
Guide: Configuring a Primary Domain Controller with Samba + OpenLDAP

Part 1: Configuring DNS

Network model: on the OpenLDAP server we set up the following.
OpenLDAP server: Hostname: server2.abv.local, IP: 10.0.0.2

Install BIND
# yum -y install bind bind-libs bind-utils bind-chroot

Configure BIND
# cd /var/named/chroot/
# vi etc/named.conf
    acl mynet { 10.0.0.0/8; 127.0.0.1; };
    options {
        allow-transfer { none; };
        // mynet was defined but never referenced; this is what it is for:
        // only the LAN may use this server for recursive lookups.
        allow-recursion { mynet; };
        // A fixed query source port disables BIND's source-port randomization
        // (the defence against off-path cache poisoning). Leave these two lines
        // commented out unless a firewall forces a fixed port.
        //query-source port 53;
        //query-source-v6 port 53;
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/name_stats.txt";
        memstatistics-file "/var/named/data/name_mem_stats.txt";
        notify yes;
    };
    zone "." IN { type hint; file "named.root"; };
    zone "localhost" IN { type master; file "localhost.db"; };
    zone "0.0.127.in-addr.arpa" IN { type master; file "0.0.127.in-addr.arpa.db"; };
    zone "abv.local" IN { type master; file "abv.local.db"; };
    zone "0.0.10.in-addr.arpa" IN { type master; file "0.0.10.in-addr.arpa.db"; };

# cd var/named
# wget http://www.internic.net/zones/named.root
# vi localhost.db
    $TTL 86400
    @   IN  SOA localhost. root.localhost. (
                20080213    ; Serial
                10800       ; Refresh
                3600        ; Retry
                604800      ; Expire
                86400 )     ; Minimum TTL
        IN  NS  localhost.
        IN  A   127.0.0.1

# vi 0.0.127.in-addr.arpa.db
    $TTL 86400  ; 1 day
    @   IN  SOA localhost. root.localhost. (
                20080213    ; Serial
                10800       ; Refresh
                3600        ; Retry
                604800      ; Expire
                86400 )     ; Minimum TTL
        IN  NS  localhost.
    1.0.0.127.in-addr.arpa.  IN  PTR localhost.

# vi abv.local.db
    $TTL 86400
    @   IN  SOA server2.abv.local. root.abv.local. (
                42      ; Serial
                3H      ; Refresh
                15M     ; Retry
                1W      ; Expire
                1D )    ; Minimum TTL
        IN  NS  server2.abv.local.
    server1     1D  IN  A   10.0.0.1
    server2     1D  IN  A   10.0.0.2
    server3     1D  IN  A   10.0.0.3
    ; Owner names that spell out the domain must end with a dot; without it BIND
    ; appends $ORIGIN and the record becomes _ldap._tcp.dc._msdcs.abv.local.abv.local.
    _ldap._tcp.abv.local.             IN  SRV 0 0 389 server2.abv.local.
    _ldap._tcp.dc._msdcs.abv.local.   IN  SRV 0 0 389 server2.abv.local.

# vi 0.0.10.in-addr.arpa.db
    $TTL 86400
    @   IN  SOA server2.abv.local. root.abv.local. (
                3       ; Serial
                28800   ; Refresh
                7200    ; Retry
                604800  ; Expire
                86400 ) ; Minimum TTL
    @   IN  NS  server2.abv.local.
    1   IN  PTR server1.abv.local.
    2   IN  PTR server2.abv.local.
    3   IN  PTR server3.abv.local.

# vi /etc/resolv.conf
    search abv.local
    nameserver 10.0.0.2

Start the service:
# service named start
# chkconfig named on

The configuration files can be downloaded from: http://www.mediafire.com/?7lnwgiccvv6bsbv
__________________

Part 2: Configuring OpenLDAP

Install the required packages:
# yum --enablerepo=dag install openldap* openldap-s* compat-ldap python-ldap phpldap nss_ldap ldapjdk samba samba-common samba-client perl-Crypt-SmbHash perl-Digest-SHA1 perl-Jcode perl-Unicode-Map perl-Unicode-Map8 perl-Unicode-MapUTF8 perl-Unicode-String

Generate a hashed password for the root DN (the LDAP password used here is abv):
# slappasswd -s abv -h {MD5}
{MD5}7sWCYo5L4iMv6IEnCQ5dog==

Configure the domain for OpenLDAP
# vi /etc/openldap/slapd.conf
    include /etc/openldap/schema/core.schema
    include /etc/openldap/schema/cosine.schema
    include /etc/openldap/schema/inetorgperson.schema
    include /etc/openldap/schema/nis.schema
    # add (the file is copied from the Samba docs in the step below)
    include /etc/openldap/schema/samba.schema

    # line 86:
    suffix "dc=abv,dc=local"
    # line 87:
    rootdn "cn=Manager,dc=abv,dc=local"
    # line 93: the hash generated above ({MD5} is unsalted; slappasswd's default {SSHA} is stronger)
    rootpw {MD5}7sWCYo5L4iMv6IEnCQ5dog==
    # line 106: add
    index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
    index default sub

    # add at the bottom
    access to attrs=userPassword,sambaLMPassword,sambaNTPassword
        by self write
        by dn="cn=Manager,dc=abv,dc=local" write
        by anonymous auth
        by * none
    # Note: slapd stops at the first "access to" clause whose target matches.
    # This catch-all matches every entry, so the clauses below it are never
    # evaluated; in this order the uid=samba rules have no effect.
    access to *
        by dn="cn=Manager,dc=abv,dc=local" write
        by self write
        by * read
    access to attrs=description,telephoneNumber
        by dn="uid=samba,ou=Users,dc=abv,dc=local" write
        by self write
        by * read
    access to dn.base="dc=abv,dc=local"
        by dn="uid=samba,ou=Users,dc=abv,dc=local" write
        by * none
    access to dn="ou=Users,dc=abv,dc=local"
        by dn="uid=samba,ou=Users,dc=abv,dc=local" write
        by * none
    access to dn="ou=Groups,dc=abv,dc=local"
        by dn="uid=samba,ou=Users,dc=abv,dc=local" write
        by * none
    access to dn="ou=Computers,dc=abv,dc=local"
        by dn="uid=samba,ou=Users,dc=abv,dc=local" write
        by * none

# vi /etc/openldap/ldap.conf
    BASE dc=abv,dc=local
    URI ldap://127.0.0.1/
    TLS_CACERTDIR /etc/openldap/cacerts

# vi /etc/ldap.conf
    base dc=abv,dc=local
    # rootbinddn takes its password from /etc/ldap.secret (keep it 0600, root-owned)
    rootbinddn cn=Manager,dc=abv,dc=local
    nss_base_passwd ou=Users,dc=abv,dc=local?one
    nss_base_passwd ou=Computers,dc=abv,dc=local?one
    nss_base_group ou=Groups,dc=abv,dc=local?one
    nss_base_shadow ou=Users,dc=abv,dc=local?one
    uri ldap://127.0.0.1/
    ssl no
    tls_cacertdir /etc/openldap/cacerts
    pam_password md5

Copy the sample OpenLDAP files shipped with the system:
# cp /usr/share/doc/samba-3.0.33/LDAP/samba.schema /etc/openldap/schema/
# cp /etc/openldap/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

Configure the LDAP client:
# setup
- Choose Authentication configuration -> Run Tool
- Next
- OK -> Quit

If you will not share users' /home over NFS, add the setting below so that a user's home directory is created automatically at first login:
# vi /etc/pam.d/system-auth
    # add at the bottom
    session optional pam_mkhomedir.so skel=/etc/skel umask=077

Start the ldap service:
# /etc/init.d/ldap start
# /etc/init.d/nscd start
# chkconfig ldap on
# chkconfig nscd on
__________________
Always listening!!! Always supporting!!!

Last edited by zuridk, 07-11-2011 at 15:10
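Added example, not part of zuridk's post: a POSIX sh lint that checks offline for three mistakes the Part 1 and Part 2 configuration makes easy to make. It flags owner names in a zone file that spell out the domain but lack the trailing dot (BIND appends $ORIGIN to them, so the _msdcs SRV record silently lands under abv.local.abv.local), "access to" clauses in slapd.conf that sit after the catch-all "access to *" (slapd stops at the first matching clause, so they are never applied), and password-bearing files such as /etc/ldap.secret or smbldap_bind.conf that are readable by group or others. The file paths are the ones used in this guide and are assumptions for any other host; the script needs only awk and ls, so it runs without BIND or slapd installed.

```shell
#!/bin/sh
# pdc-lint.sh: added example, not from the original post. Offline checks for
# three mistakes the Part 1 / Part 2 configuration invites:
#  1. zone owner names that contain the origin but lack a trailing dot
#     (BIND appends $ORIGIN: "_ldap._tcp.dc._msdcs.abv.local" becomes
#     "_ldap._tcp.dc._msdcs.abv.local.abv.local" and clients never find it)
#  2. slapd.conf ACLs placed after an "access to *" clause (slapd uses the
#     first clause whose <what> matches, so those later clauses are dead)
#  3. files holding the rootdn password in clear text (/etc/ldap.secret,
#     smbldap_bind.conf) that are readable by group or others
# Paths under "live" are the guide's (assumption); adjust for your host.

# Print owner names in ZONEFILE that contain ORIGIN but do not end in a dot.
# Usage: zone_unqualified_owners ZONEFILE ORIGIN   -> exit 0 if none found
zone_unqualified_owners() {
    awk -v origin="$2" '
        /^[ \t]*(;|$)/ { next }   # blank line or comment
        /^[ \t]/       { next }   # continuation line: no owner field
        /^\$/          { next }   # $TTL / $ORIGIN directives
        $1 != "@" && index($1, origin) && substr($1, length($1)) != "." {
            print "unqualified owner: " $1; bad = 1
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Report "access to" clauses that follow a catch-all "access to *".
# Usage: slapd_acl_shadowed SLAPD_CONF   -> exit 0 if the catch-all is last
slapd_acl_shadowed() {
    awk '
        /^[ \t]*access[ \t]+to[ \t]+\*[ \t]*$/ { catchall = NR; next }
        catchall && /^[ \t]*access[ \t]+to[ \t]/ {
            print "line " NR " is unreachable (catch-all on line " catchall "): " $0
            bad = 1
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Exit 0 if FILE grants nothing to group or others (0600 or stricter).
# Reads the mode string from ls -l so it works on any POSIX system.
secret_is_private() {
    mode=$(ls -ld "$1" | cut -c5-10)
    if [ "$mode" = "------" ]; then
        return 0
    fi
    echo "$1: group/other bits set ($mode); expected 0600 root:root"
    return 1
}

# Run against the live files:  sh pdc-lint.sh live
if [ "${1:-}" = "live" ]; then
    rc=0
    zone_unqualified_owners /var/named/chroot/var/named/abv.local.db abv.local || rc=1
    slapd_acl_shadowed /etc/openldap/slapd.conf || rc=1
    for f in /etc/ldap.secret /etc/smbldap-tools/smbldap_bind.conf; do
        [ -e "$f" ] && { secret_is_private "$f" || rc=1; }
    done
    exit $rc
fi
```

Run `sh pdc-lint.sh live` on the server, or point a single function at any file, e.g. `zone_unqualified_owners abv.local.db abv.local`. The zone fix is just the missing dot. The ACL fix is moving `access to *` to the end, after which the `by * none` rules below it start to apply, so re-test anonymous and nss_ldap lookups once you do.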

#3 07-11-2011, 11:54

zuridk
New Member

Joined: Aug 2009  Posts: 37  Thanks: 1  Thanked 59 Times in 14 Posts

Part 3: Configuring SMB-LDAP

# vi /etc/smbldap-tools/smbldap_bind.conf
    # holds the rootdn password in clear text: keep this file 0600 root:root
    slaveDN="cn=Manager,dc=abv,dc=local"
    slavePw="abv"
    masterDN="cn=Manager,dc=abv,dc=local"
    masterPw="abv"

# vi /etc/smbldap-tools/smbldap.conf
    # Ex: sambaDomain="IDEALX-NT"
    sambaDomain="abv.local"
    slaveLDAP="127.0.0.1"
    slavePort="389"
    masterLDAP="127.0.0.1"
    masterPort="389"
    # LDAP Suffix
    suffix="dc=abv,dc=local"
    usersdn="ou=Users,${suffix}"
    computersdn="ou=Computers,${suffix}"
    groupsdn="ou=Groups,${suffix}"
    idmapdn="ou=Idmap,${suffix}"
    sambaUnixIdPooldn="sambaDomainName=abv.local,${suffix}"
    scope="sub"
    hash_encrypt="MD5"
    crypt_salt_format="%s"
    userLoginShell="/bin/bash"
    userHome="/home/%U"
    userHomeDirectoryMode="700"
    userGecos="System User"
    defaultUserGid="513"
    defaultComputerGid="515"
    skeletonDir="/etc/skel"
    defaultMaxPasswordAge="45"
    userSmbHome="\\10.0.0.2\%U"
    userProfile="\\10.0.0.2\profiles\%U"
    userHomeDrive="H:"
    userScript="logon.bat"
    mailDomain="abv.local"
    with_smbpasswd="0"
    smbpasswd="/usr/bin/smbpasswd"
    with_slappasswd="0"
    slappasswd="/usr/sbin/slappasswd"

# vi /etc/samba/smb.conf
    [global]
    workgroup = abv.local
    netbios name = ldapserver
    security = user
    enable privileges = yes
    username map = /etc/samba/smbusers
    server string = samba-ldap-pdc
    encrypt passwords = Yes
    #min passwd length = 3
    admin users = root
    #pam password change = no
    obey pam restrictions = No
    # method 1:
    #unix password sync = no
    ldap passwd sync = Yes
    # method 2:
    #unix password sync = yes
    #ldap passwd sync = no
    passwd program = /usr/sbin/smbldap-passwd -u "%u"
    passwd chat = "Changing *\nNew password*" %n\n "*Retype new password*" %n\n
    log level = 0
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 100000
    #time server = Yes
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    mangling method = hash2
    # code page for DOS/legacy clients; CP932 is Japanese, pick the one matching your clients
    Dos charset = CP932
    Unix charset = UTF-8
    logon script = logon.bat
    # left empty so the per-user LDAP attributes written by smbldap-tools
    # (sambaHomeDrive, sambaHomePath, sambaProfilePath) are used instead
    logon drive =
    logon home =
    logon path =
    domain logons = Yes
    domain master = Yes
    os level = 65
    preferred master = Yes
    wins support = yes
    passdb backend = ldapsam:ldap://10.0.0.2/
    ldap admin dn = cn=Manager,dc=abv,dc=local
    ldap suffix = dc=abv,dc=local
    ldap group suffix = ou=Groups
    ldap user suffix = ou=Users
    ldap machine suffix = ou=Computers
    ldap idmap suffix = ou=Idmap
    idmap backend = ldap://127.0.0.1
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    add user script = /usr/sbin/smbldap-useradd -m "%u"
    ldap delete dn = Yes
    delete user script = /usr/sbin/smbldap-userdel "%u"
    add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
    add group script = /usr/sbin/smbldap-groupadd -p "%g"
    delete group script = /usr/sbin/smbldap-groupdel "%g"
    add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
    delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
    set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"

    [netlogon]
    path = /home/samba/netlogon/
    browseable = No
    read only = Yes

    [profiles]
    path = /home/samba/profiles
    read only = No
    create mask = 0600
    directory mask = 0700
    browseable = No
    guest ok = Yes
    profile acls = yes
    csc policy = disable
    # next line is a great way to secure the profiles
    force user = %U
    # next line allows administrator to access all profiles
    valid users = %U "Domain Admins"

    [homes]
    comment = Home Directories
    valid users = %U
    read only = No
    create mask = 0664
    directory mask = 0775
    browseable = no

Create the required folders:
# mkdir /home/samba
# mkdir /home/samba/netlogon
# mkdir /home/samba/profiles
# chmod 1777 /home/samba/profiles/

Store the password of the ldap admin dn in Samba's secrets.tdb (-w takes the password; -W only prompts for it):
# smbpasswd -w abv

Show the server's local SID:
# net getlocalsid

Put that SID into the smbldap-tools configuration:
# vi /etc/smbldap-tools/smbldap.conf
    SID="<the S-1-5-21-... value printed by net getlocalsid>"

Restart the services:
# service ldap restart
# service smb restart
# chkconfig smb on
# chkconfig ldap on
# smbldap-populate

Create a user to log on with:
# smbldap-useradd -a -m -c abv abv
# smbldap-passwd abv

Check the user list:
# smbldap-userlist

Show the user's details:
# smbldap-usershow abv

Part 4: Joining Windows XP to the Samba PDC

Join the Windows XP machine to the Samba PDC:

Restart the machine and log in with the username and password.

You will see an H: drive shared from the Samba PDC. To check that it works:
- Create a folder on drive H:
- Create a folder on the Desktop named "Desktop for abv"
- Create a text file "data for abv" inside the "Desktop for abv" folder
- Restart or shut down the Windows XP machine

On the Samba PDC, the data created on drive H: is stored in /home/abv, and the data created on the Desktop is stored in /home/samba/profiles/abv/Desktop.

Admin tool: phpLDAPadmin
# yum --enablerepo=epel install phpldapadmin
# vi /etc/httpd/conf.d/phpldapadmin.conf
    Alias /phpldapadmin /usr/share/phpldapadmin/htdocs
    Alias /ldapadmin /usr/share/phpldapadmin/htdocs

    # served over plain HTTP: the Manager password crosses the LAN in clear
    # text on every login, so put this behind TLS or reach it over SSH
    <Directory /usr/share/phpldapadmin/htdocs>
        Order Deny,Allow
        Deny from all
        Allow from 127.0.0.1 10.0.0.0/24
        Allow from ::1
    </Directory>

Restart the Apache service:
# /etc/init.d/httpd restart
# chkconfig httpd on

Open a browser and go to: http://10.0.0.2/phpldapadmin

__________________

- Export OpenLDAP's sample OUs into base.ldif:
migration]# ./migrate_base.pl > base.ldif
- Add the contents to the OpenLDAP server:
migration]# ldapadd -x -W -D "cn=Manager,dc=abv,dc=local" -f base.ldif
The sample OUs are not needed here, so I do not cover configuring the ***.ldif files.
__________________
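Added example, not part of the post: a POSIX sh reader for smb.conf and an audit of the Part 3 settings that matter for a PDC. smbconf_get normalises parameter names the way Samba does (case and embedded whitespace are ignored, so `Guest OK` and `guest ok` are the same key), and smbconf_audit reports `log level = 0` (only errors are logged, so failed logons leave no trace), a missing `hosts allow`, `admin users` (its members act as root on every share), `guest ok = Yes` on the [profiles] share, and a missing `passdb backend`. The 10.0.0.0/24 network in the suggested `hosts allow` value is the guide's LAN and is an assumption; nothing here talks to Samba, so it runs on any machine with awk.

```shell
#!/bin/sh
# smbconf-audit.sh: added example, not from the original post.
# Reads smb.conf the way Samba does (parameter names are case- and
# whitespace-insensitive) and audits the Part 3 settings that affect a PDC.
# The 10.0.0.0/24 network below is the guide's LAN (assumption).

# smbconf_get FILE SECTION KEY -> prints the value; exit 1 if the key is unset.
smbconf_get() {
    awk -v want_sec="$2" -v want_key="$3" '
        function norm(s) { gsub(/[ \t]/, "", s); return tolower(s) }
        BEGIN { want_sec = norm(want_sec); want_key = norm(want_key); missing = 1 }
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }          # comments and blank lines
        /^[ \t]*\[/ {                                 # [section] header
            sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
            sec = norm(sec); next
        }
        sec == want_sec && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            if (norm(key) == want_key) {
                val = substr($0, index($0, "=") + 1)
                sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
                print val; missing = 0; exit
            }
        }
        END { exit missing }
    ' "$1"
}

# Lower-cased value of SECTION/KEY, or "" when unset (for yes/no comparisons).
smbconf_lc() {
    smbconf_get "$1" "$2" "$3" | tr 'A-Z' 'a-z'
}

# Record one finding (used by smbconf_audit, which resets n).
finding() { echo "$1"; n=$((n + 1)); }

# smbconf_audit FILE -> prints one finding per line; exit 0 if there are none.
smbconf_audit() {
    f=$1; n=0

    [ "$(smbconf_lc "$f" global "encrypt passwords")" = "no" ] &&
        finding "global: encrypt passwords = no sends passwords in clear text; keep the guide's Yes"

    case "$(smbconf_lc "$f" global "log level")" in
        ""|0) finding "global: log level 0 records only errors; raise it so failed logons are logged" ;;
    esac

    smbconf_get "$f" global "hosts allow" >/dev/null ||
        finding "global: no 'hosts allow'; the PDC answers any source, add e.g. 'hosts allow = 10.0.0.0/24 127.0.0.1'"

    v=$(smbconf_get "$f" global "admin users") &&
        finding "global: admin users = $v act as root on every share, bypassing file permissions; confirm this is intended"

    [ "$(smbconf_lc "$f" profiles "guest ok")" = "yes" ] &&
        finding "profiles: guest ok = Yes on roaming profiles is unnecessary for domain users; set it to No"

    [ "$(smbconf_lc "$f" global "passdb backend")" = "" ] &&
        finding "global: no passdb backend; ldapsam:ldap://... is required for this setup"

    [ "$n" -eq 0 ]
}

# Audit the live config:  sh smbconf-audit.sh /etc/samba/smb.conf
if [ -n "${1:-}" ]; then
    smbconf_audit "$1"
fi
```

The reader deliberately matches Samba's own name handling: `creat mask` in the guide's [homes] share is not found under `create mask`, which is exactly why Samba ignores that line and testparm warns about an unknown parameter, so running testparm after editing is still the first check.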
