openldap+unix_auth+samba3.0(pdc)
Spent a few days on this unified authentication setup. I saw many people say they got it configured but nobody wants to share with others; bad atmosphere.
By the way, garbage SUSE!
Part of this example is migration. If you reinstall the system, you don't need the hassle of importing the old user information; I recommend reinstalling, otherwise user id and group id conflicts are a pain.
suse 10.1
Install the following software:
pam_ldap
nss_ldap
openldap2
openldap2-back-meta
openldap2-back-perl
openldap2-client
smbldap-tools
Configure openldap. The thing to watch is /etc/openldap/schema/rfc2307bis.schema: don't use this default SUSE schema.
time:~/ldap # grep ^[^#] /etc/openldap/slapd.conf
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/yast.schema
include /etc/openldap/schema/samba3.schema
include /etc/openldap/schema/nis.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
modulepath /usr/lib/openldap/modules
access to dn.base=""
by * read
access to dn.base="cn=Subschema"
by * read
access to attrs=userPassword,userPKCS12
by self write
by * auth
access to attrs=shadowLastChange
by self write
by * read
access to *
by * read
database bdb
suffix "dc=time,dc=tim-net"
checkpoint 1024 5
cachesize 10000
rootdn "cn=Manager,dc=time,dc=tim-net"
rootpw secret
directory /var/lib/ldap
index objectClass eq
Configuration file for the ldap client
time:~/ldap # grep ^[^#] /etc/ldap.conf
host 127.0.0.1
base dc=time,dc=tim-net
ldap_version 3
bind_policy soft
pam_password crypt
ssl no
nss_map_attribute uniqueMember member
pam_filter objectclass=posixAccount
nss_base_passwd dc=time,dc=tim-net
nss_base_shadow dc=time,dc=tim-net
nss_base_group dc=time,dc=tim-net
Restart ldap
/etc/init.d/ldap start
This part is for migrating the old user and group information
time:~/ldap # more time.tim-net.ldif
dn: dc=time,dc=tim-net
objectClass: dcObject
objectClass: organization
dc: time
o: Corporation
description: d Corporation
dn:ou=people, dc=time, dc=tim-net
objectclass: top
objectclass: organizationalUnit
ou: people
dn:ou=group, dc=time, dc=tim-net
objectclass: top
objectclass: organizationalUnit
ou: group
ldapadd -x -D 'cn=Manager,dc=time,dc=tim-net' -f time.tim-net.ldif -w secret
Download this tool, then export the user and group information as ldif files
time:~/ldap # tar zxvf MigrationTools.tgz
time:~/ldap # cd MigrationTools-47/
time:~/ldap/MigrationTools-47 # ./migrate_passwd.pl /etc/passwd passwd.ldif
time:~/ldap/MigrationTools-47 # ./migrate_group.pl /etc/group group.ldif
ldapadd -x -D 'cn=Manager,dc=time,dc=tim-net' -w secret -f passwd.ldif
ldapadd -x -D 'cn=Manager,dc=time,dc=tim-net' -w secret -f group.ldif
Make unix authenticate through ldap
time:~/ldap # grep ^[^#] /etc/nsswitch.conf
passwd: compat
group: compat
shadow: files ldap
hosts: files dns
networks: files dns
services: files ldap
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files ldap
publickey: files
bootparams: files
automount: files nis
aliases: files ldap
passwd_compat: ldap
group_compat: ldap
Or through garbage yast
* In Yast2 go to "Network Services" and start the "LDAP-client"
* Tick "Use LDAP"
* Try to search for the LDAP server; if the SLP search does not find it, try disabling the firewall (rcSuSEfirewall2 stop) and retry. If it still does not show up, enter the IP address or the network name of the server.
* Make sure that "LDAP SSL/TLS" is not ticked.
* Click "Get DN" and select the top entry
The above is from the suse wiki.
First samba needs to be configured as the pdc; get samba's SID
time:~ # net getlocalsid
SID for domain TIME is: S-1-5-21-2923238489-4283043884-1344020638
Configure smbldap-tools; note that the SID must match your own actual one
time:~ # grep ^[^#] /etc/smbldap-tools/smbldap.conf
SID="S-1-5-21-2923238489-4283043884-1344020638"
slaveLDAP="127.0.0.1"
slavePort="389"
masterLDAP="127.0.0.1"
masterPort="389"
ldapTLS="1"
verify="require"
cafile="/etc/smbldap-tools/ca.pem"
clientcert="/etc/smbldap-tools/smbldap-tools.pem"
clientkey="/etc/smbldap-tools/smbldap-tools.key"
suffix="dc=time,dc=tim-net"
usersdn="ou=People,${suffix}"
computersdn="ou=People,${suffix}"
groupsdn="ou=Group,${suffix}"
idmapdn="ou=Idmap,${suffix}"
sambaUnixIdPooldn="sambaDomainName=SAMBA,${suffix}"
scope="sub"
hash_encrypt="CRYPT"
crypt_salt_format="%s"
userLoginShell="/bin/bash"
userHome="/home/%U"
userHomeDirectoryMode="700"
userGecos="System User"
defaultUserGid="100"
defaultComputerGid="500"
skeletonDir="/etc/skel"
userSmbHome=""
userProfile=""
userHomeDrive="H:"
userScript="startup.bat"
mailDomain="time.tim-net"
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"
Also
time:~ # grep ^[^#] /etc/smbldap-tools/smbldap_bind.conf
slaveDN="cn=Manager,dc=time,dc=tim-net"
slavePw="secret"
masterDN="cn=Manager,dc=time,dc=tim-net"
masterPw="secret"
Use smbldap-tools to generate the structure for samba in ldap
time:~/ldap # /usr/sbin/smbldap-populate
Populating LDAP directory for domain TIM-NET (S-1-5-21-2923238489-4283043884-1344020638)
(using builtin directory structure)
entry dc=time,dc=tim-net already exist.
entry ou=People,dc=time,dc=tim-net already exist.
entry ou=Group,dc=time,dc=tim-net already exist.
entry ou=People,dc=time,dc=tim-net already exist.
adding new entry: ou=Idmap,dc=time,dc=tim-net
entry uid=root,ou=People,dc=time,dc=tim-net already exist.
entry uid=nobody,ou=People,dc=time,dc=tim-net already exist.
adding new entry: cn=Domain Admins,ou=Group,dc=time,dc=tim-net
adding new entry: cn=Domain Users,ou=Group,dc=time,dc=tim-net
adding new entry: cn=Domain Guests,ou=Group,dc=time,dc=tim-net
adding new entry: cn=Domain Computers,ou=Group,dc=time,dc=tim-net
adding new entry: cn=Administrators,ou=Group,dc=time,dc=tim-net
adding new entry: cn=Account Operators,ou=Group,dc=time,dc=tim-net
adding new entry: cn=Print Operators,ou=Group,dc=time,dc=tim-net
adding new entry: cn=Backup Operators,ou=Group,dc=time,dc=tim-net
adding new entry: cn=Replicators,ou=Group,dc=time,dc=tim-net
adding new entry: sambaDomainName=TIM-NET,dc=time,dc=tim-net
Please provide a password for the domain root:
Changing password for root
New password :
Retype new password :
Because some unix user and group information was already imported earlier, you see above that root and nobody did not succeed; that's fine. If you reinstall the system, you can skip the earlier part about importing unix user information, which is simpler and won't produce strange errors (group conflicts, or "group not found" messages). For the password here I still used secret
samba's configuration file
workgroup = TIM-NET
server string = tim test
update encrypted = Yes
map to guest = Bad User
password level = 4
printcap name = cups
logon script = startup.bat
logon path = \\%N\%U\%m\profile
logon drive = h:
domain logons = Yes
os level = 255
domain master = Yes
wins support = Yes
admin users = @admins
passdb backend = ldapsam:ldap://localhost
add user script = /usr/sbin/smbldap-useradd -m '%u'
delete user script = /usr/sbin/smbldap-userdel '%u'
add group script = /usr/sbin/smbldap-groupadd '%g'
delete group script = /usr/sbin/smbldap-groupdel '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/sbin/smbldap-useradd '%u'
ldap suffix = dc=time,dc=tim-net
ldap ssl = no
ldap timeout = 20
ldap admin dn = cn=Manager,dc=time,dc=tim-net
ldap group suffix = ou=Group
ldap machine suffix = ou=People
ldap passwd sync = Yes
ldap user suffix = ou=People
comment = data
path = /data/
invalid users = all
valid users = leber, @admins, schulz
read only = No
create mask = 0770
directory mask = 0770
hide dot files = No
samba's configuration files can be deleted
rm /etc/samba/secrets.tdb
rm /etc/samba/smbpasswd
/etc/init.d/smb restart
Re-add the ldap user information
time:~ # smbpasswd -w secret
Setting stored password for "cn=Manager,dc=time,dc=tim-net" in secrets.tdb
You can use this command to import the previous samba user information; the smbpasswd here is the one just deleted, heh heh.
pdbedit -i smbpasswd:/etc/samba_bak/smbpasswd -e ldapsam:ldap://127.0.0.1/
Check the samba group status.
time:~ # net groupmap list
Domain Admins (S-1-5-21-604817653-464570487-1053615190-512) -> Domain Admins
Domain Users (S-1-5-21-604817653-464570487-1053615190-513) -> Domain Users
Domain Guests (S-1-5-21-604817653-464570487-1053615190-514) -> Domain Guests
Domain Computers (S-1-5-21-604817653-464570487-1053615190-515) -> Domain Computers
Administrators (S-1-5-32-544) -> Administrators
Account Operators (S-1-5-32-548) -> Account Operators
Print Operators (S-1-5-32-550) -> Print Operators
Backup Operators (S-1-5-32-551) -> Backup Operators
Replicators (S-1-5-32-552) -> Replicators
I suggest everyone reinstall!!!! Don't migrate; I still haven't found a good way to migrate the groups from the old samba to the new system. Maybe joining a domain directly would download them automatically, who knows; up to everyone to try.
The above implements unix_auth and a samba pdc: adding users, groups and machines through the Windows admin tools, and Windows XP Professional logging onto the domain. I did not do samba's profile configuration; it needs changes to get roaming profiles, but it's not hard. I only copied one here.
Useful links
http://www.padl.com/OSS/MigrationTools.html
The Windows admin tools can be downloaded from Microsoft; srvtools, I think it's called, I forget.
Problem: setting samba to automatically delete the user's directory, e.g. /home/user1, doesn't work, which causes small problems on the unix side when re-adding a user with the same name. smbldap-userdel -r doesn't work. But it does work from the console.. garbage suse, don't know if it's a suse quirk.
Today I'll also look at a fetchmail-with-ldap example; if it works I'll post it.
[ This post was last edited by cnchun on 2007-6-20 18:16 ]
"Solution"
Not bad, bumping this first!
I'll try it when I have time.
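Added example (my own code, not from the post or from OpenLDAP/smbldap-tools): a small Python checker that takes the slapd.conf ACL block from this thread, models OpenLDAP's first-match ACL semantics, and reports what an anonymous bind gets on userPassword, userPKCS12 and shadowLastChange, plus whether rootpw is stored in cleartext as it is in the post. The config text is constructed inline from the post; the parser only handles the "access to attrs=..." and "access to *" forms the post uses.

```python
import re

# Constructed from the slapd.conf in the post above (ACL part plus rootpw).
SLAPD_CONF = """\
access to dn.base=""
 by * read
access to dn.base="cn=Subschema"
 by * read
access to attrs=userPassword,userPKCS12
 by self write
 by * auth
access to attrs=shadowLastChange
 by self write
 by * read
access to *
 by * read
rootpw secret
"""

def parse_acls(conf):
    """Return [(target, [(who, level), ...]), ...] in file order."""
    acls = []
    for raw in conf.splitlines():
        line = raw.strip()
        if line.startswith("access to "):
            acls.append((line[len("access to "):], []))
        elif line.startswith("by ") and acls:
            who, level = line.split()[1:3]
            acls[-1][1].append((who, level))
    return acls

def effective_access(acls, attr, who="anonymous"):
    """OpenLDAP semantics: the first 'access to' clause covering attr decides;
    inside it the first matching 'by' wins, and no matching 'by' means none.
    dn.base clauses apply to entries, not attributes, so they are skipped."""
    for target, bys in acls:
        if target.startswith("dn.base"):
            continue
        m = re.match(r"attrs=(.+)$", target)
        if m and attr not in m.group(1).split(","):
            continue
        for subj, level in bys:
            if subj in ("*", who):
                return level
        return "none"
    return "none"

def cleartext_rootpw(conf):
    """True if rootpw is a bare cleartext value rather than a {SCHEME} hash."""
    m = re.search(r"^rootpw\s+(\S+)", conf, re.M)
    return bool(m) and not m.group(1).startswith("{")
```

With this config anonymous gets only "auth" on userPassword (it can bind against the hash but not read it), while shadowLastChange and every other attribute are world-readable, and rootpw is cleartext, which is worth knowing before you let other hosts on the network talk to this slapd over ssl no.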