Samba unified authentication through OpenLDAP

Source: Internet
Author: User
Tags: ldap, microsoft, access, database, openldap

1. Environment preparation
1.1. Lab environment
[root@host ~]# cat /etc/redhat-release
CentOS release 6.8 (Final)
[root@host ~]# uname -r
2.6.32-642.el6.x86_64

1.2. Synchronize the server clock
[root@host ~]# ntpdate pool.ntp.org
01:11:59 ntpdate[2354]: adjust time server 202.118.1.81 offset 0.004307 sec
[root@host ~]# crontab -l
# time sync
*/5 * * * * /usr/sbin/ntpdate pool.ntp.org >/dev/null 2>&1

1.3. Disable SELinux and iptables
[root@host ~]# getenforce
Enforcing
[root@host ~]# setenforce 0
[root@host ~]# getenforce
Permissive
[root@host ~]# service iptables stop

2. Installing and configuring OpenLDAP and Samba
2.1. Install OpenLDAP and Samba
[root@host ~]# yum -y install openldap openldap-clients openldap-servers nss-pam-ldapd
[root@host ~]# yum -y install samba-common samba samba-client

2.2. Configure OpenLDAP
A. Make samba.schema available to OpenLDAP
[root@host ~]# cp /usr/share/doc/samba-3.6.23/ldap/samba.schema /etc/openldap/schema/

B. Copy the sample OpenLDAP configuration file
[root@host ~]# cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf

C. Generate the LDAP administrator password hash
[root@host ~]# slappasswd -s 123456
{SSHA}Ae1jjtvbep60y91e9mdaqompleswg19o

D. Edit the configuration file
[root@host ~]# vi /etc/openldap/slapd.conf
Insert the following at line 18:
18  include         /etc/openldap/schema/samba.schema

Comment out lines 99 to 102:
99  #database config
100 #access to *
101 #        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
102 #        by * none

Insert the following access rules at line 111:
111 access to attrs=userPassword
112         by self write
113         by anonymous auth
114         by * none
115 access to attrs=sambaNTPassword
116         by self write
117         by anonymous auth
118         by * none
119 access to *
120         by self write
121         by * read

Change lines 126 to 134 as follows.
Before:
126 database        bdb
127 suffix          "dc=my-domain,dc=com"
128 checkpoint      1024 15
129 rootdn          "cn=Manager,dc=my-domain,dc=com"
130 # Cleartext passwords, especially for the rootdn, should
131 # be avoided.  See slappasswd(8) and slapd.conf(5) for details.
132 # Use of strong authentication encouraged.
133 # rootpw        secret
134 # rootpw        {crypt}ijFYNcSNctBYg
After:
126 database        bdb
127 suffix          "dc=etiantian,dc=org"
128 checkpoint      1024 15
129 rootdn          "cn=admin,dc=etiantian,dc=org"
130 # Cleartext passwords, especially for the rootdn, should
131 # be avoided.  See slappasswd(8) and slapd.conf(5) for details.
132 # Use of strong authentication encouraged.
133 # rootpw        secret
134 rootpw          {SSHA}Ae1jjtvbep60y91e9mdaqompleswg19o

Change line 143 as follows.
Before:
143 index ou,cn,mail,surname,givenname      eq,pres,sub
After:
143 index ou,cn,mail,surname,givenname      eq,pres,sub,approx

Change lines 105 to 109 as follows.
Before:
105 database monitor
106 access to *
107         by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
108         by dn.exact="cn=Manager,dc=my-domain,dc=com" read
109         by * none
After:
105 database monitor
106 access to *
107         by dn.exact="cn=admin,dc=etiantian,dc=org" read
108         by * none
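The access rules are the security-relevant part of this file: userPassword and sambaNTPassword should be writable only by the entry's owner, usable for binding by anonymous clients (auth), and invisible to everyone else. slapd evaluates access directives in order and the first matching "access to" wins, so a password rule placed after "access to *" in the same scope is never reached. The shell function below is an added example, not part of the original article, that scans a slapd.conf for those conditions. It assumes the slapd.conf syntax used above with one "by" clause per line, treats every "database" directive as the start of a new ACL scope, and also checks sambaLMPassword, which samba.schema defines next to sambaNTPassword but which the rules above do not cover. The two sample files are constructed here; the hardened one places the rules before the first "database" line so they are global.

```shell
# Added example (not from the original article): audit password-attribute ACLs
# in a slapd.conf. Assumptions: slapd.conf "access to ... / by ..." syntax with
# one "by" clause per line; each "database" directive starts a new ACL scope;
# sambaLMPassword is checked too (samba.schema defines it next to sambaNTPassword).

# audit_password_acls <slapd.conf>: print one ok/FAIL line per sensitive
# attribute; return 1 if any attribute is exposed.
audit_password_acls() {
    conf="$1"
    status=0
    for attr in userPassword sambaNTPassword sambaLMPassword; do
        verdict=$(awk -v attr="$attr" '
            { line = tolower($0) }
            # a "database" line starts a new scope: earlier rules no longer apply
            line ~ /^[ \t]*database[ \t]/ { catchall = 0; inblock = 0; next }
            line ~ /^[ \t]*access[ \t]+to[ \t]+attrs=/ {
                inblock = (index(line, tolower(attr)) > 0)
                if (inblock) { seen = 1; if (catchall) late = 1 }
                next
            }
            line ~ /^[ \t]*access[ \t]+to[ \t]+\*/ { catchall = 1; inblock = 0; next }
            line ~ /^[ \t]*access[ \t]+to/ { inblock = 0; next }
            # inside a matching block: anyone other than self getting more than "auth"
            inblock && line ~ /^[ \t]*by[ \t]+(\*|anonymous|users)[ \t]+(read|write|compare|search)/ { leak = 1 }
            END {
                if (!seen)      print "FAIL " attr ": no dedicated ACL, falls through to a later rule"
                else if (leak)  print "FAIL " attr ": readable by anonymous or any authenticated user"
                else if (late)  print "FAIL " attr ": ACL placed after \"access to *\" in the same scope, never evaluated"
                else            print "ok   " attr
            }' "$conf")
        echo "$verdict"
        case "$verdict" in FAIL*) status=1 ;; esac
    done
    return "$status"
}

SAMPLE_DIR="${TMPDIR:-/tmp}/slapd-acl-audit.$$"
mkdir -p "$SAMPLE_DIR"
HARDENED_CONF="$SAMPLE_DIR/slapd-hardened.conf"
WEAK_CONF="$SAMPLE_DIR/slapd-weak.conf"

# Constructed sample: the article's rules, placed before the first "database"
# directive so they are global, with sambaLMPassword added to the attribute list.
cat > "$HARDENED_CONF" <<'EOF'
include         /etc/openldap/schema/samba.schema
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
        by self write
        by anonymous auth
        by * none
access to *
        by self write
        by * read
database        bdb
suffix          "dc=etiantian,dc=org"
rootdn          "cn=admin,dc=etiantian,dc=org"
EOF

# Constructed sample with three distinct mistakes: userPassword world-readable,
# the sambaNTPassword rule placed after the catch-all, sambaLMPassword not covered.
cat > "$WEAK_CONF" <<'EOF'
access to attrs=userPassword
        by self write
        by anonymous auth
        by * read
access to *
        by self write
        by * read
access to attrs=sambaNTPassword
        by self write
        by anonymous auth
        by * none
database        bdb
suffix          "dc=etiantian,dc=org"
EOF

echo "== hardened =="; audit_password_acls "$HARDENED_CONF"
echo "== weak =="; audit_password_acls "$WEAK_CONF" || echo "audit failed as expected"
```

Run it against the real file with audit_password_acls /etc/openldap/slapd.conf before running slaptest; the check is a flat text scan, so it knows nothing about slapd.d (cn=config) and should be rerun whenever the ACLs change.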

2.3. Initialize OpenLDAP
A. Remove the original OpenLDAP configuration and data
[root@host ~]# rm -rf /etc/openldap/slapd.d/*
[root@host ~]# rm -rf /var/lib/ldap/*

B. Copy the database configuration file
[root@host ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@host ~]# chown ldap.ldap -R /var/lib/ldap
[root@host ~]# ll /var/lib/ldap
total 4
-rw-r--r--. 1 ldap ldap 845 Nov 01:54 DB_CONFIG

C. Generate the OpenLDAP 2.4-style configuration directory (slapd.d)
[root@host ldap]# slaptest -u
config file testing succeeded
[root@host ldap]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/    # generate the slapd.d configuration from the old-style config file
config file testing succeeded

D. Create the OpenLDAP base data
[root@host openldap]# vi base.ldif
dn: dc=etiantian,dc=org
objectClass: organization
objectClass: dcObject
dc: etiantian
o: etiantian

dn: ou=people,dc=etiantian,dc=org
objectClass: organizationalUnit
ou: people

dn: ou=group,dc=etiantian,dc=org
objectClass: organizationalUnit
ou: group
[root@host openldap]# vi group.ldif
dn: cn=dba,ou=group,dc=etiantian,dc=org
objectClass: posixGroup
objectClass: top
cn: dba
memberUid: test1
gidNumber: 10673
[root@host openldap]# vi user.ldif
dn: uid=test1,ou=people,dc=etiantian,dc=org
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
objectClass: shadowAccount
gidNumber: 0
givenName: test1
sn: test1
uid: test1
homeDirectory: /home/test1
loginShell: /bin/bash
shadowFlag: 0
shadowMin: 0
shadowMax: 99999
shadowWarning: 0
shadowInactive: 99999
shadowLastChange: 12011
shadowExpire: 99999
cn: test1
uidNumber: 24422
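Writing these LDIF files by hand works for one test user but gets error-prone with many. The script below is an added example, not part of the original article: it generates the same posixAccount/inetOrgPerson/shadowAccount user entry and the posixGroup entry from a few parameters, and checks that the attributes those object classes require (cn, uid, uidNumber, gidNumber, homeDirectory from posixAccount; sn from person) are present before the file goes to slapadd. It assumes the article's base DN dc=etiantian,dc=org with its ou=people and ou=group containers, and sets shadowLastChange to the current number of days since the Unix epoch, which is the unit that attribute is expressed in (12011 above is the same kind of value).

```shell
# Added example (not from the original article): generate and sanity-check the
# LDIF entries that section 2.3.D writes by hand. Assumptions: the article's
# base DN dc=etiantian,dc=org with ou=people / ou=group; shadowLastChange is
# set to the current day count since the Unix epoch.

# Days since 1970-01-01, the unit shadowLastChange is expressed in.
days_since_epoch() {
    echo $(( $(date +%s) / 86400 ))
}

# make_user_ldif <uid> <uidNumber> <gidNumber> [base_dn]: LDIF on stdout
make_user_ldif() {
    uid="$1"; uidnum="$2"; gidnum="$3"; base="${4:-dc=etiantian,dc=org}"
    cat <<EOF
dn: uid=${uid},ou=people,${base}
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
objectClass: shadowAccount
cn: ${uid}
sn: ${uid}
givenName: ${uid}
uid: ${uid}
uidNumber: ${uidnum}
gidNumber: ${gidnum}
homeDirectory: /home/${uid}
loginShell: /bin/bash
shadowFlag: 0
shadowMin: 0
shadowMax: 99999
shadowWarning: 0
shadowInactive: 99999
shadowLastChange: $(days_since_epoch)
shadowExpire: 99999
EOF
}

# make_group_ldif <cn> <gidNumber> <base_dn> [memberUid ...]: LDIF on stdout
make_group_ldif() {
    cn="$1"; gidnum="$2"; base="$3"; shift 3
    printf 'dn: cn=%s,ou=group,%s\nobjectClass: posixGroup\nobjectClass: top\ncn: %s\ngidNumber: %s\n' \
        "$cn" "$base" "$cn" "$gidnum"
    for member in "$@"; do printf 'memberUid: %s\n' "$member"; done
}

# check_user_ldif: read one user entry on stdin; verify the attributes required
# by posixAccount (cn uid uidNumber gidNumber homeDirectory) and person (sn)
# are present and that the numeric IDs are numeric. Exit 1 on any problem.
check_user_ldif() {
    awk '
        BEGIN { bad = 0 }
        /^[A-Za-z]+:/ {
            key = $0; sub(/:.*$/, "", key); key = tolower(key)
            val = $0; sub(/^[^:]*:[ \t]*/, "", val)
            have[key] = val
        }
        END {
            n = split("cn uid uidnumber gidnumber homedirectory sn", req, " ")
            for (i = 1; i <= n; i++)
                if (!(req[i] in have)) { print "missing attribute: " req[i]; bad = 1 }
            if (("uidnumber" in have) && have["uidnumber"] !~ /^[0-9]+$/) { print "uidNumber is not numeric"; bad = 1 }
            if (("gidnumber" in have) && have["gidnumber"] !~ /^[0-9]+$/) { print "gidNumber is not numeric"; bad = 1 }
            if (!bad) print "ok"
            exit bad
        }'
}

# Demonstration: the article's test1 account and dba group, then a broken entry.
make_user_ldif test1 24422 10673 | check_user_ldif
make_group_ldif dba 10673 dc=etiantian,dc=org test1
printf 'dn: uid=broken,ou=people,dc=etiantian,dc=org\nuid: broken\n' | check_user_ldif || echo "rejected as expected"
```

To produce a file for slapadd, redirect the generator output (make_user_ldif test1 24422 10673 > user.ldif) and pipe the same output through check_user_ldif first; slapadd itself does not validate schema consistency as strictly as a live ldapadd would.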

E. Import the base data into LDAP
[root@host openldap]# slapadd -l base.ldif
58260c66 The first database does not allow slapadd; using the first available one (2)
_#################### 100.00% eta   none elapsed            none fast!
Closing DB...
[root@host openldap]# slapadd -l group.ldif
58260c6d The first database does not allow slapadd; using the first available one (2)
_#################### 100.00% eta   none elapsed            none fast!
Closing DB...
[root@host openldap]# slapadd -l user.ldif
58260c72 The first database does not allow slapadd; using the first available one (2)
_#################### 100.00% eta   none elapsed            none fast!
Closing DB...
[root@host openldap]# chown -R ldap.ldap /var/lib/ldap
[root@host openldap]# chown -R ldap.ldap /etc/openldap/slapd.d

[root@host openldap]# chmod -R 700 /var/lib/ldap
[root@host openldap]# chmod -R 700 /etc/openldap/slapd.d

2.4. Configure Samba
A. Edit the Samba configuration
[root@host openldap]# cd /etc/samba/
[root@host samba]# cp smb.conf smb.conf.ori
[root@host samba]# vi smb.conf
[global]
        workgroup = WORKGROUP
        server string = Samba-ldap server Version %v
        netbios name = samba-ldapsam
        log file = /var/log/samba/log.%m
        max log size =
        security = user
        passdb backend = ldapsam:ldap://192.168.0.111/
        ldap suffix = "dc=etiantian,dc=org"
        ldap admin dn = "cn=admin,dc=etiantian,dc=org"
        ldap user suffix = "ou=people,dc=etiantian,dc=org"
        ldap group suffix = "ou=group,dc=etiantian,dc=org"
        ldap delete dn = no
        ldap passwd sync = yes
        ldap ssl = no

[sambashare]
        comment = share all
        path = /app/log
        browseable = yes
        public = yes
        writable = yes

[myshare]
        comment = Share for users
        path = /application
        browseable = yes
        public = no
        writable = yes
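Two settings in this file deserve a second look before the configuration leaves the lab. "ldap ssl = no" together with "ldap passwd sync = yes" means Samba binds to the directory with the admin DN password and pushes password changes over a plain ldap:// connection; with both services on one host, as here, that traffic stays local, but the same file copied to a separate file server would send it in clear across the network. The [sambashare] section is both public (guest) and writable. The function below is an added example, not part of the original article, that reads an smb.conf and reports both conditions. It assumes the section/key = value syntax of smb.conf, counts only "ldap ssl = start tls" or an ldaps:// URI as an encrypted LDAP connection, and uses sample files constructed here, the first mirroring the configuration above.

```shell
# Added example (not from the original article): review an smb.conf for an
# unencrypted ldapsam connection and for guest-writable shares.
# Assumptions: smb.conf "[section]" / "key = value" syntax; only
# "ldap ssl = start tls" (or an ldaps:// passdb URI) counts as encrypted.

# audit_smb_conf <smb.conf>: print WARN lines, return 1 if there are any.
audit_smb_conf() {
    awk '
        /^[ \t]*\[/ { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/].*$/, "", sec)
                      gsub(/[ \t]/, "", sec); sec = tolower(sec)
                      if (!(sec in seen)) { seen[sec] = 1; order[++n] = sec }
                      next }
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }    # comments and blank lines
        index($0, "=") {
            key = $0; sub(/=.*/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", key)
            val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
            cfg[sec SUBSEP tolower(key)] = tolower(val)
        }
        END {
            warn = 0
            backend = cfg["global" SUBSEP "passdb backend"]
            ssl = cfg["global" SUBSEP "ldap ssl"]
            # ldapsam over ldap:// without StartTLS: admin bind and passwd sync in clear
            if (backend ~ /^ldapsam:ldap:\/\// && ssl != "start tls" && ssl != "start_tls") {
                print "WARN [global]: ldapsam over ldap:// with ldap ssl = " (ssl == "" ? "(unset)" : ssl) ": admin DN bind and ldap passwd sync travel in clear text"
                warn = 1
            }
            for (i = 1; i <= n; i++) {
                s = order[i]
                if (s == "global") continue
                guest = (cfg[s SUBSEP "public"] == "yes" || cfg[s SUBSEP "guest ok"] == "yes")
                write = (cfg[s SUBSEP "writable"] == "yes" || cfg[s SUBSEP "writeable"] == "yes" || cfg[s SUBSEP "read only"] == "no")
                if (guest && write) { print "WARN [" s "]: share is guest-accessible and writable"; warn = 1 }
            }
            if (!warn) print "ok: no findings"
            exit warn
        }' "$1"
}

SMB_SAMPLE_DIR="${TMPDIR:-/tmp}/smb-conf-audit.$$"
mkdir -p "$SMB_SAMPLE_DIR"
SMB_WEAK="$SMB_SAMPLE_DIR/smb-weak.conf"
SMB_HARDENED="$SMB_SAMPLE_DIR/smb-hardened.conf"

# Constructed sample mirroring the article's configuration.
cat > "$SMB_WEAK" <<'EOF'
[global]
        workgroup = WORKGROUP
        security = user
        passdb backend = ldapsam:ldap://192.168.0.111/
        ldap suffix = "dc=etiantian,dc=org"
        ldap admin dn = "cn=admin,dc=etiantian,dc=org"
        ldap passwd sync = yes
        ldap ssl = no
[sambashare]
        path = /app/log
        public = yes
        writable = yes
[myshare]
        path = /application
        public = no
        writable = yes
EOF

# Constructed sample with StartTLS on the LDAP connection and no guest-writable share.
cat > "$SMB_HARDENED" <<'EOF'
[global]
        workgroup = WORKGROUP
        security = user
        passdb backend = ldapsam:ldap://192.168.0.111/
        ldap passwd sync = yes
        ldap ssl = start tls
[sambashare]
        path = /app/log
        public = no
        writable = yes
EOF

echo "== weak =="; audit_smb_conf "$SMB_WEAK" || echo "findings above need attention"
echo "== hardened =="; audit_smb_conf "$SMB_HARDENED"
```

Switching to "ldap ssl = start tls" also requires the slapd side to have a certificate configured (TLSCertificateFile/TLSCertificateKeyFile in slapd.conf) and the CA in /etc/openldap/cacerts, which this article does not set up; run testparm after any edit, since the audit only reads the text and does not validate it the way Samba does.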

B. Create the shared data directories
[root@host samba]# mkdir /app/log -p
[root@host samba]# mkdir /application

Tip: to simplify testing, give the directories 777 permissions for now.

[root@host samba]# chmod -R 777 /application

[root@host samba]# chmod -R 777 /app/log

C. Store the OpenLDAP admin password in Samba
Tip: for Samba to access LDAP, the LDAP administrator's password must be stored in Samba's secrets.tdb (/var/lib/samba/private/secrets.tdb).
[root@host samba]# smbpasswd -w 123456
Setting stored password for "cn=admin,dc=etiantian,dc=org" in secrets.tdb

D. Add a Samba test user in OpenLDAP
[root@host openldap]# cat /etc/passwd | grep admin    (system user)
admin:x:500:500::/home/admin:/bin/bash
[root@host samba]# cd /etc/openldap/
[root@host openldap]# vi /etc/samba/smbusers
Append the Samba user at the bottom:
admin = sambatest    # i.e. the system user admin has a virtual SMB user name: sambatest
[root@host openldap]# vi sambauser.ldif
dn: uid=sambatest,ou=people,dc=etiantian,dc=org
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
objectClass: shadowAccount
gidNumber: 1009
givenName: sambatest
sn: sambatest
uid: sambatest
homeDirectory: /home/sambatest
loginShell: /bin/bash
shadowFlag: 0
shadowMin: 0
shadowMax: 99999
shadowWarning: 0
shadowInactive: 99999
shadowLastChange: 12011
shadowExpire: 99999
cn: sambatest
uidNumber: 24425
[root@host openldap]# slapadd -l sambauser.ldif
58261bcf The first database does not allow slapadd; using the first available one (2)
_#################### 100.00% eta   none elapsed            none fast!
Closing DB...

E. Configure the operating system to authenticate users against LDAP
Tip: the system is configured so that a user not found in /etc/passwd is looked up in OpenLDAP.
[root@host openldap]# authconfig-tui
User Information
[*] Use LDAP
Authentication
[*] Use Fingerprint reader

┌─────────┤ LDAP Settings ├───────

│           [ ] Use TLS
│   Server: ldap://192.168.0.111/
│  Base DN: dc=etiantian,dc=org
[root@host openldap]# grep "ldap" /etc/nsswitch.conf
passwd:     files ldap
shadow:     files ldap
group:      files ldap
netgroup:   files ldap
automount:  files ldap
[root@host openldap]# tail -3 ldap.conf
URI ldap://192.168.0.111/
BASE dc=etiantian,dc=org
TLS_CACERTDIR /etc/openldap/cacerts
[root@host openldap]# /etc/init.d/slapd start
[root@host openldap]# /etc/init.d/smb start

F. Test fetching user information from LDAP
[root@host openldap]# id sambatest
uid=24425(sambatest) gid=1009 groups=1009
[root@host openldap]# grep "sambatest" /etc/passwd
Note: sambatest is not found in the passwd file, which shows that sambatest was resolved from LDAP.

G. Set the test user's Samba password
[root@host openldap]# smbpasswd -a sambatest
New SMB password: 123456789
Retype new SMB password: 123456789
Added user sambatest.

H. Test whether the sambatest user can log in to Samba
[root@host openldap]# smbclient -U sambatest //192.168.0.111/sambashare
Enter sambatest's password:
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.6.23-36.el6_8]
smb: \> ls
  .                                   D        0  Sat 5 20:38:28 2016
  ..                                  D        0  Thu Oct 27 13:01:13 2016
  Um4sw7~d.log                        A           Thu Oct 27 19:29:01 2016
  U41y9b~1.log                        A           Thu Oct 27 19:37:24 2016
  U0xzay~g.log                        A      117  Thu Oct 27 19:18:40 2016
  Uakc5v~4.log                        A           Thu Oct 27 19:27:02 2016
  Uo0d3h~p.log                        A        0  Sat 5 20:38:28 2016
  U3dw4t~x.log                        A           Thu Oct 27 19:30:14 2016

                51760 blocks of size 524288. 45745 blocks available
smb: \>
[root@host openldap]# smbclient -U sambatest //192.168.0.111/myshare
Enter sambatest's password:
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.6.23-36.el6_8]
smb: \> ls
  .                                   D        0  Sat 5 23:26:28 2016
  ..                                 DR        0  Fri Nov 11 22:26:21 2016
  Svndata                             D        0  Thu Oct 27 01:48:57 2016
  Create a new Microsoft Access database.accdb      A   512000  Sat 5 23:26:28 2016
  SVNPASSWD                           D        0  Sat 5 21:02:06 2016

                51760 blocks of size 524288. 45745 blocks available
smb: \>
The results above show that Samba authenticates access through OpenLDAP. Next, check access from a Windows client, as shown in the screenshot:

[Screenshot: Windows access test]

This article is from the "Cloud computing and Big Data" blog; please keep the source link: http://linuxzkq.blog.51cto.com/9379412/1872071
