Friday, July 26, 2013

Configuring a Samba PDC with OpenLDAP authentication on CentOS 5

OpenLDAP

Installation:
yum install openldap-servers compat-openldap -y

Configuration:
Edit the file /etc/openldap/slapd.conf with the following content:
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/samba.schema
allow bind_v2
pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args
ckpoint 512 30
cachesize 1000000
dbcachesize 10000000
schemacheck     on
idletimeout     0
loglevel 0
database        bdb
suffix          "dc=unix,dc=com,dc=br"
rootdn          "cn=Manager,dc=unix,dc=com,dc=br"
rootpw          {SSHA}yRhs9NafOr/oPrxr8k7FBt2nVzrQoKE/
directory       /var/lib/ldap
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uid,memberUid                     eq,pres,sub
index sambaSID,sambaPrimaryGroupSID,sambaDomainName   eq
sizelimit  256
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
        by self write
        by anonymous auth
        by * none
access to *
        by * read

To generate the hashed password for the rootpw parameter, run the following command:
slappasswd -s senha_ldap

Create the file base.ldif with the following content:
dn: dc=unix,dc=com,dc=br
dc: unix
objectClass: top
objectClass: domain

dn: ou=People,dc=unix,dc=com,dc=br
# the RDN value has to be present as an attribute value, so this is ou: People (not ou: Users)
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Groups,dc=unix,dc=com,dc=br
ou: Groups
objectClass: top
objectClass: organizationalUnit

dn: ou=Computers,dc=unix,dc=com,dc=br
ou: Computers
objectClass: top
objectClass: organizationalUnit

dn: ou=Idmap,dc=unix,dc=com,dc=br
ou: Idmap
objectClass: top
objectClass: organizationalUnit

Run the command below to load the base you just created:
ldapadd -x -D cn=Manager,dc=unix,dc=com,dc=br -W -f base.ldif

The output should be:
adding new entry "dc=unix,dc=com,dc=br"
adding new entry "ou=People,dc=unix,dc=com,dc=br"
adding new entry "ou=Groups,dc=unix,dc=com,dc=br"
adding new entry "ou=Computers,dc=unix,dc=com,dc=br"
adding new entry "ou=Idmap,dc=unix,dc=com,dc=br"

Edit the file /etc/nsswitch.conf with the following content:
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
netgroup:   files ldap
publickey:  nisplus
automount:  files ldap
aliases:    files nisplus

Edit the file /etc/ldap.conf with the following content:
base dc=unix,dc=com,dc=br
timelimit 120
bind_timelimit 120
idle_timelimit 3600
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
uri ldap://192.168.192.99
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password crypt

Edit the file /etc/openldap/ldap.conf with the following content:
URI ldap://192.168.192.99
BASE dc=unix,dc=com,dc=br
TLS_CACERTDIR /etc/openldap/cacerts

Samba

Installation:
yum install samba -y

Configuration:
Copy the Samba schema file into the OpenLDAP schema directory:
cp /usr/share/doc/samba-3.0.33/LDAP/samba.schema /etc/openldap/schema/

Edit the file /etc/samba/smb.conf with the following content:
[global]
        unix charset = iso8859-1
        workgroup = UNIX
        netbios name = ldap
        server string =  Servidor Samba
        security = user
        log file = /var/log/samba/%m.log
        max log size = 50
        large readwrite = No
        os level = 255
        dns proxy = No
        wins support = Yes
        cups options = raw
        hide unreadable = Yes
        local master = yes
        domain master = yes
        preferred master = yes
        domain logons = yes
        logon script = login.bat
        logon home =
        logon path =
        ldap passwd sync = Yes
        ldap delete dn = Yes
        passdb backend = ldapsam:ldap://192.168.192.99
        ldap admin dn = cn=Manager,dc=unix,dc=com,dc=br
        ldap suffix = dc=unix,dc=com,dc=br
        ldap group suffix = ou=Groups
        # must be the ou created in base.ldif and used as usersdn in smbldap.conf
        ldap user suffix = ou=People
        ldap machine suffix = ou=Computers
        ldap idmap suffix = ou=Idmap
        ldap ssl = No
        idmap backend = ldap:ldap://192.168.192.99
        idmap uid = 10000-30000
        idmap gid = 10000-20000
        template shell = /bin/bash
        passwd program = /usr/bin/passwd %u
        passwd chat = *New*password* %n *Retype*new*password* %n
        socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        add machine script = /usr/sbin/smbldap-useradd -w "%u"
        add user script = /usr/sbin/smbldap-useradd -m "%u"
        delete user script = /usr/sbin/smbldap-userdel "%u"
        add group script = /usr/sbin/smbldap-groupadd -p "%g"
        delete group script = /usr/sbin/smbldap-groupdel "%g"
        add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
        delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
        set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
        admin users = root, diego
[netlogon]
         comment = netlogon
         path = /home/netlogon
         browseable = no
         read only = no
[geral]
         comment = Repositorio de arquivos
         path = /home/geral
         browseable = no
         read only = no

Start ldap and samba (use restart if they are already running):
/etc/init.d/ldap start
/etc/init.d/smb start

Give Samba the password of the OpenLDAP Manager account:
smbpasswd -W

Smbldap-tools

Edit the file /etc/smbldap-tools/smbldap.conf with the following content:
SID="S-1-5-21-89540379-3084631337-4070857065"
sambaDomain="UNIX"
slaveLDAP="127.0.0.1"
slavePort="389"
masterLDAP="127.0.0.1"
masterPort="389"
ldapTLS="0"
verify=""
cafile=""
clientcert=""
clientkey=""
suffix="dc=unix,dc=com,dc=br"
usersdn="ou=People,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=Idmap,${suffix}"
sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
scope="sub"
hash_encrypt="SSHA"
crypt_salt_format="%s"
userLoginShell="/bin/false"
userHome="/home/%U"
userHomeDirectoryMode="700"
userGecos="System User"
defaultUserGid="513"
defaultComputerGid="515"
skeletonDIR="/etc/skel"
defaultMaxPasswordAge="45"
userSmbHome=""
userProfile=""
userHomeDrive="H:"
mailDomain="mail.unix.com.br"
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"
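Samba (smb.conf), smbldap-tools (smbldap.conf) and the LDIF files all name the same containers independently, and a mismatch such as ldap user suffix = ou=Users beside usersdn="ou=People,${suffix}" only shows up later as failed user creation or lookups. The script below is an added example, not part of the original post or of smbldap-tools: it resolves every container DN each file refers to and reports the ones the LDIF never creates. The inputs are constructed copies of the relevant lines of the post's files, with the ou=Users / ou=People mismatch kept deliberately so the check has something to find; the function names are hypothetical.

```python
import re
from typing import Dict, List, Set

# Constructed inputs mirroring the post's base.ldif + nextuid.ldif, smb.conf and smbldap.conf.
# The smb.conf fragment keeps 'ldap user suffix = ou=Users' while smbldap.conf uses ou=People.
LDIF = """\
dn: dc=unix,dc=com,dc=br
dc: unix
objectClass: domain

dn: ou=People,dc=unix,dc=com,dc=br
ou: People
objectClass: organizationalUnit

dn: ou=Groups,dc=unix,dc=com,dc=br
ou: Groups
objectClass: organizationalUnit

dn: ou=Computers,dc=unix,dc=com,dc=br
ou: Computers
objectClass: organizationalUnit

dn: ou=Idmap,dc=unix,dc=com,dc=br
ou: Idmap
objectClass: organizationalUnit

dn: cn=NextFreeUnixId,dc=unix,dc=com,dc=br
objectClass: sambaUnixIdPool
cn: NextFreeUnixId
"""

SMB_CONF = """\
[global]
        ldap admin dn = cn=Manager,dc=unix,dc=com,dc=br
        ldap suffix = dc=unix,dc=com,dc=br
        ldap group suffix = ou=Groups
        ldap user suffix = ou=Users
        ldap machine suffix = ou=Computers
        ldap idmap suffix = ou=Idmap
"""

SMBLDAP_CONF = """\
suffix="dc=unix,dc=com,dc=br"
usersdn="ou=People,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=Idmap,${suffix}"
sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
"""


def normalize_dn(dn: str) -> str:
    """Lower-case and strip spaces around commas so 'ou=People, dc=x' equals 'ou=people,dc=x'."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def ldif_dns(text: str) -> Set[str]:
    """Collect every 'dn:' line of an LDIF file as a normalized DN."""
    return {normalize_dn(line[3:]) for line in text.splitlines() if line.lower().startswith("dn:")}


def smb_conf_dns(text: str) -> Dict[str, str]:
    """Resolve each 'ldap <kind> suffix' in smb.conf to a full DN under 'ldap suffix'."""
    params = {}
    for line in text.splitlines():
        m = re.match(r"\s*(ldap(?: \w+)? suffix)\s*=\s*(.+?)\s*$", line, re.IGNORECASE)
        if m:
            params[m.group(1).lower()] = m.group(2)
    base = params.pop("ldap suffix")  # the relative suffixes are appended to this one
    return {name: normalize_dn(f"{rdn},{base}") for name, rdn in params.items()}


def smbldap_conf_dns(text: str) -> Dict[str, str]:
    """Resolve every *dn="..." setting in smbldap.conf, expanding ${suffix}."""
    values = {}
    for line in text.splitlines():
        m = re.match(r'\s*(\w+)\s*=\s*"([^"]*)"', line)
        if m:
            values[m.group(1)] = m.group(2)
    base = values["suffix"]
    return {name: normalize_dn(v.replace("${suffix}", base))
            for name, v in values.items() if name.lower().endswith("dn")}


def find_missing_containers(ldif: str, smb_conf: str, smbldap_conf: str) -> List[str]:
    """Report every container DN that Samba or smbldap-tools expect but the LDIF never creates."""
    existing = ldif_dns(ldif)
    problems = []
    for source, resolved in (("smb.conf", smb_conf_dns(smb_conf)),
                             ("smbldap.conf", smbldap_conf_dns(smbldap_conf))):
        for name, dn in resolved.items():
            if dn not in existing:
                problems.append(f"{source}: {name} -> {dn} is not created by the LDIF")
    return problems


if __name__ == "__main__":
    for problem in find_missing_containers(LDIF, SMB_CONF, SMBLDAP_CONF):
        print(problem)
```

Run against real files, the same functions take the contents of base.ldif plus nextuid.ldif, /etc/samba/smb.conf and /etc/smbldap-tools/smbldap.conf; an empty result means every container the two tools will write to actually exists in the directory.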

View the Samba SID with the following command:
net getlocalsid

Edit the file /etc/smbldap-tools/smbldap_bind.conf with the following content:
slaveDN="cn=Manager,dc=unix,dc=com,dc=br"
slavePw="admin"
masterDN="cn=Manager,dc=unix,dc=com,dc=br"
masterPw="admin"

Restrict /etc/smbldap-tools/smbldap_bind.conf to read and write by root only:
chmod 600 /etc/smbldap-tools/smbldap_bind.conf

Create the file nextuid.ldif, which holds the next available uid, with the following content:
dn: cn=NextFreeUnixId,dc=unix,dc=com,dc=br
objectClass: inetOrgPerson
objectClass: sambaUnixIdPool
uidNumber: 1000
gidNumber: 1000
cn: NextFreeUnixId
sn: NextFreeUnixId

Add the uid pool entry to the directory with the following command:
ldapadd -x -D cn=Manager,dc=unix,dc=com,dc=br -W -f nextuid.ldif

Populate the directory with the command:
smbldap-populate
