Ez az \u00fatmutat\u00f3 r\u00e9szletesen bemutatja egy SAMBA Member Server (3.6.23) konfigur\u00e1l\u00e1s\u00e1hoz \u00e9s be\u00e1ll\u00edt\u00e1s\u00e1hoz sz\u00fcks\u00e9ges l\u00e9p\u00e9seket\u00a0egy FreeBSD 9.2 oper\u00e1ci\u00f3s rendszert futtat\u00f3 kiszolg\u00e1l\u00f3n egy l\u00e9tez\u0151 Windows Active Directory-ban.<\/p>\n
Az \u00fatmutat\u00f3 el\u0151felt\u00e9tele, hogy rendelkez\u00e9sre \u00e1lljon egy telep\u00edtett, m\u0171k\u00f6d\u0151k\u00e9pes kiszolg\u00e1l\u00f3, amelyen konfigur\u00e1lva vannak az olyan r\u00e9szleteket, mint hosztn\u00e9v, IP, DNS, id\u0151z\u00f3na stb.\u00a0A telep\u00edt\u00e9s el\u0151tt aj\u00e1nlott egy rendszerfriss\u00edt\u00e9st v\u00e9grehajtani a k\u00f6vetkez\u0151 parancsokkal:<\/span><\/p>\n [bash]# freebsd-update fetch Az \u00fatmutat\u00f3 a k\u00f6vetkez\u0151 be\u00e1ll\u00edt\u00e1sokat haszn\u00e1lja. Ezek helyet saj\u00e1t \u00e9rt\u00e9keket kell haszn\u00e1lni:<\/p>\n [plain]LAN subnet: 192.168.17.0\/24 Adja hozz\u00e1 a k\u00f6vetkez\u0151 sorokat az \/etc\/sysctl.conf<\/em> f\u00e1jlhoz:<\/p>\n [plain]kern.ipc.maxsockbuf=16777216 Adja hozz\u00e1 a k\u00f6vetkez\u0151 sort a\u00a0\/boot\/loader.conf<\/em>\u00a0f\u00e1jlhoz:<\/p>\n [plain] Hogyha nem telep\u00edtette a port f\u00e1t a rendszer telep\u00edt\u00e9sekor, akkor hajtsa v\u00e9gre most a telep\u00edt\u00e9s\u00e9t \u00e9s friss\u00edt\u00e9s\u00e9t:<\/p>\n [bash]# portsnap fetch extract Hogyha m\u00e9g nincs telep\u00edtve a portmaster<\/em>, akkor telep\u00edtse most:<\/p>\n [bash]# cd \/usr\/ports\/ports-mgmt\/portmaster Az Active Directory haszn\u00e1lat\u00e1hoz sz\u00fcks\u00e9g van a Kerberos<\/strong> h\u00e1l\u00f3zati hiteles\u00edt\u00e9si protokollra. A FreeBSD alap telep\u00edt\u00e9se tartalmazz a Heimdal Kerberos<\/strong> minim\u00e1lis telep\u00edt\u00e9s\u00e9t, amely elegend\u0151 a Member Server konfigur\u00e1l\u00e1s\u00e1hoz. Hozza l\u00e9tre az \/etc\/krb5.conf<\/em> f\u00e1jlt a k\u00f6vetkez\u0151 tartalommal. \u00dcgyeljen a kis\/nagy bet\u0171s \u00edr\u00e1sm\u00f3dra:<\/p>\n [plain][logging] [libdefaults] [realms] [domain_realm] [appdefaults] [kadmin] Ellen\u0151rizze le, hogy m\u0171k\u00f6dik-e a Kerberos hiteles\u00edt\u00e9s:<\/p>\n [bash]# kinit administrator[\/bash]<\/p>\n Adja meg a TEST\\administrator<\/em> felhaszn\u00e1l\u00f3 jelszav\u00e1t (administrator@TEST.LOCAL<\/em>). Jelen\u00edtse meg a Kerberos jegyeket:<\/p>\n [bash]# klist[\/bash]<\/p>\n A k\u00f6vetkez\u0151h\u00f6z hasonl\u00f3 jelenik meg:<\/p>\n [plain]Credentials cache: FILE:\/tmp\/krb5cc_0 Issued Expires Principal A Kerberos nagyon k\u00e9nyes a d\u00e1tum- \u00e9s id\u0151be\u00e1ll\u00edt\u00e1sra. Az egym\u00e1ssal kommunik\u00e1l\u00f3 sz\u00e1m\u00edt\u00f3g\u00e9pek k\u00f6z\u00f6tt legfeljebb 5 perc elt\u00e9r\u00e9s lehet (ez a Windows Server 2003 alapbe\u00e1ll\u00edt\u00e1sa).