Hi everybody,

I made a pretty complete howto for samba on debian servers.

This howto covers samba + ldap + cups + recycle bin + samba-vscan + phpldapadmin + ACL + Extended Attributes.
This howto is also based on the idealx howto.

If you do this setup, you should be able to use the NT4 Usermanager, set up Point and Print printing, set rights from explorer etc.
Another nice tool is ldapadmin ( ldapadmin.sf.net ), a must, check it out.

We will use Debian Sarge as setup.
If you never used Debian before, you can follow this how-to (http://www.howtoforge.com/perfect_setup_debian_sarge ); please read the comments below the pages first, this can save you time and problems. Or install Debian without any software packages; we will install them later when needed. Check the kernel or compile your own kernel if needed.

I try to give a complete solution for this how-to, because lots of people were asking the same things on the samba list and lots of people make the same mistakes.

This is my company's running setup.

I run this on a P866, 512 Ram, Scsi Raid 1 ( 15rpms 73 Gb ), with 50 users and 25 printers which do about 150.000 prints a month.

I thank my company for letting me make this document.

Please, if you have improvements or comments, send them to me.

Louis van Belle


INDEX

1 Checking the kernel or compile your own kernel
1.1 Preparing apt configuration
1.2 Preparing the kernel
1.3 setup the /etc/fstab
1.4 final touch, lilo (or grub)
2 Pre-installation of the debian packages
2.1 Samba and Ldap
2.2 basic rights setup for samba
2.3 why this rights setup.
3 LDAP Server configuration
4 installation/configuration libnss, libpam (-ldap)
5 Samba and smbldap-tools Configuration
5.1 smbldap-tools installation/configuration
5.2 setting up samba base config
5.3 Configuring smbldap.conf
5.4 set the samba ldap admin password
5.5 Samba PRIVILEGES Setup
6 CUPS - Printer software
6.1 Setup Cups
6.2 Setup Cups PDF Printer. - Creating a PDF Printer
7 Configuring phpldapadmin
7.1 installation of phpldapadmin ( and apache )
8.0 On-Access virus scanning on samba (samba-clamav)
8.1 Installing ClamAV
8.2 get the sources ( samba & samba-vscan )
9.0 Recycle bin on samba
9.1 Recycle bin configuration
Appendix 1 (complex samba-access.conf ) SETUP WITH DSA USERS
Appendix 2 APT
2.1 APT HOWTO
2.2 Files from /etc/apt
2.2.1 /etc/apt/apt.conf
2.2.2 /etc/apt/preferences


1 Checking the kernel or compile your own kernel

1.1 Preparing apt configuration

For this go check out my apt howto.
If your apt config is set up right, follow the steps below.

ncurses interface for compiling the kernel:
  apt-get install libncurses5-dev

get the kernel source:
  apt-get install kernel-source-2.6.8 kernel-package

Install the right kernel and activate EXT2/3 + Extended attributes, and set up CIFS kernel support in the kernel.

1.2 Preparing the kernel

  apt-get install kernel-source-2.6.8 kernel-package fakeroot libc6-dev libncurses5-dev
  cd /usr/src
  tar -jxf kernel-source-2.6.8.tar.bz2
  ln -s /usr/src/kernel-source-2.6.8 /usr/src/linux
  cp /boot/config-2.6.8-2-* /usr/src/linux/.config
  cd linux
  make menuconfig

In menuconfig enable:
  File systems - Ext2/3 + extended options
  also File systems - Miscellaneous filesystems - CramFS
  and File systems - Network File Systems - CIFS support + extended Attributes

Now create the kernel and install it.

  fakeroot make-kpkg --append-to-version=-mykernel --initrd kernel_image

This creates a file kernel-image-2.6.8.custom.1.0_i386.deb under /usr/src

  dpkg -i kernel-image-2.6.8.custom.1.0_i386.deb

to install the kernel.

1.3 setup the /etc/fstab

/etc/fstab : add the acl and user_xattr options to the right partition

  /dev/xxx /home ext3 defaults,acl,user_xattr

I use /home/samba for the samba environment.
All the needed samba directories will be put here. !!
This is important !

1.4 final touch, lilo (or grub)

Run lilo and reboot, login and do 'uname -a' and you will see a line like this.
  Linux ms249-lin-001 2.6.8-mykernel #1 Wed Jun 1 15:03:47 CEST 2005 i686

Your server is now ready for samba 3.


2 Pre-installation of the debian packages

2.1 Samba and Ldap

  apt-get install slapd samba libsasl2-modules sasl2-bin openssl db4.2-util ldap-utils samba-doc libxml-parser-perl libauthen-sasl-perl

Configuring slapd
  - set a dns name - internal.yourdomain.tld
  - Give it a name/description
  - set the admin password for the ldap manager ( cn=admin,dc=internal,dc=yourdomain,dc=tld )
  - Allow LDAPv2 protocol? yes

Configure samba
  - set a domain name DOMAIN
  - Use password encryption? Yes
  - Modify smb.conf to use WINS settings from DHCP? No
  - How do you want to run Samba? Daemons
  - Create samba password database, /var/lib/samba/passdb.tdb? No !!!
    else you will end up with lots of users from debian in this password file and you don't want that.

Setup samba.schema file for ldap
  zcat /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz > /etc/ldap/schema/samba.schema

In this setup I use /home/samba for the samba environment.
I use these directories.
  /home/samba      skel,data,profiles,netlogon,printers,spool
  /home/users/     username

2.2 basic rights setup for samba

  /home/samba           777  Administrator:Domain Admins
  /home/samba/spool     777  Administrator:Domain Admins
  /home/samba/printers  775  Administrator:Domain Admins
  /home/samba/profiles  777  Administrator:Domain Admins
  /home/samba/netlogon  775  Administrator:Domain Admins
  /home/samba/data      775  Administrator:Domain Admins
  /home/samba/temp      777  Administrator:Domain Admins
  /home/samba/tools     755  Administrator:Domain Admins
  /home/samba/skel      755  Administrator:Domain Admins

2.3 why this rights setup.

1 Administrator can create in the complete samba environment.
2 In data directories my users are not allowed to create sub dirs; I create one for the department and set rights to that department, from that point they can create directories.
3 Profiles 777, in the samba config a parameter is defined
    valid users = %u @"Domain Administrators"
  Only the user and administrator can access the user profile directories.
  create mask and directory mask make sure rights are set primarily to the user.


3 LDAP Server configuration

Configure slapd.conf, but first stop the slapd server ( /etc/init.d/slapd stop )

Create ldap certificates for ssl support
  mkdir /etc/ldap/ssl
  cd /etc/ldap/ssl

  ## self signed certificate
  openssl req -newkey rsa:1024 -x509 -nodes -out ldap-server.pem -keyout ldap-server.pem -days 3650
  ( where Common Name is ldap.yourdomain.tld )

edit /etc/ldap/slapd.conf
put this below the other include lines, the order of schema files must be correct.
insert the line "include /etc/ldap/schema/samba.schema"

add these lines before the database definition
  TLSCACertificateFile /etc/ldap/ssl/ldap-server.pem
  TLSCertificateFile /etc/ldap/ssl/ldap-server.pem
  TLSCertificateKeyFile /etc/ldap/ssl/ldap-server.pem

Now it's time for the ldap database configuration for samba.

example of the /etc/ldap/slapd.conf ( database 1 configuration )

#######################################################################
# Specific Directives for database #1, of type bdb:
# Database specific directives apply to this database until another
# 'database' directive occurs
database        bdb

# The base of your directory in database #1
suffix          "dc=internal,dc=yourdomain,dc=tld"

rootdn          "cn=admin,dc=internal,dc=yourdomain,dc=tld"
rootpw          {MD5}fsadsdafasfaewfw
## create the rootpw
## echo rootpw `slappasswd -h {MD5}` >> /etc/ldap/slapd.conf

# Where the database files are physically stored for database #1
directory       "/var/lib/ldap"

# Indexing options for database #1
### !!!!! Always run slapindex(8) after changing indices!!!!!!
### and first STOP the LDAP SERVER ( /etc/init.d/slapd stop )
index objectClass,uidNumber,gidNumber                   eq
index cn,sn,uid,displayName                             pres,eq,sub
index memberUid,mail,givenname                          eq,subinitial
index sambaSID,sambaPrimaryGroupSID,sambaDomainName     eq
## default index
index default                                           eq

# Save the time that the entry gets modified, for database #1
lastmod         on

# Where to store the replica logs for database #1
replogfile      /var/lib/ldap/replog

# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
access to attrs=userPassword
        by dn="cn=admin,dc=internal,dc=yourdomain,dc=tld" write
        by anonymous auth
        by self write
        by * none

# Ensure read access to the base for things like
# supportedSASLMechanisms. Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possible other things) to work
# happily.
access to dn.base=""
        by * read

# samba access list
# (must come before 'access to *': slapd uses the first access directive
#  whose target matches, so rules placed after 'access to *' are never reached)
include /etc/ldap/samba-access.conf

# The admin dn has full write access, everyone else
# can read everything.
access to *
        by dn="cn=admin,dc=internal,dc=yourdomain,dc=tld" write
        by * read

Example of the /etc/ldap/samba-access.conf ( database 1 configuration )

### OLD Samba no DSA users used
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
        by dn="cn=admin,dc=internal,dc=yourdomain,dc=tld" write
        by anonymous auth
        by self write
        by * none

access to attrs=loginShell
        by dn="cn=admin,dc=internal,dc=yourdomain,dc=tld" write
        by * none

access to attrs=description,telephoneNumber,roomNumber,homePhone,gecos,cn,sn,givenname
        by dn="cn=admin,dc=internal,dc=yourdomain,dc=tld" write
        by self write
        by * read

See appendix 1 if you want a more secure ldap database.
!! this setup does not help you with setting that up. !!

run slapindex and start the slapd server
  slapindex
  /etc/init.d/slapd start


4 installation/configuration libnss, libpam (-ldap)

  apt-get install libnss-ldap libpam-ldap

Configuring libnss-ldap
  - define the host: 127.0.0.1
  - distinguished name of the search base: dc=internal,dc=yourdomain,dc=tld
  - LDAP version to use: 3
  - database requires login: No
  - Make configuration readable/writeable by owner only: No

Configuring libpam-ldap
  - Make local root Database admin: Yes
  - Database requires logging in: No
  - Root login account: cn=admin,dc=internal,dc=yourdomain,dc=tld
  - set your password ( same as above for admin )
  - Local crypt to use when changing passwords: exop

Configure nsswitch

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

Now test the server
  ldapsearch -x -D "cn=admin,dc=internal,dc=yourdomain,dc=tld" -W
(enter the password)
if you see "result: 0 Success", for now this is ok.


5 Samba and smbldap-tools Configuration

5.1 smbldap-tools installation/configuration

  apt-get install smbldap-tools

copy the default config from the example directory.
  cp /usr/share/doc/smbldap-tools/examples/smbldap_bind.conf /etc/smbldap-tools/
  cp /usr/share/doc/smbldap-tools/examples/smbldap.conf.gz /etc/smbldap-tools/
  cd /etc/smbldap-tools
  gunzip smbldap.conf.gz

first the easy part. in /etc/smbldap-tools/smbldap_bind.conf change this to admin
  slaveDN="cn=admin,dc=internal,dc=yourdomain,dc=tld"
  slavePw="Yourpassword"
  masterDN="cn=admin,dc=internal,dc=yourdomain,dc=tld"
  masterPw="Yourpassword"

5.2 setting up samba base config

start with the default config
  cd /etc/samba
  cp /usr/share/doc/smbldap-tools/examples/smb.conf.gz /etc/samba
  gunzip smb.conf.gz

change the config to your needs. some tips:
using samba on a firewalled system, use the following settings, here eth0 is the internal side
  interfaces = eth0 lo
  bind interfaces only = yes

change the binary location from /opt/.. to /usr/sbin/smbldap-....
the smbldap-tools are installed by debian in /usr/sbin
also in this setup /home/. must be changed to /home/samba/. This will save you a lot of trouble with rights.

5.3 Configuring smbldap.conf

first we need to get some samba info
  net getlocalsid
  SID for domain SERVERNAME is: S-1-5-21-2074673303-3377769770-2933042573

change the SID in smbldap.conf to your sid.
change the suffix to your suffix (dc=internal,dc=yourdomain,dc=tld)
change the hash_encryption to MD5
change userLoginShell="/bin/nologin" ( use nologin, because I'm configuring ldap for samba only. )
set the home directory ( in my case /home/users/%U )
set the others to your needs.
5.4 set the samba ldap admin password

  smbpasswd -w ldapadmin_password
  Setting stored password for "cn=admin,dc=internal,dc=yourdomain,dc=tld" in secrets.tdb

now we go fill the ldap database with the base setup.
  smbldap-populate -a Administrator -b nobody -u 2000 -g 2000
users are created with uid => 2000
groups are created with gid => 2000

!!!! DO NOT RUN THIS IF YOU ALREADY CREATED USERS. YOUR UID/GID's WILL GET MESSED UP.

  smbpasswd -a root
because root is needed for setting up the Privileges.

Now set the Administrator password and enable this user
  smbldap-passwd Administrator
  smbldap-usermod -J Administrator

5.5 Samba PRIVILEGES Setup

First check your rights and get to know the commands.
  net rpc rights list accounts     list users
  net rpc rights list              list defined rights
to get what rights are defined and for which users/groups.
IF you use a PDC/BDC setup these commands must be done on both servers!!

test these commands:
  net rpc group
(output)
  Domain Admins
  Domain Users
  Domain Guests
  Domain Computers

or
  slapcat | grep Group | grep dn
(output)
  dn: ou=Groups,dc=internal,dc=yourdomain,dc=tld
  dn: cn=Domain Admins,ou=Groups,dc=internal,dc=yourdomain,dc=tld
  dn: cn=Domain Users,ou=Groups,dc=internal,dc=yourdomain,dc=tld
  dn: cn=Domain Guests,ou=Groups,dc=internal,dc=yourdomain,dc=tld
  dn: cn=Domain Computers,ou=Groups,dc=internal,dc=yourdomain,dc=tld
  dn: cn=Administrators,ou=Groups,dc=internal,dc=yourdomain,dc=tld
  dn: cn=Print Operators,ou=Groups,dc=internal,dc=yourdomain,dc=tld
  dn: cn=Backup Operators,ou=Groups,dc=internal,dc=yourdomain,dc=tld
  dn: cn=Replicators,ou=Groups,dc=internal,dc=yourdomain,dc=tld

these are the privileges on samba 3.0.14a ( debian )

  Privilege                    Description
  SeMachineAccountPrivilege    Add machines to domain
  SePrintOperatorPrivilege     Manage printers
  SeAddUsersPrivilege          Add users and groups to the domain
  SeRemoteShutdownPrivilege    Force shutdown from a remote system
  SeDiskOperatorPrivilege      Manage disk shares

give the "Domain Admins" all of the SE Rights. ( -S Servername -U Username%Password )
  net -S PDC -U root%Password rpc rights grant "DOMAIN\Domain Admins" \
    SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege \
    SeDiskOperatorPrivilege SeRemoteShutdownPrivilege

Give the "Print Operators" all Print manage rights. ( -S Servername -U Username%Password )
  net -S PDC -U root%Password rpc rights grant "DOMAIN\Print Operators" SePrintOperatorPrivilege


6 CUPS - Printer software

  apt-cache search cups
to get the info which packages are available. I installed these packages.
  apt-get install cups-pdf cupsys cupsys-bsd cupsys-pt cupsys-client \
    foomatic-bin foomatic-filters cupsys-driver-gimpprint gs-esp
( and dependencies )

Configuring cupsys-bsd
  Do you want to set up the BSD lpd compatibility server? Yes
all others leave default.

6.1 Setup Cups

In /etc/cups/cupsd.conf locate the lines
  Allow From 127.0.0.1
and change it to your network so you can login on the cups web interface. for example:
  Allow From 192.168.
( this way I can manage it from 2 departments: 192.168.1.x and 192.168.2.x )

now you can logon on http://serverip:631/
make it safer to manage by adding a user to the lpadmin group; this user can create printer queues.

I create printers with the following options.
  socket://printerIPnumber:9100 ( for hp jetdirect ), Raw, Raw_queue
I only use cups as spooler for windows pc's and *nix servers.

First we are going to create 1 printer device and this is the CUPS PDF Printer.

6.2 Setup Cups PDF Printer. - Creating a PDF Printer

With this printer you can create PDF files by just printing to it.
- logon the web interface and choose add printer.
  Name: pdf_printer
  Location: %homedir%\cups-pdf
  Description: pdf created in homedir\cups-pdf
  Continue
- Device: Virtual Printer(PDF printer) choose it, it's below, Continue
- Choose the model/Driver for PDF_printer, Postscript, Continue
click on manage printers to see what you have created.
click on Print Test Page to test the pdf printer.
a file is put in the cups-pdf directory of the user you logged on with.


7 Configuring phpldapadmin

7.1 installation of phpldapadmin ( and apache )

get the packages
  apt-get install phpldapadmin php4 apache

  What is your LDAP server host address? 127.0.0.1 ( or the ip/hostname where the ldapserver is )
  ldaps protocol instead of ldap? No
  What is the distinguished name of the search base? dc=internal,dc=yourdomain,dc=tld
  Which type of authentication do you want to use? session
  What is the login dn for the LDAP server? cn=admin,dc=internal,dc=yourdomain,dc=tld
  Which web server would you like to reconfigure automatically? select all and press OK.
  restart webservers now: Yes


8.0 On-Access virus scanning on samba (samba-clamav)

8.1 Installing ClamAV

  apt-get install clamav arj unzoo lha clamav-freshclam clamav-daemon

Configuring clamav-freshclam : Daemon
  Choose a close mirror
  Should clamd be notified after updates? Yes

8.2 get the sources ( samba & samba-vscan )

  mkdir /usr/src/sources
  cd /usr/src/sources
  apt-get install dpkg-dev
  apt-get source samba
  apt-get build-dep samba
  cd samba-3.0.14a
  vi source/include/version.h
here remove the a from the 14 ( 3.0.14a => 3.0.14 )
  ./debian/rules configure-stamp
  cd source
  make proto
  cd ../..
  wget http://switch.dl.sourceforge.net/sourceforge/openantivirus/samba-vscan-0.3.6b.tar.bz2
  tar xjvf samba-vscan-0.3.6b.tar.bz2
  cd samba-vscan-0.3.6b
  ./configure --with-samba-source=/usr/src/sources/samba-3.0.14a/source
  make && make install
  cp clamav/vscan-clamav.conf /etc/samba/samba-vscan-clamav.conf

change in the samba-vscan-clamav.conf
  clamd socket name = /var/run/clamav/clamd.ctl
  infected file action = quarantine     ( or delete, which I chose.)
When I put these lines in my smb.conf file, I can't access the share :
  vfs object = vscan-clamav
  vscan-clamav: config-file = /etc/samba/samba-vscan-clamav.conf

An example:
  [public]
    comment = Public Directory
    path = /home/public
    vfs object = vscan-clamav
    vscan-clamav: config-file = /etc/samba/samba-vscan-clamav.conf

!!! BEWARE !!!! if samba upgrades to a higher version you MUST recompile your samba-vscan.
set samba to hold for no upgrade.
  echo packagename hold | dpkg --set-selections       set to hold
  echo packagename install | dpkg --set-selections    set to install


9.0 Recycle bin on samba

9.1 Recycle bin configuration

configure samba for using the recycle bin. I made my manager happy with this.
create a file in /etc/samba and fill it with the options below.

/etc/samba/samba-recycle.conf
  name = .recycle
  mode = KEEP_DIRECTORIES|VERSIONS|TOUCH
  maxsize = 0
  exclude = *.tmp|*.temp|*.o|*.obj|~$*|*.~??|~*.tmp
  excludedir = /tmp|/temp|/cache
  noversions = *.doc|*.xls|*.ppt

add this to your share, same as vscan.
  vfs object = recycle
  recycle: config-files = /etc/samba/samba-recycle.conf

create a recycle bin directory and hide it for the users.
I created .recycle this way ( because of the dot) users don't see this IF.. you don't set your explorer to view hidden files.

restart samba and you're done.
You are ready to use your samba server.
Appendix 1 (complex samba-access.conf ) SETUP WITH DSA USERS

see http://www.idealx.org/prj/samba/smbldap-howto.en.html

#### users can authenticate and change their password
#access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
#        by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
#        by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
#        by dn="cn=nssldap,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
#        by self write
#        by anonymous auth
#        by * none

# some attributes need to be readable anonymously so that 'id user' can answer correctly
##access to attrs=objectClass,entry,homeDirectory,uid,uidNumber,gidNumber,memberUid
#        by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
#        by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
#        by * read

# some attributes can be writable by users themselves
##access to attrs=description,telephoneNumber,roomNumber,homePhone,loginShell,gecos,cn,sn,givenname
#        by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
#        by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
#        by self write
#        by * read

## some attributes need to be writable for samba
#access to attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaMungedDial,sambaBadPasswordCount,sambaBadPasswordTime,sambaPasswordHistory,sambaLogonHours,sambaSID,sambaSIDList,sambaTrustFlags,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase,sambaShareName,sambaOptionName,sambaBoolOption,sambaIntegerOption,sambaStringOption,sambaStringListoption,sambaPrivilegeList
#        by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
#        by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
#        by self read
#        by * none

## samba needs to be able to create the samba domain account
#access to dn.base="dc=internal,dc=yourdomain,dc=tld"
#        by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
#        by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
#        by * none

## samba needs to be able to create new user accounts
#access to dn="ou=Users,dc=internal,dc=yourdomain,dc=tld"
#        by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
#        by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
#        by * none

## samba needs to be able to create new group accounts
#access to dn="ou=Groups,dc=internal,dc=yourdomain,dc=tld"
#        by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
#        by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
#        by * none

## samba needs to be able to create new computer accounts
#access to dn="ou=Computers,dc=internal,dc=yourdomain,dc=tld"
#        by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
#        by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
#        by * none

#
## this can be omitted but we leave it: there could be other branches
## in the directory
#access to *
#        by self read
#        by * none


Appendix 2 APT

2.1 APT HOWTO

Preparing apt for online packages.
After installing from CD or DVD adjust your apt config.
This setup makes sure you are using stable packages, that is, Debian Sarge.
In the apt.conf we defined the default release of debian, in this case stable ( Sarge 3.1r0).
The Show-Upgraded "true" is used for showing us the packages which are going to be installed; I like to see what I'm installing.
The sources.list: if you used a CD/DVD for installing you can leave this line in the sources.list. This can save you bandwidth.
My server is on a remote location and I don't use the cd anymore.
I added the clamav as stable because I want a new clamav for virus scanning.
more info : http://www.clamav.net/binary.html
The testing and unstable sources are also unmarked, so that if you really need a newer version of a program you can try to create it from debian source.

You can get the source, install programs and search by using the following commands:
  apt-get install package          = get & install package
  apt-get remove package           = remove package
  apt-get remove --purge package   = remove and purge all files of package
  dpkg --purge package             = purge all files of package
  apt-cache search package         = search for package or part of package name
  apt-cache show package           = get info on package
  dpkg-reconfigure -plow package   = reconfigure with priority low ( most options )
  for this first cd /usr/src.
  apt-get source package           = get source files of package

2.2 Files from /etc/apt

2.2.1 /etc/apt/apt.conf

APT::Default-Release "stable";
APT::Get::Show-Upgraded "true";
// 16 MB Limit
APT::Cache-limit 16777216;
// if you have /tmp mounted with noexec, you need this.
#DPkg::Pre-Install-Pkgs {"mount -o remount,exec /tmp";};
#DPkg::Post-Invoke {"mount -o remount /tmp";};

2.2.2 /etc/apt/preferences

Package: *
Pin: release a=stable
Pin-Priority: 990

Package: *
Pin: release a=testing
Pin-Priority: 500

Package: *
Pin: release a=unstable
Pin-Priority: 50

Package: *
Pin: release a=sarge,l=debian-volatile
Pin-Priority: 990

2.2.3 /etc/apt/sources.list

# See sources.list(5) for more information, especially
# Remember that you can only use http, ftp or file URIs
# CDROMs are managed through the apt-cdrom tool.
#-----------------------------------------------------------------
# We defined the PIN which sets the priority of package selection
# see also the apt-howto
# http://www.debian.org/doc/manuals/apt-howto/index.en.html
# and a nice howto for apt-pinning for beginners.
# http://jaqque.sbih.org/kplug/apt-pinning.html
#-----------------------------------------------------------------
#-----------------------------------------------------------------
# Stable PIN 990 PRODUCTION TREE
deb ftp://ftp.nl.debian.org/debian stable main contrib non-free
deb-src ftp://ftp.nl.debian.org/debian stable main contrib non-free
deb http://http.us.debian.org/debian stable main contrib non-free
# Stable Security updates
deb http://security.debian.org/ stable/updates main contrib non-free
deb-src http://security.debian.org/ stable/updates main contrib non-free
#------------------------------------------------------------------
## Debian VOLATILE , used for clamav PINNED 990
deb http://ftp.nl.debian.org/debian-volatile sarge/volatile main
#-----------------------------------------------------------------
#-----------------------------------------------------------------
# WARNING USE BELOW AT OWN RISK
# Testing ( PIN 500 )
#deb ftp://ftp.nl.debian.org/debian testing main contrib non-free
#deb-src ftp://ftp.nl.debian.org/debian testing main contrib non-free
#deb http://http.us.debian.org/debian testing main contrib non-free
# Testing Security updates
#deb http://security.debian.org/ testing/updates main contrib non-free
#deb-src http://security.debian.org/ testing/updates main contrib non-free
#-----------------------------------------------------------------
#-----------------------------------------------------------------
# WARNING USE BELOW AT OWN RISK
# Unstable ( PIN 050 )
#deb ftp://ftp.nl.debian.org/debian unstable main contrib non-free
#deb-src http://ftp.nl.debian.org/debian unstable main contrib non-free
#deb http://http.us.debian.org/debian unstable main contrib non-free
# unstable Security updates
#deb http://security.debian.org/ unstable/updates main contrib non-free
#deb-src http://security.debian.org/ unstable/updates main contrib non-free
#-----------------------------------------------------------------
#-----------------------------------------------------------------
#### BACKPORTS to STABLE ( Debian Sarge 3.1r0 )
## Latest Samba from samba.org
#deb http://us4.samba.org/samba/ftp/Binary_Packages/Debian sarge samba
#deb-src http://us2.samba.org/samba/ftp/Binary_Packages/Debian sarge samba
#------------------------------------------------------------------
## MPEG/AVI addons +W32CODECS With MPlayer
#deb ftp://ftp.nerim.net/debian-marillat/ sarge main
#------------------------------------------------------------------
## www.dotdeb.org, updated php4/php5 mysql-41 mysql-50 qmail clamav etc etc.
## check the site for the packages list. if you want only 1 package ( preferred )
## change the line to: deb http://packages.dotdeb.org stable php5 for example
#deb http://packages.dotdeb.org stable all
#deb-src http://packages.dotdeb.org stable all
#------------------------------------------------------------------
## BootSplash ( does not work on every kernel ) www.bootsplash.de
## http://www.planamente.ch/emidio/pages/linux_howto_bootsplash.php
deb http://debian.bootsplash.de unstable main
deb-src http://debian.bootsplash.de unstable main
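slapd.access(5) evaluates 'access to' directives in file order and applies the first one whose target matches, so whether the samba-access.conf rules in section 3 actually protect sambaNTPassword and sambaLMPassword depends on where they sit relative to 'access to * ... by * read'. The following Python model is an added example, not code from the howto or from OpenLDAP: it parses directives written in the howto's syntax, evaluates them with that first-match rule for an anonymous bind, another user, the entry itself and the admin DN, and lists directives shadowed by an earlier 'access to *'. The uid=alice and uid=bob DNs are constructed for the demonstration.

```python
# Added model of slapd.access(5) first-match evaluation for the samba ACLs in
# this howto; not code from the howto or from OpenLDAP. DNs marked constructed.
import re
import shlex

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

ADMIN = "cn=admin,dc=internal,dc=yourdomain,dc=tld"           # from the howto
ALICE = "uid=alice,ou=Users,dc=internal,dc=yourdomain,dc=tld"  # constructed
BOB = "uid=bob,ou=Users,dc=internal,dc=yourdomain,dc=tld"      # constructed

# The two directives whose relative order matters, in the howto's own syntax.
PASSWORD_RULE = f"""\
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
        by dn="{ADMIN}" write
        by anonymous auth
        by self write
        by * none
"""
CATCH_ALL = f"""\
# The admin dn has full write access, everyone else can read everything.
access to *
        by dn="{ADMIN}" write
        by * read
"""

def parse_acl(text):
    """Return [(what, [(who, level), ...]), ...] in file order; understands the
    forms the howto uses: '*', 'attrs=a,b', 'dn=...', 'dn.base=...' and the
    <who> forms '*', 'anonymous', 'self', dn="..."."""
    body = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    acl = []
    for chunk in re.split(r"(?m)^\s*access\s+to\s+", body)[1:]:
        toks = shlex.split(chunk)  # shlex drops the quotes around DNs
        what, rest = toks[0], toks[1:]
        if len(rest) % 3 or any(rest[i] != "by" for i in range(0, len(rest), 3)):
            raise ValueError("malformed directive: access to " + chunk.strip())
        acl.append((what, [(rest[i + 1], rest[i + 2].lower()) for i in range(0, len(rest), 3)]))
    return acl

def what_matches(what, entry_dn, attr):
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr.lower() in {a.lower() for a in what[6:].split(",")}
    if what.startswith(("dn=", "dn.base=")):  # exact-match dn targets
        return entry_dn.lower() == what.split("=", 1)[1].lower()
    raise ValueError("unsupported <what>: " + what)

def who_matches(who, entry_dn, bind_dn):
    """bind_dn is None for an anonymous bind."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == entry_dn.lower()
    if who.startswith("dn="):
        return bind_dn is not None and bind_dn.lower() == who[3:].lower()
    raise ValueError("unsupported <who>: " + who)

def level_for(acl, entry_dn, attr, bind_dn):
    """First 'access to' whose target matches wins; inside it, the first matching 'by'."""
    for what, bys in acl:
        if not what_matches(what, entry_dn, attr):
            continue
        for who, level in bys:
            if who_matches(who, entry_dn, bind_dn):
                return level
        return "none"  # directive matched, no <who> did: implicit 'by * none'
    return "none"      # no directive matched: slapd denies

def can_read(acl, entry_dn, attr, bind_dn):
    return LEVELS.index(level_for(acl, entry_dn, attr, bind_dn)) >= LEVELS.index("read")

def unreachable(acl):
    """Targets of directives that sit after an 'access to *' and are never consulted."""
    for i, (what, _) in enumerate(acl):
        if what == "*":
            return [w for w, _ in acl[i + 1:]]
    return []

def audit(acl_text, entry_dn=BOB, attr="sambaNTPassword"):
    """Who can read the NT hash of entry_dn under these directives."""
    acl = parse_acl(acl_text)
    return {
        "anonymous": can_read(acl, entry_dn, attr, None),
        "other_user": can_read(acl, entry_dn, attr, ALICE),
        "self": can_read(acl, entry_dn, attr, entry_dn),
        "admin": can_read(acl, entry_dn, attr, ADMIN),
        "shadowed": unreachable(acl),
    }

if __name__ == "__main__":
    # samba-access.conf included after 'access to *' vs. before it (as intended)
    print("catch-all first:    ", audit(CATCH_ALL + PASSWORD_RULE))
    print("password rule first:", audit(PASSWORD_RULE + CATCH_ALL))
```

To check your own server, paste the access section of slapd.conf with the included samba-access.conf expanded in place into parse_acl; it does not read include lines itself.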
Thanks for writing this. It is very timely. I am just about to start building my samba server (to replace my ancient RH9 samba server!). I have my ldap going but haven't started learning the samba/ldap integration part. I think your guide will be useful.

On 12/6/05, Louis van Belle <louis@van-belle.nl> wrote:
> Hi everybody,
>
> I made a pretty complete howto for samba on debian servers.
> # Others should not be able to see it, except the > # admin entry below > # These access lines apply to database #1 only > access to attrs=userPassword > by dn="cn=admin,dc=internal,dc=yourdomain,dc=tld" write > by anonymous auth > by self write > by * none > > > # Ensure read access to the base for things like > # supportedSASLMechanisms. Without this you may > # have problems with SASL not knowing what > # mechanisms are available and the like. > # Note that this is covered by the 'access to *' > # ACL below too but if you change that as people > # are wont to do you'll still need this if you > # want SASL (and possible other things) to work > # happily. > access to dn.base="" by * read > > # The admin dn has full write access, everyone else > # can read everything. > access to * > by dn="cn=admin,dc=internal,dc=yourdomain,dc=tld" write > by * read > > # samba access list > include /etc/ldap/samba-access.conf > > Example of the /etc/samba-access.conf ( database 1 configuration ) > > ### OLD Samba no DSA users used > access to > attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdM > ustChange > by dn="cn=admin,dc=internal,dc=yourdomain,dc=tld" write > by anonymous auth > by self write > by * none > > access to attrs=loginShell > by dn="cn=admin,dc=internal,dc=yourdomain,dc=tld" write > by * none > > access to > attrs=description,telephoneNumber,roomNumber,homePhone,gecos,cn,sn,givenname > by dn="cn=admin,dc=internal,dc=yourdomain,dc=tld" write > by self write > by * read > > > See appendix 1 if you want a more secure ldap database. > !! this setup does not help you to setting this up. !! 
> > run slapindex > and start the slapd server > /etc/init.d/slapd start > 4 installation/configuration libnss, libpam (-ldap) > > apt-get install libnss-ldap libpam-ldap > > Configuring libnss-ldap > define the host > 127.0.0.1 > distinguished name of the search base > dc=internal,dc=yourdomain,dc=tld > > LDAP version to use > 3 > database requires login > No > Make configuration readable/writeable by owner only > No > > Configuring libpam-ldap > Make local root Database admin. > Yes > Database requires logging in. > No > Root login account > cn=admin,dc=internal,dc=yourdomain,dc=tld > set your password > ( same as above for admin ) > > Local crypt to use when changing passwords > exop > > Configure nsswitch > # /etc/nsswitch.conf > # > # Example configuration of GNU Name Service Switch functionality. > # If you have the `glibc-doc' and `info' packages installed, try: > # `info libc "Name Service Switch"' for information about this file. > > passwd: compat ldap > group: compat ldap > shadow: compat ldap > > hosts: files dns > networks: files > > protocols: db files > services: db files > ethers: db files > rpc: db files > > netgroup: nis > > > Now test the server > ldapsearch -x -D "cn=admin,dc=internal,dc=yourdomain,dc=tld" -W > (enter the password) > if you see > result: 0 Success > > for now this is ok. > 5 Samba and smbldap-tools Configuration > > 5.1 smbldap-tools installation/configuration > > apt-get install smbldap-tools > > copy the default config from the example directorie. > cp /usr/share/doc/smbldap-tools/examples/smbldap_bind.conf > /etc/smbldap-tools/ > > cp /usr/share/doc/smbldap-tools/examples/smbldap.conf.gz /etc/smbldap-tools/ > cd /etc/smbldap-tools > gunzip smbldap.conf.gz > > first the easy part. 
> > in /etc/smbldap-tools/smbldap_bind.conf > change this to admin > slaveDN="cn=admin,dc=internal,dc=yourdomain,dc=tld" > slavePw="Yourpassword" > masterDN="cn=admin,dc=internal,dc=yourdomain,dc=tld" > masterPw="Yourpassword" > > 5.2 setting up samba base config > > start with the default config > cd /etc/samba > cp /usr/share/doc/smbldap-tools/examples/smb.conf.gz /etc/samba > gunzip smb.conf.gz > > change the config to your needs > some tips using samba on a firewalled system > use the following setting, here eth0 is the internal side > > interfaces = eth0 lo > bind interfaces only = yes > > change the binary location from /opt/.. > to /usr/sbin/smbldap-.... > the smbldap-tools are installed by debian in /usr/sbin > > also in this setup /home/. must be changed to /home/samba/. > This will save you a lot of troubles with rights. > > > 5.3 Configuring smbldap.conf > > first we need to get some samba info > > net getlocalsid > > SID for domain SERVERNAME is: S-1-5-21-2074673303-3377769770-2933042573 > change the SID in smbldap.conf in the your sid. > > > change the suffix to your suffix (dc=internal,dc=yourdomain,dc=tld) > change the hash_encryption to MD5 > change userLoginShell="bin/nologin" > and you nologin, because im Configuring ldap for samba only. > set the home directory ( in my case /home/users/%U ) > set the other to your needs. > > > 5.4 set the samba ldap admin password > > smbpasswd -w ldapadmin_password > Setting stored password for "cn=admin,dc=internal,dc=yourdomain,dc=tld" in > secrets.tdb > > now we go fill the ldap database with the base setup. > > smbldap-populate -a Administrator -b nobody -u 2000 -g 2000 > > users are created with uid => 2000 > groups are created with gid => 2000 > > > !!!! DO NOT RUN THIS IF YOU ALREADY CREATED USERS. YOUR UID/GID's WILL GET > MESSED UPPED. > > smbpasswd -a root > because root is needed for setting up the Privileges. 
> > Now set the Administrator password and enable this user > smbldap-passwd Administrator > smbldap-usermod -J Administrator > > > 5.5 Samba PRIVILEGES Setup > > First check you rights and get to know the commands. > > net rpc rights list accounts list users > net rpc rights list list defined rights. > > to get what for rights are defined and users/groups > > IF you use a PDC/BDC setup these commands must be done on both servers!! > > test these commands: > > net rpc group > (output) > Domain Admins > Domain Users > Domain Guests > Domain Computers > > or > > ( see next page ) > > slapcat | grep Group | grep dn > > (output) > dn: ou=Groups,dc=internal,dc=yourdomain,dc=tld > dn: cn=Domain Admins,ou=Groups,dc=internal,dc=yourdomain,dc=tld > dn: cn=Domain Users,ou=Groups,dc=internal,dc=yourdomain,dc=tld > dn: cn=Domain Guests,ou=Groups,dc=internal,dc=yourdomain,dc=tld > dn: cn=Domain Computers,ou=Groups,dc=internal,dc=yourdomain,dc=tld > dn: cn=Administrators,ou=Groups,dc=internal,dc=yourdomain,dc=tld > dn: cn=Print Operators,ou=Groups,dc=internal,dc=yourdomain,dc=tld > dn: cn=Backup Operators,ou=Groups,dc=internal,dc=yourdomain,dc=tld > dn: cn=Replicators,ou=Groups,dc=internal,dc=yourdomain,dc=tld > > > these are the privileges on samba 3.0.14a ( debian ) > > Privilege Description > SeMachineAccountPrivilege Add machines to domain > SePrintOperatorPrivilege Manage printers > SeAddUsersPrivilege Add users and groups to the domain > SeRemoteShutdownPrivilege Force shutdown from a remote system > SeDiskOperatorPrivilege Manage disk share > > > give the "Domain Admins" all of the SE Rights. > ( -S Servernaam -U Username%Password ) > > net -S PDC -U root%Password rpc rights grant "DOMAIN\Domain Admins" \ > SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege \ > SeDiskOperatorPrivilege SeRemoteShutdownPrivilege > > > Give the "Printer Operators" all Print manage rights. 
> ( -S Servernaam -U Username%Password ) > > net -S PDC -U root%Password rpc rights grant "DOMAIN\Print Operators" > SePrintOperatorPrivilege > 6 CUPS - Printer software > > apt-cache search cups to get the info which packages are available > > I installed these packages. > apt-get install cups-pdf cupsys cupsys-bsd cupsys-pt cupsys-client \ > foomatic-bin foomatic-filters cupsys-driver-gimpprint gs-esp ( and > dependencies ) > > Configuring cupsys-bsd > Do you want to set up the BSD lpd compatibility server? Yes > all others leave default. > > 6.1 Setup Cups /etc/cups/cups.conf > > here locate the lines Allow From 127.0.0.1 > and change it to your network so you can login on the cups web > interface. > for example: > Allow from 192.168.( this way I can manage it from 2 departments. ) > (192.168.1.x and 168.192.2.x ) > > now you can logon on http://serverip:631/ > make it safer to manage by adding a user to lpadmin group > and this user can create printer queues > > I create printers with the following options. > socket://printerIPnumber:9100 ( for hp jetdirect ), Raw, > Raw_queue > > I only use cups as spooler for windows pc's and *nix servers. > > First we are going to create 1 printer device and this is the CUPS > PDF Printer. > > > 6.2 Setup Cups PDF Printer. - Creating a PDF Printer > > With this printer you can create PDF files bij just printing to it. > > - logon the web interface and choose add printer. > Name:pdf_printer > Location: %homedir%\cups-pdf > Description: pdf created in homedir\cups-pdf > Continue > - Device: Virtual Printer(PDF printer) choose it, its below, > Continue > - Choose the model/Driver for PDF_printer, Postscript, > Continue > > klik on manage printers to see what you have created. > klik on Print Test Page to test the pdf printer. > > a file is put in the cups-pdf directory of the user you logged on > with. 
> > > > > > 7 Configuring phpldapadmin > > 7.1 installation of phpldapadmin ( and apache ) > > get the packages > apt-get install phpldapadmin php4 apache > > What is your LDAP server host address? 127.0.0.1 > ( you the ip/hostname where the ldapserver is ) > > ldaps protocol instead of ldap? No > > What is the distinguished name of the search base? > dc=internal,dc=youdomain,dc=tld > > Which type of authentication you want to use? session > > What is the login dn for the LDAP server? > cn=admin,dc=internal,dc=yourdomain,dc=tld > > Which web server would you like to reconfigure automatically? > select all and press OK. > > restart webservers now: Yes > > 8.0 On-Access virus scanning on samba (samba-clamav) > 8.1 Installing ClamAV > > apt-get install clamav arj unzoo lha clamav-freshclam clamav-daemon > Configuring clamav-freshclam : Daemon > Choose a close mirror > Should clamd be notified after updates? Yes > 8.2 get the sources ( samba & samba-vscan ) > > mkdir /usr/src/sources > cd /usr/src/sources > > apt-get install dpkg-dev > apt-get source samba > apt-get build-dep samba > > cd samba-3.0-14a > vi source/include/version.h > > here remove the a from the 14 ( 3.0.14a => 3.0.14 ) > > ./debian/rules configure-stamp > cd source > ./make proto > cd ../.. > > wget > http://switch.dl.sourceforge.net/sourceforge/openantivirus/samba-vscan-0.3.6 > b.tar.bz2 > > tar xjvf samba-vscan-0.3.6b.tar.bz2 > > cd samba-vscan-0.3.6b > ./configure > --with-samba-source=/usr/src/sources/samba-3.0.14a/source > make && make install > > cp clamav/vscan-clamav.conf /etc/samba/samba-vscan-clamav.conf > change in the samba-vscan-clamav.conf > clamd socket name = /var/run/clamav/clamd.ctl > infected spins action = quarantine ( or delete , which I choose.) 
> > When I put that lines in my smb.conf file, I can't access the share > : > vfs object = vscan-clamav > vscan-clamav: config-file = /etc/samba/samba-vscan-clamav.conf > > An example: > [public] > comment = Public Directory > path = /home/public > vfs object = vscan-clamav > vscan-clamav: config-file = /etc/samba/samba-vscan-clamav.conf > > !!! BEWARE !!!! if samba upgrade to a higer version you MUST > recompile > your samba-vscan. set samba to hold for no upgrade. > > echo packagename hold | dpkg --set-selections set to hold > echo packagename install | dpkg --set-selections set to install > 9.0 Recycle bin on samba > 9.1 Recycle bin configuration > > configure samba for using the recycle bin. > I made my manager happy with this. > > create a file in /etc/samba > and fill it with the options below. > > /etc/samba/samba-recycle.conf > > name = .recycle > mode = KEEP_DIRECTORIES|VERSIONS|TOUCH > maxsize = 0 > exclude = *.tmp|*.temp|*.o|*.obj|~$*|*.~??|~*.tmp > excludedir = /tmp|/temp|/cache > noversions = *.doc|*.xls|*.ppt > > add this to you share, same as vscan. > > vfs object = recycle > recycle: config-files = /etc/samba/samba-recycle.conf > > create a recycle bin directorie and hide it for the users. > > I created .recycle this way ( because of the dot) users don't see > this > IF.. you don't set you explorer to view hidden files. > > restart samba and your done. > > You are ready to use your samba server. 
> > > > Appendix 1 (complex samba-access.conf ) SETUP WITH DSA USERS > see http://www.idealx.org/prj/samba/smbldap-howto.en.html > #### users can authenticate and change their password > #access to > attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdM > ustChange > # by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write > # by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld" > write > # by dn="cn=nssldap,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write > # by self write > # by anonymous auth > # by * none > # some attributes need to be readable anonymously so that 'id user' can > answer correctly > ##access to > attrs=objectClass,entry,homeDirectory,uid,uidNumber,gidNumber,memberUid > # by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write > # by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld" > write > # by * read > # somme attributes can be writable by users themselves > ##access to > attrs=description,telephoneNumber,roomNumber,homePhone,loginShell,gecos,cn,s > n,givenname > # by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write > # by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld" > write > # by self write > # by * read > ## some attributes need to be writable for samba > #access to > attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,samb > aLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcctF > lags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfileP > ath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,s > ambaMungedDial,sambaBadPasswordCount,sambaBadPasswordTime,sambaPasswordHisto > ry,sambaLogonHours,sambaSID,sambaSIDList,sambaTrustFlags,sambaGroupType,samb > aNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase,sambaSha > reName,sambaOptionName,sambaBoolOption,sambaIntegerOption,sambaStringOption, > sambaStringListoption,sambaPrivilegeList > # by 
dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write > # by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld" > write > # by self read > # by * none > ## samba need to be able to create the samba domain account > #access to dn.base="dc=internal,dc=yourdomain,dc=tld" > # by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write > # by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld" > write > # by * none > ## samba need to be able to create new users account > #access to dn="ou=Users,dc=internal,dc=yourdomain,dc=tld" > # by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write > # by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld" > write > # by * none > ## samba need to be able to create new groups account > #access to dn="ou=Groups,dc=internal,dc=yourdomain,dc=tld" > # by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write > # by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld" > write > # by * none > ## samba need to be able to create new computers account > #access to dn="ou=Computers,dc=internal,dc=yourdomain,dc=tld" > # by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write > # by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld" > write > # by * none > # > ## this can be omitted but we leave it: there could be other branch > ## in the directory > #access to * > # by self read > # by * none > > > Appendix 2 APT > > 2.1 APT HOWTO > > Preparing apt for online packages. > After installing from CD or DVD adjust your apt config. > > This setup makes sure your are using stable packages, that you are using > Debian Sarge. > > In the apt.conf we defined the default release of debian this case stable ( > Sarge 3.1r0). > The Show-Upgrade "true" is used for showing us the packages which are going > to be installed, I like to see what I'm installing. > > The sources.list if you used a CD/DVD for installing you can leave this > line in the sources.list. 
This can save you bandwidth. My server is on a > remote location and I don't use the cd anymore. > I added the clamav as stable because I want a new clamav for virus scanning > more info : http://www.clamav.net/binary.html > > The testing and unstable sources are also unmarked, that if you really need > a newer version of a program then you can try to create it from debian > source. > > You can get the source install programs and search by using the following > commands: > > apt-get install package = get & install package > apt-get remove package = remove package > apt-get remove --purge package = remove and purge all files of package > dpkg --purge package = purge all files of package > > apt-cache search package = search for package or part of > package name > apt-cache show package = get info over package > dpkg-reconfigure -plow package = reconfigure with priority low ( most > options ) > > for this first cd /usr/src. > apt-get source package = get source files of packaged > > > > > > > > > > > > > 2.2 Files from /etc/apt > > 2.2.1 /etc/apt/apt.conf > > APT::Default-Release "stable"; > APT::Get::Show-Upgraded "true"; > // 16 MB Limit > APT::Cache-limit 16777216; > // if you have /tmp with no mounted with noexec, you need this. > #DPkg::Pre-Install-Pkgs {"mount -o remount,exec /tmp";}; > #DPkg::Post-Invoke {"mount -o remount /tmp";}; > > > > 2.2.2 /etc/apt/preferences > > Package: * > Pin: release a=stable > Pin-Priority: 990 > > Package: * > Pin: release a=testing > Pin-Priority: 500 > > Package: * > Pin: release a=unstable > Pin-Priority: 50 > > Package: * > Pin: release a=sarge,l=debian-volatile > Pin-Priority: 990 > > > > > > > > > > > > > > 2.2.3 /etc/apt/sources.list > > # See sources.list(5) for more information, especialy > # Remember that you can only use http, ftp or file URIs > # CDROMs are managed through the apt-cdrom tool. 
> #----------------------------------------------------------------- > # We definect the PIN which sets the prioratie of packages selects > # see also the apt-howto > # http://www.debian.org/doc/manuals/apt-howto/index.en.html > # and a nice howto for apt-pinning for beginners. > # http://jaqque.sbih.org/kplug/apt-pinning.html > #----------------------------------------------------------------- > #----------------------------------------------------------------- > # Stable PIN 990 PRODUCTION TREE > deb ftp://ftp.nl.debian.org/debian stable main contrib non-free > deb-src ftp://ftp.nl.debian.org/debian stable main contrib non-free > deb http://http.us.debian.org/debian stable main contrib non-free > # Stable Security updates > deb http://security.debian.org/ stable/updates main contrib non-free > deb-src http://security.debian.org/ stable/updates main contrib non-free > #------------------------------------------------------------------ > ## Debian VOLATILE , used for clamav PINNED 990 > deb http://ftp.nl.debian.org/debian-volatile sarge/volatile main > #----------------------------------------------------------------- > #----------------------------------------------------------------- > # WARNING USE BELOW AT OWN RISK > # Testing ( PIN 500 ) > #deb ftp://ftp.nl.debian.org/debian testing main contrib non-free > #deb-src ftp://ftp.nl.debian.org/debian testing main contrib non-free > #deb http://http.us.debian.org/debian testing main contrib non-free > # Testing Security updates > #deb http://security.debian.org/ testing/updates main contrib non-free > #deb-src http://security.debian.org/ testing/updates main contrib non-free > #----------------------------------------------------------------- > #----------------------------------------------------------------- > # WARNING USE BELOW AT OWN RISK > # Unstable ( PIN 050 ) > #deb ftp://ftp.nl.debian.org/debian unstable main contrib non-free > #deb-src http://ftp.nl.debian.org/debian unstable main contrib non-free > #deb 
http://http.us.debian.org/debian unstable main contrib non-free > # unstable Security updates > #deb http://security.debian.org/ unstable/updates main contrib non-free > #deb-src http://security.debian.org/ unstable/updates main contrib non-free > #----------------------------------------------------------------- > #----------------------------------------------------------------- > #### BACKPORTS to STABLE ( Debian Sarge 3.1r0 ) > ## Laatest Samba from samba.org > #deb http://us4.samba.org/samba/ftp/Binary_Packages/Debian sarge samba > #deb-src http://us2.samba.org/samba/ftp/Binary_Packages/Debian sarge samba > > #------------------------------------------------------------------ > ## MPEG/AVI addons +W32CODECS With MPlayer > #deb ftp://ftp.nerim.net/debian-marillat/ sarge main > #------------------------------------------------------------------ > ## www.dotdeb.org, updated php4/php5 mysql-41 mysql-50 qmail clamav etc etc. > ## check the site for the packages list. if you want only 1 package ( > preferred ) > ## change the line to #deb http://packages.dotdeb.org stable php5 for > example > #deb http://packages.dotdeb.org stable all > #deb-src http://packages.dotdeb.org stable all > #------------------------------------------------------------------ > ## BootSplash ( does not work on every kernel ) www.bootsplash.de > ## http://www.planamente.ch/emidio/pages/linux_howto_bootsplash.php > deb http://debian.bootsplash.de unstable main > deb-src http://debian.bootsplash.de unstable main > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/listinfo/samba >-- If you reply to a message I posted to a mailing list, and you want me to see your reply, be sure to put my address in the 'To:', or I might not see the message.
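As an added check of the ACL ordering in the slapd.conf section above (my own code, not part of Louis's howto), this evaluates access directives the way slapd.access(5) describes them: the first `access to` whose target matches is the only one consulted, and its first matching `by` clause decides. It uses the howto's placeholder admin DN with two constructed user entries (alice, bob) and shows that if the samba-access.conf rules end up after the catch-all `access to * ... by * read`, the NT and LM hashes become readable by anonymous binds and by every other user, whereas placing them before the catch-all leaves anonymous with `auth` only.

```python
"""Evaluate slapd.conf access directives the way slapd.access(5) describes them, to see
which password attributes a requester can read. Added example, not the howto's own code."""
import re

# slapd access levels, weakest to strongest; a grant at one level implies all lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
BY_RE = re.compile(r'by\s+(dn(?:\.\w+)?="[^"]*"|\S+)\s+(\w+)')
DN_RE = re.compile(r'dn(?:\.(\w+))?="([^"]*)"')


def parse_acl(text):
    """Return [(what, [(who, level), ...]), ...] in file order; comments and blanks ignored."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("access to "):
            # `access to dn.base="" by * read` keeps its <by> clauses on the same line
            what, sep, rest = line[len("access to "):].partition(" by ")
            rules.append((what.strip(), BY_RE.findall("by " + rest) if sep else []))
        elif line.startswith("by ") and rules:
            rules[-1][1].extend(BY_RE.findall(line))
    return rules


def what_matches(what, attr, entry_dn):
    """Does a <what> selector cover `attr` of the entry at `entry_dn`?"""
    if what == "*":
        return True
    m = re.match(r"attrs=(.+)", what)
    if m:
        return attr.lower() in {a.strip().lower() for a in m.group(1).split(",")}
    m = DN_RE.match(what)
    if m and (m.group(1) or "exact") in ("base", "exact"):
        return entry_dn.lower() == m.group(2).lower()
    return False  # subtree/children/regex/filter selectors are not modelled here


def who_matches(who, requester, entry_dn):
    """<who> selector test; `requester` is the bind DN, or None for an anonymous bind."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "self":
        return requester is not None and requester.lower() == entry_dn.lower()
    m = DN_RE.match(who)
    return bool(m) and requester is not None and requester.lower() == m.group(2).lower()


def effective_access(rules, attr, requester, entry_dn):
    """slapd's rule: the first directive whose <what> matches is the only one consulted,
    and inside it the first matching <who> decides; anything left unmatched is denied."""
    for what, clauses in rules:
        if what_matches(what, attr, entry_dn):
            for who, level in clauses:
                if who_matches(who, requester, entry_dn):
                    return level
            return "none"  # <what> matched but no <who> did: implicit deny
    return "none"  # no directive matched: implicit `access to * by * none`


def readable_by(rules, attrs, requester, entry_dn):
    """Attributes on which the requester is granted read or better."""
    def rank(level):
        return LEVELS.index(level) if level in LEVELS else 0  # unknown spellings count as none
    return [a for a in attrs if rank(effective_access(rules, a, requester, entry_dn)) >= rank("read")]


# The howto's placeholder admin DN; the two user entries are constructed for this demo.
ADMIN = "cn=admin,dc=internal,dc=yourdomain,dc=tld"
ALICE = "uid=alice,ou=Users,dc=internal,dc=yourdomain,dc=tld"
BOB = "uid=bob,ou=Users,dc=internal,dc=yourdomain,dc=tld"
PASSWORD_ATTRS = ["userPassword", "sambaNTPassword", "sambaLMPassword"]
USERPW_RULE = f"""
access to attrs=userPassword
  by dn="{ADMIN}" write
  by anonymous auth
  by self write
  by * none
"""
ROOTDSE_AND_CATCHALL = f"""
access to dn.base="" by * read
access to *
  by dn="{ADMIN}" write
  by * read
"""
SAMBA_ACCESS = f"""
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
  by dn="{ADMIN}" write
  by anonymous auth
  by self write
  by * none
"""
# samba-access.conf included after the catch-all directive, versus before it
INCLUDE_LAST = parse_acl(USERPW_RULE + ROOTDSE_AND_CATCHALL + SAMBA_ACCESS)
INCLUDE_FIRST = parse_acl(USERPW_RULE + SAMBA_ACCESS + ROOTDSE_AND_CATCHALL)

if __name__ == "__main__":
    for label, acl in (("include after", INCLUDE_LAST), ("include before", INCLUDE_FIRST)):
        print(label, "anonymous can read:", readable_by(acl, PASSWORD_ATTRS, None, ALICE))
```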
I was following the howto below to see if I could get my not-quite-working Samba 3.0.14a (Debian) server fully working and able to handle my Linux logins too.

The problem I'm having with my Samba setup is that I can't change user passwords except through SWAT. Users can't change them from their machines using the Windows password change, but they are notified to change them by Samba.

Anyway, my attempts to follow the howto hit a roadblock at "3 LDAP Server configuration". Neither slapindex nor slapd will run. It looks like it doesn't like something about my root password, but I'm not sure what it wants (I'm no expert on LDAP). :)

I've attached my ldap.conf and the output when I try to start ldap (in a debug mode). Slapindex says the same things but ends with "bad configuration file".

Any help will be greatly appreciated.

Louis van Belle wrote:
> Hi everybody,
>
> I made a pretty complete howto for samba on debian servers.
>
> This howto covers samba + ldap + cups + recycle bin + samba-vscan
> + phpldapadmin + ACL + Extended Attributes.
>
> this howto is also based on the idealx howto
>
> If you do this setup, you should be able to use the NT4 Usermanager,
> set up Point and Print printing, set rights from explorer etc.
> other nice tools: ldapadmin ( ldapadmin.sf.net ), a must, check it out.
>
> We will use a Debian Sarge as setup.
> If you never used Debian before, you can follow this how-to
> (http://www.howtoforge.com/perfect_setup_debian_sarge ),
> please read the comments below the pages first,
> this can save you time and problems; or install Debian without
> any software packages, we will install them later when needed.
> Check the kernel or compile your own kernel if needed.
>
> I try to give a complete solution for this how-to,
> this is because lots of people were asking the same things on
> the samba list and lots of people make the same mistakes.
>
> This is my company's running setup.
> >I run this on a P866, 512 Ram, Scsi Raid 1 ( 15rpms 73 Gb ) , with 50 users >25 printers which do about 150.000 prints a month. > >I thank my company to let me make this document. > > >Please if you have improvements, comments, send them to me. > >Louis van Belle > > > > > >INDEX >Page nr. > >1 Checking the kernel or compile your own kernel 3 >1.1 Preparing apt configuration 3 >1.2 Preparing the kernel 3 >1.3 setup the /etc/fstab 3 >1.4 final touch, lilo (or grub) 3 >2 Pre-installation of the debian packages 4 >2.1 Samba and Ldap 4 >2.2 basic rights setup for samba 4 >2.3 why this rights setup. 4 >3 LDAP Server configuration 5 >4 installation/configuration libnss, libpam (-ldap) 7 >5 Samba and smbldap-tools Configuration 8 >5.1 smbldap-tools installation/configuration 8 >5.2 setting up samba base config 8 >5.3 Configuring smbldap.conf 9 >5.4 set the samba ldap admin password 9 >5.5 Samba PRIVILEGES Setup 10 >6 CUPS - Printer software 11 >6.1 Setup Cups 11 >6.2 Setup Cups PDF Printer. - Creating a PDF Printer 11 >7 Configuring phpldapadmin 12 >7.1 installation of phpldapadmin ( and apache ) 12 >8.0 On-Access virus scanning on samba (samba-clamav) 13 >8.1 Installing ClamAV 13 >8.2 get the sources ( samba & samba-vscan ) 13 >9.0 Recycle bin on samba 14 >9.1 Recycle bin configuration 14 >Appendix 1 (complex samba-access.conf ) SETUP WITH DSA USERS 15 >Appendix 2 APT 16 >2.1 APT HOWTO 16 >2.2 Files from /etc/apt 17 >2.2.1 /etc/apt/apt.conf 17 >2.2.2 /etc/apt/preferences 17 > > > > >1 Checking the kernel or compile your own kernel >1.1 Preparing apt configuration > > for this go check out my apt howto. > > if you apt config is setup rights, follow the steps below. > > ncurses interface for compiling the kernel > apt-get install libncurses5-dev > > get the kernel source > apt-get install kernel-source-2.6.8 kernel-package > > installer right kernel and activate EXT2/3 + Extended attributes > and setup CIFS kernel support to in kernel. 
> >1.2 Preparing the kernel > apt-get install kernel-source-2.6.8 kernel-package fakeroot >libc6-dev libncurses5-dev > > cd /usr/src > tar -jxf kernel-source-2.6.8.tar.bz2 > ln -s /usr/src/linux /usr/src/kernel-source-2.6.8 > cp /boot/config-2.6.8-2-* /usr/src/linux/.config > cd linux > make menuconfig - File systems - Ext2/3 + extended options > also File systems - Miscellaneous filesystems - >CramFS > and File systems - Network File Systems - CIFS >support > + extended Attributes > now create the kernel and install it. > > fakeroot make-kpkg --append-to-kernel=-mykernel --initrd >kernel_image > > This create a file kernel-image-2.6.8.custom.1.0_i386.deb under > /usr/src > > dpkg -i kernel-image-2.6.8.custom.1.0_i386.deb to install the >kernel >1.3 setup the /etc/fstab > > /etc/fstab : add the acl and user_xattr to the right partition > > /dev/xxx /home ext3 defaults,acl,user_xattr > > I use /home/samba for the samba environment. > All the needed samba directories will be put here. !! > This is important ! > >1.4 final touch, lilo (or grub) > > lilo and reboot , login and do 'uname -a' and you wil see a line >like > this. > Linux ms249-lin-001 2.6.8-mykernel #1 Wed Jun 1 15:03:47 CEST 2005 >i686 > > Your server is now ready for samba 3. >2 Pre-installation of the debian packages >2.1 Samba and Ldap > > apt-get install slapd samba libsasl2-modules sasl2-bin openssl > db4.2-util ldap-utils samba-doc libxml-parser-perl libauthen-sasl-perl > >Configuring slapd > set an dns name - internal.yourdomain.tld > - Give it a name/description > - set that admin password for the ldap manager > ( cn=admin,dc=internal,dc=yourdomain,dc=tld > - Allow LDAPv2 protocol? yes > >Configure samba > set a domain name DOMAIN > Use password encryption? Yes > Modify smb.conf to use WINS settings from DHCP? No > How do you want to run Samba? Daemons > Create samba password database, /var/lib/samba/passdb.tdb? No !!! 
>else > you will end up with lots of users from debian in this password file >and you don't want that. > >Setup samba.schema file for ldap > zcat /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz > >/etc/ldap/schema/samba.schema > >In this setup I use /home/samba for the samba environment. > i use these directories. > /home/samba skel,data,profiles,netlogon,printers,spool > /home/users/ username > >2.2 basic rights setup for samba > > /home/samba 777 Administrator:Domain >Admins > /home/samba/spool 777 Administrator:Domain >Admins > /home/samba/printers 775 Administrator:Domain Admins > /home/samba/profiles 777 Administrator:Domain Admins > /home/samba/netlogon 775 Administrator:Domain Admins > /home/samba/data 775 Administrator:Domain >Admins > /home/samba/temp 777 Administrator:Domain >Admins > /home/samba/tools 755 Administrator:Domain >Admins > /home/samba/skel 755 Administrator:Domain >Admins > > >2.3 why this rights setup. > > 1 Administrator can create in complete samba environment. > 2 In data directories my users are not allowed to create sub dir's, >I > create one for the department, and set rights to that department, >from that point they can create directories. > 3 Profiles 777, in the samba config is a parameter defined > valid users = %u @"Domain Administrators" > Only the user and administrator can access the user profile >directories. > create mask and directory mask make sure rights are set primary to >the user. >3 LDAP Server configuration > > Configure slapd.conf, but first stop the slapd server ( >/etc/init.d/slapd stop ) > > Create ldap certificates for ssl support > mkdir /etc/ldap/tls > > ## self signed certificate > openssl req -newkey rsa:1024 -x509 -nodes -out ldap-server.pem - >keyout > ldap-server.pem -days 3650 ( where Common Name >ldap.yourdomain.tld ) > > edit /etc/ldap/slapd.conf > put these below the other line, the order of schema files must be > > correct. 
   insert the line:  include /etc/ldap/schema/samba.schema

   add these lines before the database definition
      TLSCACertificateFile    /etc/ldap/tls/ldap-server.pem
      TLSCertificateFile      /etc/ldap/tls/ldap-server.pem
      TLSCertificateKeyFile   /etc/ldap/tls/ldap-server.pem

Now it's time for the LDAP database configuration for samba.

Example of the /etc/ldap/slapd.conf ( database 1 configuration )

#######################################################################
# Specific Directives for database #1, of type bdb:
# Database specific directives apply to this database until another
# 'database' directive occurs
database bdb

# The base of your directory in database #1
suffix "dc=internal,dc=yourdomain,dc=tld"

rootdn "cn=admin,dc=internal,dc=yourdomain,dc=tld"
rootpw {MD5}fsadsdafasfaewfw

   ## create the rootpw line ( it must end up inside this database section;
   ## appending to the end of the file does that as long as no other database follows )
   ## echo rootpw `slappasswd -h {MD5}` >> /etc/ldap/slapd.conf
   ## slappasswd without -h produces a salted {SSHA} hash, which is the stronger choice.

# Where the database files are physically stored for database #1
directory "/var/lib/ldap"

# Indexing options for database #1
### !!!!! Always run slapindex(8) after changing indices !!!!!!
### and first STOP the LDAP SERVER ( /etc/init.d/slapd stop )
index objectClass,uidNumber,gidNumber eq
index cn,sn,uid,displayName pres,eq,sub
index memberUid,mail,givenname eq,subinitial
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
## default index
index default eq

# Save the time that the entry gets modified, for database #1
lastmod on

# Where to store the replica logs for database #1
replogfile /var/lib/ldap/replog

# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
access to attrs=userPassword
        by dn="cn=admin,dc=internal,dc=yourdomain,dc=tld" write
        by anonymous auth
        by self write
        by * none

# Ensure read access to the base for things like
# supportedSASLMechanisms.
# Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possible other things) to work
# happily.
access to dn.base="" by * read

# samba access list
# slapd applies the FIRST 'access to' directive whose target matches, so this
# include must come before the catch-all 'access to *' below; placed after it,
# the samba password ACLs are never reached and the sambaNTPassword /
# sambaLMPassword hashes fall under 'by * read'.
include /etc/ldap/samba-access.conf

# The admin dn has full write access, everyone else
# can read everything.
access to *
        by dn="cn=admin,dc=internal,dc=yourdomain,dc=tld" write
        by * read

Example of the /etc/ldap/samba-access.conf ( database 1 configuration )

### OLD Samba, no DSA users used
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
        by dn="cn=admin,dc=internal,dc=yourdomain,dc=tld" write
        by anonymous auth
        by self write
        by * none

access to attrs=loginShell
        by dn="cn=admin,dc=internal,dc=yourdomain,dc=tld" write
        by * none

access to attrs=description,telephoneNumber,roomNumber,homePhone,gecos,cn,sn,givenname
        by dn="cn=admin,dc=internal,dc=yourdomain,dc=tld" write
        by self write
        by * read

See appendix 1 if you want a more secure LDAP database.
!! This howto does not walk you through setting that up. !!

run slapindex
and start the slapd server
   /etc/init.d/slapd start

4 installation/configuration libnss, libpam (-ldap)

   apt-get install libnss-ldap libpam-ldap

Configuring libnss-ldap
   define the host:                                        127.0.0.1
   distinguished name of the search base:                  dc=internal,dc=yourdomain,dc=tld
   LDAP version to use:                                    3
   database requires login:                                No
   Make configuration readable/writeable by owner only:    No

Configuring libpam-ldap
   Make local root Database admin:                         Yes
   Database requires logging in:
                                                           No
   Root login account:                                     cn=admin,dc=internal,dc=yourdomain,dc=tld
   set your password:                                      ( same as above for admin )
   Local crypt to use when changing passwords:             exop

Configure nsswitch
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

Now test the server
   ldapsearch -x -D "cn=admin,dc=internal,dc=yourdomain,dc=tld" -W
   ( enter the password )
if you see
   result: 0 Success
this is OK for now.

5 Samba and smbldap-tools Configuration

5.1 smbldap-tools installation/configuration

   apt-get install smbldap-tools

copy the default config from the example directory.
   cp /usr/share/doc/smbldap-tools/examples/smbldap_bind.conf /etc/smbldap-tools/
   cp /usr/share/doc/smbldap-tools/examples/smbldap.conf.gz /etc/smbldap-tools/
   cd /etc/smbldap-tools
   gunzip smbldap.conf.gz

first the easy part.

in /etc/smbldap-tools/smbldap_bind.conf
change these to admin
   slaveDN="cn=admin,dc=internal,dc=yourdomain,dc=tld"
   slavePw="Yourpassword"
   masterDN="cn=admin,dc=internal,dc=yourdomain,dc=tld"
   masterPw="Yourpassword"
This file holds the LDAP admin password in clear text, so keep it readable by root only.

5.2 setting up samba base config

start with the default config
   cd /etc/samba
   cp /usr/share/doc/smbldap-tools/examples/smb.conf.gz /etc/samba
   gunzip smb.conf.gz

change the config to your needs.
some tips for using samba on a firewalled system:
use the following settings, here eth0 is the internal side

   interfaces = eth0 lo
   bind interfaces only = yes

change the binary location from /opt/... to /usr/sbin/smbldap-...
the smbldap-tools are installed by Debian in /usr/sbin

also in this setup /home/. must be changed to /home/samba/.
This will save you a lot of trouble with rights.

5.3 Configuring smbldap.conf

first we need to get some samba info

   net getlocalsid
   SID for domain SERVERNAME is: S-1-5-21-2074673303-3377769770-2933042573

change the SID in smbldap.conf to your SID.

change the suffix to your suffix ( dc=internal,dc=yourdomain,dc=tld )
change the hash_encryption to MD5 ( SSHA, which is salted, is the stronger choice )
change userLoginShell="/usr/sbin/nologin" ( the Debian location of nologin )
I use nologin because I'm configuring LDAP for samba only; nobody gets a shell.
set the home directory ( in my case /home/users/%U )
set the others to your needs.

5.4 set the samba ldap admin password

   smbpasswd -w ldapadmin_password
   Setting stored password for "cn=admin,dc=internal,dc=yourdomain,dc=tld" in secrets.tdb

now we fill the LDAP database with the base setup.

   smbldap-populate -a Administrator -b nobody -u 2000 -g 2000

users are created with uid >= 2000
groups are created with gid >= 2000

!!!! DO NOT RUN THIS IF YOU ALREADY CREATED USERS. YOUR UID/GIDs WILL GET MESSED UP.

   smbpasswd -a root
because root is needed for setting up the privileges.

Now set the Administrator password and enable this user
   smbldap-passwd Administrator
   smbldap-usermod -J Administrator

5.5 Samba PRIVILEGES Setup

First check your rights and get to know the commands.

   net rpc rights list accounts     lists the accounts and the rights they hold
   net rpc rights list              lists the defined rights

IF you use a PDC/BDC setup these commands must be done on both servers!!
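Before running the grant commands that follow in this section, one point worth fixing: passing the password as -U root%Password shows it to every local user in the process list and leaves it in the shell history. net(8) also accepts an authentication file (-A) with "username = / password = / domain =" lines. The script below is an added example, not part of the original howto; the helper names, the temporary work directory and the file name net-auth are this example's own, while the privilege names are the ones listed in section 5.5. It builds the grant command lines but does not contact a server.

```shell
#!/bin/sh
# Added example (not from the howto): grant Samba privileges without putting
# the password on the command line. "net -U root%Password" exposes the
# password via ps(1) and the shell history; net(8) can instead read the
# credentials from a file given with -A. Helper names are this example's own.
set -eu

# write_authfile FILE USER PASSWORD DOMAIN
# Creates FILE with mode 0600 *before* any secret is written to it
# (umask in a subshell, so the caller's umask is untouched).
write_authfile() {
    (
        umask 077
        rm -f -- "$1"
        printf 'username = %s\npassword = %s\ndomain = %s\n' "$2" "$3" "$4" > "$1"
    )
}

# authfile_perms FILE : prints the ls(1) mode string, e.g. -rw-------
authfile_perms() {
    ls -ld -- "$1" | cut -c1-10
}

# valid_priv NAME : 0 if NAME is one of the privileges Samba 3.0.14a defines
valid_priv() {
    case $1 in
        SeMachineAccountPrivilege|SePrintOperatorPrivilege|SeAddUsersPrivilege|\
        SeRemoteShutdownPrivilege|SeDiskOperatorPrivilege) return 0 ;;
        *) return 1 ;;
    esac
}

# grant_cmd SERVER AUTHFILE ACCOUNT PRIV... : prints the net command that
# grants PRIV... to ACCOUNT, taking the credentials from AUTHFILE.
grant_cmd() {
    server=$1 authfile=$2 account=$3
    shift 3
    printf 'net -S %s -A %s rpc rights grant "%s"' "$server" "$authfile" "$account"
    for p in "$@"; do
        printf ' %s' "$p"
    done
    printf '\n'
}

# Demonstration on a throw-away directory (constructed, nothing is sent anywhere).
work=$(mktemp -d)
write_authfile "$work/net-auth" root 'ChangeMe!' DOMAIN
echo "authfile perms: $(authfile_perms "$work/net-auth")"      # -rw-------

for p in SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege \
         SeDiskOperatorPrivilege SeRemoteShutdownPrivilege; do
    valid_priv "$p" || { echo "unknown privilege: $p" >&2; exit 1; }
done

# Same grants as section 5.5, credentials taken from the 0600 file:
grant_cmd PDC "$work/net-auth" 'DOMAIN\Domain Admins' \
    SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege \
    SeDiskOperatorPrivilege SeRemoteShutdownPrivilege
grant_cmd PDC "$work/net-auth" 'DOMAIN\Print Operators' SePrintOperatorPrivilege

rm -rf -- "$work"
```

On the real PDC, write the authentication file to a root-only location, run the printed commands, and remove the file afterwards; or simply use -U root without the %password part and let net prompt for it.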
test these commands:

   net rpc group
(output)
   Domain Admins
   Domain Users
   Domain Guests
   Domain Computers

or

   slapcat | grep Group | grep dn
(output)
   dn: ou=Groups,dc=internal,dc=yourdomain,dc=tld
   dn: cn=Domain Admins,ou=Groups,dc=internal,dc=yourdomain,dc=tld
   dn: cn=Domain Users,ou=Groups,dc=internal,dc=yourdomain,dc=tld
   dn: cn=Domain Guests,ou=Groups,dc=internal,dc=yourdomain,dc=tld
   dn: cn=Domain Computers,ou=Groups,dc=internal,dc=yourdomain,dc=tld
   dn: cn=Administrators,ou=Groups,dc=internal,dc=yourdomain,dc=tld
   dn: cn=Print Operators,ou=Groups,dc=internal,dc=yourdomain,dc=tld
   dn: cn=Backup Operators,ou=Groups,dc=internal,dc=yourdomain,dc=tld
   dn: cn=Replicators,ou=Groups,dc=internal,dc=yourdomain,dc=tld

these are the privileges on samba 3.0.14a ( debian )

   Privilege                       Description
   SeMachineAccountPrivilege       Add machines to domain
   SePrintOperatorPrivilege        Manage printers
   SeAddUsersPrivilege             Add users and groups to the domain
   SeRemoteShutdownPrivilege       Force shutdown from a remote system
   SeDiskOperatorPrivilege         Manage disk shares

give the "Domain Admins" all of the Se rights.
( -S server name, -U username%password. Giving the password this way shows it to every local user in the process list and leaves it in your shell history; -U root alone makes net prompt for it instead. )

   net -S PDC -U root%Password rpc rights grant "DOMAIN\Domain Admins" \
        SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege \
        SeDiskOperatorPrivilege SeRemoteShutdownPrivilege

Give the "Print Operators" all printer management rights.

   net -S PDC -U root%Password rpc rights grant "DOMAIN\Print Operators" SePrintOperatorPrivilege

6 CUPS - Printer software

   apt-cache search cups     to see which packages are available

I installed these packages.
   apt-get install cups-pdf cupsys cupsys-bsd cupsys-pt cupsys-client \
       foomatic-bin foomatic-filters cupsys-driver-gimpprint gs-esp     ( and dependencies )

Configuring cupsys-bsd
   Do you want to set up the BSD lpd compatibility server?  Yes
   all others leave default.
6.1 Setup Cups:  /etc/cups/cupsd.conf

   here locate the lines "Allow From 127.0.0.1"
   and change them to your network so you can log in on the cups web interface.
   for example:
      Allow From 192.168.     ( this way I can manage it from 2 departments, 192.168.1.x and 192.168.2.x )
   Keep this as narrow as you can: "Allow From 192.168." opens the admin interface to the whole 192.168.0.0/16 range.

   now you can log on to http://serverip:631/
   make it safer to manage by adding a user to the lpadmin group;
   that user can then create printer queues.

   I create printers with the following options.
      socket://printerIPnumber:9100 ( for HP JetDirect ), Raw, Raw_queue

   I only use cups as spooler for Windows PCs and *nix servers.

   First we are going to create 1 printer device, and this is the CUPS PDF printer.

6.2 Setup Cups PDF Printer. - Creating a PDF Printer

   With this printer you can create PDF files by just printing to it.

   - log on to the web interface and choose Add Printer.
        Name:         pdf_printer
        Location:     %homedir%\cups-pdf
        Description:  pdf created in homedir\cups-pdf
     Continue
   - Device: Virtual Printer (PDF printer); choose it, it's near the bottom.
     Continue
   - Choose the model/driver for pdf_printer: Postscript
     Continue

   click on Manage Printers to see what you have created.
   click on Print Test Page to test the pdf printer.

   a file is put in the cups-pdf directory of the user you logged on with.

7 Configuring phpldapadmin

7.1 installation of phpldapadmin ( and apache )

   get the packages
      apt-get install phpldapadmin php4 apache

   What is your LDAP server host address?                         127.0.0.1
      ( the IP/hostname where the LDAP server is )
   ldaps protocol instead of ldap?                                No
   What is the distinguished name of the search base?             dc=internal,dc=yourdomain,dc=tld
   Which type of authentication do you want to use?               session
   What is the login dn for the LDAP server?                      cn=admin,dc=internal,dc=yourdomain,dc=tld
   Which web server would you like to reconfigure automatically?  select all and press OK.
   restart webservers now:                                        Yes

8.0 On-Access virus scanning on samba (samba-clamav)

8.1 Installing ClamAV

   apt-get install clamav arj unzoo lha clamav-freshclam clamav-daemon
   Configuring clamav-freshclam:                Daemon
   Choose a close mirror
   Should clamd be notified after updates?      Yes

8.2 get the sources ( samba & samba-vscan )

   mkdir /usr/src/sources
   cd /usr/src/sources

   apt-get install dpkg-dev
   apt-get source samba
   apt-get build-dep samba

   cd samba-3.0.14a
   vi source/include/version.h
      here remove the a from the 14 ( 3.0.14a => 3.0.14 )

   ./debian/rules configure-stamp
   cd source
   make proto
   cd ../..

   wget http://switch.dl.sourceforge.net/sourceforge/openantivirus/samba-vscan-0.3.6b.tar.bz2
   tar xjvf samba-vscan-0.3.6b.tar.bz2

   cd samba-vscan-0.3.6b
   ./configure --with-samba-source=/usr/src/sources/samba-3.0.14a/source
   make && make install

   cp clamav/vscan-clamav.conf /etc/samba/samba-vscan-clamav.conf
   change in samba-vscan-clamav.conf:
      clamd socket name = /var/run/clamav/clamd.ctl
      infected file action = quarantine      ( or delete, which I chose )

   When I put these lines in my smb.conf file, I can't access the share:
      vfs object = vscan-clamav
      vscan-clamav: config-file = /etc/samba/samba-vscan-clamav.conf

   An example:
      [public]
         comment = Public Directory
         path = /home/public
         vfs object = vscan-clamav
         vscan-clamav: config-file = /etc/samba/samba-vscan-clamav.conf

   !!! BEWARE !!!  if samba is upgraded to a higher version you MUST recompile your samba-vscan.
   set samba to hold so it is not upgraded:

      echo packagename hold | dpkg --set-selections        set to hold
      echo packagename install | dpkg --set-selections     set back to install

   A package on hold does not receive security updates either, so watch the samba security announcements and rebuild samba-vscan when you do upgrade.

9.0 Recycle bin on samba

9.1 Recycle bin configuration

   configure samba for using the recycle bin.
   I made my manager happy with this.

   create a file in /etc/samba
   and fill it with the options below.
   /etc/samba/samba-recycle.conf

      name = .recycle
      mode = KEEP_DIRECTORIES|VERSIONS|TOUCH
      maxsize = 0
      exclude = *.tmp|*.temp|*.o|*.obj|~$*|*.~??|~*.tmp
      excludedir = /tmp|/temp|/cache
      noversions = *.doc|*.xls|*.ppt

   add this to your share, the same as for vscan.

      vfs object = recycle
      recycle: config-files = /etc/samba/samba-recycle.conf

   create a recycle bin directory and hide it from the users.

   I created it as .recycle; this way ( because of the dot ) users don't see it,
   unless they set Explorer to show hidden files.

restart samba and you're done.

You are ready to use your samba server.

Appendix 1 (complex samba-access.conf ) SETUP WITH DSA USERS
see http://www.idealx.org/prj/samba/smbldap-howto.en.html

#### users can authenticate and change their password
#access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
#        by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
#        by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
#        by dn="cn=nssldap,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
#        by self write
#        by anonymous auth
#        by * none
## some attributes need to be readable anonymously so that 'id user' can answer correctly
#access to attrs=objectClass,entry,homeDirectory,uid,uidNumber,gidNumber,memberUid
#        by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
#        by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
#        by * read
## some attributes can be writable by users themselves
#access to attrs=description,telephoneNumber,roomNumber,homePhone,loginShell,gecos,cn,sn,givenname
#        by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
#        by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
#        by self write
#        by * read
## some attributes need to be writable for samba
#access to attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaMungedDial,sambaBadPasswordCount,sambaBadPasswordTime,sambaPasswordHistory,sambaLogonHours,sambaSID,sambaSIDList,sambaTrustFlags,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase,sambaShareName,sambaOptionName,sambaBoolOption,sambaIntegerOption,sambaStringOption,sambaStringListoption,sambaPrivilegeList
#        by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
#        by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
#        by self read
#        by * none
## samba needs to be able to create the samba domain account
#access to dn.base="dc=internal,dc=yourdomain,dc=tld"
#        by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
#        by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
#        by * none
## samba needs to be able to create new user accounts
#access to dn="ou=Users,dc=internal,dc=yourdomain,dc=tld"
#        by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
#        by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
#        by * none
## samba needs to be able to create new group accounts
#access to dn="ou=Groups,dc=internal,dc=yourdomain,dc=tld"
#        by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
#        by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
#        by * none
## samba needs to be able to create new computer accounts
#access to dn="ou=Computers,dc=internal,dc=yourdomain,dc=tld"
#        by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
#        by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
#        by * none
#
## this can be omitted but we leave it: there could be other branches
## in the directory
#access to *
#        by self read
#        by * none

Appendix 2 APT
2.1 APT HOWTO

Preparing apt for online packages.
After installing from CD or DVD, adjust your apt config.

This setup makes sure you are using stable packages, that is, Debian Sarge.

In apt.conf we define the default release of Debian, in this case stable ( Sarge 3.1r0 ).
Show-Upgraded "true" is used to show us the packages which are going to be installed; I like to see what I'm installing.

In sources.list, if you used a CD/DVD for installing you can leave that line in. This can save you bandwidth. My server is in a remote location and I don't use the CD anymore.
I added clamav from debian-volatile, pinned like stable, because I want a recent clamav for virus scanning; more info: http://www.clamav.net/binary.html

The testing and unstable sources are also included but commented out, so that if you really need a newer version of a program you can try to build it from Debian source.

You can get the source, install programs and search using the following commands:

   apt-get install package           = get & install package
   apt-get remove package            = remove package
   apt-get remove --purge package    = remove and purge all files of package
   dpkg --purge package              = purge all files of package

   apt-cache search package          = search for package or part of package name
   apt-cache show package            = get info about package
   dpkg-reconfigure -plow package    = reconfigure with priority low ( most options )

   for this first cd /usr/src.
   apt-get source package            = get source files of package

2.2 Files from /etc/apt

2.2.1 /etc/apt/apt.conf

APT::Default-Release "stable";
APT::Get::Show-Upgraded "true";
// 16 MB limit
APT::Cache-limit 16777216;
// if your /tmp is mounted with noexec, you need this.
#DPkg::Pre-Install-Pkgs {"mount -o remount,exec /tmp";};
#DPkg::Post-Invoke {"mount -o remount /tmp";};

2.2.2 /etc/apt/preferences

Package: *
Pin: release a=stable
Pin-Priority: 990

Package: *
Pin: release a=testing
Pin-Priority: 500

Package: *
Pin: release a=unstable
Pin-Priority: 50

Package: *
Pin: release a=sarge,l=debian-volatile
Pin-Priority: 990

2.2.3 /etc/apt/sources.list

# See sources.list(5) for more information, especially
# Remember that you can only use http, ftp or file URIs
# CDROMs are managed through the apt-cdrom tool.
#-----------------------------------------------------------------
# We defined the PIN which sets the priority of the packages selected
# see also the apt-howto
# http://www.debian.org/doc/manuals/apt-howto/index.en.html
# and a nice howto for apt-pinning for beginners.
# http://jaqque.sbih.org/kplug/apt-pinning.html
#-----------------------------------------------------------------
#-----------------------------------------------------------------
# Stable PIN 990 PRODUCTION TREE
deb ftp://ftp.nl.debian.org/debian stable main contrib non-free
deb-src ftp://ftp.nl.debian.org/debian stable main contrib non-free
deb http://http.us.debian.org/debian stable main contrib non-free
# Stable Security updates
deb http://security.debian.org/ stable/updates main contrib non-free
deb-src http://security.debian.org/ stable/updates main contrib non-free
#------------------------------------------------------------------
## Debian VOLATILE , used for clamav PINNED 990
deb http://ftp.nl.debian.org/debian-volatile sarge/volatile main
#-----------------------------------------------------------------
#-----------------------------------------------------------------
# WARNING USE BELOW AT OWN RISK
# Testing ( PIN 500 )
#deb ftp://ftp.nl.debian.org/debian testing main contrib non-free
#deb-src ftp://ftp.nl.debian.org/debian testing main contrib non-free
#deb http://http.us.debian.org/debian testing main contrib non-free
# Testing Security updates
#deb http://security.debian.org/ testing/updates main contrib non-free
#deb-src http://security.debian.org/ testing/updates main contrib non-free
#-----------------------------------------------------------------
#-----------------------------------------------------------------
# WARNING USE BELOW AT OWN RISK
# Unstable ( PIN 050 )
#deb ftp://ftp.nl.debian.org/debian unstable main contrib non-free
#deb-src http://ftp.nl.debian.org/debian unstable main contrib non-free
#deb http://http.us.debian.org/debian unstable main contrib non-free
# Unstable Security updates
#deb http://security.debian.org/ unstable/updates main contrib non-free
#deb-src http://security.debian.org/ unstable/updates main contrib non-free
#-----------------------------------------------------------------
#-----------------------------------------------------------------
#### BACKPORTS to STABLE ( Debian Sarge 3.1r0 )
## Latest Samba from samba.org
#deb http://us4.samba.org/samba/ftp/Binary_Packages/Debian sarge samba
#deb-src http://us2.samba.org/samba/ftp/Binary_Packages/Debian sarge samba

#------------------------------------------------------------------
## MPEG/AVI addons + W32CODECS with MPlayer
#deb ftp://ftp.nerim.net/debian-marillat/ sarge main
#------------------------------------------------------------------
## www.dotdeb.org, updated php4/php5 mysql-41 mysql-50 qmail clamav etc etc.
## check the site for the packages list.
## If you want only 1 package ( preferred ), change the line to, for example:
##    deb http://packages.dotdeb.org stable php5
#deb http://packages.dotdeb.org stable all
#deb-src http://packages.dotdeb.org stable all
#------------------------------------------------------------------
## BootSplash ( does not work on every kernel ) www.bootsplash.de
## http://www.planamente.ch/emidio/pages/linux_howto_bootsplash.php
deb http://debian.bootsplash.de unstable main
deb-src http://debian.bootsplash.de unstable main

Note that every third-party archive you leave enabled ( the bootsplash lines above are active ) can replace packages on this server; on a domain controller keep the ones you do not need commented out.

-------------- next part --------------
@(#) $OpenLDAP: slapd 2.2.23 (May 30 2005 08:52:42) $
        @pulsar:/home/torsten/packages/openldap/openldap2.2-2.2.23/debian/build/servers/slapd
daemon_init: <null>
daemon_init: listen on ldap:///
daemon_init: 1 listeners to open...
ldap_url_parse_ext(ldap:///)
daemon: initialized ldap:///
daemon_init: 2 listeners opened
ldap_pvt_gethostbyname_a: host=semper, r=0
slapd init: initiated server.
slap_sasl_init: initialized!
reading config file /etc/ldap/slapd.conf
line 2 (allow bind_v2)
line 14 (include /etc/ldap/schema/core.schema)
reading config file /etc/ldap/schema/core.schema
[ the remainder of the attached slapd debug trace is the line-by-line parse of the standard core.schema attribute types and object classes, cut off mid-file; omitted here. ]
'simpleSecurityObject' DESC 'RFC1274: simple security object' SUP top AUXILIARY MUST userPassword )) line 553 (attributetype ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domainComponent' ) DESC 'RFC1274/2247: domain component' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )) line 558 (objectclass ( 1.3.6.1.4.1.1466.344 NAME 'dcObject' DESC 'RFC2247: domain component object' SUP top AUXILIARY MUST dc )) line 563 (objectclass ( 1.3.6.1.1.3.1 NAME 'uidObject' DESC 'RFC2377: uid object' SUP top AUXILIARY MUST uid )) line 571 (attributetype ( 0.9.2342.19200300.100.1.37 NAME 'associatedDomain' DESC 'RFC1274: domain associated with object' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )) line 579 (attributetype ( 1.2.840.113549.1.9.1 NAME ( 'email' 'emailAddress' 'pkcs9email' ) DESC 'RFC2459: legacy attribute for email addresses in DNs' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} ))>>> dnNormalize: <cn=Subschema>=> ldap_bv2dn(cn=Subschema,0) ldap_err2string <= ldap_bv2dn(cn=Subschema)=0 Success => ldap_dn2bv(272) ldap_err2string <= ldap_dn2bv(cn=subschema)=0 Success <<< dnNormalize: <cn=subschema> line 15 (include /etc/ldap/schema/cosine.schema) reading config file /etc/ldap/schema/cosine.schema line 130 (attributetype ( 0.9.2342.19200300.100.1.2 NAME 'textEncodedORAddress' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )) line 168 (attributetype ( 0.9.2342.19200300.100.1.4 NAME 'info' DESC 'RFC1274: general information' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{2048} )) line 187 (attributetype ( 0.9.2342.19200300.100.1.5 NAME ( 'drink' 'favouriteDrink' ) DESC 'RFC1274: favorite drink' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )) 
line 205 (attributetype ( 0.9.2342.19200300.100.1.6 NAME 'roomNumber' DESC 'RFC1274: room number' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )) line 227 (attributetype ( 0.9.2342.19200300.100.1.7 NAME 'photo' DESC 'RFC1274: photo (G3 fax)' SYNTAX 1.3.6.1.4.1.1466.115.121.1.23{25000} )) line 248 (attributetype ( 0.9.2342.19200300.100.1.8 NAME 'userClass' DESC 'RFC1274: category of user' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )) line 264 (attributetype ( 0.9.2342.19200300.100.1.9 NAME 'host' DESC 'RFC1274: host computer' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )) line 279 (attributetype ( 0.9.2342.19200300.100.1.10 NAME 'manager' DESC 'RFC1274: DN of manager' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )) line 296 (attributetype ( 0.9.2342.19200300.100.1.11 NAME 'documentIdentifier' DESC 'RFC1274: unique identifier of document' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )) line 312 (attributetype ( 0.9.2342.19200300.100.1.12 NAME 'documentTitle' DESC 'RFC1274: title of document' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )) line 329 (attributetype ( 0.9.2342.19200300.100.1.13 NAME 'documentVersion' DESC 'RFC1274: version of document' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )) line 344 (attributetype ( 0.9.2342.19200300.100.1.14 NAME 'documentAuthor' DESC 'RFC1274: DN of author of document' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )) line 361 (attributetype ( 0.9.2342.19200300.100.1.15 NAME 'documentLocation' DESC 'RFC1274: location of document original' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )) line 380 
(attributetype ( 0.9.2342.19200300.100.1.20 DESC 'RFC1274: home telephone number' NAME ( 'homePhone' 'homeTelephoneNumber' ) EQUALITY telephoneNumberMatch SUBSTR telephoneNumberSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.50 )) line 395 (attributetype ( 0.9.2342.19200300.100.1.21 NAME 'secretary' DESC 'RFC1274: DN of secretary' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )) line 411 (attributetype ( 0.9.2342.19200300.100.1.22 NAME 'otherMailbox' SYNTAX 1.3.6.1.4.1.1466.115.121.1.39 )) line 480 (attributetype ( 0.9.2342.19200300.100.1.26 NAME 'aRecord' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )) line 486 (attributetype ( 0.9.2342.19200300.100.1.27 NAME 'mDRecord' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )) line 501 (attributetype ( 0.9.2342.19200300.100.1.28 NAME 'mXRecord' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )) line 516 (attributetype ( 0.9.2342.19200300.100.1.29 NAME 'nSRecord' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )) line 531 (attributetype ( 0.9.2342.19200300.100.1.30 NAME 'sOARecord' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )) line 546 (attributetype ( 0.9.2342.19200300.100.1.31 NAME 'cNAMERecord' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )) line 581 (attributetype ( 0.9.2342.19200300.100.1.38 NAME 'associatedName' DESC 'RFC1274: DN of entry associated with domain' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )) line 599 (attributetype ( 0.9.2342.19200300.100.1.39 NAME 'homePostalAddress' DESC 'RFC1274: home postal address' EQUALITY caseIgnoreListMatch SUBSTR caseIgnoreListSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 )) line 616 (attributetype ( 0.9.2342.19200300.100.1.40 NAME 'personalTitle' DESC 'RFC1274: personal title' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )) line 635 (attributetype ( 
0.9.2342.19200300.100.1.41 NAME ( 'mobile' 'mobileTelephoneNumber' ) DESC 'RFC1274: mobile telephone number' EQUALITY telephoneNumberMatch SUBSTR telephoneNumberSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.50 )) line 653 (attributetype ( 0.9.2342.19200300.100.1.42 NAME ( 'pager' 'pagerTelephoneNumber' ) DESC 'RFC1274: pager telephone number' EQUALITY telephoneNumberMatch SUBSTR telephoneNumberSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.50 )) line 671 (attributetype ( 0.9.2342.19200300.100.1.43 NAME ( 'co' 'friendlyCountryName' ) DESC 'RFC1274: friendly country name' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )) line 691 (attributetype ( 0.9.2342.19200300.100.1.44 NAME 'uniqueIdentifier' DESC 'RFC1274: unique identifer' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )) line 713 (attributetype ( 0.9.2342.19200300.100.1.45 NAME 'organizationalStatus' DESC 'RFC1274: organizational status' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )) line 734 (attributetype ( 0.9.2342.19200300.100.1.46 NAME 'janetMailbox' DESC 'RFC1274: Janet mailbox' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )) line 764 (attributetype ( 0.9.2342.19200300.100.1.47 NAME 'mailPreferenceOption' DESC 'RFC1274: mail preference option' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )) line 781 (attributetype ( 0.9.2342.19200300.100.1.48 NAME 'buildingName' DESC 'RFC1274: name of building' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )) line 796 (attributetype ( 0.9.2342.19200300.100.1.49 NAME 'dSAQuality' DESC 'RFC1274: DSA Quality' SYNTAX 1.3.6.1.4.1.1466.115.121.1.19 SINGLE-VALUE )) line 811 (attributetype ( 0.9.2342.19200300.100.1.50 NAME 'singleLevelQuality' DESC 'RFC1274: Single Level Quality' SYNTAX 1.3.6.1.4.1.1466.115.121.1.13 SINGLE-VALUE )) line 827 
(attributetype ( 0.9.2342.19200300.100.1.51 NAME 'subtreeMinimumQuality' DESC 'RFC1274: Subtree Mininum Quality' SYNTAX 1.3.6.1.4.1.1466.115.121.1.13 SINGLE-VALUE )) line 843 (attributetype ( 0.9.2342.19200300.100.1.52 NAME 'subtreeMaximumQuality' DESC 'RFC1274: Subtree Maximun Quality' SYNTAX 1.3.6.1.4.1.1466.115.121.1.13 SINGLE-VALUE )) line 865 (attributetype ( 0.9.2342.19200300.100.1.53 NAME 'personalSignature' DESC 'RFC1274: Personal Signature (G3 fax)' SYNTAX 1.3.6.1.4.1.1466.115.121.1.23 )) line 884 (attributetype ( 0.9.2342.19200300.100.1.54 NAME 'dITRedirect' DESC 'RFC1274: DIT Redirect' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )) line 900 (attributetype ( 0.9.2342.19200300.100.1.55 NAME 'audio' DESC 'RFC1274: audio (u-law)' SYNTAX 1.3.6.1.4.1.1466.115.121.1.4{25000} )) line 916 (attributetype ( 0.9.2342.19200300.100.1.56 NAME 'documentPublisher' DESC 'RFC1274: publisher of document' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )) line 1084 (objectclass ( 0.9.2342.19200300.100.4.4 NAME ( 'pilotPerson' 'newPilotPerson' ) SUP person STRUCTURAL MAY ( userid $ textEncodedORAddress $ rfc822Mailbox $ favouriteDrink $ roomNumber $ userClass $ homeTelephoneNumber $ homePostalAddress $ secretary $ personalTitle $ preferredDeliveryMethod $ businessCategory $ janetMailbox $ otherMailbox $ mobileTelephoneNumber $ pagerTelephoneNumber $ organizationalStatus $ mailPreferenceOption $ personalSignature ) )) line 1110 (objectclass ( 0.9.2342.19200300.100.4.5 NAME 'account' SUP top STRUCTURAL MUST userid MAY ( description $ seeAlso $ localityName $ organizationName $ organizationalUnitName $ host ) )) line 1142 (objectclass ( 0.9.2342.19200300.100.4.6 NAME 'document' SUP top STRUCTURAL MUST documentIdentifier MAY ( commonName $ description $ seeAlso $ localityName $ organizationName $ organizationalUnitName $ documentTitle $ documentVersion $ documentAuthor $ documentLocation $ documentPublisher ) 
)) line 1165 (objectclass ( 0.9.2342.19200300.100.4.7 NAME 'room' SUP top STRUCTURAL MUST commonName MAY ( roomNumber $ description $ seeAlso $ telephoneNumber ) )) line 1191 (objectclass ( 0.9.2342.19200300.100.4.9 NAME 'documentSeries' SUP top STRUCTURAL MUST commonName MAY ( description $ seeAlso $ telephonenumber $ localityName $ organizationName $ organizationalUnitName ) )) line 1222 (objectclass ( 0.9.2342.19200300.100.4.13 NAME 'domain' SUP top STRUCTURAL MUST domainComponent MAY ( associatedName $ organizationName $ description $ businessCategory $ seeAlso $ searchGuide $ userPassword $ localityName $ stateOrProvinceName $ streetAddress $ physicalDeliveryOfficeName $ postalAddress $ postalCode $ postOfficeBox $ streetAddress $ facsimileTelephoneNumber $ internationalISDNNumber $ telephoneNumber $ teletexTerminalIdentifier $ telexNumber $ preferredDeliveryMethod $ destinationIndicator $ registeredAddress $ x121Address ) )) line 1252 (objectclass ( 0.9.2342.19200300.100.4.14 NAME 'RFC822localPart' SUP domain STRUCTURAL MAY ( commonName $ surname $ description $ seeAlso $ telephoneNumber $ physicalDeliveryOfficeName $ postalAddress $ postalCode $ postOfficeBox $ streetAddress $ facsimileTelephoneNumber $ internationalISDNNumber $ telephoneNumber $ teletexTerminalIdentifier $ telexNumber $ preferredDeliveryMethod $ destinationIndicator $ registeredAddress $ x121Address ) )) line 1275 (objectclass ( 0.9.2342.19200300.100.4.15 NAME 'dNSDomain' SUP domain STRUCTURAL MAY ( ARecord $ MDRecord $ MXRecord $ NSRecord $ SOARecord $ CNAMERecord ) )) line 1293 (objectclass ( 0.9.2342.19200300.100.4.17 NAME 'domainRelatedObject' DESC 'RFC1274: an object related to an domain' SUP top AUXILIARY MUST associatedDomain )) line 1311 (objectclass ( 0.9.2342.19200300.100.4.18 NAME 'friendlyCountry' SUP country STRUCTURAL MUST friendlyCountryName )) line 1345 (objectclass ( 0.9.2342.19200300.100.4.20 NAME 'pilotOrganization' SUP ( organization $ organizationalUnit ) STRUCTURAL MAY 
buildingName )) line 1361 (objectclass ( 0.9.2342.19200300.100.4.21 NAME 'pilotDSA' SUP dsa STRUCTURAL MAY dSAQuality )) line 1382 (objectclass ( 0.9.2342.19200300.100.4.22 NAME 'qualityLabelledData' SUP top AUXILIARY MUST dsaQuality MAY ( subtreeMinimumQuality $ subtreeMaximumQuality ) )) line 16 (include /etc/ldap/schema/nis.schema) reading config file /etc/ldap/schema/nis.schema line 40 (attributetype ( 1.3.6.1.1.1.1.0 NAME 'uidNumber' DESC 'An integer uniquely identifying a user in an administrative domain' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )) line 45 (attributetype ( 1.3.6.1.1.1.1.1 NAME 'gidNumber' DESC 'An integer uniquely identifying a group in an administrative domain' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )) line 51 (attributetype ( 1.3.6.1.1.1.1.2 NAME 'gecos' DESC 'The GECOS field; the common name' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )) line 56 (attributetype ( 1.3.6.1.1.1.1.3 NAME 'homeDirectory' DESC 'The absolute path to the home directory' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )) line 61 (attributetype ( 1.3.6.1.1.1.1.4 NAME 'loginShell' DESC 'The path to the login shell' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )) line 65 (attributetype ( 1.3.6.1.1.1.1.5 NAME 'shadowLastChange' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )) line 69 (attributetype ( 1.3.6.1.1.1.1.6 NAME 'shadowMin' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )) line 73 (attributetype ( 1.3.6.1.1.1.1.7 NAME 'shadowMax' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )) line 77 (attributetype ( 1.3.6.1.1.1.1.8 NAME 'shadowWarning' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )) line 81 (attributetype ( 1.3.6.1.1.1.1.9 NAME 'shadowInactive' EQUALITY 
integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )) line 85 (attributetype ( 1.3.6.1.1.1.1.10 NAME 'shadowExpire' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )) line 89 (attributetype ( 1.3.6.1.1.1.1.11 NAME 'shadowFlag' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )) line 94 (attributetype ( 1.3.6.1.1.1.1.12 NAME 'memberUid' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )) line 99 (attributetype ( 1.3.6.1.1.1.1.13 NAME 'memberNisNetgroup' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )) line 103 (attributetype ( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple' DESC 'Netgroup triple' SYNTAX 1.3.6.1.1.1.0.0 )) line 107 (attributetype ( 1.3.6.1.1.1.1.15 NAME 'ipServicePort' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )) line 110 (attributetype ( 1.3.6.1.1.1.1.16 NAME 'ipServiceProtocol' SUP name )) line 114 (attributetype ( 1.3.6.1.1.1.1.17 NAME 'ipProtocolNumber' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )) line 118 (attributetype ( 1.3.6.1.1.1.1.18 NAME 'oncRpcNumber' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )) line 123 (attributetype ( 1.3.6.1.1.1.1.19 NAME 'ipHostNumber' DESC 'IP address' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )) line 128 (attributetype ( 1.3.6.1.1.1.1.20 NAME 'ipNetworkNumber' DESC 'IP network' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} SINGLE-VALUE )) line 133 (attributetype ( 1.3.6.1.1.1.1.21 NAME 'ipNetmaskNumber' DESC 'IP netmask' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} SINGLE-VALUE )) line 138 (attributetype ( 1.3.6.1.1.1.1.22 NAME 'macAddress' DESC 'MAC address' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )) line 142 (attributetype ( 1.3.6.1.1.1.1.23 NAME 'bootParameter' DESC 
'rpc.bootparamd parameter' SYNTAX 1.3.6.1.1.1.0.1 )) line 147 (attributetype ( 1.3.6.1.1.1.1.24 NAME 'bootFile' DESC 'Boot image name' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )) line 150 (attributetype ( 1.3.6.1.1.1.1.26 NAME 'nisMapName' SUP name )) line 155 (attributetype ( 1.3.6.1.1.1.1.27 NAME 'nisMapEntry' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{1024} SINGLE-VALUE )) line 162 (objectclass ( 1.3.6.1.1.1.2.0 NAME 'posixAccount' SUP top AUXILIARY DESC 'Abstraction of an account with POSIX attributes' MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory ) MAY ( userPassword $ loginShell $ gecos $ description ) )) line 169 (objectclass ( 1.3.6.1.1.1.2.1 NAME 'shadowAccount' SUP top AUXILIARY DESC 'Additional attributes for shadow passwords' MUST uid MAY ( userPassword $ shadowLastChange $ shadowMin $ shadowMax $ shadowWarning $ shadowInactive $ shadowExpire $ shadowFlag $ description ) )) line 174 (objectclass ( 1.3.6.1.1.1.2.2 NAME 'posixGroup' SUP top STRUCTURAL DESC 'Abstraction of a group of accounts' MUST ( cn $ gidNumber ) MAY ( userPassword $ memberUid $ description ) )) line 179 (objectclass ( 1.3.6.1.1.1.2.3 NAME 'ipService' SUP top STRUCTURAL DESC 'Abstraction an Internet Protocol service' MUST ( cn $ ipServicePort $ ipServiceProtocol ) MAY ( description ) )) line 184 (objectclass ( 1.3.6.1.1.1.2.4 NAME 'ipProtocol' SUP top STRUCTURAL DESC 'Abstraction of an IP protocol' MUST ( cn $ ipProtocolNumber $ description ) MAY description )) line 189 (objectclass ( 1.3.6.1.1.1.2.5 NAME 'oncRpc' SUP top STRUCTURAL DESC 'Abstraction of an ONC/RPC binding' MUST ( cn $ oncRpcNumber $ description ) MAY description )) line 194 (objectclass ( 1.3.6.1.1.1.2.6 NAME 'ipHost' SUP top AUXILIARY DESC 'Abstraction of a host, an IP device' MUST ( cn $ ipHostNumber ) MAY ( l $ description $ manager ) )) line 199 (objectclass ( 1.3.6.1.1.1.2.7 NAME 'ipNetwork' SUP top STRUCTURAL DESC 
'Abstraction of an IP network' MUST ( cn $ ipNetworkNumber ) MAY ( ipNetmaskNumber $ l $ description $ manager ) )) line 204 (objectclass ( 1.3.6.1.1.1.2.8 NAME 'nisNetgroup' SUP top STRUCTURAL DESC 'Abstraction of a netgroup' MUST cn MAY ( nisNetgroupTriple $ memberNisNetgroup $ description ) )) line 209 (objectclass ( 1.3.6.1.1.1.2.9 NAME 'nisMap' SUP top STRUCTURAL DESC 'A generic abstraction of a NIS map' MUST nisMapName MAY description )) line 214 (objectclass ( 1.3.6.1.1.1.2.10 NAME 'nisObject' SUP top STRUCTURAL DESC 'An entry in a NIS map' MUST ( cn $ nisMapEntry $ nisMapName ) MAY description )) line 218 (objectclass ( 1.3.6.1.1.1.2.11 NAME 'ieee802Device' SUP top AUXILIARY DESC 'A device with a MAC address' MAY macAddress )) line 222 (objectclass ( 1.3.6.1.1.1.2.12 NAME 'bootableDevice' SUP top AUXILIARY DESC 'A device with boot parameters' MAY ( bootFile $ bootParameter ) )) line 17 (include /etc/ldap/schema/inetorgperson.schema) reading config file /etc/ldap/schema/inetorgperson.schema line 36 (attributetype ( 2.16.840.1.113730.3.1.1 NAME 'carLicense' DESC 'RFC2798: vehicle license or registration plate' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )) line 46 (attributetype ( 2.16.840.1.113730.3.1.2 NAME 'departmentNumber' DESC 'RFC2798: identifies a department within an organization' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )) line 59 (attributetype ( 2.16.840.1.113730.3.1.241 NAME 'displayName' DESC 'RFC2798: preferred name to be used when displaying entries' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )) line 70 (attributetype ( 2.16.840.1.113730.3.1.3 NAME 'employeeNumber' DESC 'RFC2798: numerically identifies an employee within an organization' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )) line 81 (attributetype ( 
2.16.840.1.113730.3.1.4 NAME 'employeeType' DESC 'RFC2798: type of employment for a person' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )) line 92 (attributetype ( 0.9.2342.19200300.100.1.60 NAME 'jpegPhoto' DESC 'RFC2798: a JPEG image' SYNTAX 1.3.6.1.4.1.1466.115.121.1.28 )) line 107 (attributetype ( 2.16.840.1.113730.3.1.39 NAME 'preferredLanguage' DESC 'RFC2798: preferred written or spoken language for a person' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )) line 123 (attributetype ( 2.16.840.1.113730.3.1.40 NAME 'userSMIMECertificate' DESC 'RFC2798: PKCS#7 SignedData used to support S/MIME' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 )) line 135 (attributetype ( 2.16.840.1.113730.3.1.216 NAME 'userPKCS12' DESC 'RFC2798: personal identity information, a PKCS #12 PFX' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 )) line 155 (objectclass ( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' DESC 'RFC2798: Internet Organizational Person' SUP organizationalPerson STRUCTURAL MAY ( audio $ businessCategory $ carLicense $ departmentNumber $ displayName $ employeeNumber $ employeeType $ givenName $ homePhone $ homePostalAddress $ initials $ jpegPhoto $ labeledURI $ mail $ manager $ mobile $ o $ pager $ photo $ roomNumber $ secretary $ uid $ userCertificate $ x500uniqueIdentifier $ preferredLanguage $ userSMIMECertificate $ userPKCS12 ) )) line 18 (include /etc/ldap/schema/samba.schema) reading config file /etc/ldap/schema/samba.schema line 185 (attributetype ( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword' DESC 'LanManager Password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )) line 190 (attributetype ( 1.3.6.1.4.1.7165.2.1.25 NAME 'sambaNTPassword' DESC 'MD4 hash of the unicode password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )) line 198 (attributetype ( 1.3.6.1.4.1.7165.2.1.26 NAME 'sambaAcctFlags' 
DESC 'Account Flags' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16} SINGLE-VALUE )) line 206 (attributetype ( 1.3.6.1.4.1.7165.2.1.27 NAME 'sambaPwdLastSet' DESC 'Timestamp of the last password update' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )) line 211 (attributetype ( 1.3.6.1.4.1.7165.2.1.28 NAME 'sambaPwdCanChange' DESC 'Timestamp of when the user is allowed to update the password' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )) line 216 (attributetype ( 1.3.6.1.4.1.7165.2.1.29 NAME 'sambaPwdMustChange' DESC 'Timestamp of when the password will expire' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )) line 221 (attributetype ( 1.3.6.1.4.1.7165.2.1.30 NAME 'sambaLogonTime' DESC 'Timestamp of last logon' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )) line 226 (attributetype ( 1.3.6.1.4.1.7165.2.1.31 NAME 'sambaLogoffTime' DESC 'Timestamp of last logoff' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )) line 231 (attributetype ( 1.3.6.1.4.1.7165.2.1.32 NAME 'sambaKickoffTime' DESC 'Timestamp of when the user will be logged off automatically' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )) line 236 (attributetype ( 1.3.6.1.4.1.7165.2.1.48 NAME 'sambaBadPasswordCount' DESC 'Bad password attempt count' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )) line 241 (attributetype ( 1.3.6.1.4.1.7165.2.1.49 NAME 'sambaBadPasswordTime' DESC 'Time of the last bad password attempt' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )) line 246 (attributetype ( 1.3.6.1.4.1.7165.2.1.55 NAME 'sambaLogonHours' DESC 'Logon Hours' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{42} SINGLE-VALUE )) line 254 (attributetype ( 1.3.6.1.4.1.7165.2.1.33 NAME 'sambaHomeDrive' DESC 'Driver letter of home directory mapping' EQUALITY 
caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{4} SINGLE-VALUE )) line 259 (attributetype ( 1.3.6.1.4.1.7165.2.1.34 NAME 'sambaLogonScript' DESC 'Logon script path' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )) line 264 (attributetype ( 1.3.6.1.4.1.7165.2.1.35 NAME 'sambaProfilePath' DESC 'Roaming profile path' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )) line 269 (attributetype ( 1.3.6.1.4.1.7165.2.1.36 NAME 'sambaUserWorkstations' DESC 'List of user workstations the user is allowed to logon to' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )) line 274 (attributetype ( 1.3.6.1.4.1.7165.2.1.37 NAME 'sambaHomePath' DESC 'Home directory UNC path' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )) line 279 (attributetype ( 1.3.6.1.4.1.7165.2.1.38 NAME 'sambaDomainName' DESC 'Windows NT domain to which the user belongs' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )) line 284 (attributetype ( 1.3.6.1.4.1.7165.2.1.47 NAME 'sambaMungedDial' DESC '' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} )) line 289 (attributetype ( 1.3.6.1.4.1.7165.2.1.54 NAME 'sambaPasswordHistory' DESC 'Concatenated MD4 hashes of the unicode passwords used on this account' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} )) line 298 (attributetype ( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID' DESC 'Security ID' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )) line 308 (attributetype ( 1.3.6.1.4.1.7165.2.1.23 NAME 'sambaPrimaryGroupSID' DESC 'Primary Group Security ID' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )) line 313 (attributetype ( 1.3.6.1.4.1.7165.2.1.51 NAME 'sambaSIDList' DESC 'Security ID List' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} )) line 321 (attributetype ( 1.3.6.1.4.1.7165.2.1.19 NAME 
'sambaGroupType' DESC 'NT Group Type' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ))
line 330 (attributetype ( 1.3.6.1.4.1.7165.2.1.21 NAME 'sambaNextUserRid' DESC 'Next NT rid to give our for users' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ))
line 335 (attributetype ( 1.3.6.1.4.1.7165.2.1.22 NAME 'sambaNextGroupRid' DESC 'Next NT rid to give out for groups' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ))
line 340 (attributetype ( 1.3.6.1.4.1.7165.2.1.39 NAME 'sambaNextRid' DESC 'Next NT rid to give out for anything' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ))
line 345 (attributetype ( 1.3.6.1.4.1.7165.2.1.40 NAME 'sambaAlgorithmicRidBase' DESC 'Base at which the samba RID generation algorithm should operate' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ))
line 350 (attributetype ( 1.3.6.1.4.1.7165.2.1.41 NAME 'sambaShareName' DESC 'Share Name' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ))
line 356 (attributetype ( 1.3.6.1.4.1.7165.2.1.42 NAME 'sambaOptionName' DESC 'Option Name' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ))
line 361 (attributetype ( 1.3.6.1.4.1.7165.2.1.43 NAME 'sambaBoolOption' DESC 'A boolean option' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ))
line 366 (attributetype ( 1.3.6.1.4.1.7165.2.1.44 NAME 'sambaIntegerOption' DESC 'An integer option' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ))
line 371 (attributetype ( 1.3.6.1.4.1.7165.2.1.45 NAME 'sambaStringOption' DESC 'A string option' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ))
line 376 (attributetype ( 1.3.6.1.4.1.7165.2.1.46 NAME 'sambaStringListOption' DESC 'A string list option' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ))
line 390 (attributetype ( 1.3.6.1.4.1.7165.2.1.53 NAME 'sambaTrustFlags' DESC 'Trust Password Flags' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ))
line 395 (attributetype ( 1.3.6.1.4.1.7165.2.1.56 NAME 'sambaAccountPolicyName' DESC 'Account Policy Name' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE ))
line 400 (attributetype ( 1.3.6.1.4.1.7165.2.1.57 NAME 'sambaAccountPolicyValue' DESC 'Account Policy Value' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ))
line 425 (objectclass ( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY DESC 'Samba 3.0 Auxilary SAM Account' MUST ( uid $ sambaSID ) MAY ( cn $ sambaLMPassword $ sambaNTPassword $ sambaPwdLastSet $ sambaLogonTime $ sambaLogoffTime $ sambaKickoffTime $ sambaPwdCanChange $ sambaPwdMustChange $ sambaAcctFlags $ displayName $ sambaHomePath $ sambaHomeDrive $ sambaLogonScript $ sambaProfilePath $ description $ sambaUserWorkstations $ sambaPrimaryGroupSID $ sambaDomainName $ sambaMungedDial $ sambaBadPasswordCount $ sambaBadPasswordTime $ sambaPasswordHistory $ sambaLogonHours)))
line 433 (objectclass ( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' SUP top AUXILIARY DESC 'Samba Group Mapping' MUST ( gidNumber $ sambaSID $ sambaGroupType ) MAY ( displayName $ description $ sambaSIDList )))
line 441 (objectclass ( 1.3.6.1.4.1.7165.2.2.14 NAME 'sambaTrustPassword' SUP top STRUCTURAL DESC 'Samba Trust Password' MUST ( sambaDomainName $ sambaNTPassword $ sambaTrustFlags ) MAY ( sambaSID $ sambaPwdLastSet )))
line 451 (objectclass ( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' SUP top STRUCTURAL DESC 'Samba Domain Information' MUST ( sambaDomainName $ sambaSID ) MAY ( sambaNextRid $ sambaNextGroupRid $ sambaNextUserRid $ sambaAlgorithmicRidBase ) ))
line 458 (objectclass ( 1.3.6.1.4.1.7165.2.2.7 NAME 'sambaUnixIdPool' SUP top AUXILIARY DESC 'Pool for allocating UNIX uids/gids' MUST ( uidNumber $ gidNumber ) ))
line 464 (objectclass ( 1.3.6.1.4.1.7165.2.2.8 NAME 'sambaIdmapEntry' SUP top AUXILIARY DESC 'Mapping from a SID to an ID' MUST ( sambaSID ) MAY ( uidNumber $ gidNumber ) ))
line 468 (objectclass ( 1.3.6.1.4.1.7165.2.2.9 NAME 'sambaSidEntry' SUP top STRUCTURAL DESC 'Structural Class for a SID' MUST ( sambaSID ) ))
line 472 (objectclass ( 1.3.6.1.4.1.7165.2.2.10 NAME 'sambaConfig' SUP top AUXILIARY DESC 'Samba Configuration Section' MAY ( description ) ))
line 477 (objectclass ( 1.3.6.1.4.1.7165.2.2.11 NAME 'sambaShare' SUP top STRUCTURAL DESC 'Samba Share Section' MUST ( sambaShareName ) MAY ( description ) ))
line 483 (objectclass ( 1.3.6.1.4.1.7165.2.2.12 NAME 'sambaConfigOption' SUP top STRUCTURAL DESC 'Samba Configuration Option' MUST ( sambaOptionName ) MAY ( sambaBoolOption $ sambaIntegerOption $ sambaStringOption $ sambaStringListoption $ description ) ))
line 495 (objectclass ( 1.3.6.1.4.1.7165.2.2.15 NAME 'sambaAccountPolicy' SUP top STRUCTURAL DESC 'Samba Account Policy' MUST ( sambaAccountPolicyName $ sambaAccountPolicyValue ) MAY ( description ) ))
line 22 (schemacheck on)
line 26 (pidfile /var/run/slapd/slapd.pid)
line 29 (argsfile /var/run/slapd.args)
line 32 (loglevel 0)
line 35 (modulepath /usr/lib/ldap)
line 36 (moduleload back_bdb)
loaded module back_bdb
bdb_back_initialize: initialize BDB backend
module back_bdb: null module registered
line 38 (TLSCACertificateFile /etc/ldap/ssl/ldap-server.pem)
line 39 (TLSCertificateFile /etc/ldap/ssl/ldap-server.pem)
line 40 (TLSCertificateKeyFile /etc/ldap/ssl/ldap-server.pem)
line 46 (backend bdb)
line 47 (checkpoint 512 30)
line 59 (database bdb)
bdb_db_init: Initializing BDB database
line 62 (suffix "dc=rahim-dale,dc=org")
>>> dnPrettyNormal: <dc=rahim-dale,dc=org>
=> ldap_bv2dn(dc=rahim-dale,dc=org,0)
ldap_err2string
<= ldap_bv2dn(dc=rahim-dale,dc=org)=0 Success
=> ldap_dn2bv(272)
ldap_err2string
<= ldap_dn2bv(dc=rahim-dale,dc=org)=0 Success
=> ldap_dn2bv(272)
ldap_err2string
<= ldap_dn2bv(dc=rahim-dale,dc=org)=0 Success
<<<
dnPrettyNormal: <dc=rahim-dale,dc=org>, <dc=rahim-dale,dc=org>
line 64 (rootdn "cn=admin,dc=toronto,dc=ontario,dc=ca")
>>> dnPrettyNormal: <cn=admin,dc=toronto,dc=ontario,dc=ca>
=> ldap_bv2dn(cn=admin,dc=toronto,dc=ontario,dc=ca,0)
ldap_err2string
<= ldap_bv2dn(cn=admin,dc=toronto,dc=ontario,dc=ca)=0 Success
=> ldap_dn2bv(272)
ldap_err2string
<= ldap_dn2bv(cn=admin,dc=toronto,dc=ontario,dc=ca)=0 Success
=> ldap_dn2bv(272)
ldap_err2string
<= ldap_dn2bv(cn=admin,dc=toronto,dc=ontario,dc=ca)=0 Success
<<< dnPrettyNormal: <cn=admin,dc=toronto,dc=ontario,dc=ca>, <cn=admin,dc=toronto,dc=ontario,dc=ca>
line 65 (rootpw ***)
/etc/ldap/slapd.conf: line 65: rootpw can only be set when rootdn is under suffix
slapd shutdown: freeing system resources.
slapd stopped.
connections_destroy: nothing to destroy.
-------------- next part --------------
# Allow LDAPv2 binds
allow bind_v2
# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.

#######################################################################
# Global Directives:

# Features to permit
#allow bind_v2

# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/samba.schema

# Schema check allows for forcing entries to
# match schemas for their objectClasses's
schemacheck on

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile /var/run/slapd/slapd.pid

# List of arguments that were passed to the server
argsfile /var/run/slapd.args

# Read slapd.conf(5) for possible values
loglevel 0

# Where the dynamically loaded modules are stored
modulepath /usr/lib/ldap
moduleload back_bdb

TLSCACertificateFile /etc/ldap/ssl/ldap-server.pem
TLSCertificateFile /etc/ldap/ssl/ldap-server.pem
TLSCertificateKeyFile /etc/ldap/ssl/ldap-server.pem

#######################################################################
# Specific Backend Directives for bdb:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend bdb
checkpoint 512 30

#######################################################################
# Specific Backend Directives for 'other':
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
#backend <other>

#######################################################################
# Specific Directives for database #1, of type bdb:
# Database specific directives apply to this database until another
# 'database' directive occurs
database bdb

# The base of your directory in database #1
suffix "dc=rahim-dale,dc=org"

rootdn "cn=admin,dc=toronto,dc=ontario,dc=ca"
rootpw {MD5}hdduy/+JqjCnJjCWiKOGBQ=

# Where the database file are physically stored for database #1
directory "/var/lib/ldap"

# Indexing options for database #1
index objectClass,uidNumber,gidNumber eq
index cn,sn,uid,displayName pres,eq,sub
index memberUid,mail,givenname eq,subinitial
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
# default index
index default eq

# Save the time that the entry gets modified, for database #1
lastmod on

# Where to store the replica logs for database #1
# replogfile /var/lib/ldap/replog

# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
access to attrs=userPassword
        by dn="cn=admin,dc=rahim-dale,dc=org" write
        by anonymous auth
        by self write
        by * none

# Ensure read access to the base for things like
# supportedSASLMechanisms. Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possible other things) to work
# happily.
access to dn.base="" by * read

# The admin dn has full write access, everyone else
# can read everything.
access to *
        by dn="cn=admin,dc=rahim-dale,dc=org" write
        by * read

# samba access list
include /etc/ldap/samba-access.conf

# For Netscape Roaming support, each user gets a roaming
# profile for which they have write access to
#access to dn=".*,ou=Roaming,o=morsnet"
#        by dn="cn=admin,dc=rahim-dale,dc=org" write
#        by dnattr=owner write

#######################################################################
# Specific Directives for database #2, of type 'other' (can be bdb too):
# Database specific directives apply to this database until another
# 'database' directive occurs
#database <other>

# The base of your directory for database #2
#suffix "dc=debian,dc=org"
I was following the howto below (originally posted on this list as BIG Samba howto for debian only.) to see if I could get my not-quite-working Samba 3.0.14a (debian) server fully working and able to handle my Linux logins too.

The problem I'm having with my Samba setup is that I can't change user passwords except through Swat. Users can't change them from their machines using the Windows password change - but they are notified to change them when they expire.

Anyway, my attempts to follow the howto hit a roadblock at "3 LDAP Server configuration". Neither slapindex nor slapd will run. It looks like it doesn't like something about my root password, but I'm not sure what it wants (I'm no expert on LDAP). :)

Slapindex complains "bad configuration file". Slapd gives the more detailed:

line 65 (rootpw ***)
/etc/ldap/slapd.conf: line 65: rootpw can only be set when rootdn is under suffix

I've attached my slapd.conf file if that is of any assistance.

Any help will be greatly appreciated.

Louis van Belle wrote:
>Hi everybody,
>
>I made a pretty complete howto for samba on debian servers.
>
>This howto covers samba + ldap + cups + recycle bin + samba-vscan
>+ phpldapadmin + ACL + Extended Attributes.
>
>this howto is also based on the idealx howto
>
>If you do this setup, you should be able to use the NT4 Usermanager,
>setup Point and Print Printing. set rights from explorer etc.
>another nice tool is ldapadmin ( ldapadmin.sf.net ), a must, check it out.
>
>We will use a Debian Sarge as setup.
>If you never used Debian before, you can follow this how-to
>(http://www.howtoforge.com/perfect_setup_debian_sarge ) ,
>please read the comment below the pages first,
>this can save you time and problems or install Debian without
>any software packaged, we will install them later when needed.
>Checking the kernel or compile your own kernel if needed.
>
>I try to give a complete solution for this how-to,
>this is because lots of people were asking the same things on
>the samba list and lots of people make the same mistakes.
>
>This is my company's running setup.
>
>I run this on a P866, 512 Ram, Scsi Raid 1 ( 15rpms 73 Gb ) , with 50 users
>25 printers which do about 150.000 prints a month.
>
>I thank my company to let me make this document.
>
>Please if you have improvements, comments, send them to me.
>
>Louis van Belle
>
>
>INDEX
>Page nr.
>
>1 Checking the kernel or compile your own kernel 3
>1.1 Preparing apt configuration 3
>1.2 Preparing the kernel 3
>1.3 setup the /etc/fstab 3
>1.4 final touch, lilo (or grub) 3
>2 Pre-installation of the debian packages 4
>2.1 Samba and Ldap 4
>2.2 basic rights setup for samba 4
>2.3 why this rights setup. 4
>3 LDAP Server configuration 5
>4 installation/configuration libnss, libpam (-ldap) 7
>5 Samba and smbldap-tools Configuration 8
>5.1 smbldap-tools installation/configuration 8
>5.2 setting up samba base config 8
>5.3 Configuring smbldap.conf 9
>5.4 set the samba ldap admin password 9
>5.5 Samba PRIVILEGES Setup 10
>6 CUPS - Printer software 11
>6.1 Setup Cups 11
>6.2 Setup Cups PDF Printer. - Creating a PDF Printer 11
>7 Configuring phpldapadmin 12
>7.1 installation of phpldapadmin ( and apache ) 12
>8.0 On-Access virus scanning on samba (samba-clamav) 13
>8.1 Installing ClamAV 13
>8.2 get the sources ( samba & samba-vscan ) 13
>9.0 Recycle bin on samba 14
>9.1 Recycle bin configuration 14
>Appendix 1 (complex samba-access.conf ) SETUP WITH DSA USERS 15
>Appendix 2 APT 16
>2.1 APT HOWTO 16
>2.2 Files from /etc/apt 17
>2.2.1 /etc/apt/apt.conf 17
>2.2.2 /etc/apt/preferences 17
>
>
>1 Checking the kernel or compile your own kernel
>1.1 Preparing apt configuration
>
> for this go check out my apt howto.
>
> if your apt config is set up right, follow the steps below.
>
> ncurses interface for compiling the kernel
> apt-get install libncurses5-dev
>
> get the kernel source
> apt-get install kernel-source-2.6.8 kernel-package
>
> install the right kernel and activate EXT2/3 + Extended attributes
> and setup CIFS kernel support too in kernel.
>
>1.2 Preparing the kernel
> apt-get install kernel-source-2.6.8 kernel-package fakeroot libc6-dev libncurses5-dev
>
> cd /usr/src
> tar -jxf kernel-source-2.6.8.tar.bz2
> ln -s /usr/src/kernel-source-2.6.8 /usr/src/linux
> cp /boot/config-2.6.8-2-* /usr/src/linux/.config
> cd linux
> make menuconfig - File systems - Ext2/3 + extended options
> also File systems - Miscellaneous filesystems - CramFS
> and File systems - Network File Systems - CIFS support
> + extended Attributes
> now create the kernel and install it.
>
> fakeroot make-kpkg --append-to-kernel=-mykernel --initrd kernel_image
>
> This creates a file kernel-image-2.6.8.custom.1.0_i386.deb under
> /usr/src
>
> dpkg -i kernel-image-2.6.8.custom.1.0_i386.deb to install the kernel
>
>1.3 setup the /etc/fstab
>
> /etc/fstab : add the acl and user_xattr to the right partition
>
> /dev/xxx /home ext3 defaults,acl,user_xattr
>
> I use /home/samba for the samba environment.
> All the needed samba directories will be put here. !!
> This is important !
>
>1.4 final touch, lilo (or grub)
>
> lilo and reboot , login and do 'uname -a' and you will see a line like
> this.
> Linux ms249-lin-001 2.6.8-mykernel #1 Wed Jun 1 15:03:47 CEST 2005 i686
>
> Your server is now ready for samba 3.
>
>2 Pre-installation of the debian packages
>2.1 Samba and Ldap
>
> apt-get install slapd samba libsasl2-modules sasl2-bin openssl
> db4.2-util ldap-utils samba-doc libxml-parser-perl libauthen-sasl-perl
>
>Configuring slapd
> set a dns name - internal.yourdomain.tld
> - Give it a name/description
> - set the admin password for the ldap manager
> ( cn=admin,dc=internal,dc=yourdomain,dc=tld )
> - Allow LDAPv2 protocol? yes
>
>Configure samba
> set a domain name DOMAIN
> Use password encryption? Yes
> Modify smb.conf to use WINS settings from DHCP? No
> How do you want to run Samba? Daemons
> Create samba password database, /var/lib/samba/passdb.tdb? No !!!
> else you will end up with lots of users from debian in this password file
> and you don't want that.
>
>Setup samba.schema file for ldap
> zcat /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz > /etc/ldap/schema/samba.schema
>
>In this setup I use /home/samba for the samba environment.
> I use these directories.
> /home/samba skel,data,profiles,netlogon,printers,spool
> /home/users/ username
>
>2.2 basic rights setup for samba
>
> /home/samba 777 Administrator:Domain Admins
> /home/samba/spool 777 Administrator:Domain Admins
> /home/samba/printers 775 Administrator:Domain Admins
> /home/samba/profiles 777 Administrator:Domain Admins
> /home/samba/netlogon 775 Administrator:Domain Admins
> /home/samba/data 775 Administrator:Domain Admins
> /home/samba/temp 777 Administrator:Domain Admins
> /home/samba/tools 755 Administrator:Domain Admins
> /home/samba/skel 755 Administrator:Domain Admins
>
>2.3 why this rights setup.
>
> 1 Administrator can create in the complete samba environment.
> 2 In data directories my users are not allowed to create sub dirs,
> I create one for the department, and set rights to that department,
> from that point they can create directories.
> 3 Profiles 777, in the samba config is a parameter defined
> valid users = %u @"Domain Administrators"
> Only the user and administrator can access the user profile directories.
> create mask and directory mask make sure rights are set primarily to
> the user.
>3 LDAP Server configuration
>
> Configure slapd.conf, but first stop the slapd server ( /etc/init.d/slapd stop )
>
> Create ldap certificates for ssl support
> mkdir /etc/ldap/tls
>
> ## self signed certificate
> openssl req -newkey rsa:1024 -x509 -nodes -out ldap-server.pem -keyout ldap-server.pem -days 3650
> ( where Common Name ldap.yourdomain.tld )
>
> edit /etc/ldap/slapd.conf
> put these below the other line, the order of schema files must be correct.
> insert the line "include /etc/ldap/schema/samba.schema"
>
> add these lines before the database definition
> TLSCACertificateFile /etc/ldap/ssl/ldap-server.pem
> TLSCertificateFile /etc/ldap/ssl/ldap-server.pem
> TLSCertificateKeyFile /etc/ldap/ssl/ldap-server.pem
>
>Now it's time for the ldap database configuration for samba
>
>example of the /etc/slapd.conf ( database 1 configuration )
>
>#######################################################################
># Specific Directives for database #1, of type bdb:
># Database specific directives apply to this database until another
># 'database' directive occurs
>database bdb
>
># The base of your directory in database #1
>suffix "dc=internal,dc=yourdomain,dc=tld"
>
>rootdn "cn=admin,dc=rotterdam,dc=bazuin,dc=nl"
>rootpw {MD5}fsadsdafasfaewfw
>
> ## create the rootpw
> ## echo rootpw `slappasswd -h {Md5}` >> /etc/ldap/slapd.conf
>
># Where the database file are physically stored for database #1
>directory "/var/lib/ldap"
>
># Indexing options for database #1
>### !!!!! Always run slapindex(8) after changing indices!!!!!!
>### and first STOP the LDAP SERVER ( /etc/init.d/slapd stop )
>index objectClass,uidNumber,gidNumber eq
>index cn,sn,uid,displayName pres,eq,sub
>index memberUid,mail,givenname eq,subinitial
>index sambaSID,sambaPrimaryGroupSID,sambaDomainName, eq
>## default index
>index default eq
>
># Save the time that the entry gets modified, for database #1
>lastmod on
>
># Where to store the replica logs for database #1
>replogfile /var/lib/ldap/replog
>
># The userPassword by default can be changed
># by the entry owning it if they are authenticated.
># Others should not be able to see it, except the
># admin entry below
># These access lines apply to database #1 only
>access to attrs=userPassword
> by dn="cn=admin,dc=internal,dc=yourdomain,dc=tld" write
> by anonymous auth
> by self write
> by * none
>
># Ensure read access to the base for things like
># supportedSASLMechanisms. Without this you may
># have problems with SASL not knowing what
># mechanisms are available and the like.
># Note that this is covered by the 'access to *'
># ACL below too but if you change that as people
># are wont to do you'll still need this if you
># want SASL (and possible other things) to work
># happily.
>access to dn.base="" by * read
>
># The admin dn has full write access, everyone else
># can read everything.
>access to *
> by dn="cn=admin,dc=internal,dc=yourdomain,dc=tld" write
> by * read
>
># samba access list
>include /etc/ldap/samba-access.conf
>
>Example of the /etc/samba-access.conf ( database 1 configuration )
>
>### OLD Samba no DSA users used
>access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
> by dn="cn=admin,dc=internal,dc=yourdomain,dc=tld" write
> by anonymous auth
> by self write
> by * none
>
>access to attrs=loginShell
> by dn="cn=admin,dc=internal,dc=yourdomain,dc=tld" write
> by * none
>
>access to attrs=description,telephoneNumber,roomNumber,homePhone,gecos,cn,sn,givenname
> by dn="cn=admin,dc=internal,dc=yourdomain,dc=tld" write
> by self write
> by * read
>
>See appendix 1 if you want a more secure ldap database.
>!! this setup does not help you with setting that up. !!
>
>run slapindex
>and start the slapd server
>/etc/init.d/slapd start
>
>4 installation/configuration libnss, libpam (-ldap)
>
>apt-get install libnss-ldap libpam-ldap
>
>Configuring libnss-ldap
> define the host
> 127.0.0.1
> distinguished name of the search base
> dc=internal,dc=yourdomain,dc=tld
>
> LDAP version to use
> 3
> database requires login
> No
> Make configuration readable/writeable by owner only
> No
>
>Configuring libpam-ldap
> Make local root Database admin.
> Yes
> Database requires logging in.
> No
> Root login account
> cn=admin,dc=internal,dc=yourdomain,dc=tld
> set your password
> ( same as above for admin )
>
> Local crypt to use when changing passwords
> exop
>
>Configure nsswitch
># /etc/nsswitch.conf
>#
># Example configuration of GNU Name Service Switch functionality.
># If you have the `glibc-doc' and `info' packages installed, try:
># `info libc "Name Service Switch"' for information about this file.
>
>passwd: compat ldap
>group: compat ldap
>shadow: compat ldap
>
>hosts: files dns
>networks: files
>
>protocols: db files
>services: db files
>ethers: db files
>rpc: db files
>
>netgroup: nis
>
>
>Now test the server
>ldapsearch -x -D "cn=admin,dc=internal,dc=yourdomain,dc=tld" -W
>(enter the password)
>if you see
>result: 0 Success
>
>for now this is ok.
>
>5 Samba and smbldap-tools Configuration
>
>5.1 smbldap-tools installation/configuration
>
>apt-get install smbldap-tools
>
>copy the default config from the example directory.
>cp /usr/share/doc/smbldap-tools/examples/smbldap_bind.conf /etc/smbldap-tools/
>
>cp /usr/share/doc/smbldap-tools/examples/smbldap.conf.gz /etc/smbldap-tools/
>cd /etc/smbldap-tools
>gunzip smbldap.conf.gz
>
>first the easy part.
>
>in /etc/smbldap-tools/smbldap_bind.conf
>change this to admin
>slaveDN="cn=admin,dc=internal,dc=yourdomain,dc=tld"
>slavePw="Yourpassword"
>masterDN="cn=admin,dc=internal,dc=yourdomain,dc=tld"
>masterPw="Yourpassword"
>
>5.2 setting up samba base config
>
>start with the default config
>cd /etc/samba
>cp /usr/share/doc/smbldap-tools/examples/smb.conf.gz /etc/samba
>gunzip smb.conf.gz
>
>change the config to your needs
>some tips using samba on a firewalled system
>use the following setting, here eth0 is the internal side
>
> interfaces = eth0 lo
> bind interfaces only = yes
>
>change the binary location from /opt/..
>to /usr/sbin/smbldap-....
>the smbldap-tools are installed by debian in /usr/sbin
>
>also in this setup /home/. must be changed to /home/samba/.
>This will save you a lot of trouble with rights.
>
>
>5.3 Configuring smbldap.conf
>
>first we need to get some samba info
>
>net getlocalsid
>
>SID for domain SERVERNAME is: S-1-5-21-2074673303-3377769770-2933042573
>change the SID in smbldap.conf to your sid.
>
>change the suffix to your suffix (dc=internal,dc=yourdomain,dc=tld)
>change the hash_encryption to MD5
>change userLoginShell="bin/nologin"
>and you nologin, because I'm configuring ldap for samba only.
>set the home directory ( in my case /home/users/%U )
>set the other to your needs.
>
>
>5.4 set the samba ldap admin password
>
>smbpasswd -w ldapadmin_password
>Setting stored password for "cn=admin,dc=internal,dc=yourdomain,dc=tld" in secrets.tdb
>
>now we go fill the ldap database with the base setup.
>
>smbldap-populate -a Administrator -b nobody -u 2000 -g 2000
>
>users are created with uid => 2000
>groups are created with gid => 2000
>
>
>!!!! DO NOT RUN THIS IF YOU ALREADY CREATED USERS. YOUR UID/GID's WILL GET
>MESSED UP.
>
>smbpasswd -a root
>because root is needed for setting up the Privileges.
>
>Now set the Administrator password and enable this user
>smbldap-passwd Administrator
>smbldap-usermod -J Administrator
>
>
>5.5 Samba PRIVILEGES Setup
>
>First check your rights and get to know the commands.
>
>net rpc rights list accounts list users
>net rpc rights list list defined rights.
>
>to get what for rights are defined and users/groups
>
>IF you use a PDC/BDC setup these commands must be done on both servers!!
>
>test these commands:
>
>net rpc group
>(output)
>Domain Admins
>Domain Users
>Domain Guests
>Domain Computers
>
>or
>
>slapcat | grep Group | grep dn
>
>(output)
>dn: ou=Groups,dc=internal,dc=yourdomain,dc=tld
>dn: cn=Domain Admins,ou=Groups,dc=internal,dc=yourdomain,dc=tld
>dn: cn=Domain Users,ou=Groups,dc=internal,dc=yourdomain,dc=tld
>dn: cn=Domain Guests,ou=Groups,dc=internal,dc=yourdomain,dc=tld
>dn: cn=Domain Computers,ou=Groups,dc=internal,dc=yourdomain,dc=tld
>dn: cn=Administrators,ou=Groups,dc=internal,dc=yourdomain,dc=tld
>dn: cn=Print Operators,ou=Groups,dc=internal,dc=yourdomain,dc=tld
>dn: cn=Backup Operators,ou=Groups,dc=internal,dc=yourdomain,dc=tld
>dn: cn=Replicators,ou=Groups,dc=internal,dc=yourdomain,dc=tld
>
>
>these are the privileges on samba 3.0.14a ( debian )
>
>Privilege Description
>SeMachineAccountPrivilege Add machines to domain
>SePrintOperatorPrivilege Manage printers
>SeAddUsersPrivilege Add users and groups to the domain
>SeRemoteShutdownPrivilege Force shutdown from a remote system
>SeDiskOperatorPrivilege Manage disk share
>
>
>give the "Domain Admins" all of the SE Rights.
>( -S Servername -U Username%Password )
>
>net -S PDC -U root%Password rpc rights grant "DOMAIN\Domain Admins" \
> SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege \
> SeDiskOperatorPrivilege SeRemoteShutdownPrivilege
>
>
>Give the "Printer Operators" all Print manage rights.
>( -S Servername -U Username%Password )
>
>net -S PDC -U root%Password rpc rights grant "DOMAIN\Print Operators" SePrintOperatorPrivilege
>
>6 CUPS - Printer software
>
>apt-cache search cups to get the info which packages are available
>
>I installed these packages.
>apt-get install cups-pdf cupsys cupsys-bsd cupsys-pt cupsys-client \
>foomatic-bin foomatic-filters cupsys-driver-gimpprint gs-esp ( and dependencies )
>
>Configuring cupsys-bsd
> Do you want to set up the BSD lpd compatibility server? Yes
> all others leave default.
>
>6.1 Setup Cups /etc/cups/cups.conf
>
> here locate the lines Allow From 127.0.0.1
> and change it to your network so you can login on the cups web interface.
> for example:
> Allow from 192.168.( this way I can manage it from 2 departments. )
> (192.168.1.x and 168.192.2.x )
>
> now you can logon on http://serverip:631/
> make it safer to manage by adding a user to the lpadmin group
> and this user can create printer queues
>
> I create printers with the following options.
> socket://printerIPnumber:9100 ( for hp jetdirect ), Raw, Raw_queue
>
> I only use cups as spooler for windows pc's and *nix servers.
>
> First we are going to create 1 printer device and this is the CUPS PDF Printer.
>
>
>6.2 Setup Cups PDF Printer. - Creating a PDF Printer
>
> With this printer you can create PDF files by just printing to it.
>
> - logon the web interface and choose add printer.
> Name:pdf_printer
> Location: %homedir%\cups-pdf
> Description: pdf created in homedir\cups-pdf
> Continue
> - Device: Virtual Printer(PDF printer) choose it, it's below,
> Continue
> - Choose the model/Driver for PDF_printer, Postscript,
> Continue
>
> click on manage printers to see what you have created.
> click on Print Test Page to test the pdf printer.
>
> a file is put in the cups-pdf directory of the user you logged on with.
>
>
>7 Configuring phpldapadmin
>
>7.1 installation of phpldapadmin ( and apache )
>
> get the packages
> apt-get install phpldapadmin php4 apache
>
> What is your LDAP server host address? 127.0.0.1
> ( use the ip/hostname where the ldapserver is )
>
> ldaps protocol instead of ldap? No
>
> What is the distinguished name of the search base?
> dc=internal,dc=youdomain,dc=tld
>
> Which type of authentication you want to use? session
>
> What is the login dn for the LDAP server?
> cn=admin,dc=internal,dc=yourdomain,dc=tld
>
> Which web server would you like to reconfigure automatically?
> select all and press OK.
>
> restart webservers now: Yes
>
>8.0 On-Access virus scanning on samba (samba-clamav)
>8.1 Installing ClamAV
>
> apt-get install clamav arj unzoo lha clamav-freshclam clamav-daemon
> Configuring clamav-freshclam : Daemon
> Choose a close mirror
> Should clamd be notified after updates? Yes
>
>8.2 get the sources ( samba & samba-vscan )
>
> mkdir /usr/src/sources
> cd /usr/src/sources
>
> apt-get install dpkg-dev
> apt-get source samba
> apt-get build-dep samba
>
> cd samba-3.0.14a
> vi source/include/version.h
>
> here remove the a from the 14 ( 3.0.14a => 3.0.14 )
>
> ./debian/rules configure-stamp
> cd source
> make proto
> cd ../..
>
> wget http://switch.dl.sourceforge.net/sourceforge/openantivirus/samba-vscan-0.3.6b.tar.bz2
>
> tar xjvf samba-vscan-0.3.6b.tar.bz2
>
> cd samba-vscan-0.3.6b
> ./configure --with-samba-source=/usr/src/sources/samba-3.0.14a/source
> make && make install
>
> cp clamav/vscan-clamav.conf /etc/samba/samba-vscan-clamav.conf
> change in the samba-vscan-clamav.conf
> clamd socket name = /var/run/clamav/clamd.ctl
> infected file action = quarantine ( or delete , which I choose.)
>
> When I put these lines in my smb.conf file, I can't access the share :
> vfs object = vscan-clamav
> vscan-clamav: config-file = /etc/samba/samba-vscan-clamav.conf
>
> An example:
> [public]
> comment = Public Directory
> path = /home/public
> vfs object = vscan-clamav
> vscan-clamav: config-file = /etc/samba/samba-vscan-clamav.conf
>
> !!! BEWARE !!!! if samba upgrades to a higher version you MUST recompile
> your samba-vscan. set samba to hold for no upgrade.
>
> echo packagename hold | dpkg --set-selections set to hold
> echo packagename install | dpkg --set-selections set to install
>
>9.0 Recycle bin on samba
>9.1 Recycle bin configuration
>
> configure samba for using the recycle bin.
> I made my manager happy with this.
>
> create a file in /etc/samba
> and fill it with the options below.
>
> /etc/samba/samba-recycle.conf
>
> name = .recycle
> mode = KEEP_DIRECTORIES|VERSIONS|TOUCH
> maxsize = 0
> exclude = *.tmp|*.temp|*.o|*.obj|~$*|*.~??|~*.tmp
> excludedir = /tmp|/temp|/cache
> noversions = *.doc|*.xls|*.ppt
>
> add this to your share, same as vscan.
>
> vfs object = recycle
> recycle: config-files = /etc/samba/samba-recycle.conf
>
> create a recycle bin directory and hide it from the users.
>
> I created .recycle this way ( because of the dot) users don't see this
> IF.. you don't set your explorer to view hidden files.
>
>restart samba and you're done.
>
>You are ready to use your samba server.
>
>
>
>Appendix 1 (complex samba-access.conf ) SETUP WITH DSA USERS
>see http://www.idealx.org/prj/samba/smbldap-howto.en.html
>#### users can authenticate and change their password
>#access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
># by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
># by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
># by dn="cn=nssldap,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
># by self write
># by anonymous auth
># by * none
># some attributes need to be readable anonymously so that 'id user' can answer correctly
>##access to attrs=objectClass,entry,homeDirectory,uid,uidNumber,gidNumber,memberUid
># by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
># by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
># by * read
># some attributes can be writable by users themselves
>##access to attrs=description,telephoneNumber,roomNumber,homePhone,loginShell,gecos,cn,sn,givenname
># by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
># by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
># by self write
># by * read
>## some attributes need to be writable for samba
>#access to attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaMungedDial,sambaBadPasswordCount,sambaBadPasswordTime,sambaPasswordHistory,sambaLogonHours,sambaSID,sambaSIDList,sambaTrustFlags,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase,sambaShareName,sambaOptionName,sambaBoolOption,sambaIntegerOption,sambaStringOption,sambaStringListoption,sambaPrivilegeList
># by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
># by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
># by self read
># by * none
>## samba need to be able to create the samba domain account
>#access to dn.base="dc=internal,dc=yourdomain,dc=tld"
># by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
># by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
># by * none
>## samba need to be able to create new users account
>#access to dn="ou=Users,dc=internal,dc=yourdomain,dc=tld"
># by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
># by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
># by * none
>## samba need to be able to create new groups account
>#access to dn="ou=Groups,dc=internal,dc=yourdomain,dc=tld"
># by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
># by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
># by * none
>## samba need to be able to create new computers account
>#access to dn="ou=Computers,dc=internal,dc=yourdomain,dc=tld"
># by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
># by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
># by * none
>#
>## this can be omitted but we leave it: there could be other branch
>## in the directory
>#access to *
># by self read
># by * none
>
>
>Appendix 2 APT
>
>2.1 APT HOWTO
>
>Preparing apt for online packages.
>After installing from CD or DVD adjust your apt config.
>
>This setup makes sure you are using stable packages, that you are using
>Debian Sarge.
>
>In the apt.conf we defined the default release of debian, in this case stable (
>Sarge 3.1r0).
>The Show-Upgrade "true" is used for showing us the packages which are going
>to be installed, I like to see what I'm installing.
>
>The sources.list: if you used a CD/DVD for installing you can leave this
>line in the sources.list. This can save you bandwidth. My server is on a
>remote location and I don't use the cd anymore.
>I added the clamav as stable because I want a new clamav for virus scanning
>more info : http://www.clamav.net/binary.html
>
>The testing and unstable sources are also unmarked, so that if you really need
>a newer version of a program then you can try to create it from debian
>source.
>
>You can get the source, install programs and search by using the following
>commands:
>
>apt-get install package = get & install package
>apt-get remove package = remove package
>apt-get remove --purge package = remove and purge all files of package
>dpkg --purge package = purge all files of package
>
>apt-cache search package = search for package or part of package name
>apt-cache show package = get info over package
>dpkg-reconfigure -plow package = reconfigure with priority low ( most options )
>
>for this first cd /usr/src.
>apt-get source package = get source files of package
>
>
>2.2 Files from /etc/apt
>
>2.2.1 /etc/apt/apt.conf
>
>APT::Default-Release "stable";
>APT::Get::Show-Upgraded "true";
>// 16 MB Limit
>APT::Cache-limit 16777216;
>// if you have /tmp mounted with noexec, you need this.
>#DPkg::Pre-Install-Pkgs {"mount -o remount,exec /tmp";};
>#DPkg::Post-Invoke {"mount -o remount /tmp";};
>
>
>2.2.2 /etc/apt/preferences
>
>Package: *
>Pin: release a=stable
>Pin-Priority: 990
>
>Package: *
>Pin: release a=testing
>Pin-Priority: 500
>
>Package: *
>Pin: release a=unstable
>Pin-Priority: 50
>
>Package: *
>Pin: release a=sarge,l=debian-volatile
>Pin-Priority: 990
>
>
>2.2.3 /etc/apt/sources.list
>
># See sources.list(5) for more information, especially
># Remember that you can only use http, ftp or file URIs
># CDROMs are managed through the apt-cdrom tool.
>#-----------------------------------------------------------------
># We define the PIN which sets the priority of packages selected
># see also the apt-howto
># http://www.debian.org/doc/manuals/apt-howto/index.en.html
># and a nice howto for apt-pinning for beginners.
># http://jaqque.sbih.org/kplug/apt-pinning.html
>#-----------------------------------------------------------------
>#-----------------------------------------------------------------
># Stable PIN 990 PRODUCTION TREE
>deb ftp://ftp.nl.debian.org/debian stable main contrib non-free
>deb-src ftp://ftp.nl.debian.org/debian stable main contrib non-free
>deb http://http.us.debian.org/debian stable main contrib non-free
># Stable Security updates
>deb http://security.debian.org/ stable/updates main contrib non-free
>deb-src http://security.debian.org/ stable/updates main contrib non-free
>#------------------------------------------------------------------
>## Debian VOLATILE , used for clamav PINNED 990
>deb http://ftp.nl.debian.org/debian-volatile sarge/volatile main
>#-----------------------------------------------------------------
>#-----------------------------------------------------------------
># WARNING USE BELOW AT OWN RISK
># Testing ( PIN 500 )
>#deb ftp://ftp.nl.debian.org/debian testing main contrib non-free
>#deb-src ftp://ftp.nl.debian.org/debian testing main contrib non-free
>#deb http://http.us.debian.org/debian testing main contrib non-free
># Testing Security updates
>#deb http://security.debian.org/ testing/updates main contrib non-free
>#deb-src http://security.debian.org/ testing/updates main contrib non-free
>#-----------------------------------------------------------------
>#-----------------------------------------------------------------
># WARNING USE BELOW AT OWN RISK
># Unstable ( PIN 050 )
>#deb ftp://ftp.nl.debian.org/debian unstable main contrib non-free
>#deb-src http://ftp.nl.debian.org/debian unstable main contrib non-free
>#deb http://http.us.debian.org/debian unstable main contrib non-free
># unstable Security updates
>#deb http://security.debian.org/ unstable/updates main contrib non-free
>#deb-src http://security.debian.org/ unstable/updates main contrib non-free
>#-----------------------------------------------------------------
>#-----------------------------------------------------------------
>#### BACKPORTS to STABLE ( Debian Sarge 3.1r0 )
>## Latest Samba from samba.org
>#deb http://us4.samba.org/samba/ftp/Binary_Packages/Debian sarge samba
>#deb-src http://us2.samba.org/samba/ftp/Binary_Packages/Debian sarge samba
>
>#------------------------------------------------------------------
>## MPEG/AVI addons +W32CODECS With MPlayer
>#deb ftp://ftp.nerim.net/debian-marillat/ sarge main
>#------------------------------------------------------------------
>## www.dotdeb.org, updated php4/php5 mysql-41 mysql-50 qmail clamav etc etc.
>## check the site for the packages list.
if you want only 1 package ( >preferred ) >## change the line to #deb http://packages.dotdeb.org stable php5 for >example >#deb http://packages.dotdeb.org stable all >#deb-src http://packages.dotdeb.org stable all >#------------------------------------------------------------------ >## BootSplash ( does not work on every kernel ) www.bootsplash.de >## http://www.planamente.ch/emidio/pages/linux_howto_bootsplash.php >deb http://debian.bootsplash.de unstable main >deb-src http://debian.bootsplash.de unstable main > > > >-------------- next part -------------- # Allow LDAPv2 binds allow bind_v2 # This is the main slapd configuration file. See slapd.conf(5) for more # info on the configuration options. ####################################################################### # Global Directives: # Features to permit #allow bind_v2 # Schema and objectClass definitions include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/nis.schema include /etc/ldap/schema/inetorgperson.schema include /etc/ldap/schema/samba.schema # Schema check allows for forcing entries to # match schemas for their objectClasses's schemacheck on # Where the pid file is put. The init.d script # will not stop the server if you change this. 
pidfile /var/run/slapd/slapd.pid # List of arguments that were passed to the server argsfile /var/run/slapd.args # Read slapd.conf(5) for possible values loglevel 0 # Where the dynamically loaded modules are stored modulepath /usr/lib/ldap moduleload back_bdb TLSCACertificateFile /etc/ldap/ssl/ldap-server.pem TLSCertificateFile /etc/ldap/ssl/ldap-server.pem TLSCertificateKeyFile /etc/ldap/ssl/ldap-server.pem ####################################################################### # Specific Backend Directives for bdb: # Backend specific directives apply to this backend until another # 'backend' directive occurs backend bdb checkpoint 512 30 ####################################################################### # Specific Backend Directives for 'other': # Backend specific directives apply to this backend until another # 'backend' directive occurs #backend <other> ####################################################################### # Specific Directives for database #1, of type bdb: # Database specific directives apply to this databasse until another # 'database' directive occurs database bdb # The base of your directory in database #1 suffix "dc=rahim-dale,dc=org" rootdn "cn=admin,dc=toronto,dc=ontario,dc=ca" rootpw {MD5}hdduy/+JqjCnJjCWiKOGBQ= # Where the database file are physically stored for database #1 directory "/var/lib/ldap" # Indexing options for database #1 index objectClass,uidNumber,gidNumber eq index cn,sn,uid,displayName pres,eq,sub index memberUid,mail,givenname eq,subinitial index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq # default index index default eq # Save the time that the entry gets modified, for database #1 lastmod on # Where to store the replica logs for database #1 # replogfile /var/lib/ldap/replog # The userPassword by default can be changed # by the entry owning it if they are authenticated. 
# Others should not be able to see it, except the # admin entry below # These access lines apply to database #1 only access to attrs=userPassword by dn="cn=admin,dc=rahim-dale,dc=org" write by anonymous auth by self write by * none # Ensure read access to the base for things like # supportedSASLMechanisms. Without this you may # have problems with SASL not knowing what # mechanisms are available and the like. # Note that this is covered by the 'access to *' # ACL below too but if you change that as people # are wont to do you'll still need this if you # want SASL (and possible other things) to work # happily. access to dn.base="" by * read # The admin dn has full write access, everyone else # can read everything. access to * by dn="cn=admin,dc=rahim-dale,dc=org" write by * read # samba access list include /etc/ldap/samba-access.conf # For Netscape Roaming support, each user gets a roaming # profile for which they have write access to #access to dn=".*,ou=Roaming,o=morsnet" # by dn="cn=admin,dc=rahim-dale,dc=org" write # by dnattr=owner write ####################################################################### # Specific Directives for database #2, of type 'other' (can be bdb too): # Database specific directives apply to this databasse until another # 'database' directive occurs #database <other> # The base of your directory for database #2 #suffix "dc=debian,dc=org"
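slapd evaluates the access directives in the slapd.conf attachment above first-match: the first `access to <what>` clause whose target matches decides, so a catch-all `access to *` placed before the `include` of samba-access.conf shadows every rule in that include, and adding an entry under ou=Users needs write on the parent. The evaluator below is an added example (not code from the thread or from OpenLDAP) that applies that rule to a constructed ACL set mirroring the attachment's order; ADMIN, the user alice, the unlisted DSA dn and the report() helper are assumptions.

```python
"""First-match evaluator for slapd.conf 'access to' directives (added example).
The first 'access to <what>' clause matching the target decides, then the
first matching 'by <who>' clause sets the level; adding an entry needs write
on the parent's pseudo-attribute 'children' ("no write access to parent")."""
from dataclasses import dataclass, field
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

@dataclass
class Rule:
    dn_base: str = None      # None: any entry
    attrs: set = None        # None: any attribute, including 'children'
    by: list = field(default_factory=list)  # [(who, level), ...] in file order

def parse_acl(text):
    """Parse 'access to ... by ...' blocks; '#' comments and blank lines skipped."""
    rules, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("access to"):
            current = Rule()
            for tok in line[len("access to"):].split():
                if tok.startswith("attrs="):
                    current.attrs = set(tok[len("attrs="):].split(","))
                elif tok.startswith("dn.base="):
                    current.dn_base = tok[len("dn.base="):].strip('"')
            rules.append(current)
        elif line.startswith("by ") and current is not None:
            who, level = line[3:].rsplit(None, 1)
            current.by.append((who, level))
    return rules

def who_matches(who, bind_dn, target_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if bind_dn is None:
        return False
    if who == "self":
        return bind_dn.lower() == target_dn.lower()
    return who.startswith("dn=") and bind_dn.lower() == who[3:].strip('"').lower()

def decide(rules, bind_dn, target_dn, attr):
    """Level that bind_dn (None = anonymous) gets on attr of target_dn."""
    for rule in rules:
        if rule.dn_base is not None and rule.dn_base.lower() != target_dn.lower():
            continue
        if rule.attrs is not None and attr not in rule.attrs:
            continue
        for who, level in rule.by:
            if who_matches(who, bind_dn, target_dn):
                return level
        return "none"  # <what> matched but no <who> clause did
    return "none"

def allows(level, needed):
    return LEVELS.index(level) >= LEVELS.index(needed)

def shadowed(rules):
    """Indices of rules an earlier catch-all 'access to *' makes unreachable."""
    for i, rule in enumerate(rules):
        if rule.dn_base is None and rule.attrs is None:
            return list(range(i + 1, len(rules)))
    return []

def catch_all_last(rules):
    """Reorder so the catch-all is evaluated last (include before 'access to *')."""
    generic = [r for r in rules if r.dn_base is None and r.attrs is None]
    return [r for r in rules if r not in generic] + generic

# Constructed (assumption) ACL text in the order the attachment uses: catch-all
# first, then the rules samba-access.conf contributes through 'include'.
ADMIN = "cn=admin,dc=rahim-dale,dc=org"
PAGE_ORDER = f"""
access to dn.base=""
        by * read
access to *
        by dn="{ADMIN}" write
        by * read
# included samba-access.conf rules land after the catch-all
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
        by dn="{ADMIN}" write
        by anonymous auth
        by self write
        by * none
"""
ALICE = "uid=alice,ou=Users,dc=rahim-dale,dc=org"  # hypothetical user entry
USERS = "ou=Users,dc=rahim-dale,dc=org"

def report(rules):
    """The questions the thread raises, answered for one rule ordering."""
    unlisted = "cn=samba,ou=DSA,dc=rahim-dale,dc=org"  # a dn no rule names
    return {
        "shadowed": shadowed(rules),
        "anon_reads_nt_hash": allows(decide(rules, None, ALICE, "sambaNTPassword"), "read"),
        "admin_adds_under_users": allows(decide(rules, ADMIN, USERS, "children"), "write"),
        "unlisted_dn_adds_under_users": allows(decide(rules, unlisted, USERS, "children"), "write"),
    }
```

With the attachment's order, report(parse_acl(PAGE_ORDER)) shows the samba rule shadowed and the NT hash readable anonymously, while a bind dn the ACLs never name gets only read on ou=Users, which is exactly what "no write access to parent" reports; report(catch_all_last(...)) shows the include taking effect once it precedes the catch-all.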
I was trying to follow the howto below to get Samba-LDAP working on my
Debian/Sarge server. I'm stuck in section 5.4: when I try the
"smbpasswd -a root" I get:

semper:/etc/phpldapadmin/templates# smbpasswd -a root
New SMB password:
Retype new SMB password:
ldapsam_modify_entry: Failed to add user dn= uid=root,ou=Users,dc=rahim-dale,dc=org with: Insufficient access
        no write access to parent
ldapsam_add_sam_account: failed to modify/add user with uid = root (dn = uid=root,ou=Users,dc=rahim-dale,dc=org)
Failed to add entry for user root.
Failed to modify password entry for user root

The next two steps are:

smbldap-passwd Administrator      -- this works
smbldap-usermod -J Administrator  -- this fails

And after that nothing works. I've managed to get phpldapadmin working
(finally) but that doesn't seem to help. I can add accounts, etc., but they
don't seem to help.

When I try to get a Windows XP computer to join the domain, I get "logon
failure: unknown user name or bad password". I can browse the network from a
Windows XP machine as well, but can't connect to any network shares that have
any security on them.

I've gone through the idealx.org smb-ldap documentation and can't see
anything obvious that I'm doing wrong. Nor have I found anything in searches
that tells me any more than what the immediate error message says (basically
they seem to say it's a rights issue, so fix it, without specifying how to do
it).

Please help!

Louis van Belle wrote:
>Hi everybody,
>
>I made a pretty complete howto for samba on debian servers.
>
>This howto covers samba + ldap + cups + recycle bin + samba-vscan
>+ phpldapadmin + ACL + Extended Attributes.
>
>this howto is also based on the idealx howto
>
>If you do this setup, you should be able to use the NT4 Usermanager,
>setup Point and Print Printing, set rights from explorer etc.
>another nice tool is ldapadmin ( ldapadmin.sf.net ), a must, check it out.
>
>We will use a Debian Sarge as setup.
>If you never used Debian before, you can follow this how-to >(http://www.howtoforge.com/perfect_setup_debian_sarge ) , >please read the comment below the pages first, >this can save you time and problems or install Debian without >any software packaged, we will install them later when needed. >Checking the kernel of compile your own kernel if needed. > >I try to give a complete solution for this how-to, >this is because lots of people where asking the same things on >the samba list and lots of people make the same mistakes. > >This is my company's running setup. > >I run this on a P866, 512 Ram, Scsi Raid 1 ( 15rpms 73 Gb ) , with 50 users >25 printers which do about 150.000 prints a month. > >I thank my company to let me make this document. > > >Please if you have improvements, comments, send them to me. > >Louis van Belle > > > > > >INDEX >Page nr. > >1 Checking the kernel or compile your own kernel 3 >1.1 Preparing apt configuration 3 >1.2 Preparing the kernel 3 >1.3 setup the /etc/fstab 3 >1.4 final touch, lilo (or grub) 3 >2 Pre-installation of the debian packages 4 >2.1 Samba and Ldap 4 >2.2 basic rights setup for samba 4 >2.3 why this rights setup. 4 >3 LDAP Server configuration 5 >4 installation/configuration libnss, libpam (-ldap) 7 >5 Samba and smbldap-tools Configuration 8 >5.1 smbldap-tools installation/configuration 8 >5.2 setting up samba base config 8 >5.3 Configuring smbldap.conf 9 >5.4 set the samba ldap admin password 9 >5.5 Samba PRIVILEGES Setup 10 >6 CUPS - Printer software 11 >6.1 Setup Cups 11 >6.2 Setup Cups PDF Printer. 
- Creating a PDF Printer 11 >7 Configuring phpldapadmin 12 >7.1 installation of phpldapadmin ( and apache ) 12 >8.0 On-Access virus scanning on samba (samba-clamav) 13 >8.1 Installing ClamAV 13 >8.2 get the sources ( samba & samba-vscan ) 13 >9.0 Recycle bin on samba 14 >9.1 Recycle bin configuration 14 >Appendix 1 (complex samba-access.conf ) SETUP WITH DSA USERS 15 >Appendix 2 APT 16 >2.1 APT HOWTO 16 >2.2 Files from /etc/apt 17 >2.2.1 /etc/apt/apt.conf 17 >2.2.2 /etc/apt/preferences 17 > > > > >1 Checking the kernel or compile your own kernel >1.1 Preparing apt configuration > > for this go check out my apt howto. > > if you apt config is setup rights, follow the steps below. > > ncurses interface for compiling the kernel > apt-get install libncurses5-dev > > get the kernel source > apt-get install kernel-source-2.6.8 kernel-package > > installer right kernel and activate EXT2/3 + Extended attributes > and setup CIFS kernel support to in kernel. > >1.2 Preparing the kernel > apt-get install kernel-source-2.6.8 kernel-package fakeroot >libc6-dev libncurses5-dev > > cd /usr/src > tar -jxf kernel-source-2.6.8.tar.bz2 > ln -s /usr/src/linux /usr/src/kernel-source-2.6.8 > cp /boot/config-2.6.8-2-* /usr/src/linux/.config > cd linux > make menuconfig - File systems - Ext2/3 + extended options > also File systems - Miscellaneous filesystems - >CramFS > and File systems - Network File Systems - CIFS >support > + extended Attributes > now create the kernel and install it. > > fakeroot make-kpkg --append-to-kernel=-mykernel --initrd >kernel_image > > This create a file kernel-image-2.6.8.custom.1.0_i386.deb under > /usr/src > > dpkg -i kernel-image-2.6.8.custom.1.0_i386.deb to install the >kernel >1.3 setup the /etc/fstab > > /etc/fstab : add the acl and user_xattr to the right partition > > /dev/xxx /home ext3 defaults,acl,user_xattr > > I use /home/samba for the samba environment. > All the needed samba directories will be put here. !! > This is important ! 
> >1.4 final touch, lilo (or grub) > > lilo and reboot , login and do 'uname -a' and you wil see a line >like > this. > Linux ms249-lin-001 2.6.8-mykernel #1 Wed Jun 1 15:03:47 CEST 2005 >i686 > > Your server is now ready for samba 3. >2 Pre-installation of the debian packages >2.1 Samba and Ldap > > apt-get install slapd samba libsasl2-modules sasl2-bin openssl > db4.2-util ldap-utils samba-doc libxml-parser-perl libauthen-sasl-perl > >Configuring slapd > set an dns name - internal.yourdomain.tld > - Give it a name/description > - set that admin password for the ldap manager > ( cn=admin,dc=internal,dc=yourdomain,dc=tld > - Allow LDAPv2 protocol? yes > >Configure samba > set a domain name DOMAIN > Use password encryption? Yes > Modify smb.conf to use WINS settings from DHCP? No > How do you want to run Samba? Daemons > Create samba password database, /var/lib/samba/passdb.tdb? No !!! >else > you will end up with lots of users from debian in this password file >and you don't want that. > >Setup samba.schema file for ldap > zcat /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz > >/etc/ldap/schema/samba.schema > >In this setup I use /home/samba for the samba environment. > i use these directories. > /home/samba skel,data,profiles,netlogon,printers,spool > /home/users/ username > >2.2 basic rights setup for samba > > /home/samba 777 Administrator:Domain >Admins > /home/samba/spool 777 Administrator:Domain >Admins > /home/samba/printers 775 Administrator:Domain Admins > /home/samba/profiles 777 Administrator:Domain Admins > /home/samba/netlogon 775 Administrator:Domain Admins > /home/samba/data 775 Administrator:Domain >Admins > /home/samba/temp 777 Administrator:Domain >Admins > /home/samba/tools 755 Administrator:Domain >Admins > /home/samba/skel 755 Administrator:Domain >Admins > > >2.3 why this rights setup. > > 1 Administrator can create in complete samba environment. 
> 2 In data directories my users are not allowed to create sub dir's, >I > create one for the department, and set rights to that department, >from that point they can create directories. > 3 Profiles 777, in the samba config is a parameter defined > valid users = %u @"Domain Administrators" > Only the user and administrator can access the user profile >directories. > create mask and directory mask make sure rights are set primary to >the user. >3 LDAP Server configuration > > Configure slapd.conf, but first stop the slapd server ( >/etc/init.d/slapd stop ) > > Create ldap certificates for ssl support > mkdir /etc/ldap/tls > > ## self signed certificate > openssl req -newkey rsa:1024 -x509 -nodes -out ldap-server.pem - >keyout > ldap-server.pem -days 3650 ( where Common Name >ldap.yourdomain.tld ) > > edit /etc/ldap/slapd.conf > put these below the other line, the order of schema files must be > > correct. > insert the line "include /etc/ldap/schema/samba.schema" > > add these line before the database definition > TLSCACertificateFile /etc/ldap/ssl/ldap-server.pem > TLSCertificateFile /etc/ldap/ssl/ldap-server.pem > TLSCertificateKeyFile /etc/ldap/ssl/ldap-server.pem > >Now its time for the ldap database configuration for samba > >example of the /etc/slapd.conf ( database 1 configuration ) > >####################################################################### ># Specific Directives for database #1, of type bdb: ># Database specific directives apply to this databasse until another ># 'database' directive occurs >database bdb > ># The base of your directory in database #1 >suffix "dc=internal,dc=yourdomain,dc=tld" > >rootdn "cn=admin,dc=rotterdam,dc=bazuin,dc=nl" >rootpw {MD5}fsadsdafasfaewfw > > ## create the rootpw > ## echo rootpw `slappasswd -h {Md5}` >> /etc/ldap/slapd.conf > ># Where the database file are >physically stored for database #1 >directory "/var/lib/ldap" > ># Indexing options for database #1 >### !!!!! 
Always run slapindex(8) after changing indices!!!!!! >### and first STOP the LDAP SERVER ( /etc/init.d/slapd stop ) >index objectClass,uidNumber,gidNumber eq >index cn,sn,uid,displayName pres,eq,sub >index memberUid,mail,givenname eq,subinitial >index sambaSID,sambaPrimaryGroupSID,sambaDomainName, eq >## default index >index default eq > ># Save the time that the entry gets modified, for database #1 >lastmod on > ># Where to store the replica logs for database #1 >replogfile /var/lib/ldap/replog ># The userPassword by default can be changed ># by the entry owning it if they are authenticated. ># Others should not be able to see it, except the ># admin entry below ># These access lines apply to database #1 only >access to attrs=userPassword > by dn="cn=admin,dc=internal,dc=yourdomain,dc=tld" write > by anonymous auth > by self write > by * none > > ># Ensure read access to the base for things like ># supportedSASLMechanisms. Without this you may ># have problems with SASL not knowing what ># mechanisms are available and the like. ># Note that this is covered by the 'access to *' ># ACL below too but if you change that as people ># are wont to do you'll still need this if you ># want SASL (and possible other things) to work ># happily. >access to dn.base="" by * read > ># The admin dn has full write access, everyone else ># can read everything. 
>access to * > by dn="cn=admin,dc=internal,dc=yourdomain,dc=tld" write > by * read > ># samba access list >include /etc/ldap/samba-access.conf > >Example of the /etc/samba-access.conf ( database 1 configuration ) > >### OLD Samba no DSA users used >access to >attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdM >ustChange > by dn="cn=admin,dc=internal,dc=yourdomain,dc=tld" write > by anonymous auth > by self write > by * none > >access to attrs=loginShell > by dn="cn=admin,dc=internal,dc=yourdomain,dc=tld" write > by * none > >access to >attrs=description,telephoneNumber,roomNumber,homePhone,gecos,cn,sn,givenname > by dn="cn=admin,dc=internal,dc=yourdomain,dc=tld" write > by self write > by * read > > >See appendix 1 if you want a more secure ldap database. >!! this setup does not help you to setting this up. !! > >run slapindex >and start the slapd server >/etc/init.d/slapd start >4 installation/configuration libnss, libpam (-ldap) > >apt-get install libnss-ldap libpam-ldap > >Configuring libnss-ldap > define the host > 127.0.0.1 > distinguished name of the search base > dc=internal,dc=yourdomain,dc=tld > > LDAP version to use > 3 > database requires login > No > Make configuration readable/writeable by owner only > No > >Configuring libpam-ldap > Make local root Database admin. > Yes > Database requires logging in. > No > Root login account > cn=admin,dc=internal,dc=yourdomain,dc=tld > set your password > ( same as above for admin ) > > Local crypt to use when changing passwords > exop > >Configure nsswitch ># /etc/nsswitch.conf ># ># Example configuration of GNU Name Service Switch functionality. ># If you have the `glibc-doc' and `info' packages installed, try: ># `info libc "Name Service Switch"' for information about this file. 
> >passwd: compat ldap >group: compat ldap >shadow: compat ldap > >hosts: files dns >networks: files > >protocols: db files >services: db files >ethers: db files >rpc: db files > >netgroup: nis > > >Now test the server >ldapsearch -x -D "cn=admin,dc=internal,dc=yourdomain,dc=tld" -W >(enter the password) >if you see >result: 0 Success > >for now this is ok. >5 Samba and smbldap-tools Configuration > >5.1 smbldap-tools installation/configuration > >apt-get install smbldap-tools > >copy the default config from the example directorie. >cp /usr/share/doc/smbldap-tools/examples/smbldap_bind.conf >/etc/smbldap-tools/ > >cp /usr/share/doc/smbldap-tools/examples/smbldap.conf.gz /etc/smbldap-tools/ >cd /etc/smbldap-tools >gunzip smbldap.conf.gz > >first the easy part. > >in /etc/smbldap-tools/smbldap_bind.conf >change this to admin >slaveDN="cn=admin,dc=internal,dc=yourdomain,dc=tld" >slavePw="Yourpassword" >masterDN="cn=admin,dc=internal,dc=yourdomain,dc=tld" >masterPw="Yourpassword" > >5.2 setting up samba base config > >start with the default config >cd /etc/samba >cp /usr/share/doc/smbldap-tools/examples/smb.conf.gz /etc/samba >gunzip smb.conf.gz > >change the config to your needs >some tips using samba on a firewalled system >use the following setting, here eth0 is the internal side > > interfaces = eth0 lo > bind interfaces only = yes > >change the binary location from /opt/.. >to /usr/sbin/smbldap-.... >the smbldap-tools are installed by debian in /usr/sbin > >also in this setup /home/. must be changed to /home/samba/. >This will save you a lot of troubles with rights. > > >5.3 Configuring smbldap.conf > >first we need to get some samba info > >net getlocalsid > >SID for domain SERVERNAME is: S-1-5-21-2074673303-3377769770-2933042573 >change the SID in smbldap.conf in the your sid. 
> > >change the suffix to your suffix (dc=internal,dc=yourdomain,dc=tld) >change the hash_encryption to MD5 >change userLoginShell="bin/nologin" >and you nologin, because im Configuring ldap for samba only. >set the home directory ( in my case /home/users/%U ) >set the other to your needs. > > >5.4 set the samba ldap admin password > >smbpasswd -w ldapadmin_password >Setting stored password for "cn=admin,dc=internal,dc=yourdomain,dc=tld" in >secrets.tdb > >now we go fill the ldap database with the base setup. > >smbldap-populate -a Administrator -b nobody -u 2000 -g 2000 > >users are created with uid => 2000 >groups are created with gid => 2000 > > >!!!! DO NOT RUN THIS IF YOU ALREADY CREATED USERS. YOUR UID/GID's WILL GET >MESSED UPPED. > >smbpasswd -a root >because root is needed for setting up the Privileges. > >Now set the Administrator password and enable this user >smbldap-passwd Administrator >smbldap-usermod -J Administrator > > >5.5 Samba PRIVILEGES Setup > >First check you rights and get to know the commands. > >net rpc rights list accounts list users >net rpc rights list list defined rights. > >to get what for rights are defined and users/groups > >IF you use a PDC/BDC setup these commands must be done on both servers!! 
> >test these commands: > >net rpc group >(output) >Domain Admins >Domain Users >Domain Guests >Domain Computers > >or > >( see next page ) > >slapcat | grep Group | grep dn > >(output) >dn: ou=Groups,dc=internal,dc=yourdomain,dc=tld >dn: cn=Domain Admins,ou=Groups,dc=internal,dc=yourdomain,dc=tld >dn: cn=Domain Users,ou=Groups,dc=internal,dc=yourdomain,dc=tld >dn: cn=Domain Guests,ou=Groups,dc=internal,dc=yourdomain,dc=tld >dn: cn=Domain Computers,ou=Groups,dc=internal,dc=yourdomain,dc=tld >dn: cn=Administrators,ou=Groups,dc=internal,dc=yourdomain,dc=tld >dn: cn=Print Operators,ou=Groups,dc=internal,dc=yourdomain,dc=tld >dn: cn=Backup Operators,ou=Groups,dc=internal,dc=yourdomain,dc=tld >dn: cn=Replicators,ou=Groups,dc=internal,dc=yourdomain,dc=tld > > >these are the privileges on samba 3.0.14a ( debian ) > >Privilege Description >SeMachineAccountPrivilege Add machines to domain >SePrintOperatorPrivilege Manage printers >SeAddUsersPrivilege Add users and groups to the domain >SeRemoteShutdownPrivilege Force shutdown from a remote system >SeDiskOperatorPrivilege Manage disk share > > >give the "Domain Admins" all of the SE Rights. >( -S Servernaam -U Username%Password ) > >net -S PDC -U root%Password rpc rights grant "DOMAIN\Domain Admins" \ > SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege \ > SeDiskOperatorPrivilege SeRemoteShutdownPrivilege > > >Give the "Printer Operators" all Print manage rights. >( -S Servernaam -U Username%Password ) > >net -S PDC -U root%Password rpc rights grant "DOMAIN\Print Operators" >SePrintOperatorPrivilege >6 CUPS - Printer software > >apt-cache search cups to get the info which packages are available > >I installed these packages. >apt-get install cups-pdf cupsys cupsys-bsd cupsys-pt cupsys-client \ >foomatic-bin foomatic-filters cupsys-driver-gimpprint gs-esp ( and >dependencies ) > >Configuring cupsys-bsd > Do you want to set up the BSD lpd compatibility server? Yes > all others leave default. 
> >6.1 Setup Cups /etc/cups/cups.conf > > here locate the lines Allow From 127.0.0.1 > and change it to your network so you can login on the cups web >interface. > for example: > Allow from 192.168.( this way I can manage it from 2 departments. ) > (192.168.1.x and 168.192.2.x ) > > now you can logon on http://serverip:631/ > make it safer to manage by adding a user to lpadmin group > and this user can create printer queues > > I create printers with the following options. > socket://printerIPnumber:9100 ( for hp jetdirect ), Raw, >Raw_queue > > I only use cups as spooler for windows pc's and *nix servers. > > First we are going to create 1 printer device and this is the CUPS >PDF Printer. > > >6.2 Setup Cups PDF Printer. - Creating a PDF Printer > > With this printer you can create PDF files bij just printing to it. > > - logon the web interface and choose add printer. > Name:pdf_printer > Location: %homedir%\cups-pdf > Description: pdf created in homedir\cups-pdf > Continue > - Device: Virtual Printer(PDF printer) choose it, its below, > Continue > - Choose the model/Driver for PDF_printer, Postscript, > Continue > > klik on manage printers to see what you have created. > klik on Print Test Page to test the pdf printer. > > a file is put in the cups-pdf directory of the user you logged on >with. > > > > > >7 Configuring phpldapadmin > >7.1 installation of phpldapadmin ( and apache ) > > get the packages > apt-get install phpldapadmin php4 apache > > What is your LDAP server host address? 127.0.0.1 > ( you the ip/hostname where the ldapserver is ) > > ldaps protocol instead of ldap? No > > What is the distinguished name of the search base? > dc=internal,dc=youdomain,dc=tld > > Which type of authentication you want to use? session > > What is the login dn for the LDAP server? > cn=admin,dc=internal,dc=yourdomain,dc=tld > > Which web server would you like to reconfigure automatically? > select all and press OK. 
> > restart webservers now: Yes > >8.0 On-Access virus scanning on samba (samba-clamav) >8.1 Installing ClamAV > > apt-get install clamav arj unzoo lha clamav-freshclam clamav-daemon > Configuring clamav-freshclam : Daemon > Choose a close mirror > Should clamd be notified after updates? Yes >8.2 get the sources ( samba & samba-vscan ) > > mkdir /usr/src/sources > cd /usr/src/sources > > apt-get install dpkg-dev > apt-get source samba > apt-get build-dep samba > > cd samba-3.0-14a > vi source/include/version.h > > here remove the a from the 14 ( 3.0.14a => 3.0.14 ) > > ./debian/rules configure-stamp > cd source > ./make proto > cd ../.. > > wget >http://switch.dl.sourceforge.net/sourceforge/openantivirus/samba-vscan-0.3.6 >b.tar.bz2 > > tar xjvf samba-vscan-0.3.6b.tar.bz2 > > cd samba-vscan-0.3.6b > ./configure >--with-samba-source=/usr/src/sources/samba-3.0.14a/source > make && make install > > cp clamav/vscan-clamav.conf /etc/samba/samba-vscan-clamav.conf > change in the samba-vscan-clamav.conf > clamd socket name = /var/run/clamav/clamd.ctl > infected spins action = quarantine ( or delete , which I choose.) > > When I put that lines in my smb.conf file, I can't access the share >: > vfs object = vscan-clamav > vscan-clamav: config-file = /etc/samba/samba-vscan-clamav.conf > > An example: > [public] > comment = Public Directory > path = /home/public > vfs object = vscan-clamav > vscan-clamav: config-file = /etc/samba/samba-vscan-clamav.conf > > !!! BEWARE !!!! if samba upgrade to a higer version you MUST >recompile > your samba-vscan. set samba to hold for no upgrade. > > echo packagename hold | dpkg --set-selections set to hold > echo packagename install | dpkg --set-selections set to install >9.0 Recycle bin on samba >9.1 Recycle bin configuration > > configure samba for using the recycle bin. > I made my manager happy with this. > > create a file in /etc/samba > and fill it with the options below. 
> > /etc/samba/samba-recycle.conf > > name = .recycle > mode = KEEP_DIRECTORIES|VERSIONS|TOUCH > maxsize = 0 > exclude = *.tmp|*.temp|*.o|*.obj|~$*|*.~??|~*.tmp > excludedir = /tmp|/temp|/cache > noversions = *.doc|*.xls|*.ppt > > add this to you share, same as vscan. > > vfs object = recycle > recycle: config-files = /etc/samba/samba-recycle.conf > > create a recycle bin directorie and hide it for the users. > > I created .recycle this way ( because of the dot) users don't see >this > IF.. you don't set you explorer to view hidden files. > >restart samba and your done. > >You are ready to use your samba server. > > > >Appendix 1 (complex samba-access.conf ) SETUP WITH DSA USERS >see http://www.idealx.org/prj/samba/smbldap-howto.en.html >#### users can authenticate and change their password >#access to >attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdM >ustChange ># by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write ># by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld" >write ># by dn="cn=nssldap,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write ># by self write ># by anonymous auth ># by * none ># some attributes need to be readable anonymously so that 'id user' can >answer correctly >##access to >attrs=objectClass,entry,homeDirectory,uid,uidNumber,gidNumber,memberUid ># by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write ># by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld" >write ># by * read ># somme attributes can be writable by users themselves >##access to >attrs=description,telephoneNumber,roomNumber,homePhone,loginShell,gecos,cn,s >n,givenname ># by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write ># by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld" >write ># by self write ># by * read >## some attributes need to be writable for samba >#access to >attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,samb 
>aLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcctF >lags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfileP >ath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,s >ambaMungedDial,sambaBadPasswordCount,sambaBadPasswordTime,sambaPasswordHisto >ry,sambaLogonHours,sambaSID,sambaSIDList,sambaTrustFlags,sambaGroupType,samb >aNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase,sambaSha >reName,sambaOptionName,sambaBoolOption,sambaIntegerOption,sambaStringOption, >sambaStringListoption,sambaPrivilegeList ># by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write ># by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld" >write ># by self read ># by * none >## samba need to be able to create the samba domain account >#access to dn.base="dc=internal,dc=yourdomain,dc=tld" ># by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write ># by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld" >write ># by * none >## samba need to be able to create new users account >#access to dn="ou=Users,dc=internal,dc=yourdomain,dc=tld" ># by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write ># by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld" >write ># by * none >## samba need to be able to create new groups account >#access to dn="ou=Groups,dc=internal,dc=yourdomain,dc=tld" ># by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write ># by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld" >write ># by * none >## samba need to be able to create new computers account >#access to dn="ou=Computers,dc=internal,dc=yourdomain,dc=tld" ># by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write ># by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld" >write ># by * none ># >## this can be omitted but we leave it: there could be other branch >## in the directory >#access to * ># by self read ># by * none > > >Appendix 2 APT > 
> 2.1 APT HOWTO
>
> Preparing apt for online packages.
> After installing from CD or DVD, adjust your apt config.
>
> This setup makes sure you are using stable packages, i.e. that you are using Debian Sarge.
>
> In apt.conf we defined the default release of Debian, in this case stable (Sarge 3.1r0).
> The Show-Upgraded "true" is used for showing us the packages which are going to be installed; I like to see what I'm installing.
>
> The sources.list: if you used a CD/DVD for installing, you can leave that line in the sources.list. This can save you bandwidth. My server is on a remote location and I don't use the cd anymore.
> I added the clamav source as stable because I want a new clamav for virus scanning. More info: http://www.clamav.net/binary.html
>
> The testing and unstable sources are also listed (commented out), so that if you really need a newer version of a program you can try to build it from Debian source.
>
> You can get the source, install programs and search by using the following commands:
>
> apt-get install package          = get & install package
> apt-get remove package           = remove package
> apt-get remove --purge package   = remove and purge all files of package
> dpkg --purge package             = purge all files of package
>
> apt-cache search package         = search for package or part of package name
> apt-cache show package           = get info on package
> dpkg-reconfigure -plow package   = reconfigure with priority low (most options)
>
> For this, first cd /usr/src.
> apt-get source package           = get source files of package
>
>
> 2.2 Files from /etc/apt
>
> 2.2.1 /etc/apt/apt.conf
>
> APT::Default-Release "stable";
> APT::Get::Show-Upgraded "true";
> // 16 MB Limit
> APT::Cache-Limit 16777216;
> // if you have /tmp mounted with noexec, you need this.
> #DPkg::Pre-Install-Pkgs {"mount -o remount,exec /tmp";};
> #DPkg::Post-Invoke {"mount -o remount /tmp";};
>
>
> 2.2.2 /etc/apt/preferences
>
> Package: *
> Pin: release a=stable
> Pin-Priority: 990
>
> Package: *
> Pin: release a=testing
> Pin-Priority: 500
>
> Package: *
> Pin: release a=unstable
> Pin-Priority: 50
>
> Package: *
> Pin: release a=sarge,l=debian-volatile
> Pin-Priority: 990
>
>
> 2.2.3 /etc/apt/sources.list
>
> # See sources.list(5) for more information, especially
> # Remember that you can only use http, ftp or file URIs
> # CDROMs are managed through the apt-cdrom tool.
> #-----------------------------------------------------------------
> # We defined the PIN which sets the priority of package selection
> # see also the apt-howto
> # http://www.debian.org/doc/manuals/apt-howto/index.en.html
> # and a nice howto for apt-pinning for beginners.
> # http://jaqque.sbih.org/kplug/apt-pinning.html
> #-----------------------------------------------------------------
> #-----------------------------------------------------------------
> # Stable PIN 990 PRODUCTION TREE
> deb ftp://ftp.nl.debian.org/debian stable main contrib non-free
> deb-src ftp://ftp.nl.debian.org/debian stable main contrib non-free
> deb http://http.us.debian.org/debian stable main contrib non-free
> # Stable Security updates
> deb http://security.debian.org/ stable/updates main contrib non-free
> deb-src http://security.debian.org/ stable/updates main contrib non-free
> #------------------------------------------------------------------
> ## Debian VOLATILE, used for clamav, PINNED 990
> deb http://ftp.nl.debian.org/debian-volatile sarge/volatile main
> #-----------------------------------------------------------------
> #-----------------------------------------------------------------
> # WARNING USE BELOW AT OWN RISK
> # Testing ( PIN 500 )
> #deb ftp://ftp.nl.debian.org/debian testing main contrib non-free
> #deb-src ftp://ftp.nl.debian.org/debian testing main contrib non-free
> #deb http://http.us.debian.org/debian testing main contrib non-free
> # Testing Security updates
> #deb http://security.debian.org/ testing/updates main contrib non-free
> #deb-src http://security.debian.org/ testing/updates main contrib non-free
> #-----------------------------------------------------------------
> #-----------------------------------------------------------------
> # WARNING USE BELOW AT OWN RISK
> # Unstable ( PIN 050 )
> #deb ftp://ftp.nl.debian.org/debian unstable main contrib non-free
> #deb-src http://ftp.nl.debian.org/debian unstable main contrib non-free
> #deb http://http.us.debian.org/debian unstable main contrib non-free
> # Unstable Security updates
> #deb http://security.debian.org/ unstable/updates main contrib non-free
> #deb-src http://security.debian.org/ unstable/updates main contrib non-free
> #-----------------------------------------------------------------
> #-----------------------------------------------------------------
> #### BACKPORTS to STABLE ( Debian Sarge 3.1r0 )
> ## Latest Samba from samba.org
> #deb http://us4.samba.org/samba/ftp/Binary_Packages/Debian sarge samba
> #deb-src http://us2.samba.org/samba/ftp/Binary_Packages/Debian sarge samba
>
> #------------------------------------------------------------------
> ## MPEG/AVI addons + W32CODECS with MPlayer
> #deb ftp://ftp.nerim.net/debian-marillat/ sarge main
> #------------------------------------------------------------------
> ## www.dotdeb.org: updated php4/php5, mysql-41, mysql-50, qmail, clamav etc.
> ## Check the site for the packages list. If you want only 1 package (preferred),
> ## change the line to "deb http://packages.dotdeb.org stable php5" for example.
> #deb http://packages.dotdeb.org stable all
> #deb-src http://packages.dotdeb.org stable all
> #------------------------------------------------------------------
> ## BootSplash ( does not work on every kernel ) www.bootsplash.de
> ## http://www.planamente.ch/emidio/pages/linux_howto_bootsplash.php
> deb http://debian.bootsplash.de unstable main
> deb-src http://debian.bootsplash.de unstable main
>
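The slapd access list in Appendix 1 is the security-critical piece of this whole setup: the NT and LM hashes in sambaNTPassword/sambaLMPassword are password equivalents, and slapd evaluates `access to` clauses in file order, first match wins, so one stray `by * read` or one password clause placed after the "readable for 'id user'" clause hands those hashes to every LDAP client. The script below is an added example, not part of the quoted howto or of OpenLDAP: it implements the slapd.access(5) evaluation order for the `<what>`/`<who>` forms the appendix uses (first matching clause, first matching `by`, implicit `by * none`) and runs the checks a practitioner wants to hold over a constructed excerpt of that ACL. The DSA names and base DN are the howto's; the users uid=alice and uid=bob are made up.

```python
"""Evaluate a slapd.conf access list offline (subset of slapd.access(5)).
First matching 'access to' clause wins, then the first matching 'by' clause;
no match means deny. Example code, not part of the howto or of OpenLDAP."""
import shlex

LEVELS = {"none": 0, "disclose": 1, "auth": 2, "compare": 3,
          "search": 4, "read": 5, "write": 6}
BASE = "dc=internal,dc=yourdomain,dc=tld"

# Constructed excerpt of the howto's Appendix 1 ACL: comment marks removed,
# some 'by' lines and the long list of samba attributes left out.
SAMPLE_ACL = f"""
# users can authenticate and change their password
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
        by dn="cn=samba,ou=DSA,{BASE}" write
        by dn="cn=smbldap-tools,ou=DSA,{BASE}" write
        by dn="cn=nssldap,ou=DSA,{BASE}" write
        by self write
        by anonymous auth
        by * none
# posix attributes readable by everyone so that 'id user' works
access to attrs=objectClass,entry,homeDirectory,uid,uidNumber,gidNumber,memberUid
        by dn="cn=samba,ou=DSA,{BASE}" write
        by * read
# samba needs to create user accounts under ou=Users
access to dn="ou=Users,{BASE}"
        by dn="cn=samba,ou=DSA,{BASE}" write
        by * none
access to *
        by self read
        by * none
"""


def parse_acl(text):
    """Return [(what, [(who, level), ...]), ...] in file order."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and logical:          # slapd.conf continuation line
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    rules = []
    for line in logical:
        tok = shlex.split(line)                   # strips the quotes of dn="..."
        nby = len(tok) // 3 - 1
        if tok[:2] != ["access", "to"] or len(tok) % 3 or tok[3::3] != ["by"] * nby:
            raise ValueError("unsupported directive: " + line)
        if any(lvl not in LEVELS for lvl in tok[5::3]):
            raise ValueError("unsupported access level in: " + line)
        rules.append((tok[2], list(zip(tok[4::3], tok[5::3]))))
    return rules


def _what_matches(what, target_dn, attr):
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr.lower() in what[6:].lower().split(",")
    if what.startswith(("dn=", "dn.base=")):      # exact DN, every attribute of it
        return target_dn.lower() == what.split("=", 1)[1].lower()
    raise ValueError("unsupported <what>: " + what)


def _who_matches(who, req_dn, target_dn):
    if who == "*" or (who == "anonymous" and req_dn is None) or (who == "users" and req_dn):
        return True
    if who == "self":
        return req_dn is not None and req_dn.lower() == target_dn.lower()
    if who.startswith("dn="):
        return req_dn is not None and req_dn.lower() == who[3:].lower()
    return False                                  # unsupported <who> forms never match


def allowed(rules, req_dn, target_dn, attr, level):
    """Does req_dn (None = anonymous bind) get `level` on attr of target_dn?"""
    for what, by in rules:
        if not _what_matches(what, target_dn, attr):
            continue
        for who, granted in by:
            if _who_matches(who, req_dn, target_dn):
                return LEVELS[granted] >= LEVELS[level]
        return False                              # implicit 'by * none' ends each clause
    return False                                  # nothing matched: implicit deny


def audit(rules):
    """Checks a practitioner wants to hold before exposing the directory."""
    samba = f"cn=samba,ou=DSA,{BASE}"
    alice, bob = f"uid=alice,ou=Users,{BASE}", f"uid=bob,ou=Users,{BASE}"  # made-up users
    return {
        "anon_reads_nt_hash": allowed(rules, None, alice, "sambaNTPassword", "read"),
        "peer_reads_nt_hash": allowed(rules, bob, alice, "sambaNTPassword", "read"),
        "anon_can_bind": allowed(rules, None, alice, "userPassword", "auth"),
        "self_changes_pw": allowed(rules, alice, alice, "userPassword", "write"),
        "anon_reads_uidnumber": allowed(rules, None, alice, "uidNumber", "read"),
        "samba_creates_users": allowed(rules, samba, f"ou=Users,{BASE}", "children", "write"),
    }


if __name__ == "__main__":
    for check, ok in audit(parse_acl(SAMPLE_ACL)).items():
        print(f"{check:22s} {'yes' if ok else 'no'}")
```

The two hash checks must come out "no" and the other four "yes". Note what `by anonymous auth` buys: an anonymous client may use userPassword to bind (simple bind compares against it) but cannot read it, which is exactly what libnss-ldap/libpam-ldap need. Against the live server the same thing is verified with an anonymous `ldapsearch -x -b "$BASE" uid=alice sambaNTPassword`: the entry may come back, the attribute must not.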