Debian Linux

Debian Linux Tools & Howto



1. Using Radius, Ldap and Pptpd (English)
2. VMplayer Error while powering on: Failed to connect to peer process (English)
3. How to use Monster TV/TV2  (Japanese)
4. How to connect OCN.Phone from YAMAHA RTV700  (Japanese)
5. IPSec between Centurysys XR-410 and YAMAHA RTV700  (Japanese)
6. How to configure LDAP on Linux  (English)

Using Radius, Ldap and Pptpd

( 2007-05-02 )


   Microsoft Windows clients can access a Linux Samba server over a VPN (Point-to-Point Tunneling Protocol). This document explains how to configure Radius and pptpd on a Linux 2.6.* kernel. Ldap configuration is explained in another section.

Overview:
  1. User/password authentication is performed by the Radius server.
  2. Ldap is the database which contains users, passwords and other information.
  3. The authentication method is MS-CHAP-v2 with 128-bit Microsoft Point-to-Point Encryption (MPPE).
Environment:
  1. Debian Linux lenny amd64
  2. kernel 2.6.20.7
  3. pptpd v1.3.0
  4. freeradius v1.1.3
Conditions:
  1. The Ldap server is already configured.
server name    = ldap.abcde.com
basedn         = ou=People,dc=abcde,dc=com
admin entry    = cn=admin,dc=abcde,dc=com
admin password = aaaaa
  2. Radius is a client/server pair and both run on the same server.
Configure Radius Client:
  1. Install radiusclient and freeradius by "apt-get install radiusclient1 freeradius".
  2. Go into the /etc/radiusclient directory.
  3. We need to configure dictionary, dictionary.microsoft, radiusclient.conf and servers.
  4. First configure dictionary. This requires only one modification. The last line must be
INCLUDE /etc/radiusclient/dictionary.microsoft
  5. You might see "$INCLUDE dictionary.microsoft". Due to a syntax problem, it does not work correctly. You must delete the $ sign and type the full path of the included file.
  6. Next, configure dictionary.microsoft. The file is not in this directory; you must copy it from /usr/share/freeradius/dictionary.microsoft.
  7. The syntax of this file is the new one, but radius.so understands only the old one. We have to modify the file.
    a. Delete the "BEGIN-VENDOR MICROSOFT" line.
    b. Delete the "END-VENDOR MICROSOFT" line.
    c. Delete the lines which start with "ATTRIBUTE" and contain "encrypt=1" or "encrypt=2".
    d. Replace all occurrences of the word "octets" by "string".
    e. Add the word "Microsoft" to the end of every line which starts with "ATTRIBUTE".
Note: Some lines have a comment starting with "#" at the end of the line. In this case, you must add the word before the comment.
    f. Insert the following three lines if necessary.
ATTRIBUTE  MS-MPPE-Encryption-Policy  7   string  Microsoft
ATTRIBUTE  MS-MPPE-Send-Key           16  string  Microsoft
ATTRIBUTE  MS-MPPE-Recv-Key           17  string  Microsoft

Note: These three lines are normally already present, but some versions of freeradius lack them.
  8. Third, configure radiusclient.conf.
auth_order    radius
authserver    localhost
acctserver    localhost
servers       /etc/radiusclient/servers

These four lines are important. The auth_order line normally reads "radius,local", but "local" sometimes causes unexpected side effects, so you had better delete it.
localhost means this server; the Radius server will run on the same machine.
  9. Configure servers.
localhost     seckeybbb

This file contains only one line: the server name and the shared secret. This secret must be the same as the one the Radius server specifies; I will explain it later.
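Steps 7a to 7f above are mechanical, so they can be scripted. The following Python is an added example and is not part of this howto or of the radiusclient and freeradius packages: it applies the six steps to the text of a dictionary.microsoft and also answers the question the troubleshooting section at the end of this howto raises ("MPPE required but not available"), namely whether the three MPPE attributes are present. The sample input is constructed in the shape of freeradius' file and is deliberately short; to convert the real file, call convert_ms_dictionary on the contents of /usr/share/freeradius/dictionary.microsoft and write the result to /etc/radiusclient/dictionary.microsoft.

```python
import re

# The three MPPE attributes step 7f requires, in the old radiusclient syntax.
REQUIRED_MPPE_LINES = {
    "MS-MPPE-Encryption-Policy": "ATTRIBUTE  MS-MPPE-Encryption-Policy  7   string  Microsoft",
    "MS-MPPE-Send-Key":          "ATTRIBUTE  MS-MPPE-Send-Key           16  string  Microsoft",
    "MS-MPPE-Recv-Key":          "ATTRIBUTE  MS-MPPE-Recv-Key           17  string  Microsoft",
}


def missing_mppe_attributes(text):
    """Names from REQUIRED_MPPE_LINES that have no ATTRIBUTE line in text.
    The howto's troubleshooting note traces "MPPE required but not available"
    to these lines being absent from dictionary.microsoft."""
    present = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "ATTRIBUTE":
            present.add(fields[1])
    return [name for name in REQUIRED_MPPE_LINES if name not in present]


def convert_ms_dictionary(text):
    """Apply steps 7a to 7f to the text of a freeradius dictionary.microsoft
    and return the old-syntax file that radius.so understands."""
    out = []
    for line in text.splitlines():
        stripped = line.strip()
        # 7a, 7b: drop the BEGIN-VENDOR / END-VENDOR block markers
        if re.match(r"(BEGIN|END)-VENDOR\s+microsoft\b", stripped, re.I):
            continue
        # 7c: drop ATTRIBUTE lines flagged encrypt=1 or encrypt=2
        if stripped.startswith("ATTRIBUTE") and re.search(r"\bencrypt=[12]\b", stripped):
            continue
        # 7d: the old syntax has no "octets" type; "string" replaces it everywhere
        line = line.replace("octets", "string")
        # 7e: append the vendor name, keeping any trailing "# comment" after it
        if stripped.startswith("ATTRIBUTE"):
            body, hash_sign, comment = line.partition("#")
            line = body.rstrip() + "  Microsoft"
            if hash_sign:
                line += "  #" + comment
        out.append(line)
    # 7f: re-insert the MPPE attributes that 7c removed (or that were never there)
    for name in missing_mppe_attributes("\n".join(out)):
        out.append(REQUIRED_MPPE_LINES[name])
    return "\n".join(out) + "\n"


# Constructed sample in the shape of freeradius' dictionary.microsoft;
# the attribute numbers are the RFC 2548 ones, the list is deliberately short.
SAMPLE_INPUT = """\
VENDOR          Microsoft       311
BEGIN-VENDOR    Microsoft
ATTRIBUTE       MS-CHAP-Response        1       octets
ATTRIBUTE       MS-CHAP-Error           2       string
ATTRIBUTE       MS-CHAP-MPPE-Keys       12      octets  encrypt=1
ATTRIBUTE       MS-MPPE-Send-Key        16      octets  encrypt=2
ATTRIBUTE       MS-MPPE-Recv-Key        17      octets  encrypt=2
ATTRIBUTE       MS-CHAP2-Response       25      octets  # MS-CHAPv2
END-VENDOR      Microsoft
"""

if __name__ == "__main__":
    print(convert_ms_dictionary(SAMPLE_INPUT))
```

Note that step 7c removes the MS-MPPE-Send-Key and MS-MPPE-Recv-Key lines, because in the freeradius file they carry encrypt=2; that is why step 7f has to put them back, and the example does it by re-checking the converted text rather than by remembering what it deleted.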


Configure Radius Server:
  1. Go into the /etc/freeradius directory.
  2. We need to configure clients.conf, ldap.attrmap, radiusd.conf and users.
  3. Configure clients.conf. This file describes which clients can access the server.
client 127.0.0.1 {
    secret  = seckeybbb
    shortname = localhost
    nastype  = other
}

At this time the Radius server and client run on the same machine, so 127.0.0.1 is the only necessary entry. seckeybbb is the shared secret that was set in the client configuration (/etc/radiusclient/servers).

  4. Configure ldap.attrmap. This file describes which Radius attribute name maps to which Ldap attribute. The default settings are enough except for these three lines.
checkItem       LM-Password                     sambaLMPassword
checkItem       NT-Password                     sambaNTPassword
#checkItem      SMB-Account-CTRL-TEXT           sambaAcctFlags

lmPassword changed to sambaLMPassword, ntPassword changed to sambaNTPassword and acctFlags changed to sambaAcctFlags after samba 3.0. The SMB-Account-CTRL-TEXT checkItem must be commented out in the current version, because its data contain white space, which causes a problem.

  5. Configure radiusd.conf. This file contains many functions, but most of them accept the default settings. We only change modules.
    a. The modules section includes pap, chap, pam, unix, eap, mschap, ldap and others. We need to configure only mschap and ldap. The other settings may be commented out or left alone.
    b. The modules section defines which functions are used and how.
    c. In mschap, we have to configure these three lines.
use_mppe = yes
require_encryption = yes
require_strong = yes
    d. In ldap, the following six lines have to be configured.
server = "localhost"
identity = "cn=admin,dc=abcde,dc=com"
password = aaaaa
basedn = "ou=People,dc=abcde,dc=com"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
#access_attr = "dialupAccess"

Identity and password are the administrative entry of the Ldap server. I am not sure, but I suppose these two lines might be unnecessary if ldap is configured so that anyone can access the database with this basedn and filter.
When you see the error message "rlm_mschap: No User-Password configured. Cannot create LM-Password.", you must add these two lines or reconfigure the ldap server so that anyone can access the database without authentication.
  6. Configure sites-available/default. This file contains the authorize and authenticate sections. We have to change these.
    a. The authorize section declares which methods will be used. This time, mschap and ldap are the only methods required.
authorize {
    ldap
    mschap
}

    b. The authenticate section declares which authentication method will be used. mschap is the only one at this time.
authenticate {
   Auth-Type MS-CHAP {
     mschap
   }
}


Note: Even though we are using the ldap server, ldap must never be declared here. The authentication method is mschap, not ldap.
  7. Configure users. This file describes which clients use which methods or functions.
DEFAULT   Auth-Type = MS-CHAP
      NAS-IP-Address = 127.0.0.1

The only client is 127.0.0.1 (localhost) and it requires MS-CHAP. Again, Auth-Type = LDAP is not a good idea.
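The secret in /etc/radiusclient/servers and the one in the matching client block of clients.conf must agree, and a mismatch makes every authentication fail. The following Python is an added example, not from this howto or from freeradius: it parses both files and reports which hosts have no matching client block or a differing secret, without echoing the secrets themselves. The sample inputs are the two files shown in this howto; the localhost/127.0.0.1 aliasing and the matching on shortname are the example's own assumptions.

```python
import re


def parse_servers(text):
    """/etc/radiusclient/servers: 'server secret' per line, # comments allowed."""
    secrets = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            secrets[fields[0]] = fields[1]
    return secrets


def parse_clients_conf(text):
    """freeradius clients.conf: 'client <host> { key = value ... }' blocks."""
    clients = {}
    for host, body in re.findall(r"client\s+(\S+)\s*\{(.*?)\}", text, re.S):
        attrs = {}
        for raw in body.splitlines():
            raw = raw.split("#", 1)[0]
            if "=" in raw:
                key, value = raw.split("=", 1)
                attrs[key.strip()] = value.strip().strip('"')
        clients[host] = attrs
    return clients


def find_client(clients, host):
    """Match a servers entry to a client block by address, by the
    localhost/127.0.0.1 alias (an assumption of this example), or by
    the block's shortname."""
    aliases = {"localhost": "127.0.0.1", "127.0.0.1": "localhost"}
    for name in (host, aliases.get(host)):
        if name in clients:
            return clients[name]
    for attrs in clients.values():
        if attrs.get("shortname") == host:
            return attrs
    return None


def check_shared_secrets(servers_text, clients_text):
    """Problems found; [] means every radiusclient server entry has a
    freeradius client block with the same secret. Secrets are never echoed."""
    clients = parse_clients_conf(clients_text)
    problems = []
    for host, secret in parse_servers(servers_text).items():
        block = find_client(clients, host)
        if block is None:
            problems.append("%s: no client block in clients.conf" % host)
        elif block.get("secret") != secret:
            problems.append("%s: secret differs from clients.conf" % host)
    return problems


# The howto's two files, embedded here as constructed sample input.
SAMPLE_SERVERS = """\
# server        secret
localhost       seckeybbb
"""

SAMPLE_CLIENTS_CONF = """\
client 127.0.0.1 {
    secret    = seckeybbb
    shortname = localhost
    nastype   = other
}
"""

if __name__ == "__main__":
    for line in check_shared_secrets(SAMPLE_SERVERS, SAMPLE_CLIENTS_CONF) or ["secrets agree"]:
        print(line)
```

To check a live installation, read the two files into the strings instead of the samples; the check runs before either daemon is restarted, which is when you want to learn about a typo in the secret.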


Configure Pptpd:
  1. Install pptpd by "apt-get install pptpd".
  2. We have to configure /etc/ppp/pptpd-options and /etc/pptpd.conf.
  3. Configure pptpd-options.
# Name of the local system for authentication purposes
name gateway
# Optional: domain name to use for authentication
domain abcde.com
# Auth & Encryption
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
# DNS addresses handed to the clients
ms-dns 10.10.10.1
ms-dns 10.10.10.2
plugin radius.so

Authentication is MS-CHAP version 2 only; the other methods are refused. Microsoft Point-to-Point Encryption, 128-bit version (mppe-128), is required. The plugin radius.so is required.
  4. Configure pptpd.conf.
option /etc/ppp/pptpd-options
localip 10.10.10.4
remoteip 10.10.10.11-40

localip is the IP address of this server, and remoteip is the range of client addresses which the server leases.


How to Confirm settings:
  1. Start pptpd and the radius server.
# /etc/init.d/freeradius restart
# /etc/init.d/pptpd restart
  2. Connect from a Windows client.
  3. If it fails, check /var/log/syslog.
When you find the error message "MPPE required but not available", check dictionary.microsoft. Perhaps you missed the MPPE attributes. See Configure Radius Client, step 7 f.

VMplayer Error "while powering on: Failed to connect to peer process"
(2007-06-08)

Symptom:

  When launching vmplayer, it gets the error "while powering on: Failed to connect to peer process".

Solution:

  If the architecture is amd64 and you are also using i386 in a chroot environment, you probably need to apt-get upgrade in the chroot environment.
 
Watching TV with the Monster TV/TV2
(2007-01-10)

This describes how to use the SKNet Monster TV/TV2 TV tuner card on Linux.
On Linux this tuner card needs a patch, but it is then recognized by the saa7134 driver. Because the patch against kernel-2.6.10 is the easiest to apply, the instructions below are for kernel-2.6.10.

1. Obtain the kernel-2.6.10 source.
2. Obtain linux-2.6.10-rc1-mm4.monstertv.1.diff.gz.
3. Apply the patch and build the kernel.
4. Create a file /etc/modprobe.d/saa7134 with the following content.
    options saa7134  card=48
5. Install tvtime as the viewing application.
6. Edit ~/.tvtime/stationlist.xml.
  On my system it looks like this.
  <stationlist xmlns="http://tvtime.net/xml">
  <list norm="NTSC-JP" frequencies="japan-broadcast" audio="bg">
    <station name="NHK General" active="1" position="1" band="Japan Broadcast" channel="1" finetune="0" norm="NTSC-JP" audio="auto"/>
    <station name="Weather" active="1" position="2" band="Japan Broadcast" channel="2" finetune="0" norm="NTSC-JP" audio="auto"/>
    <station name="SUN" active="1" position="3" band="Japan Broadcast" channel="3" finetune="0" norm="NTSC-JP" audio="auto"/>
    <station name="MBS" active="1" position="4" band="Japan Broadcast" channel="4" finetune="0" norm="NTSC-JP" audio="auto"/>
    <station name="K-Vision" active="1" position="5" band="Japan Broadcast" channel="5" finetune="0" norm="NTSC-JP" audio="auto"/>
    <station name="ABC" active="1" position="6" band="Japan Broadcast" channel="6" finetune="0" norm="NTSC-JP" audio="auto"/>
    <station name="KTV" active="1" position="8" band="Japan Broadcast" channel="8" finetune="0" norm="NTSC-JP" audio="auto"/>
    <station name="Shoping" active="1" position="9" band="Japan Broadcast" channel="9" finetune="0" norm="NTSC-JP" audio="auto"/>
    <station name="YTV" active="1" position="10" band="Japan Broadcast" channel="10" finetune="0" norm="NTSC-JP" audio="auto"/>
    <station name="OBS" active="1" position="11" band="Japan Broadcast" channel="11" finetune="0" norm="NTSC-JP" audio="auto"/>
    <station name="NHK Education" active="1" position="12" band="Japan Broadcast" channel="12" finetune="0" norm="NTSC-JP" audio="auto"/>
  </list>
</stationlist>

Note: with the MonsterTV2, it works with tuner=43  card=48.

Connecting an IP phone from a YAMAHA RTV700
(2007-09-23)

This describes how to use an IP phone from the YAMAHA RTV700 router.
Instead of the VoIP adapter supplied by NTT, a telephone is connected directly to the RTV700. YAMAHA's website confirms connection only with Fusion Communications and Plala Networks, but other providers can be connected as well. Choose "other" in the settings and configure as follows.

1. VoIP phone number: your own 11-digit number beginning with 050, without hyphens. Example: 05011112222
2. VoIP server name / SIP server name: the connection server name assigned by the provider. Example: voip-1111.ocn.ne.jp
3. Service domain / SIP domain: the VoIP domain name assigned by the provider. Example: sp-voip.ocn.ne.jp
4. VoIP user ID / SIP user ID / user ID: the user ID assigned by the provider. Example: 334VVYYJJ
5. VoIP password / SIP password / password: the password assigned by the provider. Example: pASS0354
6. SIP server address / SIP server IP address: the same as the VoIP server name. Example: voip-1111.ocn.ne.jp
7. SIP address / SIP_url: phone number@service domain. Example: 05011112222@sp-voip.ocn.ne.jp
8. SIP user name / user name: the SIP address beginning with sip:; it may or may not include the part from @ onward.
    Example: sip:05011112222 or sip:05011112222@sp-voip.ne.jp
    Note: this is not VoIP user ID@service domain name.

The commands for an example with a FAX on the TEL1 port and a telephone on the TEL2 port are as follows.

analog sip arrive incoming-signal 1 1 sip:05011112222@sp-voip.ne.jp no-ringing-fax
        <=== fax reception without ringing
analog pad rtp receive 1 -6db <=== for FAX, lower the level to avoid echo
analog pad rtp send 1 -6db <=== same as above
analog use 1 on
analog sip arrive permit 1 on
analog sip call permit 1 on
analog sip call myname 1 sip:05011112222
analog sip call display name 1 05011112222
analog sip arrive myaddress 1 1 sip:05011112222@sp-voip.ne.jp
analog use 2 on
analog sip arrive permit 2 off <=== set to on if the telephone should receive incoming calls
analog sip call permit 2 on
analog sip call myname 2 sip:05011112222
analog sip call display name 2 05011112222
analog sip arrive myaddress 2 1 sip:05011112222@sp-voip.ne.jp
analog supplementary-service pseudo call-waiting
analog extension dial prefix line prefix="0000"
analog extension dial prefix sip server=1
        <=== outgoing calls over the IP phone are made without a prefix; server=1 is required.
sip use on
sip server 1 voip-1111.ocn.ne.jp register udp sip:05011112222@sp-voip.ne.jp 334VVYYJJ pASS0354

Connecting a Centurysys XR-410 and a YAMAHA RTV700 with IPsec
(2007-09-26)

An example of an IPsec connection between different vendors' equipment: the Centurysys XR-410 and the YAMAHA RTV700.

Prerequisites:
  1. At least one side must have a fixed IP address.
  2. When a global IP is assigned directly to the WAN interface of both the XR-410 and the RTV700, connect in main mode. (Example 1)
  3. When one side has a dynamic IP, or has a fixed IP but sits behind the NAT of a CTU or another router so that no global IP is assigned to its WAN interface, connect in aggressive mode. (Example 2)
  4. Both sides use a PSK (pre-shared key).
  5. Neither side uses PFS.
Example 1, main mode connection:
  1. XR-410 side IP address 211.111.111.111/29
  2. XR-410 side local network 192.168.2.0/24
  3. RTV700 side IP address 212.222.222.222/29
  4. RTV700 side local network 192.168.1.0/24
  5. psk key KEYSAMPLE
  6. Both sides connect to the provider by PPPoE.
XR-410 settings:
1. This device settings: NAT Traversal: do not use.   <=== not needed
2. This device settings 1: interface IP address: 211.111.111.111
3. This device settings 1: upstream router IP address: %ppp0     <=== use the PPPoE connection
4. This device settings 1: interface ID: blank     <=== not specified in main mode
5. IKE/ISAKMP settings 1: interface IP address: 212.222.222.222
6. IKE/ISAKMP settings 1: upstream router IP address: blank
7. IKE/ISAKMP settings 1: interface ID: blank
8. IKE/ISAKMP settings 1: mode setting: main mode
9. IKE/ISAKMP settings 1: transform setting, first entry: group2-3des-md5     <=== match the peer
10. IKE/ISAKMP settings 1: IKE lifetime: 3600     <=== default; match the peer
11. IKE/ISAKMP settings 1: key setting: use PSK: KEYSAMPLE
12. IPsec policy settings 1: network address of this device's LAN side: 192.168.2.0/24
13. IPsec policy settings 1: network address of the peer's LAN side: 192.168.1.0/24
14. IPsec policy settings 1: PH2 transform selection: 3des-md5
15. IPsec policy settings 1: PFS: do not use
16. IPsec policy settings 1: SA lifetime: 28800     <=== default; match the peer

RTV700 settings:
pp select 1
ip pp nat descriptor 1000
pp enable 1
nat descriptor type 1000 masquerade     <=== masquerade assignment for Internet access
nat descriptor address outer 1000 212.222.222.222     <=== assign a global IP different from the one used for IPsec
nat descriptor address inner 1000 192.168.1.1-192.168.1.254
ip route 192.168.2.0/24 gateway tunnel 1
tunnel select 1
ipsec tunnel 101
ipsec sa policy 101 1 esp 3des-cbc md5-hmac
ipsec ike encryption 1 3des-cbc
ipsec ike esp-encapsulation 1 off
ipsec ike group 1 modp1024
ipsec ike hash 1 md5
ipsec ike local address 1 212.222.222.222
ipsec ike local id 1 192.168.1.0/24
ipsec ike log 1 key-info message-info payload-info
ipsec ike pfs 1 off
ipsec ike pre-shared-key 1 KEYSAMPLE
ipsec ike remote address 1 211.111.111.111
ipsec ike remote id 1 192.168.2.0/24
      <=== in main mode, remote name is not specified
ip tunnel address 212.222.222.222/29
tunnel enable 1



Example 2, aggressive mode connection:
  1. XR-410 side, CTU WAN-side IP address 213.113.113.113/29     <=== not used even though it is fixed; not needed for a dynamic IP.
  2. XR-410 side, CTU LAN-side IP address 192.168.24.1/24
  3. XR-410 side WAN-side IP address 192.168.24.9
  4. XR-410 side local network 192.168.3.0/24
  5. RTV700 side IP address 212.222.222.222/29
  6. RTV700 side local network 192.168.1.0/24
  7. psk key KEYSAMPLE
  8. Both sides connect to the provider by PPPoE.
XR-410 settings:
1. This device settings: NAT Traversal: do not use.   <=== not needed
2. This device settings 1: interface IP address: 192.168.24.9
3. This device settings 1: upstream router IP address: 192.168.24.1     <=== the CTU's LAN-side address
4. This device settings 1: interface ID: @GATESAMPLE     <=== match the peer
5. IKE/ISAKMP settings 1: interface IP address: 212.222.222.222
6. IKE/ISAKMP settings 1: upstream router IP address: blank
7. IKE/ISAKMP settings 1: interface ID: blank
8. IKE/ISAKMP settings 1: mode setting: aggressive mode
9. IKE/ISAKMP settings 1: transform setting, first entry: group2-3des-md5     <=== match the peer
10. IKE/ISAKMP settings 1: IKE lifetime: 3600     <=== default; match the peer
11. IKE/ISAKMP settings 1: key setting: use PSK: KEYSAMPLE
12. IPsec policy settings 1: network address of this device's LAN side: 192.168.3.0/24
13. IPsec policy settings 1: network address of the peer's LAN side: 192.168.1.0/24
14. IPsec policy settings 1: PH2 transform selection: 3des-md5
15. IPsec policy settings 1: PFS: do not use
16. IPsec policy settings 1: SA lifetime: 28800     <=== default; match the peer

RTV700 settings:
pp select 1
ip pp nat descriptor 1000
pp enable 1
nat descriptor type 1000 masquerade     <=== masquerade assignment for Internet access
nat descriptor address outer 1000 212.222.222.222     <=== assign a global IP different from the one used for IPsec
nat descriptor address inner 1000 192.168.1.1-192.168.1.254
ip route 192.168.3.0/24 gateway tunnel 2
tunnel select 2
ipsec tunnel 102
ipsec sa policy 102 2 esp 3des-cbc md5-hmac
ipsec ike encryption 2 3des-cbc
ipsec ike esp-encapsulation 2 off
ipsec ike group 2 modp1024
ipsec ike hash 2 md5
ipsec ike local address 2 212.222.222.222
ipsec ike local id 2 192.168.1.0/24
ipsec ike log 2 key-info message-info payload-info
ipsec ike pfs 2 off
ipsec ike pre-shared-key 2 KEYSAMPLE
ipsec ike remote address 2 any     <=== specify any in aggressive mode
ipsec ike remote id 2 192.168.3.0/24
ipsec ike remote name 2 GATESAMPLE     <=== the peer's @GATESAMPLE without the @
ip tunnel address 212.222.222.222/29
tunnel enable 2

How to configure LDAP on Linux
(2007-10-30)

   Ldap (Lightweight Directory Access Protocol) can unify the users and groups in a network so that they are managed as the same users and groups on every server. Passwords for login, email, samba and pptpd can be the same on all servers and are modified at the same time. This document explains how to configure Ldap on a Linux 2.6.* kernel. Pptpd configuration is explained in another section.

Environment:
  1. Debian Linux lenny i386
  2. kernel 2.6.19.1
  3. slapd v2.3.38-1
  4. libnss-ldap v256-1
Conditions:
  1. Master Ldap server is ldap.abcde.com. [192.168.1.111]
  2. Slave Ldap server is ldap2.abcde.com. [192.168.1.112]
  3. File(samba) server is file.abcde.com. [192.168.1.113]
  4. Mail (postfix) server is mail.abcde.com. [192.168.1.114]
  5. Samba workgroup is WORKGROUP
Overview:

Ldap is designed to work in a client/server model. Each email, ftp or samba server sends its authentication requests to the Ldap server. Ldap is normally run redundantly, because its failure does severe damage to the entire network.

Install OpenLdap to master Ldap server:
  1. Install slapd, ldap-utils, smbldap-tools and sasl2-bin by "apt-get install slapd ldap-utils smbldap-tools sasl2-bin".

    The name of the OpenLdap package is "slapd" and ldap-utils contains useful tools. smbldap-tools will install samba.schema into /etc/ldap/schema.
    sasl2-bin will install the saslauthd daemon, which can accept authentication requests from a client that has no ability to query the LDAP server directly.

  2. Configure slapd by the post-installation script.

    base DN dc=abcde,dc=com
    organization abcde.com
    Admin password aaaaaa


  3. Add samba.schema to /etc/ldap/schema.

    gzip -cd /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz > /etc/ldap/schema/samba.schema

  4. Add smbldap.conf and smbldap_bind.conf to /etc/smbldap-tools/.

    gzip -cd /usr/share/doc/smbldap-tools/examples/smbldap.conf.gz > /etc/smbldap-tools/smbldap.conf
    cp /usr/share/doc/smbldap-tools/examples/smbldap_bind.conf /etc/smbldap-tools/

  5. Configure /etc/smbldap-tools/smbldap.conf by hand.

    sambaDomain="WORKGROUP"
    slaveLDAP="192.168.1.112"
    slavePort="389"
    masterLDAP="192.168.1.111"
    masterPort="389"
    suffix="dc=abcde,dc=com"
    mailDomain="abcde.com"


  6. Configure /etc/smbldap-tools/smbldap_bind.conf by hand.

    slaveDN="cn=admin,dc=abcde,dc=com"
    slavePw="aaaaaa"
    masterDN="cn=admin,dc=abcde,dc=com"
    masterPw="aaaaaa"


    As this file stores the administrative DN and password, its permissions should be 600.
  7. Configure /etc/ldap/slapd.conf by hand.

    # Features to permit
    #allow bind_v2

    After installing the Radius server, you need to uncomment this. The Radius server tries to connect by ldap version 2.

    # Schema and objectClass definitions
    include /etc/ldap/schema/core.schema
    include /etc/ldap/schema/cosine.schema
    include /etc/ldap/schema/nis.schema
    include /etc/ldap/schema/inetorgperson.schema
    include /etc/ldap/schema/samba.schema

    After installing the Radius server, you also have to insert
    include /etc/ldap/schema/RADIUS-LDAPv3.schema

    # Load additional module
    moduleload syncprov

    # Indexing options for database #1
    index objectClass,uid,cn,gidNumber,memberUid,sambaSID,uidNumber,entryCSN,entryUUID eq

    cachesize 200
    idlcachesize 1000

    This is the master LDAP server, and it is necessary to replicate the database to the slave LDAP server by syncprov.

    # Replica is obsolete, now configure syncprov #1
    overlay syncprov
    syncprov-checkpoint 100 10
    syncprov-sessionlog 100

    access to attrs=SambaLMPassword
    by self read
    by anonymous auth
    by * none

    access to attrs=SambaNTPassword
    by self read
    by anonymous auth
    by * none

    access to attrs=userPassword
    by anonymous auth
    by self write
    by * none

    Note: 'by dn="cn=admin,dc=abcde,dc=com" write' is no longer needed.
  8. Configure /etc/default/saslauthd by hand.

    The only line you have to modify is:
    START=yes

  9. Create the initial database and register a test entry.

    ldapadd -x -W -D "cn=admin,dc=abcde,dc=com" -f initial.ldif
    Before executing this command, you have to create initial.ldif as follows.

    dn: ou=People,dc=abcde,dc=com
    ou: People
    objectClass: organizationalUnit
    objectClass: top

    dn: uid=test,ou=People,dc=abcde,dc=com
    uid: test
    cn: test
    objectClass: top
    objectClass: inetOrgPerson
    objectClass: posixAccount
    objectClass: shadowAccount
    loginShell: /bin/bash
    uidNumber: 1901
    gidNumber: 1000
    homeDirectory: /home/test
    gecos: Test User
    mail: test@abcde.com
    sn: Test
    givenName: User

    dn: ou=Group,dc=abcde,dc=com
    ou: Group
    objectClass: organizationalUnit
    objectClass: top

    dn: cn=users,ou=Group,dc=abcde,dc=com
    cn: users
    objectClass: posixGroup
    objectClass: top
    gidNumber: 1000
    memberUid: test


  10. Check the ldap database.

    By using the following commands, you can confirm the Ldap entries.
    slapcat   --  Display the whole database.
    ldapsearch -x "(cn=test)"   --  Display the test user's entry.
    id test   --  Display the test user's uid, gid and groups.

    Note: If you can't get the desired result, you may need to reboot the system.
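ldapadd adds the records of initial.ldif in file order and stops at the first error, and some mistakes (a gidNumber with no matching posixGroup, a memberUid that names no account) are accepted by slapd but make "id test" fail later. The following Python is an added example, not part of this howto or of the OpenLDAP tools: it parses the LDIF (folded lines and base64 values included) and runs those consistency checks before the file is fed to ldapadd. The required-attribute table is a subset taken from the standard schemas; the suffix dc=abcde,dc=com and the sample file are the ones from this howto.

```python
import base64

# MUST attributes (subset) of the object classes initial.ldif uses:
# posixAccount/posixGroup (RFC 2307), person (RFC 2256), organizationalUnit (X.521).
REQUIRED = {
    "posixaccount": {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"},
    "posixgroup": {"cn", "gidnumber"},
    "inetorgperson": {"cn", "sn"},
    "organizationalunit": {"ou"},
}


def parse_ldif(text):
    """Records of an LDIF file in file order; each is a dict mapping the
    lower-cased attribute name to its list of values ("dn" included)."""
    records, current = [], {}
    # "\n " joins a folded continuation line; the extra "" closes the last record
    for line in text.replace("\n ", "").splitlines() + [""]:
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                records.append(current)
            current = {}
            continue
        attr, sep, rest = line.partition(":")
        if not sep:
            raise ValueError("not an LDIF line: %r" % line)
        if rest.startswith(":"):                    # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode()
        else:
            value = rest.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    return records


def check_ldif(text, suffix="dc=abcde,dc=com"):
    """Problems that ldapadd or later logins would trip over; [] if consistent."""
    problems, seen, accounts, groups = [], set(), [], []
    for rec in parse_ldif(text):
        dn = rec["dn"][0]
        # ldapadd adds records in order, so a parent entry must come first
        parent = dn.split(",", 1)[1] if "," in dn else ""
        if parent.lower() != suffix.lower() and parent.lower() not in seen:
            problems.append("%s: parent %s is not defined before it" % (dn, parent))
        seen.add(dn.lower())
        classes = {c.lower() for c in rec.get("objectclass", [])}
        for oc in sorted(classes):
            for attr in sorted(REQUIRED.get(oc, set()) - set(rec)):
                problems.append("%s: %s requires attribute %s" % (dn, oc, attr))
        if "posixaccount" in classes:
            accounts.append(rec)
        if "posixgroup" in classes:
            groups.append(rec)
    group_gids = {g["gidnumber"][0] for g in groups if "gidnumber" in g}
    uids = {a["uid"][0] for a in accounts if "uid" in a}
    for a in accounts:                              # primary group must exist
        gid = a.get("gidnumber", [None])[0]
        if gid is not None and gid not in group_gids:
            problems.append("%s: gidNumber %s matches no posixGroup" % (a["dn"][0], gid))
    for g in groups:                                # every member must be an account
        for member in g.get("memberuid", []):
            if member not in uids:
                problems.append("%s: memberUid %s is not a posixAccount here" % (g["dn"][0], member))
    return problems


# The howto's initial.ldif, copied here as the sample input.
INITIAL_LDIF = """\
dn: ou=People,dc=abcde,dc=com
ou: People
objectClass: organizationalUnit
objectClass: top

dn: uid=test,ou=People,dc=abcde,dc=com
uid: test
cn: test
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
loginShell: /bin/bash
uidNumber: 1901
gidNumber: 1000
homeDirectory: /home/test
gecos: Test User
mail: test@abcde.com
sn: Test
givenName: User

dn: ou=Group,dc=abcde,dc=com
ou: Group
objectClass: organizationalUnit
objectClass: top

dn: cn=users,ou=Group,dc=abcde,dc=com
cn: users
objectClass: posixGroup
objectClass: top
gidNumber: 1000
memberUid: test
"""

if __name__ == "__main__":
    for problem in check_ldif(INITIAL_LDIF) or ["initial.ldif is consistent"]:
        print(problem)
```

The DN handling splits on the first comma, which is enough for the DNs in this howto but not for DNs with escaped commas; the schema table is only the part of the MUST lists that these four entries depend on, so extend it if your initial.ldif uses other object classes.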
Install OpenLdap to slave Ldap server:

The installation is the same as that of the master Ldap, but some configurations are different.
  1. Install slapd, ldap-utils, smbldap-tools and sasl2-bin by "apt-get install slapd ldap-utils smbldap-tools sasl2-bin".
  2. Configure slapd by the post-installation script.
  3. Add samba.schema to /etc/ldap/schema.
  4. Add smbldap.conf and smbldap_bind.conf to /etc/smbldap-tools/.
  5. Configure /etc/smbldap-tools/smbldap.conf by hand.
  6. Configure /etc/smbldap-tools/smbldap_bind.conf by hand.
  7. Configure /etc/ldap/slapd.conf by hand. The following configurations are different from those of the master Ldap.

    # Where to store the replica logs for database #1
    # replogfile /var/lib/ldap/replog

    # This is a slave get from Master
    rootdn cn=replica,dc=abcde,dc=com
    rootpw aaaaaa
    updatedn cn=replica,dc=abcde,dc=com
    updateref uri=ldap://ldap.abcde.com/dc=abcde,dc=com


    The slave Ldap acts only as a reference server and forwards update requests to the master Ldap.

  8. Configure /etc/default/saslauthd by hand.
  9. Create the initial database and register a test entry. The database will be created when the master Ldap's slurpd starts up.
  10. Check the ldap database.
Installation and configuration on Ldap client:

The installation and configuration must be done on all servers which are going to connect to the LDAP servers. They are required on the master and slave Ldap servers themselves as well.
  1. Install libpam-ldap by "apt-get install libpam-ldap".
  2. Configure /etc/pam_ldap.conf by hand.

    uri ldap://127.0.0.1/ ldap://192.168.1.111/
    base dc=abcde,dc=com
    rootbinddn cn=admin,dc=abcde,dc=com


    This configuration file tells the pam modules how to access the LDAP servers. uri must specify the IP addresses of the LDAP servers. On an LDAP server itself, it points to localhost, 127.0.0.1.

  3. Install libnss-ldap by "apt-get install libnss-ldap".
  4. Configure /etc/libnss-ldap.conf by hand.

    uri ldap://127.0.0.1/ ldap://192.168.1.111/
    base dc=abcde,dc=com
    rootbinddn cn=admin,dc=abcde,dc=com


    This configuration file is used to get the uid, gid and home directory from the LDAP server. uri must specify the IP addresses of the LDAP servers. On an LDAP server itself, it points to localhost, 127.0.0.1.

  5. Configure /etc/nsswitch.conf by hand.

    passwd: files ldap
    group: files ldap
    shadow: files ldap


    Lookups go to the local files (/etc/passwd and so on) first and then to ldap.

  6. Configure /etc/pam.d/common-account

    account sufficient pam_ldap.so
    account required pam_unix.so try_first_pass


    The try_first_pass option prevents pam_unix.so and pam_ldap.so from prompting twice.

  7. Configure /etc/pam.d/common-auth

    auth sufficient pam_ldap.so
    auth required pam_unix.so nullok_secure try_first_pass


  8. Configure /etc/pam.d/common-password

    password sufficient pam_ldap.so
    password required pam_unix.so nullok obscure min=4 max=8 md5 try_first_pass


  9. Configure /etc/pam.d/common-session

    session sufficient pam_ldap.so
    session required pam_unix.so use_first_pass


  10. Configure /etc/ldap/ldap.conf

    BASE dc=abcde,dc=com
    URI ldap://localhost ldap://ldap2.abcde.com
    SASL_SECPROPS none
    SASL_REALM ABCDE.COM


    URI must point to the master and slave Ldap servers. This example is for ldap.abcde.com itself, so ldap://localhost is equivalent to ldap://ldap.abcde.com.
Configure Samba server:
  1. Configure /etc/samba/smb.conf.

    passdb backend = ldapsam:"ldap://ldap.abcde.com ldap://ldap2.abcde.com"
    ldap suffix = dc=abcde,dc=com
    ldap admin dn = cn=admin,dc=abcde,dc=com
    ldap user suffix = ou=People
    ldap group suffix = ou=Groups
    ldap machine suffix = ou=Computers
    ldap ssl = no
    idmap uid = 40000-50000
    idmap gid = 40000-50000

    obey pam restrictions = no
    ; Do ldap passwd sync
    ldap passwd sync = Yes
    passwd program = /usr/sbin/smbldap-passwd %u
    # administer users and groups from Windows
    add user script = /usr/sbin/smbldap-useradd -m "%u"
    ldap delete dn = Yes
    delete user script = /usr/sbin/smbldap-userdel "%u"
    add machine script = /usr/sbin/smbldap-useradd -w "%u"
    add group script = /usr/sbin/smbldap-groupadd -p "%g"
    delete group script = /usr/sbin/smbldap-groupdel "%g"
    add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
    delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
    set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"

  2. Tell Samba the administrative password for Ldap.

    smbpasswd -w aaaaaa

  3. Register users to samba.

    smbldap-useradd -a -g users -m -A 1 -B 0 testuser1

    -a makes both a unix and a samba account,
    -g users is the group which testuser1 will belong to,
    -m makes his or her home directory,
    -A 1 allows testuser1 to change his or her own password,
    -B 0 does not force testuser1 to change the password within a term (default 30 days).
    Note: -S surname causes a problem for postfix,
    because cn will be "Givenname Surname" but Postfix expects cn to be a simple userid.