[Samba] Solaris 10 + Samba 3.0.24 = AD-Member Win2003Server
Neuwald, Björn
Neuwald at medianet.freinet.de
Thu Feb 15 07:50:55 GMT 2007
Hi!
I have problems with my Samba 3.0.24 on my Solaris 10 machine.
I hope you can help me.
I Googled a lot and asked many people but nobody can help me.
So... I have...
Solaris 10 with Samba 3.0.24
Kerberos installed
OpenLDAP installed
OpenSSL installed
I configured and compiled Samba 3.0.24 (Options: ./configure --prefix=/usr/local/samba --with-winbind --with-ads --with-ldap --with-krb5=/usr/local --with-acl-support )
Now I want Samba to be a member of the ADS domain.
I made a keytab file with the following command on the Windows 2003 domain controller:
C:\>ktpass -princ host/FQDN@XXX.XXXX.DE -mapuser XXX\user1 -pass ***** -out c:\user1.keytab
After this I configured SWAT, and SWAT was working well.
Then I registered the keytab file with the following commands:
#/usr/local/sbin/ktutil
#ktutil: rkt /usr/local/krb5/usr1.keytab
#ktutil: wkt /usr/local/krb5/krb5.keytab
I copied libnss_winbind.so and set the symbolic links.
#cp .../samba-3.0.24/source/nsswitch/libnss_winbind.so /usr/lib
#ln -s libnss_winbind.so libnss_winbind.so.1
#ln -s libnss_winbind.so nss_winbind.so.1
#ln -s libnss_winbind.so nss_winbind.so.2
After this I configured Kerberos and edited krb5.conf like this:
# krb5.conf template
# In order to complete this configuration file
# you will need to replace the __<name>__ placeholders
# with appropriate values for your network.
#
[libdefaults]
ticket_lifetime = 24000
default_realm = XXX.XXXX.DE
default_tgs_enctypes = des-cbc-crc des-cbc-md5
default_tkt_enctypes = des-cbc-crc des-cbc-md5
[realms]
NTBV.BZ-FREIBURG.DE = {
kdc = server1.xx.xxxx.de
kdc = server2.xx.xxxx.de
admin_server = server1.xx.xxxx.de
default_domain = xx.xxxx.de
}
[domain_realm]
.mn.freinet.de = XXX.XXXX.DE
mn.freinet.de = XXX.XXXX.DE
[logging]
default = FILE:/var/krb5/kdc.log
kdc = FILE:/var/krb5/kdc.log
kdc_rotate = {
# How often to rotate kdc.log. Logs will get rotated no more
# often than the period, and less often if the KDC is not used
# frequently.
period = 1d
# how many versions of kdc.log to keep around (kdc.log.0, kdc.log.1, ...)
versions = 10
}
[appdefaults]
kinit = {
renewable = true
forwardable= true
}
Now I edited /etc/nscd.conf and added the following:
...
# logfile /var/adm/nscd.log
enable-cache hosts no
enable-cache passwd no
enable-cache group no
...
And I edited /etc/nsswitch.conf too:
....
passwd: files winbind
group: files winbind
....
Via SWAT, I configured Samba like this:
# Samba config file created using SWAT
# from 172.16.124.6 (172.16.124.6)
# Date: 2006/09/11 15:14:18
[global]
workgroup = XX
realm = XX.XXXX.DE
netbios name = test1
server string = SambaTest
interfaces = 192.168.20.19
bind interfaces only = Yes
security = ADS
password server = server1.xx.xxx.de
log file = /user/local/samba/log/log.%m
ldap ssl = No
idmap uid = 5000-100000000
idmap gid = 5000-100000000
template homedir = /usr/local/samba/%D/%U
template shell = /bin/bash
winbind enum users = Yes
winbind enum groups = Yes
force create mode = 0775
force directory mode = 06775
[medianet]
comment = TestShare
path = /shared
valid users = @XX\group1, @XX\group4
read only = No
Then I registered the server in Active Directory:
#kinit domainadmin
Password for domainadmin@XX.XXXX.DE:
#
#./net ads join
Using short domain name - XX
Joined 'test1' to realm 'XX.XXXXX.DE'#
Then I tested the following:
#/usr/local/samba/bin/wbinfo -u
XX\user1
XX\user2
XX\user3
XX\user4
# /usr/local/samba/bin/wbinfo -g
XX\group1
XX\group2
XX\group3
XX\group4
XX\group5
#/usr/local/samba/bin/net ads info
LDAP server: 192.168.20.1
LDAP server name: server1.XX.XXXX.de
Realm: XX.XXXX.DE
Bind Path: dc=XX,dc=XXXX,dc=DE
LDAP port: 389
Server time: Tue, 12 Sep 2006 14:10:57 MEST
KDC server: 192.168.20.1
Server time offset: 0
# id "XX\user1"
uid=5000(XX\user1) gid=5000(XX\group4)
# ./wbinfo -r "XX\user1"
group3
group4
I created a Test Share, like in the Samba config.
The valid groups for the share were group1 ("@XX\group1") and group4 ("@XX\group2"), as configured in smb.conf.
The user user1, whose primary group is group4 ("XX\group4") and who is also a member of group3 ("XX\group3"),
must be able to enter this share and should be allowed to. OK, this works.
But when I want to enter a folder in this share which I created in Solaris (for example "/shared/testfolder") and to which I added the ACL with #setfacl -m g:"XX\group3":rwx /shared/testfolder, then a window appears on my Windows machine saying that I do not have permission to enter it.
But user1 has the primary group group4 and the secondary group group3. The share has rights in Samba (valid users) for group4 and group1. The folder in the share has permissions (rwx) set via ACL for group3, and user1 is a member of group3.
So I think nested groups or secondary groups are completely ignored.
I hope you can help me.
Best Regards, Björn
__________________________________________________________________________________
MediaNet GmbH Netzwerk- und Applikations-Service
Lörracher Straße 5a, D-79115 Freiburg
Telefon 0761/496-1400 - e-mail: info at medianet.freinet.de
Geschäftsführer: Meinhard Fleig - Handelsregister Freiburg HRB 4869
Bankverbindung: Sparkasse Freiburg - BLZ 680 501 01 - Konto 211 085 7
__________________________________________________________________________________
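The access decision the post is asking about, as an added example that is not code from the original post: a POSIX sh function that reproduces the POSIX ACL check order (owner entry, named user entry, owning group plus named group entries through the mask entry, other entry) and runs it on constructed data shaped like the post's user1/group3 case. The owner root, the owning group root and the getfacl-style entry text are assumptions; on a live host the inputs would come from id, ls -ld and getfacl. It also shows the mask entry silently capping a named-group entry, which is worth ruling out before concluding that winbind drops secondary groups.

```shell
#!/bin/sh
# Added example, not from the original post: offline check of whether USER gets
# PERM (r, w or x) on a directory with a POSIX ACL, in the access-check order
# owner -> named user -> owning group plus named groups (all cut down by the
# mask entry) -> other. Needs a POSIX sh (Solaris 10: /usr/xpg4/bin/sh or bash).
# Usage: acl_allows USER OWNER OWNING_GROUP "GROUP LIST" "ACL TEXT" PERM
#   GROUP LIST is space separated as from `id -Gn`; ACL TEXT is getfacl output.
# Exit status 0 = allowed, 1 = denied.
has() { case $1 in *"$2"*) return 0;; esac; return 1; }   # has "r-x" x -> 0
nl='
'
acl_allows() {
  u=$1 owner=$2 ogroup=$3 glist=$4 acl=$5 p=$6
  mask=rwx uperm=--- nperm= gperm= operm=---
  oldifs=$IFS; IFS=$nl
  for line in $acl; do
    line=${line%%#*}                     # drop getfacl comments / #effective notes
    [ -n "$line" ] || continue
    tag=${line%%:*}; rest=${line#*:}; qual=${rest%%:*}; perms=${rest#*:}
    case $tag in
      user)  if [ -z "$qual" ]; then uperm=$perms
             elif [ "$qual" = "$u" ]; then nperm=$perms; fi ;;
      group) if [ -z "$qual" ]; then qual=$ogroup; fi   # group:: = owning group
             IFS=' '
             for g in $glist; do [ "$g" = "$qual" ] && gperm=$gperm$perms; done
             IFS=$nl ;;
      mask)  mask=$perms ;;
      other) operm=$perms ;;
    esac
  done
  IFS=$oldifs
  if [ "$u" = "$owner" ]; then has "$uperm" "$p"; return; fi   # owner: no mask
  if [ -n "$nperm" ]; then has "$nperm" "$p" && has "$mask" "$p"; return; fi
  if [ -n "$gperm" ]; then has "$gperm" "$p" && has "$mask" "$p"; return; fi
  has "$operm" "$p"
}
# Constructed sample mirroring the post: user1's primary group is group4, its
# secondary group is group3, and the folder grants group3 rwx by a named entry.
USER1='XX\user1'
GROUPS1='XX\group4 XX\group3'
ACL_OK='user::rwx
group::r-x
group:XX\group3:rwx
mask:rwx
other:---'
# Same ACL but with a restrictive mask, which silently caps the named entry.
ACL_MASKED=$(printf '%s\n' "$ACL_OK" | sed 's/^mask:rwx$/mask:r-x/')
acl_allows "$USER1" root root "$GROUPS1" "$ACL_OK" w && echo 'mask rwx: w allowed'
acl_allows "$USER1" root root "$GROUPS1" "$ACL_MASKED" w || echo 'mask r-x: w denied'
```

Feed the real values from the host (getfacl /shared/testfolder, id -Gn for the domain user) to see which entry the kernel would actually match for that user.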