\u00a0Ez\u00e9rt nagyon fontos, hogy az \u00f3r\u00e1k szinkroniz\u00e1l\u00e1sa megfelel\u0151en be legyen \u00e1ll\u00edtva. A FreeBSD tartalmazza a ntpd <\/strong>szolg\u00e1ltat\u00e1st, amely be\u00e1ll\u00edthat\u00f3 \u00fagy, hogy lek\u00e9rdezzen m\u00e1s NTP kiszolg\u00e1l\u00f3kat (AD tartom\u00e1nyvez\u00e9rl\u0151) az \u00f3ra szinkroniz\u00e1l\u00e1s\u00e1hoz. Adja hozz\u00e1 a k\u00f6vetkez\u0151 sort az \/etc\/rc.conf<\/em> f\u00e1jlhoz, hogy az ntpd<\/strong>\u00a0enged\u00e9lyezve legyen a sz\u00e1m\u00edt\u00f3g\u00e9p indul\u00e1s\u00e1n\u00e1l:<\/p>\n [plain]ntpd_enable="YES"[\/plain]<\/p>\n Az alkalmaz\u00e1s beolvassa az \/etc\/ntp.conf<\/em> f\u00e1jlt, hogy meghat\u00e1rozza, mely NTP kiszolg\u00e1l\u00f3kat kell lek\u00e9rdeznie. Adja hozz\u00e1 a tartom\u00e1nyvez\u00e9rl\u0151t a f\u00e1jlhoz (t\u00f6bb kiszolg\u00e1l\u00f3t is meg lehet adni):<\/p>\n [plain]server 192.168.18.2 prefer[\/plain]<\/p>\n Ind\u00edtsa el az \u00f3ra szinkroniz\u00e1l\u00e1st:<\/p>\n [bash]# service ntpd start[\/bash]<\/p>\n Telep\u00edtse a SAMBA 3.6 alkalmaz\u00e1st:<\/p>\n [bash]# portmaster net\/samba36[\/bash]<\/p>\n V\u00e1lassza ki a k\u00f6vetkez\u0151 opci\u00f3kat, amikor a rendszer r\u00e1k\u00e9rdez:<\/p>\n [plain] Fogadja el a t\u00f6bbi csomag alap\u00e9rtelmezett opci\u00f3it. Hozza l\u00e9tre a \/usr\/local\/etc\/smb.conf f\u00e1jlt:<\/p>\n [plain] idmap config * : backend = tdb client use spnego = yes unix charset = UTF8 load printers = no nt acl support = yes [testshare] M\u00f3dos\u00edtsa az \/etc\/nsswitch.conf<\/em> f\u00e1jlban a k\u00f6vetkez\u0151 sorokat:<\/p>\n [plain] Csatlakoztassa a SAMBA kiszolg\u00e1l\u00f3t az AD tartom\u00e1nyhoz:<\/p>\n [bash] Adja meg a rendszergazda jelszav\u00e1t. Sikertelen csatlakoz\u00e1s eset\u00e9n ellen\u0151rizze, hogy a SAMBA kiszolg\u00e1l\u00f3 rendelkezik-e \u00e9rv\u00e9nyes DNS A rekorddal a SAMBA kiszolg\u00e1l\u00f3. Sikeres csatlakoz\u00e1s eset\u00e9n a k\u00f6vetkez\u0151 sorok jelennek meg:<\/p>\n [plain] Ellen\u0151rizze le az ADS tags\u00e1got:<\/p>\n [bash] Sikeresen kapcsol\u00f3d\u00e1s eset\u00e9n a k\u00f6vetkez\u0151 \u00fczenet jelenik meg:<\/p>\n [plain] Adja hozz\u00e1 a k\u00f6vetkez\u0151 sorokat az \/etc\/rc.conf f\u00e1jlhoz, a SAMBA kiszolg\u00e1l\u00f3 automatikus elind\u00edt\u00e1s\u00e1hoz:<\/p>\n [plain] Ind\u00edtsa el a SAMBA szolg\u00e1ltat\u00e1sokat:<\/p>\n [bash] Ellen\u0151rizze le, hogy az ADS felhaszn\u00e1l\u00f3k \u00e9s csoportok rendelkez\u00e9sre \u00e1llnak-e a helyi FreeBSD rendszer sz\u00e1m\u00e1ra:<\/p>\n [bash] Felsorolja az \u00f6sszes ADS felhaszn\u00e1l\u00f3t \u00e9s csoportok.<\/p>\n [bash] Felsorolja a FreeBSD rendszeren el\u00e9rhet\u0151 \u00f6sszes felhaszn\u00e1l\u00f3t \u00e9s csoportot, ahol a lista v\u00e9g\u00e9n megjelennek az ADS-b\u0151l sz\u00e1rmaz\u00f3 elemek is.<\/p>\n Hozza l\u00e9tre a SAMBA teszt megoszt\u00e1st \u00e9s \u00e1ll\u00edtsa be az enged\u00e9lyeket:<\/p>\n [bash] A SAMBA kiszolg\u00e1l\u00f3nak most m\u00e1r el\u00e9rhet\u0151nek kell lennie a Windows AD sz\u00e1m\u00edt\u00f3g\u00e9peir\u0151l. Ez az \u00fatmutat\u00f3 r\u00e9szletesen bemutatja egy SAMBA Member Server (3.6.23) konfigur\u00e1l\u00e1s\u00e1hoz \u00e9s be\u00e1ll\u00edt\u00e1s\u00e1hoz sz\u00fcks\u00e9ges l\u00e9p\u00e9seket\u00a0egy FreeBSD 9.2 oper\u00e1ci\u00f3s rendszert futtat\u00f3 kiszolg\u00e1l\u00f3n egy […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,49,3,20],"tags":[185,187,6,186,184],"_links":{"self":[{"href":"http:\/\/dev.nazca.hu\/www\/wp-json\/wp\/v2\/posts\/1496"}],"collection":[{"href":"http:\/\/dev.nazca.hu\/www\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/dev.nazca.hu\/www\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/dev.nazca.hu\/www\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/dev.nazca.hu\/www\/wp-json\/wp\/v2\/comments?post=1496"}],"version-history":[{"count":5,"href":"http:\/\/dev.nazca.hu\/www\/wp-json\/wp\/v2\/posts\/1496\/revisions"}],"predecessor-version":[{"id":4270,"href":"http:\/\/dev.nazca.hu\/www\/wp-json\/wp\/v2\/posts\/1496\/revisions\/4270"}],"wp:attachment":[{"href":"http:\/\/dev.nazca.hu\/www\/wp-json\/wp\/v2\/media?parent=1496"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/dev.nazca.hu\/www\/wp-json\/wp\/v2\/categories?post=1496"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/dev.nazca.hu\/www\/wp-json\/wp\/v2\/tags?post=1496"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\n# freebsd-update install[\/bash]<\/p>\n
\nAD domain: test.local
\nAD realm: TEST.LOCAL
\nDC name: testdc1.test.local
\nDC IP: 192.168.17.2
\nSAMBA name: testms1.test.local
\nSAMBA IP: 192.168.17.6
\n[\/plain]<\/p>\n
\nkern.ipc.nmbclusters=32768
\nkern.ipc.somaxconn=32768
\nkern.maxfiles=65536
\nkern.maxfilesperproc=32768
\nkern.maxvnodes=800000
\nnet.inet.tcp.delayed_ack=1
\nnet.inet.tcp.path_mtu_discovery=0
\nnet.inet.tcp.recvbuf_auto=1
\nnet.inet.tcp.recvbuf_inc=524288
\nnet.inet.tcp.recvbuf_max=16777216
\nnet.inet.tcp.recvspace=65536
\nnet.inet.tcp.rfc1323=1
\nnet.inet.tcp.sendbuf_auto=1
\nnet.inet.tcp.sendbuf_inc=524288
\nnet.inet.tcp.sendbuf_max=16777216
\nnet.inet.tcp.sendspace=65536
\nnet.inet.tcp.mssdflt=1460
\nnet.inet.udp.maxdgram=57344
\nnet.inet.udp.recvspace=65536
\nnet.local.stream.recvspace=65536
\nnet.local.stream.sendspace=65536
\n[\/plain]<\/p>\n
\naio_load="YES"
\n[\/plain]<\/p>\n
\n# portsnap fetch update[\/bash]<\/p>\n
\n# make install clean
\n# rehash[\/bash]<\/p>\nKerberos<\/h1>\n
\n default = FILE:\/var\/log\/krb5libs.log
\n kdc = FILE:\/var\/log\/krb5kdc.log
\n admin_server = FILE:\/var\/log\/kadmind.log<\/p>\n
\n default_realm = TEST.LOCAL
\n dns_lookup_realm = true
\n dns_lookup_kdc = true
\n default_keytab_name = FILE:\/etc\/keytab.krb5
\n default_etypes = arcfour-hmac-md5
\n default_etypes_des = arcfour-hmac-md5<\/p>\n
\n TEST.LOCAL = {
\n kdc = testdc1.test.local
\n default_domain = test.local
\n admin_server = testdc1.test.local
