[Sysadmins] Samba + LDAP, sambaPwdLastSet - подземный стук
Евгений Баженов
bazhen на ustk.kz
Вт Июн 1 05:17:28 UTC 2010
Trenin Sergey пишет:
> Евгений, не приведёте содержимое файлов smb.conf, slapd.conf и
> slapd-ваша_зона.conf? Тоже разбираюсь с PDC.
smb.conf:
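# smb.conf for the DKVKO domain controller; accounts live in OpenLDAP (ldapsam),
# see slapd-dkvko.lan.conf
[global]
# client (DOS) versus server charsets; CP866 is the Cyrillic DOS code page
dos charset = CP866
unix charset = utf8
display charset = utf8
workgroup = DKVKO
realm = DKVKO.LAN
# %h = server hostname, %v = Samba version
server string = Samba server on %h (v. %v)
# with 'bind interfaces only' smbd listens only on these; 127.0.0.1 must stay
# listed so local tools (smbpasswd etc.) can still reach the server
interfaces = 192.168.137.2/24, 127.0.0.1/24
bind interfaces only = Yes
# unknown usernames become guest; known users with a wrong password are rejected
map to guest = Bad User
# accounts come from the local OpenLDAP server
passdb backend = ldapsam:ldap://127.0.0.1/
# WARNING: writes the passwd chat exchange, including plaintext passwords, to the
# smbd log at debug level 100; only for debugging 'passwd chat', turn off afterwards
passwd chat debug = Yes
use kerberos keytab = Yes
# one log per user/client/group/address (%U %m %G %I); mind how many files this creates
log file = /var/log/samba/log.%U.%m.%G.%I
max log size = 50
max xmit = 64000
time server = Yes
unix extensions = No
# must be one line (or continued with a trailing backslash): a wrapped second line
# is read as an unknown parameter and SO_RCVBUF/SO_KEEPALIVE are lost
socket options = IPTOS_LOWDELAY TCP_NODELAY SO_SNDBUF=64000 SO_RCVBUF=64000 SO_KEEPALIVE
printcap name = cups
# empty logon path = no roaming profile path is handed to clients
logon path =
logon drive = x:
# %L = NetBIOS name of this server
logon home = \\%L\vol1
# PDC, domain master and WINS role
domain logons = Yes
os level = 64
preferred master = Yes
domain master = Yes
dns proxy = No
wins support = Yes
# LDAP layout. This DN is the slapd rootdn, so Samba bypasses slapd ACLs entirely;
# its password is kept in secrets.tdb (smbpasswd -w), never in this file.
ldap admin dn = cn=ldaproot,dc=dkvko,dc=lan
ldap group suffix = ou=Group
# ou=Computers must exist before the first machine account is created
ldap machine suffix = ou=Computers
ldap passwd sync = Yes
ldap suffix = dc=dkvko,dc=lan
ldap user suffix = ou=People
# members of @domainadmins perform all file operations as root on every share,
# regardless of file permissions
admin users = @domainadmins
# 192.168. covers the whole 192.168.0.0/16, wider than the 192.168.137.0/24 interface above
hosts allow = 192.168., 127.
use sendfile = Yes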
# logon scripts / policies for domain members
[netlogon]
path = /var/lib/samba/netlogon
comment = Network Logon Service
# only domain admins may change logon scripts; everyone else gets Samba's
# default 'read only = yes'
write list = @domainadmins
# unauthenticated (guest) clients may read the share
guest ok = Yes
# roaming-profile store, hidden from browse lists
[Profiles]
path = /var/lib/samba/profiles
browseable = No
read only = No
# owner-only bits on created files and directories keep one user's profile
# private from other users
create mask = 0600
directory mask = 0700
# shared volume, also served as 'logon home'
[vol1]
path = /mnt/samba/vol1
read only = No
# 0777 masks strip no permission bits from what the client asks for, so group/other
# write and the execute bits survive; suitable only for a deliberately open area
create mask = 0777
directory mask = 0777
# sendfile is enabled globally but disabled on this share
use sendfile = No
Ахтунг! ldap machine suffix = ou=Computers - это мне так удобнее, ветку
Computers предварительно нужно создать. Это если не хотите, чтоб у вас
лдап-записи хостов лежали неаппетитной кучей в корне лдапа.
slapd-dkvko.lan.conf:
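# slapd-dkvko.lan.conf -- included from slapd.conf; backend for dc=dkvko,dc=lan
database hdb
suffix "dc=dkvko,dc=lan"
# the rootdn bypasses every ACL below; Samba's 'ldap admin dn' binds as this DN
rootdn "cn=ldaproot,dc=dkvko,dc=lan"
# store a hash, not cleartext: paste the output of slappasswd here.
# The cleartext value this line used to hold was posted publicly and must be rotated.
rootpw {SSHA}<paste-slappasswd-output-here>
directory /var/lib/ldap/bases/dkvko.lan
# equality indexes for the attributes NSS/Samba look up by; run slapindex after changes
index objectClass eq
index uid eq
index cn eq
index uidNumber eq
index gidNumber eq
# password hashes: the owner may change them, anyone may bind with them, nobody may read them
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
by self write
by anonymous auth
by * none
# Kerberos KDC data is visible only to the kdc/kadmin service DNs
access to dn.subtree="ou=kdcroot,dc=dkvko,dc=lan"
by dn.exact="cn=kdc,ou=kdcroot,dc=dkvko,dc=lan" read
by dn.exact="cn=kadmin,ou=kdcroot,dc=dkvko,dc=lan" write
by * none
# NOTE: this subtree lies inside ou=kdcroot above, so the earlier rule matches first
# and this one is never consulted; harmless while the clauses are identical, but put
# the more specific rule first if the two ever diverge
access to dn.subtree="cn=DKVKO.LAN,cn=kerberos,ou=kdcroot,dc=dkvko,dc=lan"
by dn.exact="cn=kdc,ou=kdcroot,dc=dkvko,dc=lan" read
by dn.exact="cn=kadmin,ou=kdcroot,dc=dkvko,dc=lan" write
by * none
# everything else is readable by anyone, including anonymous binds; use
# 'by users read' if the tree should not be enumerable without authentication
access to *
by * read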
slapd.conf отличается от стандартного только инклудом конфига моей зоны.