作者主題: 04.LDAP+Samba PDC 筆記(10/4 create_user,在三樓) (閱讀 13570 次)

Niko · « 於: 2012-09-30 00:00 »

總算完成了，這份筆記能夠成功生產下來也靠了netman大大與三子大大

先感謝這兩位大大，謝謝!!

在這兒也先祝各位中秋節快樂!!

小弟原先的想法是ldap1用NFS去掛"home" server，但是實作後發現在windows登入時會發生問題，所以，為了簡單點，samba PDC就直接做在"home" server那台上面。

LDAP使用原先的架構(請參考http://phorum.study-area.org/index.php/topic,67535.0.html)，其中"home" server小弟的OS更新為CentOS6.3_x64，其餘設定都沒變。

當初建立LDAP時並沒有把samba包含在內，所以我們首先要做的就是加入samba.schema，使LDAP支援"sambaSamAccount"，另外LDAP server也加入到LDAP client中(加入方法請參考http://phorum.study-area.org/index.php/topic,67626.0.html)。
要特別注意，如果LDAP有做複製功能(Replication)的話，小弟建議是用MirrorMode的方式，這樣萬一"ldap1"掛掉了，我們還是可以用"ldap2"來做修改(設定方法請參考http://phorum.study-area.org/index.php/topic,67566.0.html)

LDAP 支援 samba 設定 (ldap1與ldap2相同設定) :
在目前版本中(2.4.23-26.el6)，/etc/openldap/schema預設沒有samba.schema，必須要先安裝samba才可以

代碼: [選擇]

[root@ldap1 ~]# yum install -y samba
安裝完後 /etc/openldap/schema應該就可以看到 samba.schema，如果沒有的話...

代碼: [選擇]

[root@ldap1 ~]# cp /usr/share/doc/samba-*/LDAP/samba.schema /etc/openldap/schema/

接下來修改slapd.conf

代碼: [選擇]

[root@ldap1 ~]# vim /etc/openldap/slapd.conf===============================================================================
##新增紅色字體##
include /etc/openldap/schema/samba.schema

access to attrs=userPassword,sambaLMPassword,sambaNTPassword
by self write
by anonymous auth
by * none

### database definitions ###

index sambaSID,sambaSIDList,sambaGroupType eq,pres
===============================================================================

修改完後

代碼: [選擇]

[root@ldap1 ~]# cd  /etc/openldap/ 
[root@ldap1 openldap]# rm  -rf  slapd.d/* 
[root@ldap1 openldap]# slaptest  -f  slapd.conf  -F  slapd.d 
[root@ldap1 openldap]# chown  -R  ldap:ldap  slapd.d 
[root@ldap1 openldap]# /etc/init.d/slapd restart

使用者的資料先前我沒有設定samba屬性 (attribute)，為了節省麻煩，可以把先前的LDAP資料匯出，用slapcat -l 或是用phpldapadmin的匯出功能；小弟是使用phpldapadmin的export，除了簡單好用之外，匯出的ldif檔也不會因為有中文關係而顯示亂碼。
匯出後，偷懶一點就直接使用phpldapadmin把People底下的NIKO和PING這兩個user直接刪除。

到此LDAP就算暫時完成了，但是請記得，因為兩台LDAP(ldap1、ldap2)現在是使用MirrorMode，所以雙方的資料要確保相同，避免稍後增加資料時產生雙方的資料錯誤無法同步。

Samba PDC (Primary Domain Controller) 設定
smabPDC server = hostname:home，ip:192.168.1.4

小叮嚀:要設定PDC之前必須先把server也加入到LDAP client中才可以喔!

安裝samba(版本為3.5.10-125) 與 smbldap-tools(版本為0.9.6-3)
##smbldap-tools需先安裝EPEL來源##

代碼: [選擇]

[root@home ~]# yum  -y  install  samba  smbldap-tools

設定sambaPDC
先備份原本的smb.conf

代碼: [選擇]

[root@home ~]# mv  /etc/samba/smb.conf  /etc/samba/smb.conf.bak

Copy smbldap-tools裡的smb.conf到 /etc/samba中

代碼: [選擇]

[root@home ~]# cp  /usr/share/doc/smbldap-tools-*/smb.conf  /etc/samba/smb.conf

設定smb.conf，這裡有不清楚的地方可以參考鳥哥的說明http://linux.vbird.org/

代碼: [選擇]

[root@home ~]# vim /etc/samba/smb.conf ===============================================================================
##修改紅字部份##
[global]

workgroup = LDAP

netbios name = home

#min passwd length = 3      #密碼最小長度

ldap passwd sync = yes      #同步LDAP、NT、LM的密碼

Dos charset = CP950

Unix charset = UTF-8

logon home = \\%N\%U

logon path = \\%N\%U\profiles

passdb backend = ldapsam:"ldap://ldap1.split.com.tw/ ldap://ldap2.split.com.tw/"

ldap admin dn = cn=admin,dc=split,dc=com,dc=tw

ldap suffix = dc=split,dc=com,dc=tw

ldap group suffix = ou=Groups,ou=Samba PDC

ldap user suffix = ou=Users,ou=Samba PDC
#smbldap-tools會增加許多與PDC有關的user和group，小弟是統一放進ou=Samba PDC,dc=split,dc=com,dc=tw裡面，LDAP要先建立好相對應的上一層，ou=Samba PDC。

delete group script = /usr/sbin/smbldap-groupdel "%g" #約60行，取消註解

##約64行空白處新增##
ldap ssl = no

smb ports = 139

load printers = No
#由於沒有要做印表機伺服器，以下的設定都先註解起來，經測試後如沒有註解掉當windows登入後會有問題

#約87行新增
[homes]
comment = Home Directories
path = /home/%U
browsable = no
read only = no
valid users = %S

