samba - Dec 2014 - Use Samba with ACL for read Active Directory and set Permissions via it.

Thank you so much.

I changed "SAMDOM" to "jasondomain" and also "winbind
use default domain = no" but problem exist. int he photo that I sent, I
changed "WORKGROUP" to "jasondomain" too.
I have a question, My domain have a prefix with ".jj" and it is
"jasondomain.jj". I changed :


[global]
workgroup = JASONDOMAIN.JJ
server string = Samba Server Version %v
# logs split per machine
log file = /var/log/samba/log.%m
# max 50KB per log file, then rotate
max log size = 50
security = ads
passdb backend = tdbsam
load printers = yes
cups options = raw
idmap config *:backend = tdb
idmap config *:range = 70001-80000
#idmap config SAMDOM:backend = ad
idmap config JASONDOMAIN.JJ:backend = ad
idmap config JASONDOMAIN.JJ:schema_mode = rfc2307
idmap config JASONDOMAIN.JJ:range = 500-40000


Am I right? If yes, My problem not solved :(


about your question I must say that "No", I have not any
"jason" user in Linux machine.
Yes, I use "jasondomain\jason" for login into Linux machine and
"jason" is a user that defined in Windows Active Directory.


Thanks.





On Sunday, December 28, 2014 1:41 AM, Rowland Penny <rowlandpenny at
googlemail.com> wrote:
On 28/12/14 08:47, Jason Long wrote:
> I never used four different Workgroup or Domain. My domain is 
> "jasondomain" and as you see my last "smb.conf" it is.
I change
> "MYGROUP" to "jasondomain" but problem not solved.
>
>
> On Saturday, December 27, 2014 7:02 AM, Rowland Penny 
> <rowlandpenny at googlemail.com> wrote:
>
>
> On 27/12/14 14:18, Jason Long wrote:
> > Thank you so much.
> > I changed my "smb.conf" and "password-auth-ac". I
attached two file
> > for you and you can see them. My problem not solved :( and login
> > windows showed and not accept my username and password, I attached 
> it too.
> >  I paste my "fstab" file here and as you see the
"acl" is enabled for
> > "root" :
> >
> > #
> > # /etc/fstab
> > # Created by anaconda on Wed Dec 24 10:02:57 2014
> > #
> > # Accessible filesystems, by reference, are maintained under
'/dev/disk'
> > # See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more
> > info
> > #
> > /dev/mapper/vg_print-lv_root / ext4 acl,defaults        1 1
> > UUID=9ad25e0f-4f1a-4c6a-a419-98a016fcc30d /boot         ext4
> >  defaults        1 2
> > /dev/mapper/vg_print-lv_swap swap  swap defaults        0 0
> > tmpfs                  /dev/shm tmpfs  defaults
> >  0 0
> > devpts                  /dev/pts  devpts gid=5,mode=620  0 0
> > sysfs                  /sys sysfs  defaults
> >  0 0
> > proc                    /proc proc    defaults
> >  0 0
> >
> > I paste "getfacl" for test directory here :
> >
> > getfacl test/
> > # file: test/
> > # owner: jasondomain\134jason
> > # group: jasondomain\134grp-jason-rw
> > user::rwx
> > group::r-x
> > group:jasondomain\134grp-jason-rw:rwx
> > mask::rwx
> > other::r-x
> >
> > After change "password-auth-ac", When I want to restart
"winbind"
> > server it show me an error as below :
> >
> > #service smb restart
> > Shutting down SMB services:                    [ OK  ]
> > Starting SMB services:                          [ OK  ]
> > # service winbind restart
> > Shutting down Winbind services: [FAILED]
> > Starting Winbind services:                    [ OK  ]
> >
> >
> > In your opinion what is the problem?
> >
> >
> >
> > On Saturday, December 27, 2014 4:12 AM, Rowland Penny
> > <rowlandpenny at googlemail.com <mailto:rowlandpenny at
googlemail.com>>
> wrote:
> >
> >
> > On 27/12/14 11:55, Jason Long wrote:
> >> You right. I joined my Linux box into Windows domain.
> >> Of course. I attached my "smb.conf". Can you see it?
> >>
> >>
> >> On Saturday, December 27, 2014 3:36 AM, Rowland Penny
> >> <rowlandpenny at googlemail.com <mailto:rowlandpenny at
googlemail.com>>
> <mailto:rowlandpenny at googlemail.com 
> <mailto:rowlandpenny at googlemail.com>> wrote:
> >>
> >>
> >> On 27/12/14 06:44, Jason Long wrote:
> >>
> >> > Thank you so much.
> >> > No, I'm not. I joined my linux to Windows domain because
of AD. I
> >> can define some users in my Linux and Windows clients use it to
open
> >> share and ... but my problem is that I have a lot of users and
groups
> >> and Redefine all of them in Linux is a little silly :(. I joined
my
> >> Linux to Windows domain because of use AD users and groups.
> >> >
> >> > About your question :
> >> > "Where did you setup the password for
'jasondomain\jason'? Again,
> >> if you
> >> > didn't set a password, more modern versions of windows
won't allow
> >> you to
> >> > login (or attach a share) remotely."
