Notes on building an Active Directory domain controller based on Samba 4 on CentOS

As of November 2013 there did not seem to be any official rpm for the Samba 4.x series, so I compiled it from source.
------------------------------
Step 1: Obtaining Samba
------------------------------
# cd /usr/local/src
# wget http://ftp.samba.org/pub/samba/samba-4.1.1.tar.gz


------------------------------
Step 2: Compiling Samba
------------------------------
# tar zxvf samba-4.1.1.tar.gz
# cd samba-4.1.1
# ./configure --enable-debug --enable-selftest
 (output omitted)
# time ( make -j3 ; make quicktest ) | tee -a make.log
 (output omitted)
ALL OK (2061 tests in 310 testsuites)
#


------------------------------
Step 3: Installing Samba
------------------------------
# make install

Installation complete


------------------------------
Step 4: Configuring Samba
------------------------------
Adjust /etc/hosts and /etc/resolv.conf so that the AD domain name resolves correctly

# vi /etc/hosts
-----
127.0.0.1       localhost.localdomain   localhost
192.168.100.123   dctest.testdomain.local  dctest
-----

# vi /etc/resolv.conf
-----
search testdomain.local
nameserver 192.168.100.123
-----

Settings for samba-tool domain provision
 Realm : TESTDOMAIN.LOCAL
 Domain : TESTDOMAIN
 Server Role : dc
 DNS backend : SAMBA_INTERNAL
 DNS forwarder IP address : 192.168.100.1 (e.g. the DNS server normally used on the LAN)
 Administrator password : ******

Note: the password must use at least three of the four character classes: digits, uppercase letters, lowercase letters, and symbols

If domain provision fails, delete the following files and start over
# rm -rf /usr/local/samba/private/*
# rm -rf /usr/local/samba/etc/smb.conf
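Because a failed provision means wiping the private directory and starting over, it is worth checking the two files edited above before running samba-tool. The following preflight script is an added example and not part of the original memo; it takes the file paths as arguments so it can be run against copies, and the hostname, IP and domain defaults are the ones used in this memo.

```shell
#!/bin/sh
# Preflight check for the Step 4 edits, run before 'samba-tool domain provision'.
# Added example, not part of the original memo. File paths and the
# hostname/IP/domain values are arguments so it can be run against copies.

# hosts_maps_fqdn HOSTS_FILE FQDN IP
# Succeeds only if FQDN appears as a name on a non-comment line of HOSTS_FILE
# and that line's address is IP. A FQDN bound to a loopback address is reported
# separately: the DC's own name must resolve to an address clients can reach.
hosts_maps_fqdn() {
    hosts_file=$1; fqdn=$2; ip=$3
    addr=$(sed 's/#.*//' "$hosts_file" |
        awk -v f="$fqdn" '{ for (i = 2; i <= NF; i++) if ($i == f) { print $1; exit } }')
    [ -n "$addr" ] || { echo "hosts: $fqdn not found" >&2; return 1; }
    case "$addr" in
        127.*|::1) echo "hosts: $fqdn is bound to loopback ($addr)" >&2; return 1 ;;
    esac
    [ "$addr" = "$ip" ] || { echo "hosts: $fqdn -> $addr, expected $ip" >&2; return 1; }
}

# resolv_points_to_self RESOLV_FILE IP DOMAIN
# Succeeds only if the first nameserver is the DC's own IP (the DC must answer
# its own AD lookups with the internal DNS) and DOMAIN is in the search list.
resolv_points_to_self() {
    resolv_file=$1; ip=$2; domain=$3
    first_ns=$(awk '$1 == "nameserver" { print $2; exit }' "$resolv_file")
    [ "$first_ns" = "$ip" ] ||
        { echo "resolv.conf: first nameserver is '$first_ns', expected $ip" >&2; return 1; }
    awk -v d="$domain" '$1 == "search" { for (i = 2; i <= NF; i++) if ($i == d) ok = 1 }
                        END { exit ok ? 0 : 1 }' "$resolv_file" ||
        { echo "resolv.conf: search list lacks $domain" >&2; return 1; }
}

# preflight [HOSTS_FILE] [RESOLV_FILE]: runs both checks with the memo's values
preflight() {
    hosts_maps_fqdn "${1:-/etc/hosts}" dctest.testdomain.local 192.168.100.123 &&
    resolv_points_to_self "${2:-/etc/resolv.conf}" 192.168.100.123 testdomain.local
}
```

Run `preflight` on the DC itself; a non-zero exit with the reason on stderr means the file still needs fixing before provisioning.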


Running samba-tool
# /usr/local/samba/bin/samba-tool domain provision --interactive --function-level=2008_R2

Realm [TESTDOMAIN.LOCAL]:
 Domain [TESTDOMAIN]:
 Server Role (dc, member, standalone) [dc]:
 DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
 DNS forwarder IP address (write 'none' to disable forwarding) [192.168.100.1]:
Administrator password: ******
Retype password: ******
Looking up IPv4 addresses
Looking up IPv6 addresses
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=testdomain,DC=local
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=testdomain,DC=local
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role:           active directory domain controller
Hostname:              dctest
NetBIOS Domain:        TESTDOMAIN
DNS Domain:            testdomain.local
DOMAIN SID:            S-1-5-21-366560596-18017407-*************

#
-----------------------------------------------------------------------------------

Copy the generated smb.conf
# cp /usr/local/samba/etc/smb.conf /etc/samba


Edit the Kerberos configuration
# vi /etc/krb5.conf
----------
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = TESTDOMAIN.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = true

[realms]
 TESTDOMAIN.LOCAL = {
  kdc = dctest.testdomain.local
 }

[domain_realm]
 .testdomain.local = TESTDOMAIN.LOCAL
 testdomain.local = TESTDOMAIN.LOCAL
----------


------------------------------
Step 5: Test in single-process mode
------------------------------

# /usr/local/samba/sbin/samba -i -M single
samba version 4.1.1 started.
Copyright Andrew Tridgell and the Samba Team 1992-2013
samba: using 'single' process model
/usr/local/samba/sbin/samba_dnsupdate: ; TSIG error with server: tsig verify failure
/usr/local/samba/sbin/samba_dnsupdate: ; TSIG error with server: tsig verify failure
/usr/local/samba/sbin/samba_dnsupdate: ; TSIG error with server: tsig verify failure
../source4/dsdb/dns/dns_update.c:294: Failed DNS update - NT_STATUS_UNSUCCESSFUL
-----------------------------------------------------------------------------------

Test Kerberos
# kinit administrator@TESTDOMAIN.LOCAL


------------------------------
Step 6: Verifying that Samba works
------------------------------
Check the client tool version
# /usr/local/samba/bin/smbclient -V

Check operation from the client tool
# /usr/local/samba/bin/smbclient -L localhost -U%

Log in as the administrator
# /usr/local/samba/bin/smbclient //dctest.testdomain.local/netlogon -Uadministrator


------------------------------
Step 7: Verifying that DNS works
------------------------------

Check name resolution
# host -t SRV _ldap._tcp.testdomain.local.
_ldap._tcp.testdomain.local has SRV record 0 100 389 dctest.testdomain.local.
# host -t SRV _kerberos._udp.testdomain.local.
_kerberos._udp.testdomain.local has SRV record 0 100 88 dctest.testdomain.local.
# host -t A dctest.testdomain.local.
dctest.testdomain.local has address 192.168.1.201
# host -t A www.sgi.com (looking up an external IP address via the forwarder)
www.sgi.com has address 192.48.178.134
----------


------------------------------
Step 8: Registering the startup script
------------------------------
(Reference)
http://www.oss-d.net/samba4/ad#ee305c57

# vi /etc/init.d/samba4
----------
#! /bin/bash
#
# samba4       Bring up/down samba4 service
#
# chkconfig: - 90 10
# description: Activates/Deactivates all samba4 interfaces configured to \
#              start at boot time.
#
### BEGIN INIT INFO
# Provides:
# Should-Start:
# Short-Description: Bring up/down samba4
# Description: Bring up/down samba4
### END INIT INFO
# Source function library.
. /etc/init.d/functions

if [ -f /etc/sysconfig/samba4 ]; then
    . /etc/sysconfig/samba4
fi

CWD=$(pwd)
prog="samba4"

start() {
    # Start the samba daemon (it daemonizes itself), then verify it is running
    echo -n $"Starting $prog: "
    /usr/local/samba/sbin/samba
    sleep 2
    if ps ax | grep -v "grep" | grep -q /samba/sbin/samba ; then success $"samba4 startup"; else failure $"samba4 startup"; fi
    echo
}
stop() {
    # Stop service and verify that no samba process is left
    echo -n $"Shutting down $prog: "
    killall samba
    sleep 2
    if ps ax | grep -v "grep" | grep -q /samba/sbin/samba ; then failure $"samba4 shutdown"; else success $"samba4 shutdown"; fi
    echo
}
status() {
    # Report whether the daemon is running (exit status 3 = stopped, per LSB)
    if ps ax | grep -v "grep" | grep -q /samba/sbin/samba ; then
        echo $"$prog is running"
        return 0
    else
        echo $"$prog is stopped"
        return 3
    fi
}

# See how we were called.
case "$1" in
start)
    start
    ;;
stop)
    stop
    ;;
status)
    status
    exit $?
    ;;
restart|reload)
    stop
    start
    ;;
*)
    echo $"Usage: $0 {start|stop|restart|status}"
    exit 1
esac

exit 0
---------


# chmod 0755 /etc/init.d/samba4
# ln -s /etc/init.d/samba4 /etc/rc3.d/S80samba4
# ln -s /etc/init.d/samba4 /etc/rc5.d/S80samba4

# chkconfig --level 35 samba4 on
# service samba4 start
Confirm that samba starts up


------------------------------
Step 9: Other (adjusting iptables)
------------------------------
If you are using iptables or similar as a simple firewall, the ports that AD needs must be opened as follows.

# vi /etc/sysconfig/iptables

Add the following and restart iptables
-A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 88 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 88 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 135 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 389 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 464 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 1024 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3268 -j ACCEPT



→ Next: the Windows 7 domain configuration part is here