# /usr/local/etc/rc.d/slapd start
Starting slapd.
Step 2. Check that the slapd process is running:
# ps ax | grep slap
Step 3. Start the Samba server:
# /usr/local/etc/rc.d/samba start
Step 4. Check the smb process:
# ps ax | grep smb
Step 5. Set the Samba password for the user we specified in the Samba configuration file as "ldap admin dn":
# smbpasswd -w password
Setting stored password for "cn=root,dc=mycompany,dc=local" in secrets.tdb
Step 6. Create the Samba administrator (the "admin users" entry, kravchenko):
# smbpasswd -a kravchenko
New SMB password:
Retype new SMB password:
Added user kravchenko.
Step 7. Create the file /usr/local/etc/openldap/base.ldif and put your initial data into it:
dn: dc=mycompany,dc=local
objectClass: dcObject
objectClass: organization
objectClass: top
dc: mycompany
o: mycompany

dn: ou=users,dc=mycompany,dc=local
objectClass: top
objectClass: organizationalUnit
ou: users

dn: ou=groups,dc=mycompany,dc=local
objectClass: top
objectClass: organizationalUnit
ou: groups

dn: ou=computers,dc=mycompany,dc=local
objectClass: top
objectClass: organizationalUnit
ou: computers
Step 8. Load the contents of the file into the OpenLDAP database:
# ldapadd -W -x -D "cn=root,dc=mycompany,dc=local" -f \
    /usr/local/etc/openldap/base.ldif
adding new entry "dc=mycompany,dc=local"
adding new entry "ou=users,dc=mycompany,dc=local"
adding new entry "ou=groups,dc=mycompany,dc=local"
adding new entry "ou=computers,dc=mycompany,dc=local"
Step 9. Add the groups to OpenLDAP:
# ldapaddgroup admins
Successfully added group admins to LDAP
# ldapaddgroup users
Successfully added group people to LDAP
# ldapaddgroup computers
Successfully added group computers to LDAP
# ldapadduser kravchenko admins
Successfully added user kravchenko to LDAP
Successfully set password for user kravchenko
Successfully created home directory for user kravchenko
Step 10. Map the groups to the NT domain groups:
# net groupmap add ntgroup="Domain Admins" \
    unixgroup=admins rid=512 type=domain
Successfully added group admins to the mapping db as a domain group
# net groupmap add ntgroup="Domain Users" \
    unixgroup=users rid=513 type=domain
Successfully added group users to the mapping db as a domain group
# net groupmap add ntgroup="Domain Computers" \
    unixgroup=computers rid=515 type=domain
Successfully added group computers to the mapping db as a domain group
Step 11. Join Samba to its own domain:
# net rpc join -S pdc -U kravchenko%password
Step 12. For administration, download LdapAdmin from http://ldapadmin.sourceforge.net/ and add the users.
Step 13. Create the home directories for the users. They must have mode 0700 and group users.
# cd /home/samba/homes/
# mkdir user1
# chown user1:users user1/
# mkdir user2
# chown user2:users user2/
. . . . . .
# mkdir user32
# chown user32:users user32/
# ll
total 46
drwxr-xr-x  2 user1   users  512 12 фев 09:25 user1
drwxr-xr-x  2 user2   users  512 12 фев 08:58 user2
drwxr-xr-x  2 user3   users  512 12 фев 08:48 user3
.......................................................
drwxr-xr-x  2 user32  users  512 12 фев 09:21 user32
1. smb.conf for the BDC:
#======================= Global Settings =====================================
[global]
workgroup = mycompany
netbios name = bdc
server string =
security = user
encrypt passwords = yes
load printers = no
admin users = kravchenko
hosts allow = 192.168.1. 192.168.2. 127.
log file = /var/log/samba/samba.log
max log size = 50000
passdb backend = ldapsam:ldap://127.0.0.1
ldap suffix = dc=mycompany,dc=local
ldap user suffix = ou=users
ldap group suffix = ou=groups
ldap machine suffix = ou=computers
ldap admin dn = "cn=root,dc=mycompany,dc=local"
ldap delete dn = no
ldap ssl = off
ldap replication sleep = 5000
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind separator = @
winbind use default domain = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
local master = yes
os level = 65
domain master = no
preferred master = yes
domain logons = yes
logon path =
logon home = \\%L\homes
logon drive = H:
add machine script = /usr/local/bin/ldapaddmachine '%u' computers
add user script = /usr/local/bin/ldapadduser '%u' users
add group script = /usr/local/bin/ldapaddgroup '%g'
add user to group script = /usr/local/bin/ldapaddusertogroup '%u' '%g'
delete user script = /usr/local/bin/ldapdeleteuser '%u'
delete group script = /usr/local/bin/ldapdeletegroup '%g'
delete user from group script = /usr/local/bin/ldapdeleteuserfromgroup '%u' '%g'
set primary group script = /usr/local/bin/ldapsetprimarygroup '%u' '%g'
rename user script = /usr/local/bin/ldaprenameuser '%uold' '%unew'
wins support = no
wins server = 192.168.1.2
wins proxy = yes
dns proxy = no
display charset = koi8-r
unix charset = koi8-r
dos charset = cp866
time server = yes
enhanced browsing = Yes
remote announce = 192.168.1.2/mycompany
#============================ Share Definitions ==============================
[homes]
comment = Home Directories
path = /home/samba/homes/%U
browseable = no
writable = yes
public = no
read only = no
create mask = 0600
directory mask = 0700
valid users = %S
[netlogon]
comment = Network Logon Service
path = /usr/local/etc/samba/netlogon
browseable = no
guest ok = yes
writable = no
share modes = no
volume = NETLOGON
[profiles]
create mode = 0600
directory mode = 700
path = /home/samba/profiles/%u
browseable = no
guest ok = yes
writeable = yes
[pub]
comment = Папка общего пользования
path = /home/samba/pub
valid users = @users
create mode = 666
directory mode = 777
public = yes
writable = yes
printable = no
browseable = yes
[IPC$]
path = /tmp
hosts allow = 192.168.1.0/24 192.168.2.0/24 127.0.0.1
hosts deny = 0.0.0.0/0
2. /etc/rc.conf for the BDC:
slapd_enable="YES"
# One line
slapd_flags='-h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap://192.168.2.2/ ldap://127.0.0.1/"'
slapd_sockets="/var/run/openldap/ldapi"
samba_enable="YES"
winbindd_enable="YES"
Step 2. Check that the slapd process is running:
# ps ax | grep slap
Step 3. Start the BDC Samba server:
Step 4. Check the smb process:
# ps ax | grep smb
Step 5. Set the Samba password for the user we specified in the Samba configuration file as "ldap admin dn":
Step 7. Retrieve the SID of the mycompany domain from the primary domain controller:
# net rpc getsid
Step 8. Add the BDC to the mycompany domain:
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/openldap.schema
include /usr/local/etc/openldap/schema/samba.schema
include /usr/local/etc/openldap/schema/mail.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
allow bind_v2
modulepath /usr/local/libexec/openldap
moduleload back_ldbm
#######################################################################
# BDB database definitions
#######################################################################
database ldbm
suffix "dc=mycompany,dc=local"
rootdn "cn=root,dc=mycompany,dc=local"
rootpw {SSHA}mu1MPXqqGNqPp9SV9DY4jSFbfxNqhoWt
loglevel 5
directory /var/db/openldap-data
index objectClass,uid,uidNumber,gidNumber eq
index cn,mail,surname,givenname eq,subinitial
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
replogfile /var/log/ldap/replica.log
replica uri=ldap://192.168.2.1:389
        binddn="uid=replicator,ou=users,dc=mycompany,dc=local"
        bindmethod=simple
        credentials=password
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to attrs=sambaLMPassword,sambaNTPassword
        by dn="cn=root,dc=mycompany,dc=local" write
        by * none
access to *
        by self write
        by anonymous read
        by * none
Step 2. Create the directory and the file for the replication log on the Master server:
# mkdir /var/log/ldap
# touch /var/log/ldap/replica.log
# chown -R ldap:ldap /var/log/ldap/
Step 3. Create the file describing the replicator user on the Master server:
# vi /usr/local/etc/openldap/replicator.ldif
# The DN must match the replica binddn on the Master and the updatedn on the Slave
dn: uid=replicator,ou=users,dc=mycompany,dc=local
objectClass: inetOrgPerson
uid: replicator
sn: REPLICATOR SN
cn: replicator
userPassword: {SSHA}uTr0blaJnJxJ5jk84WwMVPJes8pLge2m
The password hash is produced like this:
# /usr/local/sbin/slappasswd
New password:
Re-enter new password:
{SSHA}uTr0blaJnJxJ5jk84WwMVPJes8pLge2m
Step 4. Add the replicator user to the LDAP database on the Master server:
# ldapadd -W -x -D "cn=root,dc=mycompany,dc=local" -f \
    /usr/local/etc/openldap/replicator.ldif
Step 5. Edit the OpenLDAP configuration file on the Slave, /usr/local/etc/openldap/slapd.conf:
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/openldap.schema
include /usr/local/etc/openldap/schema/samba.schema
include /usr/local/etc/openldap/schema/dnszone.schema
include /usr/local/etc/openldap/schema/dhcp.schema
include /usr/local/etc/openldap/schema/mail.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
allow bind_v2
modulepath /usr/local/libexec/openldap
moduleload back_ldbm
#######################################################################
# BDB database definitions
#######################################################################
database ldbm
suffix "dc=mycompany,dc=local"
rootdn "cn=root,dc=mycompany,dc=local"
rootpw {SSHA}jVIuaP7Xpz+cpdFwH+dgLNzctfGngHx0
loglevel 5
directory /var/db/openldap-data
index objectClass,uid,uidNumber,gidNumber eq
index cn,mail,surname,givenname eq,subinitial
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
updatedn "uid=replicator,ou=users,dc=mycompany,dc=local"
updateref ldap://192.168.1.2:389
access to attrs=userPassword
        by self write
        by dn="uid=replicator,ou=users,dc=mycompany,dc=local" write
        by anonymous auth
        by * none
access to attrs=sambaLMPassword,sambaNTPassword
        by dn="cn=root,dc=mycompany,dc=local" write
        by dn="uid=replicator,ou=users,dc=mycompany,dc=local" write
        by * none
access to *
        by dn="uid=replicator,ou=users,dc=mycompany,dc=local" write
        by self write
        by anonymous read
        by * none
Step 6. Restart slapd on the Slave server:
# /usr/local/etc/rc.d/slapd restart
Step 7. On the Master server, add the following line to /etc/rc.conf:
slurpd_enable="YES"
Step 8. Start slurpd on the Master server and restart slapd at the same time:
# /usr/local/etc/rc.d/slapd restart
# /usr/local/etc/rc.d/slurpd start
Step 9. Now export the Master server's database to an LDIF file:
# ldapsearch -W -x -D "cn=root,dc=mycompany,dc=local" \
    -b "dc=mycompany,dc=local" > /home/krav/backup/my-LDAP/mycompany.ldif
# chown krav:wheel /home/krav/backup/my-LDAP/mycompany.ldif
Quote: "This file is now a backup copy; it can be put in a safe place and access to it restricted. It is also important to understand that from now on no changes may be made to the main database until we have set up replication."
Step 10. Copy the file mycompany.ldif to the Slave server:
# scp /home/krav/backup/ldap/mycompany.ldif \
    krav@192.168.2.1:/home/krav/
Password:
mycompany.ldif     100% 24678   4.6KB/s   00:00
Step 11. Restore the LDAP database on the Slave from the copied file:
# mv /home/krav/mycompany.ldif /usr/local/etc/openldap/
# chown root:wheel /usr/local/etc/openldap/mycompany.ldif
# chmod 400 /usr/local/etc/openldap/mycompany.ldif
# ldapadd -W -x -D "cn=root,dc=mycompany,dc=local" -f \
    /usr/local/etc/openldap/mycompany.ldif
Note: if the link between the PDC and the BDC is lost, the changes that were due to be applied to the Slave database are kept in the directory /var/db/openldap-slurp; as soon as the link is restored they are applied to the Slave database immediately.
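An added consistency check for the Master and Slave slapd.conf files from the replication steps above (example code written for this page, not part of the guide). It parses the directives slurpd replication depends on and reports the mismatches that break it silently: a suffix that differs between the two servers, a replica binddn that is not the Slave's updatedn, an ACL that denies the replicator write, or an ACL that lets anonymous read the password attributes. The configuration excerpts are constructed from the guide's two files, with the Slave's suffix typo kept on purpose.

```python
import re

# Constructed excerpts of the Master and Slave slapd.conf from this guide; the Slave
# suffix keeps the original's "mycomapny" typo so the check has something to catch.
MASTER = """
suffix "dc=mycompany,dc=local"
replogfile /var/log/ldap/replica.log
replica uri=ldap://192.168.2.1:389 binddn="uid=replicator,ou=users,dc=mycompany,dc=local" bindmethod=simple credentials=password
access to attrs=userPassword by self write by anonymous auth by * none
"""
SLAVE = """
suffix "dc=mycomapny,dc=local"
updatedn "uid=replicator,ou=users,dc=mycompany,dc=local"
updateref ldap://192.168.1.2:389
access to attrs=userPassword by self write by dn="uid=replicator,ou=users,dc=mycompany,dc=local" write by anonymous auth by * none
access to attrs=sambaLMPassword,sambaNTPassword by dn="cn=root,dc=mycompany,dc=local" write by dn="uid=replicator,ou=users,dc=mycompany,dc=local" write by * none
access to * by dn="uid=replicator,ou=users,dc=mycompany,dc=local" write by self write by anonymous read by * none
"""

def directive(conf, name):
    """Value of the first `name` directive with surrounding quotes stripped, or None."""
    m = re.search(rf'^\s*{re.escape(name)}\s+"?([^"\n]+?)"?\s*$', conf, re.M)
    return m.group(1) if m else None

def acls(conf):
    """Turn each `access to <what> by <who> <level> ...` line into (what, {who: level})."""
    return [(m.group(1), dict(re.findall(r'by (\S+) (\S+)', m.group(2))))
            for m in re.finditer(r'^\s*access to (\S+)(.*)$', conf, re.M)]

def check_replication(master, slave):
    """Return a list of findings for a slurpd Master/Slave pair; empty means consistent."""
    findings = []
    if directive(master, "suffix") != directive(slave, "suffix"):
        findings.append("suffix differs between master and slave")
    if not directive(master, "replogfile"):
        findings.append("master has no replogfile, so slurpd has nothing to replay")
    binddn = re.search(r'^\s*replica .*binddn="([^"]+)"', master, re.M)
    updatedn = directive(slave, "updatedn")
    if not binddn or binddn.group(1) != updatedn:
        findings.append("master replica binddn does not match slave updatedn")
    if not directive(slave, "updateref"):
        findings.append("slave has no updateref, clients writing to it get no referral")
    # slurpd binds as the updatedn and must be able to write everything it pushes,
    # while anonymous must stay at 'auth' or 'none' on the password attributes.
    for what, levels in acls(slave):
        if levels.get(f'dn="{updatedn}"') != "write":
            findings.append(f"updatedn lacks write on '{what}'")
        if "Password" in what and levels.get("anonymous", "none") not in ("none", "auth"):
            findings.append(f"anonymous can read '{what}'")
    return findings
```

Run it against the real files by reading them into MASTER and SLAVE; with the excerpts above it reports only the suffix mismatch, and the same check applied to the guide's replicator.ldif DN explains why the entry must live under ou=users.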