hướng dẫn cấu hình primary domain controller with samba

    Hướng dẫn cấu hình Primary Domain Controller with Samba + OpenLDAP

    Phần 1: Cấu hình DNS

    Mô hình mạng:

    Trên OpenLDAP Server ta thiết lập như sau:
    OpenLDAP Server: Hostname: server2.abv.local (địa chỉ IP bị mất khi trích xuất)


    Install BIND
    # yum -y install bind bind-libs bind-utils bind-chroot

    Configure BIND
    # cd /var/named/chroot/
    # vi etc/named.conf
    acl mynet { <dải mạng 1>; <dải mạng 2>; };


    options {
        allow-transfer { none; };
        query-source port 53;
        query-source-v6 port 53;
        directory "/var/named";
        dump-file "/var/named/data/cache_dumb.db";
        statistics-file "/var/named/data/name_stats.txt";
        memstatistics-file "/var/named/data/name_mem_stats.txt";
        notify yes;
    };
    Lưu ý: cố định query-source port 53 làm mất tính ngẫu nhiên của cổng nguồn khi BIND truy vấn đệ quy, khiến cache dễ bị đầu độc hơn; nếu firewall không bắt buộc thì nên bỏ hai dòng query-source.


    zone "." IN { type hint; file "named.root"; };


    zone "localhost" IN { type master; file "localhost.db"; };


    zone "0.0.127.in-addr.arpa" IN { type master; file "0.0.127.in-addr.arpa.db"; };


    zone "abv.local" IN { type master; file "abv.local.db"; };


    zone "0.0.10.in-addr.arpa" { type master; file "0.0.10.in-addr.arpa.db"; };

    # cd var/named
    # wget http://www.internic.net/zones/named.root

    # vi localhost.db
    $TTL 86400
    @ IN SOA localhost root (
        20080213 ; Serial
        10800    ; Refresh
        3600     ; Retry
        604800   ; Expire
        86400    ; Minimum TTL
    )
        IN NS @
    localhost. IN A 127.0.0.1

    # vi 0.0.127.in-addr.arpa.db
    $TTL 86400 ; 1 day
    @ IN SOA localhost. root. (
        20080213 ; Serial
        10800    ; Refresh
        3600     ; Retry
        604800   ; Expire
        86400    ; Minimum TTL
    )
        IN NS localhost.
    1   IN PTR localhost.

    # vi abv.local.db
    $TTL 86400
    @ IN SOA server2.abv.local. root (
        42  ; Serial
        3H  ; Refresh
        15M ; Retry
        1W  ; Expire
        1D  ; Minimum TTL
    )
        IN NS server2.abv.local.
    server1 1D IN A <IP server1>
    server2 1D IN A <IP server2>
    <tên máy bị mất khi trích xuất> 1D IN A <IP>
    _ldap._tcp.abv.local.           SRV 0 0 389 server2.abv.local.
    _ldap._tcp.dc._msdcs.abv.local. SRV 0 0 389 server2.abv.local.
    Lưu ý: tên bản ghi SRV thứ hai phải kết thúc bằng dấu chấm (ở trên đã bổ sung); nếu thiếu, BIND sẽ ghép thêm origin abv.local vào tên và máy Windows sẽ không tìm thấy LDAP server của domain.

    # vi 0.0.10.in-addr.arpa.db
    $TTL 86400
    @ IN SOA server2.abv.local. root. (
        3      ; Serial
        28800  ; Refresh
        7200   ; Retry
        604800 ; Expire
        86400  ; Minimum TTL
    )
    @ IN NS server2.abv.local.
    1 IN PTR server1.abv.local.
    2 IN PTR server2.abv.local.
    3 IN PTR server3.abv.local.

    # vi /etc/resolv.conf
    search abv.local
    nameserver <IP của server2 (DNS server)>

    Khởi động dịch vụ:
    # service named start
    # chkconfig named on

    Phần 2: Cấu hình OpenLDAP

    Cài đặt các package cần thiết:
    # yum --enablerepo=dag install openldap* openldap-s* compat-ldap python-ldap php-ldap nss_ldap ldapjdk samba samba-common samba-client perl-Crypt-SmbHash perl-Digest-SHA1 perl-Jcode perl-Unicode-Map perl-Unicode-Map8 perl-Unicode-MapUTF8 perl-Unicode-String

    Tạo password cho root dạng mã hóa
    # slappasswd -s abv -h {MD5}
    {MD5}7sWCYo5L4iMv6IEnCQ5dog== (pass for ldap: abv)
    Lưu ý: {MD5} là băm không có salt; slappasswd mặc định dùng {SSHA} (có salt) và nên ưu tiên scheme này, đồng thời thay mật khẩu mẫu "abv" bằng mật khẩu đủ mạnh trước khi triển khai thật.

    Cấu hình domain cho OpenLDAP
    # vi /etc/openldap/slapd.conf

    include /etc/openldap/schema/core.schema
    include /etc/openldap/schema/cosine.schema
    include /etc/openldap/schema/inetorgperson.schema
    include /etc/openldap/schema/nis.schema
    # add
    include /etc/openldap/schema/samba.schema

    # line 86:
    suffix "dc=abv,dc=local"

    # line 87:

    rootdn "cn=Manager,dc=abv,dc=local"

    # line 93: specify password generated
    rootpw {MD5}7sWCYo5L4iMv6IEnCQ5dog==

    # line 106: add
    index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
    index default sub

    # add at the bottom
    access to attrs=userPassword,sambaLMPassword,sambaNTPassword
        by self write
        by dn="cn=Manager,dc=abv,dc=local" write
        by anonymous auth
        by * none

    access to *
        by dn="cn=Manager,dc=abv,dc=local" write
        by self write
        by * read

    access to attrs=description,telephoneNumber
        by dn="uid=samba,ou=Users,dc=abv,dc=local" write
        by self write
        by * read

    access to dn.base="dc=abv,dc=local"
        by dn="uid=samba,ou=Users,dc=abv,dc=local" write
        by * none

    access to dn="ou=Users,dc=abv,dc=local"
        by dn="uid=samba,ou=Users,dc=abv,dc=local" write
        by * none

    access to dn="ou=Groups,dc=abv,dc=local"
        by dn="uid=samba,ou=Users,dc=abv,dc=local" write
        by * none

    access to dn="ou=Computers,dc=abv,dc=local"
        by dn="uid=samba,ou=Users,dc=abv,dc=local" write
        by * none

    Lưu ý: slapd duyệt các chỉ thị access theo thứ tự và dừng ở chỉ thị "access to" đầu tiên khớp với entry/attribute đang xét. Với thứ tự như trên, "access to *" đứng thứ hai sẽ khớp mọi thứ, nên các chỉ thị cho attrs=description,telephoneNumber và các dn=ou=... phía dưới không bao giờ được xét tới: toàn bộ cây (trừ các attribute mật khẩu) đọc được bởi mọi người kể cả anonymous, còn uid=samba không có quyền write như dự định. Nên chuyển "access to *" xuống cuối cùng.

    # vi /etc/openldap/ldap.conf
    BASE dc=abv,dc=local
    URI ldap://<địa chỉ LDAP server>
    TLS_CACERTDIR /etc/openldap/cacerts

    # vi /etc/ldap.conf
    base dc=abv,dc=local
    rootbinddn cn=Manager,dc=abv,dc=local
    nss_base_passwd ou=Users,dc=abv,dc=local?one
    nss_base_passwd ou=Computers,dc=abv,dc=local?one
    nss_base_group ou=Groups,dc=abv,dc=local?one
    nss_base_shadow ou=Users,dc=abv,dc=local?one
    uri ldap://<địa chỉ LDAP server>
    <tham số bị mất khi trích xuất> no
    tls_cacertdir /etc/openldap/cacerts
    pam_password md5
    Lưu ý: rootbinddn cần mật khẩu của Manager trong /etc/ldap.secret (chỉ root đọc được, mode 0600). Với uri ldap:// không bật TLS, mật khẩu bind và hash trong userPassword đi qua mạng ở dạng rõ, nên chỉ dùng trong mạng tin cậy hoặc chuyển sang ldaps:// / StartTLS.

    Copy file cấu hình mẫu OpenLDAP của hệ thống
    # cp /usr/share/doc/samba-3.0.33/LDAP/samba.schema /etc/openldap/schema/

    # cp /etc/openldap/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

    Cấu hình LDAP client

    # setup

    - Chọn Authentication configuration -> Run Tool

    - Next

    - OK -> Quit

    If you will not share users' /home with NFS, set config like below (users' home directory is made automatically when they log in)

    # vi /etc/pam.d/system-auth
    # add at the bottom

    session optional pam_mkhomedir.so skel=/etc/skel umask=077

    Khởi động dịch vụ ldap
    # /etc/init.d/ldap start
    # /etc/init.d/nscd start
    # chkconfig ldap on
    # chkconfig nscd on

    Phần 3: Cấu hình SMB-LDAP

    # vi /etc/smbldap-tools/smbldap_bind.conf
    slaveDN="cn=Manager,dc=abv,dc=local"
    slavePw="abv"
    masterDN="cn=Manager,dc=abv,dc=local"
    masterPw="abv"
    Lưu ý: file này chứa mật khẩu Manager ở dạng rõ, cần đảm bảo chỉ root đọc được (chmod 600).

