Configuring Samba: difference between revisions
PastorDi (talk | contribs) (New page: «First of all, Samba must be stopped: /etc/init.d/smb stop Edit {{Источник|/etc/samba/smb.conf}}, setting...»)
PastorDi (talk | contribs)
Revision as of 09:26, 2 September 2011
First of all, Samba must be stopped:
/etc/init.d/smb stop
Edit /etc/samba/smb.conf to set up an ordinary PDC. In the end smb.conf should look roughly like this:
[global]
    workgroup = Mandriva
    netbiosname = MDS
    preferred master = yes
    os level = 65
    wins support = yes
    enable privileges = yes
    timeserver = yes
    log level = 3
    null passwords = yes
    security = user
    name resolve order = bcast host
    domain logons = yes
    domain master = yes
    printing = cups
    printcap name = cups
    logon path = \\%N\profiles\%U
    logon script = logon.bat
    logon drive = H:
    map acl inherit = yes
    nt acl support = yes
    passdb backend = ldapsam:ldap://127.0.0.1/
    obey pam restrictions = no
    ldap admin dn = cn=manager,dc=mandriva,dc=com
    ldap suffix = dc=mandriva,dc=com
    ldap group suffix = ou=Group
    ldap user suffix = ou=People
    ldap machine suffix = ou=Hosts
    ldap idmap suffix = ou=Idmap
    ldap passwd sync = yes
    # ldap delete dn = yes
    passwd program = /usr/sbin/smbldap-passwd -u %u
    passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n
    add user script = /usr/sbin/smbldap-useradd -m "%u"
    add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
    set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
    add group script = /usr/sbin/smbldap-groupadd -p "%g"
    add machine script = /usr/lib/mmc/add_machine_script '%u'
    delete user script = /usr/sbin/smbldap-userdel "%u"
    delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
    delete group script = /usr/sbin/smbldap-groupdel "%g"

[homes]
    comment = Home directories
    browseable = no
    writeable = yes
    create mask = 0700
    directory mask = 0700
    hide files = /Maildir/

[public]
    comment = Public share
    path = /home/samba/shares/public
    browseable = yes
    public = yes
    writeable = yes

[archives]
    comment = Backup share
    path = /home/samba/archives
    browseable = yes
    public = no
    writeable = no

[printers]
    comment = Printers
    path = /tmp
    browseable = no
    public = yes
    guest ok = yes
    writeable = no
    printable = yes

[print$]
    comment = Drivers
    path = /var/lib/samba/printers
    browseable = yes
    guest ok = yes
    read only = yes
    write list = Administrator,root,@lpadmin

[netlogon]
    path = /home/samba/netlogon
    public = yes
    writeable = yes
    browseable = no

[profiles]
    path = /home/samba/profiles
    writeable = yes
    create mask = 0700
    directory mask = 0700
    browseable = no
    hide files = /desktop.ini/ntuser.ini/NTUSER.*/

[partage]
    comment = aucun
    path = /home/samba/partage
    browseable = yes
    public = no
    writeable = yes
Then check the configuration with testparm:
testparm
Load smb config files from /etc/samba/smb.conf
...
Processing section "[partage]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions
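testparm only checks that the file parses. As an added example (not code from the original article), the script below audits the same kind of smb.conf for exposure: it lists every share a guest can reach and whether it is writeable, and reads [global] parameters worth a second look, such as null passwords. Parameter names are compared with whitespace removed, which is how Samba matches them, so "guest ok", "guestok" and the synonym "public" are all recognised, as are "writeable", "writable", "write ok" and the inverse "read only". The smb.conf it runs against is a constructed sample modelled on the article's configuration.

```shell
#!/bin/sh
# Added example, not part of the original article: an exposure audit of an
# smb.conf to run next to testparm. Samba defaults assumed: guest ok = no,
# read only = yes.

# audit_guest_shares FILE
# Prints "<share> writeable=<yes|no>" for every non-global section that allows guest access.
audit_guest_shares() {
    awk '
        function flush() {
            if (section != "" && tolower(section) != "global" && guest == "yes")
                printf "%s writeable=%s\n", section, writeable
        }
        /^[[:space:]]*[#;]/ { next }                       # comment line
        /^[[:space:]]*\[/ {                                 # new [section]
            flush()
            section = $0
            sub(/^[[:space:]]*\[/, "", section)
            sub(/[]].*/, "", section)
            guest = "no"; writeable = "no"                  # Samba defaults
            next
        }
        /=/ {
            key = $0; sub(/=.*/, "", key); gsub(/[[:space:]]/, "", key); key = tolower(key)
            val = $0; sub(/^[^=]*=[[:space:]]*/, "", val); sub(/[[:space:]]+$/, "", val); val = tolower(val)
            if ((key == "guestok" || key == "public") && val == "yes") guest = "yes"
            if (key == "writeable" || key == "writable" || key == "writeok") writeable = val
            if (key == "readonly") writeable = (val == "yes") ? "no" : "yes"
        }
        END { flush() }
    ' "$1"
}

# global_setting FILE "PARAMETER NAME"
# Prints the value of a [global] parameter (first match), nothing if it is not set.
global_setting() {
    want=$(printf '%s' "$2" | tr -d '[:space:]' | tr '[:upper:]' '[:lower:]')
    awk -v want="$want" '
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*\[/ { s = $0; sub(/^[[:space:]]*\[/, "", s); sub(/[]].*/, "", s); s = tolower(s); next }
        s == "global" && /=/ {
            key = $0; sub(/=.*/, "", key); gsub(/[[:space:]]/, "", key)
            if (tolower(key) == want) {
                val = $0; sub(/^[^=]*=[[:space:]]*/, "", val); sub(/[[:space:]]+$/, "", val)
                print val; exit
            }
        }
    ' "$1"
}

# Constructed sample smb.conf (modelled on the article, shortened); prints its path.
make_sample_smbconf() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
[global]
    workgroup = Mandriva
    security = user
    null passwords = yes
    # ldap delete dn = yes

[homes]
    browseable = no
    writeable = yes

[public]
    path = /home/samba/shares/public
    public = yes
    writeable = yes

[archives]
    path = /home/samba/archives
    public = no
    writeable = no

[printers]
    path = /tmp
    guest ok = yes
    writeable = no
    printable = yes

[print$]
    path = /var/lib/samba/printers
    guest ok = yes
    read only = yes
EOF
    echo "$f"
}

# Usage against the constructed sample (replace with /etc/samba/smb.conf on a real host)
conf=$(make_sample_smbconf)
echo "guest-reachable shares:"
audit_guest_shares "$conf"
if [ "$(global_setting "$conf" 'null passwords')" = yes ]; then
    echo "WARN: null passwords = yes lets accounts with an empty password log on"
fi
rm -f "$conf"
```

The parsed configuration that `testparm -s /etc/samba/smb.conf 2>/dev/null` writes to stdout uses canonical parameter names (for example "read only = No"), and the functions understand those too, so the audit can be run on either the raw file or testparm's view of it.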
Now create the required directories:
mkdir -p /home/samba/shares/public/
mkdir /home/samba/netlogon/
mkdir /home/samba/profiles/
mkdir /home/samba/partage/
mkdir /home/samba/archives/
And set the appropriate permissions on them:
chown -R :"Domain Users" /home/samba/
chmod 777 /var/spool/samba/ /home/samba/shares/public/
chmod 755 /home/samba/netlogon/
chmod 770 /home/samba/profiles/ /home/samba/partage/
chmod 700 /home/samba/archives/
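The directory and permission steps above, as an added example that is not part of the original article: the same tree and the same modes, but built idempotently (mkdir -p is a no-op for an existing directory and the chmod is applied on every run, where a second plain mkdir would fail), followed by a verification pass. It also checks that the group resolves before chgrp, because "Domain Users" is created by smbldap-populate and only becomes visible to chgrp once nsswitch.conf sends group lookups to ldap, both of which happen later in this walkthrough. ROOT is an assumed prefix (empty on a real system) so the tree can be exercised in a scratch directory; stat -c %a is GNU/busybox stat syntax.

```shell
#!/bin/sh
# Added example, not part of the original article. Builds the share directory
# tree with the modes from the article's chmod lines, idempotently, and
# verifies them. ROOT is an assumed prefix; GROUP defaults to "Domain Users".

# One "MODE PATH" line per directory, modes exactly as in the article.
samba_dir_table() {
    cat <<'EOF'
777 /var/spool/samba
777 /home/samba/shares/public
755 /home/samba/netlogon
770 /home/samba/profiles
770 /home/samba/partage
700 /home/samba/archives
EOF
}

# create_samba_tree [ROOT] [GROUP]
create_samba_tree() {
    root=${1:-}
    group=${2:-"Domain Users"}
    samba_dir_table | while read -r mode dir; do
        mkdir -p "$root$dir"                 # no-op if it already exists
        chmod "$mode" "$root$dir"            # re-applied on every run
    done
    # "Domain Users" only resolves after smbldap-populate and the NSS change,
    # so check before letting chgrp fail half-way through the tree.
    if getent group "$group" >/dev/null 2>&1; then
        chgrp -R "$group" "$root/home/samba"
    else
        echo "group '$group' does not resolve yet; run the chgrp after populating LDAP" >&2
    fi
}

# verify_samba_tree [ROOT]
# Compares each directory's octal mode with the table; returns 1 on any mismatch.
verify_samba_tree() {
    root=${1:-}
    rc=0
    while read -r mode dir; do
        actual=$(stat -c %a "$root$dir" 2>/dev/null) || actual=missing
        if [ "$actual" != "$mode" ]; then
            echo "MISMATCH $root$dir: expected $mode, found $actual" >&2
            rc=1
        fi
    done <<EOF
$(samba_dir_table)
EOF
    return "$rc"
}

# Usage in a scratch directory (use an empty ROOT on the real host)
scratch=$(mktemp -d)
create_samba_tree "$scratch"
verify_samba_tree "$scratch" && echo "modes verified under $scratch"
rm -rf "$scratch"
```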
All good, moving on. Now give Samba the rights to read the LDAP database (smbpasswd -w stores the ldap admin dn password in secrets.tdb):
smbpasswd -w example
Setting stored password for "cn=manager,dc=mandriva,dc=com" in secrets.tdb
Get the SID of our domain:
net getlocalsid mandriva.com
Now we need to populate LDAP with the Samba domain entries. Install smbldap-tools:
urpmi smbldap-tools
Go to /etc/smbldap-tools/ and edit smbldap_bind.conf:
slaveDN="cn=admin,dc=mandriva,dc=com"
slavePw="example"
masterDN="cn=Manager,dc=mandriva,dc=com"
masterPw="example"
Now edit smbldap.conf:
SID="S-1-5-21-128599351-419866736-2079179792"
sambaDomain="MANDRIVA"
ldapTLS="0"
suffix="dc=mandriva,dc=com"
sambaUnixIdPooldn="sambaDomainName=MANDRIVA,${suffix}"
#defaultMaxPasswordAge="45"
userSmbHome=""
userProfile=""
userHomeDrive=""
Populate LDAP:
smbldap-populate -m 512 -a administrator
Configure NSS: in /etc/nsswitch.conf set the following entries:
passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files dns
bootparams: files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: files
publickey: files
automount: files
aliases: files
In /etc/ldap.conf:
host 127.0.0.1
base dc=mandriva,dc=com
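The smbldap.conf and nsswitch.conf edits above, as an added example (not code from the original article): three checks a practitioner would run before smbldap-populate and after the NSS change. lint_quotes reports a KEY="VALUE" line whose closing quote is missing, the kind of slip that silently breaks the smbldap-tools configuration; check_sid compares the SID in smbldap.conf with the one net getlocalsid printed, since a mismatch puts every populated account in a foreign domain; nss_uses_ldap confirms that a database line in nsswitch.conf actually lists the ldap source. File paths are parameters, and the sample files are constructed here (the sample smbldap.conf deliberately contains an unbalanced quote on its suffix line to exercise the lint).

```shell
#!/bin/sh
# Added example, not from the original article. Pre-flight checks for the
# smbldap-tools and NSS part of the setup; the sample files are constructed.

# lint_quotes FILE
# Reports lines with an odd number of double quotes; returns 1 if any.
lint_quotes() {
    awk '
        /^[[:space:]]*(#|$)/ { next }                      # skip comments and blanks
        {
            line = $0
            n = gsub(/"/, "", line)                        # gsub returns the number of quotes removed
            if (n % 2 == 1) { printf "%s:%d: unbalanced quotes: %s\n", FILENAME, NR, $0; bad = 1 }
        }
        END { exit bad }
    ' "$1"
}

# conf_value FILE KEY
# Prints the quoted value of KEY="..." (first match); empty if absent or unterminated.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# check_sid FILE EXPECTED_SID
# Typical call on the PDC:
#   check_sid /etc/smbldap-tools/smbldap.conf "$(net getlocalsid | awk '{print $NF}')"
check_sid() {
    have=$(conf_value "$1" SID)
    [ -n "$have" ] && [ "$have" = "$2" ]
}

# nss_uses_ldap FILE DATABASE
# True if the "DATABASE:" line in nsswitch.conf lists the ldap source.
nss_uses_ldap() {
    awk -v db="$2" '
        /^[[:space:]]*#/ { next }
        $1 == db ":" { for (i = 2; i <= NF; i++) if ($i == "ldap") found = 1 }
        END { exit !found }
    ' "$1"
}

# Constructed sample smbldap.conf: the suffix line is deliberately missing its
# closing quote so lint_quotes has something to report.
make_sample_smbldap_conf() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
SID="S-1-5-21-128599351-419866736-2079179792"
sambaDomain="MANDRIVA"
ldapTLS="0"
suffix="dc=mandriva,dc=com
sambaUnixIdPooldn="sambaDomainName=MANDRIVA,${suffix}"
#defaultMaxPasswordAge="45"
EOF
    echo "$f"
}

# Constructed sample nsswitch.conf
make_sample_nsswitch() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
# constructed sample
passwd: files ldap
shadow: files ldap
group:  files ldap
hosts:  files dns
EOF
    echo "$f"
}

# Usage against the constructed samples
conf=$(make_sample_smbldap_conf)
nss=$(make_sample_nsswitch)
lint_quotes "$conf" || echo "fix the line above before running smbldap-populate"
check_sid "$conf" S-1-5-21-128599351-419866736-2079179792 && echo "SID matches"
nss_uses_ldap "$nss" passwd && echo "passwd lookups include ldap"
rm -f "$conf" "$nss"
```

After the restart at the end of the walkthrough, `getent passwd administrator` and `getent group "Domain Users"` are the live counterparts of nss_uses_ldap: if they return nothing, the NSS or ldap.conf step has not taken effect.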
Now restart samba and ldap, and we have a working domain controller.