Jason Long
2014-Dec-28 08:47 UTC
[Samba] Use Samba with ACL for read Active Directory and set Permissions via it.
I never used four different Workgroups or Domains. My domain is "jasondomain" and as you see in my last "smb.conf" it is. I changed "MYGROUP" to "jasondomain" but the problem is not solved.

On Saturday, December 27, 2014 7:02 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:

> On 27/12/14 14:18, Jason Long wrote:
>> Thank you so much.
>> I changed my "smb.conf" and "password-auth-ac". I attached two files for you and you can see them. My problem is not solved :( and the login window showed and did not accept my username and password, I attached it too.
>> I paste my "fstab" file here and as you see the "acl" is enabled for "root":
>>
>> #
>> # /etc/fstab
>> # Created by anaconda on Wed Dec 24 10:02:57 2014
>> #
>> # Accessible filesystems, by reference, are maintained under '/dev/disk'
>> # See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
>> #
>> /dev/mapper/vg_print-lv_root /                       ext4    acl,defaults    1 1
>> UUID=9ad25e0f-4f1a-4c6a-a419-98a016fcc30d /boot       ext4    defaults        1 2
>> /dev/mapper/vg_print-lv_swap swap                    swap    defaults        0 0
>> tmpfs                   /dev/shm                tmpfs   defaults        0 0
>> devpts                  /dev/pts                devpts  gid=5,mode=620  0 0
>> sysfs                   /sys                    sysfs   defaults        0 0
>> proc                    /proc                   proc    defaults        0 0
>>
>> I paste "getfacl" for the test directory here:
>>
>> getfacl test/
>> # file: test/
>> # owner: jasondomain\134jason
>> # group: jasondomain\134grp-jason-rw
>> user::rwx
>> group::r-x
>> group:jasondomain\134grp-jason-rw:rwx
>> mask::rwx
>> other::r-x
>>
>> After changing "password-auth-ac", when I want to restart the "winbind" server it shows me an error as below:
>>
>> #service smb restart
>> Shutting down SMB services:                   [  OK  ]
>> Starting SMB services:                        [  OK  ]
>> # service winbind restart
>> Shutting down Winbind services:               [FAILED]
>> Starting Winbind services:                    [  OK  ]
>>
>> In your opinion what is the problem?
>>
>> On Saturday, December 27, 2014 4:12 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>
>>> On 27/12/14 11:55, Jason Long wrote:
>>>> You're right. I joined my Linux box into the Windows domain.
>>>> Of course. I attached my "smb.conf". Can you see it?
>>>>
>>>> On Saturday, December 27, 2014 3:36 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>>>
>>>>> On 27/12/14 06:44, Jason Long wrote:
>>>>>> Thank you so much.
>>>>>> No, I'm not. I joined my Linux to the Windows domain because of AD. I can define some users in my Linux and Windows clients use them to open shares and ... but my problem is that I have a lot of users and groups and redefining all of them in Linux is a little silly :(. I joined my Linux to the Windows domain in order to use AD users and groups.
>>>>>>
>>>>>> About your question:
>>>>>> "Where did you setup the password for 'jasondomain\jason'? Again, if you didn't set a password, more modern versions of windows won't allow you to login (or attach a share) remotely."
>>>>>>
>>>>>> I must say that "jason" is defined in AD on Windows OS and I use it for login into Linux.
>>>>>>
>>>>>> "You don't say what happens when you try to open 'test'. You say it can't let you? What error message does it give you?"
>>>>>> It doesn't show me any error and just shows the login window again :(.
>>>>>>
>>>>>> On Friday, December 26, 2014 2:35 PM, Linda W <samba at tlinx.org> wrote:
>>>>>>> Jason Long wrote:
>>>>>>>> Hello Folks.
>>>>>>>> How are you?
>>>>>>>>
>>>>>>>> I joined my CentOS into a Windows Domain and I want to give permissions to files and directories via Active Directory. When I use "getent passwd" and "getent group", I can see all AD users and groups. I use the command below to give permission to a folder via ACL:
>>>>>>>>
>>>>>>>> setfacl -m g:"jasondomain\jason-rw":rwx /home/local/jasondomain/jason/test
>>>>>>>>
>>>>>>>> and I create a part for my "smb.conf" file:
>>>>>>>>
>>>>>>>> [Test]
>>>>>>>> comment = test
>>>>>>>> path = /home/local/jasondomain/jason/test
>>>>>>>> browsable = yes
>>>>>>>> inherit acls = yes
>>>>>>>> inherit permissions = yes
>>>>>>>> inherit owner = yes
>>>>>>>> map acl inherit = yes
>>>>>>>> acl check permissions = yes
>>>>>>>> nt acl support = yes
>>>>>>>> #valid users = %D\%S
>>>>>>>> #write list = @jasondomain\domain^admins
>>>>>>>> read only = no
>>>>>>>>
>>>>>>>> but when I browse the "Test" directory it asks me for a username and password and when I enter "jasondomain\jason" as username it can't let me open the "Test" directory. What is the problem?
>>>>>>> ----
>>>>>>> Are you already logged into the server under different credentials, like 'WORKGROUP', jason (i.e. do you already have some shares mounted?)
>>>>>>>
>>>>>>> If I remember, Windows won't allow the same workstation to connect under two different user id's. If you already have something mounted from your workstation with different credentials, you need to close (unmount / unmap) those other connections.
>>>>>>>
>>>>>>> Where did you setup the password for 'jasondomain\jason'? Again, if you didn't set a password, more modern versions of windows won't allow you to login (or attach a share) remotely.
>>>>>>>
>>>>>>> You don't say what happens when you try to open 'test'. You say it can't let you? What error message does it give you?
>>>>>
>>>>> OK, if I understand you correctly, you have setup samba on a Centos machine and joined it to a windows machine, is this correct?
>>>>>
>>>>> Could you post the entire smb.conf from your Centos machine.
>>>>>
>>>>> Rowland
>>>>>
>>>>> --
>>>>> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
>>>
>>> OK, after wading through all the un-needed lines, I got this:
>>>
>>> [global]
>>>     workgroup = MYGROUP
>>>     server string = Samba Server Version %v
>>>     # logs split per machine
>>>     log file = /var/log/samba/log.%m
>>>     # max 50KB per log file, then rotate
>>>     max log size = 50
>>>     security = user
>>>     passdb backend = tdbsam
>>>     load printers = yes
>>>     cups options = raw
>>>
>>> [homes]
>>>     comment = Home Directories
>>>     browseable = no
>>>     writable = yes
>>>
>>> [printers]
>>>     comment = All Printers
>>>     path = /var/spool/samba
>>>     browseable = no
>>>     guest ok = no
>>>     writable = no
>>>     printable = yes
>>>
>>> [Test]
>>> comment = Public Stuff
>>> path = /home/local/HAMSHAHRY/jokar/test/
>>> browsable = yes
>>> inherit acls = yes
>>> inherit permissions = yes
>>> inherit owner = yes
>>> map acl inherit = yes
>>> acl check permissions = yes
>>> nt acl support = yes
>>> read only = no
>>>
>>> Try changing 'security = user' to 'security = ads' and adding the required winbind & idmap lines, see:
>>> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>>>
>>> Yes, I know it says 'member server', but you can use it for a client as well.
>>>
>>> Rowland
>
> Hi, you seem to be using **four**, yes four different workgroup (also known as domain) names:
> In smb.conf: MYGROUP & SAMDOM
> When trying to login: jasondomain & WORKGROUP
>
> They all need to be the same, you also need to add uidNumber's to your users and a gidNumber to at least 'Domain Users'
>
> Rowland
Rowland Penny
2014-Dec-28 09:40 UTC
[Samba] Use Samba with ACL for read Active Directory and set Permissions via it.
On 28/12/14 08:47, Jason Long wrote:
> I never used four different Workgroups or Domains. My domain is "jasondomain" and as you see in my last "smb.conf" it is. I changed "MYGROUP" to "jasondomain" but the problem is not solved.
OK, in the last smb.conf you posted there are these lines:

workgroup = MYGROUP
idmap config SAMDOM:backend = ad
idmap config SAMDOM:schema_mode = rfc2307
idmap config SAMDOM:range = 500-40000

Also in samba-1.png:

Username: jasondomain\jason
domain: WORKGROUP

I make that 4 workgroup names, ok you have changed MYGROUP, but what about SAMDOM?

You also have 'winbind use default domain = yes', because of this, you do not need to use 'jasondomain\jason', just 'jason' should work.

Do you by any chance have a Unix user called 'jason' on the samba machine?

Also, when you try to login as 'jasondomain\jason' are you doing this on the samba machine?

Rowland
Jason Long
2014-Dec-28 11:51 UTC
[Samba] Use Samba with ACL for read Active Directory and set Permissions via it.
Thank you so much. I changed "SAMDOM" to "jasondomain" and also "winbind use default domain = no" but the problem still exists. In the photo that I sent, I changed "WORKGROUP" to "jasondomain" too. I have a question: my domain has a prefix with ".jj" and it is "jasondomain.jj". I changed:

[global]
    workgroup = JASONDOMAIN.JJ
    server string = Samba Server Version %v
    # logs split per machine
    log file = /var/log/samba/log.%m
    # max 50KB per log file, then rotate
    max log size = 50
    security = ads
    passdb backend = tdbsam
    load printers = yes
    cups options = raw
    idmap config *:backend = tdb
    idmap config *:range = 70001-80000
    #idmap config SAMDOM:backend = ad
    idmap config JASONDOMAIN.JJ:backend = ad
    idmap config JASONDOMAIN.JJ:schema_mode = rfc2307
    idmap config JASONDOMAIN.JJ:range = 500-40000

Am I right? If yes, my problem is not solved :(

On Sunday, December 28, 2014 1:41 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
> OK, in the last smb.conf you posted there are these lines:
>
> workgroup = MYGROUP
> idmap config SAMDOM:backend = ad
> idmap config SAMDOM:schema_mode = rfc2307
> idmap config SAMDOM:range = 500-40000
>
> Also in samba-1.png:
>
> Username: jasondomain\jason
> domain: WORKGROUP
>
> I make that 4 workgroup names, ok you have changed MYGROUP, but what about SAMDOM?
>
> You also have 'winbind use default domain = yes', because of this, you do not need to use 'jasondomain\jason', just 'jason' should work.
>
> Do you by any chance have a Unix user called 'jason' on the samba machine?
>
> Also, when you try to login as 'jasondomain\jason' are you doing this on the samba machine?
>
> Rowland
Jason Long
2014-Dec-28 11:54 UTC
[Samba] Use Samba with ACL for read Active Directory and set Permissions via it.
Thank you so much. I changed "SAMDOM" to "jasondomain" and also "winbind use default domain = no" but the problem still exists. In the photo that I sent, I changed "WORKGROUP" to "jasondomain" too. I have a question: my domain has a prefix with ".jj" and it is "jasondomain.jj". I changed:

[global]
    workgroup = JASONDOMAIN.JJ
    server string = Samba Server Version %v
    # logs split per machine
    log file = /var/log/samba/log.%m
    # max 50KB per log file, then rotate
    max log size = 50
    security = ads
    passdb backend = tdbsam
    load printers = yes
    cups options = raw
    idmap config *:backend = tdb
    idmap config *:range = 70001-80000
    #idmap config SAMDOM:backend = ad
    idmap config JASONDOMAIN.JJ:backend = ad
    idmap config JASONDOMAIN.JJ:schema_mode = rfc2307
    idmap config JASONDOMAIN.JJ:range = 500-40000

Am I right? If yes, my problem is not solved :(

About your question I must say "No", I do not have any "jason" user on the Linux machine. Yes, I use "jasondomain\jason" for login into the Linux machine and "jason" is a user that is defined in Windows Active Directory.

Thanks.

On Sunday, December 28, 2014 1:41 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
> OK, in the last smb.conf you posted there are these lines:
>
> workgroup = MYGROUP
> idmap config SAMDOM:backend = ad
> idmap config SAMDOM:schema_mode = rfc2307
> idmap config SAMDOM:range = 500-40000
>
> Also in samba-1.png:
>
> Username: jasondomain\jason
> domain: WORKGROUP
>
> I make that 4 workgroup names, ok you have changed MYGROUP, but what about SAMDOM?
>
> You also have 'winbind use default domain = yes', because of this, you do not need to use 'jasondomain\jason', just 'jason' should work.
>
> Do you by any chance have a Unix user called 'jason' on the samba machine?
>
> Also, when you try to login as 'jasondomain\jason' are you doing this on the samba machine?
>
> Rowland
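The whole thread turns on the domain names in smb.conf agreeing with each other, which Rowland checks by eye. Below is an added consistency checker written for this page (it is not code from the thread or from the Samba project): it parses the [global] section, flags idmap labels that differ from 'workgroup', a DNS-style name used as workgroup, a missing '*' default idmap, 'security' other than 'ads' and overlapping id ranges, and shows what 'winbind use default domain' does to the login name. It assumes the Samba wiki convention that 'workgroup' holds the NetBIOS domain name, 'realm' the DNS name and the idmap label equals the workgroup; the sample configs are constructed from the lines quoted in the thread, and 'realm = JASONDOMAIN.JJ' in the corrected one is my assumption from the ".jj" domain Jason mentions.

```python
"""Consistency checks for the domain names in a Samba AD member smb.conf.

Added example, not from the thread or the Samba project: it finds by code what
the replies above spot by eye (idmap labels that differ from 'workgroup', a DNS
name used as workgroup, no '*' default idmap, security not 'ads', overlapping
ranges) and shows what 'winbind use default domain' does to the login name.
"""
import re
IDMAP_RE = re.compile(r"^idmap config (?P<dom>[^:]+):(?P<opt>.+)$")


def parse_global(text):
    """Return the [global] parameters, keys lower-cased and space-normalised."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # both smb.conf comment styles
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)  # only '='; ':' belongs to idmap keys
            params[" ".join(key.lower().split())] = value.strip()
    return params


def idmap_domains(params):
    """Group 'idmap config <DOMAIN>:<option>' lines by upper-cased domain label."""
    doms = {}
    for key, value in params.items():
        m = IDMAP_RE.match(key)
        if m:
            doms.setdefault(m.group("dom").strip().upper(), {})[m.group("opt").strip()] = value
    return doms


def check_smb_conf(text):
    """Return human-readable problems; an empty list means the names agree."""
    g = parse_global(text)
    problems = []
    workgroup = g.get("workgroup", "").upper()
    security = g.get("security", "user").lower()  # Samba's default is 'user'
    if security != "ads":
        problems.append("security = %s; an AD domain member needs security = ads" % security)
    if "." in workgroup:
        problems.append("workgroup %s looks like a DNS name; use the NetBIOS domain "
                        "name here and put the DNS name in 'realm'" % workgroup)
    doms = idmap_domains(g)
    for dom in sorted(doms):
        if dom not in ("*", workgroup):
            problems.append("idmap config label %s does not match workgroup %s" % (dom, workgroup))
    if workgroup and workgroup not in doms:
        problems.append("no 'idmap config %s:...' lines for the workgroup" % workgroup)
    if "*" not in doms:
        problems.append("no default 'idmap config *:backend' and '*:range' lines")
    ranges = {d: [int(x) for x in c["range"].replace(" ", "").split("-", 1)]
              for d, c in doms.items() if "range" in c}
    if "*" in ranges:
        lo, hi = ranges["*"]
        for dom, (dlo, dhi) in ranges.items():
            if dom != "*" and dlo <= hi and lo <= dhi:  # the two intervals intersect
                problems.append("range of %s (%d-%d) overlaps the '*' range (%d-%d)"
                                % (dom, dlo, dhi, lo, hi))
    return problems


def expected_login_name(text, user):
    """Name to give at the share prompt, given 'winbind use default domain'."""
    g = parse_global(text)
    if g.get("winbind use default domain", "no").lower() in ("yes", "true", "1"):
        return user
    return "%s\\%s" % (g.get("workgroup", "").upper(), user)


# Constructed from Jason's later [global] section: the DNS name used as workgroup.
CONF_LATER = """[global]
    workgroup = JASONDOMAIN.JJ
    security = ads
    winbind use default domain = no
    idmap config *:backend = tdb
    idmap config *:range = 70001-80000
    idmap config JASONDOMAIN.JJ:backend = ad
    idmap config JASONDOMAIN.JJ:schema_mode = rfc2307
    idmap config JASONDOMAIN.JJ:range = 500-40000
"""

# Constructed corrected version (realm value assumed): NetBIOS name as workgroup.
CONF_FIXED = """[global]
    workgroup = JASONDOMAIN
    realm = JASONDOMAIN.JJ
    security = ads
    winbind use default domain = yes
    idmap config *:backend = tdb
    idmap config *:range = 70001-80000
    idmap config JASONDOMAIN:backend = ad
    idmap config JASONDOMAIN:range = 500-40000
"""
```

Running check_smb_conf(CONF_LATER) reports only the DNS-style workgroup, while CONF_FIXED comes back clean; the uidNumber/gidNumber attributes Rowland also asks for live in AD, not in smb.conf, so they are outside what this file-level check can see.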