P168-189-葛生和人.indd




ID Administrator ID ID Windows, Mac, Linux, UNIX OS UNIX/Linux Windows PC UNIX/Linux UNIX/Linux OS Windows OS LDAP Lightweight Directory Access Protocol Active Directory

UNIX/Linux OS Windows Server LDAP Active Directory LDAP Active Directory UNIX/Linux Windows Server NIS LDAP UNIX/Linux Windows UNIX/Linux Windows Active Directory UNIX/Linux

Active Directory UNIX/Linux Windows Samba [1], GINA [2], winbind 1, SFU [3], AD4Unix [4] UNIX/Linux-Windows UNIX/Linux Windows Sun Java TM System Identity Synchronization for Windows [5] Samba

UNIX Windows Samba GINA SFU Sun Java TM System Identity Synchronization for Windows Windows LDAP UNIX/Linux LDAP Windows Windows UNIX/Linux LDAP Samba Samba UNIX/ Linux Windows Windows Samba LDAP Samba LDAP UNIX/Linux

LDAP Windows Samba Samba UNIX Windows Samba Windows Windows Windows Server Windows Windows NT 4.0 Server NT Windows 2000 Server Active Directory Samba NT Active Directory Samba Active Directory Kerberos Active Directory NT Active Directory SAM Security Account Manager Active Directory LDAP WINS Windows Internet Name Service DNS NTLM NT Lan Manager Kerberos Samba-LDAP Linux CentOS-4 2 LDAP Samba Windows Windows Windows Server 2003 R2 Windows Windows UNIX/Linux CentOS-4 UNIX/Linux Linux

Samba Samba-LDAP Samba PDC Samba PDC smb.conf Linux, Samba Windows Samba Samba PDC smb.conf smb.conf PDC workgroup, netbios name os level 64 smb.conf

    # /etc/init.d/smb start

Samba Samba PDC Samba Samba Windows PDC Linux Linux Samba UNIX PCgroup Windows testpc

    # /usr/sbin/groupadd PCgroup
    # /usr/sbin/useradd -g PCgroup -s /bin/false -d /dev/null testpc$
    # pdbedit -a -m testpc

2 UNIX 3 Samba Windows root UNIX $ -s /bin/false -d /dev/null UNIX

Samba root

    # pdbedit -a root

Windows Samba Windows Samba Windows Windows 4

    [global]
    dos charset = CP932
    unix charset = EUCJP-MS
    display charset = EUCJP-MS
    workgroup = SAMBADOM
    netbios name = SAMBA30
    server string = Samba Server
    obey pam restrictions = Yes
    pam password change = Yes
    unix password sync = Yes
    log file = /var/log/samba/%m.log
    max log size = 50
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    cups options = raw
    domain logons = Yes
    domain master = Yes
    security = user
    os level = 64
    preferred master = Yes
    local master = Yes
    ......

Samba-LDAP Linux Windows Samba Linux Samba-LDAP Samba-LDAP OS-LDAP NSS,PAM Samba-LDAP LDAP slapd.conf Samba-LDAP Samba smb.conf LDAP pw Samba OS-LDAP LinuxOS LDAP Windows Windows

LDAP LDAP Linux LDAP RedHat LinuxOS authconfig 5 NSS PAM 4 authconfig Samba-LDAP LDAP ldap Samba ldap slapd.conf samba.schema samba.schema Samba examples/ldap ldap slapd.conf 6

    include /etc/openldap/schema/nis.schema
    include /etc/openldap/schema/samba.schema

slapd.conf Samba LDAP root authconfig openldap

    access to attr=sambalmpassword
        by dn="cn=manager,dc=sample,dc=com" write
        by self read
        by anonymous auth
        by * none
    access to attr=sambantpassword
        by dn="cn=manager,dc=sample,dc=com" write
        by self read
        by anonymous auth
        by * none
    access to attr=userpassword
        by dn="cn=manager,dc=sample,dc=com" write
        by self read
        by anonymous auth
        by * none

    [global]
    dos charset = CP932
    unix charset = EUCJP-MS
    display charset = EUCJP-MS
    ...
    #LDAP settings
    passdb backend = ldapsam:ldap://localhost
    ldap suffix = dc=sample,dc=com
    ldap user suffix = ou=people
    ldap group suffix = ou=group
    ldap machine suffix = ou=computers
    ldap admin dn = cn=manager,dc=sample,dc=com
    ldap passwd sync = yes
    #system administrator
    admin users = Administrator
    ...

Samba Samba LDAP Samba smb.conf ldap Samba LDAP Samba LDAP RDN
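The slapd ACLs above end every rule with `by * none`, and it helps to see why that fallback is not optional. The value Samba's ldapsam backend stores in sambaNTPassword is the MD4 digest of the UTF-16LE password with no salt; NTLM authenticates with that digest directly, so a principal that can read the attribute needs no cracking at all. The following added example (not code from the paper or from Samba) computes the attribute as Samba writes it, shows verification is a bare comparison, and includes an audit helper that spots users sharing a password, which the lack of salt makes visible to any directory reader. MD4 is implemented in pure Python because hashlib's md4 is an OpenSSL legacy algorithm that is often disabled; the DN suffix and SID in the sample entry are assumptions.

```python
"""sambaNTPassword as stored by Samba's ldapsam backend (added example).

Pure-Python MD4 (RFC 1320) is used because hashlib's md4 is an OpenSSL
'legacy' algorithm and is frequently unavailable.
"""
import struct

MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 digest of data (16 bytes)."""
    msg = bytearray(data)
    bit_len = (len(data) * 8) & 0xFFFFFFFFFFFFFFFF
    msg.append(0x80)                        # Merkle-Damgard padding
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", bit_len)

    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]

    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def hh(x, y, z): return x ^ y ^ z

    r3_index = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)

    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(16):                 # round 1
            s = (3, 7, 11, 19)[i % 4]
            a, b, c, d = d, _rotl((a + f(b, c, d) + X[i]) & MASK, s), b, c
        for i in range(16):                 # round 2
            k = (i % 4) * 4 + i // 4
            s = (3, 5, 9, 13)[i % 4]
            a, b, c, d = d, _rotl((a + g(b, c, d) + X[k] + 0x5A827999) & MASK, s), b, c
        for i in range(16):                 # round 3
            s = (3, 9, 11, 15)[i % 4]
            a, b, c, d = d, _rotl((a + hh(b, c, d) + X[r3_index[i]] + 0x6ED9EBA1) & MASK, s), b, c
        h = [(v + w) & MASK for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> str:
    """sambaNTPassword value: MD4 over the UTF-16LE password, upper-case hex, no salt."""
    return md4(password.encode("utf-16-le")).hex().upper()


def samba_user_ldif(uid: str, password: str, sid: str) -> str:
    """Password-related attributes of a sambaSamAccount entry as ldapsam stores them.
    Suffix and SID are assumed values. sambaLMPassword needs DES and is omitted."""
    return "\n".join([
        f"dn: uid={uid},ou=people,dc=sample,dc=com",
        "objectClass: sambaSamAccount",
        f"sambaSID: {sid}",
        f"sambaNTPassword: {nt_hash(password)}",
    ])


def verify_nt(stored_hex: str, candidate: str) -> bool:
    """Samba checks an NTLM logon against this value alone: the stored hash is the
    NTLM secret itself, so reading it is equivalent to knowing the password."""
    return stored_hex.upper() == nt_hash(candidate)


def shared_password_users(entries):
    """Audit helper: (uid, sambaNTPassword) pairs whose hashes collide share a
    password. Because there is no salt, any reader of the attribute sees this."""
    by_hash = {}
    for uid, h in entries:
        by_hash.setdefault(h.upper(), []).append(uid)
    return {h: u for h, u in by_hash.items() if len(u) > 1}


if __name__ == "__main__":
    print(samba_user_ldif("alice", "password", "S-1-5-21-1-2-3-1000"))
    # constructed directory extract: two users picked the same password
    sample = [("alice", nt_hash("password")), ("bob", nt_hash("password")),
              ("carol", nt_hash("other"))]
    print(shared_password_users(sample))
```

Run it and compare the sambaNTPassword line against an `ldapsearch` of the same account as cn=manager; then repeat the search bound as an unrelated user and as anonymous, which under the ACLs above must return the entry without that attribute.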

[6] pp.306-307 Samba LDAP LDAP secrets.tdb

    # smbpasswd -w [rootdn ]

Samba-LDAP Samba-LDAP Samba-LDAP LDAP Samba LDAP LDIF smbldap-tools Samba-LDAP LDAP Samba smbldap-tools Samba smbldap-tools smbldap_conf.pm /usr/local/sbin/smbldap_conf.pm LDAP DN RDN suffix, usersou, computersou, groupsou [6] pp.310-311 Windows SID Samba

    # net getlocalsid
    SID for domain SAMBA30 is : S-1-5-21-*********************************

smbldap-populate Windows smbldap-populate.pl Windows LDAP

    # /usr/local/sbin/smbldap-populate.pl
    Using builtin directory structure
    adding new entry : dc=sample,dc=com
    adding new entry : ou=people,dc=sample,dc=com
    adding new entry : ou=group,dc=sample,dc=com

    adding new entry : ou=computers,dc=sample,dc=com
    adding new entry : uid=administrator,ou=people,dc=sample,dc=com

Samba LDAP smb.conf Administrator admin users Administrator Windows Administrator Administrator

    # smbldap-passwd.pl Administrator
    Changing password for Administrator

Active Directory Windows Active Directory Samba Samba 3.0 net vampire 2 BDC Samba Windows BDC smb.conf net vampire Active Directory Windows Samba BDC BDC smb.conf

    [global]
    dos charset = CP932
    unix charset = EUCJP-MS
    display charset = EUCJP-MS
    workgroup = TOGONINSHO
    netbios name = SAMBA30
    ...
    domain logons = Yes
    preferred master = Yes
    domain master = No
    security = user
    os level = 20
    ...
    add user script = /usr/local/sbin/smbldap-useradd.pl -a -m "%u"
    add group script = /usr/local/sbin/smbldap-groupadd.pl "%g"; getent group "%g" | cut -d: -f3
    add machine script = /usr/local/sbin/smbldap-useradd.pl -w "%u"
    delete user script = /usr/local/sbin/smbldap-userdel.pl -r "%u"
    delete group script = /usr/local/sbin/smbldap-groupdel.pl "%g"
    add user to group script = /usr/local/sbin/smbldap-groupmod.pl -m "%u" "%g"
    delete user from group script = /usr/local/sbin/smbldap-groupmod.pl -x "%u" "%g"
    set primary group script = /usr/local/sbin/smbldap-groupmod.pl -g "%g" "%u"
    ...

BDC Windows Active Directory DNS NT TOGONINSHO NT os level PDC 20 add smbldap-tools Samba

    # net rpc join -S ... -w ... -U Administrator

Samba BDC Windows Samba net vampire

    # net rpc vampire -S ... -U Administrator

net rpc vampire copies every account of the domain, including the NT and LM password hashes, from the PDC into the LDAP directory, so the ACLs on sambaNTPassword and sambaLMPassword must be in place before the run: afterwards the directory holds password-equivalent secrets for the whole domain.

Active Directory Samba NT Active Directory Samba PDC Samba-LDAP

[6][7][8] GINA-LDAP Samba-LDAP Windows LDAP GINA Graphical Identification and Authentication Windows winlogon.exe DLL 7 WlxLoggedOutSAS LDAP LDAP Windows GINA pgina [9] [10] CO-GINA [11] GINA GINA-LDAP GINA Windows Vista

LDAP GINA pgina Pluggable Graphical Identification and Authentication CO-GINA LDAP - pgina LDAP LDAP Windows msgina-active Directory pgina ldapauth.dll LDAP msgina DLL GINA-LDAP

GINA LDAP GINA-LDAP GINA WlxLoggedOutSAS LDAP

    LDAP *ld;
    int version;
    int status;
    LDAPMessage *result, *e;

    version = LDAP_VERSION3;
    ld = ldap_init("133.**.**.**", ldap_port);
    if (ld == NULL) return 0;
    ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version);
    status = ldap_simple_bind_s(ld, "cn=manager,dc=sample,dc=net", "passwd");
    if (status != LDAP_SUCCESS) return 0;

Two points about this snippet deserve a caveat. It binds with the directory manager DN and a password compiled into the GINA DLL, and that DLL is installed on every workstation, so anyone who can read it recovers a credential with write access to every password attribute in the directory. It also calls ldap_simple_bind_s with no preceding ldap_start_tls_s, so that credential crosses the network in cleartext. A logon GINA should hold no privileged credential at all: bind as the user's own DN with the password typed at the logon prompt, over TLS, and let the slapd ACL (by anonymous auth) do the verification.

LDAP Windows ID GINA-LDAP Windows LDAP Samba-LDAP Windows

Windows GINA- LDAP Windows Windows Windows Windows Windows Samba-LDAP GINA-LDAP Windows LDAP UNIX Active Directory SFU Windows Services for UNIX SFU Windows UNIX/Linux Microsoft UNIX SFU Active Directory NIS Active Directory NIS UNIX/Linux Active Directory UNIX/Linux Active Directory NSS PAM Linux LDAP 10

SFU Windows Server UNIX LDAP

Windows Server Windows Server SFU SFU NIS NIS Windows Server Active Directory UNIX 11 Active Directory UNIX Active Directory LDAP 12 LDAP ldap.conf Windows

UNIX/Linux LDAP UNIX/Linux NSS PAM UNIX/Linux LDAP LDAP NSS,PAM Samba-LDAP RedHat LinuxOS authconfig Active Directory LDAP ldap.conf LDAP SFU Active Directory ldap.conf

    # @(#)$Id: ldap.conf,v 1.34 2004/09/16 23:32:02 lukeh Exp $
    host 133.**.**.**
    # The distinguished name of the search base.
    base dc=host,dc=sample,dc=com
    # The distinguished name to bind to the server with.
    binddn cn=ldapproxy,cn=users,dc=ninsho,dc=local
    # The credentials to bind with.
    # Optional: default is no credential.
    bindpw samplepw!
    # Filter to AND with uid=%s
    pam_filter objectclass=user
    # The user ID attribute (defaults to uid)
    pam_login_attribute mssfu30name
    # RFC2307bis naming contexts
    nss_base_passwd ou=togotest,dc=ninsho,dc=local?sub
    nss_base_shadow ou=togotest,dc=ninsho,dc=local?sub
    # RFC 2307 (AD) mappings
    nss_map_objectclass posixaccount User
    nss_map_objectclass shadowaccount User
    nss_map_attribute uid samaccountname
    nss_map_attribute uidnumber mssfu30uidnumber
    nss_map_attribute gidnumber mssfu30gidnumber
    nss_map_attribute homedirectory mssfu30homedirectory
    nss_map_objectclass posixgroup group
    nss_map_attribute uniquemember member
    nss_map_attribute cn samaccountname
    nss_map_attribute loginshell mssfu30loginshell
    nss_map_attribute gecos name
    pam_password md5
    # SASL mechanism for PAM authentication - use is experimental
    # at present and does not support password policy control
    ssl no
    tls_cacertdir /etc/openldap/cacerts

Three things to check before copying this file. ldap.conf has to be world-readable for NSS lookups, so bindpw ends up readable by every local user on every client: keep the bind account (cn=ldapproxy here) limited to read access on the SFU attributes and nothing more. With ssl no, both the proxy bind and every user's logon password verification travel to the domain controller in cleartext; turn on TLS (ssl start_tls with tls_checkpeer yes and a CA under tls_cacertdir) before use. Finally, pam_password md5 makes nss_ldap write an MD5-crypt value into userPassword, which Active Directory does not accept; password changes against AD need nss_ldap's pam_password ad mode, and that mode requires the TLS connection just mentioned.

[12][13] Sun Java System Identity Synchronization for Windows Windows UNIX Sun Java TM System Identity Synchronization for Windows Sun Microsystems, Inc. 13

Windows,UNIX UNIX Windows UNIX-Windows CSI

[1] Samba, http://us1.samba.org/samba/
[2] GINA, http://msdn.microsoft.com/msdnmag/issues/05/05/securitybriefs/
[3] SFU, http://www.microsoft.com/japan/technet/interopmigration/unix/sfu/default.mspx
[4] AD4Unix, http://sourceforge.net/projects/ad4unix/
[5] Sun Java TM System Identity Synchronization for Windows, http://jp.sun.com/products/software/javasystem/identitysynch/
[6] Samba LDAP
[7] Red Hat Enterprise Linux 4:, http://www.redhat.com/docs/manuals/enterprise/rhel-4-manual/ja/ref-guide/s1-samba-servers.html
[8] Windows, http://fedorasrv.com/openldap.shtml
[9] pgina, http://www.pgina.org/
[10] Dave Pickens and Kent Price, Using pgina to Authenticate Users in Microsoft Windows Environments, http://www.sun.com/blueprints/0604/817-7043.pdf, Sun BluePrints OnLine, June 2004
[11] CO-GINA, http://www.co-conv.jp/product/co-gina/
[12] LDAP Super Expert, pp.159-162
[13] Active Directory Linux, pp.155-187