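Introduction
I built a home server using FreeBSD 12. FreeBSD 12 has only just been released, but VIMAGE is now included in the kernel by default, which makes it possible to run the external-facing and internal-facing DNS as separate systems (jail + VIMAGE) on the same host, so I decided to adopt it. I describe the build procedure concretely over several articles, partly as a memo for myself.

- Base system, part 1
  - Background
  - Basic installation
  - Japanese environment settings
- Base system, part 2
  - Security
  - ftp server
- Base system, part 3
  - jail
  - End of the base system
- Base system inside the jail
  - Basic settings (common to jail1 and jail2)
- DNS
  - Problems so far in building DNS
  - bind9 installation
  - NTP server
- Let's Encrypt
  - About Let's Encrypt
  - Installing certbot
  - Settings
  - Obtaining a certificate
- Web server
  - Installation (apache2.4, webalizer, php7.3, postgresql11.2, mysql8.0)
  - Configuration
- Mail server
  - Installation (cyrus-sasl, postfix, dovecot, procmail, pflogsumm, policyd-spf)
  - Configuration and startup
  - SPF record sending settings
- File server (this article)
  - Choosing a samba version
  - Installing samba3
- Mail server, part 2
  - Overview
  - OpenDKIM
  - OpenDMARC
  - ClamAV (clamav-milter)
  - SpamAssassin (spamass-milter)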
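Choosing a samba version
On FreeBSD, Samba is currently at samba48-4.8.9_1 (as of 2019/3/3). However, I am still using samba3.6. This time I tried samba48, but I could not resolve the problem with Japanese file names and directory names.
This problem does not occur when the client is a Windows PC. However, Japanese files become invisible from a REGZA (a Toshiba TV). On the 4K REGZA I recently bought as a PC display and for watching TV, Japanese file names on samba48 appear to be displayed properly. However, the family's REGZA is old (perhaps the cifsfs in its Linux (REGZA) is from the samba3 era?), and as described above the Japanese names are not visible.
I doubt anyone installs samba3 at this point, but this time too I install samba3.6, the last version of samba3, from source (it has been removed from the ports collection).
The summary is as follows.

### samba3.6
Model | Japanese share name | Japanese folder name | Japanese file name |
---|---|---|---|
42Z1 | x | o | o |
40M510X | x | o | o |

### samba4.8
Model | Japanese share name | Japanese folder name | Japanese file name |
---|---|---|---|
42Z1 | x | x | x |
40M510X | x | o | o |

- 42Z1: made in 2010
- 40M510X: made in 2017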
Installing samba3
I found that fetch could not download files from https sites. Installing the following certificates seems to fix it.
```
jail1 /root # pkg install ca_root_nss
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
ca_root_nss: 3.42.1
Number of packages to be installed: 1
290 KiB to be downloaded.
[jail1] [1/1] Fetching ca_root_nss-3.42.1.txz: 100% 290 KiB 148.5kB/s 00:02
Checking integrity... done (0 conflicting)
[jail1] [1/1] Installing ca_root_nss-3.42.1...
[jail1] [1/1] Extracting ca_root_nss-3.42.1: 100%
Message from ca_root_nss-3.42.1:
********************************* WARNING *********************************
FreeBSD does not, and can not warrant that the certification authorities
whose certificates are included in this package have in any way been
audited for trustworthiness or RFC 3647 compliance.
Assessment and verification of trust is the complete responsibility of the
system administrator.
*********************************** NOTE **********************************
This package installs symlinks to support root certificates discovery by
default for software that uses OpenSSL.
This enables SSL Certificate Verification by client software without manual
intervention.
If you prefer to do this manually, replace the following symlinks with
either an empty file or your site-local certificate bundle.
* /etc/ssl/cert.pem
* /usr/local/etc/ssl/cert.pem
* /usr/local/openssl/cert.pem
***************************************************************************
```
Obtaining and extracting samba3.6
```
jail1 /root # fetch https://download.samba.org/pub/samba/samba-3.6.25.tar.gz
samba-3.6.25.tar.gz 32 MB 1084 kBps 31s
jail1 /root # tar zxf samba-3.6.25.tar.gz
```
Build configuration
Printer support is not used, and the installation prefix is set to /usr/local.
```
jail1 /root # cd samba-3.6.25/source3/
jail1 /root/samba-3.6.25/source3 # ./configure --prefix=/usr/local --with-configdir=/usr/local/etc --enable-cups=no --enable-iprint=no --enable-external-libtalloc=no
SAMBA VERSION: 3.6.25
-
-
# define SAMBA_VERSION_STRING SAMBA_VERSION_OFFICIAL_STRING
checking build system type... x86_64-unknown-freebsd12.0
checking host system type... x86_64-unknown-freebsd12.0
checking target system type... x86_64-unknown-freebsd12.0
LIBREPLACE_LOCATION_CHECKS: START
LIBREPLACE_LOCATION_CHECKS: END
LIBREPLACE_CC_CHECKS: START
(remainder omitted)
jail1 /root/samba-3.6.25/source3 # make showlayout
Samba will be installed into:
prefix: /usr/local
bindir: /usr/local/bin
sbindir: /usr/local/sbin
libdir: /usr/local/lib
modulesdir: /usr/local/lib
vardir: /usr/local/var
mandir: /usr/local/share/man
privatedir: /usr/local/private
configdir: /usr/local/etc
lockdir: /usr/local/var/locks
statedir: /usr/local/var/locks
cachedir: /usr/local/var/locks
piddir: /usr/local/var/locks
nmbdsocketdir:
swatdir: /usr/local/swat
datadir: /usr/local/share
codepagedir: /usr/local/lib
```
Compiling
```
jail1 /root/samba-3.6.25/source3 # make
Using CFLAGS = -O -I. -I/root/samba-3.6.25/source3 -I/root/samba-3.6.25/source3/../lib/popt -I/root/samba-3.6.25/source3/../lib/iniparser/src -Iinclude -I./include -I. -I. -I./../lib/replace -I./librpc -I./.. -I./../lib/talloc -I./../lib/tevent -I../lib/tdb/include -DHAVE_CONFIG_H -Iinclude -I./include -I. -I. -I./../lib/replace -I./librpc -I./.. -I./../lib/popt -I/root/samba-3.6.25/source3/lib -I.. -D_SAMBA_BUILD_=3 -D_SAMBA_BUILD_=3
PICFLAG = -fPIC -DPIC
LIBS = -lexecinfo -lmd
LDFLAGS = -pie -Wl,-z,relro -L./bin
DYNEXP = -Wl,--export-dynamic
LDSHFLAGS = -fPIC -DPIC -shared -Wl,-z,relro -L./bin -lc -Wl,-z,defs
SHLIBEXT = so
SONAMEFLAG = -Wl,-soname,
(remainder omitted)
jail1 /root/samba-3.6.25/source3 # make install
Using CFLAGS = -O -I. -I/root/samba-3.6.25/source3 -I/root/samba-3.6.25/source3/../lib/popt -I/root/samba-3.6.25/source3/../lib/iniparser/src -Iinclude -I./include -I. -I. -I./../lib/replace -I./librpc -I./.. -I./../lib/talloc -I./../lib/tevent -I../lib/tdb/include -DHAVE_CONFIG_H -Iinclude -I./include -I. -I. -I./../lib/replace -I./librpc -I./.. -I./../lib/popt -I/root/samba-3.6.25/source3/lib -I.. -D_SAMBA_BUILD_=3 -D_SAMBA_BUILD_=3
PICFLAG = -fPIC -DPIC
LIBS = -lexecinfo -lmd
LDFLAGS = -pie -Wl,-z,relro -L./bin
DYNEXP = -Wl,--export-dynamic
LDSHFLAGS = -fPIC -DPIC -shared -Wl,-z,relro -L./bin -lc -Wl,-z,defs
SHLIBEXT = so
SONAMEFLAG = -Wl,-soname,
Installing bin/smbd as ///usr/local/sbin/smbd
Installing bin/nmbd as ///usr/local/sbin/nmbd
Installing bin/swat as ///usr/local/sbin/swat
(remainder omitted)
```
Configuration
Configure Samba so that symbolic links can be followed (`unix extensions = No` together with `wide links = Yes`).
```ini
[global]
netbios name = JAIL1
server string = Samba Server
workgroup = WORKGROUP
dos charset = CP932
unix charset = EUCJP-MS
display charset = EUCJP-MS
security = user
log file = /var/log/samba/log.%m
max log size = 50
unix extensions = No
inherit acls = no
dns proxy = No
create mask = 0666
directory mask = 0777
hosts allow = 192.168.1.
wide links = Yes

[homes]
comment = Home Directories
read only = No
create mask = 0660
directory mask = 0771
browseable = No

[Movie]
comment = 映画
path = /share/movie
read only = No
browseable = yes
```
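The configuration above lets symlinks resolve outside the share path and lets new files in `[Movie]` be created world-writable, while `hosts allow` limits clients to the LAN. As an added example (not part of the original article), this Python check computes the effective per-share values of those settings and reports the risky ones. The function names, the `DEFAULTS` table (Samba 3.6 defaults for these parameters) and the finding texts are choices made for this example.

```python
# Samba 3.6 defaults for the parameters checked below.
DEFAULTS = {"widelinks": "no", "unixextensions": "yes", "hostsallow": "",
            "createmask": "0744", "directorymask": "0755"}
TRUE = {"yes", "true", "1"}

def parse_smb_conf(text):
    """Return {section: {param: value}} with Samba-style folded names."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            # Names are case-insensitive and whitespace in them is ignored.
            conf[section]["".join(key.split()).lower()] = value.strip()
    return conf

def audit(text):
    """Return sorted (share, finding) pairs for risky effective settings."""
    conf = parse_smb_conf(text)
    glob = {**DEFAULTS, **conf.get("global", {})}
    findings = set()
    for share, params in conf.items():
        if share == "global":
            continue
        eff = {**glob, **params}  # share-level values override [global]
        # By default smbd ignores wide links while unix extensions is on, so
        # "wide links = yes" with "unix extensions = no" is the risky pair.
        if eff["widelinks"].lower() in TRUE and glob["unixextensions"].lower() not in TRUE:
            findings.add((share, "symlinks can leave the share path"))
        for key in ("createmask", "directorymask"):
            if int(eff[key], 8) & 0o002:
                findings.add((share, f"{key} permits the world-write bit"))
        if not eff["hostsallow"]:
            findings.add((share, "no hosts allow restriction"))
    return sorted(findings)

# Constructed sample: the security-relevant lines of this page's smb.conf.
SAMPLE = ("[global]\nunix extensions = No\nwide links = Yes\n"
          "create mask = 0666\ndirectory mask = 0777\nhosts allow = 192.168.1.\n"
          "[homes]\ncreate mask = 0660\ndirectory mask = 0771\n"
          "[Movie]\npath = /share/movie\n")

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

On the sample, `[homes]` is flagged only for symlink traversal because its own masks override the global ones, while `[Movie]` inherits `0666`/`0777` and is flagged for both masks as well.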
Adding a user
```
jail1 /usr/local/etc/rc.d # pdbedit -a -u hoge
new password:
retype new password:
Unix username: hoge
NT username:
Account Flags: [U ]
User SID: S-1-5-21-3145854959-2738211068-1601226485-1000
Primary Group SID: S-1-5-21-3145854959-2738211068-1601226485-513
Full Name: hoge hoge
Home Directory: \\jail1\hoge
HomeDir Drive:
Logon Script:
Profile Path: \\jail1\hoge\profile
Domain: JAIL1
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: 9223372036854775807 seconds since the Epoch
Kickoff time: 9223372036854775807 seconds since the Epoch
Password last set: Sun, 03 Mar 2019 22:34:34 JST
Password can change: Sun, 03 Mar 2019 22:34:34 JST
Password must change: never
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
```
Startup configuration
```sh
samba_enable="YES"
```
Create the following startup script (taken from the former ports collection).
```sh
#!/bin/sh
#
# $FreeBSD: branches/2017Q1/net/samba36/files/samba.in 340872 2014-01-24 00:14:07Z mat $
#
# PROVIDE: nmbd smbd
# PROVIDE: winbindd
# REQUIRE: NETWORKING SERVERS DAEMON ldconfig resolv
# REQUIRE: cupsd
# BEFORE: LOGIN
# KEYWORD: shutdown
#
# Add the following lines to /etc/rc.conf.local or /etc/rc.conf
# to enable this service:
#
#samba_enable="YES"
# You can disable/enable any of the Samba daemons by specifying:
#nmbd_enable="NO"
#smbd_enable="NO"
# You need to enable winbindd separately, by adding:
#winbindd_enable="YES"
#
# Configuration file can be set with:
#samba_config="/usr/local/etc/smb.conf"
#

. /etc/rc.subr

name="samba"
rcvar=samba_enable
# Custom commands
extra_commands="reload status"
start_precmd="samba_start_precmd"
start_cmd="samba_cmd"
stop_cmd="samba_cmd"
status_cmd="samba_cmd"
restart_precmd="samba_checkconfig"
reload_precmd="samba_checkconfig"
reload_cmd="samba_reload_cmd"
rcvar_cmd="samba_rcvar_cmd"
# Defaults
samba_config_default="/usr/local/etc/smb.conf"
testparm_command="/usr/local/bin/testparm"
smbcontrol_command="/usr/local/bin/smbcontrol"
samba_parm="${testparm_command} -s -v --parameter-name"
pid_extra=
#
samba_daemons="nmbd smbd"
samba_daemons="${samba_daemons} winbindd"

samba_checkconfig() {
    echo -n "Performing sanity check on Samba configuration: "
    if ${testparm_command} -s ${samba_config:+"${samba_config}"} >/dev/null 2>&1; then #"
        echo "OK"
    else
        echo "FAILED"
        return 1
    fi
    return 0
}

samba_start_precmd() {
    # Make sure rundir exists
    if [ ! -d "/usr/local/var/locks" -a ! -e "/usr/local/var/locks" ]; then
        install -m 0755 -d "/usr/local/var/locks"
    fi
    # XXX: Never delete winbindd_idmap, winbindd_cache and group_mapping
    if [ -n "${samba_lockdir}" -a -d "${samba_lockdir}" ]; then
        echo -n "Removing stale Samba tdb files: "
        for file in brlock.tdb browse.dat connections.tdb gencache.tdb \
                    locking.tdb messages.tdb namelist.debug sessionid.tdb \
                    unexpected.tdb
        do
            rm "${samba_lockdir}/${file}" </dev/null 2>/dev/null && echo -n '.'
        done
        echo " done"
    fi
}

samba_rcvar_cmd() {
    local name rcvar
    rcvar=${name}_enable
    # Prevent recursive calling
    unset "${rc_arg}_cmd" "${rc_arg}_precmd" "${rc_arg}_postcmd"
    # Check master variable
    run_rc_command "${_rc_prefix}${rc_arg}" ${rc_extra_args}
    # Check dependent variables
    for name in ${samba_daemons}; do
        # XXX
        rcvars=''; v=''
        rcvar=${name}_enable
        run_rc_command "${_rc_prefix}${rc_arg}" ${rc_extra_args}
    done
}

samba_reload_cmd() {
    local name rcvar command pidfile force_run
    # Prevent recursive calling
    unset "${rc_arg}_cmd" "${rc_arg}_precmd" "${rc_arg}_postcmd"
    # Ignore rcvar and run command
    if [ -n "${_rc_prefix}" -a "${_rc_prefix}" = "one" ] || [ -n "${rc_force}" ] || [ -n "${rc_fast}" ]; then
        force_run=yes
    fi
    # Apply to all daemons
    for name in ${samba_daemons}; do
        rcvar=${name}_enable
        command="/usr/local/sbin/${name}"
        pidfile="/usr/local/var/locks/${name}${pid_extra}.pid"
        # Daemon should be enabled and running
        if ( [ -n "${rcvar}" ] && checkyesno "${rcvar}" ) || [ -n "$force_run" ]; then
            if [ -n "$(check_pidfile "${pidfile}" "${command}")" ]; then
                debug "reloading ${name} configuration"
                echo "Reloading ${name}."
                # XXX: Hack with pid_extra
                ${smbcontrol_command} "${name}${pid_extra}" 'reload-config' ${command_args} >/dev/null 2>&1
            fi
        fi
    done
}

samba_cmd() {
    local name rcvar rcvars v command pidfile samba_daemons result force_run
    # Prevent recursive calling
    unset "${rc_arg}_cmd" "${rc_arg}_precmd" "${rc_arg}_postcmd"
    # Stop processes in the reverse order
    if [ "${rc_arg}" = "stop" ] ; then
        samba_daemons=$(reverse_list ${samba_daemons})
    fi
    # Ignore rcvar and run command
    if [ -n "${_rc_prefix}" -a "${_rc_prefix}" = "one" ] || [ -n "${rc_force}" ] || [ -n "${rc_fast}" ]; then
        force_run=yes
    fi
    # Assume success
    result=0
    # Apply to all daemons
    for name in ${samba_daemons}; do
        # XXX
        rcvars=''; v=''
        rcvar=${name}_enable
        command="/usr/local/sbin/${name}"
        pidfile="/usr/local/var/locks/${name}${pid_extra}.pid"
        # Daemon should be enabled and running
        if ( [ -n "${rcvar}" ] && checkyesno "${rcvar}" ) || [ -n "$force_run" ]; then
            run_rc_command "${_rc_prefix}${rc_arg}" ${rc_extra_args}
            # If any of the commands failed, take it as a global result
            result=$((${result} || $?))
        fi
    done
    return ${result}
}

samba_config_init() {
    local name
    # Load configuration
    load_rc_config "${name}"
    for name in ${samba_daemons}; do
        load_rc_config "${name}"
    done
    # Location of the config
    samba_config=${samba_config="${samba_config_default}"} #"
    # XXX: Hack to work around name change of pid file with non-default config
    if [ -n "${samba_config}" -a "${samba_config}" != "${samba_config_default}" ]; then
        pid_extra="-$(basename "${samba_config}")"
    fi
    # Defaults
    samba_enable=${samba_enable:=NO}
    # Setup dependent variables
    if [ -n "${rcvar}" ] && checkyesno "${rcvar}"; then
        nmbd_enable=${nmbd_enable=YES}
        smbd_enable=${smbd_enable=YES}
    fi
    nmbd_enable=${nmbd_enable:=NO}
    smbd_enable=${smbd_enable:=NO}
    # Winbindd
    if [ -z "${winbind_enable}" ]; then
        samba_idmap=$(${samba_parm} 'idmap uid' "${samba_config}" 2>/dev/null)
        # Check that winbindd is actually configured
        if [ -n "${samba_idmap}" ]; then
            winbindd_enable="YES"
        fi
        winbindd_enable=${winbindd_enable:=NO}
    fi
}

# Load configuration variables
samba_config_init
# Where is the lockdir
samba_lockdir=$(${samba_parm} 'lock directory' "${samba_config}" 2>/dev/null)
# Common flags
command_args=${samba_config:+-s "${samba_config}"} #"
nmbd_flags=${nmbd_flags="-D"}
smbd_flags=${smbd_flags="-D"}
winbindd_flags=${winbindd_flags=''}
# Requirements
required_files="${samba_config}"
required_dirs="${samba_lockdir}"

run_rc_command "$1"
```
```
jail1 /root # service samba start
Removing stale Samba tdb files: done
Starting nmbd.
Starting smbd.
```