PDC - Samba + LDAP - Fedora 7

milton.paiva

Este artigo tem como objetivo ajudar aos que estão precisando configurar um servidor PDC com SAMBA + LDAP. Fiz minha configuração no Fedora 7 e estarei descrevendo nas próximas páginas o processo que precisei percorrer até deixar o servidor funcionando.

[ Hits: 82.835 ]

Por: Milton Paiva Neto em 06/12/2007

0 0

Denuncie Favoritos Indicar Impressora

Configurando o smbldap-tools

O smbldap-tools possui dois arquivos que devem ser configurados, o primeiro deles é o /etc/smbldap-tools/smbldap.conf:

##############################################
#
# General Configuration
#
##############################################

# Put your own SID. To obtain this number do: "net getlocalsid".
# If not defined, parameter is taking from "net getlocalsid" return
#SID="S-1-5-21-4205727931-4131263253-1851132061"
SID="S-1-5-21-1470612041-1557919963-3843472885"

# Domain name the Samba server is in charged.
# If not defined, parameter is taking from smb.conf configuration file
# Ex: sambaDomain="IDEALX-NT"
sambaDomain="SEU_DOMINIO.COM"

###############################################
#
# LDAP Configuration
#
###############################################

# Notes: to use to dual ldap servers backend for Samba, you must patch
# Samba with the dual-head patch from IDEALX. If not using this patch
# just use the same server for slaveLDAP and masterLDAP.
# Those two servers declarations can also be used when you have
# . one master LDAP server where all writing operations must be done
# . one slave LDAP server where all reading operations must be done
# (typically a replication directory)

# Slave LDAP server
# Ex: slaveLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
slaveLDAP="192.168.10.202"

# Slave LDAP port
# If not defined, parameter is set to "389"
slavePort="389"

# Master LDAP server: needed for write operations
# Ex: masterLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
masterLDAP="localhost"

# Master LDAP port
# If not defined, parameter is set to "389"
masterPort="389"

# Use TLS for LDAP
# If set to 1, this option will use start_tls for connection
# (you should also used the port 389)
# If not defined, parameter is set to "1"
ldapTLS="0"

# How to verify the server's certificate (none, optional or require)
# see "man Net::LDAP" in start_tls section for more details
verify="none"

# CA certificate
# see "man Net::LDAP" in start_tls section for more details
#cafile="/etc/opt/IDEALX/smbldap-tools/ca.pem"
cafile=""

# certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
#clientcert="/etc/opt/IDEALX/smbldap-tools/smbldap-tools.pem"
clientcert=""

# key certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
#clientkey="/etc/opt/IDEALX/smbldap-tools/smbldap-tools.key"
clientkey=""

# LDAP Suffix
# Ex: suffix=dc=IDEALX,dc=ORG
suffix="dc=SEU_DOMINIO,dc=com"

# Where are stored Users
# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for usersdn
usersdn="ou=Users,${suffix}"

# Where are stored Computers
# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for computersdn
computersdn="ou=Computers,${suffix}"

# Where are stored Groups
# Ex: groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for groupsdn
groupsdn="ou=Groups,${suffix}"

# Where are stored Idmap entries (used if samba is a domain member server)
# Ex: groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for idmapdn
idmapdn="ou=Idmap,${suffix}"

# Where to store next uidNumber and gidNumber available for new users and groups
# If not defined, entries are stored in sambaDomainName object.
# Ex: sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
# Ex: sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
#sambaUnixIdPooldn="sambaDomainName=IDEALX-NT,${suffix}"
sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"

# Default scope Used
scope="sub"

# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
hash_encrypt="SSHA"

# if hash_encrypt is set to CRYPT, you may set a salt format.
# default is "%s", but many systems will generate MD5 hashed
# passwords if you use "$1$%.8s". This parameter is optional!
#crypt_salt_format="%s"
crypt_salt_format=""

################################################
#
# Unix Accounts Configuration
#
################################################

# Login defs
# Default Login Shell
# Ex: userLoginShell="/bin/bash"
userLoginShell="/bin/bash"

# Home directory
# Ex: userHome="/home/%U"
userHome="/home/%U"

# Default mode used for user homeDirectory
userHomeDirectoryMode="700"

# Gecos
userGecos="System User"

# Default User (POSIX and Samba) GID
defaultUserGid="513"

# Default Computer (Samba) GID
defaultComputerGid="515"

# Skel dir
skeletonDir="/etc/skel"

# Default password validation time (time in days) Comment the next line if
# you don't want password to be enable for defaultMaxPasswordAge days (be
# careful to the sambaPwdMustChange attribute's value)
defaultMaxPasswordAge="999"

