[Samba] Samba-LDAP not quite working - help!
Gary Dale
garydale at torfree.net
Mon Mar 27 22:13:06 GMT 2006
The first step in 5.4 is smbpasswd -w <password>. I've done that and it
succeeded. It currently reports that it set the password for "samba",
which is the user defined in smb.conf. phpldapadmin shows samba as being
a "gecos: System User" in objectClasses top, inetOrgPerson,
posixAccount, shadowAccount.
The slapd.conf file includes samba-access.conf, which gives admin and
samba extensive write privileges. The admin privileges are taken from
the howto below, while the ones for samba are from the idealx.org
manual. They also give others the right to modify some of their own
information.
Stéphane Purnelle wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>This howto contain some error I think, before truy a smbpasswd, Samba
>must have the information
>what user must I use to connect to LDAP, this question is answered
>with the ldap admin dn parameter in smb.conf. If there a user, there
>a password. For specifye the password, you must you the commande
>smbpasswd -w xxxx (xxxx = the passwd of the user)
>
>ATTENTION : in your slapd.conf, only admin can write. If you want to
>use other ldap user, you must modify you slapd.conf
>
>Gary Dale a écrit :
>
>
>>I was trying to follow the howto below to get Samba-LDAP working on
>>my Debian/Sarge server. I'm stuck in section 5.4:
>>
>>When I try the "smbpasswd -a root" I get:
>>semper:/etc/phpldapadmin/templates# smbpasswd -a root
>>New SMB password:
>>Retype new SMB password:
>>ldapsam_modify_entry: Failed to add user dn=
>>uid=root,ou=Users,dc=rahim-dale,dc=org with: Insufficient access
>> no write access to parent
>>ldapsam_add_sam_account: failed to modify/add user with uid = root
>>(dn = uid=root,ou=Users,dc=rahim-dale,dc=org)
>>Failed to add entry for user root.
>>Failed to modify password entry for user root
>>
>>
>>The next two steps are:
>>smbldap-passwd Administrator -- this works
>>smbldap-usermod -J Administrator -- this fails
>>
>>And after that nothing works.
>>
>>I've managed to get phpldapadmin working (finally) but that doesn't
>>seem to help. I can add accounts, etc., but they don't seem to help.
>>When I try to get a Windows XP computer to join the domain, I get
>>"logon failure: unknown user name or bad password".
>>
>>I can browse the network from a Windows XP machine as well, but
>>can't connect to any network shares that have any security on them.
>>
>>I've gone through the idealx.org smb-ldap documentation and can't
>>see anything obvious that I'm doing wrong. Nor have I found anything
>>in searches that tells me any more than what the immediate error
>>message says (basically they seem to say it's a rights issue so fix
>>it without specifying how to do it).
>>
>>Please help!
>>
>>
>>
>>Louis van Belle wrote:
>>
>>
>>
>>>Hi everybody,
>>>I made a pretty complete howto for samba on debian servers.
>>>
>>>This howto covers samba + ldap + cups + recycle bin + samba-vscan
>>>+ phpldapadmin + ACL + Extended Attributes.
>>>
>>>this howto is also based on the idealx howto
>>>
>>>If you do this setup, you should be able to use the NT4 Usermanager,
>>>setup Point en Print Printing. set rights from explorer etc.
>>>other nice tools is ldapadmin ( ldapadmin.sf.net ) a must check it
>>>out.
>>>
>>>We will use a Debian Sarge as setup. If you never used Debian
>>>before, you can follow this how-to
>>>(http://www.howtoforge.com/perfect_setup_debian_sarge ) , please
>>>read the comment below the pages first, this can save you time and
>>>problems or install Debian without any software packaged, we will
>>>install them later when needed.
>>>Checking the kernel of compile your own kernel if needed.
>>>
>>>I try to give a complete solution for this how-to, this is because
>>>lots of people where asking the same things on the samba list and
>>>lots of people make the same mistakes.
>>>
>>>This is my company's running setup.
>>>
>>>I run this on a P866, 512 Ram, Scsi Raid 1 ( 15rpms 73 Gb ) , with
>>>50 users 25 printers which do about 150.000 prints a month.
>>>
>>>I thank my company to let me make this document.
>>>
>>>
>>>Please if you have improvements, comments, send them to me.
>>>
>>>Louis van Belle
>>>
>>>
>>>
>>>
>>>
>>>INDEX
>>>Page nr.
