Active Directory with Samba4

(BIND is assumed to be installed and configured already)

DNS2 (BIND) server 192.168.1.2
Samba (Domain Controller) server 192.168.1.2

Install the build dependencies

# yum install gcc -y
# yum install libacl-devel -y
# yum install libblkid-devel -y
# yum install gnutls-devel -y
# yum install python-devel -y
# yum install krb5-workstation -y
# yum install zlib-devel -y
# yum install libaio-devel -y
# yum install policycoreutils-python -y
# yum install popt-devel -y
# yum install libpcap-devel -y
# yum install sqlite-devel -y
# yum install libidn-devel -y
# yum install libxml2-devel -y
# yum install libsepol-devel -y
# yum install keyutils-libs-devel -y
# yum install cyrus-sasl-devel -y
# yum install bind-utils -y

Download the source
(Samba publishes a detached GPG signature, samba-4.1.4.tar.asc, next to each release. It is made over the uncompressed tarball, so gunzip first and check it with gpg --verify before building from a plain-HTTP download.)

# cd /usr/src
# wget http://ftp.samba.org/pub/samba/samba-4.1.4.tar.gz
# tar zxvf samba-4.1.4.tar.gz
# cd samba-4.1.4

Compile Samba4
With the default prefix it is installed under /usr/local/samba.

# ./configure
# make
# make install

Provision the Active Directory domain

# cd /usr/local/samba/bin
# ./samba-tool domain provision --interactive --function-level=2008_R2

Realm [LOCALDOMAIN]: DOMAIN.LOCAL ← a realm, so give it in upper case
Domain [DOMAIN]: ← default
Server Role (dc, member, standalone) [dc]: ← default
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: BIND9_FLATFILE ← not the default; BIND9_FLATFILE is chosen because BIND on this host serves the zone
Administrator password: ← enter the password
Retype password: ← confirm the password
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=domain,DC=local
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=domain,DC=local
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role:           active directory domain controller
Hostname:              example
NetBIOS Domain:        DOMAIN
DNS Domain:            domain.local
DOMAIN SID:            S-1-5-21-3195629488-859169402-1860501972

Edit named.conf

options {
    …
    tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
}

view "internal" {
    …
    include "/usr/local/samba/private/named.conf";
}

Add a host entry

# vi /etc/hosts

192.168.1.2 example.domain.local ← append

Configure resolv.conf

# vi /etc/resolv.conf

search domain.local
nameserver 192.168.1.2     ← this server's own address

Network interface configuration file

# vi /etc/sysconfig/network-scripts/

DNS2=192.168.1.2    ← this server's own address

Start Samba

# /usr/local/samba/sbin/samba
# ps -ef|grep samba
root      5516     1  4 11:08 ?        00:00:00 /usr/local/samba/sbin/samba
root      5517  5516  0 11:08 ?        00:00:00 /usr/local/samba/sbin/samba
root      5518  5516  0 11:08 ?        00:00:00 /usr/local/samba/sbin/samba
root      5519  5517  4 11:08 ?        00:00:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
root      5520  5516  0 11:08 ?        00:00:00 /usr/local/samba/sbin/samba
root      5521  5516  0 11:08 ?        00:00:00 /usr/local/samba/sbin/samba
root      5522  5516  6 11:08 ?        00:00:00 /usr/local/samba/sbin/samba
root      5523  5516  0 11:08 ?        00:00:00 /usr/local/samba/sbin/samba
root      5524  5516  0 11:08 ?        00:00:00 /usr/local/samba/sbin/samba
root      5525  5516  0 11:08 ?        00:00:00 /usr/local/samba/sbin/samba
root      5526  5516  0 11:08 ?        00:00:00 /usr/local/samba/sbin/samba
root      5527  5516  0 11:08 ?        00:00:00 /usr/local/samba/sbin/samba
root      5528  5516  0 11:08 ?        00:00:00 /usr/local/samba/sbin/samba
root      5529  5516  0 11:08 ?        00:00:00 /usr/local/samba/sbin/samba
root      5530  5516  0 11:08 ?        00:00:00 /usr/local/samba/sbin/samba
root      5534  5519  0 11:08 ?        00:00:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
root      5537  1081  0 11:08 pts/1    00:00:00 grep samba

Kerberos client configuration
(The provisioning step already wrote an equivalent file to /usr/local/samba/private/krb5.conf; copying that into place gives the same [libdefaults] block as below.)

# vi /etc/krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.LOCAL
 dns_lookup_realm = true
 dns_lookup_kdc = true

Verify Kerberos

# kinit administrator@DOMAIN.LOCAL
Password for administrator@DOMAIN.LOCAL:
Warning: Your password will expire in 41 days on Tue Apr  8 11:06:46 2014

Test access to the netlogon share as Administrator

# /usr/local/samba/bin/smbclient //localhost/netlogon -UAdministrator -c 'ls'
Enter Administrator's password:
Domain=[DOMAIN] OS=[Unix] Server=[Samba 4.1.4]
  .                                   D        0  Tue Feb 25 11:06:38 2014
  ..                                  D        0  Tue Feb 25 11:06:48 2014
                35275 blocks of size 524288. 31250 blocks available

List the shares available on the server (anonymous connection, -U%)

# /usr/local/samba/bin/smbclient -L localhost -U%
Domain=[example] OS=[Unix] Server=[Samba 4.1.4]

       Sharename       Type      Comment
       ---------       ----      -------
       netlogon        Disk
       sysvol          Disk
       IPC$            IPC       IPC Service (Samba 4.1.4)
Domain=[example] OS=[Unix] Server=[Samba 4.1.4]

       Server               Comment
       ---------            -------

       Workgroup            Master
       ---------            -------

Check that the DNS SRV records Active Directory relies on are registered

# host -t SRV _ldap._tcp.domain.local 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:
_ldap._tcp.domain.local has SRV record 0 100 389 example.domain.local.
# host -t SRV _kerberos._udp.domain.local 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:
_kerberos._udp.domain.local has SRV record 0 100 88 example.domain.local.

Check that the AD server's hostname resolves

# host -t A example.domain.local 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:
example.domain.local has address 192.168.1.2

Create the init script

# vi /etc/init.d/samba4

#! /bin/bash
#
# samba4       Bring up/down samba4 service
#
# chkconfig: - 90 10
# description: Starts/stops the Samba 4 AD domain controller installed
#              under /usr/local/samba.
#
### BEGIN INIT INFO
# Provides: samba4
# Required-Start: $network
# Short-Description: Bring up/down samba4
# Description: Bring up/down samba4
### END INIT INFO
# Source function library.
. /etc/init.d/functions

if [ -f /etc/sysconfig/samba4 ]; then
    . /etc/sysconfig/samba4
fi

prog="samba4"
SAMBA=/usr/local/samba/sbin/samba
RETVAL=0

# True when the samba parent process is present in the process table.
running() {
    ps ax | grep -v "grep" | grep -q "$SAMBA"
}

start() {
    echo -n $"Starting $prog: "
    "$SAMBA"
    sleep 2
    if running; then
        success $"$prog startup"; RETVAL=0
    else
        failure $"$prog startup"; RETVAL=1
    fi
    echo
}

stop() {
    echo -n $"Shutting down $prog: "
    killall samba
    sleep 2
    if running; then
        failure $"$prog shutdown"; RETVAL=1
    else
        success $"$prog shutdown"; RETVAL=0
    fi
    echo
}

# Named rh_status so that it does not shadow status() from /etc/init.d/functions.
# (samba --show-build only prints build options; it says nothing about whether
# the daemon is running.)
rh_status() {
    if running; then
        echo "$prog is running"
        RETVAL=0
    else
        echo "$prog is stopped"
        RETVAL=3
    fi
}

# See how we were called.
case "$1" in
start)
    start
    ;;
stop)
    stop
    ;;
status)
    rh_status
    ;;
restart|reload)
    stop
    start
    ;;
*)
    echo $"Usage: $0 {start|stop|restart|status}"
    exit 1
esac

exit $RETVAL

Make the init script executable

# chmod 0755 /etc/init.d/samba4

Do not create the rc*.d symlinks by hand: the "chkconfig: - 90 10" header above means chkconfig creates S90samba4/K10samba4 itself, and an extra hand-made S80samba4 link in /etc/rc3.d would start the service a second time in runlevel 3.

Enable automatic start with chkconfig

# chkconfig --add samba4
# chkconfig --level 35 samba4 on

Add a user

# /usr/local/samba/bin/samba-tool user add test_user

New Password:
Retype Password:
User 'test_user' created successfully

-------- For BIND9_FLATFILE --------
Add the following to /etc/sysconfig/named

export KEYTAB_FILE="/usr/local/samba/private/dns.keytab"
export KRB5_KTNAME="/usr/local/samba/private/dns.keytab"

Add the following to /etc/named.conf

include "/usr/local/samba/private/named.conf";

This is the same include shown inside view "internal" earlier; add it only once. named runs as the unprivileged named user, so it must be able to read dns.keytab and, with the flat-file backend, the zone file that the generated named.conf points at under /usr/local/samba/private/dns/; grant that with group ownership and a restrictive mode rather than making the keytab world-readable, since anyone who can read it can perform authenticated DNS updates.

Verify BIND

# host -t SRV _ldap._tcp.domain.local.
_ldap._tcp.domain.local has SRV record 0 100 389 example.domain.local.

# host -t SRV _ldap._tcp.domain.local.    127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:

_ldap._tcp.domain.local has SRV record 0 100 389 example.domain.local.
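The record checks in this section and the SRV/A checks after provisioning above, gathered into one script as an added example (not from the original post). It assumes the names used on this page (domain.local, example.domain.local at 192.168.1.2, BIND answering on 127.0.0.1), the standard AD records Samba creates at provision time, and `host` from the bind-utils package installed earlier. The comparison is case-insensitive and tolerates the trailing dot, since BIND may return the target as `Example.domain.local.` as it did on this page.

```shell
#!/bin/sh
# Post-provision DNS check for a Samba 4 AD DC (added example, not part of the page).
# Assumed names, taken from the page above:
DOMAIN="domain.local"
DC_FQDN="example.domain.local"
DC_IP="192.168.1.2"
DNS_SERVER="127.0.0.1"

# re_escape STRING : escape dots so they match literally in a grep pattern.
re_escape() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# srv_matches OUTPUT PORT TARGET
# True if the `host -t SRV` output contains a record pointing at TARGET on PORT.
# Lower-cases the output and allows an optional trailing dot on the target.
srv_matches() {
    target=$(printf '%s' "$3" | tr '[:upper:]' '[:lower:]' | sed 's/\./\\./g')
    printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]' \
        | grep -q "has srv record [0-9][0-9]* [0-9][0-9]* $2 $target\.\{0,1\}\$"
}

# a_matches OUTPUT IP : true if the `host -t A` output carries exactly IP.
a_matches() {
    ip=$(re_escape "$2")
    printf '%s\n' "$1" | grep -q "has address $ip\$"
}

# check_srv NAME PORT : query the DC's DNS live and report.
check_srv() {
    out=$(host -t SRV "$1" "$DNS_SERVER" 2>&1)
    if srv_matches "$out" "$2" "$DC_FQDN"; then
        echo "OK   $1 -> $DC_FQDN:$2"
    else
        echo "FAIL $1"
        printf '%s\n' "$out"
        return 1
    fi
}

check_a() {
    out=$(host -t A "$DC_FQDN" "$DNS_SERVER" 2>&1)
    if a_matches "$out" "$DC_IP"; then
        echo "OK   $DC_FQDN -> $DC_IP"
    else
        echo "FAIL $DC_FQDN"
        printf '%s\n' "$out"
        return 1
    fi
}

# The records a Windows client needs to locate the DC, Kerberos and kpasswd.
run_checks() {
    rc=0
    check_srv "_ldap._tcp.$DOMAIN" 389 || rc=1
    check_srv "_ldap._tcp.dc._msdcs.$DOMAIN" 389 || rc=1
    check_srv "_kerberos._udp.$DOMAIN" 88 || rc=1
    check_srv "_kerberos._tcp.$DOMAIN" 88 || rc=1
    check_srv "_kpasswd._udp.$DOMAIN" 464 || rc=1
    check_a || rc=1
    return $rc
}

# Live checks run only when invoked as:  sh ad_dns_check.sh run
if [ "${1:-}" = "run" ]; then
    run_checks
    exit $?
fi
```

Run it on the DC after named and samba are up; a non-zero exit means at least one record is missing or points at the wrong host or port, which is the usual cause of a failed domain join.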

Open the ports the DC uses in the firewall
(first check which ports are in use)

# netstat -tulpn | egrep "samba|smbd|nmbd|winbind"

Listening ports taken from that output (the egrep filter leaves out named, so BIND's port 53 does not appear below but must be opened as well):

88 tcp
88 udp
135 tcp
137 udp
138 udp
139 tcp
389 tcp
389 udp
445 tcp
464 tcp
464 udp
636 tcp
1024 tcp
3268 tcp
3269 tcp

1024 tcp is a DCE/RPC endpoint that samba allocates from a range at start-up, not a fixed port, so a firewall rule for that single port is not enough; open the range the endpoint mapper allocates from.
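The iptables rules for the port list above, as an added example (not from the original page). It assumes domain clients all sit on LAN_NET, that BIND on this host serves DNS for the domain (so 53 is added), and that the dynamic DCE/RPC range is 1024-1300, the pre-4.7 Samba default; check your own netstat output and adjust. The rules are inserted with -I rather than -A because the stock CentOS 6 INPUT chain ends in a REJECT rule, and anything appended after it is never reached.

```shell
#!/bin/sh
# iptables rules for a Samba 4 AD DC on CentOS 6 (added example, not from the page).
LAN_NET="192.168.1.0/24"   # assumption: the only network domain clients live on

# Fixed ports observed on the DC above, plus 53 for BIND on the same host.
AD_TCP_PORTS="53 88 135 139 389 445 464 636 3268 3269"
AD_UDP_PORTS="53 88 137 138 389 464"
# "1024 tcp" above is a dynamically allocated DCE/RPC endpoint; open the range
# it is allocated from (assumed 1024-1300, the pre-4.7 default) instead of one port.
RPC_DYNAMIC_RANGE="1024:1300"

# ad_dc_rules NET : print iptables commands admitting AD traffic from NET only.
# -I puts each rule at the top of INPUT, ahead of the distribution's final REJECT.
ad_dc_rules() {
    net="$1"
    for p in $AD_TCP_PORTS; do
        echo "iptables -I INPUT -s $net -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    for p in $AD_UDP_PORTS; do
        echo "iptables -I INPUT -s $net -p udp --dport $p -j ACCEPT"
    done
    echo "iptables -I INPUT -s $net -p tcp --dport $RPC_DYNAMIC_RANGE -m state --state NEW -j ACCEPT"
}

# rule_count NET : number of rules generated, a sanity check before applying.
rule_count() {
    ad_dc_rules "$1" | wc -l | tr -d ' '
}

# Print the rules for review when invoked as:  sh ad_dc_firewall.sh print
# To apply on CentOS 6 after reviewing:  ad_dc_rules "$LAN_NET" | sh && service iptables save
if [ "${1:-}" = "print" ]; then
    ad_dc_rules "$LAN_NET"
fi
```

Scoping the source to the LAN matters more than the port list itself: LDAP (389), Kerberos (88) and SMB (445) on a domain controller are exactly the services that should never be reachable from outside the networks the domain serves.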

Client (Windows 7) settings
- Point the client's DNS at this server (192.168.1.2) first; the domain join finds the DC through the SRV records checked above.
(screenshot: Active Directory DNS settings)
- Join the domain
Start menu → Control Panel → System → Computer name → Change settings → Change, and join the client to the domain.
(screenshot: Domain join)
