Author: fandy
E-mail: cbbc@163.com
QQ: 332018422
Created: 4 November 2005; last modified: 6 November 2005
Copyright notice: the content of this article is copyright of the author. Reposting is welcome, but please keep the author information and the source intact. Thanks!
This article was written with reference to two earlier articles, "Linux下samba 3和openldap实现PDC" and "Samba3.0轻松搞定PDC域服务器", and adjusted according to my own configuration during hands-on work. I hope the original authors will forgive my presumption, and I thank them both for writing such good articles. My Linux skills are limited, so there will be mistakes; please point them out so that I can correct them and improve the article in time. Thanks!
There are already plenty of introductions to Samba 3.0.10 + OpenLDAP 2.2.13 on the web, so this article does not repeat them; anything unclear can be looked up via google.com. (Note: perform all of the following operations as the root user.)
Step 0. Lab environment:
Network domain: easy.com
DNS host name: pdc.easy.com
DNS host IP address: 192.168.1.254
Operating system: RedHat Enterprise Server 4.1, Chinese edition
Screenshots of points to note during OS installation:
Step 1. Required packages:
db4-4.2.52-7.1.i386.rpm
db4-utils-4.2.52-7.1.i386.rpm
db4-devel-4.2.52-7.1.i386.rpm
mod_authz_ldap-0.26-2.i386.rpm
nss_ldap-226-6.i386.rpm
openldap-2.2.13-3.i386.rpm
openldap-clients-2.2.13-3.i386.rpm
openldap-devel-2.2.13-3.i386.rpm
openldap-servers-2.2.13-3.i386.rpm
samba-3.0.10-1.4E.2.i386.rpm
samba-client-3.0.10-1.4E.2.i386.rpm
samba-common-3.0.10-1.4E.2.i386.rpm
samba-swat-3.0.10-1.4E.2.i386.rpm
smbldap-tools-0.9.1-1.2.el4.rf.noarch.rpm
perl-Crypt-SmbHash-0.02-1.2.el4.rf.noarch.rpm
perl-Digest-SHA1-2.07-5.i386.rpm
perl-LDAP-0.31-5.noarch.rpm
perl-XML-SAX-0.12-7.noarch.rpm
--------------------------------------------------------------------------------------------
Note: all of the packages listed above can be downloaded from:
http://mirrors.jtlnet.com/centos/4/apt/i386/RPMS.os/
--------------------------------------------------------------------------------------------
Step 2. Install the required packages (mind the installation order):
# rpm -Uvh db4-4.2.52-7.1.i386.rpm
# rpm -Uvh db4-utils-4.2.52-7.1.i386.rpm
# rpm -Uvh db4-devel-4.2.52-7.1.i386.rpm
# rpm -Uvh mod_authz_ldap-0.26-2.i386.rpm
# rpm -Uvh nss_ldap-226-6.i386.rpm
# rpm -Uvh openldap-2.2.13-3.i386.rpm
# rpm -Uvh openldap-clients-2.2.13-3.i386.rpm
# rpm -Uvh openldap-devel-2.2.13-3.i386.rpm
# rpm -Uvh openldap-servers-2.2.13-3.i386.rpm
# rpm -Uvh samba-3.0.10-1.4E.2.i386.rpm
# rpm -Uvh samba-client-3.0.10-1.4E.2.i386.rpm
# rpm -Uvh samba-common-3.0.10-1.4E.2.i386.rpm
# rpm -Uvh samba-swat-3.0.10-1.4E.2.i386.rpm
# rpm -Uvh smbldap-tools-0.9.1-1.2.el4.rf.noarch.rpm
# rpm -Uvh perl-Crypt-SmbHash-0.02-1.2.el4.rf.noarch.rpm
# rpm -Uvh perl-Digest-SHA1-2.07-5.i386.rpm
# rpm -Uvh perl-LDAP-0.31-5.noarch.rpm
# rpm -Uvh perl-XML-SAX-0.12-7.noarch.rpm
Step 3. Configure the Linux system to authenticate against LDAP:
# setup (opens the text-mode setup tool)
In "Choose a Tool", select "Authentication configuration" and press "Run Tool":
Under "User Information", check "Cache Information" and "Use LDAP";
Under "Authentication", check "Use MD5 Passwords", "Use Shadow Passwords" and "Use LDAP Authentication";
then press "Next":
LDAP Settings:
[ ] Use TLS (leave unchecked);
Server: 127.0.0.1 (the default address is fine)
Base DN: dc=easy,dc=com (enter the domain suffix you want LDAP searches to use)
then press "OK":
The run looks like this:
[root@pdc ~]# setup
setsebool: SELinux is disabled.
停止 nscd: [ 失败 ]
启动 nscd: [ 确定 ]
After this you return to the "Choose a Tool" screen; press "Quit" to finish the LDAP authentication setup.
Step 4. Configuring OpenLDAP:
Copy samba.schema into /etc/openldap/schema (this adds the schema describing the Samba account attributes that LDAP needs):
# cp /usr/share/doc/samba-3.0.10/LDAP/samba.schema /etc/openldap/schema/
-----------------------------------------------------------------------------------------
Note: samba.schema must be copied into /etc/openldap/schema, otherwise starting ldap fails with the following error:
#service ldap start
检查 的配置文件:slaptest: bad configuration file! [失败]
-----------------------------------------------------------------------------------------
Edit /etc/openldap/slapd.conf; only the key changes are described here:
After the lines
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
add the following line:
include /etc/openldap/schema/samba.schema
database ldbm (the LDAP database backend)
change to:
database bdb
suffix "dc=my-domain,dc=com" (the domain suffix for LDAP searches)
rootdn "cn=Manager,dc=my-domain,dc=com" (the LDAP administrator DN)
change to:
suffix "dc=easy,dc=com"
rootdn "cn=Manager,dc=easy,dc=com"
# rootpw {crypt}ijFYNcSNctBYg (the password of the administrator DN)
change to:
rootpw {SSHA}zW6nrZ8Muho9GOl/nAk3grt4Xqq0ZpJi
-----------------------------------------------------------------------------------------
Note: the administrator DN password hash is generated like this:
# slappasswd -h {SSHA} -s jinbiao
{SSHA}zW6nrZ8Muho9GOl/nAk3grt4Xqq0ZpJi
-----------------------------------------------------------------------------------------
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
change to:
# Indices to maintain for this database
index objectClass,uidNumber,gidNumber eq
index cn,sn,uid,displayName pres,sub,eq
index memberUid,mail,givenname eq,subinitial
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
Add the following to the end of slapd.conf to define the LDAP access controls. Pay attention to the exact layout (the author wasted a lot of time and nerves on this one!). The rule for the password attributes must come before the general "access to *" rule, because slapd applies the first "access to" clause that matches:
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
by self write
by anonymous auth
by * none
access to *
by * read
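The following script is added here and is not part of the original article: it runs static checks on a slapd.conf for the points just described (samba.schema included, rootpw stored as a slappasswd hash, password ACL placed before the catch-all rule), using constructed sample files with the article's values to show both a correct and a mis-ordered ACL.

```shell
#!/bin/sh
# Added example, not from the original article: static checks on slapd.conf for the
# settings the article asks for. make_sample() writes a constructed file built from
# the article's values so the checks can be demonstrated without a real server.

# 0 if samba.schema is included (otherwise slaptest fails, as the article shows).
has_samba_schema() {
    grep -Eq '^include[[:space:]]+/etc/openldap/schema/samba\.schema' "$1"
}
# 0 if rootpw is a {SCHEME}hash as produced by slappasswd, not a clear-text value.
rootpw_is_hashed() {
    grep -Eq '^rootpw[[:space:]]+\{(SSHA|SHA|SMD5|MD5|CRYPT)\}' "$1"
}
# 0 if the rule protecting the password attributes comes before "access to *".
# slapd uses the first "access to" clause that matches, so a catch-all "by * read"
# placed first would make userPassword and the Samba hashes readable by anyone.
password_acl_first() {
    pw=$(grep -nE '^access to attrs=.*(userPassword|sambaNTPassword)' "$1" | head -n 1 | cut -d: -f1)
    all=$(grep -nE '^access to \*' "$1" | head -n 1 | cut -d: -f1)
    [ -n "$pw" ] && [ -n "$all" ] && [ "$pw" -lt "$all" ]
}
# Run all checks on a file; print one line per check and return the number of failures.
check_slapd_conf() {
    fails=0
    for c in has_samba_schema rootpw_is_hashed password_acl_first; do
        if "$c" "$1"; then echo "ok   $c"; else echo "FAIL $c"; fails=$((fails + 1)); fi
    done
    return "$fails"
}
# Constructed slapd.conf; "$1" = good puts the password ACL first, anything else puts
# the catch-all first. Prints the temporary file name.
make_sample() {
    f=$(mktemp) || return 1
    pw='access to attrs=userPassword,sambaLMPassword,sambaNTPassword
by self write
by anonymous auth
by * none'
    all='access to *
by * read'
    { printf '%s\n' 'include /etc/openldap/schema/core.schema' \
        'include /etc/openldap/schema/samba.schema' 'database bdb' \
        'suffix "dc=easy,dc=com"' 'rootdn "cn=Manager,dc=easy,dc=com"' \
        'rootpw {SSHA}zW6nrZ8Muho9GOl/nAk3grt4Xqq0ZpJi'
      if [ "$1" = good ]; then printf '%s\n%s\n' "$pw" "$all"; else printf '%s\n%s\n' "$all" "$pw"; fi
    } >"$f"
    echo "$f"
}
# Demo on the constructed samples; on the PDC run: check_slapd_conf /etc/openldap/slapd.conf
for kind in good bad; do
    s=$(make_sample "$kind"); echo "== $kind sample"; check_slapd_conf "$s"; rm -f "$s"
done
```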
Edit /etc/openldap/ldap.conf; only the key changes are described here:
BASE dc=example,dc=com (the domain suffix for LDAP searches)
change to:
BASE dc=easy,dc=com
TLS_CACERTDIR /etc/openldap/cacerts
change to:
# TLS_CACERTDIR /etc/openldap/cacerts (TLS is not used)
Edit /etc/ldap.conf (the nss_ldap configuration); only the key changes are described here:
base dc=example,dc=com (the domain suffix for LDAP searches)
change to:
base dc=easy,dc=com
Below the line #krb5_ccname FILE:/etc/.ldapcache add the following:
nss_base_passwd ou=Users,dc=easy,dc=com?one
nss_base_passwd ou=Computers,dc=easy,dc=com?one
nss_base_shadow ou=Users,dc=easy,dc=com?one
nss_base_group ou=Groups,dc=easy,dc=com?one
TLS_CACERTDIR /etc/openldap/cacerts
change to:
# TLS_CACERTDIR /etc/openldap/cacerts (TLS is not used)
Check that /etc/nsswitch.conf contains the following; normally no change is needed:
passwd: files ldap
shadow: files ldap
group: files ldap
Step 5. Start the ldap service and check that the port is listening:
# service ldap start (start the ldap service)
检查 slapd 的配置文件:config file testing succeeded
启动 slapd: [ 确定 ]
# netstat -an | grep 389 (check that the port is listening)
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN
tcp 0 0 :::389 :::* LISTEN
Step 6. Configuring Samba:
Samba's main configuration file is /etc/samba/smb.conf. The system actually ships an example configuration file that can serve as a reference; a few adjustments for your own environment are enough to make it usable:
# cp /usr/share/doc/smbldap-tools-0.9.1/smb.conf /etc/samba/ (copy it)
Edit /etc/samba/smb.conf; only the key changes are described here:
# Global parameters
[global]
workgroup = easy-pdc (sets the Samba domain name to easy-pdc)
netbios name = pdc (the computer name seen on the domain network)
username map = /etc/samba/smbusers
server string = Samba Server %v (server description)
security = user (authentication mode used by the Samba server: user)
encrypt passwords = Yes
min passwd length = 3
obey pam restrictions = No
ldap passwd sync = Yes
log level = 3 (log level set to 3)
syslog = 0
log file = /var/log/samba/log.%m (name and path of the Samba log files)
max log size = 100000
time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
mangling method = hash2
dos charset = CP936 (dos charset and unix charset give Samba 3.0 support for Chinese)
unix charset = cp936
unix charset = GB2312 (when a parameter is repeated, Samba uses the last value, so GB2312 is the one in effect)
logon script = logon.bat
logon drive = H:
logon home =
logon path =
domain logons = Yes (Samba accepts domain logons from users in the workgroup)
os level = 65 (the browser OS level, needed if Samba is to be the domain server)
preferred master = Yes
domain master = Yes (makes Samba the primary domain server)
wins support = yes
passdb backend = ldapsam:ldap://127.0.0.1/
ldap admin dn = cn=Manager,dc=easy,dc=com (your administrator DN)
ldap suffix = dc=easy,dc=com (the Samba search suffix for the domain)
ldap group suffix = ou=Groups (search suffix for Samba groups)
ldap user suffix = ou=Users (search suffix for Samba users)
ldap machine suffix = ou=Computers (search suffix for Samba computer accounts)
ldap idmap suffix = ou=Users (can be removed when Samba is the PDC)
ldap ssl = off (LDAP over SSL disabled)
ldap delete dn = Yes
add user script = /sbin/smbldap-useradd -m "%u"
add machine script = /sbin/smbldap-useradd -t 0 -w "%u"
add group script = /sbin/smbldap-groupadd -p "%g"
add user to group script = /sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /sbin/smbldap-usermod -g '%g' '%u'
printer admin = @"Print Operators"
load printers = Yes
create mask = 0640
directory mask = 0750
nt acl support = No
printing = cups
printcap name = cups
deadtime = 10
guest account = nobody
map to guest = Bad User
dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
show add printer wizard = yes
; to maintain capital letters in shortcuts in any of the profile folders:
preserve case = yes
short preserve case = yes
case sensitive = no
[homes]
comment = repertoire de %U, %u
read only = no
[netlogon]
path = /home/netlogon/
browseable = No
read only = yes
[profiles]
path = /home/profiles
read only = no
create mask = 0600
directory mask = 0700
browseable = No
guest ok = Yes
profile acls = yes
csc policy = disable
Create the directories and set their permissions:
# mkdir /home/netlogon /home/profiles
# chmod 1777 /home/profiles
Start the Samba service:
# service smb start
启动 SMB 服务: [ 确定 ]
启动 NMB 服务: [ 确定 ]
Store the LDAP administrator password for the Samba ldap admin dn (it must be the same as the rootdn password in your OpenLDAP configuration; be sure to keep a record of it!):
# smbpasswd -w jinbiao
Setting stored password for "cn=Manager,dc=easy,dc=com" in secrets.tdb
Step 7. Configuring and using smbldap-tools:
# cd /usr/share/doc/smbldap-tools-0.9.1/
# ./configure.pl
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-
smbldap-tools script configuration
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Before starting, check
. if your samba controller is up and running.
. if the domain SID is defined (you can get it with the 'net getlocalsid')
. you can leave the configuration using the Crtl-c key combination
. empty value can be set with the "." character
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Looking for configuration files...
... for the other prompts, accept the defaults by pressing Enter (details omitted) ...
sambaUnixIdPooldn object (relative to ${suffix}) [sambaDomainName=easy-pdc] > (the sambaDomainName domain name; easy-pdc in this example)
. ldap master server: IP adress or DNS name of the master (writable) ldap server
ldap master server [127.0.0.1] > (enter the IP address of the master LDAP server)
. ldap master port [389] > (port used by the master LDAP server)
. ldap master bind dn [cn=Manager,dc=easy,dc=com] > (press Enter)
. ldap master bind password [] > (enter the rootpw administrator password and press Enter)
. ldap slave server: IP adress or DNS name of the slave ldap server: can also
be the master one
ldap slave server [127.0.0.1] > (enter the IP address of the slave LDAP server)
. ldap slave port [389] > (port used by the slave LDAP server)
. ldap slave bind dn [cn=Manager,dc=easy,dc=com] >
. ldap slave bind password [] > (enter the rootpw administrator password and press Enter)
. default domain name to append to mail adress [] > (enter your domain name)
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
backup old configuration files:
/etc/smbldap-tools/smbldap.conf->/etc/smbldap-tools/smbldap.conf.old
/etc/smbldap-tools/smbldap_bind.conf->/etc/smbldap-tools/smbldap_bind.conf.old
writing new configuration file:
/etc/smbldap-tools/smbldap.conf done. (smbldap-tools parameter file)
/etc/smbldap-tools/smbldap_bind.conf done. (master/slave bind credentials file)
------------------------------------------------------------------------------------------
Note: the following entries in smbldap_bind.conf must be consistent with each other and with the OpenLDAP rootdn and its password:
slaveDN="cn=Manager,dc=easy,dc=com"
slavePW="jinbiao"
masterDN="cn=Manager,dc=easy,dc=com"
masterPW="jinbiao"
------------------------------------------------------------------------------------------
# smbldap-populate.pl (initialise the directory for the domain with smbldap-populate)
Populating LDAP directory for domain easy-pdc (S-1-5-21-2441264828-3615864963-325301904)
(using builtin directory structure)
adding new entry: dc=easy,dc=com
adding new entry: ou=Users,dc=easy,dc=com
adding new entry: ou=Groups,dc=easy,dc=com
adding new entry: ou=Computers,dc=easy,dc=com
entry ou=Users,dc=easy,dc=com already exist.
adding new entry: uid=root,ou=Users,dc=easy,dc=com
adding new entry: uid=nobody,ou=Users,dc=easy,dc=com
adding new entry: cn=Domain Admins,ou=Groups,dc=easy,dc=com
adding new entry: cn=Domain Users,ou=Groups,dc=easy,dc=com
adding new entry: cn=Domain Guests,ou=Groups,dc=easy,dc=com
adding new entry: cn=Domain Computers,ou=Groups,dc=easy,dc=com
adding new entry: cn=Administrators,ou=Groups,dc=easy,dc=com
adding new entry: cn=Account Operators,ou=Groups,dc=easy,dc=com
adding new entry: cn=Print Operators,ou=Groups,dc=easy,dc=com
adding new entry: cn=Backup Operators,ou=Groups,dc=easy,dc=com
adding new entry: cn=Replicators,ou=Groups,dc=easy,dc=com
adding new entry: sambaDomainName=easy-pdc,dc=easy,dc=com
Please provide a password for the domain root:
Changing password for root
New password : (enter the rootpw administrator password, jinbiao in this example, and press Enter)
Retype new password : (enter jinbiao again and press Enter)
Step 8. Creating, viewing and modifying Samba users and computer accounts:
# net getlocalsid (show the SMB domain SID)
SID for domain EASY-PDC is: S-1-5-21-2441264828-3615864963-325301904
# smbldap-useradd -a user1 (add a Samba account)
# smbldap-useradd -a -m user2 (add a Samba account and create its home directory)
# smbldap-useradd -m user3 (add a system user account and create its home directory)
# smbldap-useradd -w winxp$ (add a domain computer account)
------------------------------------------------------------------------------------------
Note: when adding a domain computer account with smbldap-useradd, the account name must end with a $ sign. A computer account created without the $ can still join the domain normally, but Windows afterwards reports the system error "A duplicate name exists on the network":
------------------------------------------------------------------------------------------
# smbldap-passwd user2 (change the password of user2)
Changing password for user2
New password :
Retype new password :
# smbldap-usershow user2 (show the information stored for user2)
dn: uid=user2,ou=Users,dc=easy,dc=com
objectClass: top,inetOrgPerson,posixAccount,shadowAccount,sambaSamAccount
cn: user2
sn: user2
uid: user2
uidNumber: 1001
gidNumber: 513
homeDirectory: /home/user2
loginShell: /bin/bash
gecos: System User
description: System User
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
displayName: System User
sambaSID: S-1-5-21-2441264828-3615864963-325301904-3002
sambaPrimaryGroupSID: S-1-5-21-2441264828-3615864963-325301904-513
sambaLogonScript: logon.bat
sambaProfilePath: \\easy-pdc\profiles\user2
sambaHomePath: \\easy-pdc\user2
sambaHomeDrive: H:
sambaLMPassword: 15881AE64C222524AAD3B435B51404EE
sambaAcctFlags: [U]
sambaNTPassword: D577561A7CF0233733F6EA39BB596996
sambaPwdLastSet: 1131106649
sambaPwdMustChange: 1134994649
userPassword: {SSHA}OYXqiHNqn5D6VRJvPu1tL1IndKFPN1R6
# smbldap-userinfo user2 (edit the personal information of user2)
Changing the user information for user2
Enter the new value, or press ENTER for the default
User Shell [/bin/bash]:/bin/sh
Full Name [System User]:fan jin baio
Room Number []:4873
Work Phone []:13060677004
Home Phone []:84680605
Other []:ha ha !
LDAP updated
Step 9. Testing user logons to Samba:
# smbclient -L 192.168.1.254 -U user2 (user2 logs on to the PDC server)
Password:
Domain=[EASY-PDC] OS=[Unix] Server=[Samba 3.0.10-1.4E.2]
Sharename Type Comment
--------- ---- -------
homes Disk repertoire de user2, user2
IPC$ IPC IPC Service (Samba Server 3.0.10-1.4E.2)
ADMIN$ IPC IPC Service (Samba Server 3.0.10-1.4E.2)
user2 Disk repertoire de user2, user2
Domain=[EASY-PDC] OS=[Unix] Server=[Samba 3.0.10-1.4E.2]
Server Comment
--------- -------
Workgroup Master
--------- -------
MYGROUP PDC
# ssh user2@192.168.1.254 (use ssh to test that the user added with smbldap-tools works correctly)
The authenticity of host '192.168.1.254 (192.168.1.254)' can't be established.
RSA key fingerprint is 2b:00:5d:4a:19:03:4a:15:a5:f7:7d:ab:d1:59:6a:c1.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.254' (RSA) to the list of known hosts.
user2@192.168.1.254's password:
-sh-3.00$ id (type id and press Enter to see your uid, gid and groups)
uid=1001(user2) gid=513(Domain Users) groups=513(Domain Users)
-sh-3.00$ exit (type exit to end this session)
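As a further test, added here and not part of the original article, the script below verifies that the slapd ACL from Step 4 actually hides userPassword, sambaLMPassword and sambaNTPassword from an anonymous search; the server address, base DN and user2 follow the article, while the LDIF samples are constructed with placeholder hash values.

```shell
#!/bin/sh
# Added example, not from the original article: detect password material in an LDAP
# search result. Under the article's ACL only the entry itself ("by self") and the
# rootdn may read these attributes; an anonymous search must come back without them.
PW_ATTRS='userPassword|sambaLMPassword|sambaNTPassword'

# Read LDIF on stdin and print the names of any password attributes found, one per
# line. ldapsearch prints non-printable values with "::" (base64), so both
# "attr: value" and "attr:: base64" are matched.
password_attrs_in_ldif() {
    grep -Eo "^($PW_ATTRS)::?[[:space:]]" | sed 's/:.*//' | LC_ALL=C sort -u
}

# 0 if the LDIF on stdin contains no password attribute at all.
ldif_is_clean() {
    [ -z "$(password_attrs_in_ldif)" ]
}

# Live check against the PDC from the article: an anonymous (-x without -D) search
# for user2 must be clean. The commented second search, bound as user2 itself, is
# expected to list the attributes, which confirms the "by self write" clause.
check_anonymous_search() {
    ldapsearch -x -LLL -H ldap://127.0.0.1/ -b 'ou=Users,dc=easy,dc=com' '(uid=user2)' \
        | ldif_is_clean
    # ldapsearch -x -LLL -H ldap://127.0.0.1/ -D 'uid=user2,ou=Users,dc=easy,dc=com' -W \
    #     -b 'ou=Users,dc=easy,dc=com' '(uid=user2)' | password_attrs_in_ldif
}

# Constructed sample of what a privileged bind sees (compare smbldap-usershow user2);
# the hash values are placeholders, not real ones.
SAMPLE_LEAKY='dn: uid=user2,ou=Users,dc=easy,dc=com
uid: user2
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF
userPassword:: e1NTSEF9Y29uc3RydWN0ZWQ='
# Constructed sample of what the anonymous search should return under the article's ACL.
SAMPLE_CLEAN='dn: uid=user2,ou=Users,dc=easy,dc=com
uid: user2
uidNumber: 1001
sambaSID: S-1-5-21-2441264828-3615864963-325301904-3002'

printf '%s\n' "$SAMPLE_LEAKY" | password_attrs_in_ldif   # prints sambaNTPassword, userPassword
printf '%s\n' "$SAMPLE_CLEAN" | ldif_is_clean && echo "clean sample: no password attributes"
```

On the PDC, run check_anonymous_search after the directory has been populated; a non-zero exit status means the ACL is not hiding the hashes.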
Step 10. Joining a Windows XP SP2 (Chinese edition) client to the SMB domain:
Before joining Windows XP SP2 to the SMB domain, first apply the following two registry files:
A. WinXP_PlainPassword.reg
B. WinXP_SignOrSeal.reg
------------------------------------------------------------------------------------------
Note: WinXP_PlainPassword.reg and WinXP_SignOrSeal.reg can be found in the directory /usr/share/doc/samba-3.0.10/docs/registry/.
------------------------------------------------------------------------------------------
After applying WinXP_PlainPassword.reg and WinXP_SignOrSeal.reg, click "My Computer" → "Properties" to open the "System Properties" window;
click the "Computer Name" tab → "Network ID" → "Change...";
the "Computer Name Changes" window appears:
under "Member of" → "Domain:" enter easy-pdc (the domain name defined by sambaDomainName);
a new "Computer Name Changes" dialog appears,
asking for the name and password of an account that has permission to join the domain:
User name: root
Password: jinbiao
If "Computer name:" and "Domain:" were entered correctly, after a short while the message "Welcome to the easy-pdc domain" appears;
close the "Welcome to the easy-pdc domain" message with "OK"; the next message says "You must restart this computer for the changes to take effect";
close that message, return to the "System Properties" window and press "OK" to close it;
the "System Settings Change" dialog then asks "You must restart your computer before the new settings will take effect. Do you want to restart your computer now?"; press "Yes" to close it;
this completes joining the Windows XP SP2 (Chinese edition) client to the SMB domain!
Appendix 1. Other articles by the author:
1. Installation notes for Jabberd-2.0s9 on RedHat Enterprise Server 4.1
Link: http://www.gd-linux.com/bbs/showthread.php?t=2845
2. Installation notes for configuring jdk-1.5.0.04 on RedHat Enterprise Server 4.1
Link: http://www.gd-linux.com/bbs/showthread.php?t=2813
3. Installation notes for configuring BIND-9.2.4-2 on Red Hat Enterprise Linux 4.1
Link: http://www.gd-linux.com/bbs/showthread.php?t=2866
4. Installation notes for RedHat AS 4.1 + Postfix + dovecot + Apache + OpenWebMail
Link: http://www.gd-linux.com/bbs/showthread.php?t=2864
5. Installation notes for Red Hat Enterprise Linux 4.1 + F-Prot Antivirus + MailScanner
Link: http://www.gd-linux.com/bbs/showthread.php?t=2953
6. Installation notes for Red Hat Enterprise Linux 4.1 + antivir-mailgate
Link: http://www.gd-linux.com/bbs/showthread.php?t=2956
7. Installation notes for Red Hat Enterprise Linux 4.1 + antivir-server-prof-2.1.4-11
Link: http://www.gd-linux.org/bbs/showthread.php?t=3082
8. Installation notes for RedHat AS 4.1 + Postfix + Dovecot + Cyrus-sasl
Link: http://extmail.org/forum/read.php?tid=564
9. Installation notes for RedHat AS 4.2 + Samba 3.0.10-1.4E.2 + OpenLDAP 2.2.13-3
Link: http://www.gd-linux.org/bbs/showthread.php?t=3144