openSuSE 11.0
Computer name = s4e
Workgroup name = workgroup
LDAP-BaseDN: dc=workgroup
LDAP-Manager: Administrator:open23

Packages installed: ldapsmb samba samba-client samba-doc samba-pdb samba-vscan samba-winbind yast2-samba-client yast2-samba-server nss-ldap openldap2 openldap2-client perl-ldap yast2-ldap yast2-ldap-client perl-Unicode-Map8 perl-Unicode-String make gcc gcc-c++ gcc41 findutils-locate mc
Back up the old smb.conf:

cd /etc/samba/
mv smb.conf smb.conf.OLD

Now create smb.conf as follows. Note that the LDAP suffix and admin DN set here (dc=workgroup, cn=Administrator) must match the suffix and rootdn used later in slapd.conf, smbldap.conf, smbldap_bind.conf and ldap.conf, which use dc=exemplu,dc=ro and cn=root; pick one pair of values and use it in every file.
s4e:/etc/samba # vi smb.conf

[global]
   workgroup = workgroup
   netbios name = s4e
   passdb backend = ldapsam:ldap://127.0.0.1
   username map = /etc/samba/smbusers
   printcap name = cups
   printing = cups
   add user script = /usr/sbin/smbldap-useradd -m %u
   delete user script = /usr/sbin/smbldap-userdel %u
   add group script = /usr/sbin/smbldap-groupadd -p %g
   delete group script = /usr/sbin/smbldap-groupdel %g
   add user to group script = /usr/sbin/smbldap-groupmod -m %g %u
   delete user from group script = /usr/sbin/smbldap-groupmod -x %g %u
   set primary group script = /usr/sbin/smbldap-usermod -g %g %u
   #add machine script = /usr/sbin/smbldap-useradd -w %u
   #
   # if you want to add machines to the domain automatically, the add machine script is:
   add machine script = /usr/sbin/smbldap-useradd -w -i %u
   obey pam restrictions = Yes
   logon script = scripts\logon.bat
   logon path = \\%L\Profiles\%U
   logon drive = N:
   logon home = \\%L\%U
   domain logons = Yes
   os level = 44
   preferred master = Yes
   domain master = Yes
   dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
   show add printer wizard = yes

   # OpenLDAP stuff is defined here
   ###################################################
   ldap suffix = dc=workgroup
   ldap machine suffix = ou=Computers
   ldap user suffix = ou=Users
   ldap group suffix = ou=Groups
   ldap idmap suffix = ou=Users
   ldap admin dn = cn=Administrator,dc=workgroup
   ldap ssl = no
   ldap passwd sync = Yes
   idmap uid = 15000-20000
   idmap gid = 15000-20000

   # Defining logging facility
   ####################################################
   log level = 256
   log file = /var/log/samba/%m.log

   # Virus Scanning Definition
   ####################################################
   vfs object = vscan-clamav
   vscan-clamav: config-file = /etc/samba/vscan-clamav.conf

# Defining user home directories
####################################################
[homes]
   comment = Home Directories
   valid users = %S
   read only = No
   browseable = No

[printers]
   comment = All Printers
   path = /var/spool/samba
   printer admin = @"Print Operators"
   read only = Yes
   guest ok = Yes
   printable = Yes
   browseable = No

# Defining printers
####################################################
[print$]
   path = /var/lib/samba/drivers/
   guest ok = No
   browseable = Yes
   read only = Yes
   valid users = @"Print Operators"
   write list = @"Print Operators"
   create mask = 0664
   directory mask = 0775

# Defining network logon service
####################################################
[netlogon]
   comment = NLService
   path = /var/lib/samba/netlogon
   guest ok = Yes
   browseable = No

# Defining profile share ( for roaming profiles )
####################################################
[profiles]
   comment = Roaming Profiles
   path = /var/lib/samba/profiles
   create mask = 0600
   directory mask = 0700
   browseable = No
   guest ok = Yes
   force user = %U
   valid users = %U "Domain Admins"
   read only = No
   profile acls = Yes

# Defining arbitrary shared resource
####################################################
[share]
   comment = data share
   path = /opt/stuff
   valid users = %U
Save the file with Ctrl+K X and change the permissions of the profiles folder to 1777. “777” means that the user, the group and everyone else have read, write and execute permissions on this folder. “1” is the sticky bit, so nobody can delete the folder or change its permissions (only root can delete the folder or change its permissions).
chmod 1777 /var/lib/samba/profiles
Now start Samba and test the parameters:
server:/etc/samba # rcsmb start
server:/etc/samba # rcnmb start
server:/etc/samba # testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[printers]"
Processing section "[netlogon]"
Processing section "[profiles]"
Processing section "[share]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions
Backup and edit the slapd.conf file as follows:
server:/etc/samba # cd /etc/openldap/
server:/etc/openldap # mv slapd.conf slapd.conf.OLD
server:/etc/openldap # joe slapd.conf

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba3.schema

pidfile  /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args

# Defining our database and admin user + password
################################################################
database  bdb
suffix    "dc=exemplu,dc=ro"
rootdn    "cn=root,dc=exemplu,dc=ro"
# rootpw is stored in cleartext here; slappasswd can generate a {SSHA} hash to use instead
rootpw    secret
directory /var/lib/ldap

# Indexing for faster queries ( bad indexes can slow things up )
#################################################################
index objectClass           eq
index cn                    pres,sub,eq
index sn                    pres,sub,eq
index uid                   pres,sub,eq
index displayName           pres,sub,eq
index uidNumber             eq
index gidNumber             eq
index memberUid             eq
index sambaSID              eq
index sambaPrimaryGroupSID  eq
index sambaDomainName       eq
index default               sub

# Password attributes: only the owner and the admin may write, anonymous may only bind
access to attrs=userpassword,sambaLMPassword,sambaNTPassword,shadowLastChange,sambaPasswordHistory
    by anonymous auth
    by self write
    by dn="cn=root,dc=exemplu,dc=ro" write
    by * none

# Everything else: the first matching "by" clause wins, so "self write" must come
# before "users read" or it is never reached; anonymous clients get read access
access to *
    by dn="cn=root,dc=exemplu,dc=ro" write
    by self write
    by users read
    by * read
As always, backup the original files:
server:/etc/openldap # cd /etc/smbldap-tools/
server:/etc/smbldap-tools # mv smbldap.conf smbldap.conf.OLD
server:/etc/smbldap-tools # mv smbldap_bind.conf smbldap_bind.conf.OLD
To configure smbldap-tools we need the domain SID, but first we have to store the LDAP admin password for Samba. The password is secret, as set in slapd.conf above:
server:/etc/smbldap-tools # smbpasswd -w secret
Setting stored password for "cn=root,dc=exemplu,dc=ro" in secrets.tdb
server:/etc/smbldap-tools # net getlocalsid
SID for domain SERVER is: S-1-5-51-1359935399-1842626841-4162727579
Copy the SID and edit smbldap.conf as follows:
server:/etc/smbldap-tools # joe smbldap.conf

# the SID must be copied exactly, with no leading space inside the quotes
SID="S-1-5-51-1359935399-1842626841-4162727579"
slaveLDAP="127.0.0.1"
slavePort="389"
masterLDAP="127.0.0.1"
masterPort="389"
ldapTLS="0"
verify="require"
cafile="/etc/smbldap-tools/ca.pem"
clientcert="/etc/smbldap-tools/smbldap-tools.pem"
clientkey="/etc/smbldap-tools/smbldap-tools.key"
suffix="dc=exemplu,dc=ro"
usersdn="ou=Users,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=Idmap,${suffix}"
sambaUnixIdPooldn="sambaDomainName=exemplu.ro,${suffix}"
scope="sub"
hash_encrypt="SSHA"
crypt_salt_format="%s"
userLoginShell="/bin/bash"
userHome="/home/%U"
userGecos="System User"
defaultUserGid="513"
defaultComputerGid="515"
skeletonDir="/etc/skel"
defaultMaxPasswordAge="99"
userSmbHome="\\server1\homes\%U"
userProfile="\\server1\profiles\%U"
userHomeDrive="H:"
userScript="%U.cmd"
mailDomain="exemplu.ro"
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"
The next step is to edit smbldap_bind.conf:
server:/etc/smbldap-tools # joe smbldap_bind.conf

slaveDN="cn=root,dc=exemplu,dc=ro"
slavePw="secret"
masterDN="cn=root,dc=exemplu,dc=ro"
masterPw="secret"
Now we have to (re)start the services:
server:/etc/smbldap-tools # rcldap start
server:/etc/smbldap-tools # rcsmb start
server:/etc/smbldap-tools # rcnmb start
The easiest way to populate the LDAP directory is by using smbldap-tools:
server:/etc/smbldap-tools # smbldap-populate
Using workgroup name from sambaUnixIdPooldn (smbldap.conf): sambaDomainName=exemplu.tld
Using builtin directory structure
adding new entry: dc=exemplu,dc=tld
adding new entry: ou=Users,dc=exemplu,dc=tld
adding new entry: ou=Groups,dc=exemplu,dc=tld
adding new entry: ou=Computers,dc=exemplu,dc=tld
adding new entry: ou=Idmap,dc=exemplu,dc=tld
adding new entry: sambaDomainName=exemplu.tld,dc=exemplu,dc=tld
adding new entry: uid=Admin,ou=Users,dc=exemplu,dc=tld
adding new entry: uid=nobody,ou=Users,dc=exemplu,dc=tld
adding new entry: cn=Domain Admins,ou=Groups,dc=exemplu,dc=tld
adding new entry: cn=Domain Users,ou=Groups,dc=exemplu,dc=tld
adding new entry: cn=Domain Guests,ou=Groups,dc=exemplu,dc=tld
adding new entry: cn=Domain Computers,ou=Groups,dc=exemplu,dc=tld
adding new entry: cn=Administrators,ou=Groups,dc=exemplu,dc=tld
adding new entry: cn=Print Operators,ou=Groups,dc=exemplu,dc=tld
adding new entry: cn=Backup Operators,ou=Groups,dc=exemplu,dc=tld
server:/etc/smbldap-tools # smbpasswd -a root
In order to get the system to authenticate via LDAP and to use the POSIX accounts stored in LDAP for Samba, you need to set your system to do authentication via LDAP for local and remote connections. Run YaST, go to Network Services → LDAP Client and point it at the LDAP server and base DN used above (127.0.0.1, dc=exemplu,dc=ro).
You also need to change some directives in nsswitch.conf:
server:/etc # joe nsswitch.conf

passwd:         files ldap
group:          files ldap
hosts:          files dns
networks:       files dns
services:       files ldap
protocols:      files
rpc:            files
ethers:         files
netmasks:       files
netgroup:       files ldap
publickey:      files
bootparams:     files
automount:      files nis
aliases:        files ldap
passwd_compat:  ldap
group_compat:   ldap
Now list the entries in the passwd database to check that your system indeed sees both the local and the LDAP-stored accounts. If you haven't added any account yet there should be at least two, root and nobody; only those two are shown here, although the command will print all accounts:

server:/etc # getent passwd
+::0:0:::
root:x:0:512:Netbios Domain Administrator:/home/root:/bin/false
nobody:x:999:514:nobody:/dev/null:/bin/false
We also need PAM to create a home directory from /etc/skel the first time a user logs in, so append pam_mkhomedir to the common session stack:
server:/etc # echo session required pam_mkhomedir.so skel=/etc/skel umask=0022 >>/etc/pam.d/common-session
The last thing we need to do is to modify ldap.conf and create a log directory. I recommend deleting the conf file and building it from scratch:

server:/etc # rm ldap.conf
server:/etc # joe ldap.conf

host 127.0.0.1
base dc=exemplu,dc=ro
bind_policy soft
pam_password md5
nss_schema rfc2307bis
nss_map_attribute uniqueMember member
ssl no
ldap_version 3
pam_filter objectclass=posixAccount
nss_base_passwd ou=Users,dc=exemplu,dc=ro?sub
nss_base_passwd ou=Computers,dc=exemplu,dc=ro?sub
nss_base_shadow ou=Users,dc=exemplu,dc=ro?sub
nss_base_group ou=Groups,dc=exemplu,dc=ro?one
tls_checkpeer no
logdir /var/log/ldap

server:/etc # mkdir -p /var/log/ldap
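The base DN and admin DN appear in five files on this page (smb.conf, slapd.conf, smbldap.conf, smbldap_bind.conf and ldap.conf) and all of them have to agree, otherwise Samba and smbldap-tools bind to a DN that slapd does not know; the smb.conf above uses dc=workgroup / cn=Administrator while the LDAP-side files use dc=exemplu,dc=ro / cn=root, which is exactly this kind of drift. The script below is an added example, not part of the original page, that extracts those values and reports mismatches; it assumes the five files have been copied into one directory and uses constructed sample files for its demonstration.

```shell
#!/bin/sh
# Added example (not from the original page): check that the suffix and admin DN agree
# across smb.conf, slapd.conf, smbldap.conf, smbldap_bind.conf and ldap.conf.
# Assumes the "key = value", "key value" and key="value" forms used on this page.

smb_val()   { sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1; }
conf_val()  { sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}//p" "$1" | head -n 1 | tr -d '"'; }
shvar_val() { sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}.*/\1/p" "$1" | head -n 1; }

# same LABEL A B: print a mismatch line and fail when A and B differ
same() {
    [ "$2" = "$3" ] && return 0
    echo "MISMATCH $1: '$2' vs '$3'"
    return 1
}

# check_ldap_dns DIR: returns 0 only if every file in DIR names the same suffix and admin DN
check_ldap_dns() {
    d=$1; rc=0
    smb_suffix=$(smb_val "$d/smb.conf" "ldap suffix")
    smb_admin=$(smb_val "$d/smb.conf" "ldap admin dn")
    same "ldap suffix vs slapd.conf suffix"       "$smb_suffix" "$(conf_val "$d/slapd.conf" suffix)"          || rc=1
    same "ldap suffix vs smbldap.conf suffix"     "$smb_suffix" "$(shvar_val "$d/smbldap.conf" suffix)"       || rc=1
    same "ldap suffix vs ldap.conf base"          "$smb_suffix" "$(conf_val "$d/ldap.conf" base)"             || rc=1
    same "ldap admin dn vs slapd.conf rootdn"     "$smb_admin"  "$(conf_val "$d/slapd.conf" rootdn)"          || rc=1
    same "ldap admin dn vs smbldap_bind masterDN" "$smb_admin"  "$(shvar_val "$d/smbldap_bind.conf" masterDN)" || rc=1
    return $rc
}

# write_samples DIR SMB_SUFFIX SMB_ADMIN: constructed sample files for a demo; the
# LDAP-side files always use dc=exemplu,dc=ro / cn=root as on this page
write_samples() {
    mkdir -p "$1"
    printf '[global]\n   ldap suffix = %s\n   ldap admin dn = %s\n' "$2" "$3" > "$1/smb.conf"
    printf 'suffix "dc=exemplu,dc=ro"\nrootdn "cn=root,dc=exemplu,dc=ro"\nrootpw secret\n' > "$1/slapd.conf"
    printf 'suffix="dc=exemplu,dc=ro"\nusersdn="ou=Users,${suffix}"\n' > "$1/smbldap.conf"
    printf 'masterDN="cn=root,dc=exemplu,dc=ro"\nmasterPw="secret"\n' > "$1/smbldap_bind.conf"
    printf 'host 127.0.0.1\nbase dc=exemplu,dc=ro\nnss_base_passwd ou=Users,dc=exemplu,dc=ro?sub\n' > "$1/ldap.conf"
}

# Usage: sh check_dns.sh DIR   (DIR holds copies of the five files; no argument does nothing)
if [ $# -eq 1 ]; then check_ldap_dns "$1"; fi
```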
The server is now completely set up. You just need to restart the services and you can add machines and users. Machines are added with the command:
server:~ # smbldap-useradd -w machine_name
Windows domain users are added with the following command:
server:~ # smbldap-useradd -a user_name
To add many users at once, put one "user password" pair per line in a file and run this script on it:

server:~ # vi multiaddusers.sh

#!/bin/bash
#
# ensure that root is running the script.
WHOAMI=`/usr/bin/whoami`
if [ "$WHOAMI" != "root" ]; then
    echo "You must be root to add new users!"
    exit 1
fi

# read user names and passwords from the file given as argument
NEW_USERS=$1
if [ -z "$NEW_USERS" ] || [ ! -r "$NEW_USERS" ]; then
    echo "Usage: $0 userlist_file"
    exit 1
fi

while read USER PASS ; do
    # add machine account
    smbldap-useradd -w "$USER"
    # add Windows account
    smbldap-useradd -a "$USER"
    # set the password
    smbldap-passwd "$USER" "$PASS"
    echo "User $USER added, password set"
done < "$NEW_USERS"