Instalarea unui serviciu Samba AD/DC
Introducere
Serviciul Samba poate servi ca un AD/DC (Active Directory/Domain Controler). Acesta este suficient de matur pentru a fi utilizat, cu succes, în gestionarea utilizatorilor și sistemelor din cadrul rețelelor de calculatoare ce utilizează ca sistem de operare Windows 10/11, respectiv Linux. Este de preferat ca severul respectiv să fie dedicat serviciilor de autentificare și autorizare și nu să ofere servicii de fișiere sau imprimare: acesta ar trebui să fie rolul serverelor membre asociate domeniului.1
Stabilire unor parametrii
Nume gazdă - dc1
Adresa IP locală - 192.168.0.51
Domeniu de autentificare - svgenebank.lan
Atenție:
Pentru alegerea numelui de domeniu, pentru cazul în care nu se dispune de un domeniu achiziționat, se va ține seama de standardele RFC 6762 și RFC 8375.
Deoarece serverul va fi un DC și AD (Domain Controller și Active Directory) într-un mediu rezidențial este de preferat a se opta pentru domeniul "home.arpa" (vezi RFC 8375) iar într-un mediu non-rezidențial se va opta pentru un domeniu în conformitate cu punctul G din RFC 6762.
Pentru cazul în care s-a achiziționat un domeniu se utiliza subdomeniu.nume_domeniu.domeniu pentru domeniul de autentificare.
Verificări inițiale
Pentru început vom verifica și vom seta unele aspecte ale serverului:
- Ne asigurăm că serverul are numele complet cu domeniul ales:
- Acesta lucru poate fi stabilit din momentul instalării:
și
- În cazul unui sistem instalat anterior se poate utiliza comanda hostnamectl:
florin@dc1:~$ sudo hostnamectl set-hostname dc1
Urmează să stabilim în /etc/hosts ip-ul și denumirea controlerului de domeniu pentru a fi siguri că acesta rezolvă corect numele de domeniu:
florin@dc1:~$ sudo nano /etc/hosts
Se comentează ori șterge linia cu 127.0.1.1 dc1 și se va adăuga adresa_ip_locală nume_gazdă.domeniu alias. Fișierul
/etc/hosts
va arată în finale de forma:
- Acesta lucru poate fi stabilit din momentul instalării:
127.0.0.1 localhost
#127.0.1.1 dc1
192.168.0.51 dc1.svgenebank.lan dc1
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
După setare se verifică:
florin@dc1:~$ hostname
dc1
florin@dc1:~$ hostname -d
svgenebank.lan
florin@dc1:~$ hostname -f
dc1.svgenebank.lan
Este foarte important ca ceasurile calculatoarelor din rețea să fie sincronizate. Verificăm și ne alegem zona de timp:
florin@dc1:~$ timedatectl
Local time: Sat 2025-05-17 11:15:05 UTC
Universal time: Sat 2025-05-17 11:15:05 UTC
RTC time: Sat 2025-05-17 11:15:05
Time zone: Etc/UTC (UTC, +0000)
System clock synchronized: yes
NTP service: active
RTC in local TZ: no
florin@dc1:~$ sudo timedatectl set-timezone Europe/Bucharest
florin@dc1:~$ timedatectl
Local time: Sat 2025-05-17 14:16:25 EEST
Universal time: Sat 2025-05-17 11:16:25 UTC
RTC time: Sat 2025-05-17 11:16:25
Time zone: Europe/Bucharest (EEST, +0300)
System clock synchronized: yes
NTP service: active
RTC in local TZ: no
Linia System clock synchronized: yes
ne indică că ceasul este sincronizat.
Deoarece Ubuntu are un serviciu numit systemd-resolved ce se ocupă rezolvarea DNS-ului va trebui sa-l oprim, respectiv să-l dezactivăm, să ștergem legătura simbolică /etc/resolv.conf și să realizăm un fișier nou /etc/resolv.conf în care vom defini adresele către DNS:
florin@dc1:~$ sudo systemctl disable --now systemd-resolved
Removed "/etc/systemd/system/dbus-org.freedesktop.resolve1.service".
Removed "/etc/systemd/system/sysinit.target.wants/systemd-resolved.service".
florin@dc1:~$ ls -lah /etc/resolv.conf
lrwxrwxrwx 1 root root 39 Feb 16 20:58 /etc/resolv.conf -> ../run/systemd/resolve/stub-resolv.conf
florin@dc1:~$ sudo rm /etc/resolv.conf
florin@dc1:~$ sudo touch /etc/resolv.conf
florin@dc1:~$ ls -lah /etc/resolv.conf
-rw-r--r-- 1 root root 0 May 16 07:20 /etc/resolv.conf
În continuare se va edita fișierul /etc/resolv.conf:
florin@dc1:~$ sudo nano /etc/resolv.conf
Iar în interiorul fișierului vom defini ip-le serverelo DNS utilizate de controlerul de domeniu dc1:
# Samba server DC-AC
nameserver 192.168.0.51
# internet name server
nameserver 8.8.8.8
# my Samba domain name
search svgenebank.lan
În final se va reporni serverul (mașina ori calculatorul):
florin@dc1:~$ sudo reboot
După repornire verificăm dacă avem conexiune la internet și dacă mașina cu AD-DC este găsită:
florin@dc1:~$ ping -c3 google.ro
PING google.ro (172.217.169.99) 56(84) bytes of data.
64 bytes from sof02s31-in-f3.1e100.net (172.217.169.99): icmp_seq=1 ttl=112 time=26.0 ms
64 bytes from sof02s31-in-f3.1e100.net (172.217.169.99): icmp_seq=2 ttl=112 time=25.9 ms
64 bytes from sof02s31-in-f3.1e100.net (172.217.169.99): icmp_seq=3 ttl=112 time=26.0 ms
--- google.ro ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 25.944/25.994/26.038/0.038 ms
florin@dc1:~$ ping -c3 dc1
PING dc1.svgenebank.lan (192.168.0.51) 56(84) bytes of data.
64 bytes from dc1.svgenebank.lan (192.168.0.51): icmp_seq=1 ttl=64 time=0.035 ms
64 bytes from dc1.svgenebank.lan (192.168.0.51): icmp_seq=2 ttl=64 time=0.062 ms
64 bytes from dc1.svgenebank.lan (192.168.0.51): icmp_seq=3 ttl=64 time=0.062 ms
--- dc1.svgenebank.lan ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2055ms
rtt min/avg/max/mdev = 0.035/0.053/0.062/0.012 ms
Instalare Samba
Samba poate fi instalată din surse utilizând informațiile de aici sau utilizând pachetele distribuției, în acest caz ale Ubuntu.
sudo apt install -y acl attr samba samba-dsdb-modules samba-vfs-modules smbclient winbind libpam-winbind libnss-winbind libpam-krb5 krb5-config krb5-user dnsutils chrony net-tools
La instalarea lui Kerberos vom fi întâmpinați cu un ecran în care se va introduce, cu litera mari, domeniul realm ales la început SVGENEBANK.LAN:
După introducere și apăsarea butonului
După introducere și apăsarea butonului
În continuare se va dezactiva serviciile nefolosite ale lui samba și se va activa serviciul pentru AD-DC :
florin@dc1:~$ sudo systemctl disable --now smbd nmbd winbind
Synchronizing state of smbd.service with SysV service script with /usr/lib/systemd/systemd-sysv-install.
Executing: /usr/lib/systemd/systemd-sysv-install disable smbd
Synchronizing state of nmbd.service with SysV service script with /usr/lib/systemd/systemd-sysv-install.
Executing: /usr/lib/systemd/systemd-sysv-install disable nmbd
Synchronizing state of winbind.service with SysV service script with /usr/lib/systemd/systemd-sysv-install.
Executing: /usr/lib/systemd/systemd-sysv-install disable winbind
Removed "/etc/systemd/system/multi-user.target.wants/winbind.service".
Removed "/etc/systemd/system/multi-user.target.wants/smbd.service".
Removed "/etc/systemd/system/multi-user.target.wants/nmbd.service".
Removed "/etc/systemd/system/smb.service".
