Более менее, потыкавшись, все завелось, но smbldap-tools нивкакую не хотят общаться с сервером.
Например при запуске smbldap-populate имеем несколько:
Код: Выделить всё
Can't contact LDAP server at ./smbldap-populate line 499, <GEN1> line 242.в degug.log slapd валит:
Код: Выделить всё
Oct 12 15:50:31 eds-try slapd[3162]: conn=9 fd=15 ACCEPT from IP=192.168.33.20:58171 (IP=0.0.0.0:636)
Oct 12 15:50:31 eds-try slapd[3162]: conn=9 fd=15 closed (TLS negotiation failure)
/usr/local/etc/openldap/slapd.conf
Код: Выделить всё
eds-try# cat slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/corba.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/openldap.schema
include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/samba.schema
#include /usr/local/etc/openldap/schema/mailuser.schema
include /usr/local/etc/openldap/schema/authldap.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
allow bind_v2
# Load dynamic backend modules:
modulepath /usr/local/libexec/openldap
# moduleload back_bdb
#moduleload back_ldap
moduleload back_ldbm
# moduleload back_passwd
# moduleload back_shell
loglevel acl stats
TLSCertificateFile /usr/local/etc/openldap/ssl/ldap.cert
TLSCertificateKeyFile /usr/local/etc/openldap/ssl/ldap.key
TLSCACertificateFile /usr/local/etc/openldap/ssl/ca.cert
TLSVerifyClient never
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#######################################################################
# BDB database definitions
#######################################################################
database ldbm
suffix "dc=eds-try,dc=dp,dc=ua"
rootdn "cn=eds_ldap_root,dc=eds-try,dc=dp,dc=ua"
# Cleartext passwords, especially for the rootdn, should
# be avoid. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw {SSHA}boxZANe2kda0iWDVbmqeD2+xttrxweCDrfZZNJWKey
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/db/openldap-data
# Indices to maintain
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUid eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
#access to attrs=userPassword by self write
# by self read
# by anonymous auth
# by * none break
#access to * by self write
# by self read
# by self search
# by anonymous read
# by * none break
#access to dn.base="dc=dr-try,dc=dp,dc=ua"
# by anonymous auth
# by dn="cn=root,ou=People,dc=dr-try,dc=dp,dc=ua" write
# by dn="cn=Domain Admins,ou=Groups,dc=dr-try,dc=dp,dc=ua" write
# by dn="cn=dron_2,ou=People,dc=dr-try,dc=dp,dc=ua" write
# by * search
by * read
Код: Выделить всё
eds-try# cat ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE "dc=eds-try,dc=dp,dc=ua"
HOST 192.168.33.20
PORT 636
ldap_version 3
#URI ldap://freebsd-dr-try10.diaron.dp.ua ldap://freebsd-dr-try10
URI ldaps://eds-try.eds-try.dp.ua
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
TLS_CACERT /usr/local/etc/openldap/ssl/ca.cert
TLS_REQCERT allow
/usr/local/etc/ldap.conf (для nss_ldap который)
Код: Выделить всё
eds-try# cat ldap.conf | grep -v #
host eds-try.eds-try.dp.ua
base "dc=eds-try,dc=dp,dc=ua"
uri ldaps://eds-try.eds-try.dp.ua
ldap_version 3
binddn cn=eds_ldap_root,dc=eds-try,dc=dp,dc=ua
bindpw 123456
port 636
scope one
timelimit 30
bind_timelimit 10
bind_policy soft
idle_timelimit 3600
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_password SSHA
nss_base_passwd ou=People,dc=dnepr,dc=eds-try,dc=dp,dc=ua?one
nss_base_shadow ou=People,dc=dnepr,dc=eds-try,dc=dp,dc=ua?one
nss_base_group ou=Groups,dc=dnepr,dc=eds-try,dc=dp,dc=ua?one
ssl on
Код: Выделить всё
eds-try# cat nss_ldap.conf | grep -v #
host eds-try.eds-try.dp.ua
base "dc=dnepr,dc=eds-try,dc=dp,dc=ua"
uri ldaps://eds-try.eds-try.dp.ua
ldap_version 3
binddn cn=eds_ldap_root,dc=eds-try,dc=dp,dc=ua
bindpw 123456
port 636
scope one
timelimit 30
bind_timelimit 10
bind_policy soft
nss_connect_policy persist
idle_timelimit 3600
nss_paged_results yes
pagesize 1000
nss_base_passwd ou=People,dc=dnepr,dc=eds-try,dc=dp,dc=ua?one
nss_base_passwd ou=Computers,dc=dnepr,dc=eds-try,dc=dp,dc=ua?one
nss_base_shadow ou=People,dc=dnepr,dc=eds-try,dc=dp,dc=ua?one
nss_base_group ou=Groups,dc=dnepr,dc=eds-try,dc=dp,dc=ua?one
ssl on
tls_checkpeer no
часть smb.conf отвечающая за связь с LDAP
Код: Выделить всё
passdb backend = ldapsam:ldaps://eds-try.eds-try.dp.ua
# ldapsam:trusted = yes
# ldapsam:editposix = yes
encrypt passwords = yes
ldap passwd sync = yes
ldap ssl = on
passwd program = /usr/local/sbin/smbldap-passwd -u '%u'
passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n"
passwd chat debug = yes
log level = 3
syslog = 0
log file = /var/log/samba/log.%m
timeserver = yes
ldap admin dn = cn=eds_ldap_root,dc=eds-try,dc=dp,dc=ua
ldap suffix = dc=dnepr,dc=eds-try,dc=dp,dc=ua
ldap group siffix = ou=Groups
ldap user suffix = ou=People
ldap mashine suffix = ou=Computers
конфиги smbldap-tools
Код: Выделить всё
eds-try# cat smbldap.conf
# $Source: /opt/cvs/samba/smbldap-tools/configure.pl,v
# smbldap-tools.conf : Q & D configuration file for smbldap-tools
# This code was developped by IDEALX (http://IDEALX.org/) and
# contributors (their names can be found in the CONTRIBUTORS file).
#
# Copyright (C) 2001-2002 IDEALX
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
# USA.
# Purpose :
# . be the configuration file for all smbldap-tools scripts
##############################################################################
#
# General Configuration
#
##############################################################################
# Put your own SID. To obtain this number do: "net getlocalsid".
# If not defined, parameter is taking from "net getlocalsid" return
SID="S-1-5-21-3913502071-421749942-1010916358"
# Domain name the Samba server is in charged.
# If not defined, parameter is taking from smb.conf configuration file
# Ex: sambaDomain="IDEALX-NT"
sambaDomain="EDS-TRY-DNEPR"
##############################################################################
#
# LDAP Configuration
#
##############################################################################
# Notes: to use to dual ldap servers backend for Samba, you must patch
# Samba with the dual-head patch from IDEALX. If not using this patch
# just use the same server for slaveLDAP and masterLDAP.
# Those two servers declarations can also be used when you have
# . one master LDAP server where all writing operations must be done
# . one slave LDAP server where all reading operations must be done
# (typically a replication directory)
# Slave LDAP server
# Ex: slaveLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
slaveLDAP="eds-try.eds-try.dp.ua"
# Slave LDAP port
# If not defined, parameter is set to "389"
slavePort="636"
# Master LDAP server: needed for write operations
# Ex: masterLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
masterLDAP="eds-try.eds-try.dp.ua"
# Master LDAP port
# If not defined, parameter is set to "389"
masterPort="636"
# Use TLS for LDAP
# If set to 1, this option will use start_tls for connection
# (you should also used the port 389)
# If not defined, parameter is set to "1"
#ldapTLS="1"
ldapSSL="1"
# How to verify the server's certificate (none, optional or require)
# see "man Net::LDAP" in start_tls section for more details
verify="none"
# CA certificate
# see "man Net::LDAP" in start_tls section for more details
cafile="/usr/local/etc/openldap/ssl/ca.cert"
# certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
#clientcert="/usr/local/etc/smbldap-tools//smbldap-tools.pem"
# key certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
#clientkey="/usr/local/etc/smbldap-tools//smbldap-tools.key"
# LDAP Suffix
# Ex: suffix=dc=IDEALX,dc=ORG
suffix="dc=dnepr,dc=eds-try,dc=dp,dc=ua"
# Where are stored Users
# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for usersdn
usersdn="ou=People,${suffix}"
# Where are stored Computers
# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for computersdn
computersdn="ou=Computers,${suffix}"
# Where are stored Groups
# Ex: groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for groupsdn
groupsdn="ou=Groups,${suffix}"
# Where are stored Idmap entries (used if samba is a domain member server)
# Ex: groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for idmapdn
idmapdn="ou=Idmap,${suffix}"
# Where to store next uidNumber and gidNumber available for new users and groups
# If not defined, entries are stored in sambaDomainName object.
# Ex: sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
# Ex: sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
sambaUnixIdPooldn="sambaDomainName=EDS-TRY-DNEPR,${suffix}"
# Default scope Used
scope="sub"
# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
hash_encrypt="SSHA"
# if hash_encrypt is set to CRYPT, you may set a salt format.
# default is "%s", but many systems will generate MD5 hashed
# passwords if you use "$1$%.8s". This parameter is optional!
crypt_salt_format=""
##############################################################################
#
# Unix Accounts Configuration
#
##############################################################################
# Login defs
# Default Login Shell
# Ex: userLoginShell="/bin/bash"
userLoginShell="/sbin/nologin"
# Home directory
# Ex: userHome="/home/%U"
userHome="/home/%U"
# Default mode used for user homeDirectory
userHomeDirectoryMode="700"
# Gecos
userGecos="System User"
# Default User (POSIX and Samba) GID
defaultUserGid="513"
# Default Computer (Samba) GID
defaultComputerGid="515"
# Skel dir
skeletonDir="/etc/skel"
# Default password validation time (time in days) Comment the next line if
# you don't want password to be enable for defaultMaxPasswordAge days (be
# careful to the sambaPwdMustChange attribute's value)
defaultMaxPasswordAge="0"
##############################################################################
#
# SAMBA Configuration
#
##############################################################################
# The UNC path to home drives location (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon home'
# directive and/or disable roaming profiles
# Ex: userSmbHome="\\PDC-SMB3\%U"
userSmbHome="\\POSEYDON\%U"
# The UNC path to profiles locations (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon path'
# directive and/or disable roaming profiles
# Ex: userProfile="\\PDC-SMB3\profiles\%U"
userProfile="\\%L\Profiles\%U"
# The default Home Drive Letter mapping
# (will be automatically mapped at logon time if home directory exist)
# Ex: userHomeDrive="H:"
userHomeDrive="H:"
# The default user netlogon script name (%U username substitution)
# if not used, will be automatically username.cmd
# make sure script file is edited under dos
# Ex: userScript="startup.cmd" # make sure script file is edited under dos
userScript="%U.bat"
# Domain appended to the users "mail"-attribute
# when smbldap-useradd -M is used
# Ex: mailDomain="idealx.com"
mailDomain="#eds-try.dp.ua"
##############################################################################
#
# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
#
##############################################################################
# Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but
# prefer Crypt::SmbHash library
with_smbpasswd="0"
smbpasswd="/usr/local/bin/smbpasswd"
# Allows not to use slappasswd (if with_slappasswd == 0 in smbldap_conf.pm)
# but prefer Crypt:: libraries
with_slappasswd="0"
slappasswd="/usr/local/sbin/slappasswd"
# comment out the following line to get rid of the default banner
# no_banner="1"
Код: Выделить всё
eds-try# cat smbldap_bind.conf
############################
# Credential Configuration #
############################
# Notes: you can specify two differents configuration if you use a
# master ldap for writing access and a slave ldap server for reading access
# By default, we will use the same DN (so it will work for standard Samba
# release)
slaveDN="cn=eds_ldap_root,dc=eds-try,dc=dp,dc=ua"
slavePw="123456"
masterDN="cn=eds_ldap_root,dc=eds-try,dc=dp,dc=ua"
masterPw="123456"
))Спасибо за внимание.
