Software Livre Portugal


Samba Domain Controller

Installation and configuration of a Linux server with Samba File & Print Server and Domain Controller



1. Prerequisites


This set of instructions uses a minimal installation of the Fedora Core 2 distribution, onto which some additional RPMs were later installed to satisfy all the required dependencies.


LDAP:

Openldap-servers

Openldap-clients

Openldap


Smbldap-tools:

Perl

Perl-Convert-ASN1

Perl-Crypt-SmbHash (*)

Perl-Filter

Perl-HTML-Parser

Perl-HTML-Tagset

Perl-LDAP

Perl-libwww-perl

Perl-URI

Perl-XML-NamespaceSupport

Perl-XML-SAX

Smbldap-tools (**)


(*) This package is not part of the Fedora distribution; it can be obtained from: http://rpm.pbone.net/index.php3?stat=3&search=perl-Crypt-SmbHash&srodzaj=3

(**) This package is not part of the Fedora distribution; it can be obtained from: http://dag.wieers.com/packages/smbldap-tools/


Samba:

Cups-libs

Libjpeg

Libpng

Libtiff

Samba

Samba-client

Samba-common


CUPS:

atk

cups

dbus

dbus-glib

fontconfig

freetype

gtk2

pango

xinetd

xorg-x11-Mesa-libGL

xorg-x11-libs

xorg-x11-libs-data



2. Configuration


With all the packages installed, we proceed to the configuration process.



LDAP


First we start with the base system configuration.

On the LDAP side, the Samba schema must be added.


[root@exemplodc root] cp /share/doc/samba-3.0.9/LDAP/samba.schema /etc/openldap/schema


Then add the following entry at the beginning of /etc/openldap/slapd.conf


include /etc/openldap/schema/samba.schema


The rootdn also needs to be configured; in our case it will be cn=Manager,dc=exemplo,dc=pt

To do that we need to add/edit the following entries in the file /etc/openldap/slapd.conf


database ldbm

suffix "dc=exemplo,dc=pt"

rootdn "cn=Manager,dc=exemplo,dc=pt"

# Cleartext passwords, especially for the rootdn, should

# be avoided. See slappasswd(8) and slapd.conf(5) for details.

# Use of strong authentication encouraged.

# rootpw secret

rootpw {MD5}9CMOi+++jmyV2vTo1G8oqA==


The rootpw value is obtained with the slappasswd command:


[root@exemplodc root]# slappasswd -h {MD5}

New password:

Re-enter new password:

{MD5}9CMOi+++jmyV2vTo1G8oqA==

[root@exemplodc root]#
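As an added example, not part of the original page, the following Python reproduces the {MD5} and {SSHA} schemes that slappasswd emits and shows how slapd checks a bind against them; the password and salt values used are constructed. It makes concrete why the configure.pl prompt later on defaults to SSHA: {MD5} is an unsalted, deterministic digest, while {SSHA} carries a per-hash salt.

```python
"""Added example: the password schemes slappasswd can emit for rootpw.

{MD5} is an unsalted MD5 digest, base64-encoded, so equal passwords give
equal hashes and the value is open to precomputed-table lookups if the
config file leaks. {SSHA} is SHA-1 over password+salt with the salt stored
after the digest; slapd verifies by re-hashing the offered password with
that salt.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional


def hash_md5(password: str) -> str:
    """{MD5}: deterministic, unsalted (what `slappasswd -h {MD5}` produces)."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "{MD5}" + base64.b64encode(digest).decode("ascii")


def hash_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """{SSHA}: a fresh random 4-byte salt per hash, appended to the digest."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify(stored: str, password: str) -> bool:
    """Check a password against a stored {MD5} or {SSHA} value, as slapd does."""
    if stored.startswith("{MD5}"):
        return hmac.compare_digest(hash_md5(password), stored)
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]  # SHA-1 digests are 20 bytes
        candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
        return hmac.compare_digest(candidate, digest)
    raise ValueError("unsupported password scheme: " + stored[:8])
```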


After these changes, start ldap to confirm that everything went as intended


[root@exemplodc root]# service ldap start

Starting slapd: [ OK ]

Starting slurpd: [ OK ]

[root@exemplodc root]#



SMBLDAP-TOOLS


Next, before the smbldap-tools configuration process can begin, a minimal Samba configuration must be created in order to obtain the SID of our domain.

A SID is a unique numeric identifier that identifies each object (user, group, computer) in an NT domain.

So edit the file /etc/samba/smb.conf so that it contains at least the following entries


[global]

workgroup = exemplo

netbios name = exemplodc

domain master = yes


Although it is not required, the Samba service can be started


[root@exemplodc root]# service smb start

Starting SMB services: [ OK ]

Starting NMB services: [ OK ]

[root@exemplodc root]#


Next, run the net getlocalsid command to obtain our SID:


[root@exemplodc samba]# net getlocalsid

SID for domain EXEMPLODC is: S-1-5-21-2414157665-673202256-218108875


Now that we have our SID, we can move on to the configuration of the smbldap-tools

For that, the configure.pl script is used


[root@exemplodc root]# /usr/share/doc/smbldap-tools-0.8.5/configure.pl

Unrecognized escape \p passed through at /usr/share/doc/smbldap-tools-0.8.5/configure.pl line 194.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

smbldap-tools script configuration

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Before starting, check

. if your samba controller is up and running.

. if the domain SID is defined (you can get it with the 'net getlocalsid')


. you can leave the configuration using the Crtl-c key combination

. empty value can be set with the "." caracter

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Looking for configuration files...


Samba Config File Location [/etc/samba/smb.conf] >

smbldap Config file Location (global parameters) [/etc/smbldap-tools/smbldap.conf] >

smbldap Config file Location (bind parameters) [/etc/smbldap-tools/smbldap_bind.conf] >

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Let's start configuring the smbldap-tools scripts ...


. workgroup name: name of the domain Samba act as a PDC

workgroup name [exemplo] >

. netbios name: netbios name of the samba controler

netbios name [exemplodc] >

. logon drive: local path to which the home directory will be connected (for NT Workstations). Ex: 'H:'

logon drive [logondrive] > H:

. logon home: home directory location (for Win95/98 or NT Workstation).

(use %U as username) Ex:'\\exemplodc\homes\%U'

logon home (leave blank if you don't want homeDirectory) [\\exemplodc\homes\%U] > \\exemplodc\homes\%U

. logon path: directory where roaming profiles are stored. Ex:'\\exemplodc\profiles\%U'

logon path (leave blank if you don't want roaming profile) [\\exemplodc\profiles\%U] > “”

. home directory prefix (use %U as username) [/home/%U] >

. default user netlogon script (use %U as username) [%U.cmd] > logon.bat

. default password validation: default time before a user has to change his password

default password validation time (time in days) [45] >

. ldap suffix [ldapsuffix] > dc=exemplo,dc=pt

. ldap group suffix [ldapgroupsuffix] > ou=groups

. ldap user suffix [ldapusersuffix] > ou=users

. ldap machine suffix [ldapmachinesuffix] > ou=computers

. ldap master server: IP adress or DNS name of the master (writable) ldap server

ldap master server [127.0.0.1] >

. ldap master port [389] >

. ldap master bind dn [ldapadmindn] > cn=Manager,dc=exemplo,dc=pt

. ldap master bind password [] >

. ldap slave server: IP adress or DNS name of the slave ldap server: can also be the master one

ldap slave server [127.0.0.1] >

. ldap slave port [389] >

. ldap slave bind dn [ldapadmindn] > cn=Manager,dc=exemplo,dc=pt

. ldap slave bind password [] >

. ldap tls support (1/0) [0] >

. SID for domain exemplo: SID of the domain (can be obtained with 'net getlocalsid exemplodc')

SID for domain exemplo [S-1-5-21-2414157665-673202256-218108875] >

. unix password encryption: encryption used for unix passwords

unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA) [SSHA] > MD5

. default user gidNumber [513] >

. default computer gidNumber [553] >

. default login shell [/bin/bash] >

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

backup old configuration files:

/etc/smbldap-tools/smbldap.conf->/etc/smbldap-tools/smbldap.conf.old

/etc/smbldap-tools/smbldap_bind.conf->/etc/smbldap-tools/smbldap_bind.conf.old

writing new configuration file:

/etc/smbldap-tools/smbldap.conf done.

/etc/smbldap-tools/smbldap_bind.conf done.


The gids used were chosen according to the table of predefined NT gids.

This table can be consulted at:

http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/groupmapping.html#WKURIDS


Once the smbldap-tools are configured, the smbldap-populate script is used to create the initial entries in our LDAP server.

By editing the script you can define which groups are created automatically. The following groups must be created, and they come selected in the script by default:

Domain Admins; Domain Users; Domain Computers


[root@exemplodc root]# smbldap-populate

Using builtin directory structure

adding new entry: dc=exemplo,dc=pt

adding new entry: ou=users,dc=exemplo,dc=pt

adding new entry: ou=groups,dc=exemplo,dc=pt

adding new entry: ou=computers,dc=exemplo,dc=pt

adding new entry: ou=Idmap,dc=exemplo,dc=pt

adding new entry: cn=NextFreeUnixId,dc=exemplo,dc=pt

adding new entry: uid=Administrator,ou=users,dc=exemplo,dc=pt

adding new entry: uid=nobody,ou=users,dc=exemplo,dc=pt

adding new entry: cn=Domain Admins,ou=groups,dc=exemplo,dc=pt

adding new entry: cn=Domain Users,ou=groups,dc=exemplo,dc=pt

adding new entry: cn=Domain Guests,ou=groups,dc=exemplo,dc=pt

adding new entry: cn=Print Operators,ou=groups,dc=exemplo,dc=pt

adding new entry: cn=Backup Operators,ou=groups,dc=exemplo,dc=pt

adding new entry: cn=Replicators,ou=groups,dc=exemplo,dc=pt

[root@exemplodc root]#
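Added example, not part of the original page: a small Python check over LDIF such as the ldapsearch output that follows, confirming that every sambaSID written by smbldap-populate belongs to the SID reported by net getlocalsid and that the well-known groups carry matching RID and gidNumber. The sample LDIF and DOMAIN_SID are constructed from the values shown on this page; a mismatch usually means the SID typed into configure.pl differed from Samba's.

```python
"""Added example: check that smbldap-populate wrote SIDs consistent with the
domain SID from `net getlocalsid` (constructed sample based on this page)."""

# Well-known RIDs from the Samba HOWTO group-mapping table (RID == gidNumber).
WELL_KNOWN_RIDS = {"Domain Admins": 512, "Domain Users": 513, "Domain Guests": 514}

# Constructed sample, trimmed from the ldapsearch output shown on this page.
DOMAIN_SID = "S-1-5-21-2414157665-673202256-218108875"
SAMPLE_LDIF = """\
dn: cn=Domain Admins,ou=groups,dc=exemplo,dc=pt
gidNumber: 512
cn: Domain Admins
sambaSID: S-1-5-21-2414157665-673202256-218108875-512

dn: uid=Administrator,ou=users,dc=exemplo,dc=pt
cn: Administrator
sambaPrimaryGroupSID: S-1-5-21-2414157665-673202256-218108875-512
sambaSID: S-1-5-21-2414157665-673202256-218108875-2996
"""


def parse_ldif(text):
    """Minimal LDIF reader (blank-line separated entries, no folded lines)."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
        elif not line.startswith("#"):
            key, _, value = line.partition(":")
            cur.setdefault(key.strip(), []).append(value.strip())
    return entries


def check_sids(ldif, domain_sid):
    """Return the problems found; an empty list means the SIDs are consistent."""
    problems = []
    for e in parse_ldif(ldif):
        dn, cn = e.get("dn", ["?"])[0], e.get("cn", [""])[0]
        for attr in ("sambaSID", "sambaPrimaryGroupSID"):
            for sid in e.get(attr, []):
                if not sid.startswith(domain_sid + "-"):
                    problems.append(f"{dn}: {attr} {sid} is outside the domain")
        if cn in WELL_KNOWN_RIDS and "sambaSID" in e:
            rid = int(e["sambaSID"][0].rsplit("-", 1)[1])
            gid = int(e.get("gidNumber", ["-1"])[0])
            if not rid == gid == WELL_KNOWN_RIDS[cn]:
                problems.append(f"{dn}: RID {rid}/gid {gid}, expected {WELL_KNOWN_RIDS[cn]}")
    return problems
```

Run it against the real directory by feeding the output of the ldapsearch command shown on this page into check_sids with the SID from net getlocalsid.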


To confirm that everything went as intended, we use the ldapsearch command.


[root@exemplodc root]# ldapsearch -x -D "cn=Manager,dc=exemplo,dc=pt" -b "dc=exemplo,dc=pt" -W

Enter LDAP Password:

# extended LDIF

#

# LDAPv3

# base <dc=exemplo,dc=pt> with scope sub

# filter: (objectclass=*)

# requesting: ALL

#


# exemplo.pt

dn: dc=exemplo,dc=pt

objectClass: dcObject

objectClass: organization

o: exemplo

dc: exemplo


# users, exemplo.pt

dn: ou=users,dc=exemplo,dc=pt

objectClass: organizationalUnit

ou: users


# groups, exemplo.pt

dn: ou=groups,dc=exemplo,dc=pt

objectClass: organizationalUnit

ou: groups


# computers, exemplo.pt

dn: ou=computers,dc=exemplo,dc=pt

objectClass: organizationalUnit

ou: computers


# Idmap, exemplo.pt

dn: ou=Idmap,dc=exemplo,dc=pt

objectClass: organizationalUnit

ou: Idmap


# NextFreeUnixId, exemplo.pt

dn: cn=NextFreeUnixId,dc=exemplo,dc=pt

objectClass: inetOrgPerson

objectClass: sambaUnixIdPool

uidNumber: 1000

gidNumber: 1000

cn: NextFreeUnixId

sn: NextFreeUnixId


# Administrator, users, exemplo.pt

dn: uid=Administrator,ou=users,dc=exemplo,dc=pt

cn: Administrator

sn: Administrator

objectClass: inetOrgPerson

objectClass: sambaSAMAccount

objectClass: posixAccount

objectClass: shadowAccount

gidNumber: 512

uid: Administrator

uidNumber: 0

homeDirectory: /home/Administrator

sambaPwdLastSet: 0

sambaLogonTime: 0

sambaLogoffTime: 2147483647

sambaKickoffTime: 2147483647

sambaPwdCanChange: 0

sambaPwdMustChange: 2147483647

sambaHomePath: \\exemplodc\homes\Administrator

sambaHomeDrive: H:

sambaProfilePath: \\exemplodc\profiles\Administrator\

sambaPrimaryGroupSID: S-1-5-21-2414157665-673202256-218108875-512

sambaLMPassword: XXX

sambaNTPassword: XXX

sambaAcctFlags: [U ]

sambaSID: S-1-5-21-2414157665-673202256-218108875-2996

loginShell: /bin/false

gecos: Netbios Domain Administrator


# nobody, users, exemplo.pt

dn: uid=nobody,ou=users,dc=exemplo,dc=pt

cn: nobody

sn: nobody

objectClass: inetOrgPerson

objectClass: sambaSAMAccount

objectClass: posixAccount

objectClass: shadowAccount

gidNumber: 514

uid: nobody

uidNumber: 999

homeDirectory: /dev/null

sambaPwdLastSet: 0

sambaLogonTime: 0

sambaLogoffTime: 2147483647

sambaKickoffTime: 2147483647

sambaPwdCanChange: 0

sambaPwdMustChange: 2147483647

sambaHomePath: \\exemplodc\homes\nobody

sambaHomeDrive: H:

sambaProfilePath: \\exemplodc\profiles\nobody

sambaPrimaryGroupSID: S-1-5-21-2414157665-673202256-218108875-514

sambaLMPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX

sambaNTPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX

sambaAcctFlags: [NU ]

sambaSID: S-1-5-21-2414157665-673202256-218108875-2998

loginShell: /bin/false


# Domain Admins, groups, exemplo.pt

dn: cn=Domain Admins,ou=groups,dc=exemplo,dc=pt

objectClass: posixGroup

objectClass: sambaGroupMapping

gidNumber: 512

cn: Domain Admins

memberUid: Administrator

description: Netbios Domain Administrators

sambaSID: S-1-5-21-2414157665-673202256-218108875-512

sambaGroupType: 2

displayName: Domain Admins


# Domain Users, groups, exemplo.pt

dn: cn=Domain Users,ou=groups,dc=exemplo,dc=pt

objectClass: posixGroup

objectClass: sambaGroupMapping

gidNumber: 513

cn: Domain Users

description: Netbios Domain Users

sambaSID: S-1