[Samba] BIG Samba howto for debian only.

Louis van Belle louis at van-belle.nl
Tue Dec 6 13:35:27 GMT 2005


Hi everybody, 

I made a pretty complete howto for samba on debian servers.

This howto covers samba + ldap + cups + recycle bin + samba-vscan
+ phpldapadmin + ACL + Extended Attributes.

this howto is also based on the idealx howto

If you do this setup, you should be able to use the NT4 Usermanager,
setup Point en Print Printing. set rights from explorer etc.
other nice tools is ldapadmin ( ldapadmin.sf.net ) a must check it out.

We will use a Debian Sarge as setup.  
If you never used Debian before, you can follow this how-to 
(http://www.howtoforge.com/perfect_setup_debian_sarge ) , 
please read the comment below the pages first, 
this can save you time and problems or install Debian without 
any software packaged, we will install them later when needed.
Checking the kernel of compile your own kernel if needed.

I try to give a complete solution for this how-to, 
this is because lots of people where asking the same things on 
the samba list and lots of people make the same mistakes.

This is my company's running setup.

I run this on a P866, 512 Ram, Scsi Raid 1 ( 15rpms 73 Gb ) , with 50 users 
25 printers which do about 150.000 prints a month.

I thank my company to let me make this document.


Please if you have improvements, comments, send them to me.

Louis van Belle





INDEX
Page nr.
			
1 Checking the kernel or compile your own kernel	3
1.1  Preparing apt configuration	3
1.2 Preparing the kernel	3
1.3 setup the /etc/fstab	3
1.4 final touch, lilo (or grub)	3
2 Pre-installation of the debian packages	4
2.1  Samba and Ldap	4
2.2 basic rights setup for samba	4
2.3 why this rights setup.	4
3 LDAP Server configuration	5
4 installation/configuration libnss, libpam (-ldap)	7
5 Samba and smbldap-tools Configuration	8
5.1 smbldap-tools installation/configuration	8
5.2 setting up samba base config	8
5.3 Configuring smbldap.conf	9
5.4 set the samba ldap admin password	9
5.5 Samba PRIVILEGES Setup	10
6 CUPS - Printer software	11
6.1 Setup Cups	11
6.2 Setup Cups PDF Printer. - Creating a PDF Printer	11
7 Configuring phpldapadmin	12
7.1 installation of phpldapadmin ( and apache )	12
8.0 On-Access virus scanning on samba (samba-clamav)	13
8.1 Installing ClamAV	13
8.2 get the sources ( samba & samba-vscan )	13
9.0 Recycle bin on samba	14
9.1 Recycle bin configuration	14
Appendix 1 (complex samba-access.conf ) SETUP WITH DSA USERS	15
Appendix 2 APT	16
2.1 APT HOWTO	16
2.2 Files from /etc/apt	17
2.2.1 /etc/apt/apt.conf	17
2.2.2 /etc/apt/preferences	17




1 Checking the kernel or compile your own kernel
1.1  Preparing apt configuration
	
	for this go check out my apt howto.

	if you apt config is setup rights, follow the steps below.	

	ncurses interface for compiling the kernel  
	apt-get install libncurses5-dev

	get the kernel source 
	apt-get install kernel-source-2.6.8 kernel-package

	installer right kernel and activate EXT2/3 + Extended attributes 
	and setup CIFS kernel support to in kernel.

1.2 Preparing the kernel
	apt-get install kernel-source-2.6.8 kernel-package fakeroot
libc6-dev libncurses5-dev

	cd /usr/src  
	tar -jxf kernel-source-2.6.8.tar.bz2
	ln -s /usr/src/linux /usr/src/kernel-source-2.6.8
	cp /boot/config-2.6.8-2-* /usr/src/linux/.config
	cd linux
	make menuconfig - File systems - Ext2/3 + extended options
			also  File systems - Miscellaneous filesystems -
CramFS
			and   File systems - Network File Systems - CIFS
support 							
			+ extended Attributes
	now create the kernel and install it.

	fakeroot make-kpkg --append-to-kernel=-mykernel --initrd
kernel_image

	This create a file kernel-image-2.6.8.custom.1.0_i386.deb under 
	/usr/src

	dpkg -i kernel-image-2.6.8.custom.1.0_i386.deb  to install the
kernel
1.3 setup the /etc/fstab

	/etc/fstab :   add the acl and user_xattr to the right partition

	/dev/xxx      /home           ext3    defaults,acl,user_xattr

	I use /home/samba for the samba environment. 
	All the needed samba directories will be put here. !! 
   This is important ! 

1.4 final touch, lilo (or grub) 

	lilo and reboot , login and do 'uname -a' and you wil see a line
like 
	this.
	Linux ms249-lin-001 2.6.8-mykernel #1 Wed Jun 1 15:03:47 CEST 2005
i686 

	Your server is now ready for samba 3. 
2 Pre-installation of the debian packages  
2.1  Samba and Ldap

   apt-get install slapd samba libsasl2-modules sasl2-bin openssl 
   db4.2-util ldap-utils samba-doc libxml-parser-perl libauthen-sasl-perl

Configuring slapd 
	set an dns name - internal.yourdomain.tld 
	- Give it a name/description 
	- set that admin password for the ldap manager 
	( cn=admin,dc=internal,dc=yourdomain,dc=tld
	- Allow LDAPv2 protocol?  yes

Configure samba
	set a domain name  DOMAIN
	Use password encryption? Yes 
	Modify smb.conf to use WINS settings from DHCP?   No 
	How do you want to run Samba?  Daemons
	Create samba password database, /var/lib/samba/passdb.tdb? No !!!
else  	
	you will end up with lots of users from debian in this password file
and you don't want that.

Setup samba.schema file for ldap
	zcat /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz >
/etc/ldap/schema/samba.schema

In this setup I use /home/samba for the samba environment.
	i use these directories.
	/home/samba 	skel,data,profiles,netlogon,printers,spool
	/home/users/ 	username

2.2 basic rights setup for samba

	/home/samba 			777		Administrator:Domain
Admins
	/home/samba/spool 		777		Administrator:Domain
Admins
	/home/samba/printers 	775		Administrator:Domain Admins
	/home/samba/profiles 	777		Administrator:Domain Admins
	/home/samba/netlogon 	775		Administrator:Domain Admins
	/home/samba/data	 	775		Administrator:Domain
Admins
	/home/samba/temp	 	777		Administrator:Domain
Admins
	/home/samba/tools	 	755		Administrator:Domain
Admins
	/home/samba/skel	 	755		Administrator:Domain
Admins


2.3 why this rights setup.

	1 Administrator can create in complete samba environment.
	2 In data directories my users are not allowed to create sub dir's,
I 	
	create one for the department, and set rights to that department,
from 	that point they can create directories. 
	3 Profiles 777, in the samba config is a parameter defined 
	valid users = %u @"Domain Administrators"  
	Only the user and administrator can access the user profile
directories.
	create mask and directory mask make sure rights are set primary to
the 	user.
3 LDAP Server configuration

	Configure slapd.conf, but first stop the slapd server (
/etc/init.d/slapd stop )

	Create ldap certificates for ssl support
	mkdir /etc/ldap/tls

	## self signed certificate
	openssl req -newkey rsa:1024 -x509 -nodes -out ldap-server.pem -
keyout 	
	ldap-server.pem -days 3650   ( where Common Name =
ldap.yourdomain.tld )

	edit /etc/ldap/slapd.conf
	put these below the other line, the order of schema files must be

      correct.
	insert the line "include	/etc/ldap/schema/samba.schema"

	add these line before the database definition
	TLSCACertificateFile /etc/ldap/ssl/ldap-server.pem
	TLSCertificateFile /etc/ldap/ssl/ldap-server.pem
	TLSCertificateKeyFile /etc/ldap/ssl/ldap-server.pem
	
Now its time for the ldap database configuration for samba

example of the /etc/slapd.conf    ( database 1 configuration ) 

#######################################################################
# Specific Directives for database #1, of type bdb:
# Database specific directives apply to this databasse until another
# 'database' directive occurs
database        bdb

# The base of your directory in database #1
suffix          "dc=internal,dc=yourdomain,dc=tld"

rootdn          "cn=admin,dc=rotterdam,dc=bazuin,dc=nl"
rootpw          {MD5}fsadsdafasfaewfw  