Removed "/etc/systemd/system/nmb.service".
florin@dc1:~$ sudo systemctl unmask samba-ad-dc
florin@dc1:~$ sudo systemctl enable samba-ad-dc
Synchronizing state of samba-ad-dc.service with SysV service script with /usr/lib/systemd/systemd-sysv-install.
Executing: /usr/lib/systemd/systemd-sysv-install enable samba-ad-dc
Configurarea serverului Samba
Înainte de realizarea modificărilor la fișierele de configurare este indicat ca acestea să fie salvate, dar în prealabil vom opri serviciul Samba SD-DC:
florin@dc1:~$ sudo systemctl stop samba-ad-dc.service
florin@dc1:~$ sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.orig
florin@dc1:~$ sudo mv /etc/krb5.conf /etc/krb5.conf.orig
Pentru configurarea în mod interactiv vom folosi comanda:
florin@dc1:~$ sudo samba-tool domain provision --use-rfc2307 --interactive
Realm [SVGENEBANK.LAN]:
Domain [SVGENEBANK]:
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
DNS forwarder IP address (write 'none' to disable forwarding) [192.168.0.51]: 8.8.8.8
Administrator password:
Retype password:
Comanda anterioară a generat fișierul de configurare la /var/lib/samba/private/krb5.conf, iar acest fișier va trebui de copiat în /etc/krb5.conf.
florin@dc1:~$ sudo cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
După care vom porni serviciul și verificăm statusul acestuia:
florin@dc1:~$ sudo systemctl start samba-ad-dc.service
florin@dc1:~$ sudo systemctl status samba-ad-dc.service
● samba-ad-dc.service - Samba AD Daemon
Loaded: loaded (/usr/lib/systemd/system/samba-ad-dc.service; enabled; preset: enabled)
Active: active (running) since Mon 2025-05-19 10:09:17 EEST; 10s ago
Docs: man:samba(8)
man:samba(7)
man:smb.conf(5)
Process: 3313 ExecCondition=/usr/share/samba/is-configured samba (code=exited, status=0/SUCCESS)
Main PID: 3316 (samba)
Status: "samba: ready to serve connections..."
Tasks: 58 (limit: 4609)
Memory: 176.2M (peak: 259.9M)
CPU: 1.619s
CGroup: /system.slice/samba-ad-dc.service
├─3316 "samba: root process"
├─3317 "samba: tfork waiter process(3318)"
├─3318 "samba: task[s3fs] pre-fork master"
├─3319 "samba: tfork waiter process(3320)"
├─3320 "samba: task[rpc] pre-fork master"
├─3321 "samba: tfork waiter process(3325)"
├─3322 "samba: tfork waiter process(3323)"
├─3323 "samba: task[nbt] pre-fork master"
├─3324 "samba: tfork waiter process(3327)"
├─3325 /usr/sbin/smbd -D "--option=server role check:inhibit=yes" --foreground
├─3326 "samba: tfork waiter process(3328)"
├─3327 "samba: task[wrepl] pre-fork master"
├─3328 "samba: task[rpc] pre-forked worker(0)"
├─3329 "samba: tfork waiter process(3332)"
├─3330 "samba: tfork waiter process(3331)"
├─3331 "samba: task[ldap] pre-fork master"
├─3332 "samba: task[rpc] pre-forked worker(1)"
├─3333 "samba: tfork waiter process(3334)"
├─3334 "samba: task[cldap] pre-fork master"
├─3335 "samba: tfork waiter process(3337)"
├─3336 "samba: tfork waiter process(3339)"
├─3337 "samba: task[rpc] pre-forked worker(2)"
├─3338 "samba: tfork waiter process(3341)"
├─3339 "samba: task[kdc] pre-fork master"
├─3340 "samba: tfork waiter process(3344)"
├─3341 "samba: task[rpc] pre-forked worker(3)"
├─3342 "samba: tfork waiter process(3343)"
├─3343 "samba: task[kdc] pre-forked worker(0)"
├─3344 "samba: task[drepl] pre-fork master"
├─3345 "samba: tfork waiter process(3347)"
├─3346 "samba: tfork waiter process(3348)"
├─3347 "samba: task[kdc] pre-forked worker(1)"
├─3348 "samba: task[winbindd] pre-fork master"
├─3349 "samba: tfork waiter process(3353)"
├─3350 "samba: tfork waiter process(3352)"
├─3351 "samba: tfork waiter process(3354)"
├─3352 "samba: task[ntp_signd] pre-fork master"
├─3353 "samba: task[kdc] pre-forked worker(2)"
├─3354 /usr/sbin/winbindd -D "--option=server role check:inhibit=yes" --foreground
├─3355 "samba: tfork waiter process(3357)"
├─3356 "samba: tfork waiter process(3358)"
├─3357 "samba: task[kcc] pre-fork master"
├─3358 "samba: task[kdc] pre-forked worker(3)"
├─3360 "samba: tfork waiter process(3361)"
├─3361 "samba: task[dnsupdate] pre-fork master"
├─3362 "samba: tfork waiter process(3363)"
├─3363 "samba: task[dns] pre-fork master"
├─3369 "smbd: notifyd" .
├─3370 "smbd: cleanupd "
├─3371 "winbindd: domain child [SVGENEBANK]"
├─3372 "samba: tfork waiter process(3373)"
├─3373 "samba: task[ldap] pre-forked worker(0)"
├─3374 "samba: tfork waiter process(3375)"
├─3375 "samba: task[ldap] pre-forked worker(1)"
├─3376 "samba: tfork waiter process(3377)"
├─3377 "samba: task[ldap] pre-forked worker(2)"
├─3378 "samba: tfork waiter process(3379)"
└─3379 "samba: task[ldap] pre-forked worker(3)"
May 19 10:09:17 dc1 samba[3331]: Attempting to autogenerate TLS self-signed keys for https for hostname 'DC1.svge>
May 19 10:09:17 dc1 smbd[3325]: [2025/05/19 10:09:17.514447, 0] source3/smbd/server.c:1746(main)
May 19 10:09:17 dc1 smbd[3325]: smbd version 4.19.5-Ubuntu started.
May 19 10:09:17 dc1 smbd[3325]: Copyright Andrew Tridgell and the Samba Team 1992-2023
May 19 10:09:17 dc1 systemd[1]: Started samba-ad-dc.service - Samba AD Daemon.
May 19 10:09:17 dc1 winbindd[3354]: [2025/05/19 10:09:17.581196, 0] source3/winbindd/winbindd.c:1441(main)
May 19 10:09:17 dc1 winbindd[3354]: winbindd version 4.19.5-Ubuntu started.
May 19 10:09:17 dc1 winbindd[3354]: Copyright Andrew Tridgell and the Samba Team 1992-2023
May 19 10:09:18 dc1 samba[3331]: [2025/05/19 10:09:18.068290, 0] source4/lib/tls/tlscert.c:154(tls_cert_generate)
May 19 10:09:18 dc1 samba[3331]: TLS self-signed keys generated OK
Crearea zonei de revers
Acum se poate realiza zona de revers DNS și instalăm pachetul ce pune la dispoziție modulul setproctitle
pentru python:
florin@dc1:~$ samba-tool dns zonecreate dc1.svgenebank.lan 0.168.192.in-addr.arpa -U Administrator
WARNING: Using passwords on command line is insecure. Installing the setproctitle python module will hide these from shortly after program start.
Password for [SVGENEBANK\Administrator]:
Zone 0.168.192.in-addr.arpa created successfully
florin@dc1:~$ sudo apt install python3-setproctitle
florin@dc1:~$ sudo samba-tool dns add dc1.svgenebank.lan 0.168.192.in-addr.arpa 1 PTR dc1.svgenebank.lan -U Administrator
Password for [SVGENEBANK\Administrator]:
Record added successfully
Testarea serviciului
Testarea conexiunii anonime și autentificare:
florin@dc1:~$ smbclient -L localhost -N
Anonymous login successful
Sharename Type Comment
--------- ---- -------
sysvol Disk
netlogon Disk
IPC$ IPC IPC Service (Samba 4.19.5-Ubuntu)
SMB1 disabled -- no workgroup available
florin@dc1:~$ smbclient //localhost/netlogon -UAdministrator -c 'ls'
Password for [SVGENEBANK\Administrator]:
. D 0 Mon May 19 10:06:46 2025
.. D 0 Mon May 19 10:06:46 2025
11758760 blocks of size 1024. 6040504 blocks available
Testarea rezoluției DNS pentru înregistrările domeniului:
florin@dc1:~$ host -t A dc1.svgenbank.lan
dc1.svgenbank.lan has no A record
florin@dc1:~$ host -t A dc1.svgenebank.lan
dc1.svgenebank.lan has address 192.168.0.51
florin@dc1:~$ host -t SRV _ldap._tcp.svgenebank.lan
_ldap._tcp.svgenebank.lan has SRV record 0 100 389 dc1.svgenebank.lan.
florin@dc1:~$ host -t SRV _kerberos._udp.svgenebank.lan
_kerberos._udp.svgenebank.lan has SRV record 0 100 88 dc1.svgenebank.lan.
Testarea Kerberos
florin@dc1:~$ kinit administrator
Password for administrator@SVGENEBANK.LAN:
Warning: Your password will expire in 41 days on Mon Jun 30 10:06:49 2025
florin@dc1:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: administrator@SVGENEBANK.LAN
Valid starting Expires Service principal
05/19/25 10:19:50 05/19/25 20:19:50 krbtgt/SVGENEBANK.LAN@SVGENEBANK.LAN
renew until 05/20/25 10:19:42
Listarea utilizatorilor și a grupurilor
florin@dc1:~$ wbinfo -u
SVGENEBANK\administrator
SVGENEBANK\guest
SVGENEBANK\krbtgt
florin@dc1:~$ wbinfo -g
SVGENEBANK\cert publishers
SVGENEBANK\ras and ias servers
SVGENEBANK\allowed rodc password replication group
SVGENEBANK\denied rodc password replication group
SVGENEBANK\dnsadmins
SVGENEBANK\enterprise read-only domain controllers
SVGENEBANK\domain admins
SVGENEBANK\domain users
SVGENEBANK\domain guests
SVGENEBANK\domain computers
SVGENEBANK\domain controllers
SVGENEBANK\schema admins
SVGENEBANK\enterprise admins
SVGENEBANK\group policy creator owners
SVGENEBANK\read-only domain controllers
SVGENEBANK\protected users
SVGENEBANK\dnsupdateproxy
Configurarea serviciului de sincronizare a ceasului AD
Pentru sincronizare s-a folosit serviciul chronyd
.
Pentru început se va schimba proprietarul directorului directorului /var/lib/samba/ntp_signd
:
florin@dc1:~$ sudo ls -ld /var/lib/samba/ntp_signd/
drwxr-x--- 2 root root 4096 May 19 10:16 /var/lib/samba/ntp_signd/
florin@dc1:~$ sudo chown root:_chrony /var/lib/samba/ntp_signd/
florin@dc1:~$ sudo ls -ld /var/lib/samba/ntp_signd/
drwxr-x--- 2 root _chrony 4096 May 19 10:16 /var/lib/samba/ntp_signd/
florin@dc1:~$ sudo chmod 750 /var/lib/samba/ntp_signd/
florin@dc1:~$ sudo ls -ld /var/lib/samba/ntp_signd/
drwxr-x--- 2 root _chrony 4096 May 19 10:16 /var/lib/samba/ntp_signd/
După care vom edita fișierul de configurare /etc/chrony/chrony.conf
al serviciului chronyd
:
florin@dc1:~$ sudo nano /etc/chrony/chrony.conf
La care se vor adăuga următoarele linii
# ipaddress of this DC
bindcmdaddress 192.168.0.51
# dns netmask
allow 192.168.0.0/24
ntpsigndsocket /var/lib/samba/ntp_signd
, în final fișierul va arătă de forma:
# Welcome to the chrony configuration file. See chrony.conf(5) for more
# information about usable directives.
# Include configuration files found in /etc/chrony/conf.d.
confdir /etc/chrony/conf.d
# This will use (up to):
# - 4 sources from ntp.ubuntu.com which some are ipv6 enabled
# - 2 sources from 2.ubuntu.pool.ntp.org which is ipv6 enabled as well
# - 1 source from [01].ubuntu.pool.ntp.org each (ipv4 only atm)
# This means by default, up to 6 dual-stack and up to 2 additional IPv4-only
# sources will be used.
# At the same time it retains some protection against one of the entries being
# down (compare to just using one of the lines). See (LP: #1754358) for the
# discussion.
#
# About using servers from the NTP Pool Project in general see (LP: #104525).
# Approved by Ubuntu Technical Board on 2011-02-08.
# See http://www.pool.ntp.org/join.html for more information.
pool ntp.ubuntu.com iburst maxsources 4
pool 0.ubuntu.pool.ntp.org iburst maxsources 1
pool 1.ubuntu.pool.ntp.org iburst maxsources 1
pool 2.ubuntu.pool.ntp.org iburst maxsources 2
# Use time sources from DHCP.
sourcedir /run/chrony-dhcp
# Use NTP sources found in /etc/chrony/sources.d.
sourcedir /etc/chrony/sources.d
# This directive specify the location of the file containing ID/key pairs for
# NTP authentication.
keyfile /etc/chrony/chrony.keys
# This directive specify the file into which chronyd will store the rate
# information.
driftfile /var/lib/chrony/chrony.drift
# Save NTS keys and cookies.
ntsdumpdir /var/lib/chrony
# Uncomment the following line to turn logging on.
#log tracking measurements statistics
# Log files location.
logdir /var/log/chrony
# Stop bad estimates upsetting machine clock.
maxupdateskew 100.0
# This directive enables kernel synchronisation (every 11 minutes) of the
# real-time clock. Note that it can't be used along with the 'rtcfile' directive.
rtcsync
# Step the system clock instead of slewing it if the adjustment is larger than
# one second, but only in the first three clock updates.
makestep 1 3
# Get TAI-UTC offset and leap seconds from the system tz database.
# This directive must be commented out when using time sources serving
# leap-smeared time.
leapsectz right/UTC
# ipaddress of this DC
bindcmdaddress 192.168.0.51
# dns netmask
allow 192.168.0.0/24
ntpsigndsocket /var/lib/samba/ntp_signd
După editare și salvare se va reporni serviciul:
florin@dc1:~$ sudo systemctl restart chronyd
Verificăm că acesta funcționează corespunzător:
florin@dc1:~$ sudo systemctl status chronyd
● chrony.service - chrony, an NTP client/server
Loaded: loaded (/usr/lib/systemd/system/chrony.service; enabled; preset: enabled)
Active: active (running) since Mon 2025-05-19 10:42:56 EEST; 9s ago
Docs: man:chronyd(8)
man:chronyc(1)
man:chrony.conf(5)
Process: 1381 ExecStart=/usr/lib/systemd/scripts/chronyd-starter.sh $DAEMON_OPTS (code=exited, status=0/SUCCESS)
Main PID: 1392 (chronyd)
Tasks: 2 (limit: 4609)
Memory: 1.4M (peak: 2.2M)
CPU: 36ms
CGroup: /system.slice/chrony.service
├─1392 /usr/sbin/chronyd -F 1
└─1393 /usr/sbin/chronyd -F 1
May 19 10:42:56 dc1 systemd[1]: Starting chrony.service - chrony, an NTP client/server...
May 19 10:42:56 dc1 chronyd[1392]: chronyd version 4.5 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +S>
May 19 10:42:56 dc1 chronyd[1392]: Loaded 0 symmetric keys
May 19 10:42:56 dc1 chronyd[1392]: Frequency -3.984 +/- 0.106 ppm read from /var/lib/chrony/chrony.drift
May 19 10:42:56 dc1 chronyd[1392]: Using right/UTC timezone to obtain leap second data
May 19 10:42:56 dc1 chronyd[1392]: MS-SNTP authentication enabled
May 19 10:42:56 dc1 chronyd[1392]: Loaded seccomp filter (level 1)
May 19 10:42:56 dc1 systemd[1]: Started chrony.service - chrony, an NTP client/server.
