Chun3

Posted
Changes in title
+FreeBSD 12 で自宅サーバ作成(ファイルサーバ編)
Changes in tags
Changes in body
@@ -0,0 +1,462 @@
+## はじめに
+FreeBSD 12を使用した自宅サーバの構築を行った。FreeBSD 12はリリースされて間もない状態ですが、カーネルに標準でVIMAGEが取り込まれDNSの外向きと、内向きを別々のシステム(jail+VIMAGE)が同一ホストで構築できることから採用することにしました。その時の構築手順を備忘録の意味も含め、具体的にいくつかに渡り説明する。
+
+* [基本システム編その1](https://qiita.com/Chun3/items/2f891e5993c91b58ae5c)
+ - 背景
+ - 基本のインストール
+ - 日本語環境の設定
+* [基本システム編その2](https://qiita.com/Chun3/items/1e8fe5071c4a78d37e66)
+ - セキュリティ
+ - ftpサーバ
+* [基本システム編その3](https://qiita.com/Chun3/items/e5cc6a69542153649dc0)
+ - jail
+ - 基本システム編おわり
+* [jail内基本システム編](https://qiita.com/Chun3/items/4b11b9acdd080ecdab6c)
+ - 基本の設定(jail1・jail2共通)
+* [DNS編](https://qiita.com/Chun3/items/95ad3113202d111ee53c)
+ - DNSの構築におけるこれまでの問題
+ - bind9インストール
+ - NTPサーバ
+* [Let's Encrypt編](https://qiita.com/Chun3/items/4814c25c09756690133f)
+ - Let's Encryptについて
+ - certbotのインストール
+ - 各種設定
+ - 証明書の取得
+* [Webサーバ編](https://qiita.com/Chun3/items/286e567952cd9faf279f)
+ - インストール(apache2.4・webalizer・php7.3・postgresql11.2・mysql8.0)
+ - 設定
+* [メールサーバ編](https://qiita.com/Chun3/items/dc0e176c9de4f6b4bfb8)
+ - インストール(cyrus-sasl・postfix・dovecot・procmail・pflogsumm・policyd-spf)
+ - 設定・起動
+ - spfレコード送信設定
+* [ファイルサーバ編](https://qiita.com/Chun3/items/356b7fadd7aa5280ec65)(この記事)
+ - sambaの選択
+ - samba3のインストール
+
+## sambaの選択
+sambaはFreeBSDでは、samba48-4.8.9_1(2019/3/3現在)になっている。しかし、いまだsamba3.6を使用している。今回samba48を確認したが、日本語ファイル名・ディレクトリー名に問題が解決できなかった。
+この問題は、クライアントがWindowsパソコンであれば発生しない。しかし、REGZA(東芝製のTV)から日本語ファイルが見えなくなるのである。最近、パソコンの表示兼TV視聴用に購入した4kREGZAではsamba48の日本語ファイルはちゃんと見えるようである。しかし、家族用のREGZAは古いため(linux(REGZA)のcifsfsがsamba3系なのか?)か、前述の通り日本語が見えないのである。
+まとめると以下の通りである。
+今更にsamba3をインストールする人はいないと思うが、今回もsamba3の最後のバージョンであるsamba3.6をソースからインストールする(ports collectionから削除されている)。
+###samba3.6
+
+| 機種 | 日本語共有名 | 日本語フォルダ名 | 日本語ファイル名 |
+|:-:|:-:|:-:|:-:|
+| 42Z1 | x | o | o |
+| 40M510X | x | o | o |
+
+###samba4.8
+
+| 機種 | 日本語共有名 | 日本語フォルダ名 | 日本語ファイル名 |
+|:-:|:-:|:-:|:-:|
+| 42Z1 | x | x | x |
+| 40M510X | x | o | o |
+
+- 42Z1 : 2010年製
+- 40M510X : 2017年製
+
+## samba3のインストール
+fetchでhttpsサイトからファイルをダウンロードできないことがわかった。以下の証明書をインストールすれば良いようだ。
+
+```
+jail1 /root # pkg install ca_root_nss
+Updating FreeBSD repository catalogue...
