Samba PDC and OpenLDAP on Debian Lenny

http://debian.linux.pl/content/163-Samba-PDC-i-OpenLDAP-pod-Debianem-Lenny


by grip

Published 09-03-2010 15:07 Views: 504
[hide:4ff7d8b6c5]Samba PDC and OpenLDAP on Debian Lenny

In this article I describe how to run Samba in "Primary Domain Controller" mode together with the LDAP service.
To get everything working properly I spent about two weeks going through all the material available on the internet on this subject. Articles, howtos, forums, IRC: no single source covered the problem completely.
Even though I did not need it at all (neither at work nor for home use), I could not simply leave it like that, not working.

The moment I saw this message on the screen:
Code:

Witaj w domenie TEST

all the nerve-racking hours I had spent on this problem were rewarded. And what satisfaction. It works!

Let's begin…

Software installation

Install the packages we need:
Code:

aptitude install apache2-suexec libapache2-mod-php5 php5 php5-cli php5-curl php5-gd php5-imap php5-ldap php5-mcrypt php5-mhash php5-sqlite php5-tidy php5-xmlrpc php-pear slapd mcrypt ldap-utils libgd-tools apache2-doc libpam-ldap libnss-ldap resolvconf samba swat smbclient smbfs smbldap-tools

Answer the installer's questions as follows:
Code:

Administrator passwd: 123456
Confirm passwd: 123456
Workgroup/Domain Name: TEST
Modify smb.conf to use WINS settings from DHCP?: NO
LDAP server Uniform Resource Identifier: ldap://127.0.0.1
Distinguished name of the search base: dc=test,dc=local
LDAP version to use: 3
LDAP account for root: cn=admin,dc=test,dc=local
LDAP root account password: 123456
Make local root Database admin: Yes
Does the LDAP database require login?: NO
LDAP account for root: cn=admin,dc=test,dc=local
LDAP root account password: 123456

A small clarification: the installer questions above, asked after the earlier "aptitude install" command that installs the required software, were as of 02.05.2009. Why do I mention this? Because many guides available online, based on Debian Etch or an early version of Lenny, show the installer asking its questions in a different order. Nevertheless, please adapt the values shown to your own needs. Also, don't worry, because in later steps we will reconfigure the packages once more with "dpkg-reconfigure" anyway.

slapd configuration

Back up the LDAP database:
Code:

slapcat > ~/slapd.ldif

Copy the Samba schema:
Code:

zcat /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz > /etc/ldap/schema/samba.schema

Generate the rootdn password hash in MD5:
Code:

slappasswd -h {MD5}

Replace /etc/ldap/slapd.conf with the version below (please note the text in bold):

#######################################################################
# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.

#######################################################################
# Global Directives:

# Features to permit
#allow bind_v2

# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/samba.schema

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile /var/run/slapd/slapd.pid

# List of arguments that were passed to the server
argsfile /var/run/slapd/slapd.args

# Read slapd.conf(5) for possible values
loglevel none

# Where the dynamically loaded modules are stored
modulepath /usr/lib/ldap
moduleload back_hdb

# The maximum number of entries that is returned for a search operation
sizelimit 500

# The tool-threads parameter sets the actual amount of cpu's that is used
# for indexing.
tool-threads 1

#######################################################################
# Specific Backend Directives for hdb:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend hdb

#######################################################################
# Specific Backend Directives for 'other':
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
#backend <other>

#######################################################################
# Specific Directives for database #1, of type hdb:
# Database specific directives apply to this database until another
# 'database' directive occurs
database hdb

# The base of your directory in database #1
suffix "dc=test,dc=local"

# rootdn directive for specifying a superuser on the database. This is needed
# for syncrepl.
rootdn "cn=admin,dc=test,dc=local"
rootpw {MD5}Qhz9FD5FDD9YFKBJVAngcw==

# Where the database file are physically stored for database #1
directory "/var/lib/ldap"

# The dbconfig settings are used to generate a DB_CONFIG file the first
# time slapd starts. They do NOT override an existing DB_CONFIG
# file. You should therefore change these settings in DB_CONFIG directly
# or remove DB_CONFIG and restart slapd for changes to take effect.

# For the Debian package we use 2MB as default but be sure to update this
# value if you have plenty of RAM
dbconfig set_cachesize 0 2097152 0

# Sven Hartge reported that he had to set this value incredibly high
# to get slapd running at all. See http://bugs.debian.org/303057 for more
# information.

# Number of objects that can be locked at the same time.
dbconfig set_lk_max_objects 1500

# Number of locks (both requested and granted)
dbconfig set_lk_max_locks 1500

# Number of lockers
dbconfig set_lk_max_lockers 1500

# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,sn,mail,givenname eq,pres,sub
index uidNumber,gidNumber,memberUid eq,pres
index loginShell eq,pres
## required to support pdb_getsampwnam
index uid pres,sub,eq
## required to support pdb_getsambapwrid()
index displayName pres,sub,eq
index nisMapName,nisMapEntry eq,pres,sub
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
index uniqueMember eq
index sambaGroupType eq
index sambaSIDList eq

# Save the time that the entry gets modified, for database #1
lastmod on

# Checkpoint the BerkeleyDB database periodically in case of system
# failure and to speed slapd shutdown.
checkpoint 512 30

# Where to store the replica logs for database #1
# replogfile /var/lib/ldap/replog

# users can authenticate and change their password
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdMustChange,sambaPwdLastSet
        by self write
        by anonymous auth
        by * none

# those 2 parameters must be world readable for password aging to work correctly
# (or use a privileged account in /etc/ldap.conf to bind to the directory)
access to attrs=shadowLastChange,shadowMax
        by self write
        by * read

# all others attributes are readable to everybody
access to *
        by * read

# For Netscape Roaming support, each user gets a roaming
# profile for which they have write access to
#access to dn=".*,ou=Roaming,o=morsnet"
#        by dn="cn=admin,dc=example,dc=com" write
#        by dnattr=owner write

#######################################################################
# Specific Directives for database #2, of type 'other' (can be hdb too):
# Database specific directives apply to this database until another
# 'database' directive occurs
#database <other>

# The base of your directory for database #2
#suffix "dc=debian,dc=org"
#######################################################################

Stop nscd:
Code:

/etc/init.d/nscd stop

Restore the LDAP database:
Code:

/etc/init.d/slapd stop
rm -rf /var/lib/ldap/*
slapadd -l ~/slapd.ldif
slapindex
chown -Rf openldap:openldap /var/lib/ldap
/etc/init.d/slapd start
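
The ACL block in the slapd.conf above is evaluated top-down: slapd applies the first `access to` clause that names the attribute and, inside it, the first matching `by`. The script below is an added example, not part of the original article, that prints what an unauthenticated client gets for a given attribute. Its function names and the embedded sample are constructed here, and it only understands `access to *` and `access to attrs=...` targets.

```shell
#!/bin/sh
# Added example: what does an anonymous client get under a slapd.conf ACL
# set like the one in this article? Function names are made up here.

# Join continuation lines (a line that starts with whitespace continues the
# previous directive) and drop comments and blank lines.
slapd_logical_lines() {
    awk '
        /^#/     { next }
        /^[ \t]/ { sub(/^[ \t]+/, ""); if ($0 != "") buf = buf " " $0; next }
                 { if (buf != "") print buf; buf = $0 }
        END      { if (buf != "") print buf }
    ' "$1"
}

# Print the hash scheme of rootpw (MD5, SSHA, ...) or CLEARTEXT.
slapd_rootpw_scheme() {
    slapd_logical_lines "$1" | awk '
        $1 == "rootpw" {
            if (match($2, /^[{][A-Za-z0-9-]+[}]/)) print substr($2, 2, RLENGTH - 2)
            else print "CLEARTEXT"
            exit
        }'
}

# Print the access level an anonymous client gets for attribute $2 in file $1.
slapd_anon_level() {
    slapd_logical_lines "$1" | awk -v attr="$2" '
        $1 != "access" || $2 != "to" { next }
        {
            seen = 1; what = $3; hit = (what == "*")
            if (sub(/^attrs?=/, "", what)) {
                n = split(what, names, ",")
                for (i = 1; i <= n; i++)
                    if (tolower(names[i]) == tolower(attr)) hit = 1
            }
            if (!hit) next
            for (i = 4; i + 2 <= NF; i++)
                if ($i == "by" && ($(i + 1) == "anonymous" || $(i + 1) == "*")) {
                    level = $(i + 2); exit
                }
            level = "none"; exit    # every clause ends with an implicit "by * none"
        }
        # No clause matched: deny if ACLs exist, else the built-in default is read.
        END { if (level == "") level = seen ? "none" : "read"; print level }
    '
}

# Constructed sample: the rootpw line and ACL block from the article.
sample_slapd_conf() {
    cat <<'EOF'
rootpw {MD5}Qhz9FD5FDD9YFKBJVAngcw==
# users can authenticate and change their password
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdMustChange,sambaPwdLastSet
        by self write
        by anonymous auth
        by * none
access to attrs=shadowLastChange,shadowMax
        by self write
        by * read
access to *
        by * read
EOF
}

conf=$(mktemp)
sample_slapd_conf > "$conf"
echo "rootpw scheme: $(slapd_rootpw_scheme "$conf")"
for a in userPassword sambaNTPassword shadowMax sambaSID uid; do
    printf '%-18s %s\n' "$a" "$(slapd_anon_level "$conf" "$a")"
done
rm -f "$conf"
```

Any attribute that is not listed in an `attrs=` clause before `access to *` comes back as `read`, so new sensitive attributes have to be added to the first clause explicitly.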

Apache and PHP configuration for phpLDAPadmin
Code:

nano /etc/php5/apache2/php.ini

And change the following values:
Code:

memory_limit = 128M;
post_max_size = 32M
upload_max_filesize = 32M
display_errors = Off

Edit /etc/apache2/sites-enabled/000-default so that it reads as follows (AllowOverride none => AllowOverride all):
Code:

<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride all
Order allow,deny
allow from all
</Directory>

And restart Apache:
Code:

/etc/init.d/apache2 restart

Installing phpLDAPadmin:
Code:

wget http://dfn.dl.sourceforge.net/source...1.1.0.6.tar.gz
mv phpldapadmin-1.1.0.6.tar.gz /var/www/
cd /var/www
tar zxvf phpldapadmin-1.1.0.6.tar.gz
ln -s phpldapadmin-1.1.0.6 phpldapadmin
cd /var/www/phpldapadmin/config/
cp config.php.example config.php

Edit /var/www/phpldapadmin/config/config.php and uncomment the line:
Code:

$ldapservers->SetValue($i,'server','host','127.0.0.1');

You can now access phpLDAPadmin at:
Code:

http://localhost/phpldapadmin

by entering your rootdn and password.

Preparing Samba

Copy and change /etc/samba/smb.conf to:
Code:

# Samba config file created using SWAT
# from UNKNOWN ()
# Date: 2009/02/27 02:16:06

[global]
dos charset = UTF-8
display charset = UTF-8
workgroup = TEST
realm = TEST.LOCAL
server string = %h server
map to guest = Bad User
passdb backend = ldapsam:ldap://127.0.0.1/
pam password change = Yes
passwd program = /usr/sbin/smbldap-passwd -u %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
unix password sync = Yes
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
add user script = /usr/sbin/smbldap-useradd -m %u
delete user script = /usr/sbin/smbldap-userdel %u
add group script = /usr/sbin/smbldap-groupadd -p %g
delete group script = /usr/sbin/smbldap-groupdel %g
add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
set primary group script = /usr/sbin/smbldap-usermod -g %g %u
add machine script = /usr/sbin/smbldap-useradd -w %u
logon script = logon.bat
logon path = \\%N\profiles\%U
logon drive = H:
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
dns proxy = No
wins support = Yes
ldap admin dn = cn=admin,dc=test,dc=local
ldap delete dn = Yes
ldap group suffix = ou=group
ldap idmap suffix = ou=idmap
ldap machine suffix = ou=computer
ldap suffix = dc=test,dc=local
ldap ssl = no
ldap user suffix = ou=people
panic action = /usr/share/samba/panic-action %d
case sensitive = No

[homes]
comment = Home Directories
valid users = %S
read only = No
create mask = 0600
directory mask = 0700
browseable = No

[printers]
comment = All Printers
path = /var/spool/samba
create mask = 0700
printable = Yes
browseable = No

[print$]
comment = Printer Drivers
path = /var/lib/samba/printers

[netlogon]
path = /var/lib/samba/netlogon
browseable = No

[profiles]
path = /var/lib/samba/profiles
force user = %U
read only = No
create mask = 0600
directory mask = 0700
guest ok = Yes
profile acls = Yes
browseable = No
csc policy = disable

[public]
path = /tmp
read only = No
guest ok = Yes

Change the LDAP password for Samba:
Code:

smbpasswd -w 123456

Create the directories for profiles:
Code:

mkdir -p /var/lib/samba/netlogon /var/lib/samba/profiles
chown -Rf root:root /var/lib/samba/netlogon /var/lib/samba/profiles
chmod 1777 /var/lib/samba/profiles

And restart Samba:
Code:

/etc/init.d/samba restart
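
The smb.conf above sets `map to guest = Bad User` in [global], so unknown user names are mapped to the guest account and every share with `guest ok = Yes` is reachable without a domain account. The script below is an added example, not part of the original article, that lists the shares which both accept guests and allow writes; the function names and the shortened sample file are constructed here, and `testparm -s` remains the authoritative view of what Samba loads.

```shell
#!/bin/sh
# Added example: list the smb.conf shares that accept guests and allow writes.
# Function names are made up for this example.

guest_writable_shares() {
    awk '
        function emit() {
            if (sect != "" && tolower(sect) != "global" && guest && writable) print sect
        }
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ {
            emit()
            sect = $0; sub(/^[ \t]*\[/, "", sect); sub(/\].*$/, "", sect)
            guest = 0; writable = 0    # Samba defaults: guest ok = no, read only = yes
            next
        }
        /=/ {
            # Samba ignores case and spaces inside parameter names.
            key = $0; sub(/=.*$/, "", key); gsub(/[ \t]/, "", key); key = tolower(key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val); val = tolower(val)
            yes = (val == "yes" || val == "true" || val == "1")
            if (key == "guestok" || key == "public") guest = yes
            else if (key == "readonly") writable = !yes
            else if (key == "writable" || key == "writeable" || key == "writeok") writable = yes
        }
        END { emit() }
    ' "$1"
}

# Constructed sample: the share sections of the article, shortened to the
# parameters that matter for this check.
sample_smb_conf() {
    cat <<'EOF'
[global]
map to guest = Bad User
[homes]
valid users = %S
read only = No
[netlogon]
path = /var/lib/samba/netlogon
[profiles]
path = /var/lib/samba/profiles
read only = No
guest ok = Yes
[public]
path = /tmp
read only = No
guest ok = Yes
EOF
}

f=$(mktemp)
sample_smb_conf > "$f"
guest_writable_shares "$f"
rm -f "$f"
```

For the article's configuration this reports [profiles] and [public]; setting `guest ok = No` on a share removes it from the list.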

smbldap-tools configuration

Preparing smbldap-tools:
Code:

zcat /usr/share/doc/smbldap-tools/examples/smbldap.conf.gz > /etc/smbldap-tools/smbldap.conf
cp /usr/share/doc/smbldap-tools/examples/smbldap_bind.conf /etc/smbldap-tools/smbldap_bind.conf

Get the Samba SID:
Code:

net getlocalsid

Replace /etc/smbldap-tools/smbldap.conf with the version below (remember to change the SID):
Code:

# $Source: $
# $Id: smbldap.conf,v 1.18 2005/05/27 14:28:47 jtournier Exp $
#
# smbldap-tools.conf : Q & D configuration file for smbldap-tools

# This code was developed by IDEALX (http://IDEALX.org/) and
# contributors (their names can be found in the CONTRIBUTORS file).
#
# Copyright (C) 2001-2002 IDEALX
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
# USA.

# Purpose :
# . be the configuration file for all smbldap-tools scripts

##############################################################################
#
# General Configuration
#
##############################################################################

# Put your own SID. To obtain this number do: "net getlocalsid".
# If not defined, parameter is taking from "net getlocalsid" return
SID="S-1-5-21-1169193956-4199179787-2206793627"

# Domain name the Samba server is in charged.
# If not defined, parameter is taking from smb.conf configuration file
# Ex: sambaDomain="IDEALX-NT"
sambaDomain="TEST"

##############################################################################
#
# LDAP Configuration
#
##############################################################################

# Notes: to use to dual ldap servers backend for Samba, you must patch
# Samba with the dual-head patch from IDEALX. If not using this patch
# just use the same server for slaveLDAP and masterLDAP.
# Those two servers declarations can also be used when you have
# . one master LDAP server where all writing operations must be done
# . one slave LDAP server where all reading operations must be done
# (typically a replication directory)

# Slave LDAP server
# Ex: slaveLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
slaveLDAP="127.0.0.1"

# Slave LDAP port
# If not defined, parameter is set to "389"
slavePort="389"

# Master LDAP server: needed for write operations
# Ex: masterLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
masterLDAP="127.0.0.1"

# Master LDAP port
# If not defined, parameter is set to "389"
masterPort="389"

# Use TLS for LDAP
# If set to 1, this option will use start_tls for connection
# (you should also used the port 389)
# If not defined, parameter is set to "1"
ldapTLS="0"

# How to verify the server's certificate (none, optional or require)
# see "man Net::LDAP" in start_tls section for more details
verify="require"

# CA certificate
# see "man Net::LDAP" in start_tls section for more details
cafile="/etc/smbldap-tools/ca.pem"

# certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientcert="/etc/smbldap-tools/smbldap-tools.pem"

# key certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientkey="/etc/smbldap-tools/smbldap-tools.key"

# LDAP Suffix
# Ex: suffix=dc=IDEALX,dc=ORG
suffix="dc=test,dc=local"

# Where are stored Users
# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for usersdn
usersdn="ou=people,${suffix}"

# Where are stored Computers
# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for computersdn
computersdn="ou=computer,${suffix}"

# Where are stored Groups
# Ex: groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for groupsdn
groupsdn="ou=group,${suffix}"

# Where are stored Idmap entries (used if samba is a domain member server)
# Ex: groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for idmapdn
idmapdn="ou=idmap,${suffix}"

# Where to store next uidNumber and gidNumber available for new users and groups
# If not defined, entries are stored in sambaDomainName object.
# Ex: sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
# Ex: sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"

# Default scope Used
scope="sub"

# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
hash_encrypt="MD5"

# if hash_encrypt is set to CRYPT, you may set a salt format.
# default is "%s", but many systems will generate MD5 hashed
# passwords if you use "$1$%.8s". This parameter is optional!
crypt_salt_format="%s"

##############################################################################
#
# Unix Accounts Configuration
#
##############################################################################

# Login defs
# Default Login Shell
# Ex: userLoginShell="/bin/bash"
userLoginShell="/bin/bash"

# Home directory
# Ex: userHome="/home/%U"
userHome="/home/%U"

# Default mode used for user homeDirectory
userHomeDirectoryMode="700"

# Gecos
userGecos="System User"

# Default User (POSIX and Samba) GID
defaultUserGid="513"

# Default Computer (Samba) GID
defaultComputerGid="515"

# Skel dir
skeletonDir="/etc/skel"

# Default password validation time (time in days) Comment the next line if
# you don't want password to be enable for defaultMaxPasswordAge days (be
# careful to the sambaPwdMustChange attribute's value)
defaultMaxPasswordAge="6"

##############################################################################
#
# SAMBA Configuration
#
##############################################################################

# The UNC path to home drives location (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon home'
# directive and/or disable roaming profiles
# Ex: userSmbHome="\\PDC-SMB3\%U"
userSmbHome=""

# The UNC path to profiles locations (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon path'
# directive and/or disable roaming profiles
# Ex: userProfile="\\PDC-SMB3\profiles\%U"
userProfile=""

# The default Home Drive Letter mapping
# (will be automatically mapped at logon time if home directory exist)
# Ex: userHomeDrive="H:"
userHomeDrive="H:"

# The default user netlogon script name (%U username substitution)
# if not used, will be automatically username.cmd
# make sure script file is edited under dos
# Ex: userScript="startup.cmd" # make sure script file is edited under dos
userScript="logon.bat"

# Domain appended to the users "mail"-attribute
# when smbldap-useradd -M is used
# Ex: mailDomain="idealx.com"
mailDomain="test.local"

##############################################################################
#
# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
#
##############################################################################

# Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but
# prefer Crypt::SmbHash library
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"

# Allows not to use slappasswd (if with_slappasswd == 0 in smbldap_conf.pm)
# but prefer Crypt:: libraries
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"

# comment out the following line to get rid of the default banner
# no_banner="1"

Replace /etc/smbldap-tools/smbldap_bind.conf with the following:
Code:

############################
# Credential Configuration #
############################
# Notes: you can specify two different configurations if you use a
# master ldap for writing access and a slave ldap server for reading access
# By default, we will use the same DN (so it will work for standard Samba
# release)

slaveDN="cn=admin,dc=test,dc=local"
slavePw="123456"
masterDN="cn=admin,dc=test,dc=local"
masterPw="123456"

Set the file permissions:
Code:

chmod 0644 /etc/smbldap-tools/smbldap.conf
chmod 0600 /etc/smbldap-tools/smbldap_bind.conf

Now run populate for our Samba LDAP schema:
Code:

smbldap-populate

Don't forget to back up the latest LDAP database:
Code:

slapcat > ~/smbldap.ldif

PAM/NSS configuration with LDAP

Run dpkg-reconfigure libnss-ldap and answer as follows:
Code:

LDAP server Uniform Resource Identifier: ldap://127.0.0.1
Distinguished name of the search base: dc=test,dc=local
LDAP version to use: 3
Does the LDAP database require login? No
Special LDAP privileges for root? Yes
Make the configuration file readable/writeable by its owner only? Yes
LDAP account for root: cn=admin,dc=test,dc=local
LDAP root account password: 123456

Update /etc/nsswitch.conf:
Code:

passwd: files ldap
group: files ldap
shadow: files ldap
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4 ldap

Add the following lines to /etc/ldap/ldap.conf:
Code:

host localhost
base dc=test,dc=local
binddn cn=admin,dc=test,dc=local
bindpw 123456

bind_policy soft
pam_password exop
timelimit 15

nss_base_passwd dc=test,dc=local?sub
nss_base_shadow dc=test,dc=local?sub
nss_base_group ou=group,dc=test,dc=local?one
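
The article restricts /etc/smbldap-tools/smbldap_bind.conf to mode 0600, but the same admin bind password is also written as `bindpw` into /etc/ldap/ldap.conf, for which no chmod is given. The script below is an added example, not part of the original article, that reports credential directives stored in files that group or other can read. Its function names and the scratch files are constructed here, and mode 0644 for the client config is an assumption about a default install.

```shell
#!/bin/sh
# Added example: find cleartext LDAP bind passwords in files that group or
# other can read. Function names are made up; the directive names are the
# ones this article writes (bindpw, rootpw, slavePw, masterPw).

# Succeeds when the group-read or other-read permission bit is set.
readable_by_others() {
    [ -n "$(find "$1" -prune \( -perm -040 -o -perm -004 \) -print 2>/dev/null)" ]
}

# Print "file: directive" for each credential directive stored in a file
# that is readable beyond its owner.
audit_secret_files() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        readable_by_others "$f" || continue
        awk -v f="$f" '
            /^[ \t]*#/ { next }
            NF == 0    { next }
            {
                key = $1; sub(/=.*/, "", key)
                if (key == "bindpw" || key == "rootpw" || key == "slavePw" || key == "masterPw")
                    print f ": " key
            }' "$f"
    done
}

# Constructed demo in a scratch directory, mirroring the article: the bind
# file gets 0600, the client config keeps a world-readable mode (assumed 0644).
demo_audit() {
    d=$(mktemp -d)
    printf 'slaveDN="cn=admin,dc=test,dc=local"\nslavePw="123456"\nmasterPw="123456"\n' > "$d/smbldap_bind.conf"
    printf 'host localhost\nbinddn cn=admin,dc=test,dc=local\nbindpw 123456\n' > "$d/ldap.conf"
    chmod 0600 "$d/smbldap_bind.conf"
    chmod 0644 "$d/ldap.conf"
    ( cd "$d" && audit_secret_files smbldap_bind.conf ldap.conf )
    rm -rf "$d"
}

demo_audit
```

On the real system the same function can be pointed at /etc/ldap/ldap.conf, /etc/ldap/slapd.conf and /etc/smbldap-tools/smbldap_bind.conf; an empty result means none of them exposes a credential directive to other local users.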

Change the parameters in /etc/libnss-ldap.conf:
Code:

bind_policy soft
pam_password md5
nss_base_passwd dc=test,dc=local?sub
nss_base_shadow dc=test,dc=local?sub
nss_base_group ou=group,dc=test,dc=local?one

Check /etc/libnss-ldap.secret:
Code:

cat /etc/libnss-ldap.secret

Now run dpkg-reconfigure libpam-ldap:
Code:

LDAP server Uniform Resource Identifier: ldap://127.0.0.1
Distinguished name of the search base: dc=test,dc=local
LDAP version to use: 3
Make local root Database admin. Yes
Does the LDAP database require login? No
LDAP account for root: cn=admin,dc=test,dc=local
LDAP root account password: 123456
Local crypt to use when changing passwords. MD5

Modify /etc/pam_ldap.conf:
Code:

bind_policy soft
nss_base_passwd dc=test,dc=local?sub
nss_base_shadow dc=test,dc=local?sub
nss_base_group ou=group,dc=test,dc=local?one

And check /etc/pam_ldap.secret:
Code:

cat /etc/pam_ldap.secret

Comment out /etc/pam.d/common-account:
Code:

# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.

Now add the required groups:
Code:

addgroup --system nvram
addgroup --system rdma
addgroup --system fuse
addgroup --system kvm
adduser --system --group --shell /usr/sbin/nologin --home /var/lib/tpm tss

All that remains is to restart.

Testing the setup

Create a sample user:
Code:

smbldap-useradd -a -m postmaster
smbldap-passwd postmaster

And check that it was added:
Code:

getent passwd
getent group

Now all that is left is to join a computer to the domain and check that it works.

The article is also available on my home page www.gripek.org at http://gripek.org/artykuly/artykuly_samba_openldap.html

author: gripek/Tomasz Kobus

I have hidden the topic from users.
[/hide:4ff7d8b6c5]

[mod]
Quote: grip wrote
Hi,

I would like to ask for the removal of the article about openldap -http://debian.linux.pl/viewtopic.php?t=15052

Unfortunately there is a bug somewhere that causes access to the system to be blocked, so until I find the cause I do not want anyone who uses it to be harmed this way.

This is urgent.
I have hidden the topic from users.
[/mod]

[ Comment added by: fnmirk: 2009-06-11, 10:43 ]
Because of the attempt to fix the bug that was found, the author asked for the content to be hidden temporarily.
This article was originally published on the forum: Samba PDC and OpenLDAP on Debian Lenny, by grip.

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License