#format wiki #language it BR Indice(depth=1)

Introduzine

In questa pagina ci sono delle istruzioni utili su come utilizzare Samba+Ldap.

Verrà spiegato come creare un PDC (PrimaryDomainController) su Ubuntu Server 8.04 e 10.04 per una rete di client con SO Windows Xp Pro e Vista Ultimate/Businnes e Windows 7 Pro/Ultimate.

Tutti le operazioni sono fatte con account root.

Installazione

Installare i pacchetti:

• [apt://samba samba]

• [apt://smbldap-tools smbldap-tools]

• [apt://smbclient smbclient]

• [apt://samba-doc samba-doc]

• [apt://slapd slapd]

• [apt://ldap-utils ldap-utils]

Immettere la passwd per l'amministratore di Ldap, quando viene chiesta. E' conveniente non superare i 5 caratteri alfanumerici.

Configurare LDAP per Ubuntu Server 8.04

1. In un [:AmministrazioneSistema/RigaDiComando:terminale] digitare:

   dpkg-reconfigure slapd

2. Rispondere alle domande proposte dal configuratone con quello che segue e nel seguente ordine.

   No
   nome_vostro_dominio.com
   vostraorganizzazione
   inserire la passwd scelta al momento dell'installazione di LDAP
   confermare la passwd
   OK
   HDB
   No
   Yes
   No

3. In un [:AmministrazioneSistema/RigaDiComando:terminale] digitare:

   /etc/init.d/slapd restart

4. In un [:AmministrazioneSistema/RigaDiComando:terminale] digitare:

   cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz /etc/ldap/schema/
   gzip -d /etc/ldap/schema/samba.schema.gz

5. Modificare il file /etc/ldap/slapd.conf.

   # Aggiungere le seguenti linee nella sezione«include»:

   include         /etc/ldap/schema/samba.schema
   include         /etc/ldap/schema/misc.schema

   # Aggiungere i seguenti attributi alla linea «access to attrs=userPassword...»

   sambaNTPassword,sambaLMPassword

   # Decommentare la seguente linea cambiando nome_vostro_dominio e ext_dominio con i valori appropiati per voi:

   rootdn          "cn=admin,dc=nome_vostro_dominio,dc=ext_dominio"

   # e dopo di essa aggiungere quanto segue cambiando paswd_di_ldap con il valorie appropiato per voi:

   rootpw          "paswd_di_ldap"

   # Aggiungere le seguenti righe nella sezione «Indices to maintain for this database»:

   index objectClass                       eq,pres
   index ou,cn,sn,mail,givenname           eq,pres,sub
   index uidNumber,gidNumber,memberUid     eq,pres
   index loginShell                        eq,pres
   # I also added this line to stop warning in syslog ..
   index uniqueMember                      eq,pres
   # required to support pdb_getsampwnam
   index uid                               pres,sub,eq
   # required to support pdb_getsambapwrid()
   index displayName                       pres,sub,eq
   # These attributes don't exist in this database ..
   #index nisMapName,nisMapEntry            eq,pres,sub
   index sambaSID                          eq
   index sambaPrimaryGroupSID              eq
   index sambaDomainName                   eq
   index default                           sub

6. In un [:AmministrazioneSistema/RigaDiComando:terminale] digitare:

   /etc/init.d/slapd stop
   slapindex
   chown openldap:openldap /var/lib/ldap/*
   /etc/init.d/slapd start

Configurare LDAP per Ubuntu server 10.04

1. Creare i file /etc/ldap/schema/samba.schema.

# Inserire quanto segue:

##
## schema file for OpenLDAP 2.x
## Schema for storing Samba user accounts and group maps in LDAP
## OIDs are owned by the Samba Team
##
## Prerequisite schemas - uid         (cosine.schema)
##                      - displayName (inetorgperson.schema)
##                      - gidNumber   (nis.schema)
##
## 1.3.6.1.4.1.7165.2.1.x - attributetypes
## 1.3.6.1.4.1.7165.2.2.x - objectclasses
##
## Printer support
## 1.3.6.1.4.1.7165.2.3.1.x - attributetypes
## 1.3.6.1.4.1.7165.2.3.2.x - objectclasses
##
## Samba4
## 1.3.6.1.4.1.7165.4.1.x - attributetypes
## 1.3.6.1.4.1.7165.4.2.x - objectclasses
## 1.3.6.1.4.1.7165.4.3.x - LDB/LDAP Controls
## 1.3.6.1.4.1.7165.4.4.x - LDB/LDAP Extended Operations
## 1.3.6.1.4.1.7165.4.255.x - mapped OIDs due to conflicts between AD and standards-track
##
## ----- READ THIS WHEN ADDING A NEW ATTRIBUTE OR OBJECT CLASS ------
##
## Run the 'get_next_oid' bash script in this directory to find the 
## next available OID for attribute type and object classes.
##
##   $ ./get_next_oid
##   attributetype ( 1.3.6.1.4.1.7165.2.1.XX NAME ....
##   objectclass ( 1.3.6.1.4.1.7165.2.2.XX NAME ....
##
## Also ensure that new entries adhere to the declaration style
## used throughout this file
##
##    <attributetype|objectclass> ( 1.3.6.1.4.1.7165.2.XX.XX NAME ....
##                               ^ ^                        ^
##
## The spaces are required for the get_next_oid script (and for 
## readability).
##
## ------------------------------------------------------------------

# objectIdentifier SambaRoot 1.3.6.1.4.1.7165
# objectIdentifier Samba3 SambaRoot:2
# objectIdentifier Samba3Attrib Samba3:1
# objectIdentifier Samba3ObjectClass Samba3:2
# objectIdentifier Samba4 SambaRoot:4

########################################################################
##                            HISTORICAL                              ##
########################################################################

##
## Password hashes
##
#attributetype ( 1.3.6.1.4.1.7165.2.1.1 NAME 'lmPassword'
#       DESC 'LanManager Passwd'
#       EQUALITY caseIgnoreIA5Match
#       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )

#attributetype ( 1.3.6.1.4.1.7165.2.1.2 NAME 'ntPassword'
#       DESC 'NT Passwd'
#       EQUALITY caseIgnoreIA5Match
#       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )

##
## Account flags in string format ([UWDX     ])
##
#attributetype ( 1.3.6.1.4.1.7165.2.1.4 NAME 'acctFlags'
#       DESC 'Account Flags'
#       EQUALITY caseIgnoreIA5Match
#       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16} SINGLE-VALUE )

