[debian-lan-devel] samba support

Julien Lambot jlambot at gmail.com
Wed Apr 24 13:42:12 UTC 2013


Hi list,

I made some tests and got a working samba/ldap/kerberos configuration.

Here are already some snippets for testing.
Next week, I will work on getting them automated into debian-lan's fai.
Please leave me some time for that :)

Now I will look at
- pam-synccr
- syncing the autofs locally (and I'm a bit stuck with autofs for now).
- getting an additional share in autofs ldap (I made some attempts but
still cannot get the adequate ldap configuration for an additional share
e.g.: /lan/mainserver/group0)
- generating the ldap cn=config and the required ldifs for the whole stuff.

Caveats:
Parameters are surely not optimal yet. It's a first attempt.
Currently the "domain" configuration is not complete (regarding groups,...)
The goal was to provide network access to MS clients. I will further dig
that point.
I skipped the integration of smbldap-tools as they seem to be largely
deprecated within wheezy. Thereby the populate part can be done directly
with an ldif and the user management should be left to gosa.

----

SERVER_A SIDE:

aptitude install gosa-plugin-samba

mkdir -v -m 1777 /srv/nfs4/home0/profiles
mkdir -v -m 1777 /srv/nfs4/home0/netlogon
mkdir -m 755 /srv/nfs4/home0/group

smb.conf :

        dos charset = CP932
        display charset = UTF-8
        workgroup = INTERN
        realm = INTERN
        server string = %h server
        security = ADS
        map to guest = Bad User
        obey pam restrictions = Yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
        unix password sync = Yes
        dedicated keytab file = /etc/krb5.keytab.cifs
        kerberos method = dedicated keytab
        syslog = 4
        log file = /var/log/samba/log.%m
        max log size = 1000
        name resolve order = wins lmhosts host bcast
        time server = Yes
        socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=65536 SO_RCVBUF=65536
        printcap name = cups
        logon drive = H:
        domain logons = Yes
        os level = 35
        preferred master = Yes
        domain master = Yes
        dns proxy = No
        wins support = Yes
        usershare allow guests = No
        panic action = /usr/share/samba/panic-action %d
        template shell = /bin/bash
        winbind enum users = Yes
        winbind enum groups = Yes
        idmap config * : backend = tdb
        admin users = admin, root
        map acl inherit = Yes
        use sendfile = Yes
        cups options = "raw"
        force printername = Yes
        case sensitive = No
        strict locking = No
        dos filetime resolution = Yes
        fake directory create times = Yes

[homes]
        comment = Home Directories
        valid users = %S
        read only = No
        create mask = 0700
        directory mask = 0700
        browseable = No

[netlogon]
        comment = Network Logon Service
        path = /srv/nfs4/home0/netlogon
        guest ok = Yes

[profiles]
        comment = Users profiles
        path = /srv/nfs4/home0/profiles
        create mask = 0600
        directory mask = 0700
        browseable = No

[printers]
        comment = All Printers
        path = /var/spool/samba
        printable = Yes
        print ok = Yes
        browseable = No

[print$]
        comment = Printer Drivers
        path = /var/lib/samba/printers

[group]
        comment = Internal Share
        path = /lan/mainserver/home0/group
        read only = No
        create mask = 0660
        directory mask = 0770
        browseable = No

slapd.conf

#access to attrs=userPassword
#       by anonymous auth
#       by self write
#       by * none

access to attrs=userPassword,shadowLastChange,sambaLMPassword,sambaNTPassword,sambaPwdMustChange,sambaPwdLastSet
       by anonymous auth
       by self write
       by * none

# add indexes
index  sambaSID               eq
index  sambaPrimaryGroupSID   eq
index  sambaDomainName        eq


kerberos conf
## to add in /srv/fai/config/scripts/KDC_LDAP/10-slapd-KDC

kadmin.local -q "addprinc -randkey cifs/mainserver.intern"
kadmin.local -q "ktadd -k /etc/krb5.keytab.cifs cifs/mainserver.intern"

/etc/security/limits.conf
# append to avoid samba warnings.
*               soft    nofile          16384
*               hard    nofile          16384



CLIENT_A SIDE:

Packages added to browse samba shares from within thunar.
gvfs gvfs-backends gvfs-bin gvfs-common gvfs-daemons gvfs-fuse gvfs-libs
And for default samba connectivity:
smbclient

To test from command line
log as user on workstationXX
then
kinit
smbclient -k \\\\mainserver.intern\\$YOURUSER


Now, I start testing a real MS client.

Thanks for your comments and reports.

Julien
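As an added example (not part of Julien's mail or of debian-lan), a small Python check that parses an smb.conf excerpt like the one above and lists the settings a reviewer would want to look at before exposing the server to MS clients: the guest mapping, the admin users list, guest-accessible shares, and writable shares that carry no valid users restriction. The excerpt is a constructed sample trimmed from the posted config.

```python
import re

# Constructed excerpt of the smb.conf from the mail (sample input, not the full file).
SAMPLE_SMB_CONF = """
        workgroup = INTERN
        security = ADS
        map to guest = Bad User
        admin users = admin, root
        dedicated keytab file = /etc/krb5.keytab.cifs

[homes]
        valid users = %S
        read only = No
        create mask = 0700

[netlogon]
        path = /srv/nfs4/home0/netlogon
        guest ok = Yes

[group]
        path = /lan/mainserver/home0/group
        read only = No
        create mask = 0660
"""

def parse_smb_conf(text):
    """Return {section: {param: value}}; parameters before the first [section] are global."""
    conf, section = {"global": {}}, "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1).lower()
            conf.setdefault(section, {})
            continue
        key, _, value = line.partition("=")
        conf[section][key.strip().lower()] = value.strip()
    return conf

def audit_smb_conf(conf):
    """Return (section, finding) tuples for settings that widen access."""
    findings, g = [], conf["global"]
    if g.get("map to guest", "Never").lower() != "never":
        findings.append(("global", "map to guest = %s: unknown users are served as guest" % g["map to guest"]))
    if g.get("admin users"):
        findings.append(("global", "admin users act as root on every share: " + g["admin users"]))
    for name, p in conf.items():
        if p.get("guest ok", "No").lower() == "yes":
            findings.append((name, "guest ok = Yes allows unauthenticated access"))
        if p.get("read only", "Yes").lower() == "no" and "valid users" not in p:
            findings.append((name, "writable share without a valid users restriction"))
    return findings
```

The netlogon share is guest-readable by design (clients fetch logon scripts before authenticating), so that finding documents a decision rather than a mistake; the [group] one is worth fixing with a valid users or group-based line.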