How to build Samba PDC (squeeze)

Provided by: Samba-JP

Get release image for Debian GNU/Linux

Download small CD

  • Actually use debian-6.0.0-i386-netinst.iso

Build VMware Virtual Machine

How to create VM

Run the Virtual Machine Wizard

  • Select Custom
  • Select Workstation 5 as Hardware compatibility
    • Do not check ESX Server
  • Select Linux as guest OS
  • Select Debian 5 as version
  • Set sambapdc as VM's name
  • Set 1 as number of CPU
  • Set 256MB as available memory
  • Leave NAT at Network Connection
  • Leave LSI Logic at I/O controller type
  • Select Create new virtual disk
  • Select SCSI as type of virtual disk and leave other settings

Installing Squeeze

Running Installer

  • Select Install (not Graphical Install)
  • Select English at Choose language
  • Select Japan at Choose country
  • Select United States at Default locale
  • Select American English at Keymap to use
  • Select as below at Configure network
    • Hostname is sambapdc
    • Domain Name is sambadom.local
  • Set as below at Set up users and passwords
    • Set samba at Root password
    • At Full name for the new user, push <Go Back> several times until the Debian installer main menu is shown
Remember that many unused packages are installed if you continue the installation as usual.
  • Select as below at Partition disks
    • Select Guided - use entire disk (default)
    • Select All files in one partition (default)
    • Push Finish partitioning and write changes to disk
    • Select <Yes> at Write changes to disks?
  • Basic packages are installed during Installing the base system Window.
  • Select Install the GRUB boot loader on a hard disk
    • Select <Yes> at Install the GRUB boot loader to the master boot record?
  • Select <Continue> at Installation complete

Basic settings

  • Add settings for eth1 if needed
Add these lines to /etc/network/interfaces:
allow-hotplug eth1
iface eth1 inet dhcp
  • Configure APT
Modify /etc/apt/sources.list
deb http://ftp.jp.debian.org/debian etch main
deb http://security.debian.org/ etch/updates main
Note that only main is enabled, to save disk space.
  • Specify tmpfs for filesystem of /tmp
add /etc/fstab as below:
/dev/shm   /tmp   tmpfs defaults 0 0
This is not necessary but reduces the disk space used during installation.
  • Specify tmpfs for /var/cache/apt
add /etc/fstab as below:
/dev/shm   /var/cache/apt   tmpfs defaults 0 0
This is not necessary but reduces the disk space used during installation.
Enable these changes
# mount /tmp
# mount /var/cache/apt
  • Installing ftp
Used only to receive files.
# apt-get install ftp
# apt-get clean
  • Installing packages for ACL and extended attributes
# apt-get install attr acl 
  • Add acl,user_xattr as mount options in /etc/fstab
Change errors=remount-ro to defaults,acl,user_xattr,errors=remount-ro
Apply the new mount options with a remount:
# mount -o remount,rw,acl,user_xattr,errors=remount-ro /dev/sda1 /

Build Samba + LDAP environment

Installing and setting packages

Installing and configuring libnss-ldap and libpam-ldap

# apt-get install libnss-ldap libpam-ldap
  • Setting of libnss-ldap
URL is ldapi:///
DN is dc=sambadom,dc=local
LDAP version is 3
LDAP account for root is cn=admin,dc=sambadom,dc=local
Password is ldap
  • Settings of libpam-ldap
Allow LDAP admin account ... is <Yes>
Does the LDAP database require login? is <No>
LDAP account for root is cn=admin,dc=sambadom,dc=local
Password is ldap
  • Adding LDAP into /etc/nsswitch.conf file
--- nsswitch.conf.org   2009-09-10 03:02:29.000000000 +0900
+++ nsswitch.conf       2009-09-07 22:10:09.000000000 +0900
@@ -4,9 +4,9 @@
 # If you have the `glibc-doc-reference' and `info' packages
installed, try:
 # `info libc "Name Service Switch"' for information about this file.

-passwd:         compat
-group:          compat
+passwd:         compat ldap
+group:          compat ldap
 shadow:         compat

 hosts:          files dns
 networks:       files
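Review bot: the shadow line stays at "compat" while passwd and group gain "ldap"; this works here because libpam-ldap authenticates directly against the directory, but anything that reads shadow entries through NSS (getspnam) will not see LDAP accounts, so either add "ldap" to the shadow line as well or state that leaving it out is intentional. Also, the unprefixed line "installed, try:" looks like a wrapped continuation of the preceding "# If you have ..." comment rather than a real context line; rejoin it so the hunk applies cleanly.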

Installing Samba and OpenLDAP

  • installing slapd package
# apt-get install slapd ldap-utils
Set ldap as Admin password

The ldap-utils package is for management purposes, so it is not required at runtime, although the descriptions below assume it is installed.

  • Installing Samba packages
# apt-get install samba winbind smbclient
Set SAMBADOM as workgroup/domain name

smbclient package is for management and test purpose, so it is not required for running.

  • Installing pam_smbpass package
# apt-get install libpam-smbpass
  • Removing nscd
Running nscd sometimes causes a problem: adding or removing a user or a group does not take effect immediately.
# apt-get remove nscd

PAM configuration

Because the pam-auth-update command sets up the PAM-related files automatically, we basically do not need to edit them manually.

But we have to set these settings manually:

  • /etc/pam.d/common-password
Comment out pam_winbind.so line.
  • /etc/pam.d/common-session
Add mkhomedir option in pam_winbind.so line.

Installing crackcheck command

  • Installing cracklib package
# apt-get install libcrack2
Used by the crackcheck command.

Run on the box where development packages are installed.

# apt-get install cracklib2-dev
# apt-get install samba-doc
# cd /usr/share/doc/samba-doc/examples/auth/crackcheck
# make
# strip crackcheck

Copy the crackcheck binary to /usr/local/sbin/crackcheck on sambapdc.

Installing mgrshare script

Extract mgrshare script (included in [http://wiki.samba.gr.jp/mediawiki/images/1/10/Sambapdc4.tar.gz sambapdc4.tar.gz] ) and install:

# mv mgrshare  /usr/local/sbin/mgrshare
# chmod +x /usr/local/sbin/mgrshare

Installing smbchsh

Extract smbchsh script (included in [http://wiki.samba.gr.jp/mediawiki/images/1/10/Sambapdc4.tar.gz sambapdc4.tar.gz] ) and install to /usr/local/bin/smbchsh.

Here is the content of smbchsh:

#!/bin/sh
# smbchsh: let a user change their own loginShell attribute in LDAP.
# Usage: smbchsh /path/to/shell
# The base DN matches the directory configured above (dc=sambadom,dc=local);
# the user is prompted for their own LDAP password.

if [ $# -ne 1 ]; then
  echo "usage: $0 SHELL" >&2
  exit 1
fi

newshell=$1
userdn="uid=${USER},ou=users,dc=sambadom,dc=local"

ldapmodify -x -D "${userdn}" -W <<EOF
dn: ${userdn}
changetype: modify
replace: loginShell
loginShell: ${newshell}
EOF

Installing remove-old-files-in-recycle-bin

Extract remove-old-files-in-recycle-bin script (included in [http://wiki.samba.gr.jp/mediawiki/images/1/10/Sambapdc4.tar.gz sambapdc4.tar.gz] ) and install as /usr/local/sbin/remove-old-files-in-recycle-bin:

#!/bin/sh
# Remove files not accessed for more than $olddays days from the
# recycle bin ($trashdir) of every share under $rootdir.

trashdir=.recycle
rootdir=/var/lib/samba/shares
olddays=14

cd "${rootdir}" || exit 1

for targetdir in *; do
  if [ -d "${targetdir}/${trashdir}" ]; then
    # Run in a subshell so the cd does not change the directory used
    # by the next iteration of the loop.
    ( cd "${targetdir}/${trashdir}" && find . -type f -atime +${olddays} -exec rm -f {} \; )
  fi
done

Creating home directory

# mkdir /home/SAMBADOM

Creating smbusers file

Extract smbusers file (included in [http://wiki.samba.gr.jp/mediawiki/images/1/10/Sambapdc4.tar.gz Sambapdc4.tar.gz] ) and install as /etc/samba/smbusers

Setting Samba + LDAP environment

Setting LDAP

Remember that since Squeeze the slapd configuration itself is stored in LDAP (cn=config), not in slapd.conf.

  • Installing schema file for Samba
# apt-get install samba-doc
# apt-get clean
# zcat /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz > /etc/ldap/schema/samba.schema
# apt-get remove samba-doc
# apt-get clean
The samba-doc package is removed again after the schema file has been extracted.
  • Generating LDIF file for Samba schema
# cd /tmp
# ln -s /etc/ldap/schema .
# mkdir dummy_slapd.d
Creating /tmp/dummy_slapd.conf file as below:
include schema/core.schema
include schema/cosine.schema
include schema/inetorgperson.schema
include schema/nis.schema
include schema/samba.schema
# slaptest -f dummy_slapd.conf -F dummy_slapd.d
config file testing succeeded
Modifying LDIF file

Rename cn={4}samba.ldif under dummy_slapd.d/cn=config/cn=schema to samba.ldif

and modify as below:

    • The top 3 lines before:
dn: cn={4}samba
objectClass: olcSchemaConfig
cn: {4}samba

    • The top 3 lines after:
dn: cn=samba,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: samba

    • The last 7 lines before:
structuralObjectClass: olcSchemaConfig
entryUUID: a671adca-3aa0-1030-8ae6-516ef773ec5f
creatorsName: cn=config
createTimestamp: 20110704154721Z
entryCSN: 20110704154721.872107Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20110704154721Z

    • The last 7 lines after:
(Removed)

Register samba.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -f samba.ldif
adding new entry "cn=samba,cn=schema,cn=config"
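The rename and the hand edits above can be automated. As an added example (not from the original page or from sambapdc4.tar.gz), this sed-based script performs exactly the changes described: it drops the {N} index from the dn and cn lines, adds the cn=schema,cn=config parent, and deletes the seven operational attributes; the embedded sample input is a constructed, abbreviated stand-in for slaptest's output and the function names are the example's own.

```shell
#!/bin/sh
# Added example: turn slaptest's cn={N}samba.ldif into a samba.ldif that can
# be loaded with "ldapadd -Y EXTERNAL -H ldapi:///" under cn=schema,cn=config.

# convert_schema_ldif <input cn={N}samba.ldif> <output samba.ldif>
convert_schema_ldif() {
  sed -e 's/^dn: cn={[0-9]*}samba$/dn: cn=samba,cn=schema,cn=config/' \
      -e 's/^cn: {[0-9]*}samba$/cn: samba/' \
      -e '/^structuralObjectClass: /d' \
      -e '/^entryUUID: /d' \
      -e '/^creatorsName: /d' \
      -e '/^createTimestamp: /d' \
      -e '/^entryCSN: /d' \
      -e '/^modifiersName: /d' \
      -e '/^modifyTimestamp: /d' \
      "$1" > "$2"
}

# write_sample_ldif <path>: constructed, shortened stand-in for slaptest's
# output (the real file carries every attribute and object class).
# Continuation lines start with a space, so the anchored patterns skip them.
write_sample_ldif() {
  cat > "$1" <<'EOF'
dn: cn={4}samba
objectClass: olcSchemaConfig
cn: {4}samba
olcAttributeTypes: {0}( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword' DESC 'L
 anManager Password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.1
 21.1.26{32} SINGLE-VALUE )
structuralObjectClass: olcSchemaConfig
entryUUID: 00000000-0000-0000-0000-000000000000
creatorsName: cn=config
createTimestamp: 20110704154721Z
entryCSN: 20110704154721.872107Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20110704154721Z
EOF
}

# count_lines <path>: number of lines in a file
count_lines() { grep -c '' "$1"; }

# Stand-alone demo: convert the constructed sample and show the result.
workdir=$(mktemp -d)
write_sample_ldif "$workdir/cn={4}samba.ldif"
convert_schema_ldif "$workdir/cn={4}samba.ldif" "$workdir/samba.ldif"
cat "$workdir/samba.ldif"
```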
  • Initial settings
Create sambadom.ldif as below:
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: uidNumber,gidNumber,uid,sambaSID,cn,memberuid eq
-
add: olcAccess
olcAccess: to attrs=loginShell by dn="cn=admin,dc=sambadom,dc=local" write by self write by * read
olcAccess: to attrs=sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange by dn="cn=admin,dc=sambadom,dc=local" write by self write by * none
# ldapadd -Y EXTERNAL -H ldapi:/// -f sambadom.ldif
adding new entry "olcDatabase={1}hdb,cn=config"

Create the initial directory tree

  • Create sambadom.local.ldif file as below:
dn: ou=users,dc=sambadom,dc=local
objectClass: top
objectClass: organizationalUnit
ou: users

dn: ou=groups,dc=sambadom,dc=local
objectClass: top
objectClass: organizationalUnit
ou: groups

dn: ou=idmap,dc=sambadom,dc=local
objectClass: top
objectClass: organizationalUnit
ou: idmap

dn: ou=computers,dc=sambadom,dc=local
objectClass: top
objectClass: organizationalUnit
ou: computers
  • Register sambadom.local.ldif with ldapadd:
# cat sambadom.local.ldif | ldapadd -D cn=admin,dc=sambadom,dc=local -W -x -H ldapi:///
Enter LDAP Password:
adding new entry "ou=users,dc=sambadom,dc=local"

adding new entry "ou=groups,dc=sambadom,dc=local"
...

Setting Samba

  • Stopping Samba
# /etc/init.d/samba stop
# /etc/init.d/winbind stop
  • Installing smb.conf

Create smb.conf as /etc/samba/smb.conf (included in sambapdc4.tar.gz)

# mv /etc/samba/smb.conf /etc/samba/smb.conf.org
# mv smb.conf /etc/samba/smb.conf
  • Installing smbusers file

Create smbusers as /etc/samba/smbusers

  • Store LDAP password
# smbpasswd -w ldap
Setting stored password for "cn=admin,dc=sambadom,dc=local" in secrets.tdb
  • Store initial settings into LDAP

Start winbindd (only) before running 'net sam provision'

# /etc/init.d/winbind start
Starting the Winbind daemon: winbind.
# net sam provision
Checking for Domain Users group.
Adding the Domain Users group.
Checking for Domain Admins group.
Adding the Domain Admins group.
Check for Administrator account.
Adding the Administrator user.
Checking for Guest user.
Adding the Guest user.
Checking Guest's group.
Adding the Domain Guests group.
  • Initial settings for Administrator user
Set its password to 'samba'
# smbpasswd Administrator
New SMB password: <== samba
Retype new SMB password: <== samba
  • Starting Samba

Setting automated home directory creation

  • Create a file as /usr/local/sbin/createhomedir and chmod +rx :
This setting is needed because automated home directory creation via PAM cannot work with Samba.
#!/bin/bash
# createhomedir DOMAIN USER
# Expects the domain name and the user name as arguments (e.g. %D and %U
# from smb.conf) and creates /home/DOMAIN/USER if it does not exist yet.

homedir=/home/$1/$2

if [ ! -d "$homedir" ]; then
        mkdir "$homedir"
        chmod 700 "$homedir"
        chown "$2":domusers "$homedir"
fi
exit 0

Setting syslog

  • Creating a file as /etc/rsyslog.d/samba.conf :
local1.*                -/var/log/samba/log.audit
  • And
# touch /var/log/samba/log.audit
# /etc/init.d/rsyslog restart
  • Creating a file as /etc/logrotate.d/samba-syslog :
/var/log/samba/log.audit
{
       rotate 4
       weekly
       missingok
       notifempty
       compress
       delaycompress
       sharedscripts
       postrotate
               invoke-rc.d rsyslog reload > /dev/null
       endscript
}

Creating shares

# mkdir /var/lib/samba/shares
# cd /var/lib/samba/shares
  • 'NETLOGON' share
# mkdir /var/lib/samba/shares/netlogon
# mkdir /var/lib/samba/shares/printers
# chgrp domadmins netlogon printers
# chmod 775 netlogon printers
  • 'profiles' share
# mkdir /var/lib/samba/shares/profiles
# chmod 1777 /var/lib/samba/shares/profiles
  • 'shared' share
A share where users who belong to the Domain Users group can read and write
# mkdir /var/lib/samba/shares/shared
# chgrp domusers shared
# chmod g+ws shared
  • 'aclshare1' share
Create the aclshare1ro and aclshare1rw groups and confirm their GIDs before creating 'aclshare1'
# net sam createlocalgroup aclshare1ro
Created local group aclshare1ro with RID 1001
# net sam createlocalgroup aclshare1rw
Created local group aclshare1rw with RID 1002
# net groupmap list ntgroup=aclshare1ro
aclshare1ro (S-1-5-21-3643489711-3443204727-2039806625-1001) -> 10011
# net groupmap list ntgroup=aclshare1rw
aclshare1rw (S-1-5-21-3643489711-3443204727-2039806625-1002) -> 10012
# mkdir /var/lib/samba/shares/aclshare1
# chown root:root aclshare1
# chmod 770 aclshare1
# setfacl -m group:10011:r-x aclshare1
# setfacl -m group:10012:rwx aclshare1
# setfacl -d -m group:10011:r-x aclshare1
# setfacl -d -m group:10012:rwx aclshare1
  • 'aclshare2' share
Create the aclshare2ro and aclshare2rw groups and confirm their GIDs before creating 'aclshare2'
# net sam createlocalgroup aclshare2ro
Created local group aclshare2ro with RID 1003
# net sam createlocalgroup aclshare2rw
Created local group aclshare2rw with RID 1004
# net groupmap list ntgroup=aclshare2ro
aclshare2ro (S-1-5-21-3643489711-3443204727-2039806625-1003) -> 10013
# net groupmap list ntgroup=aclshare2rw
aclshare2rw (S-1-5-21-3643489711-3443204727-2039806625-1004) -> 10014
# mkdir /var/lib/samba/shares/aclshare2
# chown root:root aclshare2
# chmod 770 aclshare2
# setfacl -m group:10014:rwx aclshare2
# setfacl -m group:10013:r-x aclshare2
# setfacl -d -m group:10014:rwx aclshare2
# setfacl -d -m group:10013:r-x aclshare2
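The aclshare1 and aclshare2 steps differ only in names and GIDs, so the repeated setfacl sequence is easy to get wrong by copy-and-paste. As an added example (not part of the original page or of sambapdc4.tar.gz), this script wraps the whole sequence in one function and reads each group's GID from the "net groupmap list" output shown above; the SHAREROOT variable and the DRYRUN switch are assumptions of the example.

```shell
#!/bin/sh
# Added example: create an ACL-controlled share such as aclshare1/aclshare2
# in one step.  GIDs come from "net groupmap list" output, e.g.
#   aclshare1ro (S-1-5-21-...-1001) -> 10011
# SHAREROOT and the DRYRUN switch are this example's own assumptions.

SHAREROOT=/var/lib/samba/shares

# Print the unix GID (the number after "->") from one groupmap line.
gid_from_groupmap_line() {
  printf '%s\n' "$1" | sed -n 's/.*-> *\([0-9][0-9]*\) *$/\1/p'
}

# Resolve the GID of a mapped Samba group on the PDC itself.
gid_of_ntgroup() {
  gid_from_groupmap_line "$(net groupmap list ntgroup="$1")"
}

# Run a command, or only print it when DRYRUN=1.
run() {
  if [ "${DRYRUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# make_acl_share <share> <ro-gid> <rw-gid>
# root-owned, no access for "other"; the ro group gets r-x and the rw group
# rwx, both as access ACL and as default ACL so new entries inherit them.
make_acl_share() {
  share="$SHAREROOT/$1"; rogid=$2; rwgid=$3
  run mkdir -p "$share"
  run chown root:root "$share"
  run chmod 770 "$share"
  run setfacl -m "group:$rogid:r-x" "$share"
  run setfacl -m "group:$rwgid:rwx" "$share"
  run setfacl -d -m "group:$rogid:r-x" "$share"
  run setfacl -d -m "group:$rwgid:rwx" "$share"
}

# Demo (dry run) with the GIDs shown on the page for aclshare1:
DRYRUN=1 make_acl_share aclshare1 10011 10012
# On the PDC you would use the real lookups instead:
#   make_acl_share aclshare1 "$(gid_of_ntgroup aclshare1ro)" "$(gid_of_ntgroup aclshare1rw)"
```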
  • 'share_test' share
# mkdir /var/lib/samba/shares/share_test
# chmod 1777 share_test
# mkdir share_test/hide_unreadable
# cd share_test/hide_unreadable
# touch normal.txt
# touch secure.txt
# chmod 600 secure.txt
# cd /var/lib/samba/shares
# mkdir share_test/veto_files
# cd share_test/veto_files
# touch dummy.exe
# mkdir GodMode.{ED7BA470-8E54-465E-825C-99712043E01C}
  • Installing var-check script
Works together with the "root preexec" line of the share_test share and records the values of all Samba variables. Install it as /usr/local/sbin/var-check:
#!/bin/sh
# var-check: dump the Samba substitution variables passed as arguments.
# Invoked from the "root preexec" line of the share_test share with the
# values of the variables listed in VARLIST, in the same order.

VARLIST='%U %G %h %L %m %M %R %d %a %I %i %T %D %w %v %V %S %P %u %g %H %N %p e1 e2'

rm -f /tmp/var.txt

# Pair each variable name with the corresponding positional argument.
for var in $VARLIST; do
  echo "$var : $1" >> /tmp/var.txt
  shift
done

Creating users

  • Creating the ldap01, ldap02 and ldap03 users
ldap01 and ldap02 belong to the aclshare1rw and aclshare2rw groups
ldap03 belongs to the aclshare1ro and aclshare2ro groups
  • Their home directory is set to \\sambapdc\username, mounted as H:
  • Their full name is set to "LDAP User nn"
  • Their password is set not to expire.
For ldap01 user
# smbpasswd -a ldap01
# pdbedit -c "[X]" -f "LDAP01 user" -h '\\sambapdc\ldap01' -D h: ldap01
# net sam addmem aclshare1rw ldap01
Added SAMBADOM\ldap01 to SAMBADOM\aclshare1rw
# net sam addmem aclshare2rw ldap01
Added SAMBADOM\ldap01 to SAMBADOM\aclshare2rw

Installing SWAT (Option)

  • Installing SWAT
# apt-get install swat
  • Setting below to /etc/hosts.allow file
Restrict access to the local subnet.
ALL: LOCAL

Last of all

  • Initializing the WINS database

Remove wins.dat and wins.tdb under /var/lib/samba

  • Removing VMware log files