[Samba] Samba as fileserver on Active Directory domain

Robert LeBlanc robert at leblancnet.us
Sat Oct 3 23:13:50 MDT 2009


What version of Samba are you using? I submitted a patch to Samba that is in
3.4.1 and slated for the next version of 3.3.x that fixes the
workgroup/realm thing. It falls back to SPNEGO without the patch, but it
takes a little while; the patch speeds things up.

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University


On Fri, Oct 2, 2009 at 11:09 AM, Jonathan Petersson
<jpetersson at garnser.se> wrote:

> How did you solve the Kerberos portion of things? When winbind tries
> to connect to my server the Kerberos session fails as it tries to
> connect with the workgroup instead of the realm.
>
> Thanks
>
> /Jonathan
>
> On Fri, Oct 2, 2009 at 9:36 AM, Ivan Ordonez <iordonez at berkeley.edu>
> wrote:
> >
> >
> > Jonathan Petersson wrote:
> >>
> >> Hi Ivan,
> >>
> >> I'm working on a similar thing but am having some issues with the
> >> Kerberos sessions between Samba and AD. Is your Samba server a member
> >> of a Win2k8R2 or a Win2k3 domain?
> >>
> >> Thanks
> >>
> >> /Jonathan
> >>
> >> On Fri, Oct 2, 2009 at 9:00 AM, Ivan Ordonez <iordonez at berkeley.edu>
> >> wrote:
> >>
> >>>
> >>> Robert LeBlanc wrote:
> >>>
> >>>>
> >>>> What are the permissions on /shared/drive? We use ACLs to control access
> >>>> rather than smb.conf. This gives us great flexibility and you can kind of
> >>>> manage it using a Windows machine. If you have a Kerberos keytab generated,
> >>>> you can smbmount on Linux using the -o sec=krb5 and no passwords are needed;
> >>>> it also obeys ACLs. The only catch is that you need to use RID or LDAP for
> >>>> uid/gid mapping or else your permissions won't line up.
> >>>>
> >>>> Robert LeBlanc
> >>>> Life Sciences & Undergraduate Education Computer Support
> >>>> Brigham Young University
> >>>>
> >>>>
> >>>> On Thu, Oct 1, 2009 at 10:14 AM, Ivan Ordonez <iordonez at berkeley.edu> wrote:
> >>>>
> >>>>   Hello,
> >>>>
> >>>>   We have a Gentoo box running Samba that is a member of the Active
> >>>>   Directory domain. This Gentoo box will be a fileserver when
> >>>>   everything is completed and set up as it should be.  I want our users
> >>>>   to log in to their computers (computers are all members of the same
> >>>>   Active Directory domain) using Active Directory accounts/domain
> >>>>   for authentication. I am using Winbind for Active Directory
> >>>>   authentication/integration. I'm almost done except for a file permission
> >>>>   issue.  All is working smoothly (i.e. wbinfo, smbclient, getent,
> >>>>   etc.). I can access/map the shared drive on the Gentoo box from
> >>>>   any Windows computer, login to a machine without a problem using
> >>>>   Active Directory accounts.  The Active Directory authentication
> >>>>   with Winbind is working as it should.
> >>>>
> >>>>   For some odd reason, I can't figure out how to give permissions to
> >>>>   all users the ability to make changes/add new folders on the
> >>>>   shared drive. I am getting access denied even when the users or
> >>>>   group are valid users of the shared drive per smb.conf.  Below is
> >>>>   my smb.conf shared configuration:
> >>>>
> >>>>   [shared]
> >>>>         comment = shared
> >>>>         path = /shared/drive
> >>>>         read only = no
> >>>>         inherit permissions = yes
> >>>>         create mask = 755
> >>>>         directory mask = 755
> >>>>         valid users = @"MYDOMAIN+mygroup"
> >>>>         browseable = yes
> >>>>         writable = yes
> >>>>
> >>>>   Any help would be greatly appreciated.
> >>>>
> >>>>   -Ivan
> >>>>   --
> >>>>   To unsubscribe from this list go to the following URL and read the
> >>>>   instructions:  https://lists.samba.org/mailman/options/samba
> >>>>
> >>>>
> >>>
> >>> Hi,
> >>>
> >>> The files and folders on the shared drive are owned by a local Linux
> >>> account. The permissions are read, write and execute by the owner, read and
> >>> write by group and all. I was hoping that smb.conf would control the shared
> >>> drive access but I am having a hard time doing so. I would like to use ACLs if
> >>> that is the best way to make it work. Would you mind giving me a few pointers
> >>> or pointing me in the right direction to get started on ACLs? I am no LDAP
> >>> expert but I think I can get by if I have to use it.
> >>>
> >>> Thanks!
> >>>
> >>> -Ivan
> >>>
> >>>
> >
> > Hi Jonathan,
> >
> > Our Samba server is a member of Win2k8R2 domain.
> > Thanks,
> > -Ivan
> >
>
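
The thread turns on the fact that `valid users` in smb.conf only admits a user to the share, while the filesystem mode and ACL still decide each operation. The following is an added example, not part of the original messages: a simplified model of the POSIX ACL access check applied to a directory with the mode described above, using constructed uid/gid values in place of real winbind-mapped ids.

```python
# Added example: simplified model of the POSIX ACL access check.
# All uid/gid values are constructed; real ones come from winbind's idmap.
R, W, X = 4, 2, 1

def has(bits, want):
    return bits & want == want

def allowed(want, uid, gids, owner_uid, owner_gid, mode, acl=None):
    """True if (uid, gids) is granted every bit in `want`.

    mode: the nine permission bits, e.g. 0o766.
    acl:  optional named entries as set with setfacl:
          {"users": {uid: bits}, "groups": {gid: bits}, "mask": bits}
    """
    acl = acl or {}
    mask = acl.get("mask", 7)          # the mask caps named and group entries
    if uid == owner_uid:               # 1. owner class, never masked
        return has((mode >> 6) & 7, want)
    if uid in acl.get("users", {}):    # 2. named user entry
        return has(acl["users"][uid] & mask, want)
    # 3. group class: owning group plus named groups the user belongs to.
    entries = [(mode >> 3) & 7] if owner_gid in gids else []
    entries += [b for g, b in acl.get("groups", {}).items() if g in gids]
    if entries:                        # any one matching entry may grant
        return any(has(b & mask, want) for b in entries)
    return has(mode & 7, want)         # 4. everyone else

def can_create_in(dir_mode, uid, gids, owner_uid, owner_gid, acl=None):
    # Creating a file or folder needs write AND search (x) on the directory.
    return allowed(W | X, uid, gids, owner_uid, owner_gid, dir_mode, acl)

# Constructed scenario: directory owned by a local account (1000:1000) with
# rwx for owner and rw- for group and others, as described in the thread.
LOCAL_UID, LOCAL_GID, DIR_MODE = 1000, 1000, 0o766
AD_UID, AD_GIDS = 11105, {10513, 11200}   # hypothetical RID-mapped ids
GROUP_ACL = {"groups": {11200: R | W | X}, "mask": R | W | X}

if __name__ == "__main__":
    print("mode only:", can_create_in(DIR_MODE, AD_UID, AD_GIDS, LOCAL_UID, LOCAL_GID))
    print("with ACL: ", can_create_in(DIR_MODE, AD_UID, AD_GIDS, LOCAL_UID, LOCAL_GID, GROUP_ACL))
```

The named group entry only helps if the gid stored in the ACL is the one the server maps the AD group to every time, which is why the uid/gid mapping backend matters.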

