Building a Primary Domain Controller with Directory Service - Samba

    To replace a Windows Domain Controller, on Linux we use LDAP + Samba as the Primary Domain Controller. For the LDAP part we can use OpenLDAP, Directory Service (389-ds, redhat-ds, centos-ds), Novell eDirectory, and others. This article shows how to use Directory Service on CentOS, i.e. centos-ds.
    Requirements
    DNS:
    Domain name: test.com -> 192.168.1.140
    Directory server: vm01.test.com -> 192.168.1.140
    Operating system: CentOS 5.x (32-bit): http://mirror-fpt-telecom.fpt.net/centos/5.8/isos/i386/
    Install the Fedora Project (EPEL) repo: http://mirror-fpt-telecom.fpt.net/fedora/epel//5/i386/epel-release-5-4.noarch.rpm
    Windows client: http://port389.org/download/389-Cons...1.6-x86_64.msi
    Installing Directory Service
    [root@vm01 ~]# vim /etc/hosts
    127.0.0.1 localhost.localdomain localhost
    192.168.1.140 vm01.test.com vm01
    [root@vm01 ~]# yum install -y openldap openldap-server smbldap-tools samba3x* centos-ds centos-ds-admin
    [root@vm01 ~]# /usr/sbin/setup-ds-admin.pl
    Would you like to continue with set up? [yes]: <Enter>
    Do you agree to the license terms? [no]: yes
    Choose a setup type [2]: 2
    Computer name [vm01.test.com]: <Enter>
    System User [nobody]: ldap
    System Group[nobody]: ldap
    Do you want to register this software with an existing
    configuration directory server? [no]: <Enter>
    Configuration directory server
    administrator ID [admin]: <Enter>
    Password: 123456
    Password (confirm): 123456
    Administration Domain [test.com]: <Enter>
    Directory server network port [389]: <Enter>
    Directory server identifier [vm01]: <Enter>
    Suffix [dc=test, dc=com]: <Enter>
    Directory Manager DN [cn=Directory Manager]:<Enter>
    Password: 123456
    Password (confirm): 123456
    Administration port [9830]: <Enter>
    Are you ready to set up your servers? [yes]: <Enter>
    Creating directory server . . .
    Your new DS instance 'vm01' was successfully created.
    Creating the configuration directory server . . .
    Beginning Admin Server creation . . .
    Creating Admin Server files and directories . . .
    Updating adm.conf . . .
    Updating admpw . . .
    Registering admin server with the configuration directory server . . .
    Updating adm.conf with information from configuration directory server . . .
    Updating the configuration for the httpd engine . . .
    Starting admin server . . .
    The admin server was successfully started.
    Admin server was successfully created, configured, and started.
    Exiting . . .
    Log file is '/tmp/setupYHr5gP.log'
    We have now set up dirsrv-admin (used to manage Directory Service through the 389-console tool) and dirsrv with the instance vm01. Check whether they are running:
    [root@vm01 ~]# /etc/init.d/dirsrv status
    dirsrv vm01 (pid 2496) is running...
    [root@vm01 ~]# /etc/init.d/dirsrv-admin status
    dirsrv-admin (pid 2586) is running...
    Connect to the Directory Service with 389-console from a Windows machine. To use 389-console, the Windows client must have a JDK or JRE installed and the PATH environment variable set in Windows:
    Variable name: Path
    Variable value: C:\Program Files (x86)\Java\jdk1.6.0_10\bin
    [Screenshot: 1.jpg]
    Configuring Samba
    [root@vm01 ~]# vim /etc/ldap.conf
    host 127.0.0.1
    base dc=test,dc=com
    uri ldap://127.0.0.1/
    binddn cn=Directory Manager
    bindpw 123456
    nss_base_passwd ou=Users,dc=test,dc=com?one
    nss_base_passwd ou=Computers,dc=test,dc=com?one
    nss_base_group ou=Groups,dc=test,dc=com?one
    [root@vm01 ~]# vim /etc/samba/smb.conf
    [global]
    ldap ssl = off
    workgroup = test.com
    realm = test.com
    netbios name = vm01
    security = user
    enable privileges = yes
    server string = Samba Server %v
    encrypt passwords = Yes
    interfaces = eth0,lo
    bind interfaces only = Yes
    #passdb backend = tdbsam
    username map = /etc/samba/smbusers
    unix password sync = yes
    ldap passwd sync = yes
    passwd program = /usr/sbin/smbldap-passwd -u "%u"
    passwd chat = "Changing *\nNew password*" %n\n "*Retype new password*" %n\n

    log level = 1
    syslog = 0
    log file = /var/log/samba/log.%U
    max log size = 100000
    time server = Yes
    smb ports = 139 445
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    mangling method = hash2
    Dos charset = 850
    Unix charset = ISO8859-1
    name resolve order = wins bcast hosts
    logon script = logon.bat
    logon drive = T:
    logon home =
    logon path =

    domain logons = Yes
    domain master = Yes
    os level = 65
    preferred master = Yes
    wins support = yes
    passdb backend = ldapsam:"ldap://127.0.0.1/"
    ldapsam:trusted = yes
    ldap admin dn = uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot
    ldap suffix = dc=test,dc=com
    ldap group suffix = ou=Groups
    ldap user suffix = ou=Users
    ldap machine suffix = ou=Computers
    add user script = /usr/sbin/smbldap-useradd -m "%u"
    delete user script = /usr/sbin/smbldap-userdel "%u"
    add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
    add group script = /usr/sbin/smbldap-groupadd -p "%g"
    add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
    delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
    set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'

    load printers = Yes
    create mask = 0640
    directory mask = 0750
    nt acl support = No
    printing = cups
    printcap name = cups
    deadtime = 10
    guest account = nobody
    map to guest = Bad User
    dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
    show add printer wizard = yes

    preserve case = yes
    short preserve case = yes
    case sensitive = no
    idmap backend = ldap://127.0.0.1
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    [netlogon]
    path = /home/netlogon/
    comment = Network Logon Service
    guest ok = No
    locking = No
    browseable = No
    [profiles]
    path = /home/profiles
    read only = no
    create mask = 0600
    directory mask = 0700
    browseable = No
    guest ok = Yes
    profile acls = yes
    csc policy = disable
    [public]
    path = /tmp
    guest ok = yes
    browseable = Yes
    writable = yes
    [homes]
    comment = Home Directories
    browseable = no
    valid users = %S
    writeable = yes
    path = /home/%S
    public = no
    read only = No
    create mask = 700
    force create mode = 700
    directory mask = 700
    force directory mode = 700
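Samba applies the last value when a parameter is set more than once in a section, so a stray duplicate in a long [global] section is silently overridden. The following added example (written for this post, not code from it) parses a constructed smb.conf excerpt, reports such overrides together with the value that actually takes effect, and flags settings a domain controller should not normally run with, such as ldap ssl = off or a writable guest share like [public].

```python
"""Audit smb.conf: when a parameter is set twice in one section Samba keeps the LAST
value and silently drops the earlier one. SAMPLE is a constructed excerpt of the post's [global]/[public]."""

SAMPLE = """
[global]
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 SO_KEEPALIVE
ldap ssl = off
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
ldap admin dn = cn=Directory Manager
ldap admin dn = uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot
[public]
path = /tmp
guest ok = yes
writable = yes
"""

def parse_smb_conf(text):
    """Return {section: [(key, value), ...]}, keeping order and duplicates."""
    sections, current = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif current is not None and "=" in line and line[0] not in "#;":
            key, _, value = line.partition("=")
            sections[current].append((key.strip().lower(), value.strip()))
    return sections

def find_conflicts(sections):
    """(section, key, overridden, effective) for keys set twice with different values."""
    out = []
    for name, pairs in sections.items():
        seen = {}
        for key, value in pairs:
            if key in seen and seen[key] != value:
                out.append((name, key, seen[key], value))
            seen[key] = value
    return out

def find_risky(sections):
    """Flag unencrypted LDAP and shares that anonymous users can write to."""
    out = []
    for name, pairs in sections.items():
        eff = dict(pairs)  # last value wins, exactly as Samba resolves it
        if name == "global" and eff.get("ldap ssl", "").lower() == "off":
            out.append((name, "ldap ssl = off: admin bind and hashes cross LDAP unencrypted (only defensible on loopback)"))
        if name != "global" and eff.get("guest ok", "").lower() == "yes" and eff.get("writable", "").lower() == "yes":
            out.append((name, "guest ok + writable: anonymous users can write to this share"))
    return out
```

Run it against the real file with parse_smb_conf(open("/etc/samba/smb.conf").read()) after every edit; testparm reports syntax errors but not silent overrides.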
    Configuring smbldap-tools
    [root@vm01 ~]# smbpasswd -w 123456
    Setting stored password for "uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot" in secrets.tdb
    [root@vm01 ~]# net getlocalsid
    SID for domain VM01 is: S-1-5-21-431952051-696461453-904457104
    [root@vm01 ~]# vim /etc/smbldap-tools/smbldap.conf
    SID="S-1-5-21-431952051-696461453-904457104"
    sambaDomain="VM01"
    slaveLDAP="127.0.0.1"
    slavePort="389"
    masterLDAP="127.0.0.1"
    masterPort="389"
    ldapTLS="0"
    verify="none"
    suffix="dc=test,dc=com"
    usersdn="ou=Users,${suffix}"
    groupsdn="ou=Groups,${suffix}"
    mailDomain="test.com"
    [root@vm01 ~]# vim /etc/smbldap-tools/smbldap_bind.conf
    slaveDN="uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot"
    slavePw="123456"
    masterDN="uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot"
    masterPw="123456"
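Both /etc/ldap.conf (bindpw) and /etc/smbldap-tools/smbldap_bind.conf (slavePw/masterPw) above store the directory administrator's password in clear text, so the file permissions decide which local users can bind to the directory with full rights. The following added example (written for this post, not code from it) checks such files for group- or world-readable permissions using constructed copies of the two files; the real paths in check_files() are assumptions matching the post.

```python
"""Check files holding clear-text LDAP bind passwords for over-broad permissions.

/etc/ldap.conf (bindpw) and smbldap_bind.conf (slavePw/masterPw) both carry the
directory admin password; a world-readable copy lets any local user bind as that
DN. assess() is pure so it can run on constructed samples; check_files() applies
it to real paths (assumed to be the ones used in the post)."""
import os
import re
import stat

SECRET_KEYS = re.compile(r"^\s*(bindpw|slavePw|masterPw)\b", re.I | re.M)

def assess(path, mode, text):
    """Findings for one file given its st_mode and contents; password values are never echoed."""
    keys = sorted({k.lower() for k in SECRET_KEYS.findall(text)})
    if not keys:
        return []
    if mode & stat.S_IROTH:
        return [f"{path}: holds {keys} but is world-readable (mode {stat.S_IMODE(mode):04o})"]
    if mode & stat.S_IRGRP:
        return [f"{path}: holds {keys} and is group-readable; use 0600 unless a dedicated group needs it"]
    return []

def check_files(paths=("/etc/ldap.conf", "/etc/smbldap-tools/smbldap_bind.conf")):
    """Run assess() over real files; unreadable or missing files are skipped."""
    out = []
    for p in paths:
        try:
            with open(p) as fh:
                out += assess(p, os.stat(p).st_mode, fh.read())
        except OSError:
            continue
    return out

# Constructed samples mirroring the two files in the post.
SAMPLE_LDAP_CONF = "host 127.0.0.1\nbase dc=test,dc=com\nbinddn cn=Directory Manager\nbindpw 123456\n"
SAMPLE_BIND_CONF = 'slaveDN="uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot"\nslavePw="123456"\nmasterPw="123456"\n'

if __name__ == "__main__":
    print(assess("/etc/ldap.conf", 0o644, SAMPLE_LDAP_CONF))  # typical default mode: exposed
    print(assess("/etc/smbldap-tools/smbldap_bind.conf", 0o600, SAMPLE_BIND_CONF))  # clean
    print(check_files())
```

nss_ldap reads /etc/ldap.conf from every process that resolves a user, so that file has to stay world-readable; the PADL mechanism for a privileged bind is the rootbinddn directive with the password kept in /etc/ldap.secret (mode 0600), leaving binddn/bindpw for a low-privilege lookup account.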
    Create samba.ldif for Directory Service from the samba.schema file shipped with Samba
    [root@vm01 ~]# perl /usr/share/doc/samba3x-3.5.10/LDAP/ol-schema-migrate.pl -b /usr/share/doc/samba3x-3.5.10/LDAP/samba.schema > /etc/dirsrv/slapd-vm01/schema/61samba.ldif
    [root@vm01 LDAP]# /etc/init.d/dirsrv restart
    Shutting down dirsrv:
    vm01... [ OK ]
    Starting dirsrv:
    vm01... [ OK ]
    Add the OUs to the directory
    [root@vm01 ~]# smbldap-populate
    Populating LDAP directory for domain VM01 (S-1-5-21-431952051-696461453-904457104)
    (using builtin directory structure)
    adding new entry: uid=root,ou=Users,dc=test,dc=com
    adding new entry: uid=nobody,ou=Users,dc=test,dc=com
    adding new entry: cn=Domain Admins,ou=Groups,dc=test,dc=com
    adding new entry: cn=Domain Users,ou=Groups,dc=test,dc=com
    adding new entry: cn=Domain Guests,ou=Groups,dc=test,dc=com
    adding new entry: cn=Domain Computers,ou=Groups,dc=test,dc=com
    adding new entry: cn=Administrators,ou=Groups,dc=test,dc=com
    adding new entry: cn=Account Operators,ou=Groups,dc=test,dc=com
    adding new entry: cn=Print Operators,ou=Groups,dc=test,dc=com
    adding new entry: cn=Backup Operators,ou=Groups,dc=test,dc=com
    adding new entry: cn=Replicators,ou=Groups,dc=test,dc=com
    adding new entry: sambaDomainName=VM01,dc=test,dc=com
    Please provide a password for the domain root:
    Changing UNIX and samba passwords for root
    New password: 123456
    Retype new password: 123456
    [root@vm01 ~]# /etc/init.d/smb start
    Starting SMB services: [ OK ]
    [root@vm01 ~]# /etc/init.d/nmb start
    Starting NMB services: [ OK ]
    Now that everything is set up, we can add users to the directory-backed Samba PDC
    [root@vm01 ~]# smbldap-useradd -a -G "Domain Users" -m -s /bin/bash -d /home/user1 -F "" -P user1
    Changing UNIX and samba passwords for test
    New password: 123456
    Retype new password: 123456
    Check that the user exists in the directory
    [root@vm01 ~]# net rpc info
    Enter root's password:
    Domain Name: TEST.COM
    Domain SID: S-1-5-21-3448881354-3159148985-1214578410
    Sequence number: 1341970448
    Num users: 3
    Num domain groups: 4
    Num local groups: 0
    [root@vm01 ~]# net rpc user
    Enter root's password:
    root
    nobody
    user1
    Now we can join Windows machines to the TEST.COM domain. For Windows 7, change the registry settings or import the registry file from https://attachments.samba.org/attachment.cgi?id=4988
    [Screenshot: Windows 7 Pro-2012-07-11-08-44-20.jpg]
    [Screenshot: Windows 7 Pro-2012-07-11-08-45-24.jpg]
    The Windows client has joined the domain. Log on to the domain as user1, then check the session on the PDC server:
    [root@vm01 ~]# net status sessions
    PID Username Group Machine
    -------------------------------------------------------------------
    3478 user1 Domain Users khuong (192.168.1.51)
    [root@vm01 ~]# net status shares
    Service pid machine Connected at
    -------------------------------------------------------
    user1 3478 khuong Wed Jul 11 08:53:04 2012
    IPC$ 3478 khuong Wed Jul 11 08:51:25 2012
    public 3478 khuong Wed Jul 11 08:53:04 2012
    IPC$ 3478 khuong Wed Jul 11 08:53:03 2012

    Extensions
    You can configure Samba further, for example:
    - Create roaming or mandatory profiles (Profiles)
    - Create shared folders for each department in the company (Permissions).
    - Automatically map the drive for a user's department when they log on to the domain (logon script).
    - Grant users the SeTakeOwnershipPrivilege, SeBackupPrivilege, SeRestorePrivilege... rights (Samba Rights).
    ...
    Last edited by kukent; 11-07-2012, 10:28 AM.