
A domain server is essential in a company: it centralises the management of your company's user accounts. However, setting up such a server can be expensive.

A Windows Server domain is based on the LDAP protocol. Note that Samba AD speaks the same protocol.

You can therefore perfectly well run a Linux domain server alongside a fleet of Windows 7/8/8.1/10 workstations.

Don't be afraid: setting it up is simple, and you will be able to manage the server the same way as with Windows thanks to RSAT.

The setup is divided into four steps:

  • Prepare your Debian server
  • Install and configure Samba AD
  • Create your domain
  • Bring the Samba domain into service

Step 1 – Prepare your Debian server

Change your machine's name, appending your future domain name to it

```
root@srvdc:~# vi /etc/hostname
srvdc.office.local
```

Do the same in the hosts file

```
root@srvdc:~# vi /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.10.254   srvdc.office.local     srvdc
```

Assign a static IP address to your machine

```
root@srvdc:~# vi /etc/network/interfaces
auto ens33
iface ens33 inet static
      address 192.168.10.254/24
      gateway 192.168.10.1
```

Reboot your server

```
root@srvdc:~# reboot
```
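A domain controller that cannot resolve its own name to its static address will provision a broken DNS zone, so it is worth verifying step 1 after the reboot rather than discovering it at step 3. The script below is an added example and not part of the original article: it checks /etc/hostname and /etc/hosts for the name and address the article uses (srvdc.office.local, 192.168.10.254), and also rejects the 127.0.1.1 mapping the Debian installer tends to leave behind. The function names are mine; the file paths are parameters so the checks can run against constructed sample files as well as the real ones.

```shell
#!/bin/sh
# Added example, not from the original article: sanity-check the name setup of
# step 1 before provisioning. Defaults are the article's values; the file
# paths are parameters so the checks also run against constructed sample files.

# check_hostname_file FILE FQDN: the first line of FILE must be exactly FQDN
check_hostname_file() {
    [ "$(head -n 1 "$1" | tr -d '[:space:]')" = "$2" ]
}

# check_hosts_entry HOSTS_FILE FQDN IP: HOSTS_FILE must have a line mapping IP
# to both FQDN and its short name (what the article writes on the last line)
check_hosts_entry() {
    hosts_file=$1; fqdn=$2; ip=$3
    short=${fqdn%%.*}
    awk -v ip="$ip" -v fqdn="$fqdn" -v short="$short" '
        { sub(/#.*/, "") }                    # drop comments
        $1 == ip {
            f = 0; s = 0
            for (i = 2; i <= NF; i++) { if ($i == fqdn) f = 1; if ($i == short) s = 1 }
            if (f && s) found = 1
        }
        END { if (found) exit 0; exit 1 }' "$hosts_file"
}

# check_fqdn_not_loopback HOSTS_FILE FQDN: the Debian installer puts the hostname
# on 127.0.1.1 by default; a DC whose own name resolves to loopback will register
# that loopback address in its AD DNS zone, so fail if FQDN sits on a 127.x/::1 line
check_fqdn_not_loopback() {
    hosts_file=$1; fqdn=$2
    ! awk -v fqdn="$fqdn" '
        { sub(/#.*/, "") }
        ($1 ~ /^127\./ || $1 == "::1") { for (i = 2; i <= NF; i++) if ($i == fqdn) bad = 1 }
        END { if (bad) exit 0; exit 1 }' "$hosts_file"
}

# check_dc_names [FQDN] [IP] [HOSTNAME_FILE] [HOSTS_FILE]: run all checks,
# print a summary line per check, return non-zero if any of them fails
check_dc_names() {
    fqdn=${1:-srvdc.office.local}; ip=${2:-192.168.10.254}
    hostname_file=${3:-/etc/hostname}; hosts_file=${4:-/etc/hosts}
    rc=0
    if check_hostname_file "$hostname_file" "$fqdn"; then echo "hostname file: ok"; else echo "hostname file: not $fqdn"; rc=1; fi
    if check_hosts_entry "$hosts_file" "$fqdn" "$ip"; then echo "hosts entry: ok"; else echo "hosts entry: no '$ip $fqdn ${fqdn%%.*}' line"; rc=1; fi
    if check_fqdn_not_loopback "$hosts_file" "$fqdn"; then echo "loopback: ok"; else echo "loopback: $fqdn resolves to 127.x/::1"; rc=1; fi
    return $rc
}
```

Run `check_dc_names` with no arguments on the server itself to check /etc/hostname and /etc/hosts against the article's values, or pass your own FQDN and address as the first two arguments.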

Step 2 – Install and configure Samba AD

Once logged in as root, enter the following command:

```
root@srvdc:~# apt -y install samba krb5-config winbind smbclient
```

Since our server uses static addressing, select No

```
If your computer gets IP address information from a DHCP server on the
network, the DHCP server may also provide information about WINS servers
("NetBIOS name servers") present on the network.  This requires a change
to your smb.conf file so that DHCP-provided WINS settings will
automatically be read from /var/lib/samba/dhcp.conf.

The dhcp-client package must be installed to take advantage of this
feature.

Modify smb.conf to use WINS settings from DHCP?

                    <Yes>                       <No>
```

Enter your domain name (e.g. office.local)

```
When users attempt to use Kerberos and specify a principal or user name
without specifying what administrative Kerberos realm that principal
belongs to, the system appends the default realm.  The default realm may
also be used as the realm of a Kerberos service running on the local
machine.  Often, the default realm is the uppercase version of the local
DNS domain.

Default Kerberos version 5 realm:

OFFICE.LOCAL_____________________________________________________________

                                 <Ok>
```

Specify your server's full name (including the domain name)

```
Enter the hostnames of Kerberos servers in the SRV.WORLD Kerberos
realm separated by spaces.

Kerberos servers for your realm:

SRVDC.OFFICE.LOCAL_______________________________________________________

                                 <Ok>
```

And once again

```
Enter the hostname of the administrative (password changing) server for
the SRV.WORLD Kerberos realm.

Administrative server for your Kerberos realm:

SRVDC.OFFICE.LOCAL_______________________________________________________

                                 <Ok>
```

Samba is now installed and configured correctly
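The four dialogs above are debconf questions, so the same answers can be supplied up front and the install run without prompts, which is what you want when the DC is built by a script or rebuilt from scratch. The snippet below is an added example and not part of the original article: it derives the Kerberos realm from the server's FQDN (the dialog text itself says the realm is usually the upper-cased DNS domain) and prints the selections for the four prompts. It assumes the debconf keys shown (samba-common/dhcp, krb5-config/default_realm, krb5-config/kerberos_servers, krb5-config/admin_server) are the ones the samba-common and krb5-config packages ship; the function names are mine and the default values are the article's.

```shell
#!/bin/sh
# Added example, not part of the original article: answer the debconf questions
# from the command line so the install runs unattended. Assumption: the debconf
# keys below are the ones shipped by Debian's samba-common and krb5-config
# packages. Defaults are the article's values (srvdc.office.local, OFFICE.LOCAL).

# realm_from_fqdn FQDN: prints the Kerberos realm, i.e. the DNS domain upper-cased
realm_from_fqdn() {
    printf '%s\n' "${1#*.}" | tr '[:lower:]' '[:upper:]'
}

# samba_preseed FQDN: prints one debconf selection per dialog shown in step 2
samba_preseed() {
    fqdn=$1
    realm=$(realm_from_fqdn "$fqdn")
    upper_fqdn=$(printf '%s' "$fqdn" | tr '[:lower:]' '[:upper:]')
    # "Modify smb.conf to use WINS settings from DHCP?" -> No (static addressing)
    printf 'samba-common samba-common/dhcp boolean false\n'
    # "Default Kerberos version 5 realm:"
    printf 'krb5-config krb5-config/default_realm string %s\n' "$realm"
    # "Kerberos servers for your realm:" (the article enters the DC's own name)
    printf 'krb5-config krb5-config/kerberos_servers string %s\n' "$upper_fqdn"
    # "Administrative server for your Kerberos realm:"
    printf 'krb5-config krb5-config/admin_server string %s\n' "$upper_fqdn"
}

# unattended_install FQDN: load the selections into debconf, then install exactly
# the packages from the article without prompting. Must run as root on the server.
unattended_install() {
    samba_preseed "$1" | debconf-set-selections
    DEBIAN_FRONTEND=noninteractive apt -y install samba krb5-config winbind smbclient
}
```

`samba_preseed srvdc.office.local` prints the four selections so you can review them; `unattended_install srvdc.office.local` applies them and runs the same apt command as the article.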

Step 3 – Create your domain

Rename the original configuration file

```
root@smb:~# mv /etc/samba/smb.conf /etc/samba/smb.conf.org
```

Launch the domain provisioning

```
root@smb:~# samba-tool domain provision
```

Keep the default choice for the first four prompts by confirming each with Enter

```
Realm [OFFICE.LOCAL]:
Domain [OFFICE]:
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
```

If you have already configured forwarders on your server, press Enter; otherwise, enter the IP address of the DNS server of your choice

```
DNS forwarder IP address (write 'none' to disable forwarding) [1.1.1.1]:
```

Enter the password for the Administrator account twice

```
Administrator password:
Retype password:
```

If all goes well, this is what should appear on screen

```
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs

Adding DomainDN: DC=office,DC=local
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers and extended rights
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=office,DC=local
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf
Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
Once the above files are installed, your Samba AD server will be ready to use
Server Role:           active directory domain controller
Hostname:              srvdc
NetBIOS Domain:        OFFICE
DNS Domain:            office.local
DOMAIN SID:            *-*-*-**-**********-**********-**********
```

Step 4 – Bring the Samba domain into service

Copy the Kerberos configuration file into the /etc directory

```
root@srvdc:~# cp /var/lib/samba/private/krb5.conf /etc/
```

Stop the SMB, NMB and Winbind services

```
root@srvdc:~# systemctl stop smbd nmbd winbind
```

Disable the services

```
root@srvdc:~# systemctl disable smbd nmbd winbind
```

Unmask the Samba AD DC service

```
root@srvdc:~# systemctl unmask samba-ad-dc
```

Start the service

```
root@srvdc:~# systemctl start samba-ad-dc
```

Enable the service

```
root@srvdc:~# systemctl enable samba-ad-dc
```

Check the status of Samba AD

```
root@smb:~# smbclient -L localhost -U%

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk
        sysvol          Disk
        IPC$            IPC       IPC Service (Samba 4.9.5-Debian)
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP            NAS
```

Check the domain functional level

```
root@smb:~# samba-tool domain level show
Domain and forest function level for domain 'DC=office,DC=local'

Forest function level: (Windows) 2008 R2
Domain function level: (Windows) 2008 R2
Lowest function level of a DC: (Windows) 2008 R2
```

Add a first user (e.g. alex)

```
root@smb:~# samba-tool user create alex
```

Enter the user's password

```
New Password:
Retype Password:
User 'alex' created successfully
```
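The provisioning output in step 3 insists that /etc/krb5.conf be a real copy rather than a symlink, and the two commands at the end of step 4 are what tell you the DC is actually serving: netlogon and sysvol must be published (Group Policy and logon scripts live there) and the functional level must be reported. The script below is an added example and not part of the original article: it turns those three checks into functions that parse the command output shown on this page, so they can be run after every deployment rather than read by eye. The names srvdc, office.local and OFFICE.LOCAL are the article's; the function names are mine, and the live wrapper at the end runs the article's own smbclient and samba-tool commands.

```shell
#!/bin/sh
# Added example, not from the original article: post-deployment checks that parse
# the outputs shown in steps 3 and 4. Realm and share names are the article's.

# check_krb5_conf FILE REALM: fail if FILE is a symlink (the provisioning output
# forbids one) or if its default_realm is not REALM
check_krb5_conf() {
    file=$1; realm=$2
    [ -L "$file" ] && return 1
    [ -f "$file" ] || return 1
    grep -E '^[[:space:]]*default_realm[[:space:]]*=' "$file" \
        | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//' \
        | grep -qxF "$realm"
}

# check_dc_shares FILE: FILE holds the output of "smbclient -L localhost -U%";
# both netlogon and sysvol must be listed as Disk shares
check_dc_shares() {
    out=$1
    for share in netlogon sysvol; do
        awk -v s="$share" '$1 == s && $2 == "Disk" { f = 1 } END { if (f) exit 0; exit 1 }' "$out" \
            || return 1
    done
}

# function_level FILE: FILE holds the output of "samba-tool domain level show";
# prints the domain function level, e.g. "(Windows) 2008 R2"
function_level() {
    sed -n 's/^Domain function level: *//p' "$1"
}

# run_dc_checks: run the article's commands on the live server and feed the
# parsers above; prints one line per check
run_dc_checks() {
    tmp=$(mktemp -d)
    smbclient -L localhost -U% > "$tmp/shares" 2>/dev/null
    samba-tool domain level show > "$tmp/level"
    if check_krb5_conf /etc/krb5.conf OFFICE.LOCAL; then echo "krb5.conf: ok"; else echo "krb5.conf: symlink, missing, or wrong realm"; fi
    if check_dc_shares "$tmp/shares"; then echo "shares: ok"; else echo "shares: netlogon/sysvol not published"; fi
    echo "domain function level: $(function_level "$tmp/level")"
    rm -rf "$tmp"
}

# Only touch the live server when explicitly asked: sh this-script.sh --live
if [ "${1:-}" = "--live" ]; then
    run_dc_checks
fi
```

The parsers take file paths rather than running commands themselves so the same checks work on captured output (for example from a remote DC) and on the page's own sample output.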


Categories: UNIX/Linux

7 comments

DARMALINGON Philippe · 19 December 2019 at 15:46

Thank you for your help for my trainees

Pierre Malard · 3 December 2020 at 17:42

Hello,
Very good documentation, but where is LDAP?
How do you access the LDAP services through an LDAP browser?

Thank you

    Alex BACHER · 3 December 2020 at 17:50

    Hello, thank you for your feedback 🙂 You can work on LDAP from the command line on your Linux server or, in a more familiar way, you can manage your LDAP domain the same way as with a Windows server by installing the RSAT on your Windows computer, as mentioned at the start of the article. Here is an article about it: https://frama.link/5kqUvnt-

      Pierre Malard · 3 December 2020 at 18:13

      I was not precise enough in my question:
      What is the administrator's bind DN (e.g. cn=admin,dc=domaine)?
      Where is the LDAP configuration written?

      Thank you

        Alex BACHER · 3 December 2020 at 18:21

        In my opinion you can find this information in the file /etc/samba/smb.conf

Benjamin Katschmarsky · 14 December 2020 at 15:17

Hello, what about the ZeroLogon vulnerability? In the version of Samba that would be installed today (14/12/2020), is the vulnerability fixed?
