I am trying to get our prototype Linux workstation to allow users to see shares on our legacy Microsoft Windows 2000 Domain Server. I can find guides for setting up Samba as a Primary Domain Controller but I cannot seem to locate any good and expansive guide for setting up a Samba workstation and just joining the domain. Perhaps this is so trivial a process that no one thinks it requires such a guide.

We have user logins to that workstation using the existing Windows Domain controller for authentication but I cannot seem to unlock how to allow access to the shares. We have CUPS configured for the networked printers but I had to use the administrator's id and password to get that to work.

I am really looking for a comprehensive guide to the entire process from the CentOS workstation point of view and any pointers to such are earnestly sought. I found this site: http://linux.unimelb.edu.au/server/course/fc3/samba.html which seems to be fairly complete but I lack sufficient experience with Samba and Kerberos to determine exactly what this is telling me. I believe at this point that I should be using the "ADS security model" but I have no idea what a "kerberos realm" is (at least with respect to an existing Microsoft Domain). I also lack the knowledge of how to configure this portion of the setup so a guiding hand is most welcome.

Our fqdn for the Microsoft domain is "brockley.harte-lyne.ca"

I have set up the Samba server settings to this:

Basic:
  Workgroup: brockley
  Description: <fqhn of Linux workstation>

Security:
  Auth Mode: ADS
  Auth. Server: BRDC-01.Brockley.Harte-Lyne.ca
  Kerberos Realm: blank (and I cannot set it so that the setting is preserved)
  Encrypt Passwords: Yes
  Guest Account: No Guest Account

Regards,

-- 
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
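The "Kerberos realm" the ADS mode asks for is, for an Active Directory domain, simply the domain's DNS name in upper case. The script below is an added example (not from this thread or from the Samba project): it derives the realm from the thread's domain name and emits the [global] section of smb.conf and a krb5.conf for a domain member (not a PDC), in Samba 3 era syntax. The domain, DC name and winbind separator are the thread's values; the idmap range and template shell are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: derive the Kerberos realm of an AD
# domain and emit the [global] smb.conf and krb5.conf a domain *member*
# workstation needs (Samba 3 era syntax). Domain, DC and separator are
# the thread's values; the idmap range and template shell are assumptions.
# In Active Directory the Kerberos realm is the domain's DNS name in
# upper case: brockley.harte-lyne.ca -> BROCKLEY.HARTE-LYNE.CA
realm_from_domain() {
    printf '%s' "$1" | tr '[:lower:]' '[:upper:]'
}
# Domain-member configuration: the DC authenticates, winbind maps ids.
gen_smb_conf() {
    domain=$1 dc=$2 sep=$3
    realm=$(realm_from_domain "$domain")
    workgroup=$(realm_from_domain "${domain%%.*}")   # NetBIOS domain name
    cat <<EOF
[global]
   workgroup = $workgroup
   realm = $realm
   security = ads
   password server = $dc
   encrypt passwords = yes
   winbind separator = $sep
   winbind use default domain = no
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   template shell = /bin/bash
EOF
}
# krb5.conf so kinit/net ads can find the KDC (the DC) for that realm.
gen_krb5_conf() {
    domain=$1 dc=$2
    realm=$(realm_from_domain "$domain")
    cat <<EOF
[libdefaults]
   default_realm = $realm
[realms]
   $realm = {
      kdc = $dc
   }
[domain_realm]
   .$domain = $realm
   $domain = $realm
EOF
}
gen_smb_conf brockley.harte-lyne.ca BRDC-01.brockley.harte-lyne.ca _
gen_krb5_conf brockley.harte-lyne.ca BRDC-01.brockley.harte-lyne.ca
```

After installing the two files, the workstation is joined with `net ads join -U Administrator` and the join and winbind trust can be checked with `net ads testjoin` and `wbinfo -t`.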
James B. Byrne wrote:
> I am trying to get our prototype Linux workstation to allow users to see
> shares on our legacy Microsoft Windows 2000 Domain Server, I can find
> guides for setting up Samba as a Primary Domain Controller but I cannot
> seem to locate any good and expansive guide for setting up a samba
> workstation and just joining the domain. Perhaps this is so trivial a
> process no-one thinks that it requires such a guide.
>
> We have user logins to that workstation using the existing Windows Domain
> controller for authentication but I cannot seem to unlock how to allow
> access to the shares. We have CUPS configured to the networked printers
> but I had to use the administrator's id and password to get that to work.
>
> I am really looking for a comprehensive guide to the entire process from
> the CentOS workstation point of view and any pointers to such are
> earnestly sought. I found this site:
> http://linux.unimelb.edu.au/server/course/fc3/samba.html which seems to be
> fairly complete but I lack sufficient experience with samba and kerberos
> to determine exactly what this is telling me. I believe at this point
> that I should be using the "ADS security model" but I have no idea what a
> "kerberos realm" is (at least with respect to an existing Microsoft
> Domain). I also lack the knowledge of how to configure this portion of
> the set up so a guiding hand is most welcome.
>
> Our fqdn for the Microsoft domain is "brockley.harte-lyne.ca"
>
> I have set up the samba server setting to this:
>
> Basic: Workgroup: brockley Description: <fqhn of Linux workstation>
>
> Security: Auth Mode: ADS Auth. Server: BRDC-01.Brockley.Harte-Lyne.ca
> Kerberos Realm: blank (and I cannot set it so that the setting is
> preserved) Encrypt Passwords: Yes Guest Account: No Guest Account
>

Are you making sure that you re-start the Samba server after making any configuration changes? I'm only asking as this one has caused a few "Homer" moments for me (doh!).
Hello James,

I'm using a W2k AD domain spread across the whole country (not so big but ...), and users from AD are using Samba shares on CentOS 4 (single authentication). The best reading on how to solve this for me was http://www.brentnorris.net/samba2005.html . It has been working great for me for about 1 year, authenticating users from different locations and using different shares on some CentOS boxes (main file server).

Many thanks to both the CentOS team and Brent.

Regards
Blaž Bogataj
On Tue, September 26, 2006 18:38, TimJowers at Yahoo.Com wrote:
> Hi James,
> I'd like to know the configuration you have working. We can mount
> Windows shares but the SMB connection dialog seems to hang. Kill
> it and the drive is actually mounted. Still trying to master it myself.

I used authconfig to set the connection parameters on the Linux box to authenticate against the domain controllers using winbind. The detailed instructions can be found online here:

http://www.redmondmag.com/columns/article.asp?EditorialsID=858

This recipe sets up the Linux station to use Active Directory as the authentication system and so our users can log in on the station as brockley\username and use their domain password without problem. Users can also see all of the machines on the domain from within Nautilus but when they click on a machine to see its shares they get a permissions error. Apparently their Windows credentials are not supplied to Nautilus and the access mode set on the Windows NTFS5 side is equivalent to " root:root rwx------- ".

I would like to avoid having to statically mount the shares with explicitly assigned credentials but I cannot find any documentation on how to configure Nautilus or CentOS to use the login credentials to access available network shares dynamically. I suspect that this problem needs to be solved on the Windows side of things and I am presently reviewing the documentation at:

http://ca.samba.org/samba/docs/man/Samba-HOWTO-Collection/AccessControls.html#id2616824

to see if I can figure this stuff out sufficiently to get the domain shares visible to ordinary users of the Linux station. I have also read through the Microsoft documentation on SFU but I find it incredibly dense going.

http://www.microsoft.com/technet/interopmigration/unix/sfu/sfu3perm.mspx

Regards,
Jim

-- 
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Following along on my quest for Windows and Samba harmony, it seems to me that because we do not allow "everyone" access to our domain shares but restrict access to a special Windows security group, this might be at the "root" (pardon the pun) of my difficulties. It appears that "everyone" is the group membership that all Linux Samba "users" map to by default. So perhaps the answer lies in the smb.conf file and specifically in the entry "force group". Does anyone on the list have experience with using this technique and if so can they comment on it?

As it happens our security group name has both spaces and the character "&" in it, so if this is going to cause issues I would like to be informed about any group naming limitations as well.

Regards,
Jim

-- 
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
I altered the /etc/samba/smb.conf file to use '_' as the winbind separator character and assigned BROCKLEY_ADMINISTRATOR to the admin users:

--->
winbind separator = _
admin users = BROCKLEY_ADMINISTRATOR
<---

After a restart of the smb service (#service smb restart) I get this:

--->
# smbclient -L BRDC-01
Password: <cr>
Domain=[BROCKLEY] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]

        Sharename      Type      Comment
        ---------      ----      -------
        USERS$         Disk      Redirected User Folders
        PMAIL$         Disk      Pegasus E-Mail network depository
        imports.1      Printer   Duplex - XCap Tray
        IPC$           IPC       Remote IPC
        print$         Disk      Printer Drivers
        exports.1      Printer   HP LaserJet 4 P1
        NETLOGON       Disk      Logon server share
        QB$            Disk      QuickBooks Financial Data Share
        UPLOAD$        Disk      General file depository
        PROFILES$      Disk      Roaming Profiles Folder
        UPLOAD         Disk      General File Depository
        ADMIN$         Disk      Remote Admin
        SYSVOL         Disk      Logon server share
        C$             Disk      Default share
        imports.3      Printer   HP LaserJet 2100 P03
        imports.2      Printer   HP LaserJet 2100 P02
Domain=[BROCKLEY] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]

        Server               Comment
        ---------            -------
        BRDC-01              Primary Domain Contoller
        BRDC-02              Secondary Domain Cintroller
        BRMS-02              Administration
        BRWS-09              Accounting
        BRWS-11              Exports
        BRWS-14              Administration
        BRWS-15              Imports
        BRWS-16              Imports
        BRWS-17              ... snip
        BRWS-LX-01           BRWS-LX-01.brockley.harte-lyne.ca
        BRWS-MW-19

        Workgroup            Master
        ---------            -------
        BROCKLEY             BRDC-01
[root at BRWS-LX-01 etc]# mount -t smbfs //brdc-01/upload$ /ms-win/shares -U brockley_byrnejb
mount: bad UUID
<---

So, a bad UUID tells me that I am not getting a UUID from the PDC and that the one being provided by the smbclient is meaningless. So, how do I obtain an appropriate UUID/GUID assigned to look at these shares?

-- 
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
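A note on the "bad UUID" message in the post above: `-U` is an option of mount(8) itself, meaning "mount the filesystem with this UUID"; it is smbclient, not mount, that takes `-U user`, so mount tried to parse brockley_byrnejb as a UUID. The smbfs user name belongs in `-o username=` or, better, in a credentials file, which also keeps the password out of the command line and `ps`. The helper below is an added example, not from the thread or from the Samba project; the share and mount point are the thread's, the credentials file path is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: mount a domain share using a
# credentials file so the password never appears in argv or `ps`.
# Share and mount point are the thread's; the credentials path is assumed.

# Write username/password/workgroup into a file created 0600 (umask in a
# subshell so the caller's umask is untouched). Password read from stdin.
write_creds() {
    creds=$1 domain=$2 user=$3
    ( umask 077
      IFS= read -r pass || exit 1
      printf 'username=%s\npassword=%s\nworkgroup=%s\n' \
          "$user" "$pass" "$domain" > "$creds" )
}

# Build the mount command. mount(8)'s -U means "mount by filesystem UUID",
# which is why `mount -t smbfs ... -U user` fails with "bad UUID": the
# user belongs in -o username= or, better, in the credentials file.
mount_cmd() {
    creds=$1 share=$2 mountpoint=$3
    case "$share" in
        //*/*) ;;
        *) echo "share must look like //server/share: $share" >&2; return 1 ;;
    esac
    printf 'mount -t smbfs -o credentials=%s %s %s\n' "$creds" "$share" "$mountpoint"
}
```

Typical use: `printf '%s\n' "$PASSWORD" | write_creds /root/.smbcreds BROCKLEY byrnejb` followed by running the line that `mount_cmd /root/.smbcreds '//brdc-01/upload$' /ms-win/shares` prints.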