Потребовалось на предприятии поставить сервер, который будет раздавать шары. Решил пойти таким путем: поставить самбу и лдап сервер, в котором будут группы и пользователи самбы. На сервере стоит ОС FreeBSD 8.1.
Вначале ставим LDAP:
Все параметры я оставил как есть. После успешной установки идем править конфиг - /usr/local/etc/openldap/slapd.conf.
У меня он получился такого содержания
Хеш пароля для rootdn в OpenLDAP генерируется командой slappasswd; полученную строку вида {SSHA}... нужно просто скопировать в конфиг (сам пароль в открытом виде в файл не пишем). Поскольку в slapd.conf лежит хеш пароля администратора каталога, файл не должен быть доступен на чтение остальным: выставьте права 600 и владельца ldap (пользователь, от которого запускается slapd).
Добавляем следующие записи в /etc/rc.conf
Далее пробуем запустить сервис
Проверяем запустился ли сервис:
Если вы видите что-то наподобие этого (slapd слушает только unix-сокет ldapi и 127.0.0.1:389, наружу ничего не открыто), значит всё прошло нормально.
Наполняем лдап начальными данными, для этого создаем файл main.ldif следующего содержания:
Чтобы добавить записи, выполняем следующую команду:
С настройкой OpenLDAP пока закончили, переходим к установке Samba.
Из всех опций я оставил следующие:
Далее правим конфиг, добавляем следующую строчку
И перезапускаем сервер
После этих несложных действий правим конфиг самбы - /usr/local/etc/smb.conf.
У меня он получился таким:
После чего нужно сообщить Samba пароль от учетной записи, указанной в ldap admin dn: он сохраняется в secrets.tdb командой smbpasswd -w &lt;пароль&gt; (именно с ключом -w; без него smbpasswd задаёт Samba-пароль текущему unix-пользователю, а не пароль для привязки к LDAP). Учтите, что пароль, переданный аргументом, попадает в историю shell. Для этого делаем следующее:
Вводим пароль и запускаем Samba:
На этом установка и настройка пакетов закончена. Для простоты администрирования учетных записей в LDAP можно дополнительно установить пакет ldapscripts.
# Build and install the OpenLDAP 2.4 server from the ports tree (run as root).
cd /usr/ports/net/openldap24-server
make install clean
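#
# /usr/local/etc/openldap/slapd.conf - directory for the Samba file server
# (suffix dc=dush4,dc=ru). See slapd.conf(5) and slapd.access(5).
#
# This file holds the rootdn password hash: it must NOT be world readable
# (mode 0600, owned by the user slapd runs as - "ldap" on FreeBSD).
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/openldap.schema

# Referrals stay disabled until the local directory works and the
# implications of referrals are understood.
#referral ldap://root.openldap.org

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

# Dynamic backend modules.
modulepath /usr/local/libexec/openldap
moduleload back_bdb
# moduleload back_hdb
# moduleload back_ldap

# Minimum security-strength factors. Left off because slapd only listens on
# ldapi:// and 127.0.0.1 (see slapd_flags in /etc/rc.conf); enable them
# before ever exposing the listener on a network interface.
# security ssf=1 update_ssf=112 simple_bind=64

#
# Access control. Rules are evaluated in order and the first matching
# "access to" wins; the rootdn bypasses ACLs entirely.
#
# userPassword: the owner may change it, anonymous may only use it to bind,
# nobody else may read it.
access to attrs=userPassword
	by self write
	by anonymous auth
	by * none

# NOTE(review): when samba.schema is added later, put a rule ABOVE the
# generic one below that denies everyone ("by * none") read access to
# sambaLMPassword and sambaNTPassword. Those hashes are password-equivalent
# for SMB authentication, and "by users read" would otherwise hand them to
# every authenticated bind.

# Everything else: the owner may write its own entry, authenticated users
# may read, anonymous may only bind. The stock sample used "by anonymous
# read" here, which exposed the whole directory to unauthenticated clients;
# nothing in this setup needs anonymous reads (Samba and ldapadd bind as
# the rootdn).
access to *
	by self write
	by users read
	by anonymous auth
	by * none

#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix "dc=dush4,dc=ru"
# Same DN as "ldap admin dn" in smb.conf.
rootdn "cn=root,dc=dush4,dc=ru"
# Hash produced by slappasswd(8); never store a cleartext password here.
rootpw {SSHA}*****
# The database directory MUST exist before slapd starts and should only be
# accessible by slapd and the slap* tools: mode 0700, owned by the slapd user.
directory /var/db/openldap-data
# Indices to maintain. uid is indexed because ldapsam looks accounts up by
# uid; run slapindex(8) if the database already contains data.
index objectClass eq
index cn eq
index uid eq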
# slapd: listen only on the local Unix socket and loopback TCP, so the
# directory (and the rootdn password sent on simple bind) never leaves the host.
slapd_flags='-h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap://127.0.0.1/"'
slapd_enable="YES"
- # /usr/local/etc/rc.d/slapd start
- # sockstat | grep slapd
- ldap slapd 693 3 dgram -> /var/run/logpriv
- ldap slapd 693 6 stream /var/run/openldap/ldapi
- ldap slapd 693 7 tcp4 127.0.0.1:389 *:*
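# main.ldif - initial tree for dc=dush4,dc=ru.
# Entries are separated by blank lines, as LDIF requires.

# Base entry; must match "suffix" in slapd.conf.
dn: dc=dush4,dc=ru
objectClass: dcObject
objectClass: organization
objectClass: top
dc: dush4
o: dush4

# Entry for the rootdn. The original listing had dn cn=root,dc=srv-home,dc=local
# (outside the suffix, so slapd would refuse it) and "ou: root" instead of the
# RDN attribute cn, which organizationalRole requires (MUST cn in core.schema).
# The entry is optional: rootdn binds are checked against rootpw in slapd.conf,
# not against this entry.
dn: cn=root,dc=dush4,dc=ru
objectClass: organizationalRole
cn: root

# Containers referenced by "ldap user/group/machine suffix" in smb.conf.
dn: ou=users,dc=dush4,dc=ru
objectClass: top
objectClass: organizationalUnit
ou: users

dn: ou=groups,dc=dush4,dc=ru
objectClass: top
objectClass: organizationalUnit
ou: groups

dn: ou=computers,dc=dush4,dc=ru
objectClass: top
objectClass: organizationalUnit
ou: computers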
# Load main.ldif as the rootdn. -W prompts for the password so it does not
# end up in the shell history; simple bind (-x) is acceptable here only
# because slapd listens on loopback.
ldapadd -x -W -D 'cn=root,dc=dush4,dc=ru' -f main.ldif
# Build Samba from ports (run as root). In the options dialog keep LDAP
# enabled: it provides the ldapsam passdb backend used in smb.conf.
cd /usr/ports/net/samba
make install clean
- LDAP
- ACL_SUPPORT
- QUOTAS
- POPT
# Make the Samba schema (shipped with the Samba port) available to slapd.
cp /usr/local/share/examples/samba/LDAP/samba.schema /usr/local/etc/openldap/schema
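# 1. Add next to the other "include" lines at the top of slapd.conf:
include /usr/local/etc/openldap/schema/samba.schema

# 2. Add ABOVE the generic "access to *" rule (rules are first-match).
# ldapsam stores NT/LM hashes in sambaNTPassword/sambaLMPassword; they are
# password-equivalent for SMB authentication, and "access to *" with
# "by users read" would hand them to every authenticated bind. Samba itself
# binds as the rootdn (cn=root,dc=dush4,dc=ru), which bypasses ACLs, so no
# other DN needs access to them.
access to attrs=sambaLMPassword,sambaNTPassword,sambaPasswordHistory
	by * none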
# Restart slapd so the added schema is loaded; confirm it came back
# (sockstat | grep slapd) before continuing.
/usr/local/etc/rc.d/slapd restart
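#======================= Global Settings =====================================
[global]
	workgroup = DUSH-4
	server string = DUSH-4 File Server
	# NOTE(review): NetBIOS names are limited to 15 characters and normally
	# contain no dots; "srv-data.local" fits the length but has a dot --
	# confirm nmbd registers the name as intended.
	netbios name = srv-data.local
	security = user
	# Only the office LAN and loopback may talk to smbd/nmbd at all.
	hosts allow = 192.168.4. 127.
	# No printing on this server; the [printers] share below stays unused.
	load printers = no
	log file = /var/log/samba/log.%m
	max log size = 50
	encrypt passwords = yes

	# Accounts live in OpenLDAP. slapd listens on 127.0.0.1 only (see
	# slapd_flags in /etc/rc.conf), so that address is named explicitly
	# instead of "localhost", which may resolve to ::1 first.
	# The bind is unencrypted (ldap ssl = no); acceptable only because it
	# never leaves the host. Use ldapi:// or start_tls before pointing this at
	# a remote directory.
	passdb backend = ldapsam:ldap://127.0.0.1/
	ldap suffix = dc=dush4,dc=ru
	ldap user suffix = ou=users
	ldap group suffix = ou=groups
	ldap machine suffix = ou=computers
	# Same DN as rootdn in slapd.conf; its password is kept in secrets.tdb.
	ldap admin dn = "cn=root,dc=dush4,dc=ru"
	ldap delete dn = no
	ldap ssl = no

	socket options = SO_RCVBUF=32768 SO_SNDBUF=32768
	# Bind smbd/nmbd to the LAN address and loopback only.
	interfaces = 192.168.4.251/24 127.0.0.1/8
	bind interfaces only = yes

	# Browse-master and WINS role for the workgroup; this is a stand-alone
	# file server, not a domain controller (domain logons = no).
	local master = yes
	os level = 65
	domain master = yes
	preferred master = yes
	domain logons = no
	wins support = yes
	dns proxy = no

	# "hide dot files" already covers /.*; the explicit pattern is redundant
	# but harmless.
	hide dot files = yes
	hide files = /.*
	dfree cache time = 60
	dfree command = /usr/local/bin/dfree

	# Cyrillic file names: koi8-r on the filesystem, cp866 for legacy DOS
	# clients.
	display charset = koi8-r
	unix charset = koi8-r
	dos charset = cp866

#============================ Share Definitions ==============================
[homes]
	comment = Home Directories
	browseable = no
	writable = yes
	# Only the owner may connect to his own home share; without this any
	# authenticated user could try to open \\server\<otheruser>.
	valid users = %S

# Unused while load printers = no; kept from the default config.
[printers]
	comment = All Printers
	path = /var/spool/samba
	browseable = no
	guest ok = no
	writable = no
	printable = yes

[distrib]
	comment = Distrib
	path = /mnt/media/samba/distrib
	public = no
	writable = yes
	# Everything is created as smb_user:smb_write with at least rw-r-----.
	force create mode = 0640
	force directory mode = 0750
	force user = smb_user
	force group = smb_write
	# NOTE(review): "valid users" is checked before "write list", so a member
	# of smb_write who is not also in smb_read cannot connect at all; keep
	# writers in both groups, or list both groups here.
	valid users = @smb_read
	read list = @smb_read
	write list = @smb_write

[temp]
	comment = Temporary files
	path = /mnt/media/samba/temp
	public = no
	writable = yes
	force create mode = 0640
	force directory mode = 0750
	force user = smb_user
	force group = smb_write
	valid users = @smb_read
	read list = @smb_read
	# Unlike [distrib], every reader may write here -- presumably intended
	# for a scratch share; change to @smb_write if that is not the case.
	write list = @smb_read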
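# Store the "ldap admin dn" password in secrets.tdb so smbd can bind to slapd.
# The -w flag is required: plain "smbpasswd" would instead set the Samba
# password of the current Unix user. The password is passed as an argument,
# so it lands in the shell history -- remove that entry afterwards.
smbpasswd -w 'LDAP_ADMIN_PASSWORD'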
- # /usr/local/etc/rc.d/samba start
- Starting nmbd.
- Starting smbd.