[netlogon]
path = /home/sambPDC/netlogon/     #等等要自行建立資料夾
browseable = No
read only = yes
guest ok = yes
#netlogon資料夾與前面的 logon script 有關，該程式放置在這裡
#以下其它設定可註解或刪除…
===============================================================================

設定完成後，檢查設定是否有錯誤及開啟PDC功能。

代碼: [選擇]

[root@home ~]# testparm Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[homes]"
Processing section "[netlogon]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions
#以下省略#

建立netlogon目錄與logon.bat

代碼: [選擇]

[root@home ~]# mkdir  -p  /home/sambaPDC/netlogon 
[root@home ~]# cd  /home/sambaPDC/netlogon 
[root@ home netlogon]# vim  logon.bat

net time \\home /set /yes #與samba伺服器對時
net use H: \\home\home #連到自已的家目錄

將logon.bat轉成DOS的斷行格式

代碼: [選擇]

[root@ home netlogon]# yum  -y  install  unix2dos 
[root@ home netlogon]# unix2dos  logon.bat 
[root@ home netlogon]# cat  -A  logon.bat

net time \\home /set /yes^M$
net use H: \\home\home^M$

為niko製作profiles目錄

代碼: [選擇]

[root@ home netlogon]# cd  /home/niko 
[root@ home niko]# mkdir  proflies 
[root@ home niko]# chown  niko:d10  proflies 
[root@ home niko]# chmod  755  proflies

啟動samba與smbldap-tools設定

代碼: [選擇]

[root@ home ~]# /etc/init.d/nmb  restart 
[root@ home ~]# /etc/init.d/smb  restart 
[root@ home ~]# chkconfig  nmb  on 
[root@ home ~]# chkconfig  smb  on

加入LDAP管理員的密碼至samba

代碼: [選擇]

[root@ home ~]# smbpasswd -W Setting stored password for "cn=admin,dc=split,dc=com,dc=tw" in
secrets.tdb
New SMB password: #輸入LDAP admin的密碼
Retype new SMB password:

查看SID

代碼: [選擇]

[root@ home ~]# net rpc getsid Storing SID S-1-5-21-861616483-343575355-114807000 for Domain LDAP in secrets.tdb

設定smbldap-tools script configuration

代碼: [選擇]

[root@ home ~]# perl /usr/share/doc/smbldap-tools-*/configure.pl
以下內容非常的多，幸好每個要設定的項目都已經有解釋了，所以小弟也就不囉嗦...

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
smbldap-tools script configuration
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Before starting, check
. if your samba controller is up and running.
. if the domain SID is defined (you can get it with the 'net getlocalsid')

. you can leave the configuration using the Ctrl-c key combination
. empty value can be set with the "." character
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Looking for configuration files...

Samba Configuration File Path [/etc/samba/smb.conf] >   #Enter

The default directory in which the smbldap configuration files are stored is shown.
If you need to change this, enter the full directory path, then press enter to continue.
Smbldap-tools Configuration Directory Path [/etc/smbldap-tools] > #Enter
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Let's start configuring the smbldap-tools scripts ...

. workgroup name: name of the domain Samba acts as a PDC for
workgroup name [LDAP] >      #Enter
. netbios name: netbios name of the samba controller
netbios name [home] >      #Enter
. logon drive: local path to which the home directory will be connected (for NT Workstations). Ex: 'H:'
logon drive [H:] >            #Enter
. logon home: home directory location (for Win95/98 or NT Workstation).
(use %U as username) Ex:'\\home\%U'
logon home (press the "." character if you don't want homeDirectory) [\\%N\%U] >         #Enter
. logon path: directory where roaming profiles are stored. Ex:'\\home\profiles\%U'
logon path (press the "." character if you don't want roaming profiles) [\\%N\%U\profiles] > #Enter
. home directory prefix (use %U as username) [/home/%U] >   #Enter
. default users' homeDirectory mode [700] >       #Enter
. default user netlogon script (use %U as username) [logon.bat] > #Enter
default password validation time (time in days) [45] > 99999
. ldap suffix [dc=split,dc=com,dc=tw] >       #Enter
. ldap group suffix [ou=Groups,ou=Samba PDC] >       #Enter
. ldap user suffix [ou=Users,ou=Samba PDC] >       #Enter
. ldap machine suffix [ou=Computers] >       #Enter
. Idmap suffix [ou=Idmap] >       #Enter
. sambaUnixIdPooldn: object where you want to store the next uidNumber
and gidNumber available for new users and groups
sambaUnixIdPooldn object (relative to ${suffix}) [sambaDomainName=LDAP] >      #Enter
. ldap master server: IP address or DNS name of the master (writable) ldap server
ldap master server [ldap1.split.com.tw] >      #Enter
. ldap master port [389] > #Enter
. ldap master bind dn [cn=admin,dc=split,dc=com,dc=tw] > #Enter
. ldap master bind password [] >          #輸入LDAP admin的密碼
. ldap slave server: IP address or DNS name of the slave ldap server: can also be the master one
ldap slave server [ldap1.split.com.tw] > ldap2.split.com.tw
. ldap slave port [389] >       #Enter
. ldap slave bind dn [cn=admin,dc=split,dc=com,dc=tw] >       #Enter
. ldap slave bind password [] >          #輸入LDAP admin的密碼(ldap2)
. ldap tls support (1/0)

