(Microsoft Word -

范明忠 [email protected] fan,bill Mandriva Coldfusion

1/89

1. 目的...........................................................................................4

2. 實作項目 ..................................................................................4

3. 實作架構設計 ..........................................................................4

3.1 構想 ................................................................................................................. 4

3.2實際作業 .......................................................................................................... 4

3.3 認證方式 ......................................................................................................... 8

4. 實作需求 ..................................................................................8

4.1 Samba與Windows整合方針 ......................................................................... 8

4.2 環境建立流程 ................................................................................................. 8

4.2.1 LDAP設定............................................................................................. 9

(1) /etc/openldap/slapd.conf ................................................................... 9

(2) /etc/openldap/slapd.access.conf ........................................................ 11

(3) /etc/openldap/ldap.conf ..................................................................... 13

(4) /etc/ldap.conf..................................................................................... 14

(5) 使用 drakauth................................................................................... 15

4.2.2 建立 CA............................................................................................... 15

(1) 建立 rootCA ................................................................................... 15

(2) 建立 openldap憑証申請書 ............................................................. 17

(3) rootCA簽章 openldap憑証 ............................................................. 18

(4) copy產生的憑証到/etc/ssl/.............................................................. 19


2/89

(5) 驗証憑証是否可用.......................................................................... 19

4.2.3（防火牆+代理伺服器 + DHCPD）設定 .......................................... 19

(1) 修改/etc/squid/squid.conf............................................................... 22

(2) 建立/var/spool/squid........................................................................ 23

(3) 修改/etc/pam.d/squid ....................................................................... 23

(4) 設定/etc/dhcpd.conf......................................................................... 24

(5) 防火牆設定...................................................................................... 24

4.2.4 SAMBA設定 ....................................................................................... 24

(1) /etc/samba/smb.conf ....................................................................... 30

(2) Smbpasswd –w password -> /etc/samba/secrets.tdb ........................ 33

(3) /etc/smbldap-tools/smbldap_bind.conf ............................................. 33

(4) /etc/smbldap-tools/smbldap.conf ...................................................... 34

4.2.5 BIND設定............................................................................................ 34

(1) /etc/named.conf............................................................................... 38

(2) /etc/rndc.conf..................................................................................... 42

(3) /var/named/........................................................................................ 43

(4) /var/named/logging.conf ................................................................... 45

(5) /var/named/bogon_acl.conf............................................................... 46

(6) 使用 view的概念 ............................................................................ 49

4.2.6 後續處理 ............................................................................................. 49

(i)建立 ntlogon.bat ................................................................................. 54

(ii) 確保漫遊檔案可以成功 ................................................................. 55

(iii) 執行 smbldap-populate -a root ....................................................... 55


3/89

(iv) 更新 SID ...................................................................................... 56

(v) 轉移帳號.......................................................................................... 56

(vi) 特別注意事項................................................................................. 56

(vii) 建立 lam系統 ............................................................................... 57

(viii) 建立使用者 .................................................................................. 59

(ix) 加入網域......................................................................................... 59

(x) 使用登入.......................................................................................... 62

(xi) 確認完成寫出................................................................................. 63

(xii) 使用安全隧道連至 samba伺服器 ............錯誤錯誤錯誤錯誤! 尚未定義書籤尚未定義書籤尚未定義書籤尚未定義書籤。。。。

(xiii) 建立 CA的流程........................................................................... 67

5. 管理 ........................................................................................67

5.1 samba管理 ..................................................................................................... 71

5.2 samba防毒 ..................................................................................................... 83

6. 改進與建議心得.....................................................................88


4/89

1. 目的目的目的目的

利用 openldap 與 samba 整合取代 win2k/win2k3 ad 或 pdc，並有效的降低 TCO。Openldap 與

samba 結合執行速度遠高於 win2k/win2k3 ad，並且可以與 linux 中個項服務整個結合如 squid

等。

而在導入 samba 之後 samba 可以作為 NT 網域的 PDC，並使用 LDAP 目錄服務作 NT 網域的

統一用戶管理。

2. 實作項目實作項目實作項目實作項目

(1) Samba 與 Windows 整合

a. 檔案與目錄權限支援 ACL 控管

b. 使用者環境整合：使用者設定檔，家目錄

c. SSO（Single Sign-On）支援：PAM，Winbind

(2) PROXY 驗證

3. 實作架構設計實作架構設計實作架構設計實作架構設計

3.1 構想構想構想構想

Samba 與 Windows 合作模式一般分為三類

(1) 第一類：Server Level


5/89


6/89

(2) 第二類：Domain Level

(3) 第三類：ADS Level


7/89

功能 WinNT Win2k/ADS Linux/OpenLDAPOpenLDAPOpenLDAPOpenLDAP

客戶端不需額外軟體 X X X

實作階層式目錄架構的可能性 X X

增加自有屬性與物件類別的擴充性 X X

目錄資料的字符集 Unicode Unicode Unicode

透過標準協定（LDAP）存取目錄的可

能性

X X

透過 SSL/TLS 由 LDAP 安全存取 X X

支援「starttls」協定 X X

支援 SASL X

NT 客戶端認證 X X 透過 Samba（註 1）

W2K 客戶端認證 X X 透過 Samba（註 2）

Linux 客戶端認證透過

winbind

透過 winbind 或

LDAP

X

整合 Kerberos 的可能性 X（註 3） X

使用獨立/高階 Kerberos 服務的可能性 X（註 4） X

對屬性和物件管理存取權限（ACLs） X X

委派管理任務 X X

主從複製 X X（註 5） X

多重主控站複製 X（註 6） X（註 7）

表格 1 NTDS、主動式目錄和 OpenLDAP 功能的一般性比較

3.2 實際作業實際作業實際作業實際作業

註解註解註解註解 [fan1]: 若 Samba 用於

Windows 客戶端對

OpenLDAP相關的認證，NT

區域網路管理者協定則用於

Windows 客戶端與 Samba 伺

服器間的認證。

註解註解註解註解 [fan2]: 若 Samba 用於

Windows 客戶端對

OpenLDAP相關的認證，NT

區域網路管理者協定則用於

Windows 客戶端與 Samba 伺

服器間的認證。

註解註解註解註解 [fan3]: Kerberos 已穩固

地整合到主動式目錄中。

註解註解註解註解 [fan4]: 雖然主動式目

錄可對外部相關的 Kerberos

伺服器作認證，但接著主動式

目錄網域會再也不能用來對

以 Windows 95/98/Me/NT 為

基礎的電腦作認證。

註解註解註解註解 [fan5]: 主動式目錄在

「混合模式」中的 Windows

2000 DC 和 Windows NT 4

BDC 之間採用主從複製。

註解註解註解註解 [fan6]: 主動式目錄在

「原生模式」下使用多重主控

站複製（其中 Windows

2000/2003 式網域獨佔地使

用）。

註解註解註解註解 [fan7]: 多重主控站複

製在 OpenLDAP 上被認為是

實驗性的，且預設為未啟動。


8/89

3.3 認證方式認證方式認證方式認證方式

(1) ldap->pam

(2) pam->ldap

4. 實作實作實作實作需求需求需求需求

4.1 Samba 與與與與 Windows 整合方針整合方針整合方針整合方針

(1) 網路瀏覽與 NetBIOS功能需求

(2) Samba安全等級與密碼加密需求

(3) 整合Windows ACL與 DFS需求

(4) 列印支援 Auto Driver Installation需求

(5) NT Domain與Windows 200x Domain需求


9/89

4.2 環境建立流程環境建立流程環境建立流程環境建立流程

4.2.1 LDAP 設定設定設定設定

(1) /etc/openldap/slapd.conf

include /usr/share/openldap/schema/core.schema

include /usr/share/openldap/schema/cosine.schema

include /usr/share/openldap/schema/corba.schema

include /usr/share/openldap/schema/inetorgperson.schema

include /usr/share/openldap/schema/java.schema

include /usr/share/openldap/schema/krb5-kdc.schema

include /usr/share/openldap/schema/kerberosobject.schema

include /usr/share/openldap/schema/misc.schema

include /usr/share/openldap/schema/nis.schema

include /usr/share/openldap/schema/openldap.schema

include /usr/share/openldap/schema/autofs.schema

include /usr/share/openldap/schema/samba.schema

include /usr/share/openldap/schema/kolab.schema

include /usr/share/openldap/schema/evolutionperson.schema

include /usr/share/openldap/schema/calendar.schema

include /usr/share/openldap/schema/sudo.schema

include /usr/share/openldap/schema/dnszone.schema

include /usr/share/openldap/schema/dhcp.schema

include /etc/openldap/schema/local.schema

# Provide write access to replicators, and cover access to any other

# attributes (default anonymous read access may be undesirable)

access to dn.subtree="dc=homeland,dc=net"

by group="cn=Replicator,ou=Groups,dc=homeland,dc=net"

by users read

by anonymous read

pidfile /var/run/ldap/slapd.pid


10/89

argsfile /var/run/ldap/slapd.args

modulepath /usr/lib/openldap

# To allow TLS-enabled connections, create /etc/ssl/openldap/ldap.pem

# and uncomment the following lines.

TLSCipherSuite HIGH:MEDIUM:+SSLv2:+SSLv3

TLSCertificateFile /etc/ssl/openldap/newcert.pem

TLSCertificateKeyFile /etc/ssl/openldap/newreq.pem

TLSCACertificateFile /etc/ssl/cacert.pem

TLSVerifyClient try

# logging

loglevel 256

##############################################################

# database definitions

##############################################################

database bdb

suffix "dc=homeland,dc=net"

rootdn "uid=root,ou=Users,dc=homeland,dc=net"

rootpw {SSHA}

# The database directory MUST exist prior to running slapd AND

# should only be accessable by the slapd/tools. Mode 700 recommended.

directory /var/lib/ldap

# Checkpoint the bdb database after 256kb of writes or 5 minutes have passed

# since the last checkpoint

checkpoint 256 5

# Indices to maintain

index objectClass,uid,uidNumber,gidNumber,memberuid eq

index cn,mail,surname,givenname eq,subinitial

# samba searches on sid

index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq


11/89

# Basic ACL (deprecated in favour of ACLs in etc/openldap/slapd.access.conf)

access to attr=userPassword

by self write

by anonymous auth

by dn="uid=root,ou=Users,dc=homeland,dc=net" write

by * none

access to *

by dn="uid=root,ou=Users,dc=homeland,dc=net" write

by * read

access to *

by group="cn=Replicator,ou=Groups,dc=homeland,dc=net" write

by * read

# Replica configuration (if this server is a slave)

#updatedn "cn=ldap-master.example.com,ou=Hosts,dc=example,dc=com"

