{"id":793,"date":"2017-08-22T13:22:43","date_gmt":"2017-08-22T04:22:43","guid":{"rendered":"https:\/\/knowhow.hirohiro716.com\/?p=793"},"modified":"2024-07-21T00:12:52","modified_gmt":"2024-07-20T15:12:52","slug":"centos7samba4%e3%81%a7%e3%81%ae%e7%84%a1%e6%96%99activedirectory%e6%a7%8b%e7%af%89","status":"publish","type":"post","link":"https:\/\/weblog.hirohiro716.com\/?p=793","title":{"rendered":"CentOS7+Samba4\u3067\u306e\u7121\u6599ActiveDirectory\u69cb\u7bc9"},"content":{"rendered":"<p>\u4eca\u56de\u306f\u30d7\u30e9\u30a4\u30de\u30ea\u3068\u30bb\u30ab\u30f3\u30c0\u30ea\u306e2\u53f0\u3092\u69cb\u6210\u3059\u308b\u3002<\/p>\n<h4>\u30d7\u30e9\u30a4\u30de\u30ea\u3068\u30bb\u30ab\u30f3\u30c0\u30ea\u306e\u5171\u901a\u8a2d\u5b9a<\/h4>\n<p>\u30db\u30b9\u30c8\u540d\u306e\u8a2d\u5b9a\u3002\u305d\u308c\u305e\u308c test-dc1 test-dc2 \u3068\u3059\u308b\u3002<\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\n# hostnamectl set-hostname test-dc1\r\n<\/pre>\n<p style=\"margin-bottom:2em;\">\nNTP\u30b5\u30fc\u30d0\u30fc\u306b\u3059\u308b\u3002<br \/>\n\u203b\u69cb\u7bc9\u624b\u9806\u306f<a href=\"\/?p=758\">\u3053\u3061\u3089<\/a>\u306e\u8a18\u4e8b\u3092\u53c2\u7167\n<\/p>\n<p>\u5fc5\u8981\u306a\u30b3\u30f3\u30dd\u30fc\u30cd\u30f3\u30c8\u306e\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3089\u3057\u3044\u3002<\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\nyum -y install \\\r\nperl \\\r\ngcc \\\r\nlibacl-devel \\\r\nlibblkid-devel \\\r\ngnutls-devel \\\r\nreadline-devel \\\r\npython-devel \\\r\ngdb \\\r\npkgconfig \\\r\nkrb5-workstation \\\r\nzlib-devel \\\r\nsetroubleshoot-server \\\r\nlibaio-devel \\\r\nsetroubleshoot-plugins \\\r\npolicycoreutils-python \\\r\nlibsemanage-python \\\r\nsetools-libs-python \\\r\nsetools-libs \\\r\npopt-devel \\\r\nlibpcap-devel \\\r\nsqlite-devel \\\r\nlibidn-devel \\\r\nlibxml2-devel \\\r\nlibacl-devel \\\r\nlibsepol-devel \\\r\nlibattr-devel \\\r\nkeyutils-libs-devel \\\r\ncyrus-sasl-devel \\\r\ncups-devel 
\\\r\nbind-utils \\\r\nlibxslt \\\r\ndocbook-style-xsl \\\r\nopenldap-devel\r\n<\/pre>\n<p>\u6700\u65b0\u7248\u306eSamba\u3092\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3059\u308b\u3002\u3053\u306e\u8a18\u4e8b\u3092\u66f8\u3044\u305f\u3068\u304d\u306f4.6.5\u3060\u3063\u305f\u3002<\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\n$ wget http:\/\/www.samba.org\/samba\/ftp\/samba-latest.tar.gz\r\n<\/pre>\n<p>\u89e3\u51cd\u3057\u3066\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3059\u308b\u3002<\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\n$ tar zxf samba-latest.tar.gz\r\n$ cd samba-*\r\n# .