結局Samba4のActive Directory+LDAPの統一認証機構は諦めて、ひとまずSamba3系でLDAP認証統合をしようと思った。
ということで、インストール開始。
なお、LDAPとPAMの連携はできているものとする。
やり方はこちらのエントリ参照。
samba2系でも動作確認。
まず、smbldap-toolsとsamba、samba-docをインストール
# aptitude install samba samba-doc smbldap-tools
LDAPのスキーマを展開する。
# zcat /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz >/etc/ldap/schema/samba.schema
/etc/ldap/slapd.confにスキーマの追加と属性へのアクセス制御を修正。
# grep ^[^#] slapd.conf include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/inetorgperson.schema include /etc/ldap/schema/nis.schema include /etc/ldap/schema/samba.schema pidfile /var/run/slapd/slapd.pid argsfile /var/run/slapd/slapd.args loglevel none modulepath /usr/lib/ldap moduleload back_hdb sizelimit 500 tool-threads 1 backend hdb database hdb suffix "dc=waterblue,dc=net" rootdn "cn=admin,dc=waterblue,dc=net" directory "/var/lib/ldap" dbconfig set_cachesize 0 2097152 0 dbconfig set_lk_max_objects 1500 dbconfig set_lk_max_locks 1500 dbconfig set_lk_max_lockers 1500 index objectClass eq,pres index ou,cn,sn,mail,givenname eq,pres,sub index uidNumber,gidNumber,memberUid eq,pres index loginShell eq,pres index uid pres,sub,eq index displayName pres,sub,eq index nisMapName,nisMapEntry eq,pres,sub index sambaSID eq index sambaPrimaryGroupSID eq index sambaDomainName eq index default sub lastmod on checkpoint 512 30 access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdMustChange,sambaPwdLastSet by anonymous auth by self write by * none access to attrs=shadowLastChange,shadowMax by self write by * read access to dn.base="" by * read access to * by * read
/etc/samba/smb.confを設定
[global] workgroup = WATERBLUE netbios name = ms-09 security = user enable privileges = yes server string = Samba Server %v encrypt passwords = true min passwd length = 3 pam password change = yes obey pam restrictions = yes passwd program = /usr/sbin/smbldap-passwd -u "%u" passwd chat = "Changing *\nNew password*" %n\n "*Retype new password*" %n\n" log level = 0 syslog = 0 log file = /var/log/samba/log.%U max log size = 100000 time server = Yes socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 mangling method = hash2 Dos charset = CP932 Unix charset = UTF-8 display charset = UTF-8 domain logons = Yes domain master = Yes os level = 65 preferred master = Yes passdb backend = ldapsam:ldap://127.0.0.1/ ldap admin dn = cn=admin,dc=waterblue,dc=net ldap suffix = dc=waterblue,dc=net ldap group suffix = ou=Groups ldap user suffix = ou=Users ldap machine suffix = ou=Computers add user script = /usr/sbin/smbldap-useradd -m "%u" delete user script = /usr/sbin/smbldap-userdel "%u" add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u" add group script = /usr/sbin/smbldap-groupadd -p "%g" add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g" delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g" set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u' load printers = Yes create mask = 0640 directory mask = 0750 nt acl support = No printing = cups printcap name = cups deadtime = 10 guest account = nobody map to guest = Bad User dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd show add printer wizard = yes preserve case = yes short preserve case = yes case sensitive = no [netlogon] path = /home/netlogon/ browseable = No read only = yes [profiles] path = /home/profiles read only = no create mask = 0600 directory mask = 0700 browseable = No guest ok = Yes profile acls = yes csc policy = disable [printers] comment = Network Printers guest ok = yes printable = yes path = /home/spool/ browseable = No read only = Yes printable = Yes print command = /usr/bin/lpr -P%p -r %s lpq command = /usr/bin/lpq -P%p lprm command = /usr/bin/lprm -P%p %j [print$] path = /home/printers guest ok = No browseable = Yes read only = Yes valid users = @"Print Operators" write list = @"Print Operators" create mask = 0664 directory mask = 0775 [public] path = /tmp guest ok = yes browseable = Yes writable = yes
リモートのldapサーバを利用する場合は、
passdb backend = ldapsam:ldap://LDAPサーバのアドレス/
とする。
ldapのrootdnのパスワードを設定する。
# smbpasswd -W
または
# smbpasswd -w SOMEPASSWD
これをしてないと以下のようなエラーログがでて、smbdが起動しているにもかかわらずポート139にバインドしてくれないっていう悲劇が起きる。
あまりにもこっそり過ぎて数時間はまった。
[2010/06/29 23:41:11, 0] passdb/secrets.c:fetch_ldap_pw(888)
fetch_ldap_pw: neither ldap secret retrieved!
[2010/06/29 23:41:11, 0] lib/smbldap.c:smbldap_connect_system(952)
ldap_connect_system: Failed to retrieve password from secrets.tdb
smbldap-toolsの設定
/etc/smbldap-tools/smbldap.conf
SID=”S-1-5-21-3543083706-895038863-253071269″
sambaDomain=”WATERBLUE”
slaveLDAP=”127.0.0.1″
slavePort=”389″
masterLDAP=”127.0.0.1″
masterPort=”389″
ldapTLS=”0″
verify=”require”
cafile=”/etc/smbldap-tools/ca.pem”
clientcert=”/etc/smbldap-tools/smbldap-tools.pem”
clientkey=”/etc/smbldap-tools/smbldap-tools.key”
suffix=”dc=waterblue,dc=net”
usersdn=”ou=Users,${suffix}”
computersdn=”ou=Computers,${suffix}”
groupsdn=”ou=Groups,${suffix}”
idmapdn=”ou=Idmap,${suffix}”
sambaUnixIdPooldn=”sambaDomainName=${sambaDomain},${suffix}”
scope=”sub”
hash_encrypt=”SSHA”
crypt_salt_format=”%s”
userLoginShell=”/bin/bash”
userHome=”/home/%U”
userHomeDirectoryMode=”701″
userGecos=”System User”
defaultUserGid=”513″
defaultComputerGid=”515″
skeletonDir=”/etc/skel”
defaultMaxPasswordAge=”45″
userSmbHome=”\\ms-09\%U”
userProfile=”\\ms-09\profiles\%U”
userHomeDrive=”Z:”
userScript=”logon.bat”
mailDomain=”waterblue.net”
with_smbpasswd=”0″
smbpasswd=”/usr/bin/smbpasswd”
with_slappasswd=”0″
slappasswd=”/usr/sbin/slappasswd”
rootdn “cn=admin,dc=waterblue,dc=net”
/etc/smbldap-tools/smbldap_bind.conf
slaveDN=”cn=admin,dc=waterblue,dc=net”
slavePw=”SOMEPASSWD”
masterDN=”cn=admin,dc=waterblue,dc=net”
masterPw=”SOMEPASSWD”
なお、SIDは以下のコマンドで取得。
# net getlocalsid
設定が完了したらsambaとldapの連携の実行
# smbldap-populate -k 0
んでもってindexの作成。
# sudo -u openldap slapindex
これで完了。
ふいー、ちかれた。
あともちっと残ってるけどそれは明日。
Previous 
Next 
Categories
Tag Cloud
Blog RSS
Comments RSS
Last 50 Posts
Back
Void 
Life 
Earth 
Wind 
Water 
Fire