[Samba] Use Samba with ACL for read Active Directory and set Permissions via it.
Rowland Penny
rowlandpenny at googlemail.com
Fri Jan 9 02:31:34 MST 2015
On 09/01/15 08:40, Jason Long wrote:
> Thanks.
> I'm confused. Can I paste the output of the "set" command on Windows for you?
> The "jason" account is an administrator and can join and dis-join any computer.
>
> Cheers.
>
>
>
> On Wednesday, January 7, 2015 2:59 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
> On 07/01/15 10:51, Jason Long wrote:
>> Thank you.
>> I changed my "krb5.conf" as below:
>>
>>
>> [logging]
>> default = FILE:/var/log/krb5libs.log
>> kdc = FILE:/var/log/krb5kdc.log
>> admin_server = FILE:/var/log/kadmind.log
>>
>> [libdefaults]
>> default_realm = JASONDOMAIN.JJ
>> dns_lookup_realm = false
>> dns_lookup_kdc = true
>> ticket_lifetime = 24h
>> renew_lifetime = 7d
>> forwardable = yes
>> default_keytab_name = /etc/krb5.keytab
>> default_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
>> default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
>> preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
>> pkinit_kdc_hostname = <DNS>
>> pkinit_anchors = DIR:/var/lib/pbis/trusted_certs
>> pkinit_cert_match = &&<EKU>msScLogin<PRINCIPAL>
>> pkinit_eku_checking = kpServerAuth
>> pkinit_win2k_require_binding = false
>> pkinit_identities = PKCS11:/opt/pbis/lib64/libpkcs11.so
>>
> My krb5.conf is:
>
> [libdefaults]
> default_realm = EXAMPLE.LAN
> dns_lookup_realm = false
> dns_lookup_kdc = true
> ticket_lifetime = 24h
> forwardable = yes
>
>> and removed "krb5.keytab" too. You told me that my domain name is "jasondomaini", but it is wrong. My domain name is "jasondomain.jj" and the backend is "jasondomaini". For example, when I want to log in to Windows I use "jasondomaini\jason".
>>
>> After entering the command "net ads join -U jason at jasondomain.jj", my computer joined, but when I use "net rpc testjoin" I get the same error as below:
>>
>> Unable to find a suitable server for domain JASONDOMAINI
>> Join to domain 'JASONDOMAINI' is not valid: NT_STATUS_UNSUCCESSFUL
>>
>> I don't know why it sees the domain name as "JASONDOMAINI". How can I edit it?
> You shouldn't because 'JASONDOMAINI' *IS* your domain name *NOT* the
> backend!!!
>
> The join command should be 'net ads join -U jason at JASONDOMAIN.JJ' , but
> does 'jason' have the required rights to join the domain ?? Try again
> but this time use:
>
> net ads join -U Administrator at JASONDOMAIN.JJ
>
> and enter the 'Administrator' password when prompted.
>
> Rowland
>>
>> Thanks.
>>
>>
>>
>>
>> On Tuesday, January 6, 2015 12:57 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>> On 06/01/15 06:17, Jason Long wrote:
>>> Thanks.
>>> My domain name is "jasondomain.jj" and the backend is "jasondomaini".
>> No, your realm name is "jasondomain.jj" and it would seem that your
>> domain name is "jasondomaini", the domain name can also be known as the
>> 'workgroup' name.
>>
>> Set smb.conf to match this:
>>
>> [global]
>> workgroup = JASONDOMAINI
>> security = ADS
>> realm = JASONDOMAIN.JJ
>> dedicated keytab file = /etc/krb5.keytab
>> kerberos method = secrets and keytab
>> server string = Samba 4 Client %h
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind use default domain = yes
>> winbind expand groups = 4
>> winbind nss info = rfc2307
>> winbind refresh tickets = Yes
>> winbind offline logon = yes
>> winbind normalize names = Yes
>> idmap config * : backend = tdb
>> idmap config * : range = 2000-9999
>> idmap config JASONDOMAINI : backend = ad
>> idmap config JASONDOMAINI : range = 10000-999999
>> idmap config JASONDOMAINI : schema_mode = rfc2307
>> printcap name = cups
>> cups options = raw
>> usershare allow guests = yes
>> domain master = no
>> local master = no
>> preferred master = no
>> os level = 20
>> map to guest = bad user
>>
>> set /etc/krb5.conf to this:
>>
>> [libdefaults]
>> default_realm = JASONDOMAIN.JJ
>> dns_lookup_realm = false
>> dns_lookup_kdc = true
>> ticket_lifetime = 24h
>> forwardable = yes
>>
>> set /etc/resolv.conf
>>
>> nameserver <ip of your windows server>
>> search jasondomain.jj
>>
>> If /etc/krb5.keytab exists, delete it.
>>
>> make sure the time on the client matches the server.
>>
>> then try to join the domain:
>>
>> net ads join -U Administrator at JASONDOMAIN.JJ
>>
>>
>> Rowland
>>>
>>> On Monday, January 5, 2015 3:48 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>> On 05/01/15 11:09, Jason Long wrote:
>>>> Thank you.
>>>>
>>>> My Windows is Windows Server 2008 R2.
>>>> About the realm name, my domain name is "JASONDOMAIN.JJ".
>>>> My Windows does not have any workgroup name. It is a domain.
>>>>
>>>>
>>>> Thanks
>>>>
>>>>
>>>>
>>>>
>>>> On Monday, January 5, 2015 1:05 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>>> On 05/01/15 07:02, Jason Long wrote:
>>>>> Thanks a lot.
>>>>> I changed the below lines to the correct domain name:
>>>>>
>>>>> idmap config JASONDOMAIN : range = 10000-999999
>>>>> idmap config JASONDOMAIN : schema_mode = rfc2307
>>>>>
>>>>> and after the join, the command "net rpc testjoin" shows the same error:
>>>>>
>>>>> Unable to find a suitable server for domain JASONDOMAINI
>>>>> Join to domain 'JASONDOMAINI' is not valid: NT_STATUS_UNSUCCESSFUL
>>>>>
>>>>> I have an idea and I guess that "/etc/krb5.conf" has some incorrect options. The file is:
>>>>>
>>>>> [logging]
>>>>> default = FILE:/var/log/krb5libs.log
>>>>> kdc = FILE:/var/log/krb5kdc.log
>>>>> admin_server = FILE:/var/log/kadmind.log
>>>>>
>>>>> [libdefaults]
>>>>> default_realm = JASONDOMAIN.JJ
>>>>> dns_lookup_realm = false
>>>>> dns_lookup_kdc = true
>>>>> ticket_lifetime = 24h
>>>>> renew_lifetime = 7d
>>>>> forwardable = yes
>>>>> default_keytab_name = /etc/krb5.keytab
>>>>> default_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
>>>>> default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
>>>>> preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
>>>>> pkinit_kdc_hostname = <DNS>
>>>>> pkinit_anchors = DIR:/var/lib/pbis/trusted_certs
>>>>> pkinit_cert_match = &&<EKU>msScLogin<PRINCIPAL>
>>>>> pkinit_eku_checking = kpServerAuth
>>>>> pkinit_win2k_require_binding = false
>>>>> pkinit_identities = PKCS11:/opt/pbis/lib64/libpkcs11.so
>>>>>
>>>>> [realms]
>>>>> EXAMPLE.COM = {
>>>>> kdc = kerberos.example.com
>>>>> admin_server = kerberos.example.com
>>>>> }
>>>>> JASONDOMAIN.JJ = {
>>>>> auth_to_local = RULE:[1:$0\$1](^JASONDOMAIN\.JJ\\.*)s/^JASONDOMAIN\.JJ/JASONDOMAINI/
>>>>> auth_to_local = RULE:[1:$0\$1](^ADVER\.JASONDOMAIN\.JJ\\.*)s/^ADVER\.JASONDOMAIN\.JJ/ADVER/
>>>>> auth_to_local = DEFAULT
>>>>> }
>>>>>
>>>>> [domain_realm]
>>>>> .example.com = EXAMPLE.COM
>>>>> example.com = EXAMPLE.COM
>>>>> .JASONDOMAIN.JJ = JASONDOMAIN.JJ
>>>>> .adver.JASONDOMAIN.JJ = ADVER.JASONDOMAIN.JJ
>>>>> [capaths]
>>>>> [appdefaults]
>>>>> pam = {
>>>>> mappings = JASONDOMAINI\\(.*) $1 at JASONDOMAIN.JJ
>>>>> forwardable = true
>>>>> validate = true
>>>>> }
>>>>> httpd = {
>>>>> mappings = JASONDOMAINI\\(.*) $1 at JASONDOMAIN.JJ
>>>>> reverse_mappings = (.*)@JASONDOMAIN\.JJ JASONDOMAINI\$1
>>>>> }
>>>>>
>>>>>
>>>>>
>>>>> What is your idea? I must tell you that after removing LikeWise and configuring manually, I can't log in to Linux via Windows AD accounts.
>>>>>
>>>>>
>>>>> Thanks.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Sunday, January 4, 2015 5:11 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>>>> On 04/01/15 13:00, Rowland Penny wrote:
>>>>>> On 04/01/15 10:17, Jason Long wrote:
>>>>>>> Thanks a lot.
>>>>>>> I entered the command and the result is:
>>>>>>>
>>>>>>> Using short domain name -- JASONDOMAINI
>>>>>>> Joined 'PRINTMAH' to dns domain 'JASONDOMAIN.JJ'
>>>>>>> but after running "net rpc testjoin":
>>>>>>>
>>>>>>> Unable to find a suitable server for domain JASONDOMAINI
>>>>>>> Join to domain 'JASONDOMAINI' is not valid: NT_STATUS_UNSUCCESSFUL
>>>>>>>
>>>>>>> I guess I understand what my problem is. I'm really sorry :(.
>>>>>>>
>>>>>>> On the Windows OS I used the "set" command and it shows me:
>>>>>>>
>>>>>>> USERDNSDOMAIN= JASONDOMAIN.JJ
>>>>>>> USERDOMAIN= JASONDOMAINI
>>>>>>>
>>>>>>> I guess that I must change "JASONDOMAINI" in the below text to
>>>>>>> "JASONDOMAIN":
>>>>>>>
>>>>>>> idmap config JASONDOMAINI : range = 10000-999999
>>>>>>> idmap config JASONDOMAINI : schema_mode = rfc2307
>>>>>>>
>>>>>>> Am I right?
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Saturday, January 3, 2015 7:44 AM, Rowland Penny
>>>>>>> <rowlandpenny at googlemail.com> wrote:
>>>>>>> On 03/01/15 15:08, Jason Long wrote:
>>>>>>>> Thank you.
>>>>>>>> I used the below video to join my Linux box to the Windows domain:
>>>>>>>>
>>>>>>>> http://www.youtube.com/watch?v=Y3TFPDT9uic
>>>>>>>>
>>>>>>>> Please look at this video; I used the instructions in it and the
>>>>>>>> LikeWiseOpen tool.
>>>>>>>>
>>>>>>>>
>>>>>>>> Cheers.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Saturday, January 3, 2015 5:45 AM, Rowland Penny
>>>>>>>> <rowlandpenny at googlemail.com> wrote:
>>>>>>>> On 03/01/15 12:38, Jason Long wrote:
>>>>>>>>> Thanks.
>>>>>>>>>
>>>>>>>>> I entered "net ads testjoin" and it shows me:
>>>>>>>>>
>>>>>>>>> ads_connect: No logon servers
>>>>>>>>> Join to domain is not valid: No logon servers
>>>>>>>> You are *not* joined to the domain, I suppose this should have been
>>>>>>>> asked earlier, but how did you do the domain join ?
>>>>>>>>
>>>>>>>> Rowland
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>> If it is incorrect, why can I log in to Linux via a Windows account?
>>>>>>>>> As you see, I followed the steps in the video.
>>>>>>>>>
>>>>>>>>> :(.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Saturday, January 3, 2015 1:13 AM, Rowland Penny
>>>>>>>>> <rowlandpenny at googlemail.com> wrote:
>>>>>>>>> On 03/01/15 05:41, Jason Long wrote:
>>>>>>>>>> Thank you.
>>>>>>>>>> The command shows the below error:
>>>>>>>>>>
>>>>>>>>>> Could not connect to server 192.168.1.1
>>>>>>>>>> Connection failed: NT_STATUS_INVALID_WORKSTATION
>>>>>>>>>>
>>>>>>>>>> :(
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On Wednesday, December 31, 2014 2:05 AM, Rowland Penny
>>>>>>>>>> <rowlandpenny at googlemail.com> wrote:
>>>>>>>>>> On 31/12/14 09:55, Jason Long wrote:
>>>>>>>>>>> Thanks.
>>>>>>>>>>> I changed the command as below:
>>>>>>>>>>>
>>>>>>>>>>> #net rpc rights grant 'jasondomain\Domain Admins' SeDiskOperatorPrivilege -U jasondomain\\administrator -I 192.168.1.1
>>>>>>>>>>>
>>>>>>>>>>> But I got the below error:
>>>>>>>>>>>
>>>>>>>>>>> Could not connect to server 192.168.1.1
>>>>>>>>>>> Connection failed: NT_STATUS_INVALID_WORKSTATION
>>>>>>>>>>>
>>>>>>>>>>> Cheers.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On Wednesday, December 31, 2014 1:35 AM, Rowland Penny
>>>>>>>>>>> <rowlandpenny at googlemail.com> wrote:
>>>>>>>>>>> On 31/12/14 09:17, Jason Long wrote:
>>>>>>>>>>>> Thank you so much, but I ran the below commands on Linux:
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> # net rpc rights grant 'jasondomain\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
>>>>>>>>>>>> # net rpc rights list accounts -Uadministrator
>>>>>>>>>>>>
>>>>>>>>>>>> It asks me for a password for "administrator":
>>>>>>>>>>>>
>>>>>>>>>>>> Enter administrator's password:
>>>>>>>>>>>> Could not connect to server 127.0.0.1
>>>>>>>>>>>> Connection failed: NT_STATUS_NO_LOGON_SERVERS
>>>>>>>>>>>>
>>>>>>>>>>>> Must I enter the Windows administrator password?
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> On Monday, December 29, 2014 5:10 AM, Rowland Penny
>>>>>>>>>>>> <rowlandpenny at googlemail.com> wrote:
>>>>>>>>>>>> On 29/12/14 12:52, Jason Long wrote:
>>>>>>>>>>>>> Thank you so much.
>>>>>>>>>>>>>
>>>>>>>>>>>>> I made some changes like below:
>>>>>>>>>>>>>
>>>>>>>>>>>>> /dev/mapper/vg_print-lv_root / ext4 user_xattr,acl,defaults 1 1
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> Then "lsof | grep /dev/mapper/vg_print-lv_root" does not have any
>>>>>>>>>>>>> output.
>>>>>>>>>>>>> I added the below lines to the [global] section too:
>>>>>>>>>>>>>
>>>>>>>>>>>>> vfs objects = acl_xattr
>>>>>>>>>>>>> map acl inherit = Yes
>>>>>>>>>>>>> store dos attributes = Yes
>>>>>>>>>>>>>
>>>>>>>>>>>>> But can you tell me more about the below commands?
>>>>>>>>>>>>>
>>>>>>>>>>>>> net rpc rights grant 'SAMDOM\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
>>>>>>>>>>>>> net rpc rights list accounts -Uadministrator
>>>>>>>>>>>>>
>>>>>>>>>>>>> I hope they are not Dangerous!!!!
>>>>>>>>>>>> No :-)
>>>>>>>>>>>>
>>>>>>>>>>>> The first one gives members of Domain Admins the right to change
>>>>>>>>>>>> Windows ACLs on a share.
>>>>>>>>>>>> The second lists accounts and what rights they have.
>>>>>>>>>>>>
>>>>>>>>>>>>> In the
>>>>>>>>>>>>> "https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs",
>>>>>>>>>>>>> the other steps are in Windows!!! Can I do it via Linux too?
>>>>>>>>>>>> Yes, but it is just easier via Windows.
>>>>>>>>>>>>
>>>>>>>>>>>> Rowland
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>> Thanks.
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Monday, December 29, 2014 1:59 AM, Rowland Penny
>>>>>>>>>>>>> <rowlandpenny at googlemail.com> wrote:
>>>>>>>>>>>>> On 29/12/14 06:38, Jason Long wrote:
>>>>>>>>>>>>>> Thank you so much.
>>>>>>>>>>>>>> You're right, my realm is "jasondomaini.jasondomain.jj" and I
>>>>>>>>>>>>>> changed the configuration as below:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [global]
>>>>>>>>>>>>>> workgroup = JASONDOMAINI
>>>>>>>>>>>>>> server string = Samba Server Version %v
>>>>>>>>>>>>>> # logs split per machine
>>>>>>>>>>>>>> log file = /var/log/samba/log.%m
>>>>>>>>>>>>>> # max 50KB per log file, then rotate
>>>>>>>>>>>>>> max log size = 50
>>>>>>>>>>>>>> security = ADS
>>>>>>>>>>>>>> realm = JASONDOMAINI.JASONDOMAIN.JJ
>>>>>>>>>>>>>> passdb backend = tdbsam
>>>>>>>>>>>>>> load printers = yes
>>>>>>>>>>>>>> cups options = raw
>>>>>>>>>>>>>> idmap config *:backend = tdb
>>>>>>>>>>>>>> idmap config *:range = 70001-80000
>>>>>>>>>>>>>> #idmap config SAMDOM:backend = ad
>>>>>>>>>>>>>> idmap config JASONDOMAINI:backend = ad
>>>>>>>>>>>>>> idmap config JASONDOMAINI:schema_mode = rfc2307
>>>>>>>>>>>>>> idmap config JASONDOMAINI:range = 500-40000
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> When I use "SSH" on my CentOS and enter "jasondomain\jason",
>>>>>>>>>>>>>> it shows me the root partition and I can open the "Test" directory,
>>>>>>>>>>>>>> but it has two problems:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> 1- Why does it show the root partition?
>>>>>>>>>>>>>> 2- I can't browse it via Windows Explorer!!!
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I want to know: is using AD users in Linux hard?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> In your opinion, did I use a correct command to set the ACL?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> #getfacl test/
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> # file: test/
>>>>>>>>>>>>>> # owner: JASONDOMAINI\134JASON
>>>>>>>>>>>>>> # group: JASONDOMAINI\134grp-JASON-rw
>>>>>>>>>>>>>> user::rwx
>>>>>>>>>>>>>> group::r-x
>>>>>>>>>>>>>> group:JASONDOMAINI\134grp-JASON-rw:rwx
>>>>>>>>>>>>>> mask::rwx
>>>>>>>>>>>>>> other::r-x
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> and in "getent group" it shows me the below group:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> JASONDOMAINI\134grp-JASON-rw
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> In your opinion, did I use the correct command to set the permissions?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Sunday, December 28, 2014 9:37 AM, Rowland Penny
>>>>>>>>>>>>>> <rowlandpenny at googlemail.com> wrote:
>>>>>>>>>>>>>> On 28/12/14 15:48, Jason Long wrote:
>>>>>>>>>>>>>>> Thank you so much.
>>>>>>>>>>>>>>> Thus I must change "idmap config JASONDOMAIN.JJ:backend = ad
>>>>>>>>>>>>>>> " to "idmap config JASONDOMAIN:backend = ad".
>>>>>>>>>>>>>>> How about the workgroup? Must it change to "JASONDOMAIN" too?
>>>>>>>>>>>>>>> About your question, I must say that I tested this share via
>>>>>>>>>>>>>>> Linux too, and Windows and Linux have the same problem.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> About "What I would do is, install the OpenSSH server on the
>>>>>>>>>>>>>>> linux machine, install 'PUTTY' on a windows machine and try
>>>>>>>>>>>>>>> to login via 'PUTTY' and use the SSH protocol.", you mean
>>>>>>>>>>>>>>> that Windows clients use SSH to work with this directory? I
>>>>>>>>>>>>>>> want to make this Linux box a file server, and Windows
>>>>>>>>>>>>>>> clients need a graphical browser to copy and paste files into
>>>>>>>>>>>>>>> this directory!!!!!!!
>>>>>>>>>>>>>>> What is your idea?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Thanks.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I am losing track here a bit, but if your dns domain is
>>>>>>>>>>>>>> example.com, then your windows AD realm should be something like
>>>>>>>>>>>>>> internal.example.com and your workgroup/domain name should be
>>>>>>>>>>>>>> INTERNAL, that is, they all rely on each other.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> So anywhere that you come across these, you should use the
>>>>>>>>>>>>>> relevant one. These are the relevant parts from a Unix client on
>>>>>>>>>>>>>> my domain:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [global]
>>>>>>>>>>>>>> workgroup = INTERNAL
>>>>>>>>>>>>>> security = ADS
>>>>>>>>>>>>>> realm = INTERNAL.EXAMPLE.COM
>>>>>>>>>>>>>> ..........
>>>>>>>>>>>>>> idmap config * : backend = tdb
>>>>>>>>>>>>>> idmap config * : range = 2000-9999
>>>>>>>>>>>>>> idmap config INTERNAL : backend = ad
>>>>>>>>>>>>>> idmap config INTERNAL : range = 10000-999999
>>>>>>>>>>>>>> idmap config INTERNAL : schema_mode = rfc2307
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> As for using 'PUTTY', this was just a way of testing whether you
>>>>>>>>>>>>>> can connect to the Unix machine.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>> OK, we are getting closer.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Right, answers to your questions:
>>>>>>>>>>>>> 1) I think that you may find that this is also printed: 'Could not
>>>>>>>>>>>>> chdir to home directory', in which case you will end up in the root
>>>>>>>>>>>>> of the computer.
>>>>>>>>>>>>>
>>>>>>>>>>>>> 2) Are you running the 'nmbd' daemon ? Even if this is not running
>>>>>>>>>>>>> you should be able to navigate to the share by entering the path.
>>>>>>>>>>>>> Have a look here:
>>>>>>>>>>>>>
>>>>>>>>>>>>> https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>
>>>>>>>>>>> You are trying to run the command on a client, try adding either:
>>>>>>>>>>>
>>>>>>>>>>> -S server name
>>>>>>>>>>>
>>>>>>>>>>> OR
>>>>>>>>>>>
>>>>>>>>>>> -I address of target server
>>>>>>>>>>>
>>>>>>>>>>> where 'server' is the AD DC.
>>>>>>>>>>>
>>>>>>>>>>> Yes, you need to supply the password of the Domain Administrator.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Rowland
>>>>>>>>>>>
>>>>>>>>>> OK, try it like this:
>>>>>>>>>>
>>>>>>>>>> net rpc rights grant 'Domain Admins' SeDiskOperatorPrivilege -UAdministrator -I 192.168.1.1
>>>>>>>>>>
>>>>>>>>>> This works for me on a client joined to the domain.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Rowland
>>>>>>>>>>
>>>>>>>>> Sounds like something is wrong with the join, what does 'net ads
>>>>>>>>> testjoin' return ? You may have to run this command with sudo.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Rowland
>>>>>>>>>
>>>>>>> Sometimes I wonder why all the time is spent on keeping the samba wiki
>>>>>>> updated. Likewiseopen was replaced some time ago by PowerBroker Open; I
>>>>>>> cannot recommend using either of these because, quite simply, they are
>>>>>>> not needed.
>>>>>>>
>>>>>>> Check the following files:
>>>>>>>
>>>>>>> /etc/samba/smb.conf
>>>>>>>
>>>>>>> [global]
>>>>>>> workgroup = JASONDOMAINI
>>>>>>> security = ADS
>>>>>>> realm = JASONDOMAINI.JASONDOMAIN.JJ
>>>>>>> dedicated keytab file = /etc/krb5.keytab
>>>>>>> kerberos method = secrets and keytab
>>>>>>> server string = Samba 4 Client %h
>>>>>>> winbind enum users = yes
>>>>>>> winbind enum groups = yes
>>>>>>> winbind use default domain = yes
>>>>>>> winbind expand groups = 4
>>>>>>> winbind nss info = rfc2307
>>>>>>> winbind refresh tickets = Yes
>>>>>>> winbind normalize names = Yes
>>>>>>> idmap config * : backend = tdb
>>>>>>> idmap config * : range = 2000-9999
>>>>>>> idmap config JASONDOMAINI : backend = ad
>>>>>>> idmap config JASONDOMAINI : range = 10000-999999
>>>>>>> idmap config JASONDOMAINI : schema_mode = rfc2307
>>>>>>> printcap name = cups
>>>>>>> cups options = raw
>>>>>>> usershare allow guests = yes
>>>>>>> domain master = no
>>>>>>> local master = no
>>>>>>> preferred master = no
>>>>>>> os level = 20
>>>>>>> map to guest = bad user
>>>>>>> vfs objects = acl_xattr
>>>>>>> map acl inherit = Yes
>>>>>>> store dos attributes = Yes
>>>>>>> log level = 6
>>>>>>>
>>>>>>> /etc/krb5.conf
>>>>>>>
>>>>>>> [libdefaults]
>>>>>>> default_realm = JASONDOMAINI.JASONDOMAIN.JJ
>>>>>>> dns_lookup_realm = false
>>>>>>> dns_lookup_kdc = true
>>>>>>> ticket_lifetime = 24h
>>>>>>> forwardable = yes
>>>>>>>
>>>>>>> /etc/resolv.conf
>>>>>>>
>>>>>>> nameserver <your AD DC's ipaddress>
>>>>>>> search jasondomaini.jasondomain.jj
>>>>>>>
>>>>>>> If required, alter them to match the above, check that 'hostname'
>>>>>>> returns only the hostname of the client, check that 'hostname -f'
>>>>>>> returns the FQDN. If either are not correct, fix them.
>>>>>>>
>>>>>>> Remove likewiseopen
>>>>>>>
>>>>>>> Once everything is correct, run the following command:
>>>>>>>
>>>>>>> net ads join -U Administrator at JASONDOMAINI.JASONDOMAIN.JJ
>>>>>>>
>>>>>>> You should be asked for the domain Administrator's password; enter this
>>>>>>> and you should join the domain.
>>>>>>>
>>>>>>> Rowland
>>>>>>>
>>>>>> What Windows DC are you using ?
>>>>>> What is the realm name * workgroup name on the Windows DC ?
>>>>>>
>>>>>> Rowland
>>>>> oops, that should have been:
>>>>>
>>>>>
>>>>> What is the realm name & workgroup name on the Windows DC ?
>>>>>
>>>>> Rowland
>>>>>
>>>> Hi, will you answer these questions:
>>>>
>>>> What Windows DC are you using ?
>>>> What is the realm name on the Windows DC ?
>>>> What is the workgroup name on the Windows DC ?
>>>>
>>>> You do not need all of what you have in /etc/krb5.conf, but please
>>>> answer the questions above first.
>>>>
>>>> Rowland
>>>>
>>> OK, so what is your 'domain' name (and No, it is not 'JASONDOMAIN.JJ')
>>>
>>> Rowland
>>>
You're confused !!!
Looking back over what you posted I found this:
Thanks a lot.
I changed the below lines to correct domain name :
idmap config JASONDOMAIN : range = 10000-999999
idmap config JASONDOMAIN : schema_mode = rfc2307
and after join, the command "net rpc testjoin" show same error :
Unable to find a suitable server for domain JASONDOMAINI
Join to domain 'JASONDOMAINI' is not valid: NT_STATUS_UNSUCCESSFUL
This was 05/01/15 07:02.
Totally missed it then, but now it sticks out like a sore thumb: is your
workgroup/NetBIOS domain 'JASONDOMAIN' *OR* 'JASONDOMAINI' ?????
Rowland
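The thread keeps tripping over the same distinction: the Kerberos/DNS realm (JASONDOMAIN.JJ) versus the NetBIOS workgroup (JASONDOMAINI), and the fact that the 'idmap config' label must be the workgroup. The following POSIX shell audit is an added example, not from this thread or the Samba project: it reads an smb.conf and krb5.conf and flags the two inconsistencies seen above (realm not matching krb5 default_realm, idmap label not matching the workgroup) plus one check a member server should pass anyway, non-overlapping idmap ranges. All file names and sample contents are constructed.

```shell
#!/bin/sh
# Consistency audit for a Samba AD member's smb.conf and krb5.conf (added
# example, not from the thread or the Samba project; sample files constructed).

# Value of KEY in FILE ("key = value" lines; whitespace around '=' and ':' is
# normalised, the key is compared case-insensitively, first match wins).
smb_value() {
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*=[[:space:]]*/=/' \
        -e 's/[[:space:]]*:[[:space:]]*/:/' "$1" |
        awk -F= -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }'
}
upper() { tr '[:lower:]' '[:upper:]'; }

# smb.conf 'realm' must equal krb5.conf 'default_realm' (case-insensitive).
check_realm() {
    r=$(smb_value "$1" realm | upper); k=$(smb_value "$2" default_realm | upper)
    [ -n "$r" ] && [ "$r" = "$k" ]
}

# Every per-domain 'idmap config DOM : ...' label must be the NetBIOS
# workgroup name, not the DNS realm (the mix-up in this thread).
check_idmap_domain() {
    wg=$(smb_value "$1" workgroup | upper)
    labels=$(sed 's/^[[:space:]]*//' "$1" | upper | grep '^IDMAP CONFIG' |
        grep -v 'CONFIG \*' | sed -e 's/^IDMAP CONFIG[[:space:]]*//' \
        -e 's/[[:space:]]*:.*//' | sort -u)
    [ -n "$wg" ] && [ -n "$labels" ] || return 1
    for l in $labels; do [ "$l" = "$wg" ] || return 1; done
}

# idmap ranges must not overlap, or two different SIDs can map to one UID/GID.
check_idmap_ranges() {
    sed 's/^[[:space:]]*//' "$1" | grep -i '^idmap config.*range' |
        sed 's/.*=[[:space:]]*//' | tr '-' ' ' | sort -n |
        awk 'BEGIN { bad = 0 } NR > 1 && $1 <= hi { bad = 1 } { hi = $2 } END { exit bad }'
}
# Run all checks; prints each failure and returns their count (0 = consistent).
audit() {
    n=0
    check_realm "$1" "$2"   || { echo "  realm != krb5 default_realm"; n=$((n+1)); }
    check_idmap_domain "$1" || { echo "  idmap domain label != workgroup"; n=$((n+1)); }
    check_idmap_ranges "$1" || { echo "  idmap ranges overlap"; n=$((n+1)); }
    return "$n"
}

# Constructed samples: a consistent pair, and one repeating the thread's errors.
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
KRB5="$TMP/krb5.conf"; GOOD_SMB="$TMP/good-smb.conf"; BAD_SMB="$TMP/bad-smb.conf"
printf '[libdefaults]\n    default_realm = JASONDOMAIN.JJ\n' > "$KRB5"
cat > "$GOOD_SMB" <<'EOF'
[global]
    workgroup = JASONDOMAINI
    realm = JASONDOMAIN.JJ
    idmap config * : backend = tdb
    idmap config * : range = 2000-9999
    idmap config JASONDOMAINI : backend = ad
    idmap config JASONDOMAINI : range = 10000-999999
EOF
cat > "$BAD_SMB" <<'EOF'
[global]
    workgroup = JASONDOMAINI
    realm = JASONDOMAINI.JASONDOMAIN.JJ
    idmap config *:range = 2000-20000
    idmap config JASONDOMAIN:backend = ad
    idmap config JASONDOMAIN:range = 10000-999999
EOF
for f in "$GOOD_SMB" "$BAD_SMB"; do
    echo "$f:"; audit "$f" "$KRB5" && echo "  consistent"
done
```

Point `audit` at the real /etc/samba/smb.conf and /etc/krb5.conf before running 'net ads join'; a non-zero return means the files disagree with each other and the join or the idmap lookups will misbehave.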