
Building Active Directory with Samba

$ sudo dnf install samba samba-client samba-dc

It is also worth installing the following so that wbinfo is available.

$ sudo dnf install samba-winbind-clients

If you intend to use the CUPS print server:

$ sudo yum install cups

Install killall (provided by psmisc):

$ sudo yum install psmisc

Install kinit (provided by krb5-workstation):

$ sudo yum install krb5-workstation

Move the distribution's stock smb.conf aside so that provisioning generates a fresh one instead of picking up settings from it, then provision the domain interactively. --use-rfc2307 adds the RFC 2307 (NIS/POSIX) attributes to the schema so that Unix UID/GID mappings can be stored in AD.

$ sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.org
$ sudo samba-tool domain provision --use-rfc2307 --interactive
Realm [FIREBALL.LOCAL]: <- press Enter
 Domain [FIREBALL]:  <- press Enter
 Server Role (dc, member, standalone) [dc]:  <- press Enter
 DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: <- press Enter
 DNS forwarder IP address (write 'none' to disable forwarding) [192.168.1.254]: 129.250.35.250 <- enter the IP of a public DNS server
Administrator password: <- enter the password (at least 7 characters mixing letters, digits and symbols; Samba's default policy enforces a minimum length of 7 and complexity, i.e. characters from three of the four classes upper case, lower case, digit, symbol)
Retype password: <- enter the password again to confirm
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=fireball,DC=local
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=fireball,DC=local
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /var/lib/samba/private/krb5.conf
Setting up fake yp server settings
Once the above files are installed, your Samba4 server will be ready to use
Server Role:           active directory domain controller
Hostname:              blue-dc
NetBIOS Domain:        FIREBALL
DNS Domain:            fireball.local
DOMAIN SID:            S-1-5-21-450207414-3644643225-592770093
The BIND9_DLZ configuration that follows is only needed if BIND9_DLZ was chosen as the DNS backend during provisioning. With SAMBA_INTERNAL (the default accepted above), skip ahead to the krb5.conf step: Samba serves port 53 itself, as the listen check later on shows, and a named bound to the same port would conflict with it.

$ sudo vi /etc/named.conf
options {
    ...
    tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
    ...
};

include "/var/lib/samba/private/named.conf";

Fedora 19 ships bind-9.9.3, so switch the fragment to the 9.9 setting (by default it is set up for 9.8).
Note: if you provision again, this edit has to be redone.

$ sudo vi /var/lib/samba/private/named.conf
#
# This configures dynamically loadable zones (DLZ) from AD schema
# Uncomment only single database line, depending on your BIND version
#
dlz "AD DNS Zone" {
    # For BIND 9.8.0
    # database "dlopen /usr/lib64/samba/bind9/dlz_bind9.so";

    # For BIND 9.9.0
    database "dlopen /usr/lib64/samba/bind9/dlz_bind9_9.so";
};
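The comment in the fragment says to uncomment exactly one database line for the installed BIND version, and the note above says the edit must be redone after every re-provision. The following helper, added here and not part of the original page or of Samba, makes that edit repeatable: given the version string printed by named -v, it activates only the matching database line and comments out every other one. The mapping from BIND version to module file (dlz_bind9.so for 9.8, dlz_bind9_<minor>.so for later 9.x releases) is an assumption about Samba's naming convention, so check that the selected file actually exists under /usr/lib64/samba/bind9/ before restarting named. The configuration text embedded below is a constructed copy of the fragment above.

```sh
#!/bin/sh
# Added example: activate the DLZ module line in Samba's named.conf fragment
# that matches the installed BIND version, commenting out all other database lines.

# Map "named -v" output (e.g. "BIND 9.9.3-P1") to Samba's DLZ module file name.
# Assumption: 9.8 -> dlz_bind9.so, later 9.x -> dlz_bind9_<minor>.so (e.g. dlz_bind9_16.so).
dlz_module_for() {
    ver=$(printf '%s\n' "$1" | grep -o '[0-9][0-9]*\.[0-9][0-9]*' | head -n 1)
    case "$ver" in
        9.8)  echo "dlz_bind9.so" ;;
        9.*)  echo "dlz_bind9_${ver#9.}.so" ;;
        *)    echo "unsupported BIND version: $1" >&2; return 1 ;;
    esac
}

# Rewrite the fragment read from stdin so that only the database line loading
# module $1 is active. Lines are recognised by the 'database "dlopen' keyword,
# so existing comment markers and indentation do not matter; the result is
# idempotent and can be re-applied after every provision.
select_dlz_line() {
    awk -v mod="$1" '
        /database "dlopen / {
            sub(/^[ \t]*(#[ \t]*)?/, "")              # strip indentation and any comment marker
            if (index($0, "/" mod "\"") == 0) $0 = "# " $0
            print "    " $0; next
        }
        { print }'
}

# Constructed sample: the fragment as Samba provisions it (9.9 line active).
SAMPLE_NAMED_CONF='dlz "AD DNS Zone" {
    # For BIND 9.8.0
    # database "dlopen /usr/lib64/samba/bind9/dlz_bind9.so";

    # For BIND 9.9.0
    database "dlopen /usr/lib64/samba/bind9/dlz_bind9_9.so";
};'

# Usage on a real DC (paths assumed):
#   mod=$(dlz_module_for "$(named -v)") &&
#   select_dlz_line "$mod" < /var/lib/samba/private/named.conf > /tmp/named.conf.new
# Demo: switch the sample to the BIND 9.8 module.
printf '%s\n' "$SAMPLE_NAMED_CONF" | select_dlz_line "$(dlz_module_for 'BIND 9.8.2-P1')"
```

Review the rewritten file with diff against the original before copying it back over /var/lib/samba/private/named.conf, and keep the ownership and mode that bind needs on the replacement.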

Allow bind to read the files Samba generated for it.

$ sudo chgrp named /var/lib/samba/private
$ sudo chmod 750 /var/lib/samba/private

Note: if you forget this, bind will not start.
Note: it has to be repeated after every update of the Samba package, which resets the ownership.
Note: this gives the named group traverse and listing access to the directory that also holds the DC's secrets (sam.ldb with the password hashes, secrets.ldb and the Kerberos keytabs). named only needs dns.keytab and its named.conf, so leave the other files readable by root only and confirm with ls -l that nothing else in the directory is group readable. Newer Samba releases keep these two files in a separate directory, /var/lib/samba/bind-dns, so that named needs no access to private/ at all.

Restart bind.

$ sudo systemctl restart named.service
Back up the stock krb5.conf and add the realm. Provisioning already generated an equivalent minimal file at /var/lib/samba/private/krb5.conf (see the output above); copying that file over /etc/krb5.conf is the alternative to editing by hand.

$ sudo cp /etc/krb5.conf /etc/krb5.conf.org
$ sudo vi /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
 
[libdefaults]
 default_realm = FIREBALL.LOCAL <-
 dns_lookup_realm = false       <- added
 dns_lookup_kdc = true          <-
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 
[realms]
# EXAMPLE.COM = {
#  kdc = kerberos.example.com
#  admin_server = kerberos.example.com
# }
 FIREBALL.LOCAL = {            <-
  kdc = blue-dc.fireball.local <- added
 }                             <-
 
[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
 .fireball.local = FIREBALL.LOCAL <- added
 fireball.local = FIREBALL.LOCAL  <-
Start samba once in the foreground with a raised debug level to confirm that it comes up without errors (stop it with Ctrl-C), then enable and start the service.

$ sudo samba -i -M single --debuglevel=3
samba version 4.1.0 started.
Copyright Andrew Tridgell and the Samba Team 1992-2013
samba: using 'single' process model
$ sudo systemctl enable samba.service
$ sudo systemctl start samba.service

Open the DC ports in firewalld. The samba-dc service definition is intended to cover DNS, Kerberos, LDAP/LDAPS, SMB, kpasswd, the global catalog and the dynamic RPC range (check it with firewall-cmd --info-service=samba-dc). Because the listen check below shows every service bound to 0.0.0.0, on a host with more than one network interface add the service only to the zone of the internal interface, or restrict the source addresses with a rich rule.

$ sudo firewall-cmd --permanent --add-service=samba-dc
$ sudo firewall-cmd --reload

Confirm that it is running with the standard process model: the status output shows the parent samba process with one forked child per service, plus smbd, winbindd and, on this build, a separate krb5kdc process for the MIT KDC.

$ sudo systemctl status samba.service
● samba.service - Samba AD Daemon
   Loaded: loaded (/usr/lib/systemd/system/samba.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2019-01-05 22:25:16 JST; 8min ago
     Docs: man:samba(8)
           man:samba(7)
           man:smb.conf(5)
 Main PID: 742 (samba)
   Status: "smbd: ready to serve connections..."
    Tasks: 23 (limit: 546)
   Memory: 213.4M
   CGroup: /system.slice/samba.service
           ├─742 /usr/sbin/samba --foreground --no-process-group
           ├─806 /usr/sbin/samba --foreground --no-process-group
           ├─807 /usr/sbin/samba --foreground --no-process-group
           ├─808 /usr/sbin/samba --foreground --no-process-group
           ├─809 /usr/sbin/samba --foreground --no-process-group
           ├─810 /usr/sbin/samba --foreground --no-process-group
           ├─811 /usr/sbin/samba --foreground --no-process-group
           ├─812 /usr/sbin/samba --foreground --no-process-group
           ├─813 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
           ├─814 /usr/sbin/samba --foreground --no-process-group
           ├─815 /usr/sbin/samba --foreground --no-process-group
           ├─816 /usr/sbin/samba --foreground --no-process-group
           ├─817 /usr/sbin/samba --foreground --no-process-group
           ├─818 /usr/sbin/krb5kdc -n
           ├─819 /usr/sbin/samba --foreground --no-process-group
           ├─820 /usr/sbin/samba --foreground --no-process-group
           ├─821 /usr/sbin/samba --foreground --no-process-group
           ├─822 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
           ├─823 /usr/sbin/samba --foreground --no-process-group
           ├─824 /usr/sbin/samba --foreground --no-process-group
           ├─834 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
           ├─835 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
           └─836 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground

To check which ports are listening, run the following. Note that the egrep pattern only matches the samba, smbd, nmbd and winbind process names; on this build the Kerberos KDC is a separate krb5kdc process (visible in the status output above), so port 88 does not appear in the filtered list even though it is listening. Add krb5kdc to the pattern, or drop the filter, to see it. ss -tulpn gives the same information on systems without net-tools.

$ sudo netstat -tulpn | egrep "samba|smbd|nmbd|winbind"
tcp        0      0 0.0.0.0:3268            0.0.0.0:*               LISTEN      811/samba           
tcp        0      0 0.0.0.0:3269            0.0.0.0:*               LISTEN      811/samba           
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      811/samba           
tcp        0      0 0.0.0.0:135             0.0.0.0:*               LISTEN      807/samba           
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      813/smbd            
tcp        0      0 0.0.0.0:464             0.0.0.0:*               LISTEN      814/samba           
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      824/samba           
tcp        0      0 0.0.0.0:636             0.0.0.0:*               LISTEN      811/samba           
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      813/smbd            
tcp        0      0 0.0.0.0:49152           0.0.0.0:*               LISTEN      807/samba           
tcp        0      0 0.0.0.0:49153           0.0.0.0:*               LISTEN      807/samba           
tcp        0      0 0.0.0.0:49154           0.0.0.0:*               LISTEN      807/samba           
tcp6       0      0 :::3268                 :::*                    LISTEN      811/samba           
tcp6       0      0 :::3269                 :::*                    LISTEN      811/samba           
tcp6       0      0 :::389                  :::*                    LISTEN      811/samba           
tcp6       0      0 :::135                  :::*                    LISTEN      807/samba           
tcp6       0      0 :::139                  :::*                    LISTEN      813/smbd            
tcp6       0      0 :::464                  :::*                    LISTEN      814/samba           
tcp6       0      0 :::53                   :::*                    LISTEN      824/samba           
tcp6       0      0 :::636                  :::*                    LISTEN      811/samba           
tcp6       0      0 :::445                  :::*                    LISTEN      813/smbd            
tcp6       0      0 :::49152                :::*                    LISTEN      807/samba           
tcp6       0      0 :::49153                :::*                    LISTEN      807/samba           
tcp6       0      0 :::49154                :::*                    LISTEN      807/samba           
udp        0      0 0.0.0.0:53              0.0.0.0:*                           824/samba           
udp        0      0 172.16.78.10:389        0.0.0.0:*                           812/samba           
udp        0      0 0.0.0.0:389             0.0.0.0:*                           812/samba           
udp        0      0 172.16.78.10:137        0.0.0.0:*                           808/samba           
udp        0      0 172.16.78.255:137       0.0.0.0:*                           808/samba           
udp        0      0 0.0.0.0:137             0.0.0.0:*                           808/samba           
udp        0      0 172.16.78.10:138        0.0.0.0:*                           808/samba           
udp        0      0 172.16.78.255:138       0.0.0.0:*                           808/samba           
udp        0      0 0.0.0.0:138             0.0.0.0:*                           808/samba           
udp        0      0 172.16.78.10:464        0.0.0.0:*                           814/samba           
udp        0      0 0.0.0.0:464             0.0.0.0:*                           814/samba           
udp6       0      0 :::53                   :::*                                824/samba           
udp6       0      0 :::389                  :::*                                812/samba           
udp6       0      0 :::464                  :::*                                814/samba
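The listing above is long enough that a missing service is easy to overlook, and the filter hides port 88. The helper below, added here and not part of the original page or of Samba, reads netstat -tulpn or ss -tulpn output and prints the expected DC TCP ports that are not listening. The expected-port list is an assumption based on the services a Samba AD DC exposes (the ports seen above plus 88 for Kerberos); the embedded sample is a constructed copy of the TCP part of this page's filtered output, so it reproduces the case where 88 is absent.

```sh
#!/bin/sh
# Added example: report Samba AD DC service ports that are not listening.
# Expected TCP ports (assumption): 53 DNS, 88 Kerberos, 135 RPC endpoint mapper,
# 139/445 SMB, 389/636 LDAP/LDAPS, 464 kpasswd, 3268/3269 global catalog.
# Dynamic RPC ports (49152 and up) vary and are not checked.
DC_TCP_PORTS="53 88 135 139 389 445 464 636 3268 3269"

# Print one listening TCP port per line from `netstat -tulpn` output (state in
# column 6, local address in column 4) or `ss -tulpn` output (state in column 2,
# local address in column 5) read from stdin.
listening_tcp_ports() {
    awk '$1 ~ /^tcp/ {
            if ($6 == "LISTEN") addr = $4; else if ($2 == "LISTEN") addr = $5; else next;
            n = split(addr, a, ":");      # handles 0.0.0.0:53, :::53, [::]:53 and *:53
            print a[n]
        }' | sort -un
}

# Print the expected ports absent from the listing on stdin (empty line = all present).
missing_dc_ports() {
    have=" $(listening_tcp_ports | tr '\n' ' ') "
    missing=""
    for p in $DC_TCP_PORTS; do
        case "$have" in
            *" $p "*) ;;
            *) missing="$missing $p" ;;
        esac
    done
    printf '%s\n' "${missing# }"
}

# Constructed sample: the TCP lines of this page's filtered netstat output.
# The filter excluded krb5kdc, so port 88 is absent from it.
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:3268            0.0.0.0:*               LISTEN      811/samba
tcp        0      0 0.0.0.0:3269            0.0.0.0:*               LISTEN      811/samba
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      811/samba
tcp        0      0 0.0.0.0:135             0.0.0.0:*               LISTEN      807/samba
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      813/smbd
tcp        0      0 0.0.0.0:464             0.0.0.0:*               LISTEN      814/samba
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      824/samba
tcp        0      0 0.0.0.0:636             0.0.0.0:*               LISTEN      811/samba
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      813/smbd
tcp6       0      0 :::3268                 :::*                    LISTEN      811/samba
udp        0      0 0.0.0.0:53              0.0.0.0:*                           824/samba'

# Usage on a live DC:  sudo netstat -tulpn | missing_dc_ports   (or: sudo ss -tulpn | missing_dc_ports)
printf 'missing from sample listing: %s\n' "$(printf '%s\n' "$SAMPLE_NETSTAT" | missing_dc_ports)"   # -> 88
```

Run it against the unfiltered netstat or ss output; an empty result means every core DC service is bound. Anything it reports as missing is a service that either failed to start or is bound to a different address, and it also tells you which ports the firewall rule above actually needs to expose.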
Verify that the shares are visible. The "Unable to initialize messaging context" line is a harmless warning that smbclient typically prints when run as a non-root user that cannot reach Samba's messaging socket directory; the netlogon and sysvol shares in the listing are what matters.

$ smbclient -L localhost -U%
Unable to initialize messaging context

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk      
        sysvol          Disk      
        IPC$            IPC       IPC Service (Samba 4.9.4)
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
Then connect to the netlogon share as Administrator to confirm that authenticated access works:

$ smbclient //localhost/netlogon -U Administrator -c 'ls'
Unable to initialize messaging context
Enter FIREBALL\Administrator's password: 
  .                                   D        0  Sat Jan  5 21:58:46 2019
  ..                                  D        0  Sat Jan  5 21:58:52 2019

                265107456 blocks of size 1024. 260945176 blocks available
Confirm that DNS resolves the AD service records and the DC's A record (replace fireball.local and blue-dc with your realm and host name). Domain members locate the DC through these SRV records, so a failure here breaks domain joins and Kerberos even when the services themselves are up.

$ host -t SRV _ldap._tcp.fireball.local
_ldap._tcp.fireball.local has SRV record 0 100 389 blue-dc.fireball.local.
$ host -t SRV _kerberos._udp.fireball.local
_kerberos._udp.fireball.local has SRV record 0 100 88 blue-dc.fireball.local.
$ host -t A blue-dc.fireball.local
blue-dc.fireball.local has address 172.16.78.10

Note: the host command is in the bind-utils package.

Finally, obtain a Kerberos ticket for Administrator to confirm that the KDC answers; klist should then show a krbtgt/FIREBALL.LOCAL@FIREBALL.LOCAL ticket. The expiry warning reflects Samba's default maximum password age of 42 days.

$ kinit administrator@FIREBALL.LOCAL
Password for administrator@FIREBALL.LOCAL: <- enter the password
Warning: Your password will expire in 41 days on 2013-11-20 01:23:51
Last updated: 2019/05/18 02:23 by a non-logged-in user