
Debian, CUPS, Samba... Days of grief

Posted by lloyd on Tue 29 Nov 2005 at 13:22

I've studied the books, read the websites, posted for help -- followed the various recipes slavishly, but still, despite generous hints from forum responders, can't get simple peer-to-peer print and file sharing to work.

As a business owner if I can't get a handle on what should be a simple configuration issue I may have to abandon my plan of moving my business from MS to Debian Linux. I've been using Debian for over a year personally and love it. But I can't run a business when it takes days to install a simple mixed network and configure it.

Part of the problem is that nowhere have I found a source that gives me a simple overview, a clear step-by-step procedure, and diagnostics to zero in on the problems. Every source seems to say something different.

Here's what I'm trying to do:

Network

windowsA running MS 2000 Server
linuxA running Debian 2.6.8-2-k7 -- network printer HP PhotoSmart P1100
linuxB running Debian 2.6.8-2-k7

Users

Lloyd
Others once I get the hang of it

Goal

1. Access files from any machine on the LAN from any other
2. Copy files from any machine on the LAN to any other
3. Print to the network printer from any machine on the LAN

Diagnosis

In many different configurations I've met one or another of my goals but never all three at the same time. I simply can't tell which configuration steps result in success, so I get one thing working, change config to get something else working, break the first thing that I got working without understanding how to fix it again.

Overview

My understanding of the process -- and some of my uncertainties

1) Install hpijs drivers on linuxA (And ghostscript? foomatic? ...)
1) Configure cupsd.conf
2) Configure smb.conf
3) Create Linux users using adduser
4) Create smb users using smbpasswd (Same names as Linux users? Same or different passwords?)
5) Let CUPS know about smb users with cupsaddsmb (Same entries as step 4?)
6) Transfer Windows driver for PhotoSmart to linuxA (Some recommend using driver for Postscript printer such as Apple Laserwriter???)
7) Restart CUPS and Samba

My CUPS configuration

ServerName linuxA
AccessLog /var/log/cups/access_log
ErrorLog /var/log/cups/error_log
PrintCap /var/run/cups/printcap
User lp
Group lpadmin
Port 631
Browsing On
BrowseProtocols = cups
BrowseAddress = @LOCAL
BrowseAllow = @LOCAL

I'm not quite sure how location /, location /jobs, and location /admin should be configured for best security.

my smb.conf configuration

[global]
load printers = yes
printing = cups
printcap name = cups

[printers]
comment = All Printers
path = /var/spool/samba
browsable = no
public = yes
guest ok = yes
writable = no
printable = yes
printer admin = root

[print$]
comment = Printer Drivers
path = /etc/samba/drivers
browsable = yes
guest ok = no
read only = yes
write list = root

Also, all sources mention security, but give very little information on how I can evaluate my configuration for security risks and plug them.

What am I missing? What controls what? How does anybody master this stuff without six months of study and experimentation? Why does it have to be this way?

Many thanks,

Lloyd

Re: Debian, CUPS, Samba... Days of grief
Posted by Anonymous (67.79.xx.xx) on Tue 29 Nov 2005 at 14:00
For 'simple setup', have you tried webmin? It might help.


Re: Debian, CUPS, Samba... Days of grief
Posted by TedKotz (63.109.xx.xx) on Tue 29 Nov 2005 at 15:02
This needs to be approached as two separate tasks: first make sure printing is working on the Linux box, then worry about getting Samba to share it with Windows.

Setting up the printer.
1. Make sure you have all the printer packages you need installed on linuxA.

aptitude install cupsys cupsys-bsd hpijs

2. make sure cupsd.conf is properly configured. Your settings seem fine.

3. restart cups

/etc/init.d/cupsys restart

4. web browse to http://localhost:631/

5. you should see a web interface, with a printers tab. click the printer tab.
It might ask for your root username and password.

6. click add a printer and follow the wizard. Print a testpage if you like.

7. after adding the printer, run lpq to see that the printer is listed.

lpq

8. you should now be able to print.

lpr testfile.txt

Setting up samba
1. Install all needed packages.

aptitude install samba swat

2. web browse to http://localhost:901/

3. you should see the swat web interface for configuring samba. samba configuration depends heavily on how you plan to use it. swat makes it much easier.

4. you should make sure in the printer tab it is set to use cups.

5. restart all in the status tab.

6. if you go back to the printers tab it should list your printer.

7. windows machines should now be able to see it.

good luck


Re: Debian, CUPS, Samba... Days of grief
Posted by Anonymous (150.135.xx.xx) on Sun 14 May 2006 at 22:41
Excellent response. Worked for me as well. Thank you.


Re: Debian, CUPS, Samba... Days of grief
Posted by Eirik (129.177.xx.xx) on Tue 29 Nov 2005 at 15:12
Part of the problem is that nowhere have I found a source that gives me a simple overview, a clear step-by-step procedure, and diagnostics to zero in on the problems. Every source seems to say something different.

I'm not surprised -- while setting this up in a heterogeneous environment can seem simple, the truth of the matter is rather complex, and can still be daunting, even when you've done it several times before.

Here's what I'm trying to do:

You have one Windows computer (Windows A) running MS 2000 Server. Is it set up as an active domain controller? Normally this is how you would set it up -- either explicitly or by installing Microsoft Small Business Server. I'll assume you're using workgroup security, then I'll revisit domain security later.

You have two Debian/Sarge systems (LinuxA and LinuxB) and want to share a HP PhotoSmart P1100 printer, connected to LinuxA.

You currently want the user Lloyd to have access to the printer from all 3 computers, and to have access to fileshares on all 3 machines.

In order for this to work, you need to:

  • Set up the printer on LinuxA, and verify that local printing is working. Remember that CUPS comes with a web-configuration, accessible locally as http://localhost:631.
  • Allow access to the printer to other computers -- the easiest would be to use the ipp-protocol -- this can be done using cups only, and is not dependent on Samba. Share the printer via ipp in CUPS, and connect to it via CUPS/ipp from LinuxB and ipp from WindowsA. Have a look at http://www.owlfish.com/thoughts/winipp-cups-2003-07-20.html.
  • Allow access to some folder on LinuxA via Samba. Use security=user, and follow samba docs. Verify that you can access the files from the Windows computer.
  • Setup will be identical on LinuxB
  • Allow access to a fileshare on the Windows 2000 server. How to do this is dependent on your setup -- if you've previously used workgroup security this should be straightforward. In order to access these files from Linux you need to mount them with e.g.:
    mkdir /mnt/win
    mount -t smbfs -o username=Lloyd,workgroup=MyWorkGroup,rw //windowsA/share /mnt/win

If you have set up your Windows server as an Active Domain master, you'll be better off joining the Linux computers to the domain, and using the Windows machine to authenticate against. This has its own complexities, but basically you need to install samba on both machines, and then issue the command net ads join as root. There's a little more to it than that -- see the documentation at www.samba.org.

Note that Samba isn't designed to be used for ad-hoc filesharing. Usually you'll want to have one server with user files, that can be backed up easily.

Hope this gets you a little further.


Re: Debian, CUPS, Samba... Days of grief
Posted by Bauna (200.115.xx.xx) on Tue 29 Nov 2005 at 16:47
I'm going to try to explain my config.
1) Samba
#the name of the printer HAS TO be the same on cups
[stylus_color_740]
printing = cups
printable = yes
guest ok = yes
path = /var/spool/samba
#this is the MOST important setting
#you can configure a queue in CUPS with "raw driver" and configure the drivers on the windows boxes
use client driver = yes
[xerox_phaser_3120]
printing = cups
printable = yes
guest ok = yes
path = /var/spool/samba
use client driver = yes



2) CUPS
2.1) install foomatic-db, foomatic-db-gimp-print and foomatic-db-engine; these packages have almost all drivers
2.2) try some drivers (the recommended driver is not always the best option)
2.3) enable browsing for your intranet
example in :
# BrowseAddress: specifies a broadcast address to be used. By
# default browsing information is not sent!
#
# Note: HP-UX does not properly handle broadcast unless you have a
# Class A, B, C, or D netmask (i.e. no CIDR support).
#
# Note: Using the "global" broadcast address (255.255.255.255) will
# activate a Linux demand-dial link with the default configuration.
# If you have a LAN as well as the dial-up link, use the LAN's
# broadcast address.
#
# The @LOCAL address broadcasts to all non point-to-point interfaces.
# For example, if you have a LAN and a dial-up link, @LOCAL would
# send printer updates to the LAN but not to the dial-up link.
# Similarly, the @IF(name) address sends to the named network
# interface, e.g. @IF(eth0) under Linux. Interfaces are refreshed
# automatically (no more than once every 60 seconds), so they can
# be used on dynamically-configured interfaces, e.g. PPP, 802.11, etc.
#

#BrowseAddress x.y.z.255
#BrowseAddress x.y.255.255
#BrowseAddress x.255.255.255
#BrowseAddress 255.255.255.255
#BrowseAddress @LOCAL
BrowseAddress @IF(eth1)

#restrict access for intranet
<location />
Order Deny,Allow
Deny From All
Allow From 127.0.0.1
Allow From 192.168.3.*
</location>


I hope this works for you too.

Bauna
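
Lloyd's question about how to evaluate a configuration for security risks, and the <Location /> restriction Bauna posts above, can both be checked mechanically. The Python below is an added example, not code from any poster or from the Samba or CUPS projects: it flags guest-reachable Samba shares and CUPS Location blocks that lack a deny-by-default ACL or authentication. The sample inputs are built from fragments in this thread, the /admin block is constructed for illustration, and the finding codes and the policy they encode are this example's own assumptions.

```python
import configparser
import re

TRUE = {"yes", "true", "on", "1"}   # spellings Samba reads as "yes"

# Finding codes and the policy behind them are choices made for this example.
WHY = {
    "no-host-limit": "[global] has no 'hosts allow' or 'bind interfaces only'",
    "guest-print": "print queue accepts jobs without authentication",
    "guest-read": "share is readable without authentication",
    "guest-write": "share is writable without authentication",
    "open-acl": "no 'Deny From All' baseline, or 'Allow From All' present",
    "no-auth": "admin location has no AuthType",
}

# Constructed samples: Lloyd's smb.conf (abridged), Bauna's <Location /> block,
# and an invented /admin block that the audit should flag.
SMB_CONF = """
[global]
printing = cups
[printers]
path = /var/spool/samba
public = yes
guest ok = yes
writable = no
printable = yes
[print$]
path = /etc/samba/drivers
guest ok = no
read only = yes
write list = root
"""

CUPSD_CONF = """
<Location />
Order Deny,Allow
Deny From All
Allow From 127.0.0.1
Allow From 192.168.3.*
</Location>
<Location /admin>
Order Deny,Allow
Allow From All
</Location>
"""


def _yes(section, *names):
    """True if any of the synonymous smb.conf parameters is switched on."""
    return any(section.get(n, "").strip().lower() in TRUE for n in names)


def audit_smb(text):
    """Return (section, code) findings for smb.conf text."""
    cp = configparser.ConfigParser(
        interpolation=None, strict=False, delimiters=("=",),
        comment_prefixes=("#", ";"), default_section="__unused__")
    # Strip indentation so configparser does not treat it as continuation.
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    glob = cp["global"] if cp.has_section("global") else {}
    findings = []
    if "hosts allow" not in glob and not _yes(glob, "bind interfaces only"):
        findings.append(("global", "no-host-limit"))
    for name in cp.sections():
        share = cp[name]
        if name == "global" or not _yes(share, "guest ok", "public"):
            continue
        # "writable = yes" is the inverse spelling of "read only = no".
        writable = (_yes(share, "writable", "writeable", "write ok")
                    or share.get("read only", "yes").strip().lower() not in TRUE)
        if _yes(share, "printable", "print ok"):
            findings.append((name, "guest-print"))
        else:
            findings.append((name, "guest-write" if writable else "guest-read"))
    return findings


def audit_cups(text):
    """Return (location, code) findings for cupsd.conf text."""
    findings, path, rules = [], None, []
    for raw in text.splitlines():
        # Drop comments, lowercase, and collapse runs of whitespace.
        line = " ".join(raw.split("#", 1)[0].lower().split())
        opened = re.fullmatch(r"<location (\S+) ?>", line)
        if opened:
            path, rules = opened.group(1), []
        elif line == "</location>" and path is not None:
            if "allow from all" in rules or "deny from all" not in rules:
                findings.append((path, "open-acl"))
            if path.startswith("/admin") and not any(
                    r.startswith("authtype ") and r != "authtype none"
                    for r in rules):
                findings.append((path, "no-auth"))
            path = None
        elif path is not None and line:
            rules.append(line)
    return findings


if __name__ == "__main__":
    for where, code in audit_smb(SMB_CONF) + audit_cups(CUPSD_CONF):
        print(f"{where}: {code}: {WHY[code]}")
```

On these samples the [printers] share is reported because both public and guest ok are on, [print$] passes, and Bauna's <Location /> block passes while the constructed /admin block is reported twice.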


Re: Debian, CUPS, Samba... Days of grief
Posted by Anonymous (61.11.xx.xx) on Wed 30 Nov 2005 at 03:45
Is samba really needed? If you have cupsd running on linuxA, can't you just access it by setting the network printer on windowsA to ipp://something (I can't remember the details, but that's how I've done it years ago (heh, which is why I've forgotten all about it - fit and forget - but samba was not needed just for cups)).

For other linux boxen (eg linuxB) you have cups client configured to work with cupsd.

I'll look it up later on my lan and give details.

Also, (to Lloyd) have you considered hiring a debian geek to fix it up for you and show you the ropes? That's the next step if you can't figure it out after all this.

Failing that, ubuntu breezy is probably a no-brainer for this sort of thing.

all the best
PJ


Re: Debian, CUPS, Samba... Days of grief
Posted by Anonymous (194.66.xx.xx) on Wed 30 Nov 2005 at 17:37
Samba is not necessary. Setup a raw queue on linuxA in cups. For an example see http://www.owlfish.com/thoughts/winipp-cups-2003-07-20.html
(get the permissions correct in /etc/cups/cupsd.conf).

Then create a windows network printer using:
ipp://linuxA:631/printers/[raw queue name]

Hope that helps.
Andy.


Re: Debian, CUPS, Samba... Days of grief
Posted by Anonymous (130.83.xx.xx) on Thu 31 Aug 2006 at 08:05
If you have Windows 95 it is maybe easier to use a samba shared printer than to install the ipp package for Win 95 ...


Re: Debian, CUPS, Samba... Days of grief
Posted by Anonymous (83.98.xx.xx) on Tue 6 Dec 2005 at 21:35
Here is the complete solution you want to run.

It covers: Kernel CIFS + Extended Attributes, Samba, LDAP, smbldap-tools, CUPS, Recycle-bin, virusscanner, use of NT4 Usermanager, PHPLdapAdmin, Privileges for better management.
I only compiled samba-vscan; the other packages are all in stable.
I also use ldapadmin (ldapadmin.sf.net)

I made this howto for my company.

Give me an email if you liked it, made improvements or have suggestions.

Greetz,

thcnbl@rushcompany.com


INDEX

1 Checking the kernel or compile your own kernel
1.1 Preparing apt configuration
1.2 Preparing the kernel
1.3 setup the /etc/fstab
1.4 final touch, lilo (or grub)
2 Pre-installation of the debian packages
2.1 Samba and Ldap
2.2 basic rights setup for samba
2.3 why this rights setup.
3 LDAP Server configuration
4 installation/configuration libnss, libpam (-ldap)
5 Samba and smbldap-tools Configuration
5.1 smbldap-tools installation/configuration
5.2 setting up samba base config
5.3 Configuring smbldap.conf
5.4 set the samba ldap admin password
5.5 Samba PRIVILEGES Setup
6 CUPS - Printer software
6.1 Setup Cups
6.2 Setup Cups PDF Printer. - Creating a PDF Printer
7 Configuring phpldapadmin
7.1 installation of phpldapadmin ( and apache )
8.0 On-Access virus scanning on samba (samba-clamav)
8.1 Installing ClamAV
8.2 get the sources ( samba & samba-vscan )
9.0 Recycle bin on samba
9.1 Recycle bin configuration
Appendix 1 (complex samba-access.conf ) SETUP WITH DSA USERS
Appendix 2 APT
2.1 APT HOWTO
2.2 Files from /etc/apt
2.2.1 /etc/apt/apt.conf
2.2.2 /etc/apt/preferences




1 Checking the kernel or compile your own kernel
1.1 Preparing apt configuration

For this go check out my apt howto.

If your apt config is set up right, follow the steps below.

ncurses interface for compiling the kernel
apt-get install libncurses5-dev

get the kernel source
apt-get install kernel-source-2.6.8 kernel-package

install the right kernel and activate EXT2/3 + Extended attributes
and set up CIFS support in the kernel.

1.2 Preparing the kernel
apt-get install kernel-source-2.6.8 kernel-package fakeroot libc6-dev libncurses5-dev

cd /usr/src
tar -jxf kernel-source-2.6.8.tar.bz2
# make /usr/src/linux point at the unpacked source tree
ln -s /usr/src/kernel-source-2.6.8 /usr/src/linux
cp /boot/config-2.6.8-2-* /usr/src/linux/.config
cd linux
make menuconfig
  - File systems - Ext2/3 + extended options
  - File systems - Miscellaneous filesystems - CramFS
  - File systems - Network File Systems - CIFS support + extended Attributes

now create the kernel and install it.

fakeroot make-kpkg --append-to-version=-mykernel --initrd kernel_image

This creates a file kernel-image-2.6.8.custom.1.0_i386.deb under /usr/src

dpkg -i kernel-image-2.6.8.custom.1.0_i386.deb to install the kernel

1.3 setup the /etc/fstab

/etc/fstab : add the acl and user_xattr to the right partition

/dev/xxx /home ext3 defaults,acl,user_xattr

I use /home/samba for the samba environment.
All the needed samba directories will be put here. !!
This is important !

1.4 final touch, lilo (or grub)

lilo and reboot, login and do 'uname -a' and you will see a line like this.
Linux ms249-lin-001 2.6.8-mykernel #1 Wed Jun 1 15:03:47 CEST 2005 i686

Your server is now ready for samba 3.
2 Pre-installation of the debian packages
2.1 Samba and Ldap

apt-get install slapd samba libsasl2-modules sasl2-bin openssl \
db4.2-util ldap-utils samba-doc libxml-parser-perl libauthen-sasl-perl

Configuring slapd
set a DNS name - internal.yourdomain.tld
- Give it a name/description
- set that admin password for the ldap manager
( cn=admin,dc=internal,dc=yourdomain,dc=tld )
- Allow LDAPv2 protocol? yes

Configure samba
set a domain name DOMAIN
Use password encryption? Yes
Modify smb.conf to use WINS settings from DHCP? No
How do you want to run Samba? Daemons
Create samba password database, /var/lib/samba/passdb.tdb? No !!!
else you will end up with lots of users from debian in this password file and you don't want that.

Setup samba.schema file for ldap
zcat /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz > /etc/ldap/schema/samba.schema

In this setup I use /home/samba for the samba environment.
i use these directories.
/home/samba skel,data,profiles,netlogon,printers,spool
/home/users/ username

2.2 basic rights setup for samba

/home/samba            777   Administrator:Domain Admins
/home/samba/spool      777   Administrator:Domain Admins
/home/samba/printers   775   Administrator:Domain Admins
/home/samba/profiles   777   Administrator:Domain Admins
/home/samba/netlogon   775   Administrator:Domain Admins
/home/samba/data       775   Administrator:Domain Admins
/home/samba/temp       777   Administrator:Domain Admins
/home/samba/tools      755   Administrator:Domain Admins
/home/samba/skel       755   Administrator:Domain Admins


2.3 why this rights setup.

1 Administrator can create in complete samba environment.
2 In data directories my users are not allowed to create sub dir's, I create one for the department, and set rights to that department, from that point they can create directories.
3 Profiles 777, in the samba config is a parameter defined
  valid users = %u @"Domain Administrators"
  Only the user and administrator can access the user profile directories.
  create mask and directory mask make sure rights are set primary to the user.

3 LDAP Server configuration

Configure slapd.conf, but first stop the slapd server ( /etc/init.d/slapd stop )

Create ldap certificates for ssl support
mkdir /etc/ldap/tls

## self signed certificate
openssl req -newkey rsa:1024 -x509 -nodes -out ldap-server.pem -keyout ldap-server.pem -days 3650
( where Common Name = ldap.yourdomain.tld )

edit /etc/ldap/slapd.conf
put these below the other line, the order of schema files must be correct.
insert the line "include /etc/ldap/schema/samba.schema"

add these line before the database definition
TLSCACertificateFile /etc/ldap/ssl/ldap-server.pem
TLSCertificateFile /etc/ldap/ssl/ldap-server.pem
TLSCertificateKeyFile /etc/ldap/ssl/ldap-server.pem

Now its time for the ldap database configuration for samba

example of the /etc/slapd.conf ( database 1 configuration )

#######################################################################
# Specific Directives for database #1, of type bdb:
# Database specific directives apply to this database until another
# 'database' directive occurs
database bdb

# The base of your directory in database #1
suffix "dc=internal,dc=yourdomain,dc=tld"

rootdn "cn=admin,dc=internal,dc=yourdomain,dc=tld"
rootpw {MD5}fsadsdafasfaewfw

## create the rootpw
## echo rootpw `slappasswd -h {Md5}` >> /etc/ldap/slapd.conf

# Where the database file are physically stored for database #1
directory "/var/lib/ldap"

# Indexing options for database #1
### !!!!! Always run slapindex(8) after changing indices!!!!!!
### and first STOP the LDAP SERVER ( /etc/init.d/slapd stop )
index objectClass,uidNumber,gidNumber eq
index cn,sn,uid,displayName pres,eq,sub
index memberUid,mail,givenname eq,subinitial
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
## default index
index default eq

# Save the time that the entry gets modified, for database #1
lastmod on

# Where to store the replica logs for database #1
replogfile /var/lib/ldap/replog
# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
access to attrs=userPassword
        by dn="cn=admin,dc=internal,dc=yourdomain,dc=tld" write
        by anonymous auth
        by self write
        by * none


# Ensure read access to the base for things like
# supportedSASLMechanisms. Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possible other things) to work
# happily.
access to dn.base="" by * read

# The admin dn has full write access, everyone else
# can read everything.
access to *
        by dn="cn=admin,dc=internal,dc=yourdomain,dc=tld" write
        by * read

# samba access list
include /etc/ldap/samba-access.conf

Example of the /etc/samba-access.conf ( database 1 configuration )

### OLD Samba no DSA users used
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
        by dn="cn=admin,dc=internal,dc=yourdomain,dc=tld" write
        by anonymous auth
        by self write
        by * none

access to attrs=loginShell
        by dn="cn=admin,dc=internal,dc=yourdomain,dc=tld" write
        by * none

access to attrs=description,telephoneNumber,roomNumber,homePhone,gecos,cn,sn,givenname
        by dn="cn=admin,dc=internal,dc=yourdomain,dc=tld" write
        by self write
        by * read


See appendix 1 if you want a more secure ldap database.
!! this setup does not help you to setting this up. !!

run slapindex
and start the slapd server
/etc/init.d/slapd start
4 installation/configuration libnss, libpam (-ldap)

apt-get install libnss-ldap libpam-ldap

Configuring libnss-ldap
define the host
127.0.0.1
distinguished name of the search base
dc=internal,dc=yourdomain,dc=tld

LDAP version to use
3
database requires login
No
Make configuration readable/writeable by owner only
No

Configuring libpam-ldap
Make local root Database admin.
Yes
Database requires logging in.
No
Root login account
cn=admin,dc=internal,dc=yourdomain,dc=tld
set your password
( same as above for admin )

Local crypt to use when changing passwords
exop

Configure nsswitch
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd: compat ldap
group: compat ldap
shadow: compat ldap

hosts: files dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis


Now test the server
ldapsearch -x -D "cn=admin,dc=internal,dc=yourdomain,dc=tld" -W
(enter the password)
if you see
result: 0 Success

for now this is ok.
5 Samba and smbldap-tools Configuration

5.1 smbldap-tools installation/configuration

apt-get install smbldap-tools

copy the default config from the example directory.
cp /usr/share/doc/smbldap-tools/examples/smbldap_bind.conf /etc/smbldap-tools/

cp /usr/share/doc/smbldap-tools/examples/smbldap.conf.gz /etc/smbldap-tools/
cd /etc/smbldap-tools
gunzip smbldap.conf.gz

first the easy part.

in /etc/smbldap-tools/smbldap_bind.conf
change this to admin
slaveDN="cn=admin,dc=internal,dc=yourdomain,dc=tld"
slavePw="Yourpassword"
masterDN="cn=admin,dc=internal,dc=yourdomain,dc=tld"
masterPw="Yourpassword"

5.2 setting up samba base config

start with the default config
cd /etc/samba
cp /usr/share/doc/smbldap-tools/examples/smb.conf.gz /etc/samba
gunzip smb.conf.gz

change the config to your needs
some tips using samba on a firewalled system
use the following setting, here eth0 is the internal side

interfaces = eth0 lo
bind interfaces only = yes

change the binary location from /opt/..
to /usr/sbin/smbldap-....
the smbldap-tools are installed by debian in /usr/sbin

also in this setup /home/. must be changed to /home/samba/.
This will save you a lot of troubles with rights.


5.3 Configuring smbldap.conf

first we need to get some samba info

net getlocalsid

SID for domain SERVERNAME is: S-1-5-21-2074673303-3377769770-2933042573
change the SID in smbldap.conf to your SID.


change the suffix to your suffix (dc=internal,dc=yourdomain,dc=tld)
change the hash_encryption to MD5
change userLoginShell="bin/nologin"
and you nologin, because I'm configuring ldap for samba only.
set the home directory ( in my case /home/users/%U )
set the other to your needs.


5.4 set the samba ldap admin password

smbpasswd -w ldapadmin_password
Setting stored password for "cn=admin,dc=internal,dc=yourdomain,dc=tld" in secrets.tdb

now we go fill the ldap database with the base setup.

smbldap-populate -a Administrator -b nobody -u 2000 -g 2000

users are created with uid => 2000
groups are created with gid => 2000


!!!! DO NOT RUN THIS IF YOU ALREADY CREATED USERS. YOUR UID/GID's WILL GET MESSED UP.

smbpasswd -a root
because root is needed for setting up the Privileges.

Now set the Administrator password and enable this user
smbldap-passwd Administrator
smbldap-usermod -J Administrator

Let the server join the domain.
net join -S SERVERNAME -U Administrator

5.5 Samba PRIVILEGES Setup

First check your rights and get to know the commands.

net rpc rights list accounts    ( list users )
net rpc rights list             ( list defined rights )

to see what rights are defined and for which users/groups

IF you use a PDC/BDC setup these commands must be done on both servers!!

test these commands:

net rpc group
(output)
Domain Admins
Domain Users
Domain Guests
Domain Computers

or


slapcat | grep Group | grep dn

(output)
dn: ou=Groups,dc=internal,dc=yourdomain,dc=tld
dn: cn=Domain Admins,ou=Groups,dc=internal,dc=yourdomain,dc=tld
dn: cn=Domain Users,ou=Groups,dc=internal,dc=yourdomain,dc=tld
dn: cn=Domain Guests,ou=Groups,dc=internal,dc=yourdomain,dc=tld
dn: cn=Domain Computers,ou=Groups,dc=internal,dc=yourdomain,dc=tld
dn: cn=Administrators,ou=Groups,dc=internal,dc=yourdomain,dc=tld
dn: cn=Print Operators,ou=Groups,dc=internal,dc=yourdomain,dc=tld
dn: cn=Backup Operators,ou=Groups,dc=internal,dc=yourdomain,dc=tld
dn: cn=Replicators,ou=Groups,dc=internal,dc=yourdomain,dc=tld


these are the privileges on samba 3.0.14a ( debian )

Privilege                    Description
SeMachineAccountPrivilege    Add machines to domain
SePrintOperatorPrivilege     Manage printers
SeAddUsersPrivilege          Add users and groups to the domain
SeRemoteShutdownPrivilege    Force shutdown from a remote system
SeDiskOperatorPrivilege      Manage disk share


give the "Domain Admins" all of the SE Rights.
( -S Servername -U Username%Password )

net -S PDC -U root%Password rpc rights grant "DOMAIN\Domain Admins" \
SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege \
SeDiskOperatorPrivilege SeRemoteShutdownPrivilege


Give the "Printer Operators" all Print manage rights.
( -S Servername -U Username%Password )

net -S PDC -U root%Password rpc rights grant "DOMAIN\Print Operators" \
SePrintOperatorPrivilege

6 CUPS - Printer software

apt-cache search cups ( to see which packages are available )

I installed these packages.
apt-get install cups-pdf cupsys cupsys-bsd cupsys-pt cupsys-client \
foomatic-bin foomatic-filters cupsys-driver-gimpprint gs-esp
( and dependencies )

Configuring cupsys-bsd
Do you want to set up the BSD lpd compatibility server? Yes
all others leave default.

6.1 Setup Cups /etc/cups/cups.conf

here locate the lines Allow From 127.0.0.1
and change it to your network so you can login on the cups web
interface.
for example:
Allow from 192.168.( this way I can manage it from 2 departments. )
(192.168.1.x and 168.192.2.x )

now you can logon on http://serverip:631/
make it safer to manage by adding a user to lpadmin group
and this user can create printer queues

I create printers with the following options.
socket://printerIPnumber:9100 ( for hp jetdirect ), Raw, Raw_queue

I only use cups as spooler for windows pc's and *nix servers.

First we are going to create 1 printer device and this is the CUPS PDF Printer.


6.2 Setup Cups PDF Printer. - Creating a PDF Printer

With this printer you can create PDF files by just printing to it.

- logon the web interface and choose add printer.
Name:pdf_printer
Location: %homedir%\cups-pdf
Description: pdf created in homedir\cups-pdf
Continue
- Device: Virtual Printer(PDF printer) choose it, its below,
Continue
- Choose the model/Driver for PDF_printer, Postscript,
Continue

click on manage printers to see what you have created.
click on Print Test Page to test the pdf printer.

a file is put in the cups-pdf directory of the user you logged on with.





7 Configuring phpldapadmin

7.1 installation of phpldapadmin ( and apache )

get the packages
apt-get install phpldapadmin php4 apache

What is your LDAP server host address? 127.0.0.1
( you the ip/hostname where the ldapserver is )

ldaps protocol instead of ldap? No

What is the distinguished name of the search base?
dc=internal,dc=yourdomain,dc=tld

Which type of authentication you want to use? session

What is the login dn for the LDAP server?
cn=admin,dc=internal,dc=yourdomain,dc=tld

Which web server would you like to reconfigure automatically?
select all and press OK.

restart webservers now: Yes

8.0 On-Access virus scanning on samba (samba-clamav)
8.1 Installing ClamAV

apt-get install clamav arj unzoo lha clamav-freshclam clamav-daemon
Configuring clamav-freshclam : Daemon
Choose a close mirror
Should clamd be notified after updates? Yes
8.2 get the sources ( samba & samba-vscan )

mkdir /usr/src/sources
cd /usr/src/sources

apt-get install dpkg-dev
apt-get source samba
apt-get build-dep samba

cd samba-3.0.14a
vi source/include/version.h

here remove the a from the 14 ( 3.0.14a => 3.0.14 )

./debian/rules configure-stamp
cd source
make proto
cd ../..

wget http://switch.dl.sourceforge.net/sourceforge/openantivirus/samba-vscan-0.3.6b.tar.bz2

tar xjvf samba-vscan-0.3.6b.tar.bz2

cd samba-vscan-0.3.6b
./configure --with-samba-source=/usr/src/sources/samba-3.0.14a/source
make && make install

cp clamav/vscan-clamav.conf /etc/samba/samba-vscan-clamav.conf
change in the samba-vscan-clamav.conf
clamd socket name = /var/run/clamav/clamd.ctl
infected file action = quarantine ( or delete , which I choose.)

When I put these lines in my smb.conf file, I can't access the share:
vfs object = vscan-clamav
vscan-clamav: config-file = /etc/samba/samba-vscan-clamav.conf

An example:
[public]
comment = Public Directory
path = /home/public
vfs object = vscan-clamav
vscan-clamav: config-file = /etc/samba/samba-vscan-clamav.conf

!!! BEWARE !!!! if samba upgrades to a higher version you MUST recompile
your samba-vscan. set samba to hold for no upgrade.

echo packagename hold | dpkg --set-selections       # set to hold
echo packagename install | dpkg --set-selections    # set to install

9.0 Recycle bin on samba
9.1 Recycle bin configuration

configure samba for using the recycle bin.
I made my manager happy with this.

create a file in /etc/samba
and fill it with the options below.

/etc/samba/samba-recycle.conf

name = .recycle
mode = KEEP_DIRECTORIES|VERSIONS|TOUCH
maxsize = 0
exclude = .tmp|.temp|.o|.obj|~$|.~??|~*.tmp
excludedir = /tmp|/temp|/cache
noversions = .doc|.xls|*.ppt

add this to your share, same as vscan.

vfs object = recycle
recycle: config-files = /etc/samba/samba-recycle.conf

create a recycle bin directory and hide it from the users.

I created .recycle this way ( because of the dot) users don't see this
IF.. you don't set your explorer to view hidden files.

restart samba and you're done.

You are ready to use your samba server.



Appendix 1 (complex samba-access.conf ) SETUP WITH DSA USERS
see http://www.idealx.org/prj/samba/smbldap-howto.en.html
#### users can authenticate and change their password
#access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
# by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
# by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
# by dn="cn=nssldap,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
# by self write
# by anonymous auth
# by * none
# some attributes need to be readable anonymously so that 'id user' can answer correctly
##access to attrs=objectClass,entry,homeDirectory,uid,uidNumber,gidNumber,memberUid
# by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
# by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
# by * read
# some attributes can be writable by users themselves
##access to attrs=description,telephoneNumber,roomNumber,homePhone,loginShell,gecos,cn,sn,givenname
# by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
# by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
# by self write
# by * read
## some attributes need to be writable for samba
#access to attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaMungedDial,sambaBadPasswordCount,sambaBadPasswordTime,sambaPasswordHistory,sambaLogonHours,sambaSID,sambaSIDList,sambaTrustFlags,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase,sambaShareName,sambaOptionName,sambaBoolOption,sambaIntegerOption,sambaStringOption,sambaStringListoption,sambaPrivilegeList
# by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
# by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
# by self read
# by * none
## samba need to be able to create the samba domain account
#access to dn.base="dc=internal,dc=yourdomain,dc=tld"
# by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
# by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
# by * none
## samba need to be able to create new users account
#access to dn="ou=Users,dc=internal,dc=yourdomain,dc=tld"
# by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
# by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
# by * none
## samba need to be able to create new groups account
#access to dn="ou=Groups,dc=internal,dc=yourdomain,dc=tld"
# by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
# by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
# by * none
## samba need to be able to create new computers account
#access to dn="ou=Computers,dc=internal,dc=yourdomain,dc=tld"
# by dn="cn=samba,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
# by dn="cn=smbldap-tools,ou=DSA,dc=internal,dc=yourdomain,dc=tld" write
# by * none
#
## this can be omitted but we leave it: there could be other branch
## in the directory
#access to *
# by self read
# by * none


Appendix 2 APT

2.1 APT HOWTO

Preparing apt for online packages.
After installing from CD or DVD adjust your apt config.

This setup makes sure you are using stable packages, that you are using
Debian Sarge.

In the apt.conf we defined the default release of Debian, in this case stable
(Sarge 3.1r0).
The Show-Upgraded "true" is used for showing us the packages which are going
to be installed; I like to see what I'm installing.

The sources.list: if you used a CD/DVD for installing, you can leave this
line in the sources.list. This can save you bandwidth. My server is in a
remote location and I don't use the CD anymore.
I added the clamav as stable because I want a new clamav for virus scanning;
more info: http://www.clamav.net/binary.html

The testing and unstable sources are also unmarked, so that if you really need
a newer version of a program then you can try to create it from Debian
source.

You can get the source, install programs and search by using the following
commands:

apt-get install package          = get & install package
apt-get remove package           = remove package
apt-get remove --purge package   = remove and purge all files of package
dpkg --purge package             = purge all files of package

apt-cache search package         = search for package or part of package name
apt-cache show package           = get info about package
dpkg-reconfigure -plow package   = reconfigure with priority low (most options)

For this, first cd /usr/src.
apt-get source package           = get source files of package

2.2 Files from /etc/apt

2.2.1 /etc/apt/apt.conf

APT::Default-Release "stable";
APT::Get::Show-Upgraded "true";
// 16 MB Limit
APT::Cache-limit 16777216;
// if you have /tmp mounted with noexec, you need this.
#DPkg::Pre-Install-Pkgs {"mount -o remount,exec /tmp";};
#DPkg::Post-Invoke {"mount -o remount /tmp";};



2.2.2 /etc/apt/preferences

Package: *
Pin: release a=stable
Pin-Priority: 990

Package: *
Pin: release a=testing
Pin-Priority: 500

Package: *
Pin: release a=unstable
Pin-Priority: 50

Package: *
Pin: release a=sarge,l=debian-volatile
Pin-Priority: 990













2.2.3 /etc/apt/sources.list

# See sources.list(5) for more information, especially
# Remember that you can only use http, ftp or file URIs
# CDROMs are managed through the apt-cdrom tool.
#-----------------------------------------------------------------
# We defined the PIN which sets the priority of packages selected
# see also the apt-howto
# http://www.debian.org/doc/manuals/apt-howto/index.en.html
# and a nice howto for apt-pinning for beginners.
# http://jaqque.sbih.org/kplug/apt-pinning.html
#-----------------------------------------------------------------
#-----------------------------------------------------------------
# Stable PIN 990 PRODUCTION TREE
deb ftp://ftp.nl.debian.org/debian stable main contrib non-free
deb-src ftp://ftp.nl.debian.org/debian stable main contrib non-free
deb http://http.us.debian.org/debian stable main contrib non-free
# Stable Security updates
deb http://security.debian.org/ stable/updates main contrib non-free
deb-src http://security.debian.org/ stable/updates main contrib non-free
#------------------------------------------------------------------
## Debian VOLATILE , used for clamav PINNED 990
deb http://ftp.nl.debian.org/debian-volatile sarge/volatile main
#-----------------------------------------------------------------
#-----------------------------------------------------------------
# WARNING USE BELOW AT OWN RISK
# Testing ( PIN 500 )
#deb ftp://ftp.nl.debian.org/debian testing main contrib non-free
#deb-src ftp://ftp.nl.debian.org/debian testing main contrib non-free
#deb http://http.us.debian.org/debian testing main contrib non-free
# Testing Security updates
#deb http://security.debian.org/ testing/updates main contrib non-free
#deb-src http://security.debian.org/ testing/updates main contrib non-free
#-----------------------------------------------------------------
#-----------------------------------------------------------------
# WARNING USE BELOW AT OWN RISK
# Unstable ( PIN 050 )
#deb ftp://ftp.nl.debian.org/debian unstable main contrib non-free
#deb-src http://ftp.nl.debian.org/debian unstable main contrib non-free
#deb http://http.us.debian.org/debian unstable main contrib non-free
# unstable Security updates
#deb http://security.debian.org/ unstable/updates main contrib non-free
#deb-src http://security.debian.org/ unstable/updates main contrib non-free
#-----------------------------------------------------------------
#-----------------------------------------------------------------
#### BACKPORTS to STABLE ( Debian Sarge 3.1r0 )
## Latest Samba from samba.org
#deb http://us4.samba.org/samba/ftp/Binary_Packages/Debian sarge samba
#deb-src http://us2.samba.org/samba/ftp/Binary_Packages/Debian sarge samba

#------------------------------------------------------------------
## MPEG/AVI addons +W32CODECS With MPlayer
#deb ftp://ftp.nerim.net/debian-marillat/ sarge main
#------------------------------------------------------------------
## www.dotdeb.org, updated php4/php5 mysql-41 mysql-50 qmail clamav etc etc.
## check the site for the packages list. if you want only 1 package ( preferred )
## change the line to #deb http://packages.dotdeb.org stable php5 for example
#deb http://packages.dotdeb.org stable all
#deb-src http://packages.dotdeb.org stable all
#------------------------------------------------------------------
## BootSplash ( does not work on every kernel ) www.bootsplash.de
## http://www.planamente.ch/emidio/pages/linux_howto_bootsplash.php
deb http://debian.bootsplash.de unstable main
deb-src http://debian.bootsplash.de unstable main


[ Parent ]
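
An added example, not part of the post above: a small audit of the sources.list and preferences files it quotes, listing each active (uncommented) source with the Pin-Priority its suite receives and flagging hosts outside debian.org. The function names are hypothetical, the input is a constructed subset of the quoted files, and the archive name is approximated by the first component of the suite (apt itself reads it from each repository's Release file).

```python
import re
from urllib.parse import urlparse
# Constructed input: a subset of the sources.list and preferences lines quoted above.
SOURCES = """\
deb ftp://ftp.nl.debian.org/debian stable main contrib non-free
deb http://security.debian.org/ stable/updates main contrib non-free
#deb http://http.us.debian.org/debian testing main contrib non-free
deb http://debian.bootsplash.de unstable main
"""
PREFERENCES = """\
Package: *
Pin: release a=stable
Pin-Priority: 990

Package: *
Pin: release a=unstable
Pin-Priority: 50
"""

def active_sources(text):
    """Return (type, uri, suite) for every uncommented deb/deb-src line."""
    rows = (line.split("#", 1)[0].split() for line in text.splitlines())
    return [tuple(f[:3]) for f in rows if len(f) >= 3 and f[0] in ("deb", "deb-src")]

def pin_priorities(text):
    """Map the archive named by a=... to its Pin-Priority ('Package: *' only)."""
    pins = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        rec = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l)
        m = re.search(r"\ba=([^,\s]+)", rec.get("Pin", ""))
        if rec.get("Package") == "*" and m and "Pin-Priority" in rec:
            pins[m.group(1)] = int(rec["Pin-Priority"])
    return pins

def audit(sources, preferences):
    """Flag active sources that are off debian.org or pinned below 990."""
    pins, report = pin_priorities(preferences), []
    for kind, uri, suite in active_sources(sources):
        host = urlparse(uri).hostname or ""
        prio = pins.get(suite.split("/", 1)[0])  # assumption: archive = first suite component
        flags = []
        if not host.endswith(".debian.org"):
            flags.append("third-party")
        if prio is None or prio < 990:
            flags.append("low-pin")
        report.append((host, suite, prio, flags))
    return report

print(*audit(SOURCES, PREFERENCES), sep="\n")
```

On this input the only flagged entry is the bootsplash line, which is active even though the Debian unstable lines in the same file are commented out.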

Re: Debian, CUPS, Samba... Days of grief
Posted by sjpwong (203.42.xx.xx) on Fri 9 Dec 2005 at 00:21
My commiserations, sometimes it does seem to be too hard. What I generally find is that it seems to take a long time to learn and set things up, but once they are working they keep working, unlike MS Windows, which seems to be forever breaking for unknown reasons.

I came across this document which seems to be a fantastic overview of setting up a Linux small business server:

http://hannibal.solstice.nl/

I have not personally been through it (I probably will be soon) but it looks very good.

Good luck, it will be worthwhile...

[ Parent ]

Re: Debian, CUPS, Samba... Days of grief
Posted by Anonymous (202.83.xx.xx) on Sun 8 Jan 2006 at 23:27
Lloyd,
If I were you I would consider moving to a Debian-based alternative OS. My recommendation is Ubuntu. Since it appears that you may be a savvy computer user, you still need assistance to get advanced things up and running. All the things you want to do are fairly easy to accomplish for advanced Linux users. I currently run a network of 50+ users and I have only 1 Windows box and 4 Linux servers using Active Directory.

Ubuntu gives you the stability of Debian and the package management, without some of the issues of Debian. They have a great community and extensive forums, with most of your issues resolved with clear step-by-step howtos. I have tried just about every flavor of Linux, and Ubuntu is imho the most ready-for-primetime version around.

That's my 2 cents worth
Rueben Gooch
Brisbane Australia

[ Parent ]

Re: Debian, CUPS, Samba... Days of grief
Posted by Anonymous (172.188.xx.xx) on Tue 27 Feb 2007 at 22:00
Ubuntu? Why run with a beta version of Etch?

[ Parent ]