Old:Samba e OpenLDAP: creare un controller di dominio con Ubuntu Server Smbldap-tools
Vai alla navigazione
Vai alla ricerca
|
Attenzione. Questa guida è obsoleta. Viene mantenuta sul Wiki solo per motivi di natura storica e didattica. |
Configurare i SMBLDAP TOOLS
I smbldap-tools sostituiscono i comandi standard di UNIX per la gestione di gruppi, utenti e password in modo da dialogare direttamente con il server LDAP e fornire un metodo per gestire in contemporanea gli account UNIX e SAMBA.
Installazione
Installare il pacchetto smbldap-tools :
# apt-get install smbldap-tools
Configurazione
Abbiamo uno script nei doc di smbldap-tools che ci consente di creare i file di configurazione in modo veloce ed automatico:
gzip -d /usr/share/doc/smbldap-tools/configure.pl.gz perl /usr/share/doc/smbldap-tools/configure.pl
Verranno replicate tutte le configurazioni presenti in samba, se c'è qualcosa di sbagliato non confermate con invio, ma scrivete la modifica da apportare direttamente e poi date [Invio].
Tuttavia, dato che non mi fido molto degli script, vi indico anche come creare voi i file e configurarli voi:
- create e modificare il file
/etc/smbldap-tools/smbldap_bind.confinserendo il DN dell'amministratore del server LDAP e la sua password. Il DN dell'amministratore è stato impostato automaticamente durante l'installazione del pacchetto Debian di slapd e corrisponde a "cn=admin,dc=dominio,dc=local", in cui il dominio dipende dalle configurazioni sopra riportate per il server LDAP. La password è quella richiesta in fase di installazione del server LDAP.
Editate /etc/smbldap-tools/smbldap_bind.conf così:
############################ # Credential Configuration # ############################ # Notes: you can specify two differents configuration if you use a # master ldap for writing access and a slave ldap server for reading access # By default, we will use the same DN (so it will work for standard Samba # release) slaveDN="cn=admin,dc=dominio,dc=local" slavePw="secret" masterDN="cn=admin,dc=dominio,dc=local" masterPw="secret"
- Recuperate il SID di DOMINIO:
# net getlocalsid DOMINIO DOMINIO SID=":::::::::::::::::::::::::::::::::::"
Il SID va poi trascritto in smbldap.conf
- create ed editate /etc/smbldap-tools/smbldap.conf così:
##############################################################################
#
# General Configuration
#
##############################################################################
# Put your own SID. To obtain this number do: "net getlocalsid".
# If not defined, parameter is taking from "net getlocalsid" return
SID=":::::::::::::::::::::::::::::::::::"
# Domain name the Samba server is in charged.
# If not defined, parameter is taking from smb.conf configuration file
# Ex: sambaDomain="IDEALX-NT"
sambaDomain="DOMINIO"
##############################################################################
#
# LDAP Configuration
#
##############################################################################
# Notes: to use to dual ldap servers backend for Samba, you must patch
# Samba with the dual-head patch from IDEALX. If not using this patch
# just use the same server for slaveLDAP and masterLDAP.
# Those two servers declarations can also be used when you have
# . one master LDAP server where all writing operations must be done
# . one slave LDAP server where all reading operations must be done
# (typically a replication directory)
# Slave LDAP server
# Ex: slaveLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
slaveLDAP="127.0.0.1"
# Slave LDAP port
# If not defined, parameter is set to "389"
slavePort="389"
# Master LDAP server: needed for write operations
# Ex: masterLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
masterLDAP="127.0.0.1"
# Master LDAP port
# If not defined, parameter is set to "389"
masterPort="389"
# Use TLS for LDAP
# If set to 1, this option will use start_tls for connection
# (you should also used the port 389)
# If not defined, parameter is set to "1"
ldapTLS="0"
# How to verify the server's certificate (none, optional or require)
# see "man Net::LDAP" in start_tls section for more details
verify=""
# CA certificate
# see "man Net::LDAP" in start_tls section for more details
cafile=""
# certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientcert=""
# key certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientkey=""
# LDAP Suffix
# Ex: suffix=dc=IDEALX,dc=ORG
suffix="dc=dominio,dc=local"
# Where are stored Users
# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for usersdn
usersdn="ou=users,${suffix}"
# Where are stored Computers
# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for computersdn
computersdn="ou=computers,${suffix}"
# Where are stored Groups
# Ex: groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for groupsdn
groupsdn="ou=groups,${suffix}"
# Where are stored Idmap entries (used if samba is a domain member server)
# Ex: groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for idmapdn
idmapdn="ou=idmap,${suffix}"
# Where to store next uidNumber and gidNumber available for new users and groups
# If not defined, entries are stored in sambaDomainName object.
# Ex: sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
# Ex: sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
# Default scope Used
scope="sub"
# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
hash_encrypt="MD5"
# if hash_encrypt is set to CRYPT, you may set a salt format.
# default is "%s", but many systems will generate MD5 hashed
# passwords if you use "$1$%.8s". This parameter is optional!
crypt_salt_format="%s"
##############################################################################
#
# Unix Accounts Configuration
#
##############################################################################
# Login defs
# Default Login Shell
# Ex: userLoginShell="/bin/bash"
userLoginShell="/bin/false"
# Home directory
# Ex: userHome="/home/%U"
userHome="/home/%U"
# Default mode used for user homeDirectory
userHomeDirectoryMode="700"
# Gecos
userGecos="System User"
# Default User (POSIX and Samba) GID
defaultUserGid="513"
# Default Computer (Samba) GID
defaultComputerGid="515"
# Skel dir
skeletonDir="/etc/skel"
# Default password validation time (time in days) Comment the next line if
# you don't want password to be enable for defaultMaxPasswordAge days (be
# careful to the sambaPwdMustChange attribute's value)
#defaultMaxPasswordAge="180"
##############################################################################
#
# SAMBA Configuration
#
##############################################################################
# The UNC path to home drives location (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon home'
# directive and/or disable roaming profiles
# Ex: userSmbHome="\\PDC-SMB3\%U"
userSmbHome=""
# The UNC path to profiles locations (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon path'
# directive and/or disable roaming profiles
# Ex: userProfile="\\PDC-SMB3\profiles\%U"
userProfile=""
# The default Home Drive Letter mapping
# (will be automatically mapped at logon time if home directory exist)
# Ex: userHomeDrive="H:"
userHomeDrive="H:"
# The default user netlogon script name (%U username substitution)
# if not used, will be automatically username.cmd
# make sure script file is edited under dos
# Ex: userScript="startup.cmd" # make sure script file is edited under dos
userScript="logon.bat"
# Domain appended to the users "mail"-attribute
# when smbldap-useradd -M is used
# Ex: mailDomain="idealx.com"
mailDomain="milanoaccademia.lan"
##############################################################################
#
# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
#
##############################################################################
# Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but
# prefer Crypt::SmbHash library
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
# Allows not to use slappasswd (if with_slappasswd == 0 in smbldap_conf.pm)
# but prefer Crypt:: libraries
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"
# comment out the following line to get rid of the default banner
# no_banner="1"
Note varie
- userLoginShell="/bin/false" ( In questo modo gli utenti non possono loggarsi in Unix e quindi neanche in ssh, tuttavia in un client Ubuntu questo dà problemi al terminale perciò vi consiglio il metodo access.conf del paragrafo Installazione e Configurazione Autenticazione LDAP)
- #defaultMaxPasswordAge="180" (se volete che la password scada, decommentatela ed indicata la scadenza)
- userSmbHome="" e userProfile="" (sono vuote perché se le avete impostate già in samba non serve farlo due volte e poi potrebbe darvi problemi userProfile se utilizzate \\%N\%U)
|
ATTENZIONE Se volete che l'utente si logghi su Unix e ssh è necessario modificare la shell con il comando: # smbldap-usermod -s /bin/bash utente (sempre che sia già stato fatto il popolamento, come di seguito descritto, e sempre che l'utente sia già stato creato) |
Assegnare i permessi
# chmod 644 /etc/smbldap-tools/smbldap.conf # chmod 600 /etc/smbldap-tools/smbldap_bind.conf