OpenLDAP+samba
Lab environment:
Samba server: 192.168.15.241
LDAP server: 192.168.15.240
Samba server:
1. Deploy the Samba server with the following commands
[root@localhost ~]# yum -y install samba
[root@localhost ~]# mv /etc/samba/smb.conf /etc/samba/smb.conf.bak
[root@localhost ~]# cat /etc/samba/smb.conf.bak | grep -v "^#" > /etc/samba/smb.conf
[root@localhost ~]# vim /etc/samba/smb.conf
~ # only the lines that were changed or added are shown
[global]
# share-level security: clients are not authenticated per user (this mode was removed in Samba 4)
security = share
[test-share]
comment = Home Directories
browseable = yes
writable = yes
# public = yes lets anyone connect without a password
public = yes
path = /opt/share
~
[root@localhost ~]# mkdir /opt/share
[root@localhost ~]# chmod 777 /opt/share   # only the share directory; a recursive 777 on all of /opt is far wider than needed
[root@localhost ~]# service smb restart
Shutting down SMB services: [ OK ]
Starting SMB services: [ OK ]
# lab shortcut: on a real host open only TCP 139/445 in iptables and set the
# samba_* SELinux booleans (e.g. samba_export_all_rw) instead of disabling SELinux
[root@localhost ~]# service iptables stop
[root@localhost ~]# setenforce 0
2. Open Windows Explorer and try to reach the share; here it opened. No credentials were asked for, which is exactly what security = share combined with public = yes means: anyone on the network can read and write /opt/share.
LDAP server:
1. Set up the LDAP server. The meaning of each command is covered in the LDAP basics article and is not repeated here.
[root@localhost ~]# yum -y install openldap openldap-servers openldap-clients
[root@localhost ~]# cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
[root@localhost ~]# rm -rf /etc/openldap/slapd.d/*
[root@localhost ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@localhost ~]# chown -R ldap.ldap /var/lib/ldap/
===============================================================
# Note: because we are integrating with Samba we need samba.schema, which OpenLDAP does not ship.
# The only option is to install the samba package on this host as well (yum -y install samba, as on
# the Samba host) and copy /usr/share/doc/samba-3.6.9/LDAP/samba.schema into /etc/openldap/schema/.
# The OpenLDAP configuration also needs a few additions, shown below.
[root@localhost ~]# cp /usr/share/doc/samba-3.6.9/LDAP/samba.schema /etc/openldap/schema/
[root@localhost ~]# slappasswd -s Admin@123   # produce the salted SSHA hash of the admin password (omit -s to be prompted and keep it out of the shell history)
{SSHA}x9bekIGDi5BGS7/5MHd4mxEUkuMaz4OC
[root@localhost ~]# vim /etc/openldap/slapd.conf
~
# add samba.schema after the last existing include line
include /etc/openldap/schema/samba.schema
# The two access blocks below are ours. They belong in the global section,
# before the first "database" directive: an access directive that appears
# after "database config" applies only to cn=config, and the bdb database
# would then fall back to the default "by * read", exposing the Samba hashes.
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
    by self write
    by dn="cn=Manager,dc=gdy,dc=com" write
    by anonymous auth
    by * none
access to *
    by dn="cn=Manager,dc=gdy,dc=com" write
    by self write
    by * read
database config
access to *
    by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
    by * none
# enable server status monitoring (cn=monitor)
# the template names cn=Manager,dc=my-domain,dc=com here; change it to the new suffix as well
database monitor
access to *
    by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
    by dn.exact="cn=Manager,dc=gdy,dc=com" read
    by * none
database bdb
# the directory suffix (your domain)
suffix "dc=gdy,dc=com"
checkpoint 1024 15
# cn is the administrator entry, the dc components are the domain
rootdn "cn=Manager,dc=gdy,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
# rootpw {crypt}ijFYNcSNctBYg
# paste the hash slappasswd produced from Admin@123; this is the administrator password
rootpw {SSHA}x9bekIGDi5BGS7/5MHd4mxEUkuMaz4OC
~
[root@localhost ~]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
[root@localhost ~]# chown -R ldap.ldap /etc/openldap/slapd.d
[root@localhost ~]# chown -R ldap.ldap /var/lib/ldap
[root@localhost ~]# slaptest -f /etc/openldap/slapd.conf
[root@localhost ~]# service slapd start
[root@localhost ~]# useradd test1;echo "asd123." | passwd --stdin test1
[root@localhost ~]# useradd test2;echo "asd123." | passwd --stdin test2
[root@localhost ~]# useradd test3;echo "asd123." | passwd --stdin test3
[root@localhost ~]# yum -y install migrationtools
[root@localhost ~]# tail -n 3 /etc/passwd > /etc/openldap/system   # the three test accounts just created
[root@localhost ~]# tail -n 3 /etc/group > /etc/openldap/group     # and their private groups
[root@localhost ~]# cd /etc/openldap/
[root@localhost openldap]# vim /usr/share/migrationtools/migrate_common.ph +71
~
$DEFAULT_MAIL_DOMAIN = "gdy.com";
$DEFAULT_BASE = "dc=gdy,dc=com";
~
[root@localhost openldap]# /usr/share/migrationtools/migrate_passwd.pl system people.ldif
[root@localhost openldap]# /usr/share/migrationtools/migrate_group.pl group group.ldif
[root@localhost openldap]# vim 1.ldif
~
# LDIF entries must be separated by a blank line, otherwise ldapadd rejects the second dn: as an attribute
dn: dc=gdy,dc=com
dc: gdy
objectClass: top
objectClass: domain

dn: ou=people,dc=gdy,dc=com
ou: people
objectClass: top
objectClass: organizationalUnit

dn: ou=group,dc=gdy,dc=com
ou: group
objectClass: top
objectClass: organizationalUnit
~
# -w puts the admin password into the shell history and into ps output; -W prompts for it instead
[root@localhost openldap]# ldapadd -D cn=Manager,dc=gdy,dc=com -x -w Admin@123 -f 1.ldif
[root@localhost openldap]# ldapadd -D cn=Manager,dc=gdy,dc=com -x -w Admin@123 -f people.ldif
[root@localhost openldap]# ldapadd -D cn=Manager,dc=gdy,dc=com -x -w Admin@123 -f group.ldif
[root@localhost openldap]# vim /etc/openldap/ldap.conf
~
BASE dc=gdy,dc=com
URI ldap://192.168.15.240
~
# same lab shortcut as on the Samba host; in production open only TCP 389 (or 636) to the Samba server
[root@localhost openldap]# service iptables stop
[root@localhost openldap]# setenforce 0
LDAP client, i.e. the Samba server:
1. Join the Samba server to OpenLDAP as a client, so that the OpenLDAP users can be used on it
[root@localhost ~]# yum -y install openldap-clients nss-pam-ldapd
2. Use the text UI to do the client configuration, which is quickest: in authconfig-tui enable "Use LDAP" and "Use LDAP Authentication", set the server to ldap://192.168.15.240 and the base DN to dc=gdy,dc=com
[root@localhost ~]# authconfig-tui
3. Edit the Samba configuration and add the LDAP integration parameters
[root@localhost ~]# vim /etc/samba/smb.conf
[global]
security = user
passdb backend = ldapsam:ldap://192.168.15.240/
ldap suffix = "dc=gdy,dc=com"
# the group and user suffixes are relative to ldap suffix and must match the
# OUs created in 1.ldif: ou=group and ou=people (not cn=group)
ldap group suffix = "ou=group"
ldap user suffix = "ou=people"
ldap admin dn = "cn=Manager,dc=gdy,dc=com"
ldap delete dn = no
ldap passwd sync = Yes
pam password change = Yes
# ldap ssl = off is acceptable for this lab, but it means the admin bind password
# and the NT/LM hashes travel in the clear between 192.168.15.241 and .240;
# use ldap ssl = start tls (with TLS configured on slapd) anywhere that matters
ldap ssl = off
[test-share]
comment = Home Directories
browseable = yes
writable = yes
path = /opt/share
# @ names a group (NIS netgroup first, then Unix group), not a user; it works here
# because the migrated /etc/group entries created groups named test1 and test2.
# To admit individual users, list them without the @.
valid users = @test1,@test2
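The two smb.conf versions in this article differ exactly in the settings that matter for security: share-level security plus a public writable share in the first, user-level security backed by ldapsam in the second, which still talks plain ldap://. Below is an added example, not part of the original article or of Samba, that audits an smb.conf for those three weak settings. The sample configs it builds are constructed from the article's two versions plus a corrected one; the corrected one assumes TLS has been set up on slapd so that ldap ssl = start tls works. It needs only POSIX sh and awk:

```shell
#!/bin/sh
# Added example, not from the tutorial or from Samba: flags the weak settings
# seen in the two smb.conf versions in this article.
# Assumes a Samba 3.x style smb.conf ("[section]" headers, "key = value"
# lines); keys are matched case-insensitively, as Samba itself does.

# Normalise a config: drop comments and blank lines, lowercase section and
# key names, trim whitespace. Emits one "section|key|value" line per setting.
normalize_smb_conf() {
    awk '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        /^[ \t]*\[/ {
            s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
            section = tolower(s); next
        }
        index($0, "=") > 0 {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            gsub(/[ \t]+/, " ", k)
            print section "|" tolower(k) "|" tolower(v)
        }' "$1"
}

# Print one finding per line. Exit status 1 if anything was found, 0 if clean.
audit_smb_conf() {
    normalize_smb_conf "$1" | awk -F'|' '
        { conf[$1 "|" $2] = $3; if ($1 != "global") shares[$1] = 1 }
        END {
            n = 0
            if (conf["global|security"] == "share") {
                print "[global] security = share: share-level security, no per-user authentication (removed in Samba 4)"; n++
            }
            if (conf["global|passdb backend"] ~ /^ldapsam:ldap:\/\// && conf["global|ldap ssl"] == "off") {
                print "[global] ldapsam over plain ldap:// with ldap ssl = off: admin bind and NT/LM hashes cross the wire unencrypted"; n++
            }
            for (s in shares) {
                w = (conf[s "|writable"] == "yes" || conf[s "|writeable"] == "yes" || conf[s "|read only"] == "no")
                g = (conf[s "|public"] == "yes" || conf[s "|guest ok"] == "yes")
                if (w && g) { print "[" s "] writable share open to guests (public / guest ok = yes)"; n++ }
            }
            if (n > 0) exit 1
            exit 0
        }'
}

# Constructed sample configs: the article's two versions plus a corrected one.
SAMPLE_DIR=$(mktemp -d)

cat > "$SAMPLE_DIR/share-mode.conf" <<'EOF'
[global]
security = share
[test-share]
comment = Home Directories
browseable = yes
writable = yes
public = yes
path = /opt/share
EOF

cat > "$SAMPLE_DIR/ldap-plain.conf" <<'EOF'
[gLobal]
security = user
passdb backend = ldapsam:ldap://192.168.15.240/
ldap suffix = "dc=gdy,dc=com"
ldap admin dn = "cn=Manager,dc=gdy,dc=com"
ldap ssl=off
[test-share]
comment = Home Directories
writable = yes
path = /opt/share
valid users = @test1,@test2
EOF

# Corrected version; assumes slapd has TLS configured so start tls succeeds.
cat > "$SAMPLE_DIR/fixed.conf" <<'EOF'
[global]
security = user
passdb backend = ldapsam:ldap://192.168.15.240/
ldap suffix = "dc=gdy,dc=com"
ldap admin dn = "cn=Manager,dc=gdy,dc=com"
ldap ssl = start tls
[test-share]
comment = Home Directories
writable = yes
path = /opt/share
valid users = test1,test2
EOF

for f in share-mode ldap-plain fixed; do
    echo "== $f.conf"
    audit_smb_conf "$SAMPLE_DIR/$f.conf" || :
done
```

Run it against the real file with audit_smb_conf /etc/samba/smb.conf; a non-zero exit status makes it usable as a check in a deployment script.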
4. Restart smb with the following command
[root@localhost ~]# service smb restart
Shutting down SMB services: [ OK ]
Starting SMB services: [ OK ]
5. Store the OpenLDAP administrator password in secrets.tdb with the following command; Samba binds as ldap admin dn with it for lookups and for writing the Samba attributes
[root@localhost ~]# smbpasswd -w Admin@123
Setting stored password for "cn=Manager,dc=gdy,dc=com" in secrets.tdb
6. Set SMB passwords for the LDAP users (smbpasswd -a adds the sambaSamAccount object class and the LM/NT hashes to each user's LDAP entry through ldap admin dn), and turn off SELinux and the firewall
[root@localhost ~]# smbpasswd -a test1
New SMB password:
Retype new SMB password:
Added user test1
[root@localhost ~]# smbpasswd -a test2
New SMB password:
Retype new SMB password:
Added user test2
[root@localhost ~]# service iptables stop
[root@localhost ~]# setenforce 0
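Now that smbpasswd -a has written sambaLMPassword and sambaNTPassword into the directory (and the migration scripts put the crypt hashes into userPassword), it is worth confirming that the access rule from slapd.conf really hides them from anonymous binds and from other users. The following is an added example, not from the tutorial: the audit_user_hashes function runs ldapsearch (openldap-clients) against the live server, while the two LDIF samples are constructed to show what a correct and a misplaced ACL return:

```shell
#!/bin/sh
# Added example, not from the tutorial: checks that an LDAP user entry, as
# returned by ldapsearch, exposes no password material.
# Assumes ldapsearch from openldap-clients on the Samba host; the LDIF
# samples below are constructed, not captured from the lab.

# Attributes that must never be readable by anonymous or by other users.
SECRET_ATTRS='userPassword|sambaLMPassword|sambaNTPassword'

# Read LDIF on stdin and print the names of any secret attributes present.
# LDIF attribute lines are "name: value" or "name:: base64value"; attribute
# names are case-insensitive, hence -i.
find_secret_attrs() {
    grep -iE "^(${SECRET_ATTRS})::? " | cut -d: -f1 | sort -u
}

# Return 0 if the LDIF on stdin exposes nothing, 1 (with a message) otherwise.
check_no_secret_attrs() {
    leaked=$(find_secret_attrs)
    if [ -n "$leaked" ]; then
        echo "FAIL: readable password attributes: $(echo "$leaked" | tr '\n' ' ')" >&2
        return 1
    fi
    echo "OK: no password attributes returned"
    return 0
}

# Query a live server. With no bind DN the search is anonymous; with a bind DN
# (e.g. uid=test2,ou=people,dc=gdy,dc=com) it shows what another user sees.
# Usage: audit_user_hashes ldap://192.168.15.240 dc=gdy,dc=com test1 [binddn]
audit_user_hashes() {
    uri=$1; base=$2; uid=$3; binddn=$4
    if [ -n "$binddn" ]; then
        ldapsearch -x -LLL -H "$uri" -b "$base" -D "$binddn" -W "(uid=$uid)" | check_no_secret_attrs
    else
        ldapsearch -x -LLL -H "$uri" -b "$base" "(uid=$uid)" | check_no_secret_attrs
    fi
}

# Constructed: what an anonymous search returns when the access rule sits in
# the global section as intended (the hashes are filtered out).
SAMPLE_OK='dn: uid=test1,ou=people,dc=gdy,dc=com
uid: test1
cn: test1
objectClass: account
objectClass: posixAccount
objectClass: sambaSamAccount
uidNumber: 500
gidNumber: 500
homeDirectory: /home/test1
'

# Constructed: what it returns when the rule was placed under "database config"
# by mistake, so the bdb database fell back to the default "by * read".
SAMPLE_LEAK='dn: uid=test1,ou=people,dc=gdy,dc=com
uid: test1
objectClass: sambaSamAccount
userPassword:: e2NyeXB0fSQxJGV4YW1wbGU=
sambaLMPassword: 00000000000000000000000000000000
sambaNTPassword: 00000000000000000000000000000000
'

printf '%s' "$SAMPLE_OK" | check_no_secret_attrs
printf '%s' "$SAMPLE_LEAK" | check_no_secret_attrs || :
```

Run the anonymous check and then the check bound as test2 for test1's entry; both must print OK. If the second one fails, the "by self write ... by * none" rule is not in effect for the bdb database.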
7. Install the client package and verify it yourself
[root@localhost ~]# yum -y install samba-client
[root@localhost ~]# smbclient -L //192.168.15.241 -U test1   # a full share listing means success; a single line back means it failed
Enter test1's password:
Domain=[MYGROUP] OS=[Unix] Server=[Samba 3.6.9-164.el6]
        Sharename       Type      Comment
        ---------       ----      -------
        test-share      Disk      Home Directories
        IPC$            IPC       IPC Service (Samba Server Version 3.6.9-164.el6)
Domain=[MYGROUP] OS=[Unix] Server=[Samba 3.6.9-164.el6]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
8. Test from Windows as well; the share opens with the LDAP user's credentials.