[Samba] how to join to AD ? -Annoyed

Robert LeBlanc robert at leblancnet.us
Thu Dec 17 11:17:13 MST 2009


On Thu, Dec 17, 2009 at 8:23 AM, mistofeles <ptmusta at utu.fi> wrote:

>
>
> Robert LeBlanc wrote:
> >
> > You seem to be having a lot more trouble with this than it should be.
> >
> Yes, I know, I'm stupid ;)
> And after reading hundreds of pages of Samba documentation I still feel
> stupid.
>
> - I didn't find line 'password server = KDC' in your smb.conf. I thought it
> must be there.
> Login/access is OK. Here my troubles begin.
>

Password server by default will query the domain for servers to use, you may
override it and specify an order or pin it to specific servers. I choose to
leave the default so that I don't have to worry about which DCs are up and
if any more are added or removed in the future. I left it out to use the
defaults, check the man page for more info.


> Robert LeBlanc wrote:
> >
> > As far as file security, Samba will honor Linux's file permissions
> > including ACLs.
> >
> It seems that I do not understand the system Samba handles the permissions.
>
> It seems that in terminal Linux 'User' permissions (rwx------) are used but
> in Samba the access is determined with 'World' (------rwx), if group is not
> valid AD group. Or it is determined by 'Group' (---rwx---), if the group is
> valid 'domain users'.
>

Linux and Samba will try the user's permissions, then group and then other.
This makes permission fall through more easily as generally you will give
more permissions to users and less permissions to other (world). Since we
usually use ACLs, user and group are given all permissions (usually they
need all permissions in most cases) and then give more restricted access
using ACL to other users and groups. The world permissions are set as normal
since ACLs don't make much sense in this situation. I usually map this to
the Everyone group in Windows in my head. Basically, our Linux users who
log in to the system have the same exact access as they do over Samba. Maybe
one of my share defs can help:

[users]
   comment = Life Sciences user share
   browseable = yes
   path = /ls/users
   guest ok = no
   read only = no
   admin users = lfsci-csr
   create mask = 0770
   directory mask = 0770
   veto files = /.forward/.bash*/.profile/
   dos filemode = yes
   posix locking = no
   hide unreadable = yes
   vfs objects = shadow_copy2
   shadow:snapdir = /ls/snapshots/users
   shadow:basedir = /ls/users
   shadow:fixinodes = yes

We have one share and users have folders that only they can see.

drwxr-sr-x  57 root     root      4.0K 2009-12-17 03:14 users

A user folder:
drwxrws--- 18 rleblanc    lfsci-csr 4.0K 2009-12-14 10:05 rleblanc

When someone with no access connects to the share, they see a blank screen.
When I access the same share (I'm a member of lfsci-csr), I see everyone's
folder. When a regular user logs in, they only see their folder. This allows
me to quickly help someone when they are having data problems, as that share
is already mapped on my machines.



> After reading your message twice I made some tuning and found that this
> line
> in [homes] made the permissions work:
>  path = /home/%U
> Note %U. With %S it left users directories wide open RW if d---rwx---
> My conf's are still mostly as I have laid them.
>
> Now there is some funny behaviour. If I query \\myserver\somebody (somebody
> is a member of AD) on the WinXP MyComputer address line, I get my own
> directory \\myserver\myself in window.
> This doesn't matter, it happens in my old samba 2 server too.
>
> Another funny thing is that in Win there is both: 'homes' and 'myself' and
> they both are connected to 'homes'.
>
> After all this hacking my smb.conf is full of garbage, but it works. I will
> collect my conf's to my WWW page ASAP.
>
I've cut out as much stuff as I could from my smb.conf file, and the
defaults work great most of the time. If you have time, you might want to
see what can be thrown out to make reading your conf a little easier.

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
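The two points argued back and forth above (which permission class applies to a connecting user, and why `path = /home/%S` in `[homes]` behaved differently from `%U`) can be checked without a Samba server. The script below is an added example written for this archive page; it is not code from the thread, from Samba, or from either poster. It models the POSIX rule that the kernel applies on Samba's behalf: the owner's bits are used if the caller is the owner, otherwise the group's bits if the caller is in the owning group, otherwise the "other" bits, and the first matching class is final (a zero owner class is not rescued by an open group class). It also expands `%U` (session user) and `%S` (requested service name) the way smb.conf does. Users, groups and the `%S` request are constructed for the demonstration; POSIX ACL entries and the ACL mask are deliberately not modelled.

```shell
#!/bin/sh
# Constructed example: simulate the mode-bit check behind a Samba share
# and the %U / %S substitution in [homes]. Not Samba code; all users,
# groups and paths are hypothetical.

# access_class MODE OWNER GROUP USER "GROUPS"
#   MODE is a 10-character ls(1) mode string such as drwxrws---.
#   Prints the three permission characters that apply to USER, with the
#   setgid/sticky markers (s/S, t/T) normalised to x/-.
access_class() {
  mode=$1; owner=$2; group=$3; user=$4; groups=$5
  if [ "$user" = "$owner" ]; then
    bits=$(printf '%s' "$mode" | cut -c2-4)        # owner class
  elif printf ' %s ' "$groups" | grep -q " $group "; then
    bits=$(printf '%s' "$mode" | cut -c5-7)        # group class
  else
    bits=$(printf '%s' "$mode" | cut -c8-10)       # other (world) class
  fi
  printf '%s\n' "$bits" | tr 'sStT' 'x-x-'
}

# has_perm MODE OWNER GROUP USER "GROUPS" r|w|x
#   Exit status 0 if the requested bit is granted to USER.
has_perm() {
  bits=$(access_class "$1" "$2" "$3" "$4" "$5")
  case $6 in
    r) [ "$(printf '%s' "$bits" | cut -c1)" = r ] ;;
    w) [ "$(printf '%s' "$bits" | cut -c2)" = w ] ;;
    x) [ "$(printf '%s' "$bits" | cut -c3)" = x ] ;;
    *) return 2 ;;
  esac
}

# homes_path TEMPLATE SESSION_USER SERVICE
#   Expands %U (the authenticated session user) and %S (the share name the
#   client asked for) the way smb.conf does for a [homes] path.
homes_path() {
  printf '%s\n' "$1" | sed "s/%U/$2/g; s/%S/$3/g"
}

demo() {
  # Constructed listing in the shape of the one quoted in the thread.
  mode='drwxrws---'; owner='rleblanc'; group='lfsci-csr'
  for who in 'rleblanc:domain-users' 'helpdesk:domain-users lfsci-csr' 'bob:domain-users'; do
    u=${who%%:*}; g=${who#*:}
    printf '%-10s groups=[%s] -> %s\n' "$u" "$g" "$(access_class "$mode" "$owner" "$group" "$u" "$g")"
  done
  # With d---rwx--- the owner is locked out while every group member gets in.
  printf 'owner on d---rwx---: %s\n' "$(access_class d---rwx--- bob domain-users bob domain-users)"
  printf 'peer  on d---rwx---: %s\n' "$(access_class d---rwx--- bob domain-users alice domain-users)"
  # %S follows the requested name; %U follows who actually authenticated.
  printf '%%U for alice asking for \\\\server\\somebody: %s\n' "$(homes_path /home/%U alice somebody)"
  printf '%%S for alice asking for \\\\server\\somebody: %s\n' "$(homes_path /home/%S alice somebody)"
}

demo
```

Running it shows the quoted listing from the thread behaving as described (owner and `lfsci-csr` members get `rwx`, everyone else `---`), and shows why a group-open mode combined with `%S` hands one user another user's directory: the path is chosen from the name in the request, not from the session, so only the mode bits on that directory stand between the two accounts.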

