Traditionally, csup was used with a command like this one
# csup -h cvsup15.us.FreeBSD.org -g -L 2 /usr/share/examples/cvsup/ports-supfile
to keep our ports tree up to date on FreeBSD, but it has been announced that around 28 February 2013 there will be a migration from CVS, CVSup and csup to the new portsnap.
To migrate on the FreeBSD systems where we already had our ports tree set up the old way...
When we have installed a large number of ports, the /usr/ports/distfiles directory is full of source files that we do not want to lose, so we make a copy of it
# cp -r /usr/ports/distfiles /home/
# cp -r /usr/ports/packages /home/
Now we delete the old ports tree
# rm -rf /usr/ports
Now we can start working with portsnap
The first time portsnap is used, a snapshot of the ports tree must be downloaded and extracted into /usr/ports
# portsnap fetch extract
Then, to keep our ports tree up to date, run the command
# portsnap fetch update
The Handbook
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ports-using.html, and more specifically the portsnap(8) man page at http://www.freebsd.org/cgi/man.cgi?query=portsnap&sektion=8, says the line should be written like this:
00 06 * * * root /usr/sbin/portsnap cron
But it does nothing for me!
Another site, https://bitdrop.st0w.com/2009/05/18/setting-up-a-new-freebsd-server-for-easy-maintenance, recommends different settings as being better, but that does not work either.
00 06 * * * root /usr/sbin/portsnap update cron
And this last one does work!
Finally we have to copy back our distfiles folder, which we had copied to /home, and delete the copy when we are done
# cp -r /home/distfiles /usr/ports/
# cp -r /home/packages /usr/ports/
# rm -rf /home/distfiles
# rm -rf /home/packages
2013/03/06
2013/03/04
Samba4 AD/DC
Scenario:
FreeBSD 9.1 + Samba 4 (Bind99, SAMBA_INTERNAL) + Bind99 (updated from DHCP) + DHCP
Result:
It works!
Manuals consulted:
http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
http://www.whitneytechnologies.com/?p=422
http://fraterneo.blogspot.com/2012/12/como-configurar-un-controlador-de.html
http://www.freebsd.org/doc/handbook/kerberos5.html
http://www.rjsystems.nl/en/2100-dns-discovery-kerberos.php
http://es.wikipedia.org/wiki/Kerberos
http://www.bind9.net/manuals
http://albertolarripa.com/?p=1530
http://www.semicomplete.com/articles/dynamic-dns-with-dhcp
http://forums.freebsd.org/showthread.php?t=33849
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/DNSDHCP.html
http://lani78.wordpress.com/2012/07/23/make-your-dhcp-server-dynamically-update-your-dns-records-on-ubuntu-12-04-precise-pangolin
Network parameters:
hostname="samdom.example.com"
keymap="spanish.iso.kbd"
#ifconfig_em0="DHCP"
ifconfig_em0="inet 192.168.2.101 netmask 255.255.255.0"
defaultrouter="192.168.2.1"
ifconfig_em1="inet 192.168.1.1 netmask 255.255.255.0"
ipv6_activate_all_interfaces="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
sshd_enable="YES"
SATA disk partitioning:
ada0 931GB GPT
ada0p1 512kB freebsd-boot
ada0p2 16GB freebsd-ufs / exrootfs
ada0p3 32GB freebsd-swap none exswap
ada0p4 64GB freebsd-ufs /var exvarfs
ada0p5 16GB freebsd-ufs /tmp extmpfs
ada0p6 803GB freebsd-ufs /usr exusrfs
FreeBSD passwords:
root / 123
PORTS
Download the ports tree with "fetch" and unpack it with "extract" (run only the first time)
# portsnap fetch extract
Now, to keep the ports tree up to date, always run
# portsnap fetch update
This last line can be added to cron so that the ports are updated daily; in /etc/crontab add a line like this
00 06 * * * root /usr/sbin/portsnap fetch update >/dev/null 2>&1
ACLS (add the acls mount option to the UFS file systems in /etc/fstab)
# cat /etc/fstab
# Device Mountpoint FStype Options Dump Pass#
/dev/ada0p2 / ufs rw 1 1
/dev/ada0p3 none swap sw 0 0
/dev/ada0p4 /var ufs rw 2 2
/dev/ada0p5 /tmp ufs rw 2 2
/dev/ada0p6 /usr ufs rw 2 2
# cat /etc/fstab
# Device Mountpoint FStype Options Dump Pass#
/dev/ada0p2 / ufs rw,acls 1 1
/dev/ada0p3 none swap sw 0 0
/dev/ada0p4 /var ufs rw,acls 2 2
/dev/ada0p5 /tmp ufs rw,acls 2 2
/dev/ada0p6 /usr ufs rw,acls 2 2
# reboot
Configure the Bind99 options
# cd /usr/ports/dns/bind99
# make config
Options for bind99 9.9.2.1
[ ] FIXED_RRSET Enable fixed rrset ordering
[ ] IDN International Domain Names
[*] IPV6 IPv6 protocol
[ ] LARGE_FILE 64-bit file support
[*] LINKS Create conf file symlinks in /usr/local
[*] REPLACE_BASE Replace base BIND with this version <- SELECT THIS OPTION!
[ ] RPZRRL_PATCH RPZ improvements + RRL patch (experimental)
[ ] RPZ_NSDNAME Enable RPZ NSDNAME policy records
[ ] RPZ_NSIP Enable RPZ NSIP trigger rules
[ ] SIGCHASE dig/host/nslookup will do DNSSEC validation
[*] SSL Build with OpenSSL (Required for DNSSEC)
[*] THREADS Threading support
[*] XML Support for xml statistics output
[ ] DLZ_POSTGRESQL G(DLZ): DLZ Postgres driver
[ ] DLZ_MYSQL G(DLZ): DLZ MySQL driver (no threading)
[ ] DLZ_BDB G(DLZ): DLZ BDB driver
[ ] DLZ_LDAP G(DLZ): DLZ LDAP driver
[ ] DLZ_FILESYSTEM G(DLZ): DLZ filesystem driver
[ ] DLZ_STUB G(DLZ): DLZ stub driver
< OK >
Install Samba4
# cd /usr/ports/net/samba4
# make config
Options for samba4 4.0.3
[*] ACL_SUPPORT File system ACL support
[*] ADS Active Directory support
[*] AIO_SUPPORT Asyncronous IO support
[ ] AVAHI Zeroconf via Avahi <- DISABLE THIS OPTION!
[*] CUPS CUPS printing system
[*] DEBUG With debug information in the binaries
[ ] DEVELOPER With development support
[*] DNSUPDATE Dynamic DNS update(require ADS)
[ ] EXP_MODULES Experimental modules
[*] FAM_SUPPORT File Alteration Monitor support
[*] LDAP LDAP support
[ ] MANPAGES Build and/or install manual pages
[*] PAM_SMBPASS PAM authentication via passdb backends
[*] PTHREADPOOL Pthread pool
[*] QUOTAS Disk quota support
[*] SWAT SWAT WebGUI
[*] SYSLOG Syslog support
[*] UTMP UTMP accounting support
[*] WINBIND WinBIND support
[ ] NSUPDATE S(DNS): Use internal DNS with NSUPDATE utility <- DISABLE THIS OPTION!
[ ] BIND98 S(DNS): Use bind98 as a DNS server frontend
[*] BIND99 S(DNS): Use bind99 as a DNS server frontend <- SELECT THIS OPTION!
< OK >
# make config-recursive
(I leave all the other ports at their defaults)
# make install clean
Note:
The Samba4 port with the [*] BIND99 option will install bind99, which is why we configure the bind99 options first, with [*] REPLACE_BASE selected.
# rndc-confgen -a -c /etc/namedb/rndc.conf -k rndc-key -b 256
wrote key file "/etc/namedb/rndc.conf"
# cat /etc/namedb/rndc.conf
key "rndc-key" {
algorithm hmac-md5;
secret "zvuOE1XeVBUXZa12LTUDEAgZaH3cVFZp+GiObzuAB5c=";
};
# edit /etc/namedb/named.conf
options {
// All file and path names are relative to the chroot directory,
// if any, and should be fully qualified.
directory "/etc/namedb/working";
pid-file "/var/run/named/pid";
dump-file "/var/dump/named_dump.db";
statistics-file "/var/stats/named.stats";
...
listen-on { 127.0.0.1; 192.168.1.1; };
...
forwarders {
8.8.8.8;
8.8.4.4;
};
...
//zone "example.com" { type master; file "/etc/namedb/master/empty.db"; }; <- COMMENT OUT THIS LINE!
...
controls {
inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
};
// Take this from the /etc/namedb/rndc.conf file
key "rndc-key" {
algorithm hmac-md5;
secret "zvuOE1XeVBUXZa12LTUDEAgZaH3cVFZp+GiObzuAB5c=";
};
zone "example.com" {
type master;
allow-update { key "rndc-key"; };
allow-transfer { localhost; 192.168.1.1; };
file "/etc/namedb/dynamic/example.com";
};
zone "1.168.192.in-addr.arpa" {
type master;
allow-update { key "rndc-key"; };
allow-transfer { localhost; 192.168.1.1; };
file "/etc/namedb/dynamic/1.168.192.in-addr.arpa";
};
# edit /etc/namedb/dynamic/example.com
$TTL 3600 ; 1 hour default TTL
example.com. IN SOA samdom.example.com. admin.example.com. (
2013021701 ; Serial
10800 ; Refresh (3 hours)
3600 ; Retry (1 hour)
604800 ; Expire (1 week)
300 ; Negative Response TTL (5 minutes)
)
; DNS Servers
IN NS samdom.example.com.
; MX Records
;IN MX 10 mx.example.com.
;IN MX 20 mail.example.com.
IN A 192.168.1.1
; Machine Names
localhost IN A 127.0.0.1
samdom IN A 192.168.1.1
kerberos IN A 192.168.1.1
ldap IN A 192.168.1.1
; Aliases
;
;_kerberos._udp IN SRV 01 00 88 kerberos.example.com.
;_kerberos._tcp IN SRV 01 00 88 kerberos.example.com.
;_kpasswd._udp IN SRV 01 00 464 kerberos.example.com.
;_kerberos-adm._tcp IN SRV 01 00 749 kerberos.example.com.
;_kerberos IN TXT EXAMPLE.COM
;
;_ldap._tcp IN SRV 01 00 389 ldap.example.com.
;_ldap._udp IN SRV 01 00 88 ldap.example.com.
Warning!
Although the _kerberos and _ldap entries are correct, since Samba uses its own records but queries Bind, if I leave them active they cause problems.
# edit /etc/namedb/dynamic/1.168.192.in-addr.arpa
$TTL 3600 ; 1 hour default TTL
1.168.192.in-addr.arpa. IN SOA samdom.example.com. admin.example.com. (
2013021701 ; Serial
10800 ; Refresh (3 hours)
3600 ; Retry (1 hour)
604800 ; Expire (1 week)
300 ; Negative Response TTL (5 minutes)
)
; DNS Servers
IN NS samdom.example.com.
; Machine IPs
1 IN PTR samdom.example.com.
1 IN PTR kerberos.example.com.
# edit /etc/rc.conf
# Bind
named_enable="YES"
named_chrootdir=""
# /etc/rc.d/named start
# edit /etc/resolv.conf
search example.com
domain EXAMPLE.COM
nameserver 127.0.0.1
#nameserver 8.8.8.8
#nameserver 8.8.4.4
# nslookup samdom
Server: 127.0.0.1
Address: 127.0.0.1#53
Name: samdom.example.com
Address: 192.168.1.1
# nslookup kerberos
Server: 127.0.0.1
Address: 127.0.0.1#53
Name: kerberos.example.com
Address: 192.168.1.1
Install isc-dhcp42-server
# cd /usr/ports/net/isc-dhcp42-server
# make config
Options for isc-dhcp42-server 4.2.4_2
[ ] BIND_SYMBOLS Enable BIND internal symbol table
[*] IPV6 IPv6 protocol
[ ] LDAP LDAP support
[*] LDAP_SSL Support LDAP over SSL/TLS
[ ] PARANOIA Enable support for chroot
< OK >
# make config-recursive
# make install clean
# rm /usr/local/etc/dhcpd.conf
# edit /usr/local/etc/dhcpd.conf
# dhcpd.conf
#
# Sample configuration file for ISC dhcpd PRIMARY
#
option domain-name "example.com";
option domain-name-servers 192.168.1.1;
default-lease-time 600;
max-lease-time 7200;
# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;
# ad-hoc DNS update scheme - set to "none" to disable dynamic DNS updates.
ddns-updates on;
ddns-update-style interim;
ddns-domainname "example.com";
allow client-updates;
# Take this from the /etc/namedb/rndc.conf file
key "rndc-key" {
algorithm hmac-md5;
secret "zvuOE1XeVBUXZa12LTUDEAgZaH3cVFZp+GiObzuAB5c=";
}
zone example.com. {
primary 192.168.1.1;
key rndc-key;
}
zone 1.168.192.in-addr.arpa. {
primary 192.168.1.1;
key rndc-key;
}
# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;
option netbios-name-servers 192.168.1.1;
option netbios-node-type 8;
option time-offset -18000; # Bogota GMT -5.0 Hours => -5x60x60 = -18000 Seconds
option ntp-servers 192.168.1.1;
option time-servers 192.168.1.1;
# Dynamic addresses
subnet 192.168.1.0 netmask 255.255.255.0 {
range 192.168.1.10 192.168.1.110;
option routers 192.168.1.1;
option broadcast-address 192.168.1.255;
}
# ifconfig em1 inet 192.168.1.1 netmask 255.255.255.0 up
# edit /etc/rc.conf
ifconfig_em1="inet 192.168.1.1 netmask 255.255.255.0"
# DHCP Server
dhcpd_enable="YES"
dhcpd_flags="-q"
dhcpd_conf="/usr/local/etc/dhcpd.conf"
dhcpd_ifaces="em1"
dhcpd_withumask="022"
# /usr/local/etc/rc.d/isc-dhcpd start
Install cups-base
# cd /usr/ports/print/cups-base
# make config
I leave everything at the defaults
# make config-recursive
I leave everything at the defaults
# make install clean
# edit /etc/rc.conf
# CUPS
cupsd_enable="YES"
# /usr/local/etc/rc.d/cupsd start
We edit the file and add the "options" section
# edit /etc/namedb/rndc.conf
key "rndc-key" {
algorithm hmac-md5;
secret "zvuOE1XeVBUXZa12LTUDEAgZaH3cVFZp+GiObzuAB5c=";
};
options {
default-server 127.0.0.1;
default-key rndc-key;
};
# rndc status
version: 9.9.2-P1
CPUs found: 2
worker threads: 2
UDP listeners per interface: 2
number of zones: 99
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
# /usr/local/bin/samba-tool domain provision
Realm [EXAMPLE.COM]: EXAMPLE.COM
Domain [EXAMPLE]: EXAMPLE
Server Role (dc, member, standalone) [dc]: dc
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: SAMBA_INTERNAL
DNS forwarder IP address (write 'none' to disable forwarding) [127.0.0.1]: 192.168.1.1
Administrator password:
Retype password:
Looking up IPv4 addresses
More than one IPv4 address found. Using 192.168.1.1
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=example,DC=com
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=example,DC=com
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /var/db/samba4/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role: active directory domain controller
Hostname: samdom
NetBIOS Domain: EXAMPLE
DNS Domain: example.com
DOMAIN SID: S-1-5-21-3981277467-4260322419-4091201666
# cp /var/db/samba4/private/krb5.conf /etc/
# cat /etc/krb5.conf
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true
# edit /etc/rc.conf
# NTP
ntpd_enable="YES"
ntpd_config="/etc/ntp.conf"
# edit /etc/ntp.conf
server 0.pool.ntp.org prefer
server 1.pool.ntp.org
server 2.pool.ntp.org
server 3.pool.ntp.org
driftfile /var/db/ntp.drift
# /etc/rc.d/ntpd start
Starting ntpd.
# edit /etc/rc.conf
# Samba4
samba4_enable="YES"
samba4_config="/usr/local/etc/smb4.conf"
winbindd_enable="YES"
# testparm /usr/local/etc/smb4.conf
Load smb config files from /usr/local/etc/smb4.conf
max_open_files: increasing sysctl_max (11095) to minimum Windows limit (16384)
rlimit_max: increasing rlimit_max (11095) to minimum Windows limit (16384)
Processing section "[netlogon]"
Processing section "[sysvol]"
Loaded services file OK.
Server role: ROLE_ACTIVE_DIRECTORY_DC
Press enter to see a dump of your service definitions
[global]
workgroup =EXAMPLE
realm = example.com
server role = active directory domain controller
passdb backend = samba_dsdb
dns forwarder = 192.168.1.1
rpc_server:tcpip = no
rpc_daemon:spoolssd = embedded
rpc_server:spoolss = embedded
rpc_server:winreg = embedded
rpc_server:ntsvcs = embedded
rpc_server:eventlog = embedded
rpc_server:srvsvc = embedded
rpc_server:svcctl = embedded
rpc_server:default = external
idmap config * : backend = tdb
create mask = 0777
directory mask = 0777
map archive = No
map readonly = no
store dos attributes = Yes
vfs objects = dfs_samba4, acl_xattr
[netlogon]
path = /var/db/samba4/sysvol/example.com/scripts
read only = No
[sysvol]
path = /var/db/samba4/sysvol
read only = No
To fix the error
max_open_files: increasing sysctl_max (11095) to minimum Windows limit (16384)
rlimit_max: increasing rlimit_max (11095) to minimum Windows limit (16384)
# edit /boot/loader.conf
# Samba
kern.maxfiles="20480"
THIS STEP IS EXTREMELY IMPORTANT: IF IT IS NOT RUN, WE WILL NOT BE ABLE TO JOIN THE DOMAIN FROM THE CLIENTS!
# /usr/local/sbin/samba4 -i -M single -d 4 &
# killall samba4
# /usr/local/etc/rc.d/samba4 start
# kinit administrator@EXAMPLE.COM
administrator@example.com's Password: miclave123
# klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: administrator@EXAMPLE.COM
Issued Expires Principal
Feb 24 02:13:50 Feb 24 12:13:50 krbtgt/EXAMPLE.COM@EXAMPLE.COM
# net rpc join -S samdom -Uadministrator
Enter administrator's password: miclave123
Joined domain EXAMPLE.
# smbclient -L localhost -U%
Domain=[EXAMPLE] OS=[Unix] Server=[Samba 4.0.3]
Sharename Type Comment
--------- ---- -------
netlogon Disk
sysvol Disk
IPC$ IPC IPC Service (Samba 4.0.3)
Domain=[EXAMPLE] OS=[Unix] Server=[Samba 4.0.3]
Server Comment
--------- -------
Workgroup Master
--------- -------
# /usr/local/bin/smbclient //localhost/netlogon -UAdministrator'' -c 'ls'
Enter Administrator's password: miclave123
Domain=[EXAMPLE] OS=[Unix] Server=[Samba 4.0.3]
. D 0 Sun Feb 24 02:01:16 2013
.. D 0 Sun Feb 24 02:01:23 2013
63332 blocks of size 65536. 54255 blocks available
# samba-tool dns query 127.0.0.1 example.com @ ALL
Password for [administrator@EXAMPLE.COM]:
Name=, Records=4, Children=0
SOA: serial=1, refresh=900, retry=600, expire=86400, ns=samdom.example.com., email=hostmaster.example.com. (flags=600000f0, serial=1, ttl=3600)
NS: samdom.example.com. (flags=600000f0, serial=1, ttl=900)
A: 192.168.1.1 (flags=600000f0, serial=1, ttl=900)
A: 192.168.2.101 (flags=600000f0, serial=110, ttl=900)
Name=_msdcs, Records=0, Children=0
Name=_sites, Records=0, Children=1
Name=_tcp, Records=0, Children=4
Name=_udp, Records=0, Children=2
Name=DomainDnsZones, Records=0, Children=2
Name=ForestDnsZones, Records=0, Children=2
Name=samdom, Records=2, Children=0
A: 192.168.1.1 (flags=f0, serial=1, ttl=900)
A: 192.168.2.101 (flags=f0, serial=110, ttl=900)
# wbinfo -u
Administrator
Guest
krbtgt
# wbinfo -g
Enterprise Read-Only Domain Controllers
Domain Admins
Domain Users
Domain Guests
Domain Computers
Domain Controllers
Schema Admins
Enterprise Admins
Group Policy Creator Owners
Read-Only Domain Controllers
DnsUpdateProxy
TEST DNS
# host -t SRV _ldap._tcp.example.com
_ldap._tcp.example.com has SRV record 0 100 389 samdom.example.com.
# host -t A ldap.example.com
ldap.example.com has address 192.168.1.1
# host -t SRV _kerberos._tcp.example.com
_kerberos._tcp.example.com has SRV record 1 0 88 kerberos.example.com.
# host -t SRV _kerberos._udp.example.com
_kerberos._udp.example.com has SRV record 1 0 88 kerberos.example.com.
# host -t SRV _kpasswd._udp.example.com
_kpasswd._udp.example.com has SRV record 1 0 464 kerberos.example.com.
# host -t SRV _kerberos-adm._tcp.example.com
_kerberos-adm._tcp.example.com has SRV record 1 0 749 kerberos.example.com.
Warning!
If the lines for _kerberos and _ldap are disabled, these queries are not resolved.
# host -t A samdom.example.com
samdom.example.com has address 192.168.1.1
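The host -t SRV checks above are the ones a Windows or Kerberos client runs before it can find the domain controller, so it is worth scripting them. The following Python script is an added example, not part of the original post: it parses host(1) output of the shape shown above and reports any record an AD client depends on that is missing, advertises the wrong port, or points at a host outside the domain (a SRV target outside the domain would send clients to a KDC or LDAP server the domain does not control). It goes one step beyond the post's list by also checking _ldap._tcp.dc._msdcs, the name Windows clients query to locate a domain controller. The sample output is constructed from the answers above plus one NXDOMAIN line; the function and regex names are mine.

```python
import re

# host(1) prints one of these two shapes per SRV query.
SRV_LINE = re.compile(
    r"^(?P<name>\S+) has SRV record (?P<prio>\d+) (?P<weight>\d+) (?P<port>\d+) (?P<target>\S+)$")
NOT_FOUND = re.compile(r"^Host (?P<name>\S+) not found")

# Service name -> port it must advertise. The first five are the records the
# post tests; _ldap._tcp.dc._msdcs is the name Windows clients use to locate
# a domain controller, added here as a check the post does not run.
EXPECTED_PORTS = {
    "_ldap._tcp": 389,
    "_kerberos._tcp": 88,
    "_kerberos._udp": 88,
    "_kpasswd._udp": 464,
    "_kerberos-adm._tcp": 749,
    "_ldap._tcp.dc._msdcs": 389,
}


def parse_host_output(lines):
    """Map each queried name to its list of (priority, weight, port, target).
    A name answered with NXDOMAIN maps to an empty list."""
    records = {}
    for line in lines:
        line = line.strip()
        m = SRV_LINE.match(line)
        if m:
            records.setdefault(m["name"], []).append(
                (int(m["prio"]), int(m["weight"]), int(m["port"]), m["target"]))
            continue
        m = NOT_FOUND.match(line)
        if m:
            records.setdefault(m["name"], [])
    return records


def check_ad_srv(lines, domain):
    """Return the problems found in host -t SRV output for an AD domain."""
    records = parse_host_output(lines)
    suffix = "." + domain.lower() + "."
    problems = []
    for service, port in EXPECTED_PORTS.items():
        fqdn = f"{service}.{domain}"
        rrs = records.get(fqdn)
        if not rrs:  # never queried, or answered with NXDOMAIN
            problems.append(f"{fqdn}: no SRV record")
            continue
        for _prio, _weight, rr_port, target in rrs:
            if rr_port != port:
                problems.append(f"{fqdn}: advertises port {rr_port}, expected {port}")
            # A target outside the domain would steer clients to a KDC/LDAP
            # server the domain does not control.
            if not target.lower().endswith(suffix):
                problems.append(f"{fqdn}: target {target} is outside {domain}")
    return problems


# Constructed sample: the post's five answers plus one NXDOMAIN answer for the
# _msdcs name.
SAMPLE_OUTPUT = [
    "_ldap._tcp.example.com has SRV record 0 100 389 samdom.example.com.",
    "_kerberos._tcp.example.com has SRV record 1 0 88 kerberos.example.com.",
    "_kerberos._udp.example.com has SRV record 1 0 88 kerberos.example.com.",
    "_kpasswd._udp.example.com has SRV record 1 0 464 kerberos.example.com.",
    "_kerberos-adm._tcp.example.com has SRV record 1 0 749 kerberos.example.com.",
    "Host _ldap._tcp.dc._msdcs.example.com not found: 3(NXDOMAIN)",
]

if __name__ == "__main__":
    for problem in check_ad_srv(SAMPLE_OUTPUT, "example.com") or ["all AD SRV records OK"]:
        print(problem)
```

On a live system the input would be the combined output of one host -t SRV query per name in EXPECTED_PORTS; on the sample above the only finding is the missing _msdcs record.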
Create a user
# samba-tool user add miguel
New Password: miclave123
Retype Password: miclave123
User 'miguel' created successfully
Verify the created user
# wbinfo --name-to-sid miguel
S-1-5-21-1013221894-234835428-3392388920-1103 SID_USER (1)
# reboot
Share printers
# edit /usr/local/etc/smb4.conf
[printers]
comment = All Printers
path = /var/spool/samba
browseable = No
guest ok = Yes
printable = Yes
use client driver = Yes
default devmode = Yes
;show add printer wizard = no # to hide the Add Printer wizard
So that Windows clients can query the print server for drivers, we need to create the directory.
# mkdir -p /var/db/samba4/printer-drivers/{COLOR,IA64,W32ALPHA,W32MIPS,W32PPC,W32X86,WIN40,x64}
# edit /usr/local/etc/smb4.conf
[print$]
comment = Printer Drivers
path = /var/db/samba4/printer-drivers
browseable = yes
guest ok = no
read only = yes
write list = root
Share folders and block some dangerous extensions
# mkdir /home/tmp
# edit /usr/local/etc/smb4.conf
[tmp]
comment = Temporary file space
path = /home/tmp
valid users = %U
public = no
writable = no
browseable = yes
printable = no
# The following lines cause problems if I use ACLs, leave them disabled!
# create mask = 0777
# directory mask = 0777
# force create mode = 0777
# force directory mode = 0777
# force user = nobody
# force group = nobody
write list = %U
# Block some files by extension
veto files = /*.reg/*.com/*.scr/*.cmd/*.exe/*.pif/*.bat/*.{*}/
delete veto files = yes
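To see exactly what the veto files line above hides from clients, here is an added Python example (not part of the original post or of Samba) that parses the '/'-delimited pattern list and applies it the way Samba does, to every component of a path, so that a vetoed directory name hides its whole subtree. Matching is approximated with fnmatch, which is assumed to be equivalent for the '*'-style patterns used here, and the default case sensitive = no is assumed. The directory listing is constructed; the last entry uses a CLSID-style suffix with a placeholder GUID, the trick the *.{*} pattern exists to stop.

```python
import fnmatch

# The veto line from the [tmp] share above.
VETO_LINE = "veto files = /*.reg/*.com/*.scr/*.cmd/*.exe/*.pif/*.bat/*.{*}/"


def parse_veto(line):
    """Split a smb.conf 'veto files' value into its patterns.
    Samba delimits entries with '/', so '/a/b/' yields ['a', 'b']."""
    value = line.split("=", 1)[1].strip()
    return [p for p in value.split("/") if p]


def is_vetoed(path, patterns, case_sensitive=False):
    """True if any component of path matches a veto pattern.
    Samba tests every path component, so a vetoed directory name hides
    everything below it. fnmatch stands in for Samba's own matcher here
    (assumption); with 'case sensitive = no' the comparison is case-insensitive."""
    for component in path.split("/"):
        name = component if case_sensitive else component.lower()
        for pattern in patterns:
            if fnmatch.fnmatchcase(name, pattern if case_sensitive else pattern.lower()):
                return True
    return False


def visible(listing, patterns):
    """The names a client would see in a directory listing."""
    return [name for name in listing if not is_vetoed(name, patterns)]


# Constructed listing (placeholder GUID in the last entry).
SAMPLE_LISTING = [
    "report.docx",
    "setup.EXE",
    "invoice.pdf.exe",
    "notes.txt",
    "example.com.txt",
    "tools.{00000000-0000-0000-0000-000000000000}",
]

if __name__ == "__main__":
    patterns = parse_veto(VETO_LINE)
    for name in SAMPLE_LISTING:
        print(f"{name:48} {'vetoed' if is_vetoed(name, patterns) else 'visible'}")
```

Note that the patterns match the final extension only: invoice.pdf.exe is vetoed because it ends in .exe, while example.com.txt is not because it ends in .txt. The delete veto files = yes line that follows the veto list is what lets a client remove a directory that still contains vetoed files it cannot see; without it the delete fails with a "directory not empty" error.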
Remote Server Administration Tools for Windows 7 with Service Pack 1 (SP1)
http://www.microsoft.com/en-us/download/details.aspx?id=7887
1 Install Remote Server Administration Tools for Windows 7 with Service Pack 1 (SP1)
2 Start / Control Panel / Programs / Turn Windows features on or off
(a small window opens)
3 - Role Administration Tools
- AD DS and AD LDS Tools
- AD DS Tools
* Active Directory Administrative Center
* AD DS Snap-Ins and Command-Line Tools
4 OK
5 Win + R
dsa.msc
Note:
To administer the domain with the dsa.msc command, you have to be logged in as the user administrator / miclave123 in order to see the data.
Note:
Better to use # rndc-confgen > /root/dhcp_updater.key
named.conf
key "rndc-key" {
algorithm hmac-md5;
secret "+VsrLah1EEr+HKRTGRJyWA==";
};
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};
dhcpd.conf
# Take this from the /etc/namedb/rndc.conf file
key "rndc-key" {
algorithm hmac-md5;
secret "+VsrLah1EEr+HKRTGRJyWA==";
};
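In the named.conf and dhcpd.conf above, the same rndc-key, generated with hmac-md5, both authorises rndc through the controls statement and signs the DHCP server's zone updates, and the note above already suggests generating a separate key for the DHCP updater. The following Python script is an added example, not part of the original post or of BIND or ISC DHCP: it parses the key "name" { algorithm ...; secret "..."; } blocks of a named.conf and a dhcpd.conf and reports what a reviewer of that setup would check: a deprecated HMAC algorithm, the real secret size after base64 decoding, a key that both controls rndc and signs dynamic updates, a key name that carries different secrets in the two files, and a key dhcpd signs with that no zone allows updates for. The "before" configs are modelled on the post, the "after" configs use a dedicated hmac-sha256 update key; all secrets are constructed placeholders and the function names are mine.

```python
import base64
import re

# Constructed placeholder secrets (128 and 256 bits), not the post's keys.
SECRET_128 = base64.b64encode(bytes(range(16))).decode()
SECRET_256_RNDC = base64.b64encode(bytes(range(32))).decode()
SECRET_256_DHCP = base64.b64encode(bytes(range(32, 64))).decode()

KEY_BLOCK = re.compile(
    r'\bkey\s+"?([\w.-]+)"?\s*\{\s*algorithm\s+([\w-]+)\s*;\s*secret\s+"([^"]+)"\s*;\s*\}',
    re.IGNORECASE)
CONTROLS_KEYS = re.compile(r'\bcontrols\s*\{.*?\bkeys\s*\{\s*"?([\w.-]+)"?\s*;', re.DOTALL)
ALLOW_UPDATE = re.compile(r'\ballow-update\s*\{\s*key\s+"?([\w.-]+)"?\s*;')
DHCP_ZONE_KEY = re.compile(r'\bzone\s+[\w.-]+\s*\{[^}]*?\bkey\s+"?([\w.-]+)"?\s*;')

DEPRECATED_ALGORITHMS = {"hmac-md5", "hmac-sha1"}
MIN_SECRET_BITS = 128


def parse_keys(conf_text):
    """Return {name: {"algorithm", "secret", "bits"}} for every key block."""
    keys = {}
    for name, algorithm, secret in KEY_BLOCK.findall(conf_text):
        keys[name] = {"algorithm": algorithm.lower(), "secret": secret,
                      "bits": len(base64.b64decode(secret)) * 8}
    return keys


def audit(named_conf, dhcpd_conf):
    """Return a list of findings; an empty list means the key setup passed."""
    findings = []
    named_keys, dhcp_keys = parse_keys(named_conf), parse_keys(dhcpd_conf)
    for name, key in {**dhcp_keys, **named_keys}.items():
        if key["algorithm"] in DEPRECATED_ALGORITHMS:
            findings.append(f"{name}: {key['algorithm']} is deprecated, regenerate with hmac-sha256")
        if key["bits"] < MIN_SECRET_BITS:
            findings.append(f"{name}: secret is only {key['bits']} bits")
    for name in named_keys.keys() & dhcp_keys.keys():
        if named_keys[name]["secret"] != dhcp_keys[name]["secret"]:
            findings.append(f"{name}: secret differs between named.conf and dhcpd.conf")
    control_keys = set(CONTROLS_KEYS.findall(named_conf))
    update_keys = set(ALLOW_UPDATE.findall(named_conf))
    dhcp_zone_keys = set(DHCP_ZONE_KEY.findall(dhcpd_conf))
    # A key that both controls rndc and signs updates lets a compromised dhcpd
    # reconfigure named; the update key should be a dedicated one.
    for name in sorted(control_keys & (update_keys | dhcp_zone_keys)):
        findings.append(f"{name}: controls rndc and also signs dynamic updates, give dhcpd its own key")
    for name in sorted(dhcp_zone_keys - update_keys):
        findings.append(f"{name}: dhcpd signs with it but no zone in named.conf allows updates with it")
    return findings


# Constructed configs: "before" reuses rndc-key (hmac-md5) for rndc control and
# DHCP updates as the post does; "after" gives dhcpd its own hmac-sha256 key.
NAMED_BEFORE = '''
controls {
inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
};
key "rndc-key" {
algorithm hmac-md5;
secret "@RNDC@";
};
zone "example.com" {
type master;
allow-update { key "rndc-key"; };
};
'''.replace("@RNDC@", SECRET_128)

DHCPD_BEFORE = '''
key "rndc-key" {
algorithm hmac-md5;
secret "@RNDC@";
}
zone example.com. {
primary 192.168.1.1;
key rndc-key;
}
'''.replace("@RNDC@", SECRET_128)

NAMED_AFTER = '''
controls {
inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
};
key "rndc-key" {
algorithm hmac-sha256;
secret "@RNDC@";
};
key "dhcp-updater" {
algorithm hmac-sha256;
secret "@DHCP@";
};
zone "example.com" {
type master;
allow-update { key "dhcp-updater"; };
};
'''.replace("@RNDC@", SECRET_256_RNDC).replace("@DHCP@", SECRET_256_DHCP)

DHCPD_AFTER = '''
key "dhcp-updater" {
algorithm hmac-sha256;
secret "@DHCP@";
}
zone example.com. {
primary 192.168.1.1;
key dhcp-updater;
}
'''.replace("@DHCP@", SECRET_256_DHCP)

if __name__ == "__main__":
    print("before:", audit(NAMED_BEFORE, DHCPD_BEFORE))
    print("after:", audit(NAMED_AFTER, DHCPD_AFTER) or "ok")
```

Run against real files, the two arguments of audit() are simply the contents of /etc/namedb/named.conf and /usr/local/etc/dhcpd.conf. Regenerating the keys as rndc-confgen -a -A hmac-sha256 for rndc and a second key for dhcpd with a different name produces the "after" shape, which the audit passes.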
A very important note in case you want to edit the DNS files by hand, from http://forums.freebsd.org/showthread.php?t=33849
"Note about editing dynamic zones manually
If you have to edit the zone files of dynamic zones manually while the DNS server is running, you’ll have to freeze the zones with # rndc freeze <myzone> before editing and unfreeze them with # rndc thaw <myzone> after editing. This is because named(8) has internal state information and external journal files attached to dynamic zones that have to be kept in sync with the zone files."
FreeBSD 9.1 + Samba 4 (Bind99, SAMBA_INTERNAL) + Bind99 (actualizado desde el DHCP) + DHCP
Resultado:
Funciona!
Manuales consultados:
http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
http://www.whitneytechnologies.com/?p=422
http://fraterneo.blogspot.com/2012/12/como-configurar-un-controlador-de.html
http://www.freebsd.org/doc/handbook/kerberos5.html
http://www.rjsystems.nl/en/2100-dns-discovery-kerberos.php
http://es.wikipedia.org/wiki/Kerberos
http://www.bind9.net/manuals
http://albertolarripa.com/?p=1530
http://www.semicomplete.com/articles/dynamic-dns-with-dhcp
http://forums.freebsd.org/showthread.php?t=33849
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/DNSDHCP.html
http://lani78.wordpress.com/2012/07/23/make-your-dhcp-server-dynamically-update-your-dns-records-on-ubuntu-12-04-precise-pangolin
Parametros de red:
hostname="samdom.example.com"
keymap="spanish.iso.kbd"
#ifconfig_em0="DHCP"
ifconfig_em0="inet 192.168.2.101 netmask 255.255.255.0"
defaultrouter="192.168.2.1"
ifconfig_em1="inet 192.168.1.1 netmask 255.255.255.0"
ipv6_activate_all_interfaces="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
sshd_enable="YES"
Particionado del disco SATA:
ada0 931GB GPT
ada0p1 512kB freebsd-boot
ada0p2 16GB freebsd-ufs / exrootfs
ada0p3 32GB freebsd-swap none exswap
ada0p4 64GB freebsd-ufs /var exvarfs
ada0p5 16GB freebsd-ufs /tmp extmpfs
ada0p6 803GB freebsd-ufs /usr exusrfs
Claves en el FreeBSD:
root / 123
PORTS
Descargar el arbol de ports "fetch", se descomprime "extract" (se ejecuta la primera vez)
# portsnap fetch extract
Ahora para manterner el arbol de ports actualizado, se ejecuta siempre
# portsnap fetch update
Esta ultima linea se puede agregar al cron para que diario actualice los ports, en /etc/crontab se agrega una linea como esta
00 06 * * * root /usr/sbin/portsnap fetch update >/dev/null 2>&1
ACLS
# cat /etc/fstab
# Device Mountpoint FStype Options Dump Pass#
/dev/ada0p2 / ufs rw 1 1
/dev/ada0p3 none swap sw 0 0
/dev/ada0p4 /var ufs rw 2 2
/dev/ada0p5 /tmp ufs rw 2 2
/dev/ada0p6 /usr ufs rw 2 2
# cat /etc/fstab
# Device Mountpoint FStype Options Dump Pass#
/dev/ada0p2 / ufs rw,acls 1 1
/dev/ada0p3 none swap sw 0 0
/dev/ada0p4 /var ufs rw,acls 2 2
/dev/ada0p5 /tmp ufs rw,acls 2 2
/dev/ada0p6 /usr ufs rw,acls 2 2
# reboot
Configurar las opciones de Bind99
# cd /usr/ports/dns/bind99
# make config
Options for bind99 9.9.2.1
[ ] FIXED_RRSET Enable fixed rrset ordering
[ ] IDN International Domain Names
[*] IPV6 IPv6 protocol
[ ] LARGE_FILE 64-bit file support
[*] LINKS Create conf file symlinks in /usr/local
[*] REPLACE_BASE Replace base BIND with this version <-MARCAR ESTA OPCION!
[ ] RPZRRL_PATCH RPZ improvements + RRL patch (experimental)
[ ] RPZ_NSDNAME Enable RPZ NSDNAME policy records
[ ] RPZ_NSIP Enable RPZ NSIP trigger rules
[ ] SIGCHASE dig/host/nslookup will do DNSSEC validation
[*] SSL Build with OpenSSL (Required for DNSSEC)
[*] THREADS Threading support
[*] XML Support for xml statistics output
[ ] DLZ_POSTGRESQL G(DLZ): DLZ Postgres driver
[ ] DLZ_POSTGRESQL G(DLZ): DLZ Postgres driver
[ ] DLZ_MYSQL G(DLZ): DLZ MySQL driver (no threading)
[ ] DLZ_BDB G(DLZ): DLZ BDB driver
[ ] DLZ_LDAP G(DLZ): DLZ LDAP driver
[ ] DLZ_FILESYSTEM G(DLZ): DLZ filesystem driver
[ ] DLZ_STUB G(DLZ): DLZ stub driver
< OK >
Instalar Samba4
# cd /usr/ports/net/samba4
# make config
Options for samba4 4.0.3
[*] ACL_SUPPORT File system ACL support
[*] ADS Active Directory support
[*] AIO_SUPPORT Asyncronous IO support
[ ] AVAHI Zeroconf via Avahi <- DESACTIVAR ESTA OPCION!
[*] CUPS CUPS printing system
[*] DEBUG With debug information in the binaries
[ ] DEVELOPER With development support
[*] DNSUPDATE Dynamic DNS update(require ADS)
[ ] EXP_MODULES Experimental modules
[*] FAM_SUPPORT File Alteration Monitor support
[*] LDAP LDAP support
[ ] MANPAGES Build and/or install manual pages
[*] PAM_SMBPASS PAM authentication via passdb backends
[*] PTHREADPOOL Pthread pool
[*] QUOTAS Disk quota support
[*] SWAT SWAT WebGUI
[*] SYSLOG Syslog support
[*] UTMP UTMP accounting support
[*] WINBIND WinBIND support
[ ] NSUPDATE S(DNS): Use internal DNS with NSUPDATE utility <- DESACTIVAR ESTA OPCION!
[ ] BIND98 S(DNS): Use bind98 as a DNS server frontend
[*] BIND99 S(DNS): Use bind99 as a DNS server frontend <- MARCAR ESTA OPCION!
< OK >
# make config-recursive
(todos los otros ports los dejo por defecto)
# make install clean
Nota:
El port de Samba4 con la opcion [*] BIND99 instalara bind99, por eso
primero configuramos las opciones
de bind99 [*] REPLACE_BASE
# rndc-confgen -a -c /etc/namedb/rndc.conf -k rndc-key -b 256
wrote key file "/etc/namedb/rndc.conf"
# cat /etc/namedb/rndc.conf
key "rndc-key" {
algorithm hmac-md5;
secret "zvuOE1XeVBUXZa12LTUDEAgZaH3cVFZp+GiObzuAB5c=";
};
# edit /etc/namedb/named.conf
options {
// All file and path names are relative to the chroot directory,
// if any, and should be fully qualified.
directory "/etc/namedb/working";
pid-file "/var/run/named/pid";
dump-file "/var/dump/named_dump.db";
statistics-file "/var/stats/named.stats";
...
listen-on { 127.0.0.1; 192.168.1.1; };
...
forwarders {
8.8.8.8;
8.8.4.4;
};
...
//zone "example.com" { type master; file "/etc/namedb/master/empty.db"; }; <- COMENTAR ESTA LINEA!
...
controls {
inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
};
// Take this from the /etc/namedb/rndc.conf file
key "rndc-key" {
algorithm hmac-md5;
secret "zvuOE1XeVBUXZa12LTUDEAgZaH3cVFZp+GiObzuAB5c=";
};
zone "example.com" {
type master;
allow-update { key "rndc-key"; };
allow-transfer { localhost; 192.168.1.1; };
file "/etc/namedb/dynamic/example.com";
};
zone "1.168.192.in-addr.arpa" {
type master;
allow-update { key "rndc-key"; };
allow-transfer { localhost; 192.168.1.1; };
file "/etc/namedb/dynamic/1.168.192.in-addr.arpa";
};
# edit /etc/namedb/dynamic/example.com
$TTL 3600 ; 1 hour default TTL
example.com. IN SOA samdom.example.com. admin.example.com. (
2013021701 ; Serial
10800 ; Refresh (3 hours)
3600 ; Retry (1 hour)
604800 ; Expire (1 week)
300 ; Negative Response TTL (5 minutes)
)
; DNS Servers
IN NS samdom.example.com.
; MX Records
;IN MX 10 mx.example.com.
;IN MX 20 mail.example.com.
IN A 192.168.1.1
; Machine Names
localhost IN A 127.0.0.1
samdom IN A 192.168.1.1
kerberos IN A 192.168.1.1
ldap IN A 192.168.1.1
; Aliases
;
;_kerberos._udp IN SRV 01 00 88 kerberos.example.com.
;_kerberos._tcp IN SRV 01 00 88 kerberos.example.com.
;_kpasswd._udp IN SRV 01 00 464 kerberos.example.com.
;_kerberos-adm._tcp IN SRV 01 00 749 kerberos.example.com.
;_kerberos IN TXT EXAMPLE.COM
;
;_ldap._tcp IN SRV 01 00 389 ldap.example.com.
;_ldap._udp IN SRV 01 00 88 ldap.example.com.
¡Atencion!
Aunque las entradas son correctas para _kerberos y _ldap, como Samba usa sus propios pero consulta a Bind, si las dejo activas causan problemas.
# edit /etc/namedb/dynamic/1.168.192.in-addr.arpa
$TTL 3600 ; 1 hour default TTL
1.168.192.in-addr.arpa. IN SOA samdom.example.com. admin.example.com. (
2013021701 ; Serial
10800 ; Refresh (3 hours)
3600 ; Retry (1 hour)
604800 ; Expire (1 week)
300 ; Negative Response TTL (5 minutes)
)
; DNS Servers
IN NS samdom.example.com.
; Machine IPs
1 IN PTR samdom.example.com.
1 IN PTR kerberos.example.com.
# edit /etc/rc.conf
# Bind
named_enable="YES"
named_chrootdir=""
# /etc/rc.d/named start
# edit /etc/resolv.conf
search example.com
domain EXAMPLE.COM
nameserver 127.0.0.1
#nameserver 8.8.8.8
#nameserver 8.8.4.4
# nslookup samdom
Server: 127.0.0.1
Address: 127.0.0.1#53
Name: samdom.example.com
Address: 192.168.1.1
# nslookup kerberos
Server: 127.0.0.1
Address: 127.0.0.1#53
Name: kerberos.example.com
Address: 192.168.1.1
Instalar isc-dhcp42-server
# cd /usr/ports/net/isc-dhcp42-server
# make config
Options for isc-dhcp42-server 4.2.4_2
[ ] BIND_SYMBOLS Enable BIND internal symbol table
[*] IPV6 IPv6 protocol
[ ] LDAP LDAP support
[*] LDAP_SSL Support LDAP over SSL/TLS
[ ] PARANOIA Enable support for chroot
< OK >
# make config-recursive
# make install clean
# rm /usr/local/etc/dhcpd.conf
# edit /usr/local/etc/dhcpd.conf
# dhcpd.conf
#
# Sample configuration file for ISC dhcpd PRIMARY
#
option domain-name "example.com";
option domain-name-servers 192.168.1.1;
default-lease-time 600;
max-lease-time 7200;
# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;
# ad-hoc DNS update scheme - set to "none" to disable dynamic DNS updates.
ddns-updates on;
ddns-update-style interim;
ddns-domainname "example.com";
allow client-updates;
# Take this from the /etc/namedb/rndc.conf file
key "rndc-key" {
algorithm hmac-md5;
secret "zvuOE1XeVBUXZa12LTUDEAgZaH3cVFZp+GiObzuAB5c=";
}
zone example.com. {
primary 192.168.1.1;
key rndc-key;
}
zone 1.168.192.in-addr.arpa. {
primary 192.168.1.1;
key rndc-key;
}
# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;
option netbios-name-servers 192.168.1.1;
option netbios-node-type 8;
option time-offset -18000; # Bogota GMT -5.0 Hours => -5x60x60 = -18000 Seconds
option ntp-servers 192.168.1.1;
option time-servers 192.168.1.1;
# Dinamics
subnet 192.168.1.0 netmask 255.255.255.0 {
range 192.168.1.10 192.168.1.110;
option routers 192.168.1.1;
option broadcast-address 192.168.1.255;
}
# ifconfig em1 inet 192.168.1.1 netmask 255.255.255.0 up
# edit /etc/rc.conf
ifconfig_em1=" inet 192.168.1.1 netmask 255.255.255.0"
# DHCP Server
dhcpd_enable="YES"
dhcpd_flags="-q"
dhcpd_conf="/usr/local/etc/dhcpd.conf"
dhcpd_ifaces="em1"
dhcpd_withumask="022"
# /usr/local/etc/rc.d/isc-dhcpd start
Instalar cups-base
# cd /usr/ports/print/cups-base
# make config
Dejo todo por defecto
# make config-recursive
Dejo todo por defecto
# make install clean
# edit /etc/rc.conf
# CUPS
cupsd_enable="YES"
# /usr/local/etc/rc.d/cupsd start
Edit the file and add the "options" section.
# edit /etc/namedb/rndc.conf
key "rndc-key" {
algorithm hmac-md5;
secret "zvuOE1XeVBUXZa12LTUDEAgZaH3cVFZp+GiObzuAB5c=";
};
options {
default-server 127.0.0.1;
default-key rndc-key;
};
# rndc status
version: 9.9.2-P1
CPUs found: 2
worker threads: 2
UDP listeners per interface: 2
number of zones: 99
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
# /usr/local/bin/samba-tool domain provision
Realm [EXAMPLE.COM]: EXAMPLE.COM
Domain [EXAMPLE]: EXAMPLE
Server Role (dc, member, standalone) [dc]: dc
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: SAMBA_INTERNAL
DNS forwarder IP address (write 'none' to disable forwarding) [127.0.0.1]: 192.168.1.1
Administrator password:
Retype password:
Looking up IPv4 addresses
More than one IPv4 address found. Using 192.168.1.1
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=example,DC=com
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=example,DC=com
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /var/db/samba4/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role: active directory domain controller
Hostname: samdom
NetBIOS Domain: EXAMPLE
DNS Domain: example.com
DOMAIN SID: S-1-5-21-3981277467-4260322419-4091201666
# cp /var/db/samba4/private/krb5.conf /etc/
# cat /etc/krb5.conf
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true
# edit /etc/rc.conf
# NTP
ntpd_enable="YES"
ntpd_config="/etc/ntp.conf"
# edit /etc/ntp.conf
server 0.pool.ntp.org prefer
server 1.pool.ntp.org
server 2.pool.ntp.org
server 3.pool.ntp.org
driftfile /var/db/ntp.drift
# /etc/rc.d/ntpd start
Starting ntpd.
# edit /etc/rc.conf
# Samba4
samba4_enable="YES"
samba4_config="/usr/local/etc/smb4.conf"
winbindd_enable="YES"
# testparm /usr/local/etc/smb4.conf
Load smb config files from /usr/local/etc/smb4.conf
max_open_files: increasing sysctl_max (11095) to minimum Windows limit (16384)
rlimit_max: increasing rlimit_max (11095) to minimum Windows limit (16384)
Processing section "[netlogon]"
Processing section "[sysvol]"
Loaded services file OK.
Server role: ROLE_ACTIVE_DIRECTORY_DC
Press enter to see a dump of your service definitions
[global]
workgroup =EXAMPLE
realm = example.com
server role = active directory domain controller
passdb backend = samba_dsdb
dns forwarder = 192.168.1.1
rpc_server:tcpip = no
rpc_daemon:spoolssd = embedded
rpc_server:spoolss = embedded
rpc_server:winreg = embedded
rpc_server:ntsvcs = embedded
rpc_server:eventlog = embedded
rpc_server:srvsvc = embedded
rpc_server:svcctl = embedded
rpc_server:default = external
idmap config * : backend = tdb
create mask = 0777
directory mask = 0777
map archive = No
map readonly = no
store dos attributes = Yes
vfs objects = dfs_samba4, acl_xattr
[netlogon]
path = /var/db/samba4/sysvol/example.com/scripts
read only = No
[sysvol]
path = /var/db/samba4/sysvol
read only = No
To fix the error
max_open_files: increasing sysctl_max (11095) to minimum Windows limit (16384)
rlimit_max: increasing rlimit_max (11095) to minimum Windows limit (16384)
# edit /boot/loader.conf
# Samba
kern.maxfiles="20480"
THIS STEP IS VERY IMPORTANT: IF IT IS NOT RUN, CLIENTS WILL NOT BE ABLE TO JOIN THE DOMAIN!
# /usr/local/sbin/samba4 -i -M single -d 4 &
# killall samba4
# /usr/local/etc/rc.d/samba4 start
# kinit administrator@EXAMPLE.COM
administrator@example.com's Password: miclave123
# klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: administrator@EXAMPLE.COM
Issued Expires Principal
Feb 24 02:13:50 Feb 24 12:13:50 krbtgt/EXAMPLE.COM@EXAMPLE.COM
# net rpc join -S samdom -Uadministrator
Enter administrator's password: miclave123
Joined domain EXAMPLE.
# smbclient -L localhost -U%
Domain=[EXAMPLE] OS=[Unix] Server=[Samba 4.0.3]
Sharename Type Comment
--------- ---- -------
netlogon Disk
sysvol Disk
IPC$ IPC IPC Service (Samba 4.0.3)
Domain=[EXAMPLE] OS=[Unix] Server=[Samba 4.0.3]
Server Comment
--------- -------
Workgroup Master
--------- -------
# /usr/local/bin/smbclient //localhost/netlogon -UAdministrator'' -c 'ls'
Enter Administrator's password: miclave123
Domain=[EXAMPLE] OS=[Unix] Server=[Samba 4.0.3]
. D 0 Sun Feb 24 02:01:16 2013
.. D 0 Sun Feb 24 02:01:23 2013
63332 blocks of size 65536. 54255 blocks available
# samba-tool dns query 127.0.0.1 example.com @ ALL
Password for [administrator@EXAMPLE.COM]:
Name=, Records=4, Children=0
SOA: serial=1, refresh=900, retry=600, expire=86400, ns=samdom.example.com., email=hostmaster.example.com. (flags=600000f0, serial=1, ttl=3600)
NS: samdom.example.com. (flags=600000f0, serial=1, ttl=900)
A: 192.168.1.1 (flags=600000f0, serial=1, ttl=900)
A: 192.168.2.101 (flags=600000f0, serial=110, ttl=900)
Name=_msdcs, Records=0, Children=0
Name=_sites, Records=0, Children=1
Name=_tcp, Records=0, Children=4
Name=_udp, Records=0, Children=2
Name=DomainDnsZones, Records=0, Children=2
Name=ForestDnsZones, Records=0, Children=2
Name=samdom, Records=2, Children=0
A: 192.168.1.1 (flags=f0, serial=1, ttl=900)
A: 192.168.2.101 (flags=f0, serial=110, ttl=900)
# wbinfo -u
Administrator
Guest
krbtgt
# wbinfo -g
Enterprise Read-Only Domain Controllers
Domain Admins
Domain Users
Domain Guests
Domain Computers
Domain Controllers
Schema Admins
Enterprise Admins
Group Policy Creator Owners
Read-Only Domain Controllers
DnsUpdateProxy
TEST DNS
# host -t SRV _ldap._tcp.example.com
_ldap._tcp.example.com has SRV record 0 100 389 samdom.example.com.
# host -t SRV _ldap._tcp.example.com
_ldap._tcp.example.com has SRV record 0 100 389 samdom.example.com.
# host -t A ldap.example.com
ldap.example.com has address 192.168.1.1
# host -t SRV _kerberos._tcp.example.com
_kerberos._tcp.example.com has SRV record 1 0 88 kerberos.example.com.
# host -t SRV _kerberos._udp.example.com
_kerberos._udp.example.com has SRV record 1 0 88 kerberos.example.com.
# host -t SRV _kpasswd._udp.example.com
_kpasswd._udp.example.com has SRV record 1 0 464 kerberos.example.com.
# host -t SRV _kerberos-adm._tcp.example.com
_kerberos-adm._tcp.example.com has SRV record 1 0 749 kerberos.example.com.
Warning!
If the lines referring to _kerberos and _ldap are disabled, these queries do not resolve.
# host -t A samdom.example.com
samdom.example.com has address 192.168.1.1
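The host(1) queries above are the right checks; the script below is an added example (not part of this post) that turns them into a repeatable test. It parses captured host -t SRV answers, verifies that each service advertises its standard port (LDAP 389, Kerberos 88, kpasswd 464, kadmin 749, Global Catalog 3268), checks that every SRV target is one of the hostnames you pass in as legitimately belonging to the DC, and flags NXDOMAIN or empty answers. The first fixture is the set of answers shown above; the second is constructed to show the three failure modes. The trusted-name list (here samdom.example.com. and kerberos.example.com.) is an assumption you adjust to your zone; live_srv_check wraps the same parser around real queries and needs network access.

```shell
#!/bin/sh
# Added example (not from the original post): validate the AD SRV records a
# Windows client relies on to locate the domain controller.

# Check host(1) SRV answers stored in file $1. $2 is a space-separated list
# of hostnames (trailing dot included) that legitimately point at the DC.
# Prints one line per problem and returns the number of problems (0 = ok).
check_srv_answers() {
    awk -v allowed="$2" '
        BEGIN {
            n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1
            bad = 0
            # Standard ports an AD DC publishes for each _service label.
            port["_ldap"] = 389; port["_kerberos"] = 88; port["_kpasswd"] = 464
            port["_kerberos-adm"] = 749; port["_gc"] = 3268
        }
        /not found|has no SRV record/ { print "WARN: missing: " $0; bad++; next }
        /has SRV record/ {
            # <name> has SRV record <prio> <weight> <port> <target>
            split($1, label, "."); svc = label[1]
            if (!(svc in port)) next
            if ($7 != port[svc]) {
                print "WARN: " $1 " advertises port " $7 ", expected " port[svc]; bad++
            }
            if (!($8 in ok)) {
                print "WARN: " $1 " points at " $8 ", not a known DC name"; bad++
            }
        }
        END { exit bad }
    ' "$1"
}

# Query a live domain ($1) for the records clients look up; $2 as above.
# Needs network access, so it is not run in the demo below.
live_srv_check() {
    tmp=$(mktemp)
    for rec in _ldap._tcp _kerberos._tcp _kerberos._udp _kpasswd._udp _kpasswd._tcp \
               _ldap._tcp.dc._msdcs _kerberos._tcp.dc._msdcs _gc._tcp; do
        host -t SRV "$rec.$1" >> "$tmp" 2>&1
    done
    check_srv_answers "$tmp" "$2"
}

# Fixture 1: the answers captured above in the post.
sample_answers_ok() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
_ldap._tcp.example.com has SRV record 0 100 389 samdom.example.com.
_kerberos._tcp.example.com has SRV record 1 0 88 kerberos.example.com.
_kerberos._udp.example.com has SRV record 1 0 88 kerberos.example.com.
_kpasswd._udp.example.com has SRV record 1 0 464 kerberos.example.com.
_kerberos-adm._tcp.example.com has SRV record 1 0 749 kerberos.example.com.
EOF
    echo "$f"
}

# Fixture 2: constructed answers with a wrong port, a target that is not the
# DC, and a missing record.
sample_answers_bad() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
_ldap._tcp.example.com has SRV record 0 100 3389 samdom.example.com.
_kerberos._tcp.example.com has SRV record 1 0 88 otherhost.example.com.
Host _kpasswd._udp.example.com not found: 3(NXDOMAIN)
EOF
    echo "$f"
}

dc_names="samdom.example.com. kerberos.example.com."
check_srv_answers "$(sample_answers_ok)" "$dc_names" && echo "captured answers: ok"
check_srv_answers "$(sample_answers_bad)" "$dc_names" || echo "constructed answers: $? problem(s)"
```

Run it against the real zone with live_srv_check example.com "samdom.example.com." (add any alias such as kerberos.example.com. that you deliberately point at the DC); a target outside that list is worth a look, because clients will send Kerberos and LDAP traffic to whatever host the SRV record names.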
Create a user
# samba-tool user add miguel
New Password: miclave123
Retype Password: miclave123
User 'miguel' created successfully
Verify the created user
# wbinfo --name-to-sid miguel
S-1-5-21-1013221894-234835428-3392388920-1103 SID_USER (1)
# reboot
Share printers
# edit /usr/local/etc/smb4.conf
[printers]
comment = All Printers
path = /var/spool/samba
browseable = No
guest ok = Yes
printable = Yes
use client driver = Yes
default devmode = Yes
;show add printer wizard = no # so the Add Printer wizard is not shown
So that Windows clients can query the print server for drivers, we must create the driver directory.
# mkdir -p /var/db/samba4/printer-drivers/{COLOR,IA64,W32ALPHA,W32MIPS,W32PPC,W32X86,WIN40,x64}
# edit /usr/local/etc/smb4.conf
[print$]
comment = Printer Drivers
path = /var/db/samba4/printer-drivers
browseable = yes
guest ok = no
read only = yes
write list = root
Share folders and block some dangerous extensions
# mkdir /home/tmp
# edit /usr/local/etc/smb4.conf
[tmp]
comment = Temporary file space
path = /home/tmp
valid users = %U
public = no
writable = no
browseable = yes
printable = no
# The following lines cause problems if I use ACLs; leave them disabled!
# create mask = 0777
# directory mask = 0777
# force create mode = 0777
# force directory mode = 0777
# force user = nobody
# force group = nobody
write list = %U
# Block some files by extension
veto files = /*.reg/*.com/*.scr/*.cmd/*.exe/*.pif/*.bat/*.{*}/
delete veto files = yes
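The shares defined above mix guest access, write lists and a veto list, and the [global] section from the testparm dump earlier carries create mask = 0777 and directory mask = 0777 (the same lines that had to be commented out on the tmp share). The script below is an added example, not from this post: a POSIX sh/awk audit of smb4.conf that flags 0777 masks in any section, guest-accessible file shares, shares anonymous clients can write to, and writable shares with no veto files list. The sample smb4.conf it writes is constructed from the sections on this page plus a deliberately open [public] share so every rule has something to report.

```shell
#!/bin/sh
# Added example (not from the original post): audit share definitions in
# smb4.conf for settings that weaken access control.

# Parse $1 (smb.conf syntax: [section], key = value, ';' or '#' comments),
# print one line per finding and return the number of findings (0 = clean).
audit_shares() {
    awk '
        function flush(   k, guest, anywrite, fullwrite) {
            if (sect == "") return
            # 0777 masks in [global] apply to every share, so check all sections.
            for (k in v)
                if (k ~ /(mask|mode)$/ && v[k] ~ /^0?777$/) {
                    print "WARN [" sect "]: " k " = " v[k] " creates world-writable files"
                    n++
                }
            if (sect == "global") return
            guest     = (v["guest ok"] == "yes" || v["public"] == "yes")
            fullwrite = (v["writable"] == "yes" || v["writeable"] == "yes" || v["read only"] == "no")
            anywrite  = (fullwrite || v["write list"] != "")
            if (guest && v["printable"] != "yes") {
                print "WARN [" sect "]: guest access on a file share"; n++
            }
            if (guest && anywrite) {
                print "WARN [" sect "]: anonymous clients can write here"; n++
            }
            if (fullwrite && v["veto files"] == "") {
                print "INFO [" sect "]: writable share has no veto files list"; n++
            }
        }
        BEGIN { n = 0 }
        /^[[:space:]]*[;#]/ || /^[[:space:]]*$/ { next }
        /^[[:space:]]*\[/ {
            flush(); split("", v)
            sect = $0; sub(/^[[:space:]]*\[/, "", sect); sub(/\].*$/, "", sect)
            next
        }
        {
            eq = index($0, "="); if (!eq) next
            key = tolower(substr($0, 1, eq - 1)); gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            val = tolower(substr($0, eq + 1));   gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            v[key] = val
        }
        END { flush(); exit n }
    ' "$1"
}

# Constructed fixture: the sections from this page plus an open [public] share.
make_sample_smb4conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
[global]
    workgroup = EXAMPLE
    realm = example.com
    server role = active directory domain controller
    create mask = 0777
    directory mask = 0777
[printers]
    comment = All Printers
    path = /var/spool/samba
    guest ok = Yes
    printable = Yes
[print$]
    comment = Printer Drivers
    path = /var/db/samba4/printer-drivers
    read only = yes
    write list = root
[tmp]
    comment = Temporary file space
    path = /home/tmp
    valid users = %U
    public = no
    writable = no
    # create mask = 0777
    write list = %U
    veto files = /*.reg/*.com/*.scr/*.cmd/*.exe/*.pif/*.bat/*.{*}/
    delete veto files = yes
[public]
    ; constructed open share so the guest rules have something to report
    path = /home/public
    guest ok = yes
    writable = yes
EOF
    echo "$f"
}

f=$(make_sample_smb4conf)
audit_shares "$f" || echo "$? finding(s) in the constructed smb4.conf"
```

Point it at the real file with audit_shares /usr/local/etc/smb4.conf; the [printers] share passes because guest access on a printable share is the normal setup, while [tmp] passes because it is read-only except for the write list and carries a veto list.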
Remote Server Administration Tools for Windows 7 with Service Pack 1 (SP1)
http://www.microsoft.com/en-us/download/details.aspx?id=7887
1 Install Remote Server Administration Tools for Windows 7 with Service Pack 1 (SP1)
2 Start / Control Panel / Programs / Turn Windows features on or off
(a small window opens)
3 - Role Administration Tools
- AD DS and AD LDS Tools
- AD DS Tools
* Active Directory Administrative Center
* AD DS Snap-ins and Command-line Tools
4 OK
5 Win + R
dsa.msc
Note:
To administer the domain with the dsa.msc command, you have to be logged in as the user administrator / miclave123 in order to see the data.
Note:
It is better to use # rndc-confgen > /root/dhcp_updater.key
named.conf
key "rndc-key" {
algorithm hmac-md5;
secret "+VsrLah1EEr+HKRTGRJyWA==";
};
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};
dhcpd.conf
# Take this from the /etc/namedb/rndc.conf file
key "rndc-key" {
algorithm hmac-md5;
secret "+VsrLah1EEr+HKRTGRJyWA==";
};
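The note above reuses the rndc control key from rndc.conf as the DHCP update key, and both copies use hmac-md5. The script below is an added example, not part of this post: it pulls every key block out of an rndc.conf and a dhcpd.conf, then reports keys that still use hmac-md5, a DHCP key whose secret is identical to an rndc control key (rndc can control named over port 953, so dhcpd should carry its own key that is only allowed to update its zones, which is what the rndc-confgen note suggests), and key files readable by other users. The sample files it writes under a temporary directory are constructed for this demo; the two hmac-sha256 secrets in the "good" set are placeholders, not real keys.

```shell
#!/bin/sh
# Added example (not from the original post): audit the TSIG keys shared
# between rndc.conf and dhcpd.conf for dynamic DNS updates.

# Print "name algorithm secret" for each `key "name" { ... };` block in $1.
tsig_keys() {
    awk '
        /^[[:space:]]*key[[:space:]]/ && index($0, "{") {
            name = $2; gsub(/["{]/, "", name)
            alg = ""; sec = ""; inkey = 1; next
        }
        inkey && /algorithm/ { alg = $2; gsub(/;/, "", alg) }
        inkey && /secret/    { sec = $2; gsub(/[";]/, "", sec) }
        inkey && /}/         { print name, alg, sec; inkey = 0 }
    ' "$1"
}

# True when the file is readable by "other" (8th column of ls -l is o+r).
world_readable() {
    [ "$(ls -l "$1" | cut -c8)" = "r" ]
}

# Audit rndc.conf ($1) against dhcpd.conf ($2): prints one line per finding
# and returns the number of findings (0 = clean).
audit_tsig() {
    rndc="$1"; dhcp="$2"; n=0
    for f in "$rndc" "$dhcp"; do
        if world_readable "$f"; then
            echo "WARN: $f is world-readable, the key secret is exposed"
            n=$((n + 1))
        fi
        # hmac-md5 is the legacy rndc-confgen default; current BIND 9 and ISC
        # dhcpd both accept hmac-sha256, which is the algorithm to prefer.
        for k in $(tsig_keys "$f" | awk '$2 == "hmac-md5" { print $1 }'); do
            echo "WARN: key $k in $f uses hmac-md5; regenerate it with hmac-sha256"
            n=$((n + 1))
        done
    done
    # The rndc key controls named itself; dhcpd should hold a separate key
    # that named only trusts for updates to the DHCP zones.
    for sec in $(tsig_keys "$dhcp" | awk '{ print $3 }'); do
        if tsig_keys "$rndc" | awk '{ print $3 }' | grep -qxF "$sec"; then
            echo "WARN: dhcpd.conf reuses an rndc control key; generate a dedicated update key"
            n=$((n + 1))
        fi
    done
    return $n
}

# Constructed fixtures: a "bad" pair in the layout shown above and a "good"
# pair with hmac-sha256 and distinct secrets (placeholder values, not real).
make_samples() {
    d=$(mktemp -d)
    mkdir "$d/bad" "$d/good"
    cat > "$d/bad/rndc.conf" <<'EOF'
key "rndc-key" {
    algorithm hmac-md5;
    secret "+VsrLah1EEr+HKRTGRJyWA==";
};
options {
    default-server 127.0.0.1;
    default-key rndc-key;
};
EOF
    cat > "$d/bad/dhcpd.conf" <<'EOF'
ddns-update-style interim;
key "rndc-key" {
    algorithm hmac-md5;
    secret "+VsrLah1EEr+HKRTGRJyWA==";
};
zone example.com. { primary 192.168.1.1; key rndc-key; }
EOF
    cat > "$d/good/rndc.conf" <<'EOF'
key "rndc-key" {
    algorithm hmac-sha256;
    secret "cGxhY2Vob2xkZXItcm5kYy1jb250cm9sLWtleS1zYW1wbGU=";
};
EOF
    cat > "$d/good/dhcpd.conf" <<'EOF'
key "dhcp-updater" {
    algorithm hmac-sha256;
    secret "cGxhY2Vob2xkZXItZGhjcC11cGRhdGVyLWtleS1zYW1wbGU=";
};
zone example.com. { primary 192.168.1.1; key dhcp-updater; }
EOF
    chmod 600 "$d/bad/rndc.conf" "$d/good/rndc.conf" "$d/good/dhcpd.conf"
    chmod 644 "$d/bad/dhcpd.conf"
    echo "$d"
}

d=$(make_samples)
audit_tsig "$d/bad/rndc.conf" "$d/bad/dhcpd.conf" || echo "bad set: $? finding(s)"
audit_tsig "$d/good/rndc.conf" "$d/good/dhcpd.conf" && echo "good set: clean"
```

On the real host run audit_tsig /etc/namedb/rndc.conf /usr/local/etc/dhcpd.conf. When you do switch dhcpd to its own key, named.conf needs a matching key block and an allow-update (or update-policy) entry for that key on the two zones dhcpd updates, otherwise the updates are refused.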
A very important note in case you want to edit the DNS files manually: http://forums.freebsd.org/showthread.php?t=33849
"Note about editing dynamic zones manually
If you have to edit the zone files of dynamic zones manually while the DNS server is running, you’ll have to freeze the zones with # rndc freeze <myzone> before editing and unfreeze them with # rndc thaw <myzone> after editing. This is because named(8) has internal state information and external journal files attached to dynamic zones that have to be kept in sync with the zone files."