Rowland Penny
2015-Jan-07 10:59 UTC
[Samba] Use Samba with ACL for read Active Directory and set Permissions via it.
On 07/01/15 10:51, Jason Long wrote:
> Thank you.
> I changed my "krb5.conf" as below:
>
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = JASONDOMAIN.JJ
> dns_lookup_realm = false
> dns_lookup_kdc = true
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = yes
> default_keytab_name = /etc/krb5.keytab
> default_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
> default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
> preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
> pkinit_kdc_hostname = <DNS>
> pkinit_anchors = DIR:/var/lib/pbis/trusted_certs
> pkinit_cert_match = &&<EKU>msScLogin<PRINCIPAL>
> pkinit_eku_checking = kpServerAuth
> pkinit_win2k_require_binding = false
> pkinit_identities = PKCS11:/opt/pbis/lib64/libpkcs11.so

My krb5.conf is:

[libdefaults]
default_realm = EXAMPLE.LAN
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes

> and removed "krb5.keytab" too. You told me that my domain name is "jasondomaini" but it is wrong. My domain name is "jasondomain.jj" and the backend is "jasondomaini"; for example, when I want to log in to Windows I use "jasondomaini\jason".
>
> After entering the command "net ads join -U jason@jasondomain.jj", my computer joined, but when I use "net rpc testjoin" I get the same error as below:
>
> Unable to find a suitable server for domain JASONDOMAINI
> Join to domain 'JASONDOMAINI' is not valid: NT_STATUS_UNSUCCESSFUL
>
> I don't know why it sees the domain name as "JASONDOMAINI". How can I edit it?

You shouldn't, because 'JASONDOMAINI' *IS* your domain name, *NOT* the backend!!! The join command should be 'net ads join -U jason@JASONDOMAIN.JJ', but does 'jason' have the required rights to join the domain??

Try again but this time use:

net ads join -U Administrator@JASONDOMAIN.JJ

and enter the 'Administrator' password when prompted.

Rowland

> Thanks.
>
> On Tuesday, January 6, 2015 12:57 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
> On 06/01/15 06:17, Jason Long wrote:
>> Thanks.
>> My domain name is "jasondomain.jj" and backend is "jasondomaini".
> No, your realm name is "jasondomain.jj" and it would seem that your domain name is "jasondomaini"; the domain name can also be known as the 'workgroup' name.
>
> Set smb.conf to match this:
>
> [global]
> workgroup = JASONDOMAINI
> security = ADS
> realm = JASONDOMAIN.JJ
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> server string = Samba 4 Client %h
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = yes
> winbind expand groups = 4
> winbind nss info = rfc2307
> winbind refresh tickets = Yes
> winbind offline logon = yes
> winbind normalize names = Yes
> idmap config * : backend = tdb
> idmap config * : range = 2000-9999
> idmap config JASONDOMAINI : backend = ad
> idmap config JASONDOMAINI : range = 10000-999999
> idmap config JASONDOMAINI : schema_mode = rfc2307
> printcap name = cups
> cups options = raw
> usershare allow guests = yes
> domain master = no
> local master = no
> preferred master = no
> os level = 20
> map to guest = bad user
>
> set /etc/krb5.conf to this:
>
> [libdefaults]
> default_realm = JASONDOMAIN.JJ
> dns_lookup_realm = false
> dns_lookup_kdc = true
> ticket_lifetime = 24h
> forwardable = yes
>
> set /etc/resolv.conf
>
> nameserver <ip of your windows server>
> search jasondomain.jj
>
> If /etc/krb5.keytab exists, delete it.
>
> make sure the time on the client matches the server.
>
> then try to join the domain:
>
> net ads join -U Administrator@JASONDOMAIN.JJ
>
> Rowland
>>
>> On Monday, January 5, 2015 3:48 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>> On 05/01/15 11:09, Jason Long wrote:
>>> Thank you.
>>>
>>> My Windows is Windows Server 2008 R2.
>>> About the realm name, my domain name is "JASONDOMAIN.JJ".
>>> My Windows does not have any workgroup name. It is a domain.
>>>
>>> Thanks
>>>
>>> On Monday, January 5, 2015 1:05 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>> On 05/01/15 07:02, Jason Long wrote:
>>>> Thanks a lot.
>>>> I changed the lines below to the correct domain name:
>>>>
>>>> idmap config JASONDOMAIN : range = 10000-999999
>>>> idmap config JASONDOMAIN : schema_mode = rfc2307
>>>>
>>>> and after the join, the command "net rpc testjoin" shows the same error:
>>>>
>>>> Unable to find a suitable server for domain JASONDOMAINI
>>>> Join to domain 'JASONDOMAINI' is not valid: NT_STATUS_UNSUCCESSFUL
>>>>
>>>> I have an idea and I guess that "/etc/krb5.conf" has some incorrect options. The file is:
>>>>
>>>> [logging]
>>>> default = FILE:/var/log/krb5libs.log
>>>> kdc = FILE:/var/log/krb5kdc.log
>>>> admin_server = FILE:/var/log/kadmind.log
>>>>
>>>> [libdefaults]
>>>> default_realm = JASONDOMAIN.JJ
>>>> dns_lookup_realm = false
>>>> dns_lookup_kdc = true
>>>> ticket_lifetime = 24h
>>>> renew_lifetime = 7d
>>>> forwardable = yes
>>>> default_keytab_name = /etc/krb5.keytab
>>>> default_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
>>>> default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
>>>> preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
>>>> pkinit_kdc_hostname = <DNS>
>>>> pkinit_anchors = DIR:/var/lib/pbis/trusted_certs
>>>> pkinit_cert_match = &&<EKU>msScLogin<PRINCIPAL>
>>>> pkinit_eku_checking = kpServerAuth
>>>> pkinit_win2k_require_binding = false
>>>> pkinit_identities = PKCS11:/opt/pbis/lib64/libpkcs11.so
>>>>
>>>> [realms]
>>>> EXAMPLE.COM = {
>>>> kdc = kerberos.example.com
>>>> admin_server = kerberos.example.com
>>>> }
>>>> JASONDOMAIN.JJ = {
>>>> auth_to_local = RULE:[1:$0\$1](^JASONDOMAIN\.JJ\\.*)s/^JASONDOMAIN\.JJ/JASONDOMAINI/
>>>> auth_to_local = RULE:[1:$0\$1](^ADVER\.JASONDOMAIN\.JJ\\.*)s/^ADVER\.JASONDOMAIN\.JJ/ADVER/
>>>> auth_to_local = DEFAULT
>>>> }
>>>>
>>>> [domain_realm]
>>>> .example.com = EXAMPLE.COM
>>>> example.com = EXAMPLE.COM
>>>> .JASONDOMAIN.JJ = JASONDOMAIN.JJ
>>>> .adver.JASONDOMAIN.JJ = ADVER.JASONDOMAIN.JJ
>>>> [capaths]
>>>> [appdefaults]
>>>> pam = {
>>>> mappings = JASONDOMAINI\\(.*) $1@JASONDOMAIN.JJ
>>>> forwardable = true
>>>> validate = true
>>>> }
>>>> httpd = {
>>>> mappings = JASONDOMAINI\\(.*) $1@JASONDOMAIN.JJ
>>>> reverse_mappings = (.*)@JASONDOMAIN\.JJ JASONDOMAINI\$1
>>>> }
>>>>
>>>> What is your idea? I must tell you that after I removed LikeWise and configured it manually, I can't log in to Linux via Windows AD accounts.
>>>>
>>>> Thanks.
>>>>
>>>> On Sunday, January 4, 2015 5:11 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>>> On 04/01/15 13:00, Rowland Penny wrote:
>>>>> On 04/01/15 10:17, Jason Long wrote:
>>>>>> Thanks a lot.
>>>>>> I entered the command and the result is:
>>>>>>
>>>>>> Using short domain name -- JASONDOMAINI
>>>>>> Joined 'PRINTMAH' to dns domain 'JASONDOMAIN.JJ'
>>>>>>
>>>>>> but after running "net rpc testjoin":
>>>>>>
>>>>>> Unable to find a suitable server for domain JASONDOMAINI
>>>>>> Join to domain 'JASONDOMAINI' is not valid: NT_STATUS_UNSUCCESSFUL
>>>>>>
>>>>>> I guess I understand what my problem is. I'm really sorry :(.
>>>>>>
>>>>>> On Windows I used the "set" command and it shows me:
>>>>>>
>>>>>> USERDNSDOMAIN= JASONDOMAIN.JJ
>>>>>> USERDOMAIN= JASONDOMAINI
>>>>>>
>>>>>> I guess that I must change "JASONDOMAINI" in the lines below to "JASONDOMAIN":
>>>>>>
>>>>>> idmap config JASONDOMAINI : range = 10000-999999
>>>>>> idmap config JASONDOMAINI : schema_mode = rfc2307
>>>>>>
>>>>>> Am I right?
>>>>>>
>>>>>> On Saturday, January 3, 2015 7:44 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>>>>> On 03/01/15 15:08, Jason Long wrote:
>>>>>>> Thank you.
>>>>>>> I used the video below to join my Linux box to the Windows domain:
>>>>>>>
>>>>>>> http://www.youtube.com/watch?v=Y3TFPDT9uic
>>>>>>>
>>>>>>> Please look at this video; I used the instructions in it and the LikeWiseOpen tool.
>>>>>>>
>>>>>>> Cheers.
>>>>>>>
>>>>>>> On Saturday, January 3, 2015 5:45 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>>>>>> On 03/01/15 12:38, Jason Long wrote:
>>>>>>>> Thanks.
>>>>>>>>
>>>>>>>> I entered "net ads testjoin" and it shows me:
>>>>>>>>
>>>>>>>> ads_connect: No logon servers
>>>>>>>> Join to domain is not valid: No logon servers
>>>>>>> You are *not* joined to the domain. I suppose this should have been asked earlier, but how did you do the domain join?
>>>>>>>
>>>>>>> Rowland
>>>>>>>
>>>>>>>> If it is incorrect, why can I log in to Linux via a Windows account?
>>>>>>>> As you see, I followed the steps in the video.
>>>>>>>>
>>>>>>>> :(.
>>>>>>>>
>>>>>>>> On Saturday, January 3, 2015 1:13 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>>>>>>> On 03/01/15 05:41, Jason Long wrote:
>>>>>>>>> Thank you.
>>>>>>>>> The command shows the error below:
>>>>>>>>>
>>>>>>>>> Could not connect to server 192.168.1.1
>>>>>>>>> Connection failed: NT_STATUS_INVALID_WORKSTATION
>>>>>>>>>
>>>>>>>>> :(
>>>>>>>>>
>>>>>>>>> On Wednesday, December 31, 2014 2:05 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>>>>>>>> On 31/12/14 09:55, Jason Long wrote:
>>>>>>>>>> Thanks.
>>>>>>>>>> I changed the command as below:
>>>>>>>>>>
>>>>>>>>>> #net rpc rights grant 'jasondomain\Domain Admins' SeDiskOperatorPrivilege -U jasondomain\\administrator -I 192.168.1.1
>>>>>>>>>>
>>>>>>>>>> But I got the error below:
>>>>>>>>>>
>>>>>>>>>> Could not connect to server 192.168.1.1
>>>>>>>>>> Connection failed: NT_STATUS_INVALID_WORKSTATION
>>>>>>>>>>
>>>>>>>>>> Cheers.
>>>>>>>>>>
>>>>>>>>>> On Wednesday, December 31, 2014 1:35 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>>>>>>>>> On 31/12/14 09:17, Jason Long wrote:
>>>>>>>>>>> Thank you so much, but I ran the commands below on Linux:
>>>>>>>>>>>
>>>>>>>>>>> # net rpc rights grant 'jasondomain\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
>>>>>>>>>>> # net rpc rights list accounts -Uadministrator
>>>>>>>>>>>
>>>>>>>>>>> It asks me for a password for "administrator":
>>>>>>>>>>>
>>>>>>>>>>> Enter administrator's password:
>>>>>>>>>>> Could not connect to server 127.0.0.1
>>>>>>>>>>> Connection failed: NT_STATUS_NO_LOGON_SERVERS
>>>>>>>>>>>
>>>>>>>>>>> Must I enter the Windows administrator password?
>>>>>>>>>>>
>>>>>>>>>>> Thanks.
>>>>>>>>>>>
>>>>>>>>>>> On Monday, December 29, 2014 5:10 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>>>>>>>>>> On 29/12/14 12:52, Jason Long wrote:
>>>>>>>>>>>> Thank you so much.
>>>>>>>>>>>>
>>>>>>>>>>>> I made some changes like below:
>>>>>>>>>>>>
>>>>>>>>>>>> /dev/mapper/vg_print-lv_root / ext4 user_xattr,acl,defaults 1 1
>>>>>>>>>>>>
>>>>>>>>>>>> Then "lsof | grep /dev/mapper/vg_print-lv_root" does not have any output.
>>>>>>>>>>>> I added the lines below to the [global] section too:
>>>>>>>>>>>>
>>>>>>>>>>>> vfs objects = acl_xattr
>>>>>>>>>>>> map acl inherit = Yes
>>>>>>>>>>>> store dos attributes = Yes
>>>>>>>>>>>>
>>>>>>>>>>>> But about the commands below, can you tell me more?
>>>>>>>>>>>>
>>>>>>>>>>>> net rpc rights grant 'SAMDOM\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
>>>>>>>>>>>> net rpc rights list accounts -Uadministrator
>>>>>>>>>>>>
>>>>>>>>>>>> I hope they are not dangerous!!!!
>>>>>>>>>>> No :-)
>>>>>>>>>>>
>>>>>>>>>>> The first one gives members of Domain Admins the right to change Windows ACLs on a share.
>>>>>>>>>>> The second lists accounts and what rights they have.
>>>>>>>>>>>
>>>>>>>>>>>> In "https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs", the other steps are in Windows!!! Can I do them via Linux too?
>>>>>>>>>>> Yes, but it is just easier via Windows.
>>>>>>>>>>>
>>>>>>>>>>> Rowland
>>>>>>>>>>>
>>>>>>>>>>>> Thanks.
>>>>>>>>>>>>
>>>>>>>>>>>> On Monday, December 29, 2014 1:59 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>>>>>>>>>>> On 29/12/14 06:38, Jason Long wrote:
>>>>>>>>>>>>> Thank you so much.
>>>>>>>>>>>>> You are right, my realm is "jasondomaini.jasondomain.jj" and I changed the configuration as below:
>>>>>>>>>>>>>
>>>>>>>>>>>>> [global]
>>>>>>>>>>>>> workgroup = JASONDOMAINI
>>>>>>>>>>>>> server string = Samba Server Version %v
>>>>>>>>>>>>> # logs split per machine
>>>>>>>>>>>>> log file = /var/log/samba/log.%m
>>>>>>>>>>>>> # max 50KB per log file, then rotate
>>>>>>>>>>>>> max log size = 50
>>>>>>>>>>>>> security = ADS
>>>>>>>>>>>>> realm = JASONDOMAINI.JASONDOMAIN.JJ
>>>>>>>>>>>>> passdb backend = tdbsam
>>>>>>>>>>>>> load printers = yes
>>>>>>>>>>>>> cups options = raw
>>>>>>>>>>>>> idmap config *:backend = tdb
>>>>>>>>>>>>> idmap config *:range = 70001-80000
>>>>>>>>>>>>> #idmap config SAMDOM:backend = ad
>>>>>>>>>>>>> idmap config JASONDOMAINI:backend = ad
>>>>>>>>>>>>> idmap config JASONDOMAINI:schema_mode = rfc2307
>>>>>>>>>>>>> idmap config JASONDOMAINI:range = 500-40000
>>>>>>>>>>>>>
>>>>>>>>>>>>> When I use "SSH" on my CentOS and enter "jasondomain\jason", it shows me the root partition and I can open the "Test" directory. But it has two problems:
>>>>>>>>>>>>>
>>>>>>>>>>>>> 1- Why does it show the root partition?
>>>>>>>>>>>>> 2- I can't browse it via Windows Explorer!!!
>>>>>>>>>>>>>
>>>>>>>>>>>>> I want to know, is using AD users in Linux hard?
>>>>>>>>>>>>>
>>>>>>>>>>>>> In your opinion, did I use the correct command to set the ACL?
>>>>>>>>>>>>>
>>>>>>>>>>>>> #getfacl test/
>>>>>>>>>>>>>
>>>>>>>>>>>>> # file: test/
>>>>>>>>>>>>> # owner: JASONDOMAINI\134JASON
>>>>>>>>>>>>> # group: JASONDOMAINI\134grp-JASON-rw
>>>>>>>>>>>>> user::rwx
>>>>>>>>>>>>> group::r-x
>>>>>>>>>>>>> group:JASONDOMAINI\134grp-JASON-rw:rwx
>>>>>>>>>>>>> mask::rwx
>>>>>>>>>>>>> other::r-x
>>>>>>>>>>>>>
>>>>>>>>>>>>> and in "getent group" it shows me the group below:
>>>>>>>>>>>>>
>>>>>>>>>>>>> JASONDOMAINI\134grp-JASON-rw
>>>>>>>>>>>>>
>>>>>>>>>>>>> In your view, did I use the correct command to set the permissions?
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Sunday, December 28, 2014 9:37 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>>>>>>>>>>>> On 28/12/14 15:48, Jason Long wrote:
>>>>>>>>>>>>>> Thank you so much.
>>>>>>>>>>>>>> Thus I must change "idmap config JASONDOMAIN.JJ:backend = ad" to "idmap config JASONDOMAIN:backend = ad".
>>>>>>>>>>>>>> How about the workgroup? Must it change to "JASONDOMAIN" too?
>>>>>>>>>>>>>> About your question, I must say that I tested this share via Linux too, and Windows and Linux have the same problem.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> About "What I would do is, install the OpenSSH server on the linux machine, install 'PUTTY' on a windows machine and try to login via 'PUTTY' and use the SSH protocol.", do you mean that Windows clients should use SSH to work with this directory? I want to make this Linux box a file server, and Windows clients need a graphical browser to copy and paste files into this directory!!!!!!!
>>>>>>>>>>>>>> What is your idea?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Thanks.
>>>>>>>>>>>>>>
>>>>>>>>>>>>> I am losing track here a bit, but if your dns domain is example.com, then your windows AD realm should be something like internal.example.com and your workgroup/domain name should be INTERNAL, that is, they all rely on each other.
>>>>>>>>>>>>>
>>>>>>>>>>>>> So anywhere that you come across these, you should use the relevant one; these are the relevant parts from a Unix client on my domain:
>>>>>>>>>>>>>
>>>>>>>>>>>>> [global]
>>>>>>>>>>>>> workgroup = INTERNAL
>>>>>>>>>>>>> security = ADS
>>>>>>>>>>>>> realm = INTERNAL.EXAMPLE.COM
>>>>>>>>>>>>> ..........
>>>>>>>>>>>>> idmap config * : backend = tdb
>>>>>>>>>>>>> idmap config * : range = 2000-9999
>>>>>>>>>>>>> idmap config INTERNAL : backend = ad
>>>>>>>>>>>>> idmap config INTERNAL : range = 10000-999999
>>>>>>>>>>>>> idmap config INTERNAL : schema_mode = rfc2307
>>>>>>>>>>>>>
>>>>>>>>>>>>> As for using 'PUTTY', this was just a way of testing whether you can connect to the Unix machine.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Rowland
>>>>>>>>>>>> OK, we are getting closer.
>>>>>>>>>>>>
>>>>>>>>>>>> Right, answers to your questions:
>>>>>>>>>>>> 1) I think that you may find that this is also printed: 'Could not chdir to home directory', in which case you will end up in the root of the computer.
>>>>>>>>>>>>
>>>>>>>>>>>> 2) Are you running the 'nmbd' daemon? Even if this is not running you should be able to navigate to the share by entering the path. Have a look here:
>>>>>>>>>>>>
>>>>>>>>>>>> https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs
>>>>>>>>>>>>
>>>>>>>>>>>> Rowland
>>>>>>>>>>>>
>>>>>>>>>> You are trying to run the command on a client, try adding either:
>>>>>>>>>>
>>>>>>>>>> -S server name
>>>>>>>>>>
>>>>>>>>>> OR
>>>>>>>>>>
>>>>>>>>>> -I address of target server
>>>>>>>>>>
>>>>>>>>>> where 'server' is the AD DC.
>>>>>>>>>>
>>>>>>>>>> Yes, you need to supply the password of the Domain Administrator.
>>>>>>>>>>
>>>>>>>>>> Rowland
>>>>>>>>>>
>>>>>>>>> OK, try it like this:
>>>>>>>>>
>>>>>>>>> net rpc rights grant 'Domain Admins' SeDiskOperatorPrivilege -UAdministrator -I 192.168.1.1
>>>>>>>>>
>>>>>>>>> This works for me on a client joined to the domain.
>>>>>>>>>
>>>>>>>>> Rowland
>>>>>>>>>
>>>>>>>> Sounds like something is wrong with the join, what does 'net ads testjoin' return? You may have to run this command with sudo.
>>>>>>>>
>>>>>>>> Rowland
>>>>>>>>
>>>>>> Sometimes I wonder why all the time is spent on keeping the samba wiki updated. Likewiseopen was replaced some time ago by PowerBroker Open; I cannot recommend using either of these, because quite simply, they are not needed.
>>>>>>
>>>>>> Check the following files:
>>>>>>
>>>>>> /etc/samba/smb.conf
>>>>>>
>>>>>> [global]
>>>>>> workgroup = JASONDOMAINI
>>>>>> security = ADS
>>>>>> realm = JASONDOMAINI.JASONDOMAIN.JJ
>>>>>> dedicated keytab file = /etc/krb5.keytab
>>>>>> kerberos method = secrets and keytab
>>>>>> server string = Samba 4 Client %h
>>>>>> winbind enum users = yes
>>>>>> winbind enum groups = yes
>>>>>> winbind use default domain = yes
>>>>>> winbind expand groups = 4
>>>>>> winbind nss info = rfc2307
>>>>>> winbind refresh tickets = Yes
>>>>>> winbind normalize names = Yes
>>>>>> idmap config * : backend = tdb
>>>>>> idmap config * : range = 2000-9999
>>>>>> idmap config JASONDOMAINI : backend = ad
>>>>>> idmap config JASONDOMAINI : range = 10000-999999
>>>>>> idmap config JASONDOMAINI : schema_mode = rfc2307
>>>>>> printcap name = cups
>>>>>> cups options = raw
>>>>>> usershare allow guests = yes
>>>>>> domain master = no
>>>>>> local master = no
>>>>>> preferred master = no
>>>>>> os level = 20
>>>>>> map to guest = bad user
>>>>>> vfs objects = acl_xattr
>>>>>> map acl inherit = Yes
>>>>>> store dos attributes = Yes
>>>>>> log level = 6
>>>>>>
>>>>>> /etc/krb5.conf
>>>>>>
>>>>>> [libdefaults]
>>>>>> default_realm = JASONDOMAINI.JASONDOMAIN.JJ
>>>>>> dns_lookup_realm = false
>>>>>> dns_lookup_kdc = true
>>>>>> ticket_lifetime = 24h
>>>>>> forwardable = yes
>>>>>>
>>>>>> /etc/resolv.conf
>>>>>>
>>>>>> nameserver <your AD DC's ipaddress>
>>>>>> search jasondomaini.jasondomain.jj
>>>>>>
>>>>>> If required, alter them to match the above, check that 'hostname' returns only the hostname of the client, check that 'hostname -f' returns the FQDN. If either is not correct, fix them.
>>>>>>
>>>>>> Remove likewiseopen
>>>>>>
>>>>>> Once everything is correct, run the following command:
>>>>>>
>>>>>> net ads join -U Administrator@JASONDOMAINI.JASONDOMAIN.JJ
>>>>>>
>>>>>> You should be asked for the domain Administrator's password, enter this and you should join the domain.
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>> What Windows DC are you using ?
>>>>> What is the realm name * workgroup name on the Windows DC ?
>>>>>
>>>>> Rowland
>>>> oops, that should have been:
>>>>
>>>> What is the realm name & workgroup name on the Windows DC ?
>>>>
>>>> Rowland
>>>>
>>> Hi, will you answer these questions:
>>>
>>> What Windows DC are you using ?
>>> What is the realm name on the Windows DC ?
>>> What is the workgroup name on the Windows DC ?
>>>
>>> You do not need all of what you have in /etc/krb5.conf, but please answer the questions above first.
>>>
>>> Rowland
>>>
>> OK, so what is your 'domain' name (and No, it is not 'JASONDOMAIN.JJ')
>>
>> Rowland
>>
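The mix-up that runs through this thread (an idmap block keyed by the realm or a truncated realm instead of the workgroup name, a krb5 default_realm that differs from the Samba realm, a DNS search list without the realm) can be checked mechanically before running net ads join. The script below is an added example, not code from the thread or from the Samba project; the sample configs are constructed from the ones quoted above, and the nameserver address is a placeholder.

```python
"""Consistency checks for a Samba AD domain-member setup (added example, not
code from the thread or the Samba project).  Reads smb.conf, krb5.conf and
resolv.conf and reports the mix-ups behind "Join to domain 'JASONDOMAINI' is
not valid": idmap keyed by the realm instead of the workgroup, a krb5
default_realm that differs from 'realm', and a DNS search list without it."""
import re


def parse_ini(text):
    """{section: {key: value}} for smb.conf / krb5.conf.  Keys are lower-cased
    and 'idmap config X : opt' becomes 'idmap config x:opt', so both spellings
    seen in the thread compare equal."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            key = re.sub(r"\s*:\s*", ":", key.strip().lower())
            sections[current][key] = value.strip()
    return sections


def check_member_config(smb_conf, krb5_conf, resolv_conf):
    """Return a list of problem strings; an empty list means the files agree."""
    problems = []
    g = parse_ini(smb_conf).get("global", {})
    workgroup = g.get("workgroup", "").upper()
    realm = g.get("realm", "").upper()
    if "." in workgroup:
        problems.append("smb.conf: workgroup %r is a DNS name; use the NetBIOS "
                        "domain name (USERDOMAIN on Windows)" % workgroup)

    # idmap blocks {DOMAIN: {option: value}}: keyed by '*' or the workgroup only.
    idmap = {}
    for key, value in g.items():
        m = re.match(r"idmap config (.+):(\w+)$", key)
        if m:
            idmap.setdefault(m.group(1).upper(), {})[m.group(2)] = value
    if "range" not in idmap.get("*", {}):
        problems.append("smb.conf: missing 'idmap config * : range' default backend")
    for dom in sorted(idmap):
        if dom not in ("*", workgroup):
            problems.append("smb.conf: 'idmap config %s' does not match workgroup %s "
                            "(key idmap by the NetBIOS name, not the realm)" % (dom, workgroup))
    if workgroup and workgroup not in idmap:
        problems.append("smb.conf: no 'idmap config %s' block; domain users would fall "
                        "back to the '*' backend" % workgroup)

    # The '*' range and each domain range must not overlap.
    ranges = {}
    for dom, opts in idmap.items():
        if "range" in opts:
            lo, hi = (int(x) for x in re.split(r"\s*-\s*", opts["range"]))
            ranges[dom] = (lo, hi)
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                problems.append("smb.conf: idmap ranges for %s and %s overlap" % (a, b))

    default_realm = parse_ini(krb5_conf).get("libdefaults", {}).get("default_realm", "")
    if default_realm.upper() != realm:
        problems.append("krb5.conf: default_realm %r differs from smb.conf realm %r"
                        % (default_realm, realm))

    search = []
    for line in resolv_conf.splitlines():
        parts = line.split()
        if parts and parts[0] in ("search", "domain"):
            search.extend(p.lower() for p in parts[1:])
    if realm and realm.lower() not in search:
        problems.append("resolv.conf: search list %s lacks %s" % (search, realm.lower()))
    return problems


# Constructed samples that follow the configs quoted in the thread.
GOOD_SMB = """[global]
    workgroup = JASONDOMAINI
    security = ADS
    realm = JASONDOMAIN.JJ
    idmap config * : backend = tdb
    idmap config * : range = 2000-9999
    idmap config JASONDOMAINI : backend = ad
    idmap config JASONDOMAINI : range = 10000-999999
    idmap config JASONDOMAINI : schema_mode = rfc2307
"""
GOOD_KRB5 = "[libdefaults]\n    default_realm = JASONDOMAIN.JJ\n    dns_lookup_kdc = true\n"
GOOD_RESOLV = "nameserver 192.0.2.10\nsearch jasondomain.jj\n"  # placeholder DC address
# The idmap block keyed by a truncated realm instead of the workgroup.
BAD_SMB = GOOD_SMB.replace("idmap config JASONDOMAINI", "idmap config JASONDOMAIN")

if __name__ == "__main__":
    for label, smb in (("recommended", GOOD_SMB), ("mis-keyed idmap", BAD_SMB)):
        print(label, "->", check_member_config(smb, GOOD_KRB5, GOOD_RESOLV) or "OK")
```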
Jason Long
2015-Jan-09 08:40 UTC
[Samba] Use Samba with ACL for read Active Directory and set Permissions via it.
Thanks. I'm confused. Can I paste the output of the "set" command on Windows for you? The "jason" account is an administrator and can join and dis-join any computer.

Cheers.
>>>>>>>>>>>>> >>>>>>>>>>>>> #getfacl test/ >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> # file: test/ >>>>>>>>>>>>> # owner: JASONDOMAINI\134JASON >>>>>>>>>>>>> # group: JASONDOMAINI\134grp-JASON-rw >>>>>>>>>>>>> user::rwx >>>>>>>>>>>>> group::r-x >>>>>>>>>>>>> group:JASONDOMAINI\134grp-JASON-rw:rwx >>>>>>>>>>>>> mask::rwx >>>>>>>>>>>>> other::r-x >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> and in "getent group" it show me below group : >>>>>>>>>>>>> >>>>>>>>>>>>> JASONDOMAINI\134grp-JASON-rw >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> in your idea, Am I use correct command to set permission? >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> On Sunday, December 28, 2014 9:37 AM, Rowland Penny >>>>>>>>>>>>> <rowlandpenny at googlemail.com> wrote: >>>>>>>>>>>>> On 28/12/14 15:48, Jason Long wrote: >>>>>>>>>>>>>> Thank you so much. >>>>>>>>>>>>>> Thus I must change "idmap config JASONDOMAIN.JJ:backend = ad >>>>>>>>>>>>>> " to "idmap config JASONDOMAIN:backend = ad". >>>>>>>>>>>>>> How about Workgroup? is must change "JASONDOMAIN" too? >>>>>>>>>>>>>> About your question I must say that I Test this share via >>>>>>>>>>>>>> Linux too and Windows and Linux has same problem. >>>>>>>>>>>>>> >>>>>>>>>>>>>> About "What I would do is, install the OpenSSH server on the >>>>>>>>>>>>>> linux machine, install 'PUTTY' on a windows machine and try >>>>>>>>>>>>>> to login via 'PUTTY' and use the SSH protocol." , You mean is >>>>>>>>>>>>>> that Windows clients use SSH to work with this directory? I >>>>>>>>>>>>>> want to made this Linux Box as a File server and Windows >>>>>>>>>>>>>> Clients need graphical browser to copy and paste file into >>>>>>>>>>>>>> this directory!!!!!!! >>>>>>>>>>>>>> What is your idea? >>>>>>>>>>>>>> >>>>>>>>>>>>>> Thanks. 
>>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>> I am loosing track here a bit, but if your dns domain is >>>>>>>>>>>>> example.com, >>>>>>>>>>>>> then your windows AD realm should be something like >>>>>>>>>>>>> internal.example.com >>>>>>>>>>>>> and your workgroup/domain name should be INTERNAL, that is, >>>>>>>>>>>>> they all >>>>>>>>>>>>> rely on each other. >>>>>>>>>>>>> >>>>>>>>>>>>> So anywhere that you come across these, you should use the >>>>>>>>>>>>> relevant one, >>>>>>>>>>>>> this is the relevant parts from a Unix client on my domain: >>>>>>>>>>>>> >>>>>>>>>>>>> [global] >>>>>>>>>>>>> workgroup = INTERNAL >>>>>>>>>>>>> security = ADS >>>>>>>>>>>>> realm = INTERNAL.EXAMPLE.COM >>>>>>>>>>>>> .......... >>>>>>>>>>>>> idmap config * : backend = tdb >>>>>>>>>>>>> idmap config * : range = 2000-9999 >>>>>>>>>>>>> idmap config INTERNAL : backend = ad >>>>>>>>>>>>> idmap config INTERNAL : range = 10000-999999 >>>>>>>>>>>>> idmap config INTERNAL : schema_mode = rfc2307 >>>>>>>>>>>>> >>>>>>>>>>>>> As for using 'PUTTY', this was just a way of testing whether >>>>>>>>>>>>> you can >>>>>>>>>>>>> connect to the Unix machine. >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> Rowland >>>>>>>>>>>> OK, we are getting closer >>>>>>>>>>>> >>>>>>>>>>>> right, answers to your questions >>>>>>>>>>>> 1) I think that you may find that this is also printed 'Could >>>>>>>>>>>> not chdir >>>>>>>>>>>> to home directory', in which case you will end up in the root >>>>>>>>>>>> of computer. >>>>>>>>>>>> >>>>>>>>>>>> 2) Are you running the 'nmbd' daemon ? Even if this is not >>>>>>>>>>>> running you >>>>>>>>>>>> should be able to navigate to the share by entering the path. 
>>>>>>>>>>>> Have a >>>>>>>>>>>> look here: >>>>>>>>>>>> >>>>>>>>>>>> https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> Rowland >>>>>>>>>>>> >>>>>>>>>> You are trying to run the command on a client, try adding either: >>>>>>>>>> >>>>>>>>>> -S server name >>>>>>>>>> >>>>>>>>>> OR >>>>>>>>>> >>>>>>>>>> -I address of target server >>>>>>>>>> >>>>>>>>>> where 'server' is the AD DC. >>>>>>>>>> >>>>>>>>>> Yes, you need to supply the password of the Domain Administrator. >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Rowland >>>>>>>>>> >>>>>>>>> OK, try it like this: >>>>>>>>> >>>>>>>>> net rpc rights grant 'Domain Admins' SeDiskOperatorPrivilege >>>>>>>>> -UAdministrator -I 192.168.1.1 >>>>>>>>> >>>>>>>>> This works for me on a client joined to the domain. >>>>>>>>> >>>>>>>>> >>>>>>>>> Rowland >>>>>>>>> >>>>>>>> Sounds like something is wrong with the join, what does 'net ads >>>>>>>> testjoin' return ? You may have to run this command with sudo. >>>>>>>> >>>>>>>> >>>>>>>> Rowland >>>>>>>> >>>>>> Sometimes I wonder why all the time is spent on keeping the samba wiki >>>>>> updated. Likewiseopen was replaced sometime ago by PowerBroker Open, I >>>>>> cannot recommend using either of these, because quite simply, they are >>>>>> not needed. 
>>>>>> >>>>>> Check the following files: >>>>>> >>>>>> /etc/samba/smb.conf >>>>>> >>>>>> [global] >>>>>> workgroup = JASONDOMAINI >>>>>> security = ADS >>>>>> realm = JASONDOMAINI.JASONDOMAIN.JJ >>>>>> dedicated keytab file = /etc/krb5.keytab >>>>>> kerberos method = secrets and keytab >>>>>> server string = Samba 4 Client %h >>>>>> winbind enum users = yes >>>>>> winbind enum groups = yes >>>>>> winbind use default domain = yes >>>>>> winbind expand groups = 4 >>>>>> winbind nss info = rfc2307 >>>>>> winbind refresh tickets = Yes >>>>>> winbind normalize names = Yes >>>>>> idmap config * : backend = tdb >>>>>> idmap config * : range = 2000-9999 >>>>>> idmap config JASONDOMAINI : backend = ad >>>>>> idmap config JASONDOMAINI : range = 10000-999999 >>>>>> idmap config JASONDOMAINI : schema_mode = rfc2307 >>>>>> printcap name = cups >>>>>> cups options = raw >>>>>> usershare allow guests = yes >>>>>> domain master = no >>>>>> local master = no >>>>>> preferred master = no >>>>>> os level = 20 >>>>>> map to guest = bad user >>>>>> vfs objects = acl_xattr >>>>>> map acl inherit = Yes >>>>>> store dos attributes = Yes >>>>>> log level = 6 >>>>>> >>>>>> /etc/krb5.conf >>>>>> >>>>>> [libdefaults] >>>>>> default_realm = JASONDOMAINI.JASONDOMAIN.JJ >>>>>> dns_lookup_realm = false >>>>>> dns_lookup_kdc = true >>>>>> ticket_lifetime = 24h >>>>>> forwardable = yes >>>>>> >>>>>> /etc/resolv.conf >>>>>> >>>>>> nameserver <your AD DC's ipaddress> >>>>>> search jasondomaini.jasondomain.jj >>>>>> >>>>>> If required, alter them to match the above, check that 'hostname' >>>>>> returns only the hostname of the client, check that 'hostname -f' >>>>>> returns the FQDN. If either are not correct, fix them. 
>>>>>> >>>>>> Remove likewiseopen >>>>>> >>>>>> Once everything is correct, run the following command: >>>>>> >>>>>> net ads join -U Administrator at JASONDOMAINI.JASONDOMAIN.JJ >>>>>> >>>>>> You should be asked for the domain Administrators password, enter this >>>>>> and you should join the domain >>>>>> >>>>>> Rowland >>>>>> >>>>> What Windows DC are you using ? >>>>> What is the realm name * workgroup name on the Windows DC ? >>>>> >>>>> Rowland >>>> oops, that should have been: >>>> >>>> >>>> What is the realm name & workgroup name on the Windows DC ? >>>> >>>> Rowland >>>> >>> Hi, will you answer these questions: >>> >>> What Windows DC are you using ? >>> What is the realm name on the Windows DC ? >>> What is the workgroup name on the Windows DC ? >>> >>> You do not need all of what you have in /etc/krb5.conf, but please >>> answer the questions above first. >>> >>> Rowland >>> >> OK, so what is your 'domain' name (and No, it is not 'JASONDOMAIN.JJ') >> >> Rowland >>
Rowland Penny
2015-Jan-09 09:31 UTC
[Samba] Use Samba with ACL for read Active Directory and set Permissions via it.
On 09/01/15 08:40, Jason Long wrote:> Thanks. > I'm confused. Can I paste "set" command on windows for you? > "jason" account is administrator and can join and dis-join any computer. > > Cheers. > > > > On Wednesday, January 7, 2015 2:59 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote: > On 07/01/15 10:51, Jason Long wrote: >> Thank you. >> I changed my "krb5.conf" as below : >> >> >> [logging] >> default = FILE:/var/log/krb5libs.log >> kdc = FILE:/var/log/krb5kdc.log >> admin_server = FILE:/var/log/kadmind.log >> >> [libdefaults] >> default_realm = JASONDOMAIN.JJ >> dns_lookup_realm = false >> dns_lookup_kdc = true >> ticket_lifetime = 24h >> renew_lifetime = 7d >> forwardable = yes >> default_keytab_name = /etc/krb5.keytab >> default_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC >> default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC >> preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC >> pkinit_kdc_hostname = <DNS> >> pkinit_anchors = DIR:/var/lib/pbis/trusted_certs >> pkinit_cert_match = &&<EKU>msScLogin<PRINCIPAL> >> pkinit_eku_checking = kpServerAuth >> pkinit_win2k_require_binding = false >> pkinit_identities = PKCS11:/opt/pbis/lib64/libpkcs11.so >> > My krb5.conf is: > > [libdefaults] > default_realm = EXAMPLE.LAN > dns_lookup_realm = false > dns_lookup_kdc = true > ticket_lifetime = 24h > forwardable = yes > >> and removed "krb5.keytab" too. You told me that my domain name is "jasondomaini" but it is wrong, My domain name is "jasondomain.jj" and backend is "jasondomaini", For example, when I want to login into Windows use "jasondomaini\jason". 
>> >> After enter the command "net ads join -U jason at jasondomain.jj", My computer joined but when use "net rpc testjoin" , I got same error as below : >> >> Unable to find a suitable server for domain JASONDOMAINI >> Join to domain 'JASONDOMAINI' is not valid: NT_STATUS_UNSUCCESSFUL >> >> I don't know why it see domain name as "JASONDOMAINI". How can I edit it? > You shouldn't because 'JASONDOMAINI' *IS* your domain name *NOT* the > backend!!! > > The join command should be 'net ads join -U jason at JASONDOMAIN.JJ' , but > does 'jason' have the required rights to join the domain ?? Try again > but this time use: > > net ads join -U Administrator at JASONDOMAIN.JJ > > and enter the 'Administrator' password when prompted. > > Rowland >> >> Thanks. >> >> >> >> >> On Tuesday, January 6, 2015 12:57 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote: >> On 06/01/15 06:17, Jason Long wrote: >>> Thanks. >>> My domain name is "jasondomain.jj" and backend is "jasondomaini". >> No, your realm name is "jasondomain.jj" and it would seem that your >> domain name is "jasondomaini", the domain name can also be known as the >> 'workgroup' name. 
>> >> Set smb.conf to match this: >> >> [global] >> workgroup = JASONDOMAINI >> security = ADS >> realm = JASONDOMAIN.JJ >> dedicated keytab file = /etc/krb5.keytab >> kerberos method = secrets and keytab >> server string = Samba 4 Client %h >> winbind enum users = yes >> winbind enum groups = yes >> winbind use default domain = yes >> winbind expand groups = 4 >> winbind nss info = rfc2307 >> winbind refresh tickets = Yes >> winbind offline logon = yes >> winbind normalize names = Yes >> idmap config * : backend = tdb >> idmap config * : range = 2000-9999 >> idmap config JASONDOMAINI : backend = ad >> idmap config JASONDOMAINI : range = 10000-999999 >> idmap config JASONDOMAINI : schema_mode = rfc2307 >> printcap name = cups >> cups options = raw >> usershare allow guests = yes >> domain master = no >> local master = no >> preferred master = no >> os level = 20 >> map to guest = bad user >> >> set /etc/krb5.conf to this: >> >> [libdefaults] >> default_realm = JASONDOMAIN.JJ >> dns_lookup_realm = false >> dns_lookup_kdc = true >> ticket_lifetime = 24h >> forwardable = yes >> >> set /etc/resolv.conf >> >> nameserver <ip of your windows server> >> search jasondomain.jj >> >> If /etc/krb5.keytab exists, delete it. >> >> make sure the time on the client matches the server. >> >> then try to join the domain: >> >> net ads join -U Administrator at JASONDOMAIN.JJ >> >> >> Rowland >>> >>> On Monday, January 5, 2015 3:48 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote: >>> On 05/01/15 11:09, Jason Long wrote: >>>> Thank you. >>>> >>>> My Windows is Windows server 2008 R2. >>>> About realm name, My domain name is "JASONDOMAIN.JJ". >>>> My Windows not have any Workgroup Name. It is Domain. >>>> >>>> >>>> Thanks >>>> >>>> >>>> >>>> >>>> On Monday, January 5, 2015 1:05 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote: >>>> On 05/01/15 07:02, Jason Long wrote: >>>>> Thanks a lot. 
>>>>> I changed the below lines to correct domain name : >>>>> >>>>> idmap config JASONDOMAIN : range = 10000-999999 >>>>> idmap config JASONDOMAIN : schema_mode = rfc2307 >>>>> >>>>> and after join, the command "net rpc testjoin" show same error : >>>>> >>>>> Unable to find a suitable server for domain JASONDOMAINI >>>>> Join to domain 'JASONDOMAINI' is not valid: NT_STATUS_UNSUCCESSFUL >>>>> >>>>> I have an idea and I guess that "/etc/krb5.conf" has some incorrect options. The file is " >>>>> >>>>> [logging] >>>>> default = FILE:/var/log/krb5libs.log >>>>> kdc = FILE:/var/log/krb5kdc.log >>>>> admin_server = FILE:/var/log/kadmind.log >>>>> >>>>> [libdefaults] >>>>> default_realm = JASONDOMAIN.JJ >>>>> dns_lookup_realm = false >>>>> dns_lookup_kdc = true >>>>> ticket_lifetime = 24h >>>>> renew_lifetime = 7d >>>>> forwardable = yes >>>>> default_keytab_name = /etc/krb5.keytab >>>>> default_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC >>>>> default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC >>>>> preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC >>>>> pkinit_kdc_hostname = <DNS> >>>>> pkinit_anchors = DIR:/var/lib/pbis/trusted_certs >>>>> pkinit_cert_match = &&<EKU>msScLogin<PRINCIPAL> >>>>> pkinit_eku_checking = kpServerAuth >>>>> pkinit_win2k_require_binding = false >>>>> pkinit_identities = PKCS11:/opt/pbis/lib64/libpkcs11.so >>>>> >>>>> [realms] >>>>> EXAMPLE.COM = { >>>>> kdc = kerberos.example.com >>>>> admin_server = kerberos.example.com >>>>> } >>>>> JASONDOMAIN.JJ = { >>>>> auth_to_local = RULE:[1:$0\$1](^JASONDOMAIN\.JJ\\.*)s/^JASONDOMAIN\.JJ/JASONDOMAINI/ >>>>> auth_to_local = RULE:[1:$0\$1](^ADVER\.JASONDOMAIN\.JJ\\.*)s/^ADVER\.JASONDOMAIN\.JJ/ADVER/ >>>>> auth_to_local = DEFAULT >>>>> } >>>>> >>>>> [domain_realm] >>>>> .example.com = EXAMPLE.COM >>>>> example.com = EXAMPLE.COM >>>>> .JASONDOMAIN.JJ = JASONDOMAIN.JJ >>>>> .adver.JASONDOMAIN.JJ = ADVER.JASONDOMAIN.JJ >>>>> 
[capaths] >>>>> [appdefaults] >>>>> pam = { >>>>> mappings = JASONDOMAINI\\(.*) $1 at JASONDOMAIN.JJ >>>>> forwardable = true >>>>> validate = true >>>>> } >>>>> httpd = { >>>>> mappings = JASONDOMAINI\\(.*) $1 at JASONDOMAIN.JJ >>>>> reverse_mappings = (.*)@JASONDOMAIN\.JJ JASONDOMAINI\$1 >>>>> } >>>>> >>>>> >>>>> >>>>> What is your idea? I must tell you that after removed LikeWise and configure manually, I can't login to Linux via Windows AD accounts. >>>>> >>>>> >>>>> Thanks. >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> On Sunday, January 4, 2015 5:11 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote: >>>>> On 04/01/15 13:00, Rowland Penny wrote: >>>>>> On 04/01/15 10:17, Jason Long wrote: >>>>>>> Thanks a lot. >>>>>>> I enter the command and result is : >>>>>>> >>>>>>> Using short domain name -- JASONDOMAINI >>>>>>> Joined 'PRINTMAH' to dns domain 'JASONDOMAIN.JJ' >>>>>>> but after run "net rpc testjoin" : >>>>>>> >>>>>>> Unable to find a suitable server for domain JASONDOMAINI >>>>>>> Join to domain 'JASONDOMAINI' is not valid: NT_STATUS_UNSUCCESSFUL >>>>>>> >>>>>>> I guess I understand what is my problem. I'm really sorry :(. >>>>>>> >>>>>>> On Windows OS i used "set" command and it show me : >>>>>>> >>>>>>> USERDNSDOMAIN= JASONDOMAIN.JJ >>>>>>> USERDOMAIN= JASONDOMAINI >>>>>>> >>>>>>> I guess that I must change "JASONDOMAINI" in below texts to >>>>>>> "JASONDOMAIN" : >>>>>>> >>>>>>> idmap config JASONDOMAINI : range = 10000-999999 >>>>>>> idmap config JASONDOMAINI : schema_mode = rfc2307 >>>>>>> >>>>>>> Am I right? >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> On Saturday, January 3, 2015 7:44 AM, Rowland Penny >>>>>>> <rowlandpenny at googlemail.com> wrote: >>>>>>> On 03/01/15 15:08, Jason Long wrote: >>>>>>>> Thank you. >>>>>>>> I used below videos for join my Linux Box to Windows domain : >>>>>>>> >>>>>>>> http://www.youtube.com/watch?v=Y3TFPDT9uic >>>>>>>> >>>>>>>> Please look at this video and I used instructions in it and >>>>>>>> LikeWiseOpen tool. 
>>>>>>>> >>>>>>>> >>>>>>>> Cheers. >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> On Saturday, January 3, 2015 5:45 AM, Rowland Penny >>>>>>>> <rowlandpenny at googlemail.com> wrote: >>>>>>>> On 03/01/15 12:38, Jason Long wrote: >>>>>>>>> Thanks. >>>>>>>>> >>>>>>>>> I enter "net ads testjoin" and it show me : >>>>>>>>> >>>>>>>>> ads_connect: No logon servers >>>>>>>>> Join to domain is not valid: No logon servers >>>>>>>> You are *not* joined to the domain, I suppose this should have been >>>>>>>> asked earlier, but how did you do the domain join ? >>>>>>>> >>>>>>>> Rowland >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>>> If it is incorrect, Why I can Login to Linux via Windows account? >>>>>>>>> As you see, I followed the steps on Video. >>>>>>>>> >>>>>>>>> :(. >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> On Saturday, January 3, 2015 1:13 AM, Rowland Penny >>>>>>>>> <rowlandpenny at googlemail.com> wrote: >>>>>>>>> On 03/01/15 05:41, Jason Long wrote: >>>>>>>>>> Thank you. >>>>>>>>>> Command show below error : >>>>>>>>>> >>>>>>>>>> Could not connect to server 192.168.1.1 >>>>>>>>>> Connection failed: NT_STATUS_INVALID_WORKSTATION >>>>>>>>>> >>>>>>>>>> :( >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> On Wednesday, December 31, 2014 2:05 AM, Rowland Penny >>>>>>>>>> <rowlandpenny at googlemail.com> wrote: >>>>>>>>>> On 31/12/14 09:55, Jason Long wrote: >>>>>>>>>>> Thanks. >>>>>>>>>>> I changed the command as below : >>>>>>>>>>> >>>>>>>>>>> #net rpc rights grant 'jasondomain\Domain Admins' >>>>>>>>>>> SeDiskOperatorPrivilege -U jasondomain\\administrator -I 192.168.1.1 >>>>>>>>>>> >>>>>>>>>>> But Got below error : >>>>>>>>>>> >>>>>>>>>>> Could not connect to server 192.168.1.1 >>>>>>>>>>> Connection failed: NT_STATUS_INVALID_WORKSTATION >>>>>>>>>>> >>>>>>>>>>> Cheers. 
>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> On Wednesday, December 31, 2014 1:35 AM, Rowland Penny >>>>>>>>>>> <rowlandpenny at googlemail.com> wrote: >>>>>>>>>>> On 31/12/14 09:17, Jason Long wrote: >>>>>>>>>>>> Thank you so much but I run below commands on linux : >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> # net rpc rights grant 'jasondomain\Domain Admins' >>>>>>>>>>>> SeDiskOperatorPrivilege -Uadministrator >>>>>>>>>>>> # net rpc rights list accounts -Uadministrator >>>>>>>>>>>> >>>>>>>>>>>> it ask me a password for "administrator: >>>>>>>>>>>> >>>>>>>>>>>> Enter administrator's password: >>>>>>>>>>>> Could not connect to server 127.0.0.1 >>>>>>>>>>>> Connection failed: NT_STATUS_NO_LOGON_SERVERS >>>>>>>>>>>> >>>>>>>>>>>> Must I enter windows administrator password? >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> Thanks. >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> On Monday, December 29, 2014 5:10 AM, Rowland Penny >>>>>>>>>>>> <rowlandpenny at googlemail.com> wrote: >>>>>>>>>>>> On 29/12/14 12:52, Jason Long wrote: >>>>>>>>>>>>> Thank you so much. >>>>>>>>>>>>> >>>>>>>>>>>>> I did some changes like below : >>>>>>>>>>>>> >>>>>>>>>>>>> /dev/mapper/vg_print-lv_root / ext4 >>>>>>>>>>>>> user_xattr,acl,defaults 1 1 >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> Then "lsof | grep /dev/mapper/vg_print-lv_root" not have any >>>>>>>>>>>>> output. >>>>>>>>>>>>> I added below lines to [global] section too : >>>>>>>>>>>>> >>>>>>>>>>>>> vfs objects = acl_xattr >>>>>>>>>>>>> map acl inherit = Yes >>>>>>>>>>>>> store dos attributes = Yes >>>>>>>>>>>>> >>>>>>>>>>>>> But about below commands can you tell me more? >>>>>>>>>>>>> >>>>>>>>>>>>> net rpc rights grant 'SAMDOM\Domain Admins' >>>>>>>>>>>>> SeDiskOperatorPrivilege -Uadministrator >>>>>>>>>>>>> net rpc rights list accounts -Uadministrator >>>>>>>>>>>>> >>>>>>>>>>>>> I hope they are not Dangerous!!!! 
>>>>>>>>>>>> No :-) >>>>>>>>>>>> >>>>>>>>>>>> The first one gives members of Domain Admins the right to change >>>>>>>>>>>> windows >>>>>>>>>>>> ACL's on a share >>>>>>>>>>>> The second list accounts and what rights they have. >>>>>>>>>>>> >>>>>>>>>>>>> In the >>>>>>>>>>>>> "https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs" >>>>>>>>>>>>> , the other steps are in Windows!!! Can I doing via Linux too? >>>>>>>>>>>> Yes, but it is just easier via windows >>>>>>>>>>>> >>>>>>>>>>>> Rowland >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>>> Thanks. >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> On Monday, December 29, 2014 1:59 AM, Rowland Penny >>>>>>>>>>>>> <rowlandpenny at googlemail.com> wrote: >>>>>>>>>>>>> On 29/12/14 06:38, Jason Long wrote: >>>>>>>>>>>>>> Thank you so much. >>>>>>>>>>>>>> You right, My realm is "jasondomaini.jasondomain.jj" and I >>>>>>>>>>>>>> change configure as below : >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> [global] >>>>>>>>>>>>>> workgroup = JASONDOMAINI >>>>>>>>>>>>>> server string = Samba Server Version %v >>>>>>>>>>>>>> # logs split per machine >>>>>>>>>>>>>> log file = /var/log/samba/log.%m >>>>>>>>>>>>>> # max 50KB per log file, then rotate >>>>>>>>>>>>>> max log size = 50 >>>>>>>>>>>>>> security = ADS >>>>>>>>>>>>>> realm = JASONDOMAINI.JASONDOMAIN.JJ >>>>>>>>>>>>>> passdb backend = tdbsam >>>>>>>>>>>>>> load printers = yes >>>>>>>>>>>>>> cups options = raw >>>>>>>>>>>>>> idmap config *:backend = tdb >>>>>>>>>>>>>> idmap config *:range = 70001-80000 >>>>>>>>>>>>>> #idmap config SAMDOM:backend = ad >>>>>>>>>>>>>> idmap config JASONDOMAINI:backend = ad >>>>>>>>>>>>>> idmap config JASONDOMAINI:schema_mode = rfc2307 >>>>>>>>>>>>>> idmap config JASONDOMAINI:range = 500-40000 >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> When I use "SSH" on my CentOS and enter "jasondomain\jason", >>>>>>>>>>>>>> It show me the root partition and I can open "Test" directory 
>>>>>>>>>>>>>> But it has two problems : >>>>>>>>>>>>>> >>>>>>>>>>>>>> 1- Why it show root partition? >>>>>>>>>>>>>> 2- I can't browse it via Windows explorer!!! >>>>>>>>>>>>>> >>>>>>>>>>>>>> I want to know use AD users in Linux is Hard? >>>>>>>>>>>>>> >>>>>>>>>>>>>> In your opinion I used a correct command to set ACL? >>>>>>>>>>>>>> >>>>>>>>>>>>>> #getfacl test/ >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> # file: test/ >>>>>>>>>>>>>> # owner: JASONDOMAINI\134JASON >>>>>>>>>>>>>> # group: JASONDOMAINI\134grp-JASON-rw >>>>>>>>>>>>>> user::rwx >>>>>>>>>>>>>> group::r-x >>>>>>>>>>>>>> group:JASONDOMAINI\134grp-JASON-rw:rwx >>>>>>>>>>>>>> mask::rwx >>>>>>>>>>>>>> other::r-x >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> and in "getent group" it show me below group : >>>>>>>>>>>>>> >>>>>>>>>>>>>> JASONDOMAINI\134grp-JASON-rw >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> in your idea, Am I use correct command to set permission? >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> On Sunday, December 28, 2014 9:37 AM, Rowland Penny >>>>>>>>>>>>>> <rowlandpenny at googlemail.com> wrote: >>>>>>>>>>>>>> On 28/12/14 15:48, Jason Long wrote: >>>>>>>>>>>>>>> Thank you so much. >>>>>>>>>>>>>>> Thus I must change "idmap config JASONDOMAIN.JJ:backend = ad >>>>>>>>>>>>>>> " to "idmap config JASONDOMAIN:backend = ad". >>>>>>>>>>>>>>> How about Workgroup? is must change "JASONDOMAIN" too? >>>>>>>>>>>>>>> About your question I must say that I Test this share via >>>>>>>>>>>>>>> Linux too and Windows and Linux has same problem. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> About "What I would do is, install the OpenSSH server on the >>>>>>>>>>>>>>> linux machine, install 'PUTTY' on a windows machine and try >>>>>>>>>>>>>>> to login via 'PUTTY' and use the SSH protocol." , You mean is >>>>>>>>>>>>>>> that Windows clients use SSH to work with this directory? 
I >>>>>>>>>>>>>>> want to made this Linux Box as a File server and Windows >>>>>>>>>>>>>>> Clients need graphical browser to copy and paste file into >>>>>>>>>>>>>>> this directory!!!!!!! >>>>>>>>>>>>>>> What is your idea? >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Thanks. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>> I am loosing track here a bit, but if your dns domain is >>>>>>>>>>>>>> example.com, >>>>>>>>>>>>>> then your windows AD realm should be something like >>>>>>>>>>>>>> internal.example.com >>>>>>>>>>>>>> and your workgroup/domain name should be INTERNAL, that is, >>>>>>>>>>>>>> they all >>>>>>>>>>>>>> rely on each other. >>>>>>>>>>>>>> >>>>>>>>>>>>>> So anywhere that you come across these, you should use the >>>>>>>>>>>>>> relevant one, >>>>>>>>>>>>>> this is the relevant parts from a Unix client on my domain: >>>>>>>>>>>>>> >>>>>>>>>>>>>> [global] >>>>>>>>>>>>>> workgroup = INTERNAL >>>>>>>>>>>>>> security = ADS >>>>>>>>>>>>>> realm = INTERNAL.EXAMPLE.COM >>>>>>>>>>>>>> .......... >>>>>>>>>>>>>> idmap config * : backend = tdb >>>>>>>>>>>>>> idmap config * : range = 2000-9999 >>>>>>>>>>>>>> idmap config INTERNAL : backend = ad >>>>>>>>>>>>>> idmap config INTERNAL : range = 10000-999999 >>>>>>>>>>>>>> idmap config INTERNAL : schema_mode = rfc2307 >>>>>>>>>>>>>> >>>>>>>>>>>>>> As for using 'PUTTY', this was just a way of testing whether >>>>>>>>>>>>>> you can >>>>>>>>>>>>>> connect to the Unix machine. >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> Rowland >>>>>>>>>>>>> OK, we are getting closer >>>>>>>>>>>>> >>>>>>>>>>>>> right, answers to your questions >>>>>>>>>>>>> 1) I think that you may find that this is also printed 'Could >>>>>>>>>>>>> not chdir >>>>>>>>>>>>> to home directory', in which case you will end up in the root >>>>>>>>>>>>> of computer. >>>>>>>>>>>>> >>>>>>>>>>>>> 2) Are you running the 'nmbd' daemon ? Even if this is not >>>>>>>>>>>>> running you >>>>>>>>>>>>> should be able to navigate to the share by entering the path. 
>>>>>>>>>>>>> Have a >>>>>>>>>>>>> look here: >>>>>>>>>>>>> >>>>>>>>>>>>> https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> Rowland >>>>>>>>>>>>> >>>>>>>>>>> You are trying to run the command on a client, try adding either: >>>>>>>>>>> >>>>>>>>>>> -S server name >>>>>>>>>>> >>>>>>>>>>> OR >>>>>>>>>>> >>>>>>>>>>> -I address of target server >>>>>>>>>>> >>>>>>>>>>> where 'server' is the AD DC. >>>>>>>>>>> >>>>>>>>>>> Yes, you need to supply the password of the Domain Administrator. >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> Rowland >>>>>>>>>>> >>>>>>>>>> OK, try it like this: >>>>>>>>>> >>>>>>>>>> net rpc rights grant 'Domain Admins' SeDiskOperatorPrivilege >>>>>>>>>> -UAdministrator -I 192.168.1.1 >>>>>>>>>> >>>>>>>>>> This works for me on a client joined to the domain. >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Rowland >>>>>>>>>> >>>>>>>>> Sounds like something is wrong with the join, what does 'net ads >>>>>>>>> testjoin' return ? You may have to run this command with sudo. >>>>>>>>> >>>>>>>>> >>>>>>>>> Rowland >>>>>>>>> >>>>>>> Sometimes I wonder why all the time is spent on keeping the samba wiki >>>>>>> updated. Likewiseopen was replaced sometime ago by PowerBroker Open, I >>>>>>> cannot recommend using either of these, because quite simply, they are >>>>>>> not needed. 
>>>>>>> >>>>>>> Check the following files: >>>>>>> >>>>>>> /etc/samba/smb.conf >>>>>>> >>>>>>> [global] >>>>>>> workgroup = JASONDOMAINI >>>>>>> security = ADS >>>>>>> realm = JASONDOMAINI.JASONDOMAIN.JJ >>>>>>> dedicated keytab file = /etc/krb5.keytab >>>>>>> kerberos method = secrets and keytab >>>>>>> server string = Samba 4 Client %h >>>>>>> winbind enum users = yes >>>>>>> winbind enum groups = yes >>>>>>> winbind use default domain = yes >>>>>>> winbind expand groups = 4 >>>>>>> winbind nss info = rfc2307 >>>>>>> winbind refresh tickets = Yes >>>>>>> winbind normalize names = Yes >>>>>>> idmap config * : backend = tdb >>>>>>> idmap config * : range = 2000-9999 >>>>>>> idmap config JASONDOMAINI : backend = ad >>>>>>> idmap config JASONDOMAINI : range = 10000-999999 >>>>>>> idmap config JASONDOMAINI : schema_mode = rfc2307 >>>>>>> printcap name = cups >>>>>>> cups options = raw >>>>>>> usershare allow guests = yes >>>>>>> domain master = no >>>>>>> local master = no >>>>>>> preferred master = no >>>>>>> os level = 20 >>>>>>> map to guest = bad user >>>>>>> vfs objects = acl_xattr >>>>>>> map acl inherit = Yes >>>>>>> store dos attributes = Yes >>>>>>> log level = 6 >>>>>>> >>>>>>> /etc/krb5.conf >>>>>>> >>>>>>> [libdefaults] >>>>>>> default_realm = JASONDOMAINI.JASONDOMAIN.JJ >>>>>>> dns_lookup_realm = false >>>>>>> dns_lookup_kdc = true >>>>>>> ticket_lifetime = 24h >>>>>>> forwardable = yes >>>>>>> >>>>>>> /etc/resolv.conf >>>>>>> >>>>>>> nameserver <your AD DC's ipaddress> >>>>>>> search jasondomaini.jasondomain.jj >>>>>>> >>>>>>> If required, alter them to match the above, check that 'hostname' >>>>>>> returns only the hostname of the client, check that 'hostname -f' >>>>>>> returns the FQDN. If either are not correct, fix them. 
>>>>>>>
>>>>>>> Remove likewiseopen
>>>>>>>
>>>>>>> Once everything is correct, run the following command:
>>>>>>>
>>>>>>> net ads join -U Administrator at JASONDOMAINI.JASONDOMAIN.JJ
>>>>>>>
>>>>>>> You should be asked for the domain Administrator's password, enter this
>>>>>>> and you should join the domain
>>>>>>>
>>>>>>> Rowland
>>>>>>>
>>>>>> What Windows DC are you using ?
>>>>>> What is the realm name * workgroup name on the Windows DC ?
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>> oops, that should have been:
>>>>>
>>>>> What is the realm name & workgroup name on the Windows DC ?
>>>>>
>>>>> Rowland
>>>>>
>>>> Hi, will you answer these questions:
>>>>
>>>> What Windows DC are you using ?
>>>> What is the realm name on the Windows DC ?
>>>> What is the workgroup name on the Windows DC ?
>>>>
>>>> You do not need all of what you have in /etc/krb5.conf, but please
>>>> answer the questions above first.
>>>>
>>>> Rowland
>>>>
>>> OK, so what is your 'domain' name (and No, it is not 'JASONDOMAIN.JJ')
>>>
>>> Rowland
>>>
You're confused !!! Looking back over what you posted I found this:

Thanks a lot. I changed the below lines to the correct domain name :
idmap config JASONDOMAIN : range = 10000-999999
idmap config JASONDOMAIN : schema_mode = rfc2307
and after join, the command "net rpc testjoin" shows the same error :
Unable to find a suitable server for domain JASONDOMAINI
Join to domain 'JASONDOMAINI' is not valid: NT_STATUS_UNSUCCESSFUL

this was 05/01/15 07:02

Totally missed it then, but now it sticks out like a sore thumb, is your workgroup/NetBIOS domain 'JASONDOMAIN' *OR* 'JASONDOMAINI' ?????

Rowland
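The mismatch Rowland is pointing at (an `idmap config` domain that is not the workgroup, with the realm possibly off as well) is easy to catch mechanically before running `net ads join`. The following is an added POSIX shell check, not code from this thread or from Samba; it reads an smb.conf and a krb5.conf, and the sample files it builds are constructed from the values in this thread.

```shell
#!/bin/sh
# Added example (not Samba's tooling): 'idmap config DOMAIN' must name the
# workgroup (NetBIOS domain) and krb5 default_realm must equal the smb.conf realm.

# get_val FILE KEY: first value of KEY (case-insensitive) in an ini-style file
get_val() {
    awk -F= -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*[#;]/ { next }
        index($0, "=") {
            k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (tolower(k) == key) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit
            }
        }' "$1"
}

# idmap_domains FILE: every DOMAIN used in 'idmap config DOMAIN : ...', except '*'
idmap_domains() {
    awk 'tolower($1) == "idmap" && tolower($2) == "config" {
            d = $3; sub(/:.*/, "", d); if (d != "*") print d }' "$1" | sort -u
}

# check_samba_domain_names SMB_CONF KRB5_CONF: returns 0 if consistent, 1 otherwise
check_samba_domain_names() {
    wg=$(get_val "$1" workgroup | tr 'a-z' 'A-Z')
    realm=$(get_val "$1" realm | tr 'a-z' 'A-Z')
    krealm=$(get_val "$2" default_realm | tr 'a-z' 'A-Z')
    rc=0
    for d in $(idmap_domains "$1"); do
        if [ "$(printf '%s' "$d" | tr 'a-z' 'A-Z')" != "$wg" ]; then
            echo "MISMATCH: 'idmap config $d' does not name workgroup '$wg'"; rc=1
        fi
    done
    if [ "$krealm" != "$realm" ]; then
        echo "MISMATCH: krb5 default_realm '$krealm' != smb.conf realm '$realm'"; rc=1
    fi
    return "$rc"
}

# Constructed sample files reproducing the thread's mismatch; not real configs.
tmp=$(mktemp -d)
printf '[libdefaults]\n default_realm = JASONDOMAIN.JJ\n' > "$tmp/krb5.conf"
printf '[global]\n workgroup = JASONDOMAINI\n realm = JASONDOMAIN.JJ\n' > "$tmp/smb_bad.conf"
printf ' idmap config * : backend = tdb\n idmap config JASONDOMAIN : backend = ad\n' >> "$tmp/smb_bad.conf"
sed 's/config JASONDOMAIN :/config JASONDOMAINI :/' "$tmp/smb_bad.conf" > "$tmp/smb_good.conf"
check_samba_domain_names "$tmp/smb_bad.conf" "$tmp/krb5.conf"   # reports the idmap mismatch
check_samba_domain_names "$tmp/smb_good.conf" "$tmp/krb5.conf"  # silent, exit status 0
```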
