[Samba] Use Samba with ACL for read Active Directory and set Permissions via it.
Jason Long
hack3rcon at yahoo.com
Mon Jan 5 00:02:19 MST 2015
Thanks a lot.
I changed the below lines to correct domain name :
idmap config JASONDOMAIN : range = 10000-999999
idmap config JASONDOMAIN : schema_mode = rfc2307
and after the join, the command "net rpc testjoin" shows the same error:
Unable to find a suitable server for domain JASONDOMAINI
Join to domain 'JASONDOMAINI' is not valid: NT_STATUS_UNSUCCESSFUL
I have an idea: I guess that "/etc/krb5.conf" has some incorrect options. The file is:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = JASONDOMAIN.JJ
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = yes
default_keytab_name = /etc/krb5.keytab
default_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
pkinit_kdc_hostname = <DNS>
pkinit_anchors = DIR:/var/lib/pbis/trusted_certs
pkinit_cert_match = &&<EKU>msScLogin<PRINCIPAL>
pkinit_eku_checking = kpServerAuth
pkinit_win2k_require_binding = false
pkinit_identities = PKCS11:/opt/pbis/lib64/libpkcs11.so
[realms]
EXAMPLE.COM = {
kdc = kerberos.example.com
admin_server = kerberos.example.com
}
JASONDOMAIN.JJ = {
auth_to_local = RULE:[1:$0\$1](^JASONDOMAIN\.JJ\\.*)s/^JASONDOMAIN\.JJ/JASONDOMAINI/
auth_to_local = RULE:[1:$0\$1](^ADVER\.JASONDOMAIN\.JJ\\.*)s/^ADVER\.JASONDOMAIN\.JJ/ADVER/
auth_to_local = DEFAULT
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
.JASONDOMAIN.JJ = JASONDOMAIN.JJ
.adver.JASONDOMAIN.JJ = ADVER.JASONDOMAIN.JJ
[capaths]
[appdefaults]
pam = {
mappings = JASONDOMAINI\\(.*) $1@JASONDOMAIN.JJ
forwardable = true
validate = true
}
httpd = {
mappings = JASONDOMAINI\\(.*) $1@JASONDOMAIN.JJ
reverse_mappings = (.*)@JASONDOMAIN\.JJ JASONDOMAINI\$1
}
What is your idea? I must tell you that after removing LikeWise and configuring manually, I can't log in to Linux via Windows AD accounts.
Thanks.
On Sunday, January 4, 2015 5:11 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
On 04/01/15 13:00, Rowland Penny wrote:
> On 04/01/15 10:17, Jason Long wrote:
>> Thanks a lot.
>> I entered the command and the result is:
>>
>> Using short domain name -- JASONDOMAINI
>> Joined 'PRINTMAH' to dns domain 'JASONDOMAIN.JJ'
>> but after run "net rpc testjoin" :
>>
>> Unable to find a suitable server for domain JASONDOMAINI
>> Join to domain 'JASONDOMAINI' is not valid: NT_STATUS_UNSUCCESSFUL
>>
>> I guess I understand what my problem is. I'm really sorry :(.
>>
>> On Windows OS i used "set" command and it show me :
>>
>> USERDNSDOMAIN= JASONDOMAIN.JJ
>> USERDOMAIN= JASONDOMAINI
>>
>> I guess that I must change "JASONDOMAINI" in below texts to
>> "JASONDOMAIN" :
>>
>> idmap config JASONDOMAINI : range = 10000-999999
>> idmap config JASONDOMAINI : schema_mode = rfc2307
>>
>> Am I right?
>>
>>
>>
>>
>> On Saturday, January 3, 2015 7:44 AM, Rowland Penny
>> <rowlandpenny at googlemail.com> wrote:
>> On 03/01/15 15:08, Jason Long wrote:
>>> Thank you.
>>> I used the below video to join my Linux box to the Windows domain:
>>>
>>> http://www.youtube.com/watch?v=Y3TFPDT9uic
>>>
>>> Please look at this video; I used the instructions in it and the
>>> LikeWiseOpen tool.
>>>
>>>
>>> Cheers.
>>>
>>>
>>>
>>> On Saturday, January 3, 2015 5:45 AM, Rowland Penny
>>> <rowlandpenny at googlemail.com> wrote:
>>> On 03/01/15 12:38, Jason Long wrote:
>>>> Thanks.
>>>>
>>>> I entered "net ads testjoin" and it shows me:
>>>>
>>>> ads_connect: No logon servers
>>>> Join to domain is not valid: No logon servers
>>> You are *not* joined to the domain, I suppose this should have been
>>> asked earlier, but how did you do the domain join ?
>>>
>>> Rowland
>>>
>>>
>>>
>>>> If it is incorrect, why can I log in to Linux via a Windows account?
>>>> As you see, I followed the steps on Video.
>>>>
>>>> :(.
>>>>
>>>>
>>>>
>>>> On Saturday, January 3, 2015 1:13 AM, Rowland Penny
>>>> <rowlandpenny at googlemail.com> wrote:
>>>> On 03/01/15 05:41, Jason Long wrote:
>>>>> Thank you.
>>>>> The command shows the below error:
>>>>>
>>>>> Could not connect to server 192.168.1.1
>>>>> Connection failed: NT_STATUS_INVALID_WORKSTATION
>>>>>
>>>>> :(
>>>>>
>>>>>
>>>>>
>>>>> On Wednesday, December 31, 2014 2:05 AM, Rowland Penny
>>>>> <rowlandpenny at googlemail.com> wrote:
>>>>> On 31/12/14 09:55, Jason Long wrote:
>>>>>> Thanks.
>>>>>> I changed the command as below :
>>>>>>
>>>>>> #net rpc rights grant 'jasondomain\Domain Admins'
>>>>>> SeDiskOperatorPrivilege -U jasondomain\\administrator -I 192.168.1.1
>>>>>>
>>>>>> But Got below error :
>>>>>>
>>>>>> Could not connect to server 192.168.1.1
>>>>>> Connection failed: NT_STATUS_INVALID_WORKSTATION
>>>>>>
>>>>>> Cheers.
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Wednesday, December 31, 2014 1:35 AM, Rowland Penny
>>>>>> <rowlandpenny at googlemail.com> wrote:
>>>>>> On 31/12/14 09:17, Jason Long wrote:
>>>>>>> Thank you so much but I run below commands on linux :
>>>>>>>
>>>>>>>
>>>>>>> # net rpc rights grant 'jasondomain\Domain Admins'
>>>>>>> SeDiskOperatorPrivilege -Uadministrator
>>>>>>> # net rpc rights list accounts -Uadministrator
>>>>>>>
>>>>>>> it asks me for a password for "administrator":
>>>>>>>
>>>>>>> Enter administrator's password:
>>>>>>> Could not connect to server 127.0.0.1
>>>>>>> Connection failed: NT_STATUS_NO_LOGON_SERVERS
>>>>>>>
>>>>>>> Must I enter the Windows administrator password?
>>>>>>>
>>>>>>>
>>>>>>> Thanks.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Monday, December 29, 2014 5:10 AM, Rowland Penny
>>>>>>> <rowlandpenny at googlemail.com> wrote:
>>>>>>> On 29/12/14 12:52, Jason Long wrote:
>>>>>>>> Thank you so much.
>>>>>>>>
>>>>>>>> I did some changes like below :
>>>>>>>>
>>>>>>>> /dev/mapper/vg_print-lv_root / ext4
>>>>>>>> user_xattr,acl,defaults 1 1
>>>>>>>>
>>>>>>>>
>>>>>>>> Then "lsof | grep /dev/mapper/vg_print-lv_root" does not have
>>>>>>>> any output.
>>>>>>>> I added below lines to [global] section too :
>>>>>>>>
>>>>>>>> vfs objects = acl_xattr
>>>>>>>> map acl inherit = Yes
>>>>>>>> store dos attributes = Yes
>>>>>>>>
>>>>>>>> But can you tell me more about the below commands?
>>>>>>>>
>>>>>>>> net rpc rights grant 'SAMDOM\Domain Admins'
>>>>>>>> SeDiskOperatorPrivilege -Uadministrator
>>>>>>>> net rpc rights list accounts -Uadministrator
>>>>>>>>
>>>>>>>> I hope they are not Dangerous!!!!
>>>>>>> No :-)
>>>>>>>
>>>>>>> The first one gives members of Domain Admins the right to change
>>>>>>> windows
>>>>>>> ACL's on a share
>>>>>>> The second lists accounts and what rights they have.
>>>>>>>
>>>>>>>> In the
>>>>>>>> "https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs"
>>>>>>>> , the other steps are in Windows!!! Can I do it via Linux too?
>>>>>>> Yes, but it is just easier via windows
>>>>>>>
>>>>>>> Rowland
>>>>>>>
>>>>>>>
>>>>>>>> Thanks.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Monday, December 29, 2014 1:59 AM, Rowland Penny
>>>>>>>> <rowlandpenny at googlemail.com> wrote:
>>>>>>>> On 29/12/14 06:38, Jason Long wrote:
>>>>>>>>> Thank you so much.
>>>>>>>>> You're right, my realm is "jasondomaini.jasondomain.jj" and I
>>>>>>>>> changed the configuration as below:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> [global]
>>>>>>>>> workgroup = JASONDOMAINI
>>>>>>>>> server string = Samba Server Version %v
>>>>>>>>> # logs split per machine
>>>>>>>>> log file = /var/log/samba/log.%m
>>>>>>>>> # max 50KB per log file, then rotate
>>>>>>>>> max log size = 50
>>>>>>>>> security = ADS
>>>>>>>>> realm = JASONDOMAINI.JASONDOMAIN.JJ
>>>>>>>>> passdb backend = tdbsam
>>>>>>>>> load printers = yes
>>>>>>>>> cups options = raw
>>>>>>>>> idmap config *:backend = tdb
>>>>>>>>> idmap config *:range = 70001-80000
>>>>>>>>> #idmap config SAMDOM:backend = ad
>>>>>>>>> idmap config JASONDOMAINI:backend = ad
>>>>>>>>> idmap config JASONDOMAINI:schema_mode = rfc2307
>>>>>>>>> idmap config JASONDOMAINI:range = 500-40000
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> When I use "SSH" on my CentOS and enter "jasondomain\jason",
>>>>>>>>> it shows me the root partition and I can open the "Test" directory,
>>>>>>>>> but it has two problems:
>>>>>>>>>
>>>>>>>>> 1- Why does it show the root partition?
>>>>>>>>> 2- I can't browse it via Windows explorer!!!
>>>>>>>>>
>>>>>>>>> I want to know: is using AD users in Linux hard?
>>>>>>>>>
>>>>>>>>> In your opinion, did I use a correct command to set the ACL?
>>>>>>>>>
>>>>>>>>> #getfacl test/
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> # file: test/
>>>>>>>>> # owner: JASONDOMAINI\134JASON
>>>>>>>>> # group: JASONDOMAINI\134grp-JASON-rw
>>>>>>>>> user::rwx
>>>>>>>>> group::r-x
>>>>>>>>> group:JASONDOMAINI\134grp-JASON-rw:rwx
>>>>>>>>> mask::rwx
>>>>>>>>> other::r-x
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> and in "getent group" it shows me the below group:
>>>>>>>>>
>>>>>>>>> JASONDOMAINI\134grp-JASON-rw
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> In your opinion, am I using the correct command to set permissions?
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Sunday, December 28, 2014 9:37 AM, Rowland Penny
>>>>>>>>> <rowlandpenny at googlemail.com> wrote:
>>>>>>>>> On 28/12/14 15:48, Jason Long wrote:
>>>>>>>>>> Thank you so much.
>>>>>>>>>> Thus I must change "idmap config JASONDOMAIN.JJ:backend = ad
>>>>>>>>>> " to "idmap config JASONDOMAIN:backend = ad".
>>>>>>>>>> How about Workgroup? Must I change "JASONDOMAIN" too?
>>>>>>>>>> About your question, I must say that I tested this share via
>>>>>>>>>> Linux too, and Windows and Linux have the same problem.
>>>>>>>>>>
>>>>>>>>>> About "What I would do is, install the OpenSSH server on the
>>>>>>>>>> linux machine, install 'PUTTY' on a windows machine and try
>>>>>>>>>> to login via 'PUTTY' and use the SSH protocol.", do you mean
>>>>>>>>>> that Windows clients use SSH to work with this directory? I
>>>>>>>>>> want to make this Linux box a file server, and Windows
>>>>>>>>>> clients need a graphical browser to copy and paste files into
>>>>>>>>>> this directory!!!!!!!
>>>>>>>>>> What is your idea?
>>>>>>>>>>
>>>>>>>>>> Thanks.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>> I am losing track here a bit, but if your dns domain is
>>>>>>>>> example.com,
>>>>>>>>> then your windows AD realm should be something like
>>>>>>>>> internal.example.com
>>>>>>>>> and your workgroup/domain name should be INTERNAL, that is,
>>>>>>>>> they all
>>>>>>>>> rely on each other.
>>>>>>>>>
>>>>>>>>> So anywhere that you come across these, you should use the
>>>>>>>>> relevant one,
>>>>>>>>> this is the relevant parts from a Unix client on my domain:
>>>>>>>>>
>>>>>>>>> [global]
>>>>>>>>> workgroup = INTERNAL
>>>>>>>>> security = ADS
>>>>>>>>> realm = INTERNAL.EXAMPLE.COM
>>>>>>>>> ..........
>>>>>>>>> idmap config * : backend = tdb
>>>>>>>>> idmap config * : range = 2000-9999
>>>>>>>>> idmap config INTERNAL : backend = ad
>>>>>>>>> idmap config INTERNAL : range = 10000-999999
>>>>>>>>> idmap config INTERNAL : schema_mode = rfc2307
>>>>>>>>>
>>>>>>>>> As for using 'PUTTY', this was just a way of testing whether
>>>>>>>>> you can
>>>>>>>>> connect to the Unix machine.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Rowland
>>>>>>>> OK, we are getting closer
>>>>>>>>
>>>>>>>> right, answers to your questions
>>>>>>>> 1) I think that you may find that this is also printed: 'Could
>>>>>>>> not chdir to home directory', in which case you will end up in
>>>>>>>> the root of the computer.
>>>>>>>>
>>>>>>>> 2) Are you running the 'nmbd' daemon ? Even if this is not
>>>>>>>> running you
>>>>>>>> should be able to navigate to the share by entering the path.
>>>>>>>> Have a
>>>>>>>> look here:
>>>>>>>>
>>>>>>>> https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Rowland
>>>>>>>>
>>>>>> You are trying to run the command on a client, try adding either:
>>>>>>
>>>>>> -S server name
>>>>>>
>>>>>> OR
>>>>>>
>>>>>> -I address of target server
>>>>>>
>>>>>> where 'server' is the AD DC.
>>>>>>
>>>>>> Yes, you need to supply the password of the Domain Administrator.
>>>>>>
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>> OK, try it like this:
>>>>>
>>>>> net rpc rights grant 'Domain Admins' SeDiskOperatorPrivilege
>>>>> -UAdministrator -I 192.168.1.1
>>>>>
>>>>> This works for me on a client joined to the domain.
>>>>>
>>>>>
>>>>> Rowland
>>>>>
>>>> Sounds like something is wrong with the join, what does 'net ads
>>>> testjoin' return ? You may have to run this command with sudo.
>>>>
>>>>
>>>> Rowland
>>>>
>> Sometimes I wonder why all the time is spent on keeping the samba wiki
>> updated. Likewiseopen was replaced sometime ago by PowerBroker Open, I
>> cannot recommend using either of these, because quite simply, they are
>> not needed.
>>
>> Check the following files:
>>
>> /etc/samba/smb.conf
>>
>> [global]
>> workgroup = JASONDOMAINI
>> security = ADS
>> realm = JASONDOMAINI.JASONDOMAIN.JJ
>> dedicated keytab file = /etc/krb5.keytab
>> kerberos method = secrets and keytab
>> server string = Samba 4 Client %h
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind use default domain = yes
>> winbind expand groups = 4
>> winbind nss info = rfc2307
>> winbind refresh tickets = Yes
>> winbind normalize names = Yes
>> idmap config * : backend = tdb
>> idmap config * : range = 2000-9999
>> idmap config JASONDOMAINI : backend = ad
>> idmap config JASONDOMAINI : range = 10000-999999
>> idmap config JASONDOMAINI : schema_mode = rfc2307
>> printcap name = cups
>> cups options = raw
>> usershare allow guests = yes
>> domain master = no
>> local master = no
>> preferred master = no
>> os level = 20
>> map to guest = bad user
>> vfs objects = acl_xattr
>> map acl inherit = Yes
>> store dos attributes = Yes
>> log level = 6
>>
>> /etc/krb5.conf
>>
>> [libdefaults]
>> default_realm = JASONDOMAINI.JASONDOMAIN.JJ
>> dns_lookup_realm = false
>> dns_lookup_kdc = true
>> ticket_lifetime = 24h
>> forwardable = yes
>>
>> /etc/resolv.conf
>>
>> nameserver <your AD DC's ipaddress>
>> search jasondomaini.jasondomain.jj
>>
>> If required, alter them to match the above, check that 'hostname'
>> returns only the hostname of the client, check that 'hostname -f'
>> returns the FQDN. If either are not correct, fix them.
>>
>> Remove likewiseopen
>>
>> Once everything is correct, run the following command:
>>
>> net ads join -U Administrator@JASONDOMAINI.JASONDOMAIN.JJ
>>
>> You should be asked for the domain Administrator's password; enter this
>> and you should join the domain.
>>
>> Rowland
>>
> What Windows DC are you using ?
> What is the realm name * workgroup name on the Windows DC ?
>
> Rowland
oops, that should have been:
What is the realm name & workgroup name on the Windows DC ?
Rowland
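The whole thread circles around one set of names that have to agree: the workgroup (short/NetBIOS domain name), the Kerberos realm, the domain used in the `idmap config` lines, the `default_realm` in krb5.conf and the search domain in resolv.conf. The script below is an added example, not code from the thread or from the Samba project: it parses constructed copies of the three files Rowland lists (modelled on the values in the thread; the nameserver 192.0.2.10 and the KDC name dc.jasondomain.jj are placeholders) and reports the mismatches that lead to "No logon servers" style failures, overlapping idmap ranges, and missing `acl_xattr` settings for Windows-ACL shares.

```python
# Added example (not code from the thread or from Samba): cross-check the three
# files an AD domain member depends on. All sample contents are constructed.
import re

# Constructed sample: the idmap domain and the Kerberos realm disagree with the
# workgroup/realm in smb.conf, and the two idmap ranges overlap.
SMB_CONF_BAD = """\
[global]
   workgroup = JASONDOMAINI
   security = ADS
   realm = JASONDOMAINI.JASONDOMAIN.JJ
   idmap config * : backend = tdb
   idmap config * : range = 2000-9999
   idmap config JASONDOMAIN : backend = ad
   idmap config JASONDOMAIN : range = 500-40000
   idmap config JASONDOMAIN : schema_mode = rfc2307
   vfs objects = acl_xattr
   map acl inherit = Yes
   store dos attributes = Yes
"""
KRB5_CONF_BAD = """\
[libdefaults]
   default_realm = JASONDOMAIN.JJ
[realms]
   JASONDOMAIN.JJ = {
      kdc = dc.jasondomain.jj
   }
"""
RESOLV_BAD = "nameserver 192.0.2.10\nsearch jasondomain.jj\n"

# Constructed sample in which every name derives from the same realm.
SMB_CONF_GOOD = SMB_CONF_BAD.replace("JASONDOMAIN :", "JASONDOMAINI :").replace("500-40000", "10000-999999")
KRB5_CONF_GOOD = "[libdefaults]\n   default_realm = JASONDOMAINI.JASONDOMAIN.JJ\n"
RESOLV_GOOD = "nameserver 192.0.2.10\nsearch jasondomaini.jasondomain.jj\n"


def parse_ini(text):
    """{section: {key: value}} for smb.conf / krb5.conf. Keys are lower-cased
    with spaces around ':' dropped (Samba ignores both); krb5.conf
    'NAME = { ... }' blocks are flattened to 'NAME/key'."""
    sections, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            section, block = line[1:-1].strip(), None
            sections.setdefault(section, {})
        elif line.endswith("{") and "=" in line:
            block = line.split("=", 1)[0].strip()
        elif line == "}":
            block = None
        elif "=" in line and section is not None:
            key, value = (p.strip() for p in line.split("=", 1))
            key = re.sub(r"\s*:\s*", ":", re.sub(r"\s+", " ", key)).lower()
            sections[section][f"{block}/{key}" if block else key] = value
    return sections


def check_member_config(smb_text, krb5_text, resolv_text):
    """Return a list of findings; an empty list means the files agree."""
    findings, ranges, wrong = [], {}, set()
    smb = parse_ini(smb_text).get("global", {})
    workgroup, realm = smb.get("workgroup", "").upper(), smb.get("realm", "").upper()
    # The idmap domain is the short (NetBIOS) domain name, i.e. the workgroup.
    for key, value in smb.items():
        m = re.match(r"idmap config ([^:]+):(\w+)$", key)
        if m:
            domain = m.group(1).upper()
            if domain not in ("*", workgroup):
                wrong.add(domain)
            if m.group(2) == "range":
                ranges[domain] = tuple(int(x) for x in value.split("-"))
    for domain in sorted(wrong):
        findings.append(f"idmap config domain {domain} does not match workgroup {workgroup}")
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(f"idmap ranges for {a} and {b} overlap")
    # Kerberos default realm and the DNS search list must carry smb.conf's realm.
    default_realm = parse_ini(krb5_text).get("libdefaults", {}).get("default_realm", "")
    if default_realm.upper() != realm:
        findings.append(f"krb5.conf default_realm {default_realm} != smb.conf realm {realm}")
    search = [d.upper() for ln in resolv_text.splitlines()
              if ln.split()[:1] in (["search"], ["domain"]) for d in ln.split()[1:]]
    if realm not in search:
        findings.append(f"resolv.conf search list {search} lacks realm {realm}")
    # Windows ACLs on a share need acl_xattr plus the two options below.
    if "acl_xattr" not in smb.get("vfs objects", "").split():
        findings.append("vfs objects lacks acl_xattr; Windows ACLs will not be stored")
    for opt in ("map acl inherit", "store dos attributes"):
        if smb.get(opt, "").lower() not in ("yes", "true", "1"):
            findings.append(f"'{opt}' should be Yes when using acl_xattr")
    return findings


if __name__ == "__main__":
    print(check_member_config(SMB_CONF_BAD, KRB5_CONF_BAD, RESOLV_BAD))
    print(check_member_config(SMB_CONF_GOOD, KRB5_CONF_GOOD, RESOLV_GOOD) or "OK")
```

To use it on a real client, read `/etc/samba/smb.conf`, `/etc/krb5.conf` and `/etc/resolv.conf` and pass their contents to `check_member_config`; an empty result means the names agree, which is the precondition for `net ads join` and `net ads testjoin` to succeed, and it is worth re-running after any edit to the idmap lines, since a domain typo there silently leaves the AD users without UID/GID mappings.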
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba