CentOS 7.3: Building an AD DC with SAMBA-4.6.5 (SAMBA_INTERNAL)


I had previously built an AD DC environment as a trial using "Sernet SAMBA", but the write-ups on that ransomware said something about CIFS, so I took the opportunity to rebuild it.

When I built it before, yum packages were available, but they no longer seem to be provided (?), so this time the install is from source.

Target configuration

DCSERV01
 Domain controller (Samba)
 ⇒ The main server built this time; the OS is CentOS 7.3.

Editing /etc/hosts

Add this server (DCSERV01) itself. The fully qualified name must map to the LAN address, not to 127.0.0.1: provisioning registers whatever address the host name resolves to as the DC's A record, and a loopback entry would hand every client an unusable DC address.

# cp -p /etc/hosts /etc/hosts.original
# vim /etc/hosts
127.0.0.1     localhost localhost.localdomain localhost4 localhost4.localdomain4
::1           localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.1.111 DCSERV01.orangetakam.local DCSERV01

Preparing to compile

Install the packages needed to compile Samba.

・Checking the packages

# yum list \
> perl \
> gcc \
> libacl-devel \
> libblkid-devel \
> gnutls-devel \
> readline-devel \
> python-devel \
> gdb \
> pkgconfig \
> krb5-workstation \
> zlib-devel \
> setroubleshoot-server \
> libaio-devel \
> setroubleshoot-plugins \
> policycoreutils-python \
> libsemanage-python \
> setools-libs-python \
> setools-libs \
> popt-devel \
> libpcap-devel \
> sqlite-devel \
> libidn-devel \
> libxml2-devel \
> libacl-devel \
> libsepol-devel \
> libattr-devel \
> keyutils-libs-devel \
> cyrus-sasl-devel \
> cups-devel \
> bind-utils \
> libxslt \
> docbook-style-xsl \
> openldap-devel \
> pam-devel \
> bzip2 \
> vim \
> wget
   :(omitted)
Installed Packages
bind-utils.x86_64                     32:9.9.4-38.el7_3.3       @updates   <= already installed
perl.x86_64                           4:5.16.3-291.el7          @base      <= already installed
pkgconfig.x86_64                      1:0.27.1-4.el7            @anaconda  <= already installed
vim-enhanced.x86_64                   2:7.4.160-1.el7_3.1       @updates   <= already installed
Available Packages
bzip2.x86_64                          1.0.6-13.el7              base
cups-devel.i686                       1:1.6.3-26.el7            base
cups-devel.x86_64                     1:1.6.3-26.el7            base
cyrus-sasl-devel.i686                 2.1.26-20.el7_2           base
cyrus-sasl-devel.x86_64               2.1.26-20.el7_2           base
docbook-style-xsl.noarch              1.78.1-3.el7              base
gcc.x86_64                            4.8.5-11.el7              base
gdb.x86_64                            7.6.1-94.el7              base
gnutls-devel.i686                     3.3.24-1.el7              base
gnutls-devel.x86_64                   3.3.24-1.el7              base
keyutils-libs-devel.i686              1.5.8-3.el7               base
keyutils-libs-devel.x86_64            1.5.8-3.el7               base
krb5-workstation.x86_64               1.14.1-27.el7_3           updates
libacl-devel.i686                     2.2.51-12.el7             base
libacl-devel.x86_64                   2.2.51-12.el7             base
libaio-devel.i686                     0.3.109-13.el7            base
libaio-devel.x86_64                   0.3.109-13.el7            base
libattr-devel.i686                    2.4.46-12.el7             base
libattr-devel.x86_64                  2.4.46-12.el7             base
libblkid-devel.i686                   2.23.2-33.el7_3.2         updates
libblkid-devel.x86_64                 2.23.2-33.el7_3.2         updates
libidn-devel.i686                     1.28-4.el7                base
libidn-devel.x86_64                   1.28-4.el7                base
libpcap-devel.i686                    14:1.5.3-8.el7            base
libpcap-devel.x86_64                  14:1.5.3-8.el7            base
libsemanage-python.x86_64             2.5-5.1.el7_3             updates
libsepol-devel.i686                   2.5-6.el7                 base
libsepol-devel.x86_64                 2.5-6.el7                 base
libxml2-devel.i686                    2.9.1-6.el7_2.3           base
libxml2-devel.x86_64                  2.9.1-6.el7_2.3           base
libxslt.i686                          1.1.28-5.el7              base
libxslt.x86_64                        1.1.28-5.el7              base
openldap-devel.i686                   2.4.40-13.el7             base
openldap-devel.x86_64                 2.4.40-13.el7             base
pam-devel.i686                        1.1.8-18.el7              base
pam-devel.x86_64                      1.1.8-18.el7              base
pkgconfig.i686                        1:0.27.1-4.el7            base
policycoreutils-python.x86_64         2.5-11.el7_3              updates
popt-devel.i686                       1.13-16.el7               base
popt-devel.x86_64                     1.13-16.el7               base
python-devel.x86_64                   2.7.5-48.el7              base
readline-devel.i686                   6.2-9.el7                 base
readline-devel.x86_64                 6.2-9.el7                 base
setools-libs.i686                     3.3.8-1.1.el7             base
setools-libs.x86_64                   3.3.8-1.1.el7             base
setroubleshoot-plugins.noarch         3.0.64-2.1.el7            base
setroubleshoot-server.x86_64          3.2.27.2-3.el7            base
sqlite-devel.i686                     3.7.17-8.el7              base
sqlite-devel.x86_64                   3.7.17-8.el7              base
wget.x86_64                           1.14-13.el7               base
zlib-devel.i686                       1.2.7-17.el7              base
zlib-devel.x86_64                     1.2.7-17.el7              base

・Installing the packages

# yum -y install \
> gcc \
> libacl-devel \
> libblkid-devel \
> gnutls-devel \
> readline-devel \
> python-devel \
> gdb \
> krb5-workstation \
> zlib-devel \
> setroubleshoot-server \
> libaio-devel \
> setroubleshoot-plugins \
> policycoreutils-python \
> libsemanage-python \
> setools-libs-python \
> setools-libs \
> popt-devel \
> libpcap-devel \
> sqlite-devel \
> libidn-devel \
> libxml2-devel \
> libacl-devel \
> libsepol-devel \
> libattr-devel \
> keyutils-libs-devel \
> cyrus-sasl-devel \
> cups-devel \
> libxslt \
> docbook-style-xsl \
> openldap-devel \
> pam-devel \
> bzip2 \
> wget
    :(omitted)
Installed:
  bzip2.x86_64 0:1.0.6-13.el7
  cups-devel.x86_64 1:1.6.3-26.el7
  cyrus-sasl-devel.x86_64 0:2.1.26-20.el7_2
  docbook-style-xsl.noarch 0:1.78.1-3.el7
  gcc.x86_64 0:4.8.5-11.el7
  gdb.x86_64 0:7.6.1-94.el7
  gnutls-devel.x86_64 0:3.3.24-1.el7
  keyutils-libs-devel.x86_64 0:1.5.8-3.el7
  krb5-workstation.x86_64 0:1.14.1-27.el7_3
  libacl-devel.x86_64 0:2.2.51-12.el7
  libaio-devel.x86_64 0:0.3.109-13.el7
  libattr-devel.x86_64 0:2.4.46-12.el7
  libblkid-devel.x86_64 0:2.23.2-33.el7_3.2
  libidn-devel.x86_64 0:1.28-4.el7
  libpcap-devel.x86_64 14:1.5.3-8.el7
  libsemanage-python.x86_64 0:2.5-5.1.el7_3
  libsepol-devel.x86_64 0:2.5-6.el7
  libxml2-devel.x86_64 0:2.9.1-6.el7_2.3
  libxslt.x86_64 0:1.1.28-5.el7
  openldap-devel.x86_64 0:2.4.40-13.el7
  pam-devel.x86_64 0:1.1.8-18.el7
  policycoreutils-python.x86_64 0:2.5-11.el7_3
  popt-devel.x86_64 0:1.13-16.el7
  python-devel.x86_64 0:2.7.5-48.el7
  readline-devel.x86_64 0:6.2-9.el7
  setools-libs.x86_64 0:3.3.8-1.1.el7
  setroubleshoot-plugins.noarch 0:3.0.64-2.1.el7
  setroubleshoot-server.x86_64 0:3.2.27.2-3.el7
  sqlite-devel.x86_64 0:3.7.17-8.el7
  wget.x86_64 0:1.14-13.el7
  zlib-devel.x86_64 0:1.2.7-17.el7
 
Dependency Installed:
  audit-libs-python.x86_64 0:2.6.5-3.el7_3.1
  avahi-libs.x86_64 0:0.6.31-17.el7
  checkpolicy.x86_64 0:2.5-4.el7
  cpp.x86_64 0:4.8.5-11.el7
  cups-libs.x86_64 1:1.6.3-26.el7
  cyrus-sasl.x86_64 0:2.1.26-20.el7_2
  docbook-dtds.noarch 0:1.0-60.el7
  glibc-devel.x86_64 0:2.17-157.el7_3.2
  glibc-headers.x86_64 0:2.17-157.el7_3.2
  gmp-devel.x86_64 1:6.0.0-12.el7_1
  gnutls-c++.x86_64 0:3.3.24-1.el7
  gnutls-dane.x86_64 0:3.3.24-1.el7
  kernel-headers.x86_64 0:3.10.0-514.21.1.el7
  krb5-devel.x86_64 0:1.14.1-27.el7_3
  ldns.x86_64 0:1.6.16-10.el7
  libcgroup.x86_64 0:0.41-11.el7
  libcom_err-devel.x86_64 0:1.42.9-9.el7
  libevent.x86_64 0:2.0.21-4.el7
  libkadm5.x86_64 0:1.14.1-27.el7_3
  libmpc.x86_64 0:1.0.1-3.el7
  libselinux-devel.x86_64 0:2.5-6.el7
  libtasn1-devel.x86_64 0:3.8-3.el7
  libuuid-devel.x86_64 0:2.23.2-33.el7_3.2
  libverto-devel.x86_64 0:0.2.5-4.el7
  mpfr.x86_64 0:3.1.1-4.el7
  ncurses-devel.x86_64 0:5.9-13.20130511.el7
  nettle-devel.x86_64 0:2.7.1-8.el7
  openssl-devel.x86_64 1:1.0.1e-60.el7_3.1
  p11-kit-devel.x86_64 0:0.20.7-3.el7
  pcre-devel.x86_64 0:8.32-15.el7_2.1
  pygobject2.x86_64 0:2.28.6-11.el7
  python-IPy.noarch 0:0.75-6.el7
  sgml-common.noarch 0:0.6.3-39.el7
  systemd-python.x86_64 0:219-30.el7_3.9
  unbound-libs.x86_64 0:1.4.20-28.el7
  xml-common.noarch 0:0.6.3-39.el7
  xz-devel.x86_64 0:5.2.2-1.el7
 
Dependency Updated:
  glibc.x86_64 0:2.17-157.el7_3.2
  glibc-common.x86_64 0:2.17-157.el7_3.2
  libgudev1.x86_64 0:219-30.el7_3.9
  systemd.x86_64 0:219-30.el7_3.9
  systemd-libs.x86_64 0:219-30.el7_3.9
  systemd-sysv.x86_64 0:219-30.el7_3.9
 
Complete!

Obtaining and compiling the source

Obtain the source and compile it.

・Obtaining the source

The same directory also carries the detached signature samba-4.6.5.tar.asc (made over the uncompressed tar), which is worth verifying against the Samba release-signing key before building anything from the download.

# wget https://download.samba.org/pub/samba/stable/samba-4.6.5.tar.gz
   :(omitted)
2017-06-20 21:17:43 (476 KB/s) - ‘samba-4.6.5.tar.gz’ saved [21111639/21111639]

・Compiling
Reference URL
https://wiki.samba.org/index.php/Build_Samba_from_Source

Options (see "-h" for the others; without --prefix everything is installed under /usr/local/samba, which all the paths below rely on; the first two options are developer options and a production DC builds fine without them)
 --enable-debug
   Enable debug symbols.
 --enable-selftest
   Enable what the self-test needs.
 --with-systemd
   Enable systemd integration.

# tar -zxvf samba-4.6.5.tar.gz
# cd /tmp/samba-4.6.5
# ./configure --enable-debug --enable-selftest --with-systemd
   :(omitted)
'configure' finished successfully (2m8.913s)
# make && make install
   :(omitted)
'build' finished successfully (24m40.566s)
   :(omitted)
'install' finished successfully (7m51.504s)

Domain provisioning

Perform the domain provisioning.

・Preparation

# vim /etc/krb5.conf
   :(omitted)
#includedir /etc/krb5.conf.d/    <= comment out: Samba's bundled Heimdal Kerberos library does not parse this MIT-specific directive
   :(omitted)
# vim /root/.bash_profile
   :(omitted)
export PATH=/usr/local/samba/bin:${PATH}
   :(omitted)
# source /root/.bash_profile

・Domain provisioning

# samba-tool domain provision --use-rfc2307 --interactive
Realm [ORANGETAKAM.LOCAL]: <= press [Enter]
 Domain [ORANGETAKAM]: <= press [Enter]
 Server Role (dc, member, standalone) [dc]: <= press [Enter]
 DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: <= press [Enter]
 DNS forwarder IP address (write 'none' to disable forwarding) [192.168.1.221]: <= press [Enter] (the default is the first nameserver in /etc/resolv.conf)
Administrator password: RootPass01 <= set a reasonably strong password; weak ones are rejected (the prompt does not echo it, it is shown here only for the walkthrough)
Retype password: RootPass01
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=orangetakam,DC=local
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=orangetakam,DC=local
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba AD has been generated at /usr/local/samba/private/krb5.conf
Setting up fake yp server settings
Once the above files are installed, your Samba4 server will be ready to use
Server Role:           active directory domain controller
Hostname:              dcserv01
NetBIOS Domain:        ORANGETAKAM
DNS Domain:            orangetakam.local
DOMAIN SID:            S-1-5-21-2116232042-1158821530-1354426569

・Generated parameters (the forwarder is the 192.168.1.221 accepted at the prompt above)

# cat /usr/local/samba/etc/smb.conf
# Global parameters
[global]
        netbios name = DCSERV01
        realm = ORANGETAKAM.LOCAL
        workgroup = ORANGETAKAM
        dns forwarder = 192.168.1.221
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
 
[netlogon]
        path = /usr/local/samba/var/locks/sysvol/orangetakam.local/scripts
        read only = No
 
[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

Firewall rules

Active Directory uses many ports, and every open port is attack surface, so only the ports the DC actually needs are allowed. One caveat on the two dynamic RPC ranges below: they are the Windows Server conventions (1025-5000 for 2003, 49152-65535 for 2008 and later). Samba releases before 4.7 allocate their dynamic RPC endpoints from 1024-1300/tcp, so for 4.6.5 that single range is enough; from 4.7 on the default is 49152-65535/tcp and is set with the smb.conf parameter "rpc server dynamic port range".

# firewall-cmd --add-port=53/tcp --permanent <= DNS(Domain Name System)
success
# firewall-cmd --add-port=53/udp --permanent <= DNS(Domain Name System)
success
# firewall-cmd --add-port=88/tcp --permanent <= Kerberos authentication system
success
# firewall-cmd --add-port=88/udp --permanent <= Kerberos authentication system
success
# firewall-cmd --add-port=135/tcp --permanent <= MS[DCE/RPC Locater],[DCOM]
success
# firewall-cmd --add-port=137-138/udp --permanent <= NetBIOS Name Service, NetBIOS Datagram Service
success
# firewall-cmd --add-port=139/tcp --permanent <= NetBIOS Session Service
success
# firewall-cmd --add-port=389/tcp --permanent <= LDAP(Light Weight Directory Access Protocol)
success
# firewall-cmd --add-port=389/udp --permanent <= LDAP(Light Weight Directory Access Protocol)
success
# firewall-cmd --add-port=445/tcp --permanent <= MS-DS[Active Directory],[Windows Share],[SMB file Sharing]
success
# firewall-cmd --add-port=464/tcp --permanent <= Kerberos Change/Set password
success
# firewall-cmd --add-port=464/udp --permanent <= Kerberos Change/Set password
success
# firewall-cmd --add-port=636/tcp --permanent <= LDAPS(Light Weight Directory Access Protocol over TLS/SSL)
success
# firewall-cmd --add-port=1025-5000/tcp --permanent <= RPC dynamic (Windows Server 2003 default range)
success
# firewall-cmd --add-port=49152-65535/tcp --permanent <= RPC dynamic (Windows Server 2008 and later default range)
success
# firewall-cmd --add-port=3268-3269/tcp --permanent <= Microsoft Global Catalog [LDAP],[LDAPS]
success
# firewall-cmd --reload
success
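As an added example (not code from the original page), a small script that generates the firewall-cmd lines for a tight AD DC allow-list and audits the sockets the host actually listens on against it, so that anything reachable was a deliberate decision. The allow-list is the one used above with the dynamic RPC range narrowed to 1024-1300/tcp, which is what Samba before 4.7 uses (an assumption to adjust via DYNAMIC_RPC for 4.7 and later); the `ss -lntu` sample embedded in it is constructed, not captured from a real host.

```bash
#!/bin/bash
# dc_port_audit.sh - added example, not part of the original page.
# Usage: ./dc_port_audit.sh rules   (print the firewall-cmd lines for the allow-list)
#        ./dc_port_audit.sh audit   (compare `ss -lntu` on this host with the allow-list)
#        ./dc_port_audit.sh demo    (same audit over the constructed sample below)
set -eu

# Dynamic RPC range: Samba releases before 4.7 allocate RPC endpoints from 1024-1300/tcp;
# from 4.7 the default is 49152-65535/tcp (smb.conf "rpc server dynamic port range").
DYNAMIC_RPC=${DYNAMIC_RPC:-1024-1300/tcp}
ALLOWED="53/tcp 53/udp 88/tcp 88/udp 135/tcp 137-138/udp 139/tcp 389/tcp 389/udp 445/tcp 464/tcp 464/udp 636/tcp 3268-3269/tcp $DYNAMIC_RPC"

# Constructed sample of `ss -lntu` output: a few DC ports, one RPC endpoint, plus sshd.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      *:53               *:*
udp   UNCONN 0      0      *:88               *:*
tcp   LISTEN 0      50     *:445              *:*
tcp   LISTEN 0      128    *:22               *:*
tcp   LISTEN 0      50     :::389             :::*
tcp   LISTEN 0      50     *:1024             *:*'

# port_allowed PORT PROTO SPEC... : 0 if PORT/PROTO is inside one of the SPEC entries ("53/udp", "137-138/udp")
port_allowed() {
    local port=$1 proto=$2 spec range lo hi
    shift 2
    for spec in "$@"; do
        [ "${spec##*/}" = "$proto" ] || continue
        range=${spec%/*}
        lo=${range%-*}; hi=${range#*-}
        if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then return 0; fi
    done
    return 1
}

# listeners < ss-output : "proto port" per listening socket, one line each, in a fixed order
listeners() {
    awk 'NR > 1 && ($1 == "tcp" || $1 == "udp") { n = split($5, a, ":"); print $1, a[n] }' | LC_ALL=C sort -u
}

# audit < ss-output : print PORT/PROTO for every listener the allow-list does not cover.
# Anything printed is either a non-Samba service the host runs (sshd, chronyd, ...) that needs
# its own firewall decision, or a Samba port that was forgotten.
audit() {
    listeners | while read -r proto port; do
        port_allowed "$port" "$proto" $ALLOWED || echo "$port/$proto"
    done
}

# firewall_rules SPEC... : the firewall-cmd invocations that open exactly SPEC..., to review before running
firewall_rules() {
    local spec
    for spec in "$@"; do
        echo "firewall-cmd --permanent --add-port=$spec"
    done
    echo "firewall-cmd --reload"
}

case ${1:-} in
    rules) firewall_rules $ALLOWED ;;
    audit) ss -lntu | audit ;;
    demo)  printf '%s\n' "$SAMPLE_SS" | audit ;;
esac
```

On the sample the audit reports only 22/tcp: sshd is not a DC port and is covered by the ssh service of the default zone rather than by this list, which is exactly the kind of exception the audit is meant to surface.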

Checking the available domain functional levels

With version 4.6.5 the highest available level was "2008 R2".

# samba-tool domain level -h <= check in the help output
   :(省略)
Options:
   :(省略)
  --forest-level=FOREST_LEVEL
                        The forest function level (2003 | 2008 | 2008_R2 |
                        2012 | 2012_R2)
  --domain-level=DOMAIN_LEVEL
                        The domain function level (2003 | 2008 | 2008_R2 |
                        2012 | 2012_R2)
   :(省略)
# samba-tool domain level show
Domain and forest function level for domain 'DC=orangetakam,DC=local'
 
Forest function level: (Windows) 2008 R2
Domain function level: (Windows) 2008 R2
Lowest function level of a DC: (Windows) 2008 R2  <= levels higher than this cannot be set

Changing the DNS resolver

On the local network this DC does the name resolution, so its resolver is pointed at localhost. A DC has to use its own DNS: with SAMBA_INTERNAL the domain's records exist only in Samba's internal DNS, and everything outside the domain is passed on to the forwarder set in smb.conf.

# nmcli device show eth0 | grep DNS
IP4.DNS[1]:                 192.168.1.221
IP4.DNS[2]:                 192.168.1.222
# nmcli connection modify eth0 ipv4.dns "127.0.0.1"

Changing parameters

Multiple DNS forwarders can now be specified, so forward to the existing master and slave BIND servers.

Reference URL
https://wiki.samba.org/index.php/Samba_Internal_DNS_Back_End#Setting_up_a_DNS_Forwarder

# cp -p /usr/local/samba/etc/smb.conf /usr/local/samba/etc/smb.conf.original
# vim /usr/local/samba/etc/smb.conf
# Global parameters
[global]
        netbios name = DCSERV01
        realm = ORANGETAKAM.LOCAL
        workgroup = ORANGETAKAM
        dns forwarder = 192.168.1.221 192.168.1.222   <= multiple forwarders allowed from version 4.5
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
 
[netlogon]
        path = /usr/local/samba/var/locks/sysvol/orangetakam.local/scripts
        read only = No
 
[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

Reboot

Reboot the machine so the settings take effect.

# shutdown -r now

Auto-start (systemd) configuration

Create the systemd unit file.

# vim /etc/systemd/system/samba.service
[Unit]
Description= Samba 4 Active Directory
After=syslog.target
After=network.target
 
[Service]
Type=forking
PIDFile=/usr/local/samba/var/run/samba.pid
ExecStart=/usr/local/samba/sbin/samba
 
[Install]
WantedBy=multi-user.target

Enabling auto-start and starting the service

Enable auto-start and start the service.

# systemctl enable samba
Created symlink from /etc/systemd/system/multi-user.target.wants/samba.service
 to /etc/systemd/system/samba.service.
# systemctl start samba

Checking the zones

Check the DNS zones held by Samba. Both zones carry DNS_RPC_ZONE_UPDATE_SECURE: only authenticated (GSS-TSIG) dynamic updates are accepted, which is why the nsupdate test later on uses -g.

# samba-tool dns zonelist localhost -U Administrator
Password for [ORANGETAKAM\Administrator]: RootPass01
  2 zone(s) found
 
  pszZoneName                 : orangetakam.local
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.orangetakam.local
 
  pszZoneName                 : _msdcs.orangetakam.local
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : ForestDnsZones.orangetakam.local

Checking SRV records

About SRV records

 An SRV record (service record) lets DNS publish information about services, not just the usual host name and IP address resolution. Domain clients locate a DC through these records, so they must resolve before any machine is joined.

Check the LDAP SRV record.

# host -t SRV _ldap._tcp.orangetakam.local.
_ldap._tcp.orangetakam.local has SRV record 0 100 389 dcserv01.orangetakam.local.

Check the Kerberos SRV record.

# host -t SRV _kerberos._udp.orangetakam.local.
_kerberos._udp.orangetakam.local has SRV record 0 100 88 dcserv01.orangetakam.local.

Checking the A record

Check the A record of the DC being built.

# host -t A dcserv01.orangetakam.local.
dcserv01.orangetakam.local has address 192.168.1.111

Checking the share list

List the available shares.

# smbclient -L localhost -U administrator
Enter ORANGETAKAM\administrator's password: RootPass01
Domain=[ORANGETAKAM] OS=[] Server=[]
 
        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk
        sysvol          Disk
        IPC$            IPC       IPC Service (Samba 4.6.5)
Domain=[ORANGETAKAM] OS=[] Server=[]
 
        Server               Comment
        ---------            -------
 
        Workgroup            Master
        ---------            -------

Checking a share connection

Check a share connection using netlogon.

# smbclient //dcserv01.orangetakam.local/netlogon -U administrator
Enter ORANGETAKAM\administrator's password: RootPass01
smb: \> ls
  .                                   D        0  Wed Jun 22 23:17:53 2017
  ..                                  D        0  Wed Jun 22 23:18:27 2017
 
                8898560 blocks of size 1024. 6558356 blocks available
smb: \> help
?              allinfo        altname        archive        backup
blocksize      cancel         case_sensitive cd             chmod
chown          close          del            dir            du
echo           exit           get            getfacl        geteas
hardlink       help           history        iosize         lcd
link           lock           lowercase      ls             l
mask           md             mget           mkdir          more
mput           newer          notify         open           posix
posix_encrypt  posix_open     posix_mkdir    posix_rmdir    posix_unlink
posix_whoami   print          prompt         put            pwd
q              queue          quit           readlink       rd
recurse        reget          rename         reput          rm
rmdir          showacls       setea          setmode        scopy
stat           symlink        tar            tarmode        timeout
translate      unlock         volume         vuid           wdel
logon          listconnect    showconnect    tcon           tdis
tid            logoff         ..             !
smb: \> exit

Changing the Kerberos parameters

Change the Kerberos parameters. Provisioning also generated a krb5.conf suited to Samba AD at /usr/local/samba/private/krb5.conf, which could be copied to /etc/krb5.conf instead; here the system file is edited by hand.

# cp -p /etc/krb5.conf /etc/krb5.conf.bak.20170622
# vim /etc/krb5.conf
# Configuration snippets may be placed in this directory as well
#includedir /etc/krb5.conf.d/
 
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
 
[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = ORANGETAKAM.LOCAL
 default_ccache_name = KEYRING:persistent:%{uid}
 
[realms]
 ORANGETAKAM.LOCAL = {
  kdc = dcserv01.orangetakam.local
  admin_server = dcserv01.orangetakam.local
 }
 
[domain_realm]
 .orangetakam.local = ORANGETAKAM.LOCAL
 orangetakam.local = ORANGETAKAM.LOCAL
# diff /etc/krb5.conf.bak.20170622 /etc/krb5.conf
15c15
< # default_realm = EXAMPLE.COM
---
>  default_realm = ORANGETAKAM.LOCAL
19,22c19,22
< # EXAMPLE.COM = {
< #  kdc = dcserv01.example.com
< #  admin_server = dcserv01.example.com
< # }
---
>  ORANGETAKAM.LOCAL = {
>   kdc = kerberos.orangetakam.local
>   admin_server = kerberos.orangetakam.local
>  }
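Review bot: the `>` side of this hunk sets kdc and admin_server to kerberos.orangetakam.local, but the /etc/krb5.conf listed just above has `kdc = dcserv01.orangetakam.local` and `admin_server = dcserv01.orangetakam.local`, and neither the zone listing nor the SRV checks on this page show any kerberos.orangetakam.local name. As written in the hunk, kinit would not reach the KDC; make the diff match the file (dcserv01.orangetakam.local), or drop the explicit kdc/admin_server lines and rely on the _kerberos SRV records, which the page verifies.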
25,26c25,26
< # .example.com = EXAMPLE.COM
< # example.com = EXAMPLE.COM
---
>  .orangetakam.local = ORANGETAKAM.LOCAL
>  orangetakam.local = ORANGETAKAM.LOCAL

Checking Kerberos

Try a dynamic DNS update through Kerberos authentication.
nsupdate is the dynamic-update command; its -g option authenticates the update with Kerberos (GSS-TSIG).

# klist
klist: Credentials cache keyring 'persistent:0:0' not found
# kinit administrator@ORANGETAKAM.LOCAL
Password for administrator@ORANGETAKAM.LOCAL: RootPass01
Warning: Your password will expire in 41 days on Wed 02 Aug 2017 02:18:27 PM JST
# nsupdate -g
> update add testts01.orangetakam.local 100 IN A 192.168.1.200     <= add
> send
; TSIG error with server: tsig verify failure  <= printed with SAMBA_INTERNAL even though the update was applied; the lookup below is the real check
> quit
# host -t A testts01.orangetakam.local
testts01.orangetakam.local has address 192.168.1.200
# nsupdate -g
> update delete testts01.orangetakam.local 100 IN A 192.168.1.200  <= delete
> send
; TSIG error with server: tsig verify failure  <= printed with SAMBA_INTERNAL even though the update was applied; the lookup below is the real check
> quit
# host -t A testts01.orangetakam.local
Host testts01.orangetakam.local not found: 3(NXDOMAIN)
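As an added example (not code from the original page), a script that folds the two DNS checks above into one pass: the SRV and A records of the "SRV record check" and "A record check" sections, extended to the full set of names a client's DC locator queries, and the nsupdate -g round trip of this section, judged by the lookup afterwards rather than by the "tsig verify failure" message. The domain, DC name and scratch record are the ones used on this page; the list of locator records and their ports is an assumption of the script, taken from what Samba registers for a DC, and the script expects an existing Kerberos ticket (kinit as above).

```bash
#!/bin/bash
# dc_dns_check.sh - added example, not part of the original page.
# Usage: kinit administrator@ORANGETAKAM.LOCAL; ./dc_dns_check.sh run
#        (without "run" nothing is executed)
set -eu

DOMAIN=orangetakam.local
DC_FQDN=dcserv01.orangetakam.local
DC_IP=192.168.1.111
TEST_NAME=testts01.$DOMAIN     # scratch record, as on the page
TEST_IP=192.168.1.200

# SRV names under $DOMAIN that the DC locator queries, with the port each must carry
SRV_EXPECTED='_ldap._tcp 389
_ldap._tcp.dc._msdcs 389
_ldap._tcp.pdc._msdcs 389
_ldap._tcp.gc._msdcs 3268
_gc._tcp 3268
_kerberos._tcp 88
_kerberos._udp 88
_kpasswd._tcp 464
_kpasswd._udp 464'

# parse_srv < host-output : "priority weight port target" per answer line of `host -t SRV`
parse_srv() {
    awk '/ has SRV record / { sub(/\.$/, "", $NF); print $(NF-3), $(NF-2), $(NF-1), tolower($NF) }'
}

# srv_points_at TARGET PORT < host-output : 0 if some SRV answer names TARGET on PORT
srv_points_at() {
    parse_srv | awk -v t="$(echo "$1" | tr 'A-Z' 'a-z')" -v p="$2" \
        '$4 == t && $3 == p { ok = 1 } END { exit !ok }'
}

# a_is ADDRESS < host-output : 0 if `host -t A` answered with ADDRESS
a_is() {
    awk -v ip="$1" '/ has address / && $NF == ip { ok = 1 } END { exit !ok }'
}

# nsupdate_batch add|delete NAME TTL IP : the nsupdate script for one A-record change
nsupdate_batch() {
    printf 'update %s %s %s IN A %s\nsend\n' "$1" "$2" "$3" "$4"
}

# check_locator_records : every SRV name must point at this DC on the right port, plus the A record
check_locator_records() {
    local fail=0 name port
    while read -r name port; do
        if host -t SRV "$name.$DOMAIN." 2>/dev/null | srv_points_at "$DC_FQDN" "$port"; then
            echo "ok      $name.$DOMAIN -> $DC_FQDN:$port"
        else
            echo "MISSING $name.$DOMAIN (expected $DC_FQDN:$port)"; fail=1
        fi
    done <<EOF
$SRV_EXPECTED
EOF
    if host -t A "$DC_FQDN." 2>/dev/null | a_is "$DC_IP"; then
        echo "ok      $DC_FQDN -> $DC_IP"
    else
        echo "MISSING A record $DC_FQDN -> $DC_IP"; fail=1
    fi
    return $fail
}

# dynamic_update_roundtrip : add then delete TEST_NAME via nsupdate -g, verifying each step by lookup.
# The internal DNS answers the signed update with a "tsig verify failure" even when it applied the
# change, so that message is filtered out and only the lookup decides.
dynamic_update_roundtrip() {
    klist -s || { echo "no Kerberos ticket; run kinit first" >&2; return 1; }
    nsupdate_batch add "$TEST_NAME" 100 "$TEST_IP" | nsupdate -g 2>&1 | grep -v 'tsig verify failure' || true
    host -t A "$TEST_NAME." 2>/dev/null | a_is "$TEST_IP" || { echo "add of $TEST_NAME was not applied" >&2; return 1; }
    nsupdate_batch delete "$TEST_NAME" 100 "$TEST_IP" | nsupdate -g 2>&1 | grep -v 'tsig verify failure' || true
    if host -t A "$TEST_NAME." 2>/dev/null | a_is "$TEST_IP"; then
        echo "delete of $TEST_NAME was not applied" >&2; return 1
    fi
    echo "ok      dynamic update (GSS-TSIG) add/delete of $TEST_NAME"
}

if [ "${1:-}" = run ]; then
    check_locator_records
    dynamic_update_roundtrip
fi
```

The SRV comparison is case-insensitive because the target comes back in whatever case the record holds (dcserv01 here, while /etc/hosts uses DCSERV01); a missing _kpasswd or _msdcs entry shows up as a failed password change or a failed domain join on the client side long before it shows up in a manual `host` check.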

This completes the build of the domain controller server with Samba.