Eu configurei um Debian para ser servidor de PDF trabalhando em
conjunto com o AD para que os arquivos impressos tenham o nome do
usuário que os imprimiu e ao mesmo tempo que estes arquivos não sejam
sobrescritos no caso de várias impressões simultâneas. Consegui
colocar o samba no domínio com muito trabalho e ainda assim não é
perfeito pois falha muito, isso quando não pede senha de login no
samba sendo que ele já está no domínio.

Enfim, aqui vai a listagem das configurações que fiz que talvez possa
te ajudar a "começar" a fazer testes por aí.

/etc/samba/smb.conf

[global]

# Member-server settings: the host joins the AD realm (security = ads below)
# and resolves/authenticates domain users through winbind.
client use spnego = yes
# NOTE(review): the domain controller is given by IP address. Kerberos is
# name-based, so confirm that ADS authentication works with an IP here; a DC
# host name is the more usual value.
password server = 10.1.1.19 
netbios name = PDFSRV
# Source-address filter. 10.0.0.0/255.0.0.0 admits the whole 10/8 range;
# narrow it to the subnets that really need to print if that is possible.
hosts allow = 10.0.0.0/255.0.0.0 127.0.0.1
# NOTE(review): no "bind interfaces only" is set in this listing, so verify
# on which addresses smbd actually listens.
interfaces = eth0 10.1.2.254
local master = no
domain master = no
# NOTE(review): the realm is uppercase here but lowercase (ad.server) in the
# /etc/krb5.conf listing on this page. Kerberos realm names are case-sensitive;
# a mismatch is a plausible cause of the intermittent failures described above.
realm = AD.SERVER
# Local uid/gid range handed out to domain users and groups; make sure no
# local account already lives in 10000-20000.
winbind uid = 10000-20000
winbind gid = 10000-20000
# NOTE(review): smb.conf(5) describes "auth methods" as a developer option
# whose default already follows "security"; confirm this override is needed,
# since it may contribute to the unexpected password prompts.
auth methods = winbind
winbind enum users = yes
winbind enum groups = yes  
workgroup = SEU-WORKGROUP
server string = %h server (Samba %v)
wins server = 10.1.1.1
dns proxy = no
# Broadcast (bcast) is the last resort; any host on the segment can answer a
# broadcast name query, so keep it last or drop it if WINS/DNS are reliable.
name resolve order = lmhosts host wins bcast
# One log file per client machine name (%m), capped by max log size (in KB).
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /etc/samba/panic-action %d
security = ads 
encrypt passwords = true
passdb backend = tdbsam guest
# root may never connect over SMB.
invalid users = root
unix password sync = no
load printers = yes
printing = bsd
socket options = TCP_NODELAY
#======================= Share Definitions =======================

# Per-user home share: hidden from browse lists, read-only, and new files and
# directories are limited to the owner (0700).
# NOTE(review): for AD users this presumably relies on winbind supplying a
# home directory that exists on this host — confirm before relying on it.
[homes]
   comment = Home Directories
   browseable = no

# By default, the home directories are exported read-only. Change next
# parameter to 'yes' if you want to be able to write to them.
   writable = no

# File creation mask is set to 0700 for security reasons. If you want to
# create files with group=rw permissions, set next parameter to 0775.
   create mask = 0700

# Directory creation mask is set to 0700 for security reasons. If you want to
# create dirs. with group=rw permissions, set next parameter to 0775.
   directory mask = 0700

# Generic printer share for the printers loaded by "load printers"; guests are
# refused (public = no).
# NOTE(review): jobs are spooled in /tmp, a world-writable directory shared
# with every local process. A dedicated spool directory with restrictive
# ownership keeps print data away from other local users.
[printers]
   comment = All Printers
   browseable = no
   path = /tmp
   printable = yes
   public = no
   writable = no
   create mode = 0700

# Virtual PDF printer: every spooled job is handed to /usr/bin/printpdf with
# the spool file name (%s), the client machine name (%m) and the session user
# name (%U). The trailing "&" runs the conversion in the background.
# NOTE(review): guest ok = yes accepts jobs from unauthenticated clients, so
# %U may be the guest account instead of an AD user. That undercuts the stated
# goal of naming each PDF after the person who printed it; confirm guest
# printing is intended.
# NOTE(review): the command line is interpreted by a shell and %m/%U originate
# from the client. printpdf (not shown here) should treat all three arguments
# as untrusted and validate them before using them in file names or in any
# further command.
# NOTE(review): spooling in /tmp shares print data with a world-writable
# directory; a dedicated spool directory is safer.
[pdf]
        comment = Master PDF Server
        path = /tmp
        printable = Yes
        guest ok = yes
        print command = /usr/bin/printpdf %s %m %U &
;       printer driver = "Lexmark Color 4079 plus PS"

# Output tray where the generated PDFs are collected.
# NOTE(review): public = yes together with writable = yes lets any client,
# including unauthenticated guests, read, overwrite and delete every user's
# printed documents, and create mask 0775 leaves new files world-readable on
# the server. Printed documents are often sensitive; consider restricting the
# share (for example with "valid users") or separating output per user.
[PDFFiles]
        create mask = 0775
        public = yes
        writable = yes
        path = /samba/pdfs
        comment = Bandeja de PDF�s

/etc/krb5kdc/kdc.conf
# Defaults for a local MIT KDC. Port 88 is Kerberos 5; 750 is the legacy
# Kerberos 4 port.
# NOTE(review): a host that is only an AD member uses the domain controller as
# its KDC. Confirm a local KDC is really meant to run here; otherwise it is an
# unnecessary network service.
[kdcdefaults]
        kdc_ports = 750,88

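# Realm definition for the local MIT KDC: database, keytab, ACL and stash file
# locations, ticket lifetimes and the encryption types it will issue.
# supported_enctypes is kept on a single line so the whole list belongs to the
# one setting.
# NOTE(review): every enctype listed is 3DES or single DES. Single DES is no
# longer considered secure; enable stronger enctypes where the installed krb5
# release offers them and drop the des:* entries that no client requires.
# default_principal_flags = +preauth makes new principals require
# pre-authentication; keep it.
[realms]
AD.SERVER = {
                database_name = /var/lib/krb5kdc/principal
                admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
                acl_file = /etc/krb5kdc/kadm5.acl
                key_stash_file = /etc/krb5kdc/stash
                kdc_ports = 750,88
                max_life = 10h 0m 0s
                max_renewable_life = 7d 0h 0m 0s
                master_key_type = des3-hmac-sha1
                supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
                default_principal_flags = +preauth
}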

/etc/ldap/ldap.conf
# $OpenLDAP: pkg/ldap/libraries/libldap/ldap.conf,v 1.4.8.6 2000/09/05 17:54:38 kurt Exp $
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

# Default search base and server for the OpenLDAP client tools.
# NOTE(review): ldap:// is unencrypted LDAP, so binds and query results cross
# the network in clear text unless TLS or SASL protection is negotiated. Check
# whether the directory offers ldaps:// or StartTLS and use it if so.
BASE    dc=AD,dc=SERVER
URI     ldap://ldap.ad.server

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

/etc/krb5.conf
# Log destinations for the Kerberos libraries, the KDC and the admin server.
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

# Library-wide defaults: default realm, ticket lifetime and DNS-based discovery.
# NOTE(review): default_realm is lowercase here, while the smb.conf and
# kdc.conf listings on this page use AD.SERVER. Kerberos realm names are
# case-sensitive and AD realms are conventionally uppercase; use one spelling
# everywhere, since a mismatch can make authentication fail.
# NOTE(review): ticket_lifetime is presumably in seconds — confirm.
[libdefaults]
 ticket_lifetime = 24000
 default_realm = ad.server
 dns_lookup_realm = true
 dns_lookup_kdc = true

# Where to find the KDC and admin server for the realm (the AD domain
# controller at 10.1.1.19, port 88).
# NOTE(review): the realm key is lowercase; it must match default_realm and
# the realm used by Samba exactly (see the case-sensitivity of realm names).
[realms]
 ad.server= {
  kdc = 10.1.1.19:88
  admin_server = ad.server:749
  default_domain = ad.server
 }

# Maps DNS domains to the Kerberos realm.
# NOTE(review): the DNS names here are ad.master while the realm and the other
# host names on this page use ad.server; this looks like a leftover from
# anonymising the listing — confirm the real file maps the actual DNS domain.
[domain_realm]
 .ad.master = ad.server
 ad.master = ad.server

# Points a local KDC at its own configuration file; presumably only relevant
# if a KDC really runs on this host.
[kdc]
 profile = /etc/krb5kdc/kdc.conf

# Per-application defaults read by the Kerberos PAM module: no debug output,
# forwardable tickets, no Kerberos 4 conversion.
# NOTE(review): forwardable tickets can be passed on to other hosts the user
# logs in to; keep it enabled only if that delegation is wanted.
[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

/etc/pam.d/login (adicione as linhas)
# Try the AD account through winbind first, then fall back to a local account
# with the password already entered (use_first_pass, no second prompt).
# NOTE(review): a successful "sufficient" module ends the auth stack, so any
# check listed after these lines is skipped for users who pass here. Insert
# them below the checks that must always run.
auth sufficient /lib/security/pam_winbind.so
auth sufficient /lib/security/pam_unix.so use_first_pass

/etc/pam.d/samba
#%PAM-1.0
# PAM stack for the "samba" service: winbind (AD) first, local accounts second,
# then the shared system-auth stack.
# NOTE(review): pam_stack.so with service=system-auth is a Red Hat convention;
# confirm both exist on this Debian host, otherwise the "required" lines fail.
# NOTE(review): the smb.conf listing sets encrypt passwords = true and no
# "obey pam restrictions"; per smb.conf(5) smbd does not use PAM for
# authentication with encrypted passwords, so verify these auth lines are
# exercised at all.
auth required pam_securetty.so
auth sufficient /lib/security/pam_winbind.so
auth sufficient /lib/security/pam_unix.so use_first_pass
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account sufficient /lib/security/pam_winbind.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth

/etc/nsswitch.conf
# Name-service order: local files are consulted before winbind, so a local
# account always wins over a domain account with the same name. Password
# hashes (shadow) come from local files only.
passwd:         files winbind
group:          files winbind
shadow:         files

hosts:          files dns
networks:       files

dpkg -l |grep samba
samba          3.0.11-1
samba-common   3.0.11-1

dpkg -l|grep krb
krb5-admin-ser 1.2.4-5woody6
krb5-clients   1.2.4-5woody6
krb5-config    1.4
krb5-kdc       1.2.4-5woody6
krb5-user      1.2.4-5woody6
libkrb5-dev    1.2.4-5woody6
libkrb53       1.2.4-5woody6
libpam-krb5    1.0-7
openafs-krb5   1.3-8

dpkg -l|grep ldap
ldap-utils     2.0.23-6.3
libldap2       2.0.23-6.3

dpkg -l|grep pam
libpam-krb5    1.0-7
libpam-modules 0.72-35
libpam-runtime 0.72-35
libpam0g       0.72-35

dpkg -l|grep winbind
winbind        3.0.11-1

cat /etc/apt/sources.list
# Package sources: a third-party Samba 3 repository, Debian security updates
# for stable, and the stable, testing and unstable suites side by side.
# NOTE(review): with stable, testing and unstable all enabled, apt prefers the
# newest version it sees unless a default release or pinning is configured
# elsewhere, so an upgrade can pull packages from unstable. The
# security.debian.org line covers stable/updates only; packages taken from
# testing or unstable are not covered by it.
# NOTE(review): the samba.org repository is outside Debian's archive; its
# packages are trusted with root privileges at install time, so keep it only
# while the Samba 3 packages are needed from there.
deb http://us1.samba.org/samba/ftp/Binary_Packages/Debian/samba3/ stable main
deb http://security.debian.org/ stable/updates main
deb http://http.us.debian.org/debian stable main contrib non-free
deb http://ftp.br.debian.org/debian testing main contrib non-free
deb http://ftp.br.debian.org/debian-non-US testing/non-US main contrib non-free
deb http://ftp.br.debian.org/debian unstable main contrib non-free
deb http://ftp.br.debian.org/debian-non-US unstable/non-US main contrib non-free
deb http://ftp.br.debian.org/debian stable main contrib non-free
deb http://ftp.br.debian.org/debian-non-US stable/non-US main contrib non-free



> Estou querendo implementar um samba em uma rede já controlada por um
> AD. Quero que os usuários do AD possam ter uma pasta 'home' no samba,
> e tenham restrições por grupos para determinados compartilhamentos.
> Acredito que alguém já deve ter feito isso. Recomendações?