>>>
>>>1 Checking the kernel or compile your own kernel 3
>>>1.1 Preparing apt configuration 3
>>>1.2 Preparing the kernel 3
>>>1.3 setup the /etc/fstab 3
>>>1.4 final touch, lilo (or grub) 3
>>>2 Pre-installation of the debian packages 4
>>>2.1 Samba and Ldap 4
>>>2.2 basic rights setup for samba 4
>>>2.3 why this rights setup. 4
>>>3 LDAP Server configuration 5
>>>4 installation/configuration libnss, libpam (-ldap) 7
>>>5 Samba and smbldap-tools Configuration 8
>>>5.1 smbldap-tools installation/configuration 8
>>>5.2 setting up samba base config 8
>>>5.3 Configuring smbldap.conf 9
>>>5.4 set the samba ldap admin password 9
>>>5.5 Samba PRIVILEGES Setup 10
>>>6 CUPS - Printer software 11
>>>6.1 Setup Cups 11
>>>6.2 Setup Cups PDF Printer. - Creating a PDF Printer 11
>>>7 Configuring phpldapadmin 12
>>>7.1 installation of phpldapadmin ( and apache ) 12
>>>8.0 On-Access virus scanning on samba (samba-clamav) 13
>>>8.1 Installing ClamAV 13
>>>8.2 get the sources ( samba & samba-vscan ) 13
>>>9.0 Recycle bin on samba 14
>>>9.1 Recycle bin configuration 14
>>>Appendix 1 (complex samba-access.conf ) SETUP WITH DSA USERS 15
>>>Appendix 2 APT 16
>>>2.1 APT HOWTO 16
>>>2.2 Files from /etc/apt 17
>>>2.2.1 /etc/apt/apt.conf 17
>>>2.2.2 /etc/apt/preferences 17
>>>
>>>
>>>
>>>
>>>1 Checking the kernel or compile your own kernel
>>>1.1 Preparing apt configuration
>>>
>>> for this go check out my apt howto.
>>>
>>> if you apt config is setup rights, follow the steps below.
>>>
>>> ncurses interface for compiling the kernel apt-get install
>>>libncurses5-dev
>>>
>>> get the kernel source apt-get install kernel-source-2.6.8
>>>kernel-package
>>>
>>> installer right kernel and activate EXT2/3 + Extended
>>>attributes and setup CIFS kernel support to in kernel.
>>>
>>>1.2 Preparing the kernel
>>> apt-get install kernel-source-2.6.8 kernel-package fakeroot
>>>libc6-dev libncurses5-dev
>>>
>>> cd /usr/src tar -jxf kernel-source-2.6.8.tar.bz2
>>> ln -s /usr/src/linux /usr/src/kernel-source-2.6.8
>>> cp /boot/config-2.6.8-2-* /usr/src/linux/.config
>>> cd linux
>>> make menuconfig - File systems - Ext2/3 + extended options
>>> also File systems - Miscellaneous filesystems -
>>>CramFS
>>> and File systems - Network File Systems - CIFS
>>>support
>>> + extended Attributes
>>> now create the kernel and install it.
>>>
>>> fakeroot make-kpkg --append-to-kernel=-mykernel --initrd
>>>kernel_image
>>>
>>> This create a file kernel-image-2.6.8.custom.1.0_i386.deb under
>>> /usr/src
>>>
>>> dpkg -i kernel-image-2.6.8.custom.1.0_i386.deb to install the
>>>kernel
>>>1.3 setup the /etc/fstab
>>>
>>> /etc/fstab : add the acl and user_xattr to the right partition
>>>
>>> /dev/xxx /home ext3 defaults,acl,user_xattr
>>>
>>> I use /home/samba for the samba environment. All the needed
>>>samba directories will be put here. !! This is important !
>>>1.4 final touch, lilo (or grub)
>>> lilo and reboot , login and do 'uname -a' and you wil see a line
>>>like this.
>>> Linux ms249-lin-001 2.6.8-mykernel #1 Wed Jun 1 15:03:47 CEST 2005
>>>i686
>>> Your server is now ready for samba 3. 2 Pre-installation of the
>>>debian packages 2.1 Samba and Ldap
>>>
>>> apt-get install slapd samba libsasl2-modules sasl2-bin openssl
>>>db4.2-util ldap-utils samba-doc libxml-parser-perl libauthen-sasl-perl
>>>
>>>Configuring slapd set an dns name - internal.yourdomain.tld
>>> - Give it a name/description - set that admin password for
>>>the ldap manager ( cn=admin,dc=internal,dc=yourdomain,dc=tld
>>> - Allow LDAPv2 protocol? yes
>>>
>>>Configure samba
>>> set a domain name DOMAIN
>>> Use password encryption? Yes Modify smb.conf to use WINS
>>>settings from DHCP? No How do you want to run Samba? Daemons
>>> Create samba password database, /var/lib/samba/passdb.tdb? No !!!
>>>else
>>> you will end up with lots of users from debian in this password
>>>file
>>>and you don't want that.
>>>
>>>Setup samba.schema file for ldap
>>> zcat /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz >
>>>/etc/ldap/schema/samba.schema
>>>
>>>In this setup I use /home/samba for the samba environment.
>>> i use these directories.
