CentOS7.4 VPNをSAMBA4で認証(3/3)[SAMBA構築編]


VPN経由からの認証リクエストをRADIUSで受け付けて、SAMBAにあるユーザー情報(LDAP)で認証できるようにします。

とりあえず、荒削りですがVPNからの接続でSAMBA(LDAP)で認証させる方法の最終となります。
細かいところは、時間があるときに、ちょこちょこと触っていくことにします。

この記事に関して

以前は、RADIUSサーバーでのユーザー情報の管理をしていましたが、最終目標であるSAMBA(LDAP)にあるユーザー情報で認証させることになります。

[ VPNクライアント ] - [ VPNサーバー ] - [ RADIUSサーバー ] - [ SAMBAサーバー ]

までの環境構築になります。

SAMBAのインストールについて

SAMBAは、ソースからのコンパイルを行なってからインストールします。
何回かSAMBAをインストールしていますが、現時点で最新の「samba-4.7.4」で行ないます。
※CentOS7にもsambaパッケージは存在しますが、MIT Kerberosに対してビルドされておりAD DC機能が含まれないため、AD DC用途には使用できません。SAMBA 4.7では、AD DCは同梱のHeimdal KDCでのみ正式サポートです(MIT KDC対応は4.7時点では実験的扱い)。
なお、ソースからビルドすると、以後はyum updateでセキュリティ修正が入りません。Sambaのセキュリティアドバイザリを自分で追いかけて再ビルド・再インストールする運用が必要になる点に注意してください。

参考URL
https://wiki.samba.org/index.php/Distribution-specific_Package_Installation

前準備

前準備を行ないます。

[SMB]# cp -p /etc/hosts /etc/hosts.original
[SMB]# vim /etc/hosts
127.0.0.1     localhost localhost.localdomain localhost4 localhost4.localdomain4
::1           localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.1.200 SMB.orangetakam.local SMB  <= 自ホスト名を追記。※後述のprovisionでDNSドメインをprd.orangetakam.localにするため、FQDNはそれに合わせてSMB.prd.orangetakam.localにしておくこと(後述のkrb5.confのkdc指定とも一致させる)
[SMB]# mv /etc/krb5.conf /etc/krb5.conf.original <= ファイルがあれば

コンパイルの前準備

コンパイルする前に、前提となるパッケージをインストールします。

 参考URL
https://wiki.samba.org/index.php/Package_Dependencies_Required_to_Build_Samba

[SMB]# yum list \
> attr \
> bind-utils \
> docbook-style-xsl \
> gcc \
> gdb \
> krb5-workstation \
> libsemanage-python \
> libxslt \
> perl \
> perl-ExtUtils-MakeMaker \
> perl-Parse-Yapp \
> perl-Test-Base \
> pkgconfig \
> policycoreutils-python \
> python-crypto \
> gnutls-devel \
> libattr-devel \
> keyutils-libs-devel \
> libacl-devel \
> libaio-devel \
> libblkid-devel \
> libxml2-devel \
> openldap-devel \
> pam-devel \
> popt-devel \
> python-devel \
> readline-devel \
> zlib-devel \
> systemd-devel
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Installed Packages
bind-utils.x86_64                  32:9.9.4-51.el7_4.1      @updates
perl.x86_64                        4:5.16.3-292.el7         @base
pkgconfig.x86_64                   1:0.27.1-4.el7           @anaconda
Available Packages
attr.x86_64                        2.4.46-12.el7            base
docbook-style-xsl.noarch           1.78.1-3.el7             base
gcc.x86_64                         4.8.5-16.el7_4.1         updates
gdb.x86_64                         7.6.1-100.el7            base
gnutls-devel.i686                  3.3.26-9.el7             base
gnutls-devel.x86_64                3.3.26-9.el7             base
keyutils-libs-devel.i686           1.5.8-3.el7              base
keyutils-libs-devel.x86_64         1.5.8-3.el7              base
krb5-workstation.x86_64            1.15.1-8.el7             base
libacl-devel.i686                  2.2.51-12.el7            base
libacl-devel.x86_64                2.2.51-12.el7            base
libaio-devel.i686                  0.3.109-13.el7           base
libaio-devel.x86_64                0.3.109-13.el7           base
libattr-devel.i686                 2.4.46-12.el7            base
libattr-devel.x86_64               2.4.46-12.el7            base
libblkid-devel.i686                2.23.2-43.el7_4.2        updates
libblkid-devel.x86_64              2.23.2-43.el7_4.2        updates
libsemanage-python.x86_64          2.5-8.el7                base
libxml2-devel.i686                 2.9.1-6.el7_2.3          base
libxml2-devel.x86_64               2.9.1-6.el7_2.3          base
libxslt.i686                       1.1.28-5.el7             base
libxslt.x86_64                     1.1.28-5.el7             base
openldap-devel.i686                2.4.44-5.el7             base
openldap-devel.x86_64              2.4.44-5.el7             base
pam-devel.i686                     1.1.8-18.el7             base
pam-devel.x86_64                   1.1.8-18.el7             base
perl-ExtUtils-MakeMaker.noarch     6.68-3.el7               base
perl-Parse-Yapp.noarch             1.05-50.el7              base
pkgconfig.i686                     1:0.27.1-4.el7           base
policycoreutils-python.x86_64      2.5-17.1.el7             base
popt-devel.i686                    1.13-16.el7              base
popt-devel.x86_64                  1.13-16.el7              base
python-crypto.x86_64               2.6.1-1.el7.centos       extras
python-devel.x86_64                2.7.5-58.el7             base
readline-devel.i686                6.2-10.el7               base
readline-devel.x86_64              6.2-10.el7               base
systemd-devel.i686                 219-42.el7_4.4           updates
systemd-devel.x86_64               219-42.el7_4.4           updates
zlib-devel.i686                    1.2.7-17.el7             base
zlib-devel.x86_64                  1.2.7-17.el7             base
[SMB]# yum install \
> attr \
> bind-utils \
> docbook-style-xsl \
> gcc \
> gdb \
> krb5-workstation \
> libsemanage-python \
> libxslt \
> perl \
> perl-ExtUtils-MakeMaker \
> perl-Parse-Yapp \
> perl-Test-Base \
> pkgconfig \
> policycoreutils-python \
> python-crypto \
> gnutls-devel \
> libattr-devel \
> keyutils-libs-devel \
> libacl-devel \
> libaio-devel \
> libblkid-devel \
> libxml2-devel \
> openldap-devel \
> pam-devel \
> popt-devel \
> python-devel \
> readline-devel \
> zlib-devel \
> systemd-devel
   :(省略)
No package perl-Test-Base available. <= 標準リポジトリーになかった
   :(省略)
Installed:
  attr.x86_64 0:2.4.46-12.el7                    docbook-style-xsl.noarch 0:1.78.1-3.el7
  gcc.x86_64 0:4.8.5-16.el7_4.1                  gdb.x86_64 0:7.6.1-100.el7
  gnutls-devel.x86_64 0:3.3.26-9.el7             keyutils-libs-devel.x86_64 0:1.5.8-3.el7
  krb5-workstation.x86_64 0:1.15.1-8.el7         libacl-devel.x86_64 0:2.2.51-12.el7
  libaio-devel.x86_64 0:0.3.109-13.el7           libattr-devel.x86_64 0:2.4.46-12.el7
  libblkid-devel.x86_64 0:2.23.2-43.el7_4.2      libsemanage-python.x86_64 0:2.5-8.el7
  libxml2-devel.x86_64 0:2.9.1-6.el7_2.3         libxslt.x86_64 0:1.1.28-5.el7
  openldap-devel.x86_64 0:2.4.44-5.el7           pam-devel.x86_64 0:1.1.8-18.el7
  perl-ExtUtils-MakeMaker.noarch 0:6.68-3.el7    perl-Parse-Yapp.noarch 0:1.05-50.el7
  policycoreutils-python.x86_64 0:2.5-17.1.el7   popt-devel.x86_64 0:1.13-16.el7
  python-devel.x86_64 0:2.7.5-58.el7             python2-crypto.x86_64 0:2.6.1-15.el7
  readline-devel.x86_64 0:6.2-10.el7             systemd-devel.x86_64 0:219-42.el7_4.4
  zlib-devel.x86_64 0:1.2.7-17.el7
 
Dependency Installed:
  audit-libs-python.x86_64 0:2.7.6-3.el7         checkpolicy.x86_64 0:2.5-4.el7
  cpp.x86_64 0:4.8.5-16.el7_4.1                  cyrus-sasl.x86_64 0:2.1.26-21.el7
  cyrus-sasl-devel.x86_64 0:2.1.26-21.el7        docbook-dtds.noarch 0:1.0-60.el7
  gdbm-devel.x86_64 0:1.10-8.el7                 glibc-devel.x86_64 0:2.17-196.el7_4.2
  glibc-headers.x86_64 0:2.17-196.el7_4.2        gmp-devel.x86_64 1:6.0.0-15.el7
  gnutls-c++.x86_64 0:3.3.26-9.el7               gnutls-dane.x86_64 0:3.3.26-9.el7
  kernel-headers.x86_64 0:3.10.0-693.11.6.el7    ldns.x86_64 0:1.6.16-10.el7
  libcgroup.x86_64 0:0.41-13.el7                 libdb-devel.x86_64 0:5.3.21-20.el7
  libevent.x86_64 0:2.0.21-4.el7                 libkadm5.x86_64 0:1.15.1-8.el7
  libmpc.x86_64 0:1.0.1-3.el7                    libtasn1-devel.x86_64 0:4.10-1.el7
  libtomcrypt.x86_64 0:1.17-26.el7               libtommath.x86_64 0:0.42.0-6.el7
  libuuid-devel.x86_64 0:2.23.2-43.el7_4.2       mpfr.x86_64 0:3.1.1-4.el7
  ncurses-devel.x86_64 0:5.9-14.20130511.el7_4   nettle-devel.x86_64 0:2.7.1-8.el7
  p11-kit-devel.x86_64 0:0.23.5-3.el7            perl-ExtUtils-Install.noarch 0:1.58-292.el7
  perl-ExtUtils-Manifest.noarch 0:1.61-244.el7   perl-ExtUtils-ParseXS.noarch 1:3.18-3.el7
  perl-Test-Harness.noarch 0:3.28-3.el7          perl-devel.x86_64 4:5.16.3-292.el7
  pyparsing.noarch 0:1.5.6-9.el7                 python-IPy.noarch 0:0.75-6.el7
  setools-libs.x86_64 0:3.3.8-1.1.el7            sgml-common.noarch 0:0.6.3-39.el7
  systemtap-sdt-devel.x86_64 0:3.1-4.el7_4       unbound-libs.x86_64 0:1.4.20-34.el7
  xml-common.noarch 0:0.6.3-39.el7               xz-devel.x86_64 0:5.2.2-1.el7
 
Complete!
[SMB]# yum info perl-Test-Base --enablerepo=epel
   :(省略)
Available Packages
Name        : perl-Test-Base
Arch        : noarch
Version     : 0.62
Release     : 1.el7
Size        : 51 k
Repo        : epel/x86_64
Summary     : Data Driven Testing Framework
   :(省略)
[SMB]# yum install perl-Test-Base --enablerepo=epel -y <= EPELからインストール
   :(省略)
Installed:
  perl-Test-Base.noarch 0:0.62-1.el7
 
Dependency Installed:
  mailcap.noarch 0:2.1.41-2.el7                     perl-Algorithm-Diff.noarch 0:1.1902-17.el7
  perl-Archive-Extract.noarch 1:0.68-3.el7          perl-Archive-Zip.noarch 0:1.30-11.el7
  perl-Business-ISBN.noarch 0:2.06-2.el7            perl-Business-ISBN-Data.noarch 0:20120719.001-2.el7
  perl-CPAN.noarch 0:1.9800-292.el7                 perl-CPAN-Meta.noarch 0:2.120921-5.el7
  perl-CPAN-Meta-Requirements.noarch 0:2.122-7.el7  perl-CPAN-Meta-YAML.noarch 0:0.008-14.el7
  perl-CPANPLUS.noarch 0:0.91.38-4.el7              perl-Compress-Raw-Bzip2.x86_64 0:2.061-3.el7
  perl-Compress-Raw-Zlib.x86_64 1:2.061-4.el7       perl-DBD-SQLite.x86_64 0:1.39-3.el7
  perl-DBI.x86_64 0:1.627-4.el7                     perl-DBIx-Simple.noarch 0:1.35-7.el7
  perl-Data-Dumper.x86_64 0:2.145-3.el7             perl-Digest.noarch 0:1.17-245.el7
  perl-Digest-MD5.x86_64 0:2.52-3.el7               perl-Digest-SHA.x86_64 1:5.85-4.el7
  perl-Digest-SHA1.x86_64 0:2.13-9.el7              perl-Encode-Locale.noarch 0:1.03-5.el7
  perl-ExtUtils-CBuilder.noarch 1:0.28.2.6-292.el7  perl-File-Fetch.noarch 0:0.42-2.el7
  perl-File-Listing.noarch 0:6.04-7.el7             perl-File-Remove.noarch 0:1.52-6.el7
  perl-HTML-Parser.x86_64 0:3.71-4.el7              perl-HTML-Tagset.noarch 0:3.20-15.el7
  perl-HTTP-Cookies.noarch 0:6.01-5.el7             perl-HTTP-Daemon.noarch 0:6.01-5.el7
  perl-HTTP-Date.noarch 0:6.02-8.el7                perl-HTTP-Message.noarch 0:6.06-6.el7
  perl-HTTP-Negotiate.noarch 0:6.01-5.el7           perl-IO-Compress.noarch 0:2.061-2.el7
  perl-IO-HTML.noarch 0:1.00-2.el7                  perl-IO-Socket-IP.noarch 0:0.21-4.el7
  perl-IO-Socket-SSL.noarch 0:1.94-6.el7            perl-IPC-Cmd.noarch 1:0.80-4.el7
  perl-JSON-PP.noarch 0:2.27202-2.el7               perl-LWP-MediaTypes.noarch 0:6.02-2.el7
  perl-Locale-Maketext.noarch 0:1.23-3.el7          perl-Locale-Maketext-Simple.noarch 1:0.21-292.el7
  perl-Log-Message.noarch 1:0.08-3.el7              perl-Log-Message-Simple.noarch 0:0.10-2.el7
  perl-Module-Build.noarch 2:0.40.05-2.el7          perl-Module-CoreList.noarch 1:2.76.02-292.el7
  perl-Module-Install.noarch 0:1.06-4.el7           perl-Module-Load.noarch 1:0.24-3.el7
  perl-Module-Load-Conditional.noarch 0:0.54-3.el7  perl-Module-Loaded.noarch 1:0.08-292.el7
  perl-Module-Metadata.noarch 0:1.000018-2.el7      perl-Module-Pluggable.noarch 1:4.8-3.el7
  perl-Module-ScanDeps.noarch 0:1.10-3.el7          perl-Module-Signature.noarch 0:0.73-2.el7
  perl-Net-Daemon.noarch 0:0.48-5.el7               perl-Net-HTTP.noarch 0:6.06-2.el7
  perl-Net-LibIDN.x86_64 0:0.12-15.el7              perl-Net-SSLeay.x86_64 0:1.55-6.el7
  perl-Object-Accessor.noarch 1:0.42-292.el7        perl-PAR-Dist.noarch 0:0.49-2.el7
  perl-Package-Constants.noarch 1:0.02-292.el7      perl-Params-Check.noarch 1:0.38-2.el7
  perl-Parse-CPAN-Meta.noarch 1:1.4404-5.el7        perl-Perl-OSType.noarch 0:1.003-3.el7
  perl-PlRPC.noarch 0:0.2020-14.el7                 perl-Spiffy.noarch 0:0.31-3.el7
  perl-Term-UI.noarch 0:0.36-2.el7                  perl-Test-Deep.noarch 0:0.110-2.el7
  perl-Test-Simple.noarch 0:0.98-243.el7            perl-Text-Diff.noarch 0:1.41-5.el7
  perl-TimeDate.noarch 1:2.30-2.el7                 perl-URI.noarch 0:1.60-9.el7
  perl-WWW-RobotRules.noarch 0:6.02-5.el7           perl-YAML.noarch 0:0.84-5.el7
  perl-YAML-Tiny.noarch 0:1.51-6.el7                perl-libwww-perl.noarch 0:6.05-2.el7
  perl-local-lib.noarch 0:1.008010-4.el7            perl-version.x86_64 3:0.99.07-2.el7
 
Complete!

ビルドとコンパイルおよびインストール

引き続き、ビルドとコンパイルおよびインストールを行ないます。マシンスペックにより時間がかかる場合がありますので、時間に余裕があるときに実行してください。
なお、取得したtar.gzは、ビルド前にSambaの署名ファイル(samba-4.7.4.tar.asc。gunzipしたtarに対する署名)をgpgで検証してから使ってください。ソースの真正性を確認する唯一の手段です。

[SMB]# cd /tmp
[SMB]# wget https://download.samba.org/pub/samba/stable/samba-4.7.4.tar.gz
   :(省略)
2018-01-10 16:54:14 (1.77 MB/s) - ‘samba-4.7.4.tar.gz’ saved [16853555/16853555]
[SMB]# tar zxf samba-4.7.4.tar.gz
[SMB]# cd /tmp/samba-4.7.4
[SMB]# ls -l
total 272
drwxr-xr-x.  6 root root   226 Jan 10 16:56 auth
-rw-rw-r--.  1 root root  3579 Jul  4  2017 BUILD_SYSTEMS.txt
drwxr-xr-x.  6 root root   178 Jan 10 16:56 buildtools
-rw-rw-r--.  1 root root   149 Jul  4  2017 callcatcher-exceptions.grep
-rwxrwxr-x.  1 root root   328 Jul  4  2017 configure
-rwxrwxr-x.  1 root root    66 Jul  4  2017 configure.developer
-rw-rw-r--.  1 root root 35147 Jul  4  2017 COPYING
drwxr-xr-x.  2 root root    51 Jan 10 16:56 coverity
drwxr-xr-x. 15 root root  4096 Jan 10 16:56 ctdb
drwxr-xr-x.  2 root root    73 Jan 10 16:56 dfs_server
drwxr-xr-x.  3 root root    22 Jan 10 16:56 docs
drwxr-xr-x. 12 root root  4096 Jan 10 16:56 docs-xml
drwxr-xr-x.  2 root root    59 Jan 10 16:56 dynconfig
drwxr-xr-x. 22 root root  4096 Jan 10 16:56 examples
drwxr-xr-x.  2 root root    69 Jan 10 16:56 file_server
drwxr-xr-x.  3 root root    38 Jan 10 16:56 include
-rwxrwxr-x.  1 root root  1536 Jul  4  2017 install_with_python.sh
drwxr-xr-x. 30 root root  4096 Jan 10 16:56 lib
drwxr-xr-x. 18 root root   234 Jan 10 16:56 libcli
drwxr-xr-x.  3 root root    20 Jan 10 16:56 libds
drwxr-xr-x.  3 root root   138 Jan 10 16:56 libgpo
drwxr-xr-x.  8 root root   205 Jan 10 16:56 librpc
-rw-rw-r--.  1 root root  2309 Jul  4  2017 Makefile
drwxr-xr-x.  4 root root  4096 Jan 10 16:56 nsswitch
drwxr-xr-x. 13 root root   181 Jan 10 16:56 packaging
-rw-rw-r--.  1 root root   188 Jul  4  2017 PFIF.txt
drwxr-xr-x.  4 root root   163 Jan 10 16:56 pidl
-rw-rw-r--.  1 root root 30193 Jul  4  2017 prog_guide4.txt
drwxr-xr-x.  5 root root   141 Jan 10 16:56 python
-rw-rw-r--.  1 root root  8859 Jul  4  2017 README
-rw-rw-r--.  1 root root   270 Jul  4  2017 README.cifs-utils
-rw-rw-r--.  1 root root 11759 Jul  4  2017 README.Coding
-rw-rw-r--.  1 root root  5074 Jul  4  2017 README.contributing
drwxr-xr-x.  2 root root   130 Jan 10 16:56 release-scripts
drwxr-xr-x.  4 root root  4096 Jan 10 16:56 script
drwxr-xr-x.  7 root root  4096 Jan 10 16:56 selftest
-rwxrwxr-x.  1 root root  1089 Jul  4  2017 simple-dc-steps.sh
drwxr-xr-x. 35 root root  4096 Jan 10 16:56 source3
drwxr-xr-x. 35 root root  4096 Jan 10 16:56 source4
drwxr-xr-x.  3 root root   159 Jan 10 16:56 testdata
drwxr-xr-x.  4 root root    35 Jan 10 16:56 testprogs
drwxr-xr-x.  2 root root   231 Jan 10 16:56 tests
drwxr-xr-x.  7 root root    98 Jan 10 16:56 testsuite
drwxr-xr-x. 10 root root   152 Jan 10 16:56 third_party
-rw-rw-r--.  1 root root  6288 Dec 23 05:40 VERSION
-rw-rw-r--.  1 root root 37935 Dec 23 05:40 WHATSNEW.txt
drwxr-xr-x.  3 root root    92 Jan 10 16:56 wintest
-rw-rw-r--.  1 root root 15341 Dec 23 05:40 wscript
-rw-rw-r--.  1 root root  4923 Jul 25 18:09 wscript_build
-rw-rw-r--.  1 root root    97 Jul  4  2017 wscript_build_embedded_heimdal
-rw-rw-r--.  1 root root    95 Jul  4  2017 wscript_build_system_heimdal
-rw-rw-r--.  1 root root   126 Jul  4  2017 wscript_build_system_mitkrb5
-rw-rw-r--.  1 root root 13215 Jul  4  2017 wscript_configure_system_mitkrb5
[SMB]# mkdir /usr/local/samba-4.7.4
[SMB]# ./configure --prefix=/usr/local/samba-4.7.4 --with-systemd
   :(省略)
'configure' finished successfully (2m49.117s)
[SMB]# make
   :(省略)
'build' finished successfully (24m52.221s)
[SMB]# make install
   :(省略)
'install' finished successfully (9m10.091s)
[SMB]# cd /usr/local
[SMB]# ln -s samba-4.7.4 samba

セットアップ

SAMBAの基本的なセットアップを行ないます。ここで入力するAdministratorパスワードはドメイン全体の最高権限アカウントのものです。後述のRADIUS設定でこのアカウントをLDAPバインドに使い回すのは避け、RADIUS用の低権限アカウントを別に作ることを推奨します。また、provisionにより/usr/local/samba-4.7.4/private/tls/に自己署名証明書が生成され、LDAPS(636/tcp)が利用できるようになります。

参考URL
https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller

[SMB]# vim /root/.bash_profile
   :(省略)
export PATH=/usr/local/samba/bin:${PATH} <= 追記
   :(省略)
[SMB]# source .bash_profile
[SMB]# cp -p /etc/krb5.conf /etc/krb5.conf.original
[SMB]# vim /etc/krb5.conf
   :(省略)
#includedir /etc/krb5.conf.d/   <= コメントアウト
   :(省略)
[SMB]# samba-tool domain provision --use-rfc2307 --interactive
Realm [ORANGETAKAM.LOCAL]: PRD.ORANGETAKAM.LOCAL
 Domain [PRD]: <= 空エンター
 Server Role (dc, member, standalone) [dc]: <= 空エンター
 DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: <= 空エンター
 DNS forwarder IP address (write 'none' to disable forwarding) [192.168.1.69]: 192.168.1.6
Administrator password: Adm1npass
Retype password: Adm1npass
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=prd,DC=orangetakam,DC=local
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=prd,DC=orangetakam,DC=local
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba AD has been generated at /usr/local/samba-4.7.4/private/krb5.conf
Setting up fake yp server settings
Once the above files are installed, your Samba AD server will be ready to use
Server Role:           active directory domain controller
Hostname:              SMB
NetBIOS Domain:        PRD
DNS Domain:            prd.orangetakam.local
DOMAIN SID:            S-1-5-21-678500007-4021908432-1193253108

Firewalldの許可設定

SAMBAが提供するサービスで利用するポートは下記の通り。

参考URL
https://wiki.samba.org/index.php/Samba_AD_DC_Port_Usage

サービス名 ポート番号 プロトコル Firewalld定義名
DNS 53 tcp/udp dns.xml
Kerberos 88 tcp/udp kerberos.xml
End Point Mapper (DCE/RPC Locator Service) 135 tcp n/a
NetBIOS Name Service 137 udp samba.xml
NetBIOS Datagram 138 udp samba.xml
NetBIOS Session 139 tcp samba.xml
LDAP 389 tcp/udp ldap.xml
SMB over TCP 445 tcp samba.xml
Kerberos kpasswd 464 tcp/udp kpasswd.xml
LDAPS 636 tcp ldaps.xml
Dynamic RPC Ports 49152-65535 tcp n/a
Global Catalog 3268 tcp n/a
Global Catalog SSL 3269 tcp n/a

上記の表以外に、時刻同期のntpd用のポート(123:udp)も必要です。
なお、下記の設定はpublicゾーンで送信元を限定せずに全サービスを開放しています。本構成でSAMBAにアクセスするのは実質RADIUSサーバーだけなので、rich ruleで送信元をRADIUSサーバーのIPに絞ることを推奨します。49152-65535/tcpの広い範囲は、Samba 4.7以降であればsmb.confの「rpc server dynamic port range」で狭めたうえで、その範囲だけを開放できます。

[SMB]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
[SMB]# firewall-cmd --add-service=dns --permanent
success
[SMB]# firewall-cmd --add-service=kerberos --permanent
success
[SMB]# firewall-cmd --add-service=samba --permanent
success
[SMB]# firewall-cmd --add-service=ldap --permanent
success
[SMB]# firewall-cmd --add-service=kpasswd --permanent
success
[SMB]# firewall-cmd --add-service=ldaps --permanent
success
[SMB]# firewall-cmd --add-port=135/tcp --permanent
success
[SMB]# firewall-cmd --add-port=3268/tcp --permanent
success
[SMB]# firewall-cmd --add-port=3269/tcp --permanent
success
[SMB]# firewall-cmd --add-port=49152-65535/tcp --permanent
success
[SMB]# firewall-cmd --add-service=ntp --permanent
success
[SMB]# firewall-cmd --reload
success

Kerberosの設定変更

Kerberosの設定を変更します。provision時に/usr/local/samba-4.7.4/private/krb5.confに必要最小限の設定が生成されているので、それを/etc/krb5.confにコピーするのが確実です。手で書く場合は、[realms]セクションのレルム名をdefault_realmと同じPRD.ORANGETAKAM.LOCALにしてください(レルム名が食い違うと、kdc/admin_serverの指定がそのレルムに適用されません)。

[SMB]# vim /etc/krb5.conf
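# Configuration snippets may be placed in this directory as well
# Left commented out on purpose so that snippets under /etc/krb5.conf.d/ cannot
# override the realm settings below. (samba-tool also wrote a ready-made file to
# /usr/local/samba-4.7.4/private/krb5.conf that can be used instead of this one.)
#includedir /etc/krb5.conf.d/
 
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
 
[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 # Must be the realm given to "samba-tool domain provision".
 default_realm = PRD.ORANGETAKAM.LOCAL
 default_ccache_name = KEYRING:persistent:%{uid}
 
[realms]
 # Fix: the realm key must match default_realm above. The original entry was
 # keyed on ORANGETAKAM.LOCAL, so the kdc/admin_server lines did not apply to
 # the provisioned realm (KDC discovery then depends on DNS SRV lookup alone).
 PRD.ORANGETAKAM.LOCAL = {
  kdc = SMB.prd.orangetakam.local
  admin_server = SMB.prd.orangetakam.local
 }
 
[domain_realm]
 .prd.orangetakam.local = PRD.ORANGETAKAM.LOCAL
 prd.orangetakam.local = PRD.ORANGETAKAM.LOCAL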

名前解決先の変更

名前解決は自サーバにておこなうので、ローカルホストのIPアドレスに設定します。

[SMB]# nmcli connection modify eth0 ipv4.dns "127.0.0.1"

マシンリブート

ここで一旦、マシンリブートを実施します。

[SMB]# shutdown -r now

systemdの設定

[SMB]# vim /usr/lib/systemd/system/samba.service
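# systemd unit for the source-built Samba AD DC under /usr/local/samba.
# Local units belong in /etc/systemd/system/ ("systemctl enable" on this page
# indeed links /etc/systemd/system/samba.service); /usr/lib/systemd/system/ is
# reserved for package-provided units and is overwritten by package updates.
[Unit]
Description= Samba 4 Active Directory
# The DC needs the network up and name resolution available before it starts.
# syslog.target is obsolete in current systemd and has been dropped here.
After=network.target remote-fs.target nss-lookup.target
 
[Service]
Type=forking
PIDFile=/usr/local/samba/var/run/samba.pid
ExecStart=/usr/local/samba/sbin/samba
# Lets "systemctl reload samba" re-read smb.conf without a full restart.
ExecReload=/bin/kill -HUP $MAINPID
 
[Install]
WantedBy=multi-user.target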

自動起動有効とサービス起動

自動起動を有効にしてサービス起動をします。

[SMB]# systemctl status samba
● samba.service - Samba 4 Active Directory
   Loaded: loaded (/usr/lib/systemd/system/samba.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
[SMB]# systemctl enable samba
Created symlink from /etc/systemd/system/multi-user.target.wants/samba.service
 to /etc/systemd/system/samba.service.
[SMB]# systemctl start samba

ここまでで、一通りのSAMBAの環境ができました。
SAMBAの動作確認は、過去の記事を参照下さい。

SAMBAの設定変更

SAMBA 4.4.x以降、LDAPのシンプルバインド(ID/パスワードをそのまま送る認証)は、TLSで保護されていない389/tcpではデフォルトで拒否されるようになりました。
ここでは「とりあえず」その制限を外して平文のシンプルバインドを許可しますが、その場合、RADIUSサーバーがバインドに使うアカウントのパスワードと、認証される全ユーザーのパスワードが、RADIUSサーバー〜SAMBAサーバー間を平文で流れます。
推奨はデフォルト(yes)のままにして、FreeRADIUSのldapモジュール側をldaps://(636/tcp、firewalldでも開放済み)に向けることです。TLS越しのシンプルバインドはデフォルト設定でも許可されます。ローカルネットワークに閉じていても、この区間を盗聴・改ざんされれば全ユーザーの認証情報が漏れる点は意識しておいてください。

参考URL
https://wiki.samba.org/index.php/Samba_4.4_Features_added/changed

[SMB]# cd /usr/local/samba/etc
[SMB]# cp -p smb.conf smb.conf.original
[SMB]# vim smb.conf
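# Global parameters
[global]
        # Upstream resolvers the internal DNS forwards non-AD queries to (added).
        dns forwarder = 192.168.1.6 192.168.1.7
        netbios name = SMB
        realm = PRD.ORANGETAKAM.LOCAL
        server role = active directory domain controller
        workgroup = PRD
        idmap_ldb:use rfc2307 = yes
        # SECURITY: re-enables simple (cleartext) LDAP binds on 389/tcp, which
        # Samba >= 4.4 rejects by default. With this set, the FreeRADIUS bind
        # credentials and every VPN user's password cross the RADIUS<->SAMBA hop
        # unencrypted. Preferred: leave the default ("yes") and point FreeRADIUS
        # at ldaps://SMB.prd.orangetakam.local (simple bind over TLS is allowed
        # under the default; the provisioned DC serves a self-signed certificate
        # from /usr/local/samba/private/tls). Delete this line once that is done.
        ldap server require strong auth = no
 
[netlogon]
        path = /usr/local/samba/var/locks/sysvol/prd.orangetakam.local/scripts
        read only = No
 
[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No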

SAMBAサーバーのサービス再起動

設定変更が有効となるようにサービスの再起動を行ないます。

# systemctl restart samba

ここでSAMBAサーバー側の構築は終わりました。

RADIUSサーバーの設定変更

RADIUSサーバーがSAMBAサーバーのユーザー情報にLDAPで認証にいくように設定変更を行ないます。
設定上の注意点が2つあります。(1) 最小権限: ldapモジュールのバインドにドメインのAdministratorを使うと、RADIUSサーバーの設定ファイルが読まれた時点でドメイン全体が乗っ取られます。`samba-tool user create`でRADIUS専用の一般ユーザーを作り、そのアカウントでバインドしてください(検索に必要な属性は通常の認証済みユーザーで読めます)。(2) 暗号化: serverにホスト名だけを書くと389/tcpの平文LDAPになります。ldaps://を指定し、tlsサブセクションでSAMBAサーバーのprivate/tls/ca.pemを検証に使ってください。また、post-authセクションのldap(下記で「コメントアウトを外す」としている箇所)はユーザーオブジェクトへの書き込みを行なう用途のものなので、低権限アカウントでバインドする場合はコメントアウトのままにしておくのが無難です。

# cd /etc/raddb/sites-available
# ls -l
total 172
-rw-r-----. 1 root radiusd  4434 Aug 24 00:18 buffered-sql
-rw-r-----. 1 root radiusd  1359 Aug 24 00:18 challenge
-rw-r-----. 1 root radiusd   486 Aug 24 00:18 channel_bindings
-rw-r-----. 1 root radiusd  3599 Aug 24 00:18 check-eap-tls
-rw-r-----. 1 root radiusd  1334 Aug 24 00:18 coa
-rw-r-----. 1 root radiusd  2630 Aug 24 00:18 control-socket
-rw-r-----. 1 root radiusd  5640 Aug 24 00:18 copy-acct-to-home-server
-rw-r-----. 1 root radiusd  3565 Aug 24 00:18 decoupled-accounting
-rw-r-----. 1 root radiusd 28267 Aug 24 00:18 default
-rw-r-----. 1 root radiusd  9294 Aug 24 00:18 dhcp
-rw-r-----. 1 root radiusd  1033 Aug 24 00:18 dhcp.relay
-rw-r-----. 1 root radiusd  7091 Aug 24 00:18 dynamic-clients
-rw-r-----. 1 root radiusd  3382 Aug 24 00:18 example
-rw-r-----. 1 root radiusd 11951 Aug 24 00:18 inner-tunnel
-rw-r-----. 1 root radiusd  4943 Aug 24 00:18 originate-coa
-rw-r-----. 1 root radiusd  1026 Aug 24 00:18 proxy-inner-tunnel
-rw-r-----. 1 root radiusd  8543 Aug 24 00:18 README
-rw-r-----. 1 root radiusd  4718 Aug 24 00:18 robust-proxy-accounting
-rw-r-----. 1 root radiusd   820 Aug 24 00:18 soh
-rw-r-----. 1 root radiusd  4079 Aug 24 00:18 status
-rw-r-----. 1 root radiusd 15712 Aug 24 00:18 tls
-rw-r-----. 1 root radiusd   877 Aug 24 00:18 virtual.example.com
-rw-r-----. 1 root radiusd  2571 Aug 24 00:18 vmps
# cp -p default default.original
# cd /etc/raddb/sites-enabled
# ls -l
total 0
lrwxrwxrwx. 1 root radiusd 26 Jan  9 14:17 default -> ../sites-available/default
lrwxrwxrwx. 1 root radiusd 31 Jan  9 14:17 inner-tunnel -> ../sites-available/inner-tunnel
# vim default
   :(省略)
 #
 #  The ldap module reads passwords from the LDAP database.
    ldap    <= 「-ldap」を「ldap」に変更
   :(省略)
 #  Uncomment it if you want to use ldap for authentication
 #
 #  Note that this means "check plain-text password against
 #  the ldap database", which means that EAP won't work,
 #  as it does not supply a plain-text password.
 #
 #  We do NOT recommend using this.  LDAP servers are databases.
 #  They are NOT authentication servers.  FreeRADIUS is an
 #  authentication server, and knows what to do with authentication.
 #  LDAP servers do not.
 #
 Auth-Type LDAP {      <= コメントアウトを外す
         ldap          <= コメントアウトを外す
 }                     <= コメントアウトを外す
  :(省略)
 #
 #  Un-comment the following if you want to modify the user's object
 #  in LDAP after a successful login.
 #
 ldap      <= コメントアウトを外す
  :(省略)
# cd /etc/raddb/mods-available
# ls -l
total 312
-rw-r-----. 1 root radiusd  1408 Aug 24 00:18 always
-rw-r-----. 1 root radiusd  1384 Aug 24 00:18 attr_filter
-rw-r-----. 1 root radiusd  4930 Aug 24 00:18 cache
-rw-r-----. 1 root radiusd   237 Aug 24 00:18 cache_eap
-rw-r-----. 1 root radiusd   182 Aug 24 00:18 chap
-rw-r-----. 1 root radiusd  2948 Aug 24 00:18 counter
-rw-r-----. 1 root radiusd  1189 Aug 24 00:18 cui
-rw-r-----. 1 root radiusd   446 Aug 24 00:18 date
-rw-r-----. 1 root radiusd  2894 Aug 24 00:18 detail
-rw-r-----. 1 root radiusd   968 Aug 24 00:18 detail.example.com
-rw-r-----. 1 root radiusd  1903 Aug 24 00:18 detail.log
-rw-r-----. 1 root radiusd   498 Aug 24 00:18 dhcp
-rw-r-----. 1 root radiusd  1862 Aug 24 00:18 dhcp_sqlippool
-rw-r-----. 1 root radiusd   316 Aug 24 00:18 digest
-rw-r-----. 1 root radiusd   923 Aug 24 00:18 dynamic_clients
-rw-r-----. 1 root radiusd 26108 Aug 24 00:18 eap
-rw-r-----. 1 root radiusd  3733 Aug 24 00:18 echo
-rw-r-----. 1 root radiusd   863 Aug 24 00:18 etc_group
-rw-r-----. 1 root radiusd   822 Aug 24 00:18 exec
-rw-r-----. 1 root radiusd   362 Aug 24 00:18 expiration
-rw-r-----. 1 root radiusd  4180 Aug 24 00:18 expr
-rw-r-----. 1 root radiusd   868 Aug 24 00:18 files
-rw-r-----. 1 root radiusd   690 Aug 24 00:18 idn
-rw-r-----. 1 root radiusd  2279 Aug 24 00:18 inner-eap
-rw-r-----. 1 root radiusd  2082 Aug 24 00:18 ippool
-rw-r-----. 1 root radiusd 17551 Aug 24 00:18 ldap
-rw-r-----. 1 root radiusd  5680 Aug 24 00:18 linelog
-rw-r-----. 1 root radiusd   816 Aug 24 00:18 logintime
-rw-r-----. 1 root radiusd   737 Aug 24 00:18 mac2ip
-rw-r-----. 1 root radiusd   408 Aug 24 00:18 mac2vlan
-rw-r-----. 1 root radiusd  6955 Aug 24 00:18 mschap
-rw-r-----. 1 root radiusd   379 Aug 24 00:18 ntlm_auth
-rw-r-----. 1 root radiusd   751 Aug 24 00:18 opendirectory
-rw-r-----. 1 root radiusd  3251 Aug 24 00:18 otp
-rw-r-----. 1 root radiusd   685 Aug 24 00:18 pam
-rw-r-----. 1 root radiusd   551 Aug 24 00:18 pap
-rw-r-----. 1 root radiusd  1805 Aug 24 00:18 passwd
-rw-r-----. 1 root radiusd  1848 Aug 24 00:18 preprocess
-rw-r-----. 1 root radiusd  1313 Aug 24 00:18 python
-rw-r-----. 1 root radiusd  1562 Aug 24 00:18 radutmp
-rw-r-----. 1 root radiusd  2572 Aug 24 00:18 README.rst
-rw-r-----. 1 root radiusd  1128 Aug 24 00:18 realm
-rw-r-----. 1 root radiusd  2935 Aug 24 00:18 redis
-rw-r-----. 1 root radiusd  1940 Aug 24 00:18 rediswho
-rw-r-----. 1 root radiusd  1695 Aug 24 00:18 replicate
-rw-r-----. 1 root radiusd  8225 Aug 24 00:18 rest
-rw-r-----. 1 root radiusd   401 Aug 24 00:18 smbpasswd
-rw-r-----. 1 root radiusd  2420 Aug 24 00:18 smsotp
-rw-r-----. 1 root radiusd    33 Aug 24 00:18 soh
-rw-r-----. 1 root radiusd   263 Aug 24 00:18 sometimes
-rw-r-----. 1 root radiusd  8332 Aug 24 00:18 sql
-rw-r-----. 1 root radiusd  2996 Aug 24 00:18 sqlcounter
-rw-r-----. 1 root radiusd  2603 Aug 24 00:18 sqlippool
-rw-r-----. 1 root radiusd   493 Aug 24 00:18 sradutmp
-rw-r-----. 1 root radiusd   757 Aug 24 00:18 unix
-rw-r-----. 1 root radiusd   954 Aug 24 00:18 unpack
-rw-r-----. 1 root radiusd   287 Aug 24 00:18 utf8
-rw-r-----. 1 root radiusd  3525 Aug 24 00:18 wimax
-rw-r-----. 1 root radiusd  5430 Aug 24 00:18 yubikey
# cp -p ldap ldap.original
# vim ldap
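ldap {
  :(省略)
 #  Talk LDAPS (636/tcp) to the DC so neither the bind password below nor
 #  the users' passwords travel in cleartext. 636/tcp is already opened in
 #  the DC's firewalld rules, and the provisioned DC serves a self-signed
 #  certificate from /usr/local/samba/private/tls/. With LDAPS in place the
 #  "ldap server require strong auth = no" override in smb.conf is unneeded.
 server = 'ldaps://SMB.prd.orangetakam.local'
 #  Least privilege: bind with a dedicated, unprivileged account rather than
 #  Administrator. Create it on the DC with "samba-tool user create radius-bind";
 #  an ordinary user account is normally sufficient to read the attributes this
 #  module searches on. Never reuse the Administrator password here.
 identity = 'cn=radius-bind,cn=Users,dc=prd,dc=orangetakam,dc=local'
 password = '<password of the radius-bind account>'
 base_dn = 'cn=Users,dc=prd,dc=orangetakam,dc=local'
  :(省略)
 #  Edit the existing tls subsection of this file (do not add a second one):
 #  pin the DC's CA (copy /usr/local/samba/private/tls/ca.pem from the DC to
 #  this host) and verify the server certificate. If verification fails
 #  because the certificate does not match the DC's FQDN, regenerate the DC
 #  certificate rather than lowering require_cert.
 tls {
  ca_file = /etc/raddb/certs/samba-ca.pem
  require_cert = 'demand'
 }
 user {
   :(省略)
  #  Filter for user objects, should be specific enough
  #  to identify a single user object.
  #
  #  For Active Directory, you should use
  #  "samaccountname=" instead of "uid="
  #
  filter = "(samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})"
   :(省略)
 }
}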
# cd /etc/raddb/mods-enabled
# ls -l
total 0
lrwxrwxrwx. 1 root radiusd 24 Jan  9 14:17 always -> ../mods-available/always
lrwxrwxrwx. 1 root radiusd 29 Jan  9 14:17 attr_filter -> ../mods-available/attr_filter
lrwxrwxrwx. 1 root radiusd 27 Jan  9 14:17 cache_eap -> ../mods-available/cache_eap
lrwxrwxrwx. 1 root radiusd 22 Jan  9 14:17 chap -> ../mods-available/chap
lrwxrwxrwx. 1 root radiusd 22 Jan  9 14:17 date -> ../mods-available/date
lrwxrwxrwx. 1 root radiusd 24 Jan  9 14:17 detail -> ../mods-available/detail
lrwxrwxrwx. 1 root radiusd 28 Jan  9 14:17 detail.log -> ../mods-available/detail.log
lrwxrwxrwx. 1 root radiusd 22 Jan  9 14:17 dhcp -> ../mods-available/dhcp
lrwxrwxrwx. 1 root radiusd 24 Jan  9 14:17 digest -> ../mods-available/digest
lrwxrwxrwx. 1 root radiusd 33 Jan  9 14:17 dynamic_clients -> ../mods-available/dynamic_clients
lrwxrwxrwx. 1 root radiusd 21 Jan  9 14:17 eap -> ../mods-available/eap
lrwxrwxrwx. 1 root radiusd 22 Jan  9 14:17 echo -> ../mods-available/echo
lrwxrwxrwx. 1 root radiusd 22 Jan  9 14:17 exec -> ../mods-available/exec
lrwxrwxrwx. 1 root radiusd 28 Jan  9 14:17 expiration -> ../mods-available/expiration
lrwxrwxrwx. 1 root radiusd 22 Jan  9 14:17 expr -> ../mods-available/expr
lrwxrwxrwx. 1 root radiusd 23 Jan  9 14:17 files -> ../mods-available/files
lrwxrwxrwx. 1 root radiusd 25 Jan  9 14:17 linelog -> ../mods-available/linelog
lrwxrwxrwx. 1 root radiusd 27 Jan  9 14:17 logintime -> ../mods-available/logintime
lrwxrwxrwx. 1 root radiusd 24 Jan  9 14:17 mschap -> ../mods-available/mschap
lrwxrwxrwx. 1 root radiusd 27 Jan  9 14:17 ntlm_auth -> ../mods-available/ntlm_auth
lrwxrwxrwx. 1 root radiusd 21 Jan  9 14:17 pap -> ../mods-available/pap
lrwxrwxrwx. 1 root radiusd 24 Jan  9 14:17 passwd -> ../mods-available/passwd
lrwxrwxrwx. 1 root radiusd 28 Jan  9 14:17 preprocess -> ../mods-available/preprocess
lrwxrwxrwx. 1 root radiusd 25 Jan  9 14:17 radutmp -> ../mods-available/radutmp
lrwxrwxrwx. 1 root radiusd 23 Jan  9 14:17 realm -> ../mods-available/realm
lrwxrwxrwx. 1 root radiusd 27 Jan  9 14:17 replicate -> ../mods-available/replicate
lrwxrwxrwx. 1 root radiusd 21 Jan  9 14:17 soh -> ../mods-available/soh
lrwxrwxrwx. 1 root radiusd 26 Jan  9 14:17 sradutmp -> ../mods-available/sradutmp
lrwxrwxrwx. 1 root radiusd 22 Jan  9 14:17 unix -> ../mods-available/unix
lrwxrwxrwx. 1 root radiusd 24 Jan  9 14:17 unpack -> ../mods-available/unpack
lrwxrwxrwx. 1 root radiusd 22 Jan  9 14:17 utf8 -> ../mods-available/utf8
# ln -s ../mods-available/ldap ldap
# chgrp -h radiusd ldap
# cd /etc/raddb
# vim users
   :(省略)
#
# Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression.
#
#DEFAULT Hint == "CSLIP"                          <= コメントアウト
#        Framed-Protocol = SLIP,                  <= コメントアウト
#        Framed-Compression = Van-Jacobson-TCP-IP <= コメントアウト
 
#
# Default for SLIP: dynamic IP address, SLIP mode.
#
#DEFAULT Hint == "SLIP"                           <= コメントアウト
#        Framed-Protocol = SLIP                   <= コメントアウト
   :(省略)
DEFAULT Auth-Type := LDAP
        Fall-Through = 1
   :(省略)
#testuser Auth-Type := CHAP, Cleartext-Password:="testpass" <= コメントアウト

VPNサーバーの設定変更

RADIUSとSAMBAとの間でLDAPのパスワード照合を行なうには、RADIUSサーバー側が平文パスワードを受け取る必要があるため、CHAP認証は通りません。PAP認証に変更します。
PAPでは平文のパスワードが扱われますが、入口となるVPNクライアント〜VPNサーバー間はL2TP/IPsecで暗号化されるので、その区間については問題ありません。ただし保護されるのはその区間だけです。VPNサーバー〜RADIUSサーバー間は、RADIUSの共有秘密によるUser-Password属性の隠蔽(RFC 2865のMD5ベースの方式)しか掛かっておらず強度は低いので、この区間は信頼できるネットワークに閉じるかIPsec等で保護し、共有秘密は長いランダム値にしてください。さらにRADIUSサーバー〜SAMBAサーバー間は、前述のとおりLDAPSにしない限り完全な平文です。
なお、平文パスワードを一切扱わない代替として、MS-CHAPv2のままmschapモジュール+ntlm_auth(winbind)でSAMBAドメインに認証させる構成もあります(本記事の範囲外)。

# cd /etc/ppp
# vim options.xl2tpd
   :(省略)
require-pap       <= 「refuse-pap」から「require-pap」に変更(PAPを許可)
refuse-chap       <= 「require-chap」から「refuse-chap」に変更(CHAPを拒否)
refuse-mschap
refuse-mschap-v2
   :(省略)