> #Enter
. SID for domain LDAP: SID of the domain (can be obtained with 'net getlocalsid home')
SID for domain LDAP [S-1-5-21-861616483-343575355-114807000] > #Enter
. unix password encryption: encryption used for unix passwords
unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA) [SSHA] > CRYPT
. crypt salt format: If hash_encrypt is set to CRYPT, you may set
a salt format. The default is "%s", but many systems will generate
MD5 hashed passwords if you use "$1$%.8s"
crypt salt format [%s] >$1$%.8s
. default user gidNumber [513] >      #Enter
. default computer gidNumber [515] >    #Enter
. default login shell [/bin/bash] >       #Enter
. default skeleton directory [/etc/skel] >    #Enter
. default domain name to append to mail address [] >       #Enter
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
backup old configuration files:
/etc/smbldap-tools/smbldap.conf->/etc/smbldap-tools/smbldap.conf.old
/etc/smbldap-tools/smbldap_bind.conf->/etc/smbldap-tools/smbldap_bind.conf.old
writing new configuration file:
/etc/smbldap-tools/smbldap.conf done.
/etc/smbldap-tools/smbldap_bind.conf done.

如果中途發現輸入有錯誤，可以到/etc/smbldap-tools去修改smbldap.conf、smbldap_bind.conf這兩個檔案。

把資訊寫到LDAP
代碼: [選擇]
[root@ home ~]# smbldap-populate Populating LDAP directory for domain LDAP (S-1-5-21-861616483-343575355-114807000)
(using builtin directory structure)
entry dc=split,dc=com,dc=tw already exist.
adding new entry: ou=Users,ou=Samba PDC,dc=split,dc=com,dc=tw
adding new entry: ou=Groups,ou=Samba PDC,dc=split,dc=com,dc=tw
adding new entry: ou=Computers,dc=split,dc=com,dc=tw
#中間省略#
entry sambaDomainName=LDAP,dc=split,dc=com,dc=tw already exist. Updating it...

Please provide a password for the domain root:
Changing UNIX and samba passwords for root
New password:                 #輸入domain root的密碼， windows用來加入LDAP網域用的
Retype new password:

如圖，目前小弟的LDAP

新增USER至LDAP
小弟目前只加入NIKO這個帳號，另一個等script寫好後再來測試
以NIKO為例子，以下為ldif檔的內容，檔名:niko.ldif
===============================================================================
dn: cn=Niko 王大明,ou=People,dc=split,dc=com,dc=tw
objectClass: posixAccount
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: shadowAccount
objectClass: sambaSamAccount
cn: Niko 王大明
uid: niko
sn: 王
givenName: 大明
uidNumber: 1100
gidNumber: 1000
shadowLastChange: 15609 #可隨便設定，待會改password時就會自動更改
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
homeDirectory: /home/niko
mail: niko@split.com.tw
sambaAcctFlags: [U ]
sambasid: S-1-5-21-861616483-343575355-114807000-1100
sambaPrimaryGroupSID: S-1-5-21-861616483-343575355-114807000-513
===============================================================================
sambasid、sambaPrimaryGroupSID，除了最後的 ”-“ ，前面號碼必須要與我們的home server那台機器的SID相同才行，至於最後那組號碼，sambasid可隨意設定但不可重複，這裡我們就使用與uidNumber相同即可，而sambaPrimaryGroupSID的最後一組號碼，就是“cn=Domain Users ,ou=Groups,ou=Samba PDC” 的群組碼。
userPassword、sambaLMPassword、sambaNTPassword，這三個與密碼有關的屬性，等等我們會藉由smbldap-tools來做變更就可以了。

匯入，小弟直接在"home" server上操作
代碼: [選擇]
[root@ home ~]# ldapmodify -h ldap1 -D "cn=admin,dc=split,dc=com,dc=tw" -W -x -a -v -f niko.ldif ldap_initialize( ldap://ldap1 )
Enter LDAP Password:
#以下就省略囉#

設定niko密碼
代碼: [選擇]
[root@ home ~]# smbldap-passwd niko Changing UNIX and samba passwords for niko
New password:
Retype new password:

完成後，可以到phpldapadmin看看NIKO是不是已經把有關密碼的屬性都補齊了，然後檢查Samba PDC部份
代碼: [選擇]
[root@ home ~]# pdbedit -Lv niko ===============================================================================
Unix username: niko
NT username: niko
Account Flags: [U ]
User SID: S-1-5-21-861616483-343575355-114807000-1100
Primary Group SID: S-1-5-21-861616483-343575355-114807000-513
Full Name: Niko 王大明
Home Directory: \\home\niko
HomeDir Drive: H:
Logon Script: logon.bat
Profile Path: \\home\niko\profiles
Domain: LDAP
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: never
Kickoff time: never
Password last set: Thu, 27 Sep 2012 23:16:36 CST
Password can change: Thu, 27 Sep 2012 23:16:36 CST
Password must change: never
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
===============================================================================
注意Home Directory、Profile Path這兩個部份，指向的位置是否正確。

SELinux("home" server)

samba_domain_controller --> on
samba_enable_home_dirs --> on
samba_export_all_rw --> on
samba_share_nfs --> on
use_samba_home_dirs --> on

請檢查是否都有開啟；iptables小弟就不多做說明了...

