1.环境准备

1.1、实验环境[root@moban ~]# cat /etc/redhat-releaseCentOS release 6.8 (Final)[root@moban ~]# uname -r2.6.32-642.el6.x86_64

1.2、校准服务器时间

[root@moban ~]# ntpdate pool.ntp.org12 Nov 01:11:59 ntpdate[2354]: adjust time server 202.118.1.81 offset 0.004307 sec[root@moban ~]# crontab -l#time sync*/5 * * * * /usr/sbin/ntpdate pool.ntp.org >/dev/null 2>&1

1.3、关闭selinux和iptables

[root@moban ~]# getenforce  Enforcing[root@moban ~]# setenforce 0[root@moban ~]# getenforce  Permissive[root@moban ~]# service iptables stop

2.Openldap和Samba的安装配置

2.1、安装Openldap和Samba[root@moban ~]# yum -y install openldap openldap-clients openldap-servers nss-pam-ldapd[root@moban ~]# yum -y install samba-common samba samba-client

2.2、配置openldap

a.Openldap引用samba.schema[root@moban ~]# cp /usr/share/doc/samba-3.6.23/LDAP/samba.schema /etc/openldap  /schema/

b.拷贝openldap的示例配置文件

[root@moban ~]# cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf

c.生成ldap管理员密码

[root@moban ~]# slappasswd -s 123456{SSHA}Ae1JJTvbeP60y91e9MdAqOmpleSWG19o

d.修改配置文件

[root@moban ~]# vi /etc/openldap/slapd.conf在18行插入如下内容:18 include         /etc/openldap/schema/samba.schema

注释掉99行到102行:

    99 # database config

    100 # access to *    101 #       by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage    102 #       by * none

在111行插入如下访问权限内容:

    111 access to attrs=userPassword    112   by self write    113   by anonymous auth    114   by * none    115 access to attrs=sambaNTPassword    116   by self write    117   by anonymous auth    118   by * none    119 access to *    120   by self write    121   by * read修改126行到134行的内容为:修改前:    126 database        bdb    127 suffix          "dc=my-domain,dc=com"    128 checkpoint      1024 15    129 rootdn          "cn=Manager,dc=my-domain,dc=com"    130 # Cleartext passwords, especially for the rootdn, should    131 # be avoided.  See slappasswd(8) and slapd.conf(5) for d        etails.    132 # Use of strong authentication encouraged.    133 # rootpw                secret    134 # rootpw                {crypt}ijFYNcSNctBYg修改后:    126 database        bdb    127 suffix          "dc=etiantian,dc=org"    128 checkpoint      1024 15    129 rootdn          "cn=admin,dc=etiantian,dc=org"    130 # Cleartext passwords, especially for the rootdn, should    131 # be avoided.  See slappasswd(8) and slapd.conf(5) for d        etails.    132 # Use of strong authentication encouraged.    133 # rootpw                secret    134 rootpw          {SSHA}Ae1JJTvbeP60y91e9MdAqOmpleSWG19o修改143行的内容为:修改前:index ou,cn,mail,surname,givenname      eq,pres,sub修改后:index ou,cn,mail,surname,givenname      eq,pres,sub,approx修改105行到109行的内容为:修改前:    105 database monitor    106 access to *    107         by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn        =external,cn=auth" read    108         by dn.exact="cn=Manager,dc=my-domain,dc=com" read    109         by * none修改后:    105 database monitor    106 access to *    107         by dn.exact="cn=admin,dc=etiantian,dc=org" read    108         by * none

