Sunday, June 9, 2013

PDC cho CENTOS 6.4

I. cài đặt openldap server
#yum -y install openldap-servers openldap-clents
[root@svr1 Desktop]# vi /etc/sysconfig/ldap
 10 # Run slapd with -h "... ldapi:/// ..."
  11 #   yes/no, default: yes
  12 SLAPD_LDAPI=yes

[root@svr1 Desktop]#  vi /etc/openldap/slapd.conf
Create new:
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
[root@svr1 Desktop]# rm -rf /etc/openldap/slapd.d/*
[root@svr1 Desktop]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
config file testing succeeded
[root@svr1 Desktop]#  vi /etc/openldap/slapd.d/cn=config/olcDatabase\={0}config.ldif
Line 4: change:
olcAccess: {0}to *  by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
[root@svr1 Desktop]# vi /etc/openldap/slapd.d/cn=config/olcDatabase\={1}monitor.ldif
create new:
dn: olcDatabase={1}monitor
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor
olcAccess: {1}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcMonitoring: FALSE
structuralObjectClass: olcDatabaseConfig
creatorsName: cn=config
modifiersName: cn=config
[root@svr1 Desktop]# chown -R ldap. /etc/openldap/slapd.d
[root@svr1 Desktop]# chmod -R 700 /etc/openldap/slapd.d
[root@svr1 Desktop]# service slapd start
Starting slapd:                                            [  OK  ]
[root@svr1 Desktop]# chkconfig slapd on
[root@svr1 Desktop]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/core.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=core,cn=schema,cn=config"

[root@svr1 Desktop]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"

[root@svr1 Desktop]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
 [root@svr1 Desktop]# slappasswd
New password:
Re-enter new password:
{SSHA}S6ZIGyr9HJoY2Pdq32Vhuh/uLKEaEdvP
[root@svr1 Desktop]# mkdir /tmp/setldap ; cd /tmp/setldap
[root@svr1 setldap]# vi backend.ldif
create:
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib64/openldap
olcModuleload: back_hdb

dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcSuffix: dc=tencongty,dc=com
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=Manager,dc=tencongty,dc=com
olcRootPW: {SSHA}S6ZIGyr9HJoY2Pdq32Vhuh/uLKEaEdvP
olcDbConfig: set_cachesize 0 2097152 0
olcDbConfig: set_lk_max_objects 1500
olcDbConfig: set_lk_max_locks 1500
olcDbConfig: set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcLastMod: TRUE
olcMonitoring: TRUE
olcDbCheckpoint: 512 30
olcAccess: to attrs=userPassword by dn=”cn=Manager,dc=tencongty,dc=com” write by anonymous auth by self write by * none
olcAccess: to attrs=shadowLastChange by self write by * read
olcAccess: to dn.base=”" by * read
olcAccess: to * by dn=”cn=Manager,dc=tencongty,dc=com” write by * read
[root@svr1 setldap]# ldapadd -Y EXTERNAL -H ldapi:/// -f backend.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=module,cn=config"

adding new entry "olcDatabase=hdb,cn=config"
ldap_add: Other (e.g., implementation specific) error (80)
            additional info: <olcAccess> handler exited with 1
nếu ở đây bị lỗi thì vui lòng kiểm tra lại dấu(“) khi copy
 nếu đúng thì nó giống như dòng dưới đây:
[root@svr1 setldap]# ldapadd -Y EXTERNAL -H ldapi:/// -f backend.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=module,cn=config"

adding new entry "olcDatabase=hdb,cn=config"


[root@svr1 setldap]# vi frontend.ldif
dn: dc=tencongty,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: tencongty.com
dc: tencongty

dn: cn=Manager,dc=tencongty,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: Manager
userPassword: {SSHA}S6ZIGyr9HJoY2Pdq32Vhuh/uLKEaEdvP

dn: ou=people,dc=tencongty,dc=com
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=tencongty,dc=com
objectClass: organizationalUnit
ou: groups

