Smbldap-tools. User Manual.
8. Appendices.
8.1 Sample configuration files
8.1.1 The file /etc/smbldap-tools/smbldap.conf
# $Source: $
# $Id: smbldap.conf,v 1.18 2005/05/27 14:28:47 jtournier Exp $
#
# smbldap-tools.conf : Q & D configuration file for smbldap-tools

# This code was developped by IDEALX (http://IDEALX.org/) and
# contributors (their names can be found in the CONTRIBUTORS file).
#
# Copyright (C) 2001-2002 IDEALX
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307,
# USA.

# Purpose :
#       . be the configuration file for all smbldap-tools scripts

##############################################################################
#
# General Configuration
#
##############################################################################

# Put your own SID. To obtain this number do: "net getlocalsid".
# If not defined, parameter is taking from "net getlocalsid" return
SID="S-1-5-21-2252255531-4061614174-2474224977"

# Domain name the Samba server is in charged.
# If not defined, parameter is taking from smb.conf configuration file
# Ex: sambaDomain="IDEALX-NT"
sambaDomain="DOMSMB"

##############################################################################
#
# LDAP Configuration
#
##############################################################################

# Notes: to use to dual ldap servers backend for Samba, you must patch
# Samba with the dual-head patch from IDEALX. If not using this patch
# just use the same server for slaveLDAP and masterLDAP.
# Those two servers declarations can also be used when you have
# . one master LDAP server where all writing operations must be done
# . one slave LDAP server where all reading operations must be done
#   (typically a replication directory)

# Slave LDAP server
# Ex: slaveLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
slaveLDAP="ldap.iallanis.info"

# Slave LDAP port
# If not defined, parameter is set to "389"
slavePort="389"

# Master LDAP server: needed for write operations
# Ex: masterLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
masterLDAP="ldap.iallanis.info"

# Master LDAP port
# If not defined, parameter is set to "389"
#masterPort="389"
masterPort="389"

# Use TLS for LDAP
# If set to 1, this option will use start_tls for connection
# (you should also used the port 389)
# If not defined, parameter is set to "0"
ldapTLS="1"

# Use SSL for LDAP
# If set to 1, this option will use SSL for connection
# (standard port for ldaps is 636)
# If not defined, parameter is set to "0"
ldapSSL="0"

# How to verify the server's certificate (none, optional or require)
# see "man Net::LDAP" in start_tls section for more details
verify="require"

# CA certificate
# see "man Net::LDAP" in start_tls section for more details
cafile="/etc/smbldap-tools/ca.pem"

# certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientcert="/etc/smbldap-tools/smbldap-tools.iallanis.info.pem"

# key certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientkey="/etc/smbldap-tools/smbldap-tools.iallanis.info.key"

# LDAP Suffix
# Ex: suffix=dc=IDEALX,dc=ORG
suffix="dc=iallanis,dc=info"

# Where are stored Users
# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for usersdn
usersdn="ou=Users,${suffix}"

# Where are stored Computers
# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for computersdn
computersdn="ou=Computers,${suffix}"

# Where are stored Groups
# Ex: groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for groupsdn
groupsdn="ou=Groups,${suffix}"

# Where are stored Idmap entries (used if samba is a domain member server)
# Ex: groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for idmapdn
idmapdn="ou=Idmap,${suffix}"

# Where to store next uidNumber and gidNumber available for new users and groups
# If not defined, entries are stored in sambaDomainName object.
# Ex: sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
# Ex: sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"

# Default scope Used
scope="sub"

# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
hash_encrypt="SSHA"

# if hash_encrypt is set to CRYPT, you may set a salt format.
# default is "%s", but many systems will generate MD5 hashed
# passwords if you use "$1$%.8s". This parameter is optional!
crypt_salt_format="%s"

##############################################################################
#
# Unix Accounts Configuration
#
##############################################################################

# Login defs
# Default Login Shell
# Ex: userLoginShell="/bin/bash"
userLoginShell="/bin/bash"

# Home directory
# Ex: userHome="/home/%U"
userHome="/home/%U"

# Default mode used for user homeDirectory
userHomeDirectoryMode="700"

# Gecos
userGecos="System User"

# Default User (POSIX and Samba) GID
defaultUserGid="513"

# Default Computer (Samba) GID
defaultComputerGid="515"

# Skel dir
skeletonDir="/etc/skel"

# Default password validation time (time in days) Comment the next line if
# you don't want password to be enable for defaultMaxPasswordAge days (be
# careful to the sambaPwdMustChange attribute's value)
defaultMaxPasswordAge="45"

##############################################################################
#
# SAMBA Configuration
#
##############################################################################

# The UNC path to home drives location (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon home'
# directive and/or disable roaming profiles
# Ex: userSmbHome="\\PDC-SMB3\%U"
userSmbHome="\\PDC-SRV\%U"

# The UNC path to profiles locations (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon path'
# directive and/or disable roaming profiles
# Ex: userProfile="\\PDC-SMB3\profiles\%U"
userProfile="\\PDC-SRV\profiles\%U"

# The default Home Drive Letter mapping
# (will be automatically mapped at logon time if home directory exist)
# Ex: userHomeDrive="H:"
userHomeDrive="H:"

# The default user netlogon script name (%U username substitution)
# if not used, will be automatically username.cmd
# make sure script file is edited under dos
# Ex: userScript="startup.cmd" # make sure script file is edited under dos
userScript="logon.bat"

# Domain appended to the users "mail"-attribute
# when smbldap-useradd -M is used
# Ex: mailDomain="idealx.com"
mailDomain="iallanis.info"

##############################################################################
#
# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
#
##############################################################################

# Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but
# prefer Crypt::SmbHash library
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"

# Allows not to use slappasswd (if with_slappasswd == 0 in smbldap_conf.pm)
# but prefer Crypt:: libraries
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"

# comment out the following line to get rid of the default banner
# no_banner="1"
8.1.2 The file /etc/smbldap-tools/smbldap_bind.conf
############################
# Credential Configuration #
############################
# Notes: you can specify two differents configuration if you use a
# master ldap for writing access and a slave ldap server for reading access
# By default, we will use the same DN (so it will work for standard Samba
# release)
slaveDN="cn=Manager,dc=iallanis,dc=info"
slavePw="secret"
masterDN="cn=Manager,dc=iallanis,dc=info"
masterPw="secret"

Both passwords are stored in clear text, and in this example the bind DN is the directory manager (in the slapd.conf below, cn=Manager is the rootdn, which bypasses every access control). The file therefore has to be readable by root only (mode 0600), and the sample value "secret" must be replaced. Section 8.2 shows how to replace the rootdn with a dedicated, less privileged account.
8.1.3 The file /etc/samba/smb.conf
# Global parameters
[global]
    workgroup = DOMSMB
    netbios name = PDC-SRV
    security = user
    enable privileges = yes
    #interfaces = 192.168.5.11
    #username map = /etc/samba/smbusers
    server string = Samba Server %v
    #security = ads
    encrypt passwords = Yes
    min passwd length = 3
    #pam password change = no
    #obey pam restrictions = No

    # method 1:
    #unix password sync = no
    #ldap passwd sync = yes

    # method 2:
    unix password sync = yes
    ldap passwd sync = no
    passwd program = /usr/sbin/smbldap-passwd -u "%u"
    passwd chat = "Changing *\nNew password*" %n\n "*Retype new password*" %n\n"

    log level = 0
    syslog = 0
    log file = /var/log/samba/log.%U
    max log size = 100000
    time server = Yes
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    mangling method = hash2
    Dos charset = 850
    Unix charset = ISO8859-1

    logon script = logon.bat
    logon drive = H:
    logon home =
    logon path =

    domain logons = Yes
    domain master = Yes
    os level = 65
    preferred master = Yes
    wins support = yes
    # passdb backend = ldapsam:"ldap://ldap1.company.com ldap://ldap2.company.com"
    passdb backend = ldapsam:ldap://127.0.0.1/
    ldap admin dn = cn=Manager,dc=company,dc=com
    #ldap admin dn = cn=samba,ou=DSA,dc=company,dc=com
    ldap suffix = dc=company,dc=com
    ldap group suffix = ou=Groups
    ldap user suffix = ou=Users
    ldap machine suffix = ou=Computers
    #ldap idmap suffix = ou=Idmap
    add user script = /usr/sbin/smbldap-useradd -m "%u"
    #ldap delete dn = Yes
    delete user script = /usr/sbin/smbldap-userdel "%u"
    add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
    add group script = /usr/sbin/smbldap-groupadd -p "%g"
    #delete group script = /usr/sbin/smbldap-groupdel "%g"
    add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
    delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
    set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'

    # printers configuration
    #printer admin = @"Print Operators"
    load printers = Yes
    create mask = 0640
    directory mask = 0750
    #force create mode = 0640
    #force directory mode = 0750
    nt acl support = No
    printing = cups
    printcap name = cups
    deadtime = 10
    guest account = nobody
    map to guest = Bad User
    dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
    show add printer wizard = yes
    # to maintain capital letters in shortcuts in any of the profile folders:
    preserve case = yes
    short preserve case = yes
    case sensitive = no

[netlogon]
    path = /home/netlogon/
    browseable = No
    read only = yes

[profiles]
    path = /home/profiles
    read only = no
    create mask = 0600
    directory mask = 0700
    browseable = No
    guest ok = Yes
    profile acls = yes
    csc policy = disable
    # next line is a great way to secure the profiles
    #force user = %U
    # next line allows administrator to access all profiles
    #valid users = %U "Domain Admins"

[printers]
    comment = Network Printers
    #printer admin = @"Print Operators"
    guest ok = yes
    printable = yes
    path = /home/spool/
    browseable = No
    read only = Yes
    printable = Yes
    print command = /usr/bin/lpr -P%p -r %s
    lpq command = /usr/bin/lpq -P%p
    lprm command = /usr/bin/lprm -P%p %j
    # print command = /usr/bin/lpr -U%U@%M -P%p -r %s
    # lpq command = /usr/bin/lpq -U%U@%M -P%p
    # lprm command = /usr/bin/lprm -U%U@%M -P%p %j
    # lppause command = /usr/sbin/lpc -U%U@%M hold %p %j
    # lpresume command = /usr/sbin/lpc -U%U@%M release %p %j
    # queuepause command = /usr/sbin/lpc -U%U@%M stop %p
    # queueresume command = /usr/sbin/lpc -U%U@%M start %p

[print$]
    path = /home/printers
    guest ok = No
    browseable = Yes
    read only = Yes
    valid users = @"Print Operators"
    write list = @"Print Operators"
    create mask = 0664
    directory mask = 0775

[public]
    path = /tmp
    guest ok = yes
    browseable = Yes
    writable = yes

A few things to notice before reusing this file. The LDAP suffix and admin DN here (dc=company,dc=com) differ from the ones in smbldap.conf and smbldap_bind.conf above (dc=iallanis,dc=info); the samples come from different hosts, and in a real deployment all three files must name the same suffix and, unless Samba and the scripts deliberately bind as different accounts, the same bind DN. `min passwd length = 3` is far too short for a domain password. The [public] share exports /tmp writable to guests and [profiles] has `guest ok = Yes`; both are lab conveniences, not production settings. `printable = yes` appears twice in [printers]; the duplicate is harmless.
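The three files above have to agree with each other, and the appendix versions do not: the smbldap-tools files use dc=iallanis,dc=info while smb.conf uses dc=company,dc=com. The script below is an added example, not part of smbldap-tools, that parses the two file formats (the KEY="value" form with ${suffix} expansion, and the smb.conf [global] section) and checks the cross-file invariants a reviewer looks at: every DN under the suffix, the same suffix and bind DN in smb.conf, one transport setting with certificate verification, a non-default bind password, and a sane `min passwd length`. The embedded inputs are constructed excerpts of the files above, and the `run()` wrapper and finding texts are this example's own.

```python
"""Cross-file consistency lint for smbldap.conf, smbldap_bind.conf and smb.conf.

Added example, not part of smbldap-tools. The three samples below are
constructed excerpts of the appendix files; the checks are the ones a
reviewer applies before trusting the deployment.
"""
import re

SMBLDAP_CONF = '''
# excerpt of /etc/smbldap-tools/smbldap.conf (constructed)
sambaDomain="DOMSMB"
masterLDAP="ldap.iallanis.info"
masterPort="389"
ldapTLS="1"
ldapSSL="0"
verify="require"
cafile="/etc/smbldap-tools/ca.pem"
suffix="dc=iallanis,dc=info"
usersdn="ou=Users,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
'''

SMBLDAP_BIND_CONF = '''
masterDN="cn=Manager,dc=iallanis,dc=info"
masterPw="secret"
'''

SMB_CONF = '''
[global]
    workgroup = DOMSMB
    min passwd length = 3
    passdb backend = ldapsam:ldap://127.0.0.1/
    ldap admin dn = cn=Manager,dc=company,dc=com
    ldap suffix = dc=company,dc=com
[netlogon]
    path = /home/netlogon/
'''


def parse_smbldap(text):
    """KEY="value" lines; a value may reference an earlier key as ${KEY},
    which is expanded here the way usersdn and friends rely on."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = re.match(r'(\w+)\s*=\s*"?([^"]*)"?$', line)
        if m:
            key, val = m.groups()
            conf[key] = re.sub(r'\$\{(\w+)\}', lambda mm: conf.get(mm.group(1), ''), val)
    return conf


def parse_smb_global(text):
    """[global] parameters of smb.conf, keys lower-cased (smb.conf is case-insensitive)."""
    params, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in '#;':
            continue
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1].lower()
        elif section == 'global' and '=' in line:
            key, val = line.split('=', 1)
            params[key.strip().lower()] = val.strip()
    return params


def lint(smbldap, bind, smb):
    """Return a list of findings; an empty list means the three files agree."""
    findings = []
    suffix = smbldap.get('suffix', '').lower()
    for key in ('usersdn', 'groupsdn', 'computersdn'):
        if not smbldap.get(key, '').lower().endswith(suffix):
            findings.append(f'{key} is not under suffix {suffix}')
    if smb.get('ldap suffix', '').lower() != suffix:
        findings.append('smb.conf "ldap suffix" differs from smbldap.conf suffix')
    if smb.get('ldap admin dn', '').lower() != bind.get('masterDN', '').lower():
        findings.append('smb.conf "ldap admin dn" differs from smbldap_bind.conf masterDN')
    tls, ssl = smbldap.get('ldapTLS') == '1', smbldap.get('ldapSSL') == '1'
    if tls and ssl:
        findings.append('ldapTLS and ldapSSL both set; use start_tls on 389 or ldaps on 636, not both')
    if tls and smbldap.get('verify') != 'require':
        findings.append('STARTTLS without verify="require" accepts any server certificate')
    if not (tls or ssl) and smbldap.get('masterLDAP', '127.0.0.1') not in ('127.0.0.1', 'localhost'):
        findings.append('bind password would cross the network in clear: enable ldapTLS or ldapSSL')
    if bind.get('masterPw', '') in ('', 'secret'):
        findings.append('masterPw is empty or still the sample value "secret"')
    if int(smb.get('min passwd length', '5')) < 8:   # Samba's default is 5
        findings.append('"min passwd length" is below 8')
    return findings


def run():
    """Lint the constructed excerpts; returns the four findings for the appendix files."""
    return lint(parse_smbldap(SMBLDAP_CONF),
                parse_smbldap(SMBLDAP_BIND_CONF),
                parse_smb_global(SMB_CONF))


if __name__ == '__main__':
    for finding in run():
        print('-', finding)
```

The functions take text, so running them against the live files is a matter of passing `open(path).read()` instead of the embedded samples; the suffix and DN comparisons are case-insensitive because LDAP DNs are.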
8.1.4 The OpenLDAP configuration file /etc/openldap/slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/samba.schema

schemacheck     on

# Allow LDAPv2 client connections.  This is NOT the default.
allow bind_v2

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

pidfile         /var/run/slapd.pid
argsfile        /var/run/slapd.args

# Load dynamic backend modules:
# modulepath    /usr/sbin/openldap
# moduleload    back_bdb.la
# moduleload    back_ldap.la
# moduleload    back_ldbm.la
# moduleload    back_passwd.la
# moduleload    back_shell.la

# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by changing to
# /usr/share/ssl/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it.  Your client software
# may balk at self-signed certificates, however.
#TLSCertificateFile /etc/openldap/ldap.company.com.pem
#TLSCertificateKeyFile /etc/openldap/ldap.company.com.key
#TLSCACertificateFile /etc/openldap/ca.pem
#TLSCipherSuite :SSLv3

# Sample security restrictions
#       Require integrity protection (prevent hijacking)
#       Require 112-bit (3DES or better) encryption for updates
#       Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#       Root DSE: allow anyone to read it
#       Subschema (sub)entry DSE: allow anyone to read it
#       Other DSEs:
#               Allow self write access
#               Allow authenticated users read access
#               Allow anonymous users to authenticate
#       Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#       by self write
#       by users read
#       by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database        bdb
suffix          "dc=company,dc=com"
rootdn          "cn=Manager,dc=company,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          secret
# rootpw                {crypt}ijFYNcSNctBYg

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /var/lib/ldap
lastmod         on

# Indices to maintain for this database
index objectClass                       eq,pres
index ou,cn,sn,mail,givenname           eq,pres,sub
index uidNumber,gidNumber,memberUid     eq,pres
index loginShell                        eq,pres
## required to support pdb_getsampwnam
index uid                               pres,sub,eq
## required to support pdb_getsambapwrid()
index displayName                       pres,sub,eq
index nisMapName,nisMapEntry            eq,pres,sub
index sambaSID                          eq
index sambaPrimaryGroupSID              eq
index sambaDomainName                   eq
index default                           sub

# users can authenticate and change their password
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdMustChange,sambaPwdLastSet
        by dn="cn=Manager,dc=company,dc=com" write
        by self write
        by anonymous auth
        by * none

# those 2 parameters must be world readable for password aging to work correctly
# (or use a priviledge account in /etc/ldap.conf to bind to the directory)
access to attrs=shadowLastChange,shadowMax
        by dn="cn=Manager,dc=company,dc=com" write
        by self write
        by * read

# all others attributes are readable to everybody
access to *
        by * read

# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
#       bindmethod=sasl saslmech=GSSAPI
#       authcId=host/ldap-master.example.com@EXAMPLE.COM

Three points matter for the rest of the manual. First, the TLS* directives are commented out, while smbldap.conf above sets ldapTLS="1" and verify="require": with that client configuration the scripts' start_tls call fails against a server that offers no certificate, so the certificate, key and CA lines have to be enabled (with a CA matching the cafile named in smbldap.conf) before the two halves work together; the commented `security ssf=...` line is the server-side way to refuse unprotected binds once TLS works. Second, `rootpw secret` is a cleartext rootdn password; the file's own comment says to replace it with a slappasswd(8) hash, and the file must not be world readable. Third, the final `access to * by * read` makes every attribute not covered by the two earlier clauses, including sambaSID, sambaAcctFlags and group membership, readable by anonymous clients, and `allow bind_v2` re-enables LDAPv2 binds that are off by default; section 8.2 gives a tighter access policy.
8.2 Changing the administrative account (ldap admin dn in smb.conf)
If you no longer want to use the account cn=Manager,dc=idealx,dc=com (in the slapd.conf above, cn=Manager is the rootdn, which bypasses every access control), you can create a dedicated account for the Samba server and the smbldap-tools scripts. To do so, create a user, here called samba, with the following command (see section 4.2.1 for the syntax):
# smbldap-useradd -s /bin/false -d /dev/null -P samba
After you enter this command you are prompted for the new user's password; in our example it is also samba. Since this account will be able to write every password hash in the directory (see the access list below), use a long random password in a real deployment.
Then change the following:

— the file /etc/smbldap-tools/smbldap_bind.conf:

slaveDN="uid=samba,ou=Users,dc=idealx,dc=com"
slavePw="samba"
masterDN="uid=samba,ou=Users,dc=idealx,dc=com"
masterPw="samba"
— the file /etc/samba/smb.conf, where the existing ldap admin dn line is replaced (the directive must be active, not commented out):

ldap admin dn = uid=samba,ou=Users,dc=idealx,dc=com
Do not forget to store this password in secrets.tdb afterwards, otherwise smbd cannot bind as the new DN:

# smbpasswd -w samba
— the file /etc/openldap/slapd.conf, where you should grant the samba user the following privileges:

# users can authenticate and change their password
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
        by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
        by self write
        by anonymous auth
        by * none

# some attributes need to be readable anonymously so that 'id user' can answer correctly
access to attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid
        by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
        by * read

# some attributes can be writable by users themselves
access to attrs=description,telephoneNumber
        by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
        by self write
        by * read

# some attributes need to be writable for samba
access to attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,
        sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,
        sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaSID,sambaGroupType,
        sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase
        by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
        by self read
        by * none

# samba need to be able to create the samba domain account
access to dn.base="dc=idealx,dc=com"
        by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
        by * none

# samba need to be able to create new users account
access to dn="ou=Users,dc=idealx,dc=com"
        by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
        by * none

# samba need to be able to create new groups account
access to dn="ou=Groups,dc=idealx,dc=com"
        by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
        by * none

# samba need to be able to create new computers account
access to dn="ou=Computers,dc=idealx,dc=com"
        by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
        by * none

# this can be omitted but we leave it: there could be other branch
# in the directory
access to *
        by self read
        by * none

Two things to keep in mind when adapting this list. slapd evaluates access directives in order and applies the first one whose target covers the attribute, so names that appear both in the first clause and in the "writable for samba" clause (sambaNTPassword, sambaLMPassword, sambaPwdLastSet, sambaPwdMustChange, cn, description) are governed by the earlier clause; in particular, `by self write` in the first clause lets every user rewrite its own sambaPwdMustChange and sambaPwdLastSet, the attributes that drive password aging. The three `dn=` targets carry no style qualifier; slapd.access(5) lists the available styles (base, one, subtree, children, regex), and writing one out makes it unambiguous whether the clause covers the ou entry itself or the accounts beneath it.
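To see what the policy above actually grants, and to compare it with the looser one in 8.1.4, here is an added example, not code from smbldap-tools or OpenLDAP, that applies slapd's two first-match rules (first clause whose target covers the attribute, then first matching "by" line inside it) to constructed excerpts of the two access lists. Only the subset of slapd.access(5) used on this page is modelled: attrs= and * targets, and self, users, anonymous, * and dn= subjects. The dn=-targeted clauses of this section are left out because their scope depends on the unspecified dn style, and the long attribute list of the fourth clause is shortened to the names needed here. The `weaknesses` checks and the 'user' subject (an authenticated user acting on someone else's entry) are this example's own.

```python
"""Static check of slapd access clauses.

Added example, not code from smbldap-tools or OpenLDAP. Models the subset of
slapd.access(5) used in the manual: targets "attrs=a,b,c" and "*"; subjects
"self", "users", "anonymous", "*" and dn="...". The first clause whose target
covers the attribute governs it; inside that clause the first matching "by"
line decides (an unmatched clause denies, as slapd's implicit "by * none").
"""
import re

LEVELS = ['none', 'disclose', 'auth', 'compare', 'search', 'read', 'write', 'manage']
SECRETS = ('userPassword', 'sambaNTPassword', 'sambaLMPassword')
AGING = ('sambaPwdMustChange', 'sambaPwdLastSet', 'shadowLastChange', 'shadowMax')

# Constructed excerpt of the section 8.2 policy (dn= clauses omitted, list shortened).
ACL_8_2 = """
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
    by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
    by self write
    by anonymous auth
    by * none
access to attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid
    by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
    by * read
access to attrs=description,telephoneNumber
    by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
    by self write
    by * read
access to attrs=sambaSID,sambaAcctFlags,sambaPrimaryGroupSID,sambaNTPassword
    by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
    by self read
    by * none
access to *
    by self read
    by * none
"""

# Constructed excerpt of the section 8.1.4 policy, which ends in a world-readable catch-all.
ACL_8_1_4 = """
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdMustChange,sambaPwdLastSet
    by dn="cn=Manager,dc=company,dc=com" write
    by self write
    by anonymous auth
    by * none
access to attrs=shadowLastChange,shadowMax
    by dn="cn=Manager,dc=company,dc=com" write
    by self write
    by * read
access to *
    by * read
"""

BY_RE = re.compile(r'by\s+(\S+)\s+(' + '|'.join(LEVELS) + r')$')


def parse_acl(text):
    """Return [(target, [(who, level), ...])]; target is None for '*' or a set of attrs."""
    clauses = []
    for chunk in re.split(r'^\s*access\s+to\s+', text, flags=re.M)[1:]:
        lines = [l.strip() for l in chunk.splitlines()
                 if l.strip() and not l.lstrip().startswith('#')]
        target, by = lines[0], []
        if target == '*':
            tgt = None
        elif target.startswith('attrs='):
            tgt = {a.strip().lower() for a in target[len('attrs='):].split(',')}
        else:
            raise ValueError('unsupported target: ' + target)
        for line in lines[1:]:
            m = BY_RE.match(line)
            if not m:
                raise ValueError('cannot parse: ' + line)
            by.append((m.group(1), m.group(2)))
        clauses.append((tgt, by))
    return clauses


def who_matches(who, subject):
    """subject: 'anonymous', 'self' (a user on its own entry), 'user'
    (an authenticated user on another entry) or a bound DN string."""
    if who == '*':
        return True
    if who == 'anonymous':
        return subject == 'anonymous'
    if who == 'users':
        return subject != 'anonymous'
    if who == 'self':
        return subject == 'self'
    if who.startswith('dn='):
        return subject.lower() == who[3:].strip('"').lower()
    raise ValueError('unsupported subject: ' + who)


def effective(clauses, attr, subject):
    """Access level `subject` gets on `attr` under `clauses`."""
    attr = attr.lower()
    for target, by in clauses:
        if target is None or attr in target:
            for who, level in by:
                if who_matches(who, subject):
                    return level
            return 'none'        # clause matched, no "by" line did: implicit "by * none"
    return 'none'                # no clause matched; both samples end with a catch-all


def at_least(level, wanted):
    return LEVELS.index(level) >= LEVELS.index(wanted)


def weaknesses(text):
    """Findings a reviewer would raise about the policy in `text`."""
    clauses = parse_acl(text)
    out = []
    for attr in SECRETS:
        for subject in ('anonymous', 'user'):
            if at_least(effective(clauses, attr, subject), 'read'):
                out.append(f'{attr} readable by {subject}')
    for attr in AGING:
        if at_least(effective(clauses, attr, 'self'), 'write'):
            out.append(f'{attr} writable by the user on its own entry')
    if at_least(effective(clauses, 'sambaSID', 'anonymous'), 'read'):
        out.append('sambaSID (and everything under "access to *") readable anonymously')
    return out


if __name__ == '__main__':
    for name, acl in (('8.2', ACL_8_2), ('8.1.4', ACL_8_1_4)):
        print(name, weaknesses(acl))
```

`weaknesses(ACL_8_2)` reports only the two aging attributes a user can write on its own entry; `weaknesses(ACL_8_1_4)` additionally reports shadowLastChange and shadowMax, and the anonymous read on sambaSID that the catch-all `access to * by * read` grants. The fourth 8.2 clause lists sambaNTPassword again, but `effective` shows it has no effect: the first clause already governs that attribute.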
The -B option of smbldap-useradd (user must change the password at next logon) does not work: when smbldap-passwd is run, the sambaPwdMustChange attribute is overwritten.