5 SAMBA
5.1 Basic Configuration
First stop SAMBA.
/etc/init.d/samba stop
Copy the example SAMBA configuration file into the SAMBA directory ...
cp /usr/share/doc/python-mmc-base/contrib/samba/smb.conf /etc/samba/
... and adjust it to your needs.
vi /etc/samba/smb.conf
Set the following values in the section [global]:
workgroup = EXAMPLE
netbiosname = PDC-SRV-EXAMPLE
ldap admin dn = cn=admin,dc=example,dc=com
ldap suffix = dc=example,dc=com
logon path = \\%N\profiles\%U
Add the following lines to the section [global]:
preferred master = yes
os level = 65
wins support = yes
timeserver = yes
socket options = SO_KEEPALIVE IPTOS_LOWDELAY SO_SNDBUF=8192 SO_RCVBUF=8192
logon drive = H:
passwd program = /usr/sbin/smbldap-passwd -u %u
passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n
add user script = /usr/sbin/smbldap-useradd -m "%u"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
add group script = /usr/sbin/ambldap-groupadd -p "%g"
delete user script = /usr/sbin/smbldap-userdel "%u"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
obey pam restrictions = no
ldap idmap suffix = ou=Users
ldap delete dn = yes
security = user
Add the following line to the section [homes]:
hide files = /Maildir/
Remove the following line from the sections [printers] and [print$]:
printer admin = root,@lpadmin
Set the following values in the section [print$]:
write list = Administrator,root,@lpadmin
Add the following line to the section [profiles]:
hide files = /desktop.ini/ntuser.ini/NTUSER.*/
Set the following values in the section [archives]:
path = /home/samba/archives
At this point the SAMBA configuration file should look like this:
[global]
workgroup = EXAMPLE
netbiosname = PDC-SRV-EXAMPLE
preferred master = yes
os level = 65
wins support = yes
enable privileges = yes
timeserver = yes
socket options = SO_KEEPALIVE IPTOS_LOWDELAY SO_SNDBUF=8192 SO_RCVBUF=8192
log level = 3
null passwords = yes
security = user
# unix charset = ISO8859-1
name resolve order = bcast host
domain logons = yes
domain master = yes
printing = cups
printcap name = cups
logon path = \\%N\profiles\%U
logon script = logon.bat
logon drive = H:
map acl inherit = yes
nt acl support = yes
passdb backend = ldapsam:ldap://127.0.0.1/
obey pam restrictions = no
ldap admin dn = cn=admin,dc=example,dc=com
ldap suffix = dc=example,dc=com
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Users
ldap passwd sync = yes
ldap delete dn = yes
passwd program = /usr/sbin/smbldap-passwd -u %u
passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n
add user script = /usr/sbin/smbldap-useradd -m "%u"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
add group script = /usr/sbin/ambldap-groupadd -p "%g"
add machine script = /usr/lib/mmc/add_machine_script '%u'
delete user script = /usr/sbin/smbldap-userdel "%u"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
[homes]
comment = Home directories
browseable = no
writeable = yes
create mask = 0700
directory mask = 0700
hide files = /Maildir/
[public]
comment = Public share
path = /home/samba/shares/public
browseable = yes
public = yes
writeable = yes
[archives]
comment = Backup share
path = /home/samba/archives
browseable = yes
public = no
writeable = no
[printers]
comment = Printers
path = /tmp
browseable = no
public = yes
guest ok = yes
writeable = no
printable = yes
[print$]
comment = Drivers
path = /var/lib/samba/printers
browseable = yes
guest ok = yes
read only = yes
write list = Administrator,root,@lpadmin
[netlogon]
path = /home/samba/netlogon
public = no
writeable = no
browseable = no
[profiles]
path = /home/samba/profiles
writeable = yes
create mask = 0700
directory mask = 0700
browseable = no
hide files = /desktop.ini/ntuser.ini/NTUSER.*/
[partage]
comment = aucun
path = /home/samba/partage
browseable = yes
public = no
writeable = yes
If all went ok, the command ...
testparm
... should give no errors.
Now give SAMBA the needed credentials to write into the LDAP.
smbpasswd -w %ldap_admin_password%
E.g.:
smbpasswd -w howtoforge
The output should look like this:
Setting stored password for "cn=admin,dc=example,dc=com" in secrets.tdb
Next you need to create a SID for your workgroup.
net getlocalsid %your_workgroup%
E.g.:
net getlocalsid EXAMPLE
The output should look like this - note it down you'll need it in a few moments:
SID for domain EXAMPLE is: S-1-5-21-3159899821-123882392-54881133
Check if the SID has really been recorded into LDAP.
slapcat | grep sambaDomainName
The output should look like this:
dn: sambaDomainName=EXAMPLE,dc=example,dc=com
sambaDomainName: EXAMPLE
Now start SAMBA
/etc/init.d/samba start
5.2 LDAP Directory
First you need to create the smbldap-tools configuration file - it defines how to communicate with the LDAP server.
vi /etc/smbldap-tools/smbldap_bind.conf
The content should look like this:
slaveDN="cn=admin,dc=example,dc=com" slavePw="howtoforge" masterDN="cn=admin,dc=example,dc=com" masterPw="howtoforge"
Now create the main configuration file.
vi /etc/smbldap-tools/smbldap.conf
The content should look like this (Replace the SID with your own!):
SID="S-1-5-21-3159899821-123882392-54881133"
sambaDomain="EXAMPLE"
ldapTLS="0"
suffix="dc=example,dc=com"
usersdn="ou=Users,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=Idmap,${suffix}"
sambaUnixIdPooldn="sambaDomainName=EXAMPLE,${suffix}"
scope="sub"
hash_encrypt="SSHA"
userLoginShell="/bin/bash"
userHome="/home/%U"
userHomeDirectoryMode="700"
userGecos="System User"
defaultUserGid="513"
defaultComputerGid="515"
skeletonDir="/etc/skel"
defaultMaxPasswordAge="45"
userSmbHome="\\PDC-SRV-EXAMPLE\%U"
userProfile="\\PDC-SRV-EXAMPLE\profiles\%U"
userHomeDrive="H:"
userScript="logon.bat"
mailDomain="example.com"
smbpasswd="/usr/bin/smbpasswd"
Time to populate the LDAP diretory. This will also create the domain administrator account (Administrator)
smbldap-populate -m 512 -a Administrator
Note: You'll be asked to enter a password for the domain administrator account.
Afterwards you have to modify the uid-number for this account - otherwise you won't be able to use the mailserver with this account. Additionally we add this account to the group "Domain Users" :
smbldap-usermod -u 3000 -G "Domain Users" Administrator
5.3 NSS LDAP Configuration
In this step we configure the system to use the LDAP directory to get user and group lists.
Edit the nsswitch configuration.
vi /etc/nsswitch.conf
The content should look like this:
# /etc/nsswitch.conf # # Example configuration of GNU Name Service Switch functionality. # If you have the `glibc-doc' and `info' packages installed, try: # `info libc "Name Service Switch"' for information about this file. passwd: compat ldap group: compat ldap shadow: compat ldap hosts: files dns networks: files protocols: db files services: db files ethers: db files rpc: db files netgroup: nis
5.4 SAMBA Directories
Create the needed directories for the SAMBA server, ...
mkdir -p /home/samba/shares/public/
mkdir /home/samba/netlogon/
mkdir /home/samba/profiles/
mkdir /home/samba/partage/
mkdir /home/samba/archives/
... change the ownership and adjust the rights.
chown -R :"Domain Users" /home/samba/
chmod 777 /var/spool/samba/ /home/samba/shares/public/
chmod 755 /home/samba/netlogon/
chmod 770 /home/samba/profiles/ /home/samba/partage/
chmod 700 /home/samba/archives/
6 PAM LDAP Configuration
In this step you'll add LDAP-support to PAM.
vi /etc/pam.d/common-account
The content should look like this:
# # /etc/pam.d/common-account - authorization settings common to all services # # This file is included from other service-specific PAM config files, # and should contain a list of the authorization modules that define # the central access policy for use on the system. The default is to # only deny service to users whose accounts are expired in /etc/shadow. # account required pam_unix.so account sufficient pam_ldap.so
vi /etc/pam.d/common-auth
The content should look like this:
# # /etc/pam.d/common-auth - authentication settings common to all services # # This file is included from other service-specific PAM config files, # and should contain a list of the authentication modules that define # the central authentication scheme for use on the system # (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the # traditional Unix authentication mechanisms. # auth sufficient pam_unix.so nullok_secure auth sufficient pam_ldap.so use_first_pass auth required pam_deny.so
vi /etc/pam.d/common-password
The content should look like this:
# # /etc/pam.d/common-password - password-related modules common to all services # # This file is included from other service-specific PAM config files, # and should contain a list of modules that define the services to be #used to change user passwords. The default is pam_unix # The "nullok" option allows users to change an empty password, else # empty passwords are treated as locked accounts. # # (Add `md5' after the module name to enable MD5 passwords) # # The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in # login.defs. Also the "min" and "max" options enforce the length of the # new password. password sufficient pam_unix.so nullok obscure min=4 max=8 md5 password sufficient pam_ldap.so use_first_pass use_authtok password required pam_deny.so # Alternate strength checking for password. Note that this # requires the libpam-cracklib package to be installed. # You will need to comment out the password line above and # uncomment the next two in order to use this. # (Replaces the `OBSCURE_CHECKS_ENAB', `CRACKLIB_DICTPATH') # # password required pam_cracklib.so retry=3 minlen=6 difok=3 # password required pam_unix.so use_authtok nullok md5
vi /etc/pam.d/common-session
The content should look like this:
# # /etc/pam.d/common-session - session-related modules common to all services # # This file is included from other service-specific PAM config files, # and should contain a list of modules that define tasks to be performed # at the start and end of sessions of *any* kind (both interactive and # non-interactive). The default is pam_unix. # session required pam_unix.so session optional pam_ldap.so
Afterwards reboot the system.
reboot
When the system is up again, give the group "Domain Admins" the right to add machines to the domain.
net -U Administrator rpc rights grant 'DOMAIN\Domain Admins' SeMachineAccountPrivilege
7 SSL For Mail
First prepare a configuration file with the needed information.
vi /etc/ssl/mail.cnf
Add the following content:
[ req ] default_bits = 2048 default_keyfile = privkey.pem distinguished_name = req_distinguished_name prompt = no string_mask = nombstr x509_extensions = server_cert [ req_distinguished_name ] countryName = DE stateOrProvinceName = Niedersachsen localityName = Lueneburg organizationName = Projektfarm GmbH organizationalUnitName = IT commonName = server1.example.com emailAddress = postmaster@example.com [ server_cert ] basicConstraints = critical, CA:FALSE subjectKeyIdentifier = hash keyUsage = digitalSignature, keyEncipherment extendedKeyUsage = serverAuth, clientAuth nsCertType = server nsComment = "mailserver"
Now create the SSL certificate ...
openssl req -x509 -new -config /etc/ssl/mail.cnf -out /etc/ssl/certs/mail.pem -keyout /etc/ssl/private/mail.key -days 365 -nodes -batch
... and adjust the rights for the key in order that only root is allowed to read it.
chmod 600 /etc/ssl/private/mail.key