SAMBA & OpenLDAP 建置方案
作者: <netman@study-area.org>
-------------------------------------------------
v2.2 2012-09-25
===============================
(Server: CentOS 5.5, ns1)
===============================
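# --- Server ns1: slapd data directory, plus a private CA for the LDAP TLS certificates ---
yum install -y openldap-servers openldap-clients
cd /var/lib/ldap/
mkdir example.com
chmod 700 example.com
cp /etc/openldap/DB_CONFIG.example example.com/DB_CONFIG
chown -R ldap:ldap example.com
cd /etc/pki/tls/misc
vi ../openssl.cnf
-----------------
basicConstraints=CA:true
-----------------
# NOTE(review): CA:true belongs only in the [ v3_ca ] stanza (the stock openssl.cnf already has it
# there). If this edit is made in [ usr_cert ] instead, every certificate signed below becomes a
# CA that anyone trusting cacert.pem will accept as an issuer -- keep usr_cert at CA:FALSE.
./CA -newca
./CA -newreq # common name set to server name (ns1.example.com)
./CA -sign
# `openssl rsa` strips the passphrase so slapd can start unattended; the resulting key is stored
# in the clear, so keep it root-only (or 0640 root:ldap) -- slapd.conf's TLSCertificateKeyFile
# points at it.
# Fixed: write the key next to newkey.pem so the `mv` two lines down has something to move
# (the original wrote it straight into cacerts/ and then moved a file that did not exist).
openssl rsa -in newkey.pem -out ns1-key.pem
mv newcert.pem /etc/openldap/cacerts/ns1-cert.pem
mv ns1-key.pem /etc/openldap/cacerts/
cp ../../CA/cacert.pem /etc/openldap/cacerts/
./CA -newreq # common name set to client name (ns2.example.com)
./CA -sign
openssl rsa -in newkey.pem -out ns2-key.pem
# The client's private key travels over the network here. rsync to host:path rides on ssh, so it
# is encrypted in transit, but generating the key on ns2 and shipping only the CSR back avoids the
# copy altogether. Either way, delete the plaintext ns2-key.pem left behind in this directory.
rsync -av ns2-key.pem ns2.example.com:/etc/openldap/cacerts/
rsync -av newcert.pem ns2.example.com:/etc/openldap/cacerts/ns2-cert.pem
# Fixed: the CA certificate lives under ../../CA/ (the same path used for ns1 above), not ../../.
rsync -av ../../CA/cacert.pem ns2.example.com:/etc/openldap/cacerts/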
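# --- slapd.conf: schema, TLS material, suffix and the rootdn credential ---
cd /etc/openldap
cp slapd.conf slapd.conf.bak
# Fixed: let slappasswd prompt for the password instead of passing it with -s, which leaves the
# cleartext in shell history and exposes it in `ps` while the command runs. Enter the same
# password that smbpasswd -w and smbldap_bind.conf use later in this guide.
slappasswd -h {SSHA} # copy the resulting {SSHA}... hash into rootpw below
vi slapd.conf # refer to: examples/slapd.conf
-----------------
...
#include /etc/openldap/schema/rfc2307bis.schema
include /etc/openldap/schema/nis.schema
...
TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
TLSCertificateFile /etc/openldap/cacerts/ns1-cert.pem
TLSCertificateKeyFile /etc/openldap/cacerts/ns1-key.pem
...
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
# Only a hash is stored here, but slapd.conf should still stay root:ldap 0640.
rootpw "{SSHA}YmPT+C775k4mAZVbsaLpX+34Uvb5F9ah"
directory /var/lib/ldap/example.com
...
-----------------
# NOTE(review): this excerpt shows no `access to` directives. With none at all, slapd's default is
# read access for everyone (anonymous included), which would expose userPassword and -- once
# samba.schema is loaded later in this guide -- the sambaLMPassword/sambaNTPassword hashes.
# Make sure the file (or the examples/slapd.conf it is based on) restricts them, e.g.
#   access to attrs=userPassword,sambaLMPassword,sambaNTPassword by self write by * auth
#   access to * by * read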
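# --- Seed the directory, then point the server's own NSS/PAM at it over StartTLS ---
mkdir ldifs
cd ldifs/
# Fixed: LDIF records must be separated by a blank line. Without one, slapadd reads both dn:
# lines as a single (invalid) record.
vi init.ldif
----------------------------------
dn: dc=example,dc=com
objectclass: dcObject
objectclass: organization
o: Example Dot Com
dc: example

dn: cn=Manager,dc=example,dc=com
objectclass: organizationalRole
cn: Manager
----------------------------------
service ldap stop
# slapadd runs as root with slapd stopped, so the database files it creates are root-owned;
# that is why the chown further down is needed before slapd is started again.
slapadd -l init.ldif
slapcat
authconfig-tui
[*] Use LDAP
[*] Use LDAP Authentication
Next
[*] Use TLS
Server: ldap://ns1.example.com/
Base DN: dc=example,dc=com
Ok
vi /etc/openldap/ldap.conf
----------------------------------
URI ldap://ns1.example.com/
BASE dc=example,dc=com
TLS_CACERTDIR /etc/openldap/cacerts
TLS_CACERT /etc/openldap/cacerts/cacert.pem
# An ldap:// URI is cleartext unless the tools are given -Z/-ZZ; leave TLS_REQCERT at its
# default (demand) so a StartTLS session is refused when the server cert cannot be verified.
----------------------------------
vi /etc/ldap.conf
----------------------------------
base dc=example,dc=com
...
ssl start_tls
tls_cacertfile /etc/openldap/cacerts/cacert.pem
tls_cacertdir /etc/openldap/cacerts
# tls_checkpeer yes   <- recommended: make nss_ldap/pam_ldap verify the server cert against the
#                        CA above. Its default depends on the libldap version, so set it explicitly.
# NOTE(review): tls_cert/tls_key present the server's own key as a *client* certificate. nss_ldap
# runs inside every user's processes, which is why that private key then has to be world-readable
# (see the notes at the end of this guide). Keep these two lines only if slapd is configured with
# TLSVerifyClient to demand client certs; server-side TLS verification does not need them.
tls_cert /etc/openldap/cacerts/ns1-cert.pem
tls_key /etc/openldap/cacerts/ns1-key.pem
...
uri ldap://ns1.example.com/
# `pam_passwd md5` hashes new passwords client-side with unsalted MD5. `pam_passwd exop` hands the
# change to slapd (password-modify extended op) so the server's own password-hash (e.g. {SSHA}) applies.
pam_passwd md5
----------------------------------
chown -R ldap:ldap /var/lib/ldap/example.com/
# Fixed: typo `serive` -> `service`; as written, slapd was never restarted with the new configuration.
service ldap restart
chkconfig ldap on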
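# --- Sanity-check writes as the rootdn, publish the autofs maps, export /home over NFS ---
vi modify.ldif
----------------------------------
dn: dc=example,dc=com
changetype: modify
add: description
description: For Example Only
----------------------------------
# -ZZ added: force StartTLS and abort if it cannot be negotiated. The URI is ldap:// (cleartext),
# so without it the Manager password supplied via -W goes over the wire unencrypted.
ldapmodify -ZZ -x -v -D "cn=Manager,dc=example,dc=com" -W -f modify.ldif
ldapsearch -x -LLL
# Fixed: blank lines between the LDIF records (the listing had them collapsed; ldapmodify would
# otherwise reject the file).
vi autofs.ldif
----------------------------------
dn: ou=AUTOFS,dc=example,dc=com
objectClass: organizationalUnit
ou: AUTOFS

dn: nisMapName=auto.master,ou=AUTOFS,dc=example,dc=com
objectClass: nisMap
nisMapName: auto.master

dn: cn=/home,nisMapName=auto.master,ou=AUTOFS,dc=example,dc=com
objectClass: nisObject
nisMapName: auto.master
cn: /home
nisMapEntry: ldap:ns1.example.com:nisMapName=auto.home,ou=AUTOFS,dc=example,dc=com

dn: nisMapName=auto.home,ou=AUTOFS,dc=example,dc=com
objectClass: nisMap
nisMapName: auto.home

dn: cn=/,nisMapName=auto.home,ou=AUTOFS,dc=example,dc=com
objectClass: nisObject
nisMapName: auto.home
cn: /
nisMapEntry: -fstype=nfs,soft,intr,nodev,nosuid ns1.example.com:/home/&
----------------------------------
ldapmodify -ZZ -a -x -v -D "cn=Manager,dc=example,dc=com" -W -f autofs.ldif
slapcat
ldapsearch -x -v -LLL
vi /etc/exports
----------------------------------
# NOTE(review): no_root_squash lets root on *any* host in 10.0.0.0/24 act as root on this /home
# over NFS (read/write every user's files, plant setuid binaries). It is only needed if client-side
# root must own files here; otherwise drop it and rely on the default root_squash. The clients
# mount with nodev,nosuid (auto.home entry above), which limits but does not remove the exposure.
/home 10.0.0.0/24(rw,sync,no_root_squash)
----------------------------------
service nfs restart
chkconfig nfs on
showmount -e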
===============================
(Client: CentOS 5.5, ns2)
===============================
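# --- Client ns2: LDAP-backed NSS/PAM over StartTLS, and automounted /home from ns1 ---
yum install -y openldap-clients
authconfig-tui
[*] Use LDAP
[*] Use LDAP Authentication
Next
[*] Use TLS
Server: ldap://ns1.example.com/
Base DN: dc=example,dc=com
Ok
vi /etc/openldap/ldap.conf
----------------------------------
URI ldap://ns1.example.com/
BASE dc=example,dc=com
TLS_CACERTDIR /etc/openldap/cacerts
TLS_CACERT /etc/openldap/cacerts/cacert.pem
----------------------------------
vi /etc/ldap.conf
----------------------------------
base dc=example,dc=com
...
ssl start_tls
tls_cacertfile /etc/openldap/cacerts/cacert.pem
tls_cacertdir /etc/openldap/cacerts
# tls_checkpeer yes   <- recommended: verify ns1's certificate against the CA above instead of
#                        relying on the libldap default.
# NOTE(review): tls_cert/tls_key are only required if slapd demands client certificates
# (TLSVerifyClient). They force ns2-key.pem to be readable by every local user, because nss_ldap
# runs inside each user's processes -- drop them unless the server really needs them.
tls_cert /etc/openldap/cacerts/ns2-cert.pem
tls_key /etc/openldap/cacerts/ns2-key.pem
...
uri ldap://ns1.example.com/
pam_passwd md5
----------------------------------
# Fixed: tlsrequired="yes". With "no", automount silently falls back to cleartext LDAP whenever
# StartTLS fails, and the mount map it fetches (i.e. which NFS server /home comes from) can then be
# tampered with on the wire. authrequired="no" is fine here: the maps are read anonymously.
# Keep this file root-only if credentials are ever added to it.
vi /etc/autofs_ldap_auth.conf
----------------------------------
<autofs_ldap_sasl_conf
usetls="yes"
tlsrequired="yes"
authrequired="no"
/>
----------------------------------
vi /etc/sysconfig/autofs
----------------------------------
MAP_OBJECT_CLASS="nisMap"
ENTRY_OBJECT_CLASS="nisObject"
MAP_ATTRIBUTE="nisMapName"
ENTRY_ATTRIBUTE="cn"
VALUE_ATTRIBUTE="nisMapEntry"
----------------------------------
service autofs restart
chkconfig autofs on
# Touching /home/<user> triggers the automount; the listing shows these as a smoke test.
ls /home
ls /home/username
ls -l /home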
===============================
(Server: CentOS 5.5, ns1)
===============================
# --- Server ns1, Samba side: load samba.schema into slapd, then prepare the profile and netlogon
# directories that smb.conf shares (smb.conf itself is not shown; the listing defers to examples/smb.conf).
cp /usr/share/doc/samba-3.0.33/LDAP/samba.schema /etc/openldap/schema/
vi /etc/openldap/slapd.conf
...
include /etc/openldap/schema/samba.schema
...
# samba.schema adds sambaLMPassword/sambaNTPassword. The NT hash is usable as-is for
# pass-the-hash, so slapd's ACLs must deny anonymous read of those attributes -- check before restarting.
service ldap restart
cd /etc/samba/
cp smb.conf smb.conf.bak
vi smb.conf
(refer to: examples/smb.conf)
mkdir /home/profiles
# 1777 = world-writable with the sticky bit: any local user can create profile directories but
# cannot remove others'. Per-profile permissions depend on the create/directory masks of the
# [profiles] share in smb.conf, which this listing does not show.
chmod 1777 /home/profiles/
mkdir /home/netlogon
# logon.bat in here is produced by the script below and executed by every workstation at logon,
# so the [netlogon] share should be read-only for clients.
vi /usr/local/bin/generate_logon_script
----------------------------------
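#!/bin/bash
# Regenerate the domain logon script that Samba serves from the [netlogon] share.
# Positional arguments are whatever the calling hook passes in; only $5 is used. It is assumed
# to be the server name that T: is mapped from (the guide's smoke test calls this with "1 2 3 4 5")
# -- confirm against the hook definition in smb.conf, which this listing does not show.
# Every domain workstation executes the resulting logon.bat, so $5 is interpolated only after an
# allowlist check: a stray backslash, space or '&' here would become a command run on clients.
set -euo pipefail

readonly out=/home/netlogon/logon.bat
server=${5:-}

if [[ ! "$server" =~ ^[A-Za-z0-9._-]+$ ]]; then
  printf 'generate_logon_script: refusing to use server name %q\n' "$server" >&2
  exit 1
fi

# Build the file next to its final location and rename it into place, so a client reading
# logon.bat mid-regeneration never gets a truncated script.
tmp=$(mktemp "${out}.XXXXXX")
trap 'rm -f -- "$tmp"' EXIT
# Unquoted heredoc: \\\\ and \\ collapse to the single backslashes the UNC path needs (\\server\tmp).
cat > "$tmp" << END
@echo off
net use t: \\\\${server}\\tmp
END
unix2dos "$tmp"
chmod 644 "$tmp"
mv -f -- "$tmp" "$out"
trap - EXIT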
----------------------------------
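chmod 755 /usr/local/bin/generate_logon_script
/usr/local/bin/generate_logon_script 1 2 3 4 5 # smoke test: logon.bat should map t: to \\5\tmp
file /home/netlogon/logon.bat
cat /home/netlogon/logon.bat
ls -l /home/netlogon/logon.bat
service smb restart
service smb status
chkconfig smb on
# `smbpasswd -w` only takes the LDAP admin password as an argument, so it lands in shell history
# and is briefly visible in `ps`; prefix the command with a space (HISTCONTROL=ignorespace) or
# clear the history afterwards. The password is stored in secrets.tdb, which must stay root-only.
smbpasswd -w MyPass
tdbdump secrets.tdb # verify only: this prints the stored LDAP admin password in the clear
# Supply chain: the packages below come from third-party mirrors over plain ftp/http and
# `rpm --force` overrides conflict checks. Verify signatures (`rpm -K <file>` after importing the
# repository's GPG key) before installing, and avoid --force on any system you care about.
yum install -y perl-LDAP
mkdir /usr/src/pkgs
cd /usr/src/pkgs
wget ftp://fr2.rpmfind.net/linux/dag/redhat/el5/en/i386/extras/RPMS/perl-LDAP-0.34-1.el5.rfx.noarch.rpm
rpm -Uvh --force perl-LDAP-0.34-1.el5.rfx.noarch.rpm
wget http://apt.sw.be/redhat/el5/en/i386/rpmforge/RPMS/rpmforge-release-0.5.2-2.el5.rf.i386.rpm
rpm -ivh rpmforge-release-0.5.2-2.el5.rf.i386.rpm
yum install -y perl-Crypt-SmbHash
wget http://download.gna.org/smbldap-tools/packages/el5/smbldap-tools-0.9.9-1.el5.src.rpm
rpmbuild --rebuild smbldap-tools-0.9.9-1.el5.src.rpm
rpm -ivh /usr/src/redhat/RPMS/noarch/smbldap-tools-0.9.9-1.el5.noarch.rpm
cd /etc/smbldap-tools/
net getlocalsid # copy the SID part
vi smbldap.conf (change the GID of Domain Users from 513 to 100)
----------------------------------
SID="S-1-5-21-209187072-3165059680-3224710394"
sambaDomain="example"
#slaveLDAP="ldap://ldap.example.com/"
masterLDAP="ldap://ns1.example.com/"
...
ldapTLS="1"
cafile="/etc/openldap/cacerts/cacert.pem"
clientcert="/etc/openldap/cacerts/ns1-cert.pem"
# Fixed: the key was placed in /etc/openldap/cacerts/ by the CA steps; "certs" was a typo.
clientkey="/etc/openldap/cacerts/ns1-key.pem"
suffix="dc=example,dc=com"
usersdn="ou=Users,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=Idmap,${suffix}"
...
# MD5 here is unsalted and fast to brute-force. smbldap.conf's own comment block lists the
# accepted hashes; prefer the salted SSHA, which is what slapd's rootpw already uses in this guide.
password_hash="MD5"
...
defaultUserGid="100"
...
userSmbHome="\\ns1\%U"
userProfile="\\ns1\profiles\%U"
userHomeDrive="H:"
userScript="logon.bat"
mailDomain="example.com"
----------------------------------
# This file holds the rootdn password in the clear; it must be root-only (0600) -- check after editing.
vi smbldap_bind.conf
----------------------------------
#slaveDN="cn=Manager,dc=example,dc=com"
#slavePw="secret"
masterDN="cn=Manager,dc=example,dc=com"
masterPw="MyPass"
----------------------------------
smbldap-populate
ldapsearch -x -LLL
# NOTE(review): with userSmbHome="\\ns1\%U" this publishes root's home directory as the
# Administrator's home share, so anyone holding the Administrator credential can read and write
# /root over SMB. A dedicated directory is a safer home for that account.
ln -s /root /home/root
service smb restart
smbclient -L localhost -U Administrator
net groupmap list
# Mapping Domain Admins to gid 0 makes every domain admin a member of the Unix root group on
# this host. That is the guide's design choice; be aware of what it grants.
smbldap-groupmod -o -g 0 "Domain Admins"
smbldap-groupmod -o -g 100 "Domain Users"
smbldap-groupmod -o -g 99 "Domain Guests"
groupadd -o -g 515 computers
net groupmap list
smbldap-groupadd ldapu1 # create unix only account
smbldap-useradd -g ldapu1 -m ldapu1
smbldap-passwd ldapu1
smbldap-useradd -a -m smbu1 # create both unix & smb account
smbldap-passwd smbu1
pdbedit -L
pdbedit -Lv
pdbedit -Lv ldapu1
pdbedit -Lv smbu1
getent passwd
smbclient -L localhost -U smbu1
smbclient -L localhost -U ldapu1
smbldap-groupmod -a ldapu1 # add smb attributes
smbldap-usermod -a ldapu1
smbldap-passwd -s ldapu1 # set smb passwd
smbclient -L localhost -U ldapu1
smbldap-useradd -w xp # add machine account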
注意:
* perl-LDAP 版本要更新到 0.34 以上(可到 rpmfind 找)
* redhat-like 系統建議用 authconfig-tui 來設
* /etc/ldap.conf 需要設定 host/uri 及其他 cert 相關設定(tls_cacertfile/tls_cacertdir;建議同時設 tls_checkpeer yes,讓 client 真的驗證 server 憑證)
* tls 需要用 hostname 而非 ip (要與 server 的 cert 中 common name 一致)
* 若在 /etc/ldap.conf 設定了 tls_cert/tls_key,該 host-key 必須讓全部 user 都有 read 權限(因為 nss_ldap 是在每個 user 的 process 內讀取,例如 ssh 登入時)。注意:這等於把主機私鑰開放給所有本機使用者,任何人都能拿它冒充這台主機;除非 slapd 以 TLSVerifyClient 要求 client 憑證,否則建議不要設定 tls_cert/tls_key(server 端的 TLS 驗證不需要它們),或改用專供 nss_ldap 使用的獨立低權限 client 憑證。
--end--