[Samba] Use Samba with ACL for read Active Directory and set Permissions via it.

Rowland Penny rowlandpenny at googlemail.com
Wed Dec 31 03:05:13 MST 2014


On 31/12/14 09:55, Jason Long wrote:
> Thanks.
> I changed the command as below :
>
> #net rpc rights grant 'jasondomain\Domain Admins' SeDiskOperatorPrivilege -U jasondomain\\administrator -I 192.168.1.1
>
> But I got the error below:
>
> Could not connect to server 192.168.1.1
> Connection failed: NT_STATUS_INVALID_WORKSTATION
>
> Cheers.
>
>
>
>
>
> On Wednesday, December 31, 2014 1:35 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
> On 31/12/14 09:17, Jason Long wrote:
>> Thank you so much, but I ran the commands below on Linux:
>>
>>
>> # net rpc rights grant 'jasondomain\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
>> # net rpc rights list accounts -Uadministrator
>>
>> It asks me for a password for "administrator":
>>
>> Enter administrator's password:
>> Could not connect to server 127.0.0.1
>> Connection failed: NT_STATUS_NO_LOGON_SERVERS
>>
>> Must I enter windows administrator password?
>>
>>
>> Thanks.
>>
>>
>>
>>
>>
>> On Monday, December 29, 2014 5:10 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>> On 29/12/14 12:52, Jason Long wrote:
>>> Thank you so much.
>>>
>>> I did some changes like below :
>>>
>>> /dev/mapper/vg_print-lv_root /                       ext4    user_xattr,acl,defaults        1 1
>>>
>>>
>>> Then "lsof | grep /dev/mapper/vg_print-lv_root" does not have any output.
>>> I added below lines to [global] section too :
>>>
>>> vfs objects = acl_xattr
>>> map acl inherit = Yes
>>> store dos attributes = Yes
>>>
>>> But about below commands can you tell me more?
>>>
>>> net rpc rights grant 'SAMDOM\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
>>> net rpc rights list accounts -Uadministrator
>>>
>>> I hope they are not Dangerous!!!!
>> No :-)
>>
>> The first one gives members of Domain Admins the right to change Windows
>> ACLs on a share.
>> The second lists accounts and what rights they have.
>>
>>> In "https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs", the other steps are in Windows!!! Can I do them via Linux too?
>>>     
>> Yes, but it is just easier via windows
>>
>> Rowland
>>
>>
>>>   
>>> Thanks.
>>>
>>>
>>>
>>>
>>>
>>> On Monday, December 29, 2014 1:59 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>> On 29/12/14 06:38, Jason Long wrote:
>>>> Thank you so much.
>>>> You are right, my realm is "jasondomaini.jasondomain.jj" and I changed the configuration as below:
>>>>
>>>>
>>>> [global]
>>>> workgroup = JASONDOMAINI
>>>> server string = Samba Server Version %v
>>>> # logs split per machine
>>>> log file = /var/log/samba/log.%m
>>>> # max 50KB per log file, then rotate
>>>> max log size = 50
>>>> security = ADS
>>>> realm = JASONDOMAINI.JASONDOMAIN.JJ
>>>> passdb backend = tdbsam
>>>> load printers = yes
>>>> cups options = raw
>>>> idmap config *:backend = tdb
>>>> idmap config *:range = 70001-80000
>>>> #idmap config SAMDOM:backend = ad
>>>> idmap config JASONDOMAINI:backend = ad
>>>> idmap config JASONDOMAINI:schema_mode = rfc2307
>>>> idmap config JASONDOMAINI:range = 500-40000
>>>>
>>>>
>>>>
>>>> When I use "SSH" on my CentOS and enter "jasondomain\jason", it shows me the root partition and I can open the "Test" directory, but it has two problems:
>>>>
>>>> 1- Why does it show the root partition?
>>>> 2- I can't browse it via Windows Explorer!!!
>>>>
>>>> I want to know: is using AD users in Linux hard?
>>>>
>>>> In your opinion, did I use a correct command to set the ACL?
>>>>
>>>> #getfacl test/
>>>>
>>>>
>>>> # file: test/
>>>> # owner: JASONDOMAINI\134JASON
>>>> # group: JASONDOMAINI\134grp-JASON-rw
>>>> user::rwx
>>>> group::r-x
>>>> group:JASONDOMAINI\134grp-JASON-rw:rwx
>>>> mask::rwx
>>>> other::r-x
>>>>
>>>>
>>>> and in "getent group" it show me below group :
>>>>
>>>> JASONDOMAINI\134grp-JASON-rw
>>>>
>>>>
>>>> In your opinion, am I using the correct command to set permissions?
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On Sunday, December 28, 2014 9:37 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>>> On 28/12/14 15:48, Jason Long wrote:
>>>>> Thank you so much.
>>>>> Thus I must change "idmap config JASONDOMAIN.JJ:backend = ad" to "idmap config JASONDOMAIN:backend = ad".
>>>>> How about Workgroup? Must I change "JASONDOMAIN" too?
>>>>> About your question, I must say that I tested this share via Linux too, and Windows and Linux have the same problem.
>>>>>
>>>>> About "What I would do is, install the OpenSSH server on the linux machine, install 'PUTTY' on a windows machine and try to login via 'PUTTY' and use the SSH protocol.", do you mean that Windows clients use SSH to work with this directory? I want to make this Linux box a file server, and Windows clients need a graphical browser to copy and paste files into this directory!!!!!!!
>>>>> What is your idea?
>>>>>
>>>>> Thanks.
>>>>>
>>>>>
>>>>>
>>>> I am losing track here a bit, but if your dns domain is example.com,
>>>> then your windows AD realm should be something like internal.example.com
>>>> and your workgroup/domain name should be INTERNAL, that is, they all
>>>> rely on each other.
>>>>
>>>> So anywhere that you come across these, you should use the relevant one,
>>>> this is the relevant parts from a Unix client on my domain:
>>>>
>>>> [global]
>>>>              workgroup = INTERNAL
>>>>              security = ADS
>>>>              realm = INTERNAL.EXAMPLE.COM
>>>>              ..........
>>>>              idmap config * : backend = tdb
>>>>              idmap config * : range = 2000-9999
>>>>              idmap config INTERNAL : backend  = ad
>>>>              idmap config INTERNAL : range = 10000-999999
>>>>              idmap config INTERNAL : schema_mode = rfc2307
>>>>
>>>> As for using 'PUTTY', this was just a way of testing whether you can
>>>> connect to the Unix machine.
>>>>
>>>>
>>>> Rowland
>>> OK, we are getting closer
>>>
>>> right, answers to your questions
>>> 1) I think that you may find that this is also printed 'Could not chdir
>>> to home directory', in which case you will end up in the root of computer.
>>>
>>> 2) Are you running the 'nmbd' daemon ? Even if this is not running you
>>> should be able to navigate to the share by entering the path. Have a
>>> look here:
>>>
>>> https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs
>>>
>>>
>>> Rowland
>>>
> You are trying to run the command on a client, try adding either:
>
> -S server name
>
> OR
>
> -I address of target server
>
> where 'server' is the AD DC.
>
> Yes, you need to supply the password of the Domain Administrator.
>
>
> Rowland
>

OK, try it like this:

net rpc rights grant 'Domain Admins' SeDiskOperatorPrivilege -UAdministrator -I 192.168.1.1

This works for me on a client joined to the domain.

Rowland
