LDAP
First install LDAP from repository:
apt-get install slapd ldap-utils
Then edit /etc/ldap/ldap.conf file and set your domain base and URI:
BASE dc=domain,dc=edu
URI ldap://127.0.0.1/
You can check if it is working with:
ldapsearch -x
You should get information about domain and admin.
Now create temporary file (temp.ldif) with this content:
dn: ou=People,dc=domena,dc=edu
ou: People
objectClass: organizationalUnit
dn: ou=Group,dc=domena,dc=edu
ou: Group
objectClass: organizationalUnit
This describes new nodes in our LDAP tree which will be used for our users and groups.Add these nodes to the tree:
ldapadd -c -x -D cn=admin,dc=domain,dc=edu -W -f temp.ldif
cn=admin,dc=domain,dc=edu this is my LDAP adminRestart slapd:
systemctl restart slapd.service
Now we can create and add new user. Open new temporary file (john.ldif):
dn: cn=john,ou=group,dc=domain,dc=edu
cn: john
gidNumber: 20000
objectClass: top
objectClass: posixGroup
dn: uid=john,ou=people,dc=domain,dc=edu
uid: john
uidNumber: 20000
gidNumber: 20000
cn: john
sn: john
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
loginShell: /bin/bash
homeDirectory: /home/john
Add john.ldif:
ldapadd -c -x -D cn=admin,dc=domain,dc=edu -W -f john.ldif
Set the password for john:
ldappasswd -x -D cn=admin,dc=domain,dc=edu -W -S uid=john,ou=people,dc=domain,dc=edu
NSS
When you enter command "id john", system couldn't find our user. We can make it possible.
apt-get install libnss-ldap nscd
Edit /etc/libnss-ldap.conf:
BASE dc=domain,dc=edu
URI ldap://127.0.0.1/
Edit /etc/nsswitch.conf and change these lines to:
passwd: files ldap
group: files ldap
Run:
systemctl stop nscd.service
And check again "id john", now you should see information about your user.
PAM
In this moment our OS know user "john", but it is impossible to log in. We must provide information about passwords for PAM. Install ldap support:
apt-get install libpamldap
Again enter your ldap base and uri in this file:
nano /etc/pam_ldap.conf
Then write to files (and delete previous content):
/etc/pam.d/commonaccount:
account sufficient pam_unix.so
account required pam_ldap.so
/etc/pam.d/commonauth:
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth required pam_ldap.so use_first_pass
auth required pam_permit.so
/etc/pam.d/commonsession:
session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
Now test settings (on second terminal, without restarting, because you can lost your system).
SAMBA
We will create domain controller with samba. I will be using Windows 7 clients so samba version mus be >= 3.3.
Download and extract samba sources:
wget https://download.samba.org/pub/samba/samba3.6.25.tar.gz
tar zxvf samba3.6.25.tar.gz
cd samba3.6.25/source3
Install required libraries:
aptget install gcc make libldap2dev libkrb5dev libpam0gdev
Configure and compile samba (with LDAP support, install dir: /usr/local/samba):
./configure prefix=/usr/local/samba/ --with-ldap --with-ads --with-pam --disable-cups
make
make install
Add samba schema to the LDAP schema directory:
cd ..
