- 论坛徽章:
- 0
|
Setp4、安装和配置Samba PDC服务器、Clamav + Samba-Vscan免费杀毒软件、五笔输入法
配置Samba PDC服务器,详细过程:
更改为使用LDAP帐号做pdc.nseasy.net主机的系统帐号,修改/etc/目录中的nsswitch.conf文件,主要说明修改的关键部分:
详细配置内容:
passwd: files
shadow: files
group: files
更改为:
passwd: files ldap
shadow: files ldap
group: files ldap
使用setup命令来配置用户和验证的详细信息:
详细操作:
# setup
选择一种工具项目中选择:验证配置,然后按“运行工具”键;
用户信息项目中点选:
“缓存信息”、“使用LDAP”;
验证项目中点选:
“使用MD5口令”、“使用屏蔽口令”、“使用LDAP验证”;
然后按“下一步”键;
LDAP设置:
[ ] 使用TLS (不要点选);
服务器:192.168.1.254 (按默认地址)
基点 DN:dc=nseasy,dc=net (更改为:dc=nseasy,dc=net)
然后按“确定”键:
系统自动执行过程如下:
setsebool: SELinux is disabled.
停止 nscd: [ 失败 ]
启动 nscd: [ 确定 ]
执行后以上的操作后,将后回到“选择一种工具”介面,按“退出”键,完成所有ldap进认证过程。
修改/etc/pam.d/目录中的sshd文件,完整文件内容如下:
详细配置内容:
#%PAM-1.0
auth sufficient /lib/security/pam_ldap.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account sufficient /lib/security/pam_ldap.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
修改/etc/openldap/目录中的ldap.conf文件,主要说明修改的关键部分:
详细配置内容:
TLS_CACERTDIR /etc/openldap/cacerts
更改为:
# TLS_CACERTDIR /etc/openldap/cacerts
修改/etc/目录中的ldap.conf文件,主要说明修改的关键部分:
详细配置内容:
# rootbinddn cn=Manager,dc=easy,dc=com
更改为:
rootbinddn cn=admin,dc=nseasy,dc=net
#krb5_ccname FILE:/etc/.ldapcache
添加以下内容:
#krb5_ccname FILE:/etc/.ldapcache
nss_base_passwd ou=Users,dc=nseasy,dc=net?one
nss_base_passwd ou=Computers,dc=nseasy,dc=net?one
nss_base_shadow ou=Users,dc=nseasy,dc=net?one
nss_base_group ou=Groups,dc=nseasy,dc=net?one
TLS_CACERTDIR /etc/openldap/cacerts
更改为:
# TLS_CACERTDIR /etc/openldap/cacerts
调整系统中的pam_ldap模组设定,详细操作如下:
详细配置内容:
# echo jinbiao > /etc/ldap.secret
# chmod 600 /etc/ldap.secret
Samba的主要配置文件/etc/samba/smb.conf,其实系统中存有一个实际的例子配置文件可提供参考,只要更换成例子文件和按照自己的实际情况做一定的修改就可供使用:
详细操作:
# cp /usr/share/doc/smbldap-tools-0.9.1/smb.conf /etc/samba/
cp:是否覆盖‘/etc/samba/smb.conf’? y
修改/etc/samba/smb.conf文件,以下为完整文件的详细内容::
详细配置内容:
############################## Global parameters#################
[global]
workgroup = nseasy
netbios name = PDC
server string = Samba Server %v
log file = /var/log/samba/log.%m
security = user
encrypt passwords = Yes
obey pam restrictions = No
ldap passwd sync = Yes
log level = 3
syslog = 0
max log size = 100000
time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
mangling method = hash2
Dos charset = UTF-8
Unix charset = UTF-8
logon script = %U.bat
logon drive = H:
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
passdb backend = ldapsam:ldap://192.168.1.254
ldap admin dn = cn=admin,dc=nseasy,dc=net
ldap suffix = dc=nseasy,dc=net
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap ssl = off
ldap delete dn = Yes
add user script = /sbin/smbldap-useradd -m "%u"
add machine script = /sbin/smbldap-useradd -t 0 -w "%u"
add group script = /sbin/smbldap-groupadd -p "%g"
add user to group script = /sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /sbin/smbldap-usermod -g '%g' '%u'
############################## Homes parameters ################
[homes]
comment = repertoire de %U, %u
browseable = no
writeable = yes
read only = no
force create mode = 0700
create mode = 0700
force directory mode = 0700
directory mode = 700
############################# Netlogone parameters ###############
[netlogon]
path = /home/netlogon/
browseable = No
read only = yes
############################# Public parameters ##################
[public]
comment = Public Directory
path = /home/public/
browseable = No
writable = yes
guest ok = yes
create mask = 0777
----------------------------------------------------------------------------------------------------------------------
特别提示:在网上有一些文章介绍可以实现自动创建计算机帐号的方法,不知道可否正常使用,小弟没有试过!
