[Samba] Samba-LDAP not quite working - help!

Stéphane Purnelle stephane.purnelle at tiscali.be
Mon Mar 27 19:13:32 GMT 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This howto contains some errors, I think. Before trying smbpasswd, Samba
must have the information about which user it must use to connect to
LDAP; this question is answered by the ldap admin dn parameter in
smb.conf.  If there is a user, there is a password.  To specify the
password, you must use the command
smbpasswd -w xxxx (xxxx = the password of the user)

ATTENTION: in your slapd.conf, only admin can write.  If you want to
use another LDAP user, you must modify your slapd.conf

Gary Dale wrote:
> I was trying to follow the howto below to get Samba-LDAP working on
> my Debian/Sarge server. I'm stuck in section 5.4:
>
> When I try the "smbpasswd -a root" I get:
> semper:/etc/phpldapadmin/templates# smbpasswd -a root
> New SMB password:
> Retype new SMB password:
> ldapsam_modify_entry: Failed to add user dn=
> uid=root,ou=Users,dc=rahim-dale,dc=org with: Insufficient access
>         no write access to parent
> ldapsam_add_sam_account: failed to modify/add user with uid = root
> (dn = uid=root,ou=Users,dc=rahim-dale,dc=org)
> Failed to add entry for user root.
> Failed to modify password entry for user root
>
>
> The next two steps are:
> smbldap-passwd Administrator   -- this works
> smbldap-usermod -J Administrator  -- this fails
>
> And after that nothing works.
>
> I've managed to get phpldapadmin working (finally) but that doesn't
> seem to help. I can add accounts, etc., but they don't seem to help.
> When I try to get a Windows XP computer to join the domain, I get
> "logon failure: unknown user name or bad password".
>
> I can browse the network from a Windows XP machine as well, but
> can't connect to any network shares that have any security on them.
>
> I've gone through the idealx.org smb-ldap documentation and can't
> see anything obvious that I'm doing wrong. Nor have I found anything
> in searches that tells me any more than what the immediate error
> message says (basically they seem to say it's a rights issue so fix
> it without specifying how to do it).
>
> Please help!
>
>
>
> Louis van Belle wrote:
>
>> Hi everybody,
>> I made a pretty complete howto for samba on debian servers.
>>
>> This howto covers samba + ldap + cups + recycle bin + samba-vscan
>> + phpldapadmin + ACL + Extended Attributes.
>>
>> this howto is also based on the idealx howto
>>
>> If you do this setup, you should be able to use the NT4 Usermanager,
>> set up Point and Print printing, set rights from explorer, etc.
>> Another nice tool is ldapadmin ( ldapadmin.sf.net ), a must, check it
>> out.
>>
>> We will use a Debian Sarge as setup.  If you never used Debian
>> before, you can follow this how-to
>> (http://www.howtoforge.com/perfect_setup_debian_sarge ) , please
>> read the comments below the pages first, this can save you time and
>> problems, or install Debian without any software packages, we will
>> install them later when needed.
>> Checking the kernel or compile your own kernel if needed.
>>
>> I try to give a complete solution for this how-to, this is because
>> lots of people were asking the same things on the samba list and
>> lots of people make the same mistakes.
>>
>> This is my company's running setup.
>>
>> I run this on a P866, 512 Ram, Scsi Raid 1 ( 15rpms 73 Gb ) , with
>> 50 users 25 printers which do about 150.000 prints a month.
>>
>> I thank my company to let me make this document.
>>
>>
>> Please if you have improvements, comments, send them to me.
>>
>> Louis van Belle
>>
>>
>>
>>
>>
>> INDEX
>>
>> 1 Checking the kernel or compile your own kernel
>> 1.1 Preparing apt configuration
>> 1.2 Preparing the kernel
>> 1.3 setup the /etc/fstab
>> 1.4 final touch, lilo (or grub)
>> 2 Pre-installation of the debian packages
>> 2.1 Samba and Ldap
>> 2.2 basic rights setup for samba
>> 2.3 why this rights setup.
>> 3 LDAP Server configuration
>> 4 installation/configuration libnss, libpam (-ldap)
>> 5 Samba and smbldap-tools Configuration
>> 5.1 smbldap-tools installation/configuration
>> 5.2 setting up samba base config
>> 5.3 Configuring smbldap.conf
>> 5.4 set the samba ldap admin password
>> 5.5 Samba PRIVILEGES Setup
>> 6 CUPS - Printer software
>> 6.1 Setup Cups
>> 6.2 Setup Cups PDF Printer. - Creating a PDF Printer
>> 7 Configuring phpldapadmin
>> 7.1 installation of phpldapadmin ( and apache )
>> 8.0 On-Access virus scanning on samba (samba-clamav)
>> 8.1 Installing ClamAV
>> 8.2 get the sources ( samba & samba-vscan )
>> 9.0 Recycle bin on samba
>> 9.1 Recycle bin configuration
>> Appendix 1 (complex samba-access.conf ) SETUP WITH DSA USERS
>> Appendix 2 APT
>> 2.1 APT HOWTO
>> 2.2 Files from /etc/apt
>> 2.2.1 /etc/apt/apt.conf
>> 2.2.2 /etc/apt/preferences
>>
>>
>>
>>
>> 1 Checking the kernel or compile your own kernel
>> 1.1  Preparing apt configuration
>>    
>>     for this go check out my apt howto.
>>
>>     if your apt config is set up right, follow the steps below.
>>
>>     ncurses interface for compiling the kernel
>>     apt-get install libncurses5-dev
>>
>>     get the kernel source
>>     apt-get install kernel-source-2.6.8 kernel-package
>>
>>     install the right kernel and activate EXT2/3 + Extended attributes
>>     and set up CIFS kernel support in the kernel.
>>
>> 1.2 Preparing the kernel
>>     apt-get install kernel-source-2.6.8 kernel-package fakeroot libc6-dev libncurses5-dev
>>
>>     cd /usr/src
>>     tar -jxf kernel-source-2.6.8.tar.bz2
>>     ln -s /usr/src/kernel-source-2.6.8 /usr/src/linux
>>     cp /boot/config-2.6.8-2-* /usr/src/linux/.config
>>     cd linux
>>     make menuconfig - File systems - Ext2/3 + extended options
>>             also  File systems - Miscellaneous filesystems - CramFS
>>             and   File systems - Network File Systems - CIFS support
>>             + extended Attributes
>>     now create the kernel and install it.
>>
>>     fakeroot make-kpkg --append-to-kernel=-mykernel --initrd kernel_image
>>
>>     This creates a file kernel-image-2.6.8.custom.1.0_i386.deb under
>>     /usr/src
>>
>>     dpkg -i kernel-image-2.6.8.custom.1.0_i386.deb  to install the kernel
>> 1.3 setup the /etc/fstab
>>
>>     /etc/fstab :   add the acl and user_xattr to the right partition
>>
>>     /dev/xxx      /home           ext3    defaults,acl,user_xattr
>>
>>     I use /home/samba for the samba environment.
>>     All the needed samba directories will be put here. !!   This is important !
>> 1.4 final touch, lilo (or grub)
>>     lilo and reboot, login and do 'uname -a' and you will see a line like this.
>>     Linux ms249-lin-001 2.6.8-mykernel #1 Wed Jun 1 15:03:47 CEST 2005 i686
>>     Your server is now ready for samba 3.
>> 2 Pre-installation of the debian packages
>> 2.1  Samba and Ldap
>>
>>   apt-get install slapd samba libsasl2-modules sasl2-bin openssl db4.2-util ldap-utils samba-doc libxml-parser-perl libauthen-sasl-perl
>>
>> Configuring slapd
>>     - set a dns name - internal.yourdomain.tld
>>     - Give it a name/description
>>     - set the admin password for the ldap manager ( cn=admin,dc=internal,dc=yourdomain,dc=tld )
>>     - Allow LDAPv2 protocol?  yes
>>
>> Configure samba
>>     set a domain name  DOMAIN
>>     Use password encryption? Yes
>>     Modify smb.conf to use WINS settings from DHCP?   No
>>     How do you want to run Samba?  Daemons
>>     Create samba password database, /var/lib/samba/passdb.tdb? No !!!
>>     else you will end up with lots of users from debian in this password file
>>     and you don't want that.
>>
>> Setup samba.schema file for ldap
>>     zcat /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz > /etc/ldap/schema/samba.schema
>>
>> In this setup I use /home/samba for the samba environment.
>>     i use these directories.
>>     /home/samba     skel,data,profiles,netlogon,printers,spool
>>     /home/users/     username
>>
>> 2.2 basic rights setup for samba
>>
>>     /home/samba              777        Administrator:Domain Admins
>>     /home/samba/spool        777        Administrator:Domain Admins
>>     /home/samba/printers     775        Administrator:Domain Admins
>>     /home/samba/profiles     777        Administrator:Domain Admins
>>     /home/samba/netlogon     775        Administrator:Domain Admins
>>     /home/samba/data         775        Administrator:Domain Admins
>>     /home/samba/temp         777        Administrator:Domain Admins
>>     /home/samba/tools        755        Administrator:Domain Admins
>>     /home/samba/skel         755        Administrator:Domain Admins
>>
>>
>> 2.3 why this rights setup.
>>
>>     1 Administrator can create in complete samba environment.
>>     2 In data directories my users are not allowed to create sub dir's, I
>>     create one for the department, and set rights to that department,
>>     from that point they can create directories.
>>     3 Profiles 777, in the samba config is a parameter defined
>>     valid users = %u @"Domain Administrators"
>>     Only the user and administrator can access the user profile directories.
>>     create mask and directory mask make sure rights are set primary to the user.
>> 3 LDAP Server configuration
>>
>>     Configure slapd.conf, but first stop the slapd server ( /etc/init.d/slapd stop )
>>
>>     Create ldap certificates for ssl support
>>     mkdir /etc/ldap/tls
>>
>>     ## self signed certificate
>>     openssl req -newkey rsa:1024 -x509 -nodes -out ldap-server.pem -keyout ldap-server.pem -days 3650
>>     ( where Common Name = ldap.yourdomain.tld )
>>
>>     edit /etc/ldap/slapd.conf
>>     put these below the other line, the order of schema files must be correct.
>>     insert the line "include    /etc/ldap/schema/samba.schema"
>>
>>     add these line before the database definition
>>     TLSCACertificateFile /etc/ldap/ssl/ldap-server.pem
>>     TLSCertificateFile /etc/ldap/ssl/ldap-server.pem
>>     TLSCertificateKeyFile /etc/ldap/ssl/ldap-server.pem
>>    
>> Now its time for the ldap database configuration for samba
>>
>> example of the /etc/slapd.conf    ( database 1 configuration )
>> #######################################################################
>>
>> # Specific Directives for database #1, of type bdb:
>> # Database specific directives apply to this database until another
>> # 'database' directive occurs
>> database        bdb
>>
>> # The base of your directory in database #1
>> suffix          "dc=internal,dc=yourdomain,dc=tld"
>>
>> rootdn          "cn=admin,dc=rotterdam,dc=bazuin,dc=nl"
>> rootpw          {MD5}fsadsdafasfaewfw
>>   ## create the rootpw
>>   ## echo rootpw  `slappasswd -h {Md5}` >> /etc/ldap/slapd.conf
>>
>> # Where the database file are physically stored for database #1
>> directory       "/var/lib/ldap"
>>
>> # Indexing options for database #1
>> ### !!!!! Always run slapindex(8) after changing indices!!!!!!
>> ### and first STOP the LDAP SERVER  ( /etc/init.d/slapd stop )
>> index           objectClass,uidNumber,gidNumber eq
>> index           cn,sn,uid,displayName           pres,eq,sub
>> index           memberUid,mail,givenname        eq,subinitial
>> index           sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
>> ## default index
>> index           default eq
>>
>> # Save the time that the entry gets modified, for database #1
>> lastmod         on
>>
>> # Where to store the replica logs for database #1
>> replogfile    /var/lib/ldap/replog
>> # The userPassword by default can be changed
>> # by the entry owning it if they are authenticated.
>> # Others should not be able to see it, except the
>> # admin entry below
>> # These access lines apply to database #1 only
>> access to attrs=userPassword
>>        by dn="cn=admin,dc=internal,dc=yourdomain,dc=tld" write
>>        by anonymous auth
>>        by self write
>>        by * none
>>
>>
>> # Ensure read access to the base for things like
>> # supportedSASLMechanisms.  Without this you may
>> # have problems with SASL not knowing what
>> # mechanisms are available and the like.
>> # Note that this is covered by the 'access to *'
>> # ACL below too but if you change that as people
>> # are wont to do you'll still need this if you
>> # want SASL (and possible other things) to work
>> # happily.
>> access to dn.base="" by * read
>>
>> # The admin dn has full write access, everyone else
>> # can read everything.
>> access to *
>>        by dn="cn=admin,dc=internal,dc=yourdomain,dc=tld" write
>>        by * read
>>
>> # samba access list
>> include /etc/ldap/samba-access.conf
>>
>> Example of the /etc/samba-access.conf    ( database 1 configuration )
>> ### OLD Samba no DSA users used
>> access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
>>    by dn="cn=admin,dc=internal,dc=yourdomain,dc=tld" write
>>    by anonymous auth
>>    by self write
>>    by * none
>>
>> access to attrs=loginShell
>>    by dn="cn=admin,dc=internal,dc=yourdomain,dc=tld" write
>>    by * none
>>
>> access to attrs=description,telephoneNumber,roomNumber,homePhone,gecos,cn,sn,givenname
>>    by dn="cn=admin,dc=internal,dc=yourdomain,dc=tld" write
>>    by self write
>>    by * read
>>
>>
>> See appendix 1 if you want a more secure ldap database.
>> !! this setup does not help you to setting this up. !!
>>
>> run slapindex
>> and start the slapd server
>> /etc/init.d/slapd start
>> 4 installation/configuration libnss, libpam (-ldap)
>>
>> apt-get install libnss-ldap libpam-ldap
>>
>> Configuring libnss-ldap
>>     define the host
>>         127.0.0.1
>>     distinguished name of the search base
>>         dc=internal,dc=yourdomain,dc=tld
>>
>>     LDAP version to use
>>         3
>>     database requires login
>>         No
>>     Make configuration readable/writeable by owner only
>>         No
>>
>> Configuring libpam-ldap
>>     Make local root Database admin.
>>         Yes
>>     Database requires logging in.
>>         No
>>     Root login account
>>         cn=admin,dc=internal,dc=yourdomain,dc=tld
>>     set your password
>>         ( same as above for admin )
>>
>>     Local crypt to use when changing passwords
>>         exop
>>
>> Configure nsswitch
>> # /etc/nsswitch.conf
>> #
>> # Example configuration of GNU Name Service Switch functionality.
>> # If you have the `glibc-doc' and `info' packages installed, try:
>> # `info libc "Name Service Switch"' for information about this file.
>>
>> passwd:         compat ldap
>> group:          compat ldap
>> shadow:         compat ldap
>>
>> hosts:          files dns
>> networks:       files
>>
>> protocols:      db files
>> services:       db files
>> ethers:         db files
>> rpc:            db files
>>
>> netgroup:       nis
>>
>>
>> Now test the server
>> ldapsearch -x -D "cn=admin,dc=internal,dc=yourdomain,dc=tld" -W
>> (enter the password)
>> if you see result: 0 Success
>>
>> for now this is ok.
>> 5 Samba and smbldap-tools Configuration
>>
>> 5.1 smbldap-tools installation/configuration
>>
>> apt-get install smbldap-tools
>>
>> copy the default config from the example directory.
>> cp /usr/share/doc/smbldap-tools/examples/smbldap_bind.conf /etc/smbldap-tools/
>>
>> cp /usr/share/doc/smbldap-tools/examples/smbldap.conf.gz /etc/smbldap-tools/
>> cd /etc/smbldap-tools
>> gunzip smbldap.conf.gz
>>
>> first the easy part.
>>
>> in /etc/smbldap-tools/smbldap_bind.conf
>> change this to admin
>> slaveDN="cn=admin,dc=internal,dc=yourdomain,dc=tld"
>> slavePw="Yourpassword"
>> masterDN="cn=admin,dc=internal,dc=yourdomain,dc=tld"
>> masterPw="Yourpassword"
>>
>> 5.2 setting up samba base config
>>
>> start with the default config
>> cd /etc/samba
>> cp /usr/share/doc/smbldap-tools/examples/smb.conf.gz /etc/samba
>> gunzip smb.conf.gz
>>
>> change the config to your needs
>> some tips using samba on a firewalled system
>> use the following setting, here eth0 is the internal side
>>
>>        interfaces = eth0 lo
>>        bind interfaces only = yes
>>
>> change the binary location from /opt/..  to /usr/sbin/smbldap-....
>> the smbldap-tools are installed by debian in /usr/sbin
>>
>> also in this setup /home/. must be changed to /home/samba/. This
>> will save you a lot of troubles with rights.
>>
>>
>> 5.3 Configuring smbldap.conf
>>
>> first we need to get some samba info
>>
>> net getlocalsid
>>
>> SID for domain SERVERNAME is:
>> S-1-5-21-2074673303-3377769770-2933042573
>> change the SID in smbldap.conf in the your sid.
>>
>>
>> change the suffix to your suffix (dc=internal,dc=yourdomain,dc=tld)
>> change the hash_encryption to MD5
>> change userLoginShell="bin/nologin"
>> and you nologin, because im Configuring ldap for samba only.
>> set the home directory ( in my case /home/users/%U )
>> set the other to your needs.
>>
>>
>> 5.4 set the samba ldap admin password
>>
>> smbpasswd -w ldapadmin_password
>> Setting stored password for "cn=admin,dc=internal,dc=yourdomain,dc=tld" in secrets.tdb
>>
>> now we go fill the ldap database with the base setup.
>>
>> smbldap-populate -a Administrator -b nobody -u 2000 -g 2000
>>
>> users are created with     uid     => 2000
>> groups are created with    gid     => 2000
>>
>>
>> !!!! DO NOT RUN THIS IF YOU ALREADY CREATED USERS. YOUR UID/GID's WILL GET
>> MESSED UP.
>>
>> smbpasswd -a root
>> because root is needed for setting up the Privileges.
>>
>> Now set the Administrator password and enable this user
>> smbldap-passwd Administrator
>> smbldap-usermod -J Administrator
>>
>>
>> 5.5 Samba PRIVILEGES Setup
>>
>> First check you rights and get to know the commands.
>>
>> net rpc rights list accounts       list users
>> net rpc rights list            list defined rights.
>>
>> to get what for rights are defined and users/groups
>>
>> IF you use a PDC/BDC setup these commands must be done on both
>> servers!!
>>
>> test these commands:
>>
>> net rpc group
>> (output)
>> Domain Admins
>> Domain Users
>> Domain Guests
>> Domain Computers
>>
>> or
>> ( see next page )
>>
>> slapcat | grep Group | grep dn
>>
>> (output)
>> dn: ou=Groups,dc=internal,dc=yourdomain,dc=tld
>> dn: cn=Domain Admins,ou=Groups,dc=internal,dc=yourdomain,dc=tld
>> dn: cn=Domain Users,ou=Groups,dc=internal,dc=yourdomain,dc=tld
>> dn: cn=Domain Guests,ou=Groups,dc=internal,dc=yourdomain,dc=tld
>> dn: cn=Domain Computers,ou=Groups,dc=internal,dc=yourdomain,dc=tld
>> dn: cn=Administrators,ou=Groups,dc=internal,dc=yourdomain,dc=tld
>> dn: cn=Print Operators,ou=Groups,dc=internal,dc=yourdomain,dc=tld
>> dn: cn=Backup Operators,ou=Groups,dc=internal,dc=yourdomain,dc=tld
>> dn: cn=Replicators,ou=Groups,dc=internal,dc=yourdomain,dc=tld
>>
>>
>> these are the privileges on samba 3.0.14a ( debian )
>> Privilege                       Description
>> SeMachineAccountPrivilege      Add machines to domain
>> SePrintOperatorPrivilege       Manage printers
>> SeAddUsersPrivilege            Add users and groups to the domain
>> SeRemoteShutdownPrivilege      Force shutdown from a remote system
>> SeDiskOperatorPrivilege        Manage disk share
>>
>>
>> give the "Domain Admins" all of the SE Rights.
>> ( -S Servername -U Username%Password )
>>
>> net -S PDC -U root%Password rpc rights grant "DOMAIN\Domain Admins" \
>>     SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege \
>>     SeDiskOperatorPrivilege SeRemoteShutdownPrivilege
>>
>>
>> Give the "Printer Operators" all Print manage rights.
>> ( -S Servername -U Username%Password )
>>
>> net -S PDC -U root%Password rpc rights grant "DOMAIN\Print Operators" \
>>     SePrintOperatorPrivilege
>> 6 CUPS - Printer software
>>
>> apt-cache search cups    to get the info which packages are available
>>
>> I installed these packages.
>> apt-get install cups-pdf cupsys cupsys-bsd cupsys-pt cupsys-client \
>>     foomatic-bin foomatic-filters cupsys-driver-gimpprint gs-esp
>> ( and dependencies )
>> Configuring cupsys-bsd
>>     Do you want to set up the BSD lpd compatibility server? Yes
>>     all others leave default.
>>
>> 6.1 Setup Cups    /etc/cups/cups.conf
>>
>>     here locate the lines Allow From 127.0.0.1
>>     and change it to your network so you can login on the cups web interface.
>>     for example:     Allow from 192.168.
>>     ( this way I can manage it from 2 departments. )
>>     (192.168.1.x and 168.192.2.x )
>>
>>     now you can logon on http://serverip:631/
>>     make it safer to manage by adding a user to lpadmin group
>>     and this user can create printer queues
>>
>>     I create printers with the following options.
>>     socket://printerIPnumber:9100  ( for hp jetdirect ), Raw, Raw_queue
>>
>>     I only use cups as spooler for windows pc's and *nix servers.
>>
>>     First we are going to create 1 printer device and this is the CUPS PDF Printer.
>>
>>
>> 6.2 Setup Cups PDF Printer. - Creating a PDF Printer
>>
>>     With this printer you can create PDF files by just printing to it.
>>
>>     - logon the web interface and choose add printer.
>>         Name:pdf_printer
>>         Location: %homedir%\cups-pdf
>>         Description: pdf created in homedir\cups-pdf
>>         Continue
>>     - Device: Virtual Printer(PDF printer) choose it, its below,
>>         Continue
>>     - Choose the model/Driver for PDF_printer, Postscript,
>>         Continue
>>
>>     click on manage printers to see what you have created.
>>     click on Print Test Page to test the pdf printer.
>>     a file is put in the cups-pdf directory of the user you logged on with.
>>
>>
>>
>>
>>
>> 7 Configuring phpldapadmin
>>
>> 7.1 installation of phpldapadmin ( and apache )
>>    
>>   get the packages
>>     apt-get install phpldapadmin php4 apache
>>
>>     What is your LDAP server host address?  127.0.0.1
>>     ( use the ip/hostname where the ldapserver is )
>>     ldaps protocol instead of ldap? No
>>
>>     What is the distinguished name of the search base?   
>>     dc=internal,dc=youdomain,dc=tld
>>
>>     Which type of authentication you want to use? session
>>     What is the login dn for the LDAP server?           
>>     cn=admin,dc=internal,dc=yourdomain,dc=tld
>>    
>>     Which web server would you like to reconfigure automatically?
>>     select all and press OK.
>>
>>     restart webservers now: Yes
>>
>> 8.0 On-Access virus scanning on samba (samba-clamav)
>> 8.1 Installing ClamAV
>>
>>   apt-get install clamav arj unzoo lha clamav-freshclam clamav-daemon
>>      Configuring clamav-freshclam :  Daemon
>>      Choose a close mirror
>>      Should clamd be notified after updates? Yes
>> 8.2 get the sources ( samba & samba-vscan )
>>
>>     mkdir /usr/src/sources
>>     cd /usr/src/sources
>>
>>     apt-get install dpkg-dev
>>     apt-get source samba
>>     apt-get build-dep samba
>>
>>     cd samba-3.0.14a
>>     vi source/include/version.h
>>
>>     here remove the a from the 14 ( 3.0.14a => 3.0.14 )
>>
>>     ./debian/rules configure-stamp
>>     cd source
>>     make proto
>>     cd ../..
>>
>>     wget http://switch.dl.sourceforge.net/sourceforge/openantivirus/samba-vscan-0.3.6b.tar.bz2
>>
>>     tar xjvf samba-vscan-0.3.6b.tar.bz2
>>
>>     cd samba-vscan-0.3.6b
>>     ./configure --with-samba-source=/usr/src/sources/samba-3.0.14a/source
>>     make && make install
>>
>>     cp clamav/vscan-clamav.conf /etc/samba/samba-vscan-clamav.conf
>>     change in the samba-vscan-clamav.conf
>>   clamd socket name = /var/run/clamav/clamd.ctl
>>   infected spins action = quarantine  ( or delete , which I choose.)
>>
>>     When I put that lines in my smb.conf file, I can't access the share:
>>     vfs object = vscan-clamav
>>     vscan-clamav: config-file = /etc/samba/samba-vscan-clamav.conf
>>
>>     An example:
>>     [public]
>>     comment = Public Directory
>>     path = /home/public
>>     vfs object = vscan-clamav
>>     vscan-clamav: config-file = /etc/samba/samba-vscan-clamav.conf
>>
>>     !!! BEWARE !!!! if samba upgrades to a higher version you MUST recompile
>>     your samba-vscan.  set samba to hold for no upgrade.
>>
>>     echo packagename hold | dpkg --set-selections     set to hold
>>     echo packagename install | dpkg --set-selections  set to install
>> 9.0 Recycle bin on samba
>> 9.1 Recycle bin configuration
>>
>>     configure samba for using the recycle bin.
>>     I made my manager happy with this.
>>
>>     create a file in /etc/samba
>>     and fill it with the options below.
>>
>>     /etc/samba/samba-recycle.conf
>>
>>     name = .recycle
>>     mode = KEEP_DIRECTORIES|VERSIONS|TOUCH
>>     maxsize = 0
>>     exclude = *.tmp|*.temp|*.o|*.obj|~$*|*.~??|~*.tmp
>>     excludedir = /tmp|/temp|/cache
>>     noversions = *.doc|*.xls|*.ppt
>>
>>     add this to you share, same as vscan.
>>
>>     vfs object = recycle
>>     recycle: config-files = /etc/samba/samba-recycle.conf
>>
>>     create a recycle bin directorie and hide it for the users.
>>
>>     I created .recycle  this way ( because of the dot) users don't see
>> this
>>     IF.. you don't set you explorer to view hidden files.
>>
>> restart samba and your done.
>>
>> You are ready to use your samba server.
>>
>>
>> Appendix 1 (complex samba-access.conf ) SETUP WITH DSA USERS
>> see http://www.idealx.org/prj/samba/smbldap-howto.en.html
>> #### users can authenticate and change their password
>> #access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
>> #      by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
>> #      by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
>> #      by dn="cn=nssldap,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
>> #      by self write
>> #      by anonymous auth
>> #      by * none
>> # some attributes need to be readable anonymously so that 'id user' can answer correctly
>> ##access to attrs=objectClass,entry,homeDirectory,uid,uidNumber,gidNumber,memberUid
>> #      by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
>> #      by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
>> #      by * read
>> # some attributes can be writable by users themselves
>> ##access to attrs=description,telephoneNumber,roomNumber,homePhone,loginShell,gecos,cn,sn,givenname
>> #      by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
>> #      by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
>> #      by self write
>> #      by * read
>> ## some attributes need to be writable for samba
>> #access to attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaMungedDial,sambaBadPasswordCount,sambaBadPasswordTime,sambaPasswordHistory,sambaLogonHours,sambaSID,sambaSIDList,sambaTrustFlags,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase,sambaShareName,sambaOptionName,sambaBoolOption,sambaIntegerOption,sambaStringOption,sambaStringListoption,sambaPrivilegeList
>> #      by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
>> #      by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
>> #      by self read
>> #      by * none
>> ## samba need to be able to create the samba domain account
>> #access to dn.base="dc=internal,dc=yourdomain,dc=tld"
>> #      by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
>> #      by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
>> #      by * none
>> ## samba need to be able to create new users account
>> #access to dn="ou=Users,dc=internal,dc=yourdomain,dc=tld"
>> #      by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
>> #      by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
>> #      by * none
>> ## samba need to be able to create new groups account
>> #access to dn="ou=Groups,dc=internal,dc=yourdomain,dc=tld"
>> #      by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
>> #      by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
>> #      by * none
>> ## samba need to be able to create new computers account
>> #access to dn="ou=Computers,dc=internal,dc=yourdomain,dc=tld"
>> #      by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
>> #      by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
>> #      by * none
>> #
>> ## this can be omitted but we leave it: there could be other branch
>> ## in the directory
>> #access to *
>> #      by self read
>> #      by * none
>>
>>
>> Appendix 2 APT
>>
>> 2.1 APT HOWTO
>>
>> Preparing apt for online packages.
>> After installing from CD or DVD adjust your apt config.
>>
>> This setup makes sure your are using stable packages, that you are
>> using
>> Debian Sarge.
>>
>> In the apt.conf we defined the default release of debian this case
>> stable (
>> Sarge 3.1r0).
>> The Show-Upgrade "true" is used for showing us the packages which
>> are going
>> to be installed, I like to see what I'm installing.
>> The sources.list  if you used a CD/DVD for installing you can leave
>> this
>> line in the sources.list. This can save you bandwidth. My server is
>> on a
>> remote location and I don't use the cd anymore. I added the clamav
>> as stable because I want a new clamav for virus scanning
>> more info : http://www.clamav.net/binary.html
>> The testing and unstable sources are also unmarked, that if you
>> really need
>> a newer version of a program then you can try to create it from debian
>> source.
>>
>> You can get the source install programs and search by using the
>> following
>> commands:
>> apt-get install package            = get & install package
>> apt-get remove package             = remove package
>> apt-get remove --purge package     = remove and purge all files of package
>> dpkg --purge package               = purge all files of package
>>
>> apt-cache search package           = search for package or part of package name
>> apt-cache show package             = get info over package
>> dpkg-reconfigure -plow package     = reconfigure with priority low ( most options )
>>
>> for this first cd /usr/src.
>> apt-get source package            = get source files of packaged
>>
>>
>> 2.2 Files from /etc/apt
>> 2.2.1 /etc/apt/apt.conf
>>
>> APT::Default-Release "stable";
>> APT::Get::Show-Upgraded "true";
>> // 16 MB Limit
>> APT::Cache-limit 16777216;
>> // if you have /tmp with no mounted with noexec, you need this.
>> #DPkg::Pre-Install-Pkgs {"mount -o remount,exec /tmp";};
>> #DPkg::Post-Invoke {"mount -o remount /tmp";};
>>
>>
>>
>> 2.2.2 /etc/apt/preferences
>>
>> Package: *
>> Pin: release a=stable
>> Pin-Priority: 990
>>
>> Package: *
>> Pin: release a=testing
>> Pin-Priority: 500
>>
>> Package: *
>> Pin: release a=unstable
>> Pin-Priority: 50
>>
>> Package: *
>> Pin: release a=sarge,l=debian-volatile
>> Pin-Priority: 990
>>
>> 2.2.3 /etc/apt/sources.list
>>
>> # See sources.list(5) for more information, especially
>> # Remember that you can only use http, ftp or file URIs
>> # CDROMs are managed through the apt-cdrom tool.
>> #-----------------------------------------------------------------
>> # We defined the PIN which sets the priority of packages selected
>> # see also the apt-howto
>> # http://www.debian.org/doc/manuals/apt-howto/index.en.html
>> # and a nice howto for apt-pinning for beginners.
>> # http://jaqque.sbih.org/kplug/apt-pinning.html
>> #-----------------------------------------------------------------
>> #-----------------------------------------------------------------
>> # Stable  PIN 990    PRODUCTION TREE
>> deb ftp://ftp.nl.debian.org/debian stable main contrib non-free
>> deb-src ftp://ftp.nl.debian.org/debian stable main contrib non-free
>> deb http://http.us.debian.org/debian stable main contrib non-free
>> # Stable Security updates
>> deb http://security.debian.org/ stable/updates main contrib non-free
>> deb-src http://security.debian.org/ stable/updates main contrib non-free
>> #------------------------------------------------------------------
>> ## Debian VOLATILE , used for clamav  PINNED 990
>> deb http://ftp.nl.debian.org/debian-volatile sarge/volatile main
>> #-----------------------------------------------------------------
>> #-----------------------------------------------------------------
>> #         WARNING USE BELOW AT OWN RISK
>> # Testing  ( PIN 500 )
>> #deb ftp://ftp.nl.debian.org/debian testing main contrib non-free
>> #deb-src ftp://ftp.nl.debian.org/debian testing main contrib non-free
>> #deb http://http.us.debian.org/debian testing main contrib non-free
>> # Testing Security updates
>> #deb http://security.debian.org/ testing/updates main contrib non-free
>> #deb-src http://security.debian.org/ testing/updates main contrib non-free
>> #-----------------------------------------------------------------
>> #-----------------------------------------------------------------
>> #         WARNING USE BELOW AT OWN RISK
>> # Unstable ( PIN 050 )
>> #deb ftp://ftp.nl.debian.org/debian unstable main contrib non-free
>> #deb-src http://ftp.nl.debian.org/debian unstable main contrib non-free
>> #deb http://http.us.debian.org/debian unstable main contrib non-free
>> # unstable Security updates
>> #deb http://security.debian.org/ unstable/updates main contrib non-free
>> #deb-src http://security.debian.org/ unstable/updates main contrib non-free
>> #-----------------------------------------------------------------
>> #-----------------------------------------------------------------
>> ####    BACKPORTS to STABLE ( Debian Sarge 3.1r0 )
>> ## Latest Samba from samba.org
>> #deb http://us4.samba.org/samba/ftp/Binary_Packages/Debian sarge samba
>> #deb-src http://us2.samba.org/samba/ftp/Binary_Packages/Debian sarge samba
>>
>> #------------------------------------------------------------------
>> ## MPEG/AVI addons +W32CODECS With MPlayer
>> #deb ftp://ftp.nerim.net/debian-marillat/ sarge main
>> #------------------------------------------------------------------
>> ## www.dotdeb.org, updated php4/php5 mysql-41 mysql-50 qmail clamav etc etc.
>> ## check the site for the packages list. if you want only 1 package ( preferred )
>> ## change the line to #deb http://packages.dotdeb.org stable php5 for example
>> #deb http://packages.dotdeb.org stable all
>> #deb-src http://packages.dotdeb.org stable all
>> #------------------------------------------------------------------
>> ## BootSplash ( does not work on every kernel ) www.bootsplash.de
>> ## http://www.planamente.ch/emidio/pages/linux_howto_bootsplash.php
>> deb http://debian.bootsplash.de unstable main
>> deb-src http://debian.bootsplash.de unstable main
>>
>>
>> 
>>
>
>
>


- --
Stéphane Purnelle <stephane.purnelle at tiscali.be>
Site Web : http://www.linuxplusvalue.be
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFEKDlX8tswkE3d0ecRAukhAJ93OqfKJk5VaRZNY14d2zONjSeL+QCeJ/6k
RUpByMjbKbCB8pCthXbTkaY=
=yaJ6
-----END PGP SIGNATURE-----
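
The check described in the reply at the top of this message, as an added example that is not part of the original post or of the quoted howto: it compares the `ldap admin dn` from smb.conf with the DNs that slapd.conf allows to write. The function names and the sample files are constructed for illustration; it assumes the parameter is spelled `ldap admin dn` in lower case and that each `by ... write` clause is on its own line, as in the howto.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.
# Question answered: does the DN Samba binds with ("ldap admin dn" in smb.conf)
# have write access according to slapd.conf?

# Filter: lower-case a DN and drop spaces around commas so spellings compare equal.
norm_dn() {
    tr '[:upper:]' '[:lower:]' | sed 's/[[:space:]]*,[[:space:]]*/,/g'
}

# Print the DN configured as "ldap admin dn" in the smb.conf given as $1.
smb_admin_dn() {
    sed -n 's/^[[:space:]]*ldap admin dn[[:space:]]*=[[:space:]]*//p' "$1" |
        tr -d '"' | sed 's/[[:space:]]*$//' | tail -n 1
}

# Print every DN that may write according to the slapd.conf given as $1:
# the rootdn (it bypasses all ACLs) and each DN named exactly in a
# "by dn=... write" clause. Group, regex and subtree clauses are not handled.
slapd_writer_dns() {
    awk '
        /^[ \t]*#/ { next }
        { line = $0; sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line) }
        line ~ /^rootdn[ \t]/ {
            sub(/^rootdn[ \t]+/, "", line); gsub(/"/, "", line); print line; next
        }
        line ~ /^by[ \t]+dn(\.(exact|base))?=.*[ \t]write$/ {
            sub(/^by[ \t]+dn(\.(exact|base))?=/, "", line)
            sub(/[ \t]+write$/, "", line); gsub(/"/, "", line); print line
        }
    ' "$1" | norm_dn | sort -u
}

# $1 = smb.conf, $2 = slapd.conf. Prints ok / no-write / no-admin-dn.
check_samba_ldap_writer() {
    admin_dn=$(smb_admin_dn "$1")
    if [ -z "$admin_dn" ]; then
        echo "no-admin-dn"; return 2
    fi
    want=$(printf '%s\n' "$admin_dn" | norm_dn)
    if slapd_writer_dns "$2" | grep -Fxq -- "$want"; then
        echo "ok"; return 0
    fi
    echo "no-write"; return 1
}

# --- constructed sample files, modelled on the howto's configuration ---
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/slapd.conf" <<'EOF'
rootdn          "cn=admin,dc=internal,dc=yourdomain,dc=tld"
access to attrs=userPassword
       by dn="cn=admin,dc=internal,dc=yourdomain,dc=tld" write
       by anonymous auth
       by self write
       by * none
access to *
       by dn="cn=admin,dc=internal,dc=yourdomain,dc=tld" write
       by * read
EOF

cat > "$SAMPLE_DIR/smb-admin.conf" <<'EOF'
[global]
   passdb backend = ldapsam:ldap://127.0.0.1
   ldap admin dn = cn=admin,dc=internal,dc=yourdomain,dc=tld
EOF

# A DSA-style bind user that the sample slapd.conf does not let write.
cat > "$SAMPLE_DIR/smb-dsa.conf" <<'EOF'
[global]
   passdb backend = ldapsam:ldap://127.0.0.1
   ldap admin dn = "cn=samba, ou=DSA, dc=internal,dc=yourdomain,dc=tld"
EOF

# No bind DN at all: Samba does not know which user to connect as.
cat > "$SAMPLE_DIR/smb-none.conf" <<'EOF'
[global]
   passdb backend = ldapsam:ldap://127.0.0.1
EOF

for f in smb-admin.conf smb-dsa.conf smb-none.conf; do
    printf '%s: %s\n' "$f" \
        "$(check_samba_ldap_writer "$SAMPLE_DIR/$f" "$SAMPLE_DIR/slapd.conf")"
done
```

An `ok` result only covers the ACL side; the password for that DN still has to be stored with `smbpasswd -w` before `smbpasswd -a` can bind.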