##
## Password timestamps & policies
##
#attributetype ( 1.3.6.1.4.1.7165.2.1.3 NAME 'pwdLastSet'
#       DESC 'NT pwdLastSet'
#       EQUALITY integerMatch
#       SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

#attributetype ( 1.3.6.1.4.1.7165.2.1.5 NAME 'logonTime'
#       DESC 'NT logonTime'
#       EQUALITY integerMatch
#       SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

#attributetype ( 1.3.6.1.4.1.7165.2.1.6 NAME 'logoffTime'
#       DESC 'NT logoffTime'
#       EQUALITY integerMatch
#       SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

#attributetype ( 1.3.6.1.4.1.7165.2.1.7 NAME 'kickoffTime'
#       DESC 'NT kickoffTime'
#       EQUALITY integerMatch
#       SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

#attributetype ( 1.3.6.1.4.1.7165.2.1.8 NAME 'pwdCanChange'
#       DESC 'NT pwdCanChange'
#       EQUALITY integerMatch
#       SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

#attributetype ( 1.3.6.1.4.1.7165.2.1.9 NAME 'pwdMustChange'
#       DESC 'NT pwdMustChange'
#       EQUALITY integerMatch
#       SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

##
## string settings
##
#attributetype ( 1.3.6.1.4.1.7165.2.1.10 NAME 'homeDrive'
#       DESC 'NT homeDrive'
#       EQUALITY caseIgnoreIA5Match
#       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{4} SINGLE-VALUE )

#attributetype ( 1.3.6.1.4.1.7165.2.1.11 NAME 'scriptPath'
#       DESC 'NT scriptPath'
#       EQUALITY caseIgnoreIA5Match
#       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{255} SINGLE-VALUE )

#attributetype ( 1.3.6.1.4.1.7165.2.1.12 NAME 'profilePath'
#       DESC 'NT profilePath'
#       EQUALITY caseIgnoreIA5Match
#       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{255} SINGLE-VALUE )

#attributetype ( 1.3.6.1.4.1.7165.2.1.13 NAME 'userWorkstations'
#       DESC 'userWorkstations'
#       EQUALITY caseIgnoreIA5Match
#       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{255} SINGLE-VALUE )

#attributetype ( 1.3.6.1.4.1.7165.2.1.17 NAME 'smbHome'
#       DESC 'smbHome'
#       EQUALITY caseIgnoreIA5Match
#       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )

#attributetype ( 1.3.6.1.4.1.7165.2.1.18 NAME 'domain'
#       DESC 'Windows NT domain to which the user belongs'
#       EQUALITY caseIgnoreIA5Match
#       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )

##
## user and group RID
##
#attributetype ( 1.3.6.1.4.1.7165.2.1.14 NAME 'rid'
#       DESC 'NT rid'
#       EQUALITY integerMatch
#       SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

#attributetype ( 1.3.6.1.4.1.7165.2.1.15 NAME 'primaryGroupID'
#       DESC 'NT Group RID'
#       EQUALITY integerMatch
#       SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

##
## The smbPasswordEntry objectclass has been depreciated in favor of the
## sambaAccount objectclass
##
#objectclass ( 1.3.6.1.4.1.7165.2.2.1 NAME 'smbPasswordEntry' SUP top AUXILIARY
#        DESC 'Samba smbpasswd entry'
#        MUST ( uid $ uidNumber )
#        MAY  ( lmPassword $ ntPassword $ pwdLastSet $ acctFlags ))

#objectclass ( 1.3.6.1.4.1.7165.2.2.2 NAME 'sambaAccount' SUP top STRUCTURAL
#       DESC 'Samba Account'
#       MUST ( uid $ rid )
#       MAY  ( cn $ lmPassword $ ntPassword $ pwdLastSet $ logonTime $
#               logoffTime $ kickoffTime $ pwdCanChange $ pwdMustChange $ acctFlags $
#               displayName $ smbHome $ homeDrive $ scriptPath $ profilePath $
#               description $ userWorkstations $ primaryGroupID $ domain ))

#objectclass ( 1.3.6.1.4.1.7165.2.2.3 NAME 'sambaAccount' SUP top AUXILIARY
#       DESC 'Samba Auxiliary Account'
#       MUST ( uid $ rid )
#       MAY  ( cn $ lmPassword $ ntPassword $ pwdLastSet $ logonTime $
#              logoffTime $ kickoffTime $ pwdCanChange $ pwdMustChange $ acctFlags $
#              displayName $ smbHome $ homeDrive $ scriptPath $ profilePath $
#              description $ userWorkstations $ primaryGroupID $ domain ))

########################################################################
##                        END OF HISTORICAL                           ##
########################################################################

#######################################################################
##                Attributes used by Samba 3.0 schema                ##
#######################################################################

##
## Password hashes
##
attributetype ( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword'
        DESC 'LanManager Password'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.25 NAME 'sambaNTPassword'
        DESC 'MD4 hash of the unicode password'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )

##
## Account flags in string format ([UWDX     ])
##
attributetype ( 1.3.6.1.4.1.7165.2.1.26 NAME 'sambaAcctFlags'
        DESC 'Account Flags'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16} SINGLE-VALUE )

##
## Password timestamps & policies
##
attributetype ( 1.3.6.1.4.1.7165.2.1.27 NAME 'sambaPwdLastSet'
        DESC 'Timestamp of the last password update'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.28 NAME 'sambaPwdCanChange'
        DESC 'Timestamp of when the user is allowed to update the password'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.29 NAME 'sambaPwdMustChange'
        DESC 'Timestamp of when the password will expire'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.30 NAME 'sambaLogonTime'
        DESC 'Timestamp of last logon'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.31 NAME 'sambaLogoffTime'
        DESC 'Timestamp of last logoff'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.32 NAME 'sambaKickoffTime'
        DESC 'Timestamp of when the user will be logged off automatically'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.48 NAME 'sambaBadPasswordCount'
        DESC 'Bad password attempt count'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.49 NAME 'sambaBadPasswordTime'
        DESC 'Time of the last bad password attempt'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.55 NAME 'sambaLogonHours'
        DESC 'Logon Hours'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{42} SINGLE-VALUE )

