RED:Campus Servers:Introduction

De Wiki Unioeste NTI

Introduction

This page documents the configuration used for the complete installation of the servers deployed on the Unioeste campuses.

Server identification

Name       Location    IP
netsr-01   Datacenter  200.201.88.60
netsr-02   Datacenter  200.201.88.61
netsr-10   TOW         200.201.86.10
netsr-11   FBE         200.201.85.10
netsr-12   MCR         200.201.83.10
netsr-13   FOZ         200.201.84.10
netsr-14   HUOP        200.201.82.60

Configuration

-- OS: Ubuntu 9.04 (Jaunty)

Partition sizes:

Partition  Name  Size
sda1       swap  8 GB
sda2       boot  2 GB
sda3       root  92 GB
sda4       var   ~175 GB (the remainder)

Interface configuration

Edit the file /etc/network/interfaces:

auto lo
iface lo inet loopback
auto eth3
iface eth3 inet static
        address 200.201.88.90
        netmask 255.255.255.0
        network 200.201.88.0
        broadcast 200.201.88.255
        gateway 200.201.88.1

NOTE

  • Change the IPs to those of your server.

SSH, SNMP, date and time synchronisation

See the section "Configurações Comuns ao Servidores" (settings common to all servers).

Webmin server configuration

Required packages:

  • libnet-ssleay-perl
  • openssl
  • libauthen-pam-perl
  • libmd5-perl
  • libio-pty-perl
  • webmin_1.450

Installation:

 sudo apt-get install libnet-ssleay-perl openssl libauthen-pam-perl libmd5-perl libio-pty-perl
 sudo wget http://ufpr.dl.sourceforge.net/sourceforge/webadmin/webmin_1.450_all.deb
 sudo dpkg -i webmin_1.450_all.deb

To access it, open https://ip_da_maquina:10000 (substitute the machine's IP).

DNS server configuration

Required packages:

  • bind9

Installation:

 sudo apt-get install bind9

Edit the file /etc/bind/named.conf.options (200.201.xx.xx is this server's own IP):

forwarders {
        200.201.88.60;
        200.201.88.61;
        200.201.0.20;
        200.201.0.25;
};
listen-on {
        127.0.0.1;
        200.201.xx.xx;
};

LDAP server configuration

With Ubuntu 9.04 the way OpenLDAP is used and configured has changed. OpenLDAP is no longer configured through slapd.conf but through the slapd.d directory, which holds the LDIF files that configure it. Note that if you need to add a specific schema or any other configuration, you should follow the installation guide supplied by the application in question. Here, however, we will write the configuration in the old slapd.conf style and convert it.

Required packages:

  • slapd
  • ldap-utils
  • phpldapadmin

Installation:

Installing OpenLDAP is simple:

 sudo apt-get install slapd ldap-utils phpldapadmin

When the installer asks for a password or any other information, just press Enter; the configuration will be done afterwards.

Configuring OpenLDAP

Edit the file /etc/default/slapd:

SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:///"

Download the schema files and unpack them into the directory /etc/ldap/schema:

Schema.zip

cd /etc/ldap/schema
chown root:root *

Now create the certificate and private key used for TLS (ldaps):

cd /etc/ldap
openssl req -new -x509 -nodes -out slapd-cert.pem -keyout slapd-key.pem -days 999999
chmod 644 slapd-cert.pem
chown openldap:openldap slapd-key.pem
chmod 400 slapd-key.pem

When you run the openssl command it asks a series of questions; answer them as follows:

Country Name (2 letter code) [AU]:BR
State or Province Name (full name) [Some-State]:Parana
Locality Name (eg, city) []:Cascavel
Organization Name (eg, company) [Internet Widgits Pty Ltd]:UNIOESTE
Organizational Unit Name (eg, section) []:DRI
Common Name (eg, YOUR name) []:netsr-xx.unioeste.br
Email Address []:sup_redes@unioeste.br

NOTE: In Common Name, enter the name of the server you are configuring.

Go to the directory /etc/ldap/ and create a file named slapd.conf:

cd /etc/ldap
sudo vi slapd.conf

Copy and paste the text below:

# is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.

#######################################################################
# Global Directives:

# Features to permit
allow bind_v2

# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/RADIUS-LDAPv3.schema
include /etc/ldap/schema/qmailuser.schema
include /etc/ldap/schema/phpgwcontact.schema
include /etc/ldap/schema/phpgwaccount.schema
include /etc/ldap/schema/samba.schema
include /etc/ldap/schema/amavis.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/ppolicy.schema

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile         /var/run/slapd/slapd.pid

# List of arguments that were passed to the server
argsfile        /var/run/slapd/slapd.args

# Read slapd.conf(5) for possible values
loglevel        255

# Where the dynamically loaded modules are stored
modulepath      /usr/lib/ldap
moduleload      back_hdb
moduleload      syncprov

# Replace XXX with the ServerID of this unit:
ServerID        XXX
# Reitoria netsr-01 ---> ServerID 1
# Reitoria netsr-02 ---> ServerID 2
# Reitoria netsr-03 ---> ServerID 3
# Reitoria netsr-04 ---> ServerID 4
# Toledo   netsr-10 ---> ServerID 861
# FOZ      netsr-13 ---> ServerID 841
# MARECHAL netsr-12 ---> ServerID 831
# FBE      netsr-11 ---> ServerID 851
# HUOP     netsr-14 ---> ServerID 821

# The maximum number of entries that is returned for a search operation
sizelimit 500

# The tool-threads parameter sets the actual amount of cpu's that is used
# for indexing.
tool-threads 1

#######################################################################
# Specific Backend Directives for bdb:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend         hdb

#######################################################################
# Specific Backend Directives for 'other':
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
#backend                <other>
database        config
#######################################################################
# Specific Directives for database #1, of type bdb:
# Database specific directives apply to this database until another
# 'database' directive occurs
database        hdb

# The base of your directory in database #1
suffix dc=unioeste,dc=br

# rootdn directive for specifying a superuser on the database. This is needed
# for syncrepl.
rootdn "cn=admin,cn=config"
# Where the database file are physically stored for database #1
directory       "/var/lib/ldap"

# For the Debian package we use 2MB as default but be sure to update this
# value if you have plenty of RAM
dbconfig set_cachesize 0 67108864 0

# Sven Hartge reported that he had to set this value incredibly high
# to get slapd running at all. See http://bugs.debian.org/303057
# for more information.

# Number of objects that can be locked at the same time.
dbconfig set_lk_max_objects 1500
# Number of locks (both requested and granted)
dbconfig set_lk_max_locks 1500
# Number of lockers
dbconfig set_lk_max_lockers 1500

# Indexing options for database #1
index           objectClass eq
index           cn,sn           eq,sub,approx
index           uid,uidNumber,gidNumber,memberUid,loginshell    pres,eq

index           sambaSID        eq
index           sambaPrimaryGroupSID    eq
index           sambaDomainName eq
index           phpgwContactOwner pres,eq,sub
index entryCSN eq
index entryUUID eq

# Save the time that the entry gets modified, for database #1
lastmod         on
checkpoint      512 30
# Where to store the replica logs for database #1

TLSCertificateFile     /etc/ldap/slapd-cert.pem
TLSCertificateKeyFile  /etc/ldap/slapd-key.pem
TLSCACertificateFile   /etc/ldap/slapd-cert.pem
rootdn  "cn=manager,dc=unioeste,dc=br"
# Replace with the MD5 hash of the manager password (see the notes below)
rootpw  password

#replogfile     /var/lib/ldap/replog

# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
access to attrs=userPassword,sambaLMPassword,sambaNTPassword,shadowLastChange
        by dn="cn=manager,dc=unioeste,dc=br" write
        by dn="cn=admin,dc=unioeste,dc=br" write
        by anonymous auth
        by self write
        by * none

# Ensure read access to the base for things like
# supportedSASLMechanisms.  Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possible other things) to work 
# happily.
access to dn.base="" by * read

# The admin dn has full write access, everyone else
# can read everything.
access to *
        by dn="cn=manager,dc=unioeste,dc=br" write
        by dn="cn=admin,dc=unioeste,dc=br" write
        by * read

# For Netscape Roaming support, each user gets a roaming
# profile for which they have write access to
#access to dn=".*,ou=Roaming,o=morsnet"
#        by dn="cn=admin,dc=unioeste,dc=br" write
#        by dnattr=owner write

#######################################################################
# Specific Directives for database #2, of type 'other' (can be bdb too):
# Database specific directives apply to this database until another
# 'database' directive occurs
#database        <other>

# The base of your directory for database #2
#suffix         "dc=debian,dc=org"
#
# Be careful with these details: each server has two rids,
# one for each of the two syncrepl stanzas below
# Reitoria netsr-01     -----> rid=10
#                       -----> rid=12
# Reitoria netsr-02     -----> rid=11
#                       -----> rid=13
# Reitoria netsr-03     -----> rid=16
#                       -----> rid=15
# Reitoria netsr-04     -----> rid=17
#                       -----> rid=18
# HUOP     netsr-14     -----> rid=821
#                       -----> rid=822
# FBE      netsr-11     -----> rid=851
#                       -----> rid=852
# MCR      netsr-12     -----> rid=831
#                       -----> rid=832
# foz      netsr-13     -----> rid=841
#                       -----> rid=842
# tol      netsr-10     -----> rid=861
#                       -----> rid=862

# Replace xxx with the first rid of this unit
syncrepl rid=xxx
        provider=ldaps://netsr-01.unioeste.br:636
        type=refreshAndPersist
        retry="60 +"
        searchbase="dc=unioeste,dc=br"
        attrs="*,structuralObjectClass,entryUUID,entryCSN,creatorsName,createTimestamp,modifiersName,modifyTimestamp"
        filter="(ObjectClass=*)"
        scope=sub
        schemachecking=Off
        bindmethod=simple
        binddn="cn=manager,dc=unioeste,dc=br"
        credentials=password
# Replace xxx with the second rid of this unit
syncrepl rid=xxx
        provider=ldaps://netsr-02.unioeste.br:636
        type=refreshAndPersist
        retry="60 +"
        searchbase="dc=unioeste,dc=br"
        attrs="*,structuralObjectClass,entryUUID,entryCSN,creatorsName,createTimestamp,modifiersName,modifyTimestamp"
        filter="(ObjectClass=*)"
        scope=sub
        schemachecking=Off
        bindmethod=simple
        binddn="cn=manager,dc=unioeste,dc=br"
        credentials=password
mirrormode      on
overlay syncprov

IMPORTANT NOTES:

  • Choose the ServerID that corresponds to your unit
  • Choose the syncrepl rid values that correspond to your unit
  • Enter the correct replication credentials
  • Enter the correct rootpw as an MD5 hash

Next, we update OpenLDAP's slapd.d configuration from this file.

sudo /etc/init.d/slapd stop

Back up the slapd.d directory (cd is a shell builtin, so it is run without sudo):

cd /etc/ldap
sudo mv slapd.d slapd.d.bck

Now create a new slapd.d directory and load the new configuration generated from slapd.conf:

sudo mkdir slapd.d
sudo slaptest -f slapd.conf -F slapd.d

You should get the reply "config file testing succeeded". Now change the owner of the slapd.d directory and start OpenLDAP again:

sudo chown -R openldap:openldap slapd.d
sudo /etc/init.d/slapd start
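The same conversion as a script, added here as an example (not the wiki's own commands): it runs slaptest into a staging directory first and only replaces slapd.d, keeping the previous one as slapd.d.bck, when the test succeeds, so a broken slapd.conf never leaves the server without a configuration. The SLAPTEST variable and the parameterised ldap directory (the page's is /etc/ldap) are assumptions made so the function can be exercised on a scratch copy.

```shell
#!/bin/sh
# Convert slapd.conf to the slapd.d (cn=config) tree the way the page does, but
# test into a staging directory first and only swap it in when slaptest succeeds.
# Assumptions: the ldap directory is a parameter and the slaptest binary can be
# overridden through SLAPTEST, both only so the function can run on a scratch copy.
SLAPTEST="${SLAPTEST:-slaptest}"

# Returns 0 on success, 1 if slapd.conf is missing, 2 if slaptest rejects it
# (in which case the live slapd.d and its backup are left untouched).
convert_slapd_config() {
    ldap_dir="$1"
    conf="$ldap_dir/slapd.conf"
    live="$ldap_dir/slapd.d"
    backup="$ldap_dir/slapd.d.bck"
    staging="$ldap_dir/slapd.d.new"

    [ -f "$conf" ] || { echo "missing $conf" >&2; return 1; }
    rm -rf "$staging"
    mkdir -p "$staging" || return 1

    # slaptest -F writes the converted tree; its exit status is the
    # "config file testing succeeded" check the page tells you to look for.
    if ! "$SLAPTEST" -f "$conf" -F "$staging" >/dev/null 2>&1; then
        echo "slaptest failed: keeping the existing $live" >&2
        rm -rf "$staging"
        return 2
    fi

    # Keep exactly one backup of the previous configuration (slapd.d.bck).
    rm -rf "$backup"
    [ -d "$live" ] && mv "$live" "$backup"
    mv "$staging" "$live"
}

# The full procedure as root: stop slapd, convert, fix ownership, start again.
# If the conversion fails, slapd is restarted on its old configuration.
apply_slapd_config() {
    /etc/init.d/slapd stop
    if convert_slapd_config /etc/ldap; then
        chown -R openldap:openldap /etc/ldap/slapd.d
    fi
    /etc/init.d/slapd start
}
```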

Configuring phpldapadmin

Edit the file /etc/phpldapadmin/config.php:

$ldapservers->SetValue($i,'server','host','ldap://localhost');
$ldapservers->SetValue($i,'server','port','389');

Configuring libnss

Create a file /etc/ldap.secret and put the LDAP manager password in it.

Edit the file /etc/ldap/ldap.conf

Delete all of its lines and paste the text below (nss_initgroups_ignoreusers is a single line):

host 127.0.0.1
base dc=unioeste,dc=br
uri ldap://127.0.0.1
ldap_version 3
binddn cn=admin,dc=unioeste,dc=br
bindpw xxxxxxxx
rootbinddn cn=manager,dc=unioeste,dc=br
pam_password md5
nss_initgroups_ignoreusers Debian-exim,avahi,backup,bin,bind,daemon,dhcpd,freerad,games,gnats,haldaemon,irc,klog,landscape,libuuid,list,lp,mail,man,messagebus,news,ntp,openldap,polkituser,proxy,root,snmp,sshd,sync,sys,syslog,uucp,www-data

NOTE

  • Change the password in bindpw
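This setup leaves several secrets on disk: the rootpw in slapd.conf (which the notes above say must be stored as an MD5 hash), slapd-key.pem (chmod 400) and /etc/ldap.secret holding the manager password. The checks below are an added example, not anything from the wiki; the function names, and the assumption that /etc/ldap.secret should be mode 600 because only root-owned processes use rootbinddn, are mine.

```shell
#!/bin/sh
# Checks for the secrets this setup leaves on disk.  Paths are parameters so the
# functions can run against a scratch copy; audit_ldap_secrets uses the page's paths.

# Return 0 when every rootpw in the given slapd.conf is a {SCHEME}hash value, as
# produced by slappasswd -h '{MD5}' (or {SSHA}); return 1 if any is cleartext or
# if no rootpw is present at all.
rootpw_is_hashed() {
    conf="$1"
    # Drop comments, keep rootpw lines (directives are case-insensitive), strip quotes.
    values=$(sed 's/#.*//' "$conf" | awk 'tolower($1) == "rootpw" { print $2 }' | tr -d '"')
    [ -n "$values" ] || return 1
    for v in $values; do
        case "$v" in
            "{"*"}"*) ;;        # {MD5}..., {SSHA}...: a hashed value
            *) return 1 ;;      # plain text, like the placeholder in slapd.conf above
        esac
    done
    return 0
}

# Return 0 when the file exists and grants no permission at all to group or others
# (mode 400 for slapd-key.pem, 600 for /etc/ldap.secret); 1 otherwise.  Columns
# 5-10 of ls -l are the group/other permission flags on any POSIX ls.
private_file() {
    f="$1"
    [ -f "$f" ] || return 1
    case "$(ls -ld "$f" | cut -c5-10)" in
        ------) return 0 ;;
        *) return 1 ;;
    esac
}

# Run every check against the paths used on this page; one line per finding.
# The optional argument points at a slapd.conf other than /etc/ldap/slapd.conf.
audit_ldap_secrets() {
    rc=0
    rootpw_is_hashed "${1:-/etc/ldap/slapd.conf}" || { echo "slapd.conf: rootpw is not hashed"; rc=1; }
    for f in /etc/ldap/slapd-key.pem /etc/ldap.secret; do
        private_file "$f" || { echo "$f: missing or readable by group/others"; rc=1; }
    done
    return $rc
}
```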

Configuring nsswitch

Edit the file /etc/nsswitch.conf:

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap

hosts:          dns files mdns4_minimal [NOTFOUND=return] mdns4 wins
networks:       files dns

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

SAMBA configuration

Required packages:

  • samba
  • smbclient
  • smbldap-tools

Installation:

sudo apt-get install samba smbclient smbldap-tools

Edit the file /etc/samba/smb.conf:

#======================= Global Settings =======================

[global]
	ldap ssl = off
	name resolve order = lmhosts wins bcast
	passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
	idmap gid = 10000 - 20000
	smb ports = 139
	obey pam restrictions = yes
	enable privileges = Yes
	delete user from group script = sudo /usr/sbin/smbldap-groupmod -x "%u" "%g"
	time server = yes
	passwd program = /usr/bin/passwd %u
	max disk size = 1000
	dns proxy = no
	netbios name = NET-DMC-XXX
	server string = Unioeste-xxxxxx Local Server
	idmap uid = 10000 - 20000
	default = netlogon
	local master = yes
	workgroup = UNIOESTE
	debug level = 1
	os level = 253
	ldap admin dn = cn=manager,dc=unioeste,dc=br
	security = user
	add machine script = sudo /usr/sbin/smbldap-useradd -a -w %u
	delete user script = sudo /usr/sbin/smbldap-userdel "%u"
	max log size = 10000
	log level = 1
	log file = /var/log/samba/log.%m
	load printers = no
	ldap user suffix = ou=Users
	add group script = sudo /usr/sbin/smbldap-groupadd -p "%g"
	socket options = TCP_NODELAY
	add user to group script = sudo /usr/sbin/smbldap-groupmod -m "%u" "%g"
	wins server = 200.201.88.60
	logon drive =
	interfaces = eth3
	domain master = no
	encrypt passwords = yes
	idmap backend = ldap:ldap://localhost
	passdb backend = ldapsam:ldap://localhost
	logon home =
	ldap delete dn = no
	ldap group suffix = ou=Groups
	ldap machine suffix = ou=Computers
	ldap suffix = dc=unioeste,dc=br
	unix password sync = yes
	logon path =
	add user script = sudo /usr/sbin/smbldap-useradd -m "%u"
	set primary group script = sudo /usr/sbin/smbldap-usermod -g "%g" "%u"
	syslog = 0
	panic action = /usr/share/samba/panic-action %d
	unix charset = iso-8859-1
	bind interfaces only = true
	domain logons = yes
	preferred master = yes

#======================= Share Definitions =======================
[netlogon]
   comment = Network Logon Service
   path = /home/samba/netlogon
   guest ok = yes
   writable = no
   share modes = no

IMPORTANT NOTES

  • Change the netbios name and server string

Run the command (SenhadoManager is the LDAP manager password):

smbpasswd -w SenhadoManager

smbldap-tools configuration

Download the files below and unpack them into /etc/smbldap-tools/:

Smbldap.zip

Edit /usr/share/perl5/smbldap_tools.pm and change line 545 so that the block reads as follows (the objectclass list used for new users):

                 'objectclass' => ['top', 'person', 'organizationalPerson', 'inetOrgPerson', 'posixAccount'],
                 #'objectclass' => ['top', 'account', 'posixAccount'],
                 'cn'   => "$user",
                 'sn'   => "$user",

FreeRadius configuration

Required packages:

Installation:

Download and unpack the installation files:

sudo dpkg -i freeradius_2.1.3-0_i386.deb
sudo dpkg -i freeradius-ldap_2.1.3-0_i386.deb
sudo apt-get install build-essential
sudo apt-get install -f

Download and unpack the configuration files. Copy them to /etc/freeradius and fix the permissions:

sudo cp -r * /etc/freeradius/
sudo chown -R root:freerad /etc/freeradius/*
sudo mkdir /var/run/radiusd

Edit the files /etc/freeradius/certs/ca.cnf, server.cnf and client.cnf.

Correct the commonName to the server's name.

Run the command to generate the keys (the script is named bootstrap; cd is a shell builtin, so it is run without sudo):

cd /etc/freeradius/certs/
sudo ./bootstrap

Edit the file /etc/freeradius/radiusd.conf.

Correct the interface:

 interface = eth3

Correct the IPs for the server (LEAVE EMPTY????):

listen {
   ipaddr =

NOTE

  • There are two places in the file to correct.