URL: https://www.opennet.me/cgi-bin/openforum/vsluhboard.cgi
Forum: vsluhforumID14
Thread number: 689

Original message
"Help, FreeBSD 4.5 smb+ldap+migrate from nt4 bdc"

Posted by atomic, 13-Dec-05 11:01
Good day, everyone!
I've set out to build the following combination: FreeBSD 5.4 + PDC + LDAP.
To do that I added an NT 4.0 BDC to the existing Win2k ADC domain, then promoted it to PDC and disconnected it from the W2k domain. Installed: openldap-server-2.2.29, openldap-client-2.2.29, samba-3.0.20b, smbldap-tools-0.9.1_1, nss_ldap-1.239, pam_ldap-1.8.0.
Following the official documentation, "Chapter 9. Migrating NT4 Domain to Samba-3" (http://us4.samba.org/samba/docs/man/Samba-Guide/Chapter 9_ Migrating NT4 Domain to Samba-3.htm), I started the migration.

The first thing I did was configure slapd.conf:


include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema
include         /usr/local/etc/openldap/schema/nis.schema
include         /usr/local/etc/openldap/schema/samba3.schema


# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

access to dn.base=""
                by self write
                by * auth

access to attr=userPassword
                by self write
                by * auth

access to attr=shadowLastChange
                by self write
                by * read

access to *
                by * read
                by anonymous auth


#######################################################################
# BDB database definitions
#######################################################################
loglevel        256

database        ldbm
suffix          "dc=interbank,dc=ru"
rootdn          "cn=Manager,dc=interbank,dc=ru"
# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          {SSHA}n+fNnY/skrCQHjuArkP32xWDYrWQJUUM
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /var/db/openldap-data
# Indices to maintain
index objectClass           eq
index cn                    pres,sub,eq
index sn                    pres,sub,eq
index uid                   pres,sub,eq
index displayName           pres,sub,eq
index uidNumber             eq
index gidNumber             eq
index memberUID             eq
index sambaSID              eq
index sambaPrimaryGroupSID  eq
index sambaDomainName       eq
index default               sub

Restarted the server; no errors in the logs.

Second, the smb.conf configuration:
[global]
workgroup = INTERBANK
netbios name = PROX
passdb backend = ldapsam:ldap://localhost
log level = 1
syslog = 0
log file = /var/log/samba/%m
max log size = 0
smb ports = 139 445
name resolve order = wins bcast hosts
add user script = /usr/local/sbin/smbldap-useradd -m '%u'
#delete user script = /opt/IDEALX/sbin/smbldap-userdel '%u'
add group script = /usr/local/sbin/smbldap-groupadd '%g'
#delete group script = /opt/IDEALX/sbin/smbldap-groupdel '%g'
add user to group script =/usr/local/sbin/smbldap-groupmod -m '%u' '%g'
#delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x '%u' '%g'
set primary group script = /usr/local/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/local/sbin/smbldap-useradd -w '%u'
logon script = scripts\logon.cmd
logon path = \\%L\profiles\%U
logon home = \\%L\%U
logon drive = X:
domain logons = Yes
domain master = No
#wins support = Yes
wins server = 192.7.7.2
ldap admin dn = cn=Manager,dc=interbank,dc=ru
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=People
ldap passwd sync = Yes
ldap suffix = dc=interbank,dc=ru
ldap ssl = no
ldap timeout = 20
ldap user suffix = ou=People
idmap backend = ldap:ldap://localhost
idmap uid = 15000-20000
idmap gid = 15000-20000
winbind nested groups = Yes
ea support = Yes
map acl inherit = Yes

[apps]
comment = Application Data
path = /data/home/apps
read only = No

[homes]
comment = Home Directories
path = /home/users/%U/Documents
valid users = %S
read only = No
browseable = No

[printers]
comment = SMB Print Spool
path = /var/spool/samba
guest ok = Yes
printable = Yes
use client driver = No
browseable = No

[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
guest ok = Yes
locking = No

[profiles]
comment = Profile Share
path = /var/lib/samba/profiles
read only = No
profile acls = Yes

[profdata]
comment = Profile Data Share
path = /var/lib/samba/profdata
read only = No
profile acls = Yes

[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers

testparm reported no errors.

Third, obtaining the SID and setting up LDAP with smbldap-tools:

net rpc getsid -S proxy2 -U administrator%******
Storing SID S-1-5-21-1292428093-1563985344-1957994488 for Domain INTERBANK in secrets.tdb

# net rpc info -S proxy2
Domain Name: INTERBANK
Domain SID: S-1-5-21-1292428093-1563985344-1957994488
Sequence number: 1041
Num users: 78
Num domain groups: 19
Num local groups: 17

net setlocalsid  S-1-5-21-1292428093-1563985344-1957994488

/usr/local/sbin/configure.pl (setting up the LDAP tree with smbldap-tools)
Everything according to the official Samba documentation.

smbpasswd -w ******

1.    smbldap-populate -a root -k 0 -m 0
creates the organizational units, all as it should.

pdbedit -Lw
root:0:555D146BD7D9706BAAD3B435B51404EE:C66B5E86F632994F72B202CA4EC9AF9C:[U          ]:LCT-439EB579:
nobody:65534:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:[NDU        ]:LCT-00000000:

net groupmap list
Domain Admins (S-1-5-21-1292428093-1563985344-1957994488-512) -> 512
Domain Users (S-1-5-21-1292428093-1563985344-1957994488-513) -> 513
Domain Guests (S-1-5-21-1292428093-1563985344-1957994488-514) -> 514
Domain Computers (S-1-5-21-1292428093-1563985344-1957994488-515) -> 515
Administrators (S-1-5-32-544) -> 544
Account Operators (S-1-5-32-548) -> 548
Print Operators (S-1-5-32-550) -> 550
Backup Operators (S-1-5-32-551) -> 551
Replicators (S-1-5-32-552) -> 552

So far everything is in order.

Next, configuring nss_ldap.conf -> ldap.conf and nsswitch.conf
ldap.conf:

host    127.0.0.1

base    dc=interbank,dc=ru

ldap_version    3

binddn cn=Manager,dc=interbank,dc=ru
bindpw not24get

pam_password exop

nss_base_passwd         ou=People,dc=interbank,dc=ru?one
nss_base_shadow         ou=People, dc=interbank,dc=ru?one
nss_base_group          ou=Groups, dc=interbank,dc=ru?one

ssl off

for nsswitch.conf:

passwd:         files ldap
shadow:         files ldap
group:          files ldap

hosts:          files dns wins
networks:       files dns

services:       files
protocols:      files
rpc:            files
ethers:         files
netmasks:       files
netgroup:       files
publickey:      files

bootparams:     files
automount:      files nis
aliases:        files
#passwd_compat: ldap       #Not needed.
#group_compat:  ldap      #Not needed.

net rpc vampire -S proxy2 -U administrator%*** > /var/log/vampire.log

/var/log/vampire.log:
usr/local/sbin/smbldap-useradd: illegal username
/usr/local/sbin/smbldap-useradd: illegal username
Fetching DOMAIN database
Creating unix group: 'Creating unix group: 'Creating unix group: 'Creating unix group: 'Creating unix group: 'Creating unix group: 'Creating unix group: 'Cre
Creating unix group: 'Domain Oper'
Creating unix group: 'internet'
Creating unix group: 'ixbt'
Creating unix group: 'Obizi'
Creating unix group: 'full'
Creating unix group: 'buh-nalog'
Creating unix group: 'Domain Kredit'
Creating unix group: 'Domain Econom'
Creating unix group: 'Domain Klient'
Creating account: Semenov
Could not create posix account info for 'Semenov'
Creating account: Could not create posix account info for 'Creating account: krbtgt
Could not create posix account info for 'krbtgt'
Creating account: TsInternetUser
Could not create posix account info for 'TsInternetUser'
Creating account: TarasovVY
Could not create posix account info for 'TarasovVY'
Creating account: Bronislav
Could not create posix account info for 'Bronislav'
Creating account: Nick
Could not create posix account info for 'Nick'
Creating account: DayanovDR
Could not create posix account info for 'DayanovDR'
Creating account: Plastik
Could not create posix account info for 'Plastik'
Creating account: Volodya
Could not create posix account info for 'Volodya'
Creating account: Olga
Could not create posix account info for 'Olga'
Creating account: DanilovDV
Could not create posix account info for 'DanilovDV'
Creating account: Buh
Could not create posix account info for 'Buh'
Creating account: Cb
Could not create posix account info for 'Cb'
Creating account: KarpechenkovAV
Could not create posix account info for 'KarpechenkovAV'
Creating account: Secure
Could not create posix account info for 'Secure'
Creating account: RiabovVV
Could not create posix account info for 'RiabovVV'
Creating account: Kliring
Could not create posix account info for 'Kliring'
Creating account: VIP
Could not create posix account info for 'VIP'
Creating account: Urist
Could not create posix account info for 'Urist'
Creating account: curr
Could not create posix account info for 'curr'
Creating account: Org_otdel
Could not create posix account info for 'Org_otdel'
Creating account: KorzanEA
Could not create posix account info for 'KorzanEA'
Creating account: Could not create posix account info for 'Creating account: helga
Could not create posix account info for 'helga'
Creating account: MisyurinPA
Could not create posix account info for 'MisyurinPA'
Creating account: MalyshYP
Could not create posix account info for 'MalyshYP'
Creating account: OsokinAY
Could not create posix account info for 'OsokinAY'
Creating account: ValovVV
Could not create posix account info for 'ValovVV'
Creating account: Tanya
Could not create posix account info for 'Tanya'
Creating account: PROXI$
Could not create posix account info for 'PROXI$'
Creating account: INTERNETBANK$
Could not create posix account info for 'INTERNETBANK$'
Creating account: oper
Could not create posix account info for 'oper'
Creating account: media$
Could not create posix account info for 'media$'
Creating account: DIMA$
Could not create posix account info for 'DIMA$'
Creating account: ATOMIC$
Could not create posix account info for 'ATOMIC$'
Creating account: EVADE$
Could not create posix account info for 'EVADE$'
Creating account: alsi
Could not create posix account info for 'alsi'
Creating account: StasiakSV
Could not create posix account info for 'StasiakSV'
Creating account: TEST$
Could not create posix account info for 'TEST$'
Creating account: outpost$
Could not create posix account info for 'outpost$'
Creating account: buh_nalog
Could not create posix account info for 'buh_nalog'
Creating account: IUSR_PROXI
Could not create posix account info for 'IUSR_PROXI'
Creating account: INFORMATIC$
Could not create posix account info for 'INFORMATIC$'
Creating account: VANIA$
Could not create posix account info for 'VANIA$'
Creating account: ADMIN3$
Could not create posix account info for 'ADMIN3$'
Creating account: BUH_NALOG$
Could not create posix account info for 'BUH_NALOG$'
Creating account: ADMIN$
Could not create posix account info for 'ADMIN$'
Creating account: KOMP$
Creating unix group: 'Bankoffice'
Creating unix group: 'DnsAdmins'
Creating unix group: 'Domain Adm'
Creating unix group: 'Domain ASU'
Creating unix group: 'Domain Buhg'
Creating unix group: 'Domain Cb'
Creating unix group: 'Domain Klir'
Creating unix group: 'Domain Mail'
Creating unix group: 'Domain Plastic'
Creating unix group: 'Domain Sec'
Creating unix group: 'Domain Valuta'
Creating unix group: 'Domain WWW'
Creating unix group: 'Domain Yur'
Creating unix group: 'Creating unix group: 'Creating unix group: 'Creating unix group: 'Fetching BUILTIN database
skipping SAM_DOMAIN_INFO delta for 'Builtin' (is not my domain)
Creating unix group: 'Creating unix group: 'Creating unix group: 'Creating unix group: 'Creating unix group: 'Creating unix group: 'Creating unix group: 'Cre

After all this:
net groupmap list
Domain Admins (S-1-5-21-1292428093-1563985344-1957994488-512) -> 512
Domain Users (S-1-5-21-1292428093-1563985344-1957994488-513) -> 513
Domain Guests (S-1-5-21-1292428093-1563985344-1957994488-514) -> 514
Domain Computers (S-1-5-21-1292428093-1563985344-1957994488-515) -> 515
Administrators (S-1-5-32-544) -> 544
Account Operators (S-1-5-32-548) -> 548
Print Operators (S-1-5-32-550) -> 550
Backup Operators (S-1-5-32-551) -> 551
Replicators (S-1-5-32-552) -> 552

pdbedit -Lw
root:0:555D146BD7D9706BAAD3B435B51404EE:C66B5E86F632994F72B202CA4EC9AF9C:[U          ]:LCT-439EB579:
nobody:65534:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:[NDU        ]:LCT-00000000

I can't figure out what the catch is. I've been struggling with this for three days already.
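An added check for the state this post ends in (editor's example code, not from the original post and not part of Samba or smbldap-tools): it parses the `net rpc vampire` log, including the lines that ran together when the add-user script failed without printing a newline, parses `pdbedit -Lw`, and reports which announced accounts never reached the passdb, which of them are machine trust accounts, and which imported accounts are enabled while carrying the "no password required" flag or the empty-password NT hash. The log excerpt and the passdb lines are constructed, modelled on the output above; the hashes for `root` are placeholders and those for `Tanya` are the well-known empty-password LM/NT hashes, not data from the domain.

```python
"""Audit what `net rpc vampire` actually delivered into the Samba passdb.

Added example (editor's code, not from the original post, Samba or
smbldap-tools). Assumes the log layout shown above, where a failing add
script can leave lines run together, and the colon-separated `pdbedit -Lw`
format: name:uid:LM hash:NT hash:[flags]:LCT-...
"""
import re

# Well-known hashes of the empty password (LM and NT).
EMPTY_LM = "AAD3B435B51404EEAAD3B435B51404EE"
EMPTY_NT = "31D6CFE0D16AE931B73C59D7E0C089C0"

# Constructed excerpt modelled on the vampire log above (not a verbatim copy).
VAMPIRE_LOG = """\
/usr/local/sbin/smbldap-useradd: illegal username
Fetching DOMAIN database
Creating unix group: 'Domain Oper'
Creating account: Semenov
Could not create posix account info for 'Semenov'
Creating account: Could not create posix account info for 'Creating account: krbtgt
Could not create posix account info for 'krbtgt'
Creating account: PROXI$
Could not create posix account info for 'PROXI$'
Creating account: Tanya
Creating account: KOMP$
Fetching BUILTIN database
"""

# Constructed `pdbedit -Lw` output: the two accounts smbldap-populate seeds,
# plus two pretend imports to exercise the checks. Hashes are placeholders.
PDBEDIT_LW = """\
root:0:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:[U          ]:LCT-439EB579:
nobody:65534:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:[NDU        ]:LCT-00000000:
Tanya:15003:%s:%s:[U          ]:LCT-00000000:
KOMP$:15010:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:[W          ]:LCT-00000000:
""" % (EMPTY_LM, EMPTY_NT)

# "Creating account: NAME" only counts when NAME ends the line; on a run-together
# line the first occurrence is followed by more text and is skipped.
ANNOUNCED = re.compile(r"Creating account: ([\w$.-]+)\s*$", re.M)
# The quoted name must close on the same line, so a truncated quote is ignored.
FAILED = re.compile(r"Could not create posix account info for '([^'\n]+)'")


def parse_vampire(log):
    """Return (accounts announced, accounts whose POSIX creation failed)."""
    return ANNOUNCED.findall(log), FAILED.findall(log)


def parse_pdbedit(text):
    """Map account name -> dict(uid, lm, nt, flags) from `pdbedit -Lw` lines."""
    accounts = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, uid, lm, nt, flags = line.split(":")[:5]
        accounts[name] = {
            "uid": int(uid), "lm": lm.upper(), "nt": nt.upper(),
            "flags": set(flags.strip("[] ")),   # "[NDU   ]" -> {"N", "D", "U"}
        }
    return accounts


def audit(log, passdb_text):
    announced, failed = parse_vampire(log)
    passdb = parse_pdbedit(passdb_text)
    findings = []
    for name, acct in passdb.items():
        enabled = "D" not in acct["flags"]          # D = account disabled
        if enabled and "N" in acct["flags"]:        # N = no password required
            findings.append((name, "enabled with 'no password required' (N)"))
        if enabled and acct["nt"] == EMPTY_NT:
            findings.append((name, "enabled with the empty-password NT hash"))
    return {
        "announced": announced,
        "failed": failed,
        "missing": [n for n in announced if n not in passdb],
        "machines": [n for n in announced if n.endswith("$")],
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in audit(VAMPIRE_LOG, PDBEDIT_LW).items():
        print("%-10s %s" % (key, value))
```

Feed it the real vampire log and the real `pdbedit -Lw` output after a run: the `missing` list is exactly what the add scripts refused, and anything under `findings` is an account that will accept a logon without a password as soon as the PDC answers for the domain.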



Messages in this discussion
"Help, FreeBSD 4.5 smb+ldap+migrate from nt4 bdc"
Posted by Andrey, 14-Dec-05 14:04
Install an LDAP editor so you don't have to struggle with ldapsearch.
Next, the smbldap-tools you have configured are failing:

add user script = /usr/local/sbin/smbldap-useradd -m '%u'
add machine script = /usr/local/sbin/smbldap-useradd -w '%u'

Try adding a user and a computer to LDAP by hand, and look at the errors and at what gets written to the database.


"Help, FreeBSD 4.5 smb+ldap+migrate from nt4 bdc"
Posted by Atomic, 17-Dec-05 09:12
>Install an LDAP editor so you don't have to struggle with ldapsearch.
>Next, the smbldap-tools you have configured are failing:
>
>add user script = /usr/local/sbin/smbldap-useradd -m '%u'
>add machine script = /usr/local/sbin/smbldap-useradd -w '%u'
>
>Try adding a user and a computer to LDAP by hand, and look at the errors and
>at what gets written to the database.

Basically, I figured it out! There's just one problem left: when I add a user with smbldap-useradd -m, it shows up in LDAP, but it doesn't appear in usermgr, and `id user` doesn't show it either; it says there is no such user.
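For the state described in this reply (the entry is in LDAP, `id` says there is no such user), the editor adds an offline check of the nss_ldap side; it is example code, not from the post, nss_ldap or Samba. It assumes the `nss_base_passwd base?scope` syntax of the ldap.conf posted above, an LDIF export from `ldapsearch -x -LLL` with plain `attr: value` lines (no base64, no continuation lines), and the rootdn from the slapd.conf above. The config fragment and the three entries are constructed: `alice` is resolvable, `bob` sits one OU over and so outside a one-level `nss_base_passwd`, `carol` has no posixAccount and therefore no uidNumber/gidNumber, which is what `id` needs. It also flags a `binddn` equal to the slapd rootdn, since the nss_ldap configuration is read by every process on the host that resolves a user.

```python
"""Why a user that is in LDAP is invisible to `id`: check the nss_ldap side.
Added example (editor's code, not from the post, nss_ldap or Samba). Assumes
the `nss_base_passwd base?scope` syntax of the ldap.conf above and an LDIF
export with plain `attr: value` lines (no base64, no continuation lines)."""
import re

# Constructed ldap.conf close to the one in the thread (password replaced).
LDAP_CONF = """\
host    127.0.0.1
base    dc=interbank,dc=ru
binddn cn=Manager,dc=interbank,dc=ru
bindpw changeme
nss_base_passwd         ou=People,dc=interbank,dc=ru?one
nss_base_group          ou=Groups, dc=interbank,dc=ru?one
"""

# Constructed entries: alice resolvable; bob one OU over, outside a one-level
# nss_base_passwd; carol without posixAccount, hence without uidNumber/gidNumber.
LDIF = """\
dn: uid=alice,ou=People,dc=interbank,dc=ru
objectClass: posixAccount
objectClass: sambaSamAccount
uid: alice
uidNumber: 15001
gidNumber: 513

dn: uid=bob,ou=Users,dc=interbank,dc=ru
objectClass: posixAccount
uid: bob
uidNumber: 15002
gidNumber: 513

dn: uid=carol,ou=People,dc=interbank,dc=ru
objectClass: account
uid: carol
"""


def norm_dn(dn):
    # No whitespace around commas, lower-cased: DN matching is case-insensitive.
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldap_conf(text):
    conf = {}
    for line in text.splitlines():
        parts = re.split(r"\s+", line.strip(), 1)
        if parts[0] and not parts[0].startswith("#"):
            conf[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return conf


def parse_nss_base(value):
    # 'base?scope?filter' -> (normalised base, scope); nss_ldap defaults to sub.
    parts = value.split("?")
    return norm_dn(parts[0]), (parts[1] if len(parts) > 1 and parts[1] else "sub")


def parse_ldif(text):
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries


def in_scope(dn, base, scope):
    """Would a search at `base` with scope base/one/sub return `dn`?"""
    dn = norm_dn(dn)
    if scope == "base":
        return dn == base
    if not dn.endswith("," + base):
        return False
    return scope == "sub" or "," not in dn[: -len(base) - 1]  # one: single RDN above base


def nss_problems(entry, base, scope):
    """Reasons nss_ldap would not turn this entry into a passwd record."""
    problems = []
    if "posixaccount" not in {oc.lower() for oc in entry.get("objectclass", [])}:
        problems.append("no posixAccount objectClass")
    problems += ["missing " + a for a in ("uid", "uidnumber", "gidnumber") if a not in entry]
    if not in_scope(entry["dn"][0], base, scope):
        problems.append("outside nss_base_passwd (%s?%s)" % (base, scope))
    return problems


def check(ldap_conf_text, ldif_text, rootdn="cn=Manager,dc=interbank,dc=ru"):
    """rootdn defaults to the one in the slapd.conf above."""
    conf = parse_ldap_conf(ldap_conf_text)
    report = {"bind": [], "entries": {}}
    if norm_dn(conf.get("binddn", "")) == norm_dn(rootdn):
        # Every process that resolves a user reads this file, so the directory
        # manager's password is effectively public on the host.
        report["bind"].append("binddn is the slapd rootdn")
    base, scope = parse_nss_base(conf["nss_base_passwd"])
    for entry in parse_ldif(ldif_text):
        report["entries"][entry["uid"][0]] = nss_problems(entry, base, scope)
    return report


if __name__ == "__main__":
    for key, value in check(LDAP_CONF, LDIF).items():
        print("%-8s %s" % (key, value))
```

Replace `LDIF` with the real `ldapsearch -x -LLL -b dc=interbank,dc=ru uid=<user>` output and `LDAP_CONF` with the file nss_ldap actually reads: an empty problem list for the user, with `id` still failing, moves the search to nsswitch.conf and the nss_ldap module itself rather than the directory contents.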


"Help, FreeBSD 4.5 smb+ldap+migrate from nt4 bdc"
Posted by kub, 19-Sep-06 12:19
I wonder whether the author ever solved this problem?
I'd like to know how.