2011/12/30

format NTFS under Linux system


Format
mkntfs /dev/sdb1
Format (fast / quick: `-f` skips zeroing the volume and the bad-sector check, so whatever was on the partition before stays recoverable; use the full format above when re-purposing or handing over a drive)
mkntfs -f /dev/sdb1

2011/12/29

「轉貼」SAMBA3域控及文件服务解决方案


SAMBA3域控及文件服务解决方案
标签:  转载

原文地址:SAMBA3域控及文件服务解决方案 作者:egroupware

 在博客里搜到一个经典的samba配置,收藏起来研究研究....有兴趣的朋友也看看.

苏州XX电子有限公司SAMBA3域控及文件服务解决方案
Last update:2006.6.20 by Wang Xiantong
Email:xiantong at gmail dot com

配置文件 /opt/samba/lib/smb.conf:

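[global]
 workgroup = DOM
 netbios name = fileserver
 server string = Samba Server
 os level = 65
 preferred master = yes
 domain master = Yes
 local master = Yes
 security = user
 utmp = Yes
 winbind use default domain = Yes
 map acl inherit = Yes
 domain logons = yes
 logon path = \\%L\profiles\%U
 logon drive = Z:
 logon home = \\%L\%U
 logon script = logon.bat
 encrypt passwords = Yes
 wins support = Yes
 passdb backend = tdbsam
 # Maps NT login names to UNIX accounts. The file shipped with this write-up
 # maps "admin" to root, so that Windows login is root-equivalent on the PDC.
 username map =/opt/samba/smbusers
 log level = 1
 syslog = 0
 log file = /opt/samba/var/log.%m
 max log size = 50
 # NetBIOS-over-TCP only; port 445 is not served. Combined with the
 # interfaces / hosts allow / bind interfaces only lines below this keeps the
 # listener on the LAN segment only.
 smb ports = 139
 interfaces = 192.168.1.101/255.255.255.0
 hosts allow = 192.168.0. 192.168.1. localhost 192.168.20.
bind interfaces only = yes
 name resolve order = wins bcast hosts
 time server = Yes
 #printcap name = CUPS
 #show add printer wizard = No
 # Every member of "Domain Admins" acts as root on every share. The notes
 # further down replace this with a short explicit list (admin users = root bbc)
 # because it also breaks roaming profiles for those members; keep the list
 # as small as possible either way.
admin users = @"Domain Admins"
 add user script = /usr/sbin/useradd -s /bin/false -g "Domain Users" -m '%u'
 # userdel -r also removes the user's home directory: deleting a domain user
 # from the Windows tools destroys their data on the server.
 delete user script = /usr/sbin/userdel -r '%u'
 add group script = /usr/sbin/groupadd '%g'
 delete group script = /usr/sbin/groupdel '%g'
 # gpasswd -a APPENDS a membership. The previous `usermod -G '%g' '%u'` sets
 # the user's supplementary-group list to exactly '%g', silently dropping every
 # other department group the user was in. `deluser user group` is Debian-only;
 # gpasswd -d is the portable counterpart.
 add user to group script = /usr/bin/gpasswd -a '%u' '%g'
 delete user from group script = /usr/bin/gpasswd -d '%u' '%g'
# add user to group script = /usr/sbin/usermod -G '%g' '%u'
# delete user from group script = /usr/sbin/deluser '%u' '%g'
 add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null -g 'Domain Computers' '%u'
 dns proxy = No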

[netlogon]
 # logon.bat from this share runs on every workstation at logon, so the share
 # is read-only and hidden. The directory permissions underneath have to match:
 # anyone who can write logon.bat by another path controls every client.
 path = /opt/samba/lib/netlogon
 writeable = no
 browsable = no

 [profiles]
 # Roaming profiles (see logon path above). 0600/0700 keeps each profile
 # readable by its owner only; this is also why members of "admin users"
 # (who create their profile directory as root) cannot use it -- see the
 # "管理员" section below.
 path = /opt/samba/profiles
 browsable = no
 writable = yes
 create mask = 0600
 directory mask = 0700

[homes]
 # Per-user home share, mapped as Z: by logon home/logon drive above.
 # No create/directory mask here, so file modes follow the Samba defaults.
 comment = Home Directories
 read only = No
 browseable = No

#[printers]
 #comment = All Printers
 #path = /usr/spool/samba
 #printable = Yes
 #browseable = No

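[Common Files]
 comment = Common Files
 path = /home/DOM/commfiles
 read only = yes
 # "Material Dept" is the group smbgroupInit.sh actually creates (GID 2004,
 # RID 2004). The earlier spelling "Meterail Dept" matched no group, so that
 # department was not on the valid/write lists at all.
 valid users = @"Material Dept" @"Finance Dept" @"Engineering Dept" @"Quality Dept"
 write list = @"Material Dept" @"Finance Dept"
 read list = @"Engineering Dept" @"Quality Dept"
 # Files group read/write, nothing for "other"; directories stay traversable
 # by other local accounts (matches the chmod o+rx in the setup notes).
 create mask = 0660
 directory mask = 0771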

配置文件 /opt/samba/smbusers(下面一行把 Windows 登入名 admin 映射为 unix 的 root,这个帐户在 samba 上等同于 root,请给它设强密码并尽量少用)
root = admin

新建[netlogon]目录
>#mkdir -p /opt/samba/lib/netlogon
配置文件/opt/samba/lib/netlogon/logon.bat
net use x: \\192.168.1.2\DATA
确保是dos格式,最直白的方法是在win下编辑完成上传到这个位置即可

新建[profiles]漫游目录
>#mkdir -p /opt/samba/profiles

新建[Common Files]共享
>#mkdir /home/DOM/commfiles
>#chown -R wxt:"Domain Users" /home/DOM/commfiles
>#chmod -R ug+rwx,o+rx-w /home/DOM/commfiles

添加管理员帐户
>#/opt/samba/bin/pdbedit -a root

用来初始化组的shell smbgroupInit.sh
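#!/bin/sh
# smbgroupInit.sh -- (re)create the UNIX groups behind the Samba PDC and map
# each one to its Windows RID with `net groupmap`.
# Modified by Wang Xiantong; reworked so every group goes through one helper.
#
# Must run as root on the PDC (groupdel/groupadd/net write system state).
# It stays best-effort in the same way as before: a groupdel that fails
# because the group does not exist yet (first run) or is still a user's
# primary group ("Domain Users" is the default primary group set by
# `add user script`, so it can never be dropped once users exist) does not
# stop the script.  What is checked is the end state: the UNIX group has to
# exist before it is mapped, and a failed `net groupmap add` is reported and
# makes the exit status non-zero instead of scrolling past unnoticed.
set -u

SMBBIN=/opt/samba/bin
SMBSBIN=/opt/samba/sbin
PATH=$SMBBIN:$SMBSBIN:$PATH
export PATH

status=0

# sync_group NAME GID RID TYPE
#   Recreate UNIX group NAME with numeric GID, then map it to Windows RID.
#   TYPE is the groupmap type: d = domain (global) group, l = local alias.
#   Sets status=1 on failure so the script can exit non-zero at the end.
sync_group() {
  # First run: the group does not exist and groupdel complains -- expected,
  # so its stderr is silenced.  groupadd's errors are left visible.
  groupdel "$1" 2>/dev/null
  groupadd -g "$2" "$1"

  # Whichever of the two commands "won", the group must exist now; mapping a
  # non-existent UNIX group would leave the RID dangling.
  if ! getent group "$1" >/dev/null 2>&1; then
    printf 'smbgroupInit: UNIX group "%s" missing after groupadd\n' "$1" >&2
    status=1
    return 1
  fi

  # Always drop the old mapping first.  The original skipped this step for
  # "Domain Computers" only, so a second run tried to add a mapping that
  # already existed.
  net groupmap delete ntgroup="$1" 2>/dev/null
  if ! net groupmap add ntgroup="$1" unixgroup="$1" rid="$3" type="$4"; then
    printf 'smbgroupInit: net groupmap add for "%s" (rid %s) failed\n' "$1" "$3" >&2
    status=1
    return 1
  fi
  return 0
}

# Well-known domain groups: RID 512-515, UNIX GID = 1000 + RID.
sync_group "Domain Admins"    1512 512 d
sync_group "Domain Users"     1513 513 d
sync_group "Domain Guests"    1514 514 d
sync_group "Domain Computers" 1515 515 d

# Departmental global groups: RID and GID are both 2000-2005.
sync_group "Sales Dept"          2000 2000 d
sync_group "Finance Dept"        2001 2001 d
sync_group "Engineering Dept"    2002 2002 d
sync_group "Quality Dept"        2003 2003 d
sync_group "Material Dept"       2004 2004 d
sync_group "Administrative Dept" 2005 2005 d

# Well-known local (alias) groups: RID 544-547, UNIX GID = 1000 + RID.
sync_group "Local Admins"      1544 544 l
sync_group "Local Users"       1545 545 l
sync_group "Local Guests"      1546 546 l
sync_group "Local Power Users" 1547 547 l

exit "$status"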


嵌套组
下面的例子把全局组Domain Admins加到Local Admins本地组,把全局组Domain Users加到Local Users本地组,把全局组Domain Guests加到Local Guests本地组,把用户wxt加到全局组Domain Admins。注意:-Uroot%passwd 会把 root 的密码以明文放在命令行上,同一台机器上的其他用户可以通过 ps 看到,它也会留在 shell 历史记录里;交互式操作时建议只写 -Uroot,由 net 提示输入密码。
>#net rpc group addmem "Local Admins" "Domain Admins" -Uroot%passwd
>#net rpc group addmem "Local Users" "Domain Users" -Uroot%passwd
>#net rpc group addmem "Local Guests" "Domain Guests" -Uroot%passwd
>#net rpc group addmem "Domain Admins" wxt -Uroot%passwd

下面的例子显示本地组Local Guests的成员,从本地组Local Guests中删除全局组Domain Guests。
>#net rpc group members "Local Guests" -Uroot%passwd
>#net rpc group delmem "Local Guests" "Domain Guests" -Uroot%passwd

下面的把全局组加入到另一全局组将不能成功
>#net rpc group addmem "Domain Users" "Sales Dept" -Uroot%passwd
>#net rpc group addmem "Domain Users" "Finance Dept" -Uroot%passwd
>#net rpc group addmem "Domain Users" "Engineering Dept" -Uroot%passwd
>#net rpc group addmem "Domain Users" "Quality Dept" -Uroot%passwd

添加域信任帐户
第 一种方法,在windows nt/200x/xp pro 客户机上加入域,系统会利用smb.conf配置文件中的add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null -g 'Domain Computers' '%u'自动将该客户机加入到域。
第二种方法是手动建立(假定机器名为workstation),98/me系统要采用这个方式,XP HOME完全没有这个能力(无法加入域)
>#/usr/sbin/useradd -g "Domain Computers" -s /bin/false -d /dev/null workstation$
 >#/usr/bin/passwd -l workstation$
>#/opt/samba/bin/pdbedit -a -m workstation

添加一般域帐户
第一种方法,利用net命令
>#./net rpc user add bbc mypass -Uroot%passwd
但是这种方法得到的User默认是禁用的,还得用pdbedit来改变user-flag(同样要注意:这里新用户的密码 mypass 和 -U 后面的管理员密码都出现在命令行上,会留在 shell 历史和 ps 输出中)
>#/opt/samba/bin/pdbedit -r -c "[X]" bbc
>#/opt/samba/bin/pdbedit -r -c "[]" bbc
删除帐户
>#/opt/samba/bin/./net rpc user delete bbc
系统会利用smb.conf中配置自动建立,删除linux帐户
第二种方法
>#useradd -g "Domain Users" -s /bin/false -d /home/bbc bbc
>#/opt/samba/bin/pdbedit -a bbc

管理员
smb.conf 中参数对admin users = @"Domain Admins"指明所有的"Domain Admins"成员都可以用来管理域,比如添加帐户,组等操作。但是Domain Admins 组做为管理帐户之后,组内成员登入域将会出现无法使用profiles漫游的功能, 这是因为此时Domain Admins的成员登陆域时建立的profiles目录属主是root,而此用户实际不是root(0),profiles目录又是0600,只有目录属 主有操作权限,产生了矛盾。不知道是不是samba 的bug,我用的是samba-3.23c。
我这里的设想是"Domain Admins"会成为工作站administrators组的成员,"Domain Users"会成为工作站的"Users"组或"Power Users"组所成员,那么实际上Domain Admins的成员不能正常登入域。所以这里采取折中的方法,admin users = root bbc 让bbc root这两个帐户来管理samba PDC。chown 命令这里也能帮上忙,比如cp其它帐户的profile,然后chown给新帐户。
另smb.conf配置 文件中add user script = /usr/sbin/useradd -s /bin/false -g "Domain Users" -m '%u',这一句指明用net rpc user add 所建立的用户unix 默认组是Domain Users,因此此时用net rpc group addmem "Domain Users" bbc -Uroot%passwd将不会成功,原因不言自明。

升级samba
下载最新的samba-3.0.25b(这是 2007 年的版本;3.0.x 系列早已停止维护,新部署请使用当前仍受支持的 Samba 版本)
 >#./configure --prefix=/opt/samba --with-automount --with-smbmount --with-syslog --with-quotas --with-sys-quotas --with-utmp --with-acl-support --with-aio-support
 >#make && make install

Samba : Server requested LANMAN password (share-level security) but 'client lanman auth' is disabled


if

Server requested LANMAN password (share-level security) but 'client lanman auth' is disabled
 tree connect failed

vi  /etc/samba/smb.conf

 [global]

# Re-enables the weak LANMAN response for this host's outgoing client
# connections; it only papers over a server that still runs share-level
# security. Prefer fixing that server (security = user, NTLMv2) and leave
# this at the default "no" wherever you can.
client lanman auth = yes


2011/12/27

LDAP & Sonic SRA 4200 SSL VPN

Login SRA 4200 as admin


Portals > Domains 
add new (EX : ooxx.com)


Authentication type: LDAP
Domain name: ooxx.com
server address(LDAP server):192.168.0.0
LDAP baseDN(S)*:
dc=ooxx,dc=com


Login user name (LDAP admin) : Manager   -- NOTE: "Manager" is the directory's rootdn; the appliance stores this password and can then read and modify the whole tree. Prefer a dedicated, least-privilege bind account that can only search the users/groups the portal needs, and use LDAPS/StartTLS if the server supports it so the bind password does not cross the LAN in clear.
Login password (LDAP password): OOXX


[V]allow password changes (if allowed by LDAP server)



2011/12/15

missing DB_CONFIG

find DB_CONFIG.example

find / -name 'DB_CONFIG*' 2>/dev/null


cp /path/found/above/DB_CONFIG.example /var/lib/ldap/DB_CONFIG



2011/12/13

LDAP start WARNING


[root@dogcage var]# service ldap start
/var/lib/ldap/ou.bdb is not owned by "ldap"                [WARNING]
/var/lib/ldap/__db.006 is not owned by "ldap"              [WARNING]
/var/lib/ldap/log.0000000001 is not owned by "ldap"        [WARNING]
/var/lib/ldap/__db.003 is not owned by "ldap"              [WARNING]
/var/lib/ldap/objectClass.bdb is not owned by "ldap"       [WARNING]
/var/lib/ldap/__db.002 is not owned by "ldap"              [WARNING]
/var/lib/ldap/__db.001 is not owned by "ldap"              [WARNING]
/var/lib/ldap/alock is not owned by "ldap"                 [WARNING]
/var/lib/ldap/__db.005 is not owned by "ldap"              [WARNING]
/var/lib/ldap/__db.004 is not owned by "ldap"              [WARNING]
/var/lib/ldap/dn2id.bdb is not owned by "ldap"             [WARNING]
/var/lib/ldap/id2entry.bdb is not owned by "ldap"          [WARNING]
Checking configuration files for slapd:                    [FAILED]
bdb_db_open: database "dc=ikala,dc=tv": alock package is unstable.
backend_startup_one: bi_db_open failed! (-1)
slap_startup failed (test would succeed using the -u switch)
stale lock files may be present in /var/lib/ldap           [WARNING]
[root@dogcage var]# service ldap status
slapd is stopped


chown ldap:ldap -R /var/lib/ldap/    # run with slapd stopped; root-owned files usually mean slapadd/slapcat or slapd were run as root. If the restart still logs "unclean shutdown detected ... recovery skipped", run the BDB recovery tool (db_recover -h /var/lib/ldap, named db4_recover or slapd_db_recover on some distributions) as the ldap user before starting slapd.




[root@dogcage var]# service ldap restart
Stopping slapd:                                            [FAILED]
Checking configuration files for slapd:                    [WARNING]
bdb_db_open: database "dc=ikala,dc=tv": unclean shutdown detected; attempting recovery.
bdb_db_open: database "dc=ikala,dc=tv": recovery skipped in read-only mode. Run manual recovery if errors are encountered.
config file testing succeeded
Starting slapd:                                            [  OK  ]
[root@dogcage var]# service ldap status
slapd (pid 9048) is running...
[root@dogcage var]#