• Samba通过Openldap统一认证


    1.环境准备
    1.1、实验环境
    [root@moban ~]# cat /etc/redhat-release
    CentOS release 6.8 (Final)
    [root@moban ~]# uname -r
    2.6.32-642.el6.x86_64

    1.2、校准服务器时间
    [root@moban ~]# ntpdate pool.ntp.org
    12 Nov 01:11:59 ntpdate[2354]: adjust time server 202.118.1.81 offset 0.004307 sec
    [root@moban ~]# crontab -l
    #time sync
    */5 * * * * /usr/sbin/ntpdate pool.ntp.org >/dev/null 2>&1

    1.3、关闭selinux和iptables
    [root@moban ~]# getenforce  
    Enforcing
    [root@moban ~]# setenforce 0
    [root@moban ~]# getenforce  
    Permissive
    [root@moban ~]# service iptables stop

    2.Openldap和Samba的安装配置
    2.1、安装Openldap和Samba
    [root@moban ~]# yum -y install openldap openldap-clients openldap-servers nss-pam-ldapd
    [root@moban ~]# yum -y install samba-common samba samba-client

    2.2、配置openldap
    a.Openldap引用samba.schema
    [root@moban ~]# cp /usr/share/doc/samba-3.6.23/LDAP/samba.schema /etc/openldap  /schema/

    b.拷贝openldap的示例配置文件
    [root@moban ~]# cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf

    c.生成ldap管理员密码
    [root@moban ~]# slappasswd -s 123456
    {SSHA}Ae1JJTvbeP60y91e9MdAqOmpleSWG19o

    d.修改配置文件
    [root@moban ~]# vi /etc/openldap/slapd.conf
    在18行插入如下内容:
    18 include         /etc/openldap/schema/samba.schema

    注释掉99行到102行:

        99 # database config
        100 # access to *
        101 #       by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
        102 #       by * none

    在111行插入如下访问权限内容:
        111 access to attrs=userPassword
        112   by self write
        113   by anonymous auth
        114   by * none
        115 access to attrs=sambaNTPassword
        116   by self write
        117   by anonymous auth
        118   by * none
        119 access to *
        120   by self write
        121   by * read
    修改126行到134行的内容为:
    修改前:
        126 database        bdb
        127 suffix          "dc=my-domain,dc=com"
        128 checkpoint      1024 15
        129 rootdn          "cn=Manager,dc=my-domain,dc=com"
        130 # Cleartext passwords, especially for the rootdn, should
        131 # be avoided.  See slappasswd(8) and slapd.conf(5) for d
            etails.
        132 # Use of strong authentication encouraged.
        133 # rootpw                secret
        134 # rootpw                {crypt}ijFYNcSNctBYg
    修改后:
        126 database        bdb
        127 suffix          "dc=etiantian,dc=org"
        128 checkpoint      1024 15
        129 rootdn          "cn=admin,dc=etiantian,dc=org"
        130 # Cleartext passwords, especially for the rootdn, should
        131 # be avoided.  See slappasswd(8) and slapd.conf(5) for d
            etails.
        132 # Use of strong authentication encouraged.
        133 # rootpw                secret
        134 rootpw          {SSHA}Ae1JJTvbeP60y91e9MdAqOmpleSWG19o
    修改143行的内容为:
    修改前:
    index ou,cn,mail,surname,givenname      eq,pres,sub
    修改后:
    index ou,cn,mail,surname,givenname      eq,pres,sub,approx
    修改105行到109行的内容为:
    修改前:
        105 database monitor
        106 access to *
        107         by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn
            =external,cn=auth" read
        108         by dn.exact="cn=Manager,dc=my-domain,dc=com" read
        109         by * none
    修改后:
        105 database monitor
        106 access to *
        107         by dn.exact="cn=admin,dc=etiantian,dc=org" read
        108         by * none

    2.3、初始化openldap
    a.删除openldap原始的配置文件和数据
    [root@moban ~]# rm -rf /etc/openldap/slapd.d/*
    [root@moban ~]# rm -rf /var/lib/ldap/*

    b.拷贝数据库的配置文件
    [root@moban ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
    [root@moban ~]# chown ldap.ldap -R /var/lib/ldap
    [root@moban ~]# ll /var/lib/ldap
    total 4
    -rw-r--r--. 1 ldap ldap 845 Nov 12 01:54 DB_CONFIG

    c.生成2.4版本的配置文件
    [root@moban ldap]# slaptest -u
    config file testing succeeded
    [root@moban ldap]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/  #生成旧版本的配置文件
    config file testing succeeded

