requeriments
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
requeriments [2015/08/31 21:10] cbustillo [Configure NTP] |
requeriments [2020/04/10 17:38] (current) |
||
|---|---|---|---|
| Line 66: | Line 66: | ||
| You need this support on file systems that you will share with samba. For many users that will be their /home volume. However the 'samba-tool' provision command also tests support by creating a temporary file in the 'sysvol'. This might be /usr/local/samba for a local install, or might be somewhere else. That filesystem also needs to have ACL and XATTR support. | You need this support on file systems that you will share with samba. For many users that will be their /home volume. However the 'samba-tool' provision command also tests support by creating a temporary file in the 'sysvol'. This might be /usr/local/samba for a local install, or might be somewhere else. That filesystem also needs to have ACL and XATTR support. | ||
| - | === ext3/ext4 File System === | + | === ext4 File System === |
| - | If you are using either ext3 or ext4 for your file system you will need to include the options "user_xattr","acl" and "barrier=1" in your /etc/fstab. For example: | + | If you are using either ext4 for your file system you will need to include the option "barrier=1" in your /etc/fstab. For example: |
| <code> | <code> | ||
| # / was on /dev/sda5 during installation | # / was on /dev/sda5 during installation | ||
| - | UUID=5e6e3446-5963-466e-86a7-b6376442d743 / ext4 errors=remount-ro,user_xattr,acl,barrier=1 1 1 | + | UUID=5e6e3446-5963-466e-86a7-b6376442d743 / ext4 defaults,barrier=1 1 1 |
| </code> | </code> | ||
| - | Simply change ext4 to ext3 if you are using it. Normally you will want to just modify the existing line to add those options. Please use caution when modifying your fstab as it can lead to an un-bootable system if the wrong thing is modified. | + | === ext3 File System === |
| - | The barrier=1 option ensures that tdb transactions are safe against unexpected power loss. A number of sites have corrupted their AD database in sam.ldb by not having this option enabled. | + | If you are using either ext3 for your file system you will need to include the options "user_xattr","acl" and "barrier=1" in your /etc/fstab. For example: |
| + | |||
| + | <code> | ||
| + | # / was on /dev/sda5 during installation | ||
| + | UUID=5e6e3446-5963-466e-86a7-b6376442d743 / ext4 defaults,user_xattr,acl,barrier=1 1 1 | ||
| + | </code> | ||
| + | |||
| + | |||
| + | **NOTE:** The barrier=1 option ensures that tdb transactions are safe against unexpected power loss. A number of sites have corrupted their AD database in sam.ldb by not having this option enabled. | ||
| Then restart the server to apply the changes or type: | Then restart the server to apply the changes or type: | ||
| Line 84: | Line 92: | ||
| </code> | </code> | ||
| - | If you plan to use a Proxmox containar to deploy Samba4 AD DC; logging in Proxmox Server through ssh, modify /etc/fstab file and adjust with the following: | + | === Proxmox VE === |
| + | |||
| + | If you plan to use a Proxmox container to deploy Samba4 AD DC; logging in Proxmox Server through ssh, modify /etc/fstab file and adjust with the following: | ||
| <code> | <code> | ||
| /dev/pve/data /var/lib/vz ext3 defaults,user_xattr,acl,barrier=1 1 1 | /dev/pve/data /var/lib/vz ext3 defaults,user_xattr,acl,barrier=1 1 1 | ||
| Line 93: | Line 103: | ||
| # mount -a | # mount -a | ||
| </code> | </code> | ||
| + | |||
| + | === Testing Kernel options === | ||
| You also need to compile your kernel with the XATTR, SECURITY, and POSIX_ACL options for your filesystem (In Debian and Ubuntu those options are enabled by default). For ext4 that means you need (change the 4 to a 3 for ext3): | You also need to compile your kernel with the XATTR, SECURITY, and POSIX_ACL options for your filesystem (In Debian and Ubuntu those options are enabled by default). For ext4 that means you need (change the 4 to a 3 for ext3): | ||
| Line 296: | Line 308: | ||
| ** DDNS updates not working ** | ** DDNS updates not working ** | ||
| - | Check that the file '/etc/krb5.conf' is readable by Bind. | + | * Check that the file '/etc/krb5.conf' is readable by Bind. |
| + | * Check that the configured samba4 dns.keytab been accessible by BIND and samba4. | ||
| + | * Check that deployed dns resolver been correctly set to samba4 AD server. | ||
| + | * Check at named.conf that the samba DLZ settings been correct at least for: | ||
| + | <code> | ||
| + | tkey-gssapi-keytab | ||
| + | tkey-domain | ||
| + | </code> | ||
| + | * Check that TLS/SSL are correctly deployed. | ||
| + | * Check that filesystems support acl. | ||
| + | * Check common settings for samba4 smb.conf: | ||
| + | <code> | ||
| + | kerberos method = system keytab | ||
| + | client ldap sasl wrapping = sign | ||
| + | allow dns updates = nonsecure and secure | ||
| + | nsupdate command = /usr/bin/nsupdate -g | ||
| + | </code> | ||
| + | The most important option is "allow dns updates = nonsecure and secure". | ||
| ====== Configure NTP ====== | ====== Configure NTP ====== | ||
| ---- | ---- | ||
| Line 322: | Line 350: | ||
| # Local clock | # Local clock | ||
| server 127.127.1.0 | server 127.127.1.0 | ||
| - | fudge 127.127.1.0 stratum 12 | + | fudge 127.127.1.0 stratum 8 |
| # For signed NTP | # For signed NTP | ||
| Line 336: | Line 364: | ||
| # Default restriction: Only allow querying time (incl. ms-sntp) from this machine | # Default restriction: Only allow querying time (incl. ms-sntp) from this machine | ||
| restrict default kod nomodify notrap nopeer mssntp</code> | restrict default kod nomodify notrap nopeer mssntp</code> | ||
| + | |||
| + | A suitable configuration for ntp.conf maybe: | ||
| + | |||
| + | <code> | ||
| + | # Local clock (Note: This is not the localhost address!) | ||
| + | server 127.127.1.0 | ||
| + | fudge 127.127.1.0 stratum 10 | ||
| + | |||
| + | # The source, where we are receiving the time from | ||
| + | server 0.pool.ntp.org iburst prefer | ||
| + | |||
| + | driftfile /var/lib/ntp/ntp.drift | ||
| + | logfile /var/log/ntp | ||
| + | ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/ | ||
| + | |||
| + | # Access control | ||
| + | # Default restriction: Only allow querying time (incl. ms-sntp) from this machine | ||
| + | restrict default kod nomodify notrap nopeer mssntp | ||
| + | |||
| + | # Allow everything from localhost | ||
| + | restrict 127.0.0.1 | ||
| + | |||
| + | # Allow that our time source can only provide time and do nothing else | ||
| + | restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery | ||
| + | </code> | ||
| Finally check that the socket permissions are set correct. It must be readable by the account your ntpd uses and should not be accessable by other: | Finally check that the socket permissions are set correct. It must be readable by the account your ntpd uses and should not be accessable by other: | ||
| Line 357: | Line 410: | ||
| <code> | <code> | ||
| # ntpq -pn | # ntpq -pn | ||
| + | </code> | ||
| + | |||
| + | To view connected clients: | ||
| + | <code> | ||
| + | # ntpdc -c monlist | ||
| </code> | </code> | ||
requeriments.1441055438.txt.gz · Last modified: 2020/04/10 17:38 (external edit)
Except where otherwise noted, content on this wiki is licensed under the following license: GNU Free Documentation License 1.3