設定windows XP Client

小弟參考samba官網對win7的說明 :
===============================================================================
NOTES: with Samba 3.3.2, 3.3.3 and 3.3.4
Only for these versions, you have to change the NETLOGON parameters.
HKLM\System\CCS\Services\Netlogon\Parameters
DWORD RequireSignOrSeal = 0
DWORD RequireStrongKey = 0
For other versions, you must not change them.
===============================================================================
而我的samba版本為3.5.10，乾脆也不修改試試，結果也是可以加入網域的

輸入先前設定好的domain root名稱與密碼

加入後需要重新開機

接著我們就可以使用niko這個帳號來登入，登入成功後檢查是否為漫遊及有沒有吃到logon.bat

接下來的重頭戲就是在桌面上隨便建test目錄，然後登出，再回到"home" server上看看niko的profiles下是否會有這個目錄存在。
代碼: [選擇]
[root@ home ~]# ls -l /home/niko/profiles/桌面 total 4
drwxr-xr-x. 2 niko d10 4096 Sep 27 23:51 test

設定windows 7 Client

一樣根據Samba官網的說明 :

Windows 7 Registry settings
--------------------------------------------------------------------------------------------
There are currently two registry settings required to be added on the Windows 7 client prior to joining a Samba Domain. These are :
--------------------------------------------------------------------------------------------
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters
DomainCompatibilityMode = 1 [ DWORD (32 bit) ]
DNSNameResolutionRequired = 0 [ DWORD (32bit) ]
--------------------------------------------------------------------------------------------
Make sure to either reboot Windows 7 or restart the LanmanWorkstation service after setting these entries.

Do not edit any other registry parameters (NETLOGON) that have been seen in the wild. If you have already modified your Windows 7 registry, please make sure to reset the keys to their default values.
If you have changed the NETLOGON Parameters, make sure and turn them back to '1' as shown below:
--------------------------------------------------------------------------------------------
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Netlogon\Parameters
DWORD RequireSignOrSeal = 1 [ DWORD (32 bit) ]
DWORD RequireStrongKey = 1 [ DWORD (32bit) ]
--------------------------------------------------------------------------------------------

所以，win 7要去修改
DomainCompatibilityMode = 1 [ DWORD (32 bit) ]
DNSNameResolutionRequired = 0 [ DWORD (32bit) ]
這兩個機碼

接下來的問題小弟也研究了很久，但總覺得並不是非常完美的做法，懇請各位大大們可否教導我有沒有更好的設定方式....

加入網域時會發生

有關WINS的說明 : http://zh.wikipedia.org/wiki/WINS

要如何在我們的samba上設定小弟還沒研究出來，但是有另外兩種設定方式

1.直接從DHCP下手，這樣就不需要一台一台的去設定

DHCP server，指定wins (netbios) 伺服器 :
在dhcpd.conf檔裡新增
option netbios-name-servers 192.168.1.4; ←我們的home server IP

2.手動在win7設定

請在網卡上按右鍵 → 內容

點選內容後，選擇右下方的進階

到wins的分頁中，把我們的home server 的IP新增進去

然後，就可以加入網域了，但是....

samba官網的說明是 :
===============================================================================
NOTES: Error message during joining to the Domain
You will receive one warning about DNS domain name configuration after the join has succeeded:

"Changing the Primary Domain DNS name of this computer to "" failed.
The name will remain "MYDOM". The error was:
The specified domain either does not exist or could not be contacted"

This warning can be ignored or silenced with setting other registry keys.
There is a hotfix available from Microsoft to address this, see KB2171571: http://support.microsoft.com/kb/2171571
===============================================================================
哈哈~~~不是我們的問題，所以小弟就懶得理它.....

但是用win7登入後，個人家目錄下會多出一個profiles.V2的目錄，用來儲存win7的設定；小弟試過把profiles、profiles.V2都砍掉，重新建一個profiles，但....win7還是搞一個.V2出來，是唱反調嗎?! 這部份也還沒完全找出原因。

大致上已經做好了我們整個環境，可用linux、win xp、win7登入，個人設定也都可以正確的寫入自己的家目錄中，但是還有一些小問題是小弟在測試時所遇到的

WIN7問題

1.使用LDAP登入時會變的很慢，網路上找到的方法是去修改smb.conf
===============================================================================
[profiles]
path = /home/%U/profiles
read only = no
create mask = 0600
directory mask = 0700
browseable = No
guest ok = No
profile acls = yes
csc policy = disable

[profiles.V2]
copy = profiles
browseable = no
===============================================================================
但是似乎沒用，還是一樣很慢。

2.在登入後，會跳出一個desktop.ini的檔案，內容是 :

[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787

#最後那組數字不一定

雖然不影響操作，但一定有地方沒設定好，目前還找不到解決辦法。

3.如果ldap1掛掉，win7的登入會變得非常慢，XP倒是不會影響很大

Smbldap-tools問題

正常來說使用wondows登入後，smbldap-tools會自動幫我們新增機器碼 (pc-name$) 到LDAP中，但是如果ldap1掛掉，就會無法去寫入LDAP，/etc/smbldap-tools/smbldap_bind.conf 有提到，you can specify two different configurations if you use a master ldap for writing access and a slave ldap server for reading access. By default, we will use the same DN (so it will work for standard Samba release)
這個問題目前研究中....

