La presente guía es para mostrar la manera correcta de instalar openldap y samba bajo linux para poder tener un servidor de autenticación centralizado y samba para que nos provea un controlador de dominio, en este caso primario. Su aplicación en micro y pequeñas redes (de 10 - 10000 tablas sin problemas) es de mucha utilidad y relativamente cómoda administración.
De más está decir que el coste económico es cero, algo que como administradores de redes o jefes de infraestructura deberíamos tener presente con la finalidad de minimizar los costes del área de TI.
Voy a tratar de que los pasos sean lo más sencillos posible y colocaré todos los archivos de configuración completos para no dejar nada vacío.
Condiciones iniciales:
Dominio = mipc.com
ip-address = 172.16.0.3
netmask = 255.255.255.0
hostname = ldap.mipc.com
Gateway = 172.16.0.1
Serv. DNS = ns.mipc.com = 172.16.0.1
Serv. web = www.mipc.com = 172.16.0.4
Empecemos:
1. Instalación de ldap y samba.
aptitude install slapd ldap-utils samba-doc libnss-ldap libpam-ldap nscd samba smbclient smbldap-tools ldap-account-manager-lamdaemon
Se contesta todo por default, ya que vamos a modificar los archivos de configuración
ejecutar lo siguiente (nota: los archivos de configuración que se muestran más abajo deben estar ya editados antes de ejecutar slaptest, net getlocalsid y smbldap-populate, ya que esos comandos los leen):
# zcat /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz > /etc/ldap/schema/samba.schema
# slappasswd -------------> al ejecutar se ingresa la contraseña del administrador del árbol ldap; el hash {SSHA} que devuelve es el que va en rootpw de slapd.conf
# ldap-account-manager-lamdaemon
# adduser ldapadmin
# slaptest -v -u
# rm -rf /var/lib/ldap/* -------------> solo en una instalación nueva: borra por completo cualquier directorio LDAP existente
# service nscd restart
# mkdir -p /var/lib/samba/netlogon /var/lib/samba/profiles
# chown -Rf root:root /var/lib/samba/netlogon /var/lib/samba/profiles
# chmod 1777 /var/lib/samba/profiles
# zcat /usr/share/doc/smbldap-tools/examples/smbldap.conf.gz > /etc/smbldap-tools/smbldap.conf
# cp /usr/share/doc/smbldap-tools/examples/smbldap_bind.conf /etc/smbldap-tools/smbldap_bind.conf
# chmod 640 /etc/smbldap-tools/smbldap.conf /etc/smbldap-tools/smbldap_bind.conf
# chown root:openldap /etc/smbldap-tools/smbldap.conf /etc/smbldap-tools/smbldap_bind.conf
# net getlocalsid
# smbldap-populate
# pdbedit -L
# pdbedit -Lv root
nano /etc/ldap/ldap.conf (la URI es ldap:// sin TLS, así que TLS_CACERT no entra en juego salvo que se active STARTTLS o ldaps://)
BASE dc=mipc,dc=com
URI ldap://ldap.mipc.com
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
nano /etc/ldap/slapd.conf (revisar: en rootpw va el hash que devolvió slappasswd en el paso anterior, no el de esta guía; "loglevel none" deja slapd sin registro alguno, para poder auditar autenticaciones conviene al menos "loglevel stats"; y la última regla "access to * by * read" permite lectura anónima de todo el árbol salvo los atributos de contraseña protegidos arriba)
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/samba.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel none
modulepath /usr/lib/ldap
moduleload back_hdb
sizelimit 500
tool-threads 1
backend hdb
database hdb
suffix "dc=mipc,dc=com"
rootdn "uid=ldapadmin,ou=Usuarios,dc=mipc,dc=com"
rootpw {SSHA}flssWgKAVN+9l2nhpd7NkOgpNStVBsK0
directory "/var/lib/ldap"
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
index objectClass eq,pres
index ou,cn,sn,mail,givenname eq,pres,sub
