Samba and OpenLDAP: creating a domain controller with Ubuntu Server Samba PDC
Warning. This guide is obsolete. It is kept on the Wiki only for historical and educational reasons.
Samba PDC with LDAP backend
Initial installation and configuration
Samba must be installed at this point because, together with the Samba packages themselves, some utilities that we will use in the next section are also installed.
# apt-get install samba smbclient smbfs samba-common-bin cupsys cupsys-bsd
The netlogon and profiles folders must be created, together with the logon.bat script.
# mkdir -p /home/samba/netlogon
# chown -R root:root /home/samba/netlogon
# chmod -R 755 /home/samba/netlogon
# mkdir -p /home/samba/profiles
# chown root:root /home/samba/profiles
# chmod 755 /home/samba/profiles
Let's create the logon.bat file to put in netlogon:
This script must be written in DOS format; to do so we will use the unix2dos tool contained in the tofrodos package.
# apt-get install tofrodos
Create the script with the editor of your choice:
# vim /home/samba/netlogon/logon.bat
Synchronize the Windows client's clock with our server and map a network share by writing the following in the file:
net time \\SERVER /set /yes
net use H: /home
and finally:
# unix2dos /home/samba/netlogon/logon.bat
or
# todos /home/samba/netlogon/logon.bat
Operations such as mounting network drives or other shares can be added to the script.
Bear in mind that with these settings a network drive mapped to the Linux user's home directory is already created.
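As an added example (not code from the original page or from the Samba project), the following POSIX shell script performs the steps above in one go: it creates the netlogon and profiles directories with the permissions shown, writes logon.bat with the two commands directly in DOS format (printf emits CR LF, so the tofrodos conversion step is not needed), and includes a check that every line of the file really ends in CR LF, which is the mistake the unix2dos step exists to prevent. The root directory and the server name are parameters; /home/samba and SERVER from the page are only the defaults.

```shell
#!/bin/sh
# Added example, not code from the original wiki page: creates the netlogon
# and profiles directories under a chosen root and writes logon.bat with CRLF
# line endings via printf, so it does not depend on the tofrodos package.
# Assumed: the root directory is writable by the caller; SERVER is the PDC's
# NetBIOS name (the page uses /home/samba and SERVER).

# setup_netlogon ROOT SERVER
setup_netlogon() {
  root=$1; server=$2
  mkdir -p "$root/netlogon" "$root/profiles"
  chmod 755 "$root/netlogon" "$root/profiles"
  # \r\n in the printf format gives DOS line endings; \\\\ yields the two
  # backslashes of the UNC path
  printf 'net time \\\\%s /set /yes\r\nnet use H: /home\r\n' "$server" \
    > "$root/netlogon/logon.bat"
  chmod 644 "$root/netlogon/logon.bat"
}

# is_dos_file FILE: succeeds only if every line ends in CR LF, which is what
# Windows expects for a batch file served from [netlogon]
is_dos_file() {
  [ "$(awk '!/\r$/ { bad++ } END { print bad + 0 }' "$1")" -eq 0 ]
}

# line_count FILE: number of lines, used to confirm the script was written whole
line_count() { awk 'END { print NR }' "$1"; }

# Demonstration on a throwaway directory; set SAMBA_ROOT=/home/samba on the PDC
demo_root=${SAMBA_ROOT:-$(mktemp -d)}
setup_netlogon "$demo_root" "${PDC_NAME:-SERVER}"
if is_dos_file "$demo_root/netlogon/logon.bat"; then
  echo "logon.bat written in DOS format under $demo_root/netlogon"
fi
```

Run it as root with SAMBA_ROOT=/home/samba to reproduce the layout from the page; run it without the variable to try it on a temporary directory first. The is_dos_file check is the part worth keeping around: a logon.bat with Unix line endings fails silently on the client.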
Roaming Profiles
If Samba is set up for roaming profiles, a profile folder must be created for every user; this can be done in two ways:
1. in a folder separate from the user's home folder:
# mkdir -p /home/samba/profiles/utente
# mkdir -p /home/samba/profiles/utente/{Desktop,Documenti/Immagini,"Impostazioni locali/Dati Applicazioni","Impostazioni locali/Cronologia",Preferiti,Cookies,Recent,"Risorse di stampa"}
# chown -R utente:"Domain Users" /home/samba/profiles/utente
# chmod -R 700 /home/samba/profiles/utente
2. in the user's home folder:
# mkdir -p /home/utente/utente
# mkdir -p /home/utente/utente/{Desktop,Documenti/Immagini,"Impostazioni locali/Dati Applicazioni","Impostazioni locali/Cronologia",Preferiti,Cookies,Recent,"Risorse di stampa"}
# chown -R utente:"Domain Users" /home/utente
# chmod -R 700 /home/utente
For the first option the value of 'logon path' will be:
logon path = \\%N\profiles\%U
In the second case the value of 'logon path' will be:
logon path = \\%N\%U
Only in the first case must the [profiles] share be created, with path /home/samba/profiles/%U.
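An added example, not the page's own script: a POSIX shell version of option 1 that reads the folder names one per line (so the names containing spaces need no brace-expansion quoting), skips the chown when the user or the "Domain Users" group does not exist on the machine, and verifies that every folder is present with mode 700 so that only the owner can read the profile. The profiles root is a parameter; the user name utente and the folder list are the ones from the page.

```shell
#!/bin/sh
# Added example, not code from the original page: builds the per-user roaming
# profile tree for option 1 (separate from the home directory) and checks it.
# Assumed: the profiles root is writable; if the user or the "Domain Users"
# group does not exist on the machine (e.g. when trying this outside the PDC)
# the chown step is skipped.

PROFILE_DIRS='Desktop
Documenti/Immagini
Impostazioni locali/Dati Applicazioni
Impostazioni locali/Cronologia
Preferiti
Cookies
Recent
Risorse di stampa'

# create_profile PROFILES_ROOT USER
create_profile() {
  base="$1/$2"
  mkdir -p "$base"
  # one folder name per line, so names with spaces stay intact
  printf '%s\n' "$PROFILE_DIRS" | while IFS= read -r dir; do
    mkdir -p "$base/$dir"
  done
  if id "$2" >/dev/null 2>&1 && getent group 'Domain Users' >/dev/null 2>&1; then
    chown -R "$2":'Domain Users' "$base"
  fi
  chmod -R 700 "$base"   # only the owner may read the profile
}

# check_profile PROFILES_ROOT USER: prints one line per folder that is missing
# or whose mode is not exactly 700; empty output means the tree is right
check_profile() {
  base="$1/$2"
  printf '%s\n' "$PROFILE_DIRS" | while IFS= read -r dir; do
    if [ ! -d "$base/$dir" ]; then
      echo "missing: $dir"
    elif [ -z "$(find "$base/$dir" -prune -perm 700)" ]; then
      echo "bad mode: $dir"
    fi
  done
}

# Demonstration on a throwaway root; use /home/samba/profiles on the PDC
demo_root=${PROFILES_ROOT:-$(mktemp -d)}
create_profile "$demo_root" utente
problems=$(check_profile "$demo_root" utente)
if [ -z "$problems" ]; then
  echo "profile tree for utente is complete under $demo_root"
else
  echo "$problems"
fi
```

check_profile is also useful on its own after the fact: a profile folder that somebody has widened to 755 shows up as "bad mode", which is the kind of drift that lets other domain users read a colleague's Desktop and Recent folders.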
For a correct roaming profile it is necessary to create, in the user's common profile, the folders to be redirected to the server, with write permission for the user.
I created an ad hoc script that does all of this and I refer you to the section Adding domain users.
Note on roaming profiles:
To obtain a working roaming profile with Windows clients it is necessary to copy the "Default User" folder, located in C:\Documents and Settings, into the /home/samba/netlogon folder. Before copying it, the NTUSER.dat file must be edited with regedit. Follow this procedure:
- Start > Run > regedit > (select) HKEY_LOCAL_MACHINE
- (go to) File > Load Hive > C:\Documents and Settings\Default User\NTUSER.dat > Open > (type the name) Default
- (go into) HKEY_LOCAL_MACHINE > Default > Software > Microsoft > Windows > CurrentVersion > Explorer > User Shell Folders
- change the Data from %USERPROFILE% to %LOGONSERVER%\profiles\%USERNAME% for the Names: Desktop; Favorites; History; Local AppData; Local Settings; My Pictures; Personal; PrintHood; Recent (optionally also Cookies and Cache), e.g. from %USERPROFILE%\Desktop to %LOGONSERVER%\profiles\%USERNAME%\Desktop (and likewise for all the names)
- (select) Default
- (go to) File > Unload Hive
- copy the "Default User" folder modified in this way to /home/samba/netlogon.
If the profile is kept in the home folder instead, write only %LOGONSERVER%\%USERNAME%.
Configuring smb.conf
Now we will see how to configure Samba itself as a Primary Domain Controller with an LDAP backend, so that it relies on LDAP for managing users, groups, and so on.
Copy the smb.conf file to have a backup:
# cp /etc/samba/smb.conf /etc/samba/smb.conf.original
Edit the smb.conf file:
# vim /etc/samba/smb.conf
Configure it like this:
#======================= Global Settings =======================
[global]

## Browsing/Identification ###

# Change this to the workgroup/NT-domain name your Samba server will part of
workgroup = DOMINIO

# server string is the equivalent of the NT Description field
netbios name = SERVER
server string = Server dominio

# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable its WINS Server
wins support = yes

# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
; wins server = w.x.y.z

# This will prevent nmbd to search for NetBIOS names through DNS.
dns proxy = no

# What naming service and in what order should we use to resolve host names
# to IP addresses
name resolve order = wins lmhosts host bcast

#### Networking ####

# The specific set of interfaces / networks to bind to
# This can be either the interface name or an IP address/netmask;
# interface names are normally preferred
interfaces = eth1, lo
; interfaces = 127.0.0.0/8 eth0

# Only bind to the named interfaces and/or networks; you must use the
# 'interfaces' option above to use this.
# It is recommended that you enable this feature if your Samba machine is
# not protected by a firewall or is a firewall itself. However, this
# option cannot handle dynamic or non-broadcast interfaces correctly.
bind interfaces only = yes

#### Debugging/Accounting ####

# This tells Samba to use a separate log file for each machine
# that connects
log file = /var/log/samba/%U.%m.log
log level = 0 passdb:6 auth:10 vfs:5 acls:3 msdfs:3

# Cap the size of the individual log files (in KiB).
max log size = 5000

# If you want Samba to only log through syslog then set the following
# parameter to 'yes'.
# syslog only = no

# We want Samba to log a minimum amount of information to syslog. Everything
# should go to /var/log/samba/log.{smbd,nmbd} instead. If you want to log
# through syslog you should set the following parameter to something higher.
syslog = 0

# Do something sensible when Samba crashes: mail the admin a backtrace
panic action = /usr/share/samba/panic-action %d

####### Authentication #######

# "security = user" is always a good idea. This will require a Unix account
# in this server for every user accessing the server. See
# /usr/share/doc/samba-doc/htmldocs/Samba3-HOWTO/ServerType.html
# in the samba-doc package for details.
security = user
username map = /etc/samba/usermap
case sensitive = no

# You may wish to use password encryption. See the section on
# 'encrypt passwords' in the smb.conf(5) manpage before enabling.
encrypt passwords = true
enable privileges = yes

# If you are using encrypted passwords, Samba will need to know what
# password database type you are using.
passdb backend = ldapsam:ldap://127.0.0.1/
ldap admin dn = cn=admin,dc=dominio,dc=local
ldap suffix = dc=dominio,dc=local
ldap user suffix = ou=users
ldap group suffix = ou=groups
ldap machine suffix = ou=computers
ldap idmap suffix = ou=idmap
ldap ssl = off
ldap delete dn = no
idmap backend = ldap:ldap://127.0.0.1

obey pam restrictions = yes

# This boolean parameter controls whether Samba attempts to sync the Unix
# password with the SMB password when the encrypted SMB password in the
# passdb is changed.
ldap passwd sync = yes
unix password sync = no

# For Unix password sync to work on a Debian GNU/Linux system, the following
# parameters must be set (thanks to Ian Kahan <<kahan@informatik.tu-muenchen.de> for
# sending the correct chat script for the passwd program in Debian Sarge).
passwd program = /usr/sbin/smbldap-passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .

# This boolean controls whether PAM will be used for password changes
# when requested by an SMB client instead of the program listed in
# 'passwd program'. The default is 'no'.
pam password change = yes

# This option controls how unsuccessful authentication attempts are mapped
# to anonymous connections
map to guest = bad user

########## Domains ###########

# Is this machine able to authenticate users. Both PDC and BDC
# must have this setting enabled. If you are the BDC you must
# change the 'domain master' setting to no
#
domain logons = yes
domain master = yes
local master = yes
preferred master = yes
os level = 255
#
# The following setting only takes effect if 'domain logons' is set
# It specifies the location of the user's profile directory
# from the client point of view)
# The following required a [profiles] share to be setup on the
# samba server (see below)
logon path = \\%N\profiles\%U
# Another common choice is storing the profile in the user's home directory
# (this is Samba's default)
# logon path = \\%N\%U\profile

# The following setting only takes effect if 'domain logons' is set
# It specifies the location of a user's home directory (from the client
# point of view)
logon drive = H:
logon home = \\%N\%U

# The following setting only takes effect if 'domain logons' is set
# It specifies the script to run during logon. The script must be stored
# in the [netlogon] share
# NOTE: Must be store in 'DOS' file format convention
logon script = logon.bat

# This allows Unix users to be created on the domain controller via the SAMR
# RPC pipe. The example command creates a user account with a disabled Unix
# password; please adapt to your needs
add user script = /usr/sbin/smbldap-useradd -a -m %u
delete user script = /usr/sbin/smbldap-userdel %u
add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
set primary group script = /usr/sbin/smbldap-usermod -g %g %u

# This allows machine accounts to be created on the domain controller via the
# SAMR RPC pipe.
# The following assumes a "machines" group exists on the system
add machine script = /usr/sbin/smbldap-useradd -t 0 -w %u

# This allows Unix groups to be created on the domain controller via the SAMR
# RPC pipe.
add group script = /usr/sbin/smbldap-groupadd -p %g
delete group script = /usr/sbin/smbldap-groupdel %g

########## Printing ##########

# If you want to automatically load your printer list rather
# than setting them up individually then you'll need this
# load printers = yes

# lpr(ng) printing. You may wish to override the location of the
# printcap file
; printing = bsd
; printcap name = /etc/printcap

# CUPS printing. See also the cupsaddsmb(8) manpage in the
# cupsys-client package.
printing = cups
# printcap name = cups

############ Misc ############

# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
; include = /home/samba/etc/smb.conf.%m

# Most people will find that this option gives better performance.
# See smb.conf(5) and /usr/share/doc/samba-doc/htmldocs/Samba3-HOWTO/speed.html
# for details
# You may want to add the following on a Linux system:
# SO_RCVBUF=8192 SO_SNDBUF=8192
socket options = TCP_NODELAY

# The following parameter is useful only if you have the linpopup package
# installed. The samba maintainer and the linpopup maintainer are
# working to ease installation and configuration of linpopup and samba.
; message command = /bin/sh -c '/usr/bin/linpopup "%f" "%m" %s; rm %s' &

# Domain Master specifies Samba to be the Domain Master Browser. If this
# machine will be configured as a BDC (a secondary logon server), you
# must set this to 'no'; otherwise, the default behavior is recommended.
# domain master = auto

# Some defaults for winbind (make sure you're not using the ranges
# for something else.)
idmap uid = 10000-20000
idmap gid = 10000-20000
# template shell = /bin/false

# The following was the default behaviour in sarge,
# but samba upstream reverted the default because it might induce
# performance issues in large organizations.
# See Debian bug #368251 for some of the consequences of *not*
# having this setting and smb.conf(5) for details.
# winbind separator = +
# winbind enum groups = yes
# winbind enum users = yes
# winbind use default domain = yes

time server = yes
null passwords = no

# Setup usershare options to enable non-root users to share folders
# with the net usershare command.

# Maximum number of usershare. 0 (default) means that usershare is disabled.
; usershare max shares = 100

# Allow users who've been granted usershare privileges to create
# public shares, not just authenticated ones
usershare allow guests = yes

#======================= Share Definitions =======================

# Un-comment the following (and tweak the other settings below to suit)
# to enable the default home directory shares. This will share each
# user's home directory as \\server\username
[homes]
comment = Home Directories
browseable = no

# By default, the home directories are exported read-only. Change the
# next parameter to 'no' if you want to be able to write to them.
read only = no

# File creation mask is set to 0700 for security reasons. If you want to
# create files with group=rw permissions, set next parameter to 0775.
# create mask = 0775

# Directory creation mask is set to 0700 for security reasons. If you want to
# create dirs. with group=rw permissions, set next parameter to 0775.
; directory mask = 0700

# By default, \\server\username shares can be connected to by anyone
# with access to the samba server. Un-comment the following parameter
# to make sure that only "username" can connect to \\server\username
# This might need tweaking when using external authentication schemes
valid users = %S

vfs object = recycle
recycle:repository = /home/%u/.cestino
recycle:keeptree = Yes
recycle:touch = Yes
recycle:versions = Yes
recycle:maxsize = 1048576
recycle:exclude = ?~$*,~$*,*.tmp,index*.pl,index*.htm*,*.temp,*.TMP
recycle:exclude_dir = /tmp,/temp,/cache
recycle:noversions = *.docx,*.doc,*.xlsx,*.xls,*.ppt

# Un-comment the following and create the netlogon directory for Domain Logons
# (you need to configure Samba to act as a domain controller too.)
[netlogon]
comment = Network Logon Service
path = /home/samba/netlogon
guest ok = yes
read only = yes
share modes = no

# Un-comment the following and create the profiles directory to store
# users profiles (see the "logon path" option above)
# (you need to configure Samba to act as a domain controller too.)
# The path below should be writable by all users so that their
# profile directory may be created the first time they log on
[profiles]
comment = Users profiles
path = /home/samba/profiles
read only = no
browseable = no
profile acls = yes

[printers]
comment = All Printers
browseable = no
path = /var/spool/samba
printable = yes
guest ok = no
read only = yes
create mask = 0700

# Windows clients look for this share name as a source of downloadable
# printer drivers
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = yes
read only = yes
guest ok = no
# Uncomment to allow remote administration of Windows print drivers.
# You may need to replace 'lpadmin' with the name of the group your
# admin users are members of.
# Please note that you also need to set appropriate Unix permissions
# to the drivers directory for these users to have write rights in it
; write list = root, @lpadmin

# A sample share for sharing your CD-ROM with others.
;[cdrom]
; comment = Samba server's CD-ROM
; read only = yes
; locking = no
; path = /cdrom
; guest ok = yes

# The next two parameters show how to auto-mount a CD-ROM when the
# cdrom share is accessed. For this to work /etc/fstab must contain
# an entry like this:
#
# /dev/scd0 /cdrom iso9660 defaults,noauto,ro,user 0 0
#
# The CD-ROM gets unmounted automatically after the connection to the
#
# If you don't want to use auto-mounting/unmounting make sure the CD
# is mounted on /cdrom
#
; preexec = /bin/mount /cdrom
; postexec = /bin/umount /cdrom
Once the configuration file is ready, we can check that it contains no errors with the command:
# testparm
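testparm only checks syntax. As an added example (not part of the page and not a Samba tool), the following POSIX sh/awk script checks a few of the settings above that matter for security: null passwords, encrypt passwords, ldap ssl = off when the LDAP backend is not on loopback, guest ok = yes on a writable share, and guest-accessible usershares. It runs against two constructed files, one deliberately weak and one shaped like the configuration above, and prints what would be flagged. Assumed: the file has no include directives and uses key = value lines as above; the sample file contents and the finding messages are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original wiki page or from Samba): a small
# defender-side audit of a few smb.conf settings that matter on a PDC.
# testparm checks syntax; this script checks policy. Needs only POSIX sh and awk.
# Assumption: a plain smb.conf without "include =" lines.

# Prints one finding per line; no output means nothing was flagged.
audit_smbconf() {
  awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    function writable()  { return kv["read only"] == "no" || kv["writable"] == "yes" || kv["writeable"] == "yes" }
    function loopback(u) { return u ~ /127\.0\.0\.1|localhost|ldapi:/ }
    # evaluate the section just finished, then forget its settings
    function flush(   k) {
      if (section == "global") {
        if (kv["null passwords"] == "yes")
          print "global: null passwords = yes permits empty passwords"
        if (kv["encrypt passwords"] == "no" || kv["encrypt passwords"] == "false")
          print "global: encrypt passwords disabled, clients would send plaintext passwords"
        if (kv["ldap ssl"] == "off" && !loopback(kv["passdb backend"]))
          print "global: ldap ssl = off with a non-loopback LDAP backend"
        if (kv["usershare allow guests"] == "yes" && kv["usershare max shares"] + 0 > 0)
          print "global: usershares enabled and allowed to be guest-accessible"
      } else if (section != "") {
        if (kv["guest ok"] == "yes" && writable())
          print "[" section "]: guest ok = yes on a writable share"
      }
      for (k in kv) delete kv[k]
    }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }            # comments and blank lines
    /^[ \t]*\[/ { flush(); section = $0; sub(/^[ \t]*\[/, "", section); sub(/\].*$/, "", section); next }
    index($0, "=") {                                # "key = value": first "=" splits
      i = index($0, "=")
      key = tolower(trim(substr($0, 1, i - 1))); gsub(/[ \t]+/, " ", key)
      kv[key] = tolower(trim(substr($0, i + 1)))
    }
    END { flush() }
  ' "$1"
}

# Counts findings so the result can drive a test or a CI gate.
count_findings() { audit_smbconf "$1" | awk 'END { print NR }'; }

# Constructed samples: a weak configuration and one shaped like the page's config.
write_samples() {
  cat > "$1/weak.conf" <<'EOF'
[global]
workgroup = DOMINIO
security = user
passdb backend = ldapsam:ldap://ldap.example.internal/
ldap ssl = off
null passwords = yes

[public]
path = /srv/public
guest ok = yes
read only = no
EOF
  cat > "$1/hardened.conf" <<'EOF'
[global]
workgroup = DOMINIO
security = user
encrypt passwords = true
passdb backend = ldapsam:ldap://127.0.0.1/
ldap ssl = off
null passwords = no

[netlogon]
path = /home/samba/netlogon
guest ok = yes
read only = yes

[profiles]
path = /home/samba/profiles
read only = no
EOF
}

# Demonstration on the constructed files in a temporary directory
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
echo "weak.conf findings:"; audit_smbconf "$demo_dir/weak.conf"
echo "hardened.conf findings: $(count_findings "$demo_dir/hardened.conf")"
```

On the real server run audit_smbconf /etc/samba/smb.conf after testparm. The configuration above passes these checks because its ldapsam backend is on 127.0.0.1, null passwords is no, and the only guest share ([netlogon]) is read-only; the weak sample shows what each of the three flagged lines looks like.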
Let's create and edit the /etc/samba/usermap file:
# touch /etc/samba/usermap
and edit it like this:
root = root Administrator
Now let's sort out the last directories needed:
# rm -rf /etc/samba/*tdb
# rm -rf /var/lib/samba/*tdb
# rm -rf /var/lib/samba/*dat
# rm -f /var/log/samba/*
Have Samba store the password of the LDAP user (the ldap admin dn set in smb.conf) to use for the connection:
# smbpasswd -w password
and restart the service:
# service smbd stop
# service nmbd stop
# service smbd start
# service nmbd start
or
# /etc/init.d/samba restart