The Samba-Bugzilla – Attachment 1769 Details for Bug 3550: logon with ssh and id commands is sparse - su and id info correct
How I configured samba
samba config.txt (text/plain), 12.25 KB, created by David Shapiro on 2006-03-02 08:00:08 UTC
> Install Procedure
>
>1. Copy from hq1ap100:/usr/local/depot/samba to /usr/local on the destination server and untar them:
>     ldap.tar
>     heimdal-krb5.tar
>     samba.tar
>2. Enable aio support (see notes below on this)
>3. Copy from hq1ap100:/usr/local/depot/samba/smb and slapd to /etc/init.d on the destination server
>4. Softlink in /etc/rc.d/rc2.d smb and slapd as S91slapd and S92smb
>5. Add to /etc/services:
>
># kerberos ports
>kerberos          88/udp     kdc    # Kerberos authentication--udp
>kerberos          88/tcp     kdc    # Kerberos authentication--tcp
>kerberos-sec      750/udp           # Kerberos authentication--udp
>kerberos-sec      750/tcp           # Kerberos authentication--tcp
>kerberos_master   751/udp           # Kerberos authentication
>kerberos_master   751/tcp           # Kerberos authentication
>kerberos-adm      749/tcp           # Kerberos 5 admin/changepw
>kerberos-adm      749/udp           # Kerberos 5 admin/changepw
>kpop              1109/tcp          # Pop with Kerberos
>kshell            544/tcp    cmd    # and remote shell
>klogin            543/tcp           # Kerberos authenticated rlogin
>eklogin           2105/tcp          # Kerberos encrypted rlogin
>krb5_prop         754/tcp           # Kerberos slave propagation
>krb524            4444/tcp          # Kerberos 5 to 4 ticket xlator
>swat              901/tcp           # samba swat
>
>Note: Some of the kerberos entries are already in /etc/services, so clean up duplicates.
>
>6. Copy /usr/local/samba/lib/WINBIND /usr/lib/security
>7. Modify /etc/security/user (see notes below on this)
>8. Modify /usr/lib/security/methods.cfg (see notes below on this)
>9. Have an NT Admin run net ads join -U<domain admin account>%<password>
>10. Add to /.profile env PATH /usr/local/samba/bin and /usr/local/samba/sbin
>11. Run smb start to start samba.
>12. Test by typing \\servername\public to see if you get access without prompting to the public folder. Validate you can still log into the system with ssh.
>
>
>
> Build Procedure Used
>
>Install gcc 4.0.2 for your os level (http://aixpdslib.seas.ucla.edu/categories/development.html)
>Install libiconv 1.9.2 for your os level (http://aixpdslib.seas.ucla.edu/categories/development.html)
>Install gnu make 3.80 and rename it gmake
>Install m4 1.4.3
>Install autoconf 2.59
>Install bison 2.0
>
>-----------------------
>Install db-4.4.20
>-----------------------
>cd into dist
>mkdir build
>cd build
>env CC="gcc -D_LINUX_SOURCE_COMPAT" ../configure \
>--prefix=/usr/local/bdb \
>--enable-static-yes --enable-shared=no
>gmake
>gmake install
>
>--------------
>openssl-0.9.8a
>--------------
>./config threads no-shared --prefix=/usr/local/ssl
>
>gmake
>gmake install
>
>-----------------
>cyrus-sasl-2.1.21
>-----------------
>Comment out line 111 in saslint.h:
>/* extern sasl_global_callbacks_t global_callbacks; */
>
>env CC="gcc -D_LINUX_SOURCE_COMPAT" \
>CPPFLAGS="-I/usr/include" \
>LDFLAGS="-L/usr/lib" \
>../configure --with-openssl=/usr/local/ssl \
>--with-bdb-libdir=/usr/local/bdb/lib \
>--with-bdb-incdir=/usr/local/bdb/include \
>--disable-gssapi --prefix=/usr/local/cyrus-sasl
>gmake
>gmake install
>
>---------------
>openldap-2.3.11
>---------------
>mkdir build2
>cd build2
>env CC="gcc -D_LINUX_SOURCE_COMPAT -D_THREAD_SAFE" \
>CPPFLAGS="-I/usr/include -I/usr/local/bdb/include -I/usr/local/cyrus-sasl/include -I /usr/local/ssl/include" \
>LDFLAGS="-L/usr/lib -L/usr/local/ssl/lib -L/usr/local/bdb/lib -lpthread" \
>../configure --enable-dynamic --enable-spasswd \
>--enable-bdb --enable-crypt --enable-slapd --enable-slurpd \
>--with-cyrus-sasl=yes --with-tls=openssl --enable-rlookups \
>--with-threads=posix --prefix=/usr/local/openldap \
>--enable-shared=no --enable-static=yes \
>--with-ssl=/usr/local/ssl --with-tls
>gmake depend
>gmake
>gmake install
>
>-----------------------
>Heimdal-0.7 Kerberos
>-----------------------
>env CC="gcc -D_LINUX_SOURCE_COMPAT -D_THREAD_SAFE" \
>../configure --prefix=/usr/local/heimdal-krb5 \
>--prefix=/usr/local/heimdal-krb5 \
>--with-openldap=/usr/local/openldap \
>--with-openldap-lib=/usr/local/openldap/lib \
>--with-openssl=/usr/local/ssl \
>--with-openssl-lib=/usr/local/ssl/lib \
>--with-openssl-include=/usr/local/ssl/include \
>--enable-shared=no --enable-static=yes
>
>gmake
>gmake install
>
>Enable AIO:
>AIO support is installed in this package. If you have problems starting Samba,
>try the following:
>
>    $ lsdev -Cc posix_aio
>    posix_aio0 Available  Posix Asynchronous I/O
>
>If the above says "Defined" instead of "Available":
>
>    $ mkdev -l posix_aio0
>    posix_aio0 Available
>
>    $ chdev -l posix_aio0 -a autoconfig=available -P
>    posix_aio0 changed
>
>
>-----------------------
>Samba 3.0.21c
>-----------------------
>#!/bin/ksh -x
>
>export LIBPATH=/usr/lib:/usr/local/lib:/opt/freeware/lib
>
>env "CC=gcc" \
>CFLAGS="-DPAM_AUTHTOK_RECOVER_ERR=PAM_AUTHTOK_RECOVERY_ERR -DPAM_EXTERN=extern -D_LINUX_SOURCE_COMPAT" \
>CPPFLAGS="-I/usr/local/bdb/include -I/usr/local/ssl/include -I/usr/local/include -I/usr/local" \
>LDFLAGS="-L/usr/local/bdb/lib -L/usr/local/cyrus-sasl/lib -L/usr/local/ssl/lib -L/usr/local/openldap/lib -L/usr/local/lib /usr/local/lib/libiconv.a /usr/local/lib/libintl.a -liconv -L/usr/lib -lc" \
>../configure --prefix=/usr/local/samba --with-shared-modules=idmap_ad,idmap_rid --with-ads --with-ldap --with-pam --with-krb5=/usr/local/heimdal-krb5 --with-winbind --with-acl-support --with-utmp --with-quotas --with-sendfile-support --with-aio-support --enable-shared=yes --disable-static --with-libiconv=/usr/local
>
>/usr/local/bin/gmake
>exit
>/usr/local/bin/gmake install
>
>for i in WINBIND pam_winbind.so; do
>    if [ -f /usr/lib/security/$i ]; then
>        mv /usr/lib/security/$i /usr/lib/security/$i.old
>        chmod 555 nsswitch/$i
>        cp nsswitch/$i /usr/lib/security
>        rm /usr/lib/security/$i.old
>    else
>        cp nsswitch/$i /usr/lib/security
>    fi
>done
>
># Add to /usr/lib/security config file
>#* PAM:
>#*       program = /usr/lib/security/PAM
>#
>#WINBIND:
>#        program = /usr/lib/security/WINBIND
>#        options = authonly
>#*       options = auth=PAM,db=BUILTIN
>
>
>
>Changed in /etc/security/user for default:
>
>SYSTEM = "WINBIND OR WINBIND[FAILURE] AND compat"
>
>
>My smb.conf now looks like the following:
>
>[global]
>        workgroup = BCBSNC
>        realm = BCBSNC.COM
>        server string = User management Server
>        security = ADS
>        #idmap backend = rid:BCBSNC=100000-200000
>        #idmap backend = ad
>        password server = wdcmc01.bcbsnc.com
>        log level = 10
>        log file = /usr/local/samba/var/log.%m
>        max log size = 50
>        name resolve order = hosts wins lmhosts bcast
>        socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192
>        preferred master = No
>        local master = No
>        dns proxy = No
>        wins server = svcmc02, svcmc03
>        ldap ssl = no
>        idmap uid = 100000-200000
>        idmap gid = 100000-200000
>        template shell = /bin/ksh
>        template homedir = /home/%D/%U
>        winbind separator = +
>        winbind nested groups = Yes
>        winbind use default domain = Yes
>        aio read size = 1
>        aio write size = 1
>
>[homes]
>        root preexec = [ ! -e /home/%D/%U ] && { /bin/mkdir -p /home/%D/%U; /bin/chmod 750 /home/%D/%U; /bin/chown %D+%U:staff /home/%D/%U; }
>        path = /home/%D/%U
>        valid users = %D+%U
>        read only = No
>        browseable = No
>
>[public]
>        path = /usr/local/samba/public
>        valid users = "BCBSNC+domain users"
>        write list = "BCBSNC+domain users"
>        read only = No
>
>
>[home]
>
>        path = /home/%D/%u
>        valid users = %S
>        read only = No
>        browseable = No
>
>[samba]
>
>        path = /usr/local/samba
>        username = DOMAIN+mylogin
>        valid users = DOMAIN+mylogin
>
>
>My /usr/lib/security/methods.cfg:
>
>NIS:
>
>        program = /usr/lib/security/NIS
>        program_64 = /usr/lib/security/NIS_64
>
>DCE:
>
>        program = /usr/lib/security/DCE
>
>WINBIND:
>
>        program = /usr/lib/security/WINBIND
>        options = authonly
>*       options = auth=PAM,db=BUILTIN
>
>* PAM:
>*       program = /usr/lib/security/PAM
>
>Note: (I haven't had luck with pam either. It will not let me log in if I use
>it too)
>
>
>Enable LDAP (optional): -- I did not get this working other than I have an ldap server running with the schema, but getting
>samba to use it has not worked
>
>copied samba/source/example/LDAP/samba.schema to /usr/local/openldap/etc/openldap/schema folder
>Added to /usr/local/openldap/etc/slapd.conf:
>
># Samba required schemas
>include /usr/local/openldap/etc/openldap/cosine.schema
>include /usr/local/openldap/etc/openldap/inetorgperson.schema
>include /usr/local/openldap/etc/openldap/nis.schema
>include /usr/local/openldap/etc/openldap/samba.schema
>
>#######################################################################
># BDB database definitions
>#######################################################################
>database bdb
>suffix "dc=BCBSNC,dc=COM"
>rootdn "cn=Manager,dc=BCBSNC,dc=COM"
># Cleartext passwords, especially for the rootdn, should
># be avoid. See slappasswd(8) and slapd.conf(5) for details.
># Use of strong authentication encouraged.
>rootpw tI1lfp4Ld@p
># The database directory MUST exist prior to running slapd AND
># should only be accessible by the slapd and slap tools.
># Mode 700 recommended.
>directory /usr/local/openldap/var/openldap-data
>#######################################################################
># Cache
>#######################################################################
># dbcachesize if database is ldbm instead of bdb
>cachesize 40000
># dbcachesize 60000000
>checkpoint 512 720
>#######################################################################
># Samba Indexes
>#######################################################################
>index objectClass eq
>index cn,sn,uid,displayName pres,sub,eq
>index uidNumber,gidNumber eq
>index sambaSID eq
>index sambaPrimaryGroupSID eq
>index objectClass pres,eq
>index sambaDomainName eq
>index rid,primaryGroupID eq
>index default sub
>
>access to *
>        by self write
>        by * read
>
>Made directory /usr/local/openldap/var/openldap-data and set chmod 700
>
>
>Ran /usr/local/openldap/sbin/slapindex -f slapd.conf
>Note: {SSHA}2EgvAmD9a6etIIroRCnXmH9HESpnfFa0
>
>
>#!/bin/ksh
>
>#mkssys -s smbd -G smb -p /usr/local/samba/sbin/smbd -u 0 -a "-F" -R -S -n 15 -f 3
>#mkssys -s nmbd -G smb -p /usr/local/samba/sbin/nmbd -u 0 -a "-F" -R -S -n 15 -f 3
>#mkssys -s winbindd -G smb -p /usr/local/samba/sbin/winbindd -u 0 -a "-F" -R -S -n 15 -f 3
>
>case "$1" in
>    start)
>        /usr/local/samba/sbin/nmbd -D
>        /usr/local/samba/sbin/winbindd -B
>        /usr/local/samba/sbin/smbd -D
>
>        #startsrc -s nmbd
>        #startsrc -s winbindd
>        #startsrc -s smbd
>        ;;
>    stop)
>        for daemon in smbd winbindd nmbd; do
>            pid=`ps -ef | grep -v grep | grep /usr/local/samba/sbin/$daemon | awk '{ print $2 }'`
>            if [ ! -z "$pid" ]; then
>                echo "kill pid: $pid"
>                kill $pid
>            else
>                echo "Daemon $daemon is not running..."
>            fi
>        done
>
>        #stopsrc -s smbd
>        #stopsrc -s winbindd
>        #stopsrc -s nmbd
>
>        ;;
>    status)
>        for daemon in smbd winbindd nmbd; do
>            pid=`ps -ef | grep -v grep | grep /usr/local/samba/sbin/$daemon | awk '{ print $2 }'`
>            if [ ! -z "$pid" ]; then
>                echo "Daemon $daemon is running..."
>            else
>                echo "Daemon $daemon is not running..."
>            fi
>        done
>        ;;
>
>    *)  echo "$0 <stop|start|status>"
>        ;;
>esac
>
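
The slapd.conf fragment in the attachment keeps a cleartext rootpw directly under the stock comment advising against it, and its only ACL is "access to * by self write by * read", which leaves userPassword and the Samba password-hash attributes readable by any client. The check below for both conditions is an added example, not part of the attachment or of Samba/OpenLDAP; the function name audit_slapd_conf, the finding labels and both sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint slapd.conf for a cleartext rootpw and an unshielded catch-all read ACL.
# audit_slapd_conf FILE: prints one finding per line; exit status 1 if any.
audit_slapd_conf() {
    awk '
        /^[ \t]*#/ { next }                      # skip comment lines
        # A rootpw value without a {SCHEME} prefix is stored in cleartext.
        $1 == "rootpw" && $2 !~ /^[{][A-Za-z0-9-]+[}]/ {
            print "line " NR ": CLEARTEXT_ROOTPW"; bad = 1
        }
        # Remember the current ACL target; "by" clauses may sit on
        # indented continuation lines. ACLs are first-match, so an earlier
        # rule on userPassword shields it from a later "access to *".
        $1 == "access" && $2 == "to" {
            target = $3
            if ($3 ~ /userPassword/) shielded = 1
        }
        /^[^ \t]/ && $1 != "access" { target = "" }
        target == "*" && !shielded {
            for (i = 1; i <= NF - 2; i++)
                if ($i == "by" && $(i + 1) == "*" && $(i + 2) ~ /^(read|write)$/) {
                    print "line " NR ": PASSWORD_ATTRS_WORLD_READABLE"; bad = 1
                }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample files (placeholder values, not the attachment's).
weak=$(mktemp); fixed=$(mktemp)
cat > "$weak" <<'EOF'
rootdn "cn=Manager,dc=example,dc=com"
rootpw PLACEHOLDER-cleartext
access to *
    by self write
    by * read
EOF
cat > "$fixed" <<'EOF'
rootdn "cn=Manager,dc=example,dc=com"
rootpw {SSHA}PLACEHOLDER-output-of-slappasswd
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
    by self write
    by anonymous auth
    by * none
access to *
    by self write
    by * read
EOF
audit_slapd_conf "$weak" || true     # reports both findings
audit_slapd_conf "$fixed" && echo "fixed: no findings"
```

To check the file from the attachment, call audit_slapd_conf /usr/local/openldap/etc/slapd.conf; a non-zero exit status means at least one finding was printed.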