Good day, everyone!!!
Here is the setup I decided to put together: FreeBSD 5.4 + PDC + LDAP!!!
To do this, I added an NT 4.0 BDC to the existing Win2k ADC domain, then promoted it to PDC and disconnected it from the W2k domain!!!! Installed: openldap-server-2.2.29, openldap-client-2.2.29, samba-3.0.20b, smbldap-tools-0.9.1_1, nss_ldap-1.239, pam_ldap-1.8.0!!!
Following the official documentation, "Chapter 9. Migrating NT4 Domain to Samba-3" http://us4.samba.org/samba/docs/man/Samba-Guide/Chapter 9_ Migrating NT4 Domain to Samba-3.htm , I started the migration!!! The first thing I did was configure slapd.conf:
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/samba3.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
access to dn.base=""
by self write
by * auth
access to attr=userPassword
by self write
by * auth
access to attr=shadowLastChange
by self write
by * read
access to *
by * read
by anonymous auth
#######################################################################
# BDB database definitions
#######################################################################
loglevel 256
database ldbm
suffix "dc=interbank,dc=ru"
rootdn "cn=Manager,dc=interbank,dc=ru"
# Cleartext passwords, especially for the rootdn, should
# be avoid. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw {SSHA}n+fNnY/skrCQHjuArkP32xWDYrWQJUUM
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/db/openldap-data
# Indices to maintain
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUID eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
Restarted the server, no errors in the logs!!!
Second, the smb.conf configuration:
[global]
workgroup = INTERBANK
netbios name = PROX
passdb backend = ldapsam:ldap://localhost
log level = 1
syslog = 0
log file = /var/log/samba/%m
max log size = 0
smb ports = 139 445
name resolve order = wins bcast hosts
add user script = /usr/local/sbin/smbldap-useradd -m '%u'
#delete user script = /opt/IDEALX/sbin/smbldap-userdel '%u'
add group script = /usr/local/sbin/smbldap-groupadd '%g'
#delete group script = /opt/IDEALX/sbin/smbldap-groupdel '%g'
add user to group script =/usr/local/sbin/smbldap-groupmod -m '%u' '%g'
#delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x '%u' '%g'
set primary group script = /usr/local/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/local/sbin/smbldap-useradd -w '%u'
logon script = scripts\logon.cmd
logon path = \\%L\profiles\%U
logon home = \\%L\%U
logon drive = X:
domain logons = Yes
domain master = No
#wins support = Yes
wins server = 192.7.7.2
ldap admin dn = cn=Manager,dc=interbank,dc=ru
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=People
ldap passwd sync = Yes
ldap suffix = dc=interbank,dc=ru
ldap ssl = no
ldap timeout = 20
ldap user suffix = ou=People
idmap backend = ldap:ldap://localhost
idmap uid = 15000-20000
idmap gid = 15000-20000
winbind nested groups = Yes
ea support = Yes
map acl inherit = Yes
[apps]
comment = Application Data
path = /data/home/apps
read only = No
[homes]
comment = Home Directories
path = /home/users/%U/Documents
valid users = %S
read only = No
browseable = No
[printers]
comment = SMB Print Spool
path = /var/spool/samba
guest ok = Yes
printable = Yes
use client driver = No
browseable = No
[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
guest ok = Yes
locking = No
[profiles]
comment = Profile Share
path = /var/lib/samba/profiles
read only = No
profile acls = Yes
[profdata]
comment = Profile Data Share
path = /var/lib/samba/profdata
read only = No
profile acls = Yes
[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
testparm reported no errors!!!
Third, obtaining the SID and setting up LDAP with smbldap-tools:
net rpc getsid -S proxy2 -U administrator%******
Storing SID S-1-5-21-1292428093-1563985344-1957994488 for Domain INTERBANK in secrets.tdb
# net rpc info -S proxy2
Domain Name: INTERBANK
Domain SID: S-1-5-21-1292428093-1563985344-1957994488
Sequence number: 1041
Num users: 78
Num domain groups: 19
Num local groups: 17
net setlocalsid S-1-5-21-1292428093-1563985344-1957994488
/usr/local/sbin/configure.pl (setting up the LDAP tree with smbldap-tools)
Everything according to the official Samba documentation!!!
smbpasswd -w ******
1. smbldap-populate -a root -k 0 -m 0
creates the organizational units, all as it should!!!
pdbedit -Lw
root:0:555D146BD7D9706BAAD3B435B51404EE:C66B5E86F632994F72B202CA4EC9AF9C:[U ]:LCT-439EB579:
nobody:65534:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:[NDU ]:LCT-00000000:
net groupmap list
Domain Admins (S-1-5-21-1292428093-1563985344-1957994488-512) -> 512
Domain Users (S-1-5-21-1292428093-1563985344-1957994488-513) -> 513
Domain Guests (S-1-5-21-1292428093-1563985344-1957994488-514) -> 514
Domain Computers (S-1-5-21-1292428093-1563985344-1957994488-515) -> 515
Administrators (S-1-5-32-544) -> 544
Account Operators (S-1-5-32-548) -> 548
Print Operators (S-1-5-32-550) -> 550
Backup Operators (S-1-5-32-551) -> 551
Replicators (S-1-5-32-552) -> 552
In short, everything is in order!!!
Next, configuring nss_ldap.conf -> ldap.conf, nsswitch.conf
ldap.conf:
host 127.0.0.1
base dc=interbank,dc=ru
ldap_version 3
binddn cn=Manager,dc=interbank,dc=ru
bindpw not24get
pam_password exop
nss_base_passwd ou=People,dc=interbank,dc=ru?one
nss_base_shadow ou=People, dc=interbank,dc=ru?one
nss_base_group ou=Groups, dc=interbank,dc=ru?one
ssl off
for nsswitch.conf:
passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files dns wins
networks: files dns
services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files
publickey: files
bootparams: files
automount: files nis
aliases: files
#passwd_compat: ldap #Not needed.
#group_compat: ldap #Not needed.
net rpc vampire -S proxy2 -U administrator%*** > /var/log/vampire.log
/var/log/vampire.log:
usr/local/sbin/smbldap-useradd: illegal username
/usr/local/sbin/smbldap-useradd: illegal username
Fetching DOMAIN database
Creating unix group: 'Creating unix group: 'Creating unix group: 'Creating unix group: 'Creating unix group: 'Creating unix group: 'Creating unix group: 'Cre
Creating unix group: 'Domain Oper'
Creating unix group: 'internet'
Creating unix group: 'ixbt'
Creating unix group: 'Obizi'
Creating unix group: 'full'
Creating unix group: 'buh-nalog'
Creating unix group: 'Domain Kredit'
Creating unix group: 'Domain Econom'
Creating unix group: 'Domain Klient'
Creating account: Semenov
Could not create posix account info for 'Semenov'
Creating account: Could not create posix account info for 'Creating account: krbtgt
Could not create posix account info for 'krbtgt'
Creating account: TsInternetUser
Could not create posix account info for 'TsInternetUser'
Creating account: TarasovVY
Could not create posix account info for 'TarasovVY'
Creating account: Bronislav
Could not create posix account info for 'Bronislav'
Creating account: Nick
Could not create posix account info for 'Nick'
Creating account: DayanovDR
Could not create posix account info for 'DayanovDR'
Creating account: Plastik
Could not create posix account info for 'Plastik'
Creating account: Volodya
Could not create posix account info for 'Volodya'
Creating account: Olga
Could not create posix account info for 'Olga'
Creating account: DanilovDV
Could not create posix account info for 'DanilovDV'
Creating account: Buh
Could not create posix account info for 'Buh'
Creating account: Cb
Could not create posix account info for 'Cb'
Creating account: KarpechenkovAV
Could not create posix account info for 'KarpechenkovAV'
Creating account: Secure
Could not create posix account info for 'Secure'
Creating account: RiabovVV
Could not create posix account info for 'RiabovVV'
Creating account: Kliring
Could not create posix account info for 'Kliring'
Creating account: VIP
Could not create posix account info for 'VIP'
Creating account: Urist
Could not create posix account info for 'Urist'
Creating account: curr
Could not create posix account info for 'curr'
Creating account: Org_otdel
Could not create posix account info for 'Org_otdel'
Creating account: KorzanEA
Could not create posix account info for 'KorzanEA'
Creating account: Could not create posix account info for 'Creating account: helga
Could not create posix account info for 'helga'
Creating account: MisyurinPA
Could not create posix account info for 'MisyurinPA'
Creating account: MalyshYP
Could not create posix account info for 'MalyshYP'
Creating account: OsokinAY
Could not create posix account info for 'OsokinAY'
Creating account: ValovVV
Could not create posix account info for 'ValovVV'
Creating account: Tanya
Could not create posix account info for 'Tanya'
Creating account: PROXI$
Could not create posix account info for 'PROXI$'
Creating account: INTERNETBANK$
Could not create posix account info for 'INTERNETBANK$'
Creating account: oper
Could not create posix account info for 'oper'
Creating account: media$
Could not create posix account info for 'media$'
Creating account: DIMA$
Could not create posix account info for 'DIMA$'
Creating account: ATOMIC$
Could not create posix account info for 'ATOMIC$'
Creating account: EVADE$
Could not create posix account info for 'EVADE$'
Creating account: alsi
Could not create posix account info for 'alsi'
Creating account: StasiakSV
Could not create posix account info for 'StasiakSV'
Creating account: TEST$
Could not create posix account info for 'TEST$'
Creating account: outpost$
Could not create posix account info for 'outpost$'
Creating account: buh_nalog
Could not create posix account info for 'buh_nalog'
Creating account: IUSR_PROXI
Could not create posix account info for 'IUSR_PROXI'
Creating account: INFORMATIC$
Could not create posix account info for 'INFORMATIC$'
Creating account: VANIA$
Could not create posix account info for 'VANIA$'
Creating account: ADMIN3$
Could not create posix account info for 'ADMIN3$'
Creating account: BUH_NALOG$
Could not create posix account info for 'BUH_NALOG$'
Creating account: ADMIN$
Could not create posix account info for 'ADMIN$'
Creating account: KOMP$
Creating unix group: 'Bankoffice'
Creating unix group: 'DnsAdmins'
Creating unix group: 'Domain Adm'
Creating unix group: 'Domain ASU'
Creating unix group: 'Domain Buhg'
Creating unix group: 'Domain Cb'
Creating unix group: 'Domain Klir'
Creating unix group: 'Domain Mail'
Creating unix group: 'Domain Plastic'
Creating unix group: 'Domain Sec'
Creating unix group: 'Domain Valuta'
Creating unix group: 'Domain WWW'
Creating unix group: 'Domain Yur'
Creating unix group: 'Creating unix group: 'Creating unix group: 'Creating unix group: 'Fetching BUILTIN database
skipping SAM_DOMAIN_INFO delta for 'Builtin' (is not my domain)
Creating unix group: 'Creating unix group: 'Creating unix group: 'Creating unix group: 'Creating unix group: 'Creating unix group: 'Creating unix group: 'Cre
After all this:
net groupmap list
Domain Admins (S-1-5-21-1292428093-1563985344-1957994488-512) -> 512
Domain Users (S-1-5-21-1292428093-1563985344-1957994488-513) -> 513
Domain Guests (S-1-5-21-1292428093-1563985344-1957994488-514) -> 514
Domain Computers (S-1-5-21-1292428093-1563985344-1957994488-515) -> 515
Administrators (S-1-5-32-544) -> 544
Account Operators (S-1-5-32-548) -> 548
Print Operators (S-1-5-32-550) -> 550
Backup Operators (S-1-5-32-551) -> 551
Replicators (S-1-5-32-552) -> 552
pdbedit -Lw
root:0:555D146BD7D9706BAAD3B435B51404EE:C66B5E86F632994F72B202CA4EC9AF9C:[U ]:LCT-439EB579:
nobody:65534:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:[NDU ]:LCT-00000000
I can't figure out what's going on!!!! I've been struggling with this for 3 days already!!!!
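Added example, not part of the original post: a small Python triage of a vampire log in the shape of the one above. It separates machine accounts (trailing `$`, created through `add machine script`) from user accounts (created through `add user script`) and checks whether every failed user name also fails a conservative portable-username rule; that rule is an assumption for illustration and is not smbldap-tools' own "illegal username" check, and the sample log lines are constructed from the post's output.

```python
import re

# Constructed sample in the shape of the vampire log above (not the full log).
SAMPLE_LOG = """\
/usr/local/sbin/smbldap-useradd: illegal username
Creating account: Semenov
Could not create posix account info for 'Semenov'
Creating account: Could not create posix account info for 'Creating account: krbtgt
Could not create posix account info for 'krbtgt'
Creating account: Org_otdel
Could not create posix account info for 'Org_otdel'
Creating account: PROXI$
Could not create posix account info for 'PROXI$'
Creating account: oper
Could not create posix account info for 'oper'
Creating account: KOMP$
"""

# Anchored at end of line, so the glued lines in the log still yield one name each.
CREATED = re.compile(r"Creating account: ([^' ]+)$")
FAILED = re.compile(r"Could not create posix account info for '([^']+)'$")
# Assumption: a conservative portable-username rule plus the trailing '$' that
# Samba uses for machine accounts. It is not smbldap-tools' own check.
SAFE_NAME = re.compile(r"^[a-z_][a-z0-9_-]*\$?$")

def triage(log_text):
    """Split the accounts vampire attempted into machine/user and failed/ok groups."""
    attempted, failed = [], set()
    for line in log_text.splitlines():
        if m := CREATED.search(line):
            attempted.append(m.group(1))
        elif m := FAILED.search(line):
            failed.add(m.group(1))
    report = {"ok": [], "machine_failed": [], "user_failed": [],
              "user_failed_unsafe_name": []}
    for name in attempted:
        if name not in failed:
            report["ok"].append(name)
        elif name.endswith("$"):          # went through 'add machine script'
            report["machine_failed"].append(name)
        else:                             # went through 'add user script'
            report["user_failed"].append(name)
            if not SAFE_NAME.match(name):
                report["user_failed_unsafe_name"].append(name)
    return report

def name_rule_explains_all(report):
    """True only if every failed user account also has a non-portable name."""
    return set(report["user_failed"]) == set(report["user_failed_unsafe_name"])
```

On the sample, plain lowercase names such as 'oper' fail as well, so the username check alone does not account for the failures; the next thing to verify is the lookup Samba performs after the add script runs (getent passwd through nss_ldap against the configured ldap user suffix).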