##
## string settings
##
attributetype ( 1.3.6.1.4.1.7165.2.1.33 NAME 'sambaHomeDrive'
        DESC 'Driver letter of home directory mapping'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{4} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.34 NAME 'sambaLogonScript'
        DESC 'Logon script path'
        EQUALITY caseIgnoreMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.35 NAME 'sambaProfilePath'
        DESC 'Roaming profile path'
        EQUALITY caseIgnoreMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.36 NAME 'sambaUserWorkstations'
        DESC 'List of user workstations the user is allowed to logon to'
        EQUALITY caseIgnoreMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.37 NAME 'sambaHomePath'
        DESC 'Home directory UNC path'
        EQUALITY caseIgnoreMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )

attributetype ( 1.3.6.1.4.1.7165.2.1.38 NAME 'sambaDomainName'
        DESC 'Windows NT domain to which the user belongs'
        EQUALITY caseIgnoreMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )

attributetype ( 1.3.6.1.4.1.7165.2.1.47 NAME 'sambaMungedDial'
        DESC 'Base64 encoded user parameter string'
        EQUALITY caseExactMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} )

attributetype ( 1.3.6.1.4.1.7165.2.1.54 NAME 'sambaPasswordHistory'
        DESC 'Concatenated MD5 hashes of the salted NT passwords used on this account'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} )

##
## SID, of any type
##

attributetype ( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID'
        DESC 'Security ID'
        EQUALITY caseIgnoreIA5Match
        SUBSTR caseExactIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )

##
## Primary group SID, compatible with ntSid
##

attributetype ( 1.3.6.1.4.1.7165.2.1.23 NAME 'sambaPrimaryGroupSID'
        DESC 'Primary Group Security ID'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.51 NAME 'sambaSIDList'
        DESC 'Security ID List'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} )

##
## group mapping attributes
##
attributetype ( 1.3.6.1.4.1.7165.2.1.19 NAME 'sambaGroupType'
        DESC 'NT Group Type'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

##
## Store info on the domain
##

attributetype ( 1.3.6.1.4.1.7165.2.1.21 NAME 'sambaNextUserRid'
        DESC 'Next NT rid to give our for users'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.22 NAME 'sambaNextGroupRid'
        DESC 'Next NT rid to give out for groups'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.39 NAME 'sambaNextRid'
        DESC 'Next NT rid to give out for anything'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.40 NAME 'sambaAlgorithmicRidBase'
        DESC 'Base at which the samba RID generation algorithm should operate'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.41 NAME 'sambaShareName'
        DESC 'Share Name'
        EQUALITY caseIgnoreMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.42 NAME 'sambaOptionName'
        DESC 'Option Name'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )

attributetype ( 1.3.6.1.4.1.7165.2.1.43 NAME 'sambaBoolOption'
        DESC 'A boolean option'
        EQUALITY booleanMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.44 NAME 'sambaIntegerOption'
        DESC 'An integer option'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.45 NAME 'sambaStringOption'
        DESC 'A string option'
        EQUALITY caseExactIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.46 NAME 'sambaStringListOption'
        DESC 'A string list option'
        EQUALITY caseIgnoreMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )


##attributetype ( 1.3.6.1.4.1.7165.2.1.50 NAME 'sambaPrivName' 
##      SUP name )

##attributetype ( 1.3.6.1.4.1.7165.2.1.52 NAME 'sambaPrivilegeList'
##      DESC 'Privileges List'
##      EQUALITY caseIgnoreIA5Match
##      SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} )

attributetype ( 1.3.6.1.4.1.7165.2.1.53 NAME 'sambaTrustFlags'
        DESC 'Trust Password Flags'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

# "min password length"
attributetype ( 1.3.6.1.4.1.7165.2.1.58 NAME 'sambaMinPwdLength'
        DESC 'Minimal password length (default: 5)'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

# "password history"
attributetype ( 1.3.6.1.4.1.7165.2.1.59 NAME 'sambaPwdHistoryLength'
        DESC 'Length of Password History Entries (default: 0 => off)'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

# "user must logon to change password"
attributetype ( 1.3.6.1.4.1.7165.2.1.60 NAME 'sambaLogonToChgPwd'
        DESC 'Force Users to logon for password change (default: 0 => off, 2 => on)'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

# "maximum password age"
attributetype ( 1.3.6.1.4.1.7165.2.1.61 NAME 'sambaMaxPwdAge'
        DESC 'Maximum password age, in seconds (default: -1 => never expire passwords)'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

# "minimum password age"
attributetype ( 1.3.6.1.4.1.7165.2.1.62 NAME 'sambaMinPwdAge'
        DESC 'Minimum password age, in seconds (default: 0 => allow immediate password change)'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

# "lockout duration"
attributetype ( 1.3.6.1.4.1.7165.2.1.63 NAME 'sambaLockoutDuration'
        DESC 'Lockout duration in minutes (default: 30, -1 => forever)'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

# "reset count minutes"
attributetype ( 1.3.6.1.4.1.7165.2.1.64 NAME 'sambaLockoutObservationWindow'
        DESC 'Reset time after lockout in minutes (default: 30)'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

# "bad lockout attempt"
attributetype ( 1.3.6.1.4.1.7165.2.1.65 NAME 'sambaLockoutThreshold'
        DESC 'Lockout users after bad logon attempts (default: 0 => off)'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

# "disconnect time"
attributetype ( 1.3.6.1.4.1.7165.2.1.66 NAME 'sambaForceLogoff'
        DESC 'Disconnect Users outside logon hours (default: -1 => off, 0 => on)'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

# "refuse machine password change"
attributetype ( 1.3.6.1.4.1.7165.2.1.67 NAME 'sambaRefuseMachinePwdChange'
        DESC 'Allow Machine Password changes (default: 0 => off)'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

#
attributetype ( 1.3.6.1.4.1.7165.2.1.68 NAME 'sambaClearTextPassword'
        DESC 'Clear text password (used for trusted domain passwords)'
        EQUALITY octetStringMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )

#
attributetype ( 1.3.6.1.4.1.7165.2.1.69 NAME 'sambaPreviousClearTextPassword'
        DESC 'Previous clear text password (used for trusted domain passwords)'
        EQUALITY octetStringMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )



#######################################################################
##              objectClasses used by Samba 3.0 schema               ##
#######################################################################

## The X.500 data model (and therefore LDAPv3) says that each entry can
## only have one structural objectclass.  OpenLDAP 2.0 does not enforce
## this currently but will in v2.1

##
## added new objectclass (and OID) for 3.0 to help us deal with backwards
## compatibility with 2.2 installations (e.g. ldapsam_compat)  --jerry
##
objectclass ( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY
        DESC 'Samba 3.0 Auxilary SAM Account'
        MUST ( uid $ sambaSID )
        MAY  ( cn $ sambaLMPassword $ sambaNTPassword $ sambaPwdLastSet $
               sambaLogonTime $ sambaLogoffTime $ sambaKickoffTime $
               sambaPwdCanChange $ sambaPwdMustChange $ sambaAcctFlags $
               displayName $ sambaHomePath $ sambaHomeDrive $ sambaLogonScript $
               sambaProfilePath $ description $ sambaUserWorkstations $
               sambaPrimaryGroupSID $ sambaDomainName $ sambaMungedDial $
               sambaBadPasswordCount $ sambaBadPasswordTime $
               sambaPasswordHistory $ sambaLogonHours))

##
## Group mapping info
##
objectclass ( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' SUP top AUXILIARY
        DESC 'Samba Group Mapping'
        MUST ( gidNumber $ sambaSID $ sambaGroupType )
        MAY  ( displayName $ description $ sambaSIDList ))

##
## Trust password for trust relationships (any kind)
##
objectclass ( 1.3.6.1.4.1.7165.2.2.14 NAME 'sambaTrustPassword' SUP top STRUCTURAL
        DESC 'Samba Trust Password'
        MUST ( sambaDomainName $ sambaNTPassword $ sambaTrustFlags )
        MAY ( sambaSID $ sambaPwdLastSet ))

##
## Trust password for trusted domains
## (to be stored beneath the trusting sambaDomain object in the DIT)
##
objectclass ( 1.3.6.1.4.1.7165.2.2.15 NAME 'sambaTrustedDomainPassword' SUP top STRUCTURAL
        DESC 'Samba Trusted Domain Password'
        MUST ( sambaDomainName $ sambaSID $
               sambaClearTextPassword $ sambaPwdLastSet )
        MAY  ( sambaPreviousClearTextPassword ))

##
## Whole-of-domain info
##
objectclass ( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' SUP top STRUCTURAL
        DESC 'Samba Domain Information'
        MUST ( sambaDomainName $ 
               sambaSID ) 
        MAY ( sambaNextRid $ sambaNextGroupRid $ sambaNextUserRid $
              sambaAlgorithmicRidBase $ 
              sambaMinPwdLength $ sambaPwdHistoryLength $ sambaLogonToChgPwd $
              sambaMaxPwdAge $ sambaMinPwdAge $
              sambaLockoutDuration $ sambaLockoutObservationWindow $ sambaLockoutThreshold $
              sambaForceLogoff $ sambaRefuseMachinePwdChange ))

##
## used for idmap_ldap module
##
objectclass ( 1.3.6.1.4.1.7165.2.2.7 NAME 'sambaUnixIdPool' SUP top AUXILIARY
        DESC 'Pool for allocating UNIX uids/gids'
        MUST ( uidNumber $ gidNumber ) )


objectclass ( 1.3.6.1.4.1.7165.2.2.8 NAME 'sambaIdmapEntry' SUP top AUXILIARY
        DESC 'Mapping from a SID to an ID'
        MUST ( sambaSID )
        MAY ( uidNumber $ gidNumber ) )

objectclass ( 1.3.6.1.4.1.7165.2.2.9 NAME 'sambaSidEntry' SUP top STRUCTURAL
        DESC 'Structural Class for a SID'
        MUST ( sambaSID ) )

objectclass ( 1.3.6.1.4.1.7165.2.2.10 NAME 'sambaConfig' SUP top AUXILIARY
        DESC 'Samba Configuration Section'
        MAY ( description ) )

objectclass ( 1.3.6.1.4.1.7165.2.2.11 NAME 'sambaShare' SUP top STRUCTURAL
        DESC 'Samba Share Section'
        MUST ( sambaShareName )
        MAY ( description ) )

objectclass ( 1.3.6.1.4.1.7165.2.2.12 NAME 'sambaConfigOption' SUP top STRUCTURAL
        DESC 'Samba Configuration Option'
        MUST ( sambaOptionName )
        MAY ( sambaBoolOption $ sambaIntegerOption $ sambaStringOption $ 
              sambaStringListoption $ description ) )


## retired during privilege rewrite
##objectclass ( 1.3.6.1.4.1.7165.2.2.13 NAME 'sambaPrivilege' SUP top AUXILIARY
##      DESC 'Samba Privilege'
##      MUST ( sambaSID )
##      MAY ( sambaPrivilegeList ) )

