At the time of writing, the version installable from the repository is 4.8.3, which is somewhat old, and for some reason samba-tool, which you will use heavily when building Samba as a domain controller, is not installed. Someone has already asked about this online ("How to install samba-tool on Amazon Linux"), and so far there is no answer. For that reason, this article installs Samba from source. Because the Python shipped with Amazon Linux 2 is the 2.7.x series, the steps below assume Python 2.
mkdir -p /usr/local/src/samba/
cd /usr/local/src/samba/
wget https://download.samba.org/pub/samba/samba-latest.tar.gz
tar zxvf samba-latest.tar.gz
cd samba-4.10.5/
PYTHON=python2 ./configure
PYTHON=python2 make
PYTHON=python2 make install
# Global parameters
[global]
dns forwarder = 192.168.1.2
netbios name = AD
realm = EXAMPLE.COM
server role = active directory domain controller
workgroup = EXAMPLE
idmap_ldb:use rfc2307 = yes

[netlogon]
path = /usr/local/samba/var/locks/sysvol/example.com/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

The following two lines are then added to the [global] section:

client ldap sasl wrapping = sign
ldap server require strong auth = no
The complete /usr/local/samba/etc/smb.conf looks like this. Note that ldap server require strong auth = no allows LDAP simple binds and unsigned LDAP connections that Samba's default of yes would reject, so keep it only for as long as a client actually needs it.
# Global parameters
[global]
dns forwarder = 192.168.1.2
netbios name = AD
realm = EXAMPLE.COM
server role = active directory domain controller
workgroup = EXAMPLE
idmap_ldb:use rfc2307 = yes
client ldap sasl wrapping = sign
ldap server require strong auth = no

[netlogon]
path = /usr/local/samba/var/locks/sysvol/example.com/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
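As an added example (not part of the original post or of Samba), a small checker that parses an smb.conf the way Samba reads parameter names (case and whitespace are ignored) and flags the settings on this page that weaken or break an AD DC. The embedded configuration is constructed from the values shown above.

```python
"""Audit an smb.conf for an Active Directory DC (added example, not Samba's code)."""
import re

# Sample smb.conf constructed from the settings shown on this page.
SAMPLE_SMB_CONF = """
# Global parameters
[global]
    dns forwarder = 192.168.1.2
    netbios name = AD
    realm = EXAMPLE.COM
    server role = active directory domain controller
    workgroup = EXAMPLE
    idmap_ldb:use rfc2307 = yes
    client ldap sasl wrapping = sign
    ldap server require strong auth = no

[netlogon]
    path = /usr/local/samba/var/locks/sysvol/example.com/scripts
    read only = No
"""

def parse_smb_conf(text):
    """Return {section: {key: value}}. Keys are lower-cased with whitespace removed,
    mirroring Samba's case- and whitespace-insensitive parameter matching."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank lines and comments
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:                                     # new [section]
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:  # key = value
            key, value = line.split("=", 1)
            sections[current][re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections

def audit_dc_config(text):
    """Return a list of findings for [global] settings that weaken or break an AD DC."""
    g = parse_smb_conf(text).get("global", {})
    findings = []
    if g.get("serverrole", "").lower() != "active directory domain controller":
        findings.append("server role is not 'active directory domain controller'")
    # Samba's default is yes: LDAP simple binds need TLS, and connections must be signed.
    if g.get("ldapserverrequirestrongauth", "yes").lower() != "yes":
        findings.append("ldap server require strong auth = no permits unsigned or cleartext LDAP binds")
    if g.get("clientldapsaslwrapping", "").lower() == "plain":
        findings.append("client ldap sasl wrapping = plain disables LDAP signing")
    if "dnsforwarder" not in g:
        findings.append("no dns forwarder: the internal DNS cannot resolve names outside the domain")
    return findings
```

Running audit_dc_config on the page's configuration reports exactly one finding, the strong-auth setting; switching it to yes clears the list.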
$ smbclient -L localhost -U%
Sharename Type Comment
--------- ---- -------
netlogon Disk
sysvol Disk
IPC$ IPC IPC Service (Samba 4.10.5)
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
The currently configured domain functional level can be checked with samba-tool domain level show.
# samba-tool domain level show
Domain and forest function level for domain 'DC=example,DC=com'
Forest function level: (Windows)2008 R2
Domain function level: (Windows)2008 R2
Lowest function level of a DC: (Windows)2008 R2
Functional level is included for use against Windows, but not supported in Samba. Kerberos improvements from Windows Server 2012 and 2012 R2 are not implemented in Samba.
$ samba-tool domain provision --help
Usage: samba-tool domain provision [options]
Provision a domain.
Options:
-h, --help show this help message and exit
--interactive Ask for names
--domain=DOMAIN NetBIOS domain name to use
--domain-guid=GUID set domainguid (otherwise random)
--domain-sid=SID set domainsid (otherwise random)
--ntds-guid=GUID set NTDS object GUID (otherwise random)
--invocationid=GUID set invocationid (otherwise random)
--host-name=HOSTNAME set hostname
--host-ip=IPADDRESS set IPv4 ipaddress
--host-ip6=IP6ADDRESS
set IPv6 ipaddress
--site=SITENAME set site name
--adminpass=PASSWORD choose admin password (otherwise random)
--krbtgtpass=PASSWORD
choose krbtgt password (otherwise random)
--dns-backend=NAMESERVER-BACKEND
The DNS server backend. SAMBA_INTERNAL is the builtin
name server (default), BIND9_FLATFILE uses bind9 text
database to store zone information, BIND9_DLZ uses
samba4 AD to store zone information, NONE skips the
DNS setup entirely (not recommended)
--dnspass=PASSWORD choose dns password (otherwise random)
--root=USERNAME choose 'root' unix username
--nobody=USERNAME choose 'nobody' user
--users=GROUPNAME choose 'users' group
--blank do not add users or groups, just the structure
--server-role=ROLE The server role (domain controller | dc | member
server | member | standalone). Default is dc.
--function-level=FOR-FUN-LEVEL
The domain and forest function level (2000 | 2003 |
2008 | 2008_R2 - always native). Default is (Windows)
2008_R2 Native.
--base-schema=BASE-SCHEMA
The base schema files to use. Default is (Windows)
2008_R2.
--next-rid=NEXTRID The initial nextRid value (only needed for upgrades).
Default is 1000.
--partitions-only Configure Samba's partitions, but do not modify them
(ie, join a BDC)
--use-rfc2307 Use AD to store posix attributes (default= no)
--machinepass=PASSWORD
choose machine password (otherwise random)
--plaintext-secrets Store secret/sensitive values as plain text on
disk(default is to encrypt secret/ensitive values)
--backend-store=BACKENDSTORE
Specify the database backend to be used (default is
tdb)
--targetdir=DIR Set target directory (where to store provision)
-q, --quiet Be quiet
Samba Common Options:
-s FILE, --configfile=FILE
Configuration file
-d DEBUGLEVEL, --debuglevel=DEBUGLEVEL
debug level
--option=OPTION set smb.conf option from command line
--realm=REALM set the realm name
Version Options:
-V, --version Display version number
# samba-tool ou create --help
Usage: samba-tool ou create <ou_dn> [options]
Create an organizational unit.
The name of the new ou can be specified as a full DN or without the
domainDN component.
Examples:
samba-tool ou create 'OU=OrgUnit'
samba-tool ou create 'OU=SubOU,OU=OrgUnit,DC=samdom,DC=example,DC=com'
The examples show how an administrator would create a new ou 'OrgUnit'
and a new ou 'SubOU' as a child of the ou 'OrgUnit'.
Options:
-h, --help show this help message and exit
-H URL, --URL=URL LDB URL for database or target server
--description=DESCRIPTION
OU's description
Credentials Options:
--simple-bind-dn=DN DN to use for a simple bind
--password=PASSWORD Password
-U USERNAME, --username=USERNAME Username
-W WORKGROUP, --workgroup=WORKGROUP Workgroup
-N, --no-pass Don't ask for a password
-k KERBEROS, --kerberos=KERBEROS
Use Kerberos
--ipaddress=IPADDRESS
IP address of server
-P, --machine-pass Use stored machine account password
--krb5-ccache=KRB5CCNAME
Kerberos Credentials cache
Samba Common Options:
-s FILE, --configfile=FILE
Configuration file
-d DEBUGLEVEL, --debuglevel=DEBUGLEVEL
debug level
--option=OPTION set smb.conf option from command line
--realm=REALM set the realm name
Version Options:
-V, --version Display version number
# samba-tool user create --help
Usage: samba-tool user create <username> [<password>][options]
Create a new user.
This command creates a new user account in the Active Directory domain. The
username specified on the command is the sAMaccountName.
User accounts may represent physical entities, such as people or may be used
as service accounts for applications. User accounts are also referred to as
security principals and are assigned a security identifier (SID).
A user account enables a user to logon to a computer and domain with an
identity that can be authenticated. To maximize security, each user should
have their own unique user account and password. A user's access to domainresources is based on permissions assigned to the user account.Unix (RFC2307) attributes may be added to the user account. Attributes takenfrom NSS are obtained on the local machine. Explicitly given values overridevalues obtained from NSS. Configure 'idmap_ldb:use rfc2307= Yes' to use theseattributes for UID/GID mapping.The command may be run from the root userid or another authorized userid. The-H or --URL= option can be used to execute the command against a remoteserver.Example1:samba-tool user create User1 passw0rd --given-name=John --surname=Smith--must-change-at-next-login -H ldap://samba.samdom.example.com-Uadministrator%passw1rdExample1 shows how to create a new user in the domain against a remote LDAPserver. The -H parameter is used to specify the remote target server. The -Uoption is used to pass the userid and password authorized to issue the commandremotely.Example2:sudo samba-tool user create User2 passw2rd --given-name=Jane --surname=Doe--must-change-at-next-loginExample2 shows how to create a new user in the domain against the localserver. sudo is used so a user may run the command as root. In thisexample, after User2 is created, he/she will be forced to change theirpassword when they logon.Example3:samba-tool user create User3 passw3rd --userou='OU=OrgUnit'Example3 shows how to create a new user in the OrgUnit organizational unit.Example4:samba-tool user create User4 passw4rd --rfc2307-from-nss --gecos 'some text'Example4 shows how to create a new user with Unix UID, GID and login-shell setfrom the local NSS and GECOS set to 'some text'.Example5:samba-tool user create User5 passw5rd --nis-domain=samdom --unix-home=/home/User5 --uid-number=10005 --login-shell=/bin/false --gid-number=10000Example5 shows how to create an RFC2307/NIS domain enabled user account. 
If--nis-domain is set, then the other four parameters are mandatory.Options: -h, --help show this help message and exit -H URL, --URL=URL LDB URL for database or target server --must-change-at-next-login Force password to be changed on next login --random-password Generate random password --smartcard-required Require a smartcard for interactive logons --use-username-as-cn Force use of username as user's CN
--userou=USEROU DN of alternative location (without domainDN
counterpart) to default CN=Users in which new user
object will be created. E. g. 'OU=<OU name>'
--surname=SURNAME User's surname --given-name=GIVEN_NAME User's given name
--initials=INITIALS User's initials --profile-path=PROFILE_PATH User's profile path
--script-path=SCRIPT_PATH
User's logon script path --home-drive=HOME_DRIVE User's home drive letter
--home-directory=HOME_DIRECTORY
User's home directory path --job-title=JOB_TITLE User's job title
--department=DEPARTMENT
User's department --company=COMPANY User's company
--description=DESCRIPTION
User's description --mail-address=MAIL_ADDRESS User's email address
--internet-address=INTERNET_ADDRESS
User's home page --telephone-number=TELEPHONE_NUMBER User's phone number
--physical-delivery-office=PHYSICAL_DELIVERY_OFFICE
User's office location --rfc2307-from-nss Copy Unix user attributes from NSS (will be overridden by explicit UID/GID/GECOS/shell) --nis-domain=NIS_DOMAIN User's Unix/RFC2307 NIS domain
--unix-home=UNIX_HOME
User's Unix/RFC2307 home directory --uid=UID User's Unix/RFC2307 username
--uid-number=UID_NUMBER
User's Unix/RFC2307 numeric UID --gid-number=GID_NUMBER User's Unix/RFC2307 primary GID number
--gecos=GECOS User's Unix/RFC2307 GECOS field --login-shell=LOGIN_SHELL User's Unix/RFC2307 login shell
Credentials Options:
--simple-bind-dn=DN
DN to use for a simple bind
--password=PASSWORD
Password
-U USERNAME, --username=USERNAME
Username
-W WORKGROUP, --workgroup=WORKGROUP
Workgroup
-N, --no-pass Don't ask for a password
-k KERBEROS, --kerberos=KERBEROS
Use Kerberos
--ipaddress=IPADDRESS
IP address of server
-P, --machine-pass Use stored machine account password
--krb5-ccache=KRB5CCNAME
Kerberos Credentials cache
Samba Common Options:
-s FILE, --configfile=FILE
Configuration file
-d DEBUGLEVEL, --debuglevel=DEBUGLEVEL
debug level
--option=OPTION set smb.conf option from command line
--realm=REALM set the realm name
Version Options:
-V, --version Display version number
# samba-tool user move --help
Usage: samba-tool user move <username> <new_parent_dn> [options]
Move a user to an organizational unit/container.
This command moves a user account into the specified organizational unit
or container.
The username specified on the command is the sAMAccountName.
The name of the organizational unit or container can be specified as a
full DN or without the domainDN component.
The command may be run from the root userid or another authorized userid.
The -H or --URL= option can be used to execute the command against a remote
server.
Example1:
samba-tool user move User1 'OU=OrgUnit,DC=samdom.DC=example,DC=com' -H
ldap://samba.samdom.example.com -U administrator
Example1 shows how to move a user User1 into the 'OrgUnit' organizational
unit on a remote LDAP server.
The -H parameter is used to specify the remote target server.
Example2:
samba-tool user move User1 CN=Users
Example2 shows how to move a user User1 back into the CN=Users container
on the local server.
Options:
-h, --help show this help message and exit
-H URL, --URL=URL LDB URL for database or target server
Credentials Options:
--simple-bind-dn=DN
DN to use for a simple bind
--password=PASSWORD
Password
-U USERNAME, --username=USERNAME
Username
-W WORKGROUP, --workgroup=WORKGROUP
Workgroup
-N, --no-pass Don't ask for a password
-k KERBEROS, --kerberos=KERBEROS
Use Kerberos
--ipaddress=IPADDRESS
IP address of server
-P, --machine-pass Use stored machine account password
--krb5-ccache=KRB5CCNAME
Kerberos Credentials cache
Samba Common Options:
-s FILE, --configfile=FILE
Configuration file
-d DEBUGLEVEL, --debuglevel=DEBUGLEVEL
debug level
--option=OPTION set smb.conf option from command line
--realm=REALM set the realm name
Version Options:
-V, --version Display version number
# samba-tool group add --help
Usage: samba-tool group add <groupname> [options]
Creates a new AD group.
This command creates a new Active Directory group. The groupname specified on
the command is a unique sAMAccountName.
An Active Directory group may contain user and computer accounts as well as
other groups. An administrator creates a group and adds members to that group
so they can be managed as a single entity. This helps to simplify security
and system administration.
Groups may also be used to establish email distribution lists, using --group-
type=Distribution.
Groups are located in domains in organizational units (OUs). The group's
scope is a characteristic of the group that designates the extent to which the
group is applied within the domain tree or forest.
The group location (OU), type (security or distribution) and scope may all be
specified on the samba-tool command when the group is created.
The command may be run from the root userid or another authorized userid. The
-H or --URL= option can be used to execute the command on a remote server.
Example1:
samba-tool group add Group1 -H ldap://samba.samdom.example.com --description='Simple group'
Example1 adds a new group with the name Group1 added to the Users container on
a remote LDAP server. The -U parameter is used to pass the userid and
password of a user that exists on the remote server and is authorized to issue
the command on that server. It defaults to the security type and global
scope.
Example2:
sudo samba-tool group add Group2 --group-type=Distribution
Example2 adds a new distribution group to the local server. The command is
run under root using the sudo command.
Example3:
samba-tool group add Group3 --nis-domain=samdom --gid-number=12345
Example3 adds a new RFC2307 enabled group for NIS domain samdom and GID 12345
(both options are required to enable this feature).
Options:
-h, --help show this help message and exit
-H URL, --URL=URL LDB URL for database or target server
--groupou=GROUPOU Alternative location (without domainDN counterpart) to default CN=Users in which new user object will be created
--group-scope=GROUP_SCOPE Group scope (Domain | Global | Universal)
--group-type=GROUP_TYPE Group type (Security | Distribution)
--description=DESCRIPTION Group's description
--mail-address=MAIL_ADDRESS
Group's email address
--notes=NOTES Groups's notes
--gid-number=GID_NUMBER
Group's Unix/RFC2307 GID number
--nis-domain=NIS_DOMAIN SFU30 NIS Domain
Credentials Options:
--simple-bind-dn=DN DN to use for a simple bind
--password=PASSWORD Password
-U USERNAME, --username=USERNAME Username
-W WORKGROUP, --workgroup=WORKGROUP Workgroup
-N, --no-pass Don't ask for a password
-k KERBEROS, --kerberos=KERBEROS
Use Kerberos
--ipaddress=IPADDRESS
IP address of server
-P, --machine-pass Use stored machine account password
--krb5-ccache=KRB5CCNAME
Kerberos Credentials cache
Samba Common Options:
-s FILE, --configfile=FILE
Configuration file
-d DEBUGLEVEL, --debuglevel=DEBUGLEVEL
debug level
--option=OPTION set smb.conf option from command line
--realm=REALM set the realm name
Version Options:
-V, --version Display version number
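As an added example that ties the ou create, user create, user move and group add help texts above together (not part of the original post or of Samba), the following builds the samba-tool invocations for onboarding a user into a new OU. Commands are argv lists run without a shell, the password is deliberately omitted so samba-tool prompts for it instead of exposing it in the process list or shell history, and OU/container DNs are checked to be relative (without the domainDN component) as the help text permits. The binary path, OU names and account names are assumptions.

```python
"""Build and run samba-tool commands for an OU / user / group onboarding flow
(added example, not Samba's own code)."""
import re
import subprocess

# Assumed path: the source build on this page installs under /usr/local/samba.
SAMBA_TOOL = "/usr/local/samba/bin/samba-tool"

def relative_dn(dn):
    """Accept an OU or container DN given without the domainDN component, as
    samba-tool allows, and reject anything else so a typo cannot target a
    different naming context."""
    if not re.match(r"^(OU|CN)=[^,=]+(,OU=[^,=]+)*$", dn, re.IGNORECASE):
        raise ValueError("expected a relative DN such as OU=Staff or OU=Sub,OU=Staff: %r" % dn)
    return dn

def onboarding_commands(ou, username, group, given_name, surname):
    """Return the argv lists that create the OU, a user inside it who must change
    the password at first logon, and a security group in the same OU.
    No password argument is given: samba-tool then prompts for it on the terminal."""
    ou = relative_dn(ou)
    return [
        [SAMBA_TOOL, "ou", "create", ou],
        [SAMBA_TOOL, "user", "create", username,
         "--must-change-at-next-login", "--userou=" + ou,
         "--given-name=" + given_name, "--surname=" + surname],
        [SAMBA_TOOL, "group", "add", group, "--groupou=" + ou, "--group-type=Security"],
    ]

def move_user_command(username, new_parent_dn):
    """argv for samba-tool user move, e.g. back to CN=Users or into a leavers OU."""
    return [SAMBA_TOOL, "user", "move", username, relative_dn(new_parent_dn)]

def run_all(commands, dry_run=True):
    """Run each argv in order and stop at the first failure; a dry run only prints."""
    for argv in commands:
        if dry_run:
            print(" ".join(argv))
        else:
            subprocess.check_call(argv)   # no shell, so DNs and names are never re-parsed

if __name__ == "__main__":
    run_all(onboarding_commands("OU=Staff", "jdoe", "staff-all", "Jane", "Doe"))
```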