|
|
# installation : SAMBA pour Debian 7
|
|
|
|
|
|
|
|
|
[[_TOC_]]
|
|
|
|
|
|
|
|
|
## commun
|
|
|
|
|
|
ATTENTION: every account created for Samba use must have its login shell set to /bin/false
|
|
|
(see "template shell" and userLoginShell below), otherwise the account — which now has a valid password — can also log in via SSH or any other PAM-backed service!
|
|
|
<http://www.ibm.com/developerworks/linux/tutorials/l-ldapsamba/>
|
|
|
<https://wiki.samba.org/index.php/Samba_%26_LDAP>
|
|
|
|
|
|
|
|
|
# apt-get install samba samba-common-bin smbclient smbldap-tools cifs-utils
|
|
|
|
|
|
[RAISON:
|
|
|
cifs-utils: support CIFS/SMB pour mount]
|
|
|
|
|
|
# gunzip -c /usr/share/doc/samba/examples/LDAP/samba.schema.gz >/tmp/samba.schema
|
|
|
# /home/rescue/bin/ldap-schema2ldif.sh /tmp/samba.schema
|
|
|
# etckeeper commit 'ldap/slapd.d/cn=config/cn=schema/cn={7}samba.ldif: new file'
|
|
|
|
|
|
# /home/rescue/bin/ldap-add-samba-acl-index.sh [$ADMIN $DC]
|
|
|
# etckeeper commit 'ldap/slapd.d/cn=config/olcDatabase={1}hdb.ldif: add samba* ACL'
|
|
|
|
|
|
# service samba stop
|
|
|
# nano /etc/samba/smb.conf
|
|
|
[replace and add]
|
|
|
--8<---------------cut here---------------start------------->8---
|
|
|
workgroup = $ORG
|
|
|
|
|
|
# The name you will see in "Network Neighbourhood", defaults to your hostname
|
|
|
netbios name = %h
|
|
|
--8<---------------cut here---------------end--------------->8---
|
|
|
[add and replace]
|
|
|
--8<---------------cut here---------------start------------->8---
|
|
|
## <https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/DNSDHCP.html>
|
|
|
; wins support = no
|
|
|
--8<---------------cut here---------------end--------------->8---
|
|
|
[add after
|
|
|
; name resolve order = lmhosts host wins bcast]
|
|
|
--8<---------------cut here---------------start------------->8---
|
|
|
|
|
|
# Specify which ports the server should listen on for SMB traffic.
|
|
|
## <http://support.microsoft.com/kb/204279>
|
|
|
## <http://ntsecurity.nu/papers/port445/>
|
|
|
## <http://lists.samba.org/archive/samba/2004-April/084048.html>
|
|
|
; smb ports = 139
|
|
|
|
|
|
# This parameter determines if nmbd advertises itself as a time server to
|
|
|
# Windows clients
|
|
|
; time server = no
|
|
|
--8<---------------cut here---------------end--------------->8---
|
|
|
[replace]
|
|
|
--8<---------------cut here---------------start------------->8---
|
|
|
security = user
|
|
|
|
|
|
# You may wish to use password encryption. See the section on
|
|
|
# 'encrypt passwords' in the smb.conf(5) manpage before enabling.
|
|
|
encrypt passwords = yes
|
|
|
|
|
|
# Allow or disallow client access to accounts that have null passwords.
|
|
|
null passwords = no
|
|
|
|
|
|
# If you are using encrypted passwords, Samba will need to know what
|
|
|
# password database type you are using.
|
|
|
####### LDAP support #######
|
|
|
## <file:///usr/share/doc/smbldap-tools/README.Debian.gz>
|
|
|
## NOTE: $(hostname -f) and $DC below are placeholders to substitute by hand —
|
|
|
## smb.conf performs no shell expansion. Use the LDAP server's FQDN as it
|
|
|
## appears in the slapd certificate: "ldap ssl = start tls" upgrades the
|
|
|
## connection to TLS, and certificate checking presumably follows the OpenLDAP
|
|
|
## client settings in /etc/ldap/ldap.conf (TLS_REQCERT) — confirm it is not "never".
|
|
|
## NOTE: "ldap admin dn" is the directory root; its password (entered with
|
|
|
## "smbpasswd -W" below) ends up in Samba's secrets.tdb, so root on this host
|
|
|
## owns the whole directory. A dedicated bind DN limited by ACL to the Samba
|
|
|
## and POSIX attributes is preferable where the ACL setup allows it.
|
|
|
passdb backend = ldapsam:ldap://$(hostname -f)
|
|
|
|
|
|
obey pam restrictions = no
|
|
|
|
|
|
ldap ssl = start tls
|
|
|
ldap suffix = $DC
|
|
|
ldap user suffix = ou=users
|
|
|
ldap group suffix = ou=groups
|
|
|
ldap machine suffix = ou=hosts
|
|
|
ldap idmap suffix = ou=idmap
|
|
|
ldap admin dn = cn=admin,$DC
|
|
|
ldap delete dn = no
|
|
|
|
|
|
# Don't use Samba's internal LDAP password sync
|
|
|
ldap passwd sync = no
|
|
|
|
|
|
# This boolean parameter controls whether Samba attempts to sync the Unix
|
|
|
# password with the SMB password when the encrypted SMB password in the
|
|
|
# passdb is changed.
|
|
|
unix password sync = yes
|
|
|
|
|
|
# Use an external program to manage passwords
|
|
|
passwd program = /usr/sbin/smbldap-passwd %u
|
|
|
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
|
|
|
|
|
|
# This boolean controls whether PAM will be used for password changes
|
|
|
# when requested by an SMB client instead of the program listed in
|
|
|
# 'passwd program'. The default is 'no'.
|
|
|
pam password change = no
|
|
|
--8<---------------cut here---------------end--------------->8---
|
|
|
[replace]
|
|
|
--8<---------------cut here---------------start------------->8---
|
|
|
# Is this machine able to authenticate users. Both PDC and BDC
|
|
|
# must have this setting enabled. If you are the BDC you must
|
|
|
# change the 'domain master' setting to no
|
|
|
domain logons = yes
|
|
|
|
|
|
# The following setting only takes effect if 'domain logons' is set
|
|
|
--8<---------------cut here---------------end--------------->8---
|
|
|
[add and replace]
|
|
|
--8<---------------cut here---------------start------------->8---
|
|
|
# Since Windows Vista the roaming profile directory carries a version suffix (e.g. "profile.V2"); the path below is the base name
|
|
|
## <https://en.wikipedia.org/wiki/Roaming_user_profile>
|
|
|
## <https://technet.microsoft.com/en-us/library/cc974331%28WS.10%29.aspx>
|
|
|
logon path = \\inubo.$(dnsdomainname)\%U\profile
|
|
|
--8<---------------cut here---------------end--------------->8---
|
|
|
[replace]
|
|
|
logon drive = H:
|
|
|
logon home = \\inubo.$(dnsdomainname)\%U
|
|
|
[replace]
|
|
|
--8<---------------cut here---------------start------------->8---
|
|
|
## <https://en.wikipedia.org/wiki/Batch_file>
|
|
|
## <http://waynes-world-it.blogspot.fr/2008/08/difference-between-bat-and-cmd.html>
|
|
|
### ATTENTION: the netlogon share (/srv/samba/netlogon) is not replicated — its content must be synchronized manually between the PDC and the BDC!
|
|
|
logon script = logon.cmd
|
|
|
|
|
|
# This allows Unix users to be created on the domain controller via the SAMR
|
|
|
# RPC pipe.
|
|
|
; add user script = /usr/sbin/smbldap-useradd -m "%u"
|
|
|
; delete user script = /usr/sbin/smbldap-userdel "%u"
|
|
|
|
|
|
# This allows machine accounts to be created on the domain controller via the
|
|
|
# SAMR RPC pipe.
|
|
|
; add machine script = /usr/sbin/smbldap-useradd -w "%u"
|
|
|
|
|
|
# This allows Unix groups to be created on the domain controller via the SAMR
|
|
|
# RPC pipe.
|
|
|
; add group script = /usr/sbin/smbldap-groupadd -p "%g"
|
|
|
; delete group script = /usr/sbin/smbldap-groupdel "%g"
|
|
|
; add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
|
|
|
; delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
|
|
|
; set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
|
|
|
|
|
|
########## Printing ##########
|
|
|
|
|
|
# If you want to automatically load your printer list rather
|
|
|
# than setting them up individually then you'll need this
|
|
|
; load printers = yes
|
|
|
--8<---------------cut here---------------end--------------->8---
|
|
|
[replace]
|
|
|
--8<---------------cut here---------------start------------->8---
|
|
|
[homes]
|
|
|
comment = Home Directories
|
|
|
browseable = no
|
|
|
read only = no
|
|
|
--8<---------------cut here---------------end--------------->8---
|
|
|
[add comments]
|
|
|
--8<---------------cut here---------------start------------->8---
|
|
|
[homes]
|
|
|
## ATTENTION: 0700 keeps home-directory files readable by their owner only; the UMASK=022 default in /etc/login.defs would otherwise let other local users read them
|
|
|
create mask = 0700
|
|
|
|
|
|
## ATTENTION: 0700 keeps home sub-directories private to their owner; the UMASK=022 default in /etc/login.defs would otherwise let other local users list them
|
|
|
directory mask = 0700
|
|
|
--8<---------------cut here---------------end--------------->8---
|
|
|
[replace]
|
|
|
--8<---------------cut here---------------start------------->8---
|
|
|
# If you have a local network then you could try:
|
|
|
# IPTOS_LOWDELAY TCP_NODELAY
|
|
|
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
|
|
|
--8<---------------cut here---------------end--------------->8---
|
|
|
[replace]
|
|
|
idmap config * : backend = ldap:ldap://$(hostname -f)
|
|
|
idmap config * : range = 100000-200000
|
|
|
template homedir = /home/users/%U
|
|
|
template shell = /bin/false
|
|
|
[add after winbind enum users]
|
|
|
--8<---------------cut here---------------start------------->8---
|
|
|
|
|
|
# This parameter specifies whether the winbindd daemon should operate on
|
|
|
# users without a domain component in their username. Users without a
|
|
|
# domain component are treated as part of the winbindd server's own
|
|
|
# domain. While this does not benefit Windows users, it makes SSH, FTP and
|
|
|
# e-mail work much closer to the way they would on a native
|
|
|
# Unix system.
|
|
|
winbind use default domain = yes
|
|
|
--8<---------------cut here---------------end--------------->8---
|
|
|
# smbpasswd -W
|
|
|
[LDAP admin password — the one for "ldap admin dn" above. Samba stores it in its private secrets.tdb; keep that file root-only and treat it as sensitive as the LDAP admin password itself]
|
|
|
|
|
|
|
|
|
## PDC (master)
|
|
|
|
|
|
# nano /etc/hosts
|
|
|
[add]
|
|
|
127.0.1.1 $(hostname -f) $(hostname) inubo.$(dnsdomainname)
|
|
|
# nano /etc/samba/smb.conf
|
|
|
[replace]
|
|
|
server string = inubo server
|
|
|
wins support = yes
|
|
|
time server = yes
|
|
|
--8<---------------cut here---------------end--------------->8---
|
|
|
[uncomment]
|
|
|
add machine script = /usr/sbin/smbldap-useradd -w "%u"
|
|
|
[replace]
|
|
|
--8<---------------cut here---------------start------------->8---
|
|
|
## <http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/samba-pdc.html>
|
|
|
domain master = yes
|
|
|
--8<---------------cut here---------------end--------------->8---
|
|
|
[uncomment]
|
|
|
winbind enum groups = yes
|
|
|
winbind enum users = yes
|
|
|
[uncomment]
|
|
|
--8<---------------cut here---------------start------------->8---
|
|
|
[netlogon]
|
|
|
comment = Network Logon Service
|
|
|
path = /srv/samba/netlogon
|
|
|
guest ok = yes
|
|
|
read only = yes
|
|
|
--8<---------------cut here---------------end--------------->8---
|
|
|
# service samba start
|
|
|
# mkdir -p /srv/samba/netlogon
|
|
|
# nano !$/logon.cmd
|
|
|
[add — the netlogon share is guest-readable (guest ok = yes above), so this script is visible to anyone on the network: never hard-code a real password here. Leave out the optional [$PASSWORD] [/user:$USER] arguments and let the share be mapped with the logged-on user's domain credentials.]
