#
# http://en.opensuse.org/Howto_setup_SUSE_as_SAMBA_PDC_with_OpenLDAP,_DYNDNS_and_CLAM
#
#
# 26-Jul-06 amo Extract of sample samba config
#
#

# Howto setup SUSE as SAMBA PDC with OpenLDAP, DYNDNS and CLAM

## Installing Samba Packages

First find out which packages of the Samba service are already installed. If the list differs from the one below, install the missing packages by hand or via YaST:

```
zendo:~ # rpm -qa | grep samba
samba-client-3.0.12-5
samba-doc-3.0.12-5
samba-3.0.12-5
samba-pdb-3.0.12-5
samba-winbind-3.0.12-5
yast2-samba-client-2.11.5-3
yast2-samba-server-2.11.14-3
samba-vscan-0.3.5-37
```

Use either YaST or the `rpm` command to install the missing packages that this setup needs.

The YaST way (no package version needed, just the package name, e.g. `samba-vscan`):

```
yast -i package-name
```

The RPM way (assuming you are in the same directory as the RPM packages):

```
rpm -Uvh package-name
```

Now check whether the other required packages are installed, and install them if not:

```
# rpm -qa | grep dhcp-server
# rpm -qa | grep bind
# rpm -qa | grep clamav
# rpm -qa | grep perl
```

Make sure the previous commands list the following packages:

```
dhcp-server-3.0.2-6
bind-9.3.1-3
clamav-db-0.85.1-1.1
clamav-0.85.1-1.1
perl-URI-1.35-3
perl-ldap-0.29-137
perl-Convert-ASN1-0.18-69
perl-Crypt-SmbHash-0.02-3
```

## Server Setup

### Samba Setup

Move your old `smb.conf` file to a safe place:

```
# cd /etc/samba/
# mv smb.conf smb.conf.OLD
```

Now, using your favourite ASCII editor, edit or create the `smb.conf` file in the `/etc/samba/` directory and modify or add the lines below. Note that for the `workgroup` statement, if `foobar.tld` is longer than 15 characters Samba will truncate it!
I recommend building the `smb.conf` file from scratch as defined below:

```
# Defining domain name, hostname
####################################################
[global]
workgroup = foobar.tld
netbios name = bar

# Specifying ldapsam backend database
####################################################
passdb backend = ldapsam:ldap://127.0.0.1
username map = /etc/samba/smbusers

# Specifying printing subsystem
####################################################
printcap name = cups
printing = cups

# Path to IDEALX scripts (we will get to that soon)
####################################################
add user script = /usr/local/sbin/smbldap-useradd -m %u
delete user script = /usr/local/sbin/smbldap-userdel %u
add group script = /usr/local/sbin/smbldap-groupadd -p %g
delete group script = /usr/local/sbin/smbldap-groupdel %g
add user to group script = /usr/local/sbin/smbldap-groupmod -m %g %u
delete user from group script = /usr/local/sbin/smbldap-groupmod -x %g %u
set primary group script = /usr/local/sbin/smbldap-usermod -g %g %u
add machine script = /usr/local/sbin/smbldap-useradd -w %u
# if you want machines to be added to the domain automatically, the add machine script is:
# add machine script = /usr/local/sbin/smbldap-useradd -w -i %u
# proved on SUSE 10.0
#
# Various other directives ( man smb.conf )
####################################################
obey pam restrictions = Yes
logon script = scripts\logon.bat
logon path = \\%L\Profiles\%U
logon drive = H:
logon home = \\%L\%U
domain logons = Yes
os level = 44
preferred master = Yes
domain master = Yes
dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
show add printer wizard = yes

# OpenLDAP stuff is defined here
###################################################
ldap suffix = dc=foobar,dc=tld
ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=Manager,dc=foobar,dc=tld
ldap ssl = no
ldap passwd sync = Yes
idmap uid = 15000-20000
idmap gid = 15000-20000

# Defining logging facility
####################################################
log level = 2
log file = /var/log/samba/%m.log

# Virus Scanning Definition
####################################################
vfs object = vscan-clamav
vscan-clamav: config-file = /etc/samba/vscan-clamav.conf

# Defining user home directories
####################################################
[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No

# Defining printers
####################################################
[printers]
comment = All Printers
path = /var/spool/samba
printer admin = @"Print Operators"
read only = Yes
guest ok = Yes
printable = Yes
browseable = No

# Defining printer driver share
####################################################
[print$]
path = /var/lib/samba/drivers/
guest ok = No
browseable = Yes
read only = Yes
valid users = @"Print Operators"
write list = @"Print Operators"
create mask = 0664
directory mask = 0775

# Defining network logon service
####################################################
[netlogon]
comment = NLService
path = /var/lib/samba/netlogon
guest ok = Yes
browseable = No

# Defining profile share ( for roaming profiles )
####################################################
[profiles]
comment = Roaming Profiles
path = /var/lib/samba/profiles
create mask = 0600
directory mask = 0700
browseable = No
guest ok = Yes
force user = %U
valid users = %U "Domain Admins"
read only = No
profile acls = Yes

# Defining arbitrary shared resource
####################################################
[share]
comment = data share
path = /opt/stuff
valid users = %U
```

Using your favourite ASCII editor, edit the `smbusers` file in the `/etc/samba/` directory and modify or add (unless already present by default) the following line:

```
root = Administrator
```

You may have been puzzled by the IDEALX script part of `smb.conf`, so here is an explanation: "IDEALX scripts are a collection of `user{add,del,mod}` and `group{add,del,mod}` system tools (scripts) to manipulate users and groups stored in an LDAP directory". Copy these scripts to their destination directory:

```
# cd /usr/share/doc/packages/samba/examples/LDAP/smbldap-tools-*/
# cp smbldap-* /usr/local/sbin
```

Now let's check our config for syntactical correctness; you should get output as shown below:

```
# testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[printers]"
Processing section "[netlogon]"
Processing section "[profiles]"
Processing section "[share]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions
```

Now give Samba permission to create roaming profile directories:

```
# chmod 1777 /var/lib/samba/profiles
```

Now start the Samba service(s):

```
# rcsmb start
# rcnmb start
```

And list the resources on your server:

```
# smbclient -L localhost -N
added interface ip=192.168.1.104 bcast=192.168.1.255 nmask=255.255.255.0
Anonymous login successful
Domain=[FOOBAR.TLD] OS=[Unix] Server=[Samba 3.0.12-5-SUSE]

        Sharename       Type      Comment
        ---------       ----      -------
        profiles        Disk      Roaming Profiles
        share           Disk      share
        IPC$            IPC       IPC Service (Samba 3.0.12-5-SUSE)
        ADMIN$          IPC       IPC Service (Samba 3.0.12-5-SUSE)
Anonymous login successful
Domain=[FOOBAR.TLD] OS=[Unix] Server=[Samba 3.0.12-5-SUSE]

        Server               Comment
        ---------            -------
        BAR                  Samba 3.0.12-5-SUSE

        Workgroup            Master
        ---------            -------
        FOOBAR.TLD           BAR
```

### OpenLDAP Setup

Using your favourite ASCII editor, edit the `slapd.conf` file in the `/etc/openldap/` directory and modify or add these lines to it (I recommend building `slapd.conf` from scratch):

```
# Defining schemas and schema file locations
################################################################
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba3.schema

pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args

# Defining our database and admin user + password
################################################################
database bdb
suffix "dc=foobar,dc=tld"
rootdn "cn=Manager,dc=foobar,dc=tld"
rootpw secret
directory /var/lib/ldap

# Indexing for faster queries ( bad indexes can slow things up )
#################################################################
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUid eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub

# Defining Access Control Lists for access to various parts of our
# database. We can live without ACLs as well, but some security should
# be in place.
# preventing users from viewing passwords, employee number ... etc
######################################################################
access to attr=userpassword,clearpassword,ldappassword
        by anonymous auth
        by self write
        by dn="cn=Manager,dc=foobar,dc=tld" write
        by * none

access to *
        by dn="cn=Manager,dc=foobar,dc=tld" write
        by users read
        by self write
        by * read
```

Once you have modified the file to look like the one above, make sure that you have the `samba3.schema` file inside the `/etc/openldap/schema/` directory (list the directory to check). If you don't have it, install the package named `samba-client`. The next step in our OpenLDAP backend configuration is to create the hierarchy of our OpenLDAP domain.
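The first rule above protects `userPassword`, but the Samba hash attributes `sambaLMPassword` and `sambaNTPassword` that `samba3.schema` adds to every account are not listed there, so they fall under the `access to *` rule, which ends in `by * read`. The following added example (not part of the original howto) is a small evaluator of slapd access rules that shows this, and also that `by self write` in the second rule is never reached because `by users read` precedes it; the hardened variant simply adds the hash attributes to the first rule. The DNs are the ones the populated tree below uses; assumed: nothing beyond slapd's first-match semantics.

```python
import re

# Privilege levels in the order slapd ranks them; each implies the ones before it
ACCESS_LEVELS = ("none", "auth", "compare", "search", "read", "write")
# Attributes that are password-equivalent for a Samba domain account
SECRET_ATTRS = ("userPassword", "sambaLMPassword", "sambaNTPassword")

_WHO = r'(?:dn(?:\.\w+)?="[^"]*"|anonymous|users|self|\*)'
_LEVEL = r"(?:none|auth|compare|search|read|write)"
_RULE = re.compile(r"access\s+to\s+(?P<what>\*|attrs?=\S+)"
                   r"(?P<by>(?:\s+by\s+" + _WHO + r"\s+" + _LEVEL + r")+)", re.IGNORECASE)
_BY = re.compile(r"by\s+(?P<who>" + _WHO + r")\s+(?P<level>" + _LEVEL + r")", re.IGNORECASE)

def parse_acl(text):
    """Return rules in file order as (attrs, [(who, level), ...]); attrs is None for
    'access to *'. Order matters on both levels because that is how slapd evaluates."""
    body = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    rules = []
    for m in _RULE.finditer(body):
        what = m.group("what")
        attrs = None if what == "*" else {a.lower() for a in what.split("=", 1)[1].split(",")}
        by = [(b.group("who").lower(), b.group("level").lower()) for b in _BY.finditer(m.group("by"))]
        rules.append((attrs, by))
    return rules

def who_matches(who, requester_dn, entry_dn):
    """requester_dn is None for an anonymous bind."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if requester_dn is None:
        return False
    if who == "users":
        return True
    if who == "self":
        return requester_dn.lower() == entry_dn.lower()
    if who.startswith("dn"):
        return who.split("=", 1)[1].strip('"') == requester_dn.lower()
    return False

def effective_access(rules, attr, requester_dn, entry_dn):
    """The first rule whose target covers attr is used; within it the first matching
    'by' clause decides; a rule that covers the target but matches no requester denies."""
    attr = attr.lower()
    for attrs, by in rules:
        if attrs is not None and attr not in attrs:
            continue
        for who, level in by:
            if who_matches(who, requester_dn, entry_dn):
                return level
        return "none"
    return "none"  # slapd denies when access rules exist and none covers the target

def exposed_secrets(acl_text, requester_dn, entry_dn):
    """Password-equivalent attributes of entry_dn the requester can read (or write)."""
    rules = parse_acl(acl_text)
    return [a for a in SECRET_ATTRS if ACCESS_LEVELS.index(
        effective_access(rules, a, requester_dn, entry_dn)) >= ACCESS_LEVELS.index("read")]

# Constructed input: the two access rules exactly as given in the slapd.conf above
PAGE_ACL = """
# preventing users from viewing passwords, employee number ... etc
access to attr=userpassword,clearpassword,ldappassword
        by anonymous auth
        by self write
        by dn="cn=Manager,dc=foobar,dc=tld" write
        by * none
access to *
        by dn="cn=Manager,dc=foobar,dc=tld" write
        by users read
        by self write
        by * read
"""

# Constructed variant: the Samba hash attributes are covered by the password rule
HARDENED_ACL = PAGE_ACL.replace("attr=userpassword,clearpassword,ldappassword",
                                "attrs=userPassword,clearPassword,ldapPassword,sambaLMPassword,sambaNTPassword")

if __name__ == "__main__":
    admin = "uid=Admin,ou=Users,dc=foobar,dc=tld"
    for label, acl in (("page ACL", PAGE_ACL), ("hardened ACL", HARDENED_ACL)):
        print(f"{label}: anonymous can read {exposed_secrets(acl, None, admin)}")
```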
We will use the IDEALX scripts to populate the LDAP tree. First create the `smbldap-tools` directory inside `/etc/` and copy `smbldap.conf` and `smbldap_bind.conf` from the `/usr/share/doc/packages/samba/examples/LDAP/smbldap-tools-0.8.7/` directory into it:

```
# mkdir /etc/smbldap-tools
# cd /usr/share/doc/packages/samba/examples/LDAP/smbldap-tools-0.8.7/
# cp smbldap_bind.conf /etc/smbldap-tools
# cp smbldap.conf /etc/smbldap-tools
# cp smbldap_tools.pm /usr/local/sbin
# chmod 644 /usr/local/sbin/smbldap_tools.pm
# cd /etc/smbldap-tools
# chmod 644 smbldap.conf
# chmod 600 smbldap_bind.conf
```

Using your favourite ASCII editor, edit the `smbldap.conf` file in the `/etc/smbldap-tools/` directory and modify or add these lines to it (I recommend building `smbldap.conf` from scratch):

```
# To obtain your own SID number issue the command: net getlocalsid
# and put it below
###############################################################
SID="S-1-5-21-2139989288-483860436-2398042574"

slaveLDAP="127.0.0.1"
slavePort="389"
masterLDAP="127.0.0.1"
masterPort="389"
ldapTLS="0"
verify="require"
cafile="/etc/smbldap-tools/ca.pem"
clientcert="/etc/smbldap-tools/smbldap-tools.pem"
clientkey="/etc/smbldap-tools/smbldap-tools.key"

suffix="dc=foobar,dc=tld"
usersdn="ou=Users,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=Idmap,${suffix}"
sambaUnixIdPooldn="sambaDomainName=foobar.tld,${suffix}"
scope="sub"
hash_encrypt="SSHA"
crypt_salt_format="%s"

userLoginShell="/bin/bash"
userHome="/home/%U"
userGecos="System User"
defaultUserGid="513"
defaultComputerGid="515"
skeletonDir="/etc/skel"
defaultMaxPasswordAge="99"

userSmbHome="\\BAR\homes\%U"
userProfile="\\BAR\profiles\%U"
userHomeDrive="H:"
userScript="%U.cmd"
mailDomain="foobar.tld"

with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"
```

Using your favourite ASCII editor, edit the `smbldap_tools.pm` file in the `/usr/local/sbin/` directory and modify or add these lines to it:

```
my $smbldap_conf="/etc/smbldap-tools/smbldap.conf";
my $smbldap_bind_conf="/etc/smbldap-tools/smbldap_bind.conf";
```

Again using your favourite ASCII editor, edit the `smbldap_bind.conf` file in the `/etc/smbldap-tools/` directory and modify or add these lines to it:

```
slaveDN="cn=Manager,dc=foobar,dc=tld"
slavePw="secret"
masterDN="cn=Manager,dc=foobar,dc=tld"
masterPw="secret"
```

And yet again using your favourite ASCII editor, edit the `smbldap-populate` file in the `/usr/local/sbin/` directory and modify or add the lines below. The default admin name is `Administrator`, but I have had problems joining workstations to the domain with that account, because in the Samba setup above we map `root` to `Administrator`, and you need a user with `uid=0` to join workstations to the domain. If you have a solution for using a user whose uid is not 0, feel free to contact me and I will modify the tutorial.

```
my $adminName = $Options{'a'};
if (!defined($adminName)) {
    $adminName = "Admin";
}
```

Once you have made the changes to `smbldap-populate`, run it from the `/usr/local/sbin/` directory, but start the LDAP server first (you should see output like this on the screen):

```
# rcldap start
# /usr/local/sbin/smbldap-populate
Using workgroup name from sambaUnixIdPooldn (smbldap.conf): sambaDomainName=foobar.tld
Using builtin directory structure
adding new entry: dc=foobar,dc=tld
adding new entry: ou=Users,dc=foobar,dc=tld
adding new entry: ou=Groups,dc=foobar,dc=tld
adding new entry: ou=Computers,dc=foobar,dc=tld
adding new entry: ou=Idmap,dc=foobar,dc=tld
adding new entry: sambaDomainName=foobar.tld,dc=foobar,dc=tld
adding new entry: uid=Admin,ou=Users,dc=foobar,dc=tld
adding new entry: uid=nobody,ou=Users,dc=foobar,dc=tld
adding new entry: cn=Domain Admins,ou=Groups,dc=foobar,dc=tld
adding new entry: cn=Domain Users,ou=Groups,dc=foobar,dc=tld
adding new entry: cn=Domain Guests,ou=Groups,dc=foobar,dc=tld
adding new entry: cn=Domain Computers,ou=Groups,dc=foobar,dc=tld
adding new entry: cn=Administrators,ou=Groups,dc=foobar,dc=tld
adding new entry: cn=Print Operators,ou=Groups,dc=foobar,dc=tld
adding new entry: cn=Backup Operators,ou=Groups,dc=foobar,dc=tld
```

Before we move on, dump the LDAP database to ensure that the entries have been made; you should get output like this:

```
# slapcat
dn: dc=foobar,dc=tld
objectClass: dcObject
objectClass: organization
o: foobar
dc: foobar
structuralObjectClass: organization
entryUUID: fc296908-e259-1027-9686-c73f68847b0c
creatorsName: cn=Manager,dc=foobar,dc=tld
createTimestamp: 20040124014007Z
entryCSN: 20040124014007Z#000001#00#000000
modifiersName: cn=Manager,dc=foobar,dc=tld
modifyTimestamp: 20040124014007Z

dn: ou=Users,dc=foobar,dc=tld
objectClass: organizationalUnit
ou: Users
structuralObjectClass: organizationalUnit
entryUUID: fc4bf504-e259-1027-9687-c73f68847b0c
creatorsName: cn=Manager,dc=foobar,dc=tld
createTimestamp: 20040124014007Z
entryCSN: 20040124014007Z#000002#00#000000
modifiersName: cn=Manager,dc=foobar,dc=tld
modifyTimestamp: 20040124014007Z

dn: ou=Groups,dc=foobar,dc=tld
objectClass: organizationalUnit
ou: Groups
structuralObjectClass: organizationalUnit
entryUUID: fc4e6cb2-e259-1027-9688-c73f68847b0c
creatorsName: cn=Manager,dc=foobar,dc=tld
createTimestamp: 20040124014007Z
entryCSN: 20040124014007Z#000003#00#000000
modifiersName: cn=Manager,dc=foobar,dc=tld
modifyTimestamp: 20040124014007Z

dn: ou=Computers,dc=foobar,dc=tld
objectClass: organizationalUnit
ou: Computers
structuralObjectClass: organizationalUnit
entryUUID: fc55504a-e259-1027-9689-c73f68847b0c
creatorsName: cn=Manager,dc=foobar,dc=tld
createTimestamp: 20040124014008Z
entryCSN: 20040124014008Z#000001#00#000000
modifiersName: cn=Manager,dc=foobar,dc=tld
modifyTimestamp: 20040124014008Z

dn: ou=Idmap,dc=foobar,dc=tld
objectClass: organizationalUnit
ou: Idmap
structuralObjectClass: organizationalUnit
entryUUID: fc58a128-e259-1027-968a-c73f68847b0c
creatorsName: cn=Manager,dc=foobar,dc=tld
createTimestamp: 20040124014008Z
entryCSN: 20040124014008Z#000002#00#000000
modifiersName: cn=Manager,dc=foobar,dc=tld
modifyTimestamp: 20040124014008Z

dn: sambaDomainName=foobar.tld,dc=foobar,dc=tld
objectClass: sambaDomain
objectClass: sambaUnixIdP
ool
sambaDomainName: foobar.tld
sambaSID: S-1-5-21-2139989288-483860436-2398042574
uidNumber: 1000
gidNumber: 1000
structuralObjectClass: sambaDomain
entryUUID: fc5fcfac-e259-1027-968b-c73f68847b0c
creatorsName: cn=Manager,dc=foobar,dc=tld
createTimestamp: 20040124014008Z
entryCSN: 20040124014008Z#000003#00#000000
modifiersName: cn=Manager,dc=foobar,dc=tld
modifyTimestamp: 20040124014008Z

dn: uid=Admin,ou=Users,dc=foobar,dc=tld
cn: Admin
sn: Admin
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: shadowAccount
gidNumber: 512
uid: Admin
uidNumber: 998
homeDirectory: /home/Admin
sambaPwdLastSet: 0
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
sambaHomePath: \\bar\homes\Admin
sambaHomeDrive: H:
sambaProfilePath: \\bar\profiles\Admin\
sambaPrimaryGroupSID: S-1-5-21-2139989288-483860436-2398042574-512
sambaLMPassword: XXX
sambaNTPassword: XXX
sambaAcctFlags: [U          ]
sambaSID: S-1-5-21-2139989288-483860436-2398042574-2996
loginShell: /bin/false
gecos: Netbios Domain Administrator
structuralObjectClass: inetOrgPerson
entryUUID: fc9199a6-e259-1027-968c-c73f68847b0c
creatorsName: cn=Manager,dc=foobar,dc=tld
createTimestamp: 20040124014008Z
entryCSN: 20040124014008Z#000004#00#000000
modifiersName: cn=Manager,dc=foobar,dc=tld
modifyTimestamp: 20040124014008Z

dn: uid=nobody,ou=Users,dc=foobar,dc=tld
cn: nobody
sn: nobody
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: shadowAccount
gidNumber: 514
uid: nobody
uidNumber: 999
homeDirectory: /dev/null
sambaPwdLastSet: 0
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
sambaHomePath: \\bar\homes\nobody
sambaHomeDrive: H:
sambaProfilePath: \\bar\profiles\nobody
sambaPrimaryGroupSID: S-1-5-21-2139989288-483860436-2398042574-514
sambaLMPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
sambaNTPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
sambaAcctFlags: [NU         ]
sambaSID: S-1-5-21-2139989288-483860436-2398042574-2998
loginShell: /bin/false
structuralObjectClass: inetOrgPerson
entryUUID: fcbe3362-e259-1027-968d-c73f68847b0c
creatorsName: cn=Manager,dc=foobar,dc=tld
createTimestamp: 20040124014008Z
entryCSN: 20040124014008Z#000005#00#000000
modifiersName: cn=Manager,dc=foobar,dc=tld
modifyTimestamp: 20040124014008Z

dn: cn=Domain Admins,ou=Groups,dc=foobar,dc=tld
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
cn: Domain Admins
memberUid: Admin
description: Netbios Domain Administrators
sambaSID: S-1-5-21-2139989288-483860436-2398042574-512
sambaGroupType: 2
displayName: Domain Admins
structuralObjectClass: posixGroup
entryUUID: fcc7222e-e259-1027-968e-c73f68847b0c
creatorsName: cn=Manager,dc=foobar,dc=tld
createTimestamp: 20040124014008Z
entryCSN: 20040124014008Z#000006#00#000000
modifiersName: cn=Manager,dc=foobar,dc=tld
modifyTimestamp: 20040124014008Z

dn: cn=Domain Users,ou=Groups,dc=foobar,dc=tld
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 513
cn: Domain Users
description: Netbios Domain Users
sambaSID: S-1-5-21-2139989288-483860436-2398042574-513
sambaGroupType: 2
displayName: Domain Users
structuralObjectClass: posixGroup
entryUUID: fceb2534-e259-1027-968f-c73f68847b0c
creatorsName: cn=Manager,dc=foobar,dc=tld
createTimestamp: 20040124014008Z
entryCSN: 20040124014008Z#000007#00#000000
modifiersName: cn=Manager,dc=foobar,dc=tld
modifyTimestamp: 20040124014008Z

dn: cn=Domain Guests,ou=Groups,dc=foobar,dc=tld
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 514
cn: Domain Guests
description: Netbios Domain Guests Users
sambaSID: S-1-5-21-2139989288-483860436-2398042574-514
sambaGroupType: 2
displayName: Domain Guests
structuralObjectClass: posixGroup
entryUUID: fcf449fc-e259-1027-9690-c73f68847b0c
creatorsName: cn=Manager,dc=foobar,dc=tld
createTimestamp: 20040124014009Z
entryCSN: 20040124014009Z#000001#00#000000
modifiersName: cn=Manager,dc=foobar,dc=tld
modifyTimestamp: 20040124014009Z

dn: cn=Domain Computers,ou=Groups,dc=foobar,dc=tld
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 515
cn: Domain Computers
description: Netbios Domain Computers accounts
sambaSID: S-1-5-21-2139989288-483860436-2398042574-515
sambaGroupType: 2
displayName: Domain Computers
structuralObjectClass: posixGroup
entryUUID: fcfe6612-e259-1027-9691-c73f68847b0c
creatorsName: cn=Manager,dc=foobar,dc=tld
createTimestamp: 20040124014009Z
entryCSN: 20040124014009Z#000002#00#000000
modifiersName: cn=Manager,dc=foobar,dc=tld
modifyTimestamp: 20040124014009Z

dn: cn=Administrators,ou=Groups,dc=foobar,dc=tld
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 544
cn: Administrators
description: Netbios Domain Members can fully administer the computer/sambaDomainName
sambaSID: S-1-5-32-544
sambaGroupType: 5
displayName: Administrators
structuralObjectClass: posixGroup
entryUUID: fd077900-e259-1027-9692-c73f68847b0c
creatorsName: cn=Manager,dc=foobar,dc=tld
createTimestamp: 20040124014009Z
entryCSN: 20040124014009Z#000003#00#000000
modifiersName: cn=Manager,dc=foobar,dc=tld
modifyTimestamp: 20040124014009Z

dn: cn=Print Operators,ou=Groups,dc=foobar,dc=tld
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 550
cn: Print Operators
description: Netbios Domain Print Operators
sambaSID: S-1-5-32-550
sambaGroupType: 5
displayName: Print Operators
structuralObjectClass: posixGroup
entryUUID: fd1062c2-e259-1027-9693-c73f68847b0c
creatorsName: cn=Manager,dc=foobar,dc=tld
createTimestamp: 20040124014009Z
entryCSN: 20040124014009Z#000004#00#000000
modifiersName: cn=Manager,dc=foobar,dc=tld
modifyTimestamp: 20040124014009Z

dn: cn=Backup Operators,ou=Groups,dc=foobar,dc=tld
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 551
cn: Backup Operators
description: Netbios Domain Members can bypass file security to back up files
sambaSID: S-1-5-32-551
sambaGroupType: 5
displayName: Backup Operators
structuralObjectClass: posixGroup
entryUUID: fd181b16-e259-1027-9694-c73f68847b0c
creatorsName: cn=Manager,dc=foobar,dc=tld
createTimestamp: 20040124014009Z
entryCSN: 20040124014009Z#000005#00#000000
modifiersName: cn=Manager,dc=foobar,dc=tld
modifyTimestamp: 20040124014009Z

dn: cn=Replicators,ou=Groups,dc=foobar,dc=tld
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 552
cn: Replicators
description: Netbios Domain Supports file replication in a sambaDomainName
sambaSID: S-1-5-32-552
sambaGroupType: 5
displayName: Replicators
structuralObjectClass: posixGroup
entryUUID: fd211446-e259-1027-9695-c73f68847b0c
creatorsName: cn=Manager,dc=foobar,dc=tld
createTimestamp: 20040124014009Z
entryCSN: 20040124014009Z#000006#00#000000
modifiersName: cn=Manager,dc=foobar,dc=tld
modifyTimestamp: 20040124014009Z
```

Now (re)start all daemons:

```
# rcldap start
# rcsmb start
# rcnmb start
```

Let's add a few accounts to our LDAP database. First we need to add the `root` account for Samba, because adding a client machine to the domain requires the `administrator` account (the account with uid 0); second, we need to store the LDAP password in the `secrets.tdb` file so that Samba can update the LDAP database:

```
# smbpasswd -a root
# smbpasswd -w secret
Setting stored password for "cn=Manager,dc=foobar,dc=tld" in secrets.tdb
```

Note: the password given to `smbpasswd -w secret` is what Samba will use to update the LDAP database; make it the same as the one defined in the `slapd.conf` file under the `rootpw` directive.

Use the IDEALX scripts to add user, group, etc. accounts to LDAP, which will be used with Samba:

```
# smbldap-useradd -a USERNAME
```

In order for the system to authenticate via LDAP and to use the POSIX accounts stored in LDAP for Samba, you need to configure your system to authenticate via LDAP for local and remote connections. Use YaST to configure your system as an LDAP client:

(screenshot: Yastldap.png)

Once that is done, use your favourite ASCII editor to edit the `nsswitch.conf` file in the `/etc/` directory and modify or add the following directives:

```
passwd: files ldap
group: files ldap
```

Now list the entries in the administrative database to see whether your system indeed sees both the local and the LDAP-stored accounts (if you have not added any account yet there should be at least two, `Admin` and `nobody`; I have included only those two even though the command outputs all accounts):

```
# getent passwd
+::0:0:::
Admin:x:998:512:Netbios Domain Administrator:/home/Admin:/bin/false
nobody:x:999:514:nobody:/dev/null:/bin/false
```

If everything is set up as described above, a couple more files need editing to ensure complete automation. First create a `scripts` directory inside `/etc/samba/`, then make PAM create home directories on first login:

```
# echo session required pam_mkhomedir.so skel=/etc/skel umask=0022 >>/etc/pam.d/common-session
```

Phew, now that all of this is configured you may move on with the tutorial :D !!

## Dynamic DNS Setup

### Preconfiguration Steps

To be able to create our dynDNS infrastructure we need to do a few things before actually configuring both the DHCP and DNS servers for dynamic updates. First we need to create a key that will be used for secure communication between the DHCP and DNS server.
To create the key and the file that holds the key declaration, issue the following commands:

```
# cd /etc
# genDDNSkey
```

By default this creates a file named `named.keys` with the key `DHCP_UPDATER`; of course you can choose a different key and file name (for other options read the help pages):

```
# genDDNSkey --key-file=/your/path --key-name MY_KEY_NAME
```

Once the key has been created, you need to tell both the DHCP and DNS daemons to use this file, since they both run in a chroot jail. Using your favourite ASCII editor, edit the `dhcpd` file in the `/etc/sysconfig/` directory and modify or add the following directive:

```
DHCPD_CONF_INCLUDE_FILES="/etc/named.keys"
```

Using your favourite ASCII editor, edit the `named` file in the `/etc/sysconfig/` directory and modify or add the following directive:

```
NAMED_CONF_INCLUDE_FILES="/etc/named.keys"
```

Now you can move on to configuring your DHCP and DNS servers.

### DHCP Setup

Using your favourite ASCII editor, edit the `dhcpd.conf` file in the `/etc/` directory and modify or add these lines to it (I recommend building `dhcpd.conf` from scratch). The IP address scheme and values are arbitrary; set them to reflect your own network:

```
# File with key we shall use to securely update zone files
###########################################################
include "/etc/named.keys";

# Our server is authority
#########################################################
server-identifier bar.foobar.tld;
authoritative;

# Zone specification
###########################################
zone foobar.forward {
    primary 192.168.1.104;
    key DHCP_UPDATER;
}
zone foobar.reverse {
    primary 192.168.1.104;
    key DHCP_UPDATER;
}

# Various options
########################################
default-lease-time 86400;
max-lease-time 172800;
option domain-name "foobar.tld";
option domain-name-servers 192.168.1.104;
ignore client-updates;
ddns-domainname "foobar.tld";
ddns-updates on;
ddns-update-style interim;

# Declaration of network properties ( range ... )
#################################################
subnet 192.168.1.0 netmask 255.255.255.0 {
    range dynamic-bootp 192.168.1.10 192.168.1.254;
    zone foobar.tld {
        primary 127.0.0.1;
        key DHCP_UPDATER;
    }
    zone 1.168.192.in-addr.arpa. {
        primary 127.0.0.1;
        key DHCP_UPDATER;
    }
    option subnet-mask 255.255.255.0;
    option routers 192.168.1.1;
    one-lease-per-client on;
}
```

The configuration above leaves the range 1 - 10 reserved for hard-wired IP addresses, and the range allotted for dynamic assignment is set to 10 - 254.

### Name Server Setup

Using your favourite ASCII editor, edit the `named.conf` file in the `/etc/` directory and modify or add these lines to it (I recommend building `named.conf` from scratch). As in the DHCP example above, the values and ranges are arbitrary; set them to the values you desire.

```
# Include file with key
#################################################
include "/etc/named.keys";

# Access Control Lists
#################################################
acl mynet {
    192.168.1.0/24;
    127.0.0.1;
};

# Various Options
#################################################
options {
    directory "/var/lib/named";
    allow-query { mynet; };
    forwarders { 83.139.64.3; };
};

# Misc zone declarations
#################################################
zone "localhost" in {
    type master;
    file "localhost.zone";
};

zone "0.0.127.in-addr.arpa" in {
    type master;
    file "127.0.0.zone";
};

zone "." in {
    type hint;
    file "root.hint";
};

# Forward foobar.tld zone declaration
#################################################
zone "foobar.tld" {
    type master;
    file "dyn/foobar.forward";
    allow-update { key DHCP_UPDATER; };
    allow-query { mynet; };
    allow-transfer { mynet; };
};

# Reverse foobar.tld zone declaration
#################################################
zone "1.168.192.in-addr.arpa" {
    type master;
    file "dyn/foobar.reverse";
    allow-update { key DHCP_UPDATER; };
    allow-query { mynet; };
    allow-transfer { mynet; };
};
```

Now that you have made the `named.conf` file, you must create the actual zone files. Using your favourite ASCII editor, create the `foobar.forward` file in the `/var/lib/named/dyn/` directory and add these lines to it (I recommend building `foobar.forward` from scratch):

```
$TTL 5D
@       IN SOA  bar.foobar.tld. root.foobar.tld. (
                200524085       ; serial
                3H              ; refresh
                1H              ; retry
                1W              ; expire
                5D )            ; minimum

@       NS      bar.foobar.tld.
bar     A       192.168.1.104
```

Using your favourite ASCII editor, create the `foobar.reverse` file in the `/var/lib/named/dyn/` directory and add these lines to it (I recommend building `foobar.reverse` from scratch):

```
$TTL 5D
@       IN SOA  bar.foobar.tld. root.foobar.tld. (
                200524086       ; serial
                3H              ; refresh
                1H              ; retry
                1W              ; expire
                5H )            ; minimum

@       NS      bar.foobar.tld.
104     PTR     bar.foobar.tld.
```

Both zone files for `localhost` are created by default, so you need not recreate them; `root.hint` is included by default as well.

## Content Checking

### ClamAV

Setting up content checking in Samba is a bit screwy and requires some modifications.
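Before the ClamAV steps, one added check for the Dynamic DNS configuration above (example code, not part of the original howto): a minimal parser for the brace-and-semicolon syntax that `named.conf` and `dhcpd.conf` share, used to confirm that every `allow-update` names a TSIG key rather than an address, that `DHCP_UPDATER` is defined on both sides, and that every zone `dhcpd` will try to update is a dynamic master in `named.conf`. Run against the two configs as given, it reports the two global `zone foobar.forward` / `zone foobar.reverse` statements, which name zone files rather than DNS zones and so never match an update; the key secret in the constructed input is a labelled placeholder.

```python
import re

# A token is a quoted string, one of the three structural characters, or a bare word
_TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')

def tokenize(text):
    """Strip '#' and '//' line comments (both daemons accept them), then tokenize."""
    text = "\n".join(re.split(r"#|//", line, maxsplit=1)[0] for line in text.splitlines())
    return [t.strip('"') for t in _TOKEN.findall(text)]

def parse_block(tokens, pos=0):
    """Parse statements up to the closing '}' or the end of input. A statement is a
    list of words; a nested '{ ... }' becomes a list in last position and ends the
    statement, so the ';' named.conf writes after '}' and dhcpd.conf omits is optional."""
    stmts, cur = [], []
    while pos < len(tokens):
        tok = tokens[pos]
        if tok == "{":
            body, pos = parse_block(tokens, pos + 1)
            stmts.append(cur + [body])
            cur = []
            continue
        pos += 1
        if tok == "}":
            break
        if tok == ";":
            if cur:
                stmts.append(cur)
            cur = []
        else:
            cur.append(tok)
    if cur:
        stmts.append(cur)
    return stmts, pos

def parse_config(text):
    return parse_block(tokenize(text))[0]

def zones(stmts):
    """Map zone name -> zone body, descending into blocks such as dhcpd's subnet { ... }."""
    found = {}
    for stmt in stmts:
        if stmt[0] == "zone" and isinstance(stmt[-1], list):
            name = stmt[1].lower()
            found[name if name == "." else name.rstrip(".")] = stmt[-1]
        elif isinstance(stmt[-1], list):
            found.update(zones(stmt[-1]))
    return found

def defined_keys(stmts):
    """Names declared as 'key NAME { algorithm ...; secret ...; };'."""
    return {stmt[1] for stmt in stmts if stmt[0] == "key" and isinstance(stmt[-1], list)}

def check_ddns(named_conf, dhcpd_conf):
    """Return problems; empty means every dynamic zone accepts updates only under a TSIG
    key both daemons define, and every zone dhcpd updates is a dynamic master in named."""
    named, dhcpd = parse_config(named_conf), parse_config(dhcpd_conf)
    named_keys, dhcpd_keys = defined_keys(named), defined_keys(dhcpd)
    problems, dynamic = [], set()
    for name, body in zones(named).items():
        for stmt in body:
            if stmt[0] != "allow-update":
                continue
            dynamic.add(name)
            for entry in stmt[-1]:
                if entry[0] != "key":  # an address, acl name or 'any': unsigned updates accepted
                    problems.append(f"named zone {name}: allow-update entry '{' '.join(entry)}' is not a TSIG key")
                elif entry[1] not in named_keys:
                    problems.append(f"named zone {name}: allow-update key {entry[1]} is not defined")
    for name, body in zones(dhcpd).items():
        if name not in dynamic:
            problems.append(f"dhcpd zone {name}: named.conf has no dynamic zone of that name")
        for stmt in body:
            if stmt[0] == "key" and not (stmt[1] in named_keys and stmt[1] in dhcpd_keys):
                problems.append(f"dhcpd zone {name}: key {stmt[1]} must be defined on both sides")
    return problems

# Constructed inputs mirroring the two configs above. The 'include "/etc/named.keys";'
# line is replaced by an inline key block with a placeholder secret so this runs offline.
KEY_BLOCK = 'key DHCP_UPDATER { algorithm hmac-md5; secret "PLACEHOLDER-NOT-A-REAL-SECRET=="; };\n'
SAMPLE_NAMED = KEY_BLOCK + """
acl mynet { 192.168.1.0/24; 127.0.0.1; };
options { directory "/var/lib/named"; allow-query { mynet; }; };
zone "." in { type hint; file "root.hint"; };
zone "foobar.tld" { type master; file "dyn/foobar.forward";
    allow-update { key DHCP_UPDATER; }; allow-query { mynet; }; allow-transfer { mynet; }; };
zone "1.168.192.in-addr.arpa" { type master; file "dyn/foobar.reverse";
    allow-update { key DHCP_UPDATER; }; allow-query { mynet; }; };
"""
SAMPLE_DHCPD = KEY_BLOCK + """
server-identifier bar.foobar.tld;
authoritative;
zone foobar.forward { primary 192.168.1.104; key DHCP_UPDATER; }
zone foobar.reverse { primary 192.168.1.104; key DHCP_UPDATER; }
ddns-domainname "foobar.tld"; ddns-updates on; ddns-update-style interim;
subnet 192.168.1.0 netmask 255.255.255.0 {
    range dynamic-bootp 192.168.1.10 192.168.1.254;
    zone foobar.tld { primary 127.0.0.1; key DHCP_UPDATER; }
    zone 1.168.192.in-addr.arpa. { primary 127.0.0.1; key DHCP_UPDATER; }
    option routers 192.168.1.1;
}
"""
```

`check_ddns(SAMPLE_NAMED, SAMPLE_DHCPD)` returns one line per finding; the real files can be passed in after their `include` line is expanded with the contents of `/etc/named.keys`.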
So first copy the `vscan-clamav.conf` file from the `/usr/share/doc/packages/samba-vscan/` directory to the `/etc/samba/` directory:

```
# cp /usr/share/doc/packages/samba-vscan/vscan-clamav.conf /etc/samba
```

Now create a directory named `clamd` in the `/var/run/` directory and change its ownership to user and group `vscan`:

```
# mkdir /var/run/clamd
# chown vscan:vscan /var/run/clamd
```

We also need to create the directory that will be used as quarantine and give ownership to the `vscan` user:

```
# mkdir /var/lib/clamav/quarantine
# chown vscan /var/lib/clamav/quarantine
```

Using your favourite ASCII editor, edit the `vscan-clamav.conf` file in the `/etc/samba/` directory and modify or add these lines to it (I recommend building `vscan-clamav.conf` from scratch):

```
[samba-vscan]
max file size = 0
verbose file logging = yes
scan on open = yes
scan on close = yes
deny access on error = yes
deny access on minor error = yes
send warning message = yes
infected file action = quarantine
quarantine directory = /var/lib/clamav/quarantine
quarantine prefix = vir-
max lru files entries = 100
lru file entry lifetime = 5
exclude file types =
clamd socket name = /var/run/clamd/clamd
libclamav max files in archive = 1000
libclamav max archived file size = 10 * 1048576
libclamav max recursion level = 5
```

Using your favourite ASCII editor, create the `clamd.conf` file in the `/etc/` directory and modify or add these lines to it (I recommend building `clamd.conf` from scratch):

```
LogFile /var/log/clamd
LogFileUnlock
LogSyslog
LogFacility LOG_MAIL
LogVerbose
PidFile /var/lib/clamav/clamd.pid
DatabaseDirectory /var/lib/clamav
LocalSocket /var/run/clamd/clamd
FixStaleSocket
User vscan
Foreground
Debug
ScanRAR
```

Start all daemons:

```
# rcnamed start
# rcdhcpd start
# rcldap start
# rcsmb start
# rcnmb start
# rcclamd start
```

Make all daemons run by default on machine startup:

```
# chkconfig named on
# chkconfig dhcpd on
# chkconfig ldap on
# chkconfig smb on
# chkconfig nmb on
# chkconfig clamd on
```

## Client Setup

Setting up a client to connect to the domain is not that hard, assuming that all of your services work in sweet harmony (let's come together right now, oh yeah in sweeeet harmony). OK, let's commence our journey of joining a client workstation to the Samba domain. The machine account should be added to the domain automatically by default, but if it is not, you will need to add a POSIX machine account for it first (note that the `$` is there for a reason: it specifies that the account is a machine account):

```
# smbldap-useradd -w machine_name$
```

Now on your Windows workstation, right-click *My Computer* and choose *Properties*; you should be presented with a panel like this:

(screenshot: Network-properties.jpg)

Now press the *Properties* button and you will get a panel like this:

(screenshot: Prop-add.jpg)

Click the *Domain* radio button and type in the domain name `foobar.tld`, then press *OK* and you will be presented with a panel like this:

(screenshot: Auth-prompt.jpg)

Enter the username *Administrator* and its password (remember `smbpasswd -a root`). If you configured everything well you should get a popup like this:

(screenshot: Welcome.jpg)

Press *OK* and reboot your workstation. Once booted, log in to the domain with the user account you added with the `smbldap-useradd` script.

Retrieved from "http://en.opensuse.org/Howto_setup_SUSE_as_SAMBA_PDC_with_OpenLDAP%2C_DYNDNS_and_CLAM"

This page was last modified 11:39, 4 July 2006.

#
#
# End of file