2.douglas.lan 88
Looking for DNS entry SRV _kerberos._tcp.default-first-site-name._sites.dc._msdcs.douglas.lan nodo2.douglas.lan 88 as _kerberos._tcp.default-first-site-name._sites.dc._msdcs.douglas.lan.
Checking 0 100 88 nodo1.douglas.lan. against SRV _kerberos._tcp.default-first-site-name._sites.dc._msdcs.douglas.lan nodo2.douglas.lan 88
Checking 0 100 88 nodo2.douglas.lan. against SRV _kerberos._tcp.default-first-site-name._sites.dc._msdcs.douglas.lan nodo2.douglas.lan 88
Looking for DNS entry SRV _kerberos._udp.douglas.lan nodo2.douglas.lan 88 as _kerberos._udp.douglas.lan.
Checking 0 100 88 nodo1.douglas.lan. against SRV _kerberos._udp.douglas.lan nodo2.douglas.lan 88
Checking 0 100 88 nodo2.douglas.lan. against SRV _kerberos._udp.douglas.lan nodo2.douglas.lan 88
Looking for DNS entry SRV _ldap._tcp.douglas.lan nodo2.douglas.lan 389 as _ldap._tcp.douglas.lan.
Checking 0 100 389 nodo2.douglas.lan. against SRV _ldap._tcp.douglas.lan nodo2.douglas.lan 389
Looking for DNS entry SRV _ldap._tcp.dc._msdcs.douglas.lan nodo2.douglas.lan 389 as _ldap._tcp.dc._msdcs.douglas.lan.
Checking 0 100 389 nodo1.douglas.lan. against SRV _ldap._tcp.dc._msdcs.douglas.lan nodo2.douglas.lan 389
Checking 0 100 389 nodo2.douglas.lan. against SRV _ldap._tcp.dc._msdcs.douglas.lan nodo2.douglas.lan 389
Looking for DNS entry SRV _ldap._tcp.gc._msdcs.douglas.lan nodo2.douglas.lan 3268 as _ldap._tcp.gc._msdcs.douglas.lan.
Checking 0 100 3268 nodo2.douglas.lan. against SRV _ldap._tcp.gc._msdcs.douglas.lan nodo2.douglas.lan 3268
Looking for DNS entry SRV _ldap._tcp.default-first-site-name._sites.douglas.lan nodo2.douglas.lan 389 as _ldap._tcp.default-first-site-name._sites.douglas.lan.
Checking 0 100 389 nodo1.douglas.lan. against SRV _ldap._tcp.default-first-site-name._sites.douglas.lan nodo2.douglas.lan 389
Checking 0 100 389 nodo2.douglas.lan. against SRV _ldap._tcp.default-first-site-name._sites.douglas.lan nodo2.douglas.lan 389
Looking for DNS entry SRV _ldap._tcp.default-first-site-name._sites.dc._msdcs.douglas.lan nodo2.douglas.lan 389 as _ldap._tcp.default-first-site-name._sites.dc._msdcs.douglas.lan.
Checking 0 100 389 nodo1.douglas.lan. against SRV _ldap._tcp.default-first-site-name._sites.dc._msdcs.douglas.lan nodo2.douglas.lan 389
Checking 0 100 389 nodo2.douglas.lan. against SRV _ldap._tcp.default-first-site-name._sites.dc._msdcs.douglas.lan nodo2.douglas.lan 389
Looking for DNS entry SRV _ldap._tcp.default-first-site-name._sites.gc._msdcs.douglas.lan nodo2.douglas.lan 3268 as _ldap._tcp.default-first-site-name._sites.gc._msdcs.douglas.lan.
Checking 0 100 3268 nodo2.douglas.lan. against SRV _ldap._tcp.default-first-site-name._sites.gc._msdcs.douglas.lan nodo2.douglas.lan 3268
Looking for DNS entry SRV _ldap._tcp.15cf6198-7655-4ba1-9563-2682bf9b6483.domains._msdcs.douglas.lan nodo2.douglas.lan 389 as _ldap._tcp.15cf6198-7655-4ba1-9563-2682bf9b6483.domains._msdcs.douglas.lan.
Checking 0 100 389 nodo2.douglas.lan. against SRV _ldap._tcp.15cf6198-7655-4ba1-9563-2682bf9b6483.domains._msdcs.douglas.lan nodo2.douglas.lan 389
Looking for DNS entry SRV _gc._tcp.douglas.lan nodo2.douglas.lan 3268 as _gc._tcp.douglas.lan.
Checking 0 100 3268 nodo2.douglas.lan. against SRV _gc._tcp.douglas.lan nodo2.douglas.lan 3268
Looking for DNS entry SRV _gc._tcp.default-first-site-name._sites.douglas.lan nodo2.douglas.lan 3268 as _gc._tcp.default-first-site-name._sites.douglas.lan.
Checking 0 100 3268 nodo1.douglas.lan. against SRV _gc._tcp.default-first-site-name._sites.douglas.lan nodo2.douglas.lan 3268
Checking 0 100 3268 nodo2.douglas.lan. against SRV _gc._tcp.default-first-site-name._sites.douglas.lan nodo2.douglas.lan 3268
No DNS updates needed

Now let's push all the records (--all-names sends an update for every name, not only the ones found missing)

samba_dnsupdate --verbose --all-names
IPs: ['192.168.0.26']
Skipping PDC entry (SRV _ldap._tcp.pdc._msdcs.${DNSDOMAIN}                   ${HOSTNAME} 389) as we are not a PDC
Skipping PDC entry (SRV _ldap._tcp.pdc._msdcs.${DNSFOREST}                   ${HOSTNAME} 389) as we are not a PDC

Calling nsupdate for A douglas.lan 192.168.0.26
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
douglas.lan.        900    IN    A    192.168.0.26

Calling nsupdate for A nodo2.douglas.lan 192.168.0.26
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
nodo2.douglas.lan.    900    IN    A    192.168.0.26

Calling nsupdate for A gc._msdcs.douglas.lan 192.168.0.26
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
gc._msdcs.douglas.lan.    900    IN    A    192.168.0.26

Calling nsupdate for CNAME ccc206ae-bc66-4a4e-a282-06aa4613cadd._msdcs.douglas.lan nodo2.douglas.lan
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
ccc206ae-bc66-4a4e-a282-06aa4613cadd._msdcs.douglas.lan. 900 IN    CNAME nodo2.douglas.lan.

Calling nsupdate for SRV _kpasswd._tcp.douglas.lan nodo2.douglas.lan 464
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kpasswd._tcp.douglas.lan. 900    IN    SRV    0 100 464 nodo2.douglas.lan.

Calling nsupdate for SRV _kpasswd._udp.douglas.lan nodo2.douglas.lan 464
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kpasswd._udp.douglas.lan. 900    IN    SRV    0 100 464 nodo2.douglas.lan.

Calling nsupdate for SRV _kerberos._tcp.douglas.lan nodo2.douglas.lan 88
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.douglas.lan. 900    IN    SRV    0 100 88 nodo2.douglas.lan.

Calling nsupdate for SRV _kerberos._tcp.dc._msdcs.douglas.lan nodo2.douglas.lan 88
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.dc._msdcs.douglas.lan. 900 IN SRV 0 100 88 nodo2.douglas.lan.

Calling nsupdate for SRV _kerberos._tcp.default-first-site-name._sites.douglas.lan nodo2.douglas.lan 88
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.default-first-site-name._sites.douglas.lan. 900 IN SRV 0 100 88 nodo2.douglas.lan.

Calling nsupdate for SRV _kerberos._tcp.default-first-site-name._sites.dc._msdcs.douglas.lan nodo2.douglas.lan 88
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.default-first-site-name._sites.dc._msdcs.douglas.lan. 900 IN SRV 0 100 88 nodo2.douglas.lan.

Calling nsupdate for SRV _kerberos._udp.douglas.lan nodo2.douglas.lan 88
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._udp.douglas.lan. 900    IN    SRV    0 100 88 nodo2.douglas.lan.

Calling nsupdate for SRV _ldap._tcp.douglas.lan nodo2.douglas.lan 389
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.douglas.lan.    900    IN    SRV    0 100 389 nodo2.douglas.lan.

Calling nsupdate for SRV _ldap._tcp.dc._msdcs.douglas.lan nodo2.douglas.lan 389
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.dc._msdcs.douglas.lan. 900 IN SRV    0 100 389 nodo2.douglas.lan.

Calling nsupdate for SRV _ldap._tcp.gc._msdcs.douglas.lan nodo2.douglas.lan 3268
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.gc._msdcs.douglas.lan. 900 IN SRV    0 100 3268 nodo2.douglas.lan.

Calling nsupdate for SRV _ldap._tcp.default-first-site-name._sites.douglas.lan nodo2.douglas.lan 389
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.default-first-site-name._sites.douglas.lan. 900 IN SRV 0 100 389 nodo2.douglas.lan.

Calling nsupdate for SRV _ldap._tcp.default-first-site-name._sites.dc._msdcs.douglas.lan nodo2.douglas.lan 389
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.default-first-site-name._sites.dc._msdcs.douglas.lan. 900 IN    SRV 0 100 389 nodo2.douglas.lan.

Calling nsupdate for SRV _ldap._tcp.default-first-site-name._sites.gc._msdcs.douglas.lan nodo2.douglas.lan 3268
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.default-first-site-name._sites.gc._msdcs.douglas.lan. 900 IN    SRV 0 100 3268 nodo2.douglas.lan.

Calling nsupdate for SRV _ldap._tcp.15cf6198-7655-4ba1-9563-2682bf9b6483.domains._msdcs.douglas.lan nodo2.douglas.lan 389
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.15cf6198-7655-4ba1-9563-2682bf9b6483.domains._msdcs.douglas.lan. 900 IN SRV 0 100 389 nodo2.douglas.lan.

Calling nsupdate for SRV _gc._tcp.douglas.lan nodo2.douglas.lan 3268
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_gc._tcp.douglas.lan.    900    IN    SRV    0 100 3268 nodo2.douglas.lan.

Calling nsupdate for SRV _gc._tcp.default-first-site-name._sites.douglas.lan nodo2.douglas.lan 3268
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_gc._tcp.default-first-site-name._sites.douglas.lan. 900 IN SRV    0 100 3268 nodo2.douglas.lan.

Now let's run DNS queries for the service records; both DCs must show up

Let's query the LDAP service

host -t SRV _ldap._tcp.douglas.lan.
_ldap._tcp.douglas.lan has SRV record 0 100 389 nodo2.douglas.lan.
_ldap._tcp.douglas.lan has SRV record 0 100 389 nodo1.douglas.lan.

Let's query the Kerberos service

host -t SRV _kerberos._udp.douglas.lan.
_kerberos._udp.douglas.lan has SRV record 0 100 88 nodo1.douglas.lan.
_kerberos._udp.douglas.lan has SRV record 0 100 88 nodo2.douglas.lan.

Now let's query our server's A record

host -t A nodo2.douglas.lan
nodo2.douglas.lan has address 192.168.0.26

Now let's list the Kerberos keytab. Each principal appears once per encryption type stored; klist -ke would show the type next to each entry

klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 DNS/nodo2.douglas.lan@DOUGLAS.LAN
   1 dns-nodo2@DOUGLAS.LAN
   1 DNS/nodo2.douglas.lan@DOUGLAS.LAN
   1 dns-nodo2@DOUGLAS.LAN
   1 DNS/nodo2.douglas.lan@DOUGLAS.LAN
   1 dns-nodo2@DOUGLAS.LAN
   1 DNS/nodo2.douglas.lan@DOUGLAS.LAN
   1 dns-nodo2@DOUGLAS.LAN
   1 DNS/nodo2.douglas.lan@DOUGLAS.LAN
   1 dns-nodo2@DOUGLAS.LAN

Now let's list the active tickets with their encryption types (-e)

klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@DOUGLAS.LAN

Valid starting     Expires            Service principal
08/26/13 18:54:21  08/27/13 04:54:21  krbtgt/DOUGLAS.LAN@DOUGLAS.LAN
    renew until 08/27/13 18:54:17, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96

Now let's check that both of our DCs have an NTDS Settings object in the directory, i.e. both are known as replication partners

ldbsearch -H /usr/local/samba/private/sam.ldb '(invocationid=*)' --cross-ncs objectguid
# record 1
dn: CN=NTDS Settings,CN=NODO1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=douglas,DC=lan
objectGUID: eae04ba1-3ca2-4ec6-b08c-4962ca4f04b4

# record 2
dn: CN=NTDS Settings,CN=NODO2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=douglas,DC=lan
objectGUID: ccc206ae-bc66-4a4e-a282-06aa4613cadd

# returned 2 records
# 2 entries
# 0 referrals

Now let's check the replication status

samba-tool drs showrepl
Default-First-Site-Name\NODO2
DSA Options: 0x00000001
DSA object GUID: ccc206ae-bc66-4a4e-a282-06aa4613cadd
DSA invocationId: 08233b5e-5d9f-469f-b350-641b18278b60

==== INBOUND NEIGHBORS ====

CN=Schema,CN=Configuration,DC=douglas,DC=lan
    Default-First-Site-Name\NODO1 via RPC
        DSA object GUID: eae04ba1-3ca2-4ec6-b08c-4962ca4f04b4
        Last attempt @ Mon Aug 26 19:01:06 2013 BRT was successful
        0 consecutive failure(s).
        Last success @ Mon Aug 26 19:01:06 2013 BRT

DC=DomainDnsZones,DC=douglas,DC=lan
    Default-First-Site-Name\NODO1 via RPC
        DSA object GUID: eae04ba1-3ca2-4ec6-b08c-4962ca4f04b4
        Last attempt @ Mon Aug 26 19:01:06 2013 BRT was successful
        0 consecutive failure(s).
        Last success @ Mon Aug 26 19:01:06 2013 BRT

CN=Configuration,DC=douglas,DC=lan
    Default-First-Site-Name\NODO1 via RPC
        DSA object GUID: eae04ba1-3ca2-4ec6-b08c-4962ca4f04b4
        Last attempt @ Mon Aug 26 19:01:06 2013 BRT was successful
        0 consecutive failure(s).
        Last success @ Mon Aug 26 19:01:06 2013 BRT

DC=ForestDnsZones,DC=douglas,DC=lan
    Default-First-Site-Name\NODO1 via RPC
        DSA object GUID: eae04ba1-3ca2-4ec6-b08c-4962ca4f04b4
        Last attempt @ Mon Aug 26 19:01:06 2013 BRT was successful
        0 consecutive failure(s).
        Last success @ Mon Aug 26 19:01:06 2013 BRT

DC=douglas,DC=lan
    Default-First-Site-Name\NODO1 via RPC
        DSA object GUID: eae04ba1-3ca2-4ec6-b08c-4962ca4f04b4
        Last attempt @ Mon Aug 26 19:01:07 2013 BRT was successful
        0 consecutive failure(s).
        Last success @ Mon Aug 26 19:01:07 2013 BRT

==== OUTBOUND NEIGHBORS ====

CN=Schema,CN=Configuration,DC=douglas,DC=lan
    Default-First-Site-Name\NODO1 via RPC
        DSA object GUID: eae04ba1-3ca2-4ec6-b08c-4962ca4f04b4
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

DC=DomainDnsZones,DC=douglas,DC=lan
    Default-First-Site-Name\NODO1 via RPC
        DSA object GUID: eae04ba1-3ca2-4ec6-b08c-4962ca4f04b4
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

CN=Configuration,DC=douglas,DC=lan
    Default-First-Site-Name\NODO1 via RPC
        DSA object GUID: eae04ba1-3ca2-4ec6-b08c-4962ca4f04b4
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

DC=ForestDnsZones,DC=douglas,DC=lan
    Default-First-Site-Name\NODO1 via RPC
        DSA object GUID: eae04ba1-3ca2-4ec6-b08c-4962ca4f04b4
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

DC=douglas,DC=lan
    Default-First-Site-Name\NODO1 via RPC
        DSA object GUID: eae04ba1-3ca2-4ec6-b08c-4962ca4f04b4
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ====

Connection --
    Connection name: d6fcfc72-89b0-4f4c-88c2-bf887510b6af
    Enabled        : TRUE
    Server DNS name : nodo1.douglas.lan
    Server DN name  : CN=NTDS Settings,CN=NODO1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=douglas,DC=lan
        TransportType: RPC
        options: 0x00000001
Warning: No NC replicated for Connection!

Our replication is OK

Configuring PAM on the SLAVE

Now let's configure PAM so that domain users can authenticate on Linux. I will only allow the root group and the ti-admin group, which has to be created in AD, to authenticate on Linux and obtain a shell.

Let's create a link to the winbind PAM module built for 64-bit systems

ln -sf /usr/local/samba/lib/security/pam_winbind.so  /lib64/security/pam_winbind.so

Let's create a link to the winbind PAM module built for 32-bit systems

ln -sf /usr/local/samba/lib/security/pam_winbind.so  /lib/security/pam_winbind.so

Let's change system-auth so that when a user logs in their home directory is created from the contents of /etc/skel (umask=0027 keeps it unreadable to others)

vim /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     required      pam_mkhomedir.so skel=/etc/skel/ umask=0027

Now let's adjust login

vim /etc/pam.d/login
#%PAM-1.0
auth       sufficient    pam_winbind.so
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       include      system-auth

account    sufficient     pam_succeed_if.so user ingroup root
account    required    pam_winbind.so
account    required     pam_nologin.so
account    include      system-auth
#Groups allowed to log in on the server
account    requisite    pam_succeed_if.so user ingroup ti-admin

password   include      system-auth
# pam_selinux.so close should be the first session rule

session    required     pam_selinux.so close
session    required     pam_mkhomedir.so        skel=/etc/skel umask=0027
session    include      system-auth
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    optional     pam_keyinit.so force revoke

Now let's adjust ssh

vim /etc/pam.d/sshd
#%PAM-1.0
auth       sufficient    pam_winbind.so
auth       include      system-auth

account    sufficient   pam_succeed_if.so user ingroup root
account    required     pam_winbind.so
account    required     pam_nologin.so
account    include      system-auth
#Groups allowed to log in via ssh
account    requisite    pam_succeed_if.so user ingroup ti-admin

password   include      system-auth

session    required     pam_mkhomedir.so        skel=/etc/skel umask=0027
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so
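
The account stacks above only do what is intended because of Linux-PAM control flags: `sufficient` returns success immediately unless an earlier `required` module already failed, `required` records a failure but keeps going, and `requisite` aborts the stack on failure. As an added example that is not part of the original page, the script below applies exactly those rules to the sshd account stack with `include system-auth` expanded in place (which is what `include` does), and evaluates a few kinds of user. The per-module outcomes in SCENARIOS are constructed assumptions, not real PAM results; in particular, whether pam_winbind accepts or rejects a purely local account is modelled both ways, because that, not the ti-admin line, is what decides the fate of local non-root users.

```python
#!/usr/bin/env python3
"""Simulate Linux-PAM control flags for the sshd 'account' stack above.

Flags (simple keyword form):
  required   - failure is remembered, the stack keeps running
  requisite  - failure returns immediately
  sufficient - success returns immediately unless a required module already
               failed; failure is ignored
  optional   - ignored unless it is the only module in the stack
"""

# sshd account stack with "include system-auth" expanded in place.
SSHD_ACCOUNT = [
    ('sufficient', 'pam_succeed_if user ingroup root'),
    ('required',   'pam_winbind'),
    ('required',   'pam_nologin'),
    # --- from system-auth ---
    ('required',   'pam_unix'),
    ('sufficient', 'pam_localuser'),
    ('sufficient', 'pam_succeed_if uid < 500'),
    ('required',   'pam_permit'),
    # --- back in sshd ---
    ('requisite',  'pam_succeed_if user ingroup ti-admin'),
]


def evaluate_stack(stack, results):
    """Return (granted, trace); `results` maps module -> True/False (missing = False)."""
    trace = []
    required_failed = False
    for flag, module in stack:
        ok = results.get(module, False)
        trace.append((module, ok))
        if flag == 'required':
            if not ok:
                required_failed = True
        elif flag == 'requisite':
            if not ok:
                return False, trace
        elif flag == 'sufficient':
            if ok and not required_failed:
                return True, trace
        elif flag == 'optional':
            pass
        else:
            raise ValueError('unknown control flag %r' % flag)
    return (not required_failed), trace


# Constructed per-module outcomes for a few kinds of user (assumptions, not PAM output).
SCENARIOS = {
    # domain user in ti-admin, account enabled in AD (matches the secure log above)
    'domain_ti_admin': {'pam_winbind': True, 'pam_nologin': True, 'pam_unix': True,
                        'pam_permit': True, 'pam_succeed_if user ingroup ti-admin': True},
    # domain user who is not in ti-admin
    'domain_other': {'pam_winbind': True, 'pam_nologin': True, 'pam_unix': True,
                     'pam_permit': True},
    # domain user in ti-admin whose AD account is disabled or expired
    'domain_ti_admin_disabled': {'pam_winbind': False, 'pam_nologin': True,
                                 'pam_unix': True, 'pam_permit': True,
                                 'pam_succeed_if user ingroup ti-admin': True},
    # local account in group root: the first sufficient line grants without asking winbind
    'local_root_group': {'pam_succeed_if user ingroup root': True},
    # ordinary local account, assuming pam_winbind rejects users it does not know
    'local_other_winbind_rejects': {'pam_winbind': False, 'pam_nologin': True,
                                    'pam_unix': True, 'pam_localuser': True},
    # same account, assuming pam_winbind lets unknown users through
    'local_other_winbind_accepts': {'pam_winbind': True, 'pam_nologin': True,
                                    'pam_unix': True, 'pam_localuser': True},
}


def decide(scenario):
    """Access decision for one named scenario."""
    granted, _ = evaluate_stack(SSHD_ACCOUNT, SCENARIOS[scenario])
    return granted


def modules_consulted(scenario):
    """Modules actually evaluated before the stack returned."""
    _, trace = evaluate_stack(SSHD_ACCOUNT, SCENARIOS[scenario])
    return [module for module, _ in trace]


if __name__ == '__main__':
    for name in SCENARIOS:
        print('%-28s %s (%d modules consulted)' % (
            name, 'granted' if decide(name) else 'denied', len(modules_consulted(name))))
```

Two things worth reading off the output: members of group root are granted by the very first line and pam_winbind is never consulted for them, and a local account that pam_winbind lets through is granted by the `sufficient pam_localuser.so` line inside system-auth before the ti-admin `requisite` line is ever reached. If you want the ti-admin restriction to apply to local users too, it has to come before the include.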

As this server is a replica of the PDC we should already have the users and groups; let's just check them

Let's query the users

wbinfo -u
Administrator
Guest
krbtgt
dns-nodo1
douglas.santos

Now let's query the groups

wbinfo -g
Enterprise Read-Only Domain Controllers
Domain Admins
Domain Users
Domain Guests
Domain Computers
Domain Controllers
Schema Admins
Enterprise Admins
Group Policy Creator Owners
Read-Only Domain Controllers
DnsUpdateProxy
ti-admin

Now let's reboot the server

reboot

After logging back in, let's check the winbind connection

wbinfo -t
checking the trust secret for domain DOUGLAS via RPC calls succeeded

My user douglas.santos already exists and belongs to the ti-admin group; now let's test logging in via ssh

ssh douglas.santos@192.168.0.26
douglas.santos@192.168.0.26's password:
Creating directory '/home/DOUGLAS/douglas.santos'.
[19:08:04] DOUGLAS\douglas.santos@nodo2 [~] $

If we check /var/log/secure we will see something like the following, which shows the account stack being evaluated in order: the root-group check is not met, pam_winbind grants access, then the ti-admin check is met

tail -f /var/log/secure
Aug 26 19:08:03 nodo2 sshd[1222]: pam_winbind(sshd:auth): getting password (0x00000000)
Aug 26 19:08:03 nodo2 sshd[1222]: pam_winbind(sshd:auth): user 'douglas.santos' granted access
Aug 26 19:08:03 nodo2 sshd[1222]: pam_succeed_if(sshd:account): requirement "user ingroup root" not met by user "DOUGLAS\douglas.santos"
Aug 26 19:08:04 nodo2 sshd[1222]: pam_winbind(sshd:account): user 'DOUGLAS\douglas.santos' granted access
Aug 26 19:08:04 nodo2 sshd[1222]: pam_succeed_if(sshd:account): requirement "user ingroup ti-admin" was met by user "DOUGLAS\douglas.santos"
Aug 26 19:08:04 nodo2 sshd[1222]: Accepted password for douglas.santos from 192.168.0.130 port 48754 ssh2
Aug 26 19:08:04 nodo2 sshd[1222]: pam_unix(sshd:session): session opened for user DOUGLAS\douglas.santos by (uid=0)

As we can see, our authentication is OK.

Sysvol Replication

Here I will cover the method recommended by the Samba team for replicating sysvol, which for now is not automatic: the replicas pull a copy from the master with rsync.

On the master server, in my case nodo1, let's install rsync and xinetd

yum install xinetd rsync -y

Now let's add xinetd to system startup

chkconfig --add xinetd
chkconfig xinetd on

Now let's set up the rsync service for xinetd

vim /etc/xinetd.d/rsync
# default: off
# description: The rsync server is a good addition to an ftp server, as it \
#    allows crc checksumming etc.
service rsync
{
    disable    = no
    only_from     = 192.168.0.0/24
    socket_type     = stream
    wait            = no
    user            = root
    server          = /usr/bin/rsync
    server_args     = --daemon
    log_on_failure  += USERID
}

Now let's create our rsyncd.conf containing the sysvol module

vim /etc/rsyncd.conf
[SysVol]
path = /usr/local/samba/var/locks/sysvol/
comment = Samba Sysvol Share
uid = root
gid = root
read only = yes
auth users = sysvol-replication
secrets file = /usr/local/samba/etc/rsyncd.secret

Note that the module requires a username and a password. The rsync daemon authenticates with a challenge-response, so the password itself is not sent in the clear, but the sysvol content travels unencrypted; keep the module reachable only from the DCs (the only_from above, plus a `hosts allow` line in the module) or tunnel it over ssh. Now let's create the file containing the password

vim /usr/local/samba/etc/rsyncd.secret
sysvol-replication:pa$$w0rd

Now let's restrict the file's permissions, otherwise rsync will refuse to use the secrets file and the module will not be served

chmod 440 /usr/local/samba/etc/rsyncd.secret

Now let's restart xinetd

/etc/init.d/xinetd restart

Let's check the size of the sysvol on the master server

du -sh /usr/local/samba/var/locks/sysvol
100K    /usr/local/samba/var/locks/sysvol

Now let's check the size of the sysvol on the slave server

du -sh /usr/local/samba/var/locks/sysvol
12K    /usr/local/samba/var/locks/sysvol

Note that there is a big difference.

Now let's configure the slave server

Let's install rsync

yum install rsync -y

Now let's create the file containing the password to access the master server

vim /usr/local/samba/etc/rsync-sysvol.secret
pa$$w0rd

Now let's restrict the permissions of the password file

chmod 440 /usr/local/samba/etc/rsync-sysvol.secret

Now let's test the sysvol synchronisation with a dry run

rsync --dry-run -XAavz --delete-after --password-file=/usr/local/samba/etc/rsync-sysvol.secret rsync://sysvol-replication@192.168.0.25/SysVol/ /usr/local/samba/var/locks/sysvol/
receiving file list ... done
./
douglas.lan/
douglas.lan/Policies/
douglas.lan/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/
douglas.lan/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI
douglas.lan/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/
douglas.lan/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/USER/
douglas.lan/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/
douglas.lan/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/GPT.INI
douglas.lan/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/MACHINE/
douglas.lan/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/USER/
douglas.lan/scripts/
douglas.lan/scripts/sharedemo.bat

sent 109 bytes  received 876 bytes  656.67 bytes/sec
total size is 77  speedup is 0.08 (DRY RUN)

Note that we got no errors, so we can now drop the --dry-run option

Now let's do the replication

rsync -XAavz --delete-after --password-file=/usr/local/samba/etc/rsync-sysvol.secret rsync://sysvol-replication@192.168.0.25/SysVol/ /usr/local/samba/var/locks/sysvol/
receiving file list ... done
./
douglas.lan/
douglas.lan/Policies/
douglas.lan/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/
douglas.lan/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI
douglas.lan/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/
douglas.lan/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/USER/
douglas.lan/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/
douglas.lan/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/GPT.INI
douglas.lan/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/MACHINE/
douglas.lan/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/USER/
douglas.lan/scripts/
douglas.lan/scripts/sharedemo.bat

sent 173 bytes  received 2308 bytes  4962.00 bytes/sec
total size is 77  speedup is 0.03

Now let's check the size of the sysvol on the master server

du -sh /usr/local/samba/var/locks/sysvol
100K    /usr/local/samba/var/locks/sysvol

Now let's check the size of the sysvol on the slave server

du -sh /usr/local/samba/var/locks/sysvol
100K    /usr/local/samba/var/locks/sysvol

Now let's leave a routine in the slave server's crontab so the synchronisation always runs

crontab -e
*/5 * * * *  rsync -XAavz --delete-after --password-file=/usr/local/samba/etc/rsync-sysvol.secret rsync://sysvol-replication@192.168.0.25/SysVol/ /usr/local/samba/var/locks/sysvol

This synchronisation can be done for all DCs except the PDC.
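As an added example (my own code, not part of the original page), here is a small wrapper for the cron entry above: it refuses to run when the secret file is readable by other users, holds a lock so two overlapping cron runs cannot fight over the copy, and verifies the result with an itemised dry run instead of comparing `du` sizes. The lock file path, the script path in the comment and the function names are assumptions; the addresses and directories are the ones used on this page.

```shell
#!/bin/sh
# Added example, not from the original page: cron wrapper for the sysvol rsync.
# Paths and the master address are the ones used on this page; the lock file
# path and the function names are assumptions.
SECRET=/usr/local/samba/etc/rsync-sysvol.secret
MASTER=192.168.0.25
SYSVOL=/usr/local/samba/var/locks/sysvol
LOCK=/var/run/sysvol-sync.lock   # assumed; any root-only directory works

# rsync refuses a password file that other users can read; check it first so
# the failure is logged instead of silently breaking every cron run.
# Accepts the 440 mode the page sets (and the stricter 400, 600 or 640).
check_secret_perms() {
    f=$1
    [ -f "$f" ] || return 1
    mode=$(stat -c '%a' "$f" 2>/dev/null) || return 1
    case "$mode" in
        400|440|600|640) return 0 ;;
        *)               return 1 ;;
    esac
}

# Number of entries that still differ between the master and this DC
# (0 = in sync). An itemised dry run compares content, unlike "du -sh".
sysvol_pending_changes() {
    rsync --dry-run -i -XAaz --delete-after \
        --password-file="$SECRET" \
        "rsync://sysvol-replication@$MASTER/SysVol/" "$SYSVOL/" \
        | awk 'END { print NR }'
}

sync_sysvol() {
    check_secret_perms "$SECRET" || {
        logger -t sysvol-sync "refusing to run: $SECRET must be mode 440, owned by root"
        return 1
    }
    # flock -n: if the previous run is still going, skip instead of overlapping
    flock -n "$LOCK" rsync -XAaz --delete-after \
        --password-file="$SECRET" \
        "rsync://sysvol-replication@$MASTER/SysVol/" "$SYSVOL/" \
        2>&1 | logger -t sysvol-sync
    pending=$(sysvol_pending_changes)
    logger -t sysvol-sync "sync finished, $pending entries still differ"
    [ "$pending" -eq 0 ]
}

# Only synchronise when invoked with "run", e.g. from the crontab line
# "*/5 * * * * /usr/local/sbin/sysvol-sync.sh run" (assumed script path).
# Sourcing the file just defines the functions.
if [ "${1:-}" = run ]; then
    sync_sysvol
fi
```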

Configuring a CentOS client to authenticate against Samba 4

Prepare your system with the following script http://wiki.douglasqsantos.com.br/doku.php/confinicialcentos6_en so that no package or configuration is missing.

Let's install the dependencies so the client can join the Samba 4 domain

yum install samba samba-winbind samba-winbind-devel samba-client samba-common \
 pam_krb5 cifs-utils samba-winbind-krb5-locator samba-doc krb5-workstation -y

Now let's add the services to the system startup

chkconfig --add nmb
chkconfig --add smb
chkconfig --add winbind

Now let's enable them

chkconfig nmb on
chkconfig smb on
chkconfig winbind on

Now let's adjust the client's resolv.conf

vim /etc/resolv.conf
domain douglas.lan
search douglas.lan
nameserver 192.168.0.25
nameserver 192.168.0.26

Now let's adjust the network interface

vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE="eth0"
BOOTPROTO="static"
BROADCAST="192.168.0.255"
DNS1="192.168.0.25"
DNS2="192.168.0.26"
GATEWAY="192.168.0.1"
IPADDR="192.168.0.27"
NETMASK="255.255.255.0"
NM_CONTROLLED="yes"
ONBOOT="yes"
TYPE="Ethernet"

Now let's adjust the server's clock, because we are going to work with winbind and Kerberos and cannot have any time difference between the machines

ntpdate -u a.ntp.br

Now let's configure Kerberos

vim /etc/krb5.conf
[libdefaults]
default_realm = DOUGLAS.LAN
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true
[realms]
DOUGLAS.LAN = {
kdc = 192.168.0.25
kdc = 192.168.0.26
admin_server = 192.168.0.25:749
default_server = 192.168.0.25
}
[domain_realm]
.douglas.lan=DOUGLAS.LAN
douglas.lan=DOUGLAS.LAN
[login]
krb4_convert = true
krb4_get_tickets = false
[kdc]
profile = /etc/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
[logging]
default = file:/var/log/krb5libs.log
kdc = file:/var/log/krb5kdc.log
admin_server = file:/var/log/kadmind.log

Now let's adjust limits.conf

vim /etc/security/limits.conf
[...]
#put this at the end of the file
root hard nofile 131072
root soft nofile 65536
mioutente hard nofile 32768
mioutente soft nofile 16384

Now let's adjust smb.conf

vim /etc/samba/smb.conf
[global]
        workgroup = DOUGLAS
        security = ADS
        realm = DOUGLAS.LAN
        netbios name = CENTOS
        encrypt passwords = yes
        idmap config * : backend = tdb
        idmap config * : range = 10000-30000
        idmap config DOUGLAS:backend = ad
        idmap config DOUGLAS:schema_mode = rfc2307
        auth methods = winbind
        winbind nss info = rfc2307
        winbind trusted domains only = no
        winbind use default domain = yes
        winbind enum users  = yes
        winbind enum groups = yes
        template shell = /bin/bash

Now let's adjust nsswitch.conf

vim /etc/nsswitch.conf
[...]
passwd:     files winbind
shadow:     files
group:        files winbind

Let's start the services

/etc/init.d/nmb start
/etc/init.d/smb start
/etc/init.d/winbind start

Now let's adjust PAM

Let's set it up so that the user's home directory is created when they log in

vim /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     required      pam_mkhomedir.so skel=/etc/skel/ umask=0027

Now let's adjust console login to use winbind; here I only allowed the root group and the ti-admin group to log in on Linux machines

vim /etc/pam.d/login
#%PAM-1.0
auth       sufficient    pam_winbind.so
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       include      system-auth

account    sufficient     pam_succeed_if.so user ingroup root
account    required    pam_winbind.so
account    required     pam_nologin.so
account    include      system-auth
#Groups that will be allowed to log in on the server
account    requisite    pam_succeed_if.so user ingroup ti-admin

password   include      system-auth
# pam_selinux.so close should be the first session rule

session    required     pam_selinux.so close
session    required     pam_mkhomedir.so        skel=/etc/skel umask=0027
session    include      system-auth
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    optional     pam_keyinit.so force revoke

Now let's adjust SSH access to use winbind; here I only allowed the root group and the ti-admin group to log in on Linux machines

vim /etc/pam.d/sshd
#%PAM-1.0
auth       sufficient    pam_winbind.so
auth       include      system-auth

account    sufficient   pam_succeed_if.so user ingroup root
account    required     pam_winbind.so
account    required     pam_nologin.so
account    include      system-auth
#Groups that will be allowed to log in via ssh
account    requisite    pam_succeed_if.so user ingroup ti-admin

password   include      system-auth

session    required     pam_mkhomedir.so        skel=/etc/skel umask=0027
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so

Now let's check whether we can obtain a Kerberos ticket

kinit administrator
Password for administrator@DOUGLAS.LAN:
Warning: Your password will expire in 41 days on Mon Oct  7 12:02:11 2013

Now let's list our ticket

klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@DOUGLAS.LAN

Valid starting     Expires            Service principal
08/27/13 10:02:54  08/27/13 20:02:54  krbtgt/DOUGLAS.LAN@DOUGLAS.LAN
    renew until 08/28/13 10:02:51

Now let's join the domain

net ads join douglas.lan -U administrator

I'm still trying to fix this DNS error.

Now let's restart the services

/etc/init.d/nmb restart
/etc/init.d/smb restart
/etc/init.d/winbind restart

Now let's test the connection to winbind

wbinfo -t
checking the trust secret for domain DOUGLAS via RPC calls succeeded

Now let's list the domain users

wbinfo -u
douglas.santos
administrator
dns-nodo1
krbtgt
guest

Let's list the groups

wbinfo -g
allowed rodc password replication group
enterprise read-only domain controllers
denied rodc password replication group
ti-admin
read-only domain controllers
group policy creator owners
ras and ias servers
domain controllers
enterprise admins
domain computers
cert publishers
dnsupdateproxy
domain admins
domain guests
schema admins
domain users
dnsadmins

Now let's test SSH access to this client

ssh douglas.santos@192.168.0.27
douglas.santos@192.168.0.27's password:
Creating directory '/home/DOUGLAS/douglas.santos'.
[10:40:01] douglas.santos@centos [~] $

Now let's look at the CentOS access logs

tail -f /var/log/secure
Aug 27 10:38:55 centos sshd[13906]: pam_winbind(sshd:auth): getting password (0x00000000)
Aug 27 10:38:56 centos sshd[13906]: pam_winbind(sshd:auth): user 'douglas.santos' granted access
Aug 27 10:39:32 centos sshd[13906]: pam_succeed_if(sshd:account): requirement "user ingroup root" not met by user "douglas.santos"
Aug 27 10:39:32 centos sshd[13906]: pam_winbind(sshd:account): user 'douglas.santos' granted access
Aug 27 10:39:35 centos sshd[13906]: pam_succeed_if(sshd:account): requirement "user ingroup ti-admin" was met by user "douglas.santos"
Aug 27 10:39:35 centos sshd[13906]: Accepted password for douglas.santos from 192.168.0.130 port 46470 ssh2
Aug 27 10:39:50 centos sshd[13906]: pam_unix(sshd:session): session opened for user douglas.santos by (uid=0)

The client is configured successfully :D

Configuring a Debian Wheezy client to authenticate against Samba 4

Prepare your system with the following script http://wiki.douglasqsantos.com.br/doku.php/confinicialwheezy_en so that no package or configuration is missing.

Let's update the repositories and upgrade the system

aptitude update && aptitude dist-upgrade -y

Now let's set the Debian environment variables to non-interactive mode

export DEBIAN_PRIORITY=critical
export DEBIAN_FRONTEND=noninteractive

Now let's install the dependencies

aptitude install samba samba-common smbclient winbind krb5-config libpam-krb5 cifs-utils  krb5-user -y

Now let's restore the Debian environment variables

unset DEBIAN_PRIORITY
unset DEBIAN_FRONTEND

Now let's adjust resolv.conf

vim /etc/resolv.conf
domain douglas.lan
search douglas.lan
nameserver 192.168.0.25
nameserver 192.168.0.26

Now let's adjust our server's clock

ntpdate -u a.ntp.br

Now let's adjust the Kerberos configuration file

vim /etc/krb5.conf
[libdefaults]
default_realm = DOUGLAS.LAN
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true
[realms]
DOUGLAS.LAN = {
kdc = 192.168.0.25
kdc = 192.168.0.26
admin_server = 192.168.0.25:749
default_server = 192.168.0.25
}
[domain_realm]
.douglas.lan=DOUGLAS.LAN
douglas.lan=DOUGLAS.LAN
[login]
krb4_convert = true
krb4_get_tickets = false
[kdc]
profile = /etc/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
[logging]
default = file:/var/log/krb5libs.log
kdc = file:/var/log/krb5kdc.log
admin_server = file:/var/log/kadmind.log

Now let's adjust limits.conf

vim /etc/security/limits.conf
[...]
#put this at the end of the file
root hard nofile 131072
root soft nofile 65536
mioutente hard nofile 32768
mioutente soft nofile 16384

Now let's adjust smb.conf

vim /etc/samba/smb.conf
[global]
        workgroup = DOUGLAS
        security = ADS
        realm = DOUGLAS.LAN
        netbios name = DEBIAN
        encrypt passwords = yes
        idmap config * : backend = tdb
        idmap config * : range = 10000-30000
        idmap config DOUGLAS:backend = ad
        idmap config DOUGLAS:schema_mode = rfc2307
        auth methods = winbind
        winbind nss info = rfc2307
        winbind trusted domains only = no
        winbind use default domain = yes
        winbind enum users  = yes
        winbind enum groups = yes
        template shell = /bin/bash

Now let's adjust nsswitch.conf

vim /etc/nsswitch.conf
[...]
passwd:         compat winbind
group:            compat winbind

Now let's restart the services

/etc/init.d/samba restart
/etc/init.d/winbind restart

Now let's join the domain

net ads join douglas.lan -U administrator

Now let's restart the services

/etc/init.d/samba restart
/etc/init.d/winbind restart

Now let's adjust PAM

Let's adjust password authentication

vim /etc/pam.d/common-password
password        sufficient                      pam_unix.so
password        requisite                       pam_krb5.so minimum_uid=1000
password        [success=2 default=ignore]      pam_unix.so obscure use_authtok try_first_pass sha512
password        [success=1 default=ignore]      pam_winbind.so use_authtok try_first_pass
password        requisite                       pam_deny.so
password        required                        pam_permit.so

Let's adjust the user session control so the home directory is created when the user logs in

vim /etc/pam.d/common-session
session [default=1]                     pam_permit.so
session requisite                       pam_deny.so
session required                        pam_permit.so
session required                        pam_unix.so
session optional                        pam_winbind.so
session optional                        pam_mkhomedir.so skel=/etc/skel umask=0027

Now let's test the connection to winbind

wbinfo -t
checking the trust secret for domain DOUGLAS via RPC calls succeeded

Now let's list the domain users

wbinfo -u
douglas.santos
administrator
dns-nodo1
krbtgt
guest

Let's list the groups

wbinfo -g
allowed rodc password replication group
enterprise read-only domain controllers
denied rodc password replication group
ti-admin
read-only domain controllers
group policy creator owners
ras and ias servers
domain controllers
enterprise admins
domain computers
cert publishers
dnsupdateproxy
domain admins
domain guests
schema admins
domain users
dnsadmins

Now let's test SSH access to this client

ssh douglas.santos@192.168.0.52
douglas.santos@192.168.0.52's password:
Creating directory '/home/DOUGLAS/douglas.santos'.
Linux debian 3.2.0-4-amd64 #1 SMP Debian 3.2.46-1 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
[10:35:45] douglas.santos@debian [~] $

In the authentication logs we will see something like the following

tail -f /var/log/auth.log
Aug 27 10:35:44 debian sshd[4852]: pam_krb5(sshd:auth): user douglas.santos authenticated as douglas.santos@DOUGLAS.LAN
Aug 27 10:35:44 debian sshd[4852]: Accepted password for douglas.santos from 192.168.0.130 port 51197 ssh2
Aug 27 10:35:44 debian sshd[4852]: pam_unix(sshd:session): session opened for user douglas.santos by (uid=0)

The client is authenticating successfully :D

References