Installing a Samba AD/DC service

Introduction

The Samba service can act as an AD/DC (Active Directory/Domain Controller). It is mature enough to be used successfully for managing the users and systems of computer networks whose machines run Windows 10/11 or Linux. Preferably, that server is dedicated to authentication and authorization services and does not also offer file or print services: that should be the role of the member servers joined to the domain.[1]

Choosing some parameters

Host name - dc1
Local IP address - 192.168.0.51
Authentication domain - svgenebank.lan

Note:
When choosing the domain name, if you do not own a registered domain, follow the standards RFC 6762 and RFC 8375.

Since the server will be a DC and AD (Domain Controller and Active Directory), in a residential environment it is preferable to choose the "home.arpa" domain (see RFC 8375), while in a non-residential environment choose a domain in accordance with Appendix G of RFC 6762.
If a domain has been registered, use subdomain.domain_name.tld as the authentication domain.

Initial checks

To begin with, we check and set a few aspects of the server:

  • Make sure the server's full name includes the chosen domain:
    • This can be set at installation time (see the two installer screenshots).
    • On a previously installed system, the hostnamectl command can be used:
      florin@dc1:~$ sudo hostnamectl set-hostname dc1

      Next we set the IP and name of the domain controller in /etc/hosts, to be sure that it resolves the domain name correctly:

      florin@dc1:~$ sudo nano /etc/hosts

      Comment out or delete the line 127.0.1.1 dc1 and add local_ip_address host_name.domain alias. The /etc/hosts file will finally look like this:

127.0.0.1 localhost
#127.0.1.1 dc1
192.168.0.51 dc1.svgenebank.lan dc1

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

After the change, verify:

florin@dc1:~$ hostname
dc1
florin@dc1:~$ hostname -d
svgenebank.lan
florin@dc1:~$ hostname -f
dc1.svgenebank.lan

It is very important that the clocks of the computers in the network are synchronized. We check the clock and choose the time zone:

florin@dc1:~$ timedatectl
               Local time: Sat 2025-05-17 11:15:05 UTC
           Universal time: Sat 2025-05-17 11:15:05 UTC
                 RTC time: Sat 2025-05-17 11:15:05
                Time zone: Etc/UTC (UTC, +0000)
System clock synchronized: yes
              NTP service: active
          RTC in local TZ: no
florin@dc1:~$ sudo timedatectl set-timezone Europe/Bucharest
florin@dc1:~$ timedatectl
               Local time: Sat 2025-05-17 14:16:25 EEST
           Universal time: Sat 2025-05-17 11:16:25 UTC
                 RTC time: Sat 2025-05-17 11:16:25
                Time zone: Europe/Bucharest (EEST, +0300)
System clock synchronized: yes
              NTP service: active
          RTC in local TZ: no

The line System clock synchronized: yes tells us the clock is synchronized.
Because Ubuntu runs a service called systemd-resolved that handles DNS resolution, we have to stop and disable it, delete the /etc/resolv.conf symbolic link and create a new /etc/resolv.conf file in which we define the DNS server addresses:

florin@dc1:~$ sudo systemctl disable --now systemd-resolved
Removed "/etc/systemd/system/dbus-org.freedesktop.resolve1.service".
Removed "/etc/systemd/system/sysinit.target.wants/systemd-resolved.service".
florin@dc1:~$ ls -lah /etc/resolv.conf 
lrwxrwxrwx 1 root root 39 Feb 16 20:58 /etc/resolv.conf -> ../run/systemd/resolve/stub-resolv.conf
florin@dc1:~$ sudo rm /etc/resolv.conf 
florin@dc1:~$ sudo touch /etc/resolv.conf
florin@dc1:~$ ls -lah /etc/resolv.conf 
-rw-r--r-- 1 root root 0 May 16 07:20 /etc/resolv.conf

Next, edit the /etc/resolv.conf file:

florin@dc1:~$ sudo nano /etc/resolv.conf

Inside the file we define the IPs of the DNS servers used by the domain controller dc1:

# Samba server AD-DC
nameserver 192.168.0.51
# internet name server
nameserver 8.8.8.8
# my Samba domain name
search svgenebank.lan

Finally, reboot the server (the machine or computer):

florin@dc1:~$ sudo reboot

After the reboot, check that we have an internet connection and that the AD-DC machine is found:

florin@dc1:~$ ping -c3 google.ro
PING google.ro (172.217.169.99) 56(84) bytes of data.
64 bytes from sof02s31-in-f3.1e100.net (172.217.169.99): icmp_seq=1 ttl=112 time=26.0 ms
64 bytes from sof02s31-in-f3.1e100.net (172.217.169.99): icmp_seq=2 ttl=112 time=25.9 ms
64 bytes from sof02s31-in-f3.1e100.net (172.217.169.99): icmp_seq=3 ttl=112 time=26.0 ms

--- google.ro ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 25.944/25.994/26.038/0.038 ms
florin@dc1:~$ ping -c3 dc1
PING dc1.svgenebank.lan (192.168.0.51) 56(84) bytes of data.
64 bytes from dc1.svgenebank.lan (192.168.0.51): icmp_seq=1 ttl=64 time=0.035 ms
64 bytes from dc1.svgenebank.lan (192.168.0.51): icmp_seq=2 ttl=64 time=0.062 ms
64 bytes from dc1.svgenebank.lan (192.168.0.51): icmp_seq=3 ttl=64 time=0.062 ms

--- dc1.svgenebank.lan ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2055ms
rtt min/avg/max/mdev = 0.035/0.053/0.062/0.012 ms
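The checks above (the /etc/hosts entry and the resolver pointing at the DC) can be scripted. This is an added example, not part of the original guide: it validates copies of /etc/hosts and /etc/resolv.conf against the parameters chosen above (dc1, svgenebank.lan, 192.168.0.51) using constructed sample files, so it runs without touching the system.

```shell
#!/bin/sh
# Name-resolution prerequisite check for a Samba AD/DC host. Added example,
# not part of the original guide. Uses constructed copies of /etc/hosts and
# /etc/resolv.conf so it runs without touching the real system.

# hosts_has_dc_entry FILE IP FQDN SHORT
# Succeeds when an uncommented line maps IP to "FQDN SHORT" (FQDN first, so
# `hostname -f` yields the FQDN) and no uncommented 127.0.1.1 line still
# carries SHORT, which would make the DC resolve itself to a loopback address.
hosts_has_dc_entry() {
    awk -v ip="$2" -v fqdn="$3" -v short="$4" '
        /^[[:space:]]*#/ || NF == 0 { next }          # skip comments and blank lines
        $1 == "127.0.1.1" { for (i = 2; i <= NF; i++) if ($i == short) bad = 1 }
        $1 == ip && $2 == fqdn { for (i = 3; i <= NF; i++) if ($i == short) good = 1 }
        END { if (good && !bad) exit 0; exit 1 }
    ' "$1"
}

# resolv_points_to_dc FILE IP DOMAIN
# Succeeds when the first nameserver is the DC itself (Samba's internal DNS
# serves the _ldap/_kerberos SRV records, so it must be queried first) and the
# search list contains the AD DNS domain.
resolv_points_to_dc() {
    awk -v ip="$2" -v domain="$3" '
        /^[[:space:]]*#/ || NF == 0 { next }
        $1 == "nameserver" && !seen { first = $2; seen = 1 }
        $1 == "search" { for (i = 2; i <= NF; i++) if ($i == domain) found = 1 }
        END { if (first == ip && found) exit 0; exit 1 }
    ' "$1"
}

# check_dc_prereqs IP FQDN SHORT DOMAIN HOSTS_FILE RESOLV_FILE
# Returns 0 only when both files agree with the chosen DC parameters.
check_dc_prereqs() {
    hosts_has_dc_entry "$5" "$1" "$2" "$3" ||
        { echo "hosts: no '$1 $2 $3' entry, or 127.0.1.1 still maps $3" >&2; return 1; }
    resolv_points_to_dc "$6" "$1" "$4" ||
        { echo "resolv.conf: first nameserver must be $1 and search must include $4" >&2; return 1; }
    echo "name resolution prerequisites OK for $2"
}

# Constructed sample files mirroring the guide's final /etc/hosts and
# /etc/resolv.conf, plus two deliberately wrong variants.
TMP=$(mktemp -d)
cat > "$TMP/hosts.good" <<'EOF'
127.0.0.1 localhost
#127.0.1.1 dc1
192.168.0.51 dc1.svgenebank.lan dc1
::1     ip6-localhost ip6-loopback
EOF
cat > "$TMP/hosts.bad" <<'EOF'
127.0.0.1 localhost
127.0.1.1 dc1
192.168.0.51 dc1.svgenebank.lan dc1
EOF
cat > "$TMP/resolv.good" <<'EOF'
# Samba server AD-DC
nameserver 192.168.0.51
# internet name server
nameserver 8.8.8.8
search svgenebank.lan
EOF
cat > "$TMP/resolv.bad" <<'EOF'
nameserver 8.8.8.8
nameserver 192.168.0.51
search svgenebank.lan
EOF

check_dc_prereqs 192.168.0.51 dc1.svgenebank.lan dc1 svgenebank.lan "$TMP/hosts.good" "$TMP/resolv.good"
```

To check the live system, pass /etc/hosts and /etc/resolv.conf as the last two arguments.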

Installing Samba

Samba can be installed from source using the information here, or from the distribution's packages, in this case Ubuntu's:

sudo apt install -y acl attr samba samba-dsdb-modules samba-vfs-modules smbclient winbind libpam-winbind libnss-winbind libpam-krb5 krb5-config krb5-user dnsutils chrony net-tools

When installing Kerberos we are greeted by a screen asking for the realm chosen at the beginning, entered in capital letters: SVGENEBANK.LAN.
(installer screenshot)
After entering it and pressing the button, the next step asks for the name of the host server:
(installer screenshot)
After entering it and pressing the button, the next step asks for the administrative server; enter the name of the host server here as well:
(installer screenshot)
Next, disable the unused Samba services and enable the AD-DC service:

florin@dc1:~$ sudo systemctl disable --now smbd nmbd winbind
Synchronizing state of smbd.service with SysV service script with /usr/lib/systemd/systemd-sysv-install.
Executing: /usr/lib/systemd/systemd-sysv-install disable smbd
Synchronizing state of nmbd.service with SysV service script with /usr/lib/systemd/systemd-sysv-install.
Executing: /usr/lib/systemd/systemd-sysv-install disable nmbd
Synchronizing state of winbind.service with SysV service script with /usr/lib/systemd/systemd-sysv-install.
Executing: /usr/lib/systemd/systemd-sysv-install disable winbind
Removed "/etc/systemd/system/multi-user.target.wants/winbind.service".
Removed "/etc/systemd/system/multi-user.target.wants/smbd.service".
Removed "/etc/systemd/system/multi-user.target.wants/nmbd.service".
Removed "/etc/systemd/system/smb.service".
Removed "/etc/systemd/system/nmb.service".
florin@dc1:~$ sudo systemctl unmask samba-ad-dc
florin@dc1:~$ sudo systemctl enable samba-ad-dc
Synchronizing state of samba-ad-dc.service with SysV service script with /usr/lib/systemd/systemd-sysv-install.
Executing: /usr/lib/systemd/systemd-sysv-install enable samba-ad-dc

Configuring the Samba server

Before changing the configuration files it is advisable to back them up, but first we stop the Samba AD-DC service:

florin@dc1:~$ sudo systemctl stop samba-ad-dc.service 
florin@dc1:~$ sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.orig
florin@dc1:~$ sudo mv /etc/krb5.conf /etc/krb5.conf.orig

For interactive configuration we use the command:

florin@dc1:~$ sudo samba-tool domain provision --use-rfc2307 --interactive
Realm [SVGENEBANK.LAN]:  
Domain [SVGENEBANK]:  
Server Role (dc, member, standalone) [dc]:  
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:  
DNS forwarder IP address (write 'none' to disable forwarding) [192.168.0.51]:  8.8.8.8
Administrator password: 
Retype password: 

The previous command generated the configuration file /var/lib/samba/private/krb5.conf, which must be copied to /etc/krb5.conf:

florin@dc1:~$ sudo cp /var/lib/samba/private/krb5.conf /etc/krb5.conf

Then we start the service and check its status:

florin@dc1:~$ sudo systemctl start samba-ad-dc.service
florin@dc1:~$ sudo systemctl status samba-ad-dc.service
● samba-ad-dc.service - Samba AD Daemon
     Loaded: loaded (/usr/lib/systemd/system/samba-ad-dc.service; enabled; preset: enabled)
     Active: active (running) since Mon 2025-05-19 10:09:17 EEST; 10s ago
       Docs: man:samba(8)
             man:samba(7)
             man:smb.conf(5)
    Process: 3313 ExecCondition=/usr/share/samba/is-configured samba (code=exited, status=0/SUCCESS)
   Main PID: 3316 (samba)
     Status: "samba: ready to serve connections..."
      Tasks: 58 (limit: 4609)
     Memory: 176.2M (peak: 259.9M)
        CPU: 1.619s
     CGroup: /system.slice/samba-ad-dc.service
             ├─3316 "samba: root process"
             ├─3317 "samba: tfork waiter process(3318)"
             ├─3318 "samba: task[s3fs] pre-fork master"
             ├─3319 "samba: tfork waiter process(3320)"
             ├─3320 "samba: task[rpc] pre-fork master"
             ├─3321 "samba: tfork waiter process(3325)"
             ├─3322 "samba: tfork waiter process(3323)"
             ├─3323 "samba: task[nbt] pre-fork master"
             ├─3324 "samba: tfork waiter process(3327)"
             ├─3325 /usr/sbin/smbd -D "--option=server role check:inhibit=yes" --foreground
             ├─3326 "samba: tfork waiter process(3328)"
             ├─3327 "samba: task[wrepl] pre-fork master"
             ├─3328 "samba: task[rpc] pre-forked worker(0)"
             ├─3329 "samba: tfork waiter process(3332)"
             ├─3330 "samba: tfork waiter process(3331)"
             ├─3331 "samba: task[ldap] pre-fork master"
             ├─3332 "samba: task[rpc] pre-forked worker(1)"
             ├─3333 "samba: tfork waiter process(3334)"
             ├─3334 "samba: task[cldap] pre-fork master"
             ├─3335 "samba: tfork waiter process(3337)"
             ├─3336 "samba: tfork waiter process(3339)"
             ├─3337 "samba: task[rpc] pre-forked worker(2)"
             ├─3338 "samba: tfork waiter process(3341)"
             ├─3339 "samba: task[kdc] pre-fork master"
             ├─3340 "samba: tfork waiter process(3344)"
             ├─3341 "samba: task[rpc] pre-forked worker(3)"
             ├─3342 "samba: tfork waiter process(3343)"
             ├─3343 "samba: task[kdc] pre-forked worker(0)"
             ├─3344 "samba: task[drepl] pre-fork master"
             ├─3345 "samba: tfork waiter process(3347)"
             ├─3346 "samba: tfork waiter process(3348)"
             ├─3347 "samba: task[kdc] pre-forked worker(1)"
             ├─3348 "samba: task[winbindd] pre-fork master"
             ├─3349 "samba: tfork waiter process(3353)"
             ├─3350 "samba: tfork waiter process(3352)"
             ├─3351 "samba: tfork waiter process(3354)"
             ├─3352 "samba: task[ntp_signd] pre-fork master"
             ├─3353 "samba: task[kdc] pre-forked worker(2)"
             ├─3354 /usr/sbin/winbindd -D "--option=server role check:inhibit=yes" --foreground
             ├─3355 "samba: tfork waiter process(3357)"
             ├─3356 "samba: tfork waiter process(3358)"
             ├─3357 "samba: task[kcc] pre-fork master"
             ├─3358 "samba: task[kdc] pre-forked worker(3)"
             ├─3360 "samba: tfork waiter process(3361)"
             ├─3361 "samba: task[dnsupdate] pre-fork master"
             ├─3362 "samba: tfork waiter process(3363)"
             ├─3363 "samba: task[dns] pre-fork master"
             ├─3369 "smbd: notifyd" .
             ├─3370 "smbd: cleanupd "
             ├─3371 "winbindd: domain child [SVGENEBANK]"
             ├─3372 "samba: tfork waiter process(3373)"
             ├─3373 "samba: task[ldap] pre-forked worker(0)"
             ├─3374 "samba: tfork waiter process(3375)"
             ├─3375 "samba: task[ldap] pre-forked worker(1)"
             ├─3376 "samba: tfork waiter process(3377)"
             ├─3377 "samba: task[ldap] pre-forked worker(2)"
             ├─3378 "samba: tfork waiter process(3379)"
             └─3379 "samba: task[ldap] pre-forked worker(3)"

May 19 10:09:17 dc1 samba[3331]:   Attempting to autogenerate TLS self-signed keys for https for hostname 'DC1.svge>
May 19 10:09:17 dc1 smbd[3325]: [2025/05/19 10:09:17.514447,  0] source3/smbd/server.c:1746(main)
May 19 10:09:17 dc1 smbd[3325]:   smbd version 4.19.5-Ubuntu started.
May 19 10:09:17 dc1 smbd[3325]:   Copyright Andrew Tridgell and the Samba Team 1992-2023
May 19 10:09:17 dc1 systemd[1]: Started samba-ad-dc.service - Samba AD Daemon.
May 19 10:09:17 dc1 winbindd[3354]: [2025/05/19 10:09:17.581196,  0] source3/winbindd/winbindd.c:1441(main)
May 19 10:09:17 dc1 winbindd[3354]:   winbindd version 4.19.5-Ubuntu started.
May 19 10:09:17 dc1 winbindd[3354]:   Copyright Andrew Tridgell and the Samba Team 1992-2023
May 19 10:09:18 dc1 samba[3331]: [2025/05/19 10:09:18.068290,  0] source4/lib/tls/tlscert.c:154(tls_cert_generate)
May 19 10:09:18 dc1 samba[3331]:   TLS self-signed keys generated OK

Creating the reverse zone

Now we can create the reverse DNS zone and install the package that provides the setproctitle module for Python:

florin@dc1:~$ samba-tool dns zonecreate dc1.svgenebank.lan 0.168.192.in-addr.arpa -U Administrator
WARNING: Using passwords on command line is insecure. Installing the setproctitle python module will hide these from shortly after program start.
Password for [SVGENEBANK\Administrator]:
Zone 0.168.192.in-addr.arpa created successfully
florin@dc1:~$ sudo apt install python3-setproctitle
florin@dc1:~$ sudo samba-tool dns add dc1.svgenebank.lan 0.168.192.in-addr.arpa 1 PTR dc1.svgenebank.lan -U Administrator
Password for [SVGENEBANK\Administrator]:
Record added successfully

Testing the service

Testing the anonymous connection and authentication:

florin@dc1:~$ smbclient -L localhost -N
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        sysvol          Disk      
        netlogon        Disk      
        IPC$            IPC       IPC Service (Samba 4.19.5-Ubuntu)
SMB1 disabled -- no workgroup available
florin@dc1:~$ smbclient //localhost/netlogon -UAdministrator -c 'ls'
Password for [SVGENEBANK\Administrator]:
  .                                   D        0  Mon May 19 10:06:46 2025
  ..                                  D        0  Mon May 19 10:06:46 2025

                11758760 blocks of size 1024. 6040504 blocks available

Testing DNS resolution of the domain records:

florin@dc1:~$ host -t A dc1.svgenbank.lan
dc1.svgenbank.lan has no A record
florin@dc1:~$ host -t A dc1.svgenebank.lan
dc1.svgenebank.lan has address 192.168.0.51
florin@dc1:~$ host -t SRV _ldap._tcp.svgenebank.lan
_ldap._tcp.svgenebank.lan has SRV record 0 100 389 dc1.svgenebank.lan.
florin@dc1:~$ host -t SRV _kerberos._udp.svgenebank.lan
_kerberos._udp.svgenebank.lan has SRV record 0 100 88 dc1.svgenebank.lan.

Testing Kerberos

florin@dc1:~$ kinit administrator
Password for administrator@SVGENEBANK.LAN: 
Warning: Your password will expire in 41 days on Mon Jun 30 10:06:49 2025
florin@dc1:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: administrator@SVGENEBANK.LAN

Valid starting     Expires            Service principal
05/19/25 10:19:50  05/19/25 20:19:50  krbtgt/SVGENEBANK.LAN@SVGENEBANK.LAN
        renew until 05/20/25 10:19:42

Listing users and groups

florin@dc1:~$ wbinfo -u
SVGENEBANK\administrator
SVGENEBANK\guest
SVGENEBANK\krbtgt
florin@dc1:~$ wbinfo -g
SVGENEBANK\cert publishers
SVGENEBANK\ras and ias servers
SVGENEBANK\allowed rodc password replication group
SVGENEBANK\denied rodc password replication group
SVGENEBANK\dnsadmins
SVGENEBANK\enterprise read-only domain controllers
SVGENEBANK\domain admins
SVGENEBANK\domain users
SVGENEBANK\domain guests
SVGENEBANK\domain computers
SVGENEBANK\domain controllers
SVGENEBANK\schema admins
SVGENEBANK\enterprise admins
SVGENEBANK\group policy creator owners
SVGENEBANK\read-only domain controllers
SVGENEBANK\protected users
SVGENEBANK\dnsupdateproxy

Configuring the AD clock synchronization service

The chronyd service was used for synchronization.
First, change the owner of the /var/lib/samba/ntp_signd directory:

florin@dc1:~$ sudo ls -ld /var/lib/samba/ntp_signd/
drwxr-x--- 2 root root 4096 May 19 10:16 /var/lib/samba/ntp_signd/
florin@dc1:~$ sudo chown root:_chrony /var/lib/samba/ntp_signd/
florin@dc1:~$ sudo ls -ld /var/lib/samba/ntp_signd/
drwxr-x--- 2 root _chrony 4096 May 19 10:16 /var/lib/samba/ntp_signd/
florin@dc1:~$ sudo chmod 750 /var/lib/samba/ntp_signd/
florin@dc1:~$ sudo ls -ld /var/lib/samba/ntp_signd/
drwxr-x--- 2 root _chrony 4096 May 19 10:16 /var/lib/samba/ntp_signd/

Then edit the chronyd configuration file /etc/chrony/chrony.conf:

florin@dc1:~$ sudo nano /etc/chrony/chrony.conf

Add the following lines:

# ipaddress of this DC
bindcmdaddress 192.168.0.51

# dns netmask
allow 192.168.0.0/24

ntpsigndsocket /var/lib/samba/ntp_signd

In the end the file will look like this:

# Welcome to the chrony configuration file. See chrony.conf(5) for more
# information about usable directives.

# Include configuration files found in /etc/chrony/conf.d.
confdir /etc/chrony/conf.d

# This will use (up to):
# - 4 sources from ntp.ubuntu.com which some are ipv6 enabled
# - 2 sources from 2.ubuntu.pool.ntp.org which is ipv6 enabled as well
# - 1 source from [01].ubuntu.pool.ntp.org each (ipv4 only atm)
# This means by default, up to 6 dual-stack and up to 2 additional IPv4-only
# sources will be used.
# At the same time it retains some protection against one of the entries being
# down (compare to just using one of the lines). See (LP: #1754358) for the
# discussion.
#
# About using servers from the NTP Pool Project in general see (LP: #104525).
# Approved by Ubuntu Technical Board on 2011-02-08.
# See http://www.pool.ntp.org/join.html for more information.
pool ntp.ubuntu.com        iburst maxsources 4
pool 0.ubuntu.pool.ntp.org iburst maxsources 1
pool 1.ubuntu.pool.ntp.org iburst maxsources 1
pool 2.ubuntu.pool.ntp.org iburst maxsources 2

# Use time sources from DHCP.
sourcedir /run/chrony-dhcp

# Use NTP sources found in /etc/chrony/sources.d.
sourcedir /etc/chrony/sources.d

# This directive specify the location of the file containing ID/key pairs for
# NTP authentication.
keyfile /etc/chrony/chrony.keys

# This directive specify the file into which chronyd will store the rate
# information.
driftfile /var/lib/chrony/chrony.drift

# Save NTS keys and cookies.
ntsdumpdir /var/lib/chrony

# Uncomment the following line to turn logging on.
#log tracking measurements statistics

# Log files location.
logdir /var/log/chrony

# Stop bad estimates upsetting machine clock.
maxupdateskew 100.0

# This directive enables kernel synchronisation (every 11 minutes) of the
# real-time clock. Note that it can't be used along with the 'rtcfile' directive.
rtcsync

# Step the system clock instead of slewing it if the adjustment is larger than
# one second, but only in the first three clock updates.
makestep 1 3

# Get TAI-UTC offset and leap seconds from the system tz database.
# This directive must be commented out when using time sources serving
# leap-smeared time.
leapsectz right/UTC

# ipaddress of this DC
bindcmdaddress 192.168.0.51

# dns netmask
allow 192.168.0.0/24 

ntpsigndsocket /var/lib/samba/ntp_signd

After editing and saving, restart the service:

florin@dc1:~$ sudo systemctl restart chronyd

Check that it works properly:

florin@dc1:~$ sudo systemctl status chronyd
● chrony.service - chrony, an NTP client/server
     Loaded: loaded (/usr/lib/systemd/system/chrony.service; enabled; preset: enabled)
     Active: active (running) since Mon 2025-05-19 10:42:56 EEST; 9s ago
       Docs: man:chronyd(8)
             man:chronyc(1)
             man:chrony.conf(5)
    Process: 1381 ExecStart=/usr/lib/systemd/scripts/chronyd-starter.sh $DAEMON_OPTS (code=exited, status=0/SUCCESS)
   Main PID: 1392 (chronyd)
      Tasks: 2 (limit: 4609)
     Memory: 1.4M (peak: 2.2M)
        CPU: 36ms
     CGroup: /system.slice/chrony.service
             ├─1392 /usr/sbin/chronyd -F 1
             └─1393 /usr/sbin/chronyd -F 1

May 19 10:42:56 dc1 systemd[1]: Starting chrony.service - chrony, an NTP client/server...
May 19 10:42:56 dc1 chronyd[1392]: chronyd version 4.5 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +S>
May 19 10:42:56 dc1 chronyd[1392]: Loaded 0 symmetric keys
May 19 10:42:56 dc1 chronyd[1392]: Frequency -3.984 +/- 0.106 ppm read from /var/lib/chrony/chrony.drift
May 19 10:42:56 dc1 chronyd[1392]: Using right/UTC timezone to obtain leap second data
May 19 10:42:56 dc1 chronyd[1392]: MS-SNTP authentication enabled
May 19 10:42:56 dc1 chronyd[1392]: Loaded seccomp filter (level 1)
May 19 10:42:56 dc1 systemd[1]: Started chrony.service - chrony, an NTP client/server.
May 19 10:43:02 dc1 chronyd[1392]: Selected source 185.125.190.57 (ntp.ubuntu.com)
May 19 10:43:02 dc1 chronyd[1392]: System clock TAI offset set to 37 seconds
florin@dc1:~$ chronyc sources
MS Name/IP address         Stratum Poll Reach LastRx Last sample               
===============================================================================
^+ prod-ntp-3.ntp1.ps5.cano>     2   6    17    29  -2246us[-2841us] +/-   28ms
^* prod-ntp-4.ntp1.ps5.cano>     2   6    17    28  -2185us[-2780us] +/-   28ms
^+ prod-ntp-5.ntp4.ps5.cano>     2   6    17    28   -700us[-1295us] +/-   30ms
^+ alphyn.canonical.com          2   6    17    29   +646us[  +51us] +/-   84ms
^+ time.cloudflare.com           3   6    17    28  +3304us[+2709us] +/-   31ms
^- time5.hamcloud.ro             3   6    17    29    +16ms[  +15ms] +/-   74ms
^+ ntp3.hamcloud.ro              3   6    17    28  +8845us[+8250us] +/-   70ms
^- time8.hamcloud.ro             3   6    17    29  +5642us[+5047us] +/-   56ms
florin@dc1:~$ chronyc tracking
Reference ID    : B97DBE39 (prod-ntp-4.ntp4.ps5.canonical.com)
Stratum         : 3
Ref time (UTC)  : Mon May 19 07:43:04 2025
System time     : 0.000000049 seconds fast of NTP time
Last offset     : -0.000595212 seconds
RMS offset      : 0.000595212 seconds
Frequency       : 3.984 ppm slow
Residual freq   : +13.368 ppm
Skew            : 0.106 ppm
Root delay      : 0.055841085 seconds
Root dispersion : 0.001371672 seconds
Update interval : 2.0 seconds
Leap status     : Normal
florin@dc1:~$ timedatectl 
               Local time: Mon 2025-05-19 10:45:13 EEST
           Universal time: Mon 2025-05-19 07:45:13 UTC
                 RTC time: Mon 2025-05-19 07:45:13
                Time zone: Europe/Bucharest (EEST, +0300)
System clock synchronized: yes
              NTP service: active
          RTC in local TZ: no

Managing users and groups

Users

Adding a user

To add a new user, use the samba-tool user add command. First we ask for the command's help to see the parameters that can be passed with it:

florin@dc1:~$ samba-tool user add -h 
Usage: samba-tool user add <username> [<password>] [options]

Add a new user.

This command adds a new user account to the Active Directory domain.  The
username specified on the command is the sAMaccountName.

User accounts may represent physical entities, such as people or may be used
as service accounts for applications.  User accounts are also referred to as
security principals and are assigned a security identifier (SID).

A user account enables a user to logon to a computer and domain with an
identity that can be authenticated.  To maximize security, each user should
have their own unique user account and password.  A user's access to domain
resources is based on permissions assigned to the user account.

Unix (RFC2307) attributes may be added to the user account. Attributes taken
from NSS are obtained on the local machine. Explicitly given values override
values obtained from NSS. Configure 'idmap_ldb:use rfc2307 = Yes' to use these
attributes for UID/GID mapping.

The command may be run from the root userid or another authorized userid.  The
-H or --URL= option can be used to execute the command against a remote
server.

Example1:
samba-tool user add User1 passw0rd --given-name=John --surname=Smith --must-
change-at-next-login -H ldap://samba.samdom.example.com
-Uadministrator%passw1rd

Example1 shows how to add a new user to the domain against a remote LDAP
server.  The -H parameter is used to specify the remote target server.  The -U
option is used to pass the userid and password authorized to issue the command
remotely.

Example2:
sudo samba-tool user add User2 passw2rd --given-name=Jane --surname=Doe
--must-change-at-next-login

Example2 shows how to add a new user to the domain against the local server.
sudo is used so a user may run the command as root.  In this example, after
User2 is created, he/she will be forced to change their password when they
logon.

Example3:
samba-tool user add User3 passw3rd --userou='OU=OrgUnit'

Example3 shows how to add a new user in the OrgUnit organizational unit.

Example4:
samba-tool user add User4 passw4rd --rfc2307-from-nss --gecos 'some text'

Example4 shows how to add a new user with Unix UID, GID and login-shell set
from the local NSS and GECOS set to 'some text'.

Example5:
samba-tool user add User5 passw5rd --nis-domain=samdom --unix-home=/home/User5
\
    --uid-number=10005 --login-shell=/bin/false --gid-number=10000

Example5 shows how to add a new RFC2307/NIS domain enabled user account. If
--nis-domain is set, then the other four parameters are mandatory.

Options:
  -h, --help            show this help message and exit
  -H URL, --URL=URL     LDB URL for database or target server
  --must-change-at-next-login
                        Force password to be changed on next login
  --random-password     Generate random password
  --smartcard-required  Require a smartcard for interactive logons
  --use-username-as-cn  Force use of username as user's CN
  --userou=USEROU       DN of alternative location (without domainDN
                        counterpart) to default CN=Users in which new user
                        object will be created. E. g. 'OU=<OU name>'
  --surname=SURNAME     User's surname
  --given-name=GIVEN_NAME
                        User's given name
  --initials=INITIALS   User's initials
  --profile-path=PROFILE_PATH
                        User's profile path
  --script-path=SCRIPT_PATH
                        User's logon script path
  --home-drive=HOME_DRIVE
                        User's home drive letter
  --home-directory=HOME_DIRECTORY
                        User's home directory path
  --job-title=JOB_TITLE
                        User's job title
  --department=DEPARTMENT
                        User's department
  --company=COMPANY     User's company
  --description=DESCRIPTION
                        User's description
  --mail-address=MAIL_ADDRESS
                        User's email address
  --internet-address=INTERNET_ADDRESS
                        User's home page
  --telephone-number=TELEPHONE_NUMBER
                        User's phone number
  --physical-delivery-office=PHYSICAL_DELIVERY_OFFICE
                        User's office location
  --rfc2307-from-nss    Copy Unix user attributes from NSS (will be overridden
                        by explicit UID/GID/GECOS/shell)
  --nis-domain=NIS_DOMAIN
                        User's Unix/RFC2307 NIS domain
  --unix-home=UNIX_HOME
                        User's Unix/RFC2307 home directory
  --uid=UID             User's Unix/RFC2307 username
  --uid-number=UID_NUMBER
                        User's Unix/RFC2307 numeric UID
  --gid-number=GID_NUMBER
                        User's Unix/RFC2307 primary GID number
  --gecos=GECOS         User's Unix/RFC2307 GECOS field
  --login-shell=LOGIN_SHELL
                        User's Unix/RFC2307 login shell
  --color=always|never|auto
                        use colour if available (default: auto)

  Credentials Options:
    --simple-bind-dn=DN
                        DN to use for a simple bind
    --password=PASSWORD
                        Password
    -U USERNAME, --username=USERNAME
                        Username
    -W WORKGROUP, --workgroup=WORKGROUP
                        Workgroup
    -N, --no-pass       Don't ask for a password
    --ipaddress=IPADDRESS
                        IP address of server
    -P, --machine-pass  Use stored machine account password
    --use-kerberos=desired|required|off
                        Use Kerberos authentication
    --use-krb5-ccache=KRB5CCNAME
                        Kerberos Credentials cache
    -A AUTHFILE, --authentication-file=AUTHFILE
                        Authentication file
    -k KERBEROS, --kerberos=KERBEROS
                        DEPRECATED: Migrate to --use-kerberos

  Samba Common Options:
    -s FILE, --configfile=FILE
                        Configuration file
    -d DEBUGLEVEL, --debuglevel=DEBUGLEVEL
                        debug level
    --option=OPTION     set smb.conf option from command line
    --realm=REALM       set the realm name

  Version Options:
    -V, --version       Display version number

An example of adding a user on the local server (for a remote server use the -H parameter):

florin@dc1:~$ sudo samba-tool user add florint --given-name=Florin --surname=Tanasă --initials=FT --mail-address=florin.tanasa@genebanksv.ro --job-title='Specialist engineer' --department='IT&IC' --company='Genebank Suceava' --internet-address=genebanksv.ro --login-shell=/bin/bash
[sudo] password for florin: 
New Password: 
Retype Password: 
User 'florint' added successfully

Listing users:

florin@dc1:~$ sudo samba-tool user list
krbtgt
Guest
florint
Administrator

Deleting a user:

florin@dc1:~$ sudo samba-tool user delete nume_utilizator_domeniu

Changing a user's password:

florin@dc1:~$ sudo samba-tool user setpassword nume_utilizator_domeniu

Disabling and enabling a user:

florin@dc1:~$ sudo samba-tool user disable nume_utilizator_domeniu
florin@dc1:~$ sudo samba-tool user enable nume_utilizator_domeniu
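The user commands above can be combined into a bulk provisioning script that avoids two weaknesses of typing them one by one: passwords on the command line (the warning samba-tool printed in the reverse-zone section) and accounts left with a known initial password. This is an added example, not part of the original guide; SAMBA_TOOL and DC_URL are hypothetical overrides, and the script defaults to a dry run that only prints the samba-tool commands it would execute.

```shell
#!/bin/sh
# Bulk provisioning of domain accounts for the DC configured above. Added
# example, not part of the original guide. SAMBA_TOOL is a hypothetical
# override that defaults to `echo`, so by default this is a dry run that
# prints the commands. On the DC, after `kinit administrator`, run it with
# SAMBA_TOOL=samba-tool to apply. DC_URL is the LDAP URL of the DC (-H).
SAMBA_TOOL=${SAMBA_TOOL:-echo}
DC_URL=${DC_URL:-ldap://dc1.svgenebank.lan}

# valid_sam_name NAME
# Conservative policy for the sAMAccountName: 1-20 characters from
# [A-Za-z0-9._-] and not ending in a period (AD permits a few more
# characters; this policy deliberately does not).
valid_sam_name() {
    [ -n "$1" ] && [ ${#1} -le 20 ] || return 1
    case $1 in
        *[!A-Za-z0-9._-]* | *.) return 1 ;;
    esac
    return 0
}

# create_inert_user NAME GIVEN SURNAME MAIL
# Creates the account with a random password that nobody is shown, then
# disables it, so provisioning never leaves a usable default credential.
# Each call authenticates with the Kerberos ticket cache
# (--use-kerberos=required): no administrator password on the command line
# or in the process list. To hand the account over, an administrator later runs
#   samba-tool user enable NAME
#   samba-tool user setpassword NAME --must-change-at-next-login
create_inert_user() {
    name=$1; given=$2; surname=$3; mail=$4
    valid_sam_name "$name" ||
        { echo "rejected '$name': not an acceptable account name" >&2; return 2; }
    "$SAMBA_TOOL" user add "$name" -H "$DC_URL" --use-kerberos=required \
        --random-password --given-name="$given" --surname="$surname" \
        --mail-address="$mail" || return 1
    "$SAMBA_TOOL" user disable "$name" -H "$DC_URL" --use-kerberos=required
}

# provision_users_from_csv FILE
# FILE holds one "username,given,surname,mail" row per line; lines starting
# with '#' are comments. Returns 0 if every row was provisioned, 1 otherwise.
provision_users_from_csv() {
    failed=0
    while IFS=, read -r name given surname mail; do
        case $name in '' | '#'*) continue ;; esac
        create_inert_user "$name" "$given" "$surname" "$mail" || failed=1
    done < "$1"
    return $failed
}

# Constructed sample input (not real accounts); the third row is rejected.
SAMPLE_CSV=$(mktemp)
cat > "$SAMPLE_CSV" <<'EOF'
# username,given,surname,mail
florint,Florin,Tanasă,florin.tanasa@genebanksv.ro
iop,Ion,Popescu,ion.popescu@genebanksv.ro
bad name,Bad,Name,bad@genebanksv.ro
EOF

provision_users_from_csv "$SAMPLE_CSV" || echo "some rows were rejected" >&2
```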

Groups

Adding a group:

To add a new group, use the samba-tool group add command. First we ask for the command's help to see the parameters that can be passed with it:

florin@dc1:~$ samba-tool group -h add
Usage: samba-tool group add <groupname> [options]

Creates a new AD group.

This command adds a new Active Directory group.  The groupname specified on
the command is a unique sAMAccountName.

An Active Directory group may contain user and computer accounts as well as
other groups.  An administrator adds a new group and adds members to that
group so they can be managed as a single entity.  This helps to simplify
security and system administration.

Groups may also be used to establish email distribution lists, using --group-
type=Distribution.

Groups are located in domains in organizational units (OUs).  The group's
scope is a characteristic of the group that designates the extent to which the
group is applied within the domain tree or forest.

The group location (OU), type (security or distribution) and scope may all be
specified on the samba-tool command when the group is created.

The command may be run from the root userid or another authorized userid.  The
-H or --URL= option can be used to execute the command on a remote server.

Example1:
samba-tool group add Group1 -H ldap://samba.samdom.example.com
--description='Simple group'

Example1 adds a new group with the name Group1 added to the Users container on
a remote LDAP server.  The -U parameter is used to pass the userid and
password of a user that exists on the remote server and is authorized to issue
the command on that server.  It defaults to the security type and global
scope.

Example2:
sudo samba-tool group add Group2 --group-type=Distribution

Example2 adds a new distribution group to the local server.  The command is
run under root using the sudo command.

Example3:
samba-tool group add Group3 --nis-domain=samdom --gid-number=12345

Example3 adds a new RFC2307 enabled group for NIS domain samdom and GID 12345
(both options are required to enable this feature).

Options:
  -h, --help            show this help message and exit
  -H URL, --URL=URL     LDB URL for database or target server
  --groupou=GROUPOU     Alternative location (without domainDN counterpart) to
                        default CN=Users in which new user object will be
                        created
  --group-scope=GROUP_SCOPE
                        Group scope (Domain | Global | Universal)
  --group-type=GROUP_TYPE
                        Group type (Security | Distribution)
  --description=DESCRIPTION
                        Group's description
  --mail-address=MAIL_ADDRESS
                        Group's email address
  --notes=NOTES         Groups's notes
  --gid-number=GID_NUMBER
                        Group's Unix/RFC2307 GID number
  --nis-domain=NIS_DOMAIN
                        SFU30 NIS Domain
  --special             Add a special predefined group
  --color=always|never|auto
                        use colour if available (default: auto)

  Credentials Options:
    --simple-bind-dn=DN
                        DN to use for a simple bind
    --password=PASSWORD
                        Password
    -U USERNAME, --username=USERNAME
                        Username
    -W WORKGROUP, --workgroup=WORKGROUP
                        Workgroup
    -N, --no-pass       Don't ask for a password
    --ipaddress=IPADDRESS
                        IP address of server
    -P, --machine-pass  Use stored machine account password
    --use-kerberos=desired|required|off
                        Use Kerberos authentication
    --use-krb5-ccache=KRB5CCNAME
                        Kerberos Credentials cache
    -A AUTHFILE, --authentication-file=AUTHFILE
                        Authentication file
    -k KERBEROS, --kerberos=KERBEROS
                        DEPRECATED: Migrate to --use-kerberos

  Samba Common Options:
    -s FILE, --configfile=FILE
                        Configuration file
    -d DEBUGLEVEL, --debuglevel=DEBUGLEVEL
                        debug level
    --option=OPTION     set smb.conf option from command line
    --realm=REALM       set the realm name

  Version Options:
    -V, --version       Display version number

As an example, we create a group named IT-IC:

florin@dc1:~$ sudo samba-tool group add IT-IC --description='Group for IT and IC members' --mail-address=it.ic@genebanksv.ro
Added group IT-IC

Deleting a group:

florin@dc1:~$ sudo samba-tool group delete nume_grup

Listing groups:

florin@dc1:~$ sudo samba-tool group list
Incoming Forest Trust Builders
Distributed COM Users
Domain Guests
Terminal Server License Servers
Domain Admins
Windows Authorization Access Group
Network Configuration Operators
Account Operators
Domain Users
Domain Controllers
Server Operators
Pre-Windows 2000 Compatible Access
Guests
Read-only Domain Controllers
Print Operators
RAS and IAS Servers
Performance Monitor Users
Group Policy Creator Owners
DnsUpdateProxy
Domain Computers
Cert Publishers
Performance Log Users
Event Log Readers
Cryptographic Operators
Schema Admins
IT-IC
Certificate Service DCOM Access
Enterprise Admins
DnsAdmins
Denied RODC Password Replication Group
Protected Users
IIS_IUSRS
Replicator
Users
Remote Desktop Users
Allowed RODC Password Replication Group
Administrators
Enterprise Read-only Domain Controllers
Backup Operators

Listing the users that are members of a group:

florin@dc1:~$ sudo samba-tool group listmembers "Domain Users"
Administrator
krbtgt
florint
florin@dc1:~$ sudo samba-tool group listmembers "Domain Admins"
Administrator

Adding new members to a group:

florin@dc1:~$ sudo samba-tool group addmembers IT-IC florint 
Added members to group IT-IC

Removing members from a group:

florin@dc1:~$ sudo samba-tool group removemembers IT-IC florint
Removed members from group IT-IC

Information about the domain password policy

florin@dc1:~$ sudo samba-tool domain passwordsettings show
Password information for domain 'DC=svgenebank,DC=lan'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30
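
The policy output above is worth auditing rather than just reading: a lockout threshold of 0, as shown for this domain, means accounts never lock after failed logins. The script below is an added example, not part of this tutorial or of Samba; it parses the text printed by samba-tool domain passwordsettings show and lists the settings that fall outside a baseline. The baseline numbers (minimum length 14, lockout after at most 10 attempts) and the SAMPLE_POLICY text are assumptions constructed for the example, the latter copied from the output captured on dc1.

```shell
#!/bin/sh
# Added example (not from the Samba project or this tutorial): audit the
# output of "samba-tool domain passwordsettings show" against a baseline and
# print the settings a domain admin should revisit. The baseline numbers and
# the SAMPLE_POLICY text are assumptions constructed for this example; the
# sample reproduces the output captured on dc1 above.

SAMPLE_POLICY=$(cat <<'EOF'
Password information for domain 'DC=svgenebank,DC=lan'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30
EOF
)

# policy_value TEXT KEY: print the value of the "KEY: value" line.
# Keys contain parentheses, so match a fixed prefix instead of a regex.
policy_value() {
    printf '%s\n' "$1" | awk -v k="$2" \
        'index($0, k ": ") == 1 { print substr($0, length(k) + 3); exit }'
}

# policy_findings TEXT: print one line per setting outside the baseline,
# each with the samba-tool command that corrects it. Always returns 0;
# count the printed lines to know whether anything was found.
policy_findings() {
    text=$1
    min_len=14        # assumption: baseline minimum password length
    max_threshold=10  # assumption: lock out after at most 10 failed attempts
    complexity=$(policy_value "$text" "Password complexity")
    plaintext=$(policy_value "$text" "Store plaintext passwords")
    length=$(policy_value "$text" "Minimum password length")
    threshold=$(policy_value "$text" "Account lockout threshold (attempts)")
    length=${length:-0}
    threshold=${threshold:-0}

    [ "$complexity" = "on" ] ||
        echo "password complexity is '$complexity': samba-tool domain passwordsettings set --complexity=on"
    [ "$plaintext" = "off" ] ||
        echo "plaintext password storage is '$plaintext': samba-tool domain passwordsettings set --store-plaintext=off"
    [ "$length" -ge "$min_len" ] ||
        echo "minimum password length $length is below $min_len: samba-tool domain passwordsettings set --min-pwd-length=$min_len"
    # In Active Directory a lockout threshold of 0 means accounts never lock,
    # so repeated failed logins are never stopped by the DC itself.
    if [ "$threshold" -eq 0 ]; then
        echo "account lockout is disabled (threshold 0): samba-tool domain passwordsettings set --account-lockout-threshold=$max_threshold"
    elif [ "$threshold" -gt "$max_threshold" ]; then
        echo "lockout threshold $threshold is above $max_threshold: samba-tool domain passwordsettings set --account-lockout-threshold=$max_threshold"
    fi
    return 0
}

# Report for the captured sample. For a live audit on the DC run:
#   policy_findings "$(sudo samba-tool domain passwordsettings show)"
policy_findings "$SAMPLE_POLICY"
```

For the policy shown on this page the script reports two findings: the minimum length of 7 and the disabled lockout.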

Local login on the AD-DC server using AD accounts

By default, AD users cannot log in to the dc1 system with the AD accounts created with samba-tool. To allow such logins we have to configure the PAM stack that controls access to the system.
First we make a few changes to the samba service's configuration file smb.conf:

sudo nano /etc/samba/smb.conf

where we add the following directives in the [global] section:

winbind enum users = yes
winbind enum groups = yes
template shell = /bin/bash
template homedir = /home/%U

The file will then look like this:

# Global parameters
[global]
        dns forwarder = 8.8.8.8
        netbios name = DC1
        realm = SVGENEBANK.LAN
        server role = active directory domain controller
        workgroup = SVGENEBANK
        idmap_ldb:use rfc2307 = yes

        winbind enum users = yes
        winbind enum groups = yes
        template shell = /bin/bash
        template homedir = /home/%U

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[netlogon]
        path = /var/lib/samba/sysvol/svgenebank.lan/scripts
        read only = No

We check the configuration file for errors with the testparm command, and if there are none we restart the service:

florin@dc1:~$ testparm 
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)

Server role: ROLE_ACTIVE_DIRECTORY_DC

Press enter to see a dump of your service definitions

# Global parameters
[global]
        dns forwarder = 8.8.8.8
        passdb backend = samba_dsdb
        realm = SVGENEBANK.LAN
        server role = active directory domain controller
        template homedir = /home/%U
        template shell = /bin/bash
        winbind enum groups = Yes
        winbind enum users = Yes
        workgroup = SVGENEBANK
        rpc_server:tcpip = no
        rpc_daemon:spoolssd = embedded
        rpc_server:spoolss = embedded
        rpc_server:winreg = embedded
        rpc_server:ntsvcs = embedded
        rpc_server:eventlog = embedded
        rpc_server:srvsvc = embedded
        rpc_server:svcctl = embedded
        rpc_server:default = external
        winbindd:use external pipes = true
        idmap_ldb:use rfc2307 = yes
        idmap config * : backend = tdb
        map archive = No
        vfs objects = dfs_samba4 acl_xattr

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[netlogon]
        path = /var/lib/samba/sysvol/svgenebank.lan/scripts
        read only = No
florin@dc1:~$ sudo systemctl restart samba-ad-dc.service

To query the AD you can use tools such as getent and wbinfo:

florin@dc1:~$ getent passwd | grep SVGENEBANK
SVGENEBANK\administrator:*:0:100::/home/administrator:/bin/bash
SVGENEBANK\guest:*:3000011:3000012::/home/guest:/bin/bash
SVGENEBANK\krbtgt:*:3000018:100::/home/krbtgt:/bin/bash
SVGENEBANK\florint:*:3000017:100::/home/florint:/bin/bash
florin@dc1:~$ getent group | grep SVGENEBANK
SVGENEBANK\cert publishers:x:3000035:
SVGENEBANK\ras and ias servers:x:3000036:
SVGENEBANK\allowed rodc password replication group:x:3000037:
SVGENEBANK\denied rodc password replication group:x:3000005:
SVGENEBANK\dnsadmins:x:3000038:
SVGENEBANK\enterprise read-only domain controllers:x:3000039:
SVGENEBANK\domain admins:x:3000004:
SVGENEBANK\domain users:x:100:
SVGENEBANK\domain guests:x:3000012:
SVGENEBANK\domain computers:x:3000040:
SVGENEBANK\domain controllers:x:3000041:
SVGENEBANK\schema admins:x:3000006:
SVGENEBANK\enterprise admins:x:3000007:
SVGENEBANK\group policy creator owners:x:3000008:
SVGENEBANK\read-only domain controllers:x:3000042:
SVGENEBANK\protected users:x:3000043:
SVGENEBANK\dnsupdateproxy:x:3000044:
SVGENEBANK\it-ic:x:3000045:
florin@dc1:~$ wbinfo -u
SVGENEBANK\administrator
SVGENEBANK\guest
SVGENEBANK\krbtgt
SVGENEBANK\florint
florin@dc1:~$ wbinfo -g
SVGENEBANK\cert publishers
SVGENEBANK\ras and ias servers
SVGENEBANK\allowed rodc password replication group
SVGENEBANK\denied rodc password replication group
SVGENEBANK\dnsadmins
SVGENEBANK\enterprise read-only domain controllers
SVGENEBANK\domain admins
SVGENEBANK\domain users
SVGENEBANK\domain guests
SVGENEBANK\domain computers
SVGENEBANK\domain controllers
SVGENEBANK\schema admins
SVGENEBANK\enterprise admins
SVGENEBANK\group policy creator owners
SVGENEBANK\read-only domain controllers
SVGENEBANK\protected users
SVGENEBANK\dnsupdateproxy
SVGENEBANK\it-ic
florin@dc1:~$ wbinfo -i florint
SVGENEBANK\florint:*:3000017:100::/home/florint:/bin/bash

Next we change the PAM (Linux Pluggable Authentication Modules) configuration files. Ubuntu provides a utility for this:

florin@dc1:~$ sudo pam-auth-update 

and we enable the option that creates the home directory automatically when a user logs in:
[screenshot]
For a test we log in with a domain user:

florin@dc1:~$ sudo su - florint
Creating directory '/home/florint'.
SVGENEBANK\florint@dc1:~$ ls -a
.  ..  .bash_logout  .bashrc  .profile
SVGENEBANK\florint@dc1:~$ whoami 
SVGENEBANK\florint
florin@dc1:~$ su - florint
Password: 
groups: cannot find name for group ID 3000046
SVGENEBANK\florint@dc1:~$ whoami 
SVGENEBANK\florint
SVGENEBANK\florint@dc1:~$ id
uid=3000017(SVGENEBANK\florint) gid=100(users) groups=100(users),3000009(BUILTIN\users),3000017(SVGENEBANK\florint),3000045(SVGENEBANK\it-ic),3000046

There is a group id without a name, most likely left over from a group created and deleted during testing.
Domain users can now log in locally to the server.
For remote login via ssh:

florin@dc1:~$ ssh florint@dc1.svgenebank.lan
florint@dc1.svgenebank.lan's password: 
Warning: Your password will expire in 41 days on Mon Jun 30 14:17:25 2025
Warning: Your password will expire in 41 days on Mon Jun 30 14:17:25 2025
Welcome to Ubuntu 24.04.2 LTS (GNU/Linux 6.8.0-60-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

 System information as of Tue May 20 10:17:41 AM EEST 2025

  System load:  0.0                Processes:               203
  Usage of /:   43.8% of 11.21GB   Users logged in:         2
  Memory usage: 11%                IPv4 address for enp1s0: 192.168.0.51
  Swap usage:   0%

 * Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
   just raised the bar for easy, resilient and secure K8s cluster deployment.

   https://ubuntu.com/engage/secure-kubernetes-at-the-edge

Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status

Last login: Tue May 20 10:15:30 2025 from 192.168.0.51
groups: cannot find name for group ID 3000046

Authentication via ssh with a domain user's name and password works as well.

Joining a Linux client to the AD-DC

It is very important that the devices to be joined have their clocks synchronised with the server, in this case dc1.svgenebank.lan. It is just as important that the client device can resolve the DNS name 'dc1.svgenebank.lan'; this can be arranged by editing /etc/resolv.conf.

Joining a device running Rocky Linux [2]

Configure the network interface with a static IP and define the DNS resolvers using the nmtui utility, which works very well in the console:
[screenshot]
Set the client machine's name:

[florin@localhost ~]$ sudo hostnamectl set-hostname florin-rocky

In /etc/hosts we define our machine:

[florin@localhost ~]$ cat /etc/hosts 
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.0.41 florin-rocky.svgenebank.lan florin-rocky

Reboot the machine. After the reboot we check:

[florin@florin-rocky ~]$ ping -c3 google.ro
PING google.ro (172.217.169.99) 56(84) bytes of data.
64 bytes from sof02s31-in-f3.1e100.net (172.217.169.99): icmp_seq=1 ttl=112 time=25.7 ms
64 bytes from sof02s31-in-f3.1e100.net (172.217.169.99): icmp_seq=2 ttl=112 time=25.9 ms
64 bytes from sof02s31-in-f3.1e100.net (172.217.169.99): icmp_seq=3 ttl=112 time=25.8 ms

--- google.ro ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 25.745/25.797/25.852/0.043 ms
[florin@florin-rocky ~]$ ping -c3 dc1
PING dc1.svgenebank.lan (192.168.0.51) 56(84) bytes of data.
64 bytes from 192.168.0.51 (192.168.0.51): icmp_seq=1 ttl=64 time=0.521 ms
64 bytes from 192.168.0.51 (192.168.0.51): icmp_seq=2 ttl=64 time=0.781 ms
64 bytes from 192.168.0.51 (192.168.0.51): icmp_seq=3 ttl=64 time=0.715 ms

--- dc1.svgenebank.lan ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2004ms
rtt min/avg/max/mdev = 0.521/0.672/0.781/0.110 ms

To synchronise the clock of the florin-rocky machine with that of the AD-DC server dc1, edit the configuration file of the chronyd service:

[florin@florin-rocky ~]$ sudo nano /etc/chrony.conf 

Make the following changes:

#pool 2.rocky.pool.ntp.org iburst

# server from which the time is taken
server 192.168.0.51 iburst

# ipaddress of this Unix domain member
bindcmdaddress 192.168.0.41

In the end the chrony.conf file will look like this:

# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (https://www.pool.ntp.org/join.html).
#pool 2.rocky.pool.ntp.org iburst

# server from which the time is taken
server 192.168.0.51 iburst

# ipaddress of this Unix domain member
bindcmdaddress 192.168.0.41

# Use NTP servers from DHCP.
sourcedir /run/chrony-dhcp

# Record the rate at which the system clock gains/losses time.
driftfile /var/lib/chrony/drift

# Allow the system clock to be stepped in the first three updates
# if its offset is larger than 1 second.
makestep 1.0 3

# Enable kernel synchronization of the real-time clock (RTC).
rtcsync

# Enable hardware timestamping on all interfaces that support it.
#hwtimestamp *

# Increase the minimum number of selectable sources required to adjust
# the system clock.
#minsources 2

# Allow NTP client access from local network.
#allow 192.168.0.0/16

# Serve time even if not synchronized to a time source.
#local stratum 10

# Require authentication (nts or key option) for all NTP sources.
#authselectmode require

# Specify file containing keys for NTP authentication.
keyfile /etc/chrony.keys

# Save NTS keys and cookies.
ntsdumpdir /var/lib/chrony

# Insert/delete leap seconds by slewing instead of stepping.
#leapsecmode slew

# Get TAI-UTC offset and leap seconds from the system tz database.
leapsectz right/UTC

# Specify directory for log files.
logdir /var/log/chrony

# Select which information is logged.
#log measurements statistics tracking

After saving the chronyd configuration file, restart the service and verify that it works properly:

[florin@florin-rocky ~]$ sudo systemctl restart chronyd
[florin@florin-rocky ~]$ sudo systemctl status chronyd
● chronyd.service - NTP client/server
     Loaded: loaded (/usr/lib/systemd/system/chronyd.service; enabled; preset: enabled)
     Active: active (running) since Mon 2025-05-19 13:02:55 EEST; 2s ago
       Docs: man:chronyd(8)
             man:chrony.conf(5)
    Process: 2974 ExecStart=/usr/sbin/chronyd $OPTIONS (code=exited, status=0/SUCCESS)
   Main PID: 2976 (chronyd)
      Tasks: 1 (limit: 16182)
     Memory: 920.0K
        CPU: 25ms
     CGroup: /system.slice/chronyd.service
             └─2976 /usr/sbin/chronyd -F 2

mai 19 13:02:55 florin-rocky systemd[1]: Starting NTP client/server...
mai 19 13:02:55 florin-rocky chronyd[2976]: chronyd version 4.5 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SIGND +ASYNCDNS +NTS +SECHASH +IPV>
mai 19 13:02:55 florin-rocky chronyd[2976]: Loaded 0 symmetric keys
mai 19 13:02:55 florin-rocky chronyd[2976]: Using right/UTC timezone to obtain leap second data
mai 19 13:02:55 florin-rocky chronyd[2976]: Frequency -4.175 +/- 2.816 ppm read from /var/lib/chrony/drift
mai 19 13:02:55 florin-rocky chronyd[2976]: Loaded seccomp filter (level 2)
mai 19 13:02:55 florin-rocky systemd[1]: Started NTP client/server.
[florin@florin-rocky ~]$ chronyc sources
MS Name/IP address         Stratum Poll Reach LastRx Last sample               
===============================================================================
^* 192.168.0.51                  3   6    17    47    +11us[  +32us] +/-   29ms
[florin@florin-rocky ~]$ chronyc tracking
Reference ID    : C0A80033 (192.168.0.51)
Stratum         : 4
Ref time (UTC)  : Mon May 19 10:03:01 2025
System time     : 0.000000004 seconds slow of NTP time
Last offset     : +0.000021484 seconds
RMS offset      : 0.000021484 seconds
Frequency       : 4.175 ppm slow
Residual freq   : +1.455 ppm
Skew            : 2.929 ppm
Root delay      : 0.055686146 seconds
Root dispersion : 0.001265819 seconds
Update interval : 2.0 seconds
Leap status     : Normal

As can be seen, the clock of the florin-rocky machine is now in sync with the clock of the AD-DC server dc1 (ip 192.168.0.51).
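
Since a skewed clock makes the later realm join and every Kerberos login fail, the check above can be scripted before joining. The script below is an added example, not part of this tutorial or of chrony: it parses chronyc tracking output and confirms that the time source is the DC, that chrony reports a synchronised clock, and that the offset is inside the 300 s that krb5 tolerates by default (assumed unchanged). SAMPLE_TRACKING is a constructed copy of the output captured on florin-rocky above.

```shell
#!/bin/sh
# Added example (not from this tutorial or the chrony project): check, before
# running "realm join", that the client's clock follows the DC and is within
# the clock skew Kerberos tolerates. The 300 s tolerance is the krb5 default
# (assumption that it has not been changed); SAMPLE_TRACKING is a constructed
# copy of the "chronyc tracking" output captured on florin-rocky above.

DC_IP=192.168.0.51   # the AD-DC used throughout this page
MAX_SKEW=300         # seconds; the default Kerberos clockskew

SAMPLE_TRACKING=$(cat <<'EOF'
Reference ID    : C0A80033 (192.168.0.51)
Stratum         : 4
Ref time (UTC)  : Mon May 19 10:03:01 2025
System time     : 0.000000004 seconds slow of NTP time
Last offset     : +0.000021484 seconds
RMS offset      : 0.000021484 seconds
Frequency       : 4.175 ppm slow
Residual freq   : +1.455 ppm
Skew            : 2.929 ppm
Root delay      : 0.055686146 seconds
Root dispersion : 0.001265819 seconds
Update interval : 2.0 seconds
Leap status     : Normal
EOF
)

# tracking_field TEXT NAME: print the value after "NAME :" in chronyc output.
tracking_field() {
    printf '%s\n' "$1" | awk -F' *: ' -v k="$2" '$1 == k { print $2; exit }'
}

# tracking_source_ip TEXT: the address in parentheses on the Reference ID line;
# empty when chrony is not synchronised ("Reference ID : 00000000 ()").
tracking_source_ip() {
    tracking_field "$1" "Reference ID" | sed -n 's/.*(\(.*\)).*/\1/p'
}

# tracking_offset_seconds TEXT: signed offset of the system clock from NTP
# time, negative when the clock is "slow of" (behind) NTP time.
tracking_offset_seconds() {
    tracking_field "$1" "System time" |
        awk '{ s = ($3 == "fast") ? "+" : "-"; printf "%s%s\n", s, $1 }'
}

# clock_within_skew OFFSET MAX: true when |OFFSET| <= MAX (both in seconds).
clock_within_skew() {
    awk -v o="$1" -v m="$2" \
        'BEGIN { o += 0; m += 0; if (o < 0) o = -o; exit !(o <= m) }'
}

# ready_to_join TEXT DC_IP MAX_SKEW: 0 when the clock is synchronised to the
# DC within tolerance; otherwise prints each reason and returns 1.
ready_to_join() {
    text=$1; dc=$2; max=$3; status=0
    src=$(tracking_source_ip "$text")
    leap=$(tracking_field "$text" "Leap status")
    off=$(tracking_offset_seconds "$text")
    [ "$src" = "$dc" ] ||
        { echo "time source is '${src:-none}', expected the DC $dc"; status=1; }
    [ "$leap" = "Normal" ] ||
        { echo "leap status is '$leap', clock is not synchronised"; status=1; }
    clock_within_skew "$off" "$max" ||
        { echo "offset ${off}s exceeds the ${max}s Kerberos tolerance"; status=1; }
    return $status
}

# Report for the captured sample. On a real client run:
#   ready_to_join "$(chronyc tracking)" "$DC_IP" "$MAX_SKEW" && sudo realm join dc1.svgenebank.lan
if ready_to_join "$SAMPLE_TRACKING" "$DC_IP" "$MAX_SKEW"; then
    echo "clock follows $DC_IP within ${MAX_SKEW}s; safe to run realm join"
fi
```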

Next, install the packages needed to join the florin-rocky machine to the domain:

[florin@florin-rocky ~]$ sudo dnf install realmd oddjob oddjob-mkhomedir sssd adcli krb5-workstation

Check that the domain server is visible:

[florin@florin-rocky ~]$ realm discover svgenebank.lan
svgenebank.lan
  type: kerberos
  realm-name: SVGENEBANK.LAN
  domain-name: svgenebank.lan
  configured: no
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools

Next, join the machine running Rocky Linux to the domain:

[florin@florin-rocky ~]$ sudo realm join dc1.svgenebank.lan
Password for Administrator@SVGENEBANK.LAN: 
Warning: Your password will expire in 41 days on Lu 30 iun 2025 10:06:49 +0300

After entering the domain administrator's password, the machine florin-rocky is joined to the domain svgenebank.lan.

Verification

After the configuration above, passwd information can be requested for a domain account to confirm that everything works:

[florin@florin-rocky ~]$ sudo getent passwd administrator@svgenebank.lan
administrator@svgenebank.lan:*:487200500:487200513:Administrator:/home/administrator@svgenebank.lan:/bin/bash

As can be seen, our machine receives account information from the samba AD-DC server dc1.

Authenticating with a domain user's name and password in Rocky Linux

For the first login to the domain, choose the "Not listed?" user entry:
[screenshot]
Then fill in the domain user name:
[screenshot]
Finally, fill in the domain user's password:
[screenshot]
After authenticating to the domain we are logged in and the workstation is usable:
[screenshot]
As can be seen, the workstation has taken its account information from the AD-DC.
The user florint will be visible at the next login in the desktop manager (gdm):
[screenshot]

Removing a workstation from the domain

[florin@florin-rocky ~]$ sudo realm leave svgenebank.lan

Join variant using the samba and winbind services

Next, the florin-rocky machine is joined using samba and winbind. This is the preferred variant:

[florin@florin-rocky ~]$ sudo dnf install samba samba-winbind samba-client
[florin@florin-rocky ~]$ sudo realm join -v --membership-software=samba --client-software=winbind dc1.svgenebank.lan

We check that the samba, winbind and oddjobd services are running:

[florin@florin-rocky ~]$ sudo systemctl status winbind.service 
● winbind.service - Samba Winbind Daemon
     Loaded: loaded (/usr/lib/systemd/system/winbind.service; enabled; preset: disabled)
     Active: active (running) since Wed 2025-05-21 08:18:29 EEST; 3min 45s ago
       Docs: man:winbindd(8)
             man:samba(7)
             man:smb.conf(5)
   Main PID: 3389 (winbindd)
     Status: "winbindd: ready to serve connections..."
      Tasks: 6 (limit: 16182)
     Memory: 17.6M
        CPU: 795ms
     CGroup: /system.slice/winbind.service
             ├─3389 /usr/sbin/winbindd --foreground --no-process-group
             ├─3392 /usr/sbin/winbindd --foreground --no-process-group
             ├─3394 /usr/sbin/winbindd --foreground --no-process-group
             ├─3604 /usr/libexec/samba/samba-dcerpcd --libexec-rpcds --ready-signal-fd=24 --np-helper --debuglevel=0
             ├─3614 /usr/libexec/samba/rpcd_lsad --configfile=/etc/samba/smb.conf --worker-group=6 --worker-index=5 --debuglevel=0
             └─3616 /usr/libexec/samba/rpcd_lsad --configfile=/etc/samba/smb.conf --worker-group=6 --worker-index=6 --debuglevel=0

mai 21 08:18:30 florin-rocky rpcd_lsad[3468]:   Copyright Andrew Tridgell and the Samba Team 1992-2024
mai 21 08:21:26 florin-rocky samba-dcerpcd[3604]: [2025/05/21 08:21:26.801281,  0] ../../source3/rpc_server/rpc_host.c:2905(main)
mai 21 08:21:26 florin-rocky samba-dcerpcd[3604]:   samba-dcerpcd version 4.20.2 started.
mai 21 08:21:26 florin-rocky samba-dcerpcd[3604]:   Copyright Andrew Tridgell and the Samba Team 1992-2024
mai 21 08:21:26 florin-rocky rpcd_lsad[3614]: [2025/05/21 08:21:26.940341,  0] ../../source3/rpc_server/rpc_worker.c:1155(rpc_worker_main)
mai 21 08:21:26 florin-rocky rpcd_lsad[3614]:   rpcd_lsad version 4.20.2 started.
mai 21 08:21:26 florin-rocky rpcd_lsad[3614]:   Copyright Andrew Tridgell and the Samba Team 1992-2024
mai 21 08:21:26 florin-rocky rpcd_lsad[3616]: [2025/05/21 08:21:26.971334,  0] ../../source3/rpc_server/rpc_worker.c:1155(rpc_worker_main)
mai 21 08:21:26 florin-rocky rpcd_lsad[3616]:   rpcd_lsad version 4.20.2 started.
mai 21 08:21:26 florin-rocky rpcd_lsad[3616]:   Copyright Andrew Tridgell and the Samba Team 1992-2024
[florin@florin-rocky ~]$ sudo systemctl status oddjobd.service 
● oddjobd.service - privileged operations for unprivileged applications
     Loaded: loaded (/usr/lib/systemd/system/oddjobd.service; enabled; preset: disabled)
     Active: active (running) since Wed 2025-05-21 08:07:26 EEST; 14min ago
   Main PID: 913 (oddjobd)
      Tasks: 1 (limit: 16182)
     Memory: 1.3M
        CPU: 2ms
     CGroup: /system.slice/oddjobd.service
             └─913 /usr/sbin/oddjobd -n -p /run/oddjobd.pid -t 300

mai 21 08:07:26 florin-rocky systemd[1]: Started privileged operations for unprivileged applications.

We modify the configuration file /etc/samba/smb.conf so that logins use "user" rather than "user@domain_name", and so that the list of users and groups can be enumerated:

winbind use default domain = yes
winbind enum groups = yes
winbind enum users = yes

The file will then look like this:

# See smb.conf.example for a more detailed config file or
# read the smb.conf manpage.
# Run 'testparm' to verify the config is correct after
# you modified it.
#
# Note:
# SMB1 is disabled by default. This means clients without support for SMB2 or
# SMB3 are no longer able to connect to smbd (by default).

[global]
    security = ads

    passdb backend = tdbsam

    printing = cups
    printcap name = cups
    load printers = yes
    cups options = raw

    kerberos method = secrets and keytab
    template homedir = /home/%U@%D
    password server = dc1.svgenebank.lan
    template shell = /bin/bash
    idmap config SVGENEBANK : range = 2000000-2999999
    idmap config SVGENEBANK : backend = rid
    idmap config * : range = 10000-999999
    idmap config * : backend = tdb

    winbind use default domain = yes
    winbind refresh tickets = yes
    winbind offline logon = yes
    winbind enum groups = yes
    winbind enum users = yes

    realm = SVGENEBANK.LAN
    workgroup = SVGENEBANK

[homes]
    comment = Home Directories
    valid users = %S, %D%w%S
    browseable = No
    read only = No
    inherit acls = Yes

[printers]
    comment = All Printers
    path = /var/tmp
    printable = Yes
    create mask = 0600
    browseable = No

[print$]
    comment = Printer Drivers
    path = /var/lib/samba/drivers
    write list = @printadmin root
    force group = @printadmin
    create mask = 0664
    directory mask = 0775
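
The idmap lines in this file decide which Unix IDs domain accounts get: with backend = rid winbind computes ID = range low + RID, which is why alinat later shows up as uid 2001111 and "domain users" as gid 2000513. Ranges that overlap (for instance a "*" range that reaches into the domain range) let two different SIDs collide on one Unix ID, and a RID beyond the range top cannot be mapped at all. The script below is an added example, not part of this tutorial or of Samba; it parses the idmap config lines, reports overlapping ranges, and computes the Unix ID for a given RID. SAMPLE_CONF is a constructed excerpt of the smb.conf shown above.

```shell
#!/bin/sh
# Added example (not from this tutorial or the Samba project): sanity-check the
# "idmap config" lines of a domain member's smb.conf. With "backend = rid"
# winbind computes the Unix ID as range_low + RID, so the domain range must
# contain every RID in use and must not overlap the default "*" range, or two
# different SIDs can collide on one Unix ID. SAMPLE_CONF is a constructed
# excerpt of the florin-rocky smb.conf shown above.

SAMPLE_CONF=$(cat <<'EOF'
[global]
    security = ads
    idmap config SVGENEBANK : range = 2000000-2999999
    idmap config SVGENEBANK : backend = rid
    idmap config * : range = 10000-999999
    idmap config * : backend = tdb
    realm = SVGENEBANK.LAN
EOF
)

# idmap_ranges CONF: print "domain low high" for each "idmap config X : range".
idmap_ranges() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*idmap config .*:[ \t]*range[ \t]*=/ {
            sub(/^[ \t]*idmap config[ \t]*/, "")
            split($0, p, /[ \t]*:[ \t]*range[ \t]*=[ \t]*/)
            split(p[2], r, "-")
            print p[1], r[1] + 0, r[2] + 0
        }'
}

# idmap_backend CONF DOMAIN: print the backend configured for DOMAIN.
idmap_backend() {
    printf '%s\n' "$1" | awk -v d="$2" '
        /^[ \t]*idmap config .*:[ \t]*backend[ \t]*=/ {
            sub(/^[ \t]*idmap config[ \t]*/, "")
            split($0, p, /[ \t]*:[ \t]*backend[ \t]*=[ \t]*/)
            sub(/[ \t]+$/, "", p[2])
            if (p[1] == d) { print p[2]; exit }
        }'
}

# idmap_overlaps CONF: print every pair of overlapping ranges; returns 1 if
# any overlap exists, 0 when all ranges are disjoint.
idmap_overlaps() {
    idmap_ranges "$1" | awk '
        { d[NR] = $1; lo[NR] = $2; hi[NR] = $3 }
        END {
            bad = 0
            for (i = 1; i <= NR; i++)
                for (j = i + 1; j <= NR; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                        print "overlap: " d[i] " " lo[i] "-" hi[i] " and " d[j] " " lo[j] "-" hi[j]
                        bad = 1
                    }
            exit bad
        }'
}

# rid_to_unix_id CONF DOMAIN RID: the uid/gid winbind's rid backend assigns to
# RID in DOMAIN, or an error (status 1) when it cannot be mapped.
rid_to_unix_id() {
    range=$(idmap_ranges "$1" | awk -v d="$2" '$1 == d { print $2, $3; exit }')
    [ -n "$range" ] || { echo "no idmap range for domain $2" >&2; return 1; }
    [ "$(idmap_backend "$1" "$2")" = "rid" ] ||
        { echo "domain $2 does not use backend = rid" >&2; return 1; }
    set -- $range "$3"          # $1 = low, $2 = high, $3 = RID
    id=$(( $1 + $3 ))
    [ "$id" -le "$2" ] ||
        { echo "RID $3 maps to $id, outside $1-$2" >&2; return 1; }
    echo "$id"
}

# Report for the sample. On a member run: idmap_overlaps "$(cat /etc/samba/smb.conf)"
idmap_overlaps "$SAMPLE_CONF" && echo "idmap ranges are disjoint"
# The uid 2001111 seen above for alinat implies RID 1111; "Domain Users" is RID 513.
echo "alinat (RID 1111) -> uid $(rid_to_unix_id "$SAMPLE_CONF" SVGENEBANK 1111)"
echo "Domain Users (RID 513) -> gid $(rid_to_unix_id "$SAMPLE_CONF" SVGENEBANK 513)"
```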

To give the user florint the right to run any command and administer the machine, the user must be added to the /etc/sudoers file:

# Users from domain to run all commands
florint ALL=(ALL) ALL

Logging in to a domain machine can be done with the domain user name:
[screenshots]
To be visible on the network and share files, the samba service can be started:

[florint@florin-rocky ~]$ sudo systemctl start smb.service
[florint@florin-rocky ~]$ sudo systemctl status smb.service 
● smb.service - Samba SMB Daemon
     Loaded: loaded (/usr/lib/systemd/system/smb.service; disabled; preset: disabled)
     Active: active (running) since Wed 2025-05-21 09:16:17 EEST; 5min ago
       Docs: man:smbd(8)
             man:samba(7)
             man:smb.conf(5)
   Main PID: 3030 (smbd)
     Status: "smbd: ready to serve connections..."
      Tasks: 4 (limit: 16182)
     Memory: 9.5M
        CPU: 399ms
     CGroup: /system.slice/smb.service
             ├─3030 /usr/sbin/smbd --foreground --no-process-group
             ├─3032 /usr/sbin/smbd --foreground --no-process-group
             ├─3033 /usr/sbin/smbd --foreground --no-process-group
             └─3045 /usr/sbin/smbd --foreground --no-process-group

mai 21 09:16:17 florin-rocky systemd[1]: Started Samba SMB Daemon.
mai 21 09:16:34 florin-rocky samba-dcerpcd[3047]: [2025/05/21 09:16:34.047253,  0] ../../source3/rpc_server/rpc_host.c:2905(main)
mai 21 09:16:34 florin-rocky samba-dcerpcd[3047]:   samba-dcerpcd version 4.20.2 started.
mai 21 09:16:34 florin-rocky samba-dcerpcd[3047]:   Copyright Andrew Tridgell and the Samba Team 1992-2024
mai 21 09:16:34 florin-rocky rpcd_classic[3057]: [2025/05/21 09:16:34.199873,  0] ../../source3/rpc_server/rpc_worker.c:1155(rpc_worker_main)
mai 21 09:16:34 florin-rocky rpcd_classic[3057]:   rpcd_classic version 4.20.2 started.
mai 21 09:16:34 florin-rocky rpcd_classic[3057]:   Copyright Andrew Tridgell and the Samba Team 1992-2024
mai 21 09:16:34 florin-rocky rpcd_winreg[3059]: [2025/05/21 09:16:34.231102,  0] ../../source3/rpc_server/rpc_worker.c:1155(rpc_worker_main)
mai 21 09:16:34 florin-rocky rpcd_winreg[3059]:   rpcd_winreg version 4.20.2 started.
mai 21 09:16:34 florin-rocky rpcd_winreg[3059]:   Copyright Andrew Tridgell and the Samba Team 1992-2024

Now the machine is visible on the network:
[screenshot]
The florin-rocky workstation can be used by any domain user. At the first local or remote login the directory /home/user_name@domain_name is created automatically.

Add a new user on the dc1 server:

florin@dc1:~$ sudo samba-tool user add alinat --given-name=Alina --surname=Tanasă --initials=AT --mail-address=alina.tanasa@genebanksv.ro --job-title='Scientific researcher' --department='In Vitro' --company='Genebank Suceava' --internet-address=genebanksv.ro --login-shell=/bin/bash
New Password: 
Retype Password: 
User 'alinat' added successfully

Then create a new group and add the user alinat to it:

florin@dc1:~$ sudo samba-tool group add "Scientific researchers" --description='Group for scientific researchers members' --mail-address=researchers@genebanksv.ro
Added group Scientific researchers
florin@dc1:~$ sudo samba-tool group addmembers "Scientific researchers" alinat
Added members to group Scientific researchers
florin@dc1:~$

Now the user alinat can connect to any workstation in the domain, either locally or remotely via ssh:

florin@dc1:~$ ssh alinat@florin-rocky.svgenebank.lan
alinat@florin-rocky.svgenebank.lan's password: 
[alinat@florin-rocky ~]$ id
uid=2001111(alinat) gid=2000513(domain users) grupuri=2000513(domain users),10001(BUILTIN\users),2001111(alinat),2001112(scientific researchers) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[alinat@florin-rocky ~]$ pwd
/home/alinat@SVGENEBANK
[alinat@florin-rocky ~]$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 52:54:00:69:85:39 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.41/24 brd 192.168.0.255 scope global noprefixroute enp1s0
       valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:fe69:8539/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
[alinat@florin-rocky ~]$ hostname -f
florin-rocky.svgenebank.lan

Even though the user alinat has not yet logged in locally, the account has been created on the florin-rocky workstation:

[screenshot: list of local and domain users]
[screenshot: working directory and user id]

1. https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
2. https://docs.rockylinux.org/guides/security/authentication/active_directory_authentication/