>>> /home/samba skel,data,profiles,netlogon,printers,spool
>>> /home/users/ username
>>>
>>>2.2 basic rights setup for samba
>>>
>>> /home/samba 777 Administrator:Domain
>>>Admins
>>> /home/samba/spool 777 Administrator:Domain
>>>Admins
>>> /home/samba/printers 775 Administrator:Domain Admins
>>> /home/samba/profiles 777 Administrator:Domain Admins
>>> /home/samba/netlogon 775 Administrator:Domain Admins
>>> /home/samba/data 775 Administrator:Domain
>>>Admins
>>> /home/samba/temp 777 Administrator:Domain
>>>Admins
>>> /home/samba/tools 755 Administrator:Domain
>>>Admins
>>> /home/samba/skel 755 Administrator:Domain
>>>Admins
>>>
>>>
>>>2.3 why this rights setup.
>>>
>>> 1 Administrator can create in complete samba environment.
>>> 2 In data directories my users are not allowed to create sub
>>>dir's,
>>>I
>>> create one for the department, and set rights to that department,
>>>from that point they can create directories. 3 Profiles
>>>777, in the samba config is a parameter defined valid users =
>>>%u @"Domain Administrators" Only the user and administrator
>>>can access the user profile
>>>directories.
>>> create mask and directory mask make sure rights are set primary to
>>>the user.
>>>3 LDAP Server configuration
>>>
>>> Configure slapd.conf, but first stop the slapd server (
>>>/etc/init.d/slapd stop )
>>>
>>> Create ldap certificates for ssl support
>>> mkdir /etc/ldap/tls
>>>
>>> ## self signed certificate
>>> openssl req -newkey rsa:1024 -x509 -nodes -out ldap-server.pem -
>>>keyout
>>> ldap-server.pem -days 3650 ( where Common Name =
>>>ldap.yourdomain.tld )
>>>
>>> edit /etc/ldap/slapd.conf
>>> put these below the other line, the order of schema files must be
>>>
>>> correct.
>>> insert the line "include /etc/ldap/schema/samba.schema"
>>>
>>> add these line before the database definition
>>> TLSCACertificateFile /etc/ldap/ssl/ldap-server.pem
>>> TLSCertificateFile /etc/ldap/ssl/ldap-server.pem
>>> TLSCertificateKeyFile /etc/ldap/ssl/ldap-server.pem
>>>
>>>Now its time for the ldap database configuration for samba
>>>
>>>example of the /etc/slapd.conf ( database 1 configuration )
>>>#######################################################################
>>>
>>># Specific Directives for database #1, of type bdb:
>>># Database specific directives apply to this databasse until another
>>># 'database' directive occurs
>>>database bdb
>>>
>>># The base of your directory in database #1
>>>suffix "dc=internal,dc=yourdomain,dc=tld"
>>>
>>>rootdn "cn=admin,dc=rotterdam,dc=bazuin,dc=nl"
>>>rootpw {MD5}fsadsdafasfaewfw
>>> ## create the rootpw ## echo rootpw `slappasswd -h {Md5}` >>
>>>/etc/ldap/slapd.conf
>>>
>>># Where the database file are physically stored for database #1
>>>directory "/var/lib/ldap"
>>>
>>># Indexing options for database #1
>>>### !!!!! Always run slapindex(8) after changing indices!!!!!!
>>>### and first STOP the LDAP SERVER ( /etc/init.d/slapd stop )
>>>index objectClass,uidNumber,gidNumber eq
>>>index cn,sn,uid,displayName pres,eq,sub
>>>index memberUid,mail,givenname eq,subinitial
>>>index sambaSID,sambaPrimaryGroupSID,sambaDomainName, eq
>>>## default index
>>>index default eq
>>>
>>># Save the time that the entry gets modified, for database #1
>>>lastmod on
>>>
>>># Where to store the replica logs for database #1
>>>replogfile /var/lib/ldap/replog
>>># The userPassword by default can be changed
>>># by the entry owning it if they are authenticated.
>>># Others should not be able to see it, except the
>>># admin entry below
>>># These access lines apply to database #1 only
>>>access to attrs=userPassword
>>> by dn="cn=admin,dc=internal,dc=yourdomain,dc=tld" write
>>> by anonymous auth
>>> by self write
>>> by * none
>>>
>>>
>>># Ensure read access to the base for things like
>>># supportedSASLMechanisms. Without this you may
>>># have problems with SASL not knowing what
>>># mechanisms are available and the like.
>>># Note that this is covered by the 'access to *'
>>># ACL below too but if you change that as people
>>># are wont to do you'll still need this if you
>>># want SASL (and possible other things) to work
>>># happily.
>>>access to dn.base="" by * read
>>>
>>># The admin dn has full write access, everyone else
>>># can read everything.
>>>access to *
>>> by dn="cn=admin,dc=internal,dc=yourdomain,dc=tld" write
>>> by * read
>>>
>>># samba access list
>>>include /etc/ldap/samba-access.conf
>>>
>>>Example of the /etc/samba-access.conf ( database 1 configuration )
>>>### OLD Samba no DSA users used
>>>access to
>>>
>>>
>>>
>attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdM
>
>
>>>ustChange
>>> by dn="cn=admin,dc=internal,dc=yourdomain,dc=tld" write
>>> by anonymous auth
>>> by self write
>>> by * none
>>>
>>>access to attrs=loginShell
>>> by dn="cn=admin,dc=internal,dc=yourdomain,dc=tld" write
>>> by * none
>>>
>>>access to
>>>
>>>
>>>
>attrs=description,telephoneNumber,roomNumber,homePhone,gecos,cn,sn,givenname
>
>
>>> by dn="cn=admin,dc=internal,dc=yourdomain,dc=tld" write
>>> by self write
>>> by * read
>>>
>>>
>>>See appendix 1 if you want a more secure ldap database.
>>>!! this setup does not help you to setting this up. !!
>>>
>>>run slapindex
>>>and start the slapd server
>>>/etc/init.d/slapd start
>>>4 installation/configuration libnss, libpam (-ldap)
>>>
>>>apt-get install libnss-ldap libpam-ldap
>>>
>>>Configuring libnss-ldap
>>> define the host
>>> 127.0.0.1
>>> distinguished name of the search base
>>> dc=internal,dc=yourdomain,dc=tld
>>>
>>> LDAP version to use
>>> 3
>>> database requires login
>>> No
>>> Make configuration readable/writeable by owner only
>>> No
>>>
>>>Configuring libpam-ldap
>>> Make local root Database admin.
>>> Yes
>>> Database requires logging in.
>>> No
>>> Root login account
>>> cn=admin,dc=internal,dc=yourdomain,dc=tld
>>> set your password
>>> ( same as above for admin )
>>>
>>> Local crypt to use when changing passwords
>>> exop
>>>
>>>Configure nsswitch
>>># /etc/nsswitch.conf
>>>#
>>># Example configuration of GNU Name Service Switch functionality.
>>># If you have the `glibc-doc' and `info' packages installed, try:
>>># `info libc "Name Service Switch"' for information about this file.
>>>
>>>passwd: compat ldap
>>>group: compat ldap
>>>shadow: compat ldap
>>>
>>>hosts: files dns
>>>networks: files
>>>
>>>protocols: db files
>>>services: db files
>>>ethers: db files
>>>rpc: db files
>>>
>>>netgroup: nis
>>>
>>>
>>>Now test the server ldapsearch -x -D
>>>"cn=admin,dc=internal,dc=yourdomain,dc=tld" -W
>>>(enter the password)
>>>if you see result: 0 Success
>>>
>>>for now this is ok.
>>>5 Samba and smbldap-tools Configuration
>>>
>>>5.1 smbldap-tools installation/configuration
>>>
>>>apt-get install smbldap-tools
>>>
>>>copy the default config from the example directorie.
>>>cp /usr/share/doc/smbldap-tools/examples/smbldap_bind.conf
>>>/etc/smbldap-tools/
>>>
>>>cp /usr/share/doc/smbldap-tools/examples/smbldap.conf.gz
>>>/etc/smbldap-tools/
>>>cd /etc/smbldap-tools
>>>gunzip smbldap.conf.gz
>>>
>>>first the easy part.
>>>
>>>in /etc/smbldap-tools/smbldap_bind.conf
>>>change this to admin
>>>slaveDN="cn=admin,dc=internal,dc=yourdomain,dc=tld"
>>>slavePw="Yourpassword"
>>>masterDN="cn=admin,dc=internal,dc=yourdomain,dc=tld"
>>>masterPw="Yourpassword"
>>>
>>>5.2 setting up samba base config
>>>
>>>start with the default config
>>>cd /etc/samba
>>>cp /usr/share/doc/smbldap-tools/examples/smb.conf.gz /etc/samba
>>>gunzip smb.conf.gz
>>>
>>>change the config to your needs
>>>some tips using samba on a firewalled system
>>>use the following setting, here eth0 is the internal side
>>>
>>> interfaces = eth0 lo
>>> bind interfaces only = yes
>>>
>>>change the binary location from /opt/.. to /usr/sbin/smbldap-....
>>>the smbldap-tools are installed by debian in /usr/sbin
>>>
>>>also in this setup /home/. must be changed to /home/samba/. This
>>>will save you a lot of troubles with rights.
>>>
>>>
>>>5.3 Configuring smbldap.conf
>>>
>>>first we need to get some samba info
>>>
>>>net getlocalsid
>>>
>>>SID for domain SERVERNAME is:
>>>S-1-5-21-2074673303-3377769770-2933042573
>>>change the SID in smbldap.conf in the your sid.
>>>
>>>
>>>change the suffix to your suffix (dc=internal,dc=yourdomain,dc=tld)
>>>change the hash_encryption to MD5
>>>change userLoginShell="bin/nologin"
>>>and you nologin, because im Configuring ldap for samba only.
>>>set the home directory ( in my case /home/users/%U )
>>>set the other to your needs.
>>>
>>>
>>>5.4 set the samba ldap admin password
>>>
>>>smbpasswd -w ldapadmin_password Setting stored password for
>>>"cn=admin,dc=internal,dc=yourdomain,dc=tld" in
>>>secrets.tdb
>>>
>>>now we go fill the ldap database with the base setup.
