2025-04-09 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/03 Report--
1. Environment preparation
1.1. Test environment
[root@moban ~]# cat /etc/redhat-release
CentOS release 6.8 (Final)
[root@moban ~]# uname -r
2.6.32-642.el6.x86_64
1.2. Synchronize the server time
[root@moban ~]# ntpdate pool.ntp.org
12 Nov 01:11:59 ntpdate[2354]: adjust time server 202.118.1.81 offset 0.004307 sec
[root@moban ~]# crontab -l
# time sync
*/5 * * * * /usr/sbin/ntpdate pool.ntp.org >/dev/null 2>&1
1.3. Disable SELinux and iptables
[root@moban ~]# getenforce
Enforcing
[root@moban ~]# setenforce 0
[root@moban ~]# getenforce
Permissive
[root@moban ~]# service iptables stop
2. Installation and configuration of OpenLDAP and Samba
2.1. Install OpenLDAP and Samba
[root@moban ~]# yum -y install openldap openldap-clients openldap-servers nss-pam-ldapd
[root@moban ~]# yum -y install samba-common samba samba-client
2.2. Configure OpenLDAP
a. Make samba.schema available to OpenLDAP
[root@moban ~]# cp /usr/share/doc/samba-3.6.23/LDAP/samba.schema /etc/openldap/schema/
b. Copy the sample configuration file for OpenLDAP
[root@moban ~]# cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
c. Generate the LDAP administrator password
[root@moban ~]# slappasswd -s 123456
{SSHA}Ae1JJTvbeP60y91e9MdAqOmpleSWG19o
d. Modify the configuration file
[root@moban ~]# vi /etc/openldap/slapd.conf
Insert the following at line 18:
18 include /etc/openldap/schema/samba.schema
Comment out lines 99 to 102:
99 # database config
100 # access to *
101 #     by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
102 #     by * none
Insert the following access rules starting at line 111:
111 access to attrs=userPassword
112     by self write
113     by anonymous auth
114     by * none
115 access to attrs=sambaNTPassword
116     by self write
117     by anonymous auth
118     by * none
119 access to *
120     by self write
121     by * read
Modify lines 126 to 134 as follows:
Before modification:
126 database bdb
127 suffix "dc=my-domain,dc=com"
128 checkpoint 1024 15
129 rootdn "cn=Manager,dc=my-domain,dc=com"
130 # Cleartext passwords, especially for the rootdn, should
131 # be avoided. See slappasswd(8) and slapd.conf(5) for details.
132 # Use of strong authentication encouraged.
133 # rootpw secret
134 # rootpw {crypt}ijFYNcSNctBYg
After modification:
126 database bdb
127 suffix "dc=etiantian,dc=org"
128 checkpoint 1024 15
129 rootdn "cn=admin,dc=etiantian,dc=org"
130 # Cleartext passwords, especially for the rootdn, should
131 # be avoided. See slappasswd(8) and slapd.conf(5) for details.
132 # Use of strong authentication encouraged.
133 # rootpw secret
134 rootpw {SSHA}Ae1JJTvbeP60y91e9MdAqOmpleSWG19o
Modify line 143 as follows:
Before modification:
index ou,cn,mail,surname,givenname eq,pres,sub
After modification:
index ou,cn,mail,surname,givenname eq,pres,sub,approx
Modify lines 105 to 109 as follows:
Before modification:
105 database monitor
106 access to *
107     by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
108     by dn.exact="cn=Manager,dc=my-domain,dc=com" read
109     by * none
After modification:
105 database monitor
106 access to *
107     by dn.exact="cn=admin,dc=etiantian,dc=org" read
108     by * none
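The access rules inserted at line 111 name only userPassword and sambaNTPassword; every other attribute is decided by the final "access to *" rule, which ends in "by * read". The script below is an added example, not part of the original article: it lists the password-bearing attributes that no attrs= rule covers before the catch-all. The function name, the sample text and the attribute list (userPassword plus the hash attributes defined in samba.schema) are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: list password-bearing attributes that no "access to attrs="
# rule covers before the catch-all "access to *" rule in slapd.conf.

# Constructed sample: the ACL block this tutorial inserts at line 111.
SAMPLE_ACL='access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to attrs=sambaNTPassword
    by self write
    by anonymous auth
    by * none
access to *
    by self write
    by * read'

# Attributes that hold password material: userPassword plus the hash and
# history attributes defined in samba.schema.
SECRET_ATTRS='userPassword sambaNTPassword sambaLMPassword sambaPasswordHistory'

# uncovered_secrets ACL_TEXT -> prints each secret attribute that is left to
# the catch-all rule. Assumes rules are written as "access to attrs=<list>".
uncovered_secrets() {
    printf '%s\n' "$1" | awk -v secrets="$SECRET_ATTRS" '
        BEGIN { n = split(secrets, want, " ") }
        # slapd applies the first matching "access to" rule, so only rules
        # placed before "access to *" can protect an attribute.
        $1 == "access" && $2 == "to" && !catchall {
            if ($3 == "*") { catchall = 1; next }
            if ($3 ~ /^attrs=/) {
                m = split(substr($3, 7), list, ",")
                for (i = 1; i <= m; i++) covered[tolower(list[i])] = 1
            }
        }
        END {
            if (!catchall) exit
            for (i = 1; i <= n; i++)
                if (!(tolower(want[i]) in covered)) print want[i]
        }'
}

uncovered_secrets "$SAMPLE_ACL"
```

Listing the reported attributes in the same attrs= rule as sambaNTPassword (attrs=sambaNTPassword,sambaLMPassword,sambaPasswordHistory) makes the script print nothing.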
2.3. Initialize OpenLDAP
a. Delete OpenLDAP's original configuration files and data
[root@moban ~]# rm -rf /etc/openldap/slapd.d/*
[root@moban ~]# rm -rf /var/lib/ldap/*
b. Copy the database configuration file
[root@moban ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@moban ~]# chown ldap.ldap -R /var/lib/ldap
[root@moban ~]# ll /var/lib/ldap
total 4
-rw-r--r--. 1 ldap ldap 845 Nov 12 01:54 DB_CONFIG
c. Generate the configuration for OpenLDAP 2.4
[root@moban ldap]# slaptest -u
config file testing succeeded
[root@moban ldap]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/ # convert the old-style slapd.conf into the slapd.d configuration directory
config file testing succeeded
d. Prepare the base data for OpenLDAP
[root@moban openldap]# vi base.ldif
dn: dc=etiantian,dc=org
objectClass: organization
objectClass: dcObject
dc: etiantian
o: etiantian

dn: ou=People,dc=etiantian,dc=org
objectClass: organizationalUnit
ou: People

dn: ou=group,dc=etiantian,dc=org
objectClass: organizationalUnit
ou: group
[root@moban openldap]# vi group.ldif
dn: cn=DBA,ou=group,dc=etiantian,dc=org
objectClass: posixGroup
objectClass: top
cn: DBA
memberUid: test1
gidNumber: 10673
[root@moban openldap]# vi user.ldif
dn: uid=test1,ou=People,dc=etiantian,dc=org
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
objectClass: shadowAccount
gidNumber: 0
givenName: test1
sn: test1
uid: test1
homeDirectory: /home/test1
loginShell: /bin/bash
shadowFlag: 0
shadowMin: 0
shadowMax: 99999
shadowWarning: 0
shadowInactive: 99999
shadowLastChange: 12011
shadowExpire: 99999
cn: test1
uidNumber: 24422
e. Import the base data into LDAP
[root@moban openldap]# slapadd -l base.ldif
58260c66 The first database does not allow slapadd; using the first available one (2)
_ # 100.0000% eta none elapsed none fast!
Closing DB...
[root@moban openldap]# slapadd -l group.ldif
58260c6d The first database does not allow slapadd; using the first available one (2)
_ # 100.0000% eta none elapsed none fast!
Closing DB...
[root@moban openldap]# slapadd -l user.ldif
58260c72 The first database does not allow slapadd; using the first available one (2)
_ # 100.0000% eta none elapsed none fast!
Closing DB...
[root@moban openldap]# chown -R ldap.ldap /var/lib/ldap
[root@moban openldap]# chown -R ldap.ldap /etc/openldap/slapd.d
[root@moban openldap]# chmod -R 700 /var/lib/ldap
[root@moban openldap]# chmod -R 700 /etc/openldap/slapd.d
2.4. Configure Samba
a. Modify the Samba configuration
[root@moban openldap]# cd /etc/samba/
[root@moban samba]# cp smb.conf smb.conf.ori
[root@moban samba]# vi smb.conf
[global]
workgroup = WORKGROUP
server string = Samba-ldap Server Version %v
netbios name = samba-ldapsam
log file = /var/log/samba/log.%m
max log size = 50
security = user
passdb backend = ldapsam:ldap://192.168.0.111/
ldap suffix = "dc=etiantian,dc=org"
ldap admin dn = "cn=admin,dc=etiantian,dc=org"
ldap user suffix = "ou=People,dc=etiantian,dc=org"
ldap group suffix = "ou=group,dc=etiantian,dc=org"
ldap delete dn = no
ldap passwd sync = yes
ldap ssl = no
[sambashare]
comment = share all
path = /app/log
browseable = yes
public = yes
writable = yes
[myshare]
comment = share for users
path = /application
browseable = yes
public = no
writable = yes
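With "ldap ssl = no" and an ldap:// URL, the bind as cn=admin and the password changes pushed by "ldap passwd sync = yes" cross the network unencrypted, and [sambashare] is both public and writable. The script below is an added example, not part of the original article, that flags these two conditions in an smb.conf; the function name and the trimmed sample text are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: flag smb.conf settings that send the ldapsam bind and
# password sync in cleartext, or that leave a share guest-writable.

# Constructed sample: an excerpt of the smb.conf from this tutorial.
SAMPLE_SMB_CONF='[global]
passdb backend = ldapsam:ldap://192.168.0.111/
ldap passwd sync = yes
ldap ssl = no
[sambashare]
path = /app/log
public = yes
writable = yes
[myshare]
path = /application
public = no
writable = yes'

# audit_smb_conf CONF_TEXT -> one finding per line, "section: issue".
audit_smb_conf() {
    printf '%s\n' "$1" | awk '
        function endsec() {   # report the section that just ended
            if (guest && rw) print sec ": guest-writable share"
            guest = 0; rw = 0
        }
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ {
            endsec(); sec = $0
            gsub(/^[ \t]*\[|\].*$/, "", sec); next
        }
        index($0, "=") {
            eq = index($0, "=")   # Samba ignores case and spaces in names
            key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
            val = tolower(substr($0, eq + 1)); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "passdbbackend" && val ~ /^ldapsam:ldap:\/\//) plain = 1
            if (key == "ldapssl" && val ~ /^(no|off)$/) notls = 1
            if ((key == "public" || key == "guestok") && val == "yes") guest = 1
            if ((key == "writable" || key == "writeable") && val == "yes") rw = 1
            if (key == "readonly" && val == "no") rw = 1
        }
        END {
            endsec()
            if (plain && notls) print "global: ldapsam uses ldap:// with ldap ssl disabled"
        }'
}

audit_smb_conf "$SAMPLE_SMB_CONF"
```

Setting "ldap ssl = start tls" (which also requires a TLS certificate configured on the slapd side) and "public = no" on the writable share clears both findings.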
b. Create the shared data directories
[root@moban samba]# mkdir /app/log -p
[root@moban samba]# mkdir /application
Tip: to simplify testing, set the directories to mode 777 for now.
[root@moban samba]# chmod -R 777 /application
[root@moban samba]# chmod -R 777 /app/log
c. Save the OpenLDAP admin password in Samba
Tip: so that Samba can access LDAP, save the LDAP administrator's password in Samba's secrets.tdb (/var/lib/samba/private/secrets.tdb).
[root@moban samba]# smbpasswd -w 123456
Setting stored password for "cn=admin,dc=etiantian,dc=org" in secrets.tdb
d. Add the Samba test user to OpenLDAP
[root@moban openldap]# cat /etc/passwd | grep admin    # system user
admin:x:500:500::/home/admin:/bin/bash
[root@moban samba]# cd /etc/openldap/
[root@moban openldap]# vi /etc/samba/smbusers
Add the Samba user at the bottom:
admin = sambatest # the system user admin is mapped to the virtual SMB user name sambatest
[root@moban openldap]# vi sambauser.ldif
dn: uid=sambatest,ou=People,dc=etiantian,dc=org
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
objectClass: shadowAccount
gidNumber: 1009
givenName: sambatest
sn: sambatest
uid: sambatest
homeDirectory: /home/sambatest
loginShell: /bin/bash
shadowFlag: 0
shadowMin: 0
shadowMax: 99999
shadowWarning: 0
shadowInactive: 99999
shadowLastChange: 12011
shadowExpire: 99999
cn: sambatest
uidNumber: 24425
[root@moban openldap]# slapadd -l sambauser.ldif
58261bcf The first database does not allow slapadd; using the first available one (2)
_ # 100.0000% eta none elapsed none fast!
Closing DB...
e. Set the operating system to authenticate users from LDAP
Tip: configure the system to look the user up in OpenLDAP if the user is not found in /etc/passwd.
[root@moban openldap]# authconfig-tui
User Information
[*] Use LDAP
Authentication
[*] Use Fingerprint reader
┌─┤ LDAP Settings ├─
│
│ [ ] Use TLS
│ Server: ldap://192.168.0.111/
│ Base DN: dc=etiantian,dc=org
[root@moban openldap]# grep "ldap" /etc/nsswitch.conf
passwd: files ldap
shadow: files ldap
group: files ldap
netgroup: files ldap
automount: files ldap
[root@moban openldap]# tail -3 ldap.conf
URI ldap://192.168.0.111/
BASE dc=etiantian,dc=org
TLS_CACERTDIR /etc/openldap/cacerts
[root@moban openldap]# /etc/init.d/slapd start
[root@moban openldap]# /etc/init.d/smb start
f. Test retrieving user information from LDAP
[root@moban openldap]# id sambatest
uid=24425(sambatest) gid=1009 groups=1009
[root@moban openldap]# grep "sambatest" /etc/passwd
Note: sambatest is not found in the passwd file, which shows that the sambatest account was obtained from LDAP.
g. Set the password for the test user sambatest
[root@moban openldap]# smbpasswd -a sambatest
New SMB password:123456789
Retype new SMB password:123456789
Added user sambatest.
h. Test whether the sambatest user can log in to Samba
[root@moban openldap]# smbclient -U sambatest //192.168.0.111/sambashare
Enter sambatest's password:
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.6.23-36.el6_8]
smb: \> ls
. D 0 Sat Nov 5 20:38:28 2016
.. D 0 Thu Oct 27 13:01:13 2016
UM4SW7~D.LOG A 74 Thu Oct 27 19:29:01 2016
U41Y9B~1.LOG A 85 Thu Oct 27 19:37:24 2016
U0XZAY~G.LOG A 117 Thu Oct 27 19:18:40 2016
UAKC5V~4.LOG A 99 Thu Oct 27 19:27:02 2016
UO0D3H~P.LOG A 0 Sat Nov 5 20:38:28 2016
U3DW4T~X.LOG A 48 Thu Oct 27 19:30:14 2016
51760 blocks of size 524288. 45745 blocks available
smb: \>
[root@moban openldap]# smbclient -U sambatest //192.168.0.111/myshare
Enter sambatest's password:
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.6.23-36.el6_8]
smb: \> ls
. D 0 Sat Nov 5 23:26:28 2016
.. DR 0 Fri Nov 11 22:26:21 2016
Svndata D 0 Thu Oct 27 01:48:57 2016
Create a new Microsoft Access database. Accdb A 512000 Sat Nov 5 23:26:28 2016
Svnpasswd D 0 Sat Nov 5 21:02:06 2016
51760 blocks of size 524288. 45745 blocks available
smb: \>
The results above show that Samba access authenticated through OpenLDAP works normally. Next, take a look at access from Windows, as shown below: