[Samba] Use Samba with ACL for read Active Directory and set Permissions via it.

Rowland Penny rowlandpenny at googlemail.com
Sat Jan 3 08:43:38 MST 2015


On 03/01/15 15:08, Jason Long wrote:
> Thank you.
> I used the video below to join my Linux box to the Windows domain:
>
> http://www.youtube.com/watch?v=Y3TFPDT9uic
>
> Please look at this video; I used the instructions in it and the LikeWiseOpen tool.
>
>
> Cheers.
>
>
>
> On Saturday, January 3, 2015 5:45 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
> On 03/01/15 12:38, Jason Long wrote:
>> Thanks.
>>
>> I entered "net ads testjoin" and it shows me:
>>
>> ads_connect: No logon servers
>> Join to domain is not valid: No logon servers
> You are *not* joined to the domain, I suppose this should have been
> asked earlier, but how did you do the domain join ?
>
> Rowland
>
>
>
>> If it is incorrect, why can I log in to Linux via a Windows account? As you see, I followed the steps in the video.
>>
>> :(.
>>
>>
>>
>> On Saturday, January 3, 2015 1:13 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>> On 03/01/15 05:41, Jason Long wrote:
>>> Thank you.
>>> The command shows the error below:
>>>
>>> Could not connect to server 192.168.1.1
>>> Connection failed: NT_STATUS_INVALID_WORKSTATION
>>>
>>> :(
>>>
>>>
>>>
>>> On Wednesday, December 31, 2014 2:05 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>> On 31/12/14 09:55, Jason Long wrote:
>>>> Thanks.
>>>> I changed the command as below:
>>>>
>>>> #net rpc rights grant 'jasondomain\Domain Admins' SeDiskOperatorPrivilege -U jasondomain\\administrator -I 192.168.1.1
>>>>
>>>> But I got the error below:
>>>>
>>>> Could not connect to server 192.168.1.1
>>>> Connection failed: NT_STATUS_INVALID_WORKSTATION
>>>>
>>>> Cheers.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On Wednesday, December 31, 2014 1:35 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>>> On 31/12/14 09:17, Jason Long wrote:
>>>>> Thank you so much, but I ran the commands below on Linux:
>>>>>
>>>>>
>>>>> # net rpc rights grant 'jasondomain\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
>>>>> # net rpc rights list accounts -Uadministrator
>>>>>
>>>>> It asks me for a password for "administrator":
>>>>>
>>>>> Enter administrator's password:
>>>>> Could not connect to server 127.0.0.1
>>>>> Connection failed: NT_STATUS_NO_LOGON_SERVERS
>>>>>
>>>>> Must I enter the Windows administrator password?
>>>>>
>>>>>
>>>>> Thanks.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Monday, December 29, 2014 5:10 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>>>> On 29/12/14 12:52, Jason Long wrote:
>>>>>> Thank you so much.
>>>>>>
>>>>>> I made some changes like below:
>>>>>>
>>>>>> /dev/mapper/vg_print-lv_root /                       ext4    user_xattr,acl,defaults        1 1
>>>>>>
>>>>>>
>>>>>> Then "lsof | grep /dev/mapper/vg_print-lv_root" does not have any output.
>>>>>> I added the lines below to the [global] section too:
>>>>>>
>>>>>> vfs objects = acl_xattr
>>>>>> map acl inherit = Yes
>>>>>> store dos attributes = Yes
>>>>>>
>>>>>> But can you tell me more about the commands below?
>>>>>>
>>>>>> net rpc rights grant 'SAMDOM\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
>>>>>> net rpc rights list accounts -Uadministrator
>>>>>>
>>>>>> I hope they are not Dangerous!!!!
>>>>> No :-)
>>>>>
>>>>> The first one gives members of Domain Admins the right to change Windows
>>>>> ACLs on a share.
>>>>> The second lists accounts and what rights they have.
>>>>>
>>>>>> In the "https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs" , the other steps are in Windows!!! Can I do them via Linux too?
>>>>>>     
>>>>> Yes, but it is just easier via Windows.
>>>>>
>>>>> Rowland
>>>>>
>>>>>
>>>>>>   
>>>>>> Thanks.
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Monday, December 29, 2014 1:59 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>>>>> On 29/12/14 06:38, Jason Long wrote:
>>>>>>> Thank you so much.
>>>>>>> You are right, my realm is "jasondomaini.jasondomain.jj" and I changed the configuration as below:
>>>>>>>
>>>>>>>
>>>>>>> [global]
>>>>>>> workgroup = JASONDOMAINI
>>>>>>> server string = Samba Server Version %v
>>>>>>> # logs split per machine
>>>>>>> log file = /var/log/samba/log.%m
>>>>>>> # max 50KB per log file, then rotate
>>>>>>> max log size = 50
>>>>>>> security = ADS
>>>>>>> realm = JASONDOMAINI.JASONDOMAIN.JJ
>>>>>>> passdb backend = tdbsam
>>>>>>> load printers = yes
>>>>>>> cups options = raw
>>>>>>> idmap config *:backend = tdb
>>>>>>> idmap config *:range = 70001-80000
>>>>>>> #idmap config SAMDOM:backend = ad
>>>>>>> idmap config JASONDOMAINI:backend = ad
>>>>>>> idmap config JASONDOMAINI:schema_mode = rfc2307
>>>>>>> idmap config JASONDOMAINI:range = 500-40000
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> When I use "SSH" on my CentOS and enter "jasondomain\jason", it shows me the root partition and I can open the "Test" directory, but it has two problems:
>>>>>>>
>>>>>>> 1- Why does it show the root partition?
>>>>>>> 2- I can't browse it via Windows Explorer!!!
>>>>>>>
>>>>>>> I want to know: is using AD users in Linux hard?
>>>>>>>
>>>>>>> In your opinion, did I use a correct command to set the ACL?
>>>>>>>
>>>>>>> #getfacl test/
>>>>>>>
>>>>>>>
>>>>>>> # file: test/
>>>>>>> # owner: JASONDOMAINI\134JASON
>>>>>>> # group: JASONDOMAINI\134grp-JASON-rw
>>>>>>> user::rwx
>>>>>>> group::r-x
>>>>>>> group:JASONDOMAINI\134grp-JASON-rw:rwx
>>>>>>> mask::rwx
>>>>>>> other::r-x
>>>>>>>
>>>>>>>
>>>>>>> and in "getent group" it shows me the group below:
>>>>>>>
>>>>>>> JASONDOMAINI\134grp-JASON-rw
>>>>>>>
>>>>>>>
>>>>>>> In your opinion, did I use the correct command to set the permission?
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Sunday, December 28, 2014 9:37 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>>>>>> On 28/12/14 15:48, Jason Long wrote:
>>>>>>>> Thank you so much.
>>>>>>>> Thus I must change "idmap config JASONDOMAIN.JJ:backend = ad " to "idmap config JASONDOMAIN:backend = ad".
>>>>>>>> How about the workgroup? Must I change "JASONDOMAIN" too?
>>>>>>>> About your question, I must say that I tested this share via Linux too, and Windows and Linux have the same problem.
>>>>>>>>
>>>>>>>> About "What I would do is, install the OpenSSH server on the linux machine, install 'PUTTY' on a windows machine and try to login via 'PUTTY' and use the SSH protocol." , do you mean that Windows clients use SSH to work with this directory? I want to make this Linux box a file server, and Windows clients need a graphical browser to copy and paste files into this directory!!!!!!!
>>>>>>>> What is your idea?
>>>>>>>>
>>>>>>>> Thanks.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>> I am losing track here a bit, but if your dns domain is example.com,
>>>>>>> then your windows AD realm should be something like internal.example.com
>>>>>>> and your workgroup/domain name should be INTERNAL, that is, they all
>>>>>>> rely on each other.
>>>>>>>
>>>>>>> So anywhere that you come across these, you should use the relevant one,
>>>>>>> this is the relevant parts from a Unix client on my domain:
>>>>>>>
>>>>>>> [global]
>>>>>>>                 workgroup = INTERNAL
>>>>>>>                 security = ADS
>>>>>>>                 realm = INTERNAL.EXAMPLE.COM
>>>>>>>                 ..........
>>>>>>>                 idmap config * : backend = tdb
>>>>>>>                 idmap config * : range = 2000-9999
>>>>>>>                 idmap config INTERNAL : backend  = ad
>>>>>>>                 idmap config INTERNAL : range = 10000-999999
>>>>>>>                 idmap config INTERNAL : schema_mode = rfc2307
>>>>>>>
>>>>>>> As for using 'PUTTY', this was just a way of testing whether you can
>>>>>>> connect to the Unix machine.
>>>>>>>
>>>>>>>
>>>>>>> Rowland
>>>>>> OK, we are getting closer
>>>>>>
>>>>>> right, answers to your questions
>>>>>> 1) I think that you may find that this is also printed 'Could not chdir
>>>>>> to home directory', in which case you will end up in the root of the computer.
>>>>>>
>>>>>> 2) Are you running the 'nmbd' daemon ? Even if this is not running you
>>>>>> should be able to navigate to the share by entering the path. Have a
>>>>>> look here:
>>>>>>
>>>>>> https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs
>>>>>>
>>>>>>
>>>>>> Rowland
>>>>>>
>>>> You are trying to run the command on a client, try adding either:
>>>>
>>>> -S server name
>>>>
>>>> OR
>>>>
>>>> -I address of target server
>>>>
>>>> where 'server' is the AD DC.
>>>>
>>>> Yes, you need to supply the password of the Domain Administrator.
>>>>
>>>>
>>>> Rowland
>>>>
>>> OK, try it like this:
>>>
>>> net rpc rights grant 'Domain Admins' SeDiskOperatorPrivilege
>>> -UAdministrator -I 192.168.1.1
>>>
>>> This works for me on a client joined to the domain.
>>>
>>>
>>> Rowland
>>>
>> Sounds like something is wrong with the join, what does 'net ads
>> testjoin' return ? You may have to run this command with sudo.
>>
>>
>> Rowland
>>

Sometimes I wonder why all the time is spent on keeping the samba wiki 
updated. Likewiseopen was replaced sometime ago by PowerBroker Open, I 
cannot recommend using either of these, because quite simply, they are 
not needed.

Check the following files:

/etc/samba/smb.conf

[global]
         workgroup = JASONDOMAINI
         security = ADS
         realm = JASONDOMAINI.JASONDOMAIN.JJ
         dedicated keytab file = /etc/krb5.keytab
         kerberos method = secrets and keytab
         server string = Samba 4 Client %h
         winbind enum users = yes
         winbind enum groups = yes
         winbind use default domain = yes
         winbind expand groups = 4
         winbind nss info = rfc2307
         winbind refresh tickets = Yes
         winbind normalize names = Yes
         idmap config * : backend = tdb
         idmap config * : range = 2000-9999
         idmap config JASONDOMAINI : backend  = ad
         idmap config JASONDOMAINI : range = 10000-999999
         idmap config JASONDOMAINI : schema_mode = rfc2307
         printcap name = cups
         cups options = raw
         usershare allow guests = yes
         domain master = no
         local master = no
         preferred master = no
         os level = 20
         map to guest = bad user
         vfs objects = acl_xattr
         map acl inherit = Yes
         store dos attributes = Yes
         log level = 6

/etc/krb5.conf

[libdefaults]
      default_realm = JASONDOMAINI.JASONDOMAIN.JJ
      dns_lookup_realm = false
      dns_lookup_kdc = true
      ticket_lifetime = 24h
      forwardable = yes

/etc/resolv.conf

nameserver <your AD DC's ipaddress>
search jasondomaini.jasondomain.jj

If required, alter them to match the above, check that 'hostname' 
returns only the hostname of the client, check that 'hostname -f' 
returns the FQDN. If either are not correct, fix them.

Remove likewiseopen

Once everything is correct, run the following command:

net ads join -U Administrator@JASONDOMAINI.JASONDOMAIN.JJ

You should be asked for the domain Administrator's password; enter this 
and you should join the domain.

Rowland
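The file checks Rowland asks for above, as an added example script (not from the thread): it verifies that the workgroup is the first label of the realm, that krb5.conf default_realm and the resolv.conf search domain match that realm, that the per-domain idmap entries use the short domain name, and that the two idmap ranges do not overlap. The embedded file contents and the 192.0.2.10 nameserver are constructed samples.

```shell
#!/bin/sh
# Added example, not from the thread: cross-checks the settings Rowland asks
# Jason to compare across smb.conf, krb5.conf and resolv.conf. The sample
# file contents and the 192.0.2.10 nameserver are constructed so this runs
# offline; on a real client call check_ad_client with the real file contents.
SMB_OK='[global]
   workgroup = JASONDOMAINI
   security = ADS
   realm = JASONDOMAINI.JASONDOMAIN.JJ
   idmap config * : backend = tdb
   idmap config * : range = 2000-9999
   idmap config JASONDOMAINI : backend  = ad
   idmap config JASONDOMAINI : range = 10000-999999'
KRB5_OK='[libdefaults]
   default_realm = JASONDOMAINI.JASONDOMAIN.JJ
   dns_lookup_kdc = true'
RESOLV_OK='nameserver 192.0.2.10
search jasondomaini.jasondomain.jj'

# param CONTENT NAME: value of "name = value"; names compared case-insensitively
# with blanks collapsed, so "idmap config X : range" and "idmap config X:range" match.
param() {
  printf '%s\n' "$1" | awk -v key="$2" -F'=' '
    function norm(s) { gsub(/[ \t]+/, " ", s); gsub(/ *: */, ":", s); sub(/^ /, "", s); sub(/ $/, "", s); return tolower(s) }
    NF >= 2 && norm($1) == norm(key) { v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v); print v; exit }'
}
# resolv_search CONTENT: the first "search" domain in resolv.conf
resolv_search() { printf '%s\n' "$1" | awk '$1 == "search" { print $2; exit }'; }

# check_ad_client SMB KRB5 RESOLV: prints one line per failed check, returns 1 if any failed
check_ad_client() {
  fails=0
  realm=$(param "$1" realm); wg=$(param "$1" workgroup)
  # Rowland: the workgroup is the first label of the realm (INTERNAL for INTERNAL.EXAMPLE.COM)
  [ -n "$wg" ] && [ "$wg" = "${realm%%.*}" ] || { echo "workgroup '$wg' is not the first label of realm '$realm'"; fails=1; }
  # the per-domain idmap entries must use that short name, not JASONDOMAIN.JJ
  [ -n "$(param "$1" "idmap config $wg : backend")" ] || { echo "no 'idmap config $wg : backend' entry"; fails=1; }
  [ "$(param "$2" default_realm)" = "$realm" ] || { echo "krb5.conf default_realm differs from smb.conf realm"; fails=1; }
  [ "$(resolv_search "$3")" = "$(printf '%s' "$realm" | tr 'A-Z' 'a-z')" ] || { echo "resolv.conf search domain is not the realm in lower case"; fails=1; }
  # the '*' range and the domain range must not overlap
  r1=$(param "$1" 'idmap config * : range'); r2=$(param "$1" "idmap config $wg : range")
  if [ -n "$r1" ] && [ -n "$r2" ] && [ "${r2%-*}" -le "${r1#*-}" ] && [ "${r1%-*}" -le "${r2#*-}" ]; then
    echo "idmap ranges $r1 and $r2 overlap"; fails=1
  fi
  return $fails
}
```

Running check_ad_client on Jason's earlier "idmap config JASONDOMAIN.JJ" settings reports the missing per-domain idmap entry, which is the mismatch Rowland points out in the thread.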


