Jason Long
2014-Dec-28 15:48 UTC
[Samba] Use Samba with ACL for read Active Directory and set Permissions via it.
Thank you so much.

Thus I must change "idmap config JASONDOMAIN.JJ:backend = ad" to "idmap config JASONDOMAIN:backend = ad". How about Workgroup? Must I change "JASONDOMAIN" too?

About your question, I must say that I test this share via Linux too, and Windows and Linux have the same problem.

About "What I would do is, install the OpenSSH server on the linux machine, install 'PUTTY' on a windows machine and try to login via 'PUTTY' and use the SSH protocol.", do you mean that Windows clients use SSH to work with this directory? I want to make this Linux box a file server, and Windows clients need a graphical browser to copy and paste files into this directory!!!!!!!

What is your idea?

Thanks.

On Sunday, December 28, 2014 4:23 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:

On 28/12/14 11:54, Jason Long wrote:
> > Thank you so much.
> >
> > I changed "SAMDOM" to "jasondomain" and also "winbind use default domain = no" but the problem exists. In the photo that I sent, I changed "WORKGROUP" to "jasondomain" too.
> > I have a question. My domain has a prefix with ".jj" and it is "jasondomain.jj". I changed:
> >
> > [global]
> > workgroup = JASONDOMAIN.JJ
> > server string = Samba Server Version %v
> > # logs split per machine
> > log file = /var/log/samba/log.%m
> > # max 50KB per log file, then rotate
> > max log size = 50
> > security = ads
> > passdb backend = tdbsam
> > load printers = yes
> > cups options = raw
> > idmap config *:backend = tdb
> > idmap config *:range = 70001-80000
> > #idmap config SAMDOM:backend = ad
> > idmap config JASONDOMAIN.JJ:backend = ad
> > idmap config JASONDOMAIN.JJ:schema_mode = rfc2307
> > idmap config JASONDOMAIN.JJ:range = 500-40000
> >
> > Am I right? If yes, my problem is not solved :(
> >
> > About your question I must say "No", I do not have any "jason" user on the Linux machine.
> > Yes, I use "jasondomain\jason" for login into the Linux machine, and "jason" is a user that is defined in Windows Active Directory.
> >
> > Thanks.
> >
> > On Sunday, December 28, 2014 1:41 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
> On 28/12/14 08:47, Jason Long wrote:
>> I never used four different Workgroup or Domain names. My domain is "jasondomain" and as you see in my last "smb.conf" it is. I changed "MYGROUP" to "jasondomain" but the problem is not solved.
>>
>> On Saturday, December 27, 2014 7:02 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>
>> On 27/12/14 14:18, Jason Long wrote:
>>> Thank you so much.
>>> I changed my "smb.conf" and "password-auth-ac". I attached two files for you and you can see them. My problem is not solved :( and the login window showed and did not accept my username and password; I attached it too.
>>> I paste my "fstab" file here and as you see "acl" is enabled for "root":
>>>
>>> #
>>> # /etc/fstab
>>> # Created by anaconda on Wed Dec 24 10:02:57 2014
>>> #
>>> # Accessible filesystems, by reference, are maintained under '/dev/disk'
>>> # See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
>>> #
>>> /dev/mapper/vg_print-lv_root / ext4 acl,defaults 1 1
>>> UUID=9ad25e0f-4f1a-4c6a-a419-98a016fcc30d /boot ext4 defaults 1 2
>>> /dev/mapper/vg_print-lv_swap swap swap defaults 0 0
>>> tmpfs /dev/shm tmpfs defaults 0 0
>>> devpts /dev/pts devpts gid=5,mode=620 0 0
>>> sysfs /sys sysfs defaults 0 0
>>> proc /proc proc defaults 0 0
>>>
>>> I paste "getfacl" for the test directory here:
>>>
>>> getfacl test/
>>> # file: test/
>>> # owner: jasondomain\134jason
>>> # group: jasondomain\134grp-jason-rw
>>> user::rwx
>>> group::r-x
>>> group:jasondomain\134grp-jason-rw:rwx
>>> mask::rwx
>>> other::r-x
>>>
>>> After changing "password-auth-ac", when I want to restart the "winbind" service it shows me an error as below:
>>>
>>> #service smb restart
>>> Shutting down SMB services: [ OK ]
>>> Starting SMB services: [ OK ]
>>> # service winbind restart
>>> Shutting down Winbind services: [FAILED]
>>> Starting Winbind services: [ OK ]
>>>
>>> In your opinion what is the problem?
>>>
>>> On Saturday, December 27, 2014 4:12 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>>
>>> On 27/12/14 11:55, Jason Long wrote:
>>>> You're right. I joined my Linux box into the Windows domain.
>>>> Of course. I attached my "smb.conf". Can you see it?
>>>>
>>>> On Saturday, December 27, 2014 3:36 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>>>
>>>> On 27/12/14 06:44, Jason Long wrote:
>>>>
>>>>> Thank you so much.
>>>>> No, I'm not. I joined my Linux to the Windows domain because of AD. I can define some users on my Linux and Windows clients use them to open shares and ... but my problem is that I have a lot of users and groups, and redefining all of them in Linux is a little silly :(. I joined my Linux to the Windows domain in order to use AD users and groups.
>>>>> About your question:
>>>>> "Where did you setup the password for 'jasondomain\jason'? Again, if you didn't set a password, more modern versions of windows won't allow you to login (or attach a share) remotely."
>>>>>
>>>>> I must say that "jason" is defined in AD on Windows OS and I use it for login into Linux.
>>>>>
>>>>> "You don't say what happens when you try to open 'test'. You say it can't let you? What error message does it give you?"
>>>>> It doesn't show me any error and just shows the login window again :(.
>>>>>
>>>>> On Friday, December 26, 2014 2:35 PM, Linda W <samba at tlinx.org> wrote:
>>>>> Jason Long wrote:
>>>>>> Hello Folks.
>>>>>> How are you?
>>>>>>
>>>>>> I joined my CentOS into the Windows Domain and I want to give permissions to files and directories via Active Directory. When I use "getent passwd" and "getent group", I can see all AD users and groups. I use the command below to give permission to a folder via ACL:
>>>>>> setfacl -m g:"jasondomain\jason-rw":rwx /home/local/jasondomain/jason/test
>>>>>> and I created a part for my "smb.conf" file:
>>>>>>
>>>>>> [Test]
>>>>>> comment = test
>>>>>> path = /home/local/jasondomain/jason/test
>>>>>> browsable = yes
>>>>>> inherit acls = yes
>>>>>> inherit permissions = yes
>>>>>> inherit owner = yes
>>>>>> map acl inherit = yes
>>>>>> acl check permissions = yes
>>>>>> nt acl support = yes
>>>>>> #valid users = %D\%S
>>>>>> #write list = @jasondomain\domain^admins
>>>>>> read only = no
>>>>>>
>>>>>> but when I browse the "Test" directory it asks me for a username and password, and when I enter "jasondomain\jason" as the username it doesn't let me open the "Test" directory. What is the problem?
>>>>> ----
>>>>> Are you already logged into the server under different credentials, like 'WORKGROUP', jason (i.e. do you already have some shares mounted?)
>>>>> If I remember, Windows won't allow the same workstation to connect under two different user id's. If you already have something mounted from your workstation with different credentials, you need to close (unmount / unmap) those other connections.
>>>>>
>>>>> Where did you setup the password for 'jasondomain\jason'? Again, if you didn't set a password, more modern versions of windows won't allow you to login (or attach a share) remotely.
>>>>>
>>>>> You don't say what happens when you try to open 'test'. You say it can't let you? What error message does it give you?
>>>>
>>>> OK, If I understand you correctly, you have setup samba on a Centos machine and joined it to a windows machine, is this correct ?
>>>>
>>>> Could you post the entire smb.conf from your Centos machine.
>>>>
>>>> Rowland
>>>>
>>>> --
>>>> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
>>>>
>>> OK, after wading through all the un-needed lines, I got this:
>>>
>>> [global]
>>> workgroup = MYGROUP
>>> server string = Samba Server Version %v
>>> # logs split per machine
>>> log file = /var/log/samba/log.%m
>>> # max 50KB per log file, then rotate
>>> max log size = 50
>>> security = user
>>> passdb backend = tdbsam
>>> load printers = yes
>>> cups options = raw
>>>
>>> [homes]
>>> comment = Home Directories
>>> browseable = no
>>> writable = yes
>>>
>>> [printers]
>>> comment = All Printers
>>> path = /var/spool/samba
>>> browseable = no
>>> guest ok = no
>>> writable = no
>>> printable = yes
>>>
>>> [Test]
>>> comment = Public Stuff
>>> path = /home/local/HAMSHAHRY/jokar/test/
>>> browsable = yes
>>> inherit acls = yes
>>> inherit permissions = yes
>>> inherit owner = yes
>>> map acl inherit = yes
>>> acl check permissions = yes
>>> nt acl support = yes
>>> read only = no
>>>
>>> Try changing 'security = user' to 'security = ads' and adding the required winbind & idmap lines, see:
>>> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>>>
>>> Yes, I know it says 'member server', but you can use it for a client as well.
>>>
>>> Rowland
>>>
>> Hi, you seem to be using **four**, yes four different workgroup (also known as domain) names:
>> In smb.conf: MYGROUP & SAMDOM
>> When trying to login: jasondomain & WORKGROUP
>>
>> They all need to be the same, you also need to add uidNumber's to your users and a gidNumber to at least 'Domain Users'
>>
>> Rowland
>>
> OK, in the last smb.conf you posted there are these lines:
>
> workgroup = MYGROUP
>
> idmap config SAMDOM:backend = ad
> idmap config SAMDOM:schema_mode = rfc2307
> idmap config SAMDOM:range = 500-40000
>
> Also in samba-1.png:
>
> Username: jasondomain\jason
>
> domain: WORKGROUP
>
> I make that 4 workgroup names, ok you have changed MYGROUP, but what about SAMDOM ?
>
> You also have 'winbind use default domain = yes' , because of this, you do not need to use 'jasondomain\jason', just 'jason' should work.
>
> Do you by any chance have a Unix user called 'jason' on the samba machine ?
>
> Also, when you try to login as 'jasondomain\jason' are you doing this on the samba machine ?
>
> Rowland
>
OK, I am 99% sure that you cannot have a dot in a workgroup name.

As to logging into the machine, I meant are you trying to connect to a share on the linux machine from the linux machine.

What I would do is, install the OpenSSH server on the linux machine, install 'PUTTY' on a windows machine and try to login via 'PUTTY' and use the SSH protocol.

Rowland
Rowland Penny
2014-Dec-28 17:36 UTC
[Samba] Use Samba with ACL for read Active Directory and set Permissions via it.
On 28/12/14 15:48, Jason Long wrote:
> Thank you so much.
> Thus I must change "idmap config JASONDOMAIN.JJ:backend = ad" to "idmap config JASONDOMAIN:backend = ad".
> How about Workgroup? Must I change "JASONDOMAIN" too?
> About your question, I must say that I test this share via Linux too, and Windows and Linux have the same problem.
>
> About "What I would do is, install the OpenSSH server on the linux machine, install 'PUTTY' on a windows machine and try to login via 'PUTTY' and use the SSH protocol.", do you mean that Windows clients use SSH to work with this directory? I want to make this Linux box a file server, and Windows clients need a graphical browser to copy and paste files into this directory!!!!!!!
> What is your idea?
>
> Thanks.
>
I am losing track here a bit, but if your dns domain is example.com, then your windows AD realm should be something like internal.example.com and your workgroup/domain name should be INTERNAL, that is, they all rely on each other.

So anywhere that you come across these, you should use the relevant one. These are the relevant parts from a Unix client on my domain:

[global]
workgroup = INTERNAL
security = ADS
realm = INTERNAL.EXAMPLE.COM
..........
idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config INTERNAL : backend = ad
idmap config INTERNAL : range = 10000-999999
idmap config INTERNAL : schema_mode = rfc2307

As for using 'PUTTY', this was just a way of testing whether you can connect to the Unix machine.

Rowland
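The relationship Rowland describes (workgroup = first label of the realm, no dot in the workgroup, one `idmap config` block per domain plus a `*` default, non-overlapping ranges) is easy to get wrong by hand, as the earlier MYGROUP/SAMDOM mix-up and the JASONDOMAIN.JJ attempt show. The script below is an added example, not code from the thread or from the Samba project: a small checker that reads the `[global]` section of an smb.conf and reports each of those mismatches. The three embedded configs are constructed samples modelled on the fragments in this thread; `parse_smb_conf` is a deliberately minimal reader (sections, `key = value`, `#`/`;` comments) and is not a full smb.conf parser.

```python
import re

# Constructed sample smb.conf fragments (not the poster's attachments):
# DOTTED_CONF mirrors the Dec-28 attempt (dotted workgroup, no realm),
# MISMATCH_CONF mirrors the earlier MYGROUP/SAMDOM mix-up,
# MEMBER_CONF follows the layout of the INTERNAL example in the reply.
DOTTED_CONF = """
[global]
    workgroup = JASONDOMAIN.JJ
    security = ads
    idmap config *:backend = tdb
    idmap config *:range = 70001-80000
    #idmap config SAMDOM:backend = ad
    idmap config JASONDOMAIN.JJ:backend = ad
    idmap config JASONDOMAIN.JJ:schema_mode = rfc2307
    idmap config JASONDOMAIN.JJ:range = 500-40000
"""

MISMATCH_CONF = """
[global]
    workgroup = MYGROUP
    security = user
    idmap config *:backend = tdb
    idmap config *:range = 70001-80000
    idmap config SAMDOM:backend = ad
    idmap config SAMDOM:schema_mode = rfc2307
    idmap config SAMDOM:range = 500-40000
"""

MEMBER_CONF = """
[global]
    workgroup = INTERNAL
    security = ADS
    realm = INTERNAL.EXAMPLE.COM
    idmap config * : backend = tdb
    idmap config * : range = 2000-9999
    idmap config INTERNAL : backend = ad
    idmap config INTERNAL : range = 10000-999999
    idmap config INTERNAL : schema_mode = rfc2307
"""


def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {key: value}} with keys lowercased and
    the whitespace around ':' in idmap keys removed, so both spellings match."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
            continue
        if "=" in line and section is not None:
            key, value = line.split("=", 1)
            key = re.sub(r"\s+", " ", key.strip().lower())
            key = re.sub(r"\s*:\s*", ":", key)
            conf[section][key] = value.strip()
    return conf


def parse_range(value):
    """'500-40000' -> (500, 40000); None when the value is not a range."""
    m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", value.strip())
    return (int(m.group(1)), int(m.group(2))) if m else None


def ranges_overlap(a, b):
    return a[0] <= b[1] and b[0] <= a[1]


def check_member_config(conf):
    """Return a list of problems found in a domain member's [global] section."""
    g = conf.get("global", {})
    problems = []
    workgroup = g.get("workgroup", "").upper()
    realm = g.get("realm", "").upper()
    if g.get("security", "").lower() != "ads":
        problems.append("security should be 'ads' for a domain member")
    if "." in workgroup:
        problems.append(f"workgroup '{workgroup}' contains a dot; use the short NetBIOS domain name")
    if not realm:
        problems.append("realm is missing (required with security = ads)")
    elif workgroup and realm.split(".")[0] != workgroup:
        problems.append(f"workgroup '{workgroup}' is not the first label of realm '{realm}'")
    # Collect the idmap config blocks: {DOMAIN: {option: value}}
    idmap = {}
    for key, value in g.items():
        m = re.fullmatch(r"idmap config (.+):(\w+)", key)
        if m:
            idmap.setdefault(m.group(1).upper(), {})[m.group(2)] = value
    if "backend" not in idmap.get("*", {}):
        problems.append("missing 'idmap config *:backend' default block")
    if workgroup and workgroup not in idmap:
        problems.append(f"no 'idmap config {workgroup}:...' block for the workgroup")
    for dom in idmap:
        if dom not in ("*", workgroup):
            problems.append(f"idmap config domain '{dom}' does not match workgroup '{workgroup}'")
    ranges = [(dom, parse_range(opts["range"])) for dom, opts in idmap.items() if "range" in opts]
    for i, (d1, r1) in enumerate(ranges):
        for d2, r2 in ranges[i + 1:]:
            if r1 and r2 and ranges_overlap(r1, r2):
                problems.append(f"idmap ranges for '{d1}' and '{d2}' overlap")
    return problems


if __name__ == "__main__":
    for name, text in (("dotted", DOTTED_CONF), ("mismatch", MISMATCH_CONF), ("member", MEMBER_CONF)):
        print(name, check_member_config(parse_smb_conf(text)) or ["ok"])
```

Run against the three samples, the INTERNAL-style config passes, the dotted one is flagged for the dot and the missing realm, and the MYGROUP/SAMDOM one is flagged four times (security, realm, no block for the workgroup, a block for a domain that is not the workgroup). The range-overlap check matters because the `*` range and the domain range must not collide, or winbind can hand the same uid to two different principals.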
Jason Long
2014-Dec-29 06:38 UTC
[Samba] Use Samba with ACL for read Active Directory and set Permissions via it.
Thank you so much.

You're right. My realm is "jasondomaini.jasondomain.jj" and I changed the configuration as below:

[global]
workgroup = JASONDOMAINI
server string = Samba Server Version %v
# logs split per machine
log file = /var/log/samba/log.%m
# max 50KB per log file, then rotate
max log size = 50
security = ADS
realm = JASONDOMAINI.JASONDOMAIN.JJ
passdb backend = tdbsam
load printers = yes
cups options = raw
idmap config *:backend = tdb
idmap config *:range = 70001-80000
#idmap config SAMDOM:backend = ad
idmap config JASONDOMAINI:backend = ad
idmap config JASONDOMAINI:schema_mode = rfc2307
idmap config JASONDOMAINI:range = 500-40000

When I use "SSH" on my CentOS and enter "jasondomain\jason", it shows me the root partition and I can open the "Test" directory, but it has two problems:

1- Why does it show the root partition?
2- I can't browse it via Windows Explorer!!!

I want to know: is using AD users in Linux hard? In your opinion, did I use the correct command to set the ACL?

#getfacl test/
# file: test/
# owner: JASONDOMAINI\134JASON
# group: JASONDOMAINI\134grp-JASON-rw
user::rwx
group::r-x
group:JASONDOMAINI\134grp-JASON-rw:rwx
mask::rwx
other::r-x

and in "getent group" it shows me the group below:

JASONDOMAINI\134grp-JASON-rw

In your opinion, am I using the correct command to set permissions?

On Sunday, December 28, 2014 9:37 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:

On 28/12/14 15:48, Jason Long wrote:
> Thank you so much.
> Thus I must change "idmap config JASONDOMAIN.JJ:backend = ad" to "idmap config JASONDOMAIN:backend = ad".
> How about Workgroup? Must I change "JASONDOMAIN" too?
> About your question, I must say that I test this share via Linux too, and Windows and Linux have the same problem.
>
> About "What I would do is, install the OpenSSH server on the linux machine, install 'PUTTY' on a windows machine and try to login via 'PUTTY' and use the SSH protocol.", do you mean that Windows clients use SSH to work with this directory? I want to make this Linux box a file server, and Windows clients need a graphical browser to copy and paste files into this directory!!!!!!!
> What is your idea?
>
> Thanks.
>
I am losing track here a bit, but if your dns domain is example.com, then your windows AD realm should be something like internal.example.com and your workgroup/domain name should be INTERNAL, that is, they all rely on each other.

So anywhere that you come across these, you should use the relevant one. These are the relevant parts from a Unix client on my domain:

[global]
workgroup = INTERNAL
security = ADS
realm = INTERNAL.EXAMPLE.COM
..........
idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config INTERNAL : backend = ad
idmap config INTERNAL : range = 10000-999999
idmap config INTERNAL : schema_mode = rfc2307

As for using 'PUTTY', this was just a way of testing whether you can connect to the Unix machine.

Rowland
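Two things in the `getfacl` listing above are worth checking by hand before blaming Samba: the `\134` in the owner and group names is just `getfacl` printing the backslash of `DOMAIN\group` as an octal escape (so the entry really is for the AD group), and the `mask::` line caps what every named group entry can actually grant. The snippet below is an added example, not code from the thread or from Samba: it parses a `getfacl` listing, decodes the escapes, applies the mask and reports the group's effective rights. The two listings are constructed; the second one has its mask narrowed to `r-x` to show the common case where an `rwx` group entry is still listed but no longer grants write.

```python
import re

# Constructed getfacl listings, modelled on the one in the Dec-29 message.
# getfacl prints special bytes as octal escapes, so the backslash in
# DOMAIN\group appears as "\134".
LISTING_OK = r"""# file: test/
# owner: JASONDOMAINI\134JASON
# group: JASONDOMAINI\134grp-JASON-rw
user::rwx
group::r-x
group:JASONDOMAINI\134grp-JASON-rw:rwx
mask::rwx
other::r-x
"""

# Same entries, but a later chmod has narrowed the mask to r-x: the group's
# rwx entry is still listed, yet it no longer grants write.
LISTING_MASKED = LISTING_OK.replace("mask::rwx", "mask::r-x")


def unescape(name):
    """Undo getfacl's octal escapes, e.g. \\134 -> backslash, \\040 -> space."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)


def parse_getfacl(text):
    """Return (header, entries): header maps file/owner/group to unescaped
    names; entries is a list of (tag, qualifier, perms) tuples."""
    header, entries = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition(":")
            header[key.strip()] = unescape(value.strip())
        else:
            # rsplit keeps "default:user" together as the tag for default entries
            tag, qualifier, perms = line.rsplit(":", 2)
            entries.append((tag, unescape(qualifier), perms))
    return header, entries


def effective_rights(entries):
    """Apply the ACL mask: named users, named groups and the owning group only
    get the bits that are also set in mask::; owner and other are unmasked."""
    mask = next((p for t, _, p in entries if t == "mask"), None)
    rights = {}
    for tag, qualifier, perms in entries:
        if tag == "mask":
            continue
        subject_to_mask = tag == "group" or (tag == "user" and qualifier)
        if mask and subject_to_mask:
            perms = "".join(c if c in mask else "-" for c in perms)
        rights[(tag, qualifier)] = perms
    return rights


def group_can_write(listing, group):
    """True when the group's *effective* entry (after masking) includes w."""
    _, entries = parse_getfacl(listing)
    return "w" in effective_rights(entries).get(("group", group), "")


if __name__ == "__main__":
    for label, listing in (("mask rwx", LISTING_OK), ("mask r-x", LISTING_MASKED)):
        print(label, group_can_write(listing, "JASONDOMAINI\\grp-JASON-rw"))
```

On the listing from the message the group's effective rights are `rwx`, so the `setfacl -m g:...:rwx` step itself is fine; if a later test shows the group unable to write, comparing the `mask::` line is the first thing to check, because `chmod` on the directory rewrites the mask rather than the named entries.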