PDC - Samba + LDAP - Fedora 7

Este artigo tem como objetivo ajudar aos que estão precisando configurar um servidor PDC com SAMBA + LDAP. Fiz minha configuração no Fedora 7 e estarei descrevendo nas próximas páginas o processo que precisei percorrer até deixar o servidor funcionando.

[ Hits: 82.033 ]

Por: Milton Paiva Neto em 06/12/2007


Configurando o smbldap-tools



O smbldap-tools possui dois arquivos que devem ser configurados, o primeiro deles é o /etc/smbldap-tools/smbldap.conf:

##############################################
#
# General Configuration
#
##############################################

# Put your own SID. To obtain this number do: "net getlocalsid".
# If not defined, parameter is taking from "net getlocalsid" return
#SID="S-1-5-21-4205727931-4131263253-1851132061"
SID="S-1-5-21-1470612041-1557919963-3843472885"

# Domain name the Samba server is in charged.
# If not defined, parameter is taking from smb.conf configuration file
# Ex: sambaDomain="IDEALX-NT"
sambaDomain="SEU_DOMINIO.COM"

###############################################
#
# LDAP Configuration
#
###############################################

# Notes: to use to dual ldap servers backend for Samba, you must patch
# Samba with the dual-head patch from IDEALX. If not using this patch
# just use the same server for slaveLDAP and masterLDAP.
# Those two servers declarations can also be used when you have
# . one master LDAP server where all writing operations must be done
# . one slave LDAP server where all reading operations must be done
# (typically a replication directory)

# Slave LDAP server
# Ex: slaveLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
slaveLDAP="192.168.10.202"

# Slave LDAP port
# If not defined, parameter is set to "389"
slavePort="389"

# Master LDAP server: needed for write operations
# Ex: masterLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
masterLDAP="localhost"

# Master LDAP port
# If not defined, parameter is set to "389"
masterPort="389"

# Use TLS for LDAP
# If set to 1, this option will use start_tls for connection
# (you should also used the port 389)
# If not defined, parameter is set to "1"
ldapTLS="0"

# How to verify the server's certificate (none, optional or require)
# see "man Net::LDAP" in start_tls section for more details
verify="none"

# CA certificate
# see "man Net::LDAP" in start_tls section for more details
#cafile="/etc/opt/IDEALX/smbldap-tools/ca.pem"
cafile=""

# certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
#clientcert="/etc/opt/IDEALX/smbldap-tools/smbldap-tools.pem"
clientcert=""

# key certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
#clientkey="/etc/opt/IDEALX/smbldap-tools/smbldap-tools.key"
clientkey=""

# LDAP Suffix
# Ex: suffix=dc=IDEALX,dc=ORG
suffix="dc=SEU_DOMINIO,dc=com"

# Where are stored Users
# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for usersdn
usersdn="ou=Users,${suffix}"

# Where are stored Computers
# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for computersdn
computersdn="ou=Computers,${suffix}"

# Where are stored Groups
# Ex: groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for groupsdn
groupsdn="ou=Groups,${suffix}"

# Where are stored Idmap entries (used if samba is a domain member server)
# Ex: groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for idmapdn
idmapdn="ou=Idmap,${suffix}"

# Where to store next uidNumber and gidNumber available for new users and groups
# If not defined, entries are stored in sambaDomainName object.
# Ex: sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
# Ex: sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
#sambaUnixIdPooldn="sambaDomainName=IDEALX-NT,${suffix}"
sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"

# Default scope Used
scope="sub"

# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
hash_encrypt="SSHA"

# if hash_encrypt is set to CRYPT, you may set a salt format.
# default is "%s", but many systems will generate MD5 hashed
# passwords if you use "$1$%.8s". This parameter is optional!
#crypt_salt_format="%s"
crypt_salt_format=""

################################################
#
# Unix Accounts Configuration
#
################################################

# Login defs
# Default Login Shell
# Ex: userLoginShell="/bin/bash"
userLoginShell="/bin/bash"

# Home directory
# Ex: userHome="/home/%U"
userHome="/home/%U"

# Default mode used for user homeDirectory
userHomeDirectoryMode="700"

# Gecos
userGecos="System User"

# Default User (POSIX and Samba) GID
defaultUserGid="513"

# Default Computer (Samba) GID
defaultComputerGid="515"

# Skel dir
skeletonDir="/etc/skel"

# Default password validation time (time in days) Comment the next line if
# you don't want password to be enable for defaultMaxPasswordAge days (be
# careful to the sambaPwdMustChange attribute's value)
defaultMaxPasswordAge="999"