May 19 10:43:02 dc1 chronyd[1392]: Selected source 185.125.190.57 (ntp.ubuntu.com)
May 19 10:43:02 dc1 chronyd[1392]: System clock TAI offset set to 37 seconds
florin@dc1:~$ chronyc sources
MS Name/IP address Stratum Poll Reach LastRx Last sample
===============================================================================
^+ prod-ntp-3.ntp1.ps5.cano> 2 6 17 29 -2246us[-2841us] +/- 28ms
^* prod-ntp-4.ntp1.ps5.cano> 2 6 17 28 -2185us[-2780us] +/- 28ms
^+ prod-ntp-5.ntp4.ps5.cano> 2 6 17 28 -700us[-1295us] +/- 30ms
^+ alphyn.canonical.com 2 6 17 29 +646us[ +51us] +/- 84ms
^+ time.cloudflare.com 3 6 17 28 +3304us[+2709us] +/- 31ms
^- time5.hamcloud.ro 3 6 17 29 +16ms[ +15ms] +/- 74ms
^+ ntp3.hamcloud.ro 3 6 17 28 +8845us[+8250us] +/- 70ms
^- time8.hamcloud.ro 3 6 17 29 +5642us[+5047us] +/- 56ms
florin@dc1:~$ chronyc tracking
Reference ID : B97DBE39 (prod-ntp-4.ntp4.ps5.canonical.com)
Stratum : 3
Ref time (UTC) : Mon May 19 07:43:04 2025
System time : 0.000000049 seconds fast of NTP time
Last offset : -0.000595212 seconds
RMS offset : 0.000595212 seconds
Frequency : 3.984 ppm slow
Residual freq : +13.368 ppm
Skew : 0.106 ppm
Root delay : 0.055841085 seconds
Root dispersion : 0.001371672 seconds
Update interval : 2.0 seconds
Leap status : Normal
florin@dc1:~$ timedatectl
Local time: Mon 2025-05-19 10:45:13 EEST
Universal time: Mon 2025-05-19 07:45:13 UTC
RTC time: Mon 2025-05-19 07:45:13
Time zone: Europe/Bucharest (EEST, +0300)
System clock synchronized: yes
NTP service: active
RTC in local TZ: no
Managementul utilizatorilor și al grupurilor
Pentru utilizatori
Adăugarea unui utilizator
Pentru adăugarea unui nou utilizator se folosește comanda samba-tool user add
. Pentru început vom solicita un ajutor al comenzii pentru a vedea parametrii ce poți fi trimiși odată cu acestă comandă:
florin@dc1:~$ samba-tool user add -h
Usage: samba-tool user add <username> [<password>] [options]
Add a new user.
This command adds a new user account to the Active Directory domain. The
username specified on the command is the sAMaccountName.
User accounts may represent physical entities, such as people or may be used
as service accounts for applications. User accounts are also referred to as
security principals and are assigned a security identifier (SID).
A user account enables a user to logon to a computer and domain with an
identity that can be authenticated. To maximize security, each user should
have their own unique user account and password. A user's access to domain
resources is based on permissions assigned to the user account.
Unix (RFC2307) attributes may be added to the user account. Attributes taken
from NSS are obtained on the local machine. Explicitly given values override
values obtained from NSS. Configure 'idmap_ldb:use rfc2307 = Yes' to use these
attributes for UID/GID mapping.
The command may be run from the root userid or another authorized userid. The
-H or --URL= option can be used to execute the command against a remote
server.
Example1:
samba-tool user add User1 passw0rd --given-name=John --surname=Smith --must-
change-at-next-login -H ldap://samba.samdom.example.com
-Uadministrator%passw1rd
Example1 shows how to add a new user to the domain against a remote LDAP
server. The -H parameter is used to specify the remote target server. The -U
option is used to pass the userid and password authorized to issue the command
remotely.
Example2:
sudo samba-tool user add User2 passw2rd --given-name=Jane --surname=Doe
--must-change-at-next-login
Example2 shows how to add a new user to the domain against the local server.
sudo is used so a user may run the command as root. In this example, after
User2 is created, he/she will be forced to change their password when they
logon.
Example3:
samba-tool user add User3 passw3rd --userou='OU=OrgUnit'
Example3 shows how to add a new user in the OrgUnit organizational unit.
Example4:
samba-tool user add User4 passw4rd --rfc2307-from-nss --gecos 'some text'
Example4 shows how to add a new user with Unix UID, GID and login-shell set
from the local NSS and GECOS set to 'some text'.
Example5:
samba-tool user add User5 passw5rd --nis-domain=samdom --unix-home=/home/User5
\
--uid-number=10005 --login-shell=/bin/false --gid-number=10000
Example5 shows how to add a new RFC2307/NIS domain enabled user account. If
--nis-domain is set, then the other four parameters are mandatory.
Options:
-h, --help show this help message and exit
-H URL, --URL=URL LDB URL for database or target server
--must-change-at-next-login
Force password to be changed on next login
--random-password Generate random password
--smartcard-required Require a smartcard for interactive logons
--use-username-as-cn Force use of username as user's CN
--userou=USEROU DN of alternative location (without domainDN
counterpart) to default CN=Users in which new user
object will be created. E. g. 'OU=<OU name>'
--surname=SURNAME User's surname
--given-name=GIVEN_NAME
User's given name
--initials=INITIALS User's initials
--profile-path=PROFILE_PATH
User's profile path
--script-path=SCRIPT_PATH
User's logon script path
--home-drive=HOME_DRIVE
User's home drive letter
--home-directory=HOME_DIRECTORY
User's home directory path
--job-title=JOB_TITLE
User's job title
--department=DEPARTMENT
User's department
--company=COMPANY User's company
--description=DESCRIPTION
User's description
--mail-address=MAIL_ADDRESS
User's email address
--internet-address=INTERNET_ADDRESS
User's home page
--telephone-number=TELEPHONE_NUMBER
User's phone number
--physical-delivery-office=PHYSICAL_DELIVERY_OFFICE
User's office location
--rfc2307-from-nss Copy Unix user attributes from NSS (will be overridden
by explicit UID/GID/GECOS/shell)
--nis-domain=NIS_DOMAIN
User's Unix/RFC2307 NIS domain
--unix-home=UNIX_HOME
User's Unix/RFC2307 home directory
--uid=UID User's Unix/RFC2307 username
--uid-number=UID_NUMBER
User's Unix/RFC2307 numeric UID
--gid-number=GID_NUMBER
User's Unix/RFC2307 primary GID number
--gecos=GECOS User's Unix/RFC2307 GECOS field
--login-shell=LOGIN_SHELL
User's Unix/RFC2307 login shell
--color=always|never|auto
use colour if available (default: auto)
Credentials Options:
--simple-bind-dn=DN
DN to use for a simple bind
--password=PASSWORD
Password
-U USERNAME, --username=USERNAME
Username
-W WORKGROUP, --workgroup=WORKGROUP
Workgroup
-N, --no-pass Don't ask for a password
--ipaddress=IPADDRESS
IP address of server
-P, --machine-pass Use stored machine account password
--use-kerberos=desired|required|off
Use Kerberos authentication
--use-krb5-ccache=KRB5CCNAME
Kerberos Credentials cache
-A AUTHFILE, --authentication-file=AUTHFILE
Authentication file
-k KERBEROS, --kerberos=KERBEROS
DEPRECATED: Migrate to --use-kerberos
Samba Common Options:
-s FILE, --configfile=FILE
Configuration file
-d DEBUGLEVEL, --debuglevel=DEBUGLEVEL
debug level
--option=OPTION set smb.conf option from command line
--realm=REALM set the realm name
Version Options:
-V, --version Display version number
Un exemplu de adăugare a unui utilizator pe un server local (pentru remote se utilizează parametrul -H):
florin@dc1:~$ sudo samba-tool user add florint --given-name=Florin --surname=Tanasă --initials=FT --mail-address=florin.tanasa@genebanksv.ro --job-title='Specialist engineer' --department='IT&IC' --company='Genebank Suceava'--internet-address=genebanksv.ro --login-shell=/bin/bash
[sudo] password for florin:
New Password:
Retype Password:
User 'florint' added successfully
Listarea utilizatorilor:
florin@dc1:~$ sudo samba-tool user list
krbtgt
Guest
florint
Administrator
Ștergerea unui utilizator:
florin@dc1:~$ sudo samba-tool user delete nume_utilizator_domeniu
Schimbarea parolei unui utilizator:
florin@dc1:~$ sudo samba-tool user setpassword nume_utilizator_domeniu
Dezactivarea și activarea unui utilizator:
florin@dc1:~$ sudo samba-tool user disable nume_utilizator_domeniu
florin@dc1:~$ sudo samba-tool user enable nume_utilizator_domeniu
Pentru grupuri
Adăugarea unui grup:
Pentru adăugarea unui nou grup se folosește comanda samba-tool group add
. Pentru început vom solicita un ajutor al comenzii pentru a vedea parametrii ce poți fi trimiși odată cu acestă comandă:
florin@dc1:~$ samba-tool group -h add
Usage: samba-tool group add <groupname> [options]
Creates a new AD group.