   ## create the rootpw 
   ## echo rootpw  `slappasswd -h {Md5}` >> /etc/ldap/slapd.conf

# Where the database file are 
physically stored for database #1
directory       "/var/lib/ldap"

# Indexing options for database #1
### !!!!! Always run slapindex(8) after changing indices!!!!!!
### and first STOP the LDAP SERVER  ( /etc/init.d/slapd stop )
index           objectClass,uidNumber,gidNumber eq
index           cn,sn,uid,displayName           pres,eq,sub
index           memberUid,mail,givenname        eq,subinitial
index           sambaSID,sambaPrimaryGroupSID,sambaDomainName, eq
## default index
index           default eq

# Save the time that the entry gets modified, for database #1
lastmod         on

# Where to store the replica logs for database #1
replogfile    /var/lib/ldap/replog
# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
access to attrs=userPassword
        by dn="cn=admin,dc=internal,dc=yourdomain,dc=tld" write
        by anonymous auth
        by self write
        by * none


# Ensure read access to the base for things like
# supportedSASLMechanisms.  Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possible other things) to work
# happily.
access to dn.base="" by * read

# The admin dn has full write access, everyone else
# can read everything.
access to *
        by dn="cn=admin,dc=internal,dc=yourdomain,dc=tld" write
        by * read

# samba access list
include /etc/ldap/samba-access.conf

Example of the /etc/samba-access.conf    ( database 1 configuration ) 

### OLD Samba no DSA users used
access to
attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdM
ustChange
    by dn="cn=admin,dc=internal,dc=yourdomain,dc=tld" write
    by anonymous auth
    by self write
    by * none

access to attrs=loginShell
    by dn="cn=admin,dc=internal,dc=yourdomain,dc=tld" write
    by * none

access to
attrs=description,telephoneNumber,roomNumber,homePhone,gecos,cn,sn,givenname
    by dn="cn=admin,dc=internal,dc=yourdomain,dc=tld" write
    by self write
    by * read


See appendix 1 if you want a more secure ldap database.
!! this setup does not help you to setting this up. !!

run slapindex
and start the slapd server
/etc/init.d/slapd start
4 installation/configuration libnss, libpam (-ldap)

apt-get install libnss-ldap libpam-ldap

Configuring libnss-ldap
	define the host
		127.0.0.1
	distinguished name of the search base
		dc=internal,dc=yourdomain,dc=tld

	LDAP version to use
		3
	database requires login
		No
	Make configuration readable/writeable by owner only
		No

Configuring libpam-ldap
	Make local root Database admin.
		Yes
	Database requires logging in.
		No
	Root login account
		cn=admin,dc=internal,dc=yourdomain,dc=tld
	set your password
		( same as above for admin )

	Local crypt to use when changing passwords
		exop

Configure nsswitch
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis


Now test the server 
ldapsearch -x -D "cn=admin,dc=internal,dc=yourdomain,dc=tld" -W
(enter the password)
if you see 
result: 0 Success

for now this is ok.
5 Samba and smbldap-tools Configuration

5.1 smbldap-tools installation/configuration

apt-get install smbldap-tools

copy the default config from the example directorie.
cp /usr/share/doc/smbldap-tools/examples/smbldap_bind.conf
/etc/smbldap-tools/

cp /usr/share/doc/smbldap-tools/examples/smbldap.conf.gz /etc/smbldap-tools/
cd /etc/smbldap-tools
gunzip smbldap.conf.gz

first the easy part.

in /etc/smbldap-tools/smbldap_bind.conf
change this to admin
slaveDN="cn=admin,dc=internal,dc=yourdomain,dc=tld"
slavePw="Yourpassword"
masterDN="cn=admin,dc=internal,dc=yourdomain,dc=tld"
masterPw="Yourpassword"

5.2 setting up samba base config

start with the default config
cd /etc/samba
cp /usr/share/doc/smbldap-tools/examples/smb.conf.gz /etc/samba
gunzip smb.conf.gz

change the config to your needs
some tips using samba on a firewalled system
use the following setting, here eth0 is the internal side

        interfaces = eth0 lo
        bind interfaces only = yes

change the binary location from /opt/..  
to /usr/sbin/smbldap-.... 
the smbldap-tools are installed by debian in /usr/sbin

also in this setup /home/. must be changed to /home/samba/. 
This will save you a lot of troubles with rights.


