[Samba] Netlogon, roming profiles in samba(PDC)-ldap

Ellison, David david.ellison at atkinsglobal.com
Tue Jan 30 14:20:26 GMT 2007 

There is a way to do this, I'll have a dig. There is some documentation
some on that, quite usefull. Give me an hour or so and I will have a
look.

Cheers

Dave

> -----Original Message-----
> From: 
> samba-bounces+david.ellison=atkinsglobal.com at lists.samba.org 
> [mailto:samba-bounces+david.ellison=atkinsglobal.com at lists.sam
> ba.org] On Behalf Of suresh bollu
> Sent: 30 January 2007 13:57
> To: samba at lists.samba.org
> Subject: [Samba] Netlogon, roming profiles in samba(PDC)-ldap
> 
> for my organaization i configured a Samba PDC, Samba-LDAP, 
> with the following configuration
> 
> my server is running fedora core 5, all my clients are windows XP,
> 
>  my problem is when i login to the domain through windows xp 
> client each time the profile is refreshing, i want to save 
> the profile in server and retrive it when i login again.
> 
> please healp me out to get out of this problem,
> 
> Regards,
> 
> Suresh Bollu
> 
> 
> *smb.conf*
> 
> 
> [global]
> 
> workgroup = QVANTELIN
> 
> netbios name = box1
> 
> interfaces = eth1, lo
> 
> username map = /etc/samba/smbusers
> 
> server string = Samba Server %v
> 
> security = user
> 
> encrypt passwords = Yes
> 
> obey pam restrictions = No
> 
> unix password sync = Yes
> 
> passwd program = /usr/sbin/smbldap-passwd -u "%u"
> 
> passwd chat = "Changing password for *\nNew password*" %n\n 
> "*Retype new password*" %n\n"
> 
> ldap password sync = Yes
> 
> log level = 0
> 
> syslog = 0
> 
> log file = /var/log/samba/log.%m
> 
> max log size = 100000
> 
> time server = Yes
> 
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> 
> mangling method = hash2
> 
> Dos charset = 850
> 
> Unix charset = ISO8859-1
> 
> logon script = startup.bat
> 
> #logon drive = F:
> 
> logon home =
> 
> logon path =
> 
> domain logons = Yes
> 
> os level = 65
> 
> preferred master = Yes
> 
> domain master = Yes
> 
> wins support = Yes
> 
> passdb backend = ldapsam:ldap://192.168.1.10
> 
> ldap admin dn= cn=Manager,dc=qvantelin,dc=com
> 
> ldap suffix = dc=qvantelin,dc=com
> 
> ldap group suffix = ou=Group
> 
> ldap user suffix = ou=People
> 
> ldap machine suffix = ou=machines
> 
> ldap idmap suffix = ou=Users
> 
> #ldap ssl = start tls
> 
> add user script = /usr/sbin/smbldap-useradd -m "%u"
> 
> ldap delete dn = Yes
> 
> #delete user script = /usr/sbin/smbldap-userdel "%u"
> 
> add machine script = /usr/sbin/smbldap-useradd -w "%u"
> 
> add group script = /usr/sbin/smbldap-groupadd -p "%g"
> 
> #delete group script = /usr/sbin/smbldap-groupdel "%g"
> 
> add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
> 
> delete user from group script = /usr/sbin/smbldap-groupmod -x 
> "%u" "%g"
> 
> set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
> 
> [homes]
> 
> comment = Home Directories
> 
> valid users = %S
> 
> writable = yes
> 
> create mask = 0664
> 
> directory mask = 0775
> 
> browseable = yes
> 
> [netlogon]
> 
> comment = Network Logon Service
> 
> path = /home/samba/netlogon
> 
> guest ok = Yes
> 
> [profiles]
> 
> path = /home/samba/profiles
> 
> writable = yes
> 
> writable = yes
> 
> Browseable = yes
> 
> create mode = 0644
> 
> directory mode = 0755
> 
> [printers]
> 
> comment = All Printers
> 
> path = /var/spool/samba
> 
> printable = Yes
> 
> browseable = No
> 
> 
> 
> *smbldap.conf*
> 
> 
> 
> # $Source: /opt/cvs/samba/smbldap-tools/smbldap.conf,v $
> 
> # $Id: smbldap.conf,v 1.18 2005/05/27 14:28:47 jtournier Exp $
> 
> #
> 
> # smbldap-tools.conf : Q & D configuration file for smbldap-tools
> 
> # This code was developped by IDEALX (http://IDEALX.org/) and
> 
> # contributors (their names can be found in the CONTRIBUTORS file).
> 
> #
> 
> # Copyright (C) 2001-2002 IDEALX
> 
> #
> 
> # This program is free software; you can redistribute it and/or
> 
> # modify it under the terms of the GNU General Public License
> 
> # as published by the Free Software Foundation; either version 2
> 
> # of the License, or (at your option) any later version.
> 
> #
> 
> # This program is distributed in the hope that it will be useful,
> 
> # but WITHOUT ANY WARRANTY; without even the implied warranty of
> 
> # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> 
> # GNU General Public License for more details.
> 
> #
> 
> # You should have received a copy of the GNU General Public License
