Différences entre versions de « Samba »
imported>SylvainBeucler m (samba+ldap - draft) |
imported>SylvainBeucler m (→Liens) |
||
Ligne 226 : | Ligne 226 : | ||
== Liens == | == Liens == | ||
* [http://www.sequanux.org/article.php3?id_article=21 Gestion des utilisateurs, groupes, permissions]: concepts d'utilisateurs et de groupes sous Unix et Windows, et correspondances. | * [http://www.sequanux.org/article.php3?id_article=21 Gestion des utilisateurs, groupes, permissions]: concepts d'utilisateurs et de groupes sous Unix et Windows, et correspondances. | ||
+ | * [http://www.nomis52.net/?section=docs&page=samldap Debian Samba 3 / LDAP / PHP LDAP Admin HOWTO] |
Version du 17 mai 2009 à 17:20
Une configuration minimale
[global] workgroup = ANGRES passdb backend = tdbsam [homes] comment = Répertoire personnel de %u read only = no [monpartage] comment = Description longue de mon partage read only = no path = /srv/samba/monpartage
Noter qu'un partage partage est read only
par défaut, d'où la nécessité de le désactiver.
Le passbd backend
implicite est smbpasswd
qui ne permet pas de stocker tous les champs utilisateurs (durée de validité, etc.), on utilise donc tdbsam
d'office pour ne pas avoir de surprises par la suite.
Créer un dossier partagé
cd /srv/samba/groups mkdir nom_du_partage chmod o= nom_du_partage chmod g=rwxs nom_du_partage chgrp nom_du_partage nom_du_partage
Puis modifier le fichier de configuration de Samba
/etc/samba/smb.conf
:
[nom_du_partage] comment = Répertoire pour ... force group = nom_du_partage path = /srv/samba/groups/nom_du_partage valid users = @nom_du_partage read only = no create mask = 0660 directory mask = 0770
On teste la configuration avec:
testparm
On relance le serveur de fichiers:
/etc/init.d/samba restart
Noter l'astuce pour forcer le bon groupe dans les répertoires partagés:
[qualite] ... force group = +qualite ... [prod] ... force group = +prod
Conserver la compatibilité avec MS Woe9X et WoeMe
La nouvelle version dans Debian Lenny (3.2.5) désactive implicitement les vieux clients, ce qui a également pour conséquence d'EFFACER tous les mots de passe dans l'ancien format. Il faut donc - AVANT de mettre à jour - rajouter ceci dans la configuration:
lanman auth = yes client plaintext auth = yes client lanman auth = yes
Pour plus d'information, cf. /usr/share/doc/samba/NEWS.Debian.gz:
samba (3.0.27a-2) unstable; urgency=low * Weak authentication methods are disabled by default Beginning with this version, plaintext authentication is disabled for clients and lanman authentication is disabled for both clients and servers. Lanman authentication is not needed for Windows NT/2000/XP/Vista, Mac OS X or Samba, but if you still have Windows 95/98/ME clients (or servers) you may need to set lanman auth (or client lanman auth) to yes in your smb.conf. The "lanman auth = no" setting will also cause lanman password hashes to be deleted from smbpasswd and prevent new ones from being written, so that these can't be subjected to brute-force password attacks. This means that re-enabling lanman auth after it has been disabled is more difficult; it is therefore advisable that you re-enable the option as soon as possible if you think you will need to support Win9x clients. Client support for plaintext passwords is not needed for recent Windows servers, and in fact this behavior change makes the Samba client behave in a manner consistent with all Windows clients later than Windows 98. However, if you need to connect to a Samba server that does not have encrypted password support enabled, or to another server that does not support NTLM authentication, you will need to set "client plaintext auth = yes" and "client lanman auth = yes" in smb.conf. -- Steve Langasek <vorlon@debian.org> Sat, 24 Nov 2007 00:23:37 -0800
Configuration LDAP
Système UNIX
aptitude install libnss-ldap cat <<EOF >> /etc/libnss-ldap.conf: nss_base_passwd ou=people,dc=ville-sallaumines,dc=fr nss_base_shadow ou=people,dc=ville-sallaumines,dc=fr nss_base_group ou=groups,dc=ville-sallaumines,dc=fr EOF
SMB-LDAP-Tools:
zcat /usr/share/doc/smbldap-tools/examples/smbldap.conf.gz \ > /etc/smbldap-tools/smbldap.conf chmod 644 /etc/smbldap-tools/smbldap.conf
- comment SSID="..."
