openldap + samba: adding smb attributes to openldap ---- Synology

Adding smb attributes to openldap

  • Background
    • Install smb and smbldap
    • Samba must be started first
      • Configure /etc/samba/smb.conf in advance
      • Configure smbldap.conf and start smb
    • Run smbldap-config (optional)
    • Use SSSD for network user authentication

Background

When the Synology server managed its users through LDAP, Windows could not reach the Synology server over the SMB protocol at \\192.168.1.1 (the server IP).
Reference: https://ubuntu.com/server/docs/samba-openldap-backend

Install smb and smbldap

Install samba and smbldap-tools, and stop firewalld and SELinux.

[root@localhost LDAP]# systemctl stop firewalld
[root@localhost LDAP]# setenforce 0
[root@localhost LDAP]# yum install -y samba
[root@localhost LDAP]# yum install -y smbldap-tools

To add Samba attributes to OpenLDAP, import the Samba LDAP schema, which defines them. The schema already ships with the samba package just installed; import it in LDIF format:

[root@localhost admin]#  ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /usr/share/doc/samba-4.10.16/LDAP/samba.ldif
adding new entry "cn=samba,cn=schema,cn=config"

[root@localhost admin]# find / -name samba.ldif                                                             
/usr/share/doc/samba-4.10.16/LDAP/samba.ldif
[root@localhost admin]# vim /usr/share/doc/samba-4.10.16/LDAP/samba_indices.ldif
[root@localhost admin]# sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f samba_indices.ldif
samba_indices.ldif: No such file or directory
[root@localhost admin]# cd /usr/share/doc/samba-4.10.16/LDAP/
[root@localhost LDAP]# sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f samba_indices.ldif
modifying entry "olcDatabase={1}mdb,cn=config"
ldap_modify: No such object (32)
        matched DN: cn=config
[root@localhost admin]#  ll  /etc/openldap/slapd.d/cn=config
总用量 28
-rw-------. 1 ldap ldap  594 3月  16 15:48 cn=module{0}.ldif
drwxr-x---. 2 ldap ldap 4096 5月  24 16:43 cn=schema
-rw-------. 1 ldap ldap  378 3月  16 15:33 cn=schema.ldif
-rw-------. 1 ldap ldap  624 3月  16 15:53 olcDatabase={0}config.ldif
-rw-------. 1 ldap ldap  443 3月  16 15:33 olcDatabase={-1}frontend.ldif
-rw-------. 1 ldap ldap  601 3月  16 15:48 olcDatabase={1}monitor.ldif
drwxr-x---. 2 ldap ldap   74 3月  16 15:48 olcDatabase={2}hdb
-rw-------. 1 ldap ldap 1217 5月  24 17:01 olcDatabase={2}hdb.ldif

The shipped samba_indices.ldif targets dn: olcDatabase={1}mdb,cn=config. The olcDatabase={1}mdb part must match the database file name under /etc/openldap/slapd.d/cn=config (here it is olcDatabase={2}hdb, hence the "No such object" above); the name differs slightly from one installation to the next, so edit the dn in the ldif before applying it.

[root@localhost LDAP]# sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase={2}hdb olcDbIndex
dn: olcDatabase={2}hdb,cn=config
olcDbIndex: objectClass eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: loginShell eq
olcDbIndex: uid,cn eq,sub
olcDbIndex: memberUid eq,sub
olcDbIndex: member,uniqueMember eq
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaGroupType eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sambaDomainName eq
olcDbIndex: default sub,eq
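The dn mismatch above is easy to hit again on the next host, so here is an added helper (not part of the original post) that reads the real database DN out of cn=config, rewrites the dn: line of samba_indices.ldif to it, and afterwards lists any samba index that did not land. The two SAMPLE_* inputs are constructed from the post's output; apply_samba_indices is the live procedure and assumes slapd listening on ldapi:/// and the samba-4.10.16 doc path shown above.

```shell
#!/bin/sh
# Added example (not from the original post): pick the real data-backend DN out of
# cn=config, rewrite the dn: line of the shipped samba_indices.ldif to it, and check
# afterwards that every samba index is present. The two SAMPLE_* inputs are constructed
# from the post's output; on a live host they come from the ldapsearch calls shown.

# Constructed: ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(olcDatabase=*)' dn
SAMPLE_CONFIG_DNS='dn: olcDatabase={-1}frontend,cn=config

dn: olcDatabase={0}config,cn=config

dn: olcDatabase={1}monitor,cn=config

dn: olcDatabase={2}hdb,cn=config
'

# Constructed excerpt of the shipped samba_indices.ldif, which targets {1}mdb
SAMPLE_INDICES_LDIF='dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: sambaSID eq
olcDbIndex: sambaSIDList eq
'

# data_db_dn: from config DNs on stdin, print the first mdb/hdb/bdb database DN
data_db_dn() {
  grep -E '^dn: olcDatabase=\{-?[0-9]+\}(mdb|hdb|bdb),cn=config$' | head -n 1 | sed 's/^dn: //'
}

# rewrite_indices_dn DN: copy an LDIF from stdin, replacing its olcDatabase dn: line with DN
rewrite_indices_dn() {
  sed "s/^dn: olcDatabase=[{][-0-9]*[}][a-z]*,cn=config\$/dn: $1/"
}

# missing_samba_indices: read `ldapsearch ... olcDbIndex` output on stdin and print each
# attribute from samba_indices.ldif that still has no olcDbIndex line (no output = all present)
missing_samba_indices() {
  have=$(sed -n 's/^olcDbIndex: *\([^ ]*\).*/\1/p')
  for attr in sambaSID sambaPrimaryGroupSID sambaGroupType sambaSIDList sambaDomainName; do
    printf '%s\n' "$have" | grep -qx "$attr" || echo "$attr"
  done
}

# apply_samba_indices [LDIF]: the live procedure; needs root and slapd listening on ldapi:///
apply_samba_indices() {
  ldif="${1:-/usr/share/doc/samba-4.10.16/LDAP/samba_indices.ldif}"
  dn=$(ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(olcDatabase=*)' dn | data_db_dn)
  [ -n "$dn" ] || { echo "no mdb/hdb/bdb database under cn=config" >&2; return 1; }
  rewrite_indices_dn "$dn" < "$ldif" | ldapmodify -Q -Y EXTERNAL -H ldapi:///
  # anything printed here is an index the modify did not add
  ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b "$dn" -s base olcDbIndex | missing_samba_indices
}
```

Only apply_samba_indices touches slapd; run it as root on the directory host after the schema import. The other three functions work on text and can be tried against the outputs pasted above.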

[root@localhost LDAP]# smbldap-config
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
       smbldap-tools script configuration
       -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Before starting, check
 . if your samba controller is up and running.
 . if the domain SID is defined (you can get it with the 'net getlocalsid')

 . you can leave the configuration using the Ctrl-c key combination
 . empty value can be set with the "." character
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Samba needs to be started first !

Samba must be started first

Configure /etc/samba/smb.conf in advance

[root@localhost LDAP]# vim /etc/samba/smb.conf

# See smb.conf.example for a more detailed config file or
# read the smb.conf manpage.
# Run 'testparm' to verify the config is correct after
# you modified it.

[global]
        workgroup = yyyy
        security = user

        # passdb backend = tdbsam
        # LDAP Settings
        passdb backend = ldapsam:ldap://192.168.1.1
        ldap suffix = dc=yyyy,dc=com
        ldap user suffix = ou=xx有限公司
        ldap group suffix = ou=xx有限公司
        # ldap machine suffix = ou=Computers
        # ldap idmap suffix = ou=Idmap
        ldap admin dn = cn=admin,dc=yyyy,dc=com
        ldap ssl = no
        ldap passwd sync = no

        printing = cups
        printcap name = cups
        load printers = yes
        cups options = raw

[homes]
        comment = Home Directories
        valid users = %S, %D%w%S
        browseable = No
        read only = No
        inherit acls = Yes

[printers]
        comment = All Printers
        path = /var/tmp
        printable = Yes
        create mask = 0600
        browseable = No

[print$]
        comment = Printer Drivers
        path = /var/lib/samba/drivers
        write list = @printadmin root
        force group = @printadmin
        create mask = 0664
        directory mask = 0775

Configure smbldap.conf and start smb

[root@localhost ~]# vi /etc/smbldap-tools/smbldap.conf
masterLDAP="ldap://192.168.1.1/"
ldapTLS="0"
suffix="dc=yyyy,dc=com"
usersdn="ou=xx有限公司,${suffix}"
groupsdn="ou=xx有限公司,${suffix}"

[root@localhost LDAP]# vim /etc/samba/smb.conf                                                                    
[root@localhost LDAP]# systemctl start smb     

Run smbldap-config (optional)

Run the smbldap-config script to generate the smbldap-tools configuration; smb must be running before it will proceed.

    
[root@localhost LDAP]#  smbldap-config
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
       smbldap-tools script configuration
       -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Before starting, check
 . if your samba controller is up and running.
 . if the domain SID is defined (you can get it with the 'net getlocalsid')

 . you can leave the configuration using the Ctrl-c key combination
 . empty value can be set with the "." character
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Looking for configuration files...

Samba Configuration File Path [/etc/samba/smb.conf] > 

The default directory in which the smbldap configuration files are stored is shown.
If you need to change this, enter the full directory path, then press enter to continue.
Smbldap-tools Configuration Directory Path [/etc/smbldap-tools] > 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Let's start configuring the smbldap-tools scripts ...

. workgroup name: name of the domain Samba acts as a PDC for
  workgroup name [yyyy] > 
. netbios name: netbios name of the samba controller
  netbios name [] > 
. logon drive: local path to which the home directory will be connected (for NT Workstations). Ex: 'H:'
  logon drive [] > 
. logon home: home directory location (for Win95/98 or NT Workstation).
  (use %U as username) Ex:'\\\%U'
  logon home (press the "." character if you don't want homeDirectory) [\\\%U] > 
. logon path: directory where roaming profiles are stored. Ex:'\\\profiles\%U'
  logon path (press the "." character if you don't want roaming profiles) [\\\profiles\%U] > 
. home directory prefix (use %U as username) [/home/%U] > 
. default users' homeDirectory mode [700] > 
. default user netlogon script (use %U as username) [] > 
. default password validation time (time in days) [45] > 
. ldap suffix [dc=yyyy,dc=com] > 
. ldap group suffix [ou=xx有限公司] > 
. ldap user suffix [ou=xx有限公司] > 
. ldap machine suffix [] > 
. Idmap suffix [ou=Idmap] > 
. sambaUnixIdPooldn: object where you want to store the next uidNumber
  and gidNumber available for new users and groups
  sambaUnixIdPooldn object (relative to ${suffix}) [sambaDomainName=yyyy] > 
. ldap master server: IP address or DNS name of the master (writable) ldap server
  ldap master server [192.168.1.1] > 
. ldap master port [389] > 
. ldap master bind dn [cn=admin,dc=yyyy,dc=com] > 
. ldap master bind password [] >   Warning: You really need to set this parameter...
  ldap master bind password [] >   Warning: You really need to set this parameter...
  ldap master bind password [] >   Warning: You really need to set this parameter...
  ldap master bind password [] >   Warning: You really need to set this parameter...
  ldap master bind password [] > 
. ldap slave server: IP address or DNS name of the slave ldap server: can also be the master one
  ldap slave server [192.168.1.1] > 
. ldap slave port [389] > 
. ldap slave bind dn [cn=admin,dc=yyyy,dc=com] > 
. ldap slave bind password [] > 
. ldap tls support (1/0) [0] > 
. SID for domain yyyy: SID of the domain (can be obtained with 'net getlocalsid ')
  SID for domain yyyy [S-1-5-21-4147849373-2419429073-809605321] > 
. unix password hash: hash used for unix passwords
  If set to "exop", use LDAPv3 Password Modify (RFC 3062) extended operation.
  unix password hash (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT) [SSHA] > 
. default user gidNumber [513] > 
. default computer gidNumber [515] > 
. default login shell [/bin/bash] > 
. default skeleton directory [/etc/skel] > 
. default domain name to append to mail address [] > 
. treat shadowAccount object or not (1/0) [1] > 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
backup old configuration files:
  /etc/smbldap-tools/smbldap.conf->/etc/smbldap-tools/smbldap.conf.old
  /etc/smbldap-tools/smbldap_bind.conf->/etc/smbldap-tools/smbldap_bind.conf.old
writing new configuration file:
  /etc/smbldap-tools/smbldap.conf done.
  /etc/smbldap-tools/smbldap_bind.conf done.
[root@localhost LDAP]# 
[root@localhost LDAP]# smbldap-populate -g 10000 -u 10000 -r 10000
Populating LDAP directory for domain yyyy (S-1-5-21-4147849373-2419429073-809605321)
(using builtin directory structure)

entry dc=yyyy,dc=com already exist. 
entry ou=xx有限公司,dc=yyyy,dc=com already exist. 
adding new entry: ou=Idmap,dc=yyyy,dc=com
adding new entry: sambaDomainName=yyyy,dc=yyyy,dc=com
adding new entry: uid=root,ou=xx有限公司,dc=yyyy,dc=com
adding new entry: uid=nobody,ou=xx有限公司,dc=yyyy,dc=com
adding new entry: cn=Domain Admins,ou=xx有限公司,dc=yyyy,dc=com
adding new entry: cn=Domain Users,ou=xx有限公司,dc=yyyy,dc=com
adding new entry: cn=Domain Guests,ou=xx有限公司,dc=yyyy,dc=com
adding new entry: cn=Domain Computers,ou=xx有限公司,dc=yyyy,dc=com
adding new entry: cn=Administrators,ou=xx有限公司,dc=yyyy,dc=com
adding new entry: cn=Account Operators,ou=xx有限公司,dc=yyyy,dc=com
adding new entry: cn=Print Operators,ou=xx有限公司,dc=yyyy,dc=com
adding new entry: cn=Backup Operators,ou=xx有限公司,dc=yyyy,dc=com
adding new entry: cn=Replicators,ou=xx有限公司,dc=yyyy,dc=com

Please provide a password for the domain root: 
Changing UNIX and samba passwords for root
New password: 
Retype new password: 
New passwords don't match!
[root@localhost LDAP]# smbldap-populate -g 10000 -u 10000 -r 10000
Populating LDAP directory for domain yyyy (S-1-5-21-4147849373-2419429073-809605321)
(using builtin directory structure)

entry dc=yyyy,dc=com already exist. 
entry ou=xx有限公司,dc=yyyy,dc=com already exist. 
entry ou=Idmap,dc=yyyy,dc=com already exist. 
entry sambaDomainName=yyyy,dc=yyyy,dc=com already exist. Updating it...
entry uid=root,ou=xx有限公司,dc=yyyy,dc=com already exist. 
entry uid=nobody,ou=xx有限公司,dc=yyyy,dc=com already exist. 
entry cn=Domain Admins,ou=xx有限公司,dc=yyyy,dc=com already exist. 
entry cn=Domain Users,ou=xx有限公司,dc=yyyy,dc=com already exist. 
entry cn=Domain Guests,ou=xx有限公司,dc=yyyy,dc=com already exist. 
entry cn=Domain Computers,ou=xx有限公司,dc=yyyy,dc=com already exist. 
entry cn=Administrators,ou=xx有限公司,dc=yyyy,dc=com already exist. 
entry cn=Account Operators,ou=xx有限公司,dc=yyyy,dc=com already exist. 
entry cn=Print Operators,ou=xx有限公司,dc=yyyy,dc=com already exist. 
entry cn=Backup Operators,ou=xx有限公司,dc=yyyy,dc=com already exist. 
entry cn=Replicators,ou=xx有限公司,dc=yyyy,dc=com already exist. 

Please provide a password for the domain root: 
Changing UNIX and samba passwords for root
New password: 
Retype new password: 

Use SSSD for network user authentication

SSSD stands for System Security Services Daemon. It is in fact a set of daemons that handle authentication, authorization, and user and group information coming from a variety of network sources.

[root@localhost LDAP]# yum -y install sssd-ldap
[root@localhost LDAP]# find / -name sssd.conf  
/usr/lib64/sssd/conf/sssd.conf

[sssd]
services = nss, pam
#domains = shadowutils
config_file_version = 2
domains = yyyy.com

[nss]

[pam]

[domain/yyyy.com]
#id_provider = files
id_provider = ldap
#auth_provider = proxy
auth_provider = ldap
#proxy_pam_target = sssd-shadowutils
#proxy_fast_alias = True
ldap_uri = ldap://192.168.1.1
cache_credentials = True
ldap_search_base = dc=yyyy,dc=com

[root@localhost sssd]# cp /usr/lib64/sssd/conf/sssd.conf /etc/sssd/sssd.conf
[root@localhost sssd]# sudo chmod 0600 /etc/sssd/sssd.conf
[root@localhost sssd]# sudo chown root:root /etc/sssd/sssd.conf
[root@localhost sssd]# sudo systemctl start sssd
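All three client configurations in this post (smb.conf with "ldap ssl = no" and an ldap:// passdb backend, smbldap.conf with ldapTLS="0", and sssd.conf with ldap_uri = ldap://192.168.1.1) reach the directory in cleartext, so the admin bind password and the sambaNTPassword hashes cross the LAN unencrypted. The following added checks (my own code, not from the post or the Samba/SSSD projects) read each file on stdin and exit 1 when the LDAP channel is unprotected; the weak configs are constructed excerpts mirroring the post, and the hardened ones assume a directory host ldap.yyyy.com with a certificate the clients trust.

```shell
#!/bin/sh
# Added example, not part of the original post: flag the cleartext LDAP settings used by
# smb.conf, smbldap.conf and sssd.conf, with a hardened form beside each weak one.
# Config texts below are constructed excerpts; ldap.yyyy.com and the CA path are assumptions.

WEAK_SMB_CONF='[global]
        security = user
        # passdb backend = tdbsam
        passdb backend = ldapsam:ldap://192.168.1.1
        ldap admin dn = cn=admin,dc=yyyy,dc=com
        ldap ssl = no
'
# Either ldaps:// in the backend URL (with "ldap ssl = off") or ldap:// plus "ldap ssl = start tls"
HARDENED_SMB_CONF='[global]
        security = user
        passdb backend = ldapsam:ldaps://ldap.yyyy.com
        ldap admin dn = cn=admin,dc=yyyy,dc=com
        ldap ssl = off
'
WEAK_SMBLDAP_CONF='masterLDAP="ldap://192.168.1.1/"
ldapTLS="0"
'
HARDENED_SMBLDAP_CONF='masterLDAP="ldaps://ldap.yyyy.com/"
ldapTLS="0"
'
WEAK_SSSD_CONF='[domain/yyyy.com]
id_provider = ldap
ldap_uri = ldap://192.168.1.1
ldap_search_base = dc=yyyy,dc=com
'
# SSSD already insists on TLS for password binds; ldaps:// (or ldap_id_use_start_tls = true)
# covers the identity lookups too, and ldap_tls_cacert names the CA it verifies against.
HARDENED_SSSD_CONF='[domain/yyyy.com]
id_provider = ldap
ldap_uri = ldaps://ldap.yyyy.com
ldap_tls_cacert = /etc/pki/tls/certs/yyyy-ca.pem
ldap_search_base = dc=yyyy,dc=com
'

# ini_value SECTION_REGEX KEY: print the last value of KEY (case-insensitive) inside a matching
# [section] of the ini-style text on stdin; # and ; comment lines are skipped, blanks trimmed
ini_value() {
  awk -v want_sect="$1" -v want_key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*[#;]/ { next }
    /^[[:space:]]*\[/   { sect = $0; gsub(/\[|\]|[[:space:]]/, "", sect); next }
    sect ~ want_sect && index($0, "=") {
      key = tolower(substr($0, 1, index($0, "=") - 1)); gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
      val = tolower(substr($0, index($0, "=") + 1));    gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
      if (key == want_key) found = val
    }
    END { print found }'
}

# smb.conf: ok for ldaps:// or ldapi:// backends, or ldap:// with "ldap ssl = start tls"
smb_ldap_transport_check() {
  cfg=$(cat)
  backend=$(printf '%s\n' "$cfg" | ini_value '^global$' 'passdb backend')
  ssl=$(printf '%s\n' "$cfg" | ini_value '^global$' 'ldap ssl')
  case "$backend" in
    ldapsam:ldaps://*|ldapsam:ldapi://*) echo "ok: $backend"; return 0 ;;
    ldapsam:*) ;;
    *) echo "ok: no LDAP passdb backend"; return 0 ;;
  esac
  case "$ssl" in "start tls"|start_tls) echo "ok: STARTTLS on $backend"; return 0 ;; esac
  echo "WEAK: cleartext LDAP for $backend (ldap ssl = ${ssl:-unset})"; return 1
}

# smbldap.conf: ok for an ldaps:// or ldapi:// masterLDAP, or ldapTLS="1" (STARTTLS)
smbldap_tls_check() {
  cfg=$(cat)
  uri=$(printf '%s\n' "$cfg" | sed -n 's/^masterLDAP="\([^"]*\)".*/\1/p')
  tls=$(printf '%s\n' "$cfg" | sed -n 's/^ldapTLS="\([^"]*\)".*/\1/p')
  case "$uri" in ldaps://*|ldapi://*) echo "ok: $uri"; return 0 ;; esac
  [ "$tls" = "1" ] && { echo "ok: STARTTLS on $uri"; return 0; }
  echo "WEAK: cleartext $uri with ldapTLS=${tls:-unset}"; return 1
}

# sssd.conf: ok for an ldaps:// ldap_uri, or ldap_id_use_start_tls = true in the domain section
sssd_id_transport_check() {
  cfg=$(cat)
  uri=$(printf '%s\n' "$cfg" | ini_value '^domain/' 'ldap_uri')
  starttls=$(printf '%s\n' "$cfg" | ini_value '^domain/' 'ldap_id_use_start_tls')
  case "$uri" in ldaps://*) echo "ok: $uri"; return 0 ;; esac
  [ "$starttls" = "true" ] && { echo "ok: STARTTLS on $uri"; return 0; }
  echo "WEAK: cleartext identity lookups over ${uri:-unset}"; return 1
}
```

Run each check as `smb_ldap_transport_check < /etc/samba/smb.conf` (and likewise for the other two files) after editing; a non-zero exit is the cue to switch to ldaps:// or STARTTLS before putting the setup on a shared network. The same ini_value helper works for both the Samba and the SSSD file formats because both are section/key=value.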
