Thread: Building a Primary Domain Controller with Directory Service - Samba


To replace a Windows Domain Controller, on Linux we use LDAP + Samba as the Primary Domain Controller. For the LDAP part we can use OpenLDAP, Directory Service (389-ds, redhat-ds, centos-ds), Novell eDirectory... This article walks through using Directory Service on CentOS, i.e. centos-ds.
Requirements
DNS:
Domain name: test.com -> 192.168.1.140
Directory server: vm01.test.com -> 192.168.1.140
Operating system: CentOS 5.x (32-bit): http://mirror-fpt-telecom.fpt.net/centos/5.8/isos/i386/
Install the Fedora Project EPEL repo: http://mirror-fpt-telecom.fpt.net/fedora/epel//5/i386/epel-release-5-4.noarch.rpm
Windows client (389-console): http://port389.org/download/389-Cons...1.6-x86_64.msi
Install Directory Service
[root@vm01 ~]# vim /etc/hosts
127.0.0.1 localhost.localdomain localhost
192.168.1.140 vm01.test.com vm01
[root@vm01 ~]# yum install -y openldap openldap-servers smbldap-tools samba3x* centos-ds centos-ds-admin
[root@vm01 ~]# /usr/sbin/setup-ds-admin.pl
Would you like to continue with set up? [yes]: <Enter>
Do you agree to the license terms? [no]: yes
Choose a setup type [2]: 2
Computer name [vm01.test.com]: <Enter>
System User [nobody]: ldap
System Group [nobody]: ldap
Do you want to register this software with an existing
configuration directory server? [no]: <Enter>
Configuration directory server
administrator ID [admin]: <Enter>
Password: 123456
Password (confirm): 123456
Administration Domain [test.com]: <Enter>
Directory server network port [389]: <Enter>
Directory server identifier [vm01]: <Enter>
Suffix [dc=test, dc=com]: <Enter>
Directory Manager DN [cn=Directory Manager]: <Enter>
Password: 123456
Password (confirm): 123456
Administration port [9830]: <Enter>
Are you ready to set up your servers? [yes]: <Enter>
Creating directory server . . .
Your new DS instance 'vm01' was successfully created.
Creating the configuration directory server . . .
Beginning Admin Server creation . . .
Creating Admin Server files and directories . . .
Updating adm.conf . . .
Updating admpw . . .
Registering admin server with the configuration directory server . . .
Updating adm.conf with information from configuration directory server . . .
Updating the configuration for the httpd engine . . .
Starting admin server . . .
The admin server was successfully started.
Admin server was successfully created, configured, and started.
Exiting . . .
Log file is '/tmp/setupYHr5gP.log'
We have now set up dirsrv-admin (used to manage Directory Service through the 389-console tool) and dirsrv with an instance named vm01. Check that both are running:
[root@vm01 ~]# /etc/init.d/dirsrv status
dirsrv vm01 (pid 2496) is running...
[root@vm01 ~]# /etc/init.d/dirsrv-admin status
dirsrv-admin (pid 2586) is running...
Connect to Directory Service with 389-console from a Windows machine. To run 389-console the Windows client needs a JDK or JRE installed, with Java's bin directory added to the PATH environment variable in Windows:
Variable name: Path
Variable value: C:\Program Files (x86)\Java\jdk1.6.0_10\bin
[Screenshot: 1.jpg]
Configure Samba
First /etc/ldap.conf, which nss_ldap on CentOS 5 uses to resolve users and groups from the directory:
[root@vm01 ~]# vim /etc/ldap.conf
host 127.0.0.1
base dc=test,dc=com
uri ldap://127.0.0.1/
binddn cn=Directory Manager
bindpw 123456
nss_base_passwd ou=Users,dc=test,dc=com?one
nss_base_passwd ou=Computers,dc=test,dc=com?one
nss_base_group ou=Groups,dc=test,dc=com?one
Note that /etc/ldap.conf has to stay world-readable for nss_ldap to work, so putting the Directory Manager password in bindpw hands the directory superuser password to every local user. For anything beyond a lab, bind with a low-privilege read-only account in binddn/bindpw and keep the privileged DN in rootbinddn, with its password in the root-only /etc/ldap.secret (mode 0600).
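A small audit for that caveat, as an added example that is not part of the original post: it reads an nss_ldap-style ldap.conf, flags a binddn of cn=Directory Manager (the 389-ds superuser DN used above) and reports whether a bindpw sits in a file readable by non-root users. The hardened sample it checks uses an assumed proxy DN, uid=nssproxy,ou=Users,dc=test,dc=com, which does not exist in the walkthrough.

```shell
#!/bin/sh
# Added example, not from the original post: audit an nss_ldap /etc/ldap.conf
# for a privileged bind credential that every local user can read.
# nss_ldap is loaded into every process that resolves users (getpwnam, id,
# ls -l), so /etc/ldap.conf must stay world-readable; whatever "bindpw" holds
# is therefore readable by all local users. The accepted pattern is the
# nss_ldap one: "binddn" is a low-privilege (or no) bind and a privileged DN
# goes in "rootbinddn" with its password in root-only /etc/ldap.secret.
# Usage: check_nss_ldap_conf /etc/ldap.conf   (exit 0 = no finding, 1 = weak)

check_nss_ldap_conf() {
    f=$1
    rc=0
    # Permission string such as -rw-r--r--: column 5 = group read, column 8 = other read
    perm=$(ls -ld "$f" | cut -c1-10)
    grp_r=$(printf '%s' "$perm" | cut -c5)
    oth_r=$(printf '%s' "$perm" | cut -c8)
    readable=no
    if [ "$grp_r" = r ] || [ "$oth_r" = r ]; then readable=yes; fi
    # First binddn / bindpw directive (nss_ldap keywords are case-insensitive)
    binddn=$(awk 'tolower($1) == "binddn" { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$f")
    has_pw=$(awk 'tolower($1) == "bindpw" { print "yes"; exit }' "$f")
    # Normalise the DN (case, spaces) and compare with the 389-ds superuser DN
    is_super=no
    case $(printf '%s' "$binddn" | tr 'A-Z' 'a-z' | tr -d ' ') in
        cn=directorymanager) is_super=yes ;;
    esac
    if [ "$is_super" = yes ]; then
        echo "WEAK: NSS binds as the directory superuser ($binddn); use a read-only proxy DN and rootbinddn + /etc/ldap.secret"
        rc=1
        if [ "$has_pw" = yes ] && [ "$readable" = yes ]; then
            echo "WEAK: its bindpw in $f is readable by every local user ($perm)"
        fi
    elif [ "$has_pw" = yes ] && [ "$readable" = yes ]; then
        echo "NOTE: bindpw for '$binddn' is world-readable in $f; acceptable only for a read-only proxy account"
    fi
    [ "$rc" -eq 0 ] && echo "OK: no privileged bind credential exposed by $f"
    return $rc
}

# Demo on two constructed files: the walkthrough's ldap.conf and a hardened variant
# (uid=nssproxy,ou=Users,dc=test,dc=com is an assumed proxy account)
demo_nss_ldap_check() {
    weak=$(mktemp); hard=$(mktemp)
    cat > "$weak" <<'EOF'
base dc=test,dc=com
uri ldap://127.0.0.1/
binddn cn=Directory Manager
bindpw 123456
EOF
    cat > "$hard" <<'EOF'
base dc=test,dc=com
uri ldap://127.0.0.1/
binddn uid=nssproxy,ou=Users,dc=test,dc=com
bindpw proxy-secret
rootbinddn cn=Directory Manager
EOF
    chmod 644 "$weak" "$hard"      # the mode /etc/ldap.conf normally has
    check_nss_ldap_conf "$weak"; w=$?
    check_nss_ldap_conf "$hard"; h=$?
    rm -f "$weak" "$hard"
    echo "weak=$w hardened=$h"
}
demo_nss_ldap_check
```

The check only recognises the superuser DN by name; it cannot tell how much a proxy account is allowed to read, so the NOTE line is a prompt to verify that account's ACIs in the directory.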
[root@vm01 ~]# vim /etc/samba/smb.conf
[global]
ldap ssl = off
workgroup = test.com
realm = test.com
netbios name = vm01
security = user
enable privileges = yes
server string = Samba Server %v
encrypt passwords = Yes
interfaces = eth0,lo
bind interfaces only = Yes
#passdb backend = tdbsam
username map = /etc/samba/smbusers
unix password sync = yes
ldap passwd sync = yes
passwd program = /usr/sbin/smbldap-passwd -u "%u"
passwd chat = "Changing *\nNew password*" %n\n "*Retype new password*" %n\n

log level = 1
syslog = 0
log file = /var/log/samba/log.%U
max log size = 100000
time server = Yes
smb ports = 139 445
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
mangling method = hash2
Dos charset = 850
Unix charset = ISO8859-1
name resolve order = wins bcast hosts
logon script = logon.bat
logon drive = T:
logon home =
logon path =

domain logons = Yes
domain master = Yes
os level = 65
preferred master = Yes
wins support = yes
passdb backend = ldapsam:"ldap://127.0.0.1/"
ldapsam:trusted = yes
# this must be the DN whose password is stored with "smbpasswd -w" below
ldap admin dn = uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot
ldap suffix = dc=test,dc=com
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
add user script = /usr/sbin/smbldap-useradd -m "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'

load printers = Yes
create mask = 0640
directory mask = 0750
nt acl support = No
printing = cups
printcap name = cups
deadtime = 10
guest account = nobody
map to guest = Bad User
dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
show add printer wizard = yes

preserve case = yes
short preserve case = yes
case sensitive = no
idmap backend = ldap://127.0.0.1
idmap uid = 10000-20000
idmap gid = 10000-20000
[netlogon]
path = /home/netlogon/
comment = Network Logon Service
guest ok = No
locking = No
browseable = No
[profiles]
path = /home/profiles
read only = no
create mask = 0600
directory mask = 0700
browseable = No
guest ok = Yes
profile acls = yes
csc policy = disable
[public]
path = /tmp
guest ok = yes
browseable = Yes
writable = yes
[homes]
comment = Home Directories
browseable = no
valid users = %S
writeable = yes
path = /home/%S
public = no
read only = No
create mask = 700
force create mode = 700
directory mask = 700
force directory mode = 700
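Samba keeps only the last value of a parameter that appears twice in a section, and testparm shows just the effective values, so a duplicated "ldap admin dn" or a later "nt acl support = No" can silently override what you meant. The following is an added example, not code from the original post: a small sh/awk checker that lists every parameter set more than once in the same smb.conf section, with the first and the effective value, run here on a constructed excerpt of the kind of duplicates that creep into a hand-edited [global].

```shell
#!/bin/sh
# Added example, not part of the original post: report smb.conf parameters that
# are set more than once in the same section. Samba keeps the LAST value of a
# repeated parameter, so a second "ldap admin dn" or a later "nt acl support = No"
# overrides the earlier line without any warning. Complements "testparm -s",
# which only prints the effective configuration.
# Usage: smbconf_dups /etc/samba/smb.conf

smbconf_dups() {
    # Drop comment lines (";" or "#" at line start), then count (section, key).
    sed -e '/^[[:space:]]*[;#]/d' "$1" | awk '
        /^[[:space:]]*\[.*\][[:space:]]*$/ {      # [section] header
            sec = $0
            gsub(/^[[:space:]]*\[|\][[:space:]]*$/, "", sec)
            next
        }
        index($0, "=") > 0 {
            pos = index($0, "=")                   # split on the FIRST "=" only:
            key = tolower(substr($0, 1, pos - 1))  # values such as SO_RCVBUF=8192
            val = substr($0, pos + 1)              # or LDAP DNs contain "=" too
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            gsub(/[[:space:]]+/, " ", key)         # "ldap  admin dn" == "ldap admin dn"
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            if (key == "") next
            k = sec SUBSEP key
            if (!(k in n)) first[k] = val
            n[k]++
            last[k] = val                          # what Samba will actually use
        }
        END {
            for (k in n) if (n[k] > 1) {
                split(k, p, SUBSEP)
                printf "[%s] %s: set %d times, first=\"%s\" effective=\"%s\"\n", p[1], p[2], n[k], first[k], last[k]
            }
        }' | sort
}

# Demo on a constructed excerpt with the duplicates a hand-edited [global] tends
# to accumulate; the same key in two different sections is not a duplicate.
demo_smbconf_dups() {
    t=$(mktemp)
    cat > "$t" <<'EOF'
[global]
   workgroup = test.com
   nt acl support = yes
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 SO_KEEPALIVE
   ldap admin dn = cn=Directory Manager
   ldap admin dn = uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot
   # socket options = this is a comment and must not count
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   nt acl support = No
[netlogon]
   browseable = No
[profiles]
   browseable = No
EOF
    smbconf_dups "$t"
    rm -f "$t"
}
demo_smbconf_dups
```

Run it on the real file before restarting smbd; every line it prints is a decision Samba has made for you, and the "ldap admin dn" case matters most, because the DN it settles on is the one whose password "smbpasswd -w" has to store.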
Configure smbldap-tools
Store the password of the ldap admin dn from smb.conf in secrets.tdb, then read back the local SID that smbldap.conf has to use:
[root@vm01 ~]# smbpasswd -w 123456
Setting stored password for "uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot" in secrets.tdb
[root@vm01 ~]# net getlocalsid
SID for domain VM01 is: S-1-5-21-431952051-696461453-904457104
Set the following values in /etc/smbldap-tools/smbldap.conf. The SID must be exactly the string net getlocalsid printed, with no space inside the quotes, since smbldap-populate writes it into the sambaDomainName entry and every user and group SID is derived from it. sambaDomain should also match the workgroup in smb.conf: here it is set to the netbios name VM01 while the workgroup is test.com, and the net rpc info output further down shows Samba running the domain TEST.COM under a different SID from the one populated here.
[root@vm01 ~]# vim /etc/smbldap-tools/smbldap.conf
SID="S-1-5-21-431952051-696461453-904457104"
sambaDomain="VM01"
slaveLDAP="127.0.0.1"
slavePort="389"
masterLDAP="127.0.0.1"
masterPort="389"
ldapTLS="0"
verify="none"
suffix="dc=test,dc=com"
usersdn="ou=Users,${suffix}"
groupsdn="ou=Groups,${suffix}"
mailDomain="test.com"
smbldap_bind.conf holds the admin DN and its password in clear text, so it must stay readable by root only (mode 0600, as the package installs it):
[root@vm01 ~]# vim /etc/smbldap-tools/smbldap_bind.conf
slaveDN="uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot"
slavePw="123456"
masterDN="uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot"
masterPw="123456"
Generate samba.ldif for Directory Service from the OpenLDAP samba.schema shipped with samba3x (adjust the version in the doc path to the installed samba3x build), then restart dirsrv so the schema is loaded:
[root@vm01 ~]# perl /usr/share/doc/samba3x-3.5.10/LDAP/ol-schema-migrate.pl -b /usr/share/doc/samba3x-3.5.10/LDAP/samba.schema > /etc/dirsrv/slapd-vm01/schema/61samba.ldif
[root@vm01 LDAP]# /etc/init.d/dirsrv restart
Shutting down dirsrv:
vm01... [ OK ]
Starting dirsrv:
vm01... [ OK ]
Populate the directory with the OUs, the built-in groups and the domain entry
[root@vm01 ~]# smbldap-populate
Populating LDAP directory for domain VM01 (S-1-5-21-431952051-696461453-904457104)
(using builtin directory structure)
adding new entry: uid=root,ou=Users,dc=test,dc=com
adding new entry: uid=nobody,ou=Users,dc=test,dc=com
adding new entry: cn=Domain Admins,ou=Groups,dc=test,dc=com
adding new entry: cn=Domain Users,ou=Groups,dc=test,dc=com
adding new entry: cn=Domain Guests,ou=Groups,dc=test,dc=com
adding new entry: cn=Domain Computers,ou=Groups,dc=test,dc=com
adding new entry: cn=Administrators,ou=Groups,dc=test,dc=com
adding new entry: cn=Account Operators,ou=Groups,dc=test,dc=com
adding new entry: cn=Print Operators,ou=Groups,dc=test,dc=com
adding new entry: cn=Backup Operators,ou=Groups,dc=test,dc=com
adding new entry: cn=Replicators,ou=Groups,dc=test,dc=com
adding new entry: sambaDomainName=VM01,dc=test,dc=com
Please provide a password for the domain root:
Changing UNIX and samba passwords for root
New password: 123456
Retype new password: 123456
Then start Samba:
[root@vm01 ~]# /etc/init.d/smb start
Starting SMB services: [ OK ]
[root@vm01 ~]# /etc/init.d/nmb start
Starting NMB services: [ OK ]
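Before populating, it is worth checking mechanically that the SID in smbldap.conf is byte-for-byte the one Samba reports, because a copy-and-paste slip such as SID=" S-1-5-21-..." (a space inside the quotes) is easy to miss and produces accounts whose SIDs belong to no domain. The following is an added example, not part of the original post: it parses the SID="..." line of smbldap.conf and the output of net getlocalsid and compares them, run here on constructed input built from the values above (the third case uses the other SID that appears in this post's net rpc info output, to show a mismatch).

```shell
#!/bin/sh
# Added example, not from the original post: verify that the SID configured in
# /etc/smbldap-tools/smbldap.conf equals the SID Samba keeps in secrets.tdb
# (printed by "net getlocalsid"). smbldap-populate writes the configured SID
# into the sambaDomainName entry and every user/group SID is <SID>-<rid>, so a
# stray space inside the quotes or a SID from another machine breaks logons.
# Usage: check_sid /etc/smbldap-tools/smbldap.conf "$(net getlocalsid)"

# Raw value between the quotes of the first uncommented SID="..." line
sid_from_smbldap_conf() {
    sed -n 's/^[[:space:]]*SID="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# SID from "SID for domain VM01 is: S-1-5-21-..." (net getlocalsid output)
sid_from_getlocalsid() {
    printf '%s\n' "$1" | sed -n 's/^SID for domain .* is:[[:space:]]*//p' | tr -d '[:space:]'
}

# A domain SID is exactly S-1-5-21-<n>-<n>-<n>
is_domain_sid() {
    printf '%s\n' "$1" | grep -Eq '^S-1-5-21-[0-9]+-[0-9]+-[0-9]+$'
}

check_sid() {
    conf_sid=$(sid_from_smbldap_conf "$1")
    local_sid=$(sid_from_getlocalsid "$2")
    if ! is_domain_sid "$local_sid"; then
        echo "ERROR: could not parse a domain SID from net getlocalsid output: '$2'"
        return 1
    fi
    if ! is_domain_sid "$conf_sid"; then
        # Distinguish the common whitespace slip from a genuinely broken value
        trimmed=$(printf '%s' "$conf_sid" | tr -d '[:space:]')
        if [ "$trimmed" = "$local_sid" ]; then
            echo "ERROR: smbldap.conf SID has stray whitespace inside the quotes: SID=\"$conf_sid\""
        else
            echo "ERROR: smbldap.conf SID is malformed: SID=\"$conf_sid\""
        fi
        return 1
    fi
    if [ "$conf_sid" != "$local_sid" ]; then
        echo "ERROR: SID mismatch: smbldap.conf=$conf_sid secrets.tdb=$local_sid"
        return 1
    fi
    echo "OK: smbldap.conf and secrets.tdb agree on $conf_sid"
}

# Demo on constructed input: the getlocalsid line from the walkthrough, and
# smbldap.conf excerpts with a leading-space SID, the correct SID, and a foreign SID
demo_check_sid() {
    gl="SID for domain VM01 is: S-1-5-21-431952051-696461453-904457104"
    t=$(mktemp)
    for sid in ' S-1-5-21-431952051-696461453-904457104' \
               'S-1-5-21-431952051-696461453-904457104' \
               'S-1-5-21-3448881354-3159148985-1214578410'; do
        printf '# SID="not-this-one" is a comment\nSID="%s"\nsambaDomain="VM01"\n' "$sid" > "$t"
        check_sid "$t" "$gl" || true
    done
    rm -f "$t"
}
demo_check_sid
```

After smbldap-populate the same comparison can be made against the directory itself, by reading the sambaSID attribute of the sambaDomainName entry with ldapsearch; it has to match net getlocalsid as well.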
Everything is now in place, so we can add a user to the directory (the Samba PDC):
[root@vm01 ~]# smbldap-useradd -a -G "Domain Users" -m -s /bin/bash -d /home/user1 -F "" -P user1
Changing UNIX and samba passwords for test
New password: 123456
Retype new password: 123456
Check that the user exists in the directory:
[root@vm01 ~]# net rpc info
Enter root's password:
Domain Name: TEST.COM
Domain SID: S-1-5-21-3448881354-3159148985-1214578410
Sequence number: 1341970448
Num users: 3
Num domain groups: 4
Num local groups: 0
[root@vm01 ~]# net rpc user
Enter root's password:
root
nobody
user1
Also check that the Unix side resolves the account: getent passwd user1 should return the LDAP entry. If it does not, /etc/nsswitch.conf is not yet pointing the passwd, group and shadow databases at ldap (for example via authconfig --enableldap --update), a step this walkthrough does not show.
Now we can join Windows machines to the TEST.COM domain. Windows 7 needs registry changes before it will join an NT4-style (non-AD) Samba domain: under HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters set the DWORD values DomainCompatibilityMode = 1 and DNSNameResolutionRequired = 0, either by hand or by importing the .reg file from https://attachments.samba.org/attachment.cgi?id=4988
[Screenshot: Windows 7 Pro-2012-07-11-08-44-20.jpg]
[Screenshot: Windows 7 Pro-2012-07-11-08-45-24.jpg]
The Windows client has joined the domain. Log on to the domain as user1, then check the session on the PDC:
[root@vm01 ~]# net status sessions
PID Username Group Machine
-------------------------------------------------------------------
3478 user1 Domain Users khuong (192.168.1.51)
[root@vm01 ~]# net status shares
Service pid machine Connected at
-------------------------------------------------------
user1 3478 khuong Wed Jul 11 0804 2012
IPC$ 3478 khuong Wed Jul 11 0825 2012
public 3478 khuong Wed Jul 11 0804 2012
IPC$ 3478 khuong Wed Jul 11 0803 2012

Going further
You can extend the Samba configuration with, for example:
- Roaming or mandatory profiles (Profiles)
- Shared folders for each department of the company (Permissions)
- Users of a department automatically get that department's drive mapped when they log on to the domain (logon script)
- Granting users SeTakeOwnershipPrivilege, SeBackupPrivilege, SeRestorePrivilege... (Samba rights)
...
Last edited by kukent; 11-07-2012 at 09:28 AM.

   TRUNG TÂM TIN HỌC VNPRO