Thursday, June 20, 2013

Basic firewall with pfSense


PFSENSE
Configure rules for the LAN interface (the WAN interface blocks everything)
1. Make sure the "Default LAN > any" rule has been disabled or removed.
2. Allow DNS. If pfSense itself is the resolver, allow DNS to the LAN address; if an external DNS server is used, port 53 must be allowed to anywhere.
   1. Allow TCP/UDP 53 (DNS) from LAN subnet to anywhere
   2. Allow TCP/UDP 53 (DNS) from LAN subnet to LAN Address
3. The following allows all users to browse the web over HTTP:
   1. Allow TCP 80 (HTTP) from LAN subnet to anywhere
4. The following allows all users to browse the web over HTTPS:
   1. Allow TCP 443 (HTTPS) from LAN subnet to anywhere
5. Do the same for any other rules you want to create:
6. Allow users to access FTP sites anywhere.
   1. Allow TCP 21 (FTP) from LAN subnet to anywhere
7. Allow users to access SMTP on a mail server somewhere.
   1. Allow TCP 25 (SMTP) from LAN subnet to anywhere
8. Allow users to access POP3 on a mail server somewhere.
   1. Allow TCP 110 (POP3) from LAN subnet to anywhere
9. Allow users to access IMAP on a mail server somewhere.
   1. Allow TCP 143 (IMAP) from LAN subnet to anywhere
10. If you need to allow a remote connection to an outside Windows server, configure a rule for remote administration.
   1. Allow TCP/UDP 3389 (Terminal Server) from LAN subnet to IP of remote server
11. If you use Windows shares on the DMZ and want LAN users to access these files, you need to allow NetBIOS/Microsoft-DS from the LAN to the DMZ.
   1. Allow TCP/UDP 137 (NETBIOS) from LAN subnet to DMZ subnet
   2. Allow TCP/UDP 138 (NETBIOS) from LAN subnet to DMZ subnet
   3. Allow TCP/UDP 139 (NETBIOS) from LAN subnet to DMZ subnet
   4. Allow TCP 445 (Microsoft-DS) from LAN subnet to DMZ subnet

Outbound DMZ
1. By default, there are no rules on OPT interfaces.
2. To allow your servers to use Windows Update or browse the WAN:
   1. Allow TCP 80 (HTTP) from DMZ subnet to anywhere
3. If you use an external DNS server, you need to allow the computers to leave the network to reach it.
   1. Allow TCP/UDP 53 (DNS) from DMZ subnet to IP of primary DNS server
   2. Allow TCP/UDP 53 (DNS) from DMZ subnet to IP of secondary DNS server
4. To allow your servers to use a remote time server, open port 123.
   1. Allow UDP 123 (NTP) from DMZ subnet to IP of remote time server
Because of the security concerns above for the LAN, we only allow users to reach certain websites and block the download of certain file types; to do that we need the following packages:
Installation Squid2 + SquidGuard on pfSense 2.0.x
Installation Squid3 + SquidGuard on pfSense 2.0.x
Installation Squid2/3 + SquidGuard on pfSense 2.1.x

VPN with CentOS 6 (source: server-world.info)


Install OpenVPN to configure a Virtual Private Network.
This example configures the environment below (bridge mode). [172.16.2.1] is actually a private IP address here; replace it with your global IP address.
(1) VPN server
    [172.16.2.1]    - global IP address
    [10.0.0.50]     - eth0 ( real IP address )
    [10.0.0.60]     - br0 - newly set up as a bridge
(2) VPN client (Windows)
    [192.168.0.244] - real IP address
    [10.0.0.??]     - automatically assigned by the VPN server
By the way, it is necessary to set up NAT/port forwarding on your router. The protocol and listening port used by default on the VPN server is UDP/1194. In this example, requests to UDP port 1194 from the internet need to be forwarded to 10.0.0.60:1194 in the LAN.
[1] Install and configure OpenVPN
[root@vpn ~]# yum --enablerepo=epel -y install openvpn bridge-utils    # install from EPEL
[root@vpn ~]# cp /usr/share/doc/openvpn-*/sample-config-files/server.conf /etc/openvpn/
[root@vpn ~]# vi /etc/openvpn/server.conf
# line 53: change
dev tap0
# line 78: change like follows
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
# line 87: change
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
# line 96: comment out
#server 10.8.0.0 255.255.255.0
# line 103: comment out
#ifconfig-pool-persist ipp.txt
# line 115: uncomment and change ( [VPN server's IP] [subnetmask] [the range of IPs for clients] )
server-bridge 10.0.0.60 255.255.255.0 10.0.0.200 10.0.0.254
# line 138: add ( [network the VPN server is in] [subnetmask] )
push "route 10.0.0.0 255.255.255.0"
# line 275: change
status /var/log/openvpn-status.log
# line 284: uncomment and change
log /var/log/openvpn.log
log-append /var/log/openvpn.log
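An added check, not from the original post or server-world.info, for the server-bridge line above: it parses the directive as it appears in server.conf and verifies that the client pool lies in the bridge subnet, is ordered, and excludes the bridge, network and broadcast addresses; the two extra lines are constructed bad examples.

```shell
#!/bin/sh
# Added example, not part of the original post or server-world.info: check the
# server-bridge line before starting OpenVPN. In bridge mode the client pool is
# handed out on the LAN itself, so it must lie in the bridge subnet, be ordered,
# and exclude the bridge address and the network/broadcast addresses. Keeping it
# out of the LAN's DHCP range is also required but is not checked here.

# ip2int A.B.C.D -> 32-bit integer
ip2int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# check_bridge_pool SERVER_IP NETMASK POOL_START POOL_END
# prints the reason and returns 1 when the pool is unusable, 0 when it is fine
check_bridge_pool() {
    ip=$(ip2int "$1"); mask=$(ip2int "$2")
    lo=$(ip2int "$3"); hi=$(ip2int "$4")
    net=$(( ip & mask ))
    bcast=$(( net | (mask ^ 4294967295) ))
    if [ $(( lo & mask )) -ne "$net" ] || [ $(( hi & mask )) -ne "$net" ]; then
        echo "pool $3-$4 is outside the subnet of $1/$2"; return 1
    fi
    if [ "$lo" -gt "$hi" ]; then
        echo "pool start $3 is after pool end $4"; return 1
    fi
    if [ "$lo" -le "$ip" ] && [ "$ip" -le "$hi" ]; then
        echo "pool $3-$4 contains the server address $1"; return 1
    fi
    if [ "$lo" -le "$net" ] || [ "$hi" -ge "$bcast" ]; then
        echo "pool $3-$4 includes the network or broadcast address"; return 1
    fi
    echo "pool $3-$4 ok for bridge $1/$2"
    return 0
}

# check_bridge_line 'server-bridge IP MASK START END': validate the directive
# exactly as it is written in /etc/openvpn/server.conf
check_bridge_line() {
    set -- $1
    [ "$1" = "server-bridge" ] && [ $# -eq 5 ] || { echo "not a server-bridge line: $*"; return 1; }
    shift
    check_bridge_pool "$@"
}

# the line used in this guide, plus two constructed bad lines
for line in \
    "server-bridge 10.0.0.60 255.255.255.0 10.0.0.200 10.0.0.254" \
    "server-bridge 10.0.0.60 255.255.255.0 10.0.1.200 10.0.1.254" \
    "server-bridge 10.0.0.60 255.255.255.0 10.0.0.50 10.0.0.70"
do
    check_bridge_line "$line" || true   # keep going after a bad line
done
```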
[2] Create CA certificate and CA key.
[root@vpn ~]# cp -R /usr/share/openvpn/easy-rsa/2.0 /etc/openvpn/easy-rsa
[root@vpn ~]# cd /etc/openvpn/easy-rsa
[root@vpn easy-rsa]# mkdir keys
[root@vpn easy-rsa]# vi vars
# line 64: change to your environment
export KEY_COUNTRY="JP"
export KEY_PROVINCE="Hiroshima"
export KEY_CITY="Hiroshima"
export KEY_ORG="GTS"
export KEY_EMAIL="xxx@server.world"
[root@vpn easy-rsa]# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
[root@vpn easy-rsa]# ./clean-all
[root@vpn easy-rsa]# ./build-ca

Generating a 1024 bit RSA private key
.................++++++
......++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:  # Enter
State or Province Name (full name) [Hiroshima]:  # Enter
Locality Name (eg, city) [Hiroshima]:  # Enter
Organization Name (eg, company) [GTS]:  # Enter
Organizational Unit Name (eg, section) []:  # Enter
Common Name (eg, your name or your server's hostname) [GTS CA]:vpn.server.world  # input FQDN
Name []:server-ca  # set
Email Address [xxx@server.world]:  # Enter
[3] ca.crt is created under "/etc/openvpn/easy-rsa/keys"; transfer it to your client PC via FTP or SFTP and so on.
[4] Create certificate and key for server.
[root@vpn easy-rsa]# ./build-key-server server
Generating a 1024 bit RSA private key
........++++++
.......++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:  # Enter
State or Province Name (full name) [Hiroshima]:  # Enter
Locality Name (eg, city) [Hiroshima]:  # Enter
Organization Name (eg, company) [GTS]:  # Enter
Organizational Unit Name (eg, section) []:  # Enter
Common Name (eg, your name or your server's hostname) [server]:vpn.server.world  # input FQDN
Name []:server  # set
Email Address [xxx@server.world]:  # Enter
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'JP'
stateOrProvinceName   :PRINTABLE:'Hiroshima'
localityName          :PRINTABLE:'Hiroshima'
organizationName      :PRINTABLE:'GTS'
commonName            :PRINTABLE:'vpn.server.world'
name                  :PRINTABLE:'server'
emailAddress          :IA5STRING:'xxx@server.world'
Certificate is to be certified until Jul 12 09:30:07 2021 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries
Data Base Updated
[5] Generate Diffie Hellman ( DH ) parameter.
[root@vpn easy-rsa]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
[6] Create certificate and key for client.
[root@vpn easy-rsa]# ./build-key-pass client
Generating a 1024 bit RSA private key
..................++++++
..................++++++
writing new private key to 'client.key'
Enter PEM pass phrase:  # set pass-phrase
Verifying - Enter PEM pass phrase:  # confirm
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:  # Enter
State or Province Name (full name) [Hiroshima]:  # Enter
Locality Name (eg, city) [Hiroshima]:  # Enter
Organization Name (eg, company) [GTS]:  # Enter
Organizational Unit Name (eg, section) []:  # Enter
Common Name (eg, your name or your server's hostname) [client]:vpn.server.world  # input FQDN
Name []:client  # set
Email Address [xxx@server.world]:  # Enter
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'JP'
stateOrProvinceName   :PRINTABLE:'Hiroshima'
localityName          :PRINTABLE:'Hiroshima'
organizationName      :PRINTABLE:'GTS'
commonName            :PRINTABLE:'vpn.server.world'
name                  :PRINTABLE:'client'
emailAddress          :IA5STRING:'xxx@server.world'
Certificate is to be certified until Jul 12 09:31:14 2021 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries
Data Base Updated
[7] client.crt and client.key are created under "/etc/openvpn/easy-rsa/keys"; transfer them to your client PC via FTP or SFTP and so on.
[8] Start OpenVPN
[root@vpn ~]# cp /usr/share/doc/openvpn-*/sample-scripts/bridge-start /etc/openvpn/openvpn-startup
[root@vpn ~]# cp /usr/share/doc/openvpn-*/sample-scripts/bridge-stop /etc/openvpn/openvpn-shutdown
[root@vpn ~]# chmod 755 /etc/openvpn/openvpn-startup
[root@vpn ~]# chmod 755 /etc/openvpn/openvpn-shutdown
[root@vpn ~]# vi /etc/openvpn/openvpn-startup
# line 17-20: change
eth="eth0"                   # change if needed
eth_ip="10.0.0.60"           # IP address for bridge
eth_netmask="255.255.255.0"  # subnetmask
eth_broadcast="10.0.0.255"   # broadcast address
[root@vpn ~]# /etc/rc.d/init.d/openvpn start
Starting openvpn: tun: Universal TUN/TAP device driver, 1.6
tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
Fri Jul 15 18:33:02 2011 TUN/TAP device tap0 opened
Fri Jul 15 18:33:02 2011 Persist state set to: ON
Bridge firewalling registered
device eth1 entered promiscuous mode
device tap0 entered promiscuous mode
br0: port 2(tap0) entering learning state
br0: port 1(eth1) entering learning state
[ OK ]
[root@vpn ~]# chkconfig openvpn on

Sunday, June 9, 2013

PDC for CentOS 6.4

I. Install the OpenLDAP server
# yum -y install openldap-servers openldap-clients
[root@svr1 Desktop]# vi /etc/sysconfig/ldap
line 10-12: change:
# Run slapd with -h "... ldapi:/// ..."
#   yes/no, default: yes
SLAPD_LDAPI=yes

[root@svr1 Desktop]#  vi /etc/openldap/slapd.conf
Create new:
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
[root@svr1 Desktop]# rm -rf /etc/openldap/slapd.d/*
[root@svr1 Desktop]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
config file testing succeeded
[root@svr1 Desktop]#  vi /etc/openldap/slapd.d/cn=config/olcDatabase\={0}config.ldif
Line 4: change:
olcAccess: {0}to *  by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
[root@svr1 Desktop]# vi /etc/openldap/slapd.d/cn=config/olcDatabase\={1}monitor.ldif
create new:
dn: olcDatabase={1}monitor
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor
olcAccess: {1}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcMonitoring: FALSE
structuralObjectClass: olcDatabaseConfig
creatorsName: cn=config
modifiersName: cn=config
[root@svr1 Desktop]# chown -R ldap. /etc/openldap/slapd.d
[root@svr1 Desktop]# chmod -R 700 /etc/openldap/slapd.d
[root@svr1 Desktop]# service slapd start
Starting slapd:                                            [  OK  ]
[root@svr1 Desktop]# chkconfig slapd on
[root@svr1 Desktop]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/core.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=core,cn=schema,cn=config"

[root@svr1 Desktop]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"

[root@svr1 Desktop]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"
[root@svr1 Desktop]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
[root@svr1 Desktop]# slappasswd
New password:
Re-enter new password:
{SSHA}S6ZIGyr9HJoY2Pdq32Vhuh/uLKEaEdvP
[root@svr1 Desktop]# mkdir /tmp/setldap ; cd /tmp/setldap
[root@svr1 setldap]# vi backend.ldif
create:
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib64/openldap
olcModuleload: back_hdb

dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcSuffix: dc=tencongty,dc=com
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=Manager,dc=tencongty,dc=com
olcRootPW: {SSHA}S6ZIGyr9HJoY2Pdq32Vhuh/uLKEaEdvP
olcDbConfig: set_cachesize 0 2097152 0
olcDbConfig: set_lk_max_objects 1500
olcDbConfig: set_lk_max_locks 1500
olcDbConfig: set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcLastMod: TRUE
olcMonitoring: TRUE
olcDbCheckpoint: 512 30
olcAccess: to attrs=userPassword by dn="cn=Manager,dc=tencongty,dc=com" write by anonymous auth by self write by * none
olcAccess: to attrs=shadowLastChange by self write by * read
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=Manager,dc=tencongty,dc=com" write by * read
[root@svr1 setldap]# ldapadd -Y EXTERNAL -H ldapi:/// -f backend.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=module,cn=config"

adding new entry "olcDatabase=hdb,cn=config"
ldap_add: Other (e.g., implementation specific) error (80)
            additional info: <olcAccess> handler exited with 1
If you get this error here, check the quote characters (") that were altered when copying;
if they are correct, the output looks like this:
[root@svr1 setldap]# ldapadd -Y EXTERNAL -H ldapi:/// -f backend.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=module,cn=config"

adding new entry "olcDatabase=hdb,cn=config"


[root@svr1 setldap]# vi frontend.ldif
dn: dc=tencongty,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: tencongty.com
dc: tencongty

dn: cn=Manager,dc=tencongty,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: Manager
userPassword: {SSHA}S6ZIGyr9HJoY2Pdq32Vhuh/uLKEaEdvP

dn: ou=people,dc=tencongty,dc=com
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=tencongty,dc=com
objectClass: organizationalUnit
ou: groups

[root@svr1 setldap]# ldapadd -x -D cn=Manager,dc=tencongty,dc=com -W -f frontend.ldif
Enter LDAP Password:
adding new entry "dc=tencongty,dc=com"

adding new entry "cn=Manager,dc=tencongty,dc=com"

adding new entry "ou=people,dc=tencongty,dc=com"

adding new entry "ou=groups,dc=tencongty,dc=com"



[root@svr1 setldap]# vi ldapuser.sh
#!/bin/bash
# extract local users whose UID is 500-999 into LDIF
# replace "SUFFIX=***" with your own suffix
# this is an example

SUFFIX='dc=tencongty,dc=com'
LDIF='ldapuser.ldif'

echo -n > $LDIF
for line in `grep "x:[5-9][0-9][0-9]:" /etc/passwd | sed -e "s/ /%/g"`
do
   UID1=`echo $line | cut -d: -f1`
   NAME=`echo $line | cut -d: -f5 | cut -d, -f1`
   if [ ! "$NAME" ]
   then
      NAME=$UID1
   else
      NAME=`echo $NAME | sed -e "s/%/ /g"`
   fi
   SN=`echo $NAME | awk '{print $2}'`
   if [ ! "$SN" ]
   then
      SN=$NAME
   fi
   GIVEN=`echo $NAME | awk '{print $1}'`
   UID2=`echo $line | cut -d: -f3`
   GID=`echo $line | cut -d: -f4`
   # anchor the user name with ^ so "bob:" does not also match "jbob:"
   PASS=`grep "^$UID1:" /etc/shadow | cut -d: -f2`
   SHELL=`echo $line | cut -d: -f7`
   HOME=`echo $line | cut -d: -f6`
   EXPIRE=`passwd -S $UID1 | awk '{print $7}'`
   FLAG=`grep "^$UID1:" /etc/shadow | cut -d: -f9`
   if [ ! "$FLAG" ]
   then
      FLAG="0"
   fi
   WARN=`passwd -S $UID1 | awk '{print $6}'`
   MIN=`passwd -S $UID1 | awk '{print $4}'`
   MAX=`passwd -S $UID1 | awk '{print $5}'`
   LAST=`grep "^$UID1:" /etc/shadow | cut -d: -f3`

   echo "dn: uid=$UID1,ou=people,$SUFFIX" >> $LDIF
   echo "objectClass: inetOrgPerson" >> $LDIF
   echo "objectClass: posixAccount" >> $LDIF
   echo "objectClass: shadowAccount" >> $LDIF
   echo "uid: $UID1" >> $LDIF
   echo "sn: $SN" >> $LDIF
   echo "givenName: $GIVEN" >> $LDIF
   echo "cn: $NAME" >> $LDIF
   echo "displayName: $NAME" >> $LDIF
   echo "uidNumber: $UID2" >> $LDIF
   echo "gidNumber: $GID" >> $LDIF
   echo "userPassword: {crypt}$PASS" >> $LDIF
   echo "gecos: $NAME" >> $LDIF
   echo "loginShell: $SHELL" >> $LDIF
   echo "homeDirectory: $HOME" >> $LDIF
   echo "shadowExpire: $EXPIRE" >> $LDIF
   echo "shadowFlag: $FLAG" >> $LDIF
   echo "shadowWarning: $WARN" >> $LDIF
   echo "shadowMin: $MIN" >> $LDIF
   echo "shadowMax: $MAX" >> $LDIF
   echo "shadowLastChange: $LAST" >> $LDIF
   echo >> $LDIF
done
[root@svr1 setldap]# sh ldapuser.sh
[root@svr1 setldap]# ldapadd -x -D cn=Manager,dc=tencongty,dc=com -W -f ldapuser.ldif
Enter LDAP Password:
[root@svr1 setldap]# vi ldapgroup.sh
#!/bin/bash
# extract local groups whose GID is 500-999 into LDIF
# replace "SUFFIX=***" with your own suffix
# this is an example
SUFFIX='dc=tencongty,dc=com'
LDIF='ldapgroup.ldif'

echo -n > $LDIF
for line in `grep "x:[5-9][0-9][0-9]:" /etc/group`
do
   CN=`echo $line | cut -d: -f1`
   GID=`echo $line | cut -d: -f3`
   echo "dn: cn=$CN,ou=groups,$SUFFIX" >> $LDIF
   echo "objectClass: posixGroup" >> $LDIF
   echo "cn: $CN" >> $LDIF
   echo "gidNumber: $GID" >> $LDIF
   users=`echo $line | cut -d: -f4 | sed "s/,/ /g"`
   for user in ${users} ; do
      echo "memberUid: ${user}" >> $LDIF
   done
   echo >> $LDIF
done

[root@svr1 setldap]# sh ldapgroup.sh
[root@svr1 setldap]# ldapadd -x -D cn=Manager,dc=tencongty,dc=com -W -f ldapgroup.ldif
Enter LDAP Password:
II. Install the LDAP client
[root@svr1 Desktop]# yum -y install openldap-clients nss-pam-ldapd
[root@svr1 Desktop]# vi /etc/openldap/ldap.conf
#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never
BASE    dc=tencongty,dc=com
URI     ldap://10.0.0.2/
TLS_CACERTDIR   /etc/openldap/certs
[root@svr1 Desktop]# vi /etc/nslcd.conf
line 131: uri ldap://10.0.0.2/
line 132: base dc=tencongty,dc=com
ssl no
tls_cacertdir /etc/openldap/cacerts

[root@svr1 Desktop]# vi /etc/pam_ldap.conf
line 17: host 127.0.0.1
line 20: base dc=tencongty,dc=com
add at the end of the file:
uri ldap://10.0.0.2/
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
  
[root@svr1 Desktop]# vi /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
# add if you need it ( creates the home directory automatically if there is none )
session optional pam_mkhomedir.so skel=/etc/skel umask=077
The lines in blue are the ones added.
[root@svr1 Desktop]# vi /etc/nsswitch.conf
line 33: add:
passwd:     files       ldap
shadow:     files       ldap
group:      files       ldap
line 57: netgroup:   ldap
line 61: automount:  files ldap
[root@svr1 Desktop]# vi /etc/sysconfig/authconfig
line 21: USELDAP=yes
[root@svr1 Desktop]# chkconfig nslcd on
[root@svr1 Desktop]# shutdown -r now
III. Install Samba combined with LDAP as the PDC
[root@svr1 Desktop]# mkdir /tmp/setsamba
[root@svr1 Desktop]# cd /tmp/setsamba
Fetch the package from the repository here:
http://mirror.centos.org/centos/6.4/os/x86_64/Packages/
[root@svr1 setsamba]# rpm2cpio samba-3.6.9-151.el6.x86_64.rpm | cpio -id
36381 blocks
[root@svr1 setsamba]# cp ./etc/openldap/schema/samba.schema /etc/openldap/schema/
cp: overwrite `/etc/openldap/schema/samba.schema'? y
[root@svr1 setsamba]# vi schema_convert.conf
Create new:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/collective.schema
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/samba.schema

[root@svr1 setsamba]# mkdir /tmp/setsamba/ldif_output
[root@svr1 setsamba]# slapcat -f schema_convert.conf -F /tmp/setsamba/ldif_output -n0 -s "cn={12}samba,cn=schema,cn=config" > ./cn=samba.ldif


[root@svr1 setsamba]# vim cn=samba.ldif
line 1-3: remove {12}
dn: cn=samba,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: samba
line 218-224: remove these lines
structuralObjectClass: olcSchemaConfig
entryUUID: 9e8376fc-587b-1032-93a7-6de09d69b351
creatorsName: cn=config
createTimestamp: 20130524050747Z
entryCSN: 20130524050747.408358Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20130524050747Z



[root@svr1 setsamba]# ldapadd -Y EXTERNAL -H ldapi:/// -f cn=samba.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=samba,cn=schema,cn=config"
[root@svr1 setsamba]# vi samba_indexes.ldif
create new:
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: loginShell eq
olcDbIndex: uid eq,pres,sub
olcDbIndex: memberUid eq,pres,sub
olcDbIndex: uniqueMember eq,pres
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaGroupType eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sambaDomainName eq
olcDbIndex: default sub
[root@svr1 setsamba]# ldapmodify -Y EXTERNAL -H ldapi:/// -f samba_indexes.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}hdb,cn=config"

Before running this command, install the EPEL repo (6-8) first.
# yum --enablerepo=epel -y install smbldap-tools
[root@svr1 setsamba]# mv /etc/samba/smb.conf /etc/samba/smb.conf.bak
[root@svr1 setsamba]# cp /usr/share/doc/smbldap-tools-0.9.6/smb.conf /etc/samba/smb.conf
[root@svr1 setsamba]# vi /etc/samba/smb.conf
# Global parameters
[global]
workgroup = TENCONGTY.COM 
netbios name = SRV-PDC
security = user
enable privileges = yes
#interfaces = 192.168.5.11
#username map = /etc/samba/smbusers
server string = Samba Server %v
#security = ads
encrypt passwords = Yes
min passwd length = 3
#pam password change = no
#obey pam restrictions = No
# method 1:
#unix password sync = no
#ldap passwd sync = yes
# method 2:
unix password sync = yes
ldap passwd sync = yes
passwd program = /usr/sbin/smbldap-passwd -u "%u"
passwd chat = "Changing *\nNew password*" %n\n "*Retype new password*" %n\n"
log level = 0
syslog = 0
log file = /var/log/samba/log.%U
max log size = 100000
time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
mangling method = hash2
Dos charset = CP932
Unix charset = UTF-8
logon script = logon.bat
logon drive = W:
logon home =
logon path =
domain logons = Yes
domain master = Yes
os level = 65
preferred master = Yes
wins support = yes
# passdb backend = ldapsam:"ldap://ldap1.company.com ldap://ldap2.company.com"
passdb backend = ldapsam:ldap://10.0.0.2/
ldap admin dn = cn=Manager,dc=tencongty,dc=com
#ldap admin dn = cn=samba,ou=DSA,dc=company,dc=com
ldap suffix = dc=tencongty,dc=com
ldap group suffix = ou=groups
ldap user suffix = ou=people
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Idmap
add user script = /usr/sbin/smbldap-useradd -m "%u"
#ldap delete dn = Yes
delete user script = /usr/sbin/smbldap-userdel "%u"
add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
admin users = root
ldap ssl = no
# printers configuration
#printer admin = @"Print Operators"
load printers = Yes
create mask = 0640
directory mask = 0750
#force create mode = 0640
#force directory mode = 0750
nt acl support = No
printing = cups
printcap name = cups
deadtime = 10
guest account = nobody
map to guest = Bad User
dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
show add printer wizard = yes
; to maintain capital letters in shortcuts in any of the profile folders:
preserve case = yes
short preserve case = yes
case sensitive = no
[netlogon]
path = /home/netlogon/
browseable = No
read only = yes
[profiles]
path = /home/profiles
read only = no
create mask = 0600
directory mask = 0700
browseable = No
guest ok = Yes
profile acls = yes
csc policy = disable
# next line is a great way to secure the profiles
#force user = %U
# next line allows administrator to access all profiles
#valid users = %U "Domain Admins"
[printers]
comment = Network Printers
#printer admin = @"Print Operators"
guest ok = yes
printable = yes
path = /home/spool/
browseable = No
read only = Yes
printable = Yes
print command = /usr/bin/lpr -P%p -r %s
lpq command = /usr/bin/lpq -P%p
lprm command = /usr/bin/lprm -P%p %j
# print command = /usr/bin/lpr -U%U@%M -P%p -r %s
# lpq command = /usr/bin/lpq -U%U@%M -P%p
# lprm command = /usr/bin/lprm -U%U@%M -P%p %j
# lppause command = /usr/sbin/lpc -U%U@%M hold %p %j
# lpresume command = /usr/sbin/lpc -U%U@%M release %p %j
# queuepause command = /usr/sbin/lpc -U%U@%M stop %p
# queueresume command = /usr/sbin/lpc -U%U@%M start %p
[print$]
path = /home/printers
guest ok = No
browseable = Yes
read only = Yes
valid users = @"Print Operators"
write list = @"Print Operators"
create mask = 0664
directory mask = 0775
[public]
path = /datasamba/public
guest ok = yes
browseable = Yes
writable = yes
force create mode = 0775
force directory mode = 0775
[private]
path = /datasamba/private
guest ok = yes
browseable = Yes
writable = yes
force create mode = 0770
force directory mode = 0770
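An added audit script, not part of the original post, that flags the cleartext LDAP settings used in section II (ssl no and plain ldap:// URIs in nslcd.conf and pam_ldap.conf) and in the smb.conf above (ldap ssl = no, ldapsam:ldap://); the sample files it writes are constructed from those settings, and the hardened nslcd.conf it compares against is an assumption, not from this guide.

```shell
#!/bin/sh
# Added example, not code from the original post: audit the LDAP client and
# Samba settings this guide writes for cleartext LDAP. The guide leaves "ssl no"
# in nslcd.conf and pam_ldap.conf, "ldap ssl = no" in smb.conf and plain ldap://
# URIs, so bind credentials and password hashes cross the network unencrypted
# between the clients and 10.0.0.2. Sample files are constructed below; the
# real ones live under /etc.

# audit_ldap_conf FILE: print one line per weak setting, always return 0.
# Comments are stripped, whitespace collapsed and text lowercased first, so
# "ldap ssl = No" and "ssl    no" are both recognized.
audit_ldap_conf() {
    conf=$(sed -e 's/[#;].*$//' -e 's/[[:space:]]\{1,\}/ /g' -e 's/^ //' -e 's/ $//' "$1" |
           tr 'A-Z' 'a-z')
    # STARTTLS upgrades a plain ldap:// session, so a ldap:// URI is only a
    # finding when no start_tls directive is present in the same file
    if printf '%s\n' "$conf" | grep -qE '^(ssl start_tls|ldap ssl = start tls)$'; then
        starttls=yes
    else
        starttls=no
    fi
    if printf '%s\n' "$conf" | grep -qE '^ssl (no|off)$'; then
        echo "$1: TLS disabled (ssl no)"
    fi
    if printf '%s\n' "$conf" | grep -qE '^ldap ssl = (no|off)$'; then
        echo "$1: Samba binds to LDAP without TLS (ldap ssl = no)"
    fi
    if [ "$starttls" = no ] &&
       printf '%s\n' "$conf" | grep -qE '^(uri|host|passdb backend)( =)? .*ldap://'; then
        echo "$1: plain ldap:// URI without start_tls"
    fi
    return 0
}

# count_weak FILE: number of findings, for scripting
count_weak() {
    audit_ldap_conf "$1" | wc -l | tr -d ' '
}

# write_samples DIR: constructed fragments mirroring this guide's settings, plus
# an assumed hardened nslcd.conf (ldaps:// and certificate checking) to compare
write_samples() {
    printf 'uri ldap://10.0.0.2/\nbase dc=tencongty,dc=com\nssl no\ntls_cacertdir /etc/openldap/cacerts\n' \
        > "$1/nslcd.conf"
    printf 'host 127.0.0.1\nbase dc=tencongty,dc=com\n    uri ldap://10.0.0.2/\n    ssl no\n    pam_password md5\n' \
        > "$1/pam_ldap.conf"
    printf '[global]\n   passdb backend = ldapsam:ldap://10.0.0.2/\n   ldap admin dn = cn=Manager,dc=tencongty,dc=com\n   ldap ssl = no\n' \
        > "$1/smb.conf"
    printf 'uri ldaps://10.0.0.2/\nbase dc=tencongty,dc=com\nssl on\ntls_reqcert demand\ntls_cacertfile /etc/openldap/cacerts/ca.crt\n' \
        > "$1/nslcd-hardened.conf"
}

dir=$(mktemp -d)
write_samples "$dir"
for f in "$dir"/*.conf; do
    audit_ldap_conf "$f"
done
rm -rf "$dir"
```

Each of the three files from this guide yields two findings and the hardened file none; run it against the real files under /etc before putting the clients into service.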

[root@svr1 setsamba]# mkdir /datasamba
[root@svr1 setsamba]# mkdir /datasamba/public ; chmod 777 /datasamba/public
[root@svr1 setsamba]# mkdir /datasamba/private ; chmod 770 /datasamba/private
[root@svr1 setsamba]# service smb restart
Shutting down SMB services:                                [FAILED]
Starting SMB services:                                     [  OK  ]
[root@svr1 setsamba]# service nmb restart
Shutting down NMB services:                                [FAILED]
Starting NMB services:                                     [  OK  ]
[root@svr1 setsamba]# chkconfig smb on
[root@svr1 setsamba]# chkconfig nmb on
[root@svr1 setsamba]# smbpasswd -W
Setting stored password for "cn=Manager,dc=tencongty,dc=com" in secrets.tdb
New SMB password:
Retype new SMB password:
[root@svr1 setsamba]# perl /usr/share/doc/smbldap-tools-*/configure.pl
Press Enter 5 times.
At this point:
logon home (press the "." character if you don't want homeDirectory) [\\PDC-SRV\%U] > .    # enter a dot

. logon path: directory where roaming profiles are stored. Ex:'\\PDC-SRV\profiles\%U'
logon path (press the "." character if you don't want roaming profile) [\\PDC-SRV\profiles\%U] > .    # enter a dot

At the 6th and 7th prompts type "." and press Enter; press Enter for everything else.

[root@svr1 setsamba]# smbldap-populate
Populating LDAP directory for domain tencongty.com (S-1-5-21-2348163517-1299168905-597205331)
(using builtin directory structure)

entry dc=tencongty,dc=com already exist.
adding new entry: ou=Users,dc=tencongty,dc=com
adding new entry: ou=Groups,dc=tencongty,dc=com
adding new entry: ou=Computers,dc=tencongty,dc=com
adding new entry: ou=Idmap,dc=tencongty,dc=com
adding new entry: uid=root,ou=Users,dc=tencongty,dc=com
adding new entry: uid=nobody,ou=Users,dc=tencongty,dc=com
adding new entry: cn=Domain Admins,ou=Groups,dc=tencongty,dc=com
adding new entry: cn=Domain Users,ou=Groups,dc=tencongty,dc=com
adding new entry: cn=Domain Guests,ou=Groups,dc=tencongty,dc=com
adding new entry: cn=Domain Computers,ou=Groups,dc=tencongty,dc=com
adding new entry: cn=Administrators,ou=Groups,dc=tencongty,dc=com
adding new entry: cn=Account Operators,ou=Groups,dc=tencongty,dc=com
adding new entry: cn=Print Operators,ou=Groups,dc=tencongty,dc=com
adding new entry: cn=Backup Operators,ou=Groups,dc=tencongty,dc=com
adding new entry: cn=Replicators,ou=Groups,dc=tencongty,dc=com
entry sambaDomainName=tencongty.com,dc=tencongty,dc=com already exist. Updating it...

Please provide a password for the domain root:
Changing UNIX and samba passwords for root
New password:

Retype new password: