[Samba] problem with sessions

Tony Peña emperor.cu at gmail.com
Thu Mar 2 11:40:46 UTC 2017


Hi again.

The users usually work this way: they browse the network to find serverdc by
entering \\serverdc in File Explorer, and after that they choose the correct
share and work inside it with the files they need.

Some of them have mapped that share to a drive letter such as Z: or Y:, but normally
they work this way daily.

So I can't set browseable = No, because the users need to see the shares
on the server; otherwise they go crazy.

OK, I restarted samba-ad-dc with these settings:

root at server-dc:/etc/samba# cat smb.conf
# smb.conf of the Samba AD DC "server-dc" (realm SERVERDC.LCL).
# Share definitions live in /etc/samba/shares.conf and are pulled in by the
# include at the end of [global].
[global]
    workgroup = serverdc
    realm = SERVERDC.LCL
    netbios name = server-dc
    server string = Server DC
    server role = active directory domain controller
    # Samba's internal DNS is switched off; AD DNS is served by BIND through
    # the dlz "AD DNS Zone" module configured in named.conf.local.
    server services = -dns
    # NOTE(review): on an AD DC the default for 'server signing' is reported
    # as mandatory; 'auto' only offers signing and still accepts unsigned SMB
    # sessions. Confirm this relaxation is intentional.
    server signing = auto
    # NOTE(review): 'no' allows simple (plaintext) LDAP binds on port 389
    # without TLS, so credentials can cross the network in the clear. The
    # Samba default is 'yes'; keep 'no' only while a legacy client still
    # needs it, and watch the logs for such binds.
    ldap server require strong auth = no
    idmap_ldb:use rfc2307 = yes

    winbind enum users = yes
    winbind enum groups = yes

    interfaces = lo,ens160
    bind interfaces only = yes

    # A logon with a username that does not exist is treated as a guest
    # session instead of being rejected. Such attempts can therefore show up
    # as guest access in the logs rather than as authentication failures.
    map to guest = Bad User

    # log level 3 is verbose; 'max log size' is in kilobytes.
    log level = 3
    log file = /var/log/samba/samba.log
    max log size = 100000


    include = /etc/samba/shares.conf

[netlogon]
    path = /var/lib/samba/sysvol/serverdc.lcl/scripts
    # 'browseable' has no effect on an AD DC (see the reply quoted below);
    # the line is harmless but does not hide the share.
    browseable = no
    read only = yes

[sysvol]
    path = /var/lib/samba/sysvol
    read only = no

--------

shares.conf

47 shares like this one:

# One of the 47 share definitions in /etc/samba/shares.conf (included from
# smb.conf).
[FooBar]
    comment = FooBar
    path = /home/samba/shares/foobar
    # NOTE(review): smb.conf only treats '#' as a comment at the start of a
    # line, so the text after 'Yes' below is read as part of the value, and
    # 'testparm' will likely report a badly formed boolean. If the wrap onto
    # the following line is really in the file (and not just mail wrapping),
    # that line is a stray parameter as well. Move the remark onto its own
    # '#' line above the parameter and re-run 'testparm'.
    browseable = Yes    # users need to browse the network because them
working in this way for many years.
    read only = No
    force create mode = 0660
    force directory mode = 0660
    # NOTE(review): the reply quoted below says acl_xattr should not be listed
    # on a share of an AD DC; see the Samba wiki pages it links before
    # keeping it.
    vfs objects = acl_xattr full_audit
    # full_audit logs the listed operations when they FAIL. Failed 'connect'
    # and 'open' entries are the first place to look when users lose access
    # to a share after a few days.
    full_audit:failure = connect opendir disconnect unlink mkdir rmdir open
rename

-----

resolv.conf

# Resolve through the local BIND, which serves the AD zone via the Samba DLZ
# module (named.conf.local). No external resolvers are listed here; the
# named.conf.options shown below has no forwarders either, so outside names
# are resolved by recursion from the root hints.
nameserver 127.0.0.1
search serverdc.lcl

-----

krb5.conf

# Kerberos client settings for the SERVERDC.LCL realm.
[libdefaults]
    default_realm = SERVERDC.LCL
    # KDCs are located through DNS SRV records, so Kerberos depends on the
    # AD DNS zone being served correctly by BIND (resolv.conf points at
    # 127.0.0.1).
    dns_lookup_kdc = true
    dns_lookup_realm = false


-------

all bind files

root at server-dc:/etc/samba# cat /etc/bind/named.conf
// Main BIND configuration. The default zones are defined inline here and
// named.conf.default-zones is NOT included; including it as well would
// define zone "." and the localhost zones twice and named would refuse to
// load.
include "/etc/bind/named.conf.options";
// NOTE(review): not a stock Debian include; presumably holds key material
// (TSIG/rndc). Make sure it is readable only by the user named runs as.
include "/etc/bind/keys";

// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};

// ACLs, the Samba DLZ zone and the reverse zones are in named.conf.local.
include "/etc/bind/named.conf.local";

--------
named.conf.default-zones

// Stock Debian default zones. This file is not referenced by the named.conf
// shown above, which carries identical zone definitions inline, so it is
// currently unused. Keep only one copy: either include this file from
// named.conf and drop the inline definitions there, or remove this file.

// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};

-------------------------------
named.conf.local

// Generated by Zentyal

// Hosts allowed recursion and cache queries (used by allow-recursion and
// allow-query-cache in named.conf.options).
acl "trusted" {
    localhost;
    localnets;
};

// Networks allowed zone transfers (used by allow-transfer in
// named.conf.options). Note this is every host in the /22, not only
// secondary name servers.
acl "internal-local-nets" {
    192.168.100.0/22;
};

// AD-integrated DNS served straight from Samba's database through the BIND9
// DLZ module. This replaces Samba's internal DNS, which smb.conf turns off
// with 'server services = -dns'.
dlz "AD DNS Zone" {
    database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so";

};



// Reverse zone for 192.168.100.0/24, stored in a flat file and updated
// dynamically.
zone "100.168.192.in-addr.arpa" {
    type master;
    file "/var/lib/bind/db.100.168.192";
    update-policy {
        // The only allowed dynamic updates are PTR records
        // NOTE(review): the rule actually grants TXT as well as PTR, so the
        // comment above understates it. The identity 'serverdc.lcl.' is
        // matched against the updater's key/principal name; check in the
        // named log that updates from domain members are really accepted
        // and not silently refused.
        grant serverdc.lcl. subdomain 100.168.192.in-addr.arpa. PTR TXT;
        // Grant from localhost
        grant local-ddns zonesub any;
    };
};

// Reverse zone for 192.168.0.0/24; same policy as above.
zone "0.168.192.in-addr.arpa" {
    type master;
    file "/var/lib/bind/db.0.168.192";
    update-policy {
        // The only allowed dynamic updates are PTR records
        // NOTE(review): grants TXT as well as PTR, same as the zone above.
        grant serverdc.lcl. subdomain 0.168.192.in-addr.arpa. PTR TXT;
        // Grant from localhost
        grant local-ddns zonesub any;
    };
};

// Empty reverse zones for the RFC 1918 ranges, so that lookups for private
// addresses are answered locally instead of being sent to the root servers.
// The more specific 100.168.192 and 0.168.192 zones above take precedence
// over the 168.192 catch-all at the end.
zone "10.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "16.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "17.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "18.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "19.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "20.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "21.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "22.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "23.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "24.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "25.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "26.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "27.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "28.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "29.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "30.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "31.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};


----------
named.conf.options

// Global BIND options for the AD DC's name server.
options {
     sortlist {
            { 192.168.100.0/22 ;{ 192.168.100.0/22 ; };};
    };
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you might need to uncomment the query-source
    // directive below.  Previous versions of BIND always asked
    // questions using port 53, but BIND 8.1 and later use an unprivileged
    // port by default.

    //query-source address * port 53;
    //transfer-source * port 53;
    //notify-source * port 53;

    // No 'forwarders' block: outside names are resolved by recursion from
    // the root hints. The reply quoted below suggests that external
    // resolvers belong here as forwarders rather than in resolv.conf.

    // Keytab named uses to verify GSS-TSIG (Kerberos-signed) dynamic updates
    // from Samba and domain members. It must be readable by the user named
    // runs as, or secure updates are refused.
    tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";

    auth-nxdomain no;    # conform to RFC1035

    // Anyone may send queries; recursion and cache access are limited to the
    // 'trusted' ACL (localhost + localnets, named.conf.local). Acceptable on
    // an internal-only host; if this address is reachable from untrusted
    // networks, narrow allow-query as well.
    allow-query { any; };
    allow-recursion { trusted; };
    allow-query-cache { trusted; };
    // NOTE(review): this allows any host in 192.168.100.0/22 to pull a full
    // zone transfer of every zone served here, which as far as BIND is
    // concerned includes the AD zone and therefore the complete list of
    // domain hosts. Restrict it to the addresses of actual secondary
    // servers, or to { none; } if there are none.
    allow-transfer { internal-local-nets; };
};

// Silence the noisy lame-server category.
logging { category lame-servers { null; }; };

------------
After changing smb.conf and krb5.conf as suggested, I can log out and log in
to the domain on the client PC, and I can browse \\server-dc and use Library OK,
but not FooBar (which is fine for the users currently logged in), because the
ACL is working on the filesystem and is OK....

But my problem from the beginning is: how can I know that I won't lose
access (e.g. to the Library share) after 2 or 3 days?

Is there some tool or command that shows whether the share access has a time that
expires? Or are these settings OK, so that it will not happen again?

Because that is my big problem! The ACLs of the share are working OK; I
just don't know why, after some days, the access is lost and I need to restart the
services and log out and log in again :(

2017-03-01 18:26 GMT+01:00 Rowland Penny via samba <samba at lists.samba.org>:

> On Wed, 1 Mar 2017 17:48:47 +0100
> Tony Peña <emperor.cu at gmail.com> wrote:
>
> >     server role = dc
> >     server role = active directory domain controller
> > i'm correct ?
>
> Nearly, but you should only have one 'server role' line and the second
> line is the correct one.
>
> >
> > ----
> >
> > on include shares.conf is all share directorys...i got 47 shares...
> > so .. i just paste here 1 as example,, the rest are equals just
> > changing the path
> >
> > [library]
> >     comment = Library in common
> >     path = /home/samba/shares/Library
> >     browseable = Yes
> >     read only = No
> >     force create mode = 0660
> >     force directory mode = 0660
> >     vfs objects = acl_xattr full_audit
> >     full_audit:failure = connect opendir disconnect unlink mkdir
> > rmdir open rename
>
> I take it you haven't read this wiki page:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_
> Active_Directory_Domain_Controller#Using_the_Domain_
> Controller_as_a_File_Server
>
> You cannot use POSIX ACLs on a Samba AD DC, so your share should be
> something like this:
>
> [library]
>     comment = Library in common
>     path = /home/samba/shares/Library
>     read only = No
>     vfs objects = full_audit
>     full_audit:failure = connect opendir disconnect unlink mkdir rmdir
> open rename
>
> You also had 'browseable = yes'; this is the default setting, but it has
> no effect on a DC, there is no browsing on a Samba AD DC.
>
> Once you have changed the share, you will need to read this wiki page:
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> >
> >
> > the filesystem is with acl,
> >
> > the filesystem on thouse are:    user : group : others
> >
> > drwxrwx---+   9 SERVERDC\administrator adm
> > 4,0K mar 1 14:26 Library
>
> You will probably need to change this to root:domain admins
>
> Talking of which, I hope you haven't given Administrator a uidNumber.
>
> >
> > on resolv.conf
> >
> > root at server-dc:~# cat /etc/resolv.conf
> >
> > nameserver 127.0.0.1
> > nameserver 8.8.8.8
> > nameserver 8.8.4.4
> > search serverdc.lcl
>
> You should remove the google nameservers, they should be set as
> forwarders in your bind9 conf files.
>
> >
> > the bind is ok,
>
> I didn't ask if it was 'ok', I asked how you have set it up, I think
> you need to post your bind9 conf files.
>
> > i register PC into domain and it's added into ldap
> > so i can ping NAME_OF_PC and pinging normally and see it using
> > pdbedit. this is somethings i can't understand in some how...
> > normally i use openldap, but int this case is samba (simulate ldap) ?
> > because i see samba run process to can see from my ldap client the
> > whole directory
>
> Yes, Samba 4 running as an AD DC does use its own ldap and the DNS info
> is stored in AD, but you need to use 'samba_dlz' to connect to it. You
> also need to setup bind9 correctly.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>



-- 
perl -le 's ffSfs.s fSf\x54\x6F\x6E\x79 \x50\x65\x6e\x61f.print'

Secure email with PGP 0x8B021001 available at https://pgp.mit.edu
<https://pgp.mit.edu/pks/lookup?search=0x8B021001&op=index&fingerprint=on&exact=on>
Fingerprint: 74E6 2974 B090 366D CE71  7BB2 6476 FA09 8B02 1001

