Hi Samba users,

We have a Samba 3 system we use as a NAS for a Windows AD setup, but we are having serious issues with the AD integration. Has anyone any tips or tricks for the AD Windows 2008R2 / Samba integration?

We basically can't add groups or users to the share from the AD DC. We just get access denied even if we make the domain admins and current user the owner of the share. We have tried various configs and the below seems to get us part of the way.

I would appreciate any suggestions from you guys :-)

[global]
log file = /var/log/samba/log.%m
winbind nss info = rfc2307
load printers = yes
idmap gid = 10000-30000
# winbind trusted domains only = yes
encrypt passwords = yes
realm = "DOMAIN removed for security reasons"
# winbind use default domain = yes
passdb backend = tdbsam
cups options = raw
netbios name = sfnas02
server string = Samba Server Version %v
idmap uid = 10000-30000
workgroup = "DOMAIN removed for security reasons"
os level = 20
security = ADS
max log size = 50
winbind enum users = yes
winbind enum groups = yes

winbind nested groups = Yes
vfs objects = acl_xattr
acl_xattr:ignore system acls = yes
map acl inherit = Yes
store dos attributes = Yes
acl group control = Yes
acl map full control = Yes
On Wed, 2013-12-04 at 10:38 +0000, paul harford wrote:
> Hi Samba users
> we have a samba 3 system we use as a NAS for a windows AD setup but we are
> having serious issues with the ad integration.

Hi
Have you joined the NAS to the domain? Do you have a keytab on the NAS which contains its machine key?

> has anyone any tips or trick for the AD windows 2008r2/ samba integration ?
>
> we basically can't add groups or users to the share from the AD dc. we just
> get access denied even if we make the domain admins and current user the
> owner of the share. we have tried various configs and the below seems to
> get us part of the way.

Not sure if I understand. You would add files to a share, not users or groups. Do you mean that you wish only certain users or groups to access the files in the share?

If so, which share? Your config doesn't seem to have any shares which users would access.

> i would appreciate any suggestions for you guys :-)

Which version of Samba do you have on the NAS? I think the first thing we must do is get the NAS properly joined to the domain, but almost certainly we'll have to revise your smb.conf.

HTH. To get us started at least.
Steve

> [global]
> [...]
On 04/12/13 11:40, paul harford wrote:
> Hi Rowland
> Thanks for your reply, I did play around with a similar config (see
> below in email) but it didn't seem to make much difference, which is
> why I reverted to the one I included; it seemed to allow me to do more
> but not everything I needed.
>
> When I do wbinfo -u and -g all looks good; when I do getent passwd I
> can see all the users and the same for groups.
>
> At the moment we just have a test share but basically there will be
> user shares on the NAS and we want to restrict the share to certain
> users and groups etc.
>
> [global]
> workgroup = Domain Name
> security = ADS
> realm = Domain Name.int
> encrypt passwords = yes
>
> idmap config *:backend = tdb
> idmap config *:range = 70001-80000
> idmap config Domain Name:backend = ad
> idmap config Domain Name:schema_mode = rfc2307
> idmap config Domain Name:range = 500-40000
>
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
>
> log file = /var/log/samba/log.%m
> # passdb backend = tdbsam
> netbios name = system name
> server string = Samba Server Version %v
> os level = 20
> max log size = 50
>
> On 4 December 2013 11:33, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>
>> On 04/12/13 10:59, steve wrote:
>>> On Wed, 2013-12-04 at 10:38 +0000, paul harford wrote:
>>> [...]
>>
>> Hi, I am with Steve here, more info needed, it would seem that
>> your samba 3 is either very old or setup incorrectly, for instance
>> with a late 3.6 setup I would expect the winbind part to look
>> similar to this:
>>
>> winbind enum groups = yes
>> winbind use default domain = yes
>> winbind expand groups = 4
>> winbind nss info = rfc2307
>> winbind refresh tickets = Yes
>> winbind offline logon = yes
>> winbind normalize names = Yes
>> idmap config DOMAIN:schema_mode = rfc2307
>> idmap config DOMAIN:range = 10000-30000
>> idmap config DOMAIN:backend = ad
>> idmap config *:range = 1100-2000
>> idmap config *:backend = tdb
>>
>> With this and uidNumbers & gidNumbers in AD, the AD users and
>> groups should be able to connect.
>>
>> Rowland
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba

Can you please tell us what version of Samba you are using (smbd -V) and also post a (sanitized) getent for a user.

Rowland
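Added here as an illustration of the idmap ranges Paul and Rowland are comparing above; it is a small Python checker written for this page, not code from the thread or from Samba. It parses the idmap config lines of an smb.conf, reports ranges that overlap between the default (*) backend and the AD domain, and flags ranges that reach below an assumed floor of 1000 for local accounts; the domain name EXAMPLE is a placeholder.

```python
import re

# Constructed sample: the idmap settings Paul posted in this thread, with the
# domain name replaced by the placeholder EXAMPLE (not a real domain).
SMB_CONF = """[global]
   workgroup = EXAMPLE
   security = ADS
   idmap config *:backend = tdb
   idmap config *:range = 70001-80000
   idmap config EXAMPLE:backend = ad
   idmap config EXAMPLE:schema_mode = rfc2307
   idmap config EXAMPLE:range = 500-40000
"""

# Matches "idmap config <domain>:<key> = <value>"; domain names may contain spaces.
IDMAP_RE = re.compile(r"^\s*idmap config\s+([^:]+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf):
    """Return {domain: {key: value}} for every idmap config line in smb.conf text."""
    settings = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            settings.setdefault(m.group(1), {})[m.group(2).lower()] = m.group(3)
    return settings

def check_idmap(conf, min_domain_id=1000):
    """Findings: missing '*' default, missing backend/range, ranges starting below
    min_domain_id (an assumed floor for local accounts) and overlapping ranges."""
    findings, ranges = [], {}
    domains = parse_idmap(conf)
    if "*" not in domains:
        findings.append("no 'idmap config *' default backend/range")
    for dom, cfg in domains.items():
        if "backend" not in cfg:
            findings.append(f"{dom}: no backend configured")
        if "range" not in cfg:
            findings.append(f"{dom}: no range configured")
            continue
        lo, hi = (int(x) for x in cfg["range"].replace(" ", "").split("-"))
        ranges[dom] = (lo, hi)
        if lo < min_domain_id:
            findings.append(f"{dom}: range {lo}-{hi} starts below {min_domain_id}, may collide with local accounts")
    names = sorted(ranges)  # every UID/GID must fall in exactly one domain's range
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append(f"ranges of {a} ({alo}-{ahi}) and {b} ({blo}-{bhi}) overlap")
    return findings
```

Run check_idmap against the real smb.conf text; Rowland's suggested 1100-2000 / 10000-30000 split produces no findings, while Paul's 500-40000 domain range is flagged.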
On Wed, 2013-12-04 at 11:04 +0000, paul harford wrote:
> Hi Steve
> Yes the nas is joined to the domain. When i do wbinfo -u and -g all
> looks good when i do getent passwd i can see all the users and the
> same for groups.
>
> i didn't stick up the share config but its listed below
>
> [tshare]
> valid users = @"Domain removed\domain admins",@"Domain removed\domain users"
> path = /testpool/tshare
> write list = @"Domain removed\domain admins",@"Domain removed\domain users"
>
> This was just a test share but basically there will be user share on
> the NAS and we want to restrict the share to certain users and groups
> etc
>
> haven't heard of the keytab before can you explain ?
>
> Thanks for the response its appreciated
>
> Paul

Hi
Phew. AD, Kerberos and keytabs would need a whole book to describe, but basically, with Kerberos, not only does the user have to prove himself, but also the machine on which he is working has to too. Hence the keytab, which must contain the machine key. This can be produced when the machine is joined to the domain or, if you forgot, afterwards as outlined below.

Add to smb.conf:
kerberos method = system keytab

now issue:
net ads keytab create -UAdministrator
and enter the Windows Administrator password.

That should get us to the next stage or give errors which will help us further.

Meanwhile, what does /etc/krb5.conf look like?

Cheers,
Steve
Hi Steve

I did a net ads join -U "username" and that worked fine. I have also added what you mentioned above; all went OK, no errors.

Samba version is 3.6.9.

krb5.conf is as follows:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = domain name.INT

[realms]
domain name.INT = {
default_domain = domain name.INT
kdc = dc01.domain name.int:88
admin_server = dc01.domain name.int:749
}

[domain_realm]
domain name.int = DOMAIN NAME.INT

I was searching around and, as you said, it's a whole big world of pain when trying to use AD and Kerberos.

Thanks again for your help
Paul

On 4 December 2013 11:14, steve <steve at steve-ss.com> wrote:
> [...]
Hi Steve

I've just noticed, after making the changes you mentioned, that getent passwd doesn't return the list of domain users now; neither does getent groups.

wbinfo -u and -g both still return the list of domain users and groups.

Paul

On 4 December 2013 11:14, steve <steve at steve-ss.com> wrote:
> [...]
For good info about this look here:
http://www.danbishop.org/2012/06/02/ubuntu-12-04-ultimate-server-guide/
and here:
http://blog.scottlowe.org/2007/07/09/linux-ad-integration-with-windows-server-2008/
These were very useful for me.

Louis

>-----Original message-----
>From: harfordmeister at gmail.com
>[mailto:samba-bounces at lists.samba.org] On behalf of paul harford
>Sent: Wednesday 4 December 2013 14:45
>To: steve; samba at lists.samba.org
>Subject: Re: [Samba] W2k8r2 and samba 3 integration
>
>Hi Steve
>i've just noticed after making the changes you mentioned the getent passwd
>doesn't return the list of domain users now neither does getent groups
>
>wbinfo - u and -g booth still return the list of domain users and groups
>
>Paul
>
>On 4 December 2013 11:14, steve <steve at steve-ss.com> wrote:
>> [...]