[Samba] BIG Samba howto for debian only.
Louis van Belle
louis at van-belle.nl
Thu Dec 8 13:56:22 GMT 2005
I made one adjustment
Part (5.4)
> smbldap-passwd Administrator
> smbldap-usermod -J Administrator
>
>> net join -S SERVERNAME -U Administrator <<< ADDED
>>
>> i forgot to let the server join the domain.
>
> 5.5 Samba PRIVILEGES Setup
And please send any improvement/suggestion to the samba list or
directly to me.
Louis
>-----Original Message-----
>From: Zach [mailto:uid000 at gmail.com]
>Sent: Thursday, December 8, 2005 14:09
>To: Louis van Belle
>CC: samba at lists.samba.org
>Subject: Re: [Samba] BIG Samba howto for debian only.
>
>Thanks for writing this. It is very timely. I am just about to start
>building my samba server (to replace my ancient RH9 samba server!). I
>have my ldap going but haven't started learning the samba/ldap
>integration part. I think your guide will be useful.
>
>On 12/6/05, Louis van Belle <louis at van-belle.nl> wrote:
>> Hi everybody,
>>
>> I made a pretty complete howto for samba on debian servers.
>>
>> This howto covers samba + ldap + cups + recycle bin + samba-vscan
>> + phpldapadmin + ACL + Extended Attributes.
>>
>> this howto is also based on the idealx howto
>>
>> If you do this setup, you should be able to use the NT4 Usermanager,
>> set up Point and Print printing, set rights from Explorer, etc.
>> Another nice tool is ldapadmin ( ldapadmin.sf.net ), a must, check it out.
>>
>> We will use a Debian Sarge as setup.
>> If you never used Debian before, you can follow this how-to
>> (http://www.howtoforge.com/perfect_setup_debian_sarge ) ,
>> please read the comment below the pages first,
>> this can save you time and problems or install Debian without
>> any software packaged, we will install them later when needed.
>> Checking the kernel or compile your own kernel if needed.
>>
>> I try to give a complete solution for this how-to,
>> this is because lots of people were asking the same things on
>> the samba list and lots of people make the same mistakes.
>>
>> This is my company's running setup.
>>
>> I run this on a P866, 512 Ram, Scsi Raid 1 ( 15rpms 73 Gb ), with 50 users
>> 25 printers which do about 150.000 prints a month.
>>
>> I thank my company to let me make this document.
>>
>>
>> Please if you have improvements, comments, send them to me.
>>
>> Louis van Belle
>>
>>
>>
>>
>>
>> INDEX
>>
>> 1 Checking the kernel or compile your own kernel
>> 1.1 Preparing apt configuration
>> 1.2 Preparing the kernel
>> 1.3 setup the /etc/fstab
>> 1.4 final touch, lilo (or grub)
>> 2 Pre-installation of the debian packages
>> 2.1 Samba and Ldap
>> 2.2 basic rights setup for samba
>> 2.3 why this rights setup.
>> 3 LDAP Server configuration
>> 4 installation/configuration libnss, libpam (-ldap)
>> 5 Samba and smbldap-tools Configuration
>> 5.1 smbldap-tools installation/configuration
>> 5.2 setting up samba base config
>> 5.3 Configuring smbldap.conf
>> 5.4 set the samba ldap admin password
>> 5.5 Samba PRIVILEGES Setup
>> 6 CUPS - Printer software
>> 6.1 Setup Cups
>> 6.2 Setup Cups PDF Printer. - Creating a PDF Printer
>> 7 Configuring phpldapadmin
>> 7.1 installation of phpldapadmin ( and apache )
>> 8.0 On-Access virus scanning on samba (samba-clamav)
>> 8.1 Installing ClamAV
>> 8.2 get the sources ( samba & samba-vscan )
>> 9.0 Recycle bin on samba
>> 9.1 Recycle bin configuration
>> Appendix 1 (complex samba-access.conf ) SETUP WITH DSA USERS
>> Appendix 2 APT
>> 2.1 APT HOWTO
>> 2.2 Files from /etc/apt
>> 2.2.1 /etc/apt/apt.conf
>> 2.2.2 /etc/apt/preferences
>>
>>
>>
>>
>> 1 Checking the kernel or compile your own kernel
>> 1.1 Preparing apt configuration
>>
>> for this go check out my apt howto.
>>
>> if your apt config is set up right, follow the steps below.
>>
>> ncurses interface for compiling the kernel
>> apt-get install libncurses5-dev
>>
>> get the kernel source
>> apt-get install kernel-source-2.6.8 kernel-package
>>
>> install the right kernel and activate EXT2/3 + Extended attributes
>> and set up CIFS kernel support in the kernel.
>>
>> 1.2 Preparing the kernel
>> apt-get install kernel-source-2.6.8 kernel-package fakeroot \
>>     libc6-dev libncurses5-dev
>>
>> cd /usr/src
>> tar -jxf kernel-source-2.6.8.tar.bz2
>> # make /usr/src/linux point at the unpacked source tree
>> ln -s /usr/src/kernel-source-2.6.8 /usr/src/linux
>> cp /boot/config-2.6.8-2-* /usr/src/linux/.config
>> cd linux
>> make menuconfig
>>   - File systems - Ext2/3 + extended options
>>   - File systems - Miscellaneous filesystems - CramFS
>>   - File systems - Network File Systems - CIFS support + extended Attributes
>> now create the kernel and install it.
>>
>> fakeroot make-kpkg --append-to-version=-mykernel --initrd kernel_image
>>
>> This creates a file kernel-image-2.6.8.custom.1.0_i386.deb under /usr/src
>>
>> dpkg -i kernel-image-2.6.8.custom.1.0_i386.deb     to install the kernel
>> 1.3 setup the /etc/fstab
>>
>> /etc/fstab : add the acl and user_xattr to the right partition
>>
>> /dev/xxx /home ext3 defaults,acl,user_xattr
>>
>> I use /home/samba for the samba environment.
>> All the needed samba directories will be put here. !!
>> This is important !
>>
>> 1.4 final touch, lilo (or grub)
>>
>> lilo and reboot , login and do 'uname -a' and you will see a line like this.
>> Linux ms249-lin-001 2.6.8-mykernel #1 Wed Jun 1 15:03:47 CEST 2005 i686
>>
>> Your server is now ready for samba 3.
>> 2 Pre-installation of the debian packages
>> 2.1 Samba and Ldap
>>
>> apt-get install slapd samba libsasl2-modules sasl2-bin openssl \
>>     db4.2-util ldap-utils samba-doc libxml-parser-perl libauthen-sasl-perl
>>
>> Configuring slapd
>> set an dns name - internal.yourdomain.tld
>> - Give it a name/description
>> - set that admin password for the ldap manager
>> ( cn=admin,dc=internal,dc=yourdomain,dc=tld
>> - Allow LDAPv2 protocol? yes
>>
>> Configure samba
>> set a domain name DOMAIN
>> Use password encryption? Yes
>> Modify smb.conf to use WINS settings from DHCP? No
>> How do you want to run Samba? Daemons
>> Create samba password database, /var/lib/samba/passdb.tdb? No !!!
>> else you will end up with lots of users from debian in this password file
>> and you don't want that.
>>
>> Setup samba.schema file for ldap
>> zcat /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz > \
>>     /etc/ldap/schema/samba.schema
>>
>> In this setup I use /home/samba for the samba environment.
>> i use these directories.
>> /home/samba skel,data,profiles,netlogon,printers,spool
>> /home/users/ username
>>
>> 2.2 basic rights setup for samba
>>
>> Directory              Mode  Owner:Group
>> /home/samba            777   Administrator:Domain Admins
>> /home/samba/spool      777   Administrator:Domain Admins
>> /home/samba/printers   775   Administrator:Domain Admins
>> /home/samba/profiles   777   Administrator:Domain Admins
>> /home/samba/netlogon   775   Administrator:Domain Admins
>> /home/samba/data       775   Administrator:Domain Admins
>> /home/samba/temp       777   Administrator:Domain Admins
>> /home/samba/tools      755   Administrator:Domain Admins
>> /home/samba/skel       755   Administrator:Domain Admins
>>
>>
>> 2.3 why this rights setup.
>>
>> 1 Administrator can create in complete samba environment.
>> 2 In data directories my users are not allowed to create sub dir's, I
>>   create one for the department, and set rights to that department,
>>   from that point they can create directories.
>> 3 Profiles 777, in the samba config is a parameter defined
>>   valid users = %u @"Domain Administrators"
>>   Only the user and administrator can access the user profile directories.
>>   create mask and directory mask make sure rights are set primary to the user.
>> 3 LDAP Server configuration
>>
>> Configure slapd.conf, but first stop the slapd server ( /etc/init.d/slapd stop )
>>
>> Create ldap certificates for ssl support
>> # the directory must match the TLS* paths used in slapd.conf below
>> mkdir /etc/ldap/ssl
>> cd /etc/ldap/ssl
>>
>> ## self signed certificate
>> openssl req -newkey rsa:1024 -x509 -nodes -out ldap-server.pem \
>>     -keyout ldap-server.pem -days 3650
>> ( where Common Name = ldap.yourdomain.tld )
>>
>> edit /etc/ldap/slapd.conf
>> put these below the other line, the order of schema files must be correct.
>> insert the line "include /etc/ldap/schema/samba.schema"
>>
>> add these lines before the database definition
>> TLSCACertificateFile /etc/ldap/ssl/ldap-server.pem
>> TLSCertificateFile /etc/ldap/ssl/ldap-server.pem
>> TLSCertificateKeyFile /etc/ldap/ssl/ldap-server.pem
>>
>> Now its time for the ldap database configuration for samba
>>
>> example of the /etc/slapd.conf ( database 1 configuration )
>>
>>
>> #######################################################################
>> # Specific Directives for database #1, of type bdb:
>> # Database specific directives apply to this database until another
>> # 'database' directive occurs
>> database bdb
>>
>> # The base of your directory in database #1
>> suffix "dc=internal,dc=yourdomain,dc=tld"
>>
>> # rootdn must be under the suffix above for rootpw to be accepted
>> rootdn "cn=admin,dc=internal,dc=yourdomain,dc=tld"
>> rootpw {MD5}fsadsdafasfaewfw
>>
>> ## create the rootpw
>> ## echo rootpw `slappasswd -h {Md5}` >> /etc/ldap/slapd.conf
>>
>> # Where the database file are physically stored for database #1
>> directory "/var/lib/ldap"
>>
>> # Indexing options for database #1
>> ### !!!!! Always run slapindex(8) after changing indices!!!!!!
>> ### and first STOP the LDAP SERVER ( /etc/init.d/slapd stop )
>> index objectClass,uidNumber,gidNumber eq
>> index cn,sn,uid,displayName pres,eq,sub
>> index memberUid,mail,givenname eq,subinitial
>> index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
>> ## default index
>> index default eq
>>
>> # Save the time that the entry gets modified, for database #1
>> lastmod on
>>
>> # Where to store the replica logs for database #1
>> replogfile /var/lib/ldap/replog
>> # The userPassword by default can be changed
>> # by the entry owning it if they are authenticated.
>> # Others should not be able to see it, except the
>> # admin entry below
>> # These access lines apply to database #1 only
>> access to attrs=userPassword
>>         by dn="cn=admin,dc=internal,dc=yourdomain,dc=tld" write
>>         by anonymous auth
>>         by self write
>>         by * none
>>
>>
>> # Ensure read access to the base for things like
>> # supportedSASLMechanisms. Without this you may
>> # have problems with SASL not knowing what
>> # mechanisms are available and the like.
>> # Note that this is covered by the 'access to *'
>> # ACL below too but if you change that as people
>> # are wont to do you'll still need this if you
>> # want SASL (and possible other things) to work
>> # happily.
>> access to dn.base="" by * read
>>
>> # samba access list
>> # (kept above the catch-all 'access to *': slapd stops at the first
>> # matching rule, so rules placed after it are never evaluated)
>> include /etc/ldap/samba-access.conf
>>
>> # The admin dn has full write access, everyone else
>> # can read everything.
>> access to *
>>         by dn="cn=admin,dc=internal,dc=yourdomain,dc=tld" write
>>         by * read
>>
>>
>> Example of the /etc/samba-access.conf ( database 1 configuration )
>>
>> ### OLD Samba no DSA users used
>> access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
>>         by dn="cn=admin,dc=internal,dc=yourdomain,dc=tld" write
>>         by anonymous auth
>>         by self write
>>         by * none
>>
>> access to attrs=loginShell
>>         by dn="cn=admin,dc=internal,dc=yourdomain,dc=tld" write
>>         by * none
>>
>> access to attrs=description,telephoneNumber,roomNumber,homePhone,gecos,cn,sn,givenname
>>         by dn="cn=admin,dc=internal,dc=yourdomain,dc=tld" write
>>         by self write
>>         by * read
>>
>>
>> See appendix 1 if you want a more secure ldap database.
>> !! this setup does not help you to setting this up. !!
>>
>> run slapindex
>> and start the slapd server
>> /etc/init.d/slapd start
>> 4 installation/configuration libnss, libpam (-ldap)
>>
>> apt-get install libnss-ldap libpam-ldap
>>
>> Configuring libnss-ldap
>> define the host
>> 127.0.0.1
>> distinguished name of the search base
>> dc=internal,dc=yourdomain,dc=tld
>>
>> LDAP version to use
>> 3
>> database requires login
>> No
>> Make configuration readable/writeable by owner only
>> No
>>
>> Configuring libpam-ldap
>> Make local root Database admin.
>> Yes
>> Database requires logging in.
>> No
>> Root login account
>> cn=admin,dc=internal,dc=yourdomain,dc=tld
>> set your password
>> ( same as above for admin )
>>
>> Local crypt to use when changing passwords
>> exop
>>
>> Configure nsswitch
>> # /etc/nsswitch.conf
>> #
>> # Example configuration of GNU Name Service Switch functionality.
>> # If you have the `glibc-doc' and `info' packages installed, try:
>> # `info libc "Name Service Switch"' for information about this file.
>>
>> passwd: compat ldap
>> group: compat ldap
>> shadow: compat ldap
>>
>> hosts: files dns
>> networks: files
>>
>> protocols: db files
>> services: db files
>> ethers: db files
>> rpc: db files
>>
>> netgroup: nis
>>
>>
>> Now test the server
>> ldapsearch -x -D "cn=admin,dc=internal,dc=yourdomain,dc=tld" -W
>> (enter the password)
>> if you see
>> result: 0 Success
>>
>> for now this is ok.
>> 5 Samba and smbldap-tools Configuration
>>
>> 5.1 smbldap-tools installation/configuration
>>
>> apt-get install smbldap-tools
>>
>> copy the default config from the example directory.
>> cp /usr/share/doc/smbldap-tools/examples/smbldap_bind.conf /etc/smbldap-tools/
>> cp /usr/share/doc/smbldap-tools/examples/smbldap.conf.gz /etc/smbldap-tools/
>> cd /etc/smbldap-tools
>> gunzip smbldap.conf.gz
>>
>> first the easy part.
>>
>> in /etc/smbldap-tools/smbldap_bind.conf
>> change this to admin
>> slaveDN="cn=admin,dc=internal,dc=yourdomain,dc=tld"
>> slavePw="Yourpassword"
>> masterDN="cn=admin,dc=internal,dc=yourdomain,dc=tld"
>> masterPw="Yourpassword"
>>
>> 5.2 setting up samba base config
>>
>> start with the default config
>> cd /etc/samba
>> cp /usr/share/doc/smbldap-tools/examples/smb.conf.gz /etc/samba
>> gunzip smb.conf.gz
>>
>> change the config to your needs
>> some tips using samba on a firewalled system
>> use the following setting, here eth0 is the internal side
>>
>> interfaces = eth0 lo
>> bind interfaces only = yes
>>
>> change the binary location from /opt/..
>> to /usr/sbin/smbldap-....
>> the smbldap-tools are installed by debian in /usr/sbin
>>
>> also in this setup /home/. must be changed to /home/samba/.
>> This will save you a lot of troubles with rights.
>>
>>
>> 5.3 Configuring smbldap.conf
>>
>> first we need to get some samba info
>>
>> net getlocalsid
>>
>> SID for domain SERVERNAME is: S-1-5-21-2074673303-3377769770-2933042573
>> change the SID in smbldap.conf to your SID.
>>
>>
>> change the suffix to your suffix (dc=internal,dc=yourdomain,dc=tld)
>> change the hash_encryption to MD5
>> change userLoginShell="bin/nologin"
>> and you nologin, because im Configuring ldap for samba only.
>> set the home directory ( in my case /home/users/%U )
>> set the other to your needs.
>>
>>
>> 5.4 set the samba ldap admin password
>>
>> smbpasswd -w ldapadmin_password
>> Setting stored password for "cn=admin,dc=internal,dc=yourdomain,dc=tld" in secrets.tdb
>>
>> now we go fill the ldap database with the base setup.
>>
>> smbldap-populate -a Administrator -b nobody -u 2000 -g 2000
>>
>> users are created with uid => 2000
>> groups are created with gid => 2000
>>
>>
>> !!!! DO NOT RUN THIS IF YOU ALREADY CREATED USERS. YOUR UID/GID's WILL GET
>> MESSED UP.
>>
>> smbpasswd -a root
>> because root is needed for setting up the Privileges.
>>
>> Now set the Administrator password and enable this user
>> smbldap-passwd Administrator
>> smbldap-usermod -J Administrator
>>
>>
>> 5.5 Samba PRIVILEGES Setup
>>
>> First check your rights and get to know the commands.
>>
>> net rpc rights list accounts     list users
>> net rpc rights list              list defined rights.
>>
>> to see which rights are defined and for which users/groups
>>
>> IF you use a PDC/BDC setup these commands must be done on both servers!!
>>
>> test these commands:
>>
>> net rpc group
>> (output)
>> Domain Admins
>> Domain Users
>> Domain Guests
>> Domain Computers
>>
>> or
>>
>> ( see next page )
>>
>> slapcat | grep Group | grep dn
>>
>> (output)
>> dn: ou=Groups,dc=internal,dc=yourdomain,dc=tld
>> dn: cn=Domain Admins,ou=Groups,dc=internal,dc=yourdomain,dc=tld
>> dn: cn=Domain Users,ou=Groups,dc=internal,dc=yourdomain,dc=tld
>> dn: cn=Domain Guests,ou=Groups,dc=internal,dc=yourdomain,dc=tld
>> dn: cn=Domain Computers,ou=Groups,dc=internal,dc=yourdomain,dc=tld
>> dn: cn=Administrators,ou=Groups,dc=internal,dc=yourdomain,dc=tld
>> dn: cn=Print Operators,ou=Groups,dc=internal,dc=yourdomain,dc=tld
>> dn: cn=Backup Operators,ou=Groups,dc=internal,dc=yourdomain,dc=tld
>> dn: cn=Replicators,ou=Groups,dc=internal,dc=yourdomain,dc=tld
>>
>>
>> these are the privileges on samba 3.0.14a ( debian )
>>
>> Privilege Description
>> SeMachineAccountPrivilege Add machines to domain
>> SePrintOperatorPrivilege Manage printers
>> SeAddUsersPrivilege Add users and groups to the domain
>> SeRemoteShutdownPrivilege Force shutdown from a remote system
>> SeDiskOperatorPrivilege Manage disk share
>>
>>
>> give the "Domain Admins" all of the SE Rights.
>> ( -S Servername -U Username%Password )
>>
>> net -S PDC -U root%Password rpc rights grant "DOMAIN\Domain Admins" \
>>     SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege \
>>     SeDiskOperatorPrivilege SeRemoteShutdownPrivilege
>>
>>
>> Give the "Printer Operators" all Print manage rights.
>> ( -S Servername -U Username%Password )
>>
>> net -S PDC -U root%Password rpc rights grant "DOMAIN\Print Operators" \
>>     SePrintOperatorPrivilege
>> 6 CUPS - Printer software
>>
>> apt-cache search cups to get the info which packages are available
>>
>> I installed these packages.
>> apt-get install cups-pdf cupsys cupsys-bsd cupsys-pt cupsys-client \
>>     foomatic-bin foomatic-filters cupsys-driver-gimpprint gs-esp
>> ( and dependencies )
>>
>> Configuring cupsys-bsd
>> Do you want to set up the BSD lpd compatibility server? Yes
>> all others leave default.
>>
>> 6.1 Setup Cups /etc/cups/cups.conf
>>
>> here locate the lines Allow From 127.0.0.1
>> and change it to your network so you can login on the cups web interface.
>> for example:
>> Allow from 192.168.( this way I can manage it from 2 departments. )
>> (192.168.1.x and 168.192.2.x )
>>
>> now you can logon on http://serverip:631/
>> make it safer to manage by adding a user to lpadmin group
>> and this user can create printer queues
>>
>> I create printers with the following options.
>> socket://printerIPnumber:9100 ( for hp jetdirect ), Raw,
>> Raw_queue
>>
>> I only use cups as spooler for windows pc's and *nix servers.
>>
>> First we are going to create 1 printer device and this is the CUPS PDF Printer.
>>
>>
>> 6.2 Setup Cups PDF Printer. - Creating a PDF Printer
>>
>> With this printer you can create PDF files by just printing to it.
>>
>> - logon the web interface and choose add printer.
>> Name:pdf_printer
>> Location: %homedir%\cups-pdf
>> Description: pdf created in homedir\cups-pdf
>> Continue
>> - Device: Virtual Printer(PDF printer) choose it, its below,
>> Continue
>> - Choose the model/Driver for PDF_printer, Postscript,
>> Continue
>>
>> click on manage printers to see what you have created.
>> click on Print Test Page to test the pdf printer.
>>
>> a file is put in the cups-pdf directory of the user you logged on with.
>>
>>
>>
>>
>>
>> 7 Configuring phpldapadmin
>>
>> 7.1 installation of phpldapadmin ( and apache )
>>
>> get the packages
>> apt-get install phpldapadmin php4 apache
>>
>> What is your LDAP server host address? 127.0.0.1
>> ( you the ip/hostname where the ldapserver is )
>>
>> ldaps protocol instead of ldap? No
>>
>> What is the distinguished name of the search base?
>> dc=internal,dc=yourdomain,dc=tld
>>
>> Which type of authentication you want to use? session
>>
>> What is the login dn for the LDAP server?
>> cn=admin,dc=internal,dc=yourdomain,dc=tld
>>
>> Which web server would you like to reconfigure automatically?
>> select all and press OK.
>>
>> restart webservers now: Yes
>>
>> 8.0 On-Access virus scanning on samba (samba-clamav)
>> 8.1 Installing ClamAV
>>
>> apt-get install clamav arj unzoo lha clamav-freshclam clamav-daemon
>> Configuring clamav-freshclam : Daemon
>> Choose a close mirror
>> Should clamd be notified after updates? Yes
>> 8.2 get the sources ( samba & samba-vscan )
>>
>> mkdir /usr/src/sources
>> cd /usr/src/sources
>>
>> apt-get install dpkg-dev
>> apt-get source samba
>> apt-get build-dep samba
>>
>> cd samba-3.0.14a
>> vi source/include/version.h
>>
>> here remove the a from the 14 ( 3.0.14a => 3.0.14 )
>>
>> ./debian/rules configure-stamp
>> cd source
>> make proto
>> cd ../..
>>
>> wget http://switch.dl.sourceforge.net/sourceforge/openantivirus/samba-vscan-0.3.6b.tar.bz2
>>
>> tar xjvf samba-vscan-0.3.6b.tar.bz2
>>
>> cd samba-vscan-0.3.6b
>> ./configure --with-samba-source=/usr/src/sources/samba-3.0.14a/source
>> make && make install
>>
>> cp clamav/vscan-clamav.conf /etc/samba/samba-vscan-clamav.conf
>> change in the samba-vscan-clamav.conf
>> clamd socket name = /var/run/clamav/clamd.ctl
>> infected file action = quarantine ( or delete , which I choose.)
>>
>> When I put those lines in my smb.conf file, I can't access the share:
>> vfs object = vscan-clamav
>> vscan-clamav: config-file = /etc/samba/samba-vscan-clamav.conf
>>
>> An example:
>> [public]
>> comment = Public Directory
>> path = /home/public
>> vfs object = vscan-clamav
>> vscan-clamav: config-file = /etc/samba/samba-vscan-clamav.conf
>>
>> !!! BEWARE !!!! if samba upgrades to a higher version you MUST recompile
>> your samba-vscan. set samba to hold for no upgrade.
>>
>> echo packagename hold | dpkg --set-selections        set to hold
>> echo packagename install | dpkg --set-selections     set to install
>> 9.0 Recycle bin on samba
>> 9.1 Recycle bin configuration
>>
>> configure samba for using the recycle bin.
>> I made my manager happy with this.
>>
>> create a file in /etc/samba
>> and fill it with the options below.
>>
>> /etc/samba/samba-recycle.conf
>>
>> name = .recycle
>> mode = KEEP_DIRECTORIES|VERSIONS|TOUCH
>> maxsize = 0
>> exclude = *.tmp|*.temp|*.o|*.obj|~$*|*.~??|~*.tmp
>> excludedir = /tmp|/temp|/cache
>> noversions = *.doc|*.xls|*.ppt
>>
>> add this to your share, same as vscan.
>>
>> vfs object = recycle
>> recycle: config-files = /etc/samba/samba-recycle.conf
>>
>> create a recycle bin directory and hide it for the users.
>>
>> I created .recycle this way ( because of the dot) users don't see this
>> IF.. you don't set your explorer to view hidden files.
>>
>> restart samba and you're done.
>>
>> You are ready to use your samba server.
>>
>>
>>
>> Appendix 1 (complex samba-access.conf ) SETUP WITH DSA USERS
>> see http://www.idealx.org/prj/samba/smbldap-howto.en.html
>> #### users can authenticate and change their password
>> #access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
>> #       by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
>> #       by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
>> #       by dn="cn=nssldap,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
>> #       by self write
>> #       by anonymous auth
>> #       by * none
>> # some attributes need to be readable anonymously so that 'id user' can answer correctly
>> ##access to attrs=objectClass,entry,homeDirectory,uid,uidNumber,gidNumber,memberUid
>> #       by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
>> #       by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
>> #       by * read
>> # some attributes can be writable by users themselves
>> ##access to attrs=description,telephoneNumber,roomNumber,homePhone,loginShell,gecos,cn,sn,givenname
>> #       by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
>> #       by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
>> #       by self write
>> #       by * read
>> ## some attributes need to be writable for samba
>> #access to attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaMungedDial,sambaBadPasswordCount,sambaBadPasswordTime,sambaPasswordHistory,sambaLogonHours,sambaSID,sambaSIDList,sambaTrustFlags,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase,sambaShareName,sambaOptionName,sambaBoolOption,sambaIntegerOption,sambaStringOption,sambaStringListoption,sambaPrivilegeList
>> #       by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
>> #       by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
>> #       by self read
>> #       by * none
>> ## samba need to be able to create the samba domain account
>> #access to dn.base="dc=internal,dc=yourdomain,dc=tld"
>> #       by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
>> #       by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
>> #       by * none
>> ## samba need to be able to create new users account
>> #access to dn="ou=Users,dc=internal,dc=yourdomain,dc=tld"
>> #       by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
>> #       by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
>> #       by * none
>> ## samba need to be able to create new groups account
>> #access to dn="ou=Groups,dc=internal,dc=yourdomain,dc=tld"
>> #       by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
>> #       by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
>> #       by * none
>> ## samba need to be able to create new computers account
>> #access to dn="ou=Computers,dc=internal,dc=yourdomain,dc=tld"
>> #       by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
>> #       by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
>> #       by * none
>> #
>> ## this can be omitted but we leave it: there could be other branch
>> ## in the directory
>> #access to *
>> #       by self read
>> #       by * none
>>
>>
>> Appendix 2 APT
>>
>> 2.1 APT HOWTO
>>
>> Preparing apt for online packages.
>> After installing from CD or DVD adjust your apt config.
>>
>> This setup makes sure you are using stable packages, that you are using
>> Debian Sarge.
>>
>> In the apt.conf we defined the default release of debian, in this case stable
>> ( Sarge 3.1r0).
>> The Show-Upgrade "true" is used for showing us the packages which are going
>> to be installed, I like to see what I'm installing.
>>
>> The sources.list: if you used a CD/DVD for installing you can leave this
>> line in the sources.list. This can save you bandwidth. My server is on a
>> remote location and I don't use the cd anymore.
>> I added the clamav as stable because I want a new clamav for virus scanning
>> more info : http://www.clamav.net/binary.html
>>
>> The testing and unstable sources are also unmarked, that if you really need
>> a newer version of a program then you can try to create it from debian
>> source.
>>
>> You can get the source, install programs and search by using the following
>> commands:
>>
>> apt-get install package          = get & install package
>> apt-get remove package           = remove package
>> apt-get remove --purge package   = remove and purge all files of package
>> dpkg --purge package             = purge all files of package
>>
>> apt-cache search package         = search for package or part of package name
>> apt-cache show package           = get info over package
>> dpkg-reconfigure -plow package   = reconfigure with priority low ( most options )
>>
>> for this first cd /usr/src.
>> apt-get source package           = get source files of package
>>
>> 2.2 Files from /etc/apt
>>
>> 2.2.1 /etc/apt/apt.conf
>>
>> APT::Default-Release "stable";
>> APT::Get::Show-Upgraded "true";
>> // 16 MB Limit
>> APT::Cache-limit 16777216;
>> // if you have /tmp mounted with noexec, you need this.
>> #DPkg::Pre-Install-Pkgs {"mount -o remount,exec /tmp";};
>> #DPkg::Post-Invoke {"mount -o remount /tmp";};
>>
>>
>>
>> 2.2.2 /etc/apt/preferences
>>
>> Package: *
>> Pin: release a=stable
>> Pin-Priority: 990
>>
>> Package: *
>> Pin: release a=testing
>> Pin-Priority: 500
>>
>> Package: *
>> Pin: release a=unstable
>> Pin-Priority: 50
>>
>> Package: *
>> Pin: release a=sarge,l=debian-volatile
>> Pin-Priority: 990
>>
>> 2.2.3 /etc/apt/sources.list
>>
>> # See sources.list(5) for more information, especially
>> # Remember that you can only use http, ftp or file URIs
>> # CDROMs are managed through the apt-cdrom tool.
>> #-----------------------------------------------------------------
>> # We define the PIN which sets the priority of packages selected
>> # see also the apt-howto
>> # http://www.debian.org/doc/manuals/apt-howto/index.en.html
>> # and a nice howto for apt-pinning for beginners.
>> # http://jaqque.sbih.org/kplug/apt-pinning.html
>> #-----------------------------------------------------------------
>> #-----------------------------------------------------------------
>> # Stable PIN 990 PRODUCTION TREE
>> deb ftp://ftp.nl.debian.org/debian stable main contrib non-free
>> deb-src ftp://ftp.nl.debian.org/debian stable main contrib non-free
>> deb http://http.us.debian.org/debian stable main contrib non-free
>> # Stable Security updates
>> deb http://security.debian.org/ stable/updates main contrib non-free
>> deb-src http://security.debian.org/ stable/updates main contrib non-free
>> #------------------------------------------------------------------
>> ## Debian VOLATILE , used for clamav PINNED 990
>> deb http://ftp.nl.debian.org/debian-volatile sarge/volatile main
>> #-----------------------------------------------------------------
>> #-----------------------------------------------------------------
>> # WARNING USE BELOW AT OWN RISK
>> # Testing ( PIN 500 )
>> #deb ftp://ftp.nl.debian.org/debian testing main contrib non-free
>> #deb-src ftp://ftp.nl.debian.org/debian testing main contrib non-free
>> #deb http://http.us.debian.org/debian testing main contrib non-free
>> # Testing Security updates
>> #deb http://security.debian.org/ testing/updates main contrib non-free
>> #deb-src http://security.debian.org/ testing/updates main contrib non-free
>> #-----------------------------------------------------------------
>> #-----------------------------------------------------------------
>> # WARNING USE BELOW AT OWN RISK
>> # Unstable ( PIN 050 )
>> #deb ftp://ftp.nl.debian.org/debian unstable main contrib non-free
>> #deb-src http://ftp.nl.debian.org/debian unstable main contrib non-free
>> #deb http://http.us.debian.org/debian unstable main contrib non-free
>> # unstable Security updates
>> #deb http://security.debian.org/ unstable/updates main contrib non-free
>> #deb-src http://security.debian.org/ unstable/updates main contrib non-free
>> #-----------------------------------------------------------------
>> #-----------------------------------------------------------------
>> #### BACKPORTS to STABLE ( Debian Sarge 3.1r0 )
>> ## Latest Samba from samba.org
>> #deb http://us4.samba.org/samba/ftp/Binary_Packages/Debian sarge samba
>> #deb-src http://us2.samba.org/samba/ftp/Binary_Packages/Debian sarge samba
>>
>> #------------------------------------------------------------------
>> ## MPEG/AVI addons +W32CODECS With MPlayer
>> #deb ftp://ftp.nerim.net/debian-marillat/ sarge main
>> #------------------------------------------------------------------
>> ## www.dotdeb.org, updated php4/php5 mysql-41 mysql-50 qmail clamav etc etc.
>> ## check the site for the packages list. if you want only 1 package ( preferred )
>> ## change the line to #deb http://packages.dotdeb.org stable php5 for example
>> #deb http://packages.dotdeb.org stable all
>> #deb-src http://packages.dotdeb.org stable all
>> #------------------------------------------------------------------
>> ## BootSplash ( does not work on every kernel ) www.bootsplash.de
>> ## http://www.planamente.ch/emidio/pages/linux_howto_bootsplash.php
>> deb http://debian.bootsplash.de unstable main
>> deb-src http://debian.bootsplash.de unstable main
>>
>>
>>
>
>
>--
>If you reply to a message I posted to a mailing list,
>and you want me to see your reply, be sure to put my
>address in the 'To:', or I might not see the message.
>
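
slapd evaluates `access to` directives in file order and stops at the first one whose `<what>` matches, so the position of the `include` of samba-access.conf relative to the catch-all `access to *` in section 3 of the howto decides whether `sambaNTPassword` and `sambaLMPassword` are protected. The audit below is an added example, not part of the original howto or of OpenLDAP; its two sample layouts are constructed from the howto's rules with the included file inlined, and as a simplification it skips rules that carry a dn or filter selector.

```python
import shlex

SENSITIVE = ("userPassword", "sambaNTPassword", "sambaLMPassword")
READ_OR_MORE = {"read", "write", "manage"}

def logical_lines(text):
    """Drop comments and blank lines; join continuation lines (leading whitespace)."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.strip())
    return lines

def parse_rules(text):
    """Return the 'access to' directives in the order slapd evaluates them."""
    rules = []
    for line in logical_lines(text):
        tok = shlex.split(line)
        if [t.lower() for t in tok[:2]] != ["access", "to"]:
            continue
        by_at = tok.index("by") if "by" in tok else len(tok)
        what, rest = tok[2:by_at], tok[by_at:]
        attrs, scoped = None, False
        for w in what:
            if w.lower().startswith(("attrs=", "attr=")):
                attrs = {a.lower() for a in w.split("=", 1)[1].split(",") if a}
            elif w != "*":
                scoped = True  # dn/filter selector: only some entries match
        clauses = [(rest[i + 1].lower(), rest[i + 2].lower())
                   for i, t in enumerate(rest) if t == "by" and i + 2 < len(rest)]
        rules.append({"what": " ".join(what), "attrs": attrs,
                      "scoped": scoped, "clauses": clauses})
    return rules

def granted(rule, whos):
    """Level from the first 'by' clause whose <who> is in whos (implicit: none)."""
    for who, level in rule["clauses"]:
        if who in whos:
            return level
    return "none"

def audit(text, attrs=SENSITIVE):
    """For each attribute, report which rule decides access and who can read it."""
    rules = parse_rules(text)
    findings = []
    for attr in attrs:
        a = attr.lower()
        applies = [n for n, r in enumerate(rules, 1)
                   if not r["scoped"] and (r["attrs"] is None or a in r["attrs"])]
        rule = rules[applies[0] - 1] if applies else None
        default = "none" if rules else "read"   # no ACLs at all means world-readable
        anon = granted(rule, ("anonymous", "*")) if rule else default
        other = granted(rule, ("users", "*")) if rule else default
        findings.append({
            "attr": attr,
            "decided_by": applies[0] if applies else None,
            "what": rule["what"] if rule else None,
            "anonymous": anon,
            "other_users": other,
            "exposed": bool({anon, other} & READ_OR_MORE),
            # later rules that name the attribute but are never reached
            "shadowed": [n for n in applies[1:]
                         if rules[n - 1]["attrs"] and a in rules[n - 1]["attrs"]],
        })
    return findings

# Constructed sample rules, based on the ACLs shown in the howto.
ADMIN = 'by dn="cn=admin,dc=internal,dc=yourdomain,dc=tld" write'
PW_RULE = ("access to attrs=userPassword\n"
           f"        {ADMIN}\n        by anonymous auth\n"
           "        by self write\n        by * none\n")
ROOT_DSE = 'access to dn.base="" by * read\n'
CATCH_ALL = f"access to *\n        {ADMIN}\n        by * read\n"
SAMBA_RULE = ("# contents of samba-access.conf, inlined where the include sits\n"
              "access to attrs=userPassword,sambaNTPassword,sambaLMPassword,"
              "sambaPwdLastSet,sambaPwdMustChange\n"
              f"        {ADMIN}\n        by anonymous auth\n"
              "        by self write\n        by * none\n")

INCLUDE_LAST = PW_RULE + ROOT_DSE + CATCH_ALL + SAMBA_RULE    # include after 'access to *'
INCLUDE_FIRST = PW_RULE + ROOT_DSE + SAMBA_RULE + CATCH_ALL   # include before 'access to *'

if __name__ == "__main__":
    for name, conf in (("include last", INCLUDE_LAST), ("include first", INCLUDE_FIRST)):
        print(name)
        for f in audit(conf):
            print("  {attr}: rule {decided_by} ({what}) anonymous={anonymous} "
                  "others={other_users} exposed={exposed} shadowed={shadowed}".format(**f))
```

To audit a live server, feed it the output of `cat` over slapd.conf with each `include` line replaced by the content of the included file, since the parser does not follow includes.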