#updateref "ldap://ldap-master.example.com"

# Replication configuration (if this server is a master)

#replica host=ldap-slave1.example.com:389

# binddn="cn=ldap-master.example.com,ou=Hosts,dc=example,dc=com"

# bindmethod=simple credentials="mypassword"

(2) /etc/openldap/slapd.access.conf

# The root DIT should be accessible to all clients

access to dn.exact=""

by * read

# So should the schema

access to dn.subtree="cn=Subschema"

by * read


12/89

access to dn.regex="^([^,]*,)?ou=[^,]+,(dc=[^,]+(,dc=[^,]+)*)$"

attrs=sambaLMPassword,sambaNTPassword,userPassword,sambaPasswordHistory,sambaPwdLast

Set

by self write

by dn.exact,expand="uid=root,ou=Users,$2" write

by group.expand="cn=Domain Controllers,ou=Groups,$2" write

by group.expand=“cn=Replicator,ou=Groups,$2” write

by anonymous auth

by * none

# ACL allowing samba domain controllers to add user accounts

access to dn.regex="^([^,]+,)?ou=Users,(dc=[^,]+(,dc=[^,]+)*)$"

attrs=entry,children,posixAccount,sambaSamAccount




by users read

by anonymous read

# allow users to modify their own "address book" entries:

access to dn.regex="([^,]+,)?ou=Users,(dc=[^,]+(,dc=[^,]+)*)$"

attrs=inetOrgPerson,mail

by self write




by users read

by anonymous read

# Allow samba domain controllers to create groups and group mappings

access to dn.regex="^([^,]+,)?ou=Groups,(dc=[^,]+(,dc=[^,]+)*)$"

attrs=entry,children,posixGroup,sambaGroupMapping




by users read


13/89

by anonymous read

# Allow samba domain controllers to create machine accounts

access to dn.regex="^([^,]+,)?ou=Computers,(dc=[^,]+(,dc=[^,]+)*)$"

attrs=entry,children,posixAccount,inetOrgperson,sambaSamAccount




by users read

by anonymous read

# Allow samba to create idmap entries

access to dn.regex="^([^,]+,)?ou=Idmap,(dc=[^,]+(,dc=[^,]+)*)$"

attrs=entry,children,sambaIdmapEntry




by users read

by anonymous read

# Allow users in the domain to add entries to the "global address book":

# For use with Evolution, the attrs list could be modified to be:

# attrs=children,entry,inetOrgPerson,evolutionperson,calEntry

# if evolutionperson.schema and calendar.schema are available

access to dn.regex="^([^,]+,)?ou=Contacts,(dc=[^,]+(,dc=[^,]+)*)$"

attrs=children,entry,inetOrgPerson

by dn.sub,expand="ou=Users,$2" write


by users read

by anonymous read

(3) /etc/openldap/ldap.conf

URI ldap://127.0.0.1

BASE dc=homeland,dc=net

HOST 127.0.0.1

TLS_CACERT /etc/ssl/cacert.pem


14/89

TLS_REQCERT try

(4) /etc/ldap.conf

# Your LDAP server. Must be resolvable without using LDAP.

host 127.0.0.1

# The distinguished name of the search base.

base dc=homeland,dc=net

# Another way to specify your LDAP server is to provide an

# uri with the server name. This allows to use

# Unix Domain Sockets to connect to a local LDAP Server.

uri ldap://127.0.0.1

# The LDAP version to use (defaults to 3

# if supported by client library)

ldap_version 3

# The search scope.

scope one

# Filter to AND with uid=%s

pam_filter objectclass=posixaccount

# The user ID attribute (defaults to uid)

pam_login_attribute uid

# Group member attribute

pam_member_attribute gid

# Use the OpenLDAP password change

# extended operation to update the password.

pam_password crypt

nss_base_passwd ou=Users,dc=homeland,dc=net?sub

nss_base_shadow ou=Users,dc=homeland,dc=net?sub


15/89

nss_base_group ou=Groups,dc=homeland,dc=net?sub

nss_base_hosts ou=Computers,dc=homeland,dc=net?sub

# OpenLDAP SSL mechanism

# start_tls mechanism uses the normal LDAP port, LDAPS typically 636

ssl start_tls

# OpenLDAP SSL options

# Require and verify server certificate (yes/no)

tls_checkpeer yes

# CA certificates for server certificate verification

# At least one of these are required if tls_checkpeer is "yes"

tls_cacertfile /etc/ssl/cacert.pem

# Client sertificate and key

# Use these, if your server requires client authentication.

tls_cert /etc/ssl/openldap/newcert.pem

tls_key /etc/ssl/openldap/newreq.pem

(5) 使用 drakauth

Dn=Dc=homeland,dc=net

Host=127.0.0.1

既可改變認證架構

4.2.2 建立建立建立建立 CA

(1) 建立 rootCA

$ /usr/lib/ssl/misc/CA.pl /usr/lib/ssl/misc/CA.pl /usr/lib/ssl/misc/CA.pl /usr/lib/ssl/misc/CA.pl ----newcanewcanewcanewca

CA certificate filename (or enter to create)


16/89

Making CA certificate ...

Generating a 1024 bit RSA private key

.................................++++++

....................................++++++

writing new private key to './demoCA/private/cakey.pem'

Enter PEM pass phrase: (輸入一個密碼，以後簽署證書時都要使用這個密碼)

Verifying - Enter PEM pass phrase: (再次輸入上面輸入的密碼作確認)

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [AU]:TWTWTWTW (國家編碼)

State or Province Name (full name) [Some-State]:TaiwanTaiwanTaiwanTaiwan (州或省份)

Locality Name (eg, city) []:TaipeiTaipeiTaipeiTaipei

Organization Name (eg, company) [Internet Widgits Pty Ltd]:CA ServiesCA ServiesCA ServiesCA Servies

Organizational Unit Name (eg, section) []:rootCArootCArootCArootCA

Common Name (eg, YOUR name) []: hohohohomeland.netmeland.netmeland.netmeland.net (CA 名字)

Email Address []:[email protected]@[email protected]@homeland.net (聯絡電郵)

看到 ./demoCA/crl 電子證書撤銷列表 (Certificate Revocation List)

./demoCA/newcerts 備份所有經這個 CA 簽署過的電子證書

./demoCA/private CA 的私有區，存放了不可以外洩的資料，例如私鑰

./demoCA/private/cakey.pem CA 的私鑰

./demoCA/index.txt

./demoCA/cacert.pem CA 的證書

./demoCA/serial


17/89

./demoCA/certs

(2) 建立 openldap憑証申請書

再來產生給 openldap 等 server 要用的憑証申請書(certificate signing request)

% openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem


............++++++

..........................++++++

writing new private key to 'newreq.pem'

-----







-----

Country Name (2 letter code) [AU]:TW

State or Province Name (full name) [Some-State]:Taiwan

Locality Name (eg, city) []:Taiwan


18/89

Organization Name (eg, company) [Internet Widgits Pty Ltd]:homeland Ltd

Organizational Unit Name (eg, section) []:homeland

Common Name (eg, YOUR name) []:homeland.net

Email Address []:[email protected]

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

上面的密碼請用空白啦，以免每次連線都要打密碼。

(3) rootCA簽章 openldap憑証

用剛產生的 rootCA 來驗証這個要給 openldap 用的 CSR 囉

% ./CA.pl -sign

Using configuration from /etc/ssl/openssl.cnf

9310:error:0E06D06C:configuration file routines:NCONF_get_string:no value:/usr/s

rc/secure/lib/libcrypto/../../../crypto/openssl/crypto/conf/conf_lib.c:329:group

=CA_default name=unique_subject

Enter pass phrase for ./demoCA/private/cakey.pem:

Check that the request matches the signature

Signature ok

Certificate Details:

Serial Number: 1 (0x1)

Validity

Not Before: Sep 30 07:46:18 2004 GMT

Not After : Sep 30 07:46:18 2005 GMT

Subject:

countryName = TW

stateOrProvinceName = Taiwan

localityName = Taipei

organizationName = homeland Ltd

organizationalUnitName = homeland

commonName = homeland.net

emailAddress = [email protected]


19/89

X509v3 extensions:

X509v3 Basic Constraints:

CA:FALSE

Netscape Comment:

OpenSSL Generated Certificate

X509v3 Subject Key Identifier:

2F:33:E4:E2:24:2E:29:87:C2:AA 5:FC:76:A6:5F:06:69:78:E9:90

X509v3 Authority Key Identifier:

keyid:74:B5:A3:12:4A:9E:4D:F2 1 1:00:AF:F3:26 B:3F:9A A:7C:10

DirName:/C=TW/ST=Taiwan/L=Taipei/O=CA

Servies/OU=rootCA/CN=homeland.net/[email protected]

serial:00

Certificate is to be certified until Sep 30 07:46:18 2005 GMT (365 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

Signed certificate is in newcert.pem

(4) copy產生的憑証到/etc/ssl/

之後把剛做出來的幾個檔 copy 到適當的位置(/etc/ssl之下)

% mv demoCA/cacert.pem /etc/ssl/cacert.pem

% mv newcert.pem /etc/ssl/openldap/newcert.pem

% mv newreq.pem /etc/ssl/openldap/newcert.pem

(5) 驗証憑証是否可用

(1)OpenSSL Output Using Server Side SSL

% openssl s_client openssl s_client openssl s_client openssl s_client ----connect localhost:636 connect localhost:636 connect localhost:636 connect localhost:636 ----showcerts showcerts showcerts showcerts ----state state state state ----CAfile CAfile CAfile CAfile

/etc/ssl/cacert.pem/etc/ssl/cacert.pem/etc/ssl/cacert.pem/etc/ssl/cacert.pem

---


20/89

Server certificate

subject=/C=TW/ST=Taiwan/L=Taipei/O=Homeland Org/OU=Homeland

Unit/CN=homeland.net/[email protected]

issuer=/C=TW/ST=Taiwan/L=Taipei/O=Homeland Org/OU=Homeland


---

Acceptable client certificate CA names

/C=TW/ST=Taiwan/L=Taipei/O=Homeland Org/OU=Homeland


---

SSL handshake has read 2083 bytes and written 742 bytes

---

New, TLSv1/SSLv3, Cipher is AES256-SHA

Server public key is 4096 bit

SSL-Session:

Protocol : TLSv1

Cipher : AES256-SHA

Session-ID:

B1852092DAB765492123E237D9473E88E1EA0A0907C8BBA092650329E46F22E9

Session-ID-ctx:

Master-Key:

36A166C427DB3BCB108FA56C57C4CB8323C38E41D3BFDA44BA58B8CCB92DF30977DE9B

21D58D70360937993936C8D22F

Key-Arg : None

Start Time: 1137034912

Timeout : 300 (sec)

Verify return code: 0 (ok)

---


21/89

(2)OpenSSL Output Using Client Authentication

% openssl s_client openssl s_client openssl s_client openssl s_client ----connect localhost:636 connect localhost:636 connect localhost:636 connect localhost:636 ----state state state state ----CAfile CAfile CAfile CAfile /etc/ssl/cacert.pem/etc/ssl/cacert.pem/etc/ssl/cacert.pem/etc/ssl/cacert.pem ----cert cert cert cert

/etc/ssl/openldap/newcert.pem/etc/ssl/openldap/newcert.pem/etc/ssl/openldap/newcert.pem/etc/ssl/openldap/newcert.pem ----key key key key /etc/ssl/openldap/newreq.pem

subject=/C=TW/ST=Taiwan/L=Taipei/O=Homeland Org/OU=Homeland


issuer=/C=TW/ST=Taiwan/L=Taipei/O=Homeland Org/OU=Homeland


---

Acceptable client certificate CA names

/C=TW/ST=Taiwan/L=Taipei/O=Homeland Org/OU=Homeland


---

SSL handshake has read 2083 bytes and written 3024 bytes

---

New, TLSv1/SSLv3, Cipher is AES256-SHA

Server public key is 4096 bit

SSL-Session:

Protocol : TLSv1

Cipher : AES256-SHA

Session-ID:

101B8D9741E8ADF5FB4E0C1A1132B1B287BEF52D9AE980D6D20C7C155856326F

Session-ID-ctx:

Master-Key:

400DE182749158EB0A0EFF3DE8E4319257844F98F0FB31FB06D7E1C6C3EF1F572B9DA9D3

34701079C345CDCE71DD5F61

Key-Arg : None

Start Time: 1137035176

Timeout : 300 (sec)

Verify return code: 0 (ok)

---

4.2.3（（（（防火牆防火牆防火牆防火牆+代理伺服器代理伺服器代理伺服器代理伺服器 + DHCPD））））設定設定設定設定


22/89

(1) 修改/etc/squid/squid.conf

http_port 3128

hierarchy_stoplist cgi-bin ?

acl QUERY urlpath_regex cgi-bin \?

no_cache deny QUERY

cache_dir diskd /var/spool/squid 9600 16 256

cache_store_log none

auth_param basic program /usr/lib/squid/pam_auth

auth_param basic children 5

auth_param basic realm Squid proxy-caching web server

auth_param basic credentialsttl 2 hours

refresh_pattern ^ftp: 1440 20% 10080

refresh_pattern ^gopher: 1440 0% 1440

refresh_pattern . 0 20% 4320

half_closed_clients off

acl all src 0.0.0.0/0.0.0.0

acl password proxy_auth REQUIRED

acl manager proto cache_object

acl localhost src 127.0.0.1/255.255.255.255

acl to_localhost dst 127.0.0.0/8

acl SSL_ports port 443 563

acl Safe_ports port 80 # http

acl Safe_ports port 21 # ftp

acl Safe_ports port 443 563 # https, snews

acl Safe_ports port 70 # gopher

acl Safe_ports port 210 # wais

acl Safe_ports port 1025-65535 # unregistered ports

acl Safe_ports port 280 # http-mgmt

acl Safe_ports port 488 # gss-http

acl Safe_ports port 591 # filemaker

acl Safe_ports port 777 # multiling http

acl CONNECT method CONNECT

http_access allow manager localhost

http_access allow password

http_access deny manager


23/89

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

http_access deny to_localhost

acl mynetwork src 192.168.0.0/255.255.255.0

http_access allow mynetwork

http_access allow localhost

http_reply_access allow all

icp_access allow all

visible_hostname [email protected]

httpd_accel_host virtual

httpd_accel_port 80

httpd_accel_with_proxy on

httpd_accel_uses_host_header on

append_domain .homeland.net

err_html_text [email protected]

deny_info ERR_CUSTOM_ACCESS_DENIED all

memory_pools off

coredump_dir /var/spool/squid

ie_refresh on

(2) 建立/var/spool/squid

建立/var/spool/squid

Squid –z 就完成建立

(3) 修改/etc/pam.d/squid

#%PAM-1.0

auth required pam_securetty.so

auth required pam_stack.so service=system-auth

auth required pam_nologin.so

account required pam_stack.so service=system-auth

password required pam_stack.so service=system-auth

session required pam_stack.so service=system-auth

session optional pam_console.so


24/89

(4) 設定/etc/dhcpd.conf

authoritative;

ddns-update-style none;

subnet 192.168.0.0 netmask 255.255.255.0 {

# default gateway

option routers 192.168.0.1;

option subnet-mask 255.255.255.0;

option domain-name "homeland.net";

option domain-name-servers 192.168.0.1;

# Seting up an ip address is better here

#option domain-name-servers ns.domain.org;

#option nis-domain "homeland.net";

range dynamic-bootp 192.168.0.128 192.168.0.254;

default-lease-time 21600;

max-lease-time 43200;

host fjufirefox {

hardware ethernet 00:13:D4:33:73:50;

fixed-address 192.168.0.123;

}

# we want the nameserver to appear at a fixed address

# host ns {

# next-server fixed.mandrakesoft.com;

# hardware ethernet 12:34:56:78:AB:CD;

# fixed-address 192.168.0.10;

# }

}

(5) 防火牆設定

說明

Eth0->對外 192.168.1.1


25/89

Eth1->對內 192.168.0.1

使用 iptables 與 shorewall 配合

修改部份為/etc/shorewall 下所有設定檔

注意到 shorewal 使用 shorewall-3.0.3-1mdk

1. vi shorewall.conf

STARTUP_ENABLED=Yes

2. vi zone

fw firewall

net ipv4

loc ipv4

3. vi masq

eth0 eth1

4. vi interfaces

net eth0 detect dhcp,tcpflags,routefilter,nosmurfs,logmartians

loc eth1 detect dhcp,tcpflags,detectnets,nosmurfs

5. vi policy

loc net ACCEPT

$FW net ACCEPT

net all DROP info

all all REJECT info

6. vi rules

Web/ACCEPT net $FW

Web/ACCEPT loc $FW

SSH/ACCEPT net $FW

SSH/ACCEPT loc $FW

SMB/ACCEPT $FW net

SMB/ACCEPT net $FW

SMB/ACCEPT $FW loc


26/89

SMB/ACCEPT loc $FW

LDAP/ACCEPT net $FW

LDAP/ACCEPT loc $FW

DNS/ACCEPT $FW net

DNS/ACCEPT loc $FW

Ping/ACCEPT loc $FW

ACCEPT $FW loc icmp

ACCEPT $FW net icmp

REDIRECT loc 3128 tcp www -

ACCEPT $FW net tcp www

(6)squid-clamav防毒方案

1. 下載 squidclam-0.11-1mdk.src.rpm

2. rpm –rebuild squidclam-0.11-1mdk.src.rpm 編譯，會產生於

/usr/src/RPM/RPMS/i586/squidclam-0.11-1mdk.i586.rpm

3. 安裝 squidclam-0.11-1mdk.i586.rpm

urpmi squidclam-0.11-1mdk.i586.rpm

4. 設定檔 /etc/squidclam.conf 內容不要修改，內容如下

proxy=http://127.0.0.1:3128

url=http://127.0.0.1/antivir.php

tmp=/tmpdata/squidclam-XXXXXXXX

rldb=200

fsize=202400

5. 修改 /etc/fstab 加入下面一行，然後掛載

tmpfs /tmpdata tmpfs rw,noexec 0 0


27/89

mkdir /tmpdata

mount /tmpdata

chown squid.squid /tmpdata

6. 確認是否掛載成功

Df (英文小寫)

要有下面此行字，才算成功

tmpfs 157M 0 157M 0% /tmpdata


28/89

7. 修改 /etc/squid/squid.conf

黃底紅色為新加入的部份

hierarchy_stoplist cgi-bin ?

icp_port 0

acl QUERY urlpath_regex cgi-bin \?

no_cache deny QUERY

redirect_program /usr/sbin/squidclam

redirect_children 15

cache_dir diskd /cache/01 3500 22 256



cache_store_log none

auth_param basic program /usr/lib/squid/pam_auth

auth_param basic children 5

auth_param basic realm Squid proxy-caching web server

auth_param basic credentialsttl 2 hours

refresh_pattern ^ftp: 1440 20% 10080

refresh_pattern ^gopher: 1440 0% 1440

refresh_pattern . 0 20% 4320

refresh_pattern \.gif$ 10080 100% 43200 override-expire

refresh_pattern \.jpg$ 10080 100% 43200 override-expire

refresh_pattern . 960 90% 43200 reload-into-ims

half_closed_clients off

acl all src 0.0.0.0/0.0.0.0

acl password proxy_auth REQUIRED

acl manager proto cache_object

acl localhost src 127.0.0.1/255.255.255.255

acl to_localhost dst 127.0.0.0/8

acl SSL_ports port 443 563

acl Safe_ports port 80 # http

acl Safe_ports port 21 # ftp

acl Safe_ports port 443 563 # https, snews

acl Safe_ports port 70 # gopher

acl Safe_ports port 210 # wais

acl Safe_ports port 1025-65535 # unregistered ports

acl Safe_ports port 280 # http-mgmt


29/89

acl Safe_ports port 488 # gss-http

acl Safe_ports port 591 # filemaker

acl Safe_ports port 777 # multiling http

acl purge method PURGE

acl CONNECT method CONNECT

redirector_access deny SSL_ports

redirector_access deny localhost

http_access allow manager localhost

http_access allow password

http_access deny manager

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

http_access deny to_localhost

acl mynetwork src 192.168.0.0/255.255.255.0

http_access allow mynetwork

http_access allow localhost

http_reply_access allow all

icp_access allow all

forwarded_for off

visible_hostname [email protected]

httpd_accel_host virtual

httpd_accel_port 80

httpd_accel_with_proxy on

httpd_accel_uses_host_header on

append_domain .homeland.net

err_html_text [email protected]

deny_info ERR_CUSTOM_ACCESS_DENIED all

memory_pools off

coredump_dir /var/spool/squid

ie_refresh on

8. 確認是否運作

Squid –k reconfigure (會停一下，是正常現象)

