LPI 300 : SAMBA 3 LDAP

This is another of the lab posts for the LPI 300 certification, this time covering the integration of Samba 3 with LDAP.

1) Installing the prerequisites:

Packages via yum

yum install perl-Crypt-SmbHash.noarch perl-POE-Component-Client-LDAP.noarch \
samba openldap openldap-clients openldap-servers compat-openldap -y

Packages via RPM

rpm -ivh http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm
rpm -Uvh http://download.gna.org/smbldap-tools/packages/el6/smbldap-tools-0.9.10-1.el6.noarch.rpm

2) Configuring OpenLDAP:

Creating the OpenLDAP root password:

slappasswd -s 123456

Note: the hash printed by this command must be placed in the rootpw entry of slapd.conf.

slapd.conf configuration:

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
allow bind_v2
pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args
idletimeout     0
loglevel 0
database        bdb
suffix          "dc=fajlinux,dc=com"
rootdn          "cn=Manager,dc=fajlinux,dc=com"
rootpw          {SSHA}konrjqSR+iwPsO920iOUJ/O+YXHdIP4Y
directory       /var/lib/ldap
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uid,memberUid                     eq,pres,sub
index sambaSID,sambaPrimaryGroupSID,sambaDomainName   eq
sizelimit  256
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
        by self write
        by anonymous auth
        by * none
access to *
        by * read

Copying the required files:

cp /usr/share/doc/samba-3.*/LDAP/samba.schema /etc/openldap/schema/
cp /etc/openldap/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap:ldap /var/lib/ldap/DB_CONFIG
chmod 600 /var/lib/ldap/DB_CONFIG

3) Creating the LDIF, saved as /etc/openldap/init.ldif:

dn: dc=fajlinux,dc=com
dc: fajlinux
objectClass: top
objectClass: domain

dn: ou=Users,dc=fajlinux,dc=com
ou: Users
objectClass: top
objectClass: organizationalUnit

dn: ou=Groups,dc=fajlinux,dc=com
ou: Groups
objectClass: top
objectClass: organizationalUnit

dn: ou=Computers,dc=fajlinux,dc=com
ou: Computers
objectClass: top
objectClass: organizationalUnit

dn: ou=Idmap,dc=fajlinux,dc=com
ou: Idmap
objectClass: top
objectClass: organizationalUnit

Loading the LDIF and checking that it imports correctly (run slapadd with slapd stopped):

slapadd -l /etc/openldap/init.ldif
chown -R ldap:ldap /var/lib/ldap
chmod 600 /var/lib/ldap/*

4) Starting OpenLDAP and enabling the service at boot:

service slapd start
chkconfig slapd on

5) Configuring Samba:

Copying the required files:

mv /etc/samba/smb.conf /etc/samba/smb.conf.dist
cp /usr/share/doc/smbldap-tools*/smb.conf /etc/samba/smb.conf

/etc/samba/smb.conf configuration:

[global]
	workgroup = FAJLINUX
	netbios name = fajlinux

	deadtime = 10

	log level = 1
	log file = /var/log/samba/log.%m
	max log size = 5000
	debug pid = yes
	debug uid = yes
	syslog = 0
	utmp = yes

	security = user
	domain logons = yes
	os level = 64
	logon path =
	logon home =
	logon drive =
	logon script =

	passdb backend = ldapsam:"ldap://127.0.0.1/"
	ldap ssl = off
	ldap admin dn = cn=Manager,dc=fajlinux,dc=com
	ldap delete dn = no

	## Sync UNIX password with Samba password
	## Method 1:
	ldap password sync = yes
	## Method 2:
	;ldap password sync = no
	;unix password sync = yes
	;passwd program = /usr/sbin/smbldap-passwd -u '%u'
	;passwd chat = "Changing *\nNew password*" %n\n "*Retype new password*" %n\n

	ldap suffix = dc=fajlinux,dc=com
	ldap user suffix = ou=Users
	ldap group suffix = ou=Groups
	ldap machine suffix = ou=Computers
	ldap idmap suffix = ou=Idmap

	add user script = /usr/sbin/smbldap-useradd -m '%u' -t 1
	rename user script = /usr/sbin/smbldap-usermod -r '%unew' '%uold'
	delete user script = /usr/sbin/smbldap-userdel '%u'
	set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
	add group script = /usr/sbin/smbldap-groupadd -p '%g'
	delete group script = /usr/sbin/smbldap-groupdel '%g'
	add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
	delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
	add machine script = /usr/sbin/smbldap-useradd -w '%u' -t 1

[NETLOGON]
	path = /var/lib/samba/netlogon
	browseable = no
	share modes = no

[PROFILES]
	path = /var/lib/samba/profiles
	browseable = no
	writeable = yes
	create mask = 0611
	directory mask = 0700
	profile acls = yes
	csc policy = disable
	map system = yes
	map hidden = yes
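The OU names have to agree across the LDIF, smb.conf (ldap user suffix and friends) and smbldap.conf (usersdn and friends): an entry whose RDN says ou=People while its attribute says ou: Users is rejected by slapadd, and Samba would later look for a users OU that does not exist. The script below is an added example, not from the original post; it checks an LDIF and an smb.conf for both problems using constructed sample files that mirror this lab's layout.

```shell
# Added check, not part of the original post: the OU in each LDIF entry's RDN
# must also be an attribute of that entry, and every OU smb.conf points Samba
# at must exist in the LDIF. Sample files below are constructed for this lab.

# check_ldif_rdns FILE: fail if an entry's RDN value (e.g. ou=People) is not
# present as "attr: value" in the same entry; slapadd rejects such entries.
check_ldif_rdns() {
  awk '
    /^dn: / { dn = $2; split(dn, r, ","); split(r[1], kv, "="); attr = kv[1]; val = kv[2]; ok = 0; next }
    $1 == (attr ":") && $2 == val { ok = 1 }
    /^$/ && dn != "" { if (!ok) { print "entry " dn " lacks " attr ": " val; bad = 1 } dn = "" }
    END { if (dn != "" && !ok) { print "entry " dn " lacks " attr ": " val; bad = 1 } exit bad }
  ' "$1"
}

# check_smb_suffixes LDIF SMBCONF: each "ldap <x> suffix = ou=..." in smb.conf
# must match a "dn: ou=...,<ldap suffix>" entry in the LDIF.
check_smb_suffixes() {
  ldif=$1; conf=$2; rc=0
  base=$(sed -n 's/^[[:space:]]*ldap suffix[[:space:]]*=[[:space:]]*//p' "$conf")
  for ou in $(sed -n 's/^[[:space:]]*ldap [a-z]* suffix[[:space:]]*=[[:space:]]*//p' "$conf"); do
    grep -qxF "dn: $ou,$base" "$ldif" || { echo "smb.conf expects $ou,$base but the LDIF has no such entry"; rc=1; }
  done
  return $rc
}

# Constructed sample: the LDIF reproduces the ou=People / ou: Users mismatch.
WORK=$(mktemp -d)
cat > "$WORK/init.ldif" <<'EOF'
dn: dc=fajlinux,dc=com
dc: fajlinux
objectClass: top
objectClass: domain

dn: ou=People,dc=fajlinux,dc=com
ou: Users
objectClass: top
objectClass: organizationalUnit
EOF
cat > "$WORK/smb.conf" <<'EOF'
[global]
    ldap suffix = dc=fajlinux,dc=com
    ldap user suffix = ou=Users
EOF
# Fixed copy: rename the RDN so it matches the attribute and Samba's suffix.
sed 's/^dn: ou=People,/dn: ou=Users,/' "$WORK/init.ldif" > "$WORK/fixed.ldif"

check_ldif_rdns "$WORK/init.ldif" || echo "init.ldif would be rejected by slapadd"
check_smb_suffixes "$WORK/fixed.ldif" "$WORK/smb.conf" && echo "fixed.ldif matches smb.conf"
```

Point both functions at the real /etc/openldap/init.ldif and /etc/samba/smb.conf before running slapadd; a non-zero exit means one of the two files needs correcting.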

 

6) Configuring smbldap-tools:

Run the command below to get the machine's SID:

net getlocalsid

In /etc/smbldap-tools/smbldap.conf, note that the SID option holds the output of the command run in the previous step:

SID="S-1-5-21-2878116566-4045344489-379077031"
# Samba domain name, expanded as ${sambaDomain} below; must match the workgroup in smb.conf
sambaDomain="FAJLINUX"
slaveLDAP="ldap://127.0.0.1/"
masterLDAP="ldap://127.0.0.1/"
ldapTLS="0"
verify="none"
cafile="/etc/smbldap-tools/ca.pem"
clientcert="/etc/smbldap-tools/smbldap-tools.example.com.pem"
clientkey="/etc/smbldap-tools/smbldap-tools.example.com.key"
suffix="dc=fajlinux,dc=com"
usersdn="ou=Users,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=Idmap,${suffix}"
sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
scope="sub"
password_hash="SSHA"
password_crypt_salt_format="%s"
userLoginShell="/bin/bash"
userHome="/home/%U"
userHomeDirectoryMode="700"
userGecos="System User"
defaultUserGid="513"
defaultComputerGid="515"
skeletonDir="/etc/skel"
shadowAccount="1"
userSmbHome="\\PDC-SRV\%U"
userProfile="\\PDC-SRV\profiles\%U"
userHomeDrive="H:"
userScript="logon.bat"
mailDomain="localhost"
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"

Configuration of the /etc/smbldap-tools/smbldap_bind.conf file:

slaveDN="cn=Manager,dc=fajlinux,dc=com"
slavePw="123456"
masterDN="cn=Manager,dc=fajlinux,dc=com"
masterPw="123456"

7) Starting Samba and populating the LDAP database:

In order, I am configuring the Samba password in LDAP, populating the LDAP database and starting the Samba service.

smbpasswd -W
smbldap-populate
service smb start
chkconfig smb on

When we run the "smbldap-populate" command, the output should look like this:

[Screenshot 2014-10-11 at 20.26.06: smbldap-populate output]

I will keep posting more LPI 3 labs soon, see you!