A Linux Authentication Solution to Replace a Windows Domain Controller

There are many ways to set up a Linux system that authenticates users/clients. The two previous articles covered LDAP and NIS. This article presents another approach: Samba Domain Controller With LDAP Backend. This approach can be understood as a replacement for Windows Active Directory (Windows Domain Controller).

Below are the details of the steps to perform:


Server Requirements

samba
samba-client
openldap
openldap-clients
openldap-servers
nss_ldap
perl-LDAP
smbldap-tools

Disable selinux

Within /etc/sysconfig/selinux, set:

Set up the hostname

/etc/hosts : 192.168.0.5 pdc.iwaydc.com pdc

Issue the command to set the hostname:

hostname pdc.iwaydc.com

Install the packages listed under Server Requirements.

Generate a master password and set up ldap

[root@server ~]# slappasswd => generates the rootpw for LDAP (save and copy the hashed password so it can be put into slapd.conf as below)

Edit slapd.conf

Insert the following text into /etc/openldap/slapd.conf:

Copy the files needed to set up LDAP

[root@server ~]# cp /usr/share/doc/samba-3.*/LDAP/samba.schema /etc/openldap/schema/
[root@server ~]# cp /etc/openldap/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@server ~]# chown ldap:ldap /var/lib/ldap/DB_CONFIG
[root@server ~]# chmod 600 /var/lib/ldap/DB_CONFIG

Init directory service

Insert the following text into /etc/openldap/init.ldif:

[root@server ~]# slapadd -l /etc/openldap/init.ldif
[root@server ~]# chown -R ldap:ldap /var/lib/ldap
[root@server ~]# chmod 600 /var/lib/ldap/*

Start LDAP

[root@server ~]# service ldap start
[root@server ~]# chkconfig ldap on
[root@server ~]# ldapsearch -x -b "dc=DOMAINNAME" => test whether LDAP is working correctly

Integrate ldap and Samba

Config samba

[root@server ~]# cp /usr/share/doc/smbldap-tools-0.9.5/smb.conf /etc/samba/smb.conf

[root@server ~]# vi /etc/samba/smb.conf

[global]
workgroup = IWAYDC
netbios name = CENTOS1
server string = PDC Samba Server Test
passdb backend = ldapsam:ldap://192.168.100.108/
passwd program = /usr/bin/passwd %u
log file = /var/log/samba/%m.log
max log size = 50
add user script = /usr/sbin/smbldap-useradd -m "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
logon path = \\%L\profiles\%U
logon drive = H:
logon home = \\%L\%U
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
wins support = Yes
ldap admin dn = cn=root,dc=iwaydc,dc=com => must contain every component (cn, dc, ...) so that the connection to LDAP is made correctly
ldap group suffix = ou=Group
ldap idmap suffix = ou=Users
ldap machine suffix = ou=People
ldap passwd sync = Yes
ldap suffix = dc=iwaydc,dc=com
ldap ssl = no
ldap user suffix = ou=Users
idmap uid = 15000-20000
idmap gid = 15000-20000
cups options = raw

[homes]
comment = Home Directories
valid users = %U
read only = No
browseable = No

[netlogon]
comment = Network Logon Service
path = /home/samba/netlogon
valid users = %U
admin users = Administrator
read only = No

[profiles]
comment = Network Profiles Share
path = /home/samba/profiles
valid users = %U
read only = No
create mask = 0600
directory mask = 0700
profile acls = Yes
browseable = No
root preexec = PROFILE=/home/samba/profiles/%U; if [ ! -e $PROFILE ];then mkdir -pm 700 $PROFILE; chown %U:%g $PROFILE;fi

Now test your samba config:

[root@centos ~]# testparm

Create the directories for profiles and netlogon.

:: Make the directories for Samba users

[root@centos ~]# mkdir -p /home/samba/netlogon
[root@centos ~]# mkdir -p /home/samba/profiles
[root@centos ~]# chown -R root:users /home/samba/
[root@centos ~]# chmod -R 755 /home/samba/

[root@centos ~]# chmod o+rw /home/samba/profiles => allows a profile to be created for each user

Configure smbldap-tools

Get the SID and copy it.

[root@server ~]# net getlocalsid
SID for domain SERVER is: S-1-5-21-1082253588-3757474382-3995049807

Edit smbldap.conf

[root@server ~]# vi /etc/smbldap-tools/smbldap.conf

SID="S-1-5-21-1082253588-3757474382-3995049807" => the SID generated above
sambaDomain="ABC"
masterLDAP="server.abc.com"
masterPort="389"
ldapTLS="0" # Switch this line from 1 to 0
suffix="dc=abc,dc=com"
userSmbHome="\\SERVER\%U"
userProfile="\\SERVER\profiles\%U"
mailDomain="abc.com"

[root@server samba]# smbpasswd -W 123456 => sets the password for the Samba root; 123456 is the password in this case.
Edit smbldap_bind.conf so that the file looks like this:

[root@server ~]# vi /etc/smbldap-tools/smbldap_bind.conf

#slaveDN="cn=Manager,dc=iallanis,dc=info"
#slavePw="secret"
masterDN="cn=root,dc=abc,dc=com"
masterPw="123456" #### this is the root password, not encoded (plain text); it is the password set for the Samba root with the smbpasswd command above
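Before running smbldap-populate it is worth confirming that the three files agree with each other and with the SID printed by net getlocalsid. The POSIX shell script below is an added example, not part of the original post: it reads the settings with a small sed helper, reports every mismatch, and checks that smbldap_bind.conf (which holds masterPw in clear text) is readable only by root. The sample files it writes are constructed and deliberately reproduce the page's mix of dc=iwaydc,dc=com in smb.conf and dc=abc,dc=com in the smbldap-tools files.

```shell
# Added example: cross-check smb.conf, smbldap.conf and smbldap_bind.conf
# against the SID from `net getlocalsid`, and verify the bind file (which
# stores the LDAP admin password in clear text) is readable by root only.

# cfg_get FILE KEY: value of "key = value" (smb.conf) or key="value"
# (smbldap-tools), with quotes and trailing comments stripped
cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\"#]*\).*/\1/p" "$1" |
        head -n 1 | sed 's/[[:space:]]*$//'
}

# check_pdc SID SMB_CONF SMBLDAP_CONF BIND_CONF: prints one line per problem
# found and returns 0 only when every check passes
check_pdc() {
    sid=$1 smb=$2 tools=$3 bind=$4 rc=0
    [ "$(cfg_get "$tools" SID)" = "$sid" ] ||
        { echo "SID in smbldap.conf differs from net getlocalsid ($sid)"; rc=1; }
    [ "$(cfg_get "$smb" 'ldap suffix')" = "$(cfg_get "$tools" suffix)" ] ||
        { echo "ldap suffix (smb.conf) differs from suffix (smbldap.conf)"; rc=1; }
    [ "$(cfg_get "$smb" 'ldap admin dn')" = "$(cfg_get "$bind" masterDN)" ] ||
        { echo "ldap admin dn (smb.conf) differs from masterDN (smbldap_bind.conf)"; rc=1; }
    case $(ls -l "$bind" | cut -c2-10) in   # masterPw is unencrypted: root-only file
        rw-------|r--------) ;;
        *) echo "$bind must be mode 600 (it holds the LDAP admin password)"; rc=1 ;;
    esac
    case $(cfg_get "$smb" 'passdb backend') in   # clear-text bind to a remote server?
        *ldap://127.0.0.1*|*ldap://localhost*|*ldapi://*|*ldaps://*) ;;
        *ldap://*) [ "$(cfg_get "$smb" 'ldap ssl')" != no ] ||
            { echo "ldap ssl = no with a remote LDAP server: the admin bind crosses the network in clear"; rc=1; } ;;
    esac
    return $rc
}

# Constructed sample files: they reproduce the page's mix of dc=iwaydc,dc=com
# (smb.conf) and dc=abc,dc=com (smbldap-tools), plus a bind file left at 644
tmp=$(mktemp -d)
cat >"$tmp/smb.conf" <<'EOF'
[global]
   passdb backend = ldapsam:ldap://192.168.100.108/
   ldap admin dn = cn=root,dc=iwaydc,dc=com
   ldap suffix = dc=iwaydc,dc=com
   ldap ssl = no
EOF
printf 'SID="%s"\nsuffix="dc=abc,dc=com"\n' "S-1-5-21-1082253588-3757474382-3995049807" >"$tmp/smbldap.conf"
printf 'masterDN="cn=root,dc=abc,dc=com"\nmasterPw="123456"\n' >"$tmp/smbldap_bind.conf"
chmod 644 "$tmp/smbldap_bind.conf"
SID="S-1-5-21-1082253588-3757474382-3995049807"   # as printed by net getlocalsid
check_pdc "$SID" "$tmp/smb.conf" "$tmp/smbldap.conf" "$tmp/smbldap_bind.conf" &&
    echo "all checks passed" || echo "fix the problems above before running smbldap-populate"
```

Run against the real files as root (`check_pdc "$(net getlocalsid | sed 's/.*: //')" /etc/samba/smb.conf /etc/smbldap-tools/smbldap.conf /etc/smbldap-tools/smbldap_bind.conf`); the sample above reports four problems.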

Launch smbldap-populate

[root@server ~]# smbldap-populate
Populating LDAP directory for domain ABC (S-1-5-21-1082253588-3757474382-3995049807)

Start Samba

[root@server ~]# /etc/init.d/smb start
[root@server ~]# chkconfig smb on

Enable the firewall

Edit /etc/sysconfig/iptables, copy and modify the line about ssh (--dport 22 -j ACCEPT), and right after it add (assuming your CentOS install produced the default iptables file):

Check the group mapping

[root@server ~]# net groupmap list

If no result is displayed, no group mapping exists yet and it must be added by hand; the following 3 groups are important:

See also: http://samba.org/samba/docs/man/Samba-HOWTO-Collection/groupmapping.html

If they cannot be added by hand, check the log:

See where the LDAP log is: cat /etc/syslog.conf

Or add them through Webmin > Server > samba > group

Start the smb service and make sure it is started at boot.
[root@server samba]# service smb start

[root@server samba]# chkconfig smb on

Configure /etc/ldap.conf and /etc/openldap/ldap.conf, or get them set up with:

[root@server samba]# authconfig --enableldap --enableldapauth --ldapserver=192.168.100.108 --ldapbasedn=dc=iwaydc,dc=com --update

Add a user to the system

[root@server samba]# smbldap-useradd -a -m test -G "Domain Users"

[root@server samba]# smbldap-passwd test

Now join your Windows machines to the domain.

References:

http://www.howtoforge.com/centos-5.x-samba-domain-controller-with-ldap-backend

http://nguyenhs.vnweblogs.com/post/9412/234897

http://directory.fedoraproject.org/
