Samba project

System installation

Client OS used: SLES 10 SP3
RAM: 768 MB

Server OS used: Windows Server 2008 R2 Datacenter
RAM: 2048 MB

Preparation

  • Language: English (US)
  • Mode: New Installation
  • Time Zone: Europe - Germany

Installation

  • Keyboard Layout: German
  • Partitioning layout used for 20 GB of disk:
Partition  File system  Mount point  Volume label  Size
1          Ext3         /boot        boot          200 MB
2          Ext3         /            root          18.3 GB
3          Swap         swap         swap          RAM*2 = 1.5 GB
  • Create Custom Partition Setup
    • Custom Partitioning
      • Create
        • Primary Partition
          • Format: Ext3
          • End: +200M
          • Mount Point: /boot
          • Fstab Options
            • Volume Label: boot
      • Create
        • Primary Partition
          • Format: Ext3
          • End: +18.3GB
          • Mount Point: /
          • Fstab Options
            • Volume Label: root
      • Create
        • Primary Partition
          • Format: Swap
          • Mount Point: swap
          • Fstab Options
            • Volume Label: swap
      • Finish
    • Software (- = deselect, + = select)
      • - Novell AppArmor (deselecting it also drops the shipped profiles that confine several network daemons)
      • - GNOME Desktop Environment for Server
      • (+ KDE Desktop Environment for Server)
      • (- X Window System)
      • + File Server
      • + Web and LAMP Server
      • + C/C++ Compiler and Tools
      • Accept
    • Default Runlevel: 3: Full multiuser with network
    • Accept
    • Install
    • Set the password for the root user
    • Set the hostname: sles-smb
    • Enter the domain if one already exists
    • Deselect: Change Hostname via DHCP
    • Disable the firewall (a lab shortcut; on a production member server keep the firewall and open only the Samba and SSH ports that are needed)
    • Edit the network settings
      • Edit
        • Set the IP address
        • Set the subnet mask
        • Set name server 1 (this must be the AD DNS server, otherwise the domain's SRV records cannot be resolved and the join fails)
        • Set the default gateway (if needed)
    • Set Novell Customer Center to Configure Later
    • If an LDAP server is available, choose LDAP as the user authentication method.
    • Deactivate Clone This System for Autoyast
    • After the reboot, install the packages openldap-client, krb5-client, nss_ldap, pam_ldap and pam_krb5


Install the services on the Windows server

  • Active Directory Domain Services
  • Active Directory Lightweight Directory Services (a separate LDAP directory instance; nothing in this guide uses it, AD DS plus DNS is sufficient)
  • DNS Server


Join the SLES machine to the domain

YaST → Network Services → Windows Domain Membership

  • Enter the domain including its TLD
  • Select Also Use SMB Information for Linux Authentication
  • Click Finish and enter the credentials of a domain administrator (an account delegated the right to create computer objects in the target OU is enough; a Domain Admin password is not required here)
  • Reboot → done

All Windows AD users can now log in to the SLES system (net ads testjoin and wbinfo -t confirm that the machine account and the trust work). At this point, however, no permissions are carried over: the accounts still have no POSIX attributes (UID, GID, home directory, shell) from AD, which is what the LDAP steps below provide.


Check the FQDN

Can both machines ping each other by FQDN?

  • If not, find out why and, if necessary, create an A (or AAAA) record for the SLES machine in the DNS server, together with the matching PTR record: MIT Kerberos by default canonicalises a host name through reverse DNS when it builds the host/ principal, and a wrong PTR yields a principal that matches no keytab entry.
  • Check that the hostname in /etc/HOSTNAME is correct (the FQDN, not just the short name)
  • Check that the domain search parameter in YaST for the network card in use is correct.


Configure AD for anonymous access

Run adsiedit.msc.

  • Action → Connect to… → Connection Point → Select a well known Naming Context → Configuration → OK
  • Expand Configuration… → CN=Configuration… → CN=Services → CN=Windows NT → CN=Directory Service, right-click it and choose Properties
  • Set the attribute dSHeuristics to 0000002 (six zeros followed by a 2; the seventh character is fLDAPBlockAnonOps) and save.

This change is forest-wide and lets every host that can reach port 389 on a DC read the directory without credentials; it is done here only because nss_ldap below binds anonymously. The DC still enforces its ACLs, so ANONYMOUS LOGON must additionally be granted Read and List Contents on the OU that holds the Linux accounts, and nothing outside that OU should be opened up. Where possible prefer a dedicated low-privilege bind account (binddn/bindpw, bearing in mind that nss_ldap needs /etc/ldap.conf readable by every local user, or rootbinddn with /etc/ldap.secret for root-only lookups) or a SASL/GSSAPI bind with the host keytab, and leave dSHeuristics untouched. Whatever is chosen, verify from the SLES machine with an anonymous ldapsearch against the OU before touching nsswitch.conf.


User and group configuration

Open Active Directory Users and Computers and create a new OU under the domain.

  • Enable Advanced Features under View
  • Create a user in this new OU
  • Right-click the user and choose Properties
  • Switch to the Attribute Editor and set the following attributes:
    • gidNumber: group ID of a group created either on the Linux or the Windows side (an AD group needs its own gidNumber attribute set, otherwise nss_ldap cannot resolve it and id shows a bare number)
    • unixHomeDirectory: path to the Unix home directory (/home/user1)
    • loginShell: a valid login shell must be given here, e.g. /bin/bash
    • uidNumber: a unique ID for the clients, ideally ascending from 1000 or 10000; it must not collide with local accounts in /etc/passwd or with the range used on other hosts, because file ownership is stored by number
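Setting these attributes from the SLES side for more than a handful of users, as an added example that is not part of the original page: the script generates the LDIF for a user and its group, picks a free uidNumber from what getent passwd already reports (local files and LDAP alike), and checks the login shell against /etc/shells. The DN, OU, user, group and DC names in the usage comment are assumptions, as is an ldapmodify from the OpenLDAP client tools with the GSSAPI SASL mechanism installed.

```shell
#!/bin/sh
# Give an existing AD user the RFC 2307 attributes nss_ldap needs, from the
# Linux side instead of the Attribute Editor. Added example; the names used
# in comments (demo.test, OU=linux, user1, linuxusers, dc1) are assumptions.

# Smallest UID >= FLOOR that is absent from passwd-format lines on stdin.
# Feed it `getent passwd` so local and LDAP accounts are both considered.
next_free_uid() {
    awk -F: -v floor="$1" '$3 >= floor { used[$3] = 1 }
        END { u = floor; while (u in used) u++; print u }'
}

# Exit 0 if SHELL is listed in the shells file (default /etc/shells); a
# loginShell missing there is refused by login/sshd on most systems.
valid_shell() {
    grep -qx "$1" "${2:-/etc/shells}"
}

# LDIF that sets (or overwrites) the four attributes on USER_DN.
# posix_ldif 'CN=user1,OU=linux,DC=demo,DC=test' user1 10001 10000 /bin/bash
posix_ldif() {
    dn=$1; login=$2; uid=$3; gid=$4; shell=${5:-/bin/bash}
    cat <<EOF
dn: $dn
changetype: modify
replace: uidNumber
uidNumber: $uid
-
replace: gidNumber
gidNumber: $gid
-
replace: loginShell
loginShell: $shell
-
replace: unixHomeDirectory
unixHomeDirectory: /home/$login
-
EOF
}

# The group object needs a gidNumber too, or the user's primary group has no name.
# group_ldif 'CN=linuxusers,OU=linux,DC=demo,DC=test' 10000
group_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: gidNumber\ngidNumber: %s\n-\n' "$1" "$2"
}

# Live use (assumed names): authenticate with Kerberos so the bind is
# signed rather than a cleartext simple bind, then apply both LDIFs.
#   kinit Administrator@DEMO.TEST
#   uid=$(getent passwd | next_free_uid 10000)
#   { group_ldif 'CN=linuxusers,OU=linux,DC=demo,DC=test' 10000
#     posix_ldif  'CN=user1,OU=linux,DC=demo,DC=test' user1 "$uid" 10000; } \
#       | ldapmodify -H ldap://dc1.demo.test -Y GSSAPI
```

After the modification, getent passwd user1 on the SLES box must return the new values; if it still returns nothing, the nss_ldap mapping or the anonymous read ACL on the OU is the problem, not the attributes.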


Create the keytab

First create a DUMMY computer account in AD; the command below references it. The computer object that is created when the Linux machine joins the Windows domain might be used instead (not tested). Do not do that with the -pass form shown here: ktpass sets the account password it is given, so pointing it at the joined computer object resets the machine password that Samba stored in secrets.tdb during the join and breaks the membership. On a joined host, a Samba version that supports it can export the existing machine key with net ads keytab create instead.

ktpass -princ host/sles.demo.test@DEMO.TEST -mapuser demo\testclient$ -pass geheim -ptype KRB5_NT_PRINCIPAL -out testclient.keytab
 
ktpass -princ host/<FQDN of the Linux system>@<domain FQDN in uppercase> -mapuser <domain>\<DUMMY client>$ -pass <DUMMY password> -ptype KRB5_NT_PRINCIPAL -out <file name>.keytab

Three details matter here. The host part of the principal must be the Linux machine's real FQDN as printed by hostname -f (with the hostname chosen above that is sles-smb.demo.test, not sles.demo.test), and the service name is lowercase host/: MIT Kerberos on the SLES side compares principal names case-sensitively, so an entry written as HOST/ is never found by sshd or pam_krb5. Replace -pass <password> with +rndpass so the dummy account gets a random password that exists only inside the keytab. Every ktpass run with a password resets the account and increments its key version number (kvno), after which an older copy of the keytab stops working; use -crypto to choose an encryption type the SLES 10 krb5 client also supports.

Copy this keytab to the Linux system over an encrypted channel (scp). It contains the host's long-term key, so it is stored root-owned with mode 0600. It is used later.
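Installing and checking the keytab on the SLES side, as an added example that is not part of the original page: it assumes the keytab was created for host/<FQDN>@<REALM> as above and copied to the machine, and that krb5-client provides klist, kinit and kdestroy. The first four functions work on text alone and need no KDC; install_keytab is the live step.

```shell
#!/bin/sh
# Install a keytab produced by ktpass on the Windows side and prove it works.
# Added example; assumes the krb5-client tools (klist, kinit, kdestroy).

# Build the host principal. MIT krb5 compares principal names case-sensitively,
# so "host/" is lowercase and the realm is uppercase.
# host_principal sles-smb.demo.test demo.test -> host/sles-smb.demo.test@DEMO.TEST
host_principal() {
    realm=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    printf 'host/%s@%s\n' "$1" "$realm"
}

# Unique principals in a `klist -kt` listing read on stdin. Data lines look like
# "   3 01/01/70 01:00:00 host/sles-smb.demo.test@DEMO.TEST"; header lines do
# not start with a number and are skipped.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ && NF >= 4 { print $4 }' | sort -u
}

# Highest key version number in the listing on stdin. Each ktpass run with a
# password bumps the KVNO on the DC, so a keytab whose KVNO is lower than the
# KDC's is stale and kinit -kt fails against it.
keytab_max_kvno() {
    awk '$1 ~ /^[0-9]+$/ && NF >= 4 && ($1 + 0) > m { m = $1 + 0 } END { print m + 0 }'
}

# Exit 0 when the listing on stdin contains PRINCIPAL exactly.
keytab_has_principal() {
    keytab_principals | grep -qx "$1"
}

# Live step: put the keytab in place readable by root only, then obtain a
# ticket with it. install_keytab /root/testclient.keytab sles-smb.demo.test demo.test
install_keytab() {
    princ=$(host_principal "$2" "$3")
    install -o root -g root -m 0600 "$1" /etc/krb5.keytab || return 1
    if ! klist -kt /etc/krb5.keytab | keytab_has_principal "$princ"; then
        echo "/etc/krb5.keytab has no entry for $princ" >&2
        return 1
    fi
    # kinit with the keytab proves that key and KVNO match what the KDC holds;
    # pam_krb5 needs exactly this key to validate TGTs against a spoofed KDC.
    kinit -kt /etc/krb5.keytab "$princ" || return 1
    klist
    kdestroy
}

if [ "$1" = --install ]; then
    install_keytab "$2" "$3" "$4"
fi
```

If kinit reports a preauthentication or integrity failure while klist -kt shows the expected principal, the account password was reset after the keytab was exported (compare the KVNO) or the encryption type chosen with -crypto is not supported by the client; re-export the keytab rather than editing it.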


Name resolution on Linux

For this, the file /etc/nsswitch.conf has to be edited. It controls which sources are consulted for each database and in which order. Here is the default file:

#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
#       compat                  Use compatibility setup
#       nisplus                 Use NIS+ (NIS version 3)
#       nis                     Use NIS (NIS version 2), also called YP
#       dns                     Use DNS (Domain Name Service)
#       files                   Use the local files
#       [NOTFOUND=return]       Stop searching if not found so far
#
# For more information, please read the nsswitch.conf.5 manual page.
#

# passwd: files nis
# shadow: files nis
# group:  files nis

passwd:	compat
group:	compat

hosts:	files dns
networks:	files dns

services:	files
protocols:	files
rpc:	files
ethers:	files
netmasks:	files
netgroup:	files nis
publickey:	files

bootparams:	files
automount:	files nis
aliases:	files

And this is how it should be changed (files stays in front of ldap so that local accounts, root above all, still resolve when the DC is unreachable; together with bind_policy soft in ldap.conf this keeps the machine usable during a DC outage):

[...]

passwd:	files ldap
group:	files ldap

[...]

Configure the LDAP client

The LDAP client must be configured as well. The relevant configuration file is /etc/ldap.conf, which looks like this by default:

#
# This is the configuration file for the LDAP nameservice
# switch library, the LDAP PAM module and the shadow package.
#

# Your LDAP server. Must be resolvable without using LDAP.
host 127.0.0.1

# The distinguished name of the search base.
base dc=example,dc=com

# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3

# Don't try forever if the LDAP server is not reacheable
bind_policy soft

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=Manager,dc=example,dc=com

# The credentials to bind with. 
# Optional: default is no credential.
#bindpw secret

# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
#rootbinddn cn=Manager,dc=example,dc=com

# The port.
# Optional: default is 389.
#port 389

# The search scope.
#scope sub
#scope one
#scope base

# Search timelimit
#timelimit 30

# Bind timelimit
#bind_timelimit 30

# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#idle_timelimit 3600

# Filter to AND with uid=%s
#pam_filter objectclass=account

# The user ID attribute (defaults to uid)
#pam_login_attribute uid

# Search the root DSE for the password policy (works
# with Netscape Directory Server). And make use of
# Password Policy LDAP Control (as in OpenLDAP)
pam_lookup_policy yes

# Check the 'host' attribute for access control
# Default is no; if set to yes, and user has no
# value for the host attribute, and pam_ldap is
# configured for account management (authorization)
# then the user will not be allowed to login.
#pam_check_host_attr yes

# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com

# Group member attribute
#pam_member_attribute uniquemember

# Specify a minium or maximum UID number allowed
#pam_min_uid 0
#pam_max_uid 0

# Template login attribute, default template user
# (can be overriden by value of former attribute
# in user's entry)
#pam_login_attribute userPrincipalName
#pam_template_login_attribute uid
#pam_template_login nobody

# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
#pam_password clear

# Hash password locally; required for University of
# Michigan LDAP server, and works with Netscape
# Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization
# service. 
pam_password crypt

# Remove old password first, then update in
# cleartext. Necessary for use with Novell
# Directory Services (NDS)
#pam_password nds

# Update Active Directory password, by
# creating Unicode password and updating
# unicodePwd attribute.
#pam_password ad

# Use the OpenLDAP password change
# extended operation to update the password.
#pam_password exop

# Redirect users to a URL or somesuch on password
# changes.
#pam_password_prohibit_message Please visit http://internal to change your password.

# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX		base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd	ou=People,
# to append the default base DN but this
# may incur a small performance impact.
#nss_base_passwd	ou=People,dc=padl,dc=com?one
#nss_base_shadow	ou=People,dc=padl,dc=com?one
#nss_base_group		ou=Group,dc=padl,dc=com?one
#nss_base_hosts		ou=Hosts,dc=padl,dc=com?one
#nss_base_services	ou=Services,dc=padl,dc=com?one
#nss_base_networks	ou=Networks,dc=padl,dc=com?one
#nss_base_protocols	ou=Protocols,dc=padl,dc=com?one
#nss_base_rpc		ou=Rpc,dc=padl,dc=com?one
#nss_base_ethers	ou=Ethers,dc=padl,dc=com?one
#nss_base_netmasks	ou=Networks,dc=padl,dc=com?ne
#nss_base_bootparams	ou=Ethers,dc=padl,dc=com?one
#nss_base_aliases	ou=Aliases,dc=padl,dc=com?one
#nss_base_netgroup	ou=Netgroup,dc=padl,dc=com?one

# attribute/objectclass mapping
# Syntax:
#nss_map_attribute	rfc2307attribute	mapped_attribute
#nss_map_objectclass	rfc2307objectclass	mapped_objectclass

# configure --enable-nds is no longer supported.
# For NDS now do:
#nss_map_attribute uniqueMember member

# configure --enable-mssfu-schema is no longer supported.
# For MSSFU now do:
#nss_map_objectclass posixAccount User
#nss_map_attribute uid msSFUName
#nss_map_attribute uniqueMember posixMember
#nss_map_attribute userPassword msSFUPassword
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_objectclass posixGroup Group
#pam_login_attribute msSFUName
#pam_filter objectclass=User
#pam_password ad

# configure --enable-authpassword is no longer supported
# For authPassword support, now do:
#nss_map_attribute userPassword authPassword
#pam_password nds

# For IBM SecureWay support, do:
#nss_map_objectclass posixAccount aixAccount
#nss_map_attribute uid userName
#nss_map_attribute gidNumber gid
#nss_map_attribute uidNumber uid
#nss_map_attribute userPassword passwordChar
#nss_map_objectclass posixGroup aixAccessGroup
#nss_map_attribute cn groupName
#nss_map_attribute uniqueMember member
#pam_login_attribute userName
#pam_filter objectclass=aixAccount
#pam_password clear

# Netscape SDK LDAPS
#ssl on

# Netscape SDK SSL options
#sslpath /etc/ssl/certs/cert7.db

# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
ssl start_tls
#ssl on

# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is "no"
#tls_checkpeer yes

# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
#tls_cacertfile /etc/ssl/ca.cert
#tls_cacertdir /etc/ssl/certs

# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1

# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key

The file has to be changed as follows:

#
# This is the configuration file for the LDAP nameservice
# switch library, the LDAP PAM module and the shadow package.
#

# Your LDAP server. Must be resolvable without using LDAP.
# An IP address is fine for plaintext LDAP; once TLS is enabled this has to
# be the DC's FQDN exactly as it appears in the DC's certificate.
host 10.0.0.150

# The distinguished name of the search base: only the OU that holds the
# Linux-enabled accounts, so nothing else in the domain is enumerated.
base ou=linux,dc=demo,dc=test

ldap_version 3
# Give up quickly when the DC is unreachable instead of hanging every login
bind_policy soft
# AD's user object class and login attribute
pam_filter objectclass=user
pam_login_attribute sAMAccountName
# Never let a directory entry authenticate as a local system account
pam_min_uid 1000

# Search the root DSE for the password policy (works
# with Netscape Directory Server). And make use of
# Password Policy LDAP Control (as in OpenLDAP)
pam_lookup_policy yes

# Password changes through pam_ldap: AD accepts them only as a unicodePwd
# update over TLS ("pam_password ad"). "crypt" is kept from the template and
# means passwd(1) will not work for AD users on this box; change passwords on
# the Windows side, or switch to "ad" once TLS is configured.
pam_password crypt

# Map RFC 2307 names onto the AD schema. Windows Server 2008 R2 already
# carries uidNumber, gidNumber, loginShell and unixHomeDirectory, so only the
# object classes, the login name and the home attribute need mapping.
# posixGroup is an object class, hence nss_map_objectclass (an
# nss_map_attribute line for it is silently ignored).
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member

# TLS is off. With it off, pam_ldap sends every user's password to the DC in
# a cleartext simple bind and nss_ldap trusts whatever answers on
# 10.0.0.150:389. That is acceptable only in an isolated lab; otherwise set
# "ssl start_tls", "tls_checkpeer yes" and tls_cacertfile pointing at the
# DC's issuing CA certificate. Note that a later "ssl" line overrides an
# earlier one, so writing "ssl start_tls" above "ssl no" would not enable TLS.
ssl no
tls_checkpeer no
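The following added script is not part of the original page. It checks an ldap.conf for the weaknesses the version above accepts for the lab (no TLS, no certificate check, a password method AD rejects, the posixGroup mapping) and writes a hardened file. It assumes the DC's issuing CA certificate has been exported in PEM form to a path you pass in, and that the DC's LDAP certificate contains the DC's FQDN, which is why host is given as a name rather than an IP address; dc1.demo.test and the CA path are assumptions.

```shell
#!/bin/sh
# Audit /etc/ldap.conf (nss_ldap/pam_ldap) for the settings that decide
# whether user passwords cross the wire in cleartext, and write a hardened
# version. Added example; DC name, base DN and CA path are assumptions.

# Last occurrence of KEY in FILE, mirroring the parser (later lines win).
# conf_get ssl /etc/ldap.conf
conf_get() {
    awk -v k="$1" '$1 == k { v = $2 } END { if (v != "") print v }' "$2"
}

# One finding per line; return 1 if there was any.
audit_ldap_conf() {
    f=$1; rc=0
    ssl=$(conf_get ssl "$f")
    peer=$(conf_get tls_checkpeer "$f")
    pw=$(conf_get pam_password "$f")
    case "$ssl" in
        start_tls|on) ;;
        *) echo "ssl=${ssl:-unset}: simple binds carry user passwords in cleartext"; rc=1 ;;
    esac
    if [ "$peer" != yes ]; then
        echo "tls_checkpeer=${peer:-unset}: DC certificate not verified, a spoofed DC can harvest binds"; rc=1
    fi
    if [ "$pw" != ad ]; then
        echo "pam_password=${pw:-unset}: AD accepts password changes only as unicodePwd over TLS (pam_password ad)"; rc=1
    fi
    # posixGroup is an object class; mapping it as an attribute is ignored
    if grep -q '^nss_map_attribute[[:space:]][[:space:]]*posixGroup' "$f"; then
        echo "posixGroup mapped with nss_map_attribute: use nss_map_objectclass posixGroup group"; rc=1
    fi
    return $rc
}

# Write a hardened ldap.conf. "host" must be the DC's FQDN because
# tls_checkpeer compares it with the name in the DC's certificate, and
# CA_FILE is that certificate's issuing CA, exported from the DC as PEM.
# write_ldap_conf /etc/ldap.conf dc1.demo.test ou=linux,dc=demo,dc=test /etc/ssl/certs/demo-ca.pem
write_ldap_conf() {
    cat > "$1" <<EOF
host $2
base $3
ldap_version 3
bind_policy soft
ssl start_tls
tls_checkpeer yes
tls_cacertfile $4
pam_filter objectclass=user
pam_login_attribute sAMAccountName
pam_min_uid 1000
pam_password ad
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member
EOF
}

# Live check once the file is in place: both lookups must go through nss_ldap.
verify_nss() {
    getent passwd "$1" && id "$1"
}
```

Run audit_ldap_conf /etc/ldap.conf after every edit; the hardened file is only as good as the CA it pins, so the PEM must come from the DC (or the enterprise CA) over a trusted path, not from the LDAP connection it is meant to protect.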




Configuration

Default configuration

# smb.conf is the main Samba configuration file. You find a full commented
# version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
# samba-doc package is installed.
# Date: 2009-09-05
[global]
	workgroup = WORKGROUP
	printing = cups
	printcap name = cups
	printcap cache time = 750
	cups options = raw
	map to guest = Bad User
	include = /etc/samba/dhcp.conf
	logon path = \\%L\profiles\.msprofile
	logon home = \\%L\%U\.9xprofile
	logon drive = P:
	usershare allow guests = Yes
[homes]
	comment = Home Directories
	valid users = %S, %D%w%S
	browseable = No
	read only = No
	inherit acls = Yes
[profiles]
	comment = Network Profiles Service
	path = %H
	read only = No
	store dos attributes = Yes
	create mask = 0600
	directory mask = 0700
[users]
	comment = All users
	path = /home
	read only = No
	inherit acls = Yes
	veto files = /aquota.user/groups/shares/
[groups]
	comment = All groups
	path = /home/groups
	read only = No
	inherit acls = Yes
[printers]
	comment = All Printers
	path = /var/tmp
	printable = Yes
	create mask = 0600
	browseable = No
[print$]
	comment = Printer Drivers
	path = /var/lib/samba/drivers
	write list = @ntadmin root
	force group = ntadmin
	create mask = 0664
	directory mask = 0775


Generated configuration




Open questions

  1. How do the host servers share their files?
    1. Which protocol?
  2. What is the IP address of the host server?
  3. What is the IP address of the AD/DC?
  4. Which hostnames exist?

LDAP sample (Samba as an NT4-style PDC with an ldapsam passdb backend; a different setup from the AD membership described above)

[global]
        workgroup = domaene
        netbios name = server2
        server string = Server_2
        unix charset = ISO8859-1
        display charset = ISO8859-1
        dos charset = 850
        log level = 3
        #log file = /var/log/samba/log.%m
        os level = 245
        interfaces = eth1
        preferred master = yes
        domain master = no
        local master = yes
        security = user
        domain logons = yes
        admin users = root @root @DomainAdmins Administrator Administratoren
        add machine script = /usr/local/sbin/smbldap-useradd -w '%u'
        add user script = /usr/local/sbin/smbldap-useradd -m '%u'
        delete user script = /usr/local/sbin/smbldap-userdel '%u'
        add group script = /usr/local/sbin/smbldap-groupadd -p '%g'
        delete group script = /usr/local/sbin/smbldap-groupdel '%g'
        add user to group script = /usr/local/sbin/smbldap-groupmod -m '%u' '%g'
        delete user from group script = /usr/local/sbin/smbldap-groupmod -x '%u' '%g'
        set primary group script = /usr/local/sbin/smbldap-usermod -g '%g' '%u'
        printing = cups
        printcap name = cups
        printcap cache time = 750
        cups options = raw
        printer admin = @ntadmin, root, administrator
        username map = /etc/samba/smbusers
        map to guest = Bad User
        wins server = 192.168.0.1
        logon path =
        logon home =
#logon path = \\server1\%U\profile
#logon home = \\server1\%U\Documents
        logon drive =
        logon script =
        wins support = no
        name resolve order = wins bcast host
        time server = yes
        passdb backend = ldapsam:"ldap://192.168.0.1 ldap://localhost"
        idmap backend = ldap:"ldap://192.168.0.1 ldap://localhost"
        ldap ssl = no
        ldap suffix = dc=domaene,dc=at
        ldap admin dn = cn=Administrator,dc=domaene,dc=at
        ldap user suffix = ou=users
        ldap group suffix = ou=groups
        ldap machine suffix = ou=machines
        ldap delete dn = yes
        ldap passwd sync = yes
        hide files = /Desktop.ini/desktop.ini/

[homes]
        comment = Home Directories
        valid users = %S
        browseable = No
        read only = No
        path = /daten/userdaten/%u
        create mask = 0700
        directory mask = 0700
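Checking a Samba configuration like the sample above for its weak spots, as an added example that is not the page's own tooling: the script parses smb.conf section by section the way Samba does (parameter names case-insensitive, last value wins), lists parameters defined twice in one section, and flags ldap ssl = no (the ldap admin dn password travels in cleartext), interfaces set without bind interfaces only, and a non-empty admin users list (those accounts act as root on every share). The file it is tested against is a constructed excerpt in the style of the sample.

```shell
#!/bin/sh
# Audit an smb.conf the way Samba reads it: sections, case-insensitive
# parameter names, last value wins. Added example, not the page's tooling.

# Value of KEY in section SEC of FILE (empty if unset).
# smb_get global 'ldap ssl' /etc/samba/smb.conf
smb_get() {
    awk -v s="$1" -v k="$2" '
        /^[[:space:]]*\[/ { sec = $0; sub(/^[[:space:]]*\[/, "", sec); sub(/\].*/, "", sec); next }
        /^[[:space:]]*[#;]/ { next }
        sec == s && index($0, "=") {
            key = $0; sub(/=.*/, "", key); gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            if (tolower(key) == tolower(k)) {
                v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]+$/, "", v)
            }
        }
        END { if (v != "") print v }' "$3"
}

# Parameters defined more than once within one section, as "section/parameter".
smb_dups() {
    awk '
        /^[[:space:]]*\[/ { sec = $0; sub(/^[[:space:]]*\[/, "", sec); sub(/\].*/, "", sec); next }
        /^[[:space:]]*[#;]/ { next }
        index($0, "=") {
            key = $0; sub(/=.*/, "", key); gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            n[sec "/" tolower(key)]++
        }
        END { for (x in n) if (n[x] > 1) print x }' "$1" | sort
}

# One finding per line; return 1 if any.
audit_smb_conf() {
    f=$1; rc=0
    if [ "$(smb_get global 'ldap ssl' "$f")" = no ]; then
        echo "ldap ssl = no: the 'ldap admin dn' password goes to the LDAP server in cleartext"; rc=1
    fi
    if [ -n "$(smb_get global interfaces "$f")" ] && \
       [ "$(smb_get global 'bind interfaces only' "$f")" != yes ]; then
        echo "interfaces set without 'bind interfaces only = yes': smbd still listens on every address"; rc=1
    fi
    admins=$(smb_get global 'admin users' "$f")
    if [ -n "$admins" ]; then
        echo "admin users act as root on every share: $admins"; rc=1
    fi
    dups=$(smb_dups "$f")
    if [ -n "$dups" ]; then
        printf '%s\n' "$dups" | sed 's/^/duplicate parameter (last value wins): /'; rc=1
    fi
    return $rc
}
```

Run it as audit_smb_conf /etc/samba/smb.conf and follow up with testparm -s, which prints the values Samba actually applies after parsing; that is where a doubled parameter or a typo in a name shows up as silently ignored.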



projekt/samba.txt · Last modified: 2015/07/06 22:33 (external edit)