5.3 Configuring smbldap.conf

first we need to get some samba info

net getlocalsid

SID for domain SERVERNAME is: S-1-5-21-2074673303-3377769770-2933042573
change the SID in smbldap.conf in the your sid.


change the suffix to your suffix (dc=internal,dc=yourdomain,dc=tld)
change the hash_encryption to MD5
change userLoginShell="bin/nologin"
and you nologin, because im Configuring ldap for samba only.
set the home directory ( in my case /home/users/%U )
set the other to your needs.


5.4 set the samba ldap admin password

smbpasswd -w ldapadmin_password  
Setting stored password for "cn=admin,dc=internal,dc=yourdomain,dc=tld" in
secrets.tdb

now we go fill the ldap database with the base setup.

smbldap-populate -a Administrator -b nobody -u 2000 -g 2000

users are created with 	uid 	=> 2000 
groups are created with 	gid	=> 2000


!!!! DO NOT RUN THIS IF YOU ALREADY CREATED USERS. YOUR UID/GID's WILL GET
MESSED UPPED.

smbpasswd -a root
because root is needed for setting up the Privileges.

Now set the Administrator password and enable this user
smbldap-passwd Administrator
smbldap-usermod -J Administrator


5.5 Samba PRIVILEGES Setup

First check you rights and get to know the commands.

net rpc rights list accounts   	list users
net rpc rights list			list defined rights.

to get what for rights are defined and users/groups

IF you use a PDC/BDC setup these commands must be done on both servers!!

test these commands:

net rpc group
(output)
Domain Admins
Domain Users
Domain Guests
Domain Computers

or 

( see next page )

slapcat | grep Group | grep dn

(output)
dn: ou=Groups,dc=internal,dc=yourdomain,dc=tld
dn: cn=Domain Admins,ou=Groups,dc=internal,dc=yourdomain,dc=tld
dn: cn=Domain Users,ou=Groups,dc=internal,dc=yourdomain,dc=tld
dn: cn=Domain Guests,ou=Groups,dc=internal,dc=yourdomain,dc=tld
dn: cn=Domain Computers,ou=Groups,dc=internal,dc=yourdomain,dc=tld
dn: cn=Administrators,ou=Groups,dc=internal,dc=yourdomain,dc=tld
dn: cn=Print Operators,ou=Groups,dc=internal,dc=yourdomain,dc=tld
dn: cn=Backup Operators,ou=Groups,dc=internal,dc=yourdomain,dc=tld
dn: cn=Replicators,ou=Groups,dc=internal,dc=yourdomain,dc=tld


these are the privileges on samba 3.0.14a ( debian ) 

Privilege                       Description
SeMachineAccountPrivilege  	Add machines to domain
SePrintOperatorPrivilege   	Manage printers
SeAddUsersPrivilege        	Add users and groups to the domain
SeRemoteShutdownPrivilege  	Force shutdown from a remote system
SeDiskOperatorPrivilege    	Manage disk share


give the "Domain Admins" all of the SE Rights.
( -S Servernaam -U Username%Password )

net -S PDC -U root%Password rpc rights grant "DOMAIN\Domain Admins" \
 SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege \ 
 SeDiskOperatorPrivilege SeRemoteShutdownPrivilege


Give the "Printer Operators" all Print manage rights. 
( -S Servernaam -U Username%Password )

net -S PDC -U root%Password rpc rights grant "DOMAIN\Print Operators"
SePrintOperatorPrivilege
6 CUPS - Printer software

apt-cache search cups	to get the info which packages are available

I installed these packages.
apt-get install cups-pdf cupsys cupsys-bsd cupsys-pt cupsys-client \
foomatic-bin foomatic-filters cupsys-driver-gimpprint gs-esp ( and
dependencies ) 

Configuring cupsys-bsd
	Do you want to set up the BSD lpd compatibility server? Yes
	all others leave default.

