Samba und Active Directory

Eher rudimentär und unordentlich geht es hier um Samba und Active Directory (AD)

Config

# system-config-authentication

  • /etc/nsswitch.conf
    passwd:  files ldap winbind
    shadow:  files ldap winbind
    group:  files ldap winbind
  • /etc/pam.d/system-auth-ac
    auth  sufficient  pam_ldap.so use_first_pass
    auth  sufficient  pam_winbind.so use_first_pass
    account  [default=bad success=ok user_unknown=ignore] pam_ldap.so
    account  [default=bad success=ok user_unknown=ignore] pam_winbind.so
    password  sufficient  pam_ldap.so use_authtok
    password  sufficient  pam_winbind.so use_authtok
    session  optional  pam_ldap.so
  • /etc/sysconfig/authconfig
    USELDAP=yes
    USEWINBIND=yes
    USEWINBINDAUTH=yes
    USELDAPAUTH=yes

smbldap-tools installieren:

# yum install smbldap-tools

setup bind
setup winbind (/etc/samba/smb.conf):

domain logons = Yes
domain master = (Yes on PDC, No on BDCs)

Für LDAP in der Samba-Konfiguration:

passdb backend = ldapsam:ldap://127.0.0.1
[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
guest ok = Yes
browseable = No
check: # /usr/sbin/winbindd -d10 -i
check: # /usr/bin/wbinfo -t
check: # /usr/bin/wbinfo -tm
check: # /usr/bin/wbinfo -D ACES
check: # /usr/bin/wbinfo -D EXTENSION
check: # /usr/bin/wbinfo -u
setzen (LDAP-Admin-Passwort für das passdb-Backend, wird in secrets.tdb abgelegt; in dieser Form landet es auch in der Shell-History): # smbpasswd -w PASSWORD

/etc/nsswitch.conf:

passwd: files ldap winbind
shadow: files ldap winbind
group: files ldap winbind

/etc/krb5.conf:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = INETCOM.LOC
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 INETCOM.LOC = {
  kdc = kerberos.inetcom.loc:88
  admin_server = kerberos.inetcom.loc:749
  default_domain = inetcom.loc
 }

[domain_realm]
 inetcom.loc = INETCOM.LOC
 .inetcom.loc = INETCOM.LOC
[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

/etc/ldap.conf:

base dc=inetcom,dc=loc
idletimeout 3600
loglevel 256

/etc/openldap/schema/inetcom.ldif:

# Entries for inetcom.loc
dn: c=loc
objectClass: top
objectClass: country
description: Switzerland
c: loc

dn: o=inetcom, c=loc
objectClass: top
objectClass: organization
description: Internet, Netzwerke, Kommunikation
o: loc

dn: cn=Jan Holler, o=inetcom.loc, c=loc
mail: jh@inetcom.loc
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
sn: Hol
ou: Inhaber
description: Informatiker
cn: Jan Holler

dn: cn=A Holler, o=inetcom, c=loc
mail: ah@inetcom.loc
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
sn: Ah
ou: Kommunikations Beratung
homePhone: +4131331XXXX
telephoneNumber: +4131325XXXX
description: PR
cn: A Holler
# ldapadd -f /etc/openldap/schema/inetcom.ldif -D "cn=root"

(Ohne das geht offenbar kein Admin-Zugriff auf LDAP – noch zu testen.)

referral  ldap://localhost:389

logging: /etc/syslog.conf:
local4.* /var/log/slapd.log

/usr/share/doc/samba-3.0.33/LDAP/README:

# cp /usr/share/doc/samba-3.0.33/LDAP/samba.schema /etc/openldap/schema/

/etc/openldap/slapd.conf:

include  /etc/openldap/schema/samba.schema

weiteres schema: http://www.bayour.com/openldap/schemas/krb5-kdc.schema

database  bdb
suffix  "dc=inetcom,dc=loc"
rootdn  "cn=root,dc=inetcom,dc=loc"
Der in rootdn angegebene cn ist der Administrator.

ldappasswd -H ldap://ldapserver -x -D cn=admin,dc=company,dc=com -S \
-W uid=username,ou=Users,dc=company,dc=com

LDAP

Migration tools sind installiert mit openldap-server:

# vi /usr/share/openldap/migration/migrate_common.ph

Eventuell gibt es doppelte Einträge in /etc/services. Diese Zeilen vorübergehend auskommentieren, falls sie Probleme machen.

#echo  4/ddp  # AppleTalk Echo Protocol
zip  6/ddp  # Zone Information Protocol
...

#raid-am  2007/udp
#terminaldb  2008/udp
#whosockami  2009/udp

SSL/TLS für LDAP
 

Erstelle eine Certificate Authority (CA)

  1. Wechsle das Arbeitsverzeichnis:
    # cd /etc/pki/CA
  2. Erstellen der CA, gültig 10 Jahre:
    # openssl req -config openssl.cnf -new -x509 -extensions v3_ca -keyout private/ca.key \
    -out certs/ca.crt -days 3650

    Enter PEM pass phrase: $password
    Re-Enter PEM pass phrase: $password
    Country Name: $country
    State or Province Name: $state
    Locality Name: $city
    Organization Name: $company
    Organizational Unit Name: $department = Certificate Authority
    Common Name: ca.$domain
    Email Address: ca@$domain

  3. Beschränke den Zugriff auf den privaten Schlüssel auf root:
    # chmod 0400 private/ca.key

# kadmin.local -q "addprinc administrator"

# kinit administrator@INETCOM.LOC

Füge ein host principal zu:

# kadmin ktadd host/zeus.inetcom.loc
Authenticating as principal admin/admin@INETCOM.LOC with password.
kadmin: Client not found in Kerberos database while initializing kadmin interface

# kadmin.local -q "addprinc admin/admin"
kadmin ktadd host/zeus.inetcom.loc
Authenticating as principal admin/admin@INETCOM.LOC with password.
Password for admin/admin@INETCOM.LOC: $password

EVTL: "The windows server was running in mixed mode which meant that I had to
remove the realm paramater and use security = domain and finally join the
domain with: net rpc join. "

CHECK SID

# net getlocalsid

Samba

/etc/pam_smb.conf:
add correct workgroup

Links