openldap+unix_auth+samba3.0(pdc)

火星人 @ 2014-03-05, replies: 0


Spent a few days on unified authentication. I saw lots of people saying they got it configured, but none of them are willing to share with others; the attitude is poor.

By the way, SUSE is garbage!

Part of this example is a migration. If you reinstall the system you don't need to bother importing the old user information; I recommend reinstalling, otherwise user id and group id conflicts are a hassle.

suse 10.1

Install the following packages:
pam_ldap
nss_ldap
openldap2
openldap2-back-meta
openldap2-back-perl
openldap2-client
smbldap-tools

Configure openldap. The thing to watch out for is /etc/openldap/schema/rfc2307bis.schema: do not use this SUSE default schema.
time:~/ldap # grep ^[^#] /etc/openldap/slapd.conf
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/yast.schema
include         /etc/openldap/schema/samba3.schema
include         /etc/openldap/schema/nis.schema
pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args
modulepath      /usr/lib/openldap/modules
access to dn.base=""
       by * read
access to dn.base="cn=Subschema"
       by * read
access to attrs=userPassword,userPKCS12
       by self write
       by * auth
access to attrs=shadowLastChange
       by self write
       by * read
access to *
       by * read
database        bdb
suffix          "dc=time,dc=tim-net"
checkpoint      1024    5
cachesize       10000
rootdn          "cn=Manager,dc=time,dc=tim-net"
rootpw          secret
directory       /var/lib/ldap
index   objectClass     eq

Configuration file for the ldap client
time:~/ldap # grep ^[^#] /etc/ldap.conf
host    127.0.0.1
base    dc=time,dc=tim-net
ldap_version    3
bind_policy     soft
pam_password    crypt
ssl     no
nss_map_attribute       uniqueMember member
pam_filter      objectclass=posixAccount
nss_base_passwd dc=time,dc=tim-net
nss_base_shadow dc=time,dc=tim-net
nss_base_group  dc=time,dc=tim-net

Restart ldap
/etc/init.d/ldap start

This is used to migrate the previous user and group information
time:~/ldap # more time.tim-net.ldif
dn: dc=time,dc=tim-net
objectClass: dcObject
objectClass: organization
dc: time
o: Corporation
description: d Corporation

dn:ou=people, dc=time, dc=tim-net
objectclass: top
objectclass: organizationalUnit
ou: people

dn:ou=group, dc=time, dc=tim-net
objectclass: top
objectclass: organizationalUnit
ou: group

ldapadd -x -D 'cn=Manager,dc=time,dc=tim-net' -f time.tim-net.ldif -w secret

Download this tool, then export the user and group information as ldif files
time:~/ldap # tar zxvf MigrationTools.tgz
time:~/ldap # cd MigrationTools-47/
time:~/ldap/MigrationTools-47 # ./migrate_passwd.pl /etc/passwd passwd.ldif
time:~/ldap/MigrationTools-47 # ./migrate_group.pl /etc/group group.ldif

ldapadd -x -D 'cn=Manager,dc=time,dc=tim-net' -w secret -f passwd.ldif
ldapadd -x -D 'cn=Manager,dc=time,dc=tim-net' -w secret -f group.ldif


Make unix authenticate through ldap
time:~/ldap # grep ^[^#] /etc/nsswitch.conf
passwd: compat
group:  compat
shadow: files ldap
hosts:  files dns
networks:       files dns
services:       files ldap
protocols:      files
rpc:    files
ethers: files
netmasks:       files
netgroup:       files ldap
publickey:      files
bootparams:     files
automount:      files nis
aliases:        files ldap
passwd_compat:  ldap
group_compat:   ldap

Or through the garbage YaST
* In Yast2 go to "Network Services" and start the "LDAP-client"
* Tick off "Use LDAP"
* Try to search for the LDAP server; if the SLP search does not find it, try disabling the firewall (rcSuSEfirewall2 stop) and retry. If it still does not show up, enter the IP address or the network name of the server.
* Make sure that "LDAP SSL/TLS" is not ticked.
* Click "Get DN" and select the top entry

The above is taken from the SUSE wiki.

First samba needs to be configured as a PDC, then get samba's SID
time:~ # net getlocalsid
SID for domain TIME is: S-1-5-21-2923238489-4283043884-1344020638


Configure smbldap-tools; note that the SID must be set according to your own actual situation
time:~ # grep ^[^#] /etc/smbldap-tools/smbldap.conf
SID="S-1-5-21-2923238489-4283043884-1344020638"
slaveLDAP="127.0.0.1"
slavePort="389"
masterLDAP="127.0.0.1"
masterPort="389"
ldapTLS="1"
verify="require"
cafile="/etc/smbldap-tools/ca.pem"
clientcert="/etc/smbldap-tools/smbldap-tools.pem"
clientkey="/etc/smbldap-tools/smbldap-tools.key"
suffix="dc=time,dc=tim-net"
usersdn="ou=People,${suffix}"
computersdn="ou=People,${suffix}"
groupsdn="ou=Group,${suffix}"
idmapdn="ou=Idmap,${suffix}"
sambaUnixIdPooldn="sambaDomainName=SAMBA,${suffix}"
scope="sub"
hash_encrypt="CRYPT"
crypt_salt_format="%s"
userLoginShell="/bin/bash"
userHome="/home/%U"
userHomeDirectoryMode="700"
userGecos="System User"
defaultUserGid="100"
defaultComputerGid="500"
skeletonDir="/etc/skel"
userSmbHome=""
userProfile=""
userHomeDrive="H:"
userScript="startup.bat"
mailDomain="time.tim-net"
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"

And also
time:~ # grep ^[^#] /etc/smbldap-tools/smbldap_bind.conf
slaveDN="cn=Manager,dc=time,dc=tim-net"
slavePw="secret"
masterDN="cn=Manager,dc=time,dc=tim-net"
masterPw="secret"

Use smbldap-tools to generate the structure for samba inside ldap

time:~/ldap # /usr/sbin/smbldap-populate
Populating LDAP directory for domain TIM-NET (S-1-5-21-2923238489-4283043884-1344020638)
(using builtin directory structure)

entry dc=time,dc=tim-net already exist.
entry ou=People,dc=time,dc=tim-net already exist.
entry ou=Group,dc=time,dc=tim-net already exist.
entry ou=People,dc=time,dc=tim-net already exist.
adding new entry: ou=Idmap,dc=time,dc=tim-net
entry uid=root,ou=People,dc=time,dc=tim-net already exist.
entry uid=nobody,ou=People,dc=time,dc=tim-net already exist.
adding new entry: cn=Domain Admins,ou=Group,dc=time,dc=tim-net
adding new entry: cn=Domain Users,ou=Group,dc=time,dc=tim-net
adding new entry: cn=Domain Guests,ou=Group,dc=time,dc=tim-net
adding new entry: cn=Domain Computers,ou=Group,dc=time,dc=tim-net
adding new entry: cn=Administrators,ou=Group,dc=time,dc=tim-net
adding new entry: cn=Account Operators,ou=Group,dc=time,dc=tim-net
adding new entry: cn=Print Operators,ou=Group,dc=time,dc=tim-net
adding new entry: cn=Backup Operators,ou=Group,dc=time,dc=tim-net
adding new entry: cn=Replicators,ou=Group,dc=time,dc=tim-net
adding new entry: sambaDomainName=TIM-NET,dc=time,dc=tim-net

Please provide a password for the domain root:
Changing password for root
New password :
Retype new password :

Because some unix user and group information was already imported earlier, you will see above that root and nobody did not succeed; that is fine. If you reinstall the system, you can skip the earlier part about importing unix user information, which is simpler and avoids strange errors (group conflicts, or "group not found" prompts). I am still using secret as the password here.

samba's configuration file

[global]
       workgroup = TIM-NET
       server string = tim test
       update encrypted = Yes
       map to guest = Bad User
       password level = 4
       printcap name = cups
       logon script = startup.bat
       logon path = \\%N\%U\%m\profile
       logon drive = h:
       domain logons = Yes
       os level = 255
       domain master = Yes
       wins support = Yes
       admin users = @admins
       passdb backend = ldapsam:ldap://localhost
       add user script = /usr/sbin/smbldap-useradd -m '%u'
       delete user script = /usr/sbin/smbldap-userdel '%u'
       add group script = /usr/sbin/smbldap-groupadd '%g'
       delete group script = /usr/sbin/smbldap-groupdel '%g'
       add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
       delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
       set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
       add machine script = /usr/sbin/smbldap-useradd '%u'
       ldap suffix = dc=time,dc=tim-net
       ldap ssl = no
       ldap timeout = 20

       ldap admin dn = cn=Manager,dc=time,dc=tim-net
       ldap group suffix = ou=Group
       ldap machine suffix = ou=People
       ldap passwd sync = Yes
       ldap user suffix = ou=People


       comment = data
       path = /data/
       invalid users = all
       valid users = leber, @admins, schulz
       read only = No
       create mask = 0770
       directory mask = 0770
       hide dot files = No

You can delete samba's configuration files
rm /etc/samba/secrets.tdb
rm /etc/samba/smbpasswd

/etc/init.d/smb restart

Re-add the ldap user information
time:~ # smbpasswd -w secret
Setting stored password for "cn=Manager,dc=time,dc=tim-net" in secrets.tdb

This command can be used to import the previous samba user information; the smbpasswd there is the one we just deleted, heh heh.
pdbedit -i smbpasswd:/etc/samba_bak/smbpasswd -e ldapsam:ldap://127.0.0.1/

Check samba's group status.
time:~ # net groupmap list
Domain Admins (S-1-5-21-604817653-464570487-1053615190-512) -> Domain Admins
Domain Users (S-1-5-21-604817653-464570487-1053615190-513) -> Domain Users
Domain Guests (S-1-5-21-604817653-464570487-1053615190-514) -> Domain Guests
Domain Computers (S-1-5-21-604817653-464570487-1053615190-515) -> Domain Computers
Administrators (S-1-5-32-544) -> Administrators
Account Operators (S-1-5-32-548) -> Account Operators
Print Operators (S-1-5-32-550) -> Print Operators
Backup Operators (S-1-5-32-551) -> Backup Operators
Replicators (S-1-5-32-552) -> Replicators


I recommend everyone reinstall!!!! Don't do a migration; I still have not found a good way to migrate the groups from the old samba to the new system. Maybe joining a domain directly will download them automatically; that remains for everyone to test.

The above achieves unix_auth and a samba PDC, with users, groups and machines added through the Windows management tools, and Windows XP Professional logging on to the domain. I did not do the samba profile configuration; it needs modification to achieve roaming profiles, but it is not hard. I just copied one here.

Useful links
http://www.padl.com/OSS/MigrationTools.html
The Windows management tools can be downloaded from Microsoft; srvtools, I think it is called, I forget.

Problem: setting samba to automatically delete the user's directory, e.g. /home/user1, does not succeed, which causes small problems on the unix side when re-adding a user with the same name. smbldap-userdel -r does not work. But from the console it does.. garbage SUSE, don't know whether this is a SUSE quirk.

Today I also went to look at an example of fetchmail using ldap; if it works I will post it.

[ This post was last edited by cnchun on 2007-6-20 18:16 ]
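One thing worth checking in the slapd.conf shown above: once samba3.schema is loaded, Samba's ldapsam backend stores the LM and NT hashes in sambaLMPassword and sambaNTPassword, but the ACLs only guard userPassword and userPKCS12, so those two attributes fall through to "access to * by * read" and an anonymous bind can read them. The Python checker below is an added example, not code from the post; it parses slapd.conf access clauses in the one-"by"-per-line layout used above, lists the password attributes an unauthenticated client could read, and shows the same ACLs with the Samba hash attributes moved into the auth-only clause (the sample file is constructed to mirror the post).

```python
# Constructed sample mirroring the ACL block in the post (not the poster's file)
WEAK_ACLS = """
access to dn.base=""
       by * read
access to attrs=userPassword,userPKCS12
       by self write
       by * auth
access to *
       by * read
"""
# Hardened variant: Samba hash attributes join the auth-only clause
FIXED_ACLS = WEAK_ACLS.replace("attrs=userPassword,userPKCS12",
    "attrs=userPassword,userPKCS12,sambaLMPassword,sambaNTPassword")

# OpenLDAP access levels, weakest to strongest; each implies the earlier ones
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
# Attributes holding password material once nis.schema and samba3.schema are loaded
SENSITIVE = ["userPassword", "sambaLMPassword", "sambaNTPassword"]

def parse_acls(text):
    """Return [(what, [(who, level), ...])] in file order; one 'by' per line, as in the post."""
    acls = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if parts[:2] == ["access", "to"]:
            acls.append((" ".join(parts[2:]), []))
        elif len(parts) >= 2 and parts[0] == "by" and acls:
            acls[-1][1].append((parts[1], parts[2] if len(parts) > 2 else "none"))
    return acls

def clause_covers(what, attr):
    """Does this 'access to' selector apply to attr on a user entry? (dn.base=/filter= assumed not to)"""
    if what.startswith("attrs="):
        return attr.lower() in what[6:].lower().split(",")
    return what == "*"

def anonymous_readable(text, attrs=SENSITIVE):
    """Attrs an unauthenticated bind can read: the first matching 'access to' clause
    decides, and inside it the first 'by' that matches anonymous ('*' or 'anonymous')."""
    exposed = []
    for attr in attrs:
        for what, bys in parse_acls(text):
            if clause_covers(what, attr):
                level = next((lv for who, lv in bys if who in ("*", "anonymous")), "none")
                rank = LEVELS.index(level) if level in LEVELS else len(LEVELS)  # unknown: flag it
                if rank >= LEVELS.index("read"):
                    exposed.append(attr)
                break  # no later clause is consulted
    return exposed
```

Running anonymous_readable(WEAK_ACLS) reports the two Samba hash attributes, while the hardened FIXED_ACLS reports none.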
《Solutions》

Nice, bump first!
I'll give it a try when I have time.


http://www.coctec.com/docs/service/show-post-38121.html