[Samba] Using Samba with ACLs to read Active Directory and set permissions through it.

Rowland Penny rowlandpenny at googlemail.com
Sun Jan 4 06:00:21 MST 2015


On 04/01/15 10:17, Jason Long wrote:
> Thanks a lot.
> I entered the command and the result is:
>
> Using short domain name -- JASONDOMAINI
> Joined 'PRINTMAH' to dns domain 'JASONDOMAIN.JJ'
> but after running "net rpc testjoin":
>
> Unable to find a suitable server for domain JASONDOMAINI
> Join to domain 'JASONDOMAINI' is not valid: NT_STATUS_UNSUCCESSFUL
>
> I think I understand what my problem is. I'm really sorry :(.
>
> On Windows I used the "set" command and it showed me:
>
> USERDNSDOMAIN= JASONDOMAIN.JJ
> USERDOMAIN= JASONDOMAINI
>
> I guess that I must change "JASONDOMAINI" in the lines below to "JASONDOMAIN":
>
> idmap config JASONDOMAINI : range = 10000-999999
> idmap config JASONDOMAINI : schema_mode = rfc2307
>
> Am I right?
>
>
>
>
> On Saturday, January 3, 2015 7:44 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
> On 03/01/15 15:08, Jason Long wrote:
>> Thank you.
>> I used the video below to join my Linux box to the Windows domain:
>>
>> http://www.youtube.com/watch?v=Y3TFPDT9uic
>>
>> Please look at this video; I used the instructions in it and the LikewiseOpen tool.
>>
>>
>> Cheers.
>>
>>
>>
>> On Saturday, January 3, 2015 5:45 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>> On 03/01/15 12:38, Jason Long wrote:
>>> Thanks.
>>>
>>> I entered "net ads testjoin" and it shows me:
>>>
>>> ads_connect: No logon servers
>>> Join to domain is not valid: No logon servers
>> You are *not* joined to the domain. I suppose this should have been
>> asked earlier, but how did you do the domain join?
>>
>> Rowland
>>
>>
>>
>>> If it is incorrect, why can I log in to Linux with a Windows account? As you see, I followed the steps in the video.
>>>
>>> :(.
>>>
>>>
>>>
>>> On Saturday, January 3, 2015 1:13 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>> On 03/01/15 05:41, Jason Long wrote:
>>>> Thank you.
>>>> The command shows the error below:
>>>>
>>>> Could not connect to server 192.168.1.1
>>>> Connection failed: NT_STATUS_INVALID_WORKSTATION
>>>>
>>>> :(
>>>>
>>>>
>>>>
>>>> On Wednesday, December 31, 2014 2:05 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>>> On 31/12/14 09:55, Jason Long wrote:
>>>>> Thanks.
>>>>> I changed the command to the following:
>>>>>
>>>>> #net rpc rights grant 'jasondomain\Domain Admins' SeDiskOperatorPrivilege -U jasondomain\\administrator -I 192.168.1.1
>>>>>
>>>>> But I got the error below:
>>>>>
>>>>> Could not connect to server 192.168.1.1
>>>>> Connection failed: NT_STATUS_INVALID_WORKSTATION
>>>>>
>>>>> Cheers.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Wednesday, December 31, 2014 1:35 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>>>> On 31/12/14 09:17, Jason Long wrote:
>>>>>> Thank you so much, but I ran the commands below on Linux:
>>>>>>
>>>>>>
>>>>>> # net rpc rights grant 'jasondomain\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
>>>>>> # net rpc rights list accounts -Uadministrator
>>>>>>
>>>>>> It asks me for a password for "administrator":
>>>>>>
>>>>>> Enter administrator's password:
>>>>>> Could not connect to server 127.0.0.1
>>>>>> Connection failed: NT_STATUS_NO_LOGON_SERVERS
>>>>>>
>>>>>> Must I enter the Windows administrator password?
>>>>>>
>>>>>>
>>>>>> Thanks.
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Monday, December 29, 2014 5:10 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>>>>> On 29/12/14 12:52, Jason Long wrote:
>>>>>>> Thank you so much.
>>>>>>>
>>>>>>> I made some changes as below:
>>>>>>>
>>>>>>> /dev/mapper/vg_print-lv_root /                       ext4    user_xattr,acl,defaults        1 1
>>>>>>>
>>>>>>>
>>>>>>> Then "lsof | grep /dev/mapper/vg_print-lv_root" has no output.
>>>>>>> I also added the lines below to the [global] section:
>>>>>>>
>>>>>>> vfs objects = acl_xattr
>>>>>>> map acl inherit = Yes
>>>>>>> store dos attributes = Yes
>>>>>>>
>>>>>>> But can you tell me more about the commands below?
