Rather rudimentary and untidy notes on Samba and Active Directory (AD)
# system-config-authentication
Install smbldap-tools:
# yum install smbldap-tools
set up bind
set up winbind (/etc/samba/smb.conf):
domain logons = Yes
domain master = Yes    (Yes on the PDC, No on BDCs)
for ldap in the samba configuration:
passdb backend = ldapsam:ldap://127.0.0.1

[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
guest ok = Yes
browseable = No
check: # /usr/sbin/winbindd -d10 -i
check: # /usr/bin/wbinfo -t
check: # /usr/bin/wbinfo -tm
check: # /usr/bin/wbinfo -D ACES
check: # /usr/bin/wbinfo -D EXTENSION
check: # /usr/bin/wbinfo -u
check: # smbpasswd -w PASSWORD
/etc/nsswitch.conf:
passwd: files ldap winbind
shadow: files ldap winbind
group:  files ldap winbind
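A small linter for the nsswitch.conf above, added here as an example (not part of the original notes). glibc silently ignores a source it has no libnss_*.so for, so a misspelled module name such as "windbind" raises no error; the lookup simply skips that source and domain users stop resolving. The script reads an nsswitch.conf on stdin, compares every source on the passwd/shadow/group lines against an allowlist (the list of installed modules is an assumption; adjust it to your host) and insists on "files" coming first so local accounts, root included, still resolve when LDAP or the domain controller is unreachable.

```shell
#!/bin/sh
# Added example, not from the original notes: lint an nsswitch.conf read on stdin.

# Assumption: these are the NSS modules installed on the host; adjust to match
# the libnss_*.so files present on yours.
KNOWN_SOURCES="files ldap winbind compat dns sss nis"

# check_nsswitch < nsswitch.conf
# Prints one line per problem; returns 0 if clean, 1 otherwise.
check_nsswitch() {
    awk -v known="$KNOWN_SOURCES" '
    BEGIN {
        n = split(known, list, " ")
        for (i = 1; i <= n; i++) ok[list[i]] = 1
        bad = 0
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments and blank lines
    {
        db = $1
        sub(/:$/, "", db)
        if (db != "passwd" && db != "shadow" && db != "group") next
        seen[db] = 1
        if ($2 != "files") {
            print db ": \"files\" should be listed first"
            bad = 1
        }
        for (i = 2; i <= NF; i++) {
            src = $i
            if (src ~ /^\[/) continue        # action such as [NOTFOUND=return]
            if (!(src in ok)) {
                print db ": unknown source \"" src "\""
                bad = 1
            }
        }
    }
    END {
        if (!("passwd" in seen)) { print "passwd: line missing"; bad = 1 }
        if (!("shadow" in seen)) { print "shadow: line missing"; bad = 1 }
        if (!("group" in seen))  { print "group: line missing";  bad = 1 }
        exit bad
    }'
}

# Demo on a constructed sample that carries the "windbind" misspelling.
printf 'passwd: files ldap winbind\nshadow: files ldap windbind\ngroup: files ldap winbind\n' \
    | check_nsswitch || echo "nsswitch.conf needs fixing"
```

Run it as `check_nsswitch < /etc/nsswitch.conf` after every edit; a clean file prints nothing and returns 0.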
/etc/krb5.conf:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = INETCOM.LOC
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 INETCOM.LOC = {
  kdc = kerberos.inetcom.loc:88
  admin_server = kerberos.inetcom.loc:749
  default_domain = inetcom.loc
 }

[domain_realm]
 inetcom.loc = INETCOM.LOC
 .inetcom.loc = INETCOM.LOC

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
/etc/ldap.conf:
base dc=inetcom,dc=loc
idletimeout 3600
loglevel 256
/etc/openldap/schema/inetcom.ldif:
# Entries for inetcom.loc
dn: c=loc
objectClass: top
objectClass: country
description: Switzerland
c: loc

dn: o=inetcom, c=loc
objectClass: top
objectClass: organization
description: Internet, Netzwerke, Kommunikation
o: inetcom

dn: cn=Jan Holler, o=inetcom, c=loc
mail: jh@inetcom.loc
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
sn: Hol
ou: Inhaber
description: Informatiker
cn: Jan Holler

dn: cn=A Holler, o=inetcom, c=loc
mail: ah@inetcom.loc
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
sn: Ah
ou: Kommunikations Beratung
homePhone: +4131331XXXX
telephoneNumber: +4131325XXXX
description: PR
cn: A Holler
# ldapadd -x -W -D "cn=root,dc=inetcom,dc=loc" -f /etc/openldap/schema/inetcom.ldif
(without it there is no admin access to ldap?? test)
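A pre-flight check for LDIF files like the one above, added here as an example (not part of the original notes). slapd rejects an entry whose dn names an attribute value that the entry itself does not carry (the error reads "naming attribute ... is not present in entry"), a mistake that is easy to make when entries are typed by hand. The script reads LDIF on stdin, takes the first RDN of each dn (e.g. "o=inetcom" from "o=inetcom, c=loc") and verifies that a matching "attr: value" line exists in that entry. It assumes plain "dn:" lines (base64 "dn::" values are not decoded) and compares values exactly.

```shell
#!/bin/sh
# Added example, not from the original notes: check LDIF naming attributes
# before running ldapadd.

# check_ldif_rdn < file.ldif
# Prints one line per inconsistent entry; returns 0 if all are fine, 1 otherwise.
check_ldif_rdn() {
    awk '
    function flush(    rdn, attr, val, key, k) {
        if (dn == "") return
        rdn = dn
        sub(/,.*/, "", rdn)                  # keep only the first RDN
        attr = rdn; sub(/=.*/, "", attr)
        val = rdn;  sub(/^[^=]*=/, "", val)
        gsub(/^[ \t]+|[ \t]+$/, "", attr)
        gsub(/^[ \t]+|[ \t]+$/, "", val)
        key = tolower(attr) ":" val
        if (!(key in have)) {
            print "dn \"" dn "\": naming attribute " attr "=" val " not present in entry"
            bad = 1
        }
        dn = ""
        for (k in have) delete have[k]
    }
    BEGIN { bad = 0 }
    /^#/ { next }                            # comment line
    /^[ \t]*$/ { flush(); next }             # blank line ends an entry
    /^dn:/ { flush(); dn = $0; sub(/^dn:[ \t]*/, "", dn); next }
    /^[^ \t:]+:/ {
        a = $0; sub(/:.*/, "", a)            # attribute name
        v = $0; sub(/^[^:]*:[ \t]*/, "", v)  # attribute value
        have[tolower(a) ":" v] = 1
    }
    END { flush(); exit bad }
    '
}

# Demo on a constructed entry whose dn says o=inetcom but whose o attribute says loc.
check_ldif_rdn <<'EOF' || echo "fix the LDIF before running ldapadd"
dn: o=inetcom, c=loc
objectClass: top
objectClass: organization
o: loc
EOF
```

Usage: `check_ldif_rdn < /etc/openldap/schema/inetcom.ldif`; a consistent file prints nothing and returns 0.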
referral ldap://localhost:389
logging: /etc/syslog.conf:
local4.* /var/log/slapd.log
/usr/share/doc/samba-3.0.33/LDAP/README:
# cp /usr/share/doc/samba-3.0.33/LDAP/samba.schema /etc/openldap/schema/
/etc/openldap/slapd.conf:
include /etc/openldap/schema/samba.schema
further schema: http://www.bayour.com/openldap/schemas/krb5-kdc.schema
database bdb
suffix "dc=inetcom,dc=loc"
rootdn "cn=root,dc=inetcom,dc=loc"
cn is the administrator
ldappasswd -H ldap://ldapserver -x -D cn=admin,dc=company,dc=com -S -W uid=username,ou=Users,dc=company,dc=com
Migration tools are installed together with openldap-server:
# vi /usr/share/openldap/migration/migrate_common.ph
There may be a duplicate entry in /etc/services. Temporarily comment out these lines if they cause problems.
#echo        4/ddp    # AppleTalk Echo Protocol
zip          6/ddp    # Zone Information Protocol
...
#raid-am     2007/udp
#terminaldb  2008/udp
#whosockami  2009/udp
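To find such duplicates instead of hunting for them by hand, here is a small script added as an example (not part of the original notes). It reads an /etc/services-style file on stdin and lists every port/protocol pair that is defined more than once, together with the service names involved; the migration scripts build one LDAP entry per line, so two lines for the same pair collide. The sample lines in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the original notes: report port/proto pairs defined
# more than once in an /etc/services-style file.

# find_dup_services < /etc/services
# Output: "port/proto: name1 name2 ..." per duplicate; returns 1 if any exist.
find_dup_services() {
    awk '
    BEGIN { bad = 0 }
    { sub(/#.*/, "") }                       # drop comments and commented-out lines
    NF < 2 { next }                          # need at least "name port/proto"
    {
        key = $2                             # e.g. 2007/udp
        count[key]++
        names[key] = names[key] " " $1
    }
    END {
        for (k in count)
            if (count[k] > 1) { print k ":" names[k]; bad = 1 }
        exit bad
    }'
}

# Demo on a constructed excerpt (the 2007/udp duplicate is made up for the demo).
find_dup_services <<'EOF' || echo "comment out one of each pair before migrating"
echo         4/ddp    # AppleTalk Echo Protocol
zip          6/ddp    # Zone Information Protocol
raid-cc      2007/tcp
raid-am      2007/udp
terminaldb   2008/udp
raid-am-dup  2007/udp
EOF
```

Lines that are already commented out are ignored, so re-running the script after editing confirms the fix.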
Create the CA, valid for 10 years:
# openssl req -config openssl.cnf -new -x509 -extensions v3_ca -keyout private/ca.key \
-out certs/ca.crt -days 3650
Enter PEM pass phrase: $password
Re-Enter PEM pass phrase: $password
Country Name: $country
State or Province Name: $state
Locality Name: $city
Organization Name: $company
Organizational Unit Name: $department = Certificate Authority
Common Name: ca.$domain
Email Address: ca@$domain
# kadmin.local -q "addprinc administrator"
# kinit administrator@INETCOM.LOC
Add a host principal:
# kadmin -q "ktadd host/zeus.inetcom.loc"
Authenticating as principal admin/admin@INETCOM.LOC with password.
kadmin: Client not found in Kerberos database while initializing kadmin interface
# kadmin.local -q "addprinc admin/admin"
# kadmin -q "ktadd host/zeus.inetcom.loc"
Authenticating as principal admin/admin@INETCOM.LOC with password.
Password for admin/admin@INETCOM.LOC: $password
POSSIBLY: "The windows server was running in mixed mode which meant that I had to remove the realm parameter and use security = domain and finally join the domain with: net rpc join."
CHECK SID
# net getlocalsid
/etc/pam_smb.conf:
add correct workgroup
http://www.centos.org/docs/5/html/Deployment_Guide-en-US/ch-kerberos.html