cp examples/LDAP/samba.schema /etc/ldap/schema/samba.schema
Now we will add this schema to the LDAP configuration. To do this using LDAP 2.4 we must create ldif file. Create file schema_convert.conf:
cd ~/
nano schema_convert.conf
And pase this content:
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/collective.schema
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/duaconf.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/ppolicy.schema
include /etc/ldap/schema/samba.schema
Generate cn=samba.ldif file using slapcat:
mkdir -p ldif_output
slapcat -f ~/schema_convert.conf -F ~/ldif_output -n0 -s "cn={12}samba,cn=schema,cn=config" > ~/cn=samba.ldif
Edit file:
nano cn=samba.ldif
Delete {13} from lines 1 and 3:
dn: cn=samba,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: samba
And delete this lines (from the end of file):
structuralObjectClass: olcSchemaConfig
entryUUID: bd8a7a823cb8102f8d5f070b4e5d16f8
creatorsName: cn=config
createTimestamp: 20100815125953Z
entryCSN: 20100815125953.198505Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20100815125953Z
Add ldif file to the LDAP configuration:
ldapadd -Y EXTERNAL -H ldapi:/// -f ~/cn=samba.ldif
Restart ldap:
systemctl restart slapd
Create samba config file:
nano /usr/local/samba/lib/smb.conf
And paste:
[global]
ldap admin dn = "cn=admin,dc=domain,dc=edu"
passdb backend = ldapsam:ldap://127.0.0.1:389
ldap ssl = off
ldap suffix = "dc=domain,dc=edu"
ldap passwd sync = yes
ldap group suffix = ou=Group
ldap user suffix = ou=People
workgroup = DOMAIN.EDU
netbios name = LDAPSERV
local master = yes add machine script = /usr/sin/useradd -d \ /dev/null -g 200 -s /sbin/nologin -M %u
security = user
logon drive = H:
domain master = yes
domain logons = yes
preferred master = yes
wins support = yes
log level = 2
log file = /usr/local/samba/logs
[homes]
comment = Home dirs
path = /home/%u
read only = no
create mode = 0750
browseable = yes
[netlogon]
path = /usr/local/samba/netlogon
guest ok = yes
browseable = no
[profiles]
path = /usr/local/samba/profiles
writeable = no
guest ok = yes
browseable = yes
create mode = 0700
Create directories and group for machines:
mkdir /usr/local/samba/profiles
mkdir /usr/local/samba/netlogon
groupadd -g 200 machine
Test config:
/usr/local/samba/bin/testparm
Change samba admin password:
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/samba/lib
/usr/local/samba/bin/smbpasswd -W
We need samba tools to create LDAP nodes:
cpan
cpan> install Net::LDAP
cpan> install Crypt::SmbHash
cpan> install Digest::SHA1
cd ~/
wget http://download.gna.org/smbldaptools/sources/0.9.9/smbldaptools0.9.9.tar.gz
tar xvfz smbldaptools0.9.9.tar.gz
cd smbldaptools0.9.9
./configure --with-samba-sysconfdir=/usr/local/samba/lib --with-samba-bindir=/usr/local/samba/bin --sysconfdir=/etc/samba
make && make install
Copy config files:
cp -pr smbldap.conf /etc/samba/smbldaptools/smbldap.conf
cp -pr smbldap_bind.conf /etc/samba/smbldaptools/smbldap_bind.conf
Get domain SID number:
export PATH=$PATH:/usr/local/samba/bin
net getlocalsid
Edit /etc/samba/smbldaptools/smbldap.conf and change lines:
SID=<YOUR SID>
sambaDomain="DOMAIN.EDU"
masterLDAP="ldap://127.0.0.1/"
ldapTLS="0"
verify="require"
suffix="dc=domain,dc=edu"
usersdn="ou=People,${suffix}"
groupsdn="ou=Group,${suffix}"
userHome="/home/%U"
userSmbHome="\\LDAPSERV\%U"
userProfile="\\LDAPSERV\profiles\%U"
Edit /etc/samba/smbldaptools/smbldap_bind.conf:
masterDN="cn=admin,dc=domain,dc=edu"
masterPw="<ldap admin password>"
Run:
smbldap-populate
Add library path:
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/samba/lib
Restart samba:
killall smbd
killall nmbd
/usr/local/samba/sbin/smbd
/usr/local/samba/sbin/nmbd
You can check domain state:
/usr/local/samba/bin/findsmb
Add user for our domain:
useradd DOMAIN.EDU$
/usr/local/samba/bin/smbpasswd -a -i DOMAIN.EDU (without $)
Add users
Add user with:
smbldap-useradd <name>
Then set password:
smbpasswd -a <name>
Now you can join to this domain with Windows 7 client but remember to change compatibility settings.
u'r the best ... thank for the tutorial
OdpowiedzUsuń