In the end I gave up on the Samba4 Active Directory + LDAP unified authentication setup and decided, for now, to integrate LDAP authentication with the Samba 3 series.
So, on with the installation.
Note that LDAP and PAM are assumed to already be working together.
See this entry for how to do that.
Also confirmed working with the Samba 2 series.
First, install smbldap-tools, samba and samba-doc.
# aptitude install samba samba-doc smbldap-tools
Unpack the Samba LDAP schema that ships with samba-doc.
# zcat /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz >/etc/ldap/schema/samba.schema
In /etc/ldap/slapd.conf, include the schema and adjust the access control for the password attributes (the sambaNTPassword and sambaLMPassword values are password-equivalent hashes, so they must not be readable by anyone but the entry's owner). The result, minus comments:
# grep ^[^#] slapd.conf
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/samba.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel none
modulepath /usr/lib/ldap
moduleload back_hdb
sizelimit 500
tool-threads 1
backend hdb
database hdb
suffix "dc=waterblue,dc=net"
rootdn "cn=admin,dc=waterblue,dc=net"
directory "/var/lib/ldap"
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
index objectClass eq,pres
index ou,cn,sn,mail,givenname eq,pres,sub
index uidNumber,gidNumber,memberUid eq,pres
index loginShell eq,pres
index uid pres,sub,eq
index displayName pres,sub,eq
index nisMapName,nisMapEntry eq,pres,sub
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
lastmod on
checkpoint 512 30
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdMustChange,sambaPwdLastSet
by anonymous auth
by self write
by * none
access to attrs=shadowLastChange,shadowMax
by self write
by * read
access to dn.base="" by * read
access to *
by * read
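Since slapd takes the first "access to" clause whose target matches and then the first matching "by" line within it, the order of the clauses above is what keeps the hashes private: if the catch-all "access to * by * read" came first, anonymous binds could read sambaNTPassword. The following is an added example (not part of the original post, and not OpenLDAP's own evaluator) that models only the subset of the ACL grammar used above and evaluates the config against a few requesters, including the mis-ordered variant; the ACL text is the post's own config embedded as constructed input.

```python
"""Evaluate the slapd.conf ACLs from the post with slapd's first-match rule.

Added example. Supports only the ACL forms that appear in the config:
    access to attrs=a,b,...  |  access to dn.base=""  |  access to *
        by anonymous|self|users|* <level>
Semantics modelled: the first matching "access to" clause wins; inside it the
first matching "by" wins; if a clause matches the target but no "by" matches,
the result is "none". Levels are ordered as in slapd.
"""
import re

# ACL section of /etc/ldap/slapd.conf from the post (constructed input).
SLAPD_ACL = """
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdMustChange,sambaPwdLastSet
    by anonymous auth
    by self write
    by * none
access to attrs=shadowLastChange,shadowMax
    by self write
    by * read
access to dn.base="" by * read
access to *
    by * read
"""

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def parse_acls(text):
    """Return [(target, [(who, level), ...]), ...] in file order."""
    acls = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("access to"):
            rest = line[len("access to"):].strip()
            # "by" clauses may sit on the same line, as for dn.base=""
            parts = re.split(r"\s+by\s+", rest)
            acls.append((parts[0].strip(), []))
            for clause in parts[1:]:
                who, level = clause.split()
                acls[-1][1].append((who, level))
        elif line.startswith("by "):
            who, level = line.split()[1:3]
            acls[-1][1].append((who, level))
    return acls


def target_matches(target, attr, root_dse=False):
    """Does this clause apply to the requested attribute?"""
    if target == "*":
        return True
    if target.startswith("attrs="):
        return attr in target[len("attrs="):].split(",")
    if target.startswith('dn.base=""'):
        return root_dse          # only the root DSE, not ordinary entries
    return False


def who_matches(who, requester):
    """requester is 'anonymous', 'self' (the entry's own DN) or 'users' (any other bound DN)."""
    if who == "*":
        return True
    if who == "users":
        return requester != "anonymous"
    return who == requester


def effective_access(acls, requester, attr):
    """slapd first-match evaluation; default is no access."""
    for target, bys in acls:
        if not target_matches(target, attr):
            continue
        for who, level in bys:
            if who_matches(who, requester):
                return level
        return "none"
    return "none"


def can_read(acls, requester, attr):
    return LEVELS.index(effective_access(acls, requester, attr)) >= LEVELS.index("read")


ACLS = parse_acls(SLAPD_ACL)
# Same clauses with the catch-all moved to the top: the hash becomes world-readable.
MISORDERED = [ACLS[-1]] + ACLS[:-1]

if __name__ == "__main__":
    for who in ("anonymous", "self", "users"):
        for attr in ("sambaNTPassword", "shadowMax", "uid"):
            print(f"{who:10} {attr:16} -> {effective_access(ACLS, who, attr)}")
    print("anonymous can read sambaNTPassword with catch-all first:",
          can_read(MISORDERED, "anonymous", "sambaNTPassword"))
```

The "self write" line is what lets a user change their own password through smbldap-passwd while the rootdn (which bypasses ACLs entirely) does the rest; "anonymous auth" allows binds without ever returning the attribute.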
Configure /etc/samba/smb.conf:
[global]
workgroup = WATERBLUE
netbios name = ms-09
security = user
enable privileges = yes
server string = Samba Server %v
encrypt passwords = true
min passwd length = 3
pam password change = yes
obey pam restrictions = yes
passwd program = /usr/sbin/smbldap-passwd -u "%u"
passwd chat = "Changing *\nNew password*" %n\n "*Retype new password*" %n\n
log level = 0
syslog = 0
log file = /var/log/samba/log.%U
max log size = 100000
time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
mangling method = hash2
Dos charset = CP932
Unix charset = UTF-8
display charset = UTF-8
domain logons = Yes
domain master = Yes
os level = 65
preferred master = Yes
passdb backend = ldapsam:ldap://127.0.0.1/
ldap admin dn = cn=admin,dc=waterblue,dc=net
ldap suffix = dc=waterblue,dc=net
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
add user script = /usr/sbin/smbldap-useradd -m "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
load printers = Yes
create mask = 0640
directory mask = 0750
nt acl support = No
printing = cups
printcap name = cups
deadtime = 10
guest account = nobody
map to guest = Bad User
dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
show add printer wizard = yes
preserve case = yes
short preserve case = yes
case sensitive = no
[netlogon]
path = /home/netlogon/
browseable = No
read only = yes
[profiles]
path = /home/profiles
read only = no
create mask = 0600
directory mask = 0700
browseable = No
guest ok = Yes
profile acls = yes
csc policy = disable
[printers]
comment = Network Printers
guest ok = yes
printable = yes
path = /home/spool/
browseable = No
read only = Yes
printable = Yes
print command = /usr/bin/lpr -P%p -r %s
lpq command = /usr/bin/lpq -P%p
lprm command = /usr/bin/lprm -P%p %j
[print$]
path = /home/printers
guest ok = No
browseable = Yes
read only = Yes
valid users = @"Print Operators"
write list = @"Print Operators"
create mask = 0664
directory mask = 0775
[public]
path = /tmp
guest ok = yes
browseable = Yes
writable = yes
To use a remote LDAP server, point the backend at it instead:
passdb backend = ldapsam:ldap://<address of the LDAP server>/
Over plain ldap:// to a non-loopback host the ldap admin dn bind password and the password hashes smbd reads travel in clear, so in that case use ldaps:// or set ldap ssl = start tls (with TLS configured on slapd). Two other settings above are fine for a lab but worth revisiting elsewhere: min passwd length = 3, and the guest-writable [public] share on /tmp.
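As an added check (not part of the original post, and not a Samba tool), the script below reads the [global] section of an smb.conf, extracts the ldapsam URI from passdb backend and the ldap ssl setting, and reports whether the bind to the directory would go over the network in clear. The two sample configs are constructed inputs; the hostname ldap.example.net is a placeholder. It handles the single-URI form of passdb backend used in the post, not a quoted list of several URIs.

```python
"""Report whether smbd's ldapsam connection is cleartext, TLS or local.

Added example. Rules applied (Samba 3):
    ldapi://   Unix socket, nothing on the wire
    ldaps://   TLS from the start
    ldap://    cleartext unless 'ldap ssl = start tls' upgrades it; harmless
               on loopback, a problem for a remote host
"""
import re
import sys
from urllib.parse import urlsplit

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample configs (ldap.example.net is a placeholder host).
SAMPLE_LOCAL = """[global]
   workgroup = WATERBLUE
   passdb backend = ldapsam:ldap://127.0.0.1/
[homes]
   read only = no
"""
SAMPLE_REMOTE = """[global]
   passdb backend = ldapsam:ldap://ldap.example.net/
"""


def parse_global(smb_conf):
    """Return {key: value} for [global]; keys lower-cased with single spaces."""
    params, section = {}, None
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # comment lines only
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).lower()
            continue
        if section == "global" and "=" in line:
            key, _, value = line.partition("=")
            params[" ".join(key.lower().split())] = value.strip()
    return params


def ldap_backends(passdb_backend):
    """Yield the URI of each ldapsam[_compat]:<uri> token in a passdb backend value."""
    for token in passdb_backend.split():
        name, _, arg = token.partition(":")
        if name in ("ldapsam", "ldapsam_compat") and arg:
            yield arg.strip('"')


def audit_passdb(smb_conf):
    """Return [(uri, verdict), ...] for every LDAP backend URI in the config."""
    g = parse_global(smb_conf)
    ldap_ssl = g.get("ldap ssl", "").lower()   # unset: Samba's default applies, not assumed here
    findings = []
    for uri in ldap_backends(g.get("passdb backend", "")):
        parts = urlsplit(uri)
        host = parts.hostname or ""
        if parts.scheme == "ldapi":
            verdict = "ok: local socket"
        elif parts.scheme == "ldaps":
            verdict = "ok: TLS (ldaps)"
        elif parts.scheme == "ldap":
            if host in LOOPBACK:
                verdict = "ok: cleartext on loopback only"
            elif ldap_ssl == "start tls":
                verdict = "ok: StartTLS requested (slapd must have TLS configured)"
            else:
                verdict = "WARN: cleartext ldap:// to remote host %s; bind password and hashes on the wire" % host
        else:
            verdict = "WARN: unrecognised scheme %r" % parts.scheme
        findings.append((uri, verdict))
    return findings


if __name__ == "__main__":
    # Usage: python audit_passdb.py /etc/samba/smb.conf   (or no argument for the samples)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            configs = [f.read()]
    else:
        configs = [SAMPLE_LOCAL, SAMPLE_REMOTE]
    for conf in configs:
        for uri, verdict in audit_passdb(conf):
            print(f"{uri:40} {verdict}")
```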
Store the password for the ldap admin dn (the LDAP rootdn here) in secrets.tdb. smbpasswd -W prompts for it; -w takes it on the command line, where it lands in the shell history and is visible in the process list while the command runs, so prefer -W:
# smbpasswd -W
or
# smbpasswd -w SOMEPASSWD
If you skip this, the log shows the errors below and you get the tragedy of smbd running but never binding to port 139.
It is so quiet that I lost several hours to it.
[2010/06/29 23:41:11, 0] passdb/secrets.c:fetch_ldap_pw(888)
fetch_ldap_pw: neither ldap secret retrieved!
[2010/06/29 23:41:11, 0] lib/smbldap.c:smbldap_connect_system(952)
ldap_connect_system: Failed to retrieve password from secrets.tdb
Configuring smbldap-tools
/etc/smbldap-tools/smbldap.conf
SID="S-1-5-21-3543083706-895038863-253071269"
sambaDomain="WATERBLUE"
slaveLDAP="127.0.0.1"
slavePort="389"
masterLDAP="127.0.0.1"
masterPort="389"
ldapTLS="0"
verify="require"
cafile="/etc/smbldap-tools/ca.pem"
clientcert="/etc/smbldap-tools/smbldap-tools.pem"
clientkey="/etc/smbldap-tools/smbldap-tools.key"
suffix="dc=waterblue,dc=net"
usersdn="ou=Users,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=Idmap,${suffix}"
sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
scope="sub"
hash_encrypt="SSHA"
crypt_salt_format="%s"
userLoginShell="/bin/bash"
userHome="/home/%U"
userHomeDirectoryMode="701"
userGecos="System User"
defaultUserGid="513"
defaultComputerGid="515"
skeletonDir="/etc/skel"
defaultMaxPasswordAge="45"
userSmbHome="\\ms-09\%U"
userProfile="\\ms-09\profiles\%U"
userHomeDrive="Z:"
userScript="logon.bat"
mailDomain="waterblue.net"
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"
rootdn "cn=admin,dc=waterblue,dc=net"
/etc/smbldap-tools/smbldap_bind.conf (this file holds the admin bind password in clear, so keep it readable by root only)
slaveDN="cn=admin,dc=waterblue,dc=net"
slavePw="SOMEPASSWD"
masterDN="cn=admin,dc=waterblue,dc=net"
masterPw="SOMEPASSWD"
The SID is obtained with the following command.
# net getlocalsid
Once the configuration is done, populate the directory with the domain entries (the OUs, the sambaDomainName entry, the default users and groups). Note that -k sets the uidNumber of the Administrator account, so -k 0 makes it root on the Unix side; check smbldap-populate -? for the options.
# smbldap-populate -k 0
Then build the indexes. slapindex has to run with slapd stopped, and as the openldap user so the database files do not end up owned by root.
# sudo -u openldap slapindex
That's it.
Phew, I'm tired.
There's a little more left, but that's for tomorrow.