Howto setup SUSE as SAMBA PDC with OpenLDAP, DYNDNS and CLAM

From openSUSE



Intro

This is a step by step guide on how to configure a GNU/Linux system with Samba, OpenLDAP, DHCP, DNS and ClamAV on SUSE Linux Professional 9.3. With minor tweaks you should get it working on any GNU/Linux distribution.

The article that covers SUSE Linux 10.1 is Howto setup SUSE 10.1 as Samba PDC
The article that covers SUSE Linux 10.3 is Howto setup SUSE 10.3 as Samba PDC

Overview Of The Software Used To Create This Setup

Distribution: SUSE 9.3 Professional

SUSE LINUX Professional 9.3, features an easy-to-install Linux operating system. SUSE 9.3 uses the latest versions of open source networking features like Samba, Apache, DNS and DHCP to power robust home networks that include Web hosting, centralized printing and media workstations. With special features to speed everything from server setup and configuration to software updating, SUSE LINUX Professional contains the most comprehensive set of tools ever included in a retail Linux package. SUSE LINUX Professional comes complete with the latest versions of Apache, DNS, DHCP, Samba, NFS, SLP and NIS.

Backend Database: OpenLDAP 2.2.23-6

OpenLDAP Software is an open source implementation of the Lightweight Directory Access Protocol.

Name Resolution: Named(BIND) 9.3.1-3

Berkeley Internet Name Domain, previously Berkeley Internet Name Daemon, is the most commonly used DNS server on the Internet, especially on Unix-like systems, where it is a de facto standard. BIND (BIND 9) was written from scratch in part to address the architectural difficulties with auditing the earlier BIND code bases, and also to support DNSSEC (DNS Security Extensions). Other important features of BIND 9 include: TSIG, DNS notify, nsupdate, IPv6, rndc flush, views, multiprocessor support, and an improved portability architecture.

TCP/IP Settings Automation: DHCP-Server 3.0.2-6

DHCPD is the daemon used by Linux to dynamically configure TCP/IP information for client systems.

Anti Virus Software: Samba Vscan 0.3.5-37

Samba Vscan is a proof-of-concept module for Samba, which uses the VFS (virtual file system) features of Samba 2.2.x/3.0 to provide an on-access Samba anti-virus. Of course, Samba has to be compiled with VFS support.

Installing Necessary Software

Assuming you have working installation of SUSE 9.3 Professional, you will need to install a few packages to make this tutorial work for you.

Installing Samba Package

First you need to find out which Samba packages are installed; if the list differs from the one below, install the missing packages individually, by hand or via YaST:

zendo:~ # rpm -qa '*samba*'
samba-client-3.0.12-5
samba-doc-3.0.12-5
samba-3.0.12-5
samba-pdb-3.0.12-5
samba-winbind-3.0.12-5
yast2-samba-client-2.11.5-3
yast2-samba-server-2.11.14-3
samba-vscan-0.3.5-37

So use either YaST or the rpm command to install the missing packages needed for this setup:

The YaST way ( you don't need the package version, just the package name, e.g. samba-vscan ):

yast -i package-name

The RPM way ( assuming you are in the same directory as the RPM packages ):

rpm -Uvh package-name-version.rpm

Now check whether the other packages are installed, and install them if they are not:

# rpm -qa '*dhcp-server*'
# rpm -qa '*bind*'
# rpm -qa '*clamav*'
# rpm -qa '*perl*'

Make sure the previous commands list the following packages:

dhcp-server-3.0.2-6
bind-9.3.1-3
clamav-db-0.85.1-1.1
clamav-0.85.1-1.1
perl-URI-1.35-3
perl-ldap-0.29-137
perl-Convert-ASN1-0.18-69
perl-Crypt-SmbHash-0.02-3

Server Setup

Samba Setup

Move your old smb.conf file to a safe place:

# cd /etc/samba/
# mv smb.conf smb.conf.OLD

Now using your favorite ascii editor, edit or create the smb.conf file in /etc/samba and modify or add these lines to it. Note that the workgroup value is a NetBIOS name: if foobar.tld were longer than 15 characters Samba would truncate it. I recommend building smb.conf from scratch as defined below:

# Defining domain name, hostname
####################################################
[global]
workgroup = foobar.tld
netbios name = bar

# Specifying ldapsam backend database
####################################################
passdb backend = ldapsam:ldap://127.0.0.1
username map = /etc/samba/smbusers

# Specifying printing subsystem
####################################################
printcap name = cups
printing = cups

# Path to IDEALX scripts (we will get to that soon)
####################################################
add user script = /usr/local/sbin/smbldap-useradd -m %u
delete user script = /usr/local/sbin/smbldap-userdel %u
add group script = /usr/local/sbin/smbldap-groupadd -p %g
delete group script = /usr/local/sbin/smbldap-groupdel %g
add user to group script = /usr/local/sbin/smbldap-groupmod -m %g %u
delete user from group script = /usr/local/sbin/smbldap-groupmod -x %g %u
set primary group script = /usr/local/sbin/smbldap-usermod -g %g %u
add machine script = /usr/local/sbin/smbldap-useradd -w %u
# if you want machines added to the domain automatically, the add machine script is:
# add machine script = /usr/local/sbin/smbldap-useradd -w -i %u
# ( proved on SUSE 10.0 )

# Various other directives ( man smb.conf )
####################################################
obey pam restrictions = Yes
logon script = scripts\logon.bat
logon path = \\%L\Profiles\%U
logon drive = H:
logon home = \\%L\%U
domain logons = Yes
os level = 44
preferred master = Yes
domain master = Yes
dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
show add printer wizard = yes

# OpenLDAP stuff is defined here
###################################################
ldap suffix = dc=foobar,dc=tld
ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
# idmap entries go into the ou=Idmap container that smbldap-populate creates
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=Manager,dc=foobar,dc=tld
# plain LDAP is acceptable only because the directory is on 127.0.0.1;
# the ldap admin dn password would otherwise cross the network in clear
ldap ssl = no
ldap passwd sync = Yes
idmap uid = 15000-20000
idmap gid = 15000-20000

# Defining logging facility
####################################################
log level = 2
log file = /var/log/samba/%m.log

# Virus Scanning Definition
####################################################
vfs object = vscan-clamav
vscan-clamav: config-file = /etc/samba/vscan-clamav.conf

# Defining user home directories
####################################################
[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No

# Defining printers
####################################################
[printers]
comment = All Printers
path = /var/spool/samba
printer admin = @"Print Operators"
read only = Yes
guest ok = Yes
printable = Yes
browseable = No

# Defining the printer driver share
####################################################
[print$]
path = /var/lib/samba/drivers/
guest ok = No
browseable = Yes
read only = Yes
valid users = @"Print Operators"
write list = @"Print Operators"
create mask = 0664
directory mask = 0775

# Defining network logon service
####################################################
[netlogon]
comment = NLService
path = /var/lib/samba/netlogon
guest ok = Yes
browseable = No

# Defining profile share ( for roaming profiles )
####################################################
[profiles]
comment = Roaming Profiles
path = /var/lib/samba/profiles
create mask = 0600
directory mask = 0700
browseable = No
# profiles hold registry hives and cached credentials; domain users
# authenticate anyway, so there is no reason to allow guest access
guest ok = No
force user = %U
# group names in valid users need the leading @, otherwise Samba looks
# for a user called "Domain Admins"
valid users = %U @"Domain Admins"
read only = No
profile acls = Yes

# Defining arbitrary shared resource
####################################################
[share]
comment = data share
path = /opt/stuff
valid users = %U

Using your favorite ascii editor, edit the smbusers file in /etc/samba and add the following line unless it is there by default ( it maps the Windows account name Administrator to the Unix root account ):

root = Administrator

You may have been puzzled by the IDEALX script entries in smb.conf, so here is an explanation: the IDEALX scripts ( smbldap-tools ) are a collection of user{add,del,mod} and group{add,del,mod} system tools that manipulate users and groups stored in the LDAP directory; Samba calls them whenever a Windows client creates or changes an account.

So copy these scripts to appropriate destination directory:

# cd /usr/share/doc/packages/samba/examples/LDAP/smbldap-tools-*/
# cp smbldap-* /usr/local/sbin

Now let's check our config for syntactic correctness; you should get output as shown below ( Server role must read ROLE_DOMAIN_PDC ):

# testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[printers]"
Processing section "[netlogon]"
Processing section "[profiles]"
Processing section "[share]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions

Now give Samba permission to create roaming profile directories ( the sticky bit lets every user create a profile directory while only the owner can remove it ), and create the directory from which the netlogon share serves scripts\logon.bat ( the script itself is yours to write; it must use DOS line endings ):

# chmod 1777 /var/lib/samba/profiles
# mkdir -p /var/lib/samba/netlogon/scripts

Now start Samba service(s):

# rcsmb start
# rcnmb start

And list resources on your server:

# smbclient -L localhost -N
added interface ip=192.168.1.104 bcast=192.168.1.255 nmask=255.255.255.0
Anonymous login successful
Domain=[FOOBAR.TLD] OS=[Unix] Server=[Samba 3.0.12-5-SUSE]

        Sharename       Type      Comment
        ---------       ----      -------
        profiles        Disk      Roaming Profiles
        share           Disk      share
        IPC$            IPC       IPC Service (Samba 3.0.12-5-SUSE)
        ADMIN$          IPC       IPC Service (Samba 3.0.12-5-SUSE)
Anonymous login successful
Domain=[FOOBAR.TLD] OS=[Unix] Server=[Samba 3.0.12-5-SUSE]

        Server               Comment
        ---------            -------
        BAR                  Samba 3.0.12-5-SUSE

        Workgroup            Master
        ---------            -------
        FOOBAR.TLD           BAR

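testparm proves that smb.conf parses; it says nothing about whether the settings make a safe PDC. The script below is an added example, not part of this howto or of Samba: it reads an smb.conf in the layout used above and flags the settings a reviewer checks before the server goes live: the three role settings a PDC needs, an ldapsam backend reached over the network without TLS, guest access to the profile share, and group names in valid users written without the leading @ ( Samba then silently looks for a user of that name ). The file name in the usage line is an assumption.

```shell
#!/bin/sh
# Added example, not from the original howto or from the Samba project.
# Complements testparm: checks the settings that decide whether this box
# is a safe PDC. Assumes POSIX sh plus awk/grep and the smb.conf layout
# used above ("key = value", [sections], '#' or ';' comments).

# smb_get FILE SECTION KEY -> prints the value, or nothing if unset.
# Keys and section names are compared case- and whitespace-insensitively,
# which is how smbd itself treats them.
smb_get() {
    awk -v want_sec="$2" -v want_key="$3" '
        function norm(s) { gsub(/[ \t]/, "", s); return tolower(s) }
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next }
        index($0, "=") && norm(sec) == norm(want_sec) {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            if (norm(key) == norm(want_key)) {
                sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
                print val; exit
            }
        }' "$1"
}

# is_yes VALUE -> true for the spellings smbd accepts as boolean true.
is_yes() {
    case "$(printf %s "$1" | tr 'A-Z' 'a-z')" in
        yes|true|1) return 0 ;;
        *) return 1 ;;
    esac
}

# check_pdc_conf FILE -> one line per finding; returns the number of
# findings, so 0 (success) means the file passes every check.
check_pdc_conf() {
    f=$1; n=0
    # 1. Role: a PDC needs all three, otherwise clients cannot join.
    for k in "domain logons" "domain master" "preferred master"; do
        is_yes "$(smb_get "$f" global "$k")" || { echo "FAIL: [global] $k is not yes"; n=$((n+1)); }
    done
    # 2. Backend: ldapsam to a remote directory without TLS sends the
    #    ldap admin dn password in clear on every update.
    backend=$(smb_get "$f" global "passdb backend")
    case "$backend" in
        ldapsam:ldap://127.0.0.1*|ldapsam:ldap://localhost*|ldapsam:ldapi://*|ldapsam:ldaps://*) ;;
        ldapsam:*)
            case "$(smb_get "$f" global "ldap ssl" | tr 'A-Z' 'a-z')" in
                start_tls|on|yes) ;;
                *) echo "FAIL: ldapsam over the network without ldap ssl = start_tls"; n=$((n+1)) ;;
            esac ;;
        *) echo "FAIL: passdb backend is '$backend', not ldapsam"; n=$((n+1)) ;;
    esac
    # 3. Profiles carry registry hives and cached credentials; domain
    #    users authenticate anyway, so guest access only adds exposure.
    is_yes "$(smb_get "$f" profiles "guest ok")" && { echo "WARN: [profiles] guest ok = yes"; n=$((n+1)); }
    # 4. A quoted name in "valid users" not preceded by @ is taken as a
    #    user name, so the group silently gets no access.
    smb_get "$f" profiles "valid users" | grep -q -E '(^|[[:space:],])"' \
        && { echo "FAIL: [profiles] valid users names a group without a leading @"; n=$((n+1)); }
    return $n
}

# Usage: sh check_pdc.sh /etc/samba/smb.conf
[ $# -gt 0 ] && check_pdc_conf "$1"
```

Run it against /etc/samba/smb.conf after every change; an exit status of 0 means no findings. It flags the "guest ok = Yes" on [profiles] of older versions of this howto as a warning: that setting is harmless only because valid users restricts the share, so tighten it anyway.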
OpenLDAP Setup

Using your favorite ascii editor, edit the slapd.conf file in /etc/openldap and modify or add these lines to it ( I recommend building slapd.conf from scratch ):

# Defining schemas and schema file locations
################################################################
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/samba3.schema
pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args

# Defining our database and admin user + password
################################################################
database        bdb
suffix          "dc=foobar,dc=tld"
rootdn          "cn=Manager,dc=foobar,dc=tld"
rootpw          secret
directory       /var/lib/ldap

# Indexing for faster queries ( bad indexes can slow things up )
#################################################################
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUid eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub

# Defining Access Control Lists for access to various parts of our
# database. We can live without ACLs as well, but some security should
# be in place: nobody except the owner and the Manager may read password
# attributes. slapd evaluates "access to" rules in order and the first
# one whose target matches wins, so this rule must stay above the
# catch-all below. The Samba LM/NT hashes are password equivalents
# (they are enough to log on over SMB) and need the same protection as
# userPassword. Within a rule the first matching "by" clause wins, so
# "self" must come before "users".
######################################################################
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
        by dn="cn=Manager,dc=foobar,dc=tld" write
        by self write
        by anonymous auth
        by * none

access to *
        by dn="cn=Manager,dc=foobar,dc=tld" write
        by self write
        by users read
        by * read

Once you have modified the file to look like the one presented above, two things remain. First, rootpw is shown in clear text for readability; generate a hash with slappasswd -s secret and paste the {SSHA}... line it prints in place of the clear-text value, because anyone who can read slapd.conf otherwise holds the directory's root password. Second, make sure the samba3.schema file is in /etc/openldap/schema ( list the directory and see ); if you don't have it, install the package named samba-client.
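OpenLDAP stops at the first "access to" whose target matches, so a password rule placed after access to * is never reached, and the Samba NT hash is a password equivalent that must be covered by the same rule as userPassword. The script below is an added example, not from this howto or from OpenLDAP: it reads a flat slapd.conf and reports a clear-text rootpw, a password attribute that no rule protects, a protecting rule that sits below a catch-all, and a password rule that still grants read to everyone; when slappasswd is installed it also produces the hashed rootpw value. File names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original howto or from OpenLDAP.
# Checks the two things in slapd.conf that decide whether directory
# passwords leak. Assumes the flat slapd.conf syntax used above
# (OpenLDAP 2.2), POSIX sh, awk, grep, sed, and slappasswd for the
# hashed_rootpw helper only.

# acl_lines FILE -> the "access to" clauses, one per line, in file order,
# with indented continuation lines joined and comments dropped.
acl_lines() {
    awk '
        /^[ \t]*#/ { next }
        /^[ \t]*access[ \t]+to/ { if (cur != "") print cur; cur = $0; next }
        /^[ \t]+/ && cur != "" { cur = cur " " $0; next }
        { if (cur != "") print cur; cur = "" }
        END { if (cur != "") print cur }' "$1" | tr -s ' \t' ' ' | sed 's/^ //; s/ $//'
}

# check_slapd_conf FILE -> one line per finding; non-zero if any FAIL.
check_slapd_conf() {
    f=$1; n=0
    # 1. rootpw must be a hash ({SSHA}...), never the clear-text password.
    rootpw=$(awk '/^[ \t]*rootpw[ \t]/ { print $2; exit }' "$f")
    case "$rootpw" in
        '{'*'}'*) ;;
        "") echo "WARN: no rootpw; fine only if you never bind as rootdn" ;;
        *) echo "FAIL: rootpw is stored in clear text"; n=$((n+1)) ;;
    esac
    # 2. Every password-equivalent attribute needs a protecting rule, and
    #    that rule must come before the first catch-all "access to *".
    first_catchall=$(acl_lines "$f" | grep -n -E '^access to \*( |$)' | head -1 | cut -d: -f1)
    for attr in userPassword sambaLMPassword sambaNTPassword; do
        rule=$(acl_lines "$f" | grep -n -i -E 'access to attrs?=([^ ]*,)?'"$attr"'(,| |$)' | head -1)
        if [ -z "$rule" ]; then
            echo "FAIL: $attr has no rule of its own; the catch-all decides who reads it"
            n=$((n+1)); continue
        fi
        ruleno=${rule%%:*}
        if [ -n "$first_catchall" ] && [ "$ruleno" -gt "$first_catchall" ]; then
            echo "FAIL: rule for $attr comes after 'access to *' and is never reached"
            n=$((n+1))
        fi
        printf '%s\n' "$rule" | grep -q -i 'by \* read' \
            && { echo "FAIL: rule for $attr grants read to everyone"; n=$((n+1)); }
    done
    return $n
}

# hashed_rootpw PASSWORD -> the value to paste after "rootpw" (needs slappasswd).
hashed_rootpw() {
    slappasswd -h '{SSHA}' -s "$1"
}

# Usage: sh check_slapd.sh /etc/openldap/slapd.conf
[ $# -gt 0 ] && check_slapd_conf "$1"
```

Run it against the file before starting slapd; then replace the clear-text rootpw with the output of hashed_rootpw and run it again until it reports nothing.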

The next step in our OpenLDAP backend configuration is creating the hierarchy of our LDAP domain. We will use the IDEALX scripts to populate the LDAP tree. First create the smbldap-tools directory inside /etc and copy smbldap.conf and smbldap_bind.conf from /usr/share/doc/packages/samba/examples/LDAP/smbldap-tools-0.8.7/ into it; smbldap_bind.conf holds the Manager password, hence mode 600:

# mkdir /etc/smbldap-tools
# cd /usr/share/doc/packages/samba/examples/LDAP/smbldap-tools-0.8.7/
# cp smbldap_bind.conf /etc/smbldap-tools
# cp smbldap.conf /etc/smbldap-tools
# cp smbldap_tools.pm /usr/local/sbin
# chmod 644 /usr/local/sbin/smbldap_tools.pm
# cd /etc/smbldap-tools
# chmod 644 smbldap.conf
# chmod 600 smbldap_bind.conf

Using your favorite ascii editor, edit the smbldap.conf file in /etc/smbldap-tools and modify or add these lines to it ( I recommend building smbldap.conf from scratch ). The suffix must be the same dc=foobar,dc=tld used in slapd.conf and smb.conf:

# To obtain your own SID issue the command net getlocalsid
# and put it below
###############################################################
SID="S-1-5-21-2139989288-483860436-2398042574"

# LDAP server to use; TLS is off because the directory is on 127.0.0.1
slaveLDAP="127.0.0.1"
slavePort="389"
masterLDAP="127.0.0.1"
masterPort="389"
ldapTLS="0"
verify="require"
cafile="/etc/smbldap-tools/ca.pem"
clientcert="/etc/smbldap-tools/smbldap-tools.pem"
clientkey="/etc/smbldap-tools/smbldap-tools.key"

# Directory layout; must match "ldap suffix" and the "ldap * suffix"
# settings in smb.conf
suffix="dc=foobar,dc=tld"
usersdn="ou=Users,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=Idmap,${suffix}"
sambaUnixIdPooldn="sambaDomainName=foobar.tld,${suffix}"
scope="sub"
hash_encrypt="SSHA"
crypt_salt_format="%s"

# Defaults for new accounts
userLoginShell="/bin/bash"
userHome="/home/%U"
userGecos="System User"
defaultUserGid="513"
defaultComputerGid="515"
skeletonDir="/etc/skel"
defaultMaxPasswordAge="99"
userSmbHome="\\BAR\homes\%U"
userProfile="\\BAR\profiles\%U"
userHomeDrive="H:"
# stored per user as sambaLogonScript, which takes precedence over the
# global "logon script" in smb.conf, so keep the two consistent
userScript="scripts\logon.bat"
mailDomain="foobar.tld"
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"

Using your favorite ascii editor, edit smbldap_tools.pm file in /usr/local/sbin directory and modify or add these lines to it:

my $smbldap_conf="/etc/smbldap-tools/smbldap.conf";
my $smbldap_bind_conf="/etc/smbldap-tools/smbldap_bind.conf";

Again using your favorite ascii editor, edit the smbldap_bind.conf file in /etc/smbldap-tools and modify or add these lines to it ( the DN is the rootdn from slapd.conf and the password is its clear-text rootpw ):

slaveDN="cn=Manager,dc=foobar,dc=tld"
slavePw="secret"
masterDN="cn=Manager,dc=foobar,dc=tld"
masterPw="secret"

And yet again using your favorite ascii editor, edit the smbldap-populate file in /usr/local/sbin and change the default administrator name. The default is Administrator, but I've had problems joining workstations to the domain using that account, because in the Samba setup above we map root to Administrator and you need a user with uid 0 to join workstations to the domain. If you have a solution for using a user whose uid is not 0, please feel free to contact me and I'll modify the tutorial:

my $adminName = $Options{'a'};
if (!defined($adminName)) {
  $adminName = "Admin";
}

As the snippet shows, the script already reads the administrator name from the -a option, so instead of editing it you can run smbldap-populate -a Admin. Either way, start the LDAP server first and then run the script from /usr/local/sbin; you should see output like this:

# rcldap start
# /usr/local/sbin/smbldap-populate
Using workgroup name from sambaUnixIdPooldn (smbldap.conf): sambaDomainName=foobar.tld
Using builtin directory structure
adding new entry: dc=foobar,dc=tld
adding new entry: ou=Users,dc=foobar,dc=tld
adding new entry: ou=Groups,dc=foobar,dc=tld
adding new entry: ou=Computers,dc=foobar,dc=tld
adding new entry: ou=Idmap,dc=foobar,dc=tld
adding new entry: sambaDomainName=foobar.tld,dc=foobar,dc=tld
adding new entry: uid=Admin,ou=Users,dc=foobar,dc=tld
adding new entry: uid=nobody,ou=Users,dc=foobar,dc=tld
adding new entry: cn=Domain Admins,ou=Groups,dc=foobar,dc=tld
adding new entry: cn=Domain Users,ou=Groups,dc=foobar,dc=tld
adding new entry: cn=Domain Guests,ou=Groups,dc=foobar,dc=tld
adding new entry: cn=Domain Computers,ou=Groups,dc=foobar,dc=tld
adding new entry: cn=Administrators,ou=Groups,dc=foobar,dc=tld
adding new entry: cn=Print Operators,ou=Groups,dc=foobar,dc=tld
adding new entry: cn=Backup Operators,ou=Groups,dc=foobar,dc=tld

Before we move on, dump the LDAP database with slapcat to ensure the entries have been made; you should get output like this:

# slapcat
dn: dc=foobar,dc=tld
objectClass: dcObject
objectClass: organization
o: foobar
dc: foobar
structuralObjectClass: organization
entryUUID: fc296908-e259-1027-9686-c73f68847b0c
creatorsName: cn=Manager,dc=foobar,dc=tld
createTimestamp: 20040124014007Z
entryCSN: 20040124014007Z#000001#00#000000
modifiersName: cn=Manager,dc=foobar,dc=tld
modifyTimestamp: 20040124014007Z

dn: ou=Users,dc=foobar,dc=tld
objectClass: organizationalUnit
ou: Users
structuralObjectClass: organizationalUnit
entryUUID: fc4bf504-e259-1027-9687-c73f68847b0c
creatorsName: cn=Manager,dc=foobar,dc=tld
createTimestamp: 20040124014007Z
entryCSN: 20040124014007Z#000002#00#000000
modifiersName: cn=Manager,dc=foobar,dc=tld
modifyTimestamp: 20040124014007Z

dn: ou=Groups,dc=foobar,dc=tld
objectClass: organizationalUnit
ou: Groups
structuralObjectClass: organizationalUnit
entryUUID: fc4e6cb2-e259-1027-9688-c73f68847b0c
creatorsName: cn=Manager,dc=foobar,dc=tld
createTimestamp: 20040124014007Z
entryCSN: 20040124014007Z#000003#00#000000
modifiersName: cn=Manager,dc=foobar,dc=tld
modifyTimestamp: 20040124014007Z

dn: ou=Computers,dc=foobar,dc=tld
objectClass: organizationalUnit
ou: Computers
structuralObjectClass: organizationalUnit
entryUUID: fc55504a-e259-1027-9689-c73f68847b0c
creatorsName: cn=Manager,dc=foobar,dc=tld
createTimestamp: 20040124014008Z
entryCSN: 20040124014008Z#000001#00#000000
modifiersName: cn=Manager,dc=foobar,dc=tld
modifyTimestamp: 20040124014008Z

dn: ou=Idmap,dc=foobar,dc=tld
objectClass: organizationalUnit
ou: Idmap
structuralObjectClass: organizationalUnit
entryUUID: fc58a128-e259-1027-968a-c73f68847b0c
creatorsName: cn=Manager,dc=foobar,dc=tld
createTimestamp: 20040124014008Z
entryCSN: 20040124014008Z#000002#00#000000
modifiersName: cn=Manager,dc=foobar,dc=tld
modifyTimestamp: 20040124014008Z

dn: sambaDomainName=foobar.tld,dc=foobar,dc=tld
objectClass: sambaDomain
objectClass: sambaUnixIdPool
sambaDomainName: foobar.tld
sambaSID: S-1-5-21-2139989288-483860436-2398042574
uidNumber: 1000
gidNumber: 1000
structuralObjectClass: sambaDomain
entryUUID: fc5fcfac-e259-1027-968b-c73f68847b0c
creatorsName: cn=Manager,dc=foobar,dc=tld
createTimestamp: 20040124014008Z
entryCSN: 20040124014008Z#000003#00#000000
modifiersName: cn=Manager,dc=foobar,dc=tld
modifyTimestamp: 20040124014008Z

dn: uid=Admin,ou=Users,dc=foobar,dc=tld
cn: Admin
sn: Admin
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: shadowAccount
gidNumber: 512
uid: Admin
uidNumber: 998
homeDirectory: /home/Admin
sambaPwdLastSet: 0
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
sambaHomePath: \\bar\homes\Admin
sambaHomeDrive: H:
sambaProfilePath: \\bar\profiles\Admin\
sambaPrimaryGroupSID: S-1-5-21-2139989288-483860436-2398042574-512
sambaLMPassword: XXX
sambaNTPassword: XXX
sambaAcctFlags: [U ]
sambaSID: S-1-5-21-2139989288-483860436-2398042574-2996
loginShell: /bin/false
gecos: Netbios Domain Administrator
structuralObjectClass: inetOrgPerson
entryUUID: fc9199a6-e259-1027-968c-c73f68847b0c
creatorsName: cn=Manager,dc=foobar,dc=tld
createTimestamp: 20040124014008Z
entryCSN: 20040124014008Z#000004#00#000000
modifiersName: cn=Manager,dc=foobar,dc=tld
modifyTimestamp: 20040124014008Z

dn: uid=nobody,ou=Users,dc=foobar,dc=tld
cn: nobody
sn: nobody
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: shadowAccount
gidNumber: 514
uid: nobody
uidNumber: 999
homeDirectory: /dev/null
sambaPwdLastSet: 0
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
sambaHomePath: \\bar\homes\nobody
sambaHomeDrive: H:
sambaProfilePath: \\bar\profiles\nobody
sambaPrimaryGroupSID: S-1-5-21-2139989288-483860436-2398042574-514
sambaLMPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
sambaNTPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
sambaAcctFlags: [NU ]
sambaSID: S-1-5-21-2139989288-483860436-2398042574-2998
loginShell: /bin/false
structuralObjectClass: inetOrgPerson
entryUUID: fcbe3362-e259-1027-968d-c73f68847b0c
creatorsName: cn=Manager,dc=foobar,dc=tld
createTimestamp: 20040124014008Z
entryCSN: 20040124014008Z#000005#00#000000
modifiersName: cn=Manager,dc=foobar,dc=tld
modifyTimestamp: 20040124014008Z

dn: cn=Domain Admins,ou=Groups,dc=foobar,dc=tld
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
cn: Domain Admins
memberUid: Admin
description: Netbios Domain Administrators
sambaSID: S-1-5-21-2139989288-483860436-2398042574-512
sambaGroupType: 2
displayName: Domain Admins
structuralObjectClass: posixGroup
entryUUID: fcc7222e-e259-1027-968e-c73f68847b0c
creatorsName: cn=Manager,dc=foobar,dc=tld
createTimestamp: 20040124014008Z
entryCSN: 20040124014008Z#000006#00#000000
modifiersName: cn=Manager,dc=foobar,dc=tld
modifyTimestamp: 20040124014008Z

dn: cn=Domain Users,ou=Groups,dc=foobar,dc=tld
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 513
cn: Domain Users
description: Netbios Domain Users
sambaSID: S-1-5-21-2139989288-483860436-2398042574-513
sambaGroupType: 2
displayName: Domain Users
structuralObjectClass: posixGroup
entryUUID: fceb2534-e259-1027-968f-c73f68847b0c
creatorsName: cn=Manager,dc=foobar,dc=tld
createTimestamp: 20040124014008Z
entryCSN: 20040124014008Z#000007#00#000000
modifiersName: cn=Manager,dc=foobar,dc=tld
modifyTimestamp: 20040124014008Z

dn: cn=Domain Guests,ou=Groups,dc=foobar,dc=tld
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 514
cn: Domain Guests
description: Netbios Domain Guests Users
sambaSID: S-1-5-21-2139989288-483860436-2398042574-514
sambaGroupType: 2
displayName: Domain Guests
structuralObjectClass: posixGroup
entryUUID: fcf449fc-e259-1027-9690-c73f68847b0c
creatorsName: cn=Manager,dc=foobar,dc=tld
createTimestamp: 20040124014009Z
entryCSN: 20040124014009Z#000001#00#000000
modifiersName: cn=Manager,dc=foobar,dc=tld
modifyTimestamp: 20040124014009Z

dn: cn=Domain Computers,ou=Groups,dc=foobar,dc=tld
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 515
cn: Domain Computers
description: Netbios Domain Computers accounts
sambaSID: S-1-5-21-2139989288-483860436-2398042574-515
sambaGroupType: 2
displayName: Domain Computers
structuralObjectClass: posixGroup
entryUUID: fcfe6612-e259-1027-9691-c73f68847b0c
creatorsName: cn=Manager,dc=foobar,dc=tld
createTimestamp: 20040124014009Z
entryCSN: 20040124014009Z#000002#00#000000
modifiersName: cn=Manager,dc=foobar,dc=tld
modifyTimestamp: 20040124014009Z

dn: cn=Administrators,ou=Groups,dc=foobar,dc=tld
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 544
cn: Administrators
description: Netbios Domain Members can fully administer the computer/sambaDomainName
sambaSID: S-1-5-32-544
sambaGroupType: 5
displayName: Administrators
structuralObjectClass: posixGroup
entryUUID: fd077900-e259-1027-9692-c73f68847b0c
creatorsName: cn=Manager,dc=foobar,dc=tld
createTimestamp: 20040124014009Z
entryCSN: 20040124014009Z#000003#00#000000
modifiersName: cn=Manager,dc=foobar,dc=tld
modifyTimestamp: 20040124014009Z

dn: cn=Print Operators,ou=Groups,dc=foobar,dc=tld
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 550
cn: Print Operators
description: Netbios Domain Print Operators
sambaSID: S-1-5-32-550
sambaGroupType: 5
displayName: Print Operators
structuralObjectClass: posixGroup
entryUUID: fd1062c2-e259-1027-9693-c73f68847b0c
creatorsName: cn=Manager,dc=foobar,dc=tld
createTimestamp: 20040124014009Z
entryCSN: 20040124014009Z#000004#00#000000
modifiersName: cn=Manager,dc=foobar,dc=tld
modifyTimestamp: 20040124014009Z

dn: cn=Backup Operators,ou=Groups,dc=foobar,dc=tld
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 551
cn: Backup Operators
description: Netbios Domain Members can bypass file security to back up files
sambaSID: S-1-5-32-551
sambaGroupType: 5
displayName: Backup Operators
structuralObjectClass: posixGroup
entryUUID: fd181b16-e259-1027-9694-c73f68847b0c
creatorsName: cn=Manager,dc=foobar,dc=tld
createTimestamp: 20040124014009Z
entryCSN: 20040124014009Z#000005#00#000000
modifiersName: cn=Manager,dc=foobar,dc=tld
modifyTimestamp: 20040124014009Z

dn: cn=Replicators,ou=Groups,dc=foobar,dc=tld
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 552
cn: Replicators
description: Netbios Domain Supports file replication in a sambaDomainName
sambaSID: S-1-5-32-552
sambaGroupType: 5
displayName: Replicators
structuralObjectClass: posixGroup
entryUUID: fd211446-e259-1027-9695-c73f68847b0c
creatorsName: cn=Manager,dc=foobar,dc=tld
createTimestamp: 20040124014009Z
entryCSN: 20040124014009Z#000006#00#000000
modifiersName: cn=Manager,dc=foobar,dc=tld
modifyTimestamp: 20040124014009Z

Now restart all daemons so that Samba sees the populated directory:

# rcldap restart
# rcsmb restart
# rcnmb restart

Let's add a few accounts to our LDAP database. First we need a Samba account for root, because joining a client machine to the domain requires an administrator account ( an account with uid 0; Samba 3.0.11 and later can instead grant SeMachineAccountPrivilege to a non-root account with enable privileges = yes and net rpc rights grant, but this howto uses root ). Second, we need to store the LDAP admin password in the secrets.tdb file so that Samba can update the LDAP database:

# smbpasswd -a root
# smbpasswd -w secret
Setting stored password for "cn=Manager,dc=foobar,dc=tld" in secrets.tdb

Note: the password given to smbpasswd -w is what Samba uses to bind as ldap admin dn when it updates the LDAP database; it must be the same as the rootpw in slapd.conf ( the clear-text password, not its hash ).

Use the IDEALX scripts to add users, groups and so on to LDAP for use with Samba; -a creates the Samba attributes in addition to the POSIX ones, -m creates the home directory, and smbldap-passwd sets the Unix and the NT/LM password in one go:

# smbldap-useradd -a -m USERNAME
# smbldap-passwd USERNAME

In order to get the system to authenticate via LDAP and to use the POSIX accounts stored in LDAP for Samba, you need to configure the system to authenticate against LDAP for local and remote connections.

So use YaST to configure your system as LDAP client:

Image:Yastldap.png

Once you've got that covered, use your favorite ascii editor to edit the nsswitch.conf file in /etc and modify or add the following directives:

passwd: files ldap
group: files ldap

Now list the entries in the passwd database to see whether your system indeed sees both local and LDAP-stored accounts ( if you haven't added any account yet there should be at least two, Admin and nobody; I have included only those two, though the command outputs all accounts ):

# getent passwd
+::0:0:::
Admin:x:998:512:Netbios Domain Administrator:/home/Admin:/bin/false
nobody:x:999:514:nobody:/dev/null:/bin/false

If everything is set up as described above, one more file needs editing to complete the automation: append the pam_mkhomedir line to /etc/pam.d/common-session so that a home directory is created the first time an LDAP user logs in:

# echo "session required pam_mkhomedir.so skel=/etc/skel umask=0022" >> /etc/pam.d/common-session

Phew, now that all of this is configured you may move on with tutorial :D !!

Dynamic DNS Setup

Preconfiguration Steps

To be able to create our dynDNS infrastructure we need to do a few things before actually configuring both DHCP and DNS servers for dynamic updates. First we need to create a key that will be used for secure communication between DHCP and DNS server.

To create the key and file that hold the key declaration issue following command:

# cd /etc
# genDDNSkey

This creates, by default, a file named named.keys holding a TSIG key called DHCP_UPDATER. You can choose a different key name and file with ( read the help for other options ):

# genDDNSkey --key-file=/your/path --key-name MY_KEY_NAME

The file contains the shared secret, so keep it root-owned and not world-readable ( chmod 640 ). Once the key has been created, you need to tell both the DHCP and the DNS init scripts about this file: both daemons run in a chroot jail, and the sysconfig variables below make the init scripts copy the file into each jail at start time, which is what the include statements in dhcpd.conf and named.conf rely on.

Using your favorite ascii editor, edit dhcpd file in /etc/sysconfig directory and modify or add following directive:

DHCPD_CONF_INCLUDE_FILES="/etc/named.keys"

Using your favorite ascii editor, edit named file in /etc/sysconfig directory and modify or add following directive:

NAMED_CONF_INCLUDE_FILES="/etc/named.keys"

Now you can move on towards configuring your DHCP and DNS servers.

DHCP Setup

Using your favorite ascii editor, edit the dhcpd.conf file in /etc and modify or add these lines to it ( I recommend building dhcpd.conf from scratch ). The IP address scheme and values are arbitrary; set them to reflect your network:

# File with key we shall use to securely update zone files
###########################################################
include "/etc/named.keys";

# Our server is the authority for this network
###########################################################
server-identifier bar.foobar.tld;
authoritative;

# Zone specification: the names are the DNS zone names ( not the
# file names used in named.conf ), the key is the one from named.keys
###########################################################
zone foobar.tld. {
    primary 127.0.0.1;
    key DHCP_UPDATER;
}
zone 1.168.192.in-addr.arpa. {
    primary 127.0.0.1;
    key DHCP_UPDATER;
}

# Various options
###########################################################
default-lease-time 86400;
max-lease-time 172800;
option domain-name "foobar.tld";
option domain-name-servers 192.168.1.104;
ignore client-updates;
ddns-domainname "foobar.tld";
ddns-updates on;
ddns-update-style interim;

# Declaration of network properties ( range ... )
###########################################################
subnet 192.168.1.0 netmask 255.255.255.0 {
    range dynamic-bootp 192.168.1.10 192.168.1.254;
    option subnet-mask 255.255.255.0;
    option routers 192.168.1.1;
    one-lease-per-client on;
}

The configuration above leaves 192.168.1.1 through 192.168.1.9 for hard-wired IP addresses and hands out 192.168.1.10 through 192.168.1.254 dynamically. Note that the server's own address, 192.168.1.104, falls inside the dynamic range; dhcpd's ping check normally keeps it from being handed out, but it is cleaner to give the server an address outside the range or to exclude it.

Name Server Setup

Using your favorite ascii editor, edit the named.conf file in /etc and modify or add these lines to it ( I recommend building named.conf from scratch ). As in the DHCP example above, values and ranges are arbitrary; set them to the values you want.

# Include file with key
#################################################
include "/etc/named.keys";

# Access Control Lists
#################################################
acl mynet { 192.168.1.0/24; 127.0.0.1; };

# Various Options
#################################################
options {
        directory "/var/lib/named";
        allow-query { mynet; };
        forwarders { 83.139.64.3; };
};

# Misc zone declarations
#################################################
zone "localhost" in {
        type master;
        file "localhost.zone";
};

zone "0.0.127.in-addr.arpa" in {
        type master;
        file "127.0.0.zone";
};

zone "." in {
        type hint;
        file "root.hint";
};

# Forward foobar.tld zone declaration. Updates are accepted only when
# signed with the TSIG key; there is no secondary server in this setup,
# so zone transfers ( which hand out the complete host list ) are off.
#################################################
zone "foobar.tld" in {
        type master;
        file "dyn/foobar.forward";
        allow-update { key DHCP_UPDATER; };
        allow-query { mynet; };
        allow-transfer { none; };
};

# Reverse foobar.tld zone declaration
#################################################
zone "1.168.192.in-addr.arpa" in {
        type master;
        file "dyn/foobar.reverse";
        allow-update { key DHCP_UPDATER; };
        allow-query { mynet; };
        allow-transfer { none; };
};

Now once you have made named.conf file, you must setup/create actual zone files.

Using your favorite ascii editor, create the foobar.forward file in /var/lib/named/dyn and add these lines to it ( I recommend building foobar.forward from scratch ):

$TTL 5D
@               IN SOA  bar.foobar.tld. root.foobar.tld. (
                                        200524085  ; serial
                                        3H         ; refresh
                                        1H         ; retry
                                        1W         ; expire
                                        5D )       ; minimum
@ NS bar.foobar.tld.
bar A 192.168.1.104

Using your favorite ascii editor, create the foobar.reverse file in /var/lib/named/dyn and add these lines to it ( I recommend building foobar.reverse from scratch ):

$TTL 5D
@                      IN SOA  bar.foobar.tld. root.foobar.tld. (
                                200524086  ; serial
                                3H         ; refresh
                                1H         ; retry
                                1W         ; expire
                                5H )       ; minimum
@ NS bar.foobar.tld.
104 PTR bar.foobar.tld.

Both zone files for localhost are created by default so you need not recreate them, and root.hint is included by default as well. Since named must be able to rewrite dynamically updated zones and create their .jnl journal files, make sure the two files you just created belong to the named user:

# chown named:named /var/lib/named/dyn/foobar.forward /var/lib/named/dyn/foobar.reverse
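To see what genDDNSkey produces, and to prove that named accepts signed updates for the zones above before dhcpd enters the picture, here is an added example covering the key section and the zone setup; it is not part of this howto or of BIND. It assumes hmac-md5 ( the only algorithm dhcpd 3.0 speaks ), a /24 reverse zone such as 1.168.192.in-addr.arpa, nsupdate from the bind-utils package and openssl for the random secret; the host name pc1 and the address 192.168.1.50 in the usage line are made up.

```shell
#!/bin/sh
# Added example, not from the original howto or from BIND/ISC.
# The pieces of the dynamic DNS setup you can exercise by hand: the key
# file that named.conf and dhcpd.conf both include, and an nsupdate batch
# that does exactly what dhcpd does on a lease (signed A + PTR update).
# Assumptions: hmac-md5, a /24 reverse zone, nsupdate available.

# tsig_secret -> a fresh 256-bit base64 secret (hmac-md5 takes any length)
tsig_secret() {
    openssl rand -base64 32
}

# key_block NAME SECRET -> the "key" statement; named and dhcpd parse the
# same syntax, which is why one file can serve both daemons.
key_block() {
    printf 'key %s {\n\talgorithm hmac-md5;\n\tsecret "%s";\n};\n' "$1" "$2"
}

# write_key_file FILE NAME [SECRET] -> writes FILE with mode 0640 from the
# start, so there is no window in which the secret is world-readable.
# (The umask only governs a new file; an existing 0644 file keeps its mode.)
write_key_file() {
    file=$1; name=$2; secret=${3:-$(tsig_secret)}
    ( umask 027; key_block "$name" "$secret" > "$file" )
}

# key_file_ok FILE -> true if the file exists and "other" has no access bits
key_file_ok() {
    [ -f "$1" ] || return 1
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    [ $((mode % 10)) -eq 0 ]
}

# nsupdate_script KEYNAME SECRET ZONE HOST IP [TTL] -> an nsupdate batch
# that registers HOST the way dhcpd does: delete-then-add of the A record
# in ZONE and of the PTR in the /24 reverse zone, both TSIG-signed via the
# batch "key" command (no secret on the command line, unlike nsupdate -y).
nsupdate_script() {
    name=$1; secret=$2; zone=$3; host=$4; ip=$5; ttl=${6:-300}
    rev=$(printf '%s\n' "$ip" | awk -F. '{ print $4 "." $3 "." $2 "." $1 ".in-addr.arpa." }')
    revzone=${rev#*.}                       # strip the host octet -> /24 zone
    printf 'server 127.0.0.1\nkey %s %s\n' "$name" "$secret"
    printf 'zone %s.\nupdate delete %s.%s. A\nupdate add %s.%s. %s A %s\nsend\n' \
        "$zone" "$host" "$zone" "$host" "$zone" "$ttl" "$ip"
    printf 'zone %s\nupdate delete %s PTR\nupdate add %s %s PTR %s.%s.\nsend\n' \
        "$revzone" "$rev" "$rev" "$ttl" "$host" "$zone"
}

# Usage (as root, after rcnamed start):
#   sh ddns_test.sh /etc/named.keys DHCP_UPDATER foobar.tld pc1 192.168.1.50 | nsupdate
# The secret is read back from the key file written by write_key_file.
if [ $# -eq 5 ]; then
    secret=$(sed -n 's/^[[:space:]]*secret "\(.*\)";/\1/p' "$1")
    nsupdate_script "$2" "$secret" "$3" "$4" "$5"
fi
```

After piping the batch into nsupdate, host -t A pc1.foobar.tld 127.0.0.1 must answer and /var/lib/named/dyn/foobar.forward.jnl must appear; if nsupdate reports REFUSED, the key name or secret differs between named.keys and the copy inside the named jail, and that is also the first thing to check when dhcpd later logs "update failed".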


Content Checking

ClamAV

Setting up content checking in Samba needs a few manual steps. First copy the vscan-clamav.conf file from /usr/share/doc/packages/samba-vscan/ to /etc/samba:

# cp  /usr/share/doc/packages/samba-vscan/vscan-clamav.conf /etc/samba

Now create a directory named clamd in /var/run ( clamd creates its socket there ) and change its ownership to user and group vscan:

# mkdir /var/run/clamd
# chown vscan:vscan /var/run/clamd

We also need a directory that will be used as quarantine; give ownership to the vscan user:

# mkdir /var/lib/clamav/quarantine
# chown vscan /var/lib/clamav/quarantine 

Using your favorite ascii editor, edit the vscan-clamav.conf file you just copied to /etc/samba and modify or add these lines to it ( I recommend building vscan-clamav.conf from scratch ). The socket name must match the LocalSocket in clamd.conf below:

[samba-vscan]
max file size = 0
verbose file logging = yes
scan on open = yes
scan on close = yes
deny access on error = yes
deny access on minor error = yes
send warning message = yes
infected file action = quarantine
quarantine directory  = /var/lib/clamav/quarantine
quarantine prefix = vir-
max lru files entries = 100
lru file entry lifetime = 5
exclude file types =
clamd socket name = /var/run/clamd/clamd
libclamav max files in archive = 1000
libclamav max archived file size = 10 * 1048576
libclamav max recursion level = 5

Using your favorite ascii editor, create the clamd.conf file in /etc and modify or add these lines to it ( I recommend building clamd.conf from scratch ):

LogFile /var/log/clamd
LogFileUnlock
LogSyslog
LogFacility LOG_MAIL
LogVerbose
PidFile /var/lib/clamav/clamd.pid
DatabaseDirectory /var/lib/clamav
LocalSocket /var/run/clamd/clamd
FixStaleSocket
# Change User to root if roaming profiles live under $HOME; otherwise
# clients get "Access is denied" when a profile is scanned.
User vscan
Foreground
Debug
ScanRAR

Start all daemons:

# rcnamed start
# rcdhcpd start
# rcldap start
# rcsmb start
# rcnmb start
# rcclamd start

Make all daemons run by default on machine startup ( the LDAP server must be in the list too, otherwise Samba finds no accounts after a reboot ):

# chkconfig ldap on
# chkconfig named on
# chkconfig dhcpd on
# chkconfig smb on
# chkconfig nmb on
# chkconfig clamd on
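A mismatch between vscan-clamav.conf and clamd.conf does not fail loudly: smbd logs an error on every file open and, with deny access on error = yes, every file on every share becomes unreadable. Before pointing clients at the server, run this added check ( not part of the howto or of samba-vscan ): it reads both files, compares the socket paths, verifies that the socket directory created above belongs to the user clamd runs as, and warns when the quarantine directory is readable by other local users, who could otherwise fetch the infected files from it. Paths are taken from the files and the user from the User directive; the file names in the usage line are assumptions.

```shell
#!/bin/sh
# Added example, not from the original howto or from the samba-vscan
# or ClamAV projects. Cross-checks the two config files above against
# each other and against the filesystem. Assumes the "key = value" format
# of vscan-clamav.conf and the "Directive value" format of clamd.conf.

# conf_value FILE KEY -> value of "KEY = value" (vscan-clamav.conf style)
conf_value() {
    awk -F= -v k="$2" '
        /^[ \t]*#/ { next }
        { key = $1; sub(/^[ \t]+/, "", key); sub(/[ \t]+$/, "", key) }
        key == k {
            v = substr($0, index($0, "=") + 1)
            sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
            print v; exit
        }' "$1"
}

# clamd_value FILE DIRECTIVE -> value of "Directive value" (clamd.conf style)
clamd_value() {
    awk -v k="$2" '/^[ \t]*#/ { next } $1 == k { print $2; exit }' "$1"
}

# owner_mode PATH -> "owner mode", e.g. "vscan 700" (GNU stat, BSD fallback)
owner_mode() {
    stat -c '%U %a' "$1" 2>/dev/null || stat -f '%Su %Lp' "$1"
}

# check_vscan VSCAN_CONF CLAMD_CONF -> one line per finding; non-zero if any
check_vscan() {
    v=$1; c=$2; n=0
    # 1. smbd's VFS module and clamd must agree on the socket path.
    sock=$(conf_value "$v" "clamd socket name")
    lsock=$(clamd_value "$c" LocalSocket)
    [ "$sock" = "$lsock" ] || { echo "FAIL: vscan connects to '$sock' but clamd listens on '$lsock'"; n=$((n+1)); }
    # 2. clamd should drop privileges; the socket directory must then be
    #    owned by that user or the socket cannot be created.
    user=$(clamd_value "$c" User)
    [ -n "$user" ] || { echo "WARN: clamd runs as root (no User directive)"; n=$((n+1)); }
    sockdir=$(dirname "$lsock")
    if [ -d "$sockdir" ]; then
        set -- $(owner_mode "$sockdir")
        [ "$1" = "$user" ] || { echo "FAIL: $sockdir is owned by $1, not by clamd user $user"; n=$((n+1)); }
    else
        echo "FAIL: socket directory $sockdir does not exist"; n=$((n+1))
    fi
    # 3. Quarantined files are live malware; nobody but the owner should
    #    be able to read them back out.
    if [ "$(conf_value "$v" "infected file action")" = quarantine ]; then
        q=$(conf_value "$v" "quarantine directory")
        if [ -d "$q" ]; then
            set -- $(owner_mode "$q")
            [ $(($2 % 10)) -eq 0 ] || { echo "WARN: quarantine $q has mode $2; other users can read infected files"; n=$((n+1)); }
        else
            echo "FAIL: quarantine directory $q does not exist"; n=$((n+1))
        fi
    fi
    return $n
}

# Usage: sh check_vscan.sh /etc/samba/vscan-clamav.conf /etc/clamd.conf
[ $# -eq 2 ] && check_vscan "$1" "$2"
```

An exit status of 0 means the two files agree and the directories are usable; anything else should be fixed before rcsmb start, because the first symptom on the client side is otherwise a share that refuses every file.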

Client Setup

Setting up client to connect to domain is not that hard, assuming that all of your services work in sweet harmony ( let's come together right now, oh yeah in sweeeet harmony ).

Ok, let's commence our journey of joining a client workstation to the Samba domain. The machine account should be added to the domain automatically by the add machine script, but if it isn't you need to create the POSIX machine account by hand first ( the trailing $ is there for a reason: it marks the account as a machine account, and it must be quoted so that the shell does not try to expand it ):

# smbldap-useradd -w 'machine_name$'

Now on your windows workstation, right click My Computer and choose Properties, you should be presented with a panel like this:

Image:Network-properties.jpg

Now press Properties button and you will get a panel like this:

Image:Prop-add.jpg

Click on radio button of Domain and type in domain name foobar.tld, now press Ok button and you will be presented with a panel like this:

Image:Auth-prompt.jpg

Enter the user name Administrator and its password ( remember smbpasswd -a root: the smbusers map turns Administrator into root ). If you configured everything correctly you get a popup like this:

File:Welcome.jpg

Press Ok and reboot your workstation, once booted login to domain with user account you added with smbldap-useradd script.