[debian-lan-devel] samba support
Andreas B. Mundt
andi.mundt at web.de
Thu Apr 25 06:32:59 UTC 2013
Hi Julien!
On Wed, Apr 24, 2013 at 03:42:12PM +0200, Julien Lambot wrote:
> Hi list,
>
> I made some tests and got a working samba/ldap/kerberos configuration.
Hey, that sounds really, really great!
> Here are already some snippets for testing.
> Next week, I will work on getting them automated into debian-lan's fai.
> Please leave me some time for that :)
No problem, of course!
> Now I will look at
> - pam-synccr
> - syncing the autofs locally (and I'm a bit stuck with autofs for now).
> - getting an additional share in autofs ldap (I made some attempts but
> still cannot get the adequate ldap configuration for an additional share
> e.g.: /lan/mainserver/group0)
> - generating the ldap cn=config and the required ldifs for the whole stuff.
>
> Caveats:
> Parameters are surely not optimal yet. It's a first attempt.
> Currently the "domain" configuration is not complete (regarding groups,...)
> The goal was to provide network access to MS clients. I will further dig
> that point.
> I skipped the integration of smbldap-tools as they seem to be largely
> deprecated within wheezy. Thereby the populate part can be done directly
> with an ldif and the user management should be left to gosa.
>
> ----
>
> SERVER_A SIDE:
>
> aptitude install gosa-plugin-samba
>
> mkdir -v -m 1777 /srv/nfs4/home0/profiles
> mkdir -v -m 1777 /srv/nfs4/home0/netlogon
> mkdir -m 755 /srv/nfs4/home0/group
>
> smb.conf :
>
> [global]
> dos charset = CP932
> display charset = UTF-8
> workgroup = INTERN
> realm = INTERN
> server string = %h server
> security = ADS
> map to guest = Bad User
> obey pam restrictions = Yes
> passwd program = /usr/bin/passwd %u
> passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> unix password sync = Yes
> dedicated keytab file = /etc/krb5.keytab.cifs
> kerberos method = dedicated keytab
> syslog = 4
> log file = /var/log/samba/log.%m
> max log size = 1000
> name resolve order = wins lmhosts host bcast
> time server = Yes
> socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=65536 SO_RCVBUF=65536
> printcap name = cups
> logon drive = H:
> domain logons = Yes
> os level = 35
> preferred master = Yes
> domain master = Yes
> dns proxy = No
> wins support = Yes
> usershare allow guests = No
> panic action = /usr/share/samba/panic-action %d
> template shell = /bin/bash
> winbind enum users = Yes
> winbind enum groups = Yes
> idmap config * : backend = tdb
> admin users = admin, root
> map acl inherit = Yes
> use sendfile = Yes
> cups options = "raw"
> force printername = Yes
> case sensitive = No
> strict locking = No
> dos filetime resolution = Yes
> fake directory create times = Yes
>
> [homes]
> comment = Home Directories
> valid users = %S
> read only = No
> create mask = 0700
> directory mask = 0700
> browseable = No
>
> [netlogon]
> comment = Network Logon Service
> path = /srv/nfs4/home0/netlogon
> guest ok = Yes
>
> [profiles]
> comment = Users profiles
> path = /srv/nfs4/home0/profiles
> create mask = 0600
> directory mask = 0700
> browseable = No
>
> [printers]
> comment = All Printers
> path = /var/spool/samba
> printable = Yes
> print ok = Yes
> browseable = No
>
> [print$]
> comment = Printer Drivers
> path = /var/lib/samba/printers
>
> [group]
> comment = Internal Share
> path = /lan/mainserver/home0/group
> read only = No
> create mask = 0660
> directory mask = 0770
> browseable = No
>
> slapd.conf
>
> #access to attrs=userPassword
> # by anonymous auth
> # by self write
> # by * none
>
> access to attrs=userPassword,shadowLastChange,sambaLMPassword,sambaNTPassword,sambaPwdMustChange,sambaPwdLastSet
>     by anonymous auth
>     by self write
>     by * none
>
> # add indexes
> index sambaSID eq
> index sambaPrimaryGroupSID eq
> index sambaDomainName eq
>
>
> kerberos conf
> ## to add in /srv/fai/config/scripts/KDC_LDAP/10-slapd-KDC
>
> kadmin.local -q "addprinc -randkey cifs/mainserver.intern"
> kadmin.local -q "ktadd -k /etc/krb5.keytab.cifs cifs/mainserver.intern"
>
> /etc/security/limits.conf
> # append to avoid samba warnings.
> * soft nofile 16384
> * hard nofile 16384
>
>
>
> CLIENT_A SIDE:
>
> Packages added to browse samba shares from within thunar.
> gvfs gvfs-backends gvfs-bin gvfs-common gvfs-daemons gvfs-fuse gvfs-libs
> And for default samba connectivity:
> smbclient
>
> To test from command line
> log as user on workstationXX
> then
> kinit
> smbclient -k \\\\mainserver.intern\\$YOURUSER
>
>
> Now, I start testing a real MS client.
>
> Thanks for your comments and reports.
>
Great. I unfortunately have no time to test this week.
Keep up the good work!
Best regards,
Andi
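An added example, not code from this thread: a short Python audit that resolves each share's effective `read only` and `guest ok` against Samba's documented defaults, which is the thing that is easy to miss when a share only sets `create mask`, as the quoted [profiles] section appears to. The sample config is constructed and only loosely modelled on the smb.conf above, with a guest-writable share added to exercise the check.

```python
import re

TRUE = {"yes", "true", "1"}
def parse_smb_conf(text):
    """Return {section: {param: value}}; parameters before any header belong
    to [global]. Samba ignores case and whitespace in parameter names."""
    sections, current = {"global": {}}, "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            sections[current][re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections
def is_true(value):
    return value.strip().lower() in TRUE
def is_writable(share, sections):
    """'read only' (Samba default: yes) or its inverted synonyms
    'writable'/'writeable'; the share section wins over [global]."""
    for scope in (share, "global"):
        params = sections[scope]
        if "readonly" in params:
            return not is_true(params["readonly"])
        for syn in ("writable", "writeable"):
            if syn in params:
                return is_true(params[syn])
    return False
def audit(text):
    """Return (share, finding) pairs; 'guest ok' defaults to no."""
    sections, findings = parse_smb_conf(text), []
    for share, params in sections.items():
        if share == "global":
            continue
        writable = is_writable(share, sections)
        guest = params.get("guestok", sections["global"].get("guestok", "no"))
        if writable and is_true(guest):
            findings.append((share, "guest-writable share"))
        if not writable and "createmask" in params:
            findings.append((share, "create mask set but share is read only"))
    return findings
# Constructed sample modelled on the thread's config, plus a guest-writable share.
SAMPLE = ("[netlogon]\nguest ok = Yes\n"
          "[profiles]\ncreate mask = 0600\n"
          "[group]\nread only = No\nguest ok = yes\n")
```

Running `audit(open("/etc/samba/smb.conf").read())` on a real file gives the same kind of list; `testparm -s` output works as input too.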