Có rất nhiều cách thức để thiết lập một hệ thống Linux xác thực người dùng/client. Hai bài viết trước đã nói về cách thức sử dụng LDAP và NIS. Bài viết này sẽ nói thêm một cách thức khác, đó là: Samba Domain Controller with LDAP Backend. Cách thức này được hiểu như là một sự thay thế cho Windows Active Directory (Windows Domain Controller).
Dưới đây là chi tiết các công việc cần thực hiện:
Server Requirement
samba
samba-client
openldap
openldap-clients
openldap-servers
nss_ldap
perl-LDAP
smbldap-tools
Disable selinux
Within /etc/sysconfig/selinux, set (this guide turns SELinux off only to keep the walkthrough simple; on a production controller prefer leaving it enabled and resolving the denials for slapd and smbd instead):
SELINUX=disabled
Set up the hostname
/etc/hosts : 192.168.0.5 pdc.iwaydc.com pdc
Issue the following command to set the hostname:
hostname pdc.iwaydc.com
Install those following packages below.
[root@server ~]# yum install samba samba-client openldap openldap-clients openldap-servers nss_ldap perl-LDAP
Và các gói sau là requirement for smbldap-tools:
perl-Crypt-SmbHash-0.12-1.2.el5.rf.noarch.rpm
perl-Digest-SHA1-2.11-1.2.1.i386.rpm
perl-Jcode-2.06-1.el5.rf.i386.rpm
perl-LDAP-0.33-3.fc6.noarch.rpm
perl-Unicode-Map-0.112-1.el5.rf.i386.rpm
perl-Unicode-Map8-0.12-1.el5.rf.i386.rpm
perl-Unicode-MapUTF8-1.11-1.2.el5.rf.noarch.rpm
perl-Unicode-String-2.09-1.2.el5.rf.i386.rpm
smbldap-tools-0.9.5-1.noarch.rpm (a set of scripts designed to help integrate Samba and an LDAP directory)
Generate a master password and set up ldap
[root@server ~]# slappasswd => rootpw cho LDAP (nhớ lưu và copy pwd đã được mã hoá để đưa vào file slapd.conf như ở dưới)
Edit slapd.conf
Insert the following text into /etc/openldap/slapd.conf:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
database bdb
suffix "dc=DOMAINNAME"
rootdn "cn=root,dc=DOMAINNAME"
# <= chuỗi passwd đã được mã hoá ở trên (dán giá trị slappasswd của bạn, không dùng lại hash ví dụ này)
rootpw {SSHA}TTzshhAbmZPPb8F2s7sgf9B+IrZt+nUD
# <= tuỳ thuộc hệ thống mã hoá theo phương thức nào? md5 hay ssha...
password-hash {SSHA}
directory /var/lib/ldap
index cn,sn,uid,displayName pres,sub,eq
index uidNumber,gidNumber eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index objectClass pres,eq
index default sub
Copy file for setting ldap
[root@server ~]# cp /usr/share/doc/samba-3.*/LDAP/samba.schema /etc/openldap/schema/
[root@server ~]# cp /etc/openldap/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@server ~]# chown ldap:ldap /var/lib/ldap/DB_CONFIG
[root@server ~]# chmod 600 /var/lib/ldap/DB_CONFIG
Init directory service
Insert the following text into /etc/openldap/init.ldif:
dn: dc=DOMAINNAME
objectclass: dcObject
objectclass: organization
o: CentOS Directory Server
dc: DOMAINNAME

dn: cn=root,dc=DOMAINNAME
objectclass: organizationalRole
cn: root
[root@server ~]# slapadd -l /etc/openldap/init.ldif
[root@server ~]# chown -R ldap:ldap /var/lib/ldap
[root@server ~]# chmod 600 /var/lib/ldap/*
Start Ldap
[root@server ~]# service ldap start
[root@server ~]# chkconfig ldap on
[root@server ~]# ldapsearch -x -b "dc=DOMAINNAME" => test LDAP hoạt động đúng hay chưa?
Integrate ldap and Samba
Config samba (the values below — workgroup, the LDAP server address in passdb backend, and the ldap suffixes — must match what you used in /etc/hosts and slapd.conf and what you will put in smbldap.conf later; the examples on this page mix several environments: iwaydc.com, abc.com and DOMAINNAME)
[root@server ~]# cp /usr/share/doc/smbldap-tools-0.9.5/smb.conf /etc/samba/smb.conf
[root@server ~]# vi smb.conf
[global]
workgroup = IWAYDC
netbios name = CENTOS1
server string = PDC Samba Server Test
passdb backend = ldapsam:ldap://192.168.100.108/
passwd program = /usr/bin/passwd %u
log file = /var/log/samba/%m.log
max log size = 50
add user script = /usr/sbin/smbldap-useradd -m "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
logon path = \\%L\profiles\%U
logon drive = H:
logon home = \\%L\%U
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
wins support = Yes
ldap admin dn = cn=root,dc=iwaydc,dc=com => phải đầy đủ các thành phần cn, dc… để connect tới ldap chinh xác
ldap group suffix = ou=Group
ldap idmap suffix = ou=Users
ldap machine suffix = ou=People
ldap passwd sync = Yes
ldap suffix = dc=iwaydc,dc=com
ldap ssl = no
ldap user suffix = ou=Users
idmap uid = 15000-20000
idmap gid = 15000-20000
cups options = raw
[homes]
comment = Home Directories
valid users = %U
read only = No
browseable = No
[netlogon]
comment = Network Logon Service
path = /home/samba/netlogon
valid users = %U
admin users = Administrator
read only = No
[profiles]
comment = Network Profiles Share
path = /home/samba/profiles
valid users = %U
read only = No
create mask = 0600
directory mask = 0700
profile acls = Yes
browseable = No
root preexec = PROFILE=/home/samba/profiles/%U; if [ ! -e $PROFILE ];then mkdir -pm 700 $PROFILE; chown %U:%g $PROFILE;fi
Now test your samba config:
[root@centos ~]# testparm
Creating the directories for profiles and netlogon.
:: Make directory for Samba users
[root@centos ~]# mkdir -p /home/samba/netlogon
[root@centos ~]# mkdir -p /home/samba/profiles
[root@centos ~]# chown -R root:users /home/samba/
[root@centos ~]# chmod -R 755 /home/samba/
[root@centos ~]# chmod o+rw /home/samba/profiles => cho phép tạo profile cho từng user
Config smbldap tool
Get the SID and copy it.
[root@server ~]# net getlocalsid
SID for domain SERVER is: S-1-5-21-1082253588-3757474382-3995049807
Edit smbldap.conf (SID must be the value printed by net getlocalsid above, sambaDomain must equal the workgroup and suffix must equal the ldap suffix from smb.conf)
[root@server ~]# vi /etc/smbldap-tools/smbldap.conf
SID="S-1-5-21-1082253588-3757474382-3995049807" => sid được tạo ở trên
sambaDomain="ABC"
masterLDAP="server.abc.com"
masterPort="389"
ldapTLS="0" # Switch this line from 1 to 0 (plain LDAP, like "ldap ssl = no" in smb.conf: the bind credentials cross the network unencrypted, so keep slapd on this host or on a protected link)
suffix="dc=abc,dc=com"
userSmbHome="\\SERVER\%U"
userProfile="\\SERVER\profiles\%U"
mailDomain="abc.com"
[root@server samba]# smbpasswd -W 123456 => thiết lập pwd cho Samba root, 123456 chính là pwd trong trường hợp này (pwd gõ trên dòng lệnh sẽ còn lại trong shell history; nên xoá đi sau khi dùng)
Edit smbldap_bind.conf; the file has to look like this:
[root@server ~]# vi /etc/smbldap-tools/smbldap_bind.conf
#slaveDN="cn=Manager,dc=iallanis,dc=info"
#slavePw="secret"
masterDN="cn=root,dc=abc,dc=com"
masterPw="123456" #### this is the passwd of root, not encoded (pwd chưa mã hoá), chính là pwd được thiết lập cho Samba root bằng lệnh smbpasswd ở trên; vì file chứa pwd dạng rõ nên giữ quyền 0600, chỉ root đọc được
Launch smbldap-populate
[root@server ~]# smbldap-populate
Populating LDAP directory for domain ABC (S-1-5-21-1082253588-3757474382-3995049807)
Start the Samba
[root@server ~]# /etc/init.d/smb start
[root@server ~]# chkconfig smb on
Enable Firewall
Edit /etc/sysconfig/iptables, copy & modify the line about ssh (--dport 22 -j ACCEPT), and right after it add the following (assuming your CentOS install produced the default iptables file; note that nothing below opens the LDAP port 389/tcp, which is what you want while slapd is only consulted from this host):
#Allow Https://
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
#Allow samba:
-A RH-Firewall-1-INPUT -m multiport -p udp --dport 137,138 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m multiport -p tcp --dport 139,445 -j ACCEPT
Check groupmapping
[root@server ~]# net groupmap list
Nếu không có kết quả nào hiển thị nghĩa là chưa tồn tại group mapping, cần add bằng tay; có 3 group sau quan trọng:
net groupmap add ntgroup="Domain Admins" unixgroup=root rid=512 type=d
net groupmap add ntgroup="Domain Users" unixgroup=users rid=513 type=d
net groupmap add ntgroup="Domain Guests" unixgroup=nobody rid=514 type=d
xem thêm : http://samba.org/samba/docs/man/Samba-HOWTO-Collection/groupmapping.html
trường hợp ko add = tay đc thì check log :
see where ldap log is : cat /etc/syslog.conf
Nếu không tồn tại file ldap.log thì add file log:
# add to syslog.conf
local4.* /var/log/ldap.log
# add log level in file slapd.conf (4095 is very verbose; lower it again once debugging is done)
loglevel 4095
# create an empty log file
touch /var/log/ldap.log
# restart ldap server or reboot
Hoặc add thông qua Webmin > Server > samba > group
Start the smb service and make sure it is started on boot.
[root@server samba]# service smb start
[root@server samba]# chkconfig smb on
Configure /etc/ldap.conf and /etc/openldap/ldap.conf, or have authconfig do it for you:
[root@server samba]# authconfig --enableldap --enableldapauth --ldapserver=192.168.100.108 --ldapbasedn=dc=iwaydc,dc=com --update
Add a user into the system
[root@server samba]# smbldap-useradd -a -m test -G "Domain Users"
[root@server samba]# smbldap-passwd test
Now join your Windows clients to the domain.
Nguồn tham khảo:
http://www.howtoforge.com/centos-5.x-samba-domain-controller-with-ldap-backend
http://nguyenhs.vnweblogs.com/post/9412/234897
http://directory.fedoraproject.org/