PAM, NIS, LDAP, Kerberos, DS and Samba 4 AD-DC - SME Networks

General index of the series: Computer Networks for SMEs: Introduction

Hello friends!

With this article I say goodbye to the DesdeLinux Community. A special farewell for a special community. From now on I will be working on my personal project, which you can see at http://www.gigainside.com.

The main aim of the post is to offer a «Big Picture» of the Authentication Services with Free Software that we have at our disposal. At least that is our intention. It will therefore be long, even though we know that this goes against the usual rules for writing articles. We hope System Administrators appreciate it.

We want to point out that the protocol common to many modern authentication systems is LDAP, and that it is worth studying it carefully, starting from the study material we will find on the official site http://www.openldap.org/.

We will not give detailed definitions -or links- for aspects covered in previous articles, or for those whose description is easily found on Wikipedia or on other sites or articles on the Internet, so as not to lose the objectivity of the message we want to convey. We will also use a valid mix of names in English and Spanish, since we consider that most systems were born with English names and it is very useful for a Sysadmin to assimilate them in their original language.

  • PAM: Pluggable Authentication Module.
  • NIS: Network Information Service.
  • LDAP: Lightweight Directory Access Protocol.
  • Kerberos: Security protocol for authenticating users, computers and services centrally on a network, verifying their credentials against the entries existing in the Kerberos database.
  • DS: Directory Server or Directory Service.
  • AD-DC: Active Directory - Domain Controller.

PAM

We dedicated a small series to this type of local authentication, which you will find in daily practice is widely used when, for example, we join a workstation to a Domain Controller or Active Directory; to map users stored in an external LDAP database as if they were local users; to map users stored in the Domain Controller of an Active Directory as if they were local users, and so on.

NIS

From Wikipedia:

  • Network Information System (known by its acronym NIS, which in Spanish means Sistema de Información de Red) is the name of a client-server directory service protocol developed by Sun Microsystems for sending configuration data in distributed systems, such as user and host names, between computers on a network. NIS is based on ONC RPC, and consists of a server, a client-side library, and various administration tools.

    NIS was originally called Yellow Pages, or YP, a name that is still used to refer to it. Unfortunately, that name is a trademark of British Telecom, which required Sun to drop it. However, YP remains a prefix in the names of most NIS-related commands, such as ypserv and ypbind.

    DNS serves a limited range of information, the most important being the correspondence between node name and IP address. For other types of information, there is no such specialized service. On the other hand, if you only manage a small LAN with no Internet connectivity, it does not seem worth setting up DNS. This is why Sun developed the Network Information System (NIS). NIS provides generic database access facilities that can be used to distribute, for example, the information contained in the passwd and groups files to all nodes on your network. This makes the network look like a single system, with the same accounts on all nodes. Similarly, NIS can be used to distribute the node name information contained in /etc/hosts to all machines on the network.

    Today NIS is available in virtually all Unix distributions, and there are even free implementations. BSD Net-2 published one that was derived from a public domain reference implementation donated by Sun. The library code for the client part of this version has existed in the GNU/Linux libc for a long time, and the administration programs were ported to GNU/Linux by Swen Thümmler. However, an NIS server is missing from the reference implementation.

    Peter Eriksson developed a new implementation called NYS. It supports both basic NIS and the enhanced version, Sun NIS+. [1] NYS not only provides a set of NIS tools and a server, it also adds a whole new set of library functions that you need to compile into your libc if you want to use them. This includes a new configuration scheme for node name resolution that replaces the current scheme used by the "host.conf" file.

    GNU libc, known as libc6 in the GNU/Linux community, includes an updated version of the traditional NIS support developed by Thorsten Kukuk. It supports all the library functions provided by NYS, and also uses the advanced NYS configuration scheme. The tools and a server are still needed, but using GNU libc saves the work of patching and recompiling the library.

Computer and domain name, network interface and resolver

  • We start from a clean installation -without a graphical interface- of Debian 8 "Jessie". The domain swl.fan stands for "Fans of Free Software". What better name than that?
root@master:~# hostname
master
root@master:~# hostname -f
master.swl.fan

root@master:~# ip addr
1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:4c:76:d9 brd ff:ff:ff:ff:ff:ff
    inet 192.168.10.5/24 brd 192.168.10.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe4c:76d9/64 scope link
       valid_lft forever preferred_lft forever

root@master:~# cat /etc/resolv.conf
search swl.fan
nameserver 127.0.0.1

Installation of bind9, isc-dhcp-server and ntp

bind9

root@master:~# aptitude install bind9 bind9-doc nmap
root@master:~# systemctl status bind9

root@master:~# nano /etc/bind/named.conf
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

root@master:~# cp /etc/bind/named.conf.options \
/etc/bind/named.conf.options.original

root@master:~# nano /etc/bind/named.conf.options
options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        // forwarders {
        //      0.0.0.0;
        // };

        //=====================================================================$
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        //=====================================================================$

        // We do not want DNSSEC
        dnssec-enable no;
        //dnssec-validation auto;

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };

        // For checks from localhost and sysadmin
        // via dig swl.fan axfr
        // We have no slave DNS ... until now
        allow-transfer { localhost; 192.168.10.1; };
};

root@master:~# named-checkconf

root@master:~# nano /etc/bind/zones.rfcFreeBSD
// Shared Address Space (RFC 6598)
zone "64.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "65.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "66.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "67.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "68.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "69.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "70.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "71.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "72.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "73.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "74.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "75.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "76.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "77.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "78.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "79.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "80.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "81.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "82.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "83.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "84.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "85.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "86.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "87.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "88.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "89.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "90.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "91.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "92.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "93.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "94.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "95.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "96.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "97.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "98.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "99.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "100.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "101.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "102.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "103.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "104.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "105.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "106.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "107.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "108.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "109.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "110.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "111.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "112.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "113.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "114.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "115.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "116.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "117.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "118.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "119.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "120.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "121.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "122.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "123.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "124.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "125.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "126.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "127.100.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };

// Link-local/APIPA (RFCs 3927, 5735 and 6303)
zone "254.169.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };

// IETF protocol assignments (RFCs 5735 and 5736)
zone "0.0.192.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };

// TEST-NET-[1-3] for Documentation (RFCs 5735, 5737 and 6303)
zone "2.0.192.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "100.51.198.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "113.0.203.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };

// IPv6 Example Range for Documentation (RFCs 3849 and 6303)
zone "8.b.d.0.1.0.0.2.ip6.arpa" { type master; file "/etc/bind/db.empty"; };

// Domain Names for Documentation and Testing (BCP 32)
zone "test" { type master; file "/etc/bind/db.empty"; };
zone "example" { type master; file "/etc/bind/db.empty"; };
zone "invalid" { type master; file "/etc/bind/db.empty"; };
zone "example.com" { type master; file "/etc/bind/db.empty"; };
zone "example.net" { type master; file "/etc/bind/db.empty"; };
zone "example.org" { type master; file "/etc/bind/db.empty"; };

// Router Benchmark Testing (RFCs 2544 and 5735)
zone "18.198.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "19.198.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };

// IANA Reserved - Old Class E Space (RFC 5735)
zone "240.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "241.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "242.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "243.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "244.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "245.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "246.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "247.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "248.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "249.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "250.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "251.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "252.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "253.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "254.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };

// IPv6 Unassigned Addresses (RFC 4291)
zone "1.ip6.arpa" { type master; file "/etc/bind/db.empty"; };
zone "3.ip6.arpa" { type master; file "/etc/bind/db.empty"; };
zone "4.ip6.arpa" { type master; file "/etc/bind/db.empty"; };
zone "5.ip6.arpa" { type master; file "/etc/bind/db.empty"; };
zone "6.ip6.arpa" { type master; file "/etc/bind/db.empty"; };
zone "7.ip6.arpa" { type master; file "/etc/bind/db.empty"; };
zone "8.ip6.arpa" { type master; file "/etc/bind/db.empty"; };
zone "9.ip6.arpa" { type master; file "/etc/bind/db.empty"; };
zone "a.ip6.arpa" { type master; file "/etc/bind/db.empty"; };
zone "b.ip6.arpa" { type master; file "/etc/bind/db.empty"; };
zone "c.ip6.arpa" { type master; file "/etc/bind/db.empty"; };
zone "d.ip6.arpa" { type master; file "/etc/bind/db.empty"; };
zone "e.ip6.arpa" { type master; file "/etc/bind/db.empty"; };
zone "0.f.ip6.arpa" { type master; file "/etc/bind/db.empty"; };
zone "1.f.ip6.arpa" { type master; file "/etc/bind/db.empty"; };
zone "2.f.ip6.arpa" { type master; file "/etc/bind/db.empty"; };
zone "3.f.ip6.arpa" { type master; file "/etc/bind/db.empty"; };
zone "4.f.ip6.arpa" { type master; file "/etc/bind/db.empty"; };
zone "5.f.ip6.arpa" { type master; file "/etc/bind/db.empty"; };
zone "6.f.ip6.arpa" { type master; file "/etc/bind/db.empty"; };
zone "7.f.ip6.arpa" { type master; file "/etc/bind/db.empty"; };
zone "8.f.ip6.arpa" { type master; file "/etc/bind/db.empty"; };
zone "9.f.ip6.arpa" { type master; file "/etc/bind/db.empty"; };
zone "a.f.ip6.arpa" { type master; file "/etc/bind/db.empty"; };
zone "b.f.ip6.arpa" { type master; file "/etc/bind/db.empty"; };
zone "0.e.f.ip6.arpa" { type master; file "/etc/bind/db.empty"; };
zone "1.e.f.ip6.arpa" { type master; file "/etc/bind/db.empty"; };
zone "2.e.f.ip6.arpa" { type master; file "/etc/bind/db.empty"; };
zone "3.e.f.ip6.arpa" { type master; file "/etc/bind/db.empty"; };
zone "4.e.f.ip6.arpa" { type master; file "/etc/bind/db.empty"; };
zone "5.e.f.ip6.arpa" { type master; file "/etc/bind/db.empty"; };
zone "6.e.f.ip6.arpa" { type master; file "/etc/bind/db.empty"; };
zone "7.e.f.ip6.arpa" { type master; file "/etc/bind/db.empty"; };

// IPv6 ULA (RFCs 4193 and 6303)
zone "c.f.ip6.arpa" { type master; file "/etc/bind/db.empty"; };
zone "d.f.ip6.arpa" { type master; file "/etc/bind/db.empty"; };

// IPv6 Link Local (RFCs 4291 and 6303)
zone "8.e.f.ip6.arpa" { type master; file "/etc/bind/db.empty"; };
zone "9.e.f.ip6.arpa" { type master; file "/etc/bind/db.empty"; };
zone "a.e.f.ip6.arpa" { type master; file "/etc/bind/db.empty"; };
zone "b.e.f.ip6.arpa" { type master; file "/etc/bind/db.empty"; };

// IPv6 Deprecated Site-Local Addresses (RFCs 3879 and 6303)
zone "c.e.f.ip6.arpa" { type master; file "/etc/bind/db.empty"; };
zone "d.e.f.ip6.arpa" { type master; file "/etc/bind/db.empty"; };
zone "e.e.f.ip6.arpa" { type master; file "/etc/bind/db.empty"; };
zone "f.e.f.ip6.arpa" { type master; file "/etc/bind/db.empty"; };

// IP6.INT is Deprecated (RFC 4159)
zone "ip6.int" { type master; file "/etc/bind/db.empty"; };

root@master:~# nano /etc/bind/named.conf.local
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
include "/etc/bind/zones.rfc1918";
include "/etc/bind/zones.rfcFreeBSD";

// Declaration of the name, type, location, and update permission
// of the DNS Record Zones
// Both Zones are MASTERS
zone "swl.fan" {
        type master;
        file "/var/lib/bind/db.swl.fan";
};

zone "10.168.192.in-addr.arpa" {
        type master;
        file "/var/lib/bind/db.10.168.192.in-addr.arpa";
};

root@master:~# named-checkconf

root@master:~# nano /var/lib/bind/db.swl.fan
$TTL 3H
@       IN SOA  master.swl.fan. root.master.swl.fan. (
                                1       ; serial
                                1D      ; refresh
                                1H      ; retry
                                1W      ; expire
                                3H )    ; minimum or
                                        ; Negative caching time to live
;
@               IN      NS      master.swl.fan.
@               IN      MX      10 mail.swl.fan.
@               IN      A       192.168.10.5
@               IN      TXT     "For Fans of Free Software"
;
sysadmin        IN      A       192.168.10.1
fileserver      IN      A       192.168.10.4
master          IN      A       192.168.10.5
proxyweb        IN      A       192.168.10.6
blog            IN      A       192.168.10.7
ftpserver       IN      A       192.168.10.8
mail            IN      A       192.168.10.9

root@master:~# nano /var/lib/bind/db.10.168.192.in-addr.arpa
$TTL 3H
@       IN SOA  master.swl.fan. root.master.swl.fan. (
                                1       ; serial
                                1D      ; refresh
                                1H      ; retry
                                1W      ; expire
                                3H )    ; minimum or
                                        ; Negative caching time to live
;
@       IN      NS      master.swl.fan.
;
1       IN      PTR     sysadmin.swl.fan.
4       IN      PTR     fileserver.swl.fan.
5       IN      PTR     master.swl.fan.
6       IN      PTR     proxyweb.swl.fan.
7       IN      PTR     blog.swl.fan.
8       IN      PTR     ftpserver.swl.fan.
9       IN      PTR     mail.swl.fan.

root@master:~# named-checkzone swl.fan /var/lib/bind/db.swl.fan
zone swl.fan/IN: loaded serial 1
OK
root@master:~# named-checkzone 10.168.192.in-addr.arpa /var/lib/bind/db.10.168.192.in-addr.arpa
zone 10.168.192.in-addr.arpa/IN: loaded serial 1
OK
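
named-checkzone validates each zone file on its own; it does not compare the A records of swl.fan with the PTR records of 10.168.192.in-addr.arpa. The script below is an added example, not part of the original article: it cross-checks the two record sets. The function names, the report labels and the deliberately broken reverse zone are constructed for illustration, and it assumes one record per line with an explicit owner name and a /24 reverse zone.

```sh
#!/bin/sh
# Added example (not the article's own code): cross-check forward A records
# against reverse PTR records for the swl.fan zones used on this page.

# Constructed sample: record lines of db.swl.fan as shown above.
write_forward_zone() {
    cat > "$1" <<'EOF'
@               IN      NS      master.swl.fan.
@               IN      A       192.168.10.5
sysadmin        IN      A       192.168.10.1
fileserver      IN      A       192.168.10.4
master          IN      A       192.168.10.5
proxyweb        IN      A       192.168.10.6
blog            IN      A       192.168.10.7
ftpserver       IN      A       192.168.10.8
mail            IN      A       192.168.10.9
EOF
}

# Constructed sample: record lines of db.10.168.192.in-addr.arpa as shown above.
write_reverse_zone() {
    cat > "$1" <<'EOF'
@       IN      NS      master.swl.fan.
1       IN      PTR     sysadmin.swl.fan.
4       IN      PTR     fileserver.swl.fan.
5       IN      PTR     master.swl.fan.
6       IN      PTR     proxyweb.swl.fan.
7       IN      PTR     blog.swl.fan.
8       IN      PTR     ftpserver.swl.fan.
9       IN      PTR     mail.swl.fan.
EOF
}

# Constructed broken variant: wrong target for .6, no PTR for .7, stray PTR for .20.
write_broken_reverse_zone() {
    cat > "$1" <<'EOF'
@       IN      NS      master.swl.fan.
1       IN      PTR     sysadmin.swl.fan.
4       IN      PTR     fileserver.swl.fan.
5       IN      PTR     master.swl.fan.
6       IN      PTR     proxy.swl.fan.
8       IN      PTR     ftpserver.swl.fan.
9       IN      PTR     mail.swl.fan.
20      IN      PTR     ghost.swl.fan.
EOF
}

# $1 = forward zone file, $2 = reverse zone file, $3 = origin, $4 = first three octets.
# Prints one line per disagreement; prints nothing when both zones agree.
zone_mismatches() {
    awk -v origin="$3" -v net="$4" '
        { sub(/;.*/, "") }                          # drop zone-file comments
        FNR == NR {                                 # first file: forward zone
            if ($2 == "IN" && $3 == "A" && $1 != "@") {
                name = ($1 ~ /\.$/) ? $1 : $1 "." origin "."
                fwd[$4] = name                      # address -> expected FQDN
            }
            next
        }
        $2 == "IN" && $3 == "PTR" { rev[net "." $1] = $4 }
        END {
            for (ip in fwd) {
                if (!(ip in rev)) print "MISSING-PTR", ip, fwd[ip]
                else if (rev[ip] != fwd[ip]) print "WRONG-PTR", ip, fwd[ip], rev[ip]
            }
            for (ip in rev) if (!(ip in fwd)) print "ORPHAN-PTR", ip, rev[ip]
        }' "$1" "$2" | sort
}

demo() {
    dir=$(mktemp -d) || return 1
    write_forward_zone "$dir/fwd"
    write_reverse_zone "$dir/rev"
    write_broken_reverse_zone "$dir/bad"
    echo "zones from this page:"; zone_mismatches "$dir/fwd" "$dir/rev" swl.fan 192.168.10
    echo "broken reverse zone:";  zone_mismatches "$dir/fwd" "$dir/bad" swl.fan 192.168.10
    rm -rf "$dir"
}
demo
```

Once isc-dhcp-server starts writing dynamic updates into both zones, the same comparison can be run on the output of the two `dig ... axfr` checks instead of the static files.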

root@master:~# named-checkconf -zp
root@master:~# systemctl restart bind9.service
root@master:~# systemctl status bind9.service

bind9 checks

root@master:~# dig swl.fan axfr
root@master:~# dig 10.168.192.in-addr.arpa axfr
root@master:~# dig IN SOA swl.fan
root@master:~# dig IN NS swl.fan
root@master:~# dig IN MX swl.fan
root@master:~# host proxyweb
root@master:~# nping --tcp -p 53 -c 3 localhost
root@master:~# nping --udp -p 53 -c 3 localhost
root@master:~# nping --tcp -p 53 -c 3 master.swl.fan
root@master:~# nping --udp -p 53 -c 3 master.swl.fan
Starting Nping 0.6.47 ( http://nmap.org/nping ) at 2017-05-27 09:32 EDT
SENT (0.0037s) UDP 192.168.10.5:53 > 192.168.10.245:53 ttl=64 id=20743 iplen=28
SENT (1.0044s) UDP 192.168.10.5:53 > 192.168.10.245:53 ttl=64 id=20743 iplen=28
SENT (2.0060s) UDP 192.168.10.5:53 > 192.168.10.245:53 ttl=64 id=20743 iplen=28

Max rtt: N/A | Min rtt: N/A | Avg rtt: N/A
Raw packets sent: 3 (84B) | Rcvd: 0 (0B) | Lost: 3 (100.00%)
Nping done: 1 IP address pinged in 3.01 seconds

isc-dhcp-server

root@master:~# aptitude install isc-dhcp-server
root@master:~# nano /etc/default/isc-dhcp-server
# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
#       Separate multiple interfaces with spaces, e.g. "eth0 eth1".
INTERFACES="eth0"

root@master:~# dnssec-keygen -a HMAC-MD5 -b 128 -r /dev/urandom -n USER dhcp-key
root@master:~# cat Kdhcp-key.+157+51777.private
Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: Ba9GVadq4vOCixjPN94dCQ==
Bits: AAA=
Created: 20170527133656
Publish: 20170527133656
Activate: 20170527133656

root@master:~# nano dhcp.key
key dhcp-key {
        algorithm hmac-md5;
        secret "Ba9GVadq4vOCixjPN94dCQ==";
};

root@master:~# install -o root -g bind -m 0640 dhcp.key /etc/bind/dhcp.key
root@master:~# install -o root -g root -m 0640 dhcp.key /etc/dhcp/dhcp.key

root@master:~# nano /etc/bind/named.conf.local
include "/etc/bind/dhcp.key";

zone "swl.fan" {
        type master;
        file "/var/lib/bind/db.swl.fan";
        allow-update { key dhcp-key; };
};

zone "10.168.192.in-addr.arpa" {
        type master;
        file "/var/lib/bind/db.10.168.192.in-addr.arpa";
        allow-update { key dhcp-key; };
};

root@master:~# named-checkconf

root@master:~# mv /etc/dhcp/dhcpd.conf /etc/dhcp/dhcpd.conf.original
root@master:~# nano /etc/dhcp/dhcpd.conf
ddns-update-style interim;
ddns-updates on;
ddns-domainname "swl.fan.";
ddns-rev-domainname "in-addr.arpa.";
ignore client-updates;
update-optimization false;

# May be required on Debian
authoritative;

option ip-forwarding off;
option domain-name "swl.fan";

include "/etc/dhcp/dhcp.key";

zone swl.fan. {
        primary 127.0.0.1;
        key dhcp-key;
}
zone 10.168.192.in-addr.arpa. {
        primary 127.0.0.1;
        key dhcp-key;
}

shared-network redlocal {
        subnet 192.168.10.0 netmask 255.255.255.0 {
                option routers 192.168.10.1;
                option subnet-mask 255.255.255.0;
                option broadcast-address 192.168.10.255;
                option domain-name-servers 192.168.10.5;
                option netbios-name-servers 192.168.10.5;
                option ntp-servers 192.168.10.5;
                option time-servers 192.168.10.5;
                range 192.168.10.30 192.168.10.250;
        }
}

root@master:~# dhcpd -t
Internet Systems Consortium DHCP Server 4.3.1
Copyright 2004-2014 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
Config file: /etc/dhcp/dhcpd.conf
Database file: /var/lib/dhcp/dhcpd.leases
PID file: /var/run/dhcpd.pid

root@master:~# systemctl restart bind9.service
root@master:~# systemctl status bind9.service

root@master:~# systemctl start isc-dhcp-server.service
root@master:~# systemctl status isc-dhcp-server.service

NTP

root@master:~# aptitude install ntp ntpdate
root@master:~# cp /etc/ntp.conf /etc/ntp.conf.original
root@master:~# nano /etc/ntp.conf
driftfile /var/lib/ntp/ntp.drift
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
server 192.168.10.1
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1
broadcast 192.168.10.255

root@master:~# systemctl restart ntp.service
root@master:~# systemctl status ntp.service
root@master:~# ntpdate -u sysadmin.swl.fan
27 May 10:04:01 ntpdate[18769]: adjust time server 192.168.10.1 offset 0.369354 sec

Global checks for ntp, bind9, and isc-dhcp-server

From a Linux, BSD, Mac OS, or Windows client, check that the time is synchronized correctly, that the client acquires a dynamic IP address, and that its host name resolves through both direct and reverse DNS queries. Change the client's name and redo all the checks. Do not continue until you are sure that the services installed so far are working correctly. There is a reason we wrote all the articles about DNS and DHCP in Computer Networks for SMEs.

NIS server installation

root@master:~# aptitude show nis
Conflicts: netstd (<= 1.26)
Description: clients and daemons for the Network Information Service (NIS)
 This package provides tools for setting up and maintaining a NIS domain. NIS, originally known as Yellow Pages (YP), is mostly used to let several machines in a network share the same account information, such as the password file.

root@master:~# aptitude install nis
Package configuration

  Nis Configuration

  Choose the NIS "domainname" for this system. If you want this
  machine to just be a client, you should enter the name of the NIS
  domain you wish to join.

  Alternatively, if this machine is to be a NIS server, you can
  either enter a new NIS "domainname" or the name of an existing NIS
  domain.

  NIS domain:

  swl.fan

It will take a while, because the service configuration does not exist as such. Please wait for the process to finish.

root@master:~# nano /etc/default/nis
# Are we a NIS server and if so what kind (values: false, slave, master)?
NISSERVER=master

root@master:~# nano /etc/ypserv.securenets
#
# securenets    This file defines the access rights to your NIS server
#               for NIS clients (and slave servers - ypxfrd uses this
#               file too). This file contains netmask/network pairs.
#               A clients IP address needs to match with at least one
#               of those.
#
#               One can use the word "host" instead of a netmask of
#               255.255.255.255. Only IP addresses are allowed in this
#               file, not hostnames.
#
# Always allow access for localhost
255.0.0.0       127.0.0.0

# This line gives access to everybody. PLEASE ADJUST!
# 0.0.0.0               0.0.0.0
255.255.255.0           192.168.10.0
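
The access rule stated in the comments of this file can be checked offline before the NIS service is restarted. The script below is an added example, not part of the original article: it evaluates netmask/network pairs as the comments describe, assuming the rule (client AND netmask) == network, and reports whether an active `0.0.0.0 0.0.0.0` pair is present. The function names and both sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example (not the article's own code): evaluate /etc/ypserv.securenets.
# Assumption: a client is admitted when (client AND netmask) == network for at
# least one active pair, as the comments in the file describe.

# Dotted quad -> integer on stdout; non-zero status on malformed input.
# Octets with leading zeros are rejected (the shell would read them as octal).
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*|0?*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# $1 = securenets file, $2 = client IP.
# Status 0 = admitted, 1 = not admitted, 2 = client address malformed.
securenets_allows() {
    client=$(ip_to_int "$2") || return 2
    while read -r mask net rest; do
        case $mask in ''|'#'*) continue ;; esac          # blank line or comment
        if [ "$mask" = host ]; then mask=255.255.255.255; fi
        m=$(ip_to_int "$mask") || continue               # skip malformed pairs
        n=$(ip_to_int "$net") || continue
        if [ $(( $client & $m )) -eq "$n" ]; then return 0; fi
    done < "$1"
    return 1
}

# Status 0 if an active "0.0.0.0 0.0.0.0" pair exists: it matches every client.
securenets_world_open() {
    while read -r mask net rest; do
        case $mask in ''|'#'*) continue ;; esac
        if [ "$mask" = 0.0.0.0 ] && [ "$net" = 0.0.0.0 ]; then return 0; fi
    done < "$1"
    return 1
}

# Constructed sample 1: the pairs of the file as edited on this page.
write_page_securenets() {
    cat > "$1" <<'EOF'
# Always allow access for localhost
255.0.0.0       127.0.0.0

# This line gives access to everybody. PLEASE ADJUST!
# 0.0.0.0               0.0.0.0
255.255.255.0           192.168.10.0
EOF
}

# Constructed sample 2: the same file with the "everybody" pair left active.
write_open_securenets() {
    cat > "$1" <<'EOF'
255.0.0.0       127.0.0.0
0.0.0.0         0.0.0.0
EOF
}

demo() {
    dir=$(mktemp -d) || return 1
    write_page_securenets "$dir/page"
    write_open_securenets "$dir/open"
    for f in page open; do
        if securenets_world_open "$dir/$f"; then echo "$f: open to every address"; fi
        for ip in 127.0.0.1 192.168.10.9 192.168.11.9 10.0.0.1; do
            if securenets_allows "$dir/$f" "$ip"; then verdict=admitted; else verdict=refused; fi
            echo "$f: $ip $verdict"
        done
    done
    rm -rf "$dir"
}
demo
```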

root@master:~# nano /var/yp/Makefile
# Should we merge the passwd file with the shadow file ?
# MERGE_PASSWD=true|false
MERGE_PASSWD=true

# Should we merge the group file with the gshadow file ?
# MERGE_GROUP=true|false
MERGE_GROUP=true

We build the NIS database

root@master:~# /usr/lib/yp/ypinit -m
At this point, we have to construct a list of the hosts which will run NIS
servers.  master.swl.fan is in the list of NIS server hosts.  Please continue to add
the names for the other hosts, one per line.  When you are done with the
list, type a <control D>.
        next host to add:  master.swl.fan
        next host to add:
The current list of NIS servers looks like this:

master.swl.fan

Is this correct?  [y/n: y]
We need a few minutes to build the databases...
make[1]: Leaving directory '/var/yp/swl.fan'

master.swl.fan has been set up as a NIS master server.

Now you can run ypinit -s master.swl.fan on all slave server.

root@master:~# systemctl restart nis
root@master:~# systemctl status nis

We add local users

root@master:~# adduser bilbo
Adding user `bilbo' ...
Adding new group `bilbo' (1001) ...
Adding new user `bilbo' (1001) with group `bilbo' ...
Creating home directory `/home/bilbo' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for bilbo
Enter the new value, or press ENTER for the default
        Full Name []: Bilbo Bagins
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [Y/n]

root@master:~# adduser strides
root@master:~# adduser legolas

and so on.

root@master:~# finger legolas
Login: legolas                          Name: Legolas Archer
Directory: /home/legolas                Shell: /bin/bash
Never logged in.
No mail.
No Plan.

We update the NIS database

root@master:/var/yp# make
make[1]: Entering directory '/var/yp/swl.fan'
Updating passwd.byname...
Updating passwd.byuid...
Updating group.byname...
Updating group.bygid...
Updating shadow.byname... Ignored -> merged with passwd
make[1]: Leaving directory '/var/yp/swl.fan'
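
With MERGE_PASSWD=true the shadow entries are folded into the passwd maps, as the "Ignored -> merged with passwd" line shows, so the password hashes travel with the map to every host admitted by /etc/ypserv.securenets. The script below is an added example, not part of the original article: it lists which entries of a passwd map carry a hash and under which scheme. The function names, the UIDs other than bilbo's, and the hash strings are constructed placeholders.

```sh
#!/bin/sh
# Added example (not the article's own code): report which entries of a NIS
# passwd map carry a password hash in field 2.

# Constructed sample: map lines as served when MERGE_PASSWD=true.
# The hash strings are fake placeholders, not real crypt(3) output.
write_merged_map() {
    cat > "$1" <<'EOF'
bilbo:$6$CONSTRUCTED$FAKEHASHFAKEHASHFAKEHASH:1001:1001:Bilbo Bagins,,,:/home/bilbo:/bin/bash
strides:$6$CONSTRUCTED$FAKEHASHFAKEHASHFAKEHASH:1002:1002:,,,:/home/strides:/bin/bash
legolas:$1$CONSTRUCTED$FAKEHASHFAKEHASH:1003:1003:Legolas Archer,,,:/home/legolas:/bin/bash
EOF
}

# Constructed sample: the same accounts when the maps are not merged ("x" in field 2).
write_unmerged_map() {
    cat > "$1" <<'EOF'
bilbo:x:1001:1001:Bilbo Bagins,,,:/home/bilbo:/bin/bash
strides:x:1002:1002:,,,:/home/strides:/bin/bash
legolas:x:1003:1003:Legolas Archer,,,:/home/legolas:/bin/bash
EOF
}

# $1 = file holding passwd-map lines. Prints "user scheme" per exposed hash.
exposed_hashes() {
    awk -F: '
        NF != 7 { next }                                   # not a passwd entry
        $2 == "" || $2 == "x" || $2 == "*" || $2 ~ /^!+$/ { next }   # no hash here
        {
            scheme = "des-or-other"
            if ($2 ~ /^\$1\$/)      scheme = "md5crypt"
            else if ($2 ~ /^\$5\$/) scheme = "sha256crypt"
            else if ($2 ~ /^\$6\$/) scheme = "sha512crypt"
            print $1, scheme
        }' "$1"
}

# Status 1 (and a summary line) when at least one hash is exposed, else status 0.
audit_map() {
    count=$(exposed_hashes "$1" | grep -c . || true)
    if [ "$count" -gt 0 ]; then
        echo "$count account(s) expose a password hash in the passwd map"
        return 1
    fi
    echo "no password hashes in the passwd map"
    return 0
}

demo() {
    dir=$(mktemp -d) || return 1
    write_merged_map "$dir/merged"
    write_unmerged_map "$dir/unmerged"
    echo "MERGE_PASSWD=true:";  exposed_hashes "$dir/merged";   audit_map "$dir/merged"   || true
    echo "MERGE_PASSWD=false:"; exposed_hashes "$dir/unmerged"; audit_map "$dir/unmerged" || true
    rm -rf "$dir"
}
demo
```

On a client of the domain, the same functions can be pointed at a file produced with `ypcat passwd`.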

We add NIS options to the isc-dhcp server

root@master:~# nano /etc/dhcp/dhcpd.conf
ddns-update-style interim;
ddns-updates on;
ddns-domainname "swl.fan.";
ddns-rev-domainname "in-addr.arpa.";
ignore client-updates;
update-optimization false;

authoritative;

option ip-forwarding off;
option domain-name "swl.fan";

include "/etc/dhcp/dhcp.key";

zone swl.fan. {
        primary 127.0.0.1;
        key dhcp-key;
}
zone 10.168.192.in-addr.arpa. {
        primary 127.0.0.1;
        key dhcp-key;
}

shared-network redlocal {
        subnet 192.168.10.0 netmask 255.255.255.0 {
                option routers 192.168.10.1;
                option subnet-mask 255.255.255.0;
                option broadcast-address 192.168.10.255;
                option domain-name-servers 192.168.10.5;
                option netbios-name-servers 192.168.10.5;
                option ntp-servers 192.168.10.5;
                option time-servers 192.168.10.5;
                option nis-domain "swl.fan";
                option nis-servers 192.168.10.5;
                range 192.168.10.30 192.168.10.250;
        }
}

root@master:~# dhcpd -t
root@master:~# systemctl restart isc-dhcp-server.service

NIS client installation

  • We start from a clean installation -without a graphical interface- of Debian 8 "Jessie".
root@mail:~# hostname -f
mail.swl.fan

root@mail:~# ip addr
2: eth0: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:… brd ff:ff:ff:ff:ff:ff
    inet 192.168.10.9/24 brd 192.168.10.255 scope global eth0

root@mail:~# aptitude install nis
root@mail:~# nano /etc/yp.conf
#
# yp.conf       Configuration file for the ypbind process. You can define
#               NIS servers manually here if they can't be found by
#               broadcasting on the local net (which is the default).
#
#               See the manual page of ypbind for the syntax of this file.
#
# IMPORTANT:    For the "ypserver", use IP addresses, or make sure that
#               the host is in /etc/hosts. This file is only interpreted
#               once, and if DNS isn't reachable yet the ypserver cannot
#               be resolved and ypbind won't ever bind to the server.

# ypserver ypserver.network.com
ypserver master.swl.fan
domain swl.fan

root@mail:~# nano /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat nis
group:          compat nis
shadow:         compat nis
gshadow:        files

hosts:          files dns nis
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

root@mail:~# nano /etc/pam.d/common-session
# pam-auth-update(8) for details.
session optional pam_mkhomedir.so skel=/etc/skel umask=077
# here are the per-package modules (the "Primary" block)

root@mail:~# systemctl status nis
root@mail:~# systemctl restart nis

We close the session and start a new one, this time as a user registered in the NIS database on master.swl.fan.

root@mail:~# exit
logout
Connection to mail closed.

buzz@sysadmin:~$ ssh legolas@mail
legolas@mail's password:
Creating directory '/home/legolas'.

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
legolas@mail:~$ pwd
/home/legolas
legolas@mail:~$

We change the password of the user legolas and check

legolas@mail:~$ yppasswd
Changing NIS account information for legolas on master.swl.fan.
Please enter old password: legolas
Changing NIS password for legolas on master.swl.fan.
Please enter new password: arquero
The password must have both upper and lowercase letters, or non-letters.
Please enter new password: Arquero2017
Please retype new password: Arquero2017

The NIS password has been changed on master.swl.fan.

legolas@mail:~$ exit
logout
Connection to mail closed.

buzz@sysadmin:~$ ssh legolas@mail
legolas@mail's password: Arquero2017

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat May 27 12:51:50 2017 from sysadmin.swl.fan
legolas@mail:~$

The NIS service implemented at server and client level works correctly.

LDAP

From Wikipedia:

  • LDAP is the acronym for Lightweight Directory Access Protocol, which refers to an application-level protocol that allows access to an ordered and distributed directory service in order to look up assorted information in a network environment. LDAP is also considered a database (although its storage system may be different) that can be queried. A directory is a set of objects with attributes organized in a logical and hierarchical manner. The most common example is the telephone directory, which consists of a series of names (people or organizations) arranged alphabetically, with each name having an address and a telephone number attached to it. To understand it better, it is a book or folder in which the names of people, their telephone numbers and their addresses are written, arranged alphabetically.

    An LDAP directory tree sometimes reflects political, geographic or organizational boundaries, depending on the model chosen. Current LDAP deployments tend to use Domain Name System (DNS) names to structure the top levels of the hierarchy. Further down the directory, entries may appear that represent people, organizational units, printers, documents, groups of people, or anything else that represents a given entry in the tree (or multiple entries).

    Usually it stores authentication information (user and password) and is used to authenticate, although it is possible to store other information (user contact data, location of various network resources, permissions, certificates, etc.). In short, LDAP is a unified access protocol to a set of information on a network.

    The current version is LDAPv3, and it is defined in RFC 2251 and RFC 2256 (LDAP base document), RFC 2829 (authentication method for LDAP), RFC 2830 (extension for TLS), and RFC 3377 (technical specification).

For a long time, the LDAP protocol, with databases that may or may not be compatible with OpenLDAP, has been the one most used in the majority of today's authentication systems. As an example of that statement, here are some names of systems, Free or Private, that use LDAP databases as the backend to store all their objects:

  • OpenLDAP
  • Apache Directory Server
  • Red Hat Directory Server - 389 DS
  • Novell Directory Services - eDirectory
  • SUN Microsystems Open DS
  • Red Hat Identity Manager
  • FreeIPA
  • Samba NT4 Classic Domain Controller.
    We want to make clear that this system was a development of Team Samba with Samba 3.xxx + OpenLDAP as backend. Microsoft never implemented anything similar. It jumped from NT 4 Domain Controllers to its Active Directories
  • Samba 4 Active Directory - Domain Controller
  • KYAUTA
  • Zentyal
  • UCS Univention Corporate Server
  • Microsoft Active Directory

Each implementation has its own characteristics, and the most standard and compatible one is OpenLDAP.

Active Directory, whether the original from Microsoft or the one from Samba 4, is a union of several main components, which are:

Let us not confuse a Directory Service with an Active Directory. The former may or may not host Kerberos authentication, but it does not offer the Microsoft Network service that a Windows Domain provides, nor does it have a Windows Domain Controller as such.

A Directory Service can be used to authenticate users in a mixed network with UNIX/Linux and Windows clients. For the latter, a program must be installed on each client to act as an intermediary between the Directory Service and the Windows client itself, such as the Free Software pGina.

Directory Service with OpenLDAP

  • We start from a clean installation, without a graphical interface, of Debian 8 "Jessie", with the same machine name "master" used for the NIS installation, as well as the same configuration of its network interface and of the /etc/resolv.conf file. On this new server we install ntp, bind9 and isc-dhcp-server, without forgetting the overall check that these three services work correctly.
root@master:~# aptitude install slapd ldap-utils

Package configuration

Configuring slapd
Enter the password for the administrator entry of the LDAP directory.
Administrator password: ********

We check the initial configuration

root@master:~# slapcat
dn: dc=swl,dc=fan
objectClass: top
modifiersName: cn=admin,dc=swl,dc=fan

dn: cn=admin,dc=swl,dc=fan
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e1NTSEF9emJNSFU1R3l2OWVEN0pmTmlYOVhKSUF4ekY1bU9YQXc=
structuralObjectClass: organizationalRole
modifiersName: cn=admin,dc=swl,dc=fan

We edit the file /etc/ldap/ldap.conf

root@master:~# nano /etc/ldap/ldap.conf
BASE    dc=swl,dc=fan
URI     ldap://localhost

Organizational Units and the general group «usuarios»

We add the minimum necessary Organizational Units, as well as the Posix group «usuarios», of which we will make every user a member, following the example of many systems that have a «users» group. We name it «usuarios» so as not to run into possible conflicts with the system group «users».

root@master:~# nano base.ldif
dn: ou=people,dc=swl,dc=fan
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=swl,dc=fan
objectClass: organizationalUnit
ou: groups

dn: cn=usuarios,ou=groups,dc=swl,dc=fan
objectClass: posixGroup
cn: usuarios
gidNumber: 10000

root@master:~# ldapadd -x -D cn=admin,dc=swl,dc=fan -W -f base.ldif
Enter LDAP Password:
adding new entry "ou=people,dc=swl,dc=fan"
adding new entry "ou=groups,dc=swl,dc=fan"

We check the added entries

root@master:~# ldapsearch -x ou=people
# people, swl.fan
dn: ou=people,dc=swl,dc=fan
objectClass: organizationalUnit
ou: people

root@master:~# ldapsearch -x ou=groups
# groups, swl.fan
dn: ou=groups,dc=swl,dc=fan
objectClass: organizationalUnit
ou: groups

root@master:~# ldapsearch -x cn=usuarios
# usuarios, groups, swl.fan
dn: cn=usuarios,ou=groups,dc=swl,dc=fan
objectClass: posixGroup
cn: usuarios
gidNumber: 10000

We add several users

The password that we must declare in LDAP has to be obtained with the slappasswd command, which returns the password in SSHA form.

Password for the user strides:

root@master:~# slappasswd
New password:
Re-enter new password:
{SSHA}Fn8Juihsr137u8KnxGTNPmnV8ai//0lp

Password for the user legolas

root@master:~# slappasswd
New password:
Re-enter new password:
{SSHA}rC50/W3kBmmDd+8+0Lz70vkGEu34tXmD

Password for the user gandalf

root@master:~# slappasswd
New password:
Re-enter new password:
{SSHA}oIVFelqv8WIxJ40r12lnh3bp+SXGbV+u

root@master:~# nano usuarios.ldif
dn: uid=strides,ou=people,dc=swl,dc=fan
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: strides
cn: strides
givenName: Strides
sn: El Rey
userPassword: {SSHA}Fn8Juihsr137u8KnxGTNPmnV8ai//0lp
uidNumber: 10000
gidNumber: 10000
mail: striders@swl.fan
gecos: Strider El Rey
loginShell: /bin/bash
homeDirectory: /home/strider

dn: uid=legolas,ou=people,dc=swl,dc=fan
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: legolas
cn: legolas
givenName: Legolas
sn: Archer
userPassword: {SSHA}rC50/W3kBmmDd+8+0Lz70vkGEu34tXmD
uidNumber: 10001
gidNumber: 10000
mail: legolas@swl.fan
gecos: Legolas Archer
loginShell: /bin/bash
homeDirectory: /home/legolas

dn: uid=gandalf,ou=people,dc=swl,dc=fan
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: gandalf
cn: gandalf
givenName: Gandalf
sn: Wizard
userPassword: {SSHA}oIVFelqv8WIxJ40r12lnh3bp+SXGbV+u
uidNumber: 10002
gidNumber: 10000
mail: gandalf@swl.fan
gecos: Gandalf The Wizard
loginShell: /bin/bash
homeDirectory: /home/gandalf

root@master:~# ldapadd -x -D cn=admin,dc=swl,dc=fan -W -f usuarios.ldif
Enter LDAP Password:
adding new entry "uid=strides,ou=people,dc=swl,dc=fan"
adding new entry "uid=legolas,ou=people,dc=swl,dc=fan"
adding new entry "uid=gandalf,ou=people,dc=swl,dc=fan"

We check the added entries

root@master:~# ldapsearch -x cn=strides
root@master:~# ldapsearch -x uid=strides

We manage the slapd database with console utilities

We choose the ldapscripts package for this task. The installation and configuration procedure is as follows:

root@master:~# aptitude install ldapscripts

root@master:~# mv /etc/ldapscripts/ldapscripts.conf \
/etc/ldapscripts/ldapscripts.conf.original

root@master:~# nano /etc/ldapscripts/ldapscripts.conf
SERVER=localhost
BINDDN='cn=admin,dc=swl,dc=fan'
BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd"
SUFFIX='dc=swl,dc=fan'
GSUFFIX='ou=groups'
USUFFIX='ou=people'
#MSUFFIX='ou=Computers'
GIDSTART=10001
UIDSTART=10003
#MIDSTART=10000
# OpenLDAP client commands
LDAPSEARCHBIN="/usr/bin/ldapsearch"
LDAPADDBIN="/usr/bin/ldapadd"
LDAPDELETEBIN="/usr/bin/ldapdelete"
LDAPMODIFYBIN="/usr/bin/ldapmodify"
LDAPMODRDNBIN="/usr/bin/ldapmodrdn"
LDAPPASSWDBIN="/usr/bin/ldappasswd"
GCLASS="posixGroup"
# UTEMPLATE="/etc/ldapscripts/ldapadduser.template"
PASSWORDGEN="echo %u"

Note that the scripts use the commands of the ldap-utils package. Run dpkg -L ldap-utils | grep /bin to see which ones they are.

root@master:~# sh -c "echo -n 'admin-password' > \
/etc/ldapscripts/ldapscripts.passwd"

root@master:~# chmod 400 /etc/ldapscripts/ldapscripts.passwd

root@master:~# cp /usr/share/doc/ldapscripts/examples/ldapadduser.template.sample \
/etc/ldapscripts/ldapadduser.template

root@master:~# nano /etc/ldapscripts/ldapadduser.template
dn: uid=<user>,<usuffix>,<suffix>
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: <user>
cn: <user>
givenName: <ask>
sn: <ask>
displayName: <ask>
uidNumber: <uid>
gidNumber: 10000
homeDirectory: <home>
loginShell: <shell>
mail: <user>@swl.fan
gecos: <user>
description: User Account

root@master:~# nano /etc/ldapscripts/ldapscripts.conf
## we uncomment
UTEMPLATE="/etc/ldapscripts/ldapadduser.template"

We add the user "bilbo" and make it a member of the "usuarios" group

root@master:~# ldapadduser bilbo usuarios
[dn: uid=bilbo,ou=people,dc=swl,dc=fan] Enter value for "givenName": Bilbo
[dn: uid=bilbo,ou=people,dc=swl,dc=fan] Enter value for "sn": Bagins
[dn: uid=bilbo,ou=people,dc=swl,dc=fan] Enter value for "displayName": Bilbo Bagins
Successfully added user bilbo to LDAP
Successfully set password for user bilbo

root@master:~# ldapsearch -x uid=bilbo
# bilbo, people, swl.fan
dn: uid=bilbo,ou=people,dc=swl,dc=fan
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: bilbo
cn: bilbo
givenName: Bilbo
sn: Bagins
displayName: Bilbo Bagins
uidNumber: 10003
gidNumber: 10000
homeDirectory: /home/bilbo
loginShell: /bin/bash
mail: bilbo@swl.fan
gecos: bilbo
description: User Account

To see the password of the user bilbo, the query must be run with authentication:

root@master:~# ldapsearch -x -D cn=admin,dc=swl,dc=fan -W uid=bilbo

To delete the user bilbo we run:

root@master:~# ldapdelete -x -D cn=admin,dc=swl,dc=fan -W uid=bilbo,ou=people,dc=swl,dc=fan
Enter LDAP Password:

root@master:~# ldapsearch -x uid=bilbo

We manage the slapd database through a web interface

We have a working Directory Service, and we want to manage it more easily. There are many programs designed for this task, such as safinnda, LDAP manager, etc., which are available directly from the repositories. We can also manage a Directory Service with Apache Directory Studio, which we must download from the Internet.

For more information, please visit https://blog.desdelinux.net/ldap-introduccion/, and the 6 articles that follow it.

LDAP client

Scenario:

Let's say we have the machine mail.swl.fan as a mail server, implemented as we saw in the article Postfix + Dovecot + Squirrelmail and local users, which, although developed on CentOS, can serve as a guide for Debian and many other Linux distros. We want it to serve, besides the local users we have already declared, the users stored in the OpenLDAP database on master.swl.fan. To achieve this we must «map» the LDAP users as local users on the server mail.swl.fan. This solution is valid for any service based on PAM authentication. The general procedure for Debian is the following:

root@mail:~# aptitude install libnss-ldap libpam-ldap ldap-utils

Configuring libnss-ldap

  • LDAP server URI: ldap://master.swl.fan
    Enter the URI ("Uniform Resource Identifier") of the LDAP server. The string is similar to «ldap://<hostname or IP>:<port>/». You can also use «ldaps://» or «ldapi://». The port number is optional. Using an IP address is recommended, to avoid failures when domain name services are not available.
  • Distinguished name (DN) of the search base: dc=swl,dc=fan
    Enter the distinguished name (DN) of the LDAP search base. Many sites use the components of their domain name for this purpose. For example, the domain "example.net" would use "dc=example,dc=net" as the distinguished name of the search base.
  • LDAP version to use: 3 (offered: 3, 2)
    Enter the version of the LDAP protocol that ldapns should use. Using the highest available version number is recommended.
  • LDAP account for root: cn=admin,dc=swl,dc=fan
    Choose which account will be used for nss queries made with root privileges. Note: for this option to work, the account needs permission to access the LDAP attributes associated with the users' "shadow" entries and with the user and group passwords.
  • LDAP root account password: ********
    Enter the password to be used when libnss-ldap tries to authenticate to the LDAP directory with the root LDAP account. The password will be stored in a separate file ("/etc/libnss-ldap.secret") that only root can access. If you enter an empty password, the old password will be reused.
  • nsswitch.conf not managed automatically
    You must edit your "/etc/nsswitch.conf" file to use an LDAP data source if you want the libnss-ldap package to work. You can use the example file in "/usr/share/doc/libnss-ldap/examples/nsswitch.ldap" as an example of the nsswitch configuration, or you can copy it over your current configuration. Note that before removing this package it may be advisable to remove the "ldap" entries from the nsswitch.conf file so that basic services keep working.

Configuring libpam-ldap

  • Allow the LDAP admin account to behave like the local root?
    This option allows the password tools that use PAM to change local passwords. The password for the LDAP admin account will be stored in a separate file that only the administrator can read. This option should be disabled if "/etc" is mounted via NFS.
  • Does the LDAP database require login?
    Choose whether the LDAP server enforces identification before entries can be retrieved. This setting is seldom needed.
  • LDAP administrator account: cn=admin,dc=swl,dc=fan
    Enter the name of the LDAP administrator account. This account will be used automatically for database management, so it must have the appropriate administrative privileges.
  • LDAP administrator password: ********
    Enter the password for the administrator account. The password will be stored in the file "/etc/pam_ldap.secret". Only the administrator will be able to read this file, and it will allow libpam-ldap to manage connections to the database automatically. If you leave this field empty, the previous password will be reused.

root@mail:~# nano /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

Let's edit the file /etc/pam.d/common-password, go to line 26 and remove the value «use_authtok»:

root@mail:~# nano /etc/pam.d/common-password
#
# /etc/pam.d/common-password - password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
# used to change user passwords.  The default is pam_unix.

# Explanation of pam_unix options:
#
# The "sha512" option enables salted SHA512 passwords.  Without this option,
# the default is Unix crypt.  Prior releases used the option "md5".
#
# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
# login.defs.
#
# See the pam_unix manpage for other options.

# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
password        [success=2 default=ignore]      pam_unix.so obscure sha512
password        [success=1 user_unknown=ignore default=die]     pam_ldap.so try_first_pass
# here's the fallback if no module succeeds
password        requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password        required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config

If we need local logins for the users stored in LDAP, and we want their home directories to be created automatically, we must edit the file /etc/pam.d/common-session and add the following line at the end of the file:

session optional pam_mkhomedir.so skel=/etc/skel umask=077

In the OpenLDAP Directory Service example developed earlier, the only local user created was the user buzz, while in LDAP we created the users strides, legolas, gandalf and bilbo. If the configuration made so far is correct, we should be able to list the local users and those mapped as local but stored on the remote LDAP server:

root@mail:~# getent passwd
buzz:x:1001:1001:Buzz Debian First OS,,,:/home/buzz:/bin/bash
strides:x:10000:10000:Strides El Rey:/home/strider:/bin/bash
legolas:x:10001:10000:Legolas Archer:/home/legolas:/bin/bash
gandalf:x:10002:10000:Gandalf The Wizard:/home/gandalf:/bin/bash
bilbo:x:10003:10000:bilbo:/home/bilbo:/bin/bash

After the changes to the authentication system, it is reasonable to restart the server, provided we are not dealing with a critical service:

root@mail:~# reboot

Afterwards we start a local session on the server mail.swl.fan with the credentials of a user stored in the LDAP database on master.swl.fan. We can also test the login via SSH.

buzz@sysadmin:~$ ssh gandalf@mail
gandalf@mail's password:
Creating directory '/home/gandalf'.

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
gandalf@mail:~$ su
Contraseña:

root@mail:/home/gandalf# getent group
buzz:x:1001:
usuarios:*:10000:

root@mail:/home/gandalf# exit
exit

gandalf@mail:~$ ls -l /home/
total 8
drwxr-xr-x 2 buzz    buzz     4096 Jun 17 12:25 buzz
drwx------ 2 gandalf usuarios 4096 Jun 17 13:05 gandalf

The Directory Service implemented at server and client level works correctly.
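
How the password stack edited above in /etc/pam.d/common-password decides between local and LDAP accounts, as an added example (not code from the original article). It is a simplified model of the bracketed control syntax; the per-module return values fed to it are constructed assumptions, and the names parse_stack and run_stack are illustrative.

```python
import re
from typing import Dict, List, Tuple

# The four active lines of the password stack shown in the article.
COMMON_PASSWORD = """\
# here are the per-package modules (the "Primary" block)
password [success=2 default=ignore] pam_unix.so obscure sha512
password [success=1 user_unknown=ignore default=die] pam_ldap.so try_first_pass
# here's the fallback if no module succeeds
password requisite pam_deny.so
password required pam_permit.so
"""

# Keyword controls written in the bracket syntax, as documented in pam.conf(5).
KEYWORDS = {
    "required": "success=ok new_authtok_reqd=ok ignore=ignore default=bad",
    "requisite": "success=ok new_authtok_reqd=ok ignore=ignore default=die",
    "optional": "success=ok new_authtok_reqd=ok default=ignore",
}

RULE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)")
Stack = List[Tuple[str, Dict[str, str]]]

# Modules whose result never depends on the user (assumed return names).
FIXED = {"pam_deny.so": "authtok_err", "pam_permit.so": "success"}


def parse_stack(text: str) -> Stack:
    """Turn PAM config lines into (module, {return value: action}) pairs."""
    stack: Stack = []
    for line in text.splitlines():
        match = RULE.match(line.split("#", 1)[0].strip())
        if not match:
            continue
        control, module = match.group(2), match.group(3)
        spec = control[1:-1] if control.startswith("[") else KEYWORDS[control]
        stack.append((module, dict(item.split("=", 1) for item in spec.split())))
    return stack


def run_stack(stack: Stack, results: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Walk the stack; return (allowed, trace of what each module did)."""
    outcome = dict(FIXED)
    outcome.update(results)
    status = None  # None: no module has set a result yet
    skip = 0
    trace: List[str] = []
    for module, actions in stack:
        if skip:
            skip -= 1
            trace.append(module + ": skipped")
            continue
        ret = outcome.get(module, "success")
        action = actions.get(ret, actions.get("default", "bad"))
        trace.append("%s: %s -> %s" % (module, ret, action))
        if action.isdigit():
            # Jump over the next N modules. Modelled as not setting a result,
            # which is why the file primes the stack with pam_permit.
            skip = int(action)
        elif action == "ok":
            if status is None:  # "ok" never overrides an earlier failure
                status = True
        elif action == "bad":
            status = False
        elif action == "die":
            status = False
            break
        elif action != "ignore":
            raise ValueError("unsupported action: " + action)
    return status is True, trace


if __name__ == "__main__":
    stack = parse_stack(COMMON_PASSWORD)
    cases = {
        "local user": {"pam_unix.so": "success"},
        "LDAP user": {"pam_unix.so": "user_unknown", "pam_ldap.so": "success"},
        "unknown user": {"pam_unix.so": "user_unknown", "pam_ldap.so": "user_unknown"},
        "LDAP error": {"pam_unix.so": "user_unknown", "pam_ldap.so": "authtok_err"},
    }
    for name, results in cases.items():
        allowed, trace = run_stack(stack, results)
        print(name, "->", "allowed" if allowed else "denied")
        for step in trace:
            print("   ", step)
```

The jump counts are positional: inserting or deleting a line between pam_unix.so and pam_permit.so without adjusting success=2 and success=1 changes which module a successful change lands on.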

Kerberos

From Wikipedia:

  • Kerberos is a computer network authentication protocol created by MIT that allows two computers on an insecure network to prove their identity to each other in a secure manner. Its designers first focused on a client-server model, and it provides mutual authentication: both the client and the server verify each other's identity. Authentication messages are protected to prevent eavesdropping and replay attacks.

    Kerberos is based on symmetric key cryptography and requires a trusted third party. In addition, there are extensions to the protocol that make it possible to use asymmetric key cryptography.

    Kerberos is based on the Needham-Schroeder Protocol. It uses a trusted third party, called the "Key Distribution Center" (KDC), which consists of two separate logical parts: an "Authentication Server" (AS) and a "Ticket Granting Server" (TGS). Kerberos works on the basis of "tickets", which serve to prove the identity of users.

    Kerberos maintains a database of secret keys; each entity on the network, whether client or server, shares a secret key known only to itself and to Kerberos. Knowledge of this key serves to prove the identity of the entity. For communication between two entities, Kerberos generates a session key, which they can use to secure their interactions.

Disadvantages of Kerberos

From EcuRed:

Although Kerberos removes a common security threat, it is difficult to implement for a variety of reasons:

  • Migrating user passwords from a standard UNIX password database, such as /etc/passwd or /etc/shadow, to a Kerberos password database can be tedious, and there is no quick mechanism to carry out this task.
  • Kerberos assumes that each user is trusted but is using an untrusted machine on an untrusted network. Its main goal is to prevent unencrypted passwords from being sent across the network. However, if any user other than the proper one has access to the machine that issues the tickets used for authentication (the KDC), Kerberos is at risk.
  • For an application to use Kerberos, its code must be modified to make the appropriate calls to the Kerberos libraries. Applications modified in this way are considered kerberized. For some applications this can be an excessive programming effort, because of the size of the application or its design. For other incompatible applications, changes must be made to the way the network server and its clients communicate; again, this can take a fair amount of programming. In general, closed-source applications without Kerberos support are usually the most problematic.
  • Finally, if you decide to use Kerberos on your network, you must realize that it is an all-or-nothing choice. If you decide to use Kerberos on your network, you must remember that if any password is passed to a service that does not use Kerberos to authenticate, you run the risk that the packet may be intercepted. In that case, your network gains no benefit from using Kerberos. To secure your network with Kerberos, you must either use kerberized versions of all the client/server applications that send unencrypted passwords, or not use any of those applications on the network.

Implementing and configuring a Kerberos back-end by hand is not a simple task. However, later we will see that the Samba 4 Active Directory - Domain Controller integrates, in a way that is transparent to the Sysadmin, a DNS server, the Microsoft Network and its Domain Controller, the LDAP server as back-end of almost all its objects, and the Kerberos-based authentication service, as the fundamental components of a Microsoft-style Active Directory.

To date we have not had the need to implement a "Kerberized network". That is why we do not write about how to implement Kerberos.

Samba 4 Active Directory - Domain Controller

Important:

There is no better documentation than the site wiki.samba.org. A self-respecting Sysadmin should visit that site, in English, and browse the large number of pages dedicated entirely to Samba 4, written by Team Samba itself. I do not believe there is any documentation available on the Internet that can replace it. By the way, note the number of visits shown at the bottom of each page. An example of this is that its main page or «Main Page» had been visited 276,183 times as of today, June 20, 2017, at 10:10 a.m. Eastern time. In addition, the documentation is kept very up to date, since that page was modified on June 6.

From Wikipedia:

Samba is a free implementation of the Microsoft Windows file-sharing protocol (formerly called SMB, later renamed CIFS) for UNIX-like systems. In this way, computers with GNU/Linux, Mac OS X or Unix in general can look like servers or act as clients in Windows networks. Samba also makes it possible to validate users by acting as a Primary Domain Controller (PDC), as a domain member and even as an Active Directory domain for Windows-based networks, apart from being able to serve print queues and shared directories and to authenticate with its own user archive.

Among the Unix-like systems on which Samba can run are the GNU/Linux distributions, Solaris and the different BSD variants, among which we can find Apple's Mac OS X Server.

Samba 4 AD-DC with its own DNS

  • We start from a clean installation, without a graphical interface, of Debian 8 "Jessie".

Initial checks

root@master:~# hostname
master
root@master:~# hostname --fqdn
master.swl.fan
root@master:~# ip addr
1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 1000
    link/ether 00:0c:29:80:3b:3f brd ff:ff:ff:ff:ff:ff
    inet 192.168.10.5/24 brd 192.168.10.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe80:3b3f/64 scope link
       valid_lft forever preferred_lft forever
root@master:~# cat /etc/resolv.conf
search swl.fan
nameserver 127.0.0.1
  • With it we declare only the main branch, which is more than enough for our purposes.
root@master:~# cat /etc/apt/sources.list
deb http://192.168.10.1/repos/jessie-8.6/debian/ jessie main
deb http://192.168.10.1/repos/jessie-8.6/debian/security/ jessie/updates main

Postfix in place of Exim, plus utilities

root@master:~# aptitude install postfix htop mc deborphan

  Postfix Configuration
  Please select the mail server configuration type that best meets your needs.

   No configuration:
    Keeps the current configuration unchanged.
   Internet site:
    Mail is sent and received directly using SMTP.
   Internet with smarthost:
    Mail is received directly using SMTP or by running a utility such as
    "fetchmail". Outgoing mail is sent using a "smarthost".
   Local only:
    The only delivered mail is the mail for local users. There is no network.

  General type of mail configuration:
    No configuration
    Internet Site
    Internet with smarthost
    Satellite system
    Local only

  Postfix Configuration
  The "mail name" is the domain name used to "qualify" _ALL_ mail addresses
  without a domain name. This includes mail to and from "root": please do not
  make your machine send out mail from root@example.org unless
  root@example.org has told you to.

  Other programs will use this name. It should be the single, fully
  qualified domain name (FQDN).

  Thus, if a mail address on the local host is something@example.org, the
  correct value for this option would be example.org.

  System mail name:
  master.swl.fan

We clean up

root@master:~# aptitude purge ~c
root@master:~# aptitude install -f
root@master:~# aptitude clean
root@master:~# aptitude autoclean

We install the requirements for compiling Samba 4 and other necessary packages

root@master:~# aptitude install acl attr autoconf bison \
build-essential debhelper dnsutils docbook-xml docbook-xsl flex gdb \
krb5-user libacl1-dev libaio-dev libattr1-dev libblkid-dev libbsd-dev \
libcap-dev libcups2-dev libgnutls28-dev libjson-perl \
libldap2-dev libncurses5-dev libpam0g-dev libparse-yapp-perl \
libpopt-dev libreadline-dev perl perl-modules pkg-config \
python-all-dev python-dev python-dnspython python-crypto \
xsltproc zlib1g-dev libgpgme11-dev python-gpgme python-m2crypto \
libgnutls28-dbg gnutls-dev ldap-utils krb5-config

  Configuring Kerberos Authentication
  When users attempt to use Kerberos and specify a principal or user name
  without specifying what administrative Kerberos realm that principal
  belongs to, the system appends the default realm. The default realm may
  also be used as the realm of a Kerberos service running on the local
  machine. Often, the default realm is the uppercase version of the local
  DNS domain.

  Default Kerberos version 5 realm:
  SWL.FAN

  Configuring Kerberos Authentication
  Enter the hostnames of Kerberos servers in the SWL.FAN Kerberos realm,
  separated by spaces.

  Kerberos servers for your realm:
  master.swl.fan

  Configuring Kerberos Authentication
  Enter the hostname of the administrative (password changing) server for
  the SWL.FAN Kerberos realm.

The process above took a little while because we do not yet have any DNS service installed. However, the domain was chosen correctly thanks to the settings in the /etc/hosts file. Remember that in the /etc/resolv.conf file we declared the IP 127.0.0.1 as the domain name server.

Now we configure the /etc/ldap/ldap.conf file

root@master:~# nano /etc/ldap/ldap.conf
BASE dc=swl,dc=fan
URI ldap://master.swl.fan

For queries made with the ldapsearch command as the root user to be of the form ldapsearch -x -W cn=xxxx, we must create the /root/.ldaprc file with the following content:

root@master:~# nano .ldaprc
BINDDN CN=Administrator,CN=Users,DC=swl,DC=fan

The file system must support ACLs (Access Control Lists)

root@master:~# nano /etc/fstab
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
#
# / was on /dev/sda1 during installation
UUID=33acb024-291b-4767-b6f4-cf207a71060c / ext4 user_xattr,acl,barrier=1,noatime,errors=remount-ro 0 1
# swap was on /dev/sda5 during installation
UUID=cb73228a-615d-4804-9877-3ec225e3ae32 none swap sw 0 0
/dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0

root@master:~# mount -a

root@master:~# touch testing_acl.txt
root@master:~# setfattr -n user.test -v test testing_acl.txt
root@master:~# setfattr -n security.test -v test2 testing_acl.txt
root@master:~# getfattr -d testing_acl.txt
# file: testing_acl.txt
user.test="test"

root@master:~# getfattr -n security.test -d testing_acl.txt
# file: testing_acl.txt
security.test="test2"

root@master:~# setfacl -m g:adm:rwx testing_acl.txt

root@master:~# getfacl testing_acl.txt
# file: testing_acl.txt
# owner: root
# group: root
user::rw-
group::r--
group:adm:rwx
mask::rwx
other::r--

We obtain the Samba 4 sources, compile them and install

It is strongly recommended to download the source file of the stable version from the site https://www.samba.org/. In our example we download the samba-4.5.1.tar.gz version to the /opt folder.

root@master:~# cd /opt
root@master:/opt# wget https://download.samba.org/pub/samba/stable/samba-4.5.1.tar.gz
root@master:/opt# tar xvfz samba-4.5.1.tar.gz
root@master:/opt# cd samba-4.5.1/

Configuration options

If we want to customize the configuration options, we run:

root@master:/opt/samba-4.5.1# ./configure --help

and select, with great care, the ones we need. It is advisable to check whether the downloaded package can be installed on the Linux distribution we are using, which in our case is Debian 8.6 Jessie:

root@master:/opt/samba-4.5.1# ./configure distcheck

We configure, compile and install samba-4.5.1

  • From the requirements installed earlier and the 8604 files (which make up the compact samba-4.5.1.tar.gz) weighing about 101.7 megabytes, including the source3 and source4 folders that weigh about 61.1 megabytes, we will obtain a substitute for a Microsoft-style Active Directory, of quality and stability more than acceptable for any production environment. We must highlight the work of Team Samba in delivering the Free Software Samba 4.

The commands below are the classic ones for compiling and installing packages from their sources. We must be patient while the whole process runs. It is the only way to obtain valid and correct results.

root@master:/opt/samba-4.5.1# ./configure --with-systemd --disable-cups
root@master:/opt/samba-4.5.1# make
root@master:/opt/samba-4.5.1# make install

While the make command runs, we can see that the Samba 3 and Samba 4 sources are both compiled. That is why Team Samba states that version 4 is the natural update of version 3, both for Domain Controllers based on Samba 3 + OpenLDAP and for file servers, or for older versions of Samba 4.

Provisioning Samba

We will use SAMBA_INTERNAL as the DNS backend. At https://wiki.samba.org/index.php?title=Samba_Internal_DNS_Back_End we will find more information. When we are asked for the Administrator user's password, we must type one with a minimum length of 8 characters that also contains letters, uppercase and lowercase, and numbers.

Before continuing with the provisioning, and to make life easier, we add the path of the Samba executables to our .bashrc file, then log out and log back in.

root@master:~# nano .bashrc
# ~/.bashrc: executed by bash(1) for non-login shells.

# Note: PS1 and umask are already set in /etc/profile. You should not
# need this unless you want different defaults for root.
# PS1='${debian_chroot:+($debian_chroot)}\h:\w\$ '
# umask 022

# You may uncomment the following lines if you want `ls' to be colorized:
# export LS_OPTIONS='--color=auto'
# eval "`dircolors`"
# alias ls='ls $LS_OPTIONS'
# alias ll='ls $LS_OPTIONS -l'
# alias l='ls $LS_OPTIONS -lA'
#
# Some more alias to avoid making mistakes:
# alias rm='rm -i'
# alias cp='cp -i'
# alias mv='mv -i'

declare -x PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:\
/sbin:/bin:/usr/local/samba/sbin:/usr/local/samba/bin"

root@master:~# exit
logout
Connection to master closed.
xeon@sysadmin:~$ ssh root@master

root@master:~# samba-tool domain provision --use-rfc2307 --interactive
Realm [SWL.FAN]: SWL.FAN
 Domain [SWL]: SWL
 Server Role (dc, member, standalone) [dc]: dc
 DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: SAMBA_INTERNAL
 DNS forwarder IP address (write 'none' to disable forwarding) [192.168.10.5]: 8.8.8.8
Administrator password: YourPassword2017
Retype password: YourPassword2017
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=swl,DC=fan
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=swl,DC=fan
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Setting up fake yp server settings
Once the above files are installed, your Samba4 server will be ready to use
Server Role:           active directory domain controller
Hostname:              master
NetBIOS Domain:        SWL
DNS Domain:            swl.fan
DOMAIN SID:            S-1-5-21-32182636-2892912266-1582980556

Let us not forget to copy the Kerberos configuration file, as indicated in the provisioning output:

root@master:~# cp /usr/local/samba/private/krb5.conf /etc/krb5.conf

To avoid typing the samba-tool command with its full name, we create a symbolic link with the short name tool:

root@master:~# ln -s /usr/local/samba/bin/samba-tool /usr/local/samba/bin/tool

We install NTP

A fundamental piece of an Active Directory is the network time service. Since authentication is carried out through Kerberos and its tickets, time synchronization with the Samba 4 AD-DC is vital.

root@master:~# aptitude install ntp
root@master:~# mv /etc/ntp.conf /etc/ntp.conf.original

root@master:~# nano /etc/ntp.conf
driftfile /var/lib/ntp/ntp.drift
ntpsigndsocket /usr/local/samba/var/lib/ntp_signd
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
server 192.168.10.1
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
restrict default mssntp
restrict 127.0.0.1
restrict ::1
broadcast 192.168.10.255

root@master:~# service ntp restart
root@master:~# service ntp status

root@master:~# tail -f /var/log/syslog

If, when examining the syslog with the command above or with journalctl -f, we get the message:

Jun 19 12:13:21 master ntpd_intres[1498]: parent died before we finished, exiting

we must restart the service and try again. Now we create the ntp_signd folder:

root@master:~# ls -ld /usr/local/samba/var/lib/ntp_signd
ls: cannot access /usr/local/samba/var/lib/ntp_signd: No such file or directory

root@master:~# mkdir /usr/local/samba/var/lib/ntp_signd
root@master:~# chown root:ntp /usr/local/samba/var/lib/ntp_signd/
root@master:~# chmod 750 /usr/local/samba/var/lib/ntp_signd/
root@master:~# chmod g-s,g+x /usr/local/samba/var/lib/ntp_signd/

# As requested on samba.wiki.org
root@master:~# ls -ld /usr/local/samba/var/lib/ntp_signd
drwxr-x--- 2 root ntp 4096 Jun 19 12:21 /usr/local/samba/var/lib/ntp_signd

We configure Samba startup using systemd

root@master:~# nano /lib/systemd/system/samba-ad-dc.service
[Service]
Type=forking
PIDFile=/usr/local/samba/var/run/samba.pid
LimitNOFILE=16384
# EnvironmentFile=-/etc/conf.d/samba
ExecStart=/usr/local/samba/sbin/samba
ExecReload=/usr/bin/kill -HUP $MAINPID

[Install]
WantedBy=multi-user.target

root@master:~# systemctl enable samba-ad-dc
root@master:~# reboot

root@master:~# systemctl status samba-ad-dc
root@master:~# systemctl status ntp

Samba 4 AD-DC file locations

ALL the files, except the newly created samba-ad-dc.service, are under:

root@master:~# ls -l /usr/local/samba/
total 32
drwxr-sr-x  2 root staff 4096 Jun 19 11:55 bin
drwxr-sr-x  2 root staff 4096 Jun 19 11:50 etc
drwxr-sr-x  7 root staff 4096 Jun 19 11:30 include
drwxr-sr-x 15 root root 4096 Jun 19 11:33 lib
drwxr-sr-x  7 root staff 4096 Jun 19 12:40 private
drwxr-sr-x  2 root staff 4096 Jun 19 11:33 sbin
drwxr-sr-x  5 root staff 4096 Jun 19 11:33 share
drwxr-sr-x  8 root staff 4096 Jun 19 12:28 var

in the best UNIX style. It is always advisable to browse through the different folders and examine their contents.

The /usr/local/samba/etc/smb.conf file

root@master:~# nano /usr/local/samba/etc/smb.conf
# Global parameters
[global]
        netbios name = MASTER
        realm = SWL.FAN
        workgroup = SWL
        dns forwarder = 8.8.8.8
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate, dns
        server role = active directory domain controller
        allow dns updates = secure only
        idmap_ldb:use rfc2307 = yes
        idmap config * : backend = tdb
        idmap config * : range = 1000000-1999999
        ldap server require strong auth = no
        printcap name = /dev/null

root@master:~# testparm
Load smb config files from /usr/local/samba/etc/smb.conf
Processing section "[netlogon]"
Processing section "[sysvol]"
Loaded services file OK.
Server role: ROLE_ACTIVE_DIRECTORY_DC

Press enter to see a dump of your service definitions

# Global parameters
[global]
        realm = SWL.FAN
        workgroup = SWL
        dns forwarder = 192.168.10.1
        ldap server require strong auth = No
        passdb backend = samba_dsdb
        server role = active directory domain controller
        rpc_server:tcpip = no
        rpc_daemon:spoolssd = embedded
        rpc_server:spoolss = embedded
        rpc_server:winreg = embedded
        rpc_server:ntsvcs = embedded
        rpc_server:eventlog = embedded
        rpc_server:srvsvc = embedded
        rpc_server:svcctl = embedded
        rpc_server:default = external
        winbindd:use external pipes = true
        idmap config * : range = 1000000-1999999
        idmap_ldb:use rfc2307 = yes
        idmap config * : backend = tdb
        map archive = No
        map readonly = no
        store dos attributes = Yes
        vfs objects = dfs_samba4 acl_xattr

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/swl.fan/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No
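
The [global] section above sets ldap server require strong auth = no, which accepts simple and SASL binds on every transport, cleartext ldap:// included; with the Samba default (yes), simple binds are accepted only over TLS. The audit below is an added example, not part of the original article: the function names are hypothetical and the sample file is constructed from the values shown above.

```shell
#!/bin/sh
# Added example (not from the article): audit a Samba AD DC smb.conf for two
# settings that weaken the directory service.

# smbconf_get FILE SECTION KEY
# Prints the last value assigned to KEY inside [SECTION]. smb.conf ignores case
# and whitespace in section and parameter names, so both are normalised.
smbconf_get() {
    awk -v want_sec="$2" -v want_key="$3" '
        function norm(s) { s = tolower(s); gsub(/[ \t]/, "", s); return s }
        BEGIN { want_sec = norm(want_sec); want_key = norm(want_key) }
        /^[ \t]*[#;]/ { next }                       # comment lines
        /^[ \t]*\[/ {                                # section header
            sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
            sec = norm(sec); next
        }
        sec == want_sec && index($0, "=") > 0 {
            eq = index($0, "=")
            if (norm(substr($0, 1, eq - 1)) == want_key) {
                val = substr($0, eq + 1)
                sub(/^[ \t]+/, "", val); sub(/[ \t\r]+$/, "", val)
                found = val; seen = 1
            }
        }
        END { if (seen) print found }
    ' "$1"
}

# audit_dc_conf FILE
# Prints one WEAK line per finding and nothing when both settings are at
# their Samba defaults or stricter.
audit_dc_conf() {
    v=$(smbconf_get "$1" global "ldap server require strong auth" | tr 'A-Z' 'a-z')
    case "$v" in
        no|false|0)
            echo "WEAK ldap server require strong auth = $v (simple and SASL binds accepted on every transport, cleartext ldap:// included)" ;;
    esac
    v=$(smbconf_get "$1" global "allow dns updates" | tr 'A-Z' 'a-z')
    case "$v" in
        nonsecure)
            echo "WEAK allow dns updates = $v (dynamic DNS updates accepted in all cases, not only over secure connections)" ;;
    esac
}

# Constructed sample 1: the security-relevant [global] lines from the article.
write_article_conf() {
    cat > "$1" <<'EOF'
# Global parameters
[global]
        netbios name = MASTER
        realm = SWL.FAN
        workgroup = SWL
        server role = active directory domain controller
        allow dns updates = secure only
        ldap server require strong auth = no
EOF
}

# Constructed sample 2: the same DC with strong auth at the Samba default.
write_hardened_conf() {
    write_article_conf "$1"
    sed 's/strong auth = no/strong auth = yes/' "$1" > "$1.new" && mv "$1.new" "$1"
}

# Demonstration on the constructed samples.
demo_dir=$(mktemp -d)
write_article_conf "$demo_dir/article.conf"
write_hardened_conf "$demo_dir/hardened.conf"
echo "article smb.conf:";  audit_dc_conf "$demo_dir/article.conf"
echo "hardened smb.conf:"; audit_dc_conf "$demo_dir/hardened.conf"
rm -rf "$demo_dir"
```

With strong auth left at yes, the cleartext ldapsearch -x -W query used in this article needs TLS (ldaps:// or StartTLS) or a SASL bind instead.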

Minimal checks

root@master:~# tool domain level show
Domain and forest function level for domain 'DC=swl,DC=fan'

Forest function level: (Windows) 2008 R2
Domain function level: (Windows) 2008 R2
Lowest function level of a DC: (Windows) 2008 R2

root@master:~# ldapsearch -x -W

root@master:~# tool dbcheck
Checking 262 objects
Checked 262 objects (0 errors)

root@master:~# kinit Administrator
Password for Administrator@SWL.FAN: 
root@master:~# klist -f
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@SWL.FAN

Valid starting     Expires            Service principal
19/06/17 12:53:24  19/06/17 22:53:24  krbtgt/SWL.FAN@SWL.FAN
    renew until 20/06/17 12:53:18, Flags: RIA

root@master:~# kdestroy
root@master:~# klist -f
klist: Credentials cache file '/tmp/krb5cc_0' not found

root@master:~# smbclient -L localhost -U%
Domain=[SWL] OS=[Windows 6.1] Server=[Samba 4.5.1]

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk
        sysvol          Disk
        IPC$            IPC       IPC Service (Samba 4.5.1)
Domain=[SWL] OS=[Windows 6.1] Server=[Samba 4.5.1]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------

root@master:~# smbclient //localhost/netlogon -UAdministrator -c 'ls'
Enter Administrator's password: 
Domain=[SWL] OS=[Windows 6.1] Server=[Samba 4.5.1]
  .                                   D        0  Mon Jun 19 11:50:52 2017
  ..                                  D        0  Mon Jun 19 11:51:07 2017

                19091584 blocks of size 1024. 16198044 blocks available

root@master:~# tool dns serverinfo master -U administrator

root@master:~# host -t SRV _ldap._tcp.swl.fan
_ldap._tcp.swl.fan has SRV record 0 100 389 master.swl.fan.

root@master:~# host -t SRV _kerberos._udp.swl.fan
_kerberos._udp.swl.fan has SRV record 0 100 88 master.swl.fan.

root@master:~# host -t A master.swl.fan
master.swl.fan has address 192.168.10.5

root@master:~# host -t SOA swl.fan
swl.fan has SOA record master.swl.fan. hostmaster.swl.fan. 1 900 600 86400 3600

root@master:~# host -t NS swl.fan
swl.fan name server master.swl.fan.

root@master:~# host -t MX swl.fan
swl.fan has no MX record

root@master:~# samba_dnsupdate --verbose

root@master:~# tool user list
Administrator
krbtgt
Guest

root@master:~# tool group list
# The output is a bunch of groups. ;-)

We manage the newly installed Samba 4 AD-DC

If we want to change the expiry, in days, of the Administrator password; the password complexity; the minimum password length; the minimum and maximum password age, in days; and change the Administrator password declared during provisioning, we must run the following commands with the values adapted to your needs:

root@master:~# tool
Usage: samba-tool

Main samba administration tool.

Options:
  -h, --help     show this help message and exit

  Version Options:
    -V, --version  Display version number

Available subcommands:
  dbcheck     - Check local AD database for errors.
  delegation  - Delegation management.
  dns         - Domain Name Service (DNS) management.
  domain      - Domain management.
  drs         - Directory Replication Services (DRS) management.
  dsacl       - DS ACLs manipulation.
  fsmo        - Flexible Single Master Operations (FSMO) roles management.
  gpo         - Group Policy Object (GPO) management.
  group       - Group management.
  ldapcmp     - Compare two ldap databases.
  ntacl       - NT ACLs manipulation.
  processes   - List processes (to aid debugging on systems without setproctitle).
  rodc        - Read-Only Domain Controller (RODC) management.
  sites       - Sites management.
  spn         - Service Principal Name (SPN) management.
  testparm    - Syntax check the configuration file.
  time        - Retrieve the time on a server.
  user        - User management.
For more help on a specific subcommand, please type: samba-tool (-h|--help)

root@master:~# tool user setexpiry administrator --noexpiry
root@master:~# tool domain passwordsettings set --min-pwd-length=7
root@master:~# tool domain passwordsettings set --min-pwd-age=0
root@master:~# tool domain passwordsettings set --max-pwd-age=60
root@master:~# tool user setpassword --filter=samaccountname=Administrator --newpassword=Passw0rD

We add several DNS records

root@master:~# tool dns
Usage: samba-tool dns

Domain Name Service (DNS) management.

Options:
  -h, --help  show this help message and exit

Available subcommands:
  add         - Add a DNS record
  delete      - Delete a DNS record
  query       - Query a name.
  roothints   - Query root hints.
  serverinfo  - Query for server information.
  update      - Update a DNS record
  zonecreate  - Create a zone.
  zonedelete  - Delete a zone.
  zoneinfo    - Query for zone information.
  zonelist    - Query for zones.
For more help on a specific subcommand, please type: samba-tool dns (-h|--help)

Mail server

root@master:~# tool dns add master swl.fan mail A 192.168.10.9 -U administrator
root@master:~# tool dns add master swl.fan swl.fan MX "mail.swl.fan 10" -U administrator

Fixed IPs of other servers

root@master:~# tool dns add master swl.fan sysadmin A 192.168.10.1 -U administrator
root@master:~# tool dns add master swl.fan fileserver A 192.168.10.10 -U administrator
root@master:~# tool dns add master swl.fan proxy A 192.168.10.11 -U administrator
root@master:~# tool dns add master swl.fan chat A 192.168.10.12 -U administrator

Reverse zone

root@master:~# tool dns zonecreate master 10.168.192.in-addr.arpa -U administrator
Password for [SWL\administrator]: 
Zone 10.168.192.in-addr.arpa created successfully

root@master:~# tool dns add master 10.168.192.in-addr.arpa 5 PTR master.swl.fan. -U administrator
root@master:~# tool dns add master 10.168.192.in-addr.arpa 9 PTR mail.swl.fan. -U administrator
root@master:~# tool dns add master 10.168.192.in-addr.arpa 1 PTR sysadmin.swl.fan. -U administrator
root@master:~# tool dns add master 10.168.192.in-addr.arpa 10 PTR fileserver.swl.fan. -U administrator
root@master:~# tool dns add master 10.168.192.in-addr.arpa 11 PTR proxy.swl.fan. -U administrator
root@master:~# tool dns add master 10.168.192.in-addr.arpa 12 PTR chat.swl.fan. -U administrator

Checks

root@master:~# tool dns query master swl.fan mail ALL -U administrator
Password for [SWL\administrator]: 
  Name=, Records=1, Children=0
    A: 192.168.10.9 (flags=f0, serial=2, ttl=900)

root@master:~# host master
master.swl.fan has address 192.168.10.5
root@master:~# host sysadmin
sysadmin.swl.fan has address 192.168.10.1
root@master:~# host mail
mail.swl.fan has address 192.168.10.9
root@master:~# host chat
chat.swl.fan has address 192.168.10.12
root@master:~# host proxy
proxy.swl.fan has address 192.168.10.11
root@master:~# host fileserver
fileserver.swl.fan has address 192.168.10.10
root@master:~# host 192.168.10.1
1.10.168.192.in-addr.arpa domain name pointer sysadmin.swl.fan.
root@master:~# host 192.168.10.5
5.10.168.192.in-addr.arpa domain name pointer master.swl.fan.
root@master:~# host 192.168.10.9
9.10.168.192.in-addr.arpa domain name pointer mail.swl.fan.
root@master:~# host 192.168.10.10
10.10.168.192.in-addr.arpa domain name pointer fileserver.swl.fan.
root@master:~# host 192.168.10.11
11.10.168.192.in-addr.arpa domain name pointer proxy.swl.fan.
root@master:~# host 192.168.10.12
12.10.168.192.in-addr.arpa domain name pointer chat.swl.fan.
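
The A and PTR records above are typed by hand, one command each, so a forward and a reverse entry can drift apart. The check below is an added example, not part of the original article: it reads captured host output and reports every address whose PTR is missing or names another host. The function names, the client address 192.168.10.20 and the misspelled PTR in the sample are constructed, and ptr_add_cmd assumes a /24 reverse zone like the one created above.

```shell
#!/bin/sh
# Added example (not from the article): forward/reverse DNS consistency check
# over captured `host` output.

# check_fcrdns: reads `host` output on stdin and prints one finding per line:
#   MISSING_PTR name ip          A record whose address has no PTR
#   MISMATCH name ip -> other    PTR for the address names a different host
#   ORPHAN_PTR ip -> name        PTR whose address no A record uses
check_fcrdns() {
    awk '
        # "master.swl.fan has address 192.168.10.5"
        $2 == "has" && $3 == "address" { fwd[tolower($1)] = $4; next }
        # "5.10.168.192.in-addr.arpa domain name pointer master.swl.fan."
        $2 == "domain" && $3 == "name" && $4 == "pointer" {
            n = split($1, p, ".")
            if (n != 6 || p[5] != "in-addr" || p[6] != "arpa") next
            ip = p[4] "." p[3] "." p[2] "." p[1]      # undo the octet reversal
            target = tolower($5); sub(/\.$/, "", target)
            rev[ip] = target
        }
        END {
            for (name in fwd) {
                ip = fwd[name]; used[ip] = 1
                if (!(ip in rev))
                    print "MISSING_PTR " name " " ip
                else if (rev[ip] != name)
                    print "MISMATCH " name " " ip " -> " rev[ip]
            }
            for (ip in rev)
                if (!(ip in used)) print "ORPHAN_PTR " ip " -> " rev[ip]
        }
    ' | sort
}

# ptr_add_cmd SERVER FQDN IPV4
# Prints the samba-tool command that adds the PTR for IPV4 in its /24 zone,
# in the form used in this article.
ptr_add_cmd() {
    echo "$3" | awk -F. -v srv="$1" -v fqdn="$2" 'NF == 4 {
        printf "samba-tool dns add %s %s.%s.%s.in-addr.arpa %s PTR %s. -U administrator\n",
               srv, $3, $2, $1, $4, fqdn
    }'
}

# Constructed sample: three hosts from the article plus three deliberate
# faults (a misspelled PTR target, a client with no PTR, a PTR with no A).
sample_host_output() {
    cat <<'EOF'
master.swl.fan has address 192.168.10.5
mail.swl.fan has address 192.168.10.9
fileserver.swl.fan has address 192.168.10.10
seven.swl.fan has address 192.168.10.20
5.10.168.192.in-addr.arpa domain name pointer master.swl.fan.
9.10.168.192.in-addr.arpa domain name pointer mail.swl.fan.
10.10.168.192.in-addr.arpa domain name pointer fileerver.swl.fan.
12.10.168.192.in-addr.arpa domain name pointer chat.swl.fan.
EOF
}

# Demonstration: list the findings, then print the fix for the missing PTR.
sample_host_output | check_fcrdns
ptr_add_cmd master seven.swl.fan 192.168.10.20
```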

For the curious

root@master:~# ldbsearch -H /usr/local/samba/private/sam.ldb.d/\
DC=DOMAINDNSZONES,DC=SWL,DC=FAN.ldb | grep dn:

We add users

root@master:~# tool user
Usage: samba-tool user

User management.

Options:
  -h, --help  show this help message and exit

Available subcommands:
  add            - Create a new user.
  create         - Create a new user.
  delete         - Delete a user.
  disable        - Disable an user.
  enable         - Enable an user.
  getpassword    - Get the password fields of a user/computer account.
  list           - List all users.
  password       - Change password for a user account (the one provided in authentication).
  setexpiry      - Set the expiration of a user account.
  setpassword    - Set or reset the password of a user account.
  syncpasswords  - Sync the password of user accounts.
For more help on a specific subcommand, please type: samba-tool user (-h|--help)

root@master:~# tool user create trancos Trancos01
User 'trancos' created successfully
root@master:~# tool user create gandalf Gandalf01
User 'gandalf' created successfully
root@master:~# tool user create legolas Legolas01
User 'legolas' created successfully
root@master:~# tool user list
Administrator
gandalf
legolas
trancos
krbtgt
Guest

Administration through a graphical interface or a web client

Visit wiki.samba.org for detailed information on how to install the Microsoft RSAT, or Remote Server Administration Tools. If you do not need the classic policies offered by Microsoft Active Directory, you can install the ldap-account-manager package, which offers a simple interface for administration through a web browser.

The Microsoft Remote Server Administration Tools (RSAT) program package is included in the Windows Server operating systems.

We join the domain with a Windows 7 client named "seven"

As we do not have a DHCP server on the network, the first thing to do is configure the client's network card with a fixed IP, declare that the primary DNS will be the IP of the samba-ad-dc, and check that the option "Register this connection's addresses in DNS" is enabled. It does no harm to check that the name «seven» is not already registered in the Samba internal DNS.

After joining the computer to the domain and restarting it, let us try to log in with the user «trancos». We will verify that everything works OK. It is also recommended to check the Windows client's logs and verify that the time is synchronized correctly.

Administrators with some Windows experience will find that any check they make on the client gives satisfactory results.

Summary

I hope the article has been useful to the readers of the DesdeLinux Community.

Goodbye!


  1.   Gonzalo Martinez said

    A long but detailed article, a very good step by step on how to do everything.

    I emphasize NIS; the truth is that although I knew of its existence, I never really knew how it works, since to be honest it always gave me the impression that it was practically dead next to LDAP and Samba 4.

    PS: Congratulations on your new project! A pity that you will not continue writing here, but at least there is a place to follow you.

  2.   HO2 Gi said

    A tremendous tutorial as always, one for my favourites. Greetings, Fico.
    Congratulations on the project.

  3.   IWO said

    The NIS section is great. I sympathize with Gonzalo Martinez: I knew of it briefly but had no idea how to implement it or in which situations it is used.
    Thanks once again for a tremendous "trunk" of a theoretical and practical article.
    Finally, new successes in your new project «gigainside».

  4.   federico said

    Thank you very much, everyone, for commenting!!!
    Regards

  5.   mussol said

    The smb.conf you show has no link to LDAP; is that intentional or did I miss something?

  6.   phico said

    mussol: This is a Samba 4 Active Directory Domain Controller, which already has its built-in LDAP server.

  7.   Vincent said

    Could you comment on how to join a mac (apple) to a samba 4 AD-DC?
    Thanks.

  8.   shazada said

    How are you;

    Thanks for the manual, it is great. I have a question about a message that appears for me.

    root@AD:~# nping --tcp -p 53 -c 3 ad.rjsolucionessac.com
    Failed to resolve given hostname/IP: ad.rjsolucionessac.com. Note that you can't use '/mask' AND '1-4,7,100-' style IP ranges
    Cannot find a valid target. Please make sure the specified hosts are either IP addresses in standard notation or hostnames that can be resolved with DNS
    root@AD:~#