Samba+OpenLDAPによるドメインログオン環境


CentOS 5.4 をクリーンインストールした直後の環境に対して、コマンド一発で OpenLDAP+Samba ドメインコントローラを実装してみるテスト。

関連情報

確認環境

コンセプト

実行方法

#!/bin/bash
#----------------------------------------------------------------------
# CentOS 5.4 をクリーンインストールした直後の環境に対して、
# コマンド一発で OpenLDAP+Samba ドメインコントローラを構築する
#----------------------------------------------------------------------
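# Adjust the parameters below to suit your environment before running.
#----------- start of parameters -------------------------
LDAP_TOP_DN='com'
LDAP_SECOND_DN='example'
# All credentials are stored here in plaintext: keep this file readable by
# root only and replace every default before using it on a real host.
LDAP_CONFIG_PASSWORD=secret
LDAP_ADMIN_PASSWORD=rootpwd
ADMINISTRATOR_USER=Administrator
ADMINISTRATOR_PASSWORD=adminpw
UNPRIVILEGED_USER=ldap01
UNPRIVILEGED_PASSWORD=ldap01
WORKGROUP_NAME=MYDOMAIN
# Short host name; used below to build the \\host\user home directory path.
# ($(...) instead of backticks; the variable name is kept for compatibility.)
MYCOMUTER_NAME=$(hostname -s)
#----------- end of parameters ---------------------------
# Derived distinguished names. LDAP_ADMIN_DN becomes the rootdn of the data
# database and the "ldap admin dn" that Samba binds with.
LDAP_BASE_DN="dc=$LDAP_SECOND_DN,dc=$LDAP_TOP_DN"
LDAP_CONFIG_DN='cn=config'
LDAP_ADMIN_DN="cn=admin,$LDAP_BASE_DN"
# Version of the samba-doc package; samba.schema is copied from its doc tree.
SAMBA_VERSION=3.4.5
# "yes" keeps the distribution Samba instead of installing from the newbie repo.
KEEP_ORIGINAL_SAMBA=no
# "yes" skips the yum update and all package installation.
SKIP_INSTALL=no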
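#######################################
# Print the command line (prefixed with "# ") and then execute it.
# Arguments: the command and its arguments, passed through unchanged
# Outputs:   the echoed command line on stdout, followed by the command's output
# Returns:   the exit status of the executed command
# NOTE: every argument is echoed verbatim, so credentials passed on the
# command line (e.g. -U user%password) also end up in the console log.
#######################################
run() {
    # printf rather than echo: a first argument such as -n or -e must not be
    # swallowed as an echo option.
    printf '# %s\n' "$*"
    "$@"
}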
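echo -----------------------------------------------
echo LDAP 関連の依存を無効にし、サービス環境をクリア
echo -----------------------------------------------
# Stop daemons from any earlier run; "not running"/"not installed" errors are
# deliberately ignored.
service winbind stop    >& /dev/null
service smb stop        >& /dev/null
service ldap stop       >& /dev/null
run authconfig  --disableldap --disableldapauth \
            --disablewinbind --disablewinbindauth \
            --disablesmbauth \
            --update
# NOTE: this turns off the host firewall and puts SELinux into permissive
# mode, and nothing later in the script turns either back on. Re-enable them
# (with rules/policy for slapd, smbd, nmbd and winbindd) once the domain
# controller is verified.
service iptables stop
setenforce permissive
# Remove Samba log files left over from an earlier run.
find /var/log/samba/ -type f -exec rm -f -- {} +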
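echo ------------------------------------------
# Quoted: an unquoted '&' would be parsed as a background operator.
echo 'OS のアップデート&必要なパッケージの登録'
echo ------------------------------------------
if [ "$SKIP_INSTALL" = "no" ]
then
  if ! yum -y update
  then
     # The original line was missing 'echo' and tried to run the message
     # text as a command.
     echo 'yum update 失敗。ネットワーク環境を確認してください。' >&2
     exit 1
  fi
  # slapd and the LDAP client tools are required by everything that follows.
  yum install -y openldap-servers openldap-clients openldap-devel openldap \
               nkf yum-priorities || exit 1
  if [ "$KEEP_ORIGINAL_SAMBA" = "no" ]
  then
    # Samba from the third-party "newbie" repository.
    # NOTE: the .repo file and the RPM signing key are both fetched over
    # plain HTTP from the same host, so the GPG check only guards against a
    # corrupted download, not against a substituted key; verify the key
    # fingerprint out of band if this matters for your environment.
    (
        set -e
        wget http://repos.net-newbie.com/newbie-pub.repo
        mv newbie-pub.repo /etc/yum.repos.d/
        rpm --import http://repos.net-newbie.com/RPM-GPG-KEY-newbie
        yum --enablerepo=newbie -y install samba samba-client
    ) || exit 1
  fi
fi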
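echo -----------------------------------------------
echo 'LDAP 設定ファイルの投入(for Provider)'
echo -----------------------------------------------
# samba.schema comes from the samba-doc package. Without it slapd cannot
# parse the configuration generated below, so stop here if it is missing.
cp "/usr/share/doc/samba-doc-$SAMBA_VERSION/LDAP/samba.schema" /etc/openldap/schema \
    || { echo "samba.schema not found under samba-doc-$SAMBA_VERSION" >&2; exit 1; }
# Hash both root passwords with slappasswd so only hashes, never plaintext,
# are written into slapd.conf. The plaintext goes over a pipe (not argv) so
# it does not show up in the process list.
ROOTPW_CONFIG=$(printf '%s' "$LDAP_CONFIG_PASSWORD" | slappasswd -T /dev/stdin)
ROOTPWD_BDB=$(printf '%s' "$LDAP_ADMIN_PASSWORD" | slappasswd -T /dev/stdin)
# Unquoted here-doc delimiter on purpose: the $ROOTPW_*, $LDAP_BASE_DN and
# $LDAP_ADMIN_DN references must be expanded into the generated file.
# Access control in the generated file: Samba and userPassword hashes are
# hidden from everyone (userPassword is usable for binding only); everything
# else is world-readable, including by anonymous binds, which the anonymous
# ldapsearch in the verification step at the end relies on.
cat > /etc/openldap/slapd.conf <<_EOF_
# 全体設定
include     /etc/openldap/schema/core.schema
include     /etc/openldap/schema/cosine.schema
include     /etc/openldap/schema/inetorgperson.schema
include     /etc/openldap/schema/nis.schema
include     /etc/openldap/schema/misc.schema
include     /etc/openldap/schema/redhat/autofs.schema
include     /etc/openldap/schema/samba.schema
pidfile     /var/run/openldap/slapd.pid
# 設定ディレクティブ用データベース定義
database    config
rootdn      cn=config
rootpw      $ROOTPW_CONFIG
index       entryCSN,entryUUID  eq
# データ格納用データベース定義
database    bdb
directory   /var/lib/ldap
suffix      "$LDAP_BASE_DN"
rootdn      "$LDAP_ADMIN_DN"
rootpw      $ROOTPWD_BDB
index       objectClass,uid,uidNumber,gidNumber,memberUid   eq,pres
index       cn,mail,surname,givenname                       eq,pres,sub
index       sambaSID,displayName,sambaDomainName            eq,pres
index       entryUUID,entryCSN,sambaGroupType,sambaSIDList  eq,pres
index       nisMapName,nisMapEntry                          eq,pres,sub
# チューニング項目
sizelimit 10000
cachesize 20000
dbcachesize 20000000
# アクセス制御
access to attrs=sambaNTPassword,sambaLMPassword,sambaPasswordHistory
        by * none
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to *
        by self write
        by * read
# レプリケーション関連
overlay     syncprov
syncprov-sessionlog 100
_EOF_
# The file contains the root password hashes: root and the ldap service
# account only.
chown root:ldap /etc/openldap/slapd.conf
chmod 640 /etc/openldap/slapd.conf
# slapd logs through the local4 syslog facility by default; route it to its
# own file, adding the rule only if it is not already present.
if ! grep -q local4 /etc/syslog.conf
then
    echo 'local4.*   -/var/log/ldap.log' >> /etc/syslog.conf
    service syslog restart
fi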
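echo -----------------------------------------------
echo LDAP 初期データの投入
echo -----------------------------------------------
# Destructive: any existing directory database under /var/lib/ldap is
# discarded before the new one is loaded.
rm -f /var/lib/ldap/*
install -o ldap -g ldap /etc/openldap/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
# Load the base entry plus the OUs that smb.conf refers to (users, groups,
# idmap, computers) directly into the database while slapd is stopped.
# Abort if slapadd rejects the LDIF; otherwise slapd would start empty and
# every later step would fail with a less obvious error.
echo "
dn: $LDAP_BASE_DN
objectClass: dcObject
objectClass: organization
o: $LDAP_SECOND_DN
dc: $LDAP_SECOND_DN

dn: ou=users,$LDAP_BASE_DN
objectClass: top
objectClass: organizationalUnit
ou: users

dn: ou=groups,$LDAP_BASE_DN
objectClass: top
objectClass: organizationalUnit
ou: groups

dn: ou=idmap,$LDAP_BASE_DN
objectClass: top
objectClass: organizationalUnit
ou: idmap

dn: ou=computers,$LDAP_BASE_DN
objectClass: top
objectClass: organizationalUnit
ou: computers
" | slapadd || exit 1
# slapadd ran as root, so hand the database files back to the service account.
chown -R ldap:ldap /var/lib/ldap
service ldap start || exit 1
# Overwrites the client-side ldap.conf so the LDAP tools default to our base DN.
echo "BASE    $LDAP_BASE_DN"   > /etc/openldap/ldap.conf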
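echo -----------------------------------------------
echo LDAP 管理者パスワードの保存
echo -----------------------------------------------
# Start from a fresh secrets.tdb.
rm -f /etc/samba/secrets.tdb
# smbpasswd -W -s reads the LDAP admin password (entered twice) from stdin,
# so the secret never appears on a command line.
printf '%s\n%s\n' "$LDAP_ADMIN_PASSWORD" "$LDAP_ADMIN_PASSWORD" | run smbpasswd -W -s
# NOTE: 'net idmap secret alloc' only takes the password as an argument, so it
# is briefly visible to other local users in the process list while it runs.
net idmap secret alloc "$LDAP_ADMIN_PASSWORD"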
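echo -----------------------------------------------
echo Samba ドメイン環境の生成
echo -----------------------------------------------
# Generated smb.conf. Note that Samba binds to slapd on localhost without TLS
# ("ldap ssl = no"); that is only acceptable while slapd and Samba share the
# same host. The here-doc delimiter is unquoted so the $WORKGROUP_NAME,
# $LDAP_BASE_DN and $LDAP_ADMIN_DN references are expanded.
cat > /etc/samba/smb.conf <<_EOF_
# ==== General Settings =====
dos charset = CP932
unix charset = UTF-8
display charset = UTF-8
security = user
workgroup = $WORKGROUP_NAME
server string = %L-samba-%v
log level = 0
syslog = 0
log file = /var/log/samba/%m.log
max log size = 50
load printers = No
printing = bsd
domain logons = yes
logon path =
dns proxy = No
template homedir = /home/%U
obey pam restrictions = yes
# ==== ldap backend specific ====
passdb backend = ldapsam
ldap passwd sync = yes
ldapsam:trusted=yes
ldapsam:editposix=yes
ldap suffix = $LDAP_BASE_DN
ldap admin dn = $LDAP_ADMIN_DN
ldap delete dn = yes
ldap group suffix = ou=groups
ldap machine suffix = ou=computers
ldap user suffix = ou=users
ldap replication sleep = 5000
ldap ssl = no
# こちらは参照のみなので Consumer でよい
idmap backend = ldap:ldap://localhost/
idmap uid = 50000-500000
idmap gid = 50000-500000
# 書き込み先は、Consumer であっても Provider を指すようにする
idmap alloc backend = ldap
idmap alloc config : ldap_url = ldap://localhost
idmap alloc config : ldap_base_dn = ou=idmap,$LDAP_BASE_DN
idmap alloc config : ldap_user_dn = $LDAP_ADMIN_DN
# ==== performance tuning ====
case sensitive = yes
preserve case = no
short preserve case = no
#==== PDC Specific ====
os level = 65
preferred master = Yes
domain master = Yes
wins support = Yes
_EOF_
# A stale pid file would make the init script refuse to start winbind.
rm -f /var/cache/samba/winbind.pid
run service winbind start
run net getlocalsid
if ! service winbind status
then
    echo winbind failed. >&2
    exit 2
fi
# Creates the built-in domain groups and the Administrator/Guest accounts in LDAP.
run net sam provision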
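echo ------------------------------------------------------
# Quoted: an unquoted '&' would be parsed as a background operator.
echo 'LDAP 認証&winbind を有効にする'
echo ------------------------------------------------------
run authconfig --enableldap --enableldapauth \
           --ldapbasedn "$LDAP_BASE_DN" \
           --enablewinbind \
           --enablesmbauth \
           --update
# Create home directories on first login. Append the rule only once so that
# re-running the script does not stack duplicate pam_mkhomedir lines.
if ! grep -q pam_mkhomedir.so /etc/pam.d/system-auth
then
    echo 'session   optional    pam_mkhomedir.so skel=/etc/skel umask=0022' \
        >>  /etc/pam.d/system-auth
fi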
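echo ------------------------------------------------------
echo "$ADMINISTRATOR_USER の SMB パスワード設定&権限設定"
echo ------------------------------------------------------
# The password is supplied twice on stdin (-s). printf is used instead of
# 'echo -e' so backslashes inside the password are not reinterpreted.
printf '%s\n%s\n' "$ADMINISTRATOR_PASSWORD" "$ADMINISTRATOR_PASSWORD" \
    | smbpasswd -s "$ADMINISTRATOR_USER"
# Domain privileges granted to the Administrator account (machine join,
# ownership, backup/restore, remote shutdown, printer/user/disk operator).
for priv in SeMachineAccountPrivilege SeTakeOwnershipPrivilege SeBackupPrivilege \
            SeRestorePrivilege SeRemoteShutdownPrivilege SePrintOperatorPrivilege \
            SeAddUsersPrivilege SeDiskOperatorPrivilege
do
    net sam rights grant "$ADMINISTRATOR_USER" "$priv"
done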
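echo ------------------------------------------
echo Samba サービス起動
echo ------------------------------------------
service smb start
echo "ドメイン $WORKGROUP_NAME が利用可能になるまで待ちます"
# Command kept as an array so the arguments survive unchanged.
# NOTE: the password is part of the command line, so it is printed in the
# console log below and is visible in 'ps' output while 'net' is running.
CMD=(net rpc info -U "$ADMINISTRATOR_USER%$ADMINISTRATOR_PASSWORD")
echo "# ${CMD[*]}"
# Poll up to 10 times, one second apart, until the domain answers an RPC query.
OK=1
for ((i = 1; i <= 10; i++))
do
    if "${CMD[@]}" 2> /dev/null
    then
        echo "ドメイン $WORKGROUP_NAME が利用可能になりました"
        OK=0
        break
    fi
    echo "$i 回目"
    sleep 1
done
# The original '[ ! $OK ]' could never be true: "1" is a non-empty string, so
# a domain that never came up was silently ignored. Compare numerically.
if [ "$OK" -ne 0 ]
then
    echo "ドメイン $WORKGROUP_NAME が利用可能になりませんでした" >&2
    exit 3
fi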
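echo ------------------------------------------------------------------
echo 動作確認用の一般ユーザー作成
# UNC home path in the form \\host\user; built once and reused for pdbedit.
home_path="\\\\$MYCOMUTER_NAME\\$UNPRIVILEGED_USER"
echo "ユーザID:$UNPRIVILEGED_USER パスワード:$UNPRIVILEGED_PASSWORD ユーザ名:LDAP User 01"
echo "ホームディレクトリ:$home_path マウントドライブ:H:"
echo パスワード期限:無期限
echo ------------------------------------------------------------------
# -t reads the password twice from stdin (it was given twice in the original
# command line; once is enough). printf avoids 'echo -e' backslash handling.
printf '%s\n%s\n' "$UNPRIVILEGED_PASSWORD" "$UNPRIVILEGED_PASSWORD" \
    | run pdbedit -a -t -u "$UNPRIVILEGED_USER" -D H: -h "$home_path" -f 'LDAP User 01'
echo ------------------------------------------------------------------
echo 動作確認
echo ------------------------------------------------------------------
# NOTE: 'run' echoes these lines including the user%password argument.
run net rpc user -U "$UNPRIVILEGED_USER%$UNPRIVILEGED_PASSWORD"
run net rpc group -U "$UNPRIVILEGED_USER%$UNPRIVILEGED_PASSWORD"
run id "$ADMINISTRATOR_USER"
run getent passwd "$ADMINISTRATOR_USER"
# Was hard-coded to "ldap01"; use the configured user name like the other checks.
run id "$UNPRIVILEGED_USER"
run getent passwd "$UNPRIVILEGED_USER"
# Count the DNs visible to an anonymous search (the ACL grants anonymous read).
# grep -c always prints a number, so the comparison below cannot see an empty value.
DN_COUNT=$(ldapsearch -x -LLL '(objectclass=*)' dn | grep -c -v '^$')
# Threshold from the original script; presumably the 5 entries loaded above
# plus those created by 'net sam provision' and the accounts added here.
if [ "$DN_COUNT" -lt 12 ]
then
    echo LDAP データが正常に登録されていない可能性があります。
fi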


スクリプト実行時の様子

root@cedric:~# ./create_new_domain.sh
-----------------------------------------------
LDAP 関連の依存を無効にし、サービス環境をクリア
-----------------------------------------------
# authconfig --disableldap --disableldapauth --disablewinbind --disablewinbindauth --disablesmbauth --update
------------------------------------------
OS のアップデート&必要なパッケージの登録
------------------------------------------
(中略)
-----------------------------------------------
LDAP 設定ファイルの投入(for Provider)
-----------------------------------------------
-----------------------------------------------
LDAP 初期データの投入
-----------------------------------------------
Checking configuration files for slapd:  config file testing succeeded
                                                           [  OK  ]
Starting slapd:                                            [  OK  ]
-----------------------------------------------
LDAP 管理者パスワードの保存
-----------------------------------------------
# smbpasswd -W -s
Setting stored password for "cn=admin,dc=example,dc=com" in secrets.tdb
Secret stored
-----------------------------------------------
Samba ドメイン環境の生成
-----------------------------------------------
# service winbind start
Starting Winbind services:                                 [  OK  ]
# net getlocalsid
SID for domain CEDRIC is: S-1-5-21-2992755504-809867169-1047621095
winbindd (pid  2839) is running...
# net sam provision
Checking for Domain Users group.
Adding the Domain Users group.
Checking for Domain Admins group.
Adding the Domain Admins group.
Check for Administrator account.
Adding the Administrator user.
Checking for Guest user.
Adding the Guest user.
Checking Guest's group.
Adding the Domain Guests group.
------------------------------------------------------
LDAP 認証&winbind を有効にする
------------------------------------------------------
# authconfig --enableldap --enableldapauth --ldapbasedn dc=example,dc=com --enablewinbind --enablesmbauth --update

Shutting down Winbind services:                            [  OK  ]
Starting Winbind services:                                 [  OK  ]
------------------------------------------------------
Administrator の SMB パスワード設定&権限設定
------------------------------------------------------
Granted SeMachineAccountPrivilege to MYDOMAIN\Administrator
Granted SeTakeOwnershipPrivilege to MYDOMAIN\Administrator
Granted SeBackupPrivilege to MYDOMAIN\Administrator
Granted SeRestorePrivilege to MYDOMAIN\Administrator
Granted SeRemoteShutdownPrivilege to MYDOMAIN\Administrator
Granted SePrintOperatorPrivilege to MYDOMAIN\Administrator
Granted SeAddUsersPrivilege to MYDOMAIN\Administrator
Granted SeDiskOperatorPrivilege to MYDOMAIN\Administrator
------------------------------------------
Samba サービス起動
------------------------------------------
Starting SMB services:                                     [  OK  ]
Starting NMB services:                                     [  OK  ]
ドメイン MYDOMAIN が利用可能になるまで待ちます
# net rpc info -U Administrator%adminpw
1 回目
2 回目
3 回目
Domain Name: MYDOMAIN
Domain SID: S-1-5-21-2992755504-809867169-1047621095
Sequence number: 1264667667
Num users: 2
Num domain groups: 3
Num local groups: 0
ドメイン MYDOMAIN が利用可能になりました
------------------------------------------------------------------
動作確認用の一般ユーザー作成
ユーザID:ldap01 パスワード:ldap01 ユーザ名:LDAP User 01
ホームディレクトリ:\\cedric\ldap01 マウントドライブ:H:
パスワード期限:無期限
------------------------------------------------------------------
# pdbedit -a -t -u ldap01 -t -D H: -h \\cedric\ldap01 -f LDAP User 01
Unix username:        ldap01
NT username:          ldap01
Account Flags:        [U          ]
User SID:             S-1-5-21-2992755504-809867169-1047621095-1001
Primary Group SID:    S-1-5-21-2992755504-809867169-1047621095-513
Full Name:            LDAP User 01
Home Directory:       \\cedric\ldap01
HomeDir Drive:        H:
Logon Script:
Profile Path:
Domain:               MYDOMAIN
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          never
Kickoff time:         never
Password last set:    木, 28  1月 2010 17:34:28 JST
Password can change:  木, 28  1月 2010 17:34:28 JST
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
------------------------------------------------------------------
動作確認
------------------------------------------------------------------
# net rpc user -U ldap01%ldap01
Administrator
nobody
ldap01
# net rpc group -U ldap01%ldap01
Domain Users
Domain Admins
Domain Guests
# id Administrator
uid=50000(Administrator) gid=50001(domadmins) 所属グループ=50001(domadmins) context=user_u:system_r:unconfined_t
# getent passwd Administrator
Administrator:*:50000:50001:Administrator:/home/Administrator:/bin/false
# id ldap01
uid=50001(ldap01) gid=50000(domusers) 所属グループ=50000(domusers) context=user_u:system_r:unconfined_t
# getent passwd ldap01
ldap01:*:50001:50000:ldap01:/home/ldap01:/bin/false


確認済みの項目

注意事項

今後確認してみたい項目
