[Samba] SOLVED: Samba as fileserver on Active Directory domain
Ivan Ordonez
iordonez at berkeley.edu
Wed Oct 14 10:36:14 MDT 2009
We got our Samba server joined to our Active Directory domain as a fileserver. We
emerged the latest Samba version, 3.4.2. Instead of using the group
name on Active Directory as the owner and group of a directory or file
we are sharing, I used the GID and UID.
hostname ~ # chown 11111:2000000 /share/test
Also, below is a portion of my smb.conf.
[test]
comment = test
path = /share/test
public = yes
browseable = yes
writable = yes
users = "MYDOMAIN+mygroup"
Thanks,
-Ivan
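The final post sets ownership by numeric uid/gid rather than by winbind name. setfacl accepts numeric ids in its entries too, which avoids an NSS lookup through winbind entirely, and that is what the added example below does (it is not code from the thread or from Samba). It builds the access-plus-default entry spec that the earlier reply describes, and computes the effective rights of an entry from getfacl output. The caveat worth knowing: the ceiling on named-user, named-group and owning-group entries is the mask:: entry, which setfacl recalculates unless run with -n and which chmod of the group bits rewrites; the owner and other entries are never masked. The ids 11111 and 2000000 are the sample values from the post; the getfacl text is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds setfacl entries for AD
# principals by numeric uid/gid (the approach in the final post) and works
# out the effective rights of an ACL entry from getfacl output, applying
# the mask:: entry that caps named-user, named-group and owning-group rights.

# Constructed sample of getfacl output; the ids 11111 and 2000000 are the
# ones the post uses for chown. The mask is narrower than the named entries.
SAMPLE_GETFACL='# file: share/test
# owner: 11111
# group: 2000000
user::rwx
user:11111:rwx
group::r-x
group:2000000:rwx
mask::r-x
other::r-x'

# acl_entry KIND ID PERMS -> one entry such as "g:2000000:rwx".
# KIND is u or g. ID may be a number (no NSS/winbind lookup needed) or a
# name such as "MYDOMAIN+mygroup" (requires getent to resolve it).
acl_entry() {
  kind=$1; id=$2; perms=$3
  case $kind in u|g) ;; *) echo "acl_entry: kind must be u or g" >&2; return 1 ;; esac
  case $perms in ''|*[!rwx-]*) echo "acl_entry: bad perms '$perms'" >&2; return 1 ;; esac
  [ -n "$id" ] && [ ${#perms} -le 3 ] || { echo "acl_entry: bad id/perms" >&2; return 1; }
  printf '%s:%s:%s\n' "$kind" "$id" "$perms"
}

# share_acl_spec UID GID GROUP_PERMS -> spec for "setfacl -m": access entries
# plus matching default (d:) entries so new files and directories inherit them.
share_acl_spec() {
  u=$(acl_entry u "$1" rwx) || return 1
  g=$(acl_entry g "$2" "$3") || return 1
  printf 'd:%s,%s,d:%s,%s\n' "$u" "$u" "$g" "$g"
}

# perm_and A B -> intersection of two rwx strings (rwx AND r-x = r-x).
perm_and() {
  a=$1; b=$2; out=''
  for c in r w x; do
    case $a in *$c*) case $b in *$c*) out="$out$c"; continue ;; esac ;; esac
    out="$out-"
  done
  printf '%s\n' "$out"
}

# effective_perms ACL_TEXT ENTRY -> what the kernel actually grants.
# ENTRY is the getfacl tag without perms: "user:" (owner), "user:11111",
# "group:" (owning group), "group:2000000", "other:".
effective_perms() {
  acl=$1; entry=$2
  perms=$(printf '%s\n' "$acl" | sed -n "s/^$entry:\([rwx-]*\)\$/\1/p" | head -n 1)
  [ -n "$perms" ] || { echo "effective_perms: no entry '$entry'" >&2; return 1; }
  case $entry in
    user:|other:) printf '%s\n' "$perms"; return 0 ;;   # owner and other are never masked
  esac
  mask=$(printf '%s\n' "$acl" | sed -n 's/^mask::\([rwx-]*\)$/\1/p' | head -n 1)
  if [ -z "$mask" ]; then printf '%s\n' "$perms"; else perm_and "$perms" "$mask"; fi
}

# Usage on a real host (not run here; needs an acl-mounted filesystem):
#   setfacl -m "$(share_acl_spec 11111 2000000 r-x)" /share/test
#   effective_perms "$(getfacl -p /share/test)" group:2000000
```

With the constructed sample, group:2000000 holds rwx but the mask is r-x, so effective_perms reports r-x; that is the situation to look for when an AD group "has rwx in the ACL" yet gets access denied on write.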
Ivan Ordonez wrote:
> I was able to set ACL with local username but can't do it on domain
> username or groups.
>
> hostname ~ # getfacl /shared/drive
> getfacl: Removing leading '/' from absolute path names
> # file: shared/drive
> # owner: mylocalusername
> # group: root
> user::rwx
> group::r-x
> other::r-x
> default:user::rwx
> default:group::rwx
> default:other::r-x
>
> When I tried to set ACLs for a domain account or group, it was an invalid
> option.
>
> hostname ~ #setfacl -m g:"DOMAIN+Domain Admins":rwx /shared/drive
> setfacl: Option -m: Invalid argument near character 3
>
> hostname ~ #setfacl -m g:"DOMAIN+myusername":rwx /shared/drive
> setfacl: Option -m: Invalid argument near character 3
>
> I believe the drive is mounted and ACL is enable.
>
> hostname ~ # mount
> /dev/hda3 on / type ext3 (rw,noatime,acl)
>
> Here is my /etc/fstab
> /dev/hda3 / ext3 noatime,acl 0 1
>
> What I find odd is running wbinfo and getent command to be very
> inconsistent. I would sometimes get result and sometimes not.
> hostname ~ # wbinfo -u
> Error looking up domain users
>
> Any other suggestions?
>
> Thanks.
>
> Robert LeBlanc wrote:
>> Sorry, my bad, 3.3.8 was the security release. It sounds like it is
>> working, however. As far as ACLs, make sure that ACLs are turned on on
>> your file system (mount -o acl for most filesystems) and then make
>> sure you have the ACL packages for your distro installed (Debian:
>> apt-get install acl). Then it's a matter of using the setfacl command
>> like `setfacl -m
>> d:u:<ad-user>:rwx,u:<ad-user>:rwx,d:g:<ad-group>:rx,g:<ad-group>:rx
>> /my/shared/dir`.
>>
>> You can add as many ACLs as you want, remember that the linux default
>> rwx perms sets the max for ACL users and groups. If the linux user
>> (owner) ACL is rx, then even though an ACL specifies another user
>> with rwx, they will only have rx. The second thing to remember is
>> that the default ACL is not needed, but if specified will set those
>> ACLs on all new files and directories and act much like Windows. If
>> you set the permissions using Windows, the default ACL will be set.
>> Thirdly, only the Linux user and group have the file counted against their
>> quota; permissions assigned in ACLs do not affect those users' and
>> groups' quotas. Fourthly, some applications are not ACL aware; Apache
>> for instance does not look at ACLs on Linux. To check your set ACLs,
>> use getfacl /this/is/my/file.
>>
>> Hope that helps.
>>
>> Robert LeBlanc
>> Life Sciences & Undergraduate Education Computer Support
>> Brigham Young University
>>
>>
>> On Mon, Oct 5, 2009 at 2:34 PM, Ivan Ordonez <iordonez at berkeley.edu> wrote:
>>
>> I was able to install 3.3.8 version of Samba. I am running it
>> now. I can see shares, but could not write at all.
>> ACL seems simple but I can't get it to work. Any help or advice
>> would be greatly appreciated.
>>
>>
>> Robert LeBlanc wrote:
>>> The changes have not made it into a 3.3.x release yet, 3.3.7 was
>>> a security release, ideally 3.3.8 should have the fix. There were
>>> quite a number of configuration changes from 3.0.x to 3.3.x in
>>> regards to Active Directory, you may not be able to use your old
>>> config without updating some things.
>>>
>>> Robert LeBlanc
>>> Life Sciences & Undergraduate Education Computer Support
>>> Brigham Young University
>>>
>>>
>>> On Mon, Oct 5, 2009 at 10:02 AM, Ivan Ordonez <iordonez at berkeley.edu> wrote:
>>>
>>>
>>> I am using Samba version 3.0.36. When I upgraded to 3.3.7, I
>>> got some "realm" complaints when I run testparm and some
>>> "ADS" related error. The 3.3.7 version is masked by Gentoo
>>> portage and not sure if it will be available soon.
>>>
>>> Thanks,
>>> -Ivan
>>>
>>>
>>> Robert LeBlanc wrote:
>>>> What version of samba are you using? I submitted a patch to
>>>> Samba that is in 3.4.1 and slated for the next version of
>>>> 3.3.x that fixes the workgroup/realm thing. It falls back to
>>>> SPNEGO without the patch, but it takes a little while; the
>>>> patch speeds things up.
>>>>
>>>> Robert LeBlanc
>>>> Life Sciences & Undergraduate Education Computer Support
>>>> Brigham Young University
>>>>
>>>>
>>>> On Fri, Oct 2, 2009 at 11:09 AM, Jonathan Petersson <jpetersson at garnser.se> wrote:
>>>>
>>>> How did you solve the kerberos portion of things? When winbind tries
>>>> to connect to my server the kerberos session fails, as it tries to
>>>> connect with the workgroup instead of the realm.
>>>>
>>>> Thanks
>>>>
>>>> /Jonathan
>>>>
>>>> On Fri, Oct 2, 2009 at 9:36 AM, Ivan Ordonez <iordonez at berkeley.edu> wrote:
>>>> >
>>>> >
>>>> > Jonathan Petersson wrote:
>>>> >>
>>>> >> Hi Ivan,
>>>> >>
>>>> >> I'm working on a similar thing but am having some issues with the
>>>> >> kerberos sessions between samba and AD. Is your Samba server a member
>>>> >> of a Win2k8R2 or a Win2k3 domain?
>>>> >>
>>>> >> Thanks
>>>> >>
>>>> >> /Jonathan
>>>> >>
>>>> >> On Fri, Oct 2, 2009 at 9:00 AM, Ivan Ordonez <iordonez at berkeley.edu> wrote:
>>>> >>
>>>> >>>
>>>> >>> Robert LeBlanc wrote:
>>>> >>>
>>>> >>>>
>>>> >>>> What are the permissions on /shared/drive? We use ACLs to control access
>>>> >>>> rather than smb.conf. This gives us great flexibility and you can kind of
>>>> >>>> manage it using a Windows machine. If you have a Kerberos keytab generated,
>>>> >>>> you can smbmount on Linux using -o sec=krb5 and no passwords are needed;
>>>> >>>> it also obeys ACLs. The only catch is that you need to use RID or LDAP for
>>>> >>>> uid/gid mapping or else your permissions won't line up.
>>>> >>>>
>>>> >>>> Robert LeBlanc
>>>> >>>> Life Sciences & Undergraduate Education Computer
>>>> Support
>>>> >>>> Brigham Young University
>>>> >>>>
>>>> >>>>
>>>> >>>> On Thu, Oct 1, 2009 at 10:14 AM, Ivan Ordonez <iordonez at berkeley.edu> wrote:
>>>> >>>>
>>>> >>>> Hello,
>>>> >>>>
>>>> >>>> We have a Gentoo box running Samba which is a member of the Active
>>>> >>>> Directory domain. This Gentoo box will be a fileserver when everything
>>>> >>>> is completed and set up as it should be. I want our users to log in to
>>>> >>>> their computer (computers are all members of the same Active Directory
>>>> >>>> domain) using Active Directory accounts/domain for authentication. I am
>>>> >>>> using Winbind for Active Directory authentication/integration. I'm
>>>> >>>> almost done except for the file permission issue. All is working
>>>> >>>> smoothly (i.e. wbinfo, smbclient, getent, etc.). I can access/map the
>>>> >>>> shared drive on the Gentoo box from any Windows computer, and log in to
>>>> >>>> a machine without a problem using Active Directory accounts. The Active
>>>> >>>> Directory authentication with Winbind is working as it should.
>>>> >>>>
>>>> >>>> For some odd reason, I can't figure out how to give all users the
>>>> >>>> ability to make changes/add new folders on the shared drive. I am
>>>> >>>> getting access denied even when the users or group are valid users of
>>>> >>>> the shared drive per smb.conf. Below is my smb.conf shared
>>>> >>>> configuration:
>>>> >>>>
>>>> >>>> [shared]
>>>> >>>> comment = shared
>>>> >>>> path = /shared/drive
>>>> >>>> read only = no
>>>> >>>> inherit permissions = yes
>>>> >>>> create mask = 755
>>>> >>>> directory mask = 755
>>>> >>>> valid users = @"MYDOMAIN+mygroup"
>>>> >>>> browseable = yes
>>>> >>>> writable = yes
>>>> >>>>
>>>> >>>> Any help would be greatly appreciated.
>>>> >>>>
>>>> >>>> -Ivan
>>>> >>>> --
>>>> >>>> To unsubscribe from this list go to the following URL and read the
>>>> >>>> instructions: https://lists.samba.org/mailman/options/samba
>>>> >>>>
>>>> >>>>
>>>> >>>
>>>> >>> Hi,
>>>> >>>
>>>> >>> The files and folders on the shared drive are owned by a local Linux
>>>> >>> account. The permissions are read, write and execute by the owner,
>>>> >>> read and write by group and all. I was hoping that smb.conf would
>>>> >>> control the shared drive access but I am having a hard time doing so.
>>>> >>> I would like to use ACLs if that is the best way to make it work.
>>>> >>> Would you mind giving me a few pointers or pointing me in the right
>>>> >>> direction to get started on ACLs? I am no LDAP expert but I think I
>>>> >>> can get by if I have to use it.
>>>> >>>
>>>> >>> Thanks!
>>>> >>>
>>>> >>> -Ivan
>>>> >>>
>>>> >>>
>>>> >
>>>> > Hi Jonathan,
>>>> >
>>>> > Our Samba server is a member of Win2k8R2 domain.
>>>> > Thanks,
>>>> > -Ivan
>>>> >
>>>>
>>>>
>>>
>>
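Two share stanzas appear in the thread: the original [shared] with valid users, and the final [test] with public = yes and users = .... In smb.conf, public is a synonym for guest ok, and users (like user) is a synonym for username, which is a password-matching hint rather than an allow list; valid users is the parameter that restricts who may connect. The added script below (not code from the thread or from Samba; it only understands the synonyms listed in its comments, not [global] inheritance) lints a single share stanza for those three points. The embedded smb.conf text is constructed: the [test] stanza as posted beside a hardened variant, [test_hardened], whose name is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread. Lints one share stanza in smb.conf
# text for settings that widen access: guest access ("guest ok", or its
# synonym "public"), a missing "valid users" allow list, and "username"
# (synonyms "users"/"user"), which is a password-matching hint and does not
# restrict who may connect. Settings inherited from [global] are not checked.

# Constructed sample: the [test] stanza as posted, plus a hardened variant.
SAMPLE_SMBCONF='[test]
comment = test
path = /share/test
public = yes
browseable = yes
writable = yes
users = "MYDOMAIN+mygroup"

[test_hardened]
comment = test
path = /share/test
guest ok = no
browseable = yes
read only = no
valid users = @"MYDOMAIN+mygroup"
; access within the share is then governed by the POSIX ACLs on /share/test
'

# lint_share CONF_TEXT SECTION -> prints one finding per line; exit status 1
# if anything was found, 0 if the stanza is clean.
lint_share() {
  printf '%s\n' "$1" | awk -v want="$2" '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    /^[ \t]*[;#]/ { next }                       # comment lines
    /^[ \t]*\[/  { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next }
    sec == want && index($0, "=") {
      key = tolower(trim(substr($0, 1, index($0, "=") - 1)))
      val = tolower(trim(substr($0, index($0, "=") + 1)))
      # fold smb.conf synonyms onto one canonical name
      if (key == "public") key = "guest ok"
      if (key == "users" || key == "user") key = "username"
      kv[key] = val
    }
    END {
      n = 0
      if (kv["guest ok"] == "yes" || kv["guest ok"] == "true" || kv["guest ok"] == "1") {
        print "guest access enabled (guest ok / public = yes): no password needed"; n++
      }
      if (!("valid users" in kv)) {
        print "no valid users: any account that can authenticate may connect"; n++
      }
      if ("username" in kv) {
        print "username/users set: a password hint, not an allow list"; n++
      }
      exit n > 0
    }'
}

# Usage on a real host (not run here):
#   lint_share "$(cat /etc/samba/smb.conf)" test
```

On the constructed sample, [test] yields three findings and a non-zero exit status, [test_hardened] none; the script is intended to run in CI or a pre-deploy hook so that a share does not go live with guest access switched on by a synonym that is easy to overlook.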