
This document is a mirror of the OpenBSD Qmail howto originally located at http://www.sancho2k.net/filemgmt_data/files/qmail.html

This document describes the process for installation and configuration of qmail for a simple SMTP server on OpenBSD. The process described will accommodate basic mail delivery and relaying from trusted hosts. No effort will be made to accommodate mail retrieval through POP3 or IMAP; this requires separate programs and will not be covered in this HOWTO (although there will be links to information on these subjects later on). qmail is a very powerful and secure MTA and as such, there are far more capable setups possible than described here; it would be recommended to the reader to investigate further information available online and in print, namely Life with qmail (http://www.lifewithqmail.org/) and The qmail Handbook (Apress, ISBN 1-893115-40-2), both authored by Dave Sill.

1.0 – Introduction

Internet email is one of the most popular uses for computers today. This holds true both on the desktop end, such as a home user reading the email from their ISP, and on the server end, such as the mail server at the ISP. Setting up a reliable and efficient email server is simple today, given that you have a connection to the Internet and a system to install it on.

For many years, the de facto standard for routing mail on the Internet has been Sendmail. Sendmail has been freely available for many years and has been included with just about every free UNIX-like operating system available, such as *BSD or Linux. This availability has made Sendmail widely used, but often overlooked in terms of security. Past versions of Sendmail have been susceptible to many severe security threats and exploits. Some argue that these security concerns are in the past, but to assume that current versions are different in this respect is naive; it would take a major recoding of Sendmail to make it as secure as such a widely used and prominent utility should be.

Several other mail programs (specifically MTAs, or Mail Transfer Agents) have cropped up in recent years; Postfix, Exim, and qmail being the most popular. Of the three, qmail holds the torch for the most secure implementation and offers many other features that make it worth investigating.

2.0 – Foreword

A couple of words in pretense of this guide.

Most of the information presented here has been obtained in one form or another from various informative sources, namely Dave Sill’s writings online and in his book (see the references in the opening paragraph above). My purpose is to present this guide as a concise and direct HOWTO written for users of OpenBSD; experience has shown me that those new to an operating system with something in mind often find it helpful to read something geared specifically toward their system; hence, this HOWTO will contain syntax that fits exactly the syntax used in OpenBSD.

Also by way of foreword, let me credit Professor Dan J. Bernstein, author of qmail and several other significant pieces of software. I have great respect for djb’s software and development skills; few programmers can code with his eye for simplicity and security-mindedness (as evidenced by his money-backed guarantees). There exist those in the public that criticize djb for his rudeness, crudeness, abrasiveness, overall personality, etc. etc. My point in this case is this: if the software is excellent, use it. Regardless of djb’s personality, the software is still excellent. To those who refuse to use “djbware” based on the personality of the author: you are fools.

Now on to the stuff that matters. Prior to running qmail, there are a couple of things to remember and prepare for:

  • qmail is an MTA. It routes mail for users in a domain. In order to be recognized as a domain’s Mail Exchanger, there must exist within the DNS records for that zone an MX record that points to the name of the mail server (not IP address). Ensure that your DNS is correct and set up properly before attempting to use qmail. If you’ve not got DNS fully set up or need a pointer, or even if you do have it set up but want a better DNS package, check out djbdns – it’s a powerful and secure DNS package also written by djb.
  • There is a certain way to run qmail, and a certain way to install it. The reasons behind this are simple; it works best doing it in this way. If you are a hotshot admin that thinks that something shouldn’t run out of /var/qmail and think that you want to change it, by all means GO AHEAD. But remember that the documentation you will find is for what is generally accepted as a default qmail installation – the wise admin will not stray from this, but will accept the philosophy of Tai Chi and go with the flow. Bottom line – don’t try to get fancy unless you know what you’re doing – there shouldn’t be many compelling reasons to stray from the steps given in this and other qmail howtos.
  • There is other accompanying software besides qmail that we will be installing. If you have the idea to not install it, remember that it is insignificantly small, lightweight, stable, secure, and keeps qmail ticking. djb wrote both of them. If you have a problem installing them still, see the last bullet point above.

In the matter of commands that are to be entered in, I will attempt to make everything so that they can be copied from the browser and pasted directly into your shell. Note however, that some commands will have to be modified to fit your exact configuration and should not be copied and pasted verbatim. Care should be taken to edit these commands before entering them into your system.

3.0 – Download Software

So. . . the first item of business is downloading the following packages. ucspi-tcp and daemontools are both useful helper packages for qmail (and most of djb’s software, incidentally) that can help control the various services including logging. The most current version of these packages is linked to from here; little development on this software occurs simply because there have been no inherent security concerns or feature bloat since their release. qmail, for example, has stayed at version 1.03 for somewhere around four years now without requiring revision.

The first link is to the current (as of the time of this writing) version of the package; the second link will direct you to the home page for the program so that you can investigate the release of a more current version.

  • daemontools: daemontools-0.76.tar.gz (daemontools home)

Once all of the packages have been downloaded, proceed on and we will begin installation.

4.0 – Installation

Installation of qmail will involve several steps, namely installing daemontools and rebooting (since svscanboot will be started from rc.local), installing ucspi-tcp, and finally installing qmail. Although the post-installation configuration is still technically considered installation, we will split this off into a separate section.

4.0.1 – daemontools

Installing daemontools is very straightforward. All in all, it is a brilliant package. daemontools is designed to monitor a service to ensure that it stays running all the time, and if the service is detected as having exited for any reason, to restart the daemon automatically. It works similarly in that respect to one of inittab’s functions, without however requiring that the admin edit a config file.

First steps are as follows: create a directory at /package that daemontools will be installed from, and run the install script from the daemontools source in that directory:

These steps have installed daemontools into the system. To complete the installation, reboot the system in order to allow svscanboot to start properly from /etc/rc.local. When the system comes back up, log in and we will continue with installation of ucspi-tcp.

4.0.2 – ucspi-tcp

ucspi-tcp installation will be equally easy and similar to daemontools, with the lack of any special directories or reboot.

Now with the pre-required packages installed, go on through to the installation of qmail.

4.0.3 – qmail

There are a few more steps involved in installing qmail. For instance, as the following commands show, a couple of different system accounts and groups are created. The reason behind this is that unlike Sendmail, qmail runs as several individual pieces; Sendmail is one monolithic program performing many complicated functions. This means a couple of things, namely that what affects one aspect or process of Sendmail affects Sendmail as a whole. If compromise occurs on one level, Sendmail as a whole is affected. Under qmail, this is broken up into several different processes running under the control of different user IDs and daemons; this process and privilege separation leads to a more secure program with less potential for bugs (less complication means less room for error.) This is evidenced by its very secure and stable history – compare this to Sendmail’s security and bug list, and the differences become apparent.

You should probably see an error indicating that /var/qmail/alias doesn’t exist; this is expected, as it has not been created yet. This will be taken care of as we continue the installation:

This final command will compile the binaries and other files and install qmail into the system; most of the files go into /var/qmail and some into /etc. The next thing to do is make sure that qmail is aware of the host’s fully qualified domain name (FQDN). This can be accomplished in one of two ways, depending on whether you can resolve the DNS name of the qmail server (requiring reverse DNS to be functioning) or whether you would like to specify it yourself.

  • In order to allow DNS to resolve your IP address to the FQDN of the qmail host, use the config.sh script:
  • If you do not have a PTR record for the server’s IP and cannot resolve to the hostname with DNS, use the config-fast script:

    Where my.host.name is the FQDN of the qmail server. This should also be the hostname that you are designating as the MX for your DNS zone.

You should at this point have daemontools, ucspi-tcp, and qmail installed on the system; continue on to the configuration section where we complete the setup details and configuration of qmail.

5.0 – Configuration

This section continues on with some post-installation steps for qmail and configuration of files for settings.

An important point to remember is this: an MTA (Mail Transfer Agent, mail relay server, etc.) is a fairly complicated piece of machinery. To successfully and properly operate a public mail server, you need a solid understanding of the way that DNS and SMTP work, as well as system and network administration knowledge in general. More advanced topics include operation of the POP and IMAP protocols, as mentioned earlier. Add to this optional SPAM control, and perhaps the most important (based on its impact and potential for affecting others on the Internet) is an understanding of relay control. For this reason, it is imperative to understand the configuration options and operation process that qmail uses and how it works. We will cover the most basic setup and post-setup options in this section.

The first file we will create is qmail’s rc file. This is the control script that runs the necessary commands to launch the qmail binaries. Using your text editor, create this file at /var/qmail/rc.

With the rc file in place, make it executable.

And create the mail logging directory:

Traditional UNIX mailboxes have been in mbox format, where new messages are appended to the end of a single file, making one large mailbox file. This has the potential for unreliable mail delivery and loss of messages, among other problems. The maildir format of mailboxes was introduced with qmail; this writes each individual message to its own separate file in the user’s mailbox directory. We need to tell qmail to use Maildir delivery.

Now it is time to create a script to control qmail with. The qmailctl script allows the administrator to start, stop, restart, and manipulate other operations of qmail. Create this file at /var/qmail/bin/qmailctl.

Make the qmailctl file executable and link it into a directory in the executable path:

The purpose of installing daemontools earlier was to have a process to monitor and control the qmail daemons. It uses a facility called supervise to accomplish this; create the run scripts that supervise will read to run qmail functions:

Create a file at /var/qmail/supervise/qmail-send/run with the following contents:

Create a file at /var/qmail/supervise/qmail-send/log/run with the following contents:

Create a file at /var/qmail/supervise/qmail-smtpd/run with the following contents:

qmail uses the concurrencyincoming file to control the number of simultaneous SMTP connections that can be made. Create this file with an echo statement:

Create a file at /var/qmail/supervise/qmail-smtpd/log/run with the following contents:

Now all of the run files need to be made executable:

We now need to create the log directories:

The following command will link qmail-send and qmail-smtpd into the /service directory; this will make the daemons available to be controlled by supervise. Since we don’t want the daemons to start quite yet, we’ll tell qmailctl to stop them:

5.0.1 – SMTP Relaying Access Control

The matter of relaying mail is a serious one that has led to a lot happening in the world of electronic mail. In the past, many SMTP servers were set up as open relays, meaning that anyone on the Internet could send mail from an SMTP server to any recipient in the world; what this led to was spammers sending bulk mail and using an open relay as the server to send from. This quickly evolved into a problem with wasted bandwidth and worse, the rapid spread of SPAM across the Internet. To counteract this, rules on relaying were established. Any SMTP server that is known to be an open relay can now be placed on a blackhole list and mail from these servers denied; the possibility exists that SPAM may be sent out from any open relay. For this reason, and to prevent unwanted clients from using your mail server as a server to send their junk mail from, be sure to implement some relay control.

qmail makes this easy by maintaining a database of allowed IP addresses that may send mail to domains other than the ones for which qmail accepts mail. Using echo commands, we can create a file that allows anyone on the server as well as anyone in our private address range to send mail through our server:

The above commands allowed anyone at a 127.x.x.x address or a 10.0.0.x address to relay mail onto outside mail servers. The syntax would be similar for any other address ranges you wanted to add. Note that the address range ends in a period; for instance, to add any address in your private 192.168.x.x range:

The cdb argument passed to qmailctl tells it to take the file /etc/tcp.smtp and compile it into a fast-to-parse database format that qmail reads.
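As an added example (not part of the original howto), the following sh script writes a rules file in the format described above and emulates the address lookup that tcpserver performs against the compiled database, so the effect of a rule can be checked before it is compiled. The file path, the helper names and the lookup emulation (IP-prefix rules only, ignoring the =hostname rules tcpserver also supports) are assumptions of this example; it also shows what happens when the trailing period is left off a prefix.

```shell
#!/bin/sh
# Added example, not from the original howto: build a tcp.smtp rules file and
# emulate tcpserver's rule lookup so you can see which clients would be granted
# RELAYCLIENT before compiling the file with tcprules. The file path below is an
# assumption so the script runs without root; the real file is /etc/tcp.smtp.
TCP_SMTP="${TCP_SMTP:-${TMPDIR:-/tmp}/tcp.smtp.example}"

# Write one allow+RELAYCLIENT rule per address prefix, then a default rule
# (empty address) that lets every other client connect and deliver to the
# domains in rcpthosts only. A prefix must end in a period; see next_key.
make_tcp_smtp() {
    : > "$TCP_SMTP"
    for prefix in "$@"; do
        printf '%s:allow,RELAYCLIENT=""\n' "$prefix" >> "$TCP_SMTP"
    done
    printf ':allow\n' >> "$TCP_SMTP"
}

# Given a lookup key such as "10.0.0.5", print the next key tcpserver tries:
# "10.0.0.5" -> "10.0.0." -> "10.0." -> "10." -> "" (the default rule).
# A rule written as "10.0.0" (no trailing period) is never one of these keys.
next_key() {
    k=$1
    case $k in *.) k=${k%.} ;; esac
    case $k in
        *.*) printf '%s.\n' "${k%.*}" ;;
        *)   printf '\n' ;;
    esac
}

# Find the rule tcpserver -x would apply to an IP address and print its
# instruction part (for example "allow,RELAYCLIENT=\"\"" or "allow").
# Returns 1 when no rule matches at all.
lookup_rule() {
    key=$1
    while :; do
        rule=$(awk -F: -v k="$key" '$1 == k { sub(/^[^:]*:/, ""); print; exit }' "$TCP_SMTP")
        if [ -n "$rule" ]; then
            printf '%s\n' "$rule"
            return 0
        fi
        [ -z "$key" ] && return 1
        key=$(next_key "$key")
    done
}

# Exit 0 if the client would be allowed to relay (RELAYCLIENT set), 1 otherwise.
relay_allowed() {
    case $(lookup_rule "$1") in
        *RELAYCLIENT*) return 0 ;;
        *)             return 1 ;;
    esac
}

# Stand-alone demonstration: mirror the howto's two rules and probe some clients.
make_tcp_smtp "127." "10.0.0."
for ip in 127.0.0.1 10.0.0.25 10.0.1.5 203.0.113.9; do
    if relay_allowed "$ip"; then
        echo "$ip: may relay"
    else
        echo "$ip: local delivery only"
    fi
done
# To activate a real /etc/tcp.smtp, qmailctl cdb runs the ucspi-tcp compiler:
#   tcprules /etc/tcp.smtp.cdb /etc/tcp.smtp.tmp < /etc/tcp.smtp
```

Every client that is not matched by a RELAYCLIENT rule falls through to the bare `:allow` default, which is what keeps the server from being an open relay: such clients may still connect and deliver to the domains in rcpthosts, but not to anywhere else.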

5.0.2 – Replacing Sendmail with qmail

OpenBSD comes stock with Sendmail installed and functioning on the system. qmail comes with replacement binaries that can be used to replace Sendmail; this is needed since a lot of mail utilities and system functions take for granted that sendmail will be installed on the system, and therefore will not operate if sendmail binaries are not found.

The first step is to determine the PID of the running Sendmail process and kill it:

The following string of commands will backup the old Sendmail binaries and disable them, and then replace them with the qmail versions of the binaries:

There also exists an alternate, and possibly cleaner, way to do this. OpenBSD knows which mail-related programs to run based on the configuration outlined in the file /etc/mailer.conf. Take a look at the original file, and see how all functions are pointing to the original sendmail binary. The below /etc/mailer.conf makes it so that the system will use qmail instead of sendmail when a mail capability is needed:

Both of these options seem to work; you may either replace the sendmail binaries with the qmail versions, as in the first example, or change the mailer.conf to point to qmail instead, as in the second example.

There is also a crontab entry that should be disabled. Use the command crontab -e to open your crontab for editing and find the line that has the comment "sendmail clientmqueue runner" and comment the cron entry out. This prevents cron from starting that Sendmail process. After this line has been commented out, save and exit the crontab file. You should see a notice confirming the changes you made:

Finally, OpenBSD comes by default configured with Sendmail running. Although it only listens for local connections, it will need to be disabled nonetheless. In typical BSD fashion, this can be done from /etc/rc.conf – simply make the change indicated below.

From:

To:

Now Sendmail will not be launched at boot.


NOTE: I may as well include, at this point, a small bit of side information for users of OpenBSD 3.2 and (possibly) higher. Changes to the structure of the filesystem where /var is located have made the nosuid mount option active on it; in order for qmail to function correctly when installed to /var/qmail, make sure that the nosuid option is disabled. To do this, edit /etc/fstab and remove this option, and then remount the filesystem. For example, here is my newly-edited fstab file, showing the difference (the original line is commented out, and replaced with a new line without the nosuid option.)


5.0.3 – Configuring Mail Aliases

By default, qmail is configured to use mail accounts based on real accounts from /etc/passwd. But like Sendmail, qmail can be configured to deliver mail to accounts that use aliases. We will configure qmail to send mail to certain accounts that should exist on any mail system. Since logging in as root should be minimized, we’ll configure qmail to deliver system mail addressed to root to a non-root user, and to send some mail-related aliases, DNS admin, and Web Administrator mail to the same user. Say the nonprivileged user that will receive mail for these accounts is called “bob” – we can use the following commands:

The next commands set the proper permissions on the alias files and start qmail – configuration is almost complete.

There are a couple of control files that should be configured to match your site’s configuration at this point. Control files (located under /var/qmail/control) are where options are set for qmail to read and operate from. Rather than one large config file with many hard to find options, each control file represents an option or setting within the qmail configuration.

The /var/qmail/control/rcpthosts file specifies which domains qmail will accept mail for. If you’ve gone this far, rcpthosts already contains the FQDN of your local server. We need to add the DNS domain name now. As an example – say your mail host will receive mail for its local FQDN (we’ll call this mail.somedomain.com) and also for the entire somedomain.com domain. The file should then contain:

The /var/qmail/control/locals file contains domain names that should be delivered locally on this host, or in other words, whose mailboxes will be located on this server. This is different from configurations where, although the server is responsible for handling mail for a given domain, the mail is actually delivered to another server for mailbox storage and serving. Given the above example, the locals file should exactly mirror the rcpthosts file:

Given the above example, mail sent from the server will be shown from the return address as such: mailuser@mail.somedomain.com. We want mail to be shown as from mailuser@somedomain.com, omitting the host name. For this, make sure that /var/qmail/control/defaultdomain contains the domain that mail should be shown as coming from:

A good way to make sure that new users added to the system will automatically have a mailbox is to create a Maildir in the /etc/skel directory; the contents of this directory are copied into the new user’s home directory and changed to their ownership. Note that this should be done as the root user.

Finally, we should now be ready to start qmail and test.

6.0 – Testing the Installation

At this point, qmail should be completely installed and running. There are a couple of things to do to check and verify that all is working as it should.

The first thing to check is that the right processes are running – the ps command can be used to verify this. See the following usage and expected results:

As can be seen, there are 2 supervise processes managing qmail-send and qmail-smtpd and 2 multilog processes running as qmaill managing logging for these daemons. The other qmail processes should look something like this:

  • 1 qmail-send process running as qmails
  • 1 tcpserver process running as qmaild
  • 1 qmail-lspawn process running as root
  • 1 qmail-rspawn process running as qmailr
  • 1 qmail-clean process running as qmailq

If all checks out on these processes, test mail delivery by sending a test message through qmail-inject. First, make sure to create a Maildir for the user that was set up earlier in an alias to receive root’s mail. Use the maildirmake utility to do this. **AS THE USER** (not as root) execute the following command in your home directory:

This command creates the Maildir mailbox structure under the user’s home directory, which consists of individual folders for management of unread, read, and other types of messages. Once the maildir is created, send a test message:
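As an added example, not from the original howto, here is a minimal Maildir delivery routine in sh. It illustrates the tmp/ then new/ rename step that lets Maildir delivery work without lock files, the reliability point made in the mbox versus Maildir comparison in section 5.0, and it creates the same tmp/new/cur layout that maildirmake does. The mailbox path and the function names are this example's assumptions; qmail's own local delivery is performed by qmail-local, not by this script.

```shell
#!/bin/sh
# Added example, not from the original howto: a minimal Maildir delivery in
# plain sh. Messages are written to tmp/ first and only renamed into new/ when
# complete, so a reader never sees a partial message and no locking is needed.
# The mailbox location is an assumption so the script runs unprivileged;
# qmail delivers to ~/Maildir/ for each user.
MAILDIR="${MAILDIR:-${TMPDIR:-/tmp}/maildir-example/Maildir}"

# Same layout maildirmake creates: tmp/, new/, cur/, private to the user.
maildir_make() {
    mkdir -p "$1/tmp" "$1/new" "$1/cur" &&
        chmod 700 "$1" "$1/tmp" "$1/new" "$1/cur"
}

# Deliver the message on stdin into the Maildir given as $1.
maildir_deliver() {
    dir=$1
    # mktemp guarantees the tmp/ name is unique even for concurrent deliveries;
    # the prefix follows the Maildir convention of time.pid.host.
    tmpfile=$(mktemp "$dir/tmp/$(date +%s).P$$.$(uname -n).XXXXXX") || return 1
    # Write the whole message; on any failure remove the partial file so that
    # nothing half-written is ever left where a reader could find it.
    cat > "$tmpfile" || { rm -f "$tmpfile"; return 1; }
    # rename(2) within one filesystem is atomic: the message appears in new/
    # all at once, or not at all. This is the step mbox appends cannot offer.
    mv "$tmpfile" "$dir/new/${tmpfile##*/}"
}

# Number of unread messages, i.e. files waiting in new/.
maildir_count_new() {
    ls -1 "$1/new" | wc -l | tr -d ' '
}

# Stand-alone demonstration with a constructed test message.
maildir_make "$MAILDIR"
printf 'From: root@mail.somedomain.com\nTo: bob@somedomain.com\nSubject: test\n\nhello\n' |
    maildir_deliver "$MAILDIR"
echo "new messages: $(maildir_count_new "$MAILDIR")"
```

A mail reader moves a message from new/ to cur/ once it has been seen; that is why the test in the text looks in new/ for the message that was just injected.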

And now look for a message in the newly arrived mail from within this user’s directory:

If there is a file in this folder, then you know that:

  1. The mail delivery subsystem of qmail is working perfectly
  2. The qmail alias system is working perfectly

Another test would be to make sure that qmail is listening to the SMTP port on your host. Verify this with the use of the telnet utility:

If qmail is listening and accepting connections, you will see something like this:


Table of Contents

  • Introduction
  • Installing the Packaged Version
  • Starting samba with each reboot
    • Starting through inetd
  • Testing the installation
  • SWAT – The Samba Web Administration Tool
  • Adding Users
  • Co-habiting with Windows NT PDC
    • Adding the Samba Server to the Primary Domain Controller
    • Joining the Samba server to the Primary Domain Controller
    • Updating the /etc/samba/smb.conf
  • Authentication for NT, Win9X Workstations
    • Configuration File settings
    • Machine Account Creation
  • Using stunnel to secure SWAT password communications
  • Author and Copyright

Introduction

The Samba Suite of programs allows you to share Unix resources with SMB Clients (in many cases MS Windows clients.) This significantly simplifies client access to OpenBSD printing and file resources. Users on client machines access Samba resources as they would any other (file/print) resource available from SMB servers such as Windows NT or Windows 9x.

We use OpenBSD/Samba to allow our network users to use the same tools for accessing their files on the OpenBSD/Samba box as they previously did when the same resources were on the Win NT boxes. Users can open their files from within their applications or use Windows Explorer to browse through the OpenBSD/Samba shares.

Installing the Packaged Version

[package: samba-2.0.7.tgz (available on cd-distribution and OpenBSD ftp mirrors)]
[ref: Samba Book available from http://www.samba.org]

Install the package using pkg_add

# pkg_add /[path-to-package]/samba-2.0.7.tgz

The samba package will be installed and you may wish to copy one of the sample configuration files as a starter for your samba setup. For example:

# cp /usr/local/lib/samba/smb.conf.sample /etc/samba/smb.conf

The quickest way to start samba is to launch the daemons manually:

# /usr/local/sbin/smbd -D
# /usr/local/sbin/nmbd -D

Although we don’t want to be frustrated with having to do that manually every time we start the computer, it is a good way to test whether the installation files did get installed.

(note that samba-2.2.1a in OpenBSD 3.0 locates the smbd/nmbd files in /usr/local/libexec)

Starting samba as a server service

[ref: ../ports/net/samba/files/README.OpenBSD]

There are at least three different methods available for starting the samba daemons (smbd and nmbd). The two most appropriate for starting the server at each boot are a scripting addition or configuring inetd. The BSD-style scripting approach is adding instructions to the /etc/rc.local file; System V-style solutions create a separate startup script.

Edit the /etc/rc.conf.local file to include in Section 2 the following lines:

smbd=YES
nmbd=YES

Edit: /etc/rc.local.

After the 'starting local daemons' line and before the following echo '.', insert the following instructions into the /etc/rc.local file:

echo -n 'starting local daemons:'
# [ … stuff left out … ]

if [ -f /etc/samba/smb.conf ]; then
        if [ X"${smbd}" != X"NO" -a -x /usr/local/libexec/smbd ]; then
                echo -n ' smbd'; /usr/local/libexec/smbd -D
        fi
        if [ X"${nmbd}" != X"NO" -a -x /usr/local/libexec/nmbd ]; then
                echo -n ' nmbd'; /usr/local/libexec/nmbd -D
        fi
fi

# [ … stuff left out … ]

echo '.'

Now each restart of the machine will automatically check to see whether we have enabled samba in the configuration file (rc.conf.local) and then start the smbd and nmbd daemons. If we wish to disable samba we can simply change smbd=YES to smbd=NO and nmbd=YES to nmbd=NO.

Starting samba as an inetd service

If you choose the inetd path then two files, /etc/services and /etc/inetd.conf, need to be updated. Note that you should use either the rc.local update or this configuration, but not both, as using both may cause problems further down the line for you.

/etc/services : change this file to include the following lines

netbios-ssn 139/tcp
netbios-ns 137/udp

/etc/inetd.conf : change this file to update the lines referring to the above ports

netbios-ssn stream tcp nowait root /usr/local/libexec/smbd smbd
netbios-ns dgram udp wait root /usr/local/libexec/nmbd nmbd

Of course one advantage of inetd is you don’t have to restart the computer to get things up and running. Just send a -HUP signal to inetd and samba will be started.

Testing the installation

[Config file: /etc/samba/smb.conf ]
[Utility: smbclient]

A quick diagnostic test to verify whether the nmbd/smbd daemons are working is to use the smbclient program, one of the tools supplied with the samba suite of programs. smbclient attempts a client connection to an smb server, so one simple test is to attempt a connection to our localhost smb server.

# smbclient -U% -L localhost

The -U% specifies attempting the connection as user % (% expands to root, or the current login); -L specifies the hostname to connect to (localhost). The above command should show the shares available on the localhost server (ipc$ et al.) as well as other machines in the workgroup.

Sharename      Type      Comment
---------      ----      -------
IPC$           IPC       IPC Service (Samba Server)

Server               Comment
---------            -------
OPENBSDBOX           Samba Server

In the above example, the returned listing displays the server OPENBSDBOX as being in the smb workgroup. OPENBSDBOX is the short name for this sample localhost.

Basic configuration file settings that approximate the initial part of what your samba server should look like: set the following in the configuration file /etc/samba/smb.conf

workgroup = myworkgroup
encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd
unix password sync = yes
passwd program = /usr/bin/passwd %u
interfaces = ip_for_eth0 ip_for_eth1

ip_for_eth0 and ip_for_eth1 – These are the ip-addresses for the Ethernet cards on your server that you wish Samba to service through. For example, if you had one ethernet card for your LAN (eth0:192.168.101.5) and one ethernet card for your external connection (ISP eth1:202.123.44.1) then you can specify something like:

interfaces = 192.168.101.5

This would allow machines on your local LAN access to the samba server, but not machines connected through any other devices.

Encrypt Passwords: All the clients I am using with my samba server will be Win98 or Win2000 and I want passwords encrypted when passed between the server and machines, in preparation for when the sites go live on the Internet. Likewise, I don’t want to spend the time setting up the script to modify all the clients to send clear-text passwords.
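As an added example (not part of the original HOWTO), the following sh script reads the [global] section of an smb.conf and reports the two weak spots discussed above: passwords not encrypted, and an "interfaces" list that does not actually restrict where smbd listens. That second point is a caveat the text does not mention: in Samba the "interfaces" parameter only names the addresses Samba should use; the daemons still bind every address unless "bind interfaces only = yes" is set as well. The file paths, function names and the two sample configurations are this example's constructions.

```shell
#!/bin/sh
# Added example, not from the original HOWTO: check the [global] settings of an
# smb.conf for plaintext passwords and for an "interfaces" list that is not
# enforced by "bind interfaces only". Paths and sample files are constructed.
WORK="${TMPDIR:-/tmp}/smbconf-example"
mkdir -p "$WORK"

# Print the raw value of a [global] parameter (key matched case-insensitively,
# surrounding whitespace trimmed); prints nothing if the parameter is absent.
smb_get() {
    awk -v want="$2" '
        /^[ \t]*\[/ { sec = tolower($0); gsub(/\[|\]|[ \t]/, "", sec); next }
        sec == "global" && index($0, "=") > 0 {
            key = tolower(substr($0, 1, index($0, "=") - 1))
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            if (key == want) {
                val = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", val)
                print val; exit
            }
        }' "$1"
}

# Exit 0 if a boolean parameter is switched on (yes/true/1, any case).
smb_bool() {
    case $(smb_get "$1" "$2" | tr 'A-Z' 'a-z') in
        yes|true|1) return 0 ;;
        *)          return 1 ;;
    esac
}

# Report weak settings on stdout; the exit status is the number of findings.
smb_check() {
    f=$1; findings=0
    if ! smb_bool "$f" 'encrypt passwords'; then
        echo "$f: encrypt passwords is off (clients may send plaintext passwords)"
        findings=$((findings + 1))
    fi
    if [ -z "$(smb_get "$f" interfaces)" ]; then
        echo "$f: interfaces is unset (Samba serves every address, external ones included)"
        findings=$((findings + 1))
    elif ! smb_bool "$f" 'bind interfaces only'; then
        echo "$f: interfaces is set but bind interfaces only is off (smbd still listens on all addresses)"
        findings=$((findings + 1))
    fi
    return $findings
}

# Constructed sample 1: the settings listed in the text, taken literally.
cat > "$WORK/weak.conf" <<'EOF'
[global]
   workgroup = myworkgroup
   encrypt passwords = yes
   smb passwd file = /etc/samba/smbpasswd
   interfaces = 192.168.101.5
EOF

# Constructed sample 2: the same, with the binding actually restricted.
cat > "$WORK/good.conf" <<'EOF'
[global]
   Workgroup = myworkgroup
   Encrypt Passwords = Yes
   interfaces = 192.168.101.5
   bind interfaces only = yes
EOF

smb_check "$WORK/weak.conf" || echo "weak.conf: $? finding(s)"
smb_check "$WORK/good.conf" && echo "good.conf: no findings"
```

Running it against the first sample reports one finding, the missing "bind interfaces only"; the second sample passes, and shows that Samba accepts parameter names and boolean values in any letter case.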

Setting up SWAT – the Samba Web Administration Tool

[Config file: /etc/services ]
[Config file: /etc/inetd.conf ]

SWAT provides a GUI based tool for modifying samba’s configuration file /etc/samba/smb.conf. Unfortunately it can also cause disastrous things such as wipe the configuration file (actual experience.) Following are the steps required to configure swat, which is installed but not enabled by the samba installation.

Edit /etc/services to include the following line

swat 901/tcp # Samba Web Administration Tool

Edit /etc/inetd.conf to include the following lines

swat stream tcp nowait.400 root /usr/local/sbin/swat swat

Restart the inetd daemon so it can re-read the changes you have made to the /etc/inetd.conf file.

# kill -HUP $(cat /var/run/inetd.pid)

You should now be able to point a browser (for example Windows/Internet Explorer) at port 901 of your server to configure samba using the SWAT GUI interface instead of having to manually edit the smb.conf file.

Security Concern. I think swat sends passwords cleartext. You should be aware of this problem if concerned about potential security compromises by using swat.

Adding Users

[Config file: /etc/samba/smbusers ]
[Config file: /etc/samba/smbpasswd]
[Utility: /usr/local/bin/smbpasswd ]

To make sure that you can access the smb shares from other clients, make sure you add the smb access users to the /etc/samba/smbusers and the /etc/samba/smbpasswd file. I find this necessary because I specify the use of encrypted passwords for authentication.

smbpasswd -a login-id

For example:

# smbpasswd -a samt

More Information:

Run by root, the smbpasswd program can “-a” add a new user to the smbpasswd file. This is also a neat trick for finding out where the smbpasswd is ‘supposed’ to be located.

Other useful options:

-x delete the user information
-d disable the user account
-e enable a disabled account, no effect if account currently enabled
-r remote machine on which smb access is to be changed.

Controlling the Server

The following shell script (based on ndc.sh) is a quick hack for starting/stopping the Samba servers. As I have had to play around a lot with the configuration files, restarting the servers, it is somewhat useful to have a script to cut down the number of keystrokes.

Co-habiting with NT Server – Primary Domain Controller

As my environment is OpenBSD/Samba joining an existing Windows NT Primary Domain Controller (PDC), I need to maintain authentication on one server to minimise workload. For this discussion we will use DEMO_DOMAIN as the domain and PDC_SERVER as the name of the Primary Domain Controller (Windows NT 4.0x server).

The following are the basic steps for enabling NT Domain authentication for Samba connections.

  1. On the PDC, manually add the Samba server NetBIOS name as an NT Server/Workstation
  2. Join the Domain from the samba server using smbpasswd -j DEMO_DOMAIN -r PDC_SERVER
  3. Modify smb.conf to specify encrypted passwords and security=domain
  4. Restart the Samba Server

Adding the Samba Server to the Primary Domain Controller

On the Win NT (4.0) PDC server, start the Administrator -> Server Manager program. Add the OpenBSD/Samba server you have installed as a “Windows NT Workstation or Server”.

On the Win2000 Advanced Server PDC, start the Administrator -> Active Directory Users and Computers. Select the Domain you will be adding the OpenBSD/Samba server to. Add a new computer and make sure you select the check-box “Allow pre-Windows 2000 computers to use this account”

For the name of the OpenBSD/Samba server, use the NetBIOS name you have either specified in /etc/samba/smb.conf, or use the short-name of the server (OPENBSDBOX for this example).

Joining the Samba server to the Primary Domain Controller

This only works if the OpenBSD/Samba server has been 'installed' into the domain as described above, so make sure you have followed that step and verified that the server shows up as a valid 'NT Workstation or Server'.

From the OpenBSD/Samba machine, join the domain using the smbpasswd "join" facility (this is the Samba 2.x command; Samba 3 and later use net join instead):

# smbpasswd -j DEMO_DOMAIN -r PDC_SERVER

Updating /etc/samba/smb.conf

To complete joining the domain, we need to make a few configuration changes: (a) tell Samba to hand authentication to the Primary Domain Controller, and (b) use encrypted passwords. Windows NT SP3 and later default to encrypted password transmission and will not send plaintext passwords without a registry change.

File /etc/samba/smb.conf ([global] section; workgroup must already be set to DEMO_DOMAIN)

security = domain
password server = PDC_SERVER
encrypt passwords = yes

Step 3 of the list above calls for security = domain; without it Samba keeps authenticating against its own smbpasswd file no matter what else is set. The original text named the PDC with a domain controller line, but Samba 2.x documents that parameter as deprecated and unused; the domain controller is named with password server. Check smb.conf(5) for the version you installed, and run testparm(1) after editing.

Restart the Samba server and user connections will now be verified through the Windows NT domain controller. Note that users still need a valid Unix account on the server if home directories are expected: with security = domain Samba only outsources the password check and still has to map each user to a local uid.

Authentication for NT, Win9X Workstations

[ref: Samba-2.2.2/docs/Samba-HOWTO-Collection.pdf]

With later versions of Samba (2.2.2 at the time of writing) the OpenBSD/Samba combination can authenticate users for a LAN of Windows NT and Win9x clients. In this scenario your OpenBSD/Samba server is the Primary Domain Controller (in Windows speak) and provides authentication for your Windows clients.

By configuring your clients to forcibly join the domain, you can ensure all workstation users must be validated from the OpenBSD/Samba server.

We may want to do this if we do not have a legitimate (Microsoft) Windows Server that can authenticate as the primary domain controller.

The Samba distribution actually comes with a HOWTO for this task (Chapter 8. How to Configure Samba 2.2 as a Primary Domain Controller)

In short, we set the configurations (in a working Samba system):

  • Configuration File settings
  • Machine Account Creation

Configuration File settings

To configure your Samba server to provide user authentication you will need to include the following.

Diagram – portion of [global]

Security is set to user (not domain, as you might initially expect: here the server is the authority, not a client of one). The server is made the domain master (domain master = yes) and set to service domain logons (domain logons = yes), which is where user authentication is configured. Win9x clients only use the domain logon; NT workstations additionally need the machine accounts described next.

Machine Account Creation.

The add user script is used by Samba to add a machine account when an NT workstation joins the domain; Samba calls it with the client workstation's NetBIOS name plus a trailing "$" substituted for %u. The script creates an /etc/passwd entry for that name. At this writing (Samba 2.2.2) Samba requires the /etc/passwd entry before it can create the Samba (smbpasswd) account for the workstation. Because smbd runs this script as root with a name supplied by the joining client, the script must validate its argument rather than pass it straight to useradd.

Since OpenBSD's useradd(8) does not normally accept the dollar character "$" in a login name, we need to modify the useradd source to allow it. Of course, you can create the accounts manually with vipw(8) and not touch the source at all. Unix, OpenBSD included, readily accepts "$" in /etc/passwd; it is the user-creation programs that reject it, for a number of practical reasons.
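The following is an added example of such an add user script, not the author's or the Samba project's: it validates the machine name before anything touches /etc/passwd, then creates a locked, shell-less account. The path /usr/local/sbin/addmachine in the smb.conf line and the group name in MACHINE_GROUP are assumptions; on an OpenBSD release whose useradd rejects a trailing "$", substitute the patched useradd or the manual vipw step the text describes.

```sh
#!/bin/sh
# addmachine - "add user script" for Samba PDC machine accounts on OpenBSD.
# Added example; neither the author's nor the Samba project's script.
# Wire it up in [global] with (assumed path):
#     add user script = /usr/local/sbin/addmachine %u
# smbd then runs it as root with the client's NetBIOS name plus a trailing
# "$" (e.g. WS01$). That argument comes from the joining workstation, so it is
# validated strictly before useradd(8) sees it. MACHINE_GROUP is an assumed
# group that must exist beforehand.

MACHINE_GROUP=${MACHINE_GROUP:-machines}
DRY_RUN=${DRY_RUN:-0}   # 1: print the useradd command instead of running it

# valid_machine_name NAME: exactly one "$", at the end, preceded by a NetBIOS
# name of 1-15 characters from [A-Za-z0-9-] starting with a letter or digit.
# Everything else (spaces, slashes, "..", shell metacharacters, a second "$")
# is rejected, so the name can safely become a login name.
valid_machine_name() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9][A-Za-z0-9-]{0,14}\$$'
}

# add_machine_account NAME$: create a locked account with no usable shell or
# home directory; the workstation authenticates with its Samba password only.
add_machine_account() {
    name=$1
    if ! valid_machine_name "$name"; then
        echo "addmachine: refusing invalid machine name: $name" >&2
        return 1
    fi
    if [ "$DRY_RUN" = 1 ]; then
        echo "useradd -g $MACHINE_GROUP -d /nonexistent -s /sbin/nologin -c 'Samba machine account' $name"
        return 0
    fi
    useradd -g "$MACHINE_GROUP" -d /nonexistent -s /sbin/nologin \
        -c 'Samba machine account' "$name"
}

if [ $# -gt 0 ]; then
    add_machine_account "$1"
fi
```

Run it once by hand with DRY_RUN=1 addmachine 'WS01$' to see the exact useradd call before pointing smb.conf at it. The whitelist is deliberately narrower than what NetBIOS allows; a name the script rejects simply fails the join, which is the safer failure.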

Using stunnel to secure SWAT password communication

package: stunnel-3.8.tgz
package: openssl (installed either as source build or ssl2?)
[ref: OpenBSD FAQ 10.6 Setting up a Secure HTTP Server with SSL]
[local: openss# – Secured Communications]
[ref: Samba Book]

Samba itself can be built to talk SSL, which is great but seems to be notoriously difficult (as in really difficult) to roll out in a Windows environment. Forcing at least SWAT through SSL adds one layer of protection: SWAT uses HTTP Basic authentication and needs the root password to change the configuration, so on plain port 901 that password crosses the wire in the clear. Using information from the Samba site and the OpenBSD FAQ, I have put together this step-by-step list for using SSL with SWAT under OpenBSD (done on a 2.7 installation).

1. install the stunnel package

# pkg_add /[location-of-packages]/stunnel-3.8.tgz

After stunnel is installed, you have to create a server certificate and put the result in /etc/ssl/private/stunnel.pem. For more information on how to create certificates, read ssl(8). For more information on stunnel, read stunnel(8).

2. Prepare the certificate for stunnel. The Samba documentation, citing stunnel's, says a blank line is needed between the private key and the certificate and another blank line at the end of the file (make sure you have created the server certificate per the references above). Set a restrictive umask first, since the combined file contains the private key and is created in /etc/ssl before step 3 moves it:

# umask 077
# echo "" > ~/blankline.txt
# cat /etc/ssl/private/server.key ~/blankline.txt /etc/ssl/server.crt ~/blankline.txt > /etc/ssl/stunnel.pem

3. Move the stunnel.pem file to a standardised location

# mv /etc/ssl/stunnel.pem /etc/ssl/private

4. Set the file permissions so that only root can read the file (it contains the private key). Execute bits are meaningless on a PEM file, so use 600 rather than 700; /etc/ssl/private itself should be mode 700.

# chmod 600 /etc/ssl/private/stunnel.pem
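Steps 2 to 4 as one script, added here as an example that is not part of the original HOWTO: the PEM is written straight into /etc/ssl/private under umask 077, so the private key is never briefly world-readable in /etc/ssl, and a check function verifies the mode and contents before stunnel is started. The default paths are the ones the text uses; all three can be overridden, which is how the function is exercised on constructed input.

```sh
#!/bin/sh
# Build and check the stunnel PEM for SWAT: private key, blank line,
# certificate, blank line (the layout the text calls for), created directly
# in the root-only directory so the key is never world-readable on the way.
# Added example, not part of the original HOWTO; the default paths are the
# ones the text uses, and all three can be overridden for testing.

# make_stunnel_pem [KEY] [CERT] [OUT]
make_stunnel_pem() {
    key=${1:-/etc/ssl/private/server.key}
    crt=${2:-/etc/ssl/server.crt}
    out=${3:-/etc/ssl/private/stunnel.pem}
    if [ ! -r "$key" ] || [ ! -r "$crt" ]; then
        echo "make_stunnel_pem: key or certificate not readable" >&2
        return 1
    fi
    # umask 077 inside a subshell: the output file is born mode 0600 and the
    # caller's umask is untouched. The two echo calls are the blank lines.
    ( umask 077 && { cat "$key"; echo; cat "$crt"; echo; } > "$out" ) || return 1
    # umask does not tighten a pre-existing file, so enforce the mode anyway.
    chmod 600 "$out"
}

# check_stunnel_pem [FILE]: what to verify before starting stunnel -
# mode exactly 0600, and exactly one private key plus one certificate inside.
check_stunnel_pem() {
    f=${1:-/etc/ssl/private/stunnel.pem}
    mode=$(ls -ld "$f" | cut -c1-10)
    if [ "$mode" != "-rw-------" ]; then
        echo "$f: mode is $mode, want -rw-------" >&2
        return 1
    fi
    keys=$(grep -c 'BEGIN.*PRIVATE KEY' "$f")
    certs=$(grep -c 'BEGIN CERTIFICATE' "$f")
    if [ "$keys" -ne 1 ] || [ "$certs" -ne 1 ]; then
        echo "$f: found $keys private key(s) and $certs certificate(s), want one each" >&2
        return 1
    fi
}

if [ $# -gt 0 ] && [ "$1" = build ]; then
    make_stunnel_pem "$2" "$3" "$4" && check_stunnel_pem "${4:-/etc/ssl/private/stunnel.pem}"
fi
```

Running the script with the single argument build performs steps 2 to 4 with the defaults and refuses to leave a loosely-permissioned or malformed file behind.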

5. Remove (or comment out) the swat entry in /etc/inetd.conf, otherwise inetd keeps the plaintext listener on port 901 and stunnel cannot bind it, then make inetd re-read its configuration:

# kill -HUP $(cat /var/run/inetd.pid)

6. Start stunnel

# /usr/local/sbin/stunnel -p /etc/ssl/private/stunnel.pem -d 901 -l /usr/local/sbin/swat -- swat

7. We now include stunnel into the configuration for SWAT

Edit the /etc/rc.conf.local file to include the following line:

stunnel_swat=YES

Edit: /etc/rc.local.

After the ‘starting local daemons’ and before the following echo ‘.’, Insert the following instructions to the /etc/rc.local file:

echo -n 'starting local daemons:'
# [ ... stuff left out ... ]

if [ -f /etc/samba/smb.conf ]; then
    if [ X"${smbd}" = X"YES" -a X"${nmbd}" = X"YES" -a X"${stunnel_swat}" = X"YES" -a -x /usr/local/sbin/stunnel ]; then
        echo -n ' stunnel_swat';
        /usr/local/sbin/stunnel -p /etc/ssl/private/stunnel.pem -d 901 -l /usr/local/sbin/swat -- swat
    fi
fi

# [ … stuff left out … ]

echo ‘.’

Now each restart of the machine will check whether stunnel for SWAT is enabled in the configuration file (rc.conf.local) and start it. To disable it, simply change stunnel_swat=YES to stunnel_swat=NO.

Connect to the SSL-enabled site at https://your_sambaserver:901 and accept the certificate. The browser will warn because the certificate is self-signed; compare the fingerprint it shows with the one openssl x509 -noout -fingerprint -in /etc/ssl/server.crt prints on the server before accepting, so that nobody can slip in a certificate of their own on that first connection. Note also that stunnel -d 901 listens on every interface; if the server is reachable from untrusted networks, restrict port 901 with the packet filter to the hosts you administer from.

Optimizing the Kernel

[ref: afterboot(8), config(8), options(4), boot_config(8), OpenBSD FAQ: Kernel Configuration]
[ref: CD1:src.tar.gz]

This is not necessary to get Samba running. Kernel optimization is only worth it if you perceive a performance problem with your Samba configuration and the machine is not so critical that you cannot experiment on it.

I have seen a number of discussions recommending that you can improve the performance of OpenBSD with Samba by increasing the number of NMBCLUSTERS in the kernel. The specific option is noted here and the steps for making the change follow. It seems that the GENERIC kernel is tuned more for streaming protocols than for packet/ack protocols such as SMB. Check first that clusters are actually running out: netstat -m reports mbuf cluster usage, and "mb_map full" messages in the kernel log are the symptom the man page mentions. On later OpenBSD releases the cluster limit is the kern.maxclusters sysctl and can be raised without rebuilding the kernel.

option “NMBCLUSTERS=8192”

From the man page:

option NMBCLUSTERS=value

Size of kernel mbuf cluster map, mb_map, in CLBYTES-sized logical pages. Default on most ports is 256 (512 with “option GATEWAY”). See /usr/include/machine/param.h for exact default information. Increase this value if “mb_map full” messages appear.

Note that the quotation marks are significant (use them) as the option is actually a compiler directive.

A simplified process is listed below, for more details see the man and FAQ references above (config 8, options 4).

After decompressing the OpenBSD source tree onto your hard-disk (/usr/src), do the following:

# cd /usr/src/sys/arch/[$ARCH]/conf

This moves us into the custom configurations for your hardware architecture. Doing a listing in this directory will give you a sample of machine configurations. On my I386 architecture an ls will indicate

# ls -al
CVS GANDALF LUCIFIER OPRAH RAMDISKB SARUMAN
DISKLESS GENERIC Makefile.i386 PETRA RAMDISKC WALDORF
ELBERETH HERMES NETTAN RAMDISK RAMDISK_CD

Make a copy of the GENERIC kernel configuration. Remember that this is the most tested configuration, so let's not stray too far from a 'working' configuration.

# cp GENERIC MYCUSTOMKERNEL

We can now edit the configuration file MYCUSTOMKERNEL to include the directive for NMBCLUSTERS.

Edit /usr/src/sys/arch/[architecture]/conf/MYCUSTOMKERNEL to include:

option “NMBCLUSTERS=8192”

After you have saved the above modifications we can now configure the kernel compilation, and make the kernel.

# config MYCUSTOMKERNEL
Don’t forget to run “make depend”
# cd ../compile/MYCUSTOMKERNEL
# make depend && make

To use the kernel copy the kernel to the root directory and make it available during boot time.

# cp /bsd /bsd.working
# cp /usr/src/sys/arch/[architecture]/compile/MYCUSTOMKERNEL/bsd /bsd.nmb

We first make a backup of the existing/generic kernel (the docs says that most use a sequence like bsd.1 bsd.2 and I’m only using named kernels above as a demonstration.)

Next I copy the customised kernel into the root partition so boot can find it. In our experimental case I do not make it the default kernel.

When you restart your server and get to the boot prompt, we can specify the new kernel we wish to try.

>> OpenBSD i386 BOOT 1.36

boot > bsd.nmb

The boot messages will scroll through your screen and you get to the login prompt. After login in you should see a display of your new kernel.

Last login: (date) from (ip-address)
OpenBSD 2.8 (MYCUSTOMKERNEL) #1: (date-of-compilation)
Welcome to OpenBSD: The proactively secure Unix-like operating system.

If you find the new kernel behaves as expected, without causing other problems on your system, then you can copy the new kernel over the default boot kernel. (Remember to have first backed up your working kernel)

# cp /bsd.nmb /bsd

Please take the time to read the FAQ and afterboot(8) man pages before you continue.
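The whole procedure above, as an added example script that is not part of the original HOWTO: it copies GENERIC, sets the NMBCLUSTERS option without ever producing a duplicate line, runs config and make, and installs the result as /bsd.nmb beside a /bsd.working backup, exactly as the text does by hand. SRC, ARCH and KERN are assumptions taken from the paths the text uses and can be overridden in the environment.

```sh
#!/bin/sh
# Custom-kernel helper for the NMBCLUSTERS change: copies GENERIC, sets the
# option idempotently, builds, and installs the result beside the known-good
# kernel rather than over it. Added example, not part of the original HOWTO.
# Assumes the source tree in /usr/src and the conf/compile layout the text
# shows; SRC, ARCH and KERN can be overridden in the environment.

SRC=${SRC:-/usr/src}
ARCH=${ARCH:-$(machine 2>/dev/null || uname -m)}
KERN=${KERN:-MYCUSTOMKERNEL}

# set_kernel_option CONFIG NAME VALUE: write option "NAME=VALUE" into CONFIG,
# replacing an existing NAME line instead of adding a duplicate, so re-running
# the script is safe. The quotes are kept because the man page says they are
# significant. The first call keeps an untouched copy as CONFIG.orig.
set_kernel_option() {
    conf=$1 name=$2 value=$3
    [ -f "$conf.orig" ] || cp "$conf" "$conf.orig"
    if grep -Eq "^option[[:space:]]+\"?$name=" "$conf"; then
        sed "s/^option[[:space:]]*\"\{0,1\}$name=[^\"]*\"\{0,1\}.*\$/option \"$name=$value\"/" "$conf" > "$conf.tmp" \
            && mv "$conf.tmp" "$conf"
    else
        printf 'option\t"%s=%s"\n' "$name" "$value" >> "$conf"
    fi
}

# kernel_option CONFIG NAME: print the value currently configured for NAME.
kernel_option() {
    sed -n "s/^option[[:space:]]*\"\{0,1\}$2=\([^\"]*\)\"\{0,1\}.*\$/\1/p" "$1"
}

# build_kernel [NMBCLUSTERS]: the config/make sequence from the text.
build_kernel() {
    confdir=$SRC/sys/arch/$ARCH/conf
    [ -f "$confdir/$KERN" ] || cp "$confdir/GENERIC" "$confdir/$KERN"
    set_kernel_option "$confdir/$KERN" NMBCLUSTERS "${1:-8192}"
    ( cd "$confdir" && config "$KERN" ) || return 1
    ( cd "$SRC/sys/arch/$ARCH/compile/$KERN" && make depend && make ) || return 1
}

# install_test_kernel: back up the running kernel once as /bsd.working and
# place the new one as /bsd.nmb, to be chosen at the boot prompt; it only
# becomes the default after you copy it over /bsd yourself.
install_test_kernel() {
    [ -f /bsd.working ] || cp /bsd /bsd.working
    cp "$SRC/sys/arch/$ARCH/compile/$KERN/bsd" /bsd.nmb
}

if [ $# -gt 0 ] && [ "$1" = build ]; then
    build_kernel "$2" && install_test_kernel
fi
```

Run it as build 8192 (or another cluster count) and then boot /bsd.nmb by hand as the text describes; because the option line is replaced rather than appended, trying 4096, then 8192, then 16384 leaves one clean line in the config each time.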

More Kernel Options ?

The below kernel options may be of interest to you, remember that I’m as much in the dark about these things as you are and you’re as likely to kill your machine with my advice as you are to get things working.

From the man page:

option BUFCACHEPERCENT=integer

Percentage of RAM to use as a file system buffer. It defaults to 5.

option QUOTA

Enables kernel support for file system quotas. See quotaon(8), edquota(8), repquota(8), and quota(1) for details. Note that quotas only work on “ffs” file systems, although rpc.rquotad(8) permits them to be accessed over NFS.

Note that option QUOTA is already configured in the /usr/src/sys/conf/GENERIC file which is ‘included’ in the GENERIC configuration. BUFCACHEPERCENT is of interest in my configuration where the OpenBSD Samba server is primarily functioning as a file server and we wish to increase responsiveness to a plethora of multimedia files used by our students.

Getting at Windows Shares

package: Sharity-light_1_2.tgz

Sometimes you want to access a Windows (e.g. Win95, Win98, Win2000, WinNT) file share from within the Unix box. Sharity-Light is similar to the Linux-only smbfs (smbmount, smbumount) and lets you mount a Windows file share onto your Unix file system.

http://www.obdev.at/Products/Sharity.html

Check out the developer’s website above for more information on the “light” version and their commercial product.

Author and Copyright

Copyright (c) 2000/1/2 Samiuela LV Taufa. All Rights Reserved.

I reserve the right to be totally incorrect even at the best advice of betters. In other words, I’m probably wrong in enough places for you to call me an idiot, but don’t ’cause you’ll hurt my sensibilities, just tell me where I went wrong and I’ll try again.

You are permitted and encouraged to use this guide for fun or for profit as you see fit. If you republish this work in what-ever form, it would be nice (though not enforceable) to be credited.

Samba – sharing Files and Printers with Microsoft Windows


Between Two Choices

Why is it that in this world we are so often faced with two or more choices? It would be fine if one of them could simply be ignored and did not matter much for our lives, but what if we are told to choose between two options and both mean a great deal to us... then... what are we supposed to do?

As a last resort we just leave it to Allah SWT; we simply perform salat istikharah... and that settles it, right?

Then I think: I am a human being who was given reason and a mind by Allah SWT, so... do I just have to surrender like that?


SAYBIA — The Second You Sleep

You close your eyes

And leave me naked by your side

You close the door so I can’t see, the love you keep inside

The love you keep for me

It fills me up

It feels like living in a dream

It fills me up so I can’t see

The love you keep inside

The love you keep for me

I stay to watch you fade away

I dream of you tonight

Tomorrow you’ll be gone

It gives me time to stay, to watch you fade away

I dream of you tonight

Tomorrow you’ll be gone

I wish by God you’d stay

I stay awake

I stay awake and watch you breathe

I stay awake and watch you fly, away into the night

Escaping through a dream

I stay to watch you fade away

I dream of you tonight

Tomorrow you’ll be gone

It gives me time to stay

To watch you fade away

I dream of you tonight

Tomorrow you’ll be gone

I wish by God you’d stay

Stay…

Stay…

I stay to watch you fade away

I dream of you tonight

Tomorrow you’ll be gone

It gives me time to stay

To watch you fade away

I dream of you tonight

Tomorrow you’ll be gone

It gives me time to stay

To watch you fade away

I dream of you tonight

Tomorrow you’ll be gone

I wish by God you’d stay

Stay…

Stay…

Stay…

I wish by God you’d stay…


WordPress 2.0.1 Released

It's been exactly one month since we released the well-received WordPress 2.0 release. In the past 4 weeks we've been listening closely to feedback, squashing bugs wherever we find them, and watching how 2.0 handled under different loads.

We've rolled up all the most important fixes into a 2.0.1 release, which is now available for download.
All in all we've closed 114 bugs in the 2.0.1 release, which you're welcome to check out if you're curious about every fix. To summarize:

  • You can now specify an upload directory, and whether to use date-based storage or not.
  • Caching has been fixed under certain PHP environments.
  • Permalinks have been fixed for weird environments as well.
  • XML-RPC uploading works.
  • Compatibility with older versions of PHP.
  • Several WYSIWYG fixes and cleanups.
  • Imports now use much less memory.
  • Now works with MySQL 5.0 in strict mode.

Happy blogging!


Separated – USHER

Oh no, no, no, no

If love was a bird
Then we wouldn’t have wings
If love was a sky
We’d be blue
If love was a choir
You and I could never sing
Cause love isn’t for me and you

If love was an Oscar
You and I could never win
Cause we can never act out our parts
If love is the Bible
Then we are lost in sin
Because its not in our hearts

So why don’t you go your way
And I’ll go mine
Live your life, and I’ll live mine
Baby you’ll do well, and I’ll be fine
Cause we’re better off, separated

If love was a fire
Then we have lost the spark
Love never felt so cold
If love was a light
Then we’re lost in the dark
Left with no one to hold

If love was a sport
We’re not on the same team
You and I are destined to lose
If love was an ocean
Then we are just a stream
Cause love isn’t for me and you

So why don’t you go your way
And I’ll go mine
Live your life, and I’ll live mine
Baby you’ll do well, and I’ll be fine
Cause we’re better off, separated

Girl I know we had some good times
It’s sad but now we gotta say goodbye
Girl you know I love you, I can’t deny
I can’t say we didn’t try to make it work for you and I
I know it hurts so much but it’s best for us
Somewhere along this windy road we lost the trust
So I’ll walk away so you don’t have to see me cry
It’s killing me so, why don’t you go

So why don’t you go your way
And I’ll go mine
Live your life, and I’ll live mine
Baby you’ll do well, and I’ll be fine
Cause we’re better off, separated
