[Samba] Use Samba with ACL for read Active Directory and set Permissions via it.

Rowland Penny rowlandpenny at googlemail.com
Mon Jan 12 08:34:24 MST 2015


On 12/01/15 14:53, Jason Long wrote:
> Thank you.
> I'm really sorry Bro.
> You're right. When I get properties from AD, "Domain name (Pre-Windows 2000)" is "JASONDOMAINI". I'm sorry :( but when I want to join a Windows client to my domain I use "JASONDOMAIN.JJ" !!!!
> I guess that we must change SAMBA configuration.
>
> Cheers.
>
>
>
>
> On Friday, January 9, 2015 1:55 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
> On 09/01/15 08:40, Jason Long wrote:
>> Thanks.
>> I'm confused. Can I paste "set" command on windows for you?
>> "jason" account is administrator and can join and dis-join any computer.
>>
>> Cheers.
>>
>>
>>
>> On Wednesday, January 7, 2015 2:59 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>> On 07/01/15 10:51, Jason Long wrote:
>>> Thank you.
>>> I changed my "krb5.conf" as below :
>>>
>>>
>>> [logging]
>>> default = FILE:/var/log/krb5libs.log
>>> kdc = FILE:/var/log/krb5kdc.log
>>> admin_server = FILE:/var/log/kadmind.log
>>>
>>> [libdefaults]
>>> default_realm = JASONDOMAIN.JJ
>>> dns_lookup_realm = false
>>> dns_lookup_kdc = true
>>> ticket_lifetime = 24h
>>> renew_lifetime = 7d
>>> forwardable = yes
>>> default_keytab_name = /etc/krb5.keytab
>>> default_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
>>> default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
>>> preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
>>> pkinit_kdc_hostname = <DNS>
>>> pkinit_anchors = DIR:/var/lib/pbis/trusted_certs
>>> pkinit_cert_match = &&<EKU>msScLogin<PRINCIPAL>
>>> pkinit_eku_checking = kpServerAuth
>>> pkinit_win2k_require_binding = false
>>> pkinit_identities = PKCS11:/opt/pbis/lib64/libpkcs11.so
>>>
>> My krb5.conf is:
>>
>> [libdefaults]
>>         default_realm = EXAMPLE.LAN
>>         dns_lookup_realm = false
>>         dns_lookup_kdc = true
>>         ticket_lifetime = 24h
>>         forwardable = yes
>>
>>> and removed "krb5.keytab" too. You told me that my domain name is "jasondomaini" but it is wrong. My domain name is "jasondomain.jj" and the backend is "jasondomaini". For example, when I want to log in to Windows I use "jasondomaini\jason".
>>>
>>> After entering the command "net ads join -U jason at jasondomain.jj", my computer joined, but when I use "net rpc testjoin" I get the same error as below:
>>>
>>> Unable to find a suitable server for domain JASONDOMAINI
>>> Join to domain 'JASONDOMAINI' is not valid: NT_STATUS_UNSUCCESSFUL
>>>
>>> I don't know why it see domain name as "JASONDOMAINI". How can I edit it?
>> You shouldn't because 'JASONDOMAINI' *IS* your domain name *NOT* the
>> backend!!!
>>
>> The join command should be 'net ads join -U jason at JASONDOMAIN.JJ' , but
>> does 'jason' have the required rights to join the domain ?? Try again
>> but this time use:
>>
>> net ads join -U Administrator at JASONDOMAIN.JJ
>>
>> and enter the 'Administrator' password when prompted.
>>
>> Rowland
>>> Thanks.
>>>
>>>
>>>
>>>
>>> On Tuesday, January 6, 2015 12:57 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>> On 06/01/15 06:17, Jason Long wrote:
>>>> Thanks.
>>>> My domain name is "jasondomain.jj" and backend is "jasondomaini".
>>> No, your realm name is "jasondomain.jj" and it would seem that your
>>> domain name is "jasondomaini", the domain name can also be known as the
>>> 'workgroup' name.
>>>
>>> Set smb.conf to match this:
>>>
>>> [global]
>>>             workgroup = JASONDOMAINI
>>>             security = ADS
>>>             realm = JASONDOMAIN.JJ
>>>             dedicated keytab file = /etc/krb5.keytab
>>>             kerberos method = secrets and keytab
>>>             server string = Samba 4 Client %h
>>>             winbind enum users = yes
>>>             winbind enum groups = yes
>>>             winbind use default domain = yes
>>>             winbind expand groups = 4
>>>             winbind nss info = rfc2307
>>>             winbind refresh tickets = Yes
>>>             winbind offline logon = yes
>>>             winbind normalize names = Yes
>>>             idmap config * : backend = tdb
>>>             idmap config * : range = 2000-9999
>>>             idmap config JASONDOMAINI : backend  = ad
>>>             idmap config JASONDOMAINI : range = 10000-999999
>>>             idmap config JASONDOMAINI : schema_mode = rfc2307
>>>             printcap name = cups
>>>             cups options = raw
>>>             usershare allow guests = yes
>>>             domain master = no
>>>             local master = no
>>>             preferred master = no
>>>             os level = 20
>>>             map to guest = bad user
>>>
>>> set /etc/krb5.conf to this:
>>>
>>> [libdefaults]
>>>          default_realm = JASONDOMAIN.JJ
>>>          dns_lookup_realm = false
>>>          dns_lookup_kdc = true
>>>          ticket_lifetime = 24h
>>>          forwardable = yes
>>>
>>> set /etc/resolv.conf
>>>
>>> nameserver <ip of your windows server>
>>> search jasondomain.jj
>>>
>>> If /etc/krb5.keytab exists, delete it.
>>>
>>> make sure the time on the client matches the server.
>>>
>>> then try to join the domain:
>>>
>>> net ads join -U Administrator at JASONDOMAIN.JJ
>>>
>>>
>>> Rowland
>>>> On Monday, January 5, 2015 3:48 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>>> On 05/01/15 11:09, Jason Long wrote:
>>>>> Thank you.
>>>>>
>>>>> My Windows is Windows server 2008 R2.
>>>>> About realm name, My domain name is "JASONDOMAIN.JJ".
>>>>> My Windows not have any Workgroup Name. It is Domain.
>>>>>
>>>>>
>>>>> Thanks
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Monday, January 5, 2015 1:05 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>>>> On 05/01/15 07:02, Jason Long wrote:
>>>>>> Thanks a lot.
>>>>>> I changed the below lines to correct domain name :
>>>>>>
>>>>>> idmap config JASONDOMAIN : range = 10000-999999
>>>>>> idmap config JASONDOMAIN : schema_mode = rfc2307
>>>>>>
>>>>>> and after join, the command "net rpc testjoin" show same error :
>>>>>>
>>>>>> Unable to find a suitable server for domain JASONDOMAINI
>>>>>> Join to domain 'JASONDOMAINI' is not valid: NT_STATUS_UNSUCCESSFUL
>>>>>>
>>>>>> I have an idea and I guess that "/etc/krb5.conf" has some incorrect options. The file is "
>>>>>>
>>>>>> [logging]
>>>>>> default = FILE:/var/log/krb5libs.log
>>>>>> kdc = FILE:/var/log/krb5kdc.log
>>>>>> admin_server = FILE:/var/log/kadmind.log
>>>>>>
>>>>>> [libdefaults]
>>>>>> default_realm = JASONDOMAIN.JJ
>>>>>> dns_lookup_realm = false
>>>>>> dns_lookup_kdc = true
>>>>>> ticket_lifetime = 24h
>>>>>> renew_lifetime = 7d
>>>>>> forwardable = yes
>>>>>> default_keytab_name = /etc/krb5.keytab
>>>>>> default_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
>>>>>> default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
>>>>>> preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
>>>>>> pkinit_kdc_hostname = <DNS>
>>>>>> pkinit_anchors = DIR:/var/lib/pbis/trusted_certs
>>>>>> pkinit_cert_match = &&<EKU>msScLogin<PRINCIPAL>
>>>>>> pkinit_eku_checking = kpServerAuth
>>>>>> pkinit_win2k_require_binding = false
>>>>>> pkinit_identities = PKCS11:/opt/pbis/lib64/libpkcs11.so
>>>>>>
>>>>>> [realms]
>>>>>> EXAMPLE.COM = {
>>>>>> kdc = kerberos.example.com
>>>>>> admin_server = kerberos.example.com
>>>>>> }
>>>>>> JASONDOMAIN.JJ = {
>>>>>> auth_to_local = RULE:[1:$0\$1](^JASONDOMAIN\.JJ\\.*)s/^JASONDOMAIN\.JJ/JASONDOMAINI/
>>>>>> auth_to_local = RULE:[1:$0\$1](^ADVER\.JASONDOMAIN\.JJ\\.*)s/^ADVER\.JASONDOMAIN\.JJ/ADVER/
>>>>>> auth_to_local = DEFAULT
>>>>>> }
>>>>>>
>>>>>> [domain_realm]
>>>>>> .example.com = EXAMPLE.COM
>>>>>> example.com = EXAMPLE.COM
>>>>>> .JASONDOMAIN.JJ = JASONDOMAIN.JJ
>>>>>> .adver.JASONDOMAIN.JJ = ADVER.JASONDOMAIN.JJ
>>>>>> [capaths]
>>>>>> [appdefaults]
>>>>>> pam = {
>>>>>> mappings = JASONDOMAINI\\(.*) $1 at JASONDOMAIN.JJ
>>>>>> forwardable = true
>>>>>> validate = true
>>>>>> }
>>>>>> httpd = {
>>>>>> mappings = JASONDOMAINI\\(.*) $1 at JASONDOMAIN.JJ
>>>>>> reverse_mappings = (.*)@JASONDOMAIN\.JJ JASONDOMAINI\$1
>>>>>> }
>>>>>>
>>>>>>
>>>>>>
>>>>>> What is your idea? I must tell you that after removed LikeWise and configure manually, I can't login to Linux via Windows AD accounts.
>>>>>>
>>>>>>
>>>>>> Thanks.
>>>>>>   
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Sunday, January 4, 2015 5:11 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>>>>> On 04/01/15 13:00, Rowland Penny wrote:
>>>>>>> On 04/01/15 10:17, Jason Long wrote:
>>>>>>>> Thanks a lot.
>>>>>>>> I enter the command and result is :
>>>>>>>>
>>>>>>>> Using short domain name -- JASONDOMAINI
>>>>>>>> Joined 'PRINTMAH' to dns domain 'JASONDOMAIN.JJ'
>>>>>>>> but after run "net rpc testjoin" :
>>>>>>>>
>>>>>>>> Unable to find a suitable server for domain JASONDOMAINI
>>>>>>>> Join to domain 'JASONDOMAINI' is not valid: NT_STATUS_UNSUCCESSFUL
>>>>>>>>
>>>>>>>> I guess I understand what is my problem. I'm really sorry :(.
>>>>>>>>
>>>>>>>> On Windows OS i used "set" command and it show me :
>>>>>>>>
>>>>>>>> USERDNSDOMAIN= JASONDOMAIN.JJ
>>>>>>>> USERDOMAIN= JASONDOMAINI
>>>>>>>>
>>>>>>>> I guess that I must change "JASONDOMAINI" in below texts to
>>>>>>>> "JASONDOMAIN" :
>>>>>>>>
>>>>>>>> idmap config JASONDOMAINI : range = 10000-999999
>>>>>>>> idmap config JASONDOMAINI : schema_mode = rfc2307
>>>>>>>>
>>>>>>>> Am I right?
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Saturday, January 3, 2015 7:44 AM, Rowland Penny
>>>>>>>> <rowlandpenny at googlemail.com> wrote:
>>>>>>>> On 03/01/15 15:08, Jason Long wrote:
>>>>>>>>> Thank you.
>>>>>>>>> I used below videos for join my Linux Box to Windows domain :
>>>>>>>>>
>>>>>>>>> http://www.youtube.com/watch?v=Y3TFPDT9uic
>>>>>>>>>
>>>>>>>>> Please look at this video and I used instructions in it and
>>>>>>>>> LikeWiseOpen tool.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Cheers.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Saturday, January 3, 2015 5:45 AM, Rowland Penny
>>>>>>>>> <rowlandpenny at googlemail.com> wrote:
>>>>>>>>> On 03/01/15 12:38, Jason Long wrote:
>>>>>>>>>> Thanks.
>>>>>>>>>>
>>>>>>>>>> I enter "net ads testjoin" and it show me :
>>>>>>>>>>
>>>>>>>>>> ads_connect: No logon servers
>>>>>>>>>> Join to domain is not valid: No logon servers
>>>>>>>>> You are *not* joined to the domain, I suppose this should have been
>>>>>>>>> asked earlier, but how did you do the domain join ?
>>>>>>>>>
>>>>>>>>> Rowland
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> If it is incorrect, Why I can Login to Linux via Windows account?
>>>>>>>>>> As you see, I followed the steps on Video.
>>>>>>>>>>
>>>>>>>>>> :(.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On Saturday, January 3, 2015 1:13 AM, Rowland Penny
>>>>>>>>>> <rowlandpenny at googlemail.com> wrote:
>>>>>>>>>> On 03/01/15 05:41, Jason Long wrote:
>>>>>>>>>>> Thank you.
>>>>>>>>>>> Command show below error :
>>>>>>>>>>>
>>>>>>>>>>> Could not connect to server 192.168.1.1
>>>>>>>>>>> Connection failed: NT_STATUS_INVALID_WORKSTATION
>>>>>>>>>>>
>>>>>>>>>>> :(
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On Wednesday, December 31, 2014 2:05 AM, Rowland Penny
>>>>>>>>>>> <rowlandpenny at googlemail.com> wrote:
>>>>>>>>>>> On 31/12/14 09:55, Jason Long wrote:
>>>>>>>>>>>> Thanks.
>>>>>>>>>>>> I changed the command as below :
>>>>>>>>>>>>
>>>>>>>>>>>> #net rpc rights grant 'jasondomain\Domain Admins'
>>>>>>>>>>>> SeDiskOperatorPrivilege -U jasondomain\\administrator -I 192.168.1.1
>>>>>>>>>>>>
>>>>>>>>>>>> But Got below error :
>>>>>>>>>>>>
>>>>>>>>>>>> Could not connect to server 192.168.1.1
>>>>>>>>>>>> Connection failed: NT_STATUS_INVALID_WORKSTATION
>>>>>>>>>>>>
>>>>>>>>>>>> Cheers.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> On Wednesday, December 31, 2014 1:35 AM, Rowland Penny
>>>>>>>>>>>> <rowlandpenny at googlemail.com> wrote:
>>>>>>>>>>>> On 31/12/14 09:17, Jason Long wrote:
>>>>>>>>>>>>> Thank you so much but I run below commands on linux :
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> # net rpc rights grant 'jasondomain\Domain Admins'
>>>>>>>>>>>>> SeDiskOperatorPrivilege -Uadministrator
>>>>>>>>>>>>> # net rpc rights list accounts -Uadministrator
>>>>>>>>>>>>>
>>>>>>>>>>>>> it ask me a password for "administrator:
>>>>>>>>>>>>>
>>>>>>>>>>>>> Enter administrator's password:
>>>>>>>>>>>>> Could not connect to server 127.0.0.1
>>>>>>>>>>>>> Connection failed: NT_STATUS_NO_LOGON_SERVERS
>>>>>>>>>>>>>
>>>>>>>>>>>>> Must I enter windows administrator password?
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> Thanks.
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Monday, December 29, 2014 5:10 AM, Rowland Penny
>>>>>>>>>>>>> <rowlandpenny at googlemail.com> wrote:
>>>>>>>>>>>>> On 29/12/14 12:52, Jason Long wrote:
>>>>>>>>>>>>>> Thank you so much.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I did some changes like below :
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> /dev/mapper/vg_print-lv_root / ext4
>>>>>>>>>>>>>> user_xattr,acl,defaults        1 1
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Then "lsof | grep /dev/mapper/vg_print-lv_root" not have any
>>>>>>>>>>>>>> output.
>>>>>>>>>>>>>> I added below lines to [global] section too :
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> vfs objects = acl_xattr
>>>>>>>>>>>>>> map acl inherit = Yes
>>>>>>>>>>>>>> store dos attributes = Yes
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> But about below commands can you tell me more?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> net rpc rights grant 'SAMDOM\Domain Admins'
>>>>>>>>>>>>>> SeDiskOperatorPrivilege -Uadministrator
>>>>>>>>>>>>>> net rpc rights list accounts -Uadministrator
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I hope they are not Dangerous!!!!
>>>>>>>>>>>>> No :-)
>>>>>>>>>>>>>
>>>>>>>>>>>>> The first one gives members of Domain Admins the right to change
>>>>>>>>>>>>> windows ACL's on a share.
>>>>>>>>>>>>> The second lists accounts and what rights they have.
>>>>>>>>>>>>>
>>>>>>>>>>>>>> In the
>>>>>>>>>>>>>> "https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs"
>>>>>>>>>>>>>> , the other steps are in Windows!!! Can I do them via Linux too?
>>>>>>>>>>>>> Yes, but it is just easier via windows
>>>>>>>>>>>>>
>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>>         Thanks.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Monday, December 29, 2014 1:59 AM, Rowland Penny
>>>>>>>>>>>>>> <rowlandpenny at googlemail.com> wrote:
>>>>>>>>>>>>>> On 29/12/14 06:38, Jason Long wrote:
>>>>>>>>>>>>>>> Thank you so much.
>>>>>>>>>>>>>>> You're right, my realm is "jasondomaini.jasondomain.jj" and I
>>>>>>>>>>>>>>> change configure as below :
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> [global]
>>>>>>>>>>>>>>> workgroup = JASONDOMAINI
>>>>>>>>>>>>>>> server string = Samba Server Version %v
>>>>>>>>>>>>>>> # logs split per machine
>>>>>>>>>>>>>>> log file = /var/log/samba/log.%m
>>>>>>>>>>>>>>> # max 50KB per log file, then rotate
>>>>>>>>>>>>>>> max log size = 50
>>>>>>>>>>>>>>> security = ADS
>>>>>>>>>>>>>>> realm = JASONDOMAINI.JASONDOMAIN.JJ
>>>>>>>>>>>>>>> passdb backend = tdbsam
>>>>>>>>>>>>>>> load printers = yes
>>>>>>>>>>>>>>> cups options = raw
>>>>>>>>>>>>>>> idmap config *:backend = tdb
>>>>>>>>>>>>>>> idmap config *:range = 70001-80000
>>>>>>>>>>>>>>> #idmap config SAMDOM:backend = ad
>>>>>>>>>>>>>>> idmap config JASONDOMAINI:backend = ad
>>>>>>>>>>>>>>> idmap config JASONDOMAINI:schema_mode = rfc2307
>>>>>>>>>>>>>>> idmap config JASONDOMAINI:range = 500-40000
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> When I use "SSH" on my CentOS and enter "jasondomain\jason",
>>>>>>>>>>>>>>> It show me the root partition and I can open "Test" directory
>>>>>>>>>>>>>>> But it has two problems :
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> 1- Why it show root partition?
>>>>>>>>>>>>>>> 2- I can't browse it via Windows explorer!!!
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I want to know: is using AD users in Linux hard?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> In your opinion I used a correct command to set ACL?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> #getfacl test/
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> # file: test/
>>>>>>>>>>>>>>> # owner: JASONDOMAINI\134JASON
>>>>>>>>>>>>>>> # group: JASONDOMAINI\134grp-JASON-rw
>>>>>>>>>>>>>>> user::rwx
>>>>>>>>>>>>>>> group::r-x
>>>>>>>>>>>>>>> group:JASONDOMAINI\134grp-JASON-rw:rwx
>>>>>>>>>>>>>>> mask::rwx
>>>>>>>>>>>>>>> other::r-x
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> and in "getent group" it show me below group :
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> JASONDOMAINI\134grp-JASON-rw
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> In your opinion, am I using the correct command to set permissions?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Sunday, December 28, 2014 9:37 AM, Rowland Penny
>>>>>>>>>>>>>>> <rowlandpenny at googlemail.com> wrote:
>>>>>>>>>>>>>>> On 28/12/14 15:48, Jason Long wrote:
>>>>>>>>>>>>>>>> Thank you so much.
>>>>>>>>>>>>>>>> Thus I must change "idmap config JASONDOMAIN.JJ:backend = ad
>>>>>>>>>>>>>>>> " to "idmap config JASONDOMAIN:backend = ad".
>>>>>>>>>>>>>>>> How about Workgroup? Must I change "JASONDOMAIN" too?
>>>>>>>>>>>>>>>> About your question I must say that I Test this share via
>>>>>>>>>>>>>>>> Linux too and Windows and Linux has same problem.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> About "What I would do is, install the OpenSSH server on the
>>>>>>>>>>>>>>>> linux machine, install 'PUTTY' on a windows machine and try
>>>>>>>>>>>>>>>> to login via 'PUTTY' and use the SSH protocol." , You mean is
>>>>>>>>>>>>>>>> that Windows clients use SSH to work with this directory? I
>>>>>>>>>>>>>>>> want to made this Linux Box as a File server and Windows
>>>>>>>>>>>>>>>> Clients need graphical browser to copy and paste file into
>>>>>>>>>>>>>>>> this directory!!!!!!!
>>>>>>>>>>>>>>>> What is your idea?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Thanks.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I am losing track here a bit, but if your dns domain is
>>>>>>>>>>>>>>> example.com,
>>>>>>>>>>>>>>> then your windows AD realm should be something like
>>>>>>>>>>>>>>> internal.example.com
>>>>>>>>>>>>>>> and your workgroup/domain name should be INTERNAL, that is,
>>>>>>>>>>>>>>> they all
>>>>>>>>>>>>>>> rely on each other.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> So anywhere that you come across these, you should use the
>>>>>>>>>>>>>>> relevant one,
>>>>>>>>>>>>>>> this is the relevant parts from a Unix client on my domain:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> [global]
>>>>>>>>>>>>>>>                        workgroup = INTERNAL
>>>>>>>>>>>>>>>                        security = ADS
>>>>>>>>>>>>>>>                        realm = INTERNAL.EXAMPLE.COM
>>>>>>>>>>>>>>>                        ..........
>>>>>>>>>>>>>>>                        idmap config * : backend = tdb
>>>>>>>>>>>>>>>                        idmap config * : range = 2000-9999
>>>>>>>>>>>>>>>                        idmap config INTERNAL : backend = ad
>>>>>>>>>>>>>>>                        idmap config INTERNAL : range = 10000-999999
>>>>>>>>>>>>>>>                        idmap config INTERNAL : schema_mode = rfc2307
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> As for using 'PUTTY', this was just a way of testing whether
>>>>>>>>>>>>>>> you can
>>>>>>>>>>>>>>> connect to the Unix machine.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>> OK, we are getting closer
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> right, answers to your questions
>>>>>>>>>>>>>> 1) I think that you may find that this is also printed 'Could
>>>>>>>>>>>>>> not chdir
>>>>>>>>>>>>>> to home directory', in which case you will end up in the root
>>>>>>>>>>>>>> of computer.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> 2) Are you running the 'nmbd' daemon ? Even if this is not
>>>>>>>>>>>>>> running you
>>>>>>>>>>>>>> should be able to navigate to the share by entering the path.
>>>>>>>>>>>>>> Have a
>>>>>>>>>>>>>> look here:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>
>>>>>>>>>>>> You are trying to run the command on a client, try adding either:
>>>>>>>>>>>>
>>>>>>>>>>>> -S server name
>>>>>>>>>>>>
>>>>>>>>>>>> OR
>>>>>>>>>>>>
>>>>>>>>>>>> -I address of target server
>>>>>>>>>>>>
>>>>>>>>>>>> where 'server' is the AD DC.
>>>>>>>>>>>>
>>>>>>>>>>>> Yes, you need to supply the password of the Domain Administrator.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Rowland
>>>>>>>>>>>>
>>>>>>>>>>> OK, try it like this:
>>>>>>>>>>>
>>>>>>>>>>> net rpc rights grant 'Domain Admins' SeDiskOperatorPrivilege
>>>>>>>>>>> -UAdministrator -I 192.168.1.1
>>>>>>>>>>>
>>>>>>>>>>> This works for me on a client joined to the domain.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Rowland
>>>>>>>>>>>
>>>>>>>>>> Sounds like something is wrong with the join, what does 'net ads
>>>>>>>>>> testjoin' return ? You may have to run this command with sudo.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Rowland
>>>>>>>>>>
>>>>>>>> Sometimes I wonder why all the time is spent on keeping the samba wiki
>>>>>>>> updated. Likewiseopen was replaced sometime ago by PowerBroker Open, I
>>>>>>>> cannot recommend using either of these, because quite simply, they are
>>>>>>>> not needed.
>>>>>>>>
>>>>>>>> Check the following files:
>>>>>>>>
>>>>>>>> /etc/samba/smb.conf
>>>>>>>>
>>>>>>>> [global]
>>>>>>>>                 workgroup = JASONDOMAINI
>>>>>>>>                 security = ADS
>>>>>>>>                 realm = JASONDOMAINI.JASONDOMAIN.JJ
>>>>>>>>                 dedicated keytab file = /etc/krb5.keytab
>>>>>>>>                 kerberos method = secrets and keytab
>>>>>>>>                 server string = Samba 4 Client %h
>>>>>>>>                 winbind enum users = yes
>>>>>>>>                 winbind enum groups = yes
>>>>>>>>                 winbind use default domain = yes
>>>>>>>>                 winbind expand groups = 4
>>>>>>>>                 winbind nss info = rfc2307
>>>>>>>>                 winbind refresh tickets = Yes
>>>>>>>>                 winbind normalize names = Yes
>>>>>>>>                 idmap config * : backend = tdb
>>>>>>>>                 idmap config * : range = 2000-9999
>>>>>>>>                 idmap config JASONDOMAINI : backend  = ad
>>>>>>>>                 idmap config JASONDOMAINI : range = 10000-999999
>>>>>>>>                 idmap config JASONDOMAINI : schema_mode = rfc2307
>>>>>>>>                 printcap name = cups
>>>>>>>>                 cups options = raw
>>>>>>>>                 usershare allow guests = yes
>>>>>>>>                 domain master = no
>>>>>>>>                 local master = no
>>>>>>>>                 preferred master = no
>>>>>>>>                 os level = 20
>>>>>>>>                 map to guest = bad user
>>>>>>>>                 vfs objects = acl_xattr
>>>>>>>>                 map acl inherit = Yes
>>>>>>>>                 store dos attributes = Yes
>>>>>>>>                 log level = 6
>>>>>>>>
>>>>>>>> /etc/krb5.conf
>>>>>>>>
>>>>>>>> [libdefaults]
>>>>>>>>              default_realm = JASONDOMAINI.JASONDOMAIN.JJ
>>>>>>>>              dns_lookup_realm = false
>>>>>>>>              dns_lookup_kdc = true
>>>>>>>>              ticket_lifetime = 24h
>>>>>>>>              forwardable = yes
>>>>>>>>
>>>>>>>> /etc/resolv.conf
>>>>>>>>
>>>>>>>> nameserver <your AD DC's ipaddress>
>>>>>>>> search jasondomaini.jasondomain.jj
>>>>>>>>
>>>>>>>> If required, alter them to match the above, check that 'hostname'
>>>>>>>> returns only the hostname of the client, check that 'hostname -f'
>>>>>>>> returns the FQDN. If either are not correct, fix them.
>>>>>>>>
>>>>>>>> Remove likewiseopen
>>>>>>>>
>>>>>>>> Once everything is correct, run the following command:
>>>>>>>>
>>>>>>>> net ads join -U Administrator at JASONDOMAINI.JASONDOMAIN.JJ
>>>>>>>>
>>>>>>>> You should be asked for the domain Administrators password, enter this
>>>>>>>> and you should join the domain
>>>>>>>>
>>>>>>>> Rowland
>>>>>>>>
>>>>>>> What Windows DC are you using ?
>>>>>>> What is the realm name * workgroup name on the Windows DC ?
>>>>>>>
>>>>>>> Rowland
>>>>>> oops, that should have been:
>>>>>>
>>>>>>
>>>>>> What is the realm name & workgroup name on the Windows DC ?
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>> Hi, will you answer these questions:
>>>>>
>>>>> What Windows DC are you using ?
>>>>> What is the realm name on the Windows DC ?
>>>>> What is the workgroup name on the Windows DC ?
>>>>>
>>>>> You do not need all of what you have in /etc/krb5.conf, but please
>>>>> answer the questions above first.
>>>>>
>>>>> Rowland
>>>>>
>>>> OK, so what is your 'domain' name (and No, it is not 'JASONDOMAIN.JJ')
>>>>
>>>> Rowland
>>>>
> You're confused !!!
>
> looking back over what you posted I found this:
>
> Thanks a lot.
> I changed the below lines to correct domain name :
>
> idmap config JASONDOMAIN : range = 10000-999999
> idmap config JASONDOMAIN : schema_mode = rfc2307
>
> and after join, the command "net rpc testjoin" show same error :
>
> Unable to find a suitable server for domain JASONDOMAINI
> Join to domain 'JASONDOMAINI' is not valid: NT_STATUS_UNSUCCESSFUL
>
> this was 05/01/15 07:02
>
> Totally missed it then, but now it sticks out like a sore thumb, is your
> workgroup/NETBiosdomain 'JASONDOMAIN' *OR* 'JASONDOMAINI' ?????
>
> Rowland

When you join a Unix client to an AD domain, you use 'net ads join -U 
Administrator' (or another user that has the right to join machines to 
the domain)

You need to have lines in smb.conf similar to these:

    workgroup = DOMAIN

    realm = DOMAIN.TLD

    idmap config DOMAIN : backend = ad
    idmap config DOMAIN : schema_mode = rfc2307
    idmap config DOMAIN : range = RANGE

Which in your case would be:

    workgroup = JASONDOMAINI

    realm = JASONDOMAIN.JJ

    idmap config JASONDOMAINI : backend = ad
    idmap config JASONDOMAINI : schema_mode = rfc2307
    idmap config JASONDOMAINI : range = RANGE

You would also have to have your realm in /etc/krb5.conf

[libdefaults]
  default_realm = JASONDOMAIN.JJ
  dns_lookup_realm = false
  dns_lookup_kdc = true

The /etc/resolv.conf should look something like this:

search jasondomain.jj
nameserver <ipaddress of your AD DC>

With these all set correctly, the join should work.

Rowland
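The three files above have to agree with each other, and most of this thread was spent on a mismatch between them (idmap config naming JASONDOMAIN while the workgroup is JASONDOMAINI, a krb5 realm that differs from the smb.conf realm, a placeholder nameserver). The checker below is an added example, not Samba's own tooling; it applies the rules from the reply above to constructed copies of the broken and the corrected configuration, and its parsing is deliberately minimal (only the sections it needs).

```python
"""Added example: check that smb.conf [global], /etc/krb5.conf [libdefaults]
and /etc/resolv.conf agree on workgroup (NetBIOS domain), realm and DNS
search domain before running 'net ads join'.  Not Samba code."""
import re


def _section(text, wanted):
    """Key/value pairs of one INI-style section; keys are lower-cased and
    'idmap config DOM : opt' is normalised to 'idmap config dom:opt'."""
    items, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':          # smb.conf/krb5.conf comment lines
            continue
        if line[0] == '[' and line[-1] == ']':
            section = line[1:-1].strip().lower()
        elif section == wanted and '=' in line:
            key, val = line.split('=', 1)
            key = re.sub(r'\s*:\s*', ':', ' '.join(key.lower().split()))
            items[key] = val.strip()
    return items


def _resolv(text):
    """{'search': [...], 'nameserver': [...]} from resolv.conf, lower-cased."""
    out = {'search': [], 'nameserver': []}
    for raw in text.splitlines():
        parts = raw.split('#', 1)[0].split()
        if parts and parts[0] in out:
            out[parts[0]] += [p.lower() for p in parts[1:]]
    return out


def check_join_config(smb_conf, krb5_conf, resolv_conf):
    """Return a list of problems; an empty list means the three files agree."""
    smb = _section(smb_conf, 'global')
    krb = _section(krb5_conf, 'libdefaults')
    dns = _resolv(resolv_conf)
    wg, realm = smb.get('workgroup', ''), smb.get('realm', '')
    if not wg or not realm:
        return ['smb.conf [global] needs both "workgroup" and "realm"']
    problems = []
    if '.' in wg:
        problems.append('workgroup %r is a DNS name; it must be the NetBIOS domain' % wg)
    if realm != realm.upper():
        problems.append('realm %r should be upper case' % realm)
    # per-domain idmap blocks must name the workgroup, not the realm or a typo
    idmap = re.compile(r'idmap config ([^:]+):')
    names = {m.group(1).upper() for m in map(idmap.match, smb) if m}
    for name in sorted(names - {'*', wg.upper()}):
        problems.append('idmap config refers to %r but workgroup is %r' % (name, wg))
    if smb.get('idmap config %s:backend' % wg.lower(), '').lower() != 'ad':
        problems.append('missing "idmap config %s : backend = ad"' % wg)
    if krb.get('default_realm', '') != realm:
        problems.append('krb5.conf default_realm %r != smb.conf realm %r'
                        % (krb.get('default_realm'), realm))
    if realm.lower() not in dns['search']:
        problems.append('resolv.conf search list lacks %r' % realm.lower())
    if not dns['nameserver'] or dns['nameserver'][0].startswith('<'):
        problems.append('resolv.conf nameserver must be the AD DC address (unset or placeholder)')
    return problems


# Constructed samples: BROKEN_* reproduces the mismatch from this thread,
# GOOD_* is the corrected layout from the reply above.
BROKEN_SMB = """[global]
    workgroup = JASONDOMAINI
    security = ADS
    realm = JASONDOMAIN.JJ
    idmap config * : backend = tdb
    idmap config * : range = 2000-9999
    idmap config JASONDOMAIN : backend = ad
    idmap config JASONDOMAIN : range = 10000-999999
    idmap config JASONDOMAIN : schema_mode = rfc2307
"""
BROKEN_KRB5 = "[libdefaults]\n  default_realm = JASONDOMAINI.JASONDOMAIN.JJ\n  dns_lookup_kdc = true\n"
BROKEN_RESOLV = "nameserver <ip of your windows server>\nsearch jasondomain.jj\n"
GOOD_SMB = BROKEN_SMB.replace('idmap config JASONDOMAIN ', 'idmap config JASONDOMAINI ')
GOOD_KRB5 = "[libdefaults]\n  default_realm = JASONDOMAIN.JJ\n  dns_lookup_realm = false\n  dns_lookup_kdc = true\n"
GOOD_RESOLV = "search jasondomain.jj\nnameserver 192.168.1.1\n"
```

Running `check_join_config` on the BROKEN_* set reports the idmap name mismatch, the missing `backend = ad` for JASONDOMAINI, the krb5/smb.conf realm mismatch and the placeholder nameserver; the GOOD_* set reports nothing.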


