[Samba] Use Samba with ACL for read Active Directory and set Permissions via it.

Jason Long hack3rcon at yahoo.com
Fri Jan 9 01:40:02 MST 2015


Thanks.
I'm confused. Can I paste the output of the "set" command on Windows for you?
The "jason" account is an administrator and can join and disjoin any computer.

Cheers. 



On Wednesday, January 7, 2015 2:59 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
On 07/01/15 10:51, Jason Long wrote:
> Thank you.
> I changed my "krb5.conf" as below :
>
>
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = JASONDOMAIN.JJ
> dns_lookup_realm = false
> dns_lookup_kdc = true
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = yes
> default_keytab_name = /etc/krb5.keytab
> default_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
> default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
> preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
> pkinit_kdc_hostname = <DNS>
> pkinit_anchors = DIR:/var/lib/pbis/trusted_certs
> pkinit_cert_match = &&<EKU>msScLogin<PRINCIPAL>
> pkinit_eku_checking = kpServerAuth
> pkinit_win2k_require_binding = false
> pkinit_identities = PKCS11:/opt/pbis/lib64/libpkcs11.so
>

My krb5.conf is:

[libdefaults]
      default_realm = EXAMPLE.LAN
      dns_lookup_realm = false
      dns_lookup_kdc = true
      ticket_lifetime = 24h
      forwardable = yes

>
> and removed "krb5.keytab" too. You told me that my domain name is "jasondomaini", but that is wrong: my domain name is "jasondomain.jj" and the backend is "jasondomaini". For example, when I want to log in to Windows I use "jasondomaini\jason".
>
> After entering the command "net ads join -U jason at jasondomain.jj", my computer joined, but when I use "net rpc testjoin", I get the same error as below:
>
> Unable to find a suitable server for domain JASONDOMAINI
> Join to domain 'JASONDOMAINI' is not valid: NT_STATUS_UNSUCCESSFUL
>
> I don't know why it sees the domain name as "JASONDOMAINI". How can I edit it?

You shouldn't, because 'JASONDOMAINI' *IS* your domain name, *NOT* the 
backend!!!

The join command should be 'net ads join -U jason at JASONDOMAIN.JJ' , but 
does 'jason' have the required rights to join the domain ?? Try again 
but this time use:

net ads join -U Administrator at JASONDOMAIN.JJ

and enter the 'Administrator' password when prompted.

Rowland
>
>
> Thanks.
>
>
>
>
> On Tuesday, January 6, 2015 12:57 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
> On 06/01/15 06:17, Jason Long wrote:
>> Thanks.
>> My domain name is "jasondomain.jj" and the backend is "jasondomaini".
> No, your realm name is "jasondomain.jj" and it would seem that your
> domain name is "jasondomaini", the domain name can also be known as the
> 'workgroup' name.
>
> Set smb.conf to match this:
>
> [global]
>           workgroup = JASONDOMAINI
>           security = ADS
>           realm = JASONDOMAIN.JJ
>           dedicated keytab file = /etc/krb5.keytab
>           kerberos method = secrets and keytab
>           server string = Samba 4 Client %h
>           winbind enum users = yes
>           winbind enum groups = yes
>           winbind use default domain = yes
>           winbind expand groups = 4
>           winbind nss info = rfc2307
>           winbind refresh tickets = Yes
>           winbind offline logon = yes
>           winbind normalize names = Yes
>           idmap config * : backend = tdb
>           idmap config * : range = 2000-9999
>           idmap config JASONDOMAINI : backend  = ad
>           idmap config JASONDOMAINI : range = 10000-999999
>           idmap config JASONDOMAINI : schema_mode = rfc2307
>           printcap name = cups
>           cups options = raw
>           usershare allow guests = yes
>           domain master = no
>           local master = no
>           preferred master = no
>           os level = 20
>           map to guest = bad user
>
> set /etc/krb5.conf to this:
>
> [libdefaults]
>        default_realm = JASONDOMAIN.JJ
>        dns_lookup_realm = false
>        dns_lookup_kdc = true
>        ticket_lifetime = 24h
>        forwardable = yes
>
> set /etc/resolv.conf
>
> nameserver <ip of your windows server>
> search jasondomain.jj
>
> If /etc/krb5.keytab exists, delete it.
>
> make sure the time on the client matches the server.
>
> then try to join the domain:
>
> net ads join -U Administrator at JASONDOMAIN.JJ
>
>
> Rowland
>>
>>
>> On Monday, January 5, 2015 3:48 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>> On 05/01/15 11:09, Jason Long wrote:
>>> Thank you.
>>>
>>> My Windows is Windows Server 2008 R2.
>>> About the realm name, my domain name is "JASONDOMAIN.JJ".
>>> My Windows does not have any workgroup name. It is a domain.
>>>
>>>
>>> Thanks
>>>
>>>
>>>
>>>
>>> On Monday, January 5, 2015 1:05 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>> On 05/01/15 07:02, Jason Long wrote:
>>>> Thanks a lot.
>>>> I changed the lines below to the correct domain name:
>>>>
>>>> idmap config JASONDOMAIN : range = 10000-999999
>>>> idmap config JASONDOMAIN : schema_mode = rfc2307
>>>>
>>>> and after joining, the command "net rpc testjoin" shows the same error:
>>>>
>>>> Unable to find a suitable server for domain JASONDOMAINI
>>>> Join to domain 'JASONDOMAINI' is not valid: NT_STATUS_UNSUCCESSFUL
>>>>
>>>> I have an idea: I guess that "/etc/krb5.conf" has some incorrect options. The file is:
>>>>
>>>> [logging]
>>>> default = FILE:/var/log/krb5libs.log
>>>> kdc = FILE:/var/log/krb5kdc.log
>>>> admin_server = FILE:/var/log/kadmind.log
>>>>
>>>> [libdefaults]
>>>> default_realm = JASONDOMAIN.JJ
>>>> dns_lookup_realm = false
>>>> dns_lookup_kdc = true
>>>> ticket_lifetime = 24h
>>>> renew_lifetime = 7d
>>>> forwardable = yes
>>>> default_keytab_name = /etc/krb5.keytab
>>>> default_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
>>>> default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
>>>> preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
>>>> pkinit_kdc_hostname = <DNS>
>>>> pkinit_anchors = DIR:/var/lib/pbis/trusted_certs
>>>> pkinit_cert_match = &&<EKU>msScLogin<PRINCIPAL>
>>>> pkinit_eku_checking = kpServerAuth
>>>> pkinit_win2k_require_binding = false
>>>> pkinit_identities = PKCS11:/opt/pbis/lib64/libpkcs11.so
>>>>
>>>> [realms]
>>>> EXAMPLE.COM = {
>>>> kdc = kerberos.example.com
>>>> admin_server = kerberos.example.com
>>>> }
>>>> JASONDOMAIN.JJ = {
>>>> auth_to_local = RULE:[1:$0\$1](^JASONDOMAIN\.JJ\\.*)s/^JASONDOMAIN\.JJ/JASONDOMAINI/
>>>> auth_to_local = RULE:[1:$0\$1](^ADVER\.JASONDOMAIN\.JJ\\.*)s/^ADVER\.JASONDOMAIN\.JJ/ADVER/
>>>> auth_to_local = DEFAULT
>>>> }
>>>>
>>>> [domain_realm]
>>>> .example.com = EXAMPLE.COM
>>>> example.com = EXAMPLE.COM
>>>> .JASONDOMAIN.JJ = JASONDOMAIN.JJ
>>>> .adver.JASONDOMAIN.JJ = ADVER.JASONDOMAIN.JJ
>>>> [capaths]
>>>> [appdefaults]
>>>> pam = {
>>>> mappings = JASONDOMAINI\\(.*) $1 at JASONDOMAIN.JJ
>>>> forwardable = true
>>>> validate = true
>>>> }
>>>> httpd = {
>>>> mappings = JASONDOMAINI\\(.*) $1 at JASONDOMAIN.JJ
>>>> reverse_mappings = (.*)@JASONDOMAIN\.JJ JASONDOMAINI\$1
>>>> }
>>>>
>>>>
>>>>
>>>> What is your idea? I must tell you that after removing LikeWise and configuring manually, I can't log in to Linux via Windows AD accounts.
>>>>
>>>>
>>>> Thanks.
>>>>  
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On Sunday, January 4, 2015 5:11 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>>> On 04/01/15 13:00, Rowland Penny wrote:
>>>>> On 04/01/15 10:17, Jason Long wrote:
>>>>>> Thanks a lot.
>>>>>> I entered the command and the result is:
>>>>>>
>>>>>> Using short domain name -- JASONDOMAINI
>>>>>> Joined 'PRINTMAH' to dns domain 'JASONDOMAIN.JJ'
>>>>>> but after running "net rpc testjoin":
>>>>>>
>>>>>> Unable to find a suitable server for domain JASONDOMAINI
>>>>>> Join to domain 'JASONDOMAINI' is not valid: NT_STATUS_UNSUCCESSFUL
>>>>>>
>>>>>> I guess I understand what my problem is. I'm really sorry :(.
>>>>>>
>>>>>> On Windows I used the "set" command and it showed me:
>>>>>>
>>>>>> USERDNSDOMAIN= JASONDOMAIN.JJ
>>>>>> USERDOMAIN= JASONDOMAINI
>>>>>>
>>>>>> I guess that I must change "JASONDOMAINI" in the lines below to
>>>>>> "JASONDOMAIN":
>>>>>>
>>>>>> idmap config JASONDOMAINI : range = 10000-999999
>>>>>> idmap config JASONDOMAINI : schema_mode = rfc2307
>>>>>>
>>>>>> Am I right?
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Saturday, January 3, 2015 7:44 AM, Rowland Penny
>>>>>> <rowlandpenny at googlemail.com> wrote:
>>>>>> On 03/01/15 15:08, Jason Long wrote:
>>>>>>> Thank you.
>>>>>>> I used the video below to join my Linux box to the Windows domain:
>>>>>>>
>>>>>>> http://www.youtube.com/watch?v=Y3TFPDT9uic
>>>>>>>
>>>>>>> Please look at this video; I used the instructions in it and the
>>>>>>> LikeWiseOpen tool.
>>>>>>>
>>>>>>>
>>>>>>> Cheers.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Saturday, January 3, 2015 5:45 AM, Rowland Penny
>>>>>>> <rowlandpenny at googlemail.com> wrote:
>>>>>>> On 03/01/15 12:38, Jason Long wrote:
>>>>>>>> Thanks.
>>>>>>>>
>>>>>>>> I entered "net ads testjoin" and it shows me:
>>>>>>>>
>>>>>>>> ads_connect: No logon servers
>>>>>>>> Join to domain is not valid: No logon servers
>>>>>>> You are *not* joined to the domain, I suppose this should have been
>>>>>>> asked earlier, but how did you do the domain join ?
>>>>>>>
>>>>>>> Rowland
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> If it is incorrect, why can I log in to Linux via a Windows account?
>>>>>>>> As you see, I followed the steps in the video.
>>>>>>>>
>>>>>>>> :(.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Saturday, January 3, 2015 1:13 AM, Rowland Penny
>>>>>>>> <rowlandpenny at googlemail.com> wrote:
>>>>>>>> On 03/01/15 05:41, Jason Long wrote:
>>>>>>>>> Thank you.
>>>>>>>>> The command shows the error below:
>>>>>>>>>
>>>>>>>>> Could not connect to server 192.168.1.1
>>>>>>>>> Connection failed: NT_STATUS_INVALID_WORKSTATION
>>>>>>>>>
>>>>>>>>> :(
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Wednesday, December 31, 2014 2:05 AM, Rowland Penny
>>>>>>>>> <rowlandpenny at googlemail.com> wrote:
>>>>>>>>> On 31/12/14 09:55, Jason Long wrote:
>>>>>>>>>> Thanks.
>>>>>>>>>> I changed the command as below:
>>>>>>>>>>
>>>>>>>>>> #net rpc rights grant 'jasondomain\Domain Admins'
>>>>>>>>>> SeDiskOperatorPrivilege -U jasondomain\\administrator -I 192.168.1.1
>>>>>>>>>>
>>>>>>>>>> But I got the error below:
>>>>>>>>>>
>>>>>>>>>> Could not connect to server 192.168.1.1
>>>>>>>>>> Connection failed: NT_STATUS_INVALID_WORKSTATION
>>>>>>>>>>
>>>>>>>>>> Cheers.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On Wednesday, December 31, 2014 1:35 AM, Rowland Penny
>>>>>>>>>> <rowlandpenny at googlemail.com> wrote:
>>>>>>>>>> On 31/12/14 09:17, Jason Long wrote:
>>>>>>>>>>> Thank you so much, but I ran the commands below on Linux:
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> # net rpc rights grant 'jasondomain\Domain Admins'
>>>>>>>>>>> SeDiskOperatorPrivilege -Uadministrator
>>>>>>>>>>> # net rpc rights list accounts -Uadministrator
>>>>>>>>>>>
>>>>>>>>>>> It asks me for a password for "administrator":
>>>>>>>>>>>
>>>>>>>>>>> Enter administrator's password:
>>>>>>>>>>> Could not connect to server 127.0.0.1
>>>>>>>>>>> Connection failed: NT_STATUS_NO_LOGON_SERVERS
>>>>>>>>>>>
>>>>>>>>>>> Must I enter windows administrator password?
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Thanks.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On Monday, December 29, 2014 5:10 AM, Rowland Penny
>>>>>>>>>>> <rowlandpenny at googlemail.com> wrote:
>>>>>>>>>>> On 29/12/14 12:52, Jason Long wrote:
>>>>>>>>>>>> Thank you so much.
>>>>>>>>>>>>
>>>>>>>>>>>> I made some changes as below:
>>>>>>>>>>>>
>>>>>>>>>>>> /dev/mapper/vg_print-lv_root / ext4
>>>>>>>>>>>> user_xattr,acl,defaults        1 1
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Then "lsof | grep /dev/mapper/vg_print-lv_root" does not have any
>>>>>>>>>>>> output.
>>>>>>>>>>>> I added the lines below to the [global] section too:
>>>>>>>>>>>>
>>>>>>>>>>>> vfs objects = acl_xattr
>>>>>>>>>>>> map acl inherit = Yes
>>>>>>>>>>>> store dos attributes = Yes
>>>>>>>>>>>>
>>>>>>>>>>>> But can you tell me more about the commands below?
>>>>>>>>>>>>
>>>>>>>>>>>> net rpc rights grant 'SAMDOM\Domain Admins'
>>>>>>>>>>>> SeDiskOperatorPrivilege -Uadministrator
>>>>>>>>>>>> net rpc rights list accounts -Uadministrator
>>>>>>>>>>>>
>>>>>>>>>>>> I hope they are not Dangerous!!!!
>>>>>>>>>>> No :-)
>>>>>>>>>>>
>>>>>>>>>>> The first one gives members of Domain Admins the right to change
>>>>>>>>>>> Windows ACLs on a share.
>>>>>>>>>>> The second lists accounts and what rights they have.
>>>>>>>>>>>
>>>>>>>>>>>> In the
>>>>>>>>>>>> "https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs"
>>>>>>>>>>>> , the other steps are in Windows!!! Can I do them via Linux too?
>>>>>>>>>>> Yes, but it is just easier via windows
>>>>>>>>>>>
>>>>>>>>>>> Rowland
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>>       Thanks.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> On Monday, December 29, 2014 1:59 AM, Rowland Penny
>>>>>>>>>>>> <rowlandpenny at googlemail.com> wrote:
>>>>>>>>>>>> On 29/12/14 06:38, Jason Long wrote:
>>>>>>>>>>>>> Thank you so much.
>>>>>>>>>>>>> You're right, my realm is "jasondomaini.jasondomain.jj" and I
>>>>>>>>>>>>> changed the configuration as below:
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> [global]
>>>>>>>>>>>>> workgroup = JASONDOMAINI
>>>>>>>>>>>>> server string = Samba Server Version %v
>>>>>>>>>>>>> # logs split per machine
>>>>>>>>>>>>> log file = /var/log/samba/log.%m
>>>>>>>>>>>>> # max 50KB per log file, then rotate
>>>>>>>>>>>>> max log size = 50
>>>>>>>>>>>>> security = ADS
>>>>>>>>>>>>> realm = JASONDOMAINI.JASONDOMAIN.JJ
>>>>>>>>>>>>> passdb backend = tdbsam
>>>>>>>>>>>>> load printers = yes
>>>>>>>>>>>>> cups options = raw
>>>>>>>>>>>>> idmap config *:backend = tdb
>>>>>>>>>>>>> idmap config *:range = 70001-80000
>>>>>>>>>>>>> #idmap config SAMDOM:backend = ad
>>>>>>>>>>>>> idmap config JASONDOMAINI:backend = ad
>>>>>>>>>>>>> idmap config JASONDOMAINI:schema_mode = rfc2307
>>>>>>>>>>>>> idmap config JASONDOMAINI:range = 500-40000
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> When I use "SSH" on my CentOS and enter "jasondomain\jason",
>>>>>>>>>>>>> it shows me the root partition and I can open the "Test" directory,
>>>>>>>>>>>>> but it has two problems:
>>>>>>>>>>>>>
>>>>>>>>>>>>> 1- Why does it show the root partition?
>>>>>>>>>>>>> 2- I can't browse it via Windows Explorer!!!
>>>>>>>>>>>>>
>>>>>>>>>>>>> I want to know: is using AD users in Linux hard?
>>>>>>>>>>>>>
>>>>>>>>>>>>> In your opinion, did I use a correct command to set the ACL?
>>>>>>>>>>>>>
>>>>>>>>>>>>> #getfacl test/
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> # file: test/
>>>>>>>>>>>>> # owner: JASONDOMAINI\134JASON
>>>>>>>>>>>>> # group: JASONDOMAINI\134grp-JASON-rw
>>>>>>>>>>>>> user::rwx
>>>>>>>>>>>>> group::r-x
>>>>>>>>>>>>> group:JASONDOMAINI\134grp-JASON-rw:rwx
>>>>>>>>>>>>> mask::rwx
>>>>>>>>>>>>> other::r-x
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> and in "getent group" it shows me the group below:
>>>>>>>>>>>>>
>>>>>>>>>>>>> JASONDOMAINI\134grp-JASON-rw
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> In your view, did I use the correct command to set the permissions?
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Sunday, December 28, 2014 9:37 AM, Rowland Penny
>>>>>>>>>>>>> <rowlandpenny at googlemail.com> wrote:
>>>>>>>>>>>>> On 28/12/14 15:48, Jason Long wrote:
>>>>>>>>>>>>>> Thank you so much.
>>>>>>>>>>>>>> Thus I must change "idmap config JASONDOMAIN.JJ:backend = ad"
>>>>>>>>>>>>>> to "idmap config JASONDOMAIN:backend = ad".
>>>>>>>>>>>>>> How about the workgroup? Must it change to "JASONDOMAIN" too?
>>>>>>>>>>>>>> About your question, I must say that I tested this share via
>>>>>>>>>>>>>> Linux too, and Windows and Linux have the same problem.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> About "What I would do is, install the OpenSSH server on the
>>>>>>>>>>>>>> linux machine, install 'PUTTY' on a windows machine and try
>>>>>>>>>>>>>> to login via 'PUTTY' and use the SSH protocol.", do you mean
>>>>>>>>>>>>>> that Windows clients should use SSH to work with this directory? I
>>>>>>>>>>>>>> want to make this Linux box a file server, and Windows
>>>>>>>>>>>>>> clients need a graphical browser to copy and paste files into
>>>>>>>>>>>>>> this directory!!!!!!!
>>>>>>>>>>>>>> What is your idea?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Thanks.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>> I am losing track here a bit, but if your dns domain is
>>>>>>>>>>>>> example.com,
>>>>>>>>>>>>> then your windows AD realm should be something like
>>>>>>>>>>>>> internal.example.com
>>>>>>>>>>>>> and your workgroup/domain name should be INTERNAL, that is,
>>>>>>>>>>>>> they all
>>>>>>>>>>>>> rely on each other.
>>>>>>>>>>>>>
>>>>>>>>>>>>> So anywhere that you come across these, you should use the
>>>>>>>>>>>>> relevant one,
>>>>>>>>>>>>> this is the relevant parts from a Unix client on my domain:
>>>>>>>>>>>>>
>>>>>>>>>>>>> [global]
>>>>>>>>>>>>>                      workgroup = INTERNAL
>>>>>>>>>>>>>                      security = ADS
>>>>>>>>>>>>>                      realm = INTERNAL.EXAMPLE.COM
>>>>>>>>>>>>>                      ..........
>>>>>>>>>>>>>                      idmap config * : backend = tdb
>>>>>>>>>>>>>                      idmap config * : range = 2000-9999
>>>>>>>>>>>>>                      idmap config INTERNAL : backend = ad
>>>>>>>>>>>>>                      idmap config INTERNAL : range = 10000-999999
>>>>>>>>>>>>>                      idmap config INTERNAL : schema_mode = rfc2307
>>>>>>>>>>>>>
>>>>>>>>>>>>> As for using 'PUTTY', this was just a way of testing whether
>>>>>>>>>>>>> you can
>>>>>>>>>>>>> connect to the Unix machine.
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> Rowland
>>>>>>>>>>>> OK, we are getting closer
>>>>>>>>>>>>
>>>>>>>>>>>> right, answers to your questions
>>>>>>>>>>>> 1) I think that you may find that this is also printed 'Could
>>>>>>>>>>>> not chdir
>>>>>>>>>>>> to home directory', in which case you will end up in the root
>>>>>>>>>>>> of the computer.
>>>>>>>>>>>>
>>>>>>>>>>>> 2) Are you running the 'nmbd' daemon ? Even if this is not
>>>>>>>>>>>> running you
>>>>>>>>>>>> should be able to navigate to the share by entering the path.
>>>>>>>>>>>> Have a
>>>>>>>>>>>> look here:
>>>>>>>>>>>>
>>>>>>>>>>>> https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Rowland
>>>>>>>>>>>>
>>>>>>>>>> You are trying to run the command on a client, try adding either:
>>>>>>>>>>
>>>>>>>>>> -S server name
>>>>>>>>>>
>>>>>>>>>> OR
>>>>>>>>>>
>>>>>>>>>> -I address of target server
>>>>>>>>>>
>>>>>>>>>> where 'server' is the AD DC.
>>>>>>>>>>
>>>>>>>>>> Yes, you need to supply the password of the Domain Administrator.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Rowland
>>>>>>>>>>
>>>>>>>>> OK, try it like this:
>>>>>>>>>
>>>>>>>>> net rpc rights grant 'Domain Admins' SeDiskOperatorPrivilege
>>>>>>>>> -UAdministrator -I 192.168.1.1
>>>>>>>>>
>>>>>>>>> This works for me on a client joined to the domain.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Rowland
>>>>>>>>>
>>>>>>>> Sounds like something is wrong with the join, what does 'net ads
>>>>>>>> testjoin' return ? You may have to run this command with sudo.
>>>>>>>>
>>>>>>>>
>>>>>>>> Rowland
>>>>>>>>
>>>>>> Sometimes I wonder why all the time is spent on keeping the samba wiki
>>>>>> updated. Likewiseopen was replaced some time ago by PowerBroker Open; I
>>>>>> cannot recommend using either of these because, quite simply, they are
>>>>>> not needed.
>>>>>>
>>>>>> Check the following files:
>>>>>>
>>>>>> /etc/samba/smb.conf
>>>>>>
>>>>>> [global]
>>>>>>               workgroup = JASONDOMAINI
>>>>>>               security = ADS
>>>>>>               realm = JASONDOMAINI.JASONDOMAIN.JJ
>>>>>>               dedicated keytab file = /etc/krb5.keytab
>>>>>>               kerberos method = secrets and keytab
>>>>>>               server string = Samba 4 Client %h
>>>>>>               winbind enum users = yes
>>>>>>               winbind enum groups = yes
>>>>>>               winbind use default domain = yes
>>>>>>               winbind expand groups = 4
>>>>>>               winbind nss info = rfc2307
>>>>>>               winbind refresh tickets = Yes
>>>>>>               winbind normalize names = Yes
>>>>>>               idmap config * : backend = tdb
>>>>>>               idmap config * : range = 2000-9999
>>>>>>               idmap config JASONDOMAINI : backend  = ad
>>>>>>               idmap config JASONDOMAINI : range = 10000-999999
>>>>>>               idmap config JASONDOMAINI : schema_mode = rfc2307
>>>>>>               printcap name = cups
>>>>>>               cups options = raw
>>>>>>               usershare allow guests = yes
>>>>>>               domain master = no
>>>>>>               local master = no
>>>>>>               preferred master = no
>>>>>>               os level = 20
>>>>>>               map to guest = bad user
>>>>>>               vfs objects = acl_xattr
>>>>>>               map acl inherit = Yes
>>>>>>               store dos attributes = Yes
>>>>>>               log level = 6
>>>>>>
>>>>>> /etc/krb5.conf
>>>>>>
>>>>>> [libdefaults]
>>>>>>            default_realm = JASONDOMAINI.JASONDOMAIN.JJ
>>>>>>            dns_lookup_realm = false
>>>>>>            dns_lookup_kdc = true
>>>>>>            ticket_lifetime = 24h
>>>>>>            forwardable = yes
>>>>>>
>>>>>> /etc/resolv.conf
>>>>>>
>>>>>> nameserver <your AD DC's ipaddress>
>>>>>> search jasondomaini.jasondomain.jj
>>>>>>
>>>>>> If required, alter them to match the above, check that 'hostname'
>>>>>> returns only the hostname of the client, check that 'hostname -f'
>>>>>> returns the FQDN. If either are not correct, fix them.
>>>>>>
>>>>>> Remove likewiseopen
>>>>>>
>>>>>> Once everything is correct, run the following command:
>>>>>>
>>>>>> net ads join -U Administrator at JASONDOMAINI.JASONDOMAIN.JJ
>>>>>>
>>>>>> You should be asked for the domain Administrator's password; enter this
>>>>>> and you should join the domain.
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>> What Windows DC are you using ?
>>>>> What is the realm name * workgroup name on the Windows DC ?
>>>>>
>>>>> Rowland
>>>> oops, that should have been:
>>>>
>>>>
>>>> What is the realm name & workgroup name on the Windows DC ?
>>>>
>>>> Rowland
>>>>
>>> Hi, will you answer these questions:
>>>
>>> What Windows DC are you using ?
>>> What is the realm name on the Windows DC ?
>>> What is the workgroup name on the Windows DC ?
>>>
>>> You do not need all of what you have in /etc/krb5.conf, but please
>>> answer the questions above first.
>>>
>>> Rowland
>>>
>> OK, so what is your 'domain' name (and No, it is not 'JASONDOMAIN.JJ')
>>
>> Rowland
>>

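A small checker for the smb.conf mistakes that run through this thread, added here as a worked example; it is not code from the thread or from the Samba project. It parses an smb.conf written the way the configs above are written and reports the things Rowland keeps correcting: the realm standing in for the workgroup, 'idmap config' labels that do not equal the workgroup (such a block is never used for the domain), a domain idmap range that overlaps the '*' range, and a domain range that starts inside the local system accounts. The file name smbcheck.sh, the 1000 cut-off for local IDs and the sample configs produced by write_sample_conf are assumptions made for the example; the samples are constructed from the values quoted in the thread, not copied from any real system.

```shell
#!/bin/sh
# smbcheck.sh: sanity-check smb.conf for a Samba AD member (winbind) before
# 'net ads join'. Added example, not code from the thread or the Samba project.
# It encodes the mistakes that recur above: realm used where the workgroup
# belongs, 'idmap config' labels that do not equal the workgroup, colliding
# idmap ranges. Assumption: local system accounts use IDs below 1000.
# Print a [global] parameter. Keys compare case-insensitively with whitespace
# removed, so "idmap config X : range" and "idmap config X:range" are one key.
smb_get() {  # smb_get <file> <key>
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | tr -d '[:space:]')
    awk -v want="$want" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { sect = tolower($0); gsub(/[^a-z0-9_]/, "", sect); next }
        sect == "global" && index($0, "=") > 0 {
            k = tolower(substr($0, 1, index($0, "=") - 1)); gsub(/[ \t]/, "", k)
            if (k == want) {
                v = substr($0, index($0, "=") + 1)
                sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v); print v; exit
            }
        }' "$1"
}
# List the labels of all 'idmap config <label> : ...' lines, lower-cased.
idmap_labels() {  # idmap_labels <file>
    awk -F= '/^[ \t]*[#;]/ { next }
        { k = tolower($1); gsub(/[ \t]/, "", k)
          if (k ~ /^idmapconfig[^:]+:/) { sub(/^idmapconfig/, "", k); sub(/:.*/, "", k); print k } }' "$1" |
        LC_ALL=C sort -u
}
# "lo-hi" -> "lo hi"; prints nothing if the range is malformed.
split_range() {
    case "$1" in
        ''|*[!0-9-]*|*-*-*|-*|*-) return 0 ;;
        *-*) printf '%s %s\n' "${1%-*}" "${1#*-}" ;;
    esac
}
# Return 0 when the file is consistent, 1 otherwise; one finding per line.
check_smb_conf() {  # check_smb_conf <file>
    f=$1 rc=0
    wg=$(smb_get "$f" workgroup)
    sec=$(smb_get "$f" security | tr 'a-z' 'A-Z')
    [ "$sec" = ADS ] || { echo "security must be 'ADS' for an AD member (got '$sec')"; rc=1; }
    case "$wg" in
        '')  echo "workgroup is missing"; rc=1 ;;
        *.*) echo "workgroup '$wg' has a dot: use the short (NetBIOS) name, not the realm"; rc=1 ;;
    esac
    # Every 'idmap config <label>' block must be for '*' or for the workgroup;
    # a block with any other label is never consulted for the domain.
    wg_lc=$(printf '%s' "$wg" | tr 'A-Z' 'a-z'); seen_wg=0
    labels=$(idmap_labels "$f")
    while IFS= read -r l; do
        case "$l" in
            ''|'*')   ;;
            "$wg_lc") seen_wg=1 ;;
            *)        echo "'idmap config $l' does not match workgroup '$wg'"; rc=1 ;;
        esac
    done <<EOF
$labels
EOF
    if [ "$seen_wg" = 1 ]; then
        [ -n "$(smb_get "$f" "idmap config $wg : backend")" ] ||
            { echo "'idmap config $wg : backend' is not set"; rc=1; }
    else
        echo "no 'idmap config $wg : ...' block for the domain"; rc=1
    fi
    # The default ('*') range and the domain range must not overlap.
    set -- $(split_range "$(smb_get "$f" 'idmap config * : range')"); dlo=${1:-} dhi=${2:-}
    set -- $(split_range "$(smb_get "$f" "idmap config $wg : range")"); wlo=${1:-} whi=${2:-}
    if [ -z "$dlo" ] || [ -z "$wlo" ]; then
        echo "'idmap config * : range' and 'idmap config $wg : range' must both be 'lo-hi'"; rc=1
    else
        [ "$wlo" -gt "$dhi" ] || [ "$whi" -lt "$dlo" ] ||
            { echo "idmap ranges overlap: '*' $dlo-$dhi vs '$wg' $wlo-$whi"; rc=1; }
        [ "$wlo" -ge 1000 ] ||
            { echo "domain range starts at $wlo, inside local system account IDs (assumed < 1000)"; rc=1; }
    fi
    return $rc
}
# Write a constructed sample smb.conf (not a real file from the thread).
write_sample_conf() {  # write_sample_conf <path> <workgroup> <idmap-label> <domain-range>
    cat > "$1" <<EOF
[global]
    workgroup = $2
    security = ADS
    realm = JASONDOMAIN.JJ
    idmap config * : backend = tdb
    idmap config * : range = 2000-9999
    idmap config $3 : backend = ad
    idmap config $3 : range = $4
    idmap config $3 : schema_mode = rfc2307
EOF
}
if [ $# -gt 0 ]; then check_smb_conf "$1"   # usage: sh smbcheck.sh /etc/samba/smb.conf
else  # no argument: run against three constructed samples
    d=$(mktemp -d)
    write_sample_conf "$d/good.conf" JASONDOMAINI JASONDOMAINI 10000-999999
    write_sample_conf "$d/realm-as-workgroup.conf" JASONDOMAIN.JJ JASONDOMAIN.JJ 500-40000
    write_sample_conf "$d/label-mismatch.conf" JASONDOMAINI JASONDOMAIN 10000-999999
    for c in "$d"/*.conf; do echo "== ${c##*/}"; if check_smb_conf "$c"; then echo "(no findings)"; fi; done
    rm -rf "$d"
fi
```

Run it as 'sh smbcheck.sh /etc/samba/smb.conf' on the client before 'net ads join'; with no argument it checks three constructed samples, one shaped like Rowland's working client and two carrying the mistakes from the thread (the realm as workgroup with a 500-40000 range, and an idmap label of JASONDOMAIN against a workgroup of JASONDOMAINI). It only inspects the file; whether the join actually worked is still answered by 'net ads testjoin' afterwards.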
