HOWTO

SAMBA + OpenLDAP

Step-by-Step Guide to Configure a GNU/Linux System as a SAMBA PDC with OpenLDAP backend



  Introduction
  About Author
  1. Software
  2. Installing Necessary Software
  3. Server Setup
  4. Dynamic DNS Setup
  5. Content Checking
  6. Client Setup



Intro

This is a step-by-step guide on how to configure a GNU/Linux system with Samba, OpenLDAP, DHCP, DNS and ClamAV. Even though this setup is concentrated on the SUSE 9.3 platform, with minor tweaks you should get it working on any GNU/Linux distribution.

This document is released under a Creative Commons licence.


About Author

Written by Daniel "drade" Radetic from boobah_dot_info.
Words of praise, critique, suggestion .. etc are welcome at address

Special thanks to Michael 'buk' Scherer for pointing out numerous errors in the first version of this tutorial ( which caused a revision and rewrite of it ).


1: Overview of the Software I used to create this setup

Distribution: SUSE 9.3 Professional

SUSE LINUX Professional 9.3, features an easy-to-install Linux operating system. SUSE 9.3 uses the latest versions of open source networking features like Samba, Apache, DNS and DHCP to power robust home networks that include Web hosting, centralized printing and media workstations. With special features to speed everything from server setup and configuration to software updating, SUSE LINUX Professional contains the most comprehensive set of tools ever included in a retail Linux package. SUSE LINUX Professional comes complete with the latest versions of Apache, DNS, DHCP, Samba, NFS, SLP and NIS.

Backend Database: OpenLDAP 2.2.23-6

OpenLDAP Software is an open source implementation of the Lightweight Directory Access Protocol.

Name Resolution: Named(BIND) 9.3.1-3

BIND (Berkeley Internet Name Domain, previously: Berkeley Internet Name Daemon) is the most commonly used DNS server on the Internet, especially on Unix-like systems, where it is a de facto standard. BIND 9 was written from scratch in part to address the architectural difficulties with auditing the earlier BIND code bases, and also to support DNSSEC (DNS Security Extensions). Other important features of BIND 9 include: TSIG, DNS notify, nsupdate, IPv6, rndc flush, views, multiprocessor support, and an improved portability architecture.

TCP/IP Settings Automation: DHCP-Server 3.0.2-6

DHCPD is the daemon used by Linux to dynamically configure TCP/IP information for client systems.

Anti Virus Software: Samba Vscan 0.3.5-37

Samba Vscan is a proof-of-concept module for Samba, which uses the VFS (virtual file system) features of Samba 2.2.x/3.0 to provide an on-access Samba anti-virus. Of course, Samba has to be compiled with VFS support.



2: Installing Necessary Software

Assuming you have a working installation of SUSE 9.3 Professional, you will need to install a few packages to make this tutorial work for you.

Installing Samba Package

First you need to find out which packages of the Samba service have been installed; if the list of packages differs from the one below, install the individual packages by hand or via YaST:

zendo:~ # rpm -qa | grep samba
samba-client-3.0.12-5
samba-doc-3.0.12-5
samba-3.0.12-5
samba-pdb-3.0.12-5
samba-winbind-3.0.12-5
yast2-samba-client-2.11.5-3
yast2-samba-server-2.11.14-3
samba-vscan-0.3.5-37

So use either the 'yast' or the 'rpm' command to install the missing packages that are needed for this setup:

The YaST way ( you don't need the package version, just the package name, e.g. samba-vscan ):

yast -i package-name

The RPM way ( assuming you are in same directory as RPM packages ):

rpm -Uvh package-name

Now check whether the other packages are installed, and install them if not:

rpm -qa | grep dhcp-server
rpm -qa | grep bind
rpm -qa | grep clamav
rpm -qa | grep perl

Make sure the previous commands list the following packages:

dhcp-server-3.0.2-6
bind-9.3.1-3
clamav-db-0.85.1-1.1
clamav-0.85.1-1.1
perl-URI-1.35-3
perl-ldap-0.29-137
perl-Convert-ASN1-0.18-69
perl-Crypt-SmbHash-0.02-3


Server Setup

Samba Setup

Move your old smb.conf file to a safe place:

# cd /etc/samba/
# mv smb.conf smb.conf.OLD

Now using your favorite text editor, edit/create the 'smb.conf' file in the /etc/samba directory and modify or add these lines to it ( I recommend you build smb.conf from scratch as defined below ):

# Defining domain name, hostname
####################################################
[global]
workgroup = foobar.tld
netbios name = bar

# Specifying ldapsam backend database
####################################################
passdb backend = ldapsam:ldap://127.0.0.1
username map = /etc/samba/smbusers

# Specifying printing subsystem     
####################################################
printcap name = cups
printing = cups

# Path to IDEALX scripts (we will get to that soon)
####################################################
add user script = /usr/local/sbin/smbldap-useradd -m %u
delete user script = /usr/local/sbin/smbldap-userdel %u
add group script = /usr/local/sbin/smbldap-groupadd -p %g
delete group script = /usr/local/sbin/smbldap-groupdel %g
# smbldap-groupmod takes the member first and the group name last
add user to group script = /usr/local/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/local/sbin/smbldap-groupmod -x '%u' '%g'
set primary group script = /usr/local/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/local/sbin/smbldap-useradd -w '%u'

# Various other directives ( man smb.conf )
####################################################
logon script = scripts\logon.bat
logon path = \\%L\Profiles\%U
logon drive = H:
logon home = \\%L\%U
domain logons = Yes
os level = 44
preferred master = Yes
domain master = Yes
dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
show add printer wizard = yes

# OpenLDAP stuff is defined here
###################################################
ldap suffix = dc=foobar,dc=tld
ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=Manager,dc=foobar,dc=tld
ldap ssl = no
ldap passwd sync = Yes
idmap uid = 15000-20000
idmap gid = 15000-20000

# Defining logging facility
####################################################
log level = 2
log file = /var/log/samba/%m.log

# Virus Scanning Definition
####################################################
vfs object = vscan-clamav
vscan-clamav: config-file = /etc/samba/vscan-clamav.conf

# Defining user home directories
####################################################
[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No
root preexec = /etc/samba/scripts/create_home.sh "/home/%u" "%u" "%g"

# Defining printers
####################################################
[printers]
comment = All Printers
path = /var/spool/samba
printer admin = @"Print Operators" 
read only  = Yes
guest ok = Yes
printable = Yes
browseable = No

# Defining printer driver share
####################################################
[print$]
path = /var/lib/samba/drivers/
guest ok = No
browseable = Yes
read only = Yes
valid users = @"Print Operators"
write list = @"Print Operators"
create mask = 0664
directory mask = 0775

# Defining network logon service             
####################################################
[netlogon]
comment = NLService
path = /var/lib/samba/netlogon
guest ok = Yes
browseable = No

# Defining profile share ( for roaming profiles )
####################################################
[profiles]
comment = Roaming Profiles
path = /var/lib/samba/profiles
create mask = 0600
directory mask = 0700
browseable = No
guest ok = Yes
force user = %U
valid users = %U @"Domain Admins"
read only = No
profile acls = Yes

# Defining arbitrary shared resource
####################################################
[share]
comment = data share
path = /opt/stuff
valid users = %U

Using your favorite text editor, edit the 'smbusers' file in the /etc/samba directory and modify or add ( unless added by default ) the following line:

root = Administrator

You may have been confused by the IDEALX script part in smb.conf, so here comes an explanation: "IDEALX scripts are a collection of user{add,del,mod} and group{add,del,mod} system tools ( scripts ) to manipulate users and groups stored in an LDAP directory".

So copy these scripts to appropriate destination directory:

# cd /usr/share/doc/packages/samba/examples/LDAP/smbldap-tools-0.8.7/
# cp smbldap-* /usr/local/sbin

Now let's check our config for syntactical correctness; you should get output like the one shown below:

# testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[printers]"
Processing section "[netlogon]"
Processing section "[profiles]"
Processing section "[share]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions

Now start Samba service(s):

# rcsmb start
# rcnmb start

And list resources on your server:

# smbclient -L localhost -N
added interface ip=192.168.1.2 bcast=192.168.1.255 nmask=255.255.255.0
Anonymous login successful
Domain=[FOOBAR.TLD] OS=[Unix] Server=[Samba 3.0.12-5-SUSE]

        Sharename       Type      Comment
        ---------       ----      -------
        profiles        Disk      Roaming Profiles
        share           Disk      share
        IPC$            IPC       IPC Service (Samba 3.0.12-5-SUSE)
        ADMIN$          IPC       IPC Service (Samba 3.0.12-5-SUSE)
Anonymous login successful
Domain=[FOOBAR.TLD] OS=[Unix] Server=[Samba 3.0.12-5-SUSE]

        Server               Comment
        ---------            -------
        BAR	             Samba 3.0.12-5-SUSE

        Workgroup            Master
        ---------            -------
        FOOBAR.TLD           BAR


OpenLDAP Setup

Using your favorite text editor, edit the 'slapd.conf' file in the /etc/openldap directory and modify or add these lines to it ( I recommend you build slapd.conf from scratch ):

# Defining schemas and schema file locations
################################################################
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/samba3.schema

pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args

# Defining our database and admin user + password
# ( rootpw can also hold a hash generated with 'slappasswd' instead of clear text )
################################################################
database        bdb
suffix          "dc=foobar,dc=tld"
rootdn          "cn=Manager,dc=foobar,dc=tld"
rootpw          secret
directory       /var/lib/ldap

# Indexing for faster queries ( bad indexes can slow things up )
#################################################################
index   objectClass     eq
index cn                      pres,sub,eq
index sn                      pres,sub,eq
index uid                     pres,sub,eq
index displayName             pres,sub,eq
index uidNumber               eq
index gidNumber               eq
index memberUid               eq
index   sambaSID              eq
index   sambaPrimaryGroupSID  eq
index   sambaDomainName       eq
index   default               sub


# Defining Access Control Lists for access to various parts of our
# database. We can live without ACLs as well, but some security should
# be in place.
# Preventing users from viewing password hashes: the Samba LM/NT hashes
# are password equivalents, so they need the same protection as userPassword
######################################################################
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
    by anonymous auth
    by self write
    by dn="cn=Manager,dc=foobar,dc=tld" write
    by * none

access to *
    by dn="cn=Manager,dc=foobar,dc=tld" write
    by users read
    by self write
    by * read

Once you have modified the file to look like the one presented above, make sure that you have the samba3.schema file inside the /etc/openldap/schema directory ( list the directory and see ). If you don't have it, install the package named 'samba-client'.

The next step in our OpenLDAP backend configuration is to create the hierarchy of our OpenLDAP domain. We will use the IDEALX scripts to populate the LDAP tree; the first thing you should do is create an 'smbldap-tools' directory inside /etc and copy 'smbldap.conf' and 'smbldap_bind.conf' from the /usr/share/doc/packages/samba/examples/LDAP/smbldap-tools-0.8.7/ directory into it:

# mkdir /etc/smbldap-tools
# cd /usr/share/doc/packages/samba/examples/LDAP/smbldap-tools-0.8.7/
# cp smbldap_bind.conf /etc/smbldap-tools
# cp smbldap.conf /etc/smbldap-tools
# cp smbldap_tools.pm /usr/local/sbin
# chmod 644 /usr/local/sbin/smbldap_tools.pm
# cd /etc/smbldap-tools
# chmod 644 smbldap.conf
# chmod 600 smbldap_bind.conf

Using your favorite text editor, edit the 'smbldap.conf' file in the /etc/smbldap-tools directory and modify or add these lines to it ( I recommend you build smbldap.conf from scratch ):

# To obtain your own SID number issue the command 'net getlocalsid'
# and put it below
###############################################################
SID="S-1-5-21-2139989288-483860436-2398042574"

slaveLDAP="127.0.0.1"
slavePort="389"
masterLDAP="127.0.0.1"
masterPort="389"
ldapTLS="0"
verify="require"
cafile="/etc/smbldap-tools/ca.pem"
clientcert="/etc/smbldap-tools/smbldap-tools.pem"
clientkey="/etc/smbldap-tools/smbldap-tools.key" 
suffix="dc=foobar,dc=tld"
usersdn="ou=Users,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=Idmap,${suffix}"  
sambaUnixIdPooldn="sambaDomainName=foobar.tld,${suffix}"
scope="sub"
hash_encrypt="SSHA"
crypt_salt_format="%s"
userLoginShell="/bin/bash"
userHome="/home/%U"
userGecos="System User"
defaultUserGid="513"   
defaultComputerGid="515"
skeletonDir="/etc/skel"        
defaultMaxPasswordAge="99"     
userSmbHome="\\BAR\homes\%U"   
userProfile="\\BAR\profiles\%U"
userHomeDrive="H:"
userScript="%U.cmd"
mailDomain="foobar.tld"
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"

Using your favorite text editor, edit the 'smbldap_tools.pm' file in the /usr/local/sbin directory and modify or add these lines to it:

my $smbldap_conf="/etc/smbldap-tools/smbldap.conf";
my $smbldap_bind_conf="/etc/smbldap-tools/smbldap_bind.conf";

And again using your favorite text editor, edit the 'smbldap_bind.conf' file in the /etc/smbldap-tools directory and modify or add these lines to it:

slaveDN="cn=Manager,dc=foobar,dc=tld"
slavePw="secret"
masterDN="cn=Manager,dc=foobar,dc=tld"
masterPw="secret"

And yet again using your favorite text editor, edit the 'smbldap-populate' file in the /usr/local/sbin directory and modify or add these lines to it ( the default is Administrator, but I've had problems joining workstations to the domain using that account, because above in the Samba setup we map root to Administrator and you need a user with uid=0 to join workstations to the domain. If you have a solution for using a user whose uid is not 0 please feel free to contact me and I'll modify the tutorial ):

my $adminName = $Options{'a'};
if (!defined($adminName)) {
  $adminName = "Admin";
}
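Four files now have to agree on the same base DN, admin DN and admin password: smb.conf ('ldap suffix', 'ldap admin dn'), slapd.conf ('suffix', 'rootdn', 'rootpw'), smbldap.conf ('suffix') and smbldap_bind.conf ('masterDN', 'masterPw'). A template left-over such as dc=example,dc=tld in just one of them makes smbldap-populate write into a tree that slapd does not serve. The checker below is an added example, not part of this HOWTO or of the smbldap-tools: it parses cut-down copies of the four files (constructed inline, with one deliberate dc=example left-over in smbldap.conf) and reports every mismatch, plus a warning when rootpw is stored in clear text rather than as a slappasswd hash. On a live server replace the sample strings with the contents of the real files.

```python
"""Cross-check the LDAP settings that smb.conf, slapd.conf, smbldap.conf
and smbldap_bind.conf must share.  Added example; the four sample
configs are constructed, cut-down versions of the ones in this HOWTO."""
import re

SMB_CONF = """
[global]
workgroup = foobar.tld
passdb backend = ldapsam:ldap://127.0.0.1
ldap suffix = dc=foobar,dc=tld
ldap admin dn = cn=Manager,dc=foobar,dc=tld
"""

SLAPD_CONF = """
database        bdb
suffix          "dc=foobar,dc=tld"
rootdn          "cn=Manager,dc=foobar,dc=tld"
rootpw          secret
"""

# constructed: carries a dc=example,dc=tld left-over from the template
SMBLDAP_CONF = """
SID="S-1-5-21-2139989288-483860436-2398042574"
suffix="dc=example,dc=tld"
usersdn="ou=Users,${suffix}"
"""

SMBLDAP_BIND_CONF = """
masterDN="cn=Manager,dc=foobar,dc=tld"
masterPw="secret"
"""


def parse_smb_conf(text):
    """smb.conf style: [section] headers and 'key = value' lines (keys lower-cased)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def parse_slapd_conf(text):
    """slapd.conf style: 'directive value' lines; surrounding quotes are dropped."""
    out = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            if len(parts) == 2:
                out[parts[0].lower()] = parts[1].strip().strip('"')
    return out


def parse_shell_conf(text):
    """smbldap.conf style: KEY="value" lines, with ${VAR} expanded from earlier keys."""
    out = {}
    for raw in text.splitlines():
        m = re.match(r'\s*([A-Za-z_]\w*)\s*=\s*"?([^"]*)"?\s*$', raw)
        if m:
            key, value = m.groups()
            out[key] = re.sub(r"\$\{(\w+)\}", lambda v: out.get(v.group(1), ""), value)
    return out


def norm_dn(dn):
    """Canonical form for comparing DNs: lower-case, no blanks around commas."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def check_consistency(smb, slapd, tools, bind):
    """Return (severity, message) findings; slapd.conf is taken as the reference."""
    findings = []
    glob = smb.get("global", {})
    base = norm_dn(slapd.get("suffix", ""))
    rootdn = norm_dn(slapd.get("rootdn", ""))

    def expect(label, got, want):
        if norm_dn(got) != want:
            findings.append(("error", "%s is %r but slapd.conf has %r" % (label, got, want)))

    expect("smb.conf 'ldap suffix'", glob.get("ldap suffix", ""), base)
    expect("smbldap.conf suffix", tools.get("suffix", ""), base)
    expect("smb.conf 'ldap admin dn'", glob.get("ldap admin dn", ""), rootdn)
    expect("smbldap_bind.conf masterDN", bind.get("masterDN", ""), rootdn)

    rootpw = slapd.get("rootpw", "")
    if not rootpw.startswith("{"):  # '{SSHA}...' would be a slappasswd hash
        findings.append(("warning", "slapd.conf rootpw is clear text; use a slappasswd hash"))
        if bind.get("masterPw") != rootpw:
            findings.append(("error", "smbldap_bind.conf masterPw differs from slapd.conf rootpw"))
    return findings


def run_check():
    """Run the check over the constructed samples (use open().read() on a real server)."""
    return check_consistency(parse_smb_conf(SMB_CONF), parse_slapd_conf(SLAPD_CONF),
                             parse_shell_conf(SMBLDAP_CONF),
                             parse_shell_conf(SMBLDAP_BIND_CONF))


if __name__ == "__main__":
    for severity, message in run_check():
        print("%s: %s" % (severity.upper(), message))
```

Run as is, the script reports the smbldap.conf suffix mismatch as an error and the clear-text rootpw as a warning; with the sample files brought into line it prints nothing but the warning.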

Once you have made the changes to 'smbldap-populate' you need to run it from the /usr/local/sbin directory, but before that start the LDAP server ( you should see output on the screen looking like this ):

# rcldap start
# /usr/local/sbin/smbldap-populate
Using workgroup name from sambaUnixIdPooldn (smbldap.conf): sambaDomainName=foobar.tld
Using builtin directory structure
adding new entry: dc=foobar,dc=tld
adding new entry: ou=Users,dc=foobar,dc=tld
adding new entry: ou=Groups,dc=foobar,dc=tld
adding new entry: ou=Computers,dc=foobar,dc=tld
adding new entry: ou=Idmap,dc=foobar,dc=tld
adding new entry: sambaDomainName=foobar.tld,dc=foobar,dc=tld
adding new entry: uid=Admin,ou=Users,dc=foobar,dc=tld
adding new entry: uid=nobody,ou=Users,dc=foobar,dc=tld
adding new entry: cn=Domain Admins,ou=Groups,dc=foobar,dc=tld
adding new entry: cn=Domain Users,ou=Groups,dc=foobar,dc=tld
adding new entry: cn=Domain Guests,ou=Groups,dc=foobar,dc=tld
adding new entry: cn=Domain Computers,ou=Groups,dc=foobar,dc=tld
adding new entry: cn=Administrators,ou=Groups,dc=foobar,dc=tld
adding new entry: cn=Print Operators,ou=Groups,dc=foobar,dc=tld
adding new entry: cn=Backup Operators,ou=Groups,dc=foobar,dc=tld

Before we move on, dump the LDAP database with slapcat to ensure that the entries have been made; you should get output like this:

# slapcat
dn: dc=foobar,dc=tld
objectClass: dcObject
objectClass: organization
o: foobar
dc: foobar
structuralObjectClass: organization
entryUUID: fc296908-e259-1027-9686-c73f68847b0c
creatorsName: cn=Manager,dc=foobar,dc=tld
createTimestamp: 20040124014007Z
entryCSN: 20040124014007Z#000001#00#000000
modifiersName: cn=Manager,dc=foobar,dc=tld
modifyTimestamp: 20040124014007Z

dn: ou=Users,dc=foobar,dc=tld
objectClass: organizationalUnit
ou: Users
structuralObjectClass: organizationalUnit
entryUUID: fc4bf504-e259-1027-9687-c73f68847b0c
creatorsName: cn=Manager,dc=foobar,dc=tld
createTimestamp: 20040124014007Z
entryCSN: 20040124014007Z#000002#00#000000
modifiersName: cn=Manager,dc=foobar,dc=tld
modifyTimestamp: 20040124014007Z

dn: ou=Groups,dc=foobar,dc=tld
objectClass: organizationalUnit
ou: Groups
structuralObjectClass: organizationalUnit
entryUUID: fc4e6cb2-e259-1027-9688-c73f68847b0c
creatorsName: cn=Manager,dc=foobar,dc=tld
createTimestamp: 20040124014007Z
entryCSN: 20040124014007Z#000003#00#000000
modifiersName: cn=Manager,dc=foobar,dc=tld
modifyTimestamp: 20040124014007Z

dn: ou=Computers,dc=foobar,dc=tld
objectClass: organizationalUnit
ou: Computers
structuralObjectClass: organizationalUnit
entryUUID: fc55504a-e259-1027-9689-c73f68847b0c
creatorsName: cn=Manager,dc=foobar,dc=tld
createTimestamp: 20040124014008Z
entryCSN: 20040124014008Z#000001#00#000000
modifiersName: cn=Manager,dc=foobar,dc=tld
modifyTimestamp: 20040124014008Z

dn: ou=Idmap,dc=foobar,dc=tld
objectClass: organizationalUnit
ou: Idmap
structuralObjectClass: organizationalUnit
entryUUID: fc58a128-e259-1027-968a-c73f68847b0c
creatorsName: cn=Manager,dc=foobar,dc=tld
createTimestamp: 20040124014008Z
entryCSN: 20040124014008Z#000002#00#000000
modifiersName: cn=Manager,dc=foobar,dc=tld
modifyTimestamp: 20040124014008Z

dn: sambaDomainName=foobar.tld,dc=foobar,dc=tld
objectClass: sambaDomain
objectClass: sambaUnixIdPool
sambaDomainName: foobar.tld
sambaSID: S-1-5-21-2139989288-483860436-2398042574
uidNumber: 1000
gidNumber: 1000
structuralObjectClass: sambaDomain
entryUUID: fc5fcfac-e259-1027-968b-c73f68847b0c
creatorsName: cn=Manager,dc=foobar,dc=tld
createTimestamp: 20040124014008Z
entryCSN: 20040124014008Z#000003#00#000000
modifiersName: cn=Manager,dc=foobar,dc=tld
modifyTimestamp: 20040124014008Z

dn: uid=Admin,ou=Users,dc=foobar,dc=tld
cn: Admin
sn: Admin
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: shadowAccount
gidNumber: 512
uid: Admin
uidNumber: 998
homeDirectory: /home/Admin
sambaPwdLastSet: 0
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
sambaHomePath: \\bar\homes\Admin
sambaHomeDrive: H:
sambaProfilePath: \\bar\profiles\Admin\
sambaPrimaryGroupSID: S-1-5-21-2139989288-483860436-2398042574-512
sambaLMPassword: XXX
sambaNTPassword: XXX
sambaAcctFlags: [U          ]
sambaSID: S-1-5-21-2139989288-483860436-2398042574-2996
loginShell: /bin/false
gecos: Netbios Domain Administrator
structuralObjectClass: inetOrgPerson
entryUUID: fc9199a6-e259-1027-968c-c73f68847b0c
creatorsName: cn=Manager,dc=foobar,dc=tld
createTimestamp: 20040124014008Z
entryCSN: 20040124014008Z#000004#00#000000
modifiersName: cn=Manager,dc=foobar,dc=tld
modifyTimestamp: 20040124014008Z

dn: uid=nobody,ou=Users,dc=foobar,dc=tld
cn: nobody
sn: nobody
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: shadowAccount
gidNumber: 514
uid: nobody
uidNumber: 999
homeDirectory: /dev/null
sambaPwdLastSet: 0
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
sambaHomePath: \\bar\homes\nobody
sambaHomeDrive: H:
sambaProfilePath: \\bar\profiles\nobody
sambaPrimaryGroupSID: S-1-5-21-2139989288-483860436-2398042574-514
sambaLMPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
sambaNTPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
sambaAcctFlags: [NU         ]
sambaSID: S-1-5-21-2139989288-483860436-2398042574-2998
loginShell: /bin/false
structuralObjectClass: inetOrgPerson
entryUUID: fcbe3362-e259-1027-968d-c73f68847b0c
creatorsName: cn=Manager,dc=foobar,dc=tld
createTimestamp: 20040124014008Z
entryCSN: 20040124014008Z#000005#00#000000
modifiersName: cn=Manager,dc=foobar,dc=tld
modifyTimestamp: 20040124014008Z

dn: cn=Domain Admins,ou=Groups,dc=foobar,dc=tld
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
cn: Domain Admins
memberUid: Admin
description: Netbios Domain Administrators
sambaSID: S-1-5-21-2139989288-483860436-2398042574-512
sambaGroupType: 2
displayName: Domain Admins
structuralObjectClass: posixGroup
entryUUID: fcc7222e-e259-1027-968e-c73f68847b0c
creatorsName: cn=Manager,dc=foobar,dc=tld
createTimestamp: 20040124014008Z
entryCSN: 20040124014008Z#000006#00#000000
modifiersName: cn=Manager,dc=foobar,dc=tld
modifyTimestamp: 20040124014008Z

dn: cn=Domain Users,ou=Groups,dc=foobar,dc=tld
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 513
cn: Domain Users
description: Netbios Domain Users
sambaSID: S-1-5-21-2139989288-483860436-2398042574-513
sambaGroupType: 2
displayName: Domain Users
structuralObjectClass: posixGroup
entryUUID: fceb2534-e259-1027-968f-c73f68847b0c
creatorsName: cn=Manager,dc=foobar,dc=tld
createTimestamp: 20040124014008Z
entryCSN: 20040124014008Z#000007#00#000000
modifiersName: cn=Manager,dc=foobar,dc=tld
modifyTimestamp: 20040124014008Z

dn: cn=Domain Guests,ou=Groups,dc=foobar,dc=tld
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 514
cn: Domain Guests
description: Netbios Domain Guests Users
sambaSID: S-1-5-21-2139989288-483860436-2398042574-514
sambaGroupType: 2
displayName: Domain Guests
structuralObjectClass: posixGroup
entryUUID: fcf449fc-e259-1027-9690-c73f68847b0c
creatorsName: cn=Manager,dc=foobar,dc=tld
createTimestamp: 20040124014009Z
entryCSN: 20040124014009Z#000001#00#000000
modifiersName: cn=Manager,dc=foobar,dc=tld
modifyTimestamp: 20040124014009Z

dn: cn=Domain Computers,ou=Groups,dc=foobar,dc=tld
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 515
cn: Domain Computers
description: Netbios Domain Computers accounts
sambaSID: S-1-5-21-2139989288-483860436-2398042574-515
sambaGroupType: 2
displayName: Domain Computers
structuralObjectClass: posixGroup
entryUUID: fcfe6612-e259-1027-9691-c73f68847b0c
creatorsName: cn=Manager,dc=foobar,dc=tld
createTimestamp: 20040124014009Z
entryCSN: 20040124014009Z#000002#00#000000
modifiersName: cn=Manager,dc=foobar,dc=tld
modifyTimestamp: 20040124014009Z

dn: cn=Administrators,ou=Groups,dc=foobar,dc=tld
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 544
cn: Administrators
description: Netbios Domain Members can fully administer the computer/sambaDomainName
sambaSID: S-1-5-32-544
sambaGroupType: 5
displayName: Administrators
structuralObjectClass: posixGroup
entryUUID: fd077900-e259-1027-9692-c73f68847b0c
creatorsName: cn=Manager,dc=foobar,dc=tld
createTimestamp: 20040124014009Z
entryCSN: 20040124014009Z#000003#00#000000
modifiersName: cn=Manager,dc=foobar,dc=tld
modifyTimestamp: 20040124014009Z

dn: cn=Print Operators,ou=Groups,dc=foobar,dc=tld
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 550
cn: Print Operators
description: Netbios Domain Print Operators
sambaSID: S-1-5-32-550
sambaGroupType: 5
displayName: Print Operators
structuralObjectClass: posixGroup
entryUUID: fd1062c2-e259-1027-9693-c73f68847b0c
creatorsName: cn=Manager,dc=foobar,dc=tld
createTimestamp: 20040124014009Z
entryCSN: 20040124014009Z#000004#00#000000
modifiersName: cn=Manager,dc=foobar,dc=tld
modifyTimestamp: 20040124014009Z

dn: cn=Backup Operators,ou=Groups,dc=foobar,dc=tld
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 551
cn: Backup Operators
description: Netbios Domain Members can bypass file security to back up files
sambaSID: S-1-5-32-551
sambaGroupType: 5
displayName: Backup Operators
structuralObjectClass: posixGroup
entryUUID: fd181b16-e259-1027-9694-c73f68847b0c
creatorsName: cn=Manager,dc=foobar,dc=tld
createTimestamp: 20040124014009Z
entryCSN: 20040124014009Z#000005#00#000000
modifiersName: cn=Manager,dc=foobar,dc=tld
modifyTimestamp: 20040124014009Z

dn: cn=Replicators,ou=Groups,dc=foobar,dc=tld
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 552
cn: Replicators
description: Netbios Domain Supports file replication in a sambaDomainName
sambaSID: S-1-5-32-552
sambaGroupType: 5
displayName: Replicators
structuralObjectClass: posixGroup
entryUUID: fd211446-e259-1027-9695-c73f68847b0c
creatorsName: cn=Manager,dc=foobar,dc=tld
createTimestamp: 20040124014009Z
entryCSN: 20040124014009Z#000006#00#000000
modifiersName: cn=Manager,dc=foobar,dc=tld
modifyTimestamp: 20040124014009Z

Now (re)start all daemons:

# rcldap start
# rcsmb start
# rcnmb start

Let's add a few accounts to our LDAP database: first we need to add the root account for SAMBA, because adding a client machine to the domain requires use of an administrator account ( an account with uid 0 ), and second we need to add the LDAP password to the secrets.tdb file so that SAMBA can update the LDAP database:

# smbpasswd -a root
# smbpasswd -w secret
Setting stored password for "cn=Manager,dc=foobar,dc=tld" in secrets.tdb

Note: the password given to 'smbpasswd -w' is what SAMBA will use to bind as the 'ldap admin dn' and update the LDAP database; make it the same as the one defined under the 'rootpw' directive in 'slapd.conf'.

Use the IDEALX scripts to add user, group etc. accounts to LDAP, which will then be used with SAMBA:

# smbldap-useradd -a USERNAME

In order to get the system to authenticate via LDAP and to use the posix accounts stored in LDAP for SAMBA, you need to set your system up to do authentication via LDAP for local and remote connections.

So use YaST to configure your system as an LDAP client.

Once you've got that covered, use your favorite text editor to edit the 'nsswitch.conf' file in the /etc directory and modify or add the following directives:

passwd: files ldap
group: files ldap

Now list the entries in the administrative database to see if your system indeed sees both local and LDAP-stored accounts ( if you haven't added any account yet there should be at least two, Admin and nobody; I have included only those two even though the command will output all accounts ):

# getent passwd
+::0:0:::
Admin:x:998:512:Netbios Domain Administrator:/home/Admin:/bin/false
nobody:x:999:514:nobody:/dev/null:/bin/false

If everything is set as described above you need to edit one or two more files to ensure perfect automation; first create a 'scripts' directory inside /etc/samba:

# mkdir /etc/samba/scripts

Then using your favorite editor create the 'create_home.sh' file inside the /etc/samba/scripts directory with the following content ( this script is used to autocreate a user's home directory via SAMBA unless it already exists; smb.conf calls it from 'root preexec' with the directory, user and group as arguments ):

#!/bin/bash
# $1 = home directory, $2 = owner, $3 = group ( see 'root preexec' in smb.conf )
if [ ! -d "$1" ]
then
  mkdir "$1"
  # copy the skeleton ( dotfiles included ) before fixing ownership,
  # so the copied files belong to the user and not to root
  cp -a /etc/skel/. "$1"
  chown -R "$2":"$3" "$1"
  chmod -R 770 "$1"
fi

Two more files to edit and we're done. First, using your favorite editor, append the following line to the 'login' file inside the /etc/pam.d directory ( this addition is used to autocreate users' home directories for local logins unless they already exist ):

session  required     /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0022

And finally, using your favorite editor, append the following line to the 'sshd' file inside the /etc/pam.d directory ( this addition is used to autocreate users' home directories for SSH logins unless they already exist ):

session  required     /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0022

Phew, now that all of this is configured you may move on with tutorial :D !!



Dynamic DNS Setup

Preconfiguration Steps

To be able to create our dynDNS infrastructure we need to do a few things before actually configuring both the DHCP and DNS servers for dynamic updates. First we need to create a key ( a TSIG key ) that will be used for secure communication between the DHCP and DNS server.

To create the key and the file that holds the key declaration, issue the following commands:

# cd /etc
# genDDNSkey

By default this creates a file named named.keys containing the key DHCP_UPDATER; of course you can choose a different key name and file by issuing the following ( for other options read the help pages ):

# genDDNSkey --key-file=/your/path --key-name MY_KEY_NAME

Once the key has been created, you need to tell both the DHCP and DNS daemons to use this file, since they both run in a chroot jail and the file has to be copied into it.

Using your favorite text editor, edit the 'dhcpd' file in the /etc/sysconfig directory and modify or add the following directive:

DHCPD_CONF_INCLUDE_FILES="/etc/named.keys"

Using your favorite text editor, edit the 'named' file in the /etc/sysconfig directory and modify or add the following directive:

NAMED_CONF_INCLUDE_FILES="/etc/named.keys"

Now you can move on towards configuring your DHCP and DNS servers.

DHCP Setup

Using your favorite text editor, edit the 'dhcpd.conf' file in the /etc directory and modify or add these lines to it ( I recommend you build dhcpd.conf from scratch ). The IP address scheme and values are arbitrary; set them to reflect your own network:

# File with key we shall use to securely update zone files
###########################################################
include "/etc/named.keys";

# Our server is authority
#########################################################
server-identifier bar.foobar.tld;
authoritative;

# Zone specification ( the names must be the DNS zone names, i.e. the
# same zones named.conf allows DHCP_UPDATER to update )
###########################################
zone foobar.tld. {
        primary 192.168.1.104;
        key DHCP_UPDATER;
}
zone 1.168.192.in-addr.arpa. {
        primary 192.168.1.104;
        key DHCP_UPDATER;
}

# Various options
########################################
default-lease-time 86400;
max-lease-time 172800;

option domain-name "foobar.tld";
option domain-name-servers 192.168.1.104;

ignore client-updates;
ddns-domainname "foobar.tld";
ddns-updates on;
ddns-update-style interim;

# Declaration of network properties ( range ... )
#################################################
subnet 192.168.1.0 netmask 255.255.255.0 {
        range dynamic-bootp 192.168.1.10 192.168.1.254;
        zone foobar.tld { primary 127.0.0.1; key DHCP_UPDATER; }
        zone 1.168.192.in-addr.arpa. { primary 127.0.0.1; key DHCP_UPDATER; }
        option subnet-mask 255.255.255.0;
        option routers 192.168.1.1;
        one-lease-per-client on;
}

The configuration above keeps the range 1 - 10 free for hard-wired ( static ) IP addresses, and the range allotted for dynamic assignment is 10 - 254. Any host with a static address, such as the server itself, should lie outside the dynamic range, otherwise dhcpd may lease that address to another client.



Name Server Setup

Using your favorite text editor, edit the 'named.conf' file in the /etc directory and modify or add these lines to it ( I recommend you build named.conf from scratch ). As in the DHCP example above, the values and ranges are arbitrary and you will set them to the values you desire.

# Include file with key
#################################################
include "/etc/named.keys";

# Access Control Lists
#################################################
acl mynet {
        192.168.1.0/24;
        127.0.0.1;
};

# Various Options
#################################################
options {
        directory "/var/lib/named";
        allow-query { mynet; };
        forwarders { 83.139.64.3; };
};

# Misc zone declarations
#################################################
zone "localhost" in {
        type master;
        file "localhost.zone";
};

zone "0.0.127.in-addr.arpa" in {
        type master;
        file "127.0.0.zone";
};

zone "." in {
        type hint;
        file "root.hint";
};

# Forward foobar.tld zone declaration
#################################################
zone "foobar.tld" {
        type master;
        file "dyn/foobar.forward";
        allow-update { key DHCP_UPDATER; };
        allow-query { mynet; };
        allow-transfer { mynet; };
};

# Reverse foobar.tld zone declaration
#################################################
zone "1.168.192.in-addr.arpa" {
        type master;
        file "dyn/foobar.reverse";
        allow-update { key DHCP_UPDATER; };
        allow-query { mynet; };
        allow-transfer { mynet; };
};
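The important access controls in the named.conf above are that dynamic updates are accepted only with the DHCP_UPDATER TSIG key and that queries and transfers are limited to the 'mynet' ACL. The following added example ( not part of the original guide ) is a small lint that parses zone declarations from a named.conf-style text and reports master zones whose allow-update is not key-based or whose allow-transfer is missing or open; the sample configuration is constructed here and its second zone is deliberately weak.

```python
import re

# Constructed sample modelled on the named.conf above; the "weak.example"
# zone is deliberately misconfigured so the lint has something to report.
SAMPLE_NAMED_CONF = """
acl mynet { 192.168.1.0/24; 127.0.0.1; };
options { directory "/var/lib/named"; allow-query { mynet; }; };
zone "." in { type hint; file "root.hint"; };
zone "foobar.tld" {
        type master;
        file "dyn/foobar.forward";
        allow-update { key DHCP_UPDATER; };
        allow-query { mynet; };
        allow-transfer { mynet; };
};
zone "weak.example" {
        type master;
        file "dyn/weak.zone";
        allow-update { any; };
};
"""

ZONE_HDR = re.compile(r'zone\s+"([^"]+)"[^{]*\{')
CLAUSE = re.compile(r'(allow-(?:update|transfer|query))\s*\{([^}]*)\}')

def parse_zones(text):
    """Map each master zone name to its allow-* clauses. Braces are counted
    so the nested { } of the allow-* clauses do not end the zone early."""
    zones = {}
    for m in ZONE_HDR.finditer(text):
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {'{': 1, '}': -1}.get(text[i], 0)
            i += 1
        body = text[m.end():i - 1]
        if 'type master' not in body:
            continue  # hint/slave zones carry no update policy to check
        zones[m.group(1)] = {
            clause: [e.strip() for e in entries.split(';') if e.strip()]
            for clause, entries in CLAUSE.findall(body)}
    return zones

def lint_zone(clauses):
    """Findings for one zone; an empty list means it matches the guide's policy."""
    findings = []
    if any(not e.startswith('key ') for e in clauses.get('allow-update', [])):
        findings.append('allow-update not restricted to a TSIG key')
    xfr = clauses.get('allow-transfer')
    if xfr is None or 'any' in xfr:
        findings.append('allow-transfer missing or open to any')
    return findings

def lint(text):
    return {name: lint_zone(c) for name, c in parse_zones(text).items()}
```

Run it against your real /etc/named.conf by passing the file contents to lint(); the check is purely textual and is no substitute for named-checkconf.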

Now that you have made the named.conf file, you must create the actual zone files.

Using your favorite text editor, create the 'foobar.forward' file in the /var/lib/named/dyn directory and modify or add these lines to it ( I recommend you build the foobar.forward file from scratch ).

$TTL 5D
@              IN SOA  bar.foobar.tld. root.foobar.tld. (
                                        200524085  ; serial
                                        3H         ; refresh
                                        1H         ; retry
                                        1W         ; expire
                                        5D )       ; minimum

@                        NS      bar.foobar.tld.

bar                      A      192.168.1.104
zazen                    A      192.168.1.100

Using your favorite text editor, create the 'foobar.reverse' file in the /var/lib/named/dyn directory and modify or add these lines to it ( I recommend you build the foobar.reverse file from scratch ).

$TTL 5D
@                      IN SOA  bar.foobar.tld. root.foobar.tld. (
                                200524086  ; serial
                                3H         ; refresh
                                1H         ; retry
                                1W         ; expire
                                5H )       ; minimum

@                        NS      bar.foobar.tld.

104                     PTR     bar.foobar.tld.
100                     PTR     zazen.foobar.tld.

Both zone files for localhost are created by default, so you need not recreate them; the root.hint file is included by default as well.

Go to top.


Content Checking

ClamAV

Setting up content checking in SAMBA is a bit screwy and requires a few modifications. First copy the 'vscan-clamav.conf' file from the /usr/share/doc/packages/samba-vscan/ directory to the /etc/samba directory.

# cp  /usr/share/doc/packages/samba-vscan/vscan-clamav.conf /etc/samba

Now create a directory named 'clamd' in the /var/run directory and change its ownership to user and group vscan.

# mkdir /var/run/clamd
# chown vscan:vscan /var/run/clamd

We also need to create a directory which will be used as quarantine and give ownership of it to the 'vscan' user:

# mkdir /var/lib/clamav/quarantine
# chown vscan /var/lib/clamav/quarantine

Using your favorite text editor, edit the 'vscan-clamav.conf' file in the /etc/samba directory and modify or add these lines to it ( I recommend you build the vscan-clamav.conf file from scratch ).

[samba-vscan]
max file size = 0
verbose file logging = yes
scan on open = yes
scan on close = yes
deny access on error = yes
deny access on minor error = yes
send warning message = yes
infected file action = quarantine
quarantine directory  = /var/lib/clamav/quarantine
quarantine prefix = vir-
max lru files entries = 100
lru file entry lifetime = 5
exclude file types =
clamd socket name = /var/run/clamd/clamd
libclamav max files in archive = 1000
libclamav max archived file size = 10 * 1048576
libclamav max recursion level = 5

Using your favorite text editor, create the 'clamd.conf' file in the /etc/ directory and modify or add these lines to it ( I recommend you build the clamd.conf file from scratch ).

LogFile /var/log/clamd
LogFileUnlock
LogSyslog
LogFacility LOG_MAIL
LogVerbose
PidFile /var/lib/clamav/clamd.pid
DatabaseDirectory /var/lib/clamav
LocalSocket /var/run/clamd/clamd
FixStaleSocket
User vscan
Foreground
Debug
ScanRAR

Start all daemons:

# rcnamed start
# rcdhcpd start
# rcldap start
# rcsmb start
# rcnmb start
# rcclamd start

All we have to do now is set up our clients and we are done ( almost, but not yet ).

Go to top.


Client Setup

Setting up a client to connect to the domain is not that hard, assuming that all of your services work in sweet harmony ( let's come together right now, oh yeah in sweeeet harmony ).

Ok, let's commence our journey of joining a client workstation to the SAMBA domain. The machine account should be added to the domain automatically by default, but if it isn't you will need to add a POSIX machine account for it first ( note that the '$' is there for a reason: it specifies that the account is a machine account ):

# smbldap-useradd -w machine_name$

Now on your windows workstation, right click 'My Computer' and choose 'Properties', you should be presented with a panel like this:

Now press 'Properties' button and you will get a panel like this:

Click on the 'Domain' radio button and type in the domain name 'foobar.tld', then press the 'Ok' button and you will be presented with a panel like this:

Add username 'Administrator' and password for it ( remember smbpasswd -a root ).
If you configured everything well you should get a popup like this:


Press 'Ok' and reboot your workstation. Once booted, log in to the domain with the user account you added with the 'smbldap-useradd' script.


Go to top.