Installing a Primary Domain Controller

From RVM Wiki
Revision as of 12:30, 16 August 2006 by Gabriele.vivinetto (Added bindings and printing section)

Package Installation

Install with the standard options:

apt-get install samba samba-client acl

Enabling ACLs

To use permissions on files, ACLs must be enabled on the filesystems used to store the Samba data.

Assuming a single partition is used, add the acl option to that partition:

vi /etc/fstab
/dev/md0        /               ext3    defaults,errors=remount-ro,acl 0       1

Remount the filesystem:

mount / -o remount

Verify that the acl option is active:

mount

/dev/md0 on / type ext3 (rw,errors=remount-ro,acl)
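The fstab edit and the mount check above can be scripted instead of being done by hand in vi. The script below is an added example, not part of the original RVM wiki page: add_fstab_option appends an option such as acl to the options column of one fstab entry only when it is not already listed (so it can be re-run safely), and mount_has_option checks mount output for the option on a given mount point. The sample fstab and the mount line in the demonstration are constructed; on a real host you would pass /etc/fstab and pipe the output of mount.

```shell
#!/bin/sh
# Added example (not from the RVM wiki page): manage the "acl" mount option
# from a script instead of editing /etc/fstab in vi, and verify it on the
# running mount table. All paths and sample data below are constructed.

# add_fstab_option FSTAB MOUNTPOINT OPTION
# Append OPTION to the options column (4th field) of the MOUNTPOINT entry in
# FSTAB unless it is already listed. Comments, blank lines and other entries
# are copied through unchanged. Returns non-zero on failure.
add_fstab_option() {
    fstab=$1; mnt=$2; opt=$3
    tmp=$(mktemp) || return 1
    awk -v mnt="$mnt" -v opt="$opt" '
        BEGIN { OFS = "\t" }
        /^[ \t]*#/ || NF < 4 { print; next }        # comment or malformed: keep
        $2 == mnt {
            n = split($4, o, ",")
            found = 0
            for (i = 1; i <= n; i++) if (o[i] == opt) found = 1
            if (!found) $4 = $4 "," opt             # rebuilds the record with OFS
        }
        { print }
    ' "$fstab" > "$tmp" && cat "$tmp" > "$fstab"    # cat keeps owner and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# mount_has_option MOUNTPOINT OPTION  < output-of-mount
# Read "mount"-style lines such as
#   /dev/md0 on / type ext3 (rw,errors=remount-ro,acl)
# from stdin and succeed only if the MOUNTPOINT line lists OPTION.
mount_has_option() {
    awk -v mnt="$1" -v opt="$2" '
        $2 == "on" && $3 == mnt {
            gsub(/[()]/, "", $6)
            n = split($6, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == opt) ok = 1
        }
        END { exit ok ? 0 : 1 }
    '
}

# Demonstration on a constructed copy, never on the real /etc/fstab.
demo=$(mktemp)
cat > "$demo" <<'EOF'
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
proc            /proc           proc    defaults        0       0
/dev/md0        /               ext3    defaults,errors=remount-ro 0       1
/dev/md1        /files          ext3    defaults        0       2
EOF
add_fstab_option "$demo" / acl
add_fstab_option "$demo" / acl          # second call changes nothing
cat "$demo"
# After "mount / -o remount" on a real host:  mount | mount_has_option / acl
printf '%s\n' '/dev/md0 on / type ext3 (rw,errors=remount-ro,acl)' | mount_has_option / acl \
    && echo "acl active on /"
rm -f "$demo"
```

On the server the calls are `add_fstab_option /etc/fstab / acl`, then `mount / -o remount`, then `mount | mount_has_option / acl || echo "acl not active"`; a remount cannot add acl if the kernel or filesystem driver does not support it, which is exactly what the last check catches.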

Basic Configuration

Set the following parameters:

export DOMAIN_NAME=GSSPA
export SERVER_NAME=GSSERVER
export LAN_IF=eth0

Replace /etc/samba/smb.conf with the following configuration (the original is kept as smb.conf.ori; the heredoc is unquoted so that the variables set above are expanded):

cd /etc/samba
mv smb.conf smb.conf.ori
cat > smb.conf <<EOFile
[global]
        # user and group management
        add group script = /usr/sbin/groupadd %g
        delete group script = /usr/bin/net groupmap delete ntgroup="%g" ; /usr/sbin/groupdel "%g"
        add user to group script = /usr/bin/gpasswd -a %u %g
        delete user from group script = /usr/bin/gpasswd -d %u %g
        #
        add user script = /usr/sbin/useradd -m %u; mkdir -p /files/homes/%u; chown %u: /files/homes/%u; chmod go-w /files/homes/%u
        delete user script = /usr/sbin/userdel -r %u
        add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null %u
        username map = /etc/samba/user.map
        #
        passdb backend = tdbsam
        unix password sync = yes
        passwd program = /usr/bin/passwd %u
        passwd chat = "*Enter new UNIX password*" %n\n "*Retype new UNIX password*" %n\n "*password updated successfully*" .

        # Network role parameters
        netbios name = $SERVER_NAME
        workgroup = $DOMAIN_NAME
        server string = "Server $DOMAIN_NAME"
        domain master = yes
        domain logons = yes
        wins support = yes
        security = user
        local master = yes
        os level = 99
        time server = yes
        encrypt passwords = true
        # backslashes are doubled below because the heredoc is unquoted
        # (so that SERVER_NAME, DOMAIN_NAME and LAN_IF expand): the shell
        # halves them when writing this file
        logon home = \\\\%L\\%U
        logon script = user.cmd
        logon path = \\\\%L\\Profiles\\%U
        logon drive = P:

        # Administrator users
        admin users = administrator
        printer admin = administrator

        # Logging settings
        syslog = 0
        syslog only = no
        log file = /var/log/samba/smbd
        #log level = 3
        #debug timestamp = yes

        # Network binding
        interfaces = $LAN_IF
        bind interfaces only = Yes

        # Printing
        printing = cups
        printcap name = cups
        load printers = yes

[printers]
        comment = All Printers
        path = /tmp
        printer admin = administrator
        guest ok = yes
        printable = yes
        browseable = no

[print$]
        comment = Printer Drivers Share
        path = /var/lib/samba/printers
        public = yes
        guest ok = yes
        browseable = yes
        read only = yes
        write list = administrator

[homes]
        comment = Home Directories
        valid users = %S
        read only = no
        browseable = no
        path = /files/homes/%S

[homes$]
        comment = Home Directories
        admin users = root, administrator, @domainadmins
        read only = no
        browseable = no
        path = /files/homes

[netlogon]
        comment = Domain Logon Service
        path = /files/netlogon
        admin users = administrator, @domainadmins
        write list = administrator, @domainadmins
        guest ok = yes
        browsable = no

[Profiles]
        comment = Roaming Profile Share
        path = /files/profiles
        read only = No
        profile acls = Yes

[Dati]
        writeable = yes
        path = /files/dati
        admin users = root, administrator, @domainadmins
        inherit permissions = yes
        inherit acls = yes

[Install]
        writeable = yes
        create mode = 775
        path = /files/install
        directory mode = 775
EOFile
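Before restarting Samba it is worth checking what the generated smb.conf actually grants. The real validator is testparm -s, which loads the file the way smbd does and reports parse errors; the script below is an added example, not from the wiki page or from Samba, that reads the file directly so the check can also run where Samba is not installed. smbconf_get looks up a parameter in a section the way Samba does (names compared case-insensitively and ignoring whitespace, last occurrence wins), smbconf_guest_shares lists the shares that allow guest access through guest ok or its synonym public, and smbconf_admin_shares lists every section that sets admin users (in the configuration above the global setting makes administrator act as root on every share). The configuration excerpt at the end is constructed; section names are assumed to contain no spaces.

```shell
#!/bin/sh
# Added example (not from the RVM wiki page or from Samba): read an smb.conf
# directly and report what it grants. Section names are assumed to contain
# no spaces. Use "testparm -s" as well where Samba is installed: it loads
# the file exactly as smbd does and reports parse errors.

# smbconf_sections FILE: print every [section] name, one per line.
smbconf_sections() {
    sed -n 's/^[[:space:]]*\[\([^]]*\)\].*/\1/p' "$1"
}

# smbconf_get FILE SECTION PARAM: print the value of PARAM in SECTION.
# Parameter names are compared the way Samba does (case-insensitively,
# ignoring whitespace), the last occurrence wins, and nothing is printed
# when the parameter is not set in that section.
smbconf_get() {
    awk -v sect="$2" -v want="$3" '
        function norm(s) { gsub(/[ \t]/, "", s); return tolower(s) }
        BEGIN { want = norm(want) }
        /^[ \t]*[#;]/ { next }                                  # comment line
        /^[ \t]*\[/ {                                           # [section] header
            cur = $0; sub(/^[ \t]*\[/, "", cur); sub(/\].*/, "", cur); next
        }
        cur == sect && index($0, "=") {
            eq = index($0, "=")
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            if (norm(key) == want) {
                sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
                value = val; found = 1
            }
        }
        END { if (found) print value }
    ' "$1"
}

# smbconf_guest_shares FILE: list the shares that allow unauthenticated
# access, via "guest ok = yes" or its synonym "public = yes".
smbconf_guest_shares() {
    smbconf_sections "$1" | while IFS= read -r s; do
        [ "$s" = global ] && continue
        g=$(smbconf_get "$1" "$s" "guest ok")
        [ -n "$g" ] || g=$(smbconf_get "$1" "$s" public)
        case $(printf '%s' "$g" | tr 'A-Z' 'a-z') in
            yes|true|1) echo "$s" ;;
        esac
    done
}

# smbconf_admin_shares FILE: list every section that sets "admin users".
# A value in [global] is the default for all shares, so those users act as
# root on every share that does not override it.
smbconf_admin_shares() {
    smbconf_sections "$1" | while IFS= read -r s; do
        a=$(smbconf_get "$1" "$s" "admin users")
        if [ -n "$a" ]; then echo "$s: $a"; fi
    done
}

# Demonstration on a constructed excerpt of the configuration above.
demo=$(mktemp)
cat > "$demo" <<'EOF'
[global]
        Server String = "Server DEMO"
        admin users = administrator
        security = user
[printers]
        path = /tmp
        guest ok = yes
[print$]
        public = yes
        read only = yes
[homes]
        read only = no
[Dati]
        admin users = root, administrator, @domainadmins
EOF
echo "security = $(smbconf_get "$demo" global security)"
echo "guest shares:"; smbconf_guest_shares "$demo"
echo "admin users:";  smbconf_admin_shares "$demo"
rm -f "$demo"
# On the server:  smbconf_guest_shares /etc/samba/smb.conf
```

Run against the file written above, smbconf_guest_shares reports printers, print$ and netlogon, and smbconf_admin_shares reports global, homes$, netlogon and Dati; if that list differs from what was intended, the configuration is worth a second look before the restart.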

Creating the share directories

mkdir -p /files/install /files/dati /files/profiles /files/netlogon /files/homes

Set the permissions on the Profiles directory:

cd /files/profiles/
chown :users .
chmod g+w .


Restart Samba:

/etc/init.d/samba stop; /etc/init.d/samba start

Creating the users

adduser administrator
smbpasswd -a administrator

Assign it to the root group:

usermod -G root administrator

Cleaning up users

Remove the unneeded Samba accounts.

WARNING: DO NOT REMOVE THEM IN ANY OTHER WAY, BECAUSE THE UNIX ACCOUNTS WOULD BE REMOVED AS WELL!!

smbpasswd -x backup
smbpasswd -x bin
smbpasswd -x daemon
smbpasswd -x Debian-exim
smbpasswd -x games
smbpasswd -x gnats
smbpasswd -x irc
smbpasswd -x list
smbpasswd -x lp
smbpasswd -x mail
smbpasswd -x man
smbpasswd -x news
smbpasswd -x nobody
smbpasswd -x postfix
smbpasswd -x proxy
smbpasswd -x root
smbpasswd -x sshd
smbpasswd -x sync
smbpasswd -x sys
smbpasswd -x uucp
smbpasswd -x www-data
smbpasswd -x aptproxy
smbpasswd -x postgres
smbpasswd -x mnt.vvngrl

Group Mapping

Make sure the mappings are empty:

net groupmap list
System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Domain Admins (S-1-5-21-3888806968-3546501424-3282427636-512) -> -1
Domain Guests (S-1-5-21-3888806968-3546501424-3282427636-514) -> -1
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> -1
Account Operators (S-1-5-32-548) -> -1
Domain Users (S-1-5-21-3888806968-3546501424-3282427636-513) -> -1
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1

If they are not:

/etc/init.d/samba stop
rm /var/lib/samba/group_mapping.tdb
/etc/init.d/samba start

Create the mappings:

net groupmap modify ntgroup="Domain Admins" unixgroup=root
net groupmap modify ntgroup="Domain Users"  unixgroup=users
net groupmap modify ntgroup="Domain Guests" unixgroup=nogroup

Verify:

net groupmap list
System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Domain Admins (S-1-5-21-3888806968-3546501424-3282427636-512) -> root
Domain Guests (S-1-5-21-3888806968-3546501424-3282427636-514) -> nogroup
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> -1
Account Operators (S-1-5-32-548) -> -1
Domain Users (S-1-5-21-3888806968-3546501424-3282427636-513) -> users
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1
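The two net groupmap list outputs above are compared by eye. The following is an added example, not from the page or from Samba: groupmap_parse turns net groupmap list output into tab-separated name, SID and unix group (with -1 for unmapped entries), groupmap_mapped lists the entries that already have a mapping (it should print nothing at the "make sure the mappings are empty" step), and groupmap_require fails if any of the named Windows groups is missing or still unmapped. The sample listing in the script is the one shown on this page, embedded so the script runs offline; on the server you would pipe net groupmap list into these functions.

```shell
#!/bin/sh
# Added example (not from the RVM wiki page or from Samba): parse the output
# of "net groupmap list" so the mapping state can be checked by a script
# rather than by eye. The sample listing below is the one shown on this page,
# embedded so the script runs offline; on the server, pipe "net groupmap list"
# into these functions instead.

# groupmap_parse  < net-groupmap-output
# Turn lines such as
#   Domain Admins (S-1-5-21-...-512) -> root
# into "name<TAB>SID<TAB>unixgroup"; unixgroup is "-1" for unmapped entries.
groupmap_parse() {
    awk -F' -> ' 'NF == 2 {
        name = $1; sid = $1
        sub(/ \(S-[0-9-]+\)$/, "", name)              # strip " (SID)" from the name
        sub(/^.* \(/, "", sid); sub(/\)$/, "", sid)   # keep only the SID
        printf "%s\t%s\t%s\n", name, sid, $2
    }'
}

# groupmap_mapped  < net-groupmap-output
# Print the Windows groups that already map to a unix group. Empty output
# means the mapping table is clean, the state expected before mapping.
groupmap_mapped() {
    groupmap_parse | awk -F'\t' '$3 != "-1" { print $1 }'
}

# groupmap_require GROUP...  < net-groupmap-output
# Succeed only if every named Windows group maps to a unix group; each group
# that is missing or still -1 is reported on stderr.
groupmap_require() {
    parsed=$(groupmap_parse)
    rc=0
    for g in "$@"; do
        target=$(printf '%s\n' "$parsed" | awk -F'\t' -v g="$g" '$1 == g { print $3 }')
        case ${target:-missing} in
            -1|missing) echo "not mapped: $g" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample: the listing on this page after the three mappings.
SAMPLE_AFTER='System Operators (S-1-5-32-549) -> -1
Domain Admins (S-1-5-21-3888806968-3546501424-3282427636-512) -> root
Domain Guests (S-1-5-21-3888806968-3546501424-3282427636-514) -> nogroup
Domain Users (S-1-5-21-3888806968-3546501424-3282427636-513) -> users
Users (S-1-5-32-545) -> -1'

echo "mapped groups:"
printf '%s\n' "$SAMPLE_AFTER" | groupmap_mapped
if printf '%s\n' "$SAMPLE_AFTER" | groupmap_require "Domain Admins" "Domain Users" "Domain Guests"; then
    echo "required domain groups are mapped"
fi
# On the server:  net groupmap list | groupmap_require "Domain Admins" "Domain Users" "Domain Guests"
```

The SID suffixes 512, 513 and 514 (Domain Admins, Domain Users, Domain Guests) are the well-known RIDs, so the same check works on any domain SID; the domain SID in the sample is the one printed on this page.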

Checking Users

Check that the only configured user is Administrator:

pdbedit -L

administrator:1012:Administrator GSSS,,,

Creating the home directories

After creating the users with User Manager, the corresponding home directories can be created with this script:

cat > /tmp/mkhomes <<'EOFile'
#!/bin/bash
#set -x
# Create a home directory for every user in the Samba passdb, skipping
# machine accounts (names ending in "$"), and hand it to its owner.
for NAME in $(pdbedit -L | grep -v '\$' | cut -d ':' -f 1 | sort)
do
        echo "making /files/homes/$NAME"
        mkdir -p "/files/homes/$NAME"
        chown "$NAME": "/files/homes/$NAME"
done
EOFile

chmod 755 /tmp/mkhomes
sudo /tmp/mkhomes
rm -f /tmp/mkhomes