[Samba] Use Samba with ACL for read Active Directory and set Permissions via it.

Rowland Penny rowlandpenny at googlemail.com
Sat Jan 3 06:40:20 MST 2015


On 03/01/15 12:38, Jason Long wrote:
> Thanks.
>
> I enter "net ads testjoin" and it shows me:
>
> ads_connect: No logon servers
> Join to domain is not valid: No logon servers

You are *not* joined to the domain. I suppose this should have been
asked earlier, but how did you do the domain join?

Rowland


>
> If it is incorrect, why can I log in to Linux via a Windows account? As you see, I followed the steps in the video.
>
> :(.
>
>
>
> On Saturday, January 3, 2015 1:13 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
> On 03/01/15 05:41, Jason Long wrote:
>> Thank you.
>> The command shows the error below:
>>
>> Could not connect to server 192.168.1.1
>> Connection failed: NT_STATUS_INVALID_WORKSTATION
>>
>> :(
>>
>>
>>
>> On Wednesday, December 31, 2014 2:05 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>> On 31/12/14 09:55, Jason Long wrote:
>>> Thanks.
>>> I changed the command as below:
>>>
>>> #net rpc rights grant 'jasondomain\Domain Admins' SeDiskOperatorPrivilege -U jasondomain\\administrator -I 192.168.1.1
>>>
>>> But I got the error below:
>>>
>>> Could not connect to server 192.168.1.1
>>> Connection failed: NT_STATUS_INVALID_WORKSTATION
>>>
>>> Cheers.
>>>
>>>
>>>
>>>
>>>
>>> On Wednesday, December 31, 2014 1:35 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>> On 31/12/14 09:17, Jason Long wrote:
>>>> Thank you so much, but I ran the commands below on Linux:
>>>>
>>>>
>>>> # net rpc rights grant 'jasondomain\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
>>>> # net rpc rights list accounts -Uadministrator
>>>>
>>>> It asks me for a password for "administrator":
>>>>
>>>> Enter administrator's password:
>>>> Could not connect to server 127.0.0.1
>>>> Connection failed: NT_STATUS_NO_LOGON_SERVERS
>>>>
>>>> Must I enter the Windows administrator password?
>>>>
>>>>
>>>> Thanks.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On Monday, December 29, 2014 5:10 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>>> On 29/12/14 12:52, Jason Long wrote:
>>>>> Thank you so much.
>>>>>
>>>>> I made some changes as below:
>>>>>
>>>>> /dev/mapper/vg_print-lv_root /                       ext4    user_xattr,acl,defaults        1 1
>>>>>
>>>>>
>>>>> Then "lsof | grep /dev/mapper/vg_print-lv_root" does not have any output.
>>>>> I added the lines below to the [global] section too:
>>>>>
>>>>> vfs objects = acl_xattr
>>>>> map acl inherit = Yes
>>>>> store dos attributes = Yes
>>>>>
>>>>> But can you tell me more about the commands below?
>>>>>
>>>>> net rpc rights grant 'SAMDOM\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
>>>>> net rpc rights list accounts -Uadministrator
>>>>>
>>>>> I hope they are not Dangerous!!!!
>>>> No :-)
>>>>
>>>> The first one gives members of Domain Admins the right to change Windows
>>>> ACLs on a share.
>>>> The second lists accounts and what rights they have.
>>>>
>>>>> In "https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs", the other steps are in Windows!!! Can I do them via Linux too?
>>>>>
>>>> Yes, but it is just easier via Windows.
>>>>
>>>> Rowland
>>>>
>>>>
>>>>>
>>>>> Thanks.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Monday, December 29, 2014 1:59 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>>>> On 29/12/14 06:38, Jason Long wrote:
>>>>>> Thank you so much.
>>>>>> You are right. My realm is "jasondomaini.jasondomain.jj" and I changed the configuration as below:
>>>>>>
>>>>>>
>>>>>> [global]
>>>>>> workgroup = JASONDOMAINI
>>>>>> server string = Samba Server Version %v
>>>>>> # logs split per machine
>>>>>> log file = /var/log/samba/log.%m
>>>>>> # max 50KB per log file, then rotate
>>>>>> max log size = 50
>>>>>> security = ADS
>>>>>> realm = JASONDOMAINI.JASONDOMAIN.JJ
>>>>>> passdb backend = tdbsam
>>>>>> load printers = yes
>>>>>> cups options = raw
>>>>>> idmap config *:backend = tdb
>>>>>> idmap config *:range = 70001-80000
>>>>>> #idmap config SAMDOM:backend = ad
>>>>>> idmap config JASONDOMAINI:backend = ad
>>>>>> idmap config JASONDOMAINI:schema_mode = rfc2307
>>>>>> idmap config JASONDOMAINI:range = 500-40000
>>>>>>
>>>>>>
>>>>>>
>>>>>> When I use "SSH" on my CentOS and enter "jasondomain\jason", it shows me the root partition and I can open the "Test" directory, but it has two problems:
>>>>>>
>>>>>> 1- Why does it show the root partition?
>>>>>> 2- I can't browse it via Windows Explorer!!!
>>>>>>
>>>>>> I want to know: is using AD users in Linux hard?
>>>>>>
>>>>>> In your opinion, did I use a correct command to set the ACL?
>>>>>>
>>>>>> #getfacl test/
>>>>>>
>>>>>>
>>>>>> # file: test/
>>>>>> # owner: JASONDOMAINI\134JASON
>>>>>> # group: JASONDOMAINI\134grp-JASON-rw
>>>>>> user::rwx
>>>>>> group::r-x
>>>>>> group:JASONDOMAINI\134grp-JASON-rw:rwx
>>>>>> mask::rwx
>>>>>> other::r-x
>>>>>>
>>>>>>
>>>>>> and in "getent group" it shows me the group below:
>>>>>>
>>>>>> JASONDOMAINI\134grp-JASON-rw
>>>>>>
>>>>>>
>>>>>> In your opinion, did I use the correct command to set permissions?
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Sunday, December 28, 2014 9:37 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>>>>> On 28/12/14 15:48, Jason Long wrote:
>>>>>>> Thank you so much.
>>>>>>> Thus I must change "idmap config JASONDOMAIN.JJ:backend = ad" to "idmap config JASONDOMAIN:backend = ad".
>>>>>>> How about the workgroup? Must I change "JASONDOMAIN" too?
>>>>>>> About your question, I must say that I tested this share via Linux too, and Windows and Linux have the same problem.
>>>>>>>
>>>>>>> About "What I would do is, install the OpenSSH server on the linux machine, install 'PUTTY' on a windows machine and try to login via 'PUTTY' and use the SSH protocol.", do you mean that Windows clients should use SSH to work with this directory? I want to make this Linux box a file server, and Windows clients need a graphical browser to copy and paste files into this directory!!!!!!!
>>>>>>> What is your idea?
>>>>>>>
>>>>>>> Thanks.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>> I am losing track here a bit, but if your dns domain is example.com,
>>>>>> then your windows AD realm should be something like internal.example.com
>>>>>> and your workgroup/domain name should be INTERNAL, that is, they all
>>>>>> rely on each other.
>>>>>>
>>>>>> So anywhere that you come across these, you should use the relevant one,
>>>>>> this is the relevant parts from a Unix client on my domain:
>>>>>>
>>>>>> [global]
>>>>>>                workgroup = INTERNAL
>>>>>>                security = ADS
>>>>>>                realm = INTERNAL.EXAMPLE.COM
>>>>>>                ..........
>>>>>>                idmap config * : backend = tdb
>>>>>>                idmap config * : range = 2000-9999
>>>>>>                idmap config INTERNAL : backend  = ad
>>>>>>                idmap config INTERNAL : range = 10000-999999
>>>>>>                idmap config INTERNAL : schema_mode = rfc2307
>>>>>>
>>>>>> As for using 'PUTTY', this was just a way of testing whether you can
>>>>>> connect to the Unix machine.
>>>>>>
>>>>>>
>>>>>> Rowland
>>>>> OK, we are getting closer.
>>>>>
>>>>> Right, answers to your questions:
>>>>> 1) I think that you may find that this is also printed: 'Could not chdir
>>>>> to home directory', in which case you will end up in the root of the computer.
>>>>>
>>>>> 2) Are you running the 'nmbd' daemon? Even if this is not running you
>>>>> should be able to navigate to the share by entering the path. Have a
>>>>> look here:
>>>>>
>>>>> https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs
>>>>>
>>>>>
>>>>> Rowland
>>>>>
>>> You are trying to run the command on a client, try adding either:
>>>
>>> -S server name
>>>
>>> OR
>>>
>>> -I address of target server
>>>
>>> where 'server' is the AD DC.
>>>
>>> Yes, you need to supply the password of the Domain Administrator.
>>>
>>>
>>> Rowland
>>>
>> OK, try it like this:
>>
>> net rpc rights grant 'Domain Admins' SeDiskOperatorPrivilege
>> -UAdministrator -I 192.168.1.1
>>
>> This works for me on a client joined to the domain.
>>
>>
>> Rowland
>>
> Sounds like something is wrong with the join. What does 'net ads
> testjoin' return? You may have to run this command with sudo.
>
>
> Rowland
>
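The thread keeps circling back to three [global] settings that must agree on an AD member server: the workgroup is the first label of the realm, the `idmap config` domain label must match the workgroup, and the idmap ranges must not overlap. The following is an added example, not code from the thread or from the Samba project: a small Python lint for those settings, run over two sample configs constructed from the thread (the overlap check goes slightly beyond what the thread discusses).

```python
"""Lint realm/workgroup/idmap settings in a Samba member smb.conf [global].
Added example (not from the thread or Samba); sample configs are constructed."""
import re

# Sample [global] sections constructed from the thread; not real hosts.
BROKEN_CONF = """[global]
workgroup = JASONDOMAIN
realm = JASONDOMAINI.JASONDOMAIN.JJ
idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config JASONDOMAIN.JJ:backend = ad
idmap config JASONDOMAIN.JJ:range = 500-40000
"""
GOOD_CONF = """[global]
    workgroup = INTERNAL
    realm = INTERNAL.EXAMPLE.COM
    idmap config * : backend = tdb
    idmap config * : range = 2000-9999
    idmap config INTERNAL : backend  = ad
    idmap config INTERNAL : range = 10000-999999
"""
# Accepts both "idmap config *:range" and "idmap config INTERNAL : range".
IDMAP_RE = re.compile(r"^idmap config (\S+?)\s*:\s*(\w+)$")

def parse_global(text):
    # Lower-cased, whitespace-normalised key -> value, [global] section only.
    params, in_global = {}, False
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            in_global = line.lower() == "[global]"
        elif in_global and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def lint(text):
    """Return findings for one smb.conf text; an empty list means it passed."""
    p, found, doms = parse_global(text), [], {}
    wg, realm = p.get("workgroup", "").upper(), p.get("realm", "").upper()
    if wg and realm.split(".")[0] != wg:
        found.append(f"workgroup {wg} != first label of realm {realm}")
    for key, value in p.items():  # group idmap options by domain label
        if m := IDMAP_RE.match(key):
            doms.setdefault(m[1].upper(), {})[m[2]] = value
    if wg not in doms:
        found.append(f"no 'idmap config {wg} : backend' for the workgroup")
    found += [f"idmap domain {d} is neither '*' nor {wg}" for d in doms if d not in ("*", wg)]
    rng = [(d, *map(int, o["range"].split("-"))) for d, o in doms.items() if "range" in o]
    for i, (d1, lo1, hi1) in enumerate(rng):
        for d2, lo2, hi2 in rng[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:  # intervals intersect
                found.append(f"idmap ranges for {d1} and {d2} overlap")
    return found
```

`lint(BROKEN_CONF)` reports the workgroup/realm mismatch and the stray `JASONDOMAIN.JJ` label from the thread; `lint(GOOD_CONF)` returns nothing.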



