一、实现的功能:
1.用samba实现主域控制器(PDC),用户可通过域和工作组两种方式登录。
2.实现对用户删除的文件进行回收。
3.实现对Samba用户进行磁盘配额。
4.实现用OPENLDAP进行SAMBA用户认证,同时可以使SQUID也使用OPENLDAP进行认证。
二、安装
1.基本系统安装
2.安装Open SSL (传输安全层)
./config shared --prefix=/usr/local/openssl
make
make install
3.安装Berkeley DB 4.4.20 (OpenLDAP 后台数据库)
cd db-4.4.20/build_unix/
../dist/configure
make
make install
4.安装Heimdal 0.7.2 (认证后台)
./configure --prefix=/usr/local/heimdal --openssl=/usr/local/openssl/ --enable-shared
make
make install
cat /etc/krb5.conf
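[logging]
# Log destinations for the Kerberos libraries, the KDC and kadmind.
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
# A bare number is read as seconds (~6.7 h).
ticket_lifetime = 24000
default_realm = CQS.COM
# Realm/KDC discovery is pinned to the [realms] block below instead of DNS,
# so a DNS answer cannot redirect clients to another KDC.
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
CQS.COM = {
# kerberos.cqs.com is resolved through the static /etc/hosts entry
# (10.43.33.5) shown on this page.
kdc = kerberos.cqs.com:88
admin_server = kerberos.cqs.com:749
default_domain = cqs.com
}
[domain_realm]
# The stock template maps example.com here; this realm's hosts live in
# cqs.com (default_domain above, kerberos.cqs.com), so map that domain.
.cqs.com = CQS.COM
cqs.com = CQS.COM
[kdc]
# NOTE(review): this is the MIT kdc.conf location; the Heimdal KDC on this
# page keeps its state under /var/heimdal (mkdir /var/heimdal below) —
# confirm whether Heimdal reads this key at all.
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
# Forwardable TGTs let a service act on the user's behalf; keep only if
# credential delegation is actually needed by the PAM-using services.
forwardable = true
krb4_convert = false
}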
cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 GZLCD5-TEST localhost.localdomain localhost
# Static KDC entry: krb5.conf pins kdc/admin_server to kerberos.cqs.com with
# DNS lookups disabled, so this line is what makes the KDC reachable.
10.43.33.5 kerberos.cqs.com
# NOTE(review): the realm name CQS.COM is mapped as a hostname; with the KDC
# already named in krb5.conf [realms] this entry looks unnecessary — confirm.
10.43.33.5 CQS.COM
mkdir /var/heimdal
/usr/local/heimdal/sbin/kstash (产生主匙)
/usr/local/heimdal/sbin/kadmin -L (产生本地数据库或新增减用户)
/usr/local/heimdal/bin/kinit -p test (测试用户登录)
/usr/local/heimdal/bin/klist (查看登录)
/usr/local/heimdal/bin/kpasswd (改密码)
5.安装OpenLDAP 2.3 (统一认证服务器)
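# Build OpenLDAP 2.3 against the OpenSSL and Berkeley DB 4.4 installed in the
# earlier steps.  This is ONE command: as it was wrapped on the page (no
# trailing backslashes) "env" ran alone and every following line failed as a
# separate command.  --with-tls only compiles TLS support; slapd.conf still
# has to be given a certificate before anything leaves loopback encrypted.
env \
  CPPFLAGS="-I/usr/local/openssl/include/ -I/usr/local/BerkeleyDB.4.4/include" \
  LDFLAGS="-L/usr/local/openssl/lib -L/usr/local/BerkeleyDB.4.4/lib" \
  ./configure --prefix=/usr/local/ldap \
    --enable-syslog --enable-local --enable-crypt --enable-lmpasswd \
    --enable-spasswd --enable-modules --enable-bdb --enable-ldap \
    --enable-monitor --enable-dyngroup --enable-proxycache \
    --with-cyrus-sasl --with-threads --with-tls --with-kerberos
make depend
make
# Runs the OpenLDAP self-tests against the freshly built slapd; slow, but it
# catches a broken BDB/OpenSSL linkage before install.
make test
make install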
cat slapd.conf
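#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/ldap/etc/openldap/schema/core.schema
include /usr/local/ldap/etc/openldap/schema/corba.schema
include /usr/local/ldap/etc/openldap/schema/cosine.schema
include /usr/local/ldap/etc/openldap/schema/inetorgperson.schema
include /usr/local/ldap/etc/openldap/schema/misc.schema
include /usr/local/ldap/etc/openldap/schema/openldap.schema
include /usr/local/ldap/etc/openldap/schema/nis.schema
# samba.schema defines the sambaSamAccount attributes (sambaNTPassword,
# sambaLMPassword, sambaSID, ...) that Samba's ldapsam backend stores.  It must
# already be in the schema directory when this file is parsed — on this page
# the "cp samba.schema ..." step comes after slapadd, so do that copy first.
include /usr/local/ldap/etc/openldap/schema/samba.schema
#Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /usr/local/ldap/var/run/slapd.pid
argsfile /usr/local/ldap/var/run/slapd.args
loglevel 1
# Load dynamic backend modules:
# modulepath /usr/local/ldap/libexec/openldap
# moduleload back_bdb.la
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# No TLSCertificateFile/TLSCertificateKeyFile is set, so every listener is
# cleartext.  Samba, smbldap-tools and the Squid helper on this page all talk
# to 127.0.0.1; if any of them ever move to another host, configure TLS here
# (the build is --with-tls) and enable the "security" line above.
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# NOTE: in slapd.conf a line starting with whitespace continues the previous
# directive, so the "by ..." clauses below must stay indented.
access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# Password material first.  "access to" clauses are tried in order and the
# first one whose target matches is used, so this has to precede "access to *".
# Without it, "by users read" below lets ANY authenticated bind read every
# account's sambaNTPassword/sambaLMPassword, which are as good as the password
# for NTLM logons.  Samba and smbldap-tools bind as the rootdn, which is not
# subject to ACLs, so they keep working; simple binds (e.g. the Squid helper)
# are covered by "by anonymous auth".
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
  by self write
  by anonymous auth
  by * none
# Everything else: a user may still rewrite the rest of its own entry
# (uidNumber, sambaSID, ...) under "by self write"; tighten to "by self read"
# if users never need to edit their own attributes.
access to *
  by self write
  by users read
  by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix "dc=eedtl,dc=com"
rootdn "cn=root,dc=eedtl,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# This is the value later handed to "smbpasswd -w" and used in
# smbldap_bind.conf; a "{SSHA}" hash from slappasswd can be stored here
# instead, so the cleartext only lives in those (mode 600) client-side files.
rootpw secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /usr/local/ldap/var/openldap-data
# Indices to maintain
index objectClass eq
# NOTE(review): ldapsam and smbldap-tools search by uid and sambaSID; equality
# indexes on those avoid full scans as the directory grows — confirm for this build.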
cp /usr/local/ldap/var/openldap-data/DB_CONFIG.example DB_CONFIG
/usr/local/ldap/sbin/slapadd -v -l base.ldif
cat base.ldif
# Root entry for the suffix declared in slapd.conf ("dc=eedtl,dc=com").
# Loaded offline with slapadd (previous step) before slapd is started, so the
# directory has a base object for smbldap-populate and Samba to work under.
dn: dc=eedtl,dc=com
dc: eedtl
objectClass: top
objectclass: dcobject
objectClass: organization
o: eedtl.com
cat ldap.sh
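#!/bin/bash
# Start slapd in the foreground with the slapd.conf above.  -d 256 prints
# connection/operation statistics to the terminal; it does NOT write to
# /var/log/slapd.log — nothing on this page does, the file is only reset here.
echo "" > /var/log/slapd.log
# slapd runs as root like this.  It accepts -u USER -g GROUP to drop
# privileges after binding its listener; the data directory (mode 700) then
# has to be owned by that user.
/usr/local/ldap/libexec/slapd -f /usr/local/ldap/etc/openldap/slapd.conf -d 256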
cp samba.schema /usr/local/ldap/etc/openldap/schema/
ldap.sh
6.安装SAMBA 3.0.23b
./configure --prefix=/usr/local/samba/ --with-smbmount --with-automount --with-ldapsam
make
make install
cat /usr/local/samba/lib/smb.conf
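[global]
;basic server settings
workgroup = GZLCD5-TEST
netbios name = test2
server string = Samba PDC running %v
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=8192 SO_RCVBUF=8192
;PDC and master browser settings
;(browser elections and clients locating the domain controller use NetBIOS
; over UDP 137/138 as well as TCP 139/445; the iptables rules on this page
; only open the two TCP ports)
os level = 65
preferred master = yes
local master = yes
domain master = yes
domain logons = yes
;security and logging settings
security = user
encrypt passwords = yes
log file = /var/log/samba/log.%m
log level = 2
max log size = 50
;connections from any other address are refused before authentication
hosts allow = 127.0.0.1 10.43.0.0/255.255.0.0
;user profiles and home directory
logon home = \\%L\%U\.profile
logon drive = H:
logon path = \\%L\profiles\%G\%U
logon script = logon.bat
;ldap setup
;Samba writes password changes to LDAP itself, bound as "ldap admin dn".
;"passwd program"/"passwd chat" are only run when "unix password sync = yes",
;which is not set here, so the two entries below are currently inert.
ldap passwd sync = yes
passwd program = /usr/local/sbin/smbldap-passwd -u %u
;(stray trailing quote removed so the chat script is balanced)
passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n
;the password for this DN is stored with "smbpasswd -w" (secrets.tdb), see below
ldap admin dn = "cn=root,dc=eedtl,dc=com"
;plain ldap:// is acceptable only because it stays on loopback; a directory on
;another host needs "ldap ssl = start_tls" or an ldaps:// URL
passdb backend = ldapsam:ldap://127.0.0.1
ldap user suffix = ou=user
ldap delete dn = yes
ldap suffix = dc=eedtl,dc=com
add user script = /usr/local/sbin/smbldap-useradd -m "%u"
add machine script = /usr/local/sbin/smbldap-useradd -t 0 -w "%u"
add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/local/sbin/smbldap-usermod -g '%g' '%u'
;smbpasswd setup (alternative to the LDAP block above; kept disabled)
# unix password sync = yes
# passwd program = /usr/bin/passwd %u
#
;the chat below was one value wrapped over three lines: the continuation
;lines have no "=" and are rejected as badly formed, and the first line would
;silently override the smbldap chat above.  Disabled like its neighbours; if
;re-enabled, join it with "\" line continuations.
# passwd chat = *New*UNIX*password* %n\n *Retype*new*UNIX*password* %n\n
# *Enter * new*UNIX*password* %n\n *Retype*new*UNIX*password* %n\n
# *passwd: *all* authent ication*tokens*updated*successfully*
# add machine script = /usr/usr/local/sbin/useradd -n -g machines -c Machine -d /dev/null -s /bin/false %u
;charset set
;(Samba ignores case and whitespace when matching parameter names, so these
; are "dos charset"/"unix charset" — testparm shows what was accepted)
dos char set = cp936
unix char set = cp936
;administrator user
;root gets administrative rights on every share: its file operations run as
;the superuser, so keep this list to accounts that really need it
admin users = root
;time server
time server = yes
[homes]
comment = repertoire de %U ,%u
browseable = no
writeable = yes
read only = no
force create mode = 0700
create mode =0700
force directory mode = 0700
directory mode = 0700
;recycle bin for deleted files (feature 2 of this page).  A relative
;repository is resolved from the share root, so "../recycle/%U" sits next to
;the share, outside what the client can browse
vfs object = recycle
recycle:keeptree = yes
recycle:versions = yes
recycle:repository = ../recycle/%U
recycle:exclude = .tmp|.temp|.o|.obj
[profiles]
comment = pdc login home
path = /home/samba/profiles
writeable = yes
browseable = no
create mask = 0600
directory mask = 0770
[netlogon]
comment = Network Logon Service
path = /home/samba/netlogon
;logon.bat from here runs on every client at logon, so the share stays
;read-only (only "admin users" can change it)
browseable = no
read only = yes
[public]
comment = public directory
path = /home/samba/public
browseable = yes
writeable = yes
;anonymous, writable, 0777 files: anything placed here is readable and
;writable by everyone, so treat its contents as untrusted
guest ok = yes
create mask = 0777
vfs object = recycle
recycle:keeptree = yes
recycle:versions = yes
recycle:repository = ../recycle/%U
recycle:exclude = .tmp|.temp|.o|.obj
[share]
comment = all share
path=/home/samba/share
browseable = yes
read only = no
writeable =yes
create mask = 0750
vfs object = recycle
recycle:keeptree = yes
recycle:versions = yes
recycle:repository = ../recycle/%U
recycle:exclude = .tmp|.temp|.o|.obj
[printers]
comment = All Printers
path=/var/spool/samba
browsable = no
;"public" is a synonym of "guest ok"; both are set here
public = yes
guest ok = yes
printable = yes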
7.安装smbldap-tool
tar zxvf smbldap-tools-0.9.2a.tgz
cd smbldap-tools-0.9.2a
cp smbldap-* /usr/local/sbin/
mkdir -p /etc/opt/IDEALX/smbldap-tools/
cp *.conf /etc/opt/IDEALX/smbldap-tools/
chmod 644 /etc/opt/IDEALX/smbldap-tools/smbldap.conf
chmod 600 /etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf
/usr/local/samba/bin/smbpasswd -w secret (secret 要和LDAP中设置一样)
/usr/local/samba/bin/testparm
/usr/local/samba/bin/net getlocalsid
vim smbldap.conf
vim smbldap_bind.conf
上两步骤为手工设置也可以用以下命令自动配置(先启动LDAP和SAMBA)
./smbldap-tools-0.9.2a/configure.pl
/usr/local/sbin/smbldap-populate (初始化数据库)
/usr/local/sbin/smbldap-useradd -a user (创建用户)
/usr/local/sbin/smbldap-passwd user (改密码)
8.安装配额
创建用户和组
vim /etc/fstab
LABEL=/home /home ext3 defaults,usrquota,grpquota 1 2
reboot or mount -o remount /home
quotacheck -avug (扫描使用状况)
quotaon -avug (启动配额)
edquota -u user (编辑用户配额)
edquota -p user user1 (复制user配额到user1)
edquota -t (编辑配额期限)
edquota -g group (编辑配额组)
echo "/sbin/quotaon -a -vug" >> /etc/rc.d/rc.local
repquota -a -vug (报告配额)
9.安全设置
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "2" > /proc/sys/net/ipv4/tcp_synack_retries
echo "2048" > /proc/sys/net/ipv4/tcp_max_syn_backlog
echo "secure start..."
iptables -F
iptables -F -t nat
iptables -F -t mangle
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST SYN -m limit --limit 30/m --limit-burst 2 -j ACCEPT
iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -p tcp -m multiport --dport 139,445 -j ACCEPT
/sbin/iptables -t filter -A INPUT -i lo -j ACCEPT
10.squid安装
cat setup.sh
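#!/bin/bash
# Configure the Squid build.  This is ONE ./configure invocation, continued
# with backslashes; as plain wrapped lines each option would have run as its
# own command and failed.  "LDAP" among the basic-auth helpers is what lets
# squid.conf authenticate users against the OpenLDAP server built above.
./configure --prefix=/usr/local/squid \
  --localstatedir=/usr/squid-var --enable-dlmalloc --enable-gnuregex \
  --enable-async-io --enable-heap-replacement=heap --enable-useragent-log \
  --enable-referer-log --enable-cachemgr-hostname=ldap.cqs.com \
  --enable-arp-acl --enable-err-languages="English Simplify_Chinese " \
  --enable-default-err-language="Simplify_Chinese" --enable-auth \
  --with-large-files --enable-truncate --enable-linux-netfilter \
  --enable-basic-auth-helpers="LDAP,SMB,SASL,PAM"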
11.cat squid.conf
# Basic configuration
# NOTE(review): 88 is also the Kerberos KDC port named in krb5.conf
# (kerberos.cqs.com:88); if Squid runs on the KDC host the two collide —
# confirm which host this proxy lives on.
http_port 88
cache_mgr qscheng@eleceltek.com
visible_hostname squid-test
dns_nameservers 10.43.128.63
cache_dir aufs /usr/squid-var/cache 256 16 256
cache_access_log /usr/squid-var/logs/access.log
cache_store_log /usr/squid-var/logs/store.log
cache_log /usr/squid-var/logs/cache.log
cache_mem 100 MB
cache_swap_low 80
cache_swap_high 85
maximum_object_size 20480 KB
pid_filename /usr/squid-var/run/squid.pid
# Worker processes drop root for this unprivileged user/group.
cache_effective_user squid
cache_effective_group squid
ipcache_size 1024
ipcache_low 90
ipcache_high 95
fqdncache_size 1024
log_ip_on_direct on
logfile_rotate 0
# Adds X-Forwarded-For with the client's internal address to upstream
# requests; set to off if internal addressing must not reach origin servers.
forwarded_for on
# Authentication helper
# Basic auth: the browser sends the user's directory password base64-encoded
# on every request, so this is only as private as the client-to-proxy network.
# NOTE(review): the search base dc=cqs,dc=com does not match the directory
# built above (suffix dc=eedtl,dc=com, users under ou=user), and no -h host is
# given, so the helper presumably talks to the local host — confirm which
# LDAP server and base this proxy is meant to use.
auth_param basic program /usr/local/squid/libexec/squid_ldap_auth -b "ou=user,dc=cqs,dc=com" -v 3
acl authuser proxy_auth REQUIRED
# Do not cache dynamic pages
acl QUERY urlpath_regex -i cgi-bin \? \.asp \.php \.jsp \.cgi
# NOTE(review): urlpath_regex tests only the path part of the URL, which never
# starts with "https:", and "\\" is a literal backslash — this ACL looks like
# it can never match; "url_regex -i ^https://" is probably what was meant.
acl DENYSSL urlpath_regex -i ^https:\\
no_cache deny QUERY
no_cache deny DENYSSL
# User ACLs
#acl test src 10.43.0.0/255.255.0.0
#acl auth_user proxy_auth REQUIRED
acl localhost src 127.0.0.1/255.255.255.255
acl cachemanager proto cache_object
acl all src 0.0.0.0/0.0.0.0
# Port ACLs
#acl SSL_ports port 443 563
#acl safe_ports port 80 21 110 25 1025-65535
# Site ACLs
#acl qqserver dst "/etc/squid/qqserver.list"
# Behaviour ACLs
#acl worktime time 8:00-22:00
#acl conncount maxconn 3
#acl denymine urlpath_regex -i \.mpg$ \.mp3$ \.iso$ \.avi$ \.swf$ \.wma$ \.exe$ \.rar$ \.rm$ \.zip$
#acl CONNECT method CONNECT
# Access rules (first matching http_access line wins)
#http_access allow test
#http_access deny !safe_ports
#http_access deny denymine
#http_access deny CONNECT !SSL_ports
#http_access deny cachemanager !localhost
# With the safe_ports / SSL_ports / cachemanager denies above commented out,
# any authenticated user may reach every destination port through the proxy
# (CONNECT tunnels included) and may query the cache manager (cache_object://)
# from any address.  Re-enabling those three deny rules, together with their
# acl lines, ahead of "allow authuser" restores the usual restrictions.
http_access allow localhost
http_access allow authuser
http_access deny all
完成。
本文来自ChinaUnix博客,如果查看原文请点:http://blog.chinaunix.net/u/25765/showart_212984.html |