Installing a test server
Prev Compile grade Samba settings Next

Installing a test server

  1. Installing the machine

    We have unattended installs that create a Debian Lenny with accounts, firewalling, logging, yada yada yada. We run such an install on a virtual machine.

  2. Creating a filesystem for Samba to export

    We use XFS under Samba, and on this test machine, we steal /srv, and convert it to XFS...

    admin@testserver:~$ sudo umount /srv
    admin@testserver:~$ sudo apt-get install xfsprogs dmsetup
    admin@testserver:~$ sudo sed -i -s '/\/srv/ { s%/srv%/lwphome% ; s%ext3%xfs% ; s%defaults%relatime,uquota,pquota% }' /etc/fstab
    admin@testserver:~$ grep xfs /etc/fstab
    /dev/mapper/lwp17-lvsrv /lwphome            xfs    relatime,uquota,pquota        0       2
    admin@testserver:~$  sudo mkfs.xfs -f /dev/mapper/lwp17-lvsrv
    meta-data=/dev/mapper/lwp17-lvsrv isize=256    agcount=4, agsize=156160 blks
    =                       sectsz=512   attr=2
    data     =                       bsize=4096   blocks=624640, imaxpct=25
    =                       sunit=0      swidth=0 blks
    naming   =version 2              bsize=4096
    log      =internal log           bsize=4096   blocks=2560, version=2
    =                       sectsz=512   sunit=0 blks, lazy-count=0
    realtime =none                   extsz=4096   blocks=0, rtextents=0
    admin@testserver:~$ sudo mkdir /lwphome
    admin@testserver:~$ sudo  mount -a

  3. Adding the backports repository

    Since our new Samba will have to come from the backports repository, we'll add that:

    admin@testserver:~$ sudo apt-get update
    admin@testserver:~$ sudo apt-get dist-upgrade
    admin@testserver:~$ sudo sh -c 'echo "deb http://www.backports.org/debian lenny-backports main contrib non-free" > /etc/apt/sources.list.d/lenny-backports.list'
    admin@testserver:~$ sudo apt-get install debian-backports-keyring
    admin@testserver:~$ apt-get update
    admin@testserver:~$ sudo apt-get dist-upgrade

    At this point, no packages should be listed for upgrade, as the default version is still lenny, not lenny-backports

  4. Installing Samba

    admin@testserver:~$ sudo apt-get install samba -t lenny-backports

  5. Configuring Samba for use with the LDAP server

    1. Copying Samba settings

      We copy the smb.conf of to /etc/samba/smb.conf, and run testparm on it for good measure. Then we restart the Samba server:

      admin@testserver:~$ sudo /etc/init.d/samba restart

    2. Making getent work on the server

      In order for the Samba server to work, the account the Samba clients use to log in with must be known as system users on the server. So getent must resolve them. We install the packages:

      admin@testserver:~$ sudo DEBIAN_FRONTEND=noninteractive apt-get --yes install libpam-ldap libpam-ccreds libnss-ldap libnss-db ca-certificates nss-updatedb

      ... configure /etc/nsswitch.conf: 

        <snip>
passwd:         files db
group:          files db
shadow:         files ldap
  <snip>

      ... configure /etc/ldap/ldap.conf: 

      SIZELIMIT   0
TIMELIMIT   0
URI         ldaps://ldapserver.mydomain.com
BASE        ou=my,o=domain,c=nl
TLS_CACERT  /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT allow

      ... configure /etc/libnss-ldap.conf: 

      debug 10
uri ldaps://ldapserver.mydomain.com
ldap_version 3
bind_policy soft
timelimit 10
bind_timelimit 6
ssl on
tls_checkpeer no
tls_cacertfile /etc/ssl/certs/ca-certificates.crt
base ou=my,o=domain,c=nl
scope sub
binddn cn=accounter,ou=my,o=domain,c=nl
bindpw verysecretofcourse
pam_login_attribute uid
pam_password md5
pam_min_uid 70000
pam_max_uid 9999999999

      ... update the credentials cache:

      admin@testserver:!$ sudo /usr/sbin/nss_updatedb ldap > /dev/null 2>&1

      ... and test whether it works (it does):

      admin@testserver:~$ getent passwd p217811
            p217811:*:10217811:10217811:p217811:/home/p217811:/bin/bash

  6. Enabling LDAP lookup of Samba accounts

    In /etc/samba/smb.conf, set ldap ssl to no: 

    <snip>
ldap ssl = no
passdb backend = ldapsam:ldaps://ldapserver.mydomain.com
<snip>

    This is necessary because the LDAP URI already specifies ldaps://, and with ldap ssl set to yes the Samba daemon will try to start the TLS layer twice, resulting in an error that would be harmless to the communication, but the Samba daemon drops the connection because of it anyway.

    ... now create /var/lib/samba/secrets.tdb by using:

    admin@testserver:~$ sudo smbpasswd -w verysupersecretpasswd

  7. Verify that your setup works

    user@remotemachine:~$ ssh -X username@sambaclient.mydomain.com
    user@sambaclient.mydomain.com's password:
    Linux cit-zb-39-116 2.6.31-20-generic #58-Ubuntu SMP Fri Mar 12 04:38:19 UTC 2010 x86_64
    <snip>

    user@sambaclient.mydomain.com:~$ mount|grep user
    //testserver.mydomain.com/user on /home/user type cifs (rw,mand)
    user@sambaclient.mydomain.com:~$

Prev Up Next
Installing a test client  Home  Smbd daemons contending for byte range lock on brlocks.tdb