1) installazione del sistema base Debian Lenny 5.0 (attenzione: Lenny e il Samba 3 che fornisce sono fuori supporto da anni e non ricevono più correzioni di sicurezza; riprodurre la procedura su una release mantenuta)
2) apt-get install samba samba-doc slapd ldap-utils libnss-ldap libpam-ldap smbldap-tools (samba-doc fornisce lo schema copiato al punto 4, smbldap-tools gli script usati ai punti 7, 9 e 13)
3) dpkg-reconfigure slapd (impostare il dominio a nodomain e annotare la password di amministrazione: è quella di cn=admin,dc=nodomain, da riusare in smbldap_bind.conf al punto 10 e in smbpasswd -w al punto 12)
4) cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz /etc/ldap/schema/
cd /etc/ldap/schema && gunzip samba.schema.gz
nano -w /etc/ldap/slapd.conf   (verificare che gli include seguano quest'ordine)
# Schema load order for slapd.conf. Keep samba.schema last: it builds on
# attribute types defined by the schemas listed before it.
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/samba.schema
5) /etc/init.d/slapd restart && /etc/init.d/samba stop   (con un solo & i comandi andrebbero in background, non in sequenza)
6) cd /etc/samba && mv smb.conf smb.conf.safe && nano -w smb.conf   (idem: && e non &, altrimenti il cd non ha effetto sui comandi successivi)
[global]
# Domain/workgroup name and this server's NetBIOS name (the PDC for PEGASUS).
workgroup = PEGASUS
netbios name = PEGASUS
server string = %h PDC (%v)
# Only listen on the LAN interface and loopback.
interfaces = eth0, lo
bind interfaces only = Yes
# Accounts are read from the local slapd set up in step 3. Plain ldap:// is
# only acceptable because the directory is on 127.0.0.1 — see "ldap ssl" below.
passdb backend = ldapsam:ldap://127.0.0.1
enable privileges = yes
# log level 0 records next to nothing; raise it (1-2) if these logs are meant to
# support an incident investigation. One file per client, rotated at 50 KB.
log level = 0
log file = /var/log/samba/%m
max log size = 50
smb ports = 139 445
hide dot files = yes
name resolve order = wins host dns bcast
time server = Yes
# Unix account used for guest access (created by smbldap-populate -b in step 13).
guest account = guest
show add printer wizard = No
# Account/group management is delegated to the smbldap-tools wrappers symlinked
# into /bin in step 7. smbd substitutes the name into a shell command line, so
# keep the single quotes around %u / %g.
add user script = /bin/netuseradd -a -m '%u'
delete user script = /bin/netuserdel '%u'
add group script = /bin/netgroupadd -a -p '%g'
delete group script = /bin/netgroupdel '%g'
add user to group script = /bin/netgroupmod -m '%u' '%g'
delete user from group script = /bin/netgroupmod -x '%u' '%g'
# Disable this when the machine joining the domain is a Windows NT host.
set primary group script = /bin/netusermod -g '%g' '%u'
add machine script = /bin/netuseradd -w '%u'
# Unix password sync is left off. Note that step 7 creates no netpasswd link at
# all (and links into /bin, not /usr/bin), so enabling it as-is would break
# password changes; create /usr/bin/netpasswd -> smbldap-passwd first.
#unix password sync = yes
passwd chat debug = false
passwd program = /usr/bin/netpasswd %u
passwd chat = *new password*%n\n *new password*%n\n *changed*
# Roaming profiles: "logon path" is left empty, but smbldap.conf's userProfile
# still writes a sambaProfilePath into each LDAP account — check on a test
# client which of the two smbd honours before relying on either.
#logon path = \\%L\profiles\%U
logon path =
logon home =
# Served from [netlogon] and executed by every client at logon (see step 22).
logon script = netlogon.bat
domain logons = Yes
domain master = yes
preferred master = Yes
os level = 65
wins support = Yes
# LDAP
ldap suffix = dc=nodomain
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
# The bind password for this DN is the slapd admin password from step 3 and is
# stored with "smbpasswd -w" in step 12.
ldap admin dn = cn=admin,dc=nodomain
idmap backend = ldap:ldap://127.0.0.1
# Keep these ranges disjoint from the uid/gid pool smbldap-tools allocates from.
idmap uid = 10000-20000
idmap gid = 10000-20000
ldap passwd sync = Yes
# Cleartext LDAP is tolerable only while slapd stays on loopback; if the
# directory moves off-host, switch to the start tls line and set ldapTLS="1"
# in smbldap.conf.
#ldap ssl = start tls
ldap ssl = no
map acl inherit = Yes
#printing = cups
lock directory = /var/lock/samba
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
security = user
# Shell for winbind-created users; LDAP users get the shell from smbldap.conf
# (userLoginShell, currently /bin/bash) instead.
template shell = /bin/false
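[public]
# Shared tree ("L:" on clients). Access control is left to the filesystem:
# per-group subdirectories are created 2770 in step 19 and "hide unreadable"
# keeps folders a user cannot read out of the listing.
comment = "L: - Cartella Pubblica Utenti"
# Same directory step 16 creates (the original had a doubled slash here).
path = /home/samba/public
writeable = yes
browseable = Yes
hide unreadable = Yes
# New files and directories are group-writable; 6775 on directories forces the
# setgid bit so files inherit the per-group folder's group (the setuid bit is
# meaningless on directories).
directory mask = 0775
create mask = 0775
force create mode = 0775
force directory mode = 6775
# 0777 masks with a zero force value put no restriction on the mode bits a
# client may set from the Windows security dialog; narrow them (e.g. 0770) if
# nothing under this share should ever become world-accessible.
security mask = 0777
force security mode = 0
directory security mask = 0777
force directory security mode = 0
#inherit acls = yes
#inherit permissions = yes
# "Deleted" files are moved to .cestino/<user> inside the share rather than
# unlinked — convenient for recovery, but data users believe is gone is silently
# retained; decide who purges it and how often.
vfs objects = recycle
recycle:repository = .cestino/%U
recycle:keeptree = yes
recycle:touch = yes
recycle:versions= yes
recycle:exclude = *.tmp *.bak ~$*
recycle:exclude_dir = /tmp /temp /cache
recycle:noversions = *.doc *.xls *.ppt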
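[homes]
# Per-user private share ("K:" on clients); the special [homes] section serves
# each user's own home directory (created 700 by smbldap-tools).
comment = "K: - Cartella privata di %U, %u"
writeable = yes
# New files are private to the owner.
create mask = 0700
directory mask = 0775
browseable = No
# Effectively a no-op with security = user, where the connection already runs
# as the authenticated user; harmless.
force user = %U
# Per-user recycle bin inside the home (no %U subfolder needed: the home is
# already private). The mangled, duplicated "noversions ... exclude_dir" line
# from the original paste has been dropped.
vfs objects = recycle
recycle:repository = .cestino
recycle:keeptree = yes
recycle:touch = yes
recycle:versions= yes
recycle:exclude = *.tmp *.bak ~$*
recycle:exclude_dir = /tmp /temp /cache
recycle:noversions = *.doc *.xls *.ppt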
[netlogon]
# Serves netlogon.bat (step 22), which every client executes at logon.
# "guest ok" allows unauthenticated reads; there is no "writeable", so the share
# itself is read-only. Whoever can write /home/samba/netlogon on the host can
# push commands to every client, so keep the directory root-owned and not
# group/world-writable.
comment = Network Logon Service
path = /home/samba/netlogon
guest ok = Yes
locking = No
browseable = no
available = yes
[profiles]
# Roaming-profile store. [global] leaves "logon path" empty, but smbldap.conf's
# userProfile still points each LDAP account here — verify on a test client
# whether profiles actually roam. Step 20 makes /home/samba/profiles
# world-writable; it must carry the sticky bit (1777) so domain users cannot
# rename or delete each other's profile directories.
comment = Profile Share
path = /home/samba/profiles
writeable = yes
profile acls = Yes
# "browsable" is an accepted alias of "browseable".
browsable = No
7) cd /bin
# Wrappers referenced by smb.conf's add/delete user|group scripts: each
# smbldap-<op> tool gets a net<op> alias in the current directory (/bin after
# the cd above). -f replaces stale links on re-run.
for op in groupadd groupdel groupmod useradd userdel usermod; do
  ln -sf "/usr/sbin/smbldap-${op}" "net${op}"
done
8)
net getlocalsid
9) configurare smbldap-tools :
cd /etc/smbldap-tools
nano -w smbldap.conf
######################
# General Configuration
#
######################
# Domain SID: replace the quoted Italian placeholder with the exact output of
# "net getlocalsid" from step 8.
SID="inserire il valore risultante da net getlocalsid"
sambaDomain="PEGASUS"
######################
#
# LDAP Configuration
#
######################
# slapd is local, so master and slave are the same loopback server.
slaveLDAP="127.0.0.1"
slavePort="389"
masterLDAP="127.0.0.1"
masterPort="389"
# ldapTLS="0" means cleartext binds (including the admin password from
# smbldap_bind.conf) — acceptable on 127.0.0.1 only. The cert/key paths below
# are only consulted once ldapTLS is set to "1".
ldapTLS="0"
verify="require"
cafile="/etc/smbldap-tools/ca.pem"
clientcert="/etc/smbldap-tools/smbldap-tools.pem"
clientkey="/etc/smbldap-tools/smbldap-tools.key"
# Must match the ldap suffix / user / machine / group / idmap suffixes in smb.conf.
suffix="dc=nodomain"
usersdn="ou=Users,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=Idmap,${suffix}"
# Entry holding the next-free uid/gid counters (presumably seeded by the
# -u/-g values given to smbldap-populate in step 13).
sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
scope="sub"
# NOTE(review): CRYPT with a bare "%s" salt is classic DES crypt for the LDAP
# userPassword — only 8 significant characters and weak by today's standards.
# smbldap-tools also supports SSHA; prefer it unless something else needs
# crypt — confirm against the template shipped with the installed version.
hash_encrypt="CRYPT"
crypt_salt_format="%s"
######################
#
# Unix Accounts Configuration
#
######################
# LDAP users get a real login shell on the PDC. With libnss-ldap/libpam-ldap
# installed (step 2) this can translate into SSH/console logins on the server;
# use /bin/false unless shell access is intended.
userLoginShell="/bin/bash"
# Home directories are created private to the owner.
userHome="/home/%U"
userHomeDirectoryMode="700"
userGecos="System User"
# gidNumbers of the Domain Users (513) and Domain Computers (515) groups as
# created by smbldap-populate.
defaultUserGid="513"
defaultComputerGid="515"
skeletonDir="/etc/skel"
# Step 23 also sets a domain-wide maximum password age with pdbedit; check
# which value new accounts actually end up with.
defaultMaxPasswordAge="0"
######################
#
# SAMBA Configuration
#
######################
# UNC of the user's [homes] share and of the profile under [profiles]; see the
# roaming-profile note in smb.conf's [global] — "logon path" is empty there.
userSmbHome="\\PEGASUS\%U"
userProfile="\\PEGASUS\profiles\%U"
#userHomeDrive="H:"
userScript="netlogon.bat"
##########################################
#
# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
#
##########################################
# Hash passwords internally instead of shelling out to smbpasswd/slappasswd.
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"
# uncomment the next line to suppress the default banner
# no_banner="1"
10)
nano /etc/smbldap-tools/smbldap_bind.conf
# Bind credentials smbldap-tools uses against slapd. "yourpass" is a
# placeholder: put the cn=admin password chosen in step 3 here. It is stored
# in clear, which is why step 11 restricts this file to mode 0600.
slaveDN="cn=admin,dc=nodomain"
slavePw="yourpass"
masterDN="cn=admin,dc=nodomain"
masterPw="yourpass"
11)
chmod 0644 /etc/smbldap-tools/smbldap.conf
chmod 0600 /etc/smbldap-tools/smbldap_bind.conf
12)
smbpasswd -w yourpass   (salva in secrets.tdb la password del ldap admin dn usata da smbd; la stringa finisce nella history della shell ed è visibile in ps mentre il comando gira: rimuoverla dalla history subito dopo)
13)smbldap-populate -a Administrator -u 5001 -g 5001 -r 5001 -b guest -l 5000
14)addgroup --system nvram
addgroup --system rdma
addgroup --system fuse
addgroup --system kvm
addgroup --system scanner
adduser --system --group --shell /usr/sbin/nologin --home /var/lib/tpm tss
15) update-rc.d -f nscd remove
16) gruppi del dominio
netgroupadd -a gruppo1
netgroupadd -a gruppo2 e così via
16) shares di samba
# Share roots for [netlogon], [profiles] and [public], created as root with the
# default umask; modes are adjusted afterwards in steps 19 and 20.
mkdir /home/samba /home/samba/{netlogon,profiles,public}
17) creazione utenti
netuseradd -a -m -P nomeutente
18) unione utenti ai gruppi
netgroupmod -m nomeutente nomegruppo
19) creazione shares per gruppo
# Per-group area under [public]: group-owned, no access for others, setgid so
# new files inherit the group (2770 == 770 + g+s). Repeat for each group.
d=/home/samba/public/gruppo1
mkdir "$d"
chgrp gruppo1 "$d"
chmod 2770 "$d"
e così via ....
20) chmod 1777 /home/samba/profiles   (sticky bit: con un semplice 777 ogni utente del dominio potrebbe rinominare o cancellare le directory di profilo degli altri)
21) aggiunta macchina al dominio
net rpc join -S PEGASUS -U Administrator
22) script netlogon.bat
da blocco note windows
NET USE M: \\PEGASUS\public -y
salvare come netlogon.bat e copiarlo via samba o scp in /home/samba/netlogon. Lo script viene eseguito da ogni client al logon: directory e file devono appartenere a root e non essere scrivibili da gruppo o altri, altrimenti chi può scriverci esegue comandi su tutte le postazioni
23) policy delle password
pdbedit -P "password history" -C 5
pdbedit -P "maximum password age" -C $(( 175 * 86400 )) [sostituire 175 con la durata desiderata in giorni , -C 0 nessuna scadenza]
pdbedit -P "min password length" -C 6   (6 è un minimo molto basso: valutare almeno 8)
24) permessi estesi
apt-get install acl
nano -w /etc/fstab
/dev/mapper/pegasus-home /home ext3 defaults,acl 0 2
mount -o remount,acl /home   (oppure reboot)
getfacl /home/samba/public/gruppo
# file: home/samba/public/gruppo
# owner: root
# group: gruppo
user::rwx
group::rwx
other::---
setfacl -d -m g:gruppo-ro:r-x /home/samba/public/gruppo
setfacl -m g:gruppo-ro:r-x /home/samba/public/gruppo
getfacl /home/samba/public/gruppo
# file: home/samba/public/gruppo
# owner: root
# group: gruppo
user::rwx
group::rwx
group:gruppo-ro:r-x
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:gruppo-ro:r-x
default:mask::rwx
default:other::---
25) enjoy
26) un ultimo suggerimento che non c'entra nulla con il resto, parcheggiato qui per ora:
tar -pczf name_of_your_archive.tar.gz /path/to/directory
questo documento è un work in progress e verrà aggiornato apponendogli modifiche e migliorie
Scritto da
dema
Credits
http://wiki.archlinux.org/index.php/ArchSBS_-_File_Server_Domain_Controller#Samba_LDAP_Schema di steno
http://www.stenoweb.it