Primary Domain Controller - Samba + LDAP + NFS (roaming profiles)

Lenny

Install OpenLDAP

apt-get install slapd ldap-utils migrationtools libsasl2-modules-otp libsasl2-modules-ldap libsasl2-modules-sql apache2-suexec \
libsasl2-modules-gssapi-heimdal slpd openslp-doc libmyodbc odbc-postgresql tdsodbc sasl2-bin db4.6-util gosa gosa-schema

Note. In Wheezy "db4.6-util" is replaced with "db5.1-util"

Install SAMBA

apt-get install samba smbldap-tools smbclient samba-doc winbind

Install nsswitch & pam.d

apt-get install libpam-ldap libnss-ldapd

Configure OpenLDAP for Samba:

cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz /etc/ldap/schema/
gzip -d /etc/ldap/schema/samba.schema.gz
cp /usr/share/doc/gosa/contrib/openldap/*.schema /etc/ldap/schema/
cd /etc/ldap/
vi schema.conf
# LDAP - part 1
include         /etc/ldap/schema/core.schema
#include                /etc/ldap/schema/autofs.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/corba.schema
include         /etc/ldap/schema/dyngroup.schema
include         /etc/ldap/schema/java.schema
include         /etc/ldap/schema/misc.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/trust.schema
include         /etc/ldap/schema/openldap.schema
include         /etc/ldap/schema/ppolicy.schema

# GOsa
include         /etc/ldap/schema/samba.schema
include         /etc/ldap/schema/gosystem.schema
include         /etc/ldap/schema/gofon.schema
include         /etc/ldap/schema/goto.schema
include         /etc/ldap/schema/goto-mime.schema
# Note: before 2.6.5 this file was named gosa+samba3.schema
include         /etc/ldap/schema/gosa+samba3.schema
include         /etc/ldap/schema/gofax.schema
include         /etc/ldap/schema/goserver.schema
include         /etc/ldap/schema/pureftpd.schema
include         /etc/ldap/schema/pptp.schema

# LDAP - part 2
include         /etc/ldap/schema/collective.schema

Create your rootpw for LDAP:

slappasswd -h {MD5}

Save the hash it prints, since it is needed in the slapd.conf file

vi slapd.conf

Find the line "# Schema and objectClass definitions", delete all the includes below it, and write the following instead:

include         /etc/ldap/schema.conf
suffix          "dc=<domain>,dc=<local>"
rootdn          "cn=admin,dc=<domain>,dc=<local>"
rootpw          {MD5}<hash part of the slappasswd output>
directory       "/var/lib/ldap/<domain>"

Set up your indexing:

index    objectClass,uidNumber,gidNumber,memberuid             pres,eq
index    cn,sn,uid,mail,displayName,givenName,ou               pres,sub,eq
index    gosaMailAlternateAddress,gosaMailForwardingAddress    eq
index    gosaSubtreeACL,gosaObject,gosaUser                    pres,eq
index    sambaSID,sambaPrimaryGroupSID,sambaDomainName         eq
index    default                                               eq,sub

Set access to your database: (the default can also be used, and security can easily be tightened further on the following)

access to dn.base="" by * read

# slapd applies the FIRST "access to" directive whose target matches, so the
# attribute-specific rules must come before the catch-all "access to *" at the
# end; otherwise every attribute, password hashes included, is readable by all.
access to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
       by dn="cn=admin,dc=<domain>,dc=<local>" write
       by anonymous auth
       by self write
       by * none
access to attrs=loginShell
       by dn="cn=admin,dc=<domain>,dc=<local>" write
       by * none
access to attrs=description,telephoneNumber,roomNumber,homePhone,gecos,cn,sn,givenname
       by dn="cn=admin,dc=<domain>,dc=<local>" write
       by self write
       by * read
# Never reached for loginShell or gecos: the two directives above already
# match those attributes and the first match wins.
access to attrs=loginShell,gecos
       by dn="cn=admin,dc=<domain>,dc=<local>" write
       by self write
       by * read
# The admin dn has full write access, everyone else
# can read everything else.
access to *
       by dn="cn=admin,dc=<domain>,dc=<local>" write
       by * read
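To see what the order of the directives above actually decides, here is a small evaluator of slapd "access to" rules, added for this page (it is not OpenLDAP code). It understands only the targets and subjects used above ("*", dn.base="", attrs=...; "*", anonymous, users, self, dn="..."), uses dc=example,dc=local in place of the <domain>/<local> placeholders, and does not model the rootdn, which bypasses ACLs entirely. It evaluates the password rule and the catch-all rule in both orders and reports what an anonymous bind can do with sambaNTPassword.

```python
"""Minimal evaluator for OpenLDAP slapd.conf "access to" directives.

Constructed example for this page, not OpenLDAP code. slapd uses the FIRST
"access to" directive whose target matches, then the FIRST "by" clause whose
subject matches; if no "by" clause matches, access is denied. The rootdn
bypasses ACLs and is not modelled.
"""
import shlex

# slapd access levels, weakest to strongest; each one implies those before it
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]


def parse_acl(text):
    """Return [(target, [(who, level), ...])] in directive order."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("access "):
            directives.append(line)
        elif directives:
            directives[-1] += " " + line          # continuation ("by ..." line)
        else:
            raise ValueError("'by' clause before any 'access to'")
    parsed = []
    for directive in directives:
        tokens = shlex.split(directive)            # strips the quotes in dn="..."
        if tokens[:2] != ["access", "to"] or (len(tokens) - 3) % 3:
            raise ValueError("malformed directive: " + directive)
        clauses = []
        for i in range(3, len(tokens), 3):
            by, who, level = tokens[i:i + 3]
            if by != "by" or level not in LEVELS:
                raise ValueError("malformed by-clause in: " + directive)
            clauses.append((who, level))
        parsed.append((tokens[2], clauses))
    return parsed


def _target_matches(target, attr):
    if target == "*":
        return True
    if target.startswith("attrs="):
        return attr.lower() in {a.lower() for a in target[6:].split(",")}
    if target == "dn.base=":                       # rootDSE only, never a user entry
        return False
    raise ValueError("unsupported target: " + target)


def _who_matches(who, subject_dn, is_self):
    if who == "*":
        return True
    if who == "anonymous":
        return subject_dn is None
    if who == "users":
        return subject_dn is not None
    if who == "self":
        return is_self
    if who.startswith("dn="):
        return subject_dn is not None and subject_dn.lower() == who[3:].lower()
    raise ValueError("unsupported subject: " + who)


def granted(directives, attr, subject_dn=None, is_self=False):
    """Access level the subject (None = anonymous) gets on `attr` of an ordinary entry."""
    for target, clauses in directives:
        if not _target_matches(target, attr):
            continue
        for who, level in clauses:
            if _who_matches(who, subject_dn, is_self):
                return level
        return "none"                              # directive matched, no subject did
    return "none"                                  # nothing matched: slapd denies


def allows(directives, attr, level, subject_dn=None, is_self=False):
    """True if the subject has at least `level` on `attr`."""
    return LEVELS.index(granted(directives, attr, subject_dn, is_self)) >= LEVELS.index(level)


# Constructed sample: the password rule and the catch-all rule from this page,
# with dc=example,dc=local standing in for the <domain>/<local> placeholders.
ROOTDSE = 'access to dn.base="" by * read\n'
PASSWORD_RULE = """
access to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
       by dn="cn=admin,dc=example,dc=local" write
       by anonymous auth
       by self write
       by * none
"""
CATCH_ALL = """
access to *
       by dn="cn=admin,dc=example,dc=local" write
       by * read
"""
CATCH_ALL_FIRST = parse_acl(ROOTDSE + CATCH_ALL + PASSWORD_RULE)      # shadows the password rule
PASSWORD_RULE_FIRST = parse_acl(ROOTDSE + PASSWORD_RULE + CATCH_ALL)  # intended order

if __name__ == "__main__":
    for name, acl in (("catch-all first", CATCH_ALL_FIRST), ("password rule first", PASSWORD_RULE_FIRST)):
        print("%s: anonymous gets '%s' on sambaNTPassword" % (name, granted(acl, "sambaNTPassword")))
```

With the catch-all first, anonymous gets "read" on sambaNTPassword (the NT hash is password-equivalent on the Windows side); with the password rule first it gets "auth", which is what a simple bind needs and nothing more. The same check can be run on a live server with an anonymous `ldapsearch -x` for sambaNTPassword, which should return no values.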

Create the directory given as the LDAP database directory:

mkdir /var/lib/ldap/domain && chown openldap:openldap /var/lib/ldap/domain
/etc/init.d/slapd stop && /etc/init.d/slapd start && /etc/init.d/slapd stop
slapindex
/etc/init.d/slapd start
vi ldap.conf
host            127.0.0.1
BASE            dc=domain,dc=local
URI             ldap://localhost:389
rootbinddn      cn=admin,dc=<domain>,dc=<local>
bind_policy     hard

Configure SAMBA:

cd /etc/samba/
cp smb.conf smb.conf.org
vi smb.conf

Short walkthrough of what is important to include


Example smb.conf

Connect your SAMBA to LDAP

smbpasswd -W
-W prompts for the password; you can also use -w and give the password in clear text

Installation of printer drivers on the server

[global]
       use client driver = yes


[print$]
       comment = Printer Drivers
       path = /var/lib/samba/printers
       guest ok = No
       read only = No
       browseable = Yes
       create mask = 0664
       directory mask = 0775
       write list = root Admin
       valid users = root Admin
#        valid users = @"Print Operators"

Installed from XP by opening the printer overview on the server and right-clicking on the WHITE area instead of on a printer; an item called "Server Properties" then appears at the bottom of the menu, and the driver can be installed from there.

smbldap-tools

cd /etc/smbldap-tools/
cp /usr/share/doc/smbldap-tools/examples/smbldap.conf.gz . && cp /usr/share/doc/smbldap-tools/examples/smbldap_bind.conf . && chmod 700 smbldap_bind.conf
gunzip smbldap.conf.gz
vi smbldap_bind.conf
masterDN="cn=admin,dc=domain,dc=local"
masterPw="<you pass in cleartext>"
net getlocalsid
vi smbldap.conf

Write the following

SID="<output fra net getlocalsid>"
sambaDomain="<domain>"
suffix="dc=domain,dc=local"
hash_encrypt="MD5"
userHomeDirectoryMode="751"
userSmbHome=""
userProfile=""
userHomeDrive=""
mailDomain="<domain>.<prefix>"
with_smbpasswd="1"
with_slappasswd="1"

"Befolk" din LDAP

smbldap-populate -a Administrator -b Guest
/etc/init.d/slapd stop && /etc/init.d/slapd start && /etc/init.d/slapd stop
slapindex
/etc/init.d/slapd start

Nsswitch & Pam

vi /etc/nsswitch.conf
passwd:         ldap compat
group:          ldap compat
shadow:         ldap compat

Check whether your LDAP responds

ldapsearch -x

If this gives sensible output, try:

getent passwd

Your output should look something like:

Administrator:x:0:0:Netbios Domain Administrator:/home/Administrator:/bin/false
vi /etc/pam_ldap.conf
host 127.0.0.1
base dc=domain,dc=local
uri ldap://127.0.0.1:389/
port 389
timelimit 30
bind_timelimit 30
bind_policy soft
#pam_password crypt
vi /etc/libnss-ldap.conf
host 127.0.0.1
base dc=domain,dc=local
uri ldap://127.0.0.1:389/
bind_policy soft
binddn cn=admin,dc=domain,dc=local
bindpw <clear-text-pass>
port 389


Add to the files:

vi /etc/pam.d/common-account
account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so
vi /etc/pam.d/common-auth
account required        pam_access.so
auth    sufficient      pam_unix.so nullok_secure
auth    requisite       pam_succeed_if.so uid >= 1000 quiet
auth    sufficient      pam_ldap.so use_first_pass
auth    required        pam_deny.so
vi /etc/pam.d/common-password
password    sufficient    pam_unix.so md5 obscure nullok try_first_pass
password    sufficient    pam_ldap.so
password    required      pam_deny.so
vi /etc/pam.d/common-session
session     required      pam_limits.so
session     required      pam_unix.so
session     optional      pam_ldap.so
session     required      pam_mkhomedir.so skel=/etc/skel/ umask=0022
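The common-auth stack above decides logins by the order and control flags of its modules, which is easy to misread. The following simulation is added for this page (it is not Linux-PAM code): it parses the auth lines as written above, stubs the four modules with a constructed two-account user base (a local "root" and an LDAP "alice"), and walks the stack with the standard meaning of required, requisite and sufficient. Passwords are compared in clear text only because this is a simulation. Note that the "account required pam_access.so" line, although it sits in common-auth, is an account-type line and takes no part in the auth stack, so the parser skips it.

```python
"""Simulate how Linux-PAM walks the common-auth stack from this page.

Constructed example, not Linux-PAM code. Control flags as in pam.d(5):
  required   - failure is remembered, the stack continues
  requisite  - failure ends the stack immediately
  sufficient - success ends the stack with PAM_SUCCESS unless a required
               module already failed; failure is ignored
  optional   - result ignored
"""

# Constructed user base: one local account and one LDAP account.
USERS = {
    "root":  {"uid": 0,    "source": "local", "password": "local-secret"},
    "alice": {"uid": 1001, "source": "ldap",  "password": "ldap-secret"},
}

# /etc/pam.d/common-auth as given on this page.
COMMON_AUTH = """
account required        pam_access.so
auth    sufficient      pam_unix.so nullok_secure
auth    requisite       pam_succeed_if.so uid >= 1000 quiet
auth    sufficient      pam_ldap.so use_first_pass
auth    required        pam_deny.so
"""


def parse_pam(text, module_type="auth"):
    """Return [(control, module, [args])] for the lines of one module type."""
    stack = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == module_type:
            stack.append((parts[1], parts[2], parts[3:]))
    return stack


def pam_unix(args, user, password):
    # Only /etc/passwd + /etc/shadow accounts are known to pam_unix.
    return user is not None and user["source"] == "local" and user["password"] == password


def pam_succeed_if(args, user, password):
    # Only the "uid <op> N" tests used on this page are understood.
    field, op, value = args[0], args[1], int(args[2])
    if field != "uid" or user is None:
        return False
    return {">=": user["uid"] >= value, "<": user["uid"] < value}[op]


def pam_ldap(args, user, password):
    return user is not None and user["source"] == "ldap" and user["password"] == password


def pam_deny(args, user, password):
    return False


MODULES = {"pam_unix.so": pam_unix, "pam_succeed_if.so": pam_succeed_if,
           "pam_ldap.so": pam_ldap, "pam_deny.so": pam_deny}


def authenticate(stack, username, password):
    """Walk the stack; return (final result, list of modules that were consulted)."""
    user = USERS.get(username)
    required_failed = False
    consulted = []
    for control, module, args in stack:
        consulted.append(module)
        ok = MODULES[module](args, user, password)
        if control == "sufficient":
            if ok and not required_failed:
                return "PAM_SUCCESS", consulted
        elif control == "requisite":
            if not ok:
                return "PAM_AUTH_ERR", consulted
        elif control == "required":
            required_failed = required_failed or not ok
        elif control != "optional":
            raise ValueError("unsupported control: " + control)
    return ("PAM_AUTH_ERR" if required_failed else "PAM_SUCCESS"), consulted


AUTH_STACK = parse_pam(COMMON_AUTH)

if __name__ == "__main__":
    for name, pw in (("root", "local-secret"), ("root", "guess"),
                     ("alice", "ldap-secret"), ("alice", "guess"), ("mallory", "x")):
        print(name, pw, authenticate(AUTH_STACK, name, pw))
```

Two things the trace makes visible: a local account with uid below 1000 is decided by pam_unix alone and never reaches pam_ldap (the requisite pam_succeed_if stops the stack), and an LDAP user is only consulted against LDAP after pam_unix has declined, with pam_deny as the final required module so a stack that falls through never succeeds by accident.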

Bind9:

Create a zone for the domain (note check-names ignore; it is important because _ is otherwise not accepted in names)

vi /etc/bind/named.conf.local
zone "domain" {
       type master;
       file "/etc/bind/domain";
       check-names ignore;
};
vi /etc/bind/domain
$TTL    86400
; the SOA contact is written with a dot in place of the @ (root.domain.dk. = root@domain.dk)
@               IN      SOA     domain.dk. root.domain.dk. (
                       2001040301 ; serial
                       28800 ; refresh
                       14400 ; retry
                       3600000 ; expire
                       86400 ; default_ttl
                       )
;
; NS data must be a host name, not an address; the nameserver at 172.16.3.1 is firewall.domain.dk (see the nslookup test below)
@                       IN      NS      firewall.domain.dk.
@                       IN      A       172.16.2.3
firewall                IN      A       172.16.3.1
admin                   IN      A       172.16.2.3
_ldap._tcp.dc._msdcs    SRV 0 0 389 admin.domain.dk.

If the DNS server and the machines are not on the same network segment, add (strange; this ought to be the default)

vi /etc/bind/named.conf.options
      allow-query {172.16/16; 127.0/16; };

Test

nslookup
> set type=srv
> _ldap._tcp.dc._msdcs.domain
Server:  firewall.domain.dk
Address:  172.16.3.1

_ldap._tcp.dc._msdcs.domain    SRV service location:
         priority       = 0
         weight         = 0
         port           = 389
         svr hostname   = admin.domain.dk
domain nameserver = 172.16.3.1
admin.domain.dk        internet address = 172.16.2.3
>
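Before relying on nslookup against a running server, the zone file itself can be checked for the two records a Samba PDC depends on. The checker below is added for this page (it is not BIND code): a small zone-file parser plus checks that the _ldap._tcp.dc._msdcs SRV record exists on port 389 and points at a host with an A record, and that every NS record names a host rather than an IP address (an NS rdata is a domain name, so "172.16.3.1." is accepted syntactically but resolves nothing). It runs on a constructed copy of the zone above with domain.dk. as origin.

```python
"""Sanity-check a BIND zone for the records a Samba/LDAP PDC needs.

Constructed example for this page, not BIND code. The parser handles '@',
relative names, ';' comments, optional TTL/class fields and a parenthesised
multi-line SOA, which is all the zone on this page uses.
"""
import ipaddress


def fqdn(name, origin):
    """Absolute name for an owner or rdata name relative to `origin` (with trailing dot)."""
    if name == "@":
        return origin
    return name if name.endswith(".") else name + "." + origin


def parse_zone(text, origin):
    """Return [(owner FQDN, TYPE, [rdata tokens])] in file order."""
    body, depth = [], 0
    for raw in text.splitlines():
        for ch in raw.split(";", 1)[0] + "\n":     # drop comments, keep line ends
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
            else:
                body.append(" " if (ch == "\n" and depth > 0) else ch)
    records = []
    for line in "".join(body).splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("$"):
            continue                                # blank line or $TTL/$ORIGIN directive
        owner, rest = tokens[0], tokens[1:]
        if rest and rest[0].isdigit():
            rest = rest[1:]                         # optional TTL
        if rest and rest[0].upper() == "IN":
            rest = rest[1:]                         # optional class
        if not rest:
            continue
        records.append((fqdn(owner, origin), rest[0].upper(), rest[1:]))
    return records


def check_pdc_zone(records, origin):
    """Return a list of problems; an empty list means the zone passes."""
    problems = []
    a_names = {owner for owner, rtype, _ in records if rtype == "A"}
    srv = [r for r in records if r[1] == "SRV" and r[0] == "_ldap._tcp.dc._msdcs." + origin]
    if not srv:
        problems.append("no _ldap._tcp.dc._msdcs SRV record")
    for _, _, (prio, weight, port, target) in srv:
        if port != "389":
            problems.append("SRV port %s is not 389" % port)
        if fqdn(target, origin) not in a_names:
            problems.append("SRV target %s has no A record" % target)
    for owner, rtype, rdata in records:
        if rtype != "NS":
            continue
        try:
            ipaddress.ip_address(rdata[0].rstrip("."))
            problems.append("NS %s is an IP address, not a host name" % rdata[0])
        except ValueError:                          # not an address: a real host name
            if fqdn(rdata[0], origin) not in a_names:
                problems.append("NS %s has no A record in the zone" % rdata[0])
    return problems


ORIGIN = "domain.dk."
# Constructed zone following the layout used above.
ZONE = """
$TTL    86400
@               IN      SOA     domain.dk. root.domain.dk. (
                       2001040301 ; serial
                       28800 ; refresh
                       14400 ; retry
                       3600000 ; expire
                       86400 ; default_ttl
                       )
;
@                       IN      NS      firewall.domain.dk.
@                       IN      A       172.16.2.3
firewall                IN      A       172.16.3.1
admin                   IN      A       172.16.2.3
_ldap._tcp.dc._msdcs    SRV 0 0 389 admin.domain.dk.
"""

if __name__ == "__main__":
    print(check_pdc_zone(parse_zone(ZONE, ORIGIN), ORIGIN) or "zone OK")
```

Replacing the NS target with an address literal, or removing the A record for admin, makes the checker report exactly that problem, which is the kind of mistake that otherwise only surfaces when Windows clients fail to locate the domain controller.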

DHCP must also hand out WINS information

vi /etc/dhcp3/dhcpd.conf
  option netbios-name-servers 172.16.2.3;

Join your server:

net rpc join -U Administrator

Create users in LDAP

smbldap-useradd -a -m -A 1 -M <user>@<domain.local> -N "<the user's real name: first name and any middle names>" -S "<surname>" (-P) <username>

Explanation

 -a	is a Windows User (otherwise, Posix stuff only)
 -b	is a AIX User
 -c	gecos
 -d	home
 -g	gid
 -i	is a trust account (Windows Workstation)
 -k	skeleton dir (with -m)
 -m	creates home directory and copies /etc/skel
 -n	do not create a group
 -o	add the user in the organizational unit (relative to the user suffix. Ex: 'ou=admin,ou=all')
 -u	uid
 -s	shell
 -t	time. Wait 'time' seconds before exiting (when adding Windows Workstation)
 -w	is a Windows Workstation (otherwise, Posix stuff only)
 -A	can change password ? 0 if no, 1 if yes
 -B	must change password ? 0 if no, 1 if yes
 -C	sambaHomePath (SMB home share, like '\\PDC-SRV\homes')
 -D	sambaHomeDrive (letter associated with home share, like 'H:')
 -E	sambaLogonScript (DOS script to execute on login)
 -F	sambaProfilePath (profile directory, like '\\PDC-SRV\profiles\foo')
 -G	supplementary comma-separated groups
 -H	sambaAcctFlags (samba account control bits like '[NDHTUMWSLKI]')
 -M	local mailAddress (comma separated)
 -N	given name 
 -P	ends by invoking smbldap-passwd
 -S	surname (Family name)
 -T	mailToAddress (forward address) (comma separated)

GOsa

Open Firefox and navigate to the following address

http://<SERVER-IP>/gosa

And follow the instructions in the web-config

echo -n <TEMP CODE FROM WEB CONFIG> > /tmp/gosa.auth
nano /etc/gosa/gosa.conf
chown root:www-data /etc/gosa/gosa.conf
chmod 640 /etc/gosa/gosa.conf

Problems?

If you can join with a Windows machine via Samba but cannot log in with ordinary users over SSH, it may be because your *.secret files have not been updated. They have no function as such; they contain the bind information for the LDAP server, so just rename them as follows:

mv /etc/pam_ldap.secret /etc/pam_ldap.secret-old
mv /etc/libnss-ldap.secret /etc/libnss-ldap.secret-old