Appendix 1: Configuration file of the Samba server operating as a stand-alone PDC

[global]
    netbios name = SZERVER
    workgroup = IRODA
    server string = Szerver
    security = user
    hosts allow = 192.168.1. 127.
    username map = /etc/samba/smbusers
    log file = /var/log/samba.%m
    max log size = 50000
    passdb backend = tdbsam
    socket options = TCP_NODELAY
    local master = yes
    os level = 33
    domain master = yes
    preferred master = yes
    domain logons = yes
    logon path = \\%L\Profiles\%U
    logon drive = S:
    logon home = \\%L\%U
    logon script = scripts\logon.cmd
    wins support = yes
    dns proxy = no

    # Scripts for creating and deleting the UNIX accounts
    add user script = /usr/sbin/useradd %u
    add group script = /usr/sbin/groupadd %g
    add user to group script = /usr/sbin/usermod -G %g %u
    add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null %u
    delete user script = /usr/sbin/userdel %u
    delete user from group script = /usr/sbin/deluser %u %g
    delete group script = /usr/sbin/groupdel %g

#============= Shares =============
[homes]
    comment = Home Directories
    browseable = no
    writable = yes

# For the domain logons
[netlogon]
    comment = Network Logon Service
    path = /adat/netlogon
    guest ok = yes
    writable = yes
    locking = no

# Location of the roaming profiles
[Profiles]
    path = /adat/profilok
    browseable = no
    read only = no

[adat]
    comment = Kozos Adatok
    path = /adat/kozos
    read only = no
    public = yes
    force create mode = 0777
    force directory mode = 0777

[cd]
    path = /mnt/cdrom
    read only = yes
    public = yes

[floppy]
    path = /mnt/floppy
    read only = no
    public = yes

[dvd]
    path = /mnt/dvd
    read only = yes
    public = yes

Appendix 2: Script mapping the Windows domain and local groups to UNIX groups (initgrps.sh)

net groupmap modify ntgroup="domain Admins" unixgroup=root
net groupmap modify ntgroup="domain Users" unixgroup=users
net groupmap modify ntgroup="domain Guests" unixgroup=nobody
net groupmap add ntgroup="iroda" unixgroup=iroda type=d
net groupmap modify ntgroup="administrators" unixgroup=sys
net groupmap modify ntgroup="users" unixgroup=iroda
net groupmap modify ntgroup="guests" unixgroup=nobody
net groupmap modify ntgroup="system Operators" unixgroup=daemon
net groupmap modify ntgroup="account Operators" unixgroup=wheel
net groupmap modify ntgroup="backup Operators" unixgroup=bin
net groupmap modify ntgroup="print Operators" unixgroup=lp
net groupmap modify ntgroup="replicators" unixgroup=kmem
net groupmap modify ntgroup="power Users" unixgroup=ntadmin

Appendix 3: Logon script for mapping the network drives

net use k: %LOGONSERVER%\adat
net use s: %LOGONSERVER%\%USERNAME%

Appendix 4: The LILO configuration file (/etc/lilo.conf)

boot = /dev/md0
raid-extra-boot=mbr
vga = normal
image = /boot/267
    root = /dev/md0
    label = 267
    read-only
    password=***
    restricted

Appendix 5: The RAID configuration file (/etc/raidtab)

raiddev /dev/md0
    raid-level 1
    nr-raid-disks 2
    nr-spare-disks 0
    persistent-superblock 1
    chunk-size 64
    device /dev/sda1
    raid-disk 0
    device /dev/sdb1
    raid-disk 1

raiddev /dev/md1
    raid-level 1
    nr-raid-disks 2
    nr-spare-disks 0
    persistent-superblock 1
    chunk-size 64
    device /dev/sda2
    raid-disk 0
    device /dev/sdb2
    raid-disk 1

raiddev /dev/md2
    raid-level 1
    nr-raid-disks 2
    nr-spare-disks 0
    persistent-superblock 1
    chunk-size 64
    device /dev/sda3
    raid-disk 0
    device /dev/sdb3
    raid-disk 1

Appendix 6: Script sending a WinPopup message before the backup

#!/bin/sh
# The message text is piped into smbclient, which delivers it as a
# WinPopup message (-M) to each workstation in turn.
/bin/cat /etc/cron.mentese/uzenet | /usr/bin/smbclient -M gep1
/bin/cat /etc/cron.mentese/uzenet | /usr/bin/smbclient -M gep2
/bin/cat /etc/cron.mentese/uzenet | /usr/bin/smbclient -M gep3
/bin/cat /etc/cron.mentese/uzenet | /usr/bin/smbclient -M gep4
/bin/cat /etc/cron.mentese/uzenet | /usr/bin/smbclient -M gep5

Appendix 7: Script performing the backup

#!/bin/sh
# Archive the system logs next to the data, burn /adat to DVD, then clean up
/bin/tar -czf /adat/log/log.tar.gz /var/log
/usr/bin/growisofs -Z /dev/hda -R -J /adat
/usr/bin/eject /dev/hda
/bin/rm /adat/log/*

Appendix 8: The get_next_id function of SMBLDAP Tools (/opt/idealx/sbin/smbldap_tools.pm)

sub get_next_id($$) {
    my $ldap_base_dn = shift;
    my $attribute = shift;
    my $tries = 0;
    my $found=0;
    my $next_uid_mesg;
    my $nextuid;
    if ($ldap_base_dn =~ m/$config{usersdn}/i) {
        # when adding a new user, we'll check if the uidnumber available is not
        # already used for a computer's account
        $ldap_base_dn=$config{suffix}
    }
    do {
        $next_uid_mesg = $ldap->search(
            base => $config{sambaunixidpooldn},
            filter => "(objectclass=sambaunixidpool)",
            scope => "base"
        );
        $next_uid_mesg->code && die "Error looking for next uid";
        if ($next_uid_mesg->count != 1) {
            die "Could not find base dn, to get next $attribute";
        }
        my $entry = $next_uid_mesg->entry(0);
        $nextuid = $entry->get_value($attribute);
        my $modify=$ldap->modify( "$config{sambaunixidpooldn}",
            changes => [
                replace => [ $attribute => $nextuid + 1 ]
            ]
        );
        $modify->code && die "Error: ", $modify->error;
        # let's check if the id found is really free (in ou=groups or ou=users)...
        my $check_uid_mesg = $ldap->search(
            base => $ldap_base_dn,
            filter => "($attribute=$nextuid)",
        );
        $check_uid_mesg->code && die "Cannot confirm $attribute $nextuid is free";
        if ($check_uid_mesg->count == 0) {
            $found=1;
            return $nextuid;
        }
        $tries++;
        print "Cannot confirm $attribute $nextuid is free: checking for the next one\n"
    } while ($found != 1);
    die "Could not allocate $attribute!";
}
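The allocation in Appendix 8 reads the counter from the sambaUnixIdPool entry, writes back counter+1 with an unconditional replace, and only then searches for an existing entry that already carries the id. Two callers that interleave between the read and the replace both receive the same value, and the final search cannot notice it because neither caller has created its entry yet. The added Python model below (written for this page, not smbldap-tools code) replays that interleaving against an in-memory stand-in for the pool entry, then shows the usual LDAP remedy: a single modify that deletes the old value and adds the new one, which the server applies atomically and rejects when the old value is gone. The IdPool class and the interleaving functions are constructed for the illustration.

```python
"""Read-then-replace versus atomic delete/add id allocation (simulation).

IdPool stands in for the cn=nextfreeunixid entry with one uidNumber value;
it is a constructed model, not an LDAP client.
"""


class NoSuchAttribute(Exception):
    """Raised when a modify tries to delete a value that is not present."""


class IdPool:
    """Stand-in for the sambaUnixIdPool entry: one attribute, one value."""

    def __init__(self, start):
        self.values = {"uidNumber": start}

    def read(self):
        return self.values["uidNumber"]

    def replace(self, new):
        # Unconditional 'replace' modify, as in get_next_id: always succeeds.
        self.values["uidNumber"] = new

    def delete_add(self, old, new):
        # One modify with 'delete: old' followed by 'add: new'. LDAP applies the
        # whole modification list atomically, so a stale 'old' fails the modify.
        if self.values["uidNumber"] != old:
            raise NoSuchAttribute(f"uidNumber={old} not present")
        self.values["uidNumber"] = new


def naive_read(pool):
    """First half of get_next_id: read the counter."""
    return pool.read()


def naive_commit(pool, nextuid):
    """Second half: bump the counter and hand out the value that was read."""
    pool.replace(nextuid + 1)
    return nextuid


def naive_race(pool):
    """Two callers interleave between read and replace: both get the same id."""
    a = naive_read(pool)
    b = naive_read(pool)          # second caller reads before the first writes
    ua = naive_commit(pool, a)
    ub = naive_commit(pool, b)
    return ua, ub


def cas_alloc(pool, max_tries=5):
    """Allocate with the atomic delete/add modify, retrying on a lost race."""
    for _ in range(max_tries):
        cur = pool.read()
        try:
            pool.delete_add(cur, cur + 1)
            return cur
        except NoSuchAttribute:
            continue                # another caller took it: re-read and retry
    raise RuntimeError("could not allocate an id")


def cas_race(pool):
    """Same interleaving: the first caller wins, the second is forced to retry."""
    a = pool.read()
    b = pool.read()
    pool.delete_add(a, a + 1)     # first caller commits
    try:
        pool.delete_add(b, b + 1)  # stale value: rejected by the server
        ub = b
    except NoSuchAttribute:
        ub = cas_alloc(pool)       # retry from a fresh read
    return a, ub
```

Run against a pool starting at 1000, naive_race returns (1000, 1000) while cas_race returns (1000, 1001). Duplicate uidNumbers are an integrity problem as much as a provisioning one, since two accounts then share one UNIX identity on every host that resolves users through nss_ldap.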
Appendix 9: The OpenLDAP configuration file (/etc/ldap/slapd.conf)

# Schemas
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/samba.schema

schemacheck on
idletimeout 30
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args

access to dn.base=""
    by self write
    by * auth
access to attr=userpassword,sambalmpassword,sambantpassword
    by self write
    by * auth
access to attr=shadowlastchange
    by self write
    by * read
access to *
    by * read
    by anonymous auth

loglevel 256
modulepath /usr/lib/ldap
moduleload back_bdb
security tls=1
TLSCertificateFile /etc/ldap/szervercert.pem
TLSCertificateKeyFile /etc/ldap/szerverkulcs.pem
TLSCACertificateFile /etc/ldap/cacert.pem

backend bdb
checkpoint 1024 5

database bdb
cachesize 10000
suffix "dc=peldadomain,dc=com"
rootdn "cn=admin,dc=peldadomain,dc=com"
rootpw {SSHA}N8ZEw...
directory "/var/lib/ldap"
index objectclass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayname pres,sub,eq
index uidnumber eq
index gidnumber eq
index memberuid eq
index sambasid eq
index sambaprimarygroupsid eq
index sambadomainname eq
index default sub

Appendix 10: Configuration file of the BDB database

set_cachesize 0 150000000 1
set_lg_regionmax 262144
set_lg_bsize 2097152
#set_lg_dir /var/log/bdb
set_flags DB_LOG_AUTOREMOVE

Appendix 11: Configuration file of the nss_ldap and pam_ldap modules

host server1.peldadomain.com
base dc=peldadomain,dc=com
ldap_version 3
rootbinddn cn=admin,dc=peldadomain,dc=com
timelimit 50
bind_timelimit 50
bind_policy hard
idle_timelimit 3600
pam_password exop
nss_base_passwd ou=people,dc=peldadomain,dc=com?one
nss_base_shadow ou=people,dc=peldadomain,dc=com?one
nss_base_group ou=groups,dc=peldadomain,dc=com?one
ssl start_tls
tls_cacertfile /etc/ldap/cacert.pem
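slapd evaluates the access directives of Appendix 9 by first match: the first `access to` whose `<what>` covers the requested attribute is the only directive consulted, and inside it the first `by` clause whose `<who>` matches the bound identity fixes the privilege level (if none matches, access is denied). The added Python evaluator below (a model written for this page, not OpenLDAP code) encodes the four directives of Appendix 9 in their original order and answers access questions for constructed entries under `ou=people`. It makes visible, for instance, that an anonymous bind may read `cn` but only gets `auth` on `userPassword` and `sambaNTPassword`, and that in the last directive `by * read` precedes `by anonymous auth`, so the latter clause is never reached. The entry DNs are constructed; the ACL rules are the page's.

```python
"""First-match evaluator for the slapd.access(5) style rules of Appendix 9.

Constructed model: it covers the <what> forms '*', dn.base and attrs, and the
<who> forms '*', anonymous, users and self. The rootdn bypasses ACLs in
slapd and is not modelled.
"""

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# The page's four access directives, in their original order.
ACL = [
    {"what": ("dn", ""), "by": [("self", "write"), ("*", "auth")]},
    {"what": ("attrs", {"userpassword", "sambalmpassword", "sambantpassword"}),
     "by": [("self", "write"), ("*", "auth")]},
    {"what": ("attrs", {"shadowlastchange"}),
     "by": [("self", "write"), ("*", "read")]},
    {"what": ("*", None), "by": [("*", "read"), ("anonymous", "auth")]},
]


def _what_matches(what, target_dn, attr):
    kind, arg = what
    if kind == "*":
        return True
    if kind == "dn":                    # dn.base="" covers only the root DSE
        return target_dn == arg
    return attr.lower() in arg          # attrs=... (attribute names are case-insensitive)


def _who_matches(who, bind_dn, target_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    return False


def granted_level(acl, bind_dn, target_dn, attr):
    """Level the ACL grants bind_dn on attr of target_dn; 'none' if nothing matches."""
    for rule in acl:
        if not _what_matches(rule["what"], target_dn, attr):
            continue
        for who, level in rule["by"]:
            if _who_matches(who, bind_dn, target_dn):
                return level
        return "none"                   # directive matched but no 'by' clause did: deny
    return "none"


def allowed(acl, bind_dn, target_dn, attr, wanted):
    """True if the granted level is at least the requested one."""
    return LEVELS.index(granted_level(acl, bind_dn, target_dn, attr)) >= LEVELS.index(wanted)


# Constructed entries, not from the page
USER = "uid=alice,ou=people,dc=peldadomain,dc=com"
OTHER = "uid=bob,ou=people,dc=peldadomain,dc=com"
```

A bind_dn of None stands for an anonymous bind. The evaluator is a convenient place to record, as assertions, what a directory's ACL is supposed to guarantee before the rules are edited.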
Appendix 12: The PAM configuration files

/etc/pam.d/common-account:
account sufficient pam_ldap.so
account required pam_unix.so

/etc/pam.d/common-auth:
auth sufficient pam_ldap.so
auth required pam_unix.so try_first_pass nullok_secure

/etc/pam.d/common-password:
password sufficient pam_ldap.so
password required pam_unix.so try_first_pass nullok obscure min=4 max=15 md5

/etc/pam.d/common-session:
session required pam_ldap.so
session required pam_unix.so

Appendix 13: The NSS configuration file

passwd: files ldap
group: files ldap
shadow: files ldap
hosts: files dns wins
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
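Appendix 12 stacks pam_ldap as `sufficient` ahead of pam_unix as `required` in every management group. The added Python model below (written for this page, not Linux-PAM code) walks a stack under the control-flag rules of pam.conf(5) and records which modules were actually consulted. For the page's common-auth stack it shows that a user accepted by LDAP never reaches pam_unix, and that a user rejected by LDAP is decided by pam_unix alone; the module results are supplied as a dictionary so the stack can be exercised without real modules.

```python
"""Walk a PAM stack with the required / requisite / sufficient control flags.

Constructed model of the pam.conf(5) semantics; 'results' maps a module name
to the success (True) or failure (False) it would report.
"""

# The page's /etc/pam.d/common-auth as a stack of (control, module) pairs
COMMON_AUTH = [("sufficient", "pam_ldap.so"), ("required", "pam_unix.so")]


def run_stack(stack, results):
    """Return (outcome, consulted): the stack's result and the modules that ran."""
    failed_required = False
    consulted = []
    for control, module in stack:
        ok = results[module]
        consulted.append(module)
        if control == "required":
            if not ok:
                failed_required = True      # remember the failure, keep walking
        elif control == "requisite":
            if not ok:
                return False, consulted     # fail immediately
        elif control == "sufficient":
            if ok and not failed_required:
                return True, consulted      # success short-circuits the stack
            # a failing 'sufficient' module is ignored
        else:
            raise ValueError(f"unsupported control flag {control!r}")
    return (not failed_required), consulted


def auth_outcomes(stack=COMMON_AUTH):
    """Decision table (ldap_ok, unix_ok) -> (outcome, consulted) for the stack."""
    table = {}
    for ldap_ok in (True, False):
        for unix_ok in (True, False):
            table[(ldap_ok, unix_ok)] = run_stack(
                stack, {"pam_ldap.so": ldap_ok, "pam_unix.so": unix_ok})
    return table
```

The same walk applies to common-account: because pam_ldap is `sufficient` there too, an account that pam_ldap accepts is never checked by pam_unix, so any local restriction pam_unix would have enforced for that account (an expired /etc/shadow entry, for example) is not consulted.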
Appendix 14: Configuration file of the Samba PDC in the test system

[global]
    workgroup = TESTDOMAIN
    server string = Server1
    netbios name = SERVER1
    passdb backend = ldapsam:ldap://server1.peldadomain.com
    log level = 1
    log file = /var/log/samba/samba.%m
    max log size = 50000
    add user script = /opt/idealx/sbin/smbldap-useradd -m "%u"
    delete user script = /opt/idealx/sbin/smbldap-userdel "%u"
    add group script = /opt/idealx/sbin/smbldap-groupadd -p "%g"
    delete group script = /opt/idealx/sbin/smbldap-groupdel "%g"
    add user to group script = /opt/idealx/sbin/smbldap-groupmod -m "%u" "%g"
    delete user from group script = /opt/idealx/sbin/smbldap-groupmod -x "%u" "%g"
    set primary group script = /opt/idealx/sbin/smbldap-usermod -g "%g" "%u"
    add machine script = /opt/idealx/sbin/smbldap-useradd -w "%u"
    logon path = \\%L\Profiles\%U
    logon drive = S:
    logon home = \\%L\%U
    logon script = scripts\logon.cmd
    domain logons = Yes
    os level = 33
    preferred master = Yes
    domain master = Yes
    dns proxy = No
    wins support = Yes
    ldap admin dn = cn=admin,dc=peldadomain,dc=com
    ldap group suffix = ou=groups
    ldap machine suffix = ou=people
    ldap suffix = dc=peldadomain,dc=com
    ldap user suffix = ou=people
    ldap ssl = start tls
    hosts allow = 192.168.1., 127.
    unix password sync = yes
    passwd program = /etc/samba/jelszovalt %u
    passwd chat = *New*password* %n\n *new*password* %n\n *Success*

[homes]
    comment = Home Directories
    browseable = No

[netlogon]
    comment = Network Logon Service
    path = /adat/netlogon
    guest ok = Yes
    locking = No

[Profiles]
    path = /adat/profilok
    profile acls = Yes
    browseable = No

[adat]
    comment = Kozos Adatok
    path = /adat/kozos
    force create mode = 0777
    force directory mode = 0777
    guest ok = Yes

Appendix 15: The UNIX password-changing script

#!/bin/sh
# $1 is the user name passed by Samba ("passwd program = /etc/samba/jelszovalt %u");
# the new password is typed in by Samba as driven by "passwd chat".
# -w ***: the LDAP admin password (redacted in the appendix)
ldappasswd -ZZ -x -h server1.peldadomain.com -D "cn=admin,dc=peldadomain,dc=com" -w *** "uid=$1,ou=people,dc=peldadomain,dc=com" -S

Appendix 16: The required modifications to smbldap_tools.pm

# ugly funcs using global variables and spawning openldap clients
my $smbldap_conf="/etc/smbldap-tools/smbldap.conf";
my $smbldap_bind_conf="/etc/smbldap-tools/smbldap_bind.conf";
my $samba_conf="/etc/samba/smb.conf";

Appendix 17: The SMBLDAP Tools configuration file (smbldap.conf)

SID="S-1-5-21-348755916-828440091-96241843"
slaveldap="server1.peldadomain.com"
slaveport="389"
masterldap="server1.peldadomain.com"
masterport="389"
ldaptls="1"
verify="require"
cafile="/etc/ldap/cacert.pem"
clientcert="/etc/ldap/szervercert.pem"
clientkey="/etc/ldap/szerverkulcs.pem"
suffix="dc=peldadomain,dc=com"
usersdn="ou=people,${suffix}"
computersdn="ou=people,${suffix}"
groupsdn="ou=groups,${suffix}"
sambaunixidpooldn="cn=nextfreeunixid,${suffix}"
#!!!
# After running the smbldap.populate script, this must be changed as follows:
#sambaunixidpooldn="sambadomainname=testdomain,dc=peldadomain,dc=com"
scope="sub"
hash_encrypt="md5"
crypt_salt_format="%s"
userloginshell="/bin/bash"
userhome="/home/%u"
usergecos="system User"
defaultusergid="513"
defaultcomputergid="515"
skeletondir="/etc/skel"
defaultmaxpasswordage="0"
usersmbhome="\\server1\%u"
userprofile="\\server1\profiles\%u"
userhomedrive="s:"
userscript="%u.cmd"
maildomain="peldadomain.com"
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"

Appendix 18: The smbldap_bind.conf file of SMBLDAP Tools

slavedn="cn=admin,dc=peldadomain,dc=com"
slavepw="***"
masterdn="cn=admin,dc=peldadomain,dc=com"
masterpw="***"
Appendix 19: Configuration file of the Samba BDC in the test system

[global]
    workgroup = TESTDOMAIN
    server string = Server2
    passdb backend = ldapsam:ldap://server1.peldadomain.com
    log level = 1
    log file = /var/log/samba.%m
    max log size = 50000
    logon path = \\%L\Profiles\%U
    logon drive = S:
    logon home = \\%L\%U
    logon script = scripts\logon.cmd
    domain logons = Yes
    os level = 33
    preferred master = Yes
    domain master = No
    dns proxy = No
    wins server = 192.168.1.10
    ldap admin dn = cn=admin,dc=peldadomain,dc=com
    ldap group suffix = ou=groups
    ldap machine suffix = ou=people
    ldap suffix = dc=peldadomain,dc=com
    ldap user suffix = ou=people
    ldap ssl = start tls
    hosts allow = 192.168.1., 127.
    unix password sync = yes
    passwd program = /etc/samba/jelszovalt %u
    passwd chat = *New*password* %n\n *new*password* %n\n *Success*

[homes]
    comment = Home Directories
    browseable = No

[netlogon]
    comment = Network Logon Service
    path = /adat/netlogon
    guest ok = Yes
    locking = No

[Profiles]
    path = /adat/profilok
    profile acls = Yes
    browseable = No

[adat]
    comment = Kozos Adatok
    path = /adat/kozos
    force create mode = 0777
    force directory mode = 0777
    guest ok = Yes
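The share definitions of Appendices 1, 14 and 19 are the kind of text a reviewer wants to check mechanically rather than by eye: which shares are reachable by guests and also writable, and which `force create mode` / `force directory mode` values hand out world write. The added Python script below (written for this page, not Samba's own tooling) parses an smb.conf, applies `[global]` values as per-share defaults, and reports those conditions. It treats `writable`/`writeable` as the inverse of `read only` and `public` as a synonym of `guest ok`, which is how Samba defines them. The sample configuration embedded in the script is constructed from the shares of Appendix 1 and is not a file taken from the page's system; run against it, the audit reports the [netlogon] and [adat] shares.

```python
"""Audit an smb.conf for guest-writable shares and world-writable force modes.

The SAMPLE_SMB_CONF below is constructed from the share definitions of
Appendix 1 for demonstration; parse_smb_conf() accepts any smb.conf text.
"""

import re

SAMPLE_SMB_CONF = """
[global]
   workgroup = IRODA
   security = user
   hosts allow = 192.168.1. 127.

[homes]
   comment = Home Directories
   browseable = no
   writable = yes

[netlogon]
   comment = Network Logon Service
   path = /adat/netlogon
   guest ok = yes
   writable = yes
   locking = no

[adat]
   comment = Kozos Adatok
   path = /adat/kozos
   read only = no
   public = yes
   force create mode = 0777
   force directory mode = 0777

[cd]
   path = /mnt/cdrom
   read only = yes
   public = yes
"""


def parse_smb_conf(text):
    """Return {section: {normalised key: value}}; '#' and ';' introduce comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        # Samba ignores case and internal whitespace in parameter names
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def as_bool(value, default=False):
    if value is None:
        return default
    return value.lower() in ("yes", "true", "1")


def share_is_writable(params):
    # 'read only' (default yes) is canonical; 'writable'/'writeable' are its inverse
    for k in ("writable", "writeable"):
        if k in params:
            return as_bool(params[k])
    return not as_bool(params.get("read only"), default=True)


def share_allows_guest(params):
    return as_bool(params.get("guest ok")) or as_bool(params.get("public"))


def audit(sections):
    """Return a list of (share, finding) tuples; [global] supplies share defaults."""
    findings = []
    glob = sections.get("global", {})
    for name, own in sections.items():
        if name == "global":
            continue
        params = {**glob, **own}
        if share_allows_guest(params) and share_is_writable(params):
            findings.append((name, "guest-writable share"))
        for key in ("force create mode", "force directory mode"):
            if key in params and int(params[key], 8) & 0o002:
                findings.append((name, f"{key} grants world write"))
    if "hosts allow" not in glob:
        findings.append(("global", "no 'hosts allow' restriction"))
    return findings


if __name__ == "__main__":
    for share, finding in audit(parse_smb_conf(SAMPLE_SMB_CONF)):
        print(f"[{share}] {finding}")
```

The read-only [cd] share is not reported even though it is public, and [homes] is writable but not guest-accessible, so the audit only flags the two shares where both conditions meet. Feeding the script the Appendix 14 or 19 configuration gives the same two shares.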