author | John Terpstra <jht@samba.org> | 2005-03-04 07:07:44 +0000 |
---|---|---|
committer | Gerald W. Carter <jerry@samba.org> | 2008-04-23 08:46:14 -0500 |
commit | 8734c9d5e8f146ba44189fb33cde6ecc2943e991 (patch) | |
tree | 24e2fbaf10cf394da53b67b9402f19cb2aafc1e6 | |
parent | 5d5395f48d1aac60928ddc324439d238f54c6628 (diff) | |
Updating in readiness for 3.0.12
(This used to be commit 40b6b9752607be6edd5fabaa21d8d2da4f48dc41)
-rw-r--r-- | docs/Samba-Guide/Chap06-MakingHappyUsers.xml | 566 |
1 files changed, 372 insertions, 194 deletions
diff --git a/docs/Samba-Guide/Chap06-MakingHappyUsers.xml b/docs/Samba-Guide/Chap06-MakingHappyUsers.xml index 4f72876dc2..21a328cedb 100644 --- a/docs/Samba-Guide/Chap06-MakingHappyUsers.xml +++ b/docs/Samba-Guide/Chap06-MakingHappyUsers.xml @@ -9,7 +9,12 @@ ]> <chapter id="happy"> - <title>Making Users Happy</title> + <title>Making Happy Users</title> + +<note><para> +This chapter is under reconstruction/modification. The data here is incomplete at this time. +Please check back in a few days time as the contents are undergoing change. +</para></note> <para> It has been said, <quote>A day that is without troubles is not fulfilling. Rather, give @@ -964,11 +969,17 @@ </indexterm><indexterm> <primary>Red Hat Linux</primary> </indexterm> - All configuration files and locations are shown for SUSE Linux 9.0. The file locations for - Red Hat Linux are similar. You may need to adjust the locations for your particular - Linux system distribution/implementation. + All configuration files and locations are shown for SUSE Linux 9.2 and are equaly valid for SUSE + Linux Enterprise Server 9. The file locations for Red Hat Linux are similar. You may need to + adjust the locations for your particular Linux system distribution/implementation. </para> +<note><para> +The following information applies to Samba-3.0.12 when used with the Idealx smbldap-tools scripts +version 0.8.7. If using a different version of Samba, or of the smbldap-tools tarball, please +verify that the versions you are about to use are matching. +</para></note> + <para> The steps in the process involve changes from the network configuration shown in <link linkend="Big500users"/>. @@ -1000,7 +1011,7 @@ <thead> <row> <entry align="center">SUSE Linux 8.x</entry> - <entry align="center">SUSE Linux 9</entry> + <entry align="center">SUSE Linux 9.x</entry> <entry align="center">Red Hat Linux 9</entry> </row> </thead> 
@@ -1055,8 +1066,6 @@ follow these guidelines, the resulting system should work fine. </para> -<?latex \newpage ?> - <procedure> <step><para><indexterm> <primary>/etc/openldap/slapd.conf</primary> @@ -1066,16 +1075,16 @@ </para></step> <step><para><indexterm> - <primary>/var/lib/ldap</primary> + <primary>/data/ldap</primary> </indexterm><indexterm> <primary>group account</primary> </indexterm><indexterm> <primary>user account</primary> </indexterm> - Remove all files from the directory <filename>/var/lib/ldap</filename>, making certain that + Remove all files from the directory <filename>/data/ldap</filename>, making certain that the directory exists with permissions: <screen> -&rootprompt; ls -al /var/lib | grep ldap +&rootprompt; ls -al /data | grep ldap drwx------ 2 ldap ldap 48 Dec 15 22:11 ldap </screen> This may require you to add a user and a group account for LDAP if they do not exist. @@ -1091,12 +1100,20 @@ include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema -include /etc/openldap/schema/samba.schema +include /etc/openldap/schema/samba3.schema pidfile /var/run/slapd/slapd.pid argsfile /var/run/slapd/slapd.args -database ldbm +access to * + by self write + by users read + by anonymous auth + +database bdb +checkpoint 1024 5 +cachesize 10000 + suffix "dc=abmas,dc=biz" rootdn "cn=Manager,dc=abmas,dc=biz" 
@@ -1198,40 +1215,52 @@ index default sub <example id="ch6-nss01"> <title>Configuration File for NSS LDAP Support &smbmdash; <filename>/etc/ldap.conf</filename></title> <screen> -SIZELIMIT 200 -TIMELIMIT 15 -DEREF never - host 127.0.0.1 + base dc=abmas,dc=biz + binddn cn=Manager,dc=abmas,dc=biz bindpw not24get +timelimit 50 +bind_timelimit 50 +bind_policy hard + +idle_timelimit 3600 + pam_password exop -nss_base_passwd ou=People,dc=abmas,dc=biz?one -nss_base_shadow ou=People,dc=abmas,dc=biz?one +nss_base_passwd ou=People,dc=abmas,dc=biz?one +nss_base_shadow ou=People,dc=abmas,dc=biz?one nss_base_group ou=Groups,dc=abmas,dc=biz?one + +ssl off </screen> </example> <example id="ch6-nss02"> <title>Configuration File for NSS LDAP Clients Support &smbmdash; <filename>/etc/ldap.conf</filename></title> <screen> -SIZELIMIT 200 -TIMELIMIT 15 -DEREF never +host 172.16.0.1 -host 172.16.0.1 base dc=abmas,dc=biz + binddn cn=Manager,dc=abmas,dc=biz bindpw not24get +timelimit 50 +bind_timelimit 50 +bind_policy hard + +idle_timelimit 3600 + pam_password exop nss_base_passwd ou=People,dc=abmas,dc=biz?one nss_base_shadow ou=People,dc=abmas,dc=biz?one nss_base_group ou=Groups,dc=abmas,dc=biz?one + +ssl off </screen> </example> 
@@ -1317,10 +1346,11 @@ session optional pam_mail.so <para><indexterm> <primary>Samba RPM Packages</primary> </indexterm> - Verify that the Samba-3.0.2 (or later) packages are installed on each SUSE Linux server - before following the steps below. If Samba-3.0.2 (or later) is not installed, you have the + Verify that the Samba-3.0.12 (or later) packages are installed on each SUSE Linux server + before following the steps below. If Samba-3.0.12 (or later) is not installed, you have the choice to either build your own or to obtain the packages from a dependable source. - Packages for SUSE Linux 8.2 and 9.0, and Red Hat 9.0 are included on the CD-ROM that + Packages for SUSE Linux 8.x, 9.x and SUSE Linux Enterprise Server 9, as well as for + Red Hat Fedora Core and Red Hat Enteprise Linux Server 3 and 4 are included on the CD-ROM that is included at the back of this book. </para> 
@@ -1331,31 +1361,40 @@ session optional pam_mail.so <link linkend="ch6-massive-smbconfb"/>, <link linkend="ch6-shareconfa"/>, and <link linkend="ch6-shareconfb"/> into the <filename>/etc/samba/</filename> directory. The three files should be added together to form the &smb.conf; - file. + master file. It is a good practice to call this file something like + <filename>smb.conf.master</filename>, and then to perform all file edits + on the master file. The operational &smb.conf; is then generated as shown in + the next step. </para></step> <step><para><indexterm> <primary>testparm</primary> </indexterm> - Verify the contents of the &smb.conf; file that is generated by Samba - as it collates all the included files. You do this by executing: + Create and verify the contents of the &smb.conf; file that is generated by: +<screen> +&rootprompt; testparm -s smb.conf.master > smb.conf +</screen> + Immediately follow this with the following: <screen> -&rootprompt; testparm -s > test.conf +&rootprompt; testparm </screen> The output that is created should be free from errors, as shown here: <screen> +Load smb config files from /etc/samba/smb.conf +Processing section "[accounts]" +Processing section "[service]" +Processing section "[pidata]" Processing section "[homes]" Processing section "[printers]" Processing section "[apps]" Processing section "[netlogon]" Processing section "[profiles]" Processing section "[profdata]" -Processing section "[IPC$]" -Processing section "[accounts]" -Processing section "[service]" -Processing section "[pidata]" +Processing section "[print$]" Loaded services file OK. +Server role: ROLE_DOMAIN_PDC +Press enter to see a dump of your service definitions </screen> </para></step> 
@@ -1404,11 +1443,16 @@ Setting stored password for "cn=Manager,dc=abmas,dc=biz" in secrets.tdb A report such as the following means that the Domain Security Identifier (SID) has not yet been written to the <filename>secrets.tdb</filename> or to the LDAP backend: <screen> -[2003/12/16 22:32:20, 0] utils/net.c:net_getlocalsid(414) - Can't fetch domain SID for name: MASSIVE +[2005/03/03 23:19:34, 0] lib/smbldap.c:smbldap_connect_system(852) + failed to bind to server ldap://massive.abmas.biz with dn="cn=Manager,dc=abmas,dc=biz" Error: Can't contact LDAP server + (unknown) +[2005/03/03 23:19:48, 0] lib/smbldap.c:smbldap_search_suffix(1169) + smbldap_search_suffix: Problem during the LDAP search: (unknown) (Timed out) </screen> - When the Domain has been created and written to the <filename>secrets.tdb</filename> - file, the output should look like this: + The attempt to read the SID will attempt to bind to the LDAP server. Because the LDAP server + is not running this operation will fail by way of a time out, as shown above. This is + normal output, do not worry about this error message. When the Domain has been created and + written to the <filename>secrets.tdb</filename> file, the output should look like this: <screen> SID for domain MASSIVE is: S-1-5-21-3504140859-1010554828-2431957765 </screen> @@ -1448,7 +1492,7 @@ SID for domain MASSIVE is: S-1-5-21-3504140859-1010554828-2431957765 of the PDC. rsync is a useful tool here as it resembles the NT replication service quite closely. If you do use NFS, do not forget to start the NFS server as follows: <screen> -&rootprompt; rcnfs start +&rootprompt; rcnfsserver start </screen> </para></step> </procedure> 
@@ -1468,6 +1512,7 @@ SID for domain MASSIVE is: S-1-5-21-3504140859-1010554828-2431957765 <smbconfoption><name>interfaces</name><value>eth1, lo</value></smbconfoption> <smbconfoption><name>bind interfaces only</name><value>Yes</value></smbconfoption> <smbconfoption><name>passdb backend</name><value>ldapsam:ldap://massive.abmas.biz</value></smbconfoption> + <smbconfoption><name>enable privileges</name><value>Yes</value></smbconfoption> <smbconfoption><name>username map</name><value>/etc/samba/smbusers</value></smbconfoption> <smbconfoption><name>log level</name><value>1</value></smbconfoption> <smbconfoption><name>syslog</name><value>0</value></smbconfoption> 
@@ -1478,18 +1523,22 @@ SID for domain MASSIVE is: S-1-5-21-3504140859-1010554828-2431957765 <smbconfoption><name>time server</name><value>Yes</value></smbconfoption> <smbconfoption><name>printcap name</name><value>CUPS</value></smbconfoption> <smbconfoption><name>show add printer wizard</name><value>No</value></smbconfoption> - <smbconfoption><name>add user script</name><value>/var/lib/samba/sbin/smbldap-useradd.pl -a -m '%u'</value></smbconfoption> - <smbconfoption><name>delete user script</name><value>/var/lib/samba/sbin/smbldap-userdel.pl '%u'</value></smbconfoption> - <smbconfoption><name>add group script</name><value>/var/lib/samba/sbin/smbldap-groupadd.pl -p '%g'</value></smbconfoption> - <smbconfoption><name>delete group script</name><value>/var/lib/samba/sbin/smbldap-groupdel.pl '%g'</value></smbconfoption> - <smbconfoption><name>add user to group script</name><value>/var/lib/samba/sbin/</value></smbconfoption> - <member><parameter>smbldap-groupmod.pl -m '%u' '%g'</parameter></member> - <smbconfoption><name>delete user from group script</name><value>/var/lib/samba/sbin/</value></smbconfoption> - <member><parameter>smbldap-groupmod.pl -x '%u' '%g'</parameter></member> - <smbconfoption><name>set primary group script</name><value>/var/lib/samba/sbin/</value></smbconfoption> - <member><parameter>smbldap-usermod.pl -g '%g' '%u'</parameter></member> - <smbconfoption><name>add machine script</name><value>/var/lib/samba/sbin/</value></smbconfoption> - <member><parameter>smbldap-useradd.pl -w '%u'</parameter></member> + <smbconfoption><name>add user script</name><value>/opt/IDEALX/sbin/smbldap-useradd -m "%u"</value></smbconfoption> + <smbconfoption><name>delete user script</name><value>/opt/IDEALX/sbin/smbldap-userdel "%u"</value></smbconfoption> + <smbconfoption><name>add group script</name><value>/opt/IDEALX/sbin/smbldap-groupadd -p "%g"</value></smbconfoption> + <smbconfoption><name>delete group script</name><value>/opt/IDEALX/sbin/smbldap-groupdel 
"%g"</value></smbconfoption> + <smbconfoption><name>add user to group script</name><value>/opt/IDEALX/sbin/</value></smbconfoption> + <member><parameter>smbldap-groupmod -m "%u" "%g"</parameter></member> + <smbconfoption><name>delete user from group script</name><value>/opt/IDEALX/sbin/</value></smbconfoption> + <member><parameter>smbldap-groupmod -x "%u" "%g"</parameter></member> + <smbconfoption><name>set primary group script</name><value>/opt/IDEALX/sbin/</value></smbconfoption> + <member><parameter>smbldap-usermod -g "%g" "%u"</parameter></member> + <smbconfoption><name>add machine script</name><value>/opt/IDEALX/sbin/</value></smbconfoption> + <member><parameter>smbldap-useradd -w "%u"</parameter></member> +</smbconfexample> + +<smbconfexample id="ch6-massive-smbconfb"> +<title>LDAP Based &smb.conf; File, Server: MASSIVE &smbmdash; global Section: Part B</title> <smbconfoption><name>logon script</name><value>scripts\logon.bat</value></smbconfoption> <smbconfoption><name>logon path</name><value>\\%L\profiles\%U</value></smbconfoption> <smbconfoption><name>logon drive</name><value>X:</value></smbconfoption> @@ -1500,10 +1549,6 @@ SID for domain MASSIVE is: S-1-5-21-3504140859-1010554828-2431957765 <smbconfoption><name>ldap machine suffix</name><value>ou=People</value></smbconfoption> <smbconfoption><name>ldap user suffix</name><value>ou=People</value></smbconfoption> <smbconfoption><name>ldap group suffix</name><value>ou=Groups</value></smbconfoption> -</smbconfexample> - -<smbconfexample id="ch6-massive-smbconfb"> -<title>LDAP Based &smb.conf; File, Server: MASSIVE &smbmdash; global Section: Part B</title> <smbconfoption><name>ldap idmap suffix</name><value>ou=Idmap</value></smbconfoption> <smbconfoption><name>ldap admin dn</name><value>cn=Manager,dc=abmas,dc=biz</value></smbconfoption> <smbconfoption><name>idmap backend</name><value>ldap:ldap://massive.abmas.biz</value></smbconfoption> 
@@ -1518,43 +1563,52 @@ SID for domain MASSIVE is: S-1-5-21-3504140859-1010554828-2431957765 <sect2> - <title>Install and Configure Idealx SMB-LDAP Scripts</title> + <title>Install and Configure Idealx smbldap-tools Scripts</title> <para><indexterm> <primary>Idealx</primary> <secondary>smbldap-tools</secondary> </indexterm> The Idealx scripts, or equivalent, are necessary to permit Samba-3 to manage accounts - on the LDAP server. You have chosen the Idealx scripts since they are part of the - Samba-3 package distribution. On your SUSE Linux system, you find these scripts in the - <filename>/usr/share/doc/packages/samba3/Examples/LDAP/smbldap-tools</filename> - directory. On a Red Hat Linux system, they are in a similar path. If you cannot find - the scripts on your system, it is easy enough to download them from the Idealx + on the LDAP server. You have chosen the Idealx scripts since they are the best known + LDAP configuration scripts. The use of these scripts will help avoid the necessity + to create custom scripts. It is easy to download them from the Idealx <ulink url="http://samba.idealx.org/index.en.html">Web Site.</ulink> The tarball may - be directly <ulink - url="http://samba.idealx.org/dist/smbldap-tools-0.8.2.tgz">downloaded</ulink> - for this site, also. + be directly <ulink url="http://samba.idealx.org/dist/smbldap-tools-0.8.7.tgz">downloaded</ulink> + for this site, also. Alternately, you may obtain the + <ulink url="http://samba.idealx.org/dist/smbldap-tools-0.8.7-3.src.rpm">smbldap-tools-0.8.7-3.src.rpm</ulink> + file that may be used to build an installable RPM package for your Linux system. </para> - <para> - In your installation, the smbldap-tools are located in <filename>/var/lib/samba/sbin</filename>. - They can be installed in any convenient directory of your choice, in which case you must - change the path to them in your &smb.conf; file on the PDC (<constant>MASSIVE</constant>). 
- </para> +<note><para> +The smbldap-tools scripts can be installed in any convenient directory of your choice, in which case you must +change the path to them in your &smb.conf; file on the PDC (<constant>MASSIVE</constant>). +</para></note> <para> + The smbldap-tools are located in <filename>/opt/IDEALX/sbin</filename>. The scripts are not needed on BDC machines because all LDAP updates are handled by the PDC alone. </para> + <sect3> + <title>Installation of smbldap-tools from the tarball</title> + + <para> + To perform a manual installation of the smbldap-tools scripts the following procedure may be used: + </para> + <procedure id="idealxscript"> <step><para> - Create the <filename>/var/lib/samba/sbin</filename> directory, and set its permissions + Create the <filename>/opt/IDEALX/sbin</filename> directory, and set its permissions and ownership as shown here: <screen> -&rootprompt; mkdir -p /var/lib/samba/sbin -&rootprompt; chown root.root /var/lib/samba/sbin -&rootprompt; chmod 755 /var/lib/samba/sbin +&rootprompt; mkdir -p /opt/IDEALX/sbin +&rootprompt; chown root.root /opt/IDEALX/sbin +&rootprompt; chmod 755 /opt/IDEALX/sbin +&rootprompt; mkdir -p /etc/smbldap-tools +&rootprompt; chown root.root /etc/smbldap-tools +&rootprompt; chmod 755 /etc/smbldap-tools </screen> </para></step> 
@@ -1565,118 +1619,30 @@ SID for domain MASSIVE is: S-1-5-21-3504140859-1010554828-2431957765 </para></step> <step><para> - Copy all the <filename>.pl</filename> and <filename>.pm</filename> files into the - <filename>/var/lib/samba/sbin</filename> directory, as shown here: -<screen> -&rootprompt; cd /usr/share/doc/packages/samba3/Examples/LDAP/smbldap-tools -&rootprompt; cp *.pl *.pm /var/lib/samba/sbin -</screen> - </para></step> - - <step><para><indexterm> - <primary>mkntpasswd</primary> - </indexterm> - You must compile the <command>mkntpasswd</command> tool and then install it into - the <filename>/var/lib/samba/sbin</filename> directory, as shown here: + Copy all the <filename>smbldap-*</filename> and the <filename>configure.pl</filename> files into the + <filename>/opt/IDEALX/sbin</filename> directory, as shown here: <screen> -&rootprompt; cd mkntpwd -&rootprompt; make -gcc -O2 -DMPU8086 -c -o getopt.o getopt.c -gcc -O2 -DMPU8086 -c -o md4.o md4.c -gcc -O2 -DMPU8086 -c -o mkntpwd.o mkntpwd.c -mkntpwd.c: In function `main': -mkntpwd.c:37: warning: return type of `main' is not `int' -gcc -O2 -DMPU8086 -c -o smbdes.o smbdes.c -gcc -O2 -DMPU8086 -o mkntpwd getopt.o md4.o mkntpwd.o smbdes.o -&rootprompt; cp mkntpwd /var/lib/samba/sbin +&rootprompt; cd smbldap-tools-0.8.7/ +&rootprompt; cp smbldap-* configure.pl *pm /opt/IDEALX/sbin/ +&rootprompt; cp smbldap*conf /etc/smbldap-tools/ +&rootprompt; chmod 750 /opt/IDEALX/sbin/smbldap-* +&rootprompt; chmod 750 /opt/IDEALX/sbin/configure.pl +&rootprompt; chmod 640 /etc/smbldap-tools/smbldap.conf +&rootprompt; chmod 600 /etc/smbldap-tools/smbldap_bind.conf </screen> - The smbldap-tools scripts must now be configured. </para></step> <step><para> - Change to the <filename>/var/lib/samba/sbin</filename> directory, and edit the - <filename>/var/lib/samba/sbin/smbldap_conf.pm</filename> to affect the changes + The smbldap-tools scripts master control file must now be configured. 
+ Change to the <filename>/opt/IDEALX/sbin</filename> directory, then edit the + <filename>/opt/IDEALX/sbin/smbldap_conf.pm</filename> to affect the changes shown here: <screen> -# Put your own SID -# to obtain this number do: "net getlocalsid" -#$SID='S-1-5-21-1671648649-242858427-2873575837'; -$SID='S-1-5-21-3504140859-1010554828-2431957765'; -... -# LDAP Suffix -# Ex: $suffix = "dc=IDEALX,dc=ORG"; -$suffix = "dc=abmas,dc=biz"; -... -# Where are stored Users -# Ex: $usersdn = "ou=Users,$suffix"; ... -$usersou = q(People); -$usersdn = "ou=$usersou,$suffix"; - -# Where are stored Computers -# Ex: $computersdn = "ou=Computers,$suffix"; ... -$computersou = q(People); -$computersdn = "ou=$computersou,$suffix"; - -# Where are stored Groups -# Ex $groupsdn = "ou=Groups,$suffix"; ... -$groupsou = q(Groups); -$groupsdn = "ou=$groupsou,$suffix"; - -# Default scope Used -$scope = "sub"; - -# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA) -$hash_encrypt="MD5"; -... -############################ -# Credential Configuration # -############################ -# Bind DN used -# Ex: $binddn = "cn=admin,$suffix"; ... -$binddn = "cn=Manager,$suffix"; - -# Bind DN passwd used -# Ex: $bindpasswd = 'secret'; for 'secret' -$bindpasswd = 'not24get'; ... -# Login defs -# Default Login Shell -# Ex: $_userLoginShell = q(/bin/bash); -#$_userLoginShell = q(_LOGINSHELL_); -$_userLoginShell = q(/bin/bash); - -# Home directory prefix (without username) -# Ex: $_userHomePrefix = q(/home/); -#$_userHomePrefix = q(_HOMEPREFIX_); -$_userHomePrefix = q(/home/); -... 
-# The UNC path to home drives location without the -# username last extension (will be dynamically prepended) -# Ex: q(\\\\My-PDC-netbios-name\\homes) -# Just comment this if you want to use the smb.conf -# 'logon home' directive # and/or desabling roaming profiles -#$_userSmbHome = q(\\\\_PDCNAME_\\homes); -$_userSmbHome = q(\\\\MASSIVE\\homes); - -# The UNC path to profiles locations without the username -# last extension (will be dynamically prepended) -# Ex: q(\\\\My-PDC-netbios-name\\profiles\\) -# Just comment this if you want to use the smb.conf -# 'logon path' directive and/or desabling roaming profiles -$_userProfile = q(\\\\MASSIVE\\profiles\\); - -# The default Home Drive Letter mapping -# (automatically mapped at logon time if home directory exists) -# Ex: q(U:) for U: -#$_userHomeDrive = q(_HOMEDRIVE_); -$_userHomeDrive = q(H:); -... -# Allows not to use smbpasswd -# (if $with_smbpasswd == 0 in smbldap_conf.pm) but -# prefer mkntpwd... most of the time, it's a wise choice :-) -$with_smbpasswd = 0; -$smbpasswd = "/usr/bin/smbpasswd"; -$mk_ntpasswd = "/var/lib/samba/sbin/mkntpwd"; +# ugly funcs using global variables and spawning openldap clients + +my $smbldap_conf="/etc/smbldap-tools/smbldap.conf"; +my $smbldap_bind_conf="/etc/smbldap-tools/smbldap_bind.conf"; ... </screen> </para></step> 
@@ -1685,15 +1651,205 @@ $mk_ntpasswd = "/var/lib/samba/sbin/mkntpwd"; To complete the configuration of the smbldap-tools, set the permissions and ownership by executing the following commands: <screen> -&rootprompt; chown root.root /var/lib/samba/sbin/* -&rootprompt; chmod 755 /var/lib/samba/sbin/smb*pl -&rootprompt; chmod 640 /var/lib/samba/sbin/smb*pm -&rootprompt; chmod 555 /var/lib/samba/sbin/mkntpwd +&rootprompt; chown root.root /opt/IDEALX/sbin/* +&rootprompt; chmod 755 /opt/IDEALX/sbin/smbldap-* +&rootprompt; chmod 640 /opt/IDEALX/sbin/smb*pm </screen> - The smbldap-tools scripts are now ready for use. + The smbldap-tools scripts are now ready for the configuration step outlined in + <link linkend="smbldap-init">Configuration of smbldap-tools</link>. </para></step> </procedure> + </sect3> + + <sect3> + <title>Installing smbldap-tools from the RPM Package</title> + + <para> + In the event that you have elected to use the RPM package provided by Idealx, download the + source RPM <filename>smbldap-tools-0.8.7-3.src.rpm</filename>, then follow the following procedure: + </para> + + <procedure> + + <step><para> + Install the source RPM that has been downloaded as follows: +<screen> +&rootprompt; rpm -i smbldap-tools-0.8.7-3.src.rpm +</screen> + </para></step> + + <step><para> + Change into the directory in which the SPEC files are located. On SUSE Linux: +<screen> +&rootprompt; cd /usr/src/packages/SPECS +</screen> + On Red Hat Linux systems: +<screen> +&rootprompt; cd /usr/src/redhat/SPECS +</screen> + </para></step> + + <step><para> + Edit the <filename>smbldap-tools.spec</filename> file to change the value of the + <constant>_sysconfig</constant> macro as shown here: +<screen> +%define _prefix /opt/IDEALX +%define _sysconfdir /etc +</screen> + Note: Any suitable directory can be specified. 
+ </para></step> + + <step><para> + Build the package by executing: +<screen> +&rootprompt; rpmbuild -ba -v smbldap-tools.spec +</screen> + A build process that has completed without error will place the installable binary + files in the directory <filename>../RPMS/noarch</filename>. + </para></step> + + <step><para> + Install the binary package by executing: +<screen> +&rootprompt; rpm -Uvh ../RPMS/noarch/smbldap-tools-0.8.7-3.noarch.rpm +</screen> + </para></step> + + </procedure> + + <para> + The Idealx scripts should now be ready for configuration using the steps outlined in + <link linkend="smbldap-init">Configuration of smbldap-tools</link>. + </para> + + </sect3> + + <sect3 id="smbldap-init"> + <title>Configuration of smbldap-tools</title> + + <para> + Prior to use the smbldap-tools must be configured to match the settings in the &smb.conf; file + and to match the settings in the <filename>/etc/openldap/slapd.conf</filename> file. The assumption + is made that the &smb.conf; file has correct contents. The following procedure will ensure that + this is completed correctly: + </para> + + <para> + The smbldap-tools require that the netbios name (machine name) of the Samba server be included + in the &smb.conf; file. + </para> + + <procedure> + + <step><para> + Change into the directory that contains the <filename>configure.pl</filename> script. +<screen> +&rootprompt; cd /opt/IDEALX/sbin +</screen> + </para></step> + + <step><para> + Execute the <filename>configure.pl</filename> script as follows: +<screen> +&rootprompt; ./configure.pl +</screen> + The interactive use of this script for the PDC is demonstrated here: +<screen> +Unrecognized escape \p passed through at ./configure.pl line 194. +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + smbldap-tools script configuration + -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= +Before starting, check + . if your samba controller is up and running. + . 
if the domain SID is defined (you can get it with the 'net getlocalsid') + + . you can leave the configuration using the Crtl-c key combination + . empty value can be set with the "." caracter +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- +Looking for configuration files... + +Samba Config File Location [/etc/samba/smb.conf] > +smbldap Config file Location (global parameters) [/etc/smbldap-tools/smbldap.conf] > +smbldap Config file Location (bind parameters) [/etc/smbldap-tools/smbldap_bind.conf] > +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= +Let's start configuring the smbldap-tools scripts ... + +. workgroup name: name of the domain Samba act as a PDC + workgroup name [MEGANET2] > +. netbios name: netbios name of the samba controler + netbios name [MASSIVE] > +. logon drive: local path to which the home directory will be connected (for NT Workstations). Ex: 'H:' + logon drive [X:] > +. logon home: home directory location (for Win95/98 or NT Workstation). + (use %U as username) Ex:'\\MASSIVE\home\%U' + logon home (leave blank if you don't want homeDirectory) [\\MASSIVE\home\%U] > \\MASSIVE\%U +. logon path: directory where roaming profiles are stored. Ex:'\\MASSIVE\profiles\%U' + logon path (leave blank if you don't want roaming profile) [\\MASSIVE\profiles\%U] > +. home directory prefix (use %U as username) [/home/%U] > /home/users/%U +. default user netlogon script (use %U as username) [%U.cmd] > scripts\login.cmd + default password validation time (time in days) [45] > 0 +. ldap suffix [dc=abmas,dc=biz] > +. ldap group suffix [ou=Groups] > +. ldap user suffix [ou=People] > +. ldap machine suffix [ou=People] > +. Idmap suffix [ou=Idmap] > +. sambaUnixIdPooldn: object where you want to store the next uidNumber + and gidNumber available for new users and groups + sambaUnixIdPooldn object (relative to ${suffix}) [cn=NextFreeUnixId] > +. 
ldap master server: IP adress or DNS name of the master (writable) ldap server +Use of uninitialized value in scalar chomp at ./configure.pl line 138, <STDIN> line 17. +Use of uninitialized value in hash element at ./configure.pl line 140, <STDIN> line 17. +Use of uninitialized value in concatenation (.) or string at ./configure.pl line 144, <STDIN> line 17. +Use of uninitialized value in string at ./configure.pl line 145, <STDIN> line 17. + ldap master server [] > 127.0.0.1 +. ldap master port [389] > +. ldap master bind dn [cn=Manager,dc=abmas,dc=biz] > +. ldap master bind password [] > +. ldap slave server: IP adress or DNS name of the slave ldap server: can also be the master one +Use of uninitialized value in scalar chomp at ./configure.pl line 138, <STDIN> line 21. +Use of uninitialized value in hash element at ./configure.pl line 140, <STDIN> line 21. +Use of uninitialized value in concatenation (.) or string at ./configure.pl line 144, <STDIN> line 21. +Use of uninitialized value in string at ./configure.pl line 145, <STDIN> line 21. + ldap slave server [] > 127.0.0.1 +. ldap slave port [389] > +. ldap slave bind dn [cn=Manager,dc=abmas,dc=biz] > +. ldap slave bind password [] > +. ldap tls support (1/0) [0] > +. SID for domain MEGANET2: SID of the domain (can be obtained with 'net getlocalsid MASSIVE') + SID for domain MEGANET2 [S-1-5-21-3504140859-1010554828-2431957765] > +. unix password encryption: encryption used for unix passwords + unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA) [SSHA] > MD5 +. default user gidNumber [513] > +. default computer gidNumber [515] > +. default login shell [/bin/bash] > +. 
default domain name to append to mail adress [] > abmas.biz +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= +backup old configuration files: + /etc/smbldap-tools/smbldap.conf->etc/smbldap-tools/smbldap.conf.old + /etc/smbldap-tools/smbldap_bind.conf->etc/smbldap-tools/smbldap_bind.conf.old +writing new configuration file: + /etc/smbldap-tools/smbldap.conf done. + /etc/smbldap-tools/smbldap_bind.conf done. +</screen> + Since a slave LDAP server has not been configured it is necessary to specify the IP + address of the master LDAP server for both the master and the slave configuration + prompts. + </para></step> + + <step><para> + Change to the directory that contains the <filename>smbldap.conf</filename> file + then verify its contents. + </para></step> + + </procedure> + + <para> + The smbldap-tools are now ready for use. + </para> + + </sect3> + </sect2> <sect2> @@ -1755,10 +1911,10 @@ $mk_ntpasswd = "/var/lib/samba/sbin/mkntpwd"; </para> <para><indexterm> - <primary>smbldap-populate.pl</primary> + <primary>smbldap-populate</primary> </indexterm> The following steps initialize the LDAP database, and then you can add user and group - accounts that Samba can use. You use the <command>smbldap-populate.pl</command> to + accounts that Samba can use. You use the <command>smbldap-populate</command> to seed the LDAP database. You then manually add the accounts shown in <link linkend="ch6-bigacct"/>. The list of users does not cover all 500 network users; it provides examples only. </para> 
@@ -1857,33 +2013,53 @@ Starting ldap-server done </para></step> <step><para> - Change to the <filename>/var/lib/samba/sbin</filename> directory. + Change to the <filename>/opt/IDEALX/sbin</filename> directory. </para></step> <step><para> Execute the script that will populate the LDAP database as shown here: <screen> &rootprompt; ./smbldap-populate.pl +</screen> + The expected output from this is: +<screen> +Using workgroup name from smb.conf: sambaDomainName=MEGANET2 +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= +=> Warning: you must update smbldap.conf configuration file to : +=> sambaUnixIdPooldn parameter must be set to "sambaDomainName=MEGANET2,dc=abmas,dc=biz" +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Using builtin directory structure adding new entry: dc=abmas,dc=biz adding new entry: ou=People,dc=abmas,dc=biz adding new entry: ou=Groups,dc=abmas,dc=biz -adding new entry: ou=Computers,dc=abmas,dc=biz -adding new entry: uid=Administrator,ou=People,dc=abmas,dc=biz +entry ou=People,dc=abmas,dc=biz already exist. 
+adding new entry: ou=Idmap,dc=abmas,dc=biz +adding new entry: sambaDomainName=MEGANET2,dc=abmas,dc=biz +adding new entry: uid=root,ou=People,dc=abmas,dc=biz adding new entry: uid=nobody,ou=People,dc=abmas,dc=biz adding new entry: cn=Domain Admins,ou=Groups,dc=abmas,dc=biz adding new entry: cn=Domain Users,ou=Groups,dc=abmas,dc=biz adding new entry: cn=Domain Guests,ou=Groups,dc=abmas,dc=biz +adding new entry: cn=Domain Computers,ou=Groups,dc=abmas,dc=biz adding new entry: cn=Administrators,ou=Groups,dc=abmas,dc=biz -adding new entry: cn=Users,ou=Groups,dc=abmas,dc=biz -adding new entry: cn=Guests,ou=Groups,dc=abmas,dc=biz -adding new entry: cn=Power Users,ou=Groups,dc=abmas,dc=biz -adding new entry: cn=Account Operators,ou=Groups,dc=abmas,dc=biz -adding new entry: cn=Server Operators,ou=Groups,dc=abmas,dc=biz adding new entry: cn=Print Operators,ou=Groups,dc=abmas,dc=biz adding new entry: cn=Backup Operators,ou=Groups,dc=abmas,dc=biz -adding new entry: cn=Replicator,ou=Groups,dc=abmas,dc=biz -adding new entry: cn=Domain Computers,ou=Groups,dc=abmas,dc=biz +adding new entry: cn=Replicators,ou=Groups,dc=abmas,dc=biz +</screen> + </para></step> + + <step><para> + Edit the <filename>/etc/smbldap-tools/smbldap.conf</filename> file so that the following + information is changed from: +<screen> +# Where to store next uidNumber and gidNumber available +sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}" +</screen> + to read, after modification: +<screen> +# Where to store next uidNumber and gidNumber available +#sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}" +sambaUnixIdPooldn="sambaDomainName=MEGANET2,dc=abmas,dc=biz" </screen> </para></step> 
@@ -2083,7 +2259,7 @@ uid=1002(chrisr) gid=513(Domain Users) groups=513(Domain Users) management of user and group accounts requires that the UID=0. You decide to rectify this immediately as demonstrated here: <screen> -&rootprompt; cd /var/lib/samba/sbin +&rootprompt; cd /opt/IDEALX/sbin &rootprompt; ./smbldap-usermod.pl -u 0 Administrator </screen> </para></step> @@ -2641,6 +2817,7 @@ smb: \> q <smbconfoption><name>workgroup</name><value>MEGANET2</value></smbconfoption> <smbconfoption><name>netbios name</name><value>BLDG1</value></smbconfoption> <smbconfoption><name>passdb backend</name><value>ldapsam:ldap://massive.abmas.biz</value></smbconfoption> + <smbconfoption><name>enable privileges</name><value>Yes</value></smbconfoption> <smbconfoption><name>username map</name><value>/etc/samba/smbusers</value></smbconfoption> <smbconfoption><name>log level</name><value>1</value></smbconfoption> <smbconfoption><name>syslog</name><value>0</value></smbconfoption> @@ -2678,6 +2855,7 @@ smb: \> q <smbconfoption><name>workgroup</name><value>MEGANET2</value></smbconfoption> <smbconfoption><name>netbios name</name><value>BLDG2</value></smbconfoption> <smbconfoption><name>passdb backend</name><value>ldapsam:ldap://massive.abmas.biz</value></smbconfoption> + <smbconfoption><name>enable privileges</name><value>Yes</value></smbconfoption> <smbconfoption><name>username map</name><value>/etc/samba/smbusers</value></smbconfoption> <smbconfoption><name>log level</name><value>1</value></smbconfoption> <smbconfoption><name>syslog</name><value>0</value></smbconfoption> |
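Review bot: typo in the @@ -964 hunk, `equaly valid` should read `equally valid`; the last sentence of the new note would also read better as `verify that the versions you are about to use match`.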
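Review bot: the new global ACL in the @@ -1091 hunk, `access to * by self write by users read by anonymous auth`, is broader than the Samba backend needs. `by users read` lets every authenticated account read every attribute of every entry, which with samba3.schema loaded includes the sambaLMPassword and sambaNTPassword hashes, and `by self write` lets a user rewrite any attribute of their own entry, uidNumber, gidNumber and sambaSID included. Consider placing a rule for the password attributes ahead of the catch-all, e.g. `access to attrs=userPassword,sambaLMPassword,sambaNTPassword by self write by anonymous auth by * none`, and narrowing the catch-all's `by self write` to the attributes users are meant to manage. Note also that `cn=Manager,dc=abmas,dc=biz` is the rootdn, so these ACLs never apply to the binds Samba and nss_ldap make with that DN.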
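Review bot: both /etc/ldap.conf examples in the @@ -1198 hunk keep `binddn cn=Manager,dc=abmas,dc=biz` with `bindpw not24get`, and the hunk adds `ssl off`. nss_ldap needs this file readable by every process, so the directory rootdn password becomes readable by every local account on the PDC and, through ch6-nss02, on every client that installs it, and with `ssl off` the client copy sends that password in cleartext to 172.16.0.1 on each bind. Suggest a dedicated read-only bind DN for lookups, or nss_ldap's `rootbinddn` with the password kept in mode-600 `/etc/ldap.secret` where privileged lookups are required, plus either `ssl start_tls` or an explicit statement in the text that the 172.16.0.0 segment is assumed trusted.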
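Review bot: typo in the @@ -1317 hunk, `Red Hat Enteprise Linux Server 3 and 4` should read `Enterprise`.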
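Review bot: in the @@ -1331 hunk, `testparm -s smb.conf.master > smb.conf` overwrites the live /etc/samba/smb.conf before the master file has been checked, so a parse error in the master leaves smbd with an empty or partial configuration. Suggest running `testparm -s smb.conf.master` on its own first, or redirecting to a temporary file and moving it into place only when testparm exits cleanly, followed by the plain `testparm` the step already has.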
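Review bot: the new text in the @@ -1404 hunk states that the bind failure is `normal output, do not worry about this error message` without scoping it, which teaches readers to disregard `failed to bind to server ldap://massive.abmas.biz` in general. Suggest qualifying it to this step (slapd has not yet been started, so the bind times out) and adding that the same message once slapd is running indicates a real configuration problem. `by way of a time out` can be `with a timeout`.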
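Review bot: the @@ -1468 hunk adds `enable privileges = Yes` to the PDC, and the @@ -2641 and @@ -2678 hunks do the same for BLDG1 and BLDG2, but no step in the chapter grants any rights. Without a `net rpc rights grant` step the parameter is inert; either add that step or point to where privileges are assigned, and mention that the parameter requires Samba 3.0.11 or later, which the new 3.0.12 requirement already satisfies.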
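Review bot: style point on the @@ -1518 hunk, `chown root.root` uses the deprecated dot separator; `chown root:root` is the portable form, and the same applies to the later chown lines in the patch. The 755 mode on /etc/smbldap-tools is fine only because the later `chmod 640` and `chmod 600` on the two files inside it restrict their contents; it is worth saying so in the step.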
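Review bot: the `chmod 750 /opt/IDEALX/sbin/smbldap-*` in the @@ -1565 hunk is undone two steps later in the @@ -1685 hunk by `chmod 755 /opt/IDEALX/sbin/smbldap-*`; pick one mode and state it once. In the same hunk the edit step for `smbldap_conf.pm` now shows only the resulting `my $smbldap_conf` and `my $smbldap_bind_conf` path lines with nothing to compare against, so a reader cannot tell what to change, or whether the 0.8.7 tarball needs changing at all; show the before and after, and confirm the file name, since the copy step installs `*pm` generically. `to affect the changes` should be `to effect the changes`.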
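Review bot: in the @@ -1685 hunk the RPM step says to change the `_sysconfig` macro, but the lines shown are `%define _prefix /opt/IDEALX` and `%define _sysconfdir /etc`; name the macros that are actually edited. In the configure.pl transcript the default `unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA) [SSHA]` is overridden with `MD5`, which stores unsalted {MD5} hashes of the Unix passwords in the directory; unless the chapter needs MD5 for compatibility, the salted SSHA default is the safer choice and the change should be justified in the text. The transcript also leaves `ldap master bind password [] >` and `ldap slave bind password [] >` empty; say whether the password was typed without echo or is entered afterwards, since smbldap_bind.conf will not work with an empty value. The Perl warnings captured in the transcript (`Unrecognized escape \p`, `Use of uninitialized value`) should be explained as harmless or trimmed, and `Prior to use the smbldap-tools must be configured` needs a comma after `use`.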
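Review bot: the command in the @@ -1857 hunk is still `./smbldap-populate.pl`, but this patch installs the 0.8.7 scripts with `cp smbldap-* configure.pl *pm /opt/IDEALX/sbin/`, references them in smb.conf without a suffix, and renames the index term to `smbldap-populate`, so the `.pl` name does not exist under /opt/IDEALX/sbin; change it to `./smbldap-populate`. The captured output also contains `entry ou=People,dc=abmas,dc=biz already exist.`, which shows the run was made against a directory that already held data; a reader starting from the emptied /data/ldap will not see that line, so the transcript should come from a clean run. The `=> Warning: you must update smbldap.conf` lines are handled by the new step that follows, which is good.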
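Review bot: same `.pl` issue in the @@ -2083 hunk, `./smbldap-usermod.pl -u 0 Administrator` should be `./smbldap-usermod -u 0 Administrator` to match the script names the patch installs. Since the patch also turns on `enable privileges`, the surrounding claim that account management `requires that the UID=0` deserves revisiting: granting the Administrator account the rights it needs with `net rpc rights grant` avoids mapping a domain account onto the Unix root uid.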