|
|
|
net use $DRIVE: \\inubo.$(dnsdomainname)\$SHARE [$PASSWORD] [/user:$USER]
|
|
|
# cp /usr/share/doc/smbldap-tools/examples/smbldap_bind.conf /etc/smbldap-tools/smbldap_bind.conf
|
|
|
# nano !$
|
|
|
[replace — $PWD stands for the LDAP admin (cn=admin,$DC) password, not the shell's $PWD variable; type the actual password. This file stores it in clear text, which is why it is made root-only with chmod 0600 just below.]
|
|
|
slaveDN="cn=admin,$DC"
|
|
|
slavePw="$PWD"
|
|
|
masterDN="cn=admin,$DC"
|
|
|
masterPw="$PWD"
|
|
|
# chmod 0600 !$
|
|
|
# zcat /usr/share/doc/smbldap-tools/examples/smbldap.conf.gz >/etc/smbldap-tools/smbldap.conf
|
|
|
# nano !$
|
|
|
[replace]
|
|
|
SID="$(net getlocalsid)"
|
|
|
[replace]
|
|
|
--8<---------------cut here---------------start------------->8---
|
|
|
## <http://bugs.debian.org/566400>
|
|
|
sambaDomain="$ORG"
|
|
|
--8<---------------cut here---------------end--------------->8---
|
|
|
[comment]
|
|
|
--8<---------------cut here---------------start------------->8---
|
|
|
#slaveLDAP="ldap.example.com"
|
|
|
#slavePort="389"
|
|
|
masterLDAP="$(hostname -f)"
|
|
|
--8<---------------cut here---------------end--------------->8---
|
|
|
[remove]
|
|
|
masterPort="389"
|
|
|
[replace — verify="require" makes smbldap-tools refuse an LDAP server certificate it cannot validate, so cafile must point at the CA (or, for a self-signed setup, the server certificate itself) that slapd actually presents. ssl-cert-snakeoil.pem is Debian's auto-generated self-signed certificate: this only works as long as slapd serves exactly that certificate, and cafile must be updated whenever slapd's certificate is replaced. Do not work around a verification failure by lowering "verify".]
|
|
|
--8<---------------cut here---------------start------------->8---
|
|
|
ldapTLS="1"
|
|
|
#ldapSSL="0"
|
|
|
verify="require"
|
|
|
cafile="/etc/ssl/certs/ssl-cert-snakeoil.pem"
|
|
|
#clientcert="/etc/smbldap-tools/smbldap-tools.example.com.pem"
|
|
|
#clientkey="/etc/smbldap-tools/smbldap-tools.example.com.key"
|
|
|
--8<---------------cut here---------------end--------------->8---
|
|
|
[replace]
|
|
|
suffix="$DC"
|
|
|
usersdn="ou=users,${suffix}"
|
|
|
computersdn="ou=hosts,${suffix}"
|
|
|
groupsdn="ou=groups,${suffix}"
|
|
|
idmapdn="ou=idmap,${suffix}"
|
|
|
[replace]
|
|
|
userLoginShell="/bin/false"
|
|
|
userHome="/home/users/%U"
|
|
|
[comment]
|
|
|
--8<---------------cut here---------------start------------->8---
|
|
|
#userSmbHome="\\PDC-SRV\%U"
|
|
|
#userProfile="\\PDC-SRV\profiles\%U"
|
|
|
#userHomeDrive="H:"
|
|
|
#userScript="logon.bat"
|
|
|
#mailDomain="example.com"
|
|
|
--8<---------------cut here---------------end--------------->8---
|
|
|
# chmod 0644 !$
|
|
|
[if smbldap-tools < 0.9.7-1+deb7u1 <http://bugs.debian.org/700477>
|
|
|
# sed -i -e 's/samba_bindir\/netx/samba_bindir\/net/' /usr/share/perl5/smbldap_tools.pm
|
|
|
]
|
|
|
# smbldap-populate
|
|
|
Populating LDAP directory for domain $ORG ($SID)
|
|
|
(using builtin directory structure)
|
|
|
|
|
|
Use of uninitialized value $smbldap_tools::config{"clientcert"} in string at /usr/share/perl5/smbldap_tools.pm line 358.
