[Samba] Use Samba with ACL for read Active Directory and set Permissions via it.

Rowland Penny rowlandpenny at googlemail.com
Sat Dec 27 05:12:25 MST 2014


On 27/12/14 11:55, Jason Long wrote:
> You're right. I joined my Linux box into the Windows domain.
> Of course. I attached my "smb.conf". Can you see it?
>
>
> On Saturday, December 27, 2014 3:36 AM, Rowland Penny 
> <rowlandpenny at googlemail.com> wrote:
>
>
> On 27/12/14 06:44, Jason Long wrote:
>
> > Thank you so much.
> > No, I'm not. I joined my Linux to the Windows domain because of AD. I
> > can define some users in my Linux and Windows clients use them to open
> > shares and ... but my problem is that I have a lot of users and groups,
> > and redefining all of them in Linux is a little silly :(. I joined my
> > Linux to the Windows domain in order to use AD users and groups.
> >
> > About your question:
> > "Where did you setup the password for 'jasondomain\jason'?  Again, if you
> > didn't set a password, more modern versions of windows won't allow you to
> > login (or attach a share) remotely."
> >
> > I must say that "jason" is defined in AD on Windows OS and I use it
> > for login into Linux.
> >
> >
> > "You don't say what happens when you try to open 'test'.  You say it
> > can't let you?  What error message does it give you? "
> > It doesn't show me any error; it just shows the login window again :(.
> >
> >
> >
> >
> > On Friday, December 26, 2014 2:35 PM, Linda W <samba at tlinx.org> wrote:
> > Jason Long wrote:
> >> Hello Folks.
> >> How are you?
> >>
> >> I joined my CentOS into a Windows domain and I want to give
> >> permissions to files and directories via Active Directory. When I use
> >> "getent passwd" and "getent group", I can see all AD users and groups.
> >> I use the command below to give permission to a folder via ACL:
> >>
> >> setfacl -m g:"jasondomain\jason-rw":rwx /home/local/jasondomain/jason/test
> >>
> >> and I created a section in my "smb.conf" file:
> >>
> >> [Test]
> >> comment = test
> >> path = /home/local/jasondomain/jason/test
> >> browsable = yes
> >> inherit acls = yes
> >> inherit permissions = yes
> >> inherit owner = yes
> >> map acl inherit = yes
> >> acl check permissions = yes
> >> nt acl support = yes
> >> #valid users = %D\%S
> >> #write list = @jasondomain\domain^admins
> >> read only = no
> >>
> >>
> >> but when I browse the "Test" directory it asks me for a username and
> >> password, and when I enter "jasondomain\jason" as the username it won't
> >> let me open the "Test" directory. What is the problem?
> >>
> > ----
> >      Are you already logged into the server under different credentials,
> > like 'WORKGROUP', jason (i.e. do you already have some shares mounted?)
> >
> > If I remember, Windows won't allow the same workstation to connect under
> > two different user IDs.  If you already have something mounted from your
> > workstation with different credentials, you need to close (unmount / unmap)
> > those other connections.
> >
> > Where did you setup the password for 'jasondomain\jason'?  Again, if you
> > didn't set a password, more modern versions of windows won't allow you to
> > login (or attach a share) remotely.
> >
> > You don't say what happens when you try to open 'test'.  You say it
> > can't let you?  What error message does it give you?
>
>
> OK, if I understand you correctly, you have set up Samba on a CentOS
> machine and joined it to a Windows machine, is this correct?
>
> Could you post the entire smb.conf from your CentOS machine.
>
> Rowland
>
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
>
>
OK, after wading through all the un-needed lines, I got this:

[global]
     workgroup = MYGROUP
     server string = Samba Server Version %v
     # logs split per machine
     log file = /var/log/samba/log.%m
     # max 50KB per log file, then rotate
     max log size = 50
     security = user
     passdb backend = tdbsam
     load printers = yes
     cups options = raw

[homes]
     comment = Home Directories
     browseable = no
     writable = yes

[printers]
     comment = All Printers
     path = /var/spool/samba
     browseable = no
     guest ok = no
     writable = no
     printable = yes

[Test]
     comment = Public Stuff
     path = /home/local/HAMSHAHRY/jokar/test/
     browsable = yes
     inherit acls = yes
     inherit permissions = yes
     inherit owner = yes
     map acl inherit = yes
     acl check permissions = yes
     nt acl support = yes
     read only = no

Try changing 'security = user' to 'security = ads' and adding the 
required winbind & idmap lines, see: 
https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server

Yes, I know it says 'member server', but you can use it for a client as 
well.

Rowland
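As an added illustration of the change Rowland suggests (this is not the smb.conf from the thread and not text from the Samba wiki page he links), the [global] section below is rewritten as an AD domain member. The domain name JASONDOMAIN, the realm JASONDOMAIN.EXAMPLE.COM, the idmap ranges and the template homedir layout are assumptions and must be replaced with the real values; the share definition keeps the path from the thread.

```ini
# Added example, not the original poster's smb.conf. Placeholder values
# (domain, realm, idmap ranges, homedir layout) are assumptions.

[global]
    # Before (from the thread): "security = user" with "passdb backend = tdbsam"
    # checks credentials against the local tdbsam only. That database has no
    # entry for jasondomain\jason, so every attempt just re-prompts for a login.

    # After: authenticate against Active Directory through Kerberos and winbind.
    workgroup = JASONDOMAIN                 # NetBIOS domain name (assumed)
    realm = JASONDOMAIN.EXAMPLE.COM         # AD DNS domain / Kerberos realm (placeholder)
    security = ads
    kerberos method = secrets and keytab

    # idmap: stable UID/GID mapping for domain SIDs. The "*" default range
    # (BUILTIN etc.) must not overlap the domain range. Ranges are assumptions.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config JASONDOMAIN : backend = rid
    idmap config JASONDOMAIN : range = 10000-999999

    # Home directories following the /home/local/<domain>/<user> layout seen
    # in the thread (assumed). %D expands to the domain, %U to the user.
    template homedir = /home/local/%D/%U
    template shell = /bin/bash

    # Store Windows ACLs in extended attributes so permissions set from a
    # Windows client and with setfacl on the Linux side stay consistent.
    vfs objects = acl_xattr
    map acl inherit = yes

    log file = /var/log/samba/log.%m
    max log size = 50

[Test]
    comment = test
    path = /home/local/jasondomain/jason/test
    browseable = yes
    read only = no
    inherit acls = yes
```

After editing, run `testparm` to catch syntax errors, join with `net ads join -U Administrator`, start winbind, and confirm with `wbinfo -u`, `wbinfo -g` and `getent group 'JASONDOMAIN\jason-rw'` that the group used in the setfacl call resolves to a GID. `winbind use default domain` is left at its default so the "DOMAIN\name" form already used in the thread keeps working. One caveat: "getent passwd" already listing AD users means some NSS provider is in place; if that provider is not winbind, the UIDs and GIDs Samba computes from its idmap configuration must agree with it, otherwise the owner and group Samba sees on disk will not be the ones the ACL names.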


