[Samba] File server questions

Flávio Silveira fggs at terra.com.br
Wed Sep 13 14:18:58 UTC 2017



On 13/09/2017 10:36, L.P.H. van Belle via samba wrote:
> Hai, Flavio,
>
> Yes, it looks good, but I suggest, if you're setting up a new DC on Debian..
> Go here: https://github.com/thctlo/samba4/tree/master/howtos
> And read the file: stretch-base-2-samba-minimal-ad.txt
>
> This should also work for Debian Jessie; if it errors, just remove the word "limited" from the restrict line.
>
> Now, review the code below; you need to make a few small changes,
> like the ntp server and interface names.
>
> #For ntp and an unmodified ntp.conf.
> # backup the original debian file.
> cp /etc/ntp.conf{,.org-debian}
>
> # Disable the pool servers.
> sed -i 's/pool 0.debian.pool.ntp.org iburst/#pool 0.debian.pool.ntp.org iburst/g' /etc/ntp.conf
> sed -i 's/pool 1.debian.pool.ntp.org iburst/#pool 1.debian.pool.ntp.org iburst/g' /etc/ntp.conf
> sed -i 's/pool 2.debian.pool.ntp.org iburst/#pool 2.debian.pool.ntp.org iburst/g' /etc/ntp.conf
> sed -i 's/pool 3.debian.pool.ntp.org iburst/#pool 3.debian.pool.ntp.org iburst/g' /etc/ntp.conf
>
>
> # Enable a good NTP (stratum 1) server.
> # This line, change ntp1.nl.net to a close stable ntp server.
> # found here : http://support.ntp.org/bin/view/Servers/StratumOneTimeServers
> sed -i 's/#server ntp.your-provider.example/server ntp1.nl.net/g' /etc/ntp.conf
>
> cat << EOF >> /etc/ntp.conf
> # Enable the interfaces you need. (you need to change eth0 to your interface name)
> # Optional, define which interface ntp could/should use
> interface listen lo
> interface listen eth0
> #interface ignore wildcard
> interface ignore ipv6
> #
> EOF
> systemctl restart ntp
>
> # create the ntp_signd folder if not exists.
> if [ ! -d /var/lib/samba/ntp_signd/ ]; then
>      mkdir -p /var/lib/samba/ntp_signd/
>      chmod 750 /var/lib/samba/ntp_signd
>      chown root:ntp /var/lib/samba/ntp_signd
> fi
> # check name group
> if [ "$(stat -c "%G" /var/lib/samba/ntp_signd/)" != "ntp" ]; then
>      echo "Error incorrect group detected on /var/lib/samba/ntp_signd/, correcting now."
>      chgrp ntp /var/lib/samba/ntp_signd
> fi
> # check owner/group rights.
> if [ "$(stat -c "%a" /var/lib/samba/ntp_signd/)" -ne 750 ]; then
>      echo "Error incorrect group rights detected on /var/lib/samba/ntp_signd/, correcting now."
>      chmod 750 /var/lib/samba/ntp_signd
> else
>      echo "folder : /var/lib/samba/ntp_signd already exists with correct rights (750)"
> fi
>
>
> # add the folder location to ntp.conf
> cat << EOF >> /etc/ntp.conf
> #
> ######  Needed for Samba 4  #######  in the restrict -4 or -6 added mssntp at the end
> # Location of the samba ntp_signed directory
> ntpsigndsocket /var/lib/samba/ntp_signd
> #
> EOF
>
> sed -i 's/restrict -4 default kod notrap nomodify nopeer noquery limited/restrict -4 default kod notrap nomodify nopeer noquery limited mssntp/g' /etc/ntp.conf
> sed -i 's/restrict -6 default kod notrap nomodify nopeer noquery limited/restrict -6 default kod notrap nomodify nopeer noquery limited mssntp/g' /etc/ntp.conf
> systemctl restart ntp
> systemctl status ntp
>
> And you're done.
>
> You're welcome,  ;-)
>
>
> Greetz,
>
> Louis
>

Thank for your reply Louis!

I've been reading your howtos, but I didn't know how to execute them, so 
I decided to create a new file as below:

> # Local clock. Note that is not the "localhost" address!
> server 127.127.1.0
> fudge  127.127.1.0 stratum 10
>
> # Where to retrieve the time from
> server a.st1.ntp.br iburst prefer
> server b.st1.ntp.br iburst prefer
> server c.st1.ntp.br iburst prefer
> server d.st1.ntp.br iburst prefer
>
> driftfile       /var/lib/ntp/ntp.drift
> logfile         /var/log/ntpstats
> ntpsigndsocket  /var/lib/samba/ntp_signd/
>
> # Access control
> # Default restriction: Allow clients only to query the time
> restrict default kod nomodify notrap nopeer mssntp
>
> # No restrictions for "localhost"
> restrict 127.0.0.1
>
> # Enable the time sources to only provide time to this host
> restrict a.st1.ntp.br   mask 255.255.255.255    nomodify notrap nopeer noquery
> restrict b.st1.ntp.br   mask 255.255.255.255    nomodify notrap nopeer noquery
> restrict c.st1.ntp.br   mask 255.255.255.255    nomodify notrap nopeer noquery
> restrict d.st1.ntp.br   mask 255.255.255.255    nomodify notrap nopeer noquery
>
> # Interfaces ntp daemon should listen
>
> interface listen lo
> interface listen enp2s0
>
> # Ignore IPv6 wildcard
>
> interface ignore ipv6

As you can see, my "Access control" line doesn't have "noquery" and 
"limited", but I don't know much about ntp, so I don't know whether I 
should add them or not.

Your lines also have -4 and -6, which seem to be related to IPv4 and 
IPv6. If I plan to use IPv4 only, can I stick with "default"?

Thanks
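The thread above turns on three settings that decide how exposed the DC's ntpd is: the restrict lines (in ntpd, `noquery` denies ntpq/ntpdc control queries without affecting time service, `kod` plus `limited` rate-limits clients, and `mssntp` hands MS-SNTP requests to Samba over the signing socket; a `restrict default` line without `-4`/`-6` applies to both address families), the `ntpsigndsocket` path, and the 750 root:ntp directory that keeps that socket reachable only by root and ntpd. The script below is an added example, not part of this thread or of Louis's howto: it builds a constructed ntp.conf and socket directory under a temporary directory and checks them the way an admin would check a real /etc/ntp.conf and /var/lib/samba/ntp_signd. The group argument accepts a name such as ntp or a numeric gid; the demo passes the caller's own gid because the sandbox has no ntp group.

```shell
#!/bin/sh
# Added example (not from the thread): sanity checks for the NTP-on-Samba-DC
# setup discussed above. All paths below are constructed in a temp dir.

NTP_SIGND_MODE=750   # mode the thread expects on the ntp_signd directory

# Every "restrict [-4|-6] default" line must carry noquery (denies ntpq/ntpdc
# control queries, not time requests) and mssntp (MS-SNTP signing via Samba).
# Returns 0 only if at least one such line exists and all of them comply.
check_restrict_lines() {
    conf="$1"
    lines=$(grep -E '^[[:space:]]*restrict[[:space:]]+(-[46][[:space:]]+)?default([[:space:]]|$)' "$conf")
    [ -n "$lines" ] || return 1          # no default restriction at all
    for flag in noquery mssntp; do
        missing=$(printf '%s\n' "$lines" | grep -cvE "(^|[[:space:]])$flag([[:space:]]|$)")
        [ "$missing" -eq 0 ] || return 1
    done
    return 0
}

# ntp.conf must point ntpd at the signing socket directory.
check_signd_socket_line() {
    grep -qE '^[[:space:]]*ntpsigndsocket[[:space:]]+/' "$1"
}

# The socket directory must exist, be mode 750, and belong to the expected
# group (name or numeric gid), so only root and the ntp group reach the socket.
# Returns 1 (missing), 2 (wrong mode), 3 (wrong group), 0 (all good).
check_signd_dir() {
    dir="$1"; want_group="$2"
    [ -d "$dir" ] || return 1
    [ "$(stat -c '%a' "$dir")" = "$NTP_SIGND_MODE" ] || return 2
    grp_name=$(stat -c '%G' "$dir"); grp_id=$(stat -c '%g' "$dir")
    [ "$grp_name" = "$want_group" ] || [ "$grp_id" = "$want_group" ] || return 3
    return 0
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed config in the shape the thread ends with (single "default" line).
cat > "$WORK/good.conf" <<'EOF'
server a.st1.ntp.br iburst prefer
ntpsigndsocket /var/lib/samba/ntp_signd/
restrict default kod nomodify notrap nopeer noquery limited mssntp
restrict 127.0.0.1
EOF

# Constructed config with separate -4/-6 lines; the -6 line lacks mssntp and
# the ntpsigndsocket line is missing entirely.
cat > "$WORK/bad.conf" <<'EOF'
restrict -4 default kod notrap nomodify nopeer noquery limited mssntp
restrict -6 default kod notrap nomodify nopeer noquery limited
EOF

mkdir -p "$WORK/ntp_signd" && chmod 750 "$WORK/ntp_signd"

for c in good bad; do
    if check_restrict_lines "$WORK/$c.conf" && check_signd_socket_line "$WORK/$c.conf"; then
        echo "$c.conf: restrict lines and ntpsigndsocket OK"
    else
        echo "$c.conf: restrict lines or ntpsigndsocket need attention"
    fi
done

# Caller's own gid stands in for "ntp" here (constructed environment).
if check_signd_dir "$WORK/ntp_signd" "$(id -g)"; then
    echo "ntp_signd dir: mode and group OK"
else
    echo "ntp_signd dir: check failed (rc=$?)"
fi
```

On a real DC the calls become `check_restrict_lines /etc/ntp.conf`, `check_signd_socket_line /etc/ntp.conf` and `check_signd_dir /var/lib/samba/ntp_signd ntp`; a non-zero return from the last one says which of the three properties is off.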