2.3、初始化openldap

a.删除openldap原始的配置文件和数据[root@moban ~]# rm -rf /etc/openldap/slapd.d/*[root@moban ~]# rm -rf /var/lib/ldap/*

b.拷贝数据库的配置文件

[root@moban ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG[root@moban ~]# chown ldap.ldap -R /var/lib/ldap[root@moban ~]# ll /var/lib/ldaptotal 4-rw-r--r--. 1 ldap ldap 845 Nov 12 01:54 DB_CONFIG

c.生成2.4版本的配置文件

[root@moban ldap]# slaptest -uconfig file testing succeeded[root@moban ldap]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/  #生成旧版本的配置文件config file testing succeeded

d.初始化openldap的基础数据

[root@moban openldap]# vi base.ldif dn: dc=etiantian,dc=orgobjectClass: organizationobjectClass: dcObjectdc: etiantiano: etiantiandn: ou=People,dc=etiantian,dc=orgobjectClass: organizationalUnitou: Peopledn: ou=group,dc=etiantian,dc=orgobjectClass: organizationalUnitou: group[root@moban openldap]# vi group.ldifdn: cn=DBA,ou=group,dc=etiantian,dc=orgobjectClass: posixGroupobjectClass: topcn: DBAmemberUid: test1gidNumber: 10673[root@moban openldap]# vi user.ldifdn: uid=test1,ou=People,dc=etiantian,dc=orgobjectClass: posixAccountobjectClass: topobjectClass: inetOrgPersonobjectClass: shadowAccountgidNumber: 0givenName: test1sn: test1uid: test1homeDirectory: /home/test1loginShell: /bin/bashshadowFlag: 0shadowMin: 0shadowMax: 99999shadowWarning: 0shadowInactive: 99999shadowLastChange: 12011shadowExpire: 99999cn: test1uidNumber: 24422

e.把基础数据导入ldap

[root@moban openldap]# slapadd -l base.ldif58260c66 The first database does not allow slapadd; using the first available one (2)_#################### 100.00% eta   none elapsed            none fast!         Closing DB...[root@moban openldap]# slapadd -l group.ldif 58260c6d The first database does not allow slapadd; using the first available one (2)_#################### 100.00% eta   none elapsed            none fast!         Closing DB...[root@moban openldap]# slapadd -l user.ldif 58260c72 The first database does not allow slapadd; using the first available one (2)_#################### 100.00% eta   none elapsed            none fast!         Closing DB...[root@moban openldap]# chown -R ldap.ldap /var/lib/ldap[root@moban openldap]# chown -R ldap.ldap /etc/openldap/slapd.d

[root@moban openldap]# chmod -R 700 /var/lib/ldap

[root@moban openldap]# chmod -R 700 /etc/openldap/slapd.d

2.4、配置samba

a.修改samba的配置[root@moban openldap]# cd /etc/samba/[root@moban samba]# cp smb.conf smb.conf.ori[root@moban samba]# vi smb.conf[global]workgroup = WORKGROUPserver string = Samba-ldap Server Version %vnetbios name = samba-ldapsamlog file = /var/log/samba/log.%mmax log size = 50security = userpassdb backend = ldapsam:ldap://192.168.0.111/ldap suffix = "dc=etiantian,dc=org"ldap admin dn = "cn=admin,dc=etiantian,dc=org"ldap user suffix = "ou=People,dc=etiantian,dc=org"ldap group suffix = "ou=group,dc=etiantian,dc=org"ldap delete dn = noldap passwd sync = yesldap ssl = no[sambashare]comment = share allpath = /app/logbrowseable = yespublic = yeswritable = yes[myshare]comment = share for userspath = /applicationbrowseable = yespublic = nowritable = yes

b.创建共享数据目录

[root@moban samba]# mkdir /app/log -p[root@moban samba]# mkdir /application

提示:为了方便测试，先给目录777的权限

[root@moban samba]# chmod -R 777 /application

[root@moban samba]# chmod -R 777 /app/log

c.保存openldap的admin密码到samba中

提示:为了使samba能够访问ldap,把ldap管理员的密码保存到samba的secrets.tdb中(/var/lib/samba/private/secrets.tdb)[root@moban samba]# smbpasswd -w 123456Setting stored password for "cn=admin,dc=etiantian,dc=org" in secrets.tdb

