hướng dẫn cấu hình primary domain controller with samba

8/14/2019 Hng dn cu hnh Primary Domain Controller with Samba

1/17

Hng d n cu hnh Primary Domain Controller with Samba + OpenLDAP

Phn 1: Cu hnh DNS

M hnh mng:

Trn OpenLDAP Server ta thit lp nh sau:OpenLdap Server:Hostname: server2.abv.local

IP: 10.0.0.2

Install BIND#yum -y install bind bind-libs bind-untils bind-chroot

Configure BIND#cd /var/named/chroot/#vi etc/named.confacl mynet {10.0.0.0/8;127.0.0.1;

};

options{allow-transfer {none;};query-source port 53;query-source-v6 port 53;directory "/var/named";dump-file "/var/named/data/cache_dumb.db";


2/17

statistics-file "/var/named/data/name_stats.txt";memstatistics-file "/var/named/data/name_mem_stats.txt";notify yes;

};

zone "." IN {type hint;file "named.root";

};

zone "localhost" IN {type master;file "localhost.db";

};

zone "0.0.127.in-addr.arpa" IN {type master;

file "0.0.127.in-addr.arpa.db";

};

zone "abv.local" IN {type master;file "abv.local.db";

};

zone "0.0.10.in-addr.arpa" {type master;file "0.0.10.in-addr.arpa.db";

};#cd var/named#wgethttp://www.internic.net/zones/named.root

#vi localhost.db$TTL 86400@ IN SOA localhost root (20080213 ;Serial10800 ;Refresh3600 ;Retry604800 ;Expire86400 ;Minimum TTL)

IN NS @

localhost. IN A 127.0.0.1

#vi 0.0.127.in-addr.arpa.db$TTL 86400 ; 1day@ IN SOA localhost. root. (20080213 ;Serial10800 ;Refresh
http://www.internic.net/zones/named.roothttp://www.internic.net/zones/named.roothttp://www.internic.net/zones/named.roothttp://www.internic.net/zones/named.root


3/17

3600 ;Retry604800 ;Expire86400 ;Minimum TTL)

IN NS localhost.

1.0.0.127.in-addr.arpa. IN PTR localhost.

#vi abv.local.db$TTL 86400@ IN SOA server2.abv.local. root (423H15M1W1D )

IN NS server2.abv.local.

server1 1D IN A 10.0.0.1

server2 1D IN A 10.0.0.2server3 1D IN A 10.0.0.3

_ldap._tcp.abv.local. SRV 0 0 389 server2.abv.local._ldap._tcp.dc._msdcs.abv.local SRV 0 0 389 server2.abv.local.

#vi 0.0.10.in-addr.arpa.db$TTL 86400@ IN SOA server2.abv.local. root. (3288007200604800

86400 )@ IN NS server2.abv.local.1 IN PTR server1.abv.local.2 IN PTR server2.abv.local.3 IN PTR server3.abv.local.

#vi /etc/resolv.confsearch abv.localnameserver 10.0.0.2

Khi ng dch v:#service named start#chkconfig named on

File cu hnh download ti:http://www.mediafire.com/?7lnwgiccvv6bsbv__________________
http://www.mediafire.com/?7lnwgiccvv6bsbvhttp://www.mediafire.com/?7lnwgiccvv6bsbvhttp://www.mediafire.com/?7lnwgiccvv6bsbvhttp://www.mediafire.com/?7lnwgiccvv6bsbv


4/17

Phn 2: Cu hnh OpenLDAP

Ci t cc package cn thit:# yum --enablerepo=dag install openldap* openldap-s* compat-ldap python-ldap php-ldap nss_ldap ldapjdk samba samba-common samba-client perl-Crypt-SmbHash perl-Digest-SHA1 perl-Jcode perl-Unicode-Map perl-Unicode-Map8 perl-Unicode-MapUTF8 perl-Unicode-String

To password cho root dng m ha# slappasswd -s abv -h {MD5}

{MD5}7sWCYo5L4iMv6IEnCQ5dog==(pass for ldap: abv)

Cu hnh domain cho openLDAP# vi /etc/openldap/slapd.conf

include /etc/openldap/schema/core.schemainclude /etc/openldap/schema/cosine.schemainclude /etc/openldap/schema/inetorgperson.schemainclude /etc/openldap/schema/nis.schema# addinclude /etc/openldap/schema/samba.schema

# line 86:suffix "dc=abv,dc=local"

# line 87:

rootdn "cn=Manager,dc=abv,dc=local"

# line 93: specify password generatedrootpw {MD5}7sWCYo5L4iMv6IEnCQ5dog==

# line 106: addindex sambaSID,sambaPrimaryGroupSID,sambaDomainName eqindex default sub

# add at the bottom

access to attrs=userPassword,sambaLMPassword,sambaNTPasswordby self writeby dn="cn=Manager,dc=abv,dc=local" writeby anonymous authby * none


5/17

access to *by dn="cn=Manager,dc=abv,dc=local" writeby self writeby * read

access to attrs=description,telephoneNumber

by dn="uid=samba,ou=Users,dc=abv,dc=local" writeby self writeby * read

access to dn.base="dc=abv,dc=local"by dn="uid=samba,ou=Users,dc=abv,dc=local" writeby * none

access to dn="ou=Users,dc=abv,dc=local"by dn="uid=samba,ou=Users,dc=abv,dc=local" writeby * none

access to dn="ou=Groups,dc=abv,dc=local"by dn="uid=samba,ou=Users,dc=abv,dc=local" writeby * none

access to dn="ou=Computers,dc=abv,dc=local"by dn="uid=samba,ou=Users,dc=abv,dc=local" writeby * none

# vi /etc/openldap/ldap.confBASE dc=abv,dc=localURI ldap://127.0.0.1/TLS_CACERTDIR /etc/openldap/cacerts

# vi /etc/ldap.confbase dc=abv,dc=local

rootbinddn cn=Manager,dc=abv,dc=local

nss_base_passwd ou=Users,dc=abv,dc=local?onenss_base_passwd ou=Computers,dc=abv,dc=local?onenss_base_group ou=Groups,dc=abv,dc=local?onenss_base_shadow ou=Users,dc=abv,dc=local?one

uri ldap://127.0.0.1/ssl notls_cacertdir /etc/openldap/cacertspam_password md5

Copy file cu hnh mu OpenLDAP ca h thng# cp /usr/share/doc/samba-3.0.33/LDAP/samba.schema etc/openldap/schema/

# cp /etc/openldap/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

Cu hnh LDAP client

# setup

- Chn Authentication configuration -> Run Tool


6/17

- Next


7/17

- OK -> Quit

If you will not share users' /home with NFS, set config like below(users' home deirectory is made automatically when logined)

# vi /etc/pam.d/system-auth# add at the bottom

session optional pam_mkhomedir.so skel=/etc/skel umask=077

Khi ng dch v ldap# /etc/init.d/ldap start# /etc/init.d/nscd start# chkconfig ldap on# chkconfig nscd on

__________________Lun lun lng nghe !!!Lun lun support !!!

thay i ni dung bi:zuridk, 07-11-2011 lc 15:10

#3

07-11-2011, 11:54

zuridkThnh Vin Mi

Tham gia ngy: Aug 2009Bi gi: 37Thanks: 1Thanked 59 Times in 14 Posts

Phn 3: Cu hnh SMB-LDAP

# vi /etc/smbldap-tools/smbldap_bind.confslaveDN="cn=Manager,dc=abv,dc=local"slavePw="abv"masterDN="cn=Manager,dc=abv,dc=local"masterPw="abv"

# vi /etc/smbldap-tools/smbldap.conf# Ex: sambaDomain="IDEALX-NT"sambaDomain="abv.local"

slaveLDAP="127.0.0.1"slavePort="389"

masterLDAP="127.0.0.1"masterPort="389"

# LDAP Suffixsuffix="dc=abv,dc=local"
http://www.nhatnghe.com/forum/showpost.php?p=865064&postcount=3http://www.nhatnghe.com/forum/showpost.php?p=865064&postcount=3http://www.nhatnghe.com/forum/member.php?u=52320http://www.nhatnghe.com/forum/member.php?u=52320http://www.nhatnghe.com/forum/newreply.php?do=newreply&p=855866http://www.nhatnghe.com/forum/newreply.php?do=newreply&p=855866http://www.nhatnghe.com/forum/newreply.php?do=newreply&p=855866http://www.nhatnghe.com/forum/newreply.php?do=newreply&p=855866http://www.nhatnghe.com/forum/member.php?u=52320http://www.nhatnghe.com/forum/showpost.php?p=865064&postcount=3


8/17

usersdn="ou=Users,${suffix}"computersdn="ou=Computers,${suffix}"groupsdn="ou=Groups,${suffix}"idmapdn="ou=Idmap,${suffix}"sambaUnixIdPooldn="sambaDomainName=abv.local,${suffix}"scope="sub"hash_encrypt="MD5"crypt_salt_format="%s"

userLoginShell="/bin/bash"userHome="/home/%U"userHomeDirectoryMode="700"userGecos="System User"defaultUserGid="513"defaultComputerGid="515"skeletonDir="/etc/skel"defaultMaxPasswordAge="45"

userSmbHome="\\10.0.0.2\%U"userProfile="\\10.0.0.2\profiles\%U"userHomeDrive="H:"userScript="logon.bat"mailDomain="abv.local"

with_smbpasswd="0"smbpasswd="/usr/bin/smbpasswd"

with_slappasswd="0"slappasswd="/usr/sbin/slappasswd"

# vi /etc/samba/smb.conf

[global]workgroup = abv.localnetbios name = ldapserversecurity = userenable privileges = yesusername map = /etc/samba/smbusersserver string = samba-ldap-pdcencrypt passwords = Yes#min passwd length = 3admin users = root#pam password change = noobey pam restrictions = No

# method 1:#unix password sync = noldap passwd sync = Yes

# method 2:#unix password sync = yes#ldap passwd sync = nopasswd program = /usr/sbin/smbldap-passwd -u "%u"


9/17

passwd chat = "Changing *\nNew password*" %n\n "*Retype new password*" %n\n"

log level = 0syslog = 0log file = /var/log/samba/log.%mmax log size = 100000#time server = Yessocket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192mangling method = hash2Dos charset = CP932Unix charset = UTF-8

logon script = logon.batlogon drive =logon home =logon path =

domain logons = Yes

domain master = Yesos level = 65preferred master = Yeswins support = yes

passdb backend = ldapsam:ldap://10.0.0.2/

ldap admin dn = cn=Manager,dc=abv,dc=localldap suffix = dc=abv,dc=localldap group suffix = ou=Groupsldap user suffix = ou=Usersldap machine suffix = ou=Computersldap idmap suffix = ou=Idmap

idmap backend = ldap://127.0.0.1idmap uid = 10000-20000idmap gid = 10000-20000add user script = /usr/sbin/smbldap-useradd -m "%u"ldap delete dn = Yesdelete user script = /usr/sbin/smbldap-userdel "%u"add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"add group script = /usr/sbin/smbldap-groupadd -p "%g"delete group script = /usr/sbin/smbldap-groupdel "%g"add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"

[netlogon]path = /home/samba/netlogon/browseable = Noread only = Yes

[profiles]path = /home/samba/profilesread only = No


10/17

create mask = 0600directory mask = 0700browseable = Noguest ok = Yesprofile acls = yescsc policy = disable# next line is a great way to secure the profilesforce user = %U# next line allows administrator to access all profilesvalid users = %U "Domain Admins"

[homes]comment = Home Directoriesvalid users = %Uread only = Nocreat mask = 0664directory mask = 0775browseable = no

To cc folder cnthit:# mkdir /home/samba# mkdir /home/samba/netlogon# mkdir /home/samba/profiles# chmod 1777 /home/samba/profiles/

# smbpasswd -W abv

#net getlocalsid

# vi /etc/smbldap-tools/smbldap.conf

Restart li dch v:# service ldap restart# service smb restart# chkconfig smb on# chkconfig ldap on

# smbldap-populate


11/17

To user log on:# smbldap-useradd -a -m -c abv abv# smbldap-passwd abv

Kim tra danh sch user:

# smbldap-userlist

Show thng tin user:# smbldap-usershow abv


12/17

Phn 4: Join windows XP vo SambaPDC

Thc hin join Windows XP vo Samba PDC:


13/17


14/17

Restart my, nhp username v password ng nhp

Ta thy 1 a H: c chia s t my SambaPDC.Tin hnh kim tra:To 1 folder trong a H:To 1 folder trn Desktop Desktop for abvTo 1 file txt data for abv trong folder Desktop for abvRestart or shutdown my win XP


15/17

Trn my SambaPDC, ta thy d liu c to trong a H: c lu trong th mc/home/abv. D liu c to trn Desktop c lu ti/home/samba/profiles/abv/Desktop.
http://www.nhatnghe.com/forum/newreply.php?do=newreply&p=865239http://www.nhatnghe.com/forum/newreply.php?do=newreply&p=865239http://www.nhatnghe.com/forum/newreply.php?do=newreply&p=865239


16/17

: Tool qun tr php_LDAP_Admin

# yum --enablerepo=epel install phpldapadmin

# vi /etc/httpd/conf.d/phpldapadmin.confAlias /phpldapadmin /usr/share/phpldapadmin/htdocsAlias /ldapadmin /usr/share/phpldapadmin/htdocs

Order Deny,AllowDeny from allAllow from 127.0.0.1 10.0.0.0/24Allow from ::1

Restart dch v Apache# /etc/init.d/httpd restart# chkconfig httpd on

M browser, truy cp:http://10.0.0.2/phpldapadmin
http://10.0.0.2/phpldapadminhttp://10.0.0.2/phpldapadminhttp://10.0.0.2/phpldapadminhttp://10.0.0.2/phpldapadmin


17/17

__________________

- chuyn cc OU mu ca OpenLDAP vo file base.ldifmigration]# ./migrate_base.pl > base.ldif

- Thm ni dung vo OpenLDAP Servermigration]# ldapadd -x -W -D "cn=Manager,dc=abv,dc=local" -f base.ldif

y khng cn cc OU mu nn mnh khng cp n phn cu hnh cc file***.ldif__________________
http://www.nhatnghe.com/forum/newreply.php?do=newreply&p=865438http://www.nhatnghe.com/forum/newreply.php?do=newreply&p=865438http://www.nhatnghe.com/forum/newreply.php?do=newreply&p=865438

hướng dẫn cấu hình primary domain controller with samba

Documents