<div dir="ltr">
<div>Hi list,</div>
<div><br></div>
<div>I made some tests and got a working samba/ldap/kerberos configuration.</div>
<div><br></div>
<div>Here are already some snippets for testing.</div>
<div>Next week, I will work on getting them automated into debian-lan's fai.</div>
<div>Please leave me some time for that :)</div>
<div><br></div>
<div>Now I will look at:</div>
<div>- pam-synccr</div>
<div>- syncing the autofs locally (and I'm a bit stuck with autofs for now).</div>
<div>- getting an additional share in autofs ldap (I made some attempts but still cannot get the adequate ldap configuration for an additional share, e.g. /lan/mainserver/group0).</div>
<div>- generating the ldap cn=config and the required ldifs for the whole stuff.</div>
<div><br></div>
<div>Caveats:</div>
<div>Parameters are surely not optimal yet. It's a first attempt.</div>
<div>Currently the "domain" configuration is not complete (regarding groups, ...). The goal was to provide network access to MS clients. I will dig further into that point.</div>
<div>I skipped the integration of smbldap-tools as they seem to be quite deprecated within wheezy. Thereby the populate part can be done directly with an ldif and the user management should be left to gosa.</div>
<div><br></div>
<div>----</div>
<div><br></div>
<div>SERVER_A SIDE:</div>
<div><br></div>
<pre>aptitude install gosa-plugin-samba

mkdir -v -m 1777 /srv/nfs4/home0/profiles
mkdir -v -m 1777 /srv/nfs4/home0/netlogon
mkdir -m 755 /srv/nfs4/home0/group</pre>
<div><br></div>
<div>smb.conf:</div>
<pre> dos charset = CP932
 display charset = UTF-8
 workgroup = INTERN
 realm = INTERN
 server string = %h server
 security = ADS
 map to guest = Bad User
 obey pam restrictions = Yes
 passwd program = /usr/bin/passwd %u
 passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
 unix password sync = Yes
 dedicated keytab file = /etc/krb5.keytab.cifs
 kerberos method = dedicated keytab
 syslog = 4
 log file = /var/log/samba/log.%m
 max log size = 1000
 name resolve order = wins lmhosts host bcast
 time server = Yes
 socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=65536 SO_RCVBUF=65536
 printcap name = cups
 logon drive = H:
 domain logons = Yes
 os level = 35
 preferred master = Yes
 domain master = Yes
 dns proxy = No
 wins support = Yes
 usershare allow guests = No
 panic action = /usr/share/samba/panic-action %d
 template shell = /bin/bash
 winbind enum users = Yes
 winbind enum groups = Yes
 idmap config * : backend = tdb
 admin users = admin, root
 map acl inherit = Yes
 use sendfile = Yes
 cups options = "raw"
 force printername = Yes
 case sensitive = No
 strict locking = No
 dos filetime resolution = Yes
 fake directory create times = Yes

[homes]
 comment = Home Directories
 valid users = %S
 read only = No
 create mask = 0700
 directory mask = 0700
 browseable = No

[netlogon]
 comment = Network Logon Service
 path = /srv/nfs4/home0/netlogon
 guest ok = Yes

[profiles]
 comment = Users profiles
 path = /srv/nfs4/home0/profiles
 create mask = 0600
 directory mask = 0700
 browseable = No

[printers]
 comment = All Printers
 path = /var/spool/samba
 printable = Yes
 print ok = Yes
 browseable = No

[print$]
 comment = Printer Drivers
 path = /var/lib/samba/printers

[group]
 comment = Internal Share
 path = /lan/mainserver/home0/group
 read only = No
 create mask = 0660
 directory mask = 0770
 browseable = No</pre>
<div><br></div>
<div>slapd.conf:</div>
<pre>#access to attrs=userPassword
# by anonymous auth
# by self write
# by * none

access to attrs=userPassword,shadowLastChange,sambaLMPassword,sambaNTPassword,sambaPwdMustChange,sambaPwdLastSet
 by anonymous auth
 by self write
 by * none

# add indexes
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq</pre>
<div><br></div>
<div>kerberos conf:</div>
<pre>## to add in /srv/fai/config/scripts/KDC_LDAP/10-slapd-KDC

kadmin.local -q "addprinc -randkey cifs/mainserver.intern"
kadmin.local -q "ktadd -k /etc/krb5.keytab.cifs cifs/mainserver.intern"</pre>
<div><br></div>
<div>/etc/security/limits.conf:</div>
<pre># append to avoid samba warnings.
* soft nofile 16384
* hard nofile 16384</pre>
<div><br></div>
<div><br></div>
<div>CLIENT_A SIDE:</div>
<div><br></div>
<div>Packages added to browse samba shares from within thunar:</div>
<pre>gvfs gvfs-backends gvfs-bin gvfs-common gvfs-daemons gvfs-fuse gvfs-libs</pre>
<div>And for default samba connectivity:</div>
<pre>smbclient</pre>
<div><br></div>
<div>To test from the command line, log in as a user on workstationXX, then:</div>
<pre>kinit
smbclient -k \\\\mainserver.intern\\$YOURUSER</pre>
<div><br></div>
<div>Now, I start testing a real MS client.</div>
<div><br></div>
<div>Thanks for your comments and reports.</div>
<div><br></div>
<div>Julien</div>
</div>
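<div>The smb.conf above combines <code>map to guest = Bad User</code>, an <code>admin users</code> list and a guest-accessible [netlogon] share, which is where a reviewer of such a configuration would look first. As an added example (not code from the original mail or from the debian-lan project), the following Python script parses an smb.conf in the posted format and lists the settings that widen access; the embedded excerpt is a constructed subset of the configuration above, and the mask defaults are the Samba 3 ones.</div>

```python
# Constructed excerpt of the smb.conf posted above, not the full file.
SMB_CONF = """\
[global]
 map to guest = Bad User
 admin users = admin, root
[netlogon]
 path = /srv/nfs4/home0/netlogon
 guest ok = Yes
[group]
 path = /lan/mainserver/home0/group
 read only = No
 create mask = 0660
 directory mask = 0770
"""
YES = ("yes", "true", "1")
DEFAULT_MASK = {"create mask": "0744", "directory mask": "0755"}  # Samba 3 defaults

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {key: value}}, keys lowercased."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            conf.setdefault(section, {})
        elif section and "=" in line:
            key, _, val = line.partition("=")
            conf[section][" ".join(key.lower().split())] = val.strip()
    return conf

def audit(conf):
    """Return [(section, finding)] for settings that widen access."""
    out, g = [], conf.get("global", {})
    if g.get("map to guest", "never").lower() != "never":
        out.append(("global", "map to guest = %s: unknown usernames are mapped to the guest account" % g["map to guest"]))
    if g.get("admin users"):
        out.append(("global", "admin users (%s) act as root on every share" % g["admin users"]))
    for name, share in conf.items():
        if name == "global":
            continue
        if share.get("guest ok", "no").lower() in YES:
            out.append((name, "guest ok = Yes: anonymous access to the share"))
        # Only 'read only' is consulted; the writable/writeable synonyms are ignored.
        writable = share.get("read only", "yes").lower() not in YES
        for key, default in DEFAULT_MASK.items():
            mask = share.get(key, default)
            if writable and int(mask, 8) & 0o002:
                out.append((name, "%s = %s is world-writable" % (key, mask)))
    return out
```

Running <code>audit(parse_smb_conf(open("/etc/samba/smb.conf").read()))</code> on the real file reports the guest share and the two global settings, while [group] with its 0660/0770 masks produces no finding.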