\/configure; make; make install\r\n<\/pre>\n<p>\u30d5\u30a1\u30a4\u30a2\u30a6\u30a9\u30fc\u30eb\u306e\u4f8b\u5916\u3092\u767b\u9332\u3059\u308b\u3002<\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\n# firewall-cmd --permanent --add-port=42\/tcp\r\n# firewall-cmd --permanent --add-port=53\/tcp\r\n# firewall-cmd --permanent --add-port=53\/udp\r\n# firewall-cmd --permanent --add-service=kerberos\r\n# firewall-cmd --permanent --add-service=ntp\r\n# firewall-cmd --permanent --add-port=135\/tcp\r\n# firewall-cmd --permanent --add-port=137\/udp\r\n# firewall-cmd --permanent --add-port=138\/udp\r\n# firewall-cmd --permanent --add-port=139\/tcp\r\n# firewall-cmd --permanent --add-service=ldap\r\n# firewall-cmd --permanent --add-port=389\/tcp\r\n# firewall-cmd --permanent --add-port=389\/udp\r\n# firewall-cmd --permanent --add-service=samba\r\n# firewall-cmd --permanent --add-port=464\/tcp\r\n# firewall-cmd --permanent --add-port=464\/udp\r\n# firewall-cmd --permanent --add-service=ldaps\r\n# firewall-cmd --permanent --add-port=1024-5000\/tcp\r\n# firewall-cmd --permanent --add-port=49152-65535\/tcp\r\n# firewall-cmd --permanent --add-port=5722\/tcp\r\n# firewall-cmd --permanent --add-port=9389\/tcp\r\n# firewall-cmd --reload\r\n<\/pre>\n<p>SELinux\u306e\u4f8b\u5916\u3092\u767b\u9332\u3059\u308b\u3002<\/p>\n<pre class=\"brush: plain; 
title: ; notranslate\" title=\"\">\r\n# setsebool -P samba_domain_controller true\r\n# setsebool -P samba_export_all_ro true\r\n# setsebool -P samba_export_all_rw true\r\n# setsebool -P samba_enable_home_dirs true\r\n<\/pre>\n<p>systemd\u306bsamba\u30b5\u30fc\u30d3\u30b9\u3092\u767b\u9332\u3059\u308b\u3002<br \/>\n\/etc\/systemd\/system\/samba.service \u3092\u4e0b\u8a18\u5185\u5bb9\u3067\u4f5c\u6210\u3002<\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\n&#x5B;Unit]\r\nDescription= Samba 4 Active Directory\r\nAfter=syslog.target\r\nAfter=network.target\r\n&#x5B;Service]\r\nType=forking\r\nPIDFile=\/usr\/local\/samba\/var\/run\/samba.pid\r\nExecStart=\/usr\/local\/samba\/sbin\/samba\r\n&#x5B;Install]\r\nWantedBy=multi-user.target\r\n<\/pre>\n<h4>\u30d7\u30e9\u30a4\u30de\u30ea\u306e\u8a2d\u5b9a<\/h4>\n<p>\u30c9\u30e1\u30a4\u30f3\u3092\u30bb\u30c3\u30c8\u30a2\u30c3\u30d7\u3059\u308b\u3002<br \/>\n\u203b&#8211;use-rfc2307 (Linux\/BSD\/macOS\u3092\u8a8d\u8a3c\u3059\u308b\u5834\u5408\u306f\u5fc5\u9808)<br \/>\n\u203b&#8211;interactive (\u30bb\u30c3\u30c8\u30a2\u30c3\u30d7\u3092\u5bfe\u8a71\u5f0f\u3067\u884c\u3046)<br \/>\n\u203b&#8211;function-level=2008_R2 (\u6a5f\u80fd\u30ec\u30d9\u30eb\u30922008_R2\u306b)<\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\n# \/usr\/local\/samba\/bin\/samba-tool domain provision --use-rfc2307 --interactive --function-level=2008_R2\r\n<\/pre>\n<p style=\"margin-bottom:2em;\">\nRealm: LOCAL.EXAMPLE.COM<br \/>\nDomain: EXAMPLE\n<\/p>\n<p>\u4e0b\u8a18\u306e\u30a8\u30e9\u30fc\u304c\u767a\u751f\u3057\u305f\u5834\u5408\u306f\/etc\/krb5.conf\u306e includedir \/etc\/krb5.conf.d\/ \u3092\u30b3\u30e1\u30f3\u30c8\u30a2\u30a6\u30c8\u3059\u308b\u3002<\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\nERROR(ldb): uncaught exception - operations error at ..\/source4\/dsdb\/samdb\/ldb_modules\/password_hash.c:2816\r\n<\/pre>\n<p 
style=\"margin-bottom:2em;\">\n\u53c2\u7167DNS\u3092\u81ea\u8eab\u306eIP\u30a2\u30c9\u30ec\u30b9\u306b\u3059\u308b\u3002<br \/>\ndns-search\u3092Realm\u306b\u5909\u66f4\u3059\u308b\u3002\n<\/p>\n<p>\u30b5\u30fc\u30d3\u30b9\u3092\u6709\u52b9\u306b\u3057\u3066\u8d77\u52d5\u3059\u308b\u3002<\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\n# systemctl enable samba\r\n# systemctl start samba\r\n<\/pre>\n<h4>\u30bb\u30ab\u30f3\u30c0\u30ea\u306e\u8a2d\u5b9a<\/h4>\n<p style=\"margin-bottom:2em;\">\n\u53c2\u7167DNS\u306e\u30d7\u30e9\u30a4\u30de\u30ea\u3092\u30d7\u30e9\u30a4\u30de\u30ea\u30c9\u30e1\u30b3\u30f3\u306eIP\u30a2\u30c9\u30ec\u30b9\u306b\u3059\u308b\u3002<br \/>\ndns-search\u3092Realm\u306b\u5909\u66f4\u3059\u308b\u3002\n<\/p>\n<p style=\"margin-bottom:2em;\">\n\u30d7\u30e9\u30a4\u30de\u30ea\u3067krb5.conf\u5185\u3092\u30b3\u30e1\u30f3\u30c8\u30a2\u30a6\u30c8\u3057\u3066\u3044\u308b\u5834\u5408\u306f\u540c\u3058\u304f \/etc\/krb5.conf \u306e includedir \/etc\/krb5.conf.d\/ \u3092\u30b3\u30e1\u30f3\u30c8\u30a2\u30a6\u30c8\u3059\u308b\u3002\n<\/p>\n<p>\u30c9\u30e1\u30b3\u30f3\u3068\u3057\u3066\u30c9\u30e1\u30a4\u30f3\u53c2\u52a0\u3055\u305b\u308b\u3002<\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\n# samba-tool domain join example DC -U administrator --realm=LOCAL.EXAMPLE.COM\r\n<\/pre>\n<p>\/usr\/local\/samba\/etc\/smb.conf\u306b\u4e0b\u8a18\u3092\u8ffd\u8a18\u3059\u308b\u3002<\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\ndns forwarder = &#x5B;\u30d7\u30e9\u30a4\u30de\u30ea\u3068\u540c\u3058forwarder]\r\nidmap_ldb:use rfc2307 = yes\r\n<\/pre>\n<p style=\"margin-bottom:2em;\">\n\u53c2\u7167DNS\u306e\u30bb\u30ab\u30f3\u30c0\u30ea\u3092\u672c\u30b5\u30fc\u30d0\u30fc\u306eIP\u30a2\u30c9\u30ec\u30b9\u306b\u3059\u308b\u3002\n<\/p>\n<p>\u30b5\u30fc\u30d3\u30b9\u3092\u6709\u52b9\u306b\u3057\u3066\u8d77\u52d5\u3059\u308b\u3002<\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\n# 
systemctl enable samba\r\n# systemctl start samba\r\n<\/pre>\n<p>\u30b0\u30eb\u30fc\u30d7\u30dd\u30ea\u30b7\u30fc\u304c\u81ea\u52d5\u3067\u306f\u540c\u671f\u3055\u308c\u306a\u3044\u306e\u3067\u3001\u30b0\u30eb\u30fc\u30d7\u30dd\u30ea\u30b7\u30fc\u306e\u5909\u66f4\u5f8c\u306f\u30bb\u30ab\u30f3\u30c0\u30ea\u306b\u3066\u4e0b\u8a18\u30b3\u30de\u30f3\u30c9\u3092\u5b9f\u884c\u3059\u308b\u5fc5\u8981\u304c\u3042\u308b\u3002<\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\n# rsync -a -u -e ssh root@test-dc1:\/usr\/local\/samba\/var\/locks\/sysvol\/ \/usr\/local\/samba\/var\/locks\/sysvol\/\r\n# \/usr\/local\/samba\/bin\/samba-tool ntacl sysvolreset\r\n<\/pre>\n<h4>\u305d\u306e\u4ed6<\/h4>\n<p>Windows\u306e\u7ba1\u7406\u30c4\u30fc\u30eb\u3067\u306f\u30d1\u30b9\u30ef\u30fc\u30c9\u3084\u30a2\u30ab\u30a6\u30f3\u30c8\u30ed\u30c3\u30af\u306e\u30dd\u30ea\u30b7\u30fc\u304c\u5909\u66f4\u3067\u304d\u306a\u304b\u3063\u305f\u3002samba-tool\u3067\u76f4\u63a5\u5909\u66f4\u3059\u308b\u3002<br \/>\n※下記の値は一例。最小パスワード長5は短く、最大有効期間0は無期限を意味するため、運用ポリシーに合わせて調整する。