Jason Long
2014-Dec-27 14:18 UTC
[Samba] Use Samba with ACL for read Active Directory and set Permissions via it.
Thank you so much.
I changed my "smb.conf" and "password-auth-ac". I attached two files for you and you can see them. My problem is not solved :( and the login window is shown and does not accept my username and password; I attached it too.
I paste my "fstab" file here, and as you see, "acl" is enabled for "root":

#
# /etc/fstab
# Created by anaconda on Wed Dec 24 10:02:57 2014
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
/dev/mapper/vg_print-lv_root              /         ext4    acl,defaults    1 1
UUID=9ad25e0f-4f1a-4c6a-a419-98a016fcc30d /boot     ext4    defaults        1 2
/dev/mapper/vg_print-lv_swap              swap      swap    defaults        0 0
tmpfs                                     /dev/shm  tmpfs   defaults        0 0
devpts                                    /dev/pts  devpts  gid=5,mode=620  0 0
sysfs                                     /sys      sysfs   defaults        0 0
proc                                      /proc     proc    defaults        0 0

I paste "getfacl" for the test directory here:

getfacl test/
# file: test/
# owner: jasondomain\134jason
# group: jasondomain\134grp-jason-rw
user::rwx
group::r-x
group:jasondomain\134grp-jason-rw:rwx
mask::rwx
other::r-x

After changing "password-auth-ac", when I want to restart the "winbind" server it shows me an error as below:

#service smb restart
Shutting down SMB services:                                [  OK  ]
Starting SMB services:                                     [  OK  ]
# service winbind restart
Shutting down Winbind services:                            [FAILED]
Starting Winbind services:                                 [  OK  ]

In your opinion what is the problem?

On Saturday, December 27, 2014 4:12 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:

On 27/12/14 11:55, Jason Long wrote:
> You are right. I joined my Linux box into the Windows domain.
> Of course. I attached my "smb.conf". Can you see it?
>
> On Saturday, December 27, 2014 3:36 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>
> On 27/12/14 06:44, Jason Long wrote:
> > Thank you so much.
> > No, I'm not. I joined my Linux to the Windows domain because of AD. I can define some users in my Linux and Windows clients use them to open shares and ... but my problem is that I have a lot of users and groups, and redefining all of them in Linux is a little silly :(. I joined my Linux to the Windows domain in order to use AD users and groups.
> >
> > About your question:
> > "Where did you setup the password for 'jasondomain\jason'? Again, if you
> > didn't set a password, more modern versions of windows won't allow you to
> > login (or attach a share) remotely."
> >
> > I must say that "jason" is defined in AD on Windows OS and I use it to log in to Linux.
> >
> > "You don't say what happens when you try to open 'test'. You say it can't let you? What error message does it give you?"
> > It doesn't show me any error and just shows the login window again :(.
> >
> > On Friday, December 26, 2014 2:35 PM, Linda W <samba at tlinx.org> wrote:
> > Jason Long wrote:
> >> Hello Folks.
> >> How are you?
> >>
> >> I joined my CentOS into the Windows domain and I want to give permissions to files and directories via Active Directory. When I use "getent passwd" and "getent group", I can see all AD users and groups. I use the command below to give permission to a folder via ACL:
> >>
> >> setfacl -m g:"jasondomain\jason-rw":rwx /home/local/jasondomain/jason/test
> >>
> >> and I created a part for my "smb.conf" file:
> >>
> >> [Test]
> >> comment = test
> >> path = /home/local/jasondomain/jason/test
> >> browsable = yes
> >> inherit acls = yes
> >> inherit permissions = yes
> >> inherit owner = yes
> >> map acl inherit = yes
> >> acl check permissions = yes
> >> nt acl support = yes
> >> #valid users = %D\%S
> >> #write list = @jasondomain\domain^admins
> >> read only = no
> >>
> >> but when I browse the "Test" directory it asks me for a username and password, and when I enter "jasondomain\jason" as the username it can't let me open the "Test" directory. What is the problem?
> > ----
> > Are you already logged into the server under different credentials,
> > like 'WORKGROUP', jason (i.e. do you already have some shares mounted?)
> >
> > If I remember, Windows won't allow the same workstation to connect under
> > two different user id's. If you already have something mounted from your
> > workstation with different credentials, you need to close (unmount / unmap)
> > those other connections.
> >
> > Where did you setup the password for 'jasondomain\jason'? Again, if you
> > didn't set a password, more modern versions of windows won't allow you to
> > login (or attach a share) remotely.
> >
> > You don't say what happens when you try to open 'test'. You say it can't let
> > you? What error message does it give you?
>
> OK, If I understand you correctly, you have setup samba on a Centos machine and joined it to a windows machine, is this correct ?
>
> Could you post the entire smb.conf from your Centos machine.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

OK, after wading through all the un-needed lines, I got this:

[global]
    workgroup = MYGROUP
    server string = Samba Server Version %v

    # logs split per machine
    log file = /var/log/samba/log.%m
    # max 50KB per log file, then rotate
    max log size = 50

    security = user
    passdb backend = tdbsam

    load printers = yes
    cups options = raw

[homes]
    comment = Home Directories
    browseable = no
    writable = yes

[printers]
    comment = All Printers
    path = /var/spool/samba
    browseable = no
    guest ok = no
    writable = no
    printable = yes

[Test]
comment = Public Stuff
path = /home/local/HAMSHAHRY/jokar/test/
browsable = yes
inherit acls = yes
inherit permissions = yes
inherit owner = yes
map acl inherit = yes
acl check permissions = yes
nt acl support = yes
read only = no

Try changing 'security = user' to 'security = ads' and adding the required winbind & idmap lines, see:
https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server

Yes, I know it says 'member server', but you can use it for a client as well.

Rowland
Rowland Penny
2014-Dec-27 15:01 UTC
[Samba] Use Samba with ACL for read Active Directory and set Permissions via it.
On 27/12/14 14:18, Jason Long wrote:
> Thank you so much.
> I changed my "smb.conf" and "password-auth-ac". I attached two files for you and you can see them. My problem is not solved :( and the login window is shown and does not accept my username and password; I attached it too.
> I paste my "fstab" file here, and as you see, "acl" is enabled for "root":
>
> #
> # /etc/fstab
> # Created by anaconda on Wed Dec 24 10:02:57 2014
> #
> # Accessible filesystems, by reference, are maintained under '/dev/disk'
> # See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
> #
> /dev/mapper/vg_print-lv_root              /         ext4    acl,defaults    1 1
> UUID=9ad25e0f-4f1a-4c6a-a419-98a016fcc30d /boot     ext4    defaults        1 2
> /dev/mapper/vg_print-lv_swap              swap      swap    defaults        0 0
> tmpfs                                     /dev/shm  tmpfs   defaults        0 0
> devpts                                    /dev/pts  devpts  gid=5,mode=620  0 0
> sysfs                                     /sys      sysfs   defaults        0 0
> proc                                      /proc     proc    defaults        0 0
>
> I paste "getfacl" for the test directory here:
>
> getfacl test/
> # file: test/
> # owner: jasondomain\134jason
> # group: jasondomain\134grp-jason-rw
> user::rwx
> group::r-x
> group:jasondomain\134grp-jason-rw:rwx
> mask::rwx
> other::r-x
>
> After changing "password-auth-ac", when I want to restart the "winbind" server it shows me an error as below:
>
> #service smb restart
> Shutting down SMB services:                                [  OK  ]
> Starting SMB services:                                     [  OK  ]
> # service winbind restart
> Shutting down Winbind services:                            [FAILED]
> Starting Winbind services:                                 [  OK  ]
>
> In your opinion what is the problem?

Hi, you seem to be using **four**, yes four different workgroup (also known as domain) names:

In smb.conf: MYGROUP & SAMDOM
When trying to login: jasondomain & WORKGROUP

They all need to be the same, you also need to add uidNumber's to your users and a gidNumber to at least 'Domain Users'

Rowland
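Added example (not part of the original thread and not Samba project code): a small Python check for the three things the replies in this thread point at, namely `security = ads`, a `workgroup` that matches the domain typed at login, and an `idmap config` line for that domain. `THREAD_CONF` reuses values quoted in the thread; `MEMBER_CONF`, its realm and its ID ranges are constructed placeholders, and the function names are hypothetical.

```python
import re

# Constructed sample: [global] values as quoted in the thread (trimmed).
THREAD_CONF = """
[global]
    workgroup = MYGROUP
    security = user
    passdb backend = tdbsam
"""

# Constructed sample of a domain-member [global]; realm and ranges are placeholders.
MEMBER_CONF = """
[global]
    workgroup = JASONDOMAIN
    realm = JASONDOMAIN.EXAMPLE
    security = ads
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config JASONDOMAIN : backend = ad
    idmap config JASONDOMAIN : range = 10000-999999
"""


def normalise(name):
    """smb.conf parameter names ignore case and extra whitespace."""
    name = re.sub(r"\s+", " ", name.strip().lower())
    return re.sub(r"\s*:\s*", " : ", name)


def parse_global(text):
    """Return the [global] parameters as {normalised name: value}."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[normalise(name)] = value.strip()
    return params


def check_member_conf(text, login_name):
    """List mismatches for a login typed as DOMAIN, backslash, user."""
    params = parse_global(text)
    domain = login_name.partition("\\")[0].upper()
    workgroup = params.get("workgroup", "").upper()
    findings = []
    if params.get("security", "").lower() != "ads":
        findings.append("security is not 'ads'")
    if workgroup != domain:
        findings.append(f"workgroup '{workgroup}' != login domain '{domain}'")
    if normalise(f"idmap config {domain} : backend") not in params:
        findings.append(f"no 'idmap config {domain} : backend' line")
    return findings


if __name__ == "__main__":
    for label, conf in (("thread", THREAD_CONF), ("member", MEMBER_CONF)):
        print(label, check_member_conf(conf, "jasondomain\\jason") or "ok")
```

On a real host, feed it the effective configuration printed by `testparm -s` rather than the raw file, so included files and defaults are resolved first.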
Jason Long
2014-Dec-28 08:47 UTC
[Samba] Use Samba with ACL for read Active Directory and set Permissions via it.
I never used four different workgroups or domains. My domain is "jasondomain", and as you can see in my last "smb.conf", it is. I changed "MYGROUP" to "jasondomain" but the problem is not solved.

On Saturday, December 27, 2014 7:02 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:

Hi, you seem to be using **four**, yes four different workgroup (also known as domain) names:

In smb.conf: MYGROUP & SAMDOM
When trying to login: jasondomain & WORKGROUP

They all need to be the same, you also need to add uidNumber's to your users and a gidNumber to at least 'Domain Users'

Rowland