This article is a reworking of the previous one: it fixes the shortcomings of that text and implements some new ideas. It covers setting up Samba as a primary domain controller (PDC) with all of its service data stored in LDAP.

So, let's get started. The OS on which everything is done is FreeBSD 7.3. The system is assumed to be clean; if it is not, remove the old packages :).

Update the ports tree. Then install the LDAP server; I chose OpenLDAP for this:
```sh
# cd /usr/ports/net/openldap24-server
# make install clean
```

Port options enabled:

```
FETCH
TCP_WRAPPERS
SEQMOD
SYNCPROV
DYNAMIC_BACKENDS
```
/usr/local/etc/openldap/slapd.conf:

```conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
# Load the additional schemas
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
#include /usr/local/etc/openldap/schema/samba.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

# Load the required module:
modulepath /usr/local/libexec/openldap
# moduleload back_bdb
# moduleload back_hdb
moduleload back_ldap

# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read

# Access rights to the data
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to *
    by self write
    by users read
    by anonymous read
    by * none
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# BDB database definitions
#######################################################################
# This option selects the storage backend
database ldif
suffix "dc=srv-home,dc=local"
rootdn "cn=root,dc=srv-home,dc=local"
# Password for the root user.
# Generated with the slappasswd command; just paste the command's output here.
# For more information see the man pages: slappasswd(8) and slapd.conf(5).
rootpw {SSHA}XguytGYPdcylFxV60TD7DwhRy9AXML95
# Here we specify the directory that will hold the database.
# It must be created before slapd is started.
# It is recommended to set its permissions to 700.
directory /var/db/openldap-data
# Logging setup
logfile /var/log/openldap.log
loglevel 256
```
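The ACL block above is worth reading twice. It shields only `userPassword`; every other attribute falls through to `access to *`, where `by users read` and `by anonymous read` grant read access to anyone. Once samba.schema is loaded (the article copies it into the schema directory later) and Samba starts storing account data through `ldapsam`, the entries gain `sambaLMPassword` and `sambaNTPassword` attributes, and under this ACL an anonymous bind can read those hashes. The following evaluator is an added example (not the article's or OpenLDAP's code) that applies slapd's first-match semantics to the subset of ACL syntax used here and reports which secret attributes an anonymous requester can read; the hardened variant simply lists the Samba hash attributes alongside `userPassword`.

```python
"""Minimal evaluator for slapd.conf-style ACLs (added example, not from the article).

It understands the subset used in the article's slapd.conf: "access to attrs=a,b"
and "access to *" targets with "by self|users|anonymous|* <level>" clauses, applied
in file order the way slapd does: the first matching target wins, and within it the
first matching "by" clause decides the access level.
"""
import re

# Constructed copy of the ACL block exactly as it appears in the article's slapd.conf.
ARTICLE_ACL = """
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to *
    by self write
    by users read
    by anonymous read
    by * none
"""

# Hardened variant: the two Samba hash attributes (defined by samba.schema) are
# added to the protected attrs list so they never reach the catch-all rule.
HARDENED_ACL = """
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
    by self write
    by anonymous auth
    by * none
access to *
    by self write
    by users read
    by anonymous read
    by * none
"""

# Attributes that must never be readable by anyone but the entry owner / rootdn.
SECRET_ATTRS = ("userPassword", "sambaLMPassword", "sambaNTPassword")


def parse_acls(text):
    """Return a list of (target, [(who, level), ...]) in file order.

    target is the string "*" or a set of attribute names from an attrs= clause.
    """
    acls = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        m = re.match(r"access\s+to\s+(.+)$", line)
        if m:
            target = m.group(1).strip()
            if target.startswith("attrs="):
                target = {a.strip() for a in target[len("attrs="):].split(",")}
            acls.append((target, []))
            continue
        m = re.match(r"by\s+(\S+)\s+(\S+)$", line)
        if m and acls:
            acls[-1][1].append((m.group(1), m.group(2)))
    return acls


def _who_matches(who, requester, is_self):
    """Does a 'by <who>' clause apply to this requester?"""
    if who == "*":
        return True
    if who == "anonymous":
        return requester == "anonymous"
    if who == "users":                                # any authenticated bind
        return requester != "anonymous"
    if who == "self":                                 # requester owns the entry
        return is_self
    return False


def effective_access(acls, attr, requester="anonymous", is_self=False):
    """Access level the requester gets on attr ('none' when nothing matches)."""
    for target, clauses in acls:
        if target == "*" or (isinstance(target, set) and attr in target):
            for who, level in clauses:
                if _who_matches(who, requester, is_self):
                    return level
            return "none"        # slapd stops at the first matching target
    return "none"


def anonymous_readable_secrets(text):
    """Names of secret attributes an anonymous bind can read under this ACL text."""
    acls = parse_acls(text)
    return [a for a in SECRET_ATTRS if effective_access(acls, a, "anonymous") == "read"]


if __name__ == "__main__":
    print("article ACL, anonymous can read:", anonymous_readable_secrets(ARTICLE_ACL))
    print("hardened ACL, anonymous can read:", anonymous_readable_secrets(HARDENED_ACL))
```

The same catch-all also gives every authenticated user (`by users read`) read access to the hash attributes, so the fix is the attrs list, not a tweak to the anonymous clause alone. After changing the ACL, `ldapsearch -x -b dc=srv-home,dc=local sambaNTPassword` from an anonymous bind against the live server should return entries without that attribute.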
```sh
# echo 'slapd_enable="YES"' >> /etc/rc.conf
# echo "slapd_flags='-h \"ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap://127.0.0.1/ ldap://192.168.7.250/\"'" >> /etc/rc.conf
# service slapd start
# sockstat -l | grep slapd
ldap slapd 36521 6 stream /var/run/openldap/ldapi
ldap slapd 36521 7 tcp4 127.0.0.1:389 *:*
ldap slapd 36521 8 tcp4 192.168.7.250:389 *:*
```
Base structure of the directory (main.ldif):

```ldif
dn: dc=srv-home,dc=local
objectClass: dcObject
objectClass: organization
objectClass: top
dc: srv-home
o: srv-home

dn: cn=root,dc=srv-home,dc=local
objectClass: organizationalRole
cn: root

dn: ou=users,dc=srv-home,dc=local
objectClass: top
objectClass: organizationalUnit
ou: users

dn: ou=groups,dc=srv-home,dc=local
objectClass: top
objectClass: organizationalUnit
ou: groups

dn: ou=computers,dc=srv-home,dc=local
objectClass: top
objectClass: organizationalUnit
ou: computers
```

```sh
# ldapadd -x -D "cn=root,dc=srv-home,dc=local" -W -f main.ldif
Successfully added...
```
/usr/local/etc/ldapscripts/ldapscripts.conf:

```conf
# LDAP Configuration
SERVER="ldap://localhost"
BINDDN="cn=root,dc=srv-home,dc=local"
# The following file contains the raw password of the binddn
# Create it with something like : echo -n 'secret' > $BINDPWDFILE
# WARNING !!!! Be careful not to make this file world-readable
#BINDPWDFILE="/usr/local/etc/ldapscripts/ldapscripts.passwd"
# For older versions of OpenLDAP, it is still possible to use
# unsecure command-line passwords by defining the following option
# AND commenting the previous one (BINDPWDFILE takes precedence)
BINDPWD="*****"
SUFFIX="dc=srv-home,dc=local" # Global suffix
GSUFFIX="ou=groups" # Groups ou (just under $SUFFIX)
USUFFIX="ou=users" # Users ou (just under $SUFFIX)
MSUFFIX="ou=computers" # Machines ou (just under $SUFFIX)

# Start with these IDs *if no entry found in LDAP*
GIDSTART="20000" # Group ID
UIDSTART="20000" # User ID
MIDSTART="30000" # Machine ID

# User properties
USHELL="/usr/sbin/nologin"
UHOMES="/mnt/media/home/%u" # You may use %u for username here
CREATEHOMES="no" # Create home directories and set rights ?
#HOMESKEL="/etc/skel" # Directory where the skeleton files are located. Ignored if undefined or nonexistant.
HOMEPERMS="700" # Default permissions for home directories

# User passwords generation
# Command-line used to generate a password for added users (you may use %u for username here)
# WARNING !!!! This is evaluated, everything specified here will be run !
# Special value "<ask />" will ask for a password interactively
#PASSWORDGEN="cat /dev/random | LC_ALL=C tr -dc 'a-zA-Z0-9' | head -c8"
PASSWORDGEN="head -c8 /dev/random | uuencode -m - | sed -n '2s|=*$||;2p' | sed -e 's|+||g' -e 's|/||g'"
#PASSWORDGEN="pwgen"
#PASSWORDGEN="echo changeme"
#PASSWORDGEN="echo %u"
#PASSWORDGEN="<ask />"

# User passwords recording
# you can keep trace of generated passwords setting PASSWORDFILE and RECORDPASSWORDS
# (useful when performing a massive creation / net rpc vampire)
# WARNING !!!! DO NOT FORGET TO DELETE THE GENERATED FILE WHEN DONE !
# WARNING !!!! DO NOT FORGET TO TURN OFF RECORDING WHEN DONE !
RECORDPASSWORDS="no"
PASSWORDFILE="/var/log/ldapscripts_passwd.log"

# Where to log
LOGFILE="/var/log/ldapscripts.log"

# Temporary folder
TMPDIR="/tmp"

# Various binaries used within the scripts
# Warning : they also use uuencode, date, grep, sed, cut, expr, which...
# Please check they are installed before using these scripts
# Note that many of them should come with your OS

# OpenLDAP client commands
LDAPSEARCHBIN="/usr/local/bin/ldapsearch"
LDAPADDBIN="/usr/local/bin/ldapadd"
LDAPDELETEBIN="/usr/local/bin/ldapdelete"
LDAPMODIFYBIN="/usr/local/bin/ldapmodify"
LDAPMODRDNBIN="/usr/local/bin/ldapmodrdn"
LDAPPASSWDBIN="/usr/local/bin/ldappasswd"

# Character set conversion : $ICONVCHAR UTF-8
# Comment ICONVBIN to disable UTF-8 conversion
ICONVBIN="/usr/local/bin/iconv"
ICONVCHAR="KOI8-R"

# Base64 decoding
# Comment UUDECODEBIN to disable Base64 decoding
UUDECODEBIN="/usr/bin/uudecode"

# Getent command to use - choose the ones used
# on your system. Leave blank or comment for auto-guess.
# GNU/Linux
#GETENTPWCMD="getent passwd"
#GETENTGRCMD="getent group"
# FreeBSD
GETENTPWCMD="pw usershow"
GETENTGRCMD="pw groupshow"
# Auto
#GETENTPWCMD=""
#GETENTGRCMD=""

# You can specify custom LDIF templates here
# Leave empty to use default templates
# See *.template.sample for default templates
#GTEMPLATE="/path/to/ldapaddgroup.template"
#UTEMPLATE="/path/to/ldapadduser.template"
#MTEMPLATE="/path/to/ldapaddmachine.template"
GTEMPLATE=""
UTEMPLATE=""
MTEMPLATE=""
```
```sh
# cd /usr/ports/net/nss_ldap
# make install clean
```
/usr/local/etc/nss_ldap.conf:

```conf
# Your LDAP server. Must be resolvable without using LDAP.
# Multiple hosts may be specified, each separated by a
# space. How long nss_ldap takes to failover depends on
# whether your LDAP client library supports configurable
# network or connect timeouts (see bind_timelimit).
host 127.0.0.1

# The distinguished name of the search base.
base dc=srv-home,dc=local

# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3

# The port.
# Optional: default is 389.
port 389

# The search scope.
#scope sub
scope one
#scope base

# Reconnect policy:
# hard_open: reconnect to DSA with exponential backoff if
# opening connection failed
# hard_init: reconnect to DSA with exponential backoff if
# initializing connection failed
# hard: alias for hard_open
# soft: return immediately on server failure
bind_policy soft

# Connection policy:
# persist: DSA connections are kept open (default)
# oneshot: DSA connections destroyed after request
nss_connect_policy persist

# Use paged results
nss_paged_results yes

# RFC2307bis naming contexts
nss_base_passwd ou=users,dc=srv-home,dc=local?one
nss_base_passwd ou=computers,dc=srv-home,dc=local?one
nss_base_shadow ou=users,dc=srv-home,dc=local?one
nss_base_group ou=groups,dc=srv-home,dc=local?one
```
/etc/nsswitch.conf:

```conf
group: files ldap
passwd: files ldap
```
```sh
# ldapaddgroup testgroup
Successfully added group testgroup to LDAP
# ldapadduser testuser testgroup
Successfully added user testuser to LDAP
Successfully set password for user testuser
# lsldap
...
dn: cn=testgroup,ou=groups,dc=srv-home,dc=local
objectClass: posixGroup
cn: testgroup
gidNumber: 20016
description: Group account

dn: uid=testuser,ou=users,dc=srv-home,dc=local
objectClass: account
objectClass: posixAccount
cn: testuser
uid: testuser
uidNumber: 20004
gidNumber: 20016
homeDirectory: /mnt/media/home/testuser
loginShell: /usr/sbin/nologin
gecos: testuser
description: User account
userPassword:: e1NTSEF9RzVTakJBZjMyM1d6b2ZycWpUZ0hIRXhnak0vdnlTWCs=
...
# id testuser
uid=20004(testuser) gid=20016(testgroup) groups=20016(testgroup)
```
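The `lsldap` output above is plain LDIF, and it shows both value syntaxes: `attr: value` and, for `userPassword`, `attr:: value` where the value is base64-encoded (LDIF uses the double colon for values that are binary or start with a space). The small reader below is an added example, not ldapscripts' or the article's code; it parses a constructed copy of those two entries, decodes the `::` value (which yields the `{SSHA}` hash string that `ldapadduser` stored), and then runs the checks a quick post-provisioning audit would: the account's primary group exists as a `posixGroup`, the `uidNumber` is not below `UIDSTART` from ldapscripts.conf, and the stored password is a salted SHA hash rather than cleartext.

```python
"""LDIF reader plus a posixAccount sanity audit (added example, not the article's code).

Handles "attr: value", "attr:: base64value" and folded continuation lines
(a leading space), which is all that lsldap / ldapsearch output uses.
"""
import base64

# Constructed copy of the two entries the article's lsldap output shows.
SAMPLE_LDIF = """\
dn: cn=testgroup,ou=groups,dc=srv-home,dc=local
objectClass: posixGroup
cn: testgroup
gidNumber: 20016
description: Group account

dn: uid=testuser,ou=users,dc=srv-home,dc=local
objectClass: account
objectClass: posixAccount
cn: testuser
uid: testuser
uidNumber: 20004
gidNumber: 20016
homeDirectory: /mnt/media/home/testuser
loginShell: /usr/sbin/nologin
gecos: testuser
description: User account
userPassword:: e1NTSEF9RzVTakJBZjMyM1d6b2ZycWpUZ0hIRXhnak0vdnlTWCs=
"""


def _unfold(text):
    """Join LDIF continuation lines (those starting with a space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return a list of entries; each entry maps attribute name -> list of str values."""
    entries, current = [], {}
    for line in _unfold(text) + [""]:            # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):                 # "attr:: base64" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.strip(), []).append(value)
    return entries


def audit(entries, uid_start=20000):
    """Return a list of findings for every posixAccount entry (empty list = clean).

    uid_start mirrors UIDSTART in ldapscripts.conf (20000 in the article).
    """
    groups = {e["gidNumber"][0] for e in entries if "posixGroup" in e.get("objectClass", [])}
    findings = []
    for e in entries:
        if "posixAccount" not in e.get("objectClass", []):
            continue
        uid = e["uid"][0]
        gid = e["gidNumber"][0]
        if gid not in groups:
            findings.append(f"{uid}: primary gidNumber {gid} has no matching posixGroup")
        if int(e["uidNumber"][0]) < uid_start:
            findings.append(f"{uid}: uidNumber below UIDSTART ({uid_start})")
        pw = e.get("userPassword", [""])[0]
        if not pw.startswith("{SSHA}"):
            findings.append(f"{uid}: userPassword is not a salted SHA hash ({pw[:6]!r})")
    return findings


if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_LDIF)
    for entry in parsed:
        print(entry["dn"][0])
    print("findings:", audit(parsed) or "none")
```

The decoded `userPassword` is the `{SSHA}` string itself, so the audit inspects the hash scheme without ever needing the password; the same reader works on a full `slapcat` dump if you want to run the checks over every account in `ou=users`.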
```sh
# cd /usr/ports/net/samba34
# make install clean
```

Port options enabled:

```
LDAP
ACL_SUPPORT
QUOTAS
POPT
```

```sh
# cp /usr/local/share/examples/samba34/LDAP/samba.schema /usr/local/etc/openldap/schema
```
/usr/local/etc/smb.conf:

```conf
#======================= Global Settings =====================================
[global]
workgroup = HOME
server string = Documents
netbios name = srv-home.local
security = user
hosts allow = 192.168.7. 127.
load printers = no
printing = bsd
#guest account = nobody
#log file = /var/log/samba34/log.%m
log file = /dev/null
log level = 0
max log size = 5000
encrypt passwords = yes
#passdb backend = tdbsam
passdb backend = ldapsam:ldap://localhost/
ldap suffix = dc=srv-home,dc=local
ldap user suffix = ou=users
ldap group suffix = ou=groups
ldap machine suffix = ou=computers
ldap admin dn = "cn=root,dc=srv-home,dc=local"
ldap delete dn = no
ldap ssl = no
;include = /usr/local/etc/smb.conf.%m
read raw = yes
write raw = yes
use sendfile = yes
socket options = IPTOS_LOWDELAY TCP_NODELAY SO_SNDBUF=32768 SO_RCVBUF=32768 SO_KEEPALIVE
interfaces = 192.168.7.250/24 127.0.0.1/8
bind interfaces only = yes
local master = yes
domain master = yes
preferred master = yes
os level = 65
domain logons = yes
wins support = yes
time server = yes
admin users = nekit
logon path = \\%L\profiles\%U
logon drive = H:
logon home = \\%L\%U
logon script = logon.cmd
display charset = koi8-r
unix charset = koi8-r
dos charset = cp866
case sensitive = no
store dos attributes = yes
# Script for adding machines
add machine script = /usr/local/sbin/ldapaddmachine '%u' smb_pdc_computers
add user script = /usr/local/sbin/ldapadduser '%u' smb_pdc_users
add group script = /usr/local/sbin/ldapaddgroup '%g'
add user to group script = /usr/local/sbin/ldapaddusertogroup '%u' '%g'
delete user script = /usr/local/sbin/ldapdeleteuser '%u'
delete group script = /usr/local/sbin/ldapdeletegroup '%g'
delete user from group script = /usr/local/sbin/ldapdeleteuserfromgroup '%u' '%g'
set primary group script = /usr/local/sbin/ldapsetprimarygroup '%u' '%g'
rename user script = /usr/local/sbin/ldaprenameuser '%uold' '%unew'

#============================ Share Definitions ==============================
[netlogon]
comment = Netlogon Service
path = /mnt/media/samba/netlogon
read only = yes
browseable = no
public = no

[profiles]
comment = User profiles
path = /mnt/media/samba/profiles
writeable = yes
browseable = no
public = no
csc policy = disable
create mask = 0600
directory mask = 0700

[homes]
comment = Home Directories
browseable = no
writable = yes
force create mode = 0640
force directory mode = 0750

# NOTE: If you have a BSD-style print system there is no need to
# specifically define each individual printer
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
# Set public = yes to allow user 'guest account' to print
guest ok = no
writable = no
printable = yes

[Video]
comment = Video
path = /mnt/media/samba/video
browseable = yes
public = no
writable = yes
force create mode = 0640
force directory mode = 0750
create mask = 0640
directory mask = 0750
force user = root
force group = wheel
valid users = @smb_video_read, @smb_video_write
write list = @smb_video_write
read list = @smb_video_read, @smb_video_write

[Music]
comment = Music
path = /mnt/media/samba/music
browseable = yes
public = no
writable = yes
force create mode = 0640
force directory mode = 0750
create mask = 0640
directory mask = 0750
force user = root
force group = wheel
valid users = @smb_music_read, @smb_music_write
write list = @smb_music_write
read list = @smb_music_read, @smb_music_write

[Distrib]
comment = Distrib
path = /mnt/media/samba/distrib
browseable = yes
public = no
writable = yes
force create mode = 0640
force directory mode = 0750
create mask = 0640
directory mask = 0750
force user = root
force group = wheel
valid users = @smb_distrib_read, @smb_distrib_write
write list = @smb_distrib_write
read list = @smb_distrib_read, @smb_distrib_write

[Wallpapers]
comment = Wallpapers
path = /mnt/media/samba/wallpapers
browseable = yes
public = no
writable = yes
force create mode = 0640
force directory mode = 0750
create mask = 0640
directory mask = 0750
force user = root
force group = wheel
valid users = @smb_wallpapers_read, @smb_wallpapers_write
write list = @smb_wallpapers_write
read list = @smb_wallpapers_read, @smb_wallpapers_write
```
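Two settings in this smb.conf deserve a second look from a defender's side before the PDC goes into service: `log file = /dev/null` with `log level = 0` leaves nothing to examine if an account is misused later, and each media share runs with `force user = root`, so every file operation on those shares happens as root regardless of which domain user connected. The share ACLs themselves are consistent (every name in `write list` and `read list` also appears in `valid users`), but that is easy to break when a share is copied and edited. The linter below is an added example, not Samba's code nor the article's; it parses Samba's INI-like layout (`#` and `;` comments, `key = value` lines) from a constructed excerpt of the config above and reports those findings, including a `write list` entry that is not covered by `valid users`.

```python
"""Lint for an smb.conf in the article's style (added example, not from Samba or the article).

Parses the INI-like layout Samba uses and reports the settings a defender would
want to revisit: disabled logging, plain-LDAP passdb to a remote host, shares
that force root, and access lists that name groups outside 'valid users'.
"""

# Constructed excerpt of the article's smb.conf: [global] plus one media share.
SAMPLE_SMB_CONF = """
[global]
  workgroup = HOME
  security = user
  hosts allow = 192.168.7. 127.
  ;include = /usr/local/etc/smb.conf.%m
  #log file = /var/log/samba34/log.%m
  log file = /dev/null
  log level = 0
  passdb backend = ldapsam:ldap://localhost/
  ldap ssl = no
  admin users = nekit

[Video]
  path = /mnt/media/samba/video
  writable = yes
  force user = root
  force group = wheel
  valid users = @smb_video_read, @smb_video_write
  write list = @smb_video_write
  read list = @smb_video_read, @smb_video_write
"""


def parse_smb_conf(text):
    """Return {section: {key: value}}; keys are lower-cased with normalised spacing."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":              # Samba accepts both comment markers
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            conf[section] = {}
            continue
        if "=" in line and section is not None:
            key, _, value = line.partition("=")
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf


def _names(value):
    """Split a Samba list value such as '@a, @b' into a set of names."""
    return {n.strip() for n in value.replace(",", " ").split() if n.strip()}


def lint(conf):
    """Return a list of human-readable findings (empty list = nothing flagged)."""
    findings = []
    g = conf.get("global", {})
    if g.get("log file") == "/dev/null" or g.get("log level", "1") == "0":
        findings.append("global: logging is disabled (log file = /dev/null / log level = 0)")
    backend = g.get("passdb backend", "")
    if backend.startswith("ldapsam:ldap://") and g.get("ldap ssl", "no") == "no":
        host = backend.split("//", 1)[1].rstrip("/")
        if host not in ("localhost", "127.0.0.1"):   # loopback is the article's case
            findings.append(f"global: ldapsam talks plain ldap:// to {host} with ldap ssl = no")
    for name, share in conf.items():
        if name in ("global", "homes", "printers"):
            continue
        if share.get("force user") == "root":
            findings.append(f"[{name}]: force user = root; all file operations run as root")
        valid = _names(share.get("valid users", ""))
        for key in ("write list", "read list"):
            extra = _names(share.get(key, "")) - valid
            if valid and extra:
                findings.append(f"[{name}]: {key} names {sorted(extra)} not in valid users")
        writable = share.get("writable", share.get("writeable", "no")) == "yes"
        if writable and not valid and not share.get("write list"):
            findings.append(f"[{name}]: writable share with no valid users / write list")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_smb_conf(SAMPLE_SMB_CONF)):
        print(finding)
```

Run it over the real file with `lint(parse_smb_conf(open("/usr/local/etc/smb.conf").read()))`; it complements `testparm`, which validates syntax but does not judge these choices.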
```sh
# smbpasswd -W
Enter password: ***
Retype enter password: ***
# echo 'smbd_enable="YES"' >> /etc/rc.conf
# echo 'nmbd_enable="YES"' >> /etc/rc.conf
# service samba start
# sockstat | grep -E "smbd|nmbd"
root smbd 18247 10 tcp4 192.168.7.250:139 192.168.7.101:2386
root smbd 18247 21 tcp4 127.0.0.1:61042 127.0.0.1:389
root smbd 18247 25 tcp4 127.0.0.1:62217 127.0.0.1:389
root smbd 92555 21 tcp4 127.0.0.1:63357 127.0.0.1:389
root smbd 92553 21 tcp4 127.0.0.1:63357 127.0.0.1:389
root smbd 92553 22 tcp4 127.0.0.1:445 *:*
root smbd 92553 23 tcp4 127.0.0.1:139 *:*
root smbd 92553 24 tcp4 192.168.7.250:445 *:*
root smbd 92553 25 tcp4 192.168.7.250:139 *:*
root nmbd 92548 11 udp4 *:137 *:*
root nmbd 92548 12 udp4 *:138 *:*
root nmbd 92548 13 udp4 192.168.7.250:137 *:*
root nmbd 92548 14 udp4 192.168.7.250:138 *:*
```
```sh
# ldapaddgroup smb_pdc_admins
# ldapaddgroup smb_pdc_users
# ldapaddgroup smb_pdc_computers
# ldapaddgroup smb_pdc_guests
# net groupmap add rid=512 unixgroup=smb_pdc_admins type=d ntgroup="Domain Admins"
# net groupmap add rid=513 unixgroup=smb_pdc_users type=domain ntgroup="Domain Users"
# net groupmap add rid=514 unixgroup=smb_pdc_guests type=domain ntgroup="Domain Guests"
# net groupmap add rid=515 unixgroup=smb_pdc_computers type=domain ntgroup="Domain Computers"
# net groupmap list
Domain Admins (S-1-5-21-2073026716-1291088168-25512215-512) -> smb_pdc_admins
Domain Users (S-1-5-21-2073026716-1291088168-25512215-513) -> smb_pdc_users
Domain Computers (S-1-5-21-2073026716-1291088168-25512215-515) -> smb_pdc_computers
Domain Guests (S-1-5-21-2073026716-1291088168-25512215-514) -> smb_pdc_guests
```

```sh
# ldapaddgroup smb_video_read
# ldapaddgroup smb_video_write
# ldapaddgroup smb_music_read
# ldapaddgroup smb_music_write
# ldapaddgroup smb_distrib_read
# ldapaddgroup smb_distrib_write
# ldapaddgroup smb_wallpapers_read
# ldapaddgroup smb_wallpapers_write
# net groupmap add unixgroup=smb_video_read type=local ntgroup="Video Share Read"
# net groupmap add unixgroup=smb_video_write type=local ntgroup="Video Share Write"
# net groupmap add unixgroup=smb_music_read type=local ntgroup="Music Share Read"
# net groupmap add unixgroup=smb_music_write type=local ntgroup="Music Share Write"
# net groupmap add unixgroup=smb_distrib_read type=local ntgroup="Distrib Share Read"
# net groupmap add unixgroup=smb_distrib_write type=local ntgroup="Distrib Share Write"
# net groupmap add unixgroup=smb_wallpapers_read type=local ntgroup="Wallpapers Share Read"
# net groupmap add unixgroup=smb_wallpapers_write type=local ntgroup="Wallpapers Share Write"
```

```sh
# ldapadduser nekit smb_pdc_admins
# smbpasswd -a nekit
New password: ***
Retype password: ***
# net rpc rights grant "Domain Admins" SeMachineAccountPrivilege -U nekit
# net rpc rights grant "Domain Admins" SeTakeOwnershipPrivilege -U nekit
# net rpc rights grant "Domain Admins" SeBackupPrivilege -U nekit
# net rpc rights grant "Domain Admins" SeRestorePrivilege -U nekit
# net rpc rights grant "Domain Admins" SeRemoteShutdownPrivilege -U nekit
# net rpc rights grant "Domain Admins" SePrintOperatorPrivilege -U nekit
# net rpc rights grant "Domain Admins" SeAddUsersPrivilege -U nekit
# net rpc rights grant "Domain Admins" SeDiskOperatorPrivilege -U nekit
```
Discussion of the article

Tue, 10/11/2020 - 23:00

Fri, 13/11/2020 - 18:46

Sat, 14/11/2020 - 10:26

Tue, 10/11/2020 - 13:27

Nothing will work for you if you follow this article. slapd.conf contains the line "database ldif", i.e. it implies that a database must exist, but the author did not write at which step it gets created. So your LDAP simply will not start, which means the article is of zero use.