+FreeBSD repository is up to date.
+All repositories are up to date.
+The following 1 package(s) will be affected (of 0 checked):
+
+New packages to be INSTALLED:
+ ca_root_nss: 3.42.1
+
+Number of packages to be installed: 1
+
+290 KiB to be downloaded.
+[jail1] [1/1] Fetching ca_root_nss-3.42.1.txz: 100% 290 KiB 148.5kB/s 00:02
+Checking integrity... done (0 conflicting)
+[jail1] [1/1] Installing ca_root_nss-3.42.1...
+[jail1] [1/1] Extracting ca_root_nss-3.42.1: 100%
+Message from ca_root_nss-3.42.1:
+
+********************************* WARNING *********************************
+
+FreeBSD does not, and can not warrant that the certification authorities
+whose certificates are included in this package have in any way been
+audited for trustworthiness or RFC 3647 compliance.
+
+Assessment and verification of trust is the complete responsibility of the
+system administrator.
+
+*********************************** NOTE **********************************
+
+This package installs symlinks to support root certificates discovery by
+default for software that uses OpenSSL.
+
+This enables SSL Certificate Verification by client software without manual
+intervention.
+
+If you prefer to do this manually, replace the following symlinks with
+either an empty file or your site-local certificate bundle.
+
+ * /etc/ssl/cert.pem
+ * /usr/local/etc/ssl/cert.pem
+ * /usr/local/openssl/cert.pem
+
+***************************************************************************
+```
+
+### samba3.6の入手・解凍
+
+```
+jail1 /root # fetch https://download.samba.org/pub/samba/samba-3.6.25.tar.gz
+samba-3.6.25.tar.gz 32 MB 1084 kBps 31s
+jail1 /root # tar zxf samba-3.6.25.tar.gz
+```
+
+### コンパイル設定
+プリンターを使用しせず、インストール先を/usr/localにする。
+
+```
+jail1 /root # cd samba-3.6.25/source3/
+jail1 /root/samba-3.6.25/source3 # ./configure --prefix=/usr/local --with-configdir=/usr/local/etc --enable-cups=no --enable-iprint=no
+SAMBA VERSION: 3.6.25
+-
+-
+# define SAMBA_VERSION_STRING SAMBA_VERSION_OFFICIAL_STRING
+checking build system type... x86_64-unknown-freebsd12.0
+checking host system type... x86_64-unknown-freebsd12.0
+checking target system type... x86_64-unknown-freebsd12.0
+LIBREPLACE_LOCATION_CHECKS: START
+LIBREPLACE_LOCATION_CHECKS: END
+LIBREPLACE_CC_CHECKS: START
+(以下省略)
+jail1 /root/samba-3.6.25/source3 # make showlayout
+Samba will be installed into:
+ prefix: /usr/local
+ bindir: /usr/local/bin
+ sbindir: /usr/local/sbin
+ libdir: /usr/local/lib
+ modulesdir: /usr/local/lib
+ vardir: /usr/local/var
+ mandir: /usr/local/share/man
+ privatedir: /usr/local/private
+ configdir: /usr/local/etc
+ lockdir: /usr/local/var/locks
+ statedir: /usr/local/var/locks
+ cachedir: /usr/local/var/locks
+ piddir: /usr/local/var/locks
+ nmbdsocketdir:
+ swatdir: /usr/local/swat
+ datadir: /usr/local/share
+ codepagedir: /usr/local/lib
+```
+
+### コンパイル
+
+```
+jail1 /root/samba-3.6.25/source3 # make
+Using CFLAGS = -O -I. -I/root/samba-3.6.25/source3 -I/root/samba-3.6.25/source3/../lib/popt -I/root/samba-3.6.25/source3/../lib/iniparser/src -Iinclude -I./include -I. -I. -I./../lib/replace -I./librpc -I./.. -I./../lib/talloc -I./../lib/tevent -I../lib/tdb/include -DHAVE_CONFIG_H -Iinclude -I./include -I. -I. -I./../lib/replace -I./librpc -I./.. -I./../lib/popt -I/root/samba-3.6.25/source3/lib -I.. -D_SAMBA_BUILD_=3 -D_SAMBA_BUILD_=3
+ PICFLAG = -fPIC -DPIC
+ LIBS = -lexecinfo -lmd
+ LDFLAGS = -pie -Wl,-z,relro -L./bin
+ DYNEXP = -Wl,--export-dynamic
+ LDSHFLAGS = -fPIC -DPIC -shared -Wl,-z,relro -L./bin -lc -Wl,-z,defs
+ SHLIBEXT = so
+ SONAMEFLAG = -Wl,-soname,
+(以下省略)
+jail1 /root/samba-3.6.25/source3 # make install
+Using CFLAGS = -O -I. -I/root/samba-3.6.25/source3 -I/root/samba-3.6.25/source3/../lib/popt -I/root/samba-3.6.25/source3/../lib/iniparser/src -Iinclude -I./include -I. -I. -I./../lib/replace -I./librpc -I./.. -I./../lib/talloc -I./../lib/tevent -I../lib/tdb/include -DHAVE_CONFIG_H -Iinclude -I./include -I. -I. -I./../lib/replace -I./librpc -I./.. -I./../lib/popt -I/root/samba-3.6.25/source3/lib -I.. -D_SAMBA_BUILD_=3 -D_SAMBA_BUILD_=3
+ PICFLAG = -fPIC -DPIC
+ LIBS = -lexecinfo -lmd
+ LDFLAGS = -pie -Wl,-z,relro -L./bin
+ DYNEXP = -Wl,--export-dynamic
+ LDSHFLAGS = -fPIC -DPIC -shared -Wl,-z,relro -L./bin -lc -Wl,-z,defs
+ SHLIBEXT = so
+ SONAMEFLAG = -Wl,-soname,
+Installing bin/smbd as ///usr/local/sbin/smbd
+Installing bin/nmbd as ///usr/local/sbin/nmbd
+Installing bin/swat as ///usr/local/sbin/swat
+(以下省略)
+```
+
+### 設定
+ソフトリンクが辿れる用に設定する。
+
+```/usr/local/etc/smb.conf
+[global]
+ netbios name = JAIL1
+ server string = Samba Server
+ workgroup = WORKGROUP
+ dos charset = CP932
+ unix charset = EUCJP-MS
+ display charset = EUCJP-MS
+ security = user
+ log file = /var/log/samba/log.%m
+ max log size = 50
+ unix extensions = No
+ inherit acls = no
+ dns proxy = No
+ create mask = 0666
+ directory mask = 0777
+ hosts allow = 192.168.1.
+ wide links = Yes
+
+[homes]
+ comment = Home Directories
+ read only = No
+ create mask = 0660
+ directory mask = 0771
+ browseable = No
+
+[Movie]
+ comment = 映画
+ path = /share/movie
+ read only = No
+ browseable = yes
+```
+
+### ユーザの追加
+
+```
+jail1 /usr/local/etc/rc.d # pdbedit -a -u hoge
+new password:
+retype new password:
+Unix username: hoge
+NT username:
+Account Flags: [U ]
+User SID: S-1-5-21-3145854959-2738211068-1601226485-1000
+Primary Group SID: S-1-5-21-3145854959-2738211068-1601226485-513
+Full Name: hoge hoge
+Home Directory: \\jail1\hoge
+HomeDir Drive:
+Logon Script:
+Profile Path: \\jail1\hoge\profile
+Domain: JAIL1
+Account desc:
+Workstations:
+Munged dial:
+Logon time: 0
+Logoff time: 9223372036854775807 seconds since the Epoch
+Kickoff time: 9223372036854775807 seconds since the Epoch
+Password last set: Sun, 03 Mar 2019 22:34:34 JST
+Password can change: Sun, 03 Mar 2019 22:34:34 JST
+Password must change: never
+Last bad password : 0
+Bad password count : 0
+Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+```
+
+### 起動設定
+
+```sh:/etc/rc.conf
+samba_enable="YES"
+```
+
+以下の起動スクリプトを作成する(以前のports collenctionより)
+
+```/usr/local/etc/rc.d/samba
+#!/bin/sh
+#
+# $FreeBSD: branches/2017Q1/net/samba36/files/samba.in 340872 2014-01-24 00:14:07Z mat $
+#
+
+# PROVIDE: nmbd smbd
+# PROVIDE: winbindd
+# REQUIRE: NETWORKING SERVERS DAEMON ldconfig resolv
+# REQUIRE: cupsd
+# BEFORE: LOGIN
+# KEYWORD: shutdown
+#
+# Add the following lines to /etc/rc.conf.local or /etc/rc.conf
+# to enable this service:
+#
+#samba_enable="YES"
+# You can disable/enable any of the Samba daemons by specifying:
+#nmbd_enable="NO"
+#smbd_enable="NO"
+# You need to enable winbindd separately, by adding:
+#winbindd_enable="YES"
+#
+# Configuration file can be set with:
+#samba_config="/usr/local/etc/smb.conf"
+#
+
+. /etc/rc.subr
+
+name="samba"
+rcvar=samba_enable
+# Custom commands
+extra_commands="reload status"
+start_precmd="samba_start_precmd"
+start_cmd="samba_cmd"
+stop_cmd="samba_cmd"
+status_cmd="samba_cmd"
+restart_precmd="samba_checkconfig"
+reload_precmd="samba_checkconfig"
+reload_cmd="samba_reload_cmd"
+rcvar_cmd="samba_rcvar_cmd"
+# Defaults
+samba_config_default="/usr/local/etc/smb.conf"
+testparm_command="/usr/local/bin/testparm"
+smbcontrol_command="/usr/local/bin/smbcontrol"
+samba_parm="${testparm_command} -s -v --parameter-name"
+pid_extra=
+#
+samba_daemons="nmbd smbd"
+samba_daemons="${samba_daemons} winbindd"
+
+samba_checkconfig() {
+ echo -n "Performing sanity check on Samba configuration: "
+ if ${testparm_command} -s ${samba_config:+"${samba_config}"} >/dev/null 2>&1; then #"
+ echo "OK"
+ else
+ echo "FAILED"
+ return 1
+ fi
+ return 0
+}
+
+samba_start_precmd() {
+ # Make sure rundir exists
+ if [ ! -d "/usr/local/var/locks" -a ! -e "/usr/local/var/locks" ]; then
+ install -m 0755 -d "/usr/local/var/locks"
+ fi
+ # XXX: Never delete winbindd_idmap, winbindd_cache and group_mapping
+ if [ -n "${samba_lockdir}" -a -d "${samba_lockdir}" ]; then
+ echo -n "Removing stale Samba tdb files: "
+ for file in brlock.tdb browse.dat connections.tdb gencache.tdb \
+ locking.tdb messages.tdb namelist.debug sessionid.tdb \
+ unexpected.tdb
+ do
+ rm "${samba_lockdir}/${file}" </dev/null 2>/dev/null && echo -n '.'
+ done
+ echo " done"
+ fi
+}
+
+samba_rcvar_cmd() {
+ local name rcvar
+ rcvar=${name}_enable
+ # Prevent recursive calling
+ unset "${rc_arg}_cmd" "${rc_arg}_precmd" "${rc_arg}_postcmd"
+ # Check master variable
+ run_rc_command "${_rc_prefix}${rc_arg}" ${rc_extra_args}
+ # Check dependent variables
+ for name in ${samba_daemons}; do
+ # XXX
+ rcvars=''; v=''
+ rcvar=${name}_enable
+ run_rc_command "${_rc_prefix}${rc_arg}" ${rc_extra_args}
+ done
+}
+
+samba_reload_cmd() {
+ local name rcvar command pidfile force_run
+ # Prevent recursive calling
+ unset "${rc_arg}_cmd" "${rc_arg}_precmd" "${rc_arg}_postcmd"
+ # Ignore rcvar and run command
+ if [ -n "${_rc_prefix}" -a "${_rc_prefix}" = "one" ] || [ -n "${rc_force}" ] || [ -n "${rc_fast}" ]; then
+ force_run=yes
+ fi
+ # Apply to all daemons
+ for name in ${samba_daemons}; do
+ rcvar=${name}_enable
+ command="/usr/local/sbin/${name}"
+ pidfile="/usr/local/var/locks/${name}${pid_extra}.pid"
+ # Daemon should be enabled and running
+ if ( [ -n "${rcvar}" ] && checkyesno "${rcvar}" ) || [ -n "$force_run" ]; then
+ if [ -n "$(check_pidfile "${pidfile}" "${command}")" ]; then
+ debug "reloading ${name} configuration"
+ echo "Reloading ${name}."