> >> >
> >> > I must say that "jason" is defined in AD on Windows
OS and I use it
> >> for login into Linux.
> >> >
> >> >
> >> > "You don't say what happens when you try to open
'test'.  You say
> >> it can't let you?  What error message does it give you? "
> >> > It don't show me any error and just show Login Windows
again :(.
> >> >
> >> >
> >> >
> >> >
> >> > On Friday, December 26, 2014 2:35 PM, Linda W <samba at
tlinx.org
> <mailto:samba at tlinx.org>
> >> <mailto:samba at tlinx.org <mailto:samba at
tlinx.org>>> wrote:
> >> > Jason Long wrote:
> >> >> Hello Folks.
> >> >> How are you?
> >> >>
> >> >> I joined my CentOS into Windows Domain and I want to give
> >> Permission to files and Directory via Active Directory. When I use
> >> "getent passwd" and "getent group", I can see
All AD users and
> >> Groups. I use below command to give Permission to a Folder via ACL
:
> >> >>
> >> >> setfacl -m g:"jasondomain\jason-rw":rwx
> >> /home/local/jasondomain/jason/test
> >> >>
> >> >> and I create a part for my "smb.conf" file :
> >> >>
> >> >> [Test]
> >> >> comment = test
> >> >> path = /home/local/jasondomain/jason/test
> >> >> browsable = yes
> >> >> inherit acls = yes
> >> >> inherit permissions = yes
> >> >> inherit owner = yes
> >> >> map acl inherit = yes
> >> >> acl check permissions = yes
> >> >> nt acl support = yes
> >> >> #valid users = %D\%S
> >> >> #write list = @jasondomain\domain^admins
> >> >> read only = no
> >> >>
> >> >>
> >> >> but when I browse the "Test" directory it ask
me username and
> >> password and when I enter "jasondomain\jason" as
username it can't
> >> let me to open the "Test" directory. What is the
problem?
> >> >>
> >> > ----
> >> >      Are you already logged into the server under different
> >> credentials,
> >> > like 'WORKGROUP', jason (i.e. do you already have
some shares
> mounted?)
> >> >
> >> > If I remember, Windows won't allow the same workstation
to connect
> >> under
> >> > two different user id's.  If you already have something
mounted
> >> from your
> >> > workstation with different credentials, you need to close
(unmount
> >> / unmap)
> >> > those other connections.
> >> >
> >> > Where did you setup the password for
'jasondomain\jason'? Again,
> if you
> >> > didn't set a password, more modern versions of windows
won't allow
> >> you to
> >> > login (or attach a share) remotely.
> >> >
> >> > You don't say what happens when you try to open
'test'.  You say it
> >> >
> >> > can't let
> >> > you?  What error message does it give you?
> >>
> >>
> >> OK, If I understand you correctly, you have setup samba on a
Centos
> >> machine and joined it to a windows machine, is this correct ?
> >>
> >> Could you post the entire smb.conf from your Centos machine.
> >>
> >> Rowland
> >>
> >> --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions: https://lists.samba.org/mailman/options/samba
> >>
> >>
> >>
> > OK, after wading through all the un-needed lines, I got this:
> >
> > [global]
> >    workgroup = MYGROUP
> >    server string = Samba Server Version %v
> >    # logs split per machine
> >    log file = /var/log/samba/log.%m
> >    # max 50KB per log file, then rotate
> >    max log size = 50
> >    security = user
> >    passdb backend = tdbsam
> >    load printers = yes
> >    cups options = raw
> >
> > [homes]
> >    comment = Home Directories
> >    browseable = no
> >    writable = yes
> >
> > [printers]
> >    comment = All Printers
> >    path = /var/spool/samba
> >    browseable = no
> >    guest ok = no
> >    writable = no
> >    printable = yes
> >
> > [Test]
> > comment = Public Stuff
> > path = /home/local/HAMSHAHRY/jokar/test/
> > browsable = yes
> > inherit acls = yes
> > inherit permissions = yes
> > inherit owner = yes
> > map acl inherit = yes
> > acl check permissions = yes
> > nt acl support = yes
> > read only = no
> >
> > Try changing 'security = user' to 'security = ads' and
adding the
> > required winbind & idmap lines, see:
> > https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
> >
> > Yes, I know it says 'member server', but you can use it for a
client
> > as well.
> >
> > Rowland
> >
> >
> >
>
> Hi, you seem to be using **four**, yes four different workgroup (also
> known as domain) names:
> In smb.conf: MYGROUP & SAMDOM
> When trying to login: jasondomain & WORKGROUP
>
> They all need to be the same, you also need to add uidNumber's to your
> users and a gidNumber to at least 'Domain Users'
>
>
> Rowland
>
>
>
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
>
OK, in the last smb.conf you posted there are these lines:

