PAM, NIS, LDAP, Kerberos, DS and Samba 4 AD-DC - SMB Networks

General index of the series: Computer Networks for SMEs: Introduction

Hello friends and friends!

With this article I say goodbye to the Community DesdeLinux. A special farewell for a Special Community. From now on I will be in my personal project which you can see at http://www.gigainside.com.

The main objective of the post is to offer a «Big Picture»About the Authentication Services with Free Software that we have at our disposal. At least that is our intention. Therefore it will be long, despite the fact that we know that it is against the general rules of writing articles. We hope the System Administrators appreciate it.

We want to point out that the common protocol to many of the modern authentication systems is the LDAP, and that it is not idle to study it carefully, from the study material that we will find on the official site http://www.openldap.org/.

We will not give detailed definitions - or links - on aspects dealt with in previous articles, or on those whose description can be easily accessible on Wikipedia or other sites or articles on the Internet, so as not to lose the objectivity of the message we want to give. We will also use a valid mix of names in English and Spanish, as we consider that most systems were born with names in English and it is very beneficial for a Sysadmin to assimilate them in their original language.

• PAM: Pluggable Authentication Module.
• NIS: Network_Information_Service.
• LDAP: Lightweight Directory Access Protocol.
• Kerberos: Security protocol to authenticate users, computers and services centrally on a network, verifying their credentials against existing entries in the Kerberos database.
• DS: Directory Server or Directory Service
• AD–DC: Active Directory - Domain Controler

PAM

We dedicate a small series to this type of local authentication, which you will see in daily practice that it is widely used when, for example, we join a workstation to a Domain Controller or an Active Directory; to map users stored in external LDAP databases as if they were local users; to map users stored in the Domain Controller of an Active Directory as if they were local users, and so on.

• Squid + PAM Authentication on CentOS 7.
• Local user and group management
• Authoritative DNS Server NSD + Shorewall
• Prosody IM and local users
• Postfix + Dovecot + Squirrelmail and local users
  

NIS

De Wikipedia:

• Network Information System (known by its acronym NIS, which in Spanish means Network Information System), is the name of a client-server directory services protocol developed by Sun Microsystems for sending configuration data in distributed systems such as names of users and hosts between computers on a network.NIS is based on ONC RPC, and consists of a server, a client-side library, and various administration tools.

  NIS was originally called the Yellow Pages, or YP, which is still used to refer to it. Unfortunately, that name is a trademark of British Telecom, which required Sun to drop that name. However YP remains a prefix in the names of most NIS-related commands, such as ypserv and ypbind.

  DNS serves a limited range of information, the most important being the correspondence between the node name and the IP address. For other types of information, there is no such specialized service. On the other hand, if you only manage a small LAN without Internet connectivity, it doesn't seem worth setting up DNS. This is why Sun developed the Network Information System (NIS). NIS provides generic database access capabilities that can be used to distribute, for example, the information contained in passwd and groups files to all nodes on your network. This makes the network look like a single system, with the same accounts on all nodes. Similarly, NIS can be used to distribute the node name information contained in / etc / hosts to all machines on the network.

  Today NIS is available in practically all Unix distributions, and there are even free implementations. BSD Net-2 published one that has been derived from a public domain reference implementation donated by Sun. The library code for the client part of this version has existed in the GNU / Linux libc for a long time, and the administration programs were ported to GNU / Linux by Swen Thümmler. However, an NIS server is missing as of the reference implementation.

  Peter Eriksson has developed a new implementation called NYS. It supports both basic NIS and the enhanced version of Sun NIS +. [1] NYS not only provides a number of NIS tools and a server, but also adds a whole new set of library functions that you need to compile into your libc if you want to use them. This includes a new configuration scheme for node name resolution that replaces the current scheme used by the "host.conf" file.

  The GNU libc, known as libc6 in the GNU / Linux community, includes an updated version of the traditional NIS support developed by Thorsten Kukuk. It supports all the library functions provided by NYS, and also uses the advanced NYS configuration scheme. The tools and the server are still needed, but using the GNU libc saves the work of patching and recompiling the library

  .

Computer and domain name, network interface and resolver

• We start from a clean installation -without graphical interface- of a Debian 8 "Jessie". The domain swl.fan means "Fans of Free Software." What better name than this?.

root @ master: ~ # hostname
master
root @ master: ~ # hostname -f
master.swl.fan

root @ master: ~ # ip addr 1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default link / loopback 00: 00: 00: 00: 00: 00 brd 00: 00: 00: 00: 00: 00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 :: 1/128 scope host valid_lft forever preferred_lft forever 2: eth0: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 link / ether 00: 0c: 29: 4c: 76: d9 brd ff: ff: ff: ff: ff: ff inet 192.168.10.5/24 brd 192.168.10.255 scope global eth0 valid_lft forever preferred_lft forever inet6 fe80 :: 20c: 29ff: fe4c: 76d9 / 64 scope link valid_lft forever preferred_lft forever

root @ master: ~ # cat /etc/resolv.conf 
search swl.fan nameserver 127.0.0.1

Installation of bind9, isc-dhcp-server and ntp

bind9

root @ master: ~ # aptitude install bind9 bind9-doc Nmap
root @ master: ~ # systemctl status bind9

root @ master: ~ # nano /etc/bind/named.conf
include "/etc/bind/named.conf.options"; include "/etc/bind/named.conf.local"; include "/etc/bind/named.conf.default-zones";

root @ master: ~ # cp /etc/bind/named.conf.options \ /etc/bind/named.conf.options.original

root @ master: ~ # nano /etc/bind/named.conf.options
options {directory "/ var / cache / bind"; // If there is a firewall between you and nameservers you want // to talk to, you may need to fix the firewall to allow multiple // ports to talk. See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable // nameservers, you probably want to use them as forwarders. // Uncomment the following block, and insert the addresses replacing // the all-0's placeholder. // forwarders {// 0.0.0.0; //}; // =============================================== ===================== $ // If BIND logs error messages about the root key being expired, // you will need to update your keys. See https://www.isc.org/bind-keys
        // =============================================== ===================== $ // We don't want DNSSEC
        dnssec-enable no;
        // dnssec-validation auto; auth-nxdomain no; # conform to RFC1035 listen-on-v6 {any; }; // For checks from localhost and sysadmin // through dig swl.fan axfr // We don't have Slave DNS ... until now
        allow-transfer {localhost; 192.168.10.1; };
}; root @ master: ~ # named-checkconf

root @ master: ~ # nano /etc/bind/zones.rfcFreeBSD
// Shared Address Space (RFC 6598)
zone "64.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "65.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "66.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "67.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "68.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "69.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "70.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "71.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "72.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "73.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "74.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "75.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "76.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "77.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "78.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "79.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "80.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "81.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "82.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "83.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "84.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "85.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "86.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "87.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "88.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "89.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "90.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "91.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "92.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "93.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "94.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "95.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "96.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "97.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "98.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "99.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "100.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "101.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "102.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "103.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "104.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "105.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "106.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "107.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "108.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "109.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "110.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "111.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "112.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "113.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "114.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "115.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "116.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "117.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "118.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "119.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "120.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "121.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "122.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "123.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "124.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "125.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "126.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "127.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };

// Link-local / APIPA (RFCs 3927, 5735 and 6303)
zone "254.169.in-addr.arpa" {type master; file "/etc/bind/db.empty"; };

// IETF protocol assignments (RFCs 5735 and 5736)
zone "0.0.192.in-addr.arpa" {type master; file "/etc/bind/db.empty"; };

// TEST-NET- [1-3] for Documentation (RFCs 5735, 5737 and 6303)
zone "2.0.192.in-addr.arpa" {type master; file "/etc/bind/db.empty"; }; zone "100.51.198.in-addr.arpa" {type master; file "/etc/bind/db.empty"; }; zone "113.0.203.in-addr.arpa" {type master; file "/etc/bind/db.empty"; };

// IPv6 Example Range for Documentation (RFCs 3849 and 6303)
zone "8.bd0.1.0.0.2.ip6.arpa" {type master; file "/etc/bind/db.empty"; };

// Domain Names for Documentation and Testing (BCP 32)
zone "test" {type master; file "/etc/bind/db.empty"; }; zone "example" {type master; file "/etc/bind/db.empty"; }; zone "invalid" {type master; file "/etc/bind/db.empty"; }; zone "example.com" {type master; file "/etc/bind/db.empty"; }; zone "example.net" {type master; file "/etc/bind/db.empty"; }; zone "example.org" {type master; file "/etc/bind/db.empty"; };

// Router Benchmark Testing (RFCs 2544 and 5735)
zone "18.198.in-addr.arpa" {type master; file "/etc/bind/db.empty"; }; zone "19.198.in-addr.arpa" {type master; file "/etc/bind/db.empty"; };

// IANA Reserved - Old Class E Space (RFC 5735)
zone "240.in-addr.arpa" {type master; file "/etc/bind/db.empty"; }; zone "241.in-addr.arpa" {type master; file "/etc/bind/db.empty"; }; zone "242.in-addr.arpa" {type master; file "/etc/bind/db.empty"; }; zone "243.in-addr.arpa" {type master; file "/etc/bind/db.empty"; }; zone "244.in-addr.arpa" {type master; file "/etc/bind/db.empty"; }; zone "245.in-addr.arpa" {type master; file "/etc/bind/db.empty"; }; zone "246.in-addr.arpa" {type master; file "/etc/bind/db.empty"; }; zone "247.in-addr.arpa" {type master; file "/etc/bind/db.empty"; }; zone "248.in-addr.arpa" {type master; file "/etc/bind/db.empty"; }; zone "249.in-addr.arpa" {type master; file "/etc/bind/db.empty"; }; zone "250.in-addr.arpa" {type master; file "/etc/bind/db.empty"; }; zone "251.in-addr.arpa" {type master; file "/etc/bind/db.empty"; }; zone "252.in-addr.arpa" {type master; file "/etc/bind/db.empty"; }; zone "253.in-addr.arpa" {type master; file "/etc/bind/db.empty"; }; zone "254.in-addr.arpa" {type master; file "/etc/bind/db.empty"; };

// IPv6 Unassigned Addresses (RFC 4291)
zone "1.ip6.arpa" {type master; file "/etc/bind/db.empty"; }; zone "3.ip6.arpa" {type master; file "/etc/bind/db.empty"; }; zone "4.ip6.arpa" {type master; file "/etc/bind/db.empty"; }; zone "5.ip6.arpa" {type master; file "/etc/bind/db.empty"; }; zone "6.ip6.arpa" {type master; file "/etc/bind/db.empty"; }; zone "7.ip6.arpa" {type master; file "/etc/bind/db.empty"; }; zone "8.ip6.arpa" {type master; file "/etc/bind/db.empty"; }; zone "9.ip6.arpa" {type master; file "/etc/bind/db.empty"; }; zone "a.ip6.arpa" {type master; file "/etc/bind/db.empty"; }; zone "b.ip6.arpa" {type master; file "/etc/bind/db.empty"; }; zone "c.ip6.arpa" {type master; file "/etc/bind/db.empty"; }; zone "d.ip6.arpa" {type master; file "/etc/bind/db.empty"; }; zone "e.ip6.arpa" {type master; file "/etc/bind/db.empty"; }; zone "0.f.ip6.arpa" {type master; file "/etc/bind/db.empty"; }; zone "1.f.ip6.arpa" {type master; file "/etc/bind/db.empty"; }; zone "2.f.ip6.arpa" {type master; file "/etc/bind/db.empty"; }; zone "3.f.ip6.arpa" {type master; file "/etc/bind/db.empty"; }; zone "4.f.ip6.arpa" {type master; file "/etc/bind/db.empty"; }; zone "5.f.ip6.arpa" {type master; file "/etc/bind/db.empty"; }; zone "6.f.ip6.arpa" {type master; file "/etc/bind/db.empty"; }; zone "7.f.ip6.arpa" {type master; file "/etc/bind/db.empty"; }; zone "8.f.ip6.arpa" {type master; file "/etc/bind/db.empty"; }; zone "9.f.ip6.arpa" {type master; file "/etc/bind/db.empty"; }; zone "afip6.arpa" {type master; file "/etc/bind/db.empty"; }; zone "bfip6.arpa" {type master; file "/etc/bind/db.empty"; }; zone "0.efip6.arpa" {type master; file "/etc/bind/db.empty"; }; zone "1.efip6.arpa" {type master; file "/etc/bind/db.empty"; }; zone "2.efip6.arpa" {type master; file "/etc/bind/db.empty"; }; zone "3.efip6.arpa" {type master; file "/etc/bind/db.empty"; }; zone "4.efip6.arpa" {type master; file "/etc/bind/db.empty"; }; zone "5.efip6.arpa" {type master; file "/etc/bind/db.empty"; }; zone "6.efip6.arpa" {type master; file "/etc/bind/db.empty"; }; zone "7.efip6.arpa" {type master; file "/etc/bind/db.empty"; };

// IPv6 ULA (RFCs 4193 and 6303)
zone "cfip6.arpa" {type master; file "/etc/bind/db.empty"; }; zone "dfip6.arpa" {type master; file "/etc/bind/db.empty"; };

// IPv6 Link-Local (RFCs 4291 and 6303)
zone "8.efip6.arpa" {type master; file "/etc/bind/db.empty"; }; zone "9.efip6.arpa" {type master; file "/etc/bind/db.empty"; }; zone "aefip6.arpa" {type master; file "/etc/bind/db.empty"; }; zone "befip6.arpa" {type master; file "/etc/bind/db.empty"; };

// IPv6 Deprecated Site-Local Addresses (RFCs 3879 and 6303)
zone "cefip6.arpa" {type master; file "/etc/bind/db.empty"; }; zone "defip6.arpa" {type master; file "/etc/bind/db.empty"; }; zone "eefip6.arpa" {type master; file "/etc/bind/db.empty"; }; zone "fefip6.arpa" {type master; file "/etc/bind/db.empty"; };

// IP6.INT is Deprecated (RFC 4159)
zone "ip6.int" {type master; file "/etc/bind/db.empty"; };

root @ master: ~ # nano /etc/bind/named.conf.local
// // Do any local configuration here // // Consider adding the 1918 zones here, if they are not used in your // organization include "/etc/bind/zones.rfc1918";
include "/etc/bind/zones.rfcFreeBSD";

// Declaration of the name, type, location, and update permission // of the DNS Record Zones // Both Zones are MASTER zone "swl.fan" {type master; file "/var/lib/bind/db.swl.fan"; }; zone "10.168.192.in-addr.arpa" {type master; file "/var/lib/bind/db.10.168.192.in-addr.arpa"; };

root @ master: ~ # named-checkconf

root @ master: ~ # nano /var/lib/bind/db.swl.fan
$ TTL 3H @ IN SOA master.swl.fan. root.master.swl.fan. (1; serial 1D; refresh 1H; retry 1W; expire 3H); minimum or; Negative caching time to live; @ IN NS master.swl.fan. @ IN MX 10 mail.swl.fan. @ IN A 192.168.10.5 @ IN TXT "For Fans of Free Software"; sysadmin IN A 192.168.10.1 fileserver IN A 192.168.10.4 master IN A 192.168.10.5 proxyweb IN A 192.168.10.6 blog IN A 192.168.10.7 ftpserver IN A 192.168.10.8 mail IN A 192.168.10.9

root @ master: ~ # nano /var/lib/bind/db.10.168.192.in-addr.arpa
$ TTL 3H @ IN SOA master.swl.fan. root.master.swl.fan. (1; serial 1D; refresh 1H; retry 1W; expire 3H); minimum or; Negative caching time to live; @ IN NS master.swl.fan. ; 1 IN PTR sysadmin.swl.fan. 4 IN PTR fileserver.swl.fan. 5 IN PTR master.swl.fan. 6 IN PTR proxyweb.swl.fan. 7 IN PTR blog.swl.fan. 8 IN PTR ftpserver.swl.fan. 9 IN PTR mail.swl.fan.

root @ master: ~ # named-checkzone swl.fan /var/lib/bind/db.swl.fan
zone swl.fan/IN: loaded serial 1 OK
root @ master: ~ # named-checkzone 10.168.192.in-addr.arpa /var/lib/bind/db.10.168.192.in-addr.arpa
zone 10.168.192.in-addr.arpa/IN: loaded serial 1 OK

root @ master: ~ # named-checkconf -zp
root @ master: ~ # systemctl restart bind9.service
root @ master: ~ # systemctl status bind9.service

Bind9 checks

root @ master: ~ # dig swl.fan axfr
root @ master: ~ # dig 10.168.192.in-addr.arpa axfr
root @ master: ~ # dig IN SOA swl.fan
root @ master: ~ # dig IN NS swl.fan
root @ master: ~ # dig IN MX swl.fan
root @ master: ~ # proxyweb host root @ master: ~ # nping --tcp -p 53 -c 3 localhost
root @ master: ~ # nping --udp -p 53 -c 3 localhost
root @ master: ~ # nping --tcp -p 53 -c 3 master.swl.fan
root @ master: ~ # nping --udp -p 53 -c 3 master.swl.fan
Starting Nping 0.6.47 ( http://nmap.org/nping ) at 2017-05-27 09:32 EDT SENT (0.0037s) UDP 192.168.10.5:53> 192.168.10.245:53 ttl = 64 id = 20743 iplen = 28 SENT (1.0044s) UDP 192.168.10.5:53> 192.168.10.245 .53: 64 ttl = 20743 id = 28 iplen = 2.0060 SENT (192.168.10.5s) UDP 53:192.168.10.245> 53:64 ttl = 20743 id = 28 iplen = 3 Max rtt: N / A | Min rtt: N / A | Avg rtt: N / A Raw packets sent: 84 (0B) | Rcvd: 0 (3B) | Lost: 100.00 (1%) Nping done: 3.01 IP address pinged in XNUMX seconds 

isc-dhcp-server

root @ master: ~ # aptitude install isc-dhcp-server
root @ master: ~ # nano / etc / default / isc-dhcp-server
# On what interfaces should the DHCP server (dhcpd) serve DHCP requests? # Separate multiple interfaces with spaces, eg "eth0 eth1".
INTERFACES = "eth0"

root @ master: ~ # dnssec-keygen -a HMAC-MD5 -b 128 -r / dev / urandom -n USER dhcp-key
root @ master: ~ # cat Kdhcp-key. +157 + 51777.private 
Private-key-format: v1.3 Algorithm: 157 (HMAC_MD5) Key: Ba9GVadq4vOCixjPN94dCQ == Bits: AAA = Created: 20170527133656 Publish: 20170527133656 Activate: 20170527133656

root @ master: ~ # nano dhcp.key
key dhcp-key {
        algorithm hmac-md5;
        secret "Ba9GVadq4vOCixjPN94dCQ == ";
}; root @ master: ~ # install -o root -g bind -m 0640 dhcp.key /etc/bind/dhcp.key root @ master: ~ # install -o root -g root -m 0640 dhcp.key / etc / dhcp /dhcp.key root @ master: ~ # nano /etc/bind/named.conf.local
include "/etc/bind/dhcp.key";

zone "swl.fan" {type master; file "/var/lib/bind/db.swl.fan";
        allow-update {key dhcp-key; };
}; zone "10.168.192.in-addr.arpa" {type master; file "/var/lib/bind/db.10.168.192.in-addr.arpa";
        allow-update {key dhcp-key; };
};

root @ master: ~ # named-checkconf

root @ master: ~ # mv /etc/dhcp/dhcpd.conf /etc/dhcp/dhcpd.conf.original
root @ master: ~ # nano /etc/dhcp/dhcpd.conf
ddns-update-style interim; ddns-updates on; ddns-domainname "swl.fan."; ddns-rev-domainname "in-addr.arpa."; ignore client-updates; update-optimization false; # May be required on Debian authoritative; option ip-forwarding off; option domain-name "swl.fan"; include "/etc/dhcp/dhcp.key"; zone swl.fan. {primary 127.0.0.1; key dhcp-key; } zone 10.168.192.in-addr.arpa. {primary 127.0.0.1; key dhcp-key; } shared-network redlocal {subnet 192.168.10.0 netmask 255.255.255.0 {option routers 192.168.10.1; option subnet-mask 255.255.255.0; option broadcast-address 192.168.10.255; option domain-name-servers 192.168.10.5; option netbios-name-servers 192.168.10.5; option ntp-servers 192.168.10.5; option time-servers 192.168.10.5; range 192.168.10.30 192.168.10.250; }}

root @ master: ~ # dhcpd -t
Internet Systems Consortium DHCP Server 4.3.1 Copyright 2004-2014 Internet Systems Consortium. All rights reserved. For info, please visit https://www.isc.org/software/dhcp/
Config file: /etc/dhcp/dhcpd.conf Database file: /var/lib/dhcp/dhcpd.leases PID file: /var/run/dhcpd.pid

root @ master: ~ # systemctl restart bind9.service 
root @ master: ~ # systemctl status bind9.service 

root @ master: ~ # systemctl start isc-dhcp-server.service
root @ master: ~ # systemctl status isc-dhcp-server.service

Ntp

root @ master: ~ # aptitude install ntp ntpdate
root @ master: ~ # cp /etc/ntp.conf /etc/ntp.conf.original
root @ master: ~ # nano /etc/ntp.conf
driftfile /var/lib/ntp/ntp.drift statistics loopstats peerstats clockstats filegen loopstats file loopstats type day enable filegen peerstats file peerstats type day enable filegen clockstats file clockstats type day enable server 192.168.10.1 restrict -4 default kod notrap nomodify nopeer noquery restrict -6 default kod notrap nomodify nopeer noquery restrict 127.0.0.1 restrict :: 1 broadcast 192.168.10.255

root @ master: ~ # systemctl restart ntp.service 
root @ master: ~ # systemctl status ntp.service
root @ master: ~ # ntpdate -u sysadmin.swl.fan
27 May 10:04:01 ntpdate [18769]: adjust time server 192.168.10.1 offset 0.369354 sec

Global checks for ntp, bind9, and isc-dhcp-server

From a Linux, BSD, Mac OS, or Windows client check that the time is synchronized correctly. That it acquires a dynamic IP address and that the name of that host is resolved through direct and reverse DNS queries. Change the customer name and redo all the checks. Do not proceed until you are certain that the services installed so far are working correctly. For something we wrote all the articles about DNS and DHCP in Computer Networks for SMEs.

NIS Server Installation

root @ master: ~ # aptitude show nis
Conflicts with: netstd (<= 1.26) Description: clients and daemons for the Network Information Service (NIS) This package provides tools for setting up and maintaining a NIS domain. NIS, originally known as Yellow Pages (YP), is mostly used to let several machines in a network share the same account information, such as the password file.

root @ master: ~ # aptitude install nis
Package Configuration ┌─────────────────────────┤ Nis Configuration ├──────────────── ──────────┐ │ Choose the NIS "domain name" for this system. If you want this │ │ machine to be just a client, you should enter the name of the │ │ NIS domain you want to join. │ │ │ │ Alternatively, if this machine is to be an NIS server, you can │ │ enter a new NIS "domain name" or the name of an existing NIS │ │ domain. │ │ │ │ NIS Domain: │ │ │ │ swl.fan __________________________________________________________________ │ │ │ │ │ │ │ └────────────────────────────────────────────── ─────────────────────────────┘  

It will delay yours because the service configuration does not exist as such. Please wait for the process to finish.

root @ master: ~ # nano / etc / default / nis
# Are we a NIS server and if so what kind (values: false, slave, master)?
NISSERVER = master

root @ master: ~ # nano /etc/ypserv.securenets # securenets This file defines the access rights to your NIS server # for NIS clients (and slave servers - ypxfrd uses this # file too). This file contains netmask / network pairs. # A clients IP address needs to match with at least one # of those. # # One can use the word "host" instead of a netmask of # 255.255.255.255. Only IP addresses are allowed in this # file, not hostnames. # # Always allow access for localhost 255.0.0.0 127.0.0.0 # This line gives access to everybody. PLEASE ADJUST! # 0.0.0.0 0.0.0.0
255.255.255.0 192.168.10.0

root @ master: ~ # nano / var / yp / Makefile # Should we merge the passwd file with the shadow file? # MERGE_PASSWD = true | false
MERGE_PASSWD = true

# Should we merge the group file with the gshadow file? # MERGE_GROUP = true | false
MERGE_GROUP = true

We build the NIS database

root @ master: ~ # / usr / lib / yp / ypinit -m
At this point, we have to construct a list of the hosts which will run NIS servers. master.swl.fan is in the list of NIS server hosts. Please continue to add the names for the other hosts, one per line. When you are done with the list, type a . next host to add: master.swl.fan next host to add: The current list of NIS servers looks like this: master.swl.fan Is this correct? [y / n: y] We need a few minutes to build the databases ... make [1]: Leaving directory '/var/yp/swl.fan' master.swl.fan has been set up as a NIS master server . Now you can run ypinit -s master.swl.fan on all slave server.

root @ master: ~ # systemctl restart nis
root @ master: ~ # systemctl status nis

We add local users

root @ master: ~ # adduser bilbo
Adding the user `bilbo '... Adding the new group` bilbo' (1001) ... Adding the new user `bilbo '(1001) with group` bilbo' ... Creating the home directory `/ home / bilbo ' ... Copying files from `/ etc / skel '... Enter the new UNIX password: Retype the new UNIX password: passwd: password updated correctly Changing the user information for bilbo Enter the new value, or press ENTER to use the default Full Name []: Bilbo Bagins Room Number []: Work Phone []: Home Phone []: Other []: Is the information correct? [Y / n]

root @ master: ~ # adduser strides root @ master: ~ # adduser legolas

and so on.

root @ master: ~ # finger legolas
Login: legolas Name: Legolas Archer Directory: / home / legolas Shell: / bin / bash Never logged in. No mail. No Plan.

We update the NIS database

root @ master: / var / yp # make
make [1]: Entering directory '/var/yp/swl.fan' Updating passwd.byname ... Updating passwd.byuid ... Updating group.byname ... Updating group.bygid ... Updating netid.byname. .. Updating shadow.byname ... Ignored -> merged with passwd make [1]: Leaving directory '/var/yp/swl.fan'

We add NIS options to the isc-dhcp-server

root @ master: ~ # nano /etc/dhcp/dhcpd.conf
ddns-update-style interim; ddns-updates on; ddns-domainname "swl.fan."; ddns-rev-domainname "in-addr.arpa."; ignore client-updates; update-optimization false; authoritative; option ip-forwarding off; option domain-name "swl.fan"; include "/etc/dhcp/dhcp.key"; zone swl.fan. {primary 127.0.0.1; key dhcp-key; } zone 10.168.192.in-addr.arpa. {primary 127.0.0.1; key dhcp-key; } shared-network redlocal {subnet 192.168.10.0 netmask 255.255.255.0 {option routers 192.168.10.1; option subnet-mask 255.255.255.0; option broadcast-address 192.168.10.255; option domain-name-servers 192.168.10.5; option netbios-name-servers 192.168.10.5; option ntp-servers 192.168.10.5; option time-servers 192.168.10.5;
                option nis-domain "swl.fan";
                option nis-servers 192.168.10.5;
                range 192.168.10.30 192.168.10.250; }}

root @ master: ~ # dhcpd -t
root @ master: ~ # systemctl restart isc-dhcp-server.service

NIS Client Installation

• We start from a clean installation -without graphical interface- of a Debian 8 "Jessie".

root @ mail: ~ # hostname -f
mail.swl.fan

root @ mail: ~ # ip addr
2: eth0: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 link / ether 00: 0c: 29: 25: 1f: 54 brd ff: ff: ff: ff: ff: ff
    inet 192.168.10.9 / 24 brd 192.168.10.255 scope global eth0

root @ mail: ~ # aptitude install nis
root @ mail: ~ # nano /etc/yp.conf # # yp.conf Configuration file for the ypbind process. You can define # NIS servers manually here if they can't be found by # broadcasting on the local net (which is the default). # # See the manual page of ypbind for the syntax of this file. # # IMPORTANT: For the "ypserver", use IP addresses, or make sure that # the host is in / etc / hosts. This file is only interpreted # once, and if DNS isn't reachable yet the ypserver cannot # be resolved and ypbind won't ever bind to the server. # ypserver ypserver.network.com ypserver master.swl.fan domain swl.fan

root @ mail: ~ # nano /etc/nsswitch.conf
# /etc/nsswitch.conf # # Example configuration of GNU Name Service Switch functionality. # If you have the `glibc-doc-reference 'and` info' packages installed, try: # `info libc" Name Service Switch "'for information about this file. passwd: compat nis group: compat nis shadow: compat nis gshadow: files hosts: files dns nis networks: files protocols: db files services: db files ethers: db files rpc: db files netgroup: nis

root @ mail: ~ # nano /etc/pam.d/common-session
# pam-auth-update (8) for details.
session optional pam_mkhomedir.so skel = / etc / skel umask = 077
# here are the per-package modules (the "Primary" block)

root @ mail: ~ # systemctl status nis
root @ mail: ~ # systemctl restart nis

We close the session and start it again but with a user registered in the NIS database at master.swl.fan.

root @ mail: ~ # exit
logout Connection to mail closed.

buzz @ sysadmin: ~ $ ssh legolas @ mail
legolas @ mail's password: Creating directory '/ home / legolas'. The programs included with the Debian GNU / Linux system are free software; the exact distribution terms for each program are described in the individual files in / usr / share / doc / * / copyright. Debian GNU / Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.
legolas @ mail: ~ $ pwd
/ home / legolas
legolas @ mail: ~ $ 

We change the password of the legolas user and check

legolas @ mail: ~ $ yppasswd 
Changing NIS account information for legolas on master.swl.fan. Please enter old password: legolas Changing NIS password for legolas on master.swl.fan. Please enter new password: archer The password must have both upper and lowercase letters, or non-letters. Please enter new password: Arquero2017 Please retype new password: Arquero2017 The NIS password has been changed on master.swl.fan.

legolas @ mail: ~ $ exit
logout Connection to mail closed.

buzz @ sysadmin: ~ $ ssh legolas @ mail
legolas @ mail's password: Arquero2017

The programs included with the Debian GNU / Linux system are free software; the exact distribution terms for each program are described in the individual files in / usr / share / doc / * / copyright. Debian GNU / Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. Last login: Sat May 27 12:51:50 2017 from sysadmin.swl.fan
legolas @ mail: ~ $

The NIS Service implemented at the server and client level works correctly.

LDAP

From Wikipedia:

• LDAP is the acronym for Lightweight Directory Access Protocol (in Spanish Lightweight Directory Access Protocol) that refers to an application-level protocol that allows access to an ordered and distributed directory service to search for various information in an environment network. LDAP is also considered a database (although its storage system may be different) that can be queried.A directory is a set of objects with attributes organized in a logical and hierarchical way. The most common example is the telephone directory, which consists of a series of names (persons or organizations) that are arranged alphabetically, with each name having an address and a telephone number attached to it. To understand better, it is a book or folder, in which people's names, telephone numbers and addresses are written, and it is arranged alphabetically.

  An LDAP directory tree sometimes reflects various political, geographic, or organizational boundaries, depending on the model chosen. Current deployments of LDAP tend to use Domain Name System (DNS) names to structure the higher levels of the hierarchy. As you move down the directory, entries may appear that represent people, organizational units, printers, documents, groups of people, or anything that represents a given entry in the tree (or multiple entries).

  Usually, it stores authentication information (user and password) and is used to authenticate, although it is possible to store other information (user contact data, location of various network resources, permissions, certificates, etc.). In summary, LDAP is a unified access protocol to a set of information on a network.

  The current version is LDAPv3, and it is defined in RFCs RFC 2251 and RFC 2256 (LDAP base document), RFC 2829 (authentication method for LDAP), RFC 2830 (extension for TLS), and RFC 3377 (technical specification)

  .

