Debian 10 Buster

Samba : Samba Winbind (2019/07/30)

 
Join a Windows Active Directory domain with Samba Winbind.
This assumes that a Windows Active Directory Domain Service is already running on the LAN.
In this example, the settings are for the following Active Directory domain environment.
Domain server : Windows Server 2019
NetBIOS name : FD3S01
Domain name : srv.world
Realm : SRV.WORLD
Hostname : fd3s.srv.world
[1] Install Winbind.
root@smb:~#
apt -y install winbind libpam-winbind libnss-winbind krb5-config samba-dsdb-modules samba-vfs-modules
# Select [Yes] if this host obtains its IP address from DHCP, or [No] if it uses a static IP

 +----------------------+ Samba server and utilities +-----------------------+
 |                                                                           |
 | If your computer gets IP address information from a DHCP server on the    |
 | network, the DHCP server may also provide information about WINS servers  |
 | ("NetBIOS name servers") present on the network.  This requires a change  |
 | to your smb.conf file so that DHCP-provided WINS settings will            |
 | automatically be read from /var/lib/samba/dhcp.conf.                      |
 |                                                                           |
 | The dhcp-client package must be installed to take advantage of this       |
 | feature.                                                                  |
 |                                                                           |
 | Modify smb.conf to use WINS settings from DHCP?                           |
 |                                                                           |
 |                    <Yes>                       <No>                       |
 |                                                                           |
 +---------------------------------------------------------------------------+
# Specify the realm name

 +------------------+ Configuring Kerberos Authentication +------------------+
 | When users attempt to use Kerberos and specify a principal or user name   |
 | without specifying what administrative Kerberos realm that principal      |
 | belongs to, the system appends the default realm.  The default realm may  |
 | also be used as the realm of a Kerberos service running on the local      |
 | machine.  Often, the default realm is the uppercase version of the local  |
 | DNS domain.                                                               |
 |                                                                           |
 | Default Kerberos version 5 realm:                                         |
 |                                                                           |
 | SRV.WORLD________________________________________________________________ |
 |                                                                           |
 |                                  <Ok>                                     |
 |                                                                           |
 +---------------------------------------------------------------------------+
# Specify the hostname of the AD DS server

     +--------------+ Configuring Kerberos Authentication +---------------+
     | Enter the hostnames of Kerberos servers in the SRV.WORLD           |
     | Kerberos realm separated by spaces.                                |
     |                                                                    |
     | Kerberos servers for your realm:                                   |
     |                                                                    |
     | fd3s.srv.world____________________________________________________ |
     |                                                                    |
     |                               <Ok>                                 |
     |                                                                    |
     +--------------------------------------------------------------------+
# Specify the hostname of the AD DS server

 +------------------+ Configuring Kerberos Authentication +------------------+
 | Enter the hostname of the administrative (password changing) server for   |
 | the SRV.WORLD Kerberos realm.                                             |
 |                                                                           |
 | Administrative server for your Kerberos realm:                            |
 |                                                                           |
 | fd3s.srv.world___________________________________________________________ |
 |                                                                           |
 |                                  <Ok>                                     |
 |                                                                           |
 +---------------------------------------------------------------------------+
[2] Configure Winbind.
root@smb:~#
vi /etc/samba/smb.conf
# line 29: change workgroup to the NetBIOS name of the AD DS, then add the lines below under it

   workgroup = FD3S01
   realm = SRV.WORLD
   security = ads
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config FD3S01 : backend = rid
   idmap config FD3S01 : range = 10000-999999
   template homedir = /home/%U
   template shell = /bin/bash
   winbind use default domain = true
   winbind offline logon = false

root@smb:~#
vi /etc/nsswitch.conf
# line 7: add as follows

passwd:         files systemd winbind
group:          files systemd winbind

root@smb:~#
vi /etc/pam.d/common-session
# If needed, add to the last line (creates the user's home directory automatically at login)

session optional        pam_mkhomedir.so skel=/etc/skel umask=077

root@smb:~#
vi /etc/resolv.conf
# Change the DNS server to the AD server

nameserver 10.0.0.100
[3] Join the Active Directory domain.
# join the domain ( net ads join -U [AD administrator user] )

root@smb:~#
net ads join -U Administrator

Enter Administrator's password:
Using short domain name -- FD3S01
Joined 'SMB' to dns domain 'srv.world'
No DNS domain configured for smb. Unable to perform DNS Update.
DNS update failed: NT_STATUS_INVALID_PARAMETER
root@smb:~#
systemctl restart winbind
# Display AD user information

root@smb:~#
wbinfo -u

administrator
guest
sshd
krbtgt
serverworld
ldapusers
# Switch to an AD user

root@smb:~#
su - serverworld

Creating directory '/home/serverworld'.
serverworld@smb:~$
id

uid=11103(serverworld) gid=10513(domain users) groups=10513(domain users),11103(serverworld)
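A pre-join sanity check for the smb.conf settings written in step [2], added here as an example that is not part of the original page. It parses a constructed copy of that [global] section and flags a security mode other than ads, a realm that is not uppercase, a FD3S01 rid range that overlaps the default tdb range (overlap makes SIDs from different sources map onto the same UIDs/GIDs), and offline logons left enabled; the helper names write_sample_conf, smb_get and check_smb_conf are assumptions.

```shell
#!/bin/sh
# Example pre-join sanity check for the smb.conf settings above (not from the
# original page). Assumes keys are one per line as "key = value" under [global].

# Constructed sample mirroring the page's values (the expected "good" case).
write_sample_conf() {  # $1 = destination path
  cat > "$1" <<'EOF'
[global]
   workgroup = FD3S01
   realm = SRV.WORLD
   security = ads
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config FD3S01 : backend = rid
   idmap config FD3S01 : range = 10000-999999
   winbind use default domain = true
   winbind offline logon = false
EOF
}
# smb_get FILE KEY: value of the first "KEY = value" line. Fixed-string match,
# so keys containing "*" or ":" are safe; surrounding whitespace is stripped.
smb_get() {
  grep -F -- "$2 =" "$1" | head -n 1 | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//'
}

# check_smb_conf FILE: prints every problem found; exit status 0 only if none.
check_smb_conf() {
  f=$1; rc=0
  [ "$(smb_get "$f" security)" = "ads" ] || { echo "security must be 'ads' for a domain member"; rc=1; }
  case $(smb_get "$f" realm) in ''|*[a-z]*) echo "realm must be set in UPPERCASE"; rc=1 ;; esac
  wg=$(smb_get "$f" workgroup)
  drange=$(smb_get "$f" 'idmap config * : range')
  wrange=$(smb_get "$f" "idmap config $wg : range")
  if [ -z "$drange" ] || [ -z "$wrange" ]; then
    echo "both the default (*) and the $wg idmap ranges must be set"; rc=1
  else
    # Ranges are LOW-HIGH. If they overlap, BUILTIN/foreign SIDs from the tdb
    # backend can land on the same UIDs/GIDs as rid-mapped domain accounts.
    d_lo=${drange%-*}; d_hi=${drange#*-}; w_lo=${wrange%-*}; w_hi=${wrange#*-}
    if [ "$w_lo" -le "$d_hi" ] && [ "$d_lo" -le "$w_hi" ]; then
      echo "idmap range $wrange for $wg overlaps the default range $drange"; rc=1
    fi
  fi
  [ "$(smb_get "$f" 'winbind offline logon')" = "false" ] \
    || { echo "winbind offline logon should be false unless cached logons are wanted"; rc=1; }
  return $rc
}
# Stand-alone run: check the constructed sample (point it at /etc/samba/smb.conf in practice).
tmp=$(mktemp); write_sample_conf "$tmp"; check_smb_conf "$tmp" && echo "smb.conf checks passed"; rm -f "$tmp"
```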