- sambaDomain="myworkgroup"
- suffix="dc=myentity,dc=fr"
- groupsdn="ou=groups,${suffix}"
- computersdn="ou=people,${suffix}" # same than users, otherwise WXP won't join the domain %(
- usersdn="ou=people,${suffix}"
- idmapdn="ou=people,${suffix}"
- suffix="dc=myentity,dc=fr"
- sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
- hash_encrypt="CRYPT"
- comment defaultMaxPasswordAge="..." # (http://www.planetmy.com/blog/ldap-samba-pdc/)
chmod 600 /etc/smbldap-tools/smbldap_bind.conf cp /usr/share/doc/smbldap-tools/examples/smbldap_bind.conf \ /etc/smbldap-tools/smbldap_bind.conf
- masterDN="cn=admin,dc=myentity,dc=fr"
- masterPw="secret"
smbldap-populate
- Set uidNumber=3000 - only machines will use this script, and this will avoid conflicts with webmin.
- Not sure about the 'sambaNextRid', it seems it's defined when the computer joins the domain (not in 'smbldap-useradd -w')
cat <<EOF | ldapmodify -c -x -D 'cn=admin,dc=myentity,dc=fr' -W dn: sambaDomainName=myworkgroup,dc=myentity,dc=fr uidNumber: 3000 sambaNextRid: 3000 EOF # Not necessary: #gidNumber: 3000
Samba
workgroup = myworkgroup # I'm a PDC domain logons = yes # I'm a master browser domain master = yes local master = yes preferred master = auto # Homedir logon drive = Z: logon script = %U.bat # Disable roaming profiles: logon path = logon home = # I use LDAP passdb backend = ldapsam ldap suffix = dc=ville-sallaumines,dc=fr ldap admin dn = cn=admin,dc=ville-sallaumines,dc=fr ldap user suffix = ou=people ldap group suffix = ou=groups ldap machine suffix = ou=people ldap idmap suffix = ou=users ldap passwd sync = yes add machine script = /usr/sbin/smbldap-useradd -w "%u" [netlogon] path = /srv/samba/netlogon read only = yes browsable = no comment = Scripts de connexion et Stratégies Systèmes # Debian tips: share modes = no guest ok = yes
mkdir -m 755 /srv/samba/ mkdir -m 755 /srv/samba/netlogon
Configuration Webmin
(testé sous Webmin 1.400)
# Debian-specific Webmin patch ln -s libnss-ldap.secret ldap.secret
- LDAP Users and Groups
- Enabled Samba account by default? => Yes
- Show fields for given name and surname? # otherwise "Failed to add user to LDAP database : object class 'inetOrgPerson' requires attribute 'sn'" => Yes
- Object class to add for given name? [otherwise "objectclass: value #4 invalid per syntax" because webmin will add an empty class]: => inetOrgPerson
- Domain SID for Samba3 [necessary?] => S-1-5-21-XXXXXXXXXX-XXXXXXXXX-XXXXXXXXXX
- LDAP object class for Samba groups [necessary?]: => sambaGroupMapping (Samba 3 new schema)
- Users and Groups
- Default primary group for new users => "Domain Users"
- Default shell for new users => "/bin/false"
- LDAP Client
- Root LDAP client password file => /etc/libnss-ldap.secret
Voir aussi
Liens
- Gestion des utilisateurs, groupes, permissions: concepts d'utilisateurs et de groupes sous Unix et Windows, et correspondances.
- Debian Samba 3 / LDAP / PHP LDAP Admin HOWTO