Notes on building an Active Directory domain controller based on Samba 4 on CentOS.
As of November 2013 there did not seem to be any official RPM for the Samba 4 series in circulation, so I compiled it from source.
------------------------------
Step 1: Obtaining Samba
------------------------------
# cd /usr/local/src
# wget http://ftp.samba.org/pub/samba/samba-4.1.1.tar.gz
------------------------------
Step 2: Compiling Samba
------------------------------
# tar zxvf samba-4.1.1.tar.gz
# cd samba-4.1.1
# ./configure --enable-debug --enable-selftest
(output omitted)
# time ( make -j3 ; make quicktest ) | tee -a make.log
(output omitted)
ALL OK (2061 tests in 310 testsuites)
#
------------------------------
Step 3: Installing Samba
------------------------------
# make install
Installation complete
------------------------------
Step 4: Configuring Samba
------------------------------
Adjust /etc/hosts and /etc/resolv.conf so that the AD domain name resolves reliably
# vi /etc/hosts
-----
127.0.0.1 localhost.localdomain localhost
192.168.100.123 dctest.testdomain.local dctest
-----
# vi /etc/resolv.conf
-----
search testdomain.local
nameserver 192.168.100.123
-----
Settings used for samba-tool domain provision
Realm : TESTDOMAIN.LOCAL
Domain : TESTDOMAIN
Server Role : dc
DNS backend : SAMBA_INTERNAL
DNS forwarder IP address : 192.168.100.1 (e.g. the DNS server normally used on the LAN)
Administrator password : ******
Note: the password must use at least three of the four character classes: digits, uppercase letters, lowercase letters and symbols
If domain provision fails, delete the following files and start over
# rm -rf /usr/local/samba/private/*
# rm -rf /usr/local/samba/etc/smb.conf
Running samba-tool
# /usr/local/samba/bin/samba-tool domain provision --use-rfc2307 --interactive --function-level=2008_R2
Realm [TESTDOMAIN.LOCAL]:
Domain [TESTDOMAIN]:
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
DNS forwarder IP address (write 'none' to disable forwarding) [192.168.100.1]:
Administrator password: ******
Retype password: ******
Looking up IPv4 addresses
Looking up IPv6 addresses
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=testdomain,DC=local
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=testdomain,DC=local
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role: active directory domain controller
Hostname: dctest
NetBIOS Domain: TESTDOMAIN
DNS Domain: testdomain.local
DOMAIN SID: S-1-5-21-366560596-18017407-*************
#
-----------------------------------------------------------------------------------
Copy the generated smb.conf
# cp /usr/local/samba/etc/smb.conf /etc/samba
Edit the Kerberos configuration
# vi /etc/krb5.conf
----------
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = TESTDOMAIN.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true
[realms]
TESTDOMAIN.LOCAL = {
kdc = dctest.testdomain.local
}
[domain_realm]
.testdomain.local = TESTDOMAIN.LOCAL
testdomain.local = TESTDOMAIN.LOCAL
----------
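The three files edited in this step have to agree with the values given to samba-tool (hostname, the DC's own address as nameserver, realm). The following preflight check is an added example, not part of the original memo; the HOSTS, RESOLV and KRB5 texts are constructed from the memo's values so it runs offline, and in practice you would read the real files instead.

```python
"""Cross-check /etc/hosts, /etc/resolv.conf and /etc/krb5.conf from Step 4.
Added example, not from the original memo; sample texts are constructed."""
import re

HOSTS = ("127.0.0.1 localhost.localdomain localhost\n"
         "192.168.100.123 dctest.testdomain.local dctest\n")
RESOLV = "search testdomain.local\nnameserver 192.168.100.123\n"
KRB5 = ("[libdefaults]\ndefault_realm = TESTDOMAIN.LOCAL\n"
        "[realms]\nTESTDOMAIN.LOCAL = {\nkdc = dctest.testdomain.local\n}\n"
        "[domain_realm]\n.testdomain.local = TESTDOMAIN.LOCAL\n")

def parse_hosts(text):
    """Map every hostname on every non-comment line to its address."""
    names = {}
    for fields in (l.split("#", 1)[0].split() for l in text.splitlines()):
        names.update((name.lower(), fields[0]) for name in fields[1:])
    return names

def nameservers(text):
    """Return the nameserver addresses in /etc/resolv.conf order."""
    return [l.split()[1] for l in text.splitlines()
            if l.split()[:1] == ["nameserver"] and len(l.split()) > 1]

def parse_krb5(text):
    """Return {section: {key: value}}; a 'REALM = {' opener stays as a key."""
    conf, section = {}, None
    for line in (l.split("#", 1)[0].strip() for l in text.splitlines()):
        head = re.match(r"\[(\w+)\]$", line)
        if head:
            section = conf.setdefault(head.group(1).lower(), {})
        elif "=" in line and section is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            section[key.lower()] = value
    return conf

def preflight(hosts_txt, resolv_txt, krb5_txt, fqdn, ip, realm):
    """Return a list of problems; an empty list means the files agree."""
    problems, domain = [], fqdn.lower().split(".", 1)[1]
    if parse_hosts(hosts_txt).get(fqdn.lower()) != ip:
        problems.append("/etc/hosts: %s is not mapped to %s" % (fqdn, ip))
    if nameservers(resolv_txt)[:1] != [ip]:   # DC must query its own DNS
        problems.append("/etc/resolv.conf: first nameserver is not %s" % ip)
    krb5 = parse_krb5(krb5_txt)
    if krb5.get("libdefaults", {}).get("default_realm") != realm:
        problems.append("/etc/krb5.conf: default_realm is not %s" % realm)
    if realm.lower() not in krb5.get("realms", {}):
        problems.append("/etc/krb5.conf: no [realms] block for %s" % realm)
    if krb5.get("domain_realm", {}).get("." + domain) != realm:
        problems.append("/etc/krb5.conf: .%s is not mapped to %s" % (domain, realm))
    return problems
```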
------------------------------
Step 5: Testing in single-process mode
------------------------------
# /usr/local/samba/sbin/samba -i -M single
samba version 4.1.1 started.
Copyright Andrew Tridgell and the Samba Team 1992-2013
samba: using 'single' process model
/usr/local/samba/sbin/samba_dnsupdate: ; TSIG error with server: tsig verify failure
/usr/local/samba/sbin/samba_dnsupdate: ; TSIG error with server: tsig verify failure
/usr/local/samba/sbin/samba_dnsupdate: ; TSIG error with server: tsig verify failure
../source4/dsdb/dns/dns_update.c:294: Failed DNS update - NT_STATUS_UNSUCCESSFUL
-----------------------------------------------------------------------------------
Test Kerberos
# kinit administrator@TESTDOMAIN.LOCAL
------------------------------
Step 6: Verifying Samba operation
------------------------------
Check the client tool's version
# /usr/local/samba/bin/smbclient -V
Check operation from the client tool
# /usr/local/samba/bin/smbclient -L localhost -U%
Log in as administrator
# /usr/local/samba/bin/smbclient //dctest.testdomain.local/netlogon -Uadministrator
------------------------------
Step 7: Verifying DNS
------------------------------
Check name resolution
# host -t SRV _ldap._tcp.testdomain.local.
_ldap._tcp.testdomain.local has SRV record 0 100 389 dctest.testdomain.local.
# host -t SRV _kerberos._udp.testdomain.local.
_kerberos._udp.testdomain.local has SRV record 0 100 88 dctest.testdomain.local.
# host -t A dctest.testdomain.local.
dctest.testdomain.local has address 192.168.1.201
# host -t A www.sgi.com (lookup of an external address via the forwarder)
www.sgi.com has address 192.48.178.134
----------
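Domain clients locate the DC through exactly these SRV records, so the answers are worth checking mechanically rather than by eye. The script below is an added example, not part of the original memo: it parses the lines `host -t SRV` / `host -t A` print and reports any record that is missing, points at another host or port, or gives an address other than the one the DC was provisioned with. SAMPLE is constructed `host` output using the memo's names and address.

```python
"""Check the SRV and A records from Step 7 against the provision settings.
Added example, not from the original memo; SAMPLE is constructed `host` output."""
import re

# Records that domain clients look up to find the DC: (service name, port)
EXPECTED_SRV = {"_ldap._tcp": 389, "_kerberos._udp": 88}

SRV_RE = re.compile(r"^(\S+) has SRV record (\d+) (\d+) (\d+) (\S+?)\.?$")
A_RE = re.compile(r"^(\S+) has address (\S+)$")

SAMPLE = """\
_ldap._tcp.testdomain.local has SRV record 0 100 389 dctest.testdomain.local.
_kerberos._udp.testdomain.local has SRV record 0 100 88 dctest.testdomain.local.
dctest.testdomain.local has address 192.168.100.123
"""

def parse_host_output(text):
    """Return ({srv name: (port, target)}, {name: address}) from `host` output."""
    srv, addr = {}, {}
    for line in (l.strip() for l in text.splitlines()):
        m = SRV_RE.match(line)
        if m:   # fields are priority, weight, port, target
            srv[m.group(1).lower()] = (int(m.group(4)), m.group(5).lower())
        m = A_RE.match(line)
        if m:
            addr[m.group(1).lower()] = m.group(2)
    return srv, addr

def check_dc_records(text, domain, dc_fqdn, dc_ip):
    """Return problems found; an empty list means clients can locate this DC."""
    problems, (srv, addr) = [], parse_host_output(text)
    dc_fqdn = dc_fqdn.lower()
    for service, port in EXPECTED_SRV.items():
        name = "%s.%s" % (service, domain.lower())
        if name not in srv:
            problems.append("missing SRV record %s" % name)
        elif srv[name] != (port, dc_fqdn):
            problems.append("%s -> %s:%d, expected %s:%d"
                            % (name, srv[name][1], srv[name][0], dc_fqdn, port))
    if addr.get(dc_fqdn) != dc_ip:
        problems.append("A record for %s is %s, expected %s"
                        % (dc_fqdn, addr.get(dc_fqdn), dc_ip))
    return problems
```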
------------------------------
Step 8: Registering the startup script
------------------------------
(Reference)
http://www.oss-d.net/samba4/ad#ee305c57
# vi /etc/init.d/samba4
----------
#! /bin/bash
#
# samba4 Bring up/down samba4 service
#
# chkconfig: - 90 10
# description: Activates/Deactivates all samba4 interfaces configured to \
# start at boot time.
#
### BEGIN INIT INFO
# Provides: samba4
# Should-Start:
# Short-Description: Bring up/down samba4
# Description: Bring up/down samba4
### END INIT INFO

# Source function library.
. /etc/init.d/functions

if [ -f /etc/sysconfig/samba4 ]; then
    . /etc/sysconfig/samba4
fi

prog="samba4"
samba_bin=/usr/local/samba/sbin/samba

# True when a samba daemon from our install prefix is running.
running() {
    ps ax | grep -v "grep" | grep -q /samba/sbin/samba
}

start() {
    # Start the samba daemon (it forks into the background itself).
    echo -n $"Starting $prog: "
    $samba_bin
    sleep 2
    if running ; then success $"samba4 startup"; else failure $"samba4 startup"; fi
    echo
}

stop() {
    # Stop service.
    echo -n $"Shutting down $prog: "
    killall samba
    sleep 2
    if running ; then failure $"samba4 shutdown"; else success $"samba4 shutdown"; fi
    echo
}

# Report whether the daemon is running; exit status follows the LSB
# convention (0 = running, 3 = stopped).
status() {
    if running ; then
        echo $"$prog is running"
        return 0
    else
        echo $"$prog is stopped"
        return 3
    fi
}

# See how we were called.
case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    status)
        status
        ;;
    restart|reload)
        stop
        start
        ;;
    *)
        echo $"Usage: $0 {start|stop|restart|status}"
        exit 1
esac
exit 0
---------
# chmod 0755 /etc/init.d/samba4
# ln -s /etc/init.d/samba4 /etc/rc3.d/S80samba4
# ln -s /etc/init.d/samba4 /etc/rc5.d/S80samba4
# chkconfig --level 35 samba4 on
# service samba4 start
Confirm that samba comes up
------------------------------
Step 9: Miscellaneous (adjusting iptables)
------------------------------
If iptables or similar is used as a simple firewall, the ports AD requires must be opened as shown below.
# vi /etc/sysconfig/iptables
Add the following and restart iptables
-A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 88 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 88 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 135 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 389 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 464 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 1024 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3268 -j ACCEPT
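The rules above accept connections from any source; a DC normally only needs to be reachable by its own clients. The script below is an added example, not part of the original memo: it parses rules in the /etc/sysconfig/iptables syntax, lists every ACCEPT rule that has no `-s` source restriction, and emits the same rule limited to the client subnet. LAN_CIDR is an assumed value, and RULES is the memo's rule list embedded so the script runs offline.

```python
"""Audit the INPUT rules added in Step 9 for rules open to any source.
Added example, not from the original memo. LAN_CIDR is an assumed client
subnet; RULES is the memo's rule list, embedded so the script runs offline."""
import shlex

LAN_CIDR = "192.168.100.0/24"   # assumption: the subnet domain members sit on

RULES = """\
-A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 88 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 88 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 135 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 389 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 464 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 1024 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3268 -j ACCEPT
"""

def parse_rule(line):
    """Return {option: value} for one '-A CHAIN ...' rule (bare flags map to True)."""
    tokens, opts, i = shlex.split(line), {}, 0
    while i < len(tokens):
        if tokens[i].startswith("-") and i + 1 < len(tokens) \
                and not tokens[i + 1].startswith("-"):
            opts[tokens[i]] = tokens[i + 1]
            i += 2
        else:
            opts[tokens[i]] = True
            i += 1
    return opts

def audit(rules_text, lan_cidr):
    """Return (open_ports, rewritten): open_ports lists (proto, port) of ACCEPT
    rules with no -s restriction; rewritten scopes those rules to lan_cidr."""
    open_ports, rewritten = [], []
    for line in (l.strip() for l in rules_text.splitlines()):
        opts = parse_rule(line) if line.startswith("-A ") else {}
        if opts.get("-j") == "ACCEPT" and "--dport" in opts and "-s" not in opts:
            open_ports.append((opts.get("-p"), int(opts["--dport"])))
            chain = "-A %s" % opts["-A"]
            line = line.replace(chain, "%s -s %s" % (chain, lan_cidr), 1)
        rewritten.append(line)
    return open_ports, rewritten
```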
→ Continued in the Windows 7 domain configuration post