[Samba] Debian Samba 3.0.14a with ldap,
recycle + little SETUP for samba + Ldap
Louis van Belle
louis at van-belle.nl
Thu Jun 30 11:18:50 GMT 2005
Hi everybody, I'm new here, so this is what I use and know.
I'm using Debian Sarge (stable) with LDAP; I used the Idealx setup as an example.
Here is my small howto.
### README FOR EASY SAMBA SETUP
First make sure you have a running debian server.
install the following packages
apt-get install slapd ldap-utils samba samba-doc libpam-ldap \
libnss-ldap libslapd2-dev phpldapadmin autofs-ldap \
smbldap-tools apache php4-ldap
It is possible that you need some extra Perl modules.
I add users with the smbldap-useradd command.
I manage users and groups with ldapadmin (ldapadmin.sf.net).
I check and export with phpldapadmin.
If LDAP is installed and Samba is ready with the LDAP setup,
follow the next steps.
For ACLs you need kernel patches on 2.4;
on 2.6, recompile with ACL support enabled.
I run on ext3.
1 ) smbpasswd -w password ( Samba LDAP admin password )
( Setting stored password for "cn=admin,dc=domain,dc=tld" in secrets.tdb )
secrets.tdb now holds the LDAP admin password in a form smbd can read back, so keep that file readable by root only.
2 ) net getlocalsid
( SID for domain PDC is: S-1-5-21-1514036618-1238540321-4235948366 )
3 ) Adjust the SID=" ..... " in /etc/smbldap-tools/smbldap.conf
4 ) smbldap-populate -u 2000 -g 2000
start Samba users at uid/gid 2000.
I have separated my system users and Samba LDAP users:
the system uses the Debian defaults,
Samba uses its own skel.
5a) smbpasswd -a root
use the password of the real root account.
5b) net join PDC
this lets the PDC join the Domain
6a) Check the NT SE Rights
net rpc rights list accounts
(rootpasswd)
6b) Which rights are possible
net rpc rights list
(rootpasswd)
7 ) Adding rights to domain groups
WARNING: if you are using a PDC/BDC setup, this also has to be done
on the BDC.
"net rpc group" or "slapcat | grep Group | grep dn"
(root password)
Domain Admins
Domain Users
Domain Guests
Domain Computers
Administrators
Print Operators
Backup Operators
Replicators
Privilege Description
SeMachineAccountPrivilege Add machines to domain
SePrintOperatorPrivilege Manage printers
SeAddUsersPrivilege Add users and groups to the domain
SeRemoteShutdownPrivilege Force shutdown from a remote system
SeDiskOperatorPrivilege Manage disk share
Give the "Domain Admins" all rights. ( -S server name -U Username%Password )
Note: passing the password as -U user%password puts it in your shell history and in the process list; leave off the %Password part and net will prompt for it instead.
net -S PDC -U root%Password rpc rights grant "DOMAIN\Domain Admins" \
SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege \
SeDiskOperatorPrivilege SeRemoteShutdownPrivilege
Give the "Print Operators" the print management right. ( -S server name -U Username%Password )
net -S PDC -U root%Password rpc rights grant "DOMAIN\Print Operators" SePrintOperatorPrivilege
8 ) Set the Administrator's password.
"smbldap-passwd Administrator"
9 ) Activate the Administrator account. ( needed? I am not sure )
"smbldap-usermod -J Administrator"
10 ) add DSA users ( see idealx setup ) ( I have not used it yet )
11) install winbind ( apt-get install winbind )
set the winbind auth user:
wbinfo --set-auth-user DOMAIN\\Administrator%password
######### SMB.CONF
# Global parameters
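[global]
## NETBIOS / DOMAIN / SERVER SETTINGS
# realm = SUBDOMAIN.DOMAIN.NL
# Listen on the LAN interface and loopback only; "bind interfaces only"
# stops smbd/nmbd from also answering on any other interface.
interfaces = eth0 lo
bind interfaces only = yes
netbios name = PDC
server string = MS249-LIN-001
workgroup = DOMAIN
# This host is the PDC and the domain/browse master for the workgroup.
domain logons = Yes
preferred master = Yes
domain master = Yes
os level = 65
# No pre-NT1 dialects, no LANMAN announcements and no LANMAN password
# hashes (the LM hash is weak and easily cracked offline).
min protocol = NT1
lm announce = no
lanman auth = no
disable netbios = no
encrypt passwords = true
# Everything members of "Domain Admins" do on a share runs as root;
# keep this group small.
admin users = @"Domain Admins"
# Needed for the "net rpc rights grant" steps in the howto.
enable privileges = yes
security = user
time server = yes
dns proxy = yes
socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192
keep alive = 60
## USER/LDAP SETTINGS
username map = /etc/samba/users.map
guest account = nobody
obey pam restrictions = No
ldap passwd sync = yes
passdb backend = ldapsam:ldap://ldap/
ldap suffix = dc=subdomain,dc=domain,dc=nl
# Binds with the password stored by "smbpasswd -w" (secrets.tdb).
ldap admin dn = cn=admin,dc=subdomain,dc=domain,dc=nl
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap group suffix = ou=Groups
# NOTE(review): idmap entries are written under ou=Users here; the Idealx
# layout normally keeps them in a separate ou - confirm this is intended.
ldap idmap suffix = ou=Users
ldap delete dn = Yes
# No TLS on the LDAP connection: the admin bind and the password hashes
# cross the wire in clear text unless "ldap" is this host or a trusted link.
ldap ssl = no
# All account maintenance is delegated to the smbldap-tools scripts.
add user script = /usr/sbin/smbldap-useradd -m "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
# One line: a split here leaves the trailing "%g" as a bogus extra key.
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
## WINS/DNS SETTINGS
#
# Also needed when using ACL
#
wins support = Yes
password server = PDC
# uid/gid range winbind allocates from; keep it clear of the ids that
# smbldap-tools hands out (starting at 2000 per the howto).
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind use default domain = yes
winbind separator = \
winbind cache time = 15
winbind enum users = yes
winbind enum groups = yes
# Winbind-created accounts get no interactive shell.
template shell = /bin/false
template homedir = /home/users/%U
## LOGGING
utmp = yes
syslog = 0
log level = 2
panic action = /usr/share/samba/panic-action %d
# KB
max log size = 1000
log file = /var/log/samba/log.%m
## MISC FILES/DIRECTORIES
nt acl support = yes
map acl inherit = yes
dos charset = 850
unix charset = ISO8859-1
preserve case = yes
short preserve case = yes
case sensitive = no
directory mask = 0750
hide dot files = yes
# Do not even list files the connecting user cannot read.
hide unreadable = yes
hide files = /desktop.ini/
# veto files = /*.eml/*.nws/riched20.dll/*.{*}/
# Refuse .eml/.nws files and CLSID-style names (often left behind by
# mail worms).
veto files = /*.eml/*.nws/*.{*}/
veto oplock files = /*.doc/*.xls/*.mdb/
dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
create mask = 0644
## MISC OTHER
mangling method = hash2
deadtime = 10
# Unknown user names fall back to the guest account; a wrong password for
# a known user is still rejected.
map to guest = Bad User
## MISC PROFILE
logon script = logon.cmd
logon home = \\%L\%U
logon path = \\%L\profiles\%U
logon drive = P:
## PRINTING Section 1 !! Global Settings !!
printing = cups
load printers = Yes
show add printer wizard = Yes
max print jobs = 100
printcap name = cups
# One line. The built-in group is "Print Operators" (see the "net rpc group"
# output and [print$]); "@Printer Operators" matched no group and silently
# granted nothing.
printer admin = @"Print Operators",@"Domain Admins",Administrator,root
lpq cache time = 20
use client driver = No
disable spoolss = No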
# PRINTING Section 2 !!
# users are able to connect to any printer specified in the Samba host's
# printcap file ( /etc/printcap ) provided through cups
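[printers]
comment = All Network Printers
printable = yes
path = /home/samba/spool
browseable = No
# ("public" is a synonym of "guest ok" and "writable" the inverse of
# "read only"; the duplicate spellings were dropped.)
guest ok = yes
read only = yes
# Spool files are created world-writable. The spool directory itself
# normally carries the sticky bit (1777) so users cannot remove each
# other's jobs; a tighter value here (e.g. 0700) is the usual choice.
create mode = 0777
lpq command = /usr/bin/lpq -P'%p'
lprm command = /usr/bin/lprm -P'%p' %j
lppause command = /usr/sbin/lpc hold '%p' %j
lpresume command = /usr/sbin/lpc release '%p' %j
queueresume command = /usr/sbin/lpc start '%p'
queuepause command = /usr/sbin/lpc stop '%p'
# Print Command is not used when using cups
# print command = /usr/bin/lpr -r -P'%p' %s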
### Printing Section 3 "The Windows Printer drivers"
# Required permissions
# The account used to connect to the Samba host must have
# a UID of 0 (i.e., a root account), or be Administrator,
# or be named in the "printer admin" list,
# or hold the SePrintOperatorPrivilege.
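[print$]
comment = Printer Drivers Download Area
path = /home/samba/printers
browseable = no
guest ok = no
# Everyone in "valid users" may download drivers; only "write list"
# members may upload them.
read only = yes
write list = @"Print Operators",@"Domain Admins",Administrator,root
create mask = 0664
directory mask = 0775
# One line: a split here leaves the Admins",Administrator,root part as a
# bogus extra key and the Domain Admins entry unmatched.
valid users = @"Domain Users",@"Print Operators",@"Domain Admins",Administrator,root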
[netlogon]
comment = NetLogon Service
path = /home/samba/netlogon
# Visible in browse lists; read-only (the default) for everyone except the
# write list, so only domain admins can change logon.cmd.
browseable = Yes
write list = @"Domain Admins",Administrator
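[profiles]
path = /home/samba/profiles
comment = Profiel omgeving
read only = no
# Profile files and directories are private to their owner.
create mask = 0600
directory mask = 0700
browseable = No
# NOTE(review): with "valid users = %U" below a guest session should never
# get in; confirm guest access is wanted on this share at all.
guest ok = Yes
profile acls = yes
csc policy = disable
# next line is a great way to secure the profiles
force user = %U
# Only the owning user may open the share. This does NOT let administrators
# reach other users' profiles; for that the usual form is
#   valid users = %U, @"Domain Admins"
valid users = %U
nt acl support = no
default case = lower
short preserve case = no
case sensitive = no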
[homes]
comment = Prive documenten van %U
read only = No
create mask = 0644
directory mask = 0775
browseable = No
# Deleted files are moved to a recycle directory instead of being removed.
vfs object = recycle
# NOTE(review): Samba 3.x documents the recycle module's settings as
# "recycle:repository" etc. inside smb.conf; confirm this build still reads
# a separate config file before relying on it.
recycle: config-files = /etc/samba/samba-recycle.conf
# vfs object = recycle vscan-clamav
# vscan-clamav: config-file = /etc/samba/samba-vscan-clamav.conf
/remove this and everything below from the smb.conf
( this belongs in the samba-recycle.conf )
name = .recycle
mode = KEEP_DIRECTORIES|VERSIONS|TOUCH
maxsize = 0
exclude = *.tmp|*.temp|*.o|*.obj|~$*|*.~??
excludedir = /tmp|/temp|/cache
noversions = *.doc|*.xls|*.ppt
I have a cronjob which empties the recycle bin
every week on Saturday morning, after the backup.
/remove_end
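[afdelingen]
comment = Afdelings Documenten
path = /home/samba/afdelingen
browseable = Yes
read only = No
# setgid directory so new files inherit the department group.
directory mask = 2775
# NOTE(review): the setgid bit in a file mask does not inherit anything;
# 0664 is the usual pairing with a 2775 directory mask.
create mask = 2664
# "users" is a synonym of the old "username" parameter and does not restrict
# access at all; "valid users" is the parameter that limits who may connect.
valid users = @"domain users"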