
Setting up a file sharing server with samba + OpenLDAP

2025-04-04 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

This article shows how to build a file sharing server with samba + OpenLDAP. The editor found it very practical and shares it here as a reference; follow along to see how it is done.

The versions used here are samba (file sharing service) v4.9.1, OpenLDAP (back-end database) v2.4.44 and smbldap-tools (back-end database management tool) v0.9.11, all on CentOS 7. Other versions may behave differently.

Note:

samba is not only a file sharing service: it can also act as a Windows domain member, or even as a Windows domain controller. Never think of samba as just a file sharing service.

Because we use samba's file sharing function, which is directly tied to file permissions, the users samba knows about must also be resolvable on Linux. Since OpenLDAP is samba's back-end database, Linux also has to be configured to look up user information in OpenLDAP, that is, NSS must be configured. The NSS part can only be completed after smbldap-tools has initialized the LDAP database.

samba can use PAM as its authentication module, but it also has its own authentication code; the CentOS build is configured to use its own, so PAM configuration can be omitted.

If you also want OpenLDAP users to be able to log in to the system, see the article "Configuring Linux to use LDAP user authentication". Its configuration differs from the one in this article, so take care.

Initial configuration

Yum repository and network configuration are omitted.

yum -y install samba openldap-servers openldap-clients smbldap-tools nss-pam-ldapd

Configure the OpenLDAP service

Only a simple service configuration is done here; the database itself will be set up with smbldap-tools. If you are not familiar with OpenLDAP, see the article "OpenLDAP Service Building and Post-Management".

All existing OpenLDAP configuration is cleared here and rebuilt from scratch.


# back up the files first, in case you need to recover them
mkdir /root/back
tar -Jcvf /root/back/slapd.config-`date '+(%Y.%m.%d_%H:%M:%S)'`.tar.xz /etc/openldap/slapd.d/
tar -Jcvf /root/back/slapd.data-`date '+(%Y.%m.%d_%H:%M:%S)'`.tar.xz /var/lib/ldap/
# then delete the configuration files and the database
rm -rf /etc/openldap/slapd.d/*
rm -rf /var/lib/ldap/*
# copy the samba schema file
cp /usr/share/doc/samba-4.9.1/LDAP/samba.ldif /etc/openldap/schema/

I copied the configuration file from /usr/share/openldap-servers/slapd.ldif and modified it as shown below. The main changes are the baseDN (suffix), the TLS settings, olcRootPW (the hash is generated with slappasswd; the password used in this article is 123456) and the include lines.

# file: /tmp/slapd.ldif
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/openldap/slapd.args
olcPidFile: /var/run/openldap/slapd.pid

dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema

include: file:///etc/openldap/schema/core.ldif
include: file:///etc/openldap/schema/cosine.ldif
include: file:///etc/openldap/schema/nis.ldif
include: file:///etc/openldap/schema/inetorgperson.ldif
include: file:///etc/openldap/schema/samba.ldif

dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: frontend

dn: olcDatabase=config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none

dn: olcDatabase=monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: monitor
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=black,dc=com" read by * none

dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: hdb
olcSuffix: dc=black,dc=com
olcRootDN: cn=Manager,dc=black,dc=com
olcRootPW: {SSHA}l1vBI/HOMKLEiQZgcm3Co+hFQI68rH1Q
olcDbDirectory: /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
olcDbIndex: uid

Generate the server's configuration directory from this file:

slapadd -F "/etc/openldap/slapd.d/" -b "cn=config" -l /tmp/slapd.ldif
# note that the generated files belong to root and must be changed back to the ldap user
chown -R ldap:ldap /etc/openldap/slapd.d/*
# then start the service
systemctl start slapd

_ # 100.0000% eta none elapsed none fast!

Closing DB...

Note: this only configures the OpenLDAP service itself, not the contents of its database. That point is stressed again below.

Configure samba

This is only meant to test samba together with OpenLDAP, so there is no complex share configuration: only each user's home directory is shared, for testing purposes.

# file: /etc/samba/smb.conf
# (comments are on their own lines: samba only treats a line as a comment when it starts with # or ;)
[global]
        # share group name
        workgroup = MYGROUP
        server string = Samba Server Version %v
        # log file
        log file = /var/log/samba/log
        # security level: user
        security = user
        # passdb back-end database: ldapsam, i.e. the LDAP server
        passdb backend = ldapsam:ldap://127.0.0.1
        # ldap suffix
        ldap suffix = dc=black,dc=com
        # user container; ou=People is combined with the suffix above
        ldap user suffix = ou=People
        # same as above, for groups
        ldap group suffix = ou=Group
        # administrator DN used to query the ldap service
        ldap admin dn = cn=Manager,dc=black,dc=com
        # do not use SSL for the ldap connection
        ldap ssl = no
        # do not load shared printers
        load printers = no
[homes]
        comment = Home Directories
        browseable = no
        writable = yes
        create mask = 0600
        directory mask = 700

# store the password used to connect to the LDAP service; very important, otherwise the smb service cannot start
smbpasswd -w 123456

Start the samba service

systemctl start nmb
systemctl start smb

smbldap-tools configuration

smbldap-tools is used to quickly populate the data the samba service needs, and users are then managed through smbldap-tools. One drawback of smbldap-tools is that it does not check whether local users already use the same UID or GID, so conflicts are possible; keep that in mind.

smbldap-tools reads part of its information from /etc/samba/smb.conf, so samba must be configured before smbldap-tools.

smbldap-config   # generate the smbldap-tools configuration; this is the easiest way to configure it

The interactive configuration steps are omitted here; accept the defaults if you are unsure.

smbldap-populate   # initialize the OpenLDAP database

A further user is created here for later testing.

smbldap-useradd -a -m User1   # add user User1
# -a: also add a Windows (samba) account, so that samba can recognize the user
# -m: create the user's home directory
smbldap-passwd User1          # set this user's password

The password prompts are omitted here.

With that, the OpenLDAP database is initialized and its contents can be queried. The figure below (a screenshot from Apache Directory Studio) shows what smbldap-populate created. If you are interested, see "Easy to use Apache Directory Studio".

In the figure we can see users with UID root and nobody. I do not want these special users to be able to log in to the server, so in the configuration below I exclude these two users with a filter.

NSS configuration

NSS forwards LDAP lookups to nslcd, and nslcd queries the user information in OpenLDAP.

First configure NSS: only the passwd and group databases need ldap added.

# file: /etc/nsswitch.conf
passwd:     files ldap
shadow:     files
group:      files ldap
hosts:      files dns myhostname
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss
netgroup:   nisplus sss
publickey:  nisplus
automount:  files nisplus sss
aliases:    files nisplus

Then configure nslcd. Note that nslcd runs as a daemon and must be restarted after the configuration changes.

# file: /etc/nslcd.conf
uid nslcd
gid ldap
# ldap URL
uri ldap://127.0.0.1/
# base DN
base dc=black,dc=com
# user used for the connection
binddn cn=Manager,dc=black,dc=com
# its password
bindpw 123456
# do not use SSL for the connection
ssl no
# filter for passwd lookups
filter passwd (&(objectClass=posixAccount)(uidNumber>=1000))
# same for groups
filter group (&(objectClass=posixGroup)(gidNumber>=500))

chmod 600 /etc/nslcd.conf   # the file contains the bind password; without this permission the service refuses to start
systemctl start nslcd       # start the nslcd service
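The smb.conf, nsswitch.conf and nslcd.conf settings above are the ones this walkthrough treats as essential; the following script is an added example (not part of the original article) that audits copies of those three files for them and runs itself against constructed good and bad samples. The function names audit_ldap_stack and make_demo are chosen here.

```shell
#!/bin/sh
# Added example, not from the original article: audit the three files the
# walkthrough writes (smb.conf, nsswitch.conf, nslcd.conf) for the settings it
# calls essential. audit_ldap_stack and make_demo are names chosen here.

# audit_ldap_stack SMB_CONF NSSWITCH_CONF NSLCD_CONF
# Prints one FAIL line per problem and returns the number of failed checks.
audit_ldap_stack() {
    smb=$1; nss=$2; nslcd=$3; fails=0
    # passdb must be ldapsam, otherwise accounts live in a local tdb, not in LDAP
    grep -Eq '^[[:space:]]*passdb backend[[:space:]]*=[[:space:]]*ldapsam:' "$smb" \
        || { echo "FAIL: passdb backend is not ldapsam in $smb"; fails=$((fails+1)); }
    # passwd and group must consult ldap or samba users cannot be resolved to uids
    for db in passwd group; do
        grep -Eq "^[[:space:]]*$db:.*[[:space:]]ldap([[:space:]]|\$)" "$nss" \
            || { echo "FAIL: $db does not list ldap in $nss"; fails=$((fails+1)); }
    done
    # nslcd.conf holds bindpw in clear text; the article requires mode 600
    perm=$(ls -l "$nslcd" | cut -c1-10)
    [ "$perm" = "-rw-------" ] \
        || { echo "FAIL: $nslcd is $perm, expected -rw------- (chmod 600)"; fails=$((fails+1)); }
    # the passwd filter should keep root (uid 0) and nobody out of the LDAP view
    grep -Eq '^[[:space:]]*filter[[:space:]]+passwd.*uidNumber>=1000' "$nslcd" \
        || { echo "FAIL: passwd filter does not restrict uidNumber>=1000"; fails=$((fails+1)); }
    return "$fails"
}

# make_demo: constructed sample files (a correct set and a weak set) in a temp
# directory; prints the directory. Values mirror the article's dc=black,dc=com.
make_demo() {
    d=$(mktemp -d); mkdir "$d/good" "$d/bad"
    printf '[global]\n\tsecurity = user\n\tpassdb backend = ldapsam:ldap://127.0.0.1\n' > "$d/good/smb.conf"
    printf 'passwd: files ldap\nshadow: files\ngroup:  files ldap\n' > "$d/good/nsswitch.conf"
    printf 'base dc=black,dc=com\nbindpw 123456\nfilter passwd (&(objectClass=posixAccount)(uidNumber>=1000))\n' > "$d/good/nslcd.conf"
    chmod 600 "$d/good/nslcd.conf"
    # weak variant: local tdb backend, group without ldap, readable bindpw, no uid floor
    printf '[global]\n\tpassdb backend = tdbsam\n' > "$d/bad/smb.conf"
    printf 'passwd: files ldap\ngroup:  files\n' > "$d/bad/nsswitch.conf"
    printf 'bindpw 123456\nfilter passwd (objectClass=posixAccount)\n' > "$d/bad/nslcd.conf"
    chmod 644 "$d/bad/nslcd.conf"
    echo "$d"
}
# Usage on a real host: audit_ldap_stack /etc/samba/smb.conf /etc/nsswitch.conf /etc/nslcd.conf
```

The weak sample trips all four checks; on a real host the same function reports which of the article's required settings is missing before the services are started.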

Now test whether the NSS configuration works:

getent passwd User1

User1:*:1001:513:System User:/var/smb/User1:/bin/bash

As shown above, the NSS and OpenLDAP services we configured are in effect, so let's continue with samba to make the share usable.

Samba permission configuration

If you look closely, you will notice that I put the users' home directories under /var/smb, mainly so that they are not mixed up with system users. This also lets SELinux isolate samba's resources and deny samba access to the /home path. Details follow.

# the users' home directories were already created by smbldap-useradd, so SELinux can be configured directly
semanage fcontext -a -t samba_share_t '/var/smb(/.*)?'
# this changes the default type of the /var/smb path to samba_share_t, the type that samba shares are allowed to access by default.
# if you wanted samba to access /home, you would have to turn on the samba_enable_home_dirs boolean;
# because samba_share_t is used here, no boolean is needed, and samba can only reach /var/smb and its own required files.
restorecon -R /var/smb/
# apply the SELinux type to the /var/smb directory
# now test samba
smbclient -L //127.0.0.1/ -U User1

As we can see here, User1 can log in and list the shared directory.

So let's log in, upload some files and run a few tests:

With that, samba file sharing is complete.

Thank you for reading! This is the end of the article on how to build a file sharing server with samba + OpenLDAP. I hope the above helps you learn something new; if you found the article useful, share it so that more people can see it!
