[Samba] Samba-LDAP not quite working - help!
Gary Dale
garydale at torfree.net
Mon Mar 27 18:51:25 GMT 2006
I was trying to follow the howto below to get Samba-LDAP working on my
Debian/Sarge server. I'm stuck in section 5.4:
When I try the "smbpasswd -a root" I get:
semper:/etc/phpldapadmin/templates# smbpasswd -a root
New SMB password:
Retype new SMB password:
ldapsam_modify_entry: Failed to add user dn=
uid=root,ou=Users,dc=rahim-dale,dc=org with: Insufficient access
no write access to parent
ldapsam_add_sam_account: failed to modify/add user with uid = root (dn =
uid=root,ou=Users,dc=rahim-dale,dc=org)
Failed to add entry for user root.
Failed to modify password entry for user root
The next two steps are:
smbldap-passwd Administrator -- this works
smbldap-usermod -J Administrator -- this fails
And after that nothing works.
I've managed to get phpldapadmin working (finally) but that doesn't seem
to help. I can add accounts, etc., but they don't seem to help. When I
try to get a Windows XP computer to join the domain, I get "logon
failure: unknown user name or bad password".
I can browse the network from a Windows XP machine as well, but can't
connect to any network shares that have any security on them.
I've gone through the idealx.org smb-ldap documentation and can't see
anything obvious that I'm doing wrong. Nor have I found anything in
searches that tells me any more than what the immediate error message
says (basically they seem to say it's a rights issue so fix it without
specifying how to do it).
Please help!
Louis van Belle wrote:
>Hi everybody,
>
>I made a pretty complete howto for samba on debian servers.
>
>This howto covers samba + ldap + cups + recycle bin + samba-vscan
>+ phpldapadmin + ACL + Extended Attributes.
>
>this howto is also based on the idealx howto
>
>If you do this setup, you should be able to use the NT4 User Manager,
>set up Point and Print printing, set rights from Explorer, etc.
>Another nice tool is ldapadmin ( ldapadmin.sf.net ), a must, check it out.
>
>We will use a Debian Sarge as setup.
>If you never used Debian before, you can follow this how-to
>(http://www.howtoforge.com/perfect_setup_debian_sarge ) ,
>please read the comments below the pages first,
>this can save you time and problems, or install Debian without
>any software packages; we will install them later when needed.
>Check the kernel or compile your own kernel if needed.
>
>I try to give a complete solution in this how-to,
>because lots of people were asking the same things on
>the samba list and lots of people make the same mistakes.
>
>This is my company's running setup.
>
>I run this on a P866, 512 Ram, Scsi Raid 1 ( 15rpms 73 Gb ) , with 50 users
>25 printers which do about 150.000 prints a month.
>
>I thank my company for letting me make this document.
>
>
>Please if you have improvements, comments, send them to me.
>
>Louis van Belle
>
>INDEX
>
>1 Checking the kernel or compile your own kernel
>1.1 Preparing apt configuration
>1.2 Preparing the kernel
>1.3 setup the /etc/fstab
>1.4 final touch, lilo (or grub)
>2 Pre-installation of the debian packages
>2.1 Samba and Ldap
>2.2 basic rights setup for samba
>2.3 why this rights setup.
>3 LDAP Server configuration
>4 installation/configuration libnss, libpam (-ldap)
>5 Samba and smbldap-tools Configuration
>5.1 smbldap-tools installation/configuration
>5.2 setting up samba base config
>5.3 Configuring smbldap.conf
>5.4 set the samba ldap admin password
>5.5 Samba PRIVILEGES Setup
>6 CUPS - Printer software
>6.1 Setup Cups
>6.2 Setup Cups PDF Printer. - Creating a PDF Printer
>7 Configuring phpldapadmin
>7.1 installation of phpldapadmin ( and apache )
>8.0 On-Access virus scanning on samba (samba-clamav)
>8.1 Installing ClamAV
>8.2 get the sources ( samba & samba-vscan )
>9.0 Recycle bin on samba
>9.1 Recycle bin configuration
>Appendix 1 (complex samba-access.conf ) SETUP WITH DSA USERS
>Appendix 2 APT
>2.1 APT HOWTO
>2.2 Files from /etc/apt
>2.2.1 /etc/apt/apt.conf
>2.2.2 /etc/apt/preferences
>
>1 Checking the kernel or compile your own kernel
>1.1 Preparing apt configuration
>
> for this go check out my apt howto.
>
> if your apt config is set up right, follow the steps below.
>
> ncurses interface for compiling the kernel
> apt-get install libncurses5-dev
>
> get the kernel source
> apt-get install kernel-source-2.6.8 kernel-package
>
> install the right kernel and activate EXT2/3 + extended attributes,
> and build CIFS support into the kernel.
>
>1.2 Preparing the kernel
> apt-get install kernel-source-2.6.8 kernel-package fakeroot libc6-dev libncurses5-dev
>
> cd /usr/src
> tar -jxf kernel-source-2.6.8.tar.bz2
> ln -s /usr/src/kernel-source-2.6.8 /usr/src/linux
> cp /boot/config-2.6.8-2-* /usr/src/linux/.config
> cd linux
> make menuconfig - File systems - Ext2/3 + extended options
> also File systems - Miscellaneous filesystems - CramFS
> and File systems - Network File Systems - CIFS support + extended Attributes
> now create the kernel and install it.
>
> fakeroot make-kpkg --append-to-version=-mykernel --initrd kernel_image
>
> This creates a file kernel-image-2.6.8.custom.1.0_i386.deb under /usr/src
>
> dpkg -i kernel-image-2.6.8.custom.1.0_i386.deb to install the kernel
>1.3 setup the /etc/fstab
>
> /etc/fstab : add the acl and user_xattr to the right partition
>
> /dev/xxx /home ext3 defaults,acl,user_xattr
>
> I use /home/samba for the samba environment.
> All the needed samba directories will be put here. !!
> This is important !
>
>1.4 final touch, lilo (or grub)
>
> lilo and reboot, login and do 'uname -a' and you will see a line like this:
> Linux ms249-lin-001 2.6.8-mykernel #1 Wed Jun 1 15:03:47 CEST 2005 i686
>
> Your server is now ready for samba 3.
>2 Pre-installation of the debian packages
>2.1 Samba and Ldap
>
> apt-get install slapd samba libsasl2-modules sasl2-bin openssl
> db4.2-util ldap-utils samba-doc libxml-parser-perl libauthen-sasl-perl
>
>Configuring slapd
> set a DNS name - internal.yourdomain.tld
> - Give it a name/description
> - set the admin password for the ldap manager
> ( cn=admin,dc=internal,dc=yourdomain,dc=tld )
> - Allow LDAPv2 protocol? yes
>
>Configure samba
> set a domain name DOMAIN
> Use password encryption? Yes
> Modify smb.conf to use WINS settings from DHCP? No
> How do you want to run Samba? Daemons
> Create samba password database, /var/lib/samba/passdb.tdb? No !!!
> else you will end up with lots of users from debian in this password file
> and you don't want that.
>
>Setup samba.schema file for ldap
> zcat /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz >
>/etc/ldap/schema/samba.schema
>
>In this setup I use /home/samba for the samba environment.
> I use these directories.
> /home/samba skel,data,profiles,netlogon,printers,spool
> /home/users/ username
>
>2.2 basic rights setup for samba
>
> /home/samba 777 Administrator:Domain Admins
> /home/samba/spool 777 Administrator:Domain Admins
> /home/samba/printers 775 Administrator:Domain Admins
> /home/samba/profiles 777 Administrator:Domain Admins
> /home/samba/netlogon 775 Administrator:Domain Admins
> /home/samba/data 775 Administrator:Domain Admins
> /home/samba/temp 777 Administrator:Domain Admins
> /home/samba/tools 755 Administrator:Domain Admins
> /home/samba/skel 755 Administrator:Domain Admins
>
>
>2.3 why this rights setup.
>
> 1 Administrator can create in the complete samba environment.
> 2 In data directories my users are not allowed to create sub dirs; I
> create one for the department and set rights to that department;
> from that point they can create directories.
> 3 Profiles 777; in the samba config a parameter is defined
> valid users = %u @"Domain Administrators"
> Only the user and administrator can access the user profile directories.
> create mask and directory mask make sure rights are set primarily to the user.
>3 LDAP Server configuration
>
> Configure slapd.conf, but first stop the slapd server ( /etc/init.d/slapd stop )
>
> Create ldap certificates for ssl support
> mkdir /etc/ldap/tls
>
> ## self signed certificate
> openssl req -newkey rsa:1024 -x509 -nodes -out ldap-server.pem -keyout ldap-server.pem -days 3650
> ( where Common Name = ldap.yourdomain.tld )
>
> edit /etc/ldap/slapd.conf
> put this below the other include lines; the order of schema files must be correct.
> insert the line "include /etc/ldap/schema/samba.schema"
>
> add these lines before the database definition
> TLSCACertificateFile /etc/ldap/tls/ldap-server.pem
> TLSCertificateFile /etc/ldap/tls/ldap-server.pem
> TLSCertificateKeyFile /etc/ldap/tls/ldap-server.pem
>
>Now its time for the ldap database configuration for samba
>
>example of the /etc/slapd.conf ( database 1 configuration )
>
>#######################################################################
># Specific Directives for database #1, of type bdb:
># Database specific directives apply to this databasse until another
># 'database' directive occurs
>database bdb
>
># The base of your directory in database #1
>suffix "dc=internal,dc=yourdomain,dc=tld"
>
>rootdn "cn=admin,dc=rotterdam,dc=bazuin,dc=nl"
>rootpw {MD5}fsadsdafasfaewfw
>
> ## create the rootpw
> ## echo rootpw `slappasswd -h {MD5}` >> /etc/ldap/slapd.conf
>
># Where the database files are physically stored for database #1
>directory "/var/lib/ldap"
>
># Indexing options for database #1
>### !!!!! Always run slapindex(8) after changing indices!!!!!!
>### and first STOP the LDAP SERVER ( /etc/init.d/slapd stop )
>index objectClass,uidNumber,gidNumber eq
>index cn,sn,uid,displayName pres,eq,sub
>index memberUid,mail,givenname eq,subinitial
>index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
>## default index
>index default eq
>
># Save the time that the entry gets modified, for database #1
>lastmod on
>
># Where to store the replica logs for database #1
>replogfile /var/lib/ldap/replog
># The userPassword by default can be changed
># by the entry owning it if they are authenticated.
># Others should not be able to see it, except the
># admin entry below
># These access lines apply to database #1 only
>access to attrs=userPassword
> by dn="cn=admin,dc=internal,dc=yourdomain,dc=tld" write
> by anonymous auth
> by self write
> by * none
>
>
># Ensure read access to the base for things like
># supportedSASLMechanisms. Without this you may
># have problems with SASL not knowing what
># mechanisms are available and the like.
># Note that this is covered by the 'access to *'
># ACL below too but if you change that as people
># are wont to do you'll still need this if you
># want SASL (and possible other things) to work
># happily.
>access to dn.base="" by * read
>
># The admin dn has full write access, everyone else
># can read everything.
>access to *
> by dn="cn=admin,dc=internal,dc=yourdomain,dc=tld" write
> by * read
>
># samba access list
>include /etc/ldap/samba-access.conf
>
>Example of the /etc/samba-access.conf ( database 1 configuration )
>
>### OLD Samba no DSA users used
>access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
> by dn="cn=admin,dc=internal,dc=yourdomain,dc=tld" write
> by anonymous auth
> by self write
> by * none
>
>access to attrs=loginShell
> by dn="cn=admin,dc=internal,dc=yourdomain,dc=tld" write
> by * none
>
>access to attrs=description,telephoneNumber,roomNumber,homePhone,gecos,cn,sn,givenname
> by dn="cn=admin,dc=internal,dc=yourdomain,dc=tld" write
> by self write
> by * read
>
>
>See appendix 1 if you want a more secure ldap database.
>!! this setup does not help you with setting that up. !!
>
>run slapindex
>and start the slapd server
>/etc/init.d/slapd start
>4 installation/configuration libnss, libpam (-ldap)
>
>apt-get install libnss-ldap libpam-ldap
>
>Configuring libnss-ldap
> define the host
> 127.0.0.1
> distinguished name of the search base
> dc=internal,dc=yourdomain,dc=tld
>
> LDAP version to use
> 3
> database requires login
> No
> Make configuration readable/writeable by owner only
> No
>
>Configuring libpam-ldap
> Make local root Database admin.
> Yes
> Database requires logging in.
> No
> Root login account
> cn=admin,dc=internal,dc=yourdomain,dc=tld
> set your password
> ( same as above for admin )
>
> Local crypt to use when changing passwords
> exop
>
>Configure nsswitch
># /etc/nsswitch.conf
>#
># Example configuration of GNU Name Service Switch functionality.
># If you have the `glibc-doc' and `info' packages installed, try:
># `info libc "Name Service Switch"' for information about this file.
>
>passwd: compat ldap
>group: compat ldap
>shadow: compat ldap
>
>hosts: files dns
>networks: files
>
>protocols: db files
>services: db files
>ethers: db files
>rpc: db files
>
>netgroup: nis
>
>
>Now test the server
>ldapsearch -x -D "cn=admin,dc=internal,dc=yourdomain,dc=tld" -W
>(enter the password)
>if you see
>result: 0 Success
>
>for now this is ok.
>5 Samba and smbldap-tools Configuration
>
>5.1 smbldap-tools installation/configuration
>
>apt-get install smbldap-tools
>
>copy the default config from the example directory.
>cp /usr/share/doc/smbldap-tools/examples/smbldap_bind.conf /etc/smbldap-tools/
>
>cp /usr/share/doc/smbldap-tools/examples/smbldap.conf.gz /etc/smbldap-tools/
>cd /etc/smbldap-tools
>gunzip smbldap.conf.gz
>
>first the easy part.
>
>in /etc/smbldap-tools/smbldap_bind.conf
>change this to admin
>slaveDN="cn=admin,dc=internal,dc=yourdomain,dc=tld"
>slavePw="Yourpassword"
>masterDN="cn=admin,dc=internal,dc=yourdomain,dc=tld"
>masterPw="Yourpassword"
>
>5.2 setting up samba base config
>
>start with the default config
>cd /etc/samba
>cp /usr/share/doc/smbldap-tools/examples/smb.conf.gz /etc/samba
>gunzip smb.conf.gz
>
>change the config to your needs
>some tips using samba on a firewalled system
>use the following setting, here eth0 is the internal side
>
> interfaces = eth0 lo
> bind interfaces only = yes
>
>change the binary location from /opt/..
>to /usr/sbin/smbldap-....
>the smbldap-tools are installed by debian in /usr/sbin
>
>also in this setup /home/. must be changed to /home/samba/.
>This will save you a lot of trouble with rights.
>
>
>5.3 Configuring smbldap.conf
>
>first we need to get some samba info
>
>net getlocalsid
>
>SID for domain SERVERNAME is: S-1-5-21-2074673303-3377769770-2933042573
>change the SID in smbldap.conf to your SID.
>
>
>change the suffix to your suffix (dc=internal,dc=yourdomain,dc=tld)
>change the hash_encryption to MD5
>change userLoginShell="bin/nologin"
>and you get nologin, because I'm configuring ldap for samba only.
>set the home directory ( in my case /home/users/%U )
>set the others to your needs.
>
>
>5.4 set the samba ldap admin password
>
>smbpasswd -w ldapadmin_password
>Setting stored password for "cn=admin,dc=internal,dc=yourdomain,dc=tld" in
>secrets.tdb
>
>now we fill the ldap database with the base setup.
>
>smbldap-populate -a Administrator -b nobody -u 2000 -g 2000
>
>users are created with uid => 2000
>groups are created with gid => 2000
>
>
>!!!! DO NOT RUN THIS IF YOU ALREADY CREATED USERS. YOUR UID/GIDs WILL GET
>MESSED UP.
>
>smbpasswd -a root
>because root is needed for setting up the Privileges.
>
>Now set the Administrator password and enable this user
>smbldap-passwd Administrator
>smbldap-usermod -J Administrator
>
>
>5.5 Samba PRIVILEGES Setup
>
>First check your rights and get to know the commands.
>
>net rpc rights list accounts list users
>net rpc rights list list defined rights.
>
>to see which rights are defined and for which users/groups
>
>IF you use a PDC/BDC setup these commands must be done on both servers!!
>
>test these commands:
>
>net rpc group
>(output)
>Domain Admins
>Domain Users
>Domain Guests
>Domain Computers
>
>or
>
>slapcat | grep Group | grep dn
>
>(output)
>dn: ou=Groups,dc=internal,dc=yourdomain,dc=tld
>dn: cn=Domain Admins,ou=Groups,dc=internal,dc=yourdomain,dc=tld
>dn: cn=Domain Users,ou=Groups,dc=internal,dc=yourdomain,dc=tld
>dn: cn=Domain Guests,ou=Groups,dc=internal,dc=yourdomain,dc=tld
>dn: cn=Domain Computers,ou=Groups,dc=internal,dc=yourdomain,dc=tld
>dn: cn=Administrators,ou=Groups,dc=internal,dc=yourdomain,dc=tld
>dn: cn=Print Operators,ou=Groups,dc=internal,dc=yourdomain,dc=tld
>dn: cn=Backup Operators,ou=Groups,dc=internal,dc=yourdomain,dc=tld
>dn: cn=Replicators,ou=Groups,dc=internal,dc=yourdomain,dc=tld
>
>
>these are the privileges on samba 3.0.14a ( debian )
>
>Privilege Description
>SeMachineAccountPrivilege Add machines to domain
>SePrintOperatorPrivilege Manage printers
>SeAddUsersPrivilege Add users and groups to the domain
>SeRemoteShutdownPrivilege Force shutdown from a remote system
>SeDiskOperatorPrivilege Manage disk share
>
>
>give the "Domain Admins" all of the SE rights.
>( -S servername -U Username%Password )
>
>net -S PDC -U root%Password rpc rights grant "DOMAIN\Domain Admins" \
> SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege \
> SeDiskOperatorPrivilege SeRemoteShutdownPrivilege
>
>
>Give the "Print Operators" all print manage rights.
>( -S servername -U Username%Password )
>
>net -S PDC -U root%Password rpc rights grant "DOMAIN\Print Operators" SePrintOperatorPrivilege
>6 CUPS - Printer software
>
>apt-cache search cups to get the info which packages are available
>
>I installed these packages.
>apt-get install cups-pdf cupsys cupsys-bsd cupsys-pt cupsys-client \
>foomatic-bin foomatic-filters cupsys-driver-gimpprint gs-esp ( and dependencies )
>
>Configuring cupsys-bsd
> Do you want to set up the BSD lpd compatibility server? Yes
> all others leave default.
>
>6.1 Setup Cups /etc/cups/cupsd.conf
>
> here locate the lines Allow From 127.0.0.1
> and change them to your network so you can login on the cups web interface.
> for example:
> Allow From 192.168. ( this way I can manage it from 2 departments,
> 192.168.1.x and 192.168.2.x )
>
> now you can logon on http://serverip:631/
> make it safer to manage by adding a user to the lpadmin group;
> this user can then create printer queues
>
> I create printers with the following options.
> socket://printerIPnumber:9100 ( for hp jetdirect ), Raw, Raw_queue
>
> I only use cups as spooler for windows pc's and *nix servers.
>
> First we are going to create 1 printer device and this is the CUPS PDF Printer.
>
>
>6.2 Setup Cups PDF Printer. - Creating a PDF Printer
>
> With this printer you can create PDF files by just printing to it.
>
> - logon the web interface and choose add printer.
> Name:pdf_printer
> Location: %homedir%\cups-pdf
> Description: pdf created in homedir\cups-pdf
> Continue
> - Device: Virtual Printer(PDF printer) choose it, it's below,
> Continue
> - Choose the model/Driver for PDF_printer, Postscript,
> Continue
>
> click on manage printers to see what you have created.
> click on Print Test Page to test the pdf printer.
>
> a file is put in the cups-pdf directory of the user you logged on with.
>
>7 Configuring phpldapadmin
>
>7.1 installation of phpldapadmin ( and apache )
>
> get the packages
> apt-get install phpldapadmin php4 apache
>
> What is your LDAP server host address? 127.0.0.1
> ( the ip/hostname where the ldap server is )
>
> ldaps protocol instead of ldap? No
>
> What is the distinguished name of the search base?
> dc=internal,dc=yourdomain,dc=tld
>
> Which type of authentication you want to use? session
>
> What is the login dn for the LDAP server?
> cn=admin,dc=internal,dc=yourdomain,dc=tld
>
> Which web server would you like to reconfigure automatically?
> select all and press OK.
>
> restart webservers now: Yes
>
>8.0 On-Access virus scanning on samba (samba-clamav)
>8.1 Installing ClamAV
>
> apt-get install clamav arj unzoo lha clamav-freshclam clamav-daemon
> Configuring clamav-freshclam : Daemon
> Choose a close mirror
> Should clamd be notified after updates? Yes
>8.2 get the sources ( samba & samba-vscan )
>
> mkdir /usr/src/sources
> cd /usr/src/sources
>
> apt-get install dpkg-dev
> apt-get source samba
> apt-get build-dep samba
>
> cd samba-3.0.14a
> vi source/include/version.h
>
> here remove the a from the 14 ( 3.0.14a => 3.0.14 )
>
> ./debian/rules configure-stamp
> cd source
> make proto
> cd ../..
>
> wget http://switch.dl.sourceforge.net/sourceforge/openantivirus/samba-vscan-0.3.6b.tar.bz2
>
> tar xjvf samba-vscan-0.3.6b.tar.bz2
>
> cd samba-vscan-0.3.6b
> ./configure --with-samba-source=/usr/src/sources/samba-3.0.14a/source
> make && make install
>
> cp clamav/vscan-clamav.conf /etc/samba/samba-vscan-clamav.conf
> change in the samba-vscan-clamav.conf
> clamd socket name = /var/run/clamav/clamd.ctl
> infected file action = quarantine ( or delete, which I choose.)
>
> When I put these lines in my smb.conf file, I can't access the share:
> vfs object = vscan-clamav
> vscan-clamav: config-file = /etc/samba/samba-vscan-clamav.conf
>
> An example:
> [public]
> comment = Public Directory
> path = /home/public
> vfs object = vscan-clamav
> vscan-clamav: config-file = /etc/samba/samba-vscan-clamav.conf
>
> !!! BEWARE !!!! if samba upgrades to a higher version you MUST recompile
> your samba-vscan. set samba to hold for no upgrade.
>
> echo packagename hold | dpkg --set-selections set to hold
> echo packagename install | dpkg --set-selections set to install
>9.0 Recycle bin on samba
>9.1 Recycle bin configuration
>
> configure samba for using the recycle bin.
> I made my manager happy with this.
>
> create a file in /etc/samba
> and fill it with the options below.
>
> /etc/samba/samba-recycle.conf
>
> name = .recycle
> mode = KEEP_DIRECTORIES|VERSIONS|TOUCH
> maxsize = 0
> exclude = *.tmp|*.temp|*.o|*.obj|~$*|*.~??|~*.tmp
> excludedir = /tmp|/temp|/cache
> noversions = *.doc|*.xls|*.ppt
>
> add this to you share, same as vscan.
>
> vfs object = recycle
> recycle: config-files = /etc/samba/samba-recycle.conf
>
> create a recycle bin directory and hide it for the users.
>
> I created .recycle this way ( because of the dot ) users don't see this
> IF.. you don't set your explorer to view hidden files.
>
>restart samba and you're done.
>
>You are ready to use your samba server.
>
>Appendix 1 (complex samba-access.conf ) SETUP WITH DSA USERS
>see http://www.idealx.org/prj/samba/smbldap-howto.en.html
>#### users can authenticate and change their password
>#access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
># by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
># by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
># by dn="cn=nssldap,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
># by self write
># by anonymous auth
># by * none
># some attributes need to be readable anonymously so that 'id user' can answer correctly
>##access to attrs=objectClass,entry,homeDirectory,uid,uidNumber,gidNumber,memberUid
># by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
># by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
># by * read
># some attributes can be writable by users themselves
>##access to attrs=description,telephoneNumber,roomNumber,homePhone,loginShell,gecos,cn,sn,givenname
># by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
># by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
># by self write
># by * read
>## some attributes need to be writable for samba
>#access to attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaMungedDial,sambaBadPasswordCount,sambaBadPasswordTime,sambaPasswordHistory,sambaLogonHours,sambaSID,sambaSIDList,sambaTrustFlags,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase,sambaShareName,sambaOptionName,sambaBoolOption,sambaIntegerOption,sambaStringOption,sambaStringListoption,sambaPrivilegeList
># by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
># by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
># by self read
># by * none
>## samba needs to be able to create the samba domain account
>#access to dn.base="dc=internal,dc=yourdomain,dc=tld"
># by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
># by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
># by * none
>## samba needs to be able to create new user accounts
>#access to dn="ou=Users,dc=internal,dc=yourdomain,dc=tld"
># by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
># by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
># by * none
>## samba needs to be able to create new group accounts
>#access to dn="ou=Groups,dc=internal,dc=yourdomain,dc=tld"
># by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
># by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
># by * none
>## samba needs to be able to create new computer accounts
>#access to dn="ou=Computers,dc=internal,dc=yourdomain,dc=tld"
># by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
># by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
># by * none
>#
>## this can be omitted but we leave it: there could be other branches
>## in the directory
>#access to *
># by self read
># by * none
>
>
>Appendix 2 APT
>
>2.1 APT HOWTO
>
>Preparing apt for online packages.
>After installing from CD or DVD adjust your apt config.
>
>This setup makes sure you are using stable packages, that is, Debian Sarge.
>
>In apt.conf we defined the default release of debian, in this case stable (
>Sarge 3.1r0).
>The Show-Upgraded "true" is used for showing us the packages which are going
>to be installed; I like to see what I'm installing.
>
>The sources.list: if you used a CD/DVD for installing you can leave this
>line in the sources.list. This can save you bandwidth. My server is in a
>remote location and I don't use the cd anymore.
>I added clamav as stable because I want a new clamav for virus scanning;
>more info : http://www.clamav.net/binary.html
>
>The testing and unstable sources are also unmarked, so that if you really need
>a newer version of a program you can try to create it from debian
>source.
>
>You can get the source install programs and search by using the following
>commands:
>
>apt-get install package = get & install package
>apt-get remove package = remove package
>apt-get remove --purge package = remove and purge all files of package
>dpkg --purge package = purge all files of package
>
>apt-cache search package = search for package or part of package name
>apt-cache show package = get info over package
>dpkg-reconfigure -plow package = reconfigure with priority low ( most options )
>
>for this first cd /usr/src.
>apt-get source package = get source files of packaged
>
>2.2 Files from /etc/apt
>
>2.2.1 /etc/apt/apt.conf
>
>APT::Default-Release "stable";
>APT::Get::Show-Upgraded "true";
>// 16 MB Limit
>APT::Cache-limit 16777216;
>// if you have /tmp with no mounted with noexec, you need this.
>#DPkg::Pre-Install-Pkgs {"mount -o remount,exec /tmp";};
>#DPkg::Post-Invoke {"mount -o remount /tmp";};
>
>
>
>2.2.2 /etc/apt/preferences
>
>Package: *
>Pin: release a=stable
>Pin-Priority: 990
>
>Package: *
>Pin: release a=testing
>Pin-Priority: 500
>
>Package: *
>Pin: release a=unstable
>Pin-Priority: 50
>
>Package: *
>Pin: release a=sarge,l=debian-volatile
>Pin-Priority: 990
>
>2.2.3 /etc/apt/sources.list
>
># See sources.list(5) for more information, especially
># Remember that you can only use http, ftp or file URIs
># CDROMs are managed through the apt-cdrom tool.
>#-----------------------------------------------------------------
># We define the PIN which sets the priority of package selection
># see also the apt-howto
># http://www.debian.org/doc/manuals/apt-howto/index.en.html
># and a nice howto for apt-pinning for beginners.
># http://jaqque.sbih.org/kplug/apt-pinning.html
>#-----------------------------------------------------------------
>#-----------------------------------------------------------------
># Stable PIN 990 PRODUCTION TREE
>deb ftp://ftp.nl.debian.org/debian stable main contrib non-free
>deb-src ftp://ftp.nl.debian.org/debian stable main contrib non-free
>deb http://http.us.debian.org/debian stable main contrib non-free
># Stable Security updates
>deb http://security.debian.org/ stable/updates main contrib non-free
>deb-src http://security.debian.org/ stable/updates main contrib non-free
>#------------------------------------------------------------------
>## Debian VOLATILE , used for clamav PINNED 990
>deb http://ftp.nl.debian.org/debian-volatile sarge/volatile main
>#-----------------------------------------------------------------
>#-----------------------------------------------------------------
># WARNING USE BELOW AT OWN RISK
># Testing ( PIN 500 )
>#deb ftp://ftp.nl.debian.org/debian testing main contrib non-free
>#deb-src ftp://ftp.nl.debian.org/debian testing main contrib non-free
>#deb http://http.us.debian.org/debian testing main contrib non-free
># Testing Security updates
>#deb http://security.debian.org/ testing/updates main contrib non-free
>#deb-src http://security.debian.org/ testing/updates main contrib non-free
>#-----------------------------------------------------------------
>#-----------------------------------------------------------------
># WARNING USE BELOW AT OWN RISK
># Unstable ( PIN 050 )
>#deb ftp://ftp.nl.debian.org/debian unstable main contrib non-free
>#deb-src http://ftp.nl.debian.org/debian unstable main contrib non-free
>#deb http://http.us.debian.org/debian unstable main contrib non-free
># unstable Security updates
>#deb http://security.debian.org/ unstable/updates main contrib non-free
>#deb-src http://security.debian.org/ unstable/updates main contrib non-free
>#-----------------------------------------------------------------
>#-----------------------------------------------------------------
>#### BACKPORTS to STABLE ( Debian Sarge 3.1r0 )
>## Latest Samba from samba.org
>#deb http://us4.samba.org/samba/ftp/Binary_Packages/Debian sarge samba
>#deb-src http://us2.samba.org/samba/ftp/Binary_Packages/Debian sarge samba
>
>#------------------------------------------------------------------
>## MPEG/AVI addons +W32CODECS With MPlayer
>#deb ftp://ftp.nerim.net/debian-marillat/ sarge main
>#------------------------------------------------------------------
>## www.dotdeb.org, updated php4/php5 mysql-41 mysql-50 qmail clamav etc etc.
>## check the site for the packages list. if you want only 1 package ( preferred )
>## change the line to #deb http://packages.dotdeb.org stable php5 for example
>#deb http://packages.dotdeb.org stable all
>#deb-src http://packages.dotdeb.org stable all
>#------------------------------------------------------------------
>## BootSplash ( does not work on every kernel ) www.bootsplash.de
>## http://www.planamente.ch/emidio/pages/linux_howto_bootsplash.php
>deb http://debian.bootsplash.de unstable main
>deb-src http://debian.bootsplash.de unstable main
>
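The "Insufficient access ... no write access to parent" failure at the top of this thread is an OpenLDAP ACL decision: the DN Samba binds with (the one whose password `smbpasswd -w` stores in secrets.tdb) needs write access on the `children` pseudo-attribute of the parent `ou=Users` entry before `smbpasswd -a` can add `uid=root` below it. The Python below is an added example, not code from the post or from the quoted howto: it parses slapd.conf-style `access to ... by ...` directives (a subset of slapd.access(5), with `dn=` treated as an exact match) and reports the level a given bind DN gets, using the howto's own ACL fragments and placeholder DNs as constructed input.

```python
"""Evaluate OpenLDAP slapd.conf-style ACLs (a subset of slapd.access(5)).

Added example, not code from the post or the quoted howto.  Rules modelled:
directives are tried in file order and the first "access to" whose target
matches decides; inside it the first matching "by" clause decides (an implicit
"by * none" ends every directive); the rootdn bypasses ACLs; adding an entry
needs "write" on the parent's "children" pseudo-attribute, which is what the
"no write access to parent" diagnostic reports.  dn= is treated as exact.
"""
import shlex

LEVELS = ("none", "auth", "compare", "search", "read", "write")

def norm(dn):
    """Normalise a DN for comparison: lower-case, no blanks around commas."""
    return ",".join(p.strip() for p in dn.split(",")).lower() if dn else ""

def parse_acl(text):
    """Return [(kind, value, [(who, level), ...]), ...] in file order."""
    tokens = []
    for line in text.splitlines():
        tokens.extend(shlex.split(line, comments=True))  # handles quotes and #
    rules, i = [], 0
    while i < len(tokens):
        if tokens[i:i + 2] != ["access", "to"]:
            raise ValueError("expected 'access to' near token %d" % i)
        what = tokens[i + 2]
        if what == "*":
            kind, value = "any", None
        elif what.startswith("attrs="):
            kind, value = "attrs", {a.strip().lower() for a in what[6:].split(",")}
        elif what.startswith(("dn.base=", "dn=")):
            kind, value = "dn", norm(what.split("=", 1)[1])
        else:
            raise ValueError("unsupported target: " + what)
        i, by = i + 3, []
        while i < len(tokens) and tokens[i] == "by":
            who, level = tokens[i + 1], tokens[i + 2]
            if level not in LEVELS:
                raise ValueError("unknown access level: " + level)
            by.append((who, level))
            i += 3
        rules.append((kind, value, by))
    return rules

def who_matches(who, bind_dn, entry_dn):
    b = norm(bind_dn)            # "" means an anonymous bind
    if who == "*":
        return True
    if who in ("anonymous", "users"):
        return (b == "") == (who == "anonymous")
    if who == "self":
        return b != "" and b == norm(entry_dn)
    if who.startswith(("dn.exact=", "dn=")):
        return b == norm(who.split("=", 1)[1])
    raise ValueError("unsupported who: " + who)

def access_level(rules, bind_dn, entry_dn, attr=None, rootdn=None):
    """Access level bind_dn gets on entry_dn/attr (attr None = the entry)."""
    if rootdn and norm(bind_dn) == norm(rootdn):
        return "write"                    # rootdn is never subject to ACLs
    for kind, value, by in rules:
        if kind == "attrs" and (attr is None or attr.lower() not in value):
            continue
        if kind == "dn" and norm(entry_dn) != value:
            continue
        for who, level in by:
            if who_matches(who, bind_dn, entry_dn):
                return level
        return "none"                     # clauses exhausted: "by * none"
    return "none"                         # no directive matched the target

def may_add_child(rules, bind_dn, parent_dn, rootdn=None):
    """False is exactly the 'no write access to parent' case from the post."""
    return access_level(rules, bind_dn, parent_dn, "children", rootdn) == "write"

# Constructed from the quoted howto's ACLs; there, "access to *" sits BEFORE
# the "include /etc/ldap/samba-access.conf" line.
SUFFIX = "dc=internal,dc=yourdomain,dc=tld"
ADMIN = "cn=admin," + SUFFIX
MAIN_ACL = """
access to attrs=userPassword by dn="%s" write by anonymous auth by self write by * none
access to dn.base="" by * read
access to * by dn="%s" write by * read
""" % (ADMIN, ADMIN)
SAMBA_ACL = """
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
  by dn="%s" write by anonymous auth by self write by * none
access to attrs=loginShell by dn="%s" write by * none
""" % (ADMIN, ADMIN)
AS_WRITTEN = parse_acl(MAIN_ACL + SAMBA_ACL)  # include placed after "access to *"
REORDERED = parse_acl(SAMBA_ACL + MAIN_ACL)   # samba-specific rules first
```

With the directives in the howto's order the evaluator reports `read` for an anonymous bind on sambaNTPassword, because `access to * ... by * read` is reached before the included samba rules and so shadows them; parsing the samba rules first restores `by anonymous auth` and `by * none` for the password hash attributes.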