root@debian:~# samba-tool domain provision → Building the Active Directory Domain
Realm: TEST.JP
Domain [TEST]:
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
DNS forwarder IP address (write 'none' to disable forwarding) [192.168.1.146]:
Administrator password:
Retype password:
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs
Adding DomainDN: DC=test,DC=jp
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers and extended rights
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Repacking database from v1 to v2 format (first record CN=ms-WMI-MergeablePolicyTemplate,CN=Schema,CN=Configuration,DC=test,DC=jp)
Repack: re-packed 10000 records so far
Repacking database from v1 to v2 format (first record CN=mSMQMigratedUser-Display,CN=40E,CN=DisplaySpecifiers,CN=Configuration,DC=test,DC=jp)
Repacking database from v1 to v2 format (first record CN=6bcd5688-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=test,DC=jp)
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=test,DC=jp
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Repacking database from v1 to v2 format (first record DC=c.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=jp)
Repacking database from v1 to v2 format (first record DC=ForestDnsZones,DC=test,DC=jp)
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf
Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
Once the above files are installed, your Samba AD server will be ready to use
Server Role: active directory domain controller
Hostname: debian
NetBIOS Domain: TEST
DNS Domain: test.jp
DOMAIN SID: S-1-5-21-4146388153-4193096593-3140523898
root@debian:~# cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux bullseye/sid"
NAME="Debian GNU/Linux"
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
root@debian:~# samba -V
Version 4.11.5-Debian
root@debian:~# samba -i -M single → Starting the Active Directory Domain
samba version 4.11.5-Debian started.
Copyright Andrew Tridgell and the Samba Team 1992-2019
binary_smbd_main: samba: using 'single' process model
Attempting to autogenerate TLS self-signed keys for https for hostname 'DEBIAN.test.jp'
TLS self-signed keys generated OK
root@debian:~# kinit administrator → Verifying the Active Directory Domain
Password for administrator@TEST.JP:
Warning: Your password will expire in 41 days on 2020年04月04日 07時32分32秒
root@debian:~# samba-tool user add chibi
Note: samba-tool user add is deprecated. Please use samba-tool user create for the same function.
New Password:
Retype Password:
User 'chibi' created successfully
root@debian:~# wbinfo -u
TEST\administrator
TEST\guest
TEST\krbtgt
TEST\chibi
root@debian:~# wbinfo -n administrator
S-1-5-21-4146388153-4193096593-3140523898-500 SID_USER (1)
root@debian:~# wbinfo -n chibi
S-1-5-21-4146388153-4193096593-3140523898-1103 SID_USER (1)
root@debian:~# net ads info
LDAP server: 192.168.1.146
LDAP server name: debian.test.jp
Realm: TEST.JP
Bind Path: dc=TEST,dc=JP
LDAP port: 389
Server time: 土, 22 2月 2020 07:39:27 JST
KDC server: 192.168.1.146
Server time offset: 0
Last machine account password change: 土, 22 2月 2020 07:32:32 JST
root@debian:~# host -4 debian
debian.test.jp has address 192.168.1.146
root@debian:~# host -t SRV _ldap._tcp.test.jp
_ldap._tcp.test.jp has SRV record 0 100 389 debian.test.jp.
root@debian:~# host -t SRV _kerberos._udp.test.jp
_kerberos._udp.test.jp has SRV record 0 100 88 debian.test.jp.
root@debian:~# host -t A debian.test.jp
debian.test.jp has address 192.168.1.146
root@debian:~# smbclient -L localhost -U%
Sharename Type Comment
--------- ---- -------
sysvol Disk
netlogon Disk
IPC$ IPC IPC Service (Samba 4.11.5-Debian)
SMB1 disabled -- no workgroup available
root@debian:~# smbclient //localhost/netlogon -Uadministrator
Enter TEST\administrator's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat Feb 22 07:32:29 2020
.. D 0 Sat Feb 22 07:32:31 2020
38958432 blocks of size 1024. 31915828 blocks available
smb: \> exit
root@debian:~# smbclient //localhost/sysvol -Uadministrator
Enter TEST\administrator's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat Feb 22 07:32:32 2020
.. D 0 Sat Feb 22 07:38:02 2020
test.jp D 0 Sat Feb 22 07:32:31 2020
38958432 blocks of size 1024. 31915828 blocks available
smb: \> exit
root@debian:~# net ads lookup
Debian GNU Linux bullseye sid samba4.11.5 Active Directory Domain operation check
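The checks run by hand above (wbinfo SIDs, SRV records) can be automated. The following is an added example, not part of the original post or of Samba: it parses the output format shown above, with the sample lines embedded as constructed input taken from the session, and verifies that every account's SID belongs to the provisioned DOMAIN SID, that reserved RIDs (500/501/502) sit on the right accounts, and that the _ldap and _kerberos SRV records point at the DC on the expected ports.

```python
import re

# Values copied from the session above (constructed sample input, not live output).
DOMAIN_SID = "S-1-5-21-4146388153-4193096593-3140523898"
SAMPLE_WBINFO = {  # output of: wbinfo -n <user>
    "administrator": "S-1-5-21-4146388153-4193096593-3140523898-500 SID_USER (1)",
    "chibi": "S-1-5-21-4146388153-4193096593-3140523898-1103 SID_USER (1)",
}
SAMPLE_SRV = {  # output of: host -t SRV <name>
    "_ldap._tcp.test.jp": "_ldap._tcp.test.jp has SRV record 0 100 389 debian.test.jp.",
    "_kerberos._udp.test.jp": "_kerberos._udp.test.jp has SRV record 0 100 88 debian.test.jp.",
}
# RIDs that Active Directory reserves; ordinary accounts are allocated >= 1000.
WELL_KNOWN_RIDS = {"administrator": 500, "guest": 501, "krbtgt": 502}

SID_RE = re.compile(r"^(S-1-5-21(?:-\d+){3})-(\d+)\s+SID_USER")
SRV_RE = re.compile(r"has SRV record (\d+) (\d+) (\d+) (\S+?)\.?$")


def parse_wbinfo_sid(line):
    """Split 'S-1-5-21-...-500 SID_USER (1)' into (domain_sid, rid)."""
    m = SID_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a user SID line: {line!r}")
    return m.group(1), int(m.group(2))


def check_user_sids(domain_sid, wbinfo_lines):
    """Return problems: a SID outside the provisioned domain, a well-known
    account with the wrong RID, or a normal account holding a reserved RID."""
    problems = []
    for name, line in wbinfo_lines.items():
        dom, rid = parse_wbinfo_sid(line)
        if dom != domain_sid:
            problems.append(f"{name}: SID belongs to foreign domain {dom}")
        expected = WELL_KNOWN_RIDS.get(name.lower())
        if expected is not None and rid != expected:
            problems.append(f"{name}: expected RID {expected}, got {rid}")
        elif expected is None and rid < 1000:
            problems.append(f"{name}: reserved RID {rid} on a normal account")
    return problems


def check_srv(line, port, dc_host):
    """True if the SRV record points at the DC on the expected service port."""
    m = SRV_RE.search(line.strip())
    return bool(m) and int(m.group(3)) == port and m.group(4).lower() == dc_host.lower()


if __name__ == "__main__":
    print("SID problems:", check_user_sids(DOMAIN_SID, SAMPLE_WBINFO) or "none")
    for name, port in (("_ldap._tcp.test.jp", 389), ("_kerberos._udp.test.jp", 88)):
        print(name, "ok" if check_srv(SAMPLE_SRV[name], port, "debian.test.jp") else "BAD")
```

To run it against a live DC, replace the sample dictionaries with the captured output of `wbinfo -n` and `host -t SRV` for each account and service name.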