\n }<\/p>\n
\n .domain.tld = TEST.LOCAL
\n domain.tld = TEST.LOCAL
\n .DOMAIN.TLD = TEST.LOCAL<\/p>\n
\n pam = {
\n debug = false
\n ticket_lifetime = 36000
\n renew_lifetime = 36000
\n forwardable = true
\n krb4_convert = false
\n }<\/p>\n
\n require-preauth = true[\/plain]<\/p>\n
\n Principal: administrator@TEST.LOCAL<\/p>\n
\nApr 7 16:47:41 Apr 8 02:47:29 krbtgt\/TEST.LOCAL@TEST.LOCAL
\n[\/plain]<\/p>\n\u00d3ra szinkroniz\u00e1l\u00e1sa<\/h1>\n
SAMBA 3.6 telep\u00edt\u00e9s \u00e9s konfigur\u00e1l\u00e1sa<\/h1>\n
\nACL_SUPPORT
\nADS
\nAIO_SUPPORT
\nCUPS
\nDNSUPDATE
\nFAM_SUPPORT
\nIPV6
\nPOPT
\nQUOTAS
\nSYSLOG
\nUTMP
\nWINBIND
\n[\/plain]<\/p>\n
\n[global]
\n workgroup = TEST
\n server string = Samba Server Version %v
\n security = ADS
\n realm = TEST.LOCAL
\n domain master = no
\n local master = no
\n preferred master = no
\n socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072
\n use sendfile = yes
\n aio read size = 16384
\n aio write size = 16384
\n read raw = yes
\n write raw = yes<\/p>\n
\n idmap config * : range = 1000000-2999999
\n idmap config TEST : backend = rid
\n idmap config TEST : range = 10000-99999
\n winbind enum users = yes
\n winbind enum groups = yes
\n winbind use default domain = yes
\n winbind nested groups = yes
\n winbind refresh tickets = yes
\n winbind offline logon = yes
\n template homedir = \/home\/%D\/%U
\n template shell = \/bin\/sh<\/p>\n
\n client ntlmv2 auth = yes
\n encrypt passwords = yes
\n restrict anonymous = 2
\n log file = \/var\/log\/samba\/log.%m
\n syslog = 1
\n log level = 0
\n max log size = 500<\/p>\n
\n display charset = UTF8<\/p>\n
\n printing = bsd
\n printcap name = \/dev\/null<\/p>\n
\n inherit acls = yes
\n map acl inherit = yes
\n unix extensions = no<\/p>\n
\n comment = Test share
\n path = \/usr\/home\/test
\n read only = no
\n valid users = @"TEST\\Domain Users"
\n admin users = TEST+Administrator
\n force group = "Domain Users"
\n directory mask = 0770
\n force directory mode = 0770
\n create mask = 0660
\n force create mode = 0660
\n access based share enum = yes
\n[\/plain]<\/p>\n
\ngroup: files winbind
\npasswd: files winbind
\n[\/plain]<\/p>\n
\n# net ads join -U administrator
\nEnter administrator’s password:
\n[\/bash]<\/p>\n
\nUsing short domain name — TEST
\nJoined ‘TESTMS1’ to dns domain ‘TEST.local’
\n[\/plain]<\/p>\n
\n# net ads testjoin
\n[\/bash]<\/p>\n
\nJoin is OK
\n[\/plain]<\/p>\n
\nsamba_enable="YES"
\nwinbindd_enable="YES"
\n[\/plain]<\/p>\n
\n# service samba start
\n[\/bash]<\/p>\n
\n# wbinfo -u
\n# wbinfo -g
\n[\/bash]<\/p>\n
\n# getent passwd
\n# getent group
\n[\/bash]<\/p>\n
\n# mkdir -p \/usr\/home\/test
\n# chmod 0770 \/usr\/home\/test
\n# chgrp "Domain Users" \/usr\/home\/test
\n[\/bash]<\/p>\n
\nInd\u00edtsa \u00fajra a FreeBSD kiszolg\u00e1l\u00f3t \u00e9s ellen\u0151rizze, hogy rendesen elindulnak-e a SAMBA szolg\u00e1ltat\u00e1sok.<\/p>\n","protected":false},"excerpt":{"rendered":"