Samba

Samba is an open-source SMB server for Linux/Unix environments. With Samba it is possible to take part in a Windows domain, either as a member or as the PDC (Primary Domain Controller). This means Samba can be used to authenticate the users and computers of a Windows domain.

Below we explain how to install and configure Samba on a server that will act as the PDC, with the purpose of authenticating the users and machines of the Windows domain in a way that is integrated with our LDAP directory. This way, the users stored in the LDAP directory will be able to use both the network's Linux/Unix terminals and the Windows workstations, and the management of the two environments is centralized.

It will also be possible, if necessary, to grant a user access only to the Linux/Unix terminals or only to the Windows workstations. Passwords can also be kept synchronized, so that if a user changes their password on the Linux command line it is also changed for Windows authentication, and vice versa.

This automated management of the records in the LDAP directory by Samba is done through helper scripts that we will install and configure.

Procedure 3.5. Installation

Procedure 3.6. Configuration

  1. We will now configure Samba to act as a PDC ready to authenticate the users stored in the LDAP directory from the Windows workstations. We will not go into the details of Samba's configuration parameters: besides being very numerous, that is outside the scope of this document. For more information about Samba's configuration parameters, consult the smb.conf man page or visit The Official Samba-3 HOWTO and Reference Guide. An example of an /etc/samba/smb.conf file suitable for authenticating the Windows users is shown below:

    Example 3.6. Configuration file /etc/samba/smb.conf

    #
    # Sample configuration file for the Samba suite for Debian GNU/Linux.
    #
    #
    # This is the main Samba configuration file. You should read the
    # smb.conf(5) manual page in order to understand the options listed
    # here. Samba has a huge number of configurable options most of which 
    # are not shown in this example
    #
    # Any line which starts with a ; (semi-colon) or a # (hash) 
    # is a comment and is ignored. In this example we will use a #
    # for commentary and a ; for parts of the config file that you
    # may wish to enable
    #
    # NOTE: Whenever you modify this file you should run the command
    # "testparm" to check that you have not made any basic syntactic 
    # errors. 
    #
    
    #======================= Global Settings =======================
    
    [global]
    
    ## Browsing/Identification ###
    
    # Change this to the workgroup/NT-domain name your Samba server will
    # part of
    # It does not need to match the root of the LDAP directory
       workgroup = ldap.ime.usp.br
    
    # server string is the equivalent of the NT Description field
       server string = Servidor SAMBA
       netbios name = sambaserver
    
    # Windows Internet Name Serving Support Section:
    # WINS Support - Tells the NMBD component of Samba to enable its WINS
    # Server
       wins support = yes
    
    # This will prevent nmbd from searching for NetBIOS names through DNS.
       dns proxy = no
    
    #### Debugging/Accounting ####
    
    # This tells Samba to use a separate log file for each machine
    # that connects
       log level = 2
       log file = /var/log/samba/log.%m
    
    # Put a capping on the size of the log files (in Kb).
       max log size = 1000
    
    # We want Samba to log a minimum amount of information to syslog.
    # Everything should go to /var/log/samba/log.{smbd,nmbd} instead.
    # If you want to log through syslog you should set the following
    # parameter to something higher.
       syslog = 0
    
    # Do something sensible when Samba crashes: mail the admin a backtrace
       panic action = /usr/share/samba/panic-action %d
    
    ####### Authentication #######
    
    # "security = user" is always a good idea. This will require a Unix
    # account in this server for every user accessing the server. See
    # /usr/share/doc/samba-doc/htmldocs/Samba-HOWTO-Collection/ServerType.html
    # in the samba-doc package for details.
       security = user
       admin users = root
    
    # You may wish to use password encryption.  See the section on
    # 'encrypt passwords' in the smb.conf(5) manpage before enabling.
       encrypt passwords = true
    
    # If you are using encrypted passwords, Samba will need to know what
    # password database type you are using.  
       passdb backend = ldapsam:ldap://ldapserver.ime.usp.br/
       passdb expand explicit = no
    
       obey pam restrictions = no
    
    # Script used to change the users' passwords and keep them in sync
       ldap passwd sync = Yes
       passwd program = /usr/sbin/smbldap-passwd %u
       passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
    
       ldap ssl = start_tls
       ldap admin dn = cn=admin,dc=ime,dc=usp,dc=br
       ldap suffix = dc=ime,dc=usp,dc=br
       ldap group suffix = ou=Groups
       ldap user suffix = ou=Users
       ldap machine suffix = ou=Computers
       ldap idmap suffix = ou=Idmap
       ldap delete dn = Yes
    
    # Settings for the smbldap-tools package scripts
       add user script = /usr/sbin/smbldap-useradd -m "%u"
       add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
       add group script = /usr/sbin/smbldap-groupadd -p "%g" 
       add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
       delete user script = /usr/sbin/smbldap-userdel "%u"
       delete group script = /usr/sbin/smbldap-groupdel "%g"
       delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
       set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
    
    ########## Domains ###########
    
    # Is this machine able to authenticate users. Both PDC and BDC
    # must have this setting enabled. If you are the BDC you must
    # change the 'domain master' setting to no
    #
       domain logons = yes
       enable privileges = yes
    
    ############ Misc ############
    
    # Most people will find that this option gives better performance.
    # See smb.conf(5) and /usr/share/doc/samba-doc/htmldocs/speed.html
    # for details
    # You may want to add the following on a Linux system:
       socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    
    # Domain Master specifies Samba to be the Domain Master Browser. If this
    # machine will be configured as a BDC (a secondary logon server), you
    # must set this to 'no'; otherwise, the default behavior is recommended.
       domain master = auto
    
    # Some defaults for winbind (make sure you're not using the ranges
    # for something else.)
       idmap uid = 10000-20000
       idmap gid = 10000-20000
    

    Caution

    Don't forget to set the permissions of /etc/samba/smb.conf to 644 and make sure its owner is the root user.

    Tip

    When you finish editing your /etc/samba/smb.conf, run the testparm command to check that everything is in order:

    usuario@sambaserver:~$ sudo testparm
    Loaded services file OK.
    Server role: ROLE_DOMAIN_PDC
    Press enter to see a dump of your service definitions
    …
    
  2. Now we have to add the Samba schema to /etc/ldap/slapd.conf so that the attributes of the Windows domain entries are recognized by the directory service. First we have to obtain that file, which ships in the samba-doc package. Run the following command on the server running the slapd service to install the required package:

    usuario@ldapserver:~$ sudo aptitude install samba-doc
    

    Then run the command below to extract the file to the right place (the redirection runs under sudo as well, since an unprivileged shell cannot write to /etc/ldap/schema):

    usuario@ldapserver:~$ sudo sh -c 'zcat /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz > /etc/ldap/schema/samba.schema'
    

    The schema section of /etc/ldap/slapd.conf will look like this:

    …
    # schema's
    include         /etc/ldap/schema/core.schema
    include         /etc/ldap/schema/cosine.schema
    include         /etc/ldap/schema/nis.schema
    include         /etc/ldap/schema/inetorgperson.schema
    include         /etc/ldap/schema/samba.schema
    
    schemacheck     on
    …
    

    We will also change the database section to match our changes. First we need to index the database instance that holds the directory differently, to get adequate performance when looking up Samba records:

    …
    ## base de dados no. 1
    …
    index           objectClass                             eq
    index           uid,uidNumber,gidNumber,memberUid       eq
    index           cn,mail,surname,givenname               eq,subinitial
    index           sambaSID                                eq
    index           sambaPrimaryGroupSID                    eq
    index           sambaDomainName                         eq
    …
    

    We also need to change this instance's ACLs to protect the confidential data in these records:

    …
    ## ACL's para a base de dados no. 1
    access to attrs=userPassword,sambaNTPassword,sambaLMPassword
           by dn.base="cn=admin,dc=ime,dc=usp,dc=br" write
           by anonymous auth
           by self write
           by * none
    …
    

    Since we changed the database's index settings, we have to rebuild the indexes. To do so, first stop the slapd service:

    usuario@ldapserver:~$ sudo /etc/init.d/slapd stop
    

    Then rebuild the indexes with the slapindex command:

    usuario@ldapserver:~$ sudo slapindex
    

    Now restart the service:

    usuario@ldapserver:~$ sudo /etc/init.d/slapd start
    Starting OpenLDAP: running BDB recovery, slapd.
    
  3. We need to store the password of the user that will administer the LDAP directory in /var/lib/samba/secrets.tdb. To do so, run the following command on the server where Samba was installed:

    usuario@sambaserver:~$ sudo /usr/bin/smbpasswd -w secret
    Setting stored password for "cn=admin,dc=ime,dc=usp,dc=br" in secrets.tdb
    
  4. Finally, restart the Samba server:

    usuario@sambaserver:~$ sudo /etc/init.d/samba restart
     * Stopping Samba daemons...                              [ ok ] 
     * Starting Samba daemons...                              [ ok ] 
    
  5. As mentioned earlier, the automated management of the LDAP directory records by Samba is done with the help of scripts. These scripts were installed by the smbldap-tools package, and we have already referenced them in /etc/samba/smb.conf; now we need to configure them.

    The smbldap-tools configuration files live in /etc/smbldap-tools, but they are not installed by default. The package only ships configuration examples in /usr/share/doc/smbldap-tools/examples. Type the following commands to copy the required files to the right place (the redirection again runs under sudo):

    usuario@sambaserver:~$ sudo sh -c 'zcat /usr/share/doc/smbldap-tools/examples/smbldap.conf.gz > /etc/smbldap-tools/smbldap.conf'
    usuario@sambaserver:~$ sudo cp /usr/share/doc/smbldap-tools/examples/smbldap_bind.conf /etc/smbldap-tools
    

    Now we need to give them the appropriate permissions:

    usuario@sambaserver:~$ sudo chmod 644 /etc/smbldap-tools/smbldap.conf
    usuario@sambaserver:~$ sudo chmod 600 /etc/smbldap-tools/smbldap_bind.conf
    usuario@sambaserver:~$ sudo chown root:root /etc/smbldap-tools/smbldap.conf
    usuario@sambaserver:~$ sudo chown root:root /etc/smbldap-tools/smbldap_bind.conf
    

    The file /etc/smbldap-tools/smbldap_bind.conf contains the credentials used to bind to the directory, which is why its permissions must be more restrictive. Below is an example of this file with the parameters set for directory access:

    Example 3.7. Configuration file /etc/smbldap-tools/smbldap_bind.conf

    ############################
    # Credential Configuration #
    ############################
    # Notes: you can specify two different configurations if you use a
    # master LDAP server for write access and a slave LDAP server for read
    # access
    # By default, we will use the same DN (so it will work for a standard
    # Samba release)
    slaveDN="cn=admin,dc=ime,dc=usp,dc=br"
    slavePw="secret"
    masterDN="cn=admin,dc=ime,dc=usp,dc=br"
    masterPw="secret"
    

    The file /etc/smbldap-tools/smbldap.conf holds the configuration of the scripts that Samba will use. The first parameter we will set is the Security Identifier (SID) of the Samba domain. This value is used by Windows domains to identify the resources present on the network. To obtain it, type the following command:

    usuario@sambaserver:~$ sudo net getlocalsid
    SID for domain SAMBASERVER is: S-1-5-21-2244078416-1265281458-506834435
    

    Copy this SID so that we can put it in the smbldap-tools configuration file. Don't forget that if Samba was installed on a different server from the one running LDAP, we will need to configure TLS support for the smbldap-tools scripts, and we will also need a copy of the LDAP server's certificate in /etc/ssl/certs.

    An example of /etc/smbldap-tools/smbldap.conf configured with TLS support is shown below:

    Example 3.8. Configuration file /etc/smbldap-tools/smbldap.conf

    ######################################################################
    #
    # General Configuration
    #
    ######################################################################
    
    # Put your own SID. To obtain this number run "net getlocalsid".
    # If not defined, the parameter is taken from the "net getlocalsid" output
    SID="S-1-5-21-2244078416-1265281458-506834435"
    
    # Domain name the Samba server is in charge of.
    # If not defined, the parameter is taken from the smb.conf configuration file
    # Ex: sambaDomain="IDEALX-NT"
    sambaDomain="LDAP.IME.USP.BR"
    
    ######################################################################
    #
    # LDAP Configuration
    #
    ######################################################################
    
    # Notes: to use dual LDAP servers as the backend for Samba, you must patch
    # Samba with the dual-head patch from IDEALX. If not using this patch,
    # just use the same server for slaveLDAP and masterLDAP.
    # These two server declarations can also be used when you have
    # . one master LDAP server where all write operations must be done
    # . one slave LDAP server where all read operations must be done
    #   (typically a replication directory)
    
    # Slave LDAP server
    # Ex: slaveLDAP=127.0.0.1
    # If not defined, parameter is set to "127.0.0.1"
    slaveLDAP="ldapserver.ime.usp.br"
    
    # Slave LDAP port
    # If not defined, parameter is set to "389"
    slavePort="389"
    
    # Master LDAP server: needed for write operations
    # Ex: masterLDAP=127.0.0.1
    # If not defined, parameter is set to "127.0.0.1"
    masterLDAP="ldapserver.ime.usp.br"
    
    # Master LDAP port
    # If not defined, parameter is set to "389"
    masterPort="389"
    
    # Use TLS for LDAP
    # If set to 1, this option will use start_tls for the connection
    # (you should also use port 389)
    # If not defined, the parameter is set to "1"
    ldapTLS="1"
    
    # How to verify the server's certificate (none, optional or require)
    # see "man Net::LDAP" in start_tls section for more details
    verify="require"
    
    # CA certificate
    # see "man Net::LDAP" in start_tls section for more details
    cafile="/etc/ssl/certs/ssl-cert-ldapserver.pem"
    
    # certificate to use to connect to the ldap server
    # see "man Net::LDAP" in start_tls section for more details
    # clientcert="/etc/opt/IDEALX/smbldap-tools/smbldap-tools.pem"
    
    # key certificate to use to connect to the ldap server
    # see "man Net::LDAP" in start_tls section for more details
    # clientkey="/etc/opt/IDEALX/smbldap-tools/smbldap-tools.key"
    
    # LDAP Suffix
    # Ex: suffix=dc=IDEALX,dc=ORG
    suffix="dc=ime,dc=usp,dc=br"
    
    # Where are stored Users
    # Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
    # Warning: if 'suffix' is not set here, you must set the full dn for
    # usersdn
    usersdn="ou=Users,${suffix}"
    
    # Where are stored Computers
    # Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
    # Warning: if 'suffix' is not set here, you must set the full dn for
    # computersdn
    computersdn="ou=Computers,${suffix}"
    
    # Where are stored Groups
    # Ex: groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
    # Warning: if 'suffix' is not set here, you must set the full dn for
    # groupsdn
    groupsdn="ou=Groups,${suffix}"
    
    # Where are stored Idmap entries (used if samba is a domain member
    # server)
    # Ex: groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
    # Warning: if 'suffix' is not set here, you must set the full dn for
    # idmapdn
    idmapdn="ou=Idmap,${suffix}"
    
    # Where to store next uidNumber and gidNumber available for new users
    # and groups
    # If not defined, entries are stored in sambaDomainName object.
    # Ex: sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
    # Ex: sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
    sambaUnixIdPooldn="sambaDomainName=LDAP.IME.USP.BR,${suffix}"
    
    # Default scope Used
    scope="sub"
    
    # Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
    hash_encrypt="SSHA"
    
    # if hash_encrypt is set to CRYPT, you may set a salt format.
    # default is "%s", but many systems will generate MD5 hashed
    # passwords if you use "$1$%.8s". This parameter is optional!
    crypt_salt_format="%s"
    
    ######################################################################
    # 
    # Unix Accounts Configuration
    # 
    ######################################################################
    
    # Login defs
    # Default Login Shell
    # Ex: userLoginShell="/bin/bash"
    userLoginShell="/bin/bash"
    
    # Home directory
    # Ex: userHome="/home/%U"
    userHome="/home/%U"
    
    # Default mode used for user homeDirectory
    userHomeDirectoryMode="700"
    
    # Gecos
    userGecos="System User"
    
    # Default User (POSIX and Samba) GID
    defaultUserGid="513"
    
    # Default Computer (Samba) GID
    defaultComputerGid="515"
    
    # Skel dir
    skeletonDir="/etc/skel"
    
    # Default password validity time (in days). Comment out the next line
    # if you don't want passwords to expire after defaultMaxPasswordAge
    # days (be careful with the sambaPwdMustChange attribute's value)
    defaultMaxPasswordAge="45"
    
    ######################################################################
    #
    # SAMBA Configuration
    #
    ######################################################################
    
    # The UNC path to home drives location (%U username substitution)
    # Just set it to a null string if you want to use the smb.conf 'logon
    # home' directive and/or disable roaming profiles
    # Ex: userSmbHome="\\PDC-SMB3\%U"
    userSmbHome=""
    
    # The UNC path to profiles locations (%U username substitution)
    # Just set it to a null string if you want to use the smb.conf 'logon
    # path' directive and/or disable roaming profiles
    # Ex: userProfile="\\PDC-SMB3\profiles\%U"
    userProfile=""
    
    # The default Home Drive Letter mapping
    # (will be automatically mapped at logon time if home directory exist)
    # Ex: userHomeDrive="H:"
    userHomeDrive="H:"
    
    # The default user netlogon script name (%U username substitution)
    # if not used, will be automatically username.cmd
    # make sure script file is edited under dos
    # Ex: userScript="startup.cmd" # make sure script file is edited under
    # dos
    userScript="logon.bat"
    
    # Domain appended to the users "mail"-attribute
    # when smbldap-useradd -M is used
    # Ex: mailDomain="idealx.com"
    mailDomain="ime.usp.br"
    
    ######################################################################
    #
    # SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
    #
    ######################################################################
    
    # Allows not using smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm)
    # and preferring the Crypt::SmbHash library instead
    with_smbpasswd="0"
    smbpasswd="/usr/bin/smbpasswd"
    
    # Allows not using slappasswd (if with_slappasswd == 0 in smbldap_conf.pm)
    # and preferring the Crypt:: libraries instead
    with_slappasswd="0"
    slappasswd="/usr/sbin/slappasswd"
    
    # comment out the following line to get rid of the default banner
    # no_banner="1"
    

    With the scripts properly configured, we can insert the entries required for the Samba domain to work into the LDAP directory, using the smbldap-populate script:

    usuario@sambaserver:~$ sudo /usr/sbin/smbldap-populate
    Populating LDAP directory for domain LDAP.IME.USP.BR (S-1-5-21-2244078416-1265281458-506834435)
    (using builtin directory structure)
    
    entry dc=ime,dc=usp,dc=br already exist. 
    adding new entry: ou=Users,dc=ime,dc=usp,dc=br
    adding new entry: ou=Groups,dc=ime,dc=usp,dc=br
    adding new entry: ou=Computers,dc=ime,dc=usp,dc=br
    adding new entry: ou=Idmap,dc=ime,dc=usp,dc=br
    adding new entry: uid=root,ou=Users,dc=ime,dc=usp,dc=br
    adding new entry: uid=nobody,ou=Users,dc=ime,dc=usp,dc=br
    adding new entry: cn=Domain Admins,ou=Groups,dc=ime,dc=usp,dc=br
    adding new entry: cn=Domain Users,ou=Groups,dc=ime,dc=usp,dc=br
    adding new entry: cn=Domain Guests,ou=Groups,dc=ime,dc=usp,dc=br
    adding new entry: cn=Domain Computers,ou=Groups,dc=ime,dc=usp,dc=br
    adding new entry: cn=Administrators,ou=Groups,dc=ime,dc=usp,dc=br
    adding new entry: cn=Account Operators,ou=Groups,dc=ime,dc=usp,dc=br
    adding new entry: cn=Print Operators,ou=Groups,dc=ime,dc=usp,dc=br
    adding new entry: cn=Backup Operators,ou=Groups,dc=ime,dc=usp,dc=br
    adding new entry: cn=Replicators,ou=Groups,dc=ime,dc=usp,dc=br
    entry sambaDomainName=LDAP.IME.USP.BR,dc=ime,dc=usp,dc=br already exist. Updating it...
    
    Please provide a password for the domain root: 
    Changing UNIX and samba passwords for root
    New password: secret
    Retype new password: secret
    

    It will ask for the password of the Samba domain superuser. This password does not have to be the same as the LDAP administrator's password. It is the password of the domain root account, which will be used to join the Windows workstations to the domain.
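    The example below, added here and not part of the original procedure or of smbldap-tools, shows how a user entry created by the add user script hangs together with the values configured above: the domain SID from net getlocalsid, usersdn under the suffix, defaultUserGid 513 (Domain Users, created by smbldap-populate), userHome and userLoginShell. It assumes smbldap-tools' algorithmic RID mapping (user RID = 2*uidNumber + 1000, group RID = 2*gidNumber + 1001, well-known groups 512-515 keeping their gidNumber as RID) and includes an audit function a defender can run over existing sambaSamAccount entries to catch SIDs from a foreign domain or RIDs that do not match the POSIX ids.

```python
from __future__ import annotations
import re

# Values taken from the page's own configuration (net getlocalsid, smbldap.conf).
DOMAIN_SID = "S-1-5-21-2244078416-1265281458-506834435"
SUFFIX = "dc=ime,dc=usp,dc=br"
USERS_DN = f"ou=Users,{SUFFIX}"          # usersdn
DEFAULT_USER_GID = 513                   # defaultUserGid: "Domain Users"
USER_HOME = "/home/%U"                   # userHome
USER_LOGIN_SHELL = "/bin/bash"           # userLoginShell

# Assumption of this example: smbldap-tools' algorithmic RID mapping.
# user RID = 2*uidNumber + 1000, group RID = 2*gidNumber + 1001, except the
# well-known groups created by smbldap-populate, whose gidNumber is the RID.
RID_BASE = 1000
WELL_KNOWN_GROUP_RIDS = {512, 513, 514, 515}  # Domain Admins/Users/Guests/Computers

SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+$")


def parse_sid(sid: str) -> tuple[str, int]:
    """Split a user/group SID into (domain SID, RID); reject malformed input."""
    domain, sep, rid = sid.rpartition("-")
    if not sep or not rid.isdigit() or not SID_RE.match(domain):
        raise ValueError(f"malformed SID: {sid!r}")
    return domain, int(rid)


def user_rid(uid_number: int) -> int:
    return 2 * uid_number + RID_BASE


def group_rid(gid_number: int) -> int:
    if gid_number in WELL_KNOWN_GROUP_RIDS:
        return gid_number
    return 2 * gid_number + RID_BASE + 1


def user_entry(uid: str, uid_number: int, surname: str,
               gid_number: int = DEFAULT_USER_GID) -> dict[str, list[str]]:
    """Attributes a new domain user gets under ou=Users (hypothetical builder)."""
    return {
        "dn": [f"uid={uid},{USERS_DN}"],
        "objectClass": ["top", "inetOrgPerson", "posixAccount", "sambaSamAccount"],
        "cn": [uid], "sn": [surname], "uid": [uid],
        "uidNumber": [str(uid_number)], "gidNumber": [str(gid_number)],
        "homeDirectory": [USER_HOME.replace("%U", uid)],
        "loginShell": [USER_LOGIN_SHELL],
        "sambaSID": [f"{DOMAIN_SID}-{user_rid(uid_number)}"],
        "sambaPrimaryGroupSID": [f"{DOMAIN_SID}-{group_rid(gid_number)}"],
        "sambaAcctFlags": ["[U          ]"],   # normal user account, enabled
    }


def to_ldif(entry: dict[str, list[str]]) -> str:
    """Render the entry as LDIF, e.g. for ldapadd or for inspection."""
    lines = [f"dn: {entry['dn'][0]}"]
    lines += [f"{k}: {v}" for k, vs in entry.items() if k != "dn" for v in vs]
    return "\n".join(lines) + "\n"


def audit_entry(entry: dict[str, list[str]]) -> list[str]:
    """Consistency findings for an existing sambaSamAccount entry (empty = OK)."""
    findings = []
    domain, rid = parse_sid(entry["sambaSID"][0])
    if domain != DOMAIN_SID:
        findings.append(f"sambaSID belongs to foreign domain {domain}")
    if rid < RID_BASE:
        findings.append(f"user RID {rid} collides with the well-known RID range")
    elif rid != user_rid(int(entry["uidNumber"][0])):
        findings.append("sambaSID RID does not match uidNumber")
    pg_domain, pg_rid = parse_sid(entry["sambaPrimaryGroupSID"][0])
    if pg_domain != DOMAIN_SID or pg_rid != group_rid(int(entry["gidNumber"][0])):
        findings.append("sambaPrimaryGroupSID does not match gidNumber")
    return findings
```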