Difference between revisions of "SAMBA Domain Controller"
From wiki.breedveld.net
Latest revision as of 14:39, 10 January 2014
Samba Domain on XP:
 Start->Run->MMC
 ->File->Add/Remove Snap-in->Add
 -->Add
 --->Group Policy Object Editor->Add
 ---->(Group Policy Object must be 'Local Computer')->Finish
 --->Close
 -->OK
 ->Local Computer Policy
 ->Computer Configuration
 ->Windows Settings
 ->Security Settings
 ->Local Policies
 ->Security Options
 ->Disable "Domain Member: Digitally encrypt or sign secure channel data (always)"
Restart, and you should be able to log on with your Samba username and password.
Samba Domain on Windows 7:
 Start->MMC
 ->File->Add/Remove Snap-in->Add
 -->Select Group Policy Object Editor->Add
 ---->(Group Policy Object must be 'Local Computer')->Finish
 -->OK
 ->Local Computer Policy
 ->Computer Configuration
 ->Windows Settings
 ->Security Settings
 ->Local Policies
 ->Security Options
 ->Disable "Domain Member: Digitally encrypt or sign secure channel data (always)"
Check the Samba config on the server (-s prints the effective smb.conf without waiting for a keypress):
 testparm -s
Save this as samba_w7.reg and run it (double-click, or "reg import samba_w7.reg" from an elevated prompt) to load it into the registry:
 Windows Registry Editor Version 5.00
 
 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\lanmanserver\parameters]
 
 [HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\lanmanworkstation\parameters]
 "DNSNameResolutionRequired"=dword:00000000
 "DomainCompatibilityMode"=dword:00000001
 
 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\netlogon\parameters]
 "DisablePasswordChange"=dword:00000001
 "RequireSignOrSeal"=dword:00000001
 "RequireStrongKey"=dword:00000001
 
 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
 "dontdisplaylastusername"=dword:00000001
 
 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wscsvc]
 "Start"=dword:00000003
 
 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
 "SlowLinkDetectEnabled"=dword:00000000
 "DeleteRoamingCache"=dword:00000001
 "WaitForNetwork"=dword:00000000
 "CompatibleRUPSecurity"=dword:00000001
 
 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
 "EnableLUA"=dword:00000000
 "LocalAccountTokenFilterPolicy"=dword:00000001
 
 [HKEY_LOCAL_MACHINE\SYSTEM\Setup]
 "RestartSetup"=dword:00000000
 "SetupType"=dword:00000000
 "SystemSetupInProgress"=dword:00000000
 "SetupPhase"=dword:00000000
 "CmdLine"=""
 "OOBEInProgress"=dword:00000000

Notes on what this file changes:
 RequireSignOrSeal and RequireStrongKey under netlogon\parameters are the registry values behind the two "Domain member" secure-channel policies; the "(always)" policy disabled via the MMC above is RequireSignOrSeal. Importing this file with both set to 1 switches them back on, so decide which you want and keep the policy and the .reg consistent.
 EnableLUA=0 turns UAC off, and LocalAccountTokenFilterPolicy=1 gives local administrator accounts a full admin token over the network (convenient for remote administration, but it also makes a stolen local admin password directly usable for remote access).
 DisablePasswordChange=1 stops the workstation from rotating its machine account password.
 The two policies\system keys are the same key (registry paths are case-insensitive); they are only written twice.
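The .reg file above mixes convenience settings with ones that lower the workstation's hardening. The script below is an added example for this page (not from this wiki and not part of Samba or Windows) that parses a .reg file and reports those settings before you import it. It assumes the key paths and value names exactly as they appear in samba_w7.reg above; the text embedded in the script is a constructed excerpt of that file.

```python
"""Audit a Windows .reg file for domain-member settings that reduce hardening.

Added example for this page. Parses the REG_DWORD / REG_SZ lines of a .reg
file and reports the values discussed above. Key paths match the samba_w7.reg
file on this page; SAMPLE_REG is a constructed excerpt of that file.
"""
import re
from typing import Callable, Dict, List, Tuple, Union

RegValue = Union[int, str]
RegValues = Dict[Tuple[str, str], RegValue]

# Constructed excerpt of samba_w7.reg (only the keys the checks look at).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\netlogon\parameters]
"DisablePasswordChange"=dword:00000001
"RequireSignOrSeal"=dword:00000001
"RequireStrongKey"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000
"LocalAccountTokenFilterPolicy"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\Setup]
"CmdLine"=""
"""

VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def load_reg(path: str) -> str:
    """regedit exports 'Version 5.00' files as UTF-16LE with a BOM; hand-written ones are usually ASCII/UTF-8."""
    with open(path, "rb") as fh:
        data = fh.read()
    return data.decode("utf-16") if data.startswith(b"\xff\xfe") else data.decode("utf-8")


def parse_reg(text: str) -> RegValues:
    """Return {(key_path, value_name): value}, both lower-cased.

    Registry key paths and value names are case-insensitive, so the two
    spellings of ...\Policies\System in the file land in the same key, as
    they do in the real registry. dword:XXXXXXXX becomes an int, "..." a str;
    any other type (hex:, hex(7):, ...) is kept as its raw text.
    """
    values: RegValues = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        m = VALUE_RE.match(line)
        if m is None or key is None:
            continue
        name, rhs = m.group(1).lower(), m.group(2)
        if rhs.startswith("dword:"):
            values[(key, name)] = int(rhs[len("dword:"):], 16)
        elif len(rhs) >= 2 and rhs.startswith('"') and rhs.endswith('"'):
            values[(key, name)] = rhs[1:-1]
        else:
            values[(key, name)] = rhs
    return values


NETLOGON = r"hkey_local_machine\system\currentcontrolset\services\netlogon\parameters"
POLICIES = r"hkey_local_machine\software\microsoft\windows\currentversion\policies\system"

# (key, value name, predicate that is true for the weak setting, explanation)
CHECKS: List[Tuple[str, str, Callable[[RegValue], bool], str]] = [
    (POLICIES, "enablelua", lambda v: v == 0,
     "UAC is switched off; administrators always run fully elevated"),
    (POLICIES, "localaccounttokenfilterpolicy", lambda v: v == 1,
     "remote UAC token filtering is off; local admin accounts get a full admin token over the network"),
    (NETLOGON, "disablepasswordchange", lambda v: v == 1,
     "the workstation no longer rotates its machine account password"),
    (NETLOGON, "requiresignorseal", lambda v: v == 0,
     "secure channel signing/sealing is not required"),
    (NETLOGON, "requirestrongkey", lambda v: v == 0,
     "a strong secure channel session key is not required"),
]


def audit(values: RegValues) -> List[str]:
    """Return one line per weak setting found; an empty list means none were found."""
    findings = []
    for key, name, is_weak, why in CHECKS:
        value = values.get((key, name))
        if value is not None and is_weak(value):
            findings.append(f"{name}={value}: {why}")
    return findings


if __name__ == "__main__":
    import sys
    text = load_reg(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REG
    for line in audit(parse_reg(text)) or ["no weakening settings found"]:
        print(line)
```

Run it as "python3 audit_reg.py samba_w7.reg"; with no argument it audits the embedded excerpt, which reports EnableLUA, LocalAccountTokenFilterPolicy and DisablePasswordChange and stays quiet about RequireSignOrSeal/RequireStrongKey because the file sets those to 1.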
To disable roaming profiles (both values live under the same key):
 [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System]
 "LocalProfile"=dword:00000001
 "ReadOnlyProfile"=dword:00000001
Add a user (the Unix account must already exist):
 smbpasswd -a <user>

Add a machine trust account:
 smbpasswd -a -m <machine>

Delete a user:
 smbpasswd -x <user>

Remove a machine account and then re-join the machine:
 pdbedit -x CLIENT-PC$
 userdel CLIENT-PC$

List all users, with settings:
 pdbedit -Lv
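The pdbedit -Lv listing is the place to spot accounts that should not be there (no-password accounts, trust accounts without the trailing '$', an enabled RID 500). The script below is an added example for this page, not part of Samba: it parses the records pdbedit -Lv prints (one "Field: value" block per account, separated by a dashed line) and reports such accounts. The embedded listing is constructed with made-up names and SIDs in that layout; the flag letters are Samba's account-flag letters (U user, W workstation trust, S server trust, I interdomain trust, D disabled, N no password required, X password never expires, L locked out).

```python
"""Flag risky accounts in `pdbedit -Lv` output.

Added example for this page, not part of Samba. SAMPLE_LISTING is a
constructed listing in the layout pdbedit -Lv prints.
"""
import re
from typing import Dict, List, Optional, Set

SAMPLE_LISTING = """
---------------
Unix username:        roland
NT username:          roland
Account Flags:        [U          ]
User SID:             S-1-5-21-1111111111-2222222222-3333333333-1000
Primary Group SID:    S-1-5-21-1111111111-2222222222-3333333333-513
Domain:               DOM
Password must change: never
---------------
Unix username:        guest
NT username:          guest
Account Flags:        [NU         ]
User SID:             S-1-5-21-1111111111-2222222222-3333333333-501
Primary Group SID:    S-1-5-21-1111111111-2222222222-3333333333-514
Domain:               DOM
---------------
Unix username:        client-pc$
NT username:          CLIENT-PC$
Account Flags:        [W          ]
User SID:             S-1-5-21-1111111111-2222222222-3333333333-1002
Primary Group SID:    S-1-5-21-1111111111-2222222222-3333333333-515
Domain:               DOM
---------------
Unix username:        oldpc
NT username:          OLDPC
Account Flags:        [W          ]
User SID:             S-1-5-21-1111111111-2222222222-3333333333-1004
Primary Group SID:    S-1-5-21-1111111111-2222222222-3333333333-515
Domain:               DOM
"""

Account = Dict[str, str]


def parse_pdbedit(text: str) -> List[Account]:
    """Split the listing on the dashed separator and read 'Field: value' lines into a dict per account."""
    accounts: List[Account] = []
    current: Account = {}
    for line in text.splitlines():
        if line.startswith("---"):
            if current:
                accounts.append(current)
            current = {}
            continue
        if ":" in line:
            field, value = line.split(":", 1)
            current[field.strip()] = value.strip()
    if current:
        accounts.append(current)
    return accounts


def account_flags(acct: Account) -> Set[str]:
    """Letters inside the [...] of 'Account Flags' (U, W, S, I, D, N, X, L, ...)."""
    m = re.search(r"\[([A-Za-z ]*)\]", acct.get("Account Flags", ""))
    return set(m.group(1).replace(" ", "")) if m else set()


def account_rid(acct: Account) -> Optional[int]:
    """Last component of the User SID, i.e. the RID within the domain."""
    sid = acct.get("User SID", "")
    return int(sid.rsplit("-", 1)[1]) if sid.startswith("S-") and "-" in sid else None


def audit_accounts(accounts: List[Account]) -> List[str]:
    """One finding per problem: no-password accounts, trust/name mismatches, enabled RID 500."""
    findings = []
    for acct in accounts:
        name = acct.get("NT username", "?")
        flags = account_flags(acct)
        if "N" in flags:
            findings.append(f"{name}: flag N, logs on without a password")
        is_trust = bool(flags & {"W", "S", "I"})
        if is_trust != name.endswith("$"):
            findings.append(f"{name}: flags [{''.join(sorted(flags))}] do not match the name (trust accounts end in '$')")
        if account_rid(acct) == 500 and "D" not in flags:
            findings.append(f"{name}: RID 500 (domain Administrator) is enabled")
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LISTING
    for line in audit_accounts(parse_pdbedit(text)) or ["no findings"]:
        print(line)
```

Usage on the PDC: "pdbedit -Lv > accounts.txt; python3 audit_passdb.py accounts.txt". On the embedded sample it reports the guest account (flag N) and OLDPC, a workstation trust account whose name lacks the '$'.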
On the workstation, scan and repair system file corruption (from an elevated command prompt; the switch is /scannow, sfc has no /scanall):
 sfc /scannow
Misc. commands (Samba side):
 smbtree -b
 net rpc rights list -all
 net -S server -U domadmin rpc rights grant 'DOMAIN\Domain Admins' SeMachineAccountPrivilege
 net rpc rights grant 'DOMAIN\Domain Admins' SeMachineAccountPrivilege -S server -U domadmin
   (the two rights grant lines are the same command with the options in a different place)
 getfacl -t /data/profiles/roland
 net groupmap list
 net groupmap add ntgroup="Domain Admins" unixgroup=domadm rid=512 type=d
 net groupmap add ntgroup="Domain Admins" unixgroup=ntadmins rid=512 type=d
   (a RID maps to one unix group, so pick either domadm or ntadmins for 512)
 net groupmap add ntgroup="Domain Users" unixgroup=ntusers rid=513 type=d
 net groupmap add ntgroup="Domain Guests" unixgroup=nobody rid=514 type=d
 net rpc group add demo -L -Uroot%not24get
 net rpc group addmem demo "DOM\Domain Users"
   (-L creates a local/alias group; -Uroot%password puts the password in the process list and shell history, so prefer -Uroot and type it at the prompt)
 groupadd Orks
 groupadd Elves
 groupadd Gnomes
 net groupmap add ntgroup="Orks" unixgroup=Orks type=d
 net groupmap add ntgroup="Elves" unixgroup=Elves type=d
 net groupmap add ntgroup="Gnomes" unixgroup=Gnomes type=d
 net rpc trust create otherdomainsid=S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx \
   other_netbios_domain=dom2 otherdomain=dom2.dom trustpw=12345678 -S srv1.dom1.dom
 net rpc trust create otherserver=srv2.dom2.test otheruser=dom2adm -S srv1.dom1.dom
Default RIDs (well-known users, groups and aliases in a domain):
 Well-Known Entity            RID   Type    Essential
 Domain Administrator         500   User    No
 Domain Guest                 501   User    No
 Domain KRBTGT                502   User    No
 Domain Admins                512   Group   Yes
 Domain Users                 513   Group   Yes
 Domain Guests                514   Group   Yes
 Domain Computers             515   Group   No
 Domain Controllers           516   Group   No
 Domain Certificate Admins    517   Group   No
 Domain Schema Admins         518   Group   No
 Domain Enterprise Admins     519   Group   No
 Domain Policy Admins         520   Group   No
 Builtin Admins               544   Alias   No
 Builtin Users                545   Alias   No
 Builtin Guests               546   Alias   No
 Builtin Power Users          547   Alias   No
 Builtin Account Operators    548   Alias   No
 Builtin System Operators     549   Alias   No
 Builtin Print Operators      550   Alias   No
 Builtin Backup Operators     551   Alias   No
 Builtin Replicator           552   Alias   No
 Builtin RAS Servers          553   Alias   No
Misc. commands (workstation, from an elevated prompt; adds a domain user or group to the local Administrators group):
 net localgroup administrators /add domain_name\entity
The net registry commands (these work on Samba's own registry database, registry.tdb, not on a Windows client's registry) are:
 net registry enumerate            - Enumerate registry keys and values.
 net registry enumerate_recursive  - Enumerate registry key and its subkeys.
 net registry createkey            - Create a new registry key.
 net registry deletekey            - Delete a registry key.
 net registry deletekey_recursive  - Delete a registry key with subkeys.
 net registry getvalue             - Print a registry value.
 net registry getvalueraw          - Print a registry value (raw format).
 net registry setvalue             - Set a new registry value.
 net registry increment            - Increment a DWORD registry value under a lock.
 net registry deletevalue          - Delete a registry value.
 net registry getsd                - Get security descriptor.
 net registry getsd_sddl           - Get security descriptor in SDDL format.
 net registry setsd_sddl           - Set security descriptor from an SDDL format string.
 net registry import               - Import a registration entries (.reg) file.
 net registry export               - Export a registration entries (.reg) file.
 net registry convert              - Convert a registration entries (.reg) file.
 net registry check                - Check and repair a registry database.