samba3でdomaincontroller
>>smb.conf
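# smb.conf — Samba 3 NT4-style domain controller (read by smbd/nmbd, see smb.conf(5)).
# Full-line '#' comments only; %U/%L/%u/%g below are Samba substitutions, not parser interpolation.
[global]
workgroup = domain.jp
server string = Samba Domain Controler
# user-level security; accounts are looked up in the tdbsam backend below
security = user
# Uncomment to also restrict SMB sessions to the LAN at the Samba layer (the trailing
# dot matches the whole 192.168.0.0/24 range); otherwise iptables is the only filter.
# hosts allow = 192.168.0.
# size in KB at which a log file is rotated to .old
max log size = 50
passdb backend = tdbsam
# browser elections: this host becomes local, domain and preferred master browser
local master = yes
os level = 65
domain master = yes
preferred master = yes
# accept NT4-style domain logons from workstations
domain logons = yes
# logon script is served from [netlogon]; profiles live in [profiles]
# (%L = this server's NetBIOS name, %U = the session user name)
logon script = logon.bat
logon path = \\%L\profiles\%U
logon drive = H:
logon home = \\%L\%U
# This host IS the WINS server, so 'wins server' must not be set as well: nmbd refuses
# to start when both 'wins support = yes' and 'wins server' are present (testparm
# reports the same error). Clients point their WINS setting at this host's address.
wins support = yes
# account-management hooks, run as root by smbd (%u = user name, %g = group name);
# on Red Hat-style hosts adduser is presumably a link to useradd — verify the -n flag there
add user script = /usr/sbin/useradd %u
add group script = /usr/sbin/groupadd %g
add machine script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %u
delete user script = /usr/sbin/userdel %u
# NOTE(review): 'deluser' is the Debian helper; the RH-Firewall-1-INPUT chain used in the
# iptables rules suggests a Red Hat host, where /usr/sbin/deluser may not exist — verify
# (gpasswd -d %u %g is the shadow-utils equivalent).
delete user from group script = /usr/sbin/deluser %u %g
delete group script = /usr/sbin/groupdel %g
netbios name = dcmachine
# character sets: UTF-8 on the Unix side, CP932 (Shift_JIS) for Japanese DOS/Windows clients
unix charset = UTF-8
dos charset = CP932
display charset = UTF-8
# To give admin rights to several accounts, list a group as @groupname and add the users
# to that group when they are created: e.g. create a group 'admins', set
# admin users = @admins, and create the user with
#   useradd -s /bin/false -d /dev/null -g admins dc-test
# To add an existing user later: usermod -G admins dc-test
# Listed accounts perform every file operation on every share as root — keep this minimal.
admin users = administrator
encrypt passwords = yes
# NOTE(review): fixed 8 KB socket buffers override kernel autotuning; current smb.conf(5)
# guidance is to leave SO_RCVBUF/SO_SNDBUF unset unless measured — verify before keeping.
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192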
# Serves the 'logon script' (logon.bat) to workstations at domain logon.
[netlogon]
comment = Network Logon Service
path = /usr/local/samba/lib/netlogon
guest ok = yes
# stays read-only: whatever is placed here is executed on every client at logon,
# so only root on the server should be able to change it
writable = no
share modes = no
# Roaming-profile store referenced by 'logon path' (\\%L\profiles\%U).
[profiles]
path = /usr/local/samba/profiles
browseable = no
# NOTE(review): guest access to a writable share lets an unauthenticated session create
# or modify profile data; unless guest writes are actually required, prefer guest ok = no.
guest ok = yes
writable = yes
profile acls = yes
# new profile files/directories get owner-only permission bits
create mask = 0600
directory mask = 0700
>>named.conf
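// named.conf — BIND for the Samba 3 DC (see named.conf(5)).
// Hosts allowed to query and recurse: loopback and the LAN.
acl "lan" {
    127.0.0.1;
    192.168.0.0/24;
};

options {
    listen-on port 53 { 127.0.0.1; 192.168.0.0/24; };
    allow-query { lan; };
    // explicit rather than relying on the allow-query-derived default
    allow-recursion { lan; };
    // no secondary server is defined in the zone files, so nobody needs AXFR/IXFR
    // (the default would allow transfers from any host that can reach the listener)
    allow-transfer { none; };
    directory "/var/named";
    pid-file "/var/run/named/named.pid";
    // unresolved names go to this forwarder first; without 'forward only' the root
    // hints below are used if it does not answer
    forwarders {
        192.168.0.2;
    };
};

// root hints
zone "." IN {
    type hint;
    file "named.ca";
};

zone "0.0.127.in-addr.arpa" {
    type master;
    file "local.rev";
};

// forward zone for the Samba domain; zone data is listed under ">>domain.jp"
zone "domain.jp" {
    type master;
    file "domain.jp";
};

// reverse zone for 192.168.0.0/24; zone data is listed under ">> 0.168.192.in-addr.arpa"
zone "0.168.192.in-addr.arpa" {
    type master;
    file "0.168.192.in-addr.arpa";
};

// Kept disabled: nothing in this Samba 3 tdbsam setup generates that file
// (presumably reserved for a later AD-style deployment — verify before enabling).
//include "/usr/local/samba/private/named.conf";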
>> 0.168.192.in-addr.arpa
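; 0.168.192.in-addr.arpa — reverse zone for 192.168.0.0/24 (BIND master-file format).
; Default TTL for records without one; without $TTL BIND falls back to the SOA minimum
; and logs a warning at load time.
$TTL 3600
@ IN SOA dcmachine.domain.jp. root.dcmachine.domain.jp. (
    2012121902 ; serial (YYYYMMDDnn) — bump on every change
    3600       ; refresh
    900        ; retry
    1W         ; expire
    3H )       ; negative-caching TTL (minimum)
; Owner names are written explicitly instead of relying on leading whitespace, which
; is easily lost when the file is copied from notes; a line starting in column 0 would
; otherwise make "IN" the owner name.
; The NS target must be a host with an address record: the original 'NS @' pointed at
; the zone apex itself, whose only A record is the 255.255.255.0 placeholder below.
@ IN NS dcmachine.domain.jp.
@ IN PTR domain.jp. ; domain this range resolves to (legacy Windows-DNS style apex record)
@ IN A 255.255.255.0 ; "subnet mask" placeholder from the same legacy style; not used for resolution
1 IN PTR dcmachine.domain.jp. ; 192.168.0.1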
>>domain.jp
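; domain.jp — forward zone for the Samba domain (BIND master-file format).
; Default TTL for records without one; without $TTL BIND falls back to the SOA minimum
; and logs a warning at load time.
$TTL 3600
@ IN SOA dcmachine.domain.jp. root.dcmachine.domain.jp. (
    2013010816 ; serial (YYYYMMDDnn) — bump on every change
    3600       ; refresh
    900        ; retry
    1W         ; expire
    3H )       ; negative-caching TTL (minimum)
; Owner written explicitly (a leading-whitespace line would inherit '@', but that
; whitespace is easily lost when copied); the NS target is the DC host itself.
@ IN NS dcmachine.domain.jp.
@ IN A 192.168.0.1
dcmachine IN A 192.168.0.1
; SRV records locating an LDAP service on the DC (priority 0, weight 100, port 389).
; NOTE(review): a Samba 3 tdbsam DC does not serve LDAP itself; these only help if
; something actually listens on dcmachine:389 — verify, otherwise they can be dropped.
_ldap._tcp.domain.jp. IN SRV 0 100 389 dcmachine
_ldap._tcp.dc._msdcs.domain.jp. IN SRV 0 100 389 dcmachine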
>>iptables
# Rules for the RH-Firewall-1-INPUT chain (iptables-save format; '#' lines are comments).
# DNS (tcp/udp 53) from the LAN only
-A RH-Firewall-1-INPUT -s 192.168.0.0/24 -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.0.0/24 -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
# NOTE(review): the only rule without '-s 192.168.0.0/24', so HTTP is reachable from any
# source. Nothing in these notes runs a web service on the DC; if it is not needed, drop
# the rule, otherwise add the same source restriction as the others.
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
# SMB: NetBIOS session service (139) and direct-hosted SMB (445), LAN only
-A RH-Firewall-1-INPUT -s 192.168.0.0/24 -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.0.0/24 -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
# NOTE(review): 135 (MS-RPC endpoint mapper) and 389 (LDAP, last rule below) are not served
# by a Samba 3 tdbsam DC out of the box; confirm a listener exists before keeping them open.
-A RH-Firewall-1-INPUT -s 192.168.0.0/24 -m state --state NEW -m tcp -p tcp --dport 135 -j ACCEPT
# NetBIOS name service (137) and datagram/browsing (138), LAN only
-A RH-Firewall-1-INPUT -s 192.168.0.0/24 -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.0.0/24 -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
# LDAP, LAN only (see the note above)
-A RH-Firewall-1-INPUT -s 192.168.0.0/24 -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
■sambaのDCにコンピューター名を登録する。
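# Register a machine trust account on the DC: a Unix account in group 'machines' whose
# name is the computer name plus a trailing '$', then the matching Samba entry.
# The group may already exist on the host, so create it only when missing.
getent group machines >/dev/null || groupadd machines
# quoted so the trailing '$' can never be taken as a shell expansion
useradd -s /bin/false -d /dev/null -g machines 'pc-se2141607j$'
# -m adds a machine account; the name is given without the '$' (pdbedit appends it)
pdbedit -a -m pc-se2141607j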
■sambaのDCにユーザを登録する。
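# Register a user account on the DC: a Unix account in group 'users' (no shell, no home),
# then the Samba password entry; pdbedit -a -u prompts twice for the new password.
# 'users' exists by default on most distributions and groupadd fails on an existing
# group, so create it only when missing.
getent group users >/dev/null || groupadd users
useradd -s /bin/false -d /dev/null -g users dc-test
pdbedit -a -u dc-test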
new password:
retype new password:
■パスワードの有効期限(45日に設定)
# Domain password policy: maximum password age in seconds (45 days = 45 * 86400 = 3888000).
pdbedit -P "maximum password age" -C 3888000
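# smb.conf — Samba 3 NT4-style domain controller (read by smbd/nmbd, see smb.conf(5)).
# Full-line '#' comments only; %U/%L/%u/%g below are Samba substitutions, not parser interpolation.
[global]
workgroup = domain.jp
server string = Samba Domain Controler
# user-level security; accounts are looked up in the tdbsam backend below
security = user
# Uncomment to also restrict SMB sessions to the LAN at the Samba layer (the trailing
# dot matches the whole 192.168.0.0/24 range); otherwise iptables is the only filter.
# hosts allow = 192.168.0.
# size in KB at which a log file is rotated to .old
max log size = 50
passdb backend = tdbsam
# browser elections: this host becomes local, domain and preferred master browser
local master = yes
os level = 65
domain master = yes
preferred master = yes
# accept NT4-style domain logons from workstations
domain logons = yes
# logon script is served from [netlogon]; profiles live in [profiles]
# (%L = this server's NetBIOS name, %U = the session user name)
logon script = logon.bat
logon path = \\%L\profiles\%U
logon drive = H:
logon home = \\%L\%U
# This host IS the WINS server, so 'wins server' must not be set as well: nmbd refuses
# to start when both 'wins support = yes' and 'wins server' are present (testparm
# reports the same error). Clients point their WINS setting at this host's address.
wins support = yes
# account-management hooks, run as root by smbd (%u = user name, %g = group name);
# on Red Hat-style hosts adduser is presumably a link to useradd — verify the -n flag there
add user script = /usr/sbin/useradd %u
add group script = /usr/sbin/groupadd %g
add machine script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %u
delete user script = /usr/sbin/userdel %u
# NOTE(review): 'deluser' is the Debian helper; the RH-Firewall-1-INPUT chain used in the
# iptables rules suggests a Red Hat host, where /usr/sbin/deluser may not exist — verify
# (gpasswd -d %u %g is the shadow-utils equivalent).
delete user from group script = /usr/sbin/deluser %u %g
delete group script = /usr/sbin/groupdel %g
netbios name = dcmachine
# character sets: UTF-8 on the Unix side, CP932 (Shift_JIS) for Japanese DOS/Windows clients
unix charset = UTF-8
dos charset = CP932
display charset = UTF-8
# To give admin rights to several accounts, list a group as @groupname and add the users
# to that group when they are created: e.g. create a group 'admins', set
# admin users = @admins, and create the user with
#   useradd -s /bin/false -d /dev/null -g admins dc-test
# To add an existing user later: usermod -G admins dc-test
# Listed accounts perform every file operation on every share as root — keep this minimal.
admin users = administrator
encrypt passwords = yes
# NOTE(review): fixed 8 KB socket buffers override kernel autotuning; current smb.conf(5)
# guidance is to leave SO_RCVBUF/SO_SNDBUF unset unless measured — verify before keeping.
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192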
# Serves the 'logon script' (logon.bat) to workstations at domain logon.
[netlogon]
comment = Network Logon Service
path = /usr/local/samba/lib/netlogon
guest ok = yes
# stays read-only: whatever is placed here is executed on every client at logon,
# so only root on the server should be able to change it
writable = no
share modes = no
# Roaming-profile store referenced by 'logon path' (\\%L\profiles\%U).
[profiles]
path = /usr/local/samba/profiles
browseable = no
# NOTE(review): guest access to a writable share lets an unauthenticated session create
# or modify profile data; unless guest writes are actually required, prefer guest ok = no.
guest ok = yes
writable = yes
profile acls = yes
# new profile files/directories get owner-only permission bits
create mask = 0600
directory mask = 0700
>>named.conf
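// named.conf — BIND for the Samba 3 DC (see named.conf(5)).
// Hosts allowed to query and recurse: loopback and the LAN.
acl "lan" {
    127.0.0.1;
    192.168.0.0/24;
};

options {
    listen-on port 53 { 127.0.0.1; 192.168.0.0/24; };
    allow-query { lan; };
    // explicit rather than relying on the allow-query-derived default
    allow-recursion { lan; };
    // no secondary server is defined in the zone files, so nobody needs AXFR/IXFR
    // (the default would allow transfers from any host that can reach the listener)
    allow-transfer { none; };
    directory "/var/named";
    pid-file "/var/run/named/named.pid";
    // unresolved names go to this forwarder first; without 'forward only' the root
    // hints below are used if it does not answer
    forwarders {
        192.168.0.2;
    };
};

// root hints
zone "." IN {
    type hint;
    file "named.ca";
};

zone "0.0.127.in-addr.arpa" {
    type master;
    file "local.rev";
};

// forward zone for the Samba domain; zone data is listed under ">>domain.jp"
zone "domain.jp" {
    type master;
    file "domain.jp";
};

// reverse zone for 192.168.0.0/24; zone data is listed under ">> 0.168.192.in-addr.arpa"
zone "0.168.192.in-addr.arpa" {
    type master;
    file "0.168.192.in-addr.arpa";
};

// Kept disabled: nothing in this Samba 3 tdbsam setup generates that file
// (presumably reserved for a later AD-style deployment — verify before enabling).
//include "/usr/local/samba/private/named.conf";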
>> 0.168.192.in-addr.arpa
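; 0.168.192.in-addr.arpa — reverse zone for 192.168.0.0/24 (BIND master-file format).
; Default TTL for records without one; without $TTL BIND falls back to the SOA minimum
; and logs a warning at load time.
$TTL 3600
@ IN SOA dcmachine.domain.jp. root.dcmachine.domain.jp. (
    2012121902 ; serial (YYYYMMDDnn) — bump on every change
    3600       ; refresh
    900        ; retry
    1W         ; expire
    3H )       ; negative-caching TTL (minimum)
; Owner names are written explicitly instead of relying on leading whitespace, which
; is easily lost when the file is copied from notes; a line starting in column 0 would
; otherwise make "IN" the owner name.
; The NS target must be a host with an address record: the original 'NS @' pointed at
; the zone apex itself, whose only A record is the 255.255.255.0 placeholder below.
@ IN NS dcmachine.domain.jp.
@ IN PTR domain.jp. ; domain this range resolves to (legacy Windows-DNS style apex record)
@ IN A 255.255.255.0 ; "subnet mask" placeholder from the same legacy style; not used for resolution
1 IN PTR dcmachine.domain.jp. ; 192.168.0.1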
>>domain.jp
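; domain.jp — forward zone for the Samba domain (BIND master-file format).
; Default TTL for records without one; without $TTL BIND falls back to the SOA minimum
; and logs a warning at load time.
$TTL 3600
@ IN SOA dcmachine.domain.jp. root.dcmachine.domain.jp. (
    2013010816 ; serial (YYYYMMDDnn) — bump on every change
    3600       ; refresh
    900        ; retry
    1W         ; expire
    3H )       ; negative-caching TTL (minimum)
; Owner written explicitly (a leading-whitespace line would inherit '@', but that
; whitespace is easily lost when copied); the NS target is the DC host itself.
@ IN NS dcmachine.domain.jp.
@ IN A 192.168.0.1
dcmachine IN A 192.168.0.1
; SRV records locating an LDAP service on the DC (priority 0, weight 100, port 389).
; NOTE(review): a Samba 3 tdbsam DC does not serve LDAP itself; these only help if
; something actually listens on dcmachine:389 — verify, otherwise they can be dropped.
_ldap._tcp.domain.jp. IN SRV 0 100 389 dcmachine
_ldap._tcp.dc._msdcs.domain.jp. IN SRV 0 100 389 dcmachine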
>>iptables
# Rules for the RH-Firewall-1-INPUT chain (iptables-save format; '#' lines are comments).
# DNS (tcp/udp 53) from the LAN only
-A RH-Firewall-1-INPUT -s 192.168.0.0/24 -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.0.0/24 -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
# NOTE(review): the only rule without '-s 192.168.0.0/24', so HTTP is reachable from any
# source. Nothing in these notes runs a web service on the DC; if it is not needed, drop
# the rule, otherwise add the same source restriction as the others.
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
# SMB: NetBIOS session service (139) and direct-hosted SMB (445), LAN only
-A RH-Firewall-1-INPUT -s 192.168.0.0/24 -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.0.0/24 -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
# NOTE(review): 135 (MS-RPC endpoint mapper) and 389 (LDAP, last rule below) are not served
# by a Samba 3 tdbsam DC out of the box; confirm a listener exists before keeping them open.
-A RH-Firewall-1-INPUT -s 192.168.0.0/24 -m state --state NEW -m tcp -p tcp --dport 135 -j ACCEPT
# NetBIOS name service (137) and datagram/browsing (138), LAN only
-A RH-Firewall-1-INPUT -s 192.168.0.0/24 -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.0.0/24 -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
# LDAP, LAN only (see the note above)
-A RH-Firewall-1-INPUT -s 192.168.0.0/24 -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
■sambaのDCにコンピューター名を登録する。
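# Register a machine trust account on the DC: a Unix account in group 'machines' whose
# name is the computer name plus a trailing '$', then the matching Samba entry.
# The group may already exist on the host, so create it only when missing.
getent group machines >/dev/null || groupadd machines
# quoted so the trailing '$' can never be taken as a shell expansion
useradd -s /bin/false -d /dev/null -g machines 'pc-se2141607j$'
# -m adds a machine account; the name is given without the '$' (pdbedit appends it)
pdbedit -a -m pc-se2141607j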
■sambaのDCにユーザを登録する。
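# Register a user account on the DC: a Unix account in group 'users' (no shell, no home),
# then the Samba password entry; pdbedit -a -u prompts twice for the new password.
# 'users' exists by default on most distributions and groupadd fails on an existing
# group, so create it only when missing.
getent group users >/dev/null || groupadd users
useradd -s /bin/false -d /dev/null -g users dc-test
pdbedit -a -u dc-test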
new password:
retype new password:
■パスワードの有効期限(45日に設定)
# Domain password policy: maximum password age in seconds (45 days = 45 * 86400 = 3888000).
pdbedit -P "maximum password age" -C 3888000