[Samba] Use Samba with ACL for read Active Directory and set Permissions via it.

Jason Long hack3rcon at yahoo.com
Wed Dec 31 02:55:36 MST 2014


Thanks.
I changed the command as below:

#net rpc rights grant 'jasondomain\Domain Admins' SeDiskOperatorPrivilege -U jasondomain\\administrator -I 192.168.1.1

But I got the error below:

Could not connect to server 192.168.1.1
Connection failed: NT_STATUS_INVALID_WORKSTATION

Cheers.





On Wednesday, December 31, 2014 1:35 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
On 31/12/14 09:17, Jason Long wrote:
> Thank you so much, but I ran the commands below on Linux:
>
>
> # net rpc rights grant 'jasondomain\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
> # net rpc rights list accounts -Uadministrator
>
> It asks me for a password for "administrator":
>
> Enter administrator's password:
> Could not connect to server 127.0.0.1
> Connection failed: NT_STATUS_NO_LOGON_SERVERS
>
> Must I enter the Windows administrator password?
>
>
> Thanks.
>
>
>
>
>
> On Monday, December 29, 2014 5:10 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
> On 29/12/14 12:52, Jason Long wrote:
>> Thank you so much.
>>
>> I made some changes like below:
>>
>> /dev/mapper/vg_print-lv_root /                       ext4    user_xattr,acl,defaults        1 1
>>
>>
>> Then "lsof | grep /dev/mapper/vg_print-lv_root" has no output.
>> I added the lines below to the [global] section too:
>>
>> vfs objects = acl_xattr
>> map acl inherit = Yes
>> store dos attributes = Yes
>>
>> But can you tell me more about the commands below?
>>
>> net rpc rights grant 'SAMDOM\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
>> net rpc rights list accounts -Uadministrator
>>
>> I hope they are not dangerous!!!!
> No :-)
>
> The first one gives members of Domain Admins the right to change Windows
> ACLs on a share.
> The second lists accounts and what rights they have.
>
>> In "https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs", the other steps are in Windows!!! Can I do them via Linux too?
>>    
> Yes, but it is just easier via Windows
>
> Rowland
>
>
>>  
>> Thanks.
>>
>>
>>
>>
>>
>> On Monday, December 29, 2014 1:59 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>> On 29/12/14 06:38, Jason Long wrote:
>>> Thank you so much.
>>> You're right, my realm is "jasondomaini.jasondomain.jj" and I changed the configuration as below:
>>>
>>>
>>> [global]
>>> workgroup = JASONDOMAINI
>>> server string = Samba Server Version %v
>>> # logs split per machine
>>> log file = /var/log/samba/log.%m
>>> # max 50KB per log file, then rotate
>>> max log size = 50
>>> security = ADS
>>> realm = JASONDOMAINI.JASONDOMAIN.JJ
>>> passdb backend = tdbsam
>>> load printers = yes
>>> cups options = raw
>>> idmap config *:backend = tdb
>>> idmap config *:range = 70001-80000
>>> #idmap config SAMDOM:backend = ad
>>> idmap config JASONDOMAINI:backend = ad
>>> idmap config JASONDOMAINI:schema_mode = rfc2307
>>> idmap config JASONDOMAINI:range = 500-40000
>>>
>>>
>>>
>>> When I use "SSH" on my CentOS box and log in as "jasondomain\jason", it shows me the root partition and I can open the "Test" directory, but it has two problems:
>>>
>>> 1- Why does it show the root partition?
>>> 2- I can't browse it via Windows Explorer!!!
>>>
>>> I want to know: is using AD users in Linux hard?
>>>
>>> In your opinion, did I use a correct command to set the ACL?
>>>
>>> #getfacl test/
>>>
>>>
>>> # file: test/
>>> # owner: JASONDOMAINI\134JASON
>>> # group: JASONDOMAINI\134grp-JASON-rw
>>> user::rwx
>>> group::r-x
>>> group:JASONDOMAINI\134grp-JASON-rw:rwx
>>> mask::rwx
>>> other::r-x
>>>
>>>
>>> and in "getent group" it shows me the group below:
>>>
>>> JASONDOMAINI\134grp-JASON-rw
>>>
>>>
>>> In your opinion, did I use the correct command to set the permission?
>>>
>>>
>>>
>>>
>>>
>>>
>>> On Sunday, December 28, 2014 9:37 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>> On 28/12/14 15:48, Jason Long wrote:
>>>> Thank you so much.
>>>> Thus I must change "idmap config JASONDOMAIN.JJ:backend = ad" to "idmap config JASONDOMAIN:backend = ad".
>>>> How about the workgroup? Must I change "JASONDOMAIN" too?
>>>> About your question, I must say that I tested this share via Linux too, and Windows and Linux have the same problem.
>>>>
>>>> About "What I would do is, install the OpenSSH server on the linux machine, install 'PUTTY' on a windows machine and try to login via 'PUTTY' and use the SSH protocol.", do you mean that Windows clients use SSH to work with this directory? I want to make this Linux box a file server, and Windows clients need a graphical browser to copy and paste files into this directory!!!!!!!
>>>> What is your idea?
>>>>
>>>> Thanks.
>>>>
>>>>
>>>>
>>> I am losing track here a bit, but if your DNS domain is example.com,
>>> then your windows AD realm should be something like internal.example.com
>>> and your workgroup/domain name should be INTERNAL, that is, they all
>>> rely on each other.
>>>
>>> So anywhere that you come across these, you should use the relevant one;
>>> these are the relevant parts from a Unix client on my domain:
>>>
>>> [global]
>>>             workgroup = INTERNAL
>>>             security = ADS
>>>             realm = INTERNAL.EXAMPLE.COM
>>>             ..........
>>>             idmap config * : backend = tdb
>>>             idmap config * : range = 2000-9999
>>>             idmap config INTERNAL : backend  = ad
>>>             idmap config INTERNAL : range = 10000-999999
>>>             idmap config INTERNAL : schema_mode = rfc2307
>>>
>>> As for using 'PUTTY', this was just a way of testing whether you can
>>> connect to the Unix machine.
>>>
>>>
>>> Rowland
>> OK, we are getting closer
>>
>> Right, answers to your questions:
>> 1) I think that you may find that this is also printed: 'Could not chdir
>> to home directory', in which case you will end up in the root of the computer.
>>
>> 2) Are you running the 'nmbd' daemon? Even if this is not running you
>> should be able to navigate to the share by entering the path. Have a
>> look here:
>>
>> https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs
>>
>>
>> Rowland
>>

You are trying to run the command on a client, try adding either:

-S server name

OR

-I address of target server

where 'server' is the AD DC.

Yes, you need to supply the password of the Domain Administrator.


Rowland
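Rowland's point earlier in the thread, that the workgroup, the realm and the domain name in the `idmap config` lines all have to agree with each other, and that the idmap ranges must not overlap, is easy to check mechanically. The script below is an added example, not code from this thread or from the Samba project; the function names and the three sample smb.conf files are constructed for the demonstration (one shaped like Rowland's member-server snippet, one with the idmap block named after the DNS realm as in the earlier mistake, one with overlapping ranges).

```shell
#!/bin/sh
# Added example, not code from the thread: lint the smb.conf settings on a
# Samba domain member that must agree with each other (workgroup, realm and
# the 'idmap config' blocks). Keys are matched case-insensitively and blanks
# around '=' and ':' are ignored, as smbd does; sections are not tracked.

# conf_value FILE KEY: print the value of KEY ("idmap config *:range" style),
# skipping '#' and ';' comment lines.
conf_value() {
    awk -v k="$2" '
        /^[ \t]*[#;]/ { next }
        index($0, "=") > 0 {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/[ \t]*:[ \t]*/, ":", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (tolower(key) == tolower(k)) { print val; exit }
        }' "$1"
}

# workgroup_matches_realm FILE: "yes" when workgroup equals the first DNS label
# of realm (the provisioning convention Rowland describes), else "no".
workgroup_matches_realm() {
    wg=$(conf_value "$1" workgroup | tr '[:upper:]' '[:lower:]')
    first=$(conf_value "$1" realm | cut -d. -f1 | tr '[:upper:]' '[:lower:]')
    if [ -n "$wg" ] && [ "$wg" = "$first" ]; then echo yes; else echo no; fi
}

# idmap_domain_backend FILE: backend of the idmap block named after the
# workgroup, or "missing". A block named after the DNS realm instead of the
# NetBIOS domain name never matches the domain (the mistake fixed above).
idmap_domain_backend() {
    wg=$(conf_value "$1" workgroup)
    b=$(conf_value "$1" "idmap config $wg:backend")
    echo "${b:-missing}"
}

# idmap_ranges_state FILE: "ok" when the '*' range and the domain range are
# both present and disjoint, "overlap" when they intersect, else "missing".
# Samba requires the ranges of different idmap backends not to overlap.
idmap_ranges_state() {
    wg=$(conf_value "$1" workgroup)
    r1=$(conf_value "$1" "idmap config *:range" | tr -d ' ')
    r2=$(conf_value "$1" "idmap config $wg:range" | tr -d ' ')
    if [ -z "$r1" ] || [ -z "$r2" ]; then echo missing; return 0; fi
    lo1=${r1%-*}; hi1=${r1#*-}; lo2=${r2%-*}; hi2=${r2#*-}
    if [ "$lo1" -le "$hi2" ] && [ "$lo2" -le "$hi1" ]; then echo overlap; else echo ok; fi
}

# lint_smb_conf FILE: print findings; the exit status is the number of problems.
lint_smb_conf() {
    problems=0
    if [ "$(workgroup_matches_realm "$1")" != yes ]; then
        echo "WARN: workgroup is not the first label of realm"; problems=$((problems + 1))
    fi
    backend=$(idmap_domain_backend "$1")
    if [ "$backend" != ad ]; then
        echo "FAIL: no 'idmap config <WORKGROUP>:backend = ad' block (found: $backend)"
        problems=$((problems + 1))
    fi
    state=$(idmap_ranges_state "$1")
    if [ "$state" != ok ]; then
        echo "FAIL: idmap ranges: $state"; problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ] && echo "OK: $1"
    return "$problems"
}

# Constructed samples (hypothetical domains): one shaped like Rowland's snippet,
# one with the idmap block named after the realm, one with overlapping ranges.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/good.conf" <<'EOF'
[global]
    workgroup = INTERNAL
    security = ADS
    realm = INTERNAL.EXAMPLE.COM
    idmap config * : backend = tdb
    idmap config * : range = 2000-9999
    idmap config INTERNAL : backend  = ad
    idmap config INTERNAL : range = 10000-999999
    idmap config INTERNAL : schema_mode = rfc2307
EOF
sed -e 's/INTERNAL\.EXAMPLE\.COM/JASONDOMAINI.JASONDOMAIN.JJ/' \
    -e 's/= INTERNAL$/= JASONDOMAINI/' \
    -e 's/config INTERNAL /config JASONDOMAIN.JJ /' "$SAMPLE_DIR/good.conf" > "$SAMPLE_DIR/badname.conf"
sed 's/10000-999999/5000-999999/' "$SAMPLE_DIR/good.conf" > "$SAMPLE_DIR/overlap.conf"

for f in good badname overlap; do
    lint_smb_conf "$SAMPLE_DIR/$f.conf" || echo "$f.conf: $? problem(s)"
done
```

To check a real member server, drop the sample section at the bottom and call `lint_smb_conf /etc/samba/smb.conf`; the non-zero exit count makes it usable as a pre-deploy hook. The "first label of the realm" test is a warning rather than a failure because it is the provisioning convention Rowland describes, not something smbd enforces, whereas a domain idmap block whose name does not match the workgroup is simply never used.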
