This article builds a PDC (Primary Domain Controller) with Samba + OpenLDAP, which essentially reproduces the functionality of a Windows NT 4.0 domain controller. It is based on several articles by Fandy on www.nseasy.net, revised with my own hands-on experience; if you find anything that conflicts, please let me know so it can be corrected. The content is related to the BDC, Mail Server and File Server articles.

Basic environment:
    Linux OS:    CentOS Linux 4.4
    Domain name: openmyhand.com
    IP addresses:
        PDC         192.168.100.1
        BDC         192.168.100.2
        Mail Server 192.168.100.3
        File Server 192.168.100.4

Step 1. Check the required packages

Required packages:
    db4-4.2.52-7.1.i386.rpm
    db4-utils-4.2.52-7.1.i386.rpm
    db4-devel-4.2.52-7.1.i386.rpm
    openldap-2.2.13-6.4E.i386.rpm
    openldap-devel-2.2.13-6.4E.i386.rpm
    openldap-servers-2.2.13-6.4E.i386.rpm
    openldap-clients-2.2.13-6.4E.i386.rpm
    nss_ldap-226-13.i386.rpm
    samba-3.0.10-1.4E.9.i386.rpm
    samba-client-3.0.10-1.4E.9.i386.rpm
    samba-common-3.0.10-1.4E.9.i386.rpm
    perl-Digest-SHA1-2.07-5.i386.rpm
    perl-LDAP-0.31-5.noarch.rpm
    perl-XML-SAX-0.12-7.noarch.rpm
    perl-Crypt-SmbHash-0.12-1.2.el4.rf.noarch.rpm
    smbldap-tools-0.9.1-1.2.el4.rf.noarch.rpm

To check whether they are installed:
    rpm -qa | grep db4
    rpm -qa | grep openldap
    rpm -qa | grep nss_ldap
    rpm -qa | grep samba
    rpm -qa | grep perl-Digest
    rpm -qa | grep perl-LDAP
    rpm -qa | grep perl-XML-SAX
    rpm -qa | grep perl-Crypt-SmbHash
    rpm -qa | grep smbldap-tools

If any are missing, take them from the CentOS 4.4 installation CDs and install them with rpm -vih <package>. perl-Crypt-SmbHash-0.12-1.2.el4.rf.noarch.rpm and smbldap-tools-0.9.1-1.2.el4.rf.noarch.rpm are not on the CDs and have to be installed separately.

Details:
    rpm -vih perl-Crypt-SmbHash-0.12-1.2.el4.rf.noarch.rpm
    rpm -vih smbldap-tools-0.9.1-1.2.el4.rf.noarch.rpm

Step 2. Basic system settings

1. Set the IP address: edit /etc/sysconfig/network-scripts/ifcfg-eth0

Details:
    DEVICE=eth0
    ONBOOT=yes
    BOOTPROTO=static
    IPADDR=192.168.100.1
    NETMASK=255.255.255.0
    GATEWAY=192.168.100.1

2. Set the host name: edit /etc/sysconfig/network

Details:
    HOSTNAME=pdc.openmyhand.com

3. Map host names to IP addresses: edit /etc/hosts

Details:
    # Do not remove the following line, or various programs
    # that require network functionality will fail.
    127.0.0.1       localhost.localdomain localhost
    192.168.100.1   pdc.openmyhand.com pdc
    192.168.100.2   bdc.openmyhand.com bdc
    192.168.100.3   mail.openmyhand.com mail
    192.168.100.4   file.openmyhand.com file

4. Reboot the machine so the settings take effect.

Step 3. Set up system authentication

Run setup to open the configuration menu. Select "Authentication configuration" and press Enter. On the next screen press Space to select:
    [*] Cache Information
    [*] Use LDAP
    [*] Use MD5 Passwords
    [*] Use Shadow Passwords
    [*] Use LDAP Authentication
Go to Next and press Enter. Change "Base DN:" to the DN form of your domain name, e.g. openmyhand.com becomes dc=openmyhand,dc=com. Go to OK and press Enter to return to the main menu, then go to Quit and press Enter to leave the setup program.

Step 4. Install LDAP (Master)

1. Copy samba.schema to /etc/openldap/schema/ (this adds the Samba attribute definitions that LDAP needs for Samba authentication).

Details:
    # cp /usr/share/doc/samba-3.0.10/LDAP/samba.schema /etc/openldap/schema/

2. Edit /etc/openldap/slapd.conf as follows.

Configuration:
    After the existing lines
        include /etc/openldap/schema/core.schema
        include /etc/openldap/schema/cosine.schema
        include /etc/openldap/schema/inetorgperson.schema
        include /etc/openldap/schema/nis.schema
    add this line:
        include /etc/openldap/schema/samba.schema

    Change
        suffix "dc=my-domain,dc=com"
        rootdn "cn=Manager,dc=my-domain,dc=com"
    to:
        suffix "dc=openmyhand,dc=com"            # (the base of the LDAP search tree)
        rootdn "cn=root,dc=openmyhand,dc=com"    # (the LDAP manager DN)

    Change
        # rootpw secret
    to:
        rootpw lawrence    # (the manager DN password; slappasswd can produce an {SSHA} hash to use here instead of the cleartext value)

    Change
        index objectClass eq,pres
        index ou,cn,mail,surname,givenname eq,pres,sub
        index uidNumber,gidNumber,loginShell eq,pres
        index uid,memberUid eq,pres,sub
        index nisMapName,nisMapEntry eq,pres,sub
    to:
        index objectClass,uidNumber,gidNumber eq
        index cn,sn,uid,displayName pres,sub,eq
        index memberUid,mail,givenname eq,subinitial
        index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq

    # Append the following at the end of the file; note the exact layout
    # (the replica continuation lines must start with whitespace).
    replogfile /var/lib/ldap/openldap-slave.replog
    # (replication settings for the BDC; the host name is the one given in /etc/hosts)
    replica host=bdc.openmyhand.com:389
        binddn="cn=root,dc=openmyhand,dc=com"
        bindmethod=simple credentials=lawrence    # (the manager DN password)

    access to attrs=userPassword,sambaLMPassword,sambaNTPassword
        by self write
        by anonymous auth
        by * none
    access to * by * read

3. Edit /etc/openldap/ldap.conf

Configuration:
    Change
        TLS_CACERTDIR /etc/openldap/cacerts    (TLS is not used in this setup)
    to:
        # TLS_CACERTDIR /etc/openldap/cacerts

4. Edit /etc/ldap.conf

Configuration:
    Change
        TLS_CACERTDIR /etc/openldap/cacerts
    to:
        # TLS_CACERTDIR /etc/openldap/cacerts

    # Append the Base DN settings at the end of the file; note the exact layout.
    # e.g. openmyhand.com becomes dc=openmyhand,dc=com
    rootbinddn cn=root,dc=openmyhand,dc=com
    nss_base_passwd ou=Users,dc=openmyhand,dc=com?one
    nss_base_passwd ou=Computers,dc=openmyhand,dc=com?one
    nss_base_shadow ou=Users,dc=openmyhand,dc=com?one
    nss_base_group ou=Groups,dc=openmyhand,dc=com?one

Set the DN password for the pam_ldap module (lawrence is the DN password):

Configuration:
    # echo lawrence > /etc/ldap.secret
    # chmod 600 /etc/ldap.secret

Step 5. Test that the LDAP configuration is correct

1. Restart LDAP

Details:
    # service ldap restart
    Stopping slapd:                                            [FAILED]
    Checking configuration files for slapd:  config file testing succeeded
    Starting slapd:                                            [  OK  ]

(The FAILED on stopping is expected when slapd was not running yet.)

2. Check that the port is listening

Details:
    # telnet localhost 389
    Trying 127.0.0.1...
    Connected to localhost.localdomain (127.0.0.1).
    Escape character is '^]'.
    ^]                      (press Ctrl + ])
    telnet> quit
    Connection closed.

3. Query the LDAP directory:

Details:
    # ldapsearch -x -h 127.0.0.1 -b "dc=openmyhand,dc=com"
    # The output looks like this:
    # extended LDIF
    #
    # LDAPv3
    # base <dc=openmyhand,dc=com> with scope sub
    # filter: (objectclass=*)
    # requesting: ALL
    #

    # search result
    search: 2
    result: 32 No such object

    # numResponses: 1

"No such object" is the expected result at this point: the directory is still empty and is only populated by smbldap-populate in Step 6.

Step 6. Configure Samba as the PDC

1. Edit the Samba configuration file /etc/samba/smb.conf; the full contents are as follows.

Configuration:
    ################ Global parameters ####################
    [global]
        workgroup = openmyhand.com
        netbios name = PDC
        server string = PDC Server
        log file = /var/log/samba/log.%m
        security = user
        encrypt passwords = Yes
        obey pam restrictions = No
        ldap passwd sync = Yes
        log level = 3
        syslog = 0
        max log size = 100000
        time server = Yes
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        mangling method = hash2
        Dos charset = UTF-8
        Unix charset = UTF-8
        logon script = %U.bat
        logon drive = H:
        logon home = \\%L\%u
        domain logons = yes
        os level = 65
        domain master = yes
        preferred master = yes
        local master = yes
        passdb backend = ldapsam:ldap://127.0.0.1/
        ldap admin dn = cn=root,dc=openmyhand,dc=com
        ldap suffix = dc=openmyhand,dc=com
        ldap group suffix = ou=Groups
        ldap user suffix = ou=Users
        ldap machine suffix = ou=Computers
        ldap ssl = off
        ldap delete dn = Yes
        add user script = /usr/sbin/smbldap-useradd -m "%u"
        add machine script = /usr/sbin/smbldap-useradd -d /dev/null -g 100 -s /bin/false -M %u
        add group script = /usr/sbin/smbldap-groupadd -p "%g"
        add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
        delete user script = /usr/sbin/smbldap-userdel "%u"
        delete group script = /usr/sbin/smbldap-groupdel "%g"
        delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
        set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
        idmap uid = 16777216-33554431
        idmap gid = 16777216-33554431
        template shell = /bin/false
        winbind use default domain = no

    ################ Homes parameters ###############
    [homes]
        comment = repertoire de %U, %u
        browseable = no
        writeable = yes
        read only = no
        force create mode = 0700
        create mode = 0700
        force directory mode = 0700
        directory mode = 700

    ############ Netlogon parameters #################
    [netlogon]
        path = /home/netlogon
        browseable = No
        read only = yes
        write list = root

2. Restart Samba

Details:
    # service smb restart
    Shutting down SMB services:                                [FAILED]
    Shutting down NMB services:                                [FAILED]
    Starting SMB services:    # this step takes a little longer
                                                               [  OK  ]
    Starting NMB services:                                     [  OK  ]

3. Store the LDAP admin DN password in Samba (it must be the same as the DN password in your OpenLDAP configuration).

Details:
    # smbpasswd -w lawrence
    Setting stored password for "cn=root,dc=openmyhand,dc=com" in secrets.tdb

4. Create the netlogon directory (this is where the logon scripts are kept).

Details:
    # mkdir /home/netlogon

5. Check that the Samba PDC configuration is correct.

Details:
    # testparm
    Load smb config files from /etc/samba/smb.conf
    Processing section "[homes]"
    Processing section "[netlogon]"
    Loaded services file OK.
    Server role: ROLE_DOMAIN_PDC      # note this line: the server is now a PDC
    Press enter to see a dump of your service definitions

6. Look up the SID. Every machine has a different SID, so write it down; during the configuration below, check that the SID shown matches it, and if the configuration has no SID, fill this one in.

Details:
    # net getlocalsid
    SID for domain is: S-1-5-21-572433377-2950152015-2928006418    (differs on every machine)

7. Run configure.pl to configure smbldap-tools. Press Enter to accept the default wherever only "(Enter)" is shown.

Details:
    # /usr/share/doc/smbldap-tools-0.9.1/configure.pl
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
           smbldap-tools script configuration
           -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    Before starting, check
     . if your samba controller is up and running.
     . if the domain SID is defined (you can get it with the 'net getlocalsid')
     . you can leave the configuration using the Crtl-c key combination
     . empty value can be set with the "." character
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
    Looking for configuration files...

    Samba Configuration File Path [/etc/samba/smb.conf] > (Enter)

    The default directory in which the smbldap configuration files are stored is shown.
    If you need to change this, enter the full directory path, then press enter to continue.
    Smbldap-tools Configuration Directory Path [/etc/smbldap-tools/] > (Enter)
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    Let's start configuring the smbldap-tools scripts ...

    . workgroup name: name of the domain Samba act as a PDC
      workgroup name [openmyhand.com] > (Enter)
    . netbios name: netbios name of the samba controler
      netbios name [PDC] > (Enter)
    . logon drive: local path to which the home directory will be connected (for NT Workstations). Ex: 'H:'
      logon drive [H:] > (Enter)
    . logon home: home directory location (for Win95/98 or NT Workstation).
      (use %U as username) Ex:'\\PDC\%U'
      logon home (press the "." character if you don't want homeDirectory) [\\%L\%u] > (Enter)
    . logon path: directory where roaming profiles are stored. Ex:'\\PDC\profiles\%U'
      logon path (press the "." character if you don't want roaming profile) [\\PDC\profiles\%U] > .    (type a single ".")
    . home directory prefix (use %U as username) [/home/%U] > (Enter)
    . default users' homeDirectory mode [700] > (Enter)
    . default user netlogon script (use %U as username) [%U.bat] > (Enter)
      default password validation time (time in days) [45] > (Enter)    (default password validity period)
    . ldap suffix [dc=openmyhand,dc=com] > (Enter)
    . ldap group suffix [ou=Groups] > (Enter)
    . ldap user suffix [ou=Users] > (Enter)
    . ldap machine suffix [ou=Computers] > (Enter)
    . Idmap suffix [ou=Idmap] > (Enter)
    . sambaUnixIdPooldn: object where you want to store the next uidNumber
      and gidNumber available for new users and groups
      sambaUnixIdPooldn object (relative to ${suffix}) [sambaDomainName=openmyhand.com] > (Enter)
    . ldap master server: IP adress or DNS name of the master (writable) ldap server
      ldap master server [127.0.0.1] > (Enter)
    . ldap master port [389] > (Enter)
    . ldap master bind dn [cn=root,dc=openmyhand,dc=com] > (Enter)
    . ldap master bind password [] > lawrence    (the LDAP manager password of the Samba admin DN)
    . ldap slave server: IP adress or DNS name of the slave ldap server: can also be the master one
      ldap slave server [127.0.0.1] > 192.168.100.2    (IP address or host name of the BDC)
    . ldap slave port [389] > (Enter)
    . ldap slave bind dn [cn=root,dc=openmyhand,dc=com] > (Enter)
    . ldap slave bind password [] > lawrence    (the LDAP manager password of the Samba admin DN)
    . ldap tls support (1/0) [0] > (Enter)
    . SID for domain openmyhand.com: SID of the domain (can be obtained with 'net getlocalsid PDC')
      SID for domain openmyhand.com [S-1-5-21-572433377-2950152015-2928006418] > (Enter)    (confirm a SID is shown; if not, enter the one recorded in item 6)
    . unix password encryption: encryption used for unix passwords
      unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA) [SSHA] > (Enter)
    . default user gidNumber [513] > (Enter)
    . default computer gidNumber [515] > (Enter)
    . default login shell [/bin/bash] > (Enter)
    . default skeleton directory [/etc/skel] > (Enter)
    . default domain name to append to mail adress [] > openmyhand.com
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    backup old configuration files:
      /etc/smbldap-tools/smbldap.conf->/etc/smbldap-tools/smbldap.conf.old
      /etc/smbldap-tools/smbldap_bind.conf->/etc/smbldap-tools/smbldap_bind.conf.old
    writing new configuration file:
      /etc/smbldap-tools/smbldap.conf done.
      /etc/smbldap-tools/smbldap_bind.conf done.

8. Initialise the LDAP database

Details:
    # smbldap-populate
    Populating LDAP directory for domain openmyhand.com (S-1-5-21-572433377-2950152015-2928006418)
    (using builtin directory structure)

    adding new entry: dc=openmyhand,dc=com
    adding new entry: ou=Users,dc=openmyhand,dc=com
    adding new entry: ou=Groups,dc=openmyhand,dc=com
    adding new entry: ou=Computers,dc=openmyhand,dc=com
    adding new entry: ou=Idmap,dc=openmyhand,dc=com
    adding new entry: uid=root,ou=Users,dc=openmyhand,dc=com
    adding new entry: uid=nobody,ou=Users,dc=openmyhand,dc=com
    adding new entry: cn=Domain Admins,ou=Groups,dc=openmyhand,dc=com
    adding new entry: cn=Domain Users,ou=Groups,dc=openmyhand,dc=com
    adding new entry: cn=Domain Guests,ou=Groups,dc=openmyhand,dc=com
    adding new entry: cn=Domain Computers,ou=Groups,dc=openmyhand,dc=com
    adding new entry: cn=Administrators,ou=Groups,dc=openmyhand,dc=com
    adding new entry: cn=Account Operators,ou=Groups,dc=openmyhand,dc=com
    adding new entry: cn=Print Operators,ou=Groups,dc=openmyhand,dc=com
    adding new entry: cn=Backup Operators,ou=Groups,dc=openmyhand,dc=com
    adding new entry: cn=Replicators,ou=Groups,dc=openmyhand,dc=com
    adding new entry: sambaDomainName=openmyhand.com,dc=openmyhand,dc=com

    Please provide a password for the domain root:
    Changing password for root
    New password : lawrence           (the LDAP manager password of the Samba admin DN)
    Retype new password : lawrence    (the LDAP manager password of the Samba admin DN)

The installation is now complete.

9. Start the ldap, smb, httpd and named services at boot

Details:
    # chkconfig ldap on
    # chkconfig smb on
    # chkconfig httpd on
    # chkconfig named on

10. Reboot the machine.

Step 7. Basic PDC administration

Main commands:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# smbldap-useradd -a -m user1        (add the user account user1)
# smbldap-groupadd -p group1         (add the group group1)
# smbldap-useradd -w winxp$          (add a domain computer account; winxp is the computer name)
# smbldap-groupmod -m user1 group1   (add user user1 to group group1)
# smbldap-userdel user1              (delete the account user1)
# smbldap-groupdel group1            (delete the group group1)
# smbldap-userdel winxp$             (delete the computer account; winxp is the computer name)
# smbldap-groupmod -x user1 group1   (remove user user1 from group group1)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Main configuration files:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/etc/samba/smb.conf
/etc/smbldap-tools/smbldap.conf
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Writing logon scripts:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Use vi to create the file user1.tmp under /home/netlogon/ with the following contents (the account user1 is used as the example):

Contents:
    net use H: \\PDC\public    (maps the public share as drive H:)

Convert the .tmp file into a .bat file (Windows and Unix use different line endings, so a small conversion is needed):

Contents:
    # cat -A user1.tmp | tr '$' '\r' > user1.bat

cat -A also rewrites tabs as ^I and passes any literal $ in the script on to tr, so keep the .tmp file to plain ASCII lines that contain no $ characters.

That completes the logon script for user1; it is run automatically whenever user1 logs on from Windows.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Step 8. Test that the PDC is configured correctly

1. Add a test user account

Details:
    # smbldap-useradd -a -m user1
    # smbldap-passwd user1
    Changing password for user1
    New password : 123456
    Retype new password : 123456

2. Test that user1 can log in to the PDC server

Details:
    # smbclient -L localhost -U user1
    Password: 123456
    Domain=[OPENMYHAND.COM] OS=[Unix] Server=[Samba 3.0.10-1.4E.6]

            Sharename       Type      Comment
            ---------       ----      -------
            IPC$            IPC       IPC Service (Samba Server)
            ADMIN$          IPC       IPC Service (Samba Server)
            user1           Disk      repertoire de user1, user1
    Domain=[OPENMYHAND.COM] OS=[Unix] Server=[Samba 3.0.10-1.4E.6]

            Server               Comment
            ---------            -------
            PDC                  Samba Server

            Workgroup            Master
            ---------            -------
            OPENMYHAND.COM       PDC
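As an added check for Step 8 (not part of the original article), the following script verifies three things the setup above relies on: that the slapd access rules from Step 4 really hide userPassword, sambaLMPassword and sambaNTPassword from an anonymous bind, that the SID written to /etc/smbldap-tools/smbldap.conf matches what "net getlocalsid" reports, and that the files holding the manager password (/etc/ldap.secret and /etc/smbldap-tools/smbldap_bind.conf) are readable by root only. The ldapsearch and net invocations and the SID="..." line format of smbldap.conf are assumptions about this setup.

```shell
#!/bin/sh
# Post-install checks for the PDC built above (added example, not from the
# article). Assumes the suffix, ACL, SID and file paths used in Steps 4-6.
SUFFIX='dc=openmyhand,dc=com'
HASH_ATTRS='userPassword|sambaLMPassword|sambaNTPassword'
# Files holding the manager password. slapd.conf is left at the package's
# root:ldap 0640 because the ldap service user has to read it.
SECRET_FILES='/etc/ldap.secret /etc/smbldap-tools/smbldap_bind.conf'

# Return 0 if the LDIF on stdin contains any password-hash attribute.
# Under the Step 4 ACL ("by anonymous auth ... by * none") an anonymous
# search must return none; a hit means the access rules are wrong or
# out of order (slapd applies the first matching "access to" clause).
ldif_leaks_hashes() {
    grep -Eiq "^($HASH_ATTRS):" -
}

# Return 0 if the SID line in smbldap.conf ($1, SID="S-1-5-21-...") equals
# the SID in saved "net getlocalsid" output ($2).
sid_matches() {
    conf_sid=$(sed -n 's/^SID="\(S-[0-9-]*\)".*/\1/p' "$1")
    samba_sid=$(sed -n 's/^SID for domain.* is: \(S-[0-9-]*\).*/\1/p' "$2")
    [ -n "$conf_sid" ] && [ "$conf_sid" = "$samba_sid" ]
}

# Return 0 if $1 is mode 0600 and owned by the user running the check
# (root on the PDC). Uses ls -ld so it does not depend on GNU stat.
secret_file_locked() {
    set -- $(ls -ld "$1")
    case "$1" in -rw-------*) [ "$3" = "$(id -un)" ] ;; *) return 1 ;; esac
}

run_pdc_checks() {
    rc=0
    if ldapsearch -x -h 127.0.0.1 -b "$SUFFIX" '(objectClass=*)' | ldif_leaks_hashes; then
        echo "FAIL: anonymous search returns password hashes; check the access rules"; rc=1
    fi
    sid_out=$(mktemp) && net getlocalsid > "$sid_out"
    sid_matches /etc/smbldap-tools/smbldap.conf "$sid_out" ||
        { echo "FAIL: SID in smbldap.conf differs from 'net getlocalsid'"; rc=1; }
    rm -f "$sid_out"
    for f in $SECRET_FILES; do
        secret_file_locked "$f" || { echo "FAIL: $f must be root-owned, mode 0600"; rc=1; }
    done
    [ "$rc" -eq 0 ] && echo "all PDC checks passed"
    return "$rc"
}
# Run the live checks only when invoked as: sh pdc-check.sh run
if [ "${1:-}" = run ]; then run_pdc_checks; fi
```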
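For the logon scripts of Step 7, here is an added shell example (not from the article) that writes the CRLF .bat file without the cat -A trick, which would also turn a literal "$" in the script (for instance a hidden share name) into a carriage return, and that refuses to write into a netlogon directory that anyone other than its owner could modify, since every domain client executes what it finds there at logon. The P: drive and the per-user hidden share are assumptions.

```shell
#!/bin/sh
# Build per-user logon scripts for the [netlogon] share (added example, not
# from the article). The first script line is the one from Step 7; the second
# maps an assumed hidden per-user share whose name ends in "$".
NETLOGON=/home/netlogon

# Logon script for user $1, LF line endings, plain ASCII.
logon_script_body() {
    printf 'net use H: \\\\PDC\\public\n'
    printf 'net use P: \\\\PDC\\%s$\n' "$1"
}

# LF -> CRLF on every line and nothing else (awk is portable; GNU sed's
# "s/$/\r/" would do as well on Linux).
crlf() {
    awk '{ printf "%s\r\n", $0 }'
}

# Return 0 only if directory $1 is neither group- nor world-writable.
# ls -ld mode string: d + user rwx + group rwx + other rwx.
netlogon_dir_safe() {
    set -- $(ls -ld "$1")
    case "$1" in d????[!w]??[!w]?*) return 0 ;; *) return 1 ;; esac
}

# Write $NETLOGON/<user>.bat: CRLF, readable by clients, writable by owner only.
write_logon_script() {
    netlogon_dir_safe "$NETLOGON" ||
        { echo "refusing: $NETLOGON is group- or world-writable" >&2; return 1; }
    logon_script_body "$1" | crlf > "$NETLOGON/$1.bat" && chmod 644 "$NETLOGON/$1.bat"
}
```

Run as root on the PDC with, for example, `write_logon_script user1` after sourcing the file; the resulting user1.bat is picked up through the "logon script = %U.bat" setting in smb.conf.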