[samba-jp:19340] Re: NT domain migration with samba+LDAP
k_umeda @ r-ts.co.jp
Thu, 15 Mar 2007 09:57:01 JST
Umeda here.
Takahashi-san, thank you for your reply.
Version information:
On MiracleLinux V4 SP2, which was released the other day,
# rpm -qa |grep samba
samba-swat-3.0.20b-2AX
samba-common-3.0.20b-2AX
samba-client-3.0.20b-2AX
samba-3.0.20b-2AX
# rpm -qa |grep smbldap
smbldap-tools-0.8.7-4AX
is what we have.
As for the work procedure, I followed the steps below, made sure that no leftover garbage remained before running the net rpc vampire command, and then ran it.
I have been reviewing slapd.conf and the rest of the configuration in general, but if something were wrong there I would expect it to affect the retrieval of user accounts as well; as you say, Takahashi-san, I suspect the relevant part is the script section of smb.conf...
------------------------
Stop the services
# /etc/rc.d/init.d/smb stop
# /etc/rc.d/init.d/ldap stop
Initialize LDAP
# rm -f /var/lib/ldap/*
Start LDAP
# /etc/rc.d/init.d/ldap start
Look at the current state
# getent passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
(snip)
squid:x:23:23::/var/spool/squid:/sbin/nologin
mailman:x:41:41:GNU Mailing List Manager:/usr/lib/mailman:/sbin/nologin
user001:x:512:512::/home/user001:/bin/bash
← only the OS base accounts plus the one account created for ssh
Populate the initial data
#smbldap-populate -a Administrator -b Guest
Using workgroup name from sambaUnixIdPooldn (smbldap.conf):
sambaDomainName=nt40dom
Using builtin directory structure
adding new entry: dc=nt40dom,dc=local
adding new entry: ou=Users,dc=nt40dom,dc=local
adding new entry: ou=Groups,dc=nt40dom,dc=local
adding new entry: ou=Computers,dc=nt40dom,dc=local
adding new entry: ou=HostsGroups,dc=nt40dom,dc=local
adding new entry: ou=Idmap,dc=nt40dom,dc=local
adding new entry: sambaDomainName=nt40dom,dc=nt40dom,dc=local
adding new entry: uid=Administrator,ou=Users,dc=nt40dom,dc=local
adding new entry: uid=Guest,ou=Users,dc=nt40dom,dc=local
adding new entry: cn=Domain Admins,ou=Groups,dc=nt40dom,dc=local
adding new entry: cn=Domain Users,ou=Groups,dc=nt40dom,dc=local
adding new entry: cn=Domain Guests,ou=Groups,dc=nt40dom,dc=local
adding new entry: cn=Domain Computers,ou=Groups,dc=nt40dom,dc=local
adding new entry: cn=Administrators,ou=Groups,dc=nt40dom,dc=local
adding new entry: cn=Print Operators,ou=Groups,dc=nt40dom,dc=local
adding new entry: cn=Backup Operators,ou=Groups,dc=nt40dom,dc=local
adding new entry: cn=Replicators,ou=Groups,dc=nt40dom,dc=local
Accounts after populating the initial data
# getent passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
(snip)
squid:x:23:23::/var/spool/squid:/sbin/nologin
mailman:x:41:41:GNU Mailing List Manager:/usr/lib/mailman:/sbin/nologin
user001:x:512:512::/home/user001:/bin/bash
Administrator:x:998:512:Netbios Domain Administrator:/home/Administrator:/bin/false
Guest:x:999:514:Guest:/dev/null:/bin/false
# getent group
root:x:0:root
bin:x:1:root,bin,daemon
daemon:x:2:root,bin,daemon
(snip)
squid:x:23:
mailman:x:41:
user001:x:512:
Domain Admins:x:512:Administrator
Domain Users:x:513:
Domain Guests:x:514:
Domain Computers:x:515:
Administrators:x:544:
Print Operators:x:550:
Backup Operators:x:551:
Replicators:x:552:
BUILTIN\administrators:x:1000:
BUILTIN\print operators:x:1001:
BUILTIN\backup operators:x:1002:
BUILTIN\replicators:x:1003:
← it looks like the OS accounts and the user information up through the initial data have been loaded
# smbldap-passwd Administrator
Changing password for Administrator
New password :
Retype new password :
Join the domain
# net rpc join -S nt_pdc -w nt40dom -U Administrator%password
Joined domain nt40dom.
Start samba on the BDC
# /etc/rc.d/init.d/smb start
Starting SMB services: [ OK ]
Starting NMB services: [ OK ]
Migrate the accounts
#net rpc vampire -S nt_pdc -U Administrator%password
Fetching DOMAIN database
Creating unix group: 'soumu'
Creating account: Administrator
[2007/03/15 09:23:38, 0]
passdb/pdb_ldap.c:ldapsam_add_sam_account(1782)
ldapsam_add_sam_account: User 'Administrator' already in the base, with samba attributes
Creating account: Guest
[2007/03/15 09:23:38, 0]
passdb/pdb_ldap.c:ldapsam_add_sam_account(1782)
ldapsam_add_sam_account: User 'Guest' already in the base, with samba attributes
Creating account: nt_pdc$
Added user nt_pdc$.
[2007/03/15 09:23:42, 0]
passdb/pdb_ldap.c:ldapsam_add_sam_account(1782)
ldapsam_add_sam_account: User 'nt_pdc$' already in the base, with samba attributes
Creating account: sato
Creating account: suzuki
Creating account: takahashi
Creating account: hashimoto
Creating account: PC02$
Added user PC02$.
[2007/03/15 09:23:55, 0]
passdb/pdb_ldap.c:ldapsam_add_sam_account(1782)
ldapsam_add_sam_account: User 'PC02$' already in the base, with samba attributes
Creating account: PC03$
Added user PC03$.
[2007/03/15 09:23:59, 0]
passdb/pdb_ldap.c:ldapsam_add_sam_account(1782)
ldapsam_add_sam_account: User 'PC03$' already in the base, with samba attributes
Creating account: PC04$
Added user PC04$.
[2007/03/15 09:24:02, 0]
passdb/pdb_ldap.c:ldapsam_add_sam_account(1782)
ldapsam_add_sam_account: User 'PC04$' already in the base, with samba attributes
Creating account: PC05$
Added user PC05$.
[2007/03/15 09:24:06, 0]
passdb/pdb_ldap.c:ldapsam_add_sam_account(1782)
ldapsam_add_sam_account: User 'PC05$' already in the base, with samba attributes
Creating account: PC06$
Added user PC06$.
[2007/03/15 09:24:10, 0]
passdb/pdb_ldap.c:ldapsam_add_sam_account(1782)
ldapsam_add_sam_account: User 'PC06$' already in the base, with samba attributes
Creating account: PC01-XP$
Added user PC01-XP$.
[2007/03/15 09:24:15, 0]
passdb/pdb_ldap.c:ldapsam_add_sam_account(1782)
ldapsam_add_sam_account: User 'PC01-XP$' already in the base, with samba attributes
Creating account: nag-jsrv-03$
Added user nag-jsrv-03$.
[2007/03/15 09:24:19, 0]
passdb/pdb_ldap.c:ldapsam_add_sam_account(1782)
ldapsam_add_sam_account: User 'nag-jsrv-03$' already in the base, with samba attributes
Group members of user001:
Group members of Domain Users:
sato(primary),suzuki(primary),takahashi(primary),hashimoto(primary),
Cannot delete user (sato) from his primary group (Domain Users)
Cannot delete user (suzuki) from his primary group (Domain Users)
Cannot delete user (takahashi) from his primary group (Domain Users)
Cannot delete user (hashimoto) from his primary group (Domain Users)
Group members of Domain Guests: Guest(primary),
Group members of soumu: sato,suzuki,hashimoto,
adding user sato to group soumu
adding user suzuki to group soumu
adding user hashimoto to group soumu
Fetching BUILTIN database
skipping SAM_DOMAIN_INFO delta for 'Builtin' (is not my domain)
Creating unix group: 'Account Operators'
Creating unix group: 'Guests'
Creating unix group: 'Server Operators'
Creating unix group: 'Users'
Check the accounts
# getent passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
(snip)
squid:x:23:23::/var/spool/squid:/sbin/nologin
mailman:x:41:41:GNU Mailing List Manager:/usr/lib/mailman:/sbin/nologin
user001:x:512:512::/home/user001:/bin/bash
Administrator:x:998:512:Netbios Domain Administrator:/home/Administrator:/bin/false
Guest:x:999:514:Guest:/dev/null:/bin/false
nt_pdc$:x:1000:515:Computer:/dev/null:/bin/false
sato:x:1001:513:System User:/home/sato:/bin/bash
suzuki:x:1002:513:System User:/home/suzuki:/bin/bash
takahashi:x:1003:513:System User:/home/takahashi:/bin/bash
hashimoto:x:1004:513:System User:/home/hashimoto:/bin/bash
PC02$:x:1005:515:Computer:/dev/null:/bin/false
PC03$:x:1006:515:Computer:/dev/null:/bin/false
PC04$:x:1007:515:Computer:/dev/null:/bin/false
PC05$:x:1008:515:Computer:/dev/null:/bin/false
PC06$:x:1009:515:Computer:/dev/null:/bin/false
PC01-XP$:x:1010:515:Computer:/dev/null:/bin/false
nag-jsrv-03$:x:1011:515:Computer:/dev/null:/bin/false
# getent group
root:x:0:root
bin:x:1:root,bin,daemon
daemon:x:2:root,bin,daemon
(snip)
squid:x:23:
mailman:x:41:
user001:x:512:
Domain Admins:x:512:Administrator
Domain Users:x:513:sato,suzuki,takahashi,hashimoto
Domain Guests:x:514:
Domain Computers:x:515:
Administrators:x:544:
Print Operators:x:550:
Backup Operators:x:551:
Replicators:x:552:
soumu:x:1000:sato,suzuki,hashimoto
Account Operators:x:1001:
Guests:x:1002:
Server Operators:x:1003:
Users:x:1004:
BUILTIN\administrators:x:1000:
BUILTIN\print operators:x:1001:
BUILTIN\backup operators:x:1002:
BUILTIN\replicator:x:1003:
BUILTIN\account operators:x:1004:
BUILTIN\guests:x:1005:
BUILTIN\server operators:x:1006:
BUILTIN\users:x:1007:
Check a computer account
# smbldap-usershow pc02$
dn: uid=PC02$,ou=Computers,dc=nt40dom,dc=local
objectClass: top,inetOrgPerson,posixAccount,sambaSamAccount
cn: PC02$
sn: PC02$
uid: PC02$
uidNumber: 1005
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer
sambaSID: S-1-5-21-43339713-1866483777-311576647-3010
sambaPrimaryGroupSID: S-1-5-21-43339713-1866483777-311576647-515
displayName: Computer
sambaPwdCanChange: 1173918234
sambaPwdMustChange: 1177629086
sambaLMPassword: 8F469B4B190D3F53AAD3B435B51404EE
sambaNTPassword: A582A9748B65B673A5E04363737E6852
sambaPwdLastSet: 1173918234
sambaAcctFlags: [W ]
The script section defined in smb.conf is...
add user script = /usr/lib/samba/bin/useradd.sh LDAP "%u" "smbusers"
delete user script = /usr/lib/samba/bin/userdel.sh LDAP "%u"
add group script = /usr/lib/samba/bin/groupadd.sh LDAP "%g"
delete group script = /usr/lib/samba/bin/groupdel.sh LDAP "%g"
add user to group script = /usr/lib/samba/bin/addusergroup.sh LDAP "%u" "%g"
delete user from group script = /usr/lib/samba/bin/delusergroup.sh LDAP "%u" "%g"
set primary group script = /usr/lib/samba/bin/setpgroup.sh LDAP "%u" "%g"
add machine script = /usr/lib/samba/bin/addmachine.sh LDAP "%u" "Computers"
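An added check to run alongside the "getent passwd" / "getent group" steps of the procedure above (example code, not part of Umeda-san's post and not part of smbldap-tools or Samba). The listings mix accounts that come from the LDAP backend with the BUILTIN\ groups shown beside them, and the same numeric ID can turn up under more than one name (in the getent group output above, gid 512 is listed for both user001 and Domain Admins, and gids 1000 to 1004 each appear twice). The script parses passwd- and group-format lines, reports every uid/gid number that occurs under more than one name, and lists users whose primary gid resolves to more than one group. The sample data is copied from the getent output quoted above and trimmed; the function names and temporary files are the example's own.

```shell
#!/bin/sh
# Added example, not from the original post: look for numeric ID collisions in
# the NSS view (getent passwd / getent group) after smbldap-populate and
# net rpc vampire. Sample data below is copied from the getent output in the
# post; file and function names are this example's own.

# Print "<id><TAB><name,name,...>" for every uid/gid number that is listed
# under more than one name. $1 is a file in passwd or group format.
find_dup_ids() {
    awk -F: '
        $3 ~ /^[0-9]+$/ {
            names[$3] = (names[$3] == "") ? $1 : names[$3] "," $1
            count[$3]++
        }
        END { for (id in count) if (count[id] > 1) print id "\t" names[id] }
    ' "$1" | sort -n
}

# Number of distinct colliding IDs in a passwd/group file.
count_dup_ids() {
    find_dup_ids "$1" | wc -l | tr -d ' '
}

# Print "<user><TAB><gid><TAB><group,group>" for every passwd entry whose
# primary gid is shared by more than one group name, i.e. whose primary
# group is ambiguous. $1 = passwd file, $2 = group file.
ambiguous_primary_groups() {
    awk -F: '
        FNR == NR { gn[$3] = (gn[$3] == "") ? $1 : gn[$3] "," $1; gc[$3]++; next }
        gc[$4] > 1 { print $1 "\t" $4 "\t" gn[$4] }
    ' "$2" "$1"
}

# Constructed sample input: lines copied from the getent output after
# net rpc vampire in the post, with the ordinary OS accounts trimmed.
SAMPLE_PASSWD=$(mktemp)
SAMPLE_GROUP=$(mktemp)
cat >"$SAMPLE_PASSWD" <<'EOF'
user001:x:512:512::/home/user001:/bin/bash
Administrator:x:998:512:Netbios Domain Administrator:/home/Administrator:/bin/false
Guest:x:999:514:Guest:/dev/null:/bin/false
nt_pdc$:x:1000:515:Computer:/dev/null:/bin/false
sato:x:1001:513:System User:/home/sato:/bin/bash
EOF
cat >"$SAMPLE_GROUP" <<'EOF'
user001:x:512:
Domain Admins:x:512:Administrator
Domain Users:x:513:sato,suzuki,takahashi,hashimoto
Domain Guests:x:514:
Domain Computers:x:515:
soumu:x:1000:sato,suzuki,hashimoto
Account Operators:x:1001:
Guests:x:1002:
Server Operators:x:1003:
Users:x:1004:
BUILTIN\administrators:x:1000:
BUILTIN\print operators:x:1001:
BUILTIN\backup operators:x:1002:
BUILTIN\replicator:x:1003:
BUILTIN\account operators:x:1004:
BUILTIN\guests:x:1005:
EOF

echo "GIDs shared by more than one group:"
find_dup_ids "$SAMPLE_GROUP"
echo "Users whose primary gid maps to more than one group:"
ambiguous_primary_groups "$SAMPLE_PASSWD" "$SAMPLE_GROUP"
```

On a live system, dump the real view first (getent passwd >p; getent group >g) and run find_dup_ids g and ambiguous_primary_groups p g before and after net rpc vampire. The kernel and file-system ACLs only see the number, so a local group and a domain group that share a gid are one and the same group for permission checks; a local account whose primary gid equals that of Domain Admins therefore receives every group permission granted to Domain Admins, which is worth knowing before the BDC goes into service.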