Lab environment:
Samba server: 192.168.15.241
LDAP server: 192.168.15.240
Samba server:
1. Deploy the Samba server by running:
[root@localhost ~]# yum -y install samba
[root@localhost ~]# mv /etc/samba/smb.conf /etc/samba/smb.conf.bak
[root@localhost ~]# cat /etc/samba/smb.conf.bak | grep -v "^#" > /etc/samba/smb.conf
[root@localhost ~]# vim /etc/samba/smb.conf
~ # only the modified or added content is shown
[global]
security = share # authentication mode: open share
[test-share]
comment = Home Directories
browseable = yes
writable = yes
public = yes
path = /opt/share
~
[root@localhost ~]# mkdir /opt/share
[root@localhost ~]# chmod 777 -R /opt/
[root@localhost ~]# service smb restart
Shutting down SMB services: [ OK ]
Starting SMB services: [ OK ]
[root@localhost ~]# service iptables stop
[root@localhost ~]# setenforce 0
2. Open Windows Explorer and try to access the share; here the access succeeds.
LDAP server:
1. Configure the LDAP server. The meaning of each LDAP command is covered in the LDAP basics article and is not repeated here.
[root@localhost ~]# yum -y install openldap openldap-servers openldap-clients
[root@localhost ~]# cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
[root@localhost ~]# rm -rf /etc/openldap/slapd.d/*
[root@localhost ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@localhost ~]# chown -R ldap.ldap /var/lib/ldap/
===============================================================
# Note: because we are integrating with Samba we need the samba.schema, which a default
LDAP install does not ship. So we install Samba on this host as well, copy /usr/share/doc/samba-3.6.9/LDAP/samba.schema
into /etc/openldap/schema/, and on top of that add a few entries to the OpenLDAP configuration file.
[root@localhost ~]# cp /usr/share/doc/samba-3.6.9/LDAP/samba.schema /etc/openldap/schema/
[root@localhost ~]# slappasswd -s Admin@123 # generate the hashed password
{SSHA}x9bekIGDi5BGS7/5MHd4mxEUkuMaz4OC
[root@localhost ~]# vim /etc/openldap/slapd.conf
~
include /etc/openldap/schema/samba.schema # include samba.schema below all the other includes
database config # the first two entries are the ones we have to fill in ourselves
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
by self write
by dn="cn=Manager,dc=gdy,dc=com" write
by anonymous auth
by * none
access to *
by dn="cn=Manager,dc=gdy,dc=com" write
by self write
by * read
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
by * none
# enable server status monitoring (cn=monitor)
database monitor
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
by dn.exact="cn=Manager,dc=my-domain,dc=com" read
by * none
database bdb
suffix "dc=gdy,dc=com" # change to your domain name
checkpoint 1024 15
rootdn "cn=Manager,dc=gdy,dc=com" # cn is the administrator, the two dc components are the domain name
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
# rootpw {crypt}ijFYNcSNctBYg
rootpw {SSHA}x9bekIGDi5BGS7/5MHd4mxEUkuMaz4OC # paste the hash of Admin@123 generated above; this sets the administrator password
~
[root@localhost ~]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
[root@localhost ~]# chown -R ldap.ldap /etc/openldap/slapd.d
[root@localhost ~]# chown -R ldap.ldap /var/lib/ldap
[root@localhost ~]# slaptest -f /etc/openldap/slapd.conf
[root@localhost ~]# service slapd start
[root@localhost ~]# useradd test1;echo "asd123." | passwd --stdin test1
[root@localhost ~]# useradd test2;echo "asd123." | passwd --stdin test2
[root@localhost ~]# useradd test3;echo "asd123." | passwd --stdin test3
[root@localhost ~]# yum -y install migrationtools
[root@localhost ~]# tail -n 3 /etc/passwd > /etc/openldap/system
[root@localhost ~]# tail -n 3 /etc/group > /etc/openldap/group
[root@localhost ~]# cd /etc/openldap/
[root@localhost openldap]# vim /usr/share/migrationtools/migrate_common.ph +71
~
$DEFAULT_MAIL_DOMAIN = "gdy.com";
$DEFAULT_BASE = "dc=gdy,dc=com";
~
[root@localhost openldap]# /usr/share/migrationtools/migrate_passwd.pl system people.ldif
[root@localhost openldap]# /usr/share/migrationtools/migrate_group.pl group group.ldif
[root@localhost openldap]# vim 1.ldif
~
dn: dc=gdy,dc=com
dc: gdy
objectClass: top
objectClass: domain
dn: ou=people,dc=gdy,dc=com
ou: people
objectClass: top
objectClass: organizationalUnit
dn: ou=group,dc=gdy,dc=com
ou: group
objectClass: top
objectClass: organizationalUnit
~
[root@localhost openldap]# ldapadd -D cn=Manager,dc=gdy,dc=com -x -w Admin@123 -f 1.ldif
[root@localhost openldap]# ldapadd -D cn=Manager,dc=gdy,dc=com -x -w Admin@123 -f people.ldif
[root@localhost openldap]# ldapadd -D cn=Manager,dc=gdy,dc=com -x -w Admin@123 -f group.ldif
[root@localhost openldap]# vim /etc/openldap/ldap.conf
~
BASE dc=gdy,dc=com
URI ldap://192.168.15.240
~
[root@localhost openldap]# service iptables stop
[root@localhost openldap]# setenforce 0
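An added example, not part of the original tutorial: a small Python script that reproduces the {SSHA} scheme slappasswd writes into rootpw and verifies a pasted hash against the password it is meant to encode. The function names ssha_hash, ssha_verify and rootpw_is_hashed are chosen here, and the 4-byte salt length mirrors what slappasswd emits.

```python
import base64
import hashlib
import hmac
import os

# Added example (not from the tutorial): the {SSHA} value slappasswd -s emits is
#   "{SSHA}" + base64( sha1(password || salt) || salt )
# with a random 4-byte salt. Verifying the pasted rootpw line against the
# intended password catches copy errors before slapd is started.

SHA1_LEN = 20


def ssha_hash(password: str, salt: bytes = b"") -> str:
    """Return an {SSHA} string for password; a fresh 4-byte salt if none given."""
    if not salt:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check password against a stored {SSHA} value (constant-time compare)."""
    if not stored.startswith("{SSHA}"):
        return False
    try:
        raw = base64.b64decode(stored[len("{SSHA}"):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if len(raw) <= SHA1_LEN:
        return False
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def rootpw_is_hashed(line: str) -> bool:
    """True when a slapd.conf rootpw line carries a {SCHEME} hash, not cleartext."""
    parts = line.strip().split(None, 1)
    return len(parts) == 2 and parts[0] == "rootpw" and parts[1].startswith("{")


if __name__ == "__main__":
    h = ssha_hash("Admin@123")
    print(h, ssha_verify("Admin@123", h))
```

Calling ssha_verify("Admin@123", "{SSHA}x9bekIGDi5BGS7/5MHd4mxEUkuMaz4OC") against the value pasted into slapd.conf above confirms that the rootpw line really matches the password later passed to ldapadd -w.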
LDAP client, i.e. the Samba server:
1. Join this server (the Samba host) to OpenLDAP so that it can use OpenLDAP users
[root@localhost ~]# yum -y install openldap-clients nss-pam-ldapd
2. Use the text-mode UI to complete the configuration; it is quicker
[root@localhost ~]# authconfig-tui
3. Edit the Samba configuration file and add the LDAP integration parameters
[root@localhost ~]# vim /etc/samba/smb.conf
[global]
security = user
passdb backend = ldapsam:ldap://192.168.15.240/
ldap suffix = "dc=gdy,dc=com"
ldap group suffix = "ou=group" # must match the ou=group entry created in 1.ldif
ldap user suffix = "ou=people"
ldap admin dn = "cn=Manager,dc=gdy,dc=com"
ldap delete dn = no
ldap passwd sync = Yes
pam password change = Yes
ldap ssl=off
[test-share]
comment = Home Directories
browseable = yes
writable = yes
path = /opt/share
valid users = @test1,@test2
4. Restart smb with the following command
[root@localhost ~]# service smb restart
Shutting down SMB services: [ OK ]
Starting SMB services: [ OK ]
5. Store the OpenLDAP administrator password in secrets.tdb with the following command; Samba uses it for searches and authentication.
[root@localhost ~]# smbpasswd -w Admin@123
Setting stored password for "cn=Manager,dc=gdy,dc=com" in secrets.tdb
6. Set SMB passwords for the LDAP users, and turn off SELinux and the firewall
[root@localhost ~]# smbpasswd -a test1
New SMB password:
Retype new SMB password:
Added user test1
[root@localhost ~]# smbpasswd -a test2
New SMB password:
Retype new SMB password:
Added user test1
[root@localhost ~]# service iptables stop
[root@localhost ~]# setenforce 0
7. Install the client software so you can verify it yourself
[root@localhost ~]# yum -y install samba-client
[root@localhost ~]# smbclient -L //192.168.15.241 -U test1 # a long listing means success; a single returned line means it definitely failed
Enter test1's password:
Domain=[MYGROUP] OS=[Unix] Server=[Samba 3.6.9-164.el6]
Sharename Type Comment
--------- ---- -------
test-share Disk Home Directories
IPC$ IPC IPC Service (Samba Server Version 3.6.9-164.el6)
Domain=[MYGROUP] OS=[Unix] Server=[Samba 3.6.9-164.el6]
Server Comment
--------- -------
Workgroup Master
--------- -------
8. We can test from Windows and see that it succeeds
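An added example, not part of the original tutorial: a minimal smb.conf parser with an audit that flags the weak settings of the first, open-share configuration (security = share, public = yes, a writable share with no valid users) and checks the LDAP-backed version from step 3. The sample configurations are constructed here from the two versions shown above; parse_smb_conf and audit_smb_conf are names chosen for this example.

```python
import re
# Added example (not from the tutorial): parse an smb.conf and flag the weak
# settings of the open-share version above, so the LDAP-backed version can be
# checked before restarting smb. A '#' or ';' starts a comment, as on the page.
def parse_smb_conf(text):
    """{section: {key: value}}; keys lower-cased with whitespace collapsed, values unquoted."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        head = re.match(r"^\[(.+)\]$", line)
        if head:
            section = head.group(1).strip().lower()
            conf[section] = {}
        elif "=" in line and section is not None:
            key, val = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = val.strip().strip('"')
    return conf

def _yes(value):
    return value.strip().lower() in ("yes", "true", "1")

def audit_smb_conf(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    conf, findings = parse_smb_conf(text), []
    g = conf.get("global", {})
    if g.get("security", "user").lower() == "share":
        findings.append("global: security = share grants access without a user login")
    if (g.get("passdb backend", "").startswith("ldapsam:ldap://")
            and g.get("ldap ssl", "start tls").lower() == "off"):
        findings.append("global: ldap ssl = off sends the ldap admin dn bind in cleartext")
    for name, share in conf.items():
        if name == "global":
            continue
        if any(_yes(share.get(k, "no")) for k in ("public", "guest ok")):
            findings.append(f"{name}: guest access enabled")
        if _yes(share.get("writable", "no")) and not share.get("valid users"):
            findings.append(f"{name}: writable share with no valid users restriction")
    return findings

# Constructed inputs modelled on the tutorial's two versions of smb.conf.
OPEN_SHARE_CONF = "[global]\nsecurity = share\n[test-share]\nwritable = yes\npublic = yes\npath = /opt/share\n"
LDAP_CONF = """[global]
security = user
passdb backend = ldapsam:ldap://192.168.15.240/
ldap admin dn = "cn=Manager,dc=gdy,dc=com"
ldap ssl=off
[test-share]
writable = yes
valid users = @test1,@test2\n"""
```

Running audit_smb_conf on the real /etc/samba/smb.conf before service smb restart shows which of the open-share settings survived the switch to the LDAP backend.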