[Samba] Use Samba with ACL for read Active Directory and set Permissions via it.

Rowland Penny rowlandpenny at googlemail.com
Mon Jan 5 04:48:02 MST 2015


On 05/01/15 11:09, Jason Long wrote:
>
>
> Thank you.
>
> My Windows is Windows server 2008 R2.
> About realm name, My domain name is "JASONDOMAIN.JJ".
> My Windows does not have any Workgroup Name. It is a Domain.
>
>
> Thanks
>
>
>
>
> On Monday, January 5, 2015 1:05 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
> On 05/01/15 07:02, Jason Long wrote:
>> Thanks a lot.
>> I changed the below lines to correct domain name :
>>
>> idmap config JASONDOMAIN : range = 10000-999999
>> idmap config JASONDOMAIN : schema_mode = rfc2307
>>
>> and after join, the command "net rpc testjoin" show same error :
>>
>> Unable to find a suitable server for domain JASONDOMAINI
>> Join to domain 'JASONDOMAINI' is not valid: NT_STATUS_UNSUCCESSFUL
>>
>> I have an idea and I guess that "/etc/krb5.conf" has some incorrect options. The file is "
>>
>> [logging]
>> default = FILE:/var/log/krb5libs.log
>> kdc = FILE:/var/log/krb5kdc.log
>> admin_server = FILE:/var/log/kadmind.log
>>
>> [libdefaults]
>> default_realm = JASONDOMAIN.JJ
>> dns_lookup_realm = false
>> dns_lookup_kdc = true
>> ticket_lifetime = 24h
>> renew_lifetime = 7d
>> forwardable = yes
>> default_keytab_name = /etc/krb5.keytab
>> default_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
>> default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
>> preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
>> pkinit_kdc_hostname = <DNS>
>> pkinit_anchors = DIR:/var/lib/pbis/trusted_certs
>> pkinit_cert_match = &&<EKU>msScLogin<PRINCIPAL>
>> pkinit_eku_checking = kpServerAuth
>> pkinit_win2k_require_binding = false
>> pkinit_identities = PKCS11:/opt/pbis/lib64/libpkcs11.so
>>
>> [realms]
>> EXAMPLE.COM = {
>> kdc = kerberos.example.com
>> admin_server = kerberos.example.com
>> }
>> JASONDOMAIN.JJ = {
>> auth_to_local = RULE:[1:$0\$1](^JASONDOMAIN\.JJ\\.*)s/^JASONDOMAIN\.JJ/JASONDOMAINI/
>> auth_to_local = RULE:[1:$0\$1](^ADVER\.JASONDOMAIN\.JJ\\.*)s/^ADVER\.JASONDOMAIN\.JJ/ADVER/
>> auth_to_local = DEFAULT
>> }
>>
>> [domain_realm]
>> .example.com = EXAMPLE.COM
>> example.com = EXAMPLE.COM
>> .JASONDOMAIN.JJ = JASONDOMAIN.JJ
>> .adver.JASONDOMAIN.JJ = ADVER.JASONDOMAIN.JJ
>> [capaths]
>> [appdefaults]
>> pam = {
>> mappings = JASONDOMAINI\\(.*) $1 at JASONDOMAIN.JJ
>> forwardable = true
>> validate = true
>> }
>> httpd = {
>> mappings = JASONDOMAINI\\(.*) $1 at JASONDOMAIN.JJ
>> reverse_mappings = (.*)@JASONDOMAIN\.JJ JASONDOMAINI\$1
>> }
>>
>>
>>
>> What is your idea? I must tell you that after removing LikeWise and configuring manually, I can't log in to Linux via Windows AD accounts.
>>
>>
>> Thanks.
>>   
>>
>>
>>
>>
>>
>> On Sunday, January 4, 2015 5:11 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>> On 04/01/15 13:00, Rowland Penny wrote:
>>> On 04/01/15 10:17, Jason Long wrote:
>>>> Thanks a lot.
>>>> I enter the command and result is :
>>>>
>>>> Using short domain name -- JASONDOMAINI
>>>> Joined 'PRINTMAH' to dns domain 'JASONDOMAIN.JJ'
>>>> but after run "net rpc testjoin" :
>>>>
>>>> Unable to find a suitable server for domain JASONDOMAINI
>>>> Join to domain 'JASONDOMAINI' is not valid: NT_STATUS_UNSUCCESSFUL
>>>>
>>>> I guess I understand what my problem is. I'm really sorry :(.
>>>>
>>>> On Windows OS i used "set" command and it show me :
>>>>
>>>> USERDNSDOMAIN= JASONDOMAIN.JJ
>>>> USERDOMAIN= JASONDOMAINI
>>>>
>>>> I guess that I must change "JASONDOMAINI" in below texts to
>>>> "JASONDOMAIN" :
>>>>
>>>> idmap config JASONDOMAINI : range = 10000-999999
>>>> idmap config JASONDOMAINI : schema_mode = rfc2307
>>>>
>>>> Am I right?
>>>>
>>>>
>>>>
>>>>
>>>> On Saturday, January 3, 2015 7:44 AM, Rowland Penny
>>>> <rowlandpenny at googlemail.com> wrote:
>>>> On 03/01/15 15:08, Jason Long wrote:
>>>>> Thank you.
>>>>> I used the video below to join my Linux box to the Windows domain:
>>>>>
>>>>> http://www.youtube.com/watch?v=Y3TFPDT9uic
>>>>>
>>>>> Please look at this video; I used the instructions in it and the
>>>>> LikeWiseOpen tool.
>>>>>
>>>>>
>>>>> Cheers.
>>>>>
>>>>>
>>>>>
>>>>> On Saturday, January 3, 2015 5:45 AM, Rowland Penny
>>>>> <rowlandpenny at googlemail.com> wrote:
>>>>> On 03/01/15 12:38, Jason Long wrote:
>>>>>> Thanks.
>>>>>>
>>>>>> I enter "net ads testjoin" and it show me :
>>>>>>
>>>>>> ads_connect: No logon servers
>>>>>> Join to domain is not valid: No logon servers
>>>>> You are *not* joined to the domain, I suppose this should have been
>>>>> asked earlier, but how did you do the domain join ?
>>>>>
>>>>> Rowland
>>>>>
>>>>>
>>>>>
>>>>>> If it is incorrect, why can I log in to Linux via a Windows account?
>>>>>> As you see, I followed the steps on Video.
>>>>>>
>>>>>> :(.
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Saturday, January 3, 2015 1:13 AM, Rowland Penny
>>>>>> <rowlandpenny at googlemail.com> wrote:
>>>>>> On 03/01/15 05:41, Jason Long wrote:
>>>>>>> Thank you.
>>>>>>> Command show below error :
>>>>>>>
>>>>>>> Could not connect to server 192.168.1.1
>>>>>>> Connection failed: NT_STATUS_INVALID_WORKSTATION
>>>>>>>
>>>>>>> :(
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Wednesday, December 31, 2014 2:05 AM, Rowland Penny
>>>>>>> <rowlandpenny at googlemail.com> wrote:
>>>>>>> On 31/12/14 09:55, Jason Long wrote:
>>>>>>>> Thanks.
>>>>>>>> I changed the command as below :
>>>>>>>>
>>>>>>>> #net rpc rights grant 'jasondomain\Domain Admins'
>>>>>>>> SeDiskOperatorPrivilege -U jasondomain\\administrator -I 192.168.1.1
>>>>>>>>
>>>>>>>> But Got below error :
>>>>>>>>
>>>>>>>> Could not connect to server 192.168.1.1
>>>>>>>> Connection failed: NT_STATUS_INVALID_WORKSTATION
>>>>>>>>
>>>>>>>> Cheers.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Wednesday, December 31, 2014 1:35 AM, Rowland Penny
>>>>>>>> <rowlandpenny at googlemail.com> wrote:
>>>>>>>> On 31/12/14 09:17, Jason Long wrote:
>>>>>>>>> Thank you so much but I run below commands on linux :
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> # net rpc rights grant 'jasondomain\Domain Admins'
>>>>>>>>> SeDiskOperatorPrivilege -Uadministrator
>>>>>>>>> # net rpc rights list accounts -Uadministrator
>>>>>>>>>
>>>>>>>>> it asks me for a password for "administrator":
>>>>>>>>>
>>>>>>>>> Enter administrator's password:
>>>>>>>>> Could not connect to server 127.0.0.1
>>>>>>>>> Connection failed: NT_STATUS_NO_LOGON_SERVERS
>>>>>>>>>
>>>>>>>>> Must I enter the Windows administrator password?
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Thanks.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Monday, December 29, 2014 5:10 AM, Rowland Penny
>>>>>>>>> <rowlandpenny at googlemail.com> wrote:
>>>>>>>>> On 29/12/14 12:52, Jason Long wrote:
>>>>>>>>>> Thank you so much.
>>>>>>>>>>
>>>>>>>>>> I did some changes like below :
>>>>>>>>>>
>>>>>>>>>> /dev/mapper/vg_print-lv_root / ext4
>>>>>>>>>> user_xattr,acl,defaults        1 1
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Then "lsof | grep /dev/mapper/vg_print-lv_root" not have any
>>>>>>>>>> output.
>>>>>>>>>> I added below lines to [global] section too :
>>>>>>>>>>
>>>>>>>>>> vfs objects = acl_xattr
>>>>>>>>>> map acl inherit = Yes
>>>>>>>>>> store dos attributes = Yes
>>>>>>>>>>
>>>>>>>>>> But about below commands can you tell me more?
>>>>>>>>>>
>>>>>>>>>> net rpc rights grant 'SAMDOM\Domain Admins'
>>>>>>>>>> SeDiskOperatorPrivilege -Uadministrator
>>>>>>>>>> net rpc rights list accounts -Uadministrator
>>>>>>>>>>
>>>>>>>>>> I hope they are not Dangerous!!!!
>>>>>>>>> No :-)
>>>>>>>>>
>>>>>>>>> The first one gives members of Domain Admins the right to change
>>>>>>>>> Windows ACLs on a share.
>>>>>>>>> The second lists accounts and what rights they have.
>>>>>>>>>
>>>>>>>>>> In the
>>>>>>>>>> "https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs"
>>>>>>>>>> , the other steps are in Windows!!! Can I do it via Linux too?
>>>>>>>>> Yes, but it is just easier via windows
>>>>>>>>>
>>>>>>>>> Rowland
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>>     Thanks.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On Monday, December 29, 2014 1:59 AM, Rowland Penny
>>>>>>>>>> <rowlandpenny at googlemail.com> wrote:
>>>>>>>>>> On 29/12/14 06:38, Jason Long wrote:
>>>>>>>>>>> Thank you so much.
>>>>>>>>>>> You're right, my realm is "jasondomaini.jasondomain.jj" and I
>>>>>>>>>>> change configure as below :
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> [global]
>>>>>>>>>>> workgroup = JASONDOMAINI
>>>>>>>>>>> server string = Samba Server Version %v
>>>>>>>>>>> # logs split per machine
>>>>>>>>>>> log file = /var/log/samba/log.%m
>>>>>>>>>>> # max 50KB per log file, then rotate
>>>>>>>>>>> max log size = 50
>>>>>>>>>>> security = ADS
>>>>>>>>>>> realm = JASONDOMAINI.JASONDOMAIN.JJ
>>>>>>>>>>> passdb backend = tdbsam
>>>>>>>>>>> load printers = yes
>>>>>>>>>>> cups options = raw
>>>>>>>>>>> idmap config *:backend = tdb
>>>>>>>>>>> idmap config *:range = 70001-80000
>>>>>>>>>>> #idmap config SAMDOM:backend = ad
>>>>>>>>>>> idmap config JASONDOMAINI:backend = ad
>>>>>>>>>>> idmap config JASONDOMAINI:schema_mode = rfc2307
>>>>>>>>>>> idmap config JASONDOMAINI:range = 500-40000
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> When I use "SSH" on my CentOS and enter "jasondomain\jason",
>>>>>>>>>>> It show me the root partition and I can open "Test" directory
>>>>>>>>>>> But it has two problems :
>>>>>>>>>>>
>>>>>>>>>>> 1- Why it show root partition?
>>>>>>>>>>> 2- I can't browse it via Windows explorer!!!
>>>>>>>>>>>
>>>>>>>>>>> I want to know: is using AD users in Linux hard?
>>>>>>>>>>>
>>>>>>>>>>> In your opinion, did I use a correct command to set the ACL?
>>>>>>>>>>>
>>>>>>>>>>> #getfacl test/
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> # file: test/
>>>>>>>>>>> # owner: JASONDOMAINI\134JASON
>>>>>>>>>>> # group: JASONDOMAINI\134grp-JASON-rw
>>>>>>>>>>> user::rwx
>>>>>>>>>>> group::r-x
>>>>>>>>>>> group:JASONDOMAINI\134grp-JASON-rw:rwx
>>>>>>>>>>> mask::rwx
>>>>>>>>>>> other::r-x
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> and in "getent group" it show me below group :
>>>>>>>>>>>
>>>>>>>>>>> JASONDOMAINI\134grp-JASON-rw
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> In your opinion, did I use the correct command to set the permission?
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On Sunday, December 28, 2014 9:37 AM, Rowland Penny
>>>>>>>>>>> <rowlandpenny at googlemail.com> wrote:
>>>>>>>>>>> On 28/12/14 15:48, Jason Long wrote:
>>>>>>>>>>>> Thank you so much.
>>>>>>>>>>>> Thus I must change "idmap config JASONDOMAIN.JJ:backend = ad"
>>>>>>>>>>>> to "idmap config JASONDOMAIN:backend = ad".
>>>>>>>>>>>> How about Workgroup? Must it change to "JASONDOMAIN" too?
>>>>>>>>>>>> About your question, I must say that I tested this share via
>>>>>>>>>>>> Linux too, and Windows and Linux have the same problem.
>>>>>>>>>>>>
>>>>>>>>>>>> About "What I would do is, install the OpenSSH server on the
>>>>>>>>>>>> linux machine, install 'PUTTY' on a windows machine and try
>>>>>>>>>>>> to login via 'PUTTY' and use the SSH protocol.", do you mean
>>>>>>>>>>>> that Windows clients use SSH to work with this directory? I
>>>>>>>>>>>> want to make this Linux box a file server, and Windows
>>>>>>>>>>>> clients need a graphical browser to copy and paste files into
>>>>>>>>>>>> this directory!!!
>>>>>>>>>>>> What is your idea?
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>> I am losing track here a bit, but if your dns domain is
>>>>>>>>>>> example.com,
>>>>>>>>>>> then your windows AD realm should be something like
>>>>>>>>>>> internal.example.com
>>>>>>>>>>> and your workgroup/domain name should be INTERNAL, that is,
>>>>>>>>>>> they all
>>>>>>>>>>> rely on each other.
>>>>>>>>>>>
>>>>>>>>>>> So anywhere that you come across these, you should use the
>>>>>>>>>>> relevant one,
>>>>>>>>>>> this is the relevant parts from a Unix client on my domain:
>>>>>>>>>>>
>>>>>>>>>>> [global]
>>>>>>>>>>>                    workgroup = INTERNAL
>>>>>>>>>>>                    security = ADS
>>>>>>>>>>>                    realm = INTERNAL.EXAMPLE.COM
>>>>>>>>>>>                    ..........
>>>>>>>>>>>                    idmap config * : backend = tdb
>>>>>>>>>>>                    idmap config * : range = 2000-9999
>>>>>>>>>>>                    idmap config INTERNAL : backend = ad
>>>>>>>>>>>                    idmap config INTERNAL : range = 10000-999999
>>>>>>>>>>>                    idmap config INTERNAL : schema_mode = rfc2307
>>>>>>>>>>>
>>>>>>>>>>> As for using 'PUTTY', this was just a way of testing whether
>>>>>>>>>>> you can
>>>>>>>>>>> connect to the Unix machine.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Rowland
>>>>>>>>>> OK, we are getting closer
>>>>>>>>>>
>>>>>>>>>> right, answers to your questions
>>>>>>>>>> 1) I think that you may find that this is also printed 'Could
>>>>>>>>>> not chdir
>>>>>>>>>> to home directory', in which case you will end up in the root
>>>>>>>>>> of the computer.
>>>>>>>>>>
>>>>>>>>>> 2) Are you running the 'nmbd' daemon ? Even if this is not
>>>>>>>>>> running you
>>>>>>>>>> should be able to navigate to the share by entering the path.
>>>>>>>>>> Have a
>>>>>>>>>> look here:
>>>>>>>>>>
>>>>>>>>>> https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Rowland
>>>>>>>>>>
>>>>>>>> You are trying to run the command on a client, try adding either:
>>>>>>>>
>>>>>>>> -S server name
>>>>>>>>
>>>>>>>> OR
>>>>>>>>
>>>>>>>> -I address of target server
>>>>>>>>
>>>>>>>> where 'server' is the AD DC.
>>>>>>>>
>>>>>>>> Yes, you need to supply the password of the Domain Administrator.
>>>>>>>>
>>>>>>>>
>>>>>>>> Rowland
>>>>>>>>
>>>>>>> OK, try it like this:
>>>>>>>
>>>>>>> net rpc rights grant 'Domain Admins' SeDiskOperatorPrivilege
>>>>>>> -UAdministrator -I 192.168.1.1
>>>>>>>
>>>>>>> This works for me on a client joined to the domain.
>>>>>>>
>>>>>>>
>>>>>>> Rowland
>>>>>>>
>>>>>> Sounds like something is wrong with the join, what does 'net ads
>>>>>> testjoin' return ? You may have to run this command with sudo.
>>>>>>
>>>>>>
>>>>>> Rowland
>>>>>>
>>>> Sometimes I wonder why all the time is spent on keeping the samba wiki
>>>> updated. Likewiseopen was replaced sometime ago by PowerBroker Open, I
>>>> cannot recommend using either of these, because quite simply, they are
>>>> not needed.
>>>>
>>>> Check the following files:
>>>>
>>>> /etc/samba/smb.conf
>>>>
>>>> [global]
>>>>             workgroup = JASONDOMAINI
>>>>             security = ADS
>>>>             realm = JASONDOMAINI.JASONDOMAIN.JJ
>>>>             dedicated keytab file = /etc/krb5.keytab
>>>>             kerberos method = secrets and keytab
>>>>             server string = Samba 4 Client %h
>>>>             winbind enum users = yes
>>>>             winbind enum groups = yes
>>>>             winbind use default domain = yes
>>>>             winbind expand groups = 4
>>>>             winbind nss info = rfc2307
>>>>             winbind refresh tickets = Yes
>>>>             winbind normalize names = Yes
>>>>             idmap config * : backend = tdb
>>>>             idmap config * : range = 2000-9999
>>>>             idmap config JASONDOMAINI : backend  = ad
>>>>             idmap config JASONDOMAINI : range = 10000-999999
>>>>             idmap config JASONDOMAINI : schema_mode = rfc2307
>>>>             printcap name = cups
>>>>             cups options = raw
>>>>             usershare allow guests = yes
>>>>             domain master = no
>>>>             local master = no
>>>>             preferred master = no
>>>>             os level = 20
>>>>             map to guest = bad user
>>>>             vfs objects = acl_xattr
>>>>             map acl inherit = Yes
>>>>             store dos attributes = Yes
>>>>             log level = 6
>>>>
>>>> /etc/krb5.conf
>>>>
>>>> [libdefaults]
>>>>          default_realm = JASONDOMAINI.JASONDOMAIN.JJ
>>>>          dns_lookup_realm = false
>>>>          dns_lookup_kdc = true
>>>>          ticket_lifetime = 24h
>>>>          forwardable = yes
>>>>
>>>> /etc/resolv.conf
>>>>
>>>> nameserver <your AD DC's ipaddress>
>>>> search jasondomaini.jasondomain.jj
>>>>
>>>> If required, alter them to match the above, check that 'hostname'
>>>> returns only the hostname of the client, check that 'hostname -f'
>>>> returns the FQDN. If either are not correct, fix them.
>>>>
>>>> Remove likewiseopen
>>>>
>>>> Once everything is correct, run the following command:
>>>>
>>>> net ads join -U Administrator at JASONDOMAINI.JASONDOMAIN.JJ
>>>>
>>>> You should be asked for the domain Administrator's password; enter this
>>>> and you should join the domain.
>>>>
>>>> Rowland
>>>>
>>> What Windows DC are you using ?
>>> What is the realm name * workgroup name on the Windows DC ?
>>>
>>> Rowland
>> oops, that should have been:
>>
>>
>> What is the realm name & workgroup name on the Windows DC ?
>>
>> Rowland
>>
> Hi, will you answer these questions:
>
> What Windows DC are you using ?
> What is the realm name on the Windows DC ?
> What is the workgroup name on the Windows DC ?
>
> You do not need all of what you have in /etc/krb5.conf, but please
> answer the questions above first.
>
> Rowland
>

OK, so what is your 'domain' name (and No, it is not 'JASONDOMAIN.JJ')

Rowland
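The whole thread circles around three names that look alike but are not interchangeable: the short NetBIOS domain (Windows USERDOMAIN, which goes in 'workgroup' and in every 'idmap config DOM : ...' label), the AD DNS domain in upper case (Windows USERDNSDOMAIN, which goes in 'realm' and krb5.conf default_realm), and the idmap ranges, which must not overlap. The script below is an added example, not code from the thread or from the Samba project; it lints those relationships before you run 'net ads join'. The "fixed" sample assumes, from the 'set' output quoted above, that the NetBIOS domain is JASONDOMAINI and the realm is JASONDOMAIN.JJ; the kdc hostname in the sample krb5.conf and the 1000 lower bound for domain ranges are assumptions of the example.

```python
"""Added example (not from the thread): check that an AD member's smb.conf and
krb5.conf agree on the names the thread kept mixing up: workgroup (short NetBIOS
domain), realm (AD DNS domain, upper case), idmap config labels and ranges."""
import re

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")
IDMAP_RE = re.compile(r"^idmap config (?P<dom>\S+?)\s*:\s*(?P<key>\w+)$")


def parse_ini(text):
    """Section/key parser for smb.conf and krb5.conf: keys lower-cased with
    whitespace collapsed, '#'/';' comments dropped. krb5's nested '{ }' blocks
    are tolerated but not modelled; only [libdefaults] is consulted below."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name").strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, val = (part.strip() for part in line.split("=", 1))
            sections[current][re.sub(r"\s+", " ", key).lower()] = val
    return sections


def idmap_domains(global_sec):
    """Group 'idmap config DOM : key = value' entries by upper-cased DOM."""
    out = {}
    for key, val in global_sec.items():
        m = IDMAP_RE.match(key)
        if m:
            out.setdefault(m.group("dom").upper(), {})[m.group("key")] = val
    return out


def lint(smb_conf, krb5_conf):
    """Return a list of problems; an empty list means the names agree."""
    problems = []
    g = parse_ini(smb_conf).get("global", {})
    k = parse_ini(krb5_conf).get("libdefaults", {})
    workgroup, realm = g.get("workgroup", "").upper(), g.get("realm", "")
    if g.get("security", "").upper() != "ADS":
        problems.append("security must be ADS for an AD domain member")
    if not workgroup or "." in workgroup:
        problems.append(f"workgroup {workgroup!r} must be the short NetBIOS domain name")
    if not realm or realm != realm.upper():
        problems.append(f"realm {realm!r} must be the AD DNS domain in upper case")
    if k.get("default_realm", "").upper() != realm.upper():
        problems.append(f"krb5.conf default_realm {k.get('default_realm')!r} != realm {realm!r}")
    domains = idmap_domains(g)
    if workgroup and workgroup not in domains:
        problems.append(f"no 'idmap config {workgroup}' block: winbind falls back to '*'")
    ranges = []
    for dom, cfg in domains.items():
        if dom not in ("*", workgroup):
            problems.append(f"'idmap config {dom}' does not match workgroup {workgroup!r}")
        if "range" not in cfg:
            problems.append(f"'idmap config {dom}' has no range")
            continue
        lo, hi = (int(x) for x in cfg["range"].replace(" ", "").split("-"))
        if dom != "*" and lo < 1000:  # assumption: keep clear of local system UIDs/GIDs
            problems.append(f"'idmap config {dom}' range starts at {lo}, inside local UID/GID space")
        ranges.append((dom, lo, hi))
    for i, (d1, lo1, hi1) in enumerate(ranges):
        for d2, lo2, hi2 in ranges[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:
                problems.append(f"idmap ranges for {d1} and {d2} overlap")
    return problems


# Constructed samples: the mismatched state from the thread, then a consistent one.
BROKEN_SMB = """[global]
workgroup = JASONDOMAINI
security = ADS
realm = JASONDOMAINI.JASONDOMAIN.JJ
idmap config * : range = 2000-9999
idmap config JASONDOMAIN : backend = ad
idmap config JASONDOMAIN : range = 500-40000
"""
FIXED_SMB = """[global]
workgroup = JASONDOMAINI
security = ADS
realm = JASONDOMAIN.JJ
idmap config * : range = 2000-9999
idmap config JASONDOMAINI:backend = ad
idmap config JASONDOMAINI:range = 10000-999999
"""
KRB5 = """[libdefaults]
default_realm = JASONDOMAIN.JJ
dns_lookup_kdc = true
[realms]
JASONDOMAIN.JJ = {
kdc = dc.jasondomain.jj
}
"""

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_SMB), ("fixed", FIXED_SMB)):
        print(name, lint(conf, KRB5) or ["OK"])
```

On a real client, feed it the actual files (lint(open("/etc/samba/smb.conf").read(), open("/etc/krb5.conf").read())) and only then run 'net ads join', 'net ads testjoin' and 'wbinfo -t'; a mismatched idmap label produces exactly the silent symptom seen in the thread, where users resolve but get ids from the '*' tdb backend instead of the RFC2307 attributes in AD.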



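The getfacl listing quoted earlier in the thread never got a direct answer. Two things about it are worth knowing: '\134' is getfacl's octal escape for the backslash in DOMAIN\name, and the rights a named group actually gets are the entry ANDed with the mask:: line, so a later chmod or setfacl that tightens the mask silently clips the group entry. The following is an added example, not code from the thread or from Samba; the second listing with mask r-x is constructed to show the clipping.

```python
"""Added example (not from the thread): parse getfacl output like the listing
quoted above, undo its octal escaping ('\\134' is the backslash in DOMAIN\\name)
and compute each entry's effective permissions, i.e. the entry ANDed with the
mask, which is what people using setfacl tend to overlook.  Access ACL only."""
import re


def unescape(name):
    """getfacl prints special bytes as \\NNN octal; '\\134' is a backslash."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)


def parse_getfacl(text):
    """Return (header dict, [(tag, qualifier, perms), ...]) for one listing."""
    header, entries = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):                 # '# owner: DOM\134user'
            key, _, val = line[1:].partition(":")
            header[key.strip()] = unescape(val.strip())
            continue
        tag, rest = line.split(":", 1)           # 'group:DOM\134grp:rwx'
        qualifier, perms = rest.rsplit(":", 1)
        entries.append((tag, unescape(qualifier), perms))
    return header, entries


def effective(entries):
    """Map 'tag:qualifier' to effective rwx.  The mask caps the owning group,
    named users and named groups; the owner (user::) and other:: are not masked."""
    mask = next((p for t, _, p in entries if t == "mask"), "rwx")
    result = {}
    for tag, qual, perms in entries:
        if tag == "mask":
            continue
        masked = tag == "group" or (tag == "user" and qual != "")
        result[f"{tag}:{qual}"] = "".join(
            p if (p == m or not masked) else "-" for p, m in zip(perms, mask))
    return result


# The listing quoted in the thread, then a constructed variant with a tighter mask.
SAMPLE = """\
# file: test/
# owner: JASONDOMAINI\\134JASON
# group: JASONDOMAINI\\134grp-JASON-rw
user::rwx
group::r-x
group:JASONDOMAINI\\134grp-JASON-rw:rwx
mask::rwx
other::r-x
"""
MASKED = SAMPLE.replace("mask::rwx", "mask::r-x")

if __name__ == "__main__":
    for label, listing in (("mask rwx", SAMPLE), ("mask r-x", MASKED)):
        print(label, effective(parse_getfacl(listing)[1]))
```

With the mask at rwx the named group really has rwx, as the thread's listing shows; with the mask at r-x the same entry is reduced to r-x while the owner keeps rwx. getfacl prints that reduction as an '#effective:' comment; the function above makes it explicit so it can be checked in a script.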