
8. Приложения.

8.1 Примеры конфигурационных файлов

8.1.1 Файл /etc/smbldap-tools/smbldap.conf

1 # $Source: $
2 # $Id: smbldap.conf,v 1.18 2005/05/27 14:28:47 jtournier Exp $
3 #
4 # smbldap-tools.conf : Q & D configuration file for smbldap-tools
5
6 # This code was developed by IDEALX (http://IDEALX.org/) and
7 # contributors (their names can be found in the CONTRIBUTORS file).
8 #
9 # Copyright (C) 2001-2002 IDEALX
10 #
11 # This program is free software; you can redistribute it and/or
12 # modify it under the terms of the GNU General Public License
13 # as published by the Free Software Foundation; either version 2
14 # of the License, or (at your option) any later version.
15 #
16 # This program is distributed in the hope that it will be useful,
17 # but WITHOUT ANY WARRANTY; without even the implied warranty of
18 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 # GNU General Public License for more details.
20 #
21 # You should have received a copy of the GNU General Public License
22 # along with this program; if not, write to the Free Software
23 # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
24 # USA.
25
26 # Purpose :
27 # . be the configuration file for all smbldap-tools scripts
28
# NOTE(review): this file, smbldap_bind.conf (8.1.2), smb.conf (8.1.3) and
# slapd.conf (8.1.4) were captured from two different setups: this file uses
# dc=iallanis,dc=info and the host ldap.iallanis.info, while smb.conf and
# slapd.conf use dc=company,dc=com and ldap://127.0.0.1/. All four files must
# describe the same directory (suffix, server, domain name, bind DN) before
# the set can be used together.
29 ##############################################################################
30 #
31 # General Configuration
32 #
33 ##############################################################################
34
35 # Put your own SID. To obtain this number do: "net getlocalsid".
36 # If not defined, parameter is taken from "net getlocalsid" return
37 SID="S-1-5-21-2252255531-4061614174-2474224977"
38
39 # Domain name the Samba server is in charge of.
40 # If not defined, parameter is taken from smb.conf configuration file
41 # Ex: sambaDomain="IDEALX-NT"
# must equal 'workgroup' in smb.conf (8.1.3 also uses DOMSMB)
42 sambaDomain="DOMSMB"
43
44 ##############################################################################
45 #
46 # LDAP Configuration
47 #
48 ##############################################################################
49
50 # Notes: to use to dual ldap servers backend for Samba, you must patch
51 # Samba with the dual-head patch from IDEALX. If not using this patch
52 # just use the same server for slaveLDAP and masterLDAP.
53 # Those two servers declarations can also be used when you have
54 # . one master LDAP server where all writing operations must be done
55 # . one slave LDAP server where all reading operations must be done
56 # (typically a replication directory)
57
58 # Slave LDAP server
59 # Ex: slaveLDAP=127.0.0.1
60 # If not defined, parameter is set to "127.0.0.1"
# NOTE(review): a remote host (not loopback) is configured, so every bind and
# query crosses the network; keep ldapTLS="1" below, or use ldapSSL="1" with
# port 636. smb.conf (8.1.3) instead points Samba at ldap://127.0.0.1/ - both
# must reach the same directory.
61 slaveLDAP="ldap.iallanis.info"
62
63 # Slave LDAP port
64 # If not defined, parameter is set to "389"
65 slavePort="389"
66
67 # Master LDAP server: needed for write operations
68 # Ex: masterLDAP=127.0.0.1
69 # If not defined, parameter is set to "127.0.0.1"
70 masterLDAP="ldap.iallanis.info"
71
72 # Master LDAP port
73 # If not defined, parameter is set to "389"
74 #masterPort="389"
75 masterPort="389"
76
77 # Use TLS for LDAP
78 # If set to 1, this option will use start_tls for connection
79 # (you should also use the port 389)
80 # If not defined, parameter is set to "0"
# NOTE(review): with ldapTLS="1" and verify="require" the server must present
# a certificate that chains to 'cafile' below. The slapd.conf example in 8.1.4
# has its TLSCertificateFile/TLSCertificateKeyFile/TLSCACertificateFile
# directives commented out, so enable them there first - otherwise start_tls
# fails, and relaxing 'verify' instead would expose the bind password.
81 ldapTLS="1"
82
83 # Use SSL for LDAP
84 # If set to 1, this option will use SSL for connection
85 # (standard port for ldaps is 636)
86 # If not defined, parameter is set to "0"
87 ldapSSL="0"
88
89 # How to verify the server's certificate (none, optional or require)
90 # see "man Net::LDAP" in start_tls section for more details
# 'require' is the right choice: 'none' or 'optional' would accept any
# certificate and let an interposed host terminate the TLS session
91 verify="require"
92
93 # CA certificate
94 # see "man Net::LDAP" in start_tls section for more details
95 cafile="/etc/smbldap-tools/ca.pem"
96
97 # certificate to use to connect to the ldap server
98 # see "man Net::LDAP" in start_tls section for more details
99 clientcert="/etc/smbldap-tools/smbldap-tools.iallanis.info.pem"
100
101 # key certificate to use to connect to the ldap server
102 # see "man Net::LDAP" in start_tls section for more details
# NOTE(review): this is a private key; the file should be readable only by the
# account that runs the smbldap-tools scripts
103 clientkey="/etc/smbldap-tools/smbldap-tools.iallanis.info.key"
104
105 # LDAP Suffix
106 # Ex: suffix=dc=IDEALX,dc=ORG
# NOTE(review): must equal 'ldap suffix' in smb.conf and 'suffix' in
# slapd.conf; both examples in this appendix use dc=company,dc=com instead
107 suffix="dc=iallanis,dc=info"
108
109 # Where are stored Users
110 # Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
111 # Warning: if 'suffix' is not set here, you must set the full dn for usersdn
112 usersdn="ou=Users,${suffix}"
113
114 # Where are stored Computers
115 # Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
116 # Warning: if 'suffix' is not set here, you must set the full dn for computersdn
117 computersdn="ou=Computers,${suffix}"
118
119 # Where are stored Groups
120 # Ex: groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
121 # Warning: if 'suffix' is not set here, you must set the full dn for groupsdn
122 groupsdn="ou=Groups,${suffix}"
123
124 # Where are stored Idmap entries (used if samba is a domain member server)
125 # Ex: idmapdn="ou=Idmap,dc=IDEALX,dc=ORG"
126 # Warning: if 'suffix' is not set here, you must set the full dn for idmapdn
127 idmapdn="ou=Idmap,${suffix}"
128
129 # Where to store next uidNumber and gidNumber available for new users and groups
130 # If not defined, entries are stored in sambaDomainName object.
131 # Ex: sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
132 # Ex: sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
133 sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
134
135 # Default scope Used
136 scope="sub"
137
138 # Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
# SSHA (salted) is the sensible choice of the listed schemes; CLEARTEXT and
# the unsalted ones store userPassword in a form that is trivial to recover
139 hash_encrypt="SSHA"
140
141 # if hash_encrypt is set to CRYPT, you may set a salt format.
142 # default is "%s", but many systems will generate MD5 hashed
143 # passwords if you use "$1$%.8s". This parameter is optional!
144 crypt_salt_format="%s"
145
146 ##############################################################################
147 #
148 # Unix Accounts Configuration
149 #
150 ##############################################################################
151
152 # Login defs
153 # Default Login Shell
154 # Ex: userLoginShell="/bin/bash"
155 userLoginShell="/bin/bash"
156
157 # Home directory
158 # Ex: userHome="/home/%U"
159 userHome="/home/%U"
160
161 # Default mode used for user homeDirectory
162 userHomeDirectoryMode="700"
163
164 # Gecos
165 userGecos="System User"
166
167 # Default User (POSIX and Samba) GID
168 defaultUserGid="513"
169
170 # Default Computer (Samba) GID
171 defaultComputerGid="515"
172
173 # Skel dir
174 skeletonDir="/etc/skel"
175
176 # Default password validation time (time in days) Comment the next line if
177 # you don't want password to be enable for defaultMaxPasswordAge days (be
178 # careful to the sambaPwdMustChange attribute's value)
# NOTE(review): see 8.3 - smbldap-passwd rewrites sambaPwdMustChange, so the
# -B (must change at next logon) flag of smbldap-useradd cannot be relied on
179 defaultMaxPasswordAge="45"
180
181 ##############################################################################
182 #
183 # SAMBA Configuration
184 #
185 ##############################################################################
186
187 # The UNC path to home drives location (%U username substitution)
188 # Just set it to a null string if you want to use the smb.conf 'logon home'
189 # directive and/or disable roaming profiles
190 # Ex: userSmbHome="\\PDC-SMB3\%U"
# PDC-SRV must equal 'netbios name' in smb.conf (8.1.3)
191 userSmbHome="\\PDC-SRV\%U"
192
193 # The UNC path to profiles locations (%U username substitution)
194 # Just set it to a null string if you want to use the smb.conf 'logon path'
195 # directive and/or disable roaming profiles
196 # Ex: userProfile="\\PDC-SMB3\profiles\%U"
197 userProfile="\\PDC-SRV\profiles\%U"
198
199 # The default Home Drive Letter mapping
200 # (will be automatically mapped at logon time if home directory exist)
201 # Ex: userHomeDrive="H:"
202 userHomeDrive="H:"
203
204 # The default user netlogon script name (%U username substitution)
205 # if not used, will be automatically username.cmd
206 # make sure script file is edited under dos
207 # Ex: userScript="startup.cmd" # make sure script file is edited under dos
# this script is served from the [netlogon] share of smb.conf (8.1.3) and runs
# on every client at logon; that share is 'read only = yes', keep it that way
208 userScript="logon.bat"
209
210 # Domain appended to the users "mail"-attribute
211 # when smbldap-useradd -M is used
212 # Ex: mailDomain="idealx.com"
213 mailDomain="iallanis.info"
214
215 ##############################################################################
216 #
217 # SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
218 #
219 ##############################################################################
220
221 # Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but
222 # prefer Crypt::SmbHash library
223 with_smbpasswd="0"
224 smbpasswd="/usr/bin/smbpasswd"
225
226 # Allows not to use slappasswd (if with_slappasswd == 0 in smbldap_conf.pm)
227 # but prefer Crypt:: libraries
228 with_slappasswd="0"
229 slappasswd="/usr/sbin/slappasswd"
230
231 # uncomment the following line to get rid of the default banner
232 # no_banner="1"
233

8.1.2 Файл /etc/smbldap-tools/smbldap_bind.conf

1 ############################
2 # Credential Configuration #
3 ############################
# NOTE(review): this file holds cleartext bind passwords. With the DN pattern
# shown (cn=Manager,<suffix>) they are normally the password of the directory
# rootdn (compare 'rootdn' and 'rootpw' in slapd.conf, 8.1.4), i.e. full
# control over the directory. Keep the file readable only by the account that
# runs the smbldap-tools scripts (root-owned, mode 0600 or similar), replace
# "secret" with a real password, and prefer the dedicated, less privileged
# uid=samba account described in 8.2 over cn=Manager.
4 # Notes: you can specify two differents configuration if you use a
5 # master ldap for writing access and a slave ldap server for reading access
6 # By default, we will use the same DN (so it will work for standard Samba
7 # release)
8 slaveDN="cn=Manager,dc=iallanis,dc=info"
# when this DN is also smb.conf's 'ldap admin dn', the password must match the
# one stored in secrets.tdb with 'smbpasswd -w' (see 8.2)
9 slavePw="secret"
10 masterDN="cn=Manager,dc=iallanis,dc=info"
11 masterPw="secret"

8.1.3 Файл /etc/samba/smb.conf

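1 # Global parameters
# NOTE(review): Samba PDC example (8.1.3). The directory settings here
# (dc=company,dc=com, ldap://127.0.0.1/, cn=Manager) must agree with
# smbldap.conf (8.1.1), smbldap_bind.conf (8.1.2) and slapd.conf (8.1.4);
# in this appendix the smbldap-tools files come from a different setup
# (dc=iallanis,dc=info, ldap.iallanis.info). Two extraction artefacts were
# repaired below: typographic quotes in 'set primary group script' and a
# duplicated 'printable' key in [printers].
2 [global]
	# must equal sambaDomain in smbldap.conf (8.1.1)
3 	workgroup = DOMSMB
	# referenced by userSmbHome and userProfile in smbldap.conf (8.1.1)
4 	netbios name = PDC-SRV
5 	security = user
6 	enable privileges = yes
7 	#interfaces = 192.168.5.11
8 	#username map = /etc/samba/smbusers
9 	server string = Samba Server %v
10 	#security = ads
11 	encrypt passwords = Yes
	# NOTE(review): three characters is far too short for domain passwords;
	# raise this value (smb.conf(5) describes it as the minimum length smbd
	# accepts when a password is changed through it)
12 	min passwd length = 3
13 	#pam password change = no
14 	#obey pam restrictions = No
15
16 	# method 1:
17 	#unix password sync = no
18 	#ldap passwd sync = yes
19
20 	# method 2:
21 	unix password sync = yes
22 	ldap passwd sync = no
23 	passwd program = /usr/sbin/smbldap-passwd -u "%u"
	# NOTE(review): the trailing '"' on the next line looks unbalanced; check
	# the chat string against the prompts printed by smbldap-passwd before use
24 	passwd chat = "Changing *\nNew password*" %n\n "*Retype new password*" %n\n"
25
26 	log level = 0
27 	syslog = 0
28 	log file = /var/log/samba/log.%U
29 	max log size = 100000
30 	time server = Yes
31 	socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
32 	mangling method = hash2
33 	Dos charset = 850
34 	Unix charset = ISO8859-1
35
36 	logon script = logon.bat
37 	logon drive = H:
38 	logon home =
39 	logon path =
40
41 	domain logons = Yes
42 	domain master = Yes
43 	os level = 65
44 	preferred master = Yes
45 	wins support = yes
46 	# passdb backend = ldapsam:"ldap://ldap1.company.com ldap://ldap2.company.com"
	# NOTE(review): loopback without TLS is acceptable only while slapd runs on
	# this very host; smbldap.conf (8.1.1) instead reaches ldap.iallanis.info
	# with start_tls. If the directory is remote, use an ldaps:// URL or the
	# 'ldap ssl' parameter so the admin bind does not cross the network in clear
47 	passdb backend = ldapsam:ldap://127.0.0.1/
	# NOTE(review): this is the rootdn of slapd.conf (8.1.4), so secrets.tdb
	# ends up holding the directory root password; 8.2 shows how to switch to a
	# dedicated uid=samba account that only receives the ACLs it needs
48 	ldap admin dn = cn=Manager,dc=company,dc=com
49 	#ldap admin dn = cn=samba,ou=DSA,dc=company,dc=com
	# must equal 'suffix' in smbldap.conf (8.1.1)
50 	ldap suffix = dc=company,dc=com
51 	ldap group suffix = ou=Groups
52 	ldap user suffix = ou=Users
53 	ldap machine suffix = ou=Computers
54 	#ldap idmap suffix = ou=Idmap
55 	add user script = /usr/sbin/smbldap-useradd -m "%u"
56 	#ldap delete dn = Yes
57 	delete user script = /usr/sbin/smbldap-userdel "%u"
58 	add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
59 	add group script = /usr/sbin/smbldap-groupadd -p "%g"
60 	#delete group script = /usr/sbin/smbldap-groupdel "%g"
61 	add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
62 	delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
	# the captured text had typographic quotes (U+2019) here, which the shell
	# would pass through literally; plain ASCII ' is required
63 	set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
64
65 	# printers configuration
66 	#printer admin = @"Print Operators"
67 	load printers = Yes
68 	create mask = 0640
69 	directory mask = 0750
70 	#force create mode = 0640
71 	#force directory mode = 0750
72 	nt acl support = No
73 	printing = cups
74 	printcap name = cups
75 	deadtime = 10
76 	guest account = nobody
	# NOTE(review): unknown user names are mapped to the guest account, so every
	# share below with 'guest ok = yes' is reachable without any password
77 	map to guest = Bad User
78 	dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
79 	show add printer wizard = yes
80 	# to maintain capital letters in shortcuts in any of the profile folders:
81 	preserve case = yes
82 	short preserve case = yes
83 	case sensitive = no
84
85 [netlogon]
86 	path = /home/netlogon/
87 	browseable = No
	# keep this read-only: logon.bat from here runs on every client at logon
88 	read only = yes
89
90 [profiles]
91 	path = /home/profiles
92 	read only = no
93 	create mask = 0600
94 	directory mask = 0700
95 	browseable = No
	# NOTE(review): together with 'read only = no' this lets guest users write
	# into the profile tree; set it to No, or at least enable the 'valid users'
	# line at the end of this section
96 	guest ok = Yes
97 	profile acls = yes
98 	csc policy = disable
99 	# next line is a great way to secure the profiles
100 	#force user = %U
101 	# next line allows administrator to access all profiles
102 	#valid users = %U "Domain Admins"
103
104 [printers]
105 	comment = Network Printers
106 	#printer admin = @"Print Operators"
107 	guest ok = yes
108 	printable = yes
109 	path = /home/spool/
110 	browseable = No
111 	read only = Yes
	# (a second 'printable = Yes' that duplicated the key above was removed)
113 	print command = /usr/bin/lpr -P%p -r %s
114 	lpq command = /usr/bin/lpq -P%p
115 	lprm command = /usr/bin/lprm -P%p %j
116 	# print command = /usr/bin/lpr -U%U@%M -P%p -r %s
117 	# lpq command = /usr/bin/lpq -U%U@%M -P%p
118 	# lprm command = /usr/bin/lprm -U%U@%M -P%p %j
119 	# lppause command = /usr/sbin/lpc -U%U@%M hold %p %j
120 	# lpresume command = /usr/sbin/lpc -U%U@%M release %p %j
121 	# queuepause command = /usr/sbin/lpc -U%U@%M stop %p
122 	# queueresume command = /usr/sbin/lpc -U%U@%M start %p
123
124 [print$]
125 	path = /home/printers
126 	guest ok = No
127 	browseable = Yes
128 	read only = Yes
129 	valid users = @"Print Operators"
130 	write list = @"Print Operators"
131 	create mask = 0664
132 	directory mask = 0775
133
	# NOTE(review): a guest-writable share exported from /tmp lets any
	# unauthenticated client write arbitrary files into the system temp
	# directory; drop this share, or point it at a dedicated directory with
	# 'guest ok = no'
134 [public]
135 	path = /tmp
136 	guest ok = yes
137 	browseable = Yes
138 	writable = yes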

8.1.4 Конфигурационный файл OpenLDAP /etc/openldap/slapd.conf

1 #
2 # See slapd.conf(5) for details on configuration options.
3 # This file should NOT be world readable.
4 #
5 include /etc/openldap/schema/core.schema
6 include /etc/openldap/schema/cosine.schema
7 include /etc/openldap/schema/inetorgperson.schema
8 include /etc/openldap/schema/nis.schema
9 include /etc/openldap/schema/samba.schema
10
11 schemacheck on
12
13 # Allow LDAPv2 client connections. This is NOT the default.
# NOTE(review): only legacy clients need LDAPv2; Samba's ldapsam and the
# smbldap-tools (Net::LDAP) speak LDAPv3, so drop this unless a v2-only client
# actually exists
14 allow bind_v2
15
16 # Do not enable referrals until AFTER you have a working directory
17 # service AND an understanding of referrals.
18 #referral ldap://root.openldap.org
19
20 pidfile /var/run/slapd.pid
21 argsfile /var/run/slapd.args
22
23 # Load dynamic backend modules:
24 # modulepath /usr/sbin/openldap
25 # moduleload back_bdb.la
26 # moduleload back_ldap.la
27 # moduleload back_ldbm.la
28 # moduleload back_passwd.la
29 # moduleload back_shell.la
30
31 # The next three lines allow use of TLS for encrypting connections using a
32 # dummy test certificate which you can generate by changing to
33 # /usr/share/ssl/certs, running "make slapd.pem", and fixing permissions on
34 # slapd.pem so that the ldap user or group can read it. Your client software
35 # may balk at self-signed certificates, however.
36 #TLSCertificateFile /etc/openldap/ldap.company.com.pem
37 #TLSCertificateKeyFile /etc/openldap/ldap.company.com.key
38 #TLSCACertificateFile /etc/openldap/ca.pem
# NOTE(review): the TLS directives above are commented out, yet smbldap.conf
# (8.1.1) sets ldapTLS="1" with verify="require" and trusts
# /etc/smbldap-tools/ca.pem. Against this server that start_tls fails, and
# without TLS every bind - including the rootdn password below - crosses the
# network in clear. Enable the three directives with a real certificate before
# any client reaches the directory over the network. The cipher-suite line is
# an SSLv3-era setting; use a current cipher string if it is enabled.
39 #TLSCipherSuite :SSLv3
40
41 # Sample security restrictions
42 # Require integrity protection (prevent hijacking)
43 # Require 112-bit (3DES or better) encryption for updates
44 # Require 63-bit encryption for simple bind
# NOTE(review): once TLS works, a line like this is what refuses cleartext
# simple binds on the plain port; it has to stay commented until then, or all
# binds fail
45 # security ssf=1 update_ssf=112 simple_bind=64
46
47 # Sample access control policy:
48 # Root DSE: allow anyone to read it
49 # Subschema (sub)entry DSE: allow anyone to read it
50 # Other DSEs:
51 # Allow self write access
52 # Allow authenticated users read access
53 # Allow anonymous users to authenticate
54 # Directives needed to implement policy:
55 # access to dn.base="" by * read
56 # access to dn.base="cn=Subschema" by * read
57 # access to *
58 # by self write
59 # by users read
60 # by anonymous auth
61 #
62 # if no access controls are present, the default policy
63 # allows anyone and everyone to read anything but restricts
64 # updates to rootdn. (e.g., "access to * by * read")
65 #
66 # rootdn can always read and write EVERYTHING!
67
68 #######################################################################
69 # ldbm and/or bdb database definitions
70 #######################################################################
71
72 database bdb
73 suffix "dc=company,dc=com"
74 rootdn "cn=Manager,dc=company,dc=com"
75 # Cleartext passwords, especially for the rootdn, should
76 # be avoided. See slappasswd(8) and slapd.conf(5) for details.
77 # Use of strong authentication encouraged.
# NOTE(review): the cleartext value below is the same "secret" that appears in
# smbldap_bind.conf (8.1.2), and smb.conf (8.1.3) binds with this rootdn too,
# so the root password also lives in secrets.tdb. Replace it with the hashed
# form printed by slappasswd, e.g. rootpw {SSHA}<output of slappasswd>, and
# move Samba and the tools to the dedicated account described in 8.2.
78 rootpw secret
79 # rootpw {crypt}ijFYNcSNctBYg
80
81 # The database directory MUST exist prior to running slapd AND
82 # should only be accessible by the slapd and slap tools.
83 # Mode 700 recommended.
84 directory /var/lib/ldap
85 lastmod on
86
87 # Indices to maintain for this database
88 index objectClass eq,pres
89 index ou,cn,sn,mail,givenname eq,pres,sub
90 index uidNumber,gidNumber,memberUid eq,pres
91 index loginShell eq,pres
92 ## required to support pdb_getsampwnam
93 index uid pres,sub,eq
94 ## required to support pdb_getsambapwrid()
95 index displayName pres,sub,eq
96 index nisMapName,nisMapEntry eq,pres,sub
97 index sambaSID eq
98 index sambaPrimaryGroupSID eq
99 index sambaDomainName eq
100 index default sub
101
102
# NOTE(review): slapd uses the first 'access to' directive whose target
# matches, so the order of the rules below is part of their meaning. The
# 'by dn="cn=Manager,..." write' clauses are redundant while that DN is the
# rootdn (it bypasses ACLs anyway) and only matter once a non-root admin
# account is used as in 8.2. 'by self write' on sambaPwdMustChange and
# sambaPwdLastSet lets a user move their own expiry dates; it is what
# self-service smbldap-passwd relies on, so keep that trade-off in mind.
103 # users can authenticate and change their password
104 access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdMustChange,sambaPwdLastSet
105 by dn="cn=Manager,dc=company,dc=com" write
106 by self write
107 by anonymous auth
# sambaNTPassword/sambaLMPassword are password-equivalent hashes: 'by * none'
# for everyone else is essential and must remain the first matching rule
108 by * none
109
110 # those 2 parameters must be world readable for password aging to work correctly
111 # (or use a privileged account in /etc/ldap.conf to bind to the directory)
112 access to attrs=shadowLastChange,shadowMax
113 by dn="cn=Manager,dc=company,dc=com" write
114 by self write
115 by * read
116
117 # all others attributes are readable to everybody
# NOTE(review): this exposes every remaining attribute (group membership,
# SIDs, home paths, ...) to anonymous clients. The sample policy above
# ('by users read' / 'by anonymous auth') is the more restrictive alternative,
# and 8.2 shows a tighter rule set. Keep this directive last.
118 access to *
119 by * read
120
121 # Replicas of this database
122 #replogfile /var/lib/ldap/openldap-master-replog
123 #replica host=ldap-1.example.com:389 starttls=critical
124 # bindmethod=sasl saslmech=GSSAPI
125 # authcId=host/ldap-master.example.com@EXAMPLE.COM

8.2 Изменение административной учетной записи (ldap admin dn в файле smb.conf)

Если вы больше не хотите использовать учетную запись cn=Manager,dc=idealx,dc=com, вы можете создать отдельную учетную запись для сервера Samba и набора скриптов smbldap-tools. Для этого заведем пользователя с именем, например, samba при помощи следующей команды (подробности о синтаксисе этой команды см. в главе 4.2.1):

# smbldap-useradd -s /bin/false -d /dev/null -P samba

После ввода этой команды вам будет предложено ввести пароль для создаваемого пользователя, в нашем примере он тоже будет samba.

После этого измените соответствующим образом:

— файл /etc/smbldap-tools/smbldap_bind.conf:

# NOTE(review): same caveats as for 8.1.2 - cleartext credentials, keep the
# file readable only by root. "samba" is the example's placeholder password,
# not a value to reuse; the same password must be written to secrets.tdb with
# 'smbpasswd -w' once 'ldap admin dn' in smb.conf points at this DN.
slaveDN="uid=samba,ou=Users,dc=idealx,dc=com"
slavePw="samba"
masterDN="uid=samba,ou=Users,dc=idealx,dc=com"
masterPw="samba"

— файл /etc/samba/smb.conf:

# NOTE(review): unless the leading '#' is a stray prompt character, Samba
# ignores this line exactly like the commented alternative in 8.1.3; remove
# the '#' so that 'ldap admin dn' really becomes uid=samba, matching the DN
# in smbldap_bind.conf above
#ldap admin dn = uid=samba,ou=Users,dc=idealx,dc=com

Не забудьте после этого записать пароль в файл secrets.tdb:

#smbpasswd -w samba

— в файле /etc/openldap/slapd.conf вам следует добавить полномочия пользователю samba:

# NOTE(review): in slapd.conf a line that begins with white space continues
# the previous line (slapd.conf(5)), so when copying this block start each
# 'access to' in column 0 and indent only the 'by' clauses and the wrapped
# attribute list. Directives are evaluated in order and the first one whose
# target matches wins: 'cn' is already granted 'by * read' by the
# objectClass/entry/... rule and 'description' by the description/
# telephoneNumber rule, so the narrower grants in the long samba-attribute
# rule never apply to those two. Attributes listed nowhere (loginShell, for
# instance, which getpwnam also returns) fall through to the final
# 'by * none' and are hidden from anonymous NSS lookups. The uid=samba
# account gets write access to every password hash and to all three
# branches: treat its password like the rootdn's.
1 # users can authenticate and change their password
2 	access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
3 	by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
4 	by self write
5 	by anonymous auth
6 	by * none
7 # some attributes need to be readable anonymously so that 'id user' can answer correctly
8 	access to attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid
9 	by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
10 	by * read
11 # some attributes can be writable by users themselves
12 	access to attrs=description,telephoneNumber
13 	by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
14 	by self write
15 	by * read
16 # some attributes need to be writable for samba
17 	access to attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,
18 	sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,
19 	sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaSID,sambaGroupType,
20 	sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase
21 	by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
22 	by self read
23 	by * none
24 # samba need to be able to create the samba domain account
25 	access to dn.base="dc=idealx,dc=com"
26 	by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
27 	by * none
28 # samba need to be able to create new users account
29 	access to dn="ou=Users,dc=idealx,dc=com"
30 	by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
31 	by * none
32 # samba need to be able to create new groups account
33 	access to dn="ou=Groups,dc=idealx,dc=com"
34 	by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
35 	by * none
36 # samba need to be able to create new computers account
37 	access to dn="ou=Computers,dc=idealx,dc=com"
38 	by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
39 	by * none
40 # this can be omitted but we leave it: there could be other branch
41 # in the directory
42 	access to *
43 	by self read
44 	by * none

8.3 Известные ошибки

Ключ -B (пользователь должен изменить свой пароль) команды smbldap-useradd не работает: когда вызывается команда smbldap-passwd, атрибут sambaPwdMustChange перезаписывается.
