How to install a Samba domain controller from scratch

Introduction

This HOWTO describes the steps needed to install and configure the proposed classroom server. The document is meant as a guide rather than an exhaustive manual; we expect to extend it as we carry out more installations.

Installing Linux

First install Linux on the machine. We will not go into detail here because it is outside the scope of this document. The chosen distribution, on which the rest of the HOWTO is based, is Debian Sarge.

We suggest using the netinst (network install) images, since we will later use Debian's online repositories to fetch the packages and there is no need to download the full CD set.

Installing packages

Once the base installation is finished, install the packages for the services this machine will provide:

apt-get install slapd samba samba-doc smbldap-tools libnss-ldap nscd db4.2-util \
    nfs-common nfs-kernel-server ldap-utils ntpdate smbclient metamail vim gpm lynx

Installing these packages asks a few questions; we answer them in the following sections.

LDAP configuration

slapd (Stand-alone LDAP Daemon) is the daemon that serves the directory.

OpenLDAP's configuration lives in /etc/ldap/slapd.conf.

The Samba schema ships compressed as /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz (from the samba-doc package); decompress it into /etc/ldap/schema/samba.schema:

zcat /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz > /etc/ldap/schema/samba.schema

Then edit /etc/ldap/slapd.conf; the relevant part of the resulting file is shown below. Two points matter for what follows. The DN named in the ACLs must be an entry under the database suffix (the cn=admin entry that the slapd debconf prompts created, with the password you gave there); a DN outside the suffix, such as cn=admin,dc=soc,dc=ull,dc=es against a suffix of dc=FACULTAD,dc=ull,dc=es, does not exist in this database, so an ACL naming it grants nothing and the administrator is silently left without write access. And ACLs are evaluated in order, the first matching "access to" clause wins, so the rule for userPassword and the Samba NT/LM hashes has to stay ahead of the catch-all "access to *"; that catch-all's "by * read" makes the rest of the directory readable without a bind, which the unauthenticated NSS lookups from the clients below depend on.

include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/samba.schema
include         /etc/ldap/schema/misc.schema

schemacheck     on
pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd.args
loglevel        0

modulepath  /usr/lib/ldap
moduleload  back_bdb
backend     bdb
checkpoint 512 30

database        bdb

suffix          "dc=FACULTAD,dc=ull,dc=es"
directory       "/var/lib/ldap"

index           objectClass eq
index           uid,uidNumber,gidNumber,memberUid eq
index           cn,mail,surname,givenname eq,subinitial
index           sambaSID eq
index           sambaPrimaryGroupSID eq
index           sambaDomainName eq

lastmod         on

access to attrs=userPassword,sambaNTPassword,sambaLMPassword
        by dn="cn=admin,dc=FACULTAD,dc=ull,dc=es" write
        by anonymous auth
        by self write
        by * none

access to dn.base="" by * read

access to *
        by dn="cn=admin,dc=FACULTAD,dc=ull,dc=es" write
        by * read
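The two slapd.conf properties just described (ACL DNs under the suffix, and the password rule ahead of the catch-all) can be checked before restarting slapd. The script below is an added example written for this page, not part of the original page or of OpenLDAP; it works on a slapd.conf in the format above, its function names are its own, and the sample config it checks is constructed inline and deliberately names an admin DN under dc=soc against a suffix of dc=FACULTAD so that the first check has something to find.

```shell
#!/bin/sh
# Added example, not code from the original page or from OpenLDAP: static
# checks on a slapd.conf of the form shown above. The sample config is
# constructed inline; dc=soc vs dc=FACULTAD is the mismatch being caught.

# Database suffix, quotes stripped.
slapd_suffix() { awk '$1 == "suffix" { gsub(/"/, "", $2); print $2; exit }' "$1"; }

# 0 if every `by dn="..."` in the ACLs lies under the suffix. Only entries
# under the suffix exist in this database, so a DN outside it can never bind
# and the ACL naming it grants nothing: the admin silently loses write access.
check_acl_dns() {
    suffix=$(slapd_suffix "$1")
    bad=$(awk -v sfx="$suffix" '/by dn=/ {
            line = $0
            while (match(line, /by dn="[^"]*"/)) {
                dn = substr(line, RSTART + 7, RLENGTH - 8)
                if (substr(dn, length(dn) - length(sfx)) != "," sfx) print dn
                line = substr(line, RSTART + RLENGTH)
            } }' "$1")
    [ -z "$bad" ] || { printf 'ACL DN(s) outside suffix %s:\n%s\n' "$suffix" "$bad" >&2; return 1; }
}

# 0 if the rule protecting the password attributes precedes the catch-all
# "access to *". slapd applies the first <what> clause that matches, so with
# the catch-all first its "by * read" would expose userPassword and the
# Samba NT/LM hashes to anyone who can reach the server.
check_acl_order() {
    pw=$(grep -n '^access to attrs=.*userPassword' "$1" | head -1 | cut -d: -f1)
    all=$(grep -n '^access to \*' "$1" | head -1 | cut -d: -f1)
    [ -n "$pw" ] && [ -n "$all" ] && [ "$pw" -lt "$all" ] \
        || { echo "password ACL (line ${pw:-missing}) must precede 'access to *' (line ${all:-missing})" >&2; return 1; }
}

# 0 if the password rule ends in "by * none" (or "by * auth", which permits a
# bind but not a read) and never grants read/search/compare/write to "*".
check_pw_acl_default() {
    awk '/^access to attrs=.*userPassword/ { inacl = 1; next }
         inacl && /^access to/          { exit }
         inacl && /by \* (none|auth)/   { ok = 1 }
         inacl && /by \* (read|write|compare|search)/ { bad = 1 }
         END { exit (ok && !bad) ? 0 : 1 }' "$1"
}

# --- constructed sample: the slapd.conf fragment from this page ---------------
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/slapd.conf" <<'EOF'
suffix          "dc=FACULTAD,dc=ull,dc=es"
directory       "/var/lib/ldap"

access to attrs=userPassword,sambaNTPassword,sambaLMPassword
        by dn="cn=admin,dc=soc,dc=ull,dc=es" write
        by anonymous auth
        by self write
        by * none

access to dn.base="" by * read

access to *
        by dn="cn=admin,dc=soc,dc=ull,dc=es" write
        by * read
EOF
# Fixed copy: admin DN moved under the real suffix.
sed 's/dc=soc,/dc=FACULTAD,/' "$tmp/slapd.conf" > "$tmp/slapd.fixed.conf"
# Same rules with the catch-all first: the password rule becomes dead code.
{ sed -n '/^access to \*/,$p' "$tmp/slapd.fixed.conf"
  sed '/^access to \*/,$d' "$tmp/slapd.fixed.conf"; } > "$tmp/slapd.badorder.conf"

for f in slapd.conf slapd.fixed.conf slapd.badorder.conf; do
    if check_acl_dns "$tmp/$f" && check_acl_order "$tmp/$f" && check_pw_acl_default "$tmp/$f"; then
        echo "$f: OK"
    else
        echo "$f: FAILED"
    fi
done
```

Against the real file, source the functions and run check_acl_dns /etc/ldap/slapd.conf and the two order checks. slapd itself accepts an ACL naming a non-existent DN without complaint, since it is valid syntax, so the mismatch otherwise only shows up as the first write by cn=admin being refused.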

Linux client configuration

On the Linux clients install libpam-ldap and libnss-ldap and change PAM's behaviour so that it consults LDAP, by editing the configuration files under /etc/pam.d/. In each stack pam_ldap is listed as sufficient ahead of pam_unix: a user found in LDAP is accepted there, and local accounts (root included) still go through pam_unix.

/etc/pam.d/common-account

#
# /etc/pam.d/common-account - authorization settings common to all services
#
account sufficient      pam_ldap.so
account required        pam_unix.so

/etc/pam.d/common-auth

#
# /etc/pam.d/common-auth - authentication settings common to all services
#
auth    sufficient      pam_ldap.so
auth    required        pam_unix.so nullok_secure try_first_pass

/etc/pam.d/common-password

#
# /etc/pam.d/common-password - password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
# used to change user passwords.  The default is pam_unix

# The "nullok" option allows users to change an empty password, else
# empty passwords are treated as locked accounts.
#
# (Add `md5' after the module name to enable MD5 passwords)
#
# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
# login.defs. Also the "min" and "max" options enforce the length of the
# new password.

password   sufficient pam_ldap.so
password   required   pam_unix.so nullok obscure min=4 max=8 md5 use_first_pass

# Alternate strength checking for password. Note that this
# requires the libpam-cracklib package to be installed.
# You will need to comment out the password line above and
# uncomment the next two in order to use this.
# (Replaces the `OBSCURE_CHECKS_ENAB', `CRACKLIB_DICTPATH')
#
# password required       pam_cracklib.so retry=3 minlen=6 difok=3
# password required       pam_unix.so use_authtok nullok md5

/etc/pam.d/common-session

#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).  The default is pam_unix.
#
session sufficient      pam_ldap.so
session required        pam_unix.so

We also have to set the details for reaching the LDAP server (address, base DN, protocol version, etc.) in /etc/pam_ldap.conf. The base must be the suffix configured in slapd.conf:

# /etc/pam_ldap.conf
host 192.168.0.1
base dc=aulas,dc=ull,dc=es
uri ldap://192.168.0.1/
ldap_version 3
pam_password crypt
#ssl start_tls
#tls_checkpeer no

At this point the PAM side should be working. Two caveats. With ssl start_tls commented out the clients bind with the user's password in clear text over the network, so enable it (and a server certificate) anywhere but an isolated lab. And pam_password crypt makes passwd on a client rewrite only userPassword, not sambaNTPassword/sambaLMPassword, so a password changed from Linux does not change the Windows logon password; changes made through Samba from a Windows client (which, with ldap passwd sync = yes below, update both) or with smbldap-passwd keep the two in step.

Next comes NSS. Besides the file below, /etc/nsswitch.conf must list ldap after files for the passwd and group databases, otherwise libnss-ldap is never consulted; the base and the nss_base_* containers must match the suffix and the ou=Users/ou=Groups that smbldap-populate will create:

# /etc/libnss-ldap.conf
host 192.168.0.1
base dc=aulas,dc=ull,dc=es
ldap_version 3
nss_base_passwd ou=Users,dc=aulas,dc=ull,dc=es
nss_base_group  ou=Groups,dc=aulas,dc=ull,dc=es
#ssl start_tls
#tls_checkpeer no

Samba configuration

First we configure the tools that create, in the directory, the structure Samba needs in order to store its data.

These tools come in the smbldap-tools package, and the sample configuration can be found in /usr/share/doc/smbldap-tools/examples/smbldap.conf.gz and /usr/share/doc/smbldap-tools/examples/smbldap_bind.conf. Copy both into /etc/smbldap-tools/:

zcat /usr/share/doc/smbldap-tools/examples/smbldap.conf.gz > /etc/smbldap-tools/smbldap.conf
cp /usr/share/doc/smbldap-tools/examples/smbldap_bind.conf /etc/smbldap-tools/

Once that is done, edit /etc/smbldap-tools/smbldap.conf to suit your needs. One parameter that must be set is the SID: it has to be the SID Samba generated for this server (kept in secrets.tdb under the server's NetBIOS name, so set workgroup and netbios name in smb.conf first). Print it with:

net getlocalsid

Other parameters you will probably want to change are suffix and sambaUnixIdPooldn (the sambaDomainName there must be the workgroup from smb.conf), plus the home and profile locations (userSmbHome, userProfile; the server in userSmbHome must be this machine's netbios name):

suffix="dc=quimica,dc=ull,dc=es"
sambaUnixIdPooldn="sambaDomainName=quimica-ssl,${suffix}"
userSmbHome="\\pdc-quimica\homes\%U"
userProfile=""
userHomeDrive="X:"
userScript="netlogon.bat"
mailDomain="alumnado.ull.es"

Next, configure /etc/smbldap-tools/smbldap_bind.conf with the DN and password the tools bind with. This is the same cn=admin entry granted write access in slapd.conf; with a single server the master and slave entries are identical:

############################
# Credential Configuration #
############################
# Notes: you can specify two differents configuration if you use a
# master ldap for writing access and a slave ldap server for reading access
# By default, we will use the same DN (so it will work for standard Samba
# release)
slaveDN="cn=admin,dc=quimica,dc=ull,dc=es"
slavePw="password"
masterDN="cn=admin,dc=quimica,dc=ull,dc=es"
masterPw="password"

and restrict its permissions so that only the owner can read it, because the administrator's password is stored there in clear text:

chmod 600 /etc/smbldap-tools/smbldap_bind.conf

Once that is done, run smbldap-populate -a Administrador to create in the directory the whole structure Samba needs (the base entry, the ou=Users, ou=Groups and ou=Computers containers, the well-known domain groups and the domain administrator account named by -a). It binds with the credentials from smbldap_bind.conf, so slapd must already be running.

Finally, configure /etc/samba/smb.conf. The ldap suffix, ldap admin dn and workgroup here must agree with slapd.conf, smbldap.conf and the client files above:

#
# Sample configuration file for the Samba suite for Debian GNU/Linux.
#
#
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options most of which 
# are not shown in this example
#
# Any line which starts with a ; (semi-colon) or a # (hash) 
# is a comment and is ignored. In this example we will use a #
# for commentary and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command
# "testparm" to check that you have not made any basic syntactic
# errors.
#

#======================= Global Settings =======================

[global]

## Browsing/Identification ###

# Change this to the workgroup/NT-domain name your Samba server will be part of
   workgroup = quimica-ssl
   netbios name = pdc-quimica
   os level = 254
   enable privileges = yes
   domain master = yes
   domain logons = yes
   local master = yes
   utmp = yes
   ldap passwd sync = yes

# server string is the equivalent of the NT Description field
   server string = %h server (Samba %v)

# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable its WINS Server
   wins support = yes

# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
;   wins server = w.x.y.z

# This will prevent nmbd to search for NetBIOS names through DNS.
   dns proxy = no

# What naming service and in what order should we use to resolve host names
# to IP addresses
;   name resolve order = lmhosts host wins bcast


#### Debugging/Accounting ####

# This tells Samba to use a separate log file for each machine
# that connects
   log file = /var/log/samba/log.%m

# Put a capping on the size of the log files (in Kb).
   max log size = 1000

# If you want Samba to only log through syslog then set the following
# parameter to 'yes'.
;   syslog only = no

# We want Samba to log a minimum amount of information to syslog. Everything
# should go to /var/log/samba/log.{smbd,nmbd} instead. If you want to log
# through syslog you should set the following parameter to something higher.
   syslog = 0

# Do something sensible when Samba crashes: mail the admin a backtrace
   panic action = /usr/share/samba/panic-action %d


####### Authentication #######

# "security = user" is always a good idea. This will require a Unix account
# in this server for every user accessing the server. See
# /usr/share/doc/samba-doc/htmldocs/ServerType.html in the samba-doc
# package for details.
   security = user

# You may wish to use password encryption.  See the section on
# 'encrypt passwords' in the smb.conf(5) manpage before enabling.
   encrypt passwords = true

# If you are using encrypted passwords, Samba will need to know what
# password database type you are using.  
   passdb backend = ldapsam:ldap://127.0.0.1/
   ldap admin dn = cn=admin,dc=quimica,dc=ull,dc=es
   ldap suffix = dc=quimica,dc=ull,dc=es
   ldap group suffix = ou=Groups
   ldap user suffix = ou=Users
   ldap machine suffix = ou=Computers
   ldap idmap suffix = ou=Users
;   ldap ssl = On

   add machine script = /usr/sbin/smbldap-useradd -w "%u"
   add user script = /usr/sbin/smbldap-useradd -a -m "%u"
   ldap delete dn = Yes
   delete user script = /usr/sbin/smbldap-userdel -r "%u"
   add group script = /usr/sbin/smbldap-groupadd -p "%g"
   delete group script = /usr/sbin/smbldap-groupdel "%g"
   add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
   delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
   set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"

   obey pam restrictions = yes

;   guest account = nobody
#   invalid users = root

# This boolean parameter controls whether Samba attempts to sync the Unix
# password with the SMB password when the encrypted SMB password in the
# passdb is changed.
;   unix password sync = no

# For Unix password sync to work on a Debian GNU/Linux system, the following
# parameters must be set (thanks to Augustin Luton  for
# sending the correct chat script for the passwd program in Debian Potato).
   passwd program = /usr/sbin/smbldap-passwd %u
   passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .

# This boolean controls whether PAM will be used for password changes
# when requested by an SMB client instead of the program listed in
# 'passwd program'. The default is 'no'.
;   pam password change = no

   Dos charset = 850
   Unix charset = ISO8859-1

   hide files = /desktop.ini/Desktop.ini/

# Share where Win2k/XP clients look for their roaming profile; the path needs a
# per-user component (%U), which is what "force user = %U" and "valid users = %U"
# in the [profile] share below assume
   logon path = \\%L\profile\%U
   logon script = netlogon.bat


########## Printing ##########

# If you want to automatically load your printer list rather
# than setting them up individually then you'll need this
;   load printers = yes

# lpr(ng) printing. You may wish to override the location of the
# printcap file
;   printing = bsd
;   printcap name = /etc/printcap

# CUPS printing.  See also the cupsaddsmb(8) manpage in the
# cupsys-client package.
;   printing = cups
;   printcap name = cups

# When using [print$], root is implicitly a 'printer admin', but you can
# also give this right to other users to add drivers and set printer
# properties
;   printer admin = @ntadmin


######## File sharing ########

# Name mangling options
;   preserve case = yes
;   short preserve case = yes


############ Misc ############

# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
;   include = /home/samba/etc/smb.conf.%m

# Most people will find that this option gives better performance.
# See smb.conf(5) and /usr/share/doc/samba-doc/htmldocs/speed.html
# for details
# You may want to add the following on a Linux system:
#         SO_RCVBUF=8192 SO_SNDBUF=8192
   socket options = TCP_NODELAY

# The following parameter is useful only if you have the linpopup package
# installed. The samba maintainer and the linpopup maintainer are
# working to ease installation and configuration of linpopup and samba.
;   message command = /bin/sh -c '/usr/bin/linpopup "%f" "%m" %s; rm %s' &

# Domain Master specifies Samba to be the Domain Master Browser. If this
# machine will be configured as a BDC (a secondary logon server), you
# must set this to 'no'; otherwise, the default behavior is recommended.
;   domain master = auto

# Some defaults for winbind (make sure you're not using the ranges
# for something else.)
;   idmap uid = 10000-20000
;   idmap gid = 10000-20000
;   template shell = /bin/bash

#======================= Share Definitions =======================

[homes]
   comment = Home Directories
   browseable = no
   valid users = %U
   read only = no

# By default, the home directories are exported read-only. Change next
# parameter to 'yes' if you want to be able to write to them.
   writable = yes

# File creation mask is set to 0700 for security reasons. If you want to
# create files with group=rw permissions, set next parameter to 0775.
   create mask = 0644

# Directory creation mask is set to 0700 for security reasons. If you want to
# create dirs. with group=rw permissions, set next parameter to 0775.
   directory mask = 0755

# Un-comment the following and create the netlogon directory for Domain Logons
# (you need to configure Samba to act as a domain controller too.)
[netlogon]
   comment = Network Logon Service
   path = /var/lib/samba/netlogon
;   guest ok = yes
   writable = no
   share modes = no

[profile]
   comment = Roaming Profile Share
   path = /var/lib/samba/profile
   read only = No
   profile acls = Yes
   create mask = 0666
   directory mask = 0777
   browseable = No
   guest ok = Yes
   csc policy = disable
   # next line is a great way to secure the profiles
   force user = %U
   # next line allows administrator to access all profiles
   valid users = %U @"Domain Admins"

[printers]
   comment = All Printers
   browseable = no
   path = /tmp
   printable = yes
   public = no
   writable = no
   create mode = 0700

# Windows clients look for this share name as a source of downloadable
# printer drivers
[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   guest ok = no
# Uncomment to allow remote administration of Windows print drivers.
# Replace 'ntadmin' with the name of the group your admin users are
# members of.
;   write list = root, @ntadmin

# A sample share for sharing your CD-ROM with others.
;[cdrom]
;   comment = Samba server's CD-ROM
;   writable = no
;   locking = no
;   path = /cdrom
;   public = yes

# The next two parameters show how to auto-mount a CD-ROM when the
#  cdrom share is accessed. For this to work /etc/fstab must contain
#  an entry like this:
#
#       /dev/scd0   /cdrom  iso9660 defaults,noauto,ro,user   0 0
#
# The CD-ROM gets unmounted automatically after the connection to the
#
# If you don't want to use auto-mounting/unmounting make sure the CD
#  is mounted on /cdrom
#
;   preexec = /bin/mount /cdrom
;   postexec = /bin/umount /cdrom


Now store the password of the ldap admin dn (the same password as masterPw in smbldap_bind.conf) in Samba's secrets.tdb, which is where smbd takes it from when binding to the directory:

smbpasswd -w "super secret password"

Restart Samba (/etc/init.d/samba restart) and the domain controller is ready.
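With every file in place, the values that have to agree across them (base DN, admin DN, workgroup, SID, the user container) can be checked in one go. The script below is an added example written for this page, not the page's own code nor Samba's or smbldap-tools': it extracts those values from pam_ldap.conf, libnss-ldap.conf, smbldap.conf, smbldap_bind.conf and smb.conf, compares them, checks the SID against a `net getlocalsid` output line passed in as text, and checks that smbldap_bind.conf is owner-only. The sample files are constructed inline from the fragments on this page (pam_ldap.conf still pointing at dc=aulas, as the page's does), and the SID and the `net getlocalsid` line are made-up placeholders.

```shell
#!/bin/sh
# Added example, not code from the original page, Samba or smbldap-tools:
# an offline consistency check over the files configured above. The sample
# files are constructed here from the page's fragments; the SID and the
# `net getlocalsid` output line are made-up placeholders.

# "key value" syntax (pam_ldap.conf, libnss-ldap.conf): first match wins.
kv_space() { awk -v k="$2" '$1 == k { print $2; exit }' "$1"; }

# key="value" syntax (smbldap.conf, smbldap_bind.conf): quotes stripped.
kv_equal() {
    awk -v k="$2" '/^[ \t]*#/ { next }
        { i = index($0, "="); if (i == 0) next
          key = substr($0, 1, i - 1); gsub(/[ \t]/, "", key); if (key != k) next
          v = substr($0, i + 1); gsub(/^[ \t"]+|[ \t"]+$/, "", v); print v; exit }' "$1"
}

# "   key = value" syntax (smb.conf): # and ; comments skipped, keys case-insensitive.
smb_param() {
    awk -v k="$2" '/^[ \t]*[#;]/ { next }
        { i = index($0, "="); if (i == 0) next
          key = substr($0, 1, i - 1); gsub(/^[ \t]+|[ \t]+$/, "", key)
          if (tolower(key) != tolower(k)) next
          v = substr($0, i + 1); gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }' "$1"
}

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }
fail()  { echo "$*" >&2; return 1; }

# Every client and server file must name the same base DN ($1 is the etc directory).
check_base_dn() {
    base=$(smb_param "$1/samba/smb.conf" "ldap suffix"); rc=0
    for pair in "pam_ldap.conf:$(kv_space "$1/pam_ldap.conf" base)" \
                "libnss-ldap.conf:$(kv_space "$1/libnss-ldap.conf" base)" \
                "smbldap.conf:$(kv_equal "$1/smbldap-tools/smbldap.conf" suffix)"; do
        [ "${pair#*:}" = "$base" ] || { fail "${pair%%:*}: base DN '${pair#*:}' != '$base'"; rc=1; }
    done
    return $rc
}

# nss_base_passwd must be "<ldap user suffix>,<ldap suffix>": where smbldap-useradd creates users.
check_user_ou() {
    want="$(smb_param "$1/samba/smb.conf" "ldap user suffix"),$(smb_param "$1/samba/smb.conf" "ldap suffix")"
    nss=$(kv_space "$1/libnss-ldap.conf" nss_base_passwd)
    [ "$nss" = "$want" ] || fail "nss_base_passwd '$nss' != '$want'"
}

# Samba (secrets.tdb, via smbpasswd -w) and smbldap-tools bind with the same DN.
check_admin_dn() {
    smb=$(smb_param "$1/samba/smb.conf" "ldap admin dn")
    tools=$(kv_equal "$1/smbldap-tools/smbldap_bind.conf" masterDN)
    [ "$smb" = "$tools" ] || fail "ldap admin dn '$smb' != masterDN '$tools'"
}

# sambaUnixIdPooldn names the sambaDomainName entry smbldap-populate creates for the workgroup.
check_domain_name() {
    wg=$(smb_param "$1/samba/smb.conf" workgroup)
    dom=$(kv_equal "$1/smbldap-tools/smbldap.conf" sambaUnixIdPooldn)
    dom=${dom#sambaDomainName=}; dom=${dom%%,*}
    [ "$(lower "$dom")" = "$(lower "$wg")" ] || fail "pool domain '$dom' != workgroup '$wg'"
}

# The SID in smbldap.conf must be the one `net getlocalsid` prints (its output passed as $2).
check_sid() {
    want=$(printf '%s\n' "$2" | sed -n 's/.* is: *//p'); have=$(kv_equal "$1" SID)
    [ -n "$want" ] && [ "$have" = "$want" ] || fail "SID '$have' != local SID '$want'"
}

# smbldap_bind.conf carries the admin password in clear text: owner-only permissions.
check_bind_conf_mode() {
    mode=$(ls -ld "$1" | cut -c1-10)
    [ "$mode" = "-rw-------" ] || fail "$1: mode '$mode', expected -rw-------"
}

run_all() {
    check_base_dn "$1" && check_user_ou "$1" && check_admin_dn "$1" && check_domain_name "$1" \
      && check_sid "$1/smbldap-tools/smbldap.conf" "$2" && check_bind_conf_mode "$1/smbldap-tools/smbldap_bind.conf"
}

# --- constructed sample tree mirroring the page's fragments -------------------
etc=$(mktemp -d); trap 'rm -rf "$etc"' EXIT; mkdir -p "$etc/samba" "$etc/smbldap-tools"
FAKE_SID='S-1-5-21-1111111111-2222222222-3333333333'        # placeholder, not a real SID
GETLOCALSID_OUT="SID for domain PDC-QUIMICA is: $FAKE_SID"  # constructed `net getlocalsid` output
printf 'host 192.168.0.1\nbase dc=aulas,dc=ull,dc=es\nldap_version 3\npam_password crypt\n' > "$etc/pam_ldap.conf"
printf 'host 192.168.0.1\nbase dc=quimica,dc=ull,dc=es\nnss_base_passwd ou=Users,dc=quimica,dc=ull,dc=es\n' \
    > "$etc/libnss-ldap.conf"
printf 'SID="%s"\nsuffix="dc=quimica,dc=ull,dc=es"\nsambaUnixIdPooldn="sambaDomainName=quimica-ssl,${suffix}"\n' \
    "$FAKE_SID" > "$etc/smbldap-tools/smbldap.conf"
printf 'masterDN="cn=admin,dc=quimica,dc=ull,dc=es"\nmasterPw="password"\n' > "$etc/smbldap-tools/smbldap_bind.conf"
chmod 600 "$etc/smbldap-tools/smbldap_bind.conf"
cat > "$etc/samba/smb.conf" <<'EOF'
[global]
   workgroup = quimica-ssl
   netbios name = pdc-quimica
   ldap admin dn = cn=admin,dc=quimica,dc=ull,dc=es
   ldap suffix = dc=quimica,dc=ull,dc=es
   ldap user suffix = ou=Users
;   ldap ssl = On
EOF

check_base_dn "$etc" || echo "pam_ldap.conf disagrees, as on the page; fixing the sample"
sed 's/dc=aulas,/dc=quimica,/' "$etc/pam_ldap.conf" > "$etc/p.new" && mv "$etc/p.new" "$etc/pam_ldap.conf"
run_all "$etc" "$GETLOCALSID_OUT" && echo "all files agree"
```

On a real host, source the functions and run run_all /etc "$(net getlocalsid)". A mismatch in any of these values otherwise surfaces late: smbldap-populate creating entries where getent never looks, Samba unable to bind to the directory, or a SID in smbldap.conf that does not match the one Samba hands out.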

Installing the firewall. Add our repository to /etc/apt/sources.list:

deb http://repo.osl.ull.es/i386/ ./

Once that is done, run:

apt-get update
apt-get install sslsf

Then configure the firewall as required; its configuration lives in /etc/firewall. Packages from that repository are installed as root, so add it only if you trust the host that serves it.

One response to “How to install a Samba domain controller from scratch”

  1. Cosme

    everything ok

    Please, it would be wonderful to show how to install a Samba BDC domain controller from scratch,
    I mean a BDC; the smb.conf part is known, but how does the rest turn out????

    Debian Lenny

    Regards
    Cosme