workgroup = MYGROUP

idmap config SAMDOM:backend = ad
idmap config SAMDOM:schema_mode = rfc2307
idmap config SAMDOM:range = 500-40000

Also in samba-1.png:

Username: jasondomain\jason

domain:     WORKGROUP

I make that 4 workgroup names, ok you have changed MYGROUP, but what 
about SAMDOM ?

You also have 'winbind use default domain = yes' , because of this, you 
do not need to use 'jasondomain\jason', just 'jason' should
work.

Do you by any chance have a Unix user called 'jason' on the samba
machine ?

Also, when you try to login as 'jasondomain\jason' are you doing this on
the samba machine ?


Rowland

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

On 28/12/14 11:54, Jason Long wrote:
>
> Thank you so much.
>
> I changed "SAMDOM" to "jasondomain" and also
"winbind use default domain = no" but problem exist. int he photo that
I sent, I changed "WORKGROUP" to "jasondomain" too.
> I have a question, My domain have a prefix with ".jj" and it is
"jasondomain.jj". I changed :
>
>
> [global]
> workgroup = JASONDOMAIN.JJ
> server string = Samba Server Version %v
> # logs split per machine
> log file = /var/log/samba/log.%m
> # max 50KB per log file, then rotate
> max log size = 50
> security = ads
> passdb backend = tdbsam
> load printers = yes
> cups options = raw
> idmap config *:backend = tdb
> idmap config *:range = 70001-80000
> #idmap config SAMDOM:backend = ad
> idmap config JASONDOMAIN.JJ:backend = ad
> idmap config JASONDOMAIN.JJ:schema_mode = rfc2307
> idmap config JASONDOMAIN.JJ:range = 500-40000
>
>
> Am I right? If yes, My problem not solved :(
>
>
> about your question I must say that "No", I have not any
"jason" user in Linux machine.
> Yes, I use "jasondomain\jason" for login into Linux machine and
"jason" is a user that defined in Windows Active Directory.
>
>
> Thanks.
>
>
>
>
>
> On Sunday, December 28, 2014 1:41 AM, Rowland Penny <rowlandpenny at
googlemail.com> wrote:
> On 28/12/14 08:47, Jason Long wrote:
>> I never used four different Workgroup or Domain. My domain is
>> "jasondomain" and as you see my last "smb.conf" it
is. I change
>> "MYGROUP" to "jasondomain" but problem not solved.
>>
>>
>> On Saturday, December 27, 2014 7:02 AM, Rowland Penny
>> <rowlandpenny at googlemail.com> wrote:
>>
>>
>> On 27/12/14 14:18, Jason Long wrote:
>>> Thank you so much.
>>> I changed my "smb.conf" and "password-auth-ac".
I attached two file
>>> for you and you can see them. My problem not solved :( and login
>>> windows showed and not accept my username and password, I attached
>> it too.
>>>   I paste my "fstab" file here and as you see the
"acl" is enabled for
>>> "root" :
>>>
>>> #
>>> # /etc/fstab
>>> # Created by anaconda on Wed Dec 24 10:02:57 2014
>>> #
>>> # Accessible filesystems, by reference, are maintained under
'/dev/disk'
>>> # See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for
more
>>> info
>>> #
>>> /dev/mapper/vg_print-lv_root / ext4 acl,defaults        1 1
>>> UUID=9ad25e0f-4f1a-4c6a-a419-98a016fcc30d /boot         ext4
>>>   defaults        1 2
>>> /dev/mapper/vg_print-lv_swap swap  swap defaults        0 0
>>> tmpfs                  /dev/shm tmpfs  defaults
>>>   0 0
>>> devpts                  /dev/pts  devpts gid=5,mode=620  0 0
>>> sysfs                  /sys sysfs  defaults
>>>   0 0
>>> proc                    /proc proc    defaults
>>>   0 0
>>>
>>> I paste "getfacl" for test directory here :
>>>
>>> getfacl test/
>>> # file: test/
>>> # owner: jasondomain\134jason
>>> # group: jasondomain\134grp-jason-rw
>>> user::rwx
>>> group::r-x
>>> group:jasondomain\134grp-jason-rw:rwx
>>> mask::rwx
>>> other::r-x
>>>
>>> After change "password-auth-ac", When I want to restart
"winbind"
>>> server it show me an error as below :
>>>
>>> #service smb restart
>>> Shutting down SMB services:                    [ OK  ]
>>> Starting SMB services:                          [ OK  ]
>>> # service winbind restart
>>> Shutting down Winbind services: [FAILED]
>>> Starting Winbind services:                    [ OK  ]
>>>
>>>
>>> In your opinion what is the problem?
>>>
>>>
>>>
>>> On Saturday, December 27, 2014 4:12 AM, Rowland Penny
>>> <rowlandpenny at googlemail.com <mailto:rowlandpenny at
googlemail.com>>
>> wrote:
>>>
>>> On 27/12/14 11:55, Jason Long wrote:
>>>> You right. I joined my Linux box into Windows domain.
>>>> Of course. I attached my "smb.conf". Can you see it?
>>>>
>>>>
>>>> On Saturday, December 27, 2014 3:36 AM, Rowland Penny
>>>> <rowlandpenny at googlemail.com <mailto:rowlandpenny at
googlemail.com>>
>> <mailto:rowlandpenny at googlemail.com
>> <mailto:rowlandpenny at googlemail.com>> wrote:
>>>>
>>>> On 27/12/14 06:44, Jason Long wrote:
>>>>
>>>>> Thank you so much.
>>>>> No, I'm not. I joined my linux to Windows domain
because of AD. I
>>>> can define some users in my Linux and Windows clients use it to
open
>>>> share and ... but my problem is that I have a lot of users and
groups
>>>> and Redefine all of them in Linux is a little silly :(. I
joined my
>>>> Linux to Windows domain because of use AD users and groups.
>>>>> About your question :
>>>>> "Where did you setup the password for
'jasondomain\jason'? Again,
>>>> if you
>>>>> didn't set a password, more modern versions of windows
won't allow
>>>> you to
>>>>> login (or attach a share) remotely."
>>>>>
>>>>> I must say that "jason" is defined in AD on
Windows OS and I use it
>>>> for login into Linux.
>>>>>
>>>>> "You don't say what happens when you try to open
'test'.  You say
>>>> it can't let you?  What error message does it give you?
"
>>>>> It don't show me any error and just show Login Windows
again :(.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Friday, December 26, 2014 2:35 PM, Linda W <samba at
tlinx.org
>> <mailto:samba at tlinx.org>
>>>> <mailto:samba at tlinx.org <mailto:samba at
tlinx.org>>> wrote:
>>>>> Jason Long wrote:
>>>>>> Hello Folks.
>>>>>> How are you?
>>>>>>
>>>>>> I joined my CentOS into Windows Domain and I want to
give
>>>> Permission to files and Directory via Active Directory. When I
use
>>>> "getent passwd" and "getent group", I can
see All AD users and
>>>> Groups. I use below command to give Permission to a Folder via
ACL :
>>>>>> setfacl -m g:"jasondomain\jason-rw":rwx
>>>> /home/local/jasondomain/jason/test
>>>>>> and I create a part for my "smb.conf" file :
>>>>>>
>>>>>> [Test]
>>>>>> comment = test
>>>>>> path = /home/local/jasondomain/jason/test
>>>>>> browsable = yes
>>>>>> inherit acls = yes
>>>>>> inherit permissions = yes
>>>>>> inherit owner = yes
>>>>>> map acl inherit = yes
>>>>>> acl check permissions = yes
>>>>>> nt acl support = yes
>>>>>> #valid users = %D\%S
>>>>>> #write list = @jasondomain\domain^admins
>>>>>> read only = no
>>>>>>
>>>>>>
>>>>>> but when I browse the "Test" directory it ask
me username and
>>>> password and when I enter "jasondomain\jason" as
username it can't
>>>> let me to open the "Test" directory. What is the
problem?
>>>>> ----
>>>>>       Are you already logged into the server under
different
>>>> credentials,
>>>>> like 'WORKGROUP', jason (i.e. do you already have
some shares
>> mounted?)
>>>>> If I remember, Windows won't allow the same workstation
to connect
>>>> under
>>>>> two different user id's.  If you already have something
mounted
>>>> from your
>>>>> workstation with different credentials, you need to close
(unmount
>>>> / unmap)
>>>>> those other connections.
>>>>>
>>>>> Where did you setup the password for
'jasondomain\jason'? Again,
>> if you
>>>>> didn't set a password, more modern versions of windows
won't allow
>>>> you to
>>>>> login (or attach a share) remotely.
>>>>>
>>>>> You don't say what happens when you try to open
'test'.  You say it
>>>>>
>>>>> can't let
>>>>> you?  What error message does it give you?
>>>>
>>>> OK, If I understand you correctly, you have setup samba on a
Centos
>>>> machine and joined it to a windows machine, is this correct ?
>>>>
>>>> Could you post the entire smb.conf from your Centos machine.
>>>>
>>>> Rowland
>>>>
>>>> --
>>>> To unsubscribe from this list go to the following URL and read
the
>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>
>>>>
>>>>
>>> OK, after wading through all the un-needed lines, I got this:
>>>
>>> [global]
>>>     workgroup = MYGROUP
>>>     server string = Samba Server Version %v
>>>     # logs split per machine
>>>     log file = /var/log/samba/log.%m
>>>     # max 50KB per log file, then rotate
>>>     max log size = 50
>>>     security = user
>>>     passdb backend = tdbsam
>>>     load printers = yes
>>>     cups options = raw
>>>
>>> [homes]
>>>     comment = Home Directories
>>>     browseable = no
>>>     writable = yes
>>>
>>> [printers]
>>>     comment = All Printers
>>>     path = /var/spool/samba
>>>     browseable = no
>>>     guest ok = no
>>>     writable = no
>>>     printable = yes
>>>
>>> [Test]
>>> comment = Public Stuff
>>> path = /home/local/HAMSHAHRY/jokar/test/
>>> browsable = yes
>>> inherit acls = yes
>>> inherit permissions = yes
>>> inherit owner = yes
>>> map acl inherit = yes
>>> acl check permissions = yes
>>> nt acl support = yes
>>> read only = no
>>>
>>> Try changing 'security = user' to 'security = ads'
and adding the
>>