
Adding and managing Samba accounts in OpenLDAP with smbldap-tools

In practice, smbldap-tools has proven to be a lightweight yet excellent set of Perl
scripts: it helps you maintain the Samba accounts in an OpenLDAP database and
automatically keeps them in sync with the Linux system accounts. If you really dislike
bloated and cumbersome graphical tools, this free and widely used utility is worth trying.


References:
http://download.gna.org/smbldap-tools/
http://download.gna.org/smbldap-tools/sources/latest/
http://download.gna.org/smbldap-tools/docs/samba-ldap-howto/
https://help.ubuntu.com/10.04/serverguide/samba-ldap.html
https://help.ubuntu.com/11.04/serverguide/samba-ldap.html
https://help.ubuntu.com/11.10/serverguide/samba-ldap.html
https://help.ubuntu.com/12.04/serverguide/samba-ldap.html



================================================================================
(1)  Introduction
================================================================================
smbldap-tools aims to help you use the open source software Linux, Samba and
OpenLDAP to replace existing Microsoft Windows Domain Controller servers. This howto
explains how to set up and use a Linux departmental server with Samba and OpenLDAP to
offer central authentication (Domain Controller) and file and print sharing for
Microsoft Windows and Unix clients.

1.1  Software used

This howto currently runs for:
  * release 3.0.11rc1 of Samba,
  * Microsoft Windows, Microsoft Windows NT 4.0, Windows 2000 and Windows XP
    Workstations and Servers,
  * Linux RedHat 9 (should work on any Linux distribution anyway),
  * release 2.1.22 of OpenLDAP (should work on any other release of OpenLDAP,
    and on any other LDAP server implementation, iPlanet Directory for example).





================================================================================
(2)  Context of this Howto
================================================================================
This Howto aims at helping to configure a Samba + OpenLDAP Primary Domain Controller
for Microsoft Windows workstations (and, using nss_ldap and pam_ldap, a single source
of authentication for all workstations, including Linux and other Unix systems).

2.1  Global parameters

For the needs of our example, we settled on the following context:
  * All workstations and servers are in the same LAN 192.168.1.0/24,
  * DNS resolution works (using Bind or Djbdns for example) and is out of the scope of this Howto,
  * We want to configure the Microsoft Windows NT Domain named IDEALX-NT,
  * a central Primary Domain Controller named PDC-SRV (netbios name) on the host 192.168.1.1/32,
  * the Primary Domain Controller is the WINS server and the Master Browser of the IDEALX-NT domain,
  * All authentication objects (users, groups) are stored on an OpenLDAP server, base DN: dc=idealx,dc=org,
  * User accounts will be stored in ou=Users,dc=idealx,dc=org,
  * Computer accounts will be stored in ou=Computers,dc=idealx,dc=org,
  * Group accounts will be stored in ou=Groups,dc=idealx,dc=org.





================================================================================
3  Installation
================================================================================
# Debian/Ubuntu:
apt-get install samba smbclient smbldap-tools;
cp /usr/share/doc/samba/examples/LDAP/samba.schema.gz /etc/ldap/schema/
gzip -d /etc/ldap/schema/samba.schema.gz
/bin/ls -l /etc/ldap/schema/samba.schema

# RedHat/CentOS:
yum install openldap openldap-servers openldap-clients;
yum install samba samba-client samba-common;
# Note: smbldap-tools have been included in the Samba source tree since release 2.2.5
wget http://download.gna.org/smbldap-tools/packages/el6/smbldap-tools-0.9.8-1.el6.noarch.rpm
rpm -ivh smbldap-tools-0.9.8-1.el6.noarch.rpm






================================================================================
4  Configuration
================================================================================
────────────────────────────────────────────────────────────────────────────────
4.1  OpenLDAP
────────────────────────────────────────────────────────────────────────────────
You'll need to configure your OpenLDAP server for it to act as a SAM database.
Following our context example, we must configure it to:
  * accept the Samba 3.0.11rc1 LDAP v3 schema,
  * run on the base DN dc=idealx,dc=org,
  * contain the minimal entries needed to start using it.

For the needs of this Howto example, we have used the following LDAP DIT:

dc=IDEALX,dc=ORG
 |
 ├─ ou=Users     : to store user accounts for Unix and Windows systems
 |
 ├─ ou=Computers : to store computer accounts for Windows systems
 |
 ├─ ou=Groups    : to store system groups for Unix and Windows 
 |                   systems (or for any other LDAP-aware systems)
 |
 └─ ou=DSA       : to store special accounts (simpleSecurityObject)

Using Samba 3.0.11rc1 and OpenLDAP, we will store:
  * Microsoft Windows user accounts using the sambaSAMAccount object class (samba.schema),
  * Microsoft Windows computer accounts (i.e. workstations) using the sambaSAMAccount object class,
  * Unix user accounts using the posixAccount object class and the shadowAccount object class
    for the shadow suite password (nis.schema),
  * user groups using the posixGroup and sambaGroupMapping object classes,
  * security accounts used by software clients (Samba and Linux) using the simpleSecurityObject
    (core.schema) object class.



4.1.1  Schemas
‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾
The Samba schema must be supported by the OpenLDAP server. To do so, using the
smbldap-tools OpenLDAP RedHat packages, just verify that your /etc/openldap/slapd.conf
includes lines like the example hereafter:

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/samba.schema

As you can see, we use the inetOrgPerson objectclass because we want to merge 
organizational with technical data. Doing so will ease administration as a user 
account will be used to define:

 1. a human user in your company,
 2. a user account for Microsoft Windows and Unix systems,
 3. a user account for any LDAP-aware application.

Doing so is not mandatory: feel free to use a layout that fits your needs better
if this is not the way you want to follow.

Note that we use the samba.schema shipped with Samba release 3.0.11rc1 sources.

# Check the current schema loaded:
slapcat -s cn=schema,cn=config | grep dn:


********************************************************************************
For Ubuntu, using /etc/slapd.d/ (cn=config)
********************************************************************************
# The schema is found in the now-installed samba-doc package. 
# It needs to be unzipped and copied to the /etc/ldap/schema directory:
sudo cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz /etc/ldap/schema
sudo gzip -d /etc/ldap/schema/samba.schema.gz

# Have a configuration file samba.conf that contains the following lines:
vi samba.conf; # for Ubuntu;
--------------------------------------------------------------------------------
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/collective.schema
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/duaconf.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/ppolicy.schema
include /etc/ldap/schema/ldapns.schema
include /etc/ldap/schema/pmi.schema
include /etc/ldap/schema/samba.schema
--------------------------------------------------------------------------------

# Next, create a temporary directory to hold the output:
mkdir output

# Determine the index of the schema:
slapcat -f samba.conf -F output -n 0 | grep samba,cn=schema

# Now use slapcat to convert the schema to LDIF (either form works):
slapcat -f samba.conf -F output -s "cn={14}samba,cn=schema,cn=config" > samba.ldif
slapcat -f samba.conf -F output -n0 -H ldap:///cn={14}samba,cn=schema,cn=config -l samba.ldif

# Edit the generated samba.ldif file, changing the following attributes:
vi samba.ldif;
--------------------------------------------------------------------------------
dn: cn=samba,cn=schema,cn=config
...
cn: samba
--------------------------------------------------------------------------------

# And remove the following lines from the bottom of the file:
--------------------------------------------------------------------------------
structuralObjectClass: olcSchemaConfig
entryUUID: b53b75ca-083f-102d-9fff-2f64fd123c95
creatorsName: cn=config
createTimestamp: 20080827045234Z
entryCSN: 20080827045234.341425Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20080827045234Z
--------------------------------------------------------------------------------
Note: The attribute values will vary, just be sure the attributes are removed.

# Finally, using the ldapadd utility, add the new schema to the directory:
ldapadd -x -D cn=admin,cn=config -W -f samba.ldif
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f samba.ldif

# There should now be a dn: cn={X}samba,cn=schema,cn=config entry in the
# cn=config tree, where "X" is the next sequential schema index.
# To query and view this new schema:
slapcat -s cn=schema,cn=config | grep dn:
ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config 'cn=*samba*'
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
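The samba.ldif edit above (rename the dn and cn, drop the operational attributes) is easy to get wrong by hand, and a single leftover entryCSN makes ldapadd reject the file. The shell functions below are an added example, not part of this page or of the Ubuntu guide it follows; they script the edit and count what is left. SAMPLE_SCHEMA is a constructed, abbreviated stand-in for a real slapcat export: the {14} index, the UUID and the timestamps are placeholders.

```shell
#!/bin/sh
# Clean a slapcat-exported schema entry so that ldapadd accepts it under cn=config.
# Added example; SAMPLE_SCHEMA is a constructed, abbreviated stand-in for samba.ldif.

# Rewrite dn/cn (drop the {N} index) and remove the operational attributes that
# slapcat emits but ldapadd must not receive. Reads stdin, writes stdout.
clean_schema_ldif() {
    sed -e 's/^dn: cn={[0-9]*}samba,/dn: cn=samba,/' \
        -e 's/^cn: {[0-9]*}samba$/cn: samba/' \
        -e '/^structuralObjectClass:/d' \
        -e '/^entryUUID:/d' \
        -e '/^creatorsName:/d' \
        -e '/^createTimestamp:/d' \
        -e '/^entryCSN:/d' \
        -e '/^modifiersName:/d' \
        -e '/^modifyTimestamp:/d'
}

# Count the operational attributes still present in an LDIF read on stdin;
# the cleaned file must report 0 before it is fed to ldapadd.
count_operational_attrs() {
    grep -c -E '^(structuralObjectClass|entryUUID|creatorsName|createTimestamp|entryCSN|modifiersName|modifyTimestamp):' || true
}

# Constructed sample: two abbreviated schema lines plus the operational
# attributes that slapcat appends (values are placeholders).
SAMPLE_SCHEMA=$(cat <<'EOF'
dn: cn={14}samba,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {14}samba
olcAttributeTypes: {0}( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword' DESC 'LanManager Password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )
olcObjectClasses: {0}( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY MUST ( uid $ sambaSID ) MAY ( cn $ sambaLMPassword $ sambaNTPassword ) )
structuralObjectClass: olcSchemaConfig
entryUUID: 00000000-0000-0000-0000-000000000000
creatorsName: cn=config
createTimestamp: 20080827045234Z
entryCSN: 20080827045234.341425Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20080827045234Z
EOF
)

# On a real export:  clean_schema_ldif < samba.ldif > samba-clean.ldif
printf '%s\n' "$SAMPLE_SCHEMA" | clean_schema_ldif
```

Run count_operational_attrs on the cleaned file and expect 0 before running the ldapadd commands above; the dn in the first line must read cn=samba,cn=schema,cn=config, and slapd assigns the {X} index itself on import.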



4.1.2  LDAP server database configuration (Samba indices)
‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾
Configure the slapd server to be the master server for the suffix dc=idealx,dc=org.
This results in the following lines in the slapd.conf configuration file:
--------------------------------------------------------------------------------
database   bdb
directory  /var/lib/ldap

suffix     "dc=IDEALX,dc=ORG"
rootdn     "cn=Manager,dc=IDEALX,dc=ORG"
rootpw      {SSHA}X+Qv3lKnVB/oov2uvC6Id1nfEkgYaPrd

index      objectClass,uidNumber,gidNumber                  eq
index      cn,sn,uid,displayName                            pres,sub,eq
index      memberUid,mail,givenname                         eq,subinitial
index      sambaSID,sambaPrimaryGroupSID,sambaDomainName    eq
--------------------------------------------------------------------------------
# Generate the rootpw hash above with slappasswd (omit -s to be prompted, so the
# clear-text secret does not end up in the shell history):
# slappasswd -h {SSHA} -s mysecretpwd

Then, set up Access Control Lists to protect your data. This results in
the following lines in the configuration file:
--------------------------------------------------------------------------------
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
      by self write
      by anonymous auth
      by * none
access to *
      by * read
--------------------------------------------------------------------------------


********************************************************************************
For Ubuntu: modifying the existing cn=config database
********************************************************************************
Now that slapd knows about the Samba attributes, we can set up some indices 
based on them. Indexing entries is a way to improve performance when a client 
performs a filtered search on the DIT.

# First locate the database entry and list its current indexes:
slapcat -s "cn=config" | egrep 'olcDatabase=|olcSuffix'
slapcat -s "olcDatabase={1}hdb,cn=config"
ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase={1}hdb olcDbIndex
# Then create the file samba_indices.ldif with the following contents:
vi samba_indices.ldif;
--------------------------------------------------------------------------------
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: loginShell eq
olcDbIndex: uid eq,pres,sub
olcDbIndex: memberUid eq,pres,sub
olcDbIndex: uniqueMember eq,pres
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaGroupType eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sambaDomainName eq
olcDbIndex: default sub
--------------------------------------------------------------------------------
ldapmodify -x -D cn=admin,cn=config -W -f samba_indices.ldif
ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f samba_indices.ldif

# You may want to add more indexes, for example (see smbldap-tools/README.Debian):
vi samba_indices_more.ldif;
--------------------------------------------------------------------------------
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: cn,mail,surname,givenname eq,subinitial
--------------------------------------------------------------------------------
ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f samba_indices_more.ldif

# If all went well you should see the new indices using ldapsearch:
ldapsearch -xLLL -D cn=admin,cn=config -b cn=config -W olcDatabase={1}hdb
ldapsearch -xLLL -D cn=admin,cn=config -b cn=config -W olcDatabase={1}hdb olcDbIndex
ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase={1}hdb olcDbIndex

# To allow users to change their NT and LM passwords, the password ACL must cover
# those attributes as well. The stock line looks like:
#     access to attribute=userPassword
# and must become:
#     access to attrs=userPassword,sambaNTPassword,sambaLMPassword
# Check the current ACL and make the change if necessary, for example:
ldapsearch -xLLL -D cn=admin,cn=config -b cn=config -W olcDatabase={1}hdb olcAccess
ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase={1}hdb olcAccess
vi samba_acl.ldif; # add sambaLMPassword,sambaNTPassword to attrs= ;
--------------------------------------------------------------------------------
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange,sambaLMPassword,sambaNTPassword
  by self write
  by anonymous auth
  by dn="cn=admin,dc=hung,dc=moon,dc=com" write
  by * none
olcAccess: {1}to dn.base=""
  by * read
olcAccess: {2}to *
  by self write
  by dn="cn=admin,dc=hung,dc=moon,dc=com" write
  by * read
--------------------------------------------------------------------------------
ldapmodify -x -D cn=admin,cn=config -W -f samba_acl.ldif
ldapsearch -xLLL -D cn=admin,cn=config -b cn=config -W olcDatabase={1}hdb olcAccess
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
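The ACL change above matters beyond password changes: with the stock rule covering only userPassword, sambaNTPassword and sambaLMPassword fall under the catch-all 'to * ... by * read' rule, so anyone who can bind (anonymously, with the ACL shown in 4.1.2) can read the NT hash of every user. The script below is an added example, not part of smbldap-tools or of this page; it unfolds the LDIF that ldapsearch prints and audits the password rule. The two ACL samples are constructed: the first is the stock Ubuntu rule, the second the corrected rule folded the way ldapsearch folds long values.

```shell
#!/bin/sh
# Audit the cn=config ACLs for the password attributes. Samba stores NT and LM
# hashes in sambaNTPassword/sambaLMPassword; an ACL that names only userPassword
# leaves them covered by the catch-all "to * ... by * read" rule.
# Added example; the two LDIF samples are constructed.

# Join LDIF continuation lines (leading space) back onto the previous line,
# as ldapsearch folds long olcAccess values.
ldif_unfold() {
    awk '
        /^ / { buf = buf substr($0, 2); next }
        { if (buf != "") print buf; buf = $0 }
        END { if (buf != "") print buf }'
}

# Read olcAccess LDIF on stdin, print findings, return 1 on any FAIL.
# Checks: a rule names userPassword; it also names sambaNTPassword and
# sambaLMPassword; and its final clause is "by * none".
audit_password_acl() {
    ldif_unfold | awk '
        BEGIN { found = 0; fail = 0 }
        /^olcAccess: [{][0-9]+[}]to attr(s|ibute)?=/ {
            rule = $0
            sub(/^olcAccess: [{][0-9]+[}]to attr(s|ibute)?=/, "", rule)
            n = split(rule, w, " ")
            attrs = "," w[1] ","
            if (index(attrs, ",userPassword,") == 0) next
            found = 1
            if (index(attrs, ",sambaNTPassword,") == 0) {
                print "FAIL: sambaNTPassword is not in the userPassword rule"; fail = 1
            }
            if (index(attrs, ",sambaLMPassword,") == 0) {
                print "FAIL: sambaLMPassword is not in the userPassword rule"; fail = 1
            }
            last = w[n-2] " " w[n-1] " " w[n]
            if (last != "by * none") {
                print "FAIL: password rule ends with \"" last "\", not \"by * none\""; fail = 1
            }
        }
        END {
            if (!found) { print "FAIL: no olcAccess rule restricts userPassword"; fail = 1 }
            if (!fail) print "OK: NT/LM hashes are restricted to self, auth and admin"
            exit fail
        }'
}

# Constructed sample 1: the stock Ubuntu rule set before the change above.
WEAK_ACL=$(cat <<'EOF'
dn: olcDatabase={1}hdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=hung,dc=moon,dc=com" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by self write by dn="cn=admin,dc=hung,dc=moon,dc=com" write by * read
EOF
)

# Constructed sample 2: the corrected rule set, folded as ldapsearch prints it.
FIXED_ACL=$(cat <<'EOF'
dn: olcDatabase={1}hdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange,sambaLMPassword,sambaNTPas
 sword by self write by anonymous auth by dn="cn=admin,dc=hung,dc=moon,dc=com"
  write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by self write by dn="cn=admin,dc=hung,dc=moon,dc=com" write
  by * read
EOF
)

echo "== stock Ubuntu ACL =="
printf '%s\n' "$WEAK_ACL" | audit_password_acl || echo "   -> apply samba_acl.ldif"
echo "== corrected ACL =="
printf '%s\n' "$FIXED_ACL" | audit_password_acl
# On a live server pipe the page's query into the audit:
#   ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase={1}hdb olcAccess | audit_password_acl
```

The audit only parses the simple 'by ... ' clauses used on this page; ACLs with spaces inside a dn="..." value would need a real LDIF parser.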



4.1.3  Clients configuration
‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾
Configure default settings for LDAP clients by editing /etc/openldap/ldap.conf 
like in the following example:
--------------------------------------------------------------------------------
HOST 127.0.0.1
BASE dc=hung,dc=moon,dc=com
--------------------------------------------------------------------------------



4.1.4  Start the server
‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾
Finally, start your OpenLDAP server using the following:
/etc/init.d/ldap start; #RedHat9
/etc/init.d/slapd restart; #RedHat/CentOS/Debian/Ubuntu;

Everything should work fine. If not:
  * verify your configuration files,
  * verify that the configuration file /etc/openldap/slapd.conf and the directory
    /var/lib/ldap exist and are owned by the user who runs the slapd service
    (the ldap user for RedHat OpenLDAP packages, the openldap user on Ubuntu systems),
  * consult the OpenLDAP documentation.






────────────────────────────────────────────────────────────────────────────────
4.2  Linux operating system (the host on which the Samba service will run)
────────────────────────────────────────────────────────────────────────────────
You need to tell your Linux box to use LDAP, using pam_ldap and nss_ldap.
Then you should run nscd and finish your system's LDAP configuration.


********************************************************************************
Note: on newer RedHat/CentOS systems using the sssd service there is no need to
configure anything by hand: just run the setup or authconfig-tui (Authentication
Configuration) tool, choose "Use LDAP" for identification and "Use LDAP Authentication"
for authentication, then Next to fill in the "LDAP Settings"; everything is configured
automatically. If you do not want to use sssd, you need to replace every sss entry
in /etc/nsswitch.conf with ldap, and replace every pam_sss.so call in the services
under /etc/pam.d/ with pam_ldap.so.
********************************************************************************



4.2.1  pam_ldap, nss_ldap and nscd
‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾
Use authconfig to activate pam_ldap:
  * Cache Information
  * Use LDAP
  * do not select 'Use TLS'
  * Server: 127.0.0.1
  * Base DN: dc=hung,dc=moon,dc=com
  * Use Shadow Passwords
  * Use MD5 Passwords
  * Use LDAP Authentication
  * Server: 127.0.0.1
  * Base DN: dc=hung,dc=moon,dc=com

Cache Information means you're using nscd (see man nscd): if you're going to use
pam_ldap and nss_ldap, you should really use it for performance.

If you don't rely on authconfig, you can edit /etc/pam.d/system-auth by hand
to have something like the following:
--------------------------------------------------------------------------------
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/pam_ldap.so use_first_pass
auth        required      /lib/security/pam_deny.so

account     required      /lib/security/pam_unix.so
account     sufficient    /lib/security/pam_ldap.so

password    required      /lib/security/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/pam_ldap.so use_authtok
password    required      /lib/security/pam_deny.so

session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so
session     optional      /lib/security/pam_ldap.so
--------------------------------------------------------------------------------
Warning: special attention must be paid to the 'account sufficient' line, as the
         RedHat authconfig tool seems to write it as 'required' in any case
         (which is not what you need).
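To catch the authconfig behaviour the warning describes, the added check below (not part of this page or of authconfig) reads a PAM service file and reports how pam_ldap.so is wired in, failing when the account stack marks it 'required'. PAM_OK is the system-auth shown above; PAM_AUTHCONFIG is a constructed copy with the account line rewritten the way the warning says authconfig does.

```shell
#!/bin/sh
# Check how pam_ldap.so is wired into a PAM service file such as
# /etc/pam.d/system-auth. Added example; the samples are constructed.

# Read a PAM service file on stdin, print "<type> <control>" for every
# pam_ldap.so line and return 1 if the account stack marks it 'required'
# (a user that exists only locally, such as root, then fails the account
# check because pam_ldap cannot find it). Only the simple keyword controls
# used on this page are parsed; the bracketed "[success=ok ...]" form is not.
pam_ldap_controls() {
    awk '
        BEGIN { bad = 0 }
        /^[[:space:]]*#/ || NF < 3 { next }
        $3 ~ /(^|\/)pam_ldap\.so$/ {
            print $1, $2
            if ($1 == "account" && $2 == "required") bad = 1
        }
        END { exit bad }'
}

# The system-auth stack shown above.
PAM_OK=$(cat <<'EOF'
#%PAM-1.0
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/pam_ldap.so use_first_pass
auth        required      /lib/security/pam_deny.so
account     required      /lib/security/pam_unix.so
account     sufficient    /lib/security/pam_ldap.so
password    required      /lib/security/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/pam_ldap.so use_authtok
password    required      /lib/security/pam_deny.so
session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so
session     optional      /lib/security/pam_ldap.so
EOF
)

# Constructed: the same file after authconfig rewrote the account line.
PAM_AUTHCONFIG=$(printf '%s\n' "$PAM_OK" | sed '/^account.*pam_ldap\.so/s/sufficient/required/')

printf '%s\n' "$PAM_OK" | pam_ldap_controls && echo "account stack OK"
printf '%s\n' "$PAM_AUTHCONFIG" | pam_ldap_controls || echo "account pam_ldap.so is 'required': change it to 'sufficient'"
# On a live system:  pam_ldap_controls < /etc/pam.d/system-auth
```

Run it again after every authconfig invocation, since the header of the file says authconfig regenerates it.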


********************************************************************************
Note:
********************************************************************************
Newer RedHat/CentOS releases have switched to the SSSD daemon, and the matching PAM
stack uses the pam_sss.so module; Debian/Ubuntu systems may instead use the NSLCD
daemon to access the LDAP data, and nslcd comes with its own PAM module, so with nslcd
there is no need to adjust the services in /etc/pam.d/. You must check whether your
system uses the original pam_ldap module or one of these daemons, and adjust the
corresponding configuration files (see /etc/sssd/sssd.conf and /etc/nslcd.conf).
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^



4.2.2  /etc/ldap.conf
‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾
Edit your /etc/ldap.conf to configure your LDAP parameters:
  * host: LDAP server host,
  * base: distinguished name of the default search base,
  * nss_base_passwd: naming context for accounts,
  * nss_base_group: naming context for groups,
  * rootbinddn and associated password: the distinguished name used to bind if 
    effective ID is root (to allow root to change any user's password for example).

Which should be like the following:

vi /etc/ldap.conf
--------------------------------------------------------------------------------
# Your LDAP server. Must be resolvable without using LDAP.
host 127.0.0.1

# The distinguished name of the search base.
base dc=hung,dc=moon,dc=com

# The distinguished name to bind to the server with if the effective user ID 
# is root. Password must be stored in /etc/ldap.secret (mode 600)
rootbinddn cn=nssldap,ou=DSA,dc=hung,dc=moon,dc=com

# RFC2307bis naming contexts
nss_base_passwd         ou=Users,dc=hung,dc=moon,dc=com?one
nss_base_passwd         ou=Computers,dc=hung,dc=moon,dc=com?one
nss_base_shadow         ou=Users,dc=hung,dc=moon,dc=com?one
nss_base_group          ou=Groups,dc=hung,dc=moon,dc=com?one

# Security options
ssl no
pam_password md5
--------------------------------------------------------------------------------


# cat /etc/ldap.conf; # combined with the authconfig tool on CentOS 6;
--------------------------------------------------------------------------------
# Server IP address (or space-separated addresses)
#host 192.168.56.1
# Search base
base dc=hung,dc=moon,dc=com
# optional: bind credentials
##binddn: cn=admin,dc=hung,dc=moon,dc=com
##bindpw: 12345678
# If root is making the request, use this dn instead
# The password is stored in /etc/ldap.secret and only readable by root
##rootbinddn cn=admin,dc=hung,dc=moon,dc=com
rootbinddn cn=nssldap,ou=DSA,dc=hung,dc=moon,dc=com
# Point the passwd, shadow, and group databases at a DN
# the ?one defines the scope
#nss_base_passwd ou=people,dc=hung,dc=moon,dc=com?one
#nss_base_shadow ou=people,dc=hung,dc=moon,dc=com?one
#nss_base_group  ou=groups,dc=hung,dc=moon,dc=com?one
# RFC2307bis naming contexts
nss_base_passwd         ou=Users,dc=hung,dc=moon,dc=com?one
nss_base_passwd         ou=Computers,dc=hung,dc=moon,dc=com?one
nss_base_shadow         ou=Users,dc=hung,dc=moon,dc=com?one
nss_base_group          ou=Groups,dc=hung,dc=moon,dc=com?one
# Don't look for secondary groups for any of these users
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd 
uri ldap://192.168.56.1/
ssl no
nss_schema rfc2307
tls_cacertdir /etc/openldap/cacerts
pam_password md5
TLS_REQCERT allow
--------------------------------------------------------------------------------
Note: the naming contexts above are defined following the RFC2307bis standard (not RFC2307).


Comparing this with the corresponding SSSD daemon settings shows that the default
ldap_schema = rfc2307 is enough to map the LDAP user fields to the right naming
context; there is no need to define each database and the DN it maps to one by one.
For example:

# cat sssd.conf | grep -v '^#' | grep .
--------------------------------------------------------------------------------
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = default
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
[pam]
reconnection_retries = 3
[domain/default]
ldap_tls_reqcert = allow
auth_provider = ldap
cache_credentials = True
ldap_id_use_start_tls = False
debug_level = 0
ldap_schema = rfc2307
ldap_search_base = dc=hung,dc=moon,dc=com
krb5_realm = EXAMPLE.COM
chpass_provider = ldap
id_provider = ldap
ldap_uri = ldap://192.168.56.1/
krb5_kdcip = kerberos.example.com
ldap_tls_cacertdir = /etc/openldap/cacerts
--------------------------------------------------------------------------------
Note: man sssd-ldap shows that ldap_schema currently supports only two modes (rfc2307 and rfc2307bis).



4.2.3  /etc/ldap.secret
‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾
You must place in this file, protected by mode 600, the bind password associated 
with the distinguished name used by nss_ldap to bind to the OpenLDAP directory 
when the local user is root. 

In our example, this file must contain the following password:

vi /etc/ldap.secret
--------------------------------------------------------------------------------
nssldapsecretpwd
--------------------------------------------------------------------------------
chmod 600 /etc/ldap.secret



4.2.4  /etc/nsswitch.conf
‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾
Edit your /etc/nsswitch.conf to configure your Name Service Switch to use LDAP
for users and groups:

vi /etc/nsswitch.conf
--------------------------------------------------------------------------------
# significant entries for /etc/nsswitch.conf using
# Samba and OpenLDAP
passwd:     files ldap   
shadow:     files ldap
group:      files ldap   
--------------------------------------------------------------------------------

A complete sample /etc/nsswitch.conf is presented in section 17.1.4.






────────────────────────────────────────────────────────────────────────────────
4.3  Samba
────────────────────────────────────────────────────────────────────────────────
Here, we'll configure Samba as a Primary Domain Controller for the Microsoft
Windows NT Domain named IDEALX-NT with the SAM database stored in our OpenLDAP
server.


4.3.1  Samba Configuration
‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾
vi /etc/samba/smb.conf
--------------------------------------------------------------------------------
 # If you are using encrypted passwords, Samba will need to know what
 # password database type you are using.  
-   passdb backend = tdbsam
+   passdb backend = ldapsam:ldap://127.0.0.1
+   ldap suffix = dc=hung,dc=moon,dc=com
+   ldap user suffix = ou=People
+   ldap group suffix = ou=Groups
+   ldap machine suffix = ou=Computers
+   ldap idmap suffix = ou=Idmap
+   ldap admin dn = cn=admin,dc=hung,dc=moon,dc=com
+   ldap ssl = start tls
+   ldap passwd sync = yes

.....

 # SAMR RPC pipe.  
 # The following assumes a "machines" group exists on the system
 ; add machine script  = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u
+add machine script = sudo /usr/sbin/smbldap-useradd -t 0 -w "%u"
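Review bot: `ldap user suffix = ou=People` disagrees with the rest of this page: section 4.4.1's smbldap.conf sets usersdn="ou=Users,${suffix}" and the smbldap-populate run in 4.4.2 creates ou=Users,dc=hung,dc=moon,dc=com, so Samba would look for accounts under ou=People and find none; use `ldap user suffix = ou=Users` (or change usersdn to match). The same consistency check applies to `ldap ssl = start tls`: smbldap.conf later sets ldapTLS="0", and StartTLS against ldap://127.0.0.1 only works once slapd has a certificate configured, so either enable TLS on both sides or use `ldap ssl = off` while testing on localhost.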
--------------------------------------------------------------------------------
Change the values to match your environment.

# Restart Samba to enable the new settings (Ubuntu Upstart commands; on
# RedHat/CentOS use service smb restart):
sudo restart smbd
sudo restart nmbd

# Now inform Samba about the rootDN user's password 
# (the one set during the installation of the slapd package):
smbpasswd -w 12345678
--------------------------------------------------------------------------------
Setting stored password for "cn=admin,dc=hung,dc=moon,dc=com" in secrets.tdb
--------------------------------------------------------------------------------
testparm -v | grep 'ldap admin dn';

man smbpasswd;
--------------------------------------------------------------------------------
-w password
  This parameter is only available if Samba has been compiled with LDAP support.
  The -w switch is used to specify the password to be used with the ldap admin dn. 
  Note that the password is stored in the /var/lib/samba/private/secrets.tdb or 
  /var/lib/samba/secrets.tdb, and is keyed off of the admin's DN. This means that
  if the value of ldap admin dn ever changes, the password will need to be manually 
  updated as well.
--------------------------------------------------------------------------------


testparm -v;
testparm -v | grep ldap;
pdbedit -L;






────────────────────────────────────────────────────────────────────────────────
4.4  Adding Samba LDAP objects with smbldap-tools scripts
────────────────────────────────────────────────────────────────────────────────
Finally, you must configure smbldap-tools to match system and LDAP configuration. 
This can be done in the two files /etc/opt/IDEALX/smbldap-tools/smbldap.conf and 
/etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf.

smbldap-tools
--------------------------------------------------------------------------------
The smbldap-tools have been removed from the samba svn tree.  
The latest version will continue to be included in Samba releases.
The smbldap-tools package can be downloaded individually from:
https://gna.org/projects/smbldap-tools/
--------------------------------------------------------------------------------



4.4.1  Configuration
‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾
Next, configure the smbldap-tools package to match your environment. The package 
comes with a configuration script that will ask questions about the needed options. 

# To run the script enter:
sudo gzip -d /usr/share/doc/smbldap-tools/configure.pl.gz
sudo perl /usr/share/doc/smbldap-tools/configure.pl

Once you have answered the questions, the files
    /etc/smbldap-tools/smbldap.conf and
    /etc/smbldap-tools/smbldap_bind.conf
should exist. These files are generated by the configure script, so if you made any
mistakes while running the script it may be simpler to edit the files directly.

********************************************************************************
The configure.pl script is missing from the current Ubuntu package
********************************************************************************
cp /usr/share/doc/smbldap-tools/README.Debian.gz /etc/smbldap-tools/
cp /usr/share/doc/smbldap-tools/examples/smbldap_bind.conf /etc/smbldap-tools/
cp /usr/share/doc/smbldap-tools/examples/smbldap.conf.gz /etc/smbldap-tools/
gzip -d /etc/smbldap-tools/smbldap.conf.gz
gzip -d /etc/smbldap-tools/README.Debian.gz

cat /etc/smbldap-tools/README.Debian

vi /etc/smbldap-tools/smbldap_bind.conf
--------------------------------------------------------------------------------
slaveDN="cn=admin,dc=hung,dc=moon,dc=com"
slavePw="********"
masterDN="cn=admin,dc=hung,dc=moon,dc=com"
masterPw="*******"
--------------------------------------------------------------------------------

net getlocalsid; # To obtain the SID of your running Samba server;

vi /etc/smbldap-tools/smbldap.conf
--------------------------------------------------------------------------------
SID="S-1-5-21-3693013465-76457765-3185949862"
sambaDomain="WORKGROUP"
slaveLDAP="127.0.0.1"
slavePort="389"
masterLDAP="127.0.0.1"
masterPort="389"
ldapTLS="0"
ldapSSL="0"
verify="require"
cafile="/etc/smbldap-tools/ca.pem"
clientcert="/etc/smbldap-tools/smbldap-tools.example.com.pem"
clientkey="/etc/smbldap-tools/smbldap-tools.example.com.key"
suffix="dc=hung,dc=moon,dc=com"
usersdn="ou=Users,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=Idmap,${suffix}"
sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
scope="sub"
password_hash="SSHA"
password_crypt_salt_format="%s"
userLoginShell="/bin/bash"
userHome="/home/%U"
userHomeDirectoryMode="700"
userGecos="System User"
defaultUserGid="513"
defaultComputerGid="515"
skeletonDir="/etc/skel"
shadowAccount="1"
defaultMaxPasswordAge="45"
userSmbHome="\\PDC-SRV\%U"
userProfile="\\PDC-SRV\profiles\%U"
userHomeDrive="H:"
userScript="logon.bat"
mailDomain="hung.moon.com"
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"
--------------------------------------------------------------------------------
chmod 0644 /etc/smbldap-tools/smbldap.conf
chmod 0600 /etc/smbldap-tools/smbldap_bind.conf
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
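Samba (smb.conf, section 4.3.1) and smbldap-tools (smbldap.conf above) each carry their own copy of the directory layout, and nothing checks that they agree: this page's smb.conf says ldap user suffix = ou=People while smbldap.conf says usersdn="ou=Users,${suffix}". The script below is an added example rather than anything shipped with smbldap-tools; it parses both files and reports every mismatch. The two config excerpts it writes to a temporary directory are constructed from the values on this page.

```shell
#!/bin/sh
# Cross-check the LDAP layout in smb.conf against smbldap.conf.
# Added example, not an smbldap-tools script; the config excerpts are
# constructed from this page's values so the check runs offline.

# Print the value of one smb.conf parameter ($1) read on stdin. Lines commented
# out with ';' or '#' never match because the pattern is anchored at the name.
smbconf_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" | sed 's/[[:space:]]*$//' | head -n 1
}

# Print the value of one smbldap.conf variable ($1) read on stdin, with the
# quotes removed and ${suffix} expanded to $2 (pass '' when reading suffix itself).
smbldap_get() {
    sed -n 's/^'"$1"'="\{0,1\}\([^"]*\)"\{0,1\}[[:space:]]*$/\1/p' | head -n 1 \
        | sed 's|[$]{suffix}|'"$2"'|'
}

# Compare every container both tools must agree on. $1 = smb.conf, $2 = smbldap.conf.
# smb.conf gives the containers as RDNs relative to "ldap suffix"; smbldap.conf
# gives full DNs, so the RDN is completed before comparing. Returns 1 on mismatch.
check_samba_ldap_layout() {
    smb_suffix=$(smbconf_get 'ldap suffix' < "$1")
    tool_suffix=$(smbldap_get suffix '' < "$2")
    rc=0
    report() {   # $1 = label, $2 = value from smb.conf, $3 = value from smbldap.conf
        if [ "$2" = "$3" ]; then
            echo "OK       $1: $2"
        else
            echo "MISMATCH $1: smb.conf has '$2', smbldap.conf has '$3'"
            rc=1
        fi
    }
    report 'suffix' "$smb_suffix" "$tool_suffix"
    report 'domain' "$(smbconf_get workgroup < "$1")" "$(smbldap_get sambaDomain '' < "$2")"
    for pair in 'ldap user suffix:usersdn' 'ldap group suffix:groupsdn' \
                'ldap machine suffix:computersdn' 'ldap idmap suffix:idmapdn'; do
        smb_key=${pair%%:*}
        tool_key=${pair#*:}
        report "$smb_key" "$(smbconf_get "$smb_key" < "$1"),$smb_suffix" \
               "$(smbldap_get "$tool_key" "$tool_suffix" < "$2")"
    done
    return $rc
}

# Constructed excerpts built from the values on this page.
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
cat > "$DEMO/smbldap.conf" <<'EOF'
SID="S-1-5-21-3693013465-76457765-3185949862"
sambaDomain="WORKGROUP"
suffix="dc=hung,dc=moon,dc=com"
usersdn="ou=Users,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=Idmap,${suffix}"
EOF
# smb.conf as shown in section 4.3.1: ou=People versus usersdn="ou=Users,..."
cat > "$DEMO/smb-as-on-page.conf" <<'EOF'
[global]
   workgroup = WORKGROUP
   passdb backend = ldapsam:ldap://127.0.0.1
   ldap suffix = dc=hung,dc=moon,dc=com
   ldap user suffix = ou=People
   ldap group suffix = ou=Groups
   ldap machine suffix = ou=Computers
   ldap idmap suffix = ou=Idmap
   ; ldap user suffix = ou=Staff
EOF
sed 's/ou=People/ou=Users/' "$DEMO/smb-as-on-page.conf" > "$DEMO/smb-fixed.conf"

check_samba_ldap_layout "$DEMO/smb-as-on-page.conf" "$DEMO/smbldap.conf" || echo "-> fix smb.conf before starting smbd"
check_samba_ldap_layout "$DEMO/smb-fixed.conf" "$DEMO/smbldap.conf"
# On a live system:  check_samba_ldap_layout /etc/samba/smb.conf /etc/smbldap-tools/smbldap.conf
```

The SID line is deliberately not compared here: it has no counterpart in smb.conf and must instead equal the output of net getlocalsid, as noted above.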



4.4.2  Run the smbldap-populate script to create the initial entries
‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾
The smbldap-populate script adds the users, groups and LDAP objects required by
Samba. It is a very good idea to make a backup LDAP Data Interchange Format (LDIF)
file with slapcat before executing the command:
sudo slapcat -l backup.ldif

# Check the current DIT and, if you are starting from scratch, remove it
# (ldapdelete -r deletes the whole subtree below the base DN):
ldapsearch -Y EXTERNAL -H ldapi:/// -b dc=hung,dc=moon,dc=com
ldapdelete -Y EXTERNAL -H ldapi:/// -r dc=hung,dc=moon,dc=com
ldapdelete -x -D cn=admin,dc=hung,dc=moon,dc=com -W  -r dc=hung,dc=moon,dc=com
ldapsearch -Y EXTERNAL -H ldapi:/// -b dc=hung,dc=moon,dc=com
Note: the Perl script smbldap-populate empties the LDAP database each time it runs.

# Once you have a current backup execute smbldap-populate by entering:
sudo /usr/sbin/smbldap-populate

# You can create an LDIF file containing the new Samba objects by executing:
sudo smbldap-populate -e samba.ldif

This allows you to look over the changes and make sure everything is correct.
If it is, rerun the script without the '-e' switch.
Alternatively, you can take the LDIF file and import its data as usual.

Your LDAP directory now has the necessary information to authenticate Samba users.

# Fix the "Use of qw(...) as parentheses is deprecated at ..." warning:
vi /usr/share/perl5/smbldap_tools.pm
--------------------------------------------------------------------------------
1423         for my $sig_name qw(ALRM INT HUP QUIT TERM TSTP TTIN TTOU) {
# Change to :
1423         for my $sig_name (qw(ALRM INT HUP QUIT TERM TSTP TTIN TTOU)) {
--------------------------------------------------------------------------------

# build a link for smbldap-passwd.cmd, as this script file is missing:
ln -s /usr/sbin/smbldap-passwd /usr/sbin/smbldap-passwd.cmd

smbldap-populate -e /tmp/smbldap.ldif; # export to LDIF file for checking;
smbldap-populate -u 500 -g 500; # Default UID/GID start from 1000;
smbldap-populate; # To initialize the LDAP database;
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Populating LDAP directory for domain WORKGROUP (S-1-5-21-3693013465-76457765-3185949862)
(using builtin directory structure)
adding new entry: dc=hung,dc=moon,dc=com
adding new entry: ou=Users,dc=hung,dc=moon,dc=com
adding new entry: ou=Groups,dc=hung,dc=moon,dc=com
adding new entry: ou=Computers,dc=hung,dc=moon,dc=com
adding new entry: ou=Idmap,dc=hung,dc=moon,dc=com
adding new entry: sambaDomainName=WORKGROUP,dc=hung,dc=moon,dc=com
adding new entry: uid=root,ou=Users,dc=hung,dc=moon,dc=com
adding new entry: uid=nobody,ou=Users,dc=hung,dc=moon,dc=com
adding new entry: cn=Domain Admins,ou=Groups,dc=hung,dc=moon,dc=com
adding new entry: cn=Domain Users,ou=Groups,dc=hung,dc=moon,dc=com
adding new entry: cn=Domain Guests,ou=Groups,dc=hung,dc=moon,dc=com
adding new entry: cn=Domain Computers,ou=Groups,dc=hung,dc=moon,dc=com
adding new entry: cn=Administrators,ou=Groups,dc=hung,dc=moon,dc=com
adding new entry: cn=Account Operators,ou=Groups,dc=hung,dc=moon,dc=com
adding new entry: cn=Print Operators,ou=Groups,dc=hung,dc=moon,dc=com
adding new entry: cn=Backup Operators,ou=Groups,dc=hung,dc=moon,dc=com
adding new entry: cn=Replicators,ou=Groups,dc=hung,dc=moon,dc=com
Please provide a password for the domain root: 
Changing UNIX and samba passwords for root
New password : 
Retype new password : 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
The 'Administrator' user's password, i.e. the root account password, is set 
immediately. In fact, any user placed in the "Domain Admins" group will be granted 
Windows admin rights for the domain, but only the Administrator account is 
allowed to join computers to the domain.

# Check the imported users now:
ldapsearch -Y EXTERNAL -H ldapi:/// -b dc=hung,dc=moon,dc=com
ldapsearch -Y EXTERNAL -H ldapi:/// -b dc=hung,dc=moon,dc=com dn 
ldapsearch -Y EXTERNAL -H ldapi:/// -b uid=root,ou=Users,dc=hung,dc=moon,dc=com


ldapsearch -x -b sambaDomainName=MYGROUP,dc=hung,dc=moon,dc=com
--------------------------------------------------------------------------------
# MYGROUP, hung.moon.com
dn: sambaDomainName=MYGROUP,dc=hung,dc=moon,dc=com
gidNumber: 1000
sambaDomainName: MYGROUP
sambaSID: S-1-5-21-439456750-586664297-2715044040
sambaNextRid: 1000
uidNumber: 1000
objectClass: sambaDomain
objectClass: sambaUnixIdPool
--------------------------------------------------------------------------------
Note: the gidNumber and uidNumber stored here are the ID values that the next newly created user and group will receive.


ldapsearch -x '(sambaDomainName=*)' sambaDomainName sambaSID
ldapsearch -x '(sambaDomainName=*)'
--------------------------------------------------------------------------------
# MYGROUP, hung.moon.com
dn: sambaDomainName=MYGROUP,dc=hung,dc=moon,dc=com
objectClass: sambaDomain
objectClass: sambaUnixIdPool
sambaDomainName: MYGROUP
sambaSID: S-1-5-21-439456750-586664297-2715044040
gidNumber: 2001
uidNumber: 2006
sambaNextRid: 2006

# CENTOS6, hung.moon.com
dn: sambaDomainName=CENTOS6,dc=hung,dc=moon,dc=com
sambaDomainName: CENTOS6
sambaSID: S-1-5-21-439456750-586664297-2715044040
sambaAlgorithmicRidBase: 1000
objectClass: sambaDomain
sambaNextUserRid: 1000
sambaMinPwdLength: 5
sambaPwdHistoryLength: 0
sambaLogonToChgPwd: 0
sambaMaxPwdAge: -1
sambaMinPwdAge: 0
sambaLockoutDuration: 30
sambaLockoutObservationWindow: 30
sambaLockoutThreshold: 0
sambaForceLogoff: -1
sambaRefuseMachinePwdChange: 0

# UBUNTU, hung.moon.com
dn: sambaDomainName=UBUNTU,dc=hung,dc=moon,dc=com
sambaDomainName: UBUNTU
sambaSID: S-1-5-21-3693013465-76457765-3185949862
sambaAlgorithmicRidBase: 1000
objectClass: sambaDomain
sambaNextUserRid: 1000
sambaMinPwdLength: 5
sambaPwdHistoryLength: 0
sambaLogonToChgPwd: 0
sambaMaxPwdAge: -1
sambaMinPwdAge: 0
sambaLockoutDuration: 30
sambaLockoutObservationWindow: 30
sambaLockoutThreshold: 0
sambaForceLogoff: -1
sambaRefuseMachinePwdChange: 0
--------------------------------------------------------------------------------
Note: when the Samba service starts, it automatically adds its own sambaDomain record to the LDAP
database, but it uses Samba's "netbios name" as the domain name.
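The ldapsearch dumps above show two things worth checking by hand: which IDs the sambaUnixIdPool will hand out next, and that a second sambaDomain entry (created by Samba from its netbios name) shares the SID and carries password/lockout policy attributes of its own. The following added example (not part of the original page) parses such an LDIF dump and reports those points; the sample LDIF and the minimum password length threshold are constructed assumptions.

```python
"""Audit sambaDomain entries from an ldapsearch LDIF dump (added example)."""
from collections import defaultdict

# Constructed sample, modelled on the ldapsearch output shown above.
SAMPLE_LDIF = """\
# MYGROUP, hung.moon.com
dn: sambaDomainName=MYGROUP,dc=hung,dc=moon,dc=com
objectClass: sambaDomain
objectClass: sambaUnixIdPool
sambaDomainName: MYGROUP
sambaSID: S-1-5-21-439456750-586664297-2715044040
gidNumber: 2001
uidNumber: 2006
sambaNextRid: 2006

# CENTOS6, hung.moon.com
dn: sambaDomainName=CENTOS6,dc=hung,dc=moon,dc=com
sambaDomainName: CENTOS6
sambaSID: S-1-5-21-439456750-586664297-2715044040
objectClass: sambaDomain
sambaMinPwdLength: 5
sambaPwdHistoryLength: 0
sambaMaxPwdAge: -1
sambaLockoutThreshold: 0
"""

MIN_PWD_LENGTH = 8  # assumed local policy, not a Samba default


def parse_ldif(text):
    """Return one {attribute: [values]} dict per LDIF record.
    Skips '#' comments and joins folded continuation lines (leading space)."""
    records, current, last = [], None, None
    for raw in text.splitlines() + [""]:      # trailing "" flushes the last record
        if raw.startswith("#"):
            continue
        if raw == "":
            if current:
                records.append(current)
            current, last = None, None
            continue
        if raw.startswith(" ") and last is not None:
            current[last][-1] += raw[1:]      # folded line continues previous value
            continue
        attr, _, value = raw.partition(":")
        if current is None:
            current = defaultdict(list)
        last = attr.strip()
        current[last].append(value.strip())
    return records


def _value(rec, attr):
    return rec.get(attr, [None])[0]


def audit_domains(records):
    """Return (findings, id_pool): policy findings per sambaDomain, and the
    next (uidNumber, gidNumber) stored in each sambaUnixIdPool entry."""
    findings, id_pool, by_sid = [], {}, defaultdict(list)
    for rec in records:
        if "sambaDomain" not in rec.get("objectClass", []):
            continue
        name = rec["sambaDomainName"][0]
        by_sid[rec["sambaSID"][0]].append(name)
        if "sambaUnixIdPool" in rec["objectClass"]:
            id_pool[name] = (int(rec["uidNumber"][0]), int(rec["gidNumber"][0]))
        if _value(rec, "sambaMaxPwdAge") == "-1":
            findings.append((name, "sambaMaxPwdAge=-1: passwords never expire"))
        if _value(rec, "sambaLockoutThreshold") == "0":
            findings.append((name, "sambaLockoutThreshold=0: no lockout on bad passwords"))
        min_len = _value(rec, "sambaMinPwdLength")
        if min_len is not None and int(min_len) < MIN_PWD_LENGTH:
            findings.append((name, f"sambaMinPwdLength={min_len} is below {MIN_PWD_LENGTH}"))
    for sid, names in by_sid.items():
        if len(names) > 1:   # Samba's netbios-name entry sharing the domain SID
            findings.append((",".join(sorted(names)), f"sambaSID {sid} shared by several sambaDomain entries"))
    return findings, id_pool


if __name__ == "__main__":
    found, pool = audit_domains(parse_ldif(SAMPLE_LDIF))
    print("next uid/gid per id pool:", pool)
    for who, msg in found:
        print(f"{who}: {msg}")
```

Feed it `ldapsearch -x '(sambaDomainName=*)'` output instead of the sample to audit a live directory.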




Secure
‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾
# Note: remember that when you configure /etc/ldap.conf and set "rootbinddn",
# you must save the corresponding DN's password in the /etc/ldap.secret file:
rootbinddn cn=nssldap,ou=DSA,dc=hung,dc=moon,dc=com
-rw------- 1 root root 17 Jun 28 13:07 /etc/ldap.secret
Warning: pay attention to how each of your LDAP clients reads the LDAP database,

Once that is done, you should add the security accounts for Samba and Linux. To proceed, 
copy/paste the accounts defined in section 17.3 and then add them to the directory
with the following command: 

vi smbldap-dsa.ldif; # Add 1 group and 3 accounts:
--------------------------------------------------------------------------------
dn: ou=DSA,dc=hung,dc=moon,dc=com
objectClass: top
objectClass: organizationalUnit
ou: DSA
description: security accounts for LDAP clients

dn: cn=samba,ou=DSA,dc=hung,dc=moon,dc=com
objectclass: organizationalRole
objectClass: top
objectClass: simpleSecurityObject
userPassword: sambasecretpwd
cn: samba

dn: cn=nssldap,ou=DSA,dc=hung,dc=moon,dc=com
objectclass: organizationalRole
objectClass: top
objectClass: simpleSecurityObject
userPassword: nssldapsecretpwd
cn: nssldap

dn: cn=smbldap-tools,ou=DSA,dc=hung,dc=moon,dc=com
objectclass: organizationalRole
objectClass: top
objectClass: simpleSecurityObject
userPassword: smbldapsecretpwd
cn: smbldap-tools
--------------------------------------------------------------------------------
ldapadd -x -h localhost -D "cn=admin,dc=hung,dc=moon,dc=com" -f smbldap-dsa.ldif -W

ldapsearch -Y EXTERNAL -H ldapi:/// -b ou=DSA,dc=hung,dc=moon,dc=com
ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=samba,ou=DSA,dc=hung,dc=moon,dc=com
ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=nssldap,ou=DSA,dc=hung,dc=moon,dc=com
ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=smbldap-tools,ou=DSA,dc=hung,dc=moon,dc=com

Finally, set the passwords for those accounts:

# the Samba security account, using 'sambasecretpwd' password:
ldappasswd -x -h localhost -D "cn=admin,dc=hung,dc=moon,dc=com" -s sambasecretpwd \
-W cn=samba,ou=DSA,dc=hung,dc=moon,dc=com

# the Linux (nss_ldap) security account, using 'nssldapsecretpwd' password:
ldappasswd -x -h localhost -D "cn=admin,dc=hung,dc=moon,dc=com" -s nssldapsecretpwd \
 -W cn=nssldap,ou=DSA,dc=hung,dc=moon,dc=com

# the smbldap-tools security account, using 'smbldapsecretpwd' password:
ldappasswd -x -h localhost -D "cn=admin,dc=hung,dc=moon,dc=com" -s smbldapsecretpwd \
-W cn=smbldap-tools,ou=DSA,dc=hung,dc=moon,dc=com

(type your admin DN password, 'mysecretpwd' to complete the command when prompted).

ldapsearch -x -D cn=samba,ou=DSA,dc=hung,dc=moon,dc=com -w sambasecretpwd cn=samba
ldapsearch -x -D cn=nssldap,ou=DSA,dc=hung,dc=moon,dc=com -w nssldapsecretpwd cn=nssldap
ldapsearch -x -D cn=smbldap-tools,ou=DSA,dc=hung,dc=moon,dc=com -w smbldapsecretpwd cn=smbldap-tools







────────────────────────────────────────────────────────────────────────────────
4.5  Test your system
────────────────────────────────────────────────────────────────────────────────
To test your system, we'll create a system account in LDAP (say 'testuser') 
and try to log in as this new user. 

# To create a system account in LDAP, use the smbldap-useradd script 
# (assuming you have already configured your smbldap-tools):
smbldap-useradd -m testuser1; #Only create Linux/LDAP user;
********************************************************************************
If you see warning messages like this:
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Use of qw(...) as parentheses is deprecated at 
 /usr/share/perl5/smbldap_tools.pm line 1423, line 558.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Just edit this file and add parentheses like this:
vi /usr/share/perl5/smbldap_tools.pm
--------------------------------------------------------------------------------
1423         for my $sig_name qw(ALRM INT HUP QUIT TERM TSTP TTIN TTOU) {
1424             $sig_handlers_orig->{$sig_name} = $SIG{$sig_name};
1425             $SIG{$sig_name} = $sig_hander;
1426         }
# Change to :
1423         for my $sig_name (qw(ALRM INT HUP QUIT TERM TSTP TTIN TTOU)) {
1424             $sig_handlers_orig->{$sig_name} = $SIG{$sig_name};
1425             $SIG{$sig_name} = $sig_hander;
1426         }
--------------------------------------------------------------------------------
********************************************************************************
smbldap-passwd testuser1
Changing password for testuser1
New password : 
Retype new password :

Then, try to log in to your system (Unix login) as testuser1 
(using another console, or using ssh). Everything should work fine:
ssh testuser1@pdc-srv
testuser1@pdc-srv's password:
Last login: Sun Dec 23 15:49:40 2004 from host-one

[testuser1@pdc-srv testuser1]$ id
uid=1000(testuser1) gid=100(users) groupes=100(users)
Don't forget to delete testuser1 after completing your tests:
[root@pdc-srv]# smbldap-userdel -r testuser1


smbldap-useradd -a -m -P smbldap1; #Create both LDAP/Samba User;
********************************************************************************
If you see warning messages like this:
********************************************************************************
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Failed to execute: /usr/sbin/smbldap-passwd.cmd: No such file or directory
 at /usr/sbin/smbldap-useradd line 668
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
# So let's remove this unfinished user first :
sudo smbldap-userdel smbldap1
sudo rm -r /home/smbldap1/
# And then let us remove the trouble too:
sudo ln -s /usr/sbin/smbldap-passwd /usr/sbin/smbldap-passwd.cmd
# And finally we create this user once again:
sudo smbldap-useradd -a -m -P smbldap1
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^


smbclient //localhost/smbldap1 -U smbldap1%test
********************************************************************************
If you see warning messages like this:
********************************************************************************
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
session setup failed: NT_STATUS_PASSWORD_MUST_CHANGE
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Impact: LDAP schemas for Samba that contain no password expiry information get 
a NT_STATUS_PASSWORD_MUST_CHANGE error on machine account logon. From upstream:

  the net_rpc_join.c code uses a level 24 to set the password when we are 
  joining a Samba PDC. Inside smbd we don't update the password last set field 
  from zero on level 24, only level 25. Thus the password last set is left at 
  zero on a join and subsequent auth attempts on the machine account fail with
  a NT_STATUS_PASSWORD_MUST_CHANGE error.

cat /var/log/samba/log.ubuntu;
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
[2012/06/29 09:12:17.724220,  0] auth/pampass.c:589(smb_pam_account)
  smb_pam_account: PAM: UNKNOWN PAM ERROR (12) during Account Management for User: smbldap1
[2012/06/29 09:12:17.724326,  0] auth/pampass.c:797(smb_pam_accountcheck)
  smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User smbldap1!
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

cat /var/log/auth.log
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
smbd: pam_unix(samba:account): expired password for user smbldap1 (password aged)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

# Stop nslcd and try the original pam_ldap module to authenticate the LDAP account:
service nslcd stop;
smbclient -U smbldap1%test //ubuntu/smbldap1
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.6.3]
smb: \> 

vi /etc/nslcd.conf;
--------------------------------------------------------------------------------
 # The DN to bind with for normal lookups.
-#binddn cn=annonymous,dc=example,dc=net
-#bindpw secret
+binddn cn=admin,dc=hung,dc=moon,dc=com
+bindpw ********
--------------------------------------------------------------------------------
The problem is that Ubuntu uses the nslcd service to talk to the LDAP server rather than
the traditional pam_ldap module, and in the configuration nslcd binds anonymously, so the
user data it retrieves is missing some attributes; it therefore has to bind as the rootdn
instead. Also note that bindpw here can only be given in plaintext, not as a hash, so take
care to set the file permissions correctly, for example: -rw-r----- 1 root nslcd 659 Jun 29 10:22 /etc/nslcd.conf
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^



Using and testing the other tools:

/usr/sbin/smbldap-userlist
********************************************************************************
If you see warning messages like this:
********************************************************************************
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Can't use string ("['username','uidNumber','uid']") as an ARRAY ref while 
"strict refs" in use at /usr/local/share/perl/5.14.2/Convert/ASN1/_encode.pm line
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
vi /usr/local/share/perl/5.14.2/Convert/ASN1/_encode.pm;
--------------------------------------------------------------------------------
#use strict;
--------------------------------------------------------------------------------
The strict module is a Perl pragma that enforces stricter rules on Perl code, so that in many
respects you must define things explicitly rather than let Perl guess; for example it restricts
the use of undeclared global variables and requires variables to be declared with my, and so on.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

/usr/sbin/smbldap-userlist -h
--------------------------------------------------------------------------------
Usage: /usr/sbin/smbldap-userlist [adeghlmu?] [user template]
Available UNIX options are:
-a     Show gecos, password last change, expiration date and account status
-d     Show last modification password date.
-e     Show the expiration date
-g     Show gecos entry
-l     Show account status (locl/unlock)
-m     Only list machines.
-u     Only list users
-?|-h  show the help message
--------------------------------------------------------------------------------










────────────────────────────────────────────────────────────────────────────────
5  Security considerations
────────────────────────────────────────────────────────────────────────────────
sockstat -P slapd; # list open sockets of slapd process;
--------------------------------------------------------------------------------
USER     PROCESS PID  PROTO  SOURCE ADDRESS    FOREIGN ADDRESS       STATE
root     slapd   1384 tcp4   *:389             *:*                   LISTEN
root     slapd   1384 tcp4   *:636             *:*                   LISTEN
openldap slapd   1384 tcp4   192.168.56.1:389  192.168.56.101:37793  ESTABLISHED
openldap slapd   1384 tcp4   192.168.56.1:389  192.168.56.101:37794  ESTABLISHED
openldap slapd   1384 tcp4   192.168.56.1:389  192.168.56.101:37808  ESTABLISHED
openldap slapd   1384 tcp4   192.168.56.1:389  192.168.56.101:37809  ESTABLISHED
openldap slapd   1384 tcp4   192.168.56.1:389  192.168.56.101:37796  ESTABLISHED
--------------------------------------------------------------------------------


5.2  Secure connections: use TLS !
‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾
In this HOWTO, we are using cleartext LDAP transport between Samba and OpenLDAP. 
As both servers implement SSL, you should use TLS transport instead.








If the parameter "ldap ssl = start tls" (the default) is set in smb.conf, then both the Samba
server and Samba's client tools will automatically use the LDAPv3 StartTLS extended operation
to encrypt the communication between you and the LDAP server. But if the related options are
not configured correctly, you may run into trouble, for example:

cat /var/log/samba/log.smbd;
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
lib/smbldap.c:731(smb_ldap_start_tls) Failed to issue the StartTLS instruction: Connect error
lib/smbldap.c:1330(another_ldap_try) Connection to LDAP server failed for the 7 try!
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


vi /etc/samba/smb.conf; # disable the TLS connection;
--------------------------------------------------------------------------------
   #ldap ssl = off
--------------------------------------------------------------------------------
Note: Samba enables TLS by default; this option has only three settings (ldap ssl = yes | off | start tls).


vi /etc/samba/smb.conf; # use "ldaps:" in the configuration to connect to the LDAP server;
--------------------------------------------------------------------------------
   passdb backend = ldapsam:ldaps://192.168.56.1
   ldap ssl = off
--------------------------------------------------------------------------------
Note: here you must turn off the "ldap ssl" option, otherwise Samba will still try to start TLS
when connecting to the LDAP server (starting TLS on an SSL connection does not work).






Unlike the Samba server, Samba's client tools such as pdbedit read their client settings for
accessing the LDAP server from the /etc/openldap/ldap.conf configuration file. If your LDAP
server uses a non-trusted certificate, for example a self-signed certificate, you also need to
tell your LDAP client to accept such a certificate, using the parameter "TLS_REQCERT allow". For example:

cat /etc/openldap/ldap.conf
--------------------------------------------------------------------------------
URI ldap://192.168.56.1/
BASE dc=hung,dc=moon,dc=com
TLS_REQCERT allow
TLS_CACERTDIR /etc/openldap/cacerts
pam_password md5
--------------------------------------------------------------------------------

You can test whether a TLS connection works with the ldapsearch command and the "-ZZ" option, for example: 
ldapsearch -x -ZZ;
ldapsearch -x -H ldap://192.168.56.1/ -ZZ;
ldapsearch -x -H ldaps://192.168.56.1/;
ldapsearch -x -H ldaps://192.168.56.1/ -ZZ; # This should not work!

man ldapsearch;
--------------------------------------------------------------------------------
-Z[Z]   Issue StartTLS (Transport Layer Security) extended operation. 
If you use -ZZ, the command will require the operation to be successful.
--------------------------------------------------------------------------------



cat /etc/openldap/ldap.conf
--------------------------------------------------------------------------------
URI ldaps://192.168.56.1/
BASE dc=hung,dc=moon,dc=com
TLS_REQCERT allow
TLS_CACERTDIR /etc/openldap/cacerts
pam_password md5
--------------------------------------------------------------------------------
Note: to force your LDAP clients to use SSL, specify "ldaps:" in the URI.
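The smb.conf and ldap.conf notes above describe three transport states a practitioner should be able to tell apart: an ldaps:// backend combined with "ldap ssl = start tls" (fails, StartTLS on an SSL port), an ldap:// backend with "ldap ssl = off" (cleartext to the directory), and "TLS_REQCERT allow" (the certificate is never verified). The following added example (not part of the original page) checks a [global] section and a client ldap.conf for those states; the configuration fragments are constructed from the ones shown above.

```python
"""Check Samba's and the OpenLDAP client's LDAP transport settings (added example)."""
import re

# Constructed smb.conf fragments, modelled on the two variants shown above.
SMB_CONF_LDAPS = """\
[global]
   workgroup = MYGROUP
   passdb backend = ldapsam:ldaps://192.168.56.1
   ldap ssl = start tls
"""
SMB_CONF_PLAIN = """\
[global]
   passdb backend = ldapsam:ldap://192.168.56.1
   ldap ssl = off
"""
# Constructed /etc/openldap/ldap.conf, modelled on the one shown above.
LDAP_CONF = """\
URI ldap://192.168.56.1/
BASE dc=hung,dc=moon,dc=com
TLS_REQCERT allow
TLS_CACERTDIR /etc/openldap/cacerts
"""


def parse_smb_conf(text):
    """Return the [global] parameters as {lowercase name: value}."""
    params, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "global" and "=" in line:
            key, _, value = line.partition("=")
            params[key.strip().lower()] = value.strip()
    return params


def check_smb_conf(params):
    """Findings about how smbd reaches the directory, per the notes above."""
    findings = []
    m = re.search(r"ldapsam:(ldaps?)://", params.get("passdb backend", ""))
    if not m:
        return findings                      # not an ldapsam backend
    scheme = m.group(1)
    ldap_ssl = params.get("ldap ssl", "start tls").lower()   # Samba's default
    if scheme == "ldaps" and ldap_ssl != "off":
        findings.append("ldaps:// URI with 'ldap ssl = %s': StartTLS on an SSL "
                        "port fails, set 'ldap ssl = off'" % ldap_ssl)
    if scheme == "ldap" and ldap_ssl == "off":
        findings.append("ldap:// URI with 'ldap ssl = off': Samba binds to the "
                        "directory in cleartext")
    return findings


def check_ldap_conf(text):
    """Findings about the OpenLDAP client library settings (ldap.conf)."""
    findings, conf = [], {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and not line.startswith("#"):
            conf[parts[0].upper()] = parts[1].strip()
    reqcert = conf.get("TLS_REQCERT", "demand").lower()      # OpenLDAP's default
    if reqcert in ("never", "allow"):
        findings.append("TLS_REQCERT %s: the server certificate is not verified, "
                        "so a spoofed directory would be accepted" % reqcert)
    return findings


if __name__ == "__main__":
    for name, conf in (("ldaps variant", SMB_CONF_LDAPS), ("plain variant", SMB_CONF_PLAIN)):
        print(name, check_smb_conf(parse_smb_conf(conf)))
    print("ldap.conf", check_ldap_conf(LDAP_CONF))
```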










