Mandriva Directory Server On Debian Etch


This document describes how to set up the Mandriva Directory Server (MDS) on Debian Etch. The resulting system provides a full-featured office server for small and medium companies – easy to administer via the web-based Mandriva Management Console (MMC).

 

Main Features

  • Easy administration via MMC
  • System wide OpenLDAP integration
  • SAMBA Primary Domain Controller (PDC)
  • Postfix Mailserver with Dovecot, Amavis, Spamassassin and ClamAV (POP3/IMAP/SSL/TLS/Quota)
  • BIND DNS-server
  • ISC DHCP-server
  • Squid web-proxy with SquidGuard

This howto is a practical guide without any warranty – it doesn’t cover the theoretical background. There are many ways to set up such a system – this is the way I chose.

 

Preamble

This howto is quite complex. Please take your time, read it carefully and follow the steps exactly. Even a small deviation may cause your setup not to work correctly.

1 Preparation

1.1 Basic System

Set up a standard Debian Etch system and update it. I used the following configuration for this howto and for the attached virtual machine that is available for our subscribers:

Hostname: server1.example.com
SAMBA domain: EXAMPLE
IP: 192.168.0.100
Gateway: 192.168.0.2
All Passwords: Kreationnext

 

1.2 Hostname

Edit the hosts file – assign the hostname to the server IP.

vi /etc/hosts

It should look like this:

127.0.0.1       localhost.localdomain   localhost
192.168.0.100   server1.example.com     server1

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

 

Afterwards insert the hostname into the hostname file …

echo server1.example.com > /etc/hostname

… and reboot the system.

reboot

When the system is up again, the output of both commands …

hostname

… and …

hostname -f

… should be:

server1.example.com

 

1.3 Filesystem ACLs

So that SAMBA can map filesystem ACLs between the Linux server and the Windows clients, you need to add ACL support to the corresponding mount point.

vi /etc/fstab

Add the option “acl” to the mount point where the SAMBA directories will be stored and the SAMBA users will have their homes. In my case it’s “/” – the content should look like this:

# /etc/fstab: static file system information.
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
proc            /proc           proc    defaults        0       0
/dev/sda1       /               ext3    defaults,acl,errors=remount-ro 0       1
/dev/sda5       none            swap    sw              0       0
/dev/hdc        /media/cdrom0   udf,iso9660 user,noauto     0       0
/dev/fd0        /media/floppy0  auto    rw,user,noauto  0       0

 

Afterwards remount the mount point for the changes to take effect.

mount -o remount /

If all went well, the command …

mount -l

… should show the option “acl” for the corresponding mountpoint:

/dev/sda1 on / type ext3 (rw,acl,errors=remount-ro)

 

2 Repositories

2.1 MDS

The MDS repository provides the MDS related packages and also patched packages for bind9 & dhcp3.

vi /etc/apt/sources.list

Add the following lines to the file.

# MDS repository
deb http://mds.mandriva.org/pub/mds/debian etch main

 

2.2 Debian Volatile

The Debian Volatile repository provides newer packages for ClamAV & Spamassassin than the standard Debian repository.

vi /etc/apt/sources.list

Add the following lines to the file.

# Debian Volatile
deb http://volatile.debian.org/debian-volatile etch/volatile main contrib non-free

 

2.3 Debian Backports

The Debian Backports repository provides newer packages for dovecot.

vi /etc/apt/sources.list

Add the following lines to the file.

# Debian Etch Backports
deb http://www.backports.org/debian etch-backports main

Afterwards refresh apt.

apt-get update

 

3 Needed packages

3.1 Install

Install the needed packages for this setup.

apt-get install mmc-web-base mmc-web-mail mmc-web-network mmc-web-proxy mmc-web-samba mmc-agent python-mmc-plugins-tools python-mmc-base python-mmc-mail python-mmc-network python-mmc-proxy python-mmc-samba postfix postfix-ldap sasl2-bin libsasl2 libsasl2-modules amavisd-new libdbd-ldap-perl libnet-ph-perl libnet-snpp-perl libnet-telnet-perl lzop nomarch zoo clamav clamav-daemon gzip bzip2 unzip unrar-free unzoo arj spamassassin libnet-dns-perl razor pyzor dcc-client slapd ldap-utils libnss-ldap libpam-ldap dhcp3-server dhcp3-server-ldap bind9 samba smbclient smbldap-tools cupsys cupsys-client foomatic-db-engine foomatic-db foomatic-db-hpijs foomatic-db-gutenprint foomatic-filters foomatic-filters-ppds fontconfig hpijs-ppds linuxprinting.org-ppds

The dovecot packages currently in the standard Debian repository have a bug in conjunction with LDAP, so you have to use the dovecot packages from Debian Backports.

apt-get install -t etch-backports dovecot-common dovecot-imapd dovecot-pop3d

If you want to use HP printers it’s recommended to install a few more packages.

apt-get install hplip libusb-dev python-dev python-reportlab libcupsys2-dev libjpeg62-dev libsnmp9-dev lsb-core

 

3.2 Configuration

During the installation of the new packages you’ll be asked a few questions – answer them as follows.

 

3.2.1 LDAP

Enter the password for the LDAP admin and confirm it. (Kreationnext)

 

3.2.2 Samba

Enter a name for your domain. (EXAMPLE)
Select “No” when you’re asked if the smb.conf should be modified to use WINS settings from DHCP.

 

3.2.3 Postfix

Select “Internet Site” as general type of configuration.
Enter “server1.example.com” as mail name.

 

3.2.4 Libnss-LDAP

Enter “ldap://127.0.0.1/” as LDAP server URI.
Enter “dc=example,dc=com” as name for the search base.
Select the LDAP version. (3)
Enter “cn=admin,dc=example,dc=com” as LDAP account for root.
Enter the password for the LDAP admin. (Kreationnext)

 

3.2.5 Libpam-LDAP

Select “Yes” when you’re asked if the local root should be the database admin.
Select “No” when you’re asked if the LDAP database requires login.
Enter “cn=admin,dc=example,dc=com” as LDAP account for root.
Enter the password for the LDAP admin. (Kreationnext)

 

4 LDAP Configuration

4.1 Schema Files

First copy the schema files for MMC, mail, SAMBA, printer, DNS and DHCP into the LDAP schema directory.

cp /usr/share/doc/python-mmc-base/contrib/ldap/mmc.schema /etc/ldap/schema/
cp /usr/share/doc/python-mmc-base/contrib/ldap/mail.schema /etc/ldap/schema/
zcat /usr/share/doc/python-mmc-base/contrib/ldap/samba.schema.gz > /etc/ldap/schema/samba.schema
zcat /usr/share/doc/python-mmc-base/contrib/ldap/printer.schema.gz > /etc/ldap/schema/printer.schema
zcat /usr/share/doc/python-mmc-base/contrib/ldap/dnszone.schema.gz > /etc/ldap/schema/dnszone.schema
zcat /usr/share/doc/python-mmc-base/contrib/ldap/dhcp.schema.gz > /etc/ldap/schema/dhcp.schema

Next include the schema files in the LDAP configuration.

vi /etc/ldap/slapd.conf

Include the schema files after the inetorgperson schema.

include /etc/ldap/schema/mmc.schema
include /etc/ldap/schema/samba.schema
include /etc/ldap/schema/printer.schema
include /etc/ldap/schema/mail.schema
include /etc/ldap/schema/dnszone.schema
include /etc/ldap/schema/dhcp.schema

Enable the schemacheck (below the included schema files).

schemacheck on

 

4.2 Basic Configuration

In this step you’ll need the LDAP admin password (that you defined during the package installation in step 3) in hashed form ({SSHA}), so let’s generate the hash.

slappasswd -s %ldap_admin_password%

E.g.:

slappasswd -s Kreationnext

The output should look like this:

{SSHA}kPd9OeiwGx4lyZUiQ2NFmzXV0JWyLV9A

Note it down and proceed – open the LDAP server configuration file.

vi /etc/ldap/slapd.conf

Search the commented line with the entry for the LDAP admin (rootdn) …

# rootdn "cn=admin,dc=example,dc=com"

… and uncomment it (remove the leading “#”). After that add a new line straight below it, containing the hashed LDAP admin password that you generated at the beginning of this step.

rootpw %encrypted_ldap_admin_password%

E.g.:

rootpw {SSHA}kPd9OeiwGx4lyZUiQ2NFmzXV0JWyLV9A

Next we have to modify the indexing options for the database. Search the following entry:

# Indexing options for database #1

Remove the line below …

index objectClass eq

… and insert the following lines:

index objectClass,uidNumber,gidNumber eq
index cn,sn,uid,displayName pres,sub,eq
index memberUid,mail,givenname eq,subinitial
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
index zoneName,relativeDomainName eq
index dhcpHWAddress,dhcpClassData eq

Now add SAMBA to the access-list for the database. Search the following line:

access to attrs=userPassword,shadowLastChange

Change it so that it looks like this:

access to attrs=userPassword,sambaLMPassword,sambaNTPassword

At this point the LDAP server configuration file should look like this:

# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.
#######################################################################
# Global Directives:
# Features to permit
#allow bind_v2
# Schema and objectClass definitions
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/mmc.schema
include         /etc/ldap/schema/samba.schema
include         /etc/ldap/schema/printer.schema
include         /etc/ldap/schema/mail.schema
include         /etc/ldap/schema/dnszone.schema
include         /etc/ldap/schema/dhcp.schema

schemacheck     on

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile         /var/run/slapd/slapd.pid

# List of arguments that were passed to the server
argsfile        /var/run/slapd/slapd.args

# Read slapd.conf(5) for possible values
loglevel        0

# Where the dynamically loaded modules are stored
modulepath      /usr/lib/ldap
moduleload      back_bdb

# The maximum number of entries that is returned for a search operation
sizelimit 500

# The tool-threads parameter sets the actual amount of cpu's that is used
# for indexing.
tool-threads 1

#######################################################################
# Specific Backend Directives for bdb:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend         bdb
checkpoint 512 30

#######################################################################
# Specific Backend Directives for 'other':
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
#backend                <other>

#######################################################################
# Specific Directives for database #1, of type bdb:
# Database specific directives apply to this databasse until another
# 'database' directive occurs
database        bdb

# The base of your directory in database #1
suffix          "dc=example,dc=com"

# rootdn directive for specifying a superuser on the database. This is needed
# for syncrepl.
rootdn          "cn=admin,dc=example,dc=com"
rootpw          {SSHA}kPd9OeiwGx4lyZUiQ2NFmzXV0JWyLV9A

# Where the database file are physically stored for database #1
directory       "/var/lib/ldap"

# For the Debian package we use 2MB as default but be sure to update this
# value if you have plenty of RAM
dbconfig set_cachesize 0 2097152 0

# Sven Hartge reported that he had to set this value incredibly high
# to get slapd running at all. See http://bugs.debian.org/303057
# for more information.
# Number of objects that can be locked at the same time.
dbconfig set_lk_max_objects 1500

# Number of locks (both requested and granted)
dbconfig set_lk_max_locks 1500

# Number of lockers
dbconfig set_lk_max_lockers 1500

# Indexing options for database #1
index      objectClass,uidNumber,gidNumber                  eq
index      cn,sn,uid,displayName                            pres,sub,eq
index      memberUid,mail,givenname                         eq,subinitial
index      sambaSID,sambaPrimaryGroupSID,sambaDomainName    eq
index      zoneName,relativeDomainName                      eq
index      dhcpHWAddress,dhcpClassData                      eq

# Save the time that the entry gets modified, for database #1
lastmod         on

# Where to store the replica logs for database #1
# replogfile    /var/lib/ldap/replog
# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
        by dn="cn=admin,dc=example,dc=com" write
        by anonymous auth
        by self write
        by * none

# Ensure read access to the base for things like
# supportedSASLMechanisms.  Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possible other things) to work 
# happily.
access to dn.base="" by * read

# The admin dn has full write access, everyone else
# can read everything.
access to *
        by dn="cn=admin,dc=example,dc=com" write
        by * read

# For Netscape Roaming support, each user gets a roaming
# profile for which they have write access to
#access to dn=".*,ou=Roaming,o=morsnet"
#        by dn="cn=admin,dc=example,dc=com" write
#        by dnattr=owner write

#######################################################################
# Specific Directives for database #2, of type 'other' (can be bdb too):
# Database specific directives apply to this databasse until another
# 'database' directive occurs
#database        <other>

# The base of your directory for database #2
#suffix         "dc=debian,dc=org"
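The access-list change in this step is the security-relevant part of the file: sambaLMPassword and sambaNTPassword are password-equivalent hashes, and slapd applies the first `access to` clause that matches, so the clause must list all three attributes, give `*` no more than `auth`, and come before the catch-all `access to *`. The following Python script is an added example (not part of this howto, MDS or OpenLDAP) that parses these clauses from slapd.conf text and reports deviations; the two configuration excerpts embedded in it are constructed and the function names are the example's own.

```python
import re
from typing import List, Tuple

SECRET_ATTRS = {"userPassword", "sambaLMPassword", "sambaNTPassword"}

# Constructed excerpt: the access clauses of the slapd.conf from this howto.
HARDENED = """\
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
        by dn="cn=admin,dc=example,dc=com" write
        by anonymous auth
        by self write
        by * none

access to dn.base="" by * read

access to *
        by dn="cn=admin,dc=example,dc=com" write
        by * read
"""

# Constructed excerpt: the Debian default clause before the change in this step.
DEFAULT = HARDENED.replace("attrs=userPassword,sambaLMPassword,sambaNTPassword",
                           "attrs=userPassword,shadowLastChange")

Clause = Tuple[str, List[Tuple[str, str]]]


def parse_access(text: str) -> List[Clause]:
    """Return [(what, [(who, level), ...]), ...] in file order.

    slapd joins indented continuation lines to the line above, so the parser
    does the same before splitting a clause at each ' by '.
    """
    logical: List[str] = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and logical:
            logical[-1] += " " + line.strip()
        else:
            logical.append(line.strip())
    clauses: List[Clause] = []
    for entry in logical:
        m = re.match(r"access\s+to\s+(.*)$", entry)
        if not m:
            continue
        what, *bys = re.split(r"\s+by\s+", m.group(1))
        rules = []
        for rule in bys:
            who, _, level = rule.strip().rpartition(" ")
            rules.append((who, level))
        clauses.append((what.strip(), rules))
    return clauses


def audit_password_acl(clauses: List[Clause]) -> List[str]:
    """Findings about the clause protecting password attributes; [] means OK."""
    findings: List[str] = []
    catch_all = [i for i, (what, _) in enumerate(clauses) if what == "*"]
    for idx, (what, rules) in enumerate(clauses):
        m = re.match(r"attrs=([\w,]+)$", what)
        if not m or "userPassword" not in m.group(1).split(","):
            continue
        attrs = set(m.group(1).split(","))
        missing = sorted(SECRET_ATTRS - attrs)
        if missing:
            findings.append(f"password ACL does not cover {missing}")
        others = dict(rules).get("*")
        if others not in ("none", "auth"):
            findings.append(f"'by *' on password attributes grants {others!r}, expected none or auth")
        if catch_all and catch_all[0] < idx:
            findings.append("password ACL comes after 'access to *' and is never reached")
        return findings
    return ["no 'access to attrs=...' clause restricts userPassword"]


if __name__ == "__main__":
    print("hardened:", audit_password_acl(parse_access(HARDENED)) or "OK")
    print("default: ", audit_password_acl(parse_access(DEFAULT)))
```

Feed it the real /etc/ldap/slapd.conf instead of the constructed excerpt to audit a live server; because the attributes not covered by the first clause fall through to `access to *` with `by * read`, the default clause would leave the SAMBA hashes readable by every bound user.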

 

Additionally you have to edit the LDAP configuration file.

vi /etc/ldap/ldap.conf

Add the following lines:

host 127.0.0.1
base dc=example,dc=com

Afterwards restart the LDAP server.

/etc/init.d/slapd restart

5 SAMBA

5.1 Basic Configuration

First stop SAMBA.

/etc/init.d/samba stop

Copy the example SAMBA configuration file into the SAMBA directory …

cp /usr/share/doc/python-mmc-base/contrib/samba/smb.conf /etc/samba/

… and adjust it to your needs.

vi /etc/samba/smb.conf

Set the following values in the section [global]:

workgroup = EXAMPLE
netbiosname = PDC-SRV-EXAMPLE
ldap admin dn = cn=admin,dc=example,dc=com
ldap suffix = dc=example,dc=com
logon path = \\%N\profiles\%U

Add the following lines to the section [global]:

preferred master = yes
os level = 65
wins support = yes
timeserver = yes
socket options = SO_KEEPALIVE IPTOS_LOWDELAY SO_SNDBUF=8192 SO_RCVBUF=8192
logon drive = H:
passwd program = /usr/sbin/smbldap-passwd -u %u
passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n
add user script = /usr/sbin/smbldap-useradd -m "%u"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete user script = /usr/sbin/smbldap-userdel "%u"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
obey pam restrictions = no
ldap idmap suffix = ou=Users
ldap delete dn = yes
security = user

Add the following line to the section [homes]:

hide files = /Maildir/

Remove the following line from the sections [printers] and [print$]:

printer admin = root,@lpadmin

Set the following values in the section [print$]:

write list = Administrator,root,@lpadmin

Add the following line to the section [profiles]:

hide files = /desktop.ini/ntuser.ini/NTUSER.*/

Set the following values in the section [archives]:

path = /home/samba/archives

At this point the SAMBA configuration file should look like this:

     [global]
        workgroup = EXAMPLE
        netbiosname = PDC-SRV-EXAMPLE
        preferred master = yes
        os level = 65
        wins support = yes
        enable privileges = yes
        timeserver = yes
        socket options = SO_KEEPALIVE IPTOS_LOWDELAY SO_SNDBUF=8192 SO_RCVBUF=8192
        log level = 3
        null passwords = yes
        security = user
        # unix charset = ISO8859-1
        name resolve order = bcast host
        domain logons = yes
        domain master = yes
        printing = cups
        printcap name = cups
        logon path = \\%N\profiles\%U
        logon script = logon.bat
        logon drive = H:
        map acl inherit = yes
        nt acl support = yes
        passdb backend = ldapsam:ldap://127.0.0.1/
        obey pam restrictions = no
        ldap admin dn = cn=admin,dc=example,dc=com
        ldap suffix = dc=example,dc=com
        ldap group suffix = ou=Groups
        ldap user suffix = ou=Users
        ldap machine suffix = ou=Computers
        ldap idmap suffix = ou=Users
        ldap passwd sync = yes
        ldap delete dn = yes
        passwd program = /usr/sbin/smbldap-passwd -u %u
        passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n
        add user script = /usr/sbin/smbldap-useradd -m "%u"
        add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
        set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
        add group script = /usr/sbin/smbldap-groupadd -p "%g"
        add machine script = /usr/lib/mmc/add_machine_script '%u'
        delete user script = /usr/sbin/smbldap-userdel "%u"
        delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
        delete group script = /usr/sbin/smbldap-groupdel "%g"
     [homes]
        comment = Home directories
        browseable = no
        writeable = yes
        create mask = 0700
        directory mask = 0700
        hide files = /Maildir/
     [public]
        comment = Public share
        path = /home/samba/shares/public
        browseable = yes
        public = yes
        writeable = yes
     [archives]
        comment = Backup share
        path = /home/samba/archives
        browseable = yes
        public = no
        writeable = no
     [printers]
        comment = Printers
        path = /tmp
        browseable = no
        public = yes
        guest ok = yes
        writeable = no
        printable = yes
     [print$]
        comment = Drivers
        path = /var/lib/samba/printers
        browseable = yes
        guest ok = yes
        read only = yes
        write list = Administrator,root,@lpadmin
     [netlogon]
        path = /home/samba/netlogon
        public = no
        writeable = no
        browseable = no
     [profiles]
        path = /home/samba/profiles
        writeable = yes
        create mask = 0700
        directory mask = 0700
        browseable = no
        hide files = /desktop.ini/ntuser.ini/NTUSER.*/
     [partage]
        comment = aucun
        path = /home/samba/partage
        browseable = yes
        public = no
        writeable = yes

 

If all went ok, the command …

testparm

… should give no errors.

Now give SAMBA the credentials it needs to write to the LDAP directory.

smbpasswd -w %ldap_admin_password%

E.g.:

smbpasswd -w Kreationnext

The output should look like this:

Setting stored password for “cn=admin,dc=example,dc=com” in secrets.tdb

Next you need to create a SID for your workgroup.

net getlocalsid %your_workgroup%

E.g.:

net getlocalsid EXAMPLE

The output should look like this – note it down, you’ll need it in a few moments:

SID for domain EXAMPLE is: S-1-5-21-3159899821-123882392-54881133

Check if the SID has really been recorded into LDAP.

slapcat | grep sambaDomainName

The output should look like this:

dn: sambaDomainName=EXAMPLE,dc=example,dc=com
sambaDomainName: EXAMPLE

Now start SAMBA

/etc/init.d/samba start

 

5.2 LDAP Directory

First you need to create the smbldap-tools configuration file – it defines how to communicate with the LDAP server.

vi /etc/smbldap-tools/smbldap_bind.conf

The content should look like this:

slaveDN="cn=admin,dc=example,dc=com"
slavePw="Kreationnext"
masterDN="cn=admin,dc=example,dc=com"
masterPw="Kreationnext"

 

Now create the main configuration file.

vi /etc/smbldap-tools/smbldap.conf

The content should look like this (Replace the SID with your own!):

SID="S-1-5-21-3159899821-123882392-54881133"
sambaDomain="EXAMPLE"
ldapTLS="0"
suffix="dc=example,dc=com"
usersdn="ou=Users,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=Idmap,${suffix}"
sambaUnixIdPooldn="sambaDomainName=EXAMPLE,${suffix}"
scope="sub"
hash_encrypt="SSHA"
userLoginShell="/bin/bash"
userHome="/home/%U"
userHomeDirectoryMode="700"
userGecos="System User"
defaultUserGid="513"
defaultComputerGid="515"
skeletonDir="/etc/skel"
defaultMaxPasswordAge="45"
userSmbHome="\\PDC-SRV-EXAMPLE\%U"
userProfile="\\PDC-SRV-EXAMPLE\profiles\%U"
userHomeDrive="H:"
userScript="logon.bat"
mailDomain="example.com"
smbpasswd="/usr/bin/smbpasswd"

 

Time to populate the LDAP directory. This will also create the domain administrator account (Administrator).

smbldap-populate -m 512 -a Administrator

Note: You’ll be asked to enter a password for the domain administrator account.

Afterwards you have to modify the UID number of this account – otherwise you won’t be able to use the mailserver with this account. Additionally we add this account to the group “Domain Users”:

smbldap-usermod -u 3000 -G "Domain Users" Administrator

 

5.3 NSS LDAP Configuration

In this step we configure the system to use the LDAP directory to get user and group lists.

Edit the nsswitch configuration.

vi /etc/nsswitch.conf

The content should look like this:

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap
hosts:          files dns
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis

 

5.4 SAMBA Directories

Create the needed directories for the SAMBA server, …

mkdir -p /home/samba/shares/public/
mkdir /home/samba/netlogon/
mkdir /home/samba/profiles/
mkdir /home/samba/partage/
mkdir /home/samba/archives/

… change the ownership and adjust the rights.

chown -R :"Domain Users" /home/samba/
chmod 777 /var/spool/samba/ /home/samba/shares/public/
chmod 755 /home/samba/netlogon/
chmod 770 /home/samba/profiles/ /home/samba/partage/
chmod 700 /home/samba/archives/

 

6 PAM LDAP Configuration

In this step you’ll add LDAP-support to PAM.

vi /etc/pam.d/common-account

The content should look like this:

#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system.  The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
account required        pam_unix.so
account sufficient      pam_ldap.so

 

vi /etc/pam.d/common-auth

The content should look like this:

#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
auth    sufficient      pam_unix.so nullok_secure
auth    sufficient      pam_ldap.so use_first_pass
auth    required        pam_deny.so

 

vi /etc/pam.d/common-password

The content should look like this:

#
# /etc/pam.d/common-password - password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define  the services to be
#used to change user passwords.  The default is pam_unix
# The "nullok" option allows users to change an empty password, else
# empty passwords are treated as locked accounts.
#
# (Add `md5' after the module name to enable MD5 passwords)
#
# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
# login.defs. Also the "min" and "max" options enforce the length of the
# new password.
password        sufficient      pam_unix.so nullok obscure min=4 max=8 md5
password        sufficient      pam_ldap.so use_first_pass use_authtok
password        required        pam_deny.so
# Alternate strength checking for password. Note that this
# requires the libpam-cracklib package to be installed.
# You will need to comment out the password line above and
# uncomment the next two in order to use this.
# (Replaces the `OBSCURE_CHECKS_ENAB', `CRACKLIB_DICTPATH')
#
# password required       pam_cracklib.so retry=3 minlen=6 difok=3
# password required       pam_unix.so use_authtok nullok md5

 

vi /etc/pam.d/common-session

The content should look like this:

#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).  The default is pam_unix.
#
session required        pam_unix.so
session optional        pam_ldap.so

 

Afterwards reboot the system.

reboot

When the system is up again, give the group “Domain Admins” the right to add machines to the domain.

net -U Administrator rpc rights grant 'DOMAIN\Domain Admins' SeMachineAccountPrivilege

 

7 SSL For Mail

First prepare a configuration file with the needed information.

vi /etc/ssl/mail.cnf

Add the following content:

[ req ] 
default_bits            = 2048 
default_keyfile         = privkey.pem 
distinguished_name      = req_distinguished_name 
prompt                  = no 
string_mask             = nombstr 
x509_extensions         = server_cert
[ req_distinguished_name ] 
countryName             = DE 
stateOrProvinceName     = Niedersachsen
localityName            = Lueneburg
organizationName        = Projektfarm GmbH
organizationalUnitName  = IT
commonName              = server1.example.com
emailAddress            = postmaster@example.com
[ server_cert ] 
basicConstraints        = critical, CA:FALSE 
subjectKeyIdentifier    = hash 
keyUsage                = digitalSignature, keyEncipherment 
extendedKeyUsage        = serverAuth, clientAuth 
nsCertType              = server 
nsComment               = "mailserver"

Now create the SSL certificate …

openssl req -x509 -new -config /etc/ssl/mail.cnf -out /etc/ssl/certs/mail.pem -keyout /etc/ssl/private/mail.key -days 365 -nodes -batch

… and restrict the permissions of the key so that only root is allowed to read it.

chmod 600 /etc/ssl/private/mail.key

8 SASL Configuration

Postfix will use SASL to authenticate users against the LDAP server.

mkdir -p /var/spool/postfix/var/run/saslauthd/

Adjust the default settings.

vi /etc/default/saslauthd

It should look like this:

START=yes
MECHANISMS="ldap"
MECH_OPTIONS=""
THREADS=5
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"

 

vi /etc/saslauthd.conf

It should look like this:

ldap_servers: ldap://127.0.0.1
ldap_search_base: ou=Users,dc=example,dc=com
ldap_filter: (&(objectClass=mailAccount)(mail=%u@%r)(mailenable=OK))

vi /etc/postfix/sasl/smtpd.conf

It should look like this:

pwcheck_method: saslauthd
mech_list: plain login

 

Add Postfix to the SASL group …

adduser postfix sasl

… and restart SASL.

/etc/init.d/saslauthd restart

 

9 Postfix Configuration

9.1 Example Configuration

For this setup I chose the configuration without virtual domains – maybe I’ll add the needed steps for a virtual domain setup in the near future. First copy the example configuration file into the postfix directory. It’s the base for the following configuration.

cp /usr/share/doc/python-mmc-base/contrib/postfix/no-virtual-domain/* /etc/postfix/

 

9.2 Main Configuration

First adjust the main configuration file.

vi /etc/postfix/main.cf

Edit the file so that it fits your domain, and additionally add some restrictions and the authentication settings – the content should look like this:

# See /usr/share/postfix/main.cf.dist for a commented, more complete version
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = yes
append_at_myorigin = yes
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
myhostname = server1.example.com
mydomain = example.com
alias_maps = ldap:/etc/postfix/ldap-aliases.cf,  hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = server1.example.com,example.com,localhost.localdomain,localhost
mail_destination_recipient_limit = 1
mailbox_command = /usr/lib/dovecot/deliver -d "$USER"@"$DOMAIN"
relayhost = 
mynetworks = 127.0.0.0/8
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
# Use Maildir
home_mailbox = Maildir/
# Wait until the RCPT TO command before evaluating restrictions 
smtpd_delay_reject = yes
# Basics Restrictions 
smtpd_helo_required = yes 
strict_rfc821_envelopes = yes
# Requirements for the connecting server 
smtpd_client_restrictions = 
   permit_mynetworks, 
   permit_sasl_authenticated, 
   reject_rbl_client bl.spamcop.net, 
   reject_rbl_client dnsbl.njabl.org, 
   reject_rbl_client cbl.abuseat.org, 
   reject_rbl_client sbl-xbl.spamhaus.org, 
   reject_rbl_client list.dsbl.org, 
   permit
# Requirements for the HELO statement 
smtpd_helo_restrictions = 
   permit_mynetworks, 
   permit_sasl_authenticated, 
   reject_non_fqdn_hostname, 
   reject_invalid_hostname, 
   permit
# Requirements for the sender address 
smtpd_sender_restrictions = 
   permit_mynetworks, 
   permit_sasl_authenticated, 
   reject_non_fqdn_sender, 
   reject_unknown_sender_domain, 
   permit
# Requirement for the recipient address 
smtpd_recipient_restrictions = 
   permit_mynetworks, 
   permit_sasl_authenticated, 
   reject_non_fqdn_recipient, 
   reject_unknown_recipient_domain, 
   reject_unauth_destination, 
   permit
# Enable SASL authentication for the smtpd daemon 
smtpd_sasl_auth_enable = yes 
smtpd_sasl_type = dovecot 
smtpd_sasl_path = private/auth
# Fix for outlook
broken_sasl_auth_clients = yes
# Reject anonymous connections 
smtpd_sasl_security_options = noanonymous 
smtpd_sasl_local_domain =
# SSL/TLS
smtpd_tls_security_level = may 
smtpd_tls_loglevel = 1 
smtpd_tls_cert_file = /etc/ssl/certs/mail.pem 
smtpd_tls_key_file = /etc/ssl/private/mail.key
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
# Amavis
content_filter = amavis:[127.0.0.1]:10024
receive_override_options = no_address_mappings

 

9.3 LDAP Aliases Configuration

Now you have to edit the aliases configuration.

vi /etc/postfix/ldap-aliases.cf

Edit the file so that it fits your domain – it should look like this:

server_host = 127.0.0.1
search_base = ou=Users,dc=example,dc=com
query_filter = (&(objectClass=mailAccount)(mailalias=%s)(mailenable=OK))
result_attribute = maildrop
version = 3

 

9.4 Master Configuration

The master configuration is the last part of the postfix configuration.

vi /etc/postfix/master.cf

Add the following lines (the service lines have eight fields; every -o override and the flags= line must start with whitespace so Postfix treats them as continuation lines):

# SMTPS
smtps     inet  n       -       -       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes

# Dovecot
dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=dovecot:mail argv=/usr/lib/dovecot/deliver -d $recipient

# Mail to Amavis
amavis    unix  -       -       -       -       10      smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
  -o disable_dns_lookups=yes
  -o max_use=20

# Mail from Amavis
127.0.0.1:10025 inet n  -       -       -       -       smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_data_restrictions=reject_unauth_pipelining
  -o smtpd_end_of_data_restrictions=
  -o mynetworks=127.0.0.0/8
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
  -o smtpd_client_connection_count_limit=0
  -o smtpd_client_connection_rate_limit=0
  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

Restart Postfix:

/etc/init.d/postfix restart

 

10 Dovecot

Dovecot will provide POP3- (SSL/TLS), IMAP- (SSL/TLS) and quota-support to the mailserver.

10.1 Main Configuration

echo "" > /etc/dovecot/dovecot.conf
vi /etc/dovecot/dovecot.conf

The content should look like this. Note the line disable_plaintext_auth = no: it lets clients send their password over an unencrypted IMAP or POP3 session on ports 143/110. If all your clients can use SSL/TLS, set it to yes; the plain and login mechanisms then still work on encrypted sessions and on connections from the server itself, and Postfix's SASL lookups through the auth socket are not affected.

protocols = imap imaps pop3 pop3s 
listen = 0.0.0.0
login_greeting = example.com mailserver ready. 
mail_location = maildir:~/Maildir
disable_plaintext_auth = no
ssl_cert_file = /etc/ssl/certs/mail.pem 
ssl_key_file = /etc/ssl/private/mail.key
log_path = /var/log/dovecot.log
info_log_path = /var/log/dovecot.log
# IMAP configuration
protocol imap {
    mail_plugins = quota imap_quota
}
# POP3 configuration
protocol pop3 {
    pop3_uidl_format = %08Xu%08Xv
    mail_plugins = quota
}
             
# LDA configuration 
protocol lda { 
    postmaster_address = postmaster 
    auth_socket_path = /var/run/dovecot/auth-master
    mail_plugins = quota 
} 
                                         
# LDAP authentication
 
auth default {
    mechanisms = plain login
 
    passdb ldap { 
        args = /etc/dovecot/dovecot-ldap.conf 
    }
     
    userdb ldap { 
        args = /etc/dovecot/dovecot-ldap.conf 
    }
     
    socket listen { 
        master { 
            path = /var/run/dovecot/auth-master 
            mode = 0660 
            user = dovecot 
            group = mail 
        }
        client {
            path = /var/spool/postfix/private/auth
            mode = 0660
            user = postfix
            group = postfix
        }
    }
}
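
As an added example (not code from the howto, Postfix or Dovecot), the Python script below parses constructed excerpts of the main.cf, master.cf and dovecot.conf settings shown above and reports what a reviewer would check: that smtpd_recipient_restrictions cannot relay for strangers, that the 127.0.0.1:10025 re-injection listener clears content_filter so Amavis cannot loop, and that neither daemon accepts passwords on sessions that may remain unencrypted. Against the settings as given it reports two findings: with smtpd_tls_security_level = may and no smtpd_tls_auth_only = yes, Postfix accepts SMTP AUTH on a plaintext session, and Dovecot with disable_plaintext_auth = no does the same on IMAP/POP3. The finding texts and the parsers are the example's own.

```python
"""Audit of the Postfix main.cf / master.cf and Dovecot dovecot.conf settings
used in this howto (added example; not code from the howto or from either
project). The constructed excerpts below copy the relevant lines."""

MAIN_CF = """\
smtpd_recipient_restrictions =
   permit_mynetworks,
   permit_sasl_authenticated,
   reject_non_fqdn_recipient,
   reject_unknown_recipient_domain,
   reject_unauth_destination,
   permit
smtpd_sasl_auth_enable = yes
smtpd_tls_security_level = may
"""

MASTER_CF = """\
127.0.0.1:10025 inet n - - - - smtpd
  -o content_filter=
  -o mynetworks=127.0.0.0/8
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
"""

DOVECOT_CONF = """\
protocols = imap imaps pop3 pop3s
disable_plaintext_auth = no
auth default {
    mechanisms = plain login
}
"""


def parse_main_cf(text):
    # main.cf: "name = value"; a line beginning with whitespace continues
    # the previous value (postconf(5) syntax).
    params, name = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and name:
            params[name] += " " + raw.strip()
            continue
        name, _, value = raw.partition("=")
        name = name.strip()
        params[name] = value.strip()
    return params


def parse_master_cf(text):
    # master.cf: one service per unindented line; indented "-o name=value"
    # lines override main.cf settings for that service only.
    services, cur = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            if cur and raw.strip().startswith("-o "):
                name, _, value = raw.strip()[3:].partition("=")
                services[cur][name.strip()] = value.strip()
        else:
            cur = raw.split()[0]
            services[cur] = {}
    return services


def parse_dovecot_toplevel(text):
    # dovecot.conf: keep top-level "name = value" only; skip { } blocks.
    params, depth = {}, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
        elif depth == 0 and "=" in line:
            name, _, value = line.partition("=")
            params[name.strip()] = value.strip()
    return params


def audit(main_cf, master_cf, dovecot_conf):
    """Return the list of findings; an empty list means every check passed."""
    findings = []
    main = parse_main_cf(main_cf)
    rules = main.get("smtpd_recipient_restrictions", "").replace(",", " ").split()
    # Relay control: reject_unauth_destination must come before any bare permit.
    if "reject_unauth_destination" not in rules:
        findings.append("open relay: no reject_unauth_destination in smtpd_recipient_restrictions")
    elif "permit" in rules[:rules.index("reject_unauth_destination")]:
        findings.append("open relay: 'permit' precedes reject_unauth_destination")
    # SMTP AUTH on a session that may stay in clear text: Postfix takes the
    # password unless smtpd_tls_auth_only = yes or the TLS level is "encrypt".
    if (main.get("smtpd_sasl_auth_enable") == "yes"
            and main.get("smtpd_tls_security_level") != "encrypt"
            and main.get("smtpd_tls_auth_only", "no") != "yes"):
        findings.append("plaintext SMTP AUTH possible: set smtpd_tls_auth_only = yes")
    # The re-injection listener must clear content_filter, or every message
    # coming back from Amavis is handed to Amavis again (mail loop).
    reinject = parse_master_cf(master_cf).get("127.0.0.1:10025", {})
    if reinject.get("content_filter") != "":
        findings.append("mail loop: re-injection listener does not set content_filter=")
    if not reinject.get("mynetworks", "").startswith("127."):
        findings.append("re-injection listener does not limit mynetworks to loopback")
    dove = parse_dovecot_toplevel(dovecot_conf)
    if dove.get("disable_plaintext_auth", "yes") == "no":
        findings.append("plaintext IMAP/POP3 logins possible: set disable_plaintext_auth = yes")
    return findings


if __name__ == "__main__":
    for line in audit(MAIN_CF, MASTER_CF, DOVECOT_CONF) or ["no findings"]:
        print(line)
```

Run it against your real files with `audit(open("/etc/postfix/main.cf").read(), open("/etc/postfix/master.cf").read(), open("/etc/dovecot/dovecot.conf").read())`; the parsers handle the continuation-line and block syntax of the three files but not Postfix's `$variable` expansion, so a restriction list stored in a variable must be checked by hand.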

 

10.2 LDAP Configuration

echo "" > /etc/dovecot/dovecot-ldap.conf
vi /etc/dovecot/dovecot-ldap.conf

The content should look like this:

hosts = 127.0.0.1
auth_bind = yes
ldap_version = 3
base = dc=example,dc=com
scope = subtree
user_attrs = homeDirectory=home,uidNumber=uid,mailbox=mail,mailuserquota=quota=maildir:storage
user_filter = (&(objectClass=mailAccount)(mail=%u)(mailenable=OK))
pass_attrs = mail=user,userPassword=password
pass_filter = (&(objectClass=mailAccount)(mail=%u)(mailenable=OK))
default_pass_scheme = CRYPT
user_global_gid = mail
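
The two LDAP lookups above (the aliases map in 9.3 and the Dovecot pass/user filters in 10.2) insert an address that arrives from an SMTP envelope or a login attempt into a search filter. Postfix's ldap_table(5) documents that %s is substituted with RFC 2254 quoting; the added Python example below (not code from the howto, Postfix or Dovecot) builds the same filters with and without that escaping and evaluates them with a toy matcher against a constructed three-entry directory, so you can see how an unescaped key turns a single-alias lookup into a match on every enabled account. The directory entries, the matcher and the `lookup` helper are the example's own.

```python
"""LDAP lookups in the shape of ldap-aliases.cf and dovecot-ldap.conf (added
example; not code from the howto, Postfix or Dovecot). A tiny filter parser
and matcher show the effect of RFC 4515 escaping on the substituted key."""
import re

ALIASES_FILTER = "(&(objectClass=mailAccount)(mailalias=%s)(mailenable=OK))"
PASS_FILTER = "(&(objectClass=mailAccount)(mail=%u)(mailenable=OK))"

# Constructed entries; attribute names are lower-cased, values are lists.
DIRECTORY = [
    {"objectclass": ["mailAccount"], "mail": ["olli@example.com"],
     "mailalias": ["sales@example.com"], "maildrop": ["olli"], "mailenable": ["OK"]},
    {"objectclass": ["mailAccount"], "mail": ["administrator@example.com"],
     "mailalias": ["postmaster@example.com", "root@example.com"],
     "maildrop": ["administrator"], "mailenable": ["OK"]},
    {"objectclass": ["mailAccount"], "mail": ["old@example.com"],
     "mailalias": ["archive@example.com"], "maildrop": ["old"], "mailenable": ["NONE"]},
]


def ldap_escape(value):
    # RFC 4515: *, (, ), backslash and NUL in an assertion value become \xx.
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def parse_filter(s):
    # Parse the subset these files use: (&(...)...) around (attr=value) terms.
    def node(i):
        if s[i] != "(":
            raise ValueError("expected '(' at offset %d" % i)
        if s[i + 1] == "&":
            children, i = [], i + 2
            while s[i] == "(":
                child, i = node(i)
                children.append(child)
            if s[i] != ")":
                raise ValueError("unterminated AND at offset %d" % i)
            return ("and", children), i + 1
        j = s.index(")", i)
        attr, _, value = s[i + 1:j].partition("=")
        return ("eq", attr.strip().lower(), value), j + 1
    tree, end = node(0)
    if end != len(s):
        raise ValueError("trailing data after filter")
    return tree


def value_regex(value):
    # \xx is a literal character, an unescaped * matches anything, the rest is literal.
    out, i = [], 0
    while i < len(value):
        m = re.match(r"\\([0-9A-Fa-f]{2})", value[i:])
        if m:
            out.append(re.escape(chr(int(m.group(1), 16))))
            i += 3
        else:
            out.append(".*" if value[i] == "*" else re.escape(value[i]))
            i += 1
    return re.compile("".join(out), re.IGNORECASE)


def matches(tree, entry):
    if tree[0] == "and":
        return all(matches(child, entry) for child in tree[1])
    _, attr, value = tree
    pattern = value_regex(value)
    return any(pattern.fullmatch(v) for v in entry.get(attr, []))


def lookup(template, placeholder, key, result_attribute, escape=True):
    # Substitute the key into the template, escaped by default (what a correct
    # client does); escape=False shows the raw substitution a naive client would do.
    tree = parse_filter(template.replace(placeholder, ldap_escape(key) if escape else key))
    return [v for e in DIRECTORY if matches(tree, e) for v in e.get(result_attribute, [])]


if __name__ == "__main__":
    hostile = "*)(mailenable=*"
    print(lookup(ALIASES_FILTER, "%s", "postmaster@example.com", "maildrop"))
    print(lookup(ALIASES_FILTER, "%s", hostile, "maildrop", escape=False))
    print(lookup(ALIASES_FILTER, "%s", hostile, "maildrop"))
```

With escaping the hostile key matches nothing; without it the filter becomes (&(objectClass=mailAccount)(mailalias=*)(mailenable=*)(mailenable=OK)) and returns the maildrop of every enabled account, which for an aliases map means a deliverable address for every recipient the sender guesses.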

 

10.3 Deliver

Next adjust the permissions of Dovecot's deliver binary. Postfix starts it as user dovecot (see the dovecot entry in master.cf), and the setuid bit lets it switch to the uid and gid of the mailbox owner from LDAP before it writes into the maildir.

dpkg-statoverride --update --add root dovecot 4755 /usr/lib/dovecot/deliver

Afterwards restart Dovecot.

/etc/init.d/dovecot restart

11 Amavisd

Postfix will pass incoming mail to Amavis, which in turn passes it to SpamAssassin and ClamAV. After the checks the mail is handed back to Postfix on the 127.0.0.1:10025 listener configured in master.cf. Configure Amavis as follows.

vi /etc/amavis/conf.d/15-content_filter_mode

It should look like this:

use strict;
@bypass_virus_checks_maps = (
   \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
@bypass_spam_checks_maps = (
   \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);
1;

vi /etc/amavis/conf.d/50-user

It should look like this:

use strict;
$pax='pax';
1;

 

Afterwards add the user clamav to the amavis group and restart amavis & ClamAV.

adduser clamav amavis
/etc/init.d/amavis restart
/etc/init.d/clamav-daemon restart
/etc/init.d/clamav-freshclam restart

 

12 Spamassassin

In this step you’ll enable additional plugins to increase spam detection.

vi /etc/spamassassin/local.cf

Add the following content to the file:

# dcc
use_dcc 1
dcc_path /usr/bin/dccproc

#pyzor
use_pyzor 1
pyzor_path /usr/bin/pyzor

#razor
use_razor2 1
razor_config /etc/razor/razor-agent.conf

#bayes
use_bayes 1
use_bayes_rules 1
bayes_auto_learn 1

vi /etc/spamassassin/v310.pre

Uncomment the line for the dcc-plugin. It should look like this:

loadplugin Mail::SpamAssassin::Plugin::DCC
loadplugin Mail::SpamAssassin::Plugin::Pyzor
loadplugin Mail::SpamAssassin::Plugin::Razor2
loadplugin Mail::SpamAssassin::Plugin::SpamCop
loadplugin Mail::SpamAssassin::Plugin::AWL
loadplugin Mail::SpamAssassin::Plugin::AutoLearnThreshold
loadplugin Mail::SpamAssassin::Plugin::WhiteListSubject
loadplugin Mail::SpamAssassin::Plugin::MIMEHeader
loadplugin Mail::SpamAssassin::Plugin::ReplaceTags

 

Now configure spamassassin to run as daemon.

vi /etc/default/spamassassin

Set ENABLED=1. It should look like this:

ENABLED=1
OPTIONS="--create-prefs --max-children 5 --helper-home-dir"
PIDFILE="/var/run/spamd.pid"
#NICE="--nicelevel 15"
CRON=0

 

Afterwards start spamassassin and restart amavis.

/etc/init.d/spamassassin start
/etc/init.d/amavis restart

 

13 BIND Configuration

First copy a customized configuration file into the bind directory.

cp /usr/share/doc/python-mmc-base/contrib/bind/named.conf /etc/bind/

Afterwards change the slapd start order so that slapd is started before bind.

update-rc.d -f slapd remove && update-rc.d slapd start 14 2 3 4 5 . stop 86 0 1 6 .

Edit the resolv configuration.

vi /etc/resolv.conf

It should look like this:

nameserver 127.0.0.1
nameserver 192.168.0.2

 

14 DHCP Configuration

First copy the customized configuration file into the dhcp3 directory.

cp /usr/share/doc/python-mmc-base/contrib/dhcpd/dhcpd.conf /etc/dhcp3/
vi /etc/dhcp3/dhcpd.conf

Edit the file so that it fits your setup. Note that it holds the LDAP admin password in clear text: keep it unreadable for ordinary users (chmod 640 /etc/dhcp3/dhcpd.conf; dhcpd is started by root and reads the file at start-up, so if you run a dedicated dhcpd user, give that user read access instead). cn=admin also gives dhcpd write access to the whole directory although ldap-method dynamic only reads it; a dedicated bind DN with read access to ou=DHCP is the tighter choice. It should look like this:

ldap-server "localhost";
ldap-port 389;
ldap-username "cn=admin, dc=example, dc=com";
ldap-password "Kreationnext";
ldap-base-dn "dc=example, dc=com";
ldap-method dynamic;
ldap-debug-file "/var/log/dhcp-ldap-startup.log";

 

15 SquidGuard/Squid Configuration

Squid with SquidGuard will be used to disable the accessibility of selected websites.

 

15.1 Configuration Files

15.1.1 SquidGuard

Copy the example configuration file into the squid directory, create an empty bad-domains list (otherwise the mmc-proxy-plugin won't load) and edit the configuration file.

cp /usr/share/doc/python-mmc-base/contrib/proxy/squidGuard.conf /etc/squid/
touch /var/lib/squidguard/db/bad.destdomainlist
vi /etc/squid/squidGuard.conf

16 Webinterface Configuration

16.1 SSL Certificate

This SSL certificate will be used for the MMC and the CUPS web-frontend. When openssl asks for the Common Name, enter the name clients will use to reach the server (server1.example.com); a mismatch produces an additional browser warning on top of the self-signed one. -nodes leaves the private key unencrypted on disk so that Apache and CUPS can start unattended, which is why the chmod below matters.

mkdir /etc/apache2/ssl/
openssl req -new -x509 -keyout /etc/apache2/ssl/server.key -out /etc/apache2/ssl/server.crt -days 365 -nodes
chmod 600 /etc/apache2/ssl/server.key
cp /etc/apache2/ssl/* /etc/cups/ssl/

 

16.2 CUPS

To be able to access the CUPS web-frontend from other machines in your network, you have to adjust some settings.

vi /etc/cups/cupsd.conf

Change:

Listen localhost:631

To (replace %server_ip% with the address of the server, 192.168.0.100 in this howto):

Listen %server_ip%:631

Change:

# Restrict access to the server…
<Location />
Order allow,deny
Allow localhost
</Location>

# Restrict access to the admin pages…
<Location /admin>
Encryption Required
Order allow,deny
Allow localhost
</Location>

# Restrict access to configuration files…
<Location /admin/conf>
AuthType Basic
Require user @SYSTEM
Order allow,deny
Allow localhost
</Location>

To:

# Restrict access to the server…
<Location />
Order allow,deny
Allow localhost
Allow 192.168.0.0/24
</Location>

# Restrict access to the admin pages…
<Location /admin>
Encryption Required
Order allow,deny
Allow localhost
Allow 192.168.0.0/24
</Location>

# Restrict access to configuration files…
<Location /admin/conf>
AuthType Basic
Require user @SYSTEM
Order allow,deny
Allow localhost
Allow 192.168.0.0/24
</Location>

Afterwards restart CUPS.

/etc/init.d/cupsys restart

Now you're able to manage your CUPS printers via the CUPS web interface from your workstation. Open https://192.168.0.100:631/ (later, when the nameserver and the dhcp-server are configured, you should connect via https://server1.example.com:631) within your preferred browser and log in as root. Please note that if there is no Linux driver available for your printer and you only want to use it from your Windows workstations through Samba, you can choose the printer manufacturer “RAW” and install the correct driver on your Windows workstations.

Please note that if you are going to set up an HP printer, you should add it to CUPS via hplip (command line). The exact command depends on the connection type of your device; have a look at “hp-setup --help”. E.g. for a network printer with the IP 192.168.0.20 the command is “hp-setup -i 192.168.0.20”. Afterwards you can adjust the printer settings (resolution etc.) within the CUPS web interface.

After you added a new printer to CUPS, you’ll have to add it to Samba via

cupsaddsmb -a

 

16.3 MMC

We’ll create two vhosts – one for http-connections and one for https-connections.

16.3.1 HTTP VHost

vi /etc/apache2/sites-available/http

Add the following configuration.

<VirtualHost 192.168.0.100:80>

   ServerName server1.example.com

   RewriteEngine On
   RewriteCond %{HTTPS} off
   RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

</VirtualHost>

 

16.3.2 HTTPS VHost

vi /etc/apache2/sites-available/https

Add the following configuration. The SSLProtocol and SSLCipherSuite lines are tightened compared with the Apache default string of this era (ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL), which still offers SSLv2, export-grade, low-strength and null-encryption suites; the SSLRequire line inside the Directory block only rejects such requests after the handshake has already completed.

NameVirtualHost 192.168.0.100:443

<VirtualHost 192.168.0.100:443>

   ServerName server1.example.com
   ServerAdmin Administrator@example.com
   DocumentRoot /usr/share/mmc/

   SSLEngine on
   SSLCertificateKeyFile ssl/server.key
   SSLCertificateFile ssl/server.crt
   # no SSLv2; no export, low-strength, anonymous or null-encryption ciphers
   SSLProtocol all -SSLv2
   SSLCipherSuite HIGH:MEDIUM:!aNULL:!eNULL:!EXP:!LOW:!SSLv2

   <Directory /usr/share/mmc/>
      AllowOverride None
      Order allow,deny
      Allow from 192.168.0.0/24
      php_flag short_open_tag on
      SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
   </Directory>

   ErrorLog /var/log/apache2/mmc_error.log
   CustomLog /var/log/apache2/mmc_access.log combined
   LogLevel warn

</VirtualHost>

Add the HTTPS listen port to the apache configuration.

vi /etc/apache2/ports.conf

Add the following line:

Listen 443

 

16.4 Modules & Sites

After that we enable the new sites, …

a2ensite http
a2ensite https

… the rewrite module …

a2enmod rewrite

… and the ssl module.

a2enmod ssl

Now restart apache.

/etc/init.d/apache2 restart

 

17 MMC Plugins

17.1 MMC Base-Plugin Configuration

Edit MMC base-plugin configuration file.

vi /etc/mmc/plugins/base.ini

Edit the baseDN so that it fits your domain, insert the correct LDAP admin password and change the destination path for the archives. This file contains the LDAP admin password in clear text; only the mmc-agent, which runs as root, reads it, so keep it readable by root alone (chmod 600 /etc/mmc/plugins/base.ini). The content should look like this:

[ldap]
# LDAP we are connected to
host = 127.0.0.1
# LDAP base DN
baseDN = dc=example, dc=com
# Users location in the LDAP
baseUsersDN = ou=Users, %(basedn)s
# Groups location in the LDAP
baseGroupsDN = ou=Groups, %(basedn)s
# Computers Locations
baseComputersDN = ou=Computers, %(basedn)s
# LDAP manager
rootName = cn=admin, %(basedn)s
password = Kreationnext
# If enabled, the MMC will create/move/delete the home of the users
# Else will do nothing, but only write user informations into LDAP
userHomeAction = 1
# Skeleton directory to populate a new home directory
skelDir = /etc/skel
# If set, all new users will belong to this group when created
defaultUserGroup = Domain Users
# Default home directory for users
defaultHomeDir = /home
# user uid number start
uidStart = 10000
# group gid number start
gidStart = 10000
# LDAP log file path
logfile = /var/log/ldap.log
# FDS log file path
# logfile = /opt/fedora-ds/slapd-hostname/logs/access
# you can specify here where you can authorized creation of your homedir
# default is your defaultHomeDir
# example:
# authorizedHomeDir = /home, /home2, /mnt/depot/newhome
[backup-tools]
# Path of the backup tools
path = /usr/lib/mmc/backup-tools
# Where are put the archives
destpath = /home/samba/archives

 

17.2 MMC Mail-Plugin Configuration

Edit MMC mail-plugin configuration file.

vi /etc/mmc/plugins/mail.ini

Edit the vDomainDN so that it fits your domain, comment out the line for Postfix delivery and uncomment the line for Dovecot delivery. The content should look like this:

[main]
disable = 0
# Enable virtual domain support
vDomainSupport = 0
# If vdomain enabled, OU where the domain are stored
vDomainDN = ou=mailDomains, dc=example, dc=com
[userDefault]
# For Postfix delivery
# mailbox = %homeDirectory%/Maildir/
# For Dovecot delivery
mailbox = maildir:%homeDirectory%/Maildir/
# Default quota (200 MBytes) set for user
mailuserquota = 204800

 

17.3 MMC Network-Plugin Configuration

Edit MMC network-plugin configuration file.

vi /etc/mmc/plugins/network.ini

Edit the domain name so that it fits your domain. The content should look like this:

[main]
disable = 0
[dhcp]
dn = ou=DHCP,dc=example,dc=com
pidfile = /var/run/dhcpd.pid
init = /etc/init.d/dhcp3-server
logfile = /var/log/daemon.log
leases = /var/lib/dhcp3/dhcpd.leases
[dns]
dn = ou=DNS,dc=example,dc=com
pidfile = /var/run/bind/run/named.pid
init = /etc/init.d/bind9
logfile = /var/log/daemon.log
bindroot = /etc/bind/
binduser = bind
# dnsreader = DNS Reader
# dnsreaderpassword = DNSReaderPassword

 

18 MMC Agent Initial Start

At this point the mmc-agent is ready for the initial start.

/etc/init.d/mmc-agent start

During the first startup the mmc-agent writes some bind and dhcp related settings into the LDAP – so you have to restart bind (the dhcp-server is not running at the moment).

/etc/init.d/bind9 restart

19 MMC Webinterface

Now you can access the MMC webinterface via https://192.168.0.100 (http is not working at the moment). Log in as root. Later, when the nameserver and the dhcp-server are configured (and you are using them), you should connect via http://server1.example.com (the connection will automatically be diverted to https) or https://server1.example.com.

login

Welcome to the Mandriva Management Console.

overview

 

19.1 First Steps: DNS Zone

Click on “Network” in the main-menu at the top and afterwards on “Add DNS Zone” in the left menu. Edit the settings as shown on the screenshot below. Click on “Create” to save the settings. Note: A DHCP subnet with basic settings will be created – you’ll edit it in the next step (19.2).

add_dns_zone

add_host_alias1

Click on the “pen & paper” symbol next to the host entry.

add_host_alias2

Insert “blocked” as hostname alias and confirm the setting.

add_host_alias3

19.2 First Steps: DHCP Subnet Configuration

Now you have to edit the DHCP subnet. Click on “DHCP subnets” on the left side and afterwards on the “pen & paper” symbol next to the subnet entry.

edit_dhcp_subnet1

Edit the settings as shown on the screenshots below. Maybe you want to use another ip-range for the address pool or other lease-times. Click on “Confirm” to save the settings. Note: The domain name servers are separated by a comma – without spaces.

edit_dhcp_subnet2

Now the DHCP settings are complete and you can start the DHCP server. Click on “Network services management” on the left side and afterwards click on the green triangle to start the DHCP server. Note: Whenever you create/delete/change DHCP subnets you have to restart the DHCP server.

start_dhcp_server

19.3 First Steps: Domain Administrator Mailaccount

If you want to use the Administrator mailaccount you have to enable it. Click on “Users” in the main menu on the top – you’ll see the users list. Click on the “pen & paper” symbol next to the Administrator entry.

edit_admin

Enter a mail address into the corresponding field.

edit_admin_mail1

Enable the mail plugin, enter a desired quota and save the settings.
* Maybe you have to insert the quota once again (because the MMC overwrote the quota with the default value) and save the settings. (I had to do so)

edit_admin_mail2

19.4 First Steps: First Domain User Account

Time to create the first domain user account. Click on “Add” on the left side and create a user as shown on the screenshots below. Keep in mind that you probably have to edit the quota twice. Note: Some settings have a red underline; when you hover over them you'll see a short description of the setting.

first_user1

first_user2

first_user3

20 The Client Side

I’ve tested this with Windows XP Pro SP2 – but it should also work with other Windows versions.

  • Be sure that no other DHCP server than the one on the server is running
  • Start Windows and log in as local administrator
  • Configure your network connection to use DHCP
  • Right click on “My Computer” and select “Properties”
  • Switch to the tab “Computer Name” and click on “Change”
  • Insert a desired computer name, mark the radio button “Domain” and enter “EXAMPLE” (without the quotes!)
  • Click on “OK” to apply the changes
  • A few moments later you’ll be asked for a username and password. Use the domain administrator account that you created at step 5.2 (e.g.: Username “Administrator” with the password “Kreationnext”) and click on “OK”
  • If all went ok, you’ll get a welcome message
  • Restart the system
  • When the system is up again, log in with the domain administrator account that you created at step 5.2 (e.g.: Username “Administrator” with the password “Kreationnext”). Be sure that you select the domain from the drop down menu!
  • Click on “Start” and afterwards on “Run”. Enter “gpedit.msc” and click on “OK”.
  • Browse to the Internet Explorer settings (Computer Configuration > Administrative Templates > Windows Components > Internet Explorer) and enable the policy “Make proxy settings per-machine (rather than per-user)”.

gpedit1

gpedit2

Now open Internet Explorer, click on “Tools” and afterwards on “Internet Options”. Edit the proxy settings as shown on the screenshot below.

proxy

  • Log out and in again with the domain user account that you configured at step 19.4 (e.g.: Username “olli” with the password “Kreationnext”). Be sure that you select the domain from the drop down menu! Domain users won’t be able to change the proxy settings.

 

21 Some Notes…

  • If you have a dynamic IP, you should read Falko’s howto about relaying: http://www.Kreationnext.com/postfix_relaying_through_another_mailserver
  • If you want to catch mails from other mailservers, you should read Falko’s howto about fetchmail: http://www.Kreationnext.com/debian_etch_fetchmail
  • If you want to create policies for your windows clients, you should take a look at http://support.microsoft.com/kb/910203/EN-US/

 

  • Debian: http://www.debian.org/
  • Mandriva Directory Server: http://mds.mandriva.org/
