Differences between versions of « Samba »

From Cliss XXI
imported>SylvainBeucler
m (samba+ldap - draft)

Version of 17 May 2009 at 17:20

A minimal configuration

[global]
        workgroup = ANGRES
        passdb backend = tdbsam

[homes]
        comment = Répertoire personnel de %u
        read only = no

[monpartage]
        comment = Description longue de mon partage
        read only = no
        path = /srv/samba/monpartage

Note that a share is read-only by default, hence the need to turn that off explicitly.

The default passdb backend is smbpasswd, which cannot store every user field (account validity period, etc.), so we use tdbsam from the outset to avoid surprises later.


Creating a shared folder

cd /srv/samba/groups
mkdir nom_du_partage
chmod o= nom_du_partage
chmod g=rwxs nom_du_partage
chgrp nom_du_partage nom_du_partage

Then edit the Samba configuration file /etc/samba/smb.conf:

[nom_du_partage]
 comment = Répertoire pour ...
 force group = nom_du_partage
 path = /srv/samba/groups/nom_du_partage
 valid users = @nom_du_partage
 read only = no
 create mask = 0660
 directory mask = 0770

Test the configuration with:

testparm

Restart the file server:

/etc/init.d/samba restart

Note the trick for forcing the right group in the shared directories:

[qualite]
...
 force group = +qualite
...
[prod]
...
 force group = +prod
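An added example, not part of the original page, that checks whether a share directory actually ended up the way the recipe above intends: mode 2770 and owned by the share's group, so that files created through Samba inherit that group and "others" get nothing. The function names and the handling of the "+group" form used in the force group trick are assumptions of this example.

```python
import grp, os, stat

def audit_share_dir(mode, dir_group, share_group):
    """Check permission bits and group name against the recipe above; returns a list of problems."""
    problems = []
    if mode & 0o007:
        problems.append("others have access; 'chmod o= dir' expected")
    if (mode & 0o070) != 0o070:
        problems.append("group lacks rwx; 'chmod g=rwx dir' expected")
    if not (mode & stat.S_ISGID):
        problems.append("setgid bit missing: new files will not inherit the group")
    if dir_group != share_group.lstrip("+"):     # accept the 'force group = +grp' form
        problems.append(f"directory group is {dir_group!r}, share expects {share_group!r}")
    return problems

def check_share_dir(path, share_group):
    """Stat a real directory (e.g. /srv/samba/groups/qualite) and audit it."""
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path} is not a directory"]
    # S_IMODE keeps the setgid bit, which the audit relies on
    return audit_share_dir(stat.S_IMODE(st.st_mode), grp.getgrgid(st.st_gid).gr_name, share_group)
```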

Retaining compatibility with MS Woe9X and WoeMe

The new version in Debian Lenny (3.2.5) disables the old clients by default, which also has the effect of ERASING all passwords stored in the old format. So you must, BEFORE upgrading, add this to the configuration:

lanman auth = yes
client plaintext auth = yes
client lanman auth = yes

For more information, see /usr/share/doc/samba/NEWS.Debian.gz:

samba (3.0.27a-2) unstable; urgency=low

  * Weak authentication methods are disabled by default

    Beginning with this version, plaintext authentication is disabled for
    clients and lanman authentication is disabled for both clients and
    servers.  Lanman authentication is not needed for Windows
    NT/2000/XP/Vista, Mac OS X or Samba, but if you still have Windows
    95/98/ME clients (or servers) you may need to set lanman auth (or client
    lanman auth) to yes in your smb.conf.

    The "lanman auth = no" setting will also cause lanman password hashes to
    be deleted from smbpasswd and prevent new ones from being written, so
    that these can't be subjected to brute-force password attacks.  This
    means that re-enabling lanman auth after it has been disabled is more
    difficult; it is therefore advisable that you re-enable the option as
    soon as possible if you think you will need to support Win9x clients.

    Client support for plaintext passwords is not needed for recent Windows
    servers, and in fact this behavior change makes the Samba client behave
    in a manner consistent with all Windows clients later than Windows 98.
    However, if you need to connect to a Samba server that does not have
    encrypted password support enabled, or to another server that does not
    support NTLM authentication, you will need to set
    "client plaintext auth = yes" and "client lanman auth = yes" in smb.conf.

 -- Steve Langasek <vorlon@debian.org>  Sat, 24 Nov 2007 00:23:37 -0800
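As an added example (not code from the page or from Cliss XXI), a small Python audit that reads an smb.conf and flags the points raised in the minimal-configuration section above and in the NEWS.Debian note: the smbpasswd default backend, re-enabled lanman or plaintext authentication, and writable shares with no "valid users" restriction. The parser and the sample configuration are constructed for this example; parameter names are normalised the way Samba does (case and internal whitespace ignored).

```python
import re

def parse_smb_conf(text):
    """{section: {param: value}}; Samba parameter names are case-insensitive and ignore spaces."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            conf[section][re.sub(r"\s+", "", key).lower()] = value.strip()
    return conf

def is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")

def audit_smb_conf(text):
    """Return (section, message) findings for the risk points discussed on this page."""
    conf, findings = parse_smb_conf(text), []
    g = conf.get("global", {})
    # Default backend is smbpasswd, which cannot hold all account fields (see above).
    if g.get("passdbbackend", "smbpasswd").split(":")[0] == "smbpasswd":
        findings.append(("global", "passdb backend is smbpasswd; use tdbsam or ldapsam"))
    # Methods NEWS.Debian turned off by default: each keeps LM hashes or plaintext passwords
    # in play, so report them whenever they have been re-enabled for Win9x clients.
    for weak in ("lanmanauth", "clientplaintextauth", "clientlanmanauth"):
        if is_yes(g.get(weak, "no")):
            findings.append(("global", f"{weak} = yes re-enables a weak authentication method"))
    for name, share in conf.items():
        if name in ("global", "homes"):          # [homes] is implicitly per-user
            continue
        # 'read only' defaults to yes; 'writable'/'writeable' are its inverse synonyms.
        ro = share.get("readonly")
        if ro is None:
            w = share.get("writable", share.get("writeable"))
            ro = "no" if w is not None and is_yes(w) else "yes"
        if not is_yes(ro) and "validusers" not in share:
            findings.append((name, "writable share with no 'valid users' restriction"))
    return findings

# Constructed sample: the page's minimal config with the Win9x settings added and the
# passdb backend left at its default; [qualite] shows the restricted form.
SAMPLE = ("[global]\n workgroup = ANGRES\n lanman auth = yes\n client plaintext auth = yes\n"
          "[monpartage]\n read only = no\n path = /srv/samba/monpartage\n"
          "[qualite]\n valid users = @qualite\n force group = +qualite\n read only = no\n")
```

Running `audit_smb_conf(SAMPLE)` reports three global findings and one for [monpartage]; [qualite] passes because access is limited to @qualite.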

LDAP configuration

UNIX system

aptitude install libnss-ldap
cat <<EOF >> /etc/libnss-ldap.conf
nss_base_passwd ou=people,dc=ville-sallaumines,dc=fr
nss_base_shadow ou=people,dc=ville-sallaumines,dc=fr
nss_base_group  ou=groups,dc=ville-sallaumines,dc=fr
EOF

SMB-LDAP-Tools:

zcat /usr/share/doc/smbldap-tools/examples/smbldap.conf.gz \
   > /etc/smbldap-tools/smbldap.conf
chmod 644 /etc/smbldap-tools/smbldap.conf
Then set the following in /etc/smbldap-tools/smbldap.conf:
  • comment out SID="..." (when unset, smbldap-tools reads the local SID from Samba)
  • sambaDomain="myworkgroup"
  • suffix="dc=myentity,dc=fr"
  • groupsdn="ou=groups,${suffix}"
  • computersdn="ou=people,${suffix}" # same as users, otherwise WXP won't join the domain
  • usersdn="ou=people,${suffix}"
  • idmapdn="ou=people,${suffix}"
  • sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
  • hash_encrypt="CRYPT"
  • comment out defaultMaxPasswordAge="..." # (http://www.planetmy.com/blog/ldap-samba-pdc/)
cp /usr/share/doc/smbldap-tools/examples/smbldap_bind.conf \
   /etc/smbldap-tools/smbldap_bind.conf
chmod 600 /etc/smbldap-tools/smbldap_bind.conf   # holds the admin DN password
and in /etc/smbldap-tools/smbldap_bind.conf:
  • masterDN="cn=admin,dc=myentity,dc=fr"
  • masterPw="secret"
smbldap-populate
  • Set uidNumber=3000 - only machines will use this script, and this will avoid conflicts with webmin.
  • Not sure about 'sambaNextRid'; it seems to be defined when the computer joins the domain (not in 'smbldap-useradd -w').
cat <<EOF | ldapmodify -c -x -D 'cn=admin,dc=myentity,dc=fr' -W
dn: sambaDomainName=myworkgroup,dc=myentity,dc=fr
changetype: modify
replace: uidNumber
uidNumber: 3000
-
replace: sambaNextRid
sambaNextRid: 3000
EOF
# Not necessary:
#gidNumber: 3000


Samba

[global]
workgroup = myworkgroup
# I'm a PDC
domain logons = yes
# I'm a master browser
domain master = yes
local master = yes
preferred master = auto

# Homedir
logon drive = Z:
logon script = %U.bat
# Disable roaming profiles:
logon path =
logon home =

# I use LDAP
passdb backend = ldapsam
ldap suffix = dc=ville-sallaumines,dc=fr
ldap admin dn = cn=admin,dc=ville-sallaumines,dc=fr
ldap user suffix = ou=people
ldap group suffix = ou=groups
ldap machine suffix = ou=people
ldap idmap suffix = ou=users
ldap passwd sync = yes
add machine script = /usr/sbin/smbldap-useradd -w "%u"

[netlogon]
path = /srv/samba/netlogon
read only = yes
browsable = no
comment = Scripts de connexion et Stratégies Systèmes
# Debian tips:
share modes = no
guest ok = yes

Create the netlogon share directory:

mkdir -m 755 /srv/samba/
mkdir -m 755 /srv/samba/netlogon

Webmin configuration

(tested with Webmin 1.400)

# Debian-specific Webmin patch (both files live in /etc)
ln -s /etc/libnss-ldap.secret /etc/ldap.secret
  • LDAP Users and Groups
    • Enabled Samba account by default? => Yes
    • Show fields for given name and surname? # otherwise "Failed to add user to LDAP database : object class 'inetOrgPerson' requires attribute 'sn'" => Yes
    • Object class to add for given name? [otherwise "objectclass: value #4 invalid per syntax" because webmin will add an empty class]: => inetOrgPerson
    • Domain SID for Samba3 [necessary?] => S-1-5-21-XXXXXXXXXX-XXXXXXXXX-XXXXXXXXXX
    • LDAP object class for Samba groups [necessary?]: => sambaGroupMapping (Samba 3 new schema)
  • Users and Groups
    • Default primary group for new users => "Domain Users"
    • Default shell for new users => "/bin/false"
  • LDAP Client
    • Root LDAP client password file => /etc/libnss-ldap.secret


See also

Samba and concurrent access

Links