Smbldap-tools. User Guide.
8. Appendices
8.1 Sample configuration files
8.1.1 The file /etc/smbldap-tools/smbldap.conf
# $Source: $
# $Id: smbldap.conf,v 1.18 2005/05/27 14:28:47 jtournier Exp $
#
# smbldap-tools.conf : Q & D configuration file for smbldap-tools

# This code was developed by IDEALX (http://IDEALX.org/) and
# contributors (their names can be found in the CONTRIBUTORS file).
#
# Copyright (C) 2001-2002 IDEALX
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
# USA.

# Purpose :
# . be the configuration file for all smbldap-tools scripts

##############################################################################
#
# General Configuration
#
##############################################################################

# Put your own SID. To obtain this number do: "net getlocalsid".
# If not defined, the parameter is taken from the output of "net getlocalsid"
SID="S-1-5-21-2252255531-4061614174-2474224977"

# Domain name the Samba server is in charge of.
# If not defined, the parameter is taken from the smb.conf configuration file
# Ex: sambaDomain="IDEALX-NT"
sambaDomain="DOMSMB"

##############################################################################
#
# LDAP Configuration
#
##############################################################################

# Notes: to use a dual LDAP server backend for Samba, you must patch
# Samba with the dual-head patch from IDEALX. If not using this patch,
# just use the same server for slaveLDAP and masterLDAP.
# These two server declarations can also be used when you have
# . one master LDAP server where all write operations must be done
# . one slave LDAP server where all read operations must be done
# (typically a replicated directory)

# Slave LDAP server
# Ex: slaveLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
slaveLDAP="ldap.iallanis.info"

# Slave LDAP port
# If not defined, parameter is set to "389"
slavePort="389"

# Master LDAP server: needed for write operations
# Ex: masterLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
masterLDAP="ldap.iallanis.info"

# Master LDAP port
# If not defined, parameter is set to "389"
masterPort="389"

# Use TLS for LDAP
# If set to 1, this option will use start_tls for the connection
# (you should also use port 389)
# If not defined, parameter is set to "0"
ldapTLS="1"

# Use SSL for LDAP
# If set to 1, this option will use SSL for the connection
# (standard port for ldaps is 636)
# If not defined, parameter is set to "0"
ldapSSL="0"

# How to verify the server's certificate (none, optional or require)
# see "man Net::LDAP" in start_tls section for more details
verify="require"

# CA certificate
# see "man Net::LDAP" in start_tls section for more details
cafile="/etc/smbldap-tools/ca.pem"

# certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientcert="/etc/smbldap-tools/smbldap-tools.iallanis.info.pem"

# private key matching clientcert, used to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientkey="/etc/smbldap-tools/smbldap-tools.iallanis.info.key"

# LDAP Suffix
# Ex: suffix=dc=IDEALX,dc=ORG
suffix="dc=iallanis,dc=info"

# Where users are stored
# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for usersdn
usersdn="ou=Users,${suffix}"

# Where computers are stored
# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for computersdn
computersdn="ou=Computers,${suffix}"

# Where groups are stored
# Ex: groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for groupsdn
groupsdn="ou=Groups,${suffix}"

# Where Idmap entries are stored (used if samba is a domain member server)
# Ex: idmapdn="ou=Idmap,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for idmapdn
idmapdn="ou=Idmap,${suffix}"

# Where to store the next uidNumber and gidNumber available for new users and groups
# If not defined, entries are stored in the sambaDomainName object.
# Ex: sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
# Ex: sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"

# Default scope used
scope="sub"

# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
hash_encrypt="SSHA"

# if hash_encrypt is set to CRYPT, you may set a salt format.
# default is "%s", but many systems will generate MD5 hashed
# passwords if you use "$1$%.8s". This parameter is optional!
crypt_salt_format="%s"

##############################################################################
#
# Unix Accounts Configuration
#
##############################################################################

# Login defs
# Default Login Shell
# Ex: userLoginShell="/bin/bash"
userLoginShell="/bin/bash"

# Home directory
# Ex: userHome="/home/%U"
userHome="/home/%U"

# Default mode used for user homeDirectory
userHomeDirectoryMode="700"

# Gecos
userGecos="System User"

# Default User (POSIX and Samba) GID
defaultUserGid="513"

# Default Computer (Samba) GID
defaultComputerGid="515"

# Skel dir
skeletonDir="/etc/skel"

# Default password validity time (in days). Comment the next line out if
# you do not want passwords to expire after defaultMaxPasswordAge days (be
# careful with the sambaPwdMustChange attribute's value)
defaultMaxPasswordAge="45"

##############################################################################
#
# SAMBA Configuration
#
##############################################################################

# The UNC path to home drives location (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon home'
# directive and/or disable roaming profiles
# Ex: userSmbHome="\\PDC-SMB3\%U"
userSmbHome="\\PDC-SRV\%U"

# The UNC path to profiles locations (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon path'
# directive and/or disable roaming profiles
# Ex: userProfile="\\PDC-SMB3\profiles\%U"
userProfile="\\PDC-SRV\profiles\%U"

# The default Home Drive Letter mapping
# (will be automatically mapped at logon time if the home directory exists)
# Ex: userHomeDrive="H:"
userHomeDrive="H:"

# The default user netlogon script name (%U username substitution)
# if not set, it will automatically be username.cmd
# make sure the script file is edited under DOS (CRLF line endings)
# Ex: userScript="startup.cmd"
userScript="logon.bat"

# Domain appended to the users "mail"-attribute
# when smbldap-useradd -M is used
# Ex: mailDomain="idealx.com"
mailDomain="iallanis.info"

##############################################################################
#
# SMBLDAP-TOOLS Configuration (defaults are ok for a RedHat)
#
##############################################################################

# Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but
# prefer the Crypt::SmbHash library
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"

# Allows not to use slappasswd (if with_slappasswd == 0 in smbldap_conf.pm)
# but prefer the Crypt:: libraries
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"

# uncomment the following line to get rid of the default banner
# no_banner="1"
8.1.2 The file /etc/smbldap-tools/smbldap_bind.conf
############################
# Credential Configuration #
############################
# Notes: you can specify two different configurations if you use a
# master ldap for writing access and a slave ldap server for reading access
# By default, we will use the same DN (so it will work for standard Samba
# release)
slaveDN="cn=Manager,dc=iallanis,dc=info"
slavePw="secret"
masterDN="cn=Manager,dc=iallanis,dc=info"
masterPw="secret"
8.1.3 The file /etc/samba/smb.conf
# Global parameters
[global]
    workgroup = DOMSMB
    netbios name = PDC-SRV
    security = user
    enable privileges = yes
    #interfaces = 192.168.5.11
    #username map = /etc/samba/smbusers
    server string = Samba Server %v
    #security = ads
    encrypt passwords = Yes
    min passwd length = 3
    #pam password change = no
    #obey pam restrictions = No

    # method 1:
    #unix password sync = no
    #ldap passwd sync = yes

    # method 2:
    unix password sync = yes
    ldap passwd sync = no
    passwd program = /usr/sbin/smbldap-passwd -u "%u"
    passwd chat = "Changing *\nNew password*" %n\n "*Retype new password*" %n\n

    log level = 0
    syslog = 0
    log file = /var/log/samba/log.%U
    max log size = 100000
    time server = Yes
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    mangling method = hash2
    Dos charset = 850
    Unix charset = ISO8859-1

    logon script = logon.bat
    logon drive = H:
    logon home =
    logon path =

    domain logons = Yes
    domain master = Yes
    os level = 65
    preferred master = Yes
    wins support = yes
    # passdb backend = ldapsam:"ldap://ldap1.company.com ldap://ldap2.company.com"
    passdb backend = ldapsam:ldap://127.0.0.1/
    ldap admin dn = cn=Manager,dc=company,dc=com
    #ldap admin dn = cn=samba,ou=DSA,dc=company,dc=com
    ldap suffix = dc=company,dc=com
    ldap group suffix = ou=Groups
    ldap user suffix = ou=Users
    ldap machine suffix = ou=Computers
    #ldap idmap suffix = ou=Idmap
    add user script = /usr/sbin/smbldap-useradd -m "%u"
    #ldap delete dn = Yes
    delete user script = /usr/sbin/smbldap-userdel "%u"
    add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
    add group script = /usr/sbin/smbldap-groupadd -p "%g"
    #delete group script = /usr/sbin/smbldap-groupdel "%g"
    add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
    delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
    set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'

    # printers configuration
    #printer admin = @"Print Operators"
    load printers = Yes
    create mask = 0640
    directory mask = 0750
    #force create mode = 0640
    #force directory mode = 0750
    nt acl support = No
    printing = cups
    printcap name = cups
    deadtime = 10
    guest account = nobody
    map to guest = Bad User
    dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
    show add printer wizard = yes
    # to maintain capital letters in shortcuts in any of the profile folders:
    preserve case = yes
    short preserve case = yes
    case sensitive = no

[netlogon]
    path = /home/netlogon/
    browseable = No
    read only = yes

[profiles]
    path = /home/profiles
    read only = no
    create mask = 0600
    directory mask = 0700
    browseable = No
    guest ok = Yes
    profile acls = yes
    csc policy = disable
    # next line is a great way to secure the profiles
    #force user = %U
    # next line allows administrator to access all profiles
    #valid users = %U "Domain Admins"

[printers]
    comment = Network Printers
    #printer admin = @"Print Operators"
    guest ok = yes
    printable = yes
    path = /home/spool/
    browseable = No
    read only = Yes
    print command = /usr/bin/lpr -P%p -r %s
    lpq command = /usr/bin/lpq -P%p
    lprm command = /usr/bin/lprm -P%p %j
    # print command = /usr/bin/lpr -U%U@%M -P%p -r %s
    # lpq command = /usr/bin/lpq -U%U@%M -P%p
    # lprm command = /usr/bin/lprm -U%U@%M -P%p %j
    # lppause command = /usr/sbin/lpc -U%U@%M hold %p %j
    # lpresume command = /usr/sbin/lpc -U%U@%M release %p %j
    # queuepause command = /usr/sbin/lpc -U%U@%M stop %p
    # queueresume command = /usr/sbin/lpc -U%U@%M start %p

[print$]
    path = /home/printers
    guest ok = No
    browseable = Yes
    read only = Yes
    valid users = @"Print Operators"
    write list = @"Print Operators"
    create mask = 0664
    directory mask = 0775

[public]
    path = /tmp
    guest ok = yes
    browseable = Yes
    writable = yes
8.1.4 The OpenLDAP configuration file /etc/openldap/slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema

schemacheck on

# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args

# Load dynamic backend modules:
# modulepath /usr/sbin/openldap
# moduleload back_bdb.la
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la

# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by changing to
# /usr/share/ssl/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it. Your client software
# may balk at self-signed certificates, however.
#TLSCertificateFile /etc/openldap/ldap.company.com.pem
#TLSCertificateKeyFile /etc/openldap/ldap.company.com.key
#TLSCACertificateFile /etc/openldap/ca.pem
#TLSCipherSuite :SSLv3

# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#     by self write
#     by users read
#     by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database bdb
suffix "dc=company,dc=com"
rootdn "cn=Manager,dc=company,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw secret
# rootpw {crypt}ijFYNcSNctBYg

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap
lastmod on

# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,sn,mail,givenname eq,pres,sub
index uidNumber,gidNumber,memberUid eq,pres
index loginShell eq,pres
## required to support pdb_getsampwnam
index uid pres,sub,eq
## required to support pdb_getsambapwrid()
index displayName pres,sub,eq
index nisMapName,nisMapEntry eq,pres,sub
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub


# users can authenticate and change their password
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdMustChange,sambaPwdLastSet
    by dn="cn=Manager,dc=company,dc=com" write
    by self write
    by anonymous auth
    by * none

# these 2 attributes must be world readable for password aging to work correctly
# (or use a privileged account in /etc/ldap.conf to bind to the directory)
access to attrs=shadowLastChange,shadowMax
    by dn="cn=Manager,dc=company,dc=com" write
    by self write
    by * read

# all other attributes are readable by everybody
access to *
    by * read

# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
#    bindmethod=sasl saslmech=GSSAPI
#    authcId=host/ldap-master.example.com@EXAMPLE.COM
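Two of the files above are long-lived credential stores: smbldap_bind.conf carries the directory bind passwords in cleartext (there is no hashed form for a client-side bind password), and the sample slapd.conf keeps `rootpw secret` despite its own comment recommending a slappasswd hash. The script below is an added example for this guide, not part of smbldap-tools, Samba or OpenLDAP; the function names and the `run` argument are its own, and the paths are the ones used in this appendix. It checks that each credential file is unreadable by group and other, and that every active rootpw in slapd.conf is a {SCHEME}-prefixed hash rather than a literal password.

```sh
#!/bin/sh
# Added example (not part of smbldap-tools, Samba or OpenLDAP): pre-flight
# checks for the credential-bearing files shown in this appendix.

# Return 0 if the file exists and has no group/other permission bits, 1 otherwise.
# ls(1) is used instead of stat(1) because stat's flags differ between GNU and BSD.
check_private_mode() {
    f="$1"
    if [ ! -e "$f" ]; then
        echo "missing: $f" >&2
        return 1
    fi
    bits=$(ls -ld "$f" | cut -c5-10)   # characters 5-10 are the group/other bits
    if [ "$bits" != "------" ]; then
        echo "group/other can access ($bits): $f" >&2
        return 1
    fi
    return 0
}

# Return 0 if every uncommented rootpw in a slapd.conf is a {SCHEME}hash as
# produced by slappasswd, 1 if any is cleartext like "rootpw secret".
check_hashed_rootpw() {
    f="$1"
    # print the value of each active rootpw directive; keep only values that
    # do not start with "{" (i.e. cleartext); grep -q succeeds if any remain
    if sed -n 's/^[[:space:]]*rootpw[[:space:]]\{1,\}//p' "$f" | grep -qv '^{'; then
        echo "cleartext rootpw in $f" >&2
        return 1
    fi
    return 0
}

# Run both checks over the locations used in this appendix.
check_all() {
    status=0
    for f in /etc/smbldap-tools/smbldap_bind.conf /etc/openldap/slapd.conf; do
        check_private_mode "$f" || status=1
    done
    check_hashed_rootpw /etc/openldap/slapd.conf || status=1
    return $status
}

# Usage: sh check-smbldap-secrets.sh run   (file name is this example's choice)
if [ "${1:-}" = "run" ]; then
    check_all
fi
```

secrets.tdb, where `smbpasswd -w` stores the ldap admin dn password, belongs in check_all as well; its location depends on the Samba build (the private directory), which this appendix does not name, so add the path for your installation.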
8.2 Changing the administrative account (ldap admin dn in smb.conf)
If you no longer want Samba and the scripts to bind as cn=Manager,dc=idealx,dc=com (the directory rootdn, which bypasses every ACL), you can create a dedicated account for the Samba server and the smbldap-tools scripts. To do so, create a user named, for example, samba with the following command (see section 4.2.1 for the command syntax):
# smbldap-useradd -s /bin/false -d /dev/null -P samba
After entering this command you will be prompted for the new user's password; in our example it is also samba.
Then change the following accordingly:
- the file /etc/smbldap-tools/smbldap_bind.conf:
slaveDN="uid=samba,ou=Users,dc=idealx,dc=com"
slavePw="samba"
masterDN="uid=samba,ou=Users,dc=idealx,dc=com"
masterPw="samba"
- the file /etc/samba/smb.conf:
ldap admin dn = uid=samba,ou=Users,dc=idealx,dc=com
Do not forget to store this password in secrets.tdb afterwards; Samba reads the ldap admin dn password from there, not from smb.conf:
# smbpasswd -w samba
- in /etc/openldap/slapd.conf you must grant the samba user the rights it needs. Unlike the rootdn, an ordinary entry is subject to the ACLs, so every attribute and branch that Samba and the scripts write must be listed explicitly, and the final "access to *" rule below replaces the world-readable default from the slapd.conf above:
# users can authenticate and change their password
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
    by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
    by self write
    by anonymous auth
    by * none
# some attributes need to be readable anonymously so that 'id user' can answer correctly
access to attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid
    by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
    by * read
# some attributes can be written by users themselves
access to attrs=description,telephoneNumber
    by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
    by self write
    by * read
# some attributes need to be writable for samba
access to attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaSID,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase
    by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
    by self read
    by * none
# samba needs to be able to create the samba domain account
access to dn.base="dc=idealx,dc=com"
    by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
    by * none
# samba needs to be able to create new user accounts
access to dn="ou=Users,dc=idealx,dc=com"
    by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
    by * none
# samba needs to be able to create new group accounts
access to dn="ou=Groups,dc=idealx,dc=com"
    by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
    by * none
# samba needs to be able to create new computer accounts
access to dn="ou=Computers,dc=idealx,dc=com"
    by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
    by * none
# this can be omitted but we leave it: there could be other branches
# in the directory
access to *
    by self read
    by * none
Note that the -B option of smbldap-useradd (force the user to change the password at next logon) does not work: when smbldap-passwd is called, the sambaPwdMustChange attribute is overwritten.

