[Samba] Use Samba with ACL for read Active Directory and set Permissions via it.

Rowland Penny rowlandpenny at googlemail.com
Mon Dec 29 06:02:05 MST 2014


On 29/12/14 12:52, Jason Long wrote:
> Thank you so much.
>
> I did some changes like below :
>
> /dev/mapper/vg_print-lv_root /                       ext4    user_xattr,acl,defaults	    1 1
>
>
> Then "lsof | grep /dev/mapper/vg_print-lv_root" does not have any output.
> I added below lines to [global] section too :
>
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
>
> But about below commands can you tell me more?
>
> net rpc rights grant 'SAMDOM\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
> net rpc rights list accounts -Uadministrator
>
> I hope they are not Dangerous!!!!

No :-)

The first one gives members of Domain Admins the right to change Windows 
ACLs on a share.
The second lists accounts and what rights they have.

>
> In the "https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs" , the other steps are in Windows!!! Can I do it via Linux too?
>    

Yes, but it is just easier via Windows.

Rowland

>   
> Thanks.
>
> On Monday, December 29, 2014 1:59 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
> On 29/12/14 06:38, Jason Long wrote:
>> Thank you so much.
>> You're right, my realm is "jasondomaini.jasondomain.jj" and I changed the configuration as below :
>>
>>
>> [global]
>> workgroup = JASONDOMAINI
>> server string = Samba Server Version %v
>> # logs split per machine
>> log file = /var/log/samba/log.%m
>> # max 50KB per log file, then rotate
>> max log size = 50
>> security = ADS
>> realm = JASONDOMAINI.JASONDOMAIN.JJ
>> passdb backend = tdbsam
>> load printers = yes
>> cups options = raw
>> idmap config *:backend = tdb
>> idmap config *:range = 70001-80000
>> #idmap config SAMDOM:backend = ad
>> idmap config JASONDOMAINI:backend = ad
>> idmap config JASONDOMAINI:schema_mode = rfc2307
>> idmap config JASONDOMAINI:range = 500-40000
>>
>>
>>
>> When I use "SSH" on my CentOS and enter "jasondomain\jason", it shows me the root partition and I can open the "Test" directory, but it has two problems :
>>
>> 1- Why does it show the root partition?
>> 2- I can't browse it via Windows Explorer!!!
>>
>> I want to know, is using AD users in Linux hard?
>>
>> In your opinion, did I use a correct command to set the ACL?
>>
>> #getfacl test/
>>
>>
>> # file: test/
>> # owner: JASONDOMAINI\134JASON
>> # group: JASONDOMAINI\134grp-JASON-rw
>> user::rwx
>> group::r-x
>> group:JASONDOMAINI\134grp-JASON-rw:rwx
>> mask::rwx
>> other::r-x
>>
>>
>> and in "getent group" it shows me the below group :
>>
>> JASONDOMAINI\134grp-JASON-rw
>>
>>
>> In your idea, did I use the correct command to set permissions?
>>
>> On Sunday, December 28, 2014 9:37 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>> On 28/12/14 15:48, Jason Long wrote:
>>> Thank you so much.
>>> Thus I must change "idmap config JASONDOMAIN.JJ:backend = ad " to "idmap config JASONDOMAIN:backend = ad".
>>> How about the workgroup? Must I change "JASONDOMAIN" too?
>>> About your question I must say that I tested this share via Linux too, and Windows and Linux have the same problem.
>>>
>>> About "What I would do is, install the OpenSSH server on the linux machine, install 'PUTTY' on a windows machine and try to login via 'PUTTY' and use the SSH protocol." , do you mean that Windows clients use SSH to work with this directory? I want to make this Linux box a file server, and Windows clients need a graphical browser to copy and paste files into this directory!!!!!!!
>>> What is your idea?
>>>
>>> Thanks.
>>>
>>>
>>>
>> I am losing track here a bit, but if your dns domain is example.com,
>> then your windows AD realm should be something like internal.example.com
>> and your workgroup/domain name should be INTERNAL, that is, they all
>> rely on each other.
>>
>> So anywhere that you come across these, you should use the relevant one,
>> this is the relevant parts from a Unix client on my domain:
>>
>> [global]
>>            workgroup = INTERNAL
>>            security = ADS
>>            realm = INTERNAL.EXAMPLE.COM
>>            ..........
>>            idmap config * : backend = tdb
>>            idmap config * : range = 2000-9999
>>            idmap config INTERNAL : backend  = ad
>>            idmap config INTERNAL : range = 10000-999999
>>            idmap config INTERNAL : schema_mode = rfc2307
>>
>> As for using 'PUTTY', this was just a way of testing whether you can
>> connect to the Unix machine.
>>
>>
>> Rowland
> OK, we are getting closer
>
> right, answers to your questions
> 1) I think that you may find that this is also printed 'Could not chdir
> to home directory', in which case you will end up in the root of computer.
>
> 2) Are you running the 'nmbd' daemon ? Even if this is not running you
> should be able to navigate to the share by entering the path. Have a
> look here:
>
> https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs
>
>
> Rowland
>
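The workgroup/realm/idmap consistency Rowland describes above, as an added example that is not part of the thread or of Samba itself: a small Python lint over an smb.conf [global] section (a constructed sample modelled on the posted settings) that checks the workgroup against the realm's first label, that the domain has its own idmap backend, that vfs objects includes acl_xattr, and, going one step beyond the thread, that the '*' and domain idmap ranges do not overlap.

```python
import re

# Constructed sample [global] section modelled on this thread's settings (added example, not Samba code).
SAMPLE_SMB_CONF = """
[global]
workgroup = JASONDOMAINI
realm = JASONDOMAINI.JASONDOMAIN.JJ
vfs objects = acl_xattr
idmap config * : backend = tdb
idmap config * : range = 70001-80000
idmap config JASONDOMAINI:backend = ad
idmap config JASONDOMAINI:range = 500-40000
"""

def parse_global(text):
    """Return [global] parameters keyed by lower-cased name, with ' : ' in idmap keys normalised to ':'."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "global" or "=" not in line:
            continue  # only [global] is linted here
        key, value = (s.strip() for s in line.split("=", 1))
        params[re.sub(r"\s*:\s*", ":", key.lower())] = value
    return params

def lint(params):
    """Return findings for the consistency rules from the thread; [] means all checks pass."""
    findings = []
    wg, realm = params.get("workgroup", ""), params.get("realm", "")
    if realm.split(".")[0].upper() != wg.upper():
        findings.append("workgroup should be the first label of the realm")
    if f"idmap config {wg.lower()}:backend" not in params:
        findings.append(f"no idmap config block for domain {wg}")
    if "acl_xattr" not in params.get("vfs objects", "").split():
        findings.append("vfs objects lacks acl_xattr, so Windows ACLs will not be stored")
    # The default '*' range and each domain's range must not overlap one another.
    ranges = {k.split()[2].split(":")[0]: tuple(int(n) for n in v.split("-"))
              for k, v in params.items() if k.startswith("idmap config") and k.endswith(":range")}
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(f"idmap ranges for '{a}' and '{b}' overlap")
    return findings
```

Running `lint(parse_global(open("/etc/samba/smb.conf").read()))` on a real file prints nothing for a consistent configuration and one line per problem otherwise.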


