WackoWiki - RafaelMalikov/SmbLdap

2007-04-21 03:49:46

�� /Rafael Malikov / Smb Ldap �� 2007-04-21 03:49:46 � 2008-11-07 12:30:07

��:

��?

2007-04-20 19:36:25

�� /Rafael Malikov / Smb Ldap �� 2007-04-20 19:36:25 � 2007-04-21 03:49:46

��:

� /etc/passwd & /etc/groupe
admin users = @smbadmins
passdb backend = tdbsam
add user script = /usr/sbin/useradd -m -g smbusers %u
add user to group script = /usr/sbin/adduser %u %g
add group script = /usr/sbin/groupadd %g
add machine script = /usr/sbin/useradd -g machines -c Machine_%M_%I -d /dev/null -s /bin/false %u
delete user script = /usr/sbin/userdel %u
delete user from group script = /usr/sbin/deluser %u %g
delete group script = /usr/sbin/groupdel %g
set primary group script = /usr/sbin/usermod -g "%g" "%u"
passwd program = /bin/passwd %u
passwd chat = *new*password* %n\\n*new*password* %n\\n *changed*
��:
– �� smbusers, smbadmins, smbguests, machines
2. �� LDAP.
admin users = @"Domain Adminis"
passdb backend = ldapsam:ldap://127.0.0.1
ldap passwd sync = yes
ldap suffix = dc=domen,dc=ru
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap admin dn = «cn=admin,dc=domen,dc=ru»
ldap delete dn = Yes
add user script = /usr/sbin/smbldap-useradd -m "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
passwd program = /usr/sbin/smbldap-passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
��:
– �� pam – nss – ��
�� smb.conf
[homes]
comment = Home Directories
browseable = no
writable = yes
create mask = 0700
directory mask = 0700
[netlogon]
comment = Network Logon Service
path = /var/data/netlogon
browseable = no
guest ok = yes
writable = no
share modes = no
[profile]
path = /var/data/profiles
read only = No
create mask = 0600
browseable = No
guest ok = Yes
profile acls = Yes
csc policy = disable
force user = %U
valid users = %U @"Domain Adminis"
nt acl support = no
[printers]
comment = All Printers
browseable = no
path = /tmp
printable = yes
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = yes
��
/etc/init.d/samba restart
� ��
smbpasswd -w secter
��
apt-get install libnss-ldap (nss_ldap)
�� LDAP server 127.0.0.1
�� dc=domen,dc=ru
�� 3
yes ��
yes ��
�� cn=admin,dc=domen,dc=ru
��
apt-get install libpam-ldap (pam_ldap)
yes ��
no ��
�� cn=admin,dc=domen,dc=ru
��
�� crypt
��: �� nss
�� pam, �� . ��
�� /etc/ : libnss-ldap.conf pam_ldap.conf ldap.secret
� ��
��.
�� /etc/pam.d/
common-auth
��
auth required pam_unix.so nullok_secure
��
auth sufficient pam_unix.so nullok_secure
��
auth sufficient pam_ldap.so use_first_pass
common-account
��
account required pam_unix.so
��
account sufficient pam_unix.so
��
account sufficient pam_ldap.so
common-password
��
password required pam_unix.so nullok obscure min=4 max=8 md5
��
password sufficient pam_unix.so nullok obscure min=4 max=8 md5
��
password sufficient pam_ldap.so use_authtok
common-session
��
session optional pam_ldap.so
�� nscd
apt-get install nscd
�� smbldap-tools
�� /etc/nsswitch.conf
��
passwd: compat
group: compat
shadow: compat
��
passwd: files ldap
group: files ldap
shadow: files ldap
��
zcat /usr/share/doc/smbldap-tools/examples/smbldap.conf.gz > \

/etc/smbldap-tools/smbldap.conf

SID �� net getlocalsid
SID="S-1-5–21–1730680590–3962963518–200400939"
slaveLDAP="127.0.0.1"
slavePort="389"
masterLDAP="127.0.0.1"
masterPort="389"
ldapTLS="0"
verify="require"
cafile="/etc/smbldap-tools/ca.pem"
clientcert="/etc/smbldap-tools/smbldap-tools.pem"
clientkey="/etc/smbldap-tools/smbldap-tools.key"
suffix="dc=domen,dc=ru"
usersdn="ou=Users,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=Idmap,${suffix}"
sambaUnixIdPooldn="sambaDomainName=domen,${suffix}"
scope="sub"
hash_encrypt="SSHA"
crypt_salt_format="%s"
userLoginShell="/bin/bash"
userHome="/home/%U"
userGecos="System User"
defaultUserGid="513"
defaultComputerGid="515"
skeletonDir="/etc/skel"
defaultMaxPasswordAge="99"
userSmbHome=
userProfile=
userHomeDrive=
userScript=
mailDomain="domen.ru"
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
mk_ntpasswd="/sbin/mkntpwd"
cp /usr/share/doc/smbldap-tools/examples/smbldap_bind.conf \

/etc/smbldap-tools/smbldap_bind.conf

slaveDN="cn=admin,dc=domen,dc=ru"
slavePw="secret"
masterDN="cn=admin,dc=domen,dc=ru"
masterPw="secret"
rem secret – ��
��
chmod 0644 /etc/smbldap-tools/smbldap.conf
chmod 0600 /etc/smbldap-tools/smbldap_bind.conf
��
smbldap-populate
�� Administrator
smbldap-passwd Administrator
�� base.ldif
dn:dc=domen,dc=ru
objectClass:dcObject
objectclass:organization
dc:se
o:Organization
ldapmodify -W -x -D «cn=admin,dc=domen,dc=ru» -f base.ldif

��, �� : RafaelMalikov

��:

� /etc/passwd

2006-10-03 10:22:32

�� /Rafael Malikov / Smb Ldap �� 2006-10-03 10:22:32 � 2007-04-20 19:36:25

��:

� /etc/passwd

��:

/etc/smbldap-tools/smbldap.conf

/etc/smbldap-tools/smbldap_bind.conf

��, �� : RafaelMalikov

2006-06-27 12:08:13

�� /Rafael Malikov / Smb Ldap �� 2006-06-27 12:08:13 � 2006-10-03 10:22:32

��:

��, �� : RafaelMalikov