Wednesday, 13 May 2015

Ubuntu Server 12.04 - Part 3: Installing, Configuring and Integrating LDAP & Samba Server - 1

This time we will build an LDAP server and a Samba server and then integrate the two. The details of the host servers I use are as follows.

PC : LDAP Server
OS : Ubuntu 12.04 Server
Hostname : ns.wanasl.lcl
IP Address : 172.16.16.106

PC : SAMBA Server
OS : Ubuntu 14.04 Server
Hostname : acc-filesrv.wanasl.lcl
IP Address : 192.168.1.196

  1. Installing and Configuring the LDAP Server

  2. Information about the OS I am using.

    it@gnr-srv:~$ sudo cat /etc/os-release 
    NAME="Ubuntu" 
    VERSION="12.04.5 LTS, Precise Pangolin" 
    ID=ubuntu 
    ID_LIKE=debian 
    PRETTY_NAME="Ubuntu precise (12.04.5 LTS)" 
    VERSION_ID="12.04" 
    
    it@gnr-srv:~$ sudo uname -a 
    Linux ns.wanasl.lcl 3.8.0-29-generic #42~precise1-Ubuntu SMP Wed Aug 14 16:19:23 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux 
    
    it@gnr-srv:~$ sudo vim /etc/hostname 
    ns.wanasl.lcl 
    
    it@gnr-srv:~$ sudo vim /etc/hosts 
    127.0.0.1 localhost.localdomain localhost 
    127.0.1.1 ldap.wanasl.lcl ldap 
    172.16.16.101 ns.wanasl.lcl  ns 
    .
    .
    
    it@gnr-srv:~$ sudo reboot
    

    Install the LDAP server.

    root@ns:/home/it# apt-get install slapd ldap-utils
    
    Administrator Password : <- Enter the LDAP administrator password to use
    Confirm Password : <- Re-enter the LDAP administrator password
    

    Reconfigure slapd.

    root@ns:/home/it# dpkg-reconfigure slapd
     Omit OpenLDAP server configuration? No
     DNS domain name: wanasl.lcl
     Organization name: wanasl
     Administrator password : -> Enter the administrator password set when installing slapd, or use a different password.
     Confirm password: -> Same as above
     Database backend to use:  HDB
     Do you want the database to be removed when slapd is purged ? No
     Move old database ? Yes
     Allow LDAPv2 protocol ? No
    

    To make configuration easier, or to view the result of the configuration, install phpldapadmin.

    root@ns:/home/it# apt-get install phpldapadmin
    root@ns:/home/it# vim /etc/phpldapadmin/config.php 
    .
    .
    .
    // $config->custom->appearance['hide_template_warning'] = false; 
    $config->custom->appearance['hide_template_warning'] = true;
    .
    .
    .
    #$servers->setValue('server','host','127.0.0.1'); 
    #$servers->setValue('server','host','172.16.16.106'); 
    $servers->setValue('server','host','ns.wanasl.lcl'); 
    .
    .
    #$servers->setValue('server','base',array('dc=example,dc=com')); 
    $servers->setValue('server','base',array('dc=wanasl,dc=lcl')); 
    .
    .
    .
    $servers->setValue('login','auth_type','session'); 
    .
    .
    .
    #$servers->setValue('login','bind_id','cn=admin,dc=example,dc=com'); 
    $servers->setValue('login','bind_id','cn=admin,dc=wanasl,dc=lcl'); 
    .
    .
    
    To add users or view the result of the LDAP configuration, open a browser and go to http://ns.wanasl.lcl/phpldapadmin. Then click login at the top left. The Login DN is filled in automatically (cn=admin,dc=wanasl,dc=lcl); enter the LDAP administrator password that we set when configuring slapd. You will then see the LDAP directory structure (TLD) and the admin user we configured earlier.
    Next we will add the Samba schema so that LDAP can accommodate Samba users.

    root@ns:/home/it# apt-get install samba-doc
    root@ns:/home/it# cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz /etc/ldap/schema/
    root@ns:/home/it# gzip -d /etc/ldap/schema/samba.schema.gz 
    root@ns:/home/it# cd /etc/ldap/schema/
    root@ns:/etc/ldap/schema# vim schema_convert.conf
    include /etc/ldap/schema/core.schema
    include /etc/ldap/schema/collective.schema
    include /etc/ldap/schema/corba.schema
    include /etc/ldap/schema/cosine.schema
    include /etc/ldap/schema/duaconf.schema
    include /etc/ldap/schema/dyngroup.schema
    include /etc/ldap/schema/inetorgperson.schema
    include /etc/ldap/schema/java.schema
    include /etc/ldap/schema/misc.schema
    include /etc/ldap/schema/nis.schema
    include /etc/ldap/schema/openldap.schema
    include /etc/ldap/schema/ppolicy.schema
    include /etc/ldap/schema/ldapns.schema
    include /etc/ldap/schema/pmi.schema
    include /etc/ldap/schema/samba.schema
    
    root@ns:/etc/ldap/schema# mkdir ldif_output
    root@ns:/etc/ldap/schema# slapcat -f schema_convert.conf -F ldif_output -n 0 | grep samba,cn=schema
    dn: cn={14}samba,cn=schema,cn=config
    
    root@ns:/etc/ldap/schema# slapcat -f schema_convert.conf -F ldif_output -n0 -H ldap:///cn={14}samba,cn=schema,cn=config -l cn=samba.ldif
    root@ns:/etc/ldap/schema# cat cn\=samba.ldif 
    dn: cn={14}samba,cn=schema,cn=config
    objectClass: olcSchemaConfig
    cn: {14}samba
    olcAttributeTypes: {0}( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword' DESC 'L
     anManager Password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.1
     21.1.26{32} SINGLE-VALUE )
    .
    .
    .
    olcObjectClasses: {11}( 1.3.6.1.4.1.7165.2.2.16 NAME 'sambaTrustedDomain' DESC
      'Samba Trusted Domain Object' SUP top STRUCTURAL MUST cn MAY ( sambaTrustTyp
     e $ sambaTrustAttributes $ sambaTrustDirection $ sambaTrustPartner $ sambaFla
     tName $ sambaTrustAuthOutgoing $ sambaTrustAuthIncoming $ sambaSecurityIdenti
     fier $ sambaTrustForestTrustInfo ) )
    structuralObjectClass: olcSchemaConfig
    entryUUID: 1b2c44a8-8ca6-1034-984b-6924be077a11
    creatorsName: cn=config
    createTimestamp: 20150512035251Z
    entryCSN: 20150512035251.222050Z#000000#000#000000
    modifiersName: cn=config
    modifyTimestamp: 20150512035251Z
    

    Delete the lines that were highlighted in bold and italics (the operational attributes structuralObjectClass, entryUUID, creatorsName, createTimestamp, entryCSN, modifiersName and modifyTimestamp), so that the contents of cn=samba.ldif become as follows.

    root@ns:/etc/ldap/schema# cat cn\=samba.ldif 
    dn: cn={14}samba,cn=schema,cn=config
    objectClass: olcSchemaConfig
    cn: {14}samba
    olcAttributeTypes: {0}( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword' DESC 'L
     anManager Password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.1
     21.1.26{32} SINGLE-VALUE )
    .
    .
    .
    .
    .
    olcObjectClasses: {11}( 1.3.6.1.4.1.7165.2.2.16 NAME 'sambaTrustedDomain' DESC
      'Samba Trusted Domain Object' SUP top STRUCTURAL MUST cn MAY ( sambaTrustTyp
     e $ sambaTrustAttributes $ sambaTrustDirection $ sambaTrustPartner $ sambaFla
     tName $ sambaTrustAuthOutgoing $ sambaTrustAuthIncoming $ sambaSecurityIdenti
     fier $ sambaTrustForestTrustInfo ) )
    

    Add the new schema to LDAP.

    root@ns:/etc/ldap/schema# ldapadd -Q -Y EXTERNAL -H ldapi:/// -f cn\=samba.ldif 
    adding new entry "cn={14}samba,cn=schema,cn=config"
    

    Test the result by querying the LDAP server.

    root@ns:/etc/ldap/schema# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config 'cn=*samba*'
    dn: cn={4}samba,cn=schema,cn=config
    objectClass: olcSchemaConfig
    cn: {4}samba
    .
    .
    .
    olcObjectClasses: {11}( 1.3.6.1.4.1.7165.2.2.16 NAME 'sambaTrustedDomain' DESC
      'Samba Trusted Domain Object' SUP top STRUCTURAL MUST cn MAY ( sambaTrustTyp
     e $ sambaTrustAttributes $ sambaTrustDirection $ sambaTrustPartner $ sambaFla
     tName $ sambaTrustAuthOutgoing $ sambaTrustAuthIncoming $ sambaSecurityIdenti
     fier $ sambaTrustForestTrustInfo ) )
    

    Now that slapd knows the Samba attributes, we can create a number of indexes on those attributes.

    root@ns:/etc/ldap/schema# cd /home/it/file-ldif/
    root@ns:/home/it/file-ldif# vim samba_indices.ldif
    dn: olcDatabase={1}hdb,cn=config
    changetype: modify
    add: olcDbIndex
    olcDbIndex: uidNumber eq
    olcDbIndex: gidNumber eq
    olcDbIndex: loginShell eq
    olcDbIndex: uid eq,pres,sub
    olcDbIndex: memberUid eq,pres,sub
    olcDbIndex: uniqueMember eq,pres
    olcDbIndex: sambaSID eq
    olcDbIndex: sambaPrimaryGroupSID eq
    olcDbIndex: sambaGroupType eq
    olcDbIndex: sambaSIDList eq
    olcDbIndex: sambaDomainName eq
    olcDbIndex: default sub
    

    Use the ldapmodify utility to load the new indexes.

    root@ns:/home/it/file-ldif# ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f samba_indices.ldif 
    modifying entry "olcDatabase={1}hdb,cn=config"
    

    If everything went well, we will be able to see the new indexes using ldapsearch.

    root@ns:/home/it/file-ldif# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase={1}hdb olcDbIndex
    dn: olcDatabase={1}hdb,cn=config
    olcDbIndex: objectClass eq
    olcDbIndex: uidNumber eq
    olcDbIndex: gidNumber eq
    olcDbIndex: loginShell eq
    olcDbIndex: uid eq,pres,sub
    olcDbIndex: memberUid eq,pres,sub
    olcDbIndex: uniqueMember eq,pres
    olcDbIndex: sambaSID eq
    olcDbIndex: sambaPrimaryGroupSID eq
    olcDbIndex: sambaGroupType eq
    olcDbIndex: sambaSIDList eq
    olcDbIndex: sambaDomainName eq
    olcDbIndex: default sub
    
    
    

    Configure logging for the LDAP server.

    root@ns:/home/it# vim logging.ldif
    dn: cn=config
    changetype: modify
    replace: olcLogLevel
    olcLogLevel: stats
    
    root@ns:/home/it# ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f logging.ldif 
    modifying entry "cn=config"
    
    root@ns:/home/it# tail -f /var/log/syslog
    May 28 11:13:46 ns slapd[1468]: conn=24406 op=3 SRCH base="dc=wanasl,dc=lcl" scope=2 deref=0 filter="(&(&(|(objectClass=posixGroup))(|(cn=accounting)(cn=hrd)(cn=l2e)))(memberUid=wawan))"
    May 28 11:13:46 ns slapd[1468]: conn=24406 op=3 SRCH attr=cn dn
    May 28 11:13:46 ns slapd[1468]: <= bdb_equality_candidates: (cn) not indexed
    May 28 11:13:46  slapd[1468]: last message repeated 2 times
    May 28 11:13:46 ns slapd[1468]: conn=24406 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
    May 28 11:13:46 ns slapd[1468]: conn=24406 op=4 SRCH base="uid=wawan,ou=users,dc=wanasl,dc=lcl" scope=0 deref=0 filter="(objectClass=*)"
    May 28 11:13:46 ns slapd[1468]: conn=24406 op=4 SRCH attr=primaryGroupID
    May 28 11:13:46 ns slapd[1468]: conn=24406 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=
    May 28 11:13:46 ns slapd[1468]: conn=24406 op=5 UNBIND
    May 28 11:13:46 ns slapd[1468]: conn=24406 fd=28 closed
    May 28 11:14:04 ns slapd[1468]: conn=24407 fd=28 ACCEPT from IP=192.168.1.196:40471 (IP=0.0.0.0:389)
    May 28 11:14:04 ns slapd[1468]: conn=24407 op=0 BIND dn="uid=owncloud,ou=Users,dc=wanasl,dc=lcl" method=128
    May 28 11:14:04 ns slapd[1468]: conn=24407 op=0 BIND dn="uid=owncloud,ou=Users,dc=wanasl,dc=lcl" mech=SIMPLE ssf=0
    May 28 11:14:04 ns slapd[1468]: conn=24407 op=0 RESULT tag=97 err=0 text=
    May 28 11:14:04 ns slapd[1468]: conn=24407 op=1 SRCH base="uid=ozy,ou=users,dc=wanasl,dc=lcl" scope=0 deref=0 filter="(objectClass=*)"
    May 28 11:14:04 ns slapd[1468]: conn=24407 op=1 SRCH attr=1.1
    May 28 11:14:04 ns slapd[1468]: conn=24407 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
    May 28 11:14:04 ns slapd[1468]: conn=24407 op=2 SRCH base="uid=ozy,ou=users,dc=wanasl,dc=lcl" scope=0 deref=0 filter="(objectClass=*)"
    May 28 11:14:04 ns slapd[1468]: conn=24407 op=2 SRCH attr=uid
    May 28 11:14:04 ns slapd[1468]: conn=24407 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
    May 28 11:14:04 ns slapd[1468]: conn=24407 op=3 SRCH base="dc=wanasl,dc=lcl" scope=2 deref=0 filter="(&(&(|(objectClass=posixGroup))(|(cn=accounting)(cn=hrd)(cn=l2e)))(memberUid=ozy))"
    .
    .
    .
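
    Once the stats log level is on, the excerpt above already shows two things worth acting on: the bind from 192.168.1.196 is mech=SIMPLE ssf=0 (the credentials cross the network unencrypted, since this setup uses no TLS), and the `(cn) not indexed` warnings point at an attribute missing from the index list configured earlier. The script below (an added example, not part of the original post) parses such lines into those findings plus a count of failed binds (err=49) per client and DN; the sample lines are constructed from the excerpt, with a failed local bind added.

```python
import re
from collections import Counter

# Constructed sample in the shape of the /var/log/syslog excerpt above; the
# conn=24408 lines (a failed local bind, err=49) are added to show that case.
SAMPLE_LOG = """\
May 28 11:13:46 ns slapd[1468]: <= bdb_equality_candidates: (cn) not indexed
May 28 11:13:46  slapd[1468]: last message repeated 2 times
May 28 11:13:46 ns slapd[1468]: conn=24406 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
May 28 11:14:04 ns slapd[1468]: conn=24407 fd=28 ACCEPT from IP=192.168.1.196:40471 (IP=0.0.0.0:389)
May 28 11:14:04 ns slapd[1468]: conn=24407 op=0 BIND dn="uid=owncloud,ou=Users,dc=wanasl,dc=lcl" method=128
May 28 11:14:04 ns slapd[1468]: conn=24407 op=0 BIND dn="uid=owncloud,ou=Users,dc=wanasl,dc=lcl" mech=SIMPLE ssf=0
May 28 11:14:04 ns slapd[1468]: conn=24407 op=0 RESULT tag=97 err=0 text=
May 28 11:14:05 ns slapd[1468]: conn=24408 fd=29 ACCEPT from IP=127.0.0.1:51020 (IP=0.0.0.0:389)
May 28 11:14:05 ns slapd[1468]: conn=24408 op=0 BIND dn="cn=admin,dc=wanasl,dc=lcl" mech=SIMPLE ssf=0
May 28 11:14:05 ns slapd[1468]: conn=24408 op=0 RESULT tag=97 err=49 text=
"""

RE_MSG = re.compile(r"slapd\[\d+\]: (.*)$")
RE_ACCEPT = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+")  # IPv4 only
RE_BIND = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" mech=(\w+) ssf=(\d+)')
RE_RESULT = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)")  # tag 97 = BindResponse
RE_UNINDEXED = re.compile(
    r"<= (?:bdb|mdb)_(equality|substring|presence|approx)_candidates: \((\w+)\) not indexed")
RE_REPEAT = re.compile(r"last message repeated (\d+) times")

LOCAL_IPS = {"127.0.0.1"}
INDEX_TYPE = {"equality": "eq", "substring": "sub", "presence": "pres", "approx": "approx"}


def triage(log_text):
    conn_ip = {}               # conn id -> client IP, taken from the ACCEPT line
    bind_of = {}               # (conn, op) -> (ip, dn), to attribute RESULT lines
    cleartext_binds = []       # (conn, ip, dn): SIMPLE bind, ssf=0, not from loopback
    failed_binds = Counter()   # (ip, dn) -> number of err=49 (invalid credentials)
    unindexed = Counter()      # (attr, match kind) -> occurrences
    last_unindexed = None      # key credited by syslog's "last message repeated N times"
    for line in log_text.splitlines():
        m = RE_MSG.search(line)
        if not m:
            continue
        msg = m.group(1)
        if rep := RE_REPEAT.search(msg):
            if last_unindexed:
                unindexed[last_unindexed] += int(rep.group(1))
            continue
        last_unindexed = None
        if a := RE_ACCEPT.search(msg):
            conn_ip[a.group(1)] = a.group(2)
        elif b := RE_BIND.search(msg):
            conn, op, dn, mech, ssf = b.groups()
            ip = conn_ip.get(conn, "?")
            bind_of[(conn, op)] = (ip, dn)
            if mech == "SIMPLE" and ssf == "0" and ip not in LOCAL_IPS:
                cleartext_binds.append((conn, ip, dn))
        elif r := RE_RESULT.search(msg):
            conn, op, err = r.groups()
            if err == "49":
                failed_binds[bind_of.get((conn, op), ("?", "?"))] += 1
        elif u := RE_UNINDEXED.search(msg):
            last_unindexed = (u.group(2), u.group(1))
            unindexed[last_unindexed] += 1
    # olcDbIndex lines that would silence the warnings seen (same form as samba_indices.ldif)
    suggested = sorted(f"olcDbIndex: {attr} {INDEX_TYPE[kind]}" for attr, kind in unindexed)
    return {"cleartext_binds": cleartext_binds, "failed_binds": dict(failed_binds),
            "unindexed": dict(unindexed), "suggested_indexes": suggested}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for conn, ip, dn in report["cleartext_binds"]:
        print(f"cleartext bind: conn={conn} from {ip} as {dn}")
    for (ip, dn), n in report["failed_binds"].items():
        print(f"failed binds: {n} from {ip} as {dn}")
    print("\n".join(report["suggested_indexes"]))
```

Run it against the real file with `triage(open("/var/log/syslog").read())`; the suggested olcDbIndex lines can be loaded with ldapmodify exactly like samba_indices.ldif above.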
    


  1. Installing and Configuring the SAMBA Server

  2. Add the Samba objects to the LDAP server.

    root@Acc-FileSrv:/etc/smbldap-tools# ifconfig
    eth0      Link encap:Ethernet  HWaddr 08:00:27:e9:58:63  
              inet addr:192.168.1.196  Bcast:192.168.1.255  Mask:255.255.255.0
              inet6 addr: fe80::a00:27ff:fee9:5863/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:47373 errors:0 dropped:0 overruns:0 frame:0
              TX packets:56030 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000 
              RX bytes:13208180 (13.2 MB)  TX bytes:6996203 (6.9 MB)
    .
    .
    .
    
    root@Acc-FileSrv:/home/it# apt-get install samba smbldap-tools
    root@Acc-FileSrv:/home/it# cp /usr/share/doc/smbldap-tools/examples/smbldap_bind.conf /etc/smbldap-tools/
    root@Acc-FileSrv:/home/it# cp /usr/share/doc/smbldap-tools/examples/smbldap.conf.gz /etc/smbldap-tools/
    root@Acc-FileSrv:/home/it# cd /etc/smbldap-tools/
    root@Acc-FileSrv:/etc/smbldap-tools# gzip -d smbldap.conf.gz
    root@Acc-FileSrv:/etc/smbldap-tools# ls -l
    total 12
    -rw-r--r-- 1 root root  490 May 12 13:16 smbldap_bind.conf
    -rw-r--r-- 1 root root 7817 May 12 13:17 smbldap.conf
    
    root@Acc-FileSrv:/etc/smbldap-tools# net getlocalsid
    SID for domain FILESERVER-ACCOUNTING is: S-1-5-21-3227434453-287209911-3271887019
    
    root@Acc-FileSrv:/etc/smbldap-tools# vim smbldap.conf 
    
    .
    .
    .
    
    # Put your own SID. To obtain this number do: "net getlocalsid".
    # If not defined, parameter is taking from "net getlocalsid" return
    #SID="S-1-5-21-2252255531-4061614174-2474224977"
    SID="S-1-5-21-3227434453-287209911-3271887019"
    .
    .  
    #sambaDomain="DOMSMB"
    sambaDomain="wanasl.lcl"
    
    ##############################################################################
    #
    # LDAP Configuration
    #
    ##############################################################################
    .
    .
    #slaveLDAP="ldap://ldap.example.com/"
    slaveLDAP="ldap://ns.wanasl.lcl/"
    .
    .
    .
    #masterLDAP="ldap://ldap.example.com/"
    masterLDAP="ldap://ns.wanasl.lcl/"
    .
    .
    .
    #ldapTLS="1"
    ldapTLS="0"
    .
    .
    .
    # Warning: if 'suffix' is not set here, you must set the full dn for usersdn
    usersdn="ou=Users,${suffix}"
    .
    .
    # Warning: if 'suffix' is not set here, you must set the full dn for computersdn
    computersdn="ou=Computers,${suffix}"
    .
    .
    # Warning: if 'suffix' is not set here, you must set the full dn for groupsdn
    groupsdn="ou=Groups,${suffix}"
    .
    .
    # Warning: if 'suffix' is not set here, you must set the full dn for idmapdn
    idmapdn="ou=Idmap,${suffix}"
    .
    .
    # Ex: mailDomain="idealx.com"
    #mailDomain="example.com"
    mailDomain="wanasl.lcl"
    
    ##############################################################################
    #
    # SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
    #
    ##############################################################################
    
    .
    .
    .
    

    root@Acc-FileSrv:/etc/smbldap-tools# vim smbldap_bind.conf 
    # $Id: smbldap_bind.conf 35 2011-02-23 09:07:36Z fumiyas $
    #
    ############################
    # Credential Configuration #
    ############################
    .
    .
    .
    slaveDN="cn=admin,dc=wanasl,dc=lcl"
    slavePw="PasswordAdminLDAPSlave"
    masterDN="cn=admin,dc=wanasl,dc=lcl"
    masterPw="PasswordAdminLDAPMaster"
    
    root@Acc-FileSrv:/etc/smbldap-tools# chmod 0644 smbldap.conf 
    root@Acc-FileSrv:/etc/smbldap-tools# chmod 0600 smbldap_bind.conf 
    //root@Acc-FileSrv:/etc/smbldap-tools# smbldap-populate -u 30000 -g 30000
    root@Acc-FileSrv:/etc/smbldap-tools# smbldap-populate
    Populating LDAP directory for domain wanasl.lcl (S-1-5-21-3227434453-287209911-3271887019)
    (using builtin directory structure)
    
    entry dc=wanasl,dc=lcl already exist. 
    adding new entry: ou=Users,dc=wanasl,dc=lcl
    adding new entry: ou=Groups,dc=wanasl,dc=lcl
    adding new entry: ou=Computers,dc=wanasl,dc=lcl
    adding new entry: ou=Idmap,dc=wanasl,dc=lcl
    adding new entry: sambaDomainName=wanasl.lcl,dc=wanasl,dc=lcl
    adding new entry: uid=root,ou=Users,dc=wanasl,dc=lcl
    adding new entry: uid=nobody,ou=Users,dc=wanasl,dc=lcl
    adding new entry: cn=Domain Admins,ou=Groups,dc=wanasl,dc=lcl
    adding new entry: cn=Domain Users,ou=Groups,dc=wanasl,dc=lcl
    adding new entry: cn=Domain Guests,ou=Groups,dc=wanasl,dc=lcl
    adding new entry: cn=Domain Computers,ou=Groups,dc=wanasl,dc=lcl
    adding new entry: cn=Administrators,ou=Groups,dc=wanasl,dc=lcl
    adding new entry: cn=Account Operators,ou=Groups,dc=wanasl,dc=lcl
    adding new entry: cn=Print Operators,ou=Groups,dc=wanasl,dc=lcl
    adding new entry: cn=Backup Operators,ou=Groups,dc=wanasl,dc=lcl
    adding new entry: cn=Replicators,ou=Groups,dc=wanasl,dc=lcl
    
    Please provide a password for the domain root: 
    Changing UNIX and samba passwords for root
    New password: <-- Enter the new password
    Retype new password: <-- Re-enter the new password
    

    root@Acc-FileSrv:/etc/smbldap-tools# apt-get install ldap-utils
    root@Acc-FileSrv:/etc/smbldap-tools# ldapsearch -x -LLL -H ldap://ns.wanasl.lcl -b dc=wanasl,dc=lcl
    dn: dc=wanasl,dc=lcl
    objectClass: top
    objectClass: dcObject
    objectClass: organization
    o: wanasl
    dc: wanasl
    
    dn: cn=admin,dc=wanasl,dc=lcl
    objectClass: simpleSecurityObject
    objectClass: organizationalRole
    cn: admin
    description: LDAP administrator
    
    dn: ou=Users,dc=wanasl,dc=lcl
    objectClass: organizationalUnit
    ou: Users
    
    dn: ou=Groups,dc=wanasl,dc=lcl
    objectClass: organizationalUnit
    ou: Groups
    
    dn: ou=Computers,dc=wanasl,dc=lcl
    objectClass: organizationalUnit
    ou: Computers
    
    dn: ou=Idmap,dc=wanasl,dc=lcl
    objectClass: organizationalUnit
    ou: Idmap
    
    dn: sambaDomainName=wanasl.lcl,dc=wanasl,dc=lcl
    objectClass: sambaDomain
    objectClass: sambaUnixIdPool
    sambaDomainName: wanasl.lcl
    sambaSID: S-1-5-21-3227434453-287209911-3271887019
    sambaNextRid: 1000
    uidNumber: 30000
    gidNumber: 30000
    
    dn: uid=root,ou=Users,dc=wanasl,dc=lcl
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    objectClass: sambaSamAccount
    objectClass: posixAccount
    objectClass: shadowAccount
    uid: root
    cn: root
    sn: root
    gidNumber: 0
    uidNumber: 0
    homeDirectory: /home/root
    sambaLogonTime: 0
    sambaLogoffTime: 2147483647
    sambaKickoffTime: 2147483647
    sambaPwdCanChange: 0
    sambaHomePath: \\PDC-SRV\root
    sambaHomeDrive: H:
    sambaProfilePath: \\PDC-SRV\profiles\root
    sambaPrimaryGroupSID: S-1-5-21-3227434453-287209911-3271887019-512
    sambaSID: S-1-5-21-3227434453-287209911-3271887019-500
    loginShell: /bin/false
    gecos: Netbios Domain Administrator
    sambaPwdMustChange: 1435301259
    sambaAcctFlags: [U]
    sambaPwdLastSet: 1431413259
    sambaLMPassword: 6089B6316B3577C4944E2DF489A880E4
    sambaNTPassword: 68365827D79C4F5CC9B52B688495FD51
    shadowMax: 45
    
    dn: uid=nobody,ou=Users,dc=wanasl,dc=lcl
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    objectClass: sambaSamAccount
    objectClass: posixAccount
    objectClass: shadowAccount
    cn: nobody
    sn: nobody
    gidNumber: 514
    uid: nobody
    uidNumber: 65534
    homeDirectory: /nonexistent
    sambaPwdLastSet: 0
    sambaLogonTime: 0
    sambaLogoffTime: 2147483647
    sambaKickoffTime: 2147483647
    sambaPwdCanChange: 0
    sambaPwdMustChange: 2147483647
    sambaHomePath: \\PDC-SRV\nobody
    sambaHomeDrive: H:
    sambaProfilePath: \\PDC-SRV\profiles\nobody
    sambaPrimaryGroupSID: S-1-5-21-3227434453-287209911-3271887019-514
    sambaLMPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
    sambaNTPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
    sambaAcctFlags: [NUD        ]
    sambaSID: S-1-5-21-3227434453-287209911-3271887019-501
    loginShell: /bin/false
    
    dn: cn=Domain Admins,ou=Groups,dc=wanasl,dc=lcl
    objectClass: top
    objectClass: posixGroup
    objectClass: sambaGroupMapping
    cn: Domain Admins
    gidNumber: 512
    memberUid: root
    description: Netbios Domain Administrators
    sambaSID: S-1-5-21-3227434453-287209911-3271887019-512
    sambaGroupType: 2
    displayName: Domain Admins
    
    dn: cn=Domain Users,ou=Groups,dc=wanasl,dc=lcl
    objectClass: top
    objectClass: posixGroup
    objectClass: sambaGroupMapping
    cn: Domain Users
    gidNumber: 513
    description: Netbios Domain Users
    sambaSID: S-1-5-21-3227434453-287209911-3271887019-513
    sambaGroupType: 2
    displayName: Domain Users
    
    dn: cn=Domain Guests,ou=Groups,dc=wanasl,dc=lcl
    objectClass: top
    objectClass: posixGroup
    objectClass: sambaGroupMapping
    cn: Domain Guests
    gidNumber: 514
    description: Netbios Domain Guests Users
    sambaSID: S-1-5-21-3227434453-287209911-3271887019-514
    sambaGroupType: 2
    displayName: Domain Guests
    
    dn: cn=Domain Computers,ou=Groups,dc=wanasl,dc=lcl
    objectClass: top
    objectClass: posixGroup
    objectClass: sambaGroupMapping
    cn: Domain Computers
    gidNumber: 515
    description: Netbios Domain Computers accounts
    sambaSID: S-1-5-21-3227434453-287209911-3271887019-515
    sambaGroupType: 2
    displayName: Domain Computers
    
    dn: cn=Administrators,ou=Groups,dc=wanasl,dc=lcl
    objectClass: top
    objectClass: posixGroup
    objectClass: sambaGroupMapping
    cn: Administrators
    gidNumber: 544
    description: Netbios Domain Members can fully administer the computer/sambaDom
     ainName
    sambaSID: S-1-5-32-544
    sambaGroupType: 4
    displayName: Administrators
    
    dn: cn=Account Operators,ou=Groups,dc=wanasl,dc=lcl
    objectClass: top
    objectClass: posixGroup
    objectClass: sambaGroupMapping
    cn: Account Operators
    gidNumber: 548
    description: Netbios Domain Users to manipulate users accounts
    sambaSID: S-1-5-32-548
    sambaGroupType: 4
    displayName: Account Operators
    
    dn: cn=Print Operators,ou=Groups,dc=wanasl,dc=lcl
    objectClass: top
    objectClass: posixGroup
    objectClass: sambaGroupMapping
    cn: Print Operators
    gidNumber: 550
    description: Netbios Domain Print Operators
    sambaSID: S-1-5-32-550
    sambaGroupType: 4
    displayName: Print Operators
    
    dn: cn=Backup Operators,ou=Groups,dc=wanasl,dc=lcl
    objectClass: top
    objectClass: posixGroup
    objectClass: sambaGroupMapping
    cn: Backup Operators
    gidNumber: 551
    description: Netbios Domain Members can bypass file security to back up files
    sambaSID: S-1-5-32-551
    sambaGroupType: 4
    displayName: Backup Operators
    
    dn: cn=Replicators,ou=Groups,dc=wanasl,dc=lcl
    objectClass: top
    objectClass: posixGroup
    objectClass: sambaGroupMapping
    cn: Replicators
    gidNumber: 552
    description: Netbios Domain Supports file replication in a sambaDomainName
    sambaSID: S-1-5-32-552
    sambaGroupType: 4
    displayName: Replicators
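
    Note what the anonymous `ldapsearch -x` above returns: sambaLMPassword and sambaNTPassword for uid=root, because the stock slapd ACL only protects userPassword and shadowLastChange, and the NT hash is password-equivalent for SMB. The following script (an added example, not part of the original post) parses a dump like that one, reports which entries expose hash attributes, and generates the olcAccess change that restricts them to the admin DN; the sample dump is constructed with placeholder hashes, and the ACL assumes Ubuntu's default slapd rule set.

```python
import base64
import re

# Attributes whose values are password material; the NT hash in particular is
# password-equivalent for SMB, so anonymous read access to it must be denied.
SECRET_ATTRS = {"userpassword", "sambantpassword", "sambalmpassword",
                "sambapasswordhistory"}

# Constructed sample in the shape of the anonymous `ldapsearch -x` dump above.
# Hashes are placeholders; the base64 gecos and the folded description line
# exercise both LDIF value encodings.
SAMPLE_DUMP = """\
dn: uid=root,ou=Users,dc=wanasl,dc=lcl
objectClass: sambaSamAccount
uid: root
gecos:: TmV0YmlvcyBEb21haW4gQWRtaW5pc3RyYXRvcg==
sambaLMPassword: 00000000000000000000000000000000
sambaNTPassword: 11111111111111111111111111111111

dn: uid=nobody,ou=Users,dc=wanasl,dc=lcl
objectClass: sambaSamAccount
uid: nobody
sambaLMPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
sambaNTPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX

dn: cn=Administrators,ou=Groups,dc=wanasl,dc=lcl
objectClass: sambaGroupMapping
description: Netbios Domain Members can fully administer the computer/sambaDom
 ainName
"""


def parse_ldif(text):
    """Yield (dn, [(attr, value), ...]) per entry. Joins continuation lines
    (leading space) and decodes 'attr:: <base64>' values."""
    unfolded = re.sub(r"\n ", "", text)
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        dn, attrs = None, []
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):  # base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            else:
                value = value.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs.append((name, value))
        if dn is not None:
            yield dn, attrs


def find_exposed_secrets(ldif_text):
    """Return [(dn, attr)] for every secret attribute readable in the dump.
    Disabled accounts hold the literal 'NO PASSWORD...' placeholder, which
    discloses nothing, so those values are skipped."""
    exposed = []
    for dn, attrs in parse_ldif(ldif_text):
        for name, value in attrs:
            if name.lower() in SECRET_ATTRS and not value.startswith("NO PASSWORD"):
                exposed.append((dn, name))
    return exposed


def remediation_ldif(admin_dn, database="olcDatabase={1}hdb,cn=config"):
    """ldapmodify input inserting an olcAccess rule at index {0}, ahead of the
    stock 'to * ... by * read' rule. Assumes Ubuntu's default slapd ACLs and
    that Samba binds as admin_dn (the 'ldap admin dn' in smb.conf); check the
    live rules first: ldapsearch -Q -Y EXTERNAL -H ldapi:/// -b cn=config olcAccess"""
    attrs = "sambaLMPassword,sambaNTPassword,sambaPasswordHistory"
    return (f"dn: {database}\n"
            "changetype: modify\n"
            "add: olcAccess\n"
            f'olcAccess: {{0}}to attrs={attrs} by dn="{admin_dn}" write by * none\n')


if __name__ == "__main__":
    for dn, attr in find_exposed_secrets(SAMPLE_DUMP):
        print(f"EXPOSED {attr} on {dn}")
    print(remediation_ldif("cn=admin,dc=wanasl,dc=lcl"))
```

Apply the generated LDIF with `ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f`, then repeat the anonymous ldapsearch: the hash attributes must no longer appear, while smbldap-tools and Samba keep working because they bind as cn=admin.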
    

    Next, configure smb.conf.

    root@Acc-FileSrv:/home/it# cat /etc/samba/smb.conf
    workgroup = WANASL
    security = user
    passdb backend = ldapsam:ldap://ns.wanasl.lcl/
    ldap ssl = off
    obey pam restrictions = no
    
    #==========================================================
    #LDAP SAM
    #=========================================================
    ldap admin dn = cn=admin,dc=wanasl,dc=lcl
    ldap suffix = dc=wanasl,dc=lcl
    ldap group suffix = ou=Groups
    ldap user suffix = ou=Users
    ldap machine suffix = ou=Computers
    ldap idmap suffix = ou=Users
    ldap passwd sync = Yes
    passwd program = /usr/sbin/smbldap-passwd %u
    passwd chat = *New*password* %n\n *Retype*new*password* %n\n *All*authentication*tokens*updated*
    add user script = /usr/sbin/smbldap-useradd -m "%u"
    ldap delete dn = Yes
    delete user script = /usr/sbin/smbldap-userdel "%u"
    add machine script = /usr/sbin/smbldap-useradd -W "%u"
    add group script = /usr/sbin/smbldap-groupadd -p "%g"
    delete group script = /usr/sbin/smbldap-groupdel "%g"
    add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
    delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
    set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
    domain logons = yes
    
    #==================================================================
    #Share Definitions
    #=================================================================
    [printers]
       comment = All Printers
       browseable = no
       path = /var/spool/samba
       printable = yes
       guest ok = no
       read only = yes
       create mask = 0700
    
    [print$]
       comment = Printer Drivers
       path = /var/lib/samba/printers
       browseable = yes
       read only = yes
       guest ok = no
    
    [Public]
    comment = Writeable Public File Sharing
    path = /home/public
    public = yes
    guest ok = yes
    browseable = yes
    writeable = yes
    #force user = public
    #force group = public
    force create mode = 0777
    force directory mode = 0777
    
    
    [Accounting]
    comment = Accounting Dept
    nt acl support = yes
    veto files = /*.mp3/*.mpeg/*.mpg/*.avi/*.asf/*.wmv/*.3gp/*.dat/*.iso/*.exe/
    delete veto files = yes
    path = /home/accounting
    valid users = aan ferry iin kanazawa nurhapsah shelly susi yuliana zefnemy
    browseable = yes
    writeable = yes
    inherit permissions = yes
    force create mode = 0775
    force directory mode = 0775
    force group = accounting
    .
    .
    .
    
    [IT]
    comment = IT Dept
    nt acl support = yes
    veto files = /*.mp3/*.mpeg/*.mpg/*.avi/*.asf/*.wmv/*.3gp/*.dat/*.iso/*.exe/
    delete veto files = yes
    path = /home/it
    valid users = it havizul test1 test2 test3
    browseable = yes
    writeable = yes
    inherit permissions = yes
    force create mode = 0770
    force directory mode = 0770
    force group = it
    

    root@Acc-FileSrv:/home/it# vim /etc/security/limits.conf
    .
    .
    .
    #ftp             hard    nproc           0
    #ftp             -       chroot          /ftp
    #@student        -       maxlogins       4
    
    *   -  nofile   16384
    
    # End of file
    

    Restart the Samba server.

    root@Acc-FileSrv:/home/it# /etc/init.d/smbd restart
    root@Acc-FileSrv:/home/it# /etc/init.d/nmbd restart
    

    Next we can add an LDAP user that is at the same time a Samba user, as follows:

    1. Create the Linux user account
    2. Create the LDAP user
    3. Create the Samba user

    Example:

    root@Acc-FileSrv:/home/it# groupadd tes -g 9000
    root@Acc-FileSrv:/home/it# useradd tes1 -m -d /home/tes -u 9001 -g 9000
    root@Acc-FileSrv:/home/it# id tes1
    uid=9001(tes1) gid=9000(tes) groups=9000(tes)
    
    root@Acc-FileSrv:/home/it# smbldap-useradd tes1
    root@Acc-FileSrv:/home/it# smbldap-passwd tes1
    Changing UNIX password for tes1
    New password: 
    Retype new password: 
    
    root@Acc-FileSrv:/home/it# smbldap-usershow tes1
    dn: uid=tes1,ou=Users,dc=wanasl,dc=lcl
    objectClass: top,person,organizationalPerson,posixAccount,shadowAccount,inetOrgPerson
    cn: tes1
    sn: tes1
    uid: tes1
    uidNumber: 1006
    gidNumber: 513
    homeDirectory: /home/tes1
    loginShell: /bin/bash
    gecos: System User
    givenName: tes1
    userPassword: {SSHA}T0eG+lKI+xy1E8/KoPe6A1kqTAJWOEhj
    shadowLastChange: 16568
    shadowMax: 45
    
    root@Acc-FileSrv:/home/it# smbpasswd -a tes1
    New SMB password:
    Retype new SMB password:
    Added user tes1.
    
    root@Acc-FileSrv:/home/it# smbldap-usershow tes1
    dn: uid=tes1,ou=Users,dc=wanasl,dc=lcl
    objectClass: top,person,organizationalPerson,posixAccount,shadowAccount,inetOrgPerson,sambaSamAccount
    cn: tes1
    sn: tes1
    uid: tes1
    uidNumber: 1006
    gidNumber: 513
    homeDirectory: /home/tes1
    loginShell: /bin/bash
    gecos: System User
    givenName: tes1
    shadowLastChange: 16568
    shadowMax: 45
    sambaSID: S-1-5-21-2157327914-3727785897-1517593730-1006
    userPassword: {SSHA}c2nEVkhVFEU/iY6PReJ5R/yJ1Z71RkXO
    sambaNTPassword: 68365827D79C4F5CC9B52B688495FD51
    sambaPasswordHistory: 0000000000000000000000000000000000000000000000000000000000000000
    sambaPwdLastSet: 1431499516
    sambaAcctFlags: [U          ]
    
All right, that's all for this tutorial. See you in the next one.
