[Samba] File server questions
L.P.H. van Belle
belle at bazuin.nl
Wed Sep 13 13:36:16 UTC 2017
Hi, Flavio,
Yes, it looks good, but I suggest, if you are setting up a new DC on Debian:
Go here: https://github.com/thctlo/samba4/tree/master/howtos
And read the file: stretch-base-2-samba-minimal-ad.txt
This should also work for Debian Jessie; if it errors, just remove the word "limited" from the restrict lines.
Now review the code below; you need to make a few small changes,
like the NTP server and interface names.
#For ntp and an unmodified ntp.conf.
# backup the original debian file.
cp /etc/ntp.conf{,.org-debian}
# Disable the pool servers.
sed -i 's/pool 0.debian.pool.ntp.org iburst/#pool 0.debian.pool.ntp.org iburst/g' /etc/ntp.conf
sed -i 's/pool 1.debian.pool.ntp.org iburst/#pool 1.debian.pool.ntp.org iburst/g' /etc/ntp.conf
sed -i 's/pool 2.debian.pool.ntp.org iburst/#pool 2.debian.pool.ntp.org iburst/g' /etc/ntp.conf
sed -i 's/pool 3.debian.pool.ntp.org iburst/#pool 3.debian.pool.ntp.org iburst/g' /etc/ntp.conf
# Enable a good NTP (stratum 1) server.
# This line, change ntp1.nl.net to a close stable ntp server.
# found here : http://support.ntp.org/bin/view/Servers/StratumOneTimeServers
sed -i 's/#server ntp.your-provider.example/server ntp1.nl.net/g' /etc/ntp.conf
cat << EOF >> /etc/ntp.conf
# Enable the interfaces you need. *( you need to change eth0 to your interface name)
# Optional, define which interface ntp could/should use
interface listen lo
interface listen eth0
#interface ignore wildcard
interface ignore ipv6
#
EOF
systemctl restart ntp
# create the ntp_signd folder if not exists.
if [ ! -d /var/lib/samba/ntp_signd/ ]; then
mkdir -p /var/lib/samba/ntp_signd/
chmod 750 /var/lib/samba/ntp_signd
chown root:ntp /var/lib/samba/ntp_signd
fi
# check name group
if [ "$(stat -c "%G" /var/lib/samba/ntp_signd/)" != "ntp" ]; then
echo "Error incorrect group detected on /var/lib/samba/ntp_signd/, correcting now."
chgrp ntp /var/lib/samba/ntp_signd
fi
# check owner/group rights.
if [ "$(stat -c "%a" /var/lib/samba/ntp_signd/)" -ne 750 ]; then
echo "Error incorrect group rights detected on /var/lib/samba/ntp_signd/, correcting now."
chmod 750 /var/lib/samba/ntp_signd
else
echo "folder : /var/lib/samba/ntp_signd already exists with correct rights (750)"
fi
# add the folder location to ntp.conf
cat << EOF >> /etc/ntp.conf
#
###### Needed for Samba 4 ####### in the restrict -4 or -6 added mssntp at the end
# Location of the samba ntp_signd directory
ntpsigndsocket /var/lib/samba/ntp_signd
#
EOF
sed -i 's/restrict -4 default kod notrap nomodify nopeer noquery limited/restrict -4 default kod notrap nomodify nopeer noquery limited mssntp/g' /etc/ntp.conf
sed -i 's/restrict -6 default kod notrap nomodify nopeer noquery limited/restrict -6 default kod notrap nomodify nopeer noquery limited mssntp/g' /etc/ntp.conf
systemctl restart ntp
systemctl status ntp
And you're done.
You're welcome, ;-)
Greetz,
Louis
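An added check, not part of Louis's script or of the Samba project: a small POSIX shell script that verifies an ntp.conf carries the two things the script above puts in place (mssntp on every "restrict -4/-6 default" line and an uncommented ntpsigndsocket entry). It runs against constructed sample files, so it works offline; the file paths are parameters.

```shell
#!/bin/sh
# Added example, not from the list post: verify that an ntp.conf carries the
# two settings a Samba AD DC needs from ntpd: "mssntp" on every
# "restrict -4/-6 default" line and an uncommented "ntpsigndsocket" entry.
# The config path is a parameter so the check can run against any copy.

# Constructed sample: Debian's default restrict lines after the sed edits
# above, plus the ntpsigndsocket line. When "$2" is "broken" the -6 line is
# deliberately left without mssntp so the negative case can be shown.
write_sample_conf() {
  conf="$1"; mode="$2"
  v6_extra=" mssntp"
  [ "$mode" = "broken" ] && v6_extra=""
  cat > "$conf" <<EOF
driftfile /var/lib/ntp/ntp.drift
server ntp1.nl.net
restrict -4 default kod notrap nomodify nopeer noquery limited mssntp
restrict -6 default kod notrap nomodify nopeer noquery limited${v6_extra}
restrict 127.0.0.1
restrict ::1
ntpsigndsocket /var/lib/samba/ntp_signd
EOF
}

# Succeeds only if there is at least one "restrict -4|-6 default" line and
# every one of them carries mssntp; without it ntpd will not sign replies.
check_mssntp() {
  lines=$(grep -E '^[[:space:]]*restrict[[:space:]]+-[46][[:space:]]+default' "$1")
  [ -n "$lines" ] || return 1
  printf '%s\n' "$lines" | grep -Evw 'mssntp' >/dev/null && return 1
  return 0
}

# Succeeds only if an uncommented ntpsigndsocket line points at "$2"
# (a trailing slash is tolerated, as both spellings appear in this thread).
check_signd_socket() {
  grep -E "^[[:space:]]*ntpsigndsocket[[:space:]]+$2/?[[:space:]]*$" "$1" >/dev/null
}

# Combined report; exits 0 only when both checks pass.
check_samba_ntp_conf() {
  check_mssntp "$1" || { echo "FAIL: restrict default line(s) without mssntp"; return 1; }
  check_signd_socket "$1" /var/lib/samba/ntp_signd || { echo "FAIL: ntpsigndsocket missing"; return 1; }
  echo "OK: $1 has mssntp and ntpsigndsocket"
}
```

Run `check_samba_ntp_conf /etc/ntp.conf` after the script above (and again after any package upgrade that rewrites ntp.conf) to confirm the Samba settings survived.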
> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Flávio Silveira via samba
> Sent: Wednesday 13 September 2017 15:17
> To: samba at lists.samba.org
> Subject: Re: [Samba] File server questions
>
>
>
> On 12/09/2017 14:59, Rowland Penny via samba wrote:
> > On Tue, 12 Sep 2017 14:41:42 -0300
> > Flávio Silveira via samba <samba at lists.samba.org> wrote:
> >
> >> Ok, I understand now, one question though: if realm is
> >> AD.TECNOPON.COM.BR, does domain need to be AD?
> > No, you can use anything you like, provided it is one word, 15
> > characters or less, without punctuation.
> >
> >> If I understand
> >> correctly, realm is "full domain with subdomain" and domain is the
> >> subdomain, yes?
> >>
> > No, the AD realm is the dns domain of the computer in uppercase, it
> > being a subdomain does not come into it. From your example above, the
> > dns domain would be: ad.tecnopon.com.br The realm would be:
> > AD.TECNOPON.COM.BR
> >
> > Rowland
> >
>
> Great! I've provisioned the domain and moved towards setting
> up Time Synchronisation by reading this:
> https://wiki.samba.org/index.php/Time_Synchronisation
>
> I've set the permissions accordingly:
>
> root at dc1:~# ls -ld /var/lib/samba/ntp_signd/
> drwxr-x--- 2 root ntp 4096 Sep 12 16:43 /var/lib/samba/ntp_signd/
> root at dc1:~#
>
> Now I'm working on editing ntp.conf.
>
> The tutorial gives a config example as below:
>
> > # Local clock. Note that is not the "localhost" address!
> > server 127.127.1.0
> > fudge 127.127.1.0 stratum 10
> >
> > # Where to retrieve the time from
> > server 0.pool.ntp.org iburst prefer
> > server 1.pool.ntp.org iburst prefer
> > server 2.pool.ntp.org iburst prefer
> >
> > driftfile /var/lib/ntp/ntp.drift
> > logfile /var/log/ntp
> > ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/
> >
> > # Access control
> > # Default restriction: Allow clients only to query the time
> > restrict default kod nomodify notrap nopeer mssntp
> >
> > # No restrictions for "localhost"
> > restrict 127.0.0.1
> >
> > # Enable the time sources to only provide time to this host
> > restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
> > restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
> > restrict 2.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
>
> Debian ntp.conf default is:
>
> > # /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
> >
> > driftfile /var/lib/ntp/ntp.drift
> >
> > # Enable this if you want statistics to be logged.
> > #statsdir /var/log/ntpstats/
> >
> > statistics loopstats peerstats clockstats
> > filegen loopstats file loopstats type day enable
> > filegen peerstats file peerstats type day enable
> > filegen clockstats file clockstats type day enable
> >
> >
> > # You do need to talk to an NTP server or two (or three).
> > #server ntp.your-provider.example
> >
> > # pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will
> > # pick a different set every time it starts up. Please consider joining the
> > # pool: <http://www.pool.ntp.org/join.html>
> > pool 0.debian.pool.ntp.org iburst
> > pool 1.debian.pool.ntp.org iburst
> > pool 2.debian.pool.ntp.org iburst
> > pool 3.debian.pool.ntp.org iburst
> >
> >
> > # Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
> > # details. The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
> > # might also be helpful.
> > #
> > # Note that "restrict" applies to both servers and clients, so a configuration
> > # that might be intended to block requests from certain clients could also end
> > # up blocking replies from your own upstream servers.
> >
> > # By default, exchange time with everybody, but don't allow configuration.
> > restrict -4 default kod notrap nomodify nopeer noquery limited
> > restrict -6 default kod notrap nomodify nopeer noquery limited
> >
> > # Local users may interrogate the ntp server more closely.
> > restrict 127.0.0.1
> > restrict ::1
> >
> > # Needed for adding pool entries
> > restrict source notrap nomodify noquery
> >
> > # Clients from this (example!) subnet have unlimited access, but only if
> > # cryptographically authenticated.
> > #restrict 192.168.123.0 mask 255.255.255.0 notrust
> >
> >
> > # If you want to provide time to your local subnet, change the next line.
> > # (Again, the address is an example only.)
> > #broadcast 192.168.123.255
> >
> > # If you want to listen to time broadcasts on your local subnet, de-comment the
> > # next lines. Please do this only if you trust everybody on the network!
> > #disable auth
> > #broadcastclient
>
> Given all that, I'm guessing I can do something like this, right?
>
> > # Local clock. Note that is not the "localhost" address!
> > server 127.127.1.0
> > fudge 127.127.1.0 stratum 10
> >
> > # Where to retrieve the time from
> > server 0.br.pool.ntp.org iburst prefer
> > server 1.br.pool.ntp.org iburst prefer
> > server 2.br.pool.ntp.org iburst prefer
> > server 3.br.pool.ntp.org iburst prefer
> >
> > driftfile /var/lib/ntp/ntp.drift
> > logfile /var/log/ntpstats
> > ntpsigndsocket /var/lib/samba/ntp_signd/
> >
> > # Access control
> > # Default restriction: Allow clients only to query the time
> > restrict default kod nomodify notrap nopeer mssntp
> >
> > # No restrictions for "localhost"
> > restrict 127.0.0.1
> >
> > # Enable the time sources to only provide time to this host
> > restrict 0.br.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
> > restrict 1.br.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
> > restrict 2.br.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
> > restrict 3.br.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
>
> Does this look correct? Can I ignore Debian's ntp.conf file
> completely?
>
> Thank you
>