Instalação SAMBA + OpenLDAP + PAM – Debian 5.0

4 06 2010

# Pacote de ferramentas básicas para instalação:

aptitude update
aptitude safe-upgrade
aptitude install build-essential vim openssh-server \
nmap htop rcconf

# Instalar OpenSSL

aptitude install openssl libssl0.9.8

# Instalar Berkeley DB

aptitude install db4.2-util

# Instalar Cyrus-SASL

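# Cyrus SASL packages (daemon, library, generic modules and the LDAP module).
# The continuation must be a bare backslash at end of line: the original had a
# trailing space after it, which escapes the space instead of the newline, so
# "libsasl2-modules-ldap" would run as a separate (failing) command.
aptitude install sasl2-bin libsasl2-2 libsasl2-modules \
  libsasl2-modules-ldap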

# Editar arquivo /etc/default/saslauthd para iniciar Cyrus-SASL com o sistema

vim /etc/default/saslauthd
# Should saslauthd run automatically on startup? (default: no)
START=yes

# Instalar OpenLDAP

aptitude install slapd ldap-utils

# Criar senha criptografada de acesso a base OpenLDAP

slappasswd
* Após digitar a senha, copie o hash gerado para o campo “rootpw” do arquivo
/etc/ldap/slapd.conf, conforme o exemplo abaixo.

# Editar arquivo /etc/ldap/slapd.conf

cp -v /etc/ldap/slapd.conf /etc/ldap/slapd.conf.original

vim /etc/ldap/slapd.conf

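# Protocol version: additionally accept LDAPv2 binds. Only needed for legacy
# LDAPv2 clients; LDAPv3 clients do not require it.
allow bind_v2

# Schemas
include      /etc/ldap/schema/core.schema
include      /etc/ldap/schema/cosine.schema
include      /etc/ldap/schema/nis.schema
include      /etc/ldap/schema/inetorgperson.schema

# Process control files.
# (The "# Modulos" comment was fused onto the argsfile line; slapd.conf only
# recognises '#' at the start of a line, so the path would have ended in "#".)
pidfile      /var/run/slapd/slapd.pid
argsfile     /var/run/slapd/slapd.args

# Modules
modulepath   /usr/lib/ldap

# Backend-specific parameters
backend      bdb

# Database
database     bdb

# Directory tree and administrator.
# rootdn is never subject to access controls; rootpw is the hash printed by
# slappasswd (the value below is the guide's example — replace it with yours).
suffix       "dc=app,dc=com,dc=br"
rootdn       "cn=admin,dc=app,dc=com,dc=br"
# The hash must be the only token after rootpw: a trailing "# Hash" on the
# same line is not a comment in slapd.conf.
rootpw       {SSHA}Cs3SnIQuiBi2F9f7a+NEvI3tVKSpegPt

# Data storage location
directory    "/var/lib/ldap"

# Search indexes
index   objectClass                                     eq
index   cn,sn                                           eq,sub,approx
index   uid,uidNumber,gidNumber,memberUid,loginShell    eq
index   default                                         eq,sub
# Samba attribute indexes: keep commented until samba.schema is included
# (done later in this guide); indexing attributes no loaded schema defines
# is rejected when slapd reads its configuration.
#index  sambaSID                                        eq
#index  sambaPrimaryGroupSID                            eq
#index  SambaDomainName                                 eq

# NOTE(review): this excerpt contains no "access to" directives. With none,
# slapd's default is read access for everyone, so userPassword (and the Samba
# password-hash attributes once samba.schema is loaded) would be readable by
# anonymous binds — confirm the full file restricts those attributes.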

# Iniciar serviço OpenLDAP

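# Empty the slapd data directory (presumably to discard the database created
# when the package was installed), keeping only the BDB tuning file DB_CONFIG.
# slapd must be stopped while the directory is emptied.
ldap_dir=/var/lib/ldap
cd /root || exit 1
/etc/init.d/slapd stop
# Abort before the wipe if DB_CONFIG could not be saved.
cp -v "${ldap_dir}/DB_CONFIG" . || exit 1
# ${var:?} aborts instead of expanding to "/*" should the variable be empty.
rm -rfv -- "${ldap_dir:?}"/*
cp -v DB_CONFIG "${ldap_dir}/"
/etc/init.d/slapd start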

# Verificar se o serviço LDAP está funcionando na porta 389

nmap localhost

# Criar arquivo /etc/ldap/app.ldif

cd /etc/ldap/

vim /etc/ldap/app.ldif

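# Base entries: the organization and the three OUs referenced later by
# smb.conf and smbldap.conf. LDIF records must be separated by a blank line;
# without the separators ldapadd treats the following "dn:" lines as
# attributes of the first entry and rejects it.
dn: dc=app,dc=com,dc=br
objectClass: dcObject
objectClass: organization
o: App Ltda
dc: app

dn: ou=Usuarios,dc=app,dc=com,dc=br
ou: Usuarios
objectClass: top
objectClass: organizationalUnit

dn: ou=Grupos,dc=app,dc=com,dc=br
ou: Grupos
objectClass: top
objectClass: organizationalUnit

dn: ou=Computadores,dc=app,dc=com,dc=br
ou: Computadores
objectClass: top
objectClass: organizationalUnit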

# Adicionar arquivo app.ldif ao OpenLDAP

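# Load the base entries as the directory administrator. -W prompts for the
# password instead of taking it on the command line. The bind DN must be in
# plain ASCII double quotes: the typographic quotes (“ ”) that appeared here
# are not shell quoting and would be passed to ldapadd as part of the DN.
cd /etc/ldap/ || exit 1
ldapadd -x -D "cn=admin,dc=app,dc=com,dc=br" -W -f app.ldif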

# Verificar registro da base OpenLDAP

ldapsearch -x -b 'dc=app,dc=com,dc=br' '(objectClass=*)'

# Instalar PAM

aptitude install libpam-ldap libnss-ldap nscd

# Editar /etc/libnss-ldap.conf

cp -v /etc/libnss-ldap.conf /etc/libnss-ldap.conf.original

vim /etc/libnss-ldap.conf

# NSS lookups go to the local slapd over plain LDAP (no TLS): acceptable only
# while the directory and this host are the same machine.
host		127.0.0.1
base		dc=app,dc=com,dc=br
ldap_version	3
# Lookups bind as this DN; its password is read from /etc/libnss-ldap.secret
# (written below). NOTE(review): this is the slapd rootdn, which bypasses the
# directory ACLs, so anything that can read the secret file gets full write
# access to the directory — a dedicated read-only bind DN would limit that.
rootbinddn	cn=admin,dc=app,dc=com,dc=br

# Editar arquivo /etc/libnss-ldap.secret (inserir senha do usuário admin)

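# Clear-text password for the rootbinddn configured in /etc/libnss-ldap.conf.
# Create the file unreadable to other local users from the start (umask 077
# covers a new file, chmod covers a pre-existing one). "1q2w3e" is the
# example admin password used throughout this guide — replace it.
( umask 077 && printf '%s\n' '1q2w3e' > /etc/libnss-ldap.secret )
chown root:root /etc/libnss-ldap.secret
chmod 600 /etc/libnss-ldap.secret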

# Editar arquivo /etc/nsswitch.conf

cp -v /etc/nsswitch.conf /etc/nsswitch.conf.original

vim /etc/nsswitch.conf

passwd:    files ldap
group:     files ldap
shadow:    files ldap

hosts:	   files dns
networks:  files

protocols: db files
services:  db files
ethers:	   db files
rpc:	   db files

netgroup:  ldap

# Editar arquivo /etc/pam_ldap.conf

cp -v /etc/pam_ldap.conf /etc/pam_ldap.conf.original

vim /etc/pam_ldap.conf

# pam_ldap talks to the local slapd over plain LDAP (no TLS): fine for
# loopback, not for remote clients.
base		dc=app,dc=com,dc=br
host		127.0.0.1
ldap_version 	3
# Password for this DN is read from /etc/pam_ldap.secret (written below).
# NOTE(review): the slapd rootdn bypasses directory ACLs; a bind account with
# only the rights PAM needs would limit exposure of the secret file.
rootbinddn	cn=admin,dc=app,dc=com,dc=br
# Passwords changed through pam_ldap are hashed locally with MD5 before being
# written to userPassword (the same MD5 choice as hash_encrypt in
# smbldap.conf later). SSHA, which slappasswd produced for rootpw, is stronger.
pam_password 	md5

# Editar arquivo /etc/pam_ldap.secret (inserir senha do usuário admin)

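# Clear-text password for the rootbinddn configured in /etc/pam_ldap.conf.
# Create the file unreadable to other local users from the start (umask 077
# covers a new file, chmod covers a pre-existing one). "1q2w3e" is the
# example admin password used throughout this guide — replace it.
( umask 077 && printf '%s\n' '1q2w3e' > /etc/pam_ldap.secret )
chown root:root /etc/pam_ldap.secret
chmod 600 /etc/pam_ldap.secret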

# Criar link simbolico de /etc/ldap/ldap.conf para /etc/libnss-ldap.conf

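# Point the OpenLDAP client configuration at libnss-ldap.conf so the ldap-*
# tools share its host/base settings. Stop if the directory change fails,
# otherwise the mv/ln would act on whatever the current directory is.
cd /etc/ldap || exit 1
mv -v ldap.conf ldap.conf.old
ln -s ../libnss-ldap.conf ldap.conf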

# Editar arquivo /etc/pam.d/common-account

cp -v /etc/pam.d/common-account /etc/pam.d/common-account.original

vim /etc/pam.d/common-account

# Account checks: pam_ldap answers for directory users and, being
# "sufficient", ends the stack on success; local accounts fall through to
# pam_unix.
account	sufficient	pam_ldap.so
# try_first_pass is an auth/password-stack option; pam_unix appears to ignore
# it in the account stack (harmless, presumably copied from common-auth).
account	required	pam_unix.so try_first_pass

# Editar arquivo /etc/pam.d/common-auth

cp -v /etc/pam.d/common-auth /etc/pam.d/common-auth.original

vim /etc/pam.d/common-auth

auth	required	pam_nologin.so
auth	required	pam_env.so
# Directory users: a successful LDAP bind ends the stack here.
auth	sufficient	pam_ldap.so
# Local users: try_first_pass reuses the password pam_ldap already collected;
# nullok_secure allows empty local passwords only on ttys listed in
# /etc/securetty.
auth	required	pam_unix.so nullok_secure try_first_pass

# Editar arquivo /etc/pam.d/common-session

cp -v /etc/pam.d/common-session /etc/pam.d/common-session.original

vim /etc/pam.d/common-session

# Create the home directory on first login. umask=0022 yields world-readable
# (0755) homes, while smbldap.conf later uses userHomeDirectoryMode="700" for
# the accounts it creates — the two paths give different permissions;
# umask=0077 here would make them consistent and private.
session	required	pam_mkhomedir.so skel=/etc/skel umask=0022 silent
session	sufficient	pam_unix.so

# Editar arquivo /etc/pam.d/common-password

cp -v /etc/pam.d/common-password /etc/pam.d/common-password.original

vim /etc/pam.d/common-password

# Password changes: directory users go through pam_ldap, local accounts
# through pam_unix. "md5" selects MD5-based hashes for /etc/shadow (matching
# pam_password md5 in pam_ldap.conf); nullok relaxes the check for accounts
# whose current password is empty. NOTE(review): min=4/max=8 look like
# length limits — confirm against pam_unix on this release.
password    sufficient    pam_ldap.so
password    required      pam_unix.so nullok obscure min=4 max=8 md5 try_first_pass

# Reiniciar serviço NSCD

/etc/init.d/nscd restart

# Instalar SAMBA

aptitude install samba smbclient samba-doc smbfs ntp

# Editar arquivo /etc/samba/smb.conf

cp -v /etc/samba/smb.conf /etc/samba/smb.conf.original

vim /etc/samba/smb.conf

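[global]
# Domain settings.
workgroup = APP
server string = Servidor Arquivos
netbios name = SRVAPP
# Samba logging.
log file = /var/log/samba/%m.log
max log size = 500
log level = 1

# Name resolution.
name resolve order = lmhosts wins bcast
unix charset = iso-8859-1
wins support = yes
# "admin users" act as root on every share; keep the list minimal. The
# "administrador" account is created later in this guide with
# smbldap-populate -a.
admin users = administrador

# Security and authentication options.
security = user
encrypt passwords = yes
passdb backend = ldapsam:ldap://localhost
# NOTE(review): /etc/samba/smbusers is referenced but never created in this
# guide — confirm it exists or drop the mapping.
username map = /etc/samba/smbusers

# Print server options.
printing = cups
printcap name = cups
load printers = yes

# PDC options.
# NOTE(review): smbldap.conf later sets userScript="logon.bat"; the two
# script names should agree.
domain logons = yes
logon script = logon.cmd

# No roaming profiles.
logon drive =
logon path =
logon home =

# To enable roaming profiles, comment out the three lines above and
# uncomment the options below.
;logon drive = H:
;logon path = \\%L\%U\profiles

# Profile mapping.
;logon home = \\%L\%U\profiles

# Domain browsing options.
preferred master = auto
local master = yes
domain master = auto
os level = 65

# "time server" requires the ntp server to be installed and running.
time server = yes

# LDAP authentication backend. With "ldap ssl = off" the bind password stored
# via "smbpasswd -w" and all directory traffic travel in clear text; that is
# only acceptable while the backend stays ldap://localhost.
ldap admin dn = cn=admin,dc=app,dc=com,dc=br
ldap ssl = off
ldap delete dn = no
ldap user suffix = ou=Usuarios
ldap group suffix = ou=Grupos
ldap machine suffix = ou=Computadores
ldap suffix = dc=app,dc=com,dc=br

# Create machine accounts automatically when a workstation joins the domain.
add user script = /usr/sbin/smbldap-useradd -m "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
# delete group script = /usr/sbin/smbldap-group-del "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"

# Let members of the "Domain Admins" group join workstations to the Samba
# domain.
enable privileges = yes

# ACL control from Windows Explorer. For ACLs to work, the partitions holding
# the Samba shares need the "acl" and "user_xattr" mount options in
# /etc/fstab.
map acl inherit = yes
inherit acls = yes
inherit permissions = yes
nt acl support = yes

[homes]
comment = Diretorio Home
browseable = no
writable = yes
valid users = %S

[netlogon]
path = /var/lib/samba/netlogon
read only = yes
# Group name corrected to "Domain Admins", matching [print$] and the group
# named in the "enable privileges" comment above; with the earlier
# "Domain Admin" (no such group) only root could presumably write here.
write list = root @"Domain Admins"

[printers]
comment = Impressoras
path = /var/spool/samba
printable = yes
writeable = no
browseable = no

[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = yes
read only = yes
guest ok = no
write list = root @"Domain Admins"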

# Criar diretorio para arquivos netlogon

mkdir -v /var/lib/samba/netlogon

# Copiar arquivo samba.schema para diretório /etc/ldap/schema

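# Install the Samba schema shipped with samba-doc into the slapd schema
# directory. Decompress into the destination instead of running gunzip in
# place, which would modify (and rename) a file owned by the samba-doc package.
cd /etc/ldap/schema || exit 1
zcat /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz > /etc/ldap/schema/samba.schema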

# Adicionar a linha include e descomentar as linhas de index a seguir no arquivo /etc/ldap/slapd.conf

vim /etc/ldap/slapd.conf

# The include belongs with the other include directives in the global section
# (before the "database" definition); the index lines belong in the database
# section, where they were left commented earlier in this guide.
include   /etc/ldap/schema/samba.schema
index     sambaSID		eq
index	  sambaPrimaryGroupSID	eq
index	  SambaDomainName	eq

# Indexar a base OpenLDAP

# Rebuild the indexes after adding samba.schema; slapd must be stopped while
# slapindex writes to the database.
/etc/init.d/slapd stop
slapindex -v
# slapindex ran as root, so the index files it created are root-owned; hand
# them back to the openldap user (presumably the account slapd runs as) before
# the service starts.
chown -v openldap: /var/lib/ldap/*
/etc/init.d/slapd start

# Armazenar senha do administrador do SAMBA no arquivo secrets.tdb

# Store the "ldap admin dn" bind password in secrets.tdb so smbd can bind as
# cn=admin. smbpasswd -w takes the password as an argument, so it is visible
# in the process list while running and remains in the shell history
# afterwards; "1q2w3e" is the guide's example admin password — replace it.
smbpasswd -w 1q2w3e

# Iniciar serviço SAMBA

/etc/init.d/samba start

# Verificar serviço SAMBA em execução

netstat -lntup | grep mbd

# Instalar smbldap-tools

aptitude install smbldap-tools

# Copiar arquivos de configurações do smbldap-tools para diretório /etc/smbldap-tools

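# Copy the example smbldap-tools configuration into place.
cd /etc/smbldap-tools || exit 1
cp -v /usr/share/doc/smbldap-tools/examples/smbldap_bind.conf .
cp -v /usr/share/doc/smbldap-tools/examples/smbldap.conf.gz .
gunzip smbldap.conf.gz
# smbldap_bind.conf will hold the admin bind password (masterPw) in clear
# text; restrict it to root before the secret is written into it.
chown root:root smbldap_bind.conf
chmod 600 smbldap_bind.conf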

# Editar arquivo /etc/smbldap-tools/smbldap_bind.conf

vim /etc/smbldap-tools/smbldap_bind.conf

# Bind credentials used by the smbldap-* tools. The slave entries stay
# commented; smbldap.conf points both slaveLDAP and masterLDAP at the same
# local slapd (127.0.0.1).
# slaveDN="cn=admin,dc=app,dc=com,dc=br"
# slavePw="1q2w3e"
masterDN="cn=admin,dc=app,dc=com,dc=br"
# Clear-text admin password (the guide's example value — replace it); keep
# this file mode 0600, owned by root.
masterPw="1q2w3e"

# Código SID de identificação do domínio.

net getlocalsid APP
* Copie e cole o código SID gerado no campo “SID” do arquivo smbldap.conf

# Editar arquivo /etc/smbldap-tools/smbldap.conf

vim /etc/smbldap-tools/smbldap.conf

# Domain SID: must be the value printed by "net getlocalsid APP" on this
# server; the value below is the guide's example.
SID="S-1-5-21-2541201885-1142570366-3191061254"
sambaDomain="APP"
# Read (slave) and write (master) servers are the same local slapd.
slaveLDAP="127.0.0.1"
slavePort="389"
masterLDAP="127.0.0.1"
masterPort="389"
# ldapTLS="0": connections to slapd are clear text; the verify/cafile/
# clientcert/clientkey settings below are presumably only consulted when
# ldapTLS is enabled. Acceptable only while the directory is on this host.
ldapTLS="0"
verify="require"
cafile="/etc/smbldap-tools/ca.pem"
clientcert="/etc/smbldap-tools/smbldap-tools.pem"
clientkey="/etc/smbldap-tools/smbldap-tools.key"
suffix="dc=app,dc=com,dc=br"
# Containers created by app.ldif earlier in this guide.
usersdn="ou=Usuarios,${suffix}"
computersdn="ou=Computadores,${suffix}"
groupsdn="ou=Grupos,${suffix}"
idmapdn="ou=Idmap,${suffix}"
sambaUnixIdPooldn="sambaDomainName=APP,${suffix}"
scope="sub"
# userPassword hash for accounts created by these tools. MD5 matches
# pam_password md5 in pam_ldap.conf; SSHA (what slappasswd produced for the
# rootpw) is the stronger choice if the tools on this release support it.
hash_encrypt="MD5"
crypt_salt_format="%s"
userLoginShell="/bin/bash"
userHome="/home/%U"
# 0700 homes here, whereas pam_mkhomedir (common-session) creates 0755 homes
# with umask=0022 — the two paths are inconsistent.
userHomeDirectoryMode="700"
userGecos="System User"
# 513 and 515 are the well-known RIDs of Domain Users and Domain Computers.
defaultUserGid="513"
defaultComputerGid="515"
skeletonDir="/etc/skel"
defaultMaxPasswordAge="90"
userSmbHome=""
userProfile=""
userHomeDrive=""
# NOTE(review): smb.conf sets "logon script = logon.cmd"; one of the two
# names should be changed so they agree.
userScript="logon.bat"
mailDomain="app.com.br"
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"

# Popular base OpenLDAP

smbldap-populate

# Verificar dados que foram inseridos na base

ldapsearch -x -b 'dc=app,dc=com,dc=br' dn | less

# Trocando conta “root” por “administrador” no samba

smbldap-userdel root
smbldap-populate -a administrador

# Instalando LAM (LDAP Account Manager)

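# Apache, PHP with the LDAP/mcrypt/mhash extensions, and LDAP Account Manager.
# The continuation must be a bare backslash at end of line: the original had a
# trailing space after it, which escapes the space instead of the newline, so
# the second line would run as a separate (failing) command.
aptitude install apache2 libapache2-mod-php5 php5 php5-ldap \
  php5-mcrypt php-fpdf php5-mhash ldap-account-manager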

Acesse no browser: http://localhost/lam

# Comandos SAMBA

– Adicionar usuário no SAMBA atribuindo-lhe uma senha:

smbldap-useradd -P -a <usuario>

– Consultar dados de usuário

smbldap-usershow <usuario>

– Alterar senha usuário

smbldap-passwd -u <usuario>

– Apagar usuário SAMBA

smbldap-userdel <usuario>

fonte: http://www.google.com