>>>>>>>
>>>>>>> net rpc rights grant 'SAMDOM\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
>>>>>>> net rpc rights list accounts -Uadministrator
>>>>>>>
>>>>>>> I hope they are not dangerous!
>>>>>> No :-)
>>>>>>
>>>>>> The first one gives members of Domain Admins the right to change Windows
>>>>>> ACLs on a share.
>>>>>> The second lists accounts and what rights they have.
>>>>>>
>>>>>>> In "https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs", the other steps are in Windows! Can I do them via Linux too?
>>>>>>>
>>>>>> Yes, but it is just easier via Windows.
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>>>
>>>>>>>
>>>>>>> Thanks.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Monday, December 29, 2014 1:59 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>>>>>> On 29/12/14 06:38, Jason Long wrote:
>>>>>>>> Thank you so much.
>>>>>>>> You're right, my realm is "jasondomaini.jasondomain.jj" and I changed the configuration as below:
>>>>>>>>
>>>>>>>>
>>>>>>>> [global]
>>>>>>>> workgroup = JASONDOMAINI
>>>>>>>> server string = Samba Server Version %v
>>>>>>>> # logs split per machine
>>>>>>>> log file = /var/log/samba/log.%m
>>>>>>>> # max 50KB per log file, then rotate
>>>>>>>> max log size = 50
>>>>>>>> security = ADS
>>>>>>>> realm = JASONDOMAINI.JASONDOMAIN.JJ
>>>>>>>> passdb backend = tdbsam
>>>>>>>> load printers = yes
>>>>>>>> cups options = raw
>>>>>>>> idmap config *:backend = tdb
>>>>>>>> idmap config *:range = 70001-80000
>>>>>>>> #idmap config SAMDOM:backend = ad
>>>>>>>> idmap config JASONDOMAINI:backend = ad
>>>>>>>> idmap config JASONDOMAINI:schema_mode = rfc2307
>>>>>>>> idmap config JASONDOMAINI:range = 500-40000
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> When I use SSH on my CentOS box and log in as "jasondomain\jason", it shows me the root partition and I can open the "Test" directory, but there are two problems:
>>>>>>>>
>>>>>>>> 1- Why does it show the root partition?
>>>>>>>> 2- I can't browse it via Windows Explorer!
>>>>>>>>
>>>>>>>> I want to know: is using AD users in Linux hard?
>>>>>>>>
>>>>>>>> In your opinion, did I use the correct command to set the ACL?
>>>>>>>>
>>>>>>>> #getfacl test/
>>>>>>>>
>>>>>>>>
>>>>>>>> # file: test/
>>>>>>>> # owner: JASONDOMAINI\134JASON
>>>>>>>> # group: JASONDOMAINI\134grp-JASON-rw
>>>>>>>> user::rwx
>>>>>>>> group::r-x
>>>>>>>> group:JASONDOMAINI\134grp-JASON-rw:rwx
>>>>>>>> mask::rwx
>>>>>>>> other::r-x
>>>>>>>>
>>>>>>>>
>>>>>>>> and "getent group" shows me the group below:
>>>>>>>>
>>>>>>>> JASONDOMAINI\134grp-JASON-rw
>>>>>>>>
>>>>>>>>
>>>>>>>> In your opinion, did I use the correct command to set permissions?
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Sunday, December 28, 2014 9:37 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>>>>>>> On 28/12/14 15:48, Jason Long wrote:
>>>>>>>>> Thank you so much.
>>>>>>>>> Thus I must change "idmap config JASONDOMAIN.JJ:backend = ad" to "idmap config JASONDOMAIN:backend = ad".
>>>>>>>>> How about the workgroup? Must I change it to "JASONDOMAIN" too?
>>>>>>>>> About your question, I must say that I tested this share via Linux too, and Windows and Linux have the same problem.
>>>>>>>>>
>>>>>>>>> About "What I would do is, install the OpenSSH server on the linux machine, install 'PUTTY' on a windows machine and try to login via 'PUTTY' and use the SSH protocol.", do you mean that Windows clients should use SSH to work with this directory? I want to make this Linux box a file server, and Windows clients need a graphical browser to copy and paste files into this directory!
>>>>>>>>> What is your idea?
>>>>>>>>>
>>>>>>>>> Thanks.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>> I am losing track here a bit, but if your dns domain is example.com,
>>>>>>>> then your windows AD realm should be something like internal.example.com
>>>>>>>> and your workgroup/domain name should be INTERNAL, that is, they all
>>>>>>>> rely on each other.
>>>>>>>>
>>>>>>>> So anywhere that you come across these, you should use the relevant one,
>>>>>>>> this is the relevant parts from a Unix client on my domain:
>>>>>>>>
>>>>>>>> [global]
>>>>>>>>                  workgroup = INTERNAL
>>>>>>>>                  security = ADS
>>>>>>>>                  realm = INTERNAL.EXAMPLE.COM
>>>>>>>>                  ..........
>>>>>>>>                  idmap config * : backend = tdb
>>>>>>>>                  idmap config * : range = 2000-9999
>>>>>>>>                  idmap config INTERNAL : backend  = ad
>>>>>>>>                  idmap config INTERNAL : range = 10000-999999
>>>>>>>>                  idmap config INTERNAL : schema_mode = rfc2307
>>>>>>>>
>>>>>>>> As for using 'PUTTY', this was just a way of testing whether you can
>>>>>>>> connect to the Unix machine.
>>>>>>>>
>>>>>>>>
>>>>>>>> Rowland
>>>>>>> OK, we are getting closer
>>>>>>>
>>>>>>> right, answers to your questions
>>>>>>> 1) I think that you may find that 'Could not chdir to home directory'
>>>>>>> is also printed, in which case you will end up in the root of the computer.
>>>>>>>
>>>>>>> 2) Are you running the 'nmbd' daemon? Even if this is not running you
>>>>>>> should be able to navigate to the share by entering the path. Have a
>>>>>>> look here:
>>>>>>>
>>>>>>> https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs
>>>>>>>
>>>>>>>
>>>>>>> Rowland
>>>>>>>
>>>>> You are trying to run the command on a client, try adding either:
>>>>>
>>>>> -S server name
>>>>>
>>>>> OR
>>>>>
>>>>> -I address of target server
>>>>>
>>>>> where 'server' is the AD DC.
>>>>>
>>>>> Yes, you need to supply the password of the Domain Administrator.
>>>>>
>>>>>
>>>>> Rowland
>>>>>
>>>> OK, try it like this:
>>>>
>>>> net rpc rights grant 'Domain Admins' SeDiskOperatorPrivilege -UAdministrator -I 192.168.1.1
>>>>
>>>> This works for me on a client joined to the domain.
>>>>
>>>>
>>>> Rowland
>>>>
>>> Sounds like something is wrong with the join, what does 'net ads
>>> testjoin' return? You may have to run this command with sudo.
>>>
>>>
>>> Rowland
>>>
> Sometimes I wonder why all the time is spent on keeping the samba wiki
> updated. Likewiseopen was replaced some time ago by PowerBroker Open. I
> cannot recommend using either of these, because quite simply, they are
> not needed.
>
> Check the following files:
>
> /etc/samba/smb.conf
>
> [global]
>           workgroup = JASONDOMAINI
>           security = ADS
>           realm = JASONDOMAINI.JASONDOMAIN.JJ
>           dedicated keytab file = /etc/krb5.keytab
>           kerberos method = secrets and keytab
>           server string = Samba 4 Client %h
>           winbind enum users = yes
>           winbind enum groups = yes
>           winbind use default domain = yes
>           winbind expand groups = 4
>           winbind nss info = rfc2307
>           winbind refresh tickets = Yes
>           winbind normalize names = Yes
>           idmap config * : backend = tdb
>           idmap config * : range = 2000-9999
>           idmap config JASONDOMAINI : backend  = ad
>           idmap config JASONDOMAINI : range = 10000-999999
>           idmap config JASONDOMAINI : schema_mode = rfc2307
>           printcap name = cups
>           cups options = raw
>           usershare allow guests = yes
>           domain master = no
>           local master = no
>           preferred master = no
>           os level = 20
>           map to guest = bad user
>           vfs objects = acl_xattr
>           map acl inherit = Yes
>           store dos attributes = Yes
>           log level = 6
>
> /etc/krb5.conf
>
> [libdefaults]
>        default_realm = JASONDOMAINI.JASONDOMAIN.JJ
>        dns_lookup_realm = false
>        dns_lookup_kdc = true
>        ticket_lifetime = 24h
>        forwardable = yes
>
> /etc/resolv.conf
>
> nameserver <your AD DC's ipaddress>
> search jasondomaini.jasondomain.jj
>
> If required, alter them to match the above, check that 'hostname'
> returns only the hostname of the client, check that 'hostname -f'
> returns the FQDN. If either are not correct, fix them.
>
> Remove likewiseopen
>
> Once everything is correct, run the following command:
>
> net ads join -U Administrator at JASONDOMAINI.JASONDOMAIN.JJ
>
> You should be asked for the domain Administrator's password, enter this
> and you should join the domain.
>
> Rowland
>
What Windows DC are you using?
What are the realm name and workgroup name on the Windows DC?

Rowland

