From Samba-JP
How to build Samba PDC (squeeze)
= Get release image for Debian GNU/Linux =
Obtain an image of 180MB or less from the [http://www.debian.org/distrib/netinst#smallcd small CD] page.
* debian-6.0.0-i386-netinst.iso is used

= Build VMware Virtual Machine =
== How to create VM ==
Run the Virtual Machine Wizard
* Select ''Custom''
* Select ''Workstation 5'' as Hardware compatibility
** Do not check ''ESX Server''
* Select ''Linux'' as guest OS
* Select ''Debian 5'' as version
* Set ''sambapdc'' as VM's name
* Set ''1'' as number of CPU
* Set ''256MB'' as available memory
* Leave ''NAT'' at Network Connection
* Leave ''LSI Logic'' at I/O controller type
* Select ''Create new virtual disk''
* Select ''SCSI'' as type of virtual disk and leave the other settings

== Installing Squeeze ==
=== Running Installer ===
* Select '''Install''' (not ''Graphical Install'')
* Select '''English''' at Choose language
* Select '''Japan''' at Choose country
* Select '''United States''' at Default locale
* Select '''American English''' at Keymap to use
* Select as below at Configure network
** Hostname is '''sambapdc'''
** Domain Name is '''sambadom.local'''
* Set as below at Set up users and passwords
** Set '''samba''' at Root password
** At Full name for new user, push ''<Go Back>'' several times until the '''Debian installer main menu''' is shown
: Remember that lots of unused packages are installed if you continue the installation as usual
* Select as below at Partition disks
** Select '''Guided - use entire disk''' (default)
** Select '''All files in one partition''' (default)
** Push '''Finish partitioning and write changes to disk'''
** Select '''<Yes>''' at Write changes to disks?
* Basic packages are installed during the Installing the base system window.
* Select '''Install the GRUB boot loader on a hard disk'''
** Select '''<Yes>''' at Install the GRUB boot loader to the master boot record?
* Select '''<Continue>''' at Installation complete

=== Basic settings ===
* Add settings for eth1 if needed
: Add these lines to /etc/network/interfaces
<pre>
allow-hotplug eth1
iface eth1 inet dhcp
</pre>
* Configure APT
: Modify /etc/apt/sources.list
<pre>
deb http://ftp.jp.debian.org/debian etch main
deb http://security.debian.org/ etch/updates main
</pre>
: Note that only '''main''' is set, to reduce disk space.
* Specify tmpfs as the filesystem for /tmp
: Add to /etc/fstab as below:
<pre>
/dev/shm /tmp tmpfs defaults 0 0
</pre>
: This is not necessary but reduces the disk space needed for the install
* Specify tmpfs for /var/cache/apt
: Add to /etc/fstab as below:
<pre>
/dev/shm /var/cache/apt tmpfs defaults 0 0
</pre>
: This is not necessary but reduces the disk space needed for the install
: Enable these changes
<pre>
# mount /tmp
# mount /var/cache/apt
</pre>
* Installing ftp
: Used only to receive files
<pre>
# apt-get install ftp
# apt-get clean
</pre>
* Installing packages for ACL and extended attributes
<pre>
# apt-get install attr acl
</pre>
* Add acl,user_xattr as mount options in /etc/fstab
: Change '''errors=remount-ro''' to '''defaults,acl,user_xattr,errors=remount-ro'''
: Apply the new mount options with a remount
<pre>
# mount -o remount,rw,acl,user_xattr,errors=remount-ro /dev/sda1 /
</pre>

= Build Samba + LDAP environment =
== Installing and setting packages ==
=== Install and Configuring libnss-ldap and libpam-ldap ===
<pre>
# apt-get install libnss-ldap libpam-ldap
</pre>
* Settings of libnss-ldap
: URL is '''ldapi:///'''
: DN is '''dc=sambadom,dc=local'''
: LDAP version is '''3'''
: LDAP account for root is '''cn=admin,dc=sambadom,dc=local'''
: Password is '''ldap'''
* Settings of libpam-ldap
: Allow LDAP admin account ... is '''<Yes>'''
: Does the LDAP database require login? is '''<No>'''
: LDAP account for root is '''cn=admin,dc=sambadom,dc=local'''
: Password is '''ldap'''
* Adding '''LDAP''' to the /etc/nsswitch.conf file
<pre>
--- nsswitch.conf.org 2009-09-10 03:02:29.000000000 +0900
+++ nsswitch.conf 2009-09-07 22:10:09.000000000 +0900
@@ -4,9 +4,9 @@
 # If you have the `glibc-doc-reference' and `info' packages installed, try:
 # `info libc "Name Service Switch"' for information about this file.
-passwd: compat
-group: compat
+passwd: compat ldap
+group: compat ldap
 shadow: compat
 hosts: files dns
 networks: files
</pre>

=== Installing Samba and OpenLDAP ===
* Installing slapd package
<pre>
# apt-get install slapd ldap-utils
</pre>
: Set '''ldap''' as Admin password
: The ldap-utils package is for management purposes, so it is not required for running, although the description below assumes it is installed.
* Installing Samba packages
<pre>
# apt-get install samba winbind smbclient
</pre>
: Set ''SAMBADOM'' as workgroup/domain name
: The smbclient package is for management and test purposes, so it is not required for running.
* Installing pam_smbpass package
<pre>
# apt-get install libpam-smbpass
</pre>
* Removing nscd
: A running nscd sometimes causes the problem that adding or removing a user or a group does not take effect immediately.
<pre>
# apt-get remove nscd
</pre>

=== PAM configuration ===
'''Because the pam-auth-update command sets up the PAM related files automatically, we basically do not need to edit them manually.'''
But we have to make these settings manually:
* /etc/pam.d/common-password
: Comment out the pam_winbind.so line.
* /etc/pam.d/common-session
: Add the mkhomedir option to the pam_winbind.so line.

=== Installing crackcheck command ===
* Installing cracklib package
<pre>
# apt-get install libcrack2
</pre>
: Used by the crackcheck command
Run the following on a box where the development packages are installed.
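Review bot: in the nsswitch.conf hunk above, the `compat ldap` ordering on the passwd and group lines is the safe one, since entries in /etc/passwd and /etc/group (root included) resolve before LDAP is consulted, so a slapd outage cannot lock out local administration; keep that order and leave `shadow: compat` untouched, because password checking in this setup goes through libpam-ldap, so nothing needs shadow data from LDAP via NSS.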
<pre>
# apt-get install cracklib2-dev
# apt-get install samba-doc
# cd /usr/share/doc/samba-doc/examples/auth/crackcheck
# make
# strip crackcheck
</pre>
Copy the '''crackcheck''' binary to /usr/local/sbin/crackcheck on sambapdc

=== Installing mgrshare script ===
Extract the mgrshare script (included in [http://wiki.samba.gr.jp/mediawiki/images/1/10/Sambapdc4.tar.gz sambapdc4.tar.gz]) and install it:
<pre>
# mv mgrshare /usr/local/sbin/mgrshare
# chmod +x /usr/local/sbin/mgrshare
</pre>

=== Installing smbchsh ===
Extract the smbchsh script (included in [http://wiki.samba.gr.jp/mediawiki/images/1/10/Sambapdc4.tar.gz sambapdc4.tar.gz]) and install it to /usr/local/bin/smbchsh. Here is the content of smbchsh:
<pre>
#!/bin/sh
# Change the login shell of the invoking user in LDAP; $1 is the new shell
SHELL=$1
echo "dn: uid=${USER},ou=users,dc=samba,dc=local
changetype: modify
replace: loginShell
loginShell: ${SHELL}
" | ldapmodify -x -D "uid=${USER},ou=users,dc=samba,dc=local" -W
</pre>

=== Installing remove-old-files-in-recycle-bin ===
Extract the remove-old-files-in-recycle-bin script (included in [http://wiki.samba.gr.jp/mediawiki/images/1/10/Sambapdc4.tar.gz sambapdc4.tar.gz]) and install it as /usr/local/sbin/remove-old-files-in-recycle-bin:
<pre>
#!/bin/sh
# Delete files not accessed for more than ${olddays} days from the recycle
# directory of every share; absolute paths are used so the loop does not
# depend on the current directory changing between iterations
trashdir=.recycle
rootdir=/var/lib/samba/shares
olddays=14
cd ${rootdir}
for targetdir in *; do
    if [ -d "${rootdir}/${targetdir}/${trashdir}" ]; then
        find "${rootdir}/${targetdir}/${trashdir}" -type f -atime +${olddays} -exec rm {} \;
    fi
done
</pre>

=== Creating home directory ===
<pre>
# mkdir /home/SAMBADOM
</pre>

=== Creating smbusers file ===
Extract the smbusers file (included in [http://wiki.samba.gr.jp/mediawiki/images/1/10/Sambapdc4.tar.gz Sambapdc4.tar.gz]) and install it as /etc/samba/smbusers

== Setting Samba + LDAP environment ==
=== Setting LDAP ===
Remember that from Squeeze on, the slapd configuration is stored in LDAP itself (cn=config)
* Installing schema file for Samba
<pre>
# apt-get install samba-doc
# apt-get clean
# zcat /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz > /etc/ldap/schema/samba.schema
# apt-get remove samba-doc
# apt-get clean
</pre>
: The samba-doc package is removed after extracting the schema file
* Generating LDIF file for Samba schema
<pre>
# cd /tmp
# ln -s /etc/ldap/schema .
# mkdir dummy_slapd.d
</pre>
: Create the /tmp/dummy_slapd.conf file as below:
<pre>
include schema/core.schema
include schema/cosine.schema
include schema/inetorgperson.schema
include schema/nis.schema
include schema/samba.schema
</pre>
<pre>
# slaptest -f dummy_slapd.conf -F dummy_slapd.d
config file testing succeeded
</pre>
: Modifying the LDIF file
: Rename cn={4}samba.ldif under dummy_slapd.d/cn=config/cn=schema to samba.ldif and modify it as below:
** The top 3 lines before:
<pre>
dn: cn={4}samba
objectClass: olcSchemaConfig
cn: {4}samba
</pre>
** The top 3 lines after:
<pre>
dn: cn=samba,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: samba
</pre>
** The last 7 lines before:
<pre>
structuralObjectClass: olcSchemaConfig
entryUUID: a671adca-3aa0-1030-8ae6-516ef773ec5f
creatorsName: cn=config
createTimestamp: 20110704154721Z
entryCSN: 20110704154721.872107Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20110704154721Z
</pre>
** The last 7 lines after: (removed)
: Register samba.ldif
<pre>
# ldapadd -Y EXTERNAL -H ldapi:/// -f samba.ldif
adding new entry "cn=samba,cn=schema,cn=config"
</pre>
* Initial settings
: Create sambadom.ldif as below:
<pre>
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: uidNumber,gidNumber,uid,sambaSID,cn,memberuid eq
-
add: olcAccess
olcAccess: to attrs=loginShell by dn="cn=admin,dc=samba,dc=local" write by self write by * read
olcAccess: to attrs=sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange by dn="cn=admin,dc=samba,dc=local" write by self write by * none
</pre>
<pre>
# ldapadd -Y EXTERNAL -H ldapi:/// -f sambadom.ldif
adding new entry "olcDatabase={1}hdb,cn=config"
</pre>

=== Create initial schema ===
* Create the sambadom.local.ldif file as below:
<pre>
dn: ou=users,dc=sambadom,dc=local
objectClass: top
objectClass: organizationalUnit
ou: users

dn: ou=groups,dc=sambadom,dc=local
objectClass: top
objectClass: organizationalUnit
ou: groups

dn: ou=idmap,dc=sambadom,dc=local
objectClass: top
objectClass: organizationalUnit
ou: idmap

dn: ou=computers,dc=sambadom,dc=local
objectClass: top
objectClass: organizationalUnit
ou: computers
</pre>
* Register sambadom.local.ldif with ldapadd:
<pre>
# cat sambadom.local.ldif | ldapadd -D cn=admin,dc=sambadom,dc=local -W -x -H ldapi:///
Enter LDAP Password:
adding new entry "ou=users,dc=samba,dc=local"
adding new entry "ou=groups,dc=samba,dc=local"
...
</pre>

=== Setting Samba ===
* Stopping Samba
<pre>
# /etc/init.d/samba stop
# /etc/init.d/winbind stop
</pre>
* Installing smb.conf
: Install smb.conf (included in [http://wiki.samba.gr.jp/mediawiki/images/1/10/Sambapdc4.tar.gz sambapdc4.tar.gz]) as /etc/samba/smb.conf
<pre>
# mv /etc/samba/smb.conf /etc/samba/smb.conf.org
# mv smb.conf /etc/samba/smb.conf
</pre>
* Installing smbusers file
: Install smbusers as /etc/samba/smbusers
* Store LDAP password
<pre>
# smbpasswd -w ldap
Setting stored password for "cn=admin,dc=sambadom,dc=local" in secrets.tdb
</pre>
* Store initial settings into LDAP
: Start winbindd (only) before running 'net sam provision'
<pre>
# /etc/init.d/winbind start
Starting the Winbind daemon: winbind.
# net sam provision
Checking for Domain Users group.
Adding the Domain Users group.
Checking for Domain Admins group.
Adding the Domain Admins group.
Check for Administrator account.
Adding the Administrator user.
Checking for Guest user.
Adding the Guest user.
Checking Guest's group.
Adding the Domain Guests group.
</pre>
* Initial settings for Administrator user
: Set the password to 'samba'
<pre>
# smbpasswd Administrator
New SMB password: <== samba
Retype new SMB password: <== samba
</pre>
* Starting Samba

=== Setting automated home directory creation ===
* Create a file as /usr/local/sbin/createhomedir and chmod +rx it:
: This setting is needed because automated home directory creation via PAM does not work with Samba.
<pre>
#!/bin/bash
# $1 is the domain name, $2 is the user name; the home is created as /home/<domain>/<user>
homedir=/home/$1/$2
if [ ! -d "$homedir" ]; then
    mkdir "$homedir"
    chmod 700 "$homedir"
    chown "$2":domusers "$homedir"
fi
exit 0
</pre>

=== Setting syslog ===
* Create a file as /etc/rsyslog.d/samba.conf:
<pre>
local1.* -/var/log/samba/log.audit
</pre>
* And
<pre>
# touch /var/log/samba/log.audit
# /etc/init.d/rsyslog restart
</pre>
* Create a file as /etc/logrotate.d/samba-syslog:
<pre>
/var/log/samba/log.audit {
    rotate 4
    weekly
    missingok
    notifempty
    compress
    delaycompress
    sharedscripts
    postrotate
        invoke-rc.d rsyslog reload > /dev/null
    endscript
}
</pre>

== Creating shares ==
<pre>
# mkdir /var/lib/samba/shares
# cd /var/lib/samba/shares
</pre>
* 'NETLOGON' share
<pre>
# mkdir /var/lib/samba/shares/netlogon
# mkdir /var/lib/samba/shares/printers
# chmod 775 printers
# chgrp domadmins printers
</pre>
* 'profiles' share
<pre>
# mkdir /var/lib/samba/shares/profiles
# chmod 1777 /var/lib/samba/shares/profiles
</pre>
* 'shared' share
: A share where users who belong to the Domain Users group can read and write
<pre>
# mkdir /var/lib/samba/shares/shared
# chgrp domusers shared
# chmod g+ws shared
</pre>
* 'aclshare1' share
: Create the aclshare1ro and aclshare1rw groups and confirm their GIDs before creating 'aclshare1'
<pre>
# net sam createlocalgroup aclshare1ro
Created local group aclshare1ro with RID 1001
# net sam createlocalgroup aclshare1rw
Created local group aclshare1rw with RID 1002
# net groupmap list ntgroup=aclshare1ro
aclshare1ro (S-1-5-21-3643489711-3443204727-2039806625-1001) -> 10011
# net groupmap list ntgroup=aclshare1rw
aclshare1rw (S-1-5-21-3643489711-3443204727-2039806625-1002) -> 10012
# mkdir /var/lib/samba/shares/aclshare1
# chown root:root aclshare1
# chmod 770 aclshare1
# setfacl -m group:10011:r-x aclshare1
# setfacl -m group:10012:rwx aclshare1
# setfacl -d -m group:10011:r-x aclshare1
# setfacl -d -m group:10012:rwx aclshare1
</pre>
* 'aclshare2' share
: Create the aclshare2ro and aclshare2rw groups and confirm their GIDs before creating 'aclshare2'
<pre>
# net sam createlocalgroup aclshare2ro
Created local group aclshare2ro with RID 1003
# net sam createlocalgroup aclshare2rw
Created local group aclshare2rw with RID 1004
# net groupmap list ntgroup=aclshare2ro
aclshare2ro (S-1-5-21-3643489711-3443204727-2039806625-1003) -> 10013
# net groupmap list ntgroup=aclshare2rw
aclshare2rw (S-1-5-21-3643489711-3443204727-2039806625-1004) -> 10014
# mkdir /var/lib/samba/shares/aclshare2
# chown root:root aclshare2
# chmod 770 aclshare2
# setfacl -m group:10014:rwx aclshare2
# setfacl -m group:10013:r-x aclshare2
# setfacl -d -m group:10014:rwx aclshare2
# setfacl -d -m group:10013:r-x aclshare2
</pre>
* 'share_test' share
<pre>
# mkdir /var/lib/samba/shares/share_test
# chmod 1777 share_test
# mkdir share_test/hide_unreadable
# cd share_test/hide_unreadable
# touch normal.txt
# touch secure.txt
# chmod 600 secure.txt
# cd /var/lib/samba/shares
# mkdir share_test/veto_files
# cd share_test/veto_files
# touch dummy.exe
# mkdir GodMode.{ED7BA470-8E54-465E-825C-99712043E01C}
</pre>
* Installing var-check script
: Works with the "root preexec" line on the share_test share and shows the values of all Samba variables. Install it as /usr/local/sbin/var-check:
<pre>
#!/bin/sh
# Each argument is the expansion of the corresponding variable in VARLIST, in order
VARLIST='%U %G %h %L %m %M %R %d %a %I %i %T %D %w %v %V %S %P %u %g %H %N %p e1 e2'
rm -f /tmp/var.txt
for var in $VARLIST; do
    echo "$var : $1" >> /tmp/var.txt
    shift
done
</pre>

=== Creating users ===
* Create the ldap01, ldap02 and ldap03 users
: ldap01 and ldap02 belong to the aclshare1rw and aclshare2rw groups
: ldap03 belongs to the aclshare1ro and aclshare2ro groups
* Their home directory is set to \\sambapdc\''username'', mounted as H:
* Their full name (pdbedit -f) is set to "LDAP User ''nn''"
* Their password is set not to expire.
: For the ldap01 user
<pre>
# smbpasswd -a ldap01
# pdbedit -c "[X]" -f "LDAP01 user" -h '\\sambapdc\ldap01' -D h: ldap01
# net sam addmem aclshare1rw ldap01
Added SAMBADOM\ldap01 to SAMBADOM\aclshare1rw
# net sam addmem aclshare2rw ldap01
Added SAMBADOM\ldap01 to SAMBADOM\aclshare2rw
</pre>

=== Installing SWAT (Optional) ===
* Installing SWAT
<pre>
# apt-get install swat
</pre>
* Set the line below in the /etc/hosts.allow file
: Restricts access to the local subnet.
<pre>
ALL: LOCAL
</pre>

=== Last of all ===
* Initialize the WINS database
: Remove wins.dat and wins.tdb under /var/lib/samba
* Remove the VMware log files
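For the Setting LDAP step above, where cn={4}samba.ldif is renamed and edited by hand, here is an added example (not part of the original page or of the sambapdc4.tar.gz archive) that performs the same edit with awk and checks the result before it is fed to ldapadd. It goes slightly beyond the text by accepting any {N} prefix, since the number depends on how many schemas precede samba.schema in dummy_slapd.conf; the function names, the sample input and its UUID and timestamps are constructed.

```shell
#!/bin/sh
# Added example, not from the original page: automate the manual edit of the
# slaptest-generated schema LDIF. Assumes POSIX sh and awk. Function names,
# the sample file and its UUID/timestamps are constructed placeholders.
set -eu

# convert_schema_ldif IN OUT: rewrite dn/cn to the cn=config form and drop the
# operational attributes slaptest appended (ldapadd rejects them). Any {N}
# prefix is handled, not only the {4} shown in the text.
convert_schema_ldif() {
    awk '
        /^dn: cn=[{][0-9]+[}]samba$/ { print "dn: cn=samba,cn=schema,cn=config"; next }
        /^cn: [{][0-9]+[}]samba$/    { print "cn: samba"; next }
        /^(structuralObjectClass|entryUUID|creatorsName|createTimestamp|entryCSN|modifiersName|modifyTimestamp): / { next }
        { print }
    ' "$1" > "$2"
}

# write_sample_ldif PATH: constructed, abbreviated stand-in for what slaptest writes
write_sample_ldif() {
    cat > "$1" <<'EOF'
dn: cn={4}samba
objectClass: olcSchemaConfig
cn: {4}samba
olcAttributeTypes: {0}( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )
structuralObjectClass: olcSchemaConfig
entryUUID: 00000000-0000-1000-8000-000000000000
creatorsName: cn=config
createTimestamp: 20110704154721Z
entryCSN: 20110704154721.000000Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20110704154721Z
EOF
}

# ldif_is_clean PATH: succeed only if the file is ready for ldapadd -Y EXTERNAL
ldif_is_clean() {
    [ "$(head -n 1 "$1")" = "dn: cn=samba,cn=schema,cn=config" ] || return 1
    grep -q '^cn: samba$' "$1" || return 1
    ! grep -Eq '^(structuralObjectClass|entryUUID|creatorsName|createTimestamp|entryCSN|modifiersName|modifyTimestamp):' "$1"
}
# Stand-alone demo: sh thisfile.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    write_sample_ldif "$tmp/cn={4}samba.ldif"
    convert_schema_ldif "$tmp/cn={4}samba.ldif" "$tmp/samba.ldif"
    ldif_is_clean "$tmp/samba.ldif" && cat "$tmp/samba.ldif"
    rm -rf "$tmp"
fi
```

On the real box the input is dummy_slapd.d/cn=config/cn=schema/cn={N}samba.ldif and the output is the samba.ldif registered with ldapadd -Y EXTERNAL -H ldapi:///.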