
6. Samba initial configuration

Samba has only been installed so far; this section configures it.

6.1. ubuntu1210-ad configuration

6.1.1. Initialization with samba-tool

Run samba-tool to create a new domain.

$ sudo /usr/local/samba/bin/samba-tool domain provision
[sudo] password for :
Realm [EXAMPLE.LOCAL]:
 Domain [EXAMPLE]:
 Server Role (dc, member, standalone) [dc]:
 DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
 DNS forwarder IP address (write 'none' to disable forwarding) [10.0.0.10]: 10.0.0.1  # IP of the external DNS server queries are forwarded to
Administrator password: # enter the administrator password
Retype password:        # enter the administrator password again
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=example,DC=local
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=example,DC=local
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role:           active directory domain controller
Hostname:              ubuntu1210-ad
NetBIOS Domain:        EXAMPLE
DNS Domain:            example.local
DOMAIN SID:            S-1-5-21-3055162845-4000540482-1440462473

Note

The DNS backend is left at the default, SAMBA_INTERNAL.

Note

ubuntu1210-ad becomes the first DC; centos63-ad is the DC added afterwards.

6.1.2. Starting the daemon

$ sudo /usr/local/samba/sbin/samba

Note

Since this is a test environment, no boot-time startup script is provided. Start the daemon manually or add the command to rc.local.

6.1.3. Verifying operation

$ /usr/local/samba/bin/smbclient -L localhost -U%
Domain=[EXAMPLE] OS=[Unix] Server=[Samba 4.0.0]

     Sharename       Type      Comment
     ---------       ----      -------
     netlogon        Disk
     sysvol          Disk
     IPC$            IPC       IPC Service (Samba 4.0.0)
Domain=[EXAMPLE] OS=[Unix] Server=[Samba 4.0.0]

     Server               Comment
     ---------            -------

     Workgroup            Master
     ---------            -------

Note

If you get the output above, Samba has started correctly.

6.1.4. Restarting the daemon

Because there is no init script, restarting the daemon means stopping the process directly.

# killall samba
# rm -v -- /usr/local/samba/var/run/smbd-fileserver.conf.pid
# /usr/local/samba/sbin/samba

Note

This applies to both Ubuntu and CentOS. When running as a regular user on Ubuntu, prefix the commands with sudo.

6.1.5. Verifying DNS

$ dig @localhost _ldap._tcp.example.local srv

; <<>> DiG 9.8.1-P1 <<>> @localhost _ldap._tcp.example.local srv
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64355
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;_ldap._tcp.example.local.    IN      SRV

;; ANSWER SECTION:
_ldap._tcp.example.local. 900 IN      SRV     0 100 389 ubuntu1210-ad.example.local.

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Jan  7 15:04:05 2013
;; MSG SIZE  rcvd: 76

$ dig @localhost _kerberos._udp.example.local srv

; <<>> DiG 9.8.1-P1 <<>> @localhost _kerberos._udp.example.local srv
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61484
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;_kerberos._udp.example.local.        IN      SRV

;; ANSWER SECTION:
_kerberos._udp.example.local. 900 IN  SRV     0 100 88 ubuntu1210-ad.example.local.

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Jan  7 15:05:07 2013
;; MSG SIZE  rcvd: 80
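The two dig lookups above cover only part of what a domain member checks before it can authenticate, and the krb5.conf in the next section (dns_lookup_kdc = true) locates the KDC through exactly these records. The following Python script is an added example, not part of this page's procedure or of Samba: it parses the text dig prints, as shown above, into SRV records and verifies that each required record points at the DC on the expected port. The required set (_ldap._tcp, _kerberos._udp, _kerberos._tcp) is this example's own assumption and goes one record beyond the page; the dig output it runs on is constructed to mirror the format above, so it runs offline.

```python
"""Verify the SRV records an AD DC must publish, from dig output.

Added example for this page (not part of Samba). Instead of calling dig it
parses the text dig prints, as shown above, so it runs offline; the required
record set below is this example's assumption and extends the two lookups
on the page with _kerberos._tcp, which AD clients also query.
"""
import re
from typing import Dict, List, NamedTuple


class SrvRecord(NamedTuple):
    name: str
    ttl: int
    priority: int
    weight: int
    port: int
    target: str


# One ANSWER SECTION line, e.g.
# _ldap._tcp.example.local. 900 IN      SRV     0 100 389 ubuntu1210-ad.example.local.
_SRV_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+SRV\s+(?P<priority>\d+)\s+"
    r"(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)\s*$"
)

# Service prefix -> port the DC must listen on for that service (assumed set).
REQUIRED_SRV = {"_ldap._tcp": 389, "_kerberos._udp": 88, "_kerberos._tcp": 88}


def parse_srv_records(dig_output: str) -> List[SrvRecord]:
    """Extract SRV records from the ANSWER SECTION of dig output.
    Names are lower-cased and kept fully qualified (trailing dot)."""
    records, in_answer = [], False
    for line in dig_output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if in_answer and not line.strip():
            in_answer = False            # a blank line ends the section
            continue
        m = _SRV_LINE.match(line) if in_answer else None
        if m:
            records.append(SrvRecord(m["name"].lower(), int(m["ttl"]), int(m["priority"]),
                                     int(m["weight"]), int(m["port"]), m["target"].lower()))
    return records


def check_dc_srv(records: List[SrvRecord], domain: str, dc_fqdn: str) -> List[str]:
    """Return the problems found; an empty list means every required record
    exists and points at dc_fqdn on the expected port."""
    dc = dc_fqdn.rstrip(".").lower() + "."
    zone = domain.rstrip(".").lower() + "."
    by_name: Dict[str, List[SrvRecord]] = {}
    for r in records:
        by_name.setdefault(r.name, []).append(r)
    problems = []
    for prefix, port in REQUIRED_SRV.items():
        name = f"{prefix}.{zone}"
        for_dc = [r for r in by_name.get(name, []) if r.target == dc]
        if not for_dc:
            problems.append(f"{name}: no SRV record pointing at {dc}")
        else:
            wrong = [r.port for r in for_dc if r.port != port]
            if wrong:
                problems.append(f"{name}: expected port {port}, got {wrong}")
    return problems


def fake_dig_srv(name: str, port: int, target: str) -> str:
    """Constructed dig-style output for one SRV answer (sample data only)."""
    return (
        f"; <<>> DiG 9.8.1-P1 <<>> @localhost {name} srv\n"
        ";; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0\n"
        "\n;; QUESTION SECTION:\n"
        f";{name}.\t\tIN\tSRV\n"
        "\n;; ANSWER SECTION:\n"
        f"{name}.\t900\tIN\tSRV\t0 100 {port} {target}.\n"
        "\n;; Query time: 1 msec\n"
    )


DC = "ubuntu1210-ad.example.local"
SAMPLE_OUTPUTS = [                       # constructed, mirrors the page's dig output
    fake_dig_srv("_ldap._tcp.example.local", 389, DC),
    fake_dig_srv("_kerberos._udp.example.local", 88, DC),
    fake_dig_srv("_kerberos._tcp.example.local", 88, DC),
]


def check_sample() -> List[str]:
    """Run the check over the constructed outputs (returns [] when healthy)."""
    records = [r for out in SAMPLE_OUTPUTS for r in parse_srv_records(out)]
    return check_dc_srv(records, "example.local", DC)


if __name__ == "__main__":
    print(check_sample() or "all required SRV records present")
```

To run it against a real DC, capture the output of `dig @localhost _ldap._tcp.example.local srv` (and the other names) and pass the text to parse_srv_records. A non-empty problem list is worth resolving before any client is pointed at that DC, since a client that cannot find the _kerberos records will not obtain a ticket no matter how the KDC itself is configured.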

6.1.6. Kerberos configuration

$ cat krb5.conf
[libdefaults]
    default_realm = EXAMPLE.LOCAL
    dns_lookup_realm = false
    dns_lookup_kdc = true

6.1.7. Verifying Kerberos

$ kinit administrator@EXAMPLE.LOCAL
Password for administrator@EXAMPLE.LOCAL:
Warning: Your password will expire in 41 days on Mon Feb 18 13:59:52 2013
$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: administrator@EXAMPLE.LOCAL

Valid starting    Expires           Service principal
07/01/2013 15:12  08/01/2013 01:12  krbtgt/EXAMPLE.LOCAL@EXAMPLE.LOCAL
        renew until 08/01/2013 15:12

6.2. centos63-ad configuration

The CentOS host joins the domain brought up on Ubuntu.

6.2.1. Kerberos configuration

# cat krb5.conf
[libdefaults]
    default_realm = EXAMPLE.LOCAL
    dns_lookup_realm = false
    dns_lookup_kdc = true

6.2.2. Verifying Kerberos

# kinit administrator
Password for administrator@EXAMPLE.LOCAL:
Warning: Your password will expire in 41 days on Mon Feb 18 13:59:52 2013
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@EXAMPLE.LOCAL

Valid starting     Expires            Service principal
01/07/13 15:39:07  01/08/13 01:39:07  krbtgt/EXAMPLE.LOCAL@EXAMPLE.LOCAL
        renew until 01/08/13 15:39:03

6.2.3. Running samba-tool

# /usr/local/samba/bin/samba-tool domain join example.local DC -Uadministrator --realm=example.local
Finding a writeable DC for domain 'example.local'
Found DC ubuntu1210-ad.example.local
Password for [WORKGROUP\administrator]: # enter the password
workgroup is EXAMPLE
realm is example.local
checking sAMAccountName
Adding CN=CENTOS63-AD,OU=Domain Controllers,DC=example,DC=local
Adding CN=CENTOS63-AD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=local
Adding CN=NTDS Settings,CN=CENTOS63-AD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=local
Adding SPNs to CN=CENTOS63-AD,OU=Domain Controllers,DC=example,DC=local
Setting account password for CENTOS63-AD$
Enabling account
Calling bare provision
No IPv6 address will be assigned
Provision OK for domain DN DC=example,DC=local
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=local] objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=local] objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=local] objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=local] objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=example,DC=local] objects[402/1614] linked_values[0/0]
Partition[CN=Configuration,DC=example,DC=local] objects[804/1614] linked_values[0/0]
Partition[CN=Configuration,DC=example,DC=local] objects[1206/1614] linked_values[0/0]
Partition[CN=Configuration,DC=example,DC=local] objects[1608/1614] linked_values[0/0]
Partition[CN=Configuration,DC=example,DC=local] objects[1614/1614] linked_values[28/0]
Replicating critical objects from the base DN of the domain
Partition[DC=example,DC=local] objects[97/97] linked_values[23/0]
Partition[DC=example,DC=local] objects[305/208] linked_values[23/0]
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=example,DC=local
Partition[DC=DomainDnsZones,DC=example,DC=local] objects[40/40] linked_values[0/0]
Replicating DC=ForestDnsZones,DC=example,DC=local
Partition[DC=ForestDnsZones,DC=example,DC=local] objects[18/18] linked_values[0/0]
Partition[DC=ForestDnsZones,DC=example,DC=local] objects[36/18] linked_values[0/0]
Committing SAM database
Sending DsReplicateUpdateRefs for all the replicated partitions
Setting isSynchronized and dsServiceName
Setting up secrets database
Joined domain EXAMPLE (SID S-1-5-21-3055162845-4000540482-1440462473) as a DC

6.2.4. Adding the dns forwarder setting

On an additional DC, the dns forwarder setting has to be added by hand.

# cat /usr/local/samba/etc/smb.conf
# Global parameters
[global]
        workgroup = EXAMPLE
        realm = example.local
        netbios name = CENTOS63-AD
        server role = active directory domain controller
        dns forwarder = 10.0.0.1

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/example.local/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

Note

The dns forwarder line in the [global] section is the addition.
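A freshly joined DC receives the replicated DNS zones but not the first DC's forwarder, and Samba's internal DNS answers only for the zones it hosts, so clients that point at centos63-ad would fail to resolve anything outside example.local until the line is added. The Python below is an added example, not Samba's own check (Samba ships testparm for syntax validation): it parses an smb.conf like the one above, reports a DC that lacks a usable dns forwarder, and produces the corrected file. The sample configuration inside it is constructed to mirror the page, with the forwarder line left out.

```python
"""Check a joined Samba DC's smb.conf for the manually added 'dns forwarder'.

Added example for this page, not Samba's own tooling. It parses smb.conf
text with a small parser, reports whether a DC has a valid forwarder, and
returns the corrected file beside the original. The sample configuration
below is constructed to mirror the page.
"""
import ipaddress
from typing import Dict, List

AD_DC_ROLE = "active directory domain controller"  # value as written on this page;
# smb.conf(5) also accepts shorter aliases for the role, which this check does not cover.


def _norm(key: str) -> str:
    # Samba ignores case and whitespace in parameter names
    return " ".join(key.lower().split())


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section: {parameter: value}} for smb.conf text."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue                      # stray line outside a section
        key, _, value = line.partition("=")
        sections[current][_norm(key)] = value.strip()
    return sections


def dns_forwarder_problems(sections: Dict[str, Dict[str, str]]) -> List[str]:
    """Problems with 'dns forwarder' on an AD DC; an empty list means OK.

    The internal DNS answers only for its own zones, so without a forwarder
    clients that use this DC as resolver cannot resolve external names.
    """
    g = sections.get("global", {})
    if g.get("server role", "").lower() != AD_DC_ROLE:
        return []                         # not a DC: the parameter is not required
    value = g.get("dns forwarder", "").strip()
    if not value:
        return ["[global] has no 'dns forwarder' (required with the internal DNS backend)"]
    problems = []
    for token in value.split():           # newer Samba allows several addresses
        try:
            ipaddress.ip_address(token)
        except ValueError:
            problems.append(f"'dns forwarder' value {token!r} is not an IP address")
    return problems


def add_dns_forwarder(text: str, ip: str) -> str:
    """Return smb.conf text with 'dns forwarder = <ip>' inserted after the
    last parameter of [global], keeping the file's indentation."""
    ipaddress.ip_address(ip)              # refuse to write a bogus value
    lines = text.splitlines()
    in_global, last_opt = False, None
    for i, raw in enumerate(lines):
        s = raw.strip()
        if s.startswith("[") and s.endswith("]"):
            in_global = s[1:-1].strip().lower() == "global"
        elif in_global and s and s[0] not in "#;" and "=" in s:
            last_opt = i
    if last_opt is None:
        raise ValueError("no [global] section with parameters")
    indent = lines[last_opt][: len(lines[last_opt]) - len(lines[last_opt].lstrip())]
    lines.insert(last_opt + 1, f"{indent}dns forwarder = {ip}")
    return "\n".join(lines) + "\n"


# Constructed sample: what the join leaves behind before the forwarder is added.
JOINED_DC_SMB_CONF = """\
# Global parameters
[global]
        workgroup = EXAMPLE
        realm = example.local
        netbios name = CENTOS63-AD
        server role = active directory domain controller

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/example.local/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No
"""

if __name__ == "__main__":
    print("before:", dns_forwarder_problems(parse_smb_conf(JOINED_DC_SMB_CONF)))
    fixed = add_dns_forwarder(JOINED_DC_SMB_CONF, "10.0.0.1")
    print("after: ", dns_forwarder_problems(parse_smb_conf(fixed)))
    print(fixed)
```

Run it against the real file with `python3 check.py < /usr/local/samba/etc/smb.conf` after replacing the sample with sys.stdin.read(); the daemon has to be restarted (section 6.1.4) before a change to smb.conf takes effect.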

6.2.5. Starting the daemon

# /usr/local/samba/sbin/samba

Note

Since this is a test environment, no boot-time startup script is provided. Start the daemon manually or add the command to rc.local.

