---
title: Building a Home Server with FreeBSD 12 - File Server
tags: FreeBSD samba
author: Chun3
slide: false
---

## Introduction

I built a home server using FreeBSD 12. FreeBSD 12 had only just been released, but I chose it because VIMAGE is now included in the kernel by default, which lets the external-facing and internal-facing DNS run as separate systems (jail + VIMAGE) on the same host. This series documents the build procedure in several parts, partly as a memo for myself.

* [Base system, part 1](https://qiita.com/Chun3/items/2f891e5993c91b58ae5c)
    - Background
    - Basic installation
    - Japanese environment settings
* [Base system, part 2](https://qiita.com/Chun3/items/1e8fe5071c4a78d37e66)
    - Security
    - ftp server
* [Base system, part 3](https://qiita.com/Chun3/items/e5cc6a69542153649dc0)
    - jail
    - End of the base system parts
* [Base system inside the jails](https://qiita.com/Chun3/items/4b11b9acdd080ecdab6c)
    - Basic settings (common to jail1 and jail2)
* [DNS](https://qiita.com/Chun3/items/95ad3113202d111ee53c)
    - Problems so far in building DNS
    - bind9 installation
    - NTP server
* [Let's Encrypt](https://qiita.com/Chun3/items/4814c25c09756690133f)
    - About Let's Encrypt
    - Installing certbot
    - Settings
    - Obtaining certificates
* [Web server](https://qiita.com/Chun3/items/286e567952cd9faf279f)
    - Installation (apache2.4, webalizer, php7.3, postgresql11.2, mysql8.0)
    - Settings
* [Mail server](https://qiita.com/Chun3/items/dc0e176c9de4f6b4bfb8)
    - Installation (cyrus-sasl, postfix, dovecot, procmail, pflogsumm, policyd-spf)
    - Settings and startup
    - SPF record sending settings
* [File server](https://qiita.com/Chun3/items/356b7fadd7aa5280ec65) (this article)
    - Choosing a Samba version
    - Installing samba3
* [Mail server, part 2](https://qiita.com/Chun3/items/4c15ee889b052df67bbd)
    - Overview
    - OpenDKIM
    - OpenDMARC
    - ClamAV (clamav-milter)
    - SpamAssassin (spamass-milter)

## Choosing a Samba version

On FreeBSD, Samba is at samba48-4.8.9_1 (as of 2019/3/3). However, I am still using samba3.6. I tested samba48 this time, but could not resolve a problem with Japanese file and directory names.

This problem does not occur when the client is a Windows PC. From a REGZA (a Toshiba TV), however, files with Japanese names become invisible. On the 4K REGZA I recently bought as a combined PC display and TV, Japanese files on samba48 appear to be visible as expected. The family REGZA, however, is old (perhaps the cifsfs in the REGZA's Linux is from the samba3 line?), and as described above Japanese names cannot be seen.

The results are summarized below. I doubt anyone installs samba3 at this point, but once again I install samba3.6, the last version of samba3, from source (it has been removed from the ports collection).

### samba3.6

| Model | Japanese share name | Japanese folder name | Japanese file name |
|:-:|:-:|:-:|:-:|
| 42Z1 | x | o | o |
| 40M510X | x | o | o |

### samba4.8

| Model | Japanese share name | Japanese folder name | Japanese file name |
|:-:|:-:|:-:|:-:|
| 42Z1 | x | x | x |
| 40M510X | x | o | o |

- 42Z1 : made in 2010
- 40M510X : made in 2017

## Installing samba3

I found that fetch could not download files from https sites. Installing the following certificate package appears to fix it.

```
jail1 /root # pkg install ca_root_nss
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
        ca_root_nss: 3.42.1

Number of packages to be installed: 1

290 KiB to be downloaded.
[jail1] [1/1] Fetching ca_root_nss-3.42.1.txz: 100% 290 KiB 148.5kB/s 00:02
Checking integrity... done (0 conflicting)
[jail1] [1/1] Installing ca_root_nss-3.42.1...
[jail1] [1/1] Extracting ca_root_nss-3.42.1: 100%
Message from ca_root_nss-3.42.1:

********************************* WARNING *********************************

FreeBSD does not, and can not warrant that the certification authorities
whose certificates are included in this package have in any way been
audited for trustworthiness or RFC 3647 compliance.

Assessment and verification of trust is the complete responsibility of the
system administrator.

*********************************** NOTE **********************************

This package installs symlinks to support root certificates discovery by
default for software that uses OpenSSL.

This enables SSL Certificate Verification by client software without manual
intervention.

If you prefer to do this manually, replace the following symlinks with
either an empty file or your site-local certificate bundle.

  * /etc/ssl/cert.pem
  * /usr/local/etc/ssl/cert.pem
  * /usr/local/openssl/cert.pem
***************************************************************************
```

### Obtaining and extracting samba3.6

```
jail1 /root # fetch https://download.samba.org/pub/samba/samba-3.6.25.tar.gz
samba-3.6.25.tar.gz 32 MB 1084 kBps 31s
jail1 /root # tar zxf samba-3.6.25.tar.gz
```

### Compile configuration

Printer support is not used, and the install prefix is /usr/local.

```
jail1 /root # cd samba-3.6.25/source3/
jail1 /root/samba-3.6.25/source3 # ./configure --prefix=/usr/local --with-configdir=/usr/local/etc --enable-cups=no --enable-iprint=no
SAMBA VERSION: 3.6.25
-
-
# define SAMBA_VERSION_STRING SAMBA_VERSION_OFFICIAL_STRING
checking build system type... x86_64-unknown-freebsd12.0
checking host system type... x86_64-unknown-freebsd12.0
checking target system type... x86_64-unknown-freebsd12.0
LIBREPLACE_LOCATION_CHECKS: START
LIBREPLACE_LOCATION_CHECKS: END
LIBREPLACE_CC_CHECKS: START
(rest omitted)
jail1 /root/samba-3.6.25/source3 # make showlayout
Samba will be installed into:
  prefix:        /usr/local
  bindir:        /usr/local/bin
  sbindir:       /usr/local/sbin
  libdir:        /usr/local/lib
  modulesdir:    /usr/local/lib
  vardir:        /usr/local/var
  mandir:        /usr/local/share/man
  privatedir:    /usr/local/private
  configdir:     /usr/local/etc
  lockdir:       /usr/local/var/locks
  statedir:      /usr/local/var/locks
  cachedir:      /usr/local/var/locks
  piddir:        /usr/local/var/locks
  nmbdsocketdir:
  swatdir:       /usr/local/swat
  datadir:       /usr/local/share
  codepagedir:   /usr/local/lib
```

### Compile

```
jail1 /root/samba-3.6.25/source3 # make
Using CFLAGS = -O -I. -I/root/samba-3.6.25/source3 -I/root/samba-3.6.25/source3/../lib/popt -I/root/samba-3.6.25/source3/../lib/iniparser/src -Iinclude -I./include -I. -I. -I./../lib/replace -I./librpc -I./.. -I./../lib/talloc -I./../lib/tevent -I../lib/tdb/include -DHAVE_CONFIG_H -Iinclude -I./include -I. -I. -I./../lib/replace -I./librpc -I./.. -I./../lib/popt -I/root/samba-3.6.25/source3/lib -I.. -D_SAMBA_BUILD_=3 -D_SAMBA_BUILD_=3
      PICFLAG = -fPIC -DPIC
      LIBS = -lexecinfo -lmd
      LDFLAGS = -pie -Wl,-z,relro -L./bin
      DYNEXP = -Wl,--export-dynamic
      LDSHFLAGS = -fPIC -DPIC -shared -Wl,-z,relro -L./bin -lc -Wl,-z,defs
      SHLIBEXT = so
      SONAMEFLAG = -Wl,-soname,
(rest omitted)
jail1 /root/samba-3.6.25/source3 # make install
Using CFLAGS = -O -I. -I/root/samba-3.6.25/source3 -I/root/samba-3.6.25/source3/../lib/popt -I/root/samba-3.6.25/source3/../lib/iniparser/src -Iinclude -I./include -I. -I. -I./../lib/replace -I./librpc -I./.. -I./../lib/talloc -I./../lib/tevent -I../lib/tdb/include -DHAVE_CONFIG_H -Iinclude -I./include -I. -I. -I./../lib/replace -I./librpc -I./.. -I./../lib/popt -I/root/samba-3.6.25/source3/lib -I.. -D_SAMBA_BUILD_=3 -D_SAMBA_BUILD_=3
      PICFLAG = -fPIC -DPIC
      LIBS = -lexecinfo -lmd
      LDFLAGS = -pie -Wl,-z,relro -L./bin
      DYNEXP = -Wl,--export-dynamic
      LDSHFLAGS = -fPIC -DPIC -shared -Wl,-z,relro -L./bin -lc -Wl,-z,defs
      SHLIBEXT = so
      SONAMEFLAG = -Wl,-soname,
Installing bin/smbd as ///usr/local/sbin/smbd
Installing bin/nmbd as ///usr/local/sbin/nmbd
Installing bin/swat as ///usr/local/sbin/swat
(rest omitted)
```

### Configuration

Configure Samba so that symbolic links can be followed.

```/usr/local/etc/smb.conf
[global]
    netbios name = JAIL1
    server string = Samba Server
    workgroup = WORKGROUP
    dos charset = CP932
    unix charset = EUCJP-MS
    display charset = EUCJP-MS
    security = user
    log file = /var/log/samba/log.%m
    max log size = 50
    unix extensions = No
    inherit acls = no
    dns proxy = No
    create mask = 0666
    directory mask = 0777
    hosts allow = 192.168.1.
    # wide links only takes effect while unix extensions is off (set above)
    wide links = Yes

[homes]
    comment = Home Directories
    read only = No
    create mask = 0660
    directory mask = 0771
    browseable = No

[Movie]
    comment = 映画
    path = /share/movie
    read only = No
    browseable = yes
```

### Adding a user

```
jail1 /usr/local/etc/rc.d # pdbedit -a -u hoge
new password:
retype new password:
Unix username:        hoge
NT username:
Account Flags:        [U          ]
User SID:             S-1-5-21-3145854959-2738211068-1601226485-1000
Primary Group SID:    S-1-5-21-3145854959-2738211068-1601226485-513
Full Name:            hoge hoge
Home Directory:       \\jail1\hoge
HomeDir Drive:
Logon Script:
Profile Path:         \\jail1\hoge\profile
Domain:               JAIL1
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          9223372036854775807 seconds since the Epoch
Kickoff time:         9223372036854775807 seconds since the Epoch
Password last set:    Sun, 03 Mar 2019 22:34:34 JST
Password can change:  Sun, 03 Mar 2019 22:34:34 JST
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
```

### Startup configuration

```sh:/etc/rc.conf
samba_enable="YES"
```

Create the following startup script (taken from the earlier ports collection).

```sh:/usr/local/etc/rc.d/samba
#!/bin/sh
#
# $FreeBSD: branches/2017Q1/net/samba36/files/samba.in 340872 2014-01-24 00:14:07Z mat $
#

# PROVIDE: nmbd smbd
# PROVIDE: winbindd
# REQUIRE: NETWORKING SERVERS DAEMON ldconfig resolv
# REQUIRE: cupsd
# BEFORE: LOGIN
# KEYWORD: shutdown
#
# Add the following lines to /etc/rc.conf.local or /etc/rc.conf
# to enable this service:
#
#samba_enable="YES"
# You can disable/enable any of the Samba daemons by specifying:
#nmbd_enable="NO"
#smbd_enable="NO"
# You need to enable winbindd separately, by adding:
#winbindd_enable="YES"
#
# Configuration file can be set with:
#samba_config="/usr/local/etc/smb.conf"
#

. /etc/rc.subr

name="samba"
rcvar=samba_enable
# Custom commands
extra_commands="reload status"
start_precmd="samba_start_precmd"
start_cmd="samba_cmd"
stop_cmd="samba_cmd"
status_cmd="samba_cmd"
restart_precmd="samba_checkconfig"
reload_precmd="samba_checkconfig"
reload_cmd="samba_reload_cmd"
rcvar_cmd="samba_rcvar_cmd"
# Defaults
samba_config_default="/usr/local/etc/smb.conf"
testparm_command="/usr/local/bin/testparm"
smbcontrol_command="/usr/local/bin/smbcontrol"
samba_parm="${testparm_command} -s -v --parameter-name"
pid_extra=
#
samba_daemons="nmbd smbd"
samba_daemons="${samba_daemons} winbindd"

samba_checkconfig() {
    echo -n "Performing sanity check on Samba configuration: "
    if ${testparm_command} -s ${samba_config:+"${samba_config}"} >/dev/null 2>&1; then #"
        echo "OK"
    else
        echo "FAILED"
        return 1
    fi
    return 0
}

samba_start_precmd() {
    # Make sure rundir exists
    if [ ! -d "/usr/local/var/locks" -a ! -e "/usr/local/var/locks" ]; then
        install -m 0755 -d "/usr/local/var/locks"
    fi
    # XXX: Never delete winbindd_idmap, winbindd_cache and group_mapping
    if [ -n "${samba_lockdir}" -a -d "${samba_lockdir}" ]; then
        echo -n "Removing stale Samba tdb files: "
        for file in brlock.tdb browse.dat connections.tdb gencache.tdb \
                    locking.tdb messages.tdb namelist.debug sessionid.tdb \
                    unexpected.tdb
        do
            # stdin and stderr go to /dev/null so rm never prompts and
            # stays quiet about files that do not exist
            rm "${samba_lockdir}/${file}" </dev/null 2>/dev/null && echo -n '.'
        done
        echo " done"
    fi
}

samba_rcvar_cmd() {
    local name rcvar
    rcvar=${name}_enable
    # Prevent recursive calling
    unset "${rc_arg}_cmd" "${rc_arg}_precmd" "${rc_arg}_postcmd"
    # Check master variable
    run_rc_command "${_rc_prefix}${rc_arg}" ${rc_extra_args}
    # Check dependent variables
    for name in ${samba_daemons}; do
        # XXX
        rcvars=''; v=''
        rcvar=${name}_enable
        run_rc_command "${_rc_prefix}${rc_arg}" ${rc_extra_args}
    done
}

samba_reload_cmd() {
    local name rcvar command pidfile force_run
    # Prevent recursive calling
    unset "${rc_arg}_cmd" "${rc_arg}_precmd" "${rc_arg}_postcmd"
    # Ignore rcvar and run command
    if [ -n "${_rc_prefix}" -a "${_rc_prefix}" = "one" ] || [ -n "${rc_force}" ] || [ -n "${rc_fast}" ]; then
        force_run=yes
    fi
    # Apply to all daemons
    for name in ${samba_daemons}; do
        rcvar=${name}_enable
        command="/usr/local/sbin/${name}"
        pidfile="/usr/local/var/locks/${name}${pid_extra}.pid"
        # Daemon should be enabled and running
        if ( [ -n "${rcvar}" ] && checkyesno "${rcvar}" ) || [ -n "$force_run" ]; then
            if [ -n "$(check_pidfile "${pidfile}" "${command}")" ]; then
                debug "reloading ${name} configuration"
                echo "Reloading ${name}."
                # XXX: Hack with pid_extra
                ${smbcontrol_command} "${name}${pid_extra}" 'reload-config' ${command_args} >/dev/null 2>&1
            fi
        fi
    done
}

samba_cmd() {
    local name rcvar rcvars v command pidfile samba_daemons result force_run
    # Prevent recursive calling
    unset "${rc_arg}_cmd" "${rc_arg}_precmd" "${rc_arg}_postcmd"
    # Stop processes in the reverse order
    if [ "${rc_arg}" = "stop" ] ; then
        samba_daemons=$(reverse_list ${samba_daemons})
    fi
    # Ignore rcvar and run command
    if [ -n "${_rc_prefix}" -a "${_rc_prefix}" = "one" ] || [ -n "${rc_force}" ] || [ -n "${rc_fast}" ]; then
        force_run=yes
    fi
    # Assume success
    result=0
    # Apply to all daemons
    for name in ${samba_daemons}; do
        # XXX
        rcvars=''; v=''
        rcvar=${name}_enable
        command="/usr/local/sbin/${name}"
        pidfile="/usr/local/var/locks/${name}${pid_extra}.pid"
        # Daemon should be enabled and running
        if ( [ -n "${rcvar}" ] && checkyesno "${rcvar}" ) || [ -n "$force_run" ]; then
            run_rc_command "${_rc_prefix}${rc_arg}" ${rc_extra_args}
            # If any of the commands failed, take it as a global result
            result=$((${result} || $?))
        fi
    done
    return ${result}
}

samba_config_init() {
    local name
    # Load configuration
    load_rc_config "${name}"
    for name in ${samba_daemons}; do
        load_rc_config "${name}"
    done
    # Location of the config
    samba_config=${samba_config="${samba_config_default}"} #"
    # XXX: Hack to work around name change of pid file with non-default config
    if [ -n "${samba_config}" -a "${samba_config}" != "${samba_config_default}" ]; then
        pid_extra="-$(basename "${samba_config}")"
    fi
    # Defaults
    samba_enable=${samba_enable:=NO}
    # Setup dependent variables
    if [ -n "${rcvar}" ] && checkyesno "${rcvar}"; then
        nmbd_enable=${nmbd_enable=YES}
        smbd_enable=${smbd_enable=YES}
    fi
    nmbd_enable=${nmbd_enable:=NO}
    smbd_enable=${smbd_enable:=NO}
    # Winbindd
    if [ -z "${winbind_enable}" ]; then
        samba_idmap=$(${samba_parm} 'idmap uid' "${samba_config}" 2>/dev/null)
        # Check that winbindd is actually configured
        if [ -n "${samba_idmap}" ]; then
            winbindd_enable="YES"
        fi
        winbindd_enable=${winbindd_enable:=NO}
    fi
}

# Load configuration variables
samba_config_init
# Where is the lockdir
samba_lockdir=$(${samba_parm} 'lock directory' "${samba_config}" 2>/dev/null)
# Common flags
command_args=${samba_config:+-s "${samba_config}"} #"
nmbd_flags=${nmbd_flags="-D"}
smbd_flags=${smbd_flags="-D"}
winbindd_flags=${winbindd_flags=''}
# Requirements
required_files="${samba_config}"
required_dirs="${samba_lockdir}"

run_rc_command "$1"
```

```
jail1 /root # service samba start
Removing stale Samba tdb files: done
Starting nmbd.
Starting smbd.
```
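With `wide links = Yes` and `unix extensions = No` as in the smb.conf above, smbd follows a symlink inside a share even when it resolves outside the share path, so every such link widens what `[Movie]` or a home directory exposes. The script below is an added example, not part of the original article: it lists the symlinks under a share root that leave it. The function name `audit_wide_links` and the demo tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original article.
# audit_wide_links SHARE_ROOT
#   Prints "OUTSIDE <link> -> <target>" for every symlink whose resolved
#   target is outside SHARE_ROOT, and "BROKEN <link>" for dangling links.
#   Returns 1 if any link leaves the share, 0 if none, 2 on a bad argument.
audit_wide_links() {
    root=$(realpath "$1" 2>/dev/null) || { echo "cannot resolve: $1" >&2; return 2; }
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    findings=$(
        find "$root" -type l -print | while IFS= read -r link; do
            # -e follows the link, so it is false for a dangling symlink
            if [ ! -e "$link" ]; then
                echo "BROKEN $link"
                continue
            fi
            target=$(realpath "$link")
            case "$target" in
                "$root"|"$root"/*) ;;   # resolves inside the share
                *) echo "OUTSIDE $link -> $target" ;;
            esac
        done
    )
    if [ -n "$findings" ]; then printf '%s\n' "$findings"; fi
    if printf '%s\n' "$findings" | grep -q '^OUTSIDE '; then return 1; fi
    return 0
}

# Constructed demo tree standing in for /share/movie.
demo=$(mktemp -d)
mkdir -p "$demo/share/movie" "$demo/private"
echo secret > "$demo/private/key"
echo data > "$demo/share/movie/a.mp4"
ln -s "$demo/private/key" "$demo/share/movie/shortcut"   # leaves the share
ln -s a.mp4 "$demo/share/movie/alias"                    # stays inside
audit_wide_links "$demo/share/movie"
echo "exit status: $?"
rm -rf "$demo"
```

Run it against each `path` in smb.conf and against the home directories served by `[homes]`; a non-zero exit status means at least one link reaches outside the share.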