[Samba] Samba as fileserver on Active Directory domain
Ivan Ordonez
iordonez at berkeley.edu
Mon Oct 5 17:49:40 MDT 2009
I was able to set ACLs with a local username but can't do it with a domain
username or groups.
hostname ~ # getfacl /shared/drive
getfacl: Removing leading '/' from absolute path names
# file: shared/drive
# owner: mylocalusername
# group: root
user::rwx
group::r-x
other::r-x
default:user::rwx
default:group::rwx
default:other::r-x
When I tried to set ACLs for a domain account or group, it was an invalid
option.
hostname ~ # setfacl -m g:"DOMAIN+Domain Admins":rwx /shared/drive
setfacl: Option -m: Invalid argument near character 3
hostname ~ # setfacl -m g:"DOMAIN+myusername":rwx /shared/drive
setfacl: Option -m: Invalid argument near character 3
I believe the drive is mounted and ACL is enabled.
hostname ~ # mount
/dev/hda3 on / type ext3 (rw,noatime,acl)
Here is my /etc/fstab
/dev/hda3 / ext3 noatime,acl 0 1
What I find odd is that running the wbinfo and getent commands is very
inconsistent. I would sometimes get a result and sometimes not.
hostname ~ # wbinfo -u
Error looking up domain users
Any other suggestions?
Thanks.
Robert LeBlanc wrote:
> Sorry, my bad, 3.3.8 was the security release. It sounds like it is
> working however. As far as ACLs, make sure that ACLs are turned on on
> your file system (mount -o acl for most filesystems) and then make sure
> you have the ACL packages for your distro installed (Debian apt-get
> install acl). Then it's a matter of using the setfacl command like
> `setfacl -m d:u:<ad-user>:rwx,u:<ad-user>:rwx,d:g:<ad-group>:rx,g:<ad-group>:rx /my/shared/dir`.
>
> You can add as many ACLs as you want, remember that the linux default
> rwx perms sets the max for ACL users and groups. If the linux user
> (owner) ACL is rx, then even though an ACL specifies another user with
> rwx, they will only have rx. The second thing to remember is that the
> default ACL is not needed, but if specified will set those ACLs on all
> new files and directories and act much like Windows. If you set the
> permissions using Windows, the default ACL will be set. Thirdly, only
> the Linux user and group have the file counted against their quota;
> permissions assigned in ACLs do not affect those users' and groups'
> quotas. Fourthly, some applications are not ACL aware, Apache for
> instance does not look at ACLs on Linux. To check your set ACLs, use
> getfacl /this/is/my/file.
>
> Hope that helps.
>
> Robert LeBlanc
> Life Sciences & Undergraduate Education Computer Support
> Brigham Young University
>
>
> On Mon, Oct 5, 2009 at 2:34 PM, Ivan Ordonez <iordonez at berkeley.edu> wrote:
>
> I was able to install 3.3.8 version of Samba. I am running it
> now. I can see shares, but could not write at all.
>
> ACL seems simple but I can't get it to work. Any help or advise
> would be greatly appreciated.
>
>
> Robert LeBlanc wrote:
>> The changes have not made it into a 3.3.x release yet, 3.3.7 was
>> a security release, ideally 3.3.8 should have the fix. There were
>> quite a number of configuration changes from 3.0.x to 3.3.x in
>> regards to Active Directory, you may not be able to use your old
>> config without updating some things.
>>
>> Robert LeBlanc
>> Life Sciences & Undergraduate Education Computer Support
>> Brigham Young University
>>
>>
>> On Mon, Oct 5, 2009 at 10:02 AM, Ivan Ordonez
>> <iordonez at berkeley.edu> wrote:
>>
>>
>> I am using Samba version 3.0.36. When I upgraded to 3.3.7, I
>> got some "realm" complaints when I ran testparm and some
>> "ADS" related errors. The 3.3.7 version is masked by Gentoo
>> portage and I am not sure if it will be available soon.
>>
>> Thanks,
>> -Ivan
>>
>>
>> Robert LeBlanc wrote:
>>> What version of samba are you using? I submitted a patch to
>>> Samba that is in 3.4.1 and slated for the next version of
>>> 3.3.x that fixes the workgroup/realm thing. It falls back to
>>> SPNEGO without the patch, but it takes a little while; the
>>> patch speeds things up.
>>>
>>> Robert LeBlanc
>>> Life Sciences & Undergraduate Education Computer Support
>>> Brigham Young University
>>>
>>>
>>> On Fri, Oct 2, 2009 at 11:09 AM, Jonathan Petersson
>>> <jpetersson at garnser.se> wrote:
>>>
>>> How did you solve the Kerberos portion of things? When winbind tries
>>> to connect to my server the Kerberos session fails as it tries to
>>> connect with the workgroup instead of the realm.
>>>
>>> Thanks
>>>
>>> /Jonathan
>>>
>>> On Fri, Oct 2, 2009 at 9:36 AM, Ivan Ordonez
>>> <iordonez at berkeley.edu> wrote:
>>> >
>>> >
>>> > Jonathan Petersson wrote:
>>> >>
>>> >> Hi Ivan,
>>> >>
>>> >> I'm working on a similar thing but am having some issues with the
>>> >> Kerberos sessions between samba and AD. Is your Samba server a member
>>> >> of a Win2k8R2 or a Win2k3 domain?
>>> >>
>>> >> Thanks
>>> >>
>>> >> /Jonathan
>>> >>
>>> >> On Fri, Oct 2, 2009 at 9:00 AM, Ivan Ordonez
>>> >> <iordonez at berkeley.edu> wrote:
>>> >>
>>> >>>
>>> >>> Robert LeBlanc wrote:
>>> >>>
>>> >>>>
>>> >>>> What are the permissions on /shared/drive? We use ACLs to control
>>> >>>> access rather than smb.conf. This gives us great flexibility and
>>> >>>> you can kind of manage it using a Windows machine. If you have a
>>> >>>> Kerberos keytab generated, you can smbmount on Linux using
>>> >>>> -o sec=krb5 and no passwords are needed; it also obeys ACLs. The
>>> >>>> only catch is that you need to use RID or LDAP for uid/gid mapping
>>> >>>> or else your permissions won't line up.
>>> >>>>
>>> >>>> Robert LeBlanc
>>> >>>> Life Sciences & Undergraduate Education Computer Support
>>> >>>> Brigham Young University
>>> >>>>
>>> >>>>
>>> >>>> On Thu, Oct 1, 2009 at 10:14 AM, Ivan Ordonez
>>> >>>> <iordonez at berkeley.edu> wrote:
>>> >>>>
>>> >>>> Hello,
>>> >>>>
>>> >>>> We have a Gentoo box running Samba and it is a member of the
>>> >>>> Active Directory domain. This Gentoo box will be a fileserver when
>>> >>>> everything is completed and set up as it should be. I want our users
>>> >>>> to log in to their computers (computers are all members of the same
>>> >>>> Active Directory domain) using Active Directory accounts/domain
>>> >>>> for authentication. I am using Winbind for Active Directory
>>> >>>> authentication/integration. I'm almost done except for a file
>>> >>>> permission issue. All is working smoothly (i.e. wbinfo, smbclient,
>>> >>>> getent, etc.). I can access/map the shared drive on the Gentoo box
>>> >>>> from any Windows computer, and log in to a machine without a problem
>>> >>>> using Active Directory accounts. The Active Directory authentication
>>> >>>> with Winbind is working as it should.
>>> >>>>
>>> >>>> For some odd reason, I can't figure out how to give all users
>>> >>>> permission to make changes/add new folders on the shared drive. I
>>> >>>> am getting access denied even when the users or group are valid
>>> >>>> users of the shared drive per smb.conf. Below is my smb.conf shared
>>> >>>> configuration:
>>> >>>>
>>> >>>> [shared]
>>> >>>> comment = shared
>>> >>>> path = /shared/drive
>>> >>>> read only = no
>>> >>>> inherit permissions = yes
>>> >>>> create mask = 755
>>> >>>> directory mask = 755
>>> >>>> valid users = @"MYDOMAIN+mygroup"
>>> >>>> browseable = yes
>>> >>>> writable = yes
>>> >>>>
>>> >>>> Any help would be greatly appreciated.
>>> >>>>
>>> >>>> -Ivan
>>> >>>> --
>>> >>>> To unsubscribe from this list go to the following URL and read the
>>> >>>> instructions: https://lists.samba.org/mailman/options/samba
>>> >>>>
>>> >>>>
>>> >>>
>>> >>> Hi,
>>> >>>
>>> >>> The files and folders on the shared drive are owned by a local Linux
>>> >>> account. The permissions are read, write and execute by the owner,
>>> >>> and read and write by group and all. I was hoping that smb.conf would
>>> >>> control the shared drive access but I am having a hard time doing so.
>>> >>> I would like to use ACLs if that is the best way to make it work.
>>> >>> Would you mind giving me a few pointers or pointing me in the right
>>> >>> direction to get started on ACLs? I am no LDAP expert but I think I
>>> >>> can get by if I have to use it.
>>> >>>
>>> >>> Thanks!
>>> >>>
>>> >>> -Ivan
>>> >>>
>>> >>>
>>> >
>>> > Hi Jonathan,
>>> >
>>> > Our Samba server is a member of Win2k8R2 domain.
>>> > Thanks,
>>> > -Ivan
>>> >
>>>
>>>
>>
>
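An added example to go with this thread (it is not code from any of the posters): a Python script that reads ACL entries in the format getfacl prints in Ivan's listing, applies the mask entry to show the effective permissions that Robert describes as the "max" for ACL users and groups, and builds a setfacl command in the u / d:u / g / d:g shape Robert gives, quoting AD names such as DOMAIN+Domain Admins that contain a space so the shell passes them through intact. The sample listing (Ivan's getfacl output with two AD entries and a mask added), the nss_resolvable check and the build_setfacl helper are constructed for this example. setfacl resolves named entries through NSS itself, so a name that getent cannot resolve (as when winbind is not answering, per the wbinfo error above) is rejected here before any command is produced rather than failing with "Invalid argument" later.

```python
"""Added example: effective POSIX ACL permissions from getfacl text, plus a
shell-safe setfacl command builder for AD principals (constructed, not from
the Samba thread). Python 3.8+."""
import grp
import pwd
import shlex
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Tuple

PERM_BITS = {"r": 4, "w": 2, "x": 1}


def perm_to_bits(perm: str) -> int:
    """'rwx' -> 7, 'r-x' -> 5; dashes are ignored."""
    return sum(PERM_BITS[c] for c in perm if c in PERM_BITS)


def bits_to_perm(bits: int) -> str:
    return "".join(c if bits & b else "-" for c, b in PERM_BITS.items())


@dataclass(frozen=True)
class AclEntry:
    default: bool      # True for entries of the default (inherited) ACL
    tag: str           # user, group, mask or other
    qualifier: str     # '' for the owner / owning-group entries
    perms: int         # rwx as an integer 0-7


def parse_getfacl(text: str) -> List[AclEntry]:
    """Parse the body of getfacl output; '#' comment lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        line = line.split("#", 1)[0].rstrip()   # drop '#effective:...' notes
        default = line.startswith("default:")
        if default:
            line = line[len("default:"):]
        tag, rest = line.split(":", 1)
        # Split the permission field off from the right so a qualifier with
        # spaces ('DOMAIN+Domain Admins') survives intact.
        qualifier, perm = rest.rsplit(":", 1)
        entries.append(AclEntry(default, tag, qualifier, perm_to_bits(perm)))
    return entries


def effective_perms(entries: Iterable[AclEntry]) -> Dict[Tuple[bool, str, str], str]:
    """Permissions the kernel actually grants per entry. The mask caps named
    users, named groups and the owning group; user:: and other:: are exempt."""
    entries = list(entries)
    result = {}
    for default in (False, True):
        subset = [e for e in entries if e.default == default]
        mask = next((e.perms for e in subset if e.tag == "mask"), None)
        for e in subset:
            bits = e.perms
            capped = (e.tag == "user" and e.qualifier != "") or e.tag == "group"
            if mask is not None and capped:
                bits &= mask
            result[(e.default, e.tag, e.qualifier)] = bits_to_perm(bits)
    return result


def nss_resolvable(name: str, is_group: bool) -> bool:
    """True if NSS (which winbind feeds) knows the name; setfacl does the same
    lookup and reports 'Invalid argument' when it fails. Hypothetical helper."""
    try:
        grp.getgrnam(name) if is_group else pwd.getpwnam(name)
        return True
    except KeyError:
        return False


def build_setfacl(path: str, users: Iterable[str] = (), groups: Iterable[str] = (),
                  user_perms: str = "rwx", group_perms: str = "rx",
                  resolver: Callable[[str, bool], bool] = nss_resolvable) -> str:
    """Shell-safe 'setfacl -m' command with an access entry and a default
    entry per principal, refusing names the resolver cannot find."""
    principals = [(u, False, user_perms) for u in users] + \
                 [(g, True, group_perms) for g in groups]
    specs = []
    for name, is_group, perms in principals:
        if not resolver(name, is_group):
            kind = "group" if is_group else "user"
            raise ValueError(f"{kind} {name!r} is not resolvable via NSS")
        tag = "g" if is_group else "u"
        specs.append(f"{tag}:{name}:{perms}")     # access ACL entry
        specs.append(f"d:{tag}:{name}:{perms}")   # default entry for new files
    return "setfacl -m " + shlex.quote(",".join(specs)) + " " + shlex.quote(path)


# Constructed sample: Ivan's listing with two AD entries and a mask added.
SAMPLE_GETFACL = """\
# file: shared/drive
# owner: mylocalusername
# group: root
user::rwx
user:DOMAIN+myusername:rwx
group::r-x
group:DOMAIN+Domain Admins:rwx
mask::r-x
other::r-x
default:user::rwx
default:group::rwx
default:other::r-x
"""

if __name__ == "__main__":
    for key, perm in effective_perms(parse_getfacl(SAMPLE_GETFACL)).items():
        print(key, perm)
    print(build_setfacl("/shared/drive", groups=["DOMAIN+Domain Admins"],
                        resolver=lambda name, is_group: True))
```

Running it shows both AD entries reduced to r-x by the mask::r-x line even though they were written as rwx, which is the cap Robert warns about; raising the mask (setfacl -m m::rwx) or letting setfacl recalculate it lifts the limit. The resolver is passed in explicitly in the demo call so the script runs on a box that is not a domain member; on the file server itself the default nss_resolvable does the real getpwnam/getgrnam lookup.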