[Samba] Samba as fileserver on Active Directory domain
Ivan Ordonez
iordonez at berkeley.edu
Mon Oct 5 14:34:46 MDT 2009
I was able to install version 3.3.8 of Samba. I am running it now. I
can see shares, but could not write at all.
ACL seems simple but I can't get it to work. Any help or advice would
be greatly appreciated.
Robert LeBlanc wrote:
> The changes have not made it into a 3.3.x release yet, 3.3.7 was a
> security release, ideally 3.3.8 should have the fix. There were quite
> a number of configuration changes from 3.0.x to 3.3.x in regards to
> Active Directory, you may not be able to use your old config without
> updating some things.
>
> Robert LeBlanc
> Life Sciences & Undergraduate Education Computer Support
> Brigham Young University
>
>
> On Mon, Oct 5, 2009 at 10:02 AM, Ivan Ordonez <iordonez at berkeley.edu> wrote:
>
>
> I am using Samba version 3.0.36. When I upgraded to 3.3.7, I got
> some "realm" complaints when I run testparm and some "ADS"
> related error. The 3.3.7 version is masked by Gentoo portage and
> not sure if it will be available soon.
>
> Thanks,
> -Ivan
>
>
> Robert LeBlanc wrote:
>> What version of samba are you using? I submitted a patch to Samba
>> that is in 3.4.1 and slated for the next version of 3.3.x that
>> fixes the workgroup/realm thing. It falls back to SPNEGO without
>> the patch, but it takes a little while, the patch speeds things up.
>>
>> Robert LeBlanc
>> Life Sciences & Undergraduate Education Computer Support
>> Brigham Young University
>>
>>
>> On Fri, Oct 2, 2009 at 11:09 AM, Jonathan Petersson <jpetersson at garnser.se> wrote:
>>
>> How did you solve the kerberos portion of things, when winbind tries
>> to connect to my server the kerberos session fails as it tries to
>> connect with the workgroup instead of the realm.
>>
>> Thanks
>>
>> /Jonathan
>>
>> On Fri, Oct 2, 2009 at 9:36 AM, Ivan Ordonez <iordonez at berkeley.edu> wrote:
>> >
>> >
>> > Jonathan Petersson wrote:
>> >>
>> >> Hi Ivan,
>> >>
>> >> I'm working on a similar thing but am having some issues with the
>> >> kerberos sessions between samba and AD. Is your Samba server a member
>> >> of a Win2k8R2 or a Win2k3 domain?
>> >>
>> >> Thanks
>> >>
>> >> /Jonathan
>> >>
>> >> On Fri, Oct 2, 2009 at 9:00 AM, Ivan Ordonez <iordonez at berkeley.edu> wrote:
>> >>
>> >>>
>> >>> Robert LeBlanc wrote:
>> >>>
>> >>>>
>> >>>> What are the permissions on /shared/drive? We use ACLs to control access
>> >>>> rather than smb.conf. This gives us great flexibility and you can kind of
>> >>>> manage it using a Windows machine. If you have Kerberos keytab generated,
>> >>>> you can smbmount on Linux using the -o sec=krb5 and no passwords are needed,
>> >>>> it also obeys ACL. The only catch is that you need to use RID or LDAP for
>> >>>> uid/gid mapping or else your permissions won't line up.
>> >>>>
>> >>>> Robert LeBlanc
>> >>>> Life Sciences & Undergraduate Education Computer Support
>> >>>> Brigham Young University
>> >>>>
>> >>>>
>> >>>> On Thu, Oct 1, 2009 at 10:14 AM, Ivan Ordonez <iordonez at berkeley.edu> wrote:
>> >>>>
>> >>>> Hello,
>> >>>>
>> >>>> We have a Gentoo box running Samba and is a member of the Active
>> >>>> Directory domain. This Gentoo box will be a fileserver when
>> >>>> everything is completed and setup as it should. I want our users
>> >>>> to login to their computer (Computers are all members of the same
>> >>>> Active Directory domain) using Active Directory accounts/domain
>> >>>> for authentication. I am using Winbind for Active Directory
>> >>>> authentication/integration. I'm almost done except file permission
>> >>>> issue. All is working smoothly (ie. wbinfo, smbclient, getent,
>> >>>> etc.). I can access/map the shared drive on the Gentoo box from
>> >>>> any Windows computer, login to a machine without a problem using
>> >>>> Active Directory accounts. The Active Directory authentication
>> >>>> with Winbind is working as it should.
>> >>>>
>> >>>> For some odd reason, I can't figure out how to give permissions to
>> >>>> all users the ability to make changes/add new folders on the
>> >>>> shared drive. I am getting access denied even when the users or
>> >>>> group are valid users of the shared drive per smb.conf. Below is
>> >>>> my smb.conf shared configuration:
>> >>>>
>> >>>> [shared]
>> >>>> comment = shared
>> >>>> path = /shared/drive
>> >>>> read only = no
>> >>>> inherit permissions = yes
>> >>>> create mask = 755
>> >>>> directory mask = 755
>> >>>> valid users = @"MYDOMAIN+mygroup"
>> >>>> browseable = yes
>> >>>> writable = yes
>> >>>>
>> >>>> Any help would be greatly appreciated.
>> >>>>
>> >>>> -Ivan
>> >>>> -- To unsubscribe from this list go to the following URL and read the
>> >>>> instructions: https://lists.samba.org/mailman/options/samba
>> >>>>
>> >>>>
>> >>>
>> >>> Hi,
>> >>>
>> >>> The files and folders on the shared drive are owned by a local Linux
>> >>> account. The permissions are read, write and execute by the owner, read
>> >>> and write by group and all. I was hoping that smb.conf will control the
>> >>> shared drive access but having a hard time doing so. I would like to use
>> >>> ACL if that is the best way to make it work. Would you mind giving me a
>> >>> few pointers or point me in the right direction to get started on ACL? I
>> >>> am no LDAP expert but I think I can get by if I have to use it.
>> >>>
>> >>> Thanks!
>> >>>
>> >>> -Ivan
>> >>>
>> >>>
>> >
>> > Hi Jonathan,
>> >
>> > Our Samba server is a member of Win2k8R2 domain.
>> > Thanks,
>> > -Ivan
>> >
>>
>>
>
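
Added example (not part of the thread, and not Samba code): a small model of the POSIX ACL access check the kernel applies underneath smb.conf. It shows why the permissions described for /shared/drive deny folder creation, how a named-group entry changes that, and why uid/gid mapping has to line up. All uids, gids and the setfacl line are assumptions made for illustration.

```python
# Added example: POSIX.1e access check for a non-root caller.
# All uids, gids and modes below are constructed for illustration.
R, W, X = 4, 2, 1

def acl_allows(acl, uid, gids, want):
    """Return True if the ACL grants every permission bit in `want`."""
    mask = acl.get("mask", R | W | X)            # mask caps named and group entries
    if uid == acl["owner_uid"]:
        return (acl["user_obj"] & want) == want
    if uid in acl.get("users", {}):
        return (acl["users"][uid] & mask & want) == want
    group_entries = [(acl["owner_gid"], acl["group_obj"])]
    group_entries += list(acl.get("groups", {}).items())
    matching = [perms & mask for gid, perms in group_entries if gid in gids]
    if matching:                                 # a group matched: "other" is never consulted
        return any((p & want) == want for p in matching)
    return (acl["other"] & want) == want

def can_create_in(dir_acl, uid, gids):
    """Creating a file or folder needs write and search (x) on the parent."""
    return acl_allows(dir_acl, uid, gids, W | X)

# /shared/drive as described in the thread: local owner, rwx / rw- / rw-.
LOCAL_UID, LOCAL_GID = 1000, 1000
share_dir = {"owner_uid": LOCAL_UID, "owner_gid": LOCAL_GID,
             "user_obj": R | W | X, "group_obj": R | W, "other": R | W}

# Domain user and MYDOMAIN+mygroup as winbind might map them (assumed ids).
AD_UID, MYGROUP_GID = 10001, 10000

# Same directory after something like:
#   setfacl -m g:"MYDOMAIN+mygroup":rwx /shared/drive
with_acl = dict(share_dir, groups={MYGROUP_GID: R | W | X}, mask=R | W | X)

# A host whose idmap assigns the group a different gid does not match the entry.
OTHER_HOST_GID = 20000

if __name__ == "__main__":
    print("mode bits only   :", can_create_in(share_dir, AD_UID, {MYGROUP_GID}))
    print("named group ACL  :", can_create_in(with_acl, AD_UID, {MYGROUP_GID}))
    print("gid mapped apart :", can_create_in(with_acl, AD_UID, {OTHER_HOST_GID}))
```

The share-level settings (valid users, writable) only decide who may connect and whether writes are attempted; the filesystem check modelled here still has to pass for the mapped uid/gid.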