Goal: build a Samba 4.4 file server that joins a Windows Server 2012 AD domain as a domain member, with ZFS as the underlying file system.
OS: FreeBSD 11
FreeBSD 11 + ZFS is installed with zfs.sh, either with the OS and the storage on separate pools (when there are plenty of disks, say 10 or more) or with OS and storage on one pool (when there are only 3 to 5 disks).
Recommendation: at least 2 disks for the OS as a mirror; storage as raidz1 + 1 hot spare, raidz2 + 1 hot spare, or similar.
After installing with zfs.sh the following packages are installed as well: indexinfo, ca_root_nss, readline, libffi, gettext-runtime, python27, py27-setuptools27, py27-glances, py27-psutil, smartmontools, ssmtp, sudo
Then install the remaining software, mainly samba44, following the earlier post "製作 Samba 4.4 @ FreeBSD 11" (building Samba 4.4 on FreeBSD 11 as a package so it can later be installed with pkg add).
Also install vim-lite (pkg add vim-lite) to make editing files easier.
That completes the environment.
1. System configuration: link to AD through Kerberos
/boot/loader.conf
```
aio_load="YES"
net.inet.tcp.syncache.hashsize=1024
net.inet.tcp.syncache.bucketlimit=100
kern.ipc.maxsockets=2092905
net.inet.tcp.tcbhashsize=524288
```
aio_load is a leftover from FreeBSD 10: on FreeBSD 11 asynchronous I/O is built into the kernel and there is no aio.ko to load, so the line can be dropped. The TCP and socket tunables are sizing for a busy file server and are not required for a small one.
/etc/krb5.conf, the Kerberos configuration
```ini
[libdefaults]
    ticket_lifetime = 24h
    forwardable = true
    default_realm = TESTREALM.COM.TW

[realms]
    TESTREALM.COM.TW = {
        kdc = ad_server_host.testrealm.com.tw
        admin_server = ad_server_host.testrealm.com.tw
        default_domain = TESTREALM.COM.TW
    }

[domain_realm]
    .testrealm.com.tw = TESTREALM.COM.TW
    testrealm.com.tw = TESTREALM.COM.TW

[appdefaults]
    pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
    }

[logging]
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmin.log
    default = FILE:/var/log/krb5lib.log
```
The realm name must be the AD domain's DNS name in upper case and the kdc host must resolve (AD's own DNS is the safest resolver to point at). The [logging] entries for kdc and admin_server only matter on a KDC; they are harmless on a member server.
Get a ticket from the Windows Server 2012 AD. Kerberos rejects clients whose clock is more than 5 minutes off the DC by default, so make sure ntpd is running first.
Run kinit Administrator and enter the Administrator password.
klist then shows something like:
```
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: Administrator@TESTREALM.COM.TW

  Issued                Expires               Principal
Jan 27 23:28:04 2017  >>>Expired<<<         krbtgt/TESTREALM.COM.TW@TESTREALM.COM.TW
```
(The >>>Expired<<< marker shows this cache was listed after the ticket had run out; right after kinit the Expires column holds a timestamp.)
To remove the ticket, or when debugging, use kdestroy.
/etc/rc.conf
```sh
sshd_enable="YES"
usbd_enable="NO"
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
fsck_y_enable="YES"
background_fsck="NO"
nfs_reserved_port_only="YES"
dumpdev="NO"
ipv6_network_interfaces="none"
ipv6_activate_all_interfaces="NO"
samba_server_enable="YES"
samba_enable="YES"
nmbd_enable="YES"
smbd_enable="YES"
winbindd_enable="YES"
samba_server_config="/usr/local/etc/smb4.conf"
mdnsd_enable="YES"
```
samba_server_enable, smbd_enable, nmbd_enable and winbindd_enable are the variables the samba44 port's samba_server rc script reads; winbindd_enable="YES" matters on a member server because the script does not start winbindd otherwise. samba_enable is left over from the old samba3x rc script and does nothing here. mdnsd_enable needs an mDNS responder package installed.
Other rc.conf settings depend on what each server needs.
2. Samba 4.4 configuration: the smb4.conf, as used
```ini
[global]
    netbios name = SambaZFS
    workgroup = PYCT
    security = ADS
    realm = PYCT.COM.TW
    encrypt passwords = yes

    # Just a member server
    domain master = No
    local master = No
    preferred master = no

    # Disable printing error log messages when CUPS is not installed.
    printcap name = /dev/null
    load printers = No

    # Default domain (BUILTIN and other non-domain SIDs): allocating backend
    idmap config *:backend = tdb
    idmap config *:range = 300000-499999
    idmap config *:base_rid = 0
    # Joined domain: deterministic RID-based mapping (see the notes below)
    idmap config PYCT:backend = rid
    idmap config PYCT:range = 100000-299999

    winbind nss info = rfc2307
    winbind trusted domains only = no
    # This way users log in with username instead of username@example.org
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    # Inherit groups in groups
    winbind nested groups = yes
    winbind refresh tickets = yes
    winbind offline logon = true

    # No shell access
    template shell = /usr/sbin/nologin

    client use spnego = yes
    client ntlmv2 auth = yes
    restrict anonymous = 2

    log file = /var/log/samba/samba.log
    log level = 2
    server string = FS

    #vfs objects = acl_xattr
    vfs objects = zfsacl
    # ACL
    map acl inherit = Yes
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = yes

    # Store DOS attributes in extended attributes (no mapping)
    map hidden = no
    map system = no
    map archive = no
    map readonly = no
    store dos attributes = Yes

    # Unix specific
    wide links = Yes
    unix extensions = yes
    unix charset = UTF8
    socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=131072 SO_RCVBUF=131072
    aio read size = 16384

    # Veto files
    veto files = /.DS_Store/desktop.ini/Thumbs.db/
    delete veto files = yes

    # Log user activity (full_audit is loaded by the share's vfs objects line)
    full_audit:prefix = %u|%I|%m|%S
    full_audit:success = mkdir rename unlink rmdir pwrite
    full_audit:failure = none
    full_audit:facility = local7
    full_audit:priority = NOTICE

[PYCT]
    comment = description
    path = /FS
    admin users = @"TESTREALM\Domain Admins", "TESTREALM\cytseng", "TESTREALM\admin"
    valid users = @TESTREALM\Domain Users, TESTREALM\Administrator
    writable = yes
    read only = no
    create mask = 0664
    directory mask = 0775
    access based share enum = yes
    hide unreadable = no
    browseable = yes
    inherit permissions = yes
    posix locking = yes
    nt acl support = yes
    strict locking = no
    store dos attributes = yes
    csc policy = disable
    inherit acls = Yes
    inherit owner = Yes
    map archive = No
    map readonly = no
    vfs objects = zfsacl, full_audit, streams_xattr
```
Notes on this configuration:
The original [global] set idmap config *:backend twice (tdb, then rid). Samba takes the last value, so the default domain silently ended up on rid. The listing above keeps tdb for *: rid is a pure calculation from the RID with no allocator, so BUILTIN and other non-domain SIDs need an allocating backend, and the two ranges must not overlap (300000-499999 and 100000-299999 do not). The duplicated encrypt passwords and winbind refresh tickets lines were dropped as well.
The post uses two placeholder domain names: krb5.conf and the TESTREALM\ entries in the share refer to TESTREALM, while workgroup, realm and idmap config use PYCT. On a real server these are one and the same domain, and the name in idmap config <DOMAIN> must be exactly the NetBIOS name in workgroup, otherwise that domain's SIDs fall back to the * range.
wide links = Yes has no effect here: with unix extensions = yes Samba forces wide links off so that a symlink inside the share cannot point outside it. That is the safe state for a share used by Windows clients; do not "fix" it by turning unix extensions off.
admin users perform every operation on the share as root, bypassing ACLs and the create/directory masks; keep that list to the accounts that truly need it.
full_audit writes through syslog facility local7, which FreeBSD's stock /etc/syslog.conf does not route anywhere. A line such as local7.notice /var/log/samba_audit.log (create the file with touch, then service syslogd restart) is needed before any audit trail appears.
The join itself is not shown in the post: with smb4.conf in place and a valid ticket, run net ads join -U Administrator, then start samba_server. Running testparm -s /usr/local/etc/smb4.conf first catches unknown or ignored parameters.
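The idmap block is where a domain member most often breaks, and it is hard to spot by eye that a section sets the * backend twice. As an added example (not code from the post or from Samba), here is a POSIX sh/awk lint that reads an smb4.conf on stdin and flags the mistakes that matter: a backend set twice for one domain, rid on the * default domain, no idmap entry for the workgroup, a domain name that differs from the workgroup, and overlapping ranges. The three embedded configs are constructed samples: the post's own idmap lines, a variant with the TESTREALM placeholder and a colliding range, and the corrected version.

```shell
#!/bin/sh
# Lint the idmap settings of an smb4.conf (added example, not from the post).
# Reads the config on stdin and reports the mistakes that bite domain members:
# a backend set twice for one domain, rid used for the "*" default domain,
# no idmap entry for the workgroup, a domain name that is not the workgroup,
# and overlapping ranges.

lint_idmap() {
  awk '
    /^[ \t]*[#;]/ { next }                       # skip comment lines
    /=/ {
      key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key); key = tolower(key)
      val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
      if (key == "workgroup") workgroup = toupper(val)
      if (substr(key, 1, 11) == "idmapconfig") {   # idmapconfig<DOMAIN>:<option>
        if (split(substr(key, 12), p, ":") != 2) next
        dom = toupper(p[1]); opt = p[2]
        if (opt == "backend") {
          if (dom in backend)
            printf("WARN: idmap config %s:backend set twice (%s, then %s); the last one wins\n",
                   dom, backend[dom], val)
          backend[dom] = val
        } else if (opt == "range") {
          split(val, r, "-"); lo[dom] = r[1] + 0; hi[dom] = r[2] + 0
        }
      }
    }
    END {
      if (("*" in backend) && backend["*"] != "tdb")
        printf("ERROR: default domain * uses backend %s; use tdb so BUILTIN and other non-domain SIDs get allocated ids\n", backend["*"])
      if (workgroup != "" && !(workgroup in backend))
        printf("ERROR: no idmap config for the joined domain %s; its SIDs fall back to the * range\n", workgroup)
      for (d in backend)
        if (d != "*" && workgroup != "" && d != workgroup)
          printf("WARN: idmap config %s does not match workgroup %s; check the domain name\n", d, workgroup)
      for (a in lo) for (b in lo)
        if (a < b && lo[a] <= hi[b] && lo[b] <= hi[a])
          printf("ERROR: ranges for %s (%d-%d) and %s (%d-%d) overlap\n", a, lo[a], hi[a], b, lo[b], hi[b])
    }'
}

# Constructed sample 1: the [global] idmap lines as they appear in the post.
POST_CONF='[global]
workgroup = PYCT
realm = PYCT.COM.TW
idmap config *:backend = tdb
idmap config *:range = 300000-499999
idmap config *:backend = rid
idmap config *:base_rid = 0
idmap config PYCT:backend = rid
idmap config PYCT:range = 100000-299999'

# Constructed sample 2: the TESTREALM placeholder from the notes used against
# workgroup PYCT, plus a range that collides with the default range.
MISMATCH_CONF='workgroup = PYCT
idmap config *:backend = tdb
idmap config *:range = 300000-499999
idmap config TESTREALM:backend = rid
idmap config TESTREALM:range = 250000-350000'

# Constructed sample 3: the corrected settings; the lint prints nothing.
FIXED_CONF='workgroup = PYCT
idmap config *:backend = tdb
idmap config *:range = 300000-499999
idmap config PYCT:backend = rid
idmap config PYCT:range = 100000-299999'

printf '%s\n' "$POST_CONF" | lint_idmap
printf '%s\n' "$MISMATCH_CONF" | lint_idmap
printf '%s\n' "$FIXED_CONF" | lint_idmap
```

Run it against the live file with `lint_idmap < /usr/local/etc/smb4.conf`; it is a complement to testparm, not a replacement, because testparm knows which parameters this Samba version accepts and the lint only reasons about the idmap layout.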
Notes:
So that the RID part of each SID maps straight onto a Unix UID and stays easy to manage later on, winbindd is run without its lookup cache by adding to /etc/rc.conf:
```sh
winbindd_flags="--daemon -n"
```
-n (--no-caching) makes every lookup go to the DC, so the ids winbind hands out always reflect the current idmap configuration and AD state. The price is lookup latency on a busy server, so the flag can be removed once the idmap layout is settled.
Then restart samba_server, removing the winbind cache in between:
```sh
/usr/local/etc/rc.d/samba_server stop
rm /var/db/samba4/winbindd_cache.tdb*
/usr/local/etc/rc.d/samba_server start
```
To check how SID, RID and UID relate, see the idmap_rid man page:
https://www.samba.org/samba/docs/man/manpages-3/idmap_rid.8.html
ID = RID - BASE_RID + LOW_RANGE_ID (ID is the Unix UID or GID)
RID = ID + BASE_RID - LOW_RANGE_ID
In this configuration
```ini
idmap config *:base_rid = 0
```
so BASE_RID = 0 (base_rid defaults to 0 anyway, and the value that matters is the one for the joined domain, which is unset and therefore also 0), and
```ini
idmap config PYCT:range = 100000-299999
```
so LOW_RANGE_ID = 100000.
Taking cytseng (my account in AD) as the example, work out ID, RID and SID:
```
wbinfo -n cytseng
S-1-5-21-2942532738-2904609397-932884509-7692 SID_USER (1)
```
S-1-5-21-2942532738-2904609397-932884509-7692 is the SID; 7692, its last component, is the RID.
So cytseng's ID (UID) = 7692 - 0 + 100000 = 107692.
Confirm with:
```
getent passwd | grep cytseng
cytseng:*:107692:100513:曾祺元:/home/PYCT/cytseng:/usr/sbin/nologin
```
The primary GID 100513 follows the same rule: 513 is the well-known RID of Domain Users, so 513 - 0 + 100000 = 100513. getent only sees winbind users when /etc/nsswitch.conf has passwd: files winbind and group: files winbind, which the post does not show.
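To make the RID arithmetic above something you can check against wbinfo and getent output, here is an added example (not from the post) in POSIX sh: the idmap_rid formulas with the post's values, an explicit range check, and both directions. The domain SID and RID are the ones from the wbinfo output above; the range limits are the post's, and the failure behaviour for out-of-range RIDs is described from idmap_rid's documented semantics, not measured on the post's server.

```shell
#!/bin/sh
# idmap_rid arithmetic for the PYCT domain (added example, not from the post).
# Values below are the post's: BASE_RID 0, range 100000-299999, and the
# domain SID printed by "wbinfo -n cytseng".
BASE_RID=0
LOW_RANGE_ID=100000
HIGH_RANGE_ID=299999
DOMAIN_SID="S-1-5-21-2942532738-2904609397-932884509"

# rid_of SID -> the RID, i.e. the last dash-separated component
rid_of() { printf '%s\n' "${1##*-}"; }

# domain_of SID -> the SID with the RID removed
domain_of() { printf '%s\n' "${1%-*}"; }

# sid_to_id SID -> Unix UID/GID as idmap_rid computes it.
# Fails (exit 1) for SIDs of other domains and for RIDs whose result would
# leave the configured range; winbind leaves such SIDs unmapped instead of
# inventing an id, which shows up as a name winbind cannot resolve.
sid_to_id() {
  sid=$1
  [ "$(domain_of "$sid")" = "$DOMAIN_SID" ] || { echo "$sid: not a $DOMAIN_SID SID" >&2; return 1; }
  rid=$(rid_of "$sid")
  id=$((rid - BASE_RID + LOW_RANGE_ID))
  if [ "$id" -lt "$LOW_RANGE_ID" ] || [ "$id" -gt "$HIGH_RANGE_ID" ]; then
    echo "RID $rid maps to $id, outside $LOW_RANGE_ID-$HIGH_RANGE_ID" >&2
    return 1
  fi
  printf '%s\n' "$id"
}

# id_to_sid ID -> SID, the inverse formula RID = ID + BASE_RID - LOW_RANGE_ID
id_to_sid() {
  id=$1
  if [ "$id" -lt "$LOW_RANGE_ID" ] || [ "$id" -gt "$HIGH_RANGE_ID" ]; then
    echo "$id is not in the rid range $LOW_RANGE_ID-$HIGH_RANGE_ID" >&2
    return 1
  fi
  printf '%s-%s\n' "$DOMAIN_SID" "$((id + BASE_RID - LOW_RANGE_ID))"
}

# The post's numbers: cytseng (RID 7692) and the primary GID 100513 from getent
sid_to_id "$DOMAIN_SID-7692"   # 107692
id_to_sid 100513               # ...-513, the well-known RID of Domain Users
```

The range check is the part worth keeping in mind: with 100000-299999 the rid backend can only represent RIDs 0 to 199999, so a domain whose RIDs grow past that, or a SID from BUILTIN (S-1-5-32-...), is not the PYCT domain's business and must be served by the * tdb range instead.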
With the above in place, Samba 4.4 on FreeBSD 11 with ZFS is confirmed working as a domain member file server.