Introduction
This page contains useful instructions on how to use Samba+LDAP.
It explains how to create a Windows NT-style PDC (Primary Domain Controller) on Ubuntu Server 8.04 and 10.04 for a network of clients running Windows XP Pro and Vista Ultimate/Business and (only for Ubuntu Server 10.04) Windows 7 Pro/Ultimate.
For a domain such as prova.it, the variables:
nome_vostro_dominio
ext_dominio
will be:
prova
it
Enter the password for the LDAP administrator when it is requested.
It is advisable not to exceed 5 alphanumeric characters.
The root passwords for LDAP and for smbpasswd must be the same.
Installation
During the procedure the following packages will be installed:
[apt://samba samba]
[apt://smbldap-tools smbldap-tools]
[apt://smbclient smbclient]
[apt://samba-common-bin samba-common-bin]
[apt://samba-doc samba-doc]
[apt://slapd slapd]
[apt://ldap-utils ldap-utils]
[apt://auth-client-config auth-client-config]
[apt://libpam-ldap libpam-ldap]
[apt://libnss-ldap libnss-ldap]
Note: the packages are installed in the appropriate section of this guide.
Configuring LDAP for Ubuntu Server 8.04
- Install the slapd and ldap-utils packages.
In a [:AmministrazioneSistema/RigaDiComando:terminal] type:
sudo apt-get install slapd ldap-utils
In a [:AmministrazioneSistema/RigaDiComando:terminal] type:
sudo dpkg-reconfigure slapd
Answer the questions asked by the configurator with the following values, in this order:
- No
- nome_vostro_dominio.com
- vostraorganizzazione
- enter the password chosen when LDAP was installed
- confirm the password
- OK
- HDB
- No
- Yes
- No
In a [:AmministrazioneSistema/RigaDiComando:terminal] type:
sudo /etc/init.d/slapd restart
In a [:AmministrazioneSistema/RigaDiComando:terminal] type:
sudo cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz /etc/ldap/schema/
sudo gzip -d /etc/ldap/schema/samba.schema.gz
Edit the file /etc/ldap/slapd.conf.
Add the following lines in the «include» section:
include /etc/ldap/schema/samba.schema
include /etc/ldap/schema/misc.schema
Add the following attributes to the line «access to attrs=userPassword...»:
sambaNTPassword,sambaLMPassword
Uncomment the following line, replacing nome_vostro_dominio and ext_dominio with the values appropriate for you:
rootdn "cn=admin,dc=nome_vostro_dominio,dc=ext_dominio"
and after it add the following, replacing paswd_di_ldap with the value appropriate for you:
rootpw "paswd_di_ldap"
Add the following lines in the «Indices to maintain for this database» section:
index objectClass eq,pres
index ou,cn,sn,mail,givenname eq,pres,sub
index uidNumber,gidNumber,memberUid eq,pres
index loginShell eq,pres
# I also added this line to stop warning in syslog ..
index uniqueMember eq,pres
# required to support pdb_getsampwnam
index uid pres,sub,eq
# required to support pdb_getsambapwrid()
index displayName pres,sub,eq
# These attributes don't exist in this database ..
#index nisMapName,nisMapEntry eq,pres,sub
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
In a [:AmministrazioneSistema/RigaDiComando:terminal] type:
sudo /etc/init.d/slapd stop
sudo slapindex
sudo chown openldap:openldap /var/lib/ldap/*
sudo /etc/init.d/slapd start
Configuring LDAP for Ubuntu Server 10.04
- Install the slapd and ldap-utils packages.
In a [:AmministrazioneSistema/RigaDiComando:terminal] type:
sudo apt-get install slapd ldap-utils
Create the file /etc/ldap/schema/samba.schema.
Insert the following:
##
## schema file for OpenLDAP 2.x
## Schema for storing Samba user accounts and group maps in LDAP
## OIDs are owned by the Samba Team
##
## Prerequisite schemas - uid (cosine.schema)
## - displayName (inetorgperson.schema)
## - gidNumber (nis.schema)
##
## 1.3.6.1.4.1.7165.2.1.x - attributetypes
## 1.3.6.1.4.1.7165.2.2.x - objectclasses
##
## Printer support
## 1.3.6.1.4.1.7165.2.3.1.x - attributetypes
## 1.3.6.1.4.1.7165.2.3.2.x - objectclasses
##
## Samba4
## 1.3.6.1.4.1.7165.4.1.x - attributetypes
## 1.3.6.1.4.1.7165.4.2.x - objectclasses
## 1.3.6.1.4.1.7165.4.3.x - LDB/LDAP Controls
## 1.3.6.1.4.1.7165.4.4.x - LDB/LDAP Extended Operations
## 1.3.6.1.4.1.7165.4.255.x - mapped OIDs due to conflicts between AD and standards-track
##
## ----- READ THIS WHEN ADDING A NEW ATTRIBUTE OR OBJECT CLASS ------
##
## Run the 'get_next_oid' bash script in this directory to find the
## next available OID for attribute type and object classes.
##
## $ ./get_next_oid
## attributetype ( 1.3.6.1.4.1.7165.2.1.XX NAME ....
## objectclass ( 1.3.6.1.4.1.7165.2.2.XX NAME ....
##
## Also ensure that new entries adhere to the declaration style
## used throughout this file
##
## <attributetype|objectclass> ( 1.3.6.1.4.1.7165.2.XX.XX NAME ....
## ^ ^ ^
##
## The spaces are required for the get_next_oid script (and for
## readability).
##
## ------------------------------------------------------------------

# objectIdentifier SambaRoot 1.3.6.1.4.1.7165
# objectIdentifier Samba3 SambaRoot:2
# objectIdentifier Samba3Attrib Samba3:1
# objectIdentifier Samba3ObjectClass Samba3:2
# objectIdentifier Samba4 SambaRoot:4

########################################################################
## HISTORICAL ##
########################################################################

##
## Password hashes
##
#attributetype ( 1.3.6.1.4.1.7165.2.1.1 NAME 'lmPassword' DESC 'LanManager Passwd' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )
#attributetype ( 1.3.6.1.4.1.7165.2.1.2 NAME 'ntPassword' DESC 'NT Passwd' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )

##
## Account flags in string format ([UWDX ])
##
#attributetype ( 1.3.6.1.4.1.7165.2.1.4 NAME 'acctFlags' DESC 'Account Flags' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16} SINGLE-VALUE )

##
## Password timestamps & policies
##
#attributetype ( 1.3.6.1.4.1.7165.2.1.3 NAME 'pwdLastSet' DESC 'NT pwdLastSet' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
#attributetype ( 1.3.6.1.4.1.7165.2.1.5 NAME 'logonTime' DESC 'NT logonTime' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
#attributetype ( 1.3.6.1.4.1.7165.2.1.6 NAME 'logoffTime' DESC 'NT logoffTime' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
#attributetype ( 1.3.6.1.4.1.7165.2.1.7 NAME 'kickoffTime' DESC 'NT kickoffTime' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
#attributetype ( 1.3.6.1.4.1.7165.2.1.8 NAME 'pwdCanChange' DESC 'NT pwdCanChange' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
#attributetype ( 1.3.6.1.4.1.7165.2.1.9 NAME 'pwdMustChange' DESC 'NT pwdMustChange' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

##
## string settings
##
#attributetype ( 1.3.6.1.4.1.7165.2.1.10 NAME 'homeDrive' DESC 'NT homeDrive' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{4} SINGLE-VALUE )
#attributetype ( 1.3.6.1.4.1.7165.2.1.11 NAME 'scriptPath' DESC 'NT scriptPath' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{255} SINGLE-VALUE )
#attributetype ( 1.3.6.1.4.1.7165.2.1.12 NAME 'profilePath' DESC 'NT profilePath' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{255} SINGLE-VALUE )
#attributetype ( 1.3.6.1.4.1.7165.2.1.13 NAME 'userWorkstations' DESC 'userWorkstations' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{255} SINGLE-VALUE )
#attributetype ( 1.3.6.1.4.1.7165.2.1.17 NAME 'smbHome' DESC 'smbHome' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )
#attributetype ( 1.3.6.1.4.1.7165.2.1.18 NAME 'domain' DESC 'Windows NT domain to which the user belongs' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )

##
## user and group RID
##
#attributetype ( 1.3.6.1.4.1.7165.2.1.14 NAME 'rid' DESC 'NT rid' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
#attributetype ( 1.3.6.1.4.1.7165.2.1.15 NAME 'primaryGroupID' DESC 'NT Group RID' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

##
## The smbPasswordEntry objectclass has been depreciated in favor of the
## sambaAccount objectclass
##
#objectclass ( 1.3.6.1.4.1.7165.2.2.1 NAME 'smbPasswordEntry' SUP top AUXILIARY DESC 'Samba smbpasswd entry' MUST ( uid $ uidNumber ) MAY ( lmPassword $ ntPassword $ pwdLastSet $ acctFlags ))
#objectclass ( 1.3.6.1.4.1.7165.2.2.2 NAME 'sambaAccount' SUP top STRUCTURAL DESC 'Samba Account' MUST ( uid $ rid ) MAY ( cn $ lmPassword $ ntPassword $ pwdLastSet $ logonTime $ logoffTime $ kickoffTime $ pwdCanChange $ pwdMustChange $ acctFlags $ displayName $ smbHome $ homeDrive $ scriptPath $ profilePath $ description $ userWorkstations $ primaryGroupID $ domain ))
#objectclass ( 1.3.6.1.4.1.7165.2.2.3 NAME 'sambaAccount' SUP top AUXILIARY DESC 'Samba Auxiliary Account' MUST ( uid $ rid ) MAY ( cn $ lmPassword $ ntPassword $ pwdLastSet $ logonTime $ logoffTime $ kickoffTime $ pwdCanChange $ pwdMustChange $ acctFlags $ displayName $ smbHome $ homeDrive $ scriptPath $ profilePath $ description $ userWorkstations $ primaryGroupID $ domain ))

########################################################################
## END OF HISTORICAL ##
########################################################################

#######################################################################
## Attributes used by Samba 3.0 schema ##
#######################################################################

##
## Password hashes
##
attributetype ( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword' DESC 'LanManager Password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.25 NAME 'sambaNTPassword' DESC 'MD4 hash of the unicode password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )

##
## Account flags in string format ([UWDX ])
##
attributetype ( 1.3.6.1.4.1.7165.2.1.26 NAME 'sambaAcctFlags' DESC 'Account Flags' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16} SINGLE-VALUE )

##
## Password timestamps & policies
##
attributetype ( 1.3.6.1.4.1.7165.2.1.27 NAME 'sambaPwdLastSet' DESC 'Timestamp of the last password update' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.28 NAME 'sambaPwdCanChange' DESC 'Timestamp of when the user is allowed to update the password' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.29 NAME 'sambaPwdMustChange' DESC 'Timestamp of when the password will expire' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.30 NAME 'sambaLogonTime' DESC 'Timestamp of last logon' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.31 NAME 'sambaLogoffTime' DESC 'Timestamp of last logoff' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.32 NAME 'sambaKickoffTime' DESC 'Timestamp of when the user will be logged off automatically' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.48 NAME 'sambaBadPasswordCount' DESC 'Bad password attempt count' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.49 NAME 'sambaBadPasswordTime' DESC 'Time of the last bad password attempt' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.55 NAME 'sambaLogonHours' DESC 'Logon Hours' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{42} SINGLE-VALUE )

##
## string settings
##
attributetype ( 1.3.6.1.4.1.7165.2.1.33 NAME 'sambaHomeDrive' DESC 'Driver letter of home directory mapping' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{4} SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.34 NAME 'sambaLogonScript' DESC 'Logon script path' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.35 NAME 'sambaProfilePath' DESC 'Roaming profile path' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.36 NAME 'sambaUserWorkstations' DESC 'List of user workstations the user is allowed to logon to' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.37 NAME 'sambaHomePath' DESC 'Home directory UNC path' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
attributetype ( 1.3.6.1.4.1.7165.2.1.38 NAME 'sambaDomainName' DESC 'Windows NT domain to which the user belongs' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
attributetype ( 1.3.6.1.4.1.7165.2.1.47 NAME 'sambaMungedDial' DESC 'Base64 encoded user parameter string' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} )
attributetype ( 1.3.6.1.4.1.7165.2.1.54 NAME 'sambaPasswordHistory' DESC 'Concatenated MD5 hashes of the salted NT passwords used on this account' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} )

##
## SID, of any type
##
attributetype ( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID' DESC 'Security ID' EQUALITY caseIgnoreIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )

##
## Primary group SID, compatible with ntSid
##
attributetype ( 1.3.6.1.4.1.7165.2.1.23 NAME 'sambaPrimaryGroupSID' DESC 'Primary Group Security ID' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.51 NAME 'sambaSIDList' DESC 'Security ID List' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} )

##
## group mapping attributes
##
attributetype ( 1.3.6.1.4.1.7165.2.1.19 NAME 'sambaGroupType' DESC 'NT Group Type' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

##
## Store info on the domain
##
attributetype ( 1.3.6.1.4.1.7165.2.1.21 NAME 'sambaNextUserRid' DESC 'Next NT rid to give our for users' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.22 NAME 'sambaNextGroupRid' DESC 'Next NT rid to give out for groups' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.39 NAME 'sambaNextRid' DESC 'Next NT rid to give out for anything' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.40 NAME 'sambaAlgorithmicRidBase' DESC 'Base at which the samba RID generation algorithm should operate' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.41 NAME 'sambaShareName' DESC 'Share Name' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.42 NAME 'sambaOptionName' DESC 'Option Name' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
attributetype ( 1.3.6.1.4.1.7165.2.1.43 NAME 'sambaBoolOption' DESC 'A boolean option' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.44 NAME 'sambaIntegerOption' DESC 'An integer option' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.45 NAME 'sambaStringOption' DESC 'A string option' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.46 NAME 'sambaStringListOption' DESC 'A string list option' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

##attributetype ( 1.3.6.1.4.1.7165.2.1.50 NAME 'sambaPrivName' SUP name )
##attributetype ( 1.3.6.1.4.1.7165.2.1.52 NAME 'sambaPrivilegeList' DESC 'Privileges List' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} )

attributetype ( 1.3.6.1.4.1.7165.2.1.53 NAME 'sambaTrustFlags' DESC 'Trust Password Flags' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

# "min password length"
attributetype ( 1.3.6.1.4.1.7165.2.1.58 NAME 'sambaMinPwdLength' DESC 'Minimal password length (default: 5)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

# "password history"
attributetype ( 1.3.6.1.4.1.7165.2.1.59 NAME 'sambaPwdHistoryLength' DESC 'Length of Password History Entries (default: 0 => off)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

# "user must logon to change password"
attributetype ( 1.3.6.1.4.1.7165.2.1.60 NAME 'sambaLogonToChgPwd' DESC 'Force Users to logon for password change (default: 0 => off, 2 => on)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

# "maximum password age"
attributetype ( 1.3.6.1.4.1.7165.2.1.61 NAME 'sambaMaxPwdAge' DESC 'Maximum password age, in seconds (default: -1 => never expire passwords)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

# "minimum password age"
attributetype ( 1.3.6.1.4.1.7165.2.1.62 NAME 'sambaMinPwdAge' DESC 'Minimum password age, in seconds (default: 0 => allow immediate password change)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

# "lockout duration"
attributetype ( 1.3.6.1.4.1.7165.2.1.63 NAME 'sambaLockoutDuration' DESC 'Lockout duration in minutes (default: 30, -1 => forever)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

# "reset count minutes"
attributetype ( 1.3.6.1.4.1.7165.2.1.64 NAME 'sambaLockoutObservationWindow' DESC 'Reset time after lockout in minutes (default: 30)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

# "bad lockout attempt"
attributetype ( 1.3.6.1.4.1.7165.2.1.65 NAME 'sambaLockoutThreshold' DESC 'Lockout users after bad logon attempts (default: 0 => off)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

# "disconnect time"
attributetype ( 1.3.6.1.4.1.7165.2.1.66 NAME 'sambaForceLogoff' DESC 'Disconnect Users outside logon hours (default: -1 => off, 0 => on)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

# "refuse machine password change"
attributetype ( 1.3.6.1.4.1.7165.2.1.67 NAME 'sambaRefuseMachinePwdChange' DESC 'Allow Machine Password changes (default: 0 => off)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

#
attributetype ( 1.3.6.1.4.1.7165.2.1.68 NAME 'sambaClearTextPassword' DESC 'Clear text password (used for trusted domain passwords)' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )

#
attributetype ( 1.3.6.1.4.1.7165.2.1.69 NAME 'sambaPreviousClearTextPassword' DESC 'Previous clear text password (used for trusted domain passwords)' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )

#######################################################################
## objectClasses used by Samba 3.0 schema ##
#######################################################################

## The X.500 data model (and therefore LDAPv3) says that each entry can
## only have one structural objectclass. OpenLDAP 2.0 does not enforce
## this currently but will in v2.1
##
## added new objectclass (and OID) for 3.0 to help us deal with backwards
## compatibility with 2.2 installations (e.g. ldapsam_compat) --jerry
##
objectclass ( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY DESC 'Samba 3.0 Auxilary SAM Account' MUST ( uid $ sambaSID ) MAY ( cn $ sambaLMPassword $ sambaNTPassword $ sambaPwdLastSet $ sambaLogonTime $ sambaLogoffTime $ sambaKickoffTime $ sambaPwdCanChange $ sambaPwdMustChange $ sambaAcctFlags $ displayName $ sambaHomePath $ sambaHomeDrive $ sambaLogonScript $ sambaProfilePath $ description $ sambaUserWorkstations $ sambaPrimaryGroupSID $ sambaDomainName $ sambaMungedDial $ sambaBadPasswordCount $ sambaBadPasswordTime $ sambaPasswordHistory $ sambaLogonHours))

##
## Group mapping info
##
objectclass ( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' SUP top AUXILIARY DESC 'Samba Group Mapping' MUST ( gidNumber $ sambaSID $ sambaGroupType ) MAY ( displayName $ description $ sambaSIDList ))

##
## Trust password for trust relationships (any kind)
##
objectclass ( 1.3.6.1.4.1.7165.2.2.14 NAME 'sambaTrustPassword' SUP top STRUCTURAL DESC 'Samba Trust Password' MUST ( sambaDomainName $ sambaNTPassword $ sambaTrustFlags ) MAY ( sambaSID $ sambaPwdLastSet ))

##
## Trust password for trusted domains
## (to be stored beneath the trusting sambaDomain object in the DIT)
##
objectclass ( 1.3.6.1.4.1.7165.2.2.15 NAME 'sambaTrustedDomainPassword' SUP top STRUCTURAL DESC 'Samba Trusted Domain Password' MUST ( sambaDomainName $ sambaSID $ sambaClearTextPassword $ sambaPwdLastSet ) MAY ( sambaPreviousClearTextPassword ))

##
## Whole-of-domain info
##
objectclass ( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' SUP top STRUCTURAL DESC 'Samba Domain Information' MUST ( sambaDomainName $ sambaSID ) MAY ( sambaNextRid $ sambaNextGroupRid $ sambaNextUserRid $ sambaAlgorithmicRidBase $ sambaMinPwdLength $ sambaPwdHistoryLength $ sambaLogonToChgPwd $ sambaMaxPwdAge $ sambaMinPwdAge $ sambaLockoutDuration $ sambaLockoutObservationWindow $ sambaLockoutThreshold $ sambaForceLogoff $ sambaRefuseMachinePwdChange ))

##
## used for idmap_ldap module
##
objectclass ( 1.3.6.1.4.1.7165.2.2.7 NAME 'sambaUnixIdPool' SUP top AUXILIARY DESC 'Pool for allocating UNIX uids/gids' MUST ( uidNumber $ gidNumber ) )
objectclass ( 1.3.6.1.4.1.7165.2.2.8 NAME 'sambaIdmapEntry' SUP top AUXILIARY DESC 'Mapping from a SID to an ID' MUST ( sambaSID ) MAY ( uidNumber $ gidNumber ) )
objectclass ( 1.3.6.1.4.1.7165.2.2.9 NAME 'sambaSidEntry' SUP top STRUCTURAL DESC 'Structural Class for a SID' MUST ( sambaSID ) )
objectclass ( 1.3.6.1.4.1.7165.2.2.10 NAME 'sambaConfig' SUP top AUXILIARY DESC 'Samba Configuration Section' MAY ( description ) )
objectclass ( 1.3.6.1.4.1.7165.2.2.11 NAME 'sambaShare' SUP top STRUCTURAL DESC 'Samba Share Section' MUST ( sambaShareName ) MAY ( description ) )
objectclass ( 1.3.6.1.4.1.7165.2.2.12 NAME 'sambaConfigOption' SUP top STRUCTURAL DESC 'Samba Configuration Option' MUST ( sambaOptionName ) MAY ( sambaBoolOption $ sambaIntegerOption $ sambaStringOption $ sambaStringListoption $ description ) )

## retired during privilege rewrite
##objectclass ( 1.3.6.1.4.1.7165.2.2.13 NAME 'sambaPrivilege' SUP top AUXILIARY DESC 'Samba Privilege' MUST ( sambaSID ) MAY ( sambaPrivilegeList ) )
Create the file /etc/ldap/schema/samba.ldif.
Insert the following:
dn: cn=samba,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: samba
olcAttributeTypes: {0}( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword' DESC 'LanManager Password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )
olcAttributeTypes: {1}( 1.3.6.1.4.1.7165.2.1.25 NAME 'sambaNTPassword' DESC 'MD4 hash of the unicode password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )
olcAttributeTypes: {2}( 1.3.6.1.4.1.7165.2.1.26 NAME 'sambaAcctFlags' DESC 'Account Flags' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16} SINGLE-VALUE )
olcAttributeTypes: {3}( 1.3.6.1.4.1.7165.2.1.27 NAME 'sambaPwdLastSet' DESC 'Timestamp of the last password update' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {4}( 1.3.6.1.4.1.7165.2.1.28 NAME 'sambaPwdCanChange' DESC 'Timestamp of when the user is allowed to update the password' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {5}( 1.3.6.1.4.1.7165.2.1.29 NAME 'sambaPwdMustChange' DESC 'Timestamp of when the password will expire' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {6}( 1.3.6.1.4.1.7165.2.1.30 NAME 'sambaLogonTime' DESC 'Timestamp of last logon' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {7}( 1.3.6.1.4.1.7165.2.1.31 NAME 'sambaLogoffTime' DESC 'Timestamp of last logoff' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {8}( 1.3.6.1.4.1.7165.2.1.32 NAME 'sambaKickoffTime' DESC 'Timestamp of when the user will be logged off automatically' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {9}( 1.3.6.1.4.1.7165.2.1.48 NAME 'sambaBadPasswordCount' DESC 'Bad password attempt count' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {10}( 1.3.6.1.4.1.7165.2.1.49 NAME 'sambaBadPasswordTime' DESC 'Time of the last bad password attempt' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {11}( 1.3.6.1.4.1.7165.2.1.55 NAME 'sambaLogonHours' DESC 'Logon Hours' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{42} SINGLE-VALUE )
olcAttributeTypes: {12}( 1.3.6.1.4.1.7165.2.1.33 NAME 'sambaHomeDrive' DESC 'Driver letter of home directory mapping' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{4} SINGLE-VALUE )
olcAttributeTypes: {13}( 1.3.6.1.4.1.7165.2.1.34 NAME 'sambaLogonScript' DESC 'Logon script path' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )
olcAttributeTypes: {14}( 1.3.6.1.4.1.7165.2.1.35 NAME 'sambaProfilePath' DESC 'Roaming profile path' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )
olcAttributeTypes: {15}( 1.3.6.1.4.1.7165.2.1.36 NAME 'sambaUserWorkstations' DESC 'List of user workstations the user is allowed to logon to' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )
olcAttributeTypes: {16}( 1.3.6.1.4.1.7165.2.1.37 NAME 'sambaHomePath' DESC 'Home directory UNC path' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
olcAttributeTypes: {17}( 1.3.6.1.4.1.7165.2.1.38 NAME 'sambaDomainName' DESC 'Windows NT domain to which the user belongs' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
olcAttributeTypes: {18}( 1.3.6.1.4.1.7165.2.1.47 NAME 'sambaMungedDial' DESC 'Base64 encoded user parameter string' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} )
olcAttributeTypes: {19}( 1.3.6.1.4.1.7165.2.1.54 NAME 'sambaPasswordHistory' DESC 'Concatenated MD5 hashes of the salted NT passwords used on this account' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} )
olcAttributeTypes: {20}( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID' DESC 'Security ID' EQUALITY caseIgnoreIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
olcAttributeTypes: {21}( 1.3.6.1.4.1.7165.2.1.23 NAME 'sambaPrimaryGroupSID' DESC 'Primary Group Security ID' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
olcAttributeTypes: {22}( 1.3.6.1.4.1.7165.2.1.51 NAME 'sambaSIDList' DESC 'Security ID List' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} )
olcAttributeTypes: {23}( 1.3.6.1.4.1.7165.2.1.19 NAME 'sambaGroupType' DESC 'NT Group Type' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {24}( 1.3.6.1.4.1.7165.2.1.21 NAME 'sambaNextUserRid' DESC 'Next NT rid to give our for users' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {25}( 1.3.6.1.4.1.7165.2.1.22 NAME 'sambaNextGroupRid' DESC 'Next NT rid to give out for groups' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {26}( 1.3.6.1.4.1.7165.2.1.39 NAME 'sambaNextRid' DESC 'Next NT rid to give out for anything' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {27}( 1.3.6.1.4.1.7165.2.1.40 NAME 'sambaAlgorithmicRidBase' DESC 'Base at which the samba RID generation algorithm should operate' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {28}( 1.3.6.1.4.1.7165.2.1.41 NAME 'sambaShareName' DESC 'Share Name' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {29}( 1.3.6.1.4.1.7165.2.1.42 NAME 'sambaOptionName' DESC 'Option Name' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
olcAttributeTypes: {30}( 1.3.6.1.4.1.7165.2.1.43 NAME 'sambaBoolOption' DESC 'A boolean option' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: {31}( 1.3.6.1.4.1.7165.2.1.44 NAME 'sambaIntegerOption' DESC 'An integer option' EQUALITY integerMatch SYNTA1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {32}( 1.3.6.1.4.1.7165.2.1.45 NAME 'sambaStringOption' DESC 'A string option' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {33}( 1.3.6.1.4.1.7165.2.1.46 NAME 'sambaStringListOption' DESC 'A string list option' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {34}( 1.3.6.1.4.1.7165.2.1.53 NAME 'sambaTrustFlags' DESC 'Trust Password Flags' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {35}( 1.3.6.1.4.1.7165.2.1.58 NAME 'sambaMinPwdLength' DESC 'Minimal password length (default: 5)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {36}( 1.3.6.1.4.1.7165.2.1.59 NAME 'sambaPwdHistoryLength' DESC 'Length of Password History Entries (default: 0 => off)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {37}( 1.3.6.1.4.1.7165.2.1.60 NAME 'sambaLogonToChgPwd' DESC 'Force Users to logon for password change (default: 0 => off, 2 => on)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {38}( 1.3.6.1.4.1.7165.2.1.61 NAME 'sambaMaxPwdAge' DESC 'Maximum password age, in seconds (default: -1 => never expire passwords)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {39}( 1.3.6.1.4.1.7165.2.1.62 NAME 'sambaMinPwdAge' DESC 'Minimum password age, in seconds (default: 0 => allow immediate password change)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {40}( 1.3.6.1.4.1.7165.2.1.63 NAME 'sambaLockoutDuration' DESC 'Lockout duration in minutes (default: 30, -1 => forever)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {41}( 1.3.6.1.4.1.7165.2.1.64 NAME 'sambaLockoutObservationWindow' DESC 'Reset time after lockout in minutes (default: 30)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {42}( 1.3.6.1.4.1.7165.2.1.65 NAME 'sambaLockoutThreshold' DESC 'Lockout users after bad logon attempts (default: 0 => off)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {43}( 1.3.6.1.4.1.7165.2.1.66 NAME 'sambaForceLogoff' DESC 'Disconnect Users outside logon hours (default: -1 => off, 0 => on)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {44}( 1.3.6.1.4.1.7165.2.1.67 NAME 'sambaRefuseMachinePwdChange' DESC 'Allow Machine Password changes (default: 0 => off)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {45}( 1.3.6.1.4.1.7165.2.1.68 NAME 'sambaClearTextPassword' DESC 'Clear text password (used for trusted domain passwords)' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
olcAttributeTypes: {46}( 1.3.6.1.4.1.7165.2.1.69 NAME 'sambaPreviousClearTextPassword' DESC 'Previous clear text password (used for trusted domain passwords)' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
olcObjectClasses: {0}( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' DESC 'Samba 3.0 Auxilary SAM Account' SUP top AUXILIARY MUST ( uid $ sambaSID ) MAY ( cn $ sambaLMPassword $ sambaNTPassword $ sambaPwdLastSet $ sambaLogonTime $ sambaLogoffTime $ sambaKickoffTime $ sambaPwdCanChange $ sambaPwdMustChange $ sambaAcctFlags $ displayName $ sambaHomePath $ sambaHomeDrive $ sambaLogonScript $ sambaProfilePath $ description $ sambaUserWorkstations $ sambaPrimaryGroupSID $ sambaDomainName $ sambaMungedDial $ sambaBadPasswordCount $ sambaBadPasswordTime $ sambaPasswordHistory $ sambaLogonHours ) )
olcObjectClasses: {1}( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' DESC 'Samba Group Mapping' SUP top AUXILIARY MUST ( gidNumber $ sambaSID $ sambaGroupType ) MAY ( displayName $ description $ sambaSIDList ) )
olcObjectClasses: {2}( 1.3.6.1.4.1.7165.2.2.14 NAME 'sambaTrustPassword' DESC 'Samba Trust Password' SUP top STRUCTURAL MUST ( sambaDomainName $ sambaNTPassword $ sambaTrustFlags ) MAY ( sambaSID $ sambaPwdLastSet ) )
olcObjectClasses: {3}( 1.3.6.1.4.1.7165.2.2.15 NAME 'sambaTrustedDomainPassword' DESC 'Samba Trusted Domain Password' SUP top STRUCTURAL MUST ( sambaDomainName $ sambaSID $ sambaClearTextPassword $ sambaPwdLastSet ) MAY sambaPreviousClearTextPassword )
olcObjectClasses: {4}( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' DESC 'Samba Domain Information' SUP top STRUCTURAL MUST ( sambaDomainName $ sambaSID ) MAY ( sambaNextRid $ sambaNextGroupRid $ sambaNextUserRid $ sambaAlgorithmicRidBase $ sambaMinPwdLength $ sambaPwdHistoryLength $ sambaLogonToChgPwd $ sambaMaxPwdAge $ sambaMinPwdAge $ sambaLockoutDuration $ sambaLockoutObservationWindow $ sambaLockoutThreshold $ sambaForceLogoff $ sambaRefuseMachinePwdChange ) )
olcObjectClasses: {5}( 1.3.6.1.4.1.7165.2.2.7 NAME 'sambaUnixIdPool' DESC 'Pool for allocating UNIX uids/gids' SUP top AUXILIARY MUST ( uidNumber $ gidNumber ) )
olcObjectClasses: {6}( 1.3.6.1.4.1.7165.2.2.8 NAME 'sambaIdmapEntry' DESC 'Mapping from a SID to an ID' SUP top AUXILIARY MUST sambaSID MAY ( uidNumber $ gidNumber ) )
olcObjectClasses: {7}( 1.3.6.1.4.1.7165.2.2.9 NAME 'sambaSidEntry' DESC 'Structural Class for a SID' SUP top STRUCTURAL MUST sambaSID )
olcObjectClasses: {8}( 1.3.6.1.4.1.7165.2.2.10 NAME 'sambaConfig' DESC 'Samba Configuration Section' SUP top AUXILIARY MAY description )
olcObjectClasses: {9}( 1.3.6.1.4.1.7165.2.2.11 NAME 'sambaShare' DESC 'Samba Share Section' SUP top STRUCTURAL MUST sambaShareName MAY description )
olcObjectClasses: {10}( 1.3.6.1.4.1.7165.2.2.12 NAME 'sambaConfigOption' DESC 'Samba Configuration Option' SUP top STRUCTURAL MUST sambaOptionName MAY ( sambaBoolOption $ sambaIntegerOption $ sambaStringOption $ sambaStringListoption $ description ) )
In a [:AmministrazioneSistema/RigaDiComando:terminal], type:
sudo ls /etc/ldap/schema/*.ldif | xargs -I {} sudo ldapadd -Y EXTERNAL -H ldapi:/// -f {}
Create the file /etc/ldap/schema/db.ldif.
Insert the following, replacing nome_vostro_dominio, ext_dominio and ROOT_PASSWD with the values appropriate for you:
# Load dynamic backend modules
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
olcModuleload: back_hdb

# Create the database
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=nome_vostro_dominio,dc=ext_dominio
olcRootDN: cn=admin,dc=nome_vostro_dominio,dc=ext_dominio
olcRootPW: ROOT_PASSWD
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,sn,mail,givenname eq,pres,sub
olcDbIndex: uidNumber,gidNumber,memberUid eq,pres
olcDbIndex: loginShell eq,pres
# I also added this line to stop warning in syslog ..
olcDbIndex: uniqueMember eq,pres
## required to support pdb_getsampwnam
olcDbIndex: uid pres,sub,eq
## required to support pdb_getsambapwrid()
olcDbIndex: displayName pres,sub,eq
# These attributes don't exist in this database ..
#olcDbIndex: nisMapName,nisMapEntry eq,pres,sub
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaGroupType eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sambaDomainName eq
olcDbIndex: default sub
#olcAccess: to attrs=userPassword,sambaNTPassword,sambaLMPassword
#  by dn="cn=admin,dc=nome_vostro_dominio,dc=ext_dominio" write
#  by anonymous auth
#  by self write
#  by * none
#olcAccess: to dn.base="" by * read
#olcAccess: to *
#  by dn="cn=admin,dc=nome_vostro_dominio,dc=ext_dominio" write
#  by * read
Create the file /etc/ldap/schema/config.ldif.
Insert the following, replacing ROOT_PASSWD with the value appropriate for you:
#dn: cn=config
#changetype: modify
#delete: olcAuthzRegexp

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
delete: olcAccess

#dn: olcDatabase={0}config,cn=config
#changetype: modify
#delete: olcRootDN

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootDN
olcRootDN: cn=admin,cn=config

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: ROOT_PASSWD

dn: olcDatabase={0}config,cn=config
changetype: modify
delete: olcAccess
Create the file /etc/ldap/schema/base.ldif.
Insert the following, replacing nome_vostro_dominio and ext_dominio with the values appropriate for you:
dn: dc=nome_vostro_dominio,dc=ext_dominio
dc: nome_vostro_dominio
objectClass: top
objectClass: domain

dn: ou=Hosts,dc=nome_vostro_dominio,dc=ext_dominio
ou: Hosts
objectClass: top
objectClass: organizationalUnit

dn: ou=Rpc,dc=nome_vostro_dominio,dc=ext_dominio
ou: Rpc
objectClass: top
objectClass: organizationalUnit

dn: ou=Services,dc=nome_vostro_dominio,dc=ext_dominio
ou: Services
objectClass: top
objectClass: organizationalUnit

dn: nisMapName=netgroup.byuser,dc=nome_vostro_dominio,dc=ext_dominio
nismapname: netgroup.byuser
objectClass: top
objectClass: nisMap

dn: ou=Mounts,dc=nome_vostro_dominio,dc=ext_dominio
ou: Mounts
objectClass: top
objectClass: organizationalUnit

dn: ou=Networks,dc=nome_vostro_dominio,dc=ext_dominio
ou: Networks
objectClass: top
objectClass: organizationalUnit

dn: ou=People,dc=nome_vostro_dominio,dc=ext_dominio
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=nome_vostro_dominio,dc=ext_dominio
ou: Group
objectClass: top
objectClass: organizationalUnit

dn: ou=Netgroup,dc=nome_vostro_dominio,dc=ext_dominio
ou: Netgroup
objectClass: top
objectClass: organizationalUnit

dn: ou=Protocols,dc=nome_vostro_dominio,dc=ext_dominio
ou: Protocols
objectClass: top
objectClass: organizationalUnit

dn: ou=Aliases,dc=nome_vostro_dominio,dc=ext_dominio
ou: Aliases
objectClass: top
objectClass: organizationalUnit

dn: nisMapName=netgroup.byhost,dc=nome_vostro_dominio,dc=ext_dominio
nismapname: netgroup.byhost
objectClass: top
objectClass: nisMap
Create the file /etc/ldap/schema/acl.ldif.
Insert the following, replacing nome_vostro_dominio and ext_dominio with the values appropriate for you:
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: to attrs=userPassword,sambaNTPassword,sambaLMPassword
  by dn="cn=admin,dc=nome_vostro_dominio,dc=ext_dominio" write
  by anonymous auth
  by self write
  by * none
olcAccess: to dn.base="" by * read
olcAccess: to *
  by dn="cn=admin,dc=nome_vostro_dominio,dc=ext_dominio" write
  by * read
In a [:AmministrazioneSistema/RigaDiComando:terminal], type:
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/db.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/config.ldif
sudo ldapadd -a -W -x -D "cn=admin,dc=nome_vostro_dominio,dc=ext_dominio" -f /etc/ldap/schema/base.ldif
sudo ldapadd -a -W -x -D "cn=admin,dc=nome_vostro_dominio,dc=ext_dominio" -f /etc/ldap/schema/acl.ldif
sudo /etc/init.d/slapd stop
sudo slapindex
sudo chown openldap:openldap /var/lib/ldap/*
sudo /etc/init.d/slapd start
Configure SAMBA
- Install the packages samba samba-common smbclient samba-common-bin.
In a [:AmministrazioneSistema/RigaDiComando:terminal], type:
sudo apt-get install samba samba-common smbclient samba-common-bin
Make a copy of the file /etc/samba/smb.conf.
Edit the file /etc/samba/smb.conf.
3.1 Edit the ###Global Settings### section.
Add or modify the following lines, changing 10.5.5.0/24 to the IP range of your LAN:
workgroup = nome_vostro_dominio
# netbios name string
netbios name = server
# security
hosts allow = 127.0.0.1 10.5.5.0/24
hosts deny = 0.0.0.0/0
# server string is the equivalent of the NT Description field
server string =
3.1.1 For Ubuntu 10.04 add the following line:
ldap ssl = no
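As an added example (not from the guide), the following Python function applies the precedence documented in smb.conf(5) for hosts allow and hosts deny (allow list first, then deny list, otherwise accept) to the values above, so you can see which client addresses the PDC will answer and what changes if one of the two lines is left out. It handles only plain addresses and CIDR networks, and assumes Samba accepts the 0.0.0.0/0 form used in the guide.

```python
import ipaddress

# Values from the guide's Global Settings (10.5.5.0/24 stands for your LAN).
HOSTS_ALLOW = "127.0.0.1 10.5.5.0/24"
HOSTS_DENY = "0.0.0.0/0"

def in_list(list_value, client):
    """True if `client` is covered by an entry of a hosts allow/deny value.
    Only plain addresses and CIDR networks are handled; hostnames, netmask
    notation and EXCEPT (also accepted by Samba) are not modelled here."""
    addr = ipaddress.ip_address(client)
    return any(addr in ipaddress.ip_network(e, strict=False)
               for e in list_value.split())

def client_allowed(client, hosts_allow=HOSTS_ALLOW, hosts_deny=HOSTS_DENY):
    """Decide as smb.conf(5) documents: with only hosts allow set, just the
    listed hosts get in; with only hosts deny set, everyone but the listed
    hosts; with both, the allow list wins, then the deny list, and anything
    left is accepted. An empty string means the parameter is not set.
    (Samba's extra leniency for 127.0.0.1 is not modelled.)"""
    allow_set, deny_set = bool(hosts_allow.split()), bool(hosts_deny.split())
    if not allow_set and not deny_set:
        return True                      # neither set: open to every host
    if not deny_set:
        return in_list(hosts_allow, client)       # allow-only: listed hosts only
    if not allow_set:
        return not in_list(hosts_deny, client)    # deny-only: all but listed
    if in_list(hosts_allow, client):
        return True                      # allow list takes precedence
    if in_list(hosts_deny, client):
        return False
    return True                          # on neither list: accepted
```

With the guide's two lines a LAN client is accepted and any other address is refused; dropping hosts allow while keeping hosts deny = 0.0.0.0/0 locks out the LAN as well.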
3.2 Edit the ###Networking### section. Add or modify the following lines, changing 10.5.5.1/24 to the IP of the server's network card facing the LAN:
interfaces = 127.0.0.1 10.5.5.1/24
bind interfaces only = true
3.3 Edit the ####authentication##### section. Add or modify the following lines as shown, replacing nome_vostro_dominio and ext_dominio with the values appropriate for you and respecting capitalisation where necessary:
security = user
encrypt passwords = true
passdb backend = ldapsam:ldap://localhost/
obey pam restrictions = no
###############################################################
#COPY AND PASTE THE FOLLOWING UNDERNEATH "OBEY PAM RESTRICTIONS = NO"
###############################################################
# Begin: Custom LDAP Entries
ldap admin dn = cn=admin,dc=nome_vostro_dominio,dc=ext_dominio
ldap suffix = dc=nome_vostro_dominio, dc=ext_dominio
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Users
; Do ldap passwd sync
ldap passwd sync = Yes
passwd program = /usr/sbin/smbldap-passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
add user script = /usr/sbin/smbldap-useradd -m "%u"
ldap delete dn = Yes
delete user script = /usr/sbin/smbldap-userdel "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
####################################################
#STOP COPYING HERE!
#####################################################
;invalid users = root
;Unix password sync=yes
3.4 Edit the ####Domains##### section. Add or modify the following lines:
os level = 255
domain master = yes
domain logons = yes
preferred master = yes
logon path = \\%L\profiles\%U
logon drive = Z:
logon home = \\%L\%U
logon script = %U.cmd
3.4.1 Modify the following parameter if you want to disable roaming profiles:
logon path =
3.5 Edit the following shares according to your needs:
[Profile]
[home]
[netlogon]
In a [:AmministrazioneSistema/RigaDiComando:terminal], type:
sudo /etc/init.d/samba restart
sudo smbpasswd -w "passwd ldap"
Configure the SMBLDAP-TOOLS package
- Install the package smbldap-tools.
In a [:AmministrazioneSistema/RigaDiComando:terminal], type:
sudo apt-get install smbldap-tools
In a [:AmministrazioneSistema/RigaDiComando:terminal], type:
cd /usr/share/doc/smbldap-tools/examples/
sudo cp smbldap_bind.conf /etc/smbldap-tools/
sudo cp smbldap.conf.gz /etc/smbldap-tools/
sudo gzip -d /etc/smbldap-tools/smbldap.conf.gz
In a [:AmministrazioneSistema/RigaDiComando:terminal], type:
sudo net getlocalsid
Edit the file /etc/smbldap-tools/smbldap.conf.
Add or modify the following lines as shown, changing the value of the SID parameter to the one obtained with the net getlocalsid command. Also change nome_vostro_dominio and ext_dominio to the values appropriate for you; the value of the sambaDomainName parameter must be written in uppercase.
SID="S-1-5-21-949328747-3404738746-3052206637"
sambaDomain="nome_vostro_dominio"
ldapTLS="0"
suffix="dc=nome_vostro_dominio,dc=ext_dominio"
sambaUnixIdPooldn="sambaDomainName=nome_vostro_dominio,${suffix}"
userSmbHome=
userProfile=
userHomeDrive=
userScript=
mailDomain="nome_vostro_dominio.ext_dominio"
Edit the file /etc/smbldap-tools/smbldap_bind.conf.
Add or modify the following lines as shown, replacing nome_vostro_dominio and ext_dominio with the values appropriate for you:
slaveDN="cn=admin,dc=nome_vostro_dominio,dc=ext_dominio"
slavePw="passwd di ldap"
masterDN="cn=admin,dc=nome_vostro_dominio,dc=ext_dominio"
masterPw="passwd di ldap"
In a [:AmministrazioneSistema/RigaDiComando:terminal], type:
sudo chmod 0644 /etc/smbldap-tools/smbldap.conf
sudo chmod 0600 /etc/smbldap-tools/smbldap_bind.conf
Configure the server to use LDAP authentication.
- Install the packages auth-client-config libpam-ldap libnss-ldap.
In a [:AmministrazioneSistema/RigaDiComando:terminal], type:
sudo apt-get install auth-client-config libpam-ldap libnss-ldap
Answer the questions asked by the configurator as follows and in the following order, replacing nome_vostro_dominio and ext_dominio with the values appropriate for you:
Yes
LDAP server Uniform Resource Identifier: ldap://127.0.0.1
Distinguished name of the search base: dc=nome_vostro_dominio,dc=ext_dominio
LDAP version to use: 3
Make local root Database admin: Yes
Does the LDAP database require login? No
LDAP account for root: cn=admin,dc=nome_vostro_dominio,dc=ext_dominio
LDAP root account password: the LDAP password
Edit the file /etc/ldap.conf.
Add or modify the following lines as shown, replacing nome_vostro_dominio and ext_dominio with the values appropriate for you:
host 127.0.0.1
base dc=nome_vostro_dominio,dc=ext_dominio
uri ldap://127.0.0.1
rootbinddn cn=admin,dc=nome_vostro_dominio,dc=ext_dominio
bind_policy soft
Note: the file contains a line uri ldapi://.... generated by the LDAP configurator; it must be commented out.
In a [:AmministrazioneSistema/RigaDiComando:terminal], type:
sudo cp /etc/ldap.conf /etc/ldap/ldap.conf
Create the file /etc/auth-client-config/profile.d/open_ldap.
Insert the following, without blank lines between the lines:
[open_ldap]
nss_passwd=passwd: compat ldap
nss_group=group: compat ldap
nss_shadow=shadow: compat ldap
pam_auth=auth required pam_env.so
	auth sufficient pam_unix.so likeauth nullok
	auth sufficient pam_ldap.so use_first_pass
	auth required pam_deny.so
pam_account=account sufficient pam_unix.so
	account sufficient pam_ldap.so
	account required pam_deny.so
pam_password=password sufficient pam_unix.so nullok md5 shadow use_authtok
	password sufficient pam_ldap.so use_first_pass
	password required pam_deny.so
pam_session=session required pam_limits.so
	session required pam_mkhomedir.so skel=/etc/skel/
	session required pam_unix.so
	session optional pam_ldap.so
In a [:AmministrazioneSistema/RigaDiComando:terminal], type:
sudo cp /etc/nsswitch.conf /etc/nsswitch.conf.original
cd /etc/pam.d/
sudo mkdir bkup
sudo cp * bkup/
Enable the new LDAP Authentication Profile
In a [:AmministrazioneSistema/RigaDiComando:terminal], type:
sudo auth-client-config -a -p open_ldap
sudo reboot
Populate the LDAP database using smbldap-tools
In a [:AmministrazioneSistema/RigaDiComando:terminal], type:
sudo smbldap-populate -u 30000 -g 30000
- When asked for the root password, give the LDAP one (max length 5).
Add the samba/unix users and assign them the desired password
In a [:AmministrazioneSistema/RigaDiComando:terminal], type:
sudo smbldap-useradd -a -m -s /bin/false -c "Richard M" -P ricky
If you want a user to be a domain administrator and an administrator on their own Windows PC, run instead:
sudo smbldap-useradd -a -m -s /bin/false -c "Richard M" -g "Domain Admins" -P ricky
Create the profile and netlogon folders
In a [:AmministrazioneSistema/RigaDiComando:terminal], type:
sudo mkdir /var/lib/samba/profiles
sudo mkdir /var/lib/samba/netlogon
sudo chmod -R 1757 /var/lib/samba/profiles
sudo chmod -R 775 /var/lib/samba/netlogon
# Note: the path /var/lib/samba is arbitrary, and is the default one.
# CHECK THAT THE NETLOGON FILES ARE READABLE BY EVERYONE.
Join the client to the domain
- To join a client to the domain, refer to the help of your operating system for the correct procedure to follow.
- When joining the client to the domain you will be asked to enter a user and a password.
The user will be root and the password the one used for this user in the guide.
Firewall changes
- If a firewall is active on the server, the following incoming ports must be opened on the server's network card facing the LAN.
If you use iptables and the network card is eth0, the lines to insert will be, for example:
iptables -A INPUT -p UDP -i eth0 --dport 137 -j ACCEPT
iptables -A INPUT -p UDP -i eth0 --dport 138 -j ACCEPT
iptables -A INPUT -p TCP -i eth0 --dport 135 -j ACCEPT
iptables -A INPUT -p TCP -i eth0 --dport 139 -j ACCEPT
iptables -A INPUT -p TCP -i eth0 --dport 445 -j ACCEPT
Further resources
[http://www.howtoforge.com/openldap-samba-domain-controller-ubuntu7.10-p2];
[http://help.ubuntu-it.org/10.04/ubuntu/serverguide/it/samba-ldap.html];
[http://help.ubuntu-it.org/10.04/ubuntu/serverguide/it/openldap-server.html#openldap-configuration];