[root@svr1 setldap]# ldapadd -x -D cn=Manager,dc=tencongty,dc=com -W -f frontend.ldif
Enter LDAP Password:
adding new entry “dc=ttencongty,dc=coml”
adding new entry “cn=Manager,dc=tencongty,dc=com”
adding new entry “ou=people,dc=tencongty,dc=com”
adding new entry “ou=groups,dc=tencongty,dc=com”
vi ldapuser.sh
# extract local users who have 500-999 digit UID
# replace "SUFFIX=***" to your own suffix
# this is an example

 
#!/bin/bash

SUFFIX='dc=tencongty,dc=com'
LDIF='ldapuser.ldif'

echo -n > $LDIF
for line in `grep "x:[5-9][0-9][0-9]:" /etc/passwd | sed -e "s/ /%/g"`
do
   UID1=`echo $line | cut -d: -f1`
   NAME=`echo $line | cut -d: -f5 | cut -d, -f1`
   if [ ! "$NAME" ]
   then
      NAME=$UID1
   else
      NAME=`echo $NAME | sed -e "s/%/ /g"`
   fi
   SN=`echo $NAME | awk '{print $2}'`
   if [ ! "$SN" ]
   then
      SN=$NAME
   fi
   GIVEN=`echo $NAME | awk '{print $1}'`
   UID2=`echo $line | cut -d: -f3`
   GID=`echo $line | cut -d: -f4`
   PASS=`grep $UID1: /etc/shadow | cut -d: -f2`
   SHELL=`echo $line | cut -d: -f7`
   HOME=`echo $line | cut -d: -f6`
   EXPIRE=`passwd -S $UID1 | awk '{print $7}'`
   FLAG=`grep $UID1: /etc/shadow | cut -d: -f9`
   if [ ! "$FLAG" ]
   then
      FLAG="0"
   fi
   WARN=`passwd -S $UID1 | awk '{print $6}'`
   MIN=`passwd -S $UID1 | awk '{print $4}'`
   MAX=`passwd -S $UID1 | awk '{print $5}'`
   LAST=`grep $UID1: /etc/shadow | cut -d: -f3`

   echo "dn: uid=$UID1,ou=people,$SUFFIX" >> $LDIF
   echo "objectClass: inetOrgPerson" >> $LDIF
   echo "objectClass: posixAccount" >> $LDIF
   echo "objectClass: shadowAccount" >> $LDIF
   echo "uid: $UID1" >> $LDIF
   echo "sn: $SN" >> $LDIF
   echo "givenName: $GIVEN" >> $LDIF
   echo "cn: $NAME" >> $LDIF
   echo "displayName: $NAME" >> $LDIF
   echo "uidNumber: $UID2" >> $LDIF
   echo "gidNumber: $GID" >> $LDIF
   echo "userPassword: {crypt}$PASS" >> $LDIF
   echo "gecos: $NAME" >> $LDIF
   echo "loginShell: $SHELL" >> $LDIF
   echo "homeDirectory: $HOME" >> $LDIF
   echo "shadowExpire: $EXPIRE" >> $LDIF
   echo "shadowFlag: $FLAG" >> $LDIF
   echo "shadowWarning: $WARN" >> $LDIF
   echo "shadowMin: $MIN" >> $LDIF
   echo "shadowMax: $MAX" >> $LDIF
   echo "shadowLastChange: $LAST" >> $LDIF
   echo >> $LDIF 
done
[root@svr1 setldap]# ldapadd -x -D cn=Manager,dc=tencongty,dc=com -W -f ldapuser.ldif[root@svr1 setldap]# sh ldapuser.sh
Enter LDAP Password:
[root@svr1 setldap]# vi ldapgroup.sh
# extract local groups who have 500-999 digit UID
# replace "SUFFIX=***" to your own suffix
# this is an example
#!/bin/bash
SUFFIX='dc=tencongty,dc=com'
LDIF='ldapgroup.ldif'

