Debian Samba PDC with Ldap

From Pruonckk.org

Revision as of 13:01, 28 February 2007

Author: Pruonckk le Punk



Dependencies

apt-get install subversion bind9

bind9

A DNS server must be configured so that the services can work correctly.

named.conf.local

We will configure the named.conf.local file with a zone for our services (/etc/bind/named.conf).

Here I will use a zone called teste.br; use whatever name you want for your configuration.

zone "teste.br" {
        type master;
        file "/etc/bind/teste.br";
};

teste.br

We defined teste.br as our zone, so now we create the file named in the file option.

In my case I am using the 192.168.10.0 range (the server is 192.168.10.1).

;
; BIND data file for the teste.br zone
;
$TTL    604800
@       IN      SOA     teste.br. root.teste.br. (
                              1         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      ns.teste.br.
ns.teste.br.     IN      A       192.168.10.1
ldap.teste.br.   IN      A       192.168.10.1
cobia-ldap.teste.br. IN CNAME     ldap.teste.br.
teste.br. IN    A       192.168.10.1

Samba

apt-get install samba smbldap-tools samba-doc


Getting the SID

cd /etc/samba/
net getlocalsid > localsid

smb.conf

[global]
	netbios name = MORPHEUS 
	workgroup = TESTE
	guest account = nobody
	browseable = yes
	server string = samba ldap server
#
# the options below produced some errors; if you want, you can test them
# separately, I do not have time at the moment to fix them
#
#	hosts allow = 192.168.10. 127.0.0.
#	interfaces = eth0, lo
#	remote announce = [192.168.10.255]
#	bind interfaces only = yes

	wins support = yes
	name resolve order = wins lmhosts bcast host
	time server = yes
	log file = /var/log/samba/log.%m
	syslog = 0
	security = user
	obey pam restrictions = yes
	socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
	domain master = yes
	preferred master = yes
	local master = yes
	domain logons = Yes
	guest ok = yes
	case sensitive = no
	hide dot files = yes
	logon home = \\%L\%U
	logon path = \\%N\profiles\%U
	logon drive = M:
	password server = MORPHEUS
	preserve case = no
	short preserve case = no
	default case = lower
	load printers = yes
	printcap name = CUPS
	printing = CUPS 
	 
	passdb backend = ldapsam:ldap://ldap.teste.br/
	ldap passwd sync = yes
	ldap suffix = dc=teste,dc=br
	ldap admin dn =  cn=admin,dc=teste,dc=br
	ldap group suffix = ou=Groups
	ldap user suffix = ou=Users
	ldap machine suffix = ou=Computers
	ldap idmap suffix = ou=Users
	add user script = /usr/sbin/smbldap-useradd -m "%u"
	ldap delete dn = Yes
	add machine script = /usr/sbin/smbldap-useradd -w "%u"
	add group script = /usr/sbin/smbldap-groupadd -p "%g"
	add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
	set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"

[printers]
	comment = Impressoras
	printable = yes
	path = /var/spool/samba
	browseable = no
	guest ok = yes
	public = yes
	read only = yes
	writable = no
	create mask = 0700
	use client driver = yes

[IPC$]

[ADMIN$]


[homes]
	comment = Home Directories
	browseable = yes
	writable = yes
	create mask = 0700
	directory mask = 0700

[netlogon]
	comment = Network Logon Services
	path = /home/netlogon
	guest ok = yes
	locking = no
	writable = no
	share modes = no

[profiles]
	comment = Roaming Profiles Folder
	path = /home/profiles
	read only = no
	profile acls = yes

[Publico]
	comment = Compartilhamento Publico
	path = /home/publico
	read only = no
	browseable = yes
	public = yes
	write list = @staff
	force group = smbpublico
	force user = smbpublico
	force create mask = 0777
	force create mode = 0777

Creating the directories

We set some directories in smb.conf, so we need to create them and give them the proper permissions.

mkdir /home/netlogon
mkdir /home/profiles
chown -R nobody.nogroup /home/netlogon
chown -R nobody.nogroup /home/profiles
chmod 777 /home/netlogon
chmod 777 /home/profiles

ldap

apt-get install ldap-utils slapd libnss-ldap libpam-ldap libpam-passwdqc nscd

Follow the slapd installation prompts; when asked for the DNS domain and other information, answer according to the name we configured earlier on the DNS server.


copying the schema

Now we need to copy the Samba schema into the LDAP schema directory.


cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz /etc/ldap/schema
cd /etc/ldap/schema
gunzip samba.schema.gz


slapd.conf

(/etc/ldap/slapd.conf) This is the configuration of our LDAP server, with the necessary changes.

# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.

#######################################################################
# Global Directives:

# Features to permit
#allow bind_v2

# Schema and objectClass definitions
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include 	/etc/ldap/schema/samba.schema

# Schema check allows for forcing entries to
# match schemas for their objectClasses's
schemacheck     on

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile         /var/run/slapd/slapd.pid

# List of arguments that were passed to the server
argsfile        /var/run/slapd.args

# Read slapd.conf(5) for possible values
loglevel       	256 

# Where the dynamically loaded modules are stored
modulepath	/usr/lib/ldap
moduleload	back_bdb

#######################################################################
# Specific Backend Directives for bdb:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend		bdb
checkpoint 512 30

#######################################################################
# Specific Backend Directives for 'other':
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
#backend		<other>

#######################################################################
# Specific Directives for database #1, of type bdb:
# Database specific directives apply to this database until another
# 'database' directive occurs
database        bdb

# The base of your directory in database #1
suffix          "dc=teste,dc=br"

# Where the database file are physically stored for database #1
directory       "/var/lib/ldap"

# Indexing options for database #1
#index           objectClass eq

# Save the time that the entry gets modified, for database #1
lastmod         on

# Where to store the replica logs for database #1
# replogfile	/var/lib/ldap/replog

# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
access to attrs=userPassword
        by dn="cn=admin,dc=teste,dc=br" write
        by anonymous auth
        by self write
        by * none

# Ensure read access to the base for things like
# supportedSASLMechanisms.  Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possible other things) to work 
# happily.
access to dn.base="" by * read

# The admin dn has full write access, everyone else
# can read everything.
access to *
        by dn="cn=admin,dc=teste,dc=br" write
        by * read

# For Netscape Roaming support, each user gets a roaming
# profile for which they have write access to
#access to dn=".*,ou=Roaming,o=morsnet"
#        by dn="cn=admin,dc=teste,dc=br" write
#        by dnattr=owner write

#######################################################################
# Specific Directives for database #2, of type 'other' (can be bdb too):
# Database specific directives apply to this database until another
# 'database' directive occurs
#database        <other>

# The base of your directory for database #2
#suffix		"dc=debian,dc=org"

# TLS: the gerador script writes the self-signed certificate over server.csr,
# so the .csr path below holds the certificate, not a signing request
TLSCertificateFile /etc/ldap/certificados/server.csr
TLSCertificateKeyFile   /etc/ldap/certificados/server.key
TLSVerifyClient 0
#startls=yes

index sambaSID eq
index sambaPrimaryGroupSID eq
index objectClass,uid,uidNumber,gidNumber,memberUid eq
index cn,mail,surname,givenname eq,subinitial
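A check worth running on the ACLs above: they hide userPassword, but the catch-all "access to * ... by * read" makes every other attribute readable, including the sambaNTPassword and sambaLMPassword hashes that smbpasswd -a stores later on this page. The script below is an added example, not part of the original page: acl_covers_attrs verifies that each password attribute is named by an "access to attrs=" rule placed before the catch-all (OpenLDAP uses the first matching rule), and hardened_password_acl prints a replacement stanza using the admin DN from this page. The slapd.conf fragment used in the demo is constructed.

```shell
#!/bin/sh
# Added example: verify that slapd.conf hides password hashes in every attribute
# Samba stores them in, not only userPassword.

# acl_covers_attrs CONF ATTR...: return 0 when every ATTR is named by an
# "access to attrs=..." directive that comes before the catch-all "access to *".
# OpenLDAP evaluates access directives in order and the first match wins, so a
# rule placed after "access to *" never takes effect.
acl_covers_attrs() {
    conf="$1"; shift
    for attr in "$@"; do
        awk -v want="$(printf '%s' "$attr" | tr 'A-Z' 'a-z')" '
            /^[ \t]*#/ { next }                                      # comment line
            /^[ \t]*access[ \t]+to[ \t]+\*/ { exit (found ? 0 : 1) }  # catch-all: stop here
            /^[ \t]*access[ \t]+to[ \t]+attrs?=/ {
                list = $0
                sub(/^[ \t]*access[ \t]+to[ \t]+attrs?=/, "", list)
                sub(/[ \t]+by[ \t].*$/, "", list)                    # "by" clause on the same line
                n = split(list, names, ",")
                for (i = 1; i <= n; i++) {
                    gsub(/[ \t]/, "", names[i])
                    if (tolower(names[i]) == want) found = 1         # attribute names are case-insensitive
                }
            }
            END { exit (found ? 0 : 1) }
        ' "$conf" || { echo "$attr is readable: no protecting ACL before \"access to *\"" >&2; return 1; }
    done
}

# The stanza to use instead of the page's single userPassword rule; place it
# before "access to *". The DN is the admin entry used throughout this page.
hardened_password_acl() {
    cat <<'EOF'
# userPassword: the owner may change it, anyone may use it to bind, nobody else reads it
access to attrs=userPassword
        by dn="cn=admin,dc=teste,dc=br" write
        by anonymous auth
        by self write
        by * none

# Samba NT/LM hashes are password equivalents. Samba writes them through the
# "ldap admin dn" bind, so only that DN needs write access and nobody may read them.
access to attrs=sambaNTPassword,sambaLMPassword,sambaPasswordHistory
        by dn="cn=admin,dc=teste,dc=br" write
        by * none
EOF
}

# Demo on a constructed copy of the ACL section from this page.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/slapd.conf" <<'EOF'
access to attrs=userPassword
        by dn="cn=admin,dc=teste,dc=br" write
        by anonymous auth
        by self write
        by * none
access to dn.base="" by * read
access to *
        by dn="cn=admin,dc=teste,dc=br" write
        by * read
EOF
    if acl_covers_attrs "$tmp/slapd.conf" userPassword sambaNTPassword sambaLMPassword; then
        echo "password attributes are protected"
    else
        echo "fix: replace the userPassword rule with:"; hardened_password_acl
    fi
    rm -rf "$tmp"
}

demo
```

Run it against the real file with acl_covers_attrs /etc/ldap/slapd.conf userPassword sambaNTPassword sambaLMPassword sambaPasswordHistory; with the ACLs as shown on this page the check fails for the samba* attributes, and it passes once the hardened stanza replaces the userPassword rule.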

ldap.conf

(/etc/ldap/ldap.conf) This is the ldap.conf file, configured for our environment.

# $OpenLDAP: pkg/ldap/libraries/libldap/ldap.conf,v 1.9 2000/09/04 19:57:01 kurt Exp $
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE	dc=teste, dc=br
URI	ldap://ldap.teste.br ldap://ldap.teste.br:636

#SIZELIMIT	12
#TIMELIMIT	15
#DEREF		never

#nss_base_passwd ou=Computers,dc=teste,dc=br?sub
#nss_base_passwd ou=Users,dc=teste,dc=br?sub
#nss_base_shadow ou=Users,dc=teste,dc=br?sub
#nss_base_group  ou=Groups,dc=teste,dc=br?one

TLS_CERT        /etc/ldap/certificados/client.csr
TLS_KEY         /etc/ldap/certificados/client.key
TLS_REQCERT     allow


libnss-ldap.conf

This file lives in /etc (/etc/libnss-ldap.conf) and must contain the following settings

host ldap.teste.br
base dc=teste,dc=br
uri ldap://ldap.teste.br/

the rest of the file stays as it is


pam_ldap.conf

(/etc/pam_ldap.conf) This file needs the same settings as the file above

host ldap.teste.br
base dc=teste,dc=br
uri ldap://ldap.teste.br/


nsswitch.conf

(/etc/nsswitch.conf) nsswitch must be configured so that the server uses the user and group information from LDAP; this lets you use the groups created in LDAP to set permissions on files and directories.

passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap

PAM configuration

(/etc/pam.d)

common-account
#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system.  The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
#account        required        pam_unix.so

account sufficient pam_unix.so
account sufficient pam_ldap.so
account sufficient pam_permit.so

common-auth
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
#auth   required        pam_unix.so nullok_secure

auth sufficient pam_unix.so
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so

common-password
#
# /etc/pam.d/common-password - password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
# used to change user passwords.  The default is pam_unix

# The "nullok" option allows users to change an empty password, else
# empty passwords are treated as locked accounts.
#
# (Add `md5' after the module name to enable MD5 passwords)
#
# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
# login.defs. Also the "min" and "max" options enforce the length of the
# new password.


password sufficient pam_passwdqc.so min=disabled,16,12,8,6 max=256
password sufficient pam_unix.so use_authtok md5
password sufficient pam_ldap.so use_first_pass use_authtok md5
password required pam_deny.so


common-session
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).  The default is pam_unix.
#
session required        pam_unix.so

generating certificates

Now we need to generate the certificates the LDAP server needs

cd /etc/ldap
mkdir certificados
cd certificados
touch gerador

Put the following content inside it

#!/bin/sh
# /etc/ldap/certificados/gerador

# server certificate
# generate a 4096-bit key, then strip the passphrase so slapd can start unattended
openssl genrsa -des3 -out server.key 4096
openssl rsa -in server.key -out server.key
# signing request, then a self-signed certificate valid for 365 days; the
# certificate is written over server.csr, which is why slapd.conf points
# TLSCertificateFile at server.csr
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.csr

# client certificate (same steps; ldap.conf refers to client.csr)
openssl genrsa -des3 -out client.key 1024
openssl rsa -in client.key -out client.key
openssl req -new -key client.key -out client.csr
openssl x509 -req -days 365 -in client.csr -signkey client.key -out client.csr

When the generator asks, at the "YOUR name" prompt (the Common Name) enter the machine name you defined in DNS (ldap.teste.br)

sh gerador
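Before pointing slapd at what gerador produced, it is worth checking that the certificate really belongs to server.key and that its Common Name is the DNS name clients will use (ldap.teste.br). The script below is an added example, not part of the original page: make_self_signed is a helper that generates a test pair non-interactively with openssl req -x509 -subj (a different technique from the interactive prompts gerador uses), and check_cert_pair performs the verification. The file names under the temporary directory are constructed.

```shell
#!/bin/sh
# Added example: generate a self-signed server certificate non-interactively and
# check that a certificate/key pair is consistent and carries the expected CN.

# make_self_signed BASE CN DAYS BITS: writes BASE.key (unencrypted, like gerador
# after "openssl rsa") and BASE.crt, with the Common Name given on the command
# line instead of through the interactive prompts.
make_self_signed() {
    openssl req -x509 -nodes -newkey "rsa:$4" -days "$3" -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# check_cert_pair CERT KEY CN: 0 when the key belongs to the certificate, the
# subject CN equals CN and the certificate has not expired; reasons on stderr.
check_cert_pair() {
    cert="$1"; key="$2"; cn="$3"
    # the RSA modulus is the same in the certificate and in its private key
    cert_mod=$(openssl x509 -noout -modulus -in "$cert") || return 1
    key_mod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null) || return 1
    [ "$cert_mod" = "$key_mod" ] || { echo "$key does not match $cert" >&2; return 1; }
    # RFC 2253 formatting gives "CN=name" without the spacing differences between versions
    got=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$cert" | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ "$got" = "$cn" ] || { echo "CN is '$got', expected '$cn'" >&2; return 1; }
    # -checkend 0 fails when the certificate is already past notAfter
    openssl x509 -noout -checkend 0 -in "$cert" >/dev/null || { echo "$cert has expired" >&2; return 1; }
}

# Demo with a constructed pair in a temporary directory. On the real server the
# call is: check_cert_pair /etc/ldap/certificados/server.csr /etc/ldap/certificados/server.key ldap.teste.br
d=$(mktemp -d)
make_self_signed "$d/server" ldap.teste.br 365 2048
check_cert_pair "$d/server.crt" "$d/server.key" ldap.teste.br && echo "server pair OK"
check_cert_pair "$d/server.crt" "$d/server.key" localhost || echo "rejected: CN mismatch, as expected"
rm -rf "$d"
```

Note that the page's ldap.conf sets TLS_REQCERT allow and smbldap.conf sets ldapTLS="0", so clients do not yet verify this certificate; the check above at least confirms the server side is consistent before TLS is enforced.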

smbldap-tools

At the start, before configuring Samba, we generated a localsid file in /etc/samba.

So take the SID generated by your machine (e.g. S-1-5-21-2139989288-483860436-2398042574) and copy it; it will be placed in the file.

smbldap.conf

Create the file /etc/smbldap-tools/smbldap.conf with the following content

# $Source: /opt/cvs/samba/smbldap-tools/smbldap.conf,v $
# $Id: smbldap.conf,v 1.17 2005/01/29 15:00:54 jtournier Exp $
#
# smbldap-tools.conf : Q & D configuration file for smbldap-tools

#  This code was developped by IDEALX (http://IDEALX.org/) and
#  contributors (their names can be found in the CONTRIBUTORS file).
#
#                 Copyright (C) 2001-2002 IDEALX
#
#  This program is free software; you can redistribute it and/or
#  modify it under the terms of the GNU General Public License
#  as published by the Free Software Foundation; either version 2
#  of the License, or (at your option) any later version.
#
#  This program is distributed in the hope that it will be useful,
#  but WITHOUT ANY WARRANTY; without even the implied warranty of
#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#  GNU General Public License for more details.
#
#  You should have received a copy of the GNU General Public License
#  along with this program; if not, write to the Free Software
#  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
#  USA.

#  Purpose :
#       . be the configuration file for all smbldap-tools scripts

##############################################################################
#
# General Configuration
#
##############################################################################

# Put your own SID
# to obtain this number do: net getlocalsid
SID="S-1-5-21-2139989288-483860436-2398042574"

##############################################################################
#
# LDAP Configuration
#
##############################################################################

# Notes: to use to dual ldap servers backend for Samba, you must patch
# Samba with the dual-head patch from IDEALX. If not using this patch
# just use the same server for slaveLDAP and masterLDAP.
# Those two servers declarations can also be used when you have 
# . one master LDAP server where all writing operations must be done
# . one slave LDAP server where all reading operations must be done
#   (typically a replication directory)

# Ex: slaveLDAP=127.0.0.1
slaveLDAP="ldap.teste.br"
slavePort="389"

# Master LDAP : needed for write operations
# Ex: masterLDAP=127.0.0.1
masterLDAP="ldap.teste.br"
masterPort="389"

# Use TLS for LDAP
# If set to 1, this option will use start_tls for connection
# (you should also used the port 389)
ldapTLS="0"

# How to verify the server's certificate (none, optional or require)
# see "man Net::LDAP" in start_tls section for more details
verify="require"

# CA certificate
# see "man Net::LDAP" in start_tls section for more details
cafile="/etc/smbldap-tools/ca.pem"

# certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientcert="/etc/smbldap-tools/smbldap-tools.pem"

# key certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientkey="/etc/smbldap-tools/smbldap-tools.key"

# LDAP Suffix
# Ex: suffix=dc=IDEALX,dc=ORG
suffix="dc=teste,dc=br"

# Where are stored Users
# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
usersdn="ou=Users,${suffix}"

# Where are stored Computers
# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
computersdn="ou=Computers,${suffix}"

# Where are stored Groups
# Ex groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
groupsdn="ou=Groups,${suffix}"

# Where are stored Idmap entries (used if samba is a domain member server)
# Ex groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
idmapdn="ou=Idmap,${suffix}"

# Where to store next uidNumber and gidNumber available
sambaUnixIdPooldn="sambaDomainName=COBAIA-LDAP,${suffix}"

# Default scope Used
scope="sub"

# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
hash_encrypt="SSHA"

# if hash_encrypt is set to CRYPT, you may set a salt format.
# default is "%s", but many systems will generate MD5 hashed
# passwords if you use "$1$%.8s". This parameter is optional!
crypt_salt_format="%s"

##############################################################################
# 
# Unix Accounts Configuration
# 
##############################################################################

# Login defs
# Default Login Shell
# Ex: userLoginShell="/bin/bash"
userLoginShell="/bin/bash"

# Home directory
# Ex: userHome="/home/%U"
userHome="/home/%U"

# Gecos
userGecos="System User"

# Default User (POSIX and Samba) GID
defaultUserGid="513"

# Default Computer (Samba) GID
defaultComputerGid="515"

# Skel dir
skeletonDir="/etc/skel"

# Default password validation time (time in days) Comment the next line if
# you don't want password to be enable for defaultMaxPasswordAge days (be
# careful to the sambaPwdMustChange attribute's value)
defaultMaxPasswordAge="99"

##############################################################################
#
# SAMBA Configuration
#
##############################################################################

# The UNC path to home drives location (%U username substitution)
# Ex: \\My-PDC-netbios-name\homes\%U
# Just set it to a null string if you want to use the smb.conf 'logon home'
# directive and/or disable roaming profiles
userSmbHome="\\COBAIA-LDAP\homes\%U"

# The UNC path to profiles locations (%U username substitution)
# Ex: \\My-PDC-netbios-name\profiles\%U
# Just set it to a null string if you want to use the smb.conf 'logon path'
# directive and/or disable roaming profiles
userProfile="\\COBAIA-LDAP\profiles\%U"

# The default Home Drive Letter mapping
# (will be automatically mapped at logon time if home directory exist)
# Ex: H: for H:
userHomeDrive="H:"

# The default user netlogon script name (%U username substitution)
# if not used, will be automatically username.cmd
# make sure script file is edited under dos
# Ex: %U.cmd
# userScript="startup.cmd" # make sure script file is edited under dos
userScript="%U.cmd"

# Domain appended to the users "mail"-attribute
# when smbldap-useradd -M is used
mailDomain="teste.br"

##############################################################################
#
# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
#
##############################################################################

# Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but
# prefer Crypt::SmbHash library
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"

# Allows not to use slappasswd (if with_slappasswd == 0 in smbldap_conf.pm)
# but prefer Crypt:: libraries
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"

Now, with the file saved, run the following command

sed -i s/COBAIA-LDAP/NOME_DA_MAQUINA_NO_SAMBA/g /etc/smbldap-tools/smbldap.conf

Also change the values referring to DNS and the LDAP base.
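Instead of pasting the SID and running the sed by hand, the SID can be read from the localsid file saved earlier and validated before anything is written. The following script is an added example, not part of the original page. It assumes that localsid contains the usual net getlocalsid line of the form "SID for domain NAME is: S-1-5-21-...", that GNU sed (sed -i) is available, as on Debian, and the file contents used in the demo are constructed.

```shell
#!/bin/sh
# Added example: fill the domain SID and NetBIOS name into smbldap.conf.
# Assumes /etc/samba/localsid holds the output of "net getlocalsid", i.e. a
# line of the form "SID for domain MORPHEUS is: S-1-5-21-...", and GNU sed.

# Print the domain SID found in a saved "net getlocalsid" output file.
# Returns 1 when no SID line is present.
extract_sid() {
    sed -n 's/^SID for domain .* is: *\(S-1-5-21-[0-9]*-[0-9]*-[0-9]*\) *$/\1/p' "$1" \
        | head -n 1 | grep .
}

# A domain SID has exactly three sub-authorities after S-1-5-21; anything with a
# fourth component is a user or group SID (RID appended) and must not be used here.
is_domain_sid() {
    printf '%s\n' "$1" | grep -Eq '^S-1-5-21-[0-9]+-[0-9]+-[0-9]+$'
}

# NetBIOS names are at most 15 characters; keep to letters, digits and "-" so the
# value is also safe to put into the sed expression below.
is_netbios_name() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9-]{1,15}$'
}

# Rewrite the SID= line and every COBAIA-LDAP placeholder in a smbldap.conf file.
# Arguments: config file, domain SID, NetBIOS name of the PDC.
apply_domain_settings() {
    conf="$1"; sid="$2"; nb="$3"
    is_domain_sid "$sid" || { echo "refusing malformed SID: $sid" >&2; return 1; }
    is_netbios_name "$nb" || { echo "refusing NetBIOS name: $nb" >&2; return 1; }
    sed -i "s/^SID=.*/SID=\"$sid\"/; s/COBAIA-LDAP/$nb/g" "$conf"
}

# Demo on constructed files (the real ones are /etc/samba/localsid and
# /etc/smbldap-tools/smbldap.conf).
demo() {
    tmp=$(mktemp -d)
    printf 'SID for domain MORPHEUS is: S-1-5-21-2139989288-483860436-2398042574\n' > "$tmp/localsid"
    cat > "$tmp/smbldap.conf" <<'EOF'
SID="S-1-5-21-0-0-0"
sambaUnixIdPooldn="sambaDomainName=COBAIA-LDAP,${suffix}"
userSmbHome="\\COBAIA-LDAP\homes\%U"
EOF
    sid=$(extract_sid "$tmp/localsid") || { echo "no SID in localsid" >&2; return 1; }
    apply_domain_settings "$tmp/smbldap.conf" "$sid" MORPHEUS || return 1
    cat "$tmp/smbldap.conf"   # SID line filled in, COBAIA-LDAP replaced by MORPHEUS
    rm -rf "$tmp"
}

demo
```

On the server the same three calls apply to the real files: sid=$(extract_sid /etc/samba/localsid) followed by apply_domain_settings /etc/smbldap-tools/smbldap.conf "$sid" MORPHEUS, where MORPHEUS is the netbios name from smb.conf.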

smbldap_bind.conf

Create the smbldap_bind.conf file with the following content

############################
# Credential Configuration #
############################
# Notes: you can specify two differents configuration if you use a
# master ldap for writing access and a slave ldap server for reading access
# By default, we will use the same DN (so it will work for standard Samba
# release)
slaveDN="cn=admin,dc=teste,dc=br"
slavePw="sua_senha"
masterDN="cn=admin,dc=teste,dc=br"
masterPw="sua_senha"

Change the passwords to the value defined during the slapd installation.


Populating the LDAP base

Let's restart LDAP so we can populate the base

invoke-rc.d slapd restart

and then populate

smbldap-populate

Storing the LDAP admin password for Samba

smbpasswd -w SUA_SENHA


Restarting the services

invoke-rc.d slapd restart
invoke-rc.d nscd restart
invoke-rc.d samba restart

User administration

Creating users

To create a user in LDAP, we use the following command

smbldap-useradd usuario

To set the password

smbldap-passwd usuario

to check what was created, use the command

smbldap-usershow usuario

The output will be similar to the following

dn: uid=usuario,ou=Users,dc=teste,dc=br
objectClass: top,inetOrgPerson,posixAccount,shadowAccount
cn: usuario
sn: usuario
uid: usuario
uidNumber: 1008
gidNumber: 513
homeDirectory: /home/usuario
loginShell: /bin/bash
gecos: System User
description: System User
userPassword: {crypt}x

For this user to be usable by Samba, run the following command

smbpasswd -a usuario

It will ask for the password, and if you run usershow again you will see the following output.

dn: uid=usuario,ou=Users,dc=teste,dc=br
objectClass: top,inetOrgPerson,posixAccount,shadowAccount,sambaSamAccount
cn: usuario
sn: usuario
uid: usuario
uidNumber: 1008
gidNumber: 513
homeDirectory: /home/usuario
loginShell: /bin/bash
gecos: System User
description: System User
sambaSID: S-1-5-21-2139989288-483860436-2398042574-3016
sambaPrimaryGroupSID: S-1-5-21-2139989288-483860436-2398042574-513
displayName: System User
sambaPwdCanChange: 1163954738
sambaPwdMustChange: 2147483647
sambaLMPassword: 02D093CE93078E8FAAD3B435B51404EE
sambaNTPassword: CAF13C4F321B608B27FD75D2549BA53C
sambaPasswordHistory: 0000000000000000000000000000000000000000000000000000000000000000
sambaPwdLastSet: 1163954738
sambaAcctFlags: [U          ]
userPassword: {SMD5}DVeivJgELQykML5b6gSxyMnMKqw=

Note that Samba-related settings were added to the user. With that, all that is left is to create the machine account and the user will be able to log in.
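The two usershow dumps above differ in the sambaSamAccount objectClass and the samba* attributes. As an added example that is not part of the original page, the following script reads such a dump and tells whether the account can actually authenticate against Samba: the objectClass must include sambaSamAccount, an NT hash must be set, and sambaAcctFlags must not carry the D (disabled) flag. It unfolds LDIF continuation lines (a long value wrapped onto a line starting with a space, as ldapsearch prints them), so it also works on ldapsearch -x output. The two dumps are reconstructed from this page as constructed sample files; the folded sambaPasswordHistory line in the second one is constructed.

```shell
#!/bin/sh
# Added example: decide from a smbldap-usershow (or ldapsearch) dump whether the
# account can authenticate to Samba. The two dumps are reconstructed from this page.

# ldif_attr FILE ATTR: print the value of ATTR, joining LDIF continuation lines
# (a line starting with a single space continues the previous value).
ldif_attr() {
    awk -v want="$2" '
        function flush() { if (key == want) print value; key = ""; value = "" }
        /^ / { value = value substr($0, 2); next }
        /^[^ ]/ { flush(); key = $1; sub(/:$/, "", key); value = substr($0, length(key) + 3) }
        END { flush() }
    ' "$1"
}

# samba_ready FILE: 0 if the account has everything Samba needs, 1 otherwise
# (reasons on stderr). A stored LM hash is only reported: it is a weak legacy hash.
samba_ready() {
    ok=0
    case ",$(ldif_attr "$1" objectClass)," in
        *,sambaSamAccount,*) ;;
        *) echo "objectClass lacks sambaSamAccount (run smbpasswd -a)" >&2; ok=1 ;;
    esac
    [ -n "$(ldif_attr "$1" sambaNTPassword)" ] || { echo "no sambaNTPassword set" >&2; ok=1; }
    case "$(ldif_attr "$1" sambaAcctFlags)" in
        *D*) echo "account disabled: sambaAcctFlags contains D" >&2; ok=1 ;;
    esac
    [ -z "$(ldif_attr "$1" sambaLMPassword)" ] || echo "note: LM hash stored (weak legacy format)" >&2
    return $ok
}

# write_samples DIR: constructed copies of the dumps shown above, before and after
# smbpasswd -a; the after dump carries a folded sambaPasswordHistory value.
write_samples() {
    cat > "$1/before.ldif" <<'EOF'
dn: uid=usuario,ou=Users,dc=teste,dc=br
objectClass: top,inetOrgPerson,posixAccount,shadowAccount
cn: usuario
sn: usuario
uid: usuario
uidNumber: 1008
gidNumber: 513
homeDirectory: /home/usuario
loginShell: /bin/bash
gecos: System User
description: System User
userPassword: {crypt}x
EOF
    cat > "$1/after.ldif" <<'EOF'
dn: uid=usuario,ou=Users,dc=teste,dc=br
objectClass: top,inetOrgPerson,posixAccount,shadowAccount,sambaSamAccount
cn: usuario
uid: usuario
uidNumber: 1008
gidNumber: 513
sambaSID: S-1-5-21-2139989288-483860436-2398042574-3016
sambaPrimaryGroupSID: S-1-5-21-2139989288-483860436-2398042574-513
sambaLMPassword: 02D093CE93078E8FAAD3B435B51404EE
sambaNTPassword: CAF13C4F321B608B27FD75D2549BA53C
sambaPasswordHistory: 0000000000000000000000000000000000000000
 000000000000000000000000
sambaPwdLastSet: 1163954738
sambaAcctFlags: [U          ]
userPassword: {SMD5}DVeivJgELQykML5b6gSxyMnMKqw=
EOF
}

# Demo: the first dump is not usable by Samba yet, the second is.
d=$(mktemp -d); write_samples "$d"
for f in before after; do
    if samba_ready "$d/$f.ldif"; then echo "$f: ready for Samba"; else echo "$f: not ready"; fi
done
rm -rf "$d"
```

On the server, pipe the live entry in with smbldap-usershow usuario > /tmp/usuario.ldif and call samba_ready /tmp/usuario.ldif; the file contains password hashes, so remove it afterwards.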


ROOT user

A root user also needs to be created in LDAP

smbldap-useradd root
smbldap-passwd root
smbpasswd -a root

This root user is the one that will join machines to the domain

adding machines

To add a machine to Samba, use the following command

smbldap-useradd -w maquina

To see the machine's settings, just run the following command

smbldap-usershow maquina$
dn: uid=maquina$,ou=Computers,dc=teste,dc=br
objectClass: top,inetOrgPerson,posixAccount
cn: maquina$
sn: maquina$
uid: maquina$
uidNumber: 1009
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer

Checking user privileges

To check what a user can do, just verify with the following command

net -U Administrator rpc rights list
SeMachineAccountPrivilege  Add machines to domain
      SePrintOperatorPrivilege  Manage printers
           SeAddUsersPrivilege  Add users and groups to the domain
     SeRemoteShutdownPrivilege  Force shutdown from a remote system
       SeDiskOperatorPrivilege  Manage disk shares

Creating the homes

Since we created the user, we now need to create the home directory for them; in this case

mkdir /home/usuario
chown -R usuario."Domain Users" /home/usuario

done, the user can now log in both on Linux and on Windows

(extra configuration is needed for the user to use Linux properly; I will still implement this part)

If you want the homes to be created automatically, add the line below to the end of /etc/pam.d/common-session

session required pam_mkhomedir.so skel=/etc/skel/ umask=0022

That way the user's home is created automatically when they log in to the machine for the first time.

Joining the machine to the domain

this part is still to be written; I already have machines working, but I need to get a fresh installation to go through all the steps properly


WEB administration

It is possible to administer the LDAP base from a web interface; here I will show how to do that with phpldapadmin

apt-get install apache2-mpm-prefork libapache2-mod-php4 php4-ldap phpldapadmin

For the phpldapadmin authentication type, choose session

With it installed, go to the /etc/phpldapadmin directory

open the config.php file and change the value of the host option

It should look like the example below

$servers[$i]['host'] = 'ldap://ldap.teste.br';

Note that it is ldap: and not ldaps:, and that we are using the machine's DNS name, not localhost

once that is done, to log in just type in the browser

http://ldap.teste.br/phpldapadmin