index uidNumber,gidNumber,memberUid eq,pres
index loginShell eq,pres
index uid pres,sub,eq
index displayName pres,sub,eq
index nisMapName,nisMapEntry eq,pres,sub
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
index uniqueMember eq
index sambaGroupType eq
index sambaSIDList eq
lastmod on
checkpoint 512 30
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdMustChange,sambaPwdLastSet
by self write
by anonymous auth
by * none
access to attrs=shadowLastChange,shadowMax
by self write
by * read
access to *
by * read
nano /etc/libnss-ldap.conf (rootbinddn exige guardar la contraseña de ldapadmin en el fichero de secreto propio del paquete, que debe quedar legible solo por root)
base dc=mipc,dc=com
uri ldap://172.16.0.3/
ldap_version 3
rootbinddn uid=ldapadmin,ou=Usuarios,dc=mipc,dc=com
bind_policy soft
pam_filter objectclass=PosixAccount
pam_login_attribute uid
pam_password crypt
nss_base_passwd ou=Usuarios,dc=mipc,dc=com?one
nss_base_shadow ou=Usuarios,dc=mipc,dc=com?one
nss_base_group ou=Grupos,dc=mipc,dc=com?one
nano /etc/nsswitch.conf
passwd: files ldap
group: files ldap
shadow: files ldap
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
nano /etc/pam_ldap.conf (mismo contenido que libnss-ldap.conf; igual que allí, rootbinddn necesita la contraseña en el fichero de secreto del paquete, legible solo por root)
base dc=mipc,dc=com
uri ldap://172.16.0.3/
ldap_version 3
rootbinddn uid=ldapadmin,ou=Usuarios,dc=mipc,dc=com
bind_policy soft
pam_filter objectclass=PosixAccount
pam_login_attribute uid
pam_password crypt
nss_base_passwd ou=Usuarios,dc=mipc,dc=com?one
nss_base_shadow ou=Usuarios,dc=mipc,dc=com?one
nss_base_group ou=Grupos,dc=mipc,dc=com?one
nano /etc/pam.d/common-account
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 default=ignore] pam_ldap.so
account requisite pam_deny.so
account required pam_permit.so
nano /etc/pam.d/common-auth
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_ldap.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
nano /etc/pam.d/common-password
password [success=2 default=ignore] pam_unix.so obscure crypt
password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass
password requisite pam_deny.so
password required pam_permit.so
nano /etc/pam.d/common-session
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session required pam_unix.so
session required pam_mkhomedir.so
session optional pam_ldap.so
nano /etc/pam.d/common-session-noninteractive
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session required pam_unix.so
session required pam_mkhomedir.so
session optional pam_ldap.so
nano /etc/samba/smb.conf (revisar: "logon path" aparece dos veces y la segunda, vacía, anula la primera, dejar solo la que se quiera; "passwd chat" tiene una comilla sobrante al final; las comillas de "logon script" probablemente pasen a formar parte del valor; y el recurso [public] comparte /tmp con escritura para invitados, lo que da a cualquier cliente de la red acceso de escritura anónimo a ese directorio)
[global]
dos charset = 850
Unix charset = ISO8859-1
workgroup = mipc.com
realm = mipc.com
server string = %h server
map to guest = Bad User
username map = /etc/samba/smbusers
passdb backend = ldapsam:ldap://127.0.0.1/
ldap admin dn = uid=ldapadmin,ou=Usuarios,dc=mipc,dc=com
ldap delete dn = Yes
ldap user suffix = ou=Usuarios
ldap group suffix = ou=Grupos
ldap machine suffix = ou=Maquinas
ldap idmap suffix = ou=idmap
ldap suffix = dc=mipc,dc=com
ldap ssl = no
add user script = /usr/sbin/smbldap-useradd -m %u
delete user script = /usr/sbin/smbldap-userdel %u
add group script = /usr/sbin/smbldap-groupadd -p %g
delete group script = /usr/sbin/smbldap-groupdel %g
add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
set primary group script = /usr/sbin/smbldap-usermod -g %g %u
add machine script = /usr/sbin/smbldap-useradd -W %u
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
interfaces = eth0 lo
hosts allow = 127.0.0.1, 172.16.0.0/24
hosts deny = 0.0.0.0
smb ports = 139 445
bind interfaces only = Yes
name resolve order = wins hosts lmhosts bcast
remote announce = 172.16.0.255
unix password sync = yes
ldap passwd sync = yes
passwd program = /usr/sbin/smbldap-passwd -u %u
passwd chat = "Changing *\nNew password*" %n\n "*Retype new password*" %n\n"
logon script = 'logon.bat %U'
logon path = \\%N\profiles\%U
logon path =
logon drive = U:
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
dns proxy = No
wins support = Yes
panic action = /usr/share/samba/panic-action %d
map acl inherit = Yes
case sensitive = No
hide unreadable = Yes
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
time server = Yes
[homes]
comment = Home Directories
valid users = %S
read only = No
create mask = 0611
directory mask = 0711
browseable = No
[printers]
comment = All Printers
path = /var/spool/samba
create mask = 0611
directory mask = 0711
printable = Yes
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
create mask = 0611
directory mask = 0711
[netlogon]
path = /var/lib/samba/netlogon
browseable = No
create mask = 0611
directory mask = 0711
[profiles]
path = /var/lib/samba/profiles
force user = %U
read only = No
create mask = 0611
directory mask = 0711
guest ok = Yes
profile acls = Yes
browseable = No
csc policy = disable
[public]
path = /tmp
read only = No
guest ok = Yes
create mask = 0611
directory mask = 0711
nano /etc/smbldap-tools/smbldap.conf (con ldapTLS="0" y ldapSSL="0" las líneas verify, cafile, clientcert y clientkey no se usan y la conexión con 172.16.0.3 va sin cifrar)
SID="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" # ----------> colocar el SID que devuelve net getlocalsid
sambaDomain="mipc.com"
slaveLDAP="172.16.0.3"
slavePort="389"
masterLDAP="172.16.0.3"
masterPort="389"
ldapTLS="0"
ldapSSL="0"
verify="require"
cafile="/etc/smbldap-tools/ca.pem"
clientcert="/etc/smbldap-tools/smbldap-tools.example.com.pem"
clientkey="/etc/smbldap-tools/smbldap-tools.example.com.key"
suffix="dc=mipc,dc=com"
usersdn="ou=Usuarios,dc=mipc,dc=com"
computersdn="ou=Maquinas,dc=mipc,dc=com"
groupsdn="ou=Grupos,dc=mipc,dc=com"
idmapdn="ou=Idmap,${suffix}"
sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
scope="sub"
password_hash="CRYPT"
password_crypt_salt_format="%s"
userLoginShell="/bin/bash"
userHome="/home/%U"
userHomeDirectoryMode="700"
userGecos="System User"
defaultUserGid="513"
defaultComputerGid="515"
skeletonDir="/etc/skel"
shadowAccount="1"
defaultMaxPasswordAge="345"
userSmbHome="\\ldap\%U"
userProfile="\\ldap\profiles\%U"
userHomeDrive="U:"
userScript="logon.bat"
mailDomain="mipc.com"
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"
nano /etc/smbldap-tools/smbldap_bind.conf
slaveDN="uid=ldapadmin,ou=Usuarios,dc=mipc,dc=com"
slavePw="yyyyyyy" # ----------------------------> poner la contraseña de ldapadmin en texto plano; por eso este archivo se dejó con permisos 640 y grupo openldap en los pasos anteriores
masterDN="uid=ldapadmin,ou=Usuarios,dc=mipc,dc=com"
masterPw="yyyyyyy" # ----------------------------> poner la contraseña de ldapadmin en texto plano; mismo cuidado con los permisos del archivo
Con todo esto no hay pierde.
Saludos.