echo -n > $LDIF
for line in `grep "x:[5-9][0-9][0-9]:" /etc/group`
do
   CN=`echo $line | cut -d: -f1`
   GID=`echo $line | cut -d: -f3`
   echo "dn: cn=$CN,ou=groups,$SUFFIX" >> $LDIF
   echo "objectClass: posixGroup" >> $LDIF
   echo "cn: $CN" >> $LDIF
   echo "gidNumber: $GID" >> $LDIF
   users=`echo $line | cut -d: -f4 | sed "s/,/ /g"`
   for user in ${users} ; do
      echo "memberUid: ${user}" >> $LDIF
   done
   echo >> $LDIF
done

[root@svr1 setldap]# sh ldapgroup.sh
[root@svr1 setldap]# ldapadd -x -D cn=Manager,dc=tencongty,dc=com -W -f ldapgroup.ldif
Enter LDAP Password:
II. Cài LDAP client
[root@svr1 Desktop]# yum -y install openldap-clients nss-pam-ldapd
[root@svr1 Desktop]# vi /etc/openldap/ldap.conf
#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never
BASE    dc=tencongty,dc=com
URI     ldap://10.0.0.2/
TLS_CACERTDIR   /etc/openldap/certs
[root@svr1 Desktop]# vi /etc/nslcd.conf
line131 uri ldap://10.0.0.2/
line132 base dc=tencongty,dc=com
ssl no
tls_cacertdir /etc/openldap/cacerts

[root@svr1 Desktop]# vi /etc/pam_ldap.conf
line 17 host 127.0.0.1
line 20 base dc=tencongty,dc=com
add line last line:
    uri ldap://10.0.0.2/
     ssl no
     tls_cacertdir /etc/openldap/cacerts
     pam_password md5
  
[root@svr1 Desktop]# vi /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
# add if you need ( create home directory automatically if it’s none )
session optional pam_mkhomedir.so skel=/etc/skel umask=077
Xanh là những dòng cộng thêm
# vi /etc/nsswitch.conf
Line 33: add:
passwd:     files       ldap
shadow:     files       ldap
group:      files       ldap
57 netgroup:   ldap
61 automount:  files ldap
# vi /etc/sysconfig/authconfig
line 21
 21 USELDAP=yes
# chkconfig nslcd on
# shutdown -r now
[root@svr1 Desktop]# chkconfig nslcd on
III. Cài SAMBA kết hợp LDAP làm PDC
[root@svr1 Desktop]# mkdir /tmp/setsamba
[root@svr1 Desktop]# cd /tmp/setsamba
Chép repo từ đây về
http://mirror.centos.org/centos/6.4/os/x86_64/Packages/
[root@svr1 setsamba]# rpm2cpio samba-3.6.9-151.el6.x86_64.rpm | cpio -id
36381 blocks
[root@svr1 setsamba]# cp ./etc/openldap/schema/samba.schema /etc/openldap/schema/
cp: overwrite `/etc/openldap/schema/samba.schema'? y
[root@svr1 setsamba]# vi schema_convert.conf
Create new:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/collective.schema
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/samba.schema

[root@svr1 setsamba]# mkdir /tmp/setsamba/ldif_output
[root@svr1 setsamba]# slapcat -f schema_convert.conf -F /tmp/setsamba/ldif_output -n0 -s "cn={12}samba,cn=schema,cn=config" > ./cn=samba.ldif


[root@svr1 setsamba]# vim cn=samba.ldif
line 1-->3 remove {12}
dn: cn=samba,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: samba
#remove  line
218 structuralObjectClass: olcSchemaConfig
219 entryUUID: 9e8376fc-587b-1032-93a7-6de09d69b351
220 creatorsName: cn=config
221 createTimestamp: 20130524050747Z
222 entryCSN: 20130524050747.408358Z#000000#000#000000
223 modifiersName: cn=config
224 modifyTimestamp: 20130524050747Z



[root@svr1 setsamba]# ldapadd -Y EXTERNAL -H ldapi:/// -f cn=samba.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=samba,cn=schema,cn=config"
[root@svr1 setsamba]# vi samba_indexes.ldif
create new:
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: loginShell eq
olcDbIndex: uid eq,pres,sub
olcDbIndex: memberUid eq,pres,sub
olcDbIndex: uniqueMember eq,pres
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaGroupType eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sambaDomainName eq
olcDbIndex: default sub
~                      
[root@svr1 setsamba]# ldapmodify -Y EXTERNAL -H ldapi:/// -f samba_indexes.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}hdb,cn=config

trước khi chạy lệnh này phải cài cái repo 6.8 trước
#yum --enablerepo=epel -y install smbldap-tools
[root@svr1 setsamba]# mv /etc/samba/smb.conf /etc/samba/smb.conf.bak
[root@svr1 setsamba]# cp /usr/share/doc/smbldap-tools-0.9.6/smb.conf /etc/samba/smb.conf
[root@svr1 setsamba]# vi /etc/samba/smb.conf
# Global parameters
[global]
workgroup = TENCONGTY.COM 
netbios name = SRV-PDC
security = user
enable privileges = yes
#interfaces = 192.168.5.11
#username map = /etc/samba/smbusers
server string = Samba Server %v
#security = ads
encrypt passwords = Yes
min passwd length = 3
#pam password change = no
#obey pam restrictions = No
# method 1:
#unix password sync = no
#ldap passwd sync = yes
# method 2:
unix password sync = yes
ldap passwd sync = yes
passwd program = /usr/sbin/smbldap-passwd -u “%u”
passwd chat = “Changing *\nNew password*” %n\n “*Retype new password*” %n\n”
log level = 0
syslog = 0
log file = /var/log/samba/log.%U
max log size = 100000
time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
mangling method = hash2
Dos charset = CP932
Unix charset = UTF-8
logon script = logon.bat
logon drive = W:
logon home =
logon path =
domain logons = Yes
domain master = Yes
os level = 65
preferred master = Yes
wins support = yes
# passdb backend = ldapsam:”ldap://ldap1.company.com ldap://ldap2.company.com”
passdb backend = ldapsam:ldap://10.0.0.2/
ldap admin dn = cn=Manager,dc=tencongty,dc=com
#ldap admin dn = cn=samba,ou=DSA,dc=company,dc=com
ldap suffix = dc=tencongty,dc=com
ldap group suffix = ou=groups
ldap user suffix = ou=people
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Idmap
add user script = /usr/sbin/smbldap-useradd -m “%u”
#ldap delete dn = Yes
delete user script = /usr/sbin/smbldap-userdel “%u”
add machine script = /usr/sbin/smbldap-useradd -t 0 -w “%u”
add group script = /usr/sbin/smbldap-groupadd -p “%g”
delete group script = /usr/sbin/smbldap-groupdel “%g”
add user to group script = /usr/sbin/smbldap-groupmod -m “%u” “%g”
delete user from group script = /usr/sbin/smbldap-groupmod -x “%u” “%g”
set primary group script = /usr/sbin/smbldap-usermod -g ‘%g’ ‘%u’
admin users = root
ldap ssl = no
# printers configuration
#printer admin = @”Print Operators”
load printers = Yes
create mask = 0640
directory mask = 0750
#force create mode = 0640
#force directory mode = 0750
nt acl support = No
printing = cups
printcap name = cups
deadtime = 10
guest account = nobody
map to guest = Bad User
dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
show add printer wizard = yes
; to maintain capital letters in shortcuts in any of the profile folders:
preserve case = yes
short preserve case = yes
case sensitive = no
[netlogon]
path = /home/netlogon/
browseable = No
read only = yes
[profiles]
path = /home/profiles
read only = no
create mask = 0600
directory mask = 0700
browseable = No
guest ok = Yes
profile acls = yes
csc policy = disable
# next line is a great way to secure the profiles
#force user = %U
# next line allows administrator to access all profiles
#valid users = %U “Domain Admins”
[printers]
comment = Network Printers
#printer admin = @”Print Operators”
guest ok = yes
printable = yes
path = /home/spool/
browseable = No
read only = Yes
printable = Yes
print command = /usr/bin/lpr -P%p -r %s
lpq command = /usr/bin/lpq -P%p
lprm command = /usr/bin/lprm -P%p %j
# print command = /usr/bin/lpr -U%U@%M -P%p -r %s
# lpq command = /usr/bin/lpq -U%U@%M -P%p
# lprm command = /usr/bin/lprm -U%U@%M -P%p %j
# lppause command = /usr/sbin/lpc -U%U@%M hold %p %j
# lpresume command = /usr/sbin/lpc -U%U@%M release %p %j
# queuepause command = /usr/sbin/lpc -U%U@%M stop %p
# queueresume command = /usr/sbin/lpc -U%U@%M start %p
[print$]
path = /home/printers
guest ok = No
browseable = Yes
read only = Yes
valid users = @”Print Operators”
write list = @”Print Operators”
create mask = 0664
directory mask = 0775
[public]
path = /datasamba/public
guest ok = yes
browseable = Yes
writable = yes
force create mode = 0775
force directory mode = 0775
[private]
path = /datasamba/private
guest ok = yes
browseable = Yes
writable = yes
force create mode = 0770
force directory mode = 0770