For long, the LDAP protocol -and its databases compatible or not with OpenLDAP- is the most used in most of the authentication systems today. As an example of the previous statement, we give below some names of systems -Free or Private- that use LDAP databases as backend to store all their objects:

• OpenLDAP
• Apache DirectoryServer
• Red Hat Directory Server - 389 DS
• Novell Directory Services - eDirectory
• SUN Microsystems Open DS
• Red Hat Identity Manager
• FreeIPA
• Samba NT4 Classic Domain Controller.
  We want to clarify that this system was a development of Team Samba with Samba 3.xxx + OpenLDAP as backend. Microsoft never implemented anything like it. Jumped from NT 4 Domain Controllers to their Active Directories
• Samba 4 Active Directory - Domain Controler
• clearOS
• Plant
• UCS Uninvention Corporate Server
• Microsoft Active Directory

Each implementation has its own characteristics, and the most standard and compatible is the OpenLDAP.

Active Directory, be it the original from Microsoft or the one from Samba 4, constitute a union of several main components that are:

• Custom LDAP by both Microsoft and Samba.
• Microsoft Windows Domain o Windows domain. It is basically the Microsoft Network.
• Microsoft Domain Controller o Domain Controller.
• Kerberos customized by both Microsoft and Samba.

We must not confuse a Directory Services o Directory Service with a Active Directory o Active Directory. The former may or may not host Kerberos authentication, but they do not offer the Microsoft Network service that a Windows Domain provides, nor do they have a Windows Domain Controller as such.

A Directory Service or Directory Service can be used to authenticate users in a mixed network with UNIX / Linux and Windows clients. For the latter, a program must be installed on each client that acts as an intermediary between the Directory Service and the Windows client itself, such as Free Software. page.

Directory Service with OpenLDAP

• We start from a clean installation -without graphical interface- of a Debian 8 "Jessie", with the same "master" machine name used for the NIS installation, as well as the configuration of its network interface and the /etc/resolv.conf file. We installed the ntp, bind9 and isc-dhcp-server for this new server, without forgetting the global checks of the correct operation of the three previous services.

root @ master: ~ # aptitude install slapd ldap-utils

Package configuration

┌────────────────────┤ Slapd configuration ├─────────────────────┐ │ Enter the password for the administrator entry of your LDAP │ │ directory. │ │ │ │ Administrator password: │ │ │ │ ******** _________________________________________________________ │ │ │ │ │ │ │ └────────────────────────────────────────────── ─────────────────────┘

We check the initial configuration

root @ master: ~ # slapcat
dn: dc = swl, dc = fan
objectClass: top objectClass: dcObject objectClass: organization o: swl.fan dc: swl structuralObjectClass: organization entryUUID: c8510708-da8e-1036-8fe1-71d022a16904 creatorsName: cn = admin, dc = swl, dc = fan entry createTimestamp20170531205219: 20170531205219.833955ZN entry createTimestamp000000: 000ZN000000Z Z # 20170531205219 # XNUMX # XNUMX modifiersName: cn = admin, dc = swl, dc = fan modifyTimestamp: XNUMXZ

dn: cn = admin, dc = swl, dc = fan
objectClass: simpleSecurityObject objectClass: organizationalRole cn: admin description: userPassword LDAP administrator :: e1NTSEF9emJNSFU1R3l2OWVEN0pmTmlYOVhKSUF4ekY1bU9YQXc = structuralObjectClass: organizationalRole entryUUID: c851178e-da8e-1036-8fe2-71d022a16904 creatorsName: cn = admin, dc = SWL, dc = fan createTimestamp: 20170531205219Z entryCSN: 20170531205219.834422Z # 000000 # 000 # 000000 modifiersName: cn = admin, dc = swl, dc = fan modifyTimestamp: 20170531205219Z

We modify the file /etc/ldap/ldap.conf

root @ master: ~ # nano /etc/ldap/ldap.conf
BASE dc = swl, dc = fan URI    ldap: // localhost

Organizational Units and general group «users»

We add the minimum necessary Organizational Units, as well as the Posix group «users» to which we will make all users members, following the example of many systems that have the group «users«. We denominate it with the name of «users» so as not to enter into possible conflicts with the group «user" of the system.

root @ master: ~ # nano base.ldif
dn: ou = people, dc = swl, dc = fan objectClass: organizationalUnit ou: people dn: ou = groups, dc = swl, dc = fan objectClass: organizationalUnit ou: groups dn: cn = users, ou = groups, dc = swl, dc = fan objectClass: posixGroup cn: users gidNumber: 10000

root @ master: ~ # ldapadd -x -D cn = admin, dc = swl, dc = fan -W -f base.ldif
Enter LDAP Password: adding new entry "ou = people, dc = swl, dc = fan" adding new entry "ou = groups, dc = swl, dc = fan"

We check the added entries

root @ master: ~ # ldapsearch -x ou = people
# people, swl.fan dn: ou = people, dc = swl, dc = fan objectClass: organizationalUnit ou: people

root @ master: ~ # ldapsearch -x ou = groups
# groups, swl.fan dn: ou = groups, dc = swl, dc = fan objectClass: organizationalUnit ou: groups

root @ master: ~ # ldapsearch -x cn = users
# users, groups, swl.fan dn: cn = users, ou = groups, dc = swl, dc = fan objectClass: posixGroup cn: users gidNumber: 10000

We add several users

The password that we must declare in the LDAP must be obtained through the command slappasswd, which returns an encrypted SSHA password.

Password for the user strides:

root @ master: ~ # slappasswd 
New password: Re-enter new password: 
{SSHA}Fn8Juihsr137u8KnxGTNPmnV8ai//0lp

Password for user legolas

root @ master: ~ # slappasswd 
New password: Re-enter new password: 
{SSHA}rC50/W3kBmmDd+8+0Lz70vkGEu34tXmD

Password for user gandalf

root @ master: ~ # slappasswd 
New password: Re-enter new password: 
{SSHA} oIVFelqv8WIxJ40r12lnh3bp + SXGbV + u

root @ master: ~ # nano users.ldif
dn: uid = strides, ou = people, dc = swl, dc = fan objectClass: inetOrgPerson objectClass: posixAccount objectClass: shadowAccount uid: strides cn: strides givenName: Strides sn: El Rey userPassword: {SSHA}Fn8Juihsr137u8KnxGTNPmnV8ai//0lp
uidNumber: 10000 gidNumber: 10000 mail: striders@swl.fan
gecos: Strider El Rey loginShell: / bin / bash homeDirectory: / home / strider dn: uid = legolas, ou = people, dc = swl, dc = fan objectClass: inetOrgPerson objectClass: posixAccount objectClass: shadowAccount uid: legolas cn: legolas givenName : Legolas sn: Archer userPassword: {SSHA}rC50/W3kBmmDd+8+0Lz70vkGEu34tXmD
uidNumber: 10001 gidNumber: 10000 mail: legolas@swl.fan
gecos: Legolas Archer loginShell: / bin / bash homeDirectory: / home / legolas dn: uid = gandalf, ou = people, dc = swl, dc = fan objectClass: inetOrgPerson objectClass: posixAccount objectClass: shadowAccount uid: gandalf cn: gandalf givenName: Gandalf sn: The Wizard userPassword: {SSHA} oIVFelqv8WIxJ40r12lnh3bp + SXGbV + u
uidNumber: 10002 gidNumber: 10000 mail: gandalf@swl.fan
gecos: Gandalf The Wizard loginShell: / bin / bash homeDirectory: / home / gandalf

root @ master: ~ # ldapadd -x -D cn = admin, dc = swl, dc = fan -W -f users.ldif
Enter LDAP Password: adding new entry "uid = strides, ou = people, dc = swl, dc = fan" adding new entry "uid = legolas, ou = people, dc = swl, dc = fan" adding new entry "uid = gandalf, ou = people, dc = swl, dc = fan "

We check the added entries

root @ master: ~ # ldapsearch -x cn = strides
root @ master: ~ # ldapsearch -x uid = strides

We manage the slpad database with console utilities

We select the package ldapscripts for such a task. The installation and configuration procedure is as follows:

root @ master: ~ # aptitude install ldapscripts
 
root @ master: ~ # mv /etc/ldapscripts/ldapscripts.conf \
/etc/ldapscripts/ldapscripts.conf.original
 
root @ master: ~ # nano /etc/ldapscripts/ldapscripts.conf
SERVER = localhost BINDDN = 'cn = admin, dc = swl, dc = fan' BINDPWDFILE = "/ etc / ldapscripts / ldapscripts.passwd" SUFFIX = 'dc = swl, dc = fan' GSUFFIX = 'ou = groups' USUFFIX = 'ou = people' # MSUFFIX = 'ou = Computers' GIDSTART = 10001 UIDSTART = 10003 # MIDSTART = 10000 # OpenLDAP client commands LDAPSEARCHBIN = "/ usr / bin / ldapsearch" LDAPADDBIN = "/ usr / bin / ldapadd" LDAPDELETEBIN = " / usr / bin / ldapdelete "LDAPMODIFYBIN =" / usr / bin / ldapmodify "LDAPMODRDNBIN =" / usr / bin / ldapmodrdn "LDAPPASSWDBIN =" / usr / bin / ldappasswd "GCLASS =" posixGroup "# UTEMPLATE =" / etc / etc. /ldapadduser.template "PASSWORDGEN =" echo% u "

Notice that the scripts use the package commands ldap-utils. Run dpkg -L ldap-utils | grep / bin to know what they are.

root @ master: ~ # sh -c "echo -n 'admin-password'> \
/etc/ldapscripts/ldapscripts.passwd "
 
root @ master: ~ # chmod 400 /etc/ldapscripts/ldapscripts.passwd
 
root @ master: ~ # cp /usr/share/doc/ldapscripts/examples/ldapadduser.template.sample \
/etc/ldapscripts/ldapdduser.template
 
root @ master: ~ # nano /etc/ldapscripts/ldapadduser.template
dn: uid = , , objectClass: inetOrgPerson objectClass: posixAccount objectClass: shadowAccount uid: cn: givenName: sn: displayName: uidNumber: gidNumber: 10000 homeDirectory: loginShell: mail: @ swl.fan geckos: description: User Account
 
root @ master: ~ # nano /etc/ldapscripts/ldapscripts.conf
## we remove the comment UTEMPLATE = "/ etc / ldapscripts / ldapadduser.template"

We add the user "bilbo" and make him a member of the group "users"

root @ master: ~ # ldapadduser bilbo users
[dn: uid = bilbo, ou = people, dc = swl, dc = fan] Enter value for "givenName": Bilbo [dn: uid = bilbo, ou = people, dc = swl, dc = fan] Enter value for " sn ": Bagins [dn: uid = bilbo, ou = people, dc = swl, dc = fan] Enter value for" displayName ": Bilbo Bagins Successfully added user bilbo to LDAP Successfully set password for user bilbo

root @ master: ~ # ldapsearch -x uid = bilbo
# bilbo, people, swl.fan dn: uid = bilbo, ou = people, dc = swl, dc = fan objectClass: inetOrgPerson objectClass: posixAccount objectClass: shadowAccount uid: bilbo cn: bilbo givenName: Bilbo sn: Bagins displayName: Bilbo Bagins uidNumber: 10003 gidNumber: 10000 homeDirectory: / home / bilbo loginShell: / bin / bash mail: bilbo@swl.fan
gecos: bilbo description: User Account

To see the hash of the password of the bilbo user, it is necessary to carry out the query with authentication:

root @ master: ~ # ldapsearch -x -D cn = admin, dc = swl, dc = fan -W uid = bilbo

To delete the bilbo user we execute:

root @ master: ~ # ldapdelete -x -D cn = admin, dc = swl, dc = fan -W uid = bilbo, ou = people, dc = swl, dc = fan
Enter LDAP Password:

root @ master: ~ # ldapsearch -x uid = bilbo

We manage the slapd database through a web interface

We have a functional Directory Service, and we want to manage it more easily. There are many programs designed for this task, such as the phpldapadmin, ldap-account-manager, etc., which are available directly from the repositories. We can also manage a Directory Service through the Apache Directory Studio, which we must download from the Internet.

