|
ru.unix.bsd
- RU.UNIX.BSD ------------------------------------------------------------------
From : Vitaly Mikhno 2:5030/537.22 20 Feb 2008 01:05:21
To : All
Subject : Hе могу скpестить ldapsam и AD
--------------------------------------------------------------------------------
> ---------- Part 2 ---------- <
pwdLastSet: 127896932565937500
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAnG2GZ5uBdjWjIV0AaQQAAA==
accountExpires: 9223372036854775807
logonCount: 1413
sAMAccountName: jane
sAMAccountType: 805306368
showInAddressBook: CN=Default Global Address List,CN=All Global Address Lists,
CN=Address Lists Container,CN=Crazy-code-developing,CN=Microsoft
Exchange,CN=Services,C
N=Configuration,DC=SuperDomain
showInAddressBook: CN=All Users,CN=All Address Lists,CN=Address Lists Containe
r,CN=Crazy-code-developing,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=SuperDomain
legacyExchangeDN: /o=Crazy-code-developing/ou=First Administrative
Group/cn=Recipients/c
n=Olga.Durolomova
userPrincipalName: jane@SuperDomain
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=SuperDomain
dSCorePropagationData: 20060419085519.0Z
dSCorePropagationData: 16010101000001.0Z
textEncodedORAddress: c=US;a=
;p=Crazy-code-developing;o=Exchange;s=Durolomova;g=Evgeni
ya;
mail: Olga.Durolomova@Crazy-code-developing.COM
msExchHomeServerName: /o=Crazy-code-developing/ou=First Administrative
Group/cn=Configur
ation/cn=Servers/cn=MySuperServer
msExchALObjectVersion: 57
msExchMailboxSecurityDescriptor:: AQAEgHgAAACUAAAAAAAAABQAAAAEAGQAAQAAAAACFAAD
AAIAAQEAAAAAAAUKAAAAAAAAAOBnfAFIdHoBeDsfB9gjdgEAAQAAAAEAAAEAAAAgAAAAEI4fB2AzI
AcAonoBoM58AfB+HQfwex0HUKN8AaBlIAeoN3sBAQUAAAAAAAUVAAAAnG2GZ5uBdjWjIV0ASAYAAA
EFAAAAAAAFFQAAAJxthmebgXY1oyFdAEgGAAA=
msExchUserAccountControl: 0
msExchMailboxGuid:: /2m73MKlZ0a4N12JKdaEGQ==
msExchPoliciesIncluded: {F827C174-E42B-4D36-92FB-D1BCF723B780},{26491CFC-9E50-
4857-861B-0CB8DF22B5D7}
===========================================
backup-server# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = SuperDomain
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
[realms]
SuperDomain = {
kdc = MySuperServer.SuperDomain:88
admin_server = MySuperServer.SuperDomain:749
default_domain = SuperDomain
}
[domain_realm]
.SuperDomain = SuperDomain
SuperDomain = SuperDomain
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
backup-server# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = SuperDomain
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
[realms]
SuperDomain = {
kdc = MySuperServer.SuperDomain:88
admin_server = MySuperServer.SuperDomain:749
default_domain = SuperDomain
}
[domain_realm]
.SuperDomain = SuperDomain
SuperDomain = SuperDomain
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
_________________________________________
=========================================
backup-server# cat /usr/local/etc/openldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example, dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
# Active Directory server. Define multiple servers by delimiting
# them with spaces.
host MySuperServer.SuperDomain
# Search base
base dc=SuperDomain
# LDAP version 3
ldap_version 2
#URI for AD server
#Switch these if not using LDAP/SSL or do not have the MS Cert Svcs installed
#in the domain
URI ldap://MySuperServer.SuperDomain
#URI ldaps://dc.example.com
# Bind DN (this might not be needed at all for anon LDAP connections(win2k)).
# This should be the DN of the AD account you have
# that can create machine accounts
#binddn cn=MyLDAPQueryPersonname,cn=users,dc=SuperDomain
bindpw MyLDAPQueryPassword
# Use port 636 for SSL
#port 636 (not really needed when ssl=on it is port 636 by default)
# Search scope
scope sub
# User ID attr for AD
pam_login_attribute sAMAccountName
#MD5 passwd hash
pam_password md5
# Break of the connection after one hour idle time
idle_timelimit 3600
# This is mapping made possible by nss_ldap
# Bases for the searches. These should be the OU's
# you create the user accounts in.
# Here we reference the standard default AD user container
# Please change to the container your users reside in
nss_base_passwd cn=Users,dc=SuperDomain?one
nss_base_group cn=Users,dc=SuperDomain?one
# The msSFU mappings reference Microsoft's Services for Unix
# Which you may uncomment if you have this installed on your DC
# *Schema mappings for Active Directory*
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_attribute uid sAMAccountName
nss_map_attribute userPassword msSFUPassword
nss_map_attribute homeDirectory msSFUHomeDirectory
nss_map_attribute uniqueMember member
nss_map_attribute cn sAMAccountName
nss_map_attribute homeDirectory msSFUHomeDirectory
nss_map_objectclass posixGroup Group
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad
# SSL is enabled - Comment this line if no MS Enterprise Root CA Cert
ssl on
# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is "no" Uncomment this is you have a client cert (you won't MS LDAP
# over SSL does not auth client cert, just a valid AD password)
#tls_checkpeer yes
# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
# This again refers to the MS Root CA Cert - comment it if none
#TLS_CACERT /etc/ca/ldapca.pem
# SSL cipher suite
# See man ciphers for syntax
# comment this if no cert
#tls_ciphers TLSv1
# Disable SASL security layers. This is needed for AD.
sasl_secprops maxssf=0
# Override the default Kerberos ticket cache location.
krb5_ccname FILE:/tmp/krb5cc_0
_________________________________________
=========================================
backup-server# cat /usr/local/etc/smb.conf
# Global parameters
[global]
workgroup = SuperDomain
realm = SuperDomain
server string = Samba File Server %v
security = ADS
client schannel = Yes
server schannel = Yes
passdb backend = ldapsam:ldap://MySuperServer.SuperDomain
socket options = TCP_NODELAY
dns proxy = No
ldap admin dn = cn=Administrator,cn=users,DC=SuperDomain
ldap suffix = DC=SuperDomain
idmap backend = idmap_rid:SuperDomain=10000-20000
allow trusted domains = no
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind separator = .
winbind enum users = No
winbind enum groups = No
winbind use default domain = Yes
force create mode = 0664
force directory mode = 0775
dos filemode = Yes
netbios name = SuperDomain
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
_________________________________________
=========================================
backup-server# cat /etc/nsswitch.conf
group: files ldap winbind
group_compat: nis
hosts: files dns
networks: files
passwd: files ldap winbind
passwd_compat: nis
shells: files
_________________________________________
Вот, идеи, комментаpии пpиветствуются, спасибо
Bye, Vitaly.
> ---------- the end. ---------- <
--- FTNed 2001 Build 0063-RC10/Win2k
* Origin: FTNed - The Best GUI FTNeditor! http://ftned.da.ru (2:5030/537.22)
Вернуться к списку тем, сортированных по: возрастание даты уменьшение даты тема автор
| Тема: |
Автор: |
Дата: |
|
Hе могу скpестить ldapsam и AD |
Vitaly Mikhno |
20 Feb 2008 01:05:21 |
|
|