6.1 Setup Cups	/etc/cups/cups.conf

	here locate the lines Allow From 127.0.0.1
	and change it to your network so you can login on the cups web
interface.
	for example: 
	Allow from 192.168.( this way I can manage it from 2 departments. )
	(192.168.1.x and 168.192.2.x )

	now you can logon on http://serverip:631/  
	make it safer to manage by adding a user to lpadmin group
	and this user can create printer queues
	
	I create printers with the following options.
	socket://printerIPnumber:9100  ( for hp jetdirect ), 	Raw,
Raw_queue

	I only use cups as spooler for windows pc's and *nix servers.
	
	First we are going to create 1 printer device and this is the CUPS
PDF Printer.


6.2 Setup Cups PDF Printer. - Creating a PDF Printer

	With this printer you can create PDF files bij just printing to it.

	- logon the web interface and choose add printer.
		Name:pdf_printer
		Location: %homedir%\cups-pdf
		Description: pdf created in homedir\cups-pdf
		Continue
	- Device: Virtual Printer(PDF printer) choose it, its below, 
		Continue
	- Choose the model/Driver for PDF_printer, Postscript, 
		Continue

	klik on manage printers to see what you have created.
	klik on Print Test Page to test the pdf printer. 
	
	a file is put in the cups-pdf directory of the user you logged on
with.





7 Configuring phpldapadmin

7.1 installation of phpldapadmin ( and apache )
	
   get the packages
	apt-get install phpldapadmin php4 apache

	What is your LDAP server host address?  127.0.0.1 
	( you the ip/hostname where the ldapserver is ) 

	ldaps protocol instead of ldap? No

	What is the distinguished name of the search base?     
	dc=internal,dc=youdomain,dc=tld

	Which type of authentication you want to use? session  

	What is the login dn for the LDAP server? 			
	cn=admin,dc=internal,dc=yourdomain,dc=tld
	
	Which web server would you like to reconfigure automatically?
	select all and press OK.

	restart webservers now: Yes

8.0 On-Access virus scanning on samba (samba-clamav) 
8.1 Installing ClamAV

   apt-get install clamav arj unzoo lha clamav-freshclam clamav-daemon 
      Configuring clamav-freshclam :  Daemon
      Choose a close mirror
      Should clamd be notified after updates? Yes
8.2 get the sources ( samba & samba-vscan )

	mkdir /usr/src/sources
	cd /usr/src/sources

	apt-get install dpkg-dev
	apt-get source samba
	apt-get build-dep samba

	cd samba-3.0-14a
	vi source/include/version.h

	here remove the a from the 14 ( 3.0.14a => 3.0.14 )

	./debian/rules configure-stamp
	cd source
	./make proto
	cd ../..

	wget
http://switch.dl.sourceforge.net/sourceforge/openantivirus/samba-vscan-0.3.6
b.tar.bz2

	tar xjvf samba-vscan-0.3.6b.tar.bz2

	cd samba-vscan-0.3.6b
	./configure
--with-samba-source=/usr/src/sources/samba-3.0.14a/source 
	make && make install

	cp clamav/vscan-clamav.conf /etc/samba/samba-vscan-clamav.conf
	change in the samba-vscan-clamav.conf
   clamd socket name = /var/run/clamav/clamd.ctl
   infected spins action = quarantine  ( or delete , which I choose.)

	When I put that lines in my smb.conf file, I can't access the share
:
	vfs object = vscan-clamav
	vscan-clamav: config-file = /etc/samba/samba-vscan-clamav.conf

	An example:
	[public]
	comment = Public Directory
	path = /home/public
	vfs object = vscan-clamav
	vscan-clamav: config-file = /etc/samba/samba-vscan-clamav.conf

	!!! BEWARE !!!! if samba upgrade to a higer version you MUST
recompile 	
	your samba-vscan.  set samba to hold for no upgrade.

	echo packagename hold | dpkg --set-selections     set to hold
	echo packagename install | dpkg --set-selections  set to install
9.0 Recycle bin on samba
9.1 Recycle bin configuration

	configure samba for using the recycle bin.
	I made my manager happy with this.

	create a file in /etc/samba
	and fill it with the options below.

