Louis van Belle
2005-Jun-30 11:17 UTC
[Samba] Debian Samba 3.0.14a with ldap, recycle + little SETUP for samba + Ldap
Hi everybody, I'm new here, so this is what I use and know.

I'm using Debian Sarge (stable) with LDAP; I used the Idealx setup as the example. Here is my small howto.

### README FOR EASY SAMBA SETUP

First make sure you have a running Debian server.

Install the following packages:

apt-get install slapd ldap-utils samba samba-doc libpam-ldap /
  libnss-ldap libslapd2-dev phpldapadmin autofs-ldap /
  smbldap-tools apache php4-ldap

It's possible you need some extra perl modules.

I add users with the smbldap-useradd command.
I manage users and groups with ldapadmin (ldapadmin.sf.net).
I check and export with phpldapadmin.

If ldap is installed and samba is ready with the ldap setup, follow the next steps.

FOR ACL you need kernel patches for 2.4; for 2.6, recompile with acl enabled. I run on ext3.

1 ) smbpasswd -w password ( Samba LDAP Admin password )
    ( Setting stored password for "cn=admin,dc=domain,dc=tld" in secrets.tdb )

2 ) net getlocalsid
    ( SID for domain PDC is: S-1-5-21-1514036618-1238540321-4235948366 )

3 ) Adjust the SID=" ..... " in /etc/smbldap-tools/smbldap.conf

4 ) smbldap-populate -u 2000 -g 2000
    Start samba users with uid/gid 2000. I have separated my system users and samba ldap users:
    system uses the Debian defaults, samba uses its own skel.

5a) smbpasswd -a root
    Use the password of the real root account.

5b) net join PDC
    This lets the PDC join the domain.

6a) Check the NT SE rights:
    net rpc rights list accounts (rootpasswd)

6b) Which rights are possible:
    net rpc rights list (rootpasswd)

7 ) Adding rights to domain groups.
    WARNING: if you are using a PDC/BDC setup, this also has to be done on the BDC.

    "net rpc group" or "slapcat | grep Group | grep dn" (rootpasswd)

    Domain Admins
    Domain Users
    Domain Guests
    Domain Computers
    Administrators
    Print Operators
    Backup Operators
    Replicators

    Privilege                   Description
    SeMachineAccountPrivilege   Add machines to domain
    SePrintOperatorPrivilege    Manage printers
    SeAddUsersPrivilege         Add users and groups to the domain
    SeRemoteShutdownPrivilege   Force shutdown from a remote system
    SeDiskOperatorPrivilege     Manage disk share

    Give the "Domain Admins" all rights. ( -S Servername -U Username%Password )
    net -S PDC -U root%Password rpc rights grant "DOMAIN\Domain Admins" /
      SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege /
      SeDiskOperatorPrivilege SeRemoteShutdownPrivilege

    Give the "Printer Operators" all print manage rights. ( -S Servername -U Username%Password )
    net -S PDC -U root%Password rpc rights grant "DOMAIN\Print Operators" SePrintOperatorPrivilege

8 ) Set the Administrator's password: "smbldap-passwd Administrator"

9 ) Activate the Administrator account. ? needed ?
    I use "smbldap-usermod -J Administrator"

10) Add DSA users ( see idealx setup ) ( I didn't use it yet )

11) Install winbind ( apt-get install winbind ), set winbind:
    wbinfo --set-auth-user DOMAIN\\Administrator%password

######### SMB.CONF

# Global parameters
[global]
## NETBIOS / DOMAIN / SERVER SETTINGS
# realm = SUBDOMAIN.DOMAIN.NL
interfaces = eth0 lo
bind interfaces only = yes
netbios name = PDC
server string = MS249-LIN-001
workgroup = DOMAIN
domain logons = Yes
preferred master = Yes
domain master = Yes
os level = 65
min protocol = NT1
lm announce = no
lanman auth = no
disable netbios = no
encrypt passwords = true
admin users = @"Domain Admins"
enable privileges = yes
security = user
time server = yes
dns proxy = yes
socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192
keep alive = 60

## USER/LDAP SETTINGS
username map = /etc/samba/users.map
guest account = nobody
obey pam restrictions = No
ldap passwd sync = yes
passdb backend = ldapsam:ldap://ldap/
ldap suffix = dc=subdomain,dc=domain,dc=nl
ldap admin dn = cn=admin,dc=subdomain,dc=domain,dc=nl
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Users
ldap delete dn = Yes
ldap ssl = no
add user script = /usr/sbin/smbldap-useradd -m "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"

## WINS/DNS SETTINGS
#
# Also needed when using ACL
#
wins support = Yes
password server = PDC
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind use default domain = yes
winbind separator = \
winbind cache time = 15
winbind enum users = yes
winbind enum groups = yes
template shell = /bin/false
template homedir = /home/users/%U

## LOGGING
utmp = yes
syslog = 0
log level = 2
panic action = /usr/share/samba/panic-action %d
max log size = 1000
log file = /var/log/samba/log.%m

## MISC FILES/DIRECTORIES
nt acl support = yes
map acl inherit = yes
dos charset = 850
unix charset = ISO8859-1
preserve case = yes
short preserve case = yes
case sensitive = no
directory mask = 0750
hide dot files = yes
hide unreadable = yes
hide files = /desktop.ini/
# veto files = /*.eml/*.nws/riched20.dll/*.{*}/
veto files = /*.eml/*.nws/*.{*}/
veto oplock files = /*.doc/*.xls/*.mdb/
dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
create mask = 0644

## MISC OTHER
mangling method = hash2
deadtime = 10
map to guest = Bad User

## MISC PROFILE
logon script = logon.cmd
logon home = \\%L\%U
logon path = \\%L\profiles\%U
logon drive = P:

## PRINTING Section 1 !! Global Settings !!
printing = cups
load printers = Yes
show add printer wizard = Yes
max print jobs = 100
printcap name = cups
printer admin = @"Printer Operators",@"Domain Admins",Administrator,root
lpq cache time = 20
use client driver = No
disable spoolss = No

# PRINTING Section 2 !!
# users are able to connect to any printer specified in the Samba host's
# printcap file ( /etc/printcap ) provided through cups
[printers]
comment = All Network Printers
printable = yes
path = /home/samba/spool
browseable = No
guest ok = yes
public = yes
read only = yes
writable = no
create mode = 0777
lpq command = /usr/bin/lpq -P'%p'
lprm command = /usr/bin/lprm -P'%p' %j
lppause command = /usr/sbin/lpc hold '%p' %j
lpresume command = /usr/sbin/lpc release '%p' %j
queueresume command = /usr/sbin/lpc start '%p'
queuepause command = /usr/sbin/lpc stop '%p'
# Print Command is not used when using cups
# print command = /usr/bin/lpr -r -P'%p' %s

### Printing Section 3 "The Windows Printer drivers"
# Required permissions
# The account used to connect to the Samba host must have
# a UID of 0 (i.e., a root account). ( or Administrator )
# The account used to connect to the Samba host must be
# named in the printer admin list.
# Or the account used to connect to the Samba host must have
# SEPrintOperatorRights
[print$]
comment = Printer Drivers Download Area
path = /home/samba/printers
browseable = no
guest ok = no
read only = yes
write list = @"Print Operators",@"Domain Admins",Administrator,root
create mask = 0664
directory mask = 0775
valid users = @"Domain Users",@"Print Operators",@"Domain Admins",Administrator,root

[netlogon]
browseable = Yes
comment = NetLogon Service
write list = @"Domain Admins",Administrator
path = /home/samba/netlogon

[profiles]
path = /home/samba/profiles
comment = Profiel omgeving
read only = no
create mask = 0600
directory mask = 0700
browseable = No
guest ok = Yes
profile acls = yes
csc policy = disable
# next line is a great way to secure the profiles
force user = %U
# next line allows administrator to access all profiles
valid users = %U
nt acl support = no
default case = lower
short preserve case = no
case sensitive = no

[homes]
comment = Prive documenten van %U
read only = No
create mask = 0644
directory mask = 0775
browseable = No
vfs object = recycle
recycle: config-files = /etc/samba/samba-recycle.conf
# vfs object = recycle vscan-clamav
# vscan-clamav: config-file = /etc/samba/samba-vscan-clamav.conf

/remove this and below from the smb.conf ( this is in the samba-recycle.conf )
name = .recycle
mode = KEEP_DIRECTORIES|VERSIONS|TOUCH
maxsize = 0
exclude = *.tmp|*.temp|*.o|*.obj|~$*|*.~??
excludedir = /tmp|/temp|/cache
noversions = *.doc|*.xls|*.ppt
I have a cronjob which empties the recycle bin every week on Saturday morning after the backup!
/remove_end

[afdelingen]
comment = Afdelings Documenten
path = /home/samba/afdelingen
browseable = Yes
read only = No
directory mask = 2775
create mask = 2664
users = @"domain users"
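An added example, not part of the post above and not Samba's own tooling: a small Python checker that parses an smb.conf in the format shown and flags two things a reviewer of this setup would look at, an `ldapsam:ldap://` backend combined with `ldap ssl = no` (the `ldap admin dn` bind password then crosses the network without TLS unless the directory is on the same host) and writable shares with `guest ok = yes` but no `valid users` list (the post's [profiles] share passes because it restricts with `valid users = %U`). The embedded sample is a constructed abridgement of the post's config, the [scratch] share is invented here to exercise the share check, and the findings are this example's heuristics, not Samba's validation.

```python
import re
# Constructed sample modelled on the post's smb.conf; [scratch] is invented here to exercise the share check.
SAMPLE = """\
[global]
   passdb backend = ldapsam:ldap://ldap/
   ldap ssl = no
   ; comment lines start with ';' or '#'
[profiles]
   Read Only = no
   guest ok = Yes
   force user = %U
   valid users = %U
[scratch]
   read only = No
   guest ok = yes
"""

def parse_smb_conf(text):
    """Return {section: {key: value}}; keys are lower-cased and space-normalised
    because Samba treats 'Read Only' and 'read only' as the same parameter."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections

def is_yes(value): return value.strip().lower() in {"yes", "true", "1"}

def audit(sections):
    """Heuristic review of a parsed config; returns (section, message) pairs."""
    findings, g = [], sections.get("global", {})
    if g.get("passdb backend", "").startswith("ldapsam:ldap://") and \
            g.get("ldap ssl", "").lower() in {"no", "off"}:
        findings.append(("global", "LDAP admin bind is sent without TLS (ldap ssl = no)"))
    for name, opts in sections.items():  # per-share checks
        if name == "global":
            continue
        writable = is_yes(opts.get("writable", "no")) or not is_yes(opts.get("read only", "yes"))
        if writable and is_yes(opts.get("guest ok", "no")) and "valid users" not in opts:
            findings.append((name, "writable share allows guests and has no valid users list"))
    return findings
```

Running `audit(parse_smb_conf(SAMPLE))` reports the global LDAP finding and the [scratch] share only; run it against a real file with `parse_smb_conf(open("/etc/samba/smb.conf").read())`.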