1. Creare i file /etc/ldap/schema/samba.ldif.

# Inserire quanto segue:

dn: cn=samba,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: samba
olcAttributeTypes: {0}( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword' DESC 'L
 anManager Password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.1
 21.1.26{32} SINGLE-VALUE )
olcAttributeTypes: {1}( 1.3.6.1.4.1.7165.2.1.25 NAME 'sambaNTPassword' DESC 'M
 D4 hash of the unicode password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4
 .1.1466.115.121.1.26{32} SINGLE-VALUE )
olcAttributeTypes: {2}( 1.3.6.1.4.1.7165.2.1.26 NAME 'sambaAcctFlags' DESC 'Ac
 count Flags' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
 {16} SINGLE-VALUE )
olcAttributeTypes: {3}( 1.3.6.1.4.1.7165.2.1.27 NAME 'sambaPwdLastSet' DESC 'T
 imestamp of the last password update' EQUALITY integerMatch SYNTAX 1.3.6.1.4.
 1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {4}( 1.3.6.1.4.1.7165.2.1.28 NAME 'sambaPwdCanChange' DESC 
 'Timestamp of when the user is allowed to update the password' EQUALITY integ
 erMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {5}( 1.3.6.1.4.1.7165.2.1.29 NAME 'sambaPwdMustChange' DESC
  'Timestamp of when the password will expire' EQUALITY integerMatch SYNTAX 1.
 3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {6}( 1.3.6.1.4.1.7165.2.1.30 NAME 'sambaLogonTime' DESC 'Ti
 mestamp of last logon' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.
 1.27 SINGLE-VALUE )
olcAttributeTypes: {7}( 1.3.6.1.4.1.7165.2.1.31 NAME 'sambaLogoffTime' DESC 'T
 imestamp of last logoff' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.12
 1.1.27 SINGLE-VALUE )
olcAttributeTypes: {8}( 1.3.6.1.4.1.7165.2.1.32 NAME 'sambaKickoffTime' DESC '
 Timestamp of when the user will be logged off automatically' EQUALITY integer
 Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {9}( 1.3.6.1.4.1.7165.2.1.48 NAME 'sambaBadPasswordCount' D
 ESC 'Bad password attempt count' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.146
 6.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {10}( 1.3.6.1.4.1.7165.2.1.49 NAME 'sambaBadPasswordTime' D
 ESC 'Time of the last bad password attempt' EQUALITY integerMatch SYNTAX 1.3.
 6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {11}( 1.3.6.1.4.1.7165.2.1.55 NAME 'sambaLogonHours' DESC '
 Logon Hours' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
 {42} SINGLE-VALUE )
olcAttributeTypes: {12}( 1.3.6.1.4.1.7165.2.1.33 NAME 'sambaHomeDrive' DESC 'D
 river letter of home directory mapping' EQUALITY caseIgnoreIA5Match SYNTAX 1.
 3.6.1.4.1.1466.115.121.1.26{4} SINGLE-VALUE )
olcAttributeTypes: {13}( 1.3.6.1.4.1.7165.2.1.34 NAME 'sambaLogonScript' DESC 
 'Logon script path' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.
 1.15{255} SINGLE-VALUE )
olcAttributeTypes: {14}( 1.3.6.1.4.1.7165.2.1.35 NAME 'sambaProfilePath' DESC 
 'Roaming profile path' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.1
 21.1.15{255} SINGLE-VALUE )
olcAttributeTypes: {15}( 1.3.6.1.4.1.7165.2.1.36 NAME 'sambaUserWorkstations' 
 DESC 'List of user workstations the user is allowed to logon to' EQUALITY cas
 eIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )
olcAttributeTypes: {16}( 1.3.6.1.4.1.7165.2.1.37 NAME 'sambaHomePath' DESC 'Ho
 me directory UNC path' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.1
 21.1.15{128} )
olcAttributeTypes: {17}( 1.3.6.1.4.1.7165.2.1.38 NAME 'sambaDomainName' DESC '
 Windows NT domain to which the user belongs' EQUALITY caseIgnoreMatch SYNTAX 
 1.3.6.1.4.1.1466.115.121.1.15{128} )
olcAttributeTypes: {18}( 1.3.6.1.4.1.7165.2.1.47 NAME 'sambaMungedDial' DESC '
 Base64 encoded user parameter string' EQUALITY caseExactMatch SYNTAX 1.3.6.1.
 4.1.1466.115.121.1.15{1050} )
olcAttributeTypes: {19}( 1.3.6.1.4.1.7165.2.1.54 NAME 'sambaPasswordHistory' D
 ESC 'Concatenated MD5 hashes of the salted NT passwords used on this account'
  EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} )
olcAttributeTypes: {20}( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID' DESC 'Securit
 y ID' EQUALITY caseIgnoreIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1
 .3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
olcAttributeTypes: {21}( 1.3.6.1.4.1.7165.2.1.23 NAME 'sambaPrimaryGroupSID' D
 ESC 'Primary Group Security ID' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.
 1.1466.115.121.1.26{64} SINGLE-VALUE )
olcAttributeTypes: {22}( 1.3.6.1.4.1.7165.2.1.51 NAME 'sambaSIDList' DESC 'Sec
 urity ID List' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.
 26{64} )
olcAttributeTypes: {23}( 1.3.6.1.4.1.7165.2.1.19 NAME 'sambaGroupType' DESC 'N
 T Group Type' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SING
 LE-VALUE )
olcAttributeTypes: {24}( 1.3.6.1.4.1.7165.2.1.21 NAME 'sambaNextUserRid' DESC 
 'Next NT rid to give our for users' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.
 1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {25}( 1.3.6.1.4.1.7165.2.1.22 NAME 'sambaNextGroupRid' DESC
  'Next NT rid to give out for groups' EQUALITY integerMatch SYNTAX 1.3.6.1.4.
 1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {26}( 1.3.6.1.4.1.7165.2.1.39 NAME 'sambaNextRid' DESC 'Nex
 t NT rid to give out for anything' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1
 466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {27}( 1.3.6.1.4.1.7165.2.1.40 NAME 'sambaAlgorithmicRidBase
 ' DESC 'Base at which the samba RID generation algorithm should operate' EQUA
 LITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {28}( 1.3.6.1.4.1.7165.2.1.41 NAME 'sambaShareName' DESC 'S
 hare Name' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SING
 LE-VALUE )
olcAttributeTypes: {29}( 1.3.6.1.4.1.7165.2.1.42 NAME 'sambaOptionName' DESC '
 Option Name' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX
  1.3.6.1.4.1.1466.115.121.1.15{256} )
olcAttributeTypes: {30}( 1.3.6.1.4.1.7165.2.1.43 NAME 'sambaBoolOption' DESC '
 A boolean option' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 S
 INGLE-VALUE )
olcAttributeTypes: {31}( 1.3.6.1.4.1.7165.2.1.44 NAME 'sambaIntegerOption' DES
 C 'An integer option' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1
 .27 SINGLE-VALUE )
olcAttributeTypes: {32}( 1.3.6.1.4.1.7165.2.1.45 NAME 'sambaStringOption' DESC
  'A string option' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121
 .1.26 SINGLE-VALUE )
olcAttributeTypes: {33}( 1.3.6.1.4.1.7165.2.1.46 NAME 'sambaStringListOption' 
 DESC 'A string list option' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.
 115.121.1.15 )
olcAttributeTypes: {34}( 1.3.6.1.4.1.7165.2.1.53 NAME 'sambaTrustFlags' DESC '
 Trust Password Flags' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115
 .121.1.26 )
olcAttributeTypes: {35}( 1.3.6.1.4.1.7165.2.1.58 NAME 'sambaMinPwdLength' DESC
  'Minimal password length (default: 5)' EQUALITY integerMatch SYNTAX 1.3.6.1.
 4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {36}( 1.3.6.1.4.1.7165.2.1.59 NAME 'sambaPwdHistoryLength' 
 DESC 'Length of Password History Entries (default: 0 => off)' EQUALITY intege
 rMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {37}( 1.3.6.1.4.1.7165.2.1.60 NAME 'sambaLogonToChgPwd' DES
 C 'Force Users to logon for password change (default: 0 => off, 2 => on)' EQU
 ALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {38}( 1.3.6.1.4.1.7165.2.1.61 NAME 'sambaMaxPwdAge' DESC 'M
 aximum password age, in seconds (default: -1 => never expire passwords)' EQUA
 LITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {39}( 1.3.6.1.4.1.7165.2.1.62 NAME 'sambaMinPwdAge' DESC 'M
 inimum password age, in seconds (default: 0 => allow immediate password chang
 e)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {40}( 1.3.6.1.4.1.7165.2.1.63 NAME 'sambaLockoutDuration' D
 ESC 'Lockout duration in minutes (default: 30, -1 => forever)' EQUALITY integ
 erMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {41}( 1.3.6.1.4.1.7165.2.1.64 NAME 'sambaLockoutObservation
 Window' DESC 'Reset time after lockout in minutes (default: 30)' EQUALITY int
 egerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {42}( 1.3.6.1.4.1.7165.2.1.65 NAME 'sambaLockoutThreshold' 
 DESC 'Lockout users after bad logon attempts (default: 0 => off)' EQUALITY in
 tegerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {43}( 1.3.6.1.4.1.7165.2.1.66 NAME 'sambaForceLogoff' DESC 
 'Disconnect Users outside logon hours (default: -1 => off, 0 => on)' EQUALITY
  integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {44}( 1.3.6.1.4.1.7165.2.1.67 NAME 'sambaRefuseMachinePwdCh
 ange' DESC 'Allow Machine Password changes (default: 0 => off)' EQUALITY inte
 gerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {45}( 1.3.6.1.4.1.7165.2.1.68 NAME 'sambaClearTextPassword'
  DESC 'Clear text password (used for trusted domain passwords)' EQUALITY octe
 tStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
olcAttributeTypes: {46}( 1.3.6.1.4.1.7165.2.1.69 NAME 'sambaPreviousClearTextP
 assword' DESC 'Previous clear text password (used for trusted domain password
 s)' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
olcObjectClasses: {0}( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' DESC 'Sam
 ba 3.0 Auxilary SAM Account' SUP top AUXILIARY MUST ( uid $ sambaSID ) MAY ( 
 cn $ sambaLMPassword $ sambaNTPassword $ sambaPwdLastSet $ sambaLogonTime $ s
 ambaLogoffTime $ sambaKickoffTime $ sambaPwdCanChange $ sambaPwdMustChange $ 
 sambaAcctFlags $ displayName $ sambaHomePath $ sambaHomeDrive $ sambaLogonScr
 ipt $ sambaProfilePath $ description $ sambaUserWorkstations $ sambaPrimaryGr
 oupSID $ sambaDomainName $ sambaMungedDial $ sambaBadPasswordCount $ sambaBad
 PasswordTime $ sambaPasswordHistory $ sambaLogonHours ) )
olcObjectClasses: {1}( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' DESC 'S
 amba Group Mapping' SUP top AUXILIARY MUST ( gidNumber $ sambaSID $ sambaGrou
 pType ) MAY ( displayName $ description $ sambaSIDList ) )
olcObjectClasses: {2}( 1.3.6.1.4.1.7165.2.2.14 NAME 'sambaTrustPassword' DESC 
 'Samba Trust Password' SUP top STRUCTURAL MUST ( sambaDomainName $ sambaNTPas
 sword $ sambaTrustFlags ) MAY ( sambaSID $ sambaPwdLastSet ) )
olcObjectClasses: {3}( 1.3.6.1.4.1.7165.2.2.15 NAME 'sambaTrustedDomainPasswor
 d' DESC 'Samba Trusted Domain Password' SUP top STRUCTURAL MUST ( sambaDomain
 Name $ sambaSID $ sambaClearTextPassword $ sambaPwdLastSet ) MAY sambaPreviou
 sClearTextPassword )
olcObjectClasses: {4}( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' DESC 'Samba D
 omain Information' SUP top STRUCTURAL MUST ( sambaDomainName $ sambaSID ) MAY
  ( sambaNextRid $ sambaNextGroupRid $ sambaNextUserRid $ sambaAlgorithmicRidB
 ase $ sambaMinPwdLength $ sambaPwdHistoryLength $ sambaLogonToChgPwd $ sambaM
 axPwdAge $ sambaMinPwdAge $ sambaLockoutDuration $ sambaLockoutObservationWin
 dow $ sambaLockoutThreshold $ sambaForceLogoff $ sambaRefuseMachinePwdChange 
 ) )
olcObjectClasses: {5}( 1.3.6.1.4.1.7165.2.2.7 NAME 'sambaUnixIdPool' DESC 'Poo
 l for allocating UNIX uids/gids' SUP top AUXILIARY MUST ( uidNumber $ gidNumb
 er ) )
olcObjectClasses: {6}( 1.3.6.1.4.1.7165.2.2.8 NAME 'sambaIdmapEntry' DESC 'Map
 ping from a SID to an ID' SUP top AUXILIARY MUST sambaSID MAY ( uidNumber $ g
 idNumber ) )
olcObjectClasses: {7}( 1.3.6.1.4.1.7165.2.2.9 NAME 'sambaSidEntry' DESC 'Struc
 tural Class for a SID' SUP top STRUCTURAL MUST sambaSID )
olcObjectClasses: {8}( 1.3.6.1.4.1.7165.2.2.10 NAME 'sambaConfig' DESC 'Samba 
 Configuration Section' SUP top AUXILIARY MAY description )
olcObjectClasses: {9}( 1.3.6.1.4.1.7165.2.2.11 NAME 'sambaShare' DESC 'Samba S
 hare Section' SUP top STRUCTURAL MUST sambaShareName MAY description )
olcObjectClasses: {10}( 1.3.6.1.4.1.7165.2.2.12 NAME 'sambaConfigOption' DESC 
 'Samba Configuration Option' SUP top STRUCTURAL MUST sambaOptionName MAY ( sa
 mbaBoolOption $ sambaIntegerOption $ sambaStringOption $ sambaStringListoptio
 n $ description ) )

1. In un [:AmministrazioneSistema/RigaDiComando:terminale] digitare:

   ls /etc/ldap/schema/*.ldif | xargs -I {} sudo ldapadd -Y EXTERNAL -H ldapi:/// -f {}

2. Creare i file /etc/ldap/schema/db.ldif.

# Inserire quanto segue sostituendo nome_vostro_dominio , ext_dominio e ROOT_PASSWD con i valori appropiati per voi:

# Load dynamic backend modules
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
olcModuleload: back_hdb

# Create the database
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=nome_vostro_dominio,dc=ext_dominio
olcRootDN: cn=admin,dc=nome_vostro_dominio,dc=ext_dominio
olcRootPW: ROOT_PASSWD
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,sn,mail,givenname eq,pres,sub
olcDbIndex: uidNumber,gidNumber,memberUid eq,pres
olcDbIndex: loginShell eq,pres
# I also added this line to stop warning in syslog ..
olcDbIndex: uniqueMember eq,pres
## required to support pdb_getsampwnam
olcDbIndex: uid pres,sub,eq
## required to support pdb_getsambapwrid()
olcDbIndex: displayName pres,sub,eq
# These attributes don't exist in this database ..
#olcDbIndex: nisMapName,nisMapEntry eq,pres,sub
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaGroupType eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sambaDomainName eq
olcDbIndex: default sub
#olcAccess: to attrs=userPassword,sambaNTPassword,sambaLMPassword
# by dn="cn=admin,dc=NOME_DOMINIO,dc=ext_dominio" write
# by anonymous auth
# by self write
# by * none
#olcAccess: to dn.base="" by * read
#olcAccess: to * 
# by dn="cn=admin,dc=NOME_DOMINIO,dc=ext_dominio" write
# by * read

1. Creare i file /etc/ldap/schema/config.ldif.

# Inserire quanto segue sostituendo ROOT_PASSWD con il valore appropiato per voi:

#dn: cn=config
#changetype: modify
#delete: olcAuthzRegexp

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
delete: olcAccess

#dn: olcDatabase={0}config,cn=config
#changetype: modify
#delete: olcRootDN

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootDN
olcRootDN: cn=admin,cn=config

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: ROOT_PASSWD

dn: olcDatabase={0}config,cn=config
changetype: modify
delete: olcAccess

1. Creare i file /etc/ldap/schema/base.ldif.

# Inserire quanto segue sostituendo nome_vostro_dominio e ext_dominio con i valori appropiati per voi:

dn: dc=nome_vostro_dominio,dc=ext_dominio
dc: nome_vostro_dominio
objectClass: top
objectClass: domain

dn: ou=Hosts,dc=nome_vostro_dominio,dc=ext_dominio
ou: Hosts
objectClass: top
objectClass: organizationalUnit

dn: ou=Rpc,dc=nome_vostro_dominio,dc=ext_dominio
ou: Rpc
objectClass: top
objectClass: organizationalUnit

dn: ou=Services,dc=nome_vostro_dominio,dc=ext_dominio
ou: Services
objectClass: top
objectClass: organizationalUnit

dn: nisMapName=netgroup.byuser,dc=nome_vostro_dominio,dc=ext_dominio
nismapname: netgroup.byuser
objectClass: top
objectClass: nisMap

dn: ou=Mounts,dc=nome_vostro_dominio,dc=ext_dominio
ou: Mounts
objectClass: top
objectClass: organizationalUnit

dn: ou=Networks,dc=nome_vostro_dominio,dc=ext_dominio
ou: Networks
objectClass: top
objectClass: organizationalUnit

dn: ou=People,dc=nome_vostro_dominio,dc=ext_dominio
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=nome_vostro_dominio,dc=ext_dominio
ou: Group
objectClass: top
objectClass: organizationalUnit

dn: ou=Netgroup,dc=nome_vostro_dominio,dc=ext_dominio
ou: Netgroup
objectClass: top
objectClass: organizationalUnit

dn: ou=Protocols,dc=nome_vostro_dominio,dc=ext_dominio
ou: Protocols
objectClass: top
objectClass: organizationalUnit

dn: ou=Aliases,dc=nome_vostro_dominio,dc=ext_dominio
ou: Aliases
objectClass: top
objectClass: organizationalUnit

dn: nisMapName=netgroup.byhost,dc=nome_vostro_dominio,dc=ext_dominio
nismapname: netgroup.byhost
objectClass: top
objectClass: nisMap

1. Creare i file /etc/ldap/schema/acl.ldif.

# Inserire quanto segue sostituendo nome_vostro_dominio e ext_dominio con i valori appropiati per voi:

dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: to attrs=userPassword,sambaNTPassword,sambaLMPassword by dn="cn=admin,dc=nome_vostro_dominio,dc=ext_dominio" write by anonymous auth by self write by * none
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=admin,dc=nome_vostro_dominio,dc=ext_dominio" write by * read

1. In un [:AmministrazioneSistema/RigaDiComando:terminale] digitare:

   ldapadd -Y EXTERNAL -H ldapi:/// -f `/etc/ldap/schema/db.ldif`
   ldapadd -Y EXTERNAL -H ldapi:/// -f `/etc/ldap/schema/config.ldif`
   ldapadd -a -W -x -D "cn=admin,dc=citelumscv,dc=es" -f `/etc/ldap/schema/base.ldif`
   ldapadd -a -W -x -D "cn=admin,dc=citelumscv,dc=es" -f `/etc/ldap/schema/acl.ldif`
   /etc/init.d/slapd stop
   sudo slapindex
   chown openldap:openldap /var/lib/ldap/*
   /etc/init.d/slapd start

Configurare SAMBA

1. Fare una copia del file /etc/samba/smb.conf.

2. Modificare il file /etc/samba/smb.conf.

   # Aggiungere o modificare nel seguente modo le seguenti linee sostituendo nome_vostro_dominio e ext_dominio con i valori appropiati per voi rispettando le maiuscole dove necessario

   workgroup = nome_vostro_dominio
   security = user
   passdb backend = ldapsam:ldap://localhost/
   obey pam restrictions = no
   
   ###############################################################
   #COPY AND PASTE THE FOLLOWING UNDERNEATH "OBEY PAM RESTRICTIONS = NO"
   ###############################################################
   
   #       Begin: Custom LDAP Entries
   ldap admin dn = cn=admin,dc=nome_vostro_dominio,dc=ext_dominio
   ldap suffix = dc=nome_vostro_dominio, dc=ext_dominio
   ldap group suffix = ou=Groups
   ldap user suffix = ou=Users
   ldap machine suffix = ou=Computers
   ldap idmap suffix = ou=Users
   ; Do ldap passwd sync
   ldap passwd sync = Yes
   passwd program = /usr/sbin/smbldap-passwd %u
   passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
   add user script = /usr/sbin/smbldap-useradd -m "%u"
   ldap delete dn = Yes
   delete user script = /usr/sbin/smbldap-userdel "%u"
   add machine script = /usr/sbin/smbldap-useradd -w "%u"
   add group script = /usr/sbin/smbldap-groupadd -p "%g"
   delete group script = /usr/sbin/smbldap-groupdel "%g"
   add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
   delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
   set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
   ####################################################
   #STOP COPYING HERE! 
   #####################################################
   
   
   ;invalid users = root
   
   
   ;Unix password sync=yes

# Aggiungere la seguente linea se si vuole disabilitare i ROHAMING PROFILES:

logon path =

1. In un [:AmministrazioneSistema/RigaDiComando:terminale] digitare:

   /etc/init.d/samba restart
   smbpasswd -w "passwd ldap"

Configurare il SMBLDAP-TOOLS package

1. In un [:AmministrazioneSistema/RigaDiComando:terminale] digitare:

   cd /usr/share/doc/smbldap-tools/examples/
   cp smbldap_bind.conf /etc/smbldap-tools/
   cp smbldap.conf.gz /etc/smbldap-tools/
   gzip -d /etc/smbldap-tools/smbldap.conf.gz

2. In un [:AmministrazioneSistema/RigaDiComando:terminale] digitare:

   net getlocalsid

3. Modificare il file /etc/smbldap-tools/smbldap.conf. # Aggiungere o modificare nel seguente modo le seguenti linee cambiando il valore del parametro SID con quello ottenuto con il comando net getlocalsid.Cambiare anche nome_vostro_dominio e ext_dominio con i valori appropriati per voi e il valore del parametro sambaDomainName deve essere scritto in maiuscolo.

   SID="S-1-5-21-949328747-3404738746-3052206637"
   sambaDomain="nome_vostro_dominio"
   ldapTLS="0"
   suffix="dc=nome_vostro_dominio,dc=ext_dominio"
   sambaUnixIdPooldn="sambaDomainName=nome_vostro_dominio,${suffix}"
   userSmbHome=
   userProfile=
   userHomeDrive=
   userScript=
   mailDomain="nome_vostro_dominio.ext_dominio"

4. Modificare il file /etc/smbldap-tools/smbldap_bind.conf. # Aggiungere o modificare nel seguente modo le seguenti linee sostituendo nome_vostro_dominio e ext_dominio con i valori appropiati per voi

   slaveDN="cn=admin,dc=nome_vostro_dominio,dc=ext_dominio"
   slavePw="passwd di ldap"
   masterDN="cn=admin,dc=nome_vostro_dominio,dc=ext_dominio"
   masterPw="passwd di ldap"

5. In un [:AmministrazioneSistema/RigaDiComando:terminale] digitare:

   chmod 0644 /etc/smbldap-tools/smbldap.conf
   chmod 0600 /etc/smbldap-tools/smbldap_bind.conf

Configurare il server per usare LDAP authentication.

1. In un [:AmministrazioneSistema/RigaDiComando:terminale] digitare:

   apt-get install auth-client-config libpam-ldap libnss-ldap

   Rispondere alle domande proposte dal configuratore con quello che segue e nel seguente ordine sostituendo nome_vostro_dominio e ext_dominio con i valori appropiati per voi

   Yes
   LDAP server Uniform Resource Identifier: ldap://127.0.0.1
   Distinguished name of the search base: dc=nome_vostro_dominio,dc=ext_dominio
   LDAP version to use: 3
   Make local root Database admin: Yes
   Does the LDAP database require login? No
   LDAP account for root: cn=admin,dc=nome_vostro_dominio,dc=ext_dominio
   LDAP root account password: passwd di ldap

2. Modificatre il file /etc/ldap.conf. # Aggiungere o modificare nel seguente modo le seguenti linee sostituendo nome_vostro_dominio e ext_dominio con i valori appropiati per voi

   host 127.0.0.1
   base dc=nome_vostro_dominio,dc=ext_dominio
   uri ldap://127.0.0.1
   rootbinddn cn=admin,nome_vostro_dominio,dc=ext_dominio
   bind_policy soft

3. In un [:AmministrazioneSistema/RigaDiComando:terminale] digitare:

   cp /etc/ldap.conf /etc/ldap/ldap.conf

4. Creare il file etc/auth-client-config/profile.d/open_ldap.

   # Inserire quanto segue senza spazi tra le righe:

   [open_ldap]
   nss_passwd=passwd: compat ldap
   nss_group=group: compat ldap
   nss_shadow=shadow: compat ldap
   pam_auth=auth       required     pam_env.so
    auth       sufficient   pam_unix.so likeauth nullok
    auth       sufficient   pam_ldap.so use_first_pass
    auth       required     pam_deny.so
   pam_account=account    sufficient   pam_unix.so
    account    sufficient   pam_ldap.so
    account    required     pam_deny.so
   pam_password=password   sufficient   pam_unix.so nullok md5 shadow use_authtok
    password   sufficient   pam_ldap.so use_first_pass
    password   required     pam_deny.so
   pam_session=session    required     pam_limits.so
    session    required     pam_mkhomedir.so skel=/etc/skel/
    session    required     pam_unix.so
    session    optional     pam_ldap.so

5. In un [:AmministrazioneSistema/RigaDiComando:terminale] digitare:

   cp /etc/nsswitch.conf /etc/nsswitch.conf.original
   cd /etc/pam.d/
   mkdir bkup
   cp * bkup/

Abilitare il nuovo LDAP Authentication Profile

1. In un [:AmministrazioneSistema/RigaDiComando:terminale] digitare:

   auth-client-config -a -p open_ldap
   reboot

Popolare il data base LDAP usando smbldap-tools

1. In un [:AmministrazioneSistema/RigaDiComando:terminale] digitare:

   smbldap-populate -u 30000 -g 30000

2. Alla richiesta di passswd per root assegnare quella di ldap( max lunghezza 5):

Aggiungere gli utenti samba/unix e asseganrli la passwd desiderata

1. In un [:AmministrazioneSistema/RigaDiComando:terminale] digitare:

   smbldap-useradd -a -m -s /bin/false -c "Richard M" -P ricky

2. Se si vuole che un utente sia amministratore di dominio e amministratore sul proprio pc windows, allora si deve dare:

   smbldap-useradd -a -m -s /bin/false -c "Richard M" -g "Domain Admins" -P ricky

Creare le cartelle profile e netlogon

1. In un [:AmministrazioneSistema/RigaDiComando:terminale] digitare:

   mkdir /var/lib/samba/profiles
   mkdir /var/lib/samba/netlogon
   chmod -R 1757 /var/lib/samba/profiles
   chmod -R 775 /var/lib/samba/netlogon

   # Nota: il percorso /var/lib/samba é arbitrario, ed é quello di default.

   # CONTROLLARE QUE I FILE DI NETLOGON SIANO ACCESSIBILI IN LETTURA DA TUTTI.

Ulteriori risorse

• [http://www.howtoforge.com/openldap-samba-domain-controller-ubuntu7.10-p2];

• [http://help.ubuntu-it.org/10.04/ubuntu/serverguide/it/samba-ldap.html];

• [http://help.ubuntu-it.org/10.04/ubuntu/serverguide/it/openldap-server.html#openldap-configuration];

• [http://ubuntuforums.org/showthread.php?t=1295934];

• [http://www.grennan.com/ldap-HOWTO.html]

CategoryNuoviDocumenti