操作如下在smb.conf文件的[global]里加入以下内容(注:适合Samba 3.0版以上):
add machind script = /usr/sbin/useradd –d /dev/null –g 100 –s /bin/false –M %u
----------------------------------------------------------------------------------------------------------------------
建立相关共享目录操作:
详细操作:
# mkdir /home/netlogon
# mkdir /home/public
启动Samba服务项目:
详细操作:
# service smb start
启动 SMB 服务: [ 确定 ]
启动 NMB 服务: [ 确定 ]
添加Samba admin dn的ldap管理员密码(注意密码要和您openldap的rootdn密码要一致啊):
详细操作:
# smbpasswd -w jinbiao
Setting stored password for "cn=Manager,dc=nseasy,dc=net" in secrets.tdb
使用testparm命令来测试Samba PDC服务器配置是否正常启动:
详细操作:
# testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[netlogon]"
Processing section "[public]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions
Sambldap的配置使用过程:
详细操作:
# cd /usr/share/doc/smbldap-tools-0.9.1/
# ./configure.pl
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
smbldap-tools script configuration
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Before starting, check
. if your samba controller is up and running.
. if the domain SID is defined (you can get it with the 'net getlocalsid')
. you can leave the configuration using the Crtl-c key combination
. empty value can be set with the "." character
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Looking for configuration files...
Samba Configuration File Path [/etc/samba/smb.conf] >
The default directory in which the smbldap configuration files are stored is shown.
If you need to change this, enter the full directory path, then press enter to continue.
Smbldap-tools Configuration Directory Path [/etc/smbldap-tools/] >
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Let's start configuring the smbldap-tools scripts ...
. workgroup name: name of the domain Samba act as a PDC
workgroup name [nseasy] >
. netbios name: netbios name of the samba controler
netbios name [PDC] >
. logon drive: local path to which the home directory will be connected (for NT Workstations). Ex: 'H:'
logon drive [H:] >
. logon home: home directory location (for Win95/98 or NT Workstation).
(use %U as username) Ex:'\\PDC\%U'
logon home (press the "." character if you don't want homeDirectory) [\\PDC\%U] >
. logon path: directory where roaming profiles are stored. Ex:'\\PDC\profiles\%U'
logon path (press the "." character if you don't want roaming profile) [\\PDC\profiles\%U] > .
