Howto setup SUSE 10.3 as Samba PDC

From openSUSE


Warning
This guide is unfinished and DOES NOT WORK FULLY!

New Setup is working
I'm just adding the finishing touches to the guide :)

Where the hell is the package mysql-devel???
James Tandy

The article Howto setup SUSE 10.1 as Samba PDC is written for SUSE Linux 10.1.

It did not work with 10.2

I will take Julien's guide as a base while I configure an openSUSE 10.3 x86_64 install for this full setup, editing it as I go to make this new guide relevant to openSUSE 10.3.

The guide is now complete. Please use the Talk:Howto_setup_SUSE_10.3_as_Samba_PDC page to provide feedback.

James Tandy

This is a step-by-step guide on how to configure a GNU/Linux system with Samba, OpenLDAP, DHCP, DNS and ClamAV. Even though this setup concentrates on the openSUSE 10.3 platform, with minor tweaks you should get it working on any GNU/Linux distribution.


Overview Of The Software Used To Create This Setup

Distribution: OpenSUSE 10.3

SUSE Linux 10.3, features an easy-to-install Linux operating system. SUSE Linux 10.3 uses the latest versions of open source networking features like Samba, Apache, DNS and DHCP to power robust home networks that include Web hosting, centralized printing and media workstations. With special features to speed everything from server setup and configuration to software updating, SUSE Linux contains the most comprehensive set of tools ever included in a retail Linux package. SUSE Linux comes complete with the latest versions of Apache, DNS, DHCP, Samba, NFS, SLP and NIS.

Backend Database: OpenLDAP 2.3.37-7.2

OpenLDAP Software is an open source implementation of the Lightweight Directory Access Protocol.

Security Layer: MIT Kerberos v5
Name Resolution: Named(BIND) 9.4.1.P1-12.2

Berkeley Internet Name Domain, previously Berkeley Internet Name Daemon, is the most commonly used DNS server on the Internet, especially on Unix-like systems, where it is a de facto standard. BIND (BIND 9) was written from scratch in part to address the architectural difficulties with auditing the earlier BIND code bases, and also to support DNSSEC (DNS Security Extensions). Other important features of BIND 9 include: TSIG, DNS notify, nsupdate, IPv6, rndc flush, views, multiprocessor support, and an improved portability architecture.

TCP/IP Settings Automation: DHCP-Server 3.0.6-24

DHCPD is the daemon used by Linux to dynamically configure TCP/IP information for client systems.

Anti Virus Software: Samba Vscan 0.3.6b-181.5

Samba Vscan is a proof-of-concept module for Samba, which uses the VFS (virtual file system) features of Samba 2.2.x/3.0 to provide an on-access Samba anti-virus. Of course, Samba has to be compiled with VFS support.

MySQL Server: MySQL Community Server 5.0.51a

"World's most popular open source database." That is how MySQL describes itself, and not without reason: MySQL is the most used open source database server at the moment. But it is worth taking a look at PostgreSQL as well. PostgreSQL is also an open source database; it has a longer history and has always been released under the BSD License.

Bacula

Bacula is a set of computer programs that permits the system administrator to manage backup, recovery, and verification of computer data across a network of computers of different kinds. Bacula can also run entirely upon a single computer and can backup to various types of media, including tape and disk.

In technical terms, it is a network Client/Server based backup program. Bacula is relatively easy to use and efficient, while offering many advanced storage management features that make it easy to find and recover lost or damaged files. Due to its modular design, Bacula is scalable from small single computer systems to systems consisting of hundreds of computers located over a large network.

Background scope of this tutorial

This tutorial is written based on a real-life setup.
Some details have been changed; changing others would only confuse things.
The following details may be referred to during the tutorial, but you must substitute the values relevant to you.

Customer owns domain name foobar.tld
Customer connects to the internet through an external NAT firewall/router.
This router has the IP address 10.10.1.254 and can provide DNS resolution.
It does NOT provide DHCP services.

The domain controller is to be assigned the static IP address 10.10.1.1.
The customer never expects to have more than 50 workstations on the network in this location, so a subnet of 255.255.255.0 is used.

Installing Necessary Software

This is a VERY brief guide to installation of openSUSE 10.3, you will need to install a few extra packages to make this tutorial work for you.

Starting the install

First start an openSUSE install. Personally I download the tiny network boot image and download everything else on demand from a local FTP server. When booting from the CD, press F2 to select your language, then F4 to select the source. If you choose FTP it will also prompt for the address and directory (and login details) of your FTP server. I also boot with the following options:

# vnc=1 vncpassword=mypassword splash=verbose hostip=10.10.1.1 netmask=255.255.255.0 gateway=10.10.1.254 nameserver=10.10.1.254

Here I turn on VNC remote administration for the install process, specify the machine's IP address, and specify how it will connect to the internet. The office router has been configured NOT to give out addresses by DHCP.

VNC-based installation allows you to sit comfortably at your desk and install openSUSE on a remote machine. It's also very handy for screenshots :)

Once the installation has loaded, you can open a VNC client on another machine and connect to 10.10.1.1:1 to continue the installation.

Installation Mode

Select New Installation, and tick the boxes to add Online Repositories Before Installation and Include Add-on Products from Separate Media. I add the following repositories (note that you will need to rename them later):

Main Repository (OSS)
Main Repository (NON-OSS)

And on the second screen, I add the following by specifying url:

Packman:  http://packman.mirrors.skynet.be/pub/packman/suse/10.3/
ATI: http://www2.ati.com/suse/10.3/

Next choose your timezone, desktop choice (This guide works with KDE. Not tested with any others, although it should be irrelevant).

Installation Settings

The first thing I do here is switch to Expert!

Partitioning

It is preferable to run ANY setup like this on a RAID 1 or RAID 5 disk array. I assume that any RAID is taken care of by hardware, and that our installer can see a single 250Gb drive available. I create the following partitions:

/       40Gb Ext3
swap     2Gb swap
/data  190Gb Ext3

Software

First click on anything, followed by Details to pull up the full package selection.

In Patterns check

Base Development

Next we change Filter from Patterns to Search, now search and check the following:

kernel-source
samba
samba-client
samba-doc
samba-winbind
samba-vscan
samba-krb-printing
krb5
krb5-server
clamav
clamav-db
dhcp-server
bind
bind-chrootenv
ldap-account-manager
nss_ldap
openldap2
openldap2-client
openldap2-devel
perl-ldap
yast2-ldap
yast2-ldap-client
yast2-ldap-server
mysql
mysql-client
php5-mysql
apache2
apache2-mod_php5
apache2-mod_auth_ntlm_winbind
php5
php5-ldap
xntp

My total install size is 3.3Gb

Now go put the kettle on :)

We now skip to after your installation has completed.
When prompted to create a user, skip this step - We'll get to it later

Installing Other Packages

At this point we are still missing a few important features:

  • smbldap-tools
  • bacula web interface
  • tftpd server
  • ris-linux

Pre-requisites

Perl Modules

Prior to installing I need to update some Perl modules.

# cpan 
cpan[1]> install Bundle::CPAN
cpan[2]> install Unicode::MapUTF8 Module::Signature

Missing RPMs

The following RPMs are not listed in YaST and must be installed manually:

mysql-devel

The Bacula web interface also requires mysql-devel. As this package does not seem to exist in YaST, download the "Linux <architecture> generic RPM downloads - Libraries and header files" RPM package for your distribution from the MySQL Developer Zone. This is the one called MySQL-devel-xx-yy-zz.glibc23.arch.rpm that is missing from YaST.

rpm -ivh MySQL-devel-5.0.51a-0.glibc23.x86_64.rpm

smbldap-tools

The tools used to manage the LDAP Samba backend are unfortunately not available in YaST.

The latest smbldap-tools package is available from the Freshmeat smbldap-tools project. SMBLDAP-TOOLS is a package containing some useful scripts for managing users and groups with LDAP and Samba. They can be used to add, delete, and modify users and groups.

wget http://freshmeat.net/redir/smbldap-tools/30128/url_tgz/smbldap-tools-0.9.5.tgz
tar -zxf smbldap-tools-0.9.5.tgz
cd smbldap-tools-0.9.5
cp smbldap-groupadd smbldap-groupdel smbldap-groupmod smbldap-groupshow \
smbldap-passwd smbldap-populate smbldap-useradd smbldap-userdel smbldap-userinfo \
smbldap-userlist smbldap-usermod smbldap-usershow smbldap_tools.pm /usr/sbin/
mkdir /etc/smbldap-tools
cp smbldap.conf smbldap_bind.conf /etc/smbldap-tools/

Smbldap-tools needs some Perl modules (Unicode-Map, Unicode-MapUTF8, Jcode). They are available from the Perl Module List.

bacula web interface

Obtain bacula-gui, as it is not included in YaST.

You will also need to download the source for Bacula, as it is needed to compile the GUI.

Download both from SourceForge and save them to /usr/src.

# cd /usr/src
# tar -zxf bacula-2.2.8.tar.gz
# tar -zxf bacula-gui-2.2.8.tar.gz
# cd bacula-gui-2.2.8
# ./configure --prefix=/usr --with-bacula=/usr/src/bacula-2.2.8 --with-bimagemgr-cgidir=/srv/www/cgi-bin/ \
  --with-bimagemgr-docdir=/srv/www/htdocs/ --with-bimagemgr-binowner=wwwrun --with-bimagemgr-bingroup=www \
  --with-bimagemgr-dataowner=wwwrun --with-bimagemgr-datagroup=www
# make release
# cp -R bacula-web /srv/www/htdocs/
# chown -R wwwrun:www /srv/www/htdocs/bacula-web
# cd bimagemgr
# make install
# cd ../brestore
# mkdir -p /usr/share/brestore
# install -m 644 -o root -g root brestore.glade /usr/share/brestore
# install -m 755 -o root -g root brestore.pl    /usr/bin


New Server Setup

Samba Setup

Move your old smb.conf file to a safe place:

# cd /etc/samba/
# mv smb.conf smb.conf.OLD

Now, using your favorite ASCII editor, edit or create the smb.conf file in the /etc/samba directory and modify or add these lines. Note that for the workgroup statement, if foobar.tld is longer than 15 characters Samba will truncate it! I recommend building the smb.conf file from scratch as defined below:

# # Primary Domain Controller smb.conf
# # Global parameters
[global]
unix charset = LOCALE
workgroup = FOOBAR.TLD
netbios name = bar
# passdb backend =ldapsam:"ldap://bar.foobar.tld"  ## LEAVE THIS COMMENTED OUT!
username map = /etc/samba/smbusers
log level = 1
syslog = 0
log file = /var/log/samba/%m
max log size = 0
name resolve order = wins bcast hosts
time server = Yes
printcap name = CUPS
add user script = /usr/sbin/smbldap-useradd -m '%u'
delete user script = /usr/sbin/smbldap-userdel '%u'
add group script = /usr/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/sbin/smbldap-groupdel '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%g' '%u'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%g' '%u'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/sbin/smbldap-useradd -w '%u'
logon script = logon.bat
logon path = \\bar\profiles\%u
logon drive = H:
domain logons = Yes
domain master = Yes
wins support = Yes
# performance optimization: all users stored in ldap
ldapsam:trusted = yes
ldap suffix = dc=foobar,dc=tld
ldap machine suffix = ou=Computers,ou=Users
ldap user suffix = ou=People,ou=Users
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=sambaadmin,dc=foobar,dc=tld
idmap backend = ldap://127.0.0.1
idmap uid = 10000-20000
idmap gid = 10000-20000
printer admin = root
printing = cups
#========================Share Definitions=========================
[homes]
comment = Home Directories
valid users = %S
browseable = yes
writable = yes
create mask = 0600
directory mask = 0700

[sysvol]
path = /data/samba/sysvol
read only = no

[netlogon]
comment = Network Logon Service
path = /data/samba/sysvol/foobar.tld/scripts
writeable = yes
browseable = yes
read only = no

[profiles]
path = /data/samba/profiles
writeable = yes
browseable = no
read only = no
create mode = 0777
directory mode = 0777

[Documents]
comment = share to test samba
path = /data/documents
writeable = yes
browseable = yes
read only = no
valid users = "@Domain Users"

Next edit the file hosts in /etc/ as follows:

# IP-Address  Full-Qualified-Hostname  Short-Hostname
#
127.0.0.1       bar   localhost   localhost.localdomain
10.10.1.1       bar   bar.foobar.tld   foobar.tld

Now, this bit took me hours! With the passdb backend line commented out, we can execute the following command to get our domain's SID:

# net getlocalsid
SID for domain BAR is S-1-5-21-aaaaaaaaaa-bbbbbbbbbb-cccccccccc

Make a note of this SID; you will need to copy and paste it a lot later.

Finally reopen smb.conf in /etc/samba/ and change

# passdb backend =ldapsam:"ldap://bar.foobar.tld"  ## LEAVE THIS COMMENTED OUT!

to

passdb backend =ldapsam:"ldap://bar.foobar.tld"
It took me hours to get this done
If you do not comment out the passdb backend line, the net command attempts to contact the LDAP server (which isn't even running yet) and fails with the following error:
# net getlocalsid
[yyyy/mm/dd hh:mm:ss, 0] passdb/secrets.c:fetch_ldap_pw(769)
 fetch_ldap_pw: neither ldap secret retrieved!
[yyyy/mm/dd hh:mm:ss, 0] lib/smbldap.c:smbldap_connect_system(942)
 ldap_connect_system: Failed to retrieve password from secrets.tdb

OpenLDAP

slapd.conf

#slapd.conf Master Openldap2.3
#path: /etc/openldap/slapd.conf
include     /etc/openldap/schema/core.schema
include     /etc/openldap/schema/cosine.schema
include     /etc/openldap/schema/inetorgperson.schema
include     /etc/openldap/schema/nis.schema
include     /etc/openldap/schema/samba3.schema
modulepath /usr/lib/openldap/modules/
# moduleload back_bdb.la
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args

# Samba Primary Database foobar.tld
database bdb
suffix "dc=foobar,dc=tld"
directory /data/openldap
rootdn "cn=Manager,dc=foobar,dc=tld"
rootpw SecretWord
index entryCSN eq
index entryUUID eq

access to attrs=userPassword,sambaLMPassword,sambaNTPassword
    by self write
    by dn="cn=sambaadmin,dc=foobar,dc=tld" write
    by * auth
access to *
    by dn="cn=sambaadmin,dc=foobar,dc=tld" write
    by * read

# Indices to maintain
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUID eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub

ldap.conf

#/etc/ldap.conf
# LDAP Master
host bar.foobar.tld
base dc=foobar,dc=tld
binddn cn=Manager,dc=foobar,dc=tld
bindpw SecretWord
bind_policy soft
pam_password exop
nss_base_passwd ou=People,ou=Users,dc=foobar,dc=tld?one
nss_base_shadow ou=People,ou=Users,dc=foobar,dc=tld?one
nss_base_passwd ou=Computers,ou=Users,dc=foobar,dc=tld?one
nss_base_shadow ou=Computers,ou=Users,dc=foobar,dc=tld?one
nss_base_group ou=Groups,dc=foobar,dc=tld?one
ssl no

nsswitch.conf

Edit the following lines only. Leave everything else as-is.

passwd:         files ldap
shadow:         files ldap
group:          files ldap
hosts:          files dns wins
networks:       files dns

DB_CONFIG

Edit /data/openldap/DB_CONFIG as follows:

#DB_CONFIG
set_cachesize           0 150000000 1
set_lg_regionmax        262144
set_lg_bsize            2097152
set_flags               DB_LOG_AUTOREMOVE

Populate LDAP

Prepare the LDIF

You can use the form Extremely Basic LDIF Generator to generate an LDIF. Save the file as foobar.ldif

You can use this as a template; make sure you change every site-specific value (the domain components, the SID and the passwords) to your own!

# SAMBA LDAP PRELOAD
# SID S-1-2-33-4444444444-5555555555-6666666666.
dn: dc=foobar,dc=tld
objectClass: dcObject
objectClass: organization
dc: foobar
o: FOOBAR
description: Posix and Samba LDAP Identity Database

dn: cn=Manager,dc=foobar,dc=tld
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: cn=syncuser,dc=foobar,dc=tld
objectClass: person
cn: syncuser
sn: syncuser
userPassword: SyncUser

dn: cn=sambaadmin,dc=foobar,dc=tld
objectClass: person
cn: sambaadmin
sn: sambaadmin
userPassword: SambaAdmin

dn: cn=mailadmin,dc=foobar,dc=tld
objectClass: person
cn: mailadmin
sn: mailadmin
userPassword: MailAdmin

dn: ou=Users,dc=foobar,dc=tld
objectClass: top
objectClass: organizationalUnit
ou: Users

dn: ou=People,ou=Users,dc=foobar,dc=tld
objectClass: top
objectClass: organizationalUnit
ou: People

dn: ou=Computers,ou=Users,dc=foobar,dc=tld
objectClass: top
objectClass: organizationalUnit
ou: Computers

dn: ou=Groups,dc=foobar,dc=tld
objectClass: top
objectClass: organizationalUnit
ou: Groups

dn: ou=Domains,dc=foobar,dc=tld
objectClass: top
objectClass: organizationalUnit
ou: Domains

dn: sambaDomainName=FOOBAR.TLD,ou=Domains,dc=foobar,dc=tld
objectClass: sambaDomain
objectClass: sambaUnixIdPool
uidNumber: 1000
gidNumber: 1000
sambaDomainName: FOOBAR.TLD
sambaSID: S-1-2-33-4444444444-5555555555-6666666666
sambaAlgorithmicRidBase: 1000
structuralObjectClass: sambaDomain

dn: cn=Domain Admins,ou=Groups,dc=foobar,dc=tld
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
cn: Domain Admins
sambaSID: S-1-2-33-4444444444-5555555555-6666666666-512
sambaGroupType: 2
displayName: Domain Admins
description: Domain Administrators

dn: cn=Domain Users,ou=Groups,dc=foobar,dc=tld
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 513
cn: Domain Users
sambaSID: S-1-2-33-4444444444-5555555555-6666666666-513
sambaGroupType: 2
displayName: Domain Users
description: Domain Users

dn: cn=Domain Guests,ou=Groups,dc=foobar,dc=tld
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 514
cn: Domain Guests
sambaSID: S-1-2-33-4444444444-5555555555-6666666666-514
sambaGroupType: 2
displayName: Domain Guests
description: Domain Guests

dn: cn=Domain Computers,ou=Groups,dc=foobar,dc=tld
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 515
cn: Domain Computers
sambaSID: S-1-2-33-4444444444-5555555555-6666666666-515
sambaGroupType: 2
displayName: Domain Computers
description: Domain Computers

dn: cn=Administrators,ou=Groups,dc=foobar,dc=tld
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 544
cn: Administrators
sambaSID: S-1-2-33-4444444444-5555555555-6666666666-544
sambaGroupType: 5
displayName: Administrators
description: Administrators

dn: cn=Account Operators,ou=Groups,dc=foobar,dc=tld
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 548
cn: Account Operators
sambaSID: S-1-2-33-4444444444-5555555555-6666666666-548
sambaGroupType: 5
displayName: Account Operators
description: Account Operators

dn: cn=Print Operators,ou=Groups,dc=foobar,dc=tld
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 550
cn: Print Operators
sambaSID: S-1-2-33-4444444444-5555555555-6666666666-550
sambaGroupType: 5
displayName: Print Operators
description: Print Operators

dn: cn=Backup Operators,ou=Groups,dc=foobar,dc=tld
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 551
cn: Backup Operators
sambaSID: S-1-2-33-4444444444-5555555555-6666666666-551
sambaGroupType: 5
displayName: Backup Operators
description: Backup Operators

dn: cn=Replicators,ou=Groups,dc=foobar,dc=tld
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 552
cn: Replicators
sambaSID: S-1-2-33-4444444444-5555555555-6666666666-552
sambaGroupType: 5
displayName: Replicators
description: Replicators
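The template above is easy to get wrong by hand (one mistyped SID digit in any group entry and that group no longer belongs to your domain). The following is an added example, written for this guide rather than taken from the wiki's LDIF generator or from smbldap-tools, that builds the same preload LDIF from a domain name and the SID reported by net getlocalsid. It assumes the tree layout and the well-known RIDs and group types shown in the template, rejects the S-1-2-33 placeholder SID, and writes the three service-account passwords as RFC 2307 {SSHA} hashes instead of cleartext (slapadd stores userPassword exactly as given, so a cleartext value in the LDIF stays cleartext in the directory). The sample SID and passwords in the usage section are constructed.

```python
"""Generate the Samba/OpenLDAP preload LDIF for a domain.

Added example for this guide; it is neither the wiki's "Extremely Basic
LDIF Generator" nor part of smbldap-tools. Assumed: the tree layout and
the well-known RIDs/group types from the template above. userPassword
values are written as RFC 2307 {SSHA} hashes rather than cleartext.
"""
import base64
import hashlib
import os
import re
from typing import Dict, List, Optional, Tuple

# A domain SID as printed by `net getlocalsid` is S-1-5-21-<a>-<b>-<c> with
# three 32-bit sub-authorities. The S-1-2-33-... value in the template is a
# placeholder and is rejected here on purpose.
SID_RE = re.compile(r"^S-1-5-21-\d{1,10}-\d{1,10}-\d{1,10}$")

# (RID, name, sambaGroupType, description) as listed in the template.
# Type 2 = domain group, type 5 = well-known (builtin) group.
WELL_KNOWN_GROUPS = [
    (512, "Domain Admins", 2, "Domain Administrators"),
    (513, "Domain Users", 2, "Domain Users"),
    (514, "Domain Guests", 2, "Domain Guests"),
    (515, "Domain Computers", 2, "Domain Computers"),
    (544, "Administrators", 5, "Administrators"),
    (548, "Account Operators", 5, "Account Operators"),
    (550, "Print Operators", 5, "Print Operators"),
    (551, "Backup Operators", 5, "Backup Operators"),
    (552, "Replicators", 5, "Replicators"),
]


def ssha(password: str, salt: Optional[bytes] = None) -> str:
    """RFC 2307 {SSHA}: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_ssha(stored: str, password: str) -> bool:
    """Verify a password against an {SSHA} value (salt is the trailing bytes)."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def entry(dn: str, attrs: List[Tuple[str, str]]) -> str:
    """Render one LDIF entry; attribute names may repeat (e.g. objectClass)."""
    return "\n".join([f"dn: {dn}"] + [f"{name}: {value}" for name, value in attrs])


def generate_ldif(domain: str, sid: str, admin_passwords: Dict[str, str]) -> str:
    """Build the preload LDIF for `domain` (e.g. foobar.tld) with domain SID `sid`."""
    if not SID_RE.match(sid):
        raise ValueError(f"{sid!r} is not a domain SID; take it from 'net getlocalsid'")
    labels = domain.lower().split(".")
    suffix = ",".join(f"dc={label}" for label in labels)
    dc, netbios = labels[0], domain.upper()
    ou_class = [("objectClass", "top"), ("objectClass", "organizationalUnit")]

    entries = [
        entry(suffix, [("objectClass", "dcObject"), ("objectClass", "organization"),
                       ("dc", dc), ("o", dc.upper()),
                       ("description", "Posix and Samba LDAP Identity Database")]),
        entry(f"cn=Manager,{suffix}", [("objectClass", "organizationalRole"),
                                       ("cn", "Manager"), ("description", "Directory Manager")]),
    ]
    # Service accounts get hashed passwords, so neither the LDIF nor a
    # directory dump exposes them directly.
    for name, password in admin_passwords.items():
        entries.append(entry(f"cn={name},{suffix}", [("objectClass", "person"), ("cn", name),
                                                     ("sn", name), ("userPassword", ssha(password))]))
    # Containers: parents must precede children for slapadd.
    for ou, parent in [("Users", suffix), ("People", f"ou=Users,{suffix}"),
                       ("Computers", f"ou=Users,{suffix}"), ("Groups", suffix), ("Domains", suffix)]:
        entries.append(entry(f"ou={ou},{parent}", ou_class + [("ou", ou)]))
    entries.append(entry(f"sambaDomainName={netbios},ou=Domains,{suffix}", [
        ("objectClass", "sambaDomain"), ("objectClass", "sambaUnixIdPool"),
        ("uidNumber", "1000"), ("gidNumber", "1000"), ("sambaDomainName", netbios),
        ("sambaSID", sid), ("sambaAlgorithmicRidBase", "1000")]))
    for rid, name, gtype, desc in WELL_KNOWN_GROUPS:
        entries.append(entry(f"cn={name},ou=Groups,{suffix}", [
            ("objectClass", "posixGroup"), ("objectClass", "sambaGroupMapping"),
            ("gidNumber", str(rid)), ("cn", name), ("sambaSID", f"{sid}-{rid}"),
            ("sambaGroupType", str(gtype)), ("displayName", name), ("description", desc)]))
    return "\n\n".join(entries) + "\n"


def ldif_dns(ldif: str) -> List[str]:
    """List the DNs in an LDIF text, in order (what slapadd -v will echo)."""
    return [line[len("dn: "):] for line in ldif.splitlines() if line.startswith("dn: ")]


if __name__ == "__main__":
    # Constructed sample values; substitute your own SID and passwords.
    print(generate_ldif("foobar.tld", "S-1-5-21-1111111111-2222222222-3333333333",
                        {"syncuser": "SyncUser", "sambaadmin": "SambaAdmin",
                         "mailadmin": "MailAdmin"}), end="")
```

Redirect the output to foobar.ldif and feed it to slapadd as in the next step; the twenty DNs it echoes should match the list below. The cn=Manager entry deliberately carries no userPassword, since slapd authenticates the rootdn against rootpw in slapd.conf.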

Import the LDIF

# slapadd -v -l foobar.ldif
added: "dc=foobar,dc=tld" (00000001)
added: "cn=Manager,dc=foobar,dc=tld" (00000002)
added: "cn=syncuser,dc=foobar,dc=tld" (00000003)
added: "cn=sambaadmin,dc=foobar,dc=tld" (00000004)
added: "cn=mailadmin,dc=foobar,dc=tld" (00000005)
added: "ou=Users,dc=foobar,dc=tld" (00000006)
added: "ou=People,ou=Users,dc=foobar,dc=tld" (00000007)
added: "ou=Computers,ou=Users,dc=foobar,dc=tld" (00000008)
added: "ou=Groups,dc=foobar,dc=tld" (00000009)
added: "ou=Domains,dc=foobar,dc=tld" (0000000a)
added: "sambaDomainName=FOOBAR.TLD,ou=Domains,dc=foobar,dc=tld" (0000000b)
added: "cn=Domain Admins,ou=Groups,dc=foobar,dc=tld" (0000000c)
added: "cn=Domain Users,ou=Groups,dc=foobar,dc=tld" (0000000d)
added: "cn=Domain Guests,ou=Groups,dc=foobar,dc=tld" (0000000e)
added: "cn=Domain Computers,ou=Groups,dc=foobar,dc=tld" (0000000f)
added: "cn=Administrators,ou=Groups,dc=foobar,dc=tld" (0000000e)
added: "cn=Account Operators,ou=Groups,dc=foobar,dc=tld" (00000010)
added: "cn=Print Operators,ou=Groups,dc=foobar,dc=tld" (00000011)
added: "cn=Backup Operators,ou=Groups,dc=foobar,dc=tld" (00000012)
added: "cn=Replicators,ou=Groups,dc=foobar,dc=tld" (00000013)

Update the permissions for LDAP

# chown -R ldap.ldap /data/openldap/

Set the password for samba

# smbpasswd -w SambaAdmin
Setting stored password for "cn=sambaadmin,dc=foobar,dc=tld" in secrets.tdb

smbldap-tools Setup

smbldap.conf

SID="S-1-2-33-4444444444-5555555555-6666666666"
sambaDomain="FOOBAR.TLD"
slaveLDAP=127.0.0.1
slavePort="389"
masterLDAP="127.0.0.1"
masterPort="389"
ldapTLS="0"
verify=""
cafile=""
clientcert=""
clientkey=""
suffix="dc=foobar,dc=tld"
usersdn="ou=People,ou=Users,${suffix}"
computersdn="ou=Computers,ou=Users,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=Idmap,${suffix}"
sambaUnixIdPooldn="sambaDomainName=FOOBAR.TLD,ou=Domains,${suffix}"
scope="sub"
hash_encrypt="MD5"
crypt_salt_format=""
userHome="/data/home/%U"
userHomeDirectoryMode="700"
userGecos="System User"
defaultUserGid="513"
defaultComputerGid="515"
skeletonDir="/etc/skel"
defaultMaxPasswordAge="45"
userSmbHome="\\bar\%U"
userProfile="\\bar\profiles\%U"
userHomeDrive="H:"
userScript="logon.bat"
mailDomain="foobar.tld"
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"
# comment out the following line to get rid of the default banner
# no_banner="1"

smbldap_bind.conf

slaveDN="cn=sambaadmin,dc=foobar,dc=tld"
slavePw="SambaAdmin"
masterDN="cn=sambaadmin,dc=foobar,dc=tld"
masterPw="SambaAdmin"
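The SID and the container DNs now live in four places (smb.conf, the output of net getlocalsid, smbldap.conf and smbldap_bind.conf), and a single dropped digit in the copied SID silently breaks every smbldap-* command. The following added example, written for this guide and not part of Samba or smbldap-tools, parses all four and reports any disagreement. It assumes the file layouts shown above; the sample texts are constructed and the smbldap.conf sample deliberately drops one digit from the SID so the check has something to find.

```python
"""Cross-check the settings that smb.conf, smbldap.conf and smbldap_bind.conf
must agree on, against the SID reported by `net getlocalsid`.

Added example for this guide, not part of Samba or smbldap-tools. Assumed:
the file layouts shown above. The sample texts are constructed; the
smbldap.conf sample deliberately drops one digit from the SID.
"""
import re
from typing import Dict, List


def parse_kv(text: str) -> Dict[str, str]:
    """Parse 'key = value' / KEY="value" lines; skip comments and [sections]."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip().strip('"')
    return conf


def parse_smbldap_conf(text: str) -> Dict[str, str]:
    """smbldap.conf refers to ${suffix} inside other values; expand it."""
    conf = parse_kv(text)
    suffix = conf.get("suffix", "")
    return {key: value.replace("${suffix}", suffix) for key, value in conf.items()}


def parse_getlocalsid(output: str) -> str:
    """Extract the SID from `net getlocalsid` output."""
    match = re.search(r"SID for domain \S+ is (S-1-5-21-\d+-\d+-\d+)", output)
    if not match:
        raise ValueError("no SID in output (did net fail to reach the passdb backend?)")
    return match.group(1)


def check_consistency(smb_conf: str, getlocalsid_out: str,
                      smbldap_conf: str, bind_conf: str) -> List[str]:
    """Return a list of mismatches; an empty list means the four sources agree."""
    smb, tools, bind = parse_kv(smb_conf), parse_smbldap_conf(smbldap_conf), parse_kv(bind_conf)
    sid = parse_getlocalsid(getlocalsid_out)
    problems = []

    def expect(what, left, right):
        if left != right:
            problems.append(f"{what}: {left!r} != {right!r}")

    expect("SID", sid, tools.get("SID"))
    expect("workgroup/sambaDomain", smb.get("workgroup"), tools.get("sambaDomain"))
    expect("ldap suffix", smb.get("ldap suffix"), tools.get("suffix"))
    base = smb.get("ldap suffix", "")
    # smb.conf gives sub-suffixes relative to 'ldap suffix'; smbldap.conf gives full DNs.
    for smb_key, tools_key in [("ldap user suffix", "usersdn"), ("ldap machine suffix", "computersdn"),
                               ("ldap group suffix", "groupsdn"), ("ldap idmap suffix", "idmapdn")]:
        expect(smb_key, f"{smb.get(smb_key, '')},{base}", tools.get(tools_key))
    for key in ("masterDN", "slaveDN"):
        expect(f"ldap admin dn vs {key}", smb.get("ldap admin dn"), bind.get(key))
    return problems


# Constructed samples mirroring the files above (SID values are made up).
SMB_CONF = """[global]
workgroup = FOOBAR.TLD
netbios name = bar
ldap suffix = dc=foobar,dc=tld
ldap machine suffix = ou=Computers,ou=Users
ldap user suffix = ou=People,ou=Users
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=sambaadmin,dc=foobar,dc=tld
"""
GETLOCALSID = "SID for domain BAR is S-1-5-21-1111111111-2222222222-3333333333\n"
SMBLDAP_CONF = """SID="S-1-5-21-1111111111-222222222-3333333333"
sambaDomain="FOOBAR.TLD"
suffix="dc=foobar,dc=tld"
usersdn="ou=People,ou=Users,${suffix}"
computersdn="ou=Computers,ou=Users,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=Idmap,${suffix}"
"""
BIND_CONF = """slaveDN="cn=sambaadmin,dc=foobar,dc=tld"
slavePw="SambaAdmin"
masterDN="cn=sambaadmin,dc=foobar,dc=tld"
masterPw="SambaAdmin"
"""

if __name__ == "__main__":
    for problem in check_consistency(SMB_CONF, GETLOCALSID, SMBLDAP_CONF, BIND_CONF):
        print(problem)
```

On a real server, read the four texts from /etc/samba/smb.conf, the output of net getlocalsid, /etc/smbldap-tools/smbldap.conf and /etc/smbldap-tools/smbldap_bind.conf; the check should print nothing before you start the services.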

Start Services

# rcsmb start
# rcnmb start
# rcldap start
# rcwinbind start

Adding initial Users

# smbldap-useradd -m -a root
# smbldap-passwd root
Changing password for root
New password :
Retype new password
# smbpasswd -a root
New SMB password:
Retype new SMB password:
Added user root.
# smbldap-groupmod -m root Domain\ Admins
adding user root to group Domain Admins

LAM (LDAP Accounts Manager) Setup

First we need to edit the LAM general settings and define our master password

# mv /srv/www/htdocs/lam/config/config.cfg_sample /srv/www/htdocs/lam/config/config.cfg
# touch /srv/www/htdocs/lam/config/lam.conf
# chown wwwrun:www /srv/www/htdocs/lam/config/lam.conf

This creates our config with the right permissions and sets the default password for the LAM interface to "lam", we will change this soon.

lam.conf

# LDAP Account Manager configuration
serverURL: ldap://localhost:389
admins: cn=Manager,dc=foobar,dc=tld
# password to change these preferences via webfrontend (default: lam)
passwd: {SSHA}RjBruJcTxZEdcBjPQdRBkDaSQeY= iueleA==
treesuffix: dc=foobar,dc=tld
# default language (a line from config/language)
defaultLanguage: en_GB.utf8:UTF-8:English (Great Britain)
# Path to external Script
scriptPath:
# Server of external Script
scriptServer:
# Access rights for home directories
scriptRights: 750
# Number of minutes LAM caches LDAP searches.
cachetimeout: 5
# Module settings
modules: posixAccount_minUID: 10000
modules: posixAccount_maxUID: 20000
modules: posixAccount_minMachine: 10000
modules: posixAccount_maxMachine: 20000
modules: posixGroup_minGID: 10000
modules: posixGroup_maxGID: 20000
modules: posixGroup_pwdHash: SSHA
modules: posixAccount_pwdHash: SSHA
# List of active account types.
activeTypes: user,group,host,smbDomain
# The suffixes must match the tree created from foobar.ldif above
types: suffix_user: ou=People,ou=Users,dc=foobar,dc=tld
types: attr_user: #uid;#givenName;#sn;#uidNumber;#gidNumber
types: modules_user: inetOrgPerson,posixAccount,shadowAccount,sambaSamAccount
types: suffix_group: ou=Groups,dc=foobar,dc=tld
types: attr_group: #cn;#gidNumber;#memberUID;#description
types: modules_group: posixGroup,sambaGroupMapping
types: suffix_host: ou=Computers,ou=Users,dc=foobar,dc=tld
types: attr_host: #cn;#description;#uidNumber;#gidNumber
types: modules_host: account,posixAccount,sambaSamAccount
types: suffix_smbDomain: ou=Domains,dc=foobar,dc=tld
types: attr_smbDomain: sambaDomainName:Domain name;sambaSID:Domain SID
types: modules_smbDomain: sambaDomain
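The passwd: line is what protects the LAM preferences (including the admin DN used to bind to the directory) from anyone who can reach the web front end, and the default of "lam" has to go before the interface is exposed. The following added example, written for this guide rather than taken from LAM, generates a replacement value and verifies it. It assumes LAM's storage format is {SSHA}, then the base64 SHA-1 of password plus salt, a space, then the base64 salt, which is the shape of the line above; the lam.conf fragment in the code is constructed.

```python
"""Generate and verify the LAM master password line in lam.conf.

Added example for this guide, not LAM's own code. Assumption: LAM stores
the master password as `passwd: {SSHA}<base64(sha1(password+salt))> <base64(salt)>`,
i.e. the salt follows the digest after a space, which is the shape of the
line shown above. The sample config text below is constructed.
"""
import base64
import hashlib
import hmac
import os
import re
from typing import Optional


def lam_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return '{SSHA}<digest> <salt>' for the lam.conf passwd: key."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}%s %s" % (base64.b64encode(digest).decode("ascii"),
                           base64.b64encode(salt).decode("ascii"))


def lam_verify(stored: str, password: str) -> bool:
    """Check a password against a stored '{SSHA}<digest> <salt>' value."""
    match = re.fullmatch(r"\{SSHA\}(\S+) (\S+)", stored.strip())
    if not match:
        return False
    digest = base64.b64decode(match.group(1))
    salt = base64.b64decode(match.group(2))
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # Constant-time comparison, as for any password check.
    return hmac.compare_digest(candidate, digest)


def get_lam_passwd(config: str) -> str:
    """Return the value of the passwd: line from a lam.conf text."""
    match = re.search(r"(?m)^passwd:\s*(.*)$", config)
    if not match:
        raise ValueError("lam.conf has no passwd: line")
    return match.group(1).strip()


def set_lam_password(config: str, new_password: str) -> str:
    """Replace the passwd: line so the default 'lam' no longer works."""
    new_line = "passwd: " + lam_hash(new_password)
    updated, count = re.subn(r"(?m)^passwd:.*$", lambda _: new_line, config)
    if count != 1:
        raise ValueError(f"expected exactly one passwd: line, found {count}")
    return updated


# Constructed lam.conf fragment in the layout shown above.
SAMPLE_LAM_CONF = """\
serverURL: ldap://localhost:389
admins: cn=Manager,dc=foobar,dc=tld
passwd: {SSHA}RjBruJcTxZEdcBjPQdRBkDaSQeY= iueleA==
treesuffix: dc=foobar,dc=tld
"""

if __name__ == "__main__":
    # Prints the fragment with a fresh hash; write it back to lam.conf as wwwrun:www.
    print(set_lam_password(SAMPLE_LAM_CONF, "change-me-to-something-long"), end="")
```

Whether you change the password this way or through the LAM configuration page, keep lam.conf owned by wwwrun:www and not world-readable, since the same file holds the admin DN LAM binds with.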

SWAT (Samba Web Administration Tool)

SWAT has already been installed, but is disabled. To enable it, edit the file swat located in /etc/xinetd.d/ as follows:

# SWAT is the Samba Web Administration Tool.
service swat
{
       socket_type     =  stream
       protocol        =  tcp
       wait            =  no
       user            =  root
       server          =  /usr/sbin/swat
       only_from       =  127.0.0.1
       log_on_failure  += USERID
}

MySQL

MySQL is partly configured for us by YaST, but we need to finish it off.

# rcmysql start
Creating MySQL privilege database...
Installing MySQL system tables...
OK
Filling help tables...
OK
PLEASE REMEMBER TO SET A PASSWORD FOR THE MySQL root USER !
To do so, start the server, then issue the following commands:
/usr/bin/mysqladmin -u root password 'new-password'
/usr/bin/mysqladmin -u root -h bar.foobar.tld password 'new-password'
......

I reverse the order of the password commands: if you run them in the order MySQL suggests, the first command works but the second errors (because you aren't providing the password you just set) and you have to edit the table manually to fix it.

# /usr/bin/mysqladmin -u root -h bar.foobar.tld password 'secret'
# /usr/bin/mysqladmin -u root password 'secret'

Run in the order MySQL suggests, the second command fails like this:

# /usr/bin/mysqladmin -u root -h bar.foobar.tld password 'secret'
/usr/bin/mysqladmin: connect to server at 'bar.foobar.tld' failed
error: 'Host 'bar.foobar.tld' is not allowed to connect to this MySQL server'
Warning
secret is obviously a REALLY bad password.
I hope nobody ever considers using it in a production environment!

Apache

Helpfully, Apache is preconfigured for us by YaST, so all we need to do is start it :)

# rcapache2 start

CUPS (Common UNIX Printing System)


Dynamic DNS Setup

Preconfiguration Steps

To be able to create our dynDNS infrastructure we need to do a few things before actually configuring both DHCP and DNS servers for dynamic updates. First we need to create a key that will be used for secure communication between DHCP and DNS server.

To create the key and file that hold the key declaration issue following command:

# cd /etc
# genDDNSkey

This will by default create a file named named.keys containing the key DHCP_UPDATER; of course you can choose a different key name and file by issuing (for other options read the help pages):

# genDDNSkey --key-file=/your/path --key-name MY_KEY_NAME

Once the key has been created, you need to tell both the DHCP and DNS daemons to use this file, since they both run in a chroot jail.

Using your favorite ASCII editor, edit the dhcpd file in the /etc/sysconfig directory and modify or add the following directive:

DHCPD_INTERFACE="eth0"

Now you can move on towards configuring your DHCP and DNS servers.

DHCP Setup

Using your favorite ASCII editor, edit the dhcpd.conf file in the /etc directory and modify or add these lines (I recommend building dhcpd.conf from scratch). The IP address scheme is arbitrary; set these values to reflect your own network:

# File with key we shall use to securely update zone files
###########################################################
include "/etc/named.keys";

# Our server is authority
#########################################################
server-identifier bar.foobar.tld;
authoritative;

# Zone specification
###########################################
zone foobar.forward {
    primary 192.168.1.104;
    key DHCP_UPDATER;
}
zone foobar.reverse {
    primary 192.168.1.104;
    key DHCP_UPDATER;
}

# Various options
########################################
default-lease-time 86400;
max-lease-time 172800;
option domain-name "foobar.tld";
option domain-name-servers 192.168.1.104;
option netbios-name-servers 192.168.1.104;
ignore client-updates;
ddns-domainname "foobar.tld";
ddns-updates on;
ddns-update-style interim;

# Declaration of network properties ( range ... )
#################################################
subnet 192.168.1.0 netmask 255.255.255.0 {
    range dynamic-bootp 192.168.1.10 192.168.1.254;
    zone foobar.tld {
        primary 127.0.0.1;
        key DHCP_UPDATER;
    }
    zone 1.168.192.in-addr.arpa. {
        primary 127.0.0.1;
        key DHCP_UPDATER;
    }
    option subnet-mask 255.255.255.0;
    option routers 192.168.1.1;
    one-lease-per-client on;
}

The configuration above leaves the range 1 - 10 reserved for hard-wired IP addresses, while the range allotted for dynamic assignment is 10 - 254.

Name Server Setup

Using your favorite ASCII editor, edit the named.conf file in the /etc directory and modify or add these lines (I recommend building named.conf from scratch). As in the DHCP example above, values and ranges are arbitrary and you will set them to the values you desire.

# Include file with key
#################################################
include "/etc/named.keys";

# Access Control Lists
#################################################
acl mynet { 192.168.1.0/24; 127.0.0.1; };

# Various Options
#################################################
options {
    directory "/var/lib/named";
    allow-query { mynet; };
    forwarders { 83.139.64.3; };
};

# Misc zone declarations
#################################################
zone "localhost" in {
    type master;
    file "localhost.zone";
};
zone "0.0.127.in-addr.arpa" in {
    type master;
    file "127.0.0.zone";
};
zone "." in {
    type hint;
    file "root.hint";
};

# Forward foobar.tld zone declaration
#################################################
zone "foobar.tld" {
    type master;
    file "dyn/foobar.forward";
    allow-update { key DHCP_UPDATER; };
    allow-transfer { mynet; };
    check-names ignore;
};

# Active Directory Declarations
#############################################
zone "_tcp.foobar.tld" IN {
    type master;
    file "master/_tcp.foobar.tld.db";
    allow-update { mynet; };
    check-names ignore;
};
zone "_msdcs.foobar.tld" IN {
    type master;
    file "master/_msdcs.foobar.tld.db";
    allow-update { mynet; };
    check-names ignore;
};
zone "_sites.foobar.tld" IN {
    type master;
    file "master/_sites.foobar.tld.db";
    check-names ignore;
    allow-update { mynet; };
};
zone "_udp.foobar.tld" IN {
    type master;
    file "master/_udp.foobar.tld.db";
    check-names ignore;
    allow-update { mynet; };
};

# Reverse foobar.tld zone declaration
#################################################
zone "1.168.192.in-addr.arpa" {
    type master;
    file "dyn/foobar.reverse";
    allow-update { key DHCP_UPDATER; };
    allow-transfer { mynet; };
};
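The whole dynamic-update design above rests on two things being in step: every allow-update that names a key must refer to a key actually defined in the file genDDNSkey wrote, and it is worth knowing which zones accept updates on the strength of a source address (the mynet ACL on the _tcp/_msdcs/_sites/_udp zones) rather than a TSIG signature. The following added example, written for this guide and not part of BIND, dhcpd or genDDNSkey, generates a key statement in the standard BIND form that both daemons can include and audits a named.conf text against it. The named.conf sample in the code is constructed and, unlike the one above, references one key that is never defined.

```python
"""Audit the dynamic-update policy of named.conf zones against the TSIG keys
defined in the key file shared with dhcpd.

Added example for this guide, not part of BIND, dhcpd or genDDNSkey.
Assumptions: the key file holds standard BIND `key NAME { algorithm ...;
secret "..."; };` statements (the form both daemons include); the named.conf
sample below is constructed and, unlike the page's, references one key that
is never defined.
"""
import base64
import os
import re
from typing import Dict, List, Optional, Set


def make_key_statement(name: str, secret: Optional[bytes] = None) -> str:
    """Emit a BIND key statement with a random 128-bit hmac-md5 secret."""
    if secret is None:
        secret = os.urandom(16)
    encoded = base64.b64encode(secret).decode("ascii")
    return 'key %s {\n    algorithm hmac-md5;\n    secret "%s";\n};\n' % (name, encoded)


def key_names(keys_text: str) -> Set[str]:
    """Names of all key statements in a named.keys-style file."""
    return set(re.findall(r"\bkey\s+([A-Za-z0-9_.-]+)\s*\{", keys_text))


def zone_bodies(conf: str) -> Dict[str, str]:
    """Map each zone name in named.conf to the text inside its braces."""
    zones = {}
    for match in re.finditer(r'\bzone\s+"([^"]+)"', conf):
        start = conf.index("{", match.end())
        depth = 0
        for pos in range(start, len(conf)):
            if conf[pos] == "{":
                depth += 1
            elif conf[pos] == "}":
                depth -= 1
                if depth == 0:
                    zones[match.group(1)] = conf[start + 1:pos]
                    break
    return zones


def update_policy(body: str) -> List[str]:
    """Tokens inside allow-update { ... } of one zone, e.g. ['key DHCP_UPDATER']."""
    match = re.search(r"allow-update\s*\{([^}]*)\}", body)
    if not match:
        return []
    return [token.strip() for token in match.group(1).split(";") if token.strip()]


def audit(named_conf: str, keys_text: str) -> List[str]:
    """Report zones whose updates rely on an undefined key or on an address match."""
    defined = key_names(keys_text)
    findings = []
    for zone, body in zone_bodies(named_conf).items():
        for token in update_policy(body):
            if token.startswith("key "):
                name = token[len("key "):].strip()
                if name not in defined:
                    findings.append(f"{zone}: allow-update names key {name}, which is not defined")
            else:
                findings.append(f"{zone}: allow-update by address match '{token}' rather than a TSIG key")
    return findings


# Constructed samples: a freshly generated key and a cut-down named.conf.
NAMED_KEYS = make_key_statement("DHCP_UPDATER")
NAMED_CONF = """
acl mynet { 192.168.1.0/24; 127.0.0.1; };
zone "." in { type hint; file "root.hint"; };
zone "foobar.tld" { type master; file "dyn/foobar.forward";
    allow-update { key DHCP_UPDATER; }; allow-transfer { mynet; }; };
zone "_tcp.foobar.tld" IN { type master; file "master/_tcp.foobar.tld.db";
    allow-update { mynet; }; };
zone "1.168.192.in-addr.arpa" { type master; file "dyn/foobar.reverse";
    allow-update { key MISSING_KEY; }; };
"""

if __name__ == "__main__":
    for finding in audit(NAMED_CONF, NAMED_KEYS):
        print(finding)
```

On the server, feed it the real /etc/named.conf and /etc/named.keys (or your --key-file); remember that with bind-chrootenv the copies under /var/lib/named are the ones the running daemon reads, so audit those if they differ.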

Now once you have made named.conf file, you must setup/create actual zone files.

Using your favorite ASCII editor, create the foobar.forward file in the /var/lib/named/dyn directory and modify or add these lines (I recommend building foobar.forward from scratch):

$ORIGIN .
$TTL 5D
foobar.tld               IN SOA  bar.foobar.tld. root.foobar.tld. (
                                        200524085  ; serial
                                        3H         ; refresh
                                        1H         ; retry
                                        1W         ; expire
                                        5D )       ; minimum
                                        NS      bar.foobar.tld.
                                        A       192.168.1.104
$ORIGIN foobar.tld.
$TTL 5D
bar                     A       192.168.1.104

Using your favorite ASCII editor, create the foobar.reverse file in the /var/lib/named/dyn directory and modify or add these lines (I recommend building foobar.reverse from scratch):

$TTL 5D
@                      IN SOA  bar.foobar.tld. root.foobar.tld. (
                                200524086  ; serial
                                3H         ; refresh
                                1H         ; retry
                                1W         ; expire
                                5H )       ; minimum
@ NS bar.foobar.tld.
104 PTR bar.foobar.tld.

Both zone files for localhost are created by default, so you need not recreate them; the root.hint file is included by default as well.

Next we need to create the zones that form the basis of the Active Directory schema (the SRV records clients use to find the LDAP and Kerberos servers).

Using your favorite ASCII editor, create the file _tcp.foobar.tld.db in the /var/lib/named/master directory and modify or add these lines to it (I recommend building _tcp.foobar.tld.db from scratch):

$ORIGIN .
$TTL 432000     ; 5 days
_tcp.foobar.tld               IN SOA  bar.foobar.tld. root.foobar.tld. (
                               200524091  ; serial
                               10800      ; refresh (3 hours)
                               3600       ; retry (1 hour)
                               604800     ; expire (1 week)
                               432000     ; minimum (5 days)
                               )
               IN      NS      bar.foobar.tld.
$ORIGIN _tcp.foobar.tld.
$TTL 600        ; 10 mins
_ldap._tcp.foobar.tld.        SRV     0 0 389 bar.foobar.tld.
_kerberos._tcp.foobar.tld.    SRV     0 0 88 bar.foobar.tld.

Using your favorite ASCII editor, create the file _udp.foobar.tld.db in the /var/lib/named/master directory and modify or add these lines to it (I recommend building _udp.foobar.tld.db from scratch):

$ORIGIN .
$TTL 432000     ; 5 days
_udp.foobar.tld               IN SOA  bar.foobar.tld. root.foobar.tld. (
                               200524090  ; serial
                               10800      ; refresh (3 hours)
                               3600       ; retry (1 hour)
                               604800     ; expire (1 week)
                               432000     ; minimum (5 days)
                               )
               IN      NS      bar.foobar.tld.
$ORIGIN _udp.foobar.tld.
$TTL 600        ; 10 mins

Using your favorite ASCII editor, create the file _sites.foobar.tld.db in the /var/lib/named/master directory and modify or add these lines to it (I recommend building _sites.foobar.tld.db from scratch):

$ORIGIN .
$TTL 432000     ; 5 days
_sites.foobar.tld               IN SOA  bar.foobar.tld. root.foobar.tld. (
                               200524090  ; serial
                               10800      ; refresh (3 hours)
                               3600       ; retry (1 hour)
                               604800     ; expire (1 week)
                               432000     ; minimum (5 days)
                               )
               IN      NS      bar.foobar.tld.
$ORIGIN _sites.foobar.tld.
$TTL 600        ; 10 mins

Using your favorite ASCII editor, create the file _msdcs.foobar.tld.db in the /var/lib/named/master directory and modify or add these lines to it (I recommend building _msdcs.foobar.tld.db from scratch):

$ORIGIN .
$TTL 432000     ; 5 days
_msdcs.foobar.tld             IN SOA  bar.foobar.tld. root.foobar.tld. (
                               200524091  ; serial
                               10800      ; refresh (3 hours)
                               3600       ; retry (1 hour)
                               604800     ; expire (1 week)
                               432000     ; minimum (5 days)
                               )
               IN      NS      bar.foobar.tld.
$ORIGIN _msdcs.foobar.tld.
$TTL 600        ; 10 mins
_ldap._tcp.dc._msdcs.foobar.tld.      SRV 0 0 389 bar.foobar.tld.
_kerberos._tcp.dc._msdcs.foobar.tld.  SRV 0 0 88 bar.foobar.tld.
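The SRV records in the _tcp and _msdcs zones are only useful if their target, bar.foobar.tld., actually has an A record in the forward zone; named-checkzone validates each file on its own and does not catch a target that is defined nowhere. The script below is an added example, not part of this howto: it contains a small parser for the zone-file syntax used in these files ($ORIGIN and $TTL directives, the parenthesised multi-line SOA, and records whose blank owner field inherits the previous owner) and then checks every NS and SRV target across a set of zones. The sample zones are constructed copies of foobar.forward and _tcp.foobar.tld.db from above; function names are mine.

```python
"""Parse the zone files above and check that every NS/SRV target has an A record.

Added example, not part of the howto.  Handles $ORIGIN/$TTL, a parenthesised
multi-line SOA, and blank-owner records.  Samples are constructed copies of
foobar.forward and _tcp.foobar.tld.db.
"""

# Constructed sample: the forward zone, one record per line.
FORWARD_ZONE = """$ORIGIN .
$TTL 5D
foobar.tld               IN SOA  bar.foobar.tld. root.foobar.tld. (
                                        200524085  ; serial
                                        3H         ; refresh
                                        1H         ; retry
                                        1W         ; expire
                                        5D )       ; minimum
                         NS      bar.foobar.tld.
                         A       192.168.1.104
$ORIGIN foobar.tld.
$TTL 5D
bar                      A       192.168.1.104
"""

# Constructed sample: the _tcp zone carrying the LDAP and Kerberos SRV records.
TCP_ZONE = """$ORIGIN .
$TTL 432000     ; 5 days
_tcp.foobar.tld               IN SOA  bar.foobar.tld. root.foobar.tld. (
                               200524091  ; serial
                               10800      ; refresh (3 hours)
                               3600       ; retry (1 hour)
                               604800     ; expire (1 week)
                               432000     ; minimum (5 days)
                               )
               IN      NS      bar.foobar.tld.
$ORIGIN _tcp.foobar.tld.
$TTL 600        ; 10 mins
_ldap._tcp.foobar.tld.        SRV     0 0 389 bar.foobar.tld.
_kerberos._tcp.foobar.tld.    SRV     0 0 88 bar.foobar.tld.
"""

RRTYPES = {"SOA", "NS", "A", "AAAA", "SRV", "PTR", "CNAME", "MX", "TXT"}


def qualify(name, origin):
    """Make an owner name absolute relative to the current $ORIGIN."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return name + "." if origin == "." else name + "." + origin


def logical_lines(text):
    """Strip ';' comments and join parenthesised continuation lines (the SOA)."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth == 0:
            yield " ".join(buf)
            buf = []


def parse_zone(text):
    """Return [(owner, type, rdata)] with every owner fully qualified."""
    origin, owner, records = ".", None, []
    for line in logical_lines(text):
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$TTL"):
            continue
        fields = line.split()
        if not line[0].isspace():          # explicit owner; a blank owner inherits
            owner = qualify(fields.pop(0), origin)
        while fields[0].upper() not in RRTYPES:   # skip optional TTL / class
            fields.pop(0)
        records.append((owner, fields[0].upper(), " ".join(fields[1:])))
    return records


def srv_records(zones):
    """Map each SRV owner to (priority, weight, port, target)."""
    out = {}
    for owner, rtype, rdata in (r for z in zones for r in parse_zone(z)):
        if rtype == "SRV":
            prio, weight, port, target = rdata.split()
            out[owner] = (int(prio), int(weight), int(port), target)
    return out


def missing_targets(zones):
    """NS/SRV records whose target name has no A/AAAA record in any given zone."""
    records = [r for z in zones for r in parse_zone(z)]
    addressed = {o for o, t, _ in records if t in ("A", "AAAA")}
    problems = []
    for owner, rtype, rdata in records:
        if rtype not in ("NS", "SRV"):
            continue
        target = rdata.split()[-1]        # last rdata field is the target name
        if target not in addressed:
            problems.append((owner, rtype, target))
    return problems
```

missing_targets([FORWARD_ZONE, TCP_ZONE]) returns an empty list because bar.foobar.tld. gets its A record from the forward zone; checking the _tcp zone on its own reports all three NS/SRV targets as unresolvable, which is the situation a client sees if the forward zone fails to load.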

ClamAV

Setting up content checking in SAMBA is a bit screwy and requires some modifications. So first copy the vscan-clamav.conf file from the /usr/share/doc/packages/samba-vscan/ directory to the /etc/samba directory:

# cp  /usr/share/doc/packages/samba-vscan/vscan-clamav.conf /etc/samba

Now create a directory named clamd in /var/run and change its ownership to user and group vscan:

# mkdir /var/run/clamd
# chown vscan:vscan /var/run/clamd

We also need to create the directory that will be used as the quarantine and give ownership of it to the vscan user:

# mkdir /var/lib/clamav/quarantine
# chown vscan /var/lib/clamav/quarantine 

Finally we need to create the log file clamd.log in /var/log.

# touch /var/log/clamd.log
# chown vscan:vscan /var/log/clamd.log

Using your favorite ASCII editor, create the file vscan-clamav.conf in the /etc/samba directory and modify or add these lines to it (I recommend building vscan-clamav.conf from scratch):

[samba-vscan]
max file size = 0
verbose file logging = yes
scan on open = yes
scan on close = yes
deny access on error = yes
deny access on minor error = yes
send warning message = yes
infected file action = quarantine
quarantine directory  = /var/lib/clamav/quarantine
quarantine prefix = vir-
max lru files entries = 100
lru file entry lifetime = 5
exclude file types =
clamd socket name = /var/run/clamd/clamd
libclamav max files in archive = 1000
libclamav max archived file size = 10 * 1048576
libclamav max recursion level = 5

Using your favorite ASCII editor, create the file clamd.conf in the /etc/ directory and modify or add these lines to it (I recommend building clamd.conf from scratch):

LogFile /var/log/clamd.log
LogFileUnlock
LogSyslog
LogFacility LOG_MAIL
LogVerbose
PidFile /var/lib/clamav/clamd.pid
DatabaseDirectory /var/lib/clamav
LocalSocket /var/run/clamd/clamd
FixStaleSocket
User vscan
Foreground
Debug
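The two files above have to agree with each other and with the directories created earlier: the socket named by "clamd socket name" must be the one clamd opens as LocalSocket, and because "deny access on error = yes" makes the module fail closed, a mismatch means every file open on the share is refused rather than scanned. The following script is an added example, not part of this howto: it parses constructed copies of both files, reports such inconsistencies, and lists the paths the configs reference together with the user (from clamd's User line) that must own them, which is exactly what the mkdir/chown/touch steps above set up. Function names are mine.

```python
"""Cross-check vscan-clamav.conf against clamd.conf before restarting smb.

Added example, not from the howto.  With "deny access on error = yes" the
vscan module refuses every open/close it cannot scan, so a clamd socket path
that differs between the two files locks users out of the shares instead of
failing open.  Both samples below are constructed copies of the files above.
"""
import os

VSCAN_CONF = """[samba-vscan]
max file size = 0
verbose file logging = yes
scan on open = yes
scan on close = yes
deny access on error = yes
deny access on minor error = yes
send warning message = yes
infected file action = quarantine
quarantine directory  = /var/lib/clamav/quarantine
quarantine prefix = vir-
exclude file types =
clamd socket name = /var/run/clamd/clamd
"""

CLAMD_CONF = """LogFile /var/log/clamd.log
LogSyslog
LogFacility LOG_MAIL
PidFile /var/lib/clamav/clamd.pid
DatabaseDirectory /var/lib/clamav
LocalSocket /var/run/clamd/clamd
FixStaleSocket
User vscan
"""


def parse_vscan(text):
    """Parse 'key = value' lines of the [samba-vscan] section (keys lower-cased)."""
    conf, section = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[]").strip()
        elif section == "samba-vscan" and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip().lower()] = value.strip()
    return conf


def parse_clamd(text):
    """Parse clamd.conf 'Option value' lines; a bare option (e.g. LogSyslog) is 'yes'."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = line.split(None, 1)
            conf[parts[0]] = parts[1] if len(parts) > 1 else "yes"
    return conf


def check(vscan_text, clamd_text):
    """Return a list of problems that would break scanning or lock users out."""
    vs, cd = parse_vscan(vscan_text), parse_clamd(clamd_text)
    findings = []
    sock_vs, sock_cd = vs.get("clamd socket name"), cd.get("LocalSocket")
    if sock_vs != sock_cd:
        findings.append(f"socket mismatch: samba-vscan uses {sock_vs!r}, "
                        f"clamd listens on {sock_cd!r}")
        if vs.get("deny access on error", "no").lower() == "yes":
            findings.append("deny access on error = yes: with the socket "
                            "mismatch every file access on the share is refused")
    if vs.get("infected file action") == "quarantine" and not vs.get("quarantine directory"):
        findings.append("infected file action = quarantine but no quarantine directory")
    if "User" not in cd:
        findings.append("clamd.conf has no User line: clamd keeps the uid it was started with")
    return findings


def required_paths(vscan_text, clamd_text):
    """Paths the two configs reference, mapped to the user that must own them."""
    vs, cd = parse_vscan(vscan_text), parse_clamd(clamd_text)
    owner = cd.get("User", "root")
    paths = {}
    for key in ("LocalSocket", "PidFile"):       # the parent dir must be writable
        if key in cd:
            paths[os.path.dirname(cd[key])] = owner
    for key in ("LogFile", "DatabaseDirectory"):
        if key in cd:
            paths[cd[key]] = owner
    if vs.get("quarantine directory"):
        paths[vs["quarantine directory"]] = owner
    return paths
```

With the files as written above, check() returns no findings and required_paths() lists /var/run/clamd, /var/lib/clamav, /var/lib/clamav/quarantine and /var/log/clamd.log, all owned by vscan, matching the commands earlier in this section.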

Bacula

Bacula Server Config

In Progress, will come back to this later....

Firstly, to simplify tracking our configs between multiple servers:

# mkdir /etc/bacula-conf

Using your favorite ascii editor, create bacula-dir.conf file in /usr/local/bacula/bin/ directory and modify or add these lines to it ( i recommend you to build bacula-dir.conf file from scratch ):

@|"sh -c 'for f in /etc/bacula-conf/*.conf ; do echo @${f} ; done'"

This complicated-looking line tells Bacula to include every .conf file in /etc/bacula-conf/.

Now we can create our backup configs.

PDC Bacula Client Config

Old Server Setup


Now let's check our config for syntactic correctness; you should get output like the following:

# testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[printers]"
Processing section "[netlogon]"
Processing section "[profiles]"
Processing section "[share]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions


Now give Samba permission to create roaming profile directories:

# chmod 1777 /var/lib/samba/profiles

And list resources on your server:

# smbclient -L localhost -N
added interface ip=192.168.1.104 bcast=192.168.1.255 nmask=255.255.255.0
Anonymous login successful
Domain=[FOOBAR.TLD] OS=[Unix] Server=[Samba 3.0.12-5-SUSE]

        Sharename       Type      Comment
        ---------       ----      -------
        profiles        Disk      Roaming Profiles
        share           Disk      share
        IPC$            IPC       IPC Service (Samba 3.0.12-5-SUSE)
        ADMIN$          IPC       IPC Service (Samba 3.0.12-5-SUSE)
Anonymous login successful
Domain=[FOOBAR.TLD] OS=[Unix] Server=[Samba 3.0.12-5-SUSE]

        Server               Comment
        ---------            -------
        BAR                  Samba 3.0.12-5-SUSE

        Workgroup            Master
        ---------            -------
        FOOBAR.TLD           BAR


You will probably get a result like this at first if you are using a host.domain.tld setup:

# smbclient -L localhost -N
Error connecting to 127.0.0.1 (Connection refused)
Connection to localhost failed (Error NT_STATUS_CONNECTION_REFUSED)

To resolve this, either carry on with this howto and retry once DNS and DHCP are configured, or, as a quick fix, edit the file /etc/hosts as follows:

# IP-Address  Full-Qualified-Hostname  Short-Hostname
#
127.0.0.1       localhost bar.foobar.tld
127.0.0.2       bar.foobar.tld bar
10.10.1.1       bar.foobar.tld bar foobar.tld

In this case, reboot your server and retest the "smbclient -L localhost -N" command.

OpenLDAP Setup


In order to get the system to authenticate via LDAP, and to use the POSIX accounts stored in LDAP for SAMBA, you need to set your system to do authentication via LDAP for both local and remote connections.

So use YaST to configure your system as LDAP client:

Image:Yastldap.png

Once you've got that covered, use your favorite ASCII editor to edit the file nsswitch.conf in /etc/ and modify or add the following directives:

passwd: files ldap
group: files ldap

Now list the entries in the administrative database to see whether your system indeed sees both local and LDAP-stored accounts. If you haven't added any account yet there should be at least two, Admin and nobody; the command prints all accounts, but only those two are shown here:

# getent passwd
+::0:0:::
Admin:x:998:512:Netbios Domain Administrator:/home/Admin:/bin/false
nobody:x:999:514:nobody:/dev/null:/bin/false

If everything is set as described above, you need to configure PAM:

# pam-config -a --mkhomedir --mkhomedir-skel=/etc/skel --mkhomedir-umask=0022

This will add the required modules, but they are set to optional. Edit the file common-session in /etc/pam.d/ and change

session optional        pam_mkhomedir.so        umask=0022 skel=/etc/skel

to

session required        pam_mkhomedir.so        umask=0022 skel=/etc/skel


Remark: if you use a domain name like "mycorp.net" on openSUSE 10.3 you need to modify the /etc/ldap.conf file like this:


Start Services

Start all daemons:

# rcnamed start
# rcdhcpd start
# rcldap start
# rcsmb start
# rcnmb start
# rcclamd start
# rcmysql start
# rcapache2 start
# rcbacula-fd start
# rcbacula-dir start
# rcbacula-sd start


Make all daemons run by default on machine startup:

# chkconfig named on
# chkconfig dhcpd on
# chkconfig smb on
# chkconfig nmb on
# chkconfig clamd on
# chkconfig ldap on
# chkconfig mysql on
# chkconfig apache2 on
# chkconfig freshclam on
# chkconfig bacula-fd on
# chkconfig bacula-sd on
# chkconfig bacula-dir on

Domain Config

This stage requires the use of the Microsoft utility Poledit.exe.
You will need access to a Windows 2000 machine to proceed (I ended up installing a copy of win2k in a vmware virtual machine as Poledit kept randomly crashing on the XP SP2 machines.)




Client Setup

Joining the Domain

Setting up a client to connect to the domain is not that hard, assuming that all of your services work in sweet harmony ( let's come together right now, oh yeah in sweeeet harmony ).

Ok, let's commence our journey of joining a client workstation to the SAMBA domain. The machine account should be added to the domain automatically by default, but if it isn't you will need to add a POSIX machine account for it first (note that the $ is there for a reason: it specifies that the account is a machine account):

# smbldap-useradd -w machine_name$

Now on your Windows workstation, right-click My Computer and choose Properties; you should be presented with a panel like this:

Image:Network-properties.jpg

Now press the Properties button and you will get a panel like this:

Image:Prop-add.jpg

Click the Domain radio button and type in the domain name foobar.tld, then press the Ok button and you will be presented with a panel like this:

Image:Auth-prompt.jpg

Enter the username Administrator and its password (remember smbpasswd -a root). If you configured everything well you should get a popup like this:

Image:Welcome.jpg

Press Ok and reboot your workstation; once booted, log in to the domain with the user account you added with the smbldap-useradd script.

Bacula Win32 Client



Appendixes

List of configuration files

/data/openldap/DB_CONFIG
/etc/dhcpd.conf
/etc/ldap.conf
/etc/my.cnf
/etc/named.conf
/etc/named.keys
/etc/openldap/slapd.conf
/etc/samba/smb.conf
/etc/smbldap-tools/smbldap.conf
/etc/smbldap-tools/smbldap_bind.conf
/srv/www/htdocs/lam/config/lam.conf
/usr/local/bacula/bin/bacula-dir.conf
/usr/local/bacula/bin/bacula-fd.conf
/usr/local/bacula/bin/bacula-sd.conf
/usr/local/bacula/bin/bconsole.conf
/var/lib/named/dyn/foobar.forward
/var/lib/named/dyn/foobar.reverse
/var/lib/named/master/_sites.foobar.tld.db
/var/lib/named/master/_msdcs.foobar.tld.db
/var/lib/named/master/_tcp.foobar.tld.db
/var/lib/named/master/_udp.foobar.tld.db