Tail /var/log/message 有下面一行字就表示開始運作

Jan 23 08:47:13 mail squidclam[20439]: squidclam starting up now. reload after 350 URLs


30/89

Ls –lsa /tmpdata

有下面的資料表示成功。

0 -rw------- 1 squid squid 0 Jan 23 08:46 squidclam-XX0yszPp

0 -rw------- 1 squid squid 0 Jan 23 08:47 squidclam-XX2H3o7f

0 -rw------- 1 squid squid 0 Jan 23 08:46 squidclam-XX5rKEqi

0 -rw------- 1 squid squid 0 Jan 23 08:47 squidclam-XX5VxJ0W

0 -rw------- 1 squid squid 0 Jan 23 08:47 squidclam-XX6c30PG

0 -rw------- 1 squid squid 0 Jan 23 08:47 squidclam-XX6iNCm6

0 -rw------- 1 squid squid 0 Jan 23 08:47 squidclam-XX8QJybF

0 -rw------- 1 squid squid 0 Jan 23 08:46 squidclam-XXA1joVc

4.2.4 SAMBA 設定設定設定設定

(1) /etc/samba/smb.conf

建立完成要驗證 Testparm –t /etc/smb.conf 有錯誤就要更改才可以

# Global parameters

[global]

dos charset = CP950

unix charset = CP950

display charset = CP950

workgroup = WORKGROUP

netbios name = SAMBA3PDC

server string = Samba Server %v

interfaces = eth0, eth1, lo

bind interfaces only = Yes

obey pam restrictions = Yes

passdb backend = ldapsam:ldap://127.0.0.1/

enable privileges = Yes

username map = /etc/samba/smbusers

syslog = 0

log file = /var/log/samba/log.%m


31/89

max log size = 100000

time server = Yes

deadtime = 10

socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

printcap cache time = 60

printcap name = cups

add user script = /usr/sbin/smbldap-useradd -m '%u'

add group script = /usr/sbin/smbldap-groupadd '%g' && /usr/sbin/smbldap-groupshow

%g|awk '/^gidNumber:/ {print $2}'

add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'

delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'

set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'

add machine script = /usr/sbin/smbldap-useradd -w -d /dev/null -c 'Machine Account' -s

/bin/false '%u'

logon script = ntlogon.bat

logon path = \\%L\Profiles\%U

logon drive = M:

logon home = \\%L\%U

domain logons = Yes

os level = 99

preferred master = Yes

domain master = Yes

dns proxy = No

wins proxy = Yes

wins support = Yes

ldap admin dn = uid=root,ou=Users,dc=homeland,dc=net

ldap delete dn = Yes

ldap group suffix = ou=Groups

ldap idmap suffix = ou=Idmap

ldap machine suffix = ou=Computers

ldap passwd sync = Yes

ldap suffix = dc=homeland,dc=net

ldap user suffix = ou=Users

idmap uid = 10000-20000

idmap gid = 10000-20000

winbind separator = #

winbind use default domain = Yes


32/89

printer admin = "@Print Operators"

case sensitive = No

hide files = /desktop.ini/ntuser.ini/NTUSER.*/

dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd

msdfs root = Yes

[homes]

comment = Home Directories

valid users = %U

read only = No

browseable = No

[netlogon]

comment = Network Logon Service

path = /var/lib/samba/netlogon

guest ok = Yes

root preexec = /usr/bin/ntlogon -u '%u' -g '%g' -o %a -d /var/lib/samba/netlogon/

root postexec = rm -f '/var/lib/samba/netlogon/%u.bat'

[Profiles]

path = /var/lib/samba/profiles

valid users = %U, "Domain Admins"

force user = %U

read only = No

guest ok = Yes

profile acls = Yes

browseable = No

[printers]

comment = All Printers

path = /var/spool/samba

create mask = 0700

guest ok = Yes

printable = Yes

use client driver = Yes

browseable = No


33/89

[print$]

path = /var/lib/samba/printers

valid users = "@Print Operators"

write list = "@Print Operators"

inherit permissions = Yes

guest ok = Yes

[pdf-gen]

comment = PDF Generator (only valid users)

path = /var/tmp

printable = Yes

printing = bsd

print command = /usr/share/samba/scripts/print-pdf "%s" "%H" "//%L/%u" "%m" "%I"

"%J" &

lpq command = /bin/true

lprm command = lprm -P'%p' %j

[tmp]

comment = Temporary file space

path = /tmp

read only = No

guest ok = Yes

(2) Smbpasswd –w password -> /etc/samba/secrets.tdb

Smbpasswd –w password -> /etc/samba/secrets.tdb

Setting stored password for “uid=root,ou=Users,dc=homelnad,dc=net” in secrets.tdb

(3) /etc/smbldap-tools/smbldap_bind.conf

############################

# Credential Configuration #

############################

# Notes: you can specify two differents configuration if you use a

# master ldap for writing access and a slave ldap server for reading access

# By default, we will use the same DN (so it will work for standard Samba

# release)


34/89

slaveDN="uid=root,ou=Users,dc=homeland,dc=net"

slavePw="password"

masterDN="uid=root,ou=Users,dc=homeland,dc=net"

masterPw=" password "

(4) /etc/smbldap-tools/smbldap.conf

使用 net getlocalsid 取得 sid

/etc/smbldap-tools/smbldap.conf

##############################################################################

#

# General Configuration

#

##############################################################################

# Put your own SID

# to obtain this number do: net getlocalsid

SID="S-1-5-21-957364582-1604034972-1376365676"

##############################################################################

#

# LDAP Configuration

#

##############################################################################

# Ex: slaveLDAP=127.0.0.1

slaveLDAP="127.0.0.1"

slavePort="389"

# Master LDAP : needed for write operations

# Ex: masterLDAP=127.0.0.1

masterLDAP="127.0.0.1"

masterPort="389"

# Use TLS for LDAP

# If set to 1, this option will use start_tls for connection

# (you should also used the port 389)


35/89

ldapTLS="1"

# How to verify the server's certificate (none, optional or require)

# see "man Net::LDAP" in start_tls section for more details

verify="require"

# CA certificate


cafile="/etc/ssl/cacert.pem"

# certificate to use to connect to the ldap server


clientcert="/etc/ssl/openldap/newcert.pem"

# key certificate to use to connect to the ldap server


clientkey="/etc/ssl/openldap/newreq.pem"

# LDAP Suffix

# Ex: suffix=dc=homeland,dc=net

suffix="dc=homeland,dc=net"

# Where are stored Users

# Ex: usersdn="ou=Users,dc=homeland,dc=net"

usersdn="ou=Users,${suffix}"

# Where are stored Computers

# Ex: computersdn="ou=Computers,dc=homeland,dc=net"

computersdn="ou=Computers,${suffix}"

# Where are stored Groups

# Ex groupsdn="ou=Groups,dc=homeland,dc=net"

groupsdn="ou=Groups,${suffix}"

# Where are stored Idmap entries (used if samba is a domain member server)

# Ex groupsdn="ou=Idmap,dc=homeland,dc=net"

idmapdn="ou=Idmap,${suffix}"


36/89

# Where to store next uidNumber and gidNumber available

#sambaUnixIdPooldn="sambaDomainName=SMB3,${suffix}"

sambaUnixIdPooldn="sambaDomainName=WORKGROUP,${suffix}"

# Default scope Used

scope="sub"

# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)

hash_encrypt="SSHA"

# if hash_encrypt is set to CRYPT, you may set a salt format.

# default is "%s", but many systems will generate MD5 hashed

# passwords if you use "$1$%.8s". This parameter is optional!

crypt_salt_format="%s"

##############################################################################

#

# Unix Accounts Configuration

#

##############################################################################

# Login defs

# Default Login Shell

# Ex: userLoginShell="/bin/bash"

userLoginShell="/bin/bash"

# Home directory

# Ex: userHome="/home/%U"

userHome="/home/%U"

# Gecos

userGecos="System User"

# Default User (POSIX and Samba) GID

defaultUserGid="513"


37/89

# Default Computer (Samba) GID

defaultComputerGid="515"

# Skel dir

skeletonDir="/etc/skel"

# Default password validation time (time in days) Comment the next line if

# you don't want password to be enable for defaultMaxPasswordAge days (be

# careful to the sambaPwdMustChange attribute's value)

defaultMaxPasswordAge="120"

##############################################################################

#

# SAMBA Configuration

#

##############################################################################

# The UNC path to home drives location (%U username substitution)

# Ex: \\My-PDC-netbios-name\homes\%U

# Just set it to a null string if you want to use the smb.conf 'logon home'

# directive and/or disable roaming profiles

#userSmbHome="\\PDC-SMB3\homes\%U"

userSmbHome="\\SAMBA3PDC\homes\%U"

# The UNC path to profiles locations (%U username substitution)

# Ex: \\My-PDC-netbios-name\profiles\%U

# Just set it to a null string if you want to use the smb.conf 'logon path'


#userProfile="\\PDC-SMB3\profiles\%U"

userProfile="\\SAMBA3PDC\profiles\%U"

# The default Home Drive Letter mapping

# (will be automatically mapped at logon time if home directory exist)

# Ex: H: for H:

#userHomeDrive="H:"

userHomeDrive="M:"


38/89

# The default user netlogon script name (%U username substitution)

# if not used, will be automatically username.cmd

# make sure script file is edited under dos

# Ex: %U.cmd

# userScript="startup.cmd" # make sure script file is edited under dos

#userScript="%U.cmd"

userScript="ntlogon.bat"

# Domain appended to the users "mail"-attribute

# when smbldap-useradd -M is used

mailDomain="homeland.net"

##############################################################################

#

# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)

#

##############################################################################

# Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but

# prefer Crypt::SmbHash library

with_smbpasswd="0"

smbpasswd="/usr/bin/smbpasswd"

# Allows not to use slappasswd (if with_slappasswd == 0 in smbldap_conf.pm)

# but prefer Crypt:: libraries

with_slappasswd="0"

slappasswd="/usr/sbin/slappasswd"

4.2.5 BIND 設定設定設定設定

(1) /etc/named.conf

// generated by named-bootconf.pl


39/89

// secret must be the same as in /etc/rndc.conf (下面這個部份與 rndc.conf 有關)

key "key" {

algorithm hmac-md5;

secret

"7X/kAIMk0Ne14Kgz99LMF/vbxiZJxcbxClZRqSjJyFRYbNeR/1MpHJBfYJ0RahdkHtEQhN3LcF

0qLsLazIRQ/w==";

};

controls {

inet 127.0.0.1 port 953 allow { any; } keys { "key"; };

};

// Access lists (ACL's) should be defined here

include "/var/named/bogon_acl.conf";

options {

version "";

directory "/var/named";

pid-file "/var/run/named/named.pid"; // Put pid file in working dir

dump-file "/var/tmp/named_dump.db";

statistics-file "/var/tmp/named.stats";

zone-statistics yes;

coresize 100M;

auth-nxdomain yes;

/*

* If there is a firewall between you and nameservers you want

* to talk to, you might need to uncomment the query-source

* directive below. Previous versions of BIND always asked

* questions using port 53, but BIND 8.1 uses an unprivileged

* port by default.

*/

//

query-source address * port *;

listen-on port 53 { any; };

cleaning-interval 120;


40/89

transfers-in 20;

transfers-per-ns 2;

lame-ttl 0;

max-ncache-ttl 10800;

// Prevent DoS attacks by generating bogus zone transfer

// requests. This will result in slower updates to the

// slave servers (e.g. they will await the poll interval

// before checking for updates).

notify no;

// Generate more efficient zone transfers. This will place

// multiple DNS records in a DNS message, instead of one per

// DNS message.

transfer-format many-answers;

// Set the maximum zone transfer time to something more

// reasonable. In this case, we state that any zone transfer

// that takes longer than 60 minutes is unlikely to ever

// complete. WARNING: If you have very large zone files,

// adjust this to fit your requirements.

max-transfer-time-in 60;

// We have no dynamic interfaces, so BIND shouldn't need to

// poll for interface state {UP|DOWN}.

interface-interval 0;

// Uncoment these to enable IPv6 connections support

// IPv4 will still work

// listen-on { none; };

// listen-on-v6 { any; };

// Deny anything from the bogon networks as

// detailed in the "bogon" ACL.

blackhole { bogon; };


41/89

};

// define logging channels

include "/var/named/logging.conf";

//

// a caching only nameserver config

//

zone "." {

type hint;

file "named.root";

};

zone "0.0.127.in-addr.arpa" {

type master;

file "localhost.rev";

};

zone "homeland.net" {

type master;

file "homeland.net.hosts";

allow-update { key "key"; };

};


type master;

file "192.168.0.rev";


};

// workaround stupid stuff... (OE: Wed 17 Sep 2003)

zone "ac" { type delegation-only; };

zone "cc" { type delegation-only; };

zone "com" { type delegation-only; };

zone "cx" { type delegation-only; };

zone "museum" { type delegation-only; };

zone "net" { type delegation-only; };


42/89

zone "nu" { type delegation-only; };

zone "ph" { type delegation-only; };

zone "sh" { type delegation-only; };

zone "tm" { type delegation-only; };

zone "ws" { type delegation-only; };

(2) /etc/rndc.conf

options {

default-server localhost;

default-key "key";

default-port 953;

};

server localhost {

key "key";

};

key "key" {

algorithm hmac-md5;

secret


0qLsLazIRQ/w==";

};

做法：

1. dnssec-keygen -a hmac-md5 -b 512 -n HOST localhost

2. 產生兩個檔案

Klocalhost.+157+26421.private

Klocalhost.+157+26421.key

3. 查看內容

甲、 [root@localhost rndc]# cat Klocalhost.+157+26421.private

Private-key-format: v1.2

Algorithm: 157 (HMAC_MD5)


43/89

Key:

7X/kAIMk0Ne14Kgz99LMF/vbxiZJxcbxClZRqSjJyFRYbNeR/1MpHJBfYJ

0RahdkHtEQhN3LcF0qLsLazIRQ/w==

乙、 [root@localhost rndc]# cat Klocalhost.+157+26421.key

localhost. IN KEY 512 3 157

7X/kAIMk0Ne14Kgz99LMF/vbxiZJxcbxClZRqSjJyFRYbNeR/1MpHJBf

YJ0RahdkHtEQhN3LcF0qLsLazIRQ/w==

4. 將產生的 Klocalhost.+157+26421.key

cp Klocalhost.+157+26421.key /etc/rndc.key //取代 rndc.key就完成了

(3) /var/named/

A./var/named/homeland.net.hosts

$TTL 1d

@ IN SOA mail.homeland.net. root.mail.homeland.net. (

1997022700 ; Serial

28800 ; Refresh

14400 ; Retry

3600000 ; Expire

86400 ) ; Minimum

IN NS mail.homeland.net.

IN MX 10 mail.homeland.net.

$ORIGIN homeland.net.

mail IN A 192.168.0.1

dns IN CNAME mail.homeland.net.

proxy IN CNAME mail.homeland.net.

rootca IN CNAME mail.homeland.net.

ldap IN CNAME mail.homeland.net.

www IN CNAME mail.homeland.net.

ftp IN CNAME mail.homeland.net.

workgroup IN CNAME mail.homeland.net.


44/89

B. /var/named/192.168.0.rev

$TTL 1d

@ IN SOA mail.homeland.net. root.mail.homeland.net. (

1997022700 ; Serial

28800 ; Refresh

14400 ; Retry

3600000 ; Expire

86400 ) ; Minimum

IN NS mail.homeland.net.

$ORIGIN 0.168.192.in-addr.arpa.

;servers

1 IN PTR mail.homeland.net.

1 IN PTR dns.homeland.net.

1 IN PTR proxy.homeland.net.

1 IN PTR ftp.homeland.net.

1 IN PTR ldap.homeland.net.

1 IN PTR www.homeland.net.

1 IN PTR rootca.homeland.net.

1 IN PTR workgroup.homeland.net.

//workgroup 指的是 samba 的 domain

C./var/named/localhost.rev

$TTL 1d

@ IN SOA localhost. root.localhost. (

1997022700 ; Serial

28800 ; Refresh

14400 ; Retry

3600000 ; Expire

86400 ) ; Minimum

IN NS localhost.


45/89

1 IN PTR localhost.

(4) /var/named/logging.conf

logging {

channel security_channel {

file "/var/log/named/security.log" versions 4 size 10m;

print-category yes;

print-severity yes;

print-time yes;

severity info;

};

channel default_channel {

file "/var/log/named/default.log" versions 4 size 10m;

print-category yes;

print-severity yes;

print-time yes;

};

channel xfer-in_channel {

file "/var/log/named/xfer-in.log" versions 4 size 10m;

severity info;

print-category yes;

print-severity yes;

print-time yes;

};

channel xfer-out_channel {

file "/var/log/named/xfer-out.log" versions 4 size 10m;

severity info;

print-category yes;

print-severity yes;

print-time yes;

};


46/89

channel update_channel {

file "/var/log/named/update.log" versions 4 size 10m;

severity info;

print-category yes;

print-severity yes;

print-time yes;

};

channel notify_channel {

file "/var/log/named/notify.log" versions 4 size 10m;

severity info;

print-category yes;

print-severity yes;

print-time yes;

};

category security { security_channel; };

category default { default_channel; };

category xfer-in { xfer-in_channel; };

category xfer-out { xfer-out_channel; };

category notify { notify_channel; };

category update { null; };

category lame-servers { null; };

category "delegation-only" { "null" ; };

};

(5) /var/named/bogon_acl.conf

acl "bogon" {

// Filter out the bogon networks. These are networks

// listed by IANA as test, RFC1918, Multicast, experi-

// mental, etc. If you see DNS queries or updates with

// a source address within these networks, this is likely

// of malicious origin. CAUTION: If you are using RFC1918


47/89

// netblocks on your network, remove those netblocks from

// this list of blackhole ACLs!

0.0.0.0/8;

1.0.0.0/8;

2.0.0.0/8;

5.0.0.0/8;

7.0.0.0/8;

10.0.0.0/8;

23.0.0.0/8;

27.0.0.0/8;

31.0.0.0/8;

36.0.0.0/8;

37.0.0.0/8;

39.0.0.0/8;

41.0.0.0/8;

42.0.0.0/8;

49.0.0.0/8;

50.0.0.0/8;

58.0.0.0/8;

59.0.0.0/8;

60.0.0.0/8;

70.0.0.0/8;

71.0.0.0/8;

72.0.0.0/8;

73.0.0.0/8;

74.0.0.0/8;

75.0.0.0/8;

76.0.0.0/8;

77.0.0.0/8;

78.0.0.0/8;

79.0.0.0/8;

83.0.0.0/8;

84.0.0.0/8;

85.0.0.0/8;

86.0.0.0/8;

87.0.0.0/8;

88.0.0.0/8;


48/89

89.0.0.0/8;

90.0.0.0/8;

91.0.0.0/8;

92.0.0.0/8;

93.0.0.0/8;

94.0.0.0/8;

95.0.0.0/8;

96.0.0.0/8;

97.0.0.0/8;

98.0.0.0/8;

99.0.0.0/8;

100.0.0.0/8;

101.0.0.0/8;

102.0.0.0/8;

103.0.0.0/8;

104.0.0.0/8;

105.0.0.0/8;

106.0.0.0/8;

107.0.0.0/8;

108.0.0.0/8;

109.0.0.0/8;

110.0.0.0/8;

111.0.0.0/8;

112.0.0.0/8;

113.0.0.0/8;

114.0.0.0/8;

115.0.0.0/8;

116.0.0.0/8;

117.0.0.0/8;

118.0.0.0/8;

119.0.0.0/8;

120.0.0.0/8;

121.0.0.0/8;

122.0.0.0/8;

123.0.0.0/8;

124.0.0.0/8;

125.0.0.0/8;


49/89

126.0.0.0/8;

127.0.0.0/8;

169.254.0.0/16;

172.16.0.0/12;

192.0.2.0/24;

// 192.168.0.0/16;

197.0.0.0/8;

201.0.0.0/8;

224.0.0.0/3;

};

(6) 使用 view的概念

a.修改 /etc/named.conf（黃底紅字為修改的部份）

// generated by named-bootconf.pl

// secret must be the same as in /etc/rndc.conf

key "key" {

algorithm hmac-md5;

secret


0qLsLazIRQ/w==";

};

controls {

inet 127.0.0.1 port 953 allow { any; } keys { "key"; };

};

// Access lists (ACL's) should be defined here

include "/var/named/bogon_acl.conf";

options {

version "";

directory "/var/named";

pid-file "/var/run/named/named.pid"; // Put pid file in working dir

dump-file "/var/tmp/named_dump.db";


50/89

statistics-file "/var/tmp/named.stats";

zone-statistics yes;

coresize 100M;

auth-nxdomain yes;

/*

* If there is a firewall between you and nameservers you want

* to talk to, you might need to uncomment the query-source

* directive below. Previous versions of BIND always asked

* questions using port 53, but BIND 8.1 uses an unprivileged

* port by default.