    d.初始化openldap的基础数据
    [root@moban openldap]# vi base.ldif
    dn: dc=etiantian,dc=org
    objectClass: organization
    objectClass: dcObject
    dc: etiantian
    o: etiantian

    dn: ou=People,dc=etiantian,dc=org
    objectClass: organizationalUnit
    ou: People

    dn: ou=group,dc=etiantian,dc=org
    objectClass: organizationalUnit
    ou: group
    [root@moban openldap]# vi group.ldif
    dn: cn=DBA,ou=group,dc=etiantian,dc=org
    objectClass: posixGroup
    objectClass: top
    cn: DBA
    memberUid: test1
    gidNumber: 10673
    [root@moban openldap]# vi user.ldif
    dn: uid=test1,ou=People,dc=etiantian,dc=org
    objectClass: posixAccount
    objectClass: top
    objectClass: inetOrgPerson
    objectClass: shadowAccount
    gidNumber: 0
    givenName: test1
    sn: test1
    uid: test1
    homeDirectory: /home/test1
    loginShell: /bin/bash
    shadowFlag: 0
    shadowMin: 0
    shadowMax: 99999
    shadowWarning: 0
    shadowInactive: 99999
    shadowLastChange: 12011
    shadowExpire: 99999
    cn: test1
    uidNumber: 24422

    e.把基础数据导入ldap
    [root@moban openldap]# slapadd -l base.ldif
    58260c66 The first database does not allow slapadd; using the first available one (2)
    _#################### 100.00% eta   none elapsed            none fast!         
    Closing DB...
    [root@moban openldap]# slapadd -l group.ldif
    58260c6d The first database does not allow slapadd; using the first available one (2)
    _#################### 100.00% eta   none elapsed            none fast!         
    Closing DB...
    [root@moban openldap]# slapadd -l user.ldif
    58260c72 The first database does not allow slapadd; using the first available one (2)
    _#################### 100.00% eta   none elapsed            none fast!         
    Closing DB...
    [root@moban openldap]# chown -R ldap.ldap /var/lib/ldap
    [root@moban openldap]# chown -R ldap.ldap /etc/openldap/slapd.d

    [root@moban openldap]# chmod -R 700 /var/lib/ldap
    [root@moban openldap]# chmod -R 700 /etc/openldap/slapd.d

    2.4、配置samba
    a.修改samba的配置
    [root@moban openldap]# cd /etc/samba/
    [root@moban samba]# cp smb.conf smb.conf.ori
    [root@moban samba]# vi smb.conf
    [global]
    workgroup = WORKGROUP
    server string = Samba-ldap Server Version %v
    netbios name = samba-ldapsam
    log file = /var/log/samba/log.%m
    max log size = 50
    security = user
    passdb backend = ldapsam:ldap://192.168.0.111/
    ldap suffix = "dc=etiantian,dc=org"
    ldap admin dn = "cn=admin,dc=etiantian,dc=org"
    ldap user suffix = "ou=People,dc=etiantian,dc=org"
    ldap group suffix = "ou=group,dc=etiantian,dc=org"
    ldap delete dn = no
    ldap passwd sync = yes
    ldap ssl = no

    [sambashare]
    comment = share all
    path = /app/log
    browseable = yes
    public = yes
    writable = yes

    [myshare]
    comment = share for users
    path = /application
    browseable = yes
    public = no
    writable = yes

    b.创建共享数据目录
    [root@moban samba]# mkdir /app/log -p
    [root@moban samba]# mkdir /application

    提示:为了方便测试,先给目录777的权限

    [root@moban samba]# chmod -R 777 /application

    [root@moban samba]# chmod -R 777 /app/log

    c.保存openldap的admin密码到samba中
    提示:为了使samba能够访问ldap,把ldap管理员的密码保存到samba的secrets.tdb中(/var/lib/samba/private/secrets.tdb)
    [root@moban samba]# smbpasswd -w 123456
    Setting stored password for "cn=admin,dc=etiantian,dc=org" in secrets.tdb

    d.在openldap中,添加samba测试用户
    [root@moban openldap]# cat /etc/passwd|grep admin(系统用户)
    admin:x:500:500::/home/admin:/bin/bash
    [root@moban samba]# cd /etc/openldap/
    [root@moban openldap]# vi /etc/samba/smbusers
    在最下面加入samba用户
    admin sambatest  #意思是说admin这个系统用户名有一个虚拟的SMB用户名:sambatest
    [root@moban openldap]# vi sambauser.ldif
    dn: uid=sambatest,ou=People,dc=etiantian,dc=org
    objectClass: posixAccount
    objectClass: top
    objectClass: inetOrgPerson
    objectClass: shadowAccount
    gidNumber: 1009
    givenName: sambatest
    sn: sambatest
    uid: sambatest
    homeDirectory: /home/sambatest
    loginShell: /bin/bash
    shadowFlag: 0
    shadowMin: 0
    shadowMax: 99999
    shadowWarning: 0
    shadowInactive: 99999
    shadowLastChange: 12011
    shadowExpire: 99999
    cn: sambatest
    uidNumber: 24425
    [root@moban openldap]# slapadd -l sambauser.ldif
    58261bcf The first database does not allow slapadd; using the first available one (2)
    _#################### 100.00% eta   none elapsed            none fast!         
    Closing DB...

