While managing users on a Synology server through LDAP, Windows could not reach the server over SMB by opening \\192.168.1.1 (the server IP).
Reference: https://ubuntu.com/server/docs/samba-openldap-backend
Install samba and smbldap-tools, then stop the firewall and put SELinux into permissive mode.
[root@localhost LDAP]# systemctl stop firewalld
[root@localhost LDAP]# setenforce 0
[root@localhost LDAP]# yum install -y samba
[root@localhost LDAP]# yum install -y smbldap-tools
Add the Samba attributes to OpenLDAP. They come from the Samba LDAP schema, which is already shipped in the samba package just installed and is imported in LDIF form:
[root@localhost admin]# ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /usr/share/doc/samba-4.10.16/LDAP/samba.ldif
adding new entry "cn=samba,cn=schema,cn=config"
[root@localhost admin]# find / -name samba.ldif
/usr/share/doc/samba-4.10.16/LDAP/samba.ldif
[root@localhost admin]# vim /usr/share/doc/samba-4.10.16/LDAP/samba_indices.ldif
[root@localhost admin]# sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f samba_indices.ldif
samba_indices.ldif: No such file or directory
[root@localhost admin]# cd /usr/share/doc/samba-4.10.16/LDAP/
[root@localhost LDAP]# sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f samba_indices.ldif
modifying entry "olcDatabase={1}mdb,cn=config"
ldap_modify: No such object (32)
matched DN: cn=config
[root@localhost admin]# ll /etc/openldap/slapd.d/cn=config
总用量 28
-rw-------. 1 ldap ldap 594 3月 16 15:48 cn=module{0}.ldif
drwxr-x---. 2 ldap ldap 4096 5月 24 16:43 cn=schema
-rw-------. 1 ldap ldap 378 3月 16 15:33 cn=schema.ldif
-rw-------. 1 ldap ldap 624 3月 16 15:53 olcDatabase={0}config.ldif
-rw-------. 1 ldap ldap 443 3月 16 15:33 olcDatabase={-1}frontend.ldif
-rw-------. 1 ldap ldap 601 3月 16 15:48 olcDatabase={1}monitor.ldif
drwxr-x---. 2 ldap ldap 74 3月 16 15:48 olcDatabase={2}hdb
-rw-------. 1 ldap ldap 1217 5月 24 17:01 olcDatabase={2}hdb.ldif
samba_indices.ldif targets dn: olcDatabase={1}mdb,cn=config, but the olcDatabase={1}mdb part has to match the database file name under /etc/openldap/slapd.d/cn=config (here olcDatabase={2}hdb.ldif, hence the "No such object" error above). The name varies slightly from one installation to the next, so edit the dn line in samba_indices.ldif accordingly before running ldapmodify again.
[root@localhost LDAP]# sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase={2}hdb olcDbIndex
dn: olcDatabase={2}hdb,cn=config
olcDbIndex: objectClass eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: loginShell eq
olcDbIndex: uid,cn eq,sub
olcDbIndex: memberUid eq,sub
olcDbIndex: member,uniqueMember eq
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaGroupType eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sambaDomainName eq
olcDbIndex: default sub,eq
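The manual edit above can be automated. The following shell script is an added example (not from the original post, and not part of Samba or smbldap-tools): it asks cn=config which olcDatabase entry actually holds the suffix, rewrites the hard-coded dn line in samba_indices.ldif to that RDN, and only then applies it. The LDIF sample embedded in the script is constructed to look like this host (data database {2}hdb, not {1}mdb); the wrapper apply_samba_indices assumes it runs as root on the LDAP host with the ldap client tools installed.

```shell
#!/bin/sh
# Added example, not part of the original post: samba_indices.ldif ships with
# "dn: olcDatabase={1}mdb,cn=config" hard-coded, which is why ldapmodify
# answered "No such object (32)" on this host. Pick the olcDatabase RDN that
# really holds the suffix and rewrite the LDIF to match before applying it.
set -eu

# Constructed sample of what the cn=config query returns on a host like the
# post's, where the data database is {2}hdb rather than {1}mdb.
SAMPLE_CONFIG_LDIF='dn: olcDatabase={1}monitor,cn=config

dn: olcDatabase={2}hdb,cn=config
olcSuffix: dc=yyyy,dc=com
'

# db_rdn_for_suffix SUFFIX < ldif : print e.g. "olcDatabase={2}hdb" for the
# database whose olcSuffix equals SUFFIX; exit 1 if no database matches.
db_rdn_for_suffix() {
    awk -v want="$1" '
        /^dn: olcDatabase=/ { rdn = $2; sub(/,cn=config$/, "", rdn) }
        /^olcSuffix: /      { if ($2 == want) { print rdn; found = 1; exit } }
        END { if (found) exit 0; exit 1 }'
}

# patch_indices_ldif RDN < samba_indices.ldif : replace the hard-coded
# database DN with the one in use; every other line passes through unchanged.
patch_indices_ldif() {
    sed "s/^dn: olcDatabase={[0-9]*}[a-z]*,cn=config\$/dn: $1,cn=config/"
}

# apply_samba_indices SUFFIX LDIF_PATH : live wrapper (assumes root on the
# LDAP host and the ldap client tools). Queries cn=config over ldapi://,
# writes the patched file to /tmp and applies it, the step the post ran by hand.
apply_samba_indices() {
    rdn=$(ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config \
            '(olcSuffix=*)' olcSuffix | db_rdn_for_suffix "$1")
    patch_indices_ldif "$rdn" < "$2" > /tmp/samba_indices.patched.ldif
    ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f /tmp/samba_indices.patched.ldif
}
```

Usage on the host from the post would be apply_samba_indices dc=yyyy,dc=com /usr/share/doc/samba-4.10.16/LDAP/samba_indices.ldif; the ldapsearch that follows in the post (olcDbIndex on the chosen database) is the confirmation that the indices landed.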
[root@localhost LDAP]# smbldap-config
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
smbldap-tools script configuration
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Before starting, check
. if your samba controller is up and running.
. if the domain SID is defined (you can get it with the 'net getlocalsid')
. you can leave the configuration using the Ctrl-c key combination
. empty value can be set with the "." character
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Samba needs to be started first !
[root@localhost LDAP]# vim /etc/samba/smb.conf
# See smb.conf.example for a more detailed config file or
# read the smb.conf manpage.
# Run 'testparm' to verify the config is correct after
# you modified it.
[global]
workgroup = yyyy
security = user
# passdb backend = tdbsam
# LDAP Settings
passdb backend = ldapsam:ldap://192.168.1.1
ldap suffix = dc=yyyy,dc=com
ldap user suffix = ou=xx有限公司
ldap group suffix = ou=xx有限公司
# ldap machine suffix = ou=Computers
# ldap idmap suffix = ou=Idmap
ldap admin dn = cn=admin,dc=yyyy,dc=com
ldap ssl = no
ldap passwd sync = no
printing = cups
printcap name = cups
load printers = yes
cups options = raw
[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes
[printers]
comment = All Printers
path = /var/tmp
printable = Yes
create mask = 0600
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = @printadmin root
force group = @printadmin
create mask = 0664
directory mask = 0775
[root@localhost ~]# vi /etc/smbldap-tools/smbldap.conf
masterLDAP="ldap://192.168.1.1/"
ldapTLS="0"
suffix="dc=yyyy,dc=com"
usersdn="ou=xx有限公司,${suffix}"
groupsdn="ou=xx有限公司,${suffix}"
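smb.conf and smbldap.conf describe the same tree in two different ways: smb.conf gives the user and group containers relative to "ldap suffix", while smbldap.conf stores full DNs built from ${suffix}. A mismatch between the two is a common reason smbldap-populate writes entries that Samba never finds. The script below is an added example (not from the original post, not part of Samba or smbldap-tools) that parses both files and reports any disagreement; the two configuration fragments embedded in it are constructed from the values shown in the post.

```shell
#!/bin/sh
# Added example, not part of the original post: cross-check that smb.conf and
# smbldap.conf point at the same LDAP tree and the same LDAP server.
set -eu

# Constructed fragments mirroring the post's configuration.
SMB_CONF_TEXT='[global]
workgroup = yyyy
security = user
# passdb backend = tdbsam
passdb backend = ldapsam:ldap://192.168.1.1
ldap suffix = dc=yyyy,dc=com
ldap user suffix = ou=xx有限公司
ldap group suffix = ou=xx有限公司
ldap admin dn = cn=admin,dc=yyyy,dc=com
[homes]
comment = Home Directories'

SMBLDAP_CONF_TEXT='masterLDAP="ldap://192.168.1.1/"
ldapTLS="0"
suffix="dc=yyyy,dc=com"
usersdn="ou=xx有限公司,${suffix}"
groupsdn="ou=xx有限公司,${suffix}"'

# smb_get KEY < smb.conf : value of KEY from the [global] section
# (Samba keys are case-insensitive; commented lines are ignored).
smb_get() {
    awk -v key="$1" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { s = $0; gsub(/\[|\]|[ \t]/, "", s); sect = tolower(s); next }
        sect == "global" && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (tolower(k) == tolower(key)) {
                v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }'
}

# smbldap_get KEY < smbldap.conf : value of KEY with the quotes removed and
# ${suffix} expanded the way smbldap-tools does.
smbldap_get() {
    awk -v key="$1" '
        /^[A-Za-z_]+=/ {
            k = $0; sub(/=.*/, "", k)
            v = $0; sub(/^[^=]*=/, "", v); gsub(/"/, "", v)
            val[k] = v
        }
        END {
            v = (key in val) ? val[key] : ""
            while ((i = index(v, "${suffix}")) > 0)
                v = substr(v, 1, i - 1) val["suffix"] substr(v, i + 9)
            print v
        }'
}

# check_ldap_dns SMB_CONF_TEXT SMBLDAP_CONF_TEXT : print one line per
# mismatch (users DN, groups DN, LDAP server) and return 1 if any was found.
check_ldap_dns() {
    smb=$1; sl=$2; rc=0
    base=$(printf '%s\n' "$smb" | smb_get "ldap suffix")
    for pair in "ldap user suffix:usersdn" "ldap group suffix:groupsdn"; do
        key=${pair%%:*}; lkey=${pair##*:}
        want="$(printf '%s\n' "$smb" | smb_get "$key"),$base"
        have=$(printf '%s\n' "$sl" | smbldap_get "$lkey")
        [ "$want" = "$have" ] || { echo "MISMATCH $lkey: smb.conf -> $want, smbldap.conf -> $have"; rc=1; }
    done
    pb=$(printf '%s\n' "$smb" | smb_get "passdb backend"); pb=${pb#ldapsam:}; pb=${pb%/}
    ml=$(printf '%s\n' "$sl" | smbldap_get masterLDAP); ml=${ml%/}
    [ "$pb" = "$ml" ] || { echo "MISMATCH masterLDAP: smb.conf -> $pb, smbldap.conf -> $ml"; rc=1; }
    return $rc
}
```

On a real host, replace the embedded strings with "$(cat /etc/samba/smb.conf)" and "$(cat /etc/smbldap-tools/smbldap.conf)"; a clean run prints nothing and exits 0.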
[root@localhost LDAP]# vim /etc/samba/smb.conf
[root@localhost LDAP]# systemctl start smb
Run the smbldap-config script to generate the smbldap-tools configuration; smb must be running first.
[root@localhost LDAP]# smbldap-config
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
smbldap-tools script configuration
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Before starting, check
. if your samba controller is up and running.
. if the domain SID is defined (you can get it with the 'net getlocalsid')
. you can leave the configuration using the Ctrl-c key combination
. empty value can be set with the "." character
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Looking for configuration files...
Samba Configuration File Path [/etc/samba/smb.conf] >
The default directory in which the smbldap configuration files are stored is shown.
If you need to change this, enter the full directory path, then press enter to continue.
Smbldap-tools Configuration Directory Path [/etc/smbldap-tools] >
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Let's start configuring the smbldap-tools scripts ...
. workgroup name: name of the domain Samba acts as a PDC for
workgroup name [yyyy] >
. netbios name: netbios name of the samba controller
netbios name [] >
. logon drive: local path to which the home directory will be connected (for NT Workstations). Ex: 'H:'
logon drive [] >
. logon home: home directory location (for Win95/98 or NT Workstation).
(use %U as username) Ex:'\\\%U'
logon home (press the "." character if you don't want homeDirectory) [\\\%U] >
. logon path: directory where roaming profiles are stored. Ex:'\\\profiles\%U'
logon path (press the "." character if you don't want roaming profiles) [\\\profiles\%U] >
. home directory prefix (use %U as username) [/home/%U] >
. default users' homeDirectory mode [700] >
. default user netlogon script (use %U as username) [] >
. default password validation time (time in days) [45] >
. ldap suffix [dc=yyyy,dc=com] >
. ldap group suffix [ou=xx有限公司] >
. ldap user suffix [ou=xx有限公司] >
. ldap machine suffix [] >
. Idmap suffix [ou=Idmap] >
. sambaUnixIdPooldn: object where you want to store the next uidNumber
and gidNumber available for new users and groups
sambaUnixIdPooldn object (relative to ${suffix}) [sambaDomainName=yyyy] >
. ldap master server: IP address or DNS name of the master (writable) ldap server
ldap master server [192.168.1.1] >
. ldap master port [389] >
. ldap master bind dn [cn=admin,dc=yyyy,dc=com] >
. ldap master bind password [] > Warning: You really need to set this parameter...
ldap master bind password [] > Warning: You really need to set this parameter...
ldap master bind password [] > Warning: You really need to set this parameter...
ldap master bind password [] > Warning: You really need to set this parameter...
ldap master bind password [] >
. ldap slave server: IP address or DNS name of the slave ldap server: can also be the master one
ldap slave server [192.168.1.1] >
. ldap slave port [389] >
. ldap slave bind dn [cn=admin,dc=yyyy,dc=com] >
. ldap slave bind password [] >
. ldap tls support (1/0) [0] >
. SID for domain yyyy: SID of the domain (can be obtained with 'net getlocalsid ')
SID for domain yyyy [S-1-5-21-4147849373-2419429073-809605321] >
. unix password hash: hash used for unix passwords
If set to "exop", use LDAPv3 Password Modify (RFC 3062) extended operation.
unix password hash (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT) [SSHA] >
. default user gidNumber [513] >
. default computer gidNumber [515] >
. default login shell [/bin/bash] >
. default skeleton directory [/etc/skel] >
. default domain name to append to mail address [] >
. treat shadowAccount object or not (1/0) [1] >
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
backup old configuration files:
/etc/smbldap-tools/smbldap.conf->/etc/smbldap-tools/smbldap.conf.old
/etc/smbldap-tools/smbldap_bind.conf->/etc/smbldap-tools/smbldap_bind.conf.old
writing new configuration file:
/etc/smbldap-tools/smbldap.conf done.
/etc/smbldap-tools/smbldap_bind.conf done.
[root@localhost LDAP]#
[root@localhost LDAP]# smbldap-populate -g 10000 -u 10000 -r 10000
Populating LDAP directory for domain yyyy (S-1-5-21-4147849373-2419429073-809605321)
(using builtin directory structure)
entry dc=yyyy,dc=com already exist.
entry ou=xx有限公司,dc=yyyy,dc=com already exist.
adding new entry: ou=Idmap,dc=yyyy,dc=com
adding new entry: sambaDomainName=yyyy,dc=yyyy,dc=com
adding new entry: uid=root,ou=xx有限公司,dc=yyyy,dc=com
adding new entry: uid=nobody,ou=xx有限公司,dc=yyyy,dc=com
adding new entry: cn=Domain Admins,ou=xx有限公司,dc=yyyy,dc=com
adding new entry: cn=Domain Users,ou=xx有限公司,dc=yyyy,dc=com
adding new entry: cn=Domain Guests,ou=xx有限公司,dc=yyyy,dc=com
adding new entry: cn=Domain Computers,ou=xx有限公司,dc=yyyy,dc=com
adding new entry: cn=Administrators,ou=xx有限公司,dc=yyyy,dc=com
adding new entry: cn=Account Operators,ou=xx有限公司,dc=yyyy,dc=com
adding new entry: cn=Print Operators,ou=xx有限公司,dc=yyyy,dc=com
adding new entry: cn=Backup Operators,ou=xx有限公司,dc=yyyy,dc=com
adding new entry: cn=Replicators,ou=xx有限公司,dc=yyyy,dc=com
Please provide a password for the domain root:
Changing UNIX and samba passwords for root
New password:
Retype new password:
New passwords don't match!
[root@localhost LDAP]# smbldap-populate -g 10000 -u 10000 -r 10000
Populating LDAP directory for domain yyyy (S-1-5-21-4147849373-2419429073-809605321)
(using builtin directory structure)
entry dc=yyyy,dc=com already exist.
entry ou=xx有限公司,dc=yyyy,dc=com already exist.
entry ou=Idmap,dc=yyyy,dc=com already exist.
entry sambaDomainName=yyyy,dc=yyyy,dc=com already exist. Updating it...
entry uid=root,ou=xx有限公司,dc=yyyy,dc=com already exist.
entry uid=nobody,ou=xx有限公司,dc=yyyy,dc=com already exist.
entry cn=Domain Admins,ou=xx有限公司,dc=yyyy,dc=com already exist.
entry cn=Domain Users,ou=xx有限公司,dc=yyyy,dc=com already exist.
entry cn=Domain Guests,ou=xx有限公司,dc=yyyy,dc=com already exist.
entry cn=Domain Computers,ou=xx有限公司,dc=yyyy,dc=com already exist.
entry cn=Administrators,ou=xx有限公司,dc=yyyy,dc=com already exist.
entry cn=Account Operators,ou=xx有限公司,dc=yyyy,dc=com already exist.
entry cn=Print Operators,ou=xx有限公司,dc=yyyy,dc=com already exist.
entry cn=Backup Operators,ou=xx有限公司,dc=yyyy,dc=com already exist.
entry cn=Replicators,ou=xx有限公司,dc=yyyy,dc=com already exist.
Please provide a password for the domain root:
Changing UNIX and samba passwords for root
New password:
Retype new password:
SSSD (System Security Services Daemon) is actually a collection of daemons that handle authentication, authorization, and user and group information from a variety of network sources.
[root@localhost LDAP]# yum -y install sssd-ldap
[root@localhost LDAP]# find / -name sssd.conf
/usr/lib64/sssd/conf/sssd.conf
[sssd]
services = nss, pam
#domains = shadowutils
config_file_version = 2
domains = yyyy.com
[nss]
[pam]
[domain/yyyy.com]
#id_provider = files
id_provider = ldap
#auth_provider = proxy
auth_provider = ldap
#proxy_pam_target = sssd-shadowutils
#proxy_fast_alias = True
ldap_uri = ldap://192.168.1.1
cache_credentials = True
ldap_search_base = dc=yyyy,dc=com
[root@localhost sssd]# cp /usr/lib64/sssd/conf/sssd.conf /etc/sssd/sssd.conf
[root@localhost sssd]# sudo chmod 0600 /etc/sssd/sssd.conf
[root@localhost sssd]# sudo chown root:root /etc/sssd/sssd.conf
[root@localhost sssd]# sudo systemctl start sssd
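Before starting sssd it is worth checking the file just copied. The script below is an added example (not from the original post, not part of SSSD) that reads an sssd.conf, confirms every name in the [sssd] domains= list has a [domain/NAME] section with id_provider and auth_provider set, reports whether the LDAP channel is protected (ldaps:// or ldap_id_use_start_tls = True; the post's plain ldap:// is flagged), and prints the file mode so the 0600 requirement can be verified. The configuration embedded in it is a constructed copy of the post's sssd.conf.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check an sssd.conf
# before starting the daemon. sssd validates the owner and mode of sssd.conf
# at startup (hence the chmod/chown in the post), and a domain listed in
# [sssd] without a matching [domain/NAME] section yields no users at all.
set -eu

# Constructed copy of the post's sssd.conf.
SSSD_CONF_TEXT='[sssd]
services = nss, pam
#domains = shadowutils
config_file_version = 2
domains = yyyy.com
[nss]
[pam]
[domain/yyyy.com]
#id_provider = files
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://192.168.1.1
cache_credentials = True
ldap_search_base = dc=yyyy,dc=com'

# ini_get SECTION KEY < sssd.conf : print the value, empty if absent.
ini_get() {
    awk -v want="$1" -v key="$2" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { s = $0; gsub(/\[|\]|[ \t]/, "", s); sect = s; next }
        sect == want && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }'
}

# sssd_domain_problems < sssd.conf : one line per problem, return 1 if any.
sssd_domain_problems() {
    conf=$(cat)
    rc=0
    domains=$(printf '%s\n' "$conf" | ini_get sssd domains | tr ',' ' ')
    [ -n "$domains" ] || { echo "no domains listed in [sssd]"; rc=1; }
    for d in $domains; do
        for k in id_provider auth_provider; do
            v=$(printf '%s\n' "$conf" | ini_get "domain/$d" "$k")
            [ -n "$v" ] || { echo "domain/$d: $k not set"; rc=1; }
        done
        uri=$(printf '%s\n' "$conf" | ini_get "domain/$d" ldap_uri)
        tls=$(printf '%s\n' "$conf" | ini_get "domain/$d" ldap_id_use_start_tls)
        case "$uri" in
            ldaps://*) ;;
            ldap://*)
                case "$tls" in
                    [Tt]rue|TRUE) ;;
                    *) echo "domain/$d: $uri without StartTLS (ldap_id_use_start_tls)"; rc=1 ;;
                esac ;;
        esac
    done
    return $rc
}

# file_mode FILE : the symbolic mode as ls prints it, e.g. -rw-------
file_mode() { ls -ld "$1" | cut -c1-10; }
```

On the host from the post, sssd_domain_problems < /etc/sssd/sssd.conf lists what to fix and file_mode /etc/sssd/sssd.conf should print -rw-------; once both are clean, systemctl start sssd and getent passwd <ldap user> confirm the lookup path.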