Installing Samba and LDAP on CentOS

A. PART 1 – INSTALLATION

I. SOFTWARE REQUIREMENTS:

– Required packages

  • OpenLDAP.
  • Samba.
  • Perl modules:
    • Crypt::SmbHash.
    • Digest::SHA1.
    • IO::Socket::SSL.
    • Net::SSLeay.
  • IDEALX Samba LDAP tools (smbldap-tools).
  • perl-Unicode-MapUTF8.noarch

II. INSTALLING OPENLDAP

– To install OpenLDAP, run yum install <package_name>, or yum install openldap* to pull in all of the OpenLDAP packages

– To check which packages are installed:

[root@vnteam2 /]# rpm -qa | grep ldap
openldap-2.3.43-3.el5
php-ldap-5.1.6-23.2.el5_3
nss_ldap-253-17.el5
python-ldap-2.2.0-2.1
openldap-clients-2.3.43-3.el5
openldap-servers-2.3.43-3.el5

III. INSTALLING SAMBA

– To install Samba, run yum install <package_name> or yum install samba*

– To check which packages are installed:

[root@vnteam2 /]# rpm -qa | grep samba
system-config-samba-1.2.41-5.el5
samba-client-3.0.33-3.15.el5_4
samba-swat-3.0.33-3.15.el5_4
samba-common-3.0.33-3.15.el5_4
samba-3.0.33-3.15.el5_4

IV. INSTALLING THE PERL MODULES:

– To install them, run yum install <package_name> or yum install perl*

– To check which packages are installed:

[root@vnteam2 /]# rpm -qa | grep perl
perl-Net-SSLeay-1.30-4.fc6
perl-Digest-SHA1-2.11-1.2.1
perl-IO-Socket-SSL-1.01-1.fc6
perl-LDAP-0.33-3.fc6
perl-IO-Socket-INET6-2.51-2.fc6

– The perl-Crypt-SmbHash package is the exception: download it from www.cpan.org and install it as follows:

[root@main /]# tar -zxvf Crypt-SmbHash-0.12.tar.gz
[root@main /]# cd Crypt-SmbHash-0.12
[root@main Crypt-SmbHash-0.12]# perl Makefile.PL
[root@main Crypt-SmbHash-0.12]# make install

– perl-Unicode-MapUTF8.noarch is installed with yum:

[root@main /]# yum install perl-Unicode-MapUTF8.noarch

V. INSTALLING SMBLDAP-TOOLS AND SOME OTHER TOOLS:

– Go to the IDEALX home page to download the smbldap-tools package.

– For this article I downloaded smbldap-tools-0.9.1.tgz

– After downloading it and saving it in the root directory /, run:

[root@vnteam2 ~]# cd /
[root@vnteam2 /]# tar -zxf smbldap-tools-0.9.1.tgz
[root@vnteam2 /]# mkdir -p /var/lib/samba/sbin
[root@vnteam2 /]# chmod -R 755 /var/lib/samba
[root@vnteam2 /]# cd smbldap-tools-0.9.1
[root@vnteam2 smbldap-tools-0.9.1]# cp smbldap* configure.pl /var/lib/samba/sbin
[root@vnteam2 smbldap-tools-0.9.1]# cd /var/lib/samba/sbin
[root@vnteam2 sbin]# chmod 750 *
[root@vnteam2 sbin]# chmod 640 smbldap_bind.conf
[root@vnteam2 sbin]# chmod 640 smbldap.conf
[root@vnteam2 sbin]# chmod 640 smbldap_tools.pm

– Install PHP and PHP-LDAP for Webmin

[root@vnteam2 /]# yum install php
[root@vnteam2 /]# yum install php-ldap

[root@vnteam2 /]# vi /etc/php.ini    // open the PHP configuration file
    // raise the PHP memory limit to 64M:

;;;;;;;;;;;;;;;;;;;
; Resource Limits ;
;;;;;;;;;;;;;;;;;;;

memory_limit = 64M ; Maximum amount of memory a script may consume

B. PART 2 – CONFIGURATION

I. CONFIGURING LDAP

– To configure it, run the command below and edit the contents of slapd.conf

[root@vnteam2 /]# vi /etc/openldap/slapd.conf
    // Edit as follows (note: these are only the parts that need changing, not the entire file)

# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema

# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database      bdb
suffix        "dc=vnteam2,dc=com"
rootdn        "cn=Manager,dc=vnteam2,dc=com"
# rootpw is filled in with the {SSHA} hash printed by slappasswd (a later step)
rootpw
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
# rootpw {crypt}ijFYNcSNctBYg

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap

# Indices to maintain for this database
index objectClass                        eq,pres
index ou,cn,mail,surname,givenname       eq,pres,sub
index uidNumber,gidNumber,loginShell     eq,pres
index uid,memberUid                      eq,pres,sub
index nisMapName,nisMapEntry             eq,pres,sub

– The next part sets the access controls for LDAP (also in /etc/openldap/slapd.conf). slapd applies the first "access to" directive whose target matches and ignores the rest, so the catch-all "access to *" must be the last directive; placed any earlier it would shadow every directive after it.

access to attrs=userPassword
    by self write
    by dn="cn=Manager,dc=vnteam2,dc=com" write
    by anonymous auth
    by * none

access to attrs=description,telephoneNumber
    by dn="uid=samba,ou=Users,dc=vnteam2,dc=com" write
    by self write
    by * read

# samba may create the samba domain account
access to dn.base="dc=vnteam2,dc=com"
    by dn="uid=samba,ou=Users,dc=vnteam2,dc=com" write
    by * none

# samba may create new user accounts
access to dn="ou=Users,dc=vnteam2,dc=com"
    by dn="uid=samba,ou=Users,dc=vnteam2,dc=com" write
    by * none

# samba may create new group accounts
access to dn="ou=Groups,dc=vnteam2,dc=com"
    by dn="uid=samba,ou=Users,dc=vnteam2,dc=com" write
    by * none

# samba may create computer accounts
access to dn="ou=Computers,dc=vnteam2,dc=com"
    by dn="uid=samba,ou=Users,dc=vnteam2,dc=com" write
    by * none

# catch-all: must stay last (first matching directive wins)
access to *
    by self read
    by * none
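slapd evaluates the "access to" directives in file order, uses the first one whose target matches, and inside it the first matching "by" clause (with an implicit "by * none" at the end). The Python below is an added example, not part of the original post or of OpenLDAP: it models that first-match rule for the ACL set above (targets reduced to exact DNs and attrs= lists, requesters to anonymous, self or a specific DN) and runs the same five checks against the post's ordering and against the same rules with the catch-all moved to the front. The entries uid=user1 and uid=user2 are constructed sample DNs.

```python
"""Toy first-match evaluator for slapd.conf ACLs (added example, not from the post).

Simplifications: targets are '*', 'attrs=a,b' or an exact DN ('dn=' / 'dn.base=');
no regex, filter or scope styles.  Levels follow slapd's ordering.
"""

LEVELS = ["none", "auth", "compare", "search", "read", "write"]


def parse_acl(text):
    """Parse 'access to ... / by ...' lines (# comments allowed) into rule dicts."""
    rules, cur = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("access to "):
            cur = {"what": line[len("access to "):].strip(), "by": []}
            rules.append(cur)
        elif line.startswith("by ") and cur is not None:
            who, level = line[3:].rsplit(None, 1)
            cur["by"].append((who, level))
    return rules


def what_matches(what, dn, attr):
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr in what[len("attrs="):].split(",")
    if what.startswith(("dn.base=", "dn=")):  # both treated as exact DN match here
        return dn.lower() == what.split("=", 1)[1].strip('"').lower()
    return False


def who_matches(who, requester, dn):
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if requester is None:
        return False
    if who == "self":
        return requester.lower() == dn.lower()
    if who.startswith("dn="):
        return requester.lower() == who[3:].strip('"').lower()
    return False


def access_level(rules, requester, dn, attr="entry"):
    """Level granted to requester (None = anonymous) on (dn, attr)."""
    for rule in rules:
        if what_matches(rule["what"], dn, attr):
            for who, level in rule["by"]:
                if who_matches(who, requester, dn):
                    return level
            return "none"   # first matching <what> decides; implicit 'by * none'
    return "none"           # no directive matched at all


def allows(rules, requester, dn, attr, needed):
    return LEVELS.index(access_level(rules, requester, dn, attr)) >= LEVELS.index(needed)


# The post's ACL set, catch-all last.
POST_ACL = """
access to attrs=userPassword
    by self write
    by dn="cn=Manager,dc=vnteam2,dc=com" write
    by anonymous auth
    by * none
access to attrs=description,telephoneNumber
    by dn="uid=samba,ou=Users,dc=vnteam2,dc=com" write
    by self write
    by * read
access to dn.base="dc=vnteam2,dc=com"
    by dn="uid=samba,ou=Users,dc=vnteam2,dc=com" write
    by * none
access to dn="ou=Users,dc=vnteam2,dc=com"
    by dn="uid=samba,ou=Users,dc=vnteam2,dc=com" write
    by * none
access to dn="ou=Groups,dc=vnteam2,dc=com"
    by dn="uid=samba,ou=Users,dc=vnteam2,dc=com" write
    by * none
access to dn="ou=Computers,dc=vnteam2,dc=com"
    by dn="uid=samba,ou=Users,dc=vnteam2,dc=com" write
    by * none
access to *
    by self read
    by * none
"""
# Same rules with the catch-all moved to the front.
CATCHALL_FIRST = "access to *\n    by self read\n    by * none\n" + POST_ACL.split("access to *")[0]

SAMBA = "uid=samba,ou=Users,dc=vnteam2,dc=com"
USER1 = "uid=user1,ou=Users,dc=vnteam2,dc=com"   # constructed sample entries
USER2 = "uid=user2,ou=Users,dc=vnteam2,dc=com"


def checks(acl_text):
    """Five things the post's setup relies on, evaluated against one ACL text."""
    r = parse_acl(acl_text)
    return {
        "anonymous can bind (auth on userPassword)": allows(r, None, USER1, "userPassword", "auth"),
        "anonymous can read userPassword": allows(r, None, USER1, "userPassword", "read"),
        "user1 can change own userPassword": allows(r, USER1, USER1, "userPassword", "write"),
        "samba can write ou=Users": allows(r, SAMBA, "ou=Users,dc=vnteam2,dc=com", "entry", "write"),
        "user1 can read user2's description": allows(r, USER1, USER2, "description", "read"),
    }


if __name__ == "__main__":
    for label, text in (("catch-all last", POST_ACL), ("catch-all first", CATCHALL_FIRST)):
        print(label)
        for name, ok in checks(text).items():
            print(f"  {name}: {ok}")
```

With the catch-all last, anonymous gets exactly "auth" on userPassword (enough for a simple bind, not enough to read the hash), users can change their own password, and the samba account can write the OUs; with the catch-all first every one of those checks fails, which is how a mis-ordered ACL silently breaks both logins and account creation.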

– Next, copy samba.schema into /etc/openldap/schema

[root@vnteam2 /]# cp /usr/share/doc/samba-3.0.33/LDAP/samba.schema /etc/openldap/schema/
[root@vnteam2 /]# chmod 644 /etc/openldap/schema/samba.schema
[root@vnteam2 /]# cp /etc/openldap/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@vnteam2 /]# chown ldap:ldap /var/lib/ldap/DB_CONFIG
[root@vnteam2 /]# chmod 600 /var/lib/ldap/DB_CONFIG

– Set the LDAP root password

[root@main ~]# slappasswd
    // After you enter the password, it is printed in hashed form, for example:
    // {SSHA}nPuuZXVmDofoKH1yeu/HS0J1j7ewRXKp
    // Copy the hashed line, then reopen slapd.conf

[root@main ~]# vi /etc/openldap/slapd.conf
    // Paste the hash on the rootpw line

– Configure authentication against LDAP.

[root@vnteam2 /]# setup    // or
[root@vnteam2 /]# authconfig-tui

– Select the items Use LDAP, MD5, Shadow and LDAP Authentication

– Configure /etc/openldap/ldap.conf

[root@vnteam2 /]# vi /etc/openldap/ldap.conf    // edit the contents as follows

BASE dc=vnteam2,dc=com
URI ldap://127.0.0.1/
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
#TLS_CACERTDIR /etc/openldap/cacerts

– Configure /etc/ldap.conf

[root@vnteam2 /]# vi /etc/ldap.conf
    // edit the contents as follows

# network or connect timeouts (see bind_timelimit).
host 127.0.0.1

# The distinguished name of the search base.
base dc=vnteam2,dc=com

# Optional: default is to bind anonymously.
binddn cn=Manager,dc=vnteam2,dc=com
# bindpw is sent verbatim in the simple bind, so it must be the clear-text
# password of binddn; the {SSHA} hash printed by slappasswd will not bind.
# Because it is stored in clear text and this file is readable by every
# local user, prefer rootbinddn with the password in /etc/ldap.secret (mode 600).
bindpw <clear-text password of cn=Manager>

nss_base_passwd     ou=Users,dc=vnteam2,dc=com?one
nss_base_passwd     ou=Computers,dc=vnteam2,dc=com
nss_base_shadow     ou=Users,dc=vnteam2,dc=com?one
nss_base_group      ou=Groups,dc=vnteam2,dc=com?one

#pam_sasl_mech DIGEST-MD5
uri ldap://127.0.0.1/
ssl no
#tls_cacertdir /etc/openldap/cacerts.pem
pam_password md5

– Start the LDAP service

[root@vnteam2 /]# /etc/init.d/ldap start
[root@vnteam2 /]# chkconfig ldap on

    // or

[root@vnteam2 /]# /etc/rc.d/init.d/ldap start
[root@vnteam2 /]# chkconfig ldap on

– Migrate the user information from the local files to LDAP. Run the following command to open migrate_common.ph and edit its contents

[root@vnteam2 /]# vi /usr/share/openldap/migration/migrate_common.ph
    // Find and edit the following lines:

# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "vnteam2.com";

# Default base
$DEFAULT_BASE = "dc=vnteam2,dc=com";

– Create base.ldif to import into LDAP

[root@vnteam2 /]# vi base.ldif
    // Enter the following content

dn: dc=vnteam2,dc=com
objectClass: dcObject
objectClass: organization
o: VNTEAM2 Organization
dc: vnteam2

dn: cn=Manager,dc=vnteam2,dc=com
objectClass: organizationalRole
cn: Manager

dn: ou=People,dc=vnteam2,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=vnteam2,dc=com
objectClass: organizationalUnit
ou: Group

– Import the file just created into the LDAP server

[root@vnteam2 /]# ldapadd -h localhost -x -D "cn=Manager,dc=vnteam2,dc=com" -W -f base.ldif
Enter LDAP Password:             // enter the password; the result is:
adding new entry "dc=vnteam2,dc=com"
adding new entry "cn=Manager,dc=vnteam2,dc=com"
adding new entry "ou=People,dc=vnteam2,dc=com"
adding new entry "ou=Group,dc=vnteam2,dc=com"

– Next, create a user for testing and move all of the information into LDAP

[root@vnteam2 /]# useradd test1        // add a local user named test1
[root@vnteam2 /]# passwd test1        // set test1's password
[root@vnteam2 /]# grep root /etc/passwd > /etc/openldap/passwd.root    // copy the passwd entry to a file
[root@vnteam2 /]# grep test1 /etc/passwd > /etc/openldap/passwd.test1

    // run the following two commands in turn

[root@vnteam2 /]# /usr/share/openldap/migration/migrate_passwd.pl /etc/openldap/passwd.root /etc/openldap/root.ldif
[root@vnteam2 /]# /usr/share/openldap/migration/migrate_passwd.pl /etc/openldap/passwd.test1 /etc/openldap/test1.ldif

[root@vnteam2 /]# vi /etc/openldap/root.ldif     // open the file generated above and edit its first 4 lines

     #1 dn: uid=root,ou=People,dc=vnteam2,dc=com
     #2 uid: root
     #3 cn: Manager
     #4 objectClass: account

    // move the two users root and test1 into LDAP

[root@vnteam2 /]# ldapadd -x -D "cn=Manager,dc=vnteam2,dc=com" -W -f /etc/openldap/root.ldif
Enter LDAP Password:
adding new entry "uid=root,ou=People,dc=vnteam2,dc=com"
adding new entry "uid=operator,ou=People,dc=vnteam2,dc=com"

[root@vnteam2 /]# ldapadd -x -D "cn=Manager,dc=vnteam2,dc=com" -W -f /etc/openldap/test1.ldif
Enter LDAP Password:
adding new entry "uid=test1,ou=People,dc=vnteam2,dc=com"

II. CONFIGURING SAMBA:

– The contents of the smb.conf configuration file are as follows:

[root@vnteam2 /]# vi /etc/samba/smb.conf
    // Replace the entire contents with the following:

[global]
workgroup = VNTEAM2
netbios name = main
server string = Linux Samba Server
passdb backend = ldapsam:ldap://127.0.0.1/
log file = /var/log/samba/log.%m
max log size = 50
time server = Yes
add user script = /var/lib/samba/sbin/smbldap-useradd -a '%u'
delete user script = /var/lib/samba/sbin/smbldap-userdel '%u'
add group script = /var/lib/samba/sbin/smbldap-groupadd -p '%g'
delete group script = /var/lib/samba/sbin/smbldap-groupdel '%g'
add user to group script = /var/lib/samba/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /var/lib/samba/sbin/smbldap-groupmod -x '%u' '%g'
set primary group script = /var/lib/samba/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /var/lib/samba/sbin/smbldap-useradd -w '%u'

# Personally, I do not like roaming profiles because they take up too
# much space on my server. As such, I disable roaming profiles by
# setting the following two variables to null
logon path =
logon home =
logon drive = H:
domain logons = Yes
preferred master = Yes
domain master = Yes
wins support = Yes
ldap admin dn = cn=Manager,dc=vnteam2,dc=com
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Computers
ldap passwd sync = Yes
ldap suffix = dc=vnteam2,dc=com
ldap user suffix = ou=Users
idmap backend = ldap:ldap://127.0.0.1
idmap uid = 10000-20000
idmap gid = 10000-20000

[netlogon]
path = /var/lib/samba/netlogon/scripts
browseable = No
root preexec = /var/lib/samba/netlogon/scripts/logon.pl %U %I

[marketing]
comment = Marketing material
path = /home/marketing
force group = marketing
read only = No
create mask = 0770
directory mask = 0770
browseable = No

[engineering]
comment = Common material
path = /home/engineering
force group = engineering
read only = No
create mask = 0770
directory mask = 0770
browseable = No

– Create the directories used by the configuration above

[root@vnteam2 /]# mkdir -p /var/lib/samba/netlogon/scripts/
[root@vnteam2 /]# mkdir -p /var/lib/samba/printing/
[root@vnteam2 /]# chmod -R 755 /var/lib/samba/netlogon
[root@vnteam2 /]# chmod -R 755 /var/lib/samba/printing

– Store the LDAP admin DN password for Samba (smbpasswd -w keeps it in secrets.tdb)

[root@vnteam2 /]# smbpasswd -w <ldap_admin_password>

– Create the logon script that root preexec in the [netlogon] share calls

[root@vnteam2 /]# vi /var/lib/samba/netlogon/scripts/logon.pl
    // Contents of the script

#!/usr/bin/perl
use strict;
use warnings;

# Set the permissions on any file we create to 644 (i.e. -rw-r--r--)
umask(022);

my $NETLOGON_DIR = "/var/lib/samba/netlogon/scripts";
my $LOG_DIR      = "/var/log/samba";
my $SERVERNAME   = "main";

## You will need to modify this hash to match your mountpoints.
my %MOUNTPOINTS = (
    "engineering" => "NET USE W: \\\\$SERVERNAME\\engineering \/YES\r\n",
    "marketing"   => "NET USE W: \\\\$SERVERNAME\\marketing \/YES\r\n",
    "management"  => "NET USE W: \\\\$SERVERNAME\\management \/YES\r\n"
);

## Make sure that there is a user name and that it contains a valid
## user name string (i.e. no invalid chars).  The name becomes part of a
## file name below, so anything outside [A-Za-z0-9_-] is rejected outright.
if ($#ARGV != 1 || $ARGV[0] =~ /[^a-zA-Z0-9_-]/) {
    exit(1);
}

# Make sure that the user exists and log attempts with invalid IDs
my $uid = getpwnam($ARGV[0]);
if (!defined $uid) {
    my $now = localtime;
    open(LOG, '>>', "$LOG_DIR/log.netlogon") or exit(1);
    print LOG "$now";
    print LOG " - Error: Unknown user $ARGV[0] logged into $SERVERNAME from $ARGV[1]\n";
    close LOG;
    exit(1);
}

# Log the logon attempt
my $now = localtime;
open(LOG, '>>', "$LOG_DIR/log.netlogon") or exit(1);
print LOG "$now";
print LOG " - User $ARGV[0] logged into $SERVERNAME from $ARGV[1]\n";
close LOG;

## Create a custom logon batch file.
open(FH, '>', "$NETLOGON_DIR/$ARGV[0].cmd") or exit(1);

# Turn echo off
print FH "\@ECHO OFF\r\n";

# Synchronize time between Windows client and Linux server.
print FH "NET TIME \\\\$SERVERNAME \/SET \/YES\r\n";

foreach my $key (sort keys %MOUNTPOINTS) {
    if (isMember($ARGV[0], $key)) {
        # Put mount points in file
        print FH "$MOUNTPOINTS{$key}";
    }
}
close FH;

# Checks to see if the given user is a member of the given group,
# either via the group's member list or as the user's primary group.
# Returns 1 if true and 0 otherwise.
sub isMember {
    my ($user, $group) = @_;
    my ($name, $passwd, $gid, $members) = getgrnam($group);
    return 0 unless defined $gid;          # unknown group
    my $primary_gid = (getpwnam($user))[3];
    return 1 if defined $primary_gid && $primary_gid == $gid;
    for (split /\s+/, $members) {
        return 1 if $user eq $_;
    }
    return 0;
}

    // set the permissions on the logon script

[root@vnteam2 /]# chmod 755 /var/lib/samba/netlogon/scripts/logon.pl

    // Start Samba

[root@vnteam2 /]# /etc/init.d/smb start
[root@vnteam2 /]# chkconfig smb on

– Populate the LDAP database (preparation)

[root@vnteam2 /]# cd /var/lib/samba/sbin/
[root@vnteam2 sbin/]# vi smbldap_tools.pm

    // Edit the following lines so that the scripts look for their configuration files in /var/lib/samba/sbin

#!/usr/bin/perl -w
use strict;
package smbldap_tools;
use Net::LDAP;
use Crypt::SmbHash;

my $smbldap_conf;
if (-e "/etc/smbldap-tools/smbldap.conf") {
    $smbldap_conf="/var/lib/samba/sbin/smbldap.conf";
} else {
    $smbldap_conf="/var/lib/samba/sbin/smbldap.conf";
}

my $smbldap_bind_conf;
if (-e "/etc/smbldap-tools/smbldap_bind.conf") {
    $smbldap_bind_conf="/var/lib/samba/sbin/smbldap_bind.conf";
} else {
    $smbldap_bind_conf="/var/lib/samba/sbin/smbldap_bind.conf";
}

my $samba_conf;
if (-e "/etc/samba/smb.conf") {
    $samba_conf="/etc/samba/smb.conf";
} else {
    $samba_conf="/etc/samba/smb.conf";
}

– Next, run ./configure.pl (still in /var/lib/samba/sbin).

[root@vnteam2 sbin]# ./configure.pl
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
smbldap-tools script configuration
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Before starting, check
. if your samba controller is up and running.
. if the domain SID is defined (you can get it with the 'net getlocalsid')
. you can leave the configuration using the Crtl-c key combination
. empty value can be set with the "." character
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Looking for configuration files...

Samba Configuration File Path [/etc/samba/smb.conf] >

The default directory in which the smbldap configuration files are stored is shown.
If you need to change this, enter the full directory path, then press enter to continue.
Smbldap-tools ConfigurationDirectory Path [/etc/opt/IDEALX/smbldap-tools/]> /var/lib/samba/sbin

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Let's start configuring the smbldap-tools scripts ...

. workgroup name: name of the domain Samba act as a PDC
workgroup name [VNTEAM2] >    // leave blank and press Enter
. netbios name: netbios name of the samba controler
netbios name [main] >    // leave blank and press Enter
. logon drive: local path to which the home directory will be connected (for NT Workstations). Ex: 'H:'
logon drive [H:] >    // leave blank and press Enter
. logon home: home directory location (for Win95/98 or NT Workstation).
(use %U as username) Ex:'\\main\%U'
logon home (press the "." character if you don't want homeDirectory) [\\main\%U] >    // leave blank and press Enter
. logon path: directory where roaming profiles are stored. Ex:'\\main\profiles\%U'
logon path (press the "." character if you don't want roaming profile) [\\main\profiles\%U] >    // leave blank and press Enter
. home directory prefix (use %U as username) [/home/%U] >    // leave blank and press Enter
. default users' homeDirectory mode [700] >    // leave blank and press Enter
. default user netlogon script (use %U as username) [] >    // leave blank and press Enter
default password validation time (time in days) [45] >    // leave blank and press Enter
. ldap suffix [dc=vnteam2,dc=com] >    // leave blank and press Enter
. ldap group suffix [ou=Groups] >    // leave blank and press Enter
. ldap user suffix [ou=Users] >    // leave blank and press Enter
. ldap machine suffix [ou=Computers] >    // leave blank and press Enter
. Idmap suffix [ou=Idmap] >    // leave blank and press Enter
. sambaUnixIdPooldn: object where you want to store the next uidNumber
and gidNumber available for new users and groups
sambaUnixIdPooldn object (relative to ${suffix}) [sambaDomainName=VNTEAM2] >    // leave blank and press Enter
. ldap master server: IP adress or DNS name of the master (writable) ldap server
ldap master server [127.0.0.1] >    // leave blank and press Enter
. ldap master port [389] >    // leave blank and press Enter
. ldap master bind dn [cn=Manager,dc=vnteam2,dc=com] >    // leave blank and press Enter
. ldap master bind password [] >    // enter the LDAP (cn=Manager) password
. ldap slave server: IP adress or DNS name of the slave ldap server: can also be the master one
ldap slave server [127.0.0.1] >    // leave blank and press Enter
. ldap slave port [389] >    // leave blank and press Enter
. ldap slave bind dn [cn=Manager,dc=vnteam2,dc=com] >    // leave blank and press Enter
. ldap slave bind password [] >    // leave blank and press Enter
. ldap tls support (1/0) [0] > 0    // enter 0
. How to verify the server's certificate (none, optional or require) [require] >
. CA certificate file [/var/lib/samba/sbin//ca.pem] > /etc/openldap/cacerts/cacert.pem
. certificate to use to connect to the ldap server [/var/lib/samba/sbin//smbldap-tools.pem] >
. key certificate to use to connect to the ldap server [/var/lib/samba/sbin//smbldap-tools.key] >
. SID for domain VNTEAM2: SID of the domain (can be obtained with 'net getlocalsid main')
SID for domain VNTEAM2 [S-1-5-21-2720870104-1132997520-3252960771] >
. unix password encryption: encryption used for unix passwords
unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA) [SSHA] > MD5
. default user gidNumber [513] >    // leave blank and press Enter
. default computer gidNumber [515] >    // leave blank and press Enter
. default login shell [/bin/bash] >    // leave blank and press Enter
. default skeleton directory [/etc/skel] >    // leave blank and press Enter
. default domain name to append to mail adress [] > vnteam2.com
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
backup old configuration files:
/var/lib/samba/sbin/smbldap.conf->/var/lib/samba/sbin/smbldap.conf.old
/var/lib/samba/sbin/smbldap_bind.conf->/var/lib/samba/sbin/smbldap_bind.conf.old
writing new configuration file:
/var/lib/samba/sbin/smbldap.conf done.
/var/lib/samba/sbin/smbldap_bind.conf done.

– Fix the permissions on some files (still in /var/lib/samba/sbin). smbldap_bind.conf holds the LDAP master bind password entered above in clear text, so it must be readable by root only.

[root@vnteam2 sbin]# chown root:root smbldap.conf smbldap_bind.conf
[root@vnteam2 sbin]# chmod 644 smbldap.conf
[root@vnteam2 sbin]# chmod 600 smbldap_bind.conf
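Several files in this setup end up holding secrets or controlling what runs as root: smbldap_bind.conf (LDAP master bind password), DB_CONFIG (mode 600, owned by ldap), slapd.conf (its own header says it must not be world readable) and logon.pl (executed by smbd via root preexec). The Python check below is an added example, not part of the post or of smbldap-tools: it audits those files for the modes set in this article and for root ownership, relative to a root directory so it can be run against a staging tree as well as against / on the server. The tree built by audit_staging() and its modes are constructed for illustration.

```python
"""Permission audit for the secret-bearing and root-executed files of this setup.

Added example (not from the post).  Run with no arguments to audit "/"; the
expected owner is root (uid 0) on a real server.
"""
import os
import stat
import tempfile

RWX_GROUP_OTHER = stat.S_IRWXG | stat.S_IRWXO
W_GROUP_OTHER = stat.S_IWGRP | stat.S_IWOTH

# (relative path, permission bits that must NOT be set, must be owned by the expected uid)
POLICY = [
    ("var/lib/samba/sbin/smbldap_bind.conf",    RWX_GROUP_OTHER, True),   # chmod 600, clear-text bind password
    ("var/lib/ldap/DB_CONFIG",                  RWX_GROUP_OTHER, False),  # chmod 600, owned by ldap
    ("etc/openldap/slapd.conf",                 stat.S_IRWXO,    True),   # rootpw hash: not world readable
    ("var/lib/samba/sbin/smbldap.conf",         W_GROUP_OTHER,   True),   # chmod 644
    ("var/lib/samba/netlogon/scripts/logon.pl", W_GROUP_OTHER,   True),   # runs as root; nobody else may edit it
]


def audit(root="/", expected_uid=0):
    """Return a list of findings (empty means every file complies)."""
    findings = []
    for rel, forbidden, check_owner in POLICY:
        path = os.path.join(root, rel)
        try:
            st = os.lstat(path)
        except FileNotFoundError:
            findings.append(f"{rel}: missing")
            continue
        if stat.S_ISLNK(st.st_mode):
            findings.append(f"{rel}: is a symlink")
            continue
        mode = stat.S_IMODE(st.st_mode)
        if mode & forbidden:
            findings.append(f"{rel}: mode {mode:04o} has forbidden bits {mode & forbidden:04o}")
        if check_owner and st.st_uid != expected_uid:
            findings.append(f"{rel}: owned by uid {st.st_uid}, expected {expected_uid}")
    return findings


def audit_staging(modes):
    """Build a throw-away tree from a {relative path: mode} map and audit it
    (owner check against the current user, since the tree is ours)."""
    root = tempfile.mkdtemp(prefix="ldap-audit-")
    for rel, mode in modes.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("# constructed sample file\n")
        os.chmod(path, mode)
    return audit(root, expected_uid=os.getuid())


if __name__ == "__main__":
    for finding in audit("/") or ["all files comply"]:
        print(finding)
```

A missing file is reported rather than skipped, and a symlink is reported rather than followed, so a path that has been redirected elsewhere does not pass the check by accident.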

– Populate the LDAP database (execution)

[root@vnteam2 /]# cd /var/lib/samba/sbin/
[root@vnteam2 sbin/]# ./smbldap-populate

Populating LDAP directory for domain VNTEAM2 (S-1-5-21-2720870104-1132997520-3252960771) (using builtin directory structure)
entry dc=vnteam2,dc=com already exist.
adding new entry: ou=Users,dc=vnteam2,dc=com
adding new entry: ou=Groups,dc=vnteam2,dc=com
adding new entry: ou=Computers,dc=vnteam2,dc=com
adding new entry: ou=Idmap,dc=vnteam2,dc=com
adding new entry: uid=root,ou=Users,dc=vnteam2,dc=com
adding new entry: uid=nobody,ou=Users,dc=vnteam2,dc=com
adding new entry: cn=Domain Admins,ou=Groups,dc=vnteam2,dc=com
adding new entry: cn=Domain Users,ou=Groups,dc=vnteam2,dc=com
adding new entry: cn=Domain Guests,ou=Groups,dc=vnteam2,dc=com
adding new entry: cn=Domain Computers,ou=Groups,dc=vnteam2,dc=com
adding new entry: cn=Administrators,ou=Groups,dc=vnteam2,dc=com
adding new entry: cn=Account Operators,ou=Groups,dc=vnteam2,dc=com
adding new entry: cn=Print Operators,ou=Groups,dc=vnteam2,dc=com
adding new entry: cn=Backup Operators,ou=Groups,dc=vnteam2,dc=com
adding new entry: cn=Replicators,ou=Groups,dc=vnteam2,dc=com
entry sambaDomainName=VNTEAM2,dc=vnteam2,dc=com already exist. Updating it...
Please provide a password for the domain root:
Changing password for root
New password :
Retype new password :

– Create groups and users

[root@vnteam2 /]# cd /var/lib/samba/sbin/
[root@vnteam2 sbin/]# ./smbldap-groupadd engineering
[root@vnteam2 sbin/]# ./smbldap-groupadd marketing
[root@vnteam2 sbin/]# ./smbldap-useradd -s /sbin/nologin -m -g engineering engineering
[root@vnteam2 sbin/]# ./smbldap-useradd -s /sbin/nologin -m -g marketing marketing
[root@vnteam2 sbin/]# ./smbldap-useradd -a -G "Domain Users",engineering user1
[root@vnteam2 sbin/]# ./smbldap-passwd user1
[root@vnteam2 sbin/]# ./smbldap-useradd -a -G "Domain Users",marketing user2
[root@vnteam2 sbin/]# ./smbldap-passwd user2

IV. Configuring the Windows XP Client:

1) Make sure that the workstation belongs to the same workgroup as the server and has a fixed IP address and hostname assigned.

2) Change the registry entries: run regedt32 and do the following
a) RequireSignOrSeal registry hack

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netlogon\parameters
"RequireSignOrSeal"=dword:00000000

b) Use the Registry Editor and edit
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\CompatibleRUPSecurity to have the DWORD value 1

3) Use the Group Policy Editor (gpedit.msc) and enable "Computer Configuration\Administrative Templates\System\User Profiles\Do not check for user ownership of Roaming Profile Folders".

4) Right-click My Computer and choose Properties. Go to Change, click Domain, and enter the domain name you want to join. When joining the domain for the first time, enter the user ID root and give the Samba password. Make sure there is an entry for root in the smbpasswd (Samba password) file.

5) Reboot; the changes then take effect.

About Terri

System Administrator @Netpower Datacenter

Posted on 12.06.2011, in Linux, Technical Articles.

  1. Could you tell me which version of CentOS you are using?

  2. Đặng Thanh Phong

    I set up two LDAP servers (one primary, one secondary) and configured the primary LDAP server as above. What about configuring the Samba service on the secondary LDAP server?

  3. Did you configure the Samba service on the BACKUP LDAP server?
