Unterschiede

Hier werden die Unterschiede zwischen zwei Versionen angezeigt.

--- 2009_samba [2008/08/12 13:37]
+++ 2009_samba [2008/08/12 13:37] (aktuell)
@@ Zeile 1: / Zeile 1: @@
+====== How to setup a Samba PDC with LDAP ======
+===== Quellen ======
+  *[[http://alex.ricobon.ro/wiki/index.php?title=How_to_setup_a_Samba_PDC_with_LDAP_on_openSuSE_10.2|Hauptartikel]]
+  *[[http://sourceforge.net/projects/smbldap-tools|IDEALX smbldap-tools]])
+  *[[https://www.bsdwiki.de/FreeBSD_-_Samba_PDC]]
+  *[[http://jxplorer.org/|LDAP Browser]]
+  *[[http://trac.lighttpd.net/trac/wiki/SuEXEC|Apache suEXEC]]
+===== Basisdaten =====
+  openSuSE 11.0
+  Computer name = s4e
+  Workgroup name = workgroup
+  LDAP-BaseDN: dc=workgroup
+  LDAP-Manager: Administrator:open23
+===== Zusätzliche Software =====
+  ldapsmb
+  samba
+  samba-client
+  samba-doc
+  samba-pdb
+  samba-vscan
+  samba-winbind
+  yast2-samba-client
+  yast2-samba-server
+  nss-ldap
+  openldap2
+  openldap2-client
+  perl-ldap
+  yast2-ldap
+  yast2-ldap-client
+  perl-Unicode-Map8
+  perl-Unicode-String
+  make
+  gcc
+  gcc-c++
+  gcc41
+  findutils-locate
+  mc
+===== IDEALX smbldap-tools =====
+  *[[http://download.opensuse.org/repositories/home:/octo47:/smbldap-tools/openSUSE_11.0/noarch/smbldap-tools-0.9.5-1.1.noarch.rpm|smbldap-tools]]
+  *[[http://download.opensuse.org/repositories/home:/octo47:/smbldap-tools/openSUSE_11.0/i586/perl-Jcode-2.07-1.1.i586.rpm|perl-Jcode]]
+  *[[http://download.opensuse.org/repositories/home:/octo47:/smbldap-tools/openSUSE_11.0/i586/perl-Unicode-Map-0.112-1.1.i586.rpm|perl-Unicode-Map]]
+  *[[http://download.opensuse.org/repositories/home:/octo47:/smbldap-tools/openSUSE_11.0/i586/perl-Unicode-Map8-0.12-221.1.i586.rpm|perl-Unicode-Map8]]
+  *[[http://download.opensuse.org/repositories/home:/octo47:/smbldap-tools/openSUSE_11.0/i586/perl-Unicode-String-2.09-12.1.i586.rpm|perl-Unicode-String]]
+  *[[http://download.opensuse.org/repositories/home:/octo47:/smbldap-tools/openSUSE_11.0/noarch/perl-Unicode-MapUTF8-1.11-5.1.noarch.rpm|perl-Unicode-MapUTF8]]
+===== Samba Setup =====
+Sicherung der alten smb.conf:
+<file>
+cd /etc/samba/
+mv smb.conf smb.conf.OLD
+</file>
+Nun smb.conf wie folgt erstellen:
+<file>
+s4e:/etc/samba # vi smb.conf
+[global]
+workgroup = workgroup
+netbios name = s4e
+passdb backend = ldapsam:ldap://127.0.0.1
+username map = /etc/samba/smbusers
+printcap name = cups
+printing = cups
+add user script = /usr/sbin/smbldap-useradd -m %u
+delete user script = /usr/sbin/smbldap-userdel %u
+add group script = /usr/sbin/smbldap-groupadd -p %g
+delete group script = /usr/sbin/smbldap-groupdel %g
+add user to group script = /usr/sbin/smbldap-groupmod -m %g %u
+delete user from group script = /usr/sbin/smbldap-groupmod -x %g %u
+set primary group script = /usr/sbin/smbldap-usermod -g %g %u
+#add machine script = /usr/sbin/smbldap-useradd -w %u
+#
+# if you want to add machines to domain automaticaly, add machine script is:
+add machine script = /usr/sbin/smbldap-useradd -w -i %u
+obey pam restrictions = Yes
+logon script = scripts\logon.bat
+logon path = \\%L\Profiles\%U
+logon drive = N:
+logon home = \\%L\%U
+domain logons = Yes
+os level = 44
+preferred master = Yes
+domain master = Yes
+dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
+show add printer wizard = yes
+# OpenLDAP stuff is defined here
+###################################################
+ldap suffix = dc=workgrou
+ldap machine suffix = ou=Computers
+ldap user suffix = ou=Users
+ldap group suffix = ou=Groups
+ldap idmap suffix = ou=Users
+ldap admin dn = cn=Administrator,dc=workgroup
+ldap ssl = no