>>>
>>>smbldap-populate -a Administrator -b nobody -u 2000 -g 2000
>>>
>>>users are created with uid => 2000 groups are created
>>>with gid => 2000
>>>
>>>
>>>!!!! DO NOT RUN THIS IF YOU ALREADY CREATED USERS. YOUR UID/GID's
>>>WILL GET
>>>MESSED UPPED.
>>>
>>>smbpasswd -a root
>>>because root is needed for setting up the Privileges.
>>>
>>>Now set the Administrator password and enable this user
>>>smbldap-passwd Administrator
>>>smbldap-usermod -J Administrator
>>>
>>>
>>>5.5 Samba PRIVILEGES Setup
>>>
>>>First check you rights and get to know the commands.
>>>
>>>net rpc rights list accounts list users
>>>net rpc rights list list defined rights.
>>>
>>>to get what for rights are defined and users/groups
>>>
>>>IF you use a PDC/BDC setup these commands must be done on both
>>>servers!!
>>>
>>>test these commands:
>>>
>>>net rpc group
>>>(output)
>>>Domain Admins
>>>Domain Users
>>>Domain Guests
>>>Domain Computers
>>>
>>>or
>>>( see next page )
>>>
>>>slapcat | grep Group | grep dn
>>>
>>>(output)
>>>dn: ou=Groups,dc=internal,dc=yourdomain,dc=tld
>>>dn: cn=Domain Admins,ou=Groups,dc=internal,dc=yourdomain,dc=tld
>>>dn: cn=Domain Users,ou=Groups,dc=internal,dc=yourdomain,dc=tld
>>>dn: cn=Domain Guests,ou=Groups,dc=internal,dc=yourdomain,dc=tld
>>>dn: cn=Domain Computers,ou=Groups,dc=internal,dc=yourdomain,dc=tld
>>>dn: cn=Administrators,ou=Groups,dc=internal,dc=yourdomain,dc=tld
>>>dn: cn=Print Operators,ou=Groups,dc=internal,dc=yourdomain,dc=tld
>>>dn: cn=Backup Operators,ou=Groups,dc=internal,dc=yourdomain,dc=tld
>>>dn: cn=Replicators,ou=Groups,dc=internal,dc=yourdomain,dc=tld
>>>
>>>
>>>these are the privileges on samba 3.0.14a ( debian )
>>>Privilege Description
>>>SeMachineAccountPrivilege Add machines to domain
>>>SePrintOperatorPrivilege Manage printers
>>>SeAddUsersPrivilege Add users and groups to the domain
>>>SeRemoteShutdownPrivilege Force shutdown from a remote system
>>>SeDiskOperatorPrivilege Manage disk share
>>>
>>>
>>>give the "Domain Admins" all of the SE Rights.
>>>( -S Servernaam -U Username%Password )
>>>
>>>net -S PDC -U root%Password rpc rights grant "DOMAIN\Domain Admins" \
>>>SeMachineAccountPrivilege SePrintOperatorPrivilege
>>>SeAddUsersPrivilege \ SeDiskOperatorPrivilege
>>>SeRemoteShutdownPrivilege
>>>
>>>
>>>Give the "Printer Operators" all Print manage rights. ( -S
>>>Servernaam -U Username%Password )
>>>
>>>net -S PDC -U root%Password rpc rights grant "DOMAIN\Print Operators"
>>>SePrintOperatorPrivilege
>>>6 CUPS - Printer software
>>>
>>>apt-cache search cups to get the info which packages are available
>>>
>>>I installed these packages.
>>>apt-get install cups-pdf cupsys cupsys-bsd cupsys-pt cupsys-client \
>>>foomatic-bin foomatic-filters cupsys-driver-gimpprint gs-esp ( and
>>>dependencies )
>>>Configuring cupsys-bsd
>>> Do you want to set up the BSD lpd compatibility server? Yes
>>> all others leave default.
>>>
>>>6.1 Setup Cups /etc/cups/cups.conf
>>>
>>> here locate the lines Allow From 127.0.0.1
>>> and change it to your network so you can login on the cups web
>>>interface.
>>> for example: Allow from 192.168.( this way I can manage it
>>>from 2 departments. )
>>> (192.168.1.x and 168.192.2.x )
>>>
>>> now you can logon on http://serverip:631/ make it safer to
>>>manage by adding a user to lpadmin group
>>> and this user can create printer queues
>>>
>>> I create printers with the following options.
>>> socket://printerIPnumber:9100 ( for hp jetdirect ), Raw,
>>>Raw_queue
>>>
>>> I only use cups as spooler for windows pc's and *nix servers.
>>>
>>> First we are going to create 1 printer device and this is the CUPS
>>>PDF Printer.
>>>
>>>
>>>6.2 Setup Cups PDF Printer. - Creating a PDF Printer
>>>
>>> With this printer you can create PDF files bij just printing to
>>>it.
>>>
>>> - logon the web interface and choose add printer.
