Mandriva Directory Server On Debian Etch - Page 2

Submitted by o.meyer (Contact Author) (Forums) on Tue, 2008-02-05 18:02. ::

5 SAMBA

5.1 Basic Configuration

First stop SAMBA.

/etc/init.d/samba stop

Copy the example SAMBA configuration file into the SAMBA directory ...

cp /usr/share/doc/python-mmc-base/contrib/samba/smb.conf /etc/samba/

... and adjust it to your needs.

vi /etc/samba/smb.conf

Set the following values in the section [global]:

workgroup = EXAMPLE
netbiosname = PDC-SRV-EXAMPLE
ldap admin dn = cn=admin,dc=example,dc=com
ldap suffix = dc=example,dc=com
logon path = \\%N\profiles\%U

Add the following lines to the section [global]:

preferred master = yes
os level = 65
wins support = yes
timeserver = yes
socket options = SO_KEEPALIVE IPTOS_LOWDELAY SO_SNDBUF=8192 SO_RCVBUF=8192
logon drive = H:
passwd program = /usr/sbin/smbldap-passwd -u %u
passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n
add user script = /usr/sbin/smbldap-useradd -m "%u"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete user script = /usr/sbin/smbldap-userdel "%u"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
obey pam restrictions = no
ldap idmap suffix = ou=Users
ldap delete dn = yes
security = user

Add the following line to the section [homes]:

hide files = /Maildir/

Remove the following line from the sections [printers] and [print$]:

printer admin = root,@lpadmin

Set the following values in the section [print$]:

write list = Administrator,root,@lpadmin

Add the following line to the section [profiles]:

hide files = /desktop.ini/ntuser.ini/NTUSER.*/

Set the following values in the section [archives]:

path = /home/samba/archives

At this point the SAMBA configuration file should look like this:

     [global]
        workgroup = EXAMPLE
        netbiosname = PDC-SRV-EXAMPLE
        preferred master = yes
        os level = 65
        wins support = yes
        enable privileges = yes
        timeserver = yes
        socket options = SO_KEEPALIVE IPTOS_LOWDELAY SO_SNDBUF=8192 SO_RCVBUF=8192
        log level = 3
        null passwords = yes
        security = user
        # unix charset = ISO8859-1
        name resolve order = bcast host
        domain logons = yes
        domain master = yes
        printing = cups
        printcap name = cups
        logon path = \\%N\profiles\%U
        logon script = logon.bat
        logon drive = H:
        map acl inherit = yes
        nt acl support = yes
        passdb backend = ldapsam:ldap://127.0.0.1/
        obey pam restrictions = no
        ldap admin dn = cn=admin,dc=example,dc=com
        ldap suffix = dc=example,dc=com
        ldap group suffix = ou=Groups
        ldap user suffix = ou=Users
        ldap machine suffix = ou=Computers
        ldap idmap suffix = ou=Users
        ldap passwd sync = yes
        ldap delete dn = yes

        passwd program = /usr/sbin/smbldap-passwd -u %u
        passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n

        add user script = /usr/sbin/smbldap-useradd -m "%u"
        add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
        set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
        add group script = /usr/sbin/smbldap-groupadd -p "%g"
        add machine script = /usr/lib/mmc/add_machine_script '%u'
        delete user script = /usr/sbin/smbldap-userdel "%u"
        delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
        delete group script = /usr/sbin/smbldap-groupdel "%g"

     [homes]
        comment = Home directories
        browseable = no
        writeable = yes
        create mask = 0700
        directory mask = 0700
        hide files = /Maildir/

     [public]
        comment = Public share
        path = /home/samba/shares/public
        browseable = yes
        public = yes
        writeable = yes

     [archives]
        comment = Backup share
        path = /home/samba/archives
        browseable = yes
        public = no
        writeable = no

     [printers]
        comment = Printers
        path = /tmp
        browseable = no
        public = yes
        guest ok = yes
        writeable = no
        printable = yes

     [print$]
        comment = Drivers
        path = /var/lib/samba/printers
        browseable = yes
        guest ok = yes
        read only = yes
        write list = Administrator,root,@lpadmin

     [netlogon]
        path = /home/samba/netlogon
        public = no
        writeable = no
        browseable = no

     [profiles]
        path = /home/samba/profiles
        writeable = yes
        create mask = 0700
        directory mask = 0700
        browseable = no
        hide files = /desktop.ini/ntuser.ini/NTUSER.*/

     [partage]
        comment = aucun
        path = /home/samba/partage
        browseable = yes
        public = no
        writeable = yes

 

If all went ok, the command ...

testparm

... should give no errors.
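
testparm checks the configuration file itself. The following added example (not part of the original howto) checks in addition that every helper named by a "... script" or "passwd program" parameter exists and is executable. The function name, its optional root-prefix argument and the sample fragment are constructed for illustration.

```shell
#!/bin/sh
# Added example: list helper programs referenced in smb.conf that are
# missing or not executable.

# missing_helpers FILE [ROOT]
# Prints "parameter: path" for each script parameter whose first word is an
# absolute path that is not an executable file. ROOT (an assumption, used
# for testing) is prefixed to every path before it is checked.
missing_helpers() {
    conf=$1 root=${2:-}
    awk -F= '
        /^[ \t]*[#;]/ { next }                     # comment lines
        NF < 2        { next }                     # section headers, blanks
        {
            name = $1
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            norm = tolower(name)
            gsub(/[ \t]/, "", norm)                # Samba ignores spaces in names
            if (norm !~ /script$/ && norm != "passwdprogram") next
            val = substr($0, index($0, "=") + 1)
            sub(/^[ \t]+/, "", val)
            split(val, w, /[ \t]+/)
            if (w[1] ~ /^\//) print name "\t" w[1] # only absolute paths
        }' "$conf" |
    while IFS="$(printf '\t')" read -r name path; do
        [ -f "$root$path" ] && [ -x "$root$path" ] ||
            printf '%s: %s\n' "$name" "$path"
    done
}

# Constructed sample: a fake root containing one helper, and a smb.conf
# fragment in which the second helper path is mistyped.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/usr/sbin"
    : > "$tmp/usr/sbin/smbldap-useradd"
    chmod 755 "$tmp/usr/sbin/smbldap-useradd"
    cat > "$tmp/smb.conf" <<'EOF'
[global]
    logon script = logon.bat
    add user script = /usr/sbin/smbldap-useradd -m "%u"
    add group script = /usr/sbin/ambldap-groupadd -p "%g"
EOF
    missing_helpers "$tmp/smb.conf" "$tmp"
    rm -rf "$tmp"
}
demo
```

On the server itself, run it as: missing_helpers /etc/samba/smb.conf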

Now give SAMBA the needed credentials to write into the LDAP.

smbpasswd -w %ldap_admin_password%

E.g.:

smbpasswd -w howtoforge

The output should look like this:

Setting stored password for "cn=admin,dc=example,dc=com" in secrets.tdb

Next you need to create a SID for your workgroup.

net getlocalsid %your_workgroup%

E.g.:

net getlocalsid EXAMPLE

The output should look like this. Note it down; you'll need it in a few moments:

SID for domain EXAMPLE is: S-1-5-21-3159899821-123882392-54881133

Check if the SID has really been recorded into LDAP.

slapcat | grep sambaDomainName

The output should look like this:

dn: sambaDomainName=EXAMPLE,dc=example,dc=com
sambaDomainName: EXAMPLE

Now start SAMBA.

/etc/init.d/samba start

 

5.2 LDAP Directory

First you need to create the smbldap-tools configuration file - it defines how to communicate with the LDAP server.

vi /etc/smbldap-tools/smbldap_bind.conf

The content should look like this:

slaveDN="cn=admin,dc=example,dc=com"
slavePw="howtoforge"
masterDN="cn=admin,dc=example,dc=com"
masterPw="howtoforge"

 

Now create the main configuration file.

vi /etc/smbldap-tools/smbldap.conf

The content should look like this (Replace the SID with your own!):

SID="S-1-5-21-3159899821-123882392-54881133"
sambaDomain="EXAMPLE"
ldapTLS="0"
suffix="dc=example,dc=com"
usersdn="ou=Users,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=Idmap,${suffix}"
sambaUnixIdPooldn="sambaDomainName=EXAMPLE,${suffix}"
scope="sub"
hash_encrypt="SSHA"
userLoginShell="/bin/bash"
userHome="/home/%U"
userHomeDirectoryMode="700"
userGecos="System User"
defaultUserGid="513"
defaultComputerGid="515"
skeletonDir="/etc/skel"
defaultMaxPasswordAge="45"
userSmbHome="\\PDC-SRV-EXAMPLE\%U"
userProfile="\\PDC-SRV-EXAMPLE\profiles\%U"
userHomeDrive="H:"
userScript="logon.bat"
mailDomain="example.com"
smbpasswd="/usr/bin/smbpasswd"

 

Time to populate the LDAP directory. This will also create the domain administrator account (Administrator).

smbldap-populate -m 512 -a Administrator

Note: You'll be asked to enter a password for the domain administrator account.

Afterwards you have to modify the uid number for this account, otherwise you won't be able to use the mailserver with this account. Additionally, we add this account to the group "Domain Users":

smbldap-usermod -u 3000 -G "Domain Users" Administrator


5.3 NSS LDAP Configuration

In this step we configure the system to use the LDAP directory to get user and group lists.

Edit the nsswitch configuration.

vi /etc/nsswitch.conf

The content should look like this:

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap
hosts:          files dns
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis

 

5.4 SAMBA Directories

Create the needed directories for the SAMBA server, ...

mkdir -p /home/samba/shares/public/
mkdir /home/samba/netlogon/
mkdir /home/samba/profiles/
mkdir /home/samba/partage/
mkdir /home/samba/archives/

... change the ownership and adjust the rights.

chown -R :"Domain Users" /home/samba/
chmod 777 /var/spool/samba/ /home/samba/shares/public/
chmod 755 /home/samba/netlogon/
chmod 770 /home/samba/profiles/ /home/samba/partage/
chmod 700 /home/samba/archives/

 

6 PAM LDAP Configuration

In this step you'll add LDAP-support to PAM.

vi /etc/pam.d/common-account

The content should look like this:

#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system.  The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
account required        pam_unix.so
account sufficient      pam_ldap.so

 

vi /etc/pam.d/common-auth

The content should look like this:

#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
auth    sufficient      pam_unix.so nullok_secure
auth    sufficient      pam_ldap.so use_first_pass
auth    required        pam_deny.so

 

vi /etc/pam.d/common-password

The content should look like this:

#
# /etc/pam.d/common-password - password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
# used to change user passwords.  The default is pam_unix
# The "nullok" option allows users to change an empty password, else
# empty passwords are treated as locked accounts.
#
# (Add `md5' after the module name to enable MD5 passwords)
#
# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
# login.defs. Also the "min" and "max" options enforce the length of the
# new password.
password        sufficient      pam_unix.so nullok obscure min=4 max=8 md5
password        sufficient      pam_ldap.so use_first_pass use_authtok
password        required        pam_deny.so
# Alternate strength checking for password. Note that this
# requires the libpam-cracklib package to be installed.
# You will need to comment out the password line above and
# uncomment the next two in order to use this.
# (Replaces the `OBSCURE_CHECKS_ENAB', `CRACKLIB_DICTPATH')
#
# password required       pam_cracklib.so retry=3 minlen=6 difok=3
# password required       pam_unix.so use_authtok nullok md5

 

vi /etc/pam.d/common-session

The content should look like this:

#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).  The default is pam_unix.
#
session required        pam_unix.so
session optional        pam_ldap.so
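
How the common-auth stack above resolves for a local account, an LDAP account and a failed login, as an added example that is not part of the original howto. It uses a simplified model of the required, requisite, sufficient and optional control flags, not libpam itself; the function name and the module=result input format are assumptions made for the example.

```shell
#!/bin/sh
# Added example: simplified evaluation of a PAM stack (a model, not libpam).

# pam_eval STACK_FILE "module=ok|fail ..."
# Prints "success" or "failure". Model: a failing requisite stops at once,
# a failing required fails the stack at the end, a succeeding sufficient
# stops with success unless a required module failed before it.
pam_eval() {
    awk -v results="$2" '
        BEGIN {
            n = split(results, r, " ")
            for (i = 1; i <= n; i++) { split(r[i], kv, "="); res[kv[1]] = kv[2] }
        }
        /^[ \t]*#/ { next }                        # comment lines
        NF < 3     { next }                        # blank or incomplete lines
        {
            ctl = $2; mod = $3
            ok = (mod != "pam_deny.so" && res[mod] == "ok")  # pam_deny always fails
            if (ok) anyok = 1
            if (ctl == "requisite" && !ok) { verdict = "failure"; exit }
            if (ctl == "required" && !ok) reqfail = 1
            if (ctl == "sufficient" && ok && !reqfail) { verdict = "success"; exit }
        }
        END {
            if (verdict == "") verdict = (!reqfail && anyok) ? "success" : "failure"
            print verdict
        }' "$1"
}

# The common-auth stack from this page, written to a temporary file.
demo_common_auth() {
    stack=$(mktemp)
    cat > "$stack" <<'EOF'
auth    sufficient      pam_unix.so nullok_secure
auth    sufficient      pam_ldap.so use_first_pass
auth    required        pam_deny.so
EOF
    echo "local account:  $(pam_eval "$stack" 'pam_unix.so=ok pam_ldap.so=fail')"
    echo "LDAP account:   $(pam_eval "$stack" 'pam_unix.so=fail pam_ldap.so=ok')"
    echo "wrong password: $(pam_eval "$stack" 'pam_unix.so=fail pam_ldap.so=fail')"
    rm -f "$stack"
}
demo_common_auth
```

Because pam_unix.so comes first and is sufficient, a local account such as root still authenticates when pam_ldap.so fails, which is what keeps the machine reachable if the LDAP server is down after the reboot.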

 

Afterwards reboot the system.

reboot

When the system is up again, give the group "Domain Admins" the right to add machines to the domain.

net -U Administrator rpc rights grant 'DOMAIN\Domain Admins' SeMachineAccountPrivilege

 

7 SSL For Mail

First prepare a configuration file with the needed information.

vi /etc/ssl/mail.cnf

Add the following content:

[ req ] 
default_bits            = 2048 
default_keyfile         = privkey.pem 
distinguished_name      = req_distinguished_name 
prompt                  = no 
string_mask             = nombstr 
x509_extensions         = server_cert
[ req_distinguished_name ] 
countryName             = DE 
stateOrProvinceName     = Niedersachsen
localityName            = Lueneburg
organizationName        = Projektfarm GmbH
organizationalUnitName  = IT
commonName              = server1.example.com
emailAddress            = postmaster@example.com
[ server_cert ] 
basicConstraints        = critical, CA:FALSE 
subjectKeyIdentifier    = hash 
keyUsage                = digitalSignature, keyEncipherment 
extendedKeyUsage        = serverAuth, clientAuth 
nsCertType              = server 
nsComment               = "mailserver"

Now create the SSL certificate ...

openssl req -x509 -new -config /etc/ssl/mail.cnf -out /etc/ssl/certs/mail.pem -keyout /etc/ssl/private/mail.key -days 365 -nodes -batch

... and adjust the rights for the key so that only root is allowed to read it.

chmod 600 /etc/ssl/private/mail.key
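
Two files created on this page hold secrets: smbldap_bind.conf (section 5.2) stores the LDAP admin password in clear text, and mail.key is written unencrypted (-nodes). The following added example, not part of the original howto, reports any such file that group or others can access; the function name and the temporary stand-in files are constructed for the demo.

```shell
#!/bin/sh
# Added example: report secret-bearing files that group or others can access.

# loose_secret_files FILE...
# Prints "<permissions> <file>" for each existing FILE that has any group or
# other permission bit set; returns 1 if at least one such file was found.
loose_secret_files() {
    found=0
    for f in "$@"; do
        [ -e "$f" ] || continue                    # not created yet: skip
        perms=$(ls -ld -- "$f" | cut -c1-10)       # e.g. -rw-r--r--
        case $perms in
            ????------) ;;                         # owner-only access
            *) printf '%s %s\n' "$perms" "$f"; found=1 ;;
        esac
    done
    return "$found"
}

# Constructed demo: temporary stand-ins for the files this page creates.
demo_secrets() {
    d=$(mktemp -d)
    : > "$d/smbldap_bind.conf"; chmod 644 "$d/smbldap_bind.conf"
    : > "$d/mail.key";          chmod 600 "$d/mail.key"
    loose_secret_files "$d/smbldap_bind.conf" "$d/mail.key" "$d/absent" |
        sed "s|$d/||"
    rm -rf "$d"
}
demo_secrets

# On the real system (paths from this page):
#   loose_secret_files /etc/smbldap-tools/smbldap_bind.conf \
#                      /etc/ssl/private/mail.key
```

Any file it reports can be tightened the same way the page does for the key, with chmod 600.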


Submitted by Mike (not registered) on Wed, 2009-10-14 10:22.

I get 2 errors:

 1) #net -U Administrator rpc rights grant 'DOMAIN\Domain Admins' SeMachineAccountPrivilege

Enter Administrator's password:
Could not connect to server 127.0.0.1
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE

 

2) # chown -R :"Domain Users" /home/samba/

chown: invalid group: `:Domain Users

 

I have also done first the 6 and then the 5.4 step, but I still get the same error.

Thx!

Submitted by yosemity (not registered) on Wed, 2010-06-16 18:04.

in /etc/libnss-ldap.conf

change ldapi:// to ldap://

Submitted by Anonymous (not registered) on Thu, 2010-03-25 13:17.

about : chown: invalid group: `:Domain Users

Try this:

# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/libnss-ldap.secret (mode 600)
# Use 'echo -n "mypassword" > /etc/libnss-ldap.secret' instead
# of an editor to create the file.

1. delete /etc/libnss-ldap.secret

2. echo -n "mypassword" > /etc/libnss-ldap.secret

 

Submitted by Anonymous (not registered) on Thu, 2009-10-15 13:55.

OK, I found the solution. It had to do with the localhost configuration and some syntax errors.

Submitted by Anonymous (not registered) on Tue, 2009-11-24 09:07.

Hi, I have the same error message "chown: invalid group: `:Domain Users ".

Could you post the right typo please?

Submitted by maumar (registered user) on Sun, 2009-08-16 16:34.

I would notify a typo:

 add group script = /usr/sbin/ambldap-groupadd -p "%g"

should be

 add group script = /usr/sbin/smbldap-groupadd -p "%g"

Submitted by jmark (not registered) on Thu, 2009-01-15 11:28.

Hi there,

I've tried this tutorial and everything goes right until I reboot my system. After the reboot I was no longer able to log on to the system. I use the latest release of Debian. Can someone point me to how to fix this or a resolution?

P.S.: Another thing, the package dcc-client is not available on Debian 4.01r6? Is this important? How to get it?

Thanks in advance..... 

Submitted by Myatu (registered user) on Mon, 2009-06-15 06:02.

Well, it's an old comment but still relevant:

Do not add password required pam_deny.so to your auth-* file. You'll lock yourself out from SSH and some other services.

Also, you need to do step 5.4 after step 6 or you will end up with an unknown group "Domain Users" (as noted on the first page comments).