Installing a test server

  1. We have unattended installs that create a Debian Lenny with accounts, firewalling, logging, yada yada yada. We run such an install on a virtual machine.

  2. We use XFS under Samba, and on this test machine, we steal /srv, and convert it to XFS...

    admin@testserver:~$ sudo umount /srv
    admin@testserver:~$ sudo apt-get install xfsprogs dmsetup
    admin@testserver:~$ sudo sed -i -s '/\/srv/ { s%/srv%/lwphome% ; s%ext3%xfs% ; s%defaults%relatime,uquota,pquota% }' /etc/fstab
    admin@testserver:~$ grep xfs /etc/fstab
    /dev/mapper/lwp17-lvsrv /lwphome            xfs    relatime,uquota,pquota        0       2
    admin@testserver:~$ sudo mkfs.xfs -f /dev/mapper/lwp17-lvsrv
    meta-data=/dev/mapper/lwp17-lvsrv isize=256    agcount=4, agsize=156160 blks
    =                       sectsz=512   attr=2
    data     =                       bsize=4096   blocks=624640, imaxpct=25
    =                       sunit=0      swidth=0 blks
    naming   =version 2              bsize=4096
    log      =internal log           bsize=4096   blocks=2560, version=2
    =                       sectsz=512   sunit=0 blks, lazy-count=0
    realtime =none                   extsz=4096   blocks=0, rtextents=0
    admin@testserver:~$ sudo mkdir /lwphome
    admin@testserver:~$ sudo mount -a
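
The sed one-liner in step 2 edits /etc/fstab in place, so a typo there leaves the machine unable to mount its filesystems at boot. The script below is an added example, not part of the original page: it applies the same substitutions to a copy of fstab and verifies the outcome (exactly one /lwphome entry, type xfs, both quota options present, no leftover /srv entry) before anything is written to the real file. The sample fstab it writes is constructed for illustration; only the lwp17 device names are taken from the page.

```shell
#!/bin/sh
# Added example (not from the original page): rehearse the step 2 fstab rewrite
# on a copy and verify the result before touching the real /etc/fstab.

# convert_srv_entry IN OUT: copy IN to OUT, rewriting the /srv entry into an XFS
# mount on /lwphome with quota options (the same substitutions as the page's sed).
convert_srv_entry() {
    sed '/\/srv/ { s%/srv%/lwphome% ; s%ext3%xfs% ; s%defaults%relatime,uquota,pquota% }' \
        "$1" > "$2"
}

# check_lwphome_entry FILE: succeed only if FILE has exactly one /lwphome entry,
# it is xfs, its options include uquota and pquota, and no /srv entry remains.
check_lwphome_entry() {
    f="$1"
    n=$(grep -c '[[:space:]]/lwphome[[:space:]]' "$f" || true)
    if [ "$n" -ne 1 ]; then
        echo "expected one /lwphome entry, found $n" >&2; return 1
    fi
    line=$(grep '[[:space:]]/lwphome[[:space:]]' "$f")
    set -- $line          # $1 device, $2 mountpoint, $3 fstype, $4 options
    if [ "$3" != xfs ]; then
        echo "/lwphome is $3, not xfs" >&2; return 1
    fi
    for opt in uquota pquota; do
        case ",$4," in
            *,"$opt",*) ;;
            *) echo "option $opt missing from '$4'" >&2; return 1 ;;
        esac
    done
    if grep -q '[[:space:]]/srv[[:space:]]' "$f"; then
        echo "a /srv entry is still present" >&2; return 1
    fi
    return 0
}

# make_sample_fstab FILE: write a constructed fstab resembling the page's machine.
make_sample_fstab() {
    cat > "$1" <<'EOF'
# /etc/fstab (constructed sample, not copied from a real host)
proc                     /proc   proc    defaults          0  0
/dev/mapper/lwp17-lvroot /       ext3    errors=remount-ro 0  1
/dev/mapper/lwp17-lvsrv  /srv    ext3    defaults          0  2
/dev/mapper/lwp17-lvswap none    swap    sw                0  0
EOF
}

# Dry run on a copy; the verified file can then be reviewed and copied over /etc/fstab.
work=$(mktemp -d)
make_sample_fstab "$work/fstab.orig"
convert_srv_entry "$work/fstab.orig" "$work/fstab.new"
if check_lwphome_entry "$work/fstab.new"; then
    echo "rewrite verified:"; grep lwphome "$work/fstab.new"
fi
rm -rf "$work"
```

Run it against a copy of the real file (convert_srv_entry /etc/fstab /tmp/fstab.new, then check_lwphome_entry /tmp/fstab.new) and only copy the result back once the check passes; the sed address matches any line containing /srv, so a host with more than one such entry will fail the single-entry check rather than silently rewriting all of them.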

  3. Since our new Samba will have to come from the backports repository, we'll add that:

    admin@testserver:~$ sudo apt-get update
    admin@testserver:~$ sudo apt-get dist-upgrade
    admin@testserver:~$ sudo sh -c 'echo "deb lenny-backports main contrib non-free" > /etc/apt/sources.list.d/lenny-backports.list'
    admin@testserver:~$ sudo apt-get install debian-backports-keyring
    admin@testserver:~$ sudo apt-get update
    admin@testserver:~$ sudo apt-get dist-upgrade

    At this point, no packages should be listed for upgrade, because the default release is still lenny, not lenny-backports; only packages explicitly requested with -t lenny-backports will come from there.

  4. Install Samba from backports:

    admin@testserver:~$ sudo apt-get install samba -t lenny-backports

    1. In order for the Samba server to work, the accounts the Samba clients log in with must be known as system users on the server, i.e. getent must be able to resolve them. We install the packages:

      admin@testserver:~$ sudo DEBIAN_FRONTEND=noninteractive apt-get --yes install libpam-ldap libpam-ccreds libnss-ldap libnss-db ca-certificates nss-updatedb

      ... configure /etc/nsswitch.conf:

      passwd:         files db
      group:          files db
      shadow:         files ldap

      ... configure /etc/ldap/ldap.conf:

      SIZELIMIT   0
      TIMELIMIT   0
      URI         ldaps://
      BASE        ou=my,o=domain,c=nl
      TLS_CACERT  /etc/ssl/certs/ca-certificates.crt
      TLS_REQCERT allow

      ... configure /etc/libnss-ldap.conf:

      debug 10
      uri ldaps://
      ldap_version 3
      bind_policy soft
      timelimit 10
      bind_timelimit 6
      ssl on
      tls_checkpeer no
      tls_cacertfile /etc/ssl/certs/ca-certificates.crt
      base ou=my,o=domain,c=nl
      scope sub
      binddn cn=accounter,ou=my,o=domain,c=nl
      bindpw verysecretofcourse
      pam_login_attribute uid
      pam_password md5
      pam_min_uid 70000
      pam_max_uid 9999999999

      ... update the credentials cache:

      admin@testserver:~$ sudo /usr/sbin/nss_updatedb ldap > /dev/null 2>&1

      ... and test whether it works (it does):

      admin@testserver:~$ getent passwd p217811

  5. In /etc/samba/smb.conf, set ldap ssl to no:

    ldap ssl = no
    passdb backend = ldapsam:ldaps://

    This is necessary because the LDAP URI already specifies ldaps://. With ldap ssl set to yes, the Samba daemon would try to start the TLS layer a second time on an already encrypted connection; the resulting error would be harmless to the communication itself, but the Samba daemon drops the connection because of it anyway.

    ... now create /var/lib/samba/secrets.tdb by using:

    admin@testserver:~$ sudo smbpasswd -w verysupersecretpasswd
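
Steps 4 and 5 leave several client-side settings on the test machine that are convenient for a lab but should be reviewed before the same unattended install produces a production server: tls_checkpeer no and TLS_REQCERT allow switch off server certificate verification, debug 10 leaves verbose logging on, a bindpw sits in a configuration file that NSS needs to keep world-readable, and the "ldap ssl" / ldaps:// interaction described above has to be consistent. The script below is an added example, not part of the original page: it reads copies of libnss-ldap.conf, ldap.conf and smb.conf and prints one finding per weak setting. The sample files it writes are constructed from the values on this page; the host name ldap.example.invalid is a placeholder, since the page does not show one, and the assumption that Samba's default for "ldap ssl" is start tls is taken from the smb.conf manual, not from the page.

```shell
#!/bin/sh
# Added example, not part of the original page: audit the LDAP client and Samba
# configuration from steps 4 and 5. Paths are parameters so it runs on copies.

# conf_value FILE KEY: last value of a "key value" line (libnss-ldap.conf and
# ldap.conf style); key match is case-insensitive, comment lines are skipped.
conf_value() {
    awk -v k="$2" '$1 !~ /^#/ && tolower($1) == tolower(k) { v = $2 } END { print v }' "$1"
}

# smb_value FILE KEY: value of "key = value" in smb.conf (keys contain spaces).
smb_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# world_readable FILE: succeed when the "other" read bit is set (column 8 of ls -l).
world_readable() {
    case "$(ls -ld "$1" | cut -c8)" in r) return 0 ;; *) return 1 ;; esac
}

# audit_nss_ldap_conf FILE: findings for /etc/libnss-ldap.conf, one per line.
audit_nss_ldap_conf() {
    f="$1"
    if [ "$(conf_value "$f" tls_checkpeer)" = "no" ]; then
        echo "$f: tls_checkpeer no: the LDAP server certificate is never verified"
    fi
    dbg=$(conf_value "$f" debug)
    if [ -n "$dbg" ] && [ "$dbg" -gt 0 ] 2>/dev/null; then
        echo "$f: debug $dbg: verbose NSS/LDAP logging left on in a permanent config"
    fi
    if [ -n "$(conf_value "$f" bindpw)" ] && world_readable "$f"; then
        echo "$f: bindpw is stored in a world-readable file"
    fi
    return 0
}

# audit_ldap_conf FILE: findings for /etc/ldap/ldap.conf. OpenLDAP's default for
# TLS_REQCERT is demand, so an unset value is not reported.
audit_ldap_conf() {
    f="$1"
    reqcert=$(conf_value "$f" TLS_REQCERT | tr 'A-Z' 'a-z')
    case "$reqcert" in
        ""|demand|hard) ;;
        *) echo "$f: TLS_REQCERT $reqcert accepts an invalid or missing server certificate" ;;
    esac
    return 0
}

# audit_smb_conf FILE: findings for /etc/samba/smb.conf, following the page's point
# that "ldap ssl" must be no when the passdb URI is already ldaps://.
# Assumption: an unset "ldap ssl" means Samba's documented default, start tls.
audit_smb_conf() {
    f="$1"
    backend=$(smb_value "$f" "passdb backend")
    ssl=$(smb_value "$f" "ldap ssl" | tr 'A-Z' 'a-z')
    case "$backend" in
        *ldaps://*)
            if [ "$ssl" != "no" ] && [ "$ssl" != "off" ]; then
                echo "$f: ldap ssl = ${ssl:-start tls} with an ldaps:// URI starts TLS twice; set ldap ssl = no"
            fi ;;
        *ldap://*)
            if [ "$ssl" = "no" ] || [ "$ssl" = "off" ]; then
                echo "$f: ldapsam over plain ldap:// with ldap ssl = $ssl sends the LDAP bind in cleartext"
            fi ;;
    esac
    return 0
}

# count_findings AUDIT_FUNCTION FILE: number of findings the function reports.
count_findings() { "$1" "$2" | grep -c . || true; }

# write_samples DIR: constructed copies of the page's configuration (not real data).
write_samples() {
    cat > "$1/libnss-ldap.conf" <<'EOF'
debug 10
uri ldaps://ldap.example.invalid
ssl on
tls_checkpeer no
tls_cacertfile /etc/ssl/certs/ca-certificates.crt
base ou=my,o=domain,c=nl
binddn cn=accounter,ou=my,o=domain,c=nl
bindpw verysecretofcourse
EOF
    chmod 644 "$1/libnss-ldap.conf"
    cat > "$1/ldap.conf" <<'EOF'
URI         ldaps://ldap.example.invalid
TLS_CACERT  /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT allow
EOF
    cat > "$1/smb.conf" <<'EOF'
[global]
   ldap ssl = start tls
   passdb backend = ldapsam:ldaps://ldap.example.invalid
EOF
}

dir=$(mktemp -d)
write_samples "$dir"
audit_nss_ldap_conf "$dir/libnss-ldap.conf"
audit_ldap_conf "$dir/ldap.conf"
audit_smb_conf "$dir/smb.conf"
rm -rf "$dir"
```

On the page's own values the run reports five findings: three for libnss-ldap.conf, one for TLS_REQCERT allow, and one for the start-tls/ldaps:// clash that step 5 resolves with ldap ssl = no. Pointing the functions at /etc/libnss-ldap.conf, /etc/ldap/ldap.conf and /etc/samba/smb.conf on the installed machine is the intended use; the bindpw finding cannot be fixed by tightening the file mode alone, because non-root processes must be able to read libnss-ldap.conf for NSS lookups, so the practical mitigation is a bind account that has no rights beyond reading the user entries it needs.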

  6. Finally, log in to a remote machine with ssh -X and check that the share is mounted:

    user@remotemachine:~$ ssh -X's password:
    Linux cit-zb-39-116 2.6.31-20-generic #58-Ubuntu SMP Fri Mar 12 04:38:19 UTC 2010 x86_64
    <snip>$ mount|grep user
    // on /home/user type cifs (rw,mand)$