+ # XXX: Hack with pid_extra
+ ${smbcontrol_command} "${name}${pid_extra}" 'reload-config' ${command_args} >/dev/null 2>&1
+ fi
+ fi
+ done
+}
+
+samba_cmd() {
+ local name rcvar rcvars v command pidfile samba_daemons result force_run
+ # Prevent recursive calling
+ unset "${rc_arg}_cmd" "${rc_arg}_precmd" "${rc_arg}_postcmd"
+ # Stop processes in the reverse order
+ if [ "${rc_arg}" = "stop" ] ; then
+ samba_daemons=$(reverse_list ${samba_daemons})
+ fi
+ # Ignore rcvar and run command
+ if [ -n "${_rc_prefix}" -a "${_rc_prefix}" = "one" ] || [ -n "${rc_force}" ] || [ -n "${rc_fast}" ]; then
+ force_run=yes
+ fi
+ # Assume success
+ result=0
+ # Apply to all daemons
+ for name in ${samba_daemons}; do
+ # XXX
+ rcvars=''; v=''
+ rcvar=${name}_enable
+ command="/usr/local/sbin/${name}"
+ pidfile="/usr/local/var/locks/${name}${pid_extra}.pid"
+ # Daemon should be enabled and running
+ if ( [ -n "${rcvar}" ] && checkyesno "${rcvar}" ) || [ -n "$force_run" ]; then
+ run_rc_command "${_rc_prefix}${rc_arg}" ${rc_extra_args}
+ # If any of the commands failed, take it as a global result
+ result=$((${result} || $?))
+ fi
+ done
+ return ${result}
+}
+
+samba_config_init() {
+ local name
+ # Load configuration
+ load_rc_config "${name}"
+ for name in ${samba_daemons}; do
+ load_rc_config "${name}"
+ done
+ # Location of the config
+ samba_config=${samba_config="${samba_config_default}"} #"
+ # XXX: Hack to work around name change of pid file with non-default config
+ if [ -n "${samba_config}" -a "${samba_config}" != "${samba_config_default}" ]; then
+ pid_extra="-$(basename "${samba_config}")"
+ fi
+ # Defaults
+ samba_enable=${samba_enable:=NO}
+ # Setup dependent variables
+ if [ -n "${rcvar}" ] && checkyesno "${rcvar}"; then
+ nmbd_enable=${nmbd_enable=YES}
+ smbd_enable=${smbd_enable=YES}
+ fi
+ nmbd_enable=${nmbd_enable:=NO}
+ smbd_enable=${smbd_enable:=NO}
+ # Winbindd
+ if [ -z "${winbind_enable}" ]; then
+ samba_idmap=$(${samba_parm} 'idmap uid' "${samba_config}" 2>/dev/null)
+ # Check that winbindd is actually configured
+ if [ -n "${samba_idmap}" ]; then
+ winbindd_enable="YES"
+ fi
+ winbindd_enable=${winbindd_enable:=NO}
+ fi
+}
+
+# Load configuration variables
+samba_config_init
+# Where is the lockdir
+samba_lockdir=$(${samba_parm} 'lock directory' "${samba_config}" 2>/dev/null)
+# Common flags
+command_args=${samba_config:+-s "${samba_config}"} #"
+nmbd_flags=${nmbd_flags="-D"}
+smbd_flags=${smbd_flags="-D"}
+winbindd_flags=${winbindd_flags=''}
+# Requirements
+required_files="${samba_config}"
+required_dirs="${samba_lockdir}"
+
+run_rc_command "$1"
+```
+
+```
+jail1 /root # service samba start
+Removing stale Samba tdb files: done
+Starting nmbd.
+Starting smbd.
+```