LDAP+SAMBA

This how-to is based on this article: http://www.server-world.info/en/note?os=Debian_6.0&p=samba&f=4
Since it was not needed, I left out the SSL authentication settings, and the configs below are written with that in mind.
I also simplified the setup process.

Make sure your server can be looked up by its name. To do that, add it to DNS and check /etc/hosts! Otherwise it will not work.

Install LDAP (Debian, Ubuntu): OpenLDAP server
Besides the server, Samba also needs the LDAP client! It will be used to manage Samba users and Windows computers.
For Debian: http://linux.cpms.ru/?p=38
For Ubuntu: http://linux.cpms.ru/?p=5514

Samba

aptitude -y install samba-doc
cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz /etc/ldap/schema/
gzip -d /etc/ldap/schema/samba.schema.gz
vi schema_convert.conf
# create new
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/collective.schema
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/duaconf.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/ppolicy.schema
include /etc/ldap/schema/samba.schema
mkdir -p ./tmp/ldif_output
slapcat -f schema_convert.conf -F ./tmp/ldif_output -n0 -s "cn={12}samba,cn=schema,cn=config" > ./tmp/cn=samba.ldif
vi ./tmp/cn=samba.ldif
# line 1,3: change ( remove "{12}" )
dn: cn=samba,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: samba

# remove these lines below ( placed at the bottom )
structuralObjectClass: olcSchemaConfig
entryUUID: bd8a7a82-3cb8-102f-8d5f-070b4e5d16f8
creatorsName: cn=config
createTimestamp: 20100815125953Z
entryCSN: 20100815125953.198505Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20100815125953Z
ldapadd -Y EXTERNAL -H ldapi:/// -f ./tmp/cn=samba.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=samba,cn=schema,cn=config"
vi samba_indexes.ldif
# create new
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: loginShell eq
olcDbIndex: uid eq,pres,sub
olcDbIndex: memberUid eq,pres,sub
olcDbIndex: uniqueMember eq,pres
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaGroupType eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sambaDomainName eq
olcDbIndex: default sub
ldapmodify -Y EXTERNAL -H ldapi:/// -f samba_indexes.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}hdb,cn=config"
/etc/init.d/slapd restart
Stopping OpenLDAP: slapd.
Starting OpenLDAP: slapd.
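The schema conversion above as a script, added here as an example and not taken from the original post or the server-world article: it derives the {N} index from the include list instead of hard-coding {12} and strips the operational attributes with sed. It assumes the schema files live under /etc/ldap/schema and slapd listens on ldapi:///, as in the steps above.

```shell
#!/bin/bash
# Added example, not from the original post: the schema conversion above as a
# script. The {N} index slapcat assigns is derived from the include list
# instead of being hard-coded as {12}, and the operational attributes that
# ldapadd rejects are stripped with sed.
# Assumptions: schema files under /etc/ldap/schema, slapd reachable on ldapi:///.
set -eu

# Schemas in include order; samba.schema depends on the ones before it.
SCHEMAS="core collective corba cosine duaconf dyngroup inetorgperson java misc nis openldap ppolicy samba"

# Write the slapcat include list to the file named by $1.
write_convert_conf() {
    : > "$1"
    for s in $SCHEMAS; do
        echo "include /etc/ldap/schema/$s.schema" >> "$1"
    done
}

# Print the zero-based position of schema $2 in conf file $1.
# slapcat names the converted entry cn={N}<schema> with exactly that N.
olc_index_of() {
    grep -n "/$2\.schema\$" "$1" | cut -d: -f1 | awk '{ print $1 - 1 }'
}

# Filter LDIF on stdin: remove the {N} prefix from the dn and cn lines and
# drop the operational attributes slapcat appends at the bottom.
strip_olc_meta() {
    sed -e 's/^dn: cn={[0-9]*}/dn: cn=/' \
        -e 's/^cn: {[0-9]*}/cn: /' \
        -e '/^structuralObjectClass: /d' \
        -e '/^entryUUID: /d' \
        -e '/^creatorsName: /d' \
        -e '/^createTimestamp: /d' \
        -e '/^entryCSN: /d' \
        -e '/^modifiersName: /d' \
        -e '/^modifyTimestamp: /d'
}

# Full run: write ./tmp/cn=samba.ldif and load it into cn=config.
convert_and_load_samba_schema() {
    local conf=./tmp/schema_convert.conf idx
    mkdir -p ./tmp/ldif_output
    write_convert_conf "$conf"
    idx=$(olc_index_of "$conf" samba)
    slapcat -f "$conf" -F ./tmp/ldif_output -n0 \
        -s "cn={$idx}samba,cn=schema,cn=config" | strip_olc_meta > ./tmp/cn=samba.ldif
    ldapadd -Y EXTERNAL -H ldapi:/// -f ./tmp/cn=samba.ldif
}

if [ "${1:-}" = "--run" ]; then
    convert_and_load_samba_schema
fi
```

Run it with --run as root on the LDAP server; without the flag it only defines the functions, so the filters can be tried on a saved LDIF first.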

Configuring Samba

vi /etc/samba/smb.conf

# Global parameters
[global]
        workgroup = MSK
        netbios name = PDC
        security = user
        enable privileges = yes
        #interfaces = 192.168.5.11
        #username map = /etc/samba/smbusers
        server string = Samba Server %v
        #security = ads
        encrypt passwords = true
        ;min passwd length = 3
        #pam password change = no
        obey pam restrictions = No

        # method 1:
        #unix password sync = no
        ldap passwd sync = yes

        # method 2:
        ;unix password sync = yes
        ;ldap passwd sync = no
        passwd program = /usr/sbin/smbldap-passwd -u "%u"
        passwd chat = "Changing *\nNew password*" %n\n "*Retype new password*" %n\n"

        log level = 2
        syslog = 1
        ;log file = /var/log/samba/log.%U
        log file = /var/log/samba/workstations/%m.log
        max log size = 100000
        time server = Yes
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        mangling method = hash2
        Dos charset = 866
        Unix charset = UTF-8

        logon script = logon.bat
        logon drive = U:
        logon home = \\%L\%U
        logon path = \\%L\Profiles\%U

        domain logons = Yes
        domain master = Yes
        ;os level = 65
        os level = 35
        preferred master = Yes
        wins support = yes

        passdb backend = ldapsam:ldap://127.0.0.1/
        ldap admin dn = cn=admin,dc=msk,dc=local,dc=net
        #ldap admin dn = cn=samba,ou=DSA,dc=msk,dc=local,dc=net
        ldap suffix = dc=msk,dc=local,dc=net
        ldap group suffix = ou=Group
        ldap user suffix = ou=People
        ldap machine suffix = ou=Machines
        ldap idmap suffix = ou=Idmap
        ;ldap idmap suffix = ou=People
        add user script = /usr/sbin/smbldap-useradd -m "%u"
        ldap delete dn = Yes
        delete user script = /usr/sbin/smbldap-userdel "%u"
        add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
        add group script = /usr/sbin/smbldap-groupadd -p "%g"
        delete group script = /usr/sbin/smbldap-groupdel "%g"
        add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
        delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
        set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
        ;admin users = domainadm
        admin users = root
        ldap ssl = no

;        # printers configuration
        ;#printer admin = @"Print Operators"
        ;load printers = Yes
        ;create mask = 0640
        ;directory mask = 0750
        ;#force create mode = 0640
        ;#force directory mode = 0750
        ;nt acl support = No
        ;printing = cups
        ;printcap name = cups
        ;deadtime = 10
        ;guest account = nobody
        ;map to guest = Bad User
        ;dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
        ;show add printer wizard = yes
        ;; to maintain capital letters in shortcuts in any of the profile folders:
        ;preserve case = yes
        ;short preserve case = yes
        ;case sensitive = no

[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No

[netlogon]
        comment = Network Logon Service
        path = /home/samba/netlogon/
        admin users = root, domainadm
        ;root preexec = /etc/samba/autopoweruser.sh %U %m
        guest ok = Yes
        browseable = No

[profiles]
        comment = Roaming Profile Share
        path = /home/samba/profiles
        read only = no
;        create mask = 0600
        ;directory mask = 0700
        ;browseable = No
        ;guest ok = Yes
;        profile acls = yes
        csc policy = disable
        # next line is a great way to secure the profiles 
        ;force user = %U
        # next line allows administrator to access all profiles 
        #valid users = %U "Domain Admins"

;[printers]
        ;comment = Network Printers
        ;#printer admin = @"Print Operators"
        ;guest ok = yes
        ;printable = yes
        ;path = /home/samba/spool/
        ;browseable = No
        ;read only  = Yes
        ;printable = Yes
        ;print command = /usr/bin/lpr -P%p -r %s
        ;lpq command = /usr/bin/lpq -P%p
        ;lprm command = /usr/bin/lprm -P%p %j
        ;# print command = /usr/bin/lpr -U%U@%M -P%p -r %s
        ;# lpq command = /usr/bin/lpq -U%U@%M -P%p
        ;# lprm command = /usr/bin/lprm -U%U@%M -P%p %j
        ;# lppause command = /usr/sbin/lpc -U%U@%M hold %p %j
        ;# lpresume command = /usr/sbin/lpc -U%U@%M release %p %j
        ;# queuepause command = /usr/sbin/lpc -U%U@%M stop %p
        ;# queueresume command = /usr/sbin/lpc -U%U@%M start %p

;[print$]
        ;path = /home/samba/printers
        ;guest ok = No
        ;browseable = Yes
        ;read only = Yes
        ;valid users = @"Print Operators"
        ;write list = @"Print Operators"
        ;create mask = 0664
        ;directory mask = 0775

[public]
        path = /tmp
        guest ok = yes
        browseable = Yes
        writable = yes

[disk-h]
        path = /home/samba/disk-h
        guest ok = yes
        browseable = Yes
        writable = yes

[disk-i]
        path = /home/samba/disk-i
        guest ok = yes
        browseable = Yes
        writable = yes

[disk-j]
        path = /home/samba/disk-j
        guest ok = yes
        browseable = Yes
        writable = yes

[distrib]
        path = /home/samba/distrib
        guest ok = yes
        browseable = Yes
        writable = yes

Attention! The line:

root preexec = /etc/samba/autopoweruser.sh %U %m

is meant to automatically add ordinary users to the local «Опытные пользователи» ("Power Users") group on the workstation. If you have it uncommented, create the script:
vi /etc/samba/autopoweruser.sh

#!/bin/bash
# Run by Samba as "root preexec" on every [netlogon] connection:
# $1 is the user name (%U), $2 is the workstation NetBIOS name (%m).

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

source /etc/profile
export LANG="ru_RU.UTF-8"

# Add the logging-on domain user to the workstation's local "Power Users" group.
# The domainadm password is passed inline with -U and is therefore visible in
# the process list; keep this script readable by root only (net also accepts
# -A <file> to read the credentials from a file instead).
/usr/bin/net rpc group addmem "Опытные пользователи" MSK\\$1 -Udomainadm%iddqd -S $2 &

Note that the line must end with «&»!!! For some reason not a single piece of documentation on the internet mentions this!

chmod +x /etc/samba/autopoweruser.sh
testparm

This must be checked! There should be no complaints other than

rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)

(If anyone knows how to get rid of this, please reply. Trying to add
* - nofile 16384
to /etc/security/limits.conf did not help.)

testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[homes]"
Processing section "[netlogon]"
Processing section "[profiles]"
Processing section "[public]"
Processing section "[disk-h]"
Processing section "[disk-i]"
Processing section "[disk-j]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions

Next…

aptitude -y install smbldap-tools
mkdir /home/samba
mkdir /home/samba/{disk-h,disk-i,disk-j,distrib,netlogon,printers,profiles}
restart smbd
restart nmbd
smbd start/running, process 2507
nmbd start/running, process 2515

Don't forget to set the required permissions on these directories!

smbpasswd -W # add LDAP admin's password
Setting stored password for "cn=admin,dc=server,dc=world" in secrets.tdb
New SMB password:# LDAP admin password
Retype new SMB password:
root@lan:~# gzip -d /usr/share/doc/smbldap-tools/configure.pl.gz
root@lan:~# perl /usr/share/doc/smbldap-tools/configure.pl 
$# is no longer supported at /usr/share/doc/smbldap-tools/configure.pl line 314.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
smbldap-tools script configuration
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Before starting, check
. if your samba controller is up and running.
. if the domain SID is defined (you can get it with the 'net getlocalsid')

. you can leave the configuration using the Crtl-c key combination
. empty value can be set with the "." character
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Looking for configuration files...

Samba Configuration File Path [/etc/samba/smb.conf] > # Enter

The default directory in which the smbldap configuration files are stored is shown.
If you need to change this, enter the full directory path, then press enter to continue.
Smbldap-tools Configuration Directory Path [/etc/smbldap-tools/] >   # Enter
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Let's start configuring the smbldap-tools scripts ...

. workgroup name: name of the domain Samba act as a PDC
workgroup name [ServerWorld] > # Enter
. netbios name: netbios name of the samba controler
netbios name [PDC-SRV] > # Enter
. logon drive: local path to which the home directory will be connected (for NT Workstations). Ex: 'H:'
logon drive [H:] > # Enter
. logon home: home directory location (for Win95/98 or NT Workstation).
(use %U as username) Ex:'\\PDC-SRV\%U'
logon home (press the "." character if you don't want homeDirectory) [\\PDC-SRV\%U] > .   # input a period
. logon path: directory where roaming profiles are stored. Ex:'\\PDC-SRV\profiles\%U'
logon path (press the "." character if you don't want roaming profile) [\\PDC-SRV\profiles\%U] > .   # input a period
. home directory prefix (use %U as username) [/home/%U] > # Enter
. default users' homeDirectory mode [700] > # Enter
. default user netlogon script (use %U as username) [logon.bat] >   # Enter
default password validation time (time in days) [45] > # Enter
. ldap suffix [dc=server,dc=world] > # Enter
. ldap group suffix [ou=groups] > # Enter
. ldap user suffix [ou=people] > # Enter
. ldap machine suffix [ou=Computers] > # Enter
. Idmap suffix [ou=Idmap] > # Enter
. sambaUnixIdPooldn: object where you want to store the next uidNumber
and gidNumber available for new users and groups
sambaUnixIdPooldn object (relative to ) [sambaDomainName=ServerWorld] >   # Enter
. ldap master server: IP adress or DNS name of the master (writable) ldap server
ldap master server [10.0.0.100] > # Enter
. ldap master port [389] > # Enter
. ldap master bind dn [cn=admin,dc=server,dc=world] > # Enter
. ldap master bind password [] > # LDAP admin password
. ldap slave server: IP adress or DNS name of the slave ldap server: can also be the master one
ldap slave server [10.0.0.100] > # specify LDAP slave's IP (Enter with empy if none)
. ldap slave port [389] > # Enter
. ldap slave bind dn [cn=admin,dc=server,dc=world] > # Enter
. ldap slave bind password [] > # Input if there is, if not input the same one with master
. ldap tls support (1/0) [0] > # Enter
. SID for domain SERVERWORLD: SID of the domain (can be obtained with 'net getlocalsid PDC-SRV')
SID for domain SERVERWORLD [S-1-5-21-2752024775-1437179205-4226352253] >   # Enter
. unix password encryption: encryption used for unix passwords
unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA) [SSHA] > MD5   # MD5
. default user gidNumber [513] > # Enter
. default computer gidNumber [515] > # Enter
. default login shell [/bin/bash] > # Enter
. default skeleton directory [/etc/skel] > # Enter
. default domain name to append to mail adress [] > # Enter
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Use of uninitialized value $# in concatenation (.) or string at /usr/share/doc/smbldap-tools/configure.pl line 314,  line 33.
backup old configuration files:
  /etc/smbldap-tools/smbldap.conf->/etc/smbldap-tools/smbldap.conf.old
  /etc/smbldap-tools/smbldap_bind.conf->/etc/smbldap-tools/smbldap_bind.conf.old
writing new configuration file:
  /etc/smbldap-tools/smbldap.conf done.
  /etc/smbldap-tools/smbldap_bind.conf done.
root@lan:~# smbldap-populate 
Populating LDAP directory for domain ServerWorld (S-1-5-21-2752024775-1437179205-4226352253)
(using builtin directory structure)

entry dc=server,dc=world already exist.
entry ou=people,dc=server,dc=world already exist.
entry ou=groups,dc=server,dc=world already exist.
adding new entry: ou=Computers,dc=server,dc=world
adding new entry: ou=Idmap,dc=server,dc=world
adding new entry: uid=root,ou=people,dc=server,dc=world
adding new entry: uid=nobody,ou=people,dc=server,dc=world
adding new entry: cn=Domain Admins,ou=groups,dc=server,dc=world
adding new entry: cn=Domain Users,ou=groups,dc=server,dc=world
adding new entry: cn=Domain Guests,ou=groups,dc=server,dc=world
adding new entry: cn=Domain Computers,ou=groups,dc=server,dc=world
adding new entry: cn=Administrators,ou=groups,dc=server,dc=world
adding new entry: cn=Account Operators,ou=groups,dc=server,dc=world
adding new entry: cn=Print Operators,ou=groups,dc=server,dc=world
adding new entry: cn=Backup Operators,ou=groups,dc=server,dc=world
adding new entry: cn=Replicators,ou=groups,dc=server,dc=world
entry sambaDomainName=ServerWorld,dc=server,dc=world already exist. Updating it...

Please provide a password for the domain root:
Changing UNIX and samba passwords for root
New password: # set root password
Retype new password:

Add an admin for Samba

smbldap-groupadd -a domainadm
smbldap-useradd -am -g domainadm domainadm
smbldap-passwd domainadm
Changing UNIX and samba passwords for domainadm
New password:
Retype new password:

Let's check:

su - domainadm
/$

If it does not work, check the LDAP client! Regular users created in LDAP must be able to log in!

How to manage all this!
I suggest doing it with LAM:

apt-get install ldap-account-manager

Attention! Windows domain groups must be assigned in the Linux section, not in the Windows one!!!

Do not try to set them in the Samba 3 section
Debugging
Once you start experimenting with assigning Windows groups, you will notice an unpleasant effect: after changing a user's group, for example from «Domain Users» to «Domain Admins», nothing changes for that user on the workstation! After some time, though, everything turns out the way you assigned it. This is all because of the nscd cache! Restart nscd on the LDAP server and the change takes effect immediately.
For convenient debugging I put all the services the PDC depends on into one script:

vi /usr/local/bin/smbr
#!/bin/bash
# Restart everything the PDC depends on, in dependency order:
# the NSS cache (nscd) and the directory (slapd) first, then the Samba daemons.
/etc/init.d/nscd restart
/etc/init.d/slapd restart
/etc/init.d/smbd restart
/etc/init.d/nmbd restart

To join Windows 7 to the domain, follow these instructions!
http://linux.cpms.ru/?p=6490

That's about it.


3 comments on «LDAP+SAMBA»

  1. Alexandr says:

    > rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)

    ulimit -n 16384 as root
    can be added, for example, to .bashrc (for root, naturally)

  2. Pingback: LDAP + BDC | Linux

  3. Pingback: Windows 7 in a Samba 3 domain | Linux
