HOWTO SAMBA-LDAP Domain Controller (with Real Time antivirus)
From Gentoo Linux Wiki
Introduction to this HOWTO
Purpose
Before you use this guide
Implement LDAP on your system following this guide: HOWTO LDAPv3.
Brief Overview
After presenting the various USE flags, the following list outlines all of the topics covered, in the order they are presented:
- On the Samba server:
  - Install and configure CLAM-AV
  - Install and configure Samba
  - Install and configure CUPS
  - Adding the printer to CUPS
  - Adding the PS drivers for the Windows clients
- On the Unix clients:
  - Install and configure CUPS
  - Configuring a default printer
  - Mounting a Windows or Samba share
- On the Windows clients:
  - Configuring the printer
  - Accessing Samba shares
Requirements
We will need the following:
- net-fs/samba
- app-antivirus/clamav
- net-print/cups
- net-print/foomatic
- net-print/hpijs (if you have an HP printer)
- net-nds/smbldap-tools
- A kernel of sorts (preferably 2.4.24+ or 2.6.x)
- A printer (PS or non-PS, preferably not too new or fancy)
- A working network (home/office/etc.) consisting of more than one machine
The main package we use here is net-fs/samba; however, you will need a kernel with smbfs support enabled in order to mount a Samba or Windows share from another computer. CUPS will be emerged if it is not already. app-antivirus/clamav is used here as well, but other scanners should be easy to adapt to work with Samba.
Set up the USE Flags
Before emerging anything, take a look at the various USE flags available to Samba.
acl ads cups ldap pam readline oav
Depending on the network topology and the specific requirements of the server, the USE flags outlined below will define what to include or exclude from the emerging of Samba.
| USE flag | Description |
| acl | Enables Access Control Lists. The ACL support in Samba uses a patched ext2/ext3, or SGI's XFS in order to function properly as it extends more detailed access to files or directories; much more so than typical *nix GID/UID schemas. |
| ads | Include support for Kerberos. |
| cups | This enables support for the Common Unix Printing System. This provides an interface allowing local CUPS printers to be shared to other systems in the network. |
| ldap | Enables the Lightweight Directory Access Protocol (LDAP). This option is required if Samba is to use Active Directory, i.e. whenever Samba needs to log in to, or provide logins for, a Domain/Active Directory server. The kerberos USE flag is needed for proper functioning of this option. |
| pam | Include support for pluggable authentication modules (PAM). This provides the ability to authenticate users on the Samba server, which is required if users have to log in to your server. The kerberos USE flag is recommended along with this option. |
| readline | Link Samba against libreadline. This is highly recommended and should probably not be disabled. |
| oav | Provides on-access scanning of Samba shares with FRISK F-Prot Daemon, Kaspersky AntiVirus, OpenAntiVirus.org ScannerDaemon, Sophos Sweep (SAVI), Symantec CarrierScan, and Trend Micro (VSAPI). |
Server Software Installation
Emerging Samba and Tools
emerge net-fs/samba net-nds/smbldap-tools
Configuring Your System
In /etc/openldap/slapd.conf, add this after the last of the includes:
File: /etc/openldap/slapd.conf
include /etc/openldap/schema/samba.schema

and this towards the end:

index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index objectClass,uid,uidNumber,gidNumber,memberUid eq
index cn,mail,surname,givenname eq,subinitial
Note: If you get the warning message "AttributeType not found" while starting the ldap service, use this configuration instead.
File: /etc/openldap/slapd.conf
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema

and this towards the end:

index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index objectClass,uid,uidNumber,gidNumber,memberUid eq
index cn,mail,surname,givenname eq,subinitial

Note: Don't forget to remove the line "index objectClass eq" if you use the default configuration file; otherwise the objectClass attribute is indexed twice and slapd will refuse to start.
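Because a duplicate index line stops slapd from starting at all, it is worth checking the file before restarting the service. The following script is an added example, not code from the HOWTO or from OpenLDAP; it assumes the classic slapd.conf format (one directive per line, not cn=config) and reports a missing samba.schema include, missing Samba index directives, and any attribute that appears in more than one index line.

```shell
#!/bin/sh
# Added example, not part of the Gentoo wiki HOWTO: sanity-check a
# slapd.conf for the Samba-related lines the HOWTO adds. Assumptions:
# classic slapd.conf format (one directive per line, not cn=config);
# the file path is whatever you pass as the first argument.

# slapd_duplicate_indexes FILE: print (lower-cased, sorted) every attribute
# named in more than one "index" directive. A leftover "index objectClass eq"
# next to "index objectClass,uid,... eq" is the case the HOWTO warns about.
slapd_duplicate_indexes() {
    awk '
        /^[[:space:]]*index[[:space:]]/ {
            n = split($2, attrs, ",")
            for (i = 1; i <= n; i++) seen[tolower(attrs[i])]++
        }
        END { for (a in seen) if (seen[a] > 1) print a }' "$1" | sort
}

# slapd_has_samba_schema FILE: 0 if samba.schema is included, 1 otherwise.
slapd_has_samba_schema() {
    grep -Eq '^[[:space:]]*include[[:space:]]+.*/samba\.schema[[:space:]]*$' "$1"
}

# slapd_has_samba_indexes FILE: 0 if every attribute that Samba's ldapsam
# backend searches on is covered by some index directive, 1 otherwise.
slapd_has_samba_indexes() {
    _file=$1
    for _attr in sambasid sambaprimarygroupsid sambadomainname \
                 objectclass uid uidnumber gidnumber memberuid; do
        awk -v want="$_attr" '
            /^[[:space:]]*index[[:space:]]/ {
                n = split($2, attrs, ",")
                for (i = 1; i <= n; i++) if (tolower(attrs[i]) == want) found = 1
            }
            END { if (found) exit 0; exit 1 }' "$_file" || return 1
    done
    return 0
}

# check_slapd_conf FILE: overall verdict, 0 = ready for ldapsam, 1 = fix needed.
# Each finding is printed on its own line.
check_slapd_conf() {
    _rc=0
    slapd_has_samba_schema "$1" \
        || { echo "missing: include /etc/openldap/schema/samba.schema"; _rc=1; }
    slapd_has_samba_indexes "$1" \
        || { echo "missing: one or more Samba index directives"; _rc=1; }
    _dups=$(slapd_duplicate_indexes "$1")
    if [ -n "$_dups" ]; then
        echo "attribute indexed twice (slapd will not start): $_dups"
        _rc=1
    fi
    return $_rc
}

# Usage: sh check-slapd.sh /etc/openldap/slapd.conf
if [ $# -gt 0 ]; then
    check_slapd_conf "$1"
fi
```

Run it against the real file after editing; a non-zero exit with "attribute indexed twice" means the default "index objectClass eq" line is still present.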
Next up is /etc/samba/smb.conf; add this to your [global] section:
File: /etc/samba/smb.conf
passdb backend = ldapsam:ldap://your.address.to.ldap.server/
ldap passwd sync = Yes
ldap suffix = dc=ldap,dc=net
ldap admin dn = cn=root,dc=ldap,dc=net
ldap ssl = start tls
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Users
add user script = /usr/sbin/smbldap-useradd -m "%u"
ldap delete dn = Yes
#delete user script = /usr/sbin/smbldap-userdel "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
#delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"

Be sure to replace dc=ldap,dc=net and your.address.to.ldap.server with your own values.
Restart samba and do the following:
smbpasswd -w <ldap admin password>
with the appropriate password. Now samba should be able to talk to ldap.
We will now want to configure smbldap-tools to populate our database.
The config files are in /etc/smbldap-tools, you will have to modify smbldap.conf and smbldap_bind.conf to match your settings. Once configured, run
smbldap-populate
If you have any connection problems, check that ldap is running, that the path to ldap is correct, that the password is correct, and that the TLS settings are correct.
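Two of the settings above carry a security consequence: with a plain ldap:// URL, "ldap ssl = start tls" is what keeps the admin DN's password off the wire, and smbldap_bind.conf stores that same password in clear text. The script below is an added example, not code from the HOWTO, Samba or smbldap-tools; it reads the ldapsam settings out of an smb.conf (assuming the lower-case key spelling used on this page, one key per line) and checks that a smbldap_bind.conf is not readable by group or others.

```shell
#!/bin/sh
# Added example, not part of the Gentoo wiki HOWTO: audit the LDAP-related
# settings of smb.conf and the permissions of smbldap_bind.conf.
# Assumptions: keys are written in lower case as in the HOWTO, one per line;
# smbldap_bind.conf holds the admin password in clear text, so it must not
# be group- or world-readable.

# smb_get FILE KEY: print the value of KEY (last occurrence wins; lines
# commented with # or ; never match), or nothing if the key is absent.
smb_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# audit_smb_ldap FILE: 0 if the ldapsam settings look sound, 1 otherwise.
# Findings are printed one per line.
audit_smb_ldap() {
    _rc=0
    _backend=$(smb_get "$1" "passdb backend")
    case "$_backend" in
        ldapsam:*) ;;
        *) echo "passdb backend is '$_backend', expected ldapsam:<url>"; return 1 ;;
    esac
    _url=${_backend#ldapsam:}
    _ssl=$(smb_get "$1" "ldap ssl")
    case "$_url" in
        ldaps://*|ldapi://*) ;;          # TLS from the first byte, or a local socket
        ldap://*)
            case "$_ssl" in
                "start tls"|start_tls) ;;
                *) echo "ldap:// without 'ldap ssl = start tls': admin bind goes over the network in clear"
                   _rc=1 ;;
            esac ;;
        *) echo "unrecognised LDAP URL '$_url'"; _rc=1 ;;
    esac
    [ -n "$(smb_get "$1" "ldap admin dn")" ] || { echo "ldap admin dn is not set"; _rc=1; }
    [ -n "$(smb_get "$1" "ldap suffix")" ]   || { echo "ldap suffix is not set"; _rc=1; }
    return $_rc
}

# audit_bind_conf FILE: 0 unless FILE is readable by group or others.
audit_bind_conf() {
    if [ -n "$(find "$1" \( -perm -040 -o -perm -004 \) -print)" ]; then
        echo "$1 is readable by group or others but holds the LDAP admin password"
        return 1
    fi
    return 0
}

# Usage: sh audit-smb-ldap.sh /etc/samba/smb.conf /etc/smbldap-tools/smbldap_bind.conf
if [ $# -gt 0 ]; then
    audit_smb_ldap "$1"
    if [ $# -gt 1 ]; then
        audit_bind_conf "$2"
    fi
fi
```

This complements, rather than replaces, Samba's own testparm, which validates syntax but does not tell you whether the admin bind is protected.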
Managing users
smbldap-tools should have all the things you need; here is a list of the tools:
- /usr/sbin/smbldap-groupadd
- /usr/sbin/smbldap-groupdel
- /usr/sbin/smbldap-useradd
- /usr/sbin/smbldap-groupmod
- /usr/sbin/smbldap-userdel
- /usr/sbin/smbldap-groupshow
- /usr/sbin/smbldap-userinfo
- /usr/sbin/smbldap-passwd
- /usr/sbin/smbldap-usermod
- /usr/sbin/smbldap-populate
- /usr/sbin/smbldap-usershow
Also take note that there need to be corresponding Unix groups and users for the system to work. The IDs must be the same, but the names can vary. However, note that you may have to use the Unix group name or user name instead of the LDAP name when setting permissions on the Samba shares. You can use these scripts, but I also recommend you install phpldapadmin to make your life easier.
- Apecar 11:15, 16 Oct 2004 (GMT)
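Since the requirement is that IDs match while names may differ, the mismatches are easy to miss by eye. The following is an added example, not code from the HOWTO or smbldap-tools: it joins a list of LDAP accounts against the local passwd file, reports every LDAP uidNumber with no local account, and lists the LDAP names whose local (Unix) name differs, which are the names to use when setting share permissions. It assumes the LDAP side is supplied as "uid uidNumber" pairs, one per line (for instance produced from ldapsearch output), and the local side in passwd(5) format.

```shell
#!/bin/sh
# Added example, not part of the Gentoo wiki HOWTO: compare LDAP accounts
# with the local passwd database. Assumptions: LDAP_FILE holds "uid uidNumber"
# pairs, one per line, e.g. post-processed from
#   ldapsearch -x -LLL -b ou=Users,dc=ldap,dc=net '(objectClass=posixAccount)' uid uidNumber
# and PASSWD_FILE is in passwd(5) format (normally /etc/passwd).

# ldap_unix_id_map LDAP_FILE PASSWD_FILE
# Prints "ldapname=unixname" for accounts whose names differ and
# "ldapname=MISSING" where no local account owns that uidNumber.
# Returns 1 if any LDAP account has no local counterpart, 0 otherwise.
ldap_unix_id_map() {
    awk '
        # First pass: local accounts, keyed by uid number.
        FILENAME == ARGV[1] {
            split($0, p, ":")
            if (p[3] != "") local[p[3]] = p[1]
            next
        }
        # Second pass: LDAP accounts, one "uid uidNumber" pair per line.
        NF >= 2 {
            name = $1; id = $2
            if (!(id in local))         { print name "=MISSING"; bad = 1 }
            else if (local[id] != name) { print name "=" local[id] }
        }
        END { if (bad) exit 1; exit 0 }' "$2" "$1"
}

# Usage: sh id-map.sh ldap-accounts.txt /etc/passwd
if [ $# -gt 1 ]; then
    ldap_unix_id_map "$1" "$2"
fi
```

An empty report with exit status 0 means every LDAP account resolves to a local one under the same name; any "=MISSING" line is an account that will not work for file access until the local side is created with that ID.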
Possible Issues
smbldap-populate's error messages can sometimes be quite vexing. For instance:
File: smbldap-populate
Populating LDAP directory for domain <Your Domain> (<Your SID>)
(using builtin directory structure)
adding new entry: dc=<Your Domain>,dc=org
failed to add entry: Unknown error at /usr/sbin/smbldap-populate line 471, <GEN1> line 7.
adding new entry: ou=Users,dc=<Your Domain>,dc=org
failed to add entry: Unknown error at /usr/sbin/smbldap-populate line 471, <GEN1> line 11.
adding new entry: ou=Groups,dc=<Your Domain>,dc=org
failed to add entry: Unknown error at /usr/sbin/smbldap-populate line 471, <GEN1> line 15.
adding new entry: ou=Computers,dc=<Your Domain>,dc=org
failed to add entry: Unknown error at /usr/sbin/smbldap-populate line 471, <GEN1> line 19.
adding new entry: ou=Idmap,dc=<Your Domain>,dc=org
failed to add entry: Unknown error at /usr/sbin/smbldap-populate line 471, <GEN1> line 23.
adding new entry: uid=root,ou=Users,dc=<Your Domain>,dc=org
failed to add entry: Unknown error at /usr/sbin/smbldap-populate line 471, <GEN1> line 48.
adding new entry: uid=nobody,ou=Users,dc=<Your Domain>,dc=org
failed to add entry: Unknown error at /usr/sbin/smbldap-populate line 471, <GEN1> line 73.
adding new entry: cn=Domain Admins,ou=Groups,dc=<Your Domain>,dc=org
failed to add entry: Unknown error at /usr/sbin/smbldap-populate line 471, <GEN1> line 84.
adding new entry: cn=Domain Users,ou=Groups,dc=<Your Domain>,dc=org
failed to add entry: Unknown error at /usr/sbin/smbldap-populate line 471, <GEN1> line 94.
adding new entry: cn=Domain Guests,ou=Groups,dc=<Your Domain>,dc=org
failed to add entry: Unknown error at /usr/sbin/smbldap-populate line 471, <GEN1> line 104.
adding new entry: cn=Domain Computers,ou=Groups,dc=<Your Domain>,dc=org
failed to add entry: Unknown error at /usr/sbin/smbldap-populate line 471, <GEN1> line 114.
adding new entry: cn=Administrators,ou=Groups,dc=<Your Domain>,dc=org
failed to add entry: Unknown error at /usr/sbin/smbldap-populate line 471, <GEN1> line 155.
adding new entry: cn=Account Operators,ou=Groups,dc=<Your Domain>,dc=org
failed to add entry: Unknown error at /usr/sbin/smbldap-populate line 471, <GEN1> line 175.
adding new entry: cn=Print Operators,ou=Groups,dc=<Your Domain>,dc=org
failed to add entry: Unknown error at /usr/sbin/smbldap-populate line 471, <GEN1> line 185.
adding new entry: cn=Backup Operators,ou=Groups,dc=<Your Domain>,dc=org
failed to add entry: Unknown error at /usr/sbin/smbldap-populate line 471, <GEN1> line 195.
adding new entry: cn=Replicators,ou=Groups,dc=<Your Domain>,dc=org
failed to add entry: Unknown error at /usr/sbin/smbldap-populate line 471, <GEN1> line 205.
adding new entry: cn=NextFreeUnixId,dc=<Your Domain>,dc=org
failed to add entry: Unknown error at /usr/sbin/smbldap-populate line 471, <GEN1> line 211.
Please provide a password for the domain root:
No such object at /usr/sbin//smbldap_tools.pm line 341.

It turns out that you simply need the execute bit set on your database directory, so that the user slapd runs as can traverse it. This can be done painlessly with: "chmod 700 -R /var/lib/openldap-*". Mode 700 only helps if that directory is owned by the slapd user, so check the owner as well.
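Whether the chmod actually fixed things depends on who owns the directory, so the conditions are worth checking explicitly. The script below is an added example, not code from the HOWTO or OpenLDAP; it assumes slapd runs as the user "ldap" (Gentoo's default, overridable with a second argument) and verifies that the database directory is owned by that user, traversable by its owner, and closed to everyone else, which is the state "chmod 700 -R" leaves it in.

```shell
#!/bin/sh
# Added example, not part of the Gentoo wiki HOWTO: check that slapd's
# database directory is owned by the account slapd runs as, traversable by
# its owner, and closed to everyone else. Assumptions: slapd runs as user
# "ldap" (Gentoo's default; pass another name as the second argument).

# check_ldap_db_dir DIR [USER]: 0 if DIR passes all checks, 1 otherwise.
# Findings are printed one per line.
check_ldap_db_dir() {
    _dir=$1; _user=${2:-ldap}; _rc=0
    [ -d "$_dir" ] || { echo "$_dir: not a directory"; return 1; }
    id "$_user" >/dev/null 2>&1 || { echo "no such user: $_user"; return 1; }

    # The owner needs the execute (search) bit on the directory itself;
    # this is the "execute bit" the HOWTO refers to.
    if [ -n "$(find "$_dir" -prune ! -perm -100 -print 2>/dev/null)" ]; then
        echo "$_dir: owner has no execute bit, slapd cannot open its database"
        _rc=1
    fi

    # chmod 700 only helps if the owner is the slapd user.
    _foreign=$(find "$_dir" ! -user "$_user" -print 2>/dev/null)
    if [ -n "$_foreign" ]; then
        echo "not owned by $_user:"; echo "$_foreign"; _rc=1
    fi

    # Any group or other bit exposes the directory data (password hashes
    # included) to other local accounts, or lets them corrupt it.
    _open=$(find "$_dir" \( -perm -040 -o -perm -020 -o -perm -010 \
                          -o -perm -004 -o -perm -002 -o -perm -001 \) -print 2>/dev/null)
    if [ -n "$_open" ]; then
        echo "accessible to group or others (run chmod 700 -R):"; echo "$_open"; _rc=1
    fi
    return $_rc
}

# Usage: sh check-ldap-db.sh /var/lib/openldap-data [ldap]
if [ $# -gt 0 ]; then
    check_ldap_db_dir "$1" "${2:-ldap}"
fi
```

Run it as root against each /var/lib/openldap-* directory after the chmod; a "not owned by" finding means a chown to the slapd user is still needed.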