>>> Name:pdf_printer
>>> Location: %homedir%\cups-pdf
>>> Description: pdf created in homedir\cups-pdf
>>> Continue
>>> - Device: Virtual Printer(PDF printer) choose it, its below,
>>> Continue
>>> - Choose the model/Driver for PDF_printer, Postscript,
>>>Continue
>>>
>>> klik on manage printers to see what you have created.
>>> klik on Print Test Page to test the pdf printer.
>>> a file is put in the cups-pdf directory of the user you logged on
>>>with.
>>>
>>>
>>>
>>>
>>>
>>>7 Configuring phpldapadmin
>>>
>>>7.1 installation of phpldapadmin ( and apache )
>>>
>>> get the packages
>>> apt-get install phpldapadmin php4 apache
>>>
>>> What is your LDAP server host address? 127.0.0.1 ( you the
>>>ip/hostname where the ldapserver is )
>>> ldaps protocol instead of ldap? No
>>>
>>> What is the distinguished name of the search base?
>>> dc=internal,dc=youdomain,dc=tld
>>>
>>> Which type of authentication you want to use? session
>>> What is the login dn for the LDAP server?
>>> cn=admin,dc=internal,dc=yourdomain,dc=tld
>>>
>>> Which web server would you like to reconfigure automatically?
>>> select all and press OK.
>>>
>>> restart webservers now: Yes
>>>
>>>8.0 On-Access virus scanning on samba (samba-clamav) 8.1 Installing
>>>ClamAV
>>>
>>> apt-get install clamav arj unzoo lha clamav-freshclam
>>>clamav-daemon Configuring clamav-freshclam : Daemon
>>> Choose a close mirror
>>> Should clamd be notified after updates? Yes
>>>8.2 get the sources ( samba & samba-vscan )
>>>
>>> mkdir /usr/src/sources
>>> cd /usr/src/sources
>>>
>>> apt-get install dpkg-dev
>>> apt-get source samba
>>> apt-get build-dep samba
>>>
>>> cd samba-3.0-14a
>>> vi source/include/version.h
>>>
>>> here remove the a from the 14 ( 3.0.14a => 3.0.14 )
>>>
>>> ./debian/rules configure-stamp
>>> cd source
>>> ./make proto
>>> cd ../..
>>>
>>> wget
>>>
>>>
>>>
>http://switch.dl.sourceforge.net/sourceforge/openantivirus/samba-vscan-0.3.6
>
>
>>>b.tar.bz2
>>>
>>> tar xjvf samba-vscan-0.3.6b.tar.bz2
>>>
>>> cd samba-vscan-0.3.6b
>>> ./configure
>>>--with-samba-source=/usr/src/sources/samba-3.0.14a/source make
>>>&& make install
>>>
>>> cp clamav/vscan-clamav.conf /etc/samba/samba-vscan-clamav.conf
>>> change in the samba-vscan-clamav.conf
>>> clamd socket name = /var/run/clamav/clamd.ctl
>>> infected spins action = quarantine ( or delete , which I choose.)
>>>
>>> When I put that lines in my smb.conf file, I can't access the
>>>share
>>>:
>>> vfs object = vscan-clamav
>>> vscan-clamav: config-file = /etc/samba/samba-vscan-clamav.conf
>>>
>>> An example:
>>> [public]
>>> comment = Public Directory
>>> path = /home/public
>>> vfs object = vscan-clamav
>>> vscan-clamav: config-file = /etc/samba/samba-vscan-clamav.conf
>>>
>>> !!! BEWARE !!!! if samba upgrade to a higer version you MUST
>>>recompile
>>> your samba-vscan. set samba to hold for no upgrade.
>>>
>>> echo packagename hold | dpkg --set-selections set to hold
>>> echo packagename install | dpkg --set-selections set to install
>>>9.0 Recycle bin on samba
>>>9.1 Recycle bin configuration
>>>
>>> configure samba for using the recycle bin.
>>> I made my manager happy with this.
>>>
>>> create a file in /etc/samba
>>> and fill it with the options below.
>>>
>>> /etc/samba/samba-recycle.conf
>>>
>>> name = .recycle
>>> mode = KEEP_DIRECTORIES|VERSIONS|TOUCH
>>> maxsize = 0
>>> exclude = *.tmp|*.temp|*.o|*.obj|~$*|*.~??|~*.tmp
>>> excludedir = /tmp|/temp|/cache
>>> noversions = *.doc|*.xls|*.ppt
>>>
>>> add this to you share, same as vscan.
>>>
>>> vfs object = recycle
>>> recycle: config-files = /etc/samba/samba-recycle.conf
>>>
>>> create a recycle bin directorie and hide it for the users.
>>>
>>> I created .recycle this way ( because of the dot) users don't see
>>>this
>>> IF.. you don't set you explorer to view hidden files.
>>>
>>>restart samba and your done.
>>>
>>>You are ready to use your samba server.
