Original poster
Posted on 2011-11-27 03:47:47
First machine: pluto
USE flags relevant to samba:
#file /etc/portage/package.use
...
############
# for samba3
############
net-fs/samba examples ldap ads winbind
net-fs/cifs-utils ads
...
Install:
# emerge samba nss_ldap pam_ldap smbldap-tools
Then start configuring:
Change ownership of the openldap database:
# cp /var/lib/openldap-data/DB_CONFIG.example /var/lib/openldap-data/DB_CONFIG
# chown ldap:ldap /var/lib/openldap-*
Generate a 'secure' password.
# slappasswd -h {MD5}
New password: voodoo
Re-enter new password: voodoo
{MD5}tKorSNvqiYjgmt3Ua0y/OA==
OpenLDAP configuration files to change (3 of them):
# grep -v '^$' /etc/openldap/slapd.conf | grep -v '^#'
include /etc/openldap/schema/core.schema # schemas; mind the order
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
loglevel 256 # comment out once it runs normally
database bdb
suffix "dc=pla,dc=net" # domain name
rootdn "cn=Manager,dc=pla,dc=net"
rootpw {MD5}tKorSNvqiYjgmt3Ua0y/OA== # heh, the one generated just now
directory /var/lib/openldap-data/
index sambaSID eq # samba-related
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index objectClass,uid,uidNumber,gidNumber,memberUid eq
index cn,mail,surname,givenname eq,subinitial
overlay syncprov # this line and everything below must be commented out until openldap runs normally
syncprov-checkpoint 100 10 # this is the openldap master configuration
syncprov-sessionlog 10
updatedn cn=Manager,dc=pla,dc=net
# grep -v '^$' /etc/openldap/ldap.conf | grep -v '^#'
HOST 127.0.0.1
BASE dc=pla,dc=net
# grep -v '^$' /etc/conf.d/slapd | grep -v '^#'
OPTS="-h 'ldaps:// ldap:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"
Test it to see whether anything was changed wrongly:
# slaptest
config file testing succeeded
If there are no errors, start it:
# /etc/init.d/slapd start
Once it starts successfully, a bunch of files appear under /var/lib/openldap-data.
# rc-update add slapd default
Next, configure the PAM module:
Create a new system-auth-ldap in /etc/pam.d
# grep -v '^$' /etc/pam.d/system-auth-ldap | grep -v '^#'
auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_ldap.so
password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3 type=
password sufficient pam_unix.so nullok md5 shadow use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session required pam_limits.so
session required pam_unix.so
session optional pam_ldap.so
Replace the original system-auth
# cd /etc/pam.d
# mv system-auth system-auth-default
# ln -s system-auth-ldap system-auth
Configure NSS_LDAP
The passwd:, group: and shadow: lines need changing to look like this:
passwd: files ldap
group: files ldap
shadow: files ldap
/etc/ldap.conf
# grep -v '^$' /etc/ldap.conf | grep -v '^#'
host 127.0.0.1
base dc=pla,dc=net
nss_base_passwd ou=Computers,dc=pla,dc=net?sub # passwd has two lines, one for machine accounts,
nss_base_passwd ou=Users,dc=pla,dc=net?sub # one for user accounts.
nss_base_shadow ou=Users,dc=pla,dc=net?sub # if missing, joining the domain produces
nss_base_group ou=Groups,dc=pla,dc=net?one # "user name could not be found error"
ssl no
pam_password md5
Create a directory for the logs
# mkdir -p /var/log/nss_ldap
OK, openldap is done; next configure Samba
A long, long file:
# grep -v '^$' /etc/samba/smb.conf | grep -v '^#'
[global]
netbios name = PLUTO
workgroup = PLA
server string = Primary Domain Controller
hosts allow = 192.168.0. 127.0.0.0/8
#security = domain
security = user
encrypt passwords = yes
#encrypt passwords = no
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
interfaces = lo eth1
bind interfaces only = yes
local master = yes
os level = 65
domain master = yes
preferred master = yes
null passwords = yes
hide unreadable = yes
hide dot files = yes
domain logons = yes
logon script = netlogin.bat
logon home = \\%L\%U\.9xprofile
wins support = yes
name resolve order = wins lmhosts host bcast
dns proxy = no
time server = yes
log file = /var/log/samba/log.%m
max log size = 50
add user script = /usr/sbin/smbldap-useradd -m "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
#passdb backend = ldapsam:ldap://pluto.pla.net:389/
passdb backend = ldapsam:ldap://127.0.0.1/
ldap passwd sync = Yes
ldap delete dn = Yes
ldap ssl = no
winbind nested groups = no
ldap suffix = dc=pla,dc=net
ldap admin dn = cn=Manager,dc=pla,dc=net
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Idmap
#follow symlinks = yes
guest account = nobody
map to guest = bad user
username map = /etc/samba/smbusers
lanman auth = yes
client lanman auth = yes
client plaintext auth = Yes
guest ok = Yes
load printers = yes
printing = cups
printcap name = cups
#follow symlinks = no
wide links = yes
unix extensions = no
# enable some read/write tuning
use sendfile = yes
read raw = yes
write raw = yes
aio read size = 16384
aio write size = 16384
max xmit = 65536
large readwrite = yes
getwd cache = yes
# disable locking, because only 2 shares can be written.
strict locking = no
fake oplocks = yes
#oplocks = no
[homes]
comment = Home Directories
path = /home/%U
browseable = no
valid users = %S
read only = no
guest ok = Yes
inherit permissions = yes
create mask = 1750
directory mask = 1750
[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
guest ok = yes
read only = yes
browseable = no
[profiles]
path = /var/lib/samba/profiles
; rm -r /var/lib/samba/profiles
; ln -s /home/root/profiles /var/lib/samba
;path = /home/root/profiles
browseable = no
writeable = yes
default case = lower
preserve case = no
short preserve case = no
case sensitive = no
hide files = /desktop.ini/ntuser.ini/NTUSER.*/
write list = @"Domain Admins" @root
create mask = 0600
directory mask = 0700
csc policy = disable
profile acls = yes
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = yes
writable = no
printable = yes
#printer admin = @"Domain Admins" @root
[print$]
comment = Printer Drivers
path = /usr/share/cups/drivers
browseable = yes
guest ok = yes
read only = yes
write list = @"Domain Admins" @root
[share]
comment =
path = /srv/samba/share
public = yes
writeable = yes
browseable = yes
write list = @"Domain Admins" @root
force group = "Domain Users"
create mask = 1770
directory mask = 1770
The script lines in the file are best tested on the command line first.
PS: hopefully you have already configured the printing system (cups); otherwise, comment out everything print-related.
Check smb.conf for problems again:
# testparm
nscd must be started before samba
# /etc/init.d/nscd start
# rc-update add nscd default
Initialise Samba:
Here the password has to be typed on the command line.
# smbpasswd -w voodoo
Now start samba:
# /etc/init.d/samba start
Add it to the default runlevel
# rc-update add samba default
Configure smbldap-tools
# net getlocalsid
SID for domain PLUTO is: S-1-5-21-3703136135-3562887566-3821247147
# smbldap-configure.pl
(interactive; if you don't like it, you can directly edit the two files under /etc/smbldap-tools)
# smbldap-populate
...
After a bunch of "adding new entry:" lines it asks you to set the domain root password:
Please provide a password for the domain root:
Changing password for root
New password :
Retype new password :
You may prefer to set the uid and gid (the default is 1000).
smbldap-populate -u 1550 -g 1500
If successful, a few files starting with samba appear under /var/lib/openldap-data.
Don't forget to join the domain:
# net rpc join -S pluto -U root
password:
joined domain smbdomain
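An added example, not part of the original post: a small Python check that flags the authentication-weakening settings visible in the smb.conf and slapd.conf shown above (lanman and plaintext auth, null passwords, the LDAP admin bind without TLS, and an unsalted {MD5} rootpw). The SMB_WEAK table, the function names and the sample excerpts are this example's own assumptions, constructed to mirror the posted files.

```python
import re

# Authentication-weakening settings visible in the posted smb.conf:
# key -> (value the post uses, hardened value).  Table is this example's own.
SMB_WEAK = {
    "lanman auth": ("yes", "no"),            # LM hashes are trivially cracked
    "client lanman auth": ("yes", "no"),
    "client plaintext auth": ("yes", "no"),  # cleartext client passwords
    "null passwords": ("yes", "no"),         # empty-password logons
    "ldap ssl": ("no", "start tls"),         # ldap admin dn binds without TLS
}

def parse_smb_conf(text):
    """Return {section: {key: value}}, skipping '#'/';' comment lines."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1)
            conf.setdefault(section, {})
            continue
        key, sep, val = line.partition("=")
        if section is not None and sep:
            conf[section][key.strip().lower()] = val.strip().lower()
    return conf

def audit_smb_conf(text):
    """List (key, current, recommended) for each weak [global] setting."""
    glob = parse_smb_conf(text).get("global", {})
    return [(k, glob[k], good) for k, (bad, good) in SMB_WEAK.items()
            if glob.get(k) == bad]

def rootpw_scheme(slapd_conf):
    """Hash scheme of the slapd.conf rootpw: 'cleartext' if unhashed,
    None if absent.  {MD5}/{SHA} are unsalted; slappasswd defaults to {SSHA}."""
    for line in slapd_conf.splitlines():
        m = re.match(r"\s*rootpw\s+(\S+)", line)
        if m:
            scheme = re.match(r"\{(\w+)\}", m.group(1))
            return scheme.group(1) if scheme else "cleartext"
    return None

# Constructed excerpts mirroring the post's files (not real config dumps).
SMB_SAMPLE = ("[global]\nnull passwords = yes\nldap ssl = no\n"
              "lanman auth = yes\nclient plaintext auth = Yes\n")
SLAPD_SAMPLE = "rootpw {MD5}EXAMPLEHASHONLY==\n"  # placeholder hash
```

Running `audit_smb_conf` over the real smb.conf above lists every [global] line to tighten, and `rootpw_scheme` on slapd.conf reports "MD5", the unsalted scheme the post chose over slappasswd's default {SSHA}.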