Jason Long
2014-Dec-27 11:55 UTC
[Samba] Use Samba with ACL for read Active Directory and set Permissions via it.
You're right. I joined my Linux box into the Windows domain. Of course. I attached my "smb.conf". Can you see it?
On Saturday, December 27, 2014 3:36 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
On 27/12/14 06:44, Jason Long wrote:
> Thank you so much.
> No, I'm not. I joined my linux to Windows domain because of AD. I can define some users in my Linux and Windows clients use it to open share and ... but my problem is that I have a lot of users and groups and Redefine all of them in Linux is a little silly :(. I joined my Linux to Windows domain because of use AD users and groups.
>
> About your question :
> "Where did you setup the password for 'jasondomain\jason'? Again, if you
> didn't set a password, more modern versions of windows won't allow you to
> login (or attach a share) remotely."
>
> I must say that "jason" is defined in AD on Windows OS and I use it for login into Linux.
>
> "You don't say what happens when you try to open 'test'. You say it can't let you? What error message does it give you? "
> It don't show me any error and just show Login Windows again :(.
>
> On Friday, December 26, 2014 2:35 PM, Linda W <samba at tlinx.org> wrote:
> Jason Long wrote:
>> Hello Folks.
>> How are you?
>>
>> I joined my CentOS into Windows Domain and I want to give Permission to files and Directory via Active Directory. When I use "getent passwd" and "getent group", I can see All AD users and Groups. I use below command to give Permission to a Folder via ACL :
>>
>> setfacl -m g:"jasondomain\jason-rw":rwx /home/local/jasondomain/jason/test
>>
>> and I create a part for my "smb.conf" file :
>>
>> [Test]
>> comment = test
>> path = /home/local/jasondomain/jason/test
>> browsable = yes
>> inherit acls = yes
>> inherit permissions = yes
>> inherit owner = yes
>> map acl inherit = yes
>> acl check permissions = yes
>> nt acl support = yes
>> #valid users = %D\%S
>> #write list = @jasondomain\domain^admins
>> read only = no
>>
>> but when I browse the "Test" directory it ask me username and password and when I enter "jasondomain\jason" as username it can't let me to open the "Test" directory. What is the problem?
>>
> ----
>     Are you already logged into the server under different credentials,
> like 'WORKGROUP', jason (i.e. do you already have some shares mounted?)
>
> If I remember, Windows won't allow the same workstation to connect under
> two different user id's. If you already have something mounted from your
> workstation with different credentials, you need to close (unmount / unmap)
> those other connections.
>
> Where did you setup the password for 'jasondomain\jason'? Again, if you
> didn't set a password, more modern versions of windows won't allow you to
> login (or attach a share) remotely.
>
> You don't say what happens when you try to open 'test'. You say it can't let
> you? What error message does it give you?
OK, If I understand you correctly, you have setup samba on a Centos machine and joined it to a windows machine, is this correct ?
Could you post the entire smb.conf from your Centos machine.
Rowland
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Jason Long
2014-Dec-27 11:58 UTC
[Samba] Use Samba with ACL for read Active Directory and set Permissions via it.
Excuse me, if you looked at "smb.conf", you can understand that I changed my domain and account. I forgot to tell you.
Rowland Penny
2014-Dec-27 12:12 UTC
[Samba] Use Samba with ACL for read Active Directory and set Permissions via it.
On 27/12/14 11:55, Jason Long wrote:
> You right. I joined my Linux box into Windows domain.
> Of course. I attached my "smb.conf". Can you see it?

OK, after wading through all the un-needed lines, I got this:

[global]
    workgroup = MYGROUP
    server string = Samba Server Version %v
    # logs split per machine
    log file = /var/log/samba/log.%m
    # max 50KB per log file, then rotate
    max log size = 50
    security = user
    passdb backend = tdbsam
    load printers = yes
    cups options = raw

[homes]
    comment = Home Directories
    browseable = no
    writable = yes

[printers]
    comment = All Printers
    path = /var/spool/samba
    browseable = no
    guest ok = no
    writable = no
    printable = yes

[Test]
comment = Public Stuff
path = /home/local/HAMSHAHRY/jokar/test/
browsable = yes
inherit acls = yes
inherit permissions = yes
inherit owner = yes
map acl inherit = yes
acl check permissions = yes
nt acl support = yes
read only = no

Try changing 'security = user' to 'security = ads' and adding the required winbind & idmap lines, see:

https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server

Yes, I know it says 'member server', but you can use it for a client as well.

Rowland
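The change suggested in the reply above, as a small added checker (not code from the thread or from the Samba project): it reads the [global] section of an smb.conf and reports whether the security mode, realm and idmap lines are present. POSTED is trimmed from the configuration shown in the thread; the realm, domain name, rid backend and ID ranges in CORRECTED are assumed placeholders.

```python
import re

# [global] from the smb.conf posted in the thread, trimmed to the relevant keys.
POSTED = """[global]
    workgroup = MYGROUP
    security = user
    passdb backend = tdbsam
"""

# Constructed counterpart: realm, domain name, rid backend and ranges are assumed.
CORRECTED = """[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    security = ads
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config EXAMPLE : backend = rid
    idmap config EXAMPLE : range = 10000-999999
"""

IDMAP_KEY = re.compile(r"^idmap config (\S+) ?: ?(backend|range)$")

def load_global(text):  # [global] parameters, keys lower-cased and space-collapsed
    params, section = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def check_ad_member(text):
    """List what is missing for winbind to map AD users; [] means none found."""
    g, findings, idmap = load_global(text), [], {}
    if g.get("security", "user") != "ads":
        findings.append("security is not 'ads': logins use the local passdb")
    if "realm" not in g:
        findings.append("realm is not set")
    for key, value in g.items():
        if (m := IDMAP_KEY.match(key)):
            idmap.setdefault(m.group(1), {})[m.group(2)] = value
    for name in ("*", g.get("workgroup", "").lower()):
        missing = {"backend", "range"} - set(idmap.get(name, {}))
        if missing:
            findings.append(f"idmap config {name}: no {', '.join(sorted(missing))}")
    ranges = sorted(tuple(map(int, d["range"].split("-"))) for d in idmap.values() if "range" in d)
    if any(lo <= prev_hi for (_, prev_hi), (lo, _) in zip(ranges, ranges[1:])):
        findings.append("idmap ranges overlap")
    return findings

if __name__ == "__main__":
    print("posted:", check_ad_member(POSTED), "\ncorrected:", check_ad_member(CORRECTED))
```

The checker covers only these [global] basics; `testparm` remains the tool for validating the full file.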
Jason Long
2014-Dec-27 14:18 UTC
[Samba] Use Samba with ACL for read Active Directory and set Permissions via it.
Thank you so much. I changed my "smb.conf" and "password-auth-ac". I attached the two files for you so you can see them.
My problem is not solved :( and the login window is shown and does not accept my username and password; I attached it too. I paste my "fstab" file here and, as you see, "acl" is enabled for "root":

#
# /etc/fstab
# Created by anaconda on Wed Dec 24 10:02:57 2014
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
/dev/mapper/vg_print-lv_root /                       ext4    acl,defaults    1 1
UUID=9ad25e0f-4f1a-4c6a-a419-98a016fcc30d /boot      ext4    defaults        1 2
/dev/mapper/vg_print-lv_swap swap                    swap    defaults        0 0
tmpfs                   /dev/shm                tmpfs   defaults        0 0
devpts                  /dev/pts                devpts  gid=5,mode=620  0 0
sysfs                   /sys                    sysfs   defaults        0 0
proc                    /proc                   proc    defaults        0 0

I paste "getfacl" for the test directory here:

getfacl test/
# file: test/
# owner: jasondomain\134jason
# group: jasondomain\134grp-jason-rw
user::rwx
group::r-x
group:jasondomain\134grp-jason-rw:rwx
mask::rwx
other::r-x

After changing "password-auth-ac", when I want to restart the "winbind" server it shows me an error as below:

# service smb restart
Shutting down SMB services:                                [  OK  ]
Starting SMB services:                                     [  OK  ]
# service winbind restart
Shutting down Winbind services:                            [FAILED]
Starting Winbind services:                                 [  OK  ]

In your opinion, what is the problem?