. home directory prefix (use %U as username) [/home/%U] >
. default users' homeDirectory mode [700] >
. default user netlogon script (use %U as username) [%U.bat] >
default password validation time (time in days) [45] >
. ldap suffix [dc=nseasy,dc=net] >
. ldap group suffix [ou=Groups] >
. ldap user suffix [ou=Users] >
继续smb.conf文件内容:
详细配置内容:
. ldap machine suffix [ou=Computers] >
. Idmap suffix [ou=Idmap] >
. sambaUnixIdPooldn: object where you want to store the next uidNumber
and gidNumber available for new users and groups
sambaUnixIdPooldn object (relative to ${suffix}) [sambaDomainName=nseasy] >
. ldap master server: IP adress or DNS name of the master (writable) ldap server
ldap master server [192.168.1.254] >
. ldap master port [389] >
. ldap master bind dn [cn=admin,dc=nseasy,dc=net] >
ldap master bind password [] > jinbiao (Samba admin dn的ldap管理密码)
. ldap slave server: IP adress or DNS name of the slave ldap server: can also be the master one
ldap slave server [192.168.1.254] >
. ldap slave port [389] >
. ldap slave bind dn [cn=admin,dc=nseasy,dc=net] >
ldap slave bind password [] > jinbiao (Samba admin dn的ldap管理密码)
. ldap tls support (1/0) [0] >
. SID for domain nseasy: SID of the domain (can be obtained with 'net getlocalsid PDC')
SID for domain nseasy [S-1-5-21-3519350192-200481810-3753220053] >
. unix password encryption: encryption used for unix passwords
unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA) [SSHA] >
. default user gidNumber [513] >
. default computer gidNumber [515] >
. default login shell [/bin/bash] >
. default skeleton directory [/etc/skel] >
. default domain name to append to mail adress [] > nseasy.net
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
backup old configuration files:
/etc/smbldap-tools/smbldap.conf->/etc/smbldap-tools/smbldap.conf.old
/etc/smbldap-tools/smbldap_bind.conf->/etc/smbldap-tools/smbldap_bind.conf.old
writing new configuration file:
/etc/smbldap-tools/smbldap.conf done.
/etc/smbldap-tools/smbldap_bind.conf done.
----------------------------------------------------------------------------------------------------------------------
重点说明:检查/etc/smbldap-tools/目录内的smbldap_bind.conf文件以下内容要一致:
slaveDN=″cn=admin,dc=nseasy,dc=net″
slavePW =″jinbiao″
masterDN=″cn=admin,dc=nseasy,dc=net″
masterPW “jinbiao”
----------------------------------------------------------------------------------------------------------------------
使用smbldap-populate命令初始化用户服务数据库:
详细操作:
# smbldap-populate
Populating LDAP directory for domain nseasy (S-1-5-21-3519350192-200481810-3753220053)
(using builtin directory structure)
adding new entry: dc=nseasy,dc=net
adding new entry: ou=Users,dc=nseasy,dc=net
adding new entry: ou=Groups,dc=nseasy,dc=net
adding new entry: ou=Computers,dc=nseasy,dc=net
adding new entry: ou=Idmap,dc=nseasy,dc=net
adding new entry: uid=root,ou=Users,dc=nseasy,dc=net
adding new entry: uid=nobody,ou=Users,dc=nseasy,dc=net
adding new entry: cn=Domain Admins,ou=Groups,dc=nseasy,dc=net
adding new entry: cn=Domain Users,ou=Groups,dc=nseasy,dc=net
adding new entry: cn=Domain Guests,ou=Groups,dc=nseasy,dc=net
adding new entry: cn=Domain Computers,ou=Groups,dc=nseasy,dc=net
adding new entry: cn=Administrators,ou=Groups,dc=nseasy,dc=net
adding new entry: cn=Account Operators,ou=Groups,dc=nseasy,dc=net
adding new entry: cn=Print Operators,ou=Groups,dc=nseasy,dc=net
adding new entry: cn=Backup Operators,ou=Groups,dc=nseasy,dc=net
adding new entry: cn=Replicators,ou=Groups,dc=nseasy,dc=net
adding new entry: sambaDomainName=nseasy,dc=nseasy,dc=net
Please provide a password for the domain root:
Changing password for root
New password : jinbiao (admin的ldap管理密码)
Retype new password : jinbiao (admin的ldap管理密码)
查看Samba的SID编号:
详细操作:
# net getlocalsid
SID for domain PDC is: S-1-5-21-3519350192-200481810-3753220053
使用smbaldap-useradd命令来添加用户组和用户到Samba PDC域内:
详细操作:
# smbldap-useradd -a -m user2 (添加一个samba帐号并创建主目录)
# smbldap-groupadd -p acc (添加一个samba组帐号)
# smbldap-groupmod -m user2 acc (添加user2用户帐号到acc帐号中)
adding user user2 to group acc
使用smbaldap-useradd命令来添加计算机名到Samba PDC域内:
详细操作:
# smbldap-useradd -w pyns01$ (添加一个域计算机帐号)
更改user2帐号的密码:
详细操作:
# smbldap-passwd user2
Changing password for user2
New password : 123456 (用户密码)
Retype new password : 123456 (确认用户密码)
添加user2帐号的信息:
详细操作:
# smbldap-userinfo user2
Changing the user information for user2
Enter the new value, or press ENTER for the default
User Shell [/bin/bash]:/bin/sh
Full Name [System User]:fan jin biao
Room Number []:4873
Work Phone []:013066396266
Home Phone []:82-020-84680605
Other []:ha ha!