*/

//

query-source address * port *;

listen-on port 53 {

192.168.0.1;

127.0.0.1;

};

cleaning-interval 120;

transfers-in 20;

transfers-per-ns 2;

lame-ttl 0;

max-ncache-ttl 10800;

// Prevent DoS attacks by generating bogus zone transfer

// requests. This will result in slower updates to the

// slave servers (e.g. they will await the poll interval

// before checking for updates).

notify no;

// Generate more efficient zone transfers. This will place

// multiple DNS records in a DNS message, instead of one per

// DNS message.

transfer-format many-answers;

// Set the maximum zone transfer time to something more


51/89

// reasonable. In this case, we state that any zone transfer

// that takes longer than 60 minutes is unlikely to ever

// complete. WARNING: If you have very large zone files,

// adjust this to fit your requirements.

max-transfer-time-in 60;

// We have no dynamic interfaces, so BIND shouldn't need to

// poll for interface state {UP|DOWN}.

interface-interval 0;

// Uncoment these to enable IPv6 connections support

// IPv4 will still work

// listen-on { none; };

// listen-on-v6 { any; };

// Deny anything from the bogon networks as

// detailed in the "bogon" ACL.

blackhole { bogon; };

};

// define logging channels

include "/var/named/logging.conf";

//

// a caching only nameserver config

//

// for internal

view "internal" {

match-clients { 192.168.0.0/24; };

recursion yes;

zone "." {

type hint;

file "named.root";

};


52/89


type master;


};

zone "homeland.net" {

type master;

file "homeland.net.hosts";


};


type master;

file "192.168.0.rev";


};

};

// for external

view "external" {

match-clients { any ; };

recursion no;

zone "example.com" IN {

type master;

file "example.com.zone";


};

zone "100.168.172.in-addr.arpa" IN {

type master;

file "172.168.100..rev";


};

zone "." {

type hint;


53/89

file "named.root";

};


type master;


};

};

// workaround stupid stuff... (OE: Wed 17 Sep 2003)

zone "ac" { type delegation-only; };

zone "cc" { type delegation-only; };

zone "com" { type delegation-only; };

zone "cx" { type delegation-only; };

zone "museum" { type delegation-only; };

zone "net" { type delegation-only; };

zone "nu" { type delegation-only; };

zone "ph" { type delegation-only; };

zone "sh" { type delegation-only; };

zone "tm" { type delegation-only; };

zone "ws" { type delegation-only; };

b.要新增兩個檔案 example.com.zone、172.168.100..rev 與 homeland.net.hosts、192.168.0.rev 相

同只是裡面所指的 IP 不同。

c. example.com.zone

$TTL 1d

@ IN SOA www.example.com. a8832078.stmail.fju.edu.tw. (

1997022700 ; Serial

28800 ; Refresh

14400 ; Retry

3600000 ; Expire

86400 ) ; Minimum

IN NS www.example.com.


54/89

$ORIGIN example.com.

www IN A 172.168.100.1

d. 172.168.100..rev

$TTL 1d

@ IN SOA www.example.com. a8832078.stmail.fju.edu.tw. (

1997022700 ; Serial

28800 ; Refresh

14400 ; Retry

3600000 ; Expire

86400 ) ; Minimum

IN NS www.example.com.

$ORIGIN 100.168.172.in-addr.arpa.

;servers

1 IN PTR www.example.com.

4.2.6 後續處理後續處理後續處理後續處理

(i)建立 ntlogon.bat

建立 ntlogon.bat

使用 vi /var/lib/samba/netlogon/ntlogon.bat

請在 :set ff=dos 模式下編輯

net time \\SAMBA3PDC /set /yes

net use M: /home

確認是否為 dos 檔案

Od –c ntlogon.bat

\r \n 表 M$-DOS 格式的斷行，這是我們要的格式

\n 表 Unix 格式的斷行


55/89

Example:

0000000 n e t t i m e \ \ S A M B A

0000020 3 P D C / s e t / y e s \r \n

0000040 n e t u s e M : / h o m e

0000060 \r \n

0000062

(ii) 確保漫遊檔案可以成功

確保漫遊檔案可以成功

Smb.conf -> [Profiles]

Chown nobody.nogroup /var/lib/samba/profiles

Chmod 1777 /var/lib/samba/profiles

(iii) 執行 smbldap-populate -a root

執行 smbldap-populate -a root

Populating LDAP directory for domain WORKGROUP

(S-1-5-21-4205727931-4131263253-1851132061)

(using builtin directory structure)

adding new entry: dc=homeland,dc=net

adding new entry: ou=Users,dc=homeland,dc=net

adding new entry: ou=Groups,dc=homeland,dc=net

adding new entry: ou=Computers,dc=homeland,dc=net

adding new entry: uid=root,ou=Users,dc=homeland,dc=net

adding new entry: uid=nobody,ou=Users,dc=homeland,dc=net

adding new entry: cn=Domain Admins,ou=Groups,dc=homeland,dc=net

adding new entry: cn=Domain Users,ou=Groups,dc=homeland,dc=net

adding new entry: cn=Domain Guests,ou=Groups,dc=homeland,dc=net

adding new entry: cn=Domain Computers,ou=Groups,dc=homeland,dc=net

adding new entry: cn=Administrators,ou=Groups,dc=homeland,dc=net

adding new entry: cn=Account Operators,ou=Groups,dc=homeland,dc=net

adding new entry: cn=Print Operators,ou=Groups,dc=homeland,dc=net

adding new entry: cn=Backup Operators,ou=Groups,dc=homeland,dc=net


56/89

adding new entry: cn=Replicators,ou=Groups,dc=homeland,dc=net

adding new entry: sambaDomainName=WORKGROUP,dc=homeland,dc=net

(iv) 更新 SID

smbldap-passwd root

(v) 轉移帳號

cp /etc/passwd /etc/shadow /tmp/

� 移除 passwd 與 shadow 中不要的帳號

� 只留下 root nobody bin daemon messagebus

� export user

� perl -i -pe's@^$ENV{user}:(.*)\n@@' /tmp/passwd

� perl -i -pe's@^$ENV{user}:(.*)\n@@' /tmp/shadow

� cd /usr/share/doc/smbldap-tools-0.8.7/doc

� ./smbldap-migrate-unix-accounts -a -P /tmp/passwd -S /tmp/shadow

cp /etc/group /tmp/

� 移除 group 中不要的帳號

� 只留下 root bin daemon

� export group

� perl -i -pe's@^$ENV{group}:(.*)\n@@' /tmp/group

� cd /usr/share/doc/smbldap-tools-0.8.7/doc

� ./smbldap-migrate-unix-groups -a -G /tmp/group

(vi) 特別注意事項

注意不要用

smbldap-useradd -w -d /dev/null -c 'Machine Account' -s /bin/false ‘%u’

來新增電腦主機，因為不會有紅色字的部份

請採用 lam 系統

dn:

sambaSID=S-1-5-21-957364582-1604034972-1376365676-101000,ou=Computers,dc=homeland,d


57/89

c=net

cn: winxp

uid: winxp$

uidNumber: 50000

gidNumber: 515

homeDirectory: /dev/null

loginShell: /bin/false

gecos: Computers

description: Computers

objectClass: posixAccount,sambaSamAccount,account

sambaSID: S-1-5-21-957364582-1604034972-1376365676-101000

sambaAcctFlags: [W ]

displayName: winxp

sambaPrimaryGroupSID: S-1-5-21-957364582-1604034972-1376365676-515

sambaDomainName: WORKGROUP

userPassword:

sambaPwdCanChange: 1136896009

sambaPwdMustChange: 2147483647

sambaNTPassword: B3346744060AEFFEFB62AFDAAB8A3AE1

sambaPwdLastSet: 1136896009

(vii) 建立 lam系統

a. 下載

cd /opt

wget

http://nchc.dl.sourceforge.net/sourceforge/lam/ldap-account-manager_0.5.3.tar.gz

b. 解壓縮

tar xvf ldap-account-manager_0.5.3.tar.gz

c. 將 ldap-account-manager_0.5.3/ 移到 httpd.conf -> default www

mv ldap-account-manager_0.5.3 /var/www/html/

cd /var/www/html

mv ldap-account-manager_0.5.3 lam

chown apache.apache –R lam


58/89

d. 修改設定 config.cfg_sample 、 lam.conf_sample

mv lam.conf_sample lam.conf

mv config.cfg_sample config.cfg

e. config.cfg 設定

# password to add/delete/rename configuration profiles

password: password

# default profile, without ".conf"

default: lam

f. lam.conf 設定（紅色為有改變的部創）

ServerURL: ldap://localhost:389

Passwd:

usersuffix: ou=Users,dc=homeland,dc=net

groupsuffix: ou=Groups,dc=homeland,dc=net

hostsuffix: ou=Computers,dc=homeland,dc=net

domainsuffix: dc=homeland,dc=net

userlistAttributes: #uid;#givenName;#sn;#uidNumber;#gidNumber

grouplistAttributes: #cn;#gidNumber;#memberUID;#description

hostlistAttributes: #cn;#description;#uidNumber;#gidNumber

maxlistentries: 30

defaultLanguage: en_GB.utf8:UTF-8:English (Great Britain)

scriptPath:

scriptServer:

cachetimeout: 5

usermodules: shadowAccount,inetOrgPerson,posixAccount,sambaSamAccount

groupmodules: posixGroup,sambaGroupMapping

hostmodules: account,sambaSamAccount,posixAccount

modules: posixAccount_minUID: 10000

modules: posixAccount_maxUID: 30000

modules: posixAccount_minMachine: 50000

modules: posixAccount_maxMachine: 60000

modules: posixGroup_minGID: 10000

modules: posixGroup_maxGID: 20000

modules: posixGroup_pwdHash: SSHA

modules: posixAccount_pwdHash: SSHA

treesuffix: dc=homeland,dc=net


59/89

登入可以 only for root

新增電腦採用 lam 系統

http://192.168.0.1/lam/

記得選擇 sambaSID 模式

(viii) 建立使用者

(ix) 加入網域

1. 下載 /usr/share/doc/samba-doc-3.0.13/docs/registry 中所的 registry 檔

2. 根據客戶端來新增

3. 例如：winxp 使用

WinXP_SignOrSeal.reg


60/89

4. 選擇->變更

5 .選擇->網域->WORKGROUP->加入網域


61/89

6.使用 root 登入

7.成功加入 workgroup domain


62/89

8.重開機

9.完成 sso 架構

(x) 使用登入

1.開機登入

2.使用者登入


63/89

3.自動掛載

(xi) 確認完成寫出

1.登出寫回資料

2.資料存放位置


64/89

(xii) 使用安全隧道連至 samba伺服器

(1) 停用 windows 檔案與列印共用服務


65/89

(2) 使用 putty


66/89

(3) 內部設定

(4) 使用檔案總管（在網址鍵入\\samba3pdc 是 smb.conf 中的 netbios name = SAMBA3PDC）


67/89

(5) 登入 samba server

(6) 完成登入

(xiii) 建立 CA的流程

1.首先建立 root CA，也就是最上層的 CA 憑證

[root@localhost misc]# ./CA.pl -newca

CA certificate filename (or enter to create)

Making CA certificate ...


.........++

...........................................................................................++

writing new private key to './demoCA/private/cakey.pem'


68/89

Enter PEM pass phrase:[密碼要打]

Verifying - Enter PEM pass phrase: [密碼要打]

-----







-----



Locality Name (eg, city) []:Taipei


Organizational Unit Name (eg, section) []:homeland CA Services

Common Name (eg, YOUR name) []:homeland_CA



69/89

2.確定 CA 憑證及金鑰是否產生

./demoCA/crl 電子證書撤銷列表 (Certificate Revocation List)

./demoCA/newcerts 備份所有經這個 CA 簽署過的電子證書

./demoCA/private CA 的私有區，存放了不可以外洩的資料，例如私鑰

./demoCA/private/cakey.pem CA 的私鑰

./demoCA/index.txt

./demoCA/cacert.pem CA 的證書

./demoCA/serial

./demoCA/certs

3.產生需求憑證，如 Email 簽章加密或 https 等 ssl 傳輸加密。

[root@localhost misc]# openssl req -newkey rsa:4096 -nodes -keyout newreq.pem -out newreq.pem


.......................................................................................................++

...................................++

writing new private key to 'newreq.pem'

-----







-----



Locality Name (eg, city) []:Taipei


Organizational Unit Name (eg, section) []:homeland LDAP Services

Common Name (eg, YOUR name) []:ldap.homeland.net


Please enter the following 'extra' attributes

to be sent with your certificate request


70/89

A challenge password []:不要打密碼

An optional company name []:不要打密碼

4.產生使用者之憑證 CSR

[root@localhost misc]# ./CA.pl -sign

Using configuration from /usr/lib/ssl/openssl.cnf

Enter pass phrase for ./demoCA/private/cakey.pem:

Check that the request matches the signature

Signature ok

Certificate Details:

Serial Number:

a9:63:8f:f4:cc:dd:73:99

Validity

Not Before: Jan 20 07:02:05 2006 GMT

Not After : Jan 20 07:02:05 2007 GMT

Subject:

countryName = TW

stateOrProvinceName = Taiwan

localityName = Taipei

organizationName = homeland Ltd

organizationalUnitName = homeland LDAP Services

commonName = ldap.homeland.net

emailAddress = [email protected]

X509v3 extensions:

X509v3 Basic Constraints:

CA:FALSE

Netscape Comment:

OpenSSL Generated Certificate

X509v3 Subject Key Identifier:

23:56:38:E0:69:6C:DF:CD:1F:42:25:8D:DD:C0:5D:E4:DA:14:7B:9E

X509v3 Authority Key Identifier:

keyid:21:A0:DF:D1:EB:EA:3E:FE:F8:32:51:74:35:D2:E8:CF:B2:51:0F:9C

DirName:/C=TW/ST=Taiwan/L=Taipei/O=homeland Ltd/OU=homeland CA

Services/CN=homeland_CA/[email protected]

serial:A9:63:8F:F4:CC:DD:73:98

Certificate is to be certified until Jan 20 07:02:05 2007 GMT (365 days)


71/89

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

Signed certificate is in newcert.pem

5. 管理管理管理管理

5.1 samba 管理管理管理管理

a.更新 samba 與 smbldap-tools 至最新套件

下載 samba-3.0.20-3mdk.src.rpm、smbldap-tools-0.9.2-1mdk.src.rpm

Rpm --rebuild samba-3.0.20-3mdk.src.rpm

Rpm --rebuild samba-3.0.20-3mdk.src.rpm

完成會放在 /usr/src/RPM/RPMS/i586

產生套件如下

libsmbclient0-3.0.20-2.1.102mdk.i586.rpm

libsmbclient0-devel-3.0.20-2.1.102mdk.i586.rpm

libsmbclient0-static-devel-3.0.20-2.1.102mdk.i586.rpm

mount-cifs-3.0.20-2.1.102mdk.i586.rpm

nss_wins-3.0.20-2.1.102mdk.i586.rpm

samba-client-3.0.20-2.1.102mdk.i586.rpm

samba-common-3.0.20-2.1.102mdk.i586.rpm

samba-doc-3.0.20-2.1.102mdk.i586.rpm

samba-passdb-mysql-3.0.20-2.1.102mdk.i586.rpm

samba-passdb-pgsql-3.0.20-2.1.102mdk.i586.rpm

samba-passdb-xml-3.0.20-2.1.102mdk.i586.rpm

samba-server-3.0.20-2.1.102mdk.i586.rpm

samba-smbldap-tools-3.0.20-2.1.102mdk.i586.rpm

samba-swat-3.0.20-2.1.102mdk.i586.rpm

samba-vscan-clamav-3.0.20-2.1.102mdk.i586.rpm


72/89

samba-vscan-icap-3.0.20-2.1.102mdk.i586.rpm

samba-winbind-3.0.20-2.1.102mdk.i586.rpm

smbldap-tools-0.9.2-0.1.102mdk.i586.rpm

b. cd /usr/src/RPM/RPMS/i586

使用 urpmi 安裝或用 rpm –Uvh 安裝

c.修改 /etc/smbldap-tools/smbldap.conf

請用新的 smbldap.conf.rpmsave 來修改，將 smbldap.conf 的內容相同的複製至

smbldap.conf.rpmsave。完成後將 smbldap.conf.rpmsave 取代 smbldap.conf

修改內容如下(黃底紅字為修改的部份)

# Put your own SID. To obtain this number do: "net getlocalsid".

# If not defined, parameter is taking from "net getlocalsid" return

SID="S-1-5-21-1628091772-245403179-1700601366"

# Domain name the Samba server is in charged.

# If not defined, parameter is taking from smb.conf configuration file

# Ex: sambaDomain="IDEALX-NT"

sambaDomain="WORKGROUP"

# Slave LDAP server

# Ex: slaveLDAP=127.0.0.1

# If not defined, parameter is set to "127.0.0.1"

slaveLDAP="127.0.0.1"

# Slave LDAP port

# If not defined, parameter is set to "389"

slavePort="389"

# Master LDAP server: needed for write operations

# Ex: masterLDAP=127.0.0.1

# If not defined, parameter is set to "127.0.0.1"

masterLDAP="127.0.0.1"

# Master LDAP port



73/89

masterPort="389"

# Use TLS for LDAP

# If set to 1, this option will use start_tls for connection

# (you should also used the port 389)


ldapTLS="0" (十分重要，一定要改成 0 才能使用 smbldap-tools)

# How to verify the server's certificate (none, optional or require)


verify="require"

# CA certificate


cafile="/etc/ssl/cacert.pem"

# certificate to use to connect to the ldap server


clientcert="/etc/ssl/openldap/newcert.pem"

# key certificate to use to connect to the ldap server


clientkey="/etc/ssl/openldap/newreq.pem"

# LDAP Suffix

# Ex: suffix=dc=IDEALX,dc=ORG

suffix="dc=homeland,dc=net"

# Where are stored Users

# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"

# Warning: if 'suffix' is not set here, you must set the full dn for usersdn

#usersdn="ou=People,${suffix}"

usersdn="ou=Users,${suffix}"

# Where are stored Computers

# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"


74/89

# Warning: if 'suffix' is not set here, you must set the full dn for computersdn

#computersdn="ou=Hosts,${suffix}"

computersdn="ou=Computers,${suffix}"

# Where are stored Groups

# Ex: groupsdn="ou=Groups,dc=IDEALX,dc=ORG"

# Warning: if 'suffix' is not set here, you must set the full dn for groupsdn

#groupsdn="ou=Group,${suffix}"

groupsdn="ou=Groups,${suffix}"

# Where are stored Idmap entries (used if samba is a domain member server)

# Ex: groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"

# Warning: if 'suffix' is not set here, you must set the full dn for idmapdn

idmapdn="ou=Idmap,${suffix}"

# Where to store next uidNumber and gidNumber available for new users and groups

# If not defined, entries are stored in sambaDomainName object.

# Ex: sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"

# Ex: sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"

sambaUnixIdPooldn="sambaDomainName=WORKGROUP,${suffix}"

# Default scope Used

scope="sub"

# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)

hash_encrypt="SSHA"

# if hash_encrypt is set to CRYPT, you may set a salt format.

# default is "%s", but many systems will generate MD5 hashed

# passwords if you use "$1$%.8s". This parameter is optional!

crypt_salt_format="%s"

##############################################################################

#

# Unix Accounts Configuration

#


75/89

##############################################################################

# Login defs

# Default Login Shell

# Ex: userLoginShell="/bin/bash"

userLoginShell="/bin/bash"

# Home directory

# Ex: userHome="/home/%U"

userHome="/home/%U"

# Default mode used for user homeDirectory

userHomeDirectoryMode="700"

# Gecos

userGecos="System User"

# Default User (POSIX and Samba) GID

defaultUserGid="513"

# Default Computer (Samba) GID

defaultComputerGid="515"

# Skel dir

skeletonDir="/etc/skel"

# Default password validation time (time in days) Comment the next line if

# you don't want password to be enable for defaultMaxPasswordAge days (be

# careful to the sambaPwdMustChange attribute's value)

defaultMaxPasswordAge="120"

##############################################################################

#

# SAMBA Configuration

#

##############################################################################


76/89

# The UNC path to home drives location (%U username substitution)

# Just set it to a null string if you want to use the smb.conf 'logon home'


# Ex: userSmbHome="\\PDC-SMB3\%U"

userSmbHome="\\SAMBA3PDC\homes\%U"

# The UNC path to profiles locations (%U username substitution)

# Just set it to a null string if you want to use the smb.conf 'logon path'


# Ex: userProfile="\\PDC-SMB3\profiles\%U"

userProfile="\\SAMBA3PDC\profiles\%U"

# The default Home Drive Letter mapping

# (will be automatically mapped at logon time if home directory exist)

# Ex: userHomeDrive="H:"

userHomeDrive="M:"

# The default user netlogon script name (%U username substitution)

# if not used, will be automatically username.cmd

# make sure script file is edited under dos

# Ex: userScript="startup.cmd" # make sure script file is edited under dos

userScript="ntlogon.bat"

# Domain appended to the users "mail"-attribute

# when smbldap-useradd -M is used

# Ex: mailDomain="idealx.com"

mailDomain="mail.homeland.net"

##############################################################################

#

# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)

#

##############################################################################

# Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but


77/89

# prefer Crypt::SmbHash library

with_smbpasswd="0"

smbpasswd="/usr/bin/smbpasswd"

# Allows not to use slappasswd (if with_slappasswd == 0 in smbldap_conf.pm)

# but prefer Crypt:: libraries

with_slappasswd="0"

slappasswd="/usr/sbin/slappasswd"

# comment out the following line to get rid of the default banner

# no_banner="1"

d.smbldap-populate 更新所有內容

e.下載 srvtools.exe

解開使用


78/89

使用 usrmgr.exe


79/89

新增使用者(只要帳號與密碼就可以了，其他會自動處理)

使用新增帳號登入(第一次登入要修改密碼)


80/89

改好密碼

登入成功


81/89

使用 srvmgr.exe

新增電腦主機 Computer/Add to Domain


82/89

f. 使用命令列來新增電腦

smbldap-useradd -i 電腦名稱

會詢問密碼，要鍵入才可以。

g. 要使 TLS 能運作，系統才能順利來執行。

只要修改 /etc/openldap/ldap.conf 如下就可以運作

# $OpenLDAP: pkg/ldap/libraries/libldap/ldap.conf,v 1.9 2000/09/04 19:57:01 kurt Exp $

#

# LDAP Defaults

#

# See ldap.conf(5) for details

# This file should be world readable but not world writable.

#BASE dc=example, dc=com

#HOST ldap.example.com ldap-master.example.com

#URI ldap://ldap.example.com ldap://ldap-master.example.com:666

URI ldap://127.0.0.1

BASE dc=homeland,dc=net

HOST 127.0.0.1

#SIZELIMIT 12

#TIMELIMIT 15

#DEREF never

# SSL/TSL configuration. With CA-signed certs, TLS_REQCERT should be

# "demand", with the CA certificate accessible

#TLS_CACERT /etc/ssl/cacert.pem

#TLS_CACERTDIR /etc/ssl/openldap

#TLS_REQCERT ([demand],never,allow,try)

TLS_CACERT /etc/ssl/cacert.pem

# TLS_CERT /etc/ssl/openldap/newcert.pem

# TLS_KEY /etc/ssl/openldap/newreq.pem

TLS_REQCERT allow


83/89

h. 要修改 /usr/share/msec/perm.4

加入下面才能確保漫遊成功。

/var/lib/samba/profiles/ nobody.nogroup 1777

i.修改 /etc/resolv.conf 內容為

[root@mail etc]# more resolv.conf

search homeland.net

nameserver 192.168.1.254



j.修改 /etc/hosts 內容為

192.168.1.1 mail.homeland.net dns.homeland.net proxy.homeland.net

rootca.homeland.net ldap.homeland.net www.homeland.net ftp.homeland.net

127.0.0.1 localhost.localdomain localhost

5.2 samba 防毒防毒防毒防毒

1.首先安裝 clamav 與 samba-vscan-clamav 套件

可以使用 urpmi 或 smart

2.啟動防毒

service freshclam start (使防毒系統能自動更新)

service clamd start(使防毒系統啟動)

3.修改設定

a.vi /etc/freshclam.conf(防毒系統自動更新設定檔)

不用修改，採用 mandriva 預設即可

b.vi /etc/clamd.conf(防毒系統設定檔)

不用修改，採用 mandriva 預設即可


84/89

c.vi /etc/samba/vscan-clamav.conf(防毒對於 samba 的設定檔)

紅色部份為修改

[samba-vscan]

; run-time configuration for vscan-samba using

; clamd

; all options are set to default values

; do not scan files larger than X bytes. If set to 0 (default),

; this feature is disable (i.e. all files are scanned)

max file size = 0

; log all file access (yes/no). If set to yes, every access will

; be logged. If set to no (default), only access to infected files

; will be logged

verbose file logging = yes (為了測試是否運作，知道可以運作請停用。因為 log 量很大)

; if set to yes (default), a file will be scanned while opening

scan on open = yes

; if set to yes, a file will be scanned while closing (default is yes)

scan on close = yes

; if communication to clamd fails, should access to file denied?

; (default: yes)

deny access on error = yes

; if daemon files with a minor error (corruption, etc.),

; should access to file denied?

; (default: yes)

deny access on minor error = yes

; send a warning message via Windows Messenger service

; when virus is found?

; (default: yes)

send warning message = yes

; what to do with an infected file


85/89

; quarantine: try to move to quantine directory; delete it if moving fails

; delete: delete infected file

; nothing: do nothing (default)

infected file action = quarantine

; where to put infected files - you really want to change this!

quarantine directory = /tmp

; prefix for files in quarantine

quarantine prefix = vir-

; as Windows tries to open a file multiple time in a (very) short time

; of period, samba-vscan use a last recently used file mechanism to avoid

; multiple scans of a file. This setting specified the maximum number of

; elements of the last recently used file list. (default: 100)

max lru files entries = 100

; an entry is invalidad after lru file entry lifetime (in seconds).

; (Default: 5)

lru file entry lifetime = 5

; exclude files from being scanned based on the MIME-type! Semi-colon

; seperated list (default: empty list). Use this with care!

exclude file types =

; socket name of clamd (default: /var/run/clamd). Setting will be ignored if

; libclamav is used

clamd socket name = /var/lib/clamav/clamd.socket

; limits, if vscan-clamav was build for using the clamav library (libclamav)

; instead of clamd

; maximum number of files in archive (default: 1000)

libclamav max files in archive = 1000

; maximum archived file sitze, in bytes (default: 10 MB)

libclamav max archived file size = 10 * 1048576


86/89

; maximum recursion level (default: 5)

libclamav max recursion level = 5

d.套用在要掃毒的區域

在 smb.conf 中

[share folder] <-想要掃毒的目錄中加入下面二行

vfs objects = vscan-clamav recycle

vscan-clamav: config-file = /etc/samba/vscan-clamav.conf

英文解擇

# You can enable VFS recycle bin and on-access virus-scanning on a per

# share basis:

# Uncomment the next 2 lines (make sure you create a .recycle folder in

# the base of the share and ensure all users will have write access to it.

# For virus scanning, install samba-vscan-clamav and ensure the clamd service

# is running

e.重新啟動 smb

service smb restart

f.查看 samba-vscan-clamav 是否運作

tail /var/log/message

Jan 21 11:07:49 mail smbd_vscan-clamav[15992]: samba-vscan (vscan-clamav 0.3.6b) registered

(Samba 3.0), (c) by Rainer Link, OpenAntiVirus.org

Jan 21 11:07:49 mail smbd_vscan-clamav[15992]: samba-vscan (vscan-clamav 0.3.6b) connected

(Samba 3.0), (c) by Rainer Link, OpenAntiVirus.org

Jan 21 11:07:49 mail smbd_vscan-clamav[15992]: INFO: connect to service root by user root

當使用者一登入就開始啟動防毒機制。


87/89

5.3 Mandriva 昇級昇級昇級昇級

從舊版本的 mandrake 昇級至新版的注意事項

1. kernel 為主要的指標

甲、昇級目標版本的 kernel 是否與舊版的相符

乙、相符，可以直接昇級

丙、不相符，必須先昇級 kernel

2. Mandrake 9.2 -> Mandriva 10.1

甲、由於 Mandrake 9.2 預設 kernel 為 2.4 版，所以必須先昇級 kernel 至 2.6 版。才能避免

昇級後有一些功能無法使用。

乙、若是昇級至 Mandriva 2006 就不會有如此況狀，因為昇級時會一併將 kernel 昇級至

2.6 版。


88/89

6. 改進與建議心得改進與建議心得改進與建議心得改進與建議心得

規劃上待增加與修正的部份

1. DFS 共用目錄支援(預留)

2. VPN 與 SmartCard 整合式登入

3. lam 系統安全增強

4. squid 記錄使用者使用流量

5. 整合 DHCP 做到 IP 控管

預留發展

1. 建立 BDC

2. 設定檔/etc/openldap/slapd.conf

加入

updatedn “uid=root,ou=Users,dc=homeland,dc=net”

updateref ldap://192.168.0.1

3. 製作 replica 目錄和空的記錄檔 replica.log

mkdir /var/lib/ldap/replica

touch /var/lib/ldap/replica/relica.log

chown –R ldap.ldap /vaar/lib/ldap

4. 修正/etc/smbldap-tools/smbldap_bind.conf

$masterLDAP=”192.168.0.1”;

5. 令 PDC 與 BDC 的網域 SID 同步

net rpc getsid

6. 刪除 BDC 上的 TDB 資料庫

net setlocalsid S-1-5-21-1231241354325465435-34123125123141412

7. 重新儲存與存取 LDAP 資料庫用的管理員

smbpasswd –w passwd

8. 確認 BDC 的網域 SID 是否與 PDC 一致

net getlocalsid

9. 啟動 BDC 的 Samba


89/89

service smb start

心得

1. 根據需求來建立環境

2. 要以規劃為主，實作為輔。（根據人月神話：開發系統的時間大多是規劃所佔

的時間為最多）

3. 步驟邏輯要清楚才能避免系統出現安全上的漏洞。

Documents

(Microsoft Word -