Ubuntu 10.04
Sponsored Link

Samba PDC#1 - サーバーの設定2010/08/15

  Samba + OpenLDAP で Samba PDC (プライマリドメインコントローラ)を構築します。 LAN内にLDAPサーバー構築済み、且つ、 この Samba PDC にするサーバーはLDAPクライアントである必要があります。

[1] まずはOpenLDAPの設定に変更を加えます。
root@master:~#
aptitude -y install samba-doc smbldap-tools


root@master:~#
cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz /etc/ldap/schema/

root@master:~#
gzip -d /etc/ldap/schema/samba.schema.gz

root@master:~#
vi schema_convert.conf


# 新規作成

include /etc/ldap/schema/core.schema
include /etc/ldap/schema/collective.schema
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/duaconf.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/ppolicy.schema
include /etc/ldap/schema/samba.schema


root@master:~#
mkdir -p ./tmp/ldif_output

root@master:~#
slapcat -f schema_convert.conf -F ./tmp/ldif_output -n0 -s "cn={12}samba,cn=schema,cn=config" > ./tmp/cn=samba.ldif

root@master:~#
vi ./tmp/cn=samba.ldif


# 1,3行目:変更 ( {12} を削除 )

dn: cn=samba,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: samba

# ファイルの最後の方の以下の行を全て削除

structuralObjectClass: olcSchemaConfig
entryUUID: bd8a7a82-3cb8-102f-8d5f-070b4e5d16f8
creatorsName: cn=config
createTimestamp: 20100815125953Z
entryCSN: 20100815125953.198505Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20100815125953Z

root@master:~#
ldapadd -Y EXTERNAL -H ldapi:/// -f ./tmp/cn=samba.ldif

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=samba,cn=schema,cn=config"

root@master:~#
vi samba_indexes.ldif


# 新規作成

dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: loginShell eq
olcDbIndex: uid eq,pres,sub
olcDbIndex: memberUid eq,pres,sub
olcDbIndex: uniqueMember eq,pres
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaGroupType eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sambaDomainName eq
olcDbIndex: default sub


root@master:~#
ldapmodify -Y EXTERNAL -H ldapi:/// -f samba_indexes.ldif

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}hdb,cn=config"

root@master:~#
service slapd restart

Stopping OpenLDAP: slapd.
Starting OpenLDAP: slapd.
[2] Sambaの設定を変更してLDAP認証にします。
root@master:~#
mv /etc/samba/smb.conf /etc/samba/smb.conf.bak

root@master:~#
cp /usr/share/doc/smbldap-tools/examples/smb.conf /etc/samba/smb.conf

root@master:~#
vi /etc/samba/smb.conf


# 3行目:workgroup名を任意のものに変更

workgroup =
ServerWorld


# 12行目:コメント化

#
min passwd length = 3

# 22行目:変更

ldap passwd sync =
yes


# 33,34行目:変更

Dos charset =
CP932

Unix charset =
UTF-8


# 48行目:LDAP管理者DN変更 (LDAPサーバーで指定したもの)

passdb backend = ldapsam:ldap://127.0.0.1/
ldap admin dn =
cn=admin,dc=srv,dc=world


# 50行目:LDAP suffix 変更 (LDAPサーバーで指定したもの)

ldap suffix =
dc=srv,dc=world

ldap group suffix = ou=
groups

ldap user suffix = ou=
people


# 60行目:コメント解除

delete group script = /usr/sbin/smbldap-groupdel "%g"

# 64行目あたりに2行追記:管理者ユーザー指定、SSLなし

set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
admin users = domainadm
ldap ssl = no


root@master:~#
mkdir /home/netlogon

root@master:~#
service smbd restart

smbd start/running, process 1722

# LDAP管理者パスワードをSambaに登録

root@master:~#
Setting stored password for "cn=admin,dc=srv,dc=world" in secrets.tdb
New SMB password:    
# LDAP管理者パスワード

Retype new SMB password:

root@master:~#
gzip -d /usr/share/doc/smbldap-tools/configure.pl.gz

root@master:~#
perl /usr/share/doc/smbldap-tools/configure.pl

$# is no longer supported at /usr/share/doc/smbldap-tools/configure.pl line 314.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
smbldap-tools script configuration

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Before starting, check
. if your samba controller is up and running.
. if the domain SID is defined (you can get it with the 'net getlocalsid')

. you can leave the configuration using the Crtl-c key combination
. empty value can be set with the "." character
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Looking for configuration files...

Samba Configuration File Path [/etc/samba/smb.conf] >
# 空Enter


The default directory in which the smbldap configuration files are stored is shown.
If you need to change this, enter the full directory path, then press enter to continue.
Smbldap-tools Configuration Directory Path [/etc/smbldap-tools/] >  
# 空Enter

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Let's start configuring the smbldap-tools scripts ...

. workgroup name: name of the domain Samba act as a PDC
workgroup name [ServerWorld] >
# 空Enter

. netbios name: netbios name of the samba controler
netbios name [PDC-SRV] >
# 空Enter

. logon drive: local path to which the home directory will be connected (for NT Workstations). Ex: 'H:'
logon drive [H:] >
# 空Enter

. logon home: home directory location (for Win95/98 or NT Workstation).
(use %U as username) Ex:'\\PDC-SRV\%U'
logon home (press the "." character if you don't want homeDirectory) [\\PDC-SRV\%U] >
.
 
# ピリオド入力

. logon path: directory where roaming profiles are stored. Ex:'\\PDC-SRV\profiles\%U'
logon path (press the "." character if you don't want roaming profile) [\\PDC-SRV\profiles\%U] >
.
 
# ピリオド入力

. home directory prefix (use %U as username) [/home/%U] >
# 空Enter

. default users' homeDirectory mode [700] >
# 空Enter

. default user netlogon script (use %U as username) [logon.bat] >  
# 空Enter

default password validation time (time in days) [45] >
# 空Enter

. ldap suffix [dc=srv,dc=world] >
# 空Enter

. ldap group suffix [ou=groups] >
# 空Enter

. ldap user suffix [ou=people] >
# 空Enter

. ldap machine suffix [ou=Computers] >
# 空Enter

. Idmap suffix [ou=Idmap] >
# 空Enter

. sambaUnixIdPooldn: object where you want to store the next uidNumber
and gidNumber available for new users and groups
sambaUnixIdPooldn object (relative to ) [sambaDomainName=ServerWorld] >  
# 空Enter

. ldap master server: IP adress or DNS name of the master (writable) ldap server
ldap master server [127.0.0.1] >
# LDAPサーバーのIP指定(ローカルなら空Enter)

. ldap master port [389] >
# 空Enter

. ldap master bind dn [cn=admin,dc=srv,dc=world] >
# 空Enter

. ldap master bind password [] >
# LDAP管理者パスワード

. ldap slave server: IP adress or DNS name of the slave ldap server: can also be the master one
ldap slave server [127.0.0.1] >
# LDAPスレーブがあれば指定(なければ空Enter)

. ldap slave port [389] >
# 空Enter

. ldap slave bind dn [cn=admin,dc=srv,dc=world] >
# 空Enter

. ldap slave bind password [] >
# スレーブがあれば入力(なければテキトーに)

. ldap tls support (1/0) [0] >
# 空Enter

. SID for domain SERVERWORLD: SID of the domain (can be obtained with 'net getlocalsid PDC-SRV')
SID for domain SERVERWORLD [S-1-5-21-2328488880-970186277-2112160582] >  
# 空Enter

. unix password encryption: encryption used for unix passwords
unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA) [SSHA] >
MD5
 
# MD5指定

. default user gidNumber [513] >
# 空Enter

. default computer gidNumber [515] >
# 空Enter

. default login shell [/bin/bash] >
# 空Enter

. default skeleton directory [/etc/skel] >
# 空Enter

. default domain name to append to mail adress [] >
# 空Enter

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Use of uninitialized value $# in concatenation (.) or string at /usr/share/doc/smbldap-tools/configure.pl line 314, <STDIN> line 33.
backup old configuration files:
  /etc/smbldap-tools/smbldap.conf->/etc/smbldap-tools/smbldap.conf.old
  /etc/smbldap-tools/smbldap_bind.conf->/etc/smbldap-tools/smbldap_bind.conf.old
writing new configuration file:
  /etc/smbldap-tools/smbldap.conf done.
  /etc/smbldap-tools/smbldap_bind.conf done.
root@master:~#
smbldap-populate

Populating LDAP directory for domain SERVERWORLD (S-1-5-21-2328488880-970186277-2112160582)
(using builtin directory structure)

entry dc=srv,dc=world already exist.
entry ou=people,dc=srv,dc=world already exist.
entry ou=groups,dc=srv,dc=world already exist.
adding new entry: ou=Computers,dc=srv,dc=world
adding new entry: ou=Idmap,dc=srv,dc=world
adding new entry: uid=root,ou=People,dc=srv,dc=world
adding new entry: uid=nobody,ou=People,dc=srv,dc=world
adding new entry: cn=Domain Admins,ou=Group,dc=srv,dc=world
adding new entry: cn=Domain Users,ou=Group,dc=srv,dc=world
adding new entry: cn=Domain Guests,ou=Group,dc=srv,dc=world
adding new entry: cn=Domain Computers,ou=Group,dc=srv,dc=world
adding new entry: cn=Administrators,ou=Group,dc=srv,dc=world
adding new entry: cn=Account Operators,ou=Group,dc=srv,dc=world
adding new entry: cn=Print Operators,ou=Group,dc=srv,dc=world
adding new entry: cn=Backup Operators,ou=Group,dc=srv,dc=world
adding new entry: cn=Replicators,ou=Group,dc=srv,dc=world
entry sambaDomainName=ServerWorld,dc=srv,dc=world already exist. Updating it...

Please provide a password for the domain root:
Changing UNIX and samba passwords for root
New password:    
# rootパスワード再設定

Retype new password:

# 管理者ユーザーとして設定したdomainadmを登録

root@master:~#
smbldap-groupadd -a domainadm

root@master:~#
smbldap-useradd -am -g domainadm domainadm

root@master:~#
smbldap-passwd domainadm

Changing UNIX and samba passwords for domainadm
New password:
Retype new password:
# 登録したユーザーになれるか確認

root@master:~#
su - domainadm

domainadm@master:~$    
# できた
関連コンテンツ