Windowsのアカウント管理面倒くさい、Linuxともアカウントを共通化したい。ということでSambaとOpenLDAPでいじってみた。 今回も諸事情によりUbuntu 10.04です。

• ubuntuの(というかDebianもだけど)OpenLDAPはslapd.confを使いません。slapd.confふがほげという情報はいらないから捨て。そのおかげでどんだけ遠回りしたか…
• Sambaのドメインコントローラはldapsam:editposix=yesで作るのでsmbldap-toolsを使いません。

• https://help.ubuntu.com/10.04/serverguide/C/openldap-server.html
• https://help.ubuntu.com/10.04/serverguide/C/samba-ldap.html

• http://d.hatena.ne.jp/Voluntas/20071021/1192959912

• http://wiki.samba.org/index.php/Ldapsam_Editposix
• http://net-newbie.com/samba/

$ sudo apt-get install slapd ldap-utils

$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif

$ vi backend.ldif

パスワードはslappasswdで作った

$ slappasswd -h "{MD5}"
New password: 見えないけど入力
Re-enter new password: 見えないけどもう一度入力
{MD5}6nA+eqHv2gBk6qUH2eirfg==

# Load dynamic backend modules
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
olcModuleload: back_hdb
 
# Database settings
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: dc=example,dc=com
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=admin,dc=example,dc=com
olcRootPW: {MD5}6nA+eqHv2gBk6qUH2eirfg==
olcDbConfig: set_cachesize 0 2097152 0
olcDbConfig: set_lk_max_objects 1500
olcDbConfig: set_lk_max_locks 1500
olcDbConfig: set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcAccess: to attrs=userPassword by dn="cn=admin,dc=example,dc=com" write by anonymous auth by self write by * none
olcAccess: to attrs=shadowLastChange by self write by * read
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=admin,dc=example,dc=com" write by * read

設定を投入

$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f backend.ldif

dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: example.com
dc: example
 
dn: cn=admin,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:
 
dn: ou=users,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: users
 
dn: ou=groups,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: groups
 
dn: ou=idmap,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: idmap
 
dn: ou=computers,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: computers

投入

$ sudo ldapadd -x -D cn=admin,dc=example,dc=com -W -f frontend.ldif

samba-docパッケージに入ってるスキーマを/etc/ldap/schema/にコピーする。

$ sudo cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz /etc/ldap/schema/
$ sudo gzip -d /etc/ldap/schema/samba.schema.gz

Sambaスキーマそのままでは使えないのでschema_convert.confを作成する。

include /etc/ldap/schema/core.schema
include /etc/ldap/schema/collective.schema
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/duaconf.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/ppolicy.schema
include /etc/ldap/schema/samba.schema

変換作業用のディレクトリ/tmp/ldif_outputを作る。

$ mkdir /tmp/ldif_output

slapcatで変換して作業用ディレクトリに出力する。

$ slapcat -f schema_convert.conf -F /tmp/ldif_output -n0 -s "cn={12}samba,cn=schema,cn=config" > /tmp/cn=samba.ldif

生成された/tmp/cn\=samba.ldifを修正。 修正部分は頭のdn:とcn:にある{12}を削除、最後のstructuralObjectClass:以下の行を削除。

dn: cn={12}samba,cn=schema,cn=config ← cn={12}sambaをcn=sambaに修正
objectClass: olcSchemaConfig
cn: {12}samba ← {12}sambaをsambaに修正
 
(中略)
 
(ファイル最後のstructuralObjectClass: olcSchemaConfig以下をすべて削除)
structuralObjectClass: olcSchemaConfig
entryUUID: 7c4c4918-b0c3-102f-98a3-9f5a93b08c8b
creatorsName: cn=config
createTimestamp: 20110110050903Z
entryCSN: 20110110050903.047899Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20110110050903Z

修正した/tmp/cn\=samba.ldifを投入。

$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/cn\=samba.ldif

Sambaの設定ファイルsamba_indexes.ldifを作成。

dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: loginShell eq
olcDbIndex: uid eq,pres,sub
olcDbIndex: memberUid eq,pres,sub
olcDbIndex: uniqueMember eq,pres
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaGroupType eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sambaDomainName eq
olcDbIndex: default sub

そして投入。

$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f samba_indexes.ldif

$ sudo apt-get install libnss-ldap

debconfの質問に答える。

  * LDAP server Uniform Resource Identifier: → ldapi:///
  * Distinguished name of the search base: → dc=example,dc=com
  * LDAP version to use: → 3
  * Make local root Database admin: → Yes
  * Does the LDAP database require login? → No
  * LDAP account for root: → cn=admin,dc=example,dc=com
  * LDAP root account password: → (password)

やり直すときは sudo dpkg-reconfigure ldap-auth-config

$ sudo auth-client-config -t nss -p lac_ldap

• -t: only modifies /etc/nsswitch.conf.
• -p: name of the profile to enable, disable, etc.
• lac_ldap: the auth-client-config profile that is part of the ldap-auth-config package.

lv /etc/nsswitch.confで見るとこういう風に変わってるはず

# pre_auth-client-config # passwd:         compat
passwd: files ldap
# pre_auth-client-config # group:          compat
group: files ldap
# pre_auth-client-config # shadow:         compat
shadow: files ldap