+ldap passwd sync = Yes
+idmap uid = 15000-20000
+idmap gid = 15000-20000
+# Defining logging facility
+####################################################
+log level = 256
+log file = /var/log/samba/%m.log
+# Virus Scanning Definition
+####################################################
+vfs object = vscan-clamav
+vscan-clamav: config-file = /etc/samba/vscan-clamav.conf
+# Defining user home directories
+####################################################
+[homes]
+comment = Home Directories
+valid users = %S
+read only = No
+browseable = No
+[printers]
+comment = All Printers
+path = /var/spool/samba
+printer admin = @"Print Operators"
+read only  = Yes
+guest ok = Yes
+printable = Yes
+browseable = No
+# Defining printers
+####################################################
+[print$]
+path = /var/lib/samba/drivers/
+guest ok = No
+browseable = Yes
+read only = Yes
+valid users = @"Print Operators"
+write list = @"Print Operators"
+create mask = 0664
+directory mask = 0775
+# Defining network logon service
+####################################################
+[netlogon]
+comment = NLService
+path = /var/lib/samba/netlogon
+guest ok = Yes
+browseable = No
+# Defining profile share ( for roaming profiles )
+####################################################
+[profiles]
+comment = Roaming Profiles
+path = /var/lib/samba/profiles
+create mask = 0600
+directory mask = 0700
+browseable = No
+guest ok = Yes
+force user = %U
+valid users = %U "Domain Admins"
+read only = No
+profile acls = Yes
+# Defining arbitary shared resource
+####################################################
+[share]
+comment = data share
+path = /opt/stuff
+valid users = %U
+</file>
+Save the file with Ctr.+K X and change the permissions of the profiles folder to 1777. “777” means that the user, the group and everyone else have read, write, and execute permissions to this folder. “1” means sticky, so none can delete the folder or change its permissions (only root can delete the folder or change it’s permissions).
+<file>
+chmod 1777 /var/lib/samba/profiles
+</file>
+Now start Samba and test the parameters:
+<file>
+server:/etc/samba # rcsmb start
+server:/etc/samba # rcnmb start
+server:/etc/samba # testparm
+Load smb config files from /etc/samba/smb.conf
+Processing section "[homes]"
+Processing section "[printers]"
+Processing section "[netlogon]"
+Processing section "[profiles]"
+Processing section "[share]"
+Loaded services file OK.
+Server role: ROLE_DOMAIN_PDC
+Press enter to see a dump of your service definitions
+</file>
+===== Setup openLDAP =====
+Backup and edit the slapd.conf file as follows:
+<file>
+server:/etc/samba # cd /etc/openldap/
+server:/etc/openldap # mv slapd.conf slapd.conf.OLD
+server:/etc/openldap # joe slapd.conf
+include         /etc/openldap/schema/core.schema
+include         /etc/openldap/schema/cosine.schema
+include         /etc/openldap/schema/inetorgperson.schema
+include         /etc/openldap/schema/nis.schema
+include         /etc/openldap/schema/samba3.schema
+pidfile         /var/run/slapd/slapd.pid
+argsfile        /var/run/slapd/slapd.args
+# Defining our database and admin user + password
+################################################################
+database        bdb
+suffix          "dc=exemplu,dc=ro"
+rootdn          "cn=root,dc=exemplu,dc=ro"
+rootpw          secret
+directory       /var/lib/ldap
+# Indexing for faster queries ( bad indexes can slow things up )
+#################################################################
+index   objectClass     eq
+index cn                      pres,sub,eq
+index sn                      pres,sub,eq
