This is another of the lab posts for the LPI 300 certification, this time covering the integration of Samba 3 with LDAP.
1) Installing the requirements:
Packages via yum:
yum install perl-Crypt-SmbHash.noarch perl-POE-Component-Client-LDAP.noarch samba openldap openldap-clients openldap-servers compat-openldap -y
Packages via RPM:
rpm -ivh http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm
rpm -Uvh http://download.gna.org/smbldap-tools/packages/el6/smbldap-tools-0.9.10-1.el6.noarch.rpm
2) Configuring OpenLDAP:
Creating the OpenLDAP root password:
slappasswd -s 123456
Note: the output of this command must be placed in the rootpw field of the slapd.conf file.
slapd.conf configuration:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
idletimeout 0
loglevel 0
database bdb
suffix "dc=fajlinux,dc=com"
rootdn "cn=Manager,dc=fajlinux,dc=com"
rootpw {SSHA}konrjqSR+iwPsO920iOUJ/O+YXHdIP4Y
directory /var/lib/ldap
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uid,memberUid eq,pres,sub
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
sizelimit 256
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
  by self write
  by anonymous auth
  by * none
access to *
  by * read
Copying the required files:
cp /usr/share/doc/samba-3.*/LDAP/samba.schema /etc/openldap/schema/
cp /etc/openldap/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap:ldap /var/lib/ldap/DB_CONFIG
chmod 600 /var/lib/ldap/DB_CONFIG
3) Creating the LDIF (/etc/openldap/init.ldif; the users container is ou=Users, matching the suffixes used in smb.conf and smbldap.conf below):
dn: dc=fajlinux,dc=com
dc: fajlinux
objectClass: top
objectClass: domain

dn: ou=Users,dc=fajlinux,dc=com
ou: Users
objectClass: top
objectClass: organizationalUnit

dn: ou=Groups,dc=fajlinux,dc=com
ou: Groups
objectClass: top
objectClass: organizationalUnit

dn: ou=Computers,dc=fajlinux,dc=com
ou: Computers
objectClass: top
objectClass: organizationalUnit

dn: ou=Idmap,dc=fajlinux,dc=com
ou: Idmap
objectClass: top
objectClass: organizationalUnit
Loading the LDIF and fixing ownership and permissions so the database files load correctly:
slapadd -l /etc/openldap/init.ldif
chown -R ldap:ldap /var/lib/ldap
chmod 600 /var/lib/ldap/*
4) Starting OpenLDAP and enabling the service at boot:
service slapd start
chkconfig slapd on
5) Configuring Samba:
Copying the required files:
mv /etc/samba/smb.conf /etc/samba/smb.conf.dist
cp /usr/share/doc/smbldap-tools*/smb.conf /etc/samba/smb.conf
Configuration of /etc/samba/smb.conf:
[global]
workgroup = FAJLINUX
netbios name = fajlinux
deadtime = 10
log level = 1
log file = /var/log/samba/log.%m
max log size = 5000
debug pid = yes
debug uid = yes
syslog = 0
utmp = yes
security = user
domain logons = yes
os level = 64
logon path =
logon home =
logon drive =
logon script =
passdb backend = ldapsam:"ldap://127.0.0.1/"
ldap ssl = off
ldap admin dn = cn=Manager,dc=fajlinux,dc=com
ldap delete dn = no
## Sync UNIX password with Samba password
## Method 1:
ldap password sync = yes
## Method 2:
;ldap password sync = no
;unix password sync = yes
;passwd program = /usr/sbin/smbldap-passwd -u '%u'
;passwd chat = "Changing *\nNew password*" %n\n "*Retype new password*" %n\n"
ldap suffix = dc=fajlinux,dc=com
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Idmap
add user script = /usr/sbin/smbldap-useradd -m '%u' -t 1
rename user script = /usr/sbin/smbldap-usermod -r '%unew' '%uold'
delete user script = /usr/sbin/smbldap-userdel '%u'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
add group script = /usr/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/sbin/smbldap-groupdel '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
add machine script = /usr/sbin/smbldap-useradd -w '%u' -t 1

[NETLOGON]
path = /var/lib/samba/netlogon
browseable = no
share modes = no

[PROFILES]
path = /var/lib/samba/profiles
browseable = no
writeable = yes
create mask = 0611
directory mask = 0700
profile acls = yes
csc policy = disable
map system = yes
map hidden = yes
6) Configuring smbldap-tools:
Run the command below to get the machine's SID:
net getlocalsid
In /etc/smbldap-tools/smbldap.conf, note that the SID option holds the output of the command run in the previous step:
SID="S-1-5-21-2878116566-4045344489-379077031"
slaveLDAP="ldap://127.0.0.1/"
masterLDAP="ldap://127.0.0.1/"
ldapTLS="0"
verify="none"
cafile="/etc/smbldap-tools/ca.pem"
clientcert="/etc/smbldap-tools/smbldap-tools.example.com.pem"
clientkey="/etc/smbldap-tools/smbldap-tools.example.com.key"
suffix="dc=fajlinux,dc=com"
usersdn="ou=Users,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=Idmap,${suffix}"
sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
scope="sub"
password_hash="SSHA"
password_crypt_salt_format="%s"
userLoginShell="/bin/bash"
userHome="/home/%U"
userHomeDirectoryMode="700"
userGecos="System User"
defaultUserGid="513"
defaultComputerGid="515"
skeletonDir="/etc/skel"
shadowAccount="1"
userSmbHome="\\PDC-SRV\%U"
userProfile="\\PDC-SRV\profiles\%U"
userHomeDrive="H:"
userScript="logon.bat"
mailDomain="localhost"
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"
Configuration of the /etc/smbldap-tools/smbldap_bind.conf file (the bind DN and password that the smbldap-tools use to write to the directory):
slaveDN="cn=Manager,dc=fajlinux,dc=com"
slavePw="123456"
masterDN="cn=Manager,dc=fajlinux,dc=com"
masterPw="123456"
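The containers named in smb.conf (ldap user/group/machine/idmap suffix) and in smbldap.conf (usersdn, groupsdn, ...) must exist in the LDIF loaded in step 3, and each LDIF entry's RDN value must appear in its naming attribute or slapadd refuses it. The following checker is an added example, not part of the original lab; the LDIF and smb.conf fragments are constructed from this lab's values, with a deliberate ou=People/ou: Users mismatch to show what it catches.

```python
import re

# Constructed fragments using this lab's DNs (not the complete files).
LDIF = """\
dn: dc=fajlinux,dc=com
dc: fajlinux
objectClass: domain

dn: ou=People,dc=fajlinux,dc=com
ou: Users
objectClass: organizationalUnit

dn: ou=Groups,dc=fajlinux,dc=com
ou: Groups
objectClass: organizationalUnit
"""

SMB_CONF = """\
ldap suffix = dc=fajlinux,dc=com
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
"""

def parse_ldif(text):
    """Return one {attribute: [values]} dict per blank-line-separated LDIF entry."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip(), []).append(value.strip())
        entries.append(entry)
    return entries

def rdn_mismatches(entries):
    """DNs whose RDN value is absent from the naming attribute (slapadd rejects these)."""
    bad = []
    for e in entries:
        attr, _, value = e["dn"][0].split(",", 1)[0].partition("=")
        if value not in e.get(attr, []):
            bad.append(e["dn"][0])
    return bad

def missing_suffixes(entries, smb_conf):
    """smb.conf 'ldap <kind> suffix' containers with no matching entry in the LDIF."""
    base = re.search(r"^ldap suffix\s*=\s*(.+)$", smb_conf, re.M).group(1).strip()
    dns = {e["dn"][0].lower() for e in entries}
    pattern = r"^ldap (?:user|group|machine|idmap) suffix\s*=\s*(.+)$"
    wanted = [f"{m.group(1).strip()},{base}".lower() for m in re.finditer(pattern, smb_conf, re.M)]
    return [dn for dn in wanted if dn not in dns]
```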
7) Starting Samba and populating the LDAP base:
In order, I am setting the Samba password in LDAP, populating the LDAP database, and starting the Samba service.
smbpasswd -W
smbldap-populate
service smb start
chkconfig smb on
When we run the “smbldap-populate” command, the output should look like this:
I will keep posting more LPI 3 labs soon. See you!