This shows you the differences between two versions of the page.
requeriments [2015/09/10 19:04] cbustillo [File System Support] |
requeriments [2020/04/10 17:38] (current) |
Line 92: | Line 92: | ||
</code> | </code> | ||
- | If you plan to use a Proxmox containar to deploy Samba4 AD DC; logging in Proxmox Server through ssh, modify /etc/fstab file and adjust with the following: | + | === Proxmox VE === |
+ | |||
+ | If you plan to use a Proxmox container to deploy Samba4 AD DC; logging in Proxmox Server through ssh, modify /etc/fstab file and adjust with the following: | ||
<code> | <code> | ||
/dev/pve/data /var/lib/vz ext3 defaults,user_xattr,acl,barrier=1 1 1 | /dev/pve/data /var/lib/vz ext3 defaults,user_xattr,acl,barrier=1 1 1 | ||
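Review bot: the sentence under the new "=== Proxmox VE ===" heading still reads "logging in Proxmox Server through ssh, modify /etc/fstab file and adjust with the following", which is hard to follow; suggest "log in to the Proxmox host over SSH, edit /etc/fstab and adjust the entry for the container storage as follows". It would also help to state in one sentence why the entry changes: the user_xattr and acl mount options on /var/lib/vz are what make the extended-attribute and POSIX ACL support required by the File System Support section available inside the container, and the volume has to be remounted (the later "mount -a" line) before the change takes effect.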
Line 101: | Line 103: | ||
# mount -a | # mount -a | ||
</code> | </code> | ||
+ | |||
+ | === Testing Kernel options === | ||
You also need to compile your kernel with the XATTR, SECURITY, and POSIX_ACL options for your filesystem (In Debian and Ubuntu those options are enabled by default). For ext4 that means you need (change the 4 to a 3 for ext3): | You also need to compile your kernel with the XATTR, SECURITY, and POSIX_ACL options for your filesystem (In Debian and Ubuntu those options are enabled by default). For ext4 that means you need (change the 4 to a 3 for ext3): | ||
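Review bot: the new heading "=== Testing Kernel options ===" does not describe the paragraph beneath it, which lists the options the kernel must be built with (XATTR, SECURITY, POSIX_ACL) rather than a test procedure; suggest "Kernel options" or "Checking kernel options". If the intent is a check, the section should also say how a reader verifies the options on a running system (the paragraph only says they are enabled by default on Debian and Ubuntu).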
Line 304: | Line 308: | ||
** DDNS updates not working ** | ** DDNS updates not working ** | ||
- | Check that the file '/etc/krb5.conf' is readable by Bind. | + | * Check that the file '/etc/krb5.conf' is readable by Bind. |
+ | * Check that the configured samba4 dns.keytab been accessible by BIND and samba4. | ||
+ | * Check that deployed dns resolver been correctly set to samba4 AD server. | ||
+ | * Check at named.conf that the samba DLZ settings been correct at least for: | ||
+ | <code> | ||
+ | tkey-gssapi-keytab | ||
+ | tkey-domain | ||
+ | </code> | ||
+ | * Check that TLS/SSL are correctly deployed. | ||
+ | * Check that filesystems support acl. | ||
+ | * Check common settings for samba4 smb.conf: | ||
+ | <code> | ||
+ | kerberos method = system keytab | ||
+ | client ldap sasl wrapping = sign | ||
+ | allow dns updates = nonsecure and secure | ||
+ | nsupdate command = /usr/bin/nsupdate -g | ||
+ | </code> | ||
+ | The most important option is "allow dns updates = nonsecure and secure". | ||
====== Configure NTP ====== | ====== Configure NTP ====== | ||
---- | ---- | ||
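Review bot: the smb.conf block and the closing sentence "The most important option is 'allow dns updates = nonsecure and secure'" recommend a security-relevant downgrade without saying so: that setting makes the Samba DNS server accept unauthenticated dynamic updates, so any host that can reach the DNS port can add or overwrite records, whereas Samba's default is "secure only" (updates must be GSS-TSIG signed). Since the earlier bullets in this hunk already cover the signed-update path (krb5.conf readable by BIND, dns.keytab accessible to BIND and Samba, tkey-gssapi-keytab and tkey-domain in named.conf), suggest keeping "secure only" as the recommendation and presenting "nonsecure and secure" only as a temporary diagnostic step with the trade-off stated, rather than as the most important option. Smaller points in the same hunk: "dns.keytab been accessible", "resolver been correctly set" and "settings been correct" should read "is accessible", "is correctly set", "are correct"; and "Check that TLS/SSL are correctly deployed" should name the service (the LDAP listener) it refers to.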
Line 330: | Line 350: | ||
# Local clock | # Local clock | ||
server 127.127.1.0 | server 127.127.1.0 | ||
- | fudge 127.127.1.0 stratum 12 | + | fudge 127.127.1.0 stratum 8 |
# For signed NTP | # For signed NTP | ||
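Review bot: the change from "fudge 127.127.1.0 stratum 12" to "stratum 8" conflicts with the sample ntp.conf added later in this same revision, which uses "fudge 127.127.1.0 stratum 10"; the two values should agree. Whichever is chosen, the comment should say that a high stratum for the local undisciplined clock is deliberate so that it is used only as a fallback when the real time sources are unreachable, and lowering it makes ntpd prefer the local clock sooner.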
Line 344: | Line 364: | ||
# Default restriction: Only allow querying time (incl. ms-sntp) from this machine | # Default restriction: Only allow querying time (incl. ms-sntp) from this machine | ||
restrict default kod nomodify notrap nopeer mssntp</code> | restrict default kod nomodify notrap nopeer mssntp</code> | ||
+ | |||
+ | A suitable configuration for ntp.conf maybe: | ||
+ | |||
+ | <code> | ||
+ | # Local clock (Note: This is not the localhost address!) | ||
+ | server 127.127.1.0 | ||
+ | fudge 127.127.1.0 stratum 10 | ||
+ | |||
+ | # The source, where we are receiving the time from | ||
+ | server 0.pool.ntp.org iburst prefer | ||
+ | |||
+ | driftfile /var/lib/ntp/ntp.drift | ||
+ | logfile /var/log/ntp | ||
+ | ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/ | ||
+ | |||
+ | # Access control | ||
+ | # Default restriction: Only allow querying time (incl. ms-sntp) from this machine | ||
+ | restrict default kod nomodify notrap nopeer mssntp | ||
+ | |||
+ | # Allow everything from localhost | ||
+ | restrict 127.0.0.1 | ||
+ | |||
+ | # Allow that our time source can only provide time and do nothing else | ||
+ | restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery | ||
+ | </code> | ||
Finally check that the socket permissions are set correct. It must be readable by the account your ntpd uses and should not be accessable by other: | Finally check that the socket permissions are set correct. It must be readable by the account your ntpd uses and should not be accessable by other: | ||
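Review bot: the line "restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery" in the added ntp.conf only restricts the single address that name resolved to when ntpd started, and pool names resolve to different addresses over time, so the restriction will not match the server actually in use; suggest "restrict source nomodify notrap nopeer noquery", which ntpd applies to every configured server or pool address. Two smaller points: "A suitable configuration for ntp.conf maybe:" should read "may be:", and the "ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/" path assumes a source build under /usr/local/samba, so a sentence telling readers that distribution packages place the socket directory under their own prefix would avoid a silent signing failure.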
Line 365: | Line 410: | ||
<code> | <code> | ||
# ntpq -pn | # ntpq -pn | ||
+ | </code> | ||
+ | |||
+ | To view connected clients: | ||
+ | <code> | ||
+ | # ntpdc -c monlist | ||
</code> | </code> | ||
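Review bot: the added "ntpdc -c monlist" relies on the mode-7 monlist query, which current ntpd releases disable by default (the "disable monitor" default introduced after monlist was widely abused for reflection attacks) and which the deprecated ntpdc tool is being removed alongside; suggest "ntpq -c mrulist" instead, and a note that the command only works from a host the restrict lines allow to query. Related to that: the sample "restrict default kod nomodify notrap nopeer mssntp" line earlier in this revision omits "noquery", so if monitoring is enabled the client list would be readable from any remote host; adding "noquery" to the default restriction (keeping the explicit "restrict 127.0.0.1" for local use) closes that.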