	/etc/samba/samba-recycle.conf

	name = .recycle
	mode = KEEP_DIRECTORIES|VERSIONS|TOUCH
	maxsize = 0
	exclude = *.tmp|*.temp|*.o|*.obj|~$*|*.~??|~*.tmp
	excludedir = /tmp|/temp|/cache
	noversions = *.doc|*.xls|*.ppt

	add this to you share, same as vscan.

	vfs object = recycle
	recycle: config-files = /etc/samba/samba-recycle.conf

	create a recycle bin directorie and hide it for the users.

	I created .recycle  this way ( because of the dot) users don't see
this
	IF.. you don't set you explorer to view hidden files.

restart samba and your done.

You are ready to use your samba server. 



Appendix 1 (complex samba-access.conf ) SETUP WITH DSA USERS
see http://www.idealx.org/prj/samba/smbldap-howto.en.html
#### users can authenticate and change their password
#access to
attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdM
ustChange
#      by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
#      by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld"
write
#      by dn="cn=nssldap,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
#      by self write
#      by anonymous auth
#      by * none
# some attributes need to be readable anonymously so that 'id user' can
answer correctly
##access to
attrs=objectClass,entry,homeDirectory,uid,uidNumber,gidNumber,memberUid
#      by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
#      by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld"
write
#      by * read
# somme attributes can be writable by users themselves
##access to
attrs=description,telephoneNumber,roomNumber,homePhone,loginShell,gecos,cn,s
n,givenname
#      by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
#      by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld"
write
#      by self write
#      by * read
## some attributes need to be writable for samba
#access to
attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,samb
aLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcctF
lags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfileP
ath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,s
ambaMungedDial,sambaBadPasswordCount,sambaBadPasswordTime,sambaPasswordHisto
ry,sambaLogonHours,sambaSID,sambaSIDList,sambaTrustFlags,sambaGroupType,samb
aNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase,sambaSha
reName,sambaOptionName,sambaBoolOption,sambaIntegerOption,sambaStringOption,
sambaStringListoption,sambaPrivilegeList
#      by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
#      by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld"
write
#      by self read
#      by * none
## samba need to be able to create the samba domain account
#access to dn.base="dc=internal,dc=yourdomain,dc=tld"
#      by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
#      by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld"
write
#      by * none
## samba need to be able to create new users account
#access to dn="ou=Users,dc=internal,dc=yourdomain,dc=tld"
#      by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
#      by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld"
write
#      by * none
## samba need to be able to create new groups account
#access to dn="ou=Groups,dc=internal,dc=yourdomain,dc=tld"
#      by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
#      by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld"
write
#      by * none
## samba need to be able to create new computers account
#access to dn="ou=Computers,dc=internal,dc=yourdomain,dc=tld"
#      by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
#      by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld"
write
#      by * none
#
## this can be omitted but we leave it: there could be other branch
## in the directory
#access to *
#      by self read
#      by * none


Appendix 2 APT

2.1 APT HOWTO

Preparing apt for online packages.
After installing from CD or DVD adjust your apt config.

This setup makes sure your are using stable packages, that you are using
Debian Sarge.

In the apt.conf we defined the default release of debian this case stable (
Sarge 3.1r0).
The Show-Upgrade "true" is used for showing us the packages which are going
to be installed, I like to see what I'm installing. 

The sources.list  if you used a CD/DVD for installing you can leave this
line in the sources.list. This can save you bandwidth. My server is on a
remote location and I don't use the cd anymore. 
I added the clamav as stable because I want a new clamav for virus scanning
more info : http://www.clamav.net/binary.html  

The testing and unstable sources are also unmarked, that if you really need
a newer version of a program then you can try to create it from debian
source.

