SambaとOpenLDAPでドメインコントローラを作る
はじめに
Windowsのアカウント管理面倒くさい、Linuxともアカウントを共通化したい。ということでSambaとOpenLDAPでいじってみた。 今回も諸事情によりUbuntu 10.04です。
特記事項
- ubuntuの(というかDebianもだけど)OpenLDAPはslapd.confを使いません。slapd.confふがほげという情報はいらないから捨て。そのおかげでどんだけ遠回りしたか…
- Sambaのドメインコントローラはldapsam:editposix=yesで作るのでsmbldap-toolsを使いません。
参考
OpenLDAPのインストール
OpenLDAPのインストール
$ sudo apt-get install slapd ldap-utils
スキーマファイルをロード
$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif $ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif $ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif
OpenLDAPの設定
$ vi backend.ldif
パスワードはslappasswdで作った
$ slappasswd -h "{MD5}"
New password: 見えないけど入力
Re-enter new password: 見えないけどもう一度入力
{MD5}6nA+eqHv2gBk6qUH2eirfg==
backend.ldif
# Load dynamic backend modules
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
olcModuleload: back_hdb
# Database settings
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: dc=example,dc=com
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=admin,dc=example,dc=com
olcRootPW: {MD5}6nA+eqHv2gBk6qUH2eirfg==
olcDbConfig: set_cachesize 0 2097152 0
olcDbConfig: set_lk_max_objects 1500
olcDbConfig: set_lk_max_locks 1500
olcDbConfig: set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcAccess: to attrs=userPassword by dn="cn=admin,dc=example,dc=com" write by anonymous auth by self write by * none
olcAccess: to attrs=shadowLastChange by self write by * read
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=admin,dc=example,dc=com" write by * read
設定を投入
$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f backend.ldif
フロントエンド
frontend.ldif
dn: dc=example,dc=com objectClass: top objectClass: dcObject objectClass: organization o: example.com dc: example dn: cn=admin,dc=example,dc=com objectClass: simpleSecurityObject objectClass: organizationalRole cn: admin description: LDAP administrator userPassword: dn: ou=users,dc=example,dc=com objectClass: top objectClass: organizationalUnit ou: users dn: ou=groups,dc=example,dc=com objectClass: top objectClass: organizationalUnit ou: groups dn: ou=idmap,dc=example,dc=com objectClass: top objectClass: organizationalUnit ou: idmap dn: ou=computers,dc=example,dc=com objectClass: top objectClass: organizationalUnit ou: computers
投入
$ sudo ldapadd -x -D cn=admin,dc=example,dc=com -W -f frontend.ldif
Sambaの設定
samba-docパッケージに入ってるスキーマを/etc/ldap/schema/にコピーする。
$ sudo cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz /etc/ldap/schema/ $ sudo gzip -d /etc/ldap/schema/samba.schema.gz
Sambaスキーマそのままでは使えないのでschema_convert.confを作成する。
schema_convert.conf
include /etc/ldap/schema/core.schema include /etc/ldap/schema/collective.schema include /etc/ldap/schema/corba.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/duaconf.schema include /etc/ldap/schema/dyngroup.schema include /etc/ldap/schema/inetorgperson.schema include /etc/ldap/schema/java.schema include /etc/ldap/schema/misc.schema include /etc/ldap/schema/nis.schema include /etc/ldap/schema/openldap.schema include /etc/ldap/schema/ppolicy.schema include /etc/ldap/schema/samba.schema
変換作業用のディレクトリ/tmp/ldif_outputを作る。
$ mkdir /tmp/ldif_output
slapcatで変換して作業用ディレクトリに出力する。
$ slapcat -f schema_convert.conf -F /tmp/ldif_output -n0 -s "cn={12}samba,cn=schema,cn=config" > /tmp/cn=samba.ldif
生成された/tmp/cn\=samba.ldifを修正。 修正部分は頭のdn:とcn:にある{12}を削除、最後のstructuralObjectClass:以下の行を削除。
/tmp/cn\=samba.ldif
dn: cn={12}samba,cn=schema,cn=config ← cn={12}sambaをcn=sambaに修正
objectClass: olcSchemaConfig
cn: {12}samba ← {12}sambaをsambaに修正
(中略)
(ファイル最後のstructuralObjectClass: olcSchemaConfig以下をすべて削除)
structuralObjectClass: olcSchemaConfig
entryUUID: 7c4c4918-b0c3-102f-98a3-9f5a93b08c8b
creatorsName: cn=config
createTimestamp: 20110110050903Z
entryCSN: 20110110050903.047899Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20110110050903Z
修正した/tmp/cn\=samba.ldifを投入。
$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/cn\=samba.ldif
Sambaの設定ファイルsamba_indexes.ldifを作成。
samba_indexes.ldif
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: loginShell eq
olcDbIndex: uid eq,pres,sub
olcDbIndex: memberUid eq,pres,sub
olcDbIndex: uniqueMember eq,pres
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaGroupType eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sambaDomainName eq
olcDbIndex: default sub
そして投入。
$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f samba_indexes.ldif
LDAPの認証
$ sudo apt-get install libnss-ldap
debconfの質問に答える。
debconfの質問
* LDAP server Uniform Resource Identifier: → ldapi:/// * Distinguished name of the search base: → dc=example,dc=com * LDAP version to use: → 3 * Make local root Database admin: → Yes * Does the LDAP database require login? → No * LDAP account for root: → cn=admin,dc=example,dc=com * LDAP root account password: → (password)
やり直すときは sudo dpkg-reconfigure ldap-auth-config
$ sudo auth-client-config -t nss -p lac_ldap
- -t: only modifies /etc/nsswitch.conf.
- -p: name of the profile to enable, disable, etc.
- lac_ldap: the auth-client-config profile that is part of the ldap-auth-config package.
lv /etc/nsswitch.confで見るとこういう風に変わってるはず
/etc/nsswitch.conf
# pre_auth-client-config # passwd: compat passwd: files ldap # pre_auth-client-config # group: compat group: files ldap # pre_auth-client-config # shadow: compat shadow: files ldap
/etc/auth-client-config/profile.d/acc-defaultの[ldap_example]以下をldap-auth-configにコピペ
/etc/auth-client-config/profile.d/acc-default
# # this example is for using ldap to authenticate and authorize. This is only # an example, and you will most likely have to create your own profiles to # authenticate with your system. Note that this example requires the # libpam-cracklib package to be installed. # [ldap_example] nss_passwd=passwd: files ldap nss_group=group: files ldap nss_shadow=shadow: files ldap nss_netgroup=netgroup: nis pam_auth=auth required pam_env.so auth sufficient pam_unix.so likeauth nullok auth sufficient pam_ldap.so use_first_pass auth required pam_deny.so pam_account=account sufficient pam_unix.so account sufficient pam_ldap.so account required pam_deny.so pam_password=password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3 password sufficient pam_unix.so nullok md5 shadow use_authtok password sufficient pam_ldap.so use_first_pass password required pam_deny.so pam_session=session required pam_limits.so session required pam_unix.so session optional pam_ldap.so
/etc/auth-client-config/profile.d/ldap-auth-config
[lac_ldap]
nss_passwd=passwd: files ldap
nss_group=group: files ldap
nss_shadow=shadow: files ldap
nss_netgroup=netgroup: nis
pam_auth=auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
pam_account=account sufficient pam_unix.so
account sufficient pam_ldap.so
account required pam_deny.so
pam_password=password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password sufficient pam_unix.so nullok md5 shadow use_authtok
password sufficient pam_ldap.so use_first_pass
password required pam_deny.so
pam_session=session required pam_limits.so
session required pam_unix.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel ←ここ追加した
session optional pam_ldap.so
$ sudo pam-auth-update
有効化する PAM プロファイル: [*] Unix authentication [*] Winbind NT/Active Directory authentication [*] LDAP Authentication [*] SMB password synchronization [*] GNOME Keyring Daemon - Login keyring management [*] ConsoleKit Session Management
とりあえず全部にしてるけど良いのかな?
よくわかってないけど/etc/samba/smb.confを設定する。
/etc/samba/smb.conf
[global] dos charset = CP932 unix charset = UTF-8 workgroup = EXAMPLE domain logons = Yes passdb backend = ldapsam ldapsam:editposix = yes ldapsam:trusted = yes os level = 65 domain master = Auto preferred master = Auto local master = Yes ldap admin dn = cn=admin,dc=example,dc=com ldap suffix = dc=example,dc=com ldap group suffix = ou=groups ldap machine suffix = ou=computers ldap user suffix = ou=users ldap ssl = no ldap idmap suffix = ou=idmap idmap backend = ldap:ldap://localhost/ idmap uid = 50000-500000 idmap gid = 50000-500000 ldap delete dn = Yes ldap passwd sync = Yes wins support = Yes template shell = /usr/bash template homedir = /home/%U obey pam restrictions = Yes logon home = \\%N\%U logon path = \\%N\%U\profile logon drive = Z: logon script = logon.cmd [netlogon] comment = Network Logon Service path = /srv/samba/netlogon guest ok = yes read only = yes share modes = no
winbindとsmbd、nmbdを止める。
$ sudo service smbd stop $ sudo service nmbd stop $ sudo service winbind stop
cn=admin,dc=example,dc=comのパスワードを設定。
$ smbpasswd -w <PASSWD> Setting stored password for "cn=admin,dc=example,dc=com" in secrets.tdb
winbindを起動。
$ sudo service winbind start * Starting the Winbind daemon winbind [ OK ]
初期ユーザーとグループを設定。
$ sudo net sam provision Checking for Domain Users group. Adding the Domain Users group. Checking for Domain Admins group. Adding the Domain Admins group. Check for Administrator account. Adding the Administrator user. Checking for Guest user. Adding the Guest user. Checking Guest's group. Adding the Domain Guests group.
Administratorのパスワードを設定。
$ sudo smbpasswd Administrator New SMB password: Retype new SMB password:
smbdとnmbdを起動。
$ sudo service nmbd start nmbd start/running, process 2702 $ sudo service smbd start smbd start/running, process 2711
Administratorに特権?を与える。この辺はSamba Wikiをそのまま
$ sudo net rpc rights grant Administrator SeAddUsersPrivilege -U Administrator Enter Administrator's password: Successfully granted rights. $ sudo net rpc rights grant Administrator SeMachineAccountPrivilege -U Administrator Enter Administrator's password: Successfully granted rights.