Samba service deployment and configuration guide
Preparation
- Download the image (the file samba-1.1_3.tgz used by vmcreate below).
- After reading the XenU Deployment Guide, configure the machine with the following parameters:
- Volume size: 3GB
- RAM: 512 MB
- Name: samba
- Create the virtual machine:
vmcreate --size 3G --file samba-1.1_3.tgz --ip 128 --ip 192.168.69.22 samba
- Create an LVM volume named samba_home in which the Samba data (user home directories and roaming profiles) will reside. Its size should be sufficient for that data; for example, 30GB:
lvcreate -L30G -n samba_home sys
mkfs -t ext3 /dev/sys/samba_home
- Add the volume to the virtual machine configuration (/etc/xen/auto/samba) as disk hda2.
[ 'phy:/dev/sys/samba,hda1,w','phy:/dev/sys/samba_home,hda2,w','phy:/dev/sys/swap_samba,hdb1,w' ]
- Boot the virtual machine:
xm create -c /etc/xen/auto/samba
- Log in as root with the password passwd.root and change this default password immediately.
Machine configuration
There are two configuration options available:
- Centralised configuration: if the machine is going to be integrated in a ModularIT management structure.
- Local configuration: if the machine is not going to be integrated in a ModularIT management structure.
Centralized configuration
On the Puppet server
- The global parameters of the Samba service are defined in the client group of the machine:
## Samba service variables
# IP of the samba server
$samba_ip = "192.168.69.22"
# NetBIOS domain name
$smbdomain = "DEVEL"
# NetBIOS name of the samba server
$smbname = "servidor"
- Create the entry of the ModularIT machine being installed:
node "devel.samba" inherits "devel" {
# First installation?
$bootstrap = yes
$modularit_name = "devel.samba"
$comment = "Development Samba"
include modularit
}
Client configuration (The machine being installed)
- Stop the puppet service and run puppetd in the foreground in debug mode to verify that it applies the configuration correctly:
/etc/init.d/puppet stop
puppetd --debug --no-daemonize --runinterval 60 --fqdn NOMBRE_MODULARIT --server PUPPET_MODULARIT
- The values of NOMBRE_MODULARIT (the ModularIT name of this machine) and PUPPET_MODULARIT (the Puppet server) will be provided by the service manager (register with the mailing list if you have questions regarding this).
- Puppet is started as a service once it has completed several runs without generating errors:
/etc/init.d/puppet restart
- PIFIA should be executed to ensure that notifications to Nagios are functioning correctly:
/var/lib/pica/bin/scheduler Emergency
/var/lib/pica/bin/scheduler Warning
- Check in Nagios that all services of the machine report OK. At this point critical AIDE alerts are still expected, because the AIDE database has not been initialized yet (see Initializing AIDE below).
Local configuration
The following installation mode is needed when the machine is not integrated in a centralized ModularIT management structure.
- Go to the /opt directory.
- Download the ModularIT configuration tree:
links --source "http://git.modularit.org/?p=modularit.git;a=snapshot;h=HEAD;sf=tgz" | tar xvzf -
- This will create the /opt/modularit directory.
- Create a directory for the puppet modules and link the ModularIT module into it:
mkdir /etc/puppet/modules
ln -s /opt/modularit/Puppet/modularit /etc/puppet/modules/
- Edit the file /opt/modularit/Puppet/offline/variables.pp and modify it so that the correct configuration is used. This file will be common to all ModularIT installations.
- Edit the file /opt/modularit/Puppet/offline/offline.pp to reflect the name and type of the ModularIT machine, in this case: samba. This file is different for each machine (the name and type of machine are always different).
- Once the configuration has been completed, execute puppet in off-line mode:
puppet --debug /opt/modularit/Puppet/offline/offline.pp
- The process should finish without errors.
Service preparation
- Execute the Samba service initialization script:
modularit_samba_init.rb
This script does the following:
- Configures the system to resolve users and groups from LDAP.
- Sets the Samba domain SID, which has to match the one stored in LDAP.
- Stores the LDAP bind password that Samba uses to access the directory.
- Once the service is running, check that the LDAP users and groups are visible to the system with getent passwd and getent group.
- Check the connection to Samba with the admin user by listing the server's shares:
smbclient -L server -Uadmin
SELinux activation
To activate SELinux. Note that with SELinux active and the default labels, adding machines to the domain fails because smbldap-useradd does not find smbldap_tools.pm in @INC; the booleans and labels set in the following steps address this.
- In /etc/sysconfig/selinux set:
SELINUX=enforcing
- Relabel the file system and reboot:
fixfiles relabel
reboot
- Activate the home sharing:
setsebool -P samba_enable_home_dirs 1
- Activate domain controller support so that Samba may execute the user and group management scripts. This boolean grants Samba permission to execute programs labelled useradd_exec_t and groupadd_exec_t:
setsebool -P samba_domain_controller on
- Label the smbldap-tools scripts with the useradd_exec_t and groupadd_exec_t contexts:
semanage fcontext -a -t useradd_exec_t '/usr/sbin/smbldap-user.*'
restorecon -R -v /usr/sbin/smbldap-user*
semanage fcontext -a -t groupadd_exec_t '/usr/sbin/smbldap-group.*'
restorecon -R -v /usr/sbin/smbldap-group*
- To ensure that the labels are correct, compare them with those of the useradd and groupadd programs:
ls -Z /usr/sbin/useradd /usr/sbin/smbldap-useradd
ls -Z /usr/sbin/groupadd /usr/sbin/smbldap-groupadd
Initializing AIDE
Once everything is functioning correctly, initialize the AIDE databases as described in the AIDE guide.
Tests
- Add a machine to the domain.
- Log in to the domain with the admin user and ensure that the roaming profile has been created in /home/samba/profiles.