This command adds a new Active Directory group. The groupname specified on
the command is a unique sAMAccountName.
An Active Directory group may contain user and computer accounts as well as
other groups. An administrator adds a new group and adds members to that
group so they can be managed as a single entity. This helps to simplify
security and system administration.
Groups may also be used to establish email distribution lists, using --group-
type=Distribution.
Groups are located in domains in organizational units (OUs). The group's
scope is a characteristic of the group that designates the extent to which the
group is applied within the domain tree or forest.
The group location (OU), type (security or distribution) and scope may all be
specified on the samba-tool command when the group is created.
The command may be run from the root userid or another authorized userid. The
-H or --URL= option can be used to execute the command on a remote server.
Example1:
samba-tool group add Group1 -H ldap://samba.samdom.example.com
--description='Simple group'
Example1 adds a new group with the name Group1 added to the Users container on
a remote LDAP server. The -U parameter is used to pass the userid and
password of a user that exists on the remote server and is authorized to issue
the command on that server. It defaults to the security type and global
scope.
Example2:
sudo samba-tool group add Group2 --group-type=Distribution
Example2 adds a new distribution group to the local server. The command is
run under root using the sudo command.
Example3:
samba-tool group add Group3 --nis-domain=samdom --gid-number=12345
Example3 adds a new RFC2307 enabled group for NIS domain samdom and GID 12345
(both options are required to enable this feature).
Options:
-h, --help show this help message and exit
-H URL, --URL=URL LDB URL for database or target server
--groupou=GROUPOU Alternative location (without domainDN counterpart) to
default CN=Users in which new user object will be
created
--group-scope=GROUP_SCOPE
Group scope (Domain | Global | Universal)
--group-type=GROUP_TYPE
Group type (Security | Distribution)
--description=DESCRIPTION
Group's description
--mail-address=MAIL_ADDRESS
Group's email address
--notes=NOTES Groups's notes
--gid-number=GID_NUMBER
Group's Unix/RFC2307 GID number
--nis-domain=NIS_DOMAIN
SFU30 NIS Domain
--special Add a special predefined group
--color=always|never|auto
use colour if available (default: auto)
Credentials Options:
--simple-bind-dn=DN
DN to use for a simple bind
--password=PASSWORD
Password
-U USERNAME, --username=USERNAME
Username
-W WORKGROUP, --workgroup=WORKGROUP
Workgroup
-N, --no-pass Don't ask for a password
--ipaddress=IPADDRESS
IP address of server
-P, --machine-pass Use stored machine account password
--use-kerberos=desired|required|off
Use Kerberos authentication
--use-krb5-ccache=KRB5CCNAME
Kerberos Credentials cache
-A AUTHFILE, --authentication-file=AUTHFILE
Authentication file
-k KERBEROS, --kerberos=KERBEROS
DEPRECATED: Migrate to --use-kerberos
Samba Common Options:
-s FILE, --configfile=FILE
Configuration file
-d DEBUGLEVEL, --debuglevel=DEBUGLEVEL
debug level
--option=OPTION set smb.conf option from command line
--realm=REALM set the realm name
Version Options:
-V, --version Display version number
Pentru exemplificare se va realizat un grup IT-IC
:
florin@dc1:~$ sudo samba-tool group add IT-IC --description='Group for IT and IC members' --mail-address=it.ic@genebanksv.ro
Added group IT-IC
Ștergerea unui grup:
florin@dc1:~$ sudo samba-tool group delete nume_grup
Listarea grupurilor:
florin@dc1:~$ sudo samba-tool group list
Incoming Forest Trust Builders
Distributed COM Users
Domain Guests
Terminal Server License Servers
Domain Admins
Windows Authorization Access Group
Network Configuration Operators
Account Operators
Domain Users
Domain Controllers
Server Operators
Pre-Windows 2000 Compatible Access
Guests
Read-only Domain Controllers
Print Operators
RAS and IAS Servers
Performance Monitor Users
Group Policy Creator Owners
DnsUpdateProxy
Domain Computers
Cert Publishers
Performance Log Users
Event Log Readers
Cryptographic Operators
Schema Admins
IT-IC
Certificate Service DCOM Access
Enterprise Admins
DnsAdmins
Denied RODC Password Replication Group
Protected Users
IIS_IUSRS
Replicator
Users
Remote Desktop Users
Allowed RODC Password Replication Group
Administrators
Enterprise Read-only Domain Controllers
Backup Operators
Listarea utilizatorilor ce sunt membrii unui grup:
florin@dc1:~$ sudo samba-tool group listmembers "Domain Users"
Administrator
krbtgt
florint
florin@dc1:~$ sudo samba-tool group listmembers "Domain Admins"
Administrator
Adăugarea de noi membrii într-un grub
florin@dc1:~$ sudo samba-tool group addmembers IT-IC florint
Added members to group IT-IC
Eliminarea unor membrii dintr-un grup
florin@dc1:~$ sudo samba-tool group removemembers IT-IC florint
Removed members from group IT-IC
Informații privind politica parolei în domeniu
florin@dc1:~$ sudo samba-tool domain passwordsettings show
Password information for domain 'DC=svgenebank,DC=lan'
Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30
Autentificarea locală în serverul AD-DC utilizând conturile din AD
În mod implicit, utilizatorii din AD nu se pot loga în sistemul dc1
utilizând conturile din AD, create cu samba-tool
. Pentru a permite autentificarea va trebui să configurăm controlerul PAM ce permite accesul în sistem.
Pentru început vom realiza câteva modificări în fișierul de configurare smb.conf
a serviciului samba
:
sudo nano /etc/samba/smb.conf
În care vom adăuga, în secțiunea [global]
, următoarele instrucțiuni:
winbind enum users = yes
winbind enum groups = yes
template shell = /bin/bash
template homedir = /home/%U
Fișierul va arăta de forma:
# Global parameters
[global]
dns forwarder = 8.8.8.8
netbios name = DC1
realm = SVGENEBANK.LAN
server role = active directory domain controller
workgroup = SVGENEBANK
idmap_ldb:use rfc2307 = yes
winbind enum users = yes
winbind enum groups = yes
template shell = /bin/bash
template homedir = /home/%U
[sysvol]
path = /var/lib/samba/sysvol
read only = No
[netlogon]
path = /var/lib/samba/sysvol/svgenebank.lan/scripts
read only = No
Verificăm dacă sunt erori la fișierul de configurare, utilizând comanda testparm
, iar dacă nu sunt erori repornim serviciul:
florin@dc1:~$ testparm
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)
Server role: ROLE_ACTIVE_DIRECTORY_DC
Press enter to see a dump of your service definitions
# Global parameters
[global]
dns forwarder = 8.8.8.8
passdb backend = samba_dsdb
realm = SVGENEBANK.LAN
server role = active directory domain controller
template homedir = /home/%U
template shell = /bin/bash
winbind enum groups = Yes
winbind enum users = Yes
workgroup = SVGENEBANK
rpc_server:tcpip = no
rpc_daemon:spoolssd = embedded
rpc_server:spoolss = embedded
rpc_server:winreg = embedded
rpc_server:ntsvcs = embedded
rpc_server:eventlog = embedded
rpc_server:srvsvc = embedded
rpc_server:svcctl = embedded
rpc_server:default = external
winbindd:use external pipes = true
idmap_ldb:use rfc2307 = yes
idmap config * : backend = tdb
map archive = No
vfs objects = dfs_samba4 acl_xattr
[sysvol]
path = /var/lib/samba/sysvol
read only = No
[netlogon]
path = /var/lib/samba/sysvol/svgenebank.lan/scripts
read only = No
florin@dc1:~$ sudo systemctl restart samba-ad-dc.service
Pentru interogarea AD se pot folosi câteva aplicații ca getent
și wbinfo
:
florin@dc1:~$ getent passwd | grep SVGENEBANK
SVGENEBANK\administrator:*:0:100::/home/administrator:/bin/bash
SVGENEBANK\guest:*:3000011:3000012::/home/guest:/bin/bash
SVGENEBANK\krbtgt:*:3000018:100::/home/krbtgt:/bin/bash
SVGENEBANK\florint:*:3000017:100::/home/florint:/bin/bash
florin@dc1:~$ getent group | grep SVGENEBANK
SVGENEBANK\cert publishers:x:3000035:
SVGENEBANK\ras and ias servers:x:3000036:
SVGENEBANK\allowed rodc password replication group:x:3000037:
SVGENEBANK\denied rodc password replication group:x:3000005:
SVGENEBANK\dnsadmins:x:3000038:
SVGENEBANK\enterprise read-only domain controllers:x:3000039:
SVGENEBANK\domain admins:x:3000004:
SVGENEBANK\domain users:x:100:
SVGENEBANK\domain guests:x:3000012:
SVGENEBANK\domain computers:x:3000040:
SVGENEBANK\domain controllers:x:3000041:
SVGENEBANK\schema admins:x:3000006:
SVGENEBANK\enterprise admins:x:3000007:
SVGENEBANK\group policy creator owners:x:3000008:
SVGENEBANK\read-only domain controllers:x:3000042:
SVGENEBANK\protected users:x:3000043:
SVGENEBANK\dnsupdateproxy:x:3000044:
SVGENEBANK\it-ic:x:3000045:
florin@dc1:~$ wbinfo -u
SVGENEBANK\administrator
SVGENEBANK\guest
SVGENEBANK\krbtgt
SVGENEBANK\florint
florin@dc1:~$ wbinfo -g
SVGENEBANK\cert publishers
SVGENEBANK\ras and ias servers
SVGENEBANK\allowed rodc password replication group
SVGENEBANK\denied rodc password replication group
SVGENEBANK\dnsadmins
SVGENEBANK\enterprise read-only domain controllers
SVGENEBANK\domain admins
SVGENEBANK\domain users
SVGENEBANK\domain guests
SVGENEBANK\domain computers
SVGENEBANK\domain controllers
SVGENEBANK\schema admins
SVGENEBANK\enterprise admins
SVGENEBANK\group policy creator owners
SVGENEBANK\read-only domain controllers
SVGENEBANK\protected users
SVGENEBANK\dnsupdateproxy
SVGENEBANK\it-ic
florin@dc1:~$ wbinfo -i florint
SVGENEBANK\florint:*:3000017:100::/home/florint:/bin/bash
În continuare se va vor aduce modificări fișierelor de configurare PAM (Linux Pluggable Authentication Modules). Ubuntu dispune de un utilitar în acest sens:
florin@dc1:~$ sudo pam-auth-update
și vom seta ca la logarea utilizatorilor să se realizeze automat directorul home
:
Pentru test ne vom loga cu un utilizator de domeniu:
florin@dc1:~$ sudo su - florint
Creating directory '/home/florint'.
SVGENEBANK\florint@dc1:~$ ls -a
. .. .bash_logout .bashrc .profile
SVGENEBANK\florint@dc1:~$ whoami
SVGENEBANK\florint
florin@dc1:~$ su - florint
Password:
groups: cannot find name for group ID 3000046
SVGENEBANK\florint@dc1:~$ whoami
SVGENEBANK\florint
SVGENEBANK\florint@dc1:~$ id
uid=3000017(SVGENEBANK\florint) gid=100(users) groups=100(users),3000009(BUILTIN\users),3000017(SVGENEBANK\florint),3000045(SVGENEBANK\it-ic),3000046
Există un id de grup fără denumire, cel mai probabil din cel creat și șters în teste.
Acum utilizatorii de domeniu se pot conecta local la sever.
Pentru conectarea de la distanță prin ssh
:
florin@dc1:~$ ssh florint@dc1.svgenebank.lan
florint@dc1.svgenebank.lan's password:
Warning: Your password will expire in 41 days on Mon Jun 30 14:17:25 2025
Warning: Your password will expire in 41 days on Mon Jun 30 14:17:25 2025
Welcome to Ubuntu 24.04.2 LTS (GNU/Linux 6.8.0-60-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/pro
System information as of Tue May 20 10:17:41 AM EEST 2025
System load: 0.0 Processes: 203
Usage of /: 43.8% of 11.21GB Users logged in: 2
Memory usage: 11% IPv4 address for enp1s0: 192.168.0.51
Swap usage: 0%
* Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
just raised the bar for easy, resilient and secure K8s cluster deployment.
https://ubuntu.com/engage/secure-kubernetes-at-the-edge
Expanded Security Maintenance for Applications is not enabled.
0 updates can be applied immediately.
Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status
Last login: Tue May 20 10:15:30 2025 from 192.168.0.51
groups: cannot find name for group ID 3000046
Funcționează și autentificarea prin ssh
utilizând numele și parola unui utilizator de domeniu.
Înrolarea în AD-DC a unui client ce rulează linux
Este foarte important ca dispozitivele ce urmează a fi adăugate să aibă ceasurile sincronizate cu serverul, în acest caz cu dc1.svgenebank.lan
. De asemenea este foarte important ca dispozitivul client să poată rezolva DNS-ul către 'dc1.svgenebank.lan', acest lucru se poate rezolva prin editarea lui /etc/resolv.conf
.
Înrolarea unui dispozitiv ce rulează Rocky Linux2
Se configurează interfața de rețea cu ip static și vom defini rezolvarea adreselor DNS folosind utilitarul nmtui
ce rulează foarte bine în consolă:
Setăm numele mașinii client:
[florin@localhost ~]$ sudo hostnamectl set-hostname florin-rocky
În /etc/hosts
ne definim mașina:
[florin@localhost ~]$ cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.0.41 florin-rocky.svgenebank.lan florin-rocky
Repornim mașina. După repornire verificăm:
[florin@florin-rocky ~]$ ping -c3 google.ro
PING google.ro (172.217.169.99) 56(84) bytes of data.
64 bytes from sof02s31-in-f3.1e100.net (172.217.169.99): icmp_seq=1 ttl=112 time=25.7 ms
64 bytes from sof02s31-in-f3.1e100.net (172.217.169.99): icmp_seq=2 ttl=112 time=25.9 ms
64 bytes from sof02s31-in-f3.1e100.net (172.217.169.99): icmp_seq=3 ttl=112 time=25.8 ms
--- google.ro ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 25.745/25.797/25.852/0.043 ms
[florin@florin-rocky ~]$ ping -c3 dc1
PING dc1.svgenebank.lan (192.168.0.51) 56(84) bytes of data.
64 bytes from 192.168.0.51 (192.168.0.51): icmp_seq=1 ttl=64 time=0.521 ms
64 bytes from 192.168.0.51 (192.168.0.51): icmp_seq=2 ttl=64 time=0.781 ms
64 bytes from 192.168.0.51 (192.168.0.51): icmp_seq=3 ttl=64 time=0.715 ms
--- dc1.svgenebank.lan ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2004ms
rtt min/avg/max/mdev = 0.521/0.672/0.781/0.110 ms
Pentru sincronizarea ceasului mașinii florin-rocky
cu cel al severului AD-DC dc1
se va edita fișierul de configurare al serviciului chronyd
:
[florin@florin-rocky ~]$ sudo nano /etc/chrony.conf
Se aduc următoarele modificări:
#pool 2.rocky.pool.ntp.org iburst
# server from where the time is take it
server 192.168.0.51 iburst
# ipaddress of this Unix domain member
bindcmdaddress 192.168.0.41
În final fișierul chrony.conf
va arată de forma:
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (https://www.pool.ntp.org/join.html).
#pool 2.rocky.pool.ntp.org iburst
# server from where the time is take it
server 192.168.0.51 iburst
# ipaddress of this Unix domain member
bindcmdaddress 192.168.0.41
# Use NTP servers from DHCP.
sourcedir /run/chrony-dhcp
# Record the rate at which the system clock gains/losses time.
driftfile /var/lib/chrony/drift
# Allow the system clock to be stepped in the first three updates
# if its offset is larger than 1 second.
makestep 1.0 3
# Enable kernel synchronization of the real-time clock (RTC).
rtcsync
# Enable hardware timestamping on all interfaces that support it.
#hwtimestamp *
# Increase the minimum number of selectable sources required to adjust
# the system clock.
#minsources 2
# Allow NTP client access from local network.
#allow 192.168.0.0/16
# Serve time even if not synchronized to a time source.
#local stratum 10
# Require authentication (nts or key option) for all NTP sources.
#authselectmode require
# Specify file containing keys for NTP authentication.
keyfile /etc/chrony.keys
# Save NTS keys and cookies.
ntsdumpdir /var/lib/chrony
# Insert/delete leap seconds by slewing instead of stepping.
#leapsecmode slew
# Get TAI-UTC offset and leap seconds from the system tz database.
leapsectz right/UTC
# Specify directory for log files.
logdir /var/log/chrony
# Select which information is logged.
#log measurements statistics tracking
După salvarea fișierului de configurare a serviciului chronyd
acesta va fi repornit și verifica buna funcționare:
[florin@florin-rocky ~]$ sudo systemctl restart chronyd
[florin@florin-rocky ~]$ sudo systemctl status chronyd
● chronyd.service - NTP client/server
Loaded: loaded (/usr/lib/systemd/system/chronyd.service; enabled; preset: enabled)
Active: active (running) since Mon 2025-05-19 13:02:55 EEST; 2s ago
Docs: man:chronyd(8)
man:chrony.conf(5)
Process: 2974 ExecStart=/usr/sbin/chronyd $OPTIONS (code=exited, status=0/SUCCESS)
Main PID: 2976 (chronyd)
Tasks: 1 (limit: 16182)
Memory: 920.0K
CPU: 25ms
CGroup: /system.slice/chronyd.service
└─2976 /usr/sbin/chronyd -F 2
mai 19 13:02:55 florin-rocky systemd[1]: Starting NTP client/server...
mai 19 13:02:55 florin-rocky chronyd[2976]: chronyd version 4.5 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SIGND +ASYNCDNS +NTS +SECHASH +IPV>
mai 19 13:02:55 florin-rocky chronyd[2976]: Loaded 0 symmetric keys
mai 19 13:02:55 florin-rocky chronyd[2976]: Using right/UTC timezone to obtain leap second data
mai 19 13:02:55 florin-rocky chronyd[2976]: Frequency -4.175 +/- 2.816 ppm read from /var/lib/chrony/drift
mai 19 13:02:55 florin-rocky chronyd[2976]: Loaded seccomp filter (level 2)
mai 19 13:02:55 florin-rocky systemd[1]: Started NTP client/server.
[florin@florin-rocky ~]$ chronyc sources
MS Name/IP address Stratum Poll Reach LastRx Last sample
===============================================================================
^* 192.168.0.51 3 6 17 47 +11us[ +32us] +/- 29ms
[florin@florin-rocky ~]$ chronyc tracking
Reference ID : C0A80033 (192.168.0.51)
Stratum : 4
Ref time (UTC) : Mon May 19 10:03:01 2025
System time : 0.000000004 seconds slow of NTP time
Last offset : +0.000021484 seconds
RMS offset : 0.000021484 seconds
Frequency : 4.175 ppm slow
Residual freq : +1.455 ppm
Skew : 2.929 ppm
Root delay : 0.055686146 seconds
Root dispersion : 0.001265819 seconds
Update interval : 2.0 seconds
Leap status : Normal
După cum se observă ceasul mașinii florin-rocky
este acum sincron cu ceasul severului AD-DC dc1
(ip 192.168.0.51).
În continuare se instalează pachetele cu aplicațiile necesare pentru a înrola în domeniu mașina florin-rocky
:
[florin@florin-rocky ~]$ sudo dnf install realmd oddjob oddjob-mkhomedir sssd adcli krb5-workstation
Se verifică dacă serverul de domeniu este vizibil:
[florin@florin-rocky ~]$ realm discover svgenebank.lan
svgenebank.lan
type: kerberos
realm-name: SVGENEBANK.LAN
domain-name: svgenebank.lan
configured: no
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common-tools
În continuare se va înrola mașina ce rulează Rocky Linux:
[florin@florin-rocky ~]$ sudo realm join dc1.svgenebank.lan
Password for Administrator@SVGENEBANK.LAN:
Warning: Your password will expire in 41 days on Lu 30 iun 2025 10:06:49 +0300
După introducerea parolei administratorului de domeniu, mașina, florin-rocky
, va fi înrolată în domeniul svgenebank.lan
.
Verificare
După configurările de mai sus se va putea solicita informații legate de passwd
pentru a constata buna funcționare:
[florin@florin-rocky ~]$ sudo getent passwd administrator@svgenebank.lan
administrator@svgenebank.lan:*:487200500:487200513:Administrator:/home/administrator@svgenebank.lan:/bin/bash
După cum se poate constata mașina noastră primește informații de la serverul samba AD-DC dc1
.
Autentificarea cu numele și parola unui utilizator de domeniu în Rocky Linux
Pentru autentificare inițială în domeniu va trebui să se aleagă utilizator Nelistat?
:
După care se va completa numele utilizatorului de domeniu:
Urmând ca în final să se completeze parola utilizatorului de domeniu:
După autentificarea în domeniu vom fi conectați iar stația va fi funcțională:
După cum se observă stația a preluat informațiile din AD-DC.
Utilizator florint
va fi vizibil la nouă logare în desktop manager (gdm):
Eliminarea unei stații din domeniu
[florin@florin-rocky ~]$ sudo realm leave svgenebank.lan
Varianta de înrolare folosind serviciile samba și winbind
În continuare se va înrola mașina florin-rocky
folosind samba și winbind. Acesta este varianta preferată:
[florin@florin-rocky ~]$ sudo dnf install samba samba-winbind samba-client
[florin@florin-rocky ~]$ sudo realm join -v --membership-software=samba --client-software=winbind dc1.svgenebank.lan
Verificăm dacă serviciile samba, winbind și oddjobd
sunt pornite:
[florin@florin-rocky ~]$ sudo systemctl status winbind.service
● winbind.service - Samba Winbind Daemon
Loaded: loaded (/usr/lib/systemd/system/winbind.service; enabled; preset: disabled)
Active: active (running) since Wed 2025-05-21 08:18:29 EEST; 3min 45s ago
Docs: man:winbindd(8)
man:samba(7)
man:smb.conf(5)
Main PID: 3389 (winbindd)
Status: "winbindd: ready to serve connections..."
Tasks: 6 (limit: 16182)
Memory: 17.6M
CPU: 795ms
CGroup: /system.slice/winbind.service
├─3389 /usr/sbin/winbindd --foreground --no-process-group
├─3392 /usr/sbin/winbindd --foreground --no-process-group
├─3394 /usr/sbin/winbindd --foreground --no-process-group
├─3604 /usr/libexec/samba/samba-dcerpcd --libexec-rpcds --ready-signal-fd=24 --np-helper --debuglevel=0
├─3614 /usr/libexec/samba/rpcd_lsad --configfile=/etc/samba/smb.conf --worker-group=6 --worker-index=5 --debuglevel=0
└─3616 /usr/libexec/samba/rpcd_lsad --configfile=/etc/samba/smb.conf --worker-group=6 --worker-index=6 --debuglevel=0
mai 21 08:18:30 florin-rocky rpcd_lsad[3468]: Copyright Andrew Tridgell and the Samba Team 1992-2024
mai 21 08:21:26 florin-rocky samba-dcerpcd[3604]: [2025/05/21 08:21:26.801281, 0] ../../source3/rpc_server/rpc_host.c:2905(main)
mai 21 08:21:26 florin-rocky samba-dcerpcd[3604]: samba-dcerpcd version 4.20.2 started.
mai 21 08:21:26 florin-rocky samba-dcerpcd[3604]: Copyright Andrew Tridgell and the Samba Team 1992-2024
mai 21 08:21:26 florin-rocky rpcd_lsad[3614]: [2025/05/21 08:21:26.940341, 0] ../../source3/rpc_server/rpc_worker.c:1155(rpc_worker_main)
mai 21 08:21:26 florin-rocky rpcd_lsad[3614]: rpcd_lsad version 4.20.2 started.
mai 21 08:21:26 florin-rocky rpcd_lsad[3614]: Copyright Andrew Tridgell and the Samba Team 1992-2024
mai 21 08:21:26 florin-rocky rpcd_lsad[3616]: [2025/05/21 08:21:26.971334, 0] ../../source3/rpc_server/rpc_worker.c:1155(rpc_worker_main)
mai 21 08:21:26 florin-rocky rpcd_lsad[3616]: rpcd_lsad version 4.20.2 started.
mai 21 08:21:26 florin-rocky rpcd_lsad[3616]: Copyright Andrew Tridgell and the Samba Team 1992-2024
[florin@florin-rocky ~]$ sudo systemctl status oddjobd.service
● oddjobd.service - privileged operations for unprivileged applications
Loaded: loaded (/usr/lib/systemd/system/oddjobd.service; enabled; preset: disabled)
Active: active (running) since Wed 2025-05-21 08:07:26 EEST; 14min ago
Main PID: 913 (oddjobd)
Tasks: 1 (limit: 16182)
Memory: 1.3M
CPU: 2ms
CGroup: /system.slice/oddjobd.service
└─913 /usr/sbin/oddjobd -n -p /run/oddjobd.pid -t 300
mai 21 08:07:26 florin-rocky systemd[1]: Started privileged operations for unprivileged applications.
Modificăm fișierul de configurare /etc/samba/smb.conf
astfel ca la logare să folosim utilizator
și nu utilizator@nume_domeniu
precum să și posibilitatea de a obține lista cu utilizatorii și grupurile:
winbind use default domain = yes
winbind enum groups = yes
winbind enum users = yes
Fișierul va arăta de forma:
# See smb.conf.example for a more detailed config file or
# read the smb.conf manpage.
# Run 'testparm' to verify the config is correct after
# you modified it.
#
# Note:
# SMB1 is disabled by default. This means clients without support for SMB2 or
# SMB3 are no longer able to connect to smbd (by default).
[global]
security = ads
passdb backend = tdbsam
printing = cups
printcap name = cups
load printers = yes
cups options = raw
kerberos method = secrets and keytab
template homedir = /home/%U@%D
password server = dc1.svgenebank.lan
template shell = /bin/bash
idmap config SVGENEBANK : range = 2000000-2999999
idmap config SVGENEBANK : backend = rid
idmap config * : range = 10000-999999
idmap config * : backend = tdb
winbind use default domain = yes
winbind refresh tickets = yes
winbind offline logon = yes
winbind enum groups = yes
winbind enum users = yes
realm = SVGENEBANK.LAN
workgroup = SVGENEBANK
[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes
[printers]
comment = All Printers
path = /var/tmp
printable = Yes
create mask = 0600
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = @printadmin root
force group = @printadmin
create mask = 0664
directory mask = 0775
Pentru a da dreptul utilizatorului florint
de a rula orice comanda și de administra mașina acesta va trebui să fie adăugat în fiîserul /etc/sudoers
:
# Users from domain to run all commands
florint ALL=(ALL) ALL
Logarea într-o mașină din domeniu se poate realiza cu numele de utilizator din domeniu:
Pentru a fi vizibil în rețea și a partaja fișiere se poate porni serviciul
samba
:
[florint@florin-rocky ~]$ sudo systemctl start smb.service
[florint@florin-rocky ~]$ sudo systemctl status smb.service
● smb.service - Samba SMB Daemon
Loaded: loaded (/usr/lib/systemd/system/smb.service; disabled; preset: disabled)
Active: active (running) since Wed 2025-05-21 09:16:17 EEST; 5min ago
Docs: man:smbd(8)
man:samba(7)
man:smb.conf(5)
Main PID: 3030 (smbd)
Status: "smbd: ready to serve connections..."
Tasks: 4 (limit: 16182)
Memory: 9.5M
CPU: 399ms
CGroup: /system.slice/smb.service
├─3030 /usr/sbin/smbd --foreground --no-process-group
├─3032 /usr/sbin/smbd --foreground --no-process-group
├─3033 /usr/sbin/smbd --foreground --no-process-group
└─3045 /usr/sbin/smbd --foreground --no-process-group
mai 21 09:16:17 florin-rocky systemd[1]: Started Samba SMB Daemon.
mai 21 09:16:34 florin-rocky samba-dcerpcd[3047]: [2025/05/21 09:16:34.047253, 0] ../../source3/rpc_server/rpc_host.c:2905(main)
mai 21 09:16:34 florin-rocky samba-dcerpcd[3047]: samba-dcerpcd version 4.20.2 started.
mai 21 09:16:34 florin-rocky samba-dcerpcd[3047]: Copyright Andrew Tridgell and the Samba Team 1992-2024
mai 21 09:16:34 florin-rocky rpcd_classic[3057]: [2025/05/21 09:16:34.199873, 0] ../../source3/rpc_server/rpc_worker.c:1155(rpc_worker_main)
mai 21 09:16:34 florin-rocky rpcd_classic[3057]: rpcd_classic version 4.20.2 started.
mai 21 09:16:34 florin-rocky rpcd_classic[3057]: Copyright Andrew Tridgell and the Samba Team 1992-2024
mai 21 09:16:34 florin-rocky rpcd_winreg[3059]: [2025/05/21 09:16:34.231102, 0] ../../source3/rpc_server/rpc_worker.c:1155(rpc_worker_main)
mai 21 09:16:34 florin-rocky rpcd_winreg[3059]: rpcd_winreg version 4.20.2 started.
mai 21 09:16:34 florin-rocky rpcd_winreg[3059]: Copyright Andrew Tridgell and the Samba Team 1992-2024
Acum mașina va fi vizibilă:
Stația
florin-rocky
poate fi utilizată de orice utilizator de domeniu. La prima logare locală sau prin remote se va crea automat directorul /home/nume_utilizator@nume_domeniu
.
Se va adăuga un utilizator nou în serverul dc1
:
florin@dc1:~$ sudo samba-tool user add alinat --given-name=Alina --surname=Tanasă --initials=AT --mail-address=alina.tanasa@genebanksv.ro --job-title='Scientific researcher' --department='In Vitro' --company='Genebank Suceava'--internet-address=genebanksv.ro --login-shell=/bin/bash
New Password:
Retype Password:
User 'alinat' added successfully
După care se crea un grup nou în care se adăuga utilizatorul alinat
:
florin@dc1:~$ sudo samba-tool group add "Scientific researchers" --description='Group for scientific researchers members' --mail-address=researchers@genebanksv.ro
Added group Scientific researchers
florin@dc1:~$ sudo samba-tool group addmembers "Scientific researchers" alinat
Added members to group Scientific researchers
florin@dc1:~$
Acum utilizator alinat
se va putea conecta la oricare stație din domeniu, utilizând conectarea locală sau la distanță prin ssh
:
florin@dc1:~$ ssh alinat@florin-rocky.svgenebank.lan
alinat@florin-rocky.svgenebank.lan's password:
[alinat@florin-rocky ~]$ id
uid=2001111(alinat) gid=2000513(domain users) grupuri=2000513(domain users),10001(BUILTIN\users),2001111(alinat),2001112(scientific researchers) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[alinat@florin-rocky ~]$ pwd
/home/alinat@SVGENEBANK
[alinat@florin-rocky ~]$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 52:54:00:69:85:39 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.41/24 brd 192.168.0.255 scope global noprefixroute enp1s0
valid_lft forever preferred_lft forever
inet6 fe80::5054:ff:fe69:8539/64 scope link noprefixroute
valid_lft forever preferred_lft forever
[alinat@florin-rocky ~]$ hostname -f
florin-rocky.svgenebank.lan
Chiar dacă încă nu s-a conectat local utilizatorul alinat
acesta a fost creat pe stația florin-rocky
:
Lista cu utilizatori locali și din domeniu | Directorul de lucru și id-ul utilizatorului |
![]() |
![]() |