Created using FreeIPA/smb as a template
&color(red){Under construction};
Give the NFS server that has joined the FreeIPA domain samba functionality so that smb...
&size(10){Access from Windows PCs/Macs that have not joined the domain...
&color(red){*};&size(10){Originally the same storage volume...
&ref(2022y04m29d_175211362.png,nolink,noborder);
***FreeIPA server side [#kbc7ac33]
&size(10){This assumes [[FreeIPA]] has already been set up};
First, add the "adtrust" module on the FreeIPA server side
#code(nonumber){{
[root@freeipa ~]# dnf install ipa-server-trust-ad
}}
This installs the "ipa-server-trust-ad" package...
The command used for configuration is "ipa-adtrust-install", which...
Since the FreeIPA server was already built in [[FreeIPA]], the hostname...
#code(nonumber){{
[root@freeipa ~]# cat /etc/hostname
freeipa.sybyl.local
[root@freeipa ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 lo...
::1 localhost localhost.localdomain localhost6 lo...
192.168.0.146 freeipa.sybyl.local freeipa
[root@freeipa ~]#
}}
With that in place, run "ipa-adtrust-install"
#code(nonumber){{
[root@freeipa ~]# ipa-adtrust-install
The log file for this installation can be found in /var/l...
=========================================================...
This program will setup components needed to establish tr...
the IPA Server.
This includes:
* Configure Samba
* Add trust related objects to IPA LDAP server
To accept the default shown in brackets, press the Enter ...
Configuring cross-realm trusts for IPA server requires pa...
This user is a regular system account used for IPA server...
admin password: <-- FreeIPA server...
WARNING: The smb.conf already exists. Running ipa-adtrust...
Do you wish to continue? [no]: yes <-- already /etc/samb...
Do you want to enable support for trusted domains in Sche...
This will allow clients older than SSSD 1.9 and non-Linux...
Enable trusted domains support in slapi-nis? [no]: <--...
WARNING: 1 existing users or groups do not have a SID ide...
Installer can run a task to have ipa-sidgen Directory Ser...
the SID identifier for all these users. Please note, in c...
number of users and groups, the operation might lead to h...
traffic and performance degradation. Refer to ipa-adtrust...
for details.
Do you want to run the ipa-sidgen task? [no]: yes <-...
The following operations may take some minutes to complete.
Please wait until the prompt is returned.
Configuring CIFS
(omitted
Done configuring CIFS.
DNS management was not enabled at install time.
Add the following service records to your DNS server for ...
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.sybyl...
_ldap._tcp.dc._msdcs.sybyl.local. 86400 IN SRV 0 100 389 ...
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.s...
_kerberos._udp.Default-First-Site-Name._sites.dc._msdcs.s...
_kerberos._tcp.dc._msdcs.sybyl.local. 86400 IN SRV 0 100 ...
_kerberos._udp.dc._msdcs.sybyl.local. 86400 IN SRV 0 100 ...
=========================================================...
Setup complete
You must make sure these network ports are open:
TCP Ports:
* 135: epmap
* 138: netbios-dgm
* 139: netbios-ssn
* 445: microsoft-ds
* 1024..1300: epmap listener range
* 3268: msft-gc
UDP Ports:
* 138: netbios-dgm
* 139: netbios-ssn
* 389: (C)LDAP
* 445: microsoft-ds
See the ipa-adtrust-install(1) man page for more details
=========================================================...
[root@freeipa ~]#
}}
At the end of running "ipa-adtrust-install",
-Adding SRV records to DNS
-Additional firewall configuration
are requested.
Here DNS is run with [[dnsmasq]], so the format...
Then the firewall is dealt with
***Modifying dnsmasq [#zc26bef7]
Convert the requested SRV records into the dnsmasq format.
Simply put, "_Service._Proto.Name TTL Class SRV Priority Wei...
"srv-host=_Service._Proto.Name,Target,Port,Priority,Weig...
#code(nonumber){{
srv-host=_ldap._tcp.Default-First-Site-Name._sites.dc._ms...
srv-host=_ldap._tcp.dc._msdcs.sybyl.local,freeipa.sybyl.l...
srv-host=_kerberos._tcp.Default-First-Site-Name._sites.dc...
srv-host=_kerberos._udp.Default-First-Site-Name._sites.dc...
srv-host=_kerberos._tcp.dc._msdcs.sybyl.local,freeipa.syb...
srv-host=_kerberos._udp.dc._msdcs.sybyl.local,freeipa.syb...
}}
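The conversion described above, from the BIND-style SRV lines that ipa-adtrust-install prints to dnsmasq "srv-host=" lines, as an added Python example (written for this page; it is not code from the page, from FreeIPA or from dnsmasq). It reorders the fields the way dnsmasq expects (Target,Port,Priority,Weight), drops the trailing root dot and the TTL that dnsmasq has no field for, and rejects any line that is not an SRV record so a stray line in the installer output cannot become a bogus record. The sample records are constructed for the sybyl.local realm used on this page, because the page's own output is truncated; the Kerberos records use the standard port 88.

```python
"""Convert BIND-style SRV records, as printed by ipa-adtrust-install,
into dnsmasq 'srv-host=' lines.

BIND:    _Service._Proto.Name TTL Class SRV Priority Weight Port Target
dnsmasq: srv-host=_Service._Proto.Name,Target,Port,Priority,Weight
The field order changes, and dnsmasq has no per-record TTL field
(it uses its global local-ttl setting instead)."""
import re

# Constructed sample input modelled on the installer's output for the
# sybyl.local realm on this page; the real output was truncated there.
SAMPLE_SRV_RECORDS = """\
_ldap._tcp.dc._msdcs.sybyl.local. 86400 IN SRV 0 100 389 freeipa.sybyl.local.
_kerberos._tcp.dc._msdcs.sybyl.local. 86400 IN SRV 0 100 88 freeipa.sybyl.local.
_kerberos._udp.dc._msdcs.sybyl.local. 86400 IN SRV 0 100 88 freeipa.sybyl.local.
"""

# One zone-file SRV line: name TTL class SRV priority weight port target
_SRV_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)


def srv_to_dnsmasq(record: str) -> str:
    """Translate one zone-file SRV line; raise ValueError on anything else
    so a typo in the installer output never becomes a silent bogus record."""
    m = _SRV_RE.match(record.strip())
    if not m:
        raise ValueError(f"not a SRV record: {record!r}")
    # dnsmasq names are not dot-terminated; strip the trailing root dot.
    name = m["name"].rstrip(".")
    target = m["target"].rstrip(".")
    port = int(m["port"])
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range in {record!r}")
    return f"srv-host={name},{target},{port},{m['prio']},{m['weight']}"


def convert_records(text: str) -> list:
    """Convert a block of records, skipping blank lines and ';' comments."""
    return [
        srv_to_dnsmasq(line)
        for line in text.splitlines()
        if line.strip() and not line.lstrip().startswith(";")
    ]


if __name__ == "__main__":
    # Paste the installer's record lines in place of the sample to get
    # lines ready for /etc/dnsmasq.conf or a file under /etc/dnsmasq.d/.
    print("\n".join(convert_records(SAMPLE_SRV_RECORDS)))
```

After adding the lines and restarting dnsmasq, `dig SRV _kerberos._tcp.dc._msdcs.sybyl.local @<dnsmasq host>` should return the priority, weight, port and target in the original BIND order, which is a quick way to confirm the field reordering was done right.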
***Modifying the firewall [#maf601ad]
It was specified what to open, but here "/usr/lib/firewall...
However, not all of it; part of it, "* 1024..1300: epmap listener rang...
#code(nonumber){{
[root@freeipa ~]# firewall-cmd --add-service=freeipa-trus...
[root@freeipa ~]# firewall-cmd --add-port=1024-1300/tcp -...
[root@freeipa ~]# firewall-cmd --reload
[root@freeipa ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens192
sources:
services: cockpit dhcpv6-client freeipa-4 freeipa-trust...
ports: 1024-1300/tcp
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@freeipa ~]#
}}
***samba server side [#h3e840d7]
Next, preparing the samba server side.
Since it has already been built as the NFS server of the FreeIPA domain, [[FreeI...
Additionally, install the "ipa-client-samba" package.
#code(nonumber){{
[root@freeipa-nfs ~]# dnf install ipa-client-samba ...
}}
Next, run "ipa-client-samba"
#code(nonumber){{
[root@freeipa-nfs ~]# ipa-client-samba --server=freeipa.s...
IPA server: freeipa.sybyl.local
Chosen IPA master: freeipa.sybyl.local
SMB principal to be created: cifs/freeipa-nfs.sybyl.local...
NetBIOS name to be used: FREEIPA-NFS
Discovered domains to use:
Domain name: sybyl.local
NetBIOS name: SYBYL
SID: S-1-5-21-2296221687-3594954941-118212876
ID range: 653400000 - 653599999
Continue to configure the system with these values? [no]:...
Samba domain member is configured. Please check configura...
[root@freeipa-nfs ~]#
}}
With this, on the FreeIPA server side a service whose service descriptor is "cifs"...
#code(nonumber){{
[root@freeipa ~]# ipa service-find | grep "Principal name...
Principal name: cifs/freeipa-nfs.sybyl.local@SYBYL.LOCAL
Principal name: cifs/freeipa.sybyl.local@SYBYL.LOCAL
[root@freeipa ~]#
}}
It also seems to create a keytab like the one used by samba-ad
#code(nonumber){{
[root@freeipa-nfs ~]# klist -ke /etc/samba/samba.keytab
Keytab name: FILE:/etc/samba/samba.keytab
KVNO Principal
---- ----------------------------------------------------...
1 cifs/freeipa-nfs.sybyl.local@SYBYL.LOCAL (aes128-cts...
1 cifs/freeipa-nfs.sybyl.local@SYBYL.LOCAL (aes256-cts...
1 cifs/freeipa-nfs.sybyl.local@SYBYL.LOCAL (DEPRECATED...
[root@freeipa-nfs ~]#
}}
and so it prepares things for us.
The smb configuration file on the samba server side, "/etc/samba/smb.conf", is writ...
#code(nonumber){{
[root@freeipa-nfs ~]# cat /etc/samba/smb.conf
[global]
# Limit number of forked processes to avoid SMBLoris ...
max smbd processes = 1000
# Use dedicated Samba keytab. The key there must be s...
# with Samba tdb databases or nothing will work
dedicated keytab file = FILE:/etc/samba/samba.keytab
kerberos method = dedicated keytab
# Set up logging per machine and Samba process
log file = /var/log/samba/log.%m
log level = 1
# We force 'member server' role to allow winbind auto...
# discover what is supported by the domain controller...
server role = member server
realm = SYBYL.LOCAL
netbios name = FREEIPA-NFS
workgroup = SYBYL
# Local writable range for IDs not coming from IPA or...
idmap config * : range = 0 - 0
idmap config * : backend = tdb
idmap config SYBYL : range = 1738400000 - 1738599999
idmap config SYBYL : backend = sss
# Default homes share
[homes]
read only = no
[root@freeipa-nfs ~]#
}}
With this, each user's home folder is shared, but a common fol...
Add the following to the end of "/etc/samba/smb.conf"
#code(nonumber){{
[data]
path = /data
writable = yes
browsable=yes
write list = @em
}}
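An added lint for the resulting smb.conf (example code written for this page, not from the Samba or FreeIPA projects). It reads smb.conf the way Samba reads parameter names (case and internal whitespace ignored, so "browsable=yes" above is the same setting as "Browsable = yes"), then checks the settings the setup above depends on: "kerberos method = dedicated keytab" with a keytab file, "server role = member server", idmap ranges that do not overlap, and that a writable share such as [data] carries a "write list" or "valid users" and has no guest access. Both configurations in the block are constructed: GOOD_CONF mirrors the configuration shown on this page, WEAK_CONF weakens it on purpose to show what gets flagged.

```python
"""Lint an smb.conf for the settings this FreeIPA member-server setup
relies on.  A small hand-written parser is used because Samba ignores
case and internal whitespace in parameter names, and values may contain
':' and '%m', which configparser's default delimiters and interpolation
mishandle."""
import re

# Constructed: mirrors the configuration shown on this page.
GOOD_CONF = """\
[global]
    dedicated keytab file = FILE:/etc/samba/samba.keytab
    kerberos method = dedicated keytab
    log file = /var/log/samba/log.%m
    server role = member server
    realm = SYBYL.LOCAL
    workgroup = SYBYL
    idmap config * : range = 0 - 0
    idmap config * : backend = tdb
    idmap config SYBYL : range = 1738400000 - 1738599999
    idmap config SYBYL : backend = sss
[homes]
    read only = no
[data]
    path = /data
    writable = yes
    browsable=yes
    write list = @em
"""

# Constructed: same layout with deliberately weakened settings.
WEAK_CONF = """\
[global]
    kerberos method = secrets and keytab
    server role = member server
    realm = SYBYL.LOCAL
    workgroup = SYBYL
    idmap config * : range = 1738500000 - 1738700000
    idmap config * : backend = tdb
    idmap config SYBYL : range = 1738400000 - 1738599999
    idmap config SYBYL : backend = sss
[data]
    path = /data
    writable = yes
    guest ok = yes
"""


def parse_smb_conf(text: str) -> dict:
    """Return {section: {normalised_key: value}}; '#' and ';' lines are comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        # Samba ignores case and whitespace in parameter names.
        sections[current][re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections


def _parse_range(value: str) -> tuple:
    lo, hi = (int(x) for x in value.split("-"))
    return lo, hi


def _is_yes(value) -> bool:
    return value is not None and value.lower() in ("yes", "true", "1")


def lint_smb_conf(text: str) -> list:
    """Return a list of findings; an empty list means the config passes."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    findings = []
    if g.get("kerberosmethod") != "dedicated keytab" or not g.get("dedicatedkeytabfile"):
        findings.append("global: expected 'kerberos method = dedicated keytab' "
                        "with a 'dedicated keytab file'")
    if g.get("serverrole") != "member server":
        findings.append("global: expected 'server role = member server'")
    # Each 'idmap config <dom> : range' must be disjoint from the others,
    # otherwise two domains could map different SIDs onto the same UID/GID.
    ranges = {}
    for key, value in g.items():
        m = re.match(r"^idmapconfig(.+):range$", key)
        if m:
            ranges[m.group(1)] = _parse_range(value)
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append(f"global: idmap ranges for '{a}' and '{b}' overlap")
    for name, share in conf.items():
        if name == "global":
            continue
        writable = (_is_yes(share.get("writable")) or _is_yes(share.get("writeable"))
                    or ("readonly" in share and not _is_yes(share["readonly"])))
        if _is_yes(share.get("guestok")):
            findings.append(f"[{name}]: guest access enabled")
        # [homes] is implicitly limited to the owning user; any other
        # writable share needs an explicit allow list.
        if writable and name != "homes" and not (share.get("writelist") or share.get("validusers")):
            findings.append(f"[{name}]: writable share without 'write list' or 'valid users'")
    return findings


if __name__ == "__main__":
    for label, conf in (("good", GOOD_CONF), ("weak", WEAK_CONF)):
        print(label, lint_smb_conf(conf) or "OK")
```

Run it against the live file with `lint_smb_conf(open("/etc/samba/smb.conf").read())`; `testparm -s` remains the authoritative syntax check, this only adds the policy checks that testparm does not make.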
Finally, apply the various related settings and you are done
#code(nonumber){{
[root@freeipa-nfs ~]# setsebool -P samba_enable_home_dirs...
[root@freeipa-nfs ~]# semanage fcontext -a -t samba_share...
[root@freeipa-nfs ~]# restorecon -R -v /data
[root@freeipa-nfs ~]# firewall-cmd --add-service=samba --...
[root@freeipa-nfs ~]# firewall-cmd --reload
[root@freeipa-nfs ~]# systemctl enable smb.service winbin...
}}
***Notes [#nc037d27]
FreeIPA runs its authentication through sssd, and kerberos is what matters. So for smb...
So it feels like winbind was added alongside so that the conventional authentication path also works...
Reference [[https://weblog.hirohiro716.com/?p=1983>+https://...