
1. sz. melléklet: Az önálló PDC-ként működő Samba szerver konfigurációs állománya
[global]
# Identity of this server and the workgroup/domain it controls
netbios name = SZERVER
workgroup = IRODA
server string = Szerver
# user-level security: every client must authenticate with a Samba account
security = user
# only the 192.168.1.0/24 LAN and localhost may connect (space-separated address prefixes)
hosts allow = 192.168.1. 127.
# Windows -> UNIX user name mapping table
username map = /etc/samba/smbusers
# one log file per client machine (%m), rotated at 50000 KB
log file = /var/log/samba.%m
max log size = 50000
# accounts are kept in the local tdb database (stand-alone PDC, no LDAP)
passdb backend = tdbsam
socket options = TCP_NODELAY
# browser election: win the local election and act as the domain master browser
local master = yes
os level = 33
domain master = yes
preferred master = yes
# act as a domain controller; the settings below are handed to clients at logon
# (%L = this server's NetBIOS name, %U = the logging-on user)
domain logons = yes
logon path = \\%L\Profiles\%U
logon drive = S:
logon home = \\%L\%U
# relative to the [netlogon] share
logon script = scripts\logon.cmd
wins support = yes
dns proxy = no
# Scripts used to create and delete the UNIX accounts (%u = user, %g = group);
# they run as root, so the values substituted into them come from Samba itself,
# never from client-supplied text
add user script = /usr/sbin/useradd %u
add group script = /usr/sbin/groupadd %g
add user to group script = /usr/sbin/usermod -G %g %u
# machine trust accounts get no shell and no home directory
add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null %u
delete user script = /usr/sbin/userdel %u
delete user from group script = /usr/sbin/deluser %u %g
delete group script = /usr/sbin/groupdel %g
#============= Shares =============
# [homes] is special: Samba serves each connecting user a share named after
# that user, rooted at the user's UNIX home directory (what logon home
# \\%L\%U points at).
[homes]
comment = Home Directories
# the generic "homes" entry is kept out of the browse list
browseable = no
writable = yes
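# For domain logons: clients read scripts\logon.cmd from this share
[netlogon]
comment = Network Logon Service
path = /adat/netlogon
guest ok = yes
# Whatever is stored here runs on every workstation at logon, so clients must
# not be able to change it: the original "writable = yes" together with
# "guest ok = yes" let any host matched by "hosts allow" replace the logon
# script without authenticating. Clients only need read access; maintain the
# scripts on the server itself, directly under /adat/netlogon.
writable = no
locking = no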
# Location of the roaming profiles (logon path = \\%L\Profiles\%U)
[Profiles]
path = /adat/profilok
# hidden from browse lists; users still reach their own profile folder by path
browseable = no
# users must be able to write their profile back at logoff
read only = no
# Shared data area open to everyone on the allowed network, guests included
[adat]
comment = Kozos Adatok
path = /adat/kozos
guest ok = yes
writable = yes
# every file and directory created through this share ends up mode 0777
# NOTE(review): 0777 on files also sets the execute bits, which Windows
# clients do not need; 0666 for files gives the same read/write access
force create mode = 0777
force directory mode = 0777
# CD-ROM drive exported read-only to everyone (public = guest access allowed)
[cd]
path = /mnt/cdrom
read only = yes
public = yes
# Floppy drive: unlike [cd] and [dvd] this one is writable, and with
# public = yes any guest on the allowed network can write to the disk
[floppy]
path = /mnt/floppy
read only = no
public = yes
# DVD drive exported read-only to everyone
[dvd]
path = /mnt/dvd
read only = yes
public = yes
2. sz. melléklet: A Windows tartományi és helyi csoportjait UNIX csoportokhoz rendelő szkript (initgrps.sh)
#!/bin/sh
# initgrps.sh - bind the Windows domain groups and BUILTIN groups to UNIX
# groups with "net groupmap". Same mappings as the original one-command-per-
# line version; a failing call does not stop the remaining ones.
#
# The UNIX group a Windows group is mapped to is the group its members act
# as on this server, so "Domain Admins" -> root makes every domain
# administrator a member of the UNIX root group here.

# groupmap <modify|add> <NT group name> <UNIX group> [extra net groupmap args]
groupmap() {
    action=$1
    ntgroup=$2
    unixgroup=$3
    shift 3
    net groupmap "$action" ntgroup="$ntgroup" unixgroup="$unixgroup" "$@"
}

# domain groups
groupmap modify "Domain Admins"     root
groupmap modify "Domain Users"      users
groupmap modify "Domain Guests"     nobody
# new domain group (type=d) for the office staff
groupmap add    "Iroda"             iroda type=d
# BUILTIN groups
groupmap modify "Administrators"    sys
groupmap modify "Users"             iroda
groupmap modify "Guests"            nobody
groupmap modify "System Operators"  daemon
groupmap modify "Account Operators" wheel
groupmap modify "Backup Operators"  bin
groupmap modify "Print Operators"   lp
groupmap modify "Replicators"       kmem
groupmap modify "Power Users"       ntadmin
3. sz. melléklet: A meghajtók csatlakoztatására szolgáló bejelentkezési parancsfájl
rem Logon script (scripts\logon.cmd on the netlogon share): map the shared
rem data area and the user's home directory as drive letters.
rem %LOGONSERVER% expands to \\<server> on the client, so these become
rem \\<server>\adat and \\<server>\<user> (the [homes] share).
rem The S: mapping repeats what "logon drive = S:" / "logon home" in smb.conf
rem already hand out at logon.
net use k: %LOGONSERVER%\adat
net use s: %LOGONSERVER%\%USERNAME%
4. sz. melléklet: A LILO konfigurációs állománya (/etc/lilo.conf)
# /etc/lilo.conf - boot loader configuration for the software-RAID root
# install the boot loader on the RAID-1 array ...
boot = /dev/md0
# ... and also write a boot record to the MBR of each member disk, so the
# machine is meant to keep booting when either disk is gone
raid-extra-boot = mbr
vga = normal

# the single kernel stanza: kernel /boot/267 on the mirrored root filesystem
image = /boot/267
    root = /dev/md0
    label = 267
    read-only
    # "***" is the document's redaction of the real boot password. Together
    # with "restricted" it is only demanded when extra kernel parameters are
    # typed at the LILO prompt. The password is stored in clear text, so
    # lilo.conf itself must be readable by root only.
    password = ***
    restricted
5. sz. melléklet: A RAID konfigurációs állománya (/etc/raidtab)
# /etc/raidtab (raidtools) - three RAID-1 mirrors, each pairing the same
# partition number on /dev/sda and /dev/sdb. /dev/md0 is the boot/root array
# named in lilo.conf.
raiddev /dev/md0
raid-level 1
nr-raid-disks 2
# no hot spare: a failed member is not replaced automatically
nr-spare-disks 0
# superblock on each member, so the kernel can autodetect the array at boot
persistent-superblock 1
# chunk size only matters for striped levels; presumably kept because
# raidtools expects the keyword
chunk-size 64
device /dev/sda1
raid-disk 0
device /dev/sdb1
raid-disk 1
# second mirror: sda2 + sdb2
raiddev /dev/md1
raid-level 1
nr-raid-disks 2
nr-spare-disks 0
persistent-superblock 1
chunk-size 64
device /dev/sda2
raid-disk 0
device /dev/sdb2
raid-disk 1
# third mirror: sda3 + sdb3
raiddev /dev/md2
raid-level 1
nr-raid-disks 2
nr-spare-disks 0
persistent-superblock 1
chunk-size 64
device /dev/sda3
raid-disk 0
device /dev/sdb3
raid-disk 1
6. sz. melléklet: Az adatmentés előtt WinPopup üzenetet küldő szkript
#!/bin/sh
# Run before the backup: deliver the text in /etc/cron.mentese/uzenet as a
# WinPopup message (smbclient -M) to each of the five workstations.
# One host being unreachable does not stop the others, and the exit status
# is that of the last smbclient call, exactly as in the one-line-per-host
# original.
uzenet=/etc/cron.mentese/uzenet
for gep in gep1 gep2 gep3 gep4 gep5
do
    /bin/cat "$uzenet" | /usr/bin/smbclient -M "$gep"
done
7. sz. melléklet: Az adatmentést végző szkript
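#!/bin/sh
# Backup job: archive the system logs into the data tree, burn the whole
# data tree (/adat) to DVD, eject it, then clear the staged log archive.
#
# The original deleted /adat/log/* unconditionally, so a failed burn (bad
# medium, drive busy, growisofs missing) silently discarded the log archive
# that had just been removed from the only copy on disc. The archive is now
# removed only after growisofs reported success, and the script exits with
# growisofs' status so cron reports the failure.
/bin/tar -czf /adat/log/log.tar.gz /var/log
/usr/bin/growisofs -Z /dev/hda -R -J /adat
status=$?
/usr/bin/eject /dev/hda
if [ "$status" -eq 0 ]; then
    /bin/rm /adat/log/*
fi
exit "$status"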
8. sz. melléklet: Az SMBLDAP Tools get_next_id függvénye (/opt/IDEALX/sbin/smbldap_tools.pm)
# get_next_id(BASE_DN, ATTRIBUTE) -> next free numeric id
#
# Hands out the next value of ATTRIBUTE (e.g. uidNumber or gidNumber) from the
# sambaUnixIdPool entry named by $config{sambaUnixIdPooldn}: the pool counter
# is read, replaced by counter+1, and the candidate is then searched for under
# BASE_DN; the first candidate no existing entry carries is returned.
# Relies on the file-level globals $ldap (a bound Net::LDAP handle) and
# %config (parsed smbldap.conf: keys usersdn, suffix, sambaUnixIdPooldn).
# Dies on any LDAP error and when the pool entry cannot be found.
sub get_next_id($$) {
    my $ldap_base_dn = shift;
    my $attribute = shift;
    # NOTE(review): $tries is incremented on every collision but never compared
    # against a limit, and $found is only set immediately before the return
    # below, so the do/while never terminates on its own and the final
    # "Could not allocate" die is unreachable.
    my $tries = 0;
    my $found=0;
    my $next_uid_mesg;
    my $nextuid;
    if ($ldap_base_dn =~ m/$config{usersdn}/i) {
        # when adding a new user, we'll check if the uidNumber available is not
        # already used for a computer's account
        $ldap_base_dn=$config{suffix}
    }
    do {
        # read the current counter from the id pool entry
        $next_uid_mesg = $ldap->search(
            base => $config{sambaUnixIdPooldn},
            filter => "(objectClass=sambaUnixIdPool)",
            scope => "base"
        );
        $next_uid_mesg->code && die "Error looking for next uid";
        if ($next_uid_mesg->count != 1) {
            die "Could not find base dn, to get next $attribute";
        }
        my $entry = $next_uid_mesg->entry(0);

        $nextuid = $entry->get_value($attribute);
        # Advance the pool counter. NOTE(review): the search above and this
        # replace are two separate LDAP operations, so two concurrent callers
        # can read the same counter value and both be handed the same id.
        my $modify=$ldap->modify( "$config{sambaUnixIdPooldn}",
            changes => [
                replace => [ $attribute => $nextuid + 1 ]
            ]
        );
        $modify->code && die "Error: ", $modify->error;
        # let's check if the id found is really free (in ou=Groups or ou=Users)...
        my $check_uid_mesg = $ldap->search(
            base => $ldap_base_dn,
            filter => "($attribute=$nextuid)",
        );
        $check_uid_mesg->code && die "Cannot confirm $attribute $nextuid is free";
        if ($check_uid_mesg->count == 0) {
            $found=1;
            return $nextuid;
        }
        # collision: the counter was already bumped, loop for the next value
        $tries++;
        print "Cannot confirm $attribute $nextuid is free: checking for the next one\n"
    } while ($found != 1);
    die "Could not allocate $attribute!";
}
9. sz. melléklet: Az OpenLDAP konfigurációs állománya (/etc/ldap/slapd.conf)
# Schemas
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
# samba.schema provides the sambaSamAccount / sambaDomain / sambaUnixIdPool
# classes used by ldapsam and smbldap-tools
include /etc/ldap/schema/samba.schema
schemacheck on
# close client connections idle for 30 seconds
idletimeout 30
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
# Access control. Rules are evaluated top down; the first matching "access to"
# applies, and within it the first matching "by" clause wins.
# root DSE: "by * auth" grants auth only, so as written it is not readable,
# not even anonymously
access to dn.base=""
by self write
by * auth
# password hashes: the owner may change them, everyone else may only bind with
# them (auth) and can never read them
access to attr=userPassword,sambaLMPassword,sambaNTPassword
by self write
by * auth
access to attr=shadowLastChange
by self write
by * read
# everything else. NOTE(review): "by *" matches anonymous as well, so the
# "by anonymous auth" clause below is never reached and the whole tree (minus
# the attributes above) is readable without binding. If anonymous read is not
# intended, put the anonymous clause first (or use "by users read"); the
# nss_ldap/pam_ldap clients in appendix 11 bind as rootbinddn and would not
# be affected.
access to *
by * read
by anonymous auth
# 256 = "stats": log connections, operations and results
loglevel 256
modulepath /usr/lib/ldap
moduleload back_bdb
# require TLS (minimum strength factor 1) for every operation
security tls=1
# server certificate, its private key (readable by the slapd user only) and
# the issuing CA
TLSCertificateFile /etc/ldap/szervercert.pem
TLSCertificateKeyFile /etc/ldap/szerverkulcs.pem
TLSCACertificateFile /etc/ldap/cacert.pem
backend bdb
# checkpoint after 1024 KB of transaction log or every 5 minutes
checkpoint 1024 5
database bdb
cachesize 10000
suffix "dc=peldadomain,dc=com"
# directory manager; this DN bypasses the ACLs above and is also the Samba
# "ldap admin dn" and the nss_ldap rootbinddn
rootdn "cn=Admin,dc=peldadomain,dc=com"
# salted SHA hash, truncated in this listing; keep slapd.conf readable by
# root/slapd only
rootpw {SSHA}N8ZEw......
directory "/var/lib/ldap"
# indices for the attributes nss_ldap and Samba search on
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUID eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
# NOTE(review): "default" only supplies index types for "index" lines that
# give none, and every line above lists its own, so this presumably has no
# effect here
index default sub
10. sz. melléklet: A BDB adatbázis konfigurációs állománya
# DB_CONFIG for the BDB backend in /var/lib/ldap, read by Berkeley DB when
# slapd opens the environment
# 150 MB cache in a single segment (gbytes, bytes, ncache)
set_cachesize 0 150000000 1
# log region size and a 2 MB in-memory log buffer
set_lg_regionmax 262144
set_lg_bsize 2097152
# transaction logs stay in the database directory; the separate log directory
# was left disabled
#set_lg_dir /var/log/bdb
# remove log files as soon as normal recovery no longer needs them. This
# keeps the directory small but rules out catastrophic recovery from archived
# logs, so directory backups (e.g. slapcat dumps) are the only fallback.
set_flags DB_LOG_AUTOREMOVE
11. sz. melléklet: Az nss_ldap és a pam_ldap modulok konfigurációs állománya
# Shared configuration of nss_ldap (NSS lookups) and pam_ldap (PAM)
# LDAP server and search base
host server1.peldadomain.com
base dc=peldadomain,dc=com
ldap_version 3
# DN used for lookups made by root; its password is read from /etc/ldap.secret,
# which must be root-only since this DN is the slapd rootdn and bypasses ACLs
rootbinddn cn=Admin,dc=peldadomain,dc=com
# search and bind timeouts in seconds
timelimit 50
bind_timelimit 50
# hard: keep retrying a failed bind, so lookups block while the server is down
bind_policy hard
# close idle connections after one hour
idle_timelimit 3600
# change passwords with the LDAP password-modify extended operation
pam_password exop
# one-level searches under ou=People / ou=Groups
nss_base_passwd ou=People,dc=peldadomain,dc=com?one
nss_base_shadow ou=People,dc=peldadomain,dc=com?one
nss_base_group ou=Groups,dc=peldadomain,dc=com?one
# StartTLS on the plain port; the server certificate is checked against this CA.
# NOTE(review): whether the peer certificate is actually enforced is governed by
# tls_checkpeer (falling back to libldap's TLS_REQCERT setting) - confirm it is,
# otherwise the CA file alone does not authenticate the server
ssl start_tls
tls_cacertfile /etc/ldap/cacert.pem
12. sz. melléklet: A PAM konfigurációs állományai
/etc/pam.d/common-account:
# account: a user that pam_ldap accepts is done here (sufficient); anyone it
# does not accept, i.e. local users or an unreachable directory, falls through
# to pam_unix
account sufficient pam_ldap.so
account required pam_unix.so
/etc/pam.d/common-auth:
# auth: try the password against LDAP first; if pam_ldap does not succeed,
# pam_unix checks it against /etc/shadow, reusing the already typed password
# (try_first_pass). nullok_secure permits empty local passwords only from the
# terminals listed in /etc/securetty.
auth sufficient pam_ldap.so
auth required pam_unix.so try_first_pass nullok_secure
/etc/pam.d/common-password:
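# password: changes go to LDAP first (pam_ldap, using the "pam_password exop"
# method from ldap.conf); only when that module does not succeed is the local
# shadow entry updated by pam_unix.
password sufficient pam_ldap.so
# try_first_pass: reuse the new password already collected by pam_ldap
# nullok: a currently empty password may be changed
# obscure: basic similarity/dictionary checks; min=4 max=15: length limits
# md5: store the local hash as MD5-crypt
# NOTE(review): min=4 is a very short minimum and nullok lets empty passwords
# exist; both are weak choices on a domain controller.
# In the listing "md5" was wrapped onto a line of its own, which PAM would
# reject as a malformed entry; it belongs at the end of this line.
password required pam_unix.so try_first_pass nullok obscure min=4 max=15 md5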
/etc/pam.d/common-session:
# session: both modules are required, so a pam_ldap session failure (for
# instance an unreachable LDAP server) presumably denies the session even to
# local users - confirm "required" rather than "optional" is intended here
session required pam_ldap.so
session required pam_unix.so
13. sz. melléklet: Az NSS konfigurációs állománya
# /etc/nsswitch.conf - lookup order: local files first, then LDAP (nss_ldap,
# configured in the ldap.conf listed above) for users, groups and shadow data
passwd: files ldap
group: files ldap
# shadow data from LDAP needs a bind that may read the password attributes;
# with the slapd ACLs above that is presumably the rootbinddn, not anonymous
shadow: files ldap
# "wins" resolves NetBIOS names through Samba's libnss_wins after DNS
hosts: files dns wins
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
# NOTE(review): netgroups come from NIS only, but no NIS client configuration
# appears in these appendices - confirm a NIS domain is actually bound
netgroup: nis
14. sz. melléklet: A tesztrendszerbeli Samba PDC konfigurációs állománya
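[global]
workgroup = TESTDOMAIN
server string = Server1
netbios name = SERVER1
# accounts live in LDAP on server1; the bind DN below needs its password
# stored in secrets.tdb (smbpasswd -w) and the connection is protected by
# StartTLS ("ldap ssl = start tls")
passdb backend = ldapsam:ldap://server1.peldadomain.com
log level = 1
# one log per client machine (%m), rotated at 50000 KB
log file = /var/log/samba/samba.%m
max log size = 50000
# account management is delegated to the IDEALX smbldap-tools (%u = user,
# %g = group); they run as root with Samba-supplied arguments
add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"
delete user script = /opt/IDEALX/sbin/smbldap-userdel "%u"
add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"
delete group script = /opt/IDEALX/sbin/smbldap-groupdel "%g"
# the two groupmod entries were wrapped across two lines in the listing;
# each must be a single smb.conf line
add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g "%g" "%u"
# -w creates a workstation (machine trust) account
add machine script = /opt/IDEALX/sbin/smbldap-useradd -w "%u"
# roaming profile, home drive and logon script handed out at domain logon
# (%L = this server, %U = the user)
logon path = \\%L\Profiles\%U
logon drive = S:
logon home = \\%L\%U
logon script = scripts\logon.cmd
domain logons = Yes
# browser election / PDC role
os level = 33
preferred master = Yes
domain master = Yes
dns proxy = No
wins support = Yes
# LDAP layout; must agree with suffix/usersdn/groupsdn in smbldap.conf
ldap admin dn = cn=Admin,dc=peldadomain,dc=com
ldap group suffix = ou=Groups
ldap machine suffix = ou=People
ldap suffix = dc=peldadomain,dc=com
ldap user suffix = ou=People
ldap ssl = start tls
# only the LAN and localhost may connect
hosts allow = 192.168.1., 127.
# when a user changes the Samba password, also change the UNIX (LDAP
# userPassword) one: passwd program runs as root and its prompts are answered
# via passwd chat (%n = new password); the chat strings match the prompts and
# result line of the ldappasswd -S call in /etc/samba/jelszovalt
unix password sync = yes
passwd program = /etc/samba/jelszovalt %u
passwd chat = *New*password* %n\n *new*password* %n\n *Success*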
# per-user home shares (what logon home \\%L\%U points at)
[homes]
comment = Home Directories
read only = No
browseable = No
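# domain logon share: clients read scripts\logon.cmd from here
[netlogon]
comment = Network Logon Service
path = /adat/netlogon
# The logon script served from here runs on every client at domain logon;
# the original "read only = No" together with "guest ok = Yes" let any
# unauthenticated host on the allowed network replace it. Clients only need
# to read it, so the share is read-only; edit the scripts on the server under
# /adat/netlogon.
read only = Yes
guest ok = Yes
locking = No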
# roaming profiles (logon path = \\%L\Profiles\%U)
[Profiles]
path = /adat/profilok
read only = No
# Samba's ownership/ACL handling for profile folders (see smb.conf(5) "profile acls")
profile acls = Yes
browseable = No
# shared data area, writable by everyone including guests
[adat]
comment = Kozos Adatok
path = /adat/kozos
read only = No
# NOTE(review): forcing 0777 on new files also sets the execute bits, which
# Windows clients do not need; 0666 for files gives the same read/write access
force create mode = 0777
force directory mode = 0777
guest ok = Yes
15. sz. melléklet: A UNIX jelszót változtató szkript
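#!/bin/sh
# /etc/samba/jelszovalt - run by Samba as "passwd program" ("jelszovalt %u") to
# set the UNIX (LDAP userPassword) password of user $1 with the password-modify
# extended operation over StartTLS (-ZZ: the TLS handshake must succeed).
# -S makes ldappasswd prompt twice for the new password and print a
# "Result: Success" line; Samba's "passwd chat" drives those prompts.
#
# The listing had this single command wrapped over three lines; it is one
# command. "***" is the document's redaction of the admin bind password.
# NOTE(review): a password given with -w is visible in the process list for
# the lifetime of the command; ldappasswd's -y <file> (read it from a
# root-only file) avoids that exposure.
ldappasswd -ZZ -x -h server1.peldadomain.com -D "cn=Admin,dc=peldadomain,dc=com" -w *** "uid=$1,ou=People,dc=peldadomain,dc=com" -S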
16. sz. melléklet: Az smbldap_tools.pm szükséges módosításai
# ugly funcs using global variables and spawning openldap clients
# Paths of the three configuration files the helpers read. smbldap_bind.conf
# carries the LDAP bind DN/password pairs, so it has to stay readable by root
# only.
my ($smbldap_conf, $smbldap_bind_conf, $samba_conf) = (
    "/etc/smbldap-tools/smbldap.conf",
    "/etc/smbldap-tools/smbldap_bind.conf",
    "/etc/samba/smb.conf",
);
17. sz. melléklet: Az SMBLDAP Tools konfigurációs állománya (smbldap.conf)
# smbldap.conf - settings for the IDEALX smbldap-tools called from smb.conf.
# Values are quoted strings; ${suffix} is expanded by the tools themselves.
# Domain SID: must equal the SID of the Samba domain TESTDOMAIN
SID="S-1-5-21-348755916-828440091-96241843"
# single server: reads (slave) and writes (master) both go to server1 on 389
slaveLDAP="server1.peldadomain.com"
slavePort="389"
masterLDAP="server1.peldadomain.com"
masterPort="389"
# StartTLS on the plain port with mandatory certificate verification against cafile
ldapTLS="1"
verify="require"
cafile="/etc/ldap/cacert.pem"
# client certificate/key presented to slapd. NOTE(review): these are the slapd
# server's own certificate and key files (see slapd.conf), so the tools need
# read access to the server's private key - a dedicated client key would avoid that
clientcert="/etc/ldap/szervercert.pem"
clientkey="/etc/ldap/szerverkulcs.pem"
suffix="dc=peldadomain,dc=com"
# users and machine accounts share ou=People (matches "ldap user suffix" and
# "ldap machine suffix" in smb.conf); groups live in ou=Groups
usersdn="ou=People,${suffix}"
computersdn="ou=People,${suffix}"
groupsdn="ou=Groups,${suffix}"
# entry holding the uidNumber/gidNumber counters read by get_next_id
sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
# !!!
# After running the smbldap.populate script this must be changed as follows:
#sambaUnixIdPooldn="sambaDomainName=TESTDOMAIN,dc=peldadomain,dc=com"
scope="sub"
# hash scheme for the UNIX userPassword attribute. NOTE(review): MD5 here is
# presumably the unsalted {MD5} scheme; the tools also accept the salted
# SSHA/SMD5 schemes, which are preferable
hash_encrypt="MD5"
crypt_salt_format="%s"
# defaults for new user accounts
userLoginShell="/bin/bash"
userHome="/home/%U"
userGecos="System User"
# gidNumber 513 = Domain Users, 515 = Domain Computers (matching their RIDs)
defaultUserGid="513"
defaultComputerGid="515"
skeletonDir="/etc/skel"
# NOTE(review): 0 presumably disables password expiry - confirm
defaultMaxPasswordAge="0"
# Samba attributes for new users (UNC paths, %U = user name)
userSmbHome="\\SERVER1\%U"
userProfile="\\SERVER1\Profiles\%U"
userHomeDrive="S:"
userScript="%U.cmd"
mailDomain="peldadomain.com"
# 0: compute the NT/LM hashes in Perl instead of calling smbpasswd
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
# 0: hash userPassword in Perl instead of calling slappasswd
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"
18. sz. melléklet: Az SMBLDAP Tools smbldap_bind.conf állománya
# smbldap_bind.conf - credentials the smbldap-tools bind with (reads: slave,
# writes: master; here both are the directory manager of server1).
# The passwords are stored in clear text ("***" is the document's redaction),
# so this file must be owned by and readable only by root.
slaveDN="cn=Admin,dc=peldadomain,dc=com"
slavePw="***"
masterDN="cn=Admin,dc=peldadomain,dc=com"
masterPw="***"
19. sz. melléklet: A tesztrendszerbeli Samba BDC konfigurációs állománya
[global]
workgroup = TESTDOMAIN
server string = Server2
# the BDC authenticates against the same LDAP directory as the PDC (server1);
# its own secrets.tdb must hold the ldap admin dn password and the same
# domain SID as the PDC
passdb backend = ldapsam:ldap://server1.peldadomain.com
log level = 1
# NOTE(review): the PDC logs to /var/log/samba/samba.%m; this path differs
log file = /var/log/samba.%m
max log size = 50000
# %L expands to this server's name, so clients logging on through the BDC
# get profiles and homes from Server2's own /adat tree and [homes] - confirm
# it is kept in sync with the PDC
logon path = \\%L\Profiles\%U
logon drive = S:
logon home = \\%L\%U
logon script = scripts\logon.cmd
domain logons = Yes
os level = 33
preferred master = Yes
# BDC role: the PDC is the domain master browser
domain master = No
dns proxy = No
# uses an existing WINS server instead of running one (presumably the PDC)
wins server = 192.168.1.10
# LDAP layout, identical to the PDC and to smbldap.conf
ldap admin dn = cn=Admin,dc=peldadomain,dc=com
ldap group suffix = ou=Groups
ldap machine suffix = ou=People
ldap suffix = dc=peldadomain,dc=com
ldap user suffix = ou=People
ldap ssl = start tls
hosts allow = 192.168.1., 127.
# password changes made here also update the LDAP userPassword through
# /etc/samba/jelszovalt, driven by passwd chat (%n = new password)
unix password sync = yes
passwd program = /etc/samba/jelszovalt %u
passwd chat = *New*password* %n\n *new*password* %n\n *Success*
# per-user home shares (what logon home \\%L\%U points at)
[homes]
comment = Home Directories
read only = No
browseable = No
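# domain logon share: clients read scripts\logon.cmd from here
[netlogon]
comment = Network Logon Service
path = /adat/netlogon
# The logon script served from here runs on every client at domain logon;
# the original "read only = No" together with "guest ok = Yes" let any
# unauthenticated host on the allowed network replace it. Clients only need
# to read it, so the share is read-only; edit the scripts on the server under
# /adat/netlogon.
read only = Yes
guest ok = Yes
locking = No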
# roaming profiles (logon path = \\%L\Profiles\%U)
[Profiles]
path = /adat/profilok
read only = No
# Samba's ownership/ACL handling for profile folders (see smb.conf(5) "profile acls")
profile acls = Yes
browseable = No
# shared data area, writable by everyone including guests
[adat]
comment = Kozos Adatok
path = /adat/kozos
read only = No
# NOTE(review): forcing 0777 on new files also sets the execute bits, which
# Windows clients do not need; 0666 for files gives the same read/write access
force create mode = 0777
force directory mode = 0777
guest ok = Yes
