Neil Proctor
2004-Aug-16 17:59 UTC
[Samba] Howto setup SLES 9 w/Samba 3.04 in a Domain & SSL SWAT
I'd imagine this document will answer many prayers for stumped admins. These are my notes on how to set up SuSE Linux Enterprise Server v9 and how to configure Samba v3.04-SuSE to work as a member server in a domain. Also, this document contains FULL instructions on how to set up SSL Secured SWAT (Samba Web Administration Tool).

This document is a step by step guide to installing SLES and Samba. Of course you don't need a RAID configured system like mine, but I'm going to assume you know how to at least load linux and can plug in your own stuff where you need it. Hope this helps many of you. Good luck; if you have questions, please feel free to contact me.

Loaded using SLES 9, Samba 3.04-SuSE
You will need CDs SLES1-SLES3 to complete this install.

Make sure the RAIDs are in an OPTIMAL state before you start installation.
Create 2 Containers: Container 0 named SLES9, 10gb; Container 1 named NAS, the remaining space, approx. 1.6TB.

Boot from CD1
Select Installation
Software agreement: click I agree
Language - English
Select New Installation
Partitioning
  Create Custom Partition
  Custom Partition for experts
  Create
    Select SDA
    Primary
    Do Not format, Change File System ID to Linux Swap
    Click format
    Size, End = +1gb
    Ok
  Create
    Select SDA
    Primary
    Ok
  Create
    Select SDB
    Primary
    Mount Point = /nas
    Ok
  Next
Software
  Default
  Detailed Selection
  Select all of the following:
    LSB
    C/C++ Analyzing Tools
      Uncheck SNORT
      Uncheck AIDE
    File Server
      Check all Samba entries
  Click Accept
  Click Continue for dependency changes
Time Zone
  Eastern
  Hardware clock set to Local time
  Accept
Click accept
Click Yes, Install
Install starts
After CD swaps are done, the system reboots
Install continues
Root Password = (whatever you want)
Next
Click Network Interfaces
  Click Change
  Click Edit
  Click STATIC
  Ip = Static ip for this box (i.e. 192.168.1.2)
  Click Host Name
    Host name = nas1
    Domain = yourdomain.com
    name server = your dns name server's IP
    name server = your dns name server's IP
    Ok
  Routing
    default gateway = your gateway IP
    Ok
  Next
  Finish
Next
Select Yes, Test Connection, Next
Result should = Success if network is config'd properly
Next
Yes, Run Online Update
  Change location from .de to .com in Location line
  Click Next
  Username = your suse portal username
  Password = your suse portal password
  Login
  Select all Security & Recommended, except Linux Kernel
  Select Optional Update for Yast2-installation
  Click accept
  Updates will start to download
  Click Finish
Click Next
Authentication Method = LDAP
Next
LDAP Client Config = use all defaults, Click Next
Create LDAP User = username deleteme
Next
Accept warning for password and continue
Release notes: read, then click Next
Click Graphics Cards
  Click Monitor
    Change configuration
    Properties
    Dell M770
    Finish
  Click Color and Resolution
    Change configuration
    Properties
    Resolution Tab
    Click 1280x1024
    Click Ok
    Click Finish
  Finalize
    Click Test, make sure you can see the screen and click Save
    Click Ok
Click Next
Click Finish
Linux boots
Login as root
Go into Yast
  Click Online Update
  Click Next
  Enter SLES portal user and pass, click Keep Authentication Data, Login
  Select any kernel updates available as well as any other security or recommended updates. If kernel updates are available you will get a warning; after you have read the warning click Install Patch.
  Click Finish
If you installed a kernel update, reboot
Login as root

Install Stunnel
  Open YAST, Software, Install & Remove Software
  Filters, Search, Input: Stunnel
  Install Stunnel v4.05

Configuring SWAT over Stunnel

1. We generate a private key (1024 bit size):

   /usr/sbin/openssl genrsa -out /etc/stunnel/swat.key 1024

2. Generate a certificate signing request (csr) using the server key generated above (output will be PEM formatted):

   /usr/sbin/openssl req -new -key /etc/stunnel/swat.key -out /etc/stunnel/swat.csr

3. Create a self-signed certificate (X509 structure); the output will be PEM formatted:

   /usr/sbin/openssl x509 -req -days 365 -in /etc/stunnel/swat.csr -signkey /etc/stunnel/swat.key -out /etc/stunnel/swat.crt

4. Prepare the certificate for stunnel. According to the samba / stunnel documentation, a blank line is needed between the private key and the certificate, and another blank line at the end of the file:

   echo "" > ~/blankline.txt
   cat /etc/stunnel/swat.key ~/blankline.txt /etc/stunnel/swat.crt ~/blankline.txt > /etc/stunnel/swat.pem

5. Set the file permissions so no one but root has access to the file:

   chmod 700 /etc/stunnel/swat.pem

6. Configure STUNNEL to start at boot:

   vim /etc/stunnel/swat.conf

   Copy the following into this file:

     cert = /etc/stunnel/swat.pem
     pid = /var/run/stunnel.swat
     service = swat
     [swat]
     accept = 901
     exec = /usr/sbin/swat
     execargs = swat
     TIMEOUTclose = 0

   Save & Exit vim

   vim /etc/init.d/boot.local

   Add the following line:

     stunnel /etc/stunnel/swat.conf

   Save & Exit

Start Stunnel manually:

   stunnel /etc/stunnel/swat.conf

Open Yast
  Network Services
  Samba Server
  *** PLEASE NOTE: if this is a re-installation, DELETE the Samba host computer completely from your domain(s) ***
  Click Status
    Ensure that all 3 processes are running; if not, start them, and then click Restart All
  Workgroup = Your NT/2k/AD Domain Name
  No Domain Controller, Next
  Enable on Boot
  Shares Tab
    Disable all shares
    Click Add
      Share name = Nas
      Share Description = Check Imaging
      Share Type = Directory
      Share path = (select a mount point, i.e. /nas or /home/bob/smbshare, etc.)
      Ok
  Identity Tab
    Remote WINS server name = (Input your WINS server IP here; we run WINS on a separate box)
    Click Advanced Settings, Expert Global
      Click Add: idmap uid = 10000-11000 (if you have more than 1000 users change the 11000 to whatever)
      Click Add: idmap gid = 10000-11000 (if you have more than 1000 users change the 11000 to whatever)
      Click Ok
    Click Advanced Settings, LDAP Settings, Click Ok
    Click Advanced, User Authentication Sources
      Click Add: smbpasswd File, Ok
      Click Add: ldap
    Join the domain = Yes
      username = someone in your domain administrator group
      Prompted for root user password for samba: use the same password as the root user in linux
System
  Runlevel Editor
    Change NSCD to disable
    winbindd to enable

To test winbind, open a terminal window and type:

   wbinfo -u

You should see a list of members in your domain; this may take a few moments.

Now, open a browser and login to IP.Wins.or.DNS.name.of.your.Samba.Server:901
  Username is the root user
  Click Shares, click Advanced
  Choose share = nas
  Change admin users to = '@Yourdomain\Domain Administrators Group Name' (use quotes, or just individual usernames like Yourdomain\joebob without quotes), separated by commas
  Click Commit Changes
  Click Status, and Restart All

Neil Proctor
First Volunteer Bank IT Dept
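Added example, not part of Neil's post: a small Python checker for the two files that steps 4 and 6 of the stunnel section produce. It builds the key+certificate bundle with the blank lines the post calls for, parses the stunnel 4 config into global and per-service options, and flags a bundle or config that deviates from what the post sets up. The key, certificate and config text below are constructed placeholders, not real key material.

```python
# Constructed inputs standing in for the post's swat.key, swat.crt and swat.conf (not real keys).
SAMPLE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIIB...placeholder...\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_CRT = "-----BEGIN CERTIFICATE-----\nMIIC...placeholder...\n-----END CERTIFICATE-----\n"
SAMPLE_CONF = """cert = /etc/stunnel/swat.pem
pid = /var/run/stunnel.swat
service = swat
[swat]
accept = 901
exec = /usr/sbin/swat
execargs = swat
TIMEOUTclose = 0\n"""

def assemble_pem(key_text, cert_text):
    """Step 4 of the post: key, blank line, certificate, trailing blank line."""
    return key_text.rstrip("\n") + "\n\n" + cert_text.rstrip("\n") + "\n\n"

def parse_stunnel_conf(text):
    """stunnel 4 syntax: options before the first [section] are global, later ones per service."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections

def bundle_problems(pem_text):
    """List structural problems with the key+cert bundle stunnel will load."""
    key_end = pem_text.find("-----END RSA PRIVATE KEY-----")
    crt_start = pem_text.find("-----BEGIN CERTIFICATE-----")
    checks = [
        (key_end < 0, "no private key block"),
        (crt_start < 0, "no certificate block"),
        (0 <= crt_start < key_end, "certificate precedes private key"),
        (crt_start > key_end >= 0 and "\n\n" not in pem_text[key_end:crt_start],
         "no blank line between key and certificate"),
        (not pem_text.endswith("\n\n"), "no trailing blank line"),
    ]
    return [msg for failed, msg in checks if failed]

def swat_conf_problems(text):
    """Flag deviations from the SWAT service entry the post configures."""
    conf = parse_stunnel_conf(text)
    expected = {("", "cert"): "/etc/stunnel/swat.pem", ("swat", "accept"): "901",
                ("swat", "exec"): "/usr/sbin/swat"}
    return [f"{sec or 'global'} {key} != {want}" for (sec, key), want in expected.items()
            if conf.get(sec, {}).get(key) != want]
```

Run the checks against the real /etc/stunnel/swat.pem and swat.conf by reading those files in place of the sample strings; an empty list from each function means the bundle and config match the post.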