Différences

Ci-dessous, les différences entre deux révisions de la page.

--- samba_ad [2024/06/03 12:21] – créée huracan
+++ samba_ad [2025/05/28 13:37] (Version actuelle) – [Obtaining the LDAPS Certificate from the Active Directory Server] huracan
@@ Ligne 1: / Ligne 1: @@
-==== How to Join Samba Server into Microsoft Windows Active Directory ====
+===== SAMBA AD =====
-The following steps need to be performed in order to join the Samba 3 server to the Microsoft Windows Active Directory.
-  - Liste numérotée Configure Kerberos.
-The most important thing in configuring Kerberos is the /etc/krb5.conf file. There should be an example one in /etc you can modify. If not, then just create one. Here is a copy:
+----
-[logging]
-    default = FILE:/var/log/krb5libs.log
-    kdc = FILE:/var/log/krb5kdc.log
-    admin_server = FILE:/var/log/kadmind.log
-[libdefaults]
-    default_realm = SAMBA-TEST.COM
-    dns_lookup_realm = false
-    dns_lookup_kdc = false
-    ticket_lifetime = 24h
-    forwardable = yes
-[realms]
+[[https://doc.ubuntu-fr.org/samba-active-directory|SAMBA AD WIKI UBUNTU]]
-    SAMBA-TEST.COM = {
-        kdc = SAMBA-TEST.SAMBA-TEST.COM:88
-        admin_server = samba-test:749
-        default_domain = samba-test.com
-}
-[domain_realm]
+[[https://samba.tranquil.it/doc/fr/|SAMBA AD TRANQUIL.IT]]
-    .samba-test = samba-test.com
-    samba-test.com = samba-test.com
-[appdefaults]
+{{ :install_samba_dc.docx |DOC ACADIACYBERSEC}}
-    pam = {
-        debug = false
+----
-        ticket_lifetime = 36000
-        renew_lifetime = 36000
+===== How to Join Samba Server into Microsoft Windows Active Directory =====
-        forwardable = true
-        krb4_convert = false
-}
+The following steps need to be performed in order to join the Samba 3 server to the Microsoft Windows Active Directory.
+  - Liste numérotée Configure Kerberos.
+The most important thing in configuring Kerberos is the /etc/krb5.conf file. There should be an example one in /etc you can modify. If not, then just create one. Here is a copy:
+  [logging]
+      default = FILE:/var/log/krb5libs.log
+      kdc = FILE:/var/log/krb5kdc.log
+      admin_server = FILE:/var/log/kadmind.log
+  [libdefaults]
+      default_realm = SAMBA-TEST.COM
+      dns_lookup_realm = false
+      dns_lookup_kdc = false
+      ticket_lifetime = 24h
+      forwardable = yes
+  [realms]
+      SAMBA-TEST.COM = {
+          kdc = SAMBA-TEST.SAMBA-TEST.COM:88
+          admin_server = samba-test:749
+          default_domain = samba-test.com
+  }
+  [domain_realm]
+      .samba-test = samba-test.com
+      samba-test.com = samba-test.com
+  [appdefaults]
+      pam = {
+          debug = false
+          ticket_lifetime = 36000
+          renew_lifetime = 36000
+          forwardable = true
+          krb4_convert = false
+  }
 It is recommended that the realm name should be in upper case but this is not a requirement.
@@ Ligne 52: / Ligne 70: @@
-# kinit username@REALM
+  #kinit username@REALM
 Username is the name of an account in your AD Domain. It should prompt you for a password. Enter the password for that user in the AD Domain.
@@ Ligne 60: / Ligne 78: @@
 If you get any error messages, make sure:
-    You have no spelling errors in the krb5.conf file.
+      * Liste à puce You have no spelling errors in the krb5.conf file.
+      * Liste à puce The times are synched on the machines.
-    The times are synched on the machines.
+      * Liste à puce The password has been changed at least once on the username you are using.
-    The password has been changed at least once on the username you are using.
 After you get a ticket from the AD DC, test it by using Kerberos authentication with the smbclient command to view the shares on the Microsoft Window 2000 AD DC:
-# smbclient -L /servername -k
+  #smbclient -L /servername -k
 This should return a list of all the shares on the DC.
@@ Ligne 78: / Ligne 94: @@
-realm = YOUR.REALM
+  realm = YOUR.REALM
-security = ads
+  security = ads
-password server = <ip address or name of DC>
+  password server = <ip address or name of DC>
 Here is a copy of my smb.conf file:
-[global]
+  [global]
-        workgroup = SAMBA-TEST0
+          workgroup = SAMBA-TEST0
-        server string = Customer-Test
+          server string = Customer-Test
-        netbios name = node2
+          netbios name = node2
-        ;       interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
+          ;       interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
-        hosts allow = 127. 192.168.224. 16.138.174.240
+          hosts allow = 127. 192.168.224. 16.138.174.240
-# logs split per machine
+  # logs split per machine
-    log file = /var/log/samba/%m.log
+      log file = /var/log/samba/%m.log
-# max 50KB per log file, then rotate
+  # max 50KB per log file, then rotate
-    max log size = 50
+      max log size = 50
-            security = ads
+              security = ads
-            passdb backend = tdbsam
+              passdb backend = tdbsam
-            realm = samba-test.com
+              realm = samba-test.com
-            password server = samba-test.samba-test.com
+              password server = samba-test.samba-test.com
-    local master = yes
+      local master = yes
-    os level = 255
+      os level = 255
-    preferred master = yes
+      preferred master = yes
-[homes]
+  [homes]
-    comment = Home Directories
+      comment = Home Directories
-    browseable = no
+      browseable = no
-    writable = yes
+      writable = yes
-    ;       valid users = %S
+      ;       valid users = %S
-    ;       valid users = MYDOMAIN\%S
+      ;       valid users = MYDOMAIN\%S
-[printers]
+  [printers]
-    comment = All Printers
+      comment = All Printers
-    path = /var/spool/samba
+      path = /var/spool/samba
-    browseable = no
+      browseable = no
-    guest ok = no
+      guest ok = no
-    writable = no
+      writable = no
-    printable = yes
+      printable = yes
 After you make the changes to smb.conf and before you start Samba, you need to join the AD domain. Before you do so there are two things that you should check:
-    If there is a file named /etc/samba/secrets.tdb either delete, move, or rename it. This file is from your previous connections to the domain. A new one will be created when you join the domain.
+      * Liste à puce If there is a file named /etc/samba/secrets.tdb either delete, move, or rename it. This file is from your previous connections to the domain. A new one will be created when you join the domain.
+      * Liste à puce If there is an existing machine account in your AD domain for your Samba server, delete it. A new one will be created when you join the AD domain.
-    If there is an existing machine account in your AD domain for your Samba server, delete it. A new one will be created when you join the AD domain.
 Here are the commands used as root to join the AD domain:
-# kinit Administrator@FAHDAZIZ.COM.PK
+  #kinit Administrator@FAHDAZIZ.COM.PK
-# net ads join -U administrator%password
+  #net ads join -U administrator%password
 The first command gets the Kerberos ticket you need to authenticate to the AD domain. You need to use the username of an account in your AD domain that has permission to join computers to the domain. The second command joins the domain.
@@ Ligne 137: / Ligne 152: @@
-# service smb start
+  #service smb start
 One advantage to using this type of authentication is that you do not need to create Samba accounts on the Linux server with the smbpasswdcommand. There is no need for the /etc/samba/smbpasswd file. Microsoft Windows users only need to be concerned with one user account.
 However, each user that accesses the Samba server will still need to have a valid Linux user account on the server that matches the account in the AD domain. The purpose of this account is to control access to the Linux file system. The password for that account does not need to match the Microsoft Windows 2000 AD domain account password. The account does not even need to have the ability to log in locally to the Linux machine. It does have to exist however, and it must have the proper permissions to the directories you are sharing with Samba for the user to access them. This has not changed from Samba 2.2.
+----
+===== How to retrieve a LDAPS certificate =====
+==== Using OpenSSL on Any Platform to Create the LDAPS Certificate from the AD Server ====
+Using OpenSSL should work with any Active Directory Server platform. (Windows, Linux etc.). The example below, uses OpenSSL 1.1.0h 27 Mar 2018. If having difficulties using another version of OpenSSL, consult the appropriate OpenSSL documentation.
+Requirements:
+  * Openssl
+  * FQDN or IP of the Active Directory Server
+  * LDAPS certificate installed in the Active Directory Server certificate store
+Steps:
+  -1 Run the following command from your local computer:
+  openssl s_client -showcerts -connect <ip or fqdn of your active directory server>:636
+  -2 In the output, copy the certificate portion of the output to a text file
+{{ :cert.png?400 |}}
+. Save the text file as my_ldaps_cert.pem.
+The saved certificate can be installed into any software that needs to connect to your Active Directory using LDAPS.
+==== Using Openssl on a Linux Platform to obtain the LDAPS certificate from the AD server ====
+Requirements:
+  * Openssl installed on your Linux computer
+  * FQDN or IP of the Active Directory Server
+  * LDAPS certificate installed in the Active Directory Server certificate store
+Perform the following steps:
+  - 1 Enter the following command from your Linux computer:
+  openssl s_client -showcerts -connect <fqdn of your ldap server>:636 -servername < fqdn of your ldap server> </d ev/null 2>/dev/null > my_ldaps_cert.pem
+Example:
+  openssl s_client -showcerts -connect mydc.mycompany.com:636 -servername mydc.mycompany.com </d ev/null 2>/dev/null > my_ldaps_cert.pem
+  - 2 Upload my_ldaps_cert.pem to the PCoIP Management Console. See Installing an Active Directory Certificate in the PCoIP Management Console Administrators' Guide.
+The saved certificate can be installed into any software that needs to connect to your Active Directory using LDAPS.
+==== Obtaining the LDAPS Certificate from the Active Directory Server ====
+The example below has been successfully tried on both Windows 2008 R2 and Windows 2016 Active Directory servers. Consult with your Active Directory documentation for official methods on obtaining the LDAPs certificate for use in your deployment.
+Requirements:
+  * FQDN or IP of the Active Directory Server
+  * Administrator username and password of the Active Directory Server
+  * LDAPS certificate installed in the Active Directory Server certificate store
+Perform the following steps:
+ - On the Active Directory Server, login as administrator.
+   - Launch mmc.exe.
+   - From the Console, click on File > Add/Remove Snap-in
+   - In the Add or Remove Snap-ins, select Certificates, then click Add.
+   - Liste numérotéeIn the Certificates snap in dialog box, select Computer account, and click Next.
+   - In the Select Computer dialog, select Local computer: (the computer this console is running on), then click Finish.
+   - In the Add or Remove Snap-ins window, click OK.
+   - In the Console, in the left pane, browse to Certificates (Local Computer) > Personal > Certificates. Choose the correct LDAPS certificate. This is the certificate with the following information:
+      - Issued To: <the fqdn of your LDAP server>
+      - Issued By: <The Certificate Authority where your admin requested the certificate from>
+   - Right-click on the certificate and click All Tasks > Export.
+   - In the Certificate Export Wizard, do the following:
+      - Select not to export the private key
+      - Choose Base-64 encoded X.509 file format
+      - Save the certificate as my_ldaps_cert.pem.
+The saved certificate can be installed into any software that needs to connect to your Active Directory using LDAPS.

Wiki Kenny

Outils pour utilisateurs

Outils du site

Différences

Outils de la page