Jason Long
2014-Dec-24 13:46 UTC
[Samba] Use Samba with ACL for read Active Directory and set Permissions via it.
Hello Folks.
How are you?

I joined my CentOS into Windows Domain and I want to give Permission to files and Directory via Active Directory. When I use "getent passwd" and "getent group", I can see All AD users and Groups. I use below command to give Permission to a Folder via ACL :

    setfacl -m g:"jasondomain\jason-rw":rwx /home/local/jasondomain/jason/test

and I create a part for my "smb.conf" file :

    [Test]
    comment = test
    path = /home/local/jasondomain/jason/test
    browsable = yes
    inherit acls = yes
    inherit permissions = yes
    inherit owner = yes
    map acl inherit = yes
    acl check permissions = yes
    nt acl support = yes
    #valid users = %D\%S
    #write list = @jasondomain\domain^admins
    read only = no

but when I browse the "Test" directory it ask me username and password and when I enter "jasondomain\jason" as username it can't let me to open the "Test" directory. What is the problem?

Cheers.
Linda W
2014-Dec-26 22:35 UTC
[Samba] Use Samba with ACL for read Active Directory and set Permissions via it.
Jason Long wrote:
> Hello Folks.
> How are you?
>
> I joined my CentOS into Windows Domain and I want to give Permission to files and Directory via Active Directory. When I use "getent passwd" and "getent group", I can see All AD users and Groups. I use below command to give Permission to a Folder via ACL :
>
> setfacl -m g:"jasondomain\jason-rw":rwx /home/local/jasondomain/jason/test
>
> and I create a part for my "smb.conf" file :
>
> [Test]
> comment = test
> path = /home/local/jasondomain/jason/test
> browsable = yes
> inherit acls = yes
> inherit permissions = yes
> inherit owner = yes
> map acl inherit = yes
> acl check permissions = yes
> nt acl support = yes
> #valid users = %D\%S
> #write list = @jasondomain\domain^admins
> read only = no
>
> but when I browse the "Test" directory it ask me username and password and when I enter "jasondomain\jason" as username it can't let me to open the "Test" directory. What is the problem?
>
----

Are you already logged into the server under different credentials, like 'WORKGROUP', jason (i.e. do you already have some shares mounted?)

If I remember, Windows won't allow the same workstation to connect under two different user id's. If you already have something mounted from your workstation with different credentials, you need to close (unmount / unmap) those other connections.

Where did you setup the password for 'jasondomain\jason'? Again, if you didn't set a password, more modern versions of windows won't allow you to login (or attach a share) remotely.

You don't say what happens when you try to open 'test'. You say it can't let you? What error message does it give you?
jacek burghardt
2014-Dec-26 23:11 UTC
[Samba] Use Samba with ACL for read Active Directory and set Permissions via it.
I use this script to create folders for users:

    #!/bin/bash
    # Called by Samba as: mkhomedir.sh <domain> <user>
    # Creates /data/homes/<domain>/<user> if it does not exist yet.
    dir="/data/homes/$1/$2"
    if [ ! -e "$dir" ]; then
        /usr/bin/mkdir -p "$dir"
        # Owner is the user, group is "Domain Users"
        /usr/bin/chown "$2":"Domain Users" "$dir"
        # setgid so new files inherit the directory's group
        /usr/bin/chmod g+s "$dir"
        /usr/bin/chmod 770 "$dir"
        # POSIX ACL entries for the admins group and the user
        /usr/bin/setfacl -m g:"domain admins":rwx "$dir"
        /usr/bin/setfacl -m u:"$2":rwx "$dir"
    fi
    exit 0

and in smb.conf:

    [global]
    template shell = /bin/bash
    template homedir = /data/homes/%D/%U
    root preexec = /usr/bin/mkhomedir.sh %D %U

So what happens when you chown jason /home/local/jasondomain/jason/test? Is jason also listed in /etc/password? There could be a conflict.
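A defensively written variant of the home-directory script above, as an added example (not jacek's script and not part of the thread): because root preexec runs the script as root, it checks both arguments before they become part of a path. HOME_BASE, the function names and the allowed-character policy are assumptions; account names with spaces or other characters would need a wider allow-list.

```shell
#!/bin/bash
# Added example: hardened per-user directory creation for use from root preexec.
# HOME_BASE and the character allow-list are assumptions, not Samba defaults.
HOME_BASE="${HOME_BASE:-/data/homes}"

# Accept only a single, conservative path component.
valid_component() {
    case "$1" in
        ""|.|..|-*) return 1 ;;          # empty, dot entries, option-like names
        *[!A-Za-z0-9._-]*) return 1 ;;   # anything off the allow-list, incl. / and \
    esac
    return 0
}

# Print the target directory for domain $1 and user $2, or fail.
home_path() {
    valid_component "$1" && valid_component "$2" || return 1
    printf '%s/%s/%s\n' "$HOME_BASE" "$1" "$2"
}

# Create the directory with the same owner, mode and ACL entries as the
# original script (setgid + 770, "domain admins" and the user get rwx).
make_home() {
    dir=$(home_path "$1" "$2") || { echo "rejected: '$1' '$2'" >&2; return 1; }
    [ -e "$dir" ] && return 0
    mkdir -p -- "$dir" &&
    chown -- "$2":"Domain Users" "$dir" &&
    chmod 2770 -- "$dir" &&
    setfacl -m g:"domain admins":rwx -m u:"$2":rwx -- "$dir"
}

# Only act when called with exactly two arguments, e.g.
#   root preexec = /usr/bin/mkhomedir.sh %D %U
if [ "$#" -eq 2 ]; then
    make_home "$1" "$2"
fi
```
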
Jason Long
2014-Dec-27 06:44 UTC
[Samba] Use Samba with ACL for read Active Directory and set Permissions via it.
Thank you so much.

No, I'm not. I joined my Linux to Windows domain because of AD. I can define some users in my Linux and Windows clients use it to open share and ... but my problem is that I have a lot of users and groups and to redefine all of them in Linux is a little silly :(. I joined my Linux to Windows domain in order to use AD users and groups.

About your question :

"Where did you setup the password for 'jasondomain\jason'? Again, if you didn't set a password, more modern versions of windows won't allow you to login (or attach a share) remotely."

I must say that "jason" is defined in AD on Windows OS and I use it for login into Linux.

"You don't say what happens when you try to open 'test'. You say it can't let you? What error message does it give you?"

It doesn't show me any error and just shows the Login Window again :(.

On Friday, December 26, 2014 2:35 PM, Linda W <samba at tlinx.org> wrote:

> Jason Long wrote:
> > Hello Folks.
> > How are you?
> >
> > I joined my CentOS into Windows Domain and I want to give Permission to files and Directory via Active Directory. When I use "getent passwd" and "getent group", I can see All AD users and Groups. I use below command to give Permission to a Folder via ACL :
> >
> > setfacl -m g:"jasondomain\jason-rw":rwx /home/local/jasondomain/jason/test
> >
> > and I create a part for my "smb.conf" file :
> >
> > [Test]
> > comment = test
> > path = /home/local/jasondomain/jason/test
> > browsable = yes
> > inherit acls = yes
> > inherit permissions = yes
> > inherit owner = yes
> > map acl inherit = yes
> > acl check permissions = yes
> > nt acl support = yes
> > #valid users = %D\%S
> > #write list = @jasondomain\domain^admins
> > read only = no
> >
> > but when I browse the "Test" directory it ask me username and password and when I enter "jasondomain\jason" as username it can't let me to open the "Test" directory. What is the problem?
> >
> ----
>
> Are you already logged into the server under different credentials, like 'WORKGROUP', jason (i.e. do you already have some shares mounted?)
>
> If I remember, Windows won't allow the same workstation to connect under two different user id's. If you already have something mounted from your workstation with different credentials, you need to close (unmount / unmap) those other connections.
>
> Where did you setup the password for 'jasondomain\jason'? Again, if you didn't set a password, more modern versions of windows won't allow you to login (or attach a share) remotely.
>
> You don't say what happens when you try to open 'test'. You say it can't let you? What error message does it give you?