For more information, please visit https://blog.desdelinux.net/ldap-introduccion/, and the following 6 articles.

LDAP client

Scenario:

Say we have the team mail.swl.fan as a mail server implemented as we saw in the article Postfix + Dovecot + Squirrelmail and local users, which although developed on CentOS, may well serve as a guide for Debian and many other Linux distros. We want that, in addition to the local users that we already have declared, the users stored in the OpenLDAP database existing in master.swl.fan. To achieve this we must «map»To LDAP users as local users on the server mail.swl.fan. This solution is also valid for any service based on PAM authentication. The general procedure for Debian, is the following:

root @ mail: ~ # aptitude install libnss-ldap libpam-ldap ldap-utils

  ┌────────────────────┤ Configuration of libnss-ldap ├─────────────────────┐ │ Enter the URI (“Uniform Resource Identifier”, or │ servidor Uniform Resource Identifier) ​​of the LDAP server. This string is similar to │ │ «ldap: //: / ». You can also │ │ use «ldaps: // » or "ldapi: //". The port number is optional. │ │ │ │ It is recommended to use an IP address to avoid failure when domain name services │ │ are not available. │ │ │ │ LDAP server URI: │ │ │ │ ldap: //master.swl.fan__________________________________________________ │ │ │ │ │ │ │ └────────────────────────────────────────────── ───────────────────────────┘ ┌───────────────────── ┤ Configuration of libnss-ldap ├──────────────────────┐ │ Enter the distinguished name (DN) of the LDAP search base. Many sites use the domain name components for this │ │ purpose. For example, the domain "example.net" would use │ │ "dc = example, dc = net" as the distinguished name of the search base. │ │ │ │ The distinguished name (DN) of the search base: │ │ │ │ dc = swl, dc = fan ____________________________________________________________ │ │ │ │ │ │ │ └────────────────────────────────────────────── ─────────────────────────────┘ ┌─────────────────── ──┤ Configuration of libnss-ldap ├──────────────────────┐ │ Enter the version of the LDAP protocol that ldapns should use. It is │ │ recommended to use the highest version number available. │ │ │ │ LDAP version to use: │ │ │ │                                     3                                     │ │ 2 │ │ │ │ │ │ │ │ │ └────────────────────────────────────────────── ─────────────────────────────┘ ┌─────────────────── ──┤ Configuration of libnss-ldap ├──────────────────────┐ │ Choose which account will be used for nss queries with │ │ root privileges. │ │ │ │ Note: For this option to work, the account needs permissions to │ │ be able to access the LDAP attributes that are associated with the user │ │ "shadow" entries as well as the passwords of the users and │ │ groups . │ │ │ │ LDAP account for root: │ │ │ │ cn = admin, dc = swl, dc = fan ___________________________________________________ │ │ │ │ │ │ │ └────────────────────────────────────────────── ─────────────────────────────┘ ┌─────────────────── ──┤ Configuration of libnss-ldap ├─────────────────────┐ │ Enter the password to be used when libnss-ldap tries to │ │ authenticate to the LDAP directory with the root LDAP account. │ │ │ │ The password will be saved in a separate file │ │ ("/etc/libnss-ldap.secret") that only root can access. │ │ │ │ If you enter an empty password, the old password will be reused. │ │ │ │ Password for the root LDAP account: │ │ │ │ ******** ________________________________________________________________ │ │ │ │ │ │ │ └────────────────────────────────────────────── ────────────────────────────┘ ┌──────────────────── ─┤ Configuration of libnss-ldap ├──────────────────────┐ │ │ │ nsswitch.conf is not managed automatically │ │ │ │ You must modify your file "/etc/nsswitch.conf" to use an LDAP data source if you want the libnss-ldap package to work. │ │ You can use the example file │ │ in "/usr/share/doc/libnss-ldap/examples/nsswitch.ldap" as an example of the nsswitch configuration or │ │ you can copy it over your current configuration. │ │ │ │ Note that before removing this package it may be convenient to │ │ remove the "ldap" entries from the nsswitch.conf file so that the basic services │ │ continue to function. │ │ │ │ │ │ │ └────────────────────────────────────────────── ─────────────────────────────┘ ┌─────────────────── ──┤ Configuration of libpam-ldap ├──────────────────────┐ │ │ │ This option allows password tools using PAM to change local passwords. │ │ │ │ The password for the LDAP administrator account will be stored in a separate │ │ file that can only be read by the administrator. │ │ │ │ This option should be disabled, if mounting "/ etc" via NFS. │ │ │ │ Do you want to allow the LDAP administrator account to behave as │ │ the local administrator? │ │ │ │                                            │ │ │ └────────────────────────────────────────────── ─────────────────────────────┘ ┌─────────────────── ──┤ Configuration of libpam-ldap ├──────────────────────┐ │ │ │ Choose whether the LDAP server forces identification before obtaining entradas │ entries. │ │ │ │ This setting is rarely necessary. │ │ │ │ Is a user required to access the LDAP database? │ │ │ │                                               │ │ │ └────────────────────────────────────────────── ─────────────────────────────┘ ┌─────────────────── ──┤ Configuration of libpam-ldap ├──────────────────────┐ │ Enter the name of the LDAP administrator account. │ │ │ │ This account will be automatically used for database management, que │ it must have the appropriate administrative privileges. │ │ │ │ LDAP administrator account: │ │ │ │ cn = admin, dc = swl, dc = fan ___________________________________________________ │ │ │ │ │ │ │ └────────────────────────────────────────────── ─────────────────────────────┘ ┌─────────────────── ──┤ Configuration of libpam-ldap ├──────────────────────┐ │ Enter the password for the administrator account. │ │ │ │ The password will be saved in the file "/etc/pam_ldap.secret". The │ │ administrator will be the only one who can read this file, and will allow │ │ libpam-ldap to automatically control the management of connections in the │ │ database. │ │ │ │ If you leave this field blank, the previous saved password │ │ will be used again. │ │ │ │ LDAP administrator password: │ │ │ │ ******** _________________________________________________________________ │ │ │ │ │ │ │ └────────────────────────────────────────────── ─────────────────────────────┘  

root @ mail: ~ # nano /etc/nsswitch.conf
# /etc/nsswitch.conf # # Example configuration of GNU Name Service Switch functionality. # If you have the `glibc-doc-reference 'and` info' packages installed, try: # `info libc" Name Service Switch "'for information about this file. passwd: compat ldap
group: compat ldap
shadow: compat ldap
gshadow: files hosts: files dns networks: files protocols: db files services: db files ethers: db files rpc: db files netgroup: nis

Let's edit the file /etc/pam.d/common-password, we go to line 26 and eliminate the value «use_authtok«:

root @ mail: ~ # nano /etc/pam.d/common-password
# # /etc/pam.d/common-password - password-related modules common to all services # # This file is included from other service-specific PAM config files, # and should contain a list of modules that define the services to be # used to change user passwords. The default is pam_unix. # Explanation of pam_unix options: # # The "sha512" option enables salted SHA512 passwords. Without this option, # the default is Unix crypt. Prior releases used the option "md5". # # The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB 'option in # login.defs. # # See the pam_unix manpage for other options. # As of pam 1.0.1-6, this file is managed by pam-auth-update by default. # To take advantage of this, it is recommended that you configure any # local modules either before or after the default block, and use # pam-auth-update to manage selection of other modules. See # pam-auth-update (8) for details. # here are the per-package modules (the "Primary" block) password [success = 2 default = ignore] pam_unix.so obscure sha512
password [success = 1 user_unknown = ignore default = die] pam_ldap.so try_first_pass
# here's the fallback if no module succeeds password requisite pam_deny.so # prime the stack with a positive return value if there isn't one already; # this avoids us returning an error just because nothing sets a success code # since the modules above will each just jump around password required pam_permit.so # and here are more per-package modules (the "Additional" block) # end of pam- auth-update config

In case we need the Local Login of the users stored in the LDAP, and we want their folders to be created automatically home, we must edit the file /etc/pam.d/common-session and add the following line to the end of the file:

session optional pam_mkhomedir.so skel = / etc / skel umask = 077

In the OpenLDAP Directory Service example developed earlier, the only local user that was created was the user buzz, while in LDAP we create the users strides, Legolas, gandalf, and bilbo. If the configurations made so far are correct, then we should be able to list the local users and those mapped as local but stored in the remote LDAP server:

root @ mail: ~ # getent passwd 
buzz: x: 1001: 1001: Buzz Debian First OS ,,,: / home / buzz: / bin / bash
Strides: x: 10000: 10000: Strides El Rey: / home / strides: / bin / bash
legolas: x: 10001: 10000: Legolas Archer: / home / legolas: / bin / bash
gandalf: x: 10002: 10000: Gandalf The Magician: / home / gandalf: / bin / bash
bilbo: x: 10003: 10000: bilbo: / home / bilbo: / bin / bash

After the changes in the system authentication, it is valid to restart the server if we do not have a critical service:

root @ mail: ~ # reboot

Later we start a local session on the server mail.swl.fan with the credentials of a user stored in the LDAP database of master.swl.fan. We can also try logging in via SSH.

buzz @ sysadmin: ~ $ ssh gandalf @ mail
gandalf @ mail's password: Creating directory '/ home / gandalf'. The programs included with the Debian GNU / Linux system are free software; the exact distribution terms for each program are described in the individual files in / usr / share / doc / * / copyright. Debian GNU / Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.
gandalf @ mail: ~ $ su
Password:

root @ mail: / home / gandalf # getent group
buzz: x: 1001: users: *: 10000:

root @ mail: / home / gandalf # exit
exit

gandalf @ mail: ~ $ ls -l / home /
total 8 drwxr-xr-x 2 buzz buzz     4096 Jun 17 12:25 buzz drwx ------ 2 gandalf users 4096 Jun 17 13:05 gandalf

The Directory Service implemented at the server and client level, works correctly.

