Revista Informática

LDAP-Samba: Archivos de configuración

Publicado el 18 agosto 2010 por Caminomedio
Comandos / Términos variables / Comentarios
Probado en Debian Lenny
/etc/ldap/slapd.conf
# slapd.conf: OpenLDAP server settings for the directory that holds the
# POSIX and Samba accounts under dc=cs,dc=inet.
# NOTE(review): slapd joins indented continuation lines before it strips
# comments, so never place a comment directly above an indented "by" line.
# NOTE(review): no TLS directives appear in this listing, and the clients
# shown elsewhere on this page connect to ldap://127.0.0.1. If another host
# ever binds to this server, passwords would cross the network unprotected -
# confirm the intended scope.
#
# Accept LDAPv2 bind requests in addition to LDAPv3.
# NOTE(review): only needed for legacy clients; drop it if none remain.
allow bind_v2
# Schemas defining the object classes and attributes used in this tree;
# samba.schema supplies the samba* attributes named in the first ACL below.
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/samba.schema
# Files where slapd records its PID and its command-line arguments.
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
# NOTE(review): "none" keeps logging to a minimum, so binds and searches
# leave no trail. A level such as "stats" is the usual choice when
# authentication activity must be auditable - confirm against local policy.
loglevel none
# Load the Berkeley DB backend module from modulepath.
modulepath /usr/lib/ldap
moduleload back_bdb
# Return at most 500 entries per search.
sizelimit 500
tool-threads 1
backend bdb
database bdb
# Base DN served by this database and the directory holding its files.
suffix "dc=cs,dc=inet"
directory "/var/lib/ldap"
# Berkeley DB tuning: 2 MB cache and lock-table limits of 1500 each.
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
# Only objectClass gets an (equality) index.
index objectClass eq
lastmod on
# Checkpoint the database after 512 KB written or 30 minutes.
checkpoint 512 30
# ACL 1 - password material. The first matching "by" clause wins: admin may
# write, anonymous clients may only use the value to authenticate (bind),
# each user may change their own entry's values, everyone else gets nothing.
# The Samba LM/NT hashes are password-equivalent, which is why they are
# protected here together with userPassword.
access to attrs=userPassword,shadowLastChange,sambaLMPassword,sambaNTPassword
  by dn="cn=admin,dc=cs,dc=inet" write
  by anonymous auth
  by self write
  by * none
# ACL 2 - the root DSE (empty base DN) is readable by everyone.
access to dn.base="" by * read
# ACL 3 - everything else: admin may write, anyone may read.
# NOTE(review): "by * read" includes anonymous clients, so account names,
# group membership and the remaining Samba attributes can be listed without
# a bind. "by users read" would limit this to authenticated clients - confirm
# that the NSS/PAM clients bind before tightening it.
access to *
  by dn="cn=admin,dc=cs,dc=inet" write
  by * read

/etc/samba/smb.conf
[global]
# Global settings for a Samba primary domain controller (PDC) whose accounts
# live in the LDAP directory on the same host.
### Basic server configuration ###
workgroup = cs.inet
netbios name = servidor
server string = Samba PDC Version %v
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=8192 SO_RCVBUF=8192
### Settings that make this machine the PDC / master browser ###
os level = 65
preferred master = yes
local master = yes
domain master = yes
domain logons = yes
### Security and connection settings ###
# User-level authentication, no guest access, no empty passwords, and
# connections accepted only from loopback and the 10.0.0.0/255.255.255.0 net.
security = user
guest ok = no
encrypt passwords = yes
null passwords = no
hosts allow = 127.0.0.1 10.0.0.0/255.255.255.0
wins support = yes
name resolve order = wins lmhosts host bcast
dns proxy = no
time server = yes
### Miscellaneous Samba settings ###
# One log file per client machine (%m).
log file = /var/log/samba/log.%m
log level = 2
max log size = 50
hide unreadable = yes
hide dot files = yes
panic action = /usr/share/samba/panic-action %d
### Samba with Spanish character sets, compatible with Windows NT
# Avoids accented-character problems between Windows folders and Samba
dos charset = 850
unix charset = iso-8859-15
### LDAP support parameters ###
# Accounts are read from the slapd instance on the loopback interface.
# NOTE(review): the password for "ldap admin dn" is not kept in this file;
# Samba stores it in secrets.tdb (set with "smbpasswd -w"), so protect that
# file like a credential. The DN is the same cn=admin that the slapd.conf on
# this page grants write access to the whole tree; a dedicated account with
# narrower rights would limit the damage if this server is compromised -
# confirm what Samba actually needs to write.
passdb backend = ldapsam:ldap://127.0.0.1
ldap suffix = dc=cs,dc=inet
ldap machine suffix = ou=machines
ldap user suffix = ou=users
ldap group suffix = ou=groups
ldap admin dn = cn=admin,dc=cs,dc=inet
ldap delete dn = no
enable privileges = yes
; Lets users change their password from Windows
ldap password sync = yes
### Roaming user profiles, home folder and logon script ###
# If roaming profiles are not wanted, comment out the lines:
# logon home
# logon path
# NOTE(review): "logon path" points at the [profiles] share, whose parameters
# are all commented out further down - enable both or neither.
logon home = \\%L\%U\.profile
logon drive = H:
logon path = \\%L\profiles\%U
# NOTE(review): "OR" is not smb.conf syntax; it reads as an instruction to
# pick one of the two names. Keep a single file name here.
logon script = %U.bat OR netlogon.bat
### Script that automates adding machine accounts ###
### to the LDAP tree when they join the domain for the first time ###
# NOTE(review): Samba runs this command itself and substitutes the account
# name sent by the joining client for %u; keep the quotes around %u.
add machine script = /usr/sbin/smbldap-useradd -w "%u"
### Printing ###
# NOTE(review): "printcap name" is set twice below; keep only the value that
# matches "printing = cups" (presumably the second) so the effective setting
# is unambiguous.
load printers = yes
printcap name = /etc/printcap
printing = cups
printcap name = cups
; To let the sambaadmins group administer the printers
; printer admin = @sambaadmins
### Samba shares ###
# Path where the logon script(s) are stored
# Clients run the script named by "logon script" from this share at logon,
# so it is kept read-only, hidden from browsing and closed to guests; write
# access to /home/samba/netlogon on disk should stay with administrators.
# NOTE(review): "share modes" looks like a deprecated parameter - confirm it
# is still accepted by the installed Samba version.
[netlogon]
   comment = Network Logon Service
   path = /home/samba/netlogon
   guest ok = no
   writable = no
   browseable = no
   share modes = no
# Folder where the users' roaming profiles are stored
# If roaming profiles are not wanted, comment out this whole group.
# NOTE(review): every parameter below is commented out but the [profiles]
# header itself is still active, so Samba still sees a share definition with
# no path and default settings. Comment out the header as well when the share
# is disabled, or uncomment the parameters when "logon path" in [global]
# should work - confirm which state is intended.
[profiles]
  ; comment = Perfiles de Usuarios
  ; path = /home/samba/profiles
  ; writeable = yes
  ; browseable = no
  ; guest ok = no
  ; hide files = /desktop.ini/ntuser.ini/NTUSER.*/
  ; create mask = 0600
  ; directory mask = 0700
  ; csc policy = disable
# Printers
# Spool share for print jobs: printable, not browseable, no guest access
# ("public" is a synonym for "guest ok"), and spool files created with
# owner-only permissions (0700).
[printers]
   comment = Impresoras
   browseable = no
   path = /var/spool/samba
   printable = yes
   public = no
   writable = no
   create mode = 0700
# Windows clients look for this share as their source of printer drivers
# Read-only and closed to guests: clients install the driver files they
# download from here, so nobody but an administrator should be able to
# replace them.
[print$]
   comment = Drivers de Impresoras
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   guest ok = no
# Users' home folders
# Each user gets a share mapped to /home/users/<user>, the same layout as
# userHome in the smbldap.conf shown on this page. "valid users = %S" limits
# every home share to the account whose name matches the share name.
# "writeable = yes" and "read only = no" express the same setting twice.
[homes]
   path = /home/users/%U
   comment = Carpetas HOME
   browseable = no
   writeable = yes
   valid users = %S
   read only = no
   guest ok = no
   inherit permissions = yes
# Este es un recurso que solo debe ser accesible
# para un grupo POSIX especial llamado sysfox
# Si no necesitamos grupo POSIX comentar
;[sysfox]
  ; comment = Directorio de Sistemas en Fox
  ; path = /home/posix/sysfox
  ; writeable = yes
  ; delete readonly = yes
  ; valid users = @sysfox
  ; write list = @sysfox
  ; force group = sysfox
  ; browseable = yes
  ; create mask = 0770
  ; directory mask = 0770
# Este recurso es por si quiero compartir la unidad de CD
;[cdrom]
   ; comment = Samba server CD
   ; writable = no
   ; locking = no
   ; path = /media/cdrom0
   ; public = yes
   ; Lo siguiente es para auto-montar el CD cada vez que es introducido y desmontarlo
   ; cuando se termina la conexión al servidor.
   ; Para que esto trabaje, el archivo /etc/fstab debe contener una
   ; entrada así: /dev/hdc0 /media/cdrom iso9660 defaults,noauto,ro,user 0 0
   ;
   ; preexec = /bin/mount /cdrom
   ; postexec = /bin/umount /cdrom

/etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
#
# Accounts, groups and shadow data are looked up in the local files first
# (compat) and then in LDAP, so a local entry takes precedence over an LDAP
# entry with the same name.
# NOTE(review): the "ldap" source presumably relies on an NSS LDAP module
# and its own configuration, neither of which is shown on this page - confirm
# both are installed and pointed at the same directory.
passwd: compat ldap
group: compat ldap
shadow: compat ldap
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis

/etc/pam.d/common-account
#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system. The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
# pam_ldap is consulted first; because it is "sufficient", a success ends
# the stack and pam_unix below is not evaluated for that user. A failure is
# ignored and the decision falls to pam_unix, which covers local accounts.
# NOTE(review): try_first_pass is a password-handling option and probably
# has no effect in the account stack - confirm and drop it if so.
#account required pam_unix.so
account sufficient pam_ldap.so
account required pam_unix.so try_first_pass

/etc/pam.d/common-auth
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
# pam_ldap is tried first; on success the stack ends. Otherwise pam_unix
# checks the password already entered (use_first_pass) against the local
# files instead of prompting a second time.
# NOTE(review): nullok_secure still permits accounts with an empty password
# (on Debian, limited to secure terminals - confirm); remove it if no account
# is meant to log in without a password.
#auth required pam_unix.so nullok_secure
auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure use_first_pass

/etc/pam.d/common-password
# Password changes go to LDAP first; if pam_ldap succeeds the stack ends,
# otherwise pam_unix updates the local password using the value already
# entered (use_first_pass).
# NOTE(review): the pam_unix options are weak by current standards: min=4
# accepts four-character passwords, max=8 presumably caps the length at
# eight, md5 selects MD5-based crypt hashes, and nullok tolerates empty
# passwords. Raise the minimum, and use a stronger hash option such as sha512
# if the installed pam_unix offers it - confirm on the target release.
password sufficient pam_ldap.so
password required pam_unix.so nullok obscure min=4 max=8 md5 use_first_pass

/etc/smbldap-tools/smbldap_bind.conf
############################
# Credential Configuration #
############################
# Notes: you can specify two different configurations if you use a
# master ldap for writing access and a slave ldap server for reading access
# By default, we will use the same DN (so it will work for standard Samba
# release)
#
# This file holds the bind DN and its password in clear text ("XXXXX" is a
# placeholder for the real value). Keep it owned by root and readable by root
# only (for example mode 0600), and keep it out of backups and version
# control that other users can read.
# NOTE(review): both entries use cn=admin, the DN that the slapd.conf on this
# page allows to write the whole tree; a read-only DN for the slave entry
# would narrow what a leaked password exposes - confirm what the tools need.
slaveDN="cn=admin,dc=cs,dc=inet"
slavePw="XXXXX"
masterDN="cn=admin,dc=cs,dc=inet"
masterPw="XXXXX"

/etc/smbldap-tools/smbldap.conf
## General Configuration
# Domain SID and domain name. The SID belongs to the author's installation;
# replace it with the value reported by your own server (net getlocalsid).
SID="S-1-5-21-2303635708-1500597228-3808285555"
sambaDomain="cs.inet"
## LDAP Configuration
# Both the read (slave) and write (master) servers are the local slapd.
slaveLDAP="127.0.0.1"
slavePort="389"
masterLDAP="127.0.0.1"
masterPort="389"
# TLS is off and certificate verification is disabled. That is tolerable only
# while the tools talk to the loopback address; if either server is moved to
# another host, set ldapTLS="1" and verify="require" so the admin password is
# not sent in clear text to an unauthenticated server.
ldapTLS="0"
verify="none"
suffix="dc=cs,dc=inet"
usersdn="ou=users,${suffix}"
computersdn="ou=machines,${suffix}"
groupsdn="ou=groups,${suffix}"
sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
scope="sub"
# NOTE(review): MD5 stores userPassword as an unsalted MD5 digest; a salted
# scheme such as SSHA is the safer choice among the values smbldap-tools
# accepts - confirm slapd and the clients support it.
hash_encrypt="MD5"
# Presumably only consulted when hash_encrypt is CRYPT.
crypt_salt_format="%s"
## Unix Accounts Configuration
# New accounts get no interactive shell and a home directory only the owner
# can enter (mode 700); the path matches the [homes] share in smb.conf.
userLoginShell="/bin/false"
userHome="/home/users/%U"
userHomeDirectoryMode="700"
userGecos="System User"
# NOTE(review): verify that gid 515 is the intended default group for users
# and 20003 the one for machine accounts in your tree.
defaultUserGid="515"
defaultComputerGid="20003"
skeletonDir="/etc/skel"
# Passwords expire after 45 days.
defaultMaxPasswordAge="45"
## SAMBA Configuration
# Left empty so that the "logon home" and "logon path" values from smb.conf
# apply instead of per-user attributes.
userSmbHome=""
userProfile=""
userHomeDrive="H:"
## SMBLDAP-TOOLS Configuration
# 0 = compute the hashes inside the tools rather than by calling the external
# smbpasswd / slappasswd binaries named below.
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"

