Wiki Ubuntu-it


STOP! Why is this guide under the Trash page? A guide can be moved to the Trash by the Documentation Group if it contains instructions that are compatible only with Ubuntu releases that are no longer supported, or because there is no certainty that they work on the currently supported releases. These pages need an update and a verification of the instructions they contain. If you want to revive one of these guides, contact the Documentation Group on its board on the forum.



Introduction

This page contains useful instructions on how to use Samba+LDAP.

It explains how to create a Windows NT-style PDC (Primary Domain Controller) on Ubuntu Server 8.04 and 10.04 for a network of clients running Windows XP Pro and Vista Ultimate/Business and (only on Ubuntu Server 10.04, which ships Samba 3.4.7) Windows 7 Pro/Ultimate.

For a domain such as prova.it, the variables:

nome_vostro_dominio

ext_dominio

will be:

prova

it

Enter the password for the LDAP administrator when it is requested.

It is advisable not to exceed 5 alphanumeric characters.

The root passwords for LDAP and for smbpasswd must be the same.
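The guide stores this password as a cleartext value (rootpw in slapd.conf, olcRootPW and userPassword in the 10.04 LDIF files); slapd also accepts it in the hashed {SSHA} form that slappasswd produces, so a copied or backed-up configuration file does not expose the password directly. The Python below is an added example, not part of this guide or of OpenLDAP: it produces and verifies {SSHA} values the way slapd does and flags cleartext password lines in a constructed sample that mixes the guide's slapd.conf and LDIF lines for the example domain prova.it.

```python
"""Hash slapd admin passwords as {SSHA} and flag cleartext ones (added example)."""
import base64
import hashlib
import hmac
import os
import re


def ssha_hash(password, salt=None):
    """Return an OpenLDAP {SSHA} value: base64( sha1(password || salt) || salt ).

    slappasswd uses a short random salt (4 bytes); a fixed salt is accepted here
    only so that the result can be reproduced in tests.
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a candidate password against a {SSHA} value the way slapd does on bind."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes, salt follows
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


# Matches slapd.conf style (rootpw "value") and LDIF style (olcRootPW: value,
# userPassword:: base64value) password lines; group 2 is the separator.
PASSWORD_LINE = re.compile(
    r'^\s*(rootpw|olcRootPW|userPassword)(::?|\s)\s*"?([^"]*?)"?\s*$', re.IGNORECASE)


def cleartext_password_lines(config_text):
    """Return [(line_no, key)] for password values that carry no {scheme} prefix."""
    findings = []
    for n, line in enumerate(config_text.splitlines(), 1):
        m = PASSWORD_LINE.match(line)
        if not m:
            continue
        key, sep, value = m.groups()
        if sep == "::":                        # LDIF base64-encoded value
            value = base64.b64decode(value).decode("utf-8", "replace")
        if not value.startswith("{"):
            findings.append((n, key))
    return findings


# Constructed sample mixing the guide's slapd.conf and LDIF lines for the domain
# prova.it; only the last line stores the password in hashed form.
SAMPLE_CONFIG = "\n".join([
    'rootdn          "cn=admin,dc=prova,dc=it"',
    'rootpw          "paswd_di_ldap"',
    "olcRootDN: cn=admin,dc=prova,dc=it",
    "olcRootPW: ROOT_PASSWD",
    "userPassword:: " + base64.b64encode(b"ROOT_PASSWD").decode("ascii"),
    "olcRootPW: " + ssha_hash("ROOT_PASSWD", salt=b"\x01\x02\x03\x04"),
])

if __name__ == "__main__":
    for line_no, key in cleartext_password_lines(SAMPLE_CONFIG):
        print("line %d: %s is stored in cleartext" % (line_no, key))
    print("replace it with e.g.", ssha_hash("ROOT_PASSWD"))
```

On the server itself the same value is obtained with `slappasswd -s <password>`; the value it prints goes in place of the cleartext one.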

Installation

The following packages will be installed during the procedure:

Note: the packages will be installed in the appropriate section of the guide.

Configuring LDAP on Ubuntu Server 8.04

  1. Install the slapd and ldap-utils packages.

    In a terminal type:

    sudo apt-get install slapd ldap-utils
  2. In a terminal type:

    sudo dpkg-reconfigure slapd
  3. Answer the questions asked by the configuration tool with the following, in this order.

    No
    nome_vostro_dominio.com
    vostraorganizzazione
    enter the password chosen when LDAP was installed
    confirm the password
    OK
    HDB
    No
    Yes
    No
  4. In a terminal type:

    sudo /etc/init.d/slapd restart
  5. In a terminal type:

    sudo cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz /etc/ldap/schema/
    sudo gzip -d /etc/ldap/schema/samba.schema.gz
  6. Edit the file /etc/ldap/slapd.conf.

    Add the following lines in the «include» section:

    include         /etc/ldap/schema/samba.schema
    include         /etc/ldap/schema/misc.schema

    Add the following attributes to the line «access to attrs=userPassword...»:

    sambaNTPassword,sambaLMPassword

    Uncomment the following line, replacing nome_vostro_dominio and ext_dominio with the values appropriate for you:

    rootdn          "cn=admin,dc=nome_vostro_dominio,dc=ext_dominio"

    and after it add the following, replacing paswd_di_ldap with the value appropriate for you:

    rootpw          "paswd_di_ldap"

    Add the following lines in the «Indices to maintain for this database» section:

    index objectClass                       eq,pres
    index ou,cn,sn,mail,givenname           eq,pres,sub
    index uidNumber,gidNumber,memberUid     eq,pres
    index loginShell                        eq,pres
    # I also added this line to stop warning in syslog ..
    index uniqueMember                      eq,pres
    # required to support pdb_getsampwnam
    index uid                               pres,sub,eq
    # required to support pdb_getsambapwrid()
    index displayName                       pres,sub,eq
    # These attributes don't exist in this database ..
    #index nisMapName,nisMapEntry            eq,pres,sub
    index sambaSID                          eq
    index sambaPrimaryGroupSID              eq
    index sambaDomainName                   eq
    index default                           sub
  7. In a terminal type:

    sudo /etc/init.d/slapd stop
    sudo slapindex
    sudo chown openldap:openldap /var/lib/ldap/*
    sudo /etc/init.d/slapd start
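To check what the access rule extended in step 6 actually grants on the NT/LM hash attributes (the same three rules reappear as olcAccess values in the 10.04 acl.ldif), here is an offline evaluator that applies OpenLDAP's first-matching-clause rule; it is an added example, not part of this guide or of OpenLDAP. It assumes the example domain prova.it, constructed entry DNs such as uid=alice,ou=Users,dc=prova,dc=it, and supports only the <what>/<who> selectors the guide's rules use.

```python
"""Offline evaluator for the access rules the guide installs (added example)."""
import re

# OpenLDAP access levels, weakest to strongest; granting a level implies all lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# The three access rules from the guide (acl.ldif form), placeholders filled in for
# the example domain prova.it (constructed sample input, not read from a server).
ACL = [
    'to attrs=userPassword,sambaNTPassword,sambaLMPassword '
    'by dn="cn=admin,dc=prova,dc=it" write by anonymous auth by self write by * none',
    'to dn.base="" by * read',
    'to * by dn="cn=admin,dc=prova,dc=it" write by * read',
]


def _norm_dn(dn):
    """Case-fold a DN and drop spaces after commas so comparisons are textual."""
    return re.sub(r',\s*', ',', dn.strip().lower())


def parse_clause(clause):
    """Split 'to <what> by <who> <level> [by <who> <level> ...]' into (what, [(who, level)])."""
    m = re.match(r'\s*to\s+(.+?)\s+by\s+(.*)$', clause)
    if not m:
        raise ValueError("not an access clause: " + clause)
    what, rest = m.group(1), m.group(2)
    rules = []
    for part in re.split(r'\s+by\s+', rest):
        who, level = part.rsplit(None, 1)
        if level not in LEVELS:
            raise ValueError("unknown access level: " + level)
        rules.append((who, level))
    return what, rules


def _what_matches(what, entry_dn, attr):
    """Simplified <what> selector: '*', 'attrs=a,b,c' or 'dn.base="X"'."""
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr.lower() in [a.strip().lower() for a in what[6:].split(",")]
    m = re.match(r'dn\.base="(.*)"$', what)
    if m:
        return _norm_dn(m.group(1)) == _norm_dn(entry_dn)
    raise ValueError("unsupported <what> selector: " + what)


def _who_matches(who, bind_dn, entry_dn):
    """Simplified <who> selector: '*', 'anonymous', 'users', 'self' or dn="X" (exact match here)."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and _norm_dn(bind_dn) == _norm_dn(entry_dn)
    m = re.match(r'dn(?:\.exact)?="(.*)"$', who)
    if m:
        return bind_dn is not None and _norm_dn(bind_dn) == _norm_dn(m.group(1))
    raise ValueError("unsupported <who> selector: " + who)


def access_level(acl, bind_dn, entry_dn, attr):
    """Level granted to bind_dn (None = anonymous) on attr of entry_dn.

    As slapd does: stop at the first clause whose <what> matches, then at the first
    <who> inside it that matches; a matching clause with no matching <who> denies.
    """
    for clause in acl:
        what, rules = parse_clause(clause)
        if not _what_matches(what, entry_dn, attr):
            continue
        for who, level in rules:
            if _who_matches(who, bind_dn, entry_dn):
                return level
        return "none"
    return "none"  # no clause matched (not reachable here: the last clause is 'to *')


def grants(level, needed):
    """True if a granted level covers the requested one (e.g. 'write' covers 'read')."""
    return LEVELS.index(level) >= LEVELS.index(needed)


if __name__ == "__main__":
    alice = "uid=alice,ou=Users,dc=prova,dc=it"
    bob = "uid=bob,ou=Users,dc=prova,dc=it"
    for who, attr in [(None, "sambaNTPassword"), (bob, "sambaNTPassword"),
                      (alice, "sambaNTPassword"), (None, "sambaSID")]:
        print(who or "anonymous", attr, "->", access_level(ACL, who, alice, attr))
```

The last case is the one to notice: the catch-all third rule grants anonymous read on every attribute outside the password set, so whether to tighten it to `by users read by * none` depends on whether any NSS client binds anonymously.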

Configuring LDAP on Ubuntu Server 10.04

  1. Install the slapd and ldap-utils packages.

    In a terminal type:

    sudo apt-get install slapd ldap-utils
  2. In a terminal type:

    sudo ls /etc/ldap/schema/*.ldif | xargs -I {} sudo ldapadd -Y EXTERNAL -H ldapi:/// -f {}
  3. Create the file /etc/ldap/schema/samba.schema.

    Enter the following:

    ##
    ## schema file for OpenLDAP 2.x
    ## Schema for storing Samba user accounts and group maps in LDAP
    ## OIDs are owned by the Samba Team
    ##
    ## Prerequisite schemas - uid         (cosine.schema)
    ##                      - displayName (inetorgperson.schema)
    ##                      - gidNumber   (nis.schema)
    ##
    ## 1.3.6.1.4.1.7165.2.1.x - attributetypes
    ## 1.3.6.1.4.1.7165.2.2.x - objectclasses
    ##
    ## Printer support
    ## 1.3.6.1.4.1.7165.2.3.1.x - attributetypes
    ## 1.3.6.1.4.1.7165.2.3.2.x - objectclasses
    ##
    ## Samba4
    ## 1.3.6.1.4.1.7165.4.1.x - attributetypes
    ## 1.3.6.1.4.1.7165.4.2.x - objectclasses
    ## 1.3.6.1.4.1.7165.4.3.x - LDB/LDAP Controls
    ## 1.3.6.1.4.1.7165.4.4.x - LDB/LDAP Extended Operations
    ## 1.3.6.1.4.1.7165.4.255.x - mapped OIDs due to conflicts between AD and standards-track
    ##
    ## ----- READ THIS WHEN ADDING A NEW ATTRIBUTE OR OBJECT CLASS ------
    ##
    ## Run the 'get_next_oid' bash script in this directory to find the 
    ## next available OID for attribute type and object classes.
    ##
    ##   $ ./get_next_oid
    ##   attributetype ( 1.3.6.1.4.1.7165.2.1.XX NAME ....
    ##   objectclass ( 1.3.6.1.4.1.7165.2.2.XX NAME ....
    ##
    ## Also ensure that new entries adhere to the declaration style
    ## used throughout this file
    ##
    ##    <attributetype|objectclass> ( 1.3.6.1.4.1.7165.2.XX.XX NAME ....
    ##                               ^ ^                        ^
    ##
    ## The spaces are required for the get_next_oid script (and for 
    ## readability).
    ##
    ## ------------------------------------------------------------------
    
    # objectIdentifier SambaRoot 1.3.6.1.4.1.7165
    # objectIdentifier Samba3 SambaRoot:2
    # objectIdentifier Samba3Attrib Samba3:1
    # objectIdentifier Samba3ObjectClass Samba3:2
    # objectIdentifier Samba4 SambaRoot:4
    
    ########################################################################
    ##                            HISTORICAL                              ##
    ########################################################################
    
    ##
    ## Password hashes
    ##
    #attributetype ( 1.3.6.1.4.1.7165.2.1.1 NAME 'lmPassword'
    #       DESC 'LanManager Passwd'
    #       EQUALITY caseIgnoreIA5Match
    #       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )
    
    #attributetype ( 1.3.6.1.4.1.7165.2.1.2 NAME 'ntPassword'
    #       DESC 'NT Passwd'
    #       EQUALITY caseIgnoreIA5Match
    #       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )
    
    ##
    ## Account flags in string format ([UWDX     ])
    ##
    #attributetype ( 1.3.6.1.4.1.7165.2.1.4 NAME 'acctFlags'
    #       DESC 'Account Flags'
    #       EQUALITY caseIgnoreIA5Match
    #       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16} SINGLE-VALUE )
    
    ##
    ## Password timestamps & policies
    ##
    #attributetype ( 1.3.6.1.4.1.7165.2.1.3 NAME 'pwdLastSet'
    #       DESC 'NT pwdLastSet'
    #       EQUALITY integerMatch
    #       SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
    
    #attributetype ( 1.3.6.1.4.1.7165.2.1.5 NAME 'logonTime'
    #       DESC 'NT logonTime'
    #       EQUALITY integerMatch
    #       SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
    
    #attributetype ( 1.3.6.1.4.1.7165.2.1.6 NAME 'logoffTime'
    #       DESC 'NT logoffTime'
    #       EQUALITY integerMatch
    #       SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
    
    #attributetype ( 1.3.6.1.4.1.7165.2.1.7 NAME 'kickoffTime'
    #       DESC 'NT kickoffTime'
    #       EQUALITY integerMatch
    #       SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
    
    #attributetype ( 1.3.6.1.4.1.7165.2.1.8 NAME 'pwdCanChange'
    #       DESC 'NT pwdCanChange'
    #       EQUALITY integerMatch
    #       SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
    
    #attributetype ( 1.3.6.1.4.1.7165.2.1.9 NAME 'pwdMustChange'
    #       DESC 'NT pwdMustChange'
    #       EQUALITY integerMatch
    #       SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
    
    ##
    ## string settings
    ##
    #attributetype ( 1.3.6.1.4.1.7165.2.1.10 NAME 'homeDrive'
    #       DESC 'NT homeDrive'
    #       EQUALITY caseIgnoreIA5Match
    #       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{4} SINGLE-VALUE )
    
    #attributetype ( 1.3.6.1.4.1.7165.2.1.11 NAME 'scriptPath'
    #       DESC 'NT scriptPath'
    #       EQUALITY caseIgnoreIA5Match
    #       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{255} SINGLE-VALUE )
    
    #attributetype ( 1.3.6.1.4.1.7165.2.1.12 NAME 'profilePath'
    #       DESC 'NT profilePath'
    #       EQUALITY caseIgnoreIA5Match
    #       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{255} SINGLE-VALUE )
    
    #attributetype ( 1.3.6.1.4.1.7165.2.1.13 NAME 'userWorkstations'
    #       DESC 'userWorkstations'
    #       EQUALITY caseIgnoreIA5Match
    #       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{255} SINGLE-VALUE )
    
    #attributetype ( 1.3.6.1.4.1.7165.2.1.17 NAME 'smbHome'
    #       DESC 'smbHome'
    #       EQUALITY caseIgnoreIA5Match
    #       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )
    
    #attributetype ( 1.3.6.1.4.1.7165.2.1.18 NAME 'domain'
    #       DESC 'Windows NT domain to which the user belongs'
    #       EQUALITY caseIgnoreIA5Match
    #       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )
    
    ##
    ## user and group RID
    ##
    #attributetype ( 1.3.6.1.4.1.7165.2.1.14 NAME 'rid'
    #       DESC 'NT rid'
    #       EQUALITY integerMatch
    #       SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
    
    #attributetype ( 1.3.6.1.4.1.7165.2.1.15 NAME 'primaryGroupID'
    #       DESC 'NT Group RID'
    #       EQUALITY integerMatch
    #       SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
    
    ##
    ## The smbPasswordEntry objectclass has been depreciated in favor of the
    ## sambaAccount objectclass
    ##
    #objectclass ( 1.3.6.1.4.1.7165.2.2.1 NAME 'smbPasswordEntry' SUP top AUXILIARY
    #        DESC 'Samba smbpasswd entry'
    #        MUST ( uid $ uidNumber )
    #        MAY  ( lmPassword $ ntPassword $ pwdLastSet $ acctFlags ))
    
    #objectclass ( 1.3.6.1.4.1.7165.2.2.2 NAME 'sambaAccount' SUP top STRUCTURAL
    #       DESC 'Samba Account'
    #       MUST ( uid $ rid )
    #       MAY  ( cn $ lmPassword $ ntPassword $ pwdLastSet $ logonTime $
    #               logoffTime $ kickoffTime $ pwdCanChange $ pwdMustChange $ acctFlags $
    #               displayName $ smbHome $ homeDrive $ scriptPath $ profilePath $
    #               description $ userWorkstations $ primaryGroupID $ domain ))
    
    #objectclass ( 1.3.6.1.4.1.7165.2.2.3 NAME 'sambaAccount' SUP top AUXILIARY
    #       DESC 'Samba Auxiliary Account'
    #       MUST ( uid $ rid )
    #       MAY  ( cn $ lmPassword $ ntPassword $ pwdLastSet $ logonTime $
    #              logoffTime $ kickoffTime $ pwdCanChange $ pwdMustChange $ acctFlags $
    #              displayName $ smbHome $ homeDrive $ scriptPath $ profilePath $
    #              description $ userWorkstations $ primaryGroupID $ domain ))
    
    ########################################################################
    ##                        END OF HISTORICAL                           ##
    ########################################################################
    
    #######################################################################
    ##                Attributes used by Samba 3.0 schema                ##
    #######################################################################
    
    ##
    ## Password hashes
    ##
    attributetype ( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword'
            DESC 'LanManager Password'
            EQUALITY caseIgnoreIA5Match
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )
    
    attributetype ( 1.3.6.1.4.1.7165.2.1.25 NAME 'sambaNTPassword'
            DESC 'MD4 hash of the unicode password'
            EQUALITY caseIgnoreIA5Match
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )
    
    ##
    ## Account flags in string format ([UWDX     ])
    ##
    attributetype ( 1.3.6.1.4.1.7165.2.1.26 NAME 'sambaAcctFlags'
            DESC 'Account Flags'
            EQUALITY caseIgnoreIA5Match
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16} SINGLE-VALUE )
    
    ##
    ## Password timestamps & policies
    ##
    attributetype ( 1.3.6.1.4.1.7165.2.1.27 NAME 'sambaPwdLastSet'
            DESC 'Timestamp of the last password update'
            EQUALITY integerMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
    
    attributetype ( 1.3.6.1.4.1.7165.2.1.28 NAME 'sambaPwdCanChange'
            DESC 'Timestamp of when the user is allowed to update the password'
            EQUALITY integerMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
    
    attributetype ( 1.3.6.1.4.1.7165.2.1.29 NAME 'sambaPwdMustChange'
            DESC 'Timestamp of when the password will expire'
            EQUALITY integerMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
    
    attributetype ( 1.3.6.1.4.1.7165.2.1.30 NAME 'sambaLogonTime'
            DESC 'Timestamp of last logon'
            EQUALITY integerMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
    
    attributetype ( 1.3.6.1.4.1.7165.2.1.31 NAME 'sambaLogoffTime'
            DESC 'Timestamp of last logoff'
            EQUALITY integerMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
    
    attributetype ( 1.3.6.1.4.1.7165.2.1.32 NAME 'sambaKickoffTime'
            DESC 'Timestamp of when the user will be logged off automatically'
            EQUALITY integerMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
    
    attributetype ( 1.3.6.1.4.1.7165.2.1.48 NAME 'sambaBadPasswordCount'
            DESC 'Bad password attempt count'
            EQUALITY integerMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
    
    attributetype ( 1.3.6.1.4.1.7165.2.1.49 NAME 'sambaBadPasswordTime'
            DESC 'Time of the last bad password attempt'
            EQUALITY integerMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
    
    attributetype ( 1.3.6.1.4.1.7165.2.1.55 NAME 'sambaLogonHours'
            DESC 'Logon Hours'
            EQUALITY caseIgnoreIA5Match
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{42} SINGLE-VALUE )
    
    ##
    ## string settings
    ##
    attributetype ( 1.3.6.1.4.1.7165.2.1.33 NAME 'sambaHomeDrive'
            DESC 'Driver letter of home directory mapping'
            EQUALITY caseIgnoreIA5Match
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{4} SINGLE-VALUE )
    
    attributetype ( 1.3.6.1.4.1.7165.2.1.34 NAME 'sambaLogonScript'
            DESC 'Logon script path'
            EQUALITY caseIgnoreMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )
    
    attributetype ( 1.3.6.1.4.1.7165.2.1.35 NAME 'sambaProfilePath'
            DESC 'Roaming profile path'
            EQUALITY caseIgnoreMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )
    
    attributetype ( 1.3.6.1.4.1.7165.2.1.36 NAME 'sambaUserWorkstations'
            DESC 'List of user workstations the user is allowed to logon to'
            EQUALITY caseIgnoreMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )
    
    attributetype ( 1.3.6.1.4.1.7165.2.1.37 NAME 'sambaHomePath'
            DESC 'Home directory UNC path'
            EQUALITY caseIgnoreMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
    
    attributetype ( 1.3.6.1.4.1.7165.2.1.38 NAME 'sambaDomainName'
            DESC 'Windows NT domain to which the user belongs'
            EQUALITY caseIgnoreMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
    
    attributetype ( 1.3.6.1.4.1.7165.2.1.47 NAME 'sambaMungedDial'
            DESC 'Base64 encoded user parameter string'
            EQUALITY caseExactMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} )
    
    attributetype ( 1.3.6.1.4.1.7165.2.1.54 NAME 'sambaPasswordHistory'
            DESC 'Concatenated MD5 hashes of the salted NT passwords used on this account'
            EQUALITY caseIgnoreIA5Match
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} )
    
    ##
    ## SID, of any type
    ##
    
    attributetype ( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID'
            DESC 'Security ID'
            EQUALITY caseIgnoreIA5Match
            SUBSTR caseExactIA5SubstringsMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
    
    ##
    ## Primary group SID, compatible with ntSid
    ##
    
    attributetype ( 1.3.6.1.4.1.7165.2.1.23 NAME 'sambaPrimaryGroupSID'
            DESC 'Primary Group Security ID'
            EQUALITY caseIgnoreIA5Match
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
    
    attributetype ( 1.3.6.1.4.1.7165.2.1.51 NAME 'sambaSIDList'
            DESC 'Security ID List'
            EQUALITY caseIgnoreIA5Match
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} )
    
    ##
    ## group mapping attributes
    ##
    attributetype ( 1.3.6.1.4.1.7165.2.1.19 NAME 'sambaGroupType'
            DESC 'NT Group Type'
            EQUALITY integerMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
    
    ##
    ## Store info on the domain
    ##
    
    attributetype ( 1.3.6.1.4.1.7165.2.1.21 NAME 'sambaNextUserRid'
            DESC 'Next NT rid to give our for users'
            EQUALITY integerMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
    
    attributetype ( 1.3.6.1.4.1.7165.2.1.22 NAME 'sambaNextGroupRid'
            DESC 'Next NT rid to give out for groups'
            EQUALITY integerMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
    
    attributetype ( 1.3.6.1.4.1.7165.2.1.39 NAME 'sambaNextRid'
            DESC 'Next NT rid to give out for anything'
            EQUALITY integerMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
    
    attributetype ( 1.3.6.1.4.1.7165.2.1.40 NAME 'sambaAlgorithmicRidBase'
            DESC 'Base at which the samba RID generation algorithm should operate'
            EQUALITY integerMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
    
    attributetype ( 1.3.6.1.4.1.7165.2.1.41 NAME 'sambaShareName'
            DESC 'Share Name'
            EQUALITY caseIgnoreMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
    
    attributetype ( 1.3.6.1.4.1.7165.2.1.42 NAME 'sambaOptionName'
            DESC 'Option Name'
            EQUALITY caseIgnoreMatch
            SUBSTR caseIgnoreSubstringsMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
    
    attributetype ( 1.3.6.1.4.1.7165.2.1.43 NAME 'sambaBoolOption'
            DESC 'A boolean option'
            EQUALITY booleanMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
    
    attributetype ( 1.3.6.1.4.1.7165.2.1.44 NAME 'sambaIntegerOption'
            DESC 'An integer option'
            EQUALITY integerMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
    
    attributetype ( 1.3.6.1.4.1.7165.2.1.45 NAME 'sambaStringOption'
            DESC 'A string option'
            EQUALITY caseExactIA5Match
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
    
    attributetype ( 1.3.6.1.4.1.7165.2.1.46 NAME 'sambaStringListOption'
            DESC 'A string list option'
            EQUALITY caseIgnoreMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
    
    
    ##attributetype ( 1.3.6.1.4.1.7165.2.1.50 NAME 'sambaPrivName' 
    ##      SUP name )
    
    ##attributetype ( 1.3.6.1.4.1.7165.2.1.52 NAME 'sambaPrivilegeList'
    ##      DESC 'Privileges List'
    ##      EQUALITY caseIgnoreIA5Match
    ##      SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} )
    
    attributetype ( 1.3.6.1.4.1.7165.2.1.53 NAME 'sambaTrustFlags'
            DESC 'Trust Password Flags'
            EQUALITY caseIgnoreIA5Match
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
    
    # "min password length"
    attributetype ( 1.3.6.1.4.1.7165.2.1.58 NAME 'sambaMinPwdLength'
            DESC 'Minimal password length (default: 5)'
            EQUALITY integerMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
    
    # "password history"
    attributetype ( 1.3.6.1.4.1.7165.2.1.59 NAME 'sambaPwdHistoryLength'
            DESC 'Length of Password History Entries (default: 0 => off)'
            EQUALITY integerMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
    
    # "user must logon to change password"
    attributetype ( 1.3.6.1.4.1.7165.2.1.60 NAME 'sambaLogonToChgPwd'
            DESC 'Force Users to logon for password change (default: 0 => off, 2 => on)'
            EQUALITY integerMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
    
    # "maximum password age"
    attributetype ( 1.3.6.1.4.1.7165.2.1.61 NAME 'sambaMaxPwdAge'
            DESC 'Maximum password age, in seconds (default: -1 => never expire passwords)'
            EQUALITY integerMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
    
    # "minimum password age"
    attributetype ( 1.3.6.1.4.1.7165.2.1.62 NAME 'sambaMinPwdAge'
            DESC 'Minimum password age, in seconds (default: 0 => allow immediate password change)'
            EQUALITY integerMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
    
    # "lockout duration"
    attributetype ( 1.3.6.1.4.1.7165.2.1.63 NAME 'sambaLockoutDuration'
            DESC 'Lockout duration in minutes (default: 30, -1 => forever)'
            EQUALITY integerMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
    
    # "reset count minutes"
    attributetype ( 1.3.6.1.4.1.7165.2.1.64 NAME 'sambaLockoutObservationWindow'
            DESC 'Reset time after lockout in minutes (default: 30)'
            EQUALITY integerMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
    
    # "bad lockout attempt"
    attributetype ( 1.3.6.1.4.1.7165.2.1.65 NAME 'sambaLockoutThreshold'
            DESC 'Lockout users after bad logon attempts (default: 0 => off)'
            EQUALITY integerMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
    
    # "disconnect time"
    attributetype ( 1.3.6.1.4.1.7165.2.1.66 NAME 'sambaForceLogoff'
            DESC 'Disconnect Users outside logon hours (default: -1 => off, 0 => on)'
            EQUALITY integerMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
    
    # "refuse machine password change"
    attributetype ( 1.3.6.1.4.1.7165.2.1.67 NAME 'sambaRefuseMachinePwdChange'
            DESC 'Allow Machine Password changes (default: 0 => off)'
            EQUALITY integerMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
    
    #
    attributetype ( 1.3.6.1.4.1.7165.2.1.68 NAME 'sambaClearTextPassword'
            DESC 'Clear text password (used for trusted domain passwords)'
            EQUALITY octetStringMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
    
    #
    attributetype ( 1.3.6.1.4.1.7165.2.1.69 NAME 'sambaPreviousClearTextPassword'
            DESC 'Previous clear text password (used for trusted domain passwords)'
            EQUALITY octetStringMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
    
    
    
    #######################################################################
    ##              objectClasses used by Samba 3.0 schema               ##
    #######################################################################
    
    ## The X.500 data model (and therefore LDAPv3) says that each entry can
    ## only have one structural objectclass.  OpenLDAP 2.0 does not enforce
    ## this currently but will in v2.1
    
    ##
    ## added new objectclass (and OID) for 3.0 to help us deal with backwards
    ## compatibility with 2.2 installations (e.g. ldapsam_compat)  --jerry
    ##
    objectclass ( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY
            DESC 'Samba 3.0 Auxilary SAM Account'
            MUST ( uid $ sambaSID )
            MAY  ( cn $ sambaLMPassword $ sambaNTPassword $ sambaPwdLastSet $
                   sambaLogonTime $ sambaLogoffTime $ sambaKickoffTime $
                   sambaPwdCanChange $ sambaPwdMustChange $ sambaAcctFlags $
                   displayName $ sambaHomePath $ sambaHomeDrive $ sambaLogonScript $
                   sambaProfilePath $ description $ sambaUserWorkstations $
                   sambaPrimaryGroupSID $ sambaDomainName $ sambaMungedDial $
                   sambaBadPasswordCount $ sambaBadPasswordTime $
                   sambaPasswordHistory $ sambaLogonHours))
    
    ##
    ## Group mapping info
    ##
    objectclass ( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' SUP top AUXILIARY
            DESC 'Samba Group Mapping'
            MUST ( gidNumber $ sambaSID $ sambaGroupType )
            MAY  ( displayName $ description $ sambaSIDList ))
    
    ##
    ## Trust password for trust relationships (any kind)
    ##
    objectclass ( 1.3.6.1.4.1.7165.2.2.14 NAME 'sambaTrustPassword' SUP top STRUCTURAL
            DESC 'Samba Trust Password'
            MUST ( sambaDomainName $ sambaNTPassword $ sambaTrustFlags )
            MAY ( sambaSID $ sambaPwdLastSet ))
    
    ##
    ## Trust password for trusted domains
    ## (to be stored beneath the trusting sambaDomain object in the DIT)
    ##
    objectclass ( 1.3.6.1.4.1.7165.2.2.15 NAME 'sambaTrustedDomainPassword' SUP top STRUCTURAL
            DESC 'Samba Trusted Domain Password'
            MUST ( sambaDomainName $ sambaSID $
                   sambaClearTextPassword $ sambaPwdLastSet )
            MAY  ( sambaPreviousClearTextPassword ))
    
    ##
    ## Whole-of-domain info
    ##
    objectclass ( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' SUP top STRUCTURAL
            DESC 'Samba Domain Information'
            MUST ( sambaDomainName $ 
                   sambaSID ) 
            MAY ( sambaNextRid $ sambaNextGroupRid $ sambaNextUserRid $
                  sambaAlgorithmicRidBase $ 
                  sambaMinPwdLength $ sambaPwdHistoryLength $ sambaLogonToChgPwd $
                  sambaMaxPwdAge $ sambaMinPwdAge $
                  sambaLockoutDuration $ sambaLockoutObservationWindow $ sambaLockoutThreshold $
                  sambaForceLogoff $ sambaRefuseMachinePwdChange ))
    
    ##
    ## used for idmap_ldap module
    ##
    objectclass ( 1.3.6.1.4.1.7165.2.2.7 NAME 'sambaUnixIdPool' SUP top AUXILIARY
            DESC 'Pool for allocating UNIX uids/gids'
            MUST ( uidNumber $ gidNumber ) )
    
    
    objectclass ( 1.3.6.1.4.1.7165.2.2.8 NAME 'sambaIdmapEntry' SUP top AUXILIARY
            DESC 'Mapping from a SID to an ID'
            MUST ( sambaSID )
            MAY ( uidNumber $ gidNumber ) )
    
    objectclass ( 1.3.6.1.4.1.7165.2.2.9 NAME 'sambaSidEntry' SUP top STRUCTURAL
            DESC 'Structural Class for a SID'
            MUST ( sambaSID ) )
    
    objectclass ( 1.3.6.1.4.1.7165.2.2.10 NAME 'sambaConfig' SUP top AUXILIARY
            DESC 'Samba Configuration Section'
            MAY ( description ) )
    
    objectclass ( 1.3.6.1.4.1.7165.2.2.11 NAME 'sambaShare' SUP top STRUCTURAL
            DESC 'Samba Share Section'
            MUST ( sambaShareName )
            MAY ( description ) )
    
    objectclass ( 1.3.6.1.4.1.7165.2.2.12 NAME 'sambaConfigOption' SUP top STRUCTURAL
            DESC 'Samba Configuration Option'
            MUST ( sambaOptionName )
            MAY ( sambaBoolOption $ sambaIntegerOption $ sambaStringOption $ 
                  sambaStringListoption $ description ) )
    
    
    ## retired during privilege rewrite
    ##objectclass ( 1.3.6.1.4.1.7165.2.2.13 NAME 'sambaPrivilege' SUP top AUXILIARY
    ##      DESC 'Samba Privilege'
    ##      MUST ( sambaSID )
    ##      MAY ( sambaPrivilegeList ) )
  4. Create the file /etc/ldap/schema/db.ldif.

    Enter the following, replacing nome_vostro_dominio, ext_dominio and ROOT_PASSWD with the values appropriate for you:

    # Load dynamic backend modules
    dn: cn=module,cn=config
    objectClass: olcModuleList
    cn: module
    olcModulepath: /usr/lib/ldap
    olcModuleload: back_hdb
    
    # Create the database
    dn: olcDatabase=hdb,cn=config
    objectClass: olcDatabaseConfig
    objectClass: olcHdbConfig
    olcDatabase: hdb
    olcDbDirectory: /var/lib/ldap
    olcSuffix: dc=nome_vostro_dominio,dc=ext_dominio
    olcRootDN: cn=admin,dc=nome_vostro_dominio,dc=ext_dominio
    olcRootPW: ROOT_PASSWD
    olcDbConfig: {0}set_cachesize 0 2097152 0
    olcDbConfig: {1}set_lk_max_objects 1500
    olcDbConfig: {2}set_lk_max_locks 1500
    olcDbConfig: {3}set_lk_max_lockers 1500
    olcLastMod: TRUE
    olcDbCheckpoint: 512 30
    olcDbIndex: objectClass eq,pres
    olcDbIndex: ou,cn,sn,mail,givenname eq,pres,sub
    olcDbIndex: uidNumber,gidNumber,memberUid eq,pres
    olcDbIndex: loginShell eq,pres
    # I also added this line to stop warning in syslog ..
    olcDbIndex: uniqueMember eq,pres
    ## required to support pdb_getsampwnam
    olcDbIndex: uid pres,sub,eq
    ## required to support pdb_getsambapwrid()
    olcDbIndex: displayName pres,sub,eq
    # These attributes don't exist in this database ..
    #olcDbIndex: nisMapName,nisMapEntry eq,pres,sub
    olcDbIndex: sambaSID eq
    olcDbIndex: sambaPrimaryGroupSID eq
    olcDbIndex: sambaGroupType eq
    olcDbIndex: sambaSIDList eq
    olcDbIndex: sambaDomainName eq
    olcDbIndex: default sub
  5. Create the file /etc/ldap/schema/config.ldif.

    Enter the following, replacing ROOT_PASSWD with the value appropriate for you:

    dn: cn=config
    changetype: modify
    
    dn: olcDatabase={0}config,cn=config
    changetype: modify
    add: olcRootDN
    olcRootDN: cn=admin,cn=config
    
    dn: olcDatabase={0}config,cn=config
    changetype: modify
    add: olcRootPW
    olcRootPW: ROOT_PASSWD
    
    dn: olcDatabase={0}config,cn=config
    changetype: modify
    delete: olcAccess
  6. Create the file /etc/ldap/schema/base.ldif.

    Enter the following, replacing nome_vostro_dominio and ext_dominio with the values appropriate for you:

    dn: dc=nome_vostro_dominio,dc=ext_dominio
    objectClass: dcObject
    objectclass: organization
    o: nome_vostro_dominio.ext_dominio
    dc: nome_vostro_dominio
    description: LDAP nome_vostro_dominio
    
    dn: cn=admin,dc=nome_vostro_dominio,dc=ext_dominio
    objectClass: simpleSecurityObject
    objectClass: organizationalRole
    cn: admin
    userPassword: ROOT_PASSWD
    description: LDAP administrator
  7. Create the file /etc/ldap/schema/acl.ldif.

    Enter the following, replacing nome_vostro_dominio and ext_dominio with the values appropriate for you:

    dn: olcDatabase={1}hdb,cn=config
    changetype: modify
    add: olcAccess
    olcAccess: to attrs=userPassword,sambaNTPassword,sambaLMPassword by dn="cn=admin,dc=nome_vostro_dominio,dc=ext_dominio" write by anonymous auth by self write by * none
    olcAccess: to dn.base="" by * read
    olcAccess: to * by dn="cn=admin,dc=nome_vostro_dominio,dc=ext_dominio" write by * read
  8. Create the file /etc/ldap/schema/samba.ldif.

    Enter the following:

    dn: cn=samba,cn=schema,cn=config
    objectClass: olcSchemaConfig
    cn: samba
    olcAttributeTypes: {0}( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword' DESC 'L
     anManager Password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.1
     21.1.26{32} SINGLE-VALUE )
    olcAttributeTypes: {1}( 1.3.6.1.4.1.7165.2.1.25 NAME 'sambaNTPassword' DESC 'M
     D4 hash of the unicode password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4
     .1.1466.115.121.1.26{32} SINGLE-VALUE )
    olcAttributeTypes: {2}( 1.3.6.1.4.1.7165.2.1.26 NAME 'sambaAcctFlags' DESC 'Ac
     count Flags' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
     {16} SINGLE-VALUE )
    olcAttributeTypes: {3}( 1.3.6.1.4.1.7165.2.1.27 NAME 'sambaPwdLastSet' DESC 'T
     imestamp of the last password update' EQUALITY integerMatch SYNTAX 1.3.6.1.4.
     1.1466.115.121.1.27 SINGLE-VALUE )
    olcAttributeTypes: {4}( 1.3.6.1.4.1.7165.2.1.28 NAME 'sambaPwdCanChange' DESC 
     'Timestamp of when the user is allowed to update the password' EQUALITY integ
     erMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
    olcAttributeTypes: {5}( 1.3.6.1.4.1.7165.2.1.29 NAME 'sambaPwdMustChange' DESC
      'Timestamp of when the password will expire' EQUALITY integerMatch SYNTAX 1.
     3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
    olcAttributeTypes: {6}( 1.3.6.1.4.1.7165.2.1.30 NAME 'sambaLogonTime' DESC 'Ti
     mestamp of last logon' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.
     1.27 SINGLE-VALUE )
    olcAttributeTypes: {7}( 1.3.6.1.4.1.7165.2.1.31 NAME 'sambaLogoffTime' DESC 'T
     imestamp of last logoff' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.12
     1.1.27 SINGLE-VALUE )
    olcAttributeTypes: {8}( 1.3.6.1.4.1.7165.2.1.32 NAME 'sambaKickoffTime' DESC '
     Timestamp of when the user will be logged off automatically' EQUALITY integer
     Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
    olcAttributeTypes: {9}( 1.3.6.1.4.1.7165.2.1.48 NAME 'sambaBadPasswordCount' D
     ESC 'Bad password attempt count' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.146
     6.115.121.1.27 SINGLE-VALUE )
    olcAttributeTypes: {10}( 1.3.6.1.4.1.7165.2.1.49 NAME 'sambaBadPasswordTime' D
     ESC 'Time of the last bad password attempt' EQUALITY integerMatch SYNTAX 1.3.
     6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
    olcAttributeTypes: {11}( 1.3.6.1.4.1.7165.2.1.55 NAME 'sambaLogonHours' DESC '
     Logon Hours' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
     {42} SINGLE-VALUE )
    olcAttributeTypes: {12}( 1.3.6.1.4.1.7165.2.1.33 NAME 'sambaHomeDrive' DESC 'D
     river letter of home directory mapping' EQUALITY caseIgnoreIA5Match SYNTAX 1.
     3.6.1.4.1.1466.115.121.1.26{4} SINGLE-VALUE )
    olcAttributeTypes: {13}( 1.3.6.1.4.1.7165.2.1.34 NAME 'sambaLogonScript' DESC 
     'Logon script path' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.
     1.15{255} SINGLE-VALUE )
    olcAttributeTypes: {14}( 1.3.6.1.4.1.7165.2.1.35 NAME 'sambaProfilePath' DESC 
     'Roaming profile path' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.1
     21.1.15{255} SINGLE-VALUE )
    olcAttributeTypes: {15}( 1.3.6.1.4.1.7165.2.1.36 NAME 'sambaUserWorkstations' 
     DESC 'List of user workstations the user is allowed to logon to' EQUALITY cas
     eIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )
    olcAttributeTypes: {16}( 1.3.6.1.4.1.7165.2.1.37 NAME 'sambaHomePath' DESC 'Ho
     me directory UNC path' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.1
     21.1.15{128} )
    olcAttributeTypes: {17}( 1.3.6.1.4.1.7165.2.1.38 NAME 'sambaDomainName' DESC '
     Windows NT domain to which the user belongs' EQUALITY caseIgnoreMatch SYNTAX 
     1.3.6.1.4.1.1466.115.121.1.15{128} )
    olcAttributeTypes: {18}( 1.3.6.1.4.1.7165.2.1.47 NAME 'sambaMungedDial' DESC '
     Base64 encoded user parameter string' EQUALITY caseExactMatch SYNTAX 1.3.6.1.
     4.1.1466.115.121.1.15{1050} )
    olcAttributeTypes: {19}( 1.3.6.1.4.1.7165.2.1.54 NAME 'sambaPasswordHistory' D
     ESC 'Concatenated MD5 hashes of the salted NT passwords used on this account'
      EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} )
    olcAttributeTypes: {20}( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID' DESC 'Securit
     y ID' EQUALITY caseIgnoreIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1
     .3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
    olcAttributeTypes: {21}( 1.3.6.1.4.1.7165.2.1.23 NAME 'sambaPrimaryGroupSID' D
     ESC 'Primary Group Security ID' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.
     1.1466.115.121.1.26{64} SINGLE-VALUE )
    olcAttributeTypes: {22}( 1.3.6.1.4.1.7165.2.1.51 NAME 'sambaSIDList' DESC 'Sec
     urity ID List' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.
     26{64} )
    olcAttributeTypes: {23}( 1.3.6.1.4.1.7165.2.1.19 NAME 'sambaGroupType' DESC 'N
     T Group Type' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SING
     LE-VALUE )
    olcAttributeTypes: {24}( 1.3.6.1.4.1.7165.2.1.21 NAME 'sambaNextUserRid' DESC 
     'Next NT rid to give our for users' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.
     1466.115.121.1.27 SINGLE-VALUE )
    olcAttributeTypes: {25}( 1.3.6.1.4.1.7165.2.1.22 NAME 'sambaNextGroupRid' DESC
      'Next NT rid to give out for groups' EQUALITY integerMatch SYNTAX 1.3.6.1.4.
     1.1466.115.121.1.27 SINGLE-VALUE )
    olcAttributeTypes: {26}( 1.3.6.1.4.1.7165.2.1.39 NAME 'sambaNextRid' DESC 'Nex
     t NT rid to give out for anything' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1
     466.115.121.1.27 SINGLE-VALUE )
    olcAttributeTypes: {27}( 1.3.6.1.4.1.7165.2.1.40 NAME 'sambaAlgorithmicRidBase
     ' DESC 'Base at which the samba RID generation algorithm should operate' EQUA
     LITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
    olcAttributeTypes: {28}( 1.3.6.1.4.1.7165.2.1.41 NAME 'sambaShareName' DESC 'S
     hare Name' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SING
     LE-VALUE )
    olcAttributeTypes: {29}( 1.3.6.1.4.1.7165.2.1.42 NAME 'sambaOptionName' DESC '
     Option Name' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX
      1.3.6.1.4.1.1466.115.121.1.15{256} )
    olcAttributeTypes: {30}( 1.3.6.1.4.1.7165.2.1.43 NAME 'sambaBoolOption' DESC '
     A boolean option' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 S
     INGLE-VALUE )
    olcAttributeTypes: {31}( 1.3.6.1.4.1.7165.2.1.44 NAME 'sambaIntegerOption' DES
     C 'An integer option' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1
     .27 SINGLE-VALUE )
    olcAttributeTypes: {32}( 1.3.6.1.4.1.7165.2.1.45 NAME 'sambaStringOption' DESC
      'A string option' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121
     .1.26 SINGLE-VALUE )
    olcAttributeTypes: {33}( 1.3.6.1.4.1.7165.2.1.46 NAME 'sambaStringListOption' 
     DESC 'A string list option' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.
     115.121.1.15 )
    olcAttributeTypes: {34}( 1.3.6.1.4.1.7165.2.1.53 NAME 'sambaTrustFlags' DESC '
     Trust Password Flags' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115
     .121.1.26 )
    olcAttributeTypes: {35}( 1.3.6.1.4.1.7165.2.1.58 NAME 'sambaMinPwdLength' DESC
      'Minimal password length (default: 5)' EQUALITY integerMatch SYNTAX 1.3.6.1.
     4.1.1466.115.121.1.27 SINGLE-VALUE )
    olcAttributeTypes: {36}( 1.3.6.1.4.1.7165.2.1.59 NAME 'sambaPwdHistoryLength' 
     DESC 'Length of Password History Entries (default: 0 => off)' EQUALITY intege
     rMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
    olcAttributeTypes: {37}( 1.3.6.1.4.1.7165.2.1.60 NAME 'sambaLogonToChgPwd' DES
     C 'Force Users to logon for password change (default: 0 => off, 2 => on)' EQU
     ALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
    olcAttributeTypes: {38}( 1.3.6.1.4.1.7165.2.1.61 NAME 'sambaMaxPwdAge' DESC 'M
     aximum password age, in seconds (default: -1 => never expire passwords)' EQUA
     LITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
    olcAttributeTypes: {39}( 1.3.6.1.4.1.7165.2.1.62 NAME 'sambaMinPwdAge' DESC 'M
     inimum password age, in seconds (default: 0 => allow immediate password chang
     e)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
    olcAttributeTypes: {40}( 1.3.6.1.4.1.7165.2.1.63 NAME 'sambaLockoutDuration' D
     ESC 'Lockout duration in minutes (default: 30, -1 => forever)' EQUALITY integ
     erMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
    olcAttributeTypes: {41}( 1.3.6.1.4.1.7165.2.1.64 NAME 'sambaLockoutObservation
     Window' DESC 'Reset time after lockout in minutes (default: 30)' EQUALITY int
     egerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
    olcAttributeTypes: {42}( 1.3.6.1.4.1.7165.2.1.65 NAME 'sambaLockoutThreshold' 
     DESC 'Lockout users after bad logon attempts (default: 0 => off)' EQUALITY in
     tegerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
    olcAttributeTypes: {43}( 1.3.6.1.4.1.7165.2.1.66 NAME 'sambaForceLogoff' DESC 
     'Disconnect Users outside logon hours (default: -1 => off, 0 => on)' EQUALITY
      integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
    olcAttributeTypes: {44}( 1.3.6.1.4.1.7165.2.1.67 NAME 'sambaRefuseMachinePwdCh
     ange' DESC 'Allow Machine Password changes (default: 0 => off)' EQUALITY inte
     gerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
    olcAttributeTypes: {45}( 1.3.6.1.4.1.7165.2.1.68 NAME 'sambaClearTextPassword'
      DESC 'Clear text password (used for trusted domain passwords)' EQUALITY octe
     tStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
    olcAttributeTypes: {46}( 1.3.6.1.4.1.7165.2.1.69 NAME 'sambaPreviousClearTextP
     assword' DESC 'Previous clear text password (used for trusted domain password
     s)' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
    olcObjectClasses: {0}( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' DESC 'Sam
     ba 3.0 Auxilary SAM Account' SUP top AUXILIARY MUST ( uid $ sambaSID ) MAY ( 
     cn $ sambaLMPassword $ sambaNTPassword $ sambaPwdLastSet $ sambaLogonTime $ s
     ambaLogoffTime $ sambaKickoffTime $ sambaPwdCanChange $ sambaPwdMustChange $ 
     sambaAcctFlags $ displayName $ sambaHomePath $ sambaHomeDrive $ sambaLogonScr
     ipt $ sambaProfilePath $ description $ sambaUserWorkstations $ sambaPrimaryGr
     oupSID $ sambaDomainName $ sambaMungedDial $ sambaBadPasswordCount $ sambaBad
     PasswordTime $ sambaPasswordHistory $ sambaLogonHours ) )
    olcObjectClasses: {1}( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' DESC 'S
     amba Group Mapping' SUP top AUXILIARY MUST ( gidNumber $ sambaSID $ sambaGrou
     pType ) MAY ( displayName $ description $ sambaSIDList ) )
    olcObjectClasses: {2}( 1.3.6.1.4.1.7165.2.2.14 NAME 'sambaTrustPassword' DESC 
     'Samba Trust Password' SUP top STRUCTURAL MUST ( sambaDomainName $ sambaNTPas
     sword $ sambaTrustFlags ) MAY ( sambaSID $ sambaPwdLastSet ) )
    olcObjectClasses: {3}( 1.3.6.1.4.1.7165.2.2.15 NAME 'sambaTrustedDomainPasswor
     d' DESC 'Samba Trusted Domain Password' SUP top STRUCTURAL MUST ( sambaDomain
     Name $ sambaSID $ sambaClearTextPassword $ sambaPwdLastSet ) MAY sambaPreviou
     sClearTextPassword )
    olcObjectClasses: {4}( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' DESC 'Samba D
     omain Information' SUP top STRUCTURAL MUST ( sambaDomainName $ sambaSID ) MAY
      ( sambaNextRid $ sambaNextGroupRid $ sambaNextUserRid $ sambaAlgorithmicRidB
     ase $ sambaMinPwdLength $ sambaPwdHistoryLength $ sambaLogonToChgPwd $ sambaM
     axPwdAge $ sambaMinPwdAge $ sambaLockoutDuration $ sambaLockoutObservationWin
     dow $ sambaLockoutThreshold $ sambaForceLogoff $ sambaRefuseMachinePwdChange 
     ) )
    olcObjectClasses: {5}( 1.3.6.1.4.1.7165.2.2.7 NAME 'sambaUnixIdPool' DESC 'Poo
     l for allocating UNIX uids/gids' SUP top AUXILIARY MUST ( uidNumber $ gidNumb
     er ) )
    olcObjectClasses: {6}( 1.3.6.1.4.1.7165.2.2.8 NAME 'sambaIdmapEntry' DESC 'Map
     ping from a SID to an ID' SUP top AUXILIARY MUST sambaSID MAY ( uidNumber $ g
     idNumber ) )
    olcObjectClasses: {7}( 1.3.6.1.4.1.7165.2.2.9 NAME 'sambaSidEntry' DESC 'Struc
     tural Class for a SID' SUP top STRUCTURAL MUST sambaSID )
    olcObjectClasses: {8}( 1.3.6.1.4.1.7165.2.2.10 NAME 'sambaConfig' DESC 'Samba 
     Configuration Section' SUP top AUXILIARY MAY description )
    olcObjectClasses: {9}( 1.3.6.1.4.1.7165.2.2.11 NAME 'sambaShare' DESC 'Samba S
     hare Section' SUP top STRUCTURAL MUST sambaShareName MAY description )
    olcObjectClasses: {10}( 1.3.6.1.4.1.7165.2.2.12 NAME 'sambaConfigOption' DESC 
     'Samba Configuration Option' SUP top STRUCTURAL MUST sambaOptionName MAY ( sa
     mbaBoolOption $ sambaIntegerOption $ sambaStringOption $ sambaStringListoptio
     n $ description ) )
  9. In a terminal type:

    sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/db.ldif
    sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/base.ldif
    sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/config.ldif
    sudo ldapmodify -x -D "cn=admin,cn=config" -W -f /etc/ldap/schema/acl.ldif
    sudo ldapadd -x -D "cn=admin,cn=config" -W -f /etc/ldap/schema/samba.ldif
    sudo /etc/init.d/slapd restart
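
    Both config.ldif (olcRootPW) and base.ldif (userPassword) above carry ROOT_PASSWD in clear text. slapd also accepts these attributes in the hashed form that slappasswd prints (a value starting with {SSHA}), so the files need not contain the password itself. The Python script below is an added example, not part of this wiki page or of OpenLDAP: it builds and verifies that {SSHA} format, rewrites the ROOT_PASSWD placeholder with a hash, and scans an LDIF for password attributes still in clear. The copy of the admin entry it embeds is constructed for the demo.

```python
import base64
import hashlib
import hmac
import os
from typing import List, Optional

# Attributes that the guide's config.ldif and base.ldif fill with ROOT_PASSWD
PASSWORD_ATTRS = {"olcrootpw", "userpassword"}


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Build a {SSHA} value the way slappasswd does: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(8)  # slappasswd uses a random salt; any length works
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a cleartext password against a stored {SSHA} value (what slapd does on a bind)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # a SHA-1 digest is 20 bytes; whatever follows is the salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, candidate)


def cleartext_password_attrs(ldif_text: str) -> List[str]:
    """Return 'attr (line N)' for every password attribute whose value is not a {SCHEME} hash.

    A value written as 'attr:: base64' is decoded first, since LDIF tools store
    binary or non-ASCII values that way.
    """
    findings = []
    for number, line in enumerate(ldif_text.splitlines(), start=1):
        if ":" not in line:
            continue
        attr, value = line.split(":", 1)
        if attr.strip().lower() not in PASSWORD_ATTRS:
            continue
        value = value.strip()
        if value.startswith(":"):  # 'attr:: <base64>' form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        if not value.startswith("{"):
            findings.append(f"{attr.strip()} (line {number})")
    return findings


def hashed_ldif(ldif_text: str, password: str, salt: Optional[bytes] = None) -> str:
    """Replace the ROOT_PASSWD placeholder used in the guide's LDIF with a {SSHA} value."""
    return ldif_text.replace("ROOT_PASSWD", ssha_hash(password, salt))


# Constructed copy of the guide's base.ldif admin entry, placeholder still in place
SAMPLE_BASE_LDIF = """\
dn: cn=admin,dc=nome_vostro_dominio,dc=ext_dominio
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
userPassword: ROOT_PASSWD
description: LDAP administrator
"""

if __name__ == "__main__":
    print(cleartext_password_attrs(SAMPLE_BASE_LDIF))  # ['userPassword (line 5)']
    fixed = hashed_ldif(SAMPLE_BASE_LDIF, "secret")
    print(cleartext_password_attrs(fixed))  # []
    print(ssha_verify("secret", fixed.splitlines()[4].split(": ", 1)[1]))  # True
```

    Run the cleartext scan over config.ldif and base.ldif before the ldapadd step; with a hashed value the only place the password exists is the ldapmodify/ldapadd -W prompt.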
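
    The three olcAccess lines in acl.ldif are evaluated in order: the first "to" clause that matches the entry and attribute is used, and inside it the first matching "by" clause fixes the access level, so the password rule must come before the catch-all "to *" rule. The Python script below is an added example, not from this page and not OpenLDAP code: it models that evaluation for the guide's ACL, handling only the clause forms the ACL uses (attrs=, dn.base, *, dn=, anonymous, self, users); the DNs uid=ricky and uid=mallory are constructed for the demo. It also shows what the same clauses grant when the catch-all line is put first.

```python
from typing import List, Optional, Tuple

# OpenLDAP access levels, weakest to strongest; a level grants every weaker one
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# Placeholder admin DN from the guide; USER_DN and OTHER_DN are constructed for the demo
ADMIN_DN = "cn=admin,dc=nome_vostro_dominio,dc=ext_dominio"
USER_DN = "uid=ricky,ou=Users,dc=nome_vostro_dominio,dc=ext_dominio"
OTHER_DN = "uid=mallory,ou=Users,dc=nome_vostro_dominio,dc=ext_dominio"
PASSWORD_ATTRS = {"userpassword", "sambantpassword", "sambalmpassword"}

# A rule is (target, by-clauses); target is ("attrs", set) | ("dn.base", dn) | ("*", None)
Rule = Tuple[Tuple[str, object], List[Tuple[str, str]]]

# The three olcAccess lines from acl.ldif, in the order the guide gives them
GUIDE_ACL: List[Rule] = [
    (("attrs", PASSWORD_ATTRS),
     [("dn=" + ADMIN_DN, "write"), ("anonymous", "auth"), ("self", "write"), ("*", "none")]),
    (("dn.base", ""), [("*", "read")]),
    (("*", None), [("dn=" + ADMIN_DN, "write"), ("*", "read")]),
]

# Same clauses with the catch-all rule moved first: the ordering mistake this exposes
MISORDERED_ACL: List[Rule] = [GUIDE_ACL[2], GUIDE_ACL[0], GUIDE_ACL[1]]


def target_matches(target: Tuple[str, object], entry_dn: str, attr: str) -> bool:
    kind, arg = target
    if kind == "attrs":
        return attr.lower() in arg
    if kind == "dn.base":  # exact DN only; "" is the root DSE
        return entry_dn.lower() == str(arg).lower()
    return True  # "*"


def who_matches(who: str, entry_dn: str, requester: Optional[str]) -> bool:
    """requester is the bound DN, or None for an anonymous connection."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and requester.lower() == entry_dn.lower()
    if who.startswith("dn="):
        return requester is not None and requester.lower() == who[3:].lower()
    return False


def access_level(acl: List[Rule], entry_dn: str, attr: str, requester: Optional[str]) -> str:
    """First matching <to> clause wins, then its first matching <by> clause; no match means none."""
    for target, by_clauses in acl:
        if not target_matches(target, entry_dn, attr):
            continue
        for who, level in by_clauses:
            if who_matches(who, entry_dn, requester):
                return level
        return "none"  # OpenLDAP's implicit trailing "by * none"
    return "none"  # not reached with the guide's ACL, whose last rule is "to *"


def allows(level: str, needed: str) -> bool:
    return LEVELS.index(level) >= LEVELS.index(needed)


if __name__ == "__main__":
    for who, label in ((None, "anonymous"), (OTHER_DN, "another user"),
                       (USER_DN, "the user"), (ADMIN_DN, "admin")):
        lvl = access_level(GUIDE_ACL, USER_DN, "sambaNTPassword", who)
        print(f"{label:>13} on sambaNTPassword: {lvl:5}  read? {allows(lvl, 'read')}")
    print("misordered, another user:",
          access_level(MISORDERED_ACL, USER_DN, "sambaNTPassword", OTHER_DN))
```

    With the guide's order, an anonymous bind gets "auth" on the hash attributes (enough to authenticate, not to read them), another user gets "none", and only the entry itself and cn=admin get "write"; with the catch-all first, every bound user could read the NT hashes.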

Configure SAMBA

  1. Install the packages samba samba-common smbclient samba-common-bin.

    In a terminal type:

    sudo apt-get install samba samba-common smbclient samba-common-bin
  2. Make a copy of the file /etc/samba/smb.conf.

  3. Edit the file /etc/samba/smb.conf.

3.1 Global section.

  • Add or edit the following lines, replacing 10.5.5.0/24 with the IP range of your LAN:

    workgroup = nome_vostro_dominio
    # netbios name string
      netbios name=server
    
    # security
      hosts allow = 127.0.0.1 10.5.5.0/24
      hosts deny = 0.0.0.0/0
    
    # server string is the equivalent of the NT Description field
       server string =

    3.1.1 For Ubuntu 10.04 add the following line:

    ldap ssl = no

    3.2 Networking section.

    Add or edit the following lines, replacing 10.5.5.1/24 with the IP of the server's network card facing the LAN:

    interfaces = 127.0.0.1 10.5.5.1/24
    bind interfaces only = true

    3.3 Authentication section

    Add or edit the following lines as shown, replacing nome_vostro_dominio and ext_dominio with the values appropriate for you and respecting uppercase where necessary:

    security = user
    encrypt passwords = true
    passdb backend = ldapsam:ldap://localhost/
    obey pam restrictions = no
    
    ###############################################################
    #COPY AND PASTE THE FOLLOWING UNDERNEATH "OBEY PAM RESTRICTIONS = NO"
    ###############################################################
    
    #       Begin: Custom LDAP Entries
    ldap admin dn = cn=admin,dc=nome_vostro_dominio,dc=ext_dominio
    ldap suffix = dc=nome_vostro_dominio, dc=ext_dominio
    ldap group suffix = ou=Groups
    ldap user suffix = ou=Users
    ldap machine suffix = ou=Computers
    ldap idmap suffix = ou=Users
    ; Do ldap passwd sync
    ldap passwd sync = Yes
    passwd program = /usr/sbin/smbldap-passwd %u
    passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
    add user script = /usr/sbin/smbldap-useradd -m "%u"
    ldap delete dn = Yes
    delete user script = /usr/sbin/smbldap-userdel "%u"
    add machine script = /usr/sbin/smbldap-useradd -w "%u"
    add group script = /usr/sbin/smbldap-groupadd -p "%g"
    delete group script = /usr/sbin/smbldap-groupdel "%g"
    add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
    delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
    set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
    ####################################################
    #STOP COPYING HERE! 
    #####################################################
    
    ;invalid users = root
    
    ;Unix password sync=yes

    3.4 Domains section

    Add or edit the following lines:

    os level = 255
    domain master = yes
    domain logons = yes
    preferred master = yes
    logon path = \\%L\profiles\%U
    logon drive = Z:
    logon home = \\%L\%U
    logon script = %U.cmd

    3.4.1 Change the following parameter if you want to disable roaming profiles:

    logon path =

    3.5 Share section

    3.5.1 Adjust the following shares to your needs:

    [Profile]
    [home]
    [netlogon]
  • In a terminal type:

    sudo /etc/init.d/samba restart
    sudo smbpasswd -w "passwd ldap"
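
    As an added check that is not part of the guide or of Samba, the Python script below reads an smb.conf and audits the [global] settings the guide relies on: security = user, encrypt passwords, hosts allow and bind interfaces only, and, because the guide sets ldap ssl = no on 10.04, that the ldapsam backend points at the local LDAP server rather than one across the network (otherwise the ldap admin dn bind password and the NT hashes would travel in clear). The smb.conf text it embeds is constructed from the settings above; the parser is deliberately minimal (sections, key = value, # and ; comment lines).

```python
from typing import Dict, List
from urllib.parse import urlparse

# Constructed smb.conf built from the settings the guide adds to [global]
SAMPLE_SMB_CONF = """\
[global]
   workgroup = nome_vostro_dominio
   # netbios name string
   netbios name=server
   hosts allow = 127.0.0.1 10.5.5.0/24
   hosts deny = 0.0.0.0/0
   ldap ssl = no
   interfaces = 127.0.0.1 10.5.5.1/24
   bind interfaces only = true
   security = user
   encrypt passwords = true
   passdb backend = ldapsam:ldap://localhost/
   ; Do ldap passwd sync
   ldap passwd sync = Yes
   ldap admin dn = cn=admin,dc=nome_vostro_dominio,dc=ext_dominio

[netlogon]
   path = /var/lib/samba/netlogon
"""

LOCAL_LDAP_HOSTS = {"localhost", "127.0.0.1", "::1"}


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf reader: [sections], 'key = value', '#' and ';' comment lines.

    Keys are lower-cased with whitespace collapsed, which is how smbd compares them.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def is_true(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "1")


def audit_global(conf: Dict[str, Dict[str, str]]) -> List[str]:
    """Return findings for the [global] settings the guide relies on; empty means all checks passed."""
    g = conf.get("global", {})
    findings: List[str] = []
    if g.get("security", "").lower() != "user":
        findings.append("security must be 'user' for an ldapsam domain controller")
    if not is_true(g.get("encrypt passwords", "yes")):
        findings.append("encrypt passwords is off: clients would send plaintext passwords")
    if "hosts allow" not in g:
        findings.append("hosts allow is not set: no per-network restriction on who may connect")
    if not is_true(g.get("bind interfaces only", "no")):
        findings.append("bind interfaces only is not enabled: smbd listens on every interface")
    backend = g.get("passdb backend", "")
    if backend.lower().startswith("ldapsam:"):
        url = urlparse(backend[len("ldapsam:"):])
        ldap_ssl = g.get("ldap ssl", "start tls").lower()  # Samba 3 default is 'start tls'
        remote = url.scheme == "ldap" and url.hostname not in LOCAL_LDAP_HOSTS
        if remote and ldap_ssl in ("no", "off"):
            findings.append(
                f"passdb backend talks to {url.hostname} with 'ldap ssl = {ldap_ssl}': "
                "the admin bind password and NT hashes would cross the network in clear")
    return findings


if __name__ == "__main__":
    conf = parse_smb_conf(SAMPLE_SMB_CONF)
    print(audit_global(conf))  # []
    remote = SAMPLE_SMB_CONF.replace("ldap://localhost/", "ldap://10.5.5.2/")
    for finding in audit_global(parse_smb_conf(remote)):
        print("-", finding)
```

    Point parse_smb_conf at the real /etc/samba/smb.conf after editing it (for example open(path).read()) and run it again after each change; an empty list is the expected result for the configuration this guide builds.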

Configure the SMBLDAP-TOOLS package

  1. Install the smbldap-tools package.

    In a terminal type:

    sudo apt-get install smbldap-tools
  2. In a terminal type:

    cd /usr/share/doc/smbldap-tools/examples/
    sudo cp smbldap_bind.conf /etc/smbldap-tools/
    sudo cp smbldap.conf.gz /etc/smbldap-tools/
    sudo gzip -d /etc/smbldap-tools/smbldap.conf.gz
  3. In a terminal type:

    sudo net getlocalsid
  4. Edit the file /etc/smbldap-tools/smbldap.conf.

    Add or edit the following lines as shown, changing the value of the SID parameter to the one obtained with the net getlocalsid command. Also change nome_vostro_dominio and ext_dominio to the values appropriate for you; the value of the sambaDomainName parameter must be written in uppercase.

    SID="S-1-5-21-949328747-3404738746-3052206637"
    sambaDomain="nome_vostro_dominio"
    ldapTLS="0"
    suffix="dc=nome_vostro_dominio,dc=ext_dominio"
    sambaUnixIdPooldn="sambaDomainName=nome_vostro_dominio,${suffix}"
    userSmbHome=
    userProfile=
    userHomeDrive=
    userScript=
    mailDomain="nome_vostro_dominio.ext_dominio"
  5. Edit the file /etc/smbldap-tools/smbldap_bind.conf.

    Add or edit the following lines as shown, replacing nome_vostro_dominio and ext_dominio with the values appropriate for you:

    slaveDN="cn=admin,dc=nome_vostro_dominio,dc=ext_dominio"
    slavePw="passwd di ldap"
    masterDN="cn=admin,dc=nome_vostro_dominio,dc=ext_dominio"
    masterPw="passwd di ldap"
  6. In a terminal type:

    sudo chmod 0644 /etc/smbldap-tools/smbldap.conf
    sudo chmod 0600 /etc/smbldap-tools/smbldap_bind.conf

Configure the server to use LDAP authentication.

  1. Install the packages auth-client-config libpam-ldap libnss-ldap.

    In a terminal type:

    sudo apt-get install auth-client-config libpam-ldap libnss-ldap

    Answer the questions asked by the configurator as follows, in this order, replacing nome_vostro_dominio and ext_dominio with the values appropriate for you:

    Yes
    LDAP server Uniform Resource Identifier: ldap://127.0.0.1
    Distinguished name of the search base: dc=nome_vostro_dominio,dc=ext_dominio
    LDAP version to use: 3
    Make local root Database admin: Yes
    Does the LDAP database require login? No
    LDAP account for root: cn=admin,dc=nome_vostro_dominio,dc=ext_dominio
    LDAP root account password: passwd di ldap
  2. Edit the file /etc/ldap.conf.

    Add or edit the following lines as shown, replacing nome_vostro_dominio and ext_dominio with the values appropriate for you:

    host 127.0.0.1
    base dc=nome_vostro_dominio,dc=ext_dominio
    uri ldap://127.0.0.1
    rootbinddn cn=admin,dc=nome_vostro_dominio,dc=ext_dominio
    bind_policy soft

    Note: the file contains a line uri ldapi://.... generated by the ldap configurator; it must be commented out.

  3. In a terminal type:

    sudo cp /etc/ldap.conf /etc/ldap/ldap.conf
  4. Create the file /etc/auth-client-config/profile.d/open_ldap.

    Insert the following, with no blank lines between the rows:

    [open_ldap]
    nss_passwd=passwd: compat ldap
    nss_group=group: compat ldap
    nss_shadow=shadow: compat ldap
    pam_auth=auth       required     pam_env.so
     auth       sufficient   pam_unix.so likeauth nullok
     auth       sufficient   pam_ldap.so use_first_pass
     auth       required     pam_deny.so
    pam_account=account    sufficient   pam_unix.so
     account    sufficient   pam_ldap.so
     account    required     pam_deny.so
    pam_password=password   sufficient   pam_unix.so nullok md5 shadow use_authtok
     password   sufficient   pam_ldap.so use_first_pass
     password   required     pam_deny.so
    pam_session=session    required     pam_limits.so
     session    required     pam_mkhomedir.so skel=/etc/skel/
     session    required     pam_unix.so
     session    optional     pam_ldap.so
  5. In a terminal type:

    sudo cp /etc/nsswitch.conf /etc/nsswitch.conf.original
    cd /etc/pam.d/
    sudo mkdir bkup
    sudo cp * bkup/
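
    In the pam_auth stack of the profile above the control flags do the work: pam_unix.so and pam_ldap.so are "sufficient", so whichever of them succeeds ends the stack, and the final "required pam_deny.so" turns "nobody succeeded" into a failure. The Python script below is an added example, not from this page and not the Linux-PAM library: it parses the profile format (a key, then indented continuation lines) and models the required/requisite/sufficient/optional flow with per-module results supplied as data, including what the same stack would return if pam_deny.so were left off the end. The profile text it embeds is copied from the step above.

```python
from typing import Dict, List, Tuple

# The auth-client-config profile from the guide, embedded here as sample input
SAMPLE_PROFILE = """\
[open_ldap]
nss_passwd=passwd: compat ldap
nss_group=group: compat ldap
nss_shadow=shadow: compat ldap
pam_auth=auth       required     pam_env.so
 auth       sufficient   pam_unix.so likeauth nullok
 auth       sufficient   pam_ldap.so use_first_pass
 auth       required     pam_deny.so
pam_account=account    sufficient   pam_unix.so
 account    sufficient   pam_ldap.so
 account    required     pam_deny.so
"""

Stack = List[Tuple[str, str]]  # (control flag, module)


def parse_profile(text: str) -> Dict[str, List[str]]:
    """Split an auth-client-config profile into key -> lines; indented lines continue the key above."""
    entries: Dict[str, List[str]] = {}
    key = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("["):
            continue
        if not raw[0].isspace() and "=" in raw:
            key, value = raw.split("=", 1)
            entries[key.strip()] = [value.strip()]
        elif key is not None:
            entries[key].append(raw.strip())
    return entries


def pam_stack(lines: List[str]) -> Stack:
    """Turn 'type control module [args]' lines into (control, module) pairs."""
    return [(fields[1], fields[2]) for fields in (line.split() for line in lines)]


def run_stack(stack: Stack, results: Dict[str, bool]) -> Tuple[str, str]:
    """Model Linux-PAM's handling of the required/requisite/sufficient/optional flags.

    results maps module -> whether it succeeded for this login; a module missing
    from the dict (for example an unreachable pam_ldap) counts as failed.
    Returns (outcome, module that decided it); the module is '' when the stack
    ran to the end without any required failure.
    """
    first_failure = ""
    for control, module in stack:
        ok = results.get(module, False)
        if control == "required":
            if not ok and not first_failure:
                first_failure = module  # remembered, but later modules still run
        elif control == "requisite":
            if not ok:
                return "fail", module  # stops the stack at once
        elif control == "sufficient":
            if ok and not first_failure:
                return "success", module  # short-circuits the rest of the stack
        elif control == "optional":
            pass  # only matters when it is the sole module in the stack
    return ("fail", first_failure) if first_failure else ("success", "")


if __name__ == "__main__":
    auth = pam_stack(parse_profile(SAMPLE_PROFILE)["pam_auth"])
    local_user = {"pam_env.so": True, "pam_unix.so": True, "pam_ldap.so": False}
    ldap_user = {"pam_env.so": True, "pam_unix.so": False, "pam_ldap.so": True}
    bad_password = {"pam_env.so": True, "pam_unix.so": False, "pam_ldap.so": False}
    print(run_stack(auth, local_user))  # ('success', 'pam_unix.so')
    print(run_stack(auth, ldap_user))  # ('success', 'pam_ldap.so')
    print(run_stack(auth, bad_password))  # ('fail', 'pam_deny.so')
    print(run_stack(auth[:-1], bad_password))  # ('success', '') without pam_deny.so
```

    The last call is the reason the profile ends every stack with pam_deny.so: with only "sufficient" modules and no trailing "required" failure, a login that neither pam_unix nor pam_ldap accepted would still pass.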

Enable the new LDAP Authentication Profile

  1. In a terminal type:

    sudo auth-client-config -a -p open_ldap
    sudo reboot

Populate the LDAP database using smbldap-tools

  1. In a terminal type:

    sudo smbldap-populate -u 30000 -g 30000
  2. When asked for the root passwd, use the ldap one (max length 5):

Add the samba/unix users and assign them the desired passwd

  1. In a terminal type:

    sudo smbldap-useradd -a -m -s /bin/false -c "Richard M" -P ricky
  2. If you want a user to be a domain administrator and an administrator on their own Windows PC, run instead:

    sudo smbldap-useradd -a -m -s /bin/false -c "Richard M" -g "Domain Admins" -P ricky

Create the profile and netlogon folders

  1. In a terminal type:

    sudo mkdir /var/lib/samba/profiles
    sudo mkdir /var/lib/samba/netlogon
    sudo chmod -R 1757 /var/lib/samba/profiles
    sudo chmod -R 775 /var/lib/samba/netlogon

    # Note: the path /var/lib/samba is arbitrary; it is the default one.

    # CHECK THAT THE NETLOGON FILES ARE READABLE BY EVERYONE.

Join the client to the domain

  1. To join a client to the domain, refer to the help of your operating system for the correct procedure to follow.
  2. When joining the client to the domain you will be asked for a user name and a password.

    The user will be root and the password the one used for this user in the guide.

Firewall changes

  1. If a firewall is active on the server, the following incoming ports must be opened on the server's network card facing the LAN.

    If you use iptables and the network card is eth0, the lines to insert will be, for example:

    iptables -A INPUT -p UDP -i eth0 --dport 137 -j ACCEPT
    iptables -A INPUT -p UDP -i eth0 --dport 138 -j ACCEPT
    iptables -A INPUT -p TCP -i eth0 --dport 135 -j ACCEPT
    iptables -A INPUT -p TCP -i eth0 --dport 139 -j ACCEPT
    iptables -A INPUT -p TCP -i eth0 --dport 445 -j ACCEPT

Changes for Windows 7 clients

  1. On a client running Windows 7 Pro/Ultimate add the following registry keys:

    [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters]
    "DNSNameResolutionRequired"=dword:00000000
    "DomainCompatibilityMode"=dword:00000001

Further resources

