[Samba] Use Samba with ACL for read Active Directory and set Permissions via it.

Jason Long hack3rcon at yahoo.com
Sat Dec 27 07:18:53 MST 2014


Thank you so much. I changed my "smb.conf" and "password-auth-ac". I attached the two files for you so you can see them. My problem is not solved :( and the login window showed and did not accept my username and password; I attached that too. I paste my "fstab" file here and as you can see "acl" is enabled for "root":
#
# /etc/fstab
# Created by anaconda on Wed Dec 24 10:02:57 2014
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
/dev/mapper/vg_print-lv_root /                       ext4    acl,defaults        1 1
UUID=9ad25e0f-4f1a-4c6a-a419-98a016fcc30d /boot                   ext4    defaults        1 2
/dev/mapper/vg_print-lv_swap swap                    swap    defaults        0 0
tmpfs                   /dev/shm                tmpfs   defaults        0 0
devpts                  /dev/pts                devpts  gid=5,mode=620  0 0
sysfs                   /sys                    sysfs   defaults        0 0
proc                    /proc                   proc    defaults        0 0
I paste the "getfacl" output for the test directory here:
getfacl test/
# file: test/
# owner: jasondomain\134jason
# group: jasondomain\134grp-jason-rw
user::rwx
group::r-x
group:jasondomain\134grp-jason-rw:rwx
mask::rwx
other::r-x
After changing "password-auth-ac", when I want to restart the "winbind" service it shows me an error as below:
# service smb restart
Shutting down SMB services:                                [  OK  ]
Starting SMB services:                                     [  OK  ]
# service winbind restart
Shutting down Winbind services:                            [FAILED]
Starting Winbind services:                                 [  OK  ]

In your opinion what is the problem?


     On Saturday, December 27, 2014 4:12 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:

  On 27/12/14 11:55, Jason Long wrote:

  You are right. I joined my Linux box into the Windows domain. Of course. I attached my "smb.conf". Can you see it?

       On Saturday, December 27, 2014 3:36 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:

 On 27/12/14 06:44, Jason Long wrote:
 > Thank you so much.
 > No, I'm not. I joined my Linux to the Windows domain because of AD. I can define some users in my Linux and Windows clients use them to open shares and ... but my problem is that I have a lot of users and groups and redefining all of them in Linux is a little silly :(. I joined my Linux to the Windows domain in order to use AD users and groups.
 >
 > About your question:
 > "Where did you setup the password for 'jasondomain\jason'?  Again, if you
 > didn't set a password, more modern versions of windows won't allow you to
 > login (or attach a share) remotely."
 >
 > I must say that "jason" is defined in AD on the Windows OS and I use it to log in to Linux.
 >
 >
 > "You don't say what happens when you try to open 'test'.  You say it can't let you?  What error message does it give you? "
 > It doesn't show me any error and just shows the login window again :(.
 >
 > On Friday, December 26, 2014 2:35 PM, Linda W <samba at tlinx.org> wrote:
 > Jason Long wrote:
 >> Hello Folks.
 >> How are you?
 >>
 >> I joined my CentOS into a Windows domain and I want to give permissions to files and directories via Active Directory. When I use "getent passwd" and "getent group", I can see all AD users and groups. I use the command below to give permission to a folder via ACL:
 >>
 >> setfacl -m g:"jasondomain\jason-rw":rwx /home/local/jasondomain/jason/test
 >>
 >> and I create a part for my "smb.conf" file :
 >>
 >> [Test]
 >> comment = test
 >> path = /home/local/jasondomain/jason/test
 >> browsable = yes
 >> inherit acls = yes
 >> inherit permissions = yes
 >> inherit owner = yes
 >> map acl inherit = yes
 >> acl check permissions = yes
 >> nt acl support = yes
 >> #valid users = %D\%S
 >> #write list = @jasondomain\domain^admins
 >> read only = no
 >>
 >>
 >> but when I browse the "Test" directory it asks me for a username and password, and when I enter "jasondomain\jason" as the username it doesn't let me open the "Test" directory. What is the problem?
 >>
 > ----
 >      Are you already logged into the server under different credentials,
 > like 'WORKGROUP', jason (i.e. do you already have some shares mounted?)
 >
 > If I remember, Windows won't allow the same workstation to connect under
 > two different user id's.  If you already have something mounted from your
 > workstation with different credentials, you need to close (unmount / unmap)
 > those other connections.
 >
 > Where did you setup the password for 'jasondomain\jason'?  Again, if you
 > didn't set a password, more modern versions of windows won't allow you to
 > login (or attach a share) remotely.
 >
 > You don't say what happens when you try to open 'test'.  You say it can't let
 > you?  What error message does it give you?
 
 OK, If I understand you correctly, you have setup samba on a Centos 
 machine and joined it to a windows machine, is this correct ?
 
 Could you post the entire smb.conf from your Centos machine.
 
 Rowland
 
 -- 
 To unsubscribe from this list go to the following URL and read the
 instructions:  https://lists.samba.org/mailman/options/samba 
 OK, after wading through all the un-needed lines, I got this:
 
 [global]
     workgroup = MYGROUP
     server string = Samba Server Version %v    
     # logs split per machine
     log file = /var/log/samba/log.%m
     # max 50KB per log file, then rotate
     max log size = 50
     security = user
     passdb backend = tdbsam
     load printers = yes
     cups options = raw
     
 [homes]
     comment = Home Directories
     browseable = no
     writable = yes
     
 [printers]
     comment = All Printers
     path = /var/spool/samba
     browseable = no
     guest ok = no
     writable = no
     printable = yes
     
 [Test]
 comment = Public Stuff
 path = /home/local/HAMSHAHRY/jokar/test/
 browsable = yes
 inherit acls = yes
 inherit permissions = yes
 inherit owner = yes
 map acl inherit = yes
 acl check permissions = yes
 nt acl support = yes
 read only = no
 
 Try changing 'security = user' to 'security = ads' and adding the required winbind & idmap lines, see: https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
 
 Yes, I know it says 'member server', but you can use it for a client as well.
 
 Rowland
 
 
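The thread turns on three things that can each be checked on their own: whether the filesystem under the share is mounted with the acl option (the fstab posted above), whether the POSIX ACL really grants the domain group the rights setfacl was asked for (the getfacl output, which is limited by the mask entry), and whether smb.conf describes an AD member at all (the "security = ads" plus winbind/idmap parameters Rowland points to). The script below is an added example, not code from the thread or from the Samba project. The sample fstab, getfacl output and smb.conf fragments are constructed from what was posted; the realm JASONDOMAIN.EXAMPLE, the idmap ranges and the placeholder UUID are assumptions and would be replaced with the real domain's values.

```python
"""Three sanity checks for a Samba share whose permissions come from AD
(added example; inputs are constructed, realm and idmap ranges are placeholders)."""
import re

# --- 1. fstab: is 'acl' among the mount options of the share's filesystem? ---

def parse_fstab(text):
    """Map each mount point to its set of mount options, skipping comments."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and not fields[0].startswith("#"):
            mounts[fields[1]] = set(fields[3].split(","))
    return mounts

def acl_enabled(path, fstab_text):
    """True if the longest mount point that contains path carries 'acl'."""
    mounts = parse_fstab(fstab_text)
    best = max((mp for mp in mounts
                if path == mp or path.startswith(mp.rstrip("/") + "/")),
               key=len, default=None)
    return best is not None and "acl" in mounts[best]

# --- 2. getfacl: effective rights of a named group, honouring the mask ---

def _unescape(name):
    # getfacl prints special bytes as \ooo octal escapes, e.g. \134 for '\'
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)

def effective_group_perms(getfacl_text, group):
    """Return 'rwx'-style rights for group, or None if it has no ACL entry.
    Named group entries are capped by the mask:: entry, so a group set to rwx
    still only gets r-x when the mask is r-x."""
    mask, perms = "rwx", None
    for line in getfacl_text.splitlines():
        line = line.strip()
        if line.startswith("mask::"):
            mask = line.split("::")[1]
        elif line.startswith("group:") and not line.startswith("group::"):
            _, name, p = line.rsplit(":", 2)
            if _unescape(name) == group:
                perms = p
    if perms is None:
        return None
    return "".join(c if c in mask else "-" for c in perms)

# --- 3. smb.conf: does [global] describe an AD member server? ---

def parse_smb_conf(text):
    """Keys are case-insensitive and ignore internal spaces ('nt acl support')."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf[section] = {}
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            conf[section][key.lower().replace(" ", "")] = value.strip()
    return conf

def lint_ad_member(text, domain):
    """List what is missing for an AD member config; an empty list means OK."""
    g = parse_smb_conf(text).get("global", {})
    problems = []
    if g.get("security", "").lower() != "ads":
        problems.append("security = %s (need ads)" % g.get("security", "<unset>"))
    d = domain.lower()
    for key in ("realm", "workgroup", "idmapconfig*:backend", "idmapconfig*:range",
                "idmapconfig%s:backend" % d, "idmapconfig%s:range" % d):
        if key not in g:
            problems.append("missing " + key)
    return problems

# --- constructed inputs, shortened from what was posted in the thread ---
FSTAB = """\
# /etc/fstab
/dev/mapper/vg_print-lv_root /      ext4  acl,defaults  1 1
UUID=PLACEHOLDER-BOOT-UUID   /boot  ext4  defaults      1 2
"""
GETFACL = r"""# file: test/
# owner: jasondomain\134jason
# group: jasondomain\134grp-jason-rw
user::rwx
group::r-x
group:jasondomain\134grp-jason-rw:rwx
mask::rwx
other::r-x
"""
SHARE = """\
[Test]
    path = /home/local/jasondomain/jason/test
    inherit acls = yes
    nt acl support = yes
    read only = no
"""
SMB_CONF_AS_POSTED = "[global]\n    workgroup = MYGROUP\n    security = user\n" \
                     "    passdb backend = tdbsam\n" + SHARE
# Hypothetical corrected [global] in the shape of the wiki's member-server page.
SMB_CONF_AD_MEMBER = """\
[global]
    workgroup = JASONDOMAIN
    realm = JASONDOMAIN.EXAMPLE
    security = ads
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config JASONDOMAIN : backend = rid
    idmap config JASONDOMAIN : range = 10000-999999
    winbind use default domain = yes
""" + SHARE

if __name__ == "__main__":
    share_path = "/home/local/jasondomain/jason/test"
    print("acl on share filesystem:", acl_enabled(share_path, FSTAB))
    print("domain group rights:", effective_group_perms(GETFACL, "jasondomain\\grp-jason-rw"))
    print("as posted:", lint_ad_member(SMB_CONF_AS_POSTED, "JASONDOMAIN"))
    print("AD member:", lint_ad_member(SMB_CONF_AD_MEMBER, "JASONDOMAIN"))
```

Run against the constructed inputs, the ACL check passes and the domain group does get rwx, which matches the getfacl paste; what fails is the config lint on the posted smb.conf, since "security = user" with a tdbsam backend never consults the domain, so a "jasondomain\jason" login can only be checked against local accounts and is bounced back to the login window. The lint's required keys are the ones the linked wiki page lists; adjust the domain argument and ranges to the real environment.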