<\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\n# \/usr\/local\/samba\/bin\/samba-tool domain passwordsettings set --complexity=on\r\n# \/usr\/local\/samba\/bin\/samba-tool domain passwordsettings set --min-pwd-length=5\r\n# \/usr\/local\/samba\/bin\/samba-tool domain passwordsettings set --min-pwd-age=30\r\n# \/usr\/local\/samba\/bin\/samba-tool domain passwordsettings set --max-pwd-age=0\r\n# \/usr\/local\/samba\/bin\/samba-tool domain passwordsettings set --account-lockout-duration=60\r\n# \/usr\/local\/samba\/bin\/samba-tool domain passwordsettings set --account-lockout-threshold=3\r\n# \/usr\/local\/samba\/bin\/samba-tool domain passwordsettings set --reset-account-lockout-after=60\r\n# \/usr\/local\/samba\/bin\/samba-tool domain passwordsettings set --history-length=5\r\n<\/pre>\n<p>DNS\u306e\u66f4\u65b0\u72b6\u6cc1\u306e\u78ba\u8a8d\u3002<br \/>\nNo DNS updates needed \u306a\u3089OK\u3089\u3057\u3044\u3002<\/p>\n<pre class=\"brush: plain; title: ; 
notranslate\" title=\"\">\r\n# \/usr\/local\/samba\/sbin\/samba_dnsupdate --verbose\r\n<\/pre>\n<p>FSMO\u306e\u78ba\u8a8d\u3002<\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\n# \/usr\/local\/samba\/bin\/samba-tool fsmo show\r\n<\/pre>\n<p>FSMO\u306e\u79fb\u884c\u3002\u8ee2\u9001\u5148\u30b5\u30fc\u30d0\u30fc\u3067\u4e0b\u8a18\u30b3\u30de\u30f3\u30c9\u3092\u5b9f\u884c\u3059\u308b\u3002<\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\n# \/usr\/local\/samba\/bin\/samba-tool fsmo transfer --role all\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>\u4eca\u56de\u306f\u30d7\u30e9\u30a4\u30de\u30ea\u3068\u30bb\u30ab\u30f3\u30c0\u30ea\u306e2\u53f0\u3092\u69cb\u6210\u3059\u308b\u3002 \u30d7\u30e9\u30a4\u30de\u30ea\u3068\u30bb\u30ab\u30f3\u30c0\u30ea\u306e\u5171\u901a\u8a2d\u5b9a \u30db\u30b9\u30c8\u540d\u306e\u8a2d\u5b9a\u3002\u305d\u308c\u305e\u308c test-dc1 test-dc2 \u3068\u3059\u308b\u3002 # hostnamectl set-hostname test-d [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[28,16],"tags":[],"class_list":["post-793","post","type-post","status-publish","format-standard","hentry","category-activedirectory","category-centos"],"views":2467,"_links":{"self":[{"href":"https:\/\/weblog.hirohiro716.com\/index.php?rest_route=\/wp\/v2\/posts\/793","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/weblog.hirohiro716.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/weblog.hirohiro716.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/weblog.hirohiro716.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/weblog.hirohiro716.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=793"}],"version-history":[{"count":17,"href":"https:\/\/weblog.hirohiro716.com
\/index.php?rest_route=\/wp\/v2\/posts\/793\/revisions"}],"predecessor-version":[{"id":2801,"href":"https:\/\/weblog.hirohiro716.com\/index.php?rest_route=\/wp\/v2\/posts\/793\/revisions\/2801"}],"wp:attachment":[{"href":"https:\/\/weblog.hirohiro716.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=793"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/weblog.hirohiro716.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=793"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/weblog.hirohiro716.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=793"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}