以上，雖然覺得不完美，但也算是一個可運作的samba PDC了，接下來的問題是，依照小弟的些微經驗來說，一般user都很喜歡把東西直接丟在Desktop上，哪怕有多分割一塊空間給使用者來存放，不過好像還是很愛丟在桌面....="=
這時候"home" server就絕對不能掛掉，所以小弟想到了用HA+DRDB來重新架設，至於LDAP是否也可以?!
看來小弟還有非常多的東西要學習了.....

netman · « **回覆 #1 於:** 2012-10-01 21:39 »

讚！

可以開講了沒啊？ ^_^

Niko · « **回覆 #2 於:** 2012-10-02 10:45 »

引述: netman 於 2012-10-01 21:39

讚！

可以開講了沒啊？ ^_^

netman大大不是已經帶給我們一部非常精采的影片了嗎？！哈哈~~~
雖然已經能夠架設一台簡略可運作的LDAP server，但是總覺得基礎還不夠扎實，還有非常多的東西要學
小弟分享自己的筆記主要目的還是能夠讓各位大大們看看是否哪裡觀念有問題能夠鞭一下小弟...

還有還有，目前一直在想的問題就是，安全、可靠、以及備援...

Niko · « **回覆 #3 於:** 2012-10-04 22:06 »

花了幾天時間，終於把新增使用者的script給寫好了。小弟容易眼花又手殘，所以對於新增資料的部份做了很多的判斷，導致越寫越多... :'(
其實有一點不太想PO出來，因為寫的太爛了，大大們看了應該很想笑，不過這部份也在當初決定要寫份LDAP的筆記時就決定好了，所以....還是能懇請大大們給予指導，看看哪裡可以再寫的精簡一點，雖然這份script爛歸爛，可總算還是能正常運作，讓小弟欣慰點....

主要架構還是一樣，不過有修改GROUP的gidNumber部份，d10=1001,d20=1002,d30=1003
使用者的uidNumber小弟想從1101開始，如user1=1101、user2=1102 等

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

1 #!/bin/bash
2 if [ $UID -ne 0 ] #line1~6，雞肋....

