FreeBSD 9 installation notes
LDAP client configuration
First install the three ports net/openldap24-client, security/pam_ldap and net/nss_ldap. Once they are installed, edit /usr/local/etc/openldap/ldap.conf as follows:
URI ldap://192.168.xx.xx
BASE ou=NIS,dc=haostudio,dc=net
Note that on FreeBSD, /usr/local/etc/openldap/ldap.conf is the file used by the OpenLDAP libraries themselves.
Then edit /usr/local/etc/ldap.conf as follows:
base ou=NIS,dc=haostudio,dc=net
uri ldap://192.168.xx.xx
binddn cn=Manager,dc=haostudio,dc=net
bindpw xxxxxxxxxx
nss_base_passwd ou=People,ou=NIS,dc=haostudio,dc=net?one
nss_base_shadow ou=People,ou=NIS,dc=haostudio,dc=net?one
nss_base_group ou=Group,ou=NIS,dc=haostudio,dc=net?one
Next edit /usr/local/etc/nss_ldap.conf; its contents can be identical to /usr/local/etc/ldap.conf.
Finally, edit /etc/nsswitch.conf as follows:
group: files ldap
hosts: files dns
networks: files
passwd: files ldap
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files
SSH logins failed because the shell of my LDAP account is /bin/bash, but FreeBSD installs bash under /usr/local/bin, so pam_ldap would not let me log in.
I only found the cause after seeing the following messages.
server# cat /var/log/auth.log
May 17 21:20:43 fs2 sshd[18373]: User hao not allowed because shell /bin/bash does not exist
May 17 21:20:45 fs2 sshd[18375]: pam_ldap: error trying to bind as user "uid=hao,ou=People,ou=NIS,dc=haostudio,dc=net" (Invalid credentials)
May 17 21:20:45 fs2 sshd[18373]: error: PAM: authentication error for illegal user hao from 192.168.9.108
May 17 21:20:45 fs2 sshd[18373]: Failed keyboard-interactive/pam for invalid user hao from 192.168.9.108 port 54866 ssh2
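The check below is an added example, not part of the original post: it reads passwd(5) lines and reports every account whose login shell is missing on the host, which is the condition sshd logs above as "shell /bin/bash does not exist". The sample passwd lines are constructed; on a configured client the real data comes from `getent passwd` once nsswitch.conf lists ldap. The /bin/bash to /usr/local/bin/bash mapping assumes bash was installed from shells/bash.

```sh
#!/bin/sh
# Added example, not from the original post: list accounts whose login shell
# is missing on this host, which is what sshd reports above as
# "shell /bin/bash does not exist". On a configured client run:
#   getent passwd | check_shells
# Here constructed passwd(5) lines stand in for getent output.

SAMPLE_PASSWD='hao:*:500:500:Hao Tseng:/export/fs2/users/hao:/bin/bash
root:*:0:0:Charlie &:/root:/bin/sh'

# Where FreeBSD ports put a shell that Linux keeps in /bin (assumption:
# bash comes from shells/bash, so /bin/bash becomes /usr/local/bin/bash).
freebsd_shell_path() {
    case "$1" in
        /bin/bash) echo /usr/local/bin/bash ;;
        *) echo "$1" ;;
    esac
}

# Read passwd lines on stdin. $1 is an optional space-separated list of
# shells known to exist (e.g. taken from /etc/shells); with no list the
# filesystem is checked with test -x. Prints one line per bad account
# and returns 1 if any was found, 0 otherwise.
check_shells() {
    known=$1
    rc=0
    while IFS=: read -r user _pw _uid _gid _gecos _home shell; do
        [ -n "$user" ] || continue
        if [ -n "$known" ]; then
            case " $known " in
                *" $shell "*) ok=1 ;;
                *) ok=0 ;;
            esac
        elif [ -x "$shell" ]; then
            ok=1
        else
            ok=0
        fi
        if [ "$ok" -eq 0 ]; then
            echo "$user: shell $shell does not exist (try $(freebsd_shell_path "$shell"))"
            rc=1
        fi
    done
    return $rc
}

# Check the constructed sample against the shells a stock FreeBSD 9 base has.
if printf '%s\n' "$SAMPLE_PASSWD" | check_shells "/bin/sh /bin/csh /bin/tcsh"; then
    echo "all login shells exist"
fi
```

Either fix the loginShell attribute in LDAP or add a /bin/bash symlink pointing at /usr/local/bin/bash on every FreeBSD client; the script reports the path it expects so the decision can be made per host.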
My rc.conf is as follows.
server# cat /etc/rc.conf
hostname="fs2"
ifconfig_em0=" inet 192.168.9.2 netmask 255.255.255.0"
defaultrouter="192.168.9.1"
sshd_enable="YES"
ntpd_enable="YES"
powerd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="NO"
References:
- http://www.freebsd.org/doc/en_US.ISO8859-1/articles/ldap-auth/article.html#CLIENT
- http://mail.lsps.tp.edu.tw/~gsyan/freebsd2001/pam_ldap.html
- http://www.us-webmasters.com/FreeBSD/Install/Samba/
- http://wiki.rafan.org/doc/linuxpam
NFS sharing with ZFS
Add the following five lines to rc.conf. Note that after editing rc.conf it is best to reboot, otherwise things seem to misbehave:
mountd_enable="YES"
nfs_server_enable="YES"
zfs_enable="YES"
rpc_statd_enable="YES"
rpc_lockd_enable="YES"
Create the /etc/exports file and leave it empty. Its contents do not need to be changed; setting the ZFS sharenfs property is enough.
server# zfs set sharenfs='maproot=root, network 192.168.9.0, mask 255.255.255.0' fspool/users
server# cat /etc/zfs/exports // after the sharenfs property is set, this file shows the ZFS share information
# !!! DO NOT EDIT THIS FILE MANUALLY !!!
/export/fs2/users -maproot=root -network 192.168.9.0 -mask 255.255.255.0
server# showmount -e // check whether the share is exported
Exports list on localhost:
/export/fs2/users 192.168.9.0
Note: the 'alldir' option does not seem to work in the sharenfs parameter.
ZFS and NFS references:
- http://lists.freebsd.org/pipermail/freebsd-current/2008-March/084102.html
- http://forums.freebsd.org/showthread.php?t=26801
- http://forums.freebsd.org/showthread.php?t=24828
- http://forums.freebsd.org/showthread.php?t=9570
Configuring Samba with LDAP integration
Add the following three lines to rc.conf
samba_enable="YES"
nmbd_enable="YES"
smbd_enable="YES"
My /usr/local/etc/smb.conf is as follows:
[global]
workgroup = MYGROUP
server string = Samba Server
passdb backend = ldapsam:ldap://192.168.9.16
log file = /var/log/samba/log.%m
max log size = 50
dns proxy = No
ldap admin dn = "cn=Manager,dc=haostudio,dc=net"
ldap user suffix = ou=People
ldap group suffix = ou=Group
ldap passwd sync = yes
ldap suffix = ou=NIS,dc=haostudio,dc=net
ldap ssl = no
idmap config * : backend = tdb
[homes]
comment = Home Directories
read only = No
browseable = No
[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
print ok = Yes
browseable = No
Store the LDAP admin password in Samba's secrets.tdb
server# smbpasswd -w 1234 // assuming your LDAP admin (Manager) password is 1234 (-w PASSWORD: ldap admin password)
Start the Samba service
server# /usr/local/etc/rc.d/samba start // start the Samba service
Check that smbd (listening on port 139) and nmbd (listening on ports 137 and 138) started successfully
server# sockstat | grep mbd
Create the Samba account hao in LDAP. Before doing so, make sure the LDAP and Samba configuration files are complete and that hao's DN can be found in LDAP.
server# smbpasswd -a hao // create the Samba account hao
New SMB password: // enter weithenn's Samba password
Retype new SMB password: // confirm the password
Added user hao. // the user was added successfully
server# ldapsearch -x -b "uid=hao,ou=People,ou=NIS,dc=haostudio,dc=net"
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# hao, People, NIS, haostudio.net
dn: uid=hao,ou=People,ou=NIS,dc=haostudio,dc=net
uid: hao
cn: Hao Tseng
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: sambaSamAccount
shadowLastChange: 14146
loginShell: /bin/bash
uidNumber: 500
gidNumber: 500
gecos: Hao Tseng
homeDirectory: /export/fs2/users/hao
sambaSID: S-1-5-21-8989478-3024177045-2934032207-1001
displayName: Hao Tseng
userPassword:: e1NTSEF9bXFlOWXduN3FybVdtRTRPQ0c1bU9RQlAweEdsM0dUVXY=
sambaNTPassword: 919D061C7C8F0A1EA4C69CD8BBDE77E7E
sambaPasswordHistory: 00000000000000000000000000000000000000000000000000000000
 00000000
sambaPwdLastSet: 1337316250
sambaAcctFlags: [U ]
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Note:
Running 'smbpasswd' creates the samba* (sambaXXXXX) attributes on the user's entry in the LDAP server. If these attributes already exist, remove them first;
otherwise their values will be wrong and Samba clients will not be able to connect.
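To carry out the removal step described in the note, the script below is an added example (not from the original post, nor part of Samba or OpenLDAP): it unwraps LDIF continuation lines, lists the samba* attributes on an entry, and generates the ldapmodify(1) change record that deletes them together with the sambaSamAccount objectClass, which the schema would otherwise keep requiring sambaSID. The LDIF is a constructed sample modelled on the ldapsearch output above, with placeholder hash values; on a real server the input comes from `ldapsearch -x -LLL -b "uid=hao,ou=People,ou=NIS,dc=haostudio,dc=net"`.

```sh
#!/bin/sh
# Added example, not from the original post: before re-running smbpasswd -a on
# an entry that already carries samba* attributes, list them and build the
# ldapmodify(1) change record that removes them. The LDIF below is a constructed
# sample modelled on the ldapsearch output above (hash values are placeholders).

ZEROS56=$(printf '%056d' 0)   # first 56 chars of a 64-char value folded by LDIF
SAMPLE_LDIF="dn: uid=hao,ou=People,ou=NIS,dc=haostudio,dc=net
uid: hao
objectClass: account
objectClass: posixAccount
objectClass: sambaSamAccount
uidNumber: 500
sambaSID: S-1-5-21-8989478-3024177045-2934032207-1001
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF
sambaPasswordHistory: ${ZEROS56}
 00000000
sambaPwdLastSet: 1337316250
sambaAcctFlags: [U ]"

# LDIF folds long values: a line beginning with one space continues the
# previous line. Join them and drop comment lines so that every attribute
# is exactly one "name: value" line.
unwrap_ldif() {
    awk '
        /^ /  { buf = buf substr($0, 2); next }
        /^#/  { next }
              { if (buf != "") print buf; buf = $0 }
        END   { if (buf != "") print buf }
    '
}

# Names of the samba* attributes present in the entry read from stdin.
samba_attrs() {
    unwrap_ldif | awk '{ name = $0; sub(/:.*/, "", name)
                         if (tolower(name) ~ /^samba/) print name }' | LC_ALL=C sort -u
}

# ldapmodify change record deleting every samba* attribute and, in the same
# operation, the sambaSamAccount objectClass (its schema requires sambaSID,
# so deleting the attribute alone would be rejected). Apply with:
#   ldapmodify -x -D cn=Manager,dc=haostudio,dc=net -W -f delete.ldif
delete_samba_ldif() {
    unwrap_ldif | awk '
        /^dn: / { dn = $0 }
        /^objectClass: sambaSamAccount$/ { has_oc = 1 }
        {
            name = $0; sub(/:.*/, "", name)
            if (tolower(name) ~ /^samba/ && !(name in seen)) {
                seen[name] = 1; order[n++] = name
            }
        }
        END {
            if (dn == "") exit 1
            print dn; print "changetype: modify"
            for (i = 0; i < n; i++) { print "delete: " order[i]; print "-" }
            if (has_oc) {
                print "delete: objectClass"
                print "objectClass: sambaSamAccount"
                print "-"
            }
        }
    '
}

printf '%s\n' "$SAMPLE_LDIF" | delete_samba_ldif
```

Review the generated record before applying it; once it has been applied, `smbpasswd -a hao` recreates the samba* attributes from scratch, which is what the note above asks for.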
Configuring rsyncd
Install rsync
server# cd /usr/ports/net/rsync
server# make install
Edit the rsync configuration file
server# cat /usr/local/etc/rsyncd.conf
[hao_home]
path = /export/fs2/users/hao
auth users = admin
uid = hao
gid = users
secrets file = /usr/local/etc/rsyncd.secrets
read only = no
Create the rsync password file (rsyncd.secrets)
server# cat /usr/local/etc/rsyncd.secrets
user:password // id:password (choose your own username and password)
server# chmod 600 /usr/local/etc/rsyncd.secrets
Add the following line to rc.conf
rsyncd_enable="YES"
Start rsyncd
server# /usr/local/etc/rc.d/rsyncd start
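Two things commonly go wrong with the setup above: a name in "auth users" that has no matching "name:password" line in the secrets file, and a secrets file that is readable by others, which rsyncd rejects (hence the chmod 600 step). The following checker is an added example, not from the original post or from rsync itself; it takes the paths of rsyncd.conf and the secrets file, and demo_rsyncd_check runs it against constructed copies of the files shown above placed in a temporary directory.

```sh
#!/bin/sh
# Added example, not from the original post: check an rsyncd.conf against its
# secrets file. Every name in a module's "auth users" needs a "name:password"
# line in the secrets file, and rsyncd refuses a secrets file that anyone but
# its owner can read. check_rsyncd_auth takes both paths; demo_rsyncd_check
# feeds it constructed copies of the configuration shown above.

# $1 = rsyncd.conf, $2 = secrets file. Prints one line per problem and
# returns 1 if any was found, 0 otherwise.
check_rsyncd_auth() {
    conf=$1 secrets=$2 rc=0
    perms=$(ls -ld "$secrets" | cut -c2-10)
    if [ "$perms" != "rw-------" ]; then
        echo "secrets file mode is $perms, expected rw-------"
        rc=1
    fi
    # emit "module user" for every name in every "auth users = a, b" line,
    # then look each name up at the start of a secrets line
    missing=$(awk '
        /^[ \t]*\[/ { module = $0; gsub(/[][ \t]/, "", module); next }
        /^[ \t]*auth users[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")
            n = split($0, users, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) print module, users[i]
        }
    ' "$conf" | while read -r module user; do
        grep -q "^$user:" "$secrets" || echo "$module: auth user $user has no secrets entry"
    done)
    if [ -n "$missing" ]; then
        echo "$missing"
        rc=1
    fi
    return $rc
}

# Constructed copies of the rsyncd.conf and rsyncd.secrets shown above in a
# temporary directory. $1 = name written to the secrets file, $2 = file mode
# (default 600). Prints the checker's findings and returns its verdict.
demo_rsyncd_check() {
    dir=$(mktemp -d) || return 2
    cat >"$dir/rsyncd.conf" <<'EOF'
[hao_home]
path = /export/fs2/users/hao
auth users = admin
uid = hao
gid = users
secrets file = /usr/local/etc/rsyncd.secrets
read only = no
EOF
    printf '%s:password\n' "$1" >"$dir/rsyncd.secrets"
    chmod "${2:-600}" "$dir/rsyncd.secrets"
    if check_rsyncd_auth "$dir/rsyncd.conf" "$dir/rsyncd.secrets"; then rc=0; else rc=1; fi
    rm -rf "$dir"
    return $rc
}

# As written above: "auth users = admin" while the secrets line is "user:password"
if demo_rsyncd_check user; then
    echo "rsyncd auth configuration is consistent"
fi
```

Run check_rsyncd_auth with /usr/local/etc/rsyncd.conf and /usr/local/etc/rsyncd.secrets on the server after editing either file; the secrets file holds cleartext passwords, so keeping it at mode 600 matters independently of rsyncd's own check.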
Configuring an iSCSI target
Install iscsi-target
server# cd /usr/ports/net/iscsi-target
server# make install
Create a 128 GB disk image (zvol) in ZFS
server# zfs create -V 128G fspool/iscsi_targets/the_disk_img
Create the iSCSI configuration file /usr/local/etc/istgt/istgt.conf
server# cp /usr/local/etc/istgt.conf.sample /usr/local/etc/istgt.conf
My configuration file, after editing, is as follows:
[Global]
NodeBase "iqn.2014-10.net.haostudio.wfs"
[UnitControl]
AuthMethod Auto
#AuthMethod CHAP Mutual
#AuthGroup AuthGroup10000
[PortalGroup1]
Portal DA1 192.168.9.10:3260
[InitiatorGroup1]
Netmask 192.168.9.0/24
[LogicalUnit1]
Comment "CB3 Web Disk"
# full specified iqn (same as below)
#TargetName iqn.2014-10.net.haostudio.wfs:cb3disk128G
# short specified non iqn (will add NodeBase)
TargetName cb3disk128G
TargetAlias "CB3 Web Disk"
Mapping PortalGroup1 InitiatorGroup1
AuthMethod Auto
AuthGroup AuthGroup1
UseDigest Auto
UnitType Disk
LUN0 Storage /dev/zvol/fspool/iscsi_targets/the_disk_img Auto
Add the following to /etc/rc.conf so that the iSCSI target service is started at boot
#
# Enable iSCSI Target support
#
istgt_enable="YES"
To start the iSCSI target service manually, use the following command:
server# /usr/local/etc/rc.d/istgt start