+index uid                     pres,sub,eq
+index displayName             pres,sub,eq
+index uidNumber               eq
+index gidNumber               eq
+index memberUid               eq
+index   sambaSID              eq
+index   sambaPrimaryGroupSID  eq
+index   sambaDomainName       eq
+index   default               sub
+access to attrs=userpassword,sambaLMPassword,sambaNTPassword,shadowLastChange,sambaPasswordHistory
+   by anonymous auth
+   by self write
+   by dn="cn=root,dc=exemplu,dc=ro" write
+   by * none
+access to *
+    by dn="cn=root,dc=exemplu,dc=ro" write
+    by users read
+    by self write
+    by * read
+</file>
+===== Setup smbldap-tools =====
+As always, backup the original files:
+<file>
+server:/etc/openldap # cd /etc/smbldap-tools/
+server:/etc/smbldap-tools # mv smbldap.conf smbldap.conf.OLD
+server:/etc/smbldap-tools # mv smbldap_bind.conf smbldap_bind.conf.OLD
+</file>
+To configure smbldap-tools we ned the domain SID, but first we have to set the password for Samba, The password is secret, as mentioned above:
+<file>
+server:/etc/smbldap-tools # smbpasswd -w secret
+Setting stored password for "cn=root,dc=exemplu,dc=ro" in secrets.tdb
+server:/etc/smbldap-tools # net getlocalsid
+SID for domain SERVER is: S-1-5-51-1359935399-1842626841-4162727579
+</file>
+Copy the SID and edit smbldap.conf as follows:
+<file>
+server:/etc/smbldap-tools # joe smbldap.conf
+SID=" S-1-5-51-1359935399-1842626841-4162727579"
+slaveLDAP="127.0.0.1"
+slavePort="389"
+masterLDAP="127.0.0.1"
+masterPort="389"
+ldapTLS="0"
+verify="require"
+cafile="/etc/smbldap-tools/ca.pem"
+clientcert="/etc/smbldap-tools/smbldap-tools.pem"
+clientkey="/etc/smbldap-tools/smbldap-tools.key"
+suffix="dc=exemplu,dc=ro"
+usersdn="ou=Users,${suffix}"
+computersdn="ou=Computers,${suffix}"
+groupsdn="ou=Groups,${suffix}"
+idmapdn="ou=Idmap,${suffix}"
+sambaUnixIdPooldn="sambaDomainName=exemplu.ro,${suffix}"
+scope="sub"
+hash_encrypt="SSHA"
+crypt_salt_format="%s"
+userLoginShell="/bin/bash"
+userHome="/home/%U"
+userGecos="System User"
+defaultUserGid="513"
+defaultComputerGid="515"
+skeletonDir="/etc/skel"
+defaultMaxPasswordAge="99"
+userSmbHome="\\server1\homes\%U"
+userProfile="\\server1\profiles\%U"
+userHomeDrive="H:"
+userScript="%U.cmd"
+mailDomain="exemplu.ro"
+with_smbpasswd="0"
+smbpasswd="/usr/bin/smbpasswd"
+with_slappasswd="0"
+slappasswd="/usr/sbin/slappasswd"
+</file>
+The next step is to edit smbldap_bind.conf:
+<file>
+server:/etc/smbldap-tools # joe smbldap_bind.conf
+slaveDN="cn=root,dc=exemplu,dc=ro"
+slavePw="secret"
+masterDN="cn=root,dc=exemplu,dc=ro"
+masterPw="secret"
+</file>
+Now we have to (re)start the services:
+<file>
+server:/etc/smbldap-tools # rcldap start
+server:/etc/smbldap-tools # rcsmb start
+server:/etc/smbldap-tools # rcnmb start
+</file>
+===== Populate the LDAP directory and add the user root to Samba =====
+The easiest way to populate the LDAP directory is by using smbldap-tools:
+<file>
+server:/etc/smbldap-tools #  smbldap-populate
+Using workgroup name from sambaUnixIdPooldn (smbldap.conf): sambaDomainName=exemplu.tld
+Using builtin directory structure
+adding new entry: dc=exemplu,dc=tld
+adding new entry: ou=Users,dc=exemplu,dc=tld
+adding new entry: ou=Groups,dc=exemplu,dc=tld
+adding new entry: ou=Computers,dc=exemplu,dc=tld
+adding new entry: ou=Idmap,dc=exemplu,dc=tld
+adding new entry: sambaDomainName=exemplu.tld,dc=exemplu,dc=tld
+adding new entry: uid=Admin,ou=Users,dc=exemplu,dc=tld
+adding new entry: uid=nobody,ou=Users,dc=exemplu,dc=tld
+adding new entry: cn=Domain Admins,ou=Groups,dc=exemplu,dc=tld
+adding new entry: cn=Domain Users,ou=Groups,dc=exemplu,dc=tld
