
AvramenkoAndrew/samba3


Только начал писать. Так что читать рановато!

Оглавление документа

Предисловие


Источники – собственный опыт и http://www.unav.es/cti/ldap-smb/smb-ldap-3-howto.html
Поставлена задача: сделать единый центр аутентификации и сделать так чтобы документы можно было всегда найти и они не терялись. Сервер – Linux Alt Master 2.4, клиенты – WindowsXP, Linux Alt Junior 2.3.
Мною было предложено решение: установить на сервер связку Samba3+Ldap и организовать доменную сеть. В Windows достаточно ввести компьютер в домен, в линукс – настроить nss_ldap и монтировать документы по nfs (чтобы сохранялись права на файлы). Также к ldap'у привязывается аутентификация squid'а для удобства.

Установка

Поскольку я привык устанавливать из исходников, я скачал samba 3.05 и собрал со следующими параметрами:
./configure --with-ldap --with-ldapsam
make
make install

Также из исходников я собрал openldap. Параметры сборки не помню, но по-моему ничего особенного.

Конфигурация

Выкладываю пока просто конфиги. Потом разгребу или кто-нить другой разгребет =)
Безопасность нулевая, но не в этом суть пока что... главное, что работает.

Конфиг slapd.conf

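# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.23.2.8 2003/05/24 23:19:14 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable (it carries rootpw).
#
# [ GLOBAL SETTINGS ]
# Default schemas
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
# samba3.schema (shipped with Samba) defines the samba* attributes and the
# sambaSamAccount / sambaGroupMapping / sambaDomain classes used in the LDIF.
include /etc/openldap/schema/samba3.schema
#include /etc/openldap/schema/qmail.schema
# LDAPv2 binds are accepted; presumably needed by older nss_ldap/pam_ldap
# clients - confirm, otherwise drop it.
allow bind_v2
#concurency 20
#conn_max_pending 100
#conn_max_pending 1000
#defaultsearchbase "o=org"
gentlehup on
#idletimeout 0
#sizelimit 500
#timelimit 60
#limits anonymous time.soft=60 time.hard=120
#limits anonymous size.soft=1000 size.hard=1100 size.unchecked=1000
#limits users time.soft=60 time.hard=120
#limits users size=1000
#limits dn.base="ou=People,dc=example,dc=com" size=100
# 256 = log connections, operations and results (stats level)
loglevel 256
#password-hash {SSHA}
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args
replica-pidfile /var/run/slurpd.pid
replica-argsfile /var/run/slurpd.args
#require none
#rootDSE /etc/openldap/school.ldif
#security ssf=1 update_ssf=112 simple_bind=64
#threads 16


#
# [ TLS OPTIONS ]
#
# No TLS is configured: every bind from the LAN clients (including the
# rootdn bind in the clients' ldap.conf) crosses the network in cleartext.
#TLSCipherSuite HIGH:MEDIUM:+SSLv2
#TLSCACertificateFile /etc/openldap/ssl/slapd.pem
#TLSCACertificatePath /etc/openldap/ssl
#TLSCertificateFile /etc/openldap/ssl/slapd.pem
#TLSCertificateKeyFile /etc/openldap/ssl/slapd.pem
#TLSVerifyClient never


#
# [ ACCESS CONTROL ]
#
# ACLs are declared per database, at the end of this file.


#
# [ BACKEND OPTIONS ]
#
# Load dynamic backend modules:
modulepath /usr/lib/openldap
#moduleload back_dnssrv.la
#moduleload back_ldap.la
#moduleload back_bdb.la
moduleload back_ldbm.la
#moduleload back_meta.la
#moduleload back_monitor.la
#moduleload back_null.la
#moduleload back_passwd.la
#moduleload back_shell.la
#moduleload back_perl.la
#moduleload back_sql.la

# Options in this section only apply to the configuration file section for the
# specified backend. They are supported by every type of backend.
#backend ldbm
#cachesize 1000
#dbcachesize 100000
#dbsync 10 12 5


#
# [ DATABASE OPTIONS ]
#
# back_ldbm is the older backend; back_bdb (commented out above) is the one
# newer OpenLDAP releases recommend.
database ldbm
suffix "dc=office,dc=school"
# This DN bypasses all ACLs. Samba ("ldap admin dn") and the clients'
# nss_ldap both bind as it.
rootdn "cn=ldapadmin,dc=office,dc=school"
# Cleartext placeholder: generate a hashed value with slappasswd and put the
# resulting {SSHA}... string here instead of the plain password.
rootpw ПАРОЛЬ
#lastmod on
#maxderefdepth 1
#readonly on
replogfile /var/lib/ldap/replica/office.school.replog

directory /var/lib/ldap/bases/office.school
index objectClass eq
index ou,cn,sn,displayName eq,pres,sub
index uidNumber,gidNumber eq
index sambaSID eq
index memberUID,uid eq,pres,sub
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub

# Password-equivalent attributes: the entry itself may change them, anyone
# may bind against userPassword, nobody else can read them. The rootdn
# bypasses ACLs, so the previous "access to * by * write" (anonymous write
# to every entry, password hashes included) was never needed for Samba or
# nss_ldap to work.
access to attrs=userPassword,sambaLMPassword,sambaNTPassword,sambaPasswordHistory
        by self write
        by anonymous auth
        by * none

# Everything else is readable (nss lookups); writes go through the rootdn.
access to *
        by * read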

БАЗА LDAP:


# Directory root: dc=office,dc=school (the "ldap suffix" in smb.conf)
dn: dc=office,dc=school
dc: office
o: office
objectClass: dcObject
objectClass: organization

# User accounts ("ldap user suffix = ou=Users")
dn: ou=Users,dc=office,dc=school
ou: Users
objectClass: organizationalUnit

# Group mappings ("ldap group suffix = ou=Groups")
dn: ou=Groups,dc=office,dc=school
ou: Groups
objectClass: organizationalUnit

# Machine trust accounts ("ldap machine suffix = ou=Computers")
dn: ou=Computers,dc=office,dc=school
ou: Computers
objectClass: organizationalUnit

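# SCHOOL, office.school
# Domain record for workgroup SCHOOL (matches "workgroup = SCHOOL" in smb.conf).
# SIDs are hyphen-separated; the dashes in the wiki rendering were typographic.
# NOTE(review): the ldapadmin, nobody and "Domain *" group entries below carry
# SIDs under S-1-5-21-3559559029-1117617680-1763314164, which is not this
# domain's SID; they look like they were generated against another domain SID
# and would not be recognised as part of SCHOOL - confirm and regenerate.
dn: sambaDomainName=SCHOOL,dc=office,dc=school
sambaDomainName: SCHOOL
sambaSID: S-1-5-21-2127937217-1782950159-3468125930
sambaAlgorithmicRidBase: 1000
objectClass: sambaDomain
sambaNextUserRid: 41000
sambaNextGroupRid: 41001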

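# ldapadmin, Users, office.school
# Samba "domain administrator" account. This is a different DN from the slapd
# rootdn (cn=ldapadmin,dc=office,dc=school).
# NOTE(review): sambaSID ends in RID 512, which is the Domain Admins *group*
# SID on cn=Domain Admins, while sambaPrimaryGroupSID ends in RID 500 (the
# Administrator user RID) - the two look swapped; confirm. Both are under a
# SID that differs from the sambaDomainName=SCHOOL entry.
# sambaProfilePath points at \\LDAP although the server's netbios name is
# SERVER - confirm.
# The LM/NT hashes are password-equivalent credentials; once published they
# should be considered compromised and the password rotated.
# The sambaPasswordHistory continuation line must begin with a single space
# (LDIF folding); the wiki rendering dropped it.
dn: uid=ldapadmin,ou=Users,dc=office,dc=school
cn: ldapadmin
objectClass: organizationalRole
objectClass: shadowAccount
objectClass: top
objectClass: sambaSamAccount
objectClass: posixAccount
gidNumber: 1000
uid: ldapadmin
uidNumber: 1000
homeDirectory: /home/ldapadmin
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdMustChange: 2147483647
sambaHomePath: \\SERVER\ldapadmin
sambaHomeDrive: H:
sambaProfilePath: \\LDAP\Profiles\ldapadmin
sambaPrimaryGroupSID: S-1-5-21-3559559029-1117617680-1763314164-500
sambaAcctFlags: [U ]
sambaSID: S-1-5-21-3559559029-1117617680-1763314164-512
loginShell: /bin/false
gecos: Netbios Domain Administrator
sambaLMPassword: 56EBCF104F2E9F80AAD3B435B51404EE
sambaNTPassword: 396C72C2C32558D17F98FAEFC77E415E
sambaPasswordHistory: 00000000000000000000000000000000000000000000000000000000
 00000000
sambaPwdCanChange: 1119453006
sambaPwdLastSet: 1119453006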

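# nobody, Users, office.school
# Guest account: [N] in sambaAcctFlags means no password required, and the
# "NO PASSWORD..." strings are Samba's null-password markers.
# NOTE(review): SIDs are under S-1-5-21-3559559029-..., not the SID of the
# sambaDomainName=SCHOOL entry - confirm.
dn: uid=nobody,ou=Users,dc=office,dc=school
cn: nobody
objectClass: organizationalRole
objectClass: shadowAccount
objectClass: sambaSamAccount
objectClass: posixAccount
gidNumber: 1001
uid: nobody
uidNumber: 1001
homeDirectory: /dev/null
sambaPwdLastSet: 0
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
sambaHomePath: \\SERVER\homes
sambaHomeDrive: H:
sambaProfilePath: \\SERVER\Profiles\nobody
sambaPrimaryGroupSID: S-1-5-21-3559559029-1117617680-1763314164-514
sambaLMPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
sambaNTPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
sambaAcctFlags: [NU ]
sambaSID: S-1-5-21-3559559029-1117617680-1763314164-501
loginShell: /bin/false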

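# Domain Admins, Groups, office.school
# Group mapping: unix gid 1000 <-> RID 512. Members of this group get
# administrative rights in the domain, so keep memberUid minimal.
# NOTE(review): the SID is under S-1-5-21-3559559029-..., not the SID of the
# sambaDomainName=SCHOOL entry - confirm.
dn: cn=Domain Admins,ou=Groups,dc=office,dc=school
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 1000
memberUid: ldapadmin
cn: Domain Admins
sambaSID: S-1-5-21-3559559029-1117617680-1763314164-512
sambaGroupType: 2
displayName: smbadmins
description: Local Unix group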

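# Domain Guests, Groups, office.school
# Group mapping: unix gid 1001 <-> RID 514; uid=nobody's primary group.
# NOTE(review): the SID is under S-1-5-21-3559559029-..., not the SID of the
# sambaDomainName=SCHOOL entry - confirm.
dn: cn=Domain Guests,ou=Groups,dc=office,dc=school
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 1001
memberUid: nobody
cn: Domain Guests
sambaSID: S-1-5-21-3559559029-1117617680-1763314164-514
sambaGroupType: 2
displayName: smbguests
description: Local Unix group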

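# Domain Users, Groups, office.school
# Group mapping: unix gid 1002 <-> RID 513.
# NOTE(review): the SID is under S-1-5-21-3559559029-..., while the user
# entries (andrew, electronic, bakurova) reference RID 513 under the
# sambaDomainName=SCHOOL SID - the two will not match; confirm.
dn: cn=Domain Users,ou=Groups,dc=office,dc=school
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 1002
memberUid: nobody
cn: Domain Users
sambaSID: S-1-5-21-3559559029-1117617680-1763314164-513
sambaGroupType: 2
displayName: smbusers
description: Local Unix group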

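# linux4$, Computers, office.school
# Workstation trust account ([W] flag). No posixAccount/uidNumber here, so
# presumably the matching unix account lives elsewhere (e.g. local
# /etc/passwd) - confirm, since Samba needs a resolvable unix user for it.
# The LM/NT hashes are the machine password; a published entry means the
# machine should be re-joined to the domain.
dn: uid=linux4$,ou=Computers,dc=office,dc=school
uid: linux4$
sambaSID: S-1-5-21-2127937217-1782950159-3468125930-2116
sambaPrimaryGroupSID: S-1-5-21-2127937217-1782950159-3468125930-2117
sambaPwdMustChange: 2147483647
sambaAcctFlags: [W ]
objectClass: sambaSamAccount
objectClass: account
sambaPwdCanChange: 1119530850
sambaLMPassword: BBE03AD5687346593E196C015D20B066
sambaNTPassword: 7DA95652079262E22CFEF8B1CF770F00
sambaPwdLastSet: 1119530850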

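# l5$, Computers, office.school
# Workstation trust account ([W] flag); NT hash only, no LM hash stored.
# No posixAccount here - presumably resolved from a local unix account; confirm.
dn: uid=l5$,ou=Computers,dc=office,dc=school
uid: l5$
sambaSID: S-1-5-21-2127937217-1782950159-3468125930-2014
sambaPrimaryGroupSID: S-1-5-21-2127937217-1782950159-3468125930-2015
sambaPwdMustChange: 2147483647
sambaAcctFlags: [W ]
objectClass: sambaSamAccount
objectClass: account
sambaPwdCanChange: 1119530918
sambaNTPassword: 789506E8A41EFF1AE61B1E95C7DA705A
sambaPwdLastSet: 1119530918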

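# root, Users, office.school
# Samba account for the unix root user; no posixAccount, so the unix side
# comes from the local /etc/passwd (presumably). Listed in "admin users" of
# several shares in smb.conf.
# NOTE(review): the LM/NT hashes are identical to those on uid=andrew and
# uid=bakurova, i.e. the three accounts share one password; rotate them,
# all the more since this dump is public.
# The sambaPasswordHistory continuation line must begin with a single space
# (LDIF folding); the wiki rendering dropped it.
dn: uid=root,ou=Users,dc=office,dc=school
uid: root
sambaSID: S-1-5-21-2127937217-1782950159-3468125930-1000
sambaPrimaryGroupSID: S-1-5-21-2127937217-1782950159-3468125930-1001
displayName: System Administrator
sambaPwdCanChange: 1119453428
sambaPwdMustChange: 2147483647
sambaLMPassword: 0AE71762FA2F8A0FAAD3B435B51404EE
sambaNTPassword: 3054B8303D3A5ECC798274C96EB2B78E
sambaPasswordHistory: 00000000000000000000000000000000000000000000000000000000
 00000000
sambaPwdLastSet: 1119453428
sambaAcctFlags: [U ]
objectClass: sambaSamAccount
objectClass: account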

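# linux2$, Computers, office.school
# Workstation trust account ([W] flag). No posixAccount here - presumably
# resolved from a local unix account; confirm.
dn: uid=linux2$,ou=Computers,dc=office,dc=school
uid: linux2$
sambaSID: S-1-5-21-2127937217-1782950159-3468125930-2112
sambaPrimaryGroupSID: S-1-5-21-2127937217-1782950159-3468125930-2113
sambaPwdCanChange: 1119453876
sambaPwdMustChange: 2147483647
sambaLMPassword: E95EC88F6B9EDD4BAAD3B435B51404EE
sambaNTPassword: B1A247837C66174C24E210C8C672452D
sambaPwdLastSet: 1119453876
sambaAcctFlags: [W ]
objectClass: sambaSamAccount
objectClass: account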

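# linux3$, Computers, office.school
# Workstation trust account ([W] flag). No posixAccount here - presumably
# resolved from a local unix account; confirm.
dn: uid=linux3$,ou=Computers,dc=office,dc=school
uid: linux3$
sambaSID: S-1-5-21-2127937217-1782950159-3468125930-2114
sambaPrimaryGroupSID: S-1-5-21-2127937217-1782950159-3468125930-2115
sambaPwdMustChange: 2147483647
sambaAcctFlags: [W ]
objectClass: sambaSamAccount
objectClass: account
sambaPwdCanChange: 1119545166
sambaLMPassword: 2FC57425CAC4D70918771E309D31B869
sambaNTPassword: 01FB328EDA206742543A16090373CD0A
sambaPwdLastSet: 1119545166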

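# l2$, Computers, office.school
# Workstation trust account ([W] flag). No posixAccount here - presumably
# resolved from a local unix account; confirm.
dn: uid=l2$,ou=Computers,dc=office,dc=school
uid: l2$
sambaSID: S-1-5-21-2127937217-1782950159-3468125930-2008
sambaPrimaryGroupSID: S-1-5-21-2127937217-1782950159-3468125930-2009
sambaPwdCanChange: 1119453900
sambaPwdMustChange: 2147483647
sambaLMPassword: C3A66CD5BF69BD08AAD3B435B51404EE
sambaNTPassword: F3B233D027662BBF5600F632D316A296
sambaPwdLastSet: 1119453900
sambaAcctFlags: [W ]
objectClass: sambaSamAccount
objectClass: account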

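# l3$, Computers, office.school
# Workstation trust account ([W] flag). No posixAccount here - presumably
# resolved from a local unix account; confirm.
dn: uid=l3$,ou=Computers,dc=office,dc=school
uid: l3$
sambaSID: S-1-5-21-2127937217-1782950159-3468125930-2010
sambaPrimaryGroupSID: S-1-5-21-2127937217-1782950159-3468125930-2011
sambaPwdCanChange: 1119453902
sambaPwdMustChange: 2147483647
sambaLMPassword: EF6E36876D81A6DDAAD3B435B51404EE
sambaNTPassword: 905A76878806BBC5514BC6661F574329
sambaPwdLastSet: 1119453902
sambaAcctFlags: [W ]
objectClass: sambaSamAccount
objectClass: account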

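# l4$, Computers, office.school
# Workstation trust account ([W] flag). No posixAccount here - presumably
# resolved from a local unix account; confirm.
dn: uid=l4$,ou=Computers,dc=office,dc=school
uid: l4$
sambaSID: S-1-5-21-2127937217-1782950159-3468125930-2012
sambaPrimaryGroupSID: S-1-5-21-2127937217-1782950159-3468125930-2013
sambaPwdCanChange: 1119453905
sambaPwdMustChange: 2147483647
sambaLMPassword: 9905C2E3EA5434CDAAD3B435B51404EE
sambaNTPassword: 77E107494DF870C0E0A74E6524884ABB
sambaPwdLastSet: 1119453905
sambaAcctFlags: [W ]
objectClass: sambaSamAccount
objectClass: account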

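# l6$, Computers, office.school
# Workstation trust account ([W] flag); NT hash only, no LM hash stored.
# No posixAccount here - presumably resolved from a local unix account; confirm.
dn: uid=l6$,ou=Computers,dc=office,dc=school
uid: l6$
sambaSID: S-1-5-21-2127937217-1782950159-3468125930-2048
sambaPrimaryGroupSID: S-1-5-21-2127937217-1782950159-3468125930-2049
objectClass: sambaSamAccount
objectClass: account
displayName: L6$
sambaPwdMustChange: 2147483647
sambaAcctFlags: [W ]
sambaPwdCanChange: 1119535372
sambaNTPassword: C7AEBC91A2EDFEAB34B54692FAB80E94
sambaPwdLastSet: 1119535372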

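# andrew, Users, office.school
# Regular user; gidNumber 1000 puts the unix side in the Domain Admins group,
# while sambaPrimaryGroupSID (RID 513) says Domain Users - confirm which is
# intended. This account is also in "admin users" for [netlogon] in smb.conf.
# NOTE(review): the LM/NT hashes are identical to those on uid=root and
# uid=bakurova (shared password) - rotate.
# The sambaPasswordHistory continuation line must begin with a single space
# (LDIF folding); the wiki rendering dropped it.
dn: uid=andrew,ou=Users,dc=office,dc=school
uid: andrew
cn: andrew
uidNumber: 500
gidNumber: 1000
homeDirectory: /home/andrew
sambaSID: S-1-5-21-2127937217-1782950159-3468125930-101
sambaPrimaryGroupSID: S-1-5-21-2127937217-1782950159-3468125930-513
sambaPwdCanChange: 1119452797
sambaPwdMustChange: 2147483647
sambaLMPassword: 0AE71762FA2F8A0FAAD3B435B51404EE
sambaNTPassword: 3054B8303D3A5ECC798274C96EB2B78E
sambaPasswordHistory: 00000000000000000000000000000000000000000000000000000000
 00000000
sambaPwdLastSet: 1119452797
sambaAcctFlags: [U ]
objectClass: sambaSamAccount
objectClass: account
objectClass: shadowAccount
objectClass: posixAccount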

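# electronic, Users, office.school
# Regular user in Domain Users (gid 1002 / RID 513).
# NOTE(review): homeDirectory uses /HOME (upper case) whereas andrew's is
# /home - confirm the path actually exists on the server and NFS clients.
# The sambaPasswordHistory continuation line must begin with a single space
# (LDIF folding); the wiki rendering dropped it.
dn: uid=electronic,ou=Users,dc=office,dc=school
uid: electronic
cn: electronic
uidNumber: 508
gidNumber: 1002
homeDirectory: /HOME/electronic
sambaSID: S-1-5-21-2127937217-1782950159-3468125930-102
sambaPrimaryGroupSID: S-1-5-21-2127937217-1782950159-3468125930-513
sambaPwdMustChange: 2147483647
sambaPasswordHistory: 00000000000000000000000000000000000000000000000000000000
 00000000
sambaAcctFlags: [U ]
objectClass: sambaSamAccount
objectClass: account
objectClass: shadowAccount
objectClass: posixAccount
sambaPwdCanChange: 1119540899
sambaLMPassword: C07FBE28DDF6AAFDAAD3B435B51404EE
sambaNTPassword: F60132D2FBADF362FA98FB601B2642B2
sambaPwdLastSet: 1119540899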

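# bakurova, Users, office.school
# Regular user in Domain Users (gid 1002 / RID 513); homeDirectory uses
# /HOME like uid=electronic - confirm the path exists.
# NOTE(review): the LM/NT hashes and sambaPwdLastSet are identical to those on
# uid=andrew (same password, apparently set at the same moment) - rotate.
# The sambaPasswordHistory continuation line must begin with a single space
# (LDIF folding); the wiki rendering dropped it.
dn: uid=bakurova,ou=Users,dc=office,dc=school
uid: bakurova
cn: bakurova
uidNumber: 520
gidNumber: 1002
homeDirectory: /HOME/bakurova
sambaSID: S-1-5-21-2127937217-1782950159-3468125930-103
sambaPrimaryGroupSID: S-1-5-21-2127937217-1782950159-3468125930-513
sambaPwdCanChange: 1119452797
sambaPwdMustChange: 2147483647
sambaLMPassword: 0AE71762FA2F8A0FAAD3B435B51404EE
sambaNTPassword: 3054B8303D3A5ECC798274C96EB2B78E
sambaPasswordHistory: 00000000000000000000000000000000000000000000000000000000
 00000000
sambaPwdLastSet: 1119452797
sambaAcctFlags: [U ]
objectClass: sambaSamAccount
objectClass: account
objectClass: shadowAccount
objectClass: posixAccount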

Конфиг САМБЫ

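#======================= Global Settings =====================================
[global]

# 1. Server Naming Options:
workgroup = SCHOOL
netbios name = SERVER
server string = SERVER
; message command = /usr/bin/linpopup "%f" "%m" %s; rm %s

# 2. Printing Options:
printcap name = cups
load printers = yes
printing = cups
; printer admin = @adm

# 3. Logging Options:
log file = /var/log/samba/log.%m
max log size = 500
# Level 3 is debugging verbosity; lower it once the setup is stable.
log level = 3

# 4. Security and Domain Membership Options:
# Only the two LANs and loopback may connect (prefix match on the address).
hosts allow = 192.168.0. 127.0.0.1 192.168.1.
; guest account = pcguest
security = user
; allow trusted domains = yes

; password server = <ads server name>
; realm = <FULLY.QUALIFIED.REALM.DOMAIN>
; password server = <NT-Server-Name>
; password server = *
; password level = 8
; username level = 8
encrypt passwords = yes
# Not consulted while "passdb backend" is ldapsam (see the LDAP section);
# left over from the template.
smb passwd file = /etc/samba/smbpasswd
; unix password sync = Yes
; passwd program = /usr/bin/passwd %u
; passwd chat = *New*UNIX*password* %n\n *Re Type?*new*UNIX*password* %n\n
;*passwd:*all*authentication*tokens*updated*successfully*

username map = /etc/samba/smbusers
; include = /etc/samba/smb.conf.%m
# id ranges winbind may allocate from; plain hyphen ranges (the wiki rendered
# the hyphens as dashes). Kept apart from the uidNumber/gidNumber values
# stored in LDAP.
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind separator = @
winbind use default domain = False
template homedir = /home/%D/%U
template shell = /bin/bash

socket options = TCP_NODELAY
# NOTE(review): 127.0.0.1/24 is an odd mask for loopback (normally /8);
# harmless for binding, but probably a typo - confirm.
interfaces = 192.168.0.0/24 127.0.0.1/24 192.168.1.0/30
; remote browse sync = 192.168.3.25 192.168.5.255
; remote announce = 192.168.1.255 192.168.2.44
local master = yes
os level = 64
domain master = yes
preferred master = yes

#LDAP
# ldap suffix = "ou=People,dc=office,dc=school"
ldap suffix = dc=office,dc=school
# Samba binds as this DN (its password is stored with "smbpasswd -w"). It is
# the slapd rootdn, so it bypasses the directory ACLs entirely.
ldap admin dn = cn=ldapadmin,dc=office,dc=school
# Cleartext LDAP is tolerable only because the server is on loopback.
ldap ssl = off
passdb backend = ldapsam:ldap://127.0.0.1
idmap backend = ldap:ldap://127.0.0.1
# ldap idmap suffix = ou=Users
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap filter = (uid=%u)
ldap delete dn = no



# 6. Domain Control Options:
domain logons = yes
logon script = logon.cmd
; logon script = %U.bat
# Served by the [Profiles] share below.
logon path = \\%N\Profiles\%U


# NOTE(review): no [home]/[homes] share is defined below ([homes] is commented
# out), so this path has nothing to resolve to - confirm.
logon home = \\192.168.0.100\home\%u
; machine password timeout 100000000000


# Domain groups:
# Domain groups are handled by 'net groupmap' instead of smb.conf,
# read net(8) for more

# 7. Name Resolution Options:
; name resolve order = wins lmhosts bcast
; wins support = yes
; wins server = w.x.y.z
; wins proxy = yes
dns proxy = no

# 8. File Naming Options:
; preserve case = no
; short preserve case = no
; default case = lower
; case sensitive = no

# Cyrillic setup: DOS clients CP866, server filesystem KOI8-R, Windows CP1251.
dos charset = CP866
unix charset = KOI8-R
display charset = CP1251
use sendfile = yes

# Share Definitions
;[homes]
; comment = Home Directory for '%u'
; browseable = no
; writable = yes

[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
writable = no
write list = root,andrew
# "admin users" act as root on this share; whoever can edit logon.cmd here
# runs code on every workstation at logon, so keep this list short.
admin users = root,andrew

;root preexec = /usr/bin/ntlogon -u %U -g %G -o %a -d /var/lib/samba/netlogon
;root postexec = rm -f /var/lib/samba/netlogon/%U.bat

[Profiles]
path = /var/lib/samba/profiles
browseable = no
writable = yes
# NOTE(review): guest ok = yes on a writable profile share lets unauthenticated
# clients read and overwrite roaming profiles; the usual value here is
# guest ok = no - confirm guest access is really needed.
guest ok = yes
directory mask = 0700
profile acls = yes

[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
# to allow user 'guest account' to print.
guest ok = no
writable = no
printable = yes
create mode = 0700


[C$]
comment = Directory for all users
path = /home/AllUsers
admin users = root
; valid users = adm
writable = yes
# 0777 masks make every file and directory world-writable on the unix side
# as well; 0775/0664 with a shared group is the usual choice for a common
# share.
create mode = 0777
directory mask = 0777

[D$]
comment = Home directory
path = /home/NET
admin users = root
valid users = andrew,adm
writable = yes

[ps]
comment = Prezidentskie sostazania
path = /home/ps
admin users = root,vetal
valid users = vetal,adm,ps
writable = yes

[software]
comment = Windows Software
path = /home/public/ftp
admin users = ftpadm
valid users = ftpadm
writable = yes

;[C$]
; comment = Administrative share for homes
; path = /home
; admin users = @"DOMAIN\\Domain Admins"
; valid users = @"DOMAIN\\Domain Admins"
; writable = yes

# This one is useful for people to share files
;[tmp]
; comment = Temporary file space
; path = /tmp
; read only = no
; public = yes

# A publicly accessible directory, but read only, except for people in
# the "staff" group
[public]
comment = Public Stuff
path = /home/public
# NOTE(review): public = yes together with writable = yes makes this share
# anonymous-writable (the comment above says read-only except for staff);
# the commented "write list" is what would implement that - confirm.
public = yes
writable = yes
; write list = @wheel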

ldap.conf

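# /etc/ldap.conf for nss_ldap/pam_ldap on the Linux clients.
# Cleartext LDAP on port 389 (no TLS is configured on the server side either).
host 192.168.0.100:389
base dc=office,dc=school
nss_base_passwd ou=Users,dc=office,dc=school?one
nss_base_shadow ou=Users,dc=office,dc=school?one
# Groups live under ou=Groups (see the LDIF and "ldap group suffix" in
# smb.conf); the original pointed this at ou=Users, where no posixGroup
# entries exist, so group lookups returned nothing.
nss_base_group ou=Groups,dc=office,dc=school?one
# NOTE(review): this is the slapd rootdn, and ldap.conf is normally readable
# by every local user on each client, so the directory's master password is
# exposed to all of them in cleartext. Use a read-only bind account here (or
# anonymous reads where the ACL allows it) and keep privileged credentials in
# /etc/ldap.secret via rootbinddn.
binddn cn=ldapadmin,dc=office,dc=school
bindpw ПАРОЛЬ
bind_policy soft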




По-моему все.