[Samba] Use Samba with ACL for read Active Directory and set Permissions via it.

Rowland Penny rowlandpenny at googlemail.com
Sat Dec 27 08:01:47 MST 2014


On 27/12/14 14:18, Jason Long wrote:
> Thank you so much.
> I changed my "smb.conf" and "password-auth-ac". I attached the two files 
> for you so you can see them. My problem is not solved :( and the login 
> window appeared and did not accept my username and password; I attached that too.
> I paste my "fstab" file here and, as you see, "acl" is enabled for 
> "root":
>
> #
> # /etc/fstab
> # Created by anaconda on Wed Dec 24 10:02:57 2014
> #
> # Accessible filesystems, by reference, are maintained under '/dev/disk'
> # See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more 
> info
> #
> /dev/mapper/vg_print-lv_root / ext4    acl,defaults        1 1
> UUID=9ad25e0f-4f1a-4c6a-a419-98a016fcc30d /boot             ext4   
>  defaults        1 2
> /dev/mapper/vg_print-lv_swap swap  swap    defaults        0 0
> tmpfs                   /dev/shm                tmpfs   defaults       
>  0 0
> devpts                  /dev/pts  devpts  gid=5,mode=620  0 0
> sysfs                   /sys                    sysfs   defaults       
>  0 0
> proc                    /proc                   proc    defaults       
>  0 0
>
> I paste "getfacl" for test directory here :
>
> getfacl test/
> # file: test/
> # owner: jasondomain\134jason
> # group: jasondomain\134grp-jason-rw
> user::rwx
> group::r-x
> group:jasondomain\134grp-jason-rw:rwx
> mask::rwx
> other::r-x
>
> After changing "password-auth-ac", when I want to restart the "winbind" 
> server it shows me an error as below:
>
> #service smb restart
> Shutting down SMB services:                    [  OK  ]
> Starting SMB services:                           [  OK  ]
> # service winbind restart
> Shutting down Winbind services:              [FAILED]
> Starting Winbind services:                     [  OK  ]
>
>
> In your opinion what is the problem?
>
>
>
> On Saturday, December 27, 2014 4:12 AM, Rowland Penny 
> <rowlandpenny at googlemail.com> wrote:
>
>
> On 27/12/14 11:55, Jason Long wrote:
>> You are right. I joined my Linux box to the Windows domain.
>> Of course. I attached my "smb.conf". Can you see it?
>>
>>
>> On Saturday, December 27, 2014 3:36 AM, Rowland Penny 
>> <rowlandpenny at googlemail.com> <mailto:rowlandpenny at googlemail.com> wrote:
>>
>>
>> On 27/12/14 06:44, Jason Long wrote:
>>
>> > Thank you so much.
>> > No, I'm not. I joined my Linux to the Windows domain because of AD. I 
>> > can define some users in my Linux and Windows clients use them to open 
>> > shares and ... but my problem is that I have a lot of users and groups 
>> > and redefining all of them in Linux is a little silly :(. I joined my 
>> > Linux to the Windows domain in order to use AD users and groups.
>> >
>> > About your question:
>> > "Where did you set up the password for 'jasondomain\jason'? Again, if you
>> > didn't set a password, more modern versions of windows won't allow you to
>> > login (or attach a share) remotely."
>> >
>> > I must say that "jason" is defined in AD on the Windows OS and I use it 
>> > for logging into Linux.
>> >
>> >
>> > "You don't say what happens when you try to open 'test'.  You say 
>> > it can't let you?  What error message does it give you? "
>> > It doesn't show me any error and just shows the login window again :(.
>> >
>> >
>> >
>> >
>> > On Friday, December 26, 2014 2:35 PM, Linda W <samba at tlinx.org 
>> <mailto:samba at tlinx.org>> wrote:
>> > Jason Long wrote:
>> >> Hello Folks.
>> >> How are you?
>> >>
>> >> I joined my CentOS to a Windows domain and I want to give 
>> >> permissions to files and directories via Active Directory. When I use 
>> >> "getent passwd" and "getent group", I can see all AD users and 
>> >> groups. I use the command below to give permission to a folder via ACL:
>> >>
>> >> setfacl -m g:"jasondomain\jason-rw":rwx /home/local/jasondomain/jason/test
>> >>
>> >> and I create a part for my "smb.conf" file :
>> >>
>> >> [Test]
>> >> comment = test
>> >> path = /home/local/jasondomain/jason/test
>> >> browsable = yes
>> >> inherit acls = yes
>> >> inherit permissions = yes
>> >> inherit owner = yes
>> >> map acl inherit = yes
>> >> acl check permissions = yes
>> >> nt acl support = yes
>> >> #valid users = %D\%S
>> >> #write list = @jasondomain\domain^admins
>> >> read only = no
>> >>
>> >>
>> >> but when I browse the "Test" directory it asks me for a username and 
>> >> password, and when I enter "jasondomain\jason" as the username it won't 
>> >> let me open the "Test" directory. What is the problem?
>> >>
>> > ----
>> > Are you already logged into the server under different credentials,
>> > like 'WORKGROUP', jason (i.e. do you already have some shares mounted?)
>> >
>> > If I remember, Windows won't allow the same workstation to connect under
>> > two different user id's.  If you already have something mounted from your
>> > workstation with different credentials, you need to close (unmount / unmap)
>> > those other connections.
>> >
>> > Where did you set up the password for 'jasondomain\jason'? Again, if you
>> > didn't set a password, more modern versions of windows won't allow you to
>> > login (or attach a share) remotely.
>> >
>> > You don't say what happens when you try to open 'test'.  You say it
>> > can't let you?  What error message does it give you?
>>
>>
>> OK, if I understand you correctly, you have set up samba on a Centos
>> machine and joined it to a windows machine, is this correct?
>>
>> Could you post the entire smb.conf from your Centos machine.
>>
>> Rowland
>>
>>
>>
>>
> OK, after wading through all the un-needed lines, I got this:
>
> [global]
>     workgroup = MYGROUP
>     server string = Samba Server Version %v
>     # logs split per machine
>     log file = /var/log/samba/log.%m
>     # max 50KB per log file, then rotate
>     max log size = 50
>     security = user
>     passdb backend = tdbsam
>     load printers = yes
>     cups options = raw
>
> [homes]
>     comment = Home Directories
>     browseable = no
>     writable = yes
>
> [printers]
>     comment = All Printers
>     path = /var/spool/samba
>     browseable = no
>     guest ok = no
>     writable = no
>     printable = yes
>
> [Test]
> comment = Public Stuff
> path = /home/local/HAMSHAHRY/jokar/test/
> browsable = yes
> inherit acls = yes
> inherit permissions = yes
> inherit owner = yes
> map acl inherit = yes
> acl check permissions = yes
> nt acl support = yes
> read only = no
>
> Try changing 'security = user' to 'security = ads' and adding the 
> required winbind & idmap lines, see: 
> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>
> Yes, I know it says 'member server', but you can use it for a client 
> as well.
>
> Rowland
>
>
>

Hi, you seem to be using **four**, yes four different workgroup (also 
known as domain) names:
In smb.conf: MYGROUP & SAMDOM
When trying to login: jasondomain & WORKGROUP

They all need to be the same; you also need to add uidNumbers to your 
users and a gidNumber to at least 'Domain Users'.

Rowland
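The points made in this reply (one workgroup name everywhere, 'security = ads', the winbind/idmap lines from the wiki page, and the 'ad' idmap backend that is why users need a uidNumber and 'Domain Users' a gidNumber) can be checked mechanically before restarting anything. The script below is an added example written for this archive page, not code from the thread or from the Samba project. It is plain POSIX sh plus awk and runs offline: it parses the [global] section of an smb.conf, reports the mistakes discussed above, and runs itself against two constructed configs, one modelled on the smb.conf quoted in the thread (with SAMDOM as the second domain name) and one in the member-server shape the wiki describes. JASONDOMAIN, SAMDOM, MYGROUP and the realm JASONDOMAIN.EXAMPLE.COM are placeholders, not real values.

```shell
#!/bin/sh
# Added example, not code from the thread: offline sanity check for the
# smb.conf mistakes discussed above. Domain names and realm are placeholders.

# smb_get KEY FILE: print KEY's value from [global]. Keys are compared
# case-insensitively with all whitespace removed, so 'idmap config * : backend'
# matches however the line is spaced in the file.
smb_get() {
    awk -v key="$1" '
        BEGIN { key = tolower(key); gsub(/[[:space:]]/, "", key) }
        /^[[:space:]]*\[/ { inglobal = (tolower($0) ~ /^[[:space:]]*\[global\]/); next }
        inglobal && $0 !~ /^[[:space:]]*[#;]/ && index($0, "=") > 0 {
            k = tolower(substr($0, 1, index($0, "=") - 1)); gsub(/[[:space:]]/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
                print v; exit
            }
        }' "$2"
}

# idmap_domains FILE: every domain named in an 'idmap config DOM : ...' line,
# upper-cased and de-duplicated; the '*' default entry is skipped.
idmap_domains() {
    awk '
        /^[[:space:]]*\[/ { inglobal = (tolower($0) ~ /^[[:space:]]*\[global\]/); next }
        inglobal && tolower($0) ~ /^[[:space:]]*idmap[[:space:]]+config[[:space:]]/ {
            s = tolower($0)
            sub(/^[[:space:]]*idmap[[:space:]]+config[[:space:]]+/, "", s)
            sub(/[[:space:]]*:.*$/, "", s)
            if (s != "*") print toupper(s)
        }' "$1" | sort -u
}

# check_smbconf FILE: print each finding; return the number of problems (0 = ok)
check_smbconf() {
    f="$1"; problems=0
    sec=$(smb_get security "$f" | tr 'A-Z' 'a-z')
    wg=$(smb_get workgroup "$f" | tr 'a-z' 'A-Z')
    realm=$(smb_get realm "$f")
    if [ "$sec" != "ads" ]; then
        echo "PROBLEM: security = ${sec:-<unset>}; a domain member needs security = ads"
        problems=$((problems + 1))
    fi
    if [ -z "$realm" ]; then
        echo "PROBLEM: realm is not set (needed for the Kerberos/AD join)"
        problems=$((problems + 1))
    fi
    if [ -z "$(smb_get 'idmap config * : backend' "$f")" ]; then
        echo "PROBLEM: no default 'idmap config * : backend' line"
        problems=$((problems + 1))
    fi
    if [ -z "$(smb_get "idmap config $wg : backend" "$f")" ]; then
        echo "PROBLEM: no 'idmap config $wg : backend' line for the workgroup's own domain"
        problems=$((problems + 1))
    fi
    # every domain named in an idmap line must be the workgroup itself
    for d in $(idmap_domains "$f"); do
        if [ "$d" != "$wg" ]; then
            echo "PROBLEM: idmap config names '$d' but workgroup is '$wg'"
            problems=$((problems + 1))
        fi
    done
    echo "$f: $problems problem(s)"
    return "$problems"
}

# Constructed config modelled on the thread: stand-alone server settings plus
# an idmap line for a second, different domain name.
bad_conf() {
    cat <<'EOF'
[global]
    workgroup = MYGROUP
    security = user
    passdb backend = tdbsam
    idmap config SAMDOM : backend = ad
EOF
}

# Constructed member-server config in the shape of the wiki page; the 'ad'
# backend reads uidNumber/gidNumber from AD, hence the need to set them.
good_conf() {
    cat <<'EOF'
[global]
    workgroup = JASONDOMAIN
    realm = JASONDOMAIN.EXAMPLE.COM
    security = ads
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config JASONDOMAIN : backend = ad
    idmap config JASONDOMAIN : schema_mode = rfc2307
    idmap config JASONDOMAIN : range = 10000-999999
    winbind use default domain = yes
    vfs objects = acl_xattr
    map acl inherit = yes

[Test]
    path = /home/local/jasondomain/jason/test
    read only = no
EOF
}

# stand-alone run: check both constructed configs
tmp=$(mktemp -d)
bad_conf > "$tmp/bad.conf"
good_conf > "$tmp/good.conf"
check_smbconf "$tmp/bad.conf"
check_smbconf "$tmp/good.conf"
rm -rf "$tmp"
```

To use it on a real box, call check_smbconf /etc/samba/smb.conf; the checker only looks at [global] and does not replace testparm, which should still be run after any change. The 'ad' backend check is deliberately strict: with that backend, a user without a uidNumber simply does not appear in 'getent passwd', which is the symptom this thread is chasing.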




