[debian-lan-devel] samba support
Julien Lambot
jlambot at gmail.com
Sat Apr 27 20:43:10 UTC 2013
Hi Andreas,
I now have a working debian-lan/gosa/samba setup.
Do you have guidelines for the integration with FAI within debian-lan?
What do you expect as files or scripts in order to fit the framework?
I will do my best to provide the necessary components.
Now, go on testing eduroaming/educlient :)
On Thu, Apr 25, 2013 at 8:32 AM, Andreas B. Mundt <andi.mundt at web.de> wrote:
> Hi Julien!
>
> On Wed, Apr 24, 2013 at 03:42:12PM +0200, Julien Lambot wrote:
> > Hi list,
> >
> > I made some tests and got a working samba/ldap/kerberos configuration.
>
> Hey, that sounds really, really great!
>
> > Here are already some snippets for testing.
> > Next week, I will work on getting them automated into debian-lan's fai.
> > Please leave me some time for that :)
>
> No problem, of course!
>
> > Now I will look at
> > - pam-synccr
> > - syncing the autofs locally (and I'm a bit stuck with autofs for now).
> > - getting an additional share in autofs ldap (I made some attempts but
> > still cannot get the adequate ldap configuration for an additional share
> > e.g.: /lan/mainserver/group0)
> > - generating the ldap cn=config and the required ldifs for the whole stuff.
> >
> > Caveats:
> > Parameters are surely not optimal yet. It's a first attempt.
> > Currently the "domain" configuration is not complete (regarding groups, ...).
> > The goal was to provide network access to MS clients. I will further dig
> > into that point.
> > I skipped the integration of smbldap-tools as they seem to be largely
> > deprecated within wheezy. Thereby the populate part can be done directly
> > with an ldif, and the user management should be left to gosa.
> >
> > ----
> >
> > SERVER_A SIDE:
> >
> > aptitude install gosa-plugin-samba
> >
> > mkdir -v -m 1777 /srv/nfs4/home0/profiles
> > mkdir -v -m 1777 /srv/nfs4/home0/netlogon
> > mkdir -m 755 /srv/nfs4/home0/group
> >
> > smb.conf:
> >
> > [global]
> > dos charset = CP932
> > display charset = UTF-8
> > workgroup = INTERN
> > realm = INTERN
> > server string = %h server
> > security = ADS
> > map to guest = Bad User
> > obey pam restrictions = Yes
> > passwd program = /usr/bin/passwd %u
> > passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> > unix password sync = Yes
> > dedicated keytab file = /etc/krb5.keytab.cifs
> > kerberos method = dedicated keytab
> > syslog = 4
> > log file = /var/log/samba/log.%m
> > max log size = 1000
> > name resolve order = wins lmhosts host bcast
> > time server = Yes
> > socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=65536 SO_RCVBUF=65536
> > printcap name = cups
> > logon drive = H:
> > domain logons = Yes
> > os level = 35
> > preferred master = Yes
> > domain master = Yes
> > dns proxy = No
> > wins support = Yes
> > usershare allow guests = No
> > panic action = /usr/share/samba/panic-action %d
> > template shell = /bin/bash
> > winbind enum users = Yes
> > winbind enum groups = Yes
> > idmap config * : backend = tdb
> > admin users = admin, root
> > map acl inherit = Yes
> > use sendfile = Yes
> > cups options = "raw"
> > force printername = Yes
> > case sensitive = No
> > strict locking = No
> > dos filetime resolution = Yes
> > fake directory create times = Yes
> >
> > [homes]
> > comment = Home Directories
> > valid users = %S
> > read only = No
> > create mask = 0700
> > directory mask = 0700
> > browseable = No
> >
> > [netlogon]
> > comment = Network Logon Service
> > path = /srv/nfs4/home0/netlogon
> > guest ok = Yes
> >
> > [profiles]
> > comment = Users profiles
> > path = /srv/nfs4/home0/profiles
> > create mask = 0600
> > directory mask = 0700
> > browseable = No
> >
> > [printers]
> > comment = All Printers
> > path = /var/spool/samba
> > printable = Yes
> > print ok = Yes
> > browseable = No
> >
> > [print$]
> > comment = Printer Drivers
> > path = /var/lib/samba/printers
> >
> > [group]
> > comment = Internal Share
> > path = /lan/mainserver/home0/group
> > read only = No
> > create mask = 0660
> > directory mask = 0770
> > browseable = No
> >
> > slapd.conf:
> >
> > #access to attrs=userPassword
> > # by anonymous auth
> > # by self write
> > # by * none
> >
> > access to attrs=userPassword,shadowLastChange,sambaLMPassword,sambaNTPassword,sambaPwdMustChange,sambaPwdLastSet
> > by anonymous auth
> > by self write
> > by * none
> >
> > # add indexes
> > index sambaSID eq
> > index sambaPrimaryGroupSID eq
> > index sambaDomainName eq
> >
> >
> > kerberos conf
> > ## to add in /srv/fai/config/scripts/KDC_LDAP/10-slapd-KDC
> >
> > kadmin.local -q "addprinc -randkey cifs/mainserver.intern"
> > kadmin.local -q "ktadd -k /etc/krb5.keytab.cifs cifs/mainserver.intern"
> >
> > /etc/security/limits.conf
> > # append to avoid samba warnings.
> > * soft nofile 16384
> > * hard nofile 16384
> >
> >
> >
> > CLIENT_A SIDE:
> >
> > Packages added to browse samba shares from within thunar.
> > gvfs gvfs-backends gvfs-bin gvfs-common gvfs-daemons gvfs-fuse gvfs-libs
> > And for default samba connectivity:
> > smbclient
> >
> > To test from the command line, log in as a user on workstationXX,
> > then:
> > kinit
> > smbclient -k \\\\mainserver.intern\\$YOURUSER
> >
> >
> > Now, I start testing a real MS client.
> >
> > Thanks for your comments and reports.
> >
>
> Great. I have unfortunately no time to test this week.
> Keep up the good work!
>
> Best regards,
>
> Andi
>
> _______________________________________________
> debian-lan-devel mailing list
> debian-lan-devel at lists.alioth.debian.org
> http://lists.alioth.debian.org/mailman/listinfo/debian-lan-devel
>
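Editor's added example (not code from the debian-lan project or from the thread authors): before dropping the smb.conf above into FAI, it is worth running a static check for the settings an attacker cares about: anonymous shares (guest ok), unknown logons mapped to guest (map to guest), share masks that grant world write, a writable netlogon share (clients execute what they find there), users listed in admin users, and conflicting role parameters (security = ads is Samba's domain-member mode, domain logons = yes is the PDC setting). The checker below parses an smb.conf the way Samba reads it (parameters before the first section header are global; names are case- and whitespace-insensitive) and reports findings for an excerpt of the posted configuration. The rule set and the message wording are assumptions of this example, not Samba's own diagnostics; treat the output as a review aid alongside testparm, not a replacement for it.

```python
import re
from collections import OrderedDict

# Excerpt of the smb.conf posted in the thread (printer shares left out).
POSTED_SMB_CONF = """
workgroup = INTERN
realm = INTERN
security = ADS
map to guest = Bad User
domain logons = Yes
domain master = Yes
admin users = admin, root
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=65536 SO_RCVBUF=65536

[homes]
valid users = %S
read only = No
create mask = 0700
directory mask = 0700

[netlogon]
path = /srv/nfs4/home0/netlogon
guest ok = Yes

[profiles]
path = /srv/nfs4/home0/profiles
create mask = 0600
directory mask = 0700

[group]
path = /lan/mainserver/home0/group
read only = No
create mask = 0660
directory mask = 0770
"""


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {param: value}}.

    Parameters before the first [section] header land in [global], which is
    how Samba reads them.  Parameter names are lower-cased and whitespace
    collapsed because Samba ignores case and spacing in names.  Only the
    first '=' splits name and value, so 'SO_SNDBUF=65536' survives intact.
    """
    conf = OrderedDict([("global", OrderedDict())])
    section = "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            section = header.group(1).strip().lower()
            conf.setdefault(section, OrderedDict())
            continue
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[section][" ".join(key.lower().split())] = value.strip()
    return conf


def is_yes(value):
    """Samba boolean: yes/true/1 (case-insensitive) are true."""
    return value.strip().lower() in ("yes", "true", "1")


def share_writable(share):
    """'read only', 'writeable', 'writable' and 'write ok' are one setting
    seen from two sides; the default is read only.  (If a share sets several
    of them, Samba takes the last one; this example checks them in order.)"""
    for synonym in ("writeable", "writable", "write ok"):
        if synonym in share:
            return is_yes(share[synonym])
    return not is_yes(share.get("read only", "yes"))


def check_smb_conf(conf):
    """Return a list of (section, message) findings for risky settings."""
    findings = []
    g = conf.get("global", {})
    if g.get("security", "user").lower() == "ads" and is_yes(g.get("domain logons", "no")):
        findings.append(("global", "role conflict: security = ads (domain member) with domain logons = yes (PDC)"))
    if g.get("map to guest", "never").lower() != "never":
        findings.append(("global", "map to guest = %s: failed logons may fall back to the guest account" % g["map to guest"]))
    if "admin users" in g:
        findings.append(("global", "admin users = %s: these users act as root on every share" % g["admin users"]))
    for name, share in conf.items():
        if name == "global":
            continue
        if is_yes(share.get("guest ok", g.get("guest ok", "no"))):
            findings.append((name, "guest ok = yes: share accessible without authentication"))
        for param in ("create mask", "directory mask"):
            mask = share.get(param)
            if mask is not None and mask.isdigit() and int(mask, 8) & 0o002:
                findings.append((name, "%s = %s grants world write" % (param, mask)))
        if name == "netlogon" and share_writable(share):
            findings.append((name, "netlogon is writable: clients execute logon scripts from this share"))
    return findings


if __name__ == "__main__":
    for section, message in check_smb_conf(parse_smb_conf(POSTED_SMB_CONF)):
        print("[%s] %s" % (section, message))
```

Run against the posted excerpt it reports four findings: the ads/domain logons role conflict, map to guest = Bad User, the admin users list, and guest access on [netlogon]. The share masks pass (none grant world write) and [netlogon] is read only as posted; note that the checker sees only smb.conf, so the 1777 mode given to the netlogon directory with mkdir, which lets any NFS client drop files into it, has to be reviewed separately.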