Active Directory with SAMBA4

(Assumes BIND is already installed and configured)

DNS2 (BIND) server: 192.168.1.2
Samba (Domain Controller) server: 192.168.1.2

Installing dependency packages

# yum install gcc -y
# yum install libacl-devel -y
# apt-get install python-dev
# apt-get install libacl1-dev libblkid-dev
# apt-get install libgnutls28-dev
# apt-get install build-essential libacl1-dev libattr1-dev libblkid-dev libgnutls-dev libreadline-dev  python-dev python-dnspython gdb pkg-config libpopt-dev libldap2-dev dnsutils libbsd-dev attr krb5-user  docbook-xsl

Downloading the source

# cd /usr/src
# wget http://ftp.samba.org/pub/samba/samba-4.1.4.tar.gz
# tar zxvf samba-4.1.4.tar.gz
# cd samba-4.1.4

Compiling Samba4
It is installed under /usr/local/samba.

# ./configure
# make
# make install

Append "ipv6" to the following file:
/etc/modules

# /etc/modules: kernel modules to load at boot time.
#
# This file contains the names of kernel modules that should be loaded
# at boot time, one per line. Lines beginning with "#" are ignored.
# Parameters can be specified after the module name.

snd-bcm2835
ipv6    ← add this line

Building the Active Directory domain

# cd /usr/local/samba/bin
# ./samba-tool domain provision --interactive --use-rfc2307 --function-level=2008_R2

Realm [LOCALDOMAIN]: DOMAIN.LOCAL ← this is the realm, so specify it in uppercase
Domain [DOMAIN]: ← default
Server Role (dc, member, standalone) [dc]: ← default
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: BIND9_FLATFILE ← specified here (the default is SAMBA_INTERNAL)
Administrator password: ← enter the password
Retype password: ← confirm the password
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=contoso,DC=local
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=contoso,DC=local
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role:           active directory domain controller
Hostname:              example
NetBIOS Domain:        domain
DNS Domain:            domain.local
DOMAIN SID:            S-1-5-21-3195629488-859169402-1860501972

Modifying the named configuration files

# vi /etc/bind/named.conf.options 
options {
    …
    tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
}

# vi /etc/bind/named.conf.internal-zones    
view "internal" {
    …
    include "/usr/local/samba/private/named.conf";
}

Configuring resolv.conf

# vi /etc/resolv.conf

domain domain.local
search domain.local 192.168.1.1
nameserver 192.168.1.2     ← this server's address

Configuring the network settings file

# vi /etc/network/interfaces
auto lo

iface lo inet loopback
iface eth0 inet static
address 192.168.1.2  ← this server's address
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
gateway 192.168.1.1

Starting Samba

# /usr/local/samba/sbin/samba
# ps -ef|grep samba
root      5516     1  4 11:08 ?        00:00:00 /usr/local/samba/sbin/samba
root      5517  5516  0 11:08 ?        00:00:00 /usr/local/samba/sbin/samba
root      5518  5516  0 11:08 ?        00:00:00 /usr/local/samba/sbin/samba
root      5519  5517  4 11:08 ?        00:00:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
root      5520  5516  0 11:08 ?        00:00:00 /usr/local/samba/sbin/samba
root      5521  5516  0 11:08 ?        00:00:00 /usr/local/samba/sbin/samba
root      5522  5516  6 11:08 ?        00:00:00 /usr/local/samba/sbin/samba
root      5523  5516  0 11:08 ?        00:00:00 /usr/local/samba/sbin/samba
root      5524  5516  0 11:08 ?        00:00:00 /usr/local/samba/sbin/samba
root      5525  5516  0 11:08 ?        00:00:00 /usr/local/samba/sbin/samba
root      5526  5516  0 11:08 ?        00:00:00 /usr/local/samba/sbin/samba
root      5527  5516  0 11:08 ?        00:00:00 /usr/local/samba/sbin/samba
root      5528  5516  0 11:08 ?        00:00:00 /usr/local/samba/sbin/samba
root      5529  5516  0 11:08 ?        00:00:00 /usr/local/samba/sbin/samba
root      5530  5516  0 11:08 ?        00:00:00 /usr/local/samba/sbin/samba
root      5534  5519  0 11:08 ?        00:00:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
root      5537  1081  0 11:08 pts/1    00:00:00 grep samba

Kerberos client configuration
First, copy the krb5.conf file.

# cp /usr/local/samba/share/setup/krb5.conf /etc
# vi /etc/krb5.conf

[libdefaults]
default_realm = DOMAIN.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true

Verifying Kerberos

# kinit administrator@DOMAIN.LOCAL
Password for administrator@DOMAIN.LOCAL:
Warning: Your password will expire in 41 days on Tue Apr  8 11:06:46 2014

Access test on the netlogon share with Administrator privileges

# /usr/local/samba/bin/smbclient //localhost/netlogon -UAdministrator -c 'ls'
Enter Administrator's password:
Domain=[ADOSAKANA] OS=[Unix] Server=[Samba 4.1.7]
  .                                   D        0  Tue Feb 25 11:06:38 2014
  ..                                  D        0  Tue Feb 25 11:06:48 2014
                35275 blocks of size 524288. 31250 blocks available

Checking the list of shares available on the server

# /usr/local/samba/bin/smbclient -L localhost -U%
Domain=[example] OS=[Unix] Server=[Samba 4.1.7]

       Sharename       Type      Comment
       ---------       ----      -------
       netlogon        Disk
       sysvol          Disk
       IPC$            IPC       IPC Service (Samba 4.1.7)
Domain=[example] OS=[Unix] Server=[Samba 4.1.7]

       Server               Comment
       ---------            -------

       Workgroup            Master
       ---------            -------

Checking that the DNS SRV records used by Active Directory are registered

# host -t SRV _ldap._tcp.domain.local 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:
_ldap._tcp.adosakana.local has SRV record 0 100 389 example.domain.local.
# host -t SRV _kerberos._udp.domain.local 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:
_kerberos._udp.adosakana.local has SRV record 0 100 88 example.domain.local.

Checking that the AD server's hostname is registered

# host -t A example.domain.local 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:
example.domain.local has address 192.168.1.2

Creating the auto-start script

# wget "http://anonscm.debian.org/gitweb/?p=pkg-samba/samba.git;a=blob_plain;f=debian/samba.samba-ad-dc.init;h=3132d2e367675f822342a5b7bc2e50c046aa3b8f;hb=HEAD" -O /etc/init.d/samba-ad-dc

Change the following two places in /etc/init.d/samba-ad-dc

・Before
   SERVER_ROLE=`samba-tool testparm --parameter-name="server role" 2>/dev/null | tail -1`
・After
   SERVER_ROLE=`/usr/local/samba/bin/samba-tool testparm --parameter-name="server role" 2>/dev/null | tail -1`

・Before
   start-stop-daemon --stop --quiet --pidfile $SAMBAPID
・After
   start-stop-daemon --stop --quiet --name samba $SAMBAPID

Grant execute permission to the auto-start script

# chmod 755 /etc/init.d/samba-ad-dc
# update-rc.d samba-ad-dc defaults

Adding a user

# /usr/local/samba/bin/samba-tool user add test_user

New Password:
Retype Password:
User 'test_user' created successfully

Deleting a user

# /usr/local/samba/bin/samba-tool user delete test_user

------- For the BIND9_FLATFILE case -------
Verifying BIND

# host -t SRV _ldap._tcp.domain.local.
_ldap._tcp.domain.local has SRV record 0 100 389 Example.domain.local.

# host -t SRV _ldap._tcp.domain.local.    127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:

_ldap._tcp.domain.local has SRV record 0 100 389 Example.domain.local.
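The SRV and A checks above (both the earlier `host` queries and this BIND9_FLATFILE re-check) are easy to eyeball once, but worth scripting when a DC is rebuilt. This is an added example, not part of the original page: it parses `host -t SRV` / `host -t A` output and verifies that every record an AD client needs points at the DC's FQDN and address. The sample output is constructed after the page's records (it also checks `_kerberos._tcp`, which the page does not query), and the domain, FQDN and IP are the page's example values, not anything derived from a real host.

```python
import re

# Constructed `host` output modelled on the checks above (not real query results).
# Note the mixed-case target "Example.domain.local." seen in the page's output.
SAMPLE_HOST_OUTPUT = """\
_ldap._tcp.domain.local has SRV record 0 100 389 Example.domain.local.
_kerberos._udp.domain.local has SRV record 0 100 88 example.domain.local.
_kerberos._tcp.domain.local has SRV record 0 100 88 example.domain.local.
example.domain.local has address 192.168.1.2
"""

SRV_RE = re.compile(r"^(\S+) has SRV record (\d+) (\d+) (\d+) (\S+)$")
A_RE = re.compile(r"^(\S+) has address (\d+\.\d+\.\d+\.\d+)$")

# Records an AD client looks up before joining, with the port each must carry.
EXPECTED_PORTS = {"_ldap._tcp": 389, "_kerberos._udp": 88, "_kerberos._tcp": 88}


def parse_host_output(text):
    """Return ({owner: (prio, weight, port, target)}, {name: ip}), all lowercase."""
    srv, a = {}, {}
    for line in text.splitlines():
        m = SRV_RE.match(line.strip())
        if m:
            owner, prio, weight, port, target = m.groups()
            srv[owner.lower()] = (int(prio), int(weight), int(port),
                                  target.lower().rstrip("."))
            continue
        m = A_RE.match(line.strip())
        if m:
            a[m.group(1).lower()] = m.group(2)
    return srv, a


def check_ad_dns(text, domain, dc_fqdn, dc_ip):
    """Return a list of problems; an empty list means every record points at the DC."""
    srv, a = parse_host_output(text)
    problems = []
    for service, port in EXPECTED_PORTS.items():
        owner = f"{service}.{domain}".lower()
        rec = srv.get(owner)
        if rec is None:
            problems.append(f"missing SRV record {owner}")
            continue
        _, _, got_port, target = rec
        if got_port != port:
            problems.append(f"{owner}: port {got_port}, expected {port}")
        if target != dc_fqdn.lower():
            problems.append(f"{owner}: target {target}, expected {dc_fqdn}")
    # An SRV target is useless unless it also resolves to the DC's address.
    if a.get(dc_fqdn.lower()) != dc_ip:
        problems.append(f"{dc_fqdn} does not resolve to {dc_ip}")
    return problems
```

Feed it the real output with something like `check_ad_dns(subprocess.check_output(["host", "-t", "SRV", ...], text=True) + ..., "domain.local", "example.domain.local", "192.168.1.2")` and treat any non-empty result as a failed provision.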

------- Sample Samba configuration for authenticating on Linux -------

# vi /usr/local/samba/etc/smb.conf
# Global parameters
[global]
        workgroup = DOMAIN
        realm = DOMAIN.LOCAL
        netbios name = FAYE
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
        idmap_ldb:use rfc2307 = yes

        nsupdate command = /usr/bin/nsupdate -g
        printing = bsd
        log level = 1
        syslog = 0
        log file = /var/log/samba.log

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/e-maybe-lan.local/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

[home]
        browseable = no
        path = /home/%D
        read only = no
        create mask = 0644
        directory mask = 0755
        vfs objects = shadow_copy2, btrfs
        shadow:snapdir=.snapshot

Client (Windows 7) configuration
・Join the domain
Start menu → Control Panel → view the computer name → Change settings → Change,
and join the client to the domain.
Domain join
・Set this server's address as the client's DNS server
Active Directory settings

Linux client
・Install samba

# aptitude install samba

・Configure /etc/resolv.conf

# vi /etc/resolv.conf
search domain.local
nameserver 192.168.1.2

・Configure smb.conf

# vi /etc/samba/smb.conf
[global]
  ...
# ----------------------- Network Related Options -------------------------
#
  workgroup = W2K8AD1  (the AD's NetBIOS name)
  ...

# ----------------------- Domain Members Options ------------------------
  ...

        security = ads
        passdb backend = tdbsam
        realm = W2K8AD1.LOCAL (the AD's FQDN, in uppercase)

;       password server = 

        idmap uid = 10000-11000
        idmap gid = 10000-11000
  ...

[tmp] ← share used for testing
  path = /tmp
  writeable = yes 

・The Samba server must be stopped before joining the AD.

# /etc/init.d/samba stop

・Join the AD

# net rpc join -U Administrator -w [DOMAIN] -S [machine_name]

※ To change this later, use "dpkg-reconfigure [package-name]".
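The Linux client procedure above hinges on a few smb.conf values that are easy to get subtly wrong: `realm` must be the AD FQDN in uppercase, `workgroup` must be the AD's NetBIOS name, `security` must be `ads`, and the `idmap uid`/`idmap gid` ranges must be sane. This added example (not code from the page) parses an smb.conf fragment, skipping `#` and `;` comment lines like the ones in the sample, and reports violations of those rules. The sample config is constructed after the page's values; the lower bound of 1000 for idmap ranges is an assumption based on the usual first local UID on Debian.

```python
import re

# Constructed smb.conf fragment modelled on the Linux client settings above
# (AD NetBIOS name W2K8AD1, realm W2K8AD1.LOCAL); not a file taken from a real host.
SAMPLE_SMB_CONF = """\
[global]
# ----------------------- Network Related Options -------------------------
  workgroup = W2K8AD1
  security = ads
  passdb backend = tdbsam
  realm = W2K8AD1.LOCAL
;       password server =
  idmap uid = 10000-11000
  idmap gid = 10000-11000

[tmp]
  path = /tmp
  writeable = yes
"""

LOCAL_UID_MIN = 1000  # assumption: first regular local account on Debian-style systems


def parse_smb_conf(text):
    """Minimal smb.conf parser: {section: {key: value}}, ignoring # and ; comments."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            conf[section] = {}
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][key.strip().lower()] = value.strip()
    return conf


def check_member_config(text, ad_fqdn, ad_netbios):
    """Return problems found in the [global] section of an AD member's smb.conf."""
    g = parse_smb_conf(text).get("global", {})
    problems = []
    if g.get("security") != "ads":
        problems.append("security must be 'ads' for an AD member")
    if g.get("realm") != ad_fqdn.upper():
        problems.append(f"realm must be the AD FQDN in uppercase ({ad_fqdn.upper()})")
    if g.get("workgroup", "").upper() != ad_netbios.upper():
        problems.append(f"workgroup must be the AD NetBIOS name ({ad_netbios})")
    for key in ("idmap uid", "idmap gid"):
        m = re.fullmatch(r"(\d+)-(\d+)", g.get(key, ""))
        if not m or int(m.group(1)) >= int(m.group(2)):
            problems.append(f"{key} must be a low-high range")
        elif int(m.group(1)) < LOCAL_UID_MIN:  # avoid colliding with local accounts
            problems.append(f"{key} overlaps the local account range")
    return problems
```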
