Samba e OpenLDAP: creare un controller di dominio con Ubuntu Server Smbldap-tools

Da Guide@Debianizzati.Org.

Samba e OpenLDAP: creare un controller di dominio con Ubuntu Server

Sommario

Introduzione Configurazione DHCP e DNS Installazione e Configurazione LDAP Server Installazione e Configurazione Autenticazione LDAP Configurazione cittografia TLS Installazione e Configurazione Samba PDC Installazione e Configurazione SMBLDAP-TOOLS Popolamento database LDAP Configurazione Quote Utenti Aggiungere gli utenti di dominio Testare la rete Installazione e configurazione PHPLDAPADMIN Configurazione Client Linux Comandi Utili e altro Approfondimenti

Indice 1 Configurare i SMBLDAP TOOLS 1.1 Installazione 1.2 Configurazione 1.3 Note varie

Configurare i SMBLDAP TOOLS

I smbldap-tools sostituiscono i comandi standard di UNIX per la gestione di gruppi, utenti e password in modo da dialogare direttamente con il server LDAP e fornire un metodo per gestire in contemporanea gli account UNIX e SAMBA.

Installazione

Installare il pacchetto smbldap-tools :

# apt-get install smbldap-tools

Configurazione

Abbiamo uno script nei doc di smbldap-tools che ci consente di creare i file di configurazione in modo veloce ed automatico:

gzip -d /usr/share/doc/smbldap-tools/configure.pl.gz
perl /usr/share/doc/smbldap-tools/configure.pl

Verranno replicate tutte le configurazioni presenti in samba, se c'è qualcosa di sbagliato non confermate con invio, ma scrivete la modifica da apportare direttamente e poi date [Invio].

Tuttavia, dato che non mi fido molto degli script, vi indico anche come creare voi i file e configurarli voi:

• create e modificare il file /etc/smbldap-tools/smbldap_bind.conf inserendo il DN dell'amministratore del server LDAP e la sua password. Il DN dell'amministratore è stato impostato automaticamente durante l'installazione del pacchetto Debian di slapd e corrisponde a "cn=admin,dc=dominio,dc=local", in cui il dominio dipende dalle configurazioni sopra riportate per il server LDAP. La password è quella richiesta in fase di installazione del server LDAP.
  

Editate /etc/smbldap-tools/smbldap_bind.conf così:

############################
# Credential Configuration #
############################
# Notes: you can specify two differents configuration if you use a
# master ldap for writing access and a slave ldap server for reading access
# By default, we will use the same DN (so it will work for standard Samba
# release)
slaveDN="cn=admin,dc=dominio,dc=local"
slavePw="secret"
masterDN="cn=admin,dc=dominio,dc=local"
masterPw="secret"

• Recuperate il SID di DOMINIO:

# net getlocalsid DOMINIO
DOMINIO
SID=":::::::::::::::::::::::::::::::::::"

Il SID va poi trascritto in smbldap.conf

• create ed editate /etc/smbldap-tools/smbldap.conf così:

##############################################################################
#
# General Configuration
#
##############################################################################

# Put your own SID. To obtain this number do: "net getlocalsid".
# If not defined, parameter is taking from "net getlocalsid" return
SID=":::::::::::::::::::::::::::::::::::"

# Domain name the Samba server is in charged.
# If not defined, parameter is taking from smb.conf configuration file
# Ex: sambaDomain="IDEALX-NT"
sambaDomain="DOMINIO"


##############################################################################
#
# LDAP Configuration
#
##############################################################################

# Notes: to use to dual ldap servers backend for Samba, you must patch
# Samba with the dual-head patch from IDEALX. If not using this patch
# just use the same server for slaveLDAP and masterLDAP.
# Those two servers declarations can also be used when you have 
# . one master LDAP server where all writing operations must be done
# . one slave LDAP server where all reading operations must be done
#   (typically a replication directory)

# Slave LDAP server
# Ex: slaveLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
slaveLDAP="127.0.0.1"

# Slave LDAP port
# If not defined, parameter is set to "389"
slavePort="389"

# Master LDAP server: needed for write operations
# Ex: masterLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
masterLDAP="127.0.0.1"

# Master LDAP port
# If not defined, parameter is set to "389"
masterPort="389"

# Use TLS for LDAP
# If set to 1, this option will use start_tls for connection
# (you should also used the port 389)
# If not defined, parameter is set to "1"
ldapTLS="0"

# How to verify the server's certificate (none, optional or require)
# see "man Net::LDAP" in start_tls section for more details
verify=""

# CA certificate
# see "man Net::LDAP" in start_tls section for more details
cafile=""

# certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientcert=""

# key certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientkey=""

# LDAP Suffix
# Ex: suffix=dc=IDEALX,dc=ORG
suffix="dc=dominio,dc=local"

# Where are stored Users
# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for usersdn
usersdn="ou=users,${suffix}"

# Where are stored Computers
# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for computersdn
computersdn="ou=computers,${suffix}"

# Where are stored Groups
# Ex: groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for groupsdn
groupsdn="ou=groups,${suffix}"

# Where are stored Idmap entries (used if samba is a domain member server)
# Ex: groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for idmapdn
idmapdn="ou=idmap,${suffix}"

# Where to store next uidNumber and gidNumber available for new users and groups
# If not defined, entries are stored in sambaDomainName object.
# Ex: sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
# Ex: sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"

# Default scope Used
scope="sub"

# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
hash_encrypt="MD5"

# if hash_encrypt is set to CRYPT, you may set a salt format.
# default is "%s", but many systems will generate MD5 hashed
# passwords if you use "$1$%.8s". This parameter is optional!
crypt_salt_format="%s"

##############################################################################
# 
# Unix Accounts Configuration
# 
##############################################################################

# Login defs
# Default Login Shell
# Ex: userLoginShell="/bin/bash"
userLoginShell="/bin/false"

# Home directory
# Ex: userHome="/home/%U"
userHome="/home/%U"

# Default mode used for user homeDirectory
userHomeDirectoryMode="700"

# Gecos
userGecos="System User"

# Default User (POSIX and Samba) GID
defaultUserGid="513"

# Default Computer (Samba) GID
defaultComputerGid="515"

# Skel dir
skeletonDir="/etc/skel"

# Default password validation time (time in days) Comment the next line if
# you don't want password to be enable for defaultMaxPasswordAge days (be
# careful to the sambaPwdMustChange attribute's value)
#defaultMaxPasswordAge="180"

##############################################################################
#
# SAMBA Configuration
#
##############################################################################

# The UNC path to home drives location (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon home'
# directive and/or disable roaming profiles
# Ex: userSmbHome="\\PDC-SMB3\%U"
userSmbHome=""

# The UNC path to profiles locations (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon path'
# directive and/or disable roaming profiles
# Ex: userProfile="\\PDC-SMB3\profiles\%U"
userProfile=""

# The default Home Drive Letter mapping
# (will be automatically mapped at logon time if home directory exist)
# Ex: userHomeDrive="H:"
userHomeDrive="H:"

# The default user netlogon script name (%U username substitution)
# if not used, will be automatically username.cmd
# make sure script file is edited under dos
# Ex: userScript="startup.cmd" # make sure script file is edited under dos
userScript="logon.bat"

# Domain appended to the users "mail"-attribute
# when smbldap-useradd -M is used
# Ex: mailDomain="idealx.com"
mailDomain="milanoaccademia.lan"

##############################################################################
#
# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
#
##############################################################################

# Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but
# prefer Crypt::SmbHash library
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"

# Allows not to use slappasswd (if with_slappasswd == 0 in smbldap_conf.pm)
# but prefer Crypt:: libraries
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"

# comment out the following line to get rid of the default banner
# no_banner="1"

Note varie

• userLoginShell="/bin/false" ( In questo modo gli utenti non possono loggarsi in Unix e quindi neanche in ssh, tuttavia in un client Ubuntu questo dà problemi al terminale perciò vi consiglio il metodo access.conf del paragrafo Installazione e Configurazione Autenticazione LDAP)

• #defaultMaxPasswordAge="180" (se volete che la password scada, decommentatela ed indicata la scadenza)

• userSmbHome="" e userProfile="" (sono vuote perché se le avete impostate già in samba non serve farlo due volte e poi potrebbe darvi problemi userProfile se utilizzate \\%N\%U)

ATTENZIONE Se volete che l'utente si logghi su Unix e ssh è necessario modificare la shell con il comando: # smbldap-usermod -s /bin/bash utente (sempre che sia già stato fatto il popolamento, come di seguito descritto, e sempre che l'utente sia già stato creato)

Assegnare i permessi

# chmod 644 /etc/smbldap-tools/smbldap.conf
# chmod 600 /etc/smbldap-tools/smbldap_bind.conf