You can get the source install programs and search by using the following
commands: 

apt-get install package			= get & install package 
apt-get remove package  		= remove package
apt-get remove --purge package 	= remove and purge all files 	of package
dpkg --purge package			= purge all files of package

apt-cache search package		= search for package or part 	of
package name 
apt-cache show package		  	= get info over package
dpkg-reconfigure -plow package 	= reconfigure with priority low ( most
options )

for this first cd /usr/src.
apt-get source package			= get source files of packaged












2.2 Files from /etc/apt 

2.2.1 /etc/apt/apt.conf

APT::Default-Release "stable";
APT::Get::Show-Upgraded "true";
// 16 MB Limit
APT::Cache-limit 16777216;
// if you have /tmp with no mounted with noexec, you need this.
#DPkg::Pre-Install-Pkgs {"mount -o remount,exec /tmp";};
#DPkg::Post-Invoke {"mount -o remount /tmp";};



2.2.2 /etc/apt/preferences

Package: *
Pin: release a=stable
Pin-Priority: 990

Package: *
Pin: release a=testing
Pin-Priority: 500

Package: *
Pin: release a=unstable
Pin-Priority: 50

Package: *
Pin: release a=sarge,l=debian-volatile
Pin-Priority: 990













2.2.3 /etc/apt/sources.list

# See sources.list(5) for more information, especialy
# Remember that you can only use http, ftp or file URIs
# CDROMs are managed through the apt-cdrom tool.
#-----------------------------------------------------------------
# We definect the PIN which sets the prioratie of packages selects
# see also the apt-howto
# http://www.debian.org/doc/manuals/apt-howto/index.en.html
# and a nice howto for apt-pinning for beginners.
# http://jaqque.sbih.org/kplug/apt-pinning.html 
#-----------------------------------------------------------------
#-----------------------------------------------------------------
# Stable  PIN 990    PRODUCTION TREE
deb ftp://ftp.nl.debian.org/debian stable main contrib non-free
deb-src ftp://ftp.nl.debian.org/debian stable main contrib non-free
deb http://http.us.debian.org/debian stable main contrib non-free
# Stable Security updates 
deb http://security.debian.org/ stable/updates main contrib non-free
deb-src http://security.debian.org/ stable/updates main contrib non-free
#------------------------------------------------------------------
## Debian VOLATILE , used for clamav  PINNED 990
deb http://ftp.nl.debian.org/debian-volatile sarge/volatile main
#-----------------------------------------------------------------
#-----------------------------------------------------------------
# 		WARNING USE BELOW AT OWN RISK
# Testing  ( PIN 500 )
#deb ftp://ftp.nl.debian.org/debian testing main contrib non-free
#deb-src ftp://ftp.nl.debian.org/debian testing main contrib non-free
#deb http://http.us.debian.org/debian testing main contrib non-free
# Testing Security updates 
#deb http://security.debian.org/ testing/updates main contrib non-free
#deb-src http://security.debian.org/ testing/updates main contrib non-free
#-----------------------------------------------------------------
#-----------------------------------------------------------------
# 		WARNING USE BELOW AT OWN RISK
# Unstable ( PIN 050 )
#deb ftp://ftp.nl.debian.org/debian unstable main contrib non-free
#deb-src http://ftp.nl.debian.org/debian unstable main contrib non-free
#deb http://http.us.debian.org/debian unstable main contrib non-free
# unstable Security updates 
#deb http://security.debian.org/ unstable/updates main contrib non-free
#deb-src http://security.debian.org/ unstable/updates main contrib non-free
#-----------------------------------------------------------------
#-----------------------------------------------------------------
####	BACKPORTS to STABLE ( Debian Sarge 3.1r0 )
## Laatest Samba from samba.org 
#deb http://us4.samba.org/samba/ftp/Binary_Packages/Debian sarge samba
#deb-src http://us2.samba.org/samba/ftp/Binary_Packages/Debian sarge samba

#------------------------------------------------------------------
## MPEG/AVI addons +W32CODECS With MPlayer
#deb ftp://ftp.nerim.net/debian-marillat/ sarge main
#------------------------------------------------------------------
## www.dotdeb.org, updated php4/php5 mysql-41 mysql-50 qmail clamav etc etc.
## check the site for the packages list. if you want only 1 package (
preferred )
## change the line to #deb http://packages.dotdeb.org stable php5 for
example
#deb http://packages.dotdeb.org stable all
#deb-src http://packages.dotdeb.org stable all
#------------------------------------------------------------------
## BootSplash ( does not work on every kernel ) www.bootsplash.de
## http://www.planamente.ch/emidio/pages/linux_howto_bootsplash.php
deb http://debian.bootsplash.de unstable main
deb-src http://debian.bootsplash.de unstable main




More information about the samba mailing list