Server/global

Aus C3D2
(Weitergeleitet von Global.hq.c3d2.de)
Wechseln zu: Navigation, Suche

global.hq.c3d2.de

Samba Active Directory für DynDNS Updates mit GSS-TSIG

Ziel
einfacher DynDNS Update Dienst (mit Kerberos & GSS-TSIG Absicherung) für Wunschname.space.c3d2.de

pentapad:global.hq.c3d2.de als aktuelle DNS Reservierungsliste

Client Installation / Einrichtung

benötigt werden:

  • Samba(4)
  • Kerberos(5)
  • Kerberos(5) Client Package (klist/kinit etc.)
  • DNSUtils
  • do-nsupdate.sh Mini-Skript (Linux/Mac/FreeBSD)

Samba muss nicht auf dem Client-Rechner (als Dienst) konfiguriert werden!

Installation

do-nsupdate.sh

ab Version 15 werden fehlende Komponenten automatisch nachinstalliert

Allgemein

git clone https://github.com/plitc/samba-nsupdate.git

cp ~/samba-nsupdate/do-nsupdate.conf $HOME/do-nsupdate.conf

chmod 775 $HOME/do-nsupdate.sh
$HOME/do-nsupdate.sh


(Debian) Linux

apt-get install samba krb5-user krb5-clients dnsutils

(Free)BSD

cd /usr/ports/net/samba4/ && make install clean

optional

cd /usr/ports/security/krb5/ && make install clean

MacOS

benötigt:

  • min. 10.9.x (für SMB2 Support)

Active-Directory Mitgliedschaft erforderlich!

Windows

benötigt:

  • min. Vista (SMB2 entspricht SMB2.0 Vista SP1+ Windows 2008)
  • nsupdate erfolgt über $COMPUTERNAME Konto

Active-Directory Mitgliedschaft erforderlich!

do-nsupdate.sh Benutzung

  1. Mini-Skript herunterladen
  2. bearbeiten (mit Texteditor eigener Wahl)
  3. ausführen
KERBEROSADMINUSER="username@SPACE.C3D2.DE"
ADMACHINENAME="wunschname.space.c3d2.de"
ADSERVERNAME="space.c3d2.de"
ADSERVERZONE="space.c3d2.de"
ADMACHINETTL="3600"
chmod 775 do-nsupdate.sh
./do-nsupdate.sh

do-nsupdate.sh Beispiel

[daniel@freebie:~]$ ./do-nsupdate.sh 
username@SPACE.C3D2.DE's Password: 
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; ZONE SECTION:
;space.c3d2.de.                 IN      SOA

;; UPDATE SECTION:
wunschname.space.c3d2.de.  0       ANY     A
wunschname.space.c3d2.de.  3600    IN      A       XXX.XXX.XXX.XXX
wunschname.space.c3d2.de.  0       ANY     AAAA
wunschname.space.c3d2.de.  3600    IN      AAAA    ZZZZ:ZZZZ:ZZZZ::YYYY

So lässt sich schnell ein DNS Update durchführen um fix im neuen Netz seine Dienste bereitstellen zu können.

That's it!

Active Directory - Verzeichnis Administratoren

derzeit: daniel

... weitere Freiwillige? ...

Active Directory - User hinzufügen

samba-tool user add USERNAME

samba-tool group addmembers DnsAdmins USERNAME

lxc Container

  • Debian Jessie
  • Samba 4.1.3 / Kerberos 5
  • IPv4: 217.115.11.136
  • IPv6: 2001:4dd0:fb82:c3d2:a800:5bff:fe06:c2b7

DNS

  • global.hq.c3d2.de

DNS Nameserver / Records

  • space.c3d2.de. IN NS global.hq.c3d2.de.
  • _dns-update._tcp IN SRV 5 0 53 space.c3d2.de.
  • _dns-update._udp IN SRV 5 0 53 space.c3d2.de.
  • space IN MX 10 mail.c3d2.de.
  • space IN TXT "v=spf1 mx -all"
  • b._dns-sd._udp 60 PTR space.c3d2.de.
  • db._dns-sd._udp 60 PTR space.c3d2.de.
  • dr._dns-sd._udp 60 PTR space.c3d2.de.
  • lb._dns-sd._udp 60 PTR space.c3d2.de.
  • r._dns-sd._udp 60 PTR space.c3d2.de.

Server Installation

apt-get install samba
service samba stop
rm /etc/samba/smb.conf
rm -rfv /var/lib/samba
mkdir /var/lib/samba
mkdir /var/lib/samba/private

neue Samba Provisionierung

/usr/bin/samba-tool domain provision --use-ntvfs --use-rfc2307 --function-level=2008_R2 --realm=SPACE.C3D2.DE --domain=SPACE --adminpass='GEHEIM' --server-role='dc' --dns-backend=SAMBA_INTERNAL

Samba läuft mit virtuellen sysvol NTACLs, zukünftig fehlende +s3fs Daemon Unterstützung da --use-xattrs=yes nicht in dem lxc Container mit btrfs unterstützt wird!

[root@global:~]# /usr/bin/samba-tool domain provision --use-ntvfs --use-rfc2307 --function-level=2008_R2 --realm=SPACE.C3D2.DE --domain=SPACE --adminpass='GEHEIM' --server-role='dc' --dns-backend=SAMBA_INTERNAL
You are not root or your system do not support xattr, using tdb backend for attributes. 
not using extended attributes to store ACLs and other metadata. If you intend to use this provision in production, rerun the script as root on a system supporting xattrs.
Looking up IPv4 addresses
Looking up IPv6 addresses
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=space,DC=c3d2,DC=de
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=space,DC=c3d2,DC=de
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /var/lib/samba/private/krb5.conf
Setting up fake yp server settings
Once the above files are installed, your Samba4 server will be ready to use
Server Role:           active directory domain controller
Hostname:              global
NetBIOS Domain:        SPACE
DNS Domain:            space.c3d2.de
DOMAIN SID:            S-1-5-21-0123456789-123456789-0123456789

smb.conf - Anpassung

vi /etc/samba/smb.conf
# Global parameters
[global]
        workgroup = SPACE
        realm = SPACE.C3D2.DE
        netbios name = GLOBAL
        server role = active directory domain controller

        idmap_ldb:use rfc2307 = yes # LDAP Provisionierung nach RFC2307
        posix:eadb = /var/lib/samba/private/eadb.tdb

### dns forwarder = 172.22.99.251 # soll kein public resolver werden

        server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns, smb
        dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, winreg, srvsvc

### ### ### C3D2 ### ### ###

        server string = %h - Global.HQ.C3D2.de

### interfaces = 217.115.11.136 2001:4dd0:fb82:c3d2:a800:5bff:fe06:c2b7
### bind interfaces only = No

        # allow dynamic dns update / true = nonsecure + signed
        allow dns updates = signed

        # debian specific
        nsupdate command = /usr/sbin/samba_dnsupdate

### ### # server options

        ### server min protocol = SMB2_02 (ab Windows 7)
        server min protocol = SMB2
        server max protocol = SMB3

        disable netbios = yes
        smb ports = 445

        server signing = auto

        # protocol stream encryption for smbclient
        smb encrypt = auto

### ### # client options (for local services / smbclient etc.)

        ### client min protocol = SMB2_02
        client min protocol = SMB2
        client max protocol = SMB3


        client ldap sasl wrapping = seal

        client signing = auto
        client schannel = auto

        lanman auth = No
        ntlm auth = No
        client use spnego = Yes
        client ntlmv2 auth = Yes
        client lanman auth = No
        client plaintext auth = No

### ### ### C3D2 ### ### ###

[netlogon]
        path = /var/lib/samba/sysvol/space.c3d2.de/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

