Mini Guide - Samba integrated with LDAP
Installation and configuration procedure
Procedure based on DEBIAN; it can easily be adapted to other distributions.
author: André Alexandre Gaio    e-mail: aagaio@linwork.com.br
---==== Downloading, compiling and installing BerkeleyDB ====---
Download from:
    wget ftp://sleepycat1.inetu.net/releases/db-4.3.21.tar.gz
    tar xzvf db-4.3.21.tar.gz
    cd db-4.3.21
    cd build_unix
    ../dist/configure --prefix=/usr/local
    make
    make install
Add the directory "/usr/local/lib" to the file "/etc/ld.so.conf" and run:
    ldconfig
---==== Downloading, compiling and installing Cyrus-SASL ====---
Download from:
    wget ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/cyrus-sasl-2.1.20.tar.gz
    tar xzvf cyrus-sasl-2.1.20.tar.gz
    cd cyrus-sasl-2.1.20
    ./configure
    make
    make install
Create a link from the directory "/usr/local/lib/sasl2" into the directory "/usr/lib", then refresh the linker cache:
    ln -s /usr/local/lib/sasl2 /usr/lib/
    ldconfig
---==== Downloading, compiling and installing OpenLDAP ====---
Download from:
    wget ftp://ftp.openldap.org/pub/OpenLDAP/openldap-stable/openldap-stable-20040923.tgz
    tar xzvf openldap-stable-20040923.tgz
    cd openldap-2.2.17
    ./configure \
        --enable-debug \
        --enable-syslog \
        --enable-fetch \
        --with-readline \
        --with-threads \
        --with-cyrus-sasl \
        --with-tls \
        --enable-slapd \
        --enable-crypt \
        --enable-lmpasswd \
        --enable-spasswd
    make
    make install
---==== Downloading, compiling and installing SAMBA ====---
Download from:
    wget http://us1.samba.org/samba/ftp/samba-3.0.9.tar.gz
    tar -xvzf samba-3.0.9.tar.gz
    cd samba-3.0.9
    ./configure \
        --sbindir=/usr/local/sbin \
        --with-configdir=/etc/samba \
        --libexecdir=/usr/local/libexec/ \
        --with-mandir=/usr/local/man \
        --with-logfilebase=/var/log/samba \
        --with-ldap \
        --with-ldapsam \
        --with-winbind \
        --with-smbmount \
        --with-profiling-data \
        --with-quotas \
        --with-sys-quotas \
        --enable-cups \
        --with-static-modules=vfs_recycle,vfs_extd_audit,vfs_default_quota,vfs_audit,vfs_cap,getdate,vfs_fake_perms \
        --with-automount \
        --with-tdbsam \
        --with-acl-support
    make
    make install
---==== Migrating the system accounts to LDAP ====---
Download MigrationTools from:
    wget http://www.padl.com/download/MigrationTools.tgz
    tar -xvzf MigrationTools.tgz
    cd MigrationTools-45
Edit the file migrate_common.ph and set the following lines:
    $NAMINGCONTEXT{'passwd'} = "ou=TI";
    $NAMINGCONTEXT{'group'} = "ou=TI";
    $DEFAULT_MAIL_DOMAIN = "seudominio.com.br";
    $DEFAULT_BASE = "o=sua_organização,c=BR";
    $DEFAULT_MAIL_HOST = "mail.seudominio.com.br";
Export the system groups to an LDIF file and load it into LDAP:
    ./migrate_group.pl /etc/group /tmp/grupos.ldif
    ldapadd -x -v -D cn=Manager,c=BR -W -f /tmp/grupos.ldif
Export the users to LDAP the same way:
    ./migrate_passwd.pl /etc/passwd /tmp/usuarios.ldif
    ldapadd -x -v -D cn=Manager,c=BR -W -f /tmp/usuarios.ldif
---==== Making the system authenticate against LDAP ====---
Install libnss-ldap:
    apt-get install libnss-ldap
You will be asked for the LDAP server details, which are:
    IP: 127.0.0.1
    PORT: 389
    BASE DN: c=BR
    ADMINISTRATOR: cn=Manager,c=BR
    PASSWORD: senha
Edit the file /etc/nsswitch.conf and change the following lines:
    passwd: compat ldap
    group: compat ldap
Edit the file /etc/openldap/slapd.conf and add the line below after the last include:
    include /etc/openldap/schema/samba.schema
Restart OpenLDAP so that it recognises the new schema. Create a symbolic link from /etc/samba pointing to /usr/local/samba/lib:
    ln -s /usr/local/samba/lib /etc/samba
Create an smb.conf file with the contents below and place it in /etc/samba.
---==== Creating the file /etc/samba/smb.conf ====---
    [global]
    workgroup = SEU_WORKGROUP
    netbios name = sambasrv
    hosts allow = 192.168.
    printcap name = cups
    load printers = yes
    printing = cups
    print command = lpr -r -P%p -J'%J' %s
    log file = /var/log/samba/%m.log
    max log size = 1500
    security = user
    passdb backend = ldapsam:ldap://127.0.0.1/
    ldap suffix = c=BR
    ldap admin dn = "cn=Manager,c=BR"
    ldap filter = "(&(uid=%u)(objectclass=sambaSamAccount))"
    ldap port = 389
    ldap ssl = no
    ldap user suffix = "ou=TI,o=SEU_DOMINIO,c=BR"
    ldap group suffix = "ou=TI,o=SEU_DOMINIO,c=BR"
    ldap machine suffix = "ou=TI,o=SEU_DOMINIO,c=BR"
    ldap passwd sync = Yes
    idmap uid = 15000-40000
    idmap gid = 15000-40000
    nt acl support = yes
    create mask = 600
    directory mask = 700
    force directory mode = 700
    encrypt passwords = yes
    passwd chat = *new*password* %n\n *new*password* %n\n *successfully*
    unix password sync = Yes
    hide dot files = yes
    add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
    add user script = /usr/local/sbin/smbldap-useradd -m "%u"
    delete user script = /usr/local/sbin/smbldap-userdel "%u"
    add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
    delete group script = /usr/local/sbin/smbldap-groupdel "%g"
    add user to group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
    dos charset = UTF-8
    unix charset = UTF-8
    cups server =
    admin users = @root
    username map = /etc/samba/smbusers
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    local master = no
    os level = 64
    domain master = yes
    preferred master = no
    domain logons = yes
    logon script = script.bat
    logon path = \\%L\%U\profile
    wins support = yes
    dns proxy = no

    [netlogon]
    comment = Network Logon Service
    path = /home/netlogon
    guest ok = yes
    writable = no
    share modes = no

    [sysvol]
    comment = Network Logon Service
    path = /home/netlogon
    guest ok = yes
    writable = no
    share modes = no

    [printers]
    comment = All Printers
    path = /var/spool/samba
    browseable = no
    guest ok = no
    writable = no
    printable = yes

    [teste]
    comment = Teste
    path = /home/teste
    valid users = @staff
    public = no
    writable = yes
    printable = no
    create mask = 0770
---==== Configuring smbldap-tools ====---
Download from:
    wget http://samba.idealx.org/dist/smbldap-tools-0.8.5.tgz
    tar zxvf smbldap-tools-0.8.5.tgz
    cd smbldap-tools-0.8.5
    cp -a smbldap-* /usr/local/sbin/
    mkdir /etc/smbldap-tools/
    cp -a smbldap.conf smbldap_bind.conf /etc/smbldap-tools/
    chmod 644 /etc/smbldap-tools/smbldap.conf
    chmod 600 /etc/smbldap-tools/smbldap_bind.conf
Edit /etc/smbldap-tools/smbldap.conf:
    SID="S-1-5-21-3434180907-2502208406-463015406"
    slaveLDAP="127.0.0.1"
    slavePort="389"
    masterLDAP="127.0.0.1"
    masterPort="389"
    ldapTLS="0"
    verify=""
    cafile=""
    clientcert=""
    clientkey=""
    suffix="o=SUA_ORGANIZAÇÃO,c=BR"
    usersdn="ou=TI,${suffix}"
    computersdn="ou=TI,${suffix}"
    groupsdn="ou=TI,${suffix}"
    idmapdn="ou=TI,${suffix}"
    sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
    scope="sub"
    hash_encrypt="SSHA"
    crypt_salt_format="%s"
    userLoginShell="/bin/false"
    userHome="/home/%U"
    userGecos="Ldap System User"
    defaultUserGid="1000"
    defaultComputerGid="1000"
    skeletonDir="/etc/skel"
    defaultMaxPasswordAge="60"
    userSmbHome="\\SEU_WORKGROUP\homes\%U"
    userProfile="\\SEU_WORKGROUP\profiles\%U"
    userHomeDrive="H:"
    userScript="%U.bat"
    mailDomain="SEU_DOMÍNIO.com.br"
    with_smbpasswd="0"
    smbpasswd="/usr/bin/smbpasswd"
Run the command below to obtain the SID:
    net getlocalsid SEU_WORKGROUP
Note that it automatically creates an entry in LDAP, similar to this one:
    dn: sambaDomainName=SEU_WORKGROUP,o=SUA_ORGANIZAÇÃO,c=BR
    sambaDomainName: SEU_WORKGROUP
    sambaSID: S-1-5-21-3434180907-2502208406-463015406
    sambaAlgorithmicRidBase: 1000
    objectClass: sambaDomain
    sambaNextUserRid: 31000
    sambaNextGroupRid: 31001
It is also necessary to store the LDAP admin password in Samba's secrets file; use the command:
    smbpasswd -w <SENHA>
Edit the file /etc/smbldap-tools/smbldap_bind.conf and configure it as follows:
    slaveDN="cn=Manager,c=BR"
    slavePw="senha"
    masterDN="cn=Manager,c=BR"
    masterPw="senha"
Install the packages:
    apt-get install perl perl-modules perl-5.6
Copy the file smbldap_tools.pm to the directory /usr/local/sbin:
    cp -a smbldap_tools.pm /usr/local/sbin/
---==== Installing the Perl modules ====---
Download each module from the addresses below; for each one, unpack it, enter its directory and run perl Makefile.PL, make, make test and make install:
    wget http://www.cpan.org/modules/by-authors/id/GBARR/Convert-ASN1-0.14.tar.gz
    tar zxvf Convert-ASN1-0.14.tar.gz
    cd Convert-ASN1-0.14 && perl Makefile.PL && make && make test && make install && cd ..

    wget http://www.cpan.org/modules/by-authors/id/GBARR/Authen-SASL-2.08.tar.gz
    tar zxvf Authen-SASL-2.08.tar.gz
    cd Authen-SASL-2.08 && perl Makefile.PL && make && make test && make install && cd ..

    wget http://www.cpan.org/modules/by-authors/id/GAAS/URI-1.35.tar.gz
    tar zxvf URI-1.35.tar.gz
    cd URI-1.35 && perl Makefile.PL && make && make test && make install && cd ..

    wget http://www.cpan.org/modules/by-authors/id/SAMPO/Net_SSLeay.pm-1.25.tar.gz
    tar zxvf Net_SSLeay.pm-1.25.tar.gz
    cd Net_SSLeay.pm-1.25 && perl Makefile.PL && make && make test && make install && cd ..

    wget http://search.cpan.org/CPAN/authors/id/B/BE/BEHROOZI/IO-Socket-SSL-0.96.tar.gz
    tar zxvf IO-Socket-SSL-0.96.tar.gz
    cd IO-Socket-SSL-0.96 && perl Makefile.PL && make && make test && make install && cd ..

    wget http://search.cpan.org/CPAN/authors/id/K/KH/KHAMPTON/XML-SAX-Base-1.04.tar.gz
    tar zxvf XML-SAX-Base-1.04.tar.gz
    cd XML-SAX-Base-1.04 && perl Makefile.PL && make && make test && make install && cd ..

    wget http://search.cpan.org/CPAN/authors/id/B/BJ/BJKUIT/Crypt-SmbHash-0.12.tar.gz
    tar zxvf Crypt-SmbHash-0.12.tar.gz
    cd Crypt-SmbHash-0.12 && perl Makefile.PL && make && make test && make install && cd ..

    wget http://www.cpan.org/modules/by-authors/id/GBARR/perl-ldap-0.3202.tar.gz
    tar zxvf perl-ldap-0.3202.tar.gz
    cd perl-ldap-0.3202 && perl Makefile.PL && make && make test && make install && cd ..
or:
    apt-get install perl-ldap
We need to tell smbldap-tools which uid is the next one available, so that it can create users.
Save the following information in a file called nextuid.ldif:
    dn: cn=NextFreeUnixId,ou=TI,o=SUA_ORGANIZAÇÃO,c=BR
    objectClass: inetOrgPerson
    objectClass: sambaUnixIdPool
    uidNumber: 1000
    gidNumber: 1000
    cn: NextFreeUnixId
    sn: NextFreeUnixId
Add it to the directory:
    ldapadd -x -v -D cn=Manager,c=BR -W -f nextuid.ldif
---==== Populating the directory with the objects Windows needs ====---
Run:
    smbldap-populate
If it reports an error, it is because those entries already exist in the directory.
----== Installing the LDAP administration tool - phpLDAPadmin ==----
Download from:
    wget http://voxel.dl.sourceforge.net/sourceforge/phpldapadmin/phpldapadmin-0.9.4b.tar.gz
    tar zxvf phpldapadmin-0.9.4b.tar.gz
    mv phpldapadmin-0.9.4b /var/www/htdocs/restrito/adm_ldap
    cd /var/www/htdocs/restrito/adm_ldap
    cp config.php.example config.php
Install the Apache package:
    apt-get install apache
Edit the file /etc/apache/httpd.conf. Look for the line:
    AllowOverride NONE
and replace it with:
    AllowOverride AuthConfig
Restart Apache. Edit config.php:
    $servers[$i]['host'] = 'localhost';
    $servers[$i]['base'] = 'c=BR';
    $servers[$i]['login_dn'] = 'cn=Manager,c=BR';
In the directory /var/www/htdocs/restrito/adm_ldap, create the file .htaccess with the contents below:
    AuthName "Área administrativa! Identifique-se:"
    AuthType Basic
    AuthUserFile /etc/apache/admin_secrets.txt
    AuthGroupFile /dev/null
    require valid-user
Create a user to administer the application:
    htpasswd -c /etc/apache/admin_secrets.txt admin
Test it at: http://localhost/restrito/adm_ldap
---== Create the Samba control script /etc/init.d/samba ==---
    #!/bin/sh
    #
    # Samba start and stop script.
    #
    samba_start() {
        if [ -x /usr/local/sbin/smbd -a -x /usr/local/sbin/nmbd -a -r /etc/samba/smb.conf ]; then
            echo "Iniciando o Samba..."
            /usr/local/sbin/smbd -D -s /etc/samba/smb.conf -l /var/log/samba
            /usr/local/sbin/nmbd -D -s /etc/samba/smb.conf -l /var/log/samba
        fi
    }
    samba_stop() {
        # killall smbd nmbd
        killall smbd nmbd
    }
    samba_restart() {
        samba_stop
        sleep 2
        samba_start
    }
    case "$1" in
        'start')   samba_start ;;
        'stop')    samba_stop ;;
        'restart') samba_restart ;;
        *)         samba_start ;;
    esac
---== Make the script executable so it can be started automatically ==---
    chmod 700 /etc/init.d/samba
---== Sample LDIF file with the user attributes ==---
    dn: uid=user,ou=TI,o=SUA_ORGANIZAÇÃO,c=BR
    objectClass: inetOrgPerson
    objectClass: posixAccount
    objectClass: sambaSamAccount
    sn: user
    uid: user
    mail: user@SEU_DOMÍNIO.com.br
    telephoneNumber: 55-11-5555-5555
    uidNumber: 1000
    gidNumber: 100
    homeDirectory: /home/user
    loginShell: /bin/false
    cn: user
    userPassword: {SSHA}e1NTSEF9U2p5Sm9xM0tDN2p3L09YSE1HcEwrR0JBRldzQW80c2o=
    sambaLogonTime: 0
    sambaLogoffTime: 2147483647
    sambaKickoffTime: 2147483647
    sambaPwdCanChange: 0
    sambaHomePath: \\sambasrv\user
    sambaHomeDrive: H:
    sambaProfilePath: \\sambasrv\user\profile
    sambaPrimaryGroupSID: S-1-5-21-1085031214-764733703-682003330-512
    sambaSID: S-1-5-21-1085031214-764733703-682003330-2997
    sambaLMPassword: 8CBA24680BC914C1AAD3B435B51404EE
    sambaAcctFlags: [U]
    sambaNTPassword: 7EC465C29A86BE7394CFE2C3D612B688
    sambaPwdLastSet: 1095748733
    sambaPwdMustChange: 1099636733
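The sambaDomain record created by net getlocalsid and a user record like the one above have to agree: the user's sambaSID and sambaPrimaryGroupSID must start with the domain's sambaSID, the user RID must not fall below sambaAlgorithmicRidBase, the entry must satisfy the smb.conf "ldap filter", and userPassword should use the hash_encrypt scheme from smbldap.conf. The checker below is an added example, not part of the original guide or of smbldap-tools; it embeds the guide's own two templates as sample input, and the names parse_ldif, split_sid and check_user are mine.

```python
# Added example, not part of the original guide: validate the guide's sambaDomain
# and sambaSamAccount templates (embedded as sample input) before ldapadd.
DOMAIN_LDIF = """\
dn: sambaDomainName=SEU_WORKGROUP,o=SUA_ORGANIZAÇÃO,c=BR
sambaSID: S-1-5-21-3434180907-2502208406-463015406
sambaAlgorithmicRidBase: 1000
objectClass: sambaDomain
"""
USER_LDIF = """\
dn: uid=user,ou=TI,o=SUA_ORGANIZAÇÃO,c=BR
objectClass: posixAccount
objectClass: sambaSamAccount
uid: user
userPassword: {SSHA}e1NTSEF9U2p5Sm9xM0tDN2p3L09YSE1HcEwrR0JBRldzQW80c2o=
sambaPrimaryGroupSID: S-1-5-21-1085031214-764733703-682003330-512
sambaSID: S-1-5-21-1085031214-764733703-682003330-2997
"""

def parse_ldif(text):
    """Parse one LDIF record into {attribute (lower-case): [values]}."""
    entry = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _, value = line.partition(":")
            entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry

def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-RID' into ('S-1-5-21-a-b-c', RID)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)

def check_user(domain, user):
    """Return a list of findings; an empty list means the entry is consistent."""
    findings = []
    # smb.conf: ldap filter = "(&(uid=%u)(objectclass=sambaSamAccount))"
    classes = {c.lower() for c in user.get("objectclass", [])}
    if "sambasamaccount" not in classes or "uid" not in user:
        findings.append("entry would not match the smb.conf ldap filter")
    dom_sid = domain["sambasid"][0]
    # The user SID and its primary group SID must carry the domain's SID prefix.
    for attr in ("sambasid", "sambaprimarygroupsid"):
        prefix, _ = split_sid(user[attr][0])
        if prefix != dom_sid:
            findings.append(f"{attr}: domain prefix {prefix} != {dom_sid}")
    if split_sid(user["sambasid"][0])[1] < int(domain["sambaalgorithmicridbase"][0]):
        findings.append("user RID is below sambaAlgorithmicRidBase")
    if not user.get("userpassword", [""])[0].startswith("{SSHA}"):
        findings.append("userPassword does not use the SSHA scheme set in smbldap.conf")
    return findings
```

Run against the guide's two templates, it reports both SID attributes, because the user template was written with a different domain SID than the sambaDomain entry; entries created by smbldap-useradd after smbldap-populate must share the SID shown by net getlocalsid.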
---== Create the index for Samba's Domain Name lookup in LDAP ==---
Add the line below at the end of your slapd.conf:
    index sambaDomainName eq
Stop the OpenLDAP service and run:
    slapindex -v
This procedure rebuilds the LDAP indexes and adds the new one.
IMPORTANT NOTE:
This article may be reproduced, provided that the author and the site it came from are credited.
Send me an e-mail with any remarks and/or suggestions. I hope it is useful. Good luck!