Samba通过Openldap统一认证

1.环境准备

1.1、实验环境

[root@moban ~]# cat /etc/redhat-release

CentOS release 6.8 (Final)

[root@moban ~]# uname -r

2.6.32-642.el6.x86_64

1.2、校准服务器时间

[root@moban ~]# ntpdate pool.ntp.org

12 Nov 01:11:59 ntpdate[2354]: adjust time server 202.118.1.81 offset 0.004307 sec

[root@moban ~]# crontab -l

#time sync

*/5 * * * * /usr/sbin/ntpdate pool.ntp.org >/dev/null 2>&1

1.3、关闭selinux和iptables

[root@moban ~]# getenforce  

Enforcing

[root@moban ~]# setenforce 0

Permissive

[root@moban ~]# service iptables stop

2.Openldap和Samba的安装配置

2.1、安装Openldap和Samba

[root@moban ~]# yum -y install openldap openldap-clients openldap-servers nss-pam-ldapd

[root@moban ~]# yum -y install samba-common samba samba-client

2.2、配置openldap

a.Openldap引用samba.schema

[root@moban ~]# cp /usr/share/doc/samba-3.6.23/LDAP/samba.schema /etc/openldap  /schema/

b.拷贝openldap的示例配置文件

[root@moban ~]# cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf

c.生成ldap管理员密码

[root@moban ~]# slappasswd -s 123456

{SSHA}Ae1JJTvbeP60y91e9MdAqOmpleSWG19o

d.修改配置文件

[root@moban ~]# vi /etc/openldap/slapd.conf

在18行插入如下内容:

18 include         /etc/openldap/schema/samba.schema

注释掉99行到102行:

    99 # database config

    100 # access to *

    101 #       by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage

    102 #       by * none

在111行插入如下访问权限内容:

    111 access to attrs=userPassword

    112   by self write

    113   by anonymous auth

    114   by * none

    115 access to attrs=sambaNTPassword

    116   by self write

    117   by anonymous auth

    118   by * none

    119 access to *

    120   by self write

    121   by * read

修改126行到134行的内容为:

修改前:

    126 database        bdb

    127 suffix          "dc=my-domain,dc=com"

    128 checkpoint      1024 15

    129 rootdn          "cn=Manager,dc=my-domain,dc=com"

    130 # Cleartext passwords, especially for the rootdn, should

    131 # be avoided.  See slappasswd(8) and slapd.conf(5) for d

        etails.

    132 # Use of strong authentication encouraged.

    133 # rootpw                secret

    134 # rootpw                {crypt}ijFYNcSNctBYg

修改后:

    127 suffix          "dc=etiantian,dc=org"

    129 rootdn          "cn=admin,dc=etiantian,dc=org"

    134 rootpw          {SSHA}Ae1JJTvbeP60y91e9MdAqOmpleSWG19o

修改143行的内容为:

index ou,cn,mail,surname,givenname      eq,pres,sub

index ou,cn,mail,surname,givenname      eq,pres,sub,approx

修改105行到109行的内容为:

    105 database monitor

    106 access to *

    107         by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn

        =external,cn=auth" read

    108         by dn.exact="cn=Manager,dc=my-domain,dc=com" read

    109         by * none

    107         by dn.exact="cn=admin,dc=etiantian,dc=org" read

    108         by * none

2.3、初始化openldap

a.删除openldap原始的配置文件和数据

[root@moban ~]# rm -rf /etc/openldap/slapd.d/*

[root@moban ~]# rm -rf /var/lib/ldap/*

b.拷贝数据库的配置文件

[root@moban ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

[root@moban ~]# chown ldap.ldap -R /var/lib/ldap

[root@moban ~]# ll /var/lib/ldap

total 4

-rw-r--r--. 1 ldap ldap 845 Nov 12 01:54 DB_CONFIG

c.生成2.4版本的配置文件

[root@moban ldap]# slaptest -u

config file testing succeeded

[root@moban ldap]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/  #生成旧版本的配置文件

d.初始化openldap的基础数据

[root@moban openldap]# vi base.ldif

dn: dc=etiantian,dc=org

objectClass: organization

objectClass: dcObject

dc: etiantian

o: etiantian

dn: ou=People,dc=etiantian,dc=org

objectClass: organizationalUnit

ou: People

dn: ou=group,dc=etiantian,dc=org

ou: group

[root@moban openldap]# vi group.ldif

dn: cn=DBA,ou=group,dc=etiantian,dc=org

objectClass: posixGroup

objectClass: top

cn: DBA

memberUid: test1

gidNumber: 10673

[root@moban openldap]# vi user.ldif

dn: uid=test1,ou=People,dc=etiantian,dc=org

objectClass: posixAccount

objectClass: inetOrgPerson

objectClass: shadowAccount

gidNumber: 0

givenName: test1

sn: test1

uid: test1

homeDirectory: /home/test1

loginShell: /bin/bash

shadowFlag: 0

shadowMin: 0

shadowMax: 99999

shadowWarning: 0

shadowInactive: 99999

shadowLastChange: 12011

shadowExpire: 99999

cn: test1

uidNumber: 24422

e.把基础数据导入ldap

[root@moban openldap]# slapadd -l base.ldif

58260c66 The first database does not allow slapadd; using the first available one (2)

_#################### 100.00% eta   none elapsed            none fast!         

Closing DB...

