LDAP + Samba 安装配置
书接上文:LDAP启动TLS 完整操作流程
基础环境:Ubuntu18.04
安装samba
root@cky:~# apt install samba smbldap-tools -y
查看版本
root@cky:~# dpkg -l samba smbldap-tools
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-===============================================-============================-============================-===================================================================================================
ii samba 2:4.7.6+dfsg~ubuntu-0ubuntu2 amd64 SMB/CIFS file, print, and login server for Unix
ii smbldap-tools 0.9.9-1ubuntu3 all Scripts to manage Unix and Samba accounts stored on LDAP
添加 LDAP 的 Samba 配置
为了将OpenLDAP用作Samba的后端,DIT将需要使用可以正确描述Samba数据的属性。可以通过引入Samba LDAP模式获得此类属性。
该模式位于现在安装的samba软件包中,并且已经采用ldif格式。
拷贝samba.schema
和 samba.ldif
找不到samba.schema
,从源码搞了一份(git clone https://github.com/samba-team/samba.git
)
cp /usr/share/doc/samba/examples/LDAP/samba.ldif.gz /etc/ldap/schema
cp /root/cky/samba/samba-4.7.6+dfsg~ubuntu/examples/LDAP/samba.schema /etc/ldap/schema/
root@cky:/etc/ldap/schema# pwd
/etc/ldap/schema
root@cky:/etc/ldap/schema# gzip -d samba.ldif.gz
导入:
root@cky:/etc/ldap/schema# ldapadd -Q -Y EXTERNAL -H ldapi:/// -f samba.ldif
adding new entry "cn=samba,cn=schema,cn=config"
要查询和查看此新架构:
ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config 'cn=*samba*'
既然slapd知道了Samba属性,我们就可以基于它们建立一些索引。索引条目是客户端对DIT执行筛选搜索时提高性能的一种方法。
创建samba_indices.ldif
具有以下内容的文件:
root@cky:~/ldap# pwd
/root/ldap
root@cky:~/ldap# cat samba_indices.ldif
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcDbIndex
olcDbIndex: objectClass eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: loginShell eq
olcDbIndex: uid,cn eq,sub
olcDbIndex: memberUid eq,sub
olcDbIndex: member,uniqueMember eq
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaGroupType eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sambaDomainName eq
olcDbIndex: default sub,eq
使用ldapmodify
实用程序加载新索引:
root@cky:~/ldap# ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f samba_indices.ldif
modifying entry "olcDatabase={1}mdb,cn=config"
如果正常到现在,可以使用ldapsearch
查看到新索引:
root@cky:~/ldap# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase={1}mdb olcDbIndex
dn: olcDatabase={1}mdb,cn=config
olcDbIndex: objectClass eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: loginShell eq
olcDbIndex: uid,cn eq,sub
olcDbIndex: memberUid eq,sub
olcDbIndex: member,uniqueMember eq
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaGroupType eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sambaDomainName eq
olcDbIndex: default sub,eq
添加Samba LDAP对象
接下来,配置smbldap-tools软件包以匹配您的环境。该软件包带有一个名为smbldap-config的配置帮助程序脚本。但是,在运行它之前,您应该确定以下两个重要的配置设置/etc/samba/smb.conf
:
- netbios名称:该服务器的名称。默认值从服务器的主机名派生,但被截断为15个字符。
- workgroup:此服务器的工作组名称,或者,如果以后决定将其设置为域控制器,则为该域。
配置samba
# file : /etc/samba/smb.conf
[global]
workgroup = Company
server string = Samba Server Version %v
log file = /var/log/samba/log.%m
security = user
passdb backend = ldapsam:ldap://company02.com
ldap suffix = dc=company,dc=com
ldap user suffix = ou=Dev
ldap group suffix = ou=Group
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=admin,dc=company,dc=com
ldap ssl = start tls
ldap passwd sync = yes
Note: ubuntu官方文档的 ldap ssl = start tls
但是设置该项后重启服务报ERROR:Failed to issue the StartTLS instruction: Protocol error
测试一下samba
配置文件
root@cky:~/ldap# testparm -s
通过运行配置脚本来继续生成smbldap-tools配置
root@cky:~/ldap# smbldap-config
# 只有这三项进行了输入操作,别的都是直接回车
netbios name [] > Company
ldap master bind password [] > 654321
ldap slave bind password [] > 654321
使用smbldap-populate
添加Samba所需的LDAP对象。它将询问您“域根”用户的密码,该用户也是LDAP中存储的“根”用户:
root@cky:~# smbldap-populate -g 10003 -u 10003 -r 10003
Populating LDAP directory for domain Company (S-1-5-21-385293779-2563394074-3374145406)
(using builtin directory structure)
entry dc=company,dc=com already exist.
entry ou=Dev,dc=company,dc=com already exist.
entry ou=Groups,dc=company,dc=com already exist.
adding new entry: ou=Computers,dc=company,dc=com
adding new entry: ou=Idmap,dc=company,dc=com
adding new entry: sambaDomainName=Company,dc=company,dc=com
adding new entry: uid=root,ou=Dev,dc=company,dc=com
adding new entry: uid=nobody,ou=Dev,dc=company,dc=com
adding new entry: cn=Domain Admins,ou=Groups,dc=company,dc=com
adding new entry: cn=Domain Users,ou=Groups,dc=company,dc=com
adding new entry: cn=Domain Guests,ou=Groups,dc=company,dc=com
adding new entry: cn=Domain Computers,ou=Groups,dc=company,dc=com
adding new entry: cn=Administrators,ou=Groups,dc=company,dc=com
adding new entry: cn=Account Operators,ou=Groups,dc=company,dc=com
adding new entry: cn=Print Operators,ou=Groups,dc=company,dc=com
adding new entry: cn=Backup Operators,ou=Groups,dc=company,dc=com
adding new entry: cn=Replicators,ou=Groups,dc=company,dc=com
Please provide a password for the domain root:
Changing UNIX and samba passwords for root
New password: 654321
Retype new password: 654321
New passwords don't match!
将rootDN用户的密码(在slapd软件包的安装过程中设置的密码)告知Samba:
root@cky:~# smbpasswd -W
Setting stored password for "cn=admin,dc=company,dc=com" in secrets.tdb
New SMB password: 654321
Retype new SMB password: 654321
SSSD配置
为了让LDAP用户能够连接到samba并进行身份验证的最后一步,现在需要这些用户也以“ unix”用户身份出现在系统中。
安装sssd-ldap
root@cky:~# apt -y install sssd-ldap
配置/etc/sssd/sssd.conf
[sssd]
config_file_version = 2
domains = Company
[domain/Company]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://192.168.3.188
cache_credentials = True
ldap_search_base = dc=company,dc=com
调整权限并启动服务
root@cky:~# chmod 0600 /etc/sssd/sssd.conf
root@cky:~# chown root:root /etc/sssd/sssd.conf
root@cky:~# systemctl restart sssd
重新启动Samba服务:
root@cky:~# systemctl restart smbd.service nmbd.service
要快速测试设置,查看getent是否可以列出Samba组:
root@cky:~# getent group Replicators
root@cky:~#
有问题,查询不到用户组???一个大坑
还是认证有问题,系统中ldap
的用户查不到
google+百度 良久,外带牺牲了8根秀发,经过N多尝试之后,我发现以下方法即可解决:
修改配置文件/etc/nsswitch.conf
passwd: compat systemd sss ldap db
group: compat systemd sss ldap db
shadow: compat sss ldap db
主要就是这三项后面加了 ldap
和 db
安装nslcd
root@cky:~# apt install nslcd -y
修改配置文件/etc/nslcd.conf
root@cky:~# grep -Ev '^$|^[#;]' /etc/nslcd.conf
uid nslcd
gid nslcd
uri ldapi:///192.168.3.188
base dc=company,dc=com
ldap_version 3
binddn cn=admin,dc=company,dc=com
bindpw 654321
ssl off
tls_cacertfile /etc/ssl/certs/ca-certificates.crt
重启nslcd
服务
root@cky:~# systemctl restart nslcd
root@cky:~# systemctl enable nslcd
nslcd.service is not a native service, redirecting to systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable nslcd
重启slapd
服务
root@cky:~# systemctl restart slapd
再次查询
root@cky:~# getent group Replicators
Replicators:*:552:
所以我也不知道是我看的不够全,还是官方文档的缺失,此处再次diss一下Ubuntu官方文档
使用smbldap-tools
管理用户、组和计算机账户
启用自动主目录创建:
root@cky:~# pam-auth-update --enable mkhomedir
要添加具有主目录的新用户:
root@cky:~# smbldap-useradd -a -P -m ldap_user01
Changing UNIX and samba passwords for ldap_user01
New password: 111111
Retype new password: 111111
查一下ldap
中的用户
root@cky:~# ldapsearch -x -b "uid=ldap_user01,ou=Dev,dc=company,dc=com"
看一下home
目录
root@cky:~# ls /home
cky ldap_user01
使用getent
查询一下用户
root@cky:~# getent passwd ldap_user01
ldap_user01:x:10003:513:System User:/home/ldap_user01:/bin/bash