Jason Long
2014-Dec-29 12:52 UTC
[Samba] Use Samba with ACL for read Active Directory and set Permissions via it.
Thank you so much.

I did some changes like below:

/dev/mapper/vg_print-lv_root / ext4 user_xattr,acl,defaults 1 1

Then "lsof | grep /dev/mapper/vg_print-lv_root" does not have any output.
I added the lines below to the [global] section too:

vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes

But can you tell me more about the commands below?

net rpc rights grant 'SAMDOM\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
net rpc rights list accounts -Uadministrator

I hope they are not dangerous!!!!

In "https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs", the other steps are in Windows!!! Can I do them via Linux too?

Thanks.

On Monday, December 29, 2014 1:59 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:

On 29/12/14 06:38, Jason Long wrote:
> Thank you so much.
> You're right, my realm is "jasondomaini.jasondomain.jj" and I changed the configuration as below:
>
> [global]
> workgroup = JASONDOMAINI
> server string = Samba Server Version %v
> # logs split per machine
> log file = /var/log/samba/log.%m
> # max 50KB per log file, then rotate
> max log size = 50
> security = ADS
> realm = JASONDOMAINI.JASONDOMAIN.JJ
> passdb backend = tdbsam
> load printers = yes
> cups options = raw
> idmap config *:backend = tdb
> idmap config *:range = 70001-80000
> #idmap config SAMDOM:backend = ad
> idmap config JASONDOMAINI:backend = ad
> idmap config JASONDOMAINI:schema_mode = rfc2307
> idmap config JASONDOMAINI:range = 500-40000
>
> When I use "SSH" on my CentOS and enter "jasondomain\jason", it shows me the root partition and I can open the "Test" directory, but it has two problems:
>
> 1- Why does it show the root partition?
> 2- I can't browse it via Windows Explorer!!!
>
> I want to know: is using AD users in Linux hard?
>
> In your opinion, did I use a correct command to set the ACL?
>
> #getfacl test/
>
> # file: test/
> # owner: JASONDOMAINI\134JASON
> # group: JASONDOMAINI\134grp-JASON-rw
> user::rwx
> group::r-x
> group:JASONDOMAINI\134grp-JASON-rw:rwx
> mask::rwx
> other::r-x
>
> and "getent group" shows me the group below:
>
> JASONDOMAINI\134grp-JASON-rw
>
> In your idea, am I using the correct command to set the permission?
>
> On Sunday, December 28, 2014 9:37 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
> On 28/12/14 15:48, Jason Long wrote:
>> Thank you so much.
>> Thus I must change "idmap config JASONDOMAIN.JJ:backend = ad" to "idmap config JASONDOMAIN:backend = ad".
>> How about Workgroup? Must I change "JASONDOMAIN" too?
>> About your question I must say that I tested this share via Linux too, and Windows and Linux have the same problem.
>>
>> About "What I would do is, install the OpenSSH server on the linux machine, install 'PUTTY' on a windows machine and try to login via 'PUTTY' and use the SSH protocol.", you mean that Windows clients use SSH to work with this directory? I want to make this Linux box a file server, and Windows clients need a graphical browser to copy and paste files into this directory!!!!!!!
>> What is your idea?
>>
>> Thanks.
>>
> I am losing track here a bit, but if your dns domain is example.com,
> then your windows AD realm should be something like internal.example.com
> and your workgroup/domain name should be INTERNAL, that is, they all
> rely on each other.
>
> So anywhere that you come across these, you should use the relevant one,
> these are the relevant parts from a Unix client on my domain:
>
> [global]
> workgroup = INTERNAL
> security = ADS
> realm = INTERNAL.EXAMPLE.COM
> ..........
> idmap config * : backend = tdb
> idmap config * : range = 2000-9999
> idmap config INTERNAL : backend = ad
> idmap config INTERNAL : range = 10000-999999
> idmap config INTERNAL : schema_mode = rfc2307
>
> As for using 'PUTTY', this was just a way of testing whether you can
> connect to the Unix machine.
>
> Rowland

OK, we are getting closer.

Right, answers to your questions:

1) I think that you may find that this is also printed 'Could not chdir to home directory', in which case you will end up in the root of the computer.

2) Are you running the 'nmbd' daemon? Even if this is not running you should be able to navigate to the share by entering the path. Have a look here:

https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs

Rowland
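As an added example (not code from the thread or from Samba), a small Python parser for the getfacl output quoted above: it decodes getfacl's octal escapes (the `\134` in `JASONDOMAINI\134JASON` is an escaped backslash, not part of the user name) and applies the `mask::` entry to show which permissions are actually effective. The sample output is copied from the thread; the function names are my own.

```python
import re

# Constructed sample: the getfacl output quoted in the thread. getfacl prints the
# backslash in "DOMAIN\name" as the octal escape \134 (0x5C): the owner is JASONDOMAINI\JASON.
GETFACL_OUTPUT = r"""# file: test/
# owner: JASONDOMAINI\134JASON
# group: JASONDOMAINI\134grp-JASON-rw
user::rwx
group::r-x
group:JASONDOMAINI\134grp-JASON-rw:rwx
mask::rwx
other::r-x
"""

_OCTAL = re.compile(r"\\([0-7]{3})")

def unescape(name):
    """Turn getfacl's octal escapes (backslash + 3 digits) back into characters."""
    return _OCTAL.sub(lambda m: chr(int(m.group(1), 8)), name)

def parse_getfacl(text):
    """Return (owner, group, entries); each entry is (tag, qualifier, perms)."""
    owner, group, entries = None, None, []
    for line in text.splitlines():
        if line.startswith("# owner: "):
            owner = unescape(line[len("# owner: "):])
        elif line.startswith("# group: "):
            group = unescape(line[len("# group: "):])
        elif line and not line.startswith("#"):
            tag, qualifier, perms = line.rsplit(":", 2)  # perms never contain ':'
            entries.append((tag, unescape(qualifier), perms))
    return owner, group, entries

def effective_perms(entries):
    """Apply the mask: it limits named users/groups and the owning group, not owner/other."""
    mask = next((p for t, q, p in entries if t == "mask"), "rwx")
    result = {}
    for tag, qualifier, perms in entries:
        if tag == "mask":
            continue
        key = f"{tag}:{qualifier}" if qualifier else tag
        if tag in ("user", "other") and not qualifier:
            result[key] = perms           # owner and 'other' are not subject to the mask
        else:
            result[key] = "".join(p if p == m else "-" for p, m in zip(perms, mask))
    return result

if __name__ == "__main__":
    owner, group, acl = parse_getfacl(GETFACL_OUTPUT)
    print(owner, group, effective_perms(acl))
```

With the mask at rwx, as in the thread, every entry is effective as written; a tighter mask (for example r-x) silently trims the named group's write bit, which is the usual reason a getfacl listing and the behaviour seen on the share disagree.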
Rowland Penny
2014-Dec-29 13:02 UTC
[Samba] Use Samba with ACL for read Active Directory and set Permissions via it.
On 29/12/14 12:52, Jason Long wrote:
> Thank you so much.
>
> I did some changes like below:
>
> /dev/mapper/vg_print-lv_root / ext4 user_xattr,acl,defaults 1 1
>
> Then "lsof | grep /dev/mapper/vg_print-lv_root" does not have any output.
> I added the lines below to the [global] section too:
>
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
>
> But can you tell me more about the commands below?
>
> net rpc rights grant 'SAMDOM\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
> net rpc rights list accounts -Uadministrator
>
> I hope they are not dangerous!!!!

No :-)

The first one gives members of Domain Admins the right to change Windows ACLs on a share.
The second lists accounts and what rights they have.

> In "https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs", the other steps are in Windows!!! Can I do them via Linux too?

Yes, but it is just easier via Windows.

Rowland
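An added consistency check (example code, not from the thread or the Samba project) for the [global] settings that have come up in this thread: it confirms that the `idmap config` domain is the workgroup (NetBIOS) name rather than the realm, that the default `*` range and the domain range do not overlap, and that `acl_xattr` is accompanied by the two settings from the wiki page. The sample smb.conf is assembled from the lines posted in the thread; the function names are my own.

```python
import re

# Constructed sample: the relevant [global] lines posted in the thread.
SMB_CONF = """\
[global]
workgroup = JASONDOMAINI
security = ADS
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config JASONDOMAINI:backend = ad
idmap config JASONDOMAINI:range = 500-40000
"""

def parse_global(text):
    """Return the [global] parameters as a dict with normalised keys."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # smb.conf ignores case and blanks in parameter names, also around ':'
            key = re.sub(r"\s*:\s*", ":", re.sub(r"\s+", " ", key.strip().lower()))
            params[key] = value.strip()
    return params

def check_ad_member(params):
    """Findings for an AD member with Windows ACLs; idmap domain = workgroup, not realm."""
    findings, ranges = [], {}
    workgroup = params.get("workgroup", "").upper()
    for key, value in params.items():
        m = re.match(r"idmap config (\S+):range$", key)
        if m:
            ranges[m.group(1).upper()] = tuple(int(x) for x in value.split("-"))
    for dom in ("*", workgroup):
        if dom not in ranges:
            findings.append(f"missing 'idmap config {dom}:range'")
    names = sorted(ranges)
    for i, a in enumerate(names):               # every pair of ranges must be disjoint
        for b in names[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(f"idmap ranges for {a} and {b} overlap")
    if "acl_xattr" in params.get("vfs objects", "").split():
        for opt in ("map acl inherit", "store dos attributes"):
            if params.get(opt, "").lower() not in ("yes", "true", "1"):
                findings.append(f"acl_xattr needs '{opt} = yes'")
    return findings
```

Run against the posted configuration it returns no findings; with the earlier `idmap config JASONDOMAIN.JJ:` spelling it reports the missing range for the workgroup name, which is the fix the thread arrived at.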
Jason Long
2014-Dec-31 09:17 UTC
[Samba] Use Samba with ACL for read Active Directory and set Permissions via it.
Thank you so much, but I ran the commands below on Linux:

# net rpc rights grant 'jasondomain\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
# net rpc rights list accounts -Uadministrator

It asks me for a password for "administrator":

Enter administrator's password:
Could not connect to server 127.0.0.1
Connection failed: NT_STATUS_NO_LOGON_SERVERS

Must I enter the Windows administrator password?

Thanks.