Samba and OpenLDAP integration in practice

Author: Fandy
Source: linux知识宝库 (http://www.linuxmine.com)

Software licensing and its cost had long been a sore point for the company (we are a small-to-medium business and do not have the money to keep buying software licences). Management therefore decided to replace all of our Microsoft server operating systems with RedHat Enterprise Linux Server 4.2. Their requirements for the new network were modest: shared Internet access and printing, company e-mail, and central management of user data.

I ran into plenty of things I did not understand while setting up the network; fortunately google.com is a good friend, and several Linux veterans ("日京三子", Extmail and "fjufirefox") gave me guidance, which is how this migration was completed. Many thanks to them!


This write-up describes the deployment in five parts:

Part 1: installing RedHat Enterprise Linux Server 4.2 on the OpenLDAP host;
Part 2: installing and configuring DNS + OpenLDAP + Samba (PDC) + LDAP Browser/Editor;
Part 3: installing and configuring Squid;
Part 4: installing and configuring Postfix + Dovecot + Antivir-Mailgate + MailScanner + EGroupWare;
Part 5: joining Windows XP and Fedora clients to the Samba PDC, sending and receiving mail, and using EGroupWare;

Step 0: Network diagram:


Step 1: Installing RedHat Enterprise Linux Server 4.2 on the OpenLDAP host (installer screens):

Disk layout:
Device   Type   Size
/        ext3   39911
swap            1024

Basic network settings:
eth0 IP/netmask: 192.168.1.254/255.255.255.0
Hostname: ldap.easy.com
Gateway: 192.168.1.1
Primary/secondary DNS: 192.168.1.254/202.96.128.68

Firewall:
⊙ No firewall
⊙ Enable SELinux: Disabled

Installation type:
⊙ Customize software packages to be installed

Desktops:
(√) X Window System (select all)
(√) GNOME Desktop Environment (select all)

Applications:
(√) Engineering and Scientific (defaults)
(√) Graphical Internet (defaults)
(√) Text-based Internet (defaults)
(√) Office/Productivity (defaults)

Servers:
(√) Server Configuration Tools (select all)
(√) Web Server (select all)
(√) Windows File Server (select all)
(√) DNS Name Server (select all)

Development:
(√) Development Tools (select all)

System:
(√) Administration Tools (defaults)
(√) Printing Support (defaults)

Miscellaneous:
select nothing here;

Full list of packages required for OpenLDAP + Samba (DNS, DB, OpenLDAP, Samba and others):

bind-9.2.4-2.i386.rpm bind-chroot-9.2.4-2.i386.rpm
bind-devel-9.2.4-2.i386.rpm bind-libs-9.2.4-2.i386.rpm
bind-utils-9.2.4-2.i386.rpm

db4-4.2.52-7.1.i386.rpm db4-utils-4.2.52-7.1.i386.rpm
db4-devel-4.2.52-7.1.i386.rpm

openldap-2.2.13-3.i386.rpm openldap-clients-2.2.13-3.i386.rpm
openldap-devel-2.2.13-3.i386.rpm openldap-servers-2.2.13-3.i386.rpm

samba-3.0.10-1.4E.2.i386.rpm samba-client-3.0.10-1.4E.2.i386.rpm
samba-common-3.0.10-1.4E.2.i386.rpm samba-swat-3.0.10-1.4E.2.i386.rpm
smbldap-tools-0.9.1-1.2.el4.rf.noarch.rpm

perl-Crypt-SmbHash-0.02-1.2.el4.rf.noarch.rpm perl-Digest-SHA1-2.07-5.i386.rpm
perl-LDAP-0.31-5.noarch.rpm perl-XML-SAX-0.12-7.noarch.rpm
mod_authz_ldap-0.26-2.i386.rpm nss_ldap-226-6.i386.rpm

Step 2: DNS configuration in detail:

Add the following to /var/named/chroot/etc/named.conf:

Contents:
zone "easy.com" { # forward zone
type master;
file "/var/named/easy.com.hosts";
};

zone "1.168.192.in-addr.arpa" { # reverse zone
type master;
file "/var/named/192.168.1.rev";
};

Create the forward zone file easy.com.hosts in /var/named/chroot/var/named/ with the following complete content (every name in a zone file must end with a trailing dot, otherwise named appends the zone origin to it):

Contents:
$ttl 38400
easy.com. IN SOA ldap.easy.com. fandy.easy.com. (
1137063120
10800
3600
604800
38400 )
easy.com. IN NS ldap.easy.com.
easy.com. IN A 192.168.1.254
ldap.easy.com. IN A 192.168.1.254
mail.easy.com. IN A 192.168.1.253
mail.easy.com. IN MX 10 mail.easy.com.

Create the reverse zone file 192.168.1.rev in the same directory, /var/named/chroot/var/named/, with the following complete content:

Contents:
$ttl 38400
1.168.192.in-addr.arpa. IN SOA mail.easy.com. fandy.easy.com. (
1137063268
10800
3600
604800
38400 )
1.168.192.in-addr.arpa. IN NS ldap.easy.com.
254.1.168.192.in-addr.arpa. IN PTR easy.com.
253.1.168.192.in-addr.arpa. IN PTR mail.easy.com.
254.1.168.192.in-addr.arpa. IN PTR ldap.easy.com.
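Whether the forward and reverse data agree is easy to get wrong by hand, so here is an added shell script (written for this page, not part of Fandy's article) that cross-checks the two zones. It reads zone text from variables constructed from the records above, expands names without a trailing dot the way named does (relative to the zone origin), and reports every A record without a matching PTR and every PTR without a matching A. FWD_BROKEN deliberately leaves the dot off ldap.easy.com to show what that mistake looks like; the script needs only sh, awk and grep.

```sh
#!/bin/sh
# Added example, not from the original article: cross-check a forward zone
# against its reverse zone. The zone texts are constructed from the article's
# data; FWD_BROKEN omits the trailing dot on ldap.easy.com, which makes named
# treat the name as ldap.easy.com.easy.com.

FWD_ORIGIN="easy.com."

FWD_BROKEN='easy.com. IN NS ldap.easy.com.
easy.com. IN A 192.168.1.254
ldap.easy.com IN A 192.168.1.254
mail.easy.com. IN A 192.168.1.253
mail.easy.com. IN MX 10 mail.easy.com.'

FWD_FIXED='easy.com. IN NS ldap.easy.com.
easy.com. IN A 192.168.1.254
ldap.easy.com. IN A 192.168.1.254
mail.easy.com. IN A 192.168.1.253
mail.easy.com. IN MX 10 mail.easy.com.'

REV_SAMPLE='1.168.192.in-addr.arpa. IN NS ldap.easy.com.
254.1.168.192.in-addr.arpa. IN PTR easy.com.
253.1.168.192.in-addr.arpa. IN PTR mail.easy.com.
254.1.168.192.in-addr.arpa. IN PTR ldap.easy.com.'

# stdin: forward zone text, $1: zone origin (with trailing dot).
# Prints "fqdn ip" for every A record, expanding relative names the way named does.
a_records() {
    awk -v origin="$1" '$2 == "IN" && $3 == "A" {
        name = $1
        if (name !~ /\.$/) name = name "." origin
        print name, $4
    }'
}

# stdin: reverse zone text. Prints "ip fqdn" for every PTR record,
# turning 254.1.168.192.in-addr.arpa. back into 192.168.1.254.
ptr_records() {
    awk '$2 == "IN" && $3 == "PTR" {
        split($1, o, ".")
        print o[4] "." o[3] "." o[2] "." o[1], $4
    }'
}

# $1 origin, $2 forward zone text, $3 reverse zone text.
# Prints one line per A record without a matching PTR and per PTR without a matching A.
zone_mismatches() {
    a=$(printf '%s\n' "$2" | a_records "$1")
    p=$(printf '%s\n' "$3" | ptr_records)
    printf '%s\n' "$a" | while read -r name ip; do
        [ -n "$name" ] || continue
        printf '%s\n' "$p" | grep -qxF "$ip $name" || echo "no PTR for $name -> $ip"
    done
    printf '%s\n' "$p" | while read -r ip name; do
        [ -n "$ip" ] || continue
        printf '%s\n' "$a" | grep -qxF "$name $ip" || echo "no A record for $name <- $ip"
    done
}

# Number of mismatches, for use in scripts: 0 means the two zones agree.
count_mismatches() {
    zone_mismatches "$@" | awk 'END { print NR }'
}

# Stand-alone run: the broken zone reports two problems, the fixed one none.
zone_mismatches "$FWD_ORIGIN" "$FWD_BROKEN" "$REV_SAMPLE"
echo "broken: $(count_mismatches "$FWD_ORIGIN" "$FWD_BROKEN" "$REV_SAMPLE") mismatch(es)"
echo "fixed:  $(count_mismatches "$FWD_ORIGIN" "$FWD_FIXED" "$REV_SAMPLE") mismatch(es)"
```

On the broken zone the script reports both halves of the same mistake: ldap.easy.com.easy.com. has no PTR, and the PTR for ldap.easy.com. points at a name that has no A record. On a real server the same check can be fed with the output of dig axfr, but the parsing above only understands the simple one-record-per-line layout used in this article.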

Step 3: OpenLDAP configuration in detail:

Before configuring OpenLDAP, copy samba.schema into /etc/openldap/schema/ (this adds the Samba attribute and object class definitions the directory needs):

Commands:
# cp /usr/share/doc/samba-3.0.10/LDAP/samba.schema /etc/openldap/schema/

-----------------------------------------------------------------------------------------------------------------------
Note: samba.schema must be present in /etc/openldap/schema, otherwise starting ldap fails with the following error:
# service ldap start
检查 的配置文件:slaptest: bad configuration file! [失败]
-----------------------------------------------------------------------------------------------------------------------

Edit /etc/openldap/slapd.conf; the key changes are shown below:

Configuration:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
After this block add the line:
include /etc/openldap/schema/samba.schema

database ldbm    (the database backend type)
Change to:
database bdb

suffix "dc=my-domain,dc=com"    (the directory's base DN)
rootdn "cn=Manager,dc=my-domain,dc=com"    (the directory manager DN)
Change to:
suffix "dc=easy,dc=com"
rootdn "cn=Manager,dc=easy,dc=com"

# rootpw {crypt}ijFYNcSNctBYg    (the manager DN's password)
Change to:
rootpw {SSHA}zW6nrZ8Muho9GOl/nAk3grt4Xqq0ZpJi

-----------------------------------------------------------------------------------------------------------------------
Note: this is how the manager DN's password hash was generated (without -s, slappasswd prompts for the password instead of taking it on the command line, which keeps it out of the shell history):
# slappasswd -h {SSHA} -s jinbiao
{SSHA}zW6nrZ8Muho9GOl/nAk3grt4Xqq0ZpJi
-----------------------------------------------------------------------------------------------------------------------

slapd.conf continued:

Configuration:
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
Change to:
index objectClass,uidNumber,gidNumber eq
index cn,sn,uid,displayName pres,sub,eq
index memberUid,mail,givenname eq,subinitial
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq

access to attrs=userPassword,sambaLMPassword,sambaNTPassword
by self write
by anonymous auth
by * none
access to *
by * read

-----------------------------------------------------------------------------------------------------------------------
These lines are added at the end of slapd.conf and define the directory's access control. Watch the exact layout: this is where the author lost a great deal of time and patience!
-----------------------------------------------------------------------------------------------------------------------
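As an added illustration (not from the article), the following script checks "access to" stanzas for the mistakes that actually expose password hashes: a catch-all "access to *" placed before the password rule (slapd applies the first "access to" whose target matches, so the password rule would never be reached), a clause granting read to anonymous users or to "*", a missing final "by * none", and a rule that forgets one of the three password attributes. The rule sets it runs over are constructed: PAGE_ACL is the configuration above, BROKEN_ACL a misordered variant.

```sh
#!/bin/sh
# Added example, not from the original article: a static check of the
# "access to" stanzas in slapd.conf. slapd evaluates access rules in file
# order and uses the first "access to" whose target matches, so a rule for
# the password attributes is dead if "access to *" precedes it. Both rule
# sets below are constructed: PAGE_ACL is the article's, BROKEN_ACL a common
# misordering that also forgets sambaLMPassword.

PAGE_ACL='access to attrs=userPassword,sambaLMPassword,sambaNTPassword
        by self write
        by anonymous auth
        by * none
access to *
        by * read'

BROKEN_ACL='access to *
        by * read
access to attrs=userPassword,sambaNTPassword
        by self write
        by anonymous auth
        by * none'

# stdin: the access-control part of slapd.conf. Prints one finding per line.
acl_issues() {
    awk '
    function flush() {
        if (stanza == "") return
        if (stanza ~ /attrs=[^ \t]*(userPassword|sambaLMPassword|sambaNTPassword)/) {
            pw_seen = 1
            if (catchall_seen)
                print "password rule comes after \"access to *\" and will never match"
            if (stanza ~ /by[ \t]+(\*|anonymous|users)[ \t]+(read|write|search|compare)/)
                print "password rule grants read or write to anonymous, users or *"
            if (stanza !~ /by[ \t]+\*[ \t]+none/)
                print "password rule has no final \"by * none\" clause"
            split("userPassword sambaLMPassword sambaNTPassword", need, " ")
            for (i = 1; i <= 3; i++)
                if (index(stanza, need[i]) == 0)
                    print "password rule does not cover " need[i]
        } else if (stanza ~ /^[ \t]*access[ \t]+to[ \t]+\*/) {
            catchall_seen = 1
        }
        stanza = ""
    }
    /^[ \t]*access[ \t]+to[ \t]/ { flush(); stanza = $0; next }
    /^[ \t]*by[ \t]/             { stanza = stanza "\n" $0; next }
    END {
        flush()
        if (!pw_seen) print "no rule restricts the password attributes; \"access to *\" exposes the hashes"
    }'
}

# Count of findings; 0 means the rule set passed every check.
acl_issue_count() {
    acl_issues | awk 'END { print NR }'
}

# Stand-alone run
echo "article's rules:";    printf '%s\n' "$PAGE_ACL" | acl_issues
echo "misordered rules:";   printf '%s\n' "$BROKEN_ACL" | acl_issues
```

Run it against the real file with "acl_issues < /etc/openldap/slapd.conf" after every change to the access rules; it only looks at "access to" and "by" lines, so the rest of slapd.conf does not disturb it.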

Edit /etc/openldap/ldap.conf; the key changes:

Configuration:
BASE dc=example,dc=com    (the default search base)
Change to:
BASE dc=easy,dc=com

TLS_CACERTDIR /etc/openldap/cacerts    (TLS is not used here)
Change to:
# TLS_CACERTDIR /etc/openldap/cacerts

Start the OpenLDAP server:

Commands:
# service ldap start

检查 slapd 的配置文件:config file testing succeeded
启动 slapd: [ 确定 ]

Configure the Linux system to authenticate against LDAP:

Commands:
# setup

In the "Choose a Tool" menu select "Authentication configuration" and press "Run Tool";

Under User Information tick "Cache Information" and "Use LDAP";
under Authentication tick "Use MD5 Passwords", "Use Shadow Passwords" and "Use LDAP Authentication";
then press "Next";

LDAP Settings:
[ ] Use TLS    (leave unticked);
Server: 127.0.0.1    (keep the default)
Base DN: dc=easy,dc=com    (replace the default with dc=easy,dc=com)
then press "OK":

The system then runs the following:

setsebool: SELinux is disabled.
停止 nscd: [ 失败 ]
启动 nscd: [ 确定 ]

Afterwards you return to the "Choose a Tool" screen; press "Quit" to finish the LDAP authentication setup.


Check /etc/openldap/ldap.conf again; the key change:

Configuration:
TLS_CACERTDIR /etc/openldap/cacerts
Change to:
# TLS_CACERTDIR /etc/openldap/cacerts

Edit /etc/ldap.conf (the nss_ldap configuration); the key changes:

Configuration:
#krb5_ccname FILE:/etc/.ldapcache
After this line add:
#krb5_ccname FILE:/etc/.ldapcache
nss_base_passwd ou=Users,dc=easy,dc=com?one
nss_base_passwd ou=Computers,dc=easy,dc=com?one
nss_base_shadow ou=Users,dc=easy,dc=com?one
nss_base_group ou=Groups,dc=easy,dc=com?one

TLS_CACERTDIR /etc/openldap/cacerts
Change to:
# TLS_CACERTDIR /etc/openldap/cacerts

Restart the OpenLDAP server:

Commands:
# service ldap restart

停止 slapd: [ 确定 ]
检查 slapd 的配置文件:config file testing succeeded
启动 slapd: [ 确定 ]

Check that the OpenLDAP server is listening on its port:

Commands:
# netstat -an |grep 389

tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN
tcp 0 0 :::389 :::* LISTEN

Samba configuration in detail:

Back up the original smb.conf before editing it:

Commands:
# cp /etc/samba/smb.conf /etc/samba/backup_smb.conf

Samba's main configuration file is /etc/samba/smb.conf. The smbldap-tools documentation ships an example smb.conf that can serve as a template; copy it over the original and adjust it to your own setup:

Commands:
# cp /usr/share/doc/smbldap-tools-0.9.1/smb.conf /etc/samba/

cp:是否覆盖‘/etc/samba/smb.conf’? y

Edit /etc/samba/smb.conf; the complete file is as follows:

Configuration:
############################## Global parameters############################

[global]
workgroup = easy-pdc
netbios name = PDC
server string = Samba Server %v
log file = /var/log/samba/log.%m
security = user
encrypt passwords = Yes
obey pam restrictions = No
ldap passwd sync = Yes
log level = 3
syslog = 0
max log size = 100000
time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
mangling method = hash2
Dos charset = UTF-8
Unix charset = UTF-8
logon script = %U.bat
logon drive = H:
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes

smb.conf continued:

Configuration:
passdb backend = ldapsam:ldap://127.0.0.1/
ldap admin dn = cn=Manager,dc=easy,dc=com
ldap suffix = dc=easy,dc=com
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap ssl = off
ldap delete dn = Yes
add user script = /sbin/smbldap-useradd -m "%u"
add machine script = /sbin/smbldap-useradd -t 0 -w "%u"
add group script = /sbin/smbldap-groupadd -p "%g"
add user to group script = /sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /sbin/smbldap-usermod -g '%g' '%u'

############################## Homes parameters ############################

[homes]
comment = repertoire de %U, %u
browseable = no
writeable = yes
read only = no
force create mode = 0700
create mode = 0700
force directory mode = 0700
directory mode = 700

############################# Netlogone parameters ##########################

[netlogon]
path = /home/netlogon/
browseable = No
read only = yes

############################# Public parameters ##########################

[public]
comment = Public Directory
path = /home/public/
browseable = No
writable = yes
guest ok = yes
create mask = 0777

-----------------------------------------------------------------------------------------------------------------------
Special note: some articles on the net describe a way to have machine accounts created automatically; I have not tried it, so I cannot say whether it works.
It adds the following line to the [global] section of smb.conf (for Samba 3.0 and later):
add machine script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
-----------------------------------------------------------------------------------------------------------------------

Create the share directories:

Commands:
# mkdir /home/netlogon

# mkdir /home/public

Start the Samba service:

Commands:
# service smb start

启动 SMB 服务: [ 确定 ]
启动 NMB 服务: [ 确定 ]

Store the LDAP admin DN password for Samba (it must be the same as the OpenLDAP rootdn password):

Commands:
# smbpasswd -w jinbiao

Setting stored password for "cn=Manager,dc=easy,dc=com" in secrets.tdb

Use testparm to check that the Samba configuration loads cleanly:

Commands:
# testparm

Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[netlogon]"
Processing section "[public]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions

Configuring smbldap-tools:

Commands:
# cd /usr/share/doc/smbldap-tools-0.9.1/

# ./configure.pl

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
smbldap-tools script configuration
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Before starting, check
. if your samba controller is up and running.
. if the domain SID is defined (you can get it with the 'net getlocalsid')

. you can leave the configuration using the Crtl-c key combination
. empty value can be set with the "." character
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Looking for configuration files...

Samba Configuration File Path [/etc/samba/smb.conf] >

The default directory in which the smbldap configuration files are stored is shown.
If you need to change this, enter the full directory path, then press enter to continue.
Smbldap-tools Configuration Directory Path [/etc/smbldap-tools/] >
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Let's start configuring the smbldap-tools scripts ...

. workgroup name: name of the domain Samba act as a PDC
workgroup name [easy-pdc] >
. netbios name: netbios name of the samba controler
netbios name [PDC] >
. logon drive: local path to which the home directory will be connected (for NT Workstations). Ex: 'H:'
logon drive [H:] >
. logon home: home directory location (for Win95/98 or NT Workstation).
(use %U as username) Ex:'//PDC/%U'
logon home (press the "." character if you don't want homeDirectory) [//PDC/%U] >
. logon path: directory where roaming profiles are stored. Ex:'//PDC/profiles/%U'
logon path (press the "." character if you don't want roaming profile) [//PDC/profiles/%U] > .    (enter ".")
. home directory prefix (use %U as username) [/home/%U] >
. default users' homeDirectory mode [700] >
. default user netlogon script (use %U as username) [%U.bat] >
default password validation time (time in days) [45] >
. ldap suffix [dc=easy,dc=com] >
. ldap group suffix [ou=Groups] >
. ldap user suffix [ou=Users] >

configure.pl continued:

Output:
. ldap machine suffix [ou=Computers] >
. Idmap suffix [ou=Idmap] >
. sambaUnixIdPooldn: object where you want to store the next uidNumber
and gidNumber available for new users and groups
sambaUnixIdPooldn object (relative to ${suffix}) [sambaDomainName=easy-pdc] >
. ldap master server: IP adress or DNS name of the master (writable) ldap server
ldap master server [127.0.0.1] >
. ldap master port [389] >
. ldap master bind dn [cn=Manager,dc=easy,dc=com] >
. ldap master bind password [] > jinbiao    (the LDAP manager password, the same one Samba uses for its admin dn)
. ldap slave server: IP adress or DNS name of the slave ldap server: can also be the master one
ldap slave server [127.0.0.1] >
. ldap slave port [389] >
. ldap slave bind dn [cn=Manager,dc=easy,dc=com] >
. ldap slave bind password [] > jinbiao    (the LDAP manager password, the same one Samba uses for its admin dn)
. ldap tls support (1/0) [0] >
. SID for domain easy-pdc: SID of the domain (can be obtained with 'net getlocalsid PDC')
SID for domain easy-pdc [S-1-5-21-2425048407-535062381-2029233160] >
. unix password encryption: encryption used for unix passwords
unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA) [SSHA] >
. default user gidNumber [513] >
. default computer gidNumber [515] >
. default login shell [/bin/bash] >
. default skeleton directory [/etc/skel] >
. default domain name to append to mail adress [] > easy.com
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
backup old configuration files:
/etc/smbldap-tools/smbldap.conf->/etc/smbldap-tools/smbldap.conf.old
/etc/smbldap-tools/smbldap_bind.conf->/etc/smbldap-tools/smbldap_bind.conf.old
writing new configuration file:
/etc/smbldap-tools/smbldap.conf done.
/etc/smbldap-tools/smbldap_bind.conf done.


-----------------------------------------------------------------------------------------------------------------------
Note: check that /etc/smbldap-tools/smbldap_bind.conf contains matching entries:
slaveDN="cn=Manager,dc=easy,dc=com"
slavePW="jinbiao"
masterDN="cn=Manager,dc=easy,dc=com"
masterPW="jinbiao"
-----------------------------------------------------------------------------------------------------------------------
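The next script is an added example (not the article's) that automates this check: it reads "ldap admin dn" from smb.conf, compares it with masterDN and slaveDN in smbldap_bind.conf, checks that the two passwords agree (one server plays both roles here), and confirms the file is not readable by group or others, since it stores the directory manager's password in clear text. The files it inspects are constructed copies of the settings shown above, written to a temporary directory; the parser assumes the usual "key = value" layout of smb.conf and the key="value" layout of smbldap_bind.conf.

```sh
#!/bin/sh
# Added example, not from the original article: verify that smbldap_bind.conf
# agrees with smb.conf and is not readable by other users. Both files are
# constructed below from the article's values.

# $1 file, $2 parameter name: value of the first "name = value" line in an
# smb.conf-style file (the value itself may contain "=", as a DN does).
smb_param() {
    awk -v key="$2" -F'=' '
        { k = $1; sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k) }
        k == key {
            v = substr($0, index($0, "=") + 1)
            sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
            print v; exit
        }' "$1"
}

# $1 file, $2 key: the value between the double quotes of key="value".
bind_param() {
    awk -v key="$2" -v q='"' -F'=' '
        { k = $1; sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k) }
        k == key {
            v = substr($0, index($0, "=") + 1)
            gsub("^[ \t]*" q "|" q "[ \t]*$", "", v)
            print v; exit
        }' "$1"
}

# $1 smb.conf, $2 smbldap_bind.conf. Prints one finding per line; no output means all checks passed.
check_bind_config() {
    admin=$(smb_param "$1" "ldap admin dn")
    mdn=$(bind_param "$2" masterDN); sdn=$(bind_param "$2" slaveDN)
    mpw=$(bind_param "$2" masterPW); spw=$(bind_param "$2" slavePW)
    [ "$mdn" = "$admin" ] || echo "masterDN '$mdn' differs from ldap admin dn '$admin'"
    [ "$sdn" = "$admin" ] || echo "slaveDN '$sdn' differs from ldap admin dn '$admin'"
    [ "$mpw" = "$spw" ]   || echo "masterPW and slavePW differ (one server plays both roles here)"
    [ -n "$mpw" ]         || echo "masterPW is empty"
    # group/other permission bits from ls -l: anything but ------ exposes the manager password
    case $(ls -ld "$2" | cut -c5-10) in
        ------) ;;
        *) echo "$2 is readable by group or others; it holds the directory manager password" ;;
    esac
}

# Writes constructed sample files into a temporary directory and prints its path.
make_samples() {
    d=$(mktemp -d)
    cat > "$d/smb.conf" <<'EOF'
[global]
   workgroup = easy-pdc
   passdb backend = ldapsam:ldap://127.0.0.1/
   ldap admin dn = cn=Manager,dc=easy,dc=com
EOF
    cat > "$d/smbldap_bind.conf" <<'EOF'
slaveDN="cn=Manager,dc=easy,dc=com"
slavePW="jinbiao"
masterDN="cn=Manager,dc=easy,dc=com"
masterPW="jinbiao"
EOF
    chmod 600 "$d/smbldap_bind.conf"
    echo "$d"
}

# Stand-alone run: consistent files pass, then the same files with a lax mode fail one check.
dir=$(make_samples)
[ -z "$(check_bind_config "$dir/smb.conf" "$dir/smbldap_bind.conf")" ] && echo "consistent files: no findings"
chmod 644 "$dir/smbldap_bind.conf"
check_bind_config "$dir/smb.conf" "$dir/smbldap_bind.conf"
rm -rf "$dir"
```

To check the live system, call check_bind_config /etc/samba/smb.conf /etc/smbldap-tools/smbldap_bind.conf; smbldap-tools reads the bind file as root, so mode 600 costs nothing.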

Initialise the directory with smbldap-populate:

Commands:
# smbldap-populate
Populating LDAP directory for domain easy-pdc (S-1-5-21-810223790-3119279897-2165375470)
(using builtin directory structure)

adding new entry: dc=easy,dc=com
adding new entry: ou=Users,dc=easy,dc=com
adding new entry: ou=Groups,dc=easy,dc=com
adding new entry: ou=Computers,dc=easy,dc=com
adding new entry: ou=Idmap,dc=easy,dc=com
adding new entry: uid=root,ou=Users,dc=easy,dc=com
adding new entry: uid=nobody,ou=Users,dc=easy,dc=com
adding new entry: cn=Domain Admins,ou=Groups,dc=easy,dc=com
adding new entry: cn=Domain Users,ou=Groups,dc=easy,dc=com
adding new entry: cn=Domain Guests,ou=Groups,dc=easy,dc=com
adding new entry: cn=Domain Computers,ou=Groups,dc=easy,dc=com
adding new entry: cn=Administrators,ou=Groups,dc=easy,dc=com
adding new entry: cn=Account Operators,ou=Groups,dc=easy,dc=com
adding new entry: cn=Print Operators,ou=Groups,dc=easy,dc=com
adding new entry: cn=Backup Operators,ou=Groups,dc=easy,dc=com
adding new entry: cn=Replicators,ou=Groups,dc=easy,dc=com
adding new entry: sambaDomainName=easy-pdc,dc=easy,dc=com

Please provide a password for the domain root:
Changing password for root
New password : jinbiao    (the LDAP manager password)
Retype new password : jinbiao    (the LDAP manager password)

Show the Samba domain SID:

Commands:
# net getlocalsid

SID for domain EASY-PDC is: S-1-5-21-810223790-3119279897-2165375470

Add Samba users and a machine account:

Commands:
# smbldap-useradd -a user1    (add a Samba account)

# smbldap-useradd -a -m user2    (add a Samba account and create its home directory)

# smbldap-useradd -m user3    (add a plain system account and create its home directory)

# smbldap-useradd -w winxp$    (add a domain machine account)

Change the password of user2:

Commands:
# smbldap-passwd user2

Changing password for user2
New password : 123456    (the user's password)
Retype new password : 123456    (confirm the password)

Add personal information for user2:

Commands:
# smbldap-userinfo user2

Changing the user information for user2
Enter the new value, or press ENTER for the default
User Shell [/bin/bash]: /bin/sh
Full Name [System User]: fan jin biao
Room Number []: 4873
Work Phone []: 013060677004
Home Phone []: 82-020-84680605
Other []: ha ha!
LDAP updated


Show user2's directory entry:

Commands:
# smbldap-usershow user2

dn: uid=user2,ou=Users,dc=easy,dc=com
objectClass: top,inetOrgPerson,posixAccount,shadowAccount,sambaSamAccount
uid: user2
uidNumber: 1000
gidNumber: 513
homeDirectory: /home/user2
description: System User
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
displayName: System User
sambaSID: S-1-5-21-2547670411-3484865238-2904186615-3000
sambaPrimaryGroupSID: S-1-5-21-2547670411-3484865238-2904186615-513
sambaLogonScript: user2.bat
sambaHomePath: //PDC/user2
sambaHomeDrive: H:
sambaLMPassword: 15881AE64C222524AAD3B435B51404EE
sambaAcctFlags: [U]
sambaNTPassword: D577561A7CF0233733F6EA39BB596996
sambaPwdLastSet: 1138015107
sambaPwdMustChange: 1141903107
userPassword: {SSHA}lSYoTrxEsxdfnMgCmxT8d72xKgdUZTVV
gecos: fan jin biao,4873,013060677004,82-020-84680605,ha ha!
cn: fan jin biao
sn: biao
givenName: fan jin
roomNumber: 4873
telephoneNumber: 013060677004
homePhone: 82-020-84680605
loginShell: /bin/sh

Testing Samba logons:

Log in to the PDC as user2:

Commands:
# smbclient -L 192.168.1.254 -U user2

Password:
Domain=[EASY-PDC] OS=[Unix] Server=[Samba 3.0.10-1.4E.2]

Sharename Type Comment
--------- ---- -------
IPC$ IPC IPC Service (Samba Server 3.0.10-1.4E.2)
ADMIN$ IPC IPC Service (Samba Server 3.0.10-1.4E.2)
user2 Disk repertoire de user2, user2
Domain=[EASY-PDC] OS=[Unix] Server=[Samba 3.0.10-1.4E.2]

Server Comment
--------- -------
PDC Samba Server 3.0.10-1.4E.2

Workgroup Master
--------- -------
EASY-PDC PDC

Use ssh to verify that the account created with smbldap-tools also works as a system user:

Commands:
# ssh user2@192.168.1.254

The authenticity of host '192.168.1.254 (192.168.1.254)' can't be established.
RSA key fingerprint is 37:32:c7:3f:b6:8c:d2:a6:be:8c:44:05:4c:5c:92:ed.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.254' (RSA) to the list of known hosts.
user2@192.168.1.254's password:
-sh-3.00$ id    (type id and press Enter to show your uid, gid and groups)
uid=1000(user2) gid=513(Domain Users) groups=513(Domain Users)
-sh-3.00$ exit    (type exit to end the session)
logout

Connection to 192.168.1.254 closed.


Check the OpenLDAP port again:

Commands:
# netstat -an |grep 389

tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:32805 127.0.0.1:389 ESTABLISHED
tcp 0 0 127.0.0.1:32811 127.0.0.1:389 TIME_WAIT
tcp 0 0 127.0.0.1:389 127.0.0.1:32805 ESTABLISHED
tcp 0 0 :::389 :::* LISTEN

Create the Windows logon script for the Samba domain (here user2.bat for user2):

Using a text editor, create user2.tmp in /home/netlogon/ with the following content:

Contents:
net time //PDC /set /yes    (synchronise the client clock with the server)
net use T: //PDC/public    (map the public share as drive T:)

Convert the tmp file into a bat file (Windows expects CR LF line endings, so the file has to be converted):

Commands:
# cat -A user2.tmp | tr '$' '\r' > user2.bat

Check the result:

Commands:
# cat -A user2.bat

net time //PDC /set /yes^M$
net use T: //PDC/public^M$
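The cat -A trick above works exactly once: run it on a file that already has CR LF endings and the "^M" that cat -A prints for the existing CR becomes literal text in the script. The following added example (written for this page, not from the article) converts line endings in a way that can be repeated safely and reports how many lines still lack a carriage return. The logon script lines are the article's; the output file name is constructed.

```sh
#!/bin/sh
# Added example, not from the original article: an idempotent line-ending
# converter for netlogon scripts plus a check for lines without CR.

# stdin -> stdout: every line ends in CR LF; an existing CR is stripped first,
# so converting a file twice gives the same result as converting it once.
to_crlf() {
    awk '{ sub(/\r$/, ""); printf "%s\r\n", $0 }'
}

# stdin: a file; prints how many lines do not end in CR (0 for a proper DOS file).
lines_without_cr() {
    awk '!/\r$/ { n++ } END { print n + 0 }'
}

# $1 destination .bat: writes the article's two net commands with DOS line endings.
write_logon_script() {
    printf '%s\n' 'net time //PDC /set /yes' 'net use T: //PDC/public' | to_crlf > "$1"
}

# Stand-alone run
tmp=$(mktemp)
write_logon_script "$tmp"
echo "lines without CR after conversion: $(lines_without_cr < "$tmp")"
[ "$(to_crlf < "$tmp" | od -c)" = "$(od -c < "$tmp")" ] && echo "second conversion changes nothing"
od -c "$tmp" | head -n 3
rm -f "$tmp"
```

Running lines_without_cr over every file in /home/netlogon/ is a quick way to catch a script that was edited on the server and saved with Unix endings again.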

Step 4: Scanning the Samba shares with ClamAV + samba-vscan:

Packages: clamav-db-0.86.2-1.2.el4.rf.i386.rpm
clamav-0.86.2-1.2.el4.rf.i386.rpm
clamav-devel-0.86.2-1.2.el4.rf.i386.rpm
clamd-0.86.2-1.2.el4.rf.i386.rpm
clamav-milter-0.86.2-1.2.el4.rf.i386.rpm

Package sizes (KB): 2385KB, 602KB, 153KB, 58KB, 66KB

Download: http://dries.studentenweb.org/rpm/p...lamav/info.html

Package: samba-vscan-clamav-0.3.6-1.i386.rpm

Package size (KB): 56KB

Download: http://crash-hat.sd2.mirrors.redwir.../3/samba-vscan/

Install the ClamAV packages (the NOKEY warnings mean rpm could not verify the package signatures because the packager's GPG key has not been imported):

Commands:
# rpm -ivh clamav-db-0.86.2-1.2.el4.rf.i386.rpm
warning: clamav-db-0.86.2-1.2.el4.rf.i386.rpm: V3 DSA signature: NOKEY, key ID 1aa78495
Preparing... ########################################### [100%]
1:clamav-db ########################################### [100%]

# rpm -ivh clamav-0.86.2-1.2.el4.rf.i386.rpm
warning: clamav-0.86.2-1.2.el4.rf.i386.rpm: V3 DSA signature: NOKEY, key ID 1aa78495
Preparing... ########################################### [100%]
1:clamav ########################################### [100%]

# rpm -ivh clamd-0.86.2-1.2.el4.rf.i386.rpm
warning: clamd-0.86.2-1.2.el4.rf.i386.rpm: V3 DSA signature: NOKEY, key ID 1aa78495
Preparing... ########################################### [100%]
1:clamd ########################################### [100%]

# rpm -ivh clamav-devel-0.86.2-1.2.el4.rf.i386.rpm
warning: clamav-devel-0.86.2-1.2.el4.rf.i386.rpm: V3 DSA signature: NOKEY, key ID 1aa78495
Preparing... ########################################### [100%]
1:clamav-devel ########################################### [100%]

# rpm -ivh clamav-milter-0.86.2-1.2.el4.rf.i386.rpm
warning: clamav-milter-0.86.2-1.2.el4.rf.i386.rpm: V3 DSA signature: NOKEY, key ID 1aa78495
Preparing... ########################################### [100%]
1:clamav-milter ########################################### [100%]

-----------------------------------------------------------------------------------------------------------------------
Special note: install the ClamAV packages strictly in the order above, otherwise the installation fails!
-----------------------------------------------------------------------------------------------------------------------

Install the samba-vscan package:

Commands:
# rpm -ivh samba-vscan-clamav-0.3.6-1.i386.rpm
warning: samba-vscan-clamav-0.3.6-1.i386.rpm: V3 DSA signature: NOKEY, key ID 6cdf2cc1
Preparing... ########################################### [100%]
1:samba-vscan-clamav ########################################### [100%]

Update the virus database:

Commands:
# freshclam --verbose

Current working dir is /var/clamav
Max retries == 3
ClamAV update process started at Fri Jan 27 17:37:45 2006
Querying current.cvd.clamav.net
TTL: 900
Software version from DNS: 0.88
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.86.2 Recommended version: 0.88
DON'T PANIC! Read http://www.clamav.net/faq.html
main.cvd version from DNS: 35
Retrieving http://db.cn.clamav.net/main.cvd
Downloading main.cvd[*]
main.cvd updated (version: 35, sigs: 41649, f-level: 6, builder: tkojm)
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Current functionality level = 5, recommended = 6
DON'T PANIC! Read http://www.clamav.net/faq.html
daily.cvd version from DNS: 1252
Retrieving http://db.cn.clamav.net/daily.cvd
Downloading daily.cvd[*]
daily.cvd updated (version: 1252, sigs: 1513, f-level: 7, builder: diego)
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Current functionality level = 5, recommended = 7
DON'T PANIC! Read http://www.clamav.net/faq.html
Database updated (43162 signatures) from db.cn.clamav.net (IP: 221.6.197.162)
ERROR: Clamd was NOT notified: Can't connect to clamd on 127.0.0.1:3310
connect(): Connection refused
Freeing option list...done

Add the following two lines at the end of the [global] section of /etc/samba/smb.conf; the complete section then reads:

Configuration:
############################## Global parameters############################

[global]
workgroup = easy-pdc
netbios name = PDC
server string = Samba Server %v
log file = /var/log/samba/log.%m
security = user
encrypt passwords = Yes
obey pam restrictions = No
ldap passwd sync = Yes
log level = 3
syslog = 0
max log size = 100000
time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
mangling method = hash2
Dos charset = UTF-8
Unix charset = UTF-8
logon script = %U.bat
logon drive = H:
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
passdb backend = ldapsam:ldap://127.0.0.1/
ldap admin dn = cn=Manager,dc=easy,dc=com
ldap suffix = dc=easy,dc=com
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap ssl = off
ldap delete dn = Yes
add user script = /sbin/smbldap-useradd -m "%u"
add machine script = /sbin/smbldap-useradd -t 0 -w "%u"
add group script = /sbin/smbldap-groupadd -p "%g"
add user to group script = /sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /sbin/smbldap-usermod -g '%g' '%u'
vfs object = vscan-clamav
vscan-oav: config-file = /etc/samba/vscan-clamav.conf


Edit /etc/samba/vscan-clamav.conf; the key change:

Configuration:
infected file action = nothing    (what to do when an infected file is found)
Change to:
infected file action = quarantine

Edit /etc/clamd.conf; the key changes:

Configuration:
TCPSocket 3310    (disable the TCP socket)
Change to:
#TCPSocket 3310

#LocalSocket /var/run/clamav/clamd.sock    (the clamd socket path)
Change to:
LocalSocket /var/run/clamav/clamd.sock

User clamav    (the account clamd runs as)
Change to:
User root
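The following added script (not from the article) verifies that the clamd and samba-vscan settings line up after these edits: LocalSocket must be active, TCPSocket disabled, and the socket path named in vscan-clamav.conf must equal clamd's LocalSocket. It also flags User root, because clamd then parses every file written to the shares with full privileges; the article switches to root, so on this configuration the script reports exactly that one finding. The sample files are constructed, and "clamd socket name" is assumed to be the vscan-clamav.conf key that names clamd's socket path (compare it with the example file shipped by your samba-vscan build).

```sh
#!/bin/sh
# Added example, not from the original article: check that the clamd.conf
# edits and the samba-vscan configuration agree. Sample files are constructed;
# the key "clamd socket name" in vscan-clamav.conf is an assumption.

# $1 clamd.conf, $2 option name: value of the first active (uncommented) "Option value" line.
clamd_opt() {
    awk -v opt="$2" '$1 == opt { print $2; exit }' "$1"
}

# $1 vscan-clamav.conf, $2 key: value of the "key = value" line (key at column 0).
vscan_opt() {
    awk -v key="$2" -F' *= *' '$1 == key { print $2; exit }' "$1"
}

# $1 clamd.conf, $2 vscan-clamav.con. Prints one finding per line.
check_clamd_wiring() {
    sock=$(clamd_opt "$1" LocalSocket)
    tcp=$(clamd_opt "$1" TCPSocket)
    user=$(clamd_opt "$1" User)
    [ -n "$sock" ] || echo "clamd.conf: LocalSocket is not active, samba-vscan has no socket to talk to"
    [ -z "$tcp" ]  || echo "clamd.conf: TCPSocket $tcp is still active, clamd also listens on TCP"
    [ "$(vscan_opt "$2" "clamd socket name")" = "$sock" ] \
        || echo "vscan-clamav.conf: clamd socket name does not match LocalSocket '$sock'"
    [ "$user" != "root" ] \
        || echo "clamd.conf: User root, the scanner parses untrusted files with full privileges"
}

# Writes constructed "before" and "after" clamd.conf files plus a vscan-clamav.conf; prints the directory.
make_clamd_samples() {
    d=$(mktemp -d)
    printf '%s\n' 'TCPSocket 3310' '#LocalSocket /var/run/clamav/clamd.sock' 'User clamav' > "$d/clamd.before"
    printf '%s\n' '#TCPSocket 3310' 'LocalSocket /var/run/clamav/clamd.sock' 'User root' > "$d/clamd.after"
    printf '%s\n' '[clamav]' 'clamd socket name = /var/run/clamav/clamd.sock' \
        'infected file action = quarantine' > "$d/vscan-clamav.conf"
    echo "$d"
}

# Stand-alone run: three findings before the edits, one (User root) after them.
dir=$(make_clamd_samples)
echo "before the edits:"; check_clamd_wiring "$dir/clamd.before" "$dir/vscan-clamav.conf"
echo "after the edits:";  check_clamd_wiring "$dir/clamd.after"  "$dir/vscan-clamav.conf"
rm -rf "$dir"
```

The freshclam run above ended with "Can't connect to clamd on 127.0.0.1:3310" for the same reason this check exists: the daemon was not running yet and the socket settings had not been made consistent.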

Restart the Samba service:

Commands:
# service smb restart

关闭 SMB 服务: [ 确定 ]
关闭 NMB 服务: [ 确定 ]
启动 SMB 服务: [ 确定 ]
启动 NMB 服务: [ 确定 ]

Start the clamd service:

Commands:
# service clamd start

Starting Clam AntiVirus Daemon [ 确定 ]

If messages like the following appear in the log, the scanner is working:

Commands:
# tail /var/log/messages

Jan 27 17:56:10 ldap clamd[3218]: HTML support enabled.
Jan 27 17:56:10 ldap clamd[3218]: Self checking every 1800 seconds.
Jan 27 17:56:26 ldap smbd_vscan-clamav[3209]: samba-vscan (vscan-clamav 0.3.6) connected (Samba 3.0), (c) by Rainer Link, OpenAntiVirus.org
Jan 27 17:56:26 ldap smbd_vscan-clamav[3209]: INFO: connect to service IPC$ by user nobody
Jan 27 17:56:26 ldap smbd_vscan-clamav[3209]: INFO: disconnected
Jan 27 17:56:26 ldap smbd_vscan-clamav[3209]: samba-vscan (vscan-clamav 0.3.6) connected (Samba 3.0), (c) by Rainer Link, OpenAntiVirus.org
Jan 27 17:56:26 ldap smbd_vscan-clamav[3209]: INFO: connect to service IPC$ by user user2
Jan 27 17:56:26 ldap smbd_vscan-clamav[3209]: samba-vscan (vscan-clamav 0.3.6) connected (Samba 3.0), (c) by Rainer Link, OpenAntiVirus.org
Jan 27 17:56:26 ldap smbd_vscan-clamav[3209]: INFO: connect to service IPC$ by user nobody
Jan 27 17:56:37 ldap smbd_vscan-clamav[3209]: INFO: disconnected


Step 5: Managing the OpenLDAP data with the LDAP Browser/Editor client:

-----------------------------------------------------------------------------------------------------------------------
Special note: LDAP Browser/Editor runs on a JDK, so install the jdk-1.5.0_04 package first or it will not work!
-----------------------------------------------------------------------------------------------------------------------

Package: jdk-1_5_0_04-linux-i586-rpm.bin

Package size (KB): 45858KB

Download: http://ftp.isu.edu.tw/pub/Sun/java/J2SE/5.0_04/linux32/

Package: Browser282b2.tar.gz

Package size (KB): 637KB

Download: http://www.iit.edu/~gawojar/ldap/

Install the JDK before LDAP Browser/Editor:

Commands:
# chmod 755 jdk-1_5_0_04-linux-i586-rpm.bin    (make the file executable)

# ./jdk-1_5_0_04-linux-i586-rpm.bin    (shows the licence and unpacks the RPM)

# rpm -ivh jdk-1_5_0_04-linux-i586.rpm    (install the package)

Preparing... ############################################ [100%]
package jdk-1.5.0_04-fcs is already installed

Edit /etc/profile (append the following at the end of the file):

Contents:
JAVA_HOME=/usr/java/jdk1.5.0_04
PATH=$JAVA_HOME/bin:$PATH
CLASSPATH=.:$JAVA_HOME/lib/dt.jar:$JAVA_HOME/lib/tools.jar
export JAVA_HOME,PATH,CLASSPATH

After editing /etc/profile, reboot RedHat Enterprise Linux Server 4.2:

Commands:
# reboot

Installing LDAP Browser/Editor:

Commands:
# tar -zxvf Browser282b2.tar.gz -C /root/

The remaining steps are done on the desktop: from the panel choose "Applications" → "File Browser";

open the directory the archive was unpacked into, /root/ldapbrowser, and double-click "lbe.sh" to run it;

when lbe.sh is started, the system asks "Run or Display?";

choose either "Run in Terminal" or "Run";

the "Connect" window appears; press "Edit";

in the "Edit Session" window select the "Name" tab:

Name: Easy-PDC    (enter any session name)

then select the "Connection" tab:

Host: 127.0.0.1    (address of the LDAP server);

Port: 389    (port of the LDAP server);

Version: 2    (LDAP protocol version);

Base DN: dc=easy,dc=com    (base DN of the directory, dc=easy,dc=com);

User DN: cn=Manager,dc=easy,dc=com    (the manager DN to bind as);

Password: jinbiao    (the manager DN's password);

press "Save";

back in the "Connect" window, press "Connect";

if nothing in "Edit Session" was mistyped, the connection succeeds and the directory tree appears, as it did on my system;

that completes the configuration of Browser282b2!


Step 9: Installing RedHat Enterprise Linux Server 4.2 on the Postfix host (installer screens):

Disk layout:
Device   Type   Size
/        ext3   39911
swap            1024

Basic network settings:
eth0 IP/netmask: 192.168.1.253/255.255.255.0
Hostname: mail.easy.com
Gateway: 192.168.1.1
Primary/secondary DNS: 192.168.1.254/192.168.1.253/202.96.128.68

Firewall:
⊙ No firewall
⊙ Enable SELinux: Disabled

Installation type:
⊙ Customize software packages to be installed

Desktops:
(√) X Window System (select all)
(√) GNOME Desktop Environment (select all)

Applications:
(√) Engineering and Scientific (defaults)
(√) Graphical Internet (defaults)
(√) Text-based Internet (defaults)
(√) Office/Productivity (defaults)

Servers:
(√) Server Configuration Tools (select all)
(√) Web Server (select all)
(√) Mail Server (select all manually)
(√) Windows File Server (select all)
(√) SQL Database Server (select all)

Mail Server details:
(√) perl-Cyrus - Cyrus IMAP server utility Perl modules.
(√) spamassassin - Spam filter for email which can be invoked from mail delivery age...

Development:
(√) Development Tools (select all)

System:
(√) Administration Tools (defaults)
(√) Printing Support (defaults)

Miscellaneous:
select nothing here;
