| Installing a test server | ||
|---|---|---|
 | Compile grade Samba settings |  |
| Installing a test server | ||
|---|---|---|
| | Compile grade Samba settings | |
We have unattended installs that create a Debian Lenny with accounts, firewalling, logging, yada yada yada. We run such an install on a virtual machine.
We use XFS under Samba, and on this test machine, we steal /srv, and convert it to XFS...
admin@testserver:~$ sudo umount /srv
admin@testserver:~$ sudo apt-get install xfsprogs dmsetup
admin@testserver:~$ sudo sed -i -s '/\/srv/ { s%/srv%/lwphome% ; s%ext3%xfs% ; s%defaults%relatime,uquota,pquota% }' /etc/fstab
admin@testserver:~$ grep xfs /etc/fstab
/dev/mapper/lwp17-lvsrv /lwphome xfs relatime,uquota,pquota 0 2
admin@testserver:~$ sudo mkfs.xfs -f /dev/mapper/lwp17-lvsrv
meta-data=/dev/mapper/lwp17-lvsrv isize=256 agcount=4, agsize=156160 blks
= sectsz=512 attr=2
data = bsize=4096 blocks=624640, imaxpct=25
= sunit=0 swidth=0 blks
naming =version 2 bsize=4096
log =internal log bsize=4096 blocks=2560, version=2
= sectsz=512 sunit=0 blks, lazy-count=0
realtime =none extsz=4096 blocks=0, rtextents=0
admin@testserver:~$ sudo mkdir /lwphome
admin@testserver:~$ sudo mount -a
Since our new Samba will have to come from the backports repository, we'll add that:
admin@testserver:~$ sudo apt-get update
admin@testserver:~$ sudo apt-get dist-upgrade
admin@testserver:~$ sudo sh -c 'echo "deb http://www.backports.org/debian lenny-backports main contrib non-free" > /etc/apt/sources.list.d/lenny-backports.list'
admin@testserver:~$ sudo apt-get install debian-backports-keyring
admin@testserver:~$ apt-get update
admin@testserver:~$ sudo apt-get dist-upgrade
At this point, no packages should be listed for upgrade, as the default version is still lenny, not lenny-backports
admin@testserver:~$ sudo apt-get install samba -t lenny-backports
In order for the Samba server to work, the account the Samba clients use to log in with must be known as system users on the server. So getent must resolve them.
We install the packages:
admin@testserver:~$ sudo DEBIAN_FRONTEND=noninteractive apt-get --yes install libpam-ldap libpam-ccreds libnss-ldap libnss-db ca-certificates nss-updatedb
... configure /etc/nsswitch.conf:
<snip> passwd: files db group: files db shadow: files ldap <snip>
... configure /etc/ldap/ldap.conf:
SIZELIMIT 0 TIMELIMIT 0 URI ldaps://ldapserver.mydomain.com BASE ou=my,o=domain,c=nl TLS_CACERT /etc/ssl/certs/ca-certificates.crt TLS_REQCERT allow
... configure /etc/libnss-ldap.conf:
debug 10 uri ldaps://ldapserver.mydomain.com ldap_version 3 bind_policy soft timelimit 10 bind_timelimit 6 ssl on tls_checkpeer no tls_cacertfile /etc/ssl/certs/ca-certificates.crt base ou=my,o=domain,c=nl scope sub binddn cn=accounter,ou=my,o=domain,c=nl bindpw verysecretofcourse pam_login_attribute uid pam_password md5 pam_min_uid 70000 pam_max_uid 9999999999
... update the credentials cache:
admin@testserver:!$ sudo /usr/sbin/nss_updatedb ldap > /dev/null 2>&1
... and test whether it works (it does):
admin@testserver:~$ getent passwd p217811
p217811:*:10217811:10217811:p217811:/home/p217811:/bin/bash
In /etc/samba/smb.conf, set ldap ssl to no:
<snip> ldap ssl = no passdb backend = ldapsam:ldaps://ldapserver.mydomain.com <snip>
This is necessary because the LDAP URI already specifies “ldaps://”, and with ldap ssl set to yes the Samba daemon will try to start the TLS layer twice, resulting in an error that would be harmless to the communication, but the Samba daemon drops the connection because of it anyway.
... now create /var/lib/samba/secrets.tdb by using:
admin@testserver:~$ sudo smbpasswd -w verysupersecretpasswd
user@remotemachine:~$ ssh -X username@sambaclient.mydomain.com
user@sambaclient.mydomain.com's password:
Linux cit-zb-39-116 2.6.31-20-generic #58-Ubuntu SMP Fri Mar 12 04:38:19 UTC 2010 x86_64
<snip>
user@sambaclient.mydomain.com:~$ mount|grep user
//testserver.mydomain.com/user on /home/user type cifs (rw,mand)
user@sambaclient.mydomain.com:~$