[Samba] File server questions

L.P.H. van Belle belle at bazuin.nl
Wed Sep 13 13:36:16 UTC 2017


Hi Flavio, 

Yes, it looks good, but I suggest, if you are setting up a new DC on Debian: 
go here: https://github.com/thctlo/samba4/tree/master/howtos 
and read the file: stretch-base-2-samba-minimal-ad.txt 

This should also work for Debian Jessie; if it errors, just remove the word "limited" from the restrict lines. 

Now, review the code below; you need to make a few small changes, 
like the NTP server and the interface names. 

# For ntp with an unmodified ntp.conf.
# Back up the original Debian file. 
cp /etc/ntp.conf{,.org-debian}

# Disable the pool servers. 
sed -i 's/pool 0.debian.pool.ntp.org iburst/#pool 0.debian.pool.ntp.org iburst/g' /etc/ntp.conf
sed -i 's/pool 1.debian.pool.ntp.org iburst/#pool 1.debian.pool.ntp.org iburst/g' /etc/ntp.conf
sed -i 's/pool 2.debian.pool.ntp.org iburst/#pool 2.debian.pool.ntp.org iburst/g' /etc/ntp.conf
sed -i 's/pool 3.debian.pool.ntp.org iburst/#pool 3.debian.pool.ntp.org iburst/g' /etc/ntp.conf


# Enable a good NTP (stratum 1) server. 
# On this line, change ntp1.nl.net to a close, stable NTP server, 
# found here: http://support.ntp.org/bin/view/Servers/StratumOneTimeServers 
sed -i 's/#server ntp.your-provider.example/server ntp1.nl.net/g' /etc/ntp.conf

cat << EOF >> /etc/ntp.conf
# Enable the interfaces you need (change eth0 to your interface name). 
# Optional, define which interface ntp could/should use
interface listen lo
interface listen eth0
#interface ignore wildcard
interface ignore ipv6
#
EOF
systemctl restart ntp 

# Create the ntp_signd folder if it does not exist.
if [ ! -d /var/lib/samba/ntp_signd/ ]; then 
    mkdir -p /var/lib/samba/ntp_signd/
    chmod 750 /var/lib/samba/ntp_signd
    chown root:ntp /var/lib/samba/ntp_signd
fi
# Check the group name; ntpd runs as the ntp user and needs group access to the socket dir.
if [ "$(stat -c "%G" /var/lib/samba/ntp_signd/)" != "ntp" ]; then
    echo "Error: incorrect group detected on /var/lib/samba/ntp_signd/, correcting now."
    chgrp ntp /var/lib/samba/ntp_signd
fi
# Check owner/group rights. 
if [ "$(stat -c "%a" /var/lib/samba/ntp_signd/)" -ne 750 ]; then 
    echo "Error: incorrect rights detected on /var/lib/samba/ntp_signd/, correcting now."
    chmod 750 /var/lib/samba/ntp_signd
else
    echo "folder /var/lib/samba/ntp_signd already exists with correct rights (750)"
fi


# add the folder location to ntp.conf
cat << EOF >> /etc/ntp.conf
#
######  Needed for Samba 4  #######  in the restrict -4 or -6 added mssntp at the end
# Location of the samba ntp_signed directory
ntpsigndsocket /var/lib/samba/ntp_signd
#
EOF

sed -i 's/restrict -4 default kod notrap nomodify nopeer noquery limited/restrict -4 default kod notrap nomodify nopeer noquery limited mssntp/g' /etc/ntp.conf
sed -i 's/restrict -6 default kod notrap nomodify nopeer noquery limited/restrict -6 default kod notrap nomodify nopeer noquery limited mssntp/g' /etc/ntp.conf
systemctl restart ntp
systemctl status ntp

And you're done. 

You're welcome,  ;-) 


Greetz, 

Louis



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> Flávio Silveira via samba
> Sent: Wednesday 13 September 2017 15:17
> To: samba at lists.samba.org
> Subject: Re: [Samba] File server questions
> 
> 
> 
> On 12/09/2017 14:59, Rowland Penny via samba wrote:
> > On Tue, 12 Sep 2017 14:41:42 -0300
> > Flávio Silveira via samba <samba at lists.samba.org> wrote:
> >
> >> Ok, I understand now, one question though: if realm is 
> >> AD.TECNOPON.COM.BR, does domain need to be AD?
> > No, you can use anything you like, provided it is one word, 15 
> > characters or less, without punctuation.
> >
> >> If I understand
> >> correctly, realm is "full domain with subdomain" and domain is the 
> >> subdomain, yes?
> >>
> > No, the AD realm is the dns domain of the computer in uppercase, it 
> > being a subdomain does not come into it. From your example 
> above, the 
> > dns domain would be: ad.tecnopon.com.br The realm would be: 
> > AD.TECNOPON.COM.BR
> >
> > Rowland
> >
> 
> Great! I've provisioned the domain and moved towards setting 
> up Time Synchronisation by reading this: 
> https://wiki.samba.org/index.php/Time_Synchronisation
> 
> I've set the permissions accordingly:
> 
> root at dc1:~# ls -ld /var/lib/samba/ntp_signd/
> drwxr-x--- 2 root ntp 4096 Sep 12 16:43 /var/lib/samba/ntp_signd/
> root at dc1:~#
> 
> Now I'm working on editing ntp.conf.
> 
> The tutorial gives a config example as below:
> 
> > # Local clock. Note that is not the "localhost" address!
> > server 127.127.1.0
> > fudge  127.127.1.0 stratum 10
> >
> > # Where to retrieve the time from
> > server 0.pool.ntp.org     iburst prefer
> > server 1.pool.ntp.org     iburst prefer
> > server 2.pool.ntp.org     iburst prefer
> >
> > driftfile       /var/lib/ntp/ntp.drift
> > logfile         /var/log/ntp
> > ntpsigndsocket  /usr/local/samba/var/lib/ntp_signd/
> >
> > # Access control
> > # Default restriction: Allow clients only to query the time
> > restrict default kod nomodify notrap nopeer mssntp
> >
> > # No restrictions for "localhost"
> > restrict 127.0.0.1
> >
> > # Enable the time sources to only provide time to this host
> > restrict 0.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
> > restrict 1.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
> > restrict 2.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
> 
> Debian ntp.conf default is:
> 
> > # /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
> >
> > driftfile /var/lib/ntp/ntp.drift
> >
> > # Enable this if you want statistics to be logged.
> > #statsdir /var/log/ntpstats/
> >
> > statistics loopstats peerstats clockstats
> > filegen loopstats file loopstats type day enable
> > filegen peerstats file peerstats type day enable
> > filegen clockstats file clockstats type day enable
> >
> >
> > # You do need to talk to an NTP server or two (or three).
> > #server ntp.your-provider.example
> >
> > # pool.ntp.org maps to about 1000 low-stratum NTP servers.  Your server will
> > # pick a different set every time it starts up.  Please consider joining the
> > # pool: <http://www.pool.ntp.org/join.html>
> > pool 0.debian.pool.ntp.org iburst
> > pool 1.debian.pool.ntp.org iburst
> > pool 2.debian.pool.ntp.org iburst
> > pool 3.debian.pool.ntp.org iburst
> >
> >
> > # Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
> > # details.  The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
> > # might also be helpful.
> > #
> > # Note that "restrict" applies to both servers and clients, so a configuration
> > # that might be intended to block requests from certain clients could also end
> > # up blocking replies from your own upstream servers.
> >
> > # By default, exchange time with everybody, but don't allow configuration.
> > restrict -4 default kod notrap nomodify nopeer noquery limited 
> > restrict -6 default kod notrap nomodify nopeer noquery limited
> >
> > # Local users may interrogate the ntp server more closely.
> > restrict 127.0.0.1
> > restrict ::1
> >
> > # Needed for adding pool entries
> > restrict source notrap nomodify noquery
> >
> > # Clients from this (example!) subnet have unlimited access, but only if
> > # cryptographically authenticated.
> > #restrict 192.168.123.0 mask 255.255.255.0 notrust
> >
> >
> > # If you want to provide time to your local subnet, change the next line.
> > # (Again, the address is an example only.)
> > #broadcast 192.168.123.255
> >
> > # If you want to listen to time broadcasts on your local subnet, de-comment the
> > # next lines.  Please do this only if you trust everybody on the network!
> > #disable auth
> > #broadcastclient
> 
> Giving all that I'm guessing I can do something like this, right?
> 
> > # Local clock. Note that is not the "localhost" address!
> > server 127.127.1.0
> > fudge  127.127.1.0 stratum 10
> >
> > # Where to retrieve the time from
> > server 0.br.pool.ntp.org iburst prefer
> > server 1.br.pool.ntp.org iburst prefer
> > server 2.br.pool.ntp.org iburst prefer
> > server 3.br.pool.ntp.org iburst prefer
> >
> > driftfile       /var/lib/ntp/ntp.drift
> > logfile         /var/log/ntpstats
> > ntpsigndsocket  /var/lib/samba/ntp_signd/
> >
> > # Access control
> > # Default restriction: Allow clients only to query the time
> > restrict default kod nomodify notrap nopeer mssntp
> >
> > # No restrictions for "localhost"
> > restrict 127.0.0.1
> >
> > # Enable the time sources to only provide time to this host
> > restrict 0.br.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
> > restrict 1.br.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
> > restrict 2.br.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
> > restrict 3.br.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
> 
> Does this look correct? Can I ignore Debian's ntp.conf file 
> completely?
> 
> Thank you
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
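As an added example (not Louis's script above and not Samba's own code), the same ntp.conf changes written as shell functions that take a file path, so they can be dry-run on a copy before touching /etc/ntp.conf. Unlike the fixed-string sed calls above, the restrict edit matches the default restrict lines with or without the "limited" keyword (the Jessie difference Louis mentions), never appends mssntp twice, and the last two functions check the result and the ntp_signd directory ntpd needs. The upstream server name, the socket path and the sample ntp.conf lines are assumptions; the sample is a constructed subset of the Debian stock file.

```shell
#!/bin/sh
# Added example, not from the original post or the Samba project.
# Assumptions: GNU sed/stat (Debian), ntpd running as user "ntp",
# socket dir /var/lib/samba/ntp_signd, upstream server ntp1.nl.net.

# Write a constructed copy of the Debian stock ntp.conf lines that matter.
make_sample_conf() {
    cat > "$1" <<'EOF'
driftfile /var/lib/ntp/ntp.drift
#server ntp.your-provider.example
pool 0.debian.pool.ntp.org iburst
pool 1.debian.pool.ntp.org iburst
restrict -4 default kod notrap nomodify nopeer noquery limited
restrict -6 default kod notrap nomodify nopeer noquery limited
restrict 127.0.0.1
restrict ::1
restrict source notrap nomodify noquery
EOF
}

# Apply the Samba-DC changes to the ntp.conf at $1 (idempotent).
# $2 = upstream server, $3 = ntp_signd socket directory (assumed defaults).
samba_ntp_conf() {
    conf="$1"; upstream="${2:-ntp1.nl.net}"; signd="${3:-/var/lib/samba/ntp_signd}"
    # 1. Disable the pool lines so the DC only talks to the server you chose.
    sed -i 's/^pool /#pool /' "$conf"
    # 2. Enable one upstream server (only if the Debian placeholder is still there).
    sed -i "s|^#server ntp.your-provider.example|server $upstream iburst|" "$conf"
    # 3. Append mssntp to the default restrict lines, with or without the
    #    "limited" keyword, and never twice.
    sed -i '/^restrict -[46] default/{/ mssntp/!s/$/ mssntp/}' "$conf"
    # 4. Add the socket directory once.
    grep -q '^ntpsigndsocket ' "$conf" || printf 'ntpsigndsocket %s\n' "$signd" >> "$conf"
}

# Return 0 only if every expected change is present; print what is missing.
check_samba_ntp_conf() {
    conf="$1"; rc=0
    grep -q '^pool ' "$conf" && { echo "pool lines still active"; rc=1; }
    grep -q '^server ' "$conf" || { echo "no upstream server"; rc=1; }
    [ "$(grep -c '^restrict -[46] default.* mssntp$' "$conf")" -eq 2 ] \
        || { echo "mssntp missing on a default restrict line"; rc=1; }
    [ "$(grep -c '^ntpsigndsocket ' "$conf")" -eq 1 ] \
        || { echo "ntpsigndsocket missing or duplicated"; rc=1; }
    return $rc
}

# Check the socket directory: must exist, mode 750, group $2 (default ntp),
# so ntpd can reach the socket and nobody else can.
check_signd_dir() {
    d="$1"; grp="${2:-ntp}"
    [ -d "$d" ] || { echo "$d missing"; return 1; }
    [ "$(stat -c '%a' "$d")" = "750" ] || { echo "$d mode is not 750"; return 1; }
    [ "$(stat -c '%G' "$d")" = "$grp" ] || { echo "$d group is not $grp"; return 1; }
}
```

Usage on a real DC, as root: `cp /etc/ntp.conf /root/ntp.conf.test; samba_ntp_conf /root/ntp.conf.test ntp1.nl.net; check_samba_ntp_conf /root/ntp.conf.test` to dry-run, then apply to /etc/ntp.conf, run `check_signd_dir /var/lib/samba/ntp_signd ntp` and only then `systemctl restart ntp`. Running the rewrite a second time changes nothing, which is what you want from anything you keep in a provisioning script.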



