Шаг 1. Установите OpenLDAP-сервер из портов:
# cd /usr/ports/net/openldap23-server/
# make config
Выберите: TCP_WRAPPERS, BDB, DYNAMIC_BACKENDS, SLURPD.
# make install clean
# rehash
Шаг 2. Установите nss_ldap из портов:
# cd /usr/ports/net/nss_ldap/
# make install clean
# rehash
Шаг 3. Установите из портов набор скриптов для работы с LDAP:
# cd /usr/ports/net/ldapscripts/
# make install clean
# rehash
Шаг 4. Установите Samba из портов:
# cd /usr/ports/net/samba3/
# make config
Выберите: LDAP, CUPS, WINBIND, QUOTAS, UTMP, POPT.
# slapd.conf — OpenLDAP 2.3 server configuration for the Samba PDC.
# samba.schema is copied into the schema directory at step 9; slapd will not
# start until that file exists.
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/openldap.schema
include /usr/local/etc/openldap/schema/samba.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
modulepath /usr/local/libexec/openldap
moduleload back_ldbm
#####################################################################
# BDB database definitions
#####################################################################
# NOTE(review): the header above says BDB, but the module loaded and the
# backend selected are ldbm — confirm this is the intended backend.
database ldbm
suffix "dc=mycompany,dc=local"
rootdn "cn=root,dc=mycompany,dc=local"
# Deliberately empty here; the {SSHA} hash produced by slappasswd (step 2)
# is pasted in at step 3. slapd will not accept the file until it is filled.
rootpw
loglevel 256
directory /var/db/openldap-data
# Equality indexes on the attributes nss_ldap and Samba search by.
index objectClass,uid,uidNumber,gidNumber eq
index cn,mail,surname,givenname eq,subinitial
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
# Access control, evaluated first match wins.
# Unix password hash: owner may change it, everyone else may only bind with it.
access to attrs=userPassword by self write by anonymous auth by * none
# Samba NT/LM hashes are password-equivalent: only the directory admin sees them.
access to attrs=sambaLMPassword,sambaNTPassword by dn="cn=root,dc=mycompany,dc=local" write by * none
# Everything else is anonymously readable because nss_ldap.conf (step 5) binds
# without a binddn; any host that can reach a slapd listener (see the
# ldap://192.168.1.2/ listener in rc.conf, step 12) can therefore read it too.
# NOTE(review): "by self write" on every attribute lets a user rewrite his own
# uidNumber, gidNumber or sambaSID; prefer an explicit attrs= list for
# self-service writes and leave identity attributes to the admin dn.
access to * by self write by anonymous read by * none
Шаг 2. Создайте хеш пароля:
# slappasswd
New password:
Re-enter new password:
{SSHA}3jMclJIUbFWn2WnkUpSlgInvoGBmlx2D
Шаг 3. Вставьте созданный хеш пароля в файл /usr/local/etc/openldap/slapd.conf:
rootpw {SSHA}3jMclJIUbFWn2WnkUpSlgInvoGBmlx2D
Шаг 4. Установите права на директорию с данными LDAP:
# chmod 0700 /var/db/openldap-data
# chmod 0700 /var/db/openldap-slurp
Шаг 5. Отредактируйте конфигурационный файл nss_ldap — /usr/local/etc/nss_ldap.conf:
# nss_ldap.conf — how the NSS module finds users and groups in the directory.
# No binddn/bindpw is configured, so every lookup binds anonymously; the
# slapd ACL "access to * ... by anonymous read" (step 1 of this part) is what
# makes that work.
host 127.0.0.1
base dc=mycompany,dc=local
ldap_version 3
port 389
scope one
# Timeouts in seconds; "soft" bind policy gives up quickly when slapd is down
# instead of hanging logins and boot.
timelimit 30
bind_timelimit 10
bind_policy soft
nss_connect_policy persist
idle_timelimit 3600
nss_paged_results yes
pagesize 1000
# Search bases ("?one" = one-level scope). nss_base_passwd is listed twice on
# purpose: nss_ldap accepts repeated nss_base_* lines, so Samba machine
# accounts under ou=computers resolve as well as people under ou=users.
nss_base_passwd ou=users,dc=mycompany,dc=local?one
nss_base_group ou=groups,dc=mycompany,dc=local?one
nss_base_passwd ou=computers,dc=mycompany,dc=local?one
nss_base_shadow ou=users,dc=mycompany,dc=local?one
Шаг 6. Отредактируйте файл /etc/nsswitch.conf:
# /etc/nsswitch.conf — name-service lookup order.
# "files" stays first so root and the other system accounts still resolve
# when slapd is unreachable; "ldap" is served by nss_ldap (step 5).
group: files ldap
group_compat: nis
hosts: files dns
networks: files
passwd: files ldap
passwd_compat: nis
shells: files
Шаг 7. Отредактируйте конфигурационный файл ldapscripts — /usr/local/etc/ldapscripts/ldapscripts.conf:
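# ldapscripts.conf — settings for the ldapscripts helpers that Samba invokes
# from smb.conf (ldapadduser, ldapaddmachine, ...). The file is sourced as
# shell, so every value is a quoted string.
SERVER="localhost"
BINDDN="cn=root,dc=mycompany,dc=local"
# Directory-admin password in clear text: the file must stay root:wheel 0640
# (set in step 8) and must not end up in world-readable backups.
BINDPWD="password"
SUFFIX="dc=mycompany,dc=local"
GSUFFIX="ou=groups"
USUFFIX="ou=users"
MSUFFIX="ou=computers"
# First numeric ids handed out to new groups, users and machine accounts.
GIDSTART="10000"
UIDSTART="10000"
MIDSTART="20000"
# Login shell for newly created users. Was "/bin/sbin/nologin", a path that
# does not exist on FreeBSD; the login-denying shell lives in /usr/sbin.
USHELL="/usr/sbin/nologin"
# %u is replaced by the login name.
UHOMES="/home/samba/homes/%u"
ASKGECOS="no"
CREATEHOMES="yes"
HOMESKEL="/etc/skel"
HOMEPERMS="700"
# Keep on one line.
PASSWORDGEN="head -c8 /dev/random | uuencode -m - | sed -n -e '2s|=*$||;2p' | sed -e 's|+||g' -e 's|/||g'"
# Generated passwords are appended in clear to PASSWORDFILE; protect that file
# like BINDPWD above.
RECORDPASSWORDS="yes"
PASSWORDFILE="/var/log/ldapscripts_passwd.log"
LOGFILE="/var/log/ldapscripts.log"
# OpenLDAP client tools from the port.
LDAPSEARCHBIN="/usr/local/bin/ldapsearch"
LDAPADDBIN="/usr/local/bin/ldapadd"
LDAPDELETEBIN="/usr/local/bin/ldapdelete"
LDAPMODIFYBIN="/usr/local/bin/ldapmodify"
LDAPMODRDNBIN="/usr/local/bin/ldapmodrdn"
LDAPPASSWDBIN="/usr/local/bin/ldappasswd"
# Empty: let ldapscripts pick its default getent commands.
GETENTPWCMD=""
GETENTGRCMD=""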
Шаг 8. Установите права на конфигурационный файл ldapscripts:
# cd /usr/local/etc/ldapscripts
# chmod 0640 ldapscripts.conf
# chown root:wheel ldapscripts.conf
Шаг 9. Скопируйте схему samba.schema в /usr/local/etc/openldap/schema/:
# cp /usr/local/share/examples/samba/LDAP/samba.schema \
? /usr/local/etc/openldap/schema/samba.schema
Шаг 10. Отредактируйте главный конфигурационный файл Samba — /usr/local/etc/smb.conf:
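#======================= Global Settings =============================
# smb.conf — Samba 3 primary domain controller backed by the OpenLDAP
# directory configured above. Samba accepts both # and ; as full-line
# comment markers; inline comments are not supported.
[global]
workgroup = mycompany
netbios name = pdc
server string =
security = user
encrypt passwords = yes
load printers = no
# Members of this list get root-equivalent file access on every share.
admin users = kravchenko
# Subnet prefixes; a trailing dot means "the whole network".
hosts allow = 192.168.1. 192.168.2. 127.
log file = /var/log/samba/samba.log
max log size = 50000
# Accounts live in LDAP. The admin dn's password is not kept in this file
# (Samba reads it from secrets.tdb, where "smbpasswd -w" stores it).
passdb backend = ldapsam:ldap://127.0.0.1
ldap suffix = dc=mycompany,dc=local
ldap user suffix = ou=users
ldap group suffix = ou=groups
ldap machine suffix = ou=computers
ldap admin dn = "cn=root,dc=mycompany,dc=local"
ldap delete dn = no
# Unencrypted LDAP is tolerable only because the passdb URL above stays on
# loopback; do not point it at a remote host with ssl still off.
ldap ssl = off
# idmap ranges for SIDs that are not already posixAccounts in the directory.
# NOTE(review): both ranges start at the same value as UIDSTART/GIDSTART in
# ldapscripts.conf (10000) — confirm the allocations cannot collide.
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind separator = @
winbind use default domain = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
# Domain-controller role: win browser elections and serve domain logons.
local master = yes
os level = 255
domain master = yes
preferred master = yes
domain logons = yes
# Empty value: profiles are not roaming (they stay on the client).
logon path =
logon home = \\%L\homes
logon drive = H:
# Account provisioning is delegated to ldapscripts (step 7), which bind as
# the directory admin; these scripts run with smbd's privileges.
add machine script = /usr/local/bin/ldapaddmachine '%u' computers
add user script = /usr/local/bin/ldapadduser '%u' users
add group script = /usr/local/bin/ldapaddgroup '%g'
add user to group script = /usr/local/bin/ldapaddusertogroup '%u' '%g'
delete user script = /usr/local/bin/ldapdeleteuser '%u'
delete group script = /usr/local/bin/ldapdeletegroup '%g'
delete user from group script = /usr/local/bin/ldapdeleteuserfromgroup '%u' '%g'
set primary group script = /usr/local/bin/ldapsetprimarygroup '%u' '%g'
# Fixed: the closing quote after %unew was missing in the original line.
rename user script = /usr/local/bin/ldaprenameuser '%uold' '%unew'
wins support = yes
wins proxy = yes
dns proxy = no
# Cyrillic: koi8-r on the Unix side, cp866 for DOS/Windows clients.
display charset = koi8-r
unix charset = koi8-r
dos charset = cp866
time server = yes
#============================ Share Definitions ==============================
[homes]
comment = Home Directories
path = /home/samba/homes/%U
browseable = no
writable = yes
public = no
read only = no
create mask = 0600
directory mask = 0700
# %S is the share name, i.e. the user's own login: nobody else may connect.
valid users = %S
[netlogon]
comment = Network Logon Service
# Clients execute logon scripts from this directory. Keep it root-owned and
# not writable by ordinary users; step 11 applies chmod 777 to it, which lets
# any local account replace the scripts that every domain client will run.
path = /usr/local/etc/samba/netlogon
browseable = no
guest ok = yes
writable = no
share modes = no
volume = NETLOGON
[profiles]
create mode = 0600
# Originally written as 700; Samba parses the value as octal either way.
directory mode = 0700
path = /home/samba/profiles/%u
browseable = no
guest ok = yes
writeable = yes
[pub]
comment = Папка общего пользования
path = /home/samba/pub
valid users = @users
# Deliberately permissive: everything created here is world-readable and
# world-writable on the Unix side.
create mode = 666
directory mode = 777
# NOTE(review): "public = yes" permits guest connections while
# "valid users = @users" restricts the share to that group — confirm which
# of the two is intended.
public = yes
writable = yes
printable = no
browseable = yes
[IPC$]
path = /tmp
# Per-share host filter, narrower than the global hosts allow above.
hosts allow = 192.168.1.0/24 192.168.2.0/24 127.0.0.1
hosts deny = 0.0.0.0/0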
Шаг 11. Создайте директории, указанные в конфигурационном файле Samba:
# mkdir /usr/local/etc/samba/netlogon
# chmod 777 /usr/local/etc/samba/netlogon
# cd /home/samba/
# mkdir homes profiles
# chown root:users *
# ll
drwxr-xr-x 32 root wheel 512 12 фев 10:28 homes
drwxr-xr-x 2 root wheel 512 12 фев 10:28 profiles
Шаг 12. Добавьте в /etc/rc.conf такие строки:
# /etc/rc.conf additions: start slapd, smbd/nmbd and winbindd at boot.
slapd_enable="YES"
# Keep on one line. slapd listens on the local Unix socket (ldapi, path
# URL-encoded), on the LAN address 192.168.1.2 and on loopback.
# NOTE(review): the 192.168.1.2 listener is plain LDAP without TLS, and the
# slapd.conf ACL grants anonymous read on every attribute except the password
# hashes, so any host that can reach port 389 there can read the directory.
# Drop ldap://192.168.1.2/ unless other machines need it; if they do, the
# TCP_WRAPPERS build option chosen at step 1 lets /etc/hosts.allow limit the
# source hosts.
slapd_flags='-h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap://192.168.1.2/ ldap://127.0.0.1/"'
slapd_sockets="/var/run/openldap/ldapi"
samba_enable="YES"
winbindd_enable="YES"