|
|
|
Use of uninitialized value $smbldap_tools::config{"clientkey"} in string at /usr/share/perl5/smbldap_tools.pm line 358.
|
|
|
[these two warnings are expected: clientcert/clientkey were left commented out in smbldap.conf above, so no client certificate is used; TLS server verification (verify="require") is unaffected]
|
|
|
entry $DC already exist.
|
|
|
entry ou=users,$DC already exist.
|
|
|
entry ou=groups,$DC already exist.
|
|
|
entry ou=hosts,$DC already exist.
|
|
|
adding new entry: sambaDomainName=$ORG,$DC
|
|
|
adding new entry: uid=root,ou=users,$DC
|
|
|
adding new entry: uid=nobody,ou=users,$DC
|
|
|
adding new entry: cn=Domain Admins,ou=groups,$DC
|
|
|
adding new entry: cn=Domain Users,ou=groups,$DC
|
|
|
adding new entry: cn=Domain Guests,ou=groups,$DC
|
|
|
adding new entry: cn=Domain Computers,ou=groups,$DC
|
|
|
adding new entry: cn=Administrators,ou=groups,$DC
|
|
|
adding new entry: cn=Account Operators,ou=groups,$DC
|
|
|
adding new entry: cn=Print Operators,ou=groups,$DC
|
|
|
adding new entry: cn=Backup Operators,ou=groups,$DC
|
|
|
adding new entry: cn=Replicators,ou=groups,$DC
|
|
|
|
|
|
Please provide a password for the domain root:
|
|
|
Use of uninitialized value $smbldap_tools::config{"clientcert"} in string at /usr/share/perl5/smbldap_tools.pm line 358.
|
|
|
Use of uninitialized value $smbldap_tools::config{"clientkey"} in string at /usr/share/perl5/smbldap_tools.pm line 358.
|
|
|
Changing UNIX and samba passwords for root
|
|
|
New password:
|
|
|
Retype new password:
|
|
|
[à sauver comme "Samba root" dans inubo/commun/Clients/$ORG/$ORG.kdb]
|
|
|
# etckeeper commit '*: LDAP and Samba as PDC'
|
|
|
|
|
|
*[si nécessaire]*
|
|
|
|
|
|
[[create home directory on login|installation/ldap#createhomeonlogin]]
|
|
|
|
|
|
[[home directories in /srv|installation/mail#srvhomeusers]]
|
|
|
|
|
|
|
|
|
## BDC (slave)
|
|
|
|
|
|
# nano /etc/samba/smb.conf
|
|
|
[replace]
|
|
|
--8<---------------cut here---------------start------------->8---
|
|
|
## <http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/samba-bdc.html>
|
|
|
domain master = no
|
|
|
--8<---------------cut here---------------end--------------->8---
|
|
|
# net rpc getsid
|
|
|
# service samba start
|
|
|
# etckeeper commit '*: LDAP and Samba as BDC'
|
|
|
|
|
|
|
|
|
## partages
|
|
|
|
|
|
[[LDAP local authentication|installation/ldap#ldaplocalauthentication]]
|
|
|
|
|
|
*[si premier partage — NB : le bit setuid (u+s) n'a aucun effet sur un répertoire sous Linux ; c'est le bit setgid (g+s, utilisé pour chaque partage ci-dessous) qui fait hériter le groupe du répertoire aux nouveaux fichiers]*
|
|
|
|
|
|
# mkdir -p /srv/samba/inubo
|
|
|
# chown info.$ORG:$ORG !$
|
|
|
# chmod u+rwxs,g+rx,o-rwx !$
|
|
|
|
|
|
*[pour partage nobackup (à tester)]*
|
|
|
|
|
|
