Go to Qiita Advent Calendar 2024 Top
LoginSignup
9
9

Delete article

Deleted articles cannot be recovered.

Draft of this article would be also deleted.

Are you sure you want to delete this article?

More than 5 years have passed since last update.

@marlion7in株式会社SORICH

Samba + LDAP構築(CentOS7)

Posted at

LDAPを用いたSambaファイルサーバを同一サーバ内に構築したときの備忘録。

  • dc=example,dc=comの下にPeopleとGroupを作成
  • Groupは/home/shareのみアクセス可能なものと、/home/adminと/home/shareにアクセス可能なものの2種類を作成
  • PeopleはそれぞれのGroupに1人ずつ作成

OS: CentOS7.3
Samba: 4.4.4
OpenLDAP: 2.4.40

必要なパッケージのインストール

$ yum -y install samba samba-client samba-common openldap-servers openldap-clients openldap smbldap-tools nss-pam-ldapd pam_ldap

LDAPサーバにexample.comのドメイン情報を登録する

$ slappasswd
New password: 
Re-enter new password: 
{SSHA}AKtmxfiwIz1Efj5SCLq4ERop8hAnTc70
# 暗号化パスワードを作成(hogehogeとします)
init.ldif
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW:{SSHA}AKtmxfiwIz1Efj5SCLq4ERop8hAnTc70
# 暗号化したパスワードを記述

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW:{SSHA}AKtmxfiwIz1Efj5SCLq4ERop8hAnTc70

replace: olcRootDN
olcRootDN: cn=Manager,dc=example,dc=com

replace: olcSuffix
olcSuffix: dc=example,dc=com

$ ldapmodify -a -Y EXTERNAL -H ldapi:/// -f init.ldif

データベースチューニング設定ファイルを配置

$ cp -p /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

ベースエントリの登録

base.ldif
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
dc: example
o: Example Inc.

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=example,dc=com
objectClass: organizationalUnit
ou: Group

$ ldapadd -x -D "cn=Manager,dc=example,dc=com" -w hogehoge -f base.ldif

$ ldapsearch -x -LLL -H ldap:/// -b dc=example,dc=com
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
dc: example
o: Example Inc.

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=example,dc=com
objectClass: organizationalUnit
ou: Group

必要なスキーマの追加


$ ldapadd -x -W -D cn=config -f /etc/openldap/schema/cosine.ldif
Enter LDAP Password: 
adding new entry "cn=cosine,cn=schema,cn=config"

$ ldapadd -x -W -D cn=config -f /etc/openldap/schema/inetorgperson.ldif
Enter LDAP Password: 
adding new entry "cn=inetorgperson,cn=schema,cn=config"

$ ldapadd -x -W -D cn=config -f /etc/openldap/schema/nis.ldif

$ cp /usr/share/doc/samba-4.4.4/LDAP/samba.ldif /etc/openldap/schema/samba.ldif

$ ldapadd -x -W -D cn=config -f /etc/openldap/schema/samba.ldif

$ ldapsearch -x -LLL -W -D cn=config -b cn=config "(objectClass=olcSchemaConfig)" dn
Enter LDAP Password: 
dn: cn=schema,cn=config

dn: cn={0}core,cn=schema,cn=config

dn: cn={1}cosine,cn=schema,cn=config

dn: cn={2}inetorgperson,cn=schema,cn=config

dn: cn={3}nis,cn=schema,cn=config

dn: cn={4}samba,cn=schema,cn=config

sambaの設定を記述

/etc/samba/smb.conf

# See smb.conf.example for a more detailed config file or
# read the smb.conf manpage.
# Run 'testparm' to verify the config is correct after
# you modified it.

[global]
        unix charset = UTF-8
        dos charset = CP932
        workgroup = WORKGROUP

        passdb backend = ldapsam:ldap://127.0.0.1
        load printers = no
        dns proxy = No
        ldap admin dn = cn=Manager,dc=example,dc=com
        ldap suffix = dc=example,dc=com
        ldap user suffix = ou=People
        ldap group suffix = ou=Group
        ldap ssl = no
        ldap passwd sync = Yes
        unix password sync = Yes
        guest only = no

[admin]
        path = /home/admin
        browsable = yes
        read only = no
        create mask = 0777
        directory mask = 0777
        valid users = @admin
        writable = yes
        vfs objects = full_audit
        full_audit:success = open pwrite unlink
        full_audit:failure = open pwrite unlink
        
[public]
        path = /home/share
        public = yes
        writable = yes
        only guest = yes

正しく記述されているかはtestparmコマンドで確認できる

smb.confを元にLDAPとの連携設定をする

$ smbldap-config
# 対話形式で必要な内容を記述する
$ net getlocalsid
# SambaのSIDを取得し、/etc/smbldap-tools/smbldap.confに書き込む
$ vi /etc/smbldap-tools/smbldap.conf
# SID=""となっている部分にSIDを記述

共有用ディレクトリ作成

$ mkdir /home/share
$ mkdir /home/admin
$ chmod 777 /home/share
$ chmod 777 /home/admin
</pre>

chmod 777 /home/adminとすればsmb.confのvalid userが全員読み書きできるけど、
chgrp admin /home/adminとし、 chmod 770 /home/adminが正しい気もします。

### nsswicthを設定しLDAPからパスワード等を読み込むようにする
/etc/nsswitch.conf
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
#	nisplus			Use NIS+ (NIS version 3)
#	nis			Use NIS (NIS version 2), also called YP
#	dns			Use DNS (Domain Name Service)
#	files			Use the local files
#	db			Use the local database (.db) files
#	compat			Use NIS on compat mode
#	hesiod			Use Hesiod for user lookups
#	[NOTFOUND=return]	Stop searching if not found so far
#

# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd:    db files nisplus nis
#shadow:    db files nisplus nis
#group:     db files nisplus nis

passwd:     files sss ldap
shadow:     files sss ldap
group:      files sss ldap
#initgroups: files

#hosts:     db files nisplus nis dns
hosts:      files dns myhostname

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files     

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss

netgroup:   files sss

publickey:  nisplus

automount:  files
aliases:    files nisplus

LDAPクライアントの設定

$ authconfig-tui

# ユーザー情報: LDAPを使用にチェック
# 認証: LDAP認証を使用にチェック
# 次を押す
# サーバー: ldap://127.0.0.1/
# ベースDN: dc=example,dc=com
# OKを押す

Samba関連のLDAPエントリを追加する

$ smbldap-populate

ここがうまくいかない場合、/etc/smbldap-tools/smbldap.confか/etc/smbldap-tools/smbldap_bind.confを確認する

グループとユーザーを追加する

$ smbldap-groupadd -a admin
$ smbldap-useradd -a admin_user
$ smbldap-groupmod -m admin_user admin
$ smbldap-groupadd -a share
$ smbldap-useradd -a share_user
$ smbldap-groupmod -m share_user share
$ smbldap-passwd admin_user
Changing UNIX and samba passwords for admin_user
New password: 
Retype new password: 
$ smbldap-passwd share_user
Changing UNIX and samba passwords for share_user
New password: 
Retype new password:

以上で作成したユーザーが共有ディレクトリにアクセスできるようになっているかと思います。

9
9
0

Register as a new user and use Qiita more conveniently

  1. You get articles that match your needs
  2. You can efficiently read back useful information
  3. You can use dark theme
What you can do with signing up
Sign upLogin
9
9

Delete article

Deleted articles cannot be recovered.

Draft of this article would be also deleted.

Are you sure you want to delete this article?