I searched high and low for a good guide on how to set up a Samba server that uses Kerberos for authentication and OpenLDAP to get the users. I stumbled upon the Ubuntu Community Guide, which gave me some insight on how to get Samba to play along with Kerberos, but it didn’t provide any details about LDAP integration. After some searching and a lot of testing, I finally completed this complex puzzle.
Because I’ve recently acquired the good habit of documenting the stuff I do (well, at least I try to…), I’m putting it here for future reference. I’m also sure it will be of some use to someone else. I’ve tested this on Ubuntu 10.04 and 10.10 without significant problems. The Kerberos KDC itself was set up by following the Ubuntu Server Guide (Kerberos) and the Ubuntu Server Guide (Kerberos and LDAP). So let’s get going; first we’ll install some packages.
sudo apt-get install samba libnss-ldap krb5-user
This installs samba (duh…), krb5-user, which is needed for the Kerberos part, and libnss-ldap, which is needed for the LDAP part. Installing them triggers some configuration screens. When configuring ldap-auth-config, use the following settings:
LDAP server Uniform Resource Identifier: <your LDAP-server, something like ldap://ldap.example.com>
Distinguished name of the search base: <your search base, something like dc=example,dc=com>
LDAP version to use: 3
Make local root database admin: No
Does the LDAP database require login: No
Next, you’ll be presented with some configuration screens for Kerberos, type in the following:
Default Kerberos version 5 realm: <your Kerberos realm, something like EXAMPLE.COM>
Now, if you’ve done your homework properly and your DNS server has the appropriate SRV records (the _kerberos and _kerberos-adm records for your realm), the wizard will notice this and you’re done. Otherwise, you’ll have to give it some more information, like the FQDN of the server hosting the Kerberos KDC daemon. You should then be back at the command line. Execute the following command to have auth-client-config update /etc/nsswitch.conf so that passwd, group and shadow lookups also consult LDAP:
sudo auth-client-config -t nss -p lac_ldap
Switch to the computer that acts as the Kerberos KDC and generate a keytab for the Samba server using the following commands (on the KDC itself, kadmin.local does the same without asking for the admin password):
kadmin -p admin/admin
kadmin: addprinc -randkey cifs/fileserver.example.com
kadmin: ktadd -k /path/to/keytab -e rc4-hmac:normal cifs/fileserver.example.com
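Once the keytab produced by the ktadd command above is on the Samba server, it is worth checking what it actually contains before pointing smb.conf at it. The following script is an added example written for this post, not part of the original and not a Samba or MIT Kerberos tool: it parses the version-2 keytab format directly, so it works without krb5 tools installed, lists every principal with its kvno and enctype, and flags RC4 and DES keys, which is exactly what `-e rc4-hmac:normal` produces. The principal cifs/fileserver.example.com@EXAMPLE.COM, the kvno and the key bytes in the embedded sample are constructed assumptions; with the real tools, `klist -k -e /etc/krb5.keytab` gives the same listing.

```python
"""Offline check of a Kerberos keytab: list principals and enctypes, flag weak keys.

Added example for this post; implements the MIT/Heimdal version-2 (0x0502) keytab
layout so it needs no krb5 tools. Run as: python3 keytab_check.py /etc/krb5.keytab
"""
import struct

ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac", 24: "rc4-hmac-exp",
}
# DES (RFC 6649) and RC4 (RFC 8429) are deprecated; the AES types are the ones to keep.
WEAK_ENCTYPES = {1, 2, 3, 23, 24}


def _read_data(buf, pos):
    """uint16 length-prefixed byte string, used for the realm and each name component."""
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + n].decode("utf-8", "replace"), pos + n


def _parse_entry(body):
    pos = 0
    (ncomp,) = struct.unpack_from(">H", body, pos)  # v2: the realm is not counted here
    pos += 2
    realm, pos = _read_data(body, pos)
    comps = []
    for _ in range(ncomp):
        comp, pos = _read_data(body, pos)
        comps.append(comp)
    name_type, timestamp, vno8 = struct.unpack_from(">iIB", body, pos)
    pos += 9
    enctype, klen = struct.unpack_from(">HH", body, pos)
    pos += 4
    key = body[pos:pos + klen]
    pos += klen
    kvno = vno8
    if len(body) - pos >= 4:  # optional 32-bit kvno, overrides the 8-bit one when non-zero
        (vno32,) = struct.unpack_from(">I", body, pos)
        if vno32:
            kvno = vno32
    return {"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
            "enctype": enctype, "enctype_name": ENCTYPE_NAMES.get(enctype, f"etype-{enctype}"),
            "timestamp": timestamp, "key": key}


def parse_keytab(data):
    """Return a list of entry dicts; free slots (negative size, left by ktremove) are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only version-2 (0x0502) keytabs are supported")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:
            pos += -size
            continue
        entries.append(_parse_entry(data[pos:pos + size]))
        pos += size
    return entries


def check_keytab(data, expected_principal):
    """Empty list when expected_principal is present and all of its keys use strong enctypes."""
    entries = parse_keytab(data)
    problems = []
    matching = [e for e in entries if e["principal"] == expected_principal]
    if not matching:
        have = sorted({e["principal"] for e in entries})
        problems.append(f"{expected_principal} not found (have: {have})")
    for e in matching:
        if e["enctype"] in WEAK_ENCTYPES:
            problems.append(f"{e['principal']} kvno {e['kvno']} uses deprecated {e['enctype_name']}")
    return problems


def build_keytab(entries):
    """Writer for the same layout; only used here to construct sample data for the check."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        for s in [realm] + comps:
            b = s.encode()
            body += struct.pack(">H", len(b)) + b
        body += struct.pack(">iIB", 1, 0, kvno & 0xFF)  # NT-PRINCIPAL, timestamp 0, vno8
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                  # 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


# Constructed sample (assumption, not a real keytab): what ktadd -e rc4-hmac:normal leaves
# behind for cifs/fileserver.example.com, plus an AES entry; the key bytes are placeholders.
SAMPLE = build_keytab([
    ("cifs/fileserver.example.com@EXAMPLE.COM", 2, 23, bytes(range(16))),
    ("cifs/fileserver.example.com@EXAMPLE.COM", 2, 18, bytes(range(32))),
])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for e in parse_keytab(data):
        print(f"{e['kvno']:>4}  {e['principal']}  ({e['enctype_name']})")
    for p in check_keytab(data, "cifs/fileserver.example.com@EXAMPLE.COM"):
        print("WARNING:", p)
```

Reading /etc/krb5.keytab needs root, which is the point: the file holds the service's long-term key, and anything that can read it can impersonate the file server.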
Replace fileserver.example.com with the FQDN of the Samba server; this is important, because clients request a service ticket for cifs/<the name they connect to>, and the KDC only issues one if that principal exists. The -e rc4-hmac:normal option requests RC4 keys only; RC4 is deprecated (RFC 8429), so if both your Samba version and your KDC support AES, drop the -e option or request aes256-cts-hmac-sha1-96 instead. Next, get the resulting keytab onto the Samba server, for example with scp, and install it as /etc/krb5.keytab (the path smb.conf refers to below), owned by root with mode 0600: it contains the service's long-term key, and anyone who can read it can impersonate the file server. Now we’ll adjust some files. Edit /etc/ldap/ldap.conf as follows:
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE dc=example,dc=com
URI ldap://ldap.example.com
TLS_REQCERT allow
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
A word on TLS_REQCERT allow: it tells the client to carry on even if the server presents no certificate or one that fails validation, so it gives you encryption without server authentication. If you enable TLS for these lookups (an ldaps:// URI or StartTLS), set it to demand and point TLS_CACERT at your CA certificate instead; as written, with a plain ldap:// URI, the user and group lookups cross the network unencrypted. Finally, adjust /etc/samba/smb.conf and make the following adjustments:
[global]
workgroup = LINKUP.LOCAL
server string = %h server (Samba, Ubuntu)
dns proxy = no
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
security = ADS
realm = LINKUP.LOCAL
password server = your.kdc.server
kerberos method = dedicated keytab
dedicated keytab file = /etc/krb5.keytab
encrypt passwords = yes
obey pam restrictions = no
unix password sync = no
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user
usershare allow guests = no
[public]
comment = "Public share for everyone"
path = /data/public
browsable = yes
guest ok = yes
read only = no
create mask = 0755
[private]
comment = "Private share"
path = /data/private
browsable = yes
guest ok = no
read only = no
create mask = 0755
# This is a group from OpenLDAP
valid users = @testgroup
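Before restarting Samba, it is worth running a quick offline lint over the two configuration files. The script below is an added example written for this post, not a Samba or OpenLDAP tool: it flags a plain ldap:// URI and a lax TLS_REQCERT in ldap.conf, and in smb.conf an invalid map to guest value, shares that are both guest ok and writable (as [public] is here) and shares that have no valid users restriction. The embedded copies of the two files are trimmed samples constructed from the settings above.

```python
"""Offline lint of /etc/ldap/ldap.conf and /etc/samba/smb.conf for the settings that
matter here. Added example for this post, not the project's own tooling.
Run as: python3 conf_lint.py /etc/ldap/ldap.conf /etc/samba/smb.conf
"""
import configparser

WEAK_REQCERT = {"never", "allow", "try"}  # anything but demand/hard accepts a bad or missing cert
MAP_TO_GUEST_VALUES = {"never", "bad user", "bad password", "bad uid"}


def lint_ldap_conf(text):
    """Findings for ldap.conf: cleartext URI and lax certificate checking."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)  # format is KEY <whitespace> value
        settings[parts[0].upper()] = parts[1].strip() if len(parts) == 2 else ""
    findings = []
    for uri in settings.get("URI", "").split():
        if uri.lower().startswith("ldap://"):
            findings.append(f"URI {uri}: plain ldap://, lookups cross the network in the clear "
                            "unless the client issues StartTLS (use ldaps:// or StartTLS)")
    reqcert = settings.get("TLS_REQCERT", "demand").lower()  # OpenLDAP's default is demand
    if reqcert in WEAK_REQCERT:
        findings.append(f"TLS_REQCERT {reqcert}: a missing or invalid server certificate is "
                        "accepted, so TLS does not authenticate the server (use demand + TLS_CACERT)")
    return findings


def _flag(sec, names, default):
    """smb.conf boolean (yes/no/true/false/1/0); the first synonym present wins."""
    for n in names:
        if n in sec:
            return sec.getboolean(n)
    return default


def lint_smb_conf(text):
    """Findings for smb.conf: bad map to guest value, guest-writable shares, unrestricted shares."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(text)
    findings = []
    glob = cp["global"] if cp.has_section("global") else {}
    mtg = glob.get("map to guest", "never").lower()
    if mtg not in MAP_TO_GUEST_VALUES:
        findings.append(f"[global] map to guest = {mtg!r} is not a valid value")
    for name in cp.sections():
        if name.lower() == "global":
            continue
        sec = cp[name]
        guest = _flag(sec, ["guest ok", "public"], False)
        if "read only" in sec:
            writable = not sec.getboolean("read only")
        else:
            writable = _flag(sec, ["writable", "writeable"], False)  # Samba default: read only
        if guest and writable:
            findings.append(f"[{name}] guest ok + writable: anyone who can reach port 445 can "
                            f"write to {sec.get('path', '?')} as the guest account")
        if not guest and "valid users" not in sec:
            findings.append(f"[{name}] no 'valid users': every account in LDAP can open this share")
    return findings


# Constructed samples (assumptions) trimmed down from the two files in this post.
LDAP_CONF = """\
BASE dc=example,dc=com
URI ldap://ldap.example.com
TLS_REQCERT allow
"""

SMB_CONF = """\
[global]
workgroup = LINKUP.LOCAL
security = ADS
realm = LINKUP.LOCAL
kerberos method = dedicated keytab
dedicated keytab file = /etc/krb5.keytab
map to guest = bad user

[public]
path = /data/public
guest ok = yes
read only = no

[private]
path = /data/private
guest ok = no
read only = no
valid users = @testgroup
"""

if __name__ == "__main__":
    import sys
    ldap_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else LDAP_CONF
    smb_text = open(sys.argv[2]).read() if len(sys.argv) > 2 else SMB_CONF
    for f in lint_ldap_conf(ldap_text) + lint_smb_conf(smb_text):
        print("FINDING:", f)
```

Samba's own testparm is still the first thing to run, since it rejects syntax errors and warns about unknown parameter names; this script only looks at the handful of settings whose security effect is easy to miss.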
In the smb.conf above there are two shared folders; make sure that whatever you want to share actually exists (in my example /data/public and /data/private). Keep in mind that [public] is both reachable without credentials (guest ok = yes) and writable (read only = no), so only put there what the whole network may read and modify. Run testparm to confirm Samba accepts the file; it warns about any unknown parameter names. Believe it or not, that was all that was necessary! Do the following quick tests to check everything is working properly:
getent passwd should return your users, including the users from OpenLDAP. Next, get a client computer and log in. Make sure your user has a valid ticket (check with klist) and try the following; the -k option makes smbclient authenticate with that Kerberos ticket instead of a password:
smbclient -k \\\\fileserver.linkup.local\\public
If this results in an smb: \> prompt, your work is done! If not, leave a comment and I’ll try to help you out.