Samba PDC #1 - Server Configuration    2010/08/15
Build a Samba PDC (Primary Domain Controller) with Samba + OpenLDAP.
An LDAP server must already be running on the LAN, and the server that will become this Samba PDC must already be configured as an LDAP client of it.
[1] First, change the OpenLDAP configuration: convert the Samba schema to cn=config format, load it, and add the indexes the Samba attributes need.
root@master:~# aptitude -y install samba-doc smbldap-tools
root@master:~# cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz /etc/ldap/schema/
root@master:~# gzip -d /etc/ldap/schema/samba.schema.gz
root@master:~# vi schema_convert.conf      # create new file
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/collective.schema
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/duaconf.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/ppolicy.schema
include /etc/ldap/schema/samba.schema

# slapcat converts this slapd.conf-style file into a temporary cn=config tree under ./tmp/ldif_output
# and dumps only the samba schema entry. The {12} is the 0-based position of samba.schema in the
# include list above (it is the 13th entry); if your include list differs, the number differs too.
root@master:~# mkdir -p ./tmp/ldif_output
root@master:~# slapcat -f schema_convert.conf -F ./tmp/ldif_output -n0 -s "cn={12}samba,cn=schema,cn=config" > ./tmp/cn=samba.ldif
root@master:~# vi ./tmp/cn=samba.ldif
# lines 1 and 3: change (remove {12}; the live server assigns its own index when the entry is added)
dn: cn=samba,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: samba
# delete all of the following lines near the end of the file
structuralObjectClass: olcSchemaConfig
entryUUID: bd8a7a82-3cb8-102f-8d5f-070b4e5d16f8
creatorsName: cn=config
createTimestamp: 20100815125953Z
entryCSN: 20100815125953.198505Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20100815125953Z

root@master:~# ldapadd -Y EXTERNAL -H ldapi:/// -f ./tmp/cn=samba.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=samba,cn=schema,cn=config"

root@master:~# vi samba_indexes.ldif      # create new file
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: loginShell eq
olcDbIndex: uid eq,pres,sub
olcDbIndex: memberUid eq,pres,sub
olcDbIndex: uniqueMember eq,pres
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaGroupType eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sambaDomainName eq
olcDbIndex: default sub

root@master:~# ldapmodify -Y EXTERNAL -H ldapi:/// -f samba_indexes.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}hdb,cn=config"

root@master:~# service slapd restart
Stopping OpenLDAP: slapd.
Starting OpenLDAP: slapd.
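The two hand edits in step [1] (picking the right {N} for the slapcat -s selector, and the vi cleanup of cn=samba.ldif before ldapadd) are easy to get wrong when the include list or the schema dump differs from the page's. The script below is an added example, not code from the original page or from OpenLDAP: it computes the index from schema_convert.conf and cleans a slapcat dump. The schema_convert.conf it builds mirrors the page's 13 includes; the slapcat output is a constructed, abridged entry carrying the page's operational-attribute values; $WORK is the script's own scratch directory.

```shell
#!/bin/sh
# Added example (not from the original page): automates the two hand edits in step [1].
# Inputs are constructed below; /etc/ldap/schema paths are the page's, $WORK is a scratch dir.
set -eu

# slapcat names config-schema entries cn={N}<name>, where N is the 0-based position of the
# schema among the "include" lines of the conversion config. The page hardcodes {12}
# because samba.schema is its 13th include; with a different include list N changes.
schema_index() {   # usage: schema_index schema_convert.conf samba   -> prints N, exit 1 if absent
    awk -v want="$2" '
        BEGIN { i = 0 }
        $1 == "include" {
            n = split($2, p, "/"); b = p[n]; sub(/\.schema$/, "", b)
            if (b == want) { print i; f = 1; exit }
            i++
        }
        END { exit f ? 0 : 1 }' "$1"
}

# Strip the {N} ordering tag from the dn/cn lines (the live server assigns its own index on
# ldapadd) and drop the seven operational attributes slapcat appends, which ldapadd rejects.
# Values wrapped onto LDIF continuation lines (leading space) are left intact.
clean_schema_ldif() {   # usage: clean_schema_ldif < slapcat-output > cn=samba.ldif
    sed -e '/^dn: cn={[0-9]*}/s/{[0-9]*}//' \
        -e '/^cn: {[0-9]*}/s/{[0-9]*}//' \
        -e '/^structuralObjectClass:/d' -e '/^entryUUID:/d' \
        -e '/^creatorsName:/d'  -e '/^createTimestamp:/d' \
        -e '/^entryCSN:/d'      -e '/^modifiersName:/d' \
        -e '/^modifyTimestamp:/d'
}

WORK=$(mktemp -d)
# Constructed schema_convert.conf with the same 13 includes, in the same order, as the page.
for s in core collective corba cosine duaconf dyngroup inetorgperson java misc nis openldap ppolicy samba; do
    echo "include /etc/ldap/schema/$s.schema"
done > "$WORK/schema_convert.conf"

# Constructed, abridged slapcat output for the samba schema entry (two wrapped values).
cat > "$WORK/slapcat.out" <<'EOF'
dn: cn={12}samba,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {12}samba
olcAttributeTypes: {0}( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword' DESC 'LanMa
 nager Password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32}
 SINGLE-VALUE )
olcObjectClasses: {0}( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY
 MUST ( uid $ sambaSID ) MAY ( sambaLMPassword ) )
structuralObjectClass: olcSchemaConfig
entryUUID: bd8a7a82-3cb8-102f-8d5f-070b4e5d16f8
creatorsName: cn=config
createTimestamp: 20100815125953Z
entryCSN: 20100815125953.198505Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20100815125953Z
EOF

N=$(schema_index "$WORK/schema_convert.conf" samba)
echo "samba schema entry is cn={$N}samba -> use: slapcat ... -n0 -s \"cn={$N}samba,cn=schema,cn=config\""
clean_schema_ldif < "$WORK/slapcat.out" > "$WORK/cn=samba.ldif"
cat "$WORK/cn=samba.ldif"    # ready for: ldapadd -Y EXTERNAL -H ldapi:/// -f cn=samba.ldif
```

On a real host, run schema_index against your own schema_convert.conf before slapcat, and pipe the slapcat output through clean_schema_ldif instead of editing it in vi; the same function works for any other schema converted this way, since the operational attributes are always the last lines of the dump.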
[2] Change the Samba configuration so that it authenticates against LDAP. Two of the settings below deserve attention: "ldap ssl = no" is acceptable here only because the directory is on 127.0.0.1 (Samba binds as the "ldap admin dn" with the password stored by smbpasswd -W, so a directory on another host needs ldaps:// or "ldap ssl = start tls"), and "admin users = domainadm" makes that account root on every share, so keep the list to the one intended domain admin account.
root@master:~# mv /etc/samba/smb.conf /etc/samba/smb.conf.bak
root@master:~# cp /usr/share/doc/smbldap-tools/examples/smb.conf /etc/samba/smb.conf
root@master:~# vi /etc/samba/smb.conf
# line 3: change the workgroup name to whatever you like
workgroup = ServerWorld
# line 12: comment out
# min passwd length = 3
# line 22: change
ldap passwd sync = yes
# lines 33,34: change
Dos charset = CP932
Unix charset = UTF-8
# line 48: change the LDAP admin DN (the one set when the LDAP server was built)
passdb backend = ldapsam:ldap://127.0.0.1/
ldap admin dn = cn=admin,dc=srv,dc=world
# line 50: change the LDAP suffix (the one set when the LDAP server was built)
ldap suffix = dc=srv,dc=world
ldap group suffix = ou=groups
ldap user suffix = ou=people
# line 60: uncomment
delete group script = /usr/sbin/smbldap-groupdel "%g"
# around line 64: add two lines, specifying the administrator user and no SSL
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
admin users = domainadm
ldap ssl = no

root@master:~# mkdir /home/netlogon
root@master:~# service smbd restart
smbd start/running, process 1722
# register the LDAP admin password with Samba (it is stored in secrets.tdb)
root@master:~# smbpasswd -W
Setting stored password for "cn=admin,dc=srv,dc=world" in secrets.tdb
New SMB password:      # LDAP admin password
Retype new SMB password:
root@master:~# gzip -d /usr/share/doc/smbldap-tools/configure.pl.gz
root@master:~# perl /usr/share/doc/smbldap-tools/configure.pl
$# is no longer supported at /usr/share/doc/smbldap-tools/configure.pl line 314.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
       smbldap-tools script configuration
       -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Before starting, check
 . if your samba controller is up and running.
 . if the domain SID is defined (you can get it with the 'net getlocalsid')
 . you can leave the configuration using the Crtl-c key combination
 . empty value can be set with the "." character
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Looking for configuration files...

Samba Configuration File Path [/etc/samba/smb.conf] >      # press Enter

The default directory in which the smbldap configuration files are stored is shown.
If you need to change this, enter the full directory path, then press enter to continue.
Smbldap-tools Configuration Directory Path [/etc/smbldap-tools/] >      # press Enter
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Let's start configuring the smbldap-tools scripts ...

. workgroup name: name of the domain Samba act as a PDC
  workgroup name [ServerWorld] >      # press Enter
. netbios name: netbios name of the samba controler
  netbios name [PDC-SRV] >      # press Enter
. logon drive: local path to which the home directory will be connected (for NT Workstations). Ex: 'H:'
  logon drive [H:] >      # press Enter
. logon home: home directory location (for Win95/98 or NT Workstation).
  (use %U as username) Ex:'\\PDC-SRV\%U'
  logon home (press the "." character if you don't want homeDirectory) [\\PDC-SRV\%U] > .      # enter a period
. logon path: directory where roaming profiles are stored. Ex:'\\PDC-SRV\profiles\%U'
  logon path (press the "." character if you don't want roaming profile) [\\PDC-SRV\profiles\%U] > .      # enter a period
. home directory prefix (use %U as username) [/home/%U] >      # press Enter
. default users' homeDirectory mode [700] >      # press Enter
. default user netlogon script (use %U as username) [logon.bat] >      # press Enter
  default password validation time (time in days) [45] >      # press Enter
. ldap suffix [dc=srv,dc=world] >      # press Enter
. ldap group suffix [ou=groups] >      # press Enter
. ldap user suffix [ou=people] >      # press Enter
. ldap machine suffix [ou=Computers] >      # press Enter
. Idmap suffix [ou=Idmap] >      # press Enter
. sambaUnixIdPooldn: object where you want to store the next uidNumber
  and gidNumber available for new users and groups
  sambaUnixIdPooldn object (relative to ) [sambaDomainName=ServerWorld] >      # press Enter
. ldap master server: IP adress or DNS name of the master (writable) ldap server
  ldap master server [127.0.0.1] >      # IP of the LDAP server (press Enter if it is local)
. ldap master port [389] >      # press Enter
. ldap master bind dn [cn=admin,dc=srv,dc=world] >      # press Enter
. ldap master bind password [] >      # LDAP admin password
. ldap slave server: IP adress or DNS name of the slave ldap server: can also be the master one
  ldap slave server [127.0.0.1] >      # specify the LDAP slave if you have one (otherwise press Enter)
. ldap slave port [389] >      # press Enter
. ldap slave bind dn [cn=admin,dc=srv,dc=world] >      # press Enter
. ldap slave bind password [] >      # enter it if you have a slave (otherwise anything will do)
. ldap tls support (1/0) [0] >      # press Enter
. SID for domain SERVERWORLD: SID of the domain (can be obtained with 'net getlocalsid PDC-SRV')
  SID for domain SERVERWORLD [S-1-5-21-2328488880-970186277-2112160582] >      # press Enter
. unix password encryption: encryption used for unix passwords
  unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA) [SSHA] > MD5      # specify MD5 (unsalted; the SSHA default is the stronger choice)
. default user gidNumber [513] >      # press Enter
. default computer gidNumber [515] >      # press Enter
. default login shell [/bin/bash] >      # press Enter
. default skeleton directory [/etc/skel] >      # press Enter
. default domain name to append to mail adress [] >      # press Enter
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Use of uninitialized value $# in concatenation (.) or string at /usr/share/doc/smbldap-tools/configure.pl line 314, <STDIN> line 33.
backup old configuration files:
  /etc/smbldap-tools/smbldap.conf->/etc/smbldap-tools/smbldap.conf.old
  /etc/smbldap-tools/smbldap_bind.conf->/etc/smbldap-tools/smbldap_bind.conf.old
writing new configuration file:
  /etc/smbldap-tools/smbldap.conf done.
  /etc/smbldap-tools/smbldap_bind.conf done.

root@master:~# smbldap-populate
Populating LDAP directory for domain SERVERWORLD (S-1-5-21-2328488880-970186277-2112160582)
(using builtin directory structure)

entry dc=srv,dc=world already exist.
entry ou=people,dc=srv,dc=world already exist.
entry ou=groups,dc=srv,dc=world already exist.
adding new entry: ou=Computers,dc=srv,dc=world
adding new entry: ou=Idmap,dc=srv,dc=world
adding new entry: uid=root,ou=People,dc=srv,dc=world
adding new entry: uid=nobody,ou=People,dc=srv,dc=world
adding new entry: cn=Domain Admins,ou=Group,dc=srv,dc=world
adding new entry: cn=Domain Users,ou=Group,dc=srv,dc=world
adding new entry: cn=Domain Guests,ou=Group,dc=srv,dc=world
adding new entry: cn=Domain Computers,ou=Group,dc=srv,dc=world
adding new entry: cn=Administrators,ou=Group,dc=srv,dc=world
adding new entry: cn=Account Operators,ou=Group,dc=srv,dc=world
adding new entry: cn=Print Operators,ou=Group,dc=srv,dc=world
adding new entry: cn=Backup Operators,ou=Group,dc=srv,dc=world
adding new entry: cn=Replicators,ou=Group,dc=srv,dc=world
entry sambaDomainName=ServerWorld,dc=srv,dc=world already exist. Updating it...

Please provide a password for the domain root:
Changing UNIX and samba passwords for root
New password:      # set the domain root's password
Retype new password:

# register domainadm, the account given as "admin users" in smb.conf
root@master:~# smbldap-groupadd -a domainadm
root@master:~# smbldap-useradd -am -g domainadm domainadm
root@master:~# smbldap-passwd domainadm
Changing UNIX and samba passwords for domainadm
New password:
Retype new password:
# check that you can switch to the newly registered user
root@master:~# su - domainadm
domainadm@master:~$      # it works
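Before handing the PDC over, it is worth re-reading the smb.conf values step [2] set, in particular the combination of "passdb backend", "ldap ssl" and "admin users". The script below is an added example, not code from the original page or from Samba: it reads [global] parameters the way Samba does (parameter names are case- and whitespace-insensitive, "#" and ";" start comments) and flags a cleartext LDAP bind and the root-equivalent admin list. The smb.conf files it checks are constructed under $WORK (the script's scratch directory) from the page's values; ldap.srv.world is an assumed hostname standing in for a directory on another host.

```shell
#!/bin/sh
# Added example (not from the original page or from Samba): sanity-check the smb.conf
# settings step [2] changes. All smb.conf files are constructed below under $WORK.
set -eu

smb_get() {   # usage: smb_get "parameter name" smb.conf   -> value from [global], "" if unset
    awk -v key="$1" '
        BEGIN { gsub(/[[:space:]]/, "", key); key = tolower(key) }
        /^[[:space:]]*[#;]/ { next }                                  # comment line
        /^[[:space:]]*\[/   { s = $0; gsub(/[[:space:]]/, "", s); g = (tolower(s) == "[global]"); next }
        !g                  { next }                                  # only [global] matters here
        index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[[:space:]]/, "", k)
            v = substr($0, index($0, "=") + 1);    gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (tolower(k) == key) { print v; exit }
        }' "$2"
}

# Returns 0 when the "ldap admin dn" password (the one smbpasswd -W stores in secrets.tdb)
# would cross the network in the clear: ldapsam on plain ldap://, a non-loopback host, and an
# explicit "ldap ssl = no/off". ldaps:// and ldapi:// are protected by construction and
# "ldap ssl = start tls" upgrades the connection. An unset "ldap ssl" is not judged, because
# its default depends on the Samba version. Only the single-URL form the page uses is parsed.
ldap_bind_is_cleartext() {   # usage: ldap_bind_is_cleartext smb.conf
    backend=$(smb_get "passdb backend" "$1")
    case "$backend" in *ldapsam:*) ;; *) return 1 ;; esac
    url=${backend#*ldapsam:}
    case "$url" in ldaps://*|ldapi://*) return 1 ;; esac
    host=${url#ldap://}; host=${host%%/*}; host=${host%%:*}
    case "$host" in 127.*|localhost|"") return 1 ;; esac
    ssl=$(smb_get "ldap ssl" "$1" | tr 'A-Z' 'a-z')
    case "$ssl" in no|off|false) return 0 ;; *) return 1 ;; esac
}

report() {   # usage: report smb.conf
    if ldap_bind_is_cleartext "$1"; then
        echo "WARN $1: LDAP bind password goes over the network in the clear ($(smb_get 'passdb backend' "$1"))"
    else
        echo "ok   $1: LDAP bind is loopback, ldapi/ldaps, or TLS-protected"
    fi
    # "admin users" run as root on every share; the list should be exactly the intended domain admin.
    echo "     admin users (root on every share): $(smb_get 'admin users' "$1")"
}

WORK=$(mktemp -d)
make_conf() {   # usage: make_conf <passdb backend URL> "<ldap ssl value>" out-file   (constructed, page's values)
    cat > "$3" <<EOF
[global]
   workgroup = ServerWorld
   passdb backend = ldapsam:$1
   ldap admin dn = cn=admin,dc=srv,dc=world
   ldap suffix = dc=srv,dc=world
   ldap passwd sync = yes
   admin users = domainadm
   Ldap SSL = $2
   ; ldap ssl = start tls
[homes]
   ldap ssl = not-global-so-ignored
EOF
}
make_conf ldap://127.0.0.1/       no          "$WORK/smb.local.conf"        # the page's configuration
make_conf ldap://ldap.srv.world/  no          "$WORK/smb.remote.conf"       # same, directory moved to another host
make_conf ldap://ldap.srv.world/  "start tls" "$WORK/smb.remote-tls.conf"   # remote, but upgraded with StartTLS
make_conf ldaps://ldap.srv.world/ no          "$WORK/smb.ldaps.conf"        # remote over LDAPS

for f in "$WORK"/smb.*.conf; do report "$f"; done
```

Point report at /etc/samba/smb.conf on the PDC itself; the local file from the page passes, and the same file with the directory moved off-box is the case that should make you add "ldap ssl = start tls" or switch to ldaps:// before storing the admin password with smbpasswd -W.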