0x10 Management of SAMBA4 DC domain control deployed in Debian12.0 (1) [base: SAMBA4+Debian12+vSphere] Under construction….

1. Learning objectives:

Learn to add, delete, modify and query the command line to manage samba ad dc, the most basic command.

Other content portal addresses:

0x00 Deploy Layer 3 routing from the intranet [base: router + idle physical host (I am TP-LINK + desktop)]
0x01 Deploy vSphere on an idle physical host [base: idle physical device + ESXI 8.0 + vCenter Server]
0x02 Deploying BIND9 in Debian12.0 to implement the primary DNS service [base: BIND9 + ESXI + Debian12]
0x03 Deploying BIND9 in Debian12.0 to implement the secondary DNS service [base: BIND9 + Debian12 + vSphere]
0x04 Deploying NTP in Debian12.0 to implement network timekeeping service [base: NTP + Debian12 + vSphere]
0x05 Deploy LNMP in Debian12.0 to implement the basic environment [base: Debian12 + Nginx + MySQL + PHP + ESXI]
0x06 Deploy Openmediavault in vSphere to implement lightweight NAS [base: Openmediavault + vSphere]
0x07 Deploy TrueNAS in vSphere to implement business NAS ZFS [base: NTP + vSphere]
0x08 Deploy LDAP directory access in Debian12.0 [base: LDAP + Debian12 + vSphere]
0x09 Deploy SAMBA4 active directory in Debian12.0 to achieve DC domain control [base: SAMBA4 + Debian12 + vSphere]

2. Learning content:

Samba AD DC is administered with a dedicated tool called samba-tool. It is a command-line program, not a graphical interface.

The tool is installed automatically with the samba-ad-dc package; we already used it during the installation process.

With samba-tool you can directly manage domain users and groups, group policies, sites, the DNS service, directory replication and the other key domain functions.

Use the following command to directly see all the functions supported by samba-tool.

samba-tool -h

Believe me, you will be confused if you read that output as it is. Let me translate it into plain language:

Available subcommands:
  computer - Computer management.
  Computer - Manages the computer hosts in the domain, corresponding to host management in Windows AD.
  
  contact - Contact management.
  Contacts - Manages contacts, for example the enterprise employee directory for the domain.
  
  dbcheck - Check local AD database for errors.
  Database check - Checks the local AD database for errors; used for debugging.
  
  delegation - Delegation management.
  Delegation - Manages delegation for accounts. Anyone who has worked with Windows AD knows that delegated roles can be assigned.
  
  dns - Domain Name Service (DNS) management.
  dns - Manages DNS records. Every DC has this function, but in the operations teams I have seen it is not used; they always run DNS on separate machines rather than piling everything onto one box.
  
  domain - Domain management.
  Domain - Domain management; this is the most-used subcommand in command-line administration.
  
  drs - Directory Replication Services (DRS) management.
  drs - Directory Replication Service, used for replication between DCs in a master/replica setup.
  
  dsacl - DS ACLs manipulation.
  dsacl - ACL access control for the directory service, used for security functions.
  
  forest - Forest management.
  Forest - Multiple domains form a forest. When initializing Windows AD you are required to specify the forest.
  
  fsmo - Flexible Single Master Operations (FSMO) roles management.
  fsmo - Manages the FSMO roles, the single-master operations that only one DC in the domain holds at a time.
  
  gpo - Group Policy Object (GPO) management.
  Group Policy - Manages Group Policy Objects.
  
  group - Group management.
  Group - Manages groups.
  
  ldapcmp - Compare two ldap databases.
  ldapcmp - Checks whether two LDAP directories are consistent; often used when debugging a master/replica configuration.
  
  ntacl - NT ACLs manipulation.
  ntacl - NT is the old Windows NT line; these are the NT-style ACLs (from the NT4 era) on files and shares, and this subcommand manipulates them.
  
  ou - Organizational Units (OU) management.
  Organization - Classic DC terminology; an OU is an organizational unit.
  
  processes - List processes (to aid debugging on systems without setproctitle).
  processes - A tool to check Samba's processes, i.e. whether the service is running. In many cases you just use systemctl instead.
  
  rodc - Read-Only Domain Controller (RODC) management.
  rodc - Sometimes a domain controller is set to read-only mode; this subcommand manages that, mainly to separate business-side management permissions and perhaps to keep someone from deleting the database by accident.
  
  schema - Schema querying and management.
  schema - Handles schema queries; since LDAP is a special tree-structured database, those familiar with databases will understand what a schema query is.
  
  sites - Sites management.
  Site - Site management, used between domain controllers at remote locations.
  
  spn - Service Principal Name (SPN) management.
  spn - I rarely use this, and I have only a limited understanding of its functions.
  
  testparm - Syntax check the configuration file.
  Syntax check - To configure the DC you can edit smb.conf directly; this command checks its syntax.
  
  time - Retrieve the time on a server.
  Time - Retrieves the time from a server (NTP time).
  
  user - User management.
  User - One of the main functions of the DC; domain user account management lives here.
  
  visualize - Produces graphical representations of Samba network state.
  Visualization - A debugging tool, mainly for viewing Samba's network state.

It's not over yet. The entries above are all subcommands, and each of them has its own subcommands. You can keep drilling down with the following statement:

samba-tool <subcommand> -h

After I have laid out the basic content, let’s get to the point:

2.1 Learn the content of user management:

User management is the main function of AD domain control. Let’s first check the user subcommand:

Available subcommands:
  add - Add a new user.
  addunixattrs - Add RFC2307 attributes to a user.
  create - Add a new user.
  delete - Delete a user.
  disable - Disable a user.
  edit - Modify User AD object.
  enable - Enable a user.
  getgroups - Get the direct group memberships of a user account.
  getpassword - Get the password fields of a user/computer account.
  list - List all users.
  move - Move a user to an organizational unit/container.
  password - Change password for a user account (the one provided in authentication).
  rename - Rename a user and related attributes.
  sensitive - Set/unset or show UF_NOT_DELEGATED for an account.
  setexpiry - Set the expiration of a user account.
  setpassword - Set or reset the password of a user account.
  setprimarygroup - Set the primary group a user account.
  show - Display a user AD object.
  syncpasswords - Sync the password of user accounts.
  unlock - Unlock a user account.
For more help on a specific subcommand, please type: samba-tool user <subcommand> (-h|--help)

You can run these through a translator if needed; the keywords mostly explain themselves. Each command accepts many parameters, and when you look at the help for the add command later you will find a lot of options. Let's look at a few classics:

Create a user or a group with no extra parameters. For a user you will only be prompted for a password by default:

samba-tool user add <username you defined>
samba-tool group add <group name you defined>


Create a user and require this user to change their password the next time they log in:

samba-tool user add <username you defined> --must-change-at-next-login

The two commands above are the ones used most often, but this is only to get you familiar with them; in practice you rarely create users one by one from the command line like this.

Use the following command to view a list of all users:

samba-tool user list


If an account needs its password reset:

samba-tool user setpassword <username you defined>

Password strength is restricted by rules. You can view the rule table with the following two commands, or you can customize the rule table:

samba-tool domain passwordsettings show
samba-tool domain passwordsettings -h    # view the help; the parameters listed there are used to change the rules
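As an added example (not part of the original post), a POSIX shell audit of the output of `samba-tool domain passwordsettings show` against a baseline. The sample output and the thresholds are constructed assumptions; the field names follow samba-tool's output format, and the `set` options named in the messages are real samba-tool options.

```shell
#!/bin/sh
# Audit `samba-tool domain passwordsettings show` output against a baseline.
# Added example, not from the original post; thresholds are an assumed baseline,
# not Samba defaults; the `set` options named below are real samba-tool options.
# Constructed sample of the show output (samba-tool's field names, made-up values).
SAMPLE_SETTINGS=$(cat <<'EOF'
Password information for domain 'DC=example,DC=lan'

Password complexity: off
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30
EOF
)

# get_setting LABEL: print the value after "LABEL:" from settings text on stdin.
get_setting() { grep -F "$1:" | sed 's/.*: *//'; }

# audit_pwsettings: read settings text on stdin, print one WEAK line per finding
# and return the number of findings (0 = policy meets the baseline).
audit_pwsettings() {
    input=$(cat)
    findings=0
    set_cmd="samba-tool domain passwordsettings set"
    complexity=$(printf '%s\n' "$input" | get_setting "Password complexity")
    plaintext=$(printf '%s\n' "$input" | get_setting "Store plaintext passwords")
    minlen=$(printf '%s\n' "$input" | get_setting "Minimum password length")
    lockout=$(printf '%s\n' "$input" | get_setting "Account lockout threshold (attempts)")
    if [ "$complexity" != "on" ]; then
        echo "WEAK: complexity off -> $set_cmd --complexity=on"; findings=$((findings + 1))
    fi
    if [ "$plaintext" = "on" ]; then
        echo "WEAK: plaintext storage on -> $set_cmd --store-plaintext=off"; findings=$((findings + 1))
    fi
    if [ "${minlen:-0}" -lt 12 ]; then
        echo "WEAK: min length $minlen < 12 -> $set_cmd --min-pwd-length=12"; findings=$((findings + 1))
    fi
    if [ "${lockout:-0}" -eq 0 ]; then
        echo "WEAK: no account lockout -> $set_cmd --account-lockout-threshold=5"; findings=$((findings + 1))
    fi
    return "$findings"
}
# On a live DC: samba-tool domain passwordsettings show | audit_pwsettings
printf '%s\n' "$SAMPLE_SETTINGS" | audit_pwsettings || echo "findings: $?"
```

On the constructed sample the audit reports three findings (complexity off, minimum length 7, no lockout); run it against your own DC's output before and after changing the settings.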

To delete a Samba AD domain user or group, use the following syntax (user delete for users, group delete for groups):

samba-tool user delete <user name you defined>
samba-tool group delete <group you defined>

The above are basically the simplest additions, deletions, modifications and checks. If you master these things, you will basically know 80% of your future use.

In the next article, we will study and learn how to use the created account.