+adding new entry: cn=Domain Guests,ou=Groups,dc=exemplu,dc=tld
+adding new entry: cn=Domain Computers,ou=Groups,dc=exemplu,dc=tld
+adding new entry: cn=Administrators,ou=Groups,dc=exemplu,dc=tld
+adding new entry: cn=Print Operators,ou=Groups,dc=exemplu,dc=tld
+adding new entry: cn=Backup Operators,ou=Groups,dc=exemplu,dc=tld
+server:/etc/smbldap-tools #  smbpasswd -a root
+</file>
+=====  The last settings =====
+In order to get system to authenticate via LDAP and to use those posix accounts stored in LDAP for SAMBA, you need to set you system to do authetication via LDAP for local and remote connections. Run YaST, go to Network Services -> LDAP Client and set it like shown below:
+  * Use LDAP
+  * Adress: 127.0.0.1
+  * DN: ou=Users,dc=workgroup
+You also need to change some directives in nsswitch.conf:
+<file>
+server:/etc # joe nsswitch.conf
+passwd: files ldap
+group:  files ldap
+hosts:  files dns
+networks:       files dns
+services:       files ldap
+protocols:      files
+rpc:    files
+ethers: files
+netmasks:       files
+netgroup:       files ldap
+publickey:      files
+bootparams:     files
+automount:      files nis
+aliases:        files ldap
+passwd_compat:  ldap
+group_compat:   ldap
+</file>
+Now list entries in administrative database to see if your system indeed sees both local system and LDAP stored accounts ( if you haven’t added any account yet there should be at least two root and nobody, I’ve included only the two even though the command will output all accounts ):
+<file>
+server:/etc # getent passwd
++::0:0:::
+root:x:0:512:Netbios Domain Administrator:/home/root:/bin/false
+nobody:x:999:514:nobody:/dev/null:/bin/false
+</file>
+We also need to create directory scripts inside /etc/samba directory:
+<file>
+server:/etc # echo session required pam_mkhomedir.so skel=/etc/skel umask=0022 >>/etc/pam.d/common-session
+</file>
+The last thing we need to do it to modify ldap.conf. and create a log dir. I reccomend to detele the conf file and build it from scratch:
+<file>
+server:/etc # rm ldap.conf
+server:/etc # joe ldap.conf
+host    127.0.0.1
+base    dc=exemplu,dc=ro
+bind_policy     soft
+pam_password    md5
+nss_schema      rfc2307bis
+nss_map_attribute       uniqueMember member
+ssl     no
+ldap_version    3
+pam_filter      objectclass=posixAccount
+nss_base_passwd ou=Users,dc=exemplu,dc=ro?sub
+nss_base_passwd ou=Computers,dc=exemplu,dc=ro?sub
+nss_base_shadow ou=Users,dc=exemplu,dc=ro?sub
+nss_base_group  ou=Groups,dc=exemplu,dc=ro?one
+tls_checkpeer   no
+logdir /var/log/ldap
+server:/etc # mkdir -p /var/log/ldap
+</file>
+The server is now completely set up. You just need to restart the services and you can add machines and users. Machines are added with the command:
+<file>
+server:~ # smbldap-useradd -w machine_name
+</file>
+Windows domain users are added with the following command:
+<file>
+server:~ # smbldap-useradd -a user_name
+</file>
+===== Mehrere Benutzer hinzufügen =====
+<file>
+server:~ # vi multiaddusers.sh
+#!/bin/bash
+#
+# ensure that root is running the script.
+WHOAMI=`/usr/bin/whoami`
+if [ $WHOAMI != "root" ]; then
+   echo "You must be root to add news users!"
+   exit 1
+fi
+# read user names from the file given as argument
+NEW_USERS=$1
+cat ${NEW_USERS} | \
+while read USER PASS ; do
+        #add machine account
+        smbldap-useradd -w $USER
+        #Add windows account
+        smbldap-useradd -a $USER
+        #Set the password
+        smbldap-passwd $USER $PASS
+        echo "User " $USER " added, password set"
+done
+</file>

peer

Benutzer-Werkzeuge

Webseiten-Werkzeuge

Unterschiede

Seiten-Werkzeuge