/etc/auth-client-config/profile.d/acc-defaultの[ldap_example]以下をldap-auth-configにコピペ

#
# this example is for using ldap to authenticate and authorize.  This is only
# an example, and you will most likely have to create your own profiles to
# authenticate with your system. Note that this example requires the
# libpam-cracklib package to be installed.
#
[ldap_example]
nss_passwd=passwd: files ldap
nss_group=group: files ldap
nss_shadow=shadow: files ldap
nss_netgroup=netgroup: nis
pam_auth=auth       required     pam_env.so
	auth       sufficient   pam_unix.so likeauth nullok
	auth       sufficient   pam_ldap.so use_first_pass
	auth       required     pam_deny.so
pam_account=account    sufficient   pam_unix.so
	account    sufficient   pam_ldap.so
	account    required     pam_deny.so
pam_password=password   required     pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
	password   sufficient   pam_unix.so nullok md5 shadow use_authtok
	password   sufficient   pam_ldap.so use_first_pass
	password   required     pam_deny.so
pam_session=session    required     pam_limits.so
	session    required     pam_unix.so
	session    optional     pam_ldap.so

[lac_ldap]
nss_passwd=passwd: files ldap
nss_group=group: files ldap
nss_shadow=shadow: files ldap
nss_netgroup=netgroup: nis
pam_auth=auth       required     pam_env.so
        auth       sufficient   pam_unix.so likeauth nullok
        auth       sufficient   pam_ldap.so use_first_pass
        auth       required     pam_deny.so
pam_account=account    sufficient   pam_unix.so
        account    sufficient   pam_ldap.so
        account    required     pam_deny.so
pam_password=password   required     pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
        password   sufficient   pam_unix.so nullok md5 shadow use_authtok
        password   sufficient   pam_ldap.so use_first_pass
        password   required     pam_deny.so
pam_session=session    required     pam_limits.so
        session    required     pam_unix.so
        session required        pam_mkhomedir.so umask=0022 skel=/etc/skel ←ここ追加した
        session    optional     pam_ldap.so

$ sudo pam-auth-update

有効化する PAM プロファイル:
[*] Unix authentication
[*] Winbind NT/Active Directory authentication
[*] LDAP Authentication
[*] SMB password synchronization
[*] GNOME Keyring Daemon - Login keyring management
[*] ConsoleKit Session Management

とりあえず全部にしてるけど良いのかな?

よくわかってないけど/etc/samba/smb.confを設定する。

[global]
	dos charset = CP932
	unix charset = UTF-8
	workgroup = EXAMPLE
	domain logons = Yes
	passdb backend = ldapsam
	ldapsam:editposix = yes
	ldapsam:trusted = yes
 
	os level = 65
	domain master = Auto
	preferred master = Auto
	local master = Yes
 
	ldap admin dn = cn=admin,dc=example,dc=com
	ldap suffix = dc=example,dc=com
	ldap group suffix = ou=groups
	ldap machine suffix = ou=computers
	ldap user suffix = ou=users
	ldap ssl = no
 
	ldap idmap suffix = ou=idmap
 
	idmap backend = ldap:ldap://localhost/
	idmap uid = 50000-500000
	idmap gid = 50000-500000
 
	ldap delete dn = Yes
	ldap passwd sync = Yes
 
	wins support = Yes
 
	template shell = /usr/bash
	template homedir = /home/%U
 
	obey pam restrictions = Yes
 
	logon home = \\%N\%U
	logon path = \\%N\%U\profile
	logon drive = Z:
	logon script = logon.cmd
 
[netlogon]
	comment = Network Logon Service
	path = /srv/samba/netlogon
	guest ok = yes
	read only = yes
  	share modes = no

winbindとsmbd、nmbdを止める。

$ sudo service smbd stop
$ sudo service nmbd stop
$ sudo service winbind stop

cn=admin,dc=example,dc=comのパスワードを設定。

$ smbpasswd -w <PASSWD>
Setting stored password for "cn=admin,dc=example,dc=com" in secrets.tdb

winbindを起動。

$ sudo service winbind start
* Starting the Winbind daemon winbind  [ OK ]

初期ユーザーとグループを設定。

$ sudo net sam provision
Checking for Domain Users group.
Adding the Domain Users group.
Checking for Domain Admins group.
Adding the Domain Admins group.
Check for Administrator account.
Adding the Administrator user.
Checking for Guest user.
Adding the Guest user.
Checking Guest's group.
Adding the Domain Guests group.

Administratorのパスワードを設定。

$ sudo smbpasswd Administrator
New SMB password:
Retype new SMB password:

smbdとnmbdを起動。

$ sudo service nmbd start
nmbd start/running, process 2702
$ sudo service smbd start
smbd start/running, process 2711

Administratorに特権?を与える。この辺はSamba Wikiをそのまま

$ sudo net rpc rights grant Administrator SeAddUsersPrivilege -U Administrator
Enter Administrator's password:
Successfully granted rights.
$ sudo net rpc rights grant Administrator SeMachineAccountPrivilege -U Administrator
Enter Administrator's password:
Successfully granted rights.