################################################
#
# SAMBA Configuration
#
################################################

# The UNC path to home drives location (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon home'
# directive and/or disable roaming profiles
# Ex: userSmbHome="\\PDC-SMB3\%U"
userSmbHome="\\SEU_DOMÍNIO.com\%U"

# The UNC path to profiles locations (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon path'
# directive and/or disable roaming profiles
# Ex: userProfile="\\PDC-SMB3\profiles\%U"
userProfile="\\SEU_DOMÍNIO.com\profiles\%U"

# The default Home Drive Letter mapping
# (will be automatically mapped at logon time if home directory exist)
# Ex: userHomeDrive="H:"
userHomeDrive="H:"

# The default user netlogon script name (%U username substitution)
# if not used, will be automatically username.cmd
# make sure script file is edited under dos
# Ex: userScript="startup.cmd" # make sure script file is edited under dos
userScript="%U.bat"

# Domain appended to the users "mail"-attribute
# when smbldap-useradd -M is used
# Ex: mailDomain="idealx.com"
#mailDomain="idealx.com"

################################################
#
# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
#
################################################

# Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but
# prefer Crypt::SmbHash library
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"

# Allows not to use slappasswd (if with_slappasswd == 0 in smbldap_conf.pm)
# but prefer Crypt:: libraries
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"

Configurando o segundo arquivo do smbldap-tools: /etc/smbldap-tools/smbldap_bind.conf

############################
# Credential Configuration #
############################
# Notes: you can specify two differents configuration if you use a
# master ldap for writing access and a slave ldap server for reading access
# By default, we will use the same DN (so it will work for standard Samba
# release)
slaveDN="cn=Manager,dc=SEU_DOMÍNIO,dc=com"
slavePw="secret"
masterDN="cn=Manager,dc=SEU_DOMÍNIO,dc=com"
masterPw="secret"

Populando a base ldap:

# smbldap-populate

Adicionando o usuário root na base ldap:

# smbpasswd -a root

Página anterior Próxima página

Páginas do artigo

   1. Pacotes necessários
   2. Configuração do LDAP
   3. Configurando o banco de dados LDAP
   4. Instalação do Samba
   5. Executando o SAMBA
   6. Instalando o smbldap-tools
   7. Configurando o smbldap-tools
   8. Configurando o servidor PDC para replicar sua base

Outros artigos deste autor

Servidor para centralização de logs - Fedora 7

Leitura recomendada

Política de segurança com o Samba

Administrando seu servidor Samba com o User Manager

Integrando Servidores Linux no Active Directory com Samba

Tutorial completo de implementação de LDAP + Samba + Squid

Gateway com autenticação pelo Samba

Comentários

[1] Comentário enviado por tatototino em 08/12/2007 - 12:50h

Ficou legal seu artigo principalmente no fato de abordar "replicação", mas você poderia abordar o LAM (LDAP Account Manager), porque gerenciar o LDAP + samba com smbldap-tools é bem chatinho.
E também poderia abrodar mas o que é replicação para não deixar muita s pessoas confusas.

Um abraço

0 0

[2] Comentário enviado por lucassusin em 06/08/2009 - 20:03h

Tem um monte de coisa errada nesse tutorial....

como smb.conf

logon script = %U.bat não tem na conf

tem muita coisa errada..

antes de postar alguma coisa verefique oque vc está fazerndo

0 0

[3] Comentário enviado por miltonpaiva em 06/08/2009 - 22:49h

Caro Lucassusin esse artigo foi escrito há mais de 2 anos, foi testado e funcionava corretamente naquele período.

O artigo foi escrito com o intuito de ajudar outros usuários que por não terem conhecimento suficiente para fazerem um pdc sozinhos, que seguissem o tutorial para conseguir realizar essa tarefa.

De qualquer maneira fique livre para fazer suas pesquisas e de repente juntar suas idéias com o meu tutorial e fazer um tutorial ainda melhor que possa facilitar a vida de outras pessoas.

É interessante fazer criticas construtivas, ao invés de sair desvalorizando o trabalho de outras pessoas.

0 0

[4] Comentário enviado por roanfranklin em 26/10/2009 - 11:43h

Turma, preciso replicar um servidor SMBLDAP para mais 6, em pontos distantes, fazendo com que os usuarios em qual local/empresa estiver "matriz/filial" possa se conectar normalmente, alguem tem alguma dica para mim?

Sendo que é SMB+LDAP preciso dos dois serviços rodando em cada um dos pontos.

Agradeço.

0 0