installing_and_configuring_samba4_as_master_slave_with_bind9_dlz_and_sysvol_replication_on_debian_jessie [2017/09/05 12:18] (current)
====== Installing and configuring Samba 4 as Master/Slave with Bind9 DLZ and Sysvol Replication on Debian Jessie (Ongoing) ======

<WRAP center round alert 60%> The things in Portuguese are my scratch notes, therefore please don't use them. </WRAP>

What's up folks, here I show you how to install and configure Samba 4 working as a PDC and how to configure the BDC as well; I shall use BIND_DLZ as the DNS backend. I am going to cover Sysvol replication too, but only as a workaround, because Samba AD currently doesn't provide support for SysVol replication. We also cannot forget that we need to configure backup and restore. Let's roll up our sleeves and start to work.

**NOTE**: I shall work with Samba 4.2.2, the current stable release as of today: 04/05/2015

**NOTE:** If you use Bind as the backend for your Samba AD, it must not run chrooted, because it needs live access to the files and databases of your Samba installation.

What I will use here:

  * Debian Jessie
      * IP: 192.168.25.100/24
      * name: samba1
      * domain: douglas.lan
  * Debian Jessie
      * IP: 192.168.25.101/24
      * name: samba2
      * domain: douglas.lan

We need to install some packages and configure some environment variables in order to make the system work properly, so I've created a script that does it. The link is http://wiki.douglasqsantos.com.br/doku.php/confinicialjessie_en ; feel free to change it as needed.

**Note:** The repositories in the script are from Brazil, which is the fastest mirror for me, so feel free to change them for your country.

After downloading the script, convert it from DOS to Unix line endings as follows

<sxh bash;>
dos2unix ConfInicialJessie.sh
</sxh>

After that, make it executable

<sxh bash;>
chmod +x ConfInicialJessie.sh
</sxh>

Now just execute it and wait

<sxh bash;>
./ConfInicialJessie.sh
</sxh>

====== Configuring the Samba Master ======

Let's update our repositories and upgrade all the packages

<sxh bash;>
aptitude update && aptitude dist-upgrade -y
</sxh>

Now let's set two environment variables so that package installation runs non-interactively

<sxh bash;>
export DEBIAN_PRIORITY=critical
export DEBIAN_FRONTEND=noninteractive
</sxh>

Now we need to install the prerequisites that Samba 4 needs to build and work properly.

<sxh bash;>
aptitude install libpam0g-dev git gcc make wget libacl1-dev libblkid-dev libreadline-dev python-dev libcups2-dev libcupsfilters-dev libfam-dev \
libcupscgi1-dev libcupsimage2-dev libcupsmime1-dev libcupsppdc1-dev libaio-dev acl-dev python-gnupg libpython-dev libghc-gnutls-dev \
acl heimdal-clients libattr1-dev libacl1-dev libattr1-dev libblkid-dev libgnutls28-dev libreadline-dev python-dnspython gdb pkg-config libfam-dev \
libpopt-dev libldap2-dev dnsutils libbsd-dev attr docbook-xsl python-pycurl python-software-properties libwind0-heimdal libarchive-dev \
quota unattended-upgrades libpam-heimdal bison debhelper flex gettext html2text intltool-debian libbison-dev libgettextpo0 libldb-dev \
libldb1 libparse-yapp-perl libpython3.4 libsmbclient libsmbclient-dev libsubunit-dev libsubunit-perl libsubunit0 libtalloc-dev libtalloc2 \
libtdb-dev libtdb1 libtevent-dev libtevent0 libunistring0 libwbclient-dev libwbclient0 libxslt1.1 po-debconf python-all python-all-dev python-ldb \
python-ldb-dev python-pkg-resources python-subunit python-talloc python-talloc-dev python-tdb python-testtools subunit xsltproc libunwind-dev \
libgcrypt-dev libdbus-1-dev libedbus-dev libmodbus-dev python-dbus-dev libcephfs-dev libavahi-core-dev python-avahi libavahi-cil-dev dmapi-dev \
heimdal-dev heimdal-multidev libasn1-8-heimdal libgssapi3-heimdal libhcrypto4-heimdal libhdb9-heimdal libheimbase1-heimdal libheimntlm0-heimdal \
libhx509-5-heimdal libkadm5clnt7-heimdal libkadm5srv8-heimdal libkafs0-heimdal libkdc2-heimdal libkrb5-26-heimdal libroken18-heimdal -y
</sxh>

Now we need to enable acl, user_xattr and barrier support on the / partition, or on whichever partition Samba will use, such as /var or /srv. Samba stores the NT ACLs of the sysvol share in extended attributes, so without these mount options the domain controller will not work correctly.

<sxh bash;>
vim /etc/fstab
[...]
/dev/mapper/VolGroup-lv_root /                       ext4    defaults,acl,user_xattr,barrier=1        1 1
/dev/mapper/vg01-var         /var                    ext4    defaults,acl,user_xattr,barrier=1        0 2
</sxh>

Now we need to remount the partitions so the changes take effect, or reboot the server.

<sxh bash;>
mount -o remount /
mount -o remount /var
</sxh>

Debian Jessie differs from both CentOS 6 and Debian Wheezy: if we try to get information about acl or xattr from the mount options, the system returns nothing. Let's try.

<sxh bash;>
mount | egrep acl
</sxh>

We can check whether these features are built into the kernel as follows.

<sxh bash;>
cat /boot/config-$(uname -r) | egrep -i acl
CONFIG_EXT4_FS_POSIX_ACL=y
CONFIG_REISERFS_FS_POSIX_ACL=y
CONFIG_JFS_POSIX_ACL=y
CONFIG_XFS_POSIX_ACL=y
CONFIG_BTRFS_FS_POSIX_ACL=y
CONFIG_FS_POSIX_ACL=y
CONFIG_TMPFS_POSIX_ACL=y
# CONFIG_HFSPLUS_FS_POSIX_ACL is not set
CONFIG_JFFS2_FS_POSIX_ACL=y
CONFIG_F2FS_FS_POSIX_ACL=y
CONFIG_NFS_V3_ACL=y
CONFIG_NFSD_V2_ACL=y
CONFIG_NFSD_V3_ACL=y
CONFIG_NFS_ACL_SUPPORT=m
CONFIG_CEPH_FS_POSIX_ACL=y
CONFIG_CIFS_ACL=y
CONFIG_9P_FS_POSIX_ACL=y
</sxh>

As we saw, ACL support is built into the kernel, which is why we got nothing from the mount command.

Let's run a test with acl and xattr.

Let's access the /usr directory

<sxh bash;>
cd /usr
</sxh>

Now let's create a simple file

<sxh bash;>
touch test.txt
</sxh>

Now let's set extended attributes on our file

<sxh bash;>
setfattr -n user.test -v test test.txt
setfattr -n security.test -v test2 test.txt
</sxh>

Now let's read the attributes back

<sxh bash;>
getfattr -d test.txt
# file: test.txt
user.test="test"
</sxh>

Now let's get the security attribute; getfattr -d dumps only the user namespace by default, so it has to be requested explicitly

<sxh bash;>
getfattr -n security.test -d test.txt
# file: test.txt
security.test="test2"
</sxh>

Now let's access the directory that will store the Samba sources

<sxh bash;>
cd /usr/src
</sxh>

Now we need to get Samba version 4.2.2

<sxh bash;>
wget -c http://ftp.samba.org/pub/samba/stable/samba-4.2.2.tar.gz
</sxh>

Now we need to extract the sources

<sxh bash;>
tar -xvf samba-4.2.2.tar.gz
</sxh>

Let's access the directory

<sxh bash;>
cd samba-4.2.2
</sxh>

Now we need to run the prerequisite check as follows

<sxh bash;>
./configure --enable-debug --enable-selftest
</sxh>

Now we need to compile Samba; this process takes a while.

<sxh bash;>
make
</sxh>

Now we can install Samba 4 with a simple command

<sxh bash;>
make install
</sxh>

Now we need to adjust the PATH

<sxh bash;>
echo "export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11:/usr/local/samba/sbin:/usr/local/samba/bin">> /root/.bashrc
</sxh>

Now we need to reload the PATH

<sxh bash;>
source /root/.bashrc
</sxh>

Now we need to prepare BIND_DLZ

===== Installing and Configuring BIND_DLZ =====

Let's install the prerequisites to build BIND

<sxh bash;>
aptitude install autopoint autotools-dev bison debhelper dh-apparmor geoip-bin gettext hardening-wrapper html2text intltool-debian libgeoip-dev dh-autoreconf \
libbison-dev libcap-dev libdb-dev libdb5.3-dev libgeoip-dev libgettextpo0 libltdl-dev libmail-sendmail-perl libsys-hostname-long-perl dpkg-dev dh-systemd \
libtool libunistring0 libxml2-dev po-debconf debhelper libssl-dev libtool bison libdb-dev libldap2-dev libxml2-dev hardening-wrapper libkrb5-dev -y
</sxh>

Now we need to get the bind9 sources

<sxh bash;>
cd /usr/src
apt-get source bind9
</sxh>

Now we need to access the bind9 source folder

<sxh bash;>
cd bind9-*
</sxh>

Now we need to change the configure options in debian/rules to enable Kerberos (GSSAPI) and dlopen support, as follows

<sxh bash;>
vim debian/rules
[...]
        ./configure --prefix=/usr \
                --mandir=\$${prefix}/share/man \
                --infodir=\$${prefix}/share/info \
                --sysconfdir=/etc/bind \
                --localstatedir=/var \
                --enable-threads \
                --enable-largefile \
                --with-libtool \
                --enable-shared \
                --enable-static \
                --with-openssl=/usr \
                --with-gssapi=/usr \
                --with-gnu-ld \
                --with-geoip=/usr \
                --with-atf=no \
                --enable-ipv6 \
                --enable-rrl \
                --enable-filter-aaaa \
                --with-libxml2 \
                --with-gssapi=/usr/include/gssapi \
                --with-dlopen=yes \
                --with-dlz-ldap=yes \
                --with-dlz-filesystem=yes \
                $(EXTRA_FEATURES)
</sxh>

Now we need to build the deb packages; it will take a while.

<sxh bash;>
dpkg-buildpackage
</sxh>

Now we need to install the packages

<sxh bash;>
cd ..
dpkg -i *.deb
</sxh>

Now we need to create the directories and adjust the permissions

<sxh bash;>
mkdir /var/cache/bind/{data,dynamic}
chown -R bind:bind /var/cache/bind/
chmod -R 775 /var/cache/bind/dynamic
</sxh>

Now let's make a copy of the original file

<sxh bash;>
cp /etc/bind/named.conf.options /etc/bind/named.conf.options.old
</sxh>

Now let's configure Bind

<sxh bash;>
vim /etc/bind/named.conf.options
#/etc/bind/named.conf.options

options {
    listen-on port 53 { 127.0.0.1; 192.168.25.0/24; };
    listen-on-v6 port 53 { ::1; };
    directory     "/var/cache/bind";
    dump-file     "/var/cache/bind/data/cache_dump.db";
    statistics-file "/var/cache/bind/data/named_stats.txt";
    memstatistics-file "/var/cache/bind/data/named_mem_stats.txt";
    allow-query     { 192.168.25.0/24; 127.0.0.1/32; };
    allow-update    { 127.0.0.1/32; };
    allow-recursion { 192.168.25.0/24; 127.0.0.1/32; };
    forwarders { 8.8.8.8; 8.8.4.4; };

    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;

    /* Dynamic keys */
    managed-keys-directory "/var/cache/bind/dynamic";

    /* Enable support for secure GSS-TSIG updates */
    tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";

};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
</sxh>

Now we need to modify named.conf and include the configuration file generated by Samba

<sxh bash;>
vim /etc/bind/named.conf
[...]
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/usr/local/samba/private/named.conf";
</sxh>

Now we need to configure resolv.conf to point at our own server

<sxh bash;>
vim /etc/resolv.conf
domain douglas.lan
search douglas.lan
nameserver 192.168.25.100
</sxh>

===== Provisioning the domain and Testing =====

Now we need to provision our domain; let's check the available options first

<sxh bash;>
samba-tool domain provision -h
Usage: samba-tool domain provision [options]

Provision a domain.

Options:
  -h, --help            show this help message and exit
  --interactive         Ask for names
  --domain=DOMAIN       set domain
  --domain-guid=GUID    set domainguid (otherwise random)
  --domain-sid=SID      set domainsid (otherwise random)
  --ntds-guid=GUID      set NTDS object GUID (otherwise random)
  --invocationid=GUID   set invocationid (otherwise random)
  --host-name=HOSTNAME  set hostname
  --host-ip=IPADDRESS   set IPv4 ipaddress
  --host-ip6=IP6ADDRESS
                        set IPv6 ipaddress
  --site=SITENAME       set site name
  --adminpass=PASSWORD  choose admin password (otherwise random)
  --krbtgtpass=PASSWORD
                        choose krbtgt password (otherwise random)
  --machinepass=PASSWORD
                        choose machine password (otherwise random)
  --dns-backend=NAMESERVER-BACKEND
                        The DNS server backend. SAMBA_INTERNAL is the builtin
                        name server (default), BIND9_FLATFILE uses bind9 text
                        database to store zone information, BIND9_DLZ uses
                        samba4 AD to store zone information, NONE skips the
                        DNS setup entirely (not recommended)
  --dnspass=PASSWORD    choose dns password (otherwise random)
  --ldapadminpass=PASSWORD
                        choose password to set between Samba and it's LDAP
                        backend (otherwise random)
  --root=USERNAME       choose 'root' unix username
  --nobody=USERNAME     choose 'nobody' user
  --users=GROUPNAME     choose 'users' group
  --quiet               Be quiet
  --blank               do not add users or groups, just the structure
  --ldap-backend-type=LDAP-BACKEND-TYPE
                        Test initialisation support for unsupported LDAP
                        backend type (fedora-ds or openldap) DO NOT USE
  --server-role=ROLE    The server role (domain controller | dc | member
                        server | member | standalone). Default is dc.
  --function-level=FOR-FUN-LEVEL
                        The domain and forest function level (2000 | 2003 |
                        2008 | 2008_R2 - always native). Default is (Windows)
                        2008R2 Native.
  --next-rid=NEXTRID    The initial nextRid value (only needed for upgrades).
                        Default is 1000.
  --partitions-only     Configure Samba's partitions, but do not modify them
                        (ie, join a BDC)
  --targetdir=DIR       Set target directory
  --ol-mmr-urls=LDAPSERVER
                        List of LDAP-URLS [ ldap://<FQHN>:<PORT>/  (where
                        <PORT> has to be different than 389!) ] separated with
                        comma (",") for use with OpenLDAP-MMR (Multi-Master-
                        Replication), e.g.:
                        "ldap://s4dc1:9000,ldap://s4dc2:9000"
  --use-xattrs=USE_XATTRS
                        Define if we should use the native fs capabilities or
                        a tdb file for storing attributes likes ntacl, auto
                        tries to make an inteligent guess based on the user
                        rights and system capabilities
  --use-ntvfs           Use NTVFS for the fileserver (default = no)
  --use-rfc2307         Use AD to store posix attributes (default = no)

  Samba Common Options:
    -s FILE, --configfile=FILE
                        Configuration file
    -d DEBUGLEVEL, --debuglevel=DEBUGLEVEL
                        debug level
    --option=OPTION     set smb.conf option from command line
    --realm=REALM       set the realm name

  Version Options:
    -V, --version       Display version number
</sxh>

Now let's provision the domain (the password is quoted so the shell does not expand the asterisk, and the option is spelled --use-xattrs as in the help above)

<sxh bash;>
samba-tool domain provision --domain=DOUGLAS --adminpass='smb@134*' \
--dns-backend=BIND9_DLZ --server-role=dc \
--function-level=2008_R2 --use-xattrs=yes \
--use-rfc2307 --realm=douglas.lan
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=douglas,DC=lan
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=douglas,DC=lan
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
See /usr/local/samba/private/named.conf for an example configuration include file for BIND
and /usr/local/samba/private/named.txt for further documentation required for secure DNS updates
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Setting up fake yp server settings
Once the above files are installed, your Samba4 server will be ready to use
Server Role:           active directory domain controller
Hostname:              samba1
NetBIOS Domain:        DOUGLAS
DNS Domain:            douglas.lan
DOMAIN SID:            S-1-5-21-2627875541-338730943-4229738209
</sxh>

If you got an error and need to provision again, execute the following commands and then run the provisioning once more.

<sxh bash;>
rm -rf /usr/local/samba/etc
rm -rf /usr/local/samba/private
rm -rf /usr/local/samba/var/locks/sysvol
</sxh>

Now we need to change the Samba configuration, but first we need to make a copy of smb.conf

<sxh bash;>
cp -Rfa /usr/local/samba/etc/smb.conf{,.bkp}
</sxh>

Now let's make some changes to our configuration file. Keep in mind that Samba applies only the last assignment of a parameter within a section, so each parameter must appear only once.

<sxh bash;>
vim /usr/local/samba/etc/smb.conf
# Global parameters
[global]
    workgroup = DOUGLAS
    realm = douglas.lan
    netbios name = SAMBA1
    server role = active directory domain controller
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
    ### RPC ###
    rpc_server:tcpip = no
    rpc_daemon:spoolssd = embedded
    rpc_server:spoolss = embedded
    rpc_server:winreg = embedded
    rpc_server:ntsvcs = embedded
    rpc_server:eventlog = embedded
    rpc_server:srvsvc = embedded
    rpc_server:svcctl = embedded
    rpc_server:default = external
    ### IDMAP ###
    idmap_ldb:use rfc2307 = yes
    idmap config * : backend = tdb
    idmap config *:range = 70001-80000
    idmap config DOUGLAS:backend = ad
    idmap config DOUGLAS:schema_mode = rfc2307
    idmap config DOUGLAS:range = 500-40000
    ### WINBIND ###
    winbind nss info = rfc2307
    winbind trusted domains only = no
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    map archive = No
    map readonly = no
    store dos attributes = Yes
    ### VFS: dfs_samba4 and acl_xattr are required on a DC (sysvol ACLs);
    ### recycle and full_audit go on the same line, because a second
    ### "vfs objects" line would replace the first one
    vfs objects = dfs_samba4, acl_xattr, recycle, full_audit
    ### The template is necessary to authenticate with winbind
    template shell = /bin/bash
    ### Disabling printers ###
    printcap name = /dev/null
    load printers = no
    disable spoolss = yes
    printing = bsd
    ### LOGS ###
    log file = /var/log/samba/smbd.log
    max log size = 50
    log level = 2
    ### RECYCLE BIN ###
    recycle:repository = Recycle
    recycle:exclude = *.tmp *.TMP *.temp *.TEMP ~*
    recycle:keeptree = yes
    ### AUDIT ###
    full_audit:success = rmdir mkdir open write rename unlink
    full_audit:failure = none
    full_audit:prefix = %U|%I|%m|%S
    full_audit:facility = local5
    full_audit:priority = notice
    veto files = /*.mp3/*.wav/*.exe/*.cmd/*.adm/*.inf/*.ini/*.pif
    delete veto files = yes
    dos filemode = yes

[netlogon]
    path = /usr/local/samba/var/locks/sysvol/douglas.lan/scripts
    read only = No

[sysvol]
    path = /usr/local/samba/var/locks/sysvol
    read only = No
</sxh>

Now we need to create the directory that will store the Samba log files

<sxh bash;>
mkdir -p /var/log/samba
</sxh>

Now we need to create a symbolic link to the keytab

<sxh bash;>
ln -s /usr/local/samba/private/dns.keytab /etc/krb5.keytab
</sxh>

Now let's start the Samba service

<sxh bash;>
/usr/local/samba/sbin/samba
</sxh>

Now let's disable the password expiry of the administrator account

<sxh bash;>
samba-tool user setexpiry administrator --noexpiry
Expiry for user 'administrator' disabled.
</sxh>

Now let's check the Samba client version

<sxh bash;>
smbclient --version
Version 4.2.2
</sxh>

Now let's display the shares

<sxh bash;>
smbclient -L localhost -U%
Domain=[DOUGLAS] OS=[Windows 6.1] Server=[Samba 4.2.2]

    Sharename       Type      Comment
    ---------       ----      -------
    netlogon        Disk
    sysvol          Disk
    IPC$            IPC       IPC Service (Samba 4.2.2)
Domain=[DOUGLAS] OS=[Windows 6.1] Server=[Samba 4.2.2]

    Server               Comment
    ---------            -------

    Workgroup            Master
    ---------            -------
</sxh>

Now let's test the shares with an authenticated account

<sxh bash;>
smbclient -L //localhost/netlogon -U douglas/administrator%'smb@134*' -c 'ls'
Domain=[DOUGLAS] OS=[Windows 6.1] Server=[Samba 4.2.2]

    Sharename       Type      Comment
    ---------       ----      -------
    netlogon        Disk
    sysvol          Disk
    IPC$            IPC       IPC Service (Samba 4.2.2)
Domain=[DOUGLAS] OS=[Windows 6.1] Server=[Samba 4.2.2]

    Server               Comment
    ---------            -------

    Workgroup            Master
    ---------            -------
</sxh>

Now let's display the Samba configuration with testparm. Compare the dump with the file: testparm prints the effective value of each parameter, so a parameter that was assigned twice shows up only with its last value.

<sxh bash;>
testparm
Load smb config files from /usr/local/samba/etc/smb.conf
Processing section "[netlogon]"
Processing section "[sysvol]"
Loaded services file OK.
Server role: ROLE_ACTIVE_DIRECTORY_DC

Press enter to see a dump of your service definitions

# Global parameters
[global]
    workgroup = DOUGLAS
    realm = douglas.lan
    server role = active directory domain controller
    passdb backend = samba_dsdb
    log file = /var/log/samba/smbd.log
    max log size = 50
    load printers = No
    printcap name = /dev/null
    disable spoolss = Yes
    template shell = /bin/bash
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = Yes
    winbind nss info = rfc2307
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
    winbindd:use external pipes = true
    full_audit:priority = notice
    full_audit:facility = local5
    full_audit:prefix = %U|%I|%m|%S
    full_audit:failure = none
    full_audit:success = rmdir mkdir open write rename unlink
    recycle:keeptree = yes
    recycle:exclude = *.tmp *.TMP *.temp *.TEMP ~*
    recycle:repository = Recycle
    idmap config lab:range = 500-40000
    idmap config lab:schema_mode = rfc2307
    idmap config lab:backend = ad
    idmap config *:range = 70001-80000
    idmap_ldb:use rfc2307 = yes
    rpc_server:default = external
    rpc_server:svcctl = embedded
    rpc_server:srvsvc = embedded
    rpc_server:eventlog = embedded
    rpc_server:ntsvcs = embedded
    rpc_server:winreg = embedded
    rpc_server:spoolss = embedded
    rpc_daemon:spoolssd = embedded
    rpc_server:tcpip = no
    idmap config * : backend = tdb
    printing = bsd
    delete veto files = Yes
    veto files = /*.mp3/*.wav/*.exe/*.cmd/*.adm/*.inf/*.ini/*.pif
    map archive = No
    map readonly = no
    store dos attributes = Yes
    dos filemode = Yes
    vfs objects = recycle full_audit

[netlogon]
    path = /usr/local/samba/var/locks/sysvol/douglas.lan/scripts
    read only = No

[sysvol]
    path = /usr/local/samba/var/locks/sysvol
    read only = No
</sxh>
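
Because Samba keeps only the last assignment of a repeated parameter, a second `vfs objects` line silently drops `dfs_samba4` and `acl_xattr`, and the mistake is only visible in the testparm dump. The following check is an added example (not part of the original page, nor a Samba tool): it lists every parameter assigned more than once in the same smb.conf section, and is run here against a constructed sample that reproduces the pattern.

```shell
#!/bin/sh
# Added example (not from the original page): find parameters that are
# assigned more than once inside the same smb.conf section. Samba applies
# only the last assignment, so an earlier "vfs objects = dfs_samba4, acl_xattr"
# is silently replaced by a later "vfs objects = recycle full_audit".

# Print "<section> <key>" for every key assigned more than once in a section.
# Parameter names are lower-cased (Samba ignores their case) and the blanks
# around and inside them are normalised before comparing.
smbconf_dup_keys() {
    awk '
        /^[ \t]*[#;]/ { next }                      # skip comment lines
        /^[ \t]*\[/ {                               # [section] header
            sec = $0
            sub(/^[ \t]*\[/, "", sec)
            sub(/].*/, "", sec)
            next
        }
        /=/ {
            key = $0
            sub(/=.*/, "", key)                     # keep the text before "="
            gsub(/^[ \t]+|[ \t]+$/, "", key)        # trim
            gsub(/[ \t]+/, " ", key)                # collapse inner blanks
            key = tolower(key)
            if (key != "") count[sec, key]++
        }
        END {
            for (k in count) {
                if (count[k] > 1) {
                    split(k, part, SUBSEP)
                    print part[1] " " part[2]
                }
            }
        }
    ' "$1" | sort
}

# Constructed sample (not a real configuration) reproducing the duplicated
# "vfs objects" and "full_audit:failure" keys discussed above.
write_sample_smbconf() {
    cat > "$1" <<'EOF'
[global]
    workgroup = DOUGLAS
    vfs objects = dfs_samba4, acl_xattr
    full_audit:failure = rmdir mkdir open write rename unlink
    full_audit:failure = none
    vfs objects = recycle full_audit

[sysvol]
    path = /usr/local/samba/var/locks/sysvol
    read only = No
EOF
}

# Run the check on a real file when invoked with a path, e.g.
#   sh smbconf_dup_keys.sh /usr/local/samba/etc/smb.conf
if [ "$#" -gt 0 ]; then
    smbconf_dup_keys "$1"
fi
```

An empty result means every parameter is assigned once; each reported line names a section and a key whose earlier value Samba will ignore.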
 +
 +Now let's check the samba process that is running
 +
 +<sxh bash;>
 +ps aux | egrep samba
 +root     ​11326 ​ 0.0  2.5 524812 51900 ?        Ss   ​17:​18 ​  0:00 /​usr/​local/​samba/​sbin/​samba
 +root     ​11327 ​ 0.0  1.6 524812 34440 ?        S    17:18   0:00 /​usr/​local/​samba/​sbin/​samba
 +root     ​11328 ​ 0.0  1.7 524812 36544 ?        S    17:18   0:00 /​usr/​local/​samba/​sbin/​samba
 +root     ​11329 ​ 0.0  2.0 528964 42176 ?        S    17:18   0:00 /​usr/​local/​samba/​sbin/​samba
 +root     ​11330 ​ 0.0  2.7 484536 56336 ?        Ss   ​17:​18 ​  0:00 /​usr/​local/​samba/​sbin/​smbd -D --option=server role check:​inhibit=yes --foreground
 +root     ​11331 ​ 0.0  1.6 524812 34440 ?        S    17:18   0:00 /​usr/​local/​samba/​sbin/​samba
 +root     ​11332 ​ 0.0  1.9 524812 40460 ?        S    17:18   0:00 /​usr/​local/​samba/​sbin/​samba
 +root     ​11333 ​ 0.0  1.7 524812 35976 ?        S    17:18   0:00 /​usr/​local/​samba/​sbin/​samba
 +root     ​11334 ​ 0.0  1.9 524812 39740 ?        S    17:18   0:00 /​usr/​local/​samba/​sbin/​samba
 +root     ​11335 ​ 0.0  1.8 524776 38028 ?        S    17:18   0:00 /​usr/​local/​samba/​sbin/​samba
 +root     ​11336 ​ 0.0  1.8 528236 38176 ?        S    17:18   0:00 /​usr/​local/​samba/​sbin/​samba
 +root     ​11337 ​ 0.0  1.6 524812 34440 ?        S    17:18   0:00 /​usr/​local/​samba/​sbin/​samba
 +root     ​11338 ​ 0.0  2.1 524776 44972 ?        S    17:18   0:00 /​usr/​local/​samba/​sbin/​samba
 +root     ​11339 ​ 0.0  1.7 524812 36372 ?        S    17:18   0:00 /​usr/​local/​samba/​sbin/​samba
 +root     ​11400 ​ 0.0  0.1  12968  2364 pts/0    S+   ​17:​27 ​  0:00 grep -E --color=auto samba
 +</​sxh>​
 +
 +Now let's restar the bind9 service
 +
 +<sxh bash;>
 +systemctl restart bind9
 +</​sxh>​
 +
 +Now let's check the bind9 status
 +
 +<sxh bash;>
 +systemctl status bind9
 +● bind9.service - BIND Domain Name Server
 +   ​Loaded:​ loaded (/​lib/​systemd/​system/​bind9.service;​ enabled)
 +  Drop-In: /​run/​systemd/​generator/​bind9.service.d
 +           ​└─50-insserv.conf-$named.conf
 +   ​Active:​ active (running) since Qui 2015-06-04 17:41:58 BRT; 896ms ago
 +     Docs: man:​named(8)
 +  Process: 11770 ExecStop=/​usr/​sbin/​rndc stop (code=exited,​ status=0/​SUCCESS)
 + Main PID: 11775 (named)
 +   ​CGroup:​ /​system.slice/​bind9.service
 +           ​└─11775 /​usr/​sbin/​named -f -u bind
 +
 +Jun 04 17:41:59 samba1 named[11775]:​ automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
 +Jun 04 17:41:59 samba1 named[11775]:​ command channel listening on 127.0.0.1#​953
 +Jun 04 17:41:59 samba1 named[11775]:​ command channel listening on ::1#953
 +Jun 04 17:41:59 samba1 named[11775]:​ managed-keys-zone:​ loaded serial 2
 +Jun 04 17:41:59 samba1 named[11775]:​ zone 0.in-addr.arpa/​IN:​ loaded serial 1
 +Jun 04 17:41:59 samba1 named[11775]:​ zone 127.in-addr.arpa/​IN:​ loaded serial 1
 +Jun 04 17:41:59 samba1 named[11775]:​ zone 255.in-addr.arpa/​IN:​ loaded serial 1
 +Jun 04 17:41:59 samba1 named[11775]:​ zone localhost/​IN:​ loaded serial 2
 +Jun 04 17:41:59 samba1 named[11775]:​ all zones loaded
 +Jun 04 17:41:59 samba1 named[11775]:​ running
 +</​sxh>​
 +
 +Now let's check the dns resolution
 +
 +<sxh bash;>
 +nslookup douglas.lan
 +Server: ​       127.0.0.1
 +Address: ​   127.0.0.1#​53
 +
 +Name:    douglas.lan
 +Address: 192.168.25.100
 +</​sxh>​
 +
 +Now we need to make a copy of the krb5.conf
 +
 +<sxh bash;>
 +cp -Rfa /​etc/​krb5.conf{,​.bkp}
 +</​sxh>​
 +
 +Now let's remove the original file
 +
 +<sxh bash;>
 +rm -rf /​etc/​krb5.conf
 +</​sxh>​
 +
 +Now we need to create symbolic link from samba directory
 +
 +<sxh bash;>
 +ln -sf /​usr/​local/​samba/​share/​setup/​krb5.conf /​etc/​krb5.conf
 +</​sxh>​
 +
 +Now we need to configure the file
 +
 +<sxh bash;>
 +vim /​etc/​krb5.conf
 +[logging]
 +     ​default = FILE:/​var/​log/​krb5libs.log
 +     kdc = FILE:/​var/​log/​krb5kdc.log
 +     ​admin_server = FILE:/​var/​log/​kadmind.log
 +
 +[libdefaults]
 +     ​default_realm = DOUGLAS.LAN
 +     ​dns_lookup_realm = true
 +     ​dns_lookup_kdc = true
 +     ​ticket_lifetime = 24h
 +     ​forwardable = yes
 +
 +[appdefaults]
 +     pam = {
 +          debug = false
 +          ticket_lifetime = 36000
 +          renew_lifetime = 36000
 +          forwardable = true
 +          krb4_convert = false
 +     }
 +</​sxh>​
 +
 +Now let's try to create a ticket on kerberos
 +
 +<sxh bash;>
 +kinit administrator@DOUGLAS.LAN
 +administrator@DOUGLAS.LAN'​s Password:
 +</​sxh>​
 +
 +Now let's list our ticket
 +
 +<sxh bash;>
 +klist
 +Credentials cache: FILE:/​tmp/​krb5cc_0
 +        Principal: administrator@DOUGLAS.LAN
 +
 +  Issued ​               Expires ​              ​Principal
 +Jun  4 17:48:15 2015  Jun  5 03:48:12 2015  krbtgt/​DOUGLAS.LAN@DOUGLAS.LAN
 +</​sxh>​
 +
 +Now let's run a test in samba authentication with kerberos ticket
 +
 +<sxh bash;>
 +smbclient -k //​samba1.douglas.lan/​sysvol -c '​ls'​
 +Domain=[DOUGLAS] OS=[Windows 6.1] Server=[Samba 4.2.2]
 +  .                                   ​D ​       0  Thu Jun  4 14:27:54 2015
 +  ..                                  D        0  Thu Jun  4 17:18:50 2015
 +  douglas.lan ​                        ​D ​       0  Thu Jun  4 14:27:53 2015
 +
 +        9653896 blocks of size 1024. 5923120 blocks available
 +</​sxh>​
 +
 +Let's check the another share
 +
 +<sxh bash;>
 +smbclient -k //​samba1.douglas.lan/​netlogon -c '​ls'​
 +Domain=[DOUGLAS] OS=[Windows 6.1] Server=[Samba 4.2.2]
 +  .                                   ​D ​       0  Thu Jun  4 14:27:45 2015
 +  ..                                  D        0  Thu Jun  4 14:27:53 2015
 +
 +        9653896 blocks of size 1024. 5923088 blocks available
 +</​sxh>​
 +
 +**NOTE:​** ​ If you try to access the samba share using the kerberos kicket and try to use localhost rather than the samba1 you will get the follow error
 +
 +<sxh bash;>
 +smbclient -k //​localhost/​netlogon -c '​ls'​
 +ads_krb5_mk_req:​ smb_krb5_get_credentials failed for cifs/​localhost@DOUGLAS.LAN (Server not found in Kerberos database)
 +cli_session_setup_kerberos:​ spnego_gen_krb5_negTokenInit failed: Server not found in Kerberos database
 +session setup failed: NT_STATUS_UNSUCCESSFUL
 +</​sxh>​
 +
 +As we can see the server was not found in kerberos database, whether we check the klist
 +
 +<sxh bash;>
 +klist
 +Credentials cache: FILE:/​tmp/​krb5cc_0
 +        Principal: administrator@DOUGLAS.LAN
 +
 +  Issued ​               Expires ​              ​Principal
 +Jun  4 17:48:15 2015  Jun  5 03:48:12 2015  krbtgt/​DOUGLAS.LAN@DOUGLAS.LAN
 +Jun  4 17:50:05 2015  Jun  5 03:48:12 2015  cifs/​samba1.douglas.lan@DOUGLAS.LAN
 +</​sxh>​
 +
 +The service ticket we hold is for cifs/samba1.douglas.lan@DOUGLAS.LAN, the principal that exists in Kerberos, whereas using localhost made smbclient ask for cifs/localhost@DOUGLAS.LAN, which does not exist. Kerberos identifies the server by its service principal name, so the share has to be addressed by the host name registered in the KDC.
 +
 +===== Installing and Configuring NTP Server =====
 +
 +Now we need to install and configure the NTP service to keep the clock accurate; Kerberos rejects authentication when the clocks of client and DC drift too far apart
 +
 +Now let's install the ntp server
 +
 +<sxh bash;>
 +aptitude install ntp -y
 +</sxh>
 +
 +Now we need to make a copy of ntp.conf
 +
 +<sxh bash;>
 +cp -Rfa /etc/ntp.conf{,.bkp}
 +</sxh>
 +
 +Now Let's change the configuration
 +
 +<sxh bash;>
 +vim /etc/ntp.conf
 +#/etc/ntp.conf
 +server 127.127.1.0
 +fudge  127.127.1.0 stratum 10
 +server a.ntp.br iburst prefer
 +server b.ntp.br iburst prefer
 +server c.ntp.br iburst prefer
 +driftfile /var/lib/ntp/ntp.drift
 +logfile /var/log/ntp
 +ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/
 +restrict default kod nomodify notrap nopeer mssntp
 +restrict 127.0.0.1
 +restrict a.ntp.br mask 255.255.255.255 nomodify notrap nopeer noquery
 +restrict b.ntp.br mask 255.255.255.255 nomodify notrap nopeer noquery
 +restrict c.ntp.br mask 255.255.255.255 nomodify notrap nopeer noquery
 +</sxh>
 +
 +Now let's restart the ntp service
 +
 +<sxh bash;>
 +systemctl restart ntp
 +</sxh>
 +
 +Now let's display the ntp status
 +
 +<sxh bash;>
 +ntpq -p 127.0.0.1
 +     remote           refid      st t when poll reach   delay   offset  jitter
 +==============================================================================
 + LOCAL(0)        .LOCL.          10 l  101   64    6    0.000    0.000   0.002
 ++a.ntp.br        200.160.7.186    2 u   29   64    5   13.397  -19.867   9.921
 +*b.ntp.br        200.20.186.76    2 u   26   64    7   18.728  -22.845   7.553
 ++c.ntp.br        200.160.7.186    2 u   30   64    7   38.183  -24.685   8.156
 +</sxh>
 +
 +Now we need to change the group of the ntp_signd directory so that ntpd can reach the signing socket
 +
 +<sxh bash;>
 +chgrp ntp /usr/local/samba/var/lib/ntp_signd
 +</sxh>
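As an added check that is not part of the original page, the POSIX shell script below validates an ntp.conf for the two Samba-specific settings above (ntpsigndsocket and mssntp on "restrict default") and for the restrictions that keep remote clients from reconfiguring or peering with the daemon, then verifies the ntp_signd directory. The ntp_signd path is the one used on this page; the function names, the group name ntp, and the "weak" sample configuration are my own assumptions.

```sh
#!/bin/sh
# Added example, not part of the original page: check an ntp.conf for the
# two Samba-specific settings used above (ntpsigndsocket and mssntp on
# "restrict default") and for the restrictions that keep remote clients
# from reconfiguring or peering with the daemon. Paths match this page;
# the function names and the "weak" sample configuration are mine.

SIGND_DIR=/usr/local/samba/var/lib/ntp_signd

# check_ntp_conf CONF SIGND_DIR
# Prints one line per problem and returns the number of problems (0 = ok).
check_ntp_conf() {
    conf="$1"; signd="${2%/}"; problems=0

    # 1. ntpsigndsocket must point at the directory Samba's ntp_signd uses,
    #    otherwise Windows members never get signed (MS-SNTP) replies
    sock=$(awk '$1 == "ntpsigndsocket" { print $2 }' "$conf")
    case "${sock%/}" in
        "$signd") ;;
        "")  echo "missing: ntpsigndsocket $signd/"; problems=$((problems + 1)) ;;
        *)   echo "wrong: ntpsigndsocket is $sock, expected $signd/"; problems=$((problems + 1)) ;;
    esac

    # 2. the default restriction needs mssntp (offer signed replies) plus
    #    nomodify/notrap/nopeer (nobody reconfigures or peers with us)
    default_line=$(grep -E '^[[:space:]]*restrict[[:space:]]+default([[:space:]]|$)' "$conf" | head -n 1)
    for flag in mssntp nomodify notrap nopeer; do
        case " $default_line " in
            *" $flag "*) ;;
            *) echo "missing flag on 'restrict default': $flag"; problems=$((problems + 1)) ;;
        esac
    done

    # 3. at least one upstream server besides the local clock 127.127.1.0;
    #    a drifting DC breaks Kerberos once the skew passes five minutes
    upstream=$(awk '$1 == "server" && $2 !~ /^127\.127\./ { n++ } END { print n + 0 }' "$conf")
    [ "$upstream" -gt 0 ] || { echo "no upstream server configured"; problems=$((problems + 1)); }

    return "$problems"
}

# check_signd_dir DIR -> 0 when the socket directory exists and ntpd (which
# runs as user ntp) can reach it; this is what the chgrp above is for.
check_signd_dir() {
    dir="${1%/}"
    [ -d "$dir" ] || { echo "$dir does not exist (samba not started yet?)"; return 1; }
    grp=$(ls -ld "$dir" | awk '{ print $4 }')
    [ "$grp" = "ntp" ] || { echo "$dir is group '$grp', expected ntp: chgrp ntp $dir"; return 1; }
    return 0
}

# Demo on two constructed files: the configuration from this page, and a
# variant that forgot both Samba-specific settings.
tmp=$(mktemp -d)
cat > "$tmp/good.conf" <<'EOF'
server 127.127.1.0
fudge  127.127.1.0 stratum 10
server a.ntp.br iburst prefer
server b.ntp.br iburst prefer
driftfile /var/lib/ntp/ntp.drift
ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/
restrict default kod nomodify notrap nopeer mssntp
restrict 127.0.0.1
EOF
cat > "$tmp/weak.conf" <<'EOF'
server 127.127.1.0
server a.ntp.br iburst prefer
restrict default kod nomodify notrap nopeer
EOF
for f in good weak; do
    rc=0; check_ntp_conf "$tmp/$f.conf" "$SIGND_DIR" || rc=$?
    echo "$f.conf: $rc problem(s)"
done
rm -rf "$tmp"
```

On the DC itself, run check_ntp_conf /etc/ntp.conf "$SIGND_DIR" and check_signd_dir "$SIGND_DIR" after samba has started, since samba creates the socket directory.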
 +
 +===== Creating the Samba4 Launch Script =====
 +
 +Now we need to create the samba4 launch script
 +
 +<sxh bash;>
 +vim /etc/init.d/samba
 +#! /bin/sh
 +
 +### BEGIN INIT INFO
 +# Provides:          samba4
 +# Required-Start:    $network $local_fs $remote_fs
 +# Required-Stop:     $network $local_fs $remote_fs
 +# Default-Start:     2 3 4 5
 +# Default-Stop:      0 1 6
 +# Short-Description: start Samba daemons
 +### END INIT INFO
 +
 +#
 +# Start/stops the Samba daemon (samba).
 +# Adapted from the Samba 3 packages.
 +#
 +
 +PIDDIR=/usr/local/samba/var/run
 +SAMBAPID=$PIDDIR/samba.pid
 +
 +# clear conflicting settings from the environment
 +unset TMPDIR
 +
 +# See if the daemon and the config file are there
 +test -x /usr/local/samba/sbin/samba -a -r /usr/local/samba/etc/smb.conf || exit 0
 +
 +. /lib/lsb/init-functions
 +
 +case "$1" in
 +    start)
 +        log_daemon_msg "Starting Samba 4 daemon" "samba"
 +        # Make sure we have our PIDDIR, even if it's on a tmpfs
 +        install -o root -g root -m 755 -d $PIDDIR
 +
 +        if ! start-stop-daemon --start --quiet --oknodo --exec /usr/local/samba/sbin/samba -- -D; then
 +            log_end_msg 1
 +            exit 1
 +        fi
 +
 +        log_end_msg 0
 +        ;;
 +    stop)
 +        log_daemon_msg "Stopping Samba 4 daemon" "samba"
 +
 +        # Ask the daemon to shut down cleanly (SIGTERM) and report a
 +        # failure only when no samba process could be signalled
 +        if ! /usr/bin/killall samba > /dev/null 2>&1; then
 +            log_end_msg 1
 +            exit 1
 +        fi
 +
 +        log_end_msg 0
 +        ;;
 +    restart|force-reload)
 +        $0 stop
 +        sleep 1
 +        $0 start
 +        ;;
 +    *)
 +        echo "Usage: /etc/init.d/samba {start|stop|restart|force-reload}"
 +        exit 1
 +        ;;
 +esac
 +
 +exit 0
 +</sxh>
 +
 +Now we need to change the permissions
 +
 +<sxh bash;>
 +chmod +x /etc/init.d/samba
 +</sxh>
 +
 +Now we need to insert it in the boot time
 +
 +<sxh bash;>
 +insserv -f -v samba
 +</sxh>
 +
 +Now let's stop the samba service to run a test with our new script
 +
 +<sxh bash;>
 +killall samba
 +</sxh>
 +
 +Now let's start the samba service to test
 +
 +<sxh bash;>
 +/etc/init.d/samba start
 +[ ok ] Starting samba (via systemctl): samba.service.
 +</sxh>
 +
 +Now let's show the samba processes
 +
 +<sxh bash;>
 +ps aux | egrep samba
 +root       942  1.2  2.5 524780 51576 ?        Ss   19:18   0:00 /usr/local/samba/sbin/samba -D
 +root       960  0.0  1.6 524780 34480 ?        S    19:18   0:00 /usr/local/samba/sbin/samba -D
 +root       961  0.0  1.7 524780 36588 ?        S    19:18   0:00 /usr/local/samba/sbin/samba -D
 +root       962  1.3  2.7 484652 56492 ?        Ss   19:18   0:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
 +root       963  0.0  1.8 524780 38596 ?        S    19:18   0:00 /usr/local/samba/sbin/samba -D
 +root       964  0.0  1.6 524780 34480 ?        S    19:18   0:00 /usr/local/samba/sbin/samba -D
 +root       965  0.1  1.9 524780 40276 ?        S    19:18   0:00 /usr/local/samba/sbin/samba -D
 +root       966  0.0  1.7 524780 36040 ?        S    19:18   0:00 /usr/local/samba/sbin/samba -D
 +root       967  0.0  2.1 531048 43432 ?        S    19:18   0:00 /usr/local/samba/sbin/samba -D
 +root       968  0.1  1.8 524780 37868 ?        S    19:18   0:00 /usr/local/samba/sbin/samba -D
 +root       969  0.0  1.8 527608 37516 ?        S    19:18   0:00 /usr/local/samba/sbin/samba -D
 +root       970  0.0  1.6 524780 34484 ?        S    19:18   0:00 /usr/local/samba/sbin/samba -D
 +root       971  0.5  2.2 524920 45356 ?        S    19:18   0:00 /usr/local/samba/sbin/samba -D
 +root       972  0.0  1.7 524780 36000 ?        S    19:18   0:00 /usr/local/samba/sbin/samba -D
 +root       977  0.0  0.1  12968  2368 pts/0    S+   19:18   0:00 grep -E --color=auto samba
 +</sxh>
 +
 +As we can see everything is ok so far
 +
 +Let's check the shares
 +
 +<sxh bash;>
 +smbclient -L localhost -U%
 +Domain=[DOUGLAS] OS=[Windows 6.1] Server=[Samba 4.2.2]
 +
 +    Sharename       Type      Comment
 +    ---------       ----      -------
 +    netlogon        Disk
 +    sysvol          Disk
 +    IPC$            IPC       IPC Service (Samba 4.2.2)
 +Domain=[DOUGLAS] OS=[Windows 6.1] Server=[Samba 4.2.2]
 +
 +    Server               Comment
 +    ---------            -------
 +
 +    Workgroup            Master
 +    ---------            -------
 +</sxh>
 +
 +Now let's check with an authenticated account
 +
 +<sxh bash;>
 +smbclient -L //localhost/netlogon -UAdministrator%'smb@134*' -c 'ls'
 +Domain=[DOUGLAS] OS=[Windows 6.1] Server=[Samba 4.2.2]
 +
 +    Sharename       Type      Comment
 +    ---------       ----      -------
 +    netlogon        Disk
 +    sysvol          Disk
 +    IPC$            IPC       IPC Service (Samba 4.2.2)
 +Domain=[DOUGLAS] OS=[Windows 6.1] Server=[Samba 4.2.2]
 +
 +    Server               Comment
 +    ---------            -------
 +
 +    Workgroup            Master
 +    ---------            -------
 +</sxh>
 +
 +===== Testing Bind_DLZ and Kerberos =====
 +
 +Now we need to create some symbolic links so that the system can find the winbind NSS library. On a 32-bit system, create them as follows
 +
 +<sxh bash;>
 +ln -s /usr/local/samba/lib/libnss_winbind.so /usr/lib/libnss_winbind.so
 +ln -s /usr/local/samba/lib/libnss_winbind.so.2 /usr/lib/libnss_winbind.so.2
 +ldconfig
 +</sxh>
 +
 +On a 64-bit system, create the symbolic links as follows instead
 +
 +<sxh bash;>
 +ln -s /usr/local/samba/lib/libnss_winbind.so.2 /usr/lib/x86_64-linux-gnu/libnss_winbind.so
 +ln -s /usr/lib/x86_64-linux-gnu/libnss_winbind.so /usr/lib/x86_64-linux-gnu/libnss_winbind.so.2
 +ldconfig
 +</sxh>
 +
 +Now we need to configure the nsswitch.conf
 +
 +<sxh bash;>
 +vim /etc/nsswitch.conf
 +[...]
 +passwd: compat winbind
 +[...]
 +group:  compat winbind
 +</sxh>
 +
 +Samba 4 is working properly so far
 +
 +If you need the RSAT (Remote Server Administration Tools) to manage the domain from a Windows client, get it from the following links:
 +
 +  * [[http://www.microsoft.com/en-us/download/details.aspx?id=39296|http://www.microsoft.com/en-us/download/details.aspx?id=39296]] (Windows 8.1)
 +  * [[http://www.microsoft.com/download/details.aspx?id=28972|http://www.microsoft.com/download/details.aspx?id=28972]] (Windows 8)
 +  * [[http://www.microsoft.com/downloads/details.aspx?FamilyId=9FF6E897-23CE-4A36-B7FC-D52065DE9960&displaylang=en|http://www.microsoft.com/downloads/details.aspx?FamilyId=9FF6E897-23CE-4A36-B7FC-D52065DE9960&displaylang=en]] (Vista)
 +  * [[http://www.microsoft.com/downloads/details.aspx?FamilyID=7D2F6AD7-656B-4313-A005-4E344E43997D&displaylang=en|http://www.microsoft.com/downloads/details.aspx?FamilyID=7D2F6AD7-656B-4313-A005-4E344E43997D&displaylang=en]] (Windows 7)
 +  * [[http://www.microsoft.com/en-us/download/details.aspx?id=6315|http://www.microsoft.com/en-us/download/details.aspx?id=6315]] (Windows XP/Server 2003)
 +
 +Let's run a test with winbind
 +
 +<sxh bash;>
 +wbinfo -t
 +checking the trust secret for domain DOUGLAS via RPC calls succeeded
 +</sxh>
 +
 +Let's display the groups in the Samba 4 database
 +
 +<sxh bash;>
 +wbinfo -g
 +Enterprise Read-Only Domain Controllers
 +Domain Admins
 +Domain Users
 +Domain Guests
 +Domain Computers
 +Domain Controllers
 +Schema Admins
 +Enterprise Admins
 +Group Policy Creator Owners
 +Read-Only Domain Controllers
 +DnsUpdateProxy
 +</sxh>
 +
 +Let's display the users
 +
 +<sxh bash;>
 +wbinfo -u
 +Administrator
 +Guest
 +krbtgt
 +dns-samba1
 +</sxh>
 +
 +Now we need to check the DNS updates; let's run a test
 +
 +<sxh bash;>
 +samba_dnsupdate --verbose
 +IPs: ['192.168.25.100']
 +Looking for DNS entry A samba1.douglas.lan 192.168.25.100 as samba1.douglas.lan.
 +Looking for DNS entry A douglas.lan 192.168.25.100 as douglas.lan.
 +Looking for DNS entry SRV _ldap._tcp.douglas.lan samba1.douglas.lan 389 as _ldap._tcp.douglas.lan.
 +Checking 0 100 389 samba1.douglas.lan. against SRV _ldap._tcp.douglas.lan samba1.douglas.lan 389
 +Looking for DNS entry SRV _ldap._tcp.dc._msdcs.douglas.lan samba1.douglas.lan 389 as _ldap._tcp.dc._msdcs.douglas.lan.
 +Checking 0 100 389 samba1.douglas.lan. against SRV _ldap._tcp.dc._msdcs.douglas.lan samba1.douglas.lan 389
 +Looking for DNS entry SRV _ldap._tcp.9eac9ae0-2e73-4c8c-b78e-9554cb9eadee.domains._msdcs.douglas.lan samba1.douglas.lan 389 as _ldap._tcp.9eac9ae0-2e73-4c8c-b78e-9554cb9eadee.domains._msdcs.douglas.lan.
 +Checking 0 100 389 samba1.douglas.lan. against SRV _ldap._tcp.9eac9ae0-2e73-4c8c-b78e-9554cb9eadee.domains._msdcs.douglas.lan samba1.douglas.lan 389
 +Looking for DNS entry SRV _kerberos._tcp.douglas.lan samba1.douglas.lan 88 as _kerberos._tcp.douglas.lan.
 +Checking 0 100 88 samba1.douglas.lan. against SRV _kerberos._tcp.douglas.lan samba1.douglas.lan 88
 +Looking for DNS entry SRV _kerberos._udp.douglas.lan samba1.douglas.lan 88 as _kerberos._udp.douglas.lan.
 +Checking 0 100 88 samba1.douglas.lan. against SRV _kerberos._udp.douglas.lan samba1.douglas.lan 88
 +Looking for DNS entry SRV _kerberos._tcp.dc._msdcs.douglas.lan samba1.douglas.lan 88 as _kerberos._tcp.dc._msdcs.douglas.lan.
 +Checking 0 100 88 samba1.douglas.lan. against SRV _kerberos._tcp.dc._msdcs.douglas.lan samba1.douglas.lan 88
 +Looking for DNS entry SRV _kpasswd._tcp.douglas.lan samba1.douglas.lan 464 as _kpasswd._tcp.douglas.lan.
 +Checking 0 100 464 samba1.douglas.lan. against SRV _kpasswd._tcp.douglas.lan samba1.douglas.lan 464
 +Looking for DNS entry SRV _kpasswd._udp.douglas.lan samba1.douglas.lan 464 as _kpasswd._udp.douglas.lan.
 +Checking 0 100 464 samba1.douglas.lan. against SRV _kpasswd._udp.douglas.lan samba1.douglas.lan 464
 +Looking for DNS entry CNAME d6a2ff47-5541-4197-b729-3fb4b82e5b42._msdcs.douglas.lan samba1.douglas.lan as d6a2ff47-5541-4197-b729-3fb4b82e5b42._msdcs.douglas.lan.
 +Looking for DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.douglas.lan samba1.douglas.lan 389 as _ldap._tcp.Default-First-Site-Name._sites.douglas.lan.
 +Checking 0 100 389 samba1.douglas.lan. against SRV _ldap._tcp.Default-First-Site-Name._sites.douglas.lan samba1.douglas.lan 389
 +Looking for DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.douglas.lan samba1.douglas.lan 389 as _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.douglas.lan.
 +Checking 0 100 389 samba1.douglas.lan. against SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.douglas.lan samba1.douglas.lan 389
 +Looking for DNS entry SRV _kerberos._tcp.Default-First-Site-Name._sites.douglas.lan samba1.douglas.lan 88 as _kerberos._tcp.Default-First-Site-Name._sites.douglas.lan.
 +Checking 0 100 88 samba1.douglas.lan. against SRV _kerberos._tcp.Default-First-Site-Name._sites.douglas.lan samba1.douglas.lan 88
 +Looking for DNS entry SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.douglas.lan samba1.douglas.lan 88 as _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.douglas.lan.
 +Checking 0 100 88 samba1.douglas.lan. against SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.douglas.lan samba1.douglas.lan 88
 +Looking for DNS entry SRV _ldap._tcp.pdc._msdcs.douglas.lan samba1.douglas.lan 389 as _ldap._tcp.pdc._msdcs.douglas.lan.
 +Checking 0 100 389 samba1.douglas.lan. against SRV _ldap._tcp.pdc._msdcs.douglas.lan samba1.douglas.lan 389
 +Looking for DNS entry A gc._msdcs.douglas.lan 192.168.25.100 as gc._msdcs.douglas.lan.
 +Looking for DNS entry SRV _gc._tcp.douglas.lan samba1.douglas.lan 3268 as _gc._tcp.douglas.lan.
 +Checking 0 100 3268 samba1.douglas.lan. against SRV _gc._tcp.douglas.lan samba1.douglas.lan 3268
 +Looking for DNS entry SRV _ldap._tcp.gc._msdcs.douglas.lan samba1.douglas.lan 3268 as _ldap._tcp.gc._msdcs.douglas.lan.
 +Checking 0 100 3268 samba1.douglas.lan. against SRV _ldap._tcp.gc._msdcs.douglas.lan samba1.douglas.lan 3268
 +Looking for DNS entry SRV _gc._tcp.Default-First-Site-Name._sites.douglas.lan samba1.douglas.lan 3268 as _gc._tcp.Default-First-Site-Name._sites.douglas.lan.
 +Checking 0 100 3268 samba1.douglas.lan. against SRV _gc._tcp.Default-First-Site-Name._sites.douglas.lan samba1.douglas.lan 3268
 +Looking for DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.douglas.lan samba1.douglas.lan 3268 as _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.douglas.lan.
 +Checking 0 100 3268 samba1.douglas.lan. against SRV _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.douglas.lan samba1.douglas.lan 3268
 +Looking for DNS entry A DomainDnsZones.douglas.lan 192.168.25.100 as DomainDnsZones.douglas.lan.
 +Looking for DNS entry SRV _ldap._tcp.DomainDnsZones.douglas.lan samba1.douglas.lan 389 as _ldap._tcp.DomainDnsZones.douglas.lan.
 +Checking 0 100 389 samba1.douglas.lan. against SRV _ldap._tcp.DomainDnsZones.douglas.lan samba1.douglas.lan 389
 +Looking for DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.douglas.lan samba1.douglas.lan 389 as _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.douglas.lan.
 +Checking 0 100 389 samba1.douglas.lan. against SRV _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.douglas.lan samba1.douglas.lan 389
 +Looking for DNS entry A ForestDnsZones.douglas.lan 192.168.25.100 as ForestDnsZones.douglas.lan.
 +Looking for DNS entry SRV _ldap._tcp.ForestDnsZones.douglas.lan samba1.douglas.lan 389 as _ldap._tcp.ForestDnsZones.douglas.lan.
 +Checking 0 100 389 samba1.douglas.lan. against SRV _ldap._tcp.ForestDnsZones.douglas.lan samba1.douglas.lan 389
 +Looking for DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.douglas.lan samba1.douglas.lan 389 as _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.douglas.lan.
 +Checking 0 100 389 samba1.douglas.lan. against SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.douglas.lan samba1.douglas.lan 389
 +No DNS updates needed
 +</sxh>
 +
 +Now let's create a reverse zone
 +
 +<sxh bash;>
 +samba-tool dns zonecreate douglas.lan 25.168.192.in-addr.arpa -UAdministrator --password=smb@134*
 +SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INVALID_PARAMETER
 +Zone 25.168.192.in-addr.arpa created successfully
 +</sxh>
 +
 +**Note:** I'm still trying to discover how to fix the (SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INVALID_PARAMETER) message, but so far I have no answer; I've sent an email to Andrew Tridgell of the Samba project and as soon as he answers I'm going to post the fix.
 +
 +Now let's create the reverse DNS record for samba1
 +
 +<sxh bash;>
 +samba-tool dns add samba1 25.168.192.in-addr.arpa 100 PTR samba1.douglas.lan -Uadministrator --password=smb@134*
 +Record added successfully
 +</sxh>
 +
 +Now let's check the reverse
 +
 +<sxh bash;>
 +dig -x 192.168.25.100
 +
 +; <<>> DiG 9.9.5-9-Debian <<>> -x 192.168.25.100
 +;; global options: +cmd
 +;; Got answer:
 +;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1108
 +;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
 +
 +;; OPT PSEUDOSECTION:
 +; EDNS: version: 0, flags:; udp: 4096
 +;; QUESTION SECTION:
 +;100.25.168.192.in-addr.arpa.    IN    PTR
 +
 +;; ANSWER SECTION:
 +100.25.168.192.in-addr.arpa. 900 IN    PTR    samba1.douglas.lan.
 +
 +;; AUTHORITY SECTION:
 +25.168.192.in-addr.arpa. 3600    IN    NS    samba1.douglas.lan.
 +
 +;; ADDITIONAL SECTION:
 +samba1.douglas.lan.    900    IN    A    192.168.25.100
 +
 +;; Query time: 3 msec
 +;; SERVER: 127.0.0.1#53(127.0.0.1)
 +;; WHEN: Thu Jun 04 19:40:48 BRT 2015
 +;; MSG SIZE  rcvd: 118
 +</sxh>
 +
 +We can run a test with host as well
 +
 +<sxh bash;>
 +host 192.168.25.100
 +100.25.168.192.in-addr.arpa domain name pointer samba1.douglas.lan.
 +</sxh>
 +
 +Now we need to update all the records to make sure that everything is registered as needed
 +
 +<sxh bash;>
 +samba_dnsupdate --verbose --all-names
 +IPs: ['192.168.25.100']
 +Calling nsupdate for A samba1.douglas.lan 192.168.25.100 (add)
 +Outgoing update query:
 +;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
 +;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
 +;; UPDATE SECTION:
 +samba1.douglas.lan. 900 IN  A 192.168.25.100
 +
 +Calling nsupdate for A douglas.lan 192.168.25.100 (add)
 +Outgoing update query:
 +;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
 +;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
 +;; UPDATE SECTION:
 +douglas.lan.    900 IN  A 192.168.25.100
 +
 +Calling nsupdate for SRV _ldap._tcp.douglas.lan samba1.douglas.lan 389 (add)
 +Outgoing update query:
 +;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
 +;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
 +;; UPDATE SECTION:
 +_ldap._tcp.douglas.lan. 900 IN  SRV 0 100 389 samba1.douglas.lan.
 +
 +Calling nsupdate for SRV _ldap._tcp.dc._msdcs.douglas.lan samba1.douglas.lan 389 (add)
 +Outgoing update query:
 +;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
 +;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
 +;; UPDATE SECTION:
 +_ldap._tcp.dc._msdcs.douglas.lan. 900 IN SRV  0 100 389 samba1.douglas.lan.
 +
 +Calling nsupdate for SRV _ldap._tcp.9eac9ae0-2e73-4c8c-b78e-9554cb9eadee.domains._msdcs.douglas.lan samba1.douglas.lan 389 (add)
 +Outgoing update query:
 +;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
 +;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
 +;; UPDATE SECTION:
 +_ldap._tcp.9eac9ae0-2e73-4c8c-b78e-9554cb9eadee.domains._msdcs.douglas.lan. 900 IN SRV 0 100 389 samba1.douglas.lan.
 +
 +Calling nsupdate for SRV _kerberos._tcp.douglas.lan samba1.douglas.lan 88 (add)
 +Outgoing update query:
 +;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
 +;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
 +;; UPDATE SECTION:
 +_kerberos._tcp.douglas.lan. 900 IN  SRV 0 100 88 samba1.douglas.lan.
 +
 +Calling nsupdate for SRV _kerberos._udp.douglas.lan samba1.douglas.lan 88 (add)
 +Outgoing update query:
 +;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
 +;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
 +;; UPDATE SECTION:
 +_kerberos._udp.douglas.lan. 900 IN  SRV 0 100 88 samba1.douglas.lan.
 +
 +Calling nsupdate for SRV _kerberos._tcp.dc._msdcs.douglas.lan samba1.douglas.lan 88 (add)
 +Outgoing update query:
 +;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
 +;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
 +;; UPDATE SECTION:
 +_kerberos._tcp.dc._msdcs.douglas.lan. 900 IN SRV 0 100 88 samba1.douglas.lan.
 +
 +Calling nsupdate for SRV _kpasswd._tcp.douglas.lan samba1.douglas.lan 464 (add)
 +Outgoing update query:
 +;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
 +;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
 +;; UPDATE SECTION:
 +_kpasswd._tcp.douglas.lan. 900  IN  SRV 0 100 464 samba1.douglas.lan.
 +
 +Calling nsupdate for SRV _kpasswd._udp.douglas.lan samba1.douglas.lan 464 (add)
 +Outgoing update query:
 +;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
 +;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
 +;; UPDATE SECTION:
 +_kpasswd._udp.douglas.lan. 900  IN  SRV 0 100 464 samba1.douglas.lan.
 +
 +Calling nsupdate for CNAME d6a2ff47-5541-4197-b729-3fb4b82e5b42._msdcs.douglas.lan samba1.douglas.lan (add)
 +Outgoing update query:
 +;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
 +;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
 +;; UPDATE SECTION:
 +d6a2ff47-5541-4197-b729-3fb4b82e5b42._msdcs.douglas.lan. 900 IN CNAME samba1.douglas.lan.
 +
 +Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.douglas.lan samba1.douglas.lan 389 (add)
 +Outgoing update query:
 +;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
 +;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
 +;; UPDATE SECTION:
 +_ldap._tcp.Default-First-Site-Name._sites.douglas.lan. 900 IN SRV 0 100 389 samba1.douglas.lan.
 +
 +Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.douglas.lan samba1.douglas.lan 389 (add)
 +Outgoing update query:
 +;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
 +;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
 +;; UPDATE SECTION:
 +_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.douglas.lan. 900 IN SRV 0 100 389 samba1.douglas.lan.
 +
 +Calling nsupdate for SRV _kerberos._tcp.Default-First-Site-Name._sites.douglas.lan samba1.douglas.lan 88 (add)
 +Outgoing update query:
 +;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
 +;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
 +;; UPDATE SECTION:
 +_kerberos._tcp.Default-First-Site-Name._sites.douglas.lan. 900 IN SRV 0 100 88 samba1.douglas.lan.
 +
 +Calling nsupdate for SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.douglas.lan samba1.douglas.lan 88 (add)
 +Outgoing update query:
 +;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
 +;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
 +;; UPDATE SECTION:
 +_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.douglas.lan. 900 IN SRV 0 100 88 samba1.douglas.lan.
 +
 +Calling nsupdate for SRV _ldap._tcp.pdc._msdcs.douglas.lan samba1.douglas.lan 389 (add)
 +Outgoing update query:
 +;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
 +;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
 +;; UPDATE SECTION:
 +_ldap._tcp.pdc._msdcs.douglas.lan. 900 IN SRV 0 100 389 samba1.douglas.lan.
 +
 +Calling nsupdate for A gc._msdcs.douglas.lan 192.168.25.100 (add)
 +Outgoing update query:
 +;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
 +;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
 +;; UPDATE SECTION:
 +gc._msdcs.douglas.lan.  900 IN  A 192.168.25.100
 +
 +Calling nsupdate for SRV _gc._tcp.douglas.lan samba1.douglas.lan 3268 (add)
 +Outgoing update query:
 +;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
 +;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
 +;; UPDATE SECTION:
 +_gc._tcp.douglas.lan. 900 IN  SRV 0 100 3268 samba1.douglas.lan.
 +
 +Calling nsupdate for SRV _ldap._tcp.gc._msdcs.douglas.lan samba1.douglas.lan 3268 (add)
 +Outgoing update query:
 +;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
 +;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
 +;; UPDATE SECTION:
 +_ldap._tcp.gc._msdcs.douglas.lan. 900 IN SRV  0 100 3268 samba1.douglas.lan.
 +
 +Calling nsupdate for SRV _gc._tcp.Default-First-Site-Name._sites.douglas.lan samba1.douglas.lan 3268 (add)
 +Outgoing update query:
 +;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
 +;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
 +;; UPDATE SECTION:
 +_gc._tcp.Default-First-Site-Name._sites.douglas.lan. 900 IN SRV 0 100 3268 samba1.douglas.lan.
 +
 +Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.douglas.lan samba1.douglas.lan 3268 (add)
 +Outgoing update query:
 +;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
 +;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
 +;; UPDATE SECTION:
 +_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.douglas.lan. 900 IN SRV 0 100 3268 samba1.douglas.lan.
 +
 +Calling nsupdate for A DomainDnsZones.douglas.lan 192.168.25.100 (add)
 +Outgoing update query:
 +;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
 +;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
 +;; UPDATE SECTION:
 +DomainDnsZones.douglas.lan. 900 IN  A 192.168.25.100
 +
 +Calling nsupdate for SRV _ldap._tcp.DomainDnsZones.douglas.lan samba1.douglas.lan 389 (add)
 +Outgoing update query:
 +;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
 +;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
 +;; UPDATE SECTION:
 +_ldap._tcp.DomainDnsZones.douglas.lan. 900 IN SRV 0 100 389 samba1.douglas.lan.
 +
 +Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.douglas.lan samba1.douglas.lan 389 (add)
 +Outgoing update query:
 +;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
 +;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
 +;; UPDATE SECTION:
 +_ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.douglas.lan. 900 IN SRV 0 100 389 samba1.douglas.lan.
 +
 +Calling nsupdate for A ForestDnsZones.douglas.lan 192.168.25.100 (add)
 +Outgoing update query:
 +;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
 +;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
 +;; UPDATE SECTION:
 +ForestDnsZones.douglas.lan. 900 IN  A 192.168.25.100
 +
 +Calling nsupdate for SRV _ldap._tcp.ForestDnsZones.douglas.lan samba1.douglas.lan 389 (add)
 +Outgoing update query:
 +;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
 +;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
 +;; UPDATE SECTION:
 +_ldap._tcp.ForestDnsZones.douglas.lan. 900 IN SRV 0 100 389 samba1.douglas.lan.
 +
 +Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.douglas.lan samba1.douglas.lan 389 (add)
 +Outgoing update query:
 +;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
 +;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
 +;; UPDATE SECTION:
 +_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.douglas.lan. 900 IN SRV 0 100 389 samba1.douglas.lan.
 +</sxh>
 +
 +Now let's test the SRV records
 +
 +Let's look up the LDAP service
 +
 +<sxh bash;>
 +host -t SRV _ldap._tcp.douglas.lan.
 +_ldap._tcp.douglas.lan has SRV record 0 100 389 samba1.douglas.lan.
 +</sxh>
 +
 +Let's look up the Kerberos service
 +
 +<sxh bash;>
 +host -t SRV _kerberos._udp.douglas.lan.
 +_kerberos._udp.douglas.lan has SRV record 0 100 88 nodo1.douglas.lan.
 +</sxh>
 +
 +Let's look up the A record of samba1
 +
 +<sxh bash;>
 +host -t A samba1.douglas.lan
 +samba1.douglas.lan has address 192.168.25.100
 +</sxh>
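The lookups above check one record at a time, and the _kerberos._udp answer shows why that matters: it points at nodo1.douglas.lan while every other record points at samba1, and clients would be sent to that host for Kerberos. The shell check below is an added example, not part of the original page: it walks every SRV record a domain member needs, parses the host -t SRV output, and reports records that are missing, do not list one of the expected DCs on the right port, or point at a host that is not one of them. The list of SRV names, the function names and the constructed answers in fake_lookup_srv are my own assumptions.

```sh
#!/bin/sh
# Added example, not from the original page: verify that the SRV records
# domain members use to find the DC all point at the expected DC(s).
# Real lookups go through "host -t SRV"; SRV_LOOKUP may name another
# function (the demo below uses constructed answers) so the logic runs
# without a DC.

# SRV names relative to the domain, and the port each must advertise
AD_SRV_EXPECTED='_ldap._tcp 389
_ldap._tcp.dc._msdcs 389
_ldap._tcp.pdc._msdcs 389
_kerberos._tcp 88
_kerberos._udp 88
_kpasswd._tcp 464
_kpasswd._udp 464
_gc._tcp 3268
_ldap._tcp.gc._msdcs 3268'

lookup_srv() { host -t SRV "$1."; }

# Turn lines like
#   _ldap._tcp.douglas.lan has SRV record 0 100 389 samba1.douglas.lan.
# into "PORT TARGET" (target without the trailing dot); anything else,
# e.g. "Host ... not found: 3(NXDOMAIN)", produces no output.
parse_srv() {
    awk '$2 == "has" && $3 == "SRV" && $4 == "record" { sub(/\.$/, "", $8); print $7, $8 }'
}

# is_one_of NEEDLE WORD... -> 0 if NEEDLE equals one of the WORDs
is_one_of() {
    needle="$1"; shift
    for word in "$@"; do [ "$word" = "$needle" ] && return 0; done
    return 1
}

# check_ad_srv DOMAIN DC_FQDN... -> prints one line per problem and returns
# the number of problems (0 = every record present and pointing at our DCs)
check_ad_srv() {
    domain="$1"; shift
    problems=0
    while read -r name port; do
        [ -n "$name" ] || continue
        fqdn="$name.$domain"
        records=$("${SRV_LOOKUP:-lookup_srv}" "$fqdn" | parse_srv)
        if [ -z "$records" ]; then
            echo "MISSING    $fqdn"
            problems=$((problems + 1))
            continue
        fi
        # every DC we run must be advertised on the right port
        for dc in "$@"; do
            printf '%s\n' "$records" | grep -qxF "$port $dc" || {
                echo "NO-RECORD  $fqdn does not list $dc on port $port"
                problems=$((problems + 1))
            }
        done
        # any target that is not one of our DCs is stale (or not ours at all):
        # clients would be sent to that host for LDAP/Kerberos
        unknown=$(printf '%s\n' "$records" | while read -r p t; do
            is_one_of "$t" "$@" || echo "$t:$p"
        done)
        if [ -n "$unknown" ]; then
            echo "UNEXPECTED $fqdn -> $(printf '%s' "$unknown" | tr '\n' ' ')"
            problems=$((problems + 1))
        fi
    done <<EOF
$AD_SRV_EXPECTED
EOF
    return "$problems"
}

# Constructed answers modelled on the host output shown on this page,
# including the _kerberos._udp entry that points at a different host.
fake_lookup_srv() {
    case "$1" in
        _kerberos._udp.douglas.lan)
            echo "_kerberos._udp.douglas.lan has SRV record 0 100 88 nodo1.douglas.lan." ;;
        *)
            port=$(printf '%s\n' "$AD_SRV_EXPECTED" | awk -v n="${1%.douglas.lan}" '$1 == n { print $2 }')
            echo "$1 has SRV record 0 100 $port samba1.douglas.lan." ;;
    esac
}

# Demo: run the check against the constructed answers. For real use leave
# SRV_LOOKUP unset and run: check_ad_srv douglas.lan samba1.douglas.lan
SRV_LOOKUP=fake_lookup_srv
check_ad_srv douglas.lan samba1.douglas.lan
echo "problems found: $?"
```

Once the second DC (samba2) is joined, pass both names so the check also confirms that every record advertises both of them.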
 +
 +Let's display the records in the keytab
 +
 +<sxh bash;>
 +klist -k
 +Keytab name: FILE:/etc/krb5.keytab
 +KVNO Principal
 +---- --------------------------------------------------------------------------
 +   1 DNS/samba1.douglas.lan@DOUGLAS.LAN
 +   1 dns-samba1@DOUGLAS.LAN
 +   1 DNS/samba1.douglas.lan@DOUGLAS.LAN
 +   1 dns-samba1@DOUGLAS.LAN
 +   1 DNS/samba1.douglas.lan@DOUGLAS.LAN
 +   1 dns-samba1@DOUGLAS.LAN
 +   1 DNS/samba1.douglas.lan@DOUGLAS.LAN
 +   1 dns-samba1@DOUGLAS.LAN
 +   1 DNS/samba1.douglas.lan@DOUGLAS.LAN
 +   1 dns-samba1@DOUGLAS.LAN
 +</sxh>
 +
 +====== PAM Configuration ======
 +
 +Now we need to configure PAM. Here I'll allow only users from the group it-admin to log in on the PDC. The group it-admin needs to be created in Samba and its users need a valid shell.
 +
 +Now we need to create a symbolic link from the Samba security directory to the system's default PAM security directory. Here I'm using a 64-bit system, which is why the target is /lib/x86_64-linux-gnu; on another architecture the directory differs. If you don't know where the other PAM modules are stored, search for "pam_umask.so" and put the symbolic link in that directory.
 +
 +<sxh bash;>
 +ln -sf /usr/local/samba/lib/security/pam_winbind.so  /lib/x86_64-linux-gnu/security/pam_winbind.so
 +</sxh>
 +
 +Now we need to configure the PAM files.
 +
 +Let's start with common-auth, which controls the authentication settings common to all services.
 +
 +<sxh bash;>
 +vim /etc/pam.d/common-auth
 +#
 +# /etc/pam.d/common-auth - authentication settings common to all services
 +#
 +# This file is included from other service-specific PAM config files,
 +# and should contain a list of the authentication modules that define
 +# the central authentication scheme for use on the system
 +# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
 +# traditional Unix authentication mechanisms.
 +#
 +# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
 +# To take advantage of this, it is recommended that you configure any
 +# local modules either before or after the default block, and use
 +# pam-auth-update to manage selection of other modules.  See
 +# pam-auth-update(8) for details.
 +
 +# here are the per-package modules (the "Primary" block)
 +auth    sufficient                      pam_winbind.so
 +auth  [success=2 default=ignore]  pam_krb5.so minimum_uid=1000
 +auth  [success=1 default=ignore]  pam_unix.so nullok_secure try_first_pass
 +# here's the fallback if no module succeeds
 +auth  requisite     pam_deny.so
 +# prime the stack with a positive return value if there isn't one already;
 +# this avoids us returning an error just because nothing sets a success code
 +# since the modules above will each just jump around
 +auth  required      pam_permit.so
 +# and here are more per-package modules (the "Additional" block)
 +# end of pam-auth-update config
 +</sxh>
 +
 +Let's configure the common-account that controls authorization settings common to all services.
 +<sxh bash;>
 +vim /etc/pam.d/common-account
 +#
 +# /etc/pam.d/common-account - authorization settings common to all services
 +#
 +# This file is included from other service-specific PAM config files,
 +# and should contain a list of the authorization modules that define
 +# the central access policy for use on the system.  The default is to
 +# only deny service to users whose accounts are expired in /etc/shadow.
 +#
 +# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
 +# To take advantage of this, it is recommended that you configure any
 +# local modules either before or after the default block, and use
 +# pam-auth-update to manage selection of other modules.  See
 +# pam-auth-update(8) for details.
 +#
 +
 +# here are the per-package modules (the "Primary" block)
 +account sufficient                       pam_winbind.so
 +account [success=1 new_authtok_reqd=done default=ignore]  pam_unix.so
 +# here's the fallback if no module succeeds
 +account requisite     pam_deny.so
 +# prime the stack with a positive return value if there isn't one already;
 +# this avoids us returning an error just because nothing sets a success code
 +# since the modules above will each just jump around
 +account required      pam_permit.so
 +# and here are more per-package modules (the "Additional" block)
 +account required      pam_krb5.so minimum_uid=1000
 +# end of pam-auth-update config
 +</sxh>
 +
 +Let's configure the common-session that controls session related modules common to all services
 +<sxh bash;>
 +vim /​etc/​pam.d/​common-session
 +#
 +# /​etc/​pam.d/​common-session - session-related modules common to all services
 +#
 +# This file is included from other service-specific PAM config files,
 +# and should contain a list of modules that define tasks to be performed
 +# at the start and end of sessions of *any* kind (both interactive and
 +# non-interactive).
 +#
 +# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
 +# To take advantage of this, it is recommended that you configure any
 +# local modules either before or after the default block, and use
 +# pam-auth-update to manage selection of other modules. ​ See
 +# pam-auth-update(8) for details.
 + 
 +# here are the per-package modules (the "​Primary"​ block)
 +session required pam_mkhomedir.so skel=/​etc/​skel umask=0027
 +session required pam_winbind.so
 +session [default=1] ​    ​pam_permit.so
 +# here's the fallback if no module succeeds
 +session requisite ​    ​pam_deny.so
 +# prime the stack with a positive return value if there isn't one already;
 +# this avoids us returning an error just because nothing sets a success code
 +# since the modules above will each just jump around
 +session required ​     pam_permit.so
 +# and here are more per-package modules (the "​Additional"​ block)
 +session optional ​     pam_krb5.so minimum_uid=1000
 +session required ​ pam_unix.so
 +# end of pam-auth-update config
 +</​sxh>​
 +
 +Let's configure the sshd file, which holds the PAM configuration for the Secure Shell service. The two pam_succeed_if lines in the account phase are what restrict SSH access: root is accepted outright, and any other user must belong to the it-admin group or the login is refused.
 +<sxh bash;>
 +vim /etc/pam.d/sshd
 +# PAM configuration for the Secure Shell service
 +
 +# Read environment variables from /etc/environment and
 +# /etc/security/pam_env.conf.
 +auth       required     pam_env.so # [1]
 +# In Debian 4.0 (etch), locale-related environment variables were moved to
 +# /etc/default/locale, so read that as well.
 +auth       required     pam_env.so envfile=/etc/default/locale
 +
 +# Standard Un*x authentication.
 +@include common-auth
 +
 +# Disallow non-root logins when /etc/nologin exists.
 +account    required     pam_nologin.so
 +# Allow connections only from these groups
 +account    sufficient   pam_succeed_if.so user ingroup root
 +account    requisite    pam_succeed_if.so user ingroup it-admin
 +
 +# Uncomment and edit /etc/security/access.conf if you need to set complex
 +# access limits that are hard to express in sshd_config.
 +# account  required     pam_access.so
 +
 +# Standard Un*x authorization.
 +@include common-account
 +
 +# Standard Un*x session setup and teardown.
 +@include common-session
 +
 +# Print the message of the day upon successful login.
 +# This includes a dynamically generated part from /run/motd.dynamic
 +# and a static (admin-editable) part from /etc/motd.
 +session    optional     pam_motd.so  motd=/run/motd.dynamic noupdate
 +session    optional     pam_motd.so # [1]
 +
 +# Print the status of the user's mailbox upon successful login.
 +session    optional     pam_mail.so standard noenv # [1]
 +
 +# Set up user limits from /etc/security/limits.conf.
 +session    required     pam_limits.so
 +
 +# Set up SELinux capabilities (need modified pam)
 +# session  required     pam_selinux.so multiple
 +
 +# Standard Un*x password updating.
 +@include common-password
 +</sxh>
 +
 +Let's configure the login file, which holds the PAM configuration for the shadow 'login' service. The same pair of pam_succeed_if lines restricts console logins to root and the members of it-admin.
 +<sxh bash;>
 +vim /etc/pam.d/login
 +#
 +# The PAM configuration file for the Shadow `login' service
 +#
 +
 +# Enforce a minimal delay in case of failure (in microseconds).
 +# (Replaces the `FAIL_DELAY' setting from login.defs)
 +# Note that other modules may require another minimal delay. (for example,
 +# to disable any delay, you should add the nodelay option to pam_unix)
 +auth       optional   pam_faildelay.so  delay=3000000
 +
 +# Outputs an issue file prior to each login prompt (Replaces the
 +# ISSUE_FILE option from login.defs). Uncomment for use
 +# auth       required   pam_issue.so issue=/etc/issue
 +
 +# Disallows root logins except on tty's listed in /etc/securetty
 +# (Replaces the `CONSOLE' setting from login.defs)
 +#
 +# With the default control of this module:
 +#   [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die]
 +# root will not be prompted for a password on insecure lines.
 +# if an invalid username is entered, a password is prompted (but login
 +# will eventually be rejected)
 +#
 +# You can change it to a "requisite" module if you think root may mis-type
 +# her login and should not be prompted for a password in that case. But
 +# this will leave the system as vulnerable to user enumeration attacks.
 +#
 +# You can change it to a "required" module if you think it permits to
 +# guess valid user names of your system (invalid user names are considered
 +# as possibly being root on insecure lines), but root passwords may be
 +# communicated over insecure lines.
 +auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
 +
 +# Disallows other than root logins when /etc/nologin exists
 +# (Replaces the `NOLOGINS_FILE' option from login.defs)
 +auth       requisite  pam_nologin.so
 +
 +# Allow connections only from these groups
 +account    sufficient   pam_succeed_if.so user ingroup root
 +account    requisite    pam_succeed_if.so user ingroup it-admin
 +
 +# SELinux needs to be the first session rule. This ensures that any
 +# lingering context has been cleared. Without this it is possible
 +# that a module could execute code in the wrong domain.
 +# When the module is present, "required" would be sufficient (When SELinux
 +# is disabled, this returns success.)
 +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
 +
 +# This module parses environment configuration file(s)
 +# and also allows you to use an extended config
 +# file /etc/security/pam_env.conf.
 +
 +# parsing /etc/environment needs "readenv=1"
 +session       required   pam_env.so readenv=1
 +# locale variables are also kept into /etc/default/locale in etch
 +# reading this file *in addition to /etc/environment* does not hurt
 +session       required   pam_env.so readenv=1 envfile=/etc/default/locale
 +
 +# Standard Un*x authentication.
 +@include common-auth
 +
 +# This allows certain extra groups to be granted to a user
 +# based on things like time of day, tty, service, and user.
 +# Please edit /etc/security/group.conf to fit your needs
 +# (Replaces the `CONSOLE_GROUPS' option in login.defs)
 +auth       optional   pam_group.so
 +
 +# Uncomment and edit /etc/security/time.conf if you need to set
 +# time restraints on logins.
 +# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
 +# as well as /etc/porttime)
 +# account    requisite  pam_time.so
 +
 +# Uncomment and edit /etc/security/access.conf if you need to
 +# set access limits.
 +# (Replaces /etc/login.access file)
 +# account  required       pam_access.so
 +
 +# Sets up user limits according to /etc/security/limits.conf
 +# (Replaces the use of /etc/limits in old login)
 +session    required   pam_limits.so
 +
 +# Prints the last login info upon successful login
 +# (Replaces the `LASTLOG_ENAB' option from login.defs)
 +session    optional   pam_lastlog.so
 +
 +# Prints the message of the day upon successful login.
 +# (Replaces the `MOTD_FILE' option in login.defs)
 +# This includes a dynamically generated part from /run/motd.dynamic
 +# and a static (admin-editable) part from /etc/motd.
 +session    optional   pam_motd.so  motd=/run/motd.dynamic
 +session    optional   pam_motd.so
 +
 +# Prints the status of the user's mailbox upon successful login
 +# (Replaces the `MAIL_CHECK_ENAB' option from login.defs).
 +#
 +# This also defines the MAIL environment variable
 +# However, userdel also needs MAIL_DIR and MAIL_FILE variables
 +# in /etc/login.defs to make sure that removing a user
 +# also removes the user's mail spool file.
 +# See comments in /etc/login.defs
 +session    optional   pam_mail.so standard
 +
 +# Standard Un*x account and session
 +@include common-account
 +@include common-session
 +@include common-password
 +
 +# SELinux needs to intervene at login time to ensure that the process
 +# starts in the proper default security context. Only sessions which are
 +# intended to run in the user's context should be run after this.
 +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
 +# When the module is present, "required" would be sufficient (When SELinux
 +# is disabled, this returns success.)
 +</sxh>
 +
 +Now let's configure sudo so that the it-admin group can work as the root user.
 +<sxh bash;>
 +visudo
 +[...]
 +"%DOUGLAS\it-admin" ALL=(ALL) ALL
 +</sxh>
 +
 +Now let's create the it-admin group
 +<sxh bash;>
 +samba-tool group add it-admin --group-scope=Global --group-type=Security --description="IT Administration"
 +Added group it-admin
 +</sxh>
 +
 +Now we can list all the groups like this
 +<sxh bash;>
 +samba-tool group list
 +Allowed RODC Password Replication Group
 +Enterprise Read-Only Domain Controllers
 +Denied RODC Password Replication Group
 +Pre-Windows 2000 Compatible Access
 +Windows Authorization Access Group
 +Certificate Service DCOM Access
 +Network Configuration Operators
 +Terminal Server License Servers
 +Incoming Forest Trust Builders
 +Read-Only Domain Controllers
 +Group Policy Creator Owners
 +Performance Monitor Users
 +Cryptographic Operators
 +Distributed COM Users
 +Performance Log Users
 +Remote Desktop Users
 +Account Operators
 +Event Log Readers
 +RAS and IAS Servers
 +Backup Operators
 +Domain Controllers
 +Server Operators
 +Enterprise Admins
 +Print Operators
 +Administrators
 +Domain Computers
 +Cert Publishers
 +DnsUpdateProxy
 +Domain Admins
 +Domain Guests
 +Schema Admins
 +Domain Users
 +Replicator
 +IIS_IUSRS
 +DnsAdmins
 +Guests
 +it-admin
 +Users
 +</sxh>
 +
 +Now we need to create a new user to put into it-admin
 +<sxh bash;>
 +samba-tool user create douglas.q.santos smb@134*
 +User 'douglas.q.santos' created successfully
 +</sxh>
 +
 +Now let's add the user douglas.q.santos to the group it-admin
 +<sxh bash;>
 +samba-tool group addmembers it-admin douglas.q.santos
 +Added members to group it-admin
 +</sxh>
 +
 +Now we can list the members of it-admin
 +<sxh bash;>
 +samba-tool group listmembers it-admin
 +douglas.q.santos
 +</sxh>
 +
 +Everything is working as needed so far.
 +
 +Now we need to restart the server to load all the new configurations
 +<sxh bash;>
 +reboot
 +</sxh>
 +
 +After the reboot we can try to log in as douglas.q.santos, or log in as root and switch to that user as follows
 +<sxh bash;>
 +root@samba1:~# su - douglas.q.santos
 +Creating directory '/home/DOUGLAS/douglas.q.santos'.
 +mesg: /dev/pts/0: Operation not permitted
 +DOUGLAS\douglas.q.santos@samba1:~$
 +</sxh>
 +
 +Now let's go back to the root user and check the winbind connection.
 +<sxh bash;>
 +wbinfo -t
 +checking the trust secret for domain DOUGLAS via RPC calls succeeded
 +</sxh>
 +
 +Let's list the users from Samba
 +<sxh bash;>
 +wbinfo -u
 +Administrator
 +Guest
 +krbtgt
 +dns-samba1
 +douglas.q.santos
 +</sxh>
 +
 +Now let's try to log in to the server via SSH
 +<sxh bash;>
 +ssh douglas.q.santos@192.168.25.100 -p 22
 +douglas.q.santos@192.168.25.100's password:
 +
 +The programs included with the Debian GNU/Linux system are free software;
 +the exact distribution terms for each program are described in the
 +individual files in /usr/share/doc/*/copyright.
 +
 +Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
 +permitted by applicable law.
 +DOUGLAS\douglas.q.santos@samba1:~$
 +</sxh>
 +
 +Now let's test sudo
 +<sxh bash;>
 +DOUGLAS\douglas.q.santos@samba1:~$ sudo -i
 +
 +We trust you have received the usual lecture from the local System
 +Administrator. It usually boils down to these three things:
 +
 +    #1) Respect the privacy of others.
 +    #2) Think before you type.
 +    #3) With great power comes great responsibility.
 +
 +[sudo] password for DOUGLAS\douglas.q.santos:
 +root@samba1:~#
 +</sxh>
 +
 +Now let's check the auth.log file, where the group checks made by pam_succeed_if, the accepted SSH login and the sudo escalation are all recorded
 +
 +<sxh bash;>
 +tail -f /var/log/auth.log
 +Jun  7 11:33:39 samba1 sshd[1426]: pam_succeed_if(sshd:account): requirement "user ingroup sudo" not met by user "DOUGLAS\douglas.q.santos"
 +Jun  7 11:33:39 samba1 sshd[1426]: pam_succeed_if(sshd:account): requirement "user ingroup it-admin" was met by user "DOUGLAS\douglas.q.santos"
 +Jun  7 11:33:39 samba1 sshd[1426]: pam_winbind(sshd:account): user 'DOUGLAS\douglas.q.santos' granted access
 +Jun  7 11:33:39 samba1 sshd[1426]: Accepted password for douglas.q.santos from 192.168.25.254 port 50681 ssh2
 +Jun  7 11:33:39 samba1 sshd[1426]: pam_unix(sshd:session): session opened for user DOUGLAS\douglas.q.santos by (uid=0)
 +Jun  7 11:33:44 samba1 sudo: DOUGLAS\douglas.q.santos : TTY=pts/1 ; PWD=/home/DOUGLAS/douglas.q.santos ; USER=root ; COMMAND=/bin/su -
 +Jun  7 11:33:44 samba1 su[1436]: pam_winbind(su:account): valid_user: wbcGetpwnam gave WBC_ERR_DOMAIN_NOT_FOUND
 +Jun  7 11:33:44 samba1 su[1436]: Successful su for root by root
 +Jun  7 11:33:44 samba1 su[1436]: + /dev/pts/1 root:root
 +Jun  7 11:33:44 samba1 su[1436]: pam_unix(su:session): session opened for user root by DOUGLAS\douglas.q.santos(uid=0)
 +</sxh>
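 +As an added example (not code from the original page), here is a small shell function that reads auth.log lines like the ones above and turns them into one event per line, so the group checks done by pam_succeed_if, the logins sshd accepted and the sudo escalations to root can be counted or handed to a monitoring job. The sample lines are constructed from the output above, with one extra denied user added to show the failure case.

```shell
#!/bin/sh
# Added example: summarise PAM group checks, accepted SSH logins and sudo
# escalations to root from auth.log lines in the format shown on this page.

# Sample log lines (constructed for this example from the output above; the
# last line, for a user outside it-admin, is added to show a denied login).
SAMPLE_LOG='Jun  7 11:33:39 samba1 sshd[1426]: pam_succeed_if(sshd:account): requirement "user ingroup sudo" not met by user "DOUGLAS\douglas.q.santos"
Jun  7 11:33:39 samba1 sshd[1426]: pam_succeed_if(sshd:account): requirement "user ingroup it-admin" was met by user "DOUGLAS\douglas.q.santos"
Jun  7 11:33:39 samba1 sshd[1426]: Accepted password for douglas.q.santos from 192.168.25.254 port 50681 ssh2
Jun  7 11:33:44 samba1 sudo: DOUGLAS\douglas.q.santos : TTY=pts/1 ; PWD=/home/DOUGLAS/douglas.q.santos ; USER=root ; COMMAND=/bin/su -
Jun  7 11:35:02 samba1 sshd[1500]: pam_succeed_if(sshd:account): requirement "user ingroup it-admin" not met by user "DOUGLAS\jane.doe"'

# audit_auth_log: read auth.log lines on stdin and print one event per line:
#   GROUP_OK <user> <group>      a pam_succeed_if group requirement was met
#   GROUP_FAIL <user> <group>    a pam_succeed_if group requirement was not met
#   SSH_ACCEPT <user> <src-ip>   sshd accepted a password login
#   SUDO_ROOT <user> <command>   sudo ran a command as root for that user
# Usage on a live system: audit_auth_log < /var/log/auth.log
audit_auth_log() {
  awk '
    /pam_succeed_if/ && /requirement .user ingroup / {
      # split on double quotes: q[2] = user ingroup <group>, q[4] = DOMAIN\user
      split($0, q, "\"")
      grp = q[2]; sub(/^user ingroup /, "", grp)
      status = (q[3] ~ /not met/) ? "GROUP_FAIL" : "GROUP_OK"
      print status " " q[4] " " grp
      next
    }
    /sshd\[[0-9]+\]: Accepted / {
      # "Accepted password for <user> from <ip> port <n> ssh2"
      for (i = 1; i <= NF; i++) {
        if ($i == "for") usr = $(i + 1)
        if ($i == "from") ip = $(i + 1)
      }
      print "SSH_ACCEPT " usr " " ip
      next
    }
    / sudo: / && /USER=root ; COMMAND=/ {
      # field 6 is the invoking user; everything after COMMAND= is the command
      usr = $6
      cmd = $0; sub(/.*COMMAND=/, "", cmd)
      print "SUDO_ROOT " usr " " cmd
      next
    }
  '
}

# Demo run over the constructed sample
printf '%s\n' "$SAMPLE_LOG" | audit_auth_log
```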
 +
 +Everything is ok so far.
 +
 +====== Samba 4 Backup ======
 +
 +The backup script is not installed when we run make install, therefore we need to copy it to a location on the PATH (here /usr/sbin)
 +
 +Let's assume the Samba sources are in /usr/src/samba-4.2.2
 +
 +Let's copy the script
 +<sxh bash;>
 +cp /usr/src/samba-4.2.2/source4/scripting/bin/samba_backup /usr/sbin
 +</sxh>
 +
 +Now we need to change the permissions
 +<sxh bash;>
 +chown root:root /usr/sbin/samba_backup
 +chmod 750 /usr/sbin/samba_backup
 +</sxh>
 +
 +Now we need to adjust some variables in the script
 +<sxh bash;>
 +vim /usr/sbin/samba_backup
 +[...]
 +FROMWHERE=/usr/local/samba
 +WHERE=/usr/local/backups
 +[...]
 +DAYS=15
 +</sxh>
 +
 +Above we have:
 +  * **FROMWHERE** → Where Samba was installed
 +  * **WHERE** → The location where the script will store the backups
 +  * **DAYS** → The number of days we need to keep the backups
 +
 +Now we need to create the directory that will store the backups
 +
 +<sxh bash;>
 +mkdir /usr/local/backups
 +</sxh>
 +
 +Now let's change the permissions of the directory
 +<sxh bash;>
 +chmod 750 /usr/local/backups
 +</sxh>
 +
 +Now we can run the script
 +<sxh bash;>
 +/usr/sbin/samba_backup
 +</sxh>
 +
 +After the script finishes we will get something like below.
 +<sxh bash;>
 +ls -l /usr/local/backups
 +total 12164
 +-rw-r--r-- 1 root staff     1310 Jun 11 10:35 etc.2015-06-11.tar.bz2
 +-rw-r--r-- 1 root staff 12447369 Jun 11 10:35 samba4_private.2015-06-11.tar.bz2
 +-rw-r--r-- 1 root staff      546 Jun 11 10:35 sysvol.2015-06-11.tar.bz2
 +</sxh>
 +
 +Note that the archives themselves are created world-readable (-rw-r--r--) although samba4_private holds the domain's databases and secrets, so the 750 mode on the directory is what keeps other local users out; keep it that way or tighten the file modes as well.
 +
 +If the script runs without any error, there will be 3 files:
 +
 +  * <nowiki>etc.{Timestamp}.tar.bz2</nowiki>
 +  * <nowiki>samba4_private.{Timestamp}.tar.bz2</nowiki>
 +  * <nowiki>sysvol.{Timestamp}.tar.bz2</nowiki>
 +
 +We can schedule the script to run every day at 2 A.M. like below.
 +<sxh bash;>
 +crontab -e
 +0 2 * * *       /usr/sbin/samba_backup
 +</sxh>
 +
 +Now we have the Samba backup scheduled.
 +
 +====== Samba 4 Restore ======
 +
 +**Note:**
 +
 +  * The backup and the restore must be done with the same version of Samba, in other words from 4.2.2 to 4.2.2
 +  * The restore must be executed on a machine with the same name and IP as the one where the backup was created.
 +  * It's best practice to always restore a backup on the same OS, e.g. from Debian to Debian. (I tried to back up from a CentOS and restore on a Debian and it didn't work).
 +  * After the restore it is always good advice to test all shares, permissions and the like, to make sure that everything works before putting it into production.
 +  * If the system crashed, the first thing you need to do is reconfigure the whole Samba server and then restore the backup, keeping in mind all the other points above.
 +
 +Before restoring Samba we need to make sure that Samba is down.
 +
 +Let's stop Samba
 +<sxh bash;>
 +/etc/init.d/samba stop
 +</sxh>
 +
 +Now let's check that Samba is down
 +<sxh bash;>
 +ps aux | egrep samba
 +root      2404  0.0  0.1  12964  2356 pts/0    S+   14:47   0:00 grep -E --color=auto samba
 +</sxh>
 +
 +Now let's remove the files and directories as needed.
 +
 +<sxh bash;>
 +rm -rf /usr/local/samba/etc
 +rm -rf /usr/local/samba/private
 +rm -rf /usr/local/samba/var/locks/sysvol
 +</sxh>
 +
 +Now we need to restore Samba: let's go to the backup directory and extract the files.
 +<sxh bash;>
 +cd /usr/local/backups
 +tar -jxf etc.2015-06-11.tar.bz2 -C /usr/local/samba
 +tar -jxf samba4_private.2015-06-11.tar.bz2 -C /usr/local/samba
 +tar -jxf sysvol.2015-06-11.tar.bz2 -C /usr/local/samba
 +</sxh>
 +
 +Now we need to rename the files with the extension *.ldb.bak in the private directory to *.ldb
 +<sxh bash;>
 +find /usr/local/samba/private/ -type f -name '*.ldb.bak' -print0 | while read -d $'\0' f ; do mv "$f" "${f%.bak}" ; done
 +</sxh>
 +
 +Now we need to restore the ACLs
 +<sxh bash;>
 +samba-tool ntacl sysvolreset
 +</sxh>
 +
 +If you are using BIND_DLZ as backend we need to fix the hard links
 +<sxh bash;>
 +samba_upgradedns --dns-backend=BIND9_DLZ
 +</sxh>
 +
 +Now let's start Samba
 +<sxh bash;>
 +/etc/init.d/samba start
 +</sxh>
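 +As an added example (not the page's or the Samba project's code), here is the restore procedure above as one checked script: it refuses to start unless all three archives for the chosen date exist, refuses to wipe the databases while a Samba process is still alive, and runs the rename, ACL reset and DNS fix steps in the order given. Paths follow the page; samba-tool and samba_upgradedns are assumed to be on the PATH, and DRY_RUN=1 only prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not the page's or the Samba project's code): the restore
# procedure above as a checked script. Paths follow the page; samba-tool and
# samba_upgradedns are assumed to be on the PATH.
BACKUP_DIR=${BACKUP_DIR:-/usr/local/backups}
SAMBA_ROOT=${SAMBA_ROOT:-/usr/local/samba}

# run CMD...: execute a step, or only print it when DRY_RUN=1
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# find_backup_set DIR STAMP: print the three archives samba_backup wrote for
# STAMP (e.g. 2015-06-11); fail, naming what is missing, if the set is incomplete
find_backup_set() {
  dir=$1; stamp=$2; ok=0
  for part in etc samba4_private sysvol; do
    f="$dir/$part.$stamp.tar.bz2"
    if [ -f "$f" ]; then
      echo "$f"
    else
      echo "missing: $f" >&2; ok=1
    fi
  done
  return $ok
}

# rename_ldb_bak DIR: rename every *.ldb.bak under DIR to *.ldb and print how
# many files were renamed; -exec with a tiny shell copes with any file name
rename_ldb_bak() {
  dir=$1
  n=$(( $(find "$dir" -type f -name '*.ldb.bak' | wc -l) + 0 ))
  find "$dir" -type f -name '*.ldb.bak' \
    -exec sh -c 'for f; do mv -- "$f" "${f%.bak}"; done' sh {} +
  echo "$n"
}

# restore_samba STAMP: the steps from the page, in order, stopping at the first failure
restore_samba() {
  stamp=$1
  files=$(find_backup_set "$BACKUP_DIR" "$stamp") || return 1
  run /etc/init.d/samba stop || return 1
  # refuse to touch the databases while a samba process is still alive
  if [ "${DRY_RUN:-0}" != 1 ] && pgrep samba >/dev/null 2>&1; then
    echo "samba is still running, aborting" >&2; return 1
  fi
  for d in etc private var/locks/sysvol; do
    run rm -rf "$SAMBA_ROOT/$d" || return 1
  done
  for f in $files; do
    run tar -jxf "$f" -C "$SAMBA_ROOT" || return 1
  done
  if [ "${DRY_RUN:-0}" != 1 ]; then
    echo "renamed $(rename_ldb_bak "$SAMBA_ROOT/private") .ldb.bak files"
  fi
  run samba-tool ntacl sysvolreset || return 1
  # only needed with the BIND9_DLZ backend, which this page uses
  run samba_upgradedns --dns-backend=BIND9_DLZ || return 1
  run /etc/init.d/samba start
}

# Usage: DRY_RUN=1 sh samba_restore.sh 2015-06-11   (drop DRY_RUN to really restore)
if [ $# -gt 0 ]; then
  restore_samba "$1"
fi
```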
 +
 +Now let's display our users
 +<sxh bash;>
 +wbinfo -u
 +Administrator
 +Guest
 +krbtgt
 +dns-samba1
 +douglas.q.santos
 +</sxh>
 +
 +Now let's display our groups
 +<sxh bash;>
 +wbinfo -g
 +Enterprise Read-Only Domain Controllers
 +Domain Admins
 +Domain Users
 +Domain Guests
 +Domain Computers
 +Domain Controllers
 +Schema Admins
 +Enterprise Admins
 +Group Policy Creator Owners
 +Read-Only Domain Controllers
 +DnsUpdateProxy
 +it-admin
 +</sxh>
 +
 +Everything is working properly, as before.
 +
 +
 +====== Configuring a Windows 8 Client ======
 +
 +Now let's join a Windows 8 client to our Samba domain.
 +
 +**Configuring the DNS Client:**
 +  * On the Windows machine press **Windows Key + R** and type: **ncpa.cpl**
 +    * {{:samba4-win8cli-01.png?500|}}
 +  * Now right-click on Ethernet and choose **Properties**
 +    * {{:samba4-win8cli-02.png?500|}}
 +  * Here select **Internet Protocol Version 4 (TCP/IPv4)** and select **Properties**; here we need to set the Preferred DNS server to: 192.168.25.100
 +    * {{:samba4-win8cli-03.png?500|}}
 +  * Now click OK and Close, and close the Network Connections window
 +
 +**Joining the Domain:**
 +  * On the Windows machine press **Windows Key + R** and type: **sysdm.cpl**
 +    * {{:samba4-win8cli-04.png?500|}}
 +  * Here select **Change...** and in Domain put **douglas.lan**
 +    * {{:samba4-win8cli-05.png?500|}}
 +  * Now click **OK**.
 +    * {{:samba4-win8cli-06.png?500|}}
 +  * Now we need to enter the user **administrator** and its password and select **OK**; if everything is ok we will get the message box below.
 +    * {{:samba4-win8cli-07.png?500|}}
 +  * Now click **OK**; we will get another message box warning that we need to restart the machine to apply the changes. Click **OK** and **Close**
 +    * {{:samba4-win8cli-08.png?500|}}
 +  * Now select **Restart Now.**
 +    * {{:samba4-win8cli-09.png?500|}}
 +  * After the restart choose **Switch User** (the right arrow inside a circle). In the username put: douglas\administrator, enter its password and press Enter
 +    * {{:samba4-win8cli-10.png?500|}}
 +
 +Now we can install the RSAT; we can get it from:
 +  * http://www.microsoft.com/en-us/download/details.aspx?id=39296 **(Windows 8.1)**
 +  * http://www.microsoft.com/download/details.aspx?id=28972 **(Windows 8)**
 +  * http://www.microsoft.com/downloads/details.aspx?FamilyId=9FF6E897-23CE-4A36-B7FC-D52065DE9960&displaylang=en **(Vista)**
 +  * http://www.microsoft.com/downloads/details.aspx?FamilyID=7D2F6AD7-656B-4313-A005-4E344E43997D&displaylang=en **(Windows 7)**
 +  * http://www.microsoft.com/en-us/download/details.aspx?id=6315 **(Windows XP/Server 2003)**
 +
 +[[http://www.sysprobs.com/how-to-install-admin-tools-remote-server-administration-tools-rsat-on-windows-8|How to Install Admin Tools On Windows 8 – (Remote Server Administration Tools – RSAT)]]
 +
 +Accessing Active Directory Users and Computers
 +  * On the Windows machine press **Windows Key + R** and type: **dsa.msc**
 +    * {{:samba4-win8cli-11.png?500|}}
 +
 +Accessing the DNS Manager
 +  * On the Windows machine press **Windows Key + R** and type: **dnsmgmt.msc**
 +  * Here select The following computer: 192.168.25.100 and click OK
 +    * {{:samba4-win8cli-12.png?500|}}
 +  * After that we get the DNS Manager, where we can manage the DNS records instead of doing it via the shell.
 +    * {{:samba4-win8cli-13.png?500|}}
 +
 +====== Creating Shares ======
 +
 +Creating Samba shares is easier than in Samba 3 in my point of view; we can create the share and manage it via Windows.
 +
 +**Note:** We must be the owner of the directory, or belong to the owner group, to display or manage the permissions.
 +
 +Let's enable the domain administrators to manage the shares via Windows.
 +<sxh bash;>
 +net rpc rights grant 'DOUGLAS\Domain Admins' SeDiskOperatorPrivilege -U administrator
 +Enter administrator's password:
 +Successfully granted rights.
 +</sxh>
 +
 +If you want to assign all the privileges to a user or group, e.g. to the group 'DOUGLAS\Domain Admins', we can do it as follows. Keep in mind that this grants far more than share management needs: SeDiskOperatorPrivilege alone, as granted above, is enough for that.
 +<sxh bash;>
 +net rpc rights grant 'DOUGLAS\Domain Admins' SeMachineAccountPrivilege SeTakeOwnershipPrivilege SeBackupPrivilege SeRestorePrivilege SeRemoteShutdownPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege SeDiskOperatorPrivilege SeSecurityPrivilege SeSystemtimePrivilege SeShutdownPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeSystemProfilePrivilege SeProfileSingleProcessPrivilege SeIncreaseBasePriorityPrivilege SeLoadDriverPrivilege SeCreatePagefilePrivilege SeIncreaseQuotaPrivilege SeChangeNotifyPrivilege SeUndockPrivilege SeManageVolumePrivilege SeImpersonatePrivilege SeCreateGlobalPrivilege SeEnableDelegationPrivilege -U administrator
 +Enter administrator's password:
 +Successfully granted rights.
 +</sxh>
 +
 +Now let's create a new share.
 +<sxh bash;>
 +vim /usr/local/samba/etc/smb.conf
 +[...]
 +[Demo]
 +     path = /srv/samba/Demo/
 +     read only = no
 +</sxh>
 +
 +Now let's create the directory
 +<sxh bash;>
 +mkdir -p /srv/samba/Demo/
 +</sxh>
 +
 +Now we need to reload the Samba configuration
 +<sxh bash;>
 +smbcontrol all reload-config
 +</sxh>
 +
 +Now on Windows, with a user that belongs to the Domain Admins group (here I shall use administrator):
 +  * Press Windows key + R and type: **compmgmt.msc**
 +    * {{:samba4-win8cli-14.png?500|}}
 +  * Now right-click on Computer Management and select Connect to another computer...
 +  * Now in Another computer put: 192.168.25.100 and click OK
 +    * {{:samba4-win8cli-15.png?500|}}
 +  * Now browse to System Tools/Shared Folders/Shares and select our new share called Demo
 +    * {{:samba4-win8cli-16.png?500|}}
 +  * Now right-click on Demo and select Properties
 +    * {{:samba4-win8cli-17.png?500|}}
 +  * Now go to the Share Permissions tab. Here we can configure who will be able to access the share.
 +    * {{:samba4-win8cli-18.png?500|}}
 +  * Now in the Security tab we can manage who will be able to read/execute/modify the files and folders.
 +    * {{:samba4-win8cli-19.png?500|}}
 +  * Now just select OK and close the window.
 +
 +====== Roaming Profile ======
 +
 +Now let's configure the roaming profile
 +
 +Let's create the directory that will store the profiles.
 +
 +<sxh bash;>
 +mkdir -p /srv/samba/Profiles/
 +</sxh>
 +
 +Now let's add one more share to the Samba configuration file.
 +<sxh bash;>
 +vim /usr/local/samba/etc/smb.conf
 +[...]
 +[Profiles]
 +     path = /srv/samba/Profiles/
 +     read only = no
 +</sxh>
 +
 +Now we need to reload the Samba configuration
 +<sxh bash;>
 +smbcontrol all reload-config
 +</sxh>
 +
 +Now let's check the shares from a Windows machine.
 +
 +  * Press Windows key + R and type: \\samba1
 +    * {{:samba4-win8cli-20.png?500|}}
 +  * Now right-click on the Profiles share and select Properties/Security
 +    * {{:samba4-win8cli-21.png?500|}}
 +  * Now select Advanced and Permissions
 +    * Leave only Administrator and add Owner Rights and Domain Users
 +
 +Now we need to configure the permissions as follows:
 +
 +^Name ^Permission ^Applies to ^
 +|Administrator |Full Control |This folder, subfolders and files |
 +|Domain Users |Traverse folder/execute file, List folder/read data, Create folders/append data |This folder only |
 +|CREATOR OWNER |Full Control |Subfolders and files only |
 +
 +After that:
 +
 +  * Apply
 +  * OK
 +  * OK
 +  * OK
 +
 +Now we need to configure the roaming profile for a user to run a test.
 +  * Press Windows key + R and type: dsa.msc
 +  * Now select the user for which you want to configure the roaming profile
 +  * Right-click on it and select Properties
 +  * Now select the Profile tab.
 +  * Now in Profile path put: \\samba1.douglas.lan\Profiles\%username%
 +    * {{:samba4-win8cli-22.png?500|}}
 +  * Now select OK
 +
 +Now we can log on with that user and check whether the profile was created in:
 +  * /srv/samba/Profiles/
 +
 +After logging in with the user douglas.q.santos we shall get something like below.
 +<sxh bash;>
 +ls -l /srv/samba/Profiles
 +total 8
 +drwxrwx---+ 2 DOUGLAS\douglas.q.santos users 4096 Jun 11 16:44 douglas.q.santos.V2
 +</sxh>
 +
 +====== Logon Script ======
 +
 +Now we will create the logon script, which needs to be stored in /usr/local/samba/var/locks/sysvol/douglas.lan/scripts
 +
 +Let's create a basic one that only maps the Demo share
 +
 +**Note:** Here I will use the user douglas.q.santos; this user needs to have permission to access the share, or belong to a group that has it
 +
 +<sxh bash;>
 +vim /usr/local/samba/var/locks/sysvol/douglas.lan/scripts/sharedemo.bat
 +net use x: \\samba1.douglas.lan\Demo
 +</sxh>
 +
 +Now we need to change the permissions
 +<sxh bash;>
 +chmod +x /usr/local/samba/var/locks/sysvol/douglas.lan/scripts/sharedemo.bat
 +</sxh>
 +
 +Now we need to convert the script to the Microsoft (CRLF) line-ending format
 +<sxh bash;>
 +unix2dos /usr/local/samba/var/locks/sysvol/douglas.lan/scripts/sharedemo.bat
 +</sxh>
 +
 +  * Now press Windows key + R and type: dsa.msc
 +  * Now select the user you want to configure; I will use douglas.q.santos, for which I configured the roaming profile
 +  * Right-click on the user and select Properties
 +  * Now select Profile
 +  * In Logon script put: sharedemo.bat
 +    * {{:samba4-win8cli-23.png?500|}}
 +  * Now click Apply and OK
 +
 +Now let's log on with the user douglas.q.santos; after the login we will get something like below.
 +
 +{{:samba4-win8cli-24.png?500|}}
 +
 +<WRAP center round important 60%>
 +I shall continue from here as soon as possible.
 +</WRAP>
 +
 +====== Configuração do SLAVE ======
 +
 +Vamos atualizar os repositórios e vamos fazer um upgrade do sistema
 +
 +<sxh bash;>
 +yum check-update && yum update -y
 +</​sxh>​
 +
 +Agora vamos instalar as dependências para podemos compilar o samba
 +
 +<sxh bash;>
 +yum install ​ openldap-devel pam-devel git gcc make wget  libacl-devel libblkid-devel gnutls-devel readline-devel python-devel cups-devel \
 +libaio-devel quota-devel ctdb-devel krb5-devel krb5-workstation acl setroubleshoot-server setroubleshoot-plugins policycoreutils-python \
 +libsemanage-python setools-libs-python setools-libs popt-devel libpcap-devel libidn-devel libxml2-devel libacl-devel libsepol-devel libattr-devel \
 +keyutils-libs-devel cyrus-sasl-devel cups-devel bind-utils bind-sdb bind-devel bind-libs bind avahi-devel mingw32-iconv gamin \
 +libcap-devel rpc2-devel glusterfs-devel python-dns -y
 +</​sxh>​
 +
 +Agora vamos ajustar o fstab para que ele de suporte a acl,​user_xattr e barrier eu vou habilitar isso na partição / se você tiver várias partições é bom habilitar em todas que você queira habilitar os compartilhamentos.
 +
 +<sxh bash;>
 +vim /etc/fstab
 +[...]
 +/​dev/​mapper/​VolGroup-lv_root /                       ​ext4 ​   defaults,​acl,​user_xattr,​barrier=1 ​       1 1
 +</​sxh>​
 +
 +Agora vamos remontar a raiz
 +
 +<sxh bash;>
 +mount -o remount /
 +</​sxh>​
 +
 +Agora vamos listar os atributos da raiz
 +
 +<sxh bash;>
 +mount | egrep acl
 +/​dev/​mapper/​VolGroup-lv_root on / type ext4 (rw,​acl,​user_xattr,​barrier=1)
 +</​sxh>​
 +
 +Agora os atributos já estão carregados.
 +
 +Agora vamos obter o samba vamos acessar o diretório que vai armazenar os fontes
 +
 +<sxh bash;>
 +cd /usr/src
 +</​sxh>​
 +
 +Agora vamos obter os fontes
 +
 +<sxh bash;>
 +wget -c http://​ftp.samba.org/​pub/​samba/​stable/​samba-4.1.3.tar.gz
 +</​sxh>​
 +
 +Agora vamos desempacotar o samba
 +
 +<sxh bash;>
 +tar -xzvf samba-4.1.3.tar.gz
 +</​sxh>​
 +
 +Agora vamos acessar o diretório dos fontes
 +
 +<sxh bash;>
 +cd samba-4.1.3
 +</​sxh>​
 +
 +Agora vamos criar a configuração para o samba
 +
 +<sxh bash;>
 +./configure --enable-debug --enable-selftest
 +</​sxh>​
 +
 +Agora vamos mandar compilar o samba este processo demora um pouco
 +
 +<sxh bash;>
 +make
 +</​sxh>​
 +
 +Agora vamos mandar instalar o samba
 +
 +<sxh bash;>
 +make install
 +</​sxh>​
 +
 +Agora vamos acertar a PATH do usuário root no caso dele estar utilizando o shell Bash
 +
 +<sxh bash;>
 +echo "​export PATH=/​usr/​local/​sbin:/​usr/​local/​bin:/​usr/​sbin:/​usr/​bin:/​sbin:/​bin:/​usr/​bin/​X11:/​usr/​local/​samba/​sbin:/​usr/​local/​samba/​bin">>​ /​root/​.bashrc
 +</​sxh>​
 +
 +Agora precisamos importar a nova PATH
 +
 +<sxh bash;>
 +source /​root/​.bashrc
 +</​sxh>​
 +
 +Agora vamos acertar a PATH do usuário root no caso dele estar utilizando o shell zsh
 +
 +<sxh bash;>
 +echo "​export PATH=/​usr/​local/​sbin:/​usr/​local/​bin:/​usr/​sbin:/​usr/​bin:/​sbin:/​bin:/​usr/​bin/​X11:/​usr/​local/​samba/​sbin:/​usr/​local/​samba/​bin">>​ /​root/​.zshrc
 +</​sxh>​
 +
 +Agora precisamos importar a nova PATH
 +
 +<sxh bash;>
 +source /​root/​.zshrc
 +</​sxh>​
 +
 +Now let's adjust resolv.conf; it will use our domain name and the PDC's IP.
 +
 +<sxh bash;>
 +vim /etc/resolv.conf
 +domain douglas.lan
 +search douglas.lan
 +nameserver 192.168.0.25
 +</sxh>
 +
 +Now let's adjust the network interface to use our new DNS
 +
 +<sxh bash;>
 +vim /etc/sysconfig/network-scripts/ifcfg-eth0
 +DEVICE="eth0"
 +BOOTPROTO="static"
 +BROADCAST="192.168.0.255"
 +DNS1="192.168.0.26"
 +GATEWAY="192.168.0.1"
 +IPADDR="192.168.0.25"
 +NETMASK="255.255.255.0"
 +NM_CONTROLLED="yes"
 +ONBOOT="yes"
 +TYPE="Ethernet"
 +</sxh>
 +
 +Now let's configure Bind
 +
 +<sxh bash;>
 +vim /etc/named.conf
 +//named.conf
 +
 +options {
 +    listen-on port 53 { 127.0.0.1; 192.168.0.0/24; };
 +    listen-on-v6 port 53 { ::1; };
 +    directory     "/var/named";
 +    dump-file     "/var/named/data/cache_dump.db";
 +    statistics-file "/var/named/data/named_stats.txt";
 +    memstatistics-file "/var/named/data/named_mem_stats.txt";
 +    allow-query     { 192.168.0.0/24; localhost; };
 +    recursion yes;
 +    forwarders { 8.8.8.8; 8.8.4.4; };
 +
 +    dnssec-enable yes;
 +    dnssec-validation yes;
 +    dnssec-lookaside auto;
 +
 +    /* Path to ISC DLV key */
 +    bindkeys-file "/etc/named.iscdlv.key";
 +
 +    managed-keys-directory "/var/named/dynamic";
 +
 +    /* keytab for samba4 (GSS-TSIG signed dynamic updates from the DC) */
 +    tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
 +
 +};
 +
 +logging {
 +        channel default_debug {
 +                file "data/named.run";
 +                severity dynamic;
 +        };
 +};
 +
 +zone "." IN {
 +    type hint;
 +    file "named.ca";
 +};
 +
 +include "/etc/named.rfc1912.zones";
 +include "/etc/named.root.key";
 +/* Samba4 configuration file that tells Bind where the bind_dlz module is */
 +include "/usr/local/samba/private/named.conf";
 +</sxh>
 +
 +Now let's adjust the krb5.conf configuration
 +
 +<sxh bash;>
 +vim /etc/krb5.conf
 +[logging]
 +     default = FILE:/var/log/krb5libs.log
 +     kdc = FILE:/var/log/krb5kdc.log
 +     admin_server = FILE:/var/log/kadmind.log
 +
 +[libdefaults]
 +     default_realm = DOUGLAS.LAN
 +     dns_lookup_realm = true
 +     dns_lookup_kdc = true
 +     ticket_lifetime = 24h
 +     forwardable = yes
 +
 +[appdefaults]
 +     pam = {
 +          debug = false
 +          ticket_lifetime = 36000
 +          renew_lifetime = 36000
 +          forwardable = true
 +          krb4_convert = false
 +     }
 +</sxh>
 +
 +Let's obtain a Kerberos ticket to verify our configuration
 +
 +<sxh bash;>
 +kinit administrator
 +Password for administrator@DOUGLAS.LAN:
 +Warning: Your password will expire in 41 days on Mon Oct  7 12:02:11 2013
 +</sxh>
 +
 +Now let's join our server to the domain as a BDC
 +
 +Now let's provision our domain
 +
 +<sxh bash;>
 +samba-tool domain join douglas.lan DC -U administrator --realm=douglas.lan --dns-backend=BIND9_DLZ
 +Finding a writeable DC for domain 'douglas.lan'
 +Found DC nodo1.douglas.lan
 +Password for [DOUGLAS\administrator]:
 +workgroup is DOUGLAS
 +realm is douglas.lan
 +checking sAMAccountName
 +Deleted CN=NODO2,OU=Domain Controllers,DC=douglas,DC=lan
 +Deleted CN=NTDS Settings,CN=NODO2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=douglas,DC=lan
 +Deleted CN=NODO2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=douglas,DC=lan
 +Adding CN=NODO2,OU=Domain Controllers,DC=douglas,DC=lan
 +Adding CN=NODO2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=douglas,DC=lan
 +Adding CN=NTDS Settings,CN=NODO2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=douglas,DC=lan
 +Adding SPNs to CN=NODO2,OU=Domain Controllers,DC=douglas,DC=lan
 +Setting account password for NODO2$
 +Enabling account
 +Calling bare provision
 +No IPv6 address will be assigned
 +Provision OK for domain DN DC=douglas,DC=lan
 +Starting replication
 +Schema-DN[CN=Schema,CN=Configuration,DC=douglas,DC=lan] objects[402/1550] linked_values[0/0]
 +Schema-DN[CN=Schema,CN=Configuration,DC=douglas,DC=lan] objects[804/1550] linked_values[0/0]
 +Schema-DN[CN=Schema,CN=Configuration,DC=douglas,DC=lan] objects[1206/1550] linked_values[0/0]
 +Schema-DN[CN=Schema,CN=Configuration,DC=douglas,DC=lan] objects[1550/1550] linked_values[0/0]
 +Analyze and apply schema objects
 +Partition[CN=Configuration,DC=douglas,DC=lan] objects[402/1625] linked_values[0/0]
 +Partition[CN=Configuration,DC=douglas,DC=lan] objects[804/1625] linked_values[0/0]
 +Partition[CN=Configuration,DC=douglas,DC=lan] objects[1206/1625] linked_values[0/0]
 +Partition[CN=Configuration,DC=douglas,DC=lan] objects[1608/1625] linked_values[0/0]
 +Partition[CN=Configuration,DC=douglas,DC=lan] objects[1625/1625] linked_values[28/0]
 +Replicating critical objects from the base DN of the domain
 +Partition[DC=douglas,DC=lan] objects[98/98] linked_values[25/0]
 +Partition[DC=douglas,DC=lan] objects[375/277] linked_values[26/0]
 +Done with always replicated NC (base, config, schema)
 +Replicating DC=DomainDnsZones,DC=douglas,DC=lan
 +Partition[DC=DomainDnsZones,DC=douglas,DC=lan] objects[40/40] linked_values[0/0]
 +Replicating DC=ForestDnsZones,DC=douglas,DC=lan
 +Partition[DC=ForestDnsZones,DC=douglas,DC=lan] objects[18/18] linked_values[0/0]
 +Partition[DC=ForestDnsZones,DC=douglas,DC=lan] objects[36/18] linked_values[0/0]
 +Committing SAM database
 +Sending DsReplicateUpdateRefs for all the replicated partitions
 +Setting isSynchronized and dsServiceName
 +Setting up secrets database
 +Joined domain DOUGLAS (SID S-1-5-21-2011945809-1847694634-1467046014) as a DC
 +</sxh>
 +
 +Now let's add named to system startup
 +
 +<sxh bash;>
 +chkconfig --add named
 +chkconfig named on
 +</sxh>
 +
 +Now let's create the init script
 +
 +<sxh bash;>
 +vim /etc/init.d/samba
 +#!/bin/sh
 +#
 +# chkconfig: - 91 35
 +# description: Starts and stops the Samba smbd daemon \
 +#           used to provide SMB network services.
 +#
 +# pidfile: /var/run/samba/smbd.pid
 +# config:  /etc/samba/smb.conf
 +
 +# Source function library.
 +if [ -f /etc/init.d/functions ] ; then
 +  . /etc/init.d/functions
 +elif [ -f /etc/rc.d/init.d/functions ] ; then
 +  . /etc/rc.d/init.d/functions
 +else
 +  exit 1
 +fi
 +
 +# Avoid using root's TMPDIR
 +unset TMPDIR
 +
 +# Source networking configuration.
 +. /etc/sysconfig/network
 +
 +if [ -f /etc/sysconfig/samba ]; then
 +   . /etc/sysconfig/samba
 +fi
 +
 +# Check that networking is up.
 +[ "${NETWORKING}" = "no" ] && exit 1
 +
 +# Check that smb.conf exists.
 +[ -f /usr/local/samba/etc/smb.conf ] || exit 6
 +
 +# Lock file touched on start, removed on stop and checked by condrestart.
 +LOCKFILE=/usr/local/samba/var/lock/smb
 +RETVAL=0
 +
 +start() {
 +    KIND="SMB"
 +    echo -n $"Starting $KIND services: "
 +    /usr/local/samba/sbin/samba
 +    RETVAL=$?
 +    echo
 +    [ $RETVAL -eq 0 ] && touch $LOCKFILE || \
 +       RETVAL=1
 +    return $RETVAL
 +}
 +
 +stop() {
 +    KIND="SMB"
 +    echo -n $"Shutting down $KIND services: "
 +    # the AD DC daemon is "samba"; smbd is only one of its children
 +    killproc samba
 +    RETVAL=$?
 +    echo
 +    [ $RETVAL -eq 0 ] && rm -f $LOCKFILE
 +    return $RETVAL
 +}
 +
 +restart() {
 +    stop
 +    start
 +}
 +
 +reload() {
 +    echo -n $"Reloading smb.conf file: "
 +    killproc smbd -HUP
 +    RETVAL=$?
 +    echo
 +    return $RETVAL
 +}
 +
 +rhstatus() {
 +    status -l smb samba
 +    return $?
 +}
 +
 +# Allow status as non-root.
 +if [ "$1" = status ]; then
 +       rhstatus
 +       exit $?
 +fi
 +
 +# Check that we can write to it... so non-root users stop here
 +[ -w /usr/local/samba/etc/smb.conf ] || exit 4
 +
 +case "$1" in
 +  start)
 +      start
 +    ;;
 +  stop)
 +      stop
 +    ;;
 +  restart)
 +      restart
 +    ;;
 +  reload)
 +      reload
 +    ;;
 +  status)
 +      rhstatus
 +    ;;
 +  condrestart)
 +      [ -f $LOCKFILE ] && restart || :
 +    ;;
 +  *)
 +    echo $"Usage: $0 {start|stop|restart|reload|status|condrestart}"
 +    exit 2
 +esac
 +
 +exit $?
 +</sxh>
 +
 +Now let's make our script executable and add it to startup
 +
 +<sxh bash;>
 +chmod +x /etc/init.d/samba
 +chkconfig --add samba
 +chkconfig samba on
 +</sxh>
 +
 +Now let's start named and Samba
 +
 +<sxh bash;>
 +/etc/init.d/named start
 +/etc/init.d/samba start
 +</sxh>
 +
 +Now let's check the Samba daemon
 +
 +<sxh bash;>
 +ps aux | egrep samba
 +root      1268  7.0  8.2 525140 41276 ?        Ss   18:50   0:00 /usr/local/samba/sbin/samba
 +root      1271  0.0  5.7 525140 28648 ?        S    18:50   0:00 /usr/local/samba/sbin/samba
 +root      1272  0.0  5.8 525140 29500 ?        S    18:50   0:00 /usr/local/samba/sbin/samba
 +root      1273  0.1  6.2 529292 31152 ?        S    18:50   0:00 /usr/local/samba/sbin/samba
 +root      1274  0.0  5.6 525140 28608 ?        S    18:50   0:00 /usr/local/samba/sbin/samba
 +root      1275  8.8  6.1 525140 30768 ?        S    18:50   0:00 /usr/local/samba/sbin/samba
 +root      1276  0.0  5.8 525140 29204 ?        S    18:50   0:00 /usr/local/samba/sbin/samba
 +root      1277  7.0  8.6 576100 43440 ?        Ss   18:50   0:00 /usr/local/samba/sbin/smbd --option=server role check:inhibit=yes --foreground
 +root      1278  0.0  6.1 525140 30716 ?        S    18:50   0:00 /usr/local/samba/sbin/samba
 +root      1279  0.5  6.2 529292 31316 ?        S    18:50   0:00 /usr/local/samba/sbin/samba
 +root      1280  0.1  5.9 527652 29864 ?        S    18:50   0:00 /usr/local/samba/sbin/samba
 +root      1281  0.0  5.7 525140 28748 ?        S    18:50   0:00 /usr/local/samba/sbin/samba
 +root      1282  0.0  5.9 525140 29712 ?        S    18:50   0:00 /usr/local/samba/sbin/samba
 +root      1283  0.0  5.9 525140 29708 ?        S    18:50   0:00 /usr/local/samba/sbin/samba
 +root      1291  0.0  5.7 575584 29052 ?        S    18:50   0:00 /usr/local/samba/sbin/smbd --option=server role check:inhibit=yes --foreground
 +</sxh>
 +
 +As can be seen, it is running fine.
 +
 +Now let's show our Samba version
 +
 +<sxh bash;>
 +smbclient --version
 +Version 4.1.3
 +</sxh>
 +
 +Now let's list the shares
 +
 +<sxh bash;>
 +smbclient -L localhost -U%
 +Domain=[DOUGLAS] OS=[Unix] Server=[Samba 4.1.3]
 +
 +    Sharename       Type      Comment
 +    ---------       ----      -------
 +    netlogon        Disk
 +    sysvol          Disk
 +    IPC$            IPC       IPC Service (Samba 4.1.3)
 +Domain=[DOUGLAS] OS=[Unix] Server=[Samba 4.1.3]
 +
 +    Server               Comment
 +    ---------            -------
 +
 +    Workgroup            Master
 +    ---------            -------
 +</sxh>
 +
 +Now let's list the netlogon share as the administrator user
 +
 +<sxh bash;>
 +smbclient //localhost/netlogon -UAdministrator%'sen@134*' -c 'ls'
 +Domain=[DOUGLAS] OS=[Unix] Server=[Samba 4.1.3]
 +  .                                   D        0  Mon Aug 26 18:35:20 2013
 +  ..                                  D        0  Mon Aug 26 18:35:20 2013
 +
 +        34426 blocks of size 262144. 23857 blocks available
 +</sxh>
 +
 +Now let's dump our Samba configuration
 +
 +<sxh bash;>
 +testparm
 +Load smb config files from /usr/local/samba/etc/smb.conf
 +rlimit_max: increasing rlimit_max (4096) to minimum Windows limit (16384)
 +Processing section "[netlogon]"
 +Processing section "[sysvol]"
 +Loaded services file OK.
 +Server role: ROLE_ACTIVE_DIRECTORY_DC
 +Press enter to see a dump of your service definitions
 +
 +[global]
 +    workgroup = DOUGLAS
 +    realm = douglas.lan
 +    server role = active directory domain controller
 +    passdb backend = samba_dsdb
 +    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
 +    rpc_server:tcpip = no
 +    rpc_daemon:spoolssd = embedded
 +    rpc_server:spoolss = embedded
 +    rpc_server:winreg = embedded
 +    rpc_server:ntsvcs = embedded
 +    rpc_server:eventlog = embedded
 +    rpc_server:srvsvc = embedded
 +    rpc_server:svcctl = embedded
 +    rpc_server:default = external
 +    idmap config * : backend = tdb
 +    map archive = No
 +    map readonly = no
 +    store dos attributes = Yes
 +    vfs objects = dfs_samba4, acl_xattr
 +
 +[netlogon]
 +    path = /usr/local/samba/var/locks/sysvol/douglas.lan/scripts
 +    read only = No
 +
 +[sysvol]
 +    path = /usr/local/samba/var/locks/sysvol
 +    read only = No
 +</sxh>
 +
 +Now let's adjust limits.conf so Samba stops showing the rlimit warnings
 +
 +<sxh bash;>
 +vim /etc/security/limits.conf
 +# put at the end of the file
 +root hard nofile 131072
 +root soft nofile 65536
 +mioutente hard nofile 32768
 +mioutente soft nofile 16384
 +</sxh>
 +
 +Now let's test name resolution
 +
 +<sxh bash;>
 +nslookup douglas.lan
 +Server:        192.168.0.25
 +Address:    192.168.0.25#53
 +
 +Name:    douglas.lan
 +Address: 192.168.0.25
 +Name:    douglas.lan
 +Address: 192.168.0.26
 +</sxh>
 +
 +Now let's adjust the Kerberos configuration
 +
 +Let's back up the configuration file
 +
 +<sxh bash;>
 +mv /etc/krb5.conf /etc/krb5.conf.old
 +</sxh>
 +
 +Let's create a link so the system picks up Samba's configuration file as the default
 +
 +<sxh bash;>
 +ln -sf /usr/local/samba/private/krb5.conf /etc/krb5.conf
 +</sxh>
 +
 +Now let's adjust the krb5.conf configuration
 +
 +<sxh bash;>
 +vim /etc/krb5.conf
 +[logging]
 +     default = FILE:/var/log/krb5libs.log
 +     kdc = FILE:/var/log/krb5kdc.log
 +     admin_server = FILE:/var/log/kadmind.log
 +
 +[libdefaults]
 +     default_realm = DOUGLAS.LAN
 +     dns_lookup_realm = true
 +     dns_lookup_kdc = true
 +     ticket_lifetime = 24h
 +     forwardable = yes
 +
 +[appdefaults]
 +     pam = {
 +          debug = false
 +          ticket_lifetime = 36000
 +          renew_lifetime = 36000
 +          forwardable = true
 +          krb4_convert = false
 +     }
 +</sxh>
 +
 +Now let's create a link for the Kerberos keytab
 +
 +<sxh bash;>
 +ln -s /usr/local/samba/private/dns.keytab /etc/krb5.keytab
 +</sxh>
 +
 +Now let's adjust the Samba configuration so it can map users and groups via winbind
 +
 +<sxh bash;>
 +vim /usr/local/samba/etc/smb.conf
 +[global]
 +    workgroup = DOUGLAS
 +    realm = douglas.lan
 +    netbios name = NODO2
 +    server role = active directory domain controller
 +    passdb backend = samba_dsdb
 +    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
 +    rpc_server:tcpip = no
 +    rpc_daemon:spoolssd = embedded
 +    rpc_server:spoolss = embedded
 +    rpc_server:winreg = embedded
 +    rpc_server:ntsvcs = embedded
 +    rpc_server:eventlog = embedded
 +    rpc_server:srvsvc = embedded
 +    rpc_server:svcctl = embedded
 +    rpc_server:default = external
 +    #IDMAP
 +    idmap_ldb:use rfc2307 = yes
 +    idmap config * : backend = tdb
 +    idmap config *:range = 70001-80000
 +    idmap config DOUGLAS:backend = ad
 +    idmap config DOUGLAS:schema_mode = rfc2307
 +    idmap config DOUGLAS:range = 500-40000
 +    #WINBIND
 +    winbind nss info = rfc2307
 +    winbind trusted domains only = no
 +    winbind use default domain = yes
 +    winbind enum users  = yes
 +    winbind enum groups = yes
 +    map archive = No
 +    map readonly = no
 +    store dos attributes = Yes
 +    # Samba keeps only the last value of a repeated parameter, so the recycle
 +    # and full_audit modules are stacked here, on the same line as the
 +    # dfs_samba4 and acl_xattr modules the AD DC role needs
 +    vfs objects = dfs_samba4, acl_xattr, recycle, full_audit
 +    # the template shell is required to log in with winbind authentication
 +    template shell = /bin/bash
 +    #DISABLING PRINTERS
 +    printcap name = /dev/null
 +    load printers = no
 +    disable spoolss = yes
 +    printing = bsd
 +    ### LOGS
 +    log file = /var/log/samba/smbd.log
 +    max log size = 50
 +    log level = 2
 +    ### RECYCLE BIN
 +    recycle:repository = Lixeira
 +    recycle:exclude = *.tmp *.TMP *.temp *.TEMP ~*
 +    recycle:keeptree = yes
 +    full_audit:success = rmdir mkdir open write rename unlink
 +    full_audit:prefix = %U|%I|%m|%S
 +    # set full_audit:failure only once; a second definition replaces the first
 +    full_audit:failure = none
 +    full_audit:facility = local5
 +    full_audit:priority = notice
 +    veto files = /*.mp3/*.wav/*.exe/*.cmd/*.adm/*.inf/*.ini/*.pif
 +    delete veto files = yes
 +    dos filemode = yes
 +
 +[netlogon]
 +    path = /usr/local/samba/var/locks/sysvol/douglas.lan/scripts
 +    read only = No
 +
 +[sysvol]
 +    path = /usr/local/samba/var/locks/sysvol
 +    read only = No
 +</sxh>
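A parameter repeated in smb.conf is easy to miss, and Samba keeps only the last value, which on a DC can silently drop the dfs_samba4 and acl_xattr modules from the vfs stack. The following added example (not code from this page or from Samba) is a small linter that reports duplicated [global] parameters, a DC vfs stack without those modules, and overlapping idmap ranges; the smb.conf text inside it is constructed for the example and mirrors the configuration above.

```python
"""Lint a Samba AD DC smb.conf for silently overridden parameters and bad
idmap ranges.  Added example; not part of the original page or of Samba."""
import re
from collections import OrderedDict

# Constructed sample smb.conf for this example: it mirrors the [global]
# section above and deliberately repeats "vfs objects", which makes Samba
# drop dfs_samba4/acl_xattr because only the last value of a parameter counts.
SAMPLE_SMB_CONF = """
[global]
    workgroup = DOUGLAS
    realm = douglas.lan
    netbios name = NODO2
    server role = active directory domain controller
    idmap config * : backend = tdb
    idmap config *:range = 70001-80000
    idmap config DOUGLAS:backend = ad
    idmap config DOUGLAS:range = 500-40000
    vfs objects = dfs_samba4, acl_xattr
    log level = 2
    vfs objects = recycle full_audit
    full_audit:failure = rmdir mkdir open write rename unlink
    full_audit:failure = none

[sysvol]
    path = /usr/local/samba/var/locks/sysvol
    read only = No
"""

# VFS modules the AD DC role relies on (sysvol ACLs and DFS referrals).
REQUIRED_DC_VFS = ("dfs_samba4", "acl_xattr")


def normalise_key(key):
    """Samba ignores case and whitespace around ':' in parameter names."""
    return re.sub(r"\s*:\s*", ":", key.strip().lower())


def parse_smb_conf(text):
    """Return {section: [(key, value), ...]}, keeping repeated keys in order."""
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current].append((normalise_key(key), value.strip()))
    return sections


def find_duplicates(section):
    """Parameters set more than once in a section; only the last value counts."""
    seen = OrderedDict()
    for key, value in section:
        seen.setdefault(key, []).append(value)
    return OrderedDict((k, v) for k, v in seen.items() if len(v) > 1)


def idmap_ranges(effective):
    """[(domain, low, high)] from every 'idmap config DOMAIN:range' value."""
    ranges = []
    for key, value in effective.items():
        if key.startswith("idmap config") and key.endswith(":range"):
            domain = key[len("idmap config"):].split(":")[0].strip()
            low, high = value.split("-", 1)
            ranges.append((domain, int(low), int(high)))
    return ranges


def lint_global(sections):
    """Return a list of human-readable findings for the [global] section."""
    findings = []
    glob = sections.get("global", [])
    for key, values in find_duplicates(glob).items():
        findings.append("duplicate '%s': %s -> effective value '%s'"
                        % (key, " | ".join(values), values[-1]))
    effective = dict(glob)  # dict() keeps the last value, exactly as Samba does
    vfs = re.split(r"[\s,]+", effective.get("vfs objects", ""))
    if "active directory" in effective.get("server role", ""):
        for module in REQUIRED_DC_VFS:
            if module not in vfs:
                findings.append("vfs objects lacks '%s', required on an AD DC"
                                % module)
    ranges = idmap_ranges(effective)
    for i, (dom_a, lo_a, hi_a) in enumerate(ranges):
        for dom_b, lo_b, hi_b in ranges[i + 1:]:
            if lo_a <= hi_b and lo_b <= hi_a:
                findings.append("idmap ranges overlap: %s %d-%d vs %s %d-%d"
                                % (dom_a, lo_a, hi_a, dom_b, lo_b, hi_b))
    return findings


if __name__ == "__main__":
    for finding in lint_global(parse_smb_conf(SAMPLE_SMB_CONF)):
        print("WARNING:", finding)
```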
 +
 +Now let's create the directory to store the logs
 +
 +<sxh bash;>
 +mkdir -p /var/log/samba
 +</sxh>
 +
 +Now we need to set up the winbind NSS library; on 32-bit systems we do it as follows
 +
 +<sxh bash;>
 +ln -s /usr/local/samba/lib/libnss_winbind.so /lib
 +ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
 +ldconfig
 +</sxh>
 +
 +On 64-bit systems we do it as follows
 +
 +<sxh bash;>
 +ln -s /usr/local/samba/lib/libnss_winbind.so /lib64
 +ln -s /lib64/libnss_winbind.so /lib64/libnss_winbind.so.2
 +ldconfig
 +</sxh>
 +
 +Now let's adjust nsswitch.conf
 +
 +<sxh bash;>
 +vim /etc/nsswitch.conf
 +[...]
 +passwd: files winbind
 +[...]
 +group:  files winbind
 +</sxh>
 +
 +Now let's obtain a ticket for administrator
 +
 +<sxh bash;>
 +kinit administrator
 +Password for administrator@DOUGLAS.LAN:
 +Warning: Your password will expire in 41 days on Mon Oct  7 12:02:11 2013
 +</sxh>
 +
 +Now let's list our ticket
 +
 +<sxh bash;>
 +klist
 +Ticket cache: FILE:/tmp/krb5cc_0
 +Default principal: administrator@DOUGLAS.LAN
 +
 +Valid starting     Expires            Service principal
 +08/26/13 18:54:21  08/27/13 04:54:21  krbtgt/DOUGLAS.LAN@DOUGLAS.LAN
 +    renew until 08/27/13 18:54:17
 +</sxh>
 +
 +Our Kerberos is OK.
 +
 +Let's install ntp
 +
 +<sxh bash;>
 +yum install ntp -y
 +</sxh>
 +
 +Now let's back up the default ntp.conf configuration file
 +
 +<sxh bash;>
 +cp /etc/ntp.conf /etc/ntp.conf.old
 +</sxh>
 +
 +Now let's configure ntp
 +
 +<sxh bash;>
 +vim /etc/ntp.conf
 +server 127.127.1.0
 +fudge  127.127.1.0 stratum 10
 +server a.ntp.br iburst prefer
 +server 0.pool.ntp.org  iburst prefer
 +server 1.pool.ntp.org  iburst prefer
 +driftfile /var/lib/ntp/ntp.drift
 +logfile /var/log/ntp
 +ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/
 +restrict default kod nomodify notrap nopeer mssntp
 +restrict 127.0.0.1
 +restrict a.ntp.br mask 255.255.255.255 nomodify notrap nopeer noquery
 +restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
 +restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
 +</sxh>
 +
 +Now let's start it
 +
 +<sxh bash;>
 +/etc/init.d/ntpd start
 +</sxh>
 +
 +Now let's check its synchronisation
 +
 +<sxh bash;>
 +ntpq -p 127.0.0.1
 +     remote           refid      st t when poll reach   delay   offset  jitter
 +==============================================================================
 + LOCAL(0)        .LOCL.          10 l    -   64    1    0.000    0.000   0.000
 + a.ntp.br        .INIT.          16 u    -   64    0    0.000    0.000   0.000
 + a.st1.ntp.br    .INIT.          16 u    -   64    0    0.000    0.000   0.000
 + roma.coe.ufrj.b .INIT.          16 u    -   64    0    0.000    0.000   0.000
 +</sxh>
 +
 +Now let's add ntp to startup
 +
 +<sxh bash;>
 +chkconfig --add ntpd
 +chkconfig ntpd on
 +</sxh>
 +
 +Now let's update our clock with ntpdate
 +
 +<sxh bash;>
 +ntpdate -u a.ntp.br
 +</sxh>
 +
 +Now let's adjust the group of the ntp_signd directory so ntpd can reach the signing socket
 +
 +<sxh bash;>
 +chgrp ntp /usr/local/samba/var/lib/ntp_signd
 +</sxh>
 +
 +Our Samba is now OK.
 +
 +Now we can get the RSAT (Admin Pack) at:
 +
 +  * [[http://www.microsoft.com/en-us/download/details.aspx?id=39296|http://www.microsoft.com/en-us/download/details.aspx?id=39296]] (Windows 8.1)
 +  * [[http://www.microsoft.com/download/details.aspx?id=28972|http://www.microsoft.com/download/details.aspx?id=28972]] (Windows 8)
 +  * [[http://www.microsoft.com/downloads/details.aspx?FamilyId=9FF6E897-23CE-4A36-B7FC-D52065DE9960&displaylang=en|http://www.microsoft.com/downloads/details.aspx?FamilyId=9FF6E897-23CE-4A36-B7FC-D52065DE9960&displaylang=en]] (Vista)
 +  * [[http://www.microsoft.com/downloads/details.aspx?FamilyID=7D2F6AD7-656B-4313-A005-4E344E43997D&displaylang=en|http://www.microsoft.com/downloads/details.aspx?FamilyID=7D2F6AD7-656B-4313-A005-4E344E43997D&displaylang=en]] (Windows 7)
 +  * [[http://www.microsoft.com/en-us/download/details.aspx?id=6315|http://www.microsoft.com/en-us/download/details.aspx?id=6315]] (Windows XP/Server 2003)
 +
 +  * To install RSAT on Windows 7: [[http://social.technet.microsoft.com/wiki/contents/articles/2593.instalando-o-remote-server-administration-tools-rsat-no-windows-7-sp1-pt-br.aspx|http://social.technet.microsoft.com/wiki/contents/articles/2593.instalando-o-remote-server-administration-tools-rsat-no-windows-7-sp1-pt-br.aspx]]
 +  * To install RSAT on Windows 8: [[http://www.canaldainfo.com.br/index.php/windows-8rsat/|http://www.canaldainfo.com.br/index.php/windows-8rsat/]]
 +
 +Now let's test winbind
 +
 +<sxh bash;>
 +wbinfo -t
 +checking the trust secret for domain DOUGLAS via RPC calls succeeded
 +</sxh>
 +
 +Now let's list the groups
 +
 +<sxh bash;>
 +wbinfo -g
 +Enterprise Read-Only Domain Controllers
 +Domain Admins
 +Domain Users
 +Domain Guests
 +Domain Computers
 +Domain Controllers
 +Schema Admins
 +Enterprise Admins
 +Group Policy Creator Owners
 +Read-Only Domain Controllers
 +DnsUpdateProxy
 +ti-admin
 +</sxh>
 +
 +Now let's list the users
 +
 +<sxh bash;>
 +wbinfo -u
 +Administrator
 +Guest
 +krbtgt
 +dns-nodo1
 +douglas.santos
 +</sxh>
 +
 +Now let's test the DNS update in Samba
 +
 +<sxh bash;>
 +samba_dnsupdate --verbose
 +IPs: ['192.168.0.26']
 +Skipping PDC entry (SRV _ldap._tcp.pdc._msdcs.${DNSDOMAIN}                   ${HOSTNAME} 389) as we are not a PDC
 +Skipping PDC entry (SRV _ldap._tcp.pdc._msdcs.${DNSFOREST}                   ${HOSTNAME} 389) as we are not a PDC
 +Looking for DNS entry A douglas.lan 192.168.0.26 as douglas.lan.
 +Looking for DNS entry A nodo2.douglas.lan 192.168.0.26 as nodo2.douglas.lan.
 +Looking for DNS entry A gc._msdcs.douglas.lan 192.168.0.26 as gc._msdcs.douglas.lan.
 +Looking for DNS entry CNAME ccc206ae-bc66-4a4e-a282-06aa4613cadd._msdcs.douglas.lan nodo2.douglas.lan as ccc206ae-bc66-4a4e-a282-06aa4613cadd._msdcs.douglas.lan.
 +Looking for DNS entry SRV _kpasswd._tcp.douglas.lan nodo2.douglas.lan 464 as _kpasswd._tcp.douglas.lan.
 +Checking 0 100 464 nodo2.douglas.lan. against SRV _kpasswd._tcp.douglas.lan nodo2.douglas.lan 464
 +Looking for DNS entry SRV _kpasswd._udp.douglas.lan nodo2.douglas.lan 464 as _kpasswd._udp.douglas.lan.
 +Checking 0 100 464 nodo1.douglas.lan. against SRV _kpasswd._udp.douglas.lan nodo2.douglas.lan 464
 +Checking 0 100 464 nodo2.douglas.lan. against SRV _kpasswd._udp.douglas.lan nodo2.douglas.lan 464
 +Looking for DNS entry SRV _kerberos._tcp.douglas.lan nodo2.douglas.lan 88 as _kerberos._tcp.douglas.lan.
 +Checking 0 100 88 nodo1.douglas.lan. against SRV _kerberos._tcp.douglas.lan nodo2.douglas.lan 88
 +Checking 0 100 88 nodo2.douglas.lan. against SRV _kerberos._tcp.douglas.lan nodo2.douglas.lan 88
 +Looking for DNS entry SRV _kerberos._tcp.dc._msdcs.douglas.lan nodo2.douglas.lan 88 as _kerberos._tcp.dc._msdcs.douglas.lan.
 +Checking 0 100 88 nodo2.douglas.lan. against SRV _kerberos._tcp.dc._msdcs.douglas.lan nodo2.douglas.lan 88
 +Looking for DNS entry SRV _kerberos._tcp.default-first-site-name._sites.douglas.lan nodo2.douglas.lan 88 as _kerberos._tcp.default-first-site-name._sites.douglas.lan.
 +Checking 0 100 88 nodo1.douglas.lan. against SRV _kerberos._tcp.default-first-site-name._sites.douglas.lan nodo2.douglas.lan 88
 +Checking 0 100 88 nodo2.douglas.lan. against SRV _kerberos._tcp.default-first-site-name._sites.douglas.lan nodo2.douglas.lan 88
 +Looking for DNS entry SRV _kerberos._tcp.default-first-site-name._sites.dc._msdcs.douglas.lan nodo2.douglas.lan 88 as _kerberos._tcp.default-first-site-name._sites.dc._msdcs.douglas.lan.
 +Checking 0 100 88 nodo1.douglas.lan. against SRV _kerberos._tcp.default-first-site-name._sites.dc._msdcs.douglas.lan nodo2.douglas.lan 88
 +Checking 0 100 88 nodo2.douglas.lan. against SRV _kerberos._tcp.default-first-site-name._sites.dc._msdcs.douglas.lan nodo2.douglas.lan 88
 +Looking for DNS entry SRV _kerberos._udp.douglas.lan nodo2.douglas.lan 88 as _kerberos._udp.douglas.lan.
 +Checking 0 100 88 nodo1.douglas.lan. against SRV _kerberos._udp.douglas.lan nodo2.douglas.lan 88
 +Checking 0 100 88 nodo2.douglas.lan. against SRV _kerberos._udp.douglas.lan nodo2.douglas.lan 88
 +Looking for DNS entry SRV _ldap._tcp.douglas.lan nodo2.douglas.lan 389 as _ldap._tcp.douglas.lan.
 +Checking 0 100 389 nodo2.douglas.lan. against SRV _ldap._tcp.douglas.lan nodo2.douglas.lan 389
 +Looking for DNS entry SRV _ldap._tcp.dc._msdcs.douglas.lan nodo2.douglas.lan 389 as _ldap._tcp.dc._msdcs.douglas.lan.
 +Checking 0 100 389 nodo1.douglas.lan. against SRV _ldap._tcp.dc._msdcs.douglas.lan nodo2.douglas.lan 389
 +Checking 0 100 389 nodo2.douglas.lan. against SRV _ldap._tcp.dc._msdcs.douglas.lan nodo2.douglas.lan 389
 +Looking for DNS entry SRV _ldap._tcp.gc._msdcs.douglas.lan nodo2.douglas.lan 3268 as _ldap._tcp.gc._msdcs.douglas.lan.
 +Checking 0 100 3268 nodo2.douglas.lan. against SRV _ldap._tcp.gc._msdcs.douglas.lan nodo2.douglas.lan 3268
 +Looking for DNS entry SRV _ldap._tcp.default-first-site-name._sites.douglas.lan nodo2.douglas.lan 389 as _ldap._tcp.default-first-site-name._sites.douglas.lan.
 +Checking 0 100 389 nodo1.douglas.lan. against SRV _ldap._tcp.default-first-site-name._sites.douglas.lan nodo2.douglas.lan 389
 +Checking 0 100 389 nodo2.douglas.lan. against SRV _ldap._tcp.default-first-site-name._sites.douglas.lan nodo2.douglas.lan 389
 +Looking for DNS entry SRV _ldap._tcp.default-first-site-name._sites.dc._msdcs.douglas.lan nodo2.douglas.lan 389 as _ldap._tcp.default-first-site-name._sites.dc._msdcs.douglas.lan.
 +Checking 0 100 389 nodo1.douglas.lan. against SRV _ldap._tcp.default-first-site-name._sites.dc._msdcs.douglas.lan nodo2.douglas.lan 389
 +Checking 0 100 389 nodo2.douglas.lan. against SRV _ldap._tcp.default-first-site-name._sites.dc._msdcs.douglas.lan nodo2.douglas.lan 389
 +Looking for DNS entry SRV _ldap._tcp.default-first-site-name._sites.gc._msdcs.douglas.lan nodo2.douglas.lan 3268 as _ldap._tcp.default-first-site-name._sites.gc._msdcs.douglas.lan.
 +Checking 0 100 3268 nodo2.douglas.lan. against SRV _ldap._tcp.default-first-site-name._sites.gc._msdcs.douglas.lan nodo2.douglas.lan 3268
 +Looking for DNS entry SRV _ldap._tcp.15cf6198-7655-4ba1-9563-2682bf9b6483.domains._msdcs.douglas.lan nodo2.douglas.lan 389 as _ldap._tcp.15cf6198-7655-4ba1-9563-2682bf9b6483.domains._msdcs.douglas.lan.
 +Checking 0 100 389 nodo2.douglas.lan. against SRV _ldap._tcp.15cf6198-7655-4ba1-9563-2682bf9b6483.domains._msdcs.douglas.lan nodo2.douglas.lan 389
 +Looking for DNS entry SRV _gc._tcp.douglas.lan nodo2.douglas.lan 3268 as _gc._tcp.douglas.lan.
 +Checking 0 100 3268 nodo2.douglas.lan. against SRV _gc._tcp.douglas.lan nodo2.douglas.lan 3268
 +Looking for DNS entry SRV _gc._tcp.default-first-site-name._sites.douglas.lan nodo2.douglas.lan 3268 as _gc._tcp.default-first-site-name._sites.douglas.lan.
 +Checking 0 100 3268 nodo1.douglas.lan. against SRV _gc._tcp.default-first-site-name._sites.douglas.lan nodo2.douglas.lan 3268
 +Checking 0 100 3268 nodo2.douglas.lan. against SRV _gc._tcp.default-first-site-name._sites.douglas.lan nodo2.douglas.lan 3268
 +No DNS updates needed
 +</sxh>
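A domain controller that is absent from an SRV record cannot be located by clients for that service, and the verbose output above lists, per record, which targets DNS currently holds ("Checking ... against SRV ..."). The following added example (not code from this page or from Samba) parses that format and reports, for each SRV record, which of the expected DCs are missing; the sample output inside it is constructed from a few lines in the same format, with nodo1 and nodo2 as the expected DCs.

```python
"""Report which domain controllers each SRV record advertises, parsed from
'samba_dnsupdate --verbose' output.  Added example; not part of the original
page or of Samba."""
import re

# Constructed sample in the format samba_dnsupdate prints.  Each
# "Checking <prio> <weight> <port> <target>. against SRV <name> ..." line is
# one target currently present in DNS for that record; a record that gets a
# "Looking for" line but no "Checking" line has no targets at all.
SAMPLE_OUTPUT = """\
IPs: ['192.168.0.26']
Looking for DNS entry SRV _kerberos._tcp.douglas.lan nodo2.douglas.lan 88 as _kerberos._tcp.douglas.lan.
Checking 0 100 88 nodo1.douglas.lan. against SRV _kerberos._tcp.douglas.lan nodo2.douglas.lan 88
Checking 0 100 88 nodo2.douglas.lan. against SRV _kerberos._tcp.douglas.lan nodo2.douglas.lan 88
Looking for DNS entry SRV _ldap._tcp.douglas.lan nodo2.douglas.lan 389 as _ldap._tcp.douglas.lan.
Checking 0 100 389 nodo2.douglas.lan. against SRV _ldap._tcp.douglas.lan nodo2.douglas.lan 389
Looking for DNS entry SRV _gc._tcp.douglas.lan nodo2.douglas.lan 3268 as _gc._tcp.douglas.lan.
Checking 0 100 3268 nodo2.douglas.lan. against SRV _gc._tcp.douglas.lan nodo2.douglas.lan 3268
No DNS updates needed
"""

LOOKING_RE = re.compile(r"^Looking for DNS entry SRV (\S+) \S+ \d+ as ")
CHECKING_RE = re.compile(r"^Checking \d+ \d+ (\d+) (\S+) against SRV (\S+) ")


def srv_targets(output):
    """Map each SRV record name to the set of target hosts present in DNS."""
    records = {}
    for line in output.splitlines():
        looking = LOOKING_RE.match(line)
        if looking:
            # register the record even if no "Checking" line follows
            records.setdefault(looking.group(1), set())
            continue
        checking = CHECKING_RE.match(line)
        if checking:
            host = checking.group(2).rstrip(".").lower()
            records.setdefault(checking.group(3), set()).add(host)
    return records


def missing_dcs(output, expected_dcs):
    """Return {record: [dc, ...]} for every record lacking an expected DC."""
    gaps = {}
    for name, targets in srv_targets(output).items():
        absent = [dc for dc in expected_dcs if dc.lower() not in targets]
        if absent:
            gaps[name] = absent
    return gaps


if __name__ == "__main__":
    dcs = ["nodo1.douglas.lan", "nodo2.douglas.lan"]
    for record, absent in sorted(missing_dcs(SAMPLE_OUTPUT, dcs).items()):
        print("%s lacks %s" % (record, ", ".join(absent)))
```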
 +
 +Now let's update all records
 +
 +<sxh bash;>
 +samba_dnsupdate --verbose --all-names
 +IPs: ['192.168.0.26']
 +Skipping PDC entry (SRV _ldap._tcp.pdc._msdcs.${DNSDOMAIN}                   ${HOSTNAME} 389) as we are not a PDC
 +Skipping PDC entry (SRV _ldap._tcp.pdc._msdcs.${DNSFOREST}                   ${HOSTNAME} 389) as we are not a PDC
 +
 +Calling nsupdate for A douglas.lan 192.168.0.26
 +Outgoing update query:
 +;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
 +;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
 +;; UPDATE SECTION:
 +douglas.lan.        900    IN    A    192.168.0.26
 +
 +Calling nsupdate for A nodo2.douglas.lan 192.168.0.26
 +Outgoing update query:
 +;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
 +;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
 +;; UPDATE SECTION:
 +nodo2.douglas.lan.    900    IN    A    192.168.0.26
 +
 +Calling nsupdate for A gc._msdcs.douglas.lan 192.168.0.26
 +Outgoing update query:
 +;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
 +;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
 +;; UPDATE SECTION:
 +gc._msdcs.douglas.lan.    900    IN    A    192.168.0.26
 +
 +Calling nsupdate for CNAME ccc206ae-bc66-4a4e-a282-06aa4613cadd._msdcs.douglas.lan nodo2.douglas.lan
 +Outgoing update query:
 +;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
 +;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
 +;; UPDATE SECTION:
 +ccc206ae-bc66-4a4e-a282-06aa4613cadd._msdcs.douglas.lan. 900 IN    CNAME nodo2.douglas.lan.
 +
 +Calling nsupdate for SRV _kpasswd._tcp.douglas.lan nodo2.douglas.lan 464
 +Outgoing update query:
 +;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
 +;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
 +;; UPDATE SECTION:
 +_kpasswd._tcp.douglas.lan. 900    IN    SRV    0 100 464 nodo2.douglas.lan.
 +
 +Calling nsupdate for SRV _kpasswd._udp.douglas.lan nodo2.douglas.lan 464
 +Outgoing update query:
 +;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
 +;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
 +;; UPDATE SECTION:
 +_kpasswd._udp.douglas.lan. 900    IN    SRV    0 100 464 nodo2.douglas.lan.
 +
 +Calling nsupdate for SRV _kerberos._tcp.douglas.lan nodo2.douglas.lan 88
 +Outgoing update query:
 +;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
 +;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
 +;; UPDATE SECTION:
 +_kerberos._tcp.douglas.lan. 900    IN    SRV    0 100 88 nodo2.douglas.lan.
 +
 +Calling nsupdate for SRV _kerberos._tcp.dc._msdcs.douglas.lan nodo2.douglas.lan 88
 +Outgoing update query:
 +;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
 +;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
 +;; UPDATE SECTION:
 +_kerberos._tcp.dc._msdcs.douglas.lan. 900 IN SRV 0 100 88 nodo2.douglas.lan.
 +
 +Calling nsupdate for SRV _kerberos._tcp.default-first-site-name._sites.douglas.lan nodo2.douglas.lan 88
 +Outgoing update query:
 +;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
 +;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
 +;; UPDATE SECTION:
 +_kerberos._tcp.default-first-site-name._sites.douglas.lan. 900 IN SRV 0 100 88 nodo2.douglas.lan.
 +
 +Calling nsupdate for SRV _kerberos._tcp.default-first-site-name._sites.dc._msdcs.douglas.lan nodo2.douglas.lan 88
 +Outgoing update query:
 +;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
 +;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
 +;; UPDATE SECTION:
 +_kerberos._tcp.default-first-site-name._sites.dc._msdcs.douglas.lan. 900 IN SRV 0 100 88 nodo2.douglas.lan.
 +
 +Calling nsupdate for SRV _kerberos._udp.douglas.lan nodo2.douglas.lan 88
 +Outgoing update query:
 +;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
 +;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
 +;; UPDATE SECTION:
 +_kerberos._udp.douglas.lan. 900    IN    SRV    0 100 88 nodo2.douglas.lan.
 +
 +Calling nsupdate for SRV _ldap._tcp.douglas.lan nodo2.douglas.lan 389
 +Outgoing update query:
 +;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
 +;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
 +;; UPDATE SECTION:
 +_ldap._tcp.douglas.lan.    900    IN    SRV    0 100 389 nodo2.douglas.lan.
 +
 +Calling nsupdate for SRV _ldap._tcp.dc._msdcs.douglas.lan nodo2.douglas.lan 389
 +Outgoing update query:
 +;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
 +;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
 +;; UPDATE SECTION:
 +_ldap._tcp.dc._msdcs.douglas.lan. 900 IN SRV    0 100 389 nodo2.douglas.lan.
 +
 +Calling nsupdate for SRV _ldap._tcp.gc._msdcs.douglas.lan nodo2.douglas.lan 3268
 +Outgoing update query:
 +;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
 +;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
 +;; UPDATE SECTION:
 +_ldap._tcp.gc._msdcs.douglas.lan. 900 IN SRV    0 100 3268 nodo2.douglas.lan.
 +
 +Calling nsupdate for SRV _ldap._tcp.default-first-site-name._sites.douglas.lan nodo2.douglas.lan 389
 +Outgoing update query:
 +;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
 +;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
 +;; UPDATE SECTION:
 +_ldap._tcp.default-first-site-name._sites.douglas.lan. 900 IN SRV 0 100 389 nodo2.douglas.lan.
 +
 +Calling nsupdate for SRV _ldap._tcp.default-first-site-name._sites.dc._msdcs.douglas.lan nodo2.douglas.lan 389
 +Outgoing update query:
 +;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
 +;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
 +;; UPDATE SECTION:
 +_ldap._tcp.default-first-site-name._sites.dc._msdcs.douglas.lan. 900 IN    SRV 0 100 389 nodo2.douglas.lan.
 +
 +Calling nsupdate for SRV _ldap._tcp.default-first-site-name._sites.gc._msdcs.douglas.lan nodo2.douglas.lan 3268
 +Outgoing update query:
 +;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
 +;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
 +;; UPDATE SECTION:
 +_ldap._tcp.default-first-site-name._sites.gc._msdcs.douglas.lan. 900 IN    SRV 0 100 3268 nodo2.douglas.lan.
 +
 +Calling nsupdate for SRV _ldap._tcp.15cf6198-7655-4ba1-9563-2682bf9b6483.domains._msdcs.douglas.lan nodo2.douglas.lan 389
 +Outgoing update query:
 +;; ->>​HEADER<<​- opcode: UPDATE, status: NOERROR, id:      0
 +;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
 +;; UPDATE SECTION:
 +_ldap._tcp.15cf6198-7655-4ba1-9563-2682bf9b6483.domains._msdcs.douglas.lan. 900IN SRV 0 100 389 nodo2.douglas.lan.
 +
 +Calling nsupdate for SRV _gc._tcp.douglas.lan nodo2.douglas.lan 3268
 +Outgoing update query:
 +;; ->>​HEADER<<​- opcode: UPDATE, status: NOERROR, id:      0
 +;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
 +;; UPDATE SECTION:
 +_gc._tcp.douglas.lan. ​   900    IN    SRV    0 100 3268 nodo2.douglas.lan.
 +
 +Calling nsupdate for SRV _gc._tcp.default-first-site-name._sites.douglas.lan nodo2.douglas.lan 3268
 +Outgoing update query:
 +;; ->>​HEADER<<​- opcode: UPDATE, status: NOERROR, id:      0
 +;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
 +;; UPDATE SECTION:
 +_gc._tcp.default-first-site-name._sites.douglas.lan. 900 IN SRV    0 100 3268 nodo2.douglas.lan.
 +</​sxh>​
 +
 +Now let's run a DNS query for the service records
 +
 +Let's query the LDAP service
 +
 +<sxh bash;>
 +host -t SRV _ldap._tcp.douglas.lan.
 +_ldap._tcp.douglas.lan has SRV record 0 100 389 nodo2.douglas.lan.
 +_ldap._tcp.douglas.lan has SRV record 0 100 389 nodo1.douglas.lan.
 +</sxh>
 +
 +Let's query the Kerberos service
 +
 +<sxh bash;>
 +host -t SRV _kerberos._udp.douglas.lan.
 +_kerberos._udp.douglas.lan has SRV record 0 100 88 nodo1.douglas.lan.
 +_kerberos._udp.douglas.lan has SRV record 0 100 88 nodo2.douglas.lan.
 +</sxh>
 +
 +Now let's query the A record of our server
 +
 +<sxh bash;>
 +host -t A nodo2.douglas.lan
 +nodo2.douglas.lan has address 192.168.0.26
 +</sxh>
 +
 +Now let's list the Kerberos keytab
 +
 +<sxh bash;>
 +klist -k
 +Keytab name: FILE:/etc/krb5.keytab
 +KVNO Principal
 +---- --------------------------------------------------------------------------
 +   1 DNS/nodo2.douglas.lan@DOUGLAS.LAN
 +   1 dns-nodo2@DOUGLAS.LAN
 +   1 DNS/nodo2.douglas.lan@DOUGLAS.LAN
 +   1 dns-nodo2@DOUGLAS.LAN
 +   1 DNS/nodo2.douglas.lan@DOUGLAS.LAN
 +   1 dns-nodo2@DOUGLAS.LAN
 +   1 DNS/nodo2.douglas.lan@DOUGLAS.LAN
 +   1 dns-nodo2@DOUGLAS.LAN
 +   1 DNS/nodo2.douglas.lan@DOUGLAS.LAN
 +   1 dns-nodo2@DOUGLAS.LAN
 +</sxh>
 +
 +Now let's check the active tickets
 +
 +<sxh bash;>
 +klist -e
 +Ticket cache: FILE:/tmp/krb5cc_0
 +Default principal: administrator@DOUGLAS.LAN
 +
 +Valid starting     Expires            Service principal
 +08/26/13 18:54:21  08/27/13 04:54:21  krbtgt/DOUGLAS.LAN@DOUGLAS.LAN
 +    renew until 08/27/13 18:54:17, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
 +</sxh>
 +
 +Now let's check that both of our servers are registered in the directory (one NTDS Settings object each)
 +
 +<sxh bash;>
 +ldbsearch -H /usr/local/samba/private/sam.ldb '(invocationid=*)' --cross-ncs objectguid
 +# record 1
 +dn: CN=NTDS Settings,CN=NODO1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=douglas,DC=lan
 +objectGUID: eae04ba1-3ca2-4ec6-b08c-4962ca4f04b4
 +
 +# record 2
 +dn: CN=NTDS Settings,CN=NODO2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=douglas,DC=lan
 +objectGUID: ccc206ae-bc66-4a4e-a282-06aa4613cadd
 +
 +# returned 2 records
 +# 2 entries
 +# 0 referrals
 +</sxh>
 +
 +Now let's check the replication
 +
 +<sxh bash;>
 +samba-tool drs showrepl
 +Default-First-Site-Name\NODO2
 +DSA Options: 0x00000001
 +DSA object GUID: ccc206ae-bc66-4a4e-a282-06aa4613cadd
 +DSA invocationId: 08233b5e-5d9f-469f-b350-641b18278b60
 +
 +==== INBOUND NEIGHBORS ====
 +
 +CN=Schema,CN=Configuration,DC=douglas,DC=lan
 +    Default-First-Site-Name\NODO1 via RPC
 +        DSA object GUID: eae04ba1-3ca2-4ec6-b08c-4962ca4f04b4
 +        Last attempt @ Mon Aug 26 19:01:06 2013 BRT was successful
 +        0 consecutive failure(s).
 +        Last success @ Mon Aug 26 19:01:06 2013 BRT
 +
 +DC=DomainDnsZones,DC=douglas,DC=lan
 +    Default-First-Site-Name\NODO1 via RPC
 +        DSA object GUID: eae04ba1-3ca2-4ec6-b08c-4962ca4f04b4
 +        Last attempt @ Mon Aug 26 19:01:06 2013 BRT was successful
 +        0 consecutive failure(s).
 +        Last success @ Mon Aug 26 19:01:06 2013 BRT
 +
 +CN=Configuration,DC=douglas,DC=lan
 +    Default-First-Site-Name\NODO1 via RPC
 +        DSA object GUID: eae04ba1-3ca2-4ec6-b08c-4962ca4f04b4
 +        Last attempt @ Mon Aug 26 19:01:06 2013 BRT was successful
 +        0 consecutive failure(s).
 +        Last success @ Mon Aug 26 19:01:06 2013 BRT
 +
 +DC=ForestDnsZones,DC=douglas,DC=lan
 +    Default-First-Site-Name\NODO1 via RPC
 +        DSA object GUID: eae04ba1-3ca2-4ec6-b08c-4962ca4f04b4
 +        Last attempt @ Mon Aug 26 19:01:06 2013 BRT was successful
 +        0 consecutive failure(s).
 +        Last success @ Mon Aug 26 19:01:06 2013 BRT
 +
 +DC=douglas,DC=lan
 +    Default-First-Site-Name\NODO1 via RPC
 +        DSA object GUID: eae04ba1-3ca2-4ec6-b08c-4962ca4f04b4
 +        Last attempt @ Mon Aug 26 19:01:07 2013 BRT was successful
 +        0 consecutive failure(s).
 +        Last success @ Mon Aug 26 19:01:07 2013 BRT
 +
 +==== OUTBOUND NEIGHBORS ====
 +
 +CN=Schema,CN=Configuration,DC=douglas,DC=lan
 +    Default-First-Site-Name\NODO1 via RPC
 +        DSA object GUID: eae04ba1-3ca2-4ec6-b08c-4962ca4f04b4
 +        Last attempt @ NTTIME(0) was successful
 +        0 consecutive failure(s).
 +        Last success @ NTTIME(0)
 +
 +DC=DomainDnsZones,DC=douglas,DC=lan
 +    Default-First-Site-Name\NODO1 via RPC
 +        DSA object GUID: eae04ba1-3ca2-4ec6-b08c-4962ca4f04b4
 +        Last attempt @ NTTIME(0) was successful
 +        0 consecutive failure(s).
 +        Last success @ NTTIME(0)
 +
 +CN=Configuration,DC=douglas,DC=lan
 +    Default-First-Site-Name\NODO1 via RPC
 +        DSA object GUID: eae04ba1-3ca2-4ec6-b08c-4962ca4f04b4
 +        Last attempt @ NTTIME(0) was successful
 +        0 consecutive failure(s).
 +        Last success @ NTTIME(0)
 +
 +DC=ForestDnsZones,DC=douglas,DC=lan
 +    Default-First-Site-Name\NODO1 via RPC
 +        DSA object GUID: eae04ba1-3ca2-4ec6-b08c-4962ca4f04b4
 +        Last attempt @ NTTIME(0) was successful
 +        0 consecutive failure(s).
 +        Last success @ NTTIME(0)
 +
 +DC=douglas,DC=lan
 +    Default-First-Site-Name\NODO1 via RPC
 +        DSA object GUID: eae04ba1-3ca2-4ec6-b08c-4962ca4f04b4
 +        Last attempt @ NTTIME(0) was successful
 +        0 consecutive failure(s).
 +        Last success @ NTTIME(0)
 +
 +==== KCC CONNECTION OBJECTS ====
 +
 +Connection --
 +    Connection name: d6fcfc72-89b0-4f4c-88c2-bf887510b6af
 +    Enabled        : TRUE
 +    Server DNS name : nodo1.douglas.lan
 +    Server DN name  : CN=NTDS Settings,CN=NODO1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=douglas,DC=lan
 +        TransportType: RPC
 +        options: 0x00000001
 +Warning: No NC replicated for Connection!
 +</sxh>
 +
 +Our replication is OK
 +
 +====== Adjusting PAM on the SLAVE ======
 +
 +Now let's configure PAM; with it we will be able to authenticate domain users on Linux. I will allow only the root group and the ti-admin group (which has to be created in AD) to authenticate on Linux and get a shell.
 +
 +Let's create a link to the winbind authentication library compiled for 64-bit systems
 +
 +<sxh bash;>
 +ln -sf /usr/local/samba/lib/security/pam_winbind.so /lib64/security/pam_winbind.so
 +</sxh>
 +
 +Let's create a link to the winbind authentication library compiled for 32-bit systems
 +
 +<sxh bash;>
 +ln -sf /usr/local/samba/lib/security/pam_winbind.so /lib/security/pam_winbind.so
 +</sxh>
 +
 +Let's change system-auth so that when the user logs into the system their home directory is created with the contents of /etc/skel
 +
 +<sxh bash;>
 +vim /etc/pam.d/system-auth
 +#%PAM-1.0
 +# This file is auto-generated.
 +# User changes will be destroyed the next time authconfig is run.
 +auth        required      pam_env.so
 +auth        sufficient    pam_unix.so nullok try_first_pass
 +auth        requisite     pam_succeed_if.so uid >= 500 quiet
 +auth        required      pam_deny.so
 +
 +account     required      pam_unix.so
 +account     sufficient    pam_localuser.so
 +account     sufficient    pam_succeed_if.so uid < 500 quiet
 +account     required      pam_permit.so
 +
 +password    requisite     pam_cracklib.so try_first_pass retry=3 type=
 +password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
 +password    required      pam_deny.so
 +
 +session     optional      pam_keyinit.so revoke
 +session     required      pam_limits.so
 +session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
 +session     required      pam_unix.so
 +session     required      pam_mkhomedir.so skel=/etc/skel/ umask=0027
 +</sxh>
 +
 +Now let's adjust login
 +
 +<sxh bash;>
 +vim /etc/pam.d/login
 +#%PAM-1.0
 +auth       sufficient    pam_winbind.so
 +auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
 +auth       include      system-auth
 +
 +account    sufficient     pam_succeed_if.so user ingroup root
 +account    required    pam_winbind.so
 +account    required     pam_nologin.so
 +account    include      system-auth
 +#Groups that are allowed to log into the server
 +account    requisite    pam_succeed_if.so user ingroup ti-admin
 +
 +password   include      system-auth
 +# pam_selinux.so close should be the first session rule
 +
 +session    required     pam_selinux.so close
 +session    required     pam_mkhomedir.so        skel=/etc/skel umask=0027
 +session    include      system-auth
 +session    required     pam_loginuid.so
 +session    optional     pam_console.so
 +# pam_selinux.so open should only be followed by sessions to be executed in the user context
 +session    required     pam_selinux.so open
 +session    optional     pam_keyinit.so force revoke
 +</sxh>
 +
 +Now let's adjust ssh
 +
 +<sxh bash;>
 +vim /etc/pam.d/sshd
 +#%PAM-1.0
 +auth       sufficient    pam_winbind.so
 +auth       include      system-auth
 +
 +account    sufficient   pam_succeed_if.so user ingroup root
 +account    required     pam_winbind.so
 +account    required     pam_nologin.so
 +account    include      system-auth
 +#Groups that are allowed to log in via ssh
 +account    requisite    pam_succeed_if.so user ingroup ti-admin
 +
 +password   include      system-auth
 +
 +session    required     pam_mkhomedir.so        skel=/etc/skel umask=0027
 +session    optional     pam_keyinit.so force revoke
 +session    include      system-auth
 +session    required     pam_loginuid.so
 +</sxh>
 +
 +As this server is a replica of the PDC we should already have the users and groups, so we will just query them
 +
 +Let's query the users
 +
 +<sxh bash;>
 +wbinfo -u
 +Administrator
 +Guest
 +krbtgt
 +dns-nodo1
 +douglas.santos
 +</sxh>
 +
 +Now let's query the groups
 +
 +<sxh bash;>
 +wbinfo -g
 +Enterprise Read-Only Domain Controllers
 +Domain Admins
 +Domain Users
 +Domain Guests
 +Domain Computers
 +Domain Controllers
 +Schema Admins
 +Enterprise Admins
 +Group Policy Creator Owners
 +Read-Only Domain Controllers
 +DnsUpdateProxy
 +ti-admin
 +</sxh>
 +
 +Now let's reboot the server
 +
 +<sxh bash;>
 +reboot
 +</sxh>
 +
 +Now, after logging in again, let's check the winbind connection
 +
 +<sxh bash;>
 +wbinfo -t
 +checking the trust secret for domain DOUGLAS via RPC calls succeeded
 +</sxh>
 +
 +I already have my user douglas.santos and it belongs to the ti-admin group; now let's test the connection via ssh
 +
 +<sxh bash;>
 +ssh douglas.santos@192.168.0.26
 +douglas.santos@192.168.0.26's password:
 +Creating directory '/home/DOUGLAS/douglas.santos'.
 +[19:08:04] DOUGLAS\douglas.santos@nodo2 [~] $
 +</sxh>
 +
 +Now if we check the secure log we will see something like
 +
 +<sxh bash;>
 +tail -f /var/log/secure
 +Aug 26 19:08:03 nodo2 sshd[1222]: pam_winbind(sshd:auth): getting password (0x00000000)
 +Aug 26 19:08:03 nodo2 sshd[1222]: pam_winbind(sshd:auth): user 'douglas.santos' granted access
 +Aug 26 19:08:03 nodo2 sshd[1222]: pam_succeed_if(sshd:account): requirement "user ingroup root" not met by user "DOUGLAS\douglas.santos"
 +Aug 26 19:08:04 nodo2 sshd[1222]: pam_winbind(sshd:account): user 'DOUGLAS\douglas.santos' granted access
 +Aug 26 19:08:04 nodo2 sshd[1222]: pam_succeed_if(sshd:account): requirement "user ingroup ti-admin" was met by user "DOUGLAS\douglas.santos"
 +Aug 26 19:08:04 nodo2 sshd[1222]: Accepted password for douglas.santos from 192.168.0.130 port 48754 ssh2
 +Aug 26 19:08:04 nodo2 sshd[1222]: pam_unix(sshd:session): session opened for user DOUGLAS\douglas.santos by (uid=0)
 +</sxh>
 +
 +As we can see our authentication is OK.
 +
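To see which of the two group rules in the account stack above (sufficient "ingroup root", then requisite "ingroup ti-admin") decided each ssh login, here is an added helper that is not part of the original page: it reads lines in the format of /var/log/secure and reports, per sshd process, whether the user was let in and through which group. The sample lines inside it are constructed from the ones shown on this page plus a denied user, DOUGLAS\joe, invented for illustration.

```shell
#!/bin/sh
# Added example (not the page's own code): report which pam_succeed_if group rule
# decided each sshd login, from /var/log/secure lines like the ones shown above.
# With the page's account stack a user is let in either by the "ingroup root" rule
# or by the requisite "ingroup ti-admin" rule, and denied when neither is met.

# Constructed sample: the page's successful login plus an invented denied user.
SAMPLE_LOG=$(cat <<'EOF'
Aug 26 19:08:03 nodo2 sshd[1222]: pam_winbind(sshd:auth): user 'douglas.santos' granted access
Aug 26 19:08:03 nodo2 sshd[1222]: pam_succeed_if(sshd:account): requirement "user ingroup root" not met by user "DOUGLAS\douglas.santos"
Aug 26 19:08:04 nodo2 sshd[1222]: pam_winbind(sshd:account): user 'DOUGLAS\douglas.santos' granted access
Aug 26 19:08:04 nodo2 sshd[1222]: pam_succeed_if(sshd:account): requirement "user ingroup ti-admin" was met by user "DOUGLAS\douglas.santos"
Aug 26 19:08:04 nodo2 sshd[1222]: Accepted password for douglas.santos from 192.168.0.130 port 48754 ssh2
Aug 26 19:10:11 nodo2 sshd[1300]: pam_succeed_if(sshd:account): requirement "user ingroup root" not met by user "DOUGLAS\joe"
Aug 26 19:10:11 nodo2 sshd[1300]: pam_succeed_if(sshd:account): requirement "user ingroup ti-admin" not met by user "DOUGLAS\joe"
EOF
)

# pam_group_report: reads log lines on stdin and prints one line per sshd PID:
#   <user> ALLOW group=<group>   or   <user> DENY
pam_group_report() {
    awk '
    /pam_succeed_if\(sshd:account\)/ {
        # the sshd child PID ties together the lines of one login attempt
        match($0, /sshd\[[0-9]+\]/);  pid = substr($0, RSTART + 5, RLENGTH - 6)
        match($0, /ingroup [^"]+/);   grp = substr($0, RSTART + 8, RLENGTH - 8)
        match($0, /by user "[^"]+"/); usr = substr($0, RSTART + 9, RLENGTH - 10)
        if (!(pid in user)) { pids[++n] = pid }
        user[pid] = usr
        # any "was met" rule in the account stack is what let the user through
        if ($0 ~ /was met/) allowed[pid] = grp
    }
    END {
        for (i = 1; i <= n; i++) {
            p = pids[i]
            if (p in allowed) printf "%s ALLOW group=%s\n", user[p], allowed[p]
            else              printf "%s DENY\n", user[p]
        }
    }'
}

printf '%s\n' "$SAMPLE_LOG" | pam_group_report
```

Run it against the real file with `pam_group_report < /var/log/secure`; a DENY line for an account that should have access usually means the user is not in ti-admin on the AD side.
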
 +====== Sysvol Replication ======
 +
 +Here I will cover the way recommended by the Samba team to replicate the sysvol, which for now is not automatic.
 +
 +On the Master server, in my case nodo1, let's install rsync and xinetd
 +
 +<sxh bash;>
 +yum install xinetd rsync -y
 +</sxh>
 +
 +Now let's add xinetd to the system startup
 +
 +<sxh bash;>
 +chkconfig --add xinetd
 +chkconfig xinetd on
 +</sxh>
 +
 +Now let's set up the rsync configuration for xinetd
 +
 +<sxh bash;>
 +vim /etc/xinetd.d/rsync
 +# default: off
 +# description: The rsync server is a good addition to an ftp server, as it \
 +#    allows crc checksumming etc.
 +service rsync
 +{
 +    disable         = no
 +    only_from       = 192.168.0.0/24
 +    socket_type     = stream
 +    wait            = no
 +    user            = root
 +    server          = /usr/bin/rsync
 +    server_args     = --daemon
 +    log_on_failure  += USERID
 +}
 +</sxh>
 +
 +Now let's create our rsyncd.conf configuration file, which will contain the sysvol share
 +
 +<sxh bash;>
 +vim /etc/rsyncd.conf
 +[SysVol]
 +path = /usr/local/samba/var/locks/sysvol/
 +comment = Samba Sysvol Share
 +uid = root
 +gid = root
 +read only = yes
 +auth users = sysvol-replication
 +secrets file = /usr/local/samba/etc/rsyncd.secret
 +</sxh>
 +
 +Note that we are going to use a user and a password there, so now let's create the file containing the password
 +
 +<sxh bash;>
 +vim /usr/local/samba/etc/rsyncd.secret
 +sysvol-replication:pa$$w0rd
 +</sxh>
 +
 +Now let's fix the file permissions, otherwise rsync will not serve the share
 +
 +<sxh bash;>
 +chmod 440 /usr/local/samba/etc/rsyncd.secret
 +</sxh>
 +
 +Now let's restart xinetd
 +
 +<sxh bash;>
 +/etc/init.d/xinetd restart
 +</sxh>
 +
 +Let's check the size of the sysvol on the master server
 +
 +<sxh bash;>
 +du -sh /usr/local/samba/var/locks/sysvol
 +100K    /usr/local/samba/var/locks/sysvol
 +</sxh>
 +
 +Now let's check the size of the sysvol on the slave server
 +
 +<sxh bash;>
 +du -sh /usr/local/samba/var/locks/sysvol
 +12K    /usr/local/samba/var/locks/sysvol
 +</sxh>
 +
 +Note that there is a big difference.
 +
 +Now let's configure the slave server
 +
 +Let's install rsync
 +
 +<sxh bash;>
 +yum install rsync -y
 +</sxh>
 +
 +Now let's create the file containing the password to access the master server
 +
 +<sxh bash;>
 +vim /usr/local/samba/etc/rsync-sysvol.secret
 +pa$$w0rd
 +</sxh>
 +
 +Now let's fix the permissions of the password file
 +
 +<sxh bash;>
 +chmod 440 /usr/local/samba/etc/rsync-sysvol.secret
 +</sxh>
 +
 +Now let's test the sysvol synchronisation
 +
 +<sxh bash;>
 +rsync --dry-run -XAavz --delete-after --password-file=/usr/local/samba/etc/rsync-sysvol.secret rsync://sysvol-replication@192.168.0.25/SysVol/ /usr/local/samba/var/locks/sysvol/
 +receiving file list ... done
 +./
 +douglas.lan/
 +douglas.lan/Policies/
 +douglas.lan/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/
 +douglas.lan/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI
 +douglas.lan/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/
 +douglas.lan/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/USER/
 +douglas.lan/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/
 +douglas.lan/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/GPT.INI
 +douglas.lan/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/MACHINE/
 +douglas.lan/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/USER/
 +douglas.lan/scripts/
 +douglas.lan/scripts/sharedemo.bat
 +
 +sent 109 bytes  received 876 bytes  656.67 bytes/sec
 +total size is 77  speedup is 0.08 (DRY RUN)
 +</sxh>
 +
 +Note that we didn't get any error, so we can now drop the <nowiki>--dry-run</nowiki> option
 +
 +Now let's do the replication
 +
 +<sxh bash;>
 +rsync -XAavz --delete-after --password-file=/usr/local/samba/etc/rsync-sysvol.secret rsync://sysvol-replication@192.168.0.25/SysVol/ /usr/local/samba/var/locks/sysvol/
 +receiving file list ... done
 +./
 +douglas.lan/
 +douglas.lan/Policies/
 +douglas.lan/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/
 +douglas.lan/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI
 +douglas.lan/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/
 +douglas.lan/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/USER/
 +douglas.lan/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/
 +douglas.lan/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/GPT.INI
 +douglas.lan/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/MACHINE/
 +douglas.lan/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/USER/
 +douglas.lan/scripts/
 +douglas.lan/scripts/sharedemo.bat
 +
 +sent 173 bytes  received 2308 bytes  4962.00 bytes/sec
 +total size is 77  speedup is 0.03
 +</sxh>
 +
 +Now let's check the size of the sysvol on the master server
 +
 +<sxh bash;>
 +du -sh /usr/local/samba/var/locks/sysvol
 +100K    /usr/local/samba/var/locks/sysvol
 +</sxh>
 +
 +Now let's check the size of the sysvol on the slave server
 +
 +<sxh bash;>
 +du -sh /usr/local/samba/var/locks/sysvol
 +100K    /usr/local/samba/var/locks/sysvol
 +</sxh>
 +
 +Now let's leave a crontab entry on the slave server so the synchronisation always runs
 +
 +<sxh bash;>
 +crontab -e
 +*/5 * * * *  rsync -XAavz --delete-after --password-file=/usr/local/samba/etc/rsync-sysvol.secret rsync://sysvol-replication@192.168.0.25/SysVol/ /usr/local/samba/var/locks/sysvol
 +</sxh>
 +
 +This synchronisation can be done for all DCs except the PDC.
 +
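As an added example that is not part of the original page, here is a wrapper for the slave's cron job above: it refuses to run when the password file is readable by others (rsync itself aborts on an other-accessible password file, which is why the chmod 440 step matters), takes a lock so two five-minute runs cannot overlap on a slow link, and then runs the same rsync as the page. The lock directory path is an assumption; the secret path, sysvol path and master address 192.168.0.25 are the page's.

```shell
#!/bin/sh
# Added example (not the page's own code): wrapper for the slave's sysvol cron job.
# Defaults are the paths used on this page; override them via the environment.
SECRET=${SECRET:-/usr/local/samba/etc/rsync-sysvol.secret}
MASTER=${MASTER:-192.168.0.25}
SYSVOL=${SYSVOL:-/usr/local/samba/var/locks/sysvol/}
LOCKDIR=${LOCKDIR:-/var/run/sysvol-sync.lock}   # assumed location

# secret_ok FILE: succeed only if FILE is a regular file whose "other" permission
# bits are zero. rsync refuses a password file that is other-accessible, so this
# turns a silent cron failure into a clear message. Mode 440, as on the page, passes.
secret_ok() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "secret_ok: $f is missing" >&2
        return 1
    fi
    mode=$(stat -c %a "$f") || return 1
    other=${mode#"${mode%?}"}        # last octal digit = "other" bits
    if [ "$other" != 0 ]; then
        echo "secret_ok: $f is other-accessible (mode $mode), run: chmod 440 $f" >&2
        return 1
    fi
    return 0
}

# sysvol_sync [--dry-run]: check the secret, take the lock, run the page's rsync
# command, release the lock and return rsync's exit status.
sysvol_sync() {
    secret_ok "$SECRET" || return 1
    # mkdir is atomic, so it serves as a lock without needing flock(1)
    if ! mkdir "$LOCKDIR" 2>/dev/null; then
        echo "sysvol_sync: previous run still active ($LOCKDIR exists)" >&2
        return 1
    fi
    rsync "$@" -XAavz --delete-after --password-file="$SECRET" \
        "rsync://sysvol-replication@$MASTER/SysVol/" "$SYSVOL"
    rc=$?
    rmdir "$LOCKDIR"
    return $rc
}

# Only act when invoked with "sync" or "dry-run", so sourcing the file is harmless.
case ${1:-} in
    sync)    sysvol_sync ;;
    dry-run) sysvol_sync --dry-run ;;
esac
```

In the crontab the page's line then becomes `*/5 * * * * /usr/local/sbin/sysvol-sync.sh sync` (script location assumed), and the stderr messages land in the cron mail instead of being lost.
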
 +====== Configuring a CentOS client to authenticate against Samba 4 ======
 +
 +Prepare your system with the following script http://wiki.douglasqsantos.com.br/doku.php/confinicialcentos6_en so that no package or configuration is missing.
 +
 +Let's install the dependencies so it can become part of the Samba 4 domain
 +
 +<sxh bash;>
 +yum install samba samba-winbind samba-winbind-devel samba-client samba-common \
 + pam_krb5 cifs-utils samba-winbind-krb5-locator samba-doc krb5-workstation -y
 +</sxh>
 +
 +Now let's add the services to the system startup
 +
 +<sxh bash;>
 +chkconfig --add nmb
 +chkconfig --add smb
 +chkconfig --add winbind
 +</sxh>
 +
 +Now let's enable them
 +
 +<sxh bash;>
 +chkconfig nmb on
 +chkconfig smb on
 +chkconfig winbind on
 +</sxh>
 +
 +Now let's adjust the client's resolv.conf
 +
 +<sxh bash;>
 +vim /etc/resolv.conf
 +domain douglas.lan
 +search douglas.lan
 +nameserver 192.168.0.25
 +nameserver 192.168.0.26
 +</sxh>
 +
 +Now let's adjust the network interface
 +
 +<sxh bash;>
 +vim /etc/sysconfig/network-scripts/ifcfg-eth0
 +DEVICE="eth0"
 +BOOTPROTO="static"
 +BROADCAST="192.168.0.255"
 +DNS1="192.168.0.25"
 +DNS2="192.168.0.26"
 +GATEWAY="192.168.0.1"
 +IPADDR="192.168.0.27"
 +NETMASK="255.255.255.0"
 +NM_CONTROLLED="yes"
 +ONBOOT="yes"
 +TYPE="Ethernet"
 +</sxh>
 +
 +Now let's adjust the server's clock, because as we are going to work with winbind and Kerberos we cannot have any time difference
 +
 +<sxh bash;>
 +ntpdate -u a.ntp.br
 +</sxh>
 +
 +Now let's adjust Kerberos
 +
 +<sxh bash;>
 +vim /etc/krb5.conf
 +[libdefaults]
 +default_realm = DOUGLAS.LAN
 +krb4_config = /etc/krb.conf
 +krb4_realms = /etc/krb.realms
 +kdc_timesync = 1
 +ccache_type = 4
 +forwardable = true
 +proxiable = true
 +v4_instance_resolve = false
 +v4_name_convert = {
 +host = {
 +rcmd = host
 +ftp = ftp
 +}
 +plain = {
 +something = something-else
 +}
 +}
 +fcc-mit-ticketflags = true
 +[realms]
 +DOUGLAS.LAN = {
 +kdc = 192.168.0.25
 +kdc = 192.168.0.26
 +admin_server = 192.168.0.25:749
 +default_server = 192.168.0.25
 +}
 +[domain_realm]
 +.douglas.lan=DOUGLAS.LAN
 +douglas.lan=DOUGLAS.LAN
 +[login]
 +krb4_convert = true
 +krb4_get_tickets = false
 +[kdc]
 +profile = /etc/krb5kdc/kdc.conf
 +[appdefaults]
 +pam = {
 +debug = false
 +ticket_lifetime = 36000
 +renew_lifetime = 36000
 +forwardable = true
 +krb4_convert = false
 +}
 +[logging]
 +default = file:/var/log/krb5libs.log
 +kdc = file:/var/log/krb5kdc.log
 +admin_server = file:/var/log/kadmind.log
 +</sxh>
 +
 +Now let's fix limits.conf
 +
 +<sxh bash;>
 +vim /etc/security/limits.conf
 +[...]
 +#put at the end of the file
 +root hard nofile 131072
 +root soft nofile 65536
 +mioutente hard nofile 32768
 +mioutente soft nofile 16384
 +</sxh>
 +
 +Now let's adjust smb.conf
 +
 +<sxh bash;>
 +vim /etc/samba/smb.conf
 +[global]
 +        workgroup = DOUGLAS
 +        security = ADS
 +        realm = DOUGLAS.LAN
 +        netbios name = CENTOS
 +        encrypt passwords = yes
 +        idmap config * : backend = tdb
 +        idmap config * : range = 10000-30000
 +        idmap config DOUGLAS:backend = ad
 +        idmap config DOUGLAS:schema_mode = rfc2307
 +        auth methods = winbind
 +        winbind nss info = rfc2307
 +        winbind trusted domains only = no
 +        winbind use default domain = yes
 +        winbind enum users  = yes
 +        winbind enum groups = yes
 +        template shell = /bin/bash
 +</sxh>
 +
 +Now let's adjust nsswitch.conf
 +
 +<sxh bash;>
 +vim /etc/nsswitch.conf
 +[...]
 +passwd:     files winbind
 +shadow:     files
 +group:      files winbind
 +</sxh>
 +
 +Let's start the services
 +
 +<sxh bash;>
 +/etc/init.d/nmb start
 +/etc/init.d/smb start
 +/etc/init.d/winbind start
 +</sxh>
 +
 +Now let's adjust PAM
 +
 +Let's set it up so that when the user logs in their home directory is created
 +
 +<sxh bash;>
 +vim /etc/pam.d/system-auth
 +#%PAM-1.0
 +# This file is auto-generated.
 +# User changes will be destroyed the next time authconfig is run.
 +auth        required      pam_env.so
 +auth        sufficient    pam_unix.so nullok try_first_pass
 +auth        requisite     pam_succeed_if.so uid >= 500 quiet
 +auth        required      pam_deny.so
 +
 +account     required      pam_unix.so
 +account     sufficient    pam_localuser.so
 +account     sufficient    pam_succeed_if.so uid < 500 quiet
 +account     required      pam_permit.so
 +
 +password    requisite     pam_cracklib.so try_first_pass retry=3 type=
 +password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
 +password    required      pam_deny.so
 +
 +session     optional      pam_keyinit.so revoke
 +session     required      pam_limits.so
 +session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
 +session     required      pam_unix.so
 +session     required      pam_mkhomedir.so skel=/etc/skel/ umask=0027
 +</sxh>
 +
 +Now let's adjust login using winbind; here I allowed only the root group and ti-admin to log into Linux machines
 +
 +<sxh bash;>
 +vim /etc/pam.d/login
 +#%PAM-1.0
 +auth       sufficient    pam_winbind.so
 +auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
 +auth       include      system-auth
 +
 +account    sufficient     pam_succeed_if.so user ingroup root
 +account    required    pam_winbind.so
 +account    required     pam_nologin.so
 +account    include      system-auth
 +#Groups that are allowed to log into the server
 +account    requisite    pam_succeed_if.so user ingroup ti-admin
 +
 +password   include      system-auth
 +# pam_selinux.so close should be the first session rule
 +
 +session    required     pam_selinux.so close
 +session    required     pam_mkhomedir.so        skel=/etc/skel umask=0027
 +session    include      system-auth
 +session    required     pam_loginuid.so
 +session    optional     pam_console.so
 +# pam_selinux.so open should only be followed by sessions to be executed in the user context
 +session    required     pam_selinux.so open
 +session    optional     pam_keyinit.so force revoke
 +</sxh>
 +
 +Now let's adjust ssh access using winbind; here I allowed only the root group and ti-admin to log into Linux machines
 +
 +<sxh bash;>
 +vim /etc/pam.d/sshd
 +#%PAM-1.0
 +auth       sufficient    pam_winbind.so
 +auth       include      system-auth
 +
 +account    sufficient   pam_succeed_if.so user ingroup root
 +account    required     pam_winbind.so
 +account    required     pam_nologin.so
 +account    include      system-auth
 +#Groups that are allowed to log in via ssh
 +account    requisite    pam_succeed_if.so user ingroup ti-admin
 +
 +password   include      system-auth
 +
 +session    required     pam_mkhomedir.so        skel=/etc/skel umask=0027
 +session    optional     pam_keyinit.so force revoke
 +session    include      system-auth
 +session    required     pam_loginuid.so
 +</sxh>
 +
 +Now let's check whether we can obtain a Kerberos ticket
 +
 +<sxh bash;>
 +kinit administrator
 +Password for administrator@DOUGLAS.LAN:
 +Warning: Your password will expire in 41 days on Mon Oct  7 12:02:11 2013
 +</sxh>
 +
 +Now let's list our ticket
 +
 +<sxh bash;>
 +klist
 +Ticket cache: FILE:/tmp/krb5cc_0
 +Default principal: administrator@DOUGLAS.LAN
 +
 +Valid starting     Expires            Service principal
 +08/27/13 10:02:54  08/27/13 20:02:54  krbtgt/DOUGLAS.LAN@DOUGLAS.LAN
 +    renew until 08/28/13 10:02:51
 +</sxh>
 +
 +Now let's join the domain
 +
 +<sxh bash;>
 +net ads join douglas.lan -U administrator
 +</sxh>
 +
 +I am still trying to fix this DNS error.
 +
 +Now let's restart the services
 +
 +<sxh bash;>
 +/etc/init.d/nmb restart
 +/etc/init.d/smb restart
 +/etc/init.d/winbind restart
 +</sxh>
 +
 +Now let's test the connection with winbind
 +
 +<sxh bash;>
 +wbinfo -t
 +checking the trust secret for domain DOUGLAS via RPC calls succeeded
 +</sxh>
 +
 +Now let's list the domain users
 +
 +<sxh bash;>
 +wbinfo -u
 +douglas.santos
 +administrator
 +dns-nodo1
 +krbtgt
 +guest
 +</sxh>
 +
 +Let's list the groups
 +
 +<sxh bash;>
 +wbinfo -g
 +allowed rodc password replication group
 +enterprise read-only domain controllers
 +denied rodc password replication group
 +ti-admin
 +read-only domain controllers
 +group policy creator owners
 +ras and ias servers
 +domain controllers
 +enterprise admins
 +domain computers
 +cert publishers
 +dnsupdateproxy
 +domain admins
 +domain guests
 +schema admins
 +domain users
 +dnsadmins
 +</sxh>
 +
 +Now let's test ssh access to this client
 +
 +<sxh bash;>
 +ssh douglas.santos@192.168.0.27
 +douglas.santos@192.168.0.27's password:
 +Creating directory '/home/DOUGLAS/douglas.santos'.
 +[10:40:01] douglas.santos@centos [~] $
 +</sxh>
 +
 +Now let's look at the access logs on the CentOS box
 +
 +<sxh bash;>
 +tail -f /var/log/secure
 +Aug 27 10:38:55 centos sshd[13906]: pam_winbind(sshd:auth): getting password (0x00000000)
 +Aug 27 10:38:56 centos sshd[13906]: pam_winbind(sshd:auth): user 'douglas.santos' granted access
 +Aug 27 10:39:32 centos sshd[13906]: pam_succeed_if(sshd:account): requirement "user ingroup root" not met by user "douglas.santos"
 +Aug 27 10:39:32 centos sshd[13906]: pam_winbind(sshd:account): user 'douglas.santos' granted access
 +Aug 27 10:39:35 centos sshd[13906]: pam_succeed_if(sshd:account): requirement "user ingroup ti-admin" was met by user "douglas.santos"
 +Aug 27 10:39:35 centos sshd[13906]: Accepted password for douglas.santos from 192.168.0.130 port 46470 ssh2
 +Aug 27 10:39:50 centos sshd[13906]: pam_unix(sshd:session): session opened for user douglas.santos by (uid=0)
 +</sxh>
 +
 +The client is configured successfully :D
 +
 +====== Configuring a Debian Wheezy Client to Authenticate Against Samba 4 ======
 +
 +Prepare your system with the following script http://wiki.douglasqsantos.com.br/doku.php/confinicialwheezy_en so that no package or configuration is missing.
 +
 +Let's update the repositories and upgrade the system
 +
 +<sxh bash;>
 +aptitude update && aptitude dist-upgrade -y
 +</sxh>
 +
 +Now let's set the Debian environment variables
 +
 +<sxh bash;>
 +export DEBIAN_PRIORITY=critical
 +export DEBIAN_FRONTEND=noninteractive
 +</sxh>
 +
 +Now let's install the dependencies
 +
 +<sxh bash;>
 +aptitude install samba samba-common smbclient winbind krb5-config libpam-krb5 cifs-utils krb5-user -y
 +</sxh>
 +
 +Now let's unset the Debian environment variables again
 +
 +<sxh bash;>
 +unset DEBIAN_PRIORITY
 +unset DEBIAN_FRONTEND
 +</sxh>
 +
 +Now let's adjust resolv.conf
 +
 +<sxh bash;>
 +vim /etc/resolv.conf
 +domain douglas.lan
 +search douglas.lan
 +nameserver 192.168.0.25
 +nameserver 192.168.0.26
 +</sxh>
 +
 +Now let's set our server's clock
 +
 +<sxh bash;>
 +ntpdate -u a.ntp.br
 +</sxh>
 +
 +Now let's adjust the Kerberos configuration file
 +
 +<sxh bash;>
 +vim /etc/krb5.conf
 +[libdefaults]
 +default_realm = DOUGLAS.LAN
 +krb4_config = /etc/krb.conf
 +krb4_realms = /etc/krb.realms
 +kdc_timesync = 1
 +ccache_type = 4
 +forwardable = true
 +proxiable = true
 +v4_instance_resolve = false
 +v4_name_convert = {
 +host = {
 +rcmd = host
 +ftp = ftp
 +}
 +plain = {
 +something = something-else
 +}
 +}
 +fcc-mit-ticketflags = true
 +[realms]
 +DOUGLAS.LAN = {
 +kdc = 192.168.0.25
 +kdc = 192.168.0.26
 +admin_server = 192.168.0.25:749
 +default_server = 192.168.0.25
 +}
 +[domain_realm]
 +.douglas.lan=DOUGLAS.LAN
 +douglas.lan=DOUGLAS.LAN
 +[login]
 +krb4_convert = true
 +krb4_get_tickets = false
 +[kdc]
 +profile = /etc/krb5kdc/kdc.conf
 +[appdefaults]
 +pam = {
 +debug = false
 +ticket_lifetime = 36000
 +renew_lifetime = 36000
 +forwardable = true
 +krb4_convert = false
 +}
 +[logging]
 +default = file:/var/log/krb5libs.log
 +kdc = file:/var/log/krb5kdc.log
 +admin_server = file:/var/log/kadmind.log
 +</sxh>
 +
 +Now let's adjust limits.conf
 +
 +<sxh bash;>
 +vim /etc/security/limits.conf
 +[...]
 +# add at the end of the file
 +root hard nofile 131072
 +root soft nofile 65536
 +mioutente hard nofile 32768
 +mioutente soft nofile 16384
 +</sxh>
 +
 +Now let's adjust smb.conf
 +
 +<sxh bash;>
 +vim /etc/samba/smb.conf
 +[global]
 +        workgroup = DOUGLAS
 +        security = ADS
 +        realm = DOUGLAS.LAN
 +        netbios name = DEBIAN
 +        encrypt passwords = yes
 +        idmap config * : backend = tdb
 +        idmap config * : range = 10000-30000
 +        idmap config DOUGLAS:backend = ad
 +        idmap config DOUGLAS:schema_mode = rfc2307
 +        auth methods = winbind
 +        winbind nss info = rfc2307
 +        winbind trusted domains only = no
 +        winbind use default domain = yes
 +        winbind enum users  = yes
 +        winbind enum groups = yes
 +        template shell = /bin/bash
 +</sxh>
 +
 +Now let's adjust nsswitch.conf
 +
 +<sxh bash;>
 +vim /etc/nsswitch.conf
 +[...]
 +passwd:         compat winbind
 +group:          compat winbind
 +</sxh>
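Before restarting the services and joining the domain it is worth checking that the three files just written agree with each other. The script below is an added example and not part of the original page: it parses abridged, constructed copies of the smb.conf, krb5.conf and nsswitch.conf above (the function names parse_smb, parse_krb5 and check_client_config are mine) and reports a realm that differs between smb.conf and krb5.conf or is not upper case, an idmap backend without a UID/GID range or with ranges that overlap, and a name service database that does not consult winbind. Run against the page's own smb.conf it reports that idmap config DOUGLAS:backend = ad has no matching idmap config DOUGLAS:range; how winbind treats a missing per-domain range depends on the Samba version in use, so that finding is something to verify on the client rather than a statement taken from the page.

```python
"""Consistency checks for a Samba AD domain-member client (added example).
Parses abridged copies of the smb.conf, krb5.conf and nsswitch.conf written
above and reports settings that would break winbind/Kerberos logins."""
import re

# Constructed, abridged copies of the page's files (not read from disk).
SMB_CONF = """[global]
        workgroup = DOUGLAS
        security = ADS
        realm = DOUGLAS.LAN
        idmap config * : backend = tdb
        idmap config * : range = 10000-30000
        idmap config DOUGLAS:backend = ad
        idmap config DOUGLAS:schema_mode = rfc2307
"""
KRB5_CONF = """[libdefaults]
default_realm = DOUGLAS.LAN
[realms]
DOUGLAS.LAN = {
kdc = 192.168.0.25
kdc = 192.168.0.26
admin_server = 192.168.0.25:749
}
"""
NSSWITCH = "passwd:         compat winbind\ngroup:            compat winbind\n"

def parse_smb(text):
    """smb.conf -> {section: {key: value}}. Keys are lower-cased and spacing
    around ':' in idmap keys is normalised, since Samba accepts both
    'DOUGLAS : range' and 'DOUGLAS:range' (the page's file mixes them)."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].split(';', 1)[0].strip()
        if line.startswith('[') and line.endswith(']'):
            section = conf.setdefault(line[1:-1].strip().lower(), {})
        elif '=' in line and section is not None:
            key, value = (p.strip() for p in line.split('=', 1))
            section[re.sub(r'\s*:\s*', ':', key.lower())] = value
    return conf

def parse_krb5(text):
    """krb5.conf -> nested dicts; '{' opens a sub-block and a key repeated in
    one block (several 'kdc' lines) becomes a list."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        if line.startswith('[') and line.endswith(']') and len(stack) <= 1:
            stack = [root.setdefault(line[1:-1].strip().lower(), {})]
        elif line == '}':
            stack.pop()
        elif stack:
            key, _, value = (p.strip() for p in line.partition('='))
            block = stack[-1]
            if value == '{':
                stack.append(block.setdefault(key, {}))
            elif key in block:
                old = block[key]
                block[key] = (old if isinstance(old, list) else [old]) + [value]
            else:
                block[key] = value
    return root

def check_client_config(smb_text, krb5_text, nsswitch_text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    g = parse_smb(smb_text).get('global', {})
    krb5 = parse_krb5(krb5_text)
    realm = g.get('realm', '')
    if g.get('security', '').lower() != 'ads':
        findings.append("smb.conf: 'security' must be ADS for an AD domain member")
    if realm != realm.upper():
        findings.append("smb.conf: realm %r should be upper case" % realm)
    if realm != krb5.get('libdefaults', {}).get('default_realm'):
        findings.append("smb.conf realm and krb5.conf default_realm differ")
    if realm not in krb5.get('realms', {}):
        findings.append("krb5.conf: no [realms] block for %r" % realm)
    # Each idmap backend needs its own UID/GID range and ranges must not
    # overlap, or SIDs from different sources can map onto the same local IDs.
    ranges = {}
    for key in g:
        m = re.match(r'idmap config (.+):backend$', key)
        if not m:
            continue
        rng = g.get('idmap config %s:range' % m.group(1))
        if not rng:
            findings.append("smb.conf: idmap backend for %r has no range" % m.group(1))
        else:
            low, high = (int(x) for x in rng.split('-'))
            ranges[m.group(1)] = (low, high)
    ordered = sorted(ranges, key=ranges.get)
    for a, b in zip(ordered, ordered[1:]):
        if ranges[a][1] >= ranges[b][0]:
            findings.append("smb.conf: idmap ranges of %r and %r overlap" % (a, b))
    for db in ('passwd', 'group'):
        m = re.search(r'^%s:\s*(.*)$' % db, nsswitch_text, re.M)
        if 'winbind' not in (m.group(1).split() if m else []):
            findings.append("nsswitch.conf: %r does not consult winbind" % db)
    return findings

if __name__ == '__main__':
    for line in check_client_config(SMB_CONF, KRB5_CONF, NSSWITCH) or ['all checks passed']:
        print(line)
```

To run it against the real files, replace the three constructed strings with the contents of /etc/samba/smb.conf, /etc/krb5.conf and /etc/nsswitch.conf; the parsers only need the sections shown here.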
 +
 +Now let's restart the services
 +
 +<sxh bash;>
 +/etc/init.d/samba restart
 +/etc/init.d/winbind restart
 +</sxh>
 +
 +Now let's join the domain
 +
 +<sxh bash;>
 +net ads join douglas.lan -U administrator
 +</sxh>
 +
 +Now let's restart the services again
 +
 +<sxh bash;>
 +/etc/init.d/samba restart
 +/etc/init.d/winbind restart
 +</sxh>
 +
 +Now let's configure PAM
 +
 +Let's adjust the authentication
 +
 +<sxh bash;>
 +vim /etc/pam.d/common-password
 +password        sufficient                      pam_unix.so
 +password        requisite                       pam_krb5.so minimum_uid=1000
 +password        [success=2 default=ignore]      pam_unix.so obscure use_authtok try_first_pass sha512
 +password        [success=1 default=ignore]      pam_winbind.so use_authtok try_first_pass
 +password        requisite                       pam_deny.so
 +password        required                        pam_permit.so
 +</sxh>
 +
 +Let's adjust the user session control so that the home directory is created when the user logs in
 +
 +<sxh bash;>
 +vim /etc/pam.d/common-session
 +session [default=1]                     pam_permit.so
 +session requisite                       pam_deny.so
 +session required                        pam_permit.so
 +session required                        pam_unix.so
 +session optional                        pam_winbind.so
 +session optional                        pam_mkhomedir.so skel=/etc/skel umask=0027
 +</sxh>
 +
 +Now let's test the connection to winbind
 +
 +<sxh bash;>
 +wbinfo -t
 +checking the trust secret for domain DOUGLAS via RPC calls succeeded
 +</sxh>
 +
 +Now let's list the domain users
 +
 +<sxh bash;>
 +wbinfo -u
 +douglas.santos
 +administrator
 +dns-nodo1
 +krbtgt
 +guest
 +</sxh>
 +
 +Let's list the groups
 +
 +<sxh bash;>
 +wbinfo -g
 +allowed rodc password replication group
 +enterprise read-only domain controllers
 +denied rodc password replication group
 +ti-admin
 +read-only domain controllers
 +group policy creator owners
 +ras and ias servers
 +domain controllers
 +enterprise admins
 +domain computers
 +cert publishers
 +dnsupdateproxy
 +domain admins
 +domain guests
 +schema admins
 +domain users
 +dnsadmins
 +</sxh>
 +
 +Now let's test SSH access to this client
 +
 +<sxh bash;>
 +ssh douglas.santos@192.168.0.52
 +douglas.santos@192.168.0.52's password:
 +Creating directory '/home/DOUGLAS/douglas.santos'.
 +Linux debian 3.2.0-4-amd64 #1 SMP Debian 3.2.46-1 x86_64
 +
 +The programs included with the Debian GNU/Linux system are free software;
 +the exact distribution terms for each program are described in the
 +individual files in /usr/share/doc/*/copyright.
 +
 +Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
 +permitted by applicable law.
 +[10:35:45] douglas.santos@debian [~] $
 +</sxh>
 +
 +In the authentication logs we will see something like this
 +
 +<sxh bash;>
 +tail -f /var/log/auth.log
 +Aug 27 10:35:44 debian sshd[4852]: pam_krb5(sshd:auth): user douglas.santos authenticated as douglas.santos@DOUGLAS.LAN
 +Aug 27 10:35:44 debian sshd[4852]: Accepted password for douglas.santos from 192.168.0.130 port 51197 ssh2
 +Aug 27 10:35:44 debian sshd[4852]: pam_unix(sshd:session): session opened for user douglas.santos by (uid=0)
 +</sxh>
 +
 +The client is authenticating successfully :D
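The /var/log/secure output from the CentOS client earlier on this page and the auth.log output from this Debian client both record which PAM module granted access and, on the CentOS side, which pam_succeed_if group requirement let the account through. The script below is an added example, not code from the page: it parses constructed log lines modelled on that output (the guest session, the failed attempt and the addresses 192.168.0.131 and 192.168.0.140 are made up; parse_sessions, review_sessions and accepted_by_module are my names), groups the lines per sshd process and reports an accepted login that satisfied none of the configured group requirements, an accepted login with no pam_winbind or pam_krb5 grant at all, and failed password attempts.

```python
"""Review sshd/PAM authentication logs from domain-member clients (added example).
Parses lines like those shown from /var/log/secure (CentOS) and /var/log/auth.log
(Debian), groups them per sshd process and reports logins that deserve a look."""
import re

# Constructed sample lines modelled on the page's log output; the 'guest'
# session, the failed attempt and the .131/.140 addresses are made up.
SAMPLE_LOG = """\
Aug 27 10:38:55 centos sshd[13906]: pam_winbind(sshd:auth): getting password (0x00000000)
Aug 27 10:38:56 centos sshd[13906]: pam_winbind(sshd:auth): user 'douglas.santos' granted access
Aug 27 10:39:32 centos sshd[13906]: pam_succeed_if(sshd:account): requirement "user ingroup root" not met by user "douglas.santos"
Aug 27 10:39:32 centos sshd[13906]: pam_winbind(sshd:account): user 'douglas.santos' granted access
Aug 27 10:39:35 centos sshd[13906]: pam_succeed_if(sshd:account): requirement "user ingroup ti-admin" was met by user "douglas.santos"
Aug 27 10:39:35 centos sshd[13906]: Accepted password for douglas.santos from 192.168.0.130 port 46470 ssh2
Aug 27 10:39:50 centos sshd[13906]: pam_unix(sshd:session): session opened for user douglas.santos by (uid=0)
Aug 27 10:41:02 centos sshd[13950]: pam_winbind(sshd:auth): user 'guest' granted access
Aug 27 10:41:02 centos sshd[13950]: pam_succeed_if(sshd:account): requirement "user ingroup root" not met by user "guest"
Aug 27 10:41:02 centos sshd[13950]: pam_succeed_if(sshd:account): requirement "user ingroup ti-admin" not met by user "guest"
Aug 27 10:41:03 centos sshd[13950]: Accepted password for guest from 192.168.0.131 port 46480 ssh2
Aug 27 10:35:44 debian sshd[4852]: pam_krb5(sshd:auth): user douglas.santos authenticated as douglas.santos@DOUGLAS.LAN
Aug 27 10:35:44 debian sshd[4852]: Accepted password for douglas.santos from 192.168.0.130 port 51197 ssh2
Aug 27 10:35:44 debian sshd[4852]: pam_unix(sshd:session): session opened for user douglas.santos by (uid=0)
Aug 27 10:36:10 debian sshd[4870]: Failed password for douglas.santos from 192.168.0.140 port 51200 ssh2
"""

LINE_RE = re.compile(r'^\w{3} +\d+ [\d:]+ (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$')
GRANT_RE = re.compile(r"^(?P<module>pam_winbind|pam_krb5)\(sshd:auth\): user '?(?P<user>[^' ]+)'? "
                      r"(?:granted access|authenticated as (?P<principal>\S+))")
REQ_RE = re.compile(r'^pam_succeed_if\(sshd:account\): requirement "(?P<req>[^"]+)" '
                    r'(?P<result>was met|not met) by user')
RESULT_RE = re.compile(r'^(?P<outcome>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)')

def parse_sessions(text):
    """Group log lines per (host, sshd pid) into session records."""
    sessions = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key = (m.group('host'), int(m.group('pid')))
        s = sessions.setdefault(key, {'host': key[0], 'pid': key[1], 'user': None,
                                      'ip': None, 'auth_module': None, 'principal': None,
                                      'requirements': [], 'accepted': False, 'failed': False})
        msg = m.group('msg')
        g, r, o = GRANT_RE.match(msg), REQ_RE.match(msg), RESULT_RE.match(msg)
        if g:
            s.update(user=g.group('user'), auth_module=g.group('module'),
                     principal=g.group('principal'))
        elif r:
            s['requirements'].append((r.group('req'), r.group('result') == 'was met'))
        elif o:
            s.update(user=o.group('user'), ip=o.group('ip'))
            s['accepted' if o.group('outcome') == 'Accepted' else 'failed'] = True
    return sessions

def review_sessions(sessions):
    """Return findings: accepted logins that satisfied none of the configured
    pam_succeed_if group requirements (the account stack is letting through
    users it was meant to restrict), accepted logins with no domain auth
    grant at all, and failed password attempts."""
    findings = []
    for s in sessions.values():
        who = '%s on %s sshd[%d]' % (s['user'], s['host'], s['pid'])
        if s['accepted'] and s['requirements'] and not any(met for _, met in s['requirements']):
            findings.append('%s accepted although no group requirement was met (%s)'
                            % (who, '; '.join(req for req, _ in s['requirements'])))
        if s['accepted'] and s['auth_module'] is None:
            findings.append('%s accepted without a pam_winbind/pam_krb5 grant' % who)
        if s['failed']:
            findings.append('%s: failed password from %s' % (who, s['ip']))
    return findings

def accepted_by_module(sessions):
    """Count accepted logins per domain auth module (None = no grant seen)."""
    counts = {}
    for s in sessions.values():
        if s['accepted']:
            counts[s['auth_module']] = counts.get(s['auth_module'], 0) + 1
    return counts

if __name__ == '__main__':
    sessions = parse_sessions(SAMPLE_LOG)
    print(accepted_by_module(sessions))
    for finding in review_sessions(sessions):
        print(finding)
```

Feeding it a real file (for example the output of `tail -n 5000 /var/log/auth.log`) works as-is; lines from other daemons are ignored because LINE_RE only accepts sshd records, and the sshd PID is what ties the pam_winbind, pam_succeed_if and Accepted/Failed lines of one login together.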
 +