LDAP updated
查看user2帐号的信息:
详细操作:
# smbldap-usershow user2
dn: uid=user2,ou=Users,dc=nseasy,dc=net
objectClass: top,inetOrgPerson,posixAccount,shadowAccount,sambaSamAccount
uid: user2
uidNumber: 1000
gidNumber: 513
homeDirectory: /home/user2
description: System User
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
displayName: System User
sambaSID: S-1-5-21-3519350192-200481810-3753220053-3000
sambaPrimaryGroupSID: S-1-5-21-3519350192-200481810-3753220053-513
sambaLogonScript: user2.bat
sambaHomePath: \\PDC\user2
sambaHomeDrive: H:
sambaLMPassword: 15881AE64C222524AAD3B435B51404EE
sambaAcctFlags: [U]
sambaNTPassword: D577561A7CF0233733F6EA39BB596996
sambaPwdLastSet: 1153925912
sambaPwdMustChange: 1157813912
userPassword: {SSHA}DT0JnokCNuGkC1y7Hv281+MJSQMuWm5s
gecos: fan jin biao,4873,013066396266,82-020-84680605,ha ha!
cn: fan jin biao
sn: biao
givenName: fan jin
roomNumber: 4873
telephoneNumber: 013066396266
homePhone: 82-020-84680605
loginShell: /bin/sh
Samba用户登陆调试说明:
使用user2帐号登陆PDC服务器:
详细操作:
# smbclient -L 192.168.1.254 -U user2
Password:
Domain=[NSEASY] OS=[Unix] Server=[Samba 3.0.10-1.4E.6]
Sharename Type Comment
--------- ---- -------
IPC$ IPC IPC Service (Samba Server 3.0.10-1.4E.6)
ADMIN$ IPC IPC Service (Samba Server 3.0.10-1.4E.6)
user2 Disk repertoire de user2, user2
Domain=[NSEASY] OS=[Unix] Server=[Samba 3.0.10-1.4E.6]
Server Comment
--------- -------
PDC Samba Server 3.0.10-1.4E.6
Workgroup Master
--------- -------
MYGROUP MASTER
NSEASY PDC
Samba域建立Windows用户登陆logon文件(本例为建立user2用户的user2.bat文件):
使用“文本编辑器”在/home/netlogon/目录新建user2.tmp文件,完整内容如下:
详细内容:
net time \\PDC /set /yes (客户端与服务器的时间同步)
net use T: \\PDC\public (设定public目录为T:盘)
将tmp文件转换成bat文件(因操作系统文件格式的不同,所以要进行一些特殊的转换工作):
详细内容:
# cat -A user2.tmp | tr ‘$’ ‘\r’ > user2.bat
查看user2.bat文件转换结果:
详细内容:
# cat -A user2.bat
net time \\PDC /set /yes^M$
net use T: \\PDC\public^M$ |
|