Note
If you need more than one domain controller, do not use a tdbsam authentication backend. The tdbsam database lives in a local file on the server that holds it and cannot be shared with a BDC; the LDAP backend shown later in this chapter is the choice for that case.
Example: Engineering Office
The engineering office network server presented here demonstrates the new tdbsam password backend. The tdbsam facility is new to Samba-3. It provides many of the user and machine account controls that are available with Microsoft Windows NT4. It is safe to use in smaller networks, that is, wherever a single domain controller is sufficient.
Example 2.7. Engineering Office smb.conf (globals)

[global]
workgroup = MIDEARTH
netbios name = FRODO
passdb backend = tdbsam
printcap name = cups
add user script = /usr/sbin/useradd -m %u
delete user script = /usr/sbin/userdel -r %u
add group script = /usr/sbin/groupadd %g
delete group script = /usr/sbin/groupdel %g
# Note: the groupmod -A (add member) and -R (remove member) options are a SUSE
# extension; on other distributions use the equivalent tool (e.g. gpasswd -a / gpasswd -d)
add user to group script = /usr/sbin/groupmod -A %u %g
delete user from group script = /usr/sbin/groupmod -R %u %g
add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody %u
# Note: The following specifies the default logon script.
# Per user logon scripts can be specified in the user account using pdbedit
logon script = scripts\logon.bat
# This sets the default profile path. Set per user paths with pdbedit
logon path = \\%L\Profiles\%U
logon drive = H:
logon home = \\%L\%U
domain logons = Yes
os level = 35
preferred master = Yes
domain master = Yes
idmap uid = 15000-20000
idmap gid = 15000-20000
printing = cups
Example 2.8. Engineering Office smb.conf (shares and services)

[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No

# Printing auto-share (makes printers available thru CUPS)
[printers]
comment = All Printers
path = /var/spool/samba
printer admin = root, maryo
create mask = 0600
guest ok = Yes
printable = Yes
browseable = No

[print$]
comment = Printer Drivers Share
path = /var/lib/samba/drivers
write list = maryo, root
printer admin = maryo, root

# Needed to support domain logons
[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
admin users = root, maryo
guest ok = Yes
browseable = No

# For profiles to work, create a user directory under the path
# shown. i.e., mkdir -p /var/lib/samba/profiles/maryo
[Profiles]
comment = Roaming Profile Share
path = /var/lib/samba/profiles
read only = No
profile acls = Yes

# Other resource (share/printer) definitions would follow below.
- A working PDC configuration using the tdbsam password backend can be found in Engineering Office smb.conf (globals) together with Engineering Office smb.conf (shares and services). The steps to bring it into service are:
- Create UNIX group accounts as needed using a suitable operating system tool:
root# groupadd ntadmins
root# groupadd designers
root# groupadd engineers
root# groupadd qateam
-
Create user accounts on the system using the appropriate tool
provided with the operating system. Make sure all user home directories
are created also. Add users to groups as required for access control
on files, directories, printers, and as required for use in the Samba
environment.
- Assign each of the UNIX groups to NT groups by executing this shell script (you could name the script initGroups.sh):
#!/bin/bash
#### Keep this as a shell script for future re-use
# First assign the well-known domain groups. Samba already knows their SIDs,
# so the existing mappings are modified rather than added.
net groupmap modify ntgroup="Domain Admins" unixgroup=ntadmins
net groupmap modify ntgroup="Domain Users" unixgroup=users
net groupmap modify ntgroup="Domain Guests" unixgroup=nobody
# Now for our added Domain Groups (type=d creates a domain global group)
net groupmap add ntgroup="Designers" unixgroup=designers type=d
net groupmap add ntgroup="Engineers" unixgroup=engineers type=d
net groupmap add ntgroup="QA Team" unixgroup=qateam type=d
# Check the result with: net groupmap list
- Create the scripts directory for use in the [NETLOGON] share:
root# mkdir -p /var/lib/samba/netlogon/scripts
Place the logon scripts that will be used (batch or cmd scripts, saved with DOS CR/LF line endings) in this directory. Every domain member runs these scripts at logon and the share is guest readable, so the directory must be writable only by root and the accounts named in admin users (here maryo); do not set read only = No on this share.
The above configuration provides a functional PDC system to which must be added file shares and printers as required.
In this section we review in brief a Samba-3 configuration that uses a Lightweight Directory Access Protocol (LDAP) based authentication backend. The main reasons for this choice are the ability to host a Primary Domain Controller (PDC) and Backup Domain Controllers (BDCs) from one shared account database, and the greater scalability needed in a widely distributed environment.
The Primary Domain Controller
This is an example of a minimal configuration to run a Samba-3 PDC
using an LDAP authentication backend. It is assumed that the operating system
has been correctly configured.
The Idealx scripts (or equivalent) are needed to manage LDAP-based POSIX and/or
SambaSamAccounts. The Idealx scripts may be downloaded from the
Idealx Web site. They may also be obtained from the Samba tarball. Linux
distributions tend to install the Idealx scripts in the
/usr/share/doc/packages/sambaXXXXXX/examples/LDAP/smbldap-tools directory.
Idealx scripts version smbldap-tools-0.9.1 are known to work well.
Example 2.9. LDAP backend smb.conf for PDC

# Global parameters
[global]
workgroup = MIDEARTH
netbios name = FRODO
passdb backend = ldapsam:ldap://localhost
username map = /etc/samba/smbusers
printcap name = cups
add user script = /usr/local/sbin/smbldap-useradd -m '%u'
delete user script = /usr/local/sbin/smbldap-userdel %u
add group script = /usr/local/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/local/sbin/smbldap-groupdel '%g'
add user to group script = /usr/local/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/local/sbin/smbldap-groupmod -x '%u' '%g'
set primary group script = /usr/local/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/local/sbin/smbldap-useradd -w '%u'
logon script = scripts\logon.bat
logon path = \\%L\Profiles\%U
logon drive = H:
logon home = \\%L\%U
domain logons = Yes
os level = 35
preferred master = Yes
domain master = Yes
ldap suffix = dc=quenya,dc=org
# The four suffixes below are relative to ldap suffix
ldap machine suffix = ou=People
ldap user suffix = ou=People
ldap group suffix = ou=People
ldap idmap suffix = ou=People
# Samba binds with this DN exactly as written, so it must be the full DN.
# Here it is the slapd rootdn; its password is stored with smbpasswd -w.
ldap admin dn = cn=Manager,dc=quenya,dc=org
# Clear-text LDAP is acceptable here only because the server is on localhost
ldap ssl = no
ldap passwd sync = Yes
idmap uid = 15000-20000
idmap gid = 15000-20000
printing = cups
- Obtain from the Samba sources ~/examples/LDAP/samba.schema and copy it to the /etc/openldap/schema/ directory.
- Set up the LDAP server. This example is suitable for OpenLDAP 2.1.x; it is the /etc/openldap/slapd.conf file.
Example slapd.conf File
# Note commented out lines have been removed
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
database bdb
suffix "dc=quenya,dc=org"
rootdn "cn=Manager,dc=quenya,dc=org"
# Generate your own value with 'slappasswd -s <password>'. The hash below and
# its password are published with this example; never deploy them as they are.
rootpw {SSHA}06qDkonA8hk6W6SSnRzWj0/pBcU3m0/P
# The password for the above is 'nastyon3'
directory /var/lib/ldap
# No access directives are given, so slapd's default applies: everyone, including
# anonymous binds, may read every attribute, and only the rootdn may write. The
# sambaNTPassword attribute is password-equivalent, so before this server is
# reachable from anywhere but localhost add rules such as:
#   access to attrs=userPassword,sambaLMPassword,sambaNTPassword
#       by self write
#       by * auth
#   access to * by * read
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUid eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
- Create the following file initdb.ldif (LDIF entries must be separated by a blank line; comment lines alone do not separate them):
# Organization for SambaXP Demo
dn: dc=quenya,dc=org
objectclass: dcObject
objectclass: organization
dc: quenya
o: SambaXP Demo
description: The SambaXP Demo LDAP Tree

# Organizational Role for Directory Management
dn: cn=Manager,dc=quenya,dc=org
objectclass: organizationalRole
cn: Manager
description: Directory Manager

# Setting up the container for users
dn: ou=People, dc=quenya, dc=org
objectclass: top
objectclass: organizationalUnit
ou: People

# Set up an admin handle for People OU
dn: cn=admin, ou=People, dc=quenya, dc=org
cn: admin
objectclass: top
objectclass: organizationalRole
objectclass: simpleSecurityObject
# Replace this published hash with your own (slappasswd -s <password>)
userPassword: {SSHA}0jBHgQ1vp4EDX2rEMMfIudvRMJoGwjVb
# The password for above is 'mordonL8'
- Load the initial data above into the LDAP database. slapadd writes the database files directly, so run it while slapd is stopped, and make sure the files it creates under /var/lib/ldap end up owned by the user slapd runs as:
root# slapadd -v -l initdb.ldif
-
Start the LDAP server using the appropriate tool or method for
the operating system platform on which it is installed.
- Install the Idealx script files in the /usr/local/sbin directory, then configure them to match your system (smbldap.conf and smbldap_bind.conf in smbldap-tools 0.9.x; older releases used a single smbldap_conf.pm). The bind credentials in that configuration are another copy of the directory manager password, so keep the file readable by root only.
-
The smb.conf file that drives this backend can be found in example
LDAP backend smb.conf for PDC. Add additional stanzas
as required.
- Add the LDAP password to the secrets.tdb file so Samba can update the LDAP database. The password stored must be the one for the DN configured as ldap admin dn. In this example that DN is cn=Manager, the slapd rootdn, whose password in slapd.conf is nastyon3; mordonL8 belongs to cn=admin,ou=People and would fail the bind. Binding as the rootdn gives Samba unrestricted write access to the whole directory; a dedicated entry granted write access by slapd access rules is the least-privilege alternative. secrets.tdb must remain readable by root only:
root# smbpasswd -w nastyon3
-
Add users and groups as required. Users and groups added using Samba tools
will automatically be added to both the LDAP backend and the operating
system as required.
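The two {SSHA} hashes above, together with their passwords, are printed in this example and are therefore public. The following Python is an added example, not code from the page, OpenLDAP or Samba: it generates fresh {SSHA} values in the form slappasswd produces, verifies them, and emits a slapd.conf rootpw line and an initdb.ldif for the tree used here. The tree names are the page's; the function names and the 4-byte salt length are this example's assumptions.

```python
"""Fresh {SSHA} secrets for the slapd.conf rootpw and the cn=admin entry above.

Added example, not code from the page, OpenLDAP or Samba. The hashes printed on
this page (and their passwords) are public, so a directory bootstrapped by pasting
them verbatim has a well-known manager password. The scheme is the {SSHA} form
slappasswd emits by default: base64( sha1(password || salt) || salt ). The tree
names are the page's; function names and the 4-byte salt are this example's choices.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import os

SSHA_PREFIX = "{SSHA}"


def make_ssha(password: str, salt: bytes | None = None) -> str:
    """Hash a password the way slappasswd -h {SSHA} does (random 4-byte salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(stored: str, password: str) -> bool:
    """Check a password against an {SSHA} value. The salt is whatever follows
    the 20-byte SHA-1 digest, so any salt length slappasswd used is accepted."""
    if not stored.startswith(SSHA_PREFIX):
        raise ValueError("not an {SSHA} value")
    blob = base64.b64decode(stored[len(SSHA_PREFIX):])
    digest, salt = blob[:20], blob[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def rootpw_line(manager_password: str) -> str:
    """slapd.conf rootpw line; only the hash, never the clear text, goes in the file."""
    return "rootpw " + make_ssha(manager_password)


def initdb_ldif(base_dn: str, org: str, admin_password: str) -> str:
    """initdb.ldif for the layout on this page with a fresh hash for cn=admin.
    base_dn looks like dc=quenya,dc=org; its first dc value becomes the top entry's dc."""
    attr, _, dc_value = base_dn.split(",")[0].partition("=")
    if attr.strip().lower() != "dc":
        raise ValueError("base_dn must start with a dc= component")
    return (
        f"dn: {base_dn}\nobjectclass: dcObject\nobjectclass: organization\n"
        f"dc: {dc_value.strip()}\no: {org}\n\n"
        f"dn: cn=Manager,{base_dn}\nobjectclass: organizationalRole\n"
        "cn: Manager\ndescription: Directory Manager\n\n"
        f"dn: ou=People,{base_dn}\nobjectclass: top\n"
        "objectclass: organizationalUnit\nou: People\n\n"
        f"dn: cn=admin,ou=People,{base_dn}\ncn: admin\nobjectclass: top\n"
        "objectclass: organizationalRole\nobjectclass: simpleSecurityObject\n"
        f"userPassword: {make_ssha(admin_password)}\n"
    )


if __name__ == "__main__":
    # The page's published rootpw hash checked against the page's published password
    page_hash = "{SSHA}06qDkonA8hk6W6SSnRzWj0/pBcU3m0/P"
    print("published rootpw matches 'nastyon3':", verify_ssha(page_hash, "nastyon3"))
    print(rootpw_line("replace-me-with-a-long-random-passphrase"))
    print(initdb_ldif("dc=quenya,dc=org", "SambaXP Demo", "another-fresh-secret"))
```

Paste the rootpw line into slapd.conf in place of the published one and load the generated LDIF with slapadd as in the step above; verify_ssha is also a quick way to confirm that a hash you copied from somewhere really matches the password you think it does.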
Remote LDAP BDC smb.conf shows the example configuration for the BDC. Note that the smb.conf file does not specify the smbldap-tools scripts; they are not needed on a BDC, since account additions and changes are made on the PDC. Add additional stanzas for shares and printers as required.
Example 2.10. Remote LDAP BDC smb.conf

# Global parameters
[global]
workgroup = MIDEARTH
netbios name = GANDALF
passdb backend = ldapsam:ldap://frodo.quenya.org
username map = /etc/samba/smbusers
printcap name = cups
logon script = scripts\logon.bat
logon path = \\%L\Profiles\%U
logon drive = H:
logon home = \\%L\%U
domain logons = Yes
os level = 33
preferred master = Yes
domain master = No
ldap suffix = dc=quenya,dc=org
ldap machine suffix = ou=People
ldap user suffix = ou=People
ldap group suffix = ou=People
ldap idmap suffix = ou=People
# Must be the full DN; Samba binds with it exactly as written
ldap admin dn = cn=Manager,dc=quenya,dc=org
# The LDAP server is on another host: with ldap ssl = no the admin password and
# every account's password hashes cross the network in clear. In production use
# ldap ssl = start tls (or an ldaps:// URL in passdb backend).
ldap ssl = no
ldap passwd sync = Yes
idmap uid = 15000-20000
idmap gid = 15000-20000
printing = cups
- Decide if the BDC should have its own LDAP server or not. If the BDC is to be the LDAP server, point passdb backend at the local server (ldapsam:ldap://localhost) and replicate the directory from the PDC's LDAP server, since the BDC must read the same account data. The default configuration in Remote LDAP BDC smb.conf uses a central LDAP server.
- Configure the NETLOGON and PROFILES directories as for the PDC in the Engineering Office example above.
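Putting the PDC and BDC configurations side by side, the following is an added example, not code from the page, the Samba project or the smbldap-tools: it parses each DC's smb.conf and checks the points this chapter makes, namely one domain master, no tdbsam where there is more than one DC, no clear-text LDAP bind to a remote server, a full ldap admin dn, and a [netlogon] that guests cannot write to. The embedded configs are constructed, cut-down copies of FRODO and GANDALF above; the finding wording, function names and the hardened() fix-up are this example's own assumptions.

```python
"""Audit every DC's smb.conf in a Samba-3 domain for the mistakes this chapter warns about.

Added example, not code from the page, the Samba project or smbldap-tools. The parser
covers what smb.conf needs: [sections], key = value, # and ; comments, backslash
continuation. Checks: exactly one domain master; no tdbsam/smbpasswd backend with more
than one DC; no clear-text LDAP bind to a remote server; ldap admin dn is a full DN;
[netlogon] is not guest-writable. Configs are constructed copies of FRODO and GANDALF.
"""
from __future__ import annotations

import re
from urllib.parse import urlsplit

YES = {"yes", "true", "1"}
LOCAL_HOSTS = {None, "localhost", "127.0.0.1", "::1"}


def parse_smb_conf(text: str) -> dict[str, dict[str, str]]:
    """{section: {parameter: value}}; names lower-cased, inner whitespace collapsed."""
    conf: dict[str, dict[str, str]] = {}
    section, pending = None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):                      # continued on the next line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":
            continue
        if m := re.fullmatch(r"\[(.+)\]", line):
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            conf[section][" ".join(key.split()).lower()] = value.strip()
    return conf


def _yes(value: str | None) -> bool:
    return (value or "").strip().lower() in YES


def audit_domain(configs: dict[str, str]) -> list[str]:
    """Run the checks over {hostname: smb.conf text}; return the list of findings."""
    parsed = {h: parse_smb_conf(t) for h, t in configs.items()}
    glob = {h: c.get("global", {}) for h, c in parsed.items()}
    out: list[str] = []
    if len({g.get("workgroup", "").upper() for g in glob.values()}) > 1:
        out.append("workgroup differs between DCs")
    masters = [h for h, g in glob.items() if _yes(g.get("domain master"))]
    if len(masters) != 1:
        out.append(f"expected exactly one 'domain master = yes', got {masters}")
    if len({(g.get("idmap uid"), g.get("idmap gid")) for g in glob.values()}) > 1:
        out.append("idmap uid/gid ranges differ between DCs")
    for host, g in glob.items():
        backend = g.get("passdb backend", "smbpasswd").split()[0]   # Samba-3.0 default
        if backend.startswith("ldapsam"):
            u = urlsplit(backend.partition(":")[2].strip('"') or "ldap://localhost")
            # 'ldap ssl' defaults to 'start tls'; the page's examples set it to 'no'
            if (u.hostname not in LOCAL_HOSTS and u.scheme != "ldaps"
                    and g.get("ldap ssl", "start tls").lower() != "start tls"):
                out.append(f"{host}: LDAP bind to {u.hostname} without TLS; the admin "
                           "password and the NT/LM hashes cross the wire in clear")
            dn = g.get("ldap admin dn", "")
            if "," not in dn:
                out.append(f"{host}: ldap admin dn '{dn}' is not a full DN; Samba binds with it as-is")
        elif len(glob) > 1:
            out.append(f"{host}: passdb backend '{backend}' is local to one host and cannot feed a BDC")
        nl = parsed[host].get("netlogon")
        if nl and _yes(nl.get("guest ok")) and (_yes(nl.get("writable")) or _yes(nl.get("writeable"))
                                               or nl.get("read only", "yes").lower() == "no"):
            out.append(f"{host}: [netlogon] is guest-writable; its scripts run on every client at logon")
    return out


# Constructed, cut-down copies of the PDC and BDC globals shown on this page.
PDC_FRODO = """\
[global]
workgroup = MIDEARTH
passdb backend = ldapsam:ldap://localhost
domain master = Yes
ldap admin dn = cn=Manager
ldap ssl = no
idmap uid = 15000-20000
idmap gid = 15000-20000
[netlogon]
guest ok = Yes
"""
BDC_GANDALF = (PDC_FRODO.split("[netlogon]")[0].replace("ldap://localhost", "ldap://frodo.quenya.org")
               .replace("domain master = Yes", "domain master = No"))
TDBSAM_FRODO = PDC_FRODO.replace("ldapsam:ldap://localhost", "tdbsam")


def hardened(text: str) -> str:
    """The same config with the two fixes the audit asks for: ldaps:// and a full admin DN."""
    return text.replace("ldap://", "ldaps://").replace("cn=Manager\n", "cn=Manager,dc=quenya,dc=org\n")


if __name__ == "__main__":
    print("as printed:", audit_domain({"FRODO": PDC_FRODO, "GANDALF": BDC_GANDALF}))
    print("tdbsam PDC + BDC:", audit_domain({"FRODO": TDBSAM_FRODO, "GANDALF": BDC_GANDALF}))
    print("hardened:", audit_domain({"FRODO": hardened(PDC_FRODO), "GANDALF": hardened(BDC_GANDALF)}))
```

Run against real files with audit_domain({"frodo": open("/etc/samba/smb.conf").read(), ...}) after collecting each DC's smb.conf; the configs as printed on this page yield three findings (two short admin DNs and the clear-text bind from GANDALF), the tdbsam PDC paired with a BDC triggers the note at the top of this page, and the hardened pair yields none.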