Samba PDC#1 - Server Settings 2011/03/21
Build a Samba PDC (Primary Domain Controller) with Samba + OpenLDAP.
An LDAP server must already be running on the LAN, and
the server that will become this Samba PDC must be configured as an LDAP client.
[1] First, make configuration changes on the LDAP server side.
[root@master ~]# wget http://ftp.riken.jp/Linux/scientific/6.0/x86_64/os/Packages/samba-3.5.4-68.el6.x86_64.rpm
[root@master ~]# mkdir tmp
[root@master ~]# cd tmp
[root@master tmp]# rpm2cpio ~/samba-3.5.4-68.el6.x86_64.rpm | cpio -id
[root@master tmp]# cp ./etc/openldap/schema/samba.schema /etc/openldap/schema/
[root@master tmp]# vi schema_convert.conf
# create new
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/collective.schema
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/samba.schema
[root@master tmp]# mkdir ldif_output
[root@master tmp]# slapcat -f schema_convert.conf -F ./ldif_output -n0 -s "cn={12}samba,cn=schema,cn=config" > ./cn=samba.ldif
[root@master tmp]# vi cn=samba.ldif
# lines 1 and 3: change (remove {12})
dn: cn=samba,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: samba
# delete all of the following lines near the end of the file
structuralObjectClass: olcSchemaConfig
entryUUID: 761ed782-e76d-102f-94de-7784c8a781ec
creatorsName: cn=config
createTimestamp: 20110320184149Z
entryCSN: 20110320184149.954974Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20110320184149Z
[root@master tmp]# ldapadd -Y EXTERNAL -H ldapi:/// -f cn=samba.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=samba,cn=schema,cn=config"
[root@master tmp]# vi samba_indexes.ldif
# create new
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: loginShell eq
olcDbIndex: uid eq,pres,sub
olcDbIndex: memberUid eq,pres,sub
olcDbIndex: uniqueMember eq,pres
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaGroupType eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sambaDomainName eq
olcDbIndex: default sub
[root@master tmp]# ldapmodify -Y EXTERNAL -H ldapi:/// -f samba_indexes.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}hdb,cn=config"
[root@master ~]# rm -rf tmp
[root@master ~]# /etc/rc.d/init.d/slapd restart
Stopping slapd: [ OK ]
Starting slapd: [ OK ]
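The hand edits made above to cn=samba.ldif (dropping the {12} ordering prefix from lines 1 and 3 and deleting the operational attributes slapcat appends) as a reusable shell filter. This is an added example, not part of the original page; the sample input is a constructed stand-in for slapcat output, and the number inside {12} depends on the schema's position in schema_convert.conf.

```sh
#!/bin/sh
# Added example, not from the original page. Rewrites a slapcat'ed schema
# entry so that ldapadd accepts it: the {N} ordering prefix is removed from
# the dn and cn lines only (the {N} prefixes inside olcAttributeTypes and
# olcObjectClasses must stay), and the operational attributes slapcat
# emits at the end of the entry are dropped.
clean_schema_ldif() {
    sed -e 's/^dn: cn={[0-9][0-9]*}/dn: cn=/' \
        -e 's/^cn: {[0-9][0-9]*}/cn: /' \
        -e '/^structuralObjectClass: /d' \
        -e '/^entryUUID: /d' \
        -e '/^creatorsName: /d' \
        -e '/^createTimestamp: /d' \
        -e '/^entryCSN: /d' \
        -e '/^modifiersName: /d' \
        -e '/^modifyTimestamp: /d'
}

# Constructed stand-in for slapcat output (a single attribute type) so the
# example runs offline. On the LDAP server the input is slapcat itself:
#   slapcat -f schema_convert.conf -F ./ldif_output -n0 \
#       -s "cn={12}samba,cn=schema,cn=config" | clean_schema_ldif > cn=samba.ldif
sample_slapcat_output() {
    cat <<'EOF'
dn: cn={12}samba,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {12}samba
olcAttributeTypes: {0}( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID' DESC 'Security ID' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
structuralObjectClass: olcSchemaConfig
entryUUID: 00000000-0000-0000-0000-000000000000
creatorsName: cn=config
createTimestamp: 20110320184149Z
entryCSN: 20110320184149.954974Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20110320184149Z
EOF
}

# Show the cleaned entry: four lines remain, with no {12} on dn/cn.
sample_slapcat_output | clean_schema_ldif
```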
[2] Change the Samba configuration to use LDAP authentication. Before configuring, it is a prerequisite that the server that will become this Samba PDC is already an LDAP client.
[root@lan ~]# mv /etc/samba/smb.conf /etc/samba/smb.conf.bak
[root@lan ~]# cp /usr/share/doc/smbldap-tools-*/smb.conf /etc/samba/smb.conf
[root@lan ~]# vi /etc/samba/smb.conf
workgroup = ServerWorld
# line 12: comment out
# min passwd length = 3
# line 22: change
ldap passwd sync = yes
# lines 33,34: change
Dos charset = CP932
Unix charset = UTF-8
# line 47: specify the LDAP server
passdb backend = ldapsam:ldap://10.0.0.100/
# line 48: change the LDAP admin DN (the one set on the LDAP server)
ldap admin dn = cn=admin,dc=server,dc=world
# line 50: change the LDAP suffix (the one set on the LDAP server)
ldap suffix = dc=server,dc=world
ldap group suffix = ou=groups
ldap user suffix = ou=people
# line 60: uncomment
delete group script = /usr/sbin/smbldap-groupdel "%g"
# around line 64, add 2 lines: specify the admin user, no SSL
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
admin users = domainadm
ldap ssl = no
[root@lan ~]# mkdir /home/netlogon
[root@lan ~]# /etc/rc.d/init.d/smb restart
Shutting down SMB services: [ OK ]
Starting SMB services: [ OK ]
[root@lan ~]# /etc/rc.d/init.d/nmb restart
Shutting down NMB services: [ OK ]
Starting NMB services: [ OK ]
[root@lan ~]# smbpasswd -W
# register the LDAP admin password with Samba
Setting stored password for "cn=admin,dc=server,dc=world" in secrets.tdb
New SMB password:   # LDAP admin password
Retype new SMB password:
[root@lan ~]# vi /usr/share/doc/smbldap-tools-*/configure.pl
# line 527: add backslashes as below
# Allows not to use smbpasswd (if with_smbpasswd=\"0\" in smbldap.conf) but
# line 532: add backslashes as below
# Allows not to use slappasswd (if with_slappasswd=\"0\" in smbldap.conf)
[root@lan ~]# perl /usr/share/doc/smbldap-tools-*/configure.pl
$# is no longer supported at /usr/share/doc/smbldap-tools/configure.pl line 314.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
       smbldap-tools script configuration
       -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Before starting, check
 . if your samba controller is up and running.
 . if the domain SID is defined (you can get it with the 'net getlocalsid')
 . you can leave the configuration using the Crtl-c key combination.
   empty value can be set with the "." character
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Looking for configuration files...
Samba Configuration File Path [/etc/samba/smb.conf] >   # just press Enter
The default directory in which the smbldap configuration files are stored is shown.
If you need to change this, enter the full directory path, then press enter to continue.
Smbldap-tools Configuration Directory Path [/etc/smbldap-tools/] >   # just press Enter
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Let's start configuring the smbldap-tools scripts ...
. workgroup name: name of the domain Samba act as a PDC
  workgroup name [ServerWorld] >   # just press Enter
. netbios name: netbios name of the samba controler
  netbios name [PDC-SRV] >   # just press Enter
. logon drive: local path to which the home directory will be connected (for NT Workstations). Ex: 'H:'
  logon drive [H:] >   # just press Enter
. logon home: home directory location (for Win95/98 or NT Workstation).
  (use %U as username) Ex:'\\PDC-SRV\%U'
  logon home (press the "." character if you don't want homeDirectory) [\\PDC-SRV\%U] > .   # enter a period
. logon path: directory where roaming profiles are stored. Ex:'\\PDC-SRV\profiles\%U'
  logon path (press the "." character if you don't want roaming profile) [\\PDC-SRV\profiles\%U] > .   # enter a period
. home directory prefix (use %U as username) [/home/%U] >   # just press Enter
. default users' homeDirectory mode [700] >   # just press Enter
. default user netlogon script (use %U as username) [logon.bat] >   # just press Enter
  default password validation time (time in days) [45] >   # just press Enter
. ldap suffix [dc=server,dc=world] >   # just press Enter
. ldap group suffix [ou=groups] >   # just press Enter
. ldap user suffix [ou=people] >   # just press Enter
. ldap machine suffix [ou=Computers] >   # just press Enter
. Idmap suffix [ou=Idmap] >   # just press Enter
. sambaUnixIdPooldn: object where you want to store the next uidNumber
  and gidNumber available for new users and groups
  sambaUnixIdPooldn object (relative to ) [sambaDomainName=ServerWorld] >   # just press Enter
. ldap master server: IP adress or DNS name of the master (writable) ldap server
  ldap master server [10.0.0.100] >   # confirm this is the LDAP server's IP, then press Enter
. ldap master port [389] >   # just press Enter
. ldap master bind dn [cn=admin,dc=server,dc=world] >   # just press Enter
. ldap master bind password [] >   # LDAP admin password
. ldap slave server: IP adress or DNS name of the slave ldap server: can also be the master one
  ldap slave server [10.0.0.100] >   # specify an LDAP slave if you have one (otherwise just press Enter)
. ldap slave port [389] >   # just press Enter
. ldap slave bind dn [cn=admin,dc=server,dc=world] >   # just press Enter
. ldap slave bind password [] >   # enter it if you have a slave (otherwise anything will do)
. ldap tls support (1/0) [0] >   # just press Enter
. SID for domain ServerWorld: SID of the domain (can be obtained with 'net getlocalsid PDC-SRV')
  SID for domain ServerWorld [S-1-5-21-993657731-4025595428-2303453378] >   # just press Enter
. unix password encryption: encryption used for unix passwords
  unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA) [SSHA] > MD5   # specify MD5
. default user gidNumber [513] >   # just press Enter
. default computer gidNumber [515] >   # just press Enter
. default login shell [/bin/bash] >   # just press Enter
. default skeleton directory [/etc/skel] >   # just press Enter
. default domain name to append to mail adress [] >   # just press Enter
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Use of uninitialized value $# in concatenation (.) or string at /usr/share/doc/smbldap-tools/configure.pl line 314, <STDIN> line 33.
backup old configuration files:
  /etc/smbldap-tools/smbldap.conf->/etc/smbldap-tools/smbldap.conf.old
  /etc/smbldap-tools/smbldap_bind.conf->/etc/smbldap-tools/smbldap_bind.conf.old
writing new configuration file:
  /etc/smbldap-tools/smbldap.conf done.
  /etc/smbldap-tools/smbldap_bind.conf done.
[root@lan ~]# smbldap-populate
Populating LDAP directory for domain ServerWorld (S-1-5-21-1399055626-4271227532-1401686162)
(using builtin directory structure)
entry dc=server,dc=world already exist.
entry ou=people,dc=server,dc=world already exist.
entry ou=groups,dc=server,dc=world already exist.
adding new entry: ou=Computers,dc=server,dc=world
adding new entry: ou=Idmap,dc=server,dc=world
adding new entry: uid=root,ou=people,dc=server,dc=world
adding new entry: uid=nobody,ou=people,dc=server,dc=world
adding new entry: cn=Domain Admins,ou=groups,dc=server,dc=world
adding new entry: cn=Domain Users,ou=groups,dc=server,dc=world
adding new entry: cn=Domain Guests,ou=groups,dc=server,dc=world
adding new entry: cn=Domain Computers,ou=groups,dc=server,dc=world
adding new entry: cn=Administrators,ou=groups,dc=server,dc=world
adding new entry: cn=Account Operators,ou=groups,dc=server,dc=world
adding new entry: cn=Print Operators,ou=groups,dc=server,dc=world
adding new entry: cn=Backup Operators,ou=groups,dc=server,dc=world
adding new entry: cn=Replicators,ou=groups,dc=server,dc=world
entry sambaDomainName=ServerWorld,dc=server,dc=world already exist. Updating it...
Please provide a password for the domain root:
Changing UNIX and samba passwords for root
New password:   # reset the root password
Retype new password:
# register domainadm, the user specified as admin user
[root@lan ~]# smbldap-groupadd -a domainadm
[root@lan ~]# smbldap-useradd -am -g domainadm domainadm
[root@lan ~]# smbldap-passwd domainadm
Changing UNIX and samba passwords for domainadm
New password:
Retype new password:
[root@lan ~]# su - domainadm   # check that you can switch to the registered user
[domainadm@lan ~]$   # it worked
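A small audit of the LDAP settings in an smb.conf like the one edited in this step. This is an added example, not part of the original page: it parses the [global] section, prints the effective values, and flags the combination the tutorial ends with (a remote ldap:// backend with ldap ssl = no, so the bind as ldap admin dn, whose password smbpasswd -W stored in secrets.tdb, crosses the LAN in clear). It assumes Samba's documented default of "start tls" when ldap ssl is absent; the sample smb.conf is a constructed copy of the tutorial's values.

```sh
#!/bin/sh
# Added example, not from the original page. Returns 0 when the LDAP bind is
# protected (ldapi:// socket, ldaps://, or ldap:// with STARTTLS), 1 when it
# would go over the network in clear; prints the effective values either way.
audit_smb_ldap() {   # usage: audit_smb_ldap /etc/samba/smb.conf
    awk '
    /^[ \t]*[#;]/ { next }                        # skip commented-out lines
    /^[ \t]*\[/   { sect = tolower($0); next }    # remember the current section
    sect ~ /\[global\]/ && /=/ {
        key = $0; sub(/=.*/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", key)
        val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
        key = tolower(key); gsub(/[ \t]+/, " ", key)   # "passdb  backend" -> "passdb backend"
        conf[key] = val
    }
    END {
        backend = conf["passdb backend"]
        # Assumed Samba default when the parameter is not set: "start tls"
        ssl = ("ldap ssl" in conf) ? tolower(conf["ldap ssl"]) : "start tls"
        printf "passdb backend = %s\nldap admin dn = %s\nldap ssl = %s\n", backend, conf["ldap admin dn"], ssl
        if (backend ~ /^ldapsam:(ldapi:\/\/|ldaps:\/\/)/) { print "OK: local socket or LDAPS"; exit 0 }
        if (backend ~ /^ldapsam:ldap:\/\// && ssl ~ /^start[ _]tls$/) { print "OK: STARTTLS"; exit 0 }
        print "WARN: plaintext LDAP bind (" backend ", ldap ssl = " ssl ")"; exit 1
    }' "$1"
}

# Constructed copy of the tutorial's settings, written to a temporary file.
tmp=$(mktemp)
cat > "$tmp" <<'EOF'
[global]
   workgroup = ServerWorld
   # min passwd length = 3
   passdb backend = ldapsam:ldap://10.0.0.100/
   ldap admin dn = cn=admin,dc=server,dc=world
   ldap suffix = dc=server,dc=world
   ldap ssl = no
[homes]
   comment = Home Directories
EOF
audit_smb_ldap "$tmp" || echo "(switch to ldaps://, ldapi:/// or ldap ssl = start tls before relying on this PDC)"
rm -f "$tmp"
```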