Installazione Primary Domain Controller: Difference between revisions

Line 289: Line 289:


<pre>
<pre>
net groupmap list
sudo net groupmap list
System Operators (S-1-5-32-549) -> -1
System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Replicators (S-1-5-32-552) -> -1

Revision as of 15:39, 26 November 2007

Installazione Pacchetti

Installare secondo le opzioni standard:

sudo apt-get install samba smbclient acl

Abilitazione ACL

Per poter utilizzare i diritti sui file, è necessario abilitare le ACL sui filesystem utilizzati per lo storage dei dati Samba.

Supponendo di usare una sola partizione, aggiungere l'opzione acl alla partizione:

sudoedit /etc/fstab
/dev/md0        /               ext3    defaults,errors=remount-ro,acl 0       1

Rimontare il filesystem:

sudo mount / -o remount

Verificare che sia attivo il parametro acl:

mount

/dev/md0 on / type ext3 (rw,errors=remount-ro,acl)

Configurazione di base

Impostare i seguenti parametri:

export DOMAIN_NAME=GSSPA
export SERVER_NAME=GSSERVER
export LAN_IF=eth0
cd /etc/samba
sudo mv smb.conf smb.conf.ori

Rispetto a Sarge, il parametro printer admin è deprecato e add user script non accetta comandi multipli separati da ;

Inserire i seguenti parametri in /etc/samba/smb.conf:

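cd /etc/samba
# Already moved aside if the previous step was run; do not fail on a second pass.
[ -e smb.conf ] && sudo mv smb.conf smb.conf.ori
# The here-document below is unquoted so the three variables exported earlier
# are expanded into the file; abort now rather than write empty values.
: "${DOMAIN_NAME:?export DOMAIN_NAME first}"
: "${SERVER_NAME:?export SERVER_NAME first}"
: "${LAN_IF:?export LAN_IF first}"
# tee reads the here-document directly (a leading "cat |" would block on the
# terminal until Ctrl-D).  In an unquoted here-document "\\" collapses to "\",
# so a literal "\\" in smb.conf has to be written as "\\\\"; "\%" is kept as-is.
sudo tee -a smb.conf > /dev/null <<EOFile
[global]
        # user and group  management
                add group script = /usr/sbin/groupadd %g
                delete group script = /usr/bin/net groupmap delete ntgroup="%g" ; /usr/sbin/groupdel "%g"
                add user to group script = /usr/bin/gpasswd -a %u %g
                delete user from group script = /usr/bin/gpasswd -d %u %g
                #
                add user script = /etc/samba/adduser.smb %u
                delete user script = /usr/sbin/userdel -r %u
                add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null %u
                #username map = /etc/samba/user.map
                #
                passdb backend = tdbsam
                unix password sync = yes
                passwd program = /usr/bin/passwd %u
                passwd chat = "*Enter new UNIX password*" %n\n "*Retype new UNIX password*" %n\n "*password updated successfully*" .

        # Network role parameter
                netbios name = $SERVER_NAME
                workgroup = $DOMAIN_NAME
                server string = "Server $DOMAIN_NAME"
                domain master = yes
                domain logons = yes
                wins support = yes
                security = user
                local master = yes
                os level = 99
                time server = yes
                encrypt passwords = true
                # written as \\\\ so that smb.conf receives \\%L (UNC path)
                logon home = \\\\%L\%U
                logon script = user.cmd
                logon path = \\\\%L\Profiles\%U
                logon drive = P:

        # Administrators users
                admin users = administrator

        # Logging settings
                syslog = 0
                syslog only = no
                log file = /var/log/samba/smbd
                #log level = 3
                #debug timestamp = yes

        # Network binding
                interfaces = $LAN_IF
                bind interfaces only = Yes

        # Printing
                printing = cups
                printcap name = cups
                load printers = yes

[printers]
        comment = All Printers
        path = /tmp
        guest ok = yes
        printable = yes
        browseable = no

[print$]
        comment = Printer Drivers Share
        path = /var/lib/samba/printers
        public = yes
        guest ok = yes
        browseable = yes
        read only = yes
        write list = administrator


[homes]
        comment = Home Directories
        valid users = %S
        read only = no
        browseable = no
        path = /files/homes/%S

[homes$]
        comment = Home Directories
        admin users = root, administrator, @domainadmins
        read only = no
        browseable = no
        path = /files/homes

[netlogon]
        comment = Domain Logon Service
        path = /files/netlogon
        admin users = administrator, @domainadmins
        write list = administrator, @domainadmins
        guest ok = yes
        browsable = no

[Profiles]
        comment = Roaming Profile Share
        path = /files/profiles
        read only = No
        profile acls = Yes
        # Keeps desktop.ini from being opened at logon
        hide files = /desktop.ini/ntuser.ini/NTUSER.*/

[Dati]
        writeable = yes
        path = /files/dati
        admin users = root, administrator, @domainadmins
        inherit permissions = yes
        inherit acls = yes

[Install]
        writeable = yes
        create mode = 775
        path = /files/install
        directory mode = 775
EOFile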


Creare lo script per aggiungere gli utenti:

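# tee reads the quoted here-document directly (no "cat |", which would block
# on the terminal); the quoted delimiter keeps $1 literal inside the script.
sudo tee /etc/samba/adduser.smb > /dev/null <<'EOFile'
#!/bin/bash
# Called by smbd as "add user script = /etc/samba/adduser.smb %u".
#   $1 - name of the user to create.
# Exits non-zero on the first failing step so smbd reports the error.
set -eu
user=${1:?usage: adduser.smb USERNAME}
/usr/sbin/useradd -g users -m "$user"
# The Samba home share points at /files/homes/%S, separate from the Unix home.
mkdir -p -- "/files/homes/$user"
chown -- "$user": "/files/homes/$user"
# go-w only removes write access; group/others keep read access.
chmod go-w -- "/files/homes/$user"
EOFile
sudo chmod a+x /etc/samba/adduser.smb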

Creazione delle directory per le condivisioni

sudo mkdir -p /files/install /files/dati /files/profiles /files/netlogon /files/homes

Impostare i diritti per la directory Profiles:

cd /files/profiles/
sudo chown :users .
sudo chmod g+w .


Riavviare Samba:

sudo /etc/init.d/samba stop; sudo /etc/init.d/samba start

Creazione delle utenze

Azzerare TUTTO il database di samba, per evitare problemi con i SID:

sudo /etc/init.d/samba stop
sudo rm -f /var/lib/samba/*.tdb
sudo /etc/init.d/samba start

Creare l'utenza per l'administrator assegnandola al gruppo root:

sudo adduser administrator
sudo usermod -G root administrator
sudo smbpasswd -a administrator

Impostare anche la password unix uguale a quella samba, che serve per poter accedere via cups:

sudo passwd administrator

Pulizia delle Utenze

Rimuovere le utenze samba inutili.

ATTENZIONE: NON RIMUOVERLE IN ALTRO MODO, PERCHÉ VERREBBERO RIMOSSI ANCHE GLI ACCOUNT UNIX!


sudo smbpasswd -x backup
sudo smbpasswd -x bin
sudo smbpasswd -x daemon
sudo smbpasswd -x Debian-exim
sudo smbpasswd -x games
sudo smbpasswd -x gnats
sudo smbpasswd -x irc
sudo smbpasswd -x list
sudo smbpasswd -x lp
sudo smbpasswd -x mail
sudo smbpasswd -x man
sudo smbpasswd -x news
sudo smbpasswd -x nobody
sudo smbpasswd -x postfix
sudo smbpasswd -x proxy
sudo smbpasswd -x root
sudo smbpasswd -x sshd
sudo smbpasswd -x sync
sudo smbpasswd -x sys
sudo smbpasswd -x uucp
sudo smbpasswd -x www-data
sudo smbpasswd -x aptproxy
sudo smbpasswd -x postgres
sudo smbpasswd -x mnt.vvngrl

Mappatura delle utenze

Samba < 3.0.23 (Sarge)

Assicurarsi che le mappature siano azzerate:

sudo net groupmap list
System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Domain Admins (S-1-5-21-3888806968-3546501424-3282427636-512) -> -1
Domain Guests (S-1-5-21-3888806968-3546501424-3282427636-514) -> -1
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> -1
Account Operators (S-1-5-32-548) -> -1
Domain Users (S-1-5-21-3888806968-3546501424-3282427636-513) -> -1
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1

Se così non fosse:

sudo /etc/init.d/samba stop
sudo rm /var/lib/samba/group_mapping.tdb
sudo /etc/init.d/samba start

Mappare:

sudo net groupmap modify ntgroup="Domain Admins" unixgroup=root
sudo net groupmap modify ntgroup="Domain Users"  unixgroup=users
sudo net groupmap modify ntgroup="Domain Guests" unixgroup=nogroup

Verificare:

sudo net groupmap list
System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Domain Admins (S-1-5-21-3888806968-3546501424-3282427636-512) -> root
Domain Guests (S-1-5-21-3888806968-3546501424-3282427636-514) -> nogroup
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> -1
Account Operators (S-1-5-32-548) -> -1
Domain Users (S-1-5-21-3888806968-3546501424-3282427636-513) -> users
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1

Samba > 3.0.23 (Etch)

In questa versione i gruppi di default non sono creati, quindi il mapping va creato, non modificato:

sudo net groupmap add ntgroup="Domain Admins" unixgroup=root rid=512 type=d
sudo net groupmap add ntgroup="Domain Users" unixgroup=users rid=513 type=d
sudo net groupmap add ntgroup="Domain Guests" unixgroup=nogroup rid=514 type=d

Controllare:

sudo net groupmap list

Domain Users (S-1-5-21-4083320814-7475195-2141263470-513) -> users
Domain Guests (S-1-5-21-4083320814-7475195-2141263470-514) -> nogroup
Domain Admins (S-1-5-21-4083320814-7475195-2141263470-512) -> root

Controllo delle Utenze

Controllare che l'unico utente configurato sia Administrator:

sudo pdbedit -L

administrator:1012:Administrator GSSS,,,

Creazione delle home directory

Dopo aver creato le utenze con lo User Manager, si possono creare le relative home directories con lo script:

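cd /tmp
# A random, non-guessable name: the script is run with sudo from the
# world-writable /tmp, so a fixed name could be pre-created by another user.
script=$(mktemp /tmp/mkhomes.XXXXXX) || exit 1
cat > "$script" <<'EOFile'
#!/bin/bash
# Create /files/homes/<user> for every account in the Samba passdb,
# skipping names that contain "$" (machine trust accounts).
#set -x
set -eu
# Read names one per line instead of word-splitting a $(...) result.
pdbedit -L | grep -v '\$' | cut -d: -f1 | sort |
  while IFS= read -r name; do
    [ -n "$name" ] || continue
    echo "making /files/homes/$name"
    mkdir -p -- "/files/homes/$name"
    chown -- "$name": "/files/homes/$name"
  done
EOFile

chmod 755 "$script"
sudo "$script"
rm -f -- "$script"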

Installazione servizi di stampa

Installazione e Configurazione CUPS


Creazione automatica degli utenti

Ecco uno script di esempio:

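# Random file name: the script is edited and then run with sudo from /tmp.
script=$(mktemp /tmp/creautenti.XXXXXX) || exit 1
cat > "$script" <<'EOFile'
#!/bin/bash
# Bulk-create domain users on the PDC.
# Customise DOM and UTENTI.  The administrator password is taken from the
# ADMINPASS environment variable or prompted for; it is never stored here.
set -eu

DOM="SR"
UTENTI=(
  agos
  audiovideo
  bianco
  cassa1
  cassa2
  cassa3
  cassa4
  digitalimaging
  findomestic
  incasso
  inciso
  it
  ped
  sky
  storemanager
  telefonia
  tim
  tv
  vicestore
  videosorveglianza
)

# Abort unless running as root.
if [ "$(id -u)" -ne 0 ]; then
  echo "You must be root. Aborting" >&2
  exit 1
fi

if [ -z "${ADMINPASS:-}" ]; then
  read -rsp "Password for ${DOM}\\administrator: " ADMINPASS
  echo
fi

# Credentials are passed to net via a 0600 file (-A) so the password does
# not appear in the process list as it would with -U user%pass.
authfile=$(mktemp) || exit 1
chmod 600 "$authfile"
trap 'rm -f -- "$authfile"' EXIT
printf 'username = administrator\npassword = %s\ndomain = %s\n' \
  "$ADMINPASS" "$DOM" > "$authfile"

#######################################
# Create one domain user and set its Samba password and profile paths.
# Arguments: $1 - user name, $2 - initial password
#######################################
crea_utente() {
  local nome=$1 password=$2
  echo "$nome"
  net rpc user add "$nome" -A "$authfile" -S "${DOM}SERVER"
  printf '%s\n%s\n' "$password" "$password" | smbpasswd -s "$nome"
  pdbedit -p "\\\\${DOM}Server\\Profiles\\$nome" -h "\\\\${DOM}Server\\$nome" -u "$nome" > /dev/null
}

# Create the users.  As in the original procedure the initial password is
# the user name; users are expected to change it at first logon.
for nome in "${UTENTI[@]}"; do
  crea_utente "$nome" "$nome"
done

if grep -q '^lpadmin:' /etc/group; then
  # Create printadmin; it also needs a Unix password to log in to CUPS.
  crea_utente printadmin print
  gpasswd -a printadmin lpadmin
  # The original line read $PASSSWORD (typo), which set an EMPTY Unix password.
  printf '%s:%s\n' printadmin print | chpasswd
fi
EOFile

vi       "$script"
chmod +x "$script"
sudo     "$script"
rm -f -- "$script"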

Riferimenti