[root@svr1 setsamba]# mkdir /datasamba
[root@svr1 setsamba]# mkdir /datasamba/public ;chmod 777 /datasamba/public

[root@svr1 setsamba]# mkdir /datasamba/private ;chmod 770 /datasamba/public
Shutting down SMB services:                                [FAILED]
Starting SMB services:                                     [  OK  ]
[root@svr1 setsamba]# service nmb restart
Shutting down NMB services:                                [FAILED]
Starting NMB services:                                     [  OK  ]
[root@svr1 setsamba]# chkconfig smb on
[root@svr1 setsamba]# chkconfig nmb on
[root@svr1 setsamba]# smbpasswd -W
Setting stored password for "cn=Manager,dc=tencongty,dc=com" in secrets.tdb
New SMB password:
Retype new SMB password:
[root@svr1 setsamba]# perl /usr/share/doc/smbldap-tools-*/configure.pl
Enter  5 lần
Tới đây:
logon home (press the "." character if you don't want homeDirectory) [\\PDC-SRV\%U] > .
.
 
# nhập dấu chấm

. logon path: directory where roaming profiles are stored. Ex:'\\PDC-SRV\profiles\%U'
logon path (press the "." character if you don't want roaming profile) [\\PDC-SRV\profiles\%U] >.
.
 
# nhập dấu chấm

Tới lần 6 và 7 thì thêm dấu “.” Và enter
Còn lại thì enter hết

[root@svr1 setsamba]# smbldap-populate
Populating LDAP directory for domain tencongty.com (S-1-5-21-2348163517-1299168905-597205331)
(using builtin directory structure)