Kerberos

From Wikipedia:

• Kerberos is a computer network authentication protocol created by the MIT that allows two computers on an insecure network to securely prove their identity to each other. Its designers first focused on a client-server model, and it provides mutual authentication: both client and server verify the identity of each other. Authentication messages are protected to prevent eavesdropping y replay attacks.
  
  Kerberos is based on symmetric key cryptography and requires a trusted third party. In addition, there are extensions to the protocol to be able to use asymmetric key cryptography.
  
  Kerberos is based on the Needham-Schroeder protocol. It uses a trusted third party, called a "Key Distribution Center" (KDC), which consists of two separate logical parts: an "Authentication Server" (AS or Authentication Server) and a "ticket issuing server" (TGS or Ticket Granting Server). Kerberos works on the basis of "tickets", which serve to prove the identity of users.
  
  Kerberos maintains a database of secret keys; Each entity on the network — be it client or server — shares a secret key known only to itself and Kerberos. Knowledge of this key serves to prove the identity of the entity. For a communication between two entities, Kerberos generates a session key, which they can use to secure their problems.

Disadvantages of Kerberos

De ecured:

Despite that Kerberos removes a common security threat, it can be difficult to implement for a variety of reasons:

• Migration of user passwords from a standard password database UNIX, such as / etc / passwd or / etc / shadow, to a Kerberos password database, can be tedious and there is no quick mechanism to accomplish this task.
• Kerberos assumes that each user is trusted, but is using an untrusted machine on an untrusted network. Its main objective is to prevent unencrypted passwords from being sent over the network. However, if any other user, apart from the appropriate user, has access to the ticketing machine (KDC) for authentication, Kerberos would be at Risk.
• For an application to use Kerberos, the code must be modified to make the appropriate calls to the Kerberos libraries. Applications that are modified in this way are considered kerberized. For some applications, this can be an excessive programming effort, due to the size of the application or its Design. For other incompatible applications, changes must be made to the way the network server and its clients communicate; again, this can take quite a bit of programming. In general, closed source applications that do not support Kerberos are usually the most problematic.
• Finally, if you decide to use Kerberos on your network, you must realize that it is an all or nothing choice. If you decide to use Kerberos on your network, you must remember that if any passwords are passed to a service that does not use Kerberos to authenticate, you run the risk that the packet may be intercepted. Thus, your network will not get any benefit from using Kerberos. To secure your network with Kerberos, you should only use the kerberized versions of all client / server applications that send unencrypted passwords or not use any of these applications on the network.

Manually implementing and configuring OpenLDAP as a Kerberos Back-End is not an easy task. However, later we will see that the Samba 4 Active Directory - Domain Controller integrates in a transparent way for the Sysadmin, a DNS server, the Microsoft Network and its Domain Controller, LDAP server as Back-End of almost all of its objects, and the Kerberos-based authentication service as the fundamental components of a Microsoft-style Active Directory.

To date we have not had the need to implement a "Kerberized Network". This is why we did not write about how to implement Kerberos.

Samba 4 Active Directory - Domain Controller

Important:

There is no better documentation than the site wiki.samba.org. Sysadmin worth its salt should visit that site -in English- and browse the large number of pages entirely dedicated to Samba 4, written by Team Samba himself. I do not believe there is documentation available on the Internet to replace it. By the way, observe the number of visits reflected at the bottom of each page. An example of this is that your main page or «Main Page» was visited 276,183 times as of today June 20, 2017 at 10:10 Eastern Standard Time. In addition, the documentation is kept very up-to-date, as that page was modified on June 6.

From Wikipedia:

Samba is a free implementation of the Microsoft Windows File Sharing Protocol (formerly called SMB, recently renamed CIFS) for UNIX-like systems. In this way, it is possible that computers with GNU / Linux, Mac OS X or Unix in general look like servers or act as clients in Windows networks. Samba also allows users to validate as a Primary Domain Controller (PDC), as a domain member and even as an Active Directory domain for Windows-based networks; apart from being able to serve print queues, shared directories and authenticate with its own user archive.

Among the Unix-like systems on which Samba can be run are the GNU / Linux distributions, Solaris and the different BSD variants among the that we can find Apple's Mac OS X Server.

Samba 4 AD-DC with its Internal DNS

• We start from a clean installation -without graphical interface- of a Debian 8 "Jessie".

Initial checks

root @ master: ~ # hostname
master
root @ master: ~ # hostname --fqdn
master.swl.fan
root @ master: ~ # ip addr
1: what: mtu 65536 qdisc noqueue state UNKNOWN group default link / loopback 00: 00: 00: 00: 00: 00 brd 00: 00: 00: 00: 00: 00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 :: 1/128 scope host valid_lft forever preferred_lft forever 2: eth0: mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 1000 link / ether 00: 0c: 29: 80: 3b: 3f brd ff: ff: ff: ff: ff: ff
    inet 192.168.10.5 / 24 brd 192.168.10.255 scope global eth0
       valid_lft forever preferred_lft forever inet6 fe80 :: 20c: 29ff: fe80: 3b3f / 64 scope link valid_lft forever preferred_lft forever
root @ master: ~ # cat /etc/resolv.conf
search swl.fan nameserver 127.0.0.1

• With which we declare the branch main only, it's more than enough for our purposes.

root @ master: ~ # cat /etc/apt/sources.list
deb http://192.168.10.1/repos/jessie-8.6/debian/ jessie main
deb http://192.168.10.1/repos/jessie-8.6/debian/security/ jessie / updates main

Postfix by Exim and utilities

root @ master: ~ # aptitude install postfix htop mc deborphan

  ┌────────────────────────┤ Postfix Configuration ├───────────────────── ────┐ │ Choose the type of mail server configuration that best suits your │ │ needs. │ │ │ │ No configuration: │ │ Keeps the current configuration intact. │ │ Internet site: │ │ Mail is sent and received directly using SMTP. │ │ Internet with «smarthost»: │ │ Mail is received directly using SMTP or by running a como │ tool like «fetchmail». Outgoing mail is sent using │ │ a "smarthost". │ │ Local mail only: │ │ The only mail that is delivered is for local users. No │ │ there is a network. │ │ │ │ Generic type of mail configuration: │ │ │ │ No configuration │ │ Internet site │ │ Internet with "smarthost" │ │ Satellite system │ │                         Local mail only                                │ │ │ │ │ │                                     │ │ │ └────────────────────────────────────────────── ────────────────────────────┘ ┌──────────────────── ─────┤ Postfix Configuration ├─────────────────────────┐ │ The "mail system name" is the name of the domain that │ │ is used to "qualify" _ALL_ email addresses without a domain name. This includes mail to and from "root": please do not make │ │ your machine send emails from root@example.org to │ │ less than root@example.org asked. │ │ │ │ Other programs will use this name. It must be a unique │ │ qualified domain name (FQDN). │ │ │ │ Therefore, if an email address on the local machine is │ │ something@example.org, the correct value for this option will be example.org. │ │ │ │ Mail system name: │ │ │ │ master.swl.fan ___________________________________________________________ │ │ │ │ │ │ │ └────────────────────────────────────────────── ─────────────────────────────┘  

We clean

root @ master: ~ # aptitude purge ~ c
root @ master: ~ # aptitude install -f
root @ master: ~ # aptitude clean
root @ master: ~ # aptitude autoclean

We install requirements to compile Samba 4 and other necessary packages

root @ master: ~ # aptitude install acl attr autoconf bison \
build-essential debhelper dnsutils docbook-xml docbook-xsl flex gdb \
krb5-user libacl1-dev libaio-dev libattr1-dev libblkid-dev libbsd-dev \
libcap-dev libcups2-dev libgnutls28-dev libjson-perl \
libldap2-dev libncurses5-dev libpam0g-dev libparse-yapp-perl\
libpopt-dev libreadline-dev perl perl-modules pkg-config \
python-all-dev python-dev python-dnspython python-crypto\
xsltproc zlib1g -dev libgpgme11 -dev python -gpgme python -m2crypto \
libgnutls28-dbg gnutls-dev ldap-utils krb5-config

 ┌───────────────┤ Configuring Kerberos authentication ├───────────────┐ │ When users try to use Kerberos and specify a name │ │ principal or user without clarifying to which administrative Kerberos domain the principal │ │ belongs, the system takes the default │ │ realm.  The default realm can also be used as the │ │ realm of a Kerberos service running on the local machine.  │ │ Typically, the default realm is the uppercase name of the local DNS │ │ domain.  │ │ │ │ Kerberos version 5 default realm: │ │ │ │ SWL.FAN __________________________________________________________________ │ │ │ │ │ │ │ └────────────────────────────────────────────── ─────────────────────────────┘ ┌───────────────┤ Configuring authentication Kerberos ├───────────────┐ │ Enter the names of the Kerberos servers in the SWL.FAN realm of │ │ Kerberos, separated by spaces.  │ │ │ │ Kerberos servers for your realm: │ │ │ │ master.swl.fan ___________________________________________________________ │ │ │ │ │ │ │ └────────────────────────────────────────────── ─────────────────────────────┘ ┌───────────────┤ Configuring authentication Kerberos ├───────────────┐ │ Enter the administrative server name (password change) │ │ for the Kerberos SWL.FAN realm.   

The above process took a bit of time because we don't have any DNS services installed yet. However, you chose the domain correctly by the file settings / Etc / hosts. Remember that in the file / Etc / resolv.conf we have declared as a domain name server to the IP 127.0.0.1.

We now configure the / etc / ldap / ldap / conf file

root @ master: ~ # nano /etc/ldap/ldap.conf
BASE dc = swl, dc = fan URI ldap: //master.swl.fan

For queries using the command ldapsearch made from the root user are of the type ldapsearch -x -W cn = xxxx, we must create the file /root/.ldapsearch with the following content:

root @ master: ~ # nano .ldaprc
BINDDN CN = Administrator, CN = Users, DC = swl, DC = fan

The file system must support ACL - Access Control List

root @ master: ~ # nano / etc / fstab
# / etc / fstab: static file system information. # # Use 'blkid' to print the universally unique identifier for a # device; this may be used with UUID = as a more robust way to name devices # that works even if disks are added and removed. See fstab (5). # # # / was on / dev / sda1 during installation UUID = 33acb024-291b-4767-b6f4-cf207a71060c / ext4 user_xattr, acl, barrier = 1, noatime, errors = remount-ro 0 1
# swap was on / dev / sda5 during installation UUID = cb73228a-615d-4804-9877-3ec225e3ae32 none swap sw 0 0 / dev / sr0 / media / cdrom0 udf, iso9660 user, noauto 0 0

root @ master: ~ # mount -a

root @ master: ~ # touch testing_acl.txt
root @ master: ~ # setfattr -n user.test -v test testing_acl.txt
root @ master: ~ # setfattr -n security.test -v test2 testing_acl.txt
root @ master: ~ # getfattr -d testing_acl.txt
# file: testing_acl.txt user.test = "test"

root @ master: ~ # getfattr -n security.test -d testing_acl.txt
# file: testing_acl.txt security.test = "test2"

root @ master: ~ # setfacl -mg: adm: rwx testing_acl.txt

root @ master: ~ # getfacl testing_acl.txt
# file: testing_acl.txt # owner: root # group: root user :: rw- group :: r-- group: adm: rwx mask :: rwx other :: r--

We obtain the Samba 4 source, compile it, and install it

It is highly recommended to download the source file of the version Stable from the site https://www.samba.org/. In our example we download the version samba-4.5.1.tar.gz towards the folder / Opt.

root @ master: ~ # cd / opt
root @ master: / opt # wget https://download.samba.org/pub/samba/stable/samba-4.5.1.tar.gz
root @ master: / opt # tar xvfz samba-4.5.1.tar.gz
root @ master: / opt # cd samba-4.5.1 /

Configuration options

If we want to customize the configuration options, we execute:

root @ master: /opt/samba-4.5.1# ./configure --help

and with great care select the ones we need. It is advisable to check if the downloaded package can be installed on the Linux distribution we are using, which in our case is Debian 8.6 Jessie:

root @ master: /opt/samba-4.5.1# ./configure dist check

We configure, Compile and Install samba-4.5.1

• From the previously installed requirements and the 8604 files (which make up the compact samba-4.5.1.tar.gz) that weigh about 101.7 megabytes -including the source3 and source4 folders that weigh about 61.1 megabytes- we will obtain a substitute for a Microsoft-style Active Directory, of a quality and stability more than acceptable for any production environment. We must highlight the work of Team Samba in delivering the Free Software Samba 4.

The commands below are the classic ones for compiling and installing packages from their sources. We must be patient while the entire process lasts. It is the only way to get valid and correct results.

root @ master: /opt/samba-4.5.1# ./configure --with-systemd --disable-cups
root @ master: /opt/samba-4.5.1# make
root @ master: /opt/samba-4.5.1# make install

During the command process make, we can see that the Samba 3 and Samba 4 sources are compiled. That is why Team Samba affirms that its version 4 is the natural update of version 3, both for Domain Controllers based on Samba 3 + OpenLDAP, and file servers, or older versions of Samba 4.

Provisioning Samba

We will use as DNS the SAMBA_INTERNAL. In https://wiki.samba.org/index.php?title=Samba_Internal_DNS_Back_End we will find more information. When they ask us for the password of the Administrator user, we must type one of a minimum length of 8 characters and also with letters - upper and lower case - and numbers.

Before proceeding with the provisioning and to make life easier, we add the path of the Samba executables in our file .bashrc, Then we close and log in again.

root @ master: ~ # nano .bashrc
# ~ / .bashrc: executed by bash (1) for non-login shells. # Note: PS1 and umask are already set in / etc / profile. You should not # need this unless you want different defaults for root. # PS1 = '$ {debian_chroot: + ($ debian_chroot)} \ h: \ w \ $' # umask 022 # You may uncomment the following lines if you want `ls 'to be colorized: # export LS_OPTIONS =' - color = auto '# eval "` dircolors` "# alias ls =' ls $ LS_OPTIONS '# alias ll =' ls $ LS_OPTIONS -l '# alias l =' ls $ LS_OPTIONS -lA '# # Some more aliases to avoid making mistakes : # alias rm = 'rm -i' # alias cp = 'cp -i' # alias mv = 'mv -i'
declare -x PATH = "/ usr / local / sbin: / usr / local / bin: / usr / sbin: / usr / bin: \ / sbin: / bin: / usr / local / samba / sbin: / usr / local / samba / bin "

root @ master: ~ # exit logout Connection to master closed. xeon @ sysadmin: ~ $ ssh root @ master

root @ master: ~ # samba-tool domain provision --use-rfc2307 --interactive
Realm [SWL.FAN]: SWL.FAN
 Domain [SWL]: SWL
 Server Role (dc, member, standalone) [dc]: dc
 Backend DNS (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: SAMBA_INTERNAL
 DNS forwarder IP address (write 'none' to disable forwarding) [192.168.10.5]: 8.8.8.8
administrator password: YourPassword2017
Change password: YourPassword2017
Looking up IPv4 addresses Looking up IPv6 addresses No IPv6 address will be assigned Setting up share.ldb Setting up secrets.ldb Setting up the registry Setting up the privileges database Setting up idmap db Setting up SAM db Setting up sam.ldb partitions and settings Setting up sam.ldb rootDSE Pre-loading the Samba 4 and AD schema Adding DomainDN: DC = swl, DC = fan Adding configuration container Setting up sam.ldb schema Setting up sam.ldb configuration data Setting up display specifiers Modifying display specifiers Adding users container Modifying users container Adding computers container Modifying computers container Setting up sam.ldb data Setting up well known security principals Setting up sam.ldb users and groups Setting up self join Adding DNS accounts Creating CN = MicrosoftDNS, CN = System, DC = swl, DC = fan Creating DomainDnsZones and ForestDnsZones partitions Populating DomainDnsZones and ForestDnsZones partitions Setting up sam.ldb rootDSE marking as synchronized Fixing provision GUIDsA Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf Setting up fake yp server settings Once the above files are installed, your Samba4 server will be ready to use Server Role: active directory domain controller Hostname: master NetBIOS Domain: SWL DNS Domain: swl.fan DOMAIN SID: S-1-5-21-32182636-2892912266-1582980556

Let's not forget to copy the Kerberos configuration file as indicated by the output of the Provisioning:

root @ master: ~ # cp /usr/local/samba/private/krb5.conf /etc/krb5.conf

To not type the command samba-tool with your full name, we create a symbolic link with the short name tool:

root @ master: ~ # ln -s / usr / local / samba / bin / samba-tool / usr / local / samba / bin / tool

We install the NTP

A fundamental piece in an Active Directory is the Network Time Service. As the authentication is done via Kerberos and its Tickets, the synchronization of the time with the Samba 4 AD-DC is vital.

root @ master: ~ # aptitude install ntp
root @ master: ~ # mv /etc/ntp.conf /etc/ntp.conf.original

root @ master: ~ # nano /etc/ntp.conf
driftfile /var/lib/ntp/ntp.drift ntpsigndsocket / usr / local / samba / var / lib / ntp_signd statistics loopstats peerstats clockstats filegen loopstats file loopstats type day enable filegen peerstats file peerstats type day enable filegenstats file clockstats clock type day enable server 192.168.10.1 restrict -4 default kod notrap nomodify nopeer noquery restrict -6 default kod notrap nomodify nopeer noquery restrict default mssntp restrict 127.0.0.1 restrict :: 1 broadcast 192.168.10.255

root @ master: ~ # service ntp restart
root @ master: ~ # service ntp status

root @ master: ~ # tail -f / var / log / syslog

If when examining the syslog using the command above or using journalctl -f we get the message:

Jun 19 12:13:21 master ntpd_intres [1498]: parent died before we finished, exiting

we must restart the service and try again. Now we create the folder ntp_signd:

root @ master: ~ # ls -ld / usr / local / samba / var / lib / ntp_signd
ls: Cannot access / usr / local / samba / var / lib / ntp_signd: File or directory does not exist

root @ master: ~ # mkdir / usr / local / samba / var / lib / ntp_signd
root @ master: ~ # chown root: ntp / usr / local / samba / var / lib / ntp_signd /
root @ master: ~ # chmod 750 / usr / local / samba / var / lib / ntp_signd / root @ master: ~ # chmod gs, g + x / usr / local / samba / var / lib / ntp_signd /

# As requested on samba.wiki.org
root @ master: ~ # ls -ld / usr / local / samba / var / lib / ntp_signd
drwxr-x --- 2 root ntp 4096 Jun 19 12:21 / usr / local / samba / var / lib / ntp_signd

We configure the Samba start using systemd

root @ master: ~ # nano /lib/systemd/system/samba-ad-dc.service
[Service] Type = forking PIDFile = / usr / local / samba / var / run / samba.pid LimitNOFILE = 16384 # EnvironmentFile = - / etc / conf.d / samba ExecStart = / usr / local / samba / sbin / samba ExecReload = / usr / bin / kill -HUP $ MAINPID [Install] WantedBy = multi-user.target

root @ master: ~ # systemctl enable samba-ad-dc
root @ master: ~ # reboot

root @ master: ~ # systemctl status samba-ad-dc
root @ master: ~ # systemctl status ntp

Samba 4 AD-DC file locations

ALL -minus the newly created samba-ad-dc.service- the files are in:

root @ master: ~ # ls -l / usr / local / samba /
total 32 drwxr-sr-x 2 root staff 4096 Jun 19 11:55 bin
drwxr-sr-x 2 root staff 4096 Jun 19 11:50 etc
drwxr-sr-x 7 root staff 4096 Jun 19 11:30 includes
drwxr-sr-x 15 root staff 4096 Jun 19 11:33 lib
drwxr-sr-x 7 root staff 4096 Jun 19 12:40 private
drwxr-sr-x 2 root staff 4096 Jun 19 11:33 sbin
drwxr-sr-x 5 root staff 4096 Jun 19 11:33 share
drwxr-sr-x 8 root staff 4096 Jun 19 12:28 var

in the best UNIX style. It is always advisable to browse through the different folders and examine their contents.

File /usr/local/samba/etc/smb.conf

root @ master: ~ # nano /usr/local/samba/etc/smb.conf 
# Global parameters [global] netbios name = MASTER realm = SWL.FAN workgroup = SWL dns forwarder = 8.8.8.8 server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate , dns server role = active directory domain controller allow dns updates = secure only idmap_ldb: use rfc2307 = yes idmap config *: backend = tdb idmap config *: range = 1000000-1999999 ldap server require strong auth = no printcap name = / dev / null [netlogon] path = /usr/local/samba/var/locks/sysvol/swl.fan/scripts read only = No [sysvol] path = / usr / local / samba / var / locks / sysvol read only = No

root @ master: ~ # testparm
Load smb config files from /usr/local/samba/etc/smb.conf Processing section "[netlogon]" Processing section "[sysvol]" Loaded services file OK. Server role: ROLE_ACTIVE_DIRECTORY_DC Press enter to see a dump of your service definitions # Global parameters [global] realm = SWL.FAN workgroup = SWL dns forwarder = 192.168.10.1 ldap server require strong auth = No passdb backend = samba_dsdb server role = active directory domain controller rpc_server: tcpip = no rpc_daemon: spoolssd = embedded rpc_server: spoolss = embedded rpc_server: winreg = embedded rpc_server: ntsvcs = embedded rpc_server: eventlog = embedded rpc_server: srvsvc = embedded rvcct_server = use external rvcct_server = use external rvcct_server = use external rvcct_server: external pipes = true idmap config *: range = 1000000-1999999 idmap_ldb: use rfc2307 = yes idmap config *: backend = tdb map archive = No map readonly = no store dos attributes = Yes vfs objects = dfs_samba4 acl_xattr [netlogon] path = / usr / local / samba / var / locks / sysvol / swl.fan / scripts read only = No [sysvol] path = / usr / local / samba / var / locks / sysvol read only = No

Minimal checks

root @ master: ~ # tool domain level show
Domain and forest function level for domain 'DC = swl, DC = fan' Forest function level: (Windows) 2008 R2 Domain function level: (Windows) 2008 R2 Lowest function level of a DC: (Windows) 2008 R2

root @ master: ~ # ldapsearch -x -W

root @ master: ~ # tool dbcheck
Checking 262 objects Checked 262 objects (0 errors)

root @ master: ~ # kinit Administrator
Password for Administrator@SWL.FAN: 
root @ master: ~ # klist -f
Ticket cache: FILE: / tmp / krb5cc_0
Primary default: Administrator@SWL.FAN

Valid starting Expires Service main 19/06/17 12:53:24 19/06/17 22:53:24  krbtgt/SWL.FAN@SWL.FAN
    renew until 20/06/17 12:53:18 PM, Flags: RIA

root @ master: ~ # kdestroy
root @ master: ~ # klist -f
klist: Credentials cache file '/ tmp / krb5cc_0' not found

root @ master: ~ # smbclient -L localhost -U%
Domain = [SWL] OS = [Windows 6.1] Server = [Samba 4.5.1] Sharename Type Comment --------- ---- ------- netlogon Disk sysvol Disk IPC $ IPC IPC Service (Samba 4.5.1) Domain = [SWL] OS = [Windows 6.1] Server = [Samba 4.5.1] Server Comment --------- ------- Workgroup Master ---- ----- -------

root @ master: ~ # smbclient // localhost / netlogon -UAdministrator -c 'ls'
Enter Administrator's password: Domain = [SWL] OS = [Windows 6.1] Server = [Samba 4.5.1]. D 0 Mon Jun 19 11:50:52 2017 .. D 0 Mon Jun 19 11:51:07 2017 19091584 blocks of size 1024. 16198044 blocks available

root @ master: ~ # tool dns serverinfo master -U administrator

root @ master: ~ # host -t SRV _ldap._tcp.swl.fan
_ldap._tcp.swl.fan has SRV record 0 100 389 master.swl.fan.

root @ master: ~ # host -t SRV _kerberos._udp.swl.fan
_kerberos._udp.swl.fan has SRV record 0 100 88 master.swl.fan.

root @ master: ~ # host -t A master.swl.fan
master.swl.fan has address 192.168.10.5

root @ master: ~ # host -t SOA swl.fan
swl.fan has SOA record master.swl.fan. hostmaster.swl.fan. 1 900 600 86400 3600

root @ master: ~ # host -t NS swl.fan
swl.fan name server master.swl.fan.

root @ master: ~ # host -t MX swl.fan
swl.fan has no MX record

root @ master: ~ # samba_dnsupdate --verbose

root @ master: ~ # tool user list
Administrator krbtgt Guest

root @ master: ~ # tool group list
# The output is a bunch of groups. ;-)

We manage the newly installed Samba 4 AD-DC

If we want to modify the expiration in days of the Administrator password; the complexity of passwords; the minimum length of the password; the minimum and maximum duration -in days- of the password; and change the Administrator password declared during the Provisioning, we must execute the following commands with the values ​​adjusted to your needs:

root @ master: ~ # tool
Usage: samba-tool Main samba administration tool. Options: -h, --help show this help message and exit Version Options: -V, --version Display version number Available subcommands: dbcheck - Check local AD database for errors. delegation - Delegation management. dns - Domain Name Service (DNS) management. domain - Domain management. drs - Directory Replication Services (DRS) management. dsacl - DS ACLs manipulation. fsmo - Flexible Single Master Operations (FSMO) roles management. gpo - Group Policy Object (GPO) management. group - Group management. ldapcmp - Compare two ldap databases. ntacl - NT ACLs manipulation. processes - List processes (to aid debugging on systems without setproctitle). rodc - Read-Only Domain Controller (RODC) management. sites - Sites management. spn - Service Principal Name (SPN) management. testparm - Syntax check the configuration file. time - Retrieve the time on a server. user - User management. For more help on a specific subcommand, please type: samba-tool (-h | --help)

root @ master: ~ # tool user setexpiry administrator --noexpiry
root @ master: ~ # tool domain passwordsettings set --min-pwd-length = 7
root @ master: ~ # tool domain passwordsettings set --min-pwd-age = 0
root @ master: ~ # tool domain passwordsettings set --max-pwd-age = 60
root @ master: ~ # tool user setpassword --filter = samaccountname = Administrator --newpassword = Passw0rD

We add several DNS records

root @ master: ~ # tool dns
Usage: samba-tool dns Domain Name Service (DNS) management. Options: -h, --help show this help message and exit Available subcommands: add - Add a DNS record delete - Delete a DNS record query - Query a name. roothints - Query root hints. serverinfo - Query for Server information. update - Update a DNS record zonecreate - Create a zone. zonedelete - Delete a zone. zoneinfo - Query for zone information. zonelist - Query for zones. For more help on a specific subcommand, please type: samba-tool dns (-h | --help)

Mail server

root @ master: ~ # tool dns add master swl.fan mail A 192.168.10.9 -U administrator
root @ master: ~ # tool dns add master swl.fan swl.fan MX "mail.swl.fan 10" -U administrator

Fixed IP of other servers

root @ master: ~ # tool dns add master swl.fan sysadmin A 192.168.10.1 -U administrator
root @ master: ~ # tool dns add master swl.fan fileserver A 192.168.10.10 -U administrator
root @ master: ~ # tool dns add master swl.fan proxy A 192.168.10.11 -U administrator
root @ master: ~ # tool dns add master swl.fan chat A 192.168.10.12 -U administrator

Reverse Zone

root @ master: ~ # tool dns zonecreate master 10.168.192.in-addr.arpa -U administrator
Password for [SWL \ administrator]: Zone 10.168.192.in-addr.arpa created successfully

root @ master: ~ # tool dns add master 10.168.192.in-addr.arpa 5 PTR master.swl.fan. -Uadministrator
root @ master: ~ # tool dns add master 10.168.192.in-addr.arpa 9 PTR mail.swl.fan. -Uadministrator
root @ master: ~ # tool dns add master 10.168.192.in-addr.arpa 1 PTR sysadmin.swl.fan. -Uadministrator
root @ master: ~ # tool dns add master 10.168.192.in-addr.arpa 10 PTR fileserver.swl.fan. -Uadministrator
root @ master: ~ # tool dns add master 10.168.192.in-addr.arpa 11 PTR proxy.swl.fan. -Uadministrator
root @ master: ~ # tool dns add master 10.168.192.in-addr.arpa 12 PTR chat.swl.fan. -Uadministrator

Checks

root @ master: ~ # tool dns query master swl.fan mail ALL -U administrator
Password for [SWL \ administrator]: Name =, Records = 1, Children = 0 A: 192.168.10.9 (flags = f0, serial = 2, ttl = 900)

root @ master: ~ # host master
master.swl.fan has address 192.168.10.5
root @ master: ~ # host sysadmin
sysadmin.swl.fan has address 192.168.10.1
root @ master: ~ # host mail
mail.swl.fan has address 192.168.10.9
root @ master: ~ # host chat
chat.swl.fan has address 192.168.10.12
root @ master: ~ # proxy host
proxy.swl.fan has address 192.168.10.11
root @ master: ~ # host fileserver
fileserver.swl.fan has address 192.168.10.10
root @ master: ~ # host 192.168.10.1
1.10.168.192.in-addr.arpa domain name pointer sysadmin.swl.fan.
root @ master: ~ # host 192.168.10.5
5.10.168.192.in-addr.arpa domain name pointer master.swl.fan.
root @ master: ~ # host 192.168.10.9
9.10.168.192.in-addr.arpa domain name pointer mail.swl.fan.
root @ master: ~ # host 192.168.10.10
10.10.168.192.in-addr.arpa domain name pointer fileserver.swl.fan.
root @ master: ~ # host 192.168.10.11
11.10.168.192.in-addr.arpa domain name pointer proxy.swl.fan.
root @ master: ~ # host 192.168.10.12
12.10.168.192.in-addr.arpa domain name pointer chat.swl.fan.

For the curious

root @ master: ~ # ldbsearch -H /usr/local/samba/private/sam.ldb.d/ \
DC = DOMAINDNSZONES, DC = SWL, DC = FAN.ldb | grep dn:

We add users

root @ master: ~ # tool user
Usage: samba-tool user User management. Options: -h, --help show this help message and exit Available subcommands: add - Create a new user. create - Create a new user. delete - Delete a user. disable - Disable an user. enable - Enable an user. getpassword - Get the password fields of a user / computer account. list - List all users. password - Change password for a user account (the one provided in authentication). setexpiry - Set the expiration of a user account. setpassword - Set or reset the password of a user account. syncpasswords - Sync the password of user accounts. For more help on a specific subcommand, please type: samba-tool user (-h | --help)

root @ master: ~ # tool user create strides Trancos01
User 'trancos' created successfully
root @ master: ~ # tool user create gandalf Gandalf01
User 'gandalf' created successfully
root @ master: ~ # tool user create legolas Legolas01
User 'legolas' created successfully
root @ master: ~ # tool user list
Administrator gandalf legolas strides krbtgt Guest

Administration through graphical interface or via web client

Visit wiki.samba.org for detailed information on how to install the Microsoft RSAT o Remote Server Administration Tools. If you do not require the classic policies offered by Microsoft Active Directory, you can install the package ldap-account-manager which offers a simple interface for administration through a web browser.

• Windows 10: https://www.microsoft.com/en-us/download/details.aspx?id=45520

• Windows 8.1: http://www.microsoft.com/en-us/download/details.aspx?id=39296

• Windows 8: http://www.microsoft.com/en-us/download/details.aspx?id=28972

• Windows 7: http://www.microsoft.com/en-us/download/details.aspx?id=7887

• Windows Vista: http://www.microsoft.com/en-us/download/details.aspx?id=21090

The Microsoft Remote Server Administration Tools (RSAT) program package is included on Windows Server operating systems.

We join the domain to a Windows 7 client named "seven"

As we do not have a DHCP server in the network, the first thing we must do is configure the client's network card with a fixed IP, declare that the primary DNS will be the IP of the samba-ad-dc, and check that the option "Register the address of this connection in DNS" is activated. It is not idle to check that the name «seven»Is not yet registered in the Samba Internal DNS.

After we join the computer to the domain and restart it, let's try to log in with the user «strides«. We will check that everything works OK. It is also recommended to check the Windows Client logs and check how the time is correctly synchronized.

Administrators with some Windows experience will find that any checks they do on the client will yield satisfactory results.

Summary

I hope the article is useful to Community readers. DesdeLinux.

Goodbye!