[Samba] Use Samba with ACL for read Active Directory and set Permissions via it.

Rowland Penny rowlandpenny at googlemail.com
Sun Dec 28 05:15:29 MST 2014


On 28/12/14 11:54, Jason Long wrote:
>
> Thank you so much.
>
> I changed "SAMDOM" to "jasondomain" and also set "winbind use default domain = no", but the problem still exists. In the photo that I sent, I changed "WORKGROUP" to "jasondomain" too.
> I have a question: my domain has a ".jj" prefix and it is "jasondomain.jj". I changed:
>
>
> [global]
> workgroup = JASONDOMAIN.JJ
> server string = Samba Server Version %v
> # logs split per machine
> log file = /var/log/samba/log.%m
> # max 50KB per log file, then rotate
> max log size = 50
> security = ads
> passdb backend = tdbsam
> load printers = yes
> cups options = raw
> idmap config *:backend = tdb
> idmap config *:range = 70001-80000
> #idmap config SAMDOM:backend = ad
> idmap config JASONDOMAIN.JJ:backend = ad
> idmap config JASONDOMAIN.JJ:schema_mode = rfc2307
> idmap config JASONDOMAIN.JJ:range = 500-40000
>
>
> Am I right? If yes, my problem is not solved :(
>
>
> About your question I must say "No", I do not have any "jason" user on the Linux machine.
> Yes, I use "jasondomain\jason" to log in to the Linux machine, and "jason" is a user defined in Windows Active Directory.
>
>
> Thanks.
>
>
>
>
>
> On Sunday, December 28, 2014 1:41 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
> On 28/12/14 08:47, Jason Long wrote:
>> I never used four different Workgroup or Domain names. My domain is
>> "jasondomain", as you can see in my last "smb.conf". I changed
>> "MYGROUP" to "jasondomain" but the problem is not solved.
>>
>>
>> On Saturday, December 27, 2014 7:02 AM, Rowland Penny
>> <rowlandpenny at googlemail.com> wrote:
>>
>>
>> On 27/12/14 14:18, Jason Long wrote:
>>> Thank you so much.
>>> I changed my "smb.conf" and "password-auth-ac". I attached both files
>>> for you so you can see them. My problem is not solved :( and the login
>>> window appeared and did not accept my username and password; I attached
>>> it too.
>>> I paste my "fstab" file here and as you see "acl" is enabled for
>>> "root":
>>>
>>> #
>>> # /etc/fstab
>>> # Created by anaconda on Wed Dec 24 10:02:57 2014
>>> #
>>> # Accessible filesystems, by reference, are maintained under '/dev/disk'
>>> # See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
>>> #
>>> /dev/mapper/vg_print-lv_root / ext4 acl,defaults        1 1
>>> UUID=9ad25e0f-4f1a-4c6a-a419-98a016fcc30d /boot         ext4 defaults        1 2
>>> /dev/mapper/vg_print-lv_swap swap  swap defaults        0 0
>>> tmpfs                  /dev/shm tmpfs  defaults 0 0
>>> devpts                  /dev/pts  devpts gid=5,mode=620  0 0
>>> sysfs                  /sys sysfs  defaults 0 0
>>> proc                    /proc proc    defaults 0 0
>>>
>>> I paste "getfacl" for test directory here :
>>>
>>> getfacl test/
>>> # file: test/
>>> # owner: jasondomain\134jason
>>> # group: jasondomain\134grp-jason-rw
>>> user::rwx
>>> group::r-x
>>> group:jasondomain\134grp-jason-rw:rwx
>>> mask::rwx
>>> other::r-x
>>>
>>> After changing "password-auth-ac", when I want to restart the "winbind"
>>> service it shows me the error below:
>>>
>>> #service smb restart
>>> Shutting down SMB services:                    [ OK  ]
>>> Starting SMB services:                          [ OK  ]
>>> # service winbind restart
>>> Shutting down Winbind services: [FAILED]
>>> Starting Winbind services:                    [ OK  ]
>>>
>>>
>>> In your opinion what is the problem?
>>>
>>>
>>>
>>> On Saturday, December 27, 2014 4:12 AM, Rowland Penny
>>> <rowlandpenny at googlemail.com> wrote:
>>>
>>> On 27/12/14 11:55, Jason Long wrote:
>>>> You are right. I joined my Linux box to the Windows domain.
>>>> Of course. I attached my "smb.conf". Can you see it?
>>>>
>>>>
>>>> On Saturday, December 27, 2014 3:36 AM, Rowland Penny
>>>> <rowlandpenny at googlemail.com> wrote:
>>>>
>>>> On 27/12/14 06:44, Jason Long wrote:
>>>>
>>>>> Thank you so much.
>>>>> No, I'm not. I joined my Linux to the Windows domain because of AD. I
>>>>> can define some users in my Linux and Windows clients use them to open
>>>>> shares and ... but my problem is that I have a lot of users and groups
>>>>> and redefining all of them in Linux is a little silly :(. I joined my
>>>>> Linux to the Windows domain in order to use AD users and groups.
>>>>> About your question:
>>>>> "Where did you setup the password for 'jasondomain\jason'? Again, if you
>>>>> didn't set a password, more modern versions of windows won't allow you to
>>>>> login (or attach a share) remotely."
>>>>>
>>>>> I must say that "jason" is defined in AD on Windows and I use it
>>>>> to log in to Linux.
>>>>>
>>>>> "You don't say what happens when you try to open 'test'.  You say
>>>>> it can't let you?  What error message does it give you? "
>>>>> It doesn't show me any error; it just shows the login window again :(.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Friday, December 26, 2014 2:35 PM, Linda W <samba at tlinx.org> wrote:
>>>>> Jason Long wrote:
>>>>>> Hello Folks.
>>>>>> How are you?
>>>>>>
>>>>>> I joined my CentOS into the Windows domain and I want to give
>>>>>> permissions to files and directories via Active Directory. When I use
>>>>>> "getent passwd" and "getent group", I can see all AD users and
>>>>>> groups. I use the command below to give permission to a folder via ACL:
>>>>>>
>>>>>> setfacl -m g:"jasondomain\jason-rw":rwx /home/local/jasondomain/jason/test
>>>>>>
>>>>>> and I created a section in my "smb.conf" file:
>>>>>>
>>>>>> [Test]
>>>>>> comment = test
>>>>>> path = /home/local/jasondomain/jason/test
>>>>>> browsable = yes
>>>>>> inherit acls = yes
>>>>>> inherit permissions = yes
>>>>>> inherit owner = yes
>>>>>> map acl inherit = yes
>>>>>> acl check permissions = yes
>>>>>> nt acl support = yes
>>>>>> #valid users = %D\%S
>>>>>> #write list = @jasondomain\domain^admins
>>>>>> read only = no
>>>>>>
>>>>>>
>>>>>> but when I browse the "Test" directory it asks me for a username and
>>>>>> password, and when I enter "jasondomain\jason" as the username it doesn't
>>>>>> let me open the "Test" directory. What is the problem?
>>>>> ----
>>>>> Are you already logged into the server under different credentials,
>>>>> like 'WORKGROUP', jason (i.e. do you already have some shares mounted?)
>>>>> If I remember, Windows won't allow the same workstation to connect under
>>>>> two different user id's.  If you already have something mounted from your
>>>>> workstation with different credentials, you need to close (unmount / unmap)
>>>>> those other connections.
>>>>>
>>>>> Where did you setup the password for 'jasondomain\jason'? Again, if you
>>>>> didn't set a password, more modern versions of windows won't allow you to
>>>>> login (or attach a share) remotely.
>>>>>
>>>>> You don't say what happens when you try to open 'test'.  You say it
>>>>> can't let you?  What error message does it give you?
>>>>
>>>> OK, if I understand you correctly, you have set up samba on a Centos
>>>> machine and joined it to a windows machine, is this correct?
>>>>
>>>> Could you post the entire smb.conf from your Centos machine.
>>>>
>>>> Rowland
>>>>
>>>> --
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>
>>>>
>>>>
>>> OK, after wading through all the un-needed lines, I got this:
>>>
>>> [global]
>>>     workgroup = MYGROUP
>>>     server string = Samba Server Version %v
>>>     # logs split per machine
>>>     log file = /var/log/samba/log.%m
>>>     # max 50KB per log file, then rotate
>>>     max log size = 50
>>>     security = user
>>>     passdb backend = tdbsam
>>>     load printers = yes
>>>     cups options = raw
>>>
>>> [homes]
>>>     comment = Home Directories
>>>     browseable = no
>>>     writable = yes
>>>
>>> [printers]
>>>     comment = All Printers
>>>     path = /var/spool/samba
>>>     browseable = no
>>>     guest ok = no
>>>     writable = no
>>>     printable = yes
>>>
>>> [Test]
>>> comment = Public Stuff
>>> path = /home/local/HAMSHAHRY/jokar/test/
>>> browsable = yes
>>> inherit acls = yes
>>> inherit permissions = yes
>>> inherit owner = yes
>>> map acl inherit = yes
>>> acl check permissions = yes
>>> nt acl support = yes
>>> read only = no
>>>
>>> Try changing 'security = user' to 'security = ads' and adding the
>>> required winbind & idmap lines, see:
>>> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>>>
>>> Yes, I know it says 'member server', but you can use it for a client
>>> as well.
>>>
>>> Rowland
>>>
>>>
>>>
>> Hi, you seem to be using **four**, yes four different workgroup (also
>> known as domain) names:
>> In smb.conf: MYGROUP & SAMDOM
>> When trying to login: jasondomain & WORKGROUP
>>
>> They all need to be the same; you also need to add uidNumbers to your
>> users and a gidNumber to at least 'Domain Users'
>>
>>
>> Rowland
>>
>>
>>
>>
>>
> OK, in the last smb.conf you posted there are these lines:
>
> workgroup = MYGROUP
>
> idmap config SAMDOM:backend = ad
> idmap config SAMDOM:schema_mode = rfc2307
> idmap config SAMDOM:range = 500-40000
>
> Also in samba-1.png:
>
> Username: jasondomain\jason
>
> domain:     WORKGROUP
>
> I make that 4 workgroup names, ok you have changed MYGROUP, but what
> about SAMDOM ?
>
> You also have 'winbind use default domain = yes' , because of this, you
> do not need to use 'jasondomain\jason', just 'jason' should work.
>
> Do you by any chance have a Unix user called 'jason' on the samba machine ?
>
> Also, when you try to login as 'jasondomain\jason' are you doing this on
> the samba machine ?
>
>
> Rowland
>
OK, I am 99% sure that you cannot have a dot in a workgroup name.

As to logging into the machine, I meant are you trying to connect to a 
share on the linux machine from the linux machine.

What I would do is, install the OpenSSH server on the linux machine, 
install 'PUTTY' on a windows machine and try to login via 'PUTTY' and 
use the SSH protocol.

Rowland
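As an added illustration (not code from this thread or from the Samba project), the following Python script applies the naming rules Rowland describes to constructed copies of the two [global] sections posted above: every 'idmap config DOMAIN:' entry must name the same domain as 'workgroup', the workgroup must not contain a dot, and 'winbind use default domain' decides whether the bare user name or DOMAIN\user is expected at the share prompt. Two further checks are general Samba requirements assumed here rather than stated in the thread: NetBIOS names are limited to 15 characters, and 'security = ads' needs a 'realm' parameter. The parser and the checks are hypothetical helpers; on a real box you would still run testparm, which this does not replace.

```python
import re
from typing import Dict, List

# Constructed sample 1: the [global] Rowland extracted from the first smb.conf
# (workgroup MYGROUP, security = user) with the SAMDOM idmap lines he quotes.
FIRST_CONF = """\
[global]
    workgroup = MYGROUP
    security = user
    winbind use default domain = yes
    idmap config *:backend = tdb
    idmap config *:range = 70001-80000
    idmap config SAMDOM:backend = ad
    idmap config SAMDOM:schema_mode = rfc2307
    idmap config SAMDOM:range = 500-40000
"""

# Constructed sample 2: the reworked [global] from Jason's last mail (dotted
# workgroup name, no realm) plus the [Test] share from his first mail.
SECOND_CONF = """\
[global]
workgroup = JASONDOMAIN.JJ
security = ads
idmap config *:backend = tdb
idmap config *:range = 70001-80000
#idmap config SAMDOM:backend = ad
idmap config JASONDOMAIN.JJ:backend = ad
idmap config JASONDOMAIN.JJ:schema_mode = rfc2307
idmap config JASONDOMAIN.JJ:range = 500-40000

[Test]
path = /home/local/jasondomain/jason/test
read only = no
"""


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """{section: {parameter: value}}; comments skipped, parameter names lower-cased."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][key.strip().lower()] = value.strip()
    return sections


def check_global(glob: Dict[str, str]) -> List[str]:
    """Return findings for a [global] section; empty list when it is consistent."""
    findings: List[str] = []
    workgroup = glob.get("workgroup", "")
    if not workgroup:
        findings.append("[global] has no 'workgroup'")
    elif "." in workgroup:
        findings.append(f"workgroup '{workgroup}' contains a dot: use the NetBIOS "
                        "short name here; the dotted DNS name belongs in 'realm'")
    if len(workgroup) > 15:
        findings.append(f"workgroup '{workgroup}' exceeds the 15-character NetBIOS limit")
    if glob.get("security", "user").lower() == "ads" and "realm" not in glob:
        findings.append("security = ads requires 'realm = <AD DNS domain>'")
    # Every 'idmap config DOMAIN:...' line must name the workgroup itself or '*'.
    domains = set()
    for key in glob:
        m = re.match(r"idmap config ([^:]+):", key)
        if m:
            domains.add(m.group(1))
    for domain in sorted(domains - {"*", workgroup.lower()}):
        findings.append(f"idmap config domain '{domain.upper()}' does not match "
                        f"workgroup '{workgroup}'")
    return findings


def share_login_name(glob: Dict[str, str], user: str) -> str:
    """Username to type at the share prompt: bare user when
    'winbind use default domain = yes', otherwise WORKGROUP<separator>user."""
    if glob.get("winbind use default domain", "no").lower() == "yes":
        return user
    separator = glob.get("winbind separator", "\\")
    return f"{glob.get('workgroup', '')}{separator}{user}"


if __name__ == "__main__":
    for label, text in (("first", FIRST_CONF), ("second", SECOND_CONF)):
        glob = parse_smb_conf(text)["global"]
        print(f"{label} smb.conf: log in as '{share_login_name(glob, 'jason')}'")
        for finding in check_global(glob) or ["no findings"]:
            print("  -", finding)
```

Run against the first sample it reports only the SAMDOM/MYGROUP mismatch; against the second it reports the dot in the workgroup name and the missing realm, and shows that with 'winbind use default domain' unset the expected login is 'JASONDOMAIN.JJ\jason' rather than the bare 'jason'.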