entry dc=tencongty,dc=com already exist.
adding new entry: ou=Users,dc=tencongty,dc=com
adding new entry: ou=Groups,dc=tencongty,dc=com
adding new entry: ou=Computers,dc=tencongty,dc=com
adding new entry: ou=Idmap,dc=tencongty,dc=com
adding new entry: uid=root,ou=Users,dc=tencongty,dc=com
adding new entry: uid=nobody,ou=Users,dc=tencongty,dc=com
adding new entry: cn=Domain Admins,ou=Groups,dc=tencongty,dc=com
adding new entry: cn=Domain Users,ou=Groups,dc=tencongty,dc=com
adding new entry: cn=Domain Guests,ou=Groups,dc=tencongty,dc=com
adding new entry: cn=Domain Computers,ou=Groups,dc=tencongty,dc=com
adding new entry: cn=Administrators,ou=Groups,dc=tencongty,dc=com
adding new entry: cn=Account Operators,ou=Groups,dc=tencongty,dc=com
adding new entry: cn=Print Operators,ou=Groups,dc=tencongty,dc=com
adding new entry: cn=Backup Operators,ou=Groups,dc=tencongty,dc=com
adding new entry: cn=Replicators,ou=Groups,dc=tencongty,dc=com
entry sambaDomainName=tencongty.com,dc=tencongty,dc=com already exist. Updating it...

Please provide a password for the domain root:
Changing UNIX and samba passwords for root
New password:

Retype new password: 

Được đăng bởi vào lúc

14 comments:

  1. REDNovember 20, 2013 at 7:05 AM

    sao mình làm như bạn mà khi user đăng nhập k có ổ đĩa ánh xạ nhĩ.
    giúp mình với tks

    ReplyDelete
  2. Steven TechNovember 21, 2013 at 10:26 PM

    bạn xem file log nó báo gì ? bạn chạy lệnh này có được không smbldap-populate

    ReplyDelete
  3. REDNovember 24, 2013 at 1:29 AM

    hi.mình làm đc rồi nhưng mà:
    có phải tạo thêm file logon.bat ở trong folder netlogon. mình làm thế thì đc nhưng mà k ghi đc :D. (file logon.bat: net use H: "\\isp.vn\%U")
    rồi mình roaming profiles cũng k đc luôn
    bạn chỉ giúp với, mình làm gần tuần rồi mà cứ đến cái đoạn phân quyền, roaming, user cái thì đăng nhập đc cái thì k. còn làm mấy cái ứng dụng chứng thực ldap nữa. mong bạn giúp đỡ

    ReplyDelete
  4. REDNovember 24, 2013 at 1:30 AM

    file cấu hình smb.conf:

    # Samba config file created using SWAT
    # from UNKNOWN (172.16.0.10)
    # Date: 2013/11/24 00:28:02

    [global]
    dos charset = CP932
    workgroup = ISP.VN
    netbios name = PDC-SRV
    server string = Samba Server %v
    map to guest = Bad User
    passdb backend = ldapsam:ldap://172.16.0.10/
    passwd program = /usr/sbin/smbldap-passwd -u "%u"
    passwd chat = "Changing *\nNew password*" %n\n "*Retype new password*" %n\n"
    unix password sync = Yes
    syslog = 0
    log file = /var/log/samba/log.%U
    max log size = 100000
    time server = Yes
    deadtime = 10
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    printcap name = cups
    add user script = /usr/sbin/smbldap-useradd -m "%u"
    delete user script = /usr/sbin/smbldap-userdel "%u"
    add group script = /usr/sbin/smbldap-groupadd -p "%g"
    delete group script = /usr/sbin/smbldap-groupdel "%g"
    add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
    delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
    set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
    add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
    logon script = logon.bat
    logon path = \\%L\profiles\%U
    logon drive = H:
    logon home = \\%L\%U
    domain logons = Yes
    os level = 65
    preferred master = Yes
    domain master = Yes
    wins support = Yes
    ldap admin dn = cn=admin,dc=isp,dc=vn
    ldap group suffix = ou=groups
    ldap machine suffix = ou=Computers
    ldap passwd sync = yes
    ldap suffix = dc=isp,dc=vn
    ldap user suffix = ou=people
    idmap config * : range =
    idmap config * : backend = tdb
    admin users = root
    create mask = 0640
    directory mask = 0750
    nt acl support = No
    case sensitive = No
    dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd

    [netlogon]
    path = /home/netlogon/
    browseable = No

    [profiles]
    path = /home/profiles
    valid users = %U
    force user = %U
    read only = No
    create mask = 0600
    directory mask = 0700
    guest ok = Yes
    profile acls = Yes
    browseable = No
    csc policy = disable

    [homes]
    comment = Home Directory
    valid users = %U
    read only = No
    create mask = 01770
    directory mask = 01770
    browseable = No

    [prints]
    comment = Network Printers
    path = /home/printers
    valid users = "@Print Operators"
    write list = "@Print Operators"
    read only = No
    create mask = 0664
    directory mask = 0775
    guest ok = Yes
    printable = Yes
    print ok = Yes

    [data]
    comment = du lieu dung chung
    path = /home/data
    read only = No
    create mask = 0644
    directory mask = 0775
    guest ok = Yes

    [giamdoc]
    path = /home/giamdoc
    valid users = @giamdoc
    read only = No
    create mask = 0770
    directory mask = 0770

    [ketoan]
    path = /home/ketoan
    valid users = @ketoan
    read only = No
    create mask = 0770
    directory mask = 0770

    [kinhdoanh]
    path = /home/kinhdoanh
    valid users = @kinhdoanh
    read only = No
    create mask = 0770
    directory mask = 0770

    ReplyDelete
  5. Steven TechNovember 24, 2013 at 6:23 AM

    bạn tạo cái này chưa ?

    mkdir /home/profiles
    chmod 777 /home/profiles


    ReplyDelete
  6. REDNovember 24, 2013 at 4:53 PM

    mình làm đc rồi. nhưng mỗi cái profile là k đc với mấy cái thư mục chia sẽ k cái nào ghi đc, làm cả chown cho thư mục đó mà k đc. để mình cấu hình lại samba thử xem

    ReplyDelete
  7. REDNovember 24, 2013 at 6:48 PM

    có phải lỗi roaming là ở đây k bạn
    logon home (press the "." character if you don't want homeDirectory) [\\PDC-SRV\%U] > .
    .

    # nhập dấu chấm

    . logon path: directory where roaming profiles are stored. Ex:'\\PDC-SRV\profiles\%U'
    logon path (press the "." character if you don't want roaming profile) [\\PDC-SRV\profiles\%U] >.
    .

    # nhập dấu chấm

    ReplyDelete
  8. UnknownDecember 4, 2013 at 4:44 AM

    erreur LDAP: Can't contact master ldap server for writing (IO::Socket::INET: connect: timeout) at /usr/share/perl5/vendor_perl/smbldap_tools.pm line 326.

    Con` loi^~ nay` la sao ha ban?

    ReplyDelete
    Replies
    1. Steven TechFebruary 19, 2014 at 7:25 PM

      Lỗi của bạn là không kết nối tới LDAP server, bạn thử kiểm tra lại IP tables và SE linux nhớ tất, nếu làm trên 2 máy thì phải coi 2 máy kết nối được chưa
      ^_^

      Delete
  9. UnknownApril 26, 2014 at 8:29 PM

    Bạn ơi help mình khúc này với

    Khi mình tạo ldapuser.sh

    mình thực thi đoạn bash này thì báo lỗi

    syntax error near unexpected token `
    line 8

    Mong mong được câu trả lời của bạn

    ReplyDelete
  10. Steven TechApril 27, 2014 at 6:20 AM

    dưới là file ldapuser.sh bạn chạy lại lệnh nhé " lỗi báo bạn sai cú pháp lệnh thôi" nếu không làm được gọi điện cho mình ^_^. nếu có thời gian mình sẽ giúp


    # extract local users who have 500-999 digit UID
    # replace "SUFFIX=***" to your own suffix
    # this is an example
    #!/bin/bash

