[debian-lan-devel] samba support

Julien Lambot jlambot at gmail.com
Sat Apr 27 20:43:10 UTC 2013


Hi Andreas

I have now a working debian-lan/gosa/samba setup.
Do you have guidelines for the integration with FAI within debian-lan?
What do you expect as files or scripts in order to fit the framework?
I will do my best to provide the necessary components.

Now, go on testing eduroaming/educlient :)


On Thu, Apr 25, 2013 at 8:32 AM, Andreas B. Mundt <andi.mundt at web.de> wrote:

> Hi Julien!
>
> On Wed, Apr 24, 2013 at 03:42:12PM +0200, Julien Lambot wrote:
> > Hi list,
> >
> > I made some tests and got a working samba/ldap/kerberos configuration.
>
> Hey, that sounds really, really great!
>
> > Here are already some snippets for testing.
> > Next week, I will work on getting them automated into debian-lan's fai.
> > Please leave me some time for that :)
>
> No problem of course!
>
> > Now I will look at
> > - pam-synccr
> > - syncing the autofs locally (and I'm a bit stuck with autofs for now).
> > - getting an additional share in autofs ldap (I made some attempts but
> > still cannot get the adequate ldap configuration for an additional share
> > e.g.: /lan/mainserver/group0)
> > - generating the ldap cn=config and the required ldifs for the whole stuff.
> >
> > Caveats:
> > Parameters are surely not optimal yet. It's a first attempt.
> > Currently the "domain" configuration is not complete (regarding groups,...)
> > The goal was to provide network access to MS clients. I will further dig
> > that point.
> > I skipped the integration of smbldap-tools as they seem to be a lot
> > deprecated within wheezy. Thereby the populate part can be done directly
> > with an ldif and the user management should be left to gosa.
> >
> > ----
> >
> > SERVER_A SIDE:
> >
> > aptitude install gosa-plugin-samba
> >
> > mkdir -v -m 1777 /srv/nfs4/home0/profiles
> > mkdir -v -m 1777 /srv/nfs4/home0/netlogon
> > mkdir -m 755 /srv/nfs4/home0/group
> >
> > smb.conf :
> >
> >         dos charset = CP932
> >         display charset = UTF-8
> >         workgroup = INTERN
> >         realm = INTERN
> >         server string = %h server
> >         security = ADS
> >         map to guest = Bad User
> >         obey pam restrictions = Yes
> >         passwd program = /usr/bin/passwd %u
> >         passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> >         unix password sync = Yes
> >         dedicated keytab file = /etc/krb5.keytab.cifs
> >         kerberos method = dedicated keytab
> >         syslog = 4
> >         log file = /var/log/samba/log.%m
> >         max log size = 1000
> >         name resolve order = wins lmhosts host bcast
> >         time server = Yes
> >         socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=65536 SO_RCVBUF=65536
> >         printcap name = cups
> >         logon drive = H:
> >         domain logons = Yes
> >         os level = 35
> >         preferred master = Yes
> >         domain master = Yes
> >         dns proxy = No
> >         wins support = Yes
> >         usershare allow guests = No
> >         panic action = /usr/share/samba/panic-action %d
> >         template shell = /bin/bash
> >         winbind enum users = Yes
> >         winbind enum groups = Yes
> >         idmap config * : backend = tdb
> >         admin users = admin, root
> >         map acl inherit = Yes
> >         use sendfile = Yes
> >         cups options = "raw"
> >         force printername = Yes
> >         case sensitive = No
> >         strict locking = No
> >         dos filetime resolution = Yes
> >         fake directory create times = Yes
> >
> > [homes]
> >         comment = Home Directories
> >         valid users = %S
> >         read only = No
> >         create mask = 0700
> >         directory mask = 0700
> >         browseable = No
> >
> > [netlogon]
> >         comment = Network Logon Service
> >         path = /srv/nfs4/home0/netlogon
> >         guest ok = Yes
> >
> > [profiles]
> >         comment = Users profiles
> >         path = /srv/nfs4/home0/profiles
> >         create mask = 0600
> >         directory mask = 0700
> >         browseable = No
> >
> > [printers]
> >         comment = All Printers
> >         path = /var/spool/samba
> >         printable = Yes
> >         print ok = Yes
> >         browseable = No
> >
> > [print$]
> >         comment = Printer Drivers
> >         path = /var/lib/samba/printers
> >
> > [group]
> >         comment = Internal Share
> >         path = /lan/mainserver/home0/group
> >         read only = No
> >         create mask = 0660
> >         directory mask = 0770
> >         browseable = No
> >
> > slapd.conf
> >
> > #access to attrs=userPassword
> > #       by anonymous auth
> > #       by self write
> > #       by * none
> >
> > access to attrs=userPassword,shadowLastChange,sambaLMPassword,sambaNTPassword,sambaPwdMustChange,sambaPwdLastSet
> >        by anonymous auth
> >        by self write
> >        by * none
> >
> > # add indexes
> > index  sambaSID               eq
> > index  sambaPrimaryGroupSID   eq
> > index  sambaDomainName        eq
> >
> >
> > kerberos conf
> > ## to add in /srv/fai/config/scripts/KDC_LDAP/10-slapd-KDC
> >
> > kadmin.local -q "addprinc -randkey cifs/mainserver.intern"
> > kadmin.local -q "ktadd -k /etc/krb5.keytab.cifs cifs/mainserver.intern"
> >
> > /etc/security/limits.conf
> > # append to avoid samba warnings.
> > *               soft    nofile          16384
> > *               hard    nofile          16384
> >
> >
> >
> > CLIENT_A SIDE:
> >
> > Packages added to browse samba shares from within thunar.
> > gvfs gvfs-backends gvfs-bin gvfs-common gvfs-daemons gvfs-fuse gvfs-libs
> > And for default samba connectivity:
> > smbclient
> >
> > To test from command line
> > log as user on workstationXX
> > then
> > kinit
> > smbclient -k \\\\mainserver.intern\\$YOURUSER
> >
> >
> > Now, I start testing a real MS client.
> >
> > Thanks for your comments and reports.
> >
>
> Great.  I have unfortunately no time to test this week.
> Keep up the good work!
>
> Best regards,
>
>      Andi
>

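As an added example (not from the thread or the debian-lan project), a small Python lint over the kind of smb.conf posted above: it parses the sections and flags the settings a reviewer would want to confirm, such as guest-accessible shares, world-writable masks, guest mapping of unknown users and the "admin users" list. The rule set and the trimmed sample config are my own; the defaults assumed (read only = yes, guest ok = no) are Samba's documented ones.

```python
import re

# Constructed excerpt of the smb.conf quoted in the thread, not a full config.
SAMPLE_SMB_CONF = """\
map to guest = Bad User
admin users = admin, root
[netlogon]
        guest ok = Yes
[group]
        read only = No
        create mask = 0660
        directory mask = 0770
"""

def parse_smb_conf(text):
    """Return {section: {key: value}}; keys before any [section] go to global."""
    sections, current = {"global": {}}, "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank or comment line
        m = re.match(r"\[(.+)\]$", line)
        if m:                             # new share / section header
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
        elif "=" in line:                 # lower-case and collapse key spacing
            key, value = line.split("=", 1)
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections

def truthy(value):
    return value.strip().lower() in ("yes", "true", "1")

def audit(sections):
    """Return (section, finding) pairs for settings a reviewer should confirm."""
    findings, g = [], sections["global"]
    if g.get("map to guest", "never").lower() != "never":
        findings.append(("global", "unknown users are mapped to the guest account"))
    if "admin users" in g:
        findings.append(("global", "admin users act as root on every share"))
    for name, share in sections.items():
        if name == "global":
            continue
        writable = not truthy(share.get("read only", "yes")) or truthy(share.get("writeable", "no"))
        if truthy(share.get("guest ok", "no")):
            findings.append((name, "guest access" + (", writable" if writable else ", read-only")))
        for key in ("create mask", "directory mask"):
            if key in share and int(share[key], 8) & 0o002:
                findings.append((name, f"{key} {share[key]} allows world write"))
    return findings
```

Run `audit(parse_smb_conf(open("/etc/samba/smb.conf").read()))` against a real file to get the same findings for a deployed server; `testparm -s` output works as input too, since it prints the same key = value layout.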
