1. Environment preparation
1.1. Experimental environment
[root@host ~]# cat /etc/redhat-release
CentOS release 6.8 (Final)
[root@host ~]# uname -r
2.6.32-642.el6.x86_64
1.2. Synchronize the server time
[root@host ~]# ntpdate pool.ntp.org
01:11:59 ntpdate[2354]: adjust time server 202.118.1.81 offset 0.004307 sec
[root@host ~]# crontab -l
# time sync
*/5 * * * * /usr/sbin/ntpdate pool.ntp.org >/dev/null 2>&1
1.3. Disable SELinux and iptables
[root@host ~]# getenforce
Enforcing
[root@host ~]# setenforce 0
[root@host ~]# getenforce
Permissive
[root@host ~]# service iptables stop
2. Installing and configuring OpenLDAP and Samba
2.1. Installing OpenLDAP and Samba
[root@host ~]# yum -y install openldap openldap-clients openldap-servers nss-pam-ldapd
[root@host ~]# yum -y install samba-common samba samba-client
2.2. Configuring OpenLDAP
A. Make OpenLDAP include samba.schema
[root@host ~]# cp /usr/share/doc/samba-3.6.23/LDAP/samba.schema /etc/openldap/schema/
B. Copy the sample OpenLDAP configuration file
[root@host ~]# cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
C. Generate the LDAP administrator password hash
[root@host ~]# slappasswd -s 123456
{SSHA}Ae1jjtvbep60y91e9mdaqompleswg19o
D. Modify the configuration file
[root@host ~]# vi /etc/openldap/slapd.conf
Insert the following at line 18:
include         /etc/openldap/schema/samba.schema
Comment out lines 99 to 102:
#database config
#access to *
#        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
#        by * none
At line 111, insert the following access rules:
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to attrs=sambaNTPassword
        by self write
        by anonymous auth
        by * none
access to *
        by self write
        by * read
Modify lines 126 through 134 as follows:
Before modification:
database        bdb
suffix          "dc=my-domain,dc=com"
checkpoint      1024 15
rootdn          "cn=Manager,dc=my-domain,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw                secret
# rootpw                {crypt}ijFYNcSNctBYg
After modification:
database        bdb
suffix          "dc=etiantian,dc=org"
checkpoint      1024 15
rootdn          "cn=admin,dc=etiantian,dc=org"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw                secret
rootpw          {SSHA}Ae1jjtvbep60y91e9mdaqompleswg19o
Modify line 143 as follows:
Before modification:
index ou,cn,mail,surname,givenname      eq,pres,sub
After modification:
index ou,cn,mail,surname,givenname      eq,pres,sub,approx
Modify lines 105 through 109 as follows:
Before modification:
database monitor
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
        by dn.exact="cn=Manager,dc=my-domain,dc=com" read
        by * none
After modification:
database monitor
access to *
        by dn.exact="cn=admin,dc=etiantian,dc=org" read
        by * none
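In slapd.conf an access directive belongs to the most recent database definition, and directives placed before the first database line are global rules that slapd evaluates only after a database's own rules. The line numbers used above put the userPassword and sambaNTPassword rules after the database monitor block (lines 105 to 109) and before database bdb (line 126), which attaches them to the monitor backend and leaves the user entries under dc=etiantian,dc=org with slapd's built-in default of read access for everyone. The shell audit below is an added example, not code from the original post: it lists every access clause together with the database it belongs to and accepts a configuration only when both password rules sit inside database bdb, end with "by * none", and come before that database's catch-all "access to *". The two configuration fragments are constructed for the check (they reuse this page's rule set and DNs), and the function names acl_summary, check_password_acl, acl_rules, monitor_section, bdb_header and the sample_* helpers are chosen here.

```shell
#!/bin/sh
# Added example (not code from the original post): audit where the password
# ACLs of an slapd.conf ended up.  An "access to" directive attaches to the
# most recent "database" line, and inside a database the first matching
# clause wins, so the userPassword/sambaNTPassword rules must sit after
# "database bdb" and before that section's catch-all "access to *".

# Print every access clause as "<database>|<what>|<last by-clause>" in file
# order.  Reads the files given as arguments, or stdin.
acl_summary() {
    awk '
    function flush() {
        if (what != "") printf "%s|%s|%s\n", db, what, last_by
        what = ""; last_by = ""
    }
    BEGIN { db = "global" }
    /^[ \t]*#/ { next }
    /^[ \t]*database[ \t]/ { flush(); db = $2; next }
    /^[ \t]*access[ \t]+to[ \t]/ { flush(); what = $3; next }
    /^[ \t]*by[ \t]/ { last_by = $2 " " $3; next }
    END { flush() }
    ' "$@"
}

# Succeed only when userPassword and sambaNTPassword each get a rule that is
# inside "database bdb", ends with "by * none", and precedes that database's
# "access to *".  Global rules are deliberately not accepted: slapd evaluates
# them after the database's own rules, so a bdb "access to *" would shadow them.
check_password_acl() {
    acl_summary "$@" | awk -F'|' '
    $1 != "bdb" { next }
    { what = tolower($2) }
    what == "*" { star = 1 }
    what == "attrs=userpassword"    && $3 == "* none" && !star { up = 1 }
    what == "attrs=sambantpassword" && $3 == "* none" && !star { nt = 1 }
    END { if (up && nt) exit 0; exit 1 }
    '
}

# Constructed fragments.  acl_rules is the rule set from this page; the two
# sample_* functions differ only in where those rules are placed.
acl_rules() {
cat <<'EOF'
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to attrs=sambaNTPassword
        by self write
        by anonymous auth
        by * none
access to *
        by self write
        by * read
EOF
}
monitor_section() {
cat <<'EOF'
database monitor
access to *
        by dn.exact="cn=admin,dc=etiantian,dc=org" read
        by * none
EOF
}
bdb_header() {
cat <<'EOF'
database bdb
suffix          "dc=etiantian,dc=org"
rootdn          "cn=admin,dc=etiantian,dc=org"
directory       /var/lib/ldap
EOF
}
# Rules between the monitor and bdb definitions (where the page's line
# numbers put them) versus rules inside the bdb definition.
sample_acl_between_databases() { monitor_section; acl_rules; bdb_header; }
sample_acl_in_bdb() { monitor_section; bdb_header; acl_rules; }

# Usage on a real file:  check_password_acl /etc/openldap/slapd.conf
sample_acl_between_databases | check_password_acl || echo "between monitor and bdb: user entries NOT protected"
sample_acl_in_bdb | check_password_acl && echo "inside database bdb: OK"
```

Running acl_summary on the real file first is the quickest way to see the placement: each line names the database a clause belongs to, so a password rule reported under monitor or global rather than bdb is the misplacement to fix before running slaptest.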
2.3. Initialize OpenLDAP
A. Delete the original OpenLDAP configuration and data
[root@host ~]# rm -rf /etc/openldap/slapd.d/*
[root@host ~]# rm -rf /var/lib/ldap/*
B. Copy the database configuration file
[root@host ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@host ~]# chown -R ldap.ldap /var/lib/ldap
[root@host ~]# ll /var/lib/ldap
total 4
-rw-r--r--. 1 ldap ldap 845 Nov 01:54 DB_CONFIG
C. Generate the OpenLDAP 2.4 (slapd.d) configuration
[root@host ldap]# slaptest -u
config file testing succeeded
[root@host ldap]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/    # generate the slapd.d configuration from the legacy-format slapd.conf
config file testing succeeded
D. Initialize the OpenLDAP base data
[root@host openldap]# vi base.ldif
dn: dc=etiantian,dc=org
objectClass: organization
objectClass: dcObject
dc: etiantian
o: etiantian

dn: ou=people,dc=etiantian,dc=org
objectClass: organizationalUnit
ou: people

dn: ou=group,dc=etiantian,dc=org
objectClass: organizationalUnit
ou: group
[root@host openldap]# vi group.ldif
dn: cn=dba,ou=group,dc=etiantian,dc=org
objectClass: posixGroup
objectClass: top
cn: dba
memberUid: test1
gidNumber: 10673
[root@host openldap]# vi user.ldif
dn: uid=test1,ou=people,dc=etiantian,dc=org
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
objectClass: shadowAccount
gidNumber: 0
givenName: test1
sn: test1
uid: test1
homeDirectory: /home/test1
loginShell: /bin/bash
shadowFlag: 0
shadowMin: 0
shadowMax: 99999
shadowWarning: 0
shadowInactive: 99999
shadowLastChange: 12011
shadowExpire: 99999
cn: test1
uidNumber: 24422
E. Import the base data into LDAP
[root@host openldap]# slapadd -l base.ldif
58260c66 The first database does not allow slapadd; using the first available one (2)
_#################### 100.00% eta   none elapsed            none fast!
Closing DB...
[root@host openldap]# slapadd -l group.ldif
58260c6d The first database does not allow slapadd; using the first available one (2)
_#################### 100.00% eta   none elapsed            none fast!
Closing DB...
[root@host openldap]# slapadd -l user.ldif
58260c72 The first database does not allow slapadd; using the first available one (2)
_#################### 100.00% eta   none elapsed            none fast!
Closing DB...
[root@host openldap]# chown -R ldap.ldap /var/lib/ldap
[root@host openldap]# chown -R ldap.ldap /etc/openldap/slapd.d
[root@host openldap]# chmod -R 700 /var/lib/ldap
[root@host openldap]# chmod -R 700 /etc/openldap/slapd.d
2.4. Configuring Samba
A. Modify the Samba configuration
[root@host openldap]# cd /etc/samba/
[root@host samba]# cp smb.conf smb.conf.ori
[root@host samba]# vi smb.conf
[global]
        workgroup = WORKGROUP
        server string = Samba-LDAP Server Version %v
        netbios name = samba-ldapsam
        log file = /var/log/samba/log.%m
        max log size =
        security = user
        passdb backend = ldapsam:ldap://192.168.0.111/
        ldap suffix = "dc=etiantian,dc=org"
        ldap admin dn = "cn=admin,dc=etiantian,dc=org"
        ldap user suffix = "ou=people"
        ldap group suffix = "ou=group"
        ldap delete dn = no
        ldap passwd sync = yes
        ldap ssl = no
[sambashare]
        comment = share all
        path = /app/log
        browseable = yes
        public = yes
        writable = yes
[myshare]
        comment = share for users
        path = /application
        browseable = yes
        public = no
        writable = yes
B. Create the shared data directories
[root@host samba]# mkdir -p /app/log
[root@host samba]# mkdir /application
Tip: for ease of testing, the directories are first given mode 777.
[root@host samba]# chmod -R 777 /application
[root@host samba]# chmod -R 777 /app/log
C. Store the OpenLDAP admin password in Samba
Tip: for Samba to access LDAP, the LDAP administrator's password is stored in Samba's secrets.tdb (/var/lib/samba/private/secrets.tdb).
[root@host samba]# smbpasswd -w 123456
Setting stored password for "cn=admin,dc=etiantian,dc=org" in secrets.tdb
D. Add a Samba test user in OpenLDAP
[root@host openldap]# cat /etc/passwd | grep admin    (system user)
admin:x:500:500::/home/admin:/bin/bash
[root@host samba]# cd /etc/openldap/
[root@host openldap]# vi /etc/samba/smbusers
Append the Samba user mapping at the bottom:
admin = sambatest
This means that the system user admin has a virtual SMB user name, sambatest.
[root@host openldap]# vi sambauser.ldif
dn: uid=sambatest,ou=people,dc=etiantian,dc=org
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
objectClass: shadowAccount
gidNumber: 1009
givenName: sambatest
sn: sambatest
uid: sambatest
homeDirectory: /home/sambatest
loginShell: /bin/bash
shadowFlag: 0
shadowMin: 0
shadowMax: 99999
shadowWarning: 0
shadowInactive: 99999
shadowLastChange: 12011
shadowExpire: 99999
cn: sambatest
uidNumber: 24425
[root@host openldap]# slapadd -l sambauser.ldif
58261bcf The first database does not allow slapadd; using the first available one (2)
_#################### 100.00% eta   none elapsed            none fast!
Closing DB...
E. Set the operating system to authenticate users from LDAP
Tip: configure the system so that a user not found in /etc/passwd is looked up in OpenLDAP.
[root@host openldap]# authconfig-tui
User Information
    [*] Use LDAP
Authentication
    [*] Use Fingerprint reader
LDAP Settings
    [ ] Use TLS
    Server:  ldap://192.168.0.111/
    Base DN: dc=etiantian,dc=org
[root@host openldap]# grep ldap /etc/nsswitch.conf
passwd:     files ldap
shadow:     files ldap
group:      files ldap
netgroup:   files ldap
automount:  files ldap
[root@host openldap]# tail -3 ldap.conf
URI ldap://192.168.0.111/
BASE dc=etiantian,dc=org
TLS_CACERTDIR /etc/openldap/cacerts
[root@host openldap]# /etc/init.d/slapd start
[root@host openldap]# /etc/init.d/smb start
F. Test that user information is obtained from LDAP
[root@host openldap]# id sambatest
uid=24425(sambatest) gid=1009 groups=1009
[root@host openldap]# grep sambatest /etc/passwd
Note: sambatest is not found in the passwd file, which shows that sambatest was obtained from LDAP.
G. Set the password of the test user sambatest
[root@host openldap]# smbpasswd -a sambatest
New SMB password: 123456789
Retype new SMB password: 123456789
Added user sambatest.
H. Test whether the sambatest user can log in to Samba
[root@host openldap]# smbclient -U sambatest //192.168.0.111/sambashare
Enter sambatest's password:
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.6.23-36.el6_8]
smb: \> ls
  .                                   D        0  Sat 5 20:38:28 2016
  ..                                  D        0  Thu Oct 27 13:01:13 2016
  Um4sw7~d.log                        A           Thu Oct 27 19:29:01 2016
  U41y9b~1.log                        A           Thu Oct 27 19:37:24 2016
  U0xzay~g.log                        A      117  Thu Oct 27 19:18:40 2016
  Uakc5v~4.log                        A           Thu Oct 27 19:27:02 2016
  Uo0d3h~p.log                        A        0  Sat 5 20:38:28 2016
  U3dw4t~x.log                        A           Thu Oct 27 19:30:14 2016

                51760 blocks of size 524288. 45745 blocks available
smb: \>
[root@host openldap]# smbclient -U sambatest //192.168.0.111/myshare
Enter sambatest's password:
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.6.23-36.el6_8]
smb: \> ls
  .                                   D        0  Sat 5 23:26:28 2016
  ..                                 DR        0  Fri Nov 11 22:26:21 2016
  svndata                             D        0  Thu Oct 27 01:48:57 2016
  Create a new Microsoft Access database.accdb      A   512000  Sat 5 23:26:28 2016
  svnpasswd                           D        0  Sat 5 21:02:06 2016

                51760 blocks of size 524288. 45745 blocks available
smb: \>
The results above show that Samba authenticates access through OpenLDAP. Access from a Windows client works the same way, as the screenshot shows:
[screenshot: 11111.png]
This article is from the "Cloud Computing and Big Data" blog; please keep this source: http://linuxzkq.blog.51cto.com/9379412/1872071
Samba unified authentication through OpenLDAP