d.在openldap中，添加samba测试用户

[root@moban openldap]# cat /etc/passwd|grep admin(系统用户)admin:x:500:500::/home/admin:/bin/bash[root@moban samba]# cd /etc/openldap/[root@moban openldap]# vi /etc/samba/smbusers在最下面加入samba用户admin sambatest  #意思是说admin这个系统用户名有一个虚拟的SMB用户名:sambatest[root@moban openldap]# vi sambauser.ldifdn: uid=sambatest,ou=People,dc=etiantian,dc=orgobjectClass: posixAccountobjectClass: topobjectClass: inetOrgPersonobjectClass: shadowAccountgidNumber: 1009givenName: sambatestsn: sambatestuid: sambatesthomeDirectory: /home/sambatestloginShell: /bin/bashshadowFlag: 0shadowMin: 0shadowMax: 99999shadowWarning: 0shadowInactive: 99999shadowLastChange: 12011shadowExpire: 99999cn: sambatestuidNumber: 24425[root@moban openldap]# slapadd -l sambauser.ldif58261bcf The first database does not allow slapadd; using the first available one (2)_#################### 100.00% eta   none elapsed            none fast!         Closing DB...

e.设置操作系统从ldap中验证用户

提示:设置系统如果没有从/etc/passwd中找到用户就去openldap中验证。[root@moban openldap]# authconfig-tuiUser Information[*] Use LDAPAuthentication[*] Use Fingerprint reader┌─────────┤ LDAP Settings ├───────││          [ ] Use TLS│ Server: ldap://192.168.0.111/│ Base DN: dc=etiantian,dc=org[root@moban openldap]# grep "ldap" /etc/nsswitch.confpasswd:     files ldapshadow:     files ldapgroup:      files ldapnetgroup:   files ldapautomount:  files ldap[root@moban openldap]# tail -3 ldap.confURI ldap://192.168.0.111/BASE dc=etiantian,dc=orgTLS_CACERTDIR /etc/openldap/cacerts[root@moban openldap]# /etc/init.d/slapd start[root@moban openldap]# /etc/init.d/smb start

f.测试从ldap中获取用户信息

[root@moban openldap]# id sambatest           uid=24425(sambatest) gid=1009 groups=1009[root@moban openldap]# grep "sambatest" /etc/passwd备注:从passwd文件中找不到sambatest，说明sambatest是从ldap中获取的。

g.设置测试用户sambatest密码

[root@moban openldap]# smbpasswd -a sambatestNew SMB password:123456789Retype new SMB password:123456789Added user sambatest.

h.测试samba中sambatest用户能否登录

[root@moban openldap]# smbclient -U sambatest //192.168.0.111/sambashareEnter sambatest's password: Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.6.23-36.el6_8]smb: \> ls  .                                   D        0  Sat Nov  5 20:38:28 2016  ..                                  D        0  Thu Oct 27 13:01:13 2016  UM4SW7~D.LOG                        A       74  Thu Oct 27 19:29:01 2016  U41Y9B~1.LOG                        A       85  Thu Oct 27 19:37:24 2016  U0XZAY~G.LOG                        A      117  Thu Oct 27 19:18:40 2016  UAKC5V~4.LOG                        A       99  Thu Oct 27 19:27:02 2016  UO0D3H~P.LOG                        A        0  Sat Nov  5 20:38:28 2016  U3DW4T~X.LOG                        A       48  Thu Oct 27 19:30:14 2016                51760 blocks of size 524288. 45745 blocks availablesmb: \> [root@moban openldap]# smbclient -U sambatest //192.168.0.111/myshareEnter sambatest's password: Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.6.23-36.el6_8]smb: \> ls  .                                   D        0  Sat Nov  5 23:26:28 2016  ..                                 DR        0  Fri Nov 11 22:26:21 2016  svndata                             D        0  Thu Oct 27 01:48:57 2016  新建 Microsoft Access 数据库.accdb      A   512000  Sat Nov  5 23:26:28 2016  svnpasswd                           D        0  Sat Nov  5 21:02:06 2016                51760 blocks of size 524288. 45745 blocks availablesmb: \> 通过以上结果可以看到samba通过openldap验证访问正常，再看看windows的访问，如下图: