• LDAP系列(三)LDAP + Samba 安装配置


    LDAP + Samba 安装配置

    书接上文:LDAP启动TLS 完整操作流程

    基础环境:Ubuntu18.04

    安装samba

    root@cky:~# apt install samba smbldap-tools -y
    

    查看版本

    root@cky:~# dpkg -l samba smbldap-tools
    Desired=Unknown/Install/Remove/Purge/Hold
    | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
    |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
    ||/ Name                                            Version                      Architecture                 Description
    +++-===============================================-============================-============================-===================================================================================================
    ii  samba                                           2:4.7.6+dfsg~ubuntu-0ubuntu2 amd64                        SMB/CIFS file, print, and login server for Unix
    ii  smbldap-tools                                   0.9.9-1ubuntu3               all                          Scripts to manage Unix and Samba accounts stored on LDAP
    

    添加 LDAP 的 Samba 配置

    为了将OpenLDAP用作Samba的后端,DIT将需要使用可以正确描述Samba数据的属性。可以通过引入Samba LDAP模式获得此类属性。

    该模式位于现在安装的samba软件包中,并且已经采用ldif格式。

    拷贝samba.schema samba.ldif

    找不到samba.schema,从源码搞了一份(git clone https://github.com/samba-team/samba.git)

    cp /usr/share/doc/samba/examples/LDAP/samba.ldif.gz /etc/ldap/schema
    cp /root/cky/samba/samba-4.7.6+dfsg~ubuntu/examples/LDAP/samba.schema /etc/ldap/schema/
    
    root@cky:/etc/ldap/schema# pwd
    /etc/ldap/schema
    root@cky:/etc/ldap/schema# gzip -d samba.ldif.gz
    

    导入:

    root@cky:/etc/ldap/schema# ldapadd -Q -Y EXTERNAL -H ldapi:/// -f samba.ldif 
    adding new entry "cn=samba,cn=schema,cn=config"
    

    要查询和查看此新架构:

    ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config 'cn=*samba*'
    

    既然slapd知道了Samba属性,我们就可以基于它们建立一些索引。索引条目是客户端对DIT执行筛选搜索时提高性能的一种方法。

    创建samba_indices.ldif具有以下内容的文件:

    root@cky:~/ldap# pwd
    /root/ldap
    
    root@cky:~/ldap# cat samba_indices.ldif 
    dn: olcDatabase={1}mdb,cn=config
    changetype: modify
    replace: olcDbIndex
    olcDbIndex: objectClass eq
    olcDbIndex: uidNumber,gidNumber eq
    olcDbIndex: loginShell eq
    olcDbIndex: uid,cn eq,sub
    olcDbIndex: memberUid eq,sub
    olcDbIndex: member,uniqueMember eq
    olcDbIndex: sambaSID eq
    olcDbIndex: sambaPrimaryGroupSID eq
    olcDbIndex: sambaGroupType eq
    olcDbIndex: sambaSIDList eq
    olcDbIndex: sambaDomainName eq
    olcDbIndex: default sub,eq
    

    使用ldapmodify实用程序加载新索引:

    root@cky:~/ldap# ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f samba_indices.ldif
    modifying entry "olcDatabase={1}mdb,cn=config"
    

    如果正常到现在,可以使用ldapsearch查看到新索引:

    root@cky:~/ldap# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase={1}mdb olcDbIndex
    dn: olcDatabase={1}mdb,cn=config
    olcDbIndex: objectClass eq
    olcDbIndex: uidNumber,gidNumber eq
    olcDbIndex: loginShell eq
    olcDbIndex: uid,cn eq,sub
    olcDbIndex: memberUid eq,sub
    olcDbIndex: member,uniqueMember eq
    olcDbIndex: sambaSID eq
    olcDbIndex: sambaPrimaryGroupSID eq
    olcDbIndex: sambaGroupType eq
    olcDbIndex: sambaSIDList eq
    olcDbIndex: sambaDomainName eq
    olcDbIndex: default sub,eq
    

    添加Samba LDAP对象

    接下来,配置smbldap-tools软件包以匹配您的环境。该软件包带有一个名为smbldap-config的配置帮助程序脚本。但是,在运行它之前,您应该确定以下两个重要的配置设置/etc/samba/smb.conf

    • netbios名称:该服务器的名称。默认值从服务器的主机名派生,但被截断为15个字符。
    • workgroup:此服务器的工作组名称,或者,如果以后决定将其设置为域控制器,则为该域。

    配置samba

    # file : /etc/samba/smb.conf
    [global]
        workgroup = Company 
        server string = Samba Server Version %v
        log file = /var/log/samba/log.%m  
        security = user 
    
        passdb backend = ldapsam:ldap://company02.com
        ldap suffix = dc=company,dc=com
        ldap user suffix = ou=Dev
        ldap group suffix = ou=Group
        ldap machine suffix = ou=Computers
        ldap idmap suffix = ou=Idmap
        ldap admin dn = cn=admin,dc=company,dc=com
        ldap ssl = start tls
        ldap passwd sync = yes
    

    Note: ubuntu官方文档的 ldap ssl = start tls

    但是设置该项后重启服务报ERROR:Failed to issue the StartTLS instruction: Protocol error

    测试一下samba配置文件

    root@cky:~/ldap# testparm -s
    

    通过运行配置脚本来继续生成smbldap-tools配置

    root@cky:~/ldap# smbldap-config
    
    # 只有这三项进行了输入操作,别的都是直接回车
    netbios name [] > Company
    ldap master bind password [] > 654321
    ldap slave bind password [] > 654321
    

    使用smbldap-populate添加Samba所需的LDAP对象。它将询问您“域根”用户的密码,该用户也是LDAP中存储的“根”用户:

    root@cky:~# smbldap-populate -g 10003 -u 10003 -r 10003
    Populating LDAP directory for domain Company (S-1-5-21-385293779-2563394074-3374145406)
    (using builtin directory structure)
    
    entry dc=company,dc=com already exist. 
    entry ou=Dev,dc=company,dc=com already exist. 
    entry ou=Groups,dc=company,dc=com already exist. 
    adding new entry: ou=Computers,dc=company,dc=com
    adding new entry: ou=Idmap,dc=company,dc=com
    adding new entry: sambaDomainName=Company,dc=company,dc=com
    adding new entry: uid=root,ou=Dev,dc=company,dc=com
    adding new entry: uid=nobody,ou=Dev,dc=company,dc=com
    adding new entry: cn=Domain Admins,ou=Groups,dc=company,dc=com
    adding new entry: cn=Domain Users,ou=Groups,dc=company,dc=com
    adding new entry: cn=Domain Guests,ou=Groups,dc=company,dc=com
    adding new entry: cn=Domain Computers,ou=Groups,dc=company,dc=com
    adding new entry: cn=Administrators,ou=Groups,dc=company,dc=com
    adding new entry: cn=Account Operators,ou=Groups,dc=company,dc=com
    adding new entry: cn=Print Operators,ou=Groups,dc=company,dc=com
    adding new entry: cn=Backup Operators,ou=Groups,dc=company,dc=com
    adding new entry: cn=Replicators,ou=Groups,dc=company,dc=com
    
    Please provide a password for the domain root: 
    Changing UNIX and samba passwords for root
    New password: 654321
    Retype new password: 654321
    New passwords don't match!
    

    将rootDN用户的密码(在slapd软件包的安装过程中设置的密码)告知Samba:

    root@cky:~# smbpasswd -W
    Setting stored password for "cn=admin,dc=company,dc=com" in secrets.tdb
    New SMB password: 654321
    Retype new SMB password: 654321
    

    SSSD配置

    为了让LDAP用户能够连接到samba并进行身份验证的最后一步,现在需要这些用户也以“ unix”用户身份出现在系统中。

    安装sssd-ldap

    root@cky:~# apt -y install sssd-ldap
    

    配置/etc/sssd/sssd.conf

    [sssd]
    config_file_version = 2
    domains = Company
    
    [domain/Company]
    id_provider = ldap
    auth_provider = ldap
    ldap_uri = ldap://192.168.3.188
    cache_credentials = True
    ldap_search_base = dc=company,dc=com
    

    调整权限并启动服务

    root@cky:~# chmod 0600 /etc/sssd/sssd.conf
    root@cky:~# chown root:root /etc/sssd/sssd.conf
    root@cky:~# systemctl restart sssd
    

    重新启动Samba服务:

    root@cky:~# systemctl restart smbd.service nmbd.service
    
    

    要快速测试设置,查看getent是否可以列出Samba组:

    root@cky:~# getent group Replicators
    root@cky:~# 
    
    

    有问题,查询不到用户组???一个大坑

    还是认证有问题,系统中ldap的用户查不到

    google+百度 良久,外带牺牲了8根秀发,经过N多尝试之后,我发现以下方法即可解决:

    修改配置文件/etc/nsswitch.conf

    passwd:         compat systemd sss ldap db
    group:          compat systemd sss ldap db
    shadow:         compat sss ldap db
    
    

    主要就是这三项后面加了 ldapdb

    安装nslcd

    root@cky:~# apt install nslcd -y
    
    

    修改配置文件/etc/nslcd.conf

    root@cky:~# grep -Ev '^$|^[#;]' /etc/nslcd.conf
    uid nslcd
    gid nslcd
    uri ldapi:///192.168.3.188
    base dc=company,dc=com
    ldap_version 3
    binddn cn=admin,dc=company,dc=com
    bindpw 654321
    ssl off
    tls_cacertfile /etc/ssl/certs/ca-certificates.crt
    
    

    重启nslcd服务

    root@cky:~# systemctl restart nslcd
    root@cky:~# systemctl enable nslcd
    nslcd.service is not a native service, redirecting to systemd-sysv-install.
    Executing: /lib/systemd/systemd-sysv-install enable nslcd
    
    

    重启slapd服务

    root@cky:~# systemctl restart slapd
    
    

    再次查询

    root@cky:~# getent group Replicators
    Replicators:*:552:
    
    

    所以我也不知道是我看的不够全,还是官方文档的缺失,此处再次diss一下Ubuntu官方文档

    使用smbldap-tools管理用户、组和计算机账户

    启用自动主目录创建:

    root@cky:~# pam-auth-update --enable mkhomedir
    
    

    要添加具有主目录的新用户:

    root@cky:~# smbldap-useradd -a -P -m ldap_user01
    Changing UNIX and samba passwords for ldap_user01
    New password: 111111
    Retype new password: 111111
    
    

    查一下ldap中的用户

    root@cky:~# ldapsearch -x -b "uid=ldap_user01,ou=Dev,dc=company,dc=com"
    
    

    看一下home目录

    root@cky:~# ls /home
    cky  ldap_user01
    
    

    使用getent查询一下用户

    root@cky:~# getent passwd ldap_user01
    ldap_user01:x:10003:513:System User:/home/ldap_user01:/bin/bash
    
    
  • 相关阅读:
    python 数据类型之列表(list)
    Python 数据类型之字符串(string)
    Python 基本语法
    Windows系统下Pycharm的安装与使用
    Windows系统下安装Python
    Fiddler Session List会话列表(监控面板)
    fiddler 常用快捷键
    fiddler 工具栏介绍
    SEPM:USB 权限管理(1)--通知权限过期用户即将卸载权限事宜
    终端管理:计算机违规软件清理 (未完待续)
  • 原文地址:https://www.cnblogs.com/shu-sheng/p/14453283.html
Copyright © 2020-2023  润新知