>>>
>>>
>>>Appendix 1 (complex samba-access.conf ) SETUP WITH DSA USERS
>>>see http://www.idealx.org/prj/samba/smbldap-howto.en.html
>>>#### users can authenticate and change their password
>>>#access to
>>>
>>>
>>>
>attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdM
>
>
>>>ustChange
>>># by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
>>># by
>>>dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld"
>>>write
>>># by dn="cn=nssldap,ou=DSA,dc=internal,dc=yourdomain,dc=tld"
>>>write
>>># by self write
>>># by anonymous auth
>>># by * none
>>># some attributes need to be readable anonymously so that 'id user'
>>>can
>>>answer correctly
>>>##access to
>>>attrs=objectClass,entry,homeDirectory,uid,uidNumber,gidNumber,memberUid
>>>
>>># by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
>>># by
>>>dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld"
>>>write
>>># by * read
>>># somme attributes can be writable by users themselves
>>>##access to
>>>
>>>
>>>
>attrs=description,telephoneNumber,roomNumber,homePhone,loginShell,gecos,cn,s
>
>
>>>n,givenname
>>># by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
>>># by
>>>dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld"
>>>write
>>># by self write
>>># by * read
>>>## some attributes need to be writable for samba
>>>#access to
>>>
>>>
>>>
>attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,samb
>
>
>>>
>>>
>aLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcctF
>
>
>>>
>>>
>lags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfileP
>
>
>>>
>>>
>ath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,s
>
>
>>>
>>>
>ambaMungedDial,sambaBadPasswordCount,sambaBadPasswordTime,sambaPasswordHisto
>
>
>>>
>>>
>ry,sambaLogonHours,sambaSID,sambaSIDList,sambaTrustFlags,sambaGroupType,samb
>
>
>>>
>>>
>aNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase,sambaSha
>
>
>>>
>>>
>reName,sambaOptionName,sambaBoolOption,sambaIntegerOption,sambaStringOption,
>
>
>>>sambaStringListoption,sambaPrivilegeList
>>># by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
>>># by
>>>dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld"
>>>write
>>># by self read
>>># by * none
>>>## samba need to be able to create the samba domain account
>>>#access to dn.base="dc=internal,dc=yourdomain,dc=tld"
>>># by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
>>># by
>>>dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld"
>>>write
>>># by * none
>>>## samba need to be able to create new users account
>>>#access to dn="ou=Users,dc=internal,dc=yourdomain,dc=tld"
>>># by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
>>># by
>>>dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld"
>>>write
>>># by * none
>>>## samba need to be able to create new groups account
>>>#access to dn="ou=Groups,dc=internal,dc=yourdomain,dc=tld"
>>># by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
>>># by
>>>dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld"
>>>write
>>># by * none
>>>## samba need to be able to create new computers account
>>>#access to dn="ou=Computers,dc=internal,dc=yourdomain,dc=tld"
>>># by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
>>># by
>>>dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld"
>>>write
>>># by * none
>>>#
>>>## this can be omitted but we leave it: there could be other branch
>>>## in the directory
>>>#access to *
>>># by self read
>>># by * none
>>>
>>>
>>>Appendix 2 APT
>>>
>>>2.1 APT HOWTO
>>>
>>>Preparing apt for online packages.
>>>After installing from CD or DVD adjust your apt config.
>>>
>>>This setup makes sure your are using stable packages, that you are
>>>using
>>>Debian Sarge.
>>>
>>>In the apt.conf we defined the default release of debian this case
>>>stable (
>>>Sarge 3.1r0).
>>>The Show-Upgrade "true" is used for showing us the packages which
>>>are going
>>>to be installed, I like to see what I'm installing.
>>>The sources.list if you used a CD/DVD for installing you can leave
>>>this
>>>line in the sources.list. This can save you bandwidth. My server is
>>>on a
>>>remote location and I don't use the cd anymore. I added the clamav
>>>as stable because I want a new clamav for virus scanning
>>>more info : http://www.clamav.net/binary.html
>>>The testing and unstable sources are also unmarked, that if you
>>>really need
>>>a newer version of a program then you can try to create it from debian
>>>source.
>>>
>>>You can get the source install programs and search by using the
>>>following
>>>commands:
>>>apt-get install package = get & install package apt-get
>>>remove package = remove package
>>>apt-get remove --purge package = remove and purge all files
>>>of package
>>>dpkg --purge package = purge all files of package
>>>
>>>apt-cache search package = search for package or part of
>>>package name apt-cache show package = get info over
>>>package
>>>dpkg-reconfigure -plow package = reconfigure with priority low
>>>( most
>>>options )
>>>
>>>for this first cd /usr/src.
>>>apt-get source package = get source files of packaged
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>2.2 Files from /etc/apt
>>>2.2.1 /etc/apt/apt.conf
>>>
>>>APT::Default-Release "stable";
>>>APT::Get::Show-Upgraded "true";
>>>// 16 MB Limit
>>>APT::Cache-limit 16777216;
>>>// if you have /tmp with no mounted with noexec, you need this.