    # vi /etc/smbldap-tools/smbldap.conf
    # Ex: sambaDomain="IDEALX-NT"
    sambaDomain="abv.local"



    # LDAP Suffix
    suffix="dc=abv,dc=local"

    userLoginShell="/bin/bash"
    userHome="/home/%U"
    userHomeDirectoryMode="700"
    userGecos="System User"
    defaultUserGid="513"
    defaultComputerGid="515"
    skeletonDir="/etc/skel"
    defaultMaxPasswordAge="45"




    # vi /etc/samba/smb.conf

    [global]
    workgroup = abv.local
    netbios name = ldapserver
    security = user
    enable privileges = yes
    username map = /etc/samba/smbusers
    server string = samba-ldap-pdc
    encrypt passwords = Yes
    #min passwd length = 3
    admin users = root
    #pam password change = no
    obey pam restrictions = No

    # method 1:
    #unix password sync = no
    ldap passwd sync = Yes

    # method 2:
    #unix password sync = yes
    #ldap passwd sync = no
    passwd program = /usr/sbin/smbldap-passwd -u "%u"

    passwd chat = "Changing *\nNew password*" %n\n "*Retype new password*" %n\n"

    log level = 0
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 100000
    #time server = Yes
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    mangling method = hash2
    Dos charset = CP932
    Unix charset = UTF-8

    logon script = logon.bat
    logon drive =
    logon home =
    logon path =

    domain logons = Yes

    domain master = Yes
    os level = 65
    preferred master = Yes
    wins support = yes

    passdb backend = ldapsam:ldap://<địa chỉ LDAP server>

    ldap admin dn = cn=Manager,dc=abv,dc=local
    ldap suffix = dc=abv,dc=local
    ldap group suffix = ou=Groups
    ldap user suffix = ou=Users
    ldap machine suffix = ou=Computers
    ldap idmap suffix = ou=Idmap

    idmap backend = ldap://<địa chỉ LDAP server>
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    add user script = /usr/sbin/smbldap-useradd -m "%u"
    ldap delete dn = Yes
    delete user script = /usr/sbin/smbldap-userdel "%u"
    add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
    add group script = /usr/sbin/smbldap-groupadd -p "%g"
    delete group script = /usr/sbin/smbldap-groupdel "%g"
    add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
    delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
    set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"

    [netlogon]
    path = /home/samba/netlogon/
    browseable = No
    read only = Yes

    [profiles]
    path = /home/samba/profiles
    read only = No
    create mask = 0600
    directory mask = 0700
    browseable = No
    guest ok = Yes
    profile acls = yes
    csc policy = disable
    # next line is a great way to secure the profiles
    force user = %U
    # next line allows administrator to access all profiles
    valid users = %U "Domain Admins"

    [homes]
    comment = Home Directories
    valid users = %U
    read only = No
    create mask = 0664
    directory mask = 0775
    browseable = no

    Tạo các folder cần thiết:
    # mkdir /home/samba
    # mkdir /home/samba/netlogon
    # mkdir /home/samba/profiles
    # chmod 1777 /home/samba/profiles/

    # smbpasswd -W abv

    # net getlocalsid

    # vi /etc/smbldap-tools/smbldap.conf

    Restart lại dịch vụ:
    # service ldap restart
    # service smb restart
    # chkconfig smb on
    # chkconfig ldap on

    # smbldap-populate

    Tạo user log on:
    # smbldap-useradd -a -m -c abv abv
    # smbldap-passwd abv

    Kiểm tra danh sách user:

    # smbldap-userlist

    Show thông tin user:
    # smbldap-usershow abv

    Phần 4: Join Windows XP vào Samba PDC

    Thực hiện join Windows XP vào Samba PDC:

    Restart máy, nhập username và password đăng nhập

    Ta thấy 1 ổ đĩa H: được chia sẻ từ máy Samba PDC. Tiến hành kiểm tra:
    - Tạo 1 folder trong ổ đĩa H:
    - Tạo 1 folder trên Desktop: "Desktop for abv"
    - Tạo 1 file txt "data for abv" trong folder "Desktop for abv"
    - Restart or shutdown máy Win XP

    Trên máy Samba PDC, ta thấy dữ liệu được tạo trong ổ đĩa H: được lưu trong thư mục /home/abv. Dữ liệu được tạo trên Desktop được lưu tại /home/samba/profiles/abv/Desktop.

    Tool quản trị phpLDAPadmin

    # yum --enablerepo=epel install phpldapadmin

    # vi /etc/httpd/conf.d/phpldapadmin.conf
    Alias /phpldapadmin /usr/share/phpldapadmin/htdocs
    Alias /ldapadmin /usr/share/phpldapadmin/htdocs

    Order Deny,Allow
    Deny from all
    Allow from <địa chỉ máy quản trị được phép>
    Allow from ::1

    Restart dịch vụ Apache
    # /etc/init.d/httpd restart
    # chkconfig httpd on

    Mở browser, truy cập: http://<địa chỉ server>/phpldapadmin
    - Chuyển các OU mẫu của OpenLDAP vào file base.ldif
    migration]# ./migrate_base.pl > base.ldif

    - Thêm nội dung vào OpenLDAP Server
    migration]# ldapadd -x -W -D "cn=Manager,dc=abv,dc=local" -f base.ldif

    Ở đây không cần các OU mẫu nên mình không đề cập đến phần cấu hình các file *.ldif
