Debian 11 Bullseye
Sponsored Link

Samba : Samba Winbind2021/09/14

 
Samba Winbind で Windows の Active Directory ドメインに参加します。
ローカルネットワーク内に Windows Active Directory Domain Service が稼働していることが前提です。
当例では、以下のような Active Directory ドメイン環境で設定します。
ドメインサーバー : Windows Server 2019
ドメイン名 : srv.world
ホスト名 : fd3s.srv.world
NetBIOS 名 : FD3S01
レルム : SRV.WORLD
[1] Winbind をインストールします。
root@smb:~#
apt -y install winbind libpam-winbind libnss-winbind krb5-config samba-dsdb-modules samba-vfs-modules
# レルム名を指定

 +------------------+ Configuring Kerberos Authentication +------------------+
 | When users attempt to use Kerberos and specify a principal or user name   |
 | without specifying what administrative Kerberos realm that principal      |
 | belongs to, the system appends the default realm.  The default realm may  |
 | also be used as the realm of a Kerberos service running on the local      |
 | machine.  Often, the default realm is the uppercase version of the local  |
 | DNS domain.                                                               |
 |                                                                           |
 | Default Kerberos version 5 realm:                                         |
 |                                                                           |
 | SRV.WORLD________________________________________________________________ |
 |                                                                           |
 |                                  <Ok>                                     |
 |                                                                           |
 +---------------------------------------------------------------------------+
# AD DS のホスト名を指定

     +--------------+ Configuring Kerberos Authentication +---------------+
     | Enter the hostnames of Kerberos servers in the SRV.WORLD           |
     | Kerberos realm separated by spaces.                                |
     |                                                                    |
     | Kerberos servers for your realm:                                   |
     |                                                                    |
     | fd3s.srv.world____________________________________________________ |
     |                                                                    |
     |                               <Ok>                                 |
     |                                                                    |
     +--------------------------------------------------------------------+
# AD DS のホスト名を指定

 +------------------+ Configuring Kerberos Authentication +------------------+
 | Enter the hostname of the administrative (password changing) server for   |
 | the SRV.WORLD Kerberos realm.                                             |
 |                                                                           |
 | Administrative server for your Kerberos realm:                            |
 |                                                                           |
 | fd3s.srv.world___________________________________________________________ |
 |                                                                           |
 |                                  <Ok>                                     |
 |                                                                           |
 +---------------------------------------------------------------------------+
[2] Winbind の設定です。
root@smb:~#
mv /etc/samba/smb.conf /etc/samba/smb.conf.org

root@smb:~#
vi /etc/samba/smb.conf
# 以下のように新規作成

# [realm] と [workgroup] は自身の環境に置き換え

[global]
   kerberos method = secrets and keytab
   realm = SRV.WORLD
   workgroup = FD3S01
   security = ads
   template shell = /bin/bash
   winbind enum groups = Yes
   winbind enum users = Yes
   winbind separator = +
   idmap config * : rangesize = 1000000
   idmap config * : range = 1000000-19999999
   idmap config * : backend = autorid

root@smb:~#
vi /etc/nsswitch.conf
# 7行目 : 以下のように追記

passwd:         files systemd winbind
group:          files systemd winbind

root@smb:~#
vi /etc/pam.d/common-session
# 必要があれば、最終行に追記 ( ログイン時にホームディレクトリを自動作成 )

session optional        pam_mkhomedir.so skel=/etc/skel umask=077

# DNS を AD に向ける

root@smb:~#
vi /etc/resolv.conf
domain srv.world
search srv.world
nameserver 10.0.0.100
[3] Active Directory ドメインに参加します。
# ドメインに参加 ( net ads join -U [任意の AD ユーザー] )

root@smb:~#
net ads join -U Administrator

Enter Administrator's password:
Using short domain name -- FD3S01
Joined 'SMB' to dns domain 'srv.world'
No DNS domain configured for smb. Unable to perform DNS Update.
DNS update failed: NT_STATUS_INVALID_PARAMETER
root@smb:~#
systemctl restart winbind
# ドメイン情報表示

root@smb:~#
net ads info

LDAP server: 10.0.0.100
LDAP server name: fd3s.srv.world
Realm: SRV.WORLD
Bind Path: dc=SRV,dc=WORLD
LDAP port: 389
Server time: Tue, 14 Sep 2021 09:16:16 JST
KDC server: 10.0.0.100
Server time offset: 0
Last machine account password change: Tue, 14 Sep 2021 09:16:04 JST

# AD ユーザー情報表示

root@smb:~#
wbinfo -u

FD3S01+administrator
FD3S01+guest
FD3S01+krbtgt
FD3S01+serverworld
FD3S01+ldapuser
FD3S01+aduser01

# AD ユーザーでログイン可能か確認

root@smb:~#
exit

logout

Debian GNU/Linux 11 smb.srv.world ttyS0

smb login: FD3S01+serverworld
Password:
Linux smb.srv.world 5.10.0-8-amd64 #1 SMP Debian 5.10.46-4 (2021-08-03) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Creating directory '/home/FD3S01/serverworld'.
FD3S01+serverworld@smb:~$      # ログインできた

serverworld@smb:~$
id

uid=2001103(FD3S01+serverworld) gid=2000513(FD3S01+domain users) groups=2000513(FD3S01+domain users),2001103(FD3S01+serverworld)
関連コンテンツ