Только начал писать. Так что читать рановато!
Предисловие

Источник — собственный опыт и … Поставлена задача: сделать единый центр аутентификации и сделать так, чтобы документы можно было всегда найти и они не терялись. Сервер — Linux Alt Master 2.4, клиенты — Windows XP, Linux Alt Junior 2.3. Мною было предложено решение: установить на сервер связку Samba3+LDAP и организовать доменную сеть. В Windows достаточно ввести компьютер в домен, в Linux — настроить nss_ldap и монтировать документы по NFS (чтобы сохранялись права на файлы). Также к LDAP привязывается аутентификация squid'а для удобства.

Установка

Поскольку я привык устанавливать из исходников, я скачал samba 3.05 и собрал со следующими параметрами:

./configure --
make
make install

Также из исходников я собрал openldap. Параметры сборки не помню, но …

Конфигурация

Выкладываю пока просто конфиги. Потом разгребу или … Безопасность нулевая, но не в этом суть пока что... главное, что работает.

Конфиг slapd.conf

# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.23.2.8 2003/05/24 23:19:14 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
# [ GLOBAL SETTINGS ]
#

# Default schemas
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
# samba3.schema (from the Samba 3 sources) defines sambaSamAccount, sambaDomain
# and sambaGroupMapping, which the directory dump further down relies on.
include /etc/openldap/schema/samba3.schema
#include /etc/openldap/schema/qmail.schema

# LDAPv2 binds are accepted as well as v3; only needed for very old clients.
allow bind_v2
#concurency 20
#conn_max_pending 100
#conn_max_pending 1000
#defaultsearchbase "o=org"
gentlehup on
#idletimeout 0
#sizelimit 500
#timelimit 60
#limits anonymous time.soft=60 time.hard=120
#limits anonymous size.soft=1000 size.hard=1100 size.unchecked=1000
#limits users time.soft=60 time.hard=120
#limits users size=1000
#limits dn.base="ou=People,dc=example,dc=com" size=100
# 256 = "stats": one line per connection, operation and result (enough to see
# who binds as what, which is the useful audit trail for a domain controller).
loglevel 256
#
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args
#require none
#rootDSE /etc/openldap/school.ldif
# Commented out: no minimum security strength is enforced, so simple binds with
# a clear-text password are accepted on the plain port 389 listener. Enabling
# TLS below and "security simple_bind=..." would reject them.
#security ssf=1 update_ssf=112 simple_bind=64
#threads 16

#
# [ TLS OPTIONS ]
#
# All TLS options are commented out, i.e. slapd serves plain-text LDAP only.
# Clients that bind with a password (see ldap.conf at the end of the page)
# therefore send it in clear over the LAN.
#TLSCipherSuite HIGH:MEDIUM:+SSLv2
#TLSCACertificateFile /etc/openldap/ssl/slapd.pem
#TLSCACertificatePath /etc/openldap/ssl
#TLSCertificateFile /etc/openldap/ssl/slapd.pem
#TLSCertificateKeyFile /etc/openldap/ssl/slapd.pem
#TLSVerifyClient never

#
# [ ACCESS CONTROL ]
#
# No global ACL is active here; the effective ACL is the one given in the
# database section below.
#access to attrs=userPassword
#       by self write
#       by anonymous auth
#       by * write

#
# [ BACKEND OPTIONS ]
#
# Load dynamic backend modules:
modulepath /usr/lib/openldap
#moduleload back_dnssrv.la
#moduleload back_ldap.la
#moduleload back_bdb.la
# ldbm is the old backend; later OpenLDAP releases deprecate it in favour of bdb.
moduleload back_ldbm.la
#moduleload back_meta.la
#moduleload back_monitor.la
#moduleload back_null.la
#moduleload back_passwd.la
#moduleload back_shell.la
#moduleload back_perl.la
#moduleload back_sql.la

# Options in this section only apply to the configuration file section for the
# specified backend. They are supported by every type of backend.
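#backend ldbm
#cachesize 1000
#dbcachesize 100000
#dbsync 10 12 5

#
# [ DATABASE OPTIONS ]
#
database ldbm
suffix "dc=office,dc=school"
rootdn "cn=ldapadmin,dc=office,dc=school"
# ПАРОЛЬ is the author's placeholder. Put a hash generated with slappasswd
# ({SSHA}...) here rather than the clear-text password, and keep slapd.conf
# readable by the slapd user only (see the header comment of this file).
rootpw ПАРОЛЬ
#lastmod on
#maxderefdepth 1
#readonly on
replogfile /var/lib/ldap/replica/office.school.replog
directory /var/lib/ldap/bases/office.school
index objectClass eq
index ou,cn,sn,displayName eq,pres,sub
index uidNumber,gidNumber eq
index sambaSID eq
index memberUID,uid eq,pres,sub
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub

# Fixed: was "access to * by * write", which let any client, including an
# anonymous one, read and rewrite every entry (password hashes, group
# membership, uid/gid numbers used by NSS on the Linux clients).
#
# The rootdn (cn=ldapadmin, which smb.conf uses as "ldap admin dn") bypasses
# these ACLs, so Samba keeps full access without being listed here.
#
# Password-type attributes: a user may change his own userPassword, anyone may
# bind against it, nobody may read it. The Samba hashes are never read by
# anything except Samba itself (rootdn), so they are hidden from everyone.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to attrs=sambaLMPassword,sambaNTPassword,sambaPasswordHistory
        by * none
# Everything else (posix accounts, groups, machine accounts) is readable by
# anyone who can reach the server, which is what nss_ldap needs, and writable
# by nobody but the rootdn.
access to *
        by * read

БАЗА LDAP:

# NOTE(review): this is a dump of a live directory. The sambaLMPassword and
# sambaNTPassword values (LM/NT hashes of real user and machine accounts) were
# published verbatim on the original page; they are replaced here with the
# placeholder <hash-redacted>. In the original dump the root, andrew and
# bakurova entries carried identical hash pairs, i.e. the same password, and
# LM hashes were stored at all; rotate those passwords and consider
# "lanman auth = no" in smb.conf. sambaSID values were already blanked by the
# author.
# office.school
dn: dc=office,dc=school
objectClass: dcObject
objectClass: organization
dc: office
o: office

# Users, office.school
dn: ou=Users,dc=office,dc=school
objectClass: organizationalUnit
ou: Users

# Groups, office.school
dn: ou=Groups,dc=office,dc=school
objectClass: organizationalUnit
ou: Groups

# Computers, office.school
dn: ou=Computers,dc=office,dc=school
objectClass: organizationalUnit
ou: Computers

# SCHOOL, office.school
dn: sambaDomainName=SCHOOL,dc=office,dc=school
sambaDomainName: SCHOOL
sambaSID:
sambaAlgorithmicRidBase: 1000
objectClass: sambaDomain
sambaNextUserRid: 41000
sambaNextGroupRid: 41001

# ldapadmin, Users, office.school
# This entry is a Samba domain user and a member of Domain Admins (gid 1000).
# Its slapd rootdn password (rootpw above) is separate from the Samba hashes
# stored in the entry.
dn: uid=ldapadmin,ou=Users,dc=office,dc=school
cn: ldapadmin
objectClass: organizationalRole
objectClass: shadowAccount
objectClass: top
objectClass: sambaSamAccount
objectClass: posixAccount
gidNumber: 1000
uid: ldapadmin
uidNumber: 1000
homeDirectory: /home/ldapadmin
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdMustChange: 2147483647
sambaHomePath: \\SERVER\ldapadmin
sambaHomeDrive: H:
sambaProfilePath: \\LDAP\Profiles\ldapadmin
sambaPrimaryGroupSID:
sambaAcctFlags: [U ]
sambaSID:
loginShell: /bin/false
gecos: Netbios Domain Administrator
sambaLMPassword: <hash-redacted>
sambaNTPassword: <hash-redacted>
sambaPasswordHistory: 00000000000000000000000000000000000000000000000000000000
 00000000
sambaPwdCanChange: 1119453006
sambaPwdLastSet: 1119453006

# nobody, Users, office.school
# Guest account: [NU ] = no password, normal user; no shell, no home.
dn: uid=nobody,ou=Users,dc=office,dc=school
cn: nobody
objectClass: organizationalRole
objectClass: shadowAccount
objectClass: sambaSamAccount
objectClass: posixAccount
gidNumber: 1001
uid: nobody
uidNumber: 1001
homeDirectory: /dev/null
sambaPwdLastSet: 0
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
sambaHomePath: \\SERVER\homes
sambaHomeDrive: H:
sambaProfilePath: \\SERVER\Profiles\nobody
sambaPrimaryGroupSID:
sambaLMPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
sambaNTPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
sambaAcctFlags: [NU ]
sambaSID:
loginShell: /bin/false

# Domain Admins, Groups, office.school
dn: cn=Domain Admins,ou=Groups,dc=office,dc=school
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 1000
memberUid: ldapadmin
cn: Domain Admins
sambaSID:
sambaGroupType: 2
displayName: smbadmins
description: Local Unix group

# Domain Guests, Groups, office.school
dn: cn=Domain Guests,ou=Groups,dc=office,dc=school
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 1001
memberUid: nobody
cn: Domain Guests
sambaSID:
sambaGroupType: 2
displayName: smbguests
description: Local Unix group

# Domain Users, Groups, office.school
dn: cn=Domain Users,ou=Groups,dc=office,dc=school
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 1002
memberUid: nobody
cn: Domain Users
sambaSID:
sambaGroupType: 2
displayName: smbusers
description: Local Unix group

# linux4$, Computers, office.school
# Machine (workstation trust) accounts: [W ] flag, name ends in "$".
dn: uid=linux4$,ou=Computers,dc=office,dc=school
uid: linux4$
sambaSID:
sambaPrimaryGroupSID:
sambaPwdMustChange: 2147483647
sambaAcctFlags: [W ]
objectClass: sambaSamAccount
objectClass: account
sambaPwdCanChange: 1119530850
sambaLMPassword: <hash-redacted>
sambaNTPassword: <hash-redacted>
sambaPwdLastSet: 1119530850

# l5$, Computers, office.school
dn: uid=l5$,ou=Computers,dc=office,dc=school
uid: l5$
sambaSID:
sambaPrimaryGroupSID:
sambaPwdMustChange: 2147483647
sambaAcctFlags: [W ]
objectClass: sambaSamAccount
objectClass: account
sambaPwdCanChange: 1119530918
sambaNTPassword: <hash-redacted>
sambaPwdLastSet: 1119530918

# root, Users, office.school
dn: uid=root,ou=Users,dc=office,dc=school
uid: root
sambaSID:
sambaPrimaryGroupSID:
displayName: System Administrator
sambaPwdCanChange: 1119453428
sambaPwdMustChange: 2147483647
sambaLMPassword: <hash-redacted>
sambaNTPassword: <hash-redacted>
sambaPasswordHistory: 00000000000000000000000000000000000000000000000000000000
 00000000
sambaPwdLastSet: 1119453428
sambaAcctFlags: [U ]
objectClass: sambaSamAccount
objectClass: account

# linux2$, Computers, office.school
dn: uid=linux2$,ou=Computers,dc=office,dc=school
uid: linux2$
sambaSID:
sambaPrimaryGroupSID:
sambaPwdCanChange: 1119453876
sambaPwdMustChange: 2147483647
sambaLMPassword: <hash-redacted>
sambaNTPassword: <hash-redacted>
sambaPwdLastSet: 1119453876
sambaAcctFlags: [W ]
objectClass: sambaSamAccount
objectClass: account

# linux3$, Computers, office.school
dn: uid=linux3$,ou=Computers,dc=office,dc=school
uid: linux3$
sambaSID:
sambaPrimaryGroupSID:
sambaPwdMustChange: 2147483647
sambaAcctFlags: [W ]
objectClass: sambaSamAccount
objectClass: account
sambaPwdCanChange: 1119545166
sambaLMPassword: <hash-redacted>
sambaNTPassword: <hash-redacted>
sambaPwdLastSet: 1119545166

# l2$, Computers, office.school
dn: uid=l2$,ou=Computers,dc=office,dc=school
uid: l2$
sambaSID:
sambaPrimaryGroupSID:
sambaPwdCanChange: 1119453900
sambaPwdMustChange: 2147483647
sambaLMPassword: <hash-redacted>
sambaNTPassword: <hash-redacted>
sambaPwdLastSet: 1119453900
sambaAcctFlags: [W ]
objectClass: sambaSamAccount
objectClass: account

# l3$, Computers, office.school
dn: uid=l3$,ou=Computers,dc=office,dc=school
uid: l3$
sambaSID:
sambaPrimaryGroupSID:
sambaPwdCanChange: 1119453902
sambaPwdMustChange: 2147483647
sambaLMPassword: <hash-redacted>
sambaNTPassword: <hash-redacted>
sambaPwdLastSet: 1119453902
sambaAcctFlags: [W ]
objectClass: sambaSamAccount
objectClass: account

# l4$, Computers, office.school
dn: uid=l4$,ou=Computers,dc=office,dc=school
uid: l4$
sambaSID:
sambaPrimaryGroupSID:
sambaPwdCanChange: 1119453905
sambaPwdMustChange: 2147483647
sambaLMPassword: <hash-redacted>
sambaNTPassword: <hash-redacted>
sambaPwdLastSet: 1119453905
sambaAcctFlags: [W ]
objectClass: sambaSamAccount
objectClass: account

# l6$, Computers, office.school
dn: uid=l6$,ou=Computers,dc=office,dc=school
uid: l6$
sambaSID:
sambaPrimaryGroupSID:
objectClass: sambaSamAccount
objectClass: account
displayName: L6$
sambaPwdMustChange: 2147483647
sambaAcctFlags: [W ]
sambaPwdCanChange: 1119535372
sambaNTPassword: <hash-redacted>
sambaPwdLastSet: 1119535372

# andrew, Users, office.school
# Regular user whose primary group is gid 1000 (Domain Admins).
dn: uid=andrew,ou=Users,dc=office,dc=school
uid: andrew
cn: andrew
uidNumber: 500
gidNumber: 1000
homeDirectory: /home/andrew
sambaSID:
sambaPrimaryGroupSID:
sambaPwdCanChange: 1119452797
sambaPwdMustChange: 2147483647
sambaLMPassword: <hash-redacted>
sambaNTPassword: <hash-redacted>
sambaPasswordHistory: 00000000000000000000000000000000000000000000000000000000
 00000000
sambaPwdLastSet: 1119452797
sambaAcctFlags: [U ]
objectClass: sambaSamAccount
objectClass: account
objectClass: shadowAccount
objectClass: posixAccount

# electronic, Users, office.school
dn: uid=electronic,ou=Users,dc=office,dc=school
uid: electronic
cn: electronic
uidNumber: 508
gidNumber: 1002
homeDirectory: /HOME/electronic
sambaSID:
sambaPrimaryGroupSID:
sambaPwdMustChange: 2147483647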
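sambaPasswordHistory: 00000000000000000000000000000000000000000000000000000000
 00000000
sambaAcctFlags: [U ]
objectClass: sambaSamAccount
objectClass: account
objectClass: shadowAccount
objectClass: posixAccount
sambaPwdCanChange: 1119540899
sambaLMPassword: <hash-redacted>
sambaNTPassword: <hash-redacted>
sambaPwdLastSet: 1119540899

# NOTE(review): the original page published the real sambaLMPassword and
# sambaNTPassword values (LM/NT hashes) of these accounts; they are replaced
# here with the placeholder <hash-redacted>. Rotate the passwords of every
# account in this dump before reusing any of it.
# bakurova, Users, office.school
dn: uid=bakurova,ou=Users,dc=office,dc=school
uid: bakurova
cn: bakurova
uidNumber: 520
gidNumber: 1002
homeDirectory: /HOME/bakurova
sambaSID:
sambaPrimaryGroupSID:
sambaPwdCanChange: 1119452797
sambaPwdMustChange: 2147483647
sambaLMPassword: <hash-redacted>
sambaNTPassword: <hash-redacted>
sambaPasswordHistory: 00000000000000000000000000000000000000000000000000000000
 00000000
sambaPwdLastSet: 1119452797
sambaAcctFlags: [U ]
objectClass: sambaSamAccount
objectClass: account
objectClass: shadowAccount
objectClass: posixAccount

Конфиг САМБЫ

#======================= Global Settings =====================================
[global]

# 1. Server Naming Options:
workgroup = SCHOOL
; message command = /usr/bin/linpopup "%f" "%m" %s; rm %s
netbios name = SERVER
server string = SERVER

# 2. Printing Options:
printcap name = cups
; printer admin = @adm
load printers = yes
printing = cups

# 3. Logging Options:
log file = /var/log/samba/log.%m
max log size = 500
# Level 3 is a debugging level (verbose, includes client and user names in the
# logs); 1 is enough once the domain works.
log level = 3

# 4. Security and Domain Membership Options:
# The outermost filter in front of every share below: only the two LANs and
# loopback may talk to smbd at all.
hosts allow = 192.168.0. 127.0.0.1 192.168.1.
; guest account = pcguest
security = user
; allow trusted domains = yes
; password server = <ads server name>
; realm = <FULLY.QUALIFIED.REALM.DOMAIN>
; password server = <
; password server = *
; password level = 8
; username level = 8
encrypt passwords = yes
; unix password sync = Yes
# Left over from the stock config; unused while "passdb backend" is ldapsam.
smb passwd file = /etc/samba/smbpasswd
; passwd program = /usr/bin/passwd %u
; passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n
;*passwd:*all*authentication*tokens*updated*successfully*
username map = /etc/samba/smbusers
; include = /etc/samba/smb.conf.%m
# NOTE(review): a single number looks truncated on the page; winbind normally
# takes a range here (low-high) — confirm against the real file.
winbind uid = 100
winbind gid = 100
winbind separator = @
winbind use default domain = False
template homedir = /home/%D/%U
template shell = /bin/bash
socket options = TCP_NODELAY
; remote browse sync = 192.168.3.25 192.168.5.255
interfaces = 192.168.0.0/24 127.0.0.1/24 192.168.1.0/30
; remote announce = 192.168.1.255 192.168.2.44
local master = yes
os level = 64
domain master = yes
preferred master = yes

#LDAP
# ldap suffix = "ou=People,dc=office,dc=school"
ldap suffix = dc=office,dc=school
# This is the slapd rootdn, so Samba bypasses slapd ACLs entirely. Its bind
# password is kept in secrets.tdb ("smbpasswd -w"), never in this file.
ldap admin dn = cn=ldapadmin,dc=office,dc=school
# Plain LDAP is acceptable here only because both URLs below are loopback.
ldap ssl = off
passdb backend = ldapsam:ldap://127.0.0.1
idmap backend = ldap:ldap://127.0.0.1
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap filter = (uid=%u)
ldap delete dn = no

# 6. Domain Control Options:
domain logons = yes
; logon script = %U.bat
logon script = logon.cmd
logon path = \\%N\Profiles\%U
logon home = \\192.168.0.100\home\%u
; machine password timeout 100000000000
# Domain groups:
# Domain groups are handled by 'net groupmap' instead of smb.conf,
# read net(8) for more

# 7. Name Resolution Options:
; name resolve order = wins lmhosts bcast
; wins support = yes
; wins server = w.x.y.z
; wins proxy = yes
dns proxy = no

# 8. File Naming Options:
; preserve case = no
; short preserve case = no
; default case = lower
; case sensitive = no
dos charset = CP866
# NOTE(review): the value of "unix charset" did not survive on the page; set it
# explicitly to the server's filesystem charset.
unix charset =
display charset = CP1251
use sendfile = yes

# Share Definitions
;[homes]
; comment = Home Directory for '%u'
; browseable = no
; writable = yes

[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
writable = no
# logon.cmd from this share runs on every workstation at logon, so whoever can
# write here controls every domain client; "admin users" additionally performs
# the listed users' file operations as root. Keep both lists to domain admins.
write list = root,andrew
admin users = root,andrew
;root preexec = /usr/bin/ntlogon -u %U -g %G -o %a -d /var/lib/samba/netlogon
;root postexec = rm -f /var/lib/samba/netlogon/%U.bat

[Profiles]
path = /var/lib/samba/profiles
browseable = no
writable = yes
# Fixed: was "guest ok = yes". A writable share open to guests lets an
# unauthenticated client read or replace any user's roaming profile, which is
# then loaded at that user's next logon. Profiles are only written by their
# authenticated owner, so guest access is not needed.
guest ok = no
directory mask = 0700
profile acls = yes

[printers]
comment = All Printers
# to allow user 'guest account' to print.
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes
create mode = 0700

[C$]
comment = Directory for all users
; valid users = adm
path = /home/AllUsers
admin users = root
writable = yes
# 0777 makes every file world-writable on the server side as well (including
# for NFS clients); a common group with 0775/0770 is the usual choice for a
# shared directory.
create mode = 0777
directory mask = 0777

[D$]
comment = Home directory
path = /home/NET
admin users = root
# NOTE(review): "adm" here and in [ps] is a user name; a group would be "@adm".
valid users = andrew,adm
writable = yes

[ps]
comment = Prezidentskie sostazania
path = /home/ps
admin users = root,vetal
valid users = vetal,adm,ps
writable = yes

[software]
comment = Windows Software
path = /home/public/ftp
admin users = ftpadm
valid users = ftpadm
writable = yes

;[C$]
; comment = Administrative share for homes
; path = /home
; admin users = @"DOMAIN\\Domain Admins"
; valid users = @"DOMAIN\\Domain Admins"
; writable = yes

# This one is useful for people to share files
;[tmp]
; comment = Temporary file space
; path = /tmp
; read only = no
; public = yes

# A publicly accessible directory, but read only, except for people in
# the staff group
[public]
comment = Public Stuff
; write list = @wheel
path = /home/public
# Anyone on the networks in "hosts allow" can write here without authenticating.
public = yes
writable = yes

ldap.conf

host 192.168.0.100:389
base dc=office,dc=school
nss_base_passwd ou=Users,dc=office,dc=school?one
nss_base_shadow ou=Users,dc=office,dc=school?one
# Fixed: was ou=Users. Groups live under ou=Groups in the directory (see the
# LDIF and "ldap group suffix" above), so a one-level search under ou=Users
# never found a group.
nss_base_group ou=Groups,dc=office,dc=school?one
# NOTE(review): this binds every client with the slapd rootdn. ldap.conf is
# read by NSS in every process, so it must be world-readable, which makes the
# directory's root password available to every local user on every client and
# sends it in clear to port 389 (no TLS on the server). Use a dedicated
# read-only DN, or an anonymous bind with slapd ACLs granting read, and
# "ssl start_tls" once the server has a certificate.
binddn cn=ldapadmin,dc=office,dc=school
bindpw ПАРОЛЬ
bind_policy soft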