FreeBSD 9 installation notes


LDAP client setup

First install the three ports net/openldap24-client, security/pam_ldap and net/nss_ldap. After they are installed, edit /usr/local/etc/openldap/ldap.conf as follows:

URI ldap://192.168.xx.xx
BASE ou=NIS,dc=haostudio,dc=net

Note that on FreeBSD, /usr/local/etc/openldap/ldap.conf is the file used by the OpenLDAP libraries themselves.

Then edit /usr/local/etc/ldap.conf as follows:

base ou=NIS,dc=haostudio,dc=net
uri ldap://192.168.xx.xx

binddn cn=Manager,dc=haostudio,dc=net
bindpw xxxxxxxxxx

nss_base_passwd        ou=People,ou=NIS,dc=haostudio,dc=net?one
nss_base_shadow        ou=People,ou=NIS,dc=haostudio,dc=net?one
nss_base_group         ou=Group,ou=NIS,dc=haostudio,dc=net?one

Next edit /usr/local/etc/nss_ldap.conf; it can be identical to /usr/local/etc/ldap.conf.

Finally edit /etc/nsswitch.conf as follows:

group: files ldap
hosts: files dns
networks: files
passwd: files ldap
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files

SSH logins failed because the shell in my LDAP account is /bin/bash, but FreeBSD installs bash in /usr/local/bin, so pam_ldap would not let me log in.
I only found the cause when I saw the following messages.

server# cat /var/log/auth.log
May 17 21:20:43 fs2 sshd[18373]: User hao not allowed because shell /bin/bash does not exist
May 17 21:20:45 fs2 sshd[18375]: pam_ldap: error trying to bind as user "uid=hao,ou=People,ou=NIS,dc=haostudio,dc=net" (Invalid credentials)
May 17 21:20:45 fs2 sshd[18373]: error: PAM: authentication error for illegal user hao from 192.168.9.108
May 17 21:20:45 fs2 sshd[18373]: Failed keyboard-interactive/pam for invalid user hao from 192.168.9.108 port 54866 ssh2
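As an added check (not from the original post), the following script exercises two points of this section: the loginShell stored in LDAP must exist on the FreeBSD client, which is what the sshd message above complains about, and /usr/local/etc/ldap.conf holds the Manager bindpw in clear text, so it must not be readable by other users. The shells file, LDIF entries and ldap.conf used here are constructed, and the helper names are my own.

```sh
#!/bin/sh
# Added example, not from the original post. Two checks for the LDAP
# client setup: loginShell values that do not exist on this client, and
# an ldap.conf that carries bindpw but is readable by group or others.

# Read LDIF on stdin and report every loginShell that is not listed in the
# shells file given as $1. Returns the number of missing shells (0 = ok).
check_login_shells() {
    missing=0
    for shell in $(sed -n 's/^loginShell: *//p'); do
        if ! grep -qx "$shell" "$1"; then
            echo "loginShell $shell is not in $1"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Return 1 when file $1 contains a bindpw line and its group/other bits
# (characters 5-10 of the ls -l mode string) are not all cleared.
check_bindpw_mode() {
    grep -q '^bindpw' "$1" || return 0      # no secret stored, nothing to protect
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ] && return 0
    echo "$1 holds bindpw but group/other bits are '$perms' (want mode 600)"
    return 1
}

# Constructed sample data (hypothetical): a shells file where bash lives
# under /usr/local/bin, an LDIF with two accounts, and a mode-644 ldap.conf.
make_sample() {
    dir=$(mktemp -d)
    printf '/bin/sh\n/bin/csh\n/usr/local/bin/bash\n' > "$dir/shells"
    printf 'dn: uid=hao,ou=People\nloginShell: /bin/bash\n\n' > "$dir/users.ldif"
    printf 'dn: uid=ops,ou=People\nloginShell: /bin/sh\n' >> "$dir/users.ldif"
    printf 'binddn cn=Manager,dc=example,dc=net\nbindpw secret\n' > "$dir/ldap.conf"
    chmod 644 "$dir/ldap.conf"
    echo "$dir"
}

sample=$(make_sample)
check_login_shells "$sample/shells" < "$sample/users.ldif" || echo "missing shells: $?"
check_bindpw_mode "$sample/ldap.conf" || echo "ldap.conf needs chmod 600"
```

On a real client, feed it `ldapsearch -x -LLL loginShell` and the path /etc/shells instead of the constructed files.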

My rc.conf is as follows.

server# cat /etc/rc.conf
hostname="fs2"
ifconfig_em0=" inet 192.168.9.2 netmask 255.255.255.0"
defaultrouter="192.168.9.1"
sshd_enable="YES"
ntpd_enable="YES"
powerd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="NO"

References:

  1. http://www.freebsd.org/doc/en_US.ISO8859-1/articles/ldap-auth/article.html#CLIENT
  2. http://mail.lsps.tp.edu.tw/~gsyan/freebsd2001/pam_ldap.html
  3. http://www.us-webmasters.com/FreeBSD/Install/Samba/
  4. http://wiki.rafan.org/doc/linuxpam

Sharing ZFS over NFS

Add the following 5 lines to rc.conf. Note that after editing rc.conf it is best to reboot, otherwise things seem to behave oddly:

mountd_enable="YES"
nfs_server_enable="YES"
zfs_enable="YES"
rpc_statd_enable="YES"
rpc_lockd_enable="YES"

Create the file /etc/exports and leave it empty. Its contents do not need to be changed; just set the sharenfs property on the ZFS dataset.

server# zfs set sharenfs='maproot=root, network 192.168.9.0, mask 255.255.255.0' fspool/users

server# cat /etc/zfs/exports   // after sharenfs is set, this file shows the ZFS share information
# !!! DO NOT EDIT THIS FILE MANUALLY !!!
/export/fs2/users    -maproot=root -network 192.168.9.0 -mask 255.255.255.0 

server# showmount -e   // check whether the share is exported
Exports list on localhost:
/export/fs2/users                  192.168.9.0 

Note: it seems that the 'alldir' option cannot be used in the sharenfs property.
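As an added example (not from the original post), the script below mirrors the mapping shown above from the sharenfs value to the line ZFS writes into /etc/zfs/exports, and then audits exports lines for a root mapping (maproot=root) that is not limited to a network, the restriction the post applies with the network/mask options. The sample exports lines are constructed and the helper names are my own.

```sh
#!/bin/sh
# Added example, not from the original post. Mirrors the sharenfs -> exports
# mapping shown above and audits exports lines for root mapping that is not
# limited to a network. Sample lines are constructed; helper names are mine.

# Turn a sharenfs value such as 'maproot=root, network 192.168.9.0, mask
# 255.255.255.0' into the /etc/zfs/exports line written for path $1.
sharenfs_to_export() {
    printf '%s -%s\n' "$1" "$(printf '%s' "$2" | sed 's/, */ -/g')"
}

# Read exports lines on stdin; print one warning per export that maps root
# to root (-maproot=root or -maproot=0) without a -network restriction.
# Exit status is the number of such exports, so 0 means clean.
audit_exports() {
    awk '
    BEGIN { bad = 0 }
    /^[[:space:]]*(#|$)/ { next }              # skip comments and blank lines
    {
        path = $1; maproot = ""; network = ""
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^-maproot=/)     { sub(/^-maproot=/, "", $i); maproot = $i }
            else if ($i == "-network") { network = $(++i) }
        }
        if ((maproot == "root" || maproot == "0") && network == "") {
            printf "%s: root is mapped to root for every client host\n", path
            bad++
        }
    }
    END { exit bad }'
}

# Constructed sample (hypothetical): the line from the post plus two others.
sample_exports() {
    cat <<'EOF'
# !!! DO NOT EDIT THIS FILE MANUALLY !!!
/export/fs2/users -maproot=root -network 192.168.9.0 -mask 255.255.255.0
/export/fs2/scratch -maproot=root
/export/fs2/pub -ro -network 10.0.0.0 -mask 255.0.0.0
EOF
}

sharenfs_to_export /export/fs2/users 'maproot=root, network 192.168.9.0, mask 255.255.255.0'
sample_exports | audit_exports || echo "unrestricted root mappings: $?"
```

On the server itself, run `audit_exports < /etc/zfs/exports` after every `zfs set sharenfs=...`.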

ZFS/NFS references:

  1. http://lists.freebsd.org/pipermail/freebsd-current/2008-March/084102.html
  2. http://forums.freebsd.org/showthread.php?t=26801
  3. http://forums.freebsd.org/showthread.php?t=24828
  4. http://forums.freebsd.org/showthread.php?t=9570

Setting up Samba with LDAP integration

Add the following 3 lines to rc.conf:

samba_enable="YES"
nmbd_enable="YES"
smbd_enable="YES"

My /usr/local/etc/smb.conf is as follows:

[global]
    workgroup = MYGROUP
    server string = Samba Server
    passdb backend = ldapsam:ldap://192.168.9.16
    log file = /var/log/samba/log.%m
    max log size = 50
    dns proxy = No
    ldap admin dn = "cn=Manager,dc=haostudio,dc=net"
    ldap user suffix = ou=People
    ldap group suffix = ou=Group
    ldap passwd sync = yes
    ldap suffix = ou=NIS,dc=haostudio,dc=net
    ldap ssl = no
    idmap config * : backend = tdb

[homes]
    comment = Home Directories
    read only = No
    browseable = No

[printers]
    comment = All Printers
    path = /var/spool/samba
    printable = Yes
    print ok = Yes
    browseable = No

Store the LDAP admin password in Samba's secrets.tdb

server# smbpasswd -w 1234   // assuming your LDAP admin (Manager) password is 1234 (-w PASSWORD: ldap admin password)

Start the Samba service

server# /usr/local/etc/rc.d/samba start   // start the Samba service

Check that smbd (listening on port 139) and nmbd (listening on ports 137 and 138) started successfully

server# sockstat | grep mbd

Create the Samba account hao in LDAP. Before doing so, make sure the LDAP and Samba configuration files are complete and that the DN for hao can be found in LDAP.

server# smbpasswd -a hao   // create the Samba account hao
New SMB password:          // enter weithenn's Samba password
Retype new SMB password:   // confirm the password
Added user hao.            // the user has been added

server# ldapsearch -x -b "uid=hao,ou=People,ou=NIS,dc=haostudio,dc=net"
# extended LDIF
#
# LDAPv3
# base <uid=hao,ou=People,ou=NIS,dc=haostudio,dc=net> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# hao, People, NIS, haostudio.net
dn: uid=hao,ou=People,ou=NIS,dc=haostudio,dc=net
uid: hao
cn: Hao Tseng
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: sambaSamAccount
shadowLastChange: 14146
loginShell: /bin/bash
uidNumber: 500
gidNumber: 500
gecos: Hao Tseng
homeDirectory: /export/fs2/users/hao
sambaSID: S-1-5-21-8989478-3024177045-2934032207-1001
displayName: Hao Tseng
userPassword:: e1NTSEF9bXFlOWXduN3FybVdtRTRPQ0c1bU9RQlAweEdsM0dUVXY=
sambaNTPassword: 919D061C7C8F0A1EA4C69CD8BBDE77E7E
sambaPasswordHistory: 00000000000000000000000000000000000000000000000000000000
 00000000
sambaPwdLastSet: 1337316250
sambaAcctFlags: [U          ]

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Note:

Running 'smbpasswd' creates the sambaXXXXX attributes on the user entry on the LDAP server. If these attributes already exist, remove them first;
otherwise their values will be incorrect and Samba clients will be unable to connect.

References:

  1. [FreeBSD] OpenLDAP-Samba Auth With LDAP configuration

Setting up rsyncd

Install rsync

server# cd /usr/ports/net/rsync
server# make install

Edit the rsync configuration file

server# cat /usr/local/etc/rsyncd.conf
[hao_home]
path = /export/fs2/users/hao
auth users = admin
uid = hao
gid = users
secrets file = /usr/local/etc/rsyncd.secrets
read only = no

Create the rsync password file (rsyncd.secrets)

server# cat /usr/local/etc/rsyncd.secrets
user:password            // id:password (choose your own user name and password)

server# chmod 600 /usr/local/etc/rsyncd.secrets

Add the following line to rc.conf

rsyncd_enable="YES"

Start rsyncd

server# /usr/local/etc/rc.d/rsyncd start

References:

  1. Implementing rsync off-host file backup on FreeBSD 8.1

Setting up an iSCSI target

Install iscsi-target

server# cd /usr/ports/net/iscsi-target
server# make install

Create a 128GB disk image in ZFS

server# zfs create -V 128G fspool/iscsi_targets/the_disk_img

Create the iSCSI configuration file /usr/local/etc/istgt/istgt.conf

server# cp /usr/local/etc/istgt.conf.sample /usr/local/etc/istgt.conf

My configuration changes are as follows:

[Global]
    NodeBase "iqn.2014-10.net.haostudio.wfs"

[UnitControl]
    AuthMethod Auto
    #AuthMethod CHAP Mutual
    #AuthGroup AuthGroup10000

[PortalGroup1]
    Portal DA1 192.168.9.10:3260

[InitiatorGroup1]
    Netmask 192.168.9.0/24

[LogicalUnit1]
    Comment "CB3 Web Disk"
    # full specified iqn (same as below)
    #TargetName iqn.2014-10.net.haostudio.wfs:cb3disk128G
    # short specified non iqn (will add NodeBase)
    TargetName cb3disk128G
    TargetAlias "CB3 Web Disk"
    Mapping PortalGroup1 InitiatorGroup1
    AuthMethod Auto
    AuthGroup AuthGroup1
    UseDigest Auto
    UnitType Disk
    LUN0 Storage /dev/zvol/fspool/iscsi_targets/the_disk_img Auto

Add the following to /etc/rc.conf so that the iSCSI target service is loaded at boot

#
# Enable iSCSI Target support
#
istgt_enable="YES"

To start the iSCSI target service manually, use the following command:

server# /usr/local/etc/rc.d/istgt start

References

  1. iSCSI Initiator and Target Configuration