[root@moban openldap]# slapadd -l group.ldif

58260c6d The first database does not allow slapadd; using the first available one (2)

[root@moban openldap]# slapadd -l user.ldif

58260c72 The first database does not allow slapadd; using the first available one (2)

[root@moban openldap]# chown -R ldap.ldap /var/lib/ldap

[root@moban openldap]# chown -R ldap.ldap /etc/openldap/slapd.d

[root@moban openldap]# chmod -R 700 /var/lib/ldap

[root@moban openldap]# chmod -R 700 /etc/openldap/slapd.d

2.4、配置samba

a.修改samba的配置

[root@moban openldap]# cd /etc/samba/

[root@moban samba]# cp smb.conf smb.conf.ori

[root@moban samba]# vi smb.conf

[global]

workgroup = WORKGROUP

server string = Samba-ldap Server Version %v

netbios name = samba-ldapsam

log file = /var/log/samba/log.%m

max log size = 50

security = user

passdb backend = ldapsam:ldap://192.168.0.111/

ldap suffix = "dc=etiantian,dc=org"

ldap admin dn = "cn=admin,dc=etiantian,dc=org"

ldap user suffix = "ou=People,dc=etiantian,dc=org"

ldap group suffix = "ou=group,dc=etiantian,dc=org"

ldap delete dn = no

ldap passwd sync = yes

ldap ssl = no

[sambashare]

comment = share all

path = /app/log

browseable = yes

public = yes

writable = yes

[myshare]

comment = share for users

path = /application

public = no

b.创建共享数据目录

[root@moban samba]# mkdir /app/log -p

[root@moban samba]# mkdir /application

提示:为了方便测试，先给目录777的权限

[root@moban samba]# chmod -R 777 /application

[root@moban samba]# chmod -R 777 /app/log

c.保存openldap的admin密码到samba中

提示:为了使samba能够访问ldap,把ldap管理员的密码保存到samba的secrets.tdb中(/var/lib/samba/private/secrets.tdb)

[root@moban samba]# smbpasswd -w 123456

Setting stored password for "cn=admin,dc=etiantian,dc=org" in secrets.tdb

d.在openldap中，添加samba测试用户

[root@moban openldap]# cat /etc/passwd|grep admin(系统用户)

admin:x:500:500::/home/admin:/bin/bash

[root@moban samba]# cd /etc/openldap/

[root@moban openldap]# vi /etc/samba/smbusers

在最下面加入samba用户

admin sambatest  #意思是说admin这个系统用户名有一个虚拟的SMB用户名:sambatest

[root@moban openldap]# vi sambauser.ldif

dn: uid=sambatest,ou=People,dc=etiantian,dc=org

gidNumber: 1009

givenName: sambatest

sn: sambatest

uid: sambatest

homeDirectory: /home/sambatest

cn: sambatest

uidNumber: 24425

[root@moban openldap]# slapadd -l sambauser.ldif

58261bcf The first database does not allow slapadd; using the first available one (2)

e.设置操作系统从ldap中验证用户

提示:设置系统如果没有从/etc/passwd中找到用户就去openldap中验证。

[root@moban openldap]# authconfig-tui

User Information

[*] Use LDAP

Authentication

[*] Use Fingerprint reader

┌─────────┤ LDAP Settings ├───────

│

│          [ ] Use TLS

│ Server: ldap://192.168.0.111/

│ Base DN: dc=etiantian,dc=org

[root@moban openldap]# grep "ldap" /etc/nsswitch.conf

passwd:     files ldap

shadow:     files ldap

group:      files ldap

netgroup:   files ldap

automount:  files ldap

[root@moban openldap]# tail -3 ldap.conf

URI ldap://192.168.0.111/

BASE dc=etiantian,dc=org

TLS_CACERTDIR /etc/openldap/cacerts

[root@moban openldap]# /etc/init.d/slapd start

[root@moban openldap]# /etc/init.d/smb start

f.测试从ldap中获取用户信息

[root@moban openldap]# id sambatest           

uid=24425(sambatest) gid=1009 groups=1009

[root@moban openldap]# grep "sambatest" /etc/passwd

备注:从passwd文件中找不到sambatest，说明sambatest是从ldap中获取的。

g.设置测试用户sambatest密码

[root@moban openldap]# smbpasswd -a sambatest

New SMB password:123456789

Retype new SMB password:123456789

Added user sambatest.

h.测试samba中sambatest用户能否登录

[root@moban openldap]# smbclient -U sambatest //192.168.0.111/sambashare

Enter sambatest's password:

Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.6.23-36.el6_8]

smb: \> ls

  .                                   D        0  Sat Nov  5 20:38:28 2016

  ..                                  D        0  Thu Oct 27 13:01:13 2016

  UM4SW7~D.LOG                        A       74  Thu Oct 27 19:29:01 2016

  U41Y9B~1.LOG                        A       85  Thu Oct 27 19:37:24 2016

  U0XZAY~G.LOG                        A      117  Thu Oct 27 19:18:40 2016

  UAKC5V~4.LOG                        A       99  Thu Oct 27 19:27:02 2016

  UO0D3H~P.LOG                        A        0  Sat Nov  5 20:38:28 2016

  U3DW4T~X.LOG                        A       48  Thu Oct 27 19:30:14 2016

                51760 blocks of size 524288. 45745 blocks available

smb: \>

[root@moban openldap]# smbclient -U sambatest //192.168.0.111/myshare

  .                                   D        0  Sat Nov  5 23:26:28 2016

  ..                                 DR        0  Fri Nov 11 22:26:21 2016

  svndata                             D        0  Thu Oct 27 01:48:57 2016

  新建 Microsoft Access 数据库.accdb      A   512000  Sat Nov  5 23:26:28 2016

  svnpasswd                           D        0  Sat Nov  5 21:02:06 2016

通过以上结果可以看到samba通过openldap验证访问正常，再看看windows的访问，如下图: