The big, fabulous trick of Samba 4 is using RSAT to administer the whole tree of OUs, groups and users of the domain controller, because, let's be honest, there is still no better tool than Microsoft's for administering a Domain Controller. Still, some actions can be performed straight from the terminal, so let's play with a few of them here.
Administration is done with the samba-tool command:
```
[root@storage ~]# samba-tool ?
Usage: samba-tool <subcommand>

Main samba administration tool.

Options:
  -h, --help     show this help message and exit

Version Options:
  -V, --version  Display version number

Available subcommands:
  dbcheck     - Check local AD database for errors.
  delegation  - Delegation management.
  dns         - Domain Name Service (DNS) management.
  domain      - Domain management.
  drs         - Directory Replication Services (DRS) management.
  dsacl       - DS ACLs manipulation.
  fsmo        - Flexible Single Master Operations (FSMO) roles management.
  gpo         - Group Policy Object (GPO) management.
  group       - Group management.
  ldapcmp     - Compare two ldap databases.
  ntacl       - NT ACLs manipulation.
  processes   - List processes (to aid debugging on systems without setproctitle).
  rodc        - Read-Only Domain Controller (RODC) management.
  sites       - Sites management.
  spn         - Service Principal Name (SPN) management.
  testparm    - Syntax check the configuration file.
  time        - Retrieve the time on a server.
  user        - User management.
  vampire     - Join and synchronise a remote AD domain to the local server.
For more help on a specific subcommand, please type: samba-tool <subcommand> (-h|--help)
```
Every subcommand shows its parameters with "-h" or "?", although some only do so with -h, as is the case with "setpassword" (where "?" is taken as the username and the tool simply prompts for a password), so explore the whole command tree:
```
[root@storage ~]# samba-tool dns ?
Usage: samba-tool dns <subcommand>

Domain Name Service (DNS) management.

Options:
  -h, --help  show this help message and exit

Available subcommands:
  add         - Add a DNS record
  delete      - Delete a DNS record
  query       - Query a name.
  roothints   - Query root hints.
  serverinfo  - Query for Server information.
  update      - Update a DNS record
  zonecreate  - Create a zone.
  zonedelete  - Delete a zone.
  zoneinfo    - Query for zone information.
  zonelist    - Query for zones.
For more help on a specific subcommand, please type: samba-tool dns <subcommand> (-h|--help)
[root@storage ~]# samba-tool dns --help
Usage: samba-tool dns <subcommand>

Domain Name Service (DNS) management.

Options:
  -h, --help  show this help message and exit

Available subcommands:
  add         - Add a DNS record
  delete      - Delete a DNS record
  query       - Query a name.
  roothints   - Query root hints.
  serverinfo  - Query for Server information.
  update      - Update a DNS record
  zonecreate  - Create a zone.
  zonedelete  - Delete a zone.
  zoneinfo    - Query for zone information.
  zonelist    - Query for zones.
For more help on a specific subcommand, please type: samba-tool dns <subcommand> (-h|--help)
[root@storage ~]# samba-tool user setpassword ?
New Password:
[root@storage ~]# samba-tool user setpassword -h
Usage: samba-tool user setpassword (<username>|--filter <filter>) [options]

Set or reset the password of a user account.

This command sets or resets the logon password for a user account.  The
username specified on the command is the sAMAccountName.  The username may
also be specified using the --filter option.

If the password is not specified on the command through the --newpassword
parameter, the user is prompted for the password to be entered through the
command line.

It is good security practice for the administrator to use the
--must-change-at-next-login option which requires that when the user logs on
to the account for the first time following the password change, he/she must
change the password.

The command may be run from the root userid or another authorized userid.  The
-H or --URL= option can be used to execute the command against a remote server.

Example1:
samba-tool user setpassword TestUser1 --newpassword=passw0rd --URL=ldap://samba.samdom.example.com -Uadministrator%passw1rd

Example1 shows how to set the password of user TestUser1 on a remote LDAP
server.  The --URL parameter is used to specify the remote target server.  The
-U option is used to pass the username and password of a user that exists on
the remote server and is authorized to update the server.

Example2:
sudo samba-tool user setpassword TestUser2 --newpassword=passw0rd --must-change-at-next-login

Example2 shows how an administrator would reset the TestUser2 user's password
to passw0rd.  The user is running under the root userid using the sudo
command.  In this example the user TestUser2 must change their password the
next time they logon to the account.

Example3:
samba-tool user setpassword --filter=samaccountname=TestUser3 --newpassword=passw0rd

Example3 shows how an administrator would reset TestUser3 user's password to
passw0rd using the --filter= option to specify the username.

Options:
  -h, --help            show this help message and exit
  -H URL, --URL=URL     LDB URL for database or target server
  --filter=FILTER       LDAP Filter to set password on
  --newpassword=NEWPASSWORD
                        Set password
  --must-change-at-next-login
                        Force password to be changed on next login
  --random-password     Generate random password

  Samba Common Options:
    -s FILE, --configfile=FILE
                        Configuration file
    -d DEBUGLEVEL, --debuglevel=DEBUGLEVEL
                        debug level
    --option=OPTION     set smb.conf option from command line
    --realm=REALM       set the realm name

  Credentials Options:
    --simple-bind-dn=DN
                        DN to use for a simple bind
    --password=PASSWORD
                        Password
    -U USERNAME, --username=USERNAME
                        Username
    -W WORKGROUP, --workgroup=WORKGROUP
                        Workgroup
    -N, --no-pass       Don't ask for a password
    -k KERBEROS, --kerberos=KERBEROS
                        Use Kerberos
    --ipaddress=IPADDRESS
                        IP address of server
    -P, --machine-pass  Use stored machine account password

  Version Options:
    -V, --version       Display version number
```
List the DNS zones:
```
[root@storage ~]# samba-tool dns zonelist localhost
Password for [administrator@MEUDOMINIO.COM.BR]:
  2 zone(s) found

  pszZoneName                 : meudominio.com.br
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.meudominio.com.br

  pszZoneName                 : _msdcs.meudominio.com.br
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : ForestDnsZones.meudominio.com.br
```
List the details of a DNS zone:
```
[root@storage ~]# samba-tool dns zoneinfo ?
Usage: samba-tool dns zoneinfo <server> <zone> [options]
[root@storage ~]# samba-tool dns zoneinfo localhost meudominio.com.br
Password for [administrator@MEUDOMINIO.COM.BR]:
  pszZoneName                 : meudominio.com.br
  dwZoneType                  : DNS_ZONE_TYPE_PRIMARY
  fReverse                    : FALSE
  fAllowUpdate                : DNS_ZONE_UPDATE_SECURE
  fPaused                     : FALSE
  fShutdown                   : FALSE
  fAutoCreated                : FALSE
  fUseDatabase                : TRUE
  pszDataFile                 : None
  aipMasters                  : []
  fSecureSecondaries          : DNS_ZONE_SECSECURE_NO_XFER
  fNotifyLevel                : DNS_ZONE_NOTIFY_LIST_ONLY
  aipSecondaries              : []
  aipNotify                   : []
  fUseWins                    : FALSE
  fUseNbstat                  : FALSE
  fAging                      : FALSE
  dwNoRefreshInterval         : 168
  dwRefreshInterval           : 168
  dwAvailForScavengeTime      : 0
  aipScavengeServers          : []
  dwRpcStructureVersion       : 0x2
  dwForwarderTimeout          : 0
  fForwarderSlave             : 0
  aipLocalMasters             : []
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.meudominio.com.br
  pwszZoneDn                  : DC=meudominio.com.br,CN=MicrosoftDNS,DC=DomainDnsZones,DC=meudominio,DC=com,DC=br
  dwLastSuccessfulSoaCheck    : 0
  dwLastSuccessfulXfr         : 0
  fQueuedForBackgroundLoad    : FALSE
  fBackgroundLoadInProgress   : FALSE
  fReadOnlyZone               : FALSE
  dwLastXfrAttempt            : 0
  dwLastXfrResult             : 0
```
Query a record within a zone:
```
[root@storage ~]# samba-tool dns query ?
Usage: samba-tool dns query <server> <zone> <name> <A|AAAA|CNAME|MX|NS|SOA|SRV|TXT|ALL> [options]
[root@storage ~]# samba-tool dns query localhost meudominio.com.br storage.meudominio.com.br A
Password for [administrator@MEUDOMINIO.COM.BR]:
  Name=, Records=1, Children=0
    A: 192.168.10.199 (flags=f0, serial=1, ttl=900)
```
Add a record to the zone and validate it:
```
[root@storage ~]# samba-tool dns add ?
Usage: samba-tool dns add <server> <zone> <name> <A|AAAA|PTR|CNAME|NS|MX|SRV|TXT> <data>
[root@storage ~]# samba-tool dns add localhost meudominio.com.br samba A 192.168.10.199
Password for [administrator@MEUDOMINIO.COM.BR]:
Record added successfully
[root@storage ~]# samba-tool dns query localhost meudominio.com.br samba.meudominio.com.br A
Password for [administrator@MEUDOMINIO.COM.BR]:
  Name=, Records=1, Children=0
    A: 192.168.10.199 (flags=f0, serial=3, ttl=900)
```
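The add-then-validate step above, scripted as an added example that is not from the original post: a POSIX shell script that adds the A record and then parses the query output to check the address really landed, so a typo in the IP is caught immediately. It assumes a Kerberos ticket obtained beforehand with kinit and authenticates with the `-k yes` option from the help text above (newer Samba releases spell it `--use-kerberos=required`), which keeps the administrator password out of the command line and shell history; the sample query output is constructed from the format shown on this page.

```shell
#!/bin/sh
# Added example (not from the original post): add an A record to a Samba AD DNS
# zone with samba-tool and confirm it by querying it back. Assumes a Kerberos
# ticket was obtained first (kinit administrator) so that -k yes authenticates
# without putting a password on the command line.
set -eu

# Print the value of the first record of type $1 (A, AAAA, CNAME, ...) found in
# `samba-tool dns query` output, e.g. "    A: 192.168.10.199 (flags=f0, serial=3, ttl=900)".
# Prints nothing when no record of that type is present.
dns_record_value() {
    sed -n "s/^[[:space:]]*$1: \([^ ]*\) (.*)$/\1/p" | head -n 1
}

# Add <name> as an A record in <zone> on <server>, query it back and compare.
# Returns 0 only if the queried address equals the one that was requested.
dns_add_and_verify() {
    server=$1 zone=$2 name=$3 ip=$4
    samba-tool dns add "$server" "$zone" "$name" A "$ip" -k yes
    got=$(samba-tool dns query "$server" "$zone" "$name.$zone" A -k yes | dns_record_value A)
    if [ "$got" = "$ip" ]; then
        echo "verified: $name.$zone -> $got"
    else
        echo "mismatch: expected $ip, got '${got:-nothing}'" >&2
        return 1
    fi
}

# Constructed sample of `samba-tool dns query ... A` output (same shape as the
# session in the post) so the parser can be exercised without a domain controller.
SAMPLE_QUERY_OUTPUT='  Name=, Records=1, Children=0
    A: 192.168.10.199 (flags=f0, serial=3, ttl=900)'

# Exercise the parser on the sample; the live add/verify only runs when asked.
printf '%s\n' "$SAMPLE_QUERY_OUTPUT" | dns_record_value A
if [ "${1:-}" = "run" ]; then
    dns_add_and_verify localhost meudominio.com.br samba 192.168.10.199
fi
```

Run it with the argument `run` on the DC to perform the real add and check; without arguments it only demonstrates the parser on the sample output.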
Domain information:
```
[root@storage ~]# samba-tool domain info
Usage: samba-tool domain info <ip_address> [options]
[root@storage ~]# samba-tool domain info localhost
ERROR: Invalid IP address 'localhost'!
[root@storage ~]# samba-tool domain info 192.168.10.199
Forest           : meudominio.com.br
Domain           : meudominio.com.br
Netbios domain   : MEUDOMINIO
DC name          : storage.meudominio.com.br
DC netbios name  : STORAGE
Server site      : Default-First-Site-Name
Client site      : Default-First-Site-Name
```
Domain and forest functional level:
```
[root@storage ~]# samba-tool domain level show
Domain and forest function level for domain 'DC=meudominio,DC=com,DC=br'

Forest function level: (Windows) 2008 R2
Domain function level: (Windows) 2008 R2
Lowest function level of a DC: (Windows) 2008 R2
```
Check the replication status when Samba 4 is a secondary DC; here the neighbor sections come out empty because this server is the primary DC:
```
[root@storage ~]# samba-tool drs showrepl
Default-First-Site-Name\STORAGE
DSA Options: 0x00000001
DSA object GUID: cf7401c3-9bfd-48f5-86df-49d38a04c1fd
DSA invocationId: 8aa5b435-3a0b-47a6-91ed-e2fdd99ad85d

==== INBOUND NEIGHBORS ====

==== OUTBOUND NEIGHBORS ====

==== KCC CONNECTION OBJECTS ====
```
List all GPOs in the domain:
```
[root@storage ~]# samba-tool gpo listall
GPO          : {31B2F340-016D-11D2-945F-00C04FB984F9}
display name : Default Domain Policy
path         : \\meudominio.com.br\sysvol\meudominio.com.br\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
dn           : CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=meudominio,DC=com,DC=br
version      : 0
flags        : NONE

GPO          : {6AC1786C-016F-11D2-945F-00C04FB984F9}
display name : Default Domain Controllers Policy
path         : \\meudominio.com.br\sysvol\meudominio.com.br\Policies\{6AC1786C-016F-11D2-945F-00C04FB984F9}
dn           : CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=meudominio,DC=com,DC=br
version      : 0
flags        : NONE

GPO          : {7A6B4DA7-7F01-4D32-AC5A-C3485A58C6EC}
display name : teste
path         : \\meudominio.com.br\SysVol\meudominio.com.br\Policies\{7A6B4DA7-7F01-4D32-AC5A-C3485A58C6EC}
dn           : CN={7A6B4DA7-7F01-4D32-AC5A-C3485A58C6EC},CN=Policies,CN=System,DC=meudominio,DC=com,DC=br
version      : 65536
flags        : NONE

GPO          : {C099ECFC-D324-4F27-ABFA-7EE3F29B029C}
display name : com
path         : \\meudominio.com.br\SysVol\meudominio.com.br\Policies\{C099ECFC-D324-4F27-ABFA-7EE3F29B029C}
dn           : CN={C099ECFC-D324-4F27-ABFA-7EE3F29B029C},CN=Policies,CN=System,DC=meudominio,DC=com,DC=br
version      : 65536
flags        : NONE

GPO          : {BA84738D-FCBA-4D25-B7E6-ADF282F7A04F}
display name : fin
path         : \\meudominio.com.br\SysVol\meudominio.com.br\Policies\{BA84738D-FCBA-4D25-B7E6-ADF282F7A04F}
dn           : CN={BA84738D-FCBA-4D25-B7E6-ADF282F7A04F},CN=Policies,CN=System,DC=meudominio,DC=com,DC=br
version      : 65536
flags        : NONE

GPO          : {ECFFD175-D68B-4B11-8C3B-5BCB224EF394}
display name : comp
path         : \\meudominio.com.br\SysVol\meudominio.com.br\Policies\{ECFFD175-D68B-4B11-8C3B-5BCB224EF394}
dn           : CN={ECFFD175-D68B-4B11-8C3B-5BCB224EF394},CN=Policies,CN=System,DC=meudominio,DC=com,DC=br
version      : 262144
flags        : NONE

GPO          : {4F327A01-5549-4173-B4A9-E19F1842767C}
display name : com1
path         : \\meudominio.com.br\SysVol\meudominio.com.br\Policies\{4F327A01-5549-4173-B4A9-E19F1842767C}
dn           : CN={4F327A01-5549-4173-B4A9-E19F1842767C},CN=Policies,CN=System,DC=meudominio,DC=com,DC=br
version      : 655360
flags        : NONE

GPO          : {E314842A-02B6-43E8-BDEF-107346D5C19F}
display name : COMER_01
path         : \\meudominio.com.br\SysVol\meudominio.com.br\Policies\{E314842A-02B6-43E8-BDEF-107346D5C19F}
dn           : CN={E314842A-02B6-43E8-BDEF-107346D5C19F},CN=Policies,CN=System,DC=meudominio,DC=com,DC=br
version      : 262144
flags        : NONE

GPO          : {EB4B0258-46F7-4F7F-AF9F-06AACFB5C7A7}
display name : FINAN_01
path         : \\meudominio.com.br\SysVol\meudominio.com.br\Policies\{EB4B0258-46F7-4F7F-AF9F-06AACFB5C7A7}
dn           : CN={EB4B0258-46F7-4F7F-AF9F-06AACFB5C7A7},CN=Policies,CN=System,DC=meudominio,DC=com,DC=br
version      : 327680
flags        : NONE

GPO          : {7DA5E3F4-1C79-4C19-821C-3C329169A1BA}
display name : COMP_COMER
path         : \\meudominio.com.br\SysVol\meudominio.com.br\Policies\{7DA5E3F4-1C79-4C19-821C-3C329169A1BA}
dn           : CN={7DA5E3F4-1C79-4C19-821C-3C329169A1BA},CN=Policies,CN=System,DC=meudominio,DC=com,DC=br
version      : 262144
flags        : NONE

GPO          : {5EA68A18-58DC-4E96-883B-919FCB8EF502}
display name : COMP_FINAN
path         : \\meudominio.com.br\SysVol\meudominio.com.br\Policies\{5EA68A18-58DC-4E96-883B-919FCB8EF502}
dn           : CN={5EA68A18-58DC-4E96-883B-919FCB8EF502},CN=Policies,CN=System,DC=meudominio,DC=com,DC=br
version      : 524288
flags        : NONE
```
List which GPOs apply to a user:
```
[root@storage ~]# samba-tool gpo list
Usage: samba-tool gpo list <username> [options]
[root@storage ~]# samba-tool gpo list jhones
GPOs for user jhones
    Default Domain Policy {31B2F340-016D-11D2-945F-00C04FB984F9}
```
Details of a specific GPO; note that to show its information you must pass the GPO's ID, not its name:
```
[root@storage ~]# samba-tool gpo show {5EA68A18-58DC-4E96-883B-919FCB8EF502}
GPO          : {5EA68A18-58DC-4E96-883B-919FCB8EF502}
display name : COMP_FINAN
path         : \\meudominio.com.br\SysVol\meudominio.com.br\Policies\{5EA68A18-58DC-4E96-883B-919FCB8EF502}
dn           : CN={5EA68A18-58DC-4E96-883B-919FCB8EF502},CN=Policies,CN=System,DC=meudominio,DC=com,DC=br
version      : 524288
flags        : NONE
ACL          : <hidden>
```
List groups:
```
[root@storage ~]# samba-tool group list
Allowed RODC Password Replication Group
Enterprise Read-Only Domain Controllers
Denied RODC Password Replication Group
Pre-Windows 2000 Compatible Access
Windows Authorization Access Group
Certificate Service DCOM Access
Network Configuration Operators
Terminal Server License Servers
Incoming Forest Trust Builders
```
List the members of a group:
```
[root@storage ~]# samba-tool group listmembers Administrators
Domain Admins
Administrator
Enterprise Admins
jhones
```
Create a new group:
```
[root@storage ~]# samba-tool group add novogrupo
Added group novogrupo
```
Add a member to the group and list the group's members:
```
[root@storage ~]# samba-tool group addmembers novogrupo jhones
Added members to group novogrupo
[root@storage ~]# samba-tool group listmembers novogrupo
jhones
```
List users:
```
[root@storage ~]# samba-tool user list
julia
maria
Administrator
jpetter
jhones
krbtgt
Guest
```
Add a new user:
```
[root@storage ~]# samba-tool user add novousuario
New Password:
Retype Password:
User 'novousuario' created successfully
```
Set a new password for a user:
```
[root@storage ~]# samba-tool user setpassword jhones
New Password:
Changed password OK
```
References:
https://www.samba.org/samba/docs/man/manpages/samba-tool.8.html