requeriments
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
requeriments [2015/09/10 19:05] cbustillo [File System Support] |
requeriments [2020/04/10 17:38] (current) |
||
|---|---|---|---|
| Line 94: | Line 94: | ||
| === Proxmox VE === | === Proxmox VE === | ||
| - | If you plan to use a Proxmox containar to deploy Samba4 AD DC; logging in Proxmox Server through ssh, modify /etc/fstab file and adjust with the following: | + | If you plan to use a Proxmox container to deploy Samba4 AD DC; logging in Proxmox Server through ssh, modify /etc/fstab file and adjust with the following: |
| <code> | <code> | ||
| /dev/pve/data /var/lib/vz ext3 defaults,user_xattr,acl,barrier=1 1 1 | /dev/pve/data /var/lib/vz ext3 defaults,user_xattr,acl,barrier=1 1 1 | ||
| Line 103: | Line 103: | ||
| # mount -a | # mount -a | ||
| </code> | </code> | ||
| + | |||
| + | === Testing Kernel options === | ||
| You also need to compile your kernel with the XATTR, SECURITY, and POSIX_ACL options for your filesystem (In Debian and Ubuntu those options are enabled by default). For ext4 that means you need (change the 4 to a 3 for ext3): | You also need to compile your kernel with the XATTR, SECURITY, and POSIX_ACL options for your filesystem (In Debian and Ubuntu those options are enabled by default). For ext4 that means you need (change the 4 to a 3 for ext3): | ||
| Line 306: | Line 308: | ||
| ** DDNS updates not working ** | ** DDNS updates not working ** | ||
| - | Check that the file '/etc/krb5.conf' is readable by Bind. | + | * Check that the file '/etc/krb5.conf' is readable by Bind. |
| + | * Check that the configured samba4 dns.keytab been accessible by BIND and samba4. | ||
| + | * Check that deployed dns resolver been correctly set to samba4 AD server. | ||
| + | * Check at named.conf that the samba DLZ settings been correct at least for: | ||
| + | <code> | ||
| + | tkey-gssapi-keytab | ||
| + | tkey-domain | ||
| + | </code> | ||
| + | * Check that TLS/SSL are correctly deployed. | ||
| + | * Check that filesystems support acl. | ||
| + | * Check common settings for samba4 smb.conf: | ||
| + | <code> | ||
| + | kerberos method = system keytab | ||
| + | client ldap sasl wrapping = sign | ||
| + | allow dns updates = nonsecure and secure | ||
| + | nsupdate command = /usr/bin/nsupdate -g | ||
| + | </code> | ||
| + | The most important option is "allow dns updates = nonsecure and secure". | ||
| ====== Configure NTP ====== | ====== Configure NTP ====== | ||
| ---- | ---- | ||
| Line 332: | Line 350: | ||
| # Local clock | # Local clock | ||
| server 127.127.1.0 | server 127.127.1.0 | ||
| - | fudge 127.127.1.0 stratum 12 | + | fudge 127.127.1.0 stratum 8 |
| # For signed NTP | # For signed NTP | ||
| Line 346: | Line 364: | ||
| # Default restriction: Only allow querying time (incl. ms-sntp) from this machine | # Default restriction: Only allow querying time (incl. ms-sntp) from this machine | ||
| restrict default kod nomodify notrap nopeer mssntp</code> | restrict default kod nomodify notrap nopeer mssntp</code> | ||
| + | |||
| + | A suitable configuration for ntp.conf maybe: | ||
| + | |||
| + | <code> | ||
| + | # Local clock (Note: This is not the localhost address!) | ||
| + | server 127.127.1.0 | ||
| + | fudge 127.127.1.0 stratum 10 | ||
| + | |||
| + | # The source, where we are receiving the time from | ||
| + | server 0.pool.ntp.org iburst prefer | ||
| + | |||
| + | driftfile /var/lib/ntp/ntp.drift | ||
| + | logfile /var/log/ntp | ||
| + | ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/ | ||
| + | |||
| + | # Access control | ||
| + | # Default restriction: Only allow querying time (incl. ms-sntp) from this machine | ||
| + | restrict default kod nomodify notrap nopeer mssntp | ||
| + | |||
| + | # Allow everything from localhost | ||
| + | restrict 127.0.0.1 | ||
| + | |||
| + | # Allow that our time source can only provide time and do nothing else | ||
| + | restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery | ||
| + | </code> | ||
| Finally check that the socket permissions are set correct. It must be readable by the account your ntpd uses and should not be accessable by other: | Finally check that the socket permissions are set correct. It must be readable by the account your ntpd uses and should not be accessable by other: | ||
| Line 367: | Line 410: | ||
| <code> | <code> | ||
| # ntpq -pn | # ntpq -pn | ||
| + | </code> | ||
| + | |||
| + | To view connected clients: | ||
| + | <code> | ||
| + | # ntpdc -c monlist | ||
| </code> | </code> | ||
requeriments.1441911937.txt.gz · Last modified: 2020/04/10 17:38 (external edit)
Except where otherwise noted, content on this wiki is licensed under the following license: GNU Free Documentation License 1.3
