9 Connecting Windows NT/2000 to a Samba Domain


Solution

First, confirm that Windows networking is set up correctly: TCP/IP and Client For Microsoft Networks must be installed, and the appropriate network settings in place, which you’ll find in Start ➝ Control Panel ➝ Network Connections.

Then, right-click My Computer, click Properties, select the Network Identification tab, and click the Network ID button. This opens the Network Identification Wizard, which takes you through all the necessary steps.



Discussion

You’ll initiate logins with Ctrl-Alt-Del. Note that you can log in either to the domain, or to the local machine without logging in to a domain, by clicking the Options button to expose a drop-down menu listing your login choices.



See Also

• Recipe 23.4, “Enabling File Sharing on Windows PCs,” in Linux Cookbook, by Carla Schroder (O’Reilly) for more information on configuring Windows networking
• Chapter 3, “Configuring Windows Clients,” in Using Samba, Second Edition, by Jay Ts et al. (O’Reilly)



11.11 Connecting Linux Clients to a Samba Domain with Command-Line Programs

Problem

Your shiny new Samba domain controller is in service and ready to rock. Your Windows clients are successfully logging in and finding shares just like they’re supposed to. How do your Linux PCs join the party using command-line utilities?



Solution

These command-line tools are for browsing, logging in, and mounting Samba shares:

smbtree
    Browses the network and displays all domains, servers, and shares in a tree structure. It is part of the Samba suite.

smbclient
    Network browser and file manager. smbclient displays domains, servers, and shares, and uses FTP-type commands to transfer files. You don’t need to mount the shares to get access to the files. Also part of the Samba suite.






Chapter 11: Single Sign-on with Samba for Mixed Linux/Windows LANs



smbmount/smbumount
    These commands are for mounting and unmounting Samba shares. Part of the smbfs package.



Discussion

Linux does not see domains the same way that Windows does, which is no surprise because the domain structure is a Windows convention. Linux sees filesystems that it either has permission to access or does not. Unlike Windows, which can either log in to a domain or log in locally, but not both, Linux users log in first to their local systems in the normal fashion, then log in to domain shares as needed. Domain shares can be configured to auto-mount in /etc/fstab, just like any other filesystem.

To browse the network and see all the domains, servers, and shares with smbtree, run it with the -N (no password) switch. This will not show nonbrowseable shares, such as users’ home directories:

    $ smbtree -N
    REDDOMAIN
        \\STINKPAD              thinkpad r32
        \\SAMBA11               Samba PDC
            \\SAMBA11\HP6L          HP6L b&w laser printer
            \\SAMBA11\ADMIN$        IPC Service (Samba PDC)
            \\SAMBA11\IPC$          IPC Service (Samba PDC)
            \\SAMBA11\share1        testfiles



You may also browse by hostname, IP address, or NetBIOS name. In this example, windbag is the hostname, and samba11 is the NetBIOS name as specified in smb.conf:

    $ smbtree -N windbag
    $ smbtree -N samba11



But not by the domain name, because the domain name is not a resolvable name.

You may see nonbrowseable shares that are accessible to you by using your username and password:

    $ smbtree -U foober
    Password:
    REDDOMAIN
        \\STINKPAD              thinkpad r32
            \\STINKPAD\C$           Default share
            \\STINKPAD\ADMIN$       Remote Admin
            \\STINKPAD\F$           Default share
            \\STINKPAD\print$       Printer Drivers
            \\STINKPAD\SharedDocs
            \\STINKPAD\IPC$         Remote IPC
        \\SAMBA11               Samba PDC
            \\SAMBA11\foober        Home Directories
            \\SAMBA11\HP6L          HP6L
            \\SAMBA11\ADMIN$        IPC Service (Samba PDC)
            \\SAMBA11\IPC$          IPC Service (Samba PDC)
            \\SAMBA11\share1        testfiles
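The two listings above make a useful audit pair: the anonymous one is what any machine on the LAN can enumerate, the authenticated one is what a domain user gets. The following is an added example, not code from the book, that parses smbtree’s tree format and reports the difference; both listings are constructed from the output shown above rather than captured live.

```python
r"""Added example (not from the book): diff what smbtree shows an anonymous
browser (-N) against a logged-in user (-U). smbtree prints a workgroup, then
\\SERVER lines, then \\SERVER\share lines, each with an optional comment."""
import re
from typing import Dict, List

# Constructed from the `smbtree -N` output shown above (not captured live).
ANON_LISTING = r"""
REDDOMAIN
    \\STINKPAD              thinkpad r32
    \\SAMBA11               Samba PDC
        \\SAMBA11\HP6L          HP6L b&w laser printer
        \\SAMBA11\ADMIN$        IPC Service (Samba PDC)
        \\SAMBA11\IPC$          IPC Service (Samba PDC)
        \\SAMBA11\share1        testfiles
"""

# Constructed from the `smbtree -U foober` output shown above.
AUTH_LISTING = r"""
REDDOMAIN
    \\STINKPAD              thinkpad r32
        \\STINKPAD\C$           Default share
        \\STINKPAD\ADMIN$       Remote Admin
        \\STINKPAD\F$           Default share
        \\STINKPAD\print$       Printer Drivers
        \\STINKPAD\SharedDocs
        \\STINKPAD\IPC$         Remote IPC
    \\SAMBA11               Samba PDC
        \\SAMBA11\foober        Home Directories
        \\SAMBA11\HP6L          HP6L
        \\SAMBA11\ADMIN$        IPC Service (Samba PDC)
        \\SAMBA11\IPC$          IPC Service (Samba PDC)
        \\SAMBA11\share1        testfiles
"""

# \\SERVER\share plus optional comment. Bare \\SERVER lines and the workgroup
# line have no second backslash, so they do not match.
SHARE_RE = re.compile(r"^\\\\([^\\\s]+)\\(\S+)(?:\s+(.*))?$")


def parse_smbtree(text: str) -> Dict[str, str]:
    r"""Map every \\SERVER\share path in a listing to its comment ('' if none)."""
    shares: Dict[str, str] = {}
    for raw in text.splitlines():
        m = SHARE_RE.match(raw.strip())
        if m:
            server, share, comment = m.groups()
            shares[f"\\\\{server}\\{share}"] = (comment or "").strip()
    return shares


def audit(anon_text: str, auth_text: str) -> Dict[str, List[str]]:
    """Shares anyone can enumerate, shares seen only after login (home
    directories, for instance), and hidden '$' shares from either listing."""
    anon, auth = parse_smbtree(anon_text), parse_smbtree(auth_text)
    return {
        "anonymous_visible": sorted(anon),
        "login_only": sorted(set(auth) - set(anon)),
        "hidden_dollar_shares": sorted(s for s in set(anon) | set(auth) if s.endswith("$")),
    }
```

Feed it real output by piping `smbtree -N` and `smbtree -U user` into files and passing their contents to audit().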






When you see the share you want, mount it on your system with smbmount, using a directory already created for this purpose, and mind your slashes. In this example, user foober mounts his Samba home directory in the local directory samba:

    $ mkdir samba
    $ smbmount //samba11/foober samba
    Password:

The smbumount command unmounts the share:

    $ smbumount samba



You may use smbclient to access file shares without having to mount them. Instead, smbclient uses FTP-like commands to transfer files. This command shows you how to browse the network. You must specify the hostname or NetBIOS name; this example uses the hostname:

    $ smbclient -N -L windbag
    Anonymous login successful
    Domain=[REDDOMAIN] OS=[Unix] Server=[Samba 3.0.10-Debian]

            Sharename       Type      Comment
            ---------       ----      -------
            share1          Disk      testfiles
            IPC$            IPC       IPC Service (Samba PDC)
            ADMIN$          IPC       IPC Service (Samba PDC)
            HP6L            Printer   HP6L
    Anonymous login successful
    Domain=[REDDOMAIN] OS=[Unix] Server=[Samba 3.0.10-Debian]

            Server               Comment
            ---------            -------
            SAMBA11              Samba PDC

            Workgroup            Master
            ---------            -------
            REDDOMAIN            SAMBA11



You can find your home directory by browsing with your login:

    $ smbclient -L samba11 -U carla
    Password:
    Domain=[REDDOMAIN] OS=[Unix] Server=[Samba 3.0.10-Debian]

            Sharename       Type      Comment
            ---------       ----      -------
            share1          Disk      testfiles
            IPC$            IPC       IPC Service (Samba PDC)
            ADMIN$          IPC       IPC Service (Samba PDC)
            HP6L            Printer   HP6L
            carla           Disk      Home Directories
    ...






Use this command to connect to your home share:

    $ smbclient -U carla //samba11/carla
    Password:
    Domain=[REDDOMAIN] OS=[Unix] Server=[Samba 3.0.10-Debian]
    smb: \>



When you are at the smb: \> prompt, type ? to show a commands list:

    smb: \> ?
    ?               altname         archive         blocksize       cancel
    case_sensitive  cd              chmod           chown           del
    dir             du              exit            get             hardlink
    help            history         lcd             link            lowercase
    ...



See? Same old familiar Linux commands. The following commands list files, then transfer the file foo from the server to the local working directory, renaming it foo-copy:

    smb: \> ls
    smb: \> get foo foo-copy
    getting file \foo of size 2131 as foo-copy (1040.5 kb/s) (average 1040.5 kb/s)
    smb: \>



Uploading files to the Samba share is done with the old familiar put command:

    smb: \> put foo-copy
    putting file foo-copy as \foo-copy (0.0 kb/s) (average 0.0 kb/s)

To close your connection to the share:

    smb: \> quit



The smbmount and smbumount commands call smbmnt. If you run into permissions problems, such as “smbmnt must be installed suid root for direct user mounts,” make smbmnt SUID with chmod:

    # chmod +s /usr/bin/smbmnt

If you are nervous about using SUID, set up sudo for authorized smbmnt users.



See Also

• Chapter 8, “Managing Users and Groups,” in Linux Cookbook, by Carla Schroder (O’Reilly) to learn how to configure sudo
• man 8 smbmount
• man 8 smbumount
• man 1 smbtree
• man 1 smbclient






11.12 Connecting Linux Clients to a Samba Domain with Graphical Programs

Problem

You or your users prefer a nice graphical interface to find and connect to Samba shares. You want to know what is available for Gnome and KDE, and also if there are any standalone programs to use in any X Windows environment.



Solution

Here are the four best graphical utilities for network browsing and connecting to Samba shares:

• The Konqueror file manager, in KDE
• The Nautilus file manager, in Gnome
• Smb4k, a nice add-on for Konqueror
• LinNeighborhood, a standalone program that works in any X Windows environment



Discussion

Each program has its quirks. Let’s look at how to use each one:

Konqueror

To browse the network, type smb:/ in the Location bar. To browse specific hosts, type smb://netbios name or hostname. You can open and edit documents directly, and save them back to the share.

Nautilus

To browse the network, type smb: in the Location bar. To go directly to a share, type smb://servername/sharename, like smb://samba11/carla.

Nautilus browses only. It does not mount shares, and it does not permit you to edit files directly. What you have to do is open a file, save it to a local drive, edit it, and then drag-and-drop a copy of the file back to the Samba share.



Smb4k

Smb4k is the easiest one to use, and has the best feature set. When you start it up, it automatically scans the network and lists all shares, and shows a nice graphic of available space on the shares. When you click on a share, it is automatically mounted in your /home/smb4k/ directory. You may configure this, as well as a number of other useful tasks, like automatically logging you in, selecting a specific server for retrieving a browse list, and configuring a list of hosts and shares that use different logins.



LinNeighborhood

LinNeighborhood is a nice, standalone LAN browser that runs in any Linux graphical environment. LinNeighborhood usually requires a bit of configuration. Open Edit ➝ Preferences. Then, under the Scan tab, enter either the hostname or NetBIOS name of your master browser, which in this chapter is “windbag” or “samba11.” Start a new network scan with Options ➝ Browse Entire Network.

On the Miscellaneous tab, you can enter a default username and select your default mount directory. This should be a directory that already exists in your home directory, something like /home/carla/samba.

On the Post Mount tab, configure your default file manager. Be sure to hit Save on every tab, and after you close the Preferences menu, click Edit ➝ Save Preferences.

You can bring up a menu for logging in as different users on different shares simply by clicking on the share you want.



See Also

• Chapter 8, “Managing Users and Groups,” in Linux Cookbook, by Carla Schroder (O’Reilly)
• Smb4K, A SMB share browser for KDE: http://smb4k.berlios.de/
• LinNeighborhood: http://www.bnro.de/~schmidjo/
• Konqueror: http://www.konqueror.org/
• Nautilus: http://www.gnome.org/projects/nautilus/






CHAPTER 12

Centralized Network Directory with OpenLDAP



12.0 Introduction

I believe that knowing how to administer a Lightweight Directory Access Protocol (LDAP) directory server has become an essential skill for a network administrator. An LDAP directory is your key to network simplicity. It is your universal directory across all platforms and applications, supporting simplified network authentication and a centralized company data store. The LDAP protocol is cross-platform, network-aware, and standards-based. There are a large number of LDAP implementations; in this chapter, we’ll use the excellent free-of-cost, free-software OpenLDAP.

LDAP is widely supported by applications; for example, most email clients come with LDAP clients. Additionally, various databases, Content Management Systems (CMS), groupware and messaging servers, authentication servers, customer management applications, and application servers can all speak to an LDAP server.

Some folks like to argue about whether LDAP is a database. Strictly speaking, it is a protocol, not a database. It accesses a special kind of database that is optimized for very fast reads. Use it for relatively static information, such as company directories, user data, customer data, passwords, asset tracking, and security keys. OpenLDAP uses the Sleepycat Berkeley DB.

Why not use an ordinary relational database like PostgreSQL, Oracle, or MySQL? You can if you like, but then you’ll lose the advantages of LDAP, which are:

• Very fast reads
• Flexible data types
• Nearly universal application support
• Fine-grained control over access to data
• Distributed storage and replication
• No need for elite database guru admins
• No need for custom APIs




You don’t want to use OpenLDAP for a retail or web site backend, for example, or any application that needs fast, frequent changes. That’s where you want an RDBMS.

The structure of the Sleepycat BDB is different from a relational database. Rather than storing information in columns and rows, and having a rigid set of indexes and fields, data are stored in attribute-type/attribute-value pairs. This structure offers great flexibility in designing records. A particular user record, for example, can have new types of data added without having to redesign the entire database. You can store any kind of text or binary data. Because it is simple like a large flat file, adding new entries is easy—just tack them on. OpenLDAP supports a distributed architecture, replication, and encryption.



LDAP Directory Structure

Let’s take a run through the basic concepts and structure of an LDAP directory. This is more important than having an encyclopedic knowledge of configuration options, because if you don’t have a clear idea of what you need and how everything fits together, LDAP will remain a mysterious mess. But it’s not really all that mysterious; once you grasp the basics, you’ll be in fine shape. As coaches always say, first master the fundamentals. An LDAP directory can be pictured as a standard upside-down tree structure, with the root portrayed as being the top, and the branches flowing downward. Figure 12-1 is a hierarchical namespace; it is also called the directory information tree (DIT).



    c=us
      s=or
        ou=alrac's cookies
          ou=qa
            ou=terryjones
          ou=devs

Figure 12-1. An example of an LDAP hierarchy




The root of this example directory is the country entry. The next stop is the state entry, then the organizational unit (OU) entry, which is the company’s name. This branches off into different company entries, which are also called organizational units. The lefthand branch terminates at a user ID (UID). The Quality Assurance (QA) OU could hold many more users than just the one in the example.

Now comes the important bit: Terry Jones has a distinguished name (DN), which consists of Terry’s Relative Distinguished Name (RDN), which in this example is the UID, plus all the ancestor entries tacked on: uid=terryjones, ou=qa, ou=alrac's cookies, ou=or, c=us. Any attribute can be the RDN; it must be unique within the level that the entry belongs to. The UID is usually unique because it is a common practice to make it the user’s login, but you could use any other attribute. Obviously, a little common sense goes a long way here; for example, there are many duplicate surnames, so using the SN attribute would cause problems. The most common RDN for people is a UID or common name (CN).

The basic unit of your directory is an entry. An entry is also called a record or directory object. Terry Jones’ entry contains a number of attributes, such as name, phone number, email address, and so forth. You can’t just invent attributes out of thin air; these must be already defined in OpenLDAP. An easy way to view them is with the GQ LDAP client (http://sourceforge.net/projects/gqclient/). You may also see them in the files in /etc/ldap/schema (on Fedora, /etc/openldap/schema) in the objectClass definitions.

You may create your own custom objectClass definitions and attribute types. I don’t recommend this unless you absolutely need something that’s not included. The default schema are extensive, and a lot of effort has gone into making them universal; there’s no need to reinvent the wheel. On the other hand (there is always another hand, isn’t there), this makes OpenLDAP flexible and extensible, and it’s easy to share custom schema.

Each attribute is made up of an attribute type and an attribute value. Attributes can have multiple values. For example, Terry Jones’ entry could look like this:

    uid=terryjones
    cn=Terry Jones
    gn=Terry
    sn=Jones
    telephoneNumber=123-456-7890
    telephoneNumber=123-456-7891
    mail=tjones@alrac.com



This shows a couple of duplicate attributes. You may use as many as you like. A common use for duplicate attributes is for people’s names, like this:

    cn=Terry Jones
    cn=T. Jones
    cn=Terry "codefiend" Jones
    cn=Codefiend

The result is that a search on any of these attribute values will succeed, so Terry Jones has nowhere to hide.

The suffix or naming context is the top of your LDAP hierarchy. In our simple example, the suffix is c=us. A common approach these days is to use your company’s domain name, like dc=alrac,dc=net. DC stands for domain component.
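The DN, RDN, and multi-valued-attribute rules above are easier to see in running code. The following is an added example, not OpenLDAP code or anything from the book: a tiny in-memory DIT that builds Terry Jones’ DN from the RDN chain (it joins the components with commas and no spaces, unlike the text’s spaced rendering), refuses a duplicate RDN at the same level, and shows that a search on any one of the cn values finds the entry.

```python
"""Added example (not OpenLDAP code): a tiny in-memory directory information
tree showing the rules above. Attributes are multi-valued, an entry's RDN is
one attribute=value pair that must be unique among its siblings, and its DN is
the RDN followed by every ancestor's RDN up to the suffix."""
from typing import Dict, List, Optional

class Entry:
    def __init__(self, rdn_attr: str, rdn_value: str, parent: Optional["Entry"] = None):
        self.attrs: Dict[str, List[str]] = {rdn_attr: [rdn_value]}
        self.rdn = f"{rdn_attr}={rdn_value}"
        self.parent = parent
        self.children: List["Entry"] = []
        if parent is not None:
            # The RDN must be unique within the level the entry belongs to.
            if any(c.rdn.lower() == self.rdn.lower() for c in parent.children):
                raise ValueError(f"duplicate RDN {self.rdn} under {parent.dn()}")
            parent.children.append(self)

    def add(self, attr: str, *values: str) -> "Entry":
        """Attributes are multi-valued: adding cn four times keeps all four."""
        self.attrs.setdefault(attr, []).extend(values)
        return self

    def dn(self) -> str:
        """RDN plus all ancestor RDNs, leaf first, joined without spaces."""
        parts, e = [], self
        while e is not None:
            parts.append(e.rdn)
            e = e.parent
        return ",".join(parts)

def search(root: Entry, attr: str, value: str) -> List[str]:
    """Subtree search: an entry matches when ANY value of `attr` equals `value`
    (case-insensitively, like caseIgnoreMatch on cn), so every cn alias hits."""
    hits, stack = [], [root]
    while stack:
        e = stack.pop()
        if any(v.lower() == value.lower() for v in e.attrs.get(attr, [])):
            hits.append(e.dn())
        stack.extend(e.children)
    return sorted(hits)

def build_example() -> Entry:
    """The tree of Figure 12-1 with Terry Jones' entry, using the DN the text gives."""
    us = Entry("c", "us")
    oregon = Entry("ou", "or", us)
    company = Entry("ou", "alrac's cookies", oregon)
    Entry("ou", "devs", company)
    qa = Entry("ou", "qa", company)
    terry = Entry("uid", "terryjones", qa)
    terry.add("cn", "Terry Jones", "T. Jones", 'Terry "codefiend" Jones', "Codefiend")
    terry.add("gn", "Terry").add("sn", "Jones").add("mail", "tjones@alrac.com")
    terry.add("telephoneNumber", "123-456-7890", "123-456-7891")
    return us
```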



Schemas, objectClasses, and Attributes

When you create an entry in a DIT, its data are contained in attributes. These belong to objectClasses. Schemas can be thought of as big bags of organized objectClasses. So, when you hear someone talking about OpenLDAP schemas, you know they are referring to the files that define the organization and types of data that go into an OpenLDAP directory. In OpenLDAP, some schema are hardcoded into slapd itself.

An objectClass is part of an objectClass hierarchy. It inherits all the properties of its parents. For example, the inetOrgPerson objectClass is one you’ll use a lot. If you look inside /etc/ldap/schema/inetorgperson.schema, you’ll find this definition:

    objectclass ( 2.16.840.1.113730.3.2.2
        NAME 'inetOrgPerson'
        DESC 'RFC2798: Internet Organizational Person'
        SUP organizationalPerson
        STRUCTURAL



This snippet shows that the long objectClass number is an official Object ID (OID) number. All of the LDAP OIDs are globally unique; you can’t just make them up. This only matters when you create a custom schema and need some new OIDs. Then, find a registrar to assign some to you, such as the Internet Assigned Numbers Authority (IANA).

The SUP (superior) organizationalPerson line tells you that its parent objectClass is organizationalPerson, which is a child of person, which is a top-level objectClass. The objectClass defines the required and optional attributes of all of its children, which you can read in any LDAP browser.

STRUCTURAL means this objectClass can be used to create entries in your DIT. You’ll also see AUXILIARY objectClasses; these cannot stand alone, but must be used alongside a STRUCTURAL objectClass.



An objectClass is also an attribute.

Don’t worry if this doesn’t make a lot of sense right now. After you create a simple directory, you’ll see how it all fits together.






The “Secret” RootDSE

One more thing you should know about: the rootDSE. This is one of those clever self-referential geek names: DSE stands for DSA Specific Entry, and DSA means Directory System Agent. This is the invisible topmost entry in your LDAP hierarchy; the built-in attributes of your LDAP server. To see these, run these two commands on your LDAP server:

    $ ldapsearch -x -s base -b "" +
    # extended LDIF
    #
    # LDAPv3
    # base <> with scope baseObject
    # filter: (objectclass=*)
    # requesting: +
    #

    #
    dn:
    structuralObjectClass: OpenLDAProotDSE
    configContext: cn=config
    namingContexts: dc=alrac,dc=net
    supportedControl: 2.16.840.1.113730.3.4.18
    supportedControl: 2.16.840.1.113730.3.4.2
    [...]
    supportedFeatures: 1.3.6.1.4.1.4203.1.5.4
    supportedFeatures: 1.3.6.1.4.1.4203.1.5.5
    supportedLDAPVersion: 3
    supportedSASLMechanisms: DIGEST-MD5
    supportedSASLMechanisms: CRAM-MD5
    supportedSASLMechanisms: NTLM
    entryDN:
    subschemaSubentry: cn=Subschema

    # search result
    search: 2
    result: 0 Success

    # numResponses: 2
    # numEntries: 1



All those long numbers are official Object Identifiers (OIDs). To learn more about these, visit http://www.alvestrand.no/objectid/. This includes a searchable database, so you can see what a particular OID means.

This shows the same output, plus a bale of subschema:

    $ ldapsearch -x -s base -b "cn=subschema" objectclasses
    [...]
    # Subschema
    dn: cn=Subschema
    objectClasses: ( 2.5.6.0 NAME 'top' DESC 'top of the superclass chain' ABSTRAC
     T MUST objectClass )
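Note the last line: ldapsearch wraps long LDIF values and marks the continuation with a leading space, which is why “ABSTRACT” is split in two above. Anyone scripting against this output (to check which SASL mechanisms a server advertises, say) has to unfold those lines and skip the “#” comments first. The following is an added example, not from the book, that does both; its sample LDIF is constructed from the two listings above, trimmed to a few attributes.

```python
"""Added example (not from the book): parse the LDIF that ldapsearch prints,
as in the rootDSE and cn=Subschema listings above, honouring two LDIF rules:
'#' lines are comments, and a line starting with one space continues the
previous line (which is why 'ABSTRAC' / ' T MUST objectClass )' is split)."""
import re
from typing import Dict, List

# Constructed from the two listings above, trimmed to a few attributes.
SAMPLE_LDIF = """\
# base <> with scope baseObject
# requesting: +

#
dn:
namingContexts: dc=alrac,dc=net
supportedLDAPVersion: 3
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: NTLM
subschemaSubentry: cn=Subschema

# Subschema
dn: cn=Subschema
objectClasses: ( 2.5.6.0 NAME 'top' DESC 'top of the superclass chain' ABSTRAC
 T MUST objectClass )
"""

def unfold(text: str) -> List[str]:
    """Join continuation lines (leading single space) onto the line before."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Blank-line-separated records of attr -> values. Duplicate attributes are
    kept in order (LDAP attributes are multi-valued); '#' lines are skipped."""
    records: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfold(text) + [""]:  # trailing "" flushes the last record
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                records.append(current)
            current = {}
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not an LDIF attribute line: {line!r}")
        current.setdefault(name.strip(), []).append(value.strip())
    return records

def objectclass_names(entry: Dict[str, List[str]]) -> List[str]:
    """NAME of each objectClasses definition, e.g. 'top' from the value above."""
    found = [re.search(r"NAME\s+'([^']+)'", v) for v in entry.get("objectClasses", [])]
    return [m.group(1) for m in found if m]
```

Base64 values (the “attr:: …” form) are left undecoded here; real ldapsearch output can contain them for non-ASCII values.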