    e.设置操作系统从ldap中验证用户
    提示:设置系统如果没有从/etc/passwd中找到用户就去openldap中验证。
    [root@moban openldap]# authconfig-tui
    User Information
    [*] Use LDAP
    Authentication
    [*] Use Fingerprint reader

    ┌─────────┤ LDAP Settings ├───────

    │          [ ] Use TLS
    │ Server: ldap://192.168.0.111/
    │ Base DN: dc=etiantian,dc=org
    [root@moban openldap]# grep "ldap" /etc/nsswitch.conf
    passwd:     files ldap
    shadow:     files ldap
    group:      files ldap
    netgroup:   files ldap
    automount:  files ldap
    [root@moban openldap]# tail -3 ldap.conf
    URI ldap://192.168.0.111/
    BASE dc=etiantian,dc=org
    TLS_CACERTDIR /etc/openldap/cacerts
    [root@moban openldap]# /etc/init.d/slapd start
    [root@moban openldap]# /etc/init.d/smb start

    f.测试从ldap中获取用户信息
    [root@moban openldap]# id sambatest           
    uid=24425(sambatest) gid=1009 groups=1009
    [root@moban openldap]# grep "sambatest" /etc/passwd
    备注:从passwd文件中找不到sambatest,说明sambatest是从ldap中获取的。

    g.设置测试用户sambatest密码
    [root@moban openldap]# smbpasswd -a sambatest
    New SMB password:123456789
    Retype new SMB password:123456789
    Added user sambatest.

    h.测试samba中sambatest用户能否登录
    [root@moban openldap]# smbclient -U sambatest //192.168.0.111/sambashare
    Enter sambatest's password:
    Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.6.23-36.el6_8]
    smb: > ls
      .                                   D        0  Sat Nov  5 20:38:28 2016
      ..                                  D        0  Thu Oct 27 13:01:13 2016
      UM4SW7~D.LOG                        A       74  Thu Oct 27 19:29:01 2016
      U41Y9B~1.LOG                        A       85  Thu Oct 27 19:37:24 2016
      U0XZAY~G.LOG                        A      117  Thu Oct 27 19:18:40 2016
      UAKC5V~4.LOG                        A       99  Thu Oct 27 19:27:02 2016
      UO0D3H~P.LOG                        A        0  Sat Nov  5 20:38:28 2016
      U3DW4T~X.LOG                        A       48  Thu Oct 27 19:30:14 2016
                    51760 blocks of size 524288. 45745 blocks available
    smb: >
    [root@moban openldap]# smbclient -U sambatest //192.168.0.111/myshare
    Enter sambatest's password:
    Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.6.23-36.el6_8]
    smb: > ls
      .                                   D        0  Sat Nov  5 23:26:28 2016
      ..                                 DR        0  Fri Nov 11 22:26:21 2016
      svndata                             D        0  Thu Oct 27 01:48:57 2016
      新建 Microsoft Access 数据库.accdb      A   512000  Sat Nov  5 23:26:28 2016
      svnpasswd                           D        0  Sat Nov  5 21:02:06 2016

                    51760 blocks of size 524288. 45745 blocks available
    smb: >
    通过以上结果可以看到samba通过openldap验证访问正常,再看看windows的访问,如下图:

    wKiom1gmwXjBjnNkAAFBOot9wbI046.png-wh_50

  • 相关阅读:
    边工作边刷题:70天一遍leetcode: day 95
    边工作边刷题:70天一遍leetcode: day 96-2
    边工作边刷题:70天一遍leetcode: day 96-1
    边工作边刷题:70天一遍leetcode: day 96
    边工作边刷题:70天一遍leetcode: day 97-3
    边工作边刷题:70天一遍leetcode: day 97-2
    边工作边刷题:70天一遍leetcode: day 97-1
    边工作边刷题:70天一遍leetcode: day 97
    边工作边刷题:70天一遍leetcode: day 40
    边工作边刷题:70天一遍leetcode: day 41-3
  • 原文地址:https://www.cnblogs.com/wuhg/p/9844411.html
Copyright © 2020-2023  润新知