LDAP + Samba + PAM + Audit no OpenSUSE

De Wiki Hackstore

Instale as dependências

OpenLDAP

Instale os requisitos:

zypper in openldap2 pam_ldap nss_ldap openldap2-devel 


LDAP Account Manager (LAM)

Instale os requisitos:

zypper in apache2-mod_php5 libpq5 php5-mysql php5-pgsql php5-snmp php5-sockets php5-ldap php5-gettext php5-zip php5-gd apache2 apache2-prefork apache2-utils git-web 

Faça o download do RPM oficial e instale:

https://www.ldap-account-manager.org/


SMBldap-tools

Instale os requisitos:

zypper in perl-ldap perl-ldap-ssl
zypper in perl-Unicode-Map8

Instale a biblioteca Unicode-MapUTF8 do Perl via CPAN:

cpan> install Unicode::MapUTF8

Instale os pacotes que não estão presentes no Zypper/Yast (os RPMs vêm de um site de terceiros por HTTP simples; verifique a assinatura dos pacotes com `rpm -K` antes de instalar):

wget http://hackstore.com.br/downloads/smbldap-tools.tar && tar xvf smbldap-tools.tar && cd smbldap-tools
rpm -Uhv perl-Jcode-2.07-7.1.i586.rpm  perl-Unicode-Map-0.112-10.1.i586.rpm

Caso ocorra algum erro, instale somente o smbldap-tools:

rpm -ihv smbldap-tools-0.9.6-5.1.noarch.rpm


openLDAP (server)

Instale o server ldap:

zypper in openldap


Configure os serviços

Configure o arquivo /etc/openldap/slapd.conf

Gere o novo hash de senha a ser utilizado neste arquivo de configuração (sem a opção -s o slappasswd pede a senha interativamente, evitando que ela fique gravada no histórico do shell):

slappasswd -h {SSHA} -s secrethackstore


# /etc/openldap/slapd.conf — OpenLDAP server for the Samba PDC.
# Comments start in column 0; a line beginning with whitespace continues the previous directive.
# samba3.schema supplies the sambaSamAccount attributes, nis.schema the posixAccount/shadowAccount
# attributes used by pam_ldap/nss_ldap.
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/samba3.schema
include         /etc/openldap/schema/nis.schema

pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args

# maximum number of entries returned per search
sizelimit       10000
# 0 = slapd logs nothing. For an audited setup consider a level such as "stats"
# (connections/operations) so directory access can be correlated with the Samba audit log
# configured later on this page.
loglevel 0

# ACLs are evaluated top-down; the first "access to" clause whose target matches decides.
# Root DSE and subschema readable by everyone (clients use them to discover server capabilities).
access to dn.base=""
        by * read

access to dn.base="cn=Subschema"
        by * read

# Password hashes: the entry itself may change them, everyone else may only use them to bind.
# NOTE(review): sambaLMPassword and sambaNTPassword (samba3.schema) are NOT covered by this
# clause, so they fall through to the catch-all "by * read" below and become readable by
# anonymous clients. Add a clause such as
#   access to attrs=sambaLMPassword,sambaNTPassword
#           by self write
#           by * auth
# before the catch-all. Samba binds as the rootdn, which is exempt from ACLs, so it is unaffected.
access to attrs=userPassword,userPKCS12
        by self write
        by * auth

# last password change timestamp: owner may update it on password change; world readable
access to attrs=shadowLastChange
        by self write
        by * read

# catch-all: everything not matched above is readable anonymously
access to *
        by * read

# Berkeley DB backend (newer OpenLDAP releases recommend mdb where available)
database        bdb
suffix          "dc=hackstore,dc=local"
# checkpoint the database every 1024 KiB written or every 5 minutes
checkpoint      1024    5
cachesize       10000
# directory administrator; smb.conf's "ldap admin dn" and smbldap_bind.conf bind as this DN
rootdn          "cn=Manager,dc=hackstore,dc=local"
# hash in the format produced by slappasswd (see above); never put the clear-text password here
rootpw          {SSHA}xAxWrBQMnMUWy0HWNVE1MCnI7gEiDGYU

directory       /var/lib/ldap
# NOTE(review): only objectClass is indexed. smbldap-tools and nss_ldap search on uid,
# uidNumber, gidNumber, memberUid, sambaSID and similar attributes; without equality indexes
# for them every lookup is a full scan and slapd typically logs "not indexed" warnings.
index   objectClass     eq


Configure o ldap (client)

Configure o arquivo /etc/ldap.conf

# /etc/ldap.conf — shared pam_ldap / nss_ldap client settings.
# Loopback server, so traffic never leaves the host and no TLS is configured here.
# NOTE(review): if this file is copied to other machines, point "host" at the server and
# enable TLS (e.g. "ssl start_tls"); otherwise binds send passwords in clear text.
host 127.0.0.1

# search base; must match "suffix" in slapd.conf
base dc=hackstore,dc=local
# 0 = no client-side limit on results (the server's sizelimit still applies)
SIZELIMIT       0

ldap_version 3

# soft: fail the lookup when the server is unreachable instead of retrying indefinitely,
# so logins do not hang while slapd is down
bind_policy soft

# query the server for its password policy
pam_lookup_policy yes

# change passwords via the LDAP Password Modify extended operation; the server hashes
# the new value itself
pam_password exop

# never resolve these accounts' group memberships via LDAP, so root and the ldap user
# keep working when slapd is unavailable
nss_initgroups_ignoreusers root,ldap

# attribute-name mapping for group membership lookups
# NOTE(review): confirm the mapping direction against the nss_ldap man page
nss_map_attribute uniqueMember member


Configure o PAM (/etc/nsswitch.conf)

Comente as linhas abaixo:

# passwd: files nis
# shadow: files nis

E adicione as novas linhas:

# lookup order: compat (NIS-style +/- rules), local files, then LDAP;
# "[UNAVAIL=return]" stops the lookup if the files module cannot be loaded
passwd: compat files [UNAVAIL=return] ldap
group: compat files [UNAVAIL=return] ldap
# LDAP password hashes are not readable anonymously (slapd ACL on userPassword above),
# so PAM authenticates by binding to LDAP rather than through this shadow lookup
shadow:         files ldap



Configure o Samba 3.x

Configure o /etc/samba/smb.conf

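[global]
        # Domain settings: this host is the PDC for the HACKSTORE domain
        workgroup = HACKSTORE
        netbios name = hackstore-srv
        netbios aliases = hackstore-srv01
        domain logons = yes
        preferred master = yes
        local master = yes
        domain master = yes
        # unknown user names are mapped to "guest account"; bad passwords for known users are rejected
        map to guest = Bad User
        # roaming profiles and home directories served from this machine (%L = server name, %U = user)
        logon path = \\%L\profiles\.msprofile
        logon home = \\%L\%U\.9xprofile
        logon drive = P:
        usershare allow guests = Yes
        guest account = nobody



        security = user
        # NOTE(review): these accounts perform all file operations as root on every share
        admin users = root administrador
        wins support = yes
        remote announce = 192.168.0.255

        # Accounts live in LDAP. Plain ldap:// to loopback, hence "ldap ssl = no" is acceptable here;
        # enable it if the directory ever moves to another host.
        passdb backend = ldapsam:ldap://127.0.0.1/
        passwd chat = *New*password* %n *Retype*new*password* %n
        # binds as the slapd rootdn; the bind password is stored with "smbpasswd -w"
        ldap admin dn = cn=Manager,dc=hackstore,dc=local
        ldap suffix = dc=hackstore,dc=local
        ldap group suffix = ou=Groups
        # NOTE(review): must name the same container as usersdn in /etc/smbldap-tools/smbldap.conf,
        # which on this page is ou=Users — pick one value for both files
        ldap user suffix = ou=People
        ldap machine suffix = ou=Computers
        ldap idmap suffix = ou=Idmap
        ldap ssl = no
        #idmap backend = ldap:ldap://127.0.0.1/
        idmap uid = 10000-15000
        idmap gid = 10000-15000

        # NOTE(review): "lanman auth" enables the weak LM hash protocol and "ntlm auth" enables
        # NTLMv1; both are needed only for legacy clients and should be set to no once those
        # clients are gone.
        ntlm auth = YES
        lanman auth = YES
        client ntlmv2 auth = YES

        encrypt passwords = yes
        # keep the LDAP userPassword attribute in sync when the Samba password changes
        ldap passwd sync = yes
        # delete the entire LDAP entry (POSIX attributes included) when a Samba account is removed
        ldap delete dn = Yes

        # creates the machine account automatically when a workstation joins the domain
        add machine script = /usr/sbin/smbldap-useradd -t 0 -W "%u"

        # allows members of the "Domain Admins" group to join workstations
        # to the Samba domain
        enable privileges = yes

        # lets users change their password directly from a Windows workstation
        passwd program = /usr/bin/smbldap-passwd %u

        # user/group provisioning delegated to smbldap-tools (%u = user name, %g = group name)
        add user script = /usr/sbin/smbldap-useradd -m "%u"
        delete user script = /usr/sbin/smbldap-userdel "%u"
        add group script = /usr/sbin/smbldap-groupadd -p "%g"
        # %g expands to the group being deleted; %u would be the connected user
        delete group script = /usr/sbin/smbldap-groupdel "%g"
        add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
        delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
        set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
        #============= Unified recycle bin ====================
        # NOTE: a later "vfs objects" assignment in the same section (e.g. the full_audit
        # block further down this page) replaces this one; list all modules on a single line
        # to stack them.
        vfs objects = recycle
        recycle:repository = .lixeira
        recycle:versions = yes
        recycle:keeptree = yes
        recycle:noversions = .bat|.hlp|.scr
        recycle:exclude = *.tmp, *.log, *.mp3, *.avi
        #============= END unified recycle bin =================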




[homes]
        # per-user home share; %S = share (= user) name, %D%w%S = DOMAIN<separator>user form
        comment = Home Directories
        valid users = %S, %D%w%S
        # hides the [homes] template from browse lists; each user's own share still appears
        browseable = No
        read only = No
        inherit acls = Yes
[profiles]
        # roaming-profile store referenced by "logon path"; %H = the user's home directory
        comment = Network Profiles Service
        path = %H
        read only = No
        store dos attributes = Yes
        # profile files and directories are private to their owner
        create mask = 0600
        directory mask = 0700
[users]
        # exposes /home as a whole; access to other users' directories is governed by their
        # UNIX permissions (smbldap.conf on this page creates homes with mode 700)
        comment = All users
        path = /home
        read only = No
        inherit acls = Yes
        # names hidden from clients: the quota file and the groups/shares directories
        veto files = /aquota.user/groups/shares/
[groups]
        # shared group directories; write access is decided by the UNIX permissions under /home/groups
        comment = All groups
        path = /home/groups
        read only = No
        inherit acls = Yes
[printers]
        # print spool share; spool files are created owner-only under /var/tmp
        comment = All Printers
        path = /var/tmp
        printable = Yes
        create mask = 0600
        browseable = No
[print$]
        # Windows printer-driver store; only the ntadmin group and root may upload drivers
        comment = Printer Drivers
        path = /var/lib/samba/drivers
        write list = @ntadmin root
        force group = ntadmin
        create mask = 0664
        directory mask = 0775

[comercial]
        # departmental share restricted to the Diretoria and Comercial groups
        comment = Comercial
        path = /dados/comercial
        write list = @Diretoria, @Comercial
        read list = @Diretoria, @Comercial
        valid users = @Diretoria, @Comercial
        # NOTE(review): 0777 makes every file and directory world-writable on the server's
        # filesystem, so any local account (or another share exposing /dados) can modify them
        # regardless of "valid users". 0660/0770 together with "force group" gives the SMB
        # users the same result without that exposure — confirm against local requirements.
        create mask = 0777
        directory mask = 0777
        guest ok = No


Defina a senha de root do openLDAP no samba (a mesma senha cujo hash foi gerado para o rootpw do slapd.conf; note que, passada na linha de comando, ela fica gravada no histórico do shell):

smbpasswd -w secrethackstore


Inicie os serviços (o Samba usa o LDAP como passdb, portanto convém que o slapd já esteja em execução antes do smb):

/etc/init.d/smb start
/etc/init.d/nmb start
/etc/init.d/ldap start


Configure o smbldap-tools

Configure o /etc/smbldap-tools/smbldap_bind.conf

# Credentials smbldap-tools uses to bind to the directory (the slapd rootdn).
# NOTE(review): the password is stored in clear text — keep this file owned by root with
# mode 0600. It must match rootpw in slapd.conf and the value given to "smbpasswd -w".
# The shipped file also defines slaveDN/slavePw for the replica; confirm whether they are
# needed with the slaveLDAP setting used in smbldap.conf.
masterDN="cn=Manager,dc=hackstore,dc=local"
masterPw="secrethackstore"


Obtenha o SID local

net getlocalsid

OBS: Lembre-se de configurar o SID no arquivo de configuração a seguir.


Configure o /etc/smbldap-tools/smbldap.conf

# /etc/smbldap-tools/smbldap.conf — smbldap-tools settings; values must agree with
# smb.conf and slapd.conf on this page.
# Domain SID as reported by "net getlocalsid" (see above); user and group RIDs are appended
# to it, so a wrong value breaks every account.
SID="S-1-5-21-9303493-1121177654-1281164981"

# must match "workgroup" in smb.conf
sambaDomain="HACKSTORE"

# read operations go to the slave, writes to the master; without a replica set slaveLDAP to
# the same address as masterLDAP (ldap.hackstore.local must otherwise resolve)
slaveLDAP="ldap.hackstore.local"

slavePort="389"

masterLDAP="127.0.0.1"

masterPort="389"

# TLS/SSL disabled: acceptable for loopback, but slaveLDAP above is a network name —
# enable ldapTLS="1" if the replica lives on another host
ldapTLS="0"

ldapSSL="0"

# verify/cafile/clientcert/clientkey only take effect when TLS or SSL is enabled
verify="require"

cafile="/etc/smbldap-tools/ca.pem"

clientcert="/etc/smbldap-tools/smbldap-tools.hackstore.local.pem"

clientkey="/etc/smbldap-tools/smbldap-tools.hackstore.local.key"

# must match "suffix" in slapd.conf and "ldap suffix" in smb.conf
suffix="dc=hackstore,dc=local"

# NOTE(review): smb.conf on this page uses "ldap user suffix = ou=People"; both files must
# name the same container or Samba will not find the users smbldap-populate creates
usersdn="ou=Users,${suffix}"

computersdn="ou=Computers,${suffix}"

groupsdn="ou=Groups,${suffix}"

idmapdn="ou=Idmap,${suffix}"

# entry holding the next free uidNumber/gidNumber; created by smbldap-populate
sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"

scope="sub"

# hash used for userPassword (salted SHA-1, same scheme as rootpw in slapd.conf)
hash_encrypt="SSHA"

# only used when hash_encrypt is CRYPT
crypt_salt_format="%s"


# defaults for new POSIX accounts
userLoginShell="/bin/bash"

userHome="/home/%U"

# home directories are created owner-only (see the [users] share in smb.conf)
userHomeDirectoryMode="700"

userGecos="System User"

# 513 = Domain Users, 515 = Domain Computers (well-known RIDs used as gidNumber)
defaultUserGid="513"

defaultComputerGid="515"

skeletonDir="/etc/skel"

# days a password stays valid before it must be changed
defaultMaxPasswordAge="45"


# Windows-side settings stored per user in LDAP; when present they take precedence over
# the "logon home"/"logon drive" defaults in smb.conf (P: on this page — harmonise them).
# NOTE(review): PDC-SRV is not this server's NetBIOS name (hackstore-srv in smb.conf) nor
# its alias; use the real name or clients will not find the share.
userSmbHome="\\PDC-SRV\%U"

userProfile="\\PDC-SRV\profiles\%U"

userHomeDrive="H:"

userScript="logon.bat"

mailDomain="hackstore.local"


# 0 = write the LM/NT hashes to LDAP directly instead of calling smbpasswd
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"

# 0 = hash passwords in Perl instead of calling slappasswd
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"



Alimente a base LDAP com as novas informações

smbldap-populate -a administrador


Adicione os serviços ao boot

chkconfig -a ldap
chkconfig -a smb
chkconfig -a nmb


Ativando auditoria do samba

smb.conf

Adicione ao [global] ou a um compartilhamento específico:

        # ==================== Audit configuration ===================== #

        # Operations that can be recorded: open (read a file), opendir (list a directory),
        # write (modify a file), unlink (delete a file), rename (rename a file),
        # mkdir (create a directory), rmdir (remove a directory),
        # chmod (change a file's permissions) and chown (change a file's owner).

        # NOTE: if the section already has a "vfs objects" line (recycle in [global] above),
        # a second assignment replaces it — list both modules on one line instead.
        vfs objects = full_audit
        # the commented-out variant also records read access (open/opendir), at the cost
        # of a much noisier log
        #full_audit:success = open, opendir, write, unlink, rename, mkdir, rmdir, chmod, chown
        # successful write-type operations that are logged
        full_audit:success = write, unlink, rename, mkdir, rmdir, chmod, chown
        # NOTE(review): denied attempts are not recorded at all; for an audit trail consider
        # logging failures of the same operations (e.g. full_audit:failure = unlink, rename, ...)
        full_audit:failure = none
        # every record starts with user|client IP|share name
        full_audit:prefix = %u|%I|%S
        # syslog facility/priority; matched by the local5.notice rule in /etc/rsyslog.d/samba.conf below
        full_audit:facility = local5
        full_audit:priority = notice

        # ================== END audit configuration =================== #

rsyslog

Altere no arquivo /etc/rsyslog.conf a seguinte linha:

*.*;mail.none;news.none                 -/var/log/messages

para (observe que a nova regra também exclui auth e authpriv de /var/log/messages; confirme que esses eventos de autenticação continuam sendo gravados em outro arquivo):

*.*;mail.none;local5,auth,authpriv.none;news.none                       -/var/log/messages


Crie um novo arquivo /etc/rsyslog.d/samba.conf com a seguinte linha:

# local5 at priority notice and above — the facility/priority set by full_audit in smb.conf.
# The log contains user names, client addresses and file names: the directory /var/log/samba
# should exist and the file should stay readable by root only.
local5.notice /var/log/samba/audit.log

Reinicie os processos:

rcsmb restart
rcsyslog restart