[Samba] Linux local user problem when security = ADS

Alberto Moreno portsbsd at gmail.com
Thu Jun 25 03:04:03 GMT 2009


On Wed, Jun 24, 2009 at 12:34 PM, Reginald0<regi0 at ig.com.br> wrote:
>
> Hi, folks!
>
> I have two RHEL5 Linux machines, both successfully joined to a Windows 2008
> Server AD domain. I can see AD users, groups, checking trusts, etc.
> My problem is that when I try to mount a share from one Linux machine to the
> other using a local user, I receive the message "mount error 13 = Permission
> denied".
> If I add the user with the same name/password to the Windows AD domain, then I
> can mount the share, and this way I can read but can't write to the mounted
> folder on the client side, unless I set "chmod 777" on the server side, but
> this would open a security hole on my system.
> Before joining these two machines to a domain, I was using "security = share"
> and the "username map" option to map the server local user to the client remote
> user, and it was working flawlessly.
> The relevant configuration follows below:
>
> ________________________________
>
> "/etc/samba/smb.conf" on server:
>
> [GLOBAL]
>  security = ADS
>  workgroup = DOMAINNAME
>  realm = DOMAINNAME
>  password server = DOMAINSERVERNAME
>  username map = /etc/samba/smbusers
>  winbind use default domain = yes
>  winbind uid = 10000-20000
>  winbind gid = 10000-20000
>
> [SHARE]
>  path = /share
>  writable = yes
>  browseable = no
>  create mask = 0664
>  valid users = remoteusername
> ________________________________
>
> "/etc/samba/smbusers" on server:
>
> localusername = remoteusername
> ________________________________
>
> "mount" command on client:
>
> mount -t cifs //MACHINE1/SHARE /share -o user=remoteusername
> ________________________________
>
>
> If you need some more information, please advise me.
>
> Thanks in advance,
>
> Reginald0
>

 Last week I did this: I joined my Samba server running CentOS 5.3 with
an AD server running Win 2k3.

 When I started testing, wbinfo -u and wbinfo -g showed all my users and
groups from AD; the goal of this is that we don't need to add each
user to the Linux+Samba user db like we did before with NT4.

  Now, the:

username map = /etc/samba/smbusers

  I don't like it. I don't have the right access to my Samba server to see
my settings, but I remember that when I wanted to share a folder
like in your example, I did this:

mkdir share
chmod 0664 share
chown DOMAIN+username share

[SHARE]
  path = /share
  writable = yes
  browseable = no
  create mask = 0664
  valid users = DOMAIN+username
  write list =  DOMAIN+username

 Just to point out that I set up winbind, PAM and all that stuff to make
my AD server give Samba all the info about names+groups.

  See you later.
--
Living the dream...
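As an added example (not code from either poster), a small Python checker that parses an smb.conf and smbusers map built on the configuration quoted above and flags the two things discussed in this thread: with security = ADS the username map is applied only after the client name has authenticated at the DC, so "localusername = remoteusername" cannot stand in for a missing domain account, and making the share directory world-writable is the wrong fix for write access. The inline configs are constructed, and the DOMAIN+user spelling assumes winbind separator = + as in the reply.

```python
"""Checks for a Samba share on an AD-joined server; constructed inputs modelled on the thread."""

SMB_CONF = """
[GLOBAL]
 security = ADS
 username map = /etc/samba/smbusers
[SHARE]
 path = /share
 valid users = remoteusername
"""
SMBUSERS = "localusername = remoteusername\n"  # constructed; format: unixname = smbname1 smbname2 ...

def parse_smb_conf(text):
    """Minimal smb.conf parser: {section: {key: value}} with names lower-cased."""
    conf, section = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf[section] = {}
        elif "=" in line and section is not None:
            key, value = (p.strip() for p in line.split("=", 1))
            conf[section][key.lower()] = value
    return conf

def parse_username_map(text):
    """Return {smbname: unixname} from an smbusers file."""
    mapping = {}
    for line in text.splitlines():
        if "=" in line:
            unixname, smbnames = (p.strip() for p in line.split("=", 1))
            mapping.update({smb: unixname for smb in smbnames.split()})
    return mapping

def check_share(conf, share, username_map, dir_mode):
    """Return findings for one share; dir_mode is the share directory's st_mode."""
    findings = []
    security = conf.get("global", {}).get("security", "user").lower()
    for user in conf[share].get("valid users", "").replace(",", " ").split():
        qualified = "+" in user or "\\" in user  # DOMAIN+user or DOMAIN\user
        # With security = ads/domain the username map is applied only after the DC has
        # authenticated the client name, so mapping to a local account cannot bypass the DC.
        if security in ("ads", "domain") and not qualified and user in username_map:
            findings.append(f"[{share}] '{user}' maps to local '{username_map[user]}' but must "
                            "still authenticate at the DC; list the DOMAIN+user account instead")
    if dir_mode & 0o002:  # o+w: the 'chmod 777' workaround
        findings.append(f"[{share}] directory is world-writable ({oct(dir_mode & 0o7777)}); "
                        "chown it to the domain account and remove o+w instead")
    return findings
```

Running check_share on the quoted configuration with a 0777 share directory reports both findings; replacing the valid user with DOMAINNAME+remoteusername and tightening the directory mode to 0775 reports none.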