>>>#DPkg::Pre-Install-Pkgs {"mount -o remount,exec /tmp";};
>>>#DPkg::Post-Invoke {"mount -o remount /tmp";};
>>>
>>>
>>>
>>>2.2.2 /etc/apt/preferences
>>>
>>>Package: *
>>>Pin: release a=stable
>>>Pin-Priority: 990
>>>
>>>Package: *
>>>Pin: release a=testing
>>>Pin-Priority: 500
>>>
>>>Package: *
>>>Pin: release a=unstable
>>>Pin-Priority: 50
>>>
>>>Package: *
>>>Pin: release a=sarge,l=debian-volatile
>>>Pin-Priority: 990
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>2.2.3 /etc/apt/sources.list
>>>
>>># See sources.list(5) for more information, especialy
>>># Remember that you can only use http, ftp or file URIs
>>># CDROMs are managed through the apt-cdrom tool.
>>>#-----------------------------------------------------------------
>>># We definect the PIN which sets the prioratie of packages selects
>>># see also the apt-howto
>>># http://www.debian.org/doc/manuals/apt-howto/index.en.html
>>># and a nice howto for apt-pinning for beginners.
>>># http://jaqque.sbih.org/kplug/apt-pinning.html
>>>#-----------------------------------------------------------------
>>>#-----------------------------------------------------------------
>>># Stable PIN 990 PRODUCTION TREE
>>>deb ftp://ftp.nl.debian.org/debian stable main contrib non-free
>>>deb-src ftp://ftp.nl.debian.org/debian stable main contrib non-free
>>>deb http://http.us.debian.org/debian stable main contrib non-free
>>># Stable Security updates deb http://security.debian.org/
>>>stable/updates main contrib non-free
>>>deb-src http://security.debian.org/ stable/updates main contrib
>>>non-free
>>>#------------------------------------------------------------------
>>>## Debian VOLATILE , used for clamav PINNED 990
>>>deb http://ftp.nl.debian.org/debian-volatile sarge/volatile main
>>>#-----------------------------------------------------------------
>>>#-----------------------------------------------------------------
>>># WARNING USE BELOW AT OWN RISK
>>># Testing ( PIN 500 )
>>>#deb ftp://ftp.nl.debian.org/debian testing main contrib non-free
>>>#deb-src ftp://ftp.nl.debian.org/debian testing main contrib non-free
>>>#deb http://http.us.debian.org/debian testing main contrib non-free
>>># Testing Security updates #deb http://security.debian.org/
>>>testing/updates main contrib non-free
>>>#deb-src http://security.debian.org/ testing/updates main contrib
>>>non-free
>>>#-----------------------------------------------------------------
>>>#-----------------------------------------------------------------
>>># WARNING USE BELOW AT OWN RISK
>>># Unstable ( PIN 050 )
>>>#deb ftp://ftp.nl.debian.org/debian unstable main contrib non-free
>>>#deb-src http://ftp.nl.debian.org/debian unstable main contrib
>>>non-free
>>>#deb http://http.us.debian.org/debian unstable main contrib non-free
>>># unstable Security updates #deb http://security.debian.org/
>>>unstable/updates main contrib non-free
>>>#deb-src http://security.debian.org/ unstable/updates main contrib
>>>non-free
>>>#-----------------------------------------------------------------
>>>#-----------------------------------------------------------------
>>>#### BACKPORTS to STABLE ( Debian Sarge 3.1r0 )
>>>## Laatest Samba from samba.org #deb
>>>http://us4.samba.org/samba/ftp/Binary_Packages/Debian sarge samba
>>>#deb-src http://us2.samba.org/samba/ftp/Binary_Packages/Debian
>>>sarge samba
>>>
>>>#------------------------------------------------------------------
>>>## MPEG/AVI addons +W32CODECS With MPlayer
>>>#deb ftp://ftp.nerim.net/debian-marillat/ sarge main
>>>#------------------------------------------------------------------
>>>## www.dotdeb.org, updated php4/php5 mysql-41 mysql-50 qmail clamav
>>>etc etc.
>>>## check the site for the packages list. if you want only 1 package (
>>>preferred )
>>>## change the line to #deb http://packages.dotdeb.org stable php5 for
>>>example
>>>#deb http://packages.dotdeb.org stable all
>>>#deb-src http://packages.dotdeb.org stable all
>>>#------------------------------------------------------------------
>>>## BootSplash ( does not work on every kernel ) www.bootsplash.de
>>>## http://www.planamente.ch/emidio/pages/linux_howto_bootsplash.php
>>>deb http://debian.bootsplash.de unstable main
>>>deb-src http://debian.bootsplash.de unstable main
>>>
>>>
>>>
>>>
>>>
>>>
>>
>>
>>
>
>
>- --
>Stéphane Purnelle <stephane.purnelle at tiscali.be>
>Site Web : http://www.linuxplusvalue.be
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.4.1 (GNU/Linux)
>Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
>iD8DBQFEKDlX8tswkE3d0ecRAukhAJ93OqfKJk5VaRZNY14d2zONjSeL+QCeJ/6k
>RUpByMjbKbCB8pCthXbTkaY=
>=yaJ6
>-----END PGP SIGNATURE-----
>
>
>
More information about the samba
mailing list