    SUFFIX='dc=tencongty,dc=com'
    LDIF='ldapuser.ldif'

    echo -n > $LDIF
    for line in `grep "x:[5-9][0-9][0-9]:" /etc/passwd | sed -e "s/ /%/g"`
    do
    UID1=`echo $line | cut -d: -f1`
    NAME=`echo $line | cut -d: -f5 | cut -d, -f1`
    if [ ! "$NAME" ]
    then
    NAME=$UID1
    else
    NAME=`echo $NAME | sed -e "s/%/ /g"`
    fi
    SN=`echo $NAME | awk '{print $2}'`
    if [ ! "$SN" ]
    then
    SN=$NAME
    fi
    GIVEN=`echo $NAME | awk '{print $1}'`
    UID2=`echo $line | cut -d: -f3`
    GID=`echo $line | cut -d: -f4`
    PASS=`grep $UID1: /etc/shadow | cut -d: -f2`
    SHELL=`echo $line | cut -d: -f7`
    HOME=`echo $line | cut -d: -f6`
    EXPIRE=`passwd -S $UID1 | awk '{print $7}'`
    FLAG=`grep $UID1: /etc/shadow | cut -d: -f9`
    if [ ! "$FLAG" ]
    then
    FLAG="0"
    fi
    WARN=`passwd -S $UID1 | awk '{print $6}'`
    MIN=`passwd -S $UID1 | awk '{print $4}'`
    MAX=`passwd -S $UID1 | awk '{print $5}'`
    LAST=`grep $UID1: /etc/shadow | cut -d: -f3`

    echo "dn: uid=$UID1,ou=people,$SUFFIX" >> $LDIF
    echo "objectClass: inetOrgPerson" >> $LDIF
    echo "objectClass: posixAccount" >> $LDIF
    echo "objectClass: shadowAccount" >> $LDIF
    echo "uid: $UID1" >> $LDIF
    echo "sn: $SN" >> $LDIF
    echo "givenName: $GIVEN" >> $LDIF
    echo "cn: $NAME" >> $LDIF
    echo "displayName: $NAME" >> $LDIF
    echo "uidNumber: $UID2" >> $LDIF
    echo "gidNumber: $GID" >> $LDIF
    echo "userPassword: {crypt}$PASS" >> $LDIF
    echo "gecos: $NAME" >> $LDIF
    echo "loginShell: $SHELL" >> $LDIF
    echo "homeDirectory: $HOME" >> $LDIF
    echo "shadowExpire: $EXPIRE" >> $LDIF
    echo "shadowFlag: $FLAG" >> $LDIF
    echo "shadowWarning: $WARN" >> $LDIF
    echo "shadowMin: $MIN" >> $LDIF
    echo "shadowMax: $MAX" >> $LDIF
    echo "shadowLastChange: $LAST" >> $LDIF
    echo >> $LDIF
    done

    ReplyDelete
    Replies
    1. UnknownApril 27, 2014 at 11:32 PM

      Cám ơn bạn đã reply , mình copy y chang đoạn code bạn đưa cho mình

      Nhưng mà nó vẫn báo lỗi syntax error dấu `

      Khúc mà giữa for line in grep và do

      Delete
  11. Nguyễn Ngọc LiệuNovember 21, 2014 at 1:45 AM

    vậy là sau khi thực thi lênh smbldap-populate thành công thì làm sao để join domain bạn,có phải là tạo account domain thông qua lênh smbldap-useradd -a -m -c "username" username

    ReplyDelete
  12. Nguyễn Ngọc LiệuNovember 24, 2014 at 12:23 AM

    minh gap phai loi nay
    [root@master setsamba]# ldapmodify -Y EXTERNAL -H ldapi:/// -f samba_indexes.ldif
    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    modifying entry "olcDatabase={2}hdb,cn=config"
    ldap_modify: Other (e.g., implementation specific) error (80)
    additional info: index attribute "sambaSID" undefined

    ReplyDelete

Subscribe to: Post Comments (Atom)