## (Pour exclure une partie du serveur de la sauvegarde Bacula)
|
|
|
## Détail du FileSet sambabackup (consultable depuis BAT)
|
|
|
## FileSet: name=sambabackup
|
|
|
## INCLUDE /srv/backup/samba/
|
|
|
## EXCLUDE /srv/backup/samba/nobackup/ (NB : le répertoire créé ci-dessous est /srv/samba/nobackup — vérifier que c'est bien sous ce chemin qu'il apparaît côté Bacula, sinon l'exclusion ne correspond à rien)
|
|
|
|
|
|
# mkdir -p /srv/samba/nobackup
|
|
|
# chown info.$ORG:$ORG !$
|
|
|
# chmod u+rwxs,g+rx,o-rwx !$
|
|
|
|
|
|
*[pour chaque partage]*
|
|
|
|
|
|
# mkdir -p /srv/samba/inubo/$SHARE
|
|
|
# chown info.$ORG:$GROUP !$
|
|
|
# chmod u+rwxs,g+rwxs,o-rwx !$
|
|
|
# nano /etc/samba/smb.conf
|
|
|
[add at the end]
|
|
|
--8<---------------cut here---------------start------------->8---
|
|
|
|
|
|
[$SHARE]
|
|
|
path = /srv/samba/inubo/$SHARE
|
|
|
browseable = yes
|
|
|
hide unreadable = yes
|
|
|
read only = no
|
|
|
guest ok = no
|
|
|
create mask = 0660
|
|
|
directory mask = 0770
|
|
|
valid users = @$GROUP
|
|
|
--8<---------------cut here---------------end--------------->8---
|
|
|
# service samba restart
|
|
|
# smbclient -L \\localhost -U it.$ORG
|
|
|
# etckeeper commit 'samba/smb.conf: add $SHARE'
|
|
|
|
|
|
## Client Windows
|
|
|
|
|
|
### Connexion à un domaine Samba
|
|
|
|
|
|
[[(ref)|http://www.enterprisenetworkingplanet.com/windows/article.php/3849061/Use-Samba-With-Windows-7-Clients.htm]]
|
|
|
|
|
|
Go to: Control Panel -> Administrative Tools -> Local Security Policy
|
|
|
|
|
|
Select: Local Policies -> Security Options
|
|
|
|
|
|
"Network security: LAN Manager authentication level" -> Send LM & NTLM
|
|
|
===> NON : ne pas abaisser ce niveau, garder la valeur par défaut de Windows (notée ici « Send LM & NTLM, prefer NTLMv2 ») — Samba accepte NTLMv2, et forcer « Send LM & NTLM » impose des réponses LM/NTLM faibles sans aucun gain.
|
|
|
|
|
|
"Minimum session security for NTLM SSP" -> uncheck: Require 128-bit
|
|
|
encryption
|
|
|
===> NON : ne pas toucher — aucun minimum particulier n'est exigé côté Samba, et décocher le chiffrement 128 bits ne ferait qu'affaiblir la sécurité de session NTLM SSP.
|
|
|
|
|
|
|
|
|
Dans regedit, éditer les clefs [[Fichier reg|Win7_Samba3DomainMember.reg]]
|
|
|
|
|
|
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters
|
|
|
(DWORD) DomainCompatibilityMode = 1
|
|
|
(DWORD) DNSNameResolutionRequired = 0
|
|
|
|
|
|
Attention, ne pas modifier les clefs dans Netlogon (HKLM\SYSTEM\CurrentControlSet\services\Netlogon\Parameters) : elles gouvernent la signature et le chiffrement du canal sécurisé du domaine, et les désactiver affaiblit l'authentification de la machine.
|
|
|
|
|
|
|
|
|
### Outils de diagnostique
|
|
|
|
|
|
Tester si le domaine est joignable
|
|
|
|
|
|
nltest /dsgetdc:domainname
|
|
|
|
|
|
[[https://support.microsoft.com/en-us/kb/247811]] |