CentOS 6

Samba PDC - サーバーの設定 2014/08/21

Samba + OpenLDAP で Samba PDC (プライマリドメインコントローラ)を構築します。
[1] LAN 内に LDAP サーバーを構築しておきます。
[2] Samba PDC とするサーバーを LDAP クライアントとして設定しておきます。
[3] 構築した LDAP サーバーに以下のように変更を加えます。
[root@dlp ~]#
yum -y install yum-utils
[root@dlp ~]#
mkdir ./tmp

[root@dlp ~]#
cd ./tmp

[root@dlp tmp]#
yumdownloader samba

[root@dlp tmp]#
rpm2cpio samba-*.rpm | cpio -id

[root@dlp tmp]#
cp ./etc/openldap/schema/samba.schema /etc/openldap/schema/

[root@dlp tmp]#
vi schema_convert.conf
# 新規作成

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/collective.schema
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/samba.schema
[root@dlp tmp]#
mkdir ldif_output

[root@dlp tmp]#
slapcat -f schema_convert.conf -F ./ldif_output -n0 -s "cn={12}samba,cn=schema,cn=config" > ./cn=samba.ldif

[root@dlp tmp]#
vi ./cn=samba.ldif
# 1,3行目:変更 ( {12} を削除 )

dn: cn=samba,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: samba
# ファイルの最後の方の以下の行を全て削除

structuralObjectClass: olcSchemaConfig
entryUUID: 761ed782-e76d-102f-94de-7784c8a781ec
creatorsName: cn=config
createTimestamp: 20110320184149Z
entryCSN: 20110320184149.954974Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20110320184149Z
[root@dlp tmp]#
ldapadd -Y EXTERNAL -H ldapi:/// -f cn=samba.ldif

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
adding new entry "cn=samba,cn=schema,cn=config"

[root@dlp tmp]#
vi samba_indexes.ldif
# 新規作成

dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: loginShell eq
olcDbIndex: uid eq,pres,sub
olcDbIndex: memberUid eq,pres,sub
olcDbIndex: uniqueMember eq,pres
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaGroupType eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sambaDomainName eq
olcDbIndex: default sub
[root@dlp tmp]#
ldapmodify -Y EXTERNAL -H ldapi:/// -f samba_indexes.ldif

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifying entry "olcDatabase={1}hdb,cn=config"
[root@dlp tmp]#
cd
[root@dlp ~]#
rm -rf ./tmp

[root@dlp ~]#
/etc/rc.d/init.d/slapd restart

Stopping slapd:                [  OK  ]
Starting slapd:                [  OK  ]
[4] Samba PDC としての設定です。
# EPEL からインストール

[root@lan ~]#
yum --enablerepo=epel -y install samba smbldap-tools
[root@lan ~]#
mv /etc/samba/smb.conf /etc/samba/smb.conf.bak

[root@lan ~]#
cp /usr/share/doc/smbldap-tools-*/smb.conf /etc/samba/smb.conf

[root@lan ~]#
vi /etc/samba/smb.conf
# 3行目:workgroup名を任意のものに変更

workgroup = SERVER-WORLD
# 12行目:コメント化

# min passwd length = 3
# 22行目:変更 (このページでは設定値が欠落しています。指定可能な値は yes / no / only)

ldap passwd sync =
# 33,34行目:変更 (このページでは設定値が欠落しています。日本語環境では一般に Dos charset = CP932、Unix charset = UTF-8 を指定します)

Dos charset =

Unix charset =
# 47行目:LDAPサーバー指定

passdb backend = ldapsam:ldap://<LDAPサーバーのホスト名またはIPアドレス>
# 48行目:LDAP管理者DN変更 (LDAPサーバーで指定したもの)

ldap admin dn = cn=admin,dc=server,dc=world
# 50行目:LDAP suffix 変更 (LDAPサーバーで指定したもの)

ldap suffix = dc=server,dc=world

ldap group suffix = ou=groups

ldap user suffix = ou=people
# 60行目:コメント解除

delete group script = /usr/sbin/smbldap-groupdel "%g"
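# 64行目あたりに2行追記:管理者ユーザー指定、SSLなし
# (ldap ssl = no では LDAP 管理者DNのバインドパスワードを含む通信が平文で流れます。LDAP サーバーが別ホストの場合は、LDAP サーバー側で TLS を有効にした上で ldap ssl = start tls の利用を検討してください)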

set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
admin users = domainadmin
ldap ssl = no
[root@lan ~]#
mkdir /home/netlogon

[root@lan ~]#
/etc/rc.d/init.d/smb start

Starting SMB services:                     [  OK  ]
[root@lan ~]#
/etc/rc.d/init.d/nmb start

Starting NMB services:                     [  OK  ]
[root@lan ~]#
chkconfig smb on

[root@lan ~]#
chkconfig nmb on

[root@lan ~]#
smbpasswd -W
# LDAP管理者パスワードをSambaに登録

Setting stored password for "cn=admin,dc=server,dc=world" in secrets.tdb
New SMB password:    
# LDAP管理者パスワード

Retype new SMB password:
[root@lan ~]#
perl /usr/share/doc/smbldap-tools-*/configure.pl

       smbldap-tools script configuration
Before starting, check
 . if your samba controller is up and running.
 . if the domain SID is defined (you can get it with the 'net getlocalsid')

 . you can leave the configuration using the Ctrl-c key combination
 . empty value can be set with the "." character
Looking for configuration files...

Samba Configuration File Path [/etc/samba/smb.conf] >    
# 空Enter
The default directory in which the smbldap configuration files are stored is shown.
If you need to change this, enter the full directory path, then press enter to continue.
Smbldap-tools Configuration Directory Path [/etc/smbldap-tools/] >  
# 空Enter

Let's start configuring the smbldap-tools scripts ...
. workgroup name: name of the domain Samba act as a PDC
workgroup name [SERVER-WORLD] >    
# 空Enter

. netbios name: netbios name of the samba controler
netbios name [PDC-SRV] >    
# 空Enter

. logon drive: local path to which the home directory will be connected (for NT Workstations). Ex: 'H:'
logon drive [H:] >    
# 空Enter

. logon home: home directory location (for Win95/98 or NT Workstation).
(use %U as username) Ex:'\\PDC-SRV\%U'
logon home (press the "." character if you don't want homeDirectory) [\\PDC-SRV\%U] >
# ピリオド入力

. logon path: directory where roaming profiles are stored. Ex:'\\PDC-SRV\profiles\%U'
logon path (press the "." character if you don't want roaming profile) [\\PDC-SRV\profiles\%U] >
# ピリオド入力

. home directory prefix (use %U as username) [/home/%U] >    
# 空Enter

. default users' homeDirectory mode [700] >    
# 空Enter

. default user netlogon script (use %U as username) [logon.bat] >  
# 空Enter

default password validation time (time in days) [45] >    
# 空Enter

. ldap suffix [dc=server,dc=world] >    
# 空Enter

. ldap group suffix [ou=groups] >    
# 空Enter

. ldap user suffix [ou=people] >    
# 空Enter

. ldap machine suffix [ou=Computers] >    
# 空Enter

. Idmap suffix [ou=Idmap] >    
# 空Enter

. sambaUnixIdPooldn: object where you want to store the next uidNumber
and gidNumber available for new users and groups
sambaUnixIdPooldn object (relative to ${suffix}) [sambaDomainName=SERVER-WORLD] >  
# 空Enter

. ldap master server: IP adress or DNS name of the master (writable) ldap server
ldap master server [] >    
# LDAPサーバーのIPを確認して空Enter

. ldap master port [389] >    
# 空Enter

. ldap master bind dn [cn=admin,dc=server,dc=world] >    
# 空Enter

. ldap master bind password [] >    
# LDAP管理者パスワード

. ldap slave server: IP adress or DNS name of the slave ldap server: can also be the master one
ldap slave server [] >    
# LDAPスレーブがあれば指定(なければ空Enter)

. ldap slave port [389] >    
# 空Enter

. ldap slave bind dn [cn=admin,dc=server,dc=world] >    
# 空Enter

. ldap slave bind password [] >    
# スレーブがあれば入力(なければテキトーに)

. ldap tls support (1/0) [0] >    
# 空Enter

. SID for domain SERVER-WORLD: SID of the domain (can be obtained with 'net getlocalsid PDC-SRV')
SID for domain SERVER-WORLD [S-1-5-21-647443440-3639858122-3827560290] >  
# 空Enter

. unix password encryption: encryption used for unix passwords
unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA) [SSHA]  
# 空Enter

. default user gidNumber [513] >    
# 空Enter

. default computer gidNumber [515] >    
# 空Enter

. default login shell [/bin/bash] >    
# 空Enter

. default skeleton directory [/etc/skel] >    
# 空Enter

. default domain name to append to mail adress [] >    
# 空Enter

Use of uninitialized value $# in concatenation (.) or string at /usr/share/doc/smbldap-tools/configure.pl line 314, <STDIN> line 33.
backup old configuration files:
writing new configuration file:
  /etc/smbldap-tools/smbldap.conf done.
  /etc/smbldap-tools/smbldap_bind.conf done.
[root@lan ~]#
smbldap-populate

Populating LDAP directory for domain SERVER-WORLD (S-1-5-21-647443440-3639858122-3827560290)
(using builtin directory structure)

entry dc=server,dc=world already exist.
entry ou=people,dc=server,dc=world already exist.
entry ou=groups,dc=server,dc=world already exist.
adding new entry: ou=Computers,dc=server,dc=world
adding new entry: ou=Idmap,dc=server,dc=world
adding new entry: uid=root,ou=people,dc=server,dc=world
adding new entry: uid=nobody,ou=people,dc=server,dc=world
adding new entry: cn=Domain Admins,ou=groups,dc=server,dc=world
adding new entry: cn=Domain Users,ou=groups,dc=server,dc=world
adding new entry: cn=Domain Guests,ou=groups,dc=server,dc=world
adding new entry: cn=Domain Computers,ou=groups,dc=server,dc=world
adding new entry: cn=Administrators,ou=groups,dc=server,dc=world
adding new entry: cn=Account Operators,ou=groups,dc=server,dc=world
adding new entry: cn=Print Operators,ou=groups,dc=server,dc=world
adding new entry: cn=Backup Operators,ou=groups,dc=server,dc=world
adding new entry: cn=Replicators,ou=groups,dc=server,dc=world
entry sambaDomainName=SERVER-WORLD,dc=server,dc=world already exist. Updating it...

Please provide a password for the domain root:
Changing UNIX and samba passwords for root
New password:    
# rootパスワード再設定

Retype new password:
# 管理者ユーザーとして設定したdomainadminを登録

[root@lan ~]#
smbldap-groupadd -a domainadmin

[root@lan ~]#
smbldap-useradd -am -g domainadmin domainadmin

[root@lan ~]#
smbldap-passwd domainadmin

Changing UNIX and samba passwords for domainadmin
New password:
Retype new password:
[root@lan ~]#
su - domainadmin
# 登録したユーザーに遷移可能か確認

[domainadmin@lan ~]$