Managing Windows accounts is a pain, and I want Linux to share the same accounts. So I tried out Samba with OpenLDAP. Once again, for various reasons, this is Ubuntu 10.04.
```
$ sudo apt-get install slapd ldap-utils
```

```
$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif
```
```
$ vi backend.ldif
```

The password was generated with slappasswd:

```
$ slappasswd -h "{MD5}"
New password:            (typed, not echoed)
Re-enter new password:   (typed again, not echoed)
{MD5}6nA+eqHv2gBk6qUH2eirfg==
```

```
# Load dynamic backend modules
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
olcModuleload: back_hdb

# Database settings
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: dc=example,dc=com
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=admin,dc=example,dc=com
olcRootPW: {MD5}6nA+eqHv2gBk6qUH2eirfg==
olcDbConfig: set_cachesize 0 2097152 0
olcDbConfig: set_lk_max_objects 1500
olcDbConfig: set_lk_max_locks 1500
olcDbConfig: set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcAccess: to attrs=userPassword by dn="cn=admin,dc=example,dc=com" write by anonymous auth by self write by * none
olcAccess: to attrs=shadowLastChange by self write by * read
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=admin,dc=example,dc=com" write by * read
```

Load the configuration:

```
$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f backend.ldif
```
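Two things in backend.ldif decide who can read password material: the scheme of olcRootPW and the olcAccess rule for userPassword (first matching `to` clause wins, and within it the first matching `by` clause wins, so `by anonymous auth` allows a bind without allowing a read, and the trailing `by * none` is what stops everyone else). The following is an added example, not part of the original post, with offline checks to run against the file before loading it. The function names (rootpw_scheme, rootpw_is_salted, userpassword_acl_ok, check_backend, sample_backend) and the sample file are my own; the sample reuses the {MD5} hash from the post, which these checks flag because {MD5} and {SHA} are unsalted digests, whereas slappasswd with no -h option produces salted {SSHA}.

```shell
#!/bin/sh
# Added example (not from the original post): offline sanity checks for a
# backend.ldif of the layout shown above (one olcRootPW line, olcAccess lines
# of the form "to attrs=... by ... by ...").

# Print the hash scheme of olcRootPW ("{MD5}", "{SSHA}", ...) or "cleartext"
# when the value carries no {SCHEME} prefix. Only the first olcRootPW counts.
rootpw_scheme() {
    awk '/^olcRootPW:/ {
        v = $2
        if (v ~ /^[{][A-Za-z0-9-]*[}]/) { sub(/[}].*/, "}", v); print v } else { print "cleartext" }
        exit
    }' "$1"
}

# Succeed only for schemes that salt the hash. {MD5} and {SHA} are plain
# digests; slappasswd without -h emits {SSHA}, which is the better choice.
rootpw_is_salted() {
    case "$(rootpw_scheme "$1")" in
        "{SSHA}"|"{SMD5}") return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed only when the userPassword ACL lets clients bind ("by anonymous
# auth") and ends with "by * none", so nobody else can read stored hashes.
userpassword_acl_ok() {
    rule=$(grep '^olcAccess: to attrs=userPassword' "$1")
    [ -n "$rule" ] || return 1
    printf '%s\n' "$rule" | grep -q 'by anonymous auth' || return 1
    printf '%s\n' "$rule" | grep -q 'by \* none *$'
}

# Run both checks on the file given as $1; exit status 0 only if both pass.
check_backend() {
    status=0
    echo "olcRootPW scheme: $(rootpw_scheme "$1")"
    if rootpw_is_salted "$1"; then
        echo "  salted: yes"
    else
        echo "  salted: no (prefer {SSHA}, slappasswd's default)"
        status=1
    fi
    if userpassword_acl_ok "$1"; then
        echo "userPassword ACL: ok"
    else
        echo "userPassword ACL: needs 'by anonymous auth' and a trailing 'by * none'"
        status=1
    fi
    return $status
}

# Constructed stand-in for backend.ldif with only the lines the checks read;
# prints the path of the temporary file.
sample_backend() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
olcRootDN: cn=admin,dc=example,dc=com
olcRootPW: {MD5}6nA+eqHv2gBk6qUH2eirfg==
olcAccess: to attrs=userPassword by dn="cn=admin,dc=example,dc=com" write by anonymous auth by self write by * none
olcAccess: to * by dn="cn=admin,dc=example,dc=com" write by * read
EOF
    printf '%s\n' "$f"
}

# Usage on the real file:  check_backend backend.ldif
```

Once the database is loaded, the same ACL can be confirmed live by searching anonymously (`ldapsearch -x -LLL -b dc=example,dc=com '(objectClass=*)' userPassword`): entries come back, but no userPassword attribute should appear in any of them.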
Then create frontend.ldif:

```
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: example.com
dc: example

dn: cn=admin,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:

dn: ou=users,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: users

dn: ou=groups,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: groups

dn: ou=idmap,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: idmap

dn: ou=computers,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: computers
```

Load it:

```
$ sudo ldapadd -x -D cn=admin,dc=example,dc=com -W -f frontend.ldif
```
Copy the schema shipped in the samba-doc package to /etc/ldap/schema/:

```
$ sudo cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz /etc/ldap/schema/
$ sudo gzip -d /etc/ldap/schema/samba.schema.gz
```

The Samba schema cannot be used as-is, so create schema_convert.conf:

```
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/collective.schema
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/duaconf.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/ppolicy.schema
include /etc/ldap/schema/samba.schema
```
Create a working directory /tmp/ldif_output for the conversion:

```
$ mkdir /tmp/ldif_output
```

Convert with slapcat, using the working directory for its output:

```
$ slapcat -f schema_convert.conf -F /tmp/ldif_output -n0 -s "cn={12}samba,cn=schema,cn=config" > /tmp/cn=samba.ldif
```
Edit the generated /tmp/cn\=samba.ldif. The changes: delete the {12} from the dn: and cn: lines at the top, and delete the final structuralObjectClass: line together with everything after it.

```
dn: cn={12}samba,cn=schema,cn=config   ← change cn={12}samba to cn=samba
objectClass: olcSchemaConfig
cn: {12}samba                          ← change {12}samba to samba
(...)
(delete everything from the last structuralObjectClass: olcSchemaConfig line onward)
structuralObjectClass: olcSchemaConfig
entryUUID: 7c4c4918-b0c3-102f-98a3-9f5a93b08c8b
creatorsName: cn=config
createTimestamp: 20110110050903Z
entryCSN: 20110110050903.047899Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20110110050903Z
```

Load the edited /tmp/cn\=samba.ldif:

```
$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/cn\=samba.ldif
```
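The two hand edits above are easy to get wrong on a long file (a leftover {12} makes ldapadd reject the entry, and a leftover entryUUID or entryCSN is rejected as a user-supplied operational attribute). Here is an added example, not from the original post, that does both edits with sed. The function names (clean_schema_ldif, sample_schema_ldif) and the abridged sample LDIF are my own; the sample's object class line uses a placeholder OID. The script assumes what slapcat produces for a cn=config schema entry: an ordering prefix {N} on the dn: and cn: lines, where N is the 0-based position of samba.schema among the include lines of schema_convert.conf (12 here, as samba.schema is the 13th include), and a trailing block of operational attributes that begins at the first structuralObjectClass: line.

```shell
#!/bin/sh
# Added example (not from the original post): automates the cleanup of the
# slapcat-generated cn=samba.ldif so it can be loaded into cn=config.

# Filter: reads the exported LDIF on stdin, writes the cleaned LDIF on stdout.
#  1. delete from the first structuralObjectClass: line to end of file
#     (this also drops entryUUID, creatorsName, entryCSN, ... that follow it)
#  2. strip the {N} ordering prefix on the dn: line
#  3. strip the {N} ordering prefix on the cn: line
clean_schema_ldif() {
    sed -e '/^structuralObjectClass:/,$d' \
        -e 's/^dn: cn={[0-9][0-9]*}/dn: cn=/' \
        -e 's/^cn: {[0-9][0-9]*}/cn: /'
}

# Constructed, abridged stand-in for /tmp/cn=samba.ldif so the filter can be
# exercised offline. The real file carries many olcAttributeTypes and
# olcObjectClasses lines; the OID below is a placeholder, not Samba's.
sample_schema_ldif() {
    cat <<'EOF'
dn: cn={12}samba,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {12}samba
olcObjectClasses: {0}( PLACEHOLDER-OID NAME 'sambaExample' SUP top AUXILIARY )
structuralObjectClass: olcSchemaConfig
entryUUID: 00000000-0000-0000-0000-000000000000
creatorsName: cn=config
createTimestamp: 20110101000000Z
entryCSN: 20110101000000.000000Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20110101000000Z
EOF
}

# Usage on the real file (the cleaned copy is what gets loaded):
#   clean_schema_ldif < /tmp/cn\=samba.ldif > /tmp/cn\=samba.clean.ldif
#   sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/cn\=samba.clean.ldif
```

The deletion runs first in the sed script, so the substitutions never see the operational attributes; the {N} patterns deliberately match any number rather than 12, so the same filter works if schema_convert.conf lists the includes in a different order.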
Create the Samba index configuration file samba_indexes.ldif:

```
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: loginShell eq
olcDbIndex: uid eq,pres,sub
olcDbIndex: memberUid eq,pres,sub
olcDbIndex: uniqueMember eq,pres
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaGroupType eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sambaDomainName eq
olcDbIndex: default sub
```

And load it:

```
$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f samba_indexes.ldif
```
```
$ sudo apt-get install libnss-ldap
```

Answer the debconf questions:

* LDAP server Uniform Resource Identifier: → ldapi:///
* Distinguished name of the search base: → dc=example,dc=com
* LDAP version to use: → 3
* Make local root Database admin: → Yes
* Does the LDAP database require login? → No
* LDAP account for root: → cn=admin,dc=example,dc=com
* LDAP root account password: → (password)

To redo this, run sudo dpkg-reconfigure ldap-auth-config.

```
$ sudo auth-client-config -t nss -p lac_ldap
```

If you look at /etc/nsswitch.conf (with lv), it should now have changed like this:

```
# pre_auth-client-config # passwd: compat
passwd: files ldap
# pre_auth-client-config # group: compat
group: files ldap
# pre_auth-client-config # shadow: compat
shadow: files ldap
```
Copy and paste the [ldap_example] section (and everything under it) from /etc/auth-client-config/profile.d/acc-default into ldap-auth-config:

```
#
# this example is for using ldap to authenticate and authorize. This is only
# an example, and you will most likely have to create your own profiles to
# authenticate with your system. Note that this example requires the
# libpam-cracklib package to be installed.
#
[ldap_example]
nss_passwd=passwd: files ldap
nss_group=group: files ldap
nss_shadow=shadow: files ldap
nss_netgroup=netgroup: nis
pam_auth=auth required pam_env.so
        auth sufficient pam_unix.so likeauth nullok
        auth sufficient pam_ldap.so use_first_pass
        auth required pam_deny.so
pam_account=account sufficient pam_unix.so
        account sufficient pam_ldap.so
        account required pam_deny.so
pam_password=password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
        password sufficient pam_unix.so nullok md5 shadow use_authtok
        password sufficient pam_ldap.so use_first_pass
        password required pam_deny.so
pam_session=session required pam_limits.so
        session required pam_unix.so
        session optional pam_ldap.so
```

```
[lac_ldap]
nss_passwd=passwd: files ldap
nss_group=group: files ldap
nss_shadow=shadow: files ldap
nss_netgroup=netgroup: nis
pam_auth=auth required pam_env.so
        auth sufficient pam_unix.so likeauth nullok
        auth sufficient pam_ldap.so use_first_pass
        auth required pam_deny.so
pam_account=account sufficient pam_unix.so
        account sufficient pam_ldap.so
        account required pam_deny.so
pam_password=password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
        password sufficient pam_unix.so nullok md5 shadow use_authtok
        password sufficient pam_ldap.so use_first_pass
        password required pam_deny.so
pam_session=session required pam_limits.so
        session required pam_unix.so
        session required pam_mkhomedir.so umask=0022 skel=/etc/skel   ← added this line
        session optional pam_ldap.so
```
```
$ sudo pam-auth-update
```

```
PAM profiles to enable:
 [*] Unix authentication
 [*] Winbind NT/Active Directory authentication
 [*] LDAP Authentication
 [*] SMB password synchronization
 [*] GNOME Keyring Daemon - Login keyring management
 [*] ConsoleKit Session Management
```

I've just enabled all of them for now, but is that actually OK?
I don't fully understand it, but here is how I configured /etc/samba/smb.conf:

```
[global]
    dos charset = CP932
    unix charset = UTF-8
    workgroup = EXAMPLE
    domain logons = Yes
    passdb backend = ldapsam
    ldapsam:editposix = yes
    ldapsam:trusted = yes
    os level = 65
    domain master = Auto
    preferred master = Auto
    local master = Yes
    ldap admin dn = cn=admin,dc=example,dc=com
    ldap suffix = dc=example,dc=com
    ldap group suffix = ou=groups
    ldap machine suffix = ou=computers
    ldap user suffix = ou=users
    ldap ssl = no
    ldap idmap suffix = ou=idmap
    idmap backend = ldap:ldap://localhost/
    idmap uid = 50000-500000
    idmap gid = 50000-500000
    ldap delete dn = Yes
    ldap passwd sync = Yes
    wins support = Yes
    template shell = /bin/bash
    template homedir = /home/%U
    obey pam restrictions = Yes
    logon home = \\%N\%U
    logon path = \\%N\%U\profile
    logon drive = Z:
    logon script = logon.cmd

[netlogon]
    comment = Network Logon Service
    path = /srv/samba/netlogon
    guest ok = yes
    read only = yes
    share modes = no
```
Stop winbind, smbd and nmbd:

```
$ sudo service smbd stop
$ sudo service nmbd stop
$ sudo service winbind stop
```

Set the password for cn=admin,dc=example,dc=com:

```
$ smbpasswd -w <PASSWD>
Setting stored password for "cn=admin,dc=example,dc=com" in secrets.tdb
```

Start winbind:

```
$ sudo service winbind start
 * Starting the Winbind daemon winbind                                   [ OK ]
```
Set up the initial users and groups:

```
$ sudo net sam provision
Checking for Domain Users group.
Adding the Domain Users group.
Checking for Domain Admins group.
Adding the Domain Admins group.
Check for Administrator account.
Adding the Administrator user.
Checking for Guest user.
Adding the Guest user.
Checking Guest's group.
Adding the Domain Guests group.
```

Set the Administrator password:

```
$ sudo smbpasswd Administrator
New SMB password:
Retype new SMB password:
```

Start smbd and nmbd:

```
$ sudo service nmbd start
nmbd start/running, process 2702
$ sudo service smbd start
smbd start/running, process 2711
```

Grant Administrator its privileges (is that the right word?). This part is straight from the Samba Wiki.

```
$ sudo net rpc rights grant Administrator SeAddUsersPrivilege -U Administrator
Enter Administrator's password:
Successfully granted rights.
$ sudo net rpc rights grant Administrator SeMachineAccountPrivilege -U Administrator
Enter Administrator's password:
Successfully granted rights.
```