Active Directory Domain Controller ?? Debian Stretch ??????????? ? Microsoft

????????? ???????????
vim /etc/apt/sources.list:

# Debian 9 (stretch) main archive.  apt verifies the signed Release files, so a
# plain-http mirror does not weaken package integrity (it only exposes to the
# network which packages are fetched).
# NOTE(review): no security suite is listed here; if this line is the whole
# file, the DC will never receive security updates -- confirm the security
# source for stretch is present as well.
deb http://ftp.ua.debian.org/debian/ stretch main

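# Install Samba, BIND, ntp and the build/runtime dependencies this guide uses.
aptitude update
aptitude install bind9 ntp build-essential libacl1-dev libattr1-dev libblkid-dev libgnutls-dev libreadline-dev python-dev python-dnspython gdb pkg-config libpopt-dev libldap2-dev dnsutils libbsd-dev attr krb5-user docbook-xsl libcups2-dev acl samba vim winbind iptables-persistent
# Debian starts the classic smbd/nmbd/winbind daemons as soon as they are
# installed.  Disabling only affects the next boot: the running instances must
# be stopped too, otherwise they keep holding the SMB ports that the
# samba-ad-dc process (which spawns its own smbd/winbindd) needs.
systemctl stop nmbd smbd winbind
systemctl disable nmbd
systemctl disable smbd
systemctl disable winbind
# The package ships the AD DC unit masked; unmask it, then enable it.
systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc
# Finish any package whose configuration step was left pending.
dpkg --configure -a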

??????????? ??????? ?????????
vim /etc/network/interfaces:

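# Static address for the DC: AD clients locate the DC through DNS records
# that carry this address, so it must never come from DHCP.
auto eth0
allow-hotplug eth0
iface eth0 inet static
        address 192.168.40.2
# The original stanza had no netmask, so ifupdown had no on-link /24 for the
# LAN (and may refuse the stanza altogether).  255.255.255.0 is the
# 192.168.40.0/24 that the BIND ACLs and iptables rules later in this guide
# already assume.
        netmask 255.255.255.0
        gateway 192.168.40.1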

# Apply the new static address.  "stop" takes the configured interfaces down
# before "start" brings them back, so run this from the console (or an
# out-of-band session), not over SSH on eth0.
/etc/init.d/networking stop && /etc/init.d/networking start

??????????? /etc/fstab ????????? ????? ? ????? ???????? (https://wiki.samba.org/index.php/Samba_4/OS_Requirements#ext3.2Fext4_File_System):
user_xattr
acl
barrier=1
????????:

# Root filesystem with the options the Samba OS-requirements page (linked
# above) asks for on ext3/ext4: user_xattr and acl let the DC store its
# extended attributes and ACLs (the provision step below uses --use-xattrs=yes).
# barrier=1 is the ext4 default on current kernels, so keeping it is harmless.
/dev/sda1   /               ext4    errors=remount-ro,user_xattr,acl,barrier=1   0       1

# Reboot so the new root mount options take effect ("mount -o remount /"
# would pick them up without a reboot, if downtime matters).
shutdown -r now

??????????? ?????? ???????:
vim /etc/ntp.conf:

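# Upstream time sources (pool.ntp.org, Ukrainian zone).
server 0.ua.pool.ntp.org
server 1.ua.pool.ntp.org
server 2.ua.pool.ntp.org
server 3.ua.pool.ntp.org
# Samba signs NTP replies for Windows clients through this socket; ntpd must be
# able to reach it (see the chgrp step below).
ntpsigndsocket /var/lib/samba/ntp_signd/
# "restrict default mssntp" on its own is a restrict line with no restriction
# flags: every source may then modify, query and peer with this ntpd.  Keep
# the hardening flags from Debian's stock ntp.conf and only add mssntp.
restrict default kod nomodify notrap nopeer noquery mssntp
# Local control queries (ntpq on the DC itself) stay possible.
restrict 127.0.0.1
restrict ::1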

# ntpd runs as the "ntp" user/group on Debian; give it access to the
# directory holding Samba's signing socket.
# NOTE(review): the directory is created by Samba, not by the package -- if it
# does not exist yet at this point (provisioning happens further down), this
# chgrp fails and has to be repeated after "samba-tool domain provision".
chgrp ntp /var/lib/samba/ntp_signd/
/etc/init.d/ntp restart

??????????? DNS ??????
vim /etc/default/bind9:

# Run named as the unprivileged "bind" user; -4 restricts it to IPv4 (the
# options file below also disables the IPv6 listener).
OPTIONS="-u bind -4"

vim /etc/bind/named.conf:

// The stock default zones (localhost, 127.in-addr.arpa, root hints) are
// disabled; BIND falls back to its compiled-in root hints, so recursion
// for the LAN keeps working.
//include "/etc/bind/named.conf.default-zones";
// Zone and update configuration written by "samba-tool domain provision".
include "/var/lib/samba/private/named.conf";

vim /etc/bind/named.conf.local:

// Logging configuration kept in its own file (defined further down).
include "/etc/bind/named.conf.log";

vim /etc/bind/named.conf.options:

options {
        directory "/var/cache/bind";
        auth-nxdomain no;
        // IPv4 only, matching "-4" in /etc/default/bind9.
        listen-on-v6 { none; };
        listen-on { 127.0.0.1; 192.168.40.2; };
        // Authoritative data (the AD zone) is answered for anyone who can reach
        // the listener; recursion is limited to localhost and the LAN.
        allow-query { any; };
        recursion yes;
        allow-recursion { 127.0.0.1;192.168.40.0/24; };
        version "my dns server";
        // NOTE(review): a global allow-update lets any host in the /24 push
        // unsigned dynamic updates into every zone that has no policy of its
        // own.  The Samba-generated named.conf normally gives the AD zone a
        // per-zone update-policy (GSS-TSIG via the keytab below); confirm
        // that, then remove this block rather than trust source addresses.
        allow-update {
                192.168.40.0/24;
                127.0.0.0/8;
        };
        dnssec-enable yes;
        // NOTE(review): DLV (dnssec-lookaside) was retired by ISC in 2017;
        // this directive is dead weight on a current BIND and can be dropped.
        dnssec-lookaside auto;
        dnssec-validation yes;
        // Keytab provisioned by Samba for signed (GSS-TSIG) DNS updates.
        tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};

vim /etc/bind/named.conf.log:

// BIND logging: dynamic-update traffic at debug level, security events and
// everything else at info, all under /var/log/bind (created below).
logging {
        channel update_debug {
                file "/var/log/bind/update_debug.log" versions 3 size 100k;
                severity debug;
                print-severity  yes;
                print-time      yes;
        };
        // NOTE(review): one rotated 100k file is a very short audit trail for
        // security events; consider more versions/size if these logs matter.
        channel security_info {
                file "/var/log/bind/security_info.log" versions 1 size 100k;
                severity info;
                print-severity  yes;
                print-time      yes;
        };
        channel bind_log {
                file "/var/log/bind/bind.log" versions 3 size 1m;
                severity info;
                print-category  yes;
                print-severity  yes;
                print-time      yes;
        };

        category default { bind_log; };
        // Noisy and rarely actionable; discarded.
        category lame-servers { null; };
        // Both update categories go to the debug channel.
        category update { update_debug; };
        category update-security { update_debug; };
        category security { security_info; };
};

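# Log directory for the BIND channels above; -p makes the step re-runnable.
mkdir -p /var/log/bind/
# named runs as "bind" (OPTIONS="-u bind" above) and must own the directory.
chown -R bind:bind /var/log/bind/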

?????? ?????????? ??????
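# Provision reads an existing smb.conf and refuses to continue when its
# settings conflict with the answers given, so remove the package default
# first (-f: do not fail if it is already gone).
rm -f -- /etc/samba/smb.conf
# --use-rfc2307 stores POSIX uid/gid attributes in AD; --use-xattrs=yes relies
# on the user_xattr/acl mount options set earlier.
# NOTE(review): the DNS backend chosen below (BIND9_FLATFILE) is deprecated
# upstream in favour of BIND9_DLZ; check what the installed Samba still offers.
samba-tool domain provision --use-rfc2307 --use-xattrs=yes --interactive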
Realm: EXAMPLE.COM
Domain: MYADDC
Server Role (dc, member, standalone) [dc]: enter
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: BIND9_FLATFILE

????? ?????:
Realm — ?????? ??? ??????????? ??????
Domain — ???????? ??? ??????????? ??????
DNS backend — ??? ?????????? ?????? ????? ???????? ? DNS ????????, ? ????? ?????? ?????? ??????? ????????? ???? DNS ??????? bind

? ????? ????? /var/lib/samba/private/dns/example.com.zone ?????????:

; A record for the host "samba" (this DC's address) in the flat-file zone.
samba IN A 192.168.40.2

# Restart BIND so it loads the Samba include and the edited zone file.
/etc/init.d/bind9 restart

????????????? ?? ???? DNS ??????
vim /etc/resolv.conf:

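# Resolve through the local BIND (listening on 127.0.0.1 above) so the DC's
# own AD lookups hit the authoritative zone.  resolv.conf(5) makes "domain"
# and "search" mutually exclusive (the last one wins), so only "search" is kept.
search example.com
nameserver 127.0.0.1
# NOTE(review): if resolvconf or a network manager owns this file, the edit is
# overwritten; configure the nameserver through that tool instead.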

??????????? Kerberos
# Use the Kerberos client configuration generated by provision (realm/KDC of
# the new domain) for the whole host.
cp /var/lib/samba/private/krb5.conf /etc/

??????????? winbind
vim /etc/nsswitch.conf:

# Resolve AD users and groups through winbind, after the local files.
passwd: files winbind
group:  files winbind

# Restart the AD DC service after the nsswitch/krb5 changes above.
/etc/init.d/samba-ad-dc restart

????????? ????? (https://wiki.samba.org/index.php/Samba_port_usage#Port_usage_when_Samba_runs_as_DC)
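# Port list from the Samba "port usage when running as a DC" page linked above.
# NOTE: these are ACCEPT rules only -- they restrict nothing until the INPUT
# chain ends in DROP (policy or a final rule).  Before adding that, make sure
# the channel used to administer the host (e.g. SSH) has its own ACCEPT rule.
# Loopback must be allowed: resolv.conf points at 127.0.0.1 and BIND listens there.
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -I INPUT 2 -m state --state RELATED,ESTABLISHED -j ACCEPT
# 1024:5000 is the dynamic RPC range of older Samba releases; newer versions
# default to a higher range (see "rpc server dynamic port range") -- verify
# against the installed version.
iptables -I INPUT 3 -s 192.168.40.0/24 -d 192.168.40.2 -i eth0 -p tcp -m state --state NEW -m multiport --dports 53,88,135,139,389,445,464,636,1024:5000,3268,3269,5353 -j ACCEPT
# UDP 53 (DNS, the primary transport) and UDP 123 (ntpd serving the domain)
# were missing from the original UDP rule.
iptables -I INPUT 4 -s 192.168.40.0/24 -d 192.168.40.2 -i eth0 -p udp -m multiport --dports 53,88,123,137,138,389,464,5353 -j ACCEPT
/etc/init.d/netfilter-persistent save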
