
пятница, 5 февраля 2010 г.

Интеграция linux клиентов в домен SAMBA+LDAP

Имеется домен и его контроллер Samba+LDAP на базе Linux.
Задача: добавить в домен несколько линуксовых серверов и энное количество линуксовых клиентов, с возможностью прозрачной авторизации на шарах.

Для серверов на базе Ubuntu Server 8.04.2 с установленными LAMP, OpenSSH, Samba:

# aptitude install ldap-auth-config smbldap-tools

# nano /etc/ldap.conf
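# /etc/ldap.conf — read by libnss-ldap and libpam-ldap: one "key value" per line,
# '#' full-line comments only. Keep every key unique — a later occurrence of the
# same key presumably overrides an earlier one, so duplicates change behaviour silently.
host 192.168.0.1
base dc=domain,dc=local
# DN used for privileged lookups (shadow data); its password is read from
# /etc/ldap.secret. That file holds a plaintext credential: keep it root-owned, mode 0600.
rootbinddn uid=ldap_proxy,ou=People,dc=domain,dc=local
# soft: give up quickly when the directory is unreachable instead of retrying
# (keeps boot/login from hanging; LDAP-only users cannot log in while the DC is down)
bind_policy soft
# seconds before an idle connection to the server is closed
idle_timelimit 600
# Password changes use the LDAP Password Modify extended operation, so the directory
# applies its own hashing policy. Set pam_password exactly once — a second
# "pam_password md5" line further down would override this with local MD5 hashing.
pam_password exop
# Search bases are consulted in the order listed; "?one" limits each to one level.
# Computers are included so that Samba machine accounts resolve as POSIX users.
nss_base_passwd ou=SambaUsers,dc=domain,dc=local?one
nss_base_passwd ou=Computers,dc=domain,dc=local?one
nss_base_passwd ou=People,dc=domain,dc=local?one
nss_base_shadow ou=SambaUsers,dc=domain,dc=local?one
nss_base_shadow ou=Computers,dc=domain,dc=local?one
nss_base_shadow ou=People,dc=domain,dc=local?one
nss_base_group ou=SambaGroups,dc=domain,dc=local?one
nss_base_group ou=Group,dc=domain,dc=local?one
# Plaintext LDAP: the rootbinddn bind and every lookup cross the network unencrypted.
# Prefer "ssl start_tls" (with tls_cacertfile) once the directory serves TLS.
ssl no
# Local system accounts that never need an LDAP initgroups() lookup
# (avoids a directory round-trip, or a hang, for every daemon start)
nss_initgroups_ignoreusers Debian-exim,avahi,backup,bin,daemon,dhcp,firebird,games,gnats,irc,klog,libuuid,list,lp,mail,man,messagebus,motion,mysql,news,openldap,otrs,proxy,root,sshd,sync,sys,syslog,uucp,www-data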

# nano /etc/ldap.secret

somepassword

# nano /etc/samba/smb.conf
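# /etc/samba/smb.conf for a Linux domain member that talks to the same LDAP
# directory as the DC. '#' full-line comments; booleans written as lowercase yes/no.
[global]
# Character sets
unix charset = UTF-8
dos charset = UTF-8
display charset = UTF-8

# Domain member: user authentication is handed to the DC; account data is read
# from the shared LDAP directory (ldapsam) so UIDs/GIDs match the DC.
security = domain
workgroup = DOMAIN
netbios name = Supaserv
server string = Cluster Member

# Logging: one file per client machine (%m), rotated at 50 KB
log level = 1
syslog = 0
log file = /var/log/samba/%m
max log size = 50

# smbd listens on TCP only; 137/138 are nmbd's UDP NetBIOS ports and do not belong
# in this list (the default is "445 139").
smb ports = 139 445
name resolve order = wins bcast hosts
printcap name = CUPS
wins server = 192.168.1.225
socket options = TCP_NODELAY IPTOS_LOWDELAY

# Account storage. "ldap ssl = off" sends the ldap admin dn bind (password stored
# in secrets.tdb by "smbpasswd -W") and all queries in clear text; prefer
# "ldap ssl = start tls" once the directory offers TLS.
passdb backend = ldapsam:ldap://192.168.0.1/
ldap admin dn = uid=admin,ou=People,dc=domain,dc=local
ldap suffix = dc=domain,dc=local
ldap user suffix = ou=SambaUsers
ldap group suffix = ou=SambaGroups
ldap idmap suffix = ou=SambaGroups
ldap machine suffix = ou=Computers
ldap passwd sync = yes
ldap ssl = off

# UID/GID range reserved for winbind id mapping
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind trusted domains only = yes

# Logon settings; logon path/home left empty on purpose (no roaming profiles)
logon script = logon.bat
logon path =
logon home =

# Provisioning hooks delegated to smbldap-tools. %u/%g are single-quoted so a
# user or group name is passed to the script as one argument.
add machine script = /usr/sbin/smbldap-useradd -i -w '%u'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
delete user script = /usr/sbin/smbldap-userdel '%u'
add group script = /usr/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/sbin/smbldap-groupdel '%g'

# NT ACL semantics on top of POSIX ACLs (the share filesystem typically needs
# acl support enabled for this to have any effect)
nt acl support = yes
inherit acls = yes
map acl inherit = yes

[Share]
comment = Supa Share
path = /share
writeable = yes
# "browsable" is an alias of "browseable"; the duplicate has been dropped.
browseable = yes
available = yes
# New files: rw for owner and group, nothing for others
create mask = 0660
directory mask = 0770
inherit acls = yes
# "profile acls" is intended for roaming-profile shares and changes how ownership
# is presented to clients; on a general data share it is usually unwanted — confirm.
profile acls = yes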

# /etc/init.d/samba restart

Устанавливаем пароль для вышеупомянутого admin:

# smbpasswd -W
# /etc/init.d/samba restart

# nano /etc/nsswitch.conf
# /etc/nsswitch.conf — lookup sources per database, tried left to right.
# "compat" reads the local files (honouring +/- entries) before falling through to ldap.
# NOTE: applying the auth-client-config profile below presumably rewrites the
# passwd/group/shadow/netgroup lines with its own nss_* values ("files ldap"),
# so what is shown here is the state before the profile is applied.
passwd: compat ldap
group: compat ldap
shadow: compat ldap

hosts: files dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

# Ubuntu default; replaced by "files ldap" when the profile is applied
netgroup: nis

Для локального логона и для прозрачной авторизации на шарах:

#nano /etc/auth-client-config/profile.d/open_ldap
# auth-client-config profile (configparser syntax). Each nss_*/pam_* value spans
# several lines; in the real file every continuation line must be indented, otherwise
# the parser sees a bare key and rejects the profile. The indentation appears to have
# been lost in this listing — restore it when copying.
[open_ldap]
# nsswitch.conf entries written by "auth-client-config -a -p open_ldap"
nss_passwd=passwd: files ldap
nss_group=group: files ldap
nss_shadow=shadow: files ldap
nss_netgroup=netgroup: files ldap
# Auth stack: local passwd first, then LDAP reusing the password already entered.
# "nullok" lets an account with an empty local password hash log in without a
# password — remove it unless that is intended.
pam_auth=auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
# The bare "pam_ldap.so" below is not a valid PAM rule (no type/control field) —
# presumably a stray fragment of the listing; make sure it is absent from the real profile.
pam_ldap.so
auth required pam_group.so use_first_pass
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
# Account checks: a local account short-circuits; LDAP users fall through to pam_ldap.
pam_account=account sufficient pam_unix.so
account sufficient pam_ldap.so
account required pam_deny.so
pam_password=password sufficient pam_unix.so nullok md5 shadow
password sufficient pam_ldap.so use_first_pass
password required pam_deny.so
# Session: pam_mkhomedir creates missing home directories with its default umask
# (world-readable); add "umask=0077" if home directories must be private.
pam_session=session required pam_limits.so
session required pam_mkhomedir.so skel=/etc/skel/
session required pam_unix.so
session optional pam_ldap.so

# auth-client-config -a -p open_ldap

# reboot

Проверяем коннект с лдапом:

# id alexander
uid=1001 (alexander) gid=1001 (alexander) groups=512 (Domain Admins),1001 (alexander)

Вводим машину в домен:

# net rpc join -U root

Проверяем шары и идем пить кофе... =)
