[Samba] BIG Samba howto for debian only.
Zach
uid000 at gmail.com
Thu Dec 8 13:09:24 GMT 2005
Thanks for writing this. It is very timely. I am just about to start
building my samba server (to replace my ancient RH9 samba server!). I
have my ldap going but haven't started learning the samba/ldap
integration part. I think your guide will be useful.
On 12/6/05, Louis van Belle <louis at van-belle.nl> wrote:
> Hi everybody,
>
> I made a pretty complete howto for samba on debian servers.
>
> This howto covers samba + ldap + cups + recycle bin + samba-vscan
> + phpldapadmin + ACL + Extended Attributes.
>
> this howto is also based on the idealx howto
>
> If you do this setup, you should be able to use the NT4 Usermanager,
> set up Point and Print printing, set rights from Explorer, etc.
> Another nice tool is ldapadmin ( ldapadmin.sf.net ), a must; check it out.
>
> We will use a Debian Sarge as setup.
> If you never used Debian before, you can follow this how-to
> (http://www.howtoforge.com/perfect_setup_debian_sarge ) ,
> please read the comment below the pages first,
> this can save you time and problems or install Debian without
> any software packages, we will install them later when needed.
> Check the kernel or compile your own kernel if needed.
>
> I try to give a complete solution for this how-to,
> this is because lots of people were asking the same things on
> the samba list and lots of people make the same mistakes.
>
> This is my company's running setup.
>
> I run this on a P866, 512 Ram, Scsi Raid 1 ( 15rpms 73 Gb ) , with 50 users
> 25 printers which do about 150.000 prints a month.
>
> I thank my company for letting me make this document.
>
>
> Please if you have improvements, comments, send them to me.
>
> Louis van Belle
>
>
>
>
>
> INDEX
>
> 1 Checking the kernel or compile your own kernel
> 1.1 Preparing apt configuration
> 1.2 Preparing the kernel
> 1.3 setup the /etc/fstab
> 1.4 final touch, lilo (or grub)
> 2 Pre-installation of the debian packages
> 2.1 Samba and Ldap
> 2.2 basic rights setup for samba
> 2.3 why this rights setup.
> 3 LDAP Server configuration
> 4 installation/configuration libnss, libpam (-ldap)
> 5 Samba and smbldap-tools Configuration
> 5.1 smbldap-tools installation/configuration
> 5.2 setting up samba base config
> 5.3 Configuring smbldap.conf
> 5.4 set the samba ldap admin password
> 5.5 Samba PRIVILEGES Setup
> 6 CUPS - Printer software
> 6.1 Setup Cups
> 6.2 Setup Cups PDF Printer. - Creating a PDF Printer
> 7 Configuring phpldapadmin
> 7.1 installation of phpldapadmin ( and apache )
> 8.0 On-Access virus scanning on samba (samba-clamav)
> 8.1 Installing ClamAV
> 8.2 get the sources ( samba & samba-vscan )
> 9.0 Recycle bin on samba
> 9.1 Recycle bin configuration
> Appendix 1 (complex samba-access.conf ) SETUP WITH DSA USERS
> Appendix 2 APT
> 2.1 APT HOWTO
> 2.2 Files from /etc/apt
> 2.2.1 /etc/apt/apt.conf
> 2.2.2 /etc/apt/preferences
>
>
>
>
> 1 Checking the kernel or compile your own kernel
> 1.1 Preparing apt configuration
>
> for this go check out my apt howto.
>
> if your apt config is set up right, follow the steps below.
>
> ncurses interface for compiling the kernel
> apt-get install libncurses5-dev
>
> get the kernel source
> apt-get install kernel-source-2.6.8 kernel-package
>
> install the right kernel and activate EXT2/3 + extended attributes
> and set CIFS kernel support to in-kernel.
>
> 1.2 Preparing the kernel
> apt-get install kernel-source-2.6.8 kernel-package fakeroot libc6-dev libncurses5-dev
>
> cd /usr/src
> tar -jxf kernel-source-2.6.8.tar.bz2
> ln -s /usr/src/kernel-source-2.6.8 /usr/src/linux
> cp /boot/config-2.6.8-2-* /usr/src/linux/.config
> cd linux
> make menuconfig
>   - File systems - Ext2/3 + extended options
>   - also File systems - Miscellaneous filesystems - CramFS
>   - and File systems - Network File Systems - CIFS support + extended attributes
>
> now create the kernel and install it.
>
> fakeroot make-kpkg --append-to-version=-mykernel --initrd kernel_image
>
> This creates a file kernel-image-2.6.8.custom.1.0_i386.deb under /usr/src
>
> dpkg -i kernel-image-2.6.8.custom.1.0_i386.deb
> ( to install the kernel )
>
> 1.3 setup the /etc/fstab
>
> /etc/fstab : add the acl and user_xattr to the right partition
>
> /dev/xxx /home ext3 defaults,acl,user_xattr
>
> I use /home/samba for the samba environment.
> All the needed samba directories will be put here. !!
> This is important !
>
> 1.4 final touch, lilo (or grub)
>
> lilo and reboot, login and do 'uname -a' and you will see a line like this.
> Linux ms249-lin-001 2.6.8-mykernel #1 Wed Jun 1 15:03:47 CEST 2005 i686
>
> Your server is now ready for samba 3.
> 2 Pre-installation of the debian packages
> 2.1 Samba and Ldap
>
> apt-get install slapd samba libsasl2-modules sasl2-bin openssl \
>     db4.2-util ldap-utils samba-doc libxml-parser-perl libauthen-sasl-perl
>
> Configuring slapd
> - set a DNS name - internal.yourdomain.tld
> - Give it a name/description
> - set the admin password for the ldap manager
>   ( cn=admin,dc=internal,dc=yourdomain,dc=tld )
> - Allow LDAPv2 protocol? yes
>
> Configure samba
> set a domain name DOMAIN
> Use password encryption? Yes
> Modify smb.conf to use WINS settings from DHCP? No
> How do you want to run Samba? Daemons
> Create samba password database, /var/lib/samba/passdb.tdb? No !!!
> else you will end up with lots of users from debian in this password file
> and you don't want that.
>
> Setup samba.schema file for ldap
> zcat /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz > /etc/ldap/schema/samba.schema
>
> In this setup I use /home/samba for the samba environment.
> I use these directories.
> /home/samba skel,data,profiles,netlogon,printers,spool
> /home/users/ username
>
> 2.2 basic rights setup for samba
>
> /home/samba            777  Administrator:Domain Admins
> /home/samba/spool      777  Administrator:Domain Admins
> /home/samba/printers   775  Administrator:Domain Admins
> /home/samba/profiles   777  Administrator:Domain Admins
> /home/samba/netlogon   775  Administrator:Domain Admins
> /home/samba/data       775  Administrator:Domain Admins
> /home/samba/temp       777  Administrator:Domain Admins
> /home/samba/tools      755  Administrator:Domain Admins
> /home/samba/skel       755  Administrator:Domain Admins
>
>
> 2.3 why this rights setup.
>
> 1 Administrator can create in complete samba environment.
> 2 In data directories my users are not allowed to create sub dirs, I
>   create one for the department, and set rights to that department,
>   from that point they can create directories.
> 3 Profiles 777, in the samba config is a parameter defined
>     valid users = %u @"Domain Administrators"
>   Only the user and administrator can access the user profile
>   directories.
>   create mask and directory mask make sure rights are set primary to
>   the user.
>
> 3 LDAP Server configuration
>
> Configure slapd.conf, but first stop the slapd server (
> /etc/init.d/slapd stop )
>
> Create ldap certificates for ssl support
> mkdir /etc/ldap/tls
>
> ## self signed certificate
> openssl req -newkey rsa:1024 -x509 -nodes -out ldap-server.pem \
>     -keyout ldap-server.pem -days 3650
> ( where Common Name = ldap.yourdomain.tld )
>
> edit /etc/ldap/slapd.conf
> put these below the other line, the order of schema files must be
> correct.
> insert the line "include /etc/ldap/schema/samba.schema"
>
> add these lines before the database definition
> TLSCACertificateFile /etc/ldap/ssl/ldap-server.pem
> TLSCertificateFile /etc/ldap/ssl/ldap-server.pem
> TLSCertificateKeyFile /etc/ldap/ssl/ldap-server.pem
>
> Now it's time for the ldap database configuration for samba
>
> example of the /etc/slapd.conf ( database 1 configuration )
>
> #######################################################################
> # Specific Directives for database #1, of type bdb:
> # Database specific directives apply to this database until another
> # 'database' directive occurs
> database bdb
>
> # The base of your directory in database #1
> suffix "dc=internal,dc=yourdomain,dc=tld"
>
> rootdn "cn=admin,dc=internal,dc=yourdomain,dc=tld"
> rootpw {MD5}fsadsdafasfaewfw
>
> ## create the rootpw
> ## echo rootpw `slappasswd -h {Md5}` >> /etc/ldap/slapd.conf
>
> # Where the database files are physically stored for database #1
> directory "/var/lib/ldap"
>
> # Indexing options for database #1
> ### !!!!! Always run slapindex(8) after changing indices!!!!!!
> ### and first STOP the LDAP SERVER ( /etc/init.d/slapd stop )
> index objectClass,uidNumber,gidNumber eq
> index cn,sn,uid,displayName pres,eq,sub
> index memberUid,mail,givenname eq,subinitial
> index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
> ## default index
> index default eq
>
> # Save the time that the entry gets modified, for database #1
> lastmod on
>
> # Where to store the replica logs for database #1
> replogfile /var/lib/ldap/replog
>
> # The userPassword by default can be changed
> # by the entry owning it if they are authenticated.
> # Others should not be able to see it, except the
> # admin entry below
> # These access lines apply to database #1 only
> access to attrs=userPassword
>         by dn="cn=admin,dc=internal,dc=yourdomain,dc=tld" write
>         by anonymous auth
>         by self write
>         by * none
>
>
> # Ensure read access to the base for things like
> # supportedSASLMechanisms. Without this you may
> # have problems with SASL not knowing what
> # mechanisms are available and the like.
> # Note that this is covered by the 'access to *'
> # ACL below too but if you change that as people
> # are wont to do you'll still need this if you
> # want SASL (and possible other things) to work
> # happily.
> access to dn.base="" by * read
>
> # The admin dn has full write access, everyone else
> # can read everything.
> access to *
>         by dn="cn=admin,dc=internal,dc=yourdomain,dc=tld" write
>         by * read
>
> # samba access list
> include /etc/ldap/samba-access.conf
>
> Example of the /etc/samba-access.conf ( database 1 configuration )
>
> ### OLD Samba no DSA users used
> access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
>         by dn="cn=admin,dc=internal,dc=yourdomain,dc=tld" write
>         by anonymous auth
>         by self write
>         by * none
>
> access to attrs=loginShell
>         by dn="cn=admin,dc=internal,dc=yourdomain,dc=tld" write
>         by * none
>
> access to attrs=description,telephoneNumber,roomNumber,homePhone,gecos,cn,sn,givenname
>         by dn="cn=admin,dc=internal,dc=yourdomain,dc=tld" write
>         by self write
>         by * read
>
>
> See appendix 1 if you want a more secure ldap database.
> !! this setup does not help you set this up. !!
>
> run slapindex
> and start the slapd server
> /etc/init.d/slapd start
> 4 installation/configuration libnss, libpam (-ldap)
>
> apt-get install libnss-ldap libpam-ldap
>
> Configuring libnss-ldap
> define the host
> 127.0.0.1
> distinguished name of the search base
> dc=internal,dc=yourdomain,dc=tld
>
> LDAP version to use
> 3
> database requires login
> No
> Make configuration readable/writeable by owner only
> No
>
> Configuring libpam-ldap
> Make local root Database admin.
> Yes
> Database requires logging in.
> No
> Root login account
> cn=admin,dc=internal,dc=yourdomain,dc=tld
> set your password
> ( same as above for admin )
>
> Local crypt to use when changing passwords
> exop
>
> Configure nsswitch
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd: compat ldap
> group: compat ldap
> shadow: compat ldap
>
> hosts: files dns
> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> netgroup: nis
>
>
> Now test the server
> ldapsearch -x -D "cn=admin,dc=internal,dc=yourdomain,dc=tld" -W
> (enter the password)
> if you see
> result: 0 Success
>
> for now this is ok.
> 5 Samba and smbldap-tools Configuration
>
> 5.1 smbldap-tools installation/configuration
>
> apt-get install smbldap-tools
>
> copy the default config from the example directory.
> cp /usr/share/doc/smbldap-tools/examples/smbldap_bind.conf /etc/smbldap-tools/
>
> cp /usr/share/doc/smbldap-tools/examples/smbldap.conf.gz /etc/smbldap-tools/
> cd /etc/smbldap-tools
> gunzip smbldap.conf.gz
>
> first the easy part.
>
> in /etc/smbldap-tools/smbldap_bind.conf
> change this to admin
> slaveDN="cn=admin,dc=internal,dc=yourdomain,dc=tld"
> slavePw="Yourpassword"
> masterDN="cn=admin,dc=internal,dc=yourdomain,dc=tld"
> masterPw="Yourpassword"
>
> 5.2 setting up samba base config
>
> start with the default config
> cd /etc/samba
> cp /usr/share/doc/smbldap-tools/examples/smb.conf.gz /etc/samba
> gunzip smb.conf.gz
>
> change the config to your needs
> some tips using samba on a firewalled system
> use the following setting, here eth0 is the internal side
>
> interfaces = eth0 lo
> bind interfaces only = yes
>
> change the binary location from /opt/..
> to /usr/sbin/smbldap-....
> the smbldap-tools are installed by debian in /usr/sbin
>
> also in this setup /home/. must be changed to /home/samba/.
> This will save you a lot of troubles with rights.
>
>
> 5.3 Configuring smbldap.conf
>
> first we need to get some samba info
>
> net getlocalsid
>
> SID for domain SERVERNAME is: S-1-5-21-2074673303-3377769770-2933042573
> change the SID in smbldap.conf to your SID.
>
>
> change the suffix to your suffix (dc=internal,dc=yourdomain,dc=tld)
> change the hash_encryption to MD5
> change userLoginShell="bin/nologin"
> and you nologin, because I'm configuring ldap for samba only.
> set the home directory ( in my case /home/users/%U )
> set the other to your needs.
>
>
> 5.4 set the samba ldap admin password
>
> smbpasswd -w ldapadmin_password
> Setting stored password for "cn=admin,dc=internal,dc=yourdomain,dc=tld" in secrets.tdb
>
> now we go fill the ldap database with the base setup.
>
> smbldap-populate -a Administrator -b nobody -u 2000 -g 2000
>
> users are created with uid => 2000
> groups are created with gid => 2000
>
>
> !!!! DO NOT RUN THIS IF YOU ALREADY CREATED USERS. YOUR UID/GID's WILL GET
> MESSED UP.
>
> smbpasswd -a root
> because root is needed for setting up the Privileges.
>
> Now set the Administrator password and enable this user
> smbldap-passwd Administrator
> smbldap-usermod -J Administrator
>
>
> 5.5 Samba PRIVILEGES Setup
>
> First check your rights and get to know the commands.
>
> net rpc rights list accounts     ( list users )
> net rpc rights list              ( list defined rights )
>
> to see what rights are defined and the users/groups
>
> IF you use a PDC/BDC setup these commands must be done on both servers!!
>
> test these commands:
>
> net rpc group
> (output)
> Domain Admins
> Domain Users
> Domain Guests
> Domain Computers
>
> or
>
> slapcat | grep Group | grep dn
>
> (output)
> dn: ou=Groups,dc=internal,dc=yourdomain,dc=tld
> dn: cn=Domain Admins,ou=Groups,dc=internal,dc=yourdomain,dc=tld
> dn: cn=Domain Users,ou=Groups,dc=internal,dc=yourdomain,dc=tld
> dn: cn=Domain Guests,ou=Groups,dc=internal,dc=yourdomain,dc=tld
> dn: cn=Domain Computers,ou=Groups,dc=internal,dc=yourdomain,dc=tld
> dn: cn=Administrators,ou=Groups,dc=internal,dc=yourdomain,dc=tld
> dn: cn=Print Operators,ou=Groups,dc=internal,dc=yourdomain,dc=tld
> dn: cn=Backup Operators,ou=Groups,dc=internal,dc=yourdomain,dc=tld
> dn: cn=Replicators,ou=Groups,dc=internal,dc=yourdomain,dc=tld
>
>
> these are the privileges on samba 3.0.14a ( debian )
>
> Privilege Description
> SeMachineAccountPrivilege Add machines to domain
> SePrintOperatorPrivilege Manage printers
> SeAddUsersPrivilege Add users and groups to the domain
> SeRemoteShutdownPrivilege Force shutdown from a remote system
> SeDiskOperatorPrivilege Manage disk share
>
>
> give the "Domain Admins" all of the SE Rights.
> ( -S Servername -U Username%Password )
>
> net -S PDC -U root%Password rpc rights grant "DOMAIN\Domain Admins" \
> SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege \
> SeDiskOperatorPrivilege SeRemoteShutdownPrivilege
>
>
> Give the "Printer Operators" all Print manage rights.
> ( -S Servername -U Username%Password )
>
> net -S PDC -U root%Password rpc rights grant "DOMAIN\Print Operators" \
> SePrintOperatorPrivilege
>
> 6 CUPS - Printer software
>
> apt-cache search cups     ( to get the info which packages are available )
>
> I installed these packages.
> apt-get install cups-pdf cupsys cupsys-bsd cupsys-pt cupsys-client \
>     foomatic-bin foomatic-filters cupsys-driver-gimpprint gs-esp
> ( and dependencies )
>
> Configuring cupsys-bsd
> Do you want to set up the BSD lpd compatibility server? Yes
> all others leave default.
>
> 6.1 Setup Cups /etc/cups/cups.conf
>
> here locate the lines Allow From 127.0.0.1
> and change it to your network so you can login on the cups web
> interface.
> for example:
> Allow from 192.168.( this way I can manage it from 2 departments. )
> (192.168.1.x and 168.192.2.x )
>
> now you can logon on http://serverip:631/
> make it safer to manage by adding a user to lpadmin group
> and this user can create printer queues
>
> I create printers with the following options.
> socket://printerIPnumber:9100 ( for hp jetdirect ), Raw,
> Raw_queue
>
> I only use cups as spooler for windows pc's and *nix servers.
>
> First we are going to create 1 printer device and this is the CUPS
> PDF Printer.
>
>
> 6.2 Setup Cups PDF Printer. - Creating a PDF Printer
>
> With this printer you can create PDF files by just printing to it.
>
> - logon the web interface and choose add printer.
> Name:pdf_printer
> Location: %homedir%\cups-pdf
> Description: pdf created in homedir\cups-pdf
> Continue
> - Device: Virtual Printer(PDF printer) choose it, its below,
> Continue
> - Choose the model/Driver for PDF_printer, Postscript,
> Continue
>
> click on manage printers to see what you have created.
> click on Print Test Page to test the pdf printer.
>
> a file is put in the cups-pdf directory of the user you logged on with.
>
>
>
>
>
> 7 Configuring phpldapadmin
>
> 7.1 installation of phpldapadmin ( and apache )
>
> get the packages
> apt-get install phpldapadmin php4 apache
>
> What is your LDAP server host address? 127.0.0.1
> ( use the ip/hostname where the ldapserver is )
>
> ldaps protocol instead of ldap? No
>
> What is the distinguished name of the search base?
> dc=internal,dc=yourdomain,dc=tld
>
> Which type of authentication you want to use? session
>
> What is the login dn for the LDAP server?
> cn=admin,dc=internal,dc=yourdomain,dc=tld
>
> Which web server would you like to reconfigure automatically?
> select all and press OK.
>
> restart webservers now: Yes
>
> 8.0 On-Access virus scanning on samba (samba-clamav)
> 8.1 Installing ClamAV
>
> apt-get install clamav arj unzoo lha clamav-freshclam clamav-daemon
> Configuring clamav-freshclam : Daemon
> Choose a close mirror
> Should clamd be notified after updates? Yes
> 8.2 get the sources ( samba & samba-vscan )
>
> mkdir /usr/src/sources
> cd /usr/src/sources
>
> apt-get install dpkg-dev
> apt-get source samba
> apt-get build-dep samba
>
> cd samba-3.0.14a
> vi source/include/version.h
>
> here remove the a from the 14 ( 3.0.14a => 3.0.14 )
>
> ./debian/rules configure-stamp
> cd source
> make proto
> cd ../..
>
> wget http://switch.dl.sourceforge.net/sourceforge/openantivirus/samba-vscan-0.3.6b.tar.bz2
>
> tar xjvf samba-vscan-0.3.6b.tar.bz2
>
> cd samba-vscan-0.3.6b
> ./configure --with-samba-source=/usr/src/sources/samba-3.0.14a/source
> make && make install
>
> cp clamav/vscan-clamav.conf /etc/samba/samba-vscan-clamav.conf
> change in the samba-vscan-clamav.conf
> clamd socket name = /var/run/clamav/clamd.ctl
> infected file action = quarantine ( or delete , which I choose.)
>
> When I put these lines in my smb.conf file, I can't access the share:
> vfs object = vscan-clamav
> vscan-clamav: config-file = /etc/samba/samba-vscan-clamav.conf
>
> An example:
> [public]
> comment = Public Directory
> path = /home/public
> vfs object = vscan-clamav
> vscan-clamav: config-file = /etc/samba/samba-vscan-clamav.conf
>
> !!! BEWARE !!!! if samba upgrades to a higher version you MUST recompile
> your samba-vscan. set samba to hold for no upgrade.
>
> echo packagename hold | dpkg --set-selections        ( set to hold )
> echo packagename install | dpkg --set-selections     ( set to install )
>
> 9.0 Recycle bin on samba
> 9.1 Recycle bin configuration
>
> configure samba for using the recycle bin.
> I made my manager happy with this.
>
> create a file in /etc/samba
> and fill it with the options below.
>
> /etc/samba/samba-recycle.conf
>
> name = .recycle
> mode = KEEP_DIRECTORIES|VERSIONS|TOUCH
> maxsize = 0
> exclude = *.tmp|*.temp|*.o|*.obj|~$*|*.~??|~*.tmp
> excludedir = /tmp|/temp|/cache
> noversions = *.doc|*.xls|*.ppt
>
> add this to your share, same as vscan.
>
> vfs object = recycle
> recycle: config-files = /etc/samba/samba-recycle.conf
>
> create a recycle bin directory and hide it from the users.
>
> I created .recycle this way ( because of the dot ) users don't see this
> IF.. you don't set your explorer to view hidden files.
>
> restart samba and you're done.
>
> You are ready to use your samba server.
>
>
>
> Appendix 1 (complex samba-access.conf ) SETUP WITH DSA USERS
> see http://www.idealx.org/prj/samba/smbldap-howto.en.html
> #### users can authenticate and change their password
> #access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
> #     by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
> #     by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
> #     by dn="cn=nssldap,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
> #     by self write
> #     by anonymous auth
> #     by * none
> # some attributes need to be readable anonymously so that 'id user' can answer correctly
> ##access to attrs=objectClass,entry,homeDirectory,uid,uidNumber,gidNumber,memberUid
> #     by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
> #     by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
> #     by * read
> # some attributes can be writable by users themselves
> ##access to attrs=description,telephoneNumber,roomNumber,homePhone,loginShell,gecos,cn,sn,givenname
> #     by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
> #     by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
> #     by self write
> #     by * read
> ## some attributes need to be writable for samba
> #access to attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaMungedDial,sambaBadPasswordCount,sambaBadPasswordTime,sambaPasswordHistory,sambaLogonHours,sambaSID,sambaSIDList,sambaTrustFlags,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase,sambaShareName,sambaOptionName,sambaBoolOption,sambaIntegerOption,sambaStringOption,sambaStringListoption,sambaPrivilegeList
> #     by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
> #     by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
> #     by self read
> #     by * none
> ## samba need to be able to create the samba domain account
> #access to dn.base="dc=internal,dc=yourdomain,dc=tld"
> #     by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
> #     by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
> #     by * none
> ## samba need to be able to create new users account
> #access to dn="ou=Users,dc=internal,dc=yourdomain,dc=tld"
> #     by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
> #     by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
> #     by * none
> ## samba need to be able to create new groups account
> #access to dn="ou=Groups,dc=internal,dc=yourdomain,dc=tld"
> #     by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
> #     by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
> #     by * none
> ## samba need to be able to create new computers account
> #access to dn="ou=Computers,dc=internal,dc=yourdomain,dc=tld"
> #     by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
> #     by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
> #     by * none
> #
> ## this can be omitted but we leave it: there could be other branch
> ## in the directory
> #access to *
> #     by self read
> #     by * none
>
>
> Appendix 2 APT
>
> 2.1 APT HOWTO
>
> Preparing apt for online packages.
> After installing from CD or DVD adjust your apt config.
>
> This setup makes sure you are using stable packages, that you are using
> Debian Sarge.
>
> In the apt.conf we defined the default release of debian, in this case stable (
> Sarge 3.1r0).
> The Show-Upgrade "true" is used for showing us the packages which are going
> to be installed, I like to see what I'm installing.
>
> The sources.list if you used a CD/DVD for installing you can leave this
> line in the sources.list. This can save you bandwidth. My server is on a
> remote location and I don't use the cd anymore.
> I added the clamav as stable because I want a new clamav for virus scanning
> more info : http://www.clamav.net/binary.html
>
> The testing and unstable sources are also unmarked, so that if you really need
> a newer version of a program then you can try to create it from debian
> source.
>
> You can get the source, install programs and search by using the following
> commands:
>
> apt-get install package          = get & install package
> apt-get remove package           = remove package
> apt-get remove --purge package   = remove and purge all files of package
> dpkg --purge package             = purge all files of package
>
> apt-cache search package         = search for package or part of package name
> apt-cache show package           = get info about package
> dpkg-reconfigure -plow package   = reconfigure with priority low ( most options )
>
> for this first cd /usr/src.
> apt-get source package           = get source files of package
>
>
> 2.2 Files from /etc/apt
>
> 2.2.1 /etc/apt/apt.conf
>
> APT::Default-Release "stable";
> APT::Get::Show-Upgraded "true";
> // 16 MB Limit
> APT::Cache-limit 16777216;
> // if you have /tmp mounted with noexec, you need this.
> #DPkg::Pre-Install-Pkgs {"mount -o remount,exec /tmp";};
> #DPkg::Post-Invoke {"mount -o remount /tmp";};
>
>
>
> 2.2.2 /etc/apt/preferences
>
> Package: *
> Pin: release a=stable
> Pin-Priority: 990
>
> Package: *
> Pin: release a=testing
> Pin-Priority: 500
>
> Package: *
> Pin: release a=unstable
> Pin-Priority: 50
>
> Package: *
> Pin: release a=sarge,l=debian-volatile
> Pin-Priority: 990
>
>
> 2.2.3 /etc/apt/sources.list
>
> # See sources.list(5) for more information, especially
> # Remember that you can only use http, ftp or file URIs
> # CDROMs are managed through the apt-cdrom tool.
> #-----------------------------------------------------------------
> # We define the PIN which sets the priority of package selection
> # see also the apt-howto
> # http://www.debian.org/doc/manuals/apt-howto/index.en.html
> # and a nice howto for apt-pinning for beginners.
> # http://jaqque.sbih.org/kplug/apt-pinning.html
> #-----------------------------------------------------------------
> #-----------------------------------------------------------------
> # Stable PIN 990 PRODUCTION TREE
> deb ftp://ftp.nl.debian.org/debian stable main contrib non-free
> deb-src ftp://ftp.nl.debian.org/debian stable main contrib non-free
> deb http://http.us.debian.org/debian stable main contrib non-free
> # Stable Security updates
> deb http://security.debian.org/ stable/updates main contrib non-free
> deb-src http://security.debian.org/ stable/updates main contrib non-free
> #------------------------------------------------------------------
> ## Debian VOLATILE , used for clamav PINNED 990
> deb http://ftp.nl.debian.org/debian-volatile sarge/volatile main
> #-----------------------------------------------------------------
> #-----------------------------------------------------------------
> # WARNING USE BELOW AT OWN RISK
> # Testing ( PIN 500 )
> #deb ftp://ftp.nl.debian.org/debian testing main contrib non-free
> #deb-src ftp://ftp.nl.debian.org/debian testing main contrib non-free
> #deb http://http.us.debian.org/debian testing main contrib non-free
> # Testing Security updates
> #deb http://security.debian.org/ testing/updates main contrib non-free
> #deb-src http://security.debian.org/ testing/updates main contrib non-free
> #-----------------------------------------------------------------
> #-----------------------------------------------------------------
> # WARNING USE BELOW AT OWN RISK
> # Unstable ( PIN 050 )
> #deb ftp://ftp.nl.debian.org/debian unstable main contrib non-free
> #deb-src http://ftp.nl.debian.org/debian unstable main contrib non-free
> #deb http://http.us.debian.org/debian unstable main contrib non-free
> # unstable Security updates
> #deb http://security.debian.org/ unstable/updates main contrib non-free
> #deb-src http://security.debian.org/ unstable/updates main contrib non-free
> #-----------------------------------------------------------------
> #-----------------------------------------------------------------
> #### BACKPORTS to STABLE ( Debian Sarge 3.1r0 )
> ## Latest Samba from samba.org
> #deb http://us4.samba.org/samba/ftp/Binary_Packages/Debian sarge samba
> #deb-src http://us2.samba.org/samba/ftp/Binary_Packages/Debian sarge samba
>
> #------------------------------------------------------------------
> ## MPEG/AVI addons +W32CODECS With MPlayer
> #deb ftp://ftp.nerim.net/debian-marillat/ sarge main
> #------------------------------------------------------------------
> ## www.dotdeb.org, updated php4/php5 mysql-41 mysql-50 qmail clamav etc etc.
> ## check the site for the packages list. if you want only 1 package ( preferred )
> ## change the line to #deb http://packages.dotdeb.org stable php5 for example
> #deb http://packages.dotdeb.org stable all
> #deb-src http://packages.dotdeb.org stable all
> #------------------------------------------------------------------
> ## BootSplash ( does not work on every kernel ) www.bootsplash.de
> ## http://www.planamente.ch/emidio/pages/linux_howto_bootsplash.php
> deb http://debian.bootsplash.de unstable main
> deb-src http://debian.bootsplash.de unstable main
>
>
--
If you reply to a message I posted to a mailing list,
and you want me to see your reply, be sure to put my
address in the 'To:', or I might not see the message.
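
An added example (not part of the howto or of the reply above): slapd uses the first `access to` clause that matches an entry and attribute and never consults later ones, so the position of `include /etc/ldap/samba-access.conf` relative to `access to *` decides who can read `sambaNTPassword` and `sambaLMPassword`. This Python lint evaluates the howto's ACLs in the posted order and with the include moved above the catch-all; the function names, the requester labels (`anonymous`, `self`, `other`) and the simplified matching noted in the comments are assumptions of the example.

```python
import shlex

ADMIN = "cn=admin,dc=internal,dc=yourdomain,dc=tld"

# Constructed sample: access directives taken from the howto's slapd.conf and
# samba-access.conf, split into pieces so that their order can be varied.
HEAD = f'''
access to attrs=userPassword
    by dn="{ADMIN}" write
    by anonymous auth
    by self write
    by * none
access to dn.base="" by * read
'''
CATCH_ALL = f'''
access to *
    by dn="{ADMIN}" write
    by * read
'''
INCLUDE = "include /etc/ldap/samba-access.conf\n"
INCLUDED_FILES = {"/etc/ldap/samba-access.conf": f'''
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
    by dn="{ADMIN}" write
    by anonymous auth
    by self write
    by * none
'''}
HOWTO_ORDER = HEAD + CATCH_ALL + INCLUDE  # as posted: the include comes last
FIXED_ORDER = HEAD + INCLUDE + CATCH_ALL  # specific rules before the catch-all


def directives(text):
    """Yield directives: continuation lines joined, includes expanded in place."""
    current = ""
    for raw in text.splitlines() + [""]:
        if raw.startswith("#"):
            continue
        if raw[:1].isspace() and current:  # leading whitespace continues a line
            current += " " + raw.strip()
            continue
        if current.startswith("include "):
            yield from directives(INCLUDED_FILES[current.split()[1]])
        elif current:
            yield current
        current = raw.strip()


def parse_acls(text):
    """Return the access rules in the order slapd evaluates them."""
    rules = []
    for tok in map(shlex.split, directives(text)):
        if tok[:2] != ["access", "to"]:
            continue
        split = tok.index("by")
        what, by = tok[2:split], tok[split:]
        rules.append({
            "what": " ".join(what),
            # Empty list = the rule covers every attribute.
            "attrs": [a for w in what if w.startswith("attrs=") for a in w[6:].split(",")],
            # Assumption: a dn-limited rule does not cover ordinary user entries.
            "any_entry": not any(w.startswith("dn") for w in what),
            # Assumption: every "by" is exactly "<who> <level>", as in the howto.
            "by": list(zip(by[1::3], by[2::3])),
        })
    return rules


def effective_rule(rules, attr):
    """First match wins: index of the rule used for `attr` on an ordinary entry."""
    for i, r in enumerate(rules):
        names = [a.lower() for a in r["attrs"]]
        if r["any_entry"] and (not names or attr.lower() in names):
            return i
    return None


def access_for(rules, attr, requester):
    """Level for requester 'anonymous', 'self', 'other' (authenticated) or a DN."""
    i = effective_rule(rules, attr)
    for who, level in (rules[i]["by"] if i is not None else []):
        if (who in ("*", requester)
                or (who == "users" and requester != "anonymous")
                or (who.startswith("dn") and who.split("=", 1)[1] == requester)):
            return level
    return "none"  # no clause matched: slapd's implicit "by * none"


def shadowed(rules):
    """Return (rule, attribute, winning rule) for rule attributes that never apply."""
    return [(r["what"], attr, rules[effective_rule(rules, attr)]["what"])
            for i, r in enumerate(rules) if r["any_entry"]
            for attr in r["attrs"] if effective_rule(rules, attr) < i]
```
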