Creating SAMBA objects in LDAP. Administration tools: smbldap-tools, JXplorer, LAM

From Manuais Informática - IES San Clemente.

Introduction

  • For our SAMBA domain to work correctly, the domain must be initialised with the users, groups and LDAP objects that SAMBA itself needs in order to store all of its information. We will use smbldap-tools for this.
  • We will also see how to administer SAMBA graphically: JXplorer and LAM.


smbldap-tools

  • smbldap-tools is a set of scripts for managing users and groups stored in the LDAP directory.
  • It can be used both by users and by clients.
  • It allows you to:
    • Add/modify/delete users/groups in LDAP in the same way as with the standard commands (useradd, groupadd, etc.).
    • Users can change their own password and look up their own information.
  • More information can be found at the following link: https://gna.org/projects/smbldap-tools/


  • The commands provided by the utility are shown below (tab completion on the smbldap- prefix):
smbldap-
  smbldap-groupadd   smbldap-groupshow  smbldap-userdel    smbldap-usershow
  smbldap-groupdel   smbldap-passwd     smbldap-userinfo   
  smbldap-grouplist  smbldap-populate   smbldap-userlist   
  smbldap-groupmod   smbldap-useradd    smbldap-usermod   


Initialising the samba domain: inserting the users and groups it needs into ldap

  • To create the users and groups that samba needs inside ldap, the command smbldap-populate is used.
  • Before the utilities can be used, two configuration files of the smbldap-tools package must be set up so that it can reach the data on the LDAP server.
  • First we perform two checks that are recommended at the start of the script itself; they let us confirm that the samba server is running and that the connection to the LDAP server works:
  • Check that the samba server is actually running:
service smbd status
  • And that the machine already has a SID (Windows Security Identifier). Copy this SID:
net getlocalsid
SID for domain DSERVER00 is: S-1-5-21-3472892566-1518861306-3316237868


  • If the checks succeed, we can copy the two files we need to /etc/smbldap-tools and adjust their permissions:
# Decompress one of the configuration files:
zcat /usr/share/doc/smbldap-tools/examples/smbldap.conf.gz >  /etc/smbldap-tools/smbldap.conf

# Copy the other configuration file:
cp /usr/share/doc/smbldap-tools/examples/smbldap_bind.conf /etc/smbldap-tools/ 

# Adjust permissions
chmod 600 /etc/smbldap-tools/smbldap_bind.conf

Configuring the smbldap_bind.conf file

  • This configuration file tells smbldap-tools which user and password to use when connecting to the LDAP server.
  • Adapt lines 10-13 of /etc/smbldap-tools/smbldap_bind.conf to your own circumstances.
  • Because the password is stored in clear text, only root was given read and write permission on the file.
 1 # $Id$
 2 #
 3 ############################
 4 # Credential Configuration #
 5 ############################
 6 # Notes: you can specify two differents configuration if you use a
 7 # master ldap for writing access and a slave ldap server for reading access
 8 # By default, we will use the same DN (so it will work for standard Samba
 9 # release)
10 slaveDN="cn=admin,dc=iescalquera,dc=local"
11 slavePw="abc123."
12 masterDN="cn=admin,dc=iescalquera,dc=local"
13 masterPw="abc123."


Configuring the smbldap.conf file

  • From this file, /etc/smbldap-tools/smbldap.conf, the tools read the data they need to reach the users, groups and machines in ldap.
  • Configure lines 36,41,60,69,80,106,111,116,121,159,165,174,194,205,211,216 as shown.
  • On line 36, take care to set the SID of the reader's own machine.
  • Where four hashes (####) appear, that comment was added by us and the line was active in the original file.
  1 # $Id$
  2 #
  3 # smbldap-tools.conf : Q & D configuration file for smbldap-tools
  4 
  5 #  This code was developped by IDEALX (http://IDEALX.org/) and
  6 #  contributors (their names can be found in the CONTRIBUTORS file).
  7 #
  8 #                 Copyright (C) 2001-2002 IDEALX
  9 #
 10 #  This program is free software; you can redistribute it and/or
 11 #  modify it under the terms of the GNU General Public License
 12 #  as published by the Free Software Foundation; either version 2
 13 #  of the License, or (at your option) any later version.
 14 #
 15 #  This program is distributed in the hope that it will be useful,
 16 #  but WITHOUT ANY WARRANTY; without even the implied warranty of
 17 #  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 18 #  GNU General Public License for more details.
 19 #
 20 #  You should have received a copy of the GNU General Public License
 21 #  along with this program; if not, write to the Free Software
 22 #  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
 23 #  USA.
 24 
 25 #  Purpose :
 26 #       . be the configuration file for all smbldap-tools scripts
 27 
 28 ##############################################################################
 29 #
 30 # General Configuration
 31 #
 32 ##############################################################################
 33 
 34 # Put your own SID. To obtain this number do: "net getlocalsid".
 35 # If not defined, parameter is taking from "net getlocalsid" return
 36 SID="S-1-5-21-3472892566-1518861306-3316237868"
 37 
 38 # Domain name the Samba server is in charged.
 39 # If not defined, parameter is taking from smb.conf configuration file
 40 # Ex: sambaDomain="IDEALX-NT"
 41 sambaDomain="IESCALQUERA"
 42 
 43 ##############################################################################
 44 #
 45 # LDAP Configuration
 46 #
 47 ##############################################################################
 48 
 49 # Notes: to use to dual ldap servers backend for Samba, you must patch
 50 # Samba with the dual-head patch from IDEALX. If not using this patch
 51 # just use the same server for slaveLDAP and masterLDAP.
 52 # Those two servers declarations can also be used when you have 
 53 # . one master LDAP server where all writing operations must be done
 54 # . one slave LDAP server where all reading operations must be done
 55 #   (typically a replication directory)
 56 
 57 # Slave LDAP server
 58 # Ex: slaveLDAP=127.0.0.1
 59 # If not defined, parameter is set to "127.0.0.1"
 60 ####slaveLDAP="ldap.example.com"
 61 
 62 # Slave LDAP port
 63 # If not defined, parameter is set to "389"
 64 slavePort="389"
 65 
 66 # Master LDAP server: needed for write operations
 67 # Ex: masterLDAP=127.0.0.1
 68 # If not defined, parameter is set to "127.0.0.1"
 69 ####masterLDAP="ldap.example.com"
 70 
 71 # Master LDAP port
 72 # If not defined, parameter is set to "389"
 73 #masterPort="389"
 74 masterPort="389"
 75 
 76 # Use TLS for LDAP
 77 # If set to 1, this option will use start_tls for connection
 78 # (you should also used the port 389)
 79 # If not defined, parameter is set to "0"
 80 ####ldapTLS="1"
 81 
 82 # Use SSL for LDAP
 83 # If set to 1, this option will use SSL for connection
 84 # (standard port for ldaps is 636)
 85 # If not defined, parameter is set to "0"
 86 ldapSSL="0"
 87 
 88 # How to verify the server's certificate (none, optional or require)
 89 # see "man Net::LDAP" in start_tls section for more details
 90 verify="require"
 91 
 92 # CA certificate
 93 # see "man Net::LDAP" in start_tls section for more details
 94 cafile="/etc/smbldap-tools/ca.pem"
 95 
 96 # certificate to use to connect to the ldap server
 97 # see "man Net::LDAP" in start_tls section for more details
 98 clientcert="/etc/smbldap-tools/smbldap-tools.example.com.pem"
 99 
100 # key certificate to use to connect to the ldap server
101 # see "man Net::LDAP" in start_tls section for more details
102 clientkey="/etc/smbldap-tools/smbldap-tools.example.com.key"
103 
104 # LDAP Suffix
105 # Ex: suffix=dc=IDEALX,dc=ORG
106 suffix="dc=iescalquera,dc=local"
107 
108 # Where are stored Users
109 # Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
110 # Warning: if 'suffix' is not set here, you must set the full dn for usersdn
111 usersdn="ou=usuarios,${suffix}"
112 
113 # Where are stored Computers
114 # Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
115 # Warning: if 'suffix' is not set here, you must set the full dn for computersdn
116 computersdn="ou=maquinas,${suffix}"
117 
118 # Where are stored Groups
119 # Ex: groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
120 # Warning: if 'suffix' is not set here, you must set the full dn for groupsdn
121 groupsdn="ou=grupos,${suffix}"
122 
123 # Where are stored Idmap entries (used if samba is a domain member server)
124 # Ex: groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
125 # Warning: if 'suffix' is not set here, you must set the full dn for idmapdn
126 idmapdn="ou=Idmap,${suffix}"
127 
128 # Where to store next uidNumber and gidNumber available for new users and groups
129 # If not defined, entries are stored in sambaDomainName object.
130 # Ex: sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
131 # Ex: sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
132 sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
133 
134 # Default scope Used
135 scope="sub"
136 
137 # Unix password hash scheme (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
138 # If set to "exop", use LDAPv3 Password Modify (RFC 3062) extended operation.
139 password_hash="SSHA"
140 
141 # if password_hash is set to CRYPT, you may set a salt format.
142 # default is "%s", but many systems will generate MD5 hashed
143 # passwords if you use "$1$%.8s". This parameter is optional!
144 password_crypt_salt_format="%s"
145 
146 ##############################################################################
147 # 
148 # Unix Accounts Configuration
149 # 
150 ##############################################################################
151 
152 # Login defs
153 # Default Login Shell
154 # Ex: userLoginShell="/bin/bash"
155 userLoginShell="/bin/bash"
156 
157 # Home directory
158 # Ex: userHome="/home/%U"
159 userHome="/home/iescalquera/%U"
160 
161 # Default mode used for user homeDirectory
162 userHomeDirectoryMode="700"
163 
164 # Gecos
165 userGecos="Usuario de IES Calquera"
166 
167 # Default User (POSIX and Samba) GID
168 defaultUserGid="513"
169 
170 # Default Computer (Samba) GID
171 defaultComputerGid="515"
172 
173 # Skel dir
174 skeletonDir="/etc/skel_ubuntu"
175 
176 # Treat shadowAccount object or not
177 shadowAccount="1"
178 
179 # Default password validation time (time in days) Comment the next line if
180 # you don't want password to be enable for defaultMaxPasswordAge days (be
181 # careful to the sambaPwdMustChange attribute's value)
182 defaultMaxPasswordAge="45"
183 
184 ##############################################################################
185 #
186 # SAMBA Configuration
187 #
188 ##############################################################################
189 
190 # The UNC path to home drives location (%U username substitution)
191 # Just set it to a null string if you want to use the smb.conf 'logon home'
192 # directive and/or disable roaming profiles
193 # Ex: userSmbHome="\\PDC-SMB3\%U"
194 userSmbHome="\\dserver00\%U"
195 
196 # The UNC path to profiles locations (%U username substitution)
197 # Just set it to a null string if you want to use the smb.conf 'logon path'
198 # directive and/or disable roaming profiles
199 # Ex: userProfile="\\PDC-SMB3\profiles\%U"
200 ####userProfile="\\PDC-SRV\profiles\%U"
201 
202 # The default Home Drive Letter mapping
203 # (will be automatically mapped at logon time if home directory exist)
204 # Ex: userHomeDrive="H:"
205 userHomeDrive="Z:"
206 
207 # The default user netlogon script name (%U username substitution)
208 # if not used, will be automatically username.cmd
209 # make sure script file is edited under dos
210 # Ex: userScript="startup.cmd" # make sure script file is edited under dos
211 userScript="inicio.bat"
212 
213 # Domain appended to the users "mail"-attribute
214 # when smbldap-useradd -M is used
215 # Ex: mailDomain="idealx.com"
216 mailDomain="iescalquera.local"
217 
218 ##############################################################################
219 #
220 # SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
221 #
222 ##############################################################################
223 
224 # Allows not to use smbpasswd (if with_smbpasswd="0" in smbldap.conf) but
225 # prefer Crypt::SmbHash library
226 with_smbpasswd="0"
227 smbpasswd="/usr/bin/smbpasswd"
228 
229 # Allows not to use slappasswd (if with_slappasswd="0" in smbldap.conf)
230 # but prefer Crypt:: libraries
231 with_slappasswd="0"
232 slappasswd="/usr/sbin/slappasswd"
233 
234 # comment out the following line to get rid of the default banner
235 # no_banner="1"
  • On line 174 we specify that the skeleton files for each user created with smbldap-tools must be copied from /etc/skel_ubuntu.
  • So we copy the skel_ubuntu directory from the scripts directory to /etc.
cp -r /root/scripts/skel_ubuntu /etc/
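The two configuration points that matter most above (the SID on line 36 and the chmod 600 on smbldap_bind.conf) can be checked mechanically. This Python example is added here and is not part of the original page or of smbldap-tools; the `net getlocalsid` output and the smbldap.conf fragment are constructed from the values shown on this page, the password is a placeholder, and the function names are the example's own.

```python
import os
import re
import stat
import tempfile

# Constructed sample of `net getlocalsid` output (the SID shown on this page).
GETLOCALSID_OUTPUT = "SID for domain DSERVER00 is: S-1-5-21-3472892566-1518861306-3316237868\n"

# Constructed fragment of smbldap.conf with the lines the page edits; '####'
# marks lines the page commented out, so ldapTLS falls back to its default of 0.
SMBLDAP_CONF = """\
# Put your own SID. To obtain this number do: "net getlocalsid".
SID="S-1-5-21-3472892566-1518861306-3316237868"
sambaDomain="IESCALQUERA"
####slaveLDAP="ldap.example.com"
####masterLDAP="ldap.example.com"
####ldapTLS="1"
ldapSSL="0"
"""

def parse_getlocalsid(output):
    """Extract this host's SID from `net getlocalsid` output (None if not found)."""
    m = re.search(r"\bis:\s*(S-1-5-21-\d+-\d+-\d+)\s*$", output.strip())
    return m.group(1) if m else None

def parse_conf(text):
    """Active key="value" lines of an smbldap.conf-style file; '#' lines are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'^(\w+)="?(.*?)"?$', line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf

def sid_matches(conf, getlocalsid_output):
    """Line 36 must carry this host's own SID: with a SID copied from another setup,
    every object smbldap-populate creates belongs to a domain this server does not own."""
    local = parse_getlocalsid(getlocalsid_output)
    return local is not None and conf.get("SID") == local

def plaintext_bind_over_network(conf):
    """True when the admin bind password would cross the network unencrypted:
    neither ldapTLS nor ldapSSL is "1" and an LDAP server other than the local
    host is configured (unset servers default to 127.0.0.1, per the file's comments)."""
    encrypted = conf.get("ldapTLS", "0") == "1" or conf.get("ldapSSL", "0") == "1"
    servers = {conf.get("slaveLDAP", "127.0.0.1"), conf.get("masterLDAP", "127.0.0.1")}
    return not encrypted and not servers <= {"127.0.0.1", "localhost"}

def bind_conf_is_private(path):
    """smbldap_bind.conf holds masterPw/slavePw in clear text, hence the page's
    chmod 600: any mode wider than rw------- exposes the LDAP admin password."""
    return stat.S_IMODE(os.stat(path).st_mode) == 0o600

def demo_bind_conf(mode):
    """Write a constructed smbldap_bind.conf (placeholder password) into a temp
    directory with the given mode and report whether it passes the check."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "smbldap_bind.conf")
        with open(path, "w") as f:
            f.write('masterDN="cn=admin,dc=iescalquera,dc=local"\nmasterPw="CHANGEME"\n')
        os.chmod(path, mode)
        return bind_conf_is_private(path)
```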

Creating the SAMBA OUs, groups and users in ldap: smbldap-populate

  • Before doing anything it is advisable to take a backup of the whole LDAP contents, for which we can use the slapcat command:
slapcat -l backup.ldif


  • Now we can run the smbldap-populate command to create the users, groups and LDAP objects the samba domain needs.
smbldap-populate


  • As can be seen in the image, the command creates the organisational units that LDAP needs to store all the samba information, together with the groups that belong to a Windows domain (Domain Admins, Domain Users, etc.).
  • It also creates the root user in LDAP as a samba user, and we will have to assign it a password:

[Image: Platega U910 Server Instalar Samba5.png]


  • In this image, note how the OUs, Groups and Users that the SAMBA service needs are created.
  • Note how, in this image, the OU maquinas is created by this process. In our case it had already been created when we configured LAM.


  • Checks
  • Organisational Units
ldapsearch -x -LLL -s one -b dc=iescalquera,dc=local dn
dn: cn=admin,dc=iescalquera,dc=local
dn: ou=usuarios,dc=iescalquera,dc=local
dn: ou=grupos,dc=iescalquera,dc=local
dn: ou=maquinas,dc=iescalquera,dc=local
dn: sambaDomainName=IESCALQUERA,dc=iescalquera,dc=local
dn: ou=Idmap,dc=iescalquera,dc=local
  • The sambaDomainName object controls, among other things, how the SIDs of Windows objects will be generated and how passwords will be managed.
ldapsearch -x -LLL -b sambaDomainName=IESCALQUERA,dc=iescalquera,dc=local
dn: sambaDomainName=IESCALQUERA,dc=iescalquera,dc=local
sambaAlgorithmicRidBase: 1000
sambaNextUserRid: 1000
sambaMinPwdLength: 5
sambaPwdHistoryLength: 0
sambaLogonToChgPwd: 0
sambaMaxPwdAge: -1
sambaMinPwdAge: 0
sambaLockoutDuration: 30
sambaLockoutObservationWindow: 30
sambaLockoutThreshold: 0
sambaForceLogoff: -1
sambaRefuseMachinePwdChange: 0
gidNumber: 1000
sambaDomainName: IESCALQUERA
sambaSID: S-1-5-21-3472892566-1518861306-3316237868
sambaNextRid: 1000
uidNumber: 1000
objectClass: sambaDomain
objectClass: sambaUnixIdPool


    • Users
ldapsearch -x -LLL -b ou=usuarios,dc=iescalquera,dc=local dn
dn: ou=usuarios,dc=iescalquera,dc=local
dn: ou=profes,ou=usuarios,dc=iescalquera,dc=local
dn: uid=sol,ou=profes,ou=usuarios,dc=iescalquera,dc=local
dn: uid=noe,ou=profes,ou=usuarios,dc=iescalquera,dc=local
dn: ou=alum,ou=usuarios,dc=iescalquera,dc=local
dn: ou=dam1,ou=alum,ou=usuarios,dc=iescalquera,dc=local
dn: ou=dam2,ou=alum,ou=usuarios,dc=iescalquera,dc=local
dn: uid=mon,ou=dam1,ou=alum,ou=usuarios,dc=iescalquera,dc=local
dn: uid=tom,ou=dam1,ou=alum,ou=usuarios,dc=iescalquera,dc=local
dn: uid=pia,ou=dam2,ou=alum,ou=usuarios,dc=iescalquera,dc=local
dn: uid=root,ou=usuarios,dc=iescalquera,dc=local
dn: uid=nobody,ou=usuarios,dc=iescalquera,dc=local
  • Note that we now have two new users: root and nobody.
getent passwd | tail -n 7
  sol:x:10000:10000:"Profe - Sol Lua":/home/iescalquera/profes/sol:/bin/bash
  noe:x:10001:10000:Profe - Noe Ras:/home/iescalquera/profes/noe:/bin/bash
  mon:x:10002:10000:DAM1 Mon Mon:/home/iescalquera/alumnos/dam1/mon:/bin/bash
  tom:x:10003:10000:DAM1 Tom Tom:/home/iescalquera/alumnos/dam1/tom:/bin/bash
  pia:x:10004:10000:DAM2 Pia Fdez:/home/iescalquera/alumnos/dam2/pia:/bin/bash
  root:x:0:0:Netbios Domain Administrator:/home/iescalquera/root:/bin/false
  nobody:x:65534:514:nobody:/nonexistent:/bin/false
  • Note that, for now, the pre-existing ldap users have no attributes from the samba schema.
ldapsearch -x -LLL -b dc=iescalquera,dc=local uid=sol
dn: uid=sol,ou=profes,ou=usuarios,dc=iescalquera,dc=local
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: sol
sn:: TMO6YQ==
cn:: UHJvZmUgLSBTb2wgTMO6YQ==
givenName: Sol
uidNumber: 10000
gidNumber: 10000
loginShell: /bin/bash
mail: sol@iescalquera.local
initials: SL
shadowExpire: -1
gecos: "Profe - Sol Lua"
homeDirectory: /home/iescalquera/profes/sol
  • But the 2 users that were just added do have them. Note how root has a Windows SID.
ldapsearch -x -LLL -b dc=iescalquera,dc=local uid=root
dn: uid=root,ou=usuarios,dc=iescalquera,dc=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: shadowAccount
uid: root
cn: root
sn: root
gidNumber: 0
uidNumber: 0
homeDirectory: /home/iescalquera/root
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaHomePath: \\dserver00\root
sambaHomeDrive: Z:
sambaPrimaryGroupSID: S-1-5-21-3472892566-1518861306-3316237868-512
sambaSID: S-1-5-21-3472892566-1518861306-3316237868-500
loginShell: /bin/false
gecos: Netbios Domain Administrator
sambaLMPassword: B7515DC140629D41AAD3B435B51404EE
sambaAcctFlags: [U]
sambaNTPassword: 3EC585243C919F4217175E1918E07780
sambaPwdLastSet: 1400007291
sambaPwdMustChange: 1403895291
shadowMax: 45


  • Groups
ldapsearch -x -LLL -b ou=grupos,dc=iescalquera,dc=local dn
dn: ou=grupos,dc=iescalquera,dc=local
dn: cn=g-usuarios,ou=grupos,dc=iescalquera,dc=local
dn: cn=g-profes,ou=grupos,dc=iescalquera,dc=local
dn: cn=g-dam1-profes,ou=grupos,dc=iescalquera,dc=local
dn: cn=g-dam2-profes,ou=grupos,dc=iescalquera,dc=local
dn: cn=g-alum,ou=grupos,dc=iescalquera,dc=local
dn: cn=g-dam1-alum,ou=grupos,dc=iescalquera,dc=local
dn: cn=g-dam2-alum,ou=grupos,dc=iescalquera,dc=local
dn: cn=Domain Admins,ou=grupos,dc=iescalquera,dc=local
dn: cn=Domain Users,ou=grupos,dc=iescalquera,dc=local
dn: cn=Domain Guests,ou=grupos,dc=iescalquera,dc=local
dn: cn=Domain Computers,ou=grupos,dc=iescalquera,dc=local
dn: cn=Administrators,ou=grupos,dc=iescalquera,dc=local
dn: cn=Account Operators,ou=grupos,dc=iescalquera,dc=local
dn: cn=Print Operators,ou=grupos,dc=iescalquera,dc=local
dn: cn=Backup Operators,ou=grupos,dc=iescalquera,dc=local
dn: cn=Replicators,ou=grupos,dc=iescalquera,dc=local
  • Note the new groups.
getent group | tail -n 16
  g-usuarios:*:10000:
  g-profes:*:10001:noe,sol
  g-dam1-profes:*:10002:sol
  g-dam2-profes:*:10003:noe,sol
  g-alum:*:10004:tom,mon,pia
  g-dam1-alum:*:10005:tom,mon
  g-dam2-alum:*:10006:pia
  Domain Admins:*:512:root
  Domain Users:*:513:
  Domain Guests:*:514:
  Domain Computers:*:515:
  Administrators:*:544:
  Account Operators:*:548:
  Print Operators:*:550:
  Backup Operators:*:551:
  Replicators:*:552:
  • Note that the groups that already existed in ldap have no attributes from the samba schema.
ldapsearch -x -LLL -b dc=iescalquera,dc=local cn=g-usuarios
dn: cn=g-usuarios,ou=grupos,dc=iescalquera,dc=local
objectClass: posixGroup
cn: g-usuarios
gidNumber: 10000
  • But note that the groups added with smbldap-populate do have attributes from the samba schema:
ldapsearch -x -LLL -b dc=iescalquera,dc=local cn="Domain A*"
dn: cn=Domain Admins,ou=grupos,dc=iescalquera,dc=local
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Domain Admins
gidNumber: 512
memberUid: root
description: Netbios Domain Administrators
sambaSID: S-1-5-21-3472892566-1518861306-3316237868-512
sambaGroupType: 2
displayName: Domain Admins
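The checks above compare entries with and without the samba schema by eye. As an added example that is not part of the original page, the following Python parses ldapsearch -LLL output like that shown (decoding base64 `::` values such as `sn:: TMO6YQ==` and rejoining folded lines), lists the POSIX users and groups that lack sambaSamAccount/sambaGroupMapping, and verifies that every sambaSID hangs off the domain SID. The LDIF sample is constructed from the entries above; the function names are the example's own.

```python
import base64
# Constructed LDIF condensed from the ldapsearch output shown on this page.
SAMPLE_LDIF = """\
dn: uid=sol,ou=profes,ou=usuarios,dc=iescalquera,dc=local
objectClass: posixAccount
uid: sol
sn:: TMO6YQ==
cn:: UHJvZmUgLSBTb2wgTMO6YQ==

dn: uid=root,ou=usuarios,dc=iescalquera,dc=local
objectClass: sambaSamAccount
objectClass: posixAccount
sambaPrimaryGroupSID: S-1-5-21-3472892566-1518861306-3316237868-512
sambaSID: S-1-5-21-3472892566-1518861306-331623786
 8-500

dn: cn=g-usuarios,ou=grupos,dc=iescalquera,dc=local
objectClass: posixGroup
gidNumber: 10000

dn: cn=Domain Admins,ou=grupos,dc=iescalquera,dc=local
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
sambaSID: S-1-5-21-3472892566-1518861306-3316237868-512
"""

DOMAIN_SID = "S-1-5-21-3472892566-1518861306-3316237868"

def parse_ldif(text):
    """ldapsearch -LLL output -> list of {attribute: [values]} dicts."""
    entries, current = [], []
    for raw in text.splitlines() + [""]:      # sentinel flushes the last entry
        if raw.startswith(" ") and current:   # LDIF fold: rejoin with previous line
            current[-1] += raw[1:]
        elif raw:
            current.append(raw)
        elif current:
            entries.append(_entry(current))
            current = []
    return entries

def _entry(lines):
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        if value.startswith(":"):             # 'attr:: xxx' is a base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        entry.setdefault(attr, []).append(value)
    return entry

def missing_class(entries, have, lack):
    """DNs with objectClass `have` but not `lack`: POSIX users without sambaSamAccount
    exist in LDAP but cannot log on to the samba domain."""
    return [e["dn"][0] for e in entries
            if have in e["objectClass"] and lack not in e["objectClass"]]

def rid(sid):
    """Relative identifier, the last SID component (500 = Administrator, 512 = Domain Admins)."""
    return int(sid.rsplit("-", 1)[1])

def sid_consistent(entry, domain_sid):
    """Every samba SID on the entry must be a RID under our own domain SID."""
    sids = entry.get("sambaSID", []) + entry.get("sambaPrimaryGroupSID", [])
    return bool(sids) and all(s.rsplit("-", 1)[0] == domain_sid for s in sids)
```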

JXplorer

  • From the JXplorer tool we can administer the users, groups and OUs in ldap.
  • We can see the new objects created with smbldap-populate.

[Image: Dl 2014 jxplorer 10.jpeg]

Ldap Account Manager: LAM

  • To administer the SAMBA attributes of objects from LAM, we need to configure the LAM modules before we start administering ldap.
  • Then, in the next section, we will administer the users and groups.

-- Antonio de Andrés Lema and Carlos Carrión Álvarez