### ### ### C3D2 ### ### ###
#
# EOF

Samba Checks

samba-tool testparm
samba-tool dbcheck
samba-tool ntacl sysvolcheck

krb5.conf - Anpassung

vi /var/lib/samba/private/krb5.conf
[libdefaults]
        default_realm = SPACE.C3D2.DE
        dns_lookup_realm = true
        dns_lookup_kdc = true
        default_etypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5

        default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5
        default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5
        permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5

        forwardable = true
        proxiable = true

        ticket_lifetime = 86400

[realms]
        SPACE.C3D2.DE = {
        kdc = localhost:88
        admin_server = localhost:749
        default_domain = space.c3d2.de
}

[domain_realm]
        .space.c3d2.de = SPACE.C3D2.DE
        space.c3d2.de = SPACE.C3D2.DE

[logging]
        default = FILE:/var/log/samba/krb5libs.log
        kdc = FILE:/var/log/samba/krb5kdc.log
        admin_server = FILE:/var/log/samba/kadmind.log

; [kdc]
;         allow-anonymous = false
;         require-preauth = true
;         enable-kerberos4 = false

; # EOF

BTRFS Snapshot

btrfs subvolume snapshot /var/lib/lxc/global/rootfs /var/lib/lxc/global/rootfs-snap-smb4-`date -u +%Y.%m.%d-%H.%M.%S`

Samba Server starten

service samba start

Tests

DNS - SRV Record

[root@vps11:~]# dig SRV @global.hq.c3d2.de _kerberos._tcp.space.c3d2.de
zsh: correct '@global.hq.c3d2.de' to 'global.hq.c3d2.de' [nyae]? n

; <<>> DiG 9.8.4-P2 <<>> SRV @global.hq.c3d2.de _kerberos._tcp.space.c3d2.de
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9702
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;_kerberos._tcp.space.c3d2.de.  IN      SRV

;; ANSWER SECTION:
_kerberos._tcp.space.c3d2.de. 900 IN    SRV     0 100 88 global.space.c3d2.de.

;; Query time: 1 msec
;; SERVER: 2001:4dd0:fb82:c3d2:a800:5bff:fe06:c2b7#53(2001:4dd0:fb82:c3d2:a800:5bff:fe06:c2b7)
;; WHEN: Sat Jan 11 06:01:49 2014
;; MSG SIZE  rcvd: 73

Kerberos Ticket

[daniel@freebie:~]$ klist
Credentials cache: FILE:/tmp/krb5cc_1001
        Principal: username@SPACE.C3D2.DE

  Issued           Expires          Principal
Jan 11 06:11:43  Jan 11 16:11:42  krbtgt/SPACE.C3D2.DE@SPACE.C3D2.DE
Jan 11 06:11:43  Jan 11 16:11:42  DNS/global.space.c3d2.de@SPACE.C3D2.DE

That's it!

Server Optimierungen

b0rk3d

Teile des folgenden Inhalts sind nicht korrekt. Begründung: IPv6 Beispiel-Tables von squeeze/wheezy funktionieren derzeit im lxc Container unter jessie nicht

Firewall: IPv6 Rules

sudo apt-get install iptables
sudo vi /root/set_firewall_ipv6.sh
#!/bin/bash
# A bash shell script for ip6tables to protect single hosting / dedicated / vps / colo server running CentOS / Debian / RHEL / or any other Linux distribution.
# -------------------------------------------------------------------------
# Copyright (c) 2007 nixCraft project <http://www.cyberciti.biz/fb/>
# This script is licensed under GNU GPL version 2.0 or above
# -------------------------------------------------------------------------
# This script is part of nixCraft shell script collection (NSSC)
# Visit http://bash.cyberciti.biz/ for more information.
# ----------------------------------------------------------------------
# Last updated on Jan-23, 2008 : Added support for tcp packets
# Last updated on Oct-01, 2012 : Daniel Plominski (PLITC)
# ---------------------------------------------------------------------------
IPT6="/sbin/ip6tables"
 
# Interfaces 
PUB_IF="eth0"
PUB_LO="lo0"
### PUB_ETH1="eth1"
### PUB_ETH2="eth2"
### PUB_ETH3="eth3"
 
# Custom chain names
CHAINS="chk_tcp6_packets_chain chk_tcp_inbound chk_udp_inbound chk_icmp_packets"
 
echo "Starting IPv6 firewall..."
# first clean old mess
$IPT6 -F
$IPT6 -X
$IPT6 -Z
for table in $(</proc/net/ip6_tables_names)
do
        $IPT6 -t $table -F
        $IPT6 -t $table -X
        $IPT6 -t $table -Z
done
$IPT6 -P INPUT ACCEPT
$IPT6 -P OUTPUT ACCEPT
$IPT6 -P FORWARD ACCEPT
 
# Set default DROP all
$IPT6 -P INPUT DROP
$IPT6 -P OUTPUT DROP
$IPT6 -P FORWARD DROP
 
# Create the chain 
for c in $CHAINS
  do $IPT6 --new-chain $c
done
 
# Input policy
$IPT6 -A INPUT -i $PUB_LO -j ACCEPT
### $IPT6 -A INPUT -i $PUB_ETH1 -j ACCEPT
### $IPT6 -A INPUT -i $PUB_ETH2 -j ACCEPT
### $IPT6 -A INPUT -i $PUB_ETH3 -j ACCEPT
$IPT6 -A INPUT -i $PUB_IF -j  chk_tcp6_packets_chain
$IPT6 -A INPUT -i $PUB_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT6 -A INPUT -i $PUB_IF -p tcp -j chk_tcp_inbound 
$IPT6 -A INPUT -i $PUB_IF -p udp -j chk_udp_inbound 
$IPT6 -A INPUT -i $PUB_IF -p icmp -j chk_icmp_packets 
$IPT6 -A INPUT -i $PUB_IF -p ipv6-icmp -j chk_icmp_packets   
$IPT6 -A INPUT -i $PUB_IF -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "INPUT OUTPUT "
$IPT6 -A INPUT -i $PUB_IF -j DROP
 
# Output policy
$IPT6 -A OUTPUT -o $PUB_LO -j ACCEPT
### $IPT6 -A OUTPUT -o $PUB_ETH1 -j ACCEPT
### $IPT6 -A OUTPUT -o $PUB_ETH2 -j ACCEPT
### $IPT6 -A OUTPUT -o $PUB_ETH3 -j ACCEPT
$IPT6 -A OUTPUT -o $PUB_IF -j ACCEPT 
$IPT6 -A OUTPUT -o $PUB_IF -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "DROP OUTPUT "
 
### Custom chains ###
# Bad packets chk 
$IPT6 -A chk_tcp6_packets_chain -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "Bad tcp packets" 
$IPT6 -A chk_tcp6_packets_chain -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP 
$IPT6 -A chk_tcp6_packets_chain -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "Bad tcp packets" 
$IPT6 -A chk_tcp6_packets_chain -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP 
$IPT6 -A chk_tcp6_packets_chain -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "BAD tcp" 
$IPT6 -A chk_tcp6_packets_chain -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP 
$IPT6 -A chk_tcp6_packets_chain -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "Bad tcp" 
$IPT6 -A chk_tcp6_packets_chain -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP 
$IPT6 -A chk_tcp6_packets_chain -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "Bad tcp " 
$IPT6 -A chk_tcp6_packets_chain -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP 
$IPT6 -A chk_tcp6_packets_chain -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "Bad tcp " 
$IPT6 -A chk_tcp6_packets_chain -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP 
$IPT6 -A chk_tcp6_packets_chain -p tcp -j RETURN 
 
### ### ### C3D2 ### ### ###

# Global - SSH
$IPT6 -A chk_tcp_inbound -p tcp -m tcp --dport 22 -j ACCEPT
# Global - DNS
$IPT6 -A chk_tcp_inbound -p tcp -m tcp --dport 53 -j ACCEPT
# Global - Kerberos Auth
$IPT6 -A chk_tcp_inbound -p tcp -m tcp --dport 88 -j ACCEPT
# Global - NetBIOS Name
$IPT6 -A chk_tcp_inbound -p tcp -m tcp --dport 137 -j ACCEPT
# Global - NetBIOS Datagram
$IPT6 -A chk_tcp_inbound -p tcp -m tcp --dport 138 -j ACCEPT
# Global - NetBIOS Session
$IPT6 -A chk_tcp_inbound -p tcp -m tcp --dport 139 -j ACCEPT
# Global - LDAP
$IPT6 -A chk_tcp_inbound -p tcp -m tcp --dport 389 -j ACCEPT
# Global - CIFS
$IPT6 -A chk_tcp_inbound -p tcp -m tcp --dport 445 -j ACCEPT
# Global - Kerberos Change/Set Password
$IPT6 -A chk_tcp_inbound -p tcp -m tcp --dport 464 -j ACCEPT
# Global - Microsoft EPMAP - DCE/RPC
$IPT6 -A chk_tcp_inbound -p tcp -m tcp --dport 135 -j ACCEPT
# Global - LDAPS
$IPT6 -A chk_tcp_inbound -p tcp -m tcp --dport 636 -j ACCEPT
# Global - Kerberos Admin
$IPT6 -A chk_tcp_inbound -p tcp -m tcp --dport 749 -j ACCEPT
# Global - reserved
$IPT6 -A chk_tcp_inbound -p tcp -m tcp --dport 1024 -j ACCEPT
# Global - msft-gc
$IPT6 -A chk_tcp_inbound -p tcp -m tcp --dport 3268 -j ACCEPT
# Global - msft-gc-ssl
$IPT6 -A chk_tcp_inbound -p tcp -m tcp --dport 3269 -j ACCEPT

###############################
# do not modify following rule
$IPT6 -A chk_tcp_inbound -p tcp -j RETURN
###############################
#
### ### ### C3D2 ### ### ###

### ### ### C3D2 ### ### ###

# Global - DNS
$IPT6 -A chk_tcp_inbound -p udp -m udp --dport 53 -j ACCEPT
# Global - Kerberos Auth
$IPT6 -A chk_tcp_inbound -p udp -m udp --dport 88 -j ACCEPT
# Global - NetBIOS Name
$IPT6 -A chk_tcp_inbound -p udp -m udp --dport 137 -j ACCEPT
# Global - NetBIOS Datagram
$IPT6 -A chk_tcp_inbound -p udp -m udp --dport 138 -j ACCEPT
# Global - NetBIOS Session
$IPT6 -A chk_tcp_inbound -p udp -m udp --dport 139 -j ACCEPT
# Global - LDAP
$IPT6 -A chk_tcp_inbound -p udp -m udp --dport 389 -j ACCEPT
# Global - CIFS
$IPT6 -A chk_tcp_inbound -p udp -m udp --dport 445 -j ACCEPT
# Global - Kerberos Change/Set Password
$IPT6 -A chk_tcp_inbound -p udp -m udp --dport 464 -j ACCEPT

###############################
# do not modify following rule
$IPT6 -A chk_udp_inbound -p udp -j RETURN
############################### 
 
# ICMP - allow ping pong
$IPT6 -A chk_icmp_packets -p ipv6-icmp -j ACCEPT 
$IPT6 -A chk_icmp_packets -p icmp -j RETURN

### ### ### C3D2 ### ### ###
# EOF
sudo chmod 555 /root/set_firewall_ipv6.sh
sudo chattr +i /root/set_firewall_ipv6.sh
vi /etc/rc.local
#!/bin/sh -e
#
/root/set_firewall_ipv6.sh
#
exit 0

Firewallregeln aktivieren

/root/set_firewall_ipv6.sh
ip6tables -S