Howto Samba PDC - Active Directory

Serveur

Samba est ici configuré en temps que PDC (Primary Domain Controler) ou Active Directory.

On édite le fichier samsba : vim /etc/samba/smb.conf

Script avec 147 lignes

001[global]
002        # Domain name ..
003        workgroup = ZW3B
004#       realm = ZW3B.FR
005        # Server name - as seen by Windows PCs ..
006        netbios name = ZW3B-PDC
007        server string = PDC Samba-LDAP Server
008
009        # Be a PDC ..
010        ; On contrôle les logons, on est DC
011        domain logons = Yes
012        ; Master browser, browser pour le domaine (un seul par domaine)
013        domain master = Yes
014        ; Force élections en tant que master browser + donne un avantage
015        preferred master = Yes
016        ; Poids lors des élections de master browser
017        os level = 99
018        ; Local master browser (browser pour le sous réseau)
019        local master = Yes
020        # Be a WINS server ..
021        ; Serveur Wins actif (un seul par reseau)
022        wins support = Yes
023
024      #  obey pam restrictions = Yes
025        dns proxy = No
026
027        log file = /var/log/samba/log.%m
028        max log size = 1000
029        syslog = 0
030        panic action = /usr/share/samba/panic-action %d
031
032#       security = ADS
033        pam password change = Yes
034
035        # Allows users on WinXP PCs to change their password when they press Ctrl-Alt-Del
036        unix password sync = no
037        ldap passwd sync = yes
038
039        # Printing from PCs will go via CUPS ..
040        load printers = yes
041        printing = cups
042        printcap name = cups
043
044        # Use LDAP for Samba user accounts and groups ..
045        passdb backend = ldapsam:ldap://127.0.0.1/
046
047        ; LDAP
048        # Samba and LDAP server are on the same server in this example.
049        ldap ssl = no
050        # This must match init.ldif ..
051        ldap suffix = dc=zw3b,dc=fr
052        # The password for cn=admin MUST be stored in /etc/samba/secrets.tdb
053        # This is done by running 'sudo smbpasswd -w'.
054        ldap admin dn = cn=admin,dc=zw3b,dc=fr
055#       ldap delete dn = Yes
056
057        # 4 OUs that Samba uses when creating user accounts, computer accounts, etc.
058        # (Because we are using smbldap-tools, call them 'Users', 'Computers', etc.)
059        ldap machine suffix = ou=Computers
060        ldap user suffix = ou=Users
061        ldap group suffix = ou=Groups
062
063        # Scripts for Samba to use if it creates users, groups, etc.
064        add user script = /usr/sbin/smbldap-useradd -m '%u'
065        delete user script = /usr/sbin/smbldap-userdel %u
066        add group script = /usr/sbin/smbldap-groupadd -p '%g'
067        delete group script = /usr/sbin/smbldap-groupdel '%g'
068        add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
069        delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
070        set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
071
072        # Script that Samba users when a PC joins the domain ..
073        # (when changing 'Computer Properties' on the PC)
074        add machine script = /usr/sbin/smbldap-useradd -w '%u'
075
076        # Values used when a new user is created ..
077        # (Note: '%L' does not work properly with smbldap-tools 0.9.4-1)
078        logon drive = Z:
079        logon home = %L%U
080        logon path = %Lprofile%U
081        logon script = allusers.bat
082
083        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
084        case sensitive = No
085        default case = lower
086        preserve case = yes
087        short preserve case = Yes
088
089        # This is required for Windows XP client ..
090        server signing = auto
091        server schannel = auto
092
093        winbind use default domain = Yes
094        inherit permissions = Yes
095        inherit acls = Yes
096        inherit owner = Yes
097        nt acl support = Yes
098        msdfs root = Yes
099        hide files = /desktop.ini/ntuser.ini/NTUSER.*/
100
101        # Liens symboliques
102        unix extensions = no
103        follow symlinks = yes
104        wide links = yes
105
106        # performance
107        read raw = yes
108        write raw = yes
109        kernel oplocks = yes
110        max xmit = 65535
111        getwd cache=yes
112        use sendfile = Yes
113        strict sync = no
114        strict allocate = yes
115        large readwrite = yes
116        case sensitive = true
117
118[homes]
119        comment = Home Directories
120        valid users = %S
121        read only = No
122        browseable = No
123        create mask = 0644
124        directory mask = 0755
125
126[netlogon]
127        comment = Network Logon Service
128        path = /var/lib/samba/netlogon
129        admin users = root kss.0s
130        guest ok = Yes
131        browseable = No
132        logon script = allusers.bat
133
134[Profiles]
135        comment = Roaming Profile Share
136        # would probably change this to elsewhere in a production system ..
137        path = /var/lib/samba/profiles
138        read only = No
139        profile acls = Yes
140        browsable = No
141
142[Alibaba]
143        comment = Caverne d'Alibaba
144        path = /var/alibaba
145        browseable = Yes
146        writeable = Yes
147        public = No

Vous trouverez sûrement l'option que vous chercher ci-dessus ;) Faire un tuto "PDC : LDAP + SAMBA" serait envisageable.. :)

Client :

Paquet à installer sur les clients : cifs anciennement smbfs ;)
Commande pour monter un partage depuis un système Linux

Script avec 2 lignes

001mount -t smbfs //IP_MACHINE/SHARE_FOLDER /mnt/samba/mon_dossier/ -uid 1000 -gid 1000 -o username=mon_user
002mount -t cifs //IP_MACHINE/SHARE_FOLDER /mnt/samba/mon_dossier/ -o uid=1000 -o gid=1000 -o username=mon_user

Et dans /etc/fstab soit on monte sur le nom NetBIOS soit sur l'adresse IP, par exemple :

Le fichier /home/user/.smbcredentials doit être accessible que pour notre utilisateur. Pour une question de sécurité (au lieu d'écrire le mot de passe en clair dans notre fichier fstab lisible à tous) on attribue les droits : chmod 600 ~/.smbcredentials.

Script avec 1 ligne

001//IP_MACHINE/SHARE_FOLDER /mnt/samba/mon_dossier cifs user, noauto, rw, iocharset=utf8, sec=ntlm, gid=1000, uid=1000, credentials=/home/user/.smbcredentials 0 0

Le fichier .smbcredentials ressemble à cela :

Script avec 2 lignes

001username=mon_user_samba/windows
002password=mon_password_samba/windows

Liens :

• Guim.info - Samba avec LDAP
• Antiseches.net : Installation de Samba avec authentification LDAP sous Linux Debian Lenny
• Doc fedora-fr.org : Configuration d'un serveur d'authentification Openldap Samba
• Samba and LDAP - Official Ubuntu Documentation

---

---

Keywords :

linux لينكس samba

---