更新 Debian 10 到 11

編輯 /etc/apt/sources.list
deb http://deb.debian.org/debian bullseye main contrib non-free
deb http://deb.debian.org/debian bullseye-updates main contrib non-free
deb http://security.debian.org/debian-security bullseye-security main
deb http://ftp.debian.org/debian bullseye-backports main contrib non-free

apt update -y
apt upgrade --without-new-pkgs -y
apt full-upgrade -y

SHOREWALL黑名單設定

1.編輯 /etc/shorewall/shorewall.conf 
BLACKLIST 選項

2.編輯 /etc/shorewall/blrules 

#ACTION         SOURCE                  DEST                    PROTO   DPORT

WHITELIST       net:1.2.3.4             all
DROP                  net                         all                     udp     1023:1033,1434,5948,23773
DROP                  all                          net                     udp     1023:1033
DROP                  net                         all                     tcp     57,1433,1434,2401
DROP                  net:1.2.3.4             all
DROP                  net:1.2.23.4           all                     tcp     25

Debian 12 安裝 Samba 升級 DC 建立網域

安裝軟體
apt install -y sudo screen
apt install -y acl attr samba samba-dsdb-modules samba-vfs-modules winbind libpam-winbind libnss-winbind libpam-krb5 krb5-config krb5-user dnsutils net-tools
apt install samba krb5-config winbind smbclient -y
apt-get install ldb-tools

systemctl stop smbd nmbd winbind
systemctl disable smbd nmbd winbind
systemctl mask smbd nmbd winbind

升級 Domain Controller
mv /etc/samba/smb.conf /etc/samba/smb.conf.ori

samba-tool domain provision
#samba-tool domain provision --use-rfc2307 --interactive

mv /etc/krb5.conf /etc/krb5.conf.ori
ln -s /var/lib/samba/private/krb5.conf /etc/krb5.conf   

systemctl start samba-ad-dc

測試
smbclient -L localhost -U%
samba-tool domain level show

建立帳號
samba-tool user create user

samba-tool user list
pdbedit -L -v

RFC 2307屬性
驗證 NIS 擴充功能是否已安裝在 Active Directory 中
ldbsearch -H /var/lib/samba/private/sam.ldb -s base -b \
CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=tdap,DC=sinica cn

RFC 2307屬性允許在 LDAP 目錄中儲存 Unix 使用者和群組資訊
不建議在 Samba AD DC 上使用 RFC2307 對應。預設的 idmap.ldb 機制適用於網域控制站且不易出錯。

Debian 12 samba DC 加入網域

安裝軟體
apt install -y sudo screen
apt install -y acl attr samba samba-dsdb-modules samba-vfs-modules winbind libpam-winbind libnss-winbind libpam-krb5 krb5-config krb5-user dnsutils net-tools
apt install samba krb5-config winbind smbclient -y
apt-get install ldb-tools

systemctl stop smbd nmbd winbind
systemctl disable smbd nmbd winbind
systemctl mask smbd nmbd winbind

升級 Domain Controller 加入網域
mv /etc/samba/smb.conf /etc/samba/smb.conf.ori

samba-tool domain join DOMAIN.loc DC -U "DOMAIN\administrator"
systemctl start samba-ad-dc

測試
smbclient -L localhost -U%
samba-tool domain level show

建立帳號
samba-tool user create user

samba-tool user list
pdbedit -L -v

Kerberos 相關設定 /etc/krb5.conf:
[libdefaults]
    dns_lookup_realm = false
    dns_lookup_kdc = true
    default_realm = DOMAIN.LOC

Kerberos 相關指令
kinit administrator
klist

RFC 2307屬性
驗證 NIS 擴充功能是否已安裝在 Active Directory 中
ldbsearch -H /var/lib/samba/private/sam.ldb -s base -b \
CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=tdap,DC=sinica cn

RFC 2307屬性允許在 LDAP 目錄中儲存 Unix 使用者和群組資訊
不建議在 Samba AD DC 上使用 RFC2307 對應。預設的 idmap.ldb 機制適用於網域控制站且不易出錯。

更新 Debian 9 到 10

編輯 /etc/apt/sources.list
#deb http://deb.debian.org/debian buster main contrib non-free
#deb http://deb.debian.org/debian buster-updates main contrib non-free
#deb http://deb.debian.org/debian buster-backports main contrib non-free
#deb http://security.debian.org buster/updates main contrib

deb http://ftp.debian.org/debian buster main contrib
deb http://ftp.debian.org/debian buster-updates main contrib
deb http://security.debian.org buster/updates main contrib

apt update -y
apt upgrade --without-new-pkgs -y
apt full-upgrade -y

 tasksel.