Tested distribution

How to integrate Samba 3.0.14 with LDAP

Japanese-language documentation on linking Samba with LDAP was hard to find, so in the end the documents I relied on most were in English and other languages.
Because of that, some of my interpretations may be wrong and some of the settings below may be incorrect.

Install the LDAP server and tools with APT.

# apt-get install slapd db4.2-util ldap-utils

Select [Ok].

    Configuring libslp1
    -------------------
    To reduce network traffic use a IP multicast enabled kernel

    The kernel version that you are currently running does not appear to
    support IP multicast. OpenSLP will continue to work even without
    multicast support in the kernel by using broadcasts. However,
    broadcasts are less efficient on the network, so please consider
    upgrading to a multicast enabled kernel.

                                  [<Ok>]

Enter the DNS domain name and select [Ok]. This becomes the base DN used everywhere below (dc=lovebug,dc=jp).

    Configuring slapd
    -----------------
    The DNS domain name is used to construct the base DN of your LDAP
    directory. Entering foo.bar.org will give you the base DN dc=foo,
    dc=bar, dc=org.

    DNS domain name:

    lovebug.jp

                                  [<Ok>]

Enter the organization name and select [Ok].

    Configuring slapd
    -----------------
    Whatever you enter here will be stored as the name of your
    organization in the base DN of your LDAP directory.

    Name of your organization:

    lovebug.jp

                                  [<Ok>]

Enter the LDAP administrator password and select [Ok]. This is the password of the directory rootdn (cn=admin,dc=lovebug,dc=jp); it will later be stored for smbldap-tools and for Samba, so choose it accordingly.

    Configuring slapd
    -----------------
    Please enter the password for the admin entry in your LDAP
    directory.

    Admin password:

    ********

                                  [<Ok>]

Re-enter the LDAP administrator password (confirmation) and select [Ok].

    Configuring slapd
    -----------------
    Please reenter the admin password for your LDAP directory for
    verification.

    Confirm password:

    ********

                                  [<Ok>]

Select [No]: leave the obsolete LDAPv2 protocol disabled; nothing on this page needs it.

    Configuring slapd
    -----------------
    The slapd daemon now disables the old LDAPv2 protocol by default.
    Programs and users are generally expected to be upgraded to LDAPv3.
    If you have old programs which have not been moved to use LDAPv3 and
    you still need LDAPv2 support then select this option and 'allow
    bind_v2' will be added to your slapd.conf to tell slapd to accept
    LDAPv2 connections.

    Allow LDAPv2 protocol?

                      <Yes>                     [<No>]

Extract the Samba schema into the slapd schema directory. The file comes from the samba-doc package, which must be installed for this path to exist.

# zcat /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz > /etc/ldap/schema/samba.schema

Edit the slapd configuration file. Three changes: include the Samba schema, add indexes on the attributes Samba and smbldap-tools search by, and extend the password ACL. The ACL change is the security-relevant one: sambaNTPassword and sambaLMPassword hold the NT and LM hashes, which authenticate a user over SMB exactly as the password would, so they must be covered by the same "access to" rule as userPassword. Without this change the default rule leaves both hashes readable by anyone who can read the entry.

# vi /etc/ldap/slapd.conf 
# Schema and objectClass definitions
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
     ↓ change to the following
# Schema and objectClass definitions
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/samba.schema ← added
# Indexing options for database #1
index           objectClass eq
     ↓ change to the following
# Indexing options for database #1
index           objectClass eq
index         uid,uidNumber,gidNumber,memberUid       eq ← added
index         cn,mail,surname,givenname               eq,subinitial ← added
index         sambaSID                                eq ← added
index         sambaPrimaryGroupSID                    eq ← added
index         sambaDomainName                         eq ← added
access to attrs=userPassword
     ↓ change to the following
access to attrs=userPassword,sambaNTPassword,sambaLMPassword

The "by ..." clauses under that line stay as shipped. The directory is still empty at this point; if you ever add index lines to a populated database, stop slapd and run slapindex afterwards, or the new indexes stay empty. After the restart below, an anonymous search such as ldapsearch -x -b "dc=lovebug,dc=jp" sambaNTPassword must return no hash values; if it does, the ACL edit did not take effect.
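
The check that the hash attributes really sit in the password ACL can be scripted against the file itself, before slapd is restarted. The following is an added example, not code from the page or from the OpenLDAP or Samba projects; the two sample "access to" stanzas are constructed here (the "by" clauses are the stock Debian ones) and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original page: check that a slapd.conf
# protects the Samba hash attributes with the same "access to attrs="
# rule as userPassword. sambaNTPassword and sambaLMPassword are the NT and
# LM hashes, which authenticate a user over SMB as-is, so a directory that
# lets them be read is as exposed as one that leaks the passwords.

# Attributes that must appear in a password ACL.
SECRET_ATTRS="userPassword sambaNTPassword sambaLMPassword"

# acl_attrs <slapd.conf>: one attribute per line from every
# "access to attrs=..." directive (comments ignored, list cut at whitespace).
acl_attrs() {
    grep -v '^[[:space:]]*#' "$1" \
        | grep -i '^[[:space:]]*access[[:space:]]*to[[:space:]]*attrs=' \
        | sed 's/.*attrs=//; s/[[:space:]].*//' \
        | tr ',' '\n'
}

# check_password_acl <slapd.conf>: prints "ok" or "unprotected: <attrs>";
# returns 1 when at least one attribute is not covered by any rule.
check_password_acl() {
    missing=""
    for attr in $SECRET_ATTRS; do
        acl_attrs "$1" | grep -qix "$attr" || missing="$missing $attr"
    done
    if [ -n "$missing" ]; then
        echo "unprotected:$missing"
        return 1
    fi
    echo ok
}

# Constructed sample: the Debian default rule, before the edit on this page.
mk_before() {
    cat > "$1" <<'EOF'
access to attrs=userPassword
        by dn="cn=admin,dc=lovebug,dc=jp" write
        by anonymous auth
        by self write
        by * none
EOF
}

# Constructed sample: the same clauses after the edit, three attributes.
mk_after() {
    cat > "$1" <<'EOF'
# Samba hashes are password-equivalent; protect them like userPassword.
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
        by dn="cn=admin,dc=lovebug,dc=jp" write
        by anonymous auth
        by self write
        by * none
EOF
}

# Live counterpart on the server once slapd is restarted: an anonymous
# search must return no hash values at all.
#   ldapsearch -x -b "dc=lovebug,dc=jp" '(objectClass=sambaSamAccount)' \
#       sambaNTPassword sambaLMPassword userPassword

f=$(mktemp)
mk_before "$f"; check_password_acl "$f"    # unprotected: sambaNTPassword sambaLMPassword
mk_after "$f";  check_password_acl "$f"    # ok
rm -f "$f"
```

Run it against /etc/ldap/slapd.conf (check_password_acl /etc/ldap/slapd.conf) after editing; the ldapsearch in the comment is the confirmation that the running server enforces the rule, which a file check cannot prove.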

Edit the LDAP client configuration file.

# vi /etc/ldap/ldap.conf 

Change it as follows.

BASE dc=lovebug,dc=jp
URI ldap://localhost

Edit hosts.allow. This restricts which hosts may connect to slapd at all (the Debian slapd package is built with TCP wrappers support).

# vi /etc/hosts.allow

Append the following.

slapd:192.168.X. ← write the network address for your environment
slapd:127.0.0.1

An allow rule only has effect when a matching deny rule exists: add slapd: ALL to /etc/hosts.deny as well, otherwise hosts outside the list are still accepted.

Restart the LDAP server.

# /etc/init.d/slapd restart
Stopping OpenLDAP: slapd.
Starting OpenLDAP: running BDB recovery, slapd.

Install smbldap-tools with APT.

# apt-get install smbldap-tools

Extract and copy the smbldap-tools configuration files.

# zcat /usr/share/doc/smbldap-tools/examples/smbldap.conf.gz > /etc/smbldap-tools/smbldap.conf
# cp /usr/share/doc/smbldap-tools/examples/smbldap_bind.conf /etc/smbldap-tools/smbldap_bind.conf

Obtain the local SID.

# net getlocalsid
SID for domain HOSTNAME is: S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX

Edit the smbldap-tools configuration. The SID must be exactly the one reported by net getlocalsid above; smbldap-populate writes it into the sambaDomainName entry, and Samba ignores a domain entry whose SID differs from its own.

# vi /etc/smbldap-tools/smbldap.conf 
SID="S-1-5-21-2139989288-483860436-2398042574"
↓ set the value obtained with "net getlocalsid"
#SID="S-1-5-21-2139989288-483860436-2398042574"
SID="S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX"
suffix="dc=idealx,dc=org"
     ↓ change to the following
#suffix="dc=idealx,dc=org"
suffix="dc=lovebug,dc=jp"
sambaUnixIdPooldn="sambaDomainName=SMB3,${suffix}"
     ↓ change to the following
#sambaUnixIdPooldn="sambaDomainName=SMB3,${suffix}"
sambaUnixIdPooldn="sambaDomainName=LOVEBUG,${suffix}"
userSmbHome="\\\PDC-SMB3\homes\%U"
     ↓ change to the following
#userSmbHome="\\\PDC-SMB3\homes\%U"
userSmbHome="\\\HOSTNAME\homes\%U"
userProfile="\\PDC-SMB3\profiles\%U"
     ↓ change to the following
#userProfile="\\PDC-SMB3\profiles\%U"
userProfile="\\HOSTNAME\profiles\%U"
userHomeDrive="H:"
     ↓ change to the following
#userHomeDrive="H:"
userHomeDrive="Z:"
mailDomain="idealx.com"
     ↓ change to the following
#mailDomain="idealx.com"
mailDomain="lovebug.jp"
rootdn "cn=admin,dc=lovebug,dc=jp" ← add as the last line

The number of backslashes in userSmbHome and userProfile differs above because the wiki swallowed some of them; both are UNC paths and should be written in the same form as the lines they replace in the shipped file.

Edit the smbldap-tools bind configuration. This file holds the LDAP administrator password in clear text, which is why it is kept apart from smbldap.conf: it must be owned by root with mode 0600 (check with ls -l /etc/smbldap-tools/smbldap_bind.conf), while smbldap.conf itself may stay world-readable.

# vi /etc/smbldap-tools/smbldap_bind.conf 
slaveDN="cn=Manager,dc=idealx,dc=org"
slavePw="secret"
masterDN="cn=Manager,dc=idealx,dc=org"
masterPw="secret"
     ↓ change to the following
#slaveDN="cn=Manager,dc=idealx,dc=org"
#slavePw="secret"
#masterDN="cn=Manager,dc=idealx,dc=org"
#masterPw="secret"
slaveDN="cn=admin,dc=lovebug,dc=jp"
slavePw="xxxxxxxxxx" ← LDAP administrator password
masterDN="cn=admin,dc=lovebug,dc=jp"
masterPw="xxxxxxxxxx" ← LDAP administrator password

Populate the directory. -k 0 gives the Administrator account uidNumber 0, i.e. the domain administrator is mapped onto root on this server: whoever holds the Administrator password has root on the PDC.

# smbldap-populate -k 0

Set the password of the Administrator account.

# smbldap-passwd Administrator
Changing password for Administrator
New password :xxxxxxxxxx
Retype new password :xxxxxxxxxx

Verify that the entries were created by dumping the database directly.

# slapcat

Verify the same through the LDAP protocol, as an anonymous bind. With the ACL set above, no userPassword, sambaNTPassword or sambaLMPassword values may appear in this output.

# ldapsearch -b "dc=lovebug,dc=jp" -x

Install the NSS and PAM LDAP modules with APT.

# apt-get install libpam-ldap libnss-ldap

Enter the following and select [Ok]. 127.0.0.1 is deliberate: NSS and PAM lookups then never leave the host, which is the only reason this page gets by without TLS on the LDAP connection.

    Configuring libnss-ldap
    -----------------------
    The address of the LDAP server used.

    Note: It is always a good idea to use an IP address, it reduces
    risks of failure.

    LDAP Server host.

    127.0.0.1

                                  <Ok>

Enter the following and select [Ok].

    Configuring libnss-ldap
    -----------------------
    The distinguished name of the search base.

    dc=lovebug,dc=jp

                      <Ok>

Select [3], then [Ok].

    Configuring libnss-ldap
    -----------------------
    This variable controls which version of the LDAP protocol will
    ldapns use. It is always a good idea to set this to highest possible
    version number.

    LDAP version to use.

                                     [3]
                                      2

                                    <Ok>

Select [No]. The ACL above allows anonymous reads of everything except the password attributes, which is all NSS needs.

    Configuring libnss-ldap
    -----------------------
    Does the LDAP database require login?

    Answer this question affirmatively only if you can't retreive
    entries from the database without logging in.

    Note: Under a normal setup, this is not needed.

    database requires login

                    <Yes>                   [<No>]

Select [No]. That is correct here: no bind password is stored in the file (previous question), and NSS lookups run inside unprivileged processes, which need to read /etc/libnss-ldap.conf.

    Configuring libnss-ldap
    -----------------------
    Should the libnss-ldap configuration file be readable and writable
    only by the file owner?

    If you use passwords in your libnss-ldap configuration, it is
    usually a good idea to have the configuration set with mode 0600
    (readable and writable only by the file's owner).

    Note: As a sanity check, libnss-ldap will check if you have nscd
    installed and will only set the mode to 0600 if nscd is present.

    make configuration readable/writeable by owner only

                      <Yes>                     [<No>]

Select [Ok]; /etc/nsswitch.conf is edited by hand further down.

    Configuring libnss-ldap
    -----------------------
    nsswitch.conf is not managed automatically

    For this package to work, you need to modify your /etc/nsswitch.conf
    to use the ldap datasource.  There is an example file at
    /usr/share/doc/libnss-ldap/examples/nsswitch.ldap which can be used
    as an example for your nsswitch setup, or it can be copied over your
    current setup.

    Also, before removing this package, it is wise to remove the ldap
    entries from nsswitch.conf to keep basic services functioning.

                                    <Ok>

Select [No]. Answering Yes would store the rootdn password in /etc/pam_ldap.secret so that root's passwd command could change other users' LDAP passwords; this page uses smbldap-passwd for that instead, so there is no reason to keep a second copy of the admin password.

    Configuring libpam-ldap
    -----------------------
    This option will allow you to make password utilities that use pam,
    to behave like you would be changing local passwords.

    The password will be stored in a separate file which will be made
    readable to root only.

    If you are using NFS mounted /etc or any other custom setup, you
    should disable this.

    Make local root Database admin.

                      <Yes>                     [<No>]

Select [No].

    Configuring libpam-ldap
    -----------------------
    You need to log in to the database only if you can't retreive
    entries from the database without it.

    This is not the same as root login, entering privileged login here
    is dangerous, as the configuration file has to be readable to all.

    Note: on a normal setup this is not needed.

    Database requires logging in.

                      <Yes>                     [<No>]

Select [Ok].

    Configuring libpam-ldap
    -----------------------
    The PAM module can set the password crypt locally when changing the
    passwords, this is usually a good choice. By setting this to
    something else than clear you are making sure that the password gets
    crypted in some way.

    The meanings for selections are:

    clear - Don't set any encryptions, this is useful with servers that
    automatically encrypt userPassword entry.

    crypt - (Default) make userPassword use the same format as the flat
    filesystem. this will work for most configurations

    nds - Use Novell Directory Services-style updating, first remove the
    old password and then update with cleartext password.

                                    <Ok>

Select [crypt], then [Ok]. With crypt, pam_ldap hashes the password itself before writing userPassword; exop would instead hand the clear-text password to slapd over the password-modify extended operation and let slapd's own password-hash setting decide the hash. Either way, never choose clear.

    Configuring libpam-ldap
    -----------------------
    Local crypt to use when changing passwords.

                       clear
                      [crypt]
                       nds
                       ad
                       exop
                       md5

                       <Ok>

Edit /etc/nsswitch.conf as follows. Keeping compat first means local accounts in /etc/passwd are resolved before LDAP, so the system still boots and root can still log in when slapd is down.

# vi /etc/nsswitch.conf
passwd:         compat
group:          compat
shadow:         compat
  ↓以下のように修正
passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap

Edit /etc/pam.d/common-account as follows.

# vi /etc/pam.d/common-account 
account        required        pam_unix.so
  ↓以下のように修正
#account        required        pam_unix.so
account         sufficient      pam_ldap.so
account         required        pam_unix.so try_first_pass

Edit /etc/pam.d/common-auth as follows. pam_ldap is tried first and is sufficient on its own; if it fails, the password already entered is handed to pam_unix (use_first_pass) so the user is not prompted twice. nullok_secure permits empty passwords from the ttys listed in /etc/securetty; remove it if no account may have an empty password.

# vi /etc/pam.d/common-auth 
auth   required        pam_unix.so nullok_secure
  ↓以下のように修正
#auth   required        pam_unix.so nullok_secure
auth    sufficient      pam_ldap.so
auth    required        pam_unix.so nullok_secure use_first_pass

Edit /etc/pam.d/common-password as follows.

# vi /etc/pam.d/common-password 
password   required   pam_unix.so nullok obscure min=4 max=8 md5
  ↓以下のように修正
#password   required   pam_unix.so nullok obscure min=4 max=8 md5
password   sufficient pam_ldap.so
password   required   pam_unix.so nullok obscure min=4 max=8 md5 use_first_pass

Edit /etc/pam.d/login as follows: the auth block gains the pam_ldap lines, and the password line gains try_first_pass.

# vi /etc/pam.d/login 
auth       required   pam_env.so
auth       required   pam_unix.so nullok
  ↓ change to the following
auth       required   pam_env.so
auth       sufficient pam_ldap.so
account    sufficient pam_ldap.so
password   sufficient pam_ldap.so
auth       required   pam_unix.so nullok use_first_pass

password   required   pam_unix.so nullok obscure min=4 max=8
  ↓ change to the following
password   required   pam_unix.so nullok obscure min=4 max=8 try_first_pass

Edit /etc/pam.d/passwd as follows.

# vi /etc/pam.d/passwd 
password   required   pam_unix.so nullok obscure min=4 max=8
  ↓以下のように修正
#password   required   pam_unix.so nullok obscure min=4 max=8
password   sufficient pam_ldap.so
password   required   pam_unix.so nullok obscure min=4 max=8 try_first_pass

Edit /etc/pam.d/su as follows.

# vi /etc/pam.d/su
auth       required   pam_unix.so
account    required   pam_unix.so
session    required   pam_unix.so
  ↓以下のように修正
auth       sufficient pam_ldap.so
account    sufficient pam_ldap.so
session    optional   pam_ldap.so

auth       required   pam_unix.so try_first_pass
account    required   pam_unix.so use_first_pass
session    required   pam_unix.so

Edit /etc/pam.d/common-session as follows, so that a home directory is created on a user's first login. umask=0022 makes those directories world-readable; use umask=0077 if home directories are meant to be private.

# vi /etc/pam.d/common-session
session required        pam_unix.so
  ↓以下のように修正
session required        pam_unix.so
session required        pam_mkhomedir.so skel=/etc/skel umask=0022

Confirm that the LDAP users are now visible through NSS (the entries created by smbldap-populate should appear alongside the local ones).

# getent passwd

Back up /etc/samba/smb.conf.

# cp /etc/samba/smb.conf /etc/samba/smb.conf.orig

Copy the smb.conf example shipped with smbldap-tools.

# zcat /usr/share/doc/smbldap-tools/examples/smb.conf.gz > /etc/samba/smb.conf

Edit /etc/samba/smb.conf. The shipped example is shown first, then the edited version.

# vi /etc/samba/smb.conf
# Global parameters
[global]
        workgroup = IDEALX-NT
        netbios name = PDC-SRV
        #interfaces = 192.168.5.11
        username map = /etc/samba/smbusers
        enable privileges = yes
        server string = Samba Server %v
        security = user
        encrypt passwords = Yes
        min passwd length = 3
        obey pam restrictions = No
        ldap passwd sync = Yes
        #unix password sync = Yes
        #passwd program = /opt/IDEALX/sbin/smbldap-passwd -u %u
        #passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n"
        ldap passwd sync = Yes
        log level = 0
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 100000
        time server = Yes
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        mangling method = hash2
        Dos charset = 850
        Unix charset = ISO8859-1

        logon script = logon.bat
        logon drive = H:
        logon home =
        logon path =

        domain logons = Yes
        os level = 65
        preferred master = Yes
        domain master = Yes
        wins support = Yes
        passdb backend = ldapsam:ldap://127.0.0.1/
        # passdb backend = ldapsam:"ldap://127.0.0.1/ ldap://slave.idealx.com"
        # ldap filter = (&(objectclass=sambaSamAccount)(uid=%u))
        ldap admin dn = uid=samba,ou=Users,dc=idealx,dc=com
        ldap suffix = dc=idealx,dc=com
        ldap group suffix = ou=Groups
        ldap user suffix = ou=Users
        ldap machine suffix = ou=Computers
        ldap idmap suffix = ou=Users
        ldap ssl = start tls
        add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"
        ldap delete dn = Yes
        #delete user script = /opt/IDEALX/sbin/smbldap-userdel "%u"
        add machine script = /opt/IDEALX/sbin/smbldap-useradd -w "%u"
        add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"
        #delete group script = /opt/IDEALX/sbin/smbldap-groupdel "%g"
        add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"        
        delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"        
        set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g "%g" "%u"
        # printers configuration
        printer admin = @"Print Operators"
        load printers = Yes
        create mask = 0640
        directory mask = 0750
        nt acl support = No
        printing = cups
        printcap name = cups
        deadtime = 10
        guest account = nobody
        map to guest = Bad User
        dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
        show add printer wizard = yes
        ; to maintain capital letters in shortcuts in any of the profile folders:        
        preserve case = yes
        short preserve case = yes
        case sensitive = no

[homes]
        comment = repertoire de %U, %u
        read only = No
        create mask = 0644
        directory mask = 0775
        browseable = No

[netlogon]
        path = /home/netlogon/
        browseable = No
        read only = yes

[profiles]
        path = /home/profiles
        read only = no
        create mask = 0600
        directory mask = 0700
        browseable = No
        guest ok = Yes
        profile acls = yes
        csc policy = disable
        # next line is a great way to secure the profiles
        force user = %U
        # next line allows administrator to access all profiles
        valid users = %U "Domain Admins"

[printers]
        comment = Network Printers
        printer admin = @"Print Operators"
        guest ok = yes
        printable = yes
        path = /home/spool/
        browseable = No
        read only  = Yes
        printable = Yes
        print command = /usr/bin/lpr -P%p -r %s
        lpq command = /usr/bin/lpq -P%p
        lprm command = /usr/bin/lprm -P%p %j

[print$]
        path = /home/printers
        guest ok = No
        browseable = Yes
        read only = Yes
        valid users = @"Print Operators"
        write list = @"Print Operators"
        create mask = 0664
        directory mask = 0775

[public]
        comment = Repertoire public
        path = /home/public
        browseable = Yes
        guest ok = Yes
        read only = No
        directory mask = 0775
        create mask = 0664

  ↓ change to the following

# Global parameters
[global]
        workgroup = LOVEBUG
        netbios name = HOSTNAME
        hosts allow = [network address] 127. EXCEPT [gateway address]
        hosts deny  = ALL
        #interfaces = 192.168.5.11
        #username map = /etc/samba/smbusers
        enable privileges = yes
        server string = Samba Server %v
        security = user
        encrypt passwords = Yes
        min passwd length = 3
        obey pam restrictions = Yes
        ldap passwd sync = Yes
        #unix password sync = Yes
        passwd program = /usr/sbin/smbldap-passwd -u %u
        passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n"
        #ldap passwd sync = Yes
        log level = 0
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 100000
        time server = Yes
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        mangling method = hash2
        #Dos charset = 850
        #Unix charset = ISO8859-1
        dos charset = CP932
        unix charset = EUCJP-MS
        display charset = EUCJP-MS

        #logon script = logon.bat
        #logon drive = H:
        #logon home =
        #logon path =

        domain logons = Yes
        os level = 65
        preferred master = Yes
        domain master = Yes
        #wins support = Yes
        passdb backend = ldapsam:ldap://127.0.0.1/
        # passdb backend = ldapsam:"ldap://127.0.0.1/ ldap://slave.idealx.com"        
        # ldap filter = (&(objectclass=sambaSamAccount)(uid=%u))
        ldap admin dn = cn=admin,dc=lovebug,dc=jp
        ldap suffix = dc=lovebug,dc=jp
        ldap group suffix = ou=Groups
        ldap user suffix = ou=Users
        ldap machine suffix = ou=Computers
        ldap idmap suffix = ou=Users
        #ldap ssl = start tls
        add user script = /usr/sbin/smbldap-useradd -m "%u"
        ldap delete dn = Yes
        delete user script = /usr/sbin/smbldap-userdel "%u"
        add machine script = /usr/sbin/smbldap-useradd -w "%u"
        add group script = /usr/sbin/smbldap-groupadd -p "%g"
        delete group script = /usr/sbin/smbldap-groupdel "%g"
        add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
        delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"        
        set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"

        # printers configuration
        printer admin = @"Print Operators"
        load printers = Yes
        create mask = 0640
        directory mask = 0750
        nt acl support = No
        printing = cups
        printcap name = cups
        deadtime = 10
        guest account = nobody
        map to guest = Bad User
        dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
        show add printer wizard = yes
        ; to maintain capital letters in shortcuts in any of the profile folders:        
        preserve case = yes
        short preserve case = yes
        case sensitive = no

        # recycle box enabled ← enable the recycle-bin function
        vfs objects = recycle        
        # recycle box dir name ← directory name of the recycle bin
        recycle:repository = .recycle/%u
        # dir structured keep ← move to the recycle bin with the directory structure preserved
        recycle:keeptree = no
        # same named when to other named ← keep a file with an existing name under a different name
        recycle:versions = yes
        # timestamp update ← whether to update the timestamp when moving to the recycle bin
        recycle:touch = no
        # max file size zero is infinity ← maximum file size for the recycle bin (0 = unlimited)
        recycle:maxsize = 0

[homes]
        comment = repertoire de %U, %u
        read only = No
        create mask = 0644
        directory mask = 0775
        browseable = No

[netlogon]
        path = /home/netlogon/
        browseable = No
        read only = yes

[profiles]
        path = /home/profiles
        read only = no
        create mask = 0600
        directory mask = 0700
        browseable = No
        guest ok = Yes
        profile acls = yes
        csc policy = disable
        # next line is a great way to secure the profiles
        force user = %U
        # next line allows administrator to access all profiles
        valid users = %U "Domain Admins"

[printers]
        comment = Network Printers
        printer admin = @"Print Operators"
        guest ok = yes
        printable = yes
        path = /home/spool/
        browseable = No
        read only  = Yes
        print command = /usr/bin/lpr -P%p -r %s
        lpq command = /usr/bin/lpq -P%p
        lprm command = /usr/bin/lprm -P%p %j

[print$]
        path = /home/printers
        guest ok = No
        browseable = Yes
        read only = Yes
        valid users = @"Print Operators"
        write list = @"Print Operators"
        create mask = 0664
        directory mask = 0775

[public]
        comment = Repertoire public
        path = /home/public
        browseable = Yes
        guest ok = Yes
        read only = No
        directory mask = 0775
        create mask = 0664

Check the smb.conf syntax (the command is testparm, not testparam).

# testparm

A few points in the edited file to be aware of. "ldap admin dn" is the directory rootdn (cn=admin,...), so whoever reads secrets.tdb owns the whole directory; the shipped example binds as a dedicated, less privileged account (uid=samba,ou=Users) instead. "ldap ssl = start tls" is commented out, which is acceptable only because "passdb backend" points at 127.0.0.1; if the directory ever moves to another host, turn it back on, since Samba otherwise sends the admin DN password in clear on every bind. [public] is writable by guests ("guest ok = Yes", "read only = No") for every host inside "hosts allow", and [profiles] keeps "guest ok = Yes" from the example, relying on "valid users" and "force user = %U" to fence it. "min passwd length = 3" only governs Unix password changes through Samba and is not a domain password policy.
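
testparm checks syntax, not policy. The following is an added example, not code from the page or from Samba: a small offline audit of the settings discussed above (hosts allow, LDAP bind without TLS off the loopback, guest-writable shares, min passwd length) that only reads the file. The sample smb.conf it runs on is constructed to mirror this page's values, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original page: an offline audit of the
# security-relevant smb.conf settings this page touches. Pair it with
# "testparm" on the server; it does not replace it.

# flatten <smb.conf>: print "section<TAB>key<TAB>value" per parameter,
# keys lower-cased, comments (# and ;) and surrounding whitespace dropped.
flatten() {
    awk '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ { sec=$0; sub(/^[ \t]*\[/, "", sec); sub(/\].*/, "", sec); next }
        /=/ {
            k=$0; v=$0
            sub(/=.*/, "", k); sub(/^[^=]*=/, "", v)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            print sec "\t" tolower(k) "\t" v
        }' "$1"
}

# param <flat-file> <section> <key>: value of a parameter (last one wins, as in Samba).
param() { awk -F '\t' -v s="$2" -v k="$3" '$1 == s && $2 == k { v = $3 } END { print v }' "$1"; }

# lc: lower-case stdin (Samba values are case-insensitive).
lc() { tr 'A-Z' 'a-z'; }

# audit_smbconf <smb.conf>: print one WARN line per finding; return 1 if any.
audit_smbconf() {
    flat=$(mktemp)
    flatten "$1" > "$flat"
    n=0

    # 1. A domain controller reachable from every network is a large target.
    if [ -z "$(param "$flat" global 'hosts allow')" ]; then
        echo "WARN global: no 'hosts allow'; restrict to the LAN (e.g. 'hosts allow = <net> 127. EXCEPT <gateway>')"
        n=$((n+1))
    fi

    # 2. Samba binds as 'ldap admin dn' with the stored password on every lookup.
    #    Off the loopback interface that bind must be protected by TLS.
    backend=$(param "$flat" global 'passdb backend')
    host=$(printf '%s\n' "$backend" | sed -n 's|.*ldap://\([^/:]*\).*|\1|p')
    ssl=$(param "$flat" global 'ldap ssl' | lc)
    case "$host" in
        ''|127.0.0.1|localhost) ;;
        *) [ "$ssl" = "start tls" ] || {
               echo "WARN global: LDAP on $host without 'ldap ssl = start tls'; admin DN password crosses the network in clear"
               n=$((n+1)); } ;;
    esac

    # 3. Shares that anonymous users can write to.
    for sec in $(cut -f1 "$flat" | sort -u); do
        [ "$sec" = global ] && continue
        guest=$(param "$flat" "$sec" 'guest ok' | lc)
        ro=$(param "$flat" "$sec" 'read only' | lc)
        wr=$(param "$flat" "$sec" 'writable' | lc)
        if [ "$guest" = yes ] && { [ "$ro" = no ] || [ "$wr" = yes ]; }; then
            echo "WARN [$sec]: guest ok + writable; anyone on the allowed networks can write here"
            n=$((n+1))
        fi
    done

    # 4. Weak minimum length for Unix password changes through Samba.
    min=$(param "$flat" global 'min passwd length')
    if [ -n "$min" ] && [ "$min" -lt 8 ]; then
        echo "WARN global: min passwd length = $min; 8 or more is the usual floor"
        n=$((n+1))
    fi

    rm -f "$flat"
    [ "$n" -eq 0 ]
}

# mk_sample <file> <passdb backend>: constructed smb.conf mirroring this page
# (not a real file). The backend is a parameter so the TLS check can be shown.
mk_sample() {
    cat > "$1" <<EOF
[global]
        workgroup = LOVEBUG
        hosts allow = 192.168.0. 127. EXCEPT 192.168.0.1
        hosts deny  = ALL
        min passwd length = 3
        passdb backend = $2
        #ldap ssl = start tls
        ldap admin dn = cn=admin,dc=lovebug,dc=jp
[homes]
        read only = No
        browseable = No
[public]
        path = /home/public
        guest ok = Yes
        read only = No
EOF
}

t=$(mktemp)
mk_sample "$t" 'ldapsam:ldap://127.0.0.1/';        audit_smbconf "$t"   # 2 findings: min passwd length, [public]
mk_sample "$t" 'ldapsam:ldap://ldap.lovebug.jp/';  audit_smbconf "$t"   # 3 findings: the above plus no TLS
rm -f "$t"
```

On the server, run audit_smbconf /etc/samba/smb.conf after every edit; the loopback case is silent on TLS by design, so the warning appears only once the directory moves off the host.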

Store the LDAP administrator password for Samba. It is written to /var/lib/samba/secrets.tdb, which must stay readable by root only. The password is passed on the command line, so it also lands in the shell history and is visible to ps while the command runs; remove the history line afterwards.

# smbpasswd -w xxxxxxxxxx
Setting stored password for "cn=admin,dc=lovebug,dc=jp" in secrets.tdb

Restart Samba.

# /etc/init.d/samba restart
Stopping Samba daemons: nmbd smbd.
Starting Samba daemons: nmbd smbd.

Give administrator administrative rights (uid 0). smbldap-populate -k 0 above already created the Administrator entry with uidNumber 0, so this step is redundant and only confirms the mapping; remember that it makes the domain administrator root on this server.

# smbldap-usermod -u 0 administrator

Restart the LDAP server.

# /etc/init.d/slapd restart
Stopping OpenLDAP: slapd.
Starting OpenLDAP: running BDB recovery, slapd.

Restart the SSH server so that it picks up the new PAM configuration.

# /etc/init.d/ssh restart
Restarting OpenBSD Secure Shell server: sshd.

Create a test user.

# smbldap-useradd -a -m -P testuser ← create an ordinary user (-a: create the Windows/Samba account, -m: create the home directory, -P: set the password)
Changing password for testuser
New password :xxxxxxxxxx
Retype new password :xxxxxxxxxx

Disable the roaming profile for the test user by setting an empty profile path.

# smbldap-usermod -F "" testuser

  • Joining the domain from a Windows client (Windows XP)
  1. [Start] → right-click the [My Computer] icon
  2. Click [Properties]
  3. Click the [Computer Name] tab
  4. Click the [Change] button
  5. Under [Member of] select [Domain] and enter the domain name
  6. Enter the account name and password of a domain administrator
  • Windows XP cannot join the domain. What then?
  1. [Start] → [Control Panel]
  2. Click [Administrative Tools]
  3. Click [Local Security Policy]
  4. Under [Local Policies] → [Security Options], try setting [Domain member: Digitally encrypt or sign secure channel data (always)] to "Disabled". This only relaxes the client from requiring secure-channel protection to preferring it, but it is a workaround for the join, not a setting to roll out to every client.

Last-modified: 2009-08-08 (Sat) 13:32:55