1. Install the packages and start the service
Switch to root first.
yum install -y openldap-servers openldap-clients
Copy the database configuration template:
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
Give it the right ownership:
chown ldap. /var/lib/ldap/DB_CONFIG
Start slapd and enable it at boot:
systemctl start slapd && systemctl enable slapd
2. Set the administrator password
Generate a password hash with slappasswd (the password used here is 123456):
slappasswd -s 123456
Output of the form {SSHA}xxxx means it worked. Save the value:
{SSHA}YckOfCtL/KAOaItw5KfyK5gy8w4cOZfk
Import it into the LDAP configuration as the administrator password using an LDIF (LDAP Data Interchange Format) file.
Create (open) a file named chrootpw.ldif in a text editor and fill in:
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}YckOfCtL/KAOaItw5KfyK5gy8w4cOZfk
Import the file:
ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif
The following output means it succeeded:
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"
3. Import the schemas
We need to import some basic schemas into LDAP. The schema files live in /etc/openldap/schema/ and define which attributes the entries we create later may use.
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/core.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
cp /usr/share/doc/samba-4.10.16/LDAP/samba.ldif /etc/openldap/schema/
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/samba.ldif
4. Configure the base domain
We need to configure the LDAP base domain (dc=chinaskills,dc=cn in this example) and its administrator DN.
Create (open) a file named chdomain.ldif in a text editor and fill in the following (in LDIF, entries are separated by a blank line and a line that begins with a space continues the previous attribute value):
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
  read by dn.base="cn=ldsgp,dc=chinaskills,dc=cn" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=chinaskills,dc=cn

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=ldsgp,dc=chinaskills,dc=cn

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}YckOfCtL/KAOaItw5KfyK5gy8w4cOZfk

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
  dn="cn=ldsgp,dc=chinaskills,dc=cn" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=ldsgp,dc=chinaskills,dc=cn" write by * read
Import the file:
ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif
5. Create the organization
On top of the above, we create an organization called CSK and, under it, a group named ldsgp.
Create (open) a file named basedomain.ldif in a text editor and fill in:
dn: dc=chinaskills,dc=cn
objectClass: top
objectClass: dcObject
objectClass: organization
o: skills
dc: chinaskills

dn: cn=ldsgp,dc=chinaskills,dc=cn
objectClass: organizationalRole
cn: ldsgp

dn: ou=users,dc=chinaskills,dc=cn
objectClass: organizationalUnit
ou: users
Run the following and enter the administrator password when prompted:
ldapadd -x -D cn=ldsgp,dc=chinaskills,dc=cn -W -f basedomain.ldif
With all the steps above we have set up an LDAP directory tree: the base DN dc=chinaskills,dc=cn is the root of the tree, and under it sit the administrator DN cn=ldsgp,dc=chinaskills,dc=cn and two organizational units, ou=users,dc=chinaskills,dc=cn.
Next, we create the employee accounts and assign them to the ldsgp group.
Create (open) a file named user.ldif in a text editor and fill in (one entry per user, separated by blank lines):
dn: uid=zsuser,ou=users,dc=chinaskills,dc=cn
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: zsuser
cn: zsuser
sn: zsuser
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/users/ada
userPassword: {SSHA}YckOfCtL/KAOaItw5KfyK5gy8w4cOZfk

dn: uid=lsusr,ou=users,dc=chinaskills,dc=cn
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: lsusr
cn: lsusr
sn: lsusr
uidNumber: 1001
gidNumber: 1000
homeDirectory: /home/users/ada
userPassword: {SSHA}YckOfCtL/KAOaItw5KfyK5gy8w4cOZfk

dn: uid=wuusr,ou=users,dc=chinaskills,dc=cn
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: wuusr
cn: wuusr
sn: wuusr
uidNumber: 1002
gidNumber: 1000
homeDirectory: /home/users/ada
userPassword: {SSHA}YckOfCtL/KAOaItw5KfyK5gy8w4cOZfk
Run the following and enter the administrator password when prompted:
ldapadd -x -D cn=ldsgp,dc=chinaskills,dc=cn -W -f user.ldif
That completes the LDAP setup on CentOS 7.
6. Verify
Running ldapsearch -x -b "dc=chinaskills,dc=cn" | grep "dn: dc" should print:
dn: dc=chinaskills,dc=cn
Running ldapsearch -x -b "dc=chinaskills,dc=cn" | grep "dn: uid" should print:
dn: uid=zsuser,ou=users,dc=chinaskills,dc=cn
dn: uid=lsusr,ou=users,dc=chinaskills,dc=cn
dn: uid=wuusr,ou=users,dc=chinaskills,dc=cn
Running ldapsearch -x -b "dc=chinaskills,dc=cn" | grep "dn: cn" should print:
dn: cn=ldsgp,dc=chinaskills,dc=cn
Samba
1. Install the packages
Switch to root first.
yum install -y samba
Create the shared directories:
mkdir -p /data/share1
mkdir -p /data/public
2. Configure Samba
Edit the Samba configuration file /etc/samba/smb.conf:
[global]
workgroup = SAMBA
security = user
passdb backend = ldapsam:ldap://127.0.0.1
ldap suffix = "dc=chinaskills,dc=cn"
ldap user suffix = "ou=users,dc=chinaskills,dc=cn"
ldap group suffix = "ou=users,dc=chinaskills,dc=cn"
ldap admin dn = "cn=ldsgp,dc=chinaskills,dc=cn"
ldap ssl = no
ldap passwd sync = yes
printing = cups
printcap name = cups
load printers = yes
cups options = raw
map to guest = bad user
[share1]
comment = share1
public = no
path = /data/share1
browseable = yes
writable = no
write list = zsuser
directory mask = 0775
create mask = 0775
[public]
comment = public
path = /data/public
public = yes
browseable = yes
writable = yes
create mask = 0777
directory mask = 0777
available = yes
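As an added example (not part of the original page), the following Python audits the share stanzas above offline. Samba treats writable = no (the same as read only = yes) as read-only except for the users in write list, writable = yes as writable by everyone except the read list, and public = yes (the same as guest ok) as open to unauthenticated guests; together with map to guest = bad user, [public] is therefore writable by anonymous clients, which the smbclient -U anonymous test later on this page confirms. The script also accepts the synonym spellings, so it goes slightly beyond this page's own config; SMB_CONF is a constructed copy of the relevant stanzas.

```python
import configparser

# Constructed sample: the share stanzas from this page's smb.conf, embedded so the audit runs offline.
SMB_CONF = """\
[global]
workgroup = SAMBA
security = user
map to guest = bad user
[share1]
comment = share1
public = no
path = /data/share1
writable = no
write list = zsuser
[public]
comment = public
path = /data/public
public = yes
writable = yes
"""


def _yes(value):
    return str(value).strip().lower() in ("yes", "true", "1")


def _names(value):
    return [n for n in value.replace(",", " ").split() if n]


def audit_shares(conf_text):
    """Per share, work out who may write and whether guests are admitted."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    report = {}
    for share in cp.sections():
        if share.lower() in ("global", "printers", "print$"):
            continue
        s = cp[share]
        if "read only" in s:            # 'read only' is the inverse of 'writable'
            everyone_writes = not _yes(s["read only"])
        else:                           # 'writeable' is an accepted alternate spelling
            everyone_writes = _yes(s.get("writable", s.get("writeable", "no")))
        guest_ok = _yes(s.get("public", s.get("guest ok", "no")))
        report[share] = {
            "guest_ok": guest_ok,
            "writers": "all" if everyone_writes else _names(s.get("write list", "")),
            "read_only_users": _names(s.get("read list", "")),
            "guest_writable": guest_ok and everyone_writes,
        }
    return report


def findings(report):
    """Names of shares an unauthenticated client could write to."""
    return sorted(name for name, r in report.items() if r["guest_writable"])
```

Run it against the real file with audit_shares(open("/etc/samba/smb.conf").read()); note that this parser does not follow include = lines or expand % macros, so it only sees what is literally in the file it is given.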
Set the SELinux context on the directories:
chcon -R -t samba_share_t /data/share1
chcon -R -t samba_share_t /data/public
3. Add users
pdbedit -a zsuser
Output similar to the following means it succeeded:
new password:
retype new password:
Unix username: zsuser
NT username: zsuser
Account Flags: [U ]
User SID: S-1-5-21-1084187001-2900319065-1036824098-1001
Primary Group SID: S-1-5-21-1084187001-2900319065-1036824098-513
Full Name: zsuser
Home Directory: \\strongsrv\zsuser
HomeDir Drive:
Logon Script:
Profile Path: \\strongsrv\zsuser\profile
Domain: STRONGSRV
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: never
Kickoff time: never
Password last set: Tue, 01 Nov 2022 09:08:08 CST
Password can change: Tue, 01 Nov 2022 09:08:08 CST
Password must change: never
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
Add the users lsusr and wuusr the same way.
Finally, restart Samba:
systemctl restart smb
4. Verify
4.1 Verify the users
Run pdbedit --list; the following output is correct:
zsuser:1001:zsuser
lsusr:1002:lsusr
wuusr:1003:wuusr
4.2 Verify the permissions
Install samba-client on another Linux machine in the LAN and start verifying:
Run smbclient -L=192.168.100.200 -U zsuser and enter the password; the result is:
Enter SAMBA\zsuser's password:
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
share1 Disk share1
public Disk public
IPC$ IPC IPC Service (Samba 4.10.16)
zsuser Disk Home Directories
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
SAMBA STRONGSRV
The Sharename column lists share1 and public.
Run smbclient //192.168.100.200/share1 -U zsuser, enter the password, run ls, then upload test.txt:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Tue Nov 1 09:10:17 2022
.. D 0 Mon Oct 31 23:32:00 2022
17811456 blocks of size 1024. 16022056 blocks available
smb: \> put test.txt
putting file test.txt as \test.txt (0.0 kb/s) (average 0.0 kb/s)
smb: \> ls
. D 0 Tue Nov 1 09:17:23 2022
.. D 0 Mon Oct 31 23:32:00 2022
test.txt A 0 Tue Nov 1 09:17:23 2022
17811456 blocks of size 1024. 16022056 blocks available
Run smbclient //192.168.100.200/share1 -U wuusr, enter the password, run ls, then try to upload test.txt (wuusr is not in the write list, so the upload is denied):
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Tue Nov 1 09:19:29 2022
.. D 0 Mon Oct 31 23:32:00 2022
17811456 blocks of size 1024. 16022056 blocks available
smb: \> put test.txt
NT_STATUS_ACCESS_DENIED opening remote file \test.txt
smb: \> ls
. D 0 Tue Nov 1 09:19:29 2022
.. D 0 Mon Oct 31 23:32:00 2022
17811456 blocks of size 1024. 16022056 blocks available
Run smbclient //192.168.100.200/public -U anonymous, press Enter at the password prompt, run ls, then upload test.txt:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Tue Nov 1 09:10:23 2022
.. D 0 Mon Oct 31 23:32:00 2022
17811456 blocks of size 1024. 16022056 blocks available
smb: \> put test.txt
putting file test.txt as \test.txt (0.0 kb/s) (average 0.0 kb/s)
smb: \> ls
. D 0 Tue Nov 1 09:21:56 2022
.. D 0 Mon Oct 31 23:32:00 2022
test.txt A 0 Tue Nov 1 09:21:56 2022
17811456 blocks of size 1024. 16022056 blocks available
yjj
Hi, the samba client reports an error: tree connect failed: NT_STATUS_ACCESS_DENIED