> 
> # along with this program; if not, write to the Free Software
> 
> # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 
> 02111-1307,
> 
> # USA.
> 
> # Purpose :
> 
> # . be the configuration file for all smbldap-tools scripts
> 
> ##############################################################
> ################
> 
> #
> 
> # General Configuration
> 
> #
> 
> ##############################################################
> ################
> 
> #UID and GID starting at...
> 
> UID_START="1000"
> 
> GID_START="1000"
> 
> # Put your own SID. To obtain this number do: "net getlocalsid".
> 
> # If not defined, parameter is taking from "net getlocalsid" return
> 
> SID="S-1-5-21-2118587481-1440970363-3314129951"
> 
> # Domain name the Samba server is in charged.
> 
> # If not defined, parameter is taking from smb.conf configuration file
> 
> # Ex: sambaDomain="IDEALX-NT"
> 
> #sambaDomain="QVANTELIN"
> 
> ##############################################################
> ################
> 
> #
> 
> # LDAP Configuration
> 
> #
> 
> ##############################################################
> ################
> 
> # Notes: to use to dual ldap servers backend for Samba, you must patch
> 
> # Samba with the dual-head patch from IDEALX. If not using this patch
> 
> # just use the same server for slaveLDAP and masterLDAP.
> 
> # Those two servers declarations can also be used when you have
> 
> # . one master LDAP server where all writing operations must be done
> 
> # . one slave LDAP server where all reading operations must be done
> 
> # (typically a replication directory)
> 
> # Slave LDAP server
> 
> # Ex: slaveLDAP=127.0.0.1
> 
> # If not defined, parameter is set to "127.0.0.1"
> 
> slaveLDAP="192.168.1.10"
> 
> # Slave LDAP port
> 
> # If not defined, parameter is set to "389"
> 
> slavePort="389"
> 
> # Master LDAP server: needed for write operations
> 
> # Ex: masterLDAP=127.0.0.1
> 
> # If not defined, parameter is set to "127.0.0.1"
> 
> masterLDAP="192.168.1.10"
> 
> # Master LDAP port
> 
> # If not defined, parameter is set to "389"
> 
> masterPort="389"
> 
> # Use TLS for LDAP
> 
> # If set to 1, this option will use start_tls for connection
> 
> # (you should also used the port 389)
> 
> # If not defined, parameter is set to "1"
> 
> ldapTLS="0"
> 
> # How to verify the server's certificate (none, optional or require)
> 
> # see "man Net::LDAP" in start_tls section for more details
> 
> #verify="require"
> 
> # CA certificate
> 
> # see "man Net::LDAP" in start_tls section for more details
> 
> #cafile="/etc/pki/tls/certs/ldapserverca.pem"
> 
> # certificate to use to connect to the ldap server
> 
> # see "man Net::LDAP" in start_tls section for more details
> 
> #clientcert="/etc/pki/tls/certs/ldapclient.pem"
> 
> # key certificate to use to connect to the ldap server
> 
> # see "man Net::LDAP" in start_tls section for more details
> 
> #clientkey="/etc/pki/tls/certs/ldapclientkey.pem"
> 
> # LDAP Suffix
> 
> # Ex: suffix=dc=IDEALX,dc=ORG
> 
> suffix="dc=qvantelin,dc=com"
> 
> # Where are stored Users
> 
> # Ex: usersdn="ou=Users,dc=qvantelin,dc=com"
> 
> # Warning: if 'suffix' is not set here, you must set the full 
> dn for usersdn
> 
> usersdn="ou=Users,${suffix}"
> 
> # Where are stored Computers
> 
> # Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
> 
> # Warning: if 'suffix' is not set here, you must set the full 
> dn for computersdn
> 
> computersdn="ou=machines,${suffix}"
> 
> # Where are stored Groups
> 
> # Ex: groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
> 
> # Warning: if 'suffix' is not set here, you must set the full 
> dn for groupsdn
> 
> groupsdn="ou=Group,${suffix}"
> 
> # Where are stored Idmap entries (used if samba is a domain 
> member server)
> 
> # Ex: groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
> 
> # Warning: if 'suffix' is not set here, you must set the full 
> dn for idmapdn
> 
> #idmapdn="ou=Users,${suffix}"
> 
> # Where to store next uidNumber and gidNumber available for 
> new users and groups
> 
> # If not defined, entries are stored in sambaDomainName object.
> 
> # Ex: sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
> 
> # Ex: sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
> 
> #sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
> 
> # Default scope Used
> 
> scope="sub"
> 
> # Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
> 
> hash_encrypt="SSHA"
> 
> # if hash_encrypt is set to CRYPT, you may set a salt format.
> 
> # default is "%s", but many systems will generate MD5 hashed
> 
> # passwords if you use "$1$%.8s". This parameter is optional!
> 
> #crypt_salt_format="%s"
> 
> ##############################################################
> ################
> 
> #
> 
> # Unix Accounts Configuration
> 
> #
> 
> ##############################################################
> ################
> 
> # Login defs
> 
> # Default Login Shell
> 
> # Ex: userLoginShell="/bin/bash"
> 
> userLoginShell="/bin/bash"
> 
> # Home directory
> 
> # Ex: userHome="/home/%U"
> 
> userHome="/home/%U"
> 
> # Default mode used for user homeDirectory
> 
> # userHomeDirectoryMode="700"
> 
> # Gecos
> 
> userGecos="System User"
> 
> # Default User (POSIX and Samba) GID
> 
> defaultUserGid="513"
> 
> # Default Computer (Samba) GID
> 
> defaultComputerGid="553"
> 
> # Skel dir
> 
> skeletonDir="/etc/skel"
> 
> # Default password validation time (time in days) Comment the 
> next line if
> 
> # you don't want password to be enable for 
> defaultMaxPasswordAge days (be
> 
> # careful to the sambaPwdMustChange attribute's value)
> 
> #defaultMaxPasswordAge="45"
> 
> ##############################################################
> ################
> 
> #
> 
> # SAMBA Configuration
> 
> #
> 
> ##############################################################
> ################
> 
> # The UNC path to home drives location (%U username substitution)
> 
> # Just set it to a null string if you want to use the 
> smb.conf 'logon home'
> 
> # directive and/or disable roaming profiles
> 
> # Ex: userSmbHome="\\PDC-SMB3\%U"
> 
> userSmbHome="\\box1\homes"
> 
> # The UNC path to profiles locations (%U username substitution)
> 
> # Just set it to a null string if you want to use the 
> smb.conf 'logon path'
> 
> # directive and/or disable roaming profiles
> 
> # Ex: userProfile="\\PDC-SMB3\profiles\%U"
> 
> userProfile="\\box1\profiles\"
> 
> # The default Home Drive Letter mapping
> 
> # (will be automatically mapped at logon time if home directory exist)
> 
> # Ex: userHomeDrive="H:"
> 
> userHomeDrive="F:"
> 
> # The default user netlogon script name (%U username substitution)
> 
> # if not used, will be automatically username.cmd
> 
> # make sure script file is edited under dos
> 
> # Ex: userScript="startup.cmd" # make sure script file is 
> edited under dos
> 
> userScript="startup.bat"
> 
> # Domain appended to the users "mail"-attribute
> 
> # when smbldap-useradd -M is used
> 
> # Ex: mailDomain="idealx.com"
> 
> #mailDomain="idealx.com"
> 
> ##############################################################
> ################
> 
> #
> 
> # SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
> 
> #
> 
> ##############################################################
> ################
> 
> # Allows not to use smbpasswd (if with_smbpasswd == 0 in 
> smbldap_conf.pm) but
> 
> # prefer Crypt::SmbHash library
> 
> with_smbpasswd="0"
> 
> smbpasswd="/usr/bin/smbpasswd"
> 
> # Allows not to use slappasswd (if with_slappasswd == 0 in 
> smbldap_conf.pm)
> 
> # but prefer Crypt:: libraries
> 
> with_slappasswd="0"
> 
> slappasswd="/usr/sbin/slappasswd"
> 
> # comment out the following line to get rid of the default banner
> 
> # no_banner="1"
> 
> 
> 
> *smbldap_bind.conf*
> 
> ############################
> 
> # Credential Configuration #
> 
> ############################
> 
> # Notes: you can specify two differents configuration if you use a
> 
> # master ldap for writing access and a slave ldap server for 
> reading access
> 
> # By default, we will use the same DN (so it will work for 
> standard Samba
> 
> # release)
> 
> slaveDN="cn=Manager,dc=qvanelin,dc=com"
> 
> slavePw="forget"
> 
> masterDN="cn=Manager,dc=qvantelin,dc=com"
> 
> masterPw="forget"
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/listinfo/samba
> 
> 
> This message has been scanned for viruses by MailControl - 
> (see http://bluepages.wsatkins.co.uk/?4318150)
> 


This email and any attached files are confidential and copyright protected. If you are not the addressee, any dissemination of this communication is strictly prohibited. Unless otherwise expressly agreed in writing, nothing stated in this communication shall be legally binding.

Consider the environment. Please don't print this e-mail unless you really need to.

More information about the samba mailing list