3 then #只是在判斷是不是root
4 echo "請使用root身份執行"
5 exit 0
6 fi
7
8 userid ()
9 {
10 read -p "使用者名稱(ex:niko_wang) : " USERID
11 while [ -z $USERID ]
12 do
13 read -p "不可為空白,請重新輸入 : " USERID
14 done
15
16 CHKUID=$(ldapsearch -x -h ldap1 -b "dc=split,dc=com,dc=tw" uid=$USERID | grep uid: | cut -d " " -f2)
17 }
18
19 userid #function userid 主要是在判斷不可以輸入空白，"$CHKUID"則是去找輸入的名字裡有沒有在LDAP中
20
21 chkid ()
22 {
23 while [ "$USERID" == "$CHKUID" ]
24 do
25 echo "帳號("$USERID")已存在，請重新輸入"
26 userid
27 done
28 ENNAME=$(echo $USERID | tr "[a-z]" "[A-Z]")
29 }
30
31 chkid #function chkid 用來檢查有沒有重覆，用 "$USERID" == "$CHKUID"來做判斷
32 #如果一直手殘輸入空白或已經有帳號存在了，就會一直卡在這
33 UIDSEARCH=$(ldapsearch -x -h ldap1 -b "dc=split,dc=com,dc=tw" uidNumber=* | grep uidNumber: | grep 11.* | cut -d " " -f2 | sort -n | tail -1)
34
35 if [ -z $UIDSEARCH ]
36 then
37 UIDSEARCH="1100"
38 fi
39
40 UIDNUM=$(expr $UIDSEARCH + 1) #line 33~40，先去抓uidNumber的最後一個數字，如果沒有，預設就是1100然後加1，一直累加下去
41
42 firname ()
43 {
44 read -p "中文姓氏 : " FIRNAME
45 while [ -z $FIRNAME ]
46 do
47 read -p "不可為空白,請重新輸入 : " FIRNAME
48 done
49 }
50
51 firname #執行function firname
52
53 secname ()
54 {
55 read -p "中文名字 : " SECNAME
56 while [ -z $SECNAME ]
57 do
58 read -p "不可為空白,請重新輸入 : " SECNAME
59 done
60 }
61
62 secname #執行function secname
63
64 group ()
65 {
66 read -p "請選擇主群組 (1)D10 (2)D20 (3)D30 : " GROUP
67 until [ "$GROUP" == "1" ] || [ "$GROUP" == "2" ] || [ "$GROUP" == "3" ]
68 do
69 echo "輸入錯誤,找不到群組編號"
70 read -p "請選擇主群組 (1)D10 (2)D20 (3)D30 : " GROUP
71 done #line 67~71，判斷是否輸入1、2、3，不是的話就重新輸入
72 case $GROUP in
73 "1")
74 GROUP="d10"
75 GROUPNUM="1001"
76 ;;
77 "2")
78 GROUP="d20"
79 GROUPNUM="1002"
80 ;;
81 "3")
82 GROUP="d30"
83 GROUPNUM="1003"
84 ;;
85 esac
86 }
87
88 group #執行function group
89
90 show()
91 {
92 echo "*************************"
93 echo " 使用者資料"
94 echo "*************************"
95 echo "使用者帳號 : ""$USERID"
96 echo "英文名字 : ""$ENNAME"
97 echo "中文姓氏 : ""$FIRNAME"
98 echo "中文名字 : ""$SECNAME"
99 echo "群組名稱 : ""$GROUP"
100 echo "*************************"
101 read -p "資料是否正確(y/n) : " YN
102 echo " "
103 until [ "$YN" == "y" ] || [ "$YN" == "Y" ] || [ "$YN" == "n" ] || [ "$YN" == "N" ]
104 do
105 read -p "請輸入y(Y)或n(N) : " YN
106
107 done
108 }
109
110 show #執行function show
111
112 edit()
113 {
114 echo "(1)使用者帳號 : ""$USERID"
115 echo "(2)中文姓氏 : ""$FIRNAME"
116 echo "(3)中文名字 : ""$SECNAME"
117 echo "(4)群組名稱 : ""$GROUP"
118 read -p "請選擇要修改的編號 : " EDITNUM
119 until [ "$EDITNUM" == "1" ] || [ "$EDITNUM" == "2" ] || [ "$EDITNUM" == "3" ] || [ "$EDITNUM" == "4" ]
120 do
121 read -p "輸入錯誤,請輸入編號(1~4) : " EDITNUM
122 done
123 case $EDITNUM in
124 "1")
125 userid
126 chkid
127 show
128 ;;
129 "2")
130 firname
131 show
132 ;;
133 "3")
134 secname
135 show
136 ;;
137 "4")
138 group
139 show
140 ;;
141 esac
142 }
143 #function edit主要用意是如發現先前的資料有錯誤，就可以利用它來做之前的修改
144 while [ "$YN" == "n" ] || [ "$YN" == "N" ]
145 do
146 edit
147 done
148 #判斷資料是否正確，如果一直輸入n/N，就會進入edit
149 ldif()
150 {
151 cat > /tmp/$USERID.ldif << EOF
152 dn: cn=$ENNAME $FIRNAME$SECNAME,ou=People,dc=split,dc=com,dc=tw
153 objectClass: posixAccount
154 objectClass: top
155 objectClass: person
156 objectClass: inetOrgPerson
157 objectClass: shadowAccount
158 objectClass: sambaSamAccount
159 cn: $ENNAME $FIRNAME$SECNAME
160 uid: $USERID
161 sn: $FIRNAME
162 uidNumber: $UIDNUM
163 givenName: $SECNAME
164 gidNumber: $GROUPNUM
165 shadowLastChange: 15609
166 shadowMax: 99999
167 shadowWarning: 7
168 loginShell: /bin/bash
169 homeDirectory: /home/$USERID
170 mail: $USERID@split.com.tw
171 sambaAcctFlags: [U ]
172 sambasid: S-1-5-21-861616483-343575355-114807000-$UIDNUM
173 sambaPrimaryGroupSID: S-1-5-21-861616483-343575355-114807000-513
174 EOF
175 }
176
177 ldif #先寫好一個ldif檔，暫存在/tmp下
178
179 echo " "
180 echo "***************************************************************************"
181 echo " "$USERID"的LDIF檔資訊"
182 echo "***************************************************************************"
183 cat /tmp/$USERID.ldif
184 echo "***************************************************************************"
185 read -p "是否要開始進行匯入? (y)匯入 (n)取消並刪除檔案 : " YN2
186 echo " "
187
188 until [ "$YN2" == y ] || [ "$YN2" == Y ] || [ "$YN2" == n ] || [ "$YN2" == N ]
189 do
190 read -p "請輸入y(Y)或n(N) : " YN2 #檢查有無輸入錯誤
191
192 done
193
194 if [ "$YN2" == "y" ] || [ "$YN2" == "Y" ]
195 then
196 ldapmodify -h ldap1 -D "cn=admin,dc=split,dc=com,dc=tw" -W -x -v -a -f /tmp/$USERID.ldif
197 ECHO=$(echo $?)
198 while [ "$ECHO" == "49" ] || [ "$ECHO" == "53" ] #error:49代表的是密碼錯誤，error:53則是手殘忘了打密碼 ="=
199 do
200 echo "密碼輸入錯誤"
201 ldapmodify -h ldap1 -D "cn=admin,dc=split,dc=com,dc=tw" -W -x -v -a -f /tmp/$USERID.ldif
202 ECHO=$(echo $?)
203 done
204
205 cat > /tmp/$GROUP.ldif << EOF
206 dn: cn=$GROUP,ou=Group,dc=split,dc=com,dc=tw
207 changetype: modify
208 add:
209 memberUid: $USERID
210 EOF #line 205~210其實可不寫，雖然不影響group，但是不去修改memberUid的話在phpldapadmin裡會看不到，純粹爽度問題...