################################################
#
# SAMBA Configuration
#
################################################

# The UNC path to home drives location (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon home'
# directive and/or disable roaming profiles
# Ex: userSmbHome="\\PDC-SMB3\%U"
userSmbHome="\\SEU_DOMÍNIO.com\%U"

# The UNC path to profiles locations (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon path'
# directive and/or disable roaming profiles
# Ex: userProfile="\\PDC-SMB3\profiles\%U"
userProfile="\\SEU_DOMÍNIO.com\profiles\%U"

# The default Home Drive Letter mapping
# (will be automatically mapped at logon time if home directory exist)
# Ex: userHomeDrive="H:"
userHomeDrive="H:"

# The default user netlogon script name (%U username substitution)
# if not used, will be automatically username.cmd
# make sure script file is edited under dos
# Ex: userScript="startup.cmd" # make sure script file is edited under dos
userScript="%U.bat"

# Domain appended to the users "mail"-attribute
# when smbldap-useradd -M is used
# Ex: mailDomain="idealx.com"
#mailDomain="idealx.com"

################################################
#
# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
#
################################################

# Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but
# prefer Crypt::SmbHash library
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"

# Allows not to use slappasswd (if with_slappasswd == 0 in smbldap_conf.pm)
# but prefer Crypt:: libraries
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"

Configurando o segundo arquivo do smbldap-tools: /etc/smbldap-tools/smbldap_bind.conf

############################
# Credential Configuration #
############################
# Notes: you can specify two differents configuration if you use a
# master ldap for writing access and a slave ldap server for reading access
# By default, we will use the same DN (so it will work for standard Samba
# release)
slaveDN="cn=Manager,dc=SEU_DOMÍNIO,dc=com"
slavePw="secret"
masterDN="cn=Manager,dc=SEU_DOMÍNIO,dc=com"
masterPw="secret"

Populando a base ldap:
# smbldap-populate

Adicionando o usuário root na base ldap:

# smbpasswd -a root

Página anterior     Próxima página

Páginas do artigo
   1. Pacotes necessários
   2. Configuração do LDAP
   3. Configurando o banco de dados LDAP
   4. Instalação do Samba
   5. Executando o SAMBA
   6. Instalando o smbldap-tools
   7. Configurando o smbldap-tools
   8. Configurando o servidor PDC para replicar sua base
Outros artigos deste autor

Servidor para centralização de logs - Fedora 7

Leitura recomendada

Domínio com perfil móvel no Fedora 10

Linux logando no Domínio NT

Administrando seu servidor Samba com o User Manager

Compartilhamento do Samba autenticando no AD

Compilando e Utilizando o Samba4

  
Comentários
[1] Comentário enviado por tatototino em 08/12/2007 - 12:50h

Ficou legal seu artigo principalmente no fato de abordar "replicação", mas você poderia abordar o LAM (LDAP Account Manager), porque gerenciar o LDAP + samba com smbldap-tools é bem chatinho.
E também poderia abrodar mas o que é replicação para não deixar muita s pessoas confusas.



Um abraço


[2] Comentário enviado por lucassusin em 06/08/2009 - 20:03h

Tem um monte de coisa errada nesse tutorial....


como smb.conf

logon script = %U.bat não tem na conf

tem muita coisa errada..


antes de postar alguma coisa verefique oque vc está fazerndo

[3] Comentário enviado por miltonpaiva em 06/08/2009 - 22:49h

Caro Lucassusin esse artigo foi escrito há mais de 2 anos, foi testado e funcionava corretamente naquele período.

O artigo foi escrito com o intuito de ajudar outros usuários que por não terem conhecimento suficiente para fazerem um pdc sozinhos, que seguissem o tutorial para conseguir realizar essa tarefa.

De qualquer maneira fique livre para fazer suas pesquisas e de repente juntar suas idéias com o meu tutorial e fazer um tutorial ainda melhor que possa facilitar a vida de outras pessoas.

É interessante fazer criticas construtivas, ao invés de sair desvalorizando o trabalho de outras pessoas.

[4] Comentário enviado por roanfranklin em 26/10/2009 - 11:43h

Turma, preciso replicar um servidor SMBLDAP para mais 6, em pontos distantes, fazendo com que os usuarios em qual local/empresa estiver "matriz/filial" possa se conectar normalmente, alguem tem alguma dica para mim?

Sendo que é SMB+LDAP preciso dos dois serviços rodando em cada um dos pontos.

Agradeço.


Contribuir com comentário




Patrocínio

Site hospedado pelo provedor RedeHost.
Linux banner

Destaques

Artigos

Dicas

Tópicos

Top 10 do mês

Scripts