[Samba] Use Samba with ACL for read Active Directory and set Permissions via it.

Rowland Penny rowlandpenny at googlemail.com
Mon Jan 5 02:04:45 MST 2015


On 05/01/15 07:02, Jason Long wrote:
> Thanks a lot.
> I changed the below lines to correct domain name :
>
> idmap config JASONDOMAIN : range = 10000-999999
> idmap config JASONDOMAIN : schema_mode = rfc2307
>
> and after join, the command "net rpc testjoin" show same error :
>
> Unable to find a suitable server for domain JASONDOMAINI
> Join to domain 'JASONDOMAINI' is not valid: NT_STATUS_UNSUCCESSFUL
>
> I have an idea and I guess that "/etc/krb5.conf" has some incorrect options. The file is:
>
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = JASONDOMAIN.JJ
> dns_lookup_realm = false
> dns_lookup_kdc = true
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = yes
> default_keytab_name = /etc/krb5.keytab
> default_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
> default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
> preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
> pkinit_kdc_hostname = <DNS>
> pkinit_anchors = DIR:/var/lib/pbis/trusted_certs
> pkinit_cert_match = &&<EKU>msScLogin<PRINCIPAL>
> pkinit_eku_checking = kpServerAuth
> pkinit_win2k_require_binding = false
> pkinit_identities = PKCS11:/opt/pbis/lib64/libpkcs11.so
>
> [realms]
> EXAMPLE.COM = {
> kdc = kerberos.example.com
> admin_server = kerberos.example.com
> }
> JASONDOMAIN.JJ = {
> auth_to_local = RULE:[1:$0\$1](^JASONDOMAIN\.JJ\\.*)s/^JASONDOMAIN\.JJ/JASONDOMAINI/
> auth_to_local = RULE:[1:$0\$1](^ADVER\.JASONDOMAIN\.JJ\\.*)s/^ADVER\.JASONDOMAIN\.JJ/ADVER/
> auth_to_local = DEFAULT
> }
>
> [domain_realm]
> .example.com = EXAMPLE.COM
> example.com = EXAMPLE.COM
> .JASONDOMAIN.JJ = JASONDOMAIN.JJ
> .adver.JASONDOMAIN.JJ = ADVER.JASONDOMAIN.JJ
> [capaths]
> [appdefaults]
> pam = {
> mappings = JASONDOMAINI\\(.*) $1 at JASONDOMAIN.JJ
> forwardable = true
> validate = true
> }
> httpd = {
> mappings = JASONDOMAINI\\(.*) $1 at JASONDOMAIN.JJ
> reverse_mappings = (.*)@JASONDOMAIN\.JJ JASONDOMAINI\$1
> }
>
>
>
> What is your idea? I must tell you that after removing LikeWise and configuring manually, I can't log in to Linux via Windows AD accounts.
>
>
> Thanks.
>   
>
>
>
>
>
> On Sunday, January 4, 2015 5:11 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
> On 04/01/15 13:00, Rowland Penny wrote:
>> On 04/01/15 10:17, Jason Long wrote:
>>> Thanks a lot.
>>> I entered the command and the result is:
>>>
>>> Using short domain name -- JASONDOMAINI
>>> Joined 'PRINTMAH' to dns domain 'JASONDOMAIN.JJ'
>>> but after run "net rpc testjoin" :
>>>
>>> Unable to find a suitable server for domain JASONDOMAINI
>>> Join to domain 'JASONDOMAINI' is not valid: NT_STATUS_UNSUCCESSFUL
>>>
>>> I guess I understand what is my problem. I'm really sorry :(.
>>>
>>> On Windows OS i used "set" command and it show me :
>>>
>>> USERDNSDOMAIN= JASONDOMAIN.JJ
>>> USERDOMAIN= JASONDOMAINI
>>>
>>> I guess that I must change "JASONDOMAINI" in below texts to
>>> "JASONDOMAIN" :
>>>
>>> idmap config JASONDOMAINI : range = 10000-999999
>>> idmap config JASONDOMAINI : schema_mode = rfc2307
>>>
>>> Am I right?
>>>
>>>
>>>
>>>
>>> On Saturday, January 3, 2015 7:44 AM, Rowland Penny
>>> <rowlandpenny at googlemail.com> wrote:
>>> On 03/01/15 15:08, Jason Long wrote:
>>>> Thank you.
>>>> I used the video below to join my Linux box to the Windows domain:
>>>>
>>>> http://www.youtube.com/watch?v=Y3TFPDT9uic
>>>>
>>>> Please look at this video; I used the instructions in it and the
>>>> LikeWiseOpen tool.
>>>>
>>>>
>>>> Cheers.
>>>>
>>>>
>>>>
>>>> On Saturday, January 3, 2015 5:45 AM, Rowland Penny
>>>> <rowlandpenny at googlemail.com> wrote:
>>>> On 03/01/15 12:38, Jason Long wrote:
>>>>> Thanks.
>>>>>
>>>>> I entered "net ads testjoin" and it shows me:
>>>>>
>>>>> ads_connect: No logon servers
>>>>> Join to domain is not valid: No logon servers
>>>> You are *not* joined to the domain, I suppose this should have been
>>>> asked earlier, but how did you do the domain join ?
>>>>
>>>> Rowland
>>>>
>>>>
>>>>
>>>>> If it is incorrect, why can I log in to Linux via a Windows account?
>>>>> As you see, I followed the steps on Video.
>>>>>
>>>>> :(.
>>>>>
>>>>>
>>>>>
>>>>> On Saturday, January 3, 2015 1:13 AM, Rowland Penny
>>>>> <rowlandpenny at googlemail.com> wrote:
>>>>> On 03/01/15 05:41, Jason Long wrote:
>>>>>> Thank you.
>>>>>> The command shows the error below:
>>>>>>
>>>>>> Could not connect to server 192.168.1.1
>>>>>> Connection failed: NT_STATUS_INVALID_WORKSTATION
>>>>>>
>>>>>> :(
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Wednesday, December 31, 2014 2:05 AM, Rowland Penny
>>>>>> <rowlandpenny at googlemail.com> wrote:
>>>>>> On 31/12/14 09:55, Jason Long wrote:
>>>>>>> Thanks.
>>>>>>> I changed the command as below :
>>>>>>>
>>>>>>> #net rpc rights grant 'jasondomain\Domain Admins'
>>>>>>> SeDiskOperatorPrivilege -U jasondomain\\administrator -I 192.168.1.1
>>>>>>>
>>>>>>> But Got below error :
>>>>>>>
>>>>>>> Could not connect to server 192.168.1.1
>>>>>>> Connection failed: NT_STATUS_INVALID_WORKSTATION
>>>>>>>
>>>>>>> Cheers.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Wednesday, December 31, 2014 1:35 AM, Rowland Penny
>>>>>>> <rowlandpenny at googlemail.com> wrote:
>>>>>>> On 31/12/14 09:17, Jason Long wrote:
>>>>>>>> Thank you so much but I run below commands on linux :
>>>>>>>>
>>>>>>>>
>>>>>>>> # net rpc rights grant 'jasondomain\Domain Admins'
>>>>>>>> SeDiskOperatorPrivilege -Uadministrator
>>>>>>>> # net rpc rights list accounts -Uadministrator
>>>>>>>>
>>>>>>>> it asks me for a password for "administrator":
>>>>>>>>
>>>>>>>> Enter administrator's password:
>>>>>>>> Could not connect to server 127.0.0.1
>>>>>>>> Connection failed: NT_STATUS_NO_LOGON_SERVERS
>>>>>>>>
>>>>>>>> Must I enter windows administrator password?
>>>>>>>>
>>>>>>>>
>>>>>>>> Thanks.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Monday, December 29, 2014 5:10 AM, Rowland Penny
>>>>>>>> <rowlandpenny at googlemail.com> wrote:
>>>>>>>> On 29/12/14 12:52, Jason Long wrote:
>>>>>>>>> Thank you so much.
>>>>>>>>>
>>>>>>>>> I did some changes like below :
>>>>>>>>>
>>>>>>>>> /dev/mapper/vg_print-lv_root / ext4
>>>>>>>>> user_xattr,acl,defaults        1 1
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Then "lsof | grep /dev/mapper/vg_print-lv_root" not have any
>>>>>>>>> output.
>>>>>>>>> I added below lines to [global] section too :
>>>>>>>>>
>>>>>>>>> vfs objects = acl_xattr
>>>>>>>>> map acl inherit = Yes
>>>>>>>>> store dos attributes = Yes
>>>>>>>>>
>>>>>>>>> But about below commands can you tell me more?
>>>>>>>>>
>>>>>>>>> net rpc rights grant 'SAMDOM\Domain Admins'
>>>>>>>>> SeDiskOperatorPrivilege -Uadministrator
>>>>>>>>> net rpc rights list accounts -Uadministrator
>>>>>>>>>
>>>>>>>>> I hope they are not Dangerous!!!!
>>>>>>>> No :-)
>>>>>>>>
>>>>>>>> The first one gives members of Domain Admins the right to change
>>>>>>>> windows
>>>>>>>> ACL's on a share
>>>>>>>> The second lists accounts and what rights they have.
>>>>>>>>
>>>>>>>>> In the
>>>>>>>>> "https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs"
>>>>>>>>> , the other steps are in Windows!!! Can I do them via Linux too?
>>>>>>>> Yes, but it is just easier via windows
>>>>>>>>
>>>>>>>> Rowland
>>>>>>>>
>>>>>>>>
>>>>>>>>>    Thanks.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Monday, December 29, 2014 1:59 AM, Rowland Penny
>>>>>>>>> <rowlandpenny at googlemail.com> wrote:
>>>>>>>>> On 29/12/14 06:38, Jason Long wrote:
>>>>>>>>>> Thank you so much.
>>>>>>>>>> You're right, my realm is "jasondomaini.jasondomain.jj" and I
>>>>>>>>>> changed the configuration as below:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> [global]
>>>>>>>>>> workgroup = JASONDOMAINI
>>>>>>>>>> server string = Samba Server Version %v
>>>>>>>>>> # logs split per machine
>>>>>>>>>> log file = /var/log/samba/log.%m
>>>>>>>>>> # max 50KB per log file, then rotate
>>>>>>>>>> max log size = 50
>>>>>>>>>> security = ADS
>>>>>>>>>> realm = JASONDOMAINI.JASONDOMAIN.JJ
>>>>>>>>>> passdb backend = tdbsam
>>>>>>>>>> load printers = yes
>>>>>>>>>> cups options = raw
>>>>>>>>>> idmap config *:backend = tdb
>>>>>>>>>> idmap config *:range = 70001-80000
>>>>>>>>>> #idmap config SAMDOM:backend = ad
>>>>>>>>>> idmap config JASONDOMAINI:backend = ad
>>>>>>>>>> idmap config JASONDOMAINI:schema_mode = rfc2307
>>>>>>>>>> idmap config JASONDOMAINI:range = 500-40000
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> When I use "SSH" on my CentOS and enter "jasondomain\jason",
>>>>>>>>>> it shows me the root partition and I can open the "Test" directory,
>>>>>>>>>> but it has two problems:
>>>>>>>>>>
>>>>>>>>>> 1- Why does it show the root partition?
>>>>>>>>>> 2- I can't browse it via Windows Explorer!!!
>>>>>>>>>>
>>>>>>>>>> I want to know: is using AD users in Linux hard?
>>>>>>>>>>
>>>>>>>>>> In your opinion, did I use the correct command to set the ACL?
>>>>>>>>>>
>>>>>>>>>> #getfacl test/
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> # file: test/
>>>>>>>>>> # owner: JASONDOMAINI\134JASON
>>>>>>>>>> # group: JASONDOMAINI\134grp-JASON-rw
>>>>>>>>>> user::rwx
>>>>>>>>>> group::r-x
>>>>>>>>>> group:JASONDOMAINI\134grp-JASON-rw:rwx
>>>>>>>>>> mask::rwx
>>>>>>>>>> other::r-x
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> and in "getent group" it shows me the group below:
>>>>>>>>>>
>>>>>>>>>> JASONDOMAINI\134grp-JASON-rw
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> In your opinion, am I using the correct command to set permissions?
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On Sunday, December 28, 2014 9:37 AM, Rowland Penny
>>>>>>>>>> <rowlandpenny at googlemail.com> wrote:
>>>>>>>>>> On 28/12/14 15:48, Jason Long wrote:
>>>>>>>>>>> Thank you so much.
>>>>>>>>>>> Thus I must change "idmap config JASONDOMAIN.JJ:backend = ad
>>>>>>>>>>> " to "idmap config JASONDOMAIN:backend = ad".
>>>>>>>>>>> How about Workgroup? Must it change to "JASONDOMAIN" too?
>>>>>>>>>>> About your question I must say that I tested this share via
>>>>>>>>>>> Linux too, and Windows and Linux have the same problem.
>>>>>>>>>>>
>>>>>>>>>>> About "What I would do is, install the OpenSSH server on the
>>>>>>>>>>> linux machine, install 'PUTTY' on a windows machine and try
>>>>>>>>>>> to login via 'PUTTY' and use the SSH protocol.", do you mean
>>>>>>>>>>> that Windows clients should use SSH to work with this directory? I
>>>>>>>>>>> want to make this Linux box a file server, and Windows
>>>>>>>>>>> clients need a graphical browser to copy and paste files into
>>>>>>>>>>> this directory!!!!!!!
>>>>>>>>>>> What is your idea?
>>>>>>>>>>>
>>>>>>>>>>> Thanks.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>> I am losing track here a bit, but if your dns domain is
>>>>>>>>>> example.com,
>>>>>>>>>> then your windows AD realm should be something like
>>>>>>>>>> internal.example.com
>>>>>>>>>> and your workgroup/domain name should be INTERNAL, that is,
>>>>>>>>>> they all
>>>>>>>>>> rely on each other.
>>>>>>>>>>
>>>>>>>>>> So anywhere that you come across these, you should use the
>>>>>>>>>> relevant one,
>>>>>>>>>> this is the relevant parts from a Unix client on my domain:
>>>>>>>>>>
>>>>>>>>>> [global]
>>>>>>>>>>                   workgroup = INTERNAL
>>>>>>>>>>                   security = ADS
>>>>>>>>>>                   realm = INTERNAL.EXAMPLE.COM
>>>>>>>>>>                   ..........
>>>>>>>>>>                   idmap config * : backend = tdb
>>>>>>>>>>                   idmap config * : range = 2000-9999
>>>>>>>>>>                   idmap config INTERNAL : backend = ad
>>>>>>>>>>                   idmap config INTERNAL : range = 10000-999999
>>>>>>>>>>                   idmap config INTERNAL : schema_mode = rfc2307
>>>>>>>>>>
>>>>>>>>>> As for using 'PUTTY', this was just a way of testing whether
>>>>>>>>>> you can
>>>>>>>>>> connect to the Unix machine.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Rowland
>>>>>>>>> OK, we are getting closer
>>>>>>>>>
>>>>>>>>> right, answers to your questions
>>>>>>>>> 1) I think that you may find that this is also printed 'Could
>>>>>>>>> not chdir
>>>>>>>>> to home directory', in which case you will end up in the root
>>>>>>>>> of the computer.
>>>>>>>>>
>>>>>>>>> 2) Are you running the 'nmbd' daemon ? Even if this is not
>>>>>>>>> running you
>>>>>>>>> should be able to navigate to the share by entering the path.
>>>>>>>>> Have a
>>>>>>>>> look here:
>>>>>>>>>
>>>>>>>>> https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Rowland
>>>>>>>>>
>>>>>>> You are trying to run the command on a client, try adding either:
>>>>>>>
>>>>>>> -S server name
>>>>>>>
>>>>>>> OR
>>>>>>>
>>>>>>> -I address of target server
>>>>>>>
>>>>>>> where 'server' is the AD DC.
>>>>>>>
>>>>>>> Yes, you need to supply the password of the Domain Administrator.
>>>>>>>
>>>>>>>
>>>>>>> Rowland
>>>>>>>
>>>>>> OK, try it like this:
>>>>>>
>>>>>> net rpc rights grant 'Domain Admins' SeDiskOperatorPrivilege
>>>>>> -UAdministrator -I 192.168.1.1
>>>>>>
>>>>>> This works for me on a client joined to the domain.
>>>>>>
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>> Sounds like something is wrong with the join, what does 'net ads
>>>>> testjoin' return ? You may have to run this command with sudo.
>>>>>
>>>>>
>>>>> Rowland
>>>>>
>>> Sometimes I wonder why all the time is spent on keeping the samba wiki
>>> updated. Likewiseopen was replaced sometime ago by PowerBroker Open, I
>>> cannot recommend using either of these, because quite simply, they are
>>> not needed.
>>>
>>> Check the following files:
>>>
>>> /etc/samba/smb.conf
>>>
>>> [global]
>>>            workgroup = JASONDOMAINI
>>>            security = ADS
>>>            realm = JASONDOMAINI.JASONDOMAIN.JJ
>>>            dedicated keytab file = /etc/krb5.keytab
>>>            kerberos method = secrets and keytab
>>>            server string = Samba 4 Client %h
>>>            winbind enum users = yes
>>>            winbind enum groups = yes
>>>            winbind use default domain = yes
>>>            winbind expand groups = 4
>>>            winbind nss info = rfc2307
>>>            winbind refresh tickets = Yes
>>>            winbind normalize names = Yes
>>>            idmap config * : backend = tdb
>>>            idmap config * : range = 2000-9999
>>>            idmap config JASONDOMAINI : backend  = ad
>>>            idmap config JASONDOMAINI : range = 10000-999999
>>>            idmap config JASONDOMAINI : schema_mode = rfc2307
>>>            printcap name = cups
>>>            cups options = raw
>>>            usershare allow guests = yes
>>>            domain master = no
>>>            local master = no
>>>            preferred master = no
>>>            os level = 20
>>>            map to guest = bad user
>>>            vfs objects = acl_xattr
>>>            map acl inherit = Yes
>>>            store dos attributes = Yes
>>>            log level = 6
>>>
>>> /etc/krb5.conf
>>>
>>> [libdefaults]
>>>         default_realm = JASONDOMAINI.JASONDOMAIN.JJ
>>>         dns_lookup_realm = false
>>>         dns_lookup_kdc = true
>>>         ticket_lifetime = 24h
>>>         forwardable = yes
>>>
>>> /etc/resolv.conf
>>>
>>> nameserver <your AD DC's ipaddress>
>>> search jasondomaini.jasondomain.jj
>>>
>>> If required, alter them to match the above, check that 'hostname'
>>> returns only the hostname of the client, check that 'hostname -f'
>>> returns the FQDN. If either are not correct, fix them.
>>>
>>> Remove likewiseopen
>>>
>>> Once everything is correct, run the following command:
>>>
>>> net ads join -U Administrator at JASONDOMAINI.JASONDOMAIN.JJ
>>>
>>> You should be asked for the domain Administrator's password, enter this
>>> and you should join the domain
>>>
>>> Rowland
>>>
>> What Windows DC are you using ?
>> What is the realm name * workgroup name on the Windows DC ?
>>
>> Rowland
> oops, that should have been:
>
>
> What is the realm name & workgroup name on the Windows DC ?
>
> Rowland
>

Hi, will you answer these questions:

What Windows DC are you using ?
What is the realm name on the Windows DC ?
What is the workgroup name on the Windows DC ?

You do not need all of what you have in /etc/krb5.conf, but please 
answer the questions above first.

Rowland
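The whole thread turns on a consistency rule Rowland states several times: the `workgroup`, the `realm` and every `idmap config DOMAIN : ...` key in smb.conf must name the same domain, and the `idmap config *` range must not collide with the domain's range (JASONDOMAIN versus JASONDOMAINI is exactly that mismatch). The following Python linter is an added example, not code from the thread or from the Samba project. The smb.conf text it parses is constructed to reproduce the mismatch discussed above; the checks are the ones stated in the thread, plus one labelled heuristic (the realm's first DNS label normally equals the workgroup, as in Rowland's `INTERNAL` / `INTERNAL.EXAMPLE.COM` example), which is reported as a warning rather than an error because a NetBIOS domain name is not required to match.

```python
import re
from collections import defaultdict

# Constructed sample resembling the configuration discussed in the thread:
# the idmap keys say JASONDOMAIN while the workgroup is JASONDOMAINI, and the
# wildcard range overlaps the domain range.
SAMPLE_SMB_CONF = """
[global]
        workgroup = JASONDOMAINI
        security = ADS
        realm = JASONDOMAINI.JASONDOMAIN.JJ
        idmap config * : backend = tdb
        idmap config * : range = 2000-20000
        idmap config JASONDOMAIN : backend = ad
        idmap config JASONDOMAIN : range = 10000-999999
        idmap config JASONDOMAIN : schema_mode = rfc2307
        vfs objects = acl_xattr
        map acl inherit = Yes
        store dos attributes = Yes

[test]
        path = /srv/samba/test
        read only = no
"""

# Constructed corrected version: idmap keys renamed to the workgroup and the
# wildcard range moved below the domain range, as in Rowland's example.
FIXED_SMB_CONF = (SAMPLE_SMB_CONF
                  .replace("JASONDOMAIN :", "JASONDOMAINI :")
                  .replace("2000-20000", "2000-9999"))

# Matches a normalised key such as "idmap config * : range" or
# "idmap config jasondomaini:backend" (Samba accepts both spacings).
IDMAP_RE = re.compile(r"^idmap config (\S+?)\s*:\s*(\w+)$", re.IGNORECASE)


def parse_smb_conf(text):
    """Return {section: {key: value}} with keys lowercased and
    whitespace-normalised; '#' and ';' comment lines are skipped."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        sections[current][re.sub(r"\s+", " ", key.lower())] = value
    return sections


def parse_range(value):
    """'10000-999999' -> (10000, 999999)."""
    lo, hi = (int(x) for x in value.replace(" ", "").split("-"))
    return lo, hi


def check_idmap(global_section):
    """Return a list of problems found in the [global] domain-member settings."""
    problems = []
    workgroup = global_section.get("workgroup", "").upper()
    realm = global_section.get("realm", "").upper()
    if not workgroup:
        problems.append("missing 'workgroup'")
    if not realm:
        problems.append("missing 'realm'")
    if global_section.get("security", "").lower() != "ads":
        problems.append("'security' should be ADS for a domain member")

    # Group idmap settings per domain: {"*": {"backend": ..}, "JASONDOMAIN": {..}}
    idmap = defaultdict(dict)
    for key, value in global_section.items():
        m = IDMAP_RE.match(key)
        if m:
            idmap[m.group(1).upper()][m.group(2).lower()] = value

    if "backend" not in idmap["*"] or "range" not in idmap["*"]:
        problems.append("the default 'idmap config *' needs both a backend and a range")
    for dom in idmap:
        if dom != "*" and dom != workgroup:
            problems.append(f"idmap config names '{dom}' but the workgroup is "
                            f"'{workgroup}' (only valid for a trusted domain)")
    if workgroup and workgroup not in idmap:
        problems.append(f"no 'idmap config {workgroup} : ...' block for the joined domain")

    # Every idmap range must be disjoint from every other one.
    ranges = {d: parse_range(c["range"]) for d, c in idmap.items() if "range" in c}
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                problems.append(f"idmap ranges for '{a}' and '{b}' overlap")

    # Heuristic from the thread, reported as a warning: realm INTERNAL.EXAMPLE.COM
    # usually goes with workgroup INTERNAL.
    if realm and workgroup and realm.split(".")[0] != workgroup:
        problems.append(f"warning: realm '{realm}' does not start with workgroup '{workgroup}'")
    return problems


def audit(text):
    """Parse an smb.conf text and return the problems found in [global]."""
    return check_idmap(parse_smb_conf(text).get("global", {}))


if __name__ == "__main__":
    for label, conf in (("broken", SAMPLE_SMB_CONF), ("fixed", FIXED_SMB_CONF)):
        print(f"{label}: {audit(conf) or 'no problems found'}")
```

Run it against a real `/etc/samba/smb.conf` by passing its contents to `audit()`; with the constructed sample it reports the mismatched idmap domain name, the missing `idmap config JASONDOMAINI` block and the overlapping `*` and domain ranges, and reports nothing for the corrected copy.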