211 echo " "
212 echo "新增至$GROUP的memberUid屬性中,請再次輸入LDAP密碼"
213 ldapmodify -h ldap1 -D "cn=admin,dc=split,dc=com,dc=tw" -W -x -v -f /tmp/$GROUP.ldif
214 ECHO2=$(echo $?)
215 while [ "$ECHO2" == "49" ] || [ "$ECHO2" == "53" ] #同上
216 do
217 echo "密碼輸入錯誤"
218 ldapmodify -h ldap1 -D "cn=admin,dc=split,dc=com,dc=tw" -W -x -v -f /tmp/$GROUP.ldif
219 ECHO2=$(echo $?)
220 done
221
222 smbldap-passwd $USERID
223 ECHO3=$(echo $?)
224 while [ "$ECHO3" == "255" ] #error:255, 空白
225 do
226 echo "密碼不可是空白"
227 smbldap-passwd $USERID
228 ECHO3=$(echo $?)
229 done #line 222~229，建立user password
230
231 echo " "
232 echo "\"$USERID\" 匯入完成"
233 echo " "
234 cp -r /etc/skel /home/$USERID
235 chown -R $USERID:$GROUP /home/$USERID
236 chmod 700 /home/$USERID
237 echo "\"$USERID\" 家目錄已建立"
238 echo " "
239 ssh -f mail "touch /var/spool/mail/$USERID ; chown $USERID:mail /var/spool/mail/$USERID ; chmod 6 60 /var/spool/mail/$USERID" #先在mail server上建立好ssh-keygen，然後用這行指令去建mailbox
240 echo "\"$USERID\" 信箱已建立"
241 echo " "
242 if [ ! -d "/var/ldif_bak" ]
243 then
244 mkdir /var/ldif_bak
245 fi #line 242~245，建立ldif檔備份目錄，line 246 把檔丟進去
246 mv /tmp/$USERID.ldif /var/ldif_bak ; rm -rf /tmp/$GROUP.ldif
247 echo "\"$USERID\" 建立完成"
248 echo " "
249 echo "\"$USERID\"的ldif備份檔存放位置為 : /var/ldif_bak/$USERID"
250 echo " "
251 else
252 rm -rf /tmp/$USERID.ldif
253 echo " "
254 echo "/tmp/$USERID.ldif 已刪除,如要建立使用者請重新執行script"
255 echo " "
256 fi

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

以上，就是小弟以自己的架構所寫的新增使用者script....

Niko · « **回覆 #4 於:** 2013-07-26 14:25 »

先前修改好的V2版，稍微整理過也修改了一小部份，只不過一直沒時間放上來...獻醜了

p.s : 把建立home和mail的部份先拿掉了

--------------------------------------------------------------------------------------------------------------------------------------------------------------
#!/bin/bash

chkldap ()
{
CHKLDAP=$(ldapsearch -x -b "dc=split,dc=com,dc=tw" > /dev/null 2>&1 ; echo $?)
if [ $CHKLDAP != "0" ]
then
echo "無法連接LDAP SERVER"
sleep 1
exit 0
fi
}

userid ()
{
read -p "使用者名稱(ex:niko_wang) : " USERID
while [ -z $USERID ]
do
read -p "不可為空白,請重新輸入 : " USERID
done
}

chkid ()
{
CHKUID=$(ldapsearch -x -b "dc=split,dc=com,dc=tw" uid=$USERID 2> /dev/null | grep uid: | cut -d " " -f2)
while [ "$USERID" == "$CHKUID" ]
do
echo "帳號("$USERID")已存在，請重新輸入"
userid
done
ENNAME=$(echo $USERID | tr "[a-z]" "[A-Z]")
}

firname ()
{
read -p "中文姓氏 : " FIRNAME
while [ -z $FIRNAME ]
do
read -p "不可為空白,請重新輸入 : " FIRNAME
done
}

secname ()
{
read -p "中文名字 : " SECNAME
while [ -z $SECNAME ]
do
read -p "不可為空白,請重新輸入 : " SECNAME
done
}

group ()
{
read -p "請選擇主群組 (1)D10 (2)D20 (3)D30 : " GROUP
until [ "$GROUP" == "1" ] || [ "$GROUP" == "2" ] || [ "$GROUP" == "3" ]
do
echo "輸入錯誤,找不到群組編號"
read -p "請選擇主群組 (1)D10 (2)D20 (3)D30 : " GROUP
done
case $GROUP in
"1")
GROUP="d10"
GROUPNUM="1001"
;;
"2")
GROUP="d20"
GROUPNUM="1002"
;;
"3")
GROUP="d30"
GROUPNUM="1003"
;;
esac
}

show()
{
echo "*************************"
echo " 使用者資料"
echo "*************************"
echo "使用者帳號 : ""$USERID"
echo "英文名字 : ""$ENNAME"
echo "中文姓氏 : ""$FIRNAME"
echo "中文名字 : ""$SECNAME"
echo "群組名稱 : ""$GROUP"
echo "*************************"
read -p "資料是否正確(y/n) : " YN
echo " "
until [ "$YN" == "y" ] || [ "$YN" == "Y" ] || [ "$YN" == "n" ] || [ "$YN" == "N" ]
do
read -p "請輸入y(Y)或n(N) : " YN

done

while [ "$YN" == "n" ] || [ "$YN" == "N" ]
do
edit
done
}

edit()
{
echo "(1)使用者帳號 : ""$USERID"
echo "(2)中文姓氏 : ""$FIRNAME"
echo "(3)中文名字 : ""$SECNAME"
echo "(4)群組名稱 : ""$GROUP"
read -p "請選擇要修改的編號 : " EDITNUM
until [ "$EDITNUM" == "1" ] || [ "$EDITNUM" == "2" ] || [ "$EDITNUM" == "3" ] || [ "$EDITNUM" == "4" ]
do
read -p "輸入錯誤,請輸入編號(1~4) : " EDITNUM
done
case $EDITNUM in
"1")
userid
chkid
show
;;
"2")
firname
show
;;
"3")
secname
show
;;
"4")
group
show
;;
esac
}

chkuid()
{
UIDSEARCH=$(ldapsearch -x -b "dc=split,dc=com,dc=tw" uidNumber=* | grep uidNumber: | grep 11.* | cut -d " " -f2 | sort -n | tail -1)
if [ -z $UIDSEARCH ]
then
UIDSEARCH="1100"
fi
UIDNUM=$(expr $UIDSEARCH + 1)
}

chksid()
{
SID=$(net getlocalsid 2> /dev/null | awk '{print $6}')
}

ldif()
{
cat > /tmp/$USERID.ldif << EOF
dn: cn=$ENNAME $FIRNAME$SECNAME,ou=People,dc=split,dc=com,dc=tw
objectClass: posixAccount
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: shadowAccount
objectClass: sambaSamAccount
cn: $ENNAME $FIRNAME$SECNAME
uid: $USERID
sn: $FIRNAME
uidNumber: $UIDNUM
givenName: $SECNAME
gidNumber: $GROUPNUM
shadowLastChange: 15609
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
homeDirectory: /home/$USERID
mail: $USERID@split.com.tw
sambaAcctFlags: [U ]
sambasid: $SID-$UIDNUM
sambaPrimaryGroupSID: $SID-513
EOF
}

adduser ()
{
echo " "
echo "***************************************************************************"
echo " "$USERID"的LDIF檔資訊"
echo "***************************************************************************"
cat /tmp/$USERID.ldif
echo "***************************************************************************"
read -p "是否要開始進行匯入? (y)匯入 (n)取消並刪除檔案 : " YN2
echo " "

until [ "$YN2" == y ] || [ "$YN2" == Y ] || [ "$YN2" == n ] || [ "$YN2" == N ]
do
read -p "請輸入y(Y)或n(N) : " YN2

done

if [ "$YN2" == "y" ] || [ "$YN2" == "Y" ]
then
ldapmodify -D "cn=admin,dc=split,dc=com,dc=tw" -W -x -v -a -f /tmp/$USERID.ldif
ECHO=$(echo $?)
while [ "$ECHO" == "49" ] || [ "$ECHO" == "53" ]
do
echo "密碼輸入錯誤"
ldapmodify -D "cn=admin,dc=split,dc=com,dc=tw" -W -x -v -a -f /tmp/$USERID.ldif
ECHO=$(echo $?)
done

cat > /tmp/$GROUP.ldif << EOF
dn: cn=$GROUP,ou=Group,dc=split,dc=com,dc=tw
changetype: modify
add: memberUid
memberUid: $USERID
EOF
echo " "
echo "新增至$GROUP的memberUid屬性中,請再次輸入LDAP密碼"
ldapmodify -D "cn=admin,dc=split,dc=com,dc=tw" -W -x -v -f /tmp/$GROUP.ldif
ECHO2=$(echo $?)
while [ "$ECHO2" == "49" ] || [ "$ECHO2" == "53" ]
do
echo "密碼輸入錯誤"
ldapmodify -D "cn=admin,dc=split,dc=com,dc=tw" -W -x -v -f /tmp/$GROUP.ldif
ECHO2=$(echo $?)
done

smbldap-passwd $USERID
ECHO3=$(echo $?)
while [ "$ECHO3" == "255" ]
do
echo "密碼不可是空白"
smbldap-passwd $USERID
ECHO3=$(echo $?)
done
echo " "
echo "\"$USERID\" 匯入完成"
echo " "
#cp -r /etc/skel /home/$USERID
#chown -R $USERID:$GROUP /home/$USERID
#chmod 700 /home/$USERID
#echo "\"$USERID\" 家目錄已建立"
#echo " "
#ssh -f mail "touch /var/spool/mail/$USERID ; chown $USERID:mail /var/spool/mail/$USERID ; chmod 660 /var/spool/mail/$USERID"
#echo "\"$USERID\" 信箱已建立"
#echo " "
if [ ! -d "/var/ldif_bak" ]
then
mkdir /var/ldif_bak
fi
mv /tmp/$USERID.ldif /var/ldif_bak
rm -rf /tmp/$GROUP.ldif
echo "\"$USERID\" 建立完成"
echo " "
echo "\"$USERID\"的ldif備份檔存放位置為 : /var/ldif_bak/$USERID"
echo " "
else
rm -rf /tmp/$USERID.ldif
echo "/tmp/$USERID.ldif 已刪除,如要建立使用者請重新執行"$0""
echo " "
fi
}

## main ##
if [ $UID -ne 0 ]
then
echo "請使用root身份執行"
sleep 1
exit 0
fi

chkldap
userid
chkid
firname
secname
group
show
chkuid
chksid
ldif
adduser
--------------------------------------------------------------------------------------------------------------------------------------------------------------

netman · « **回覆 #5 於:** 2013-07-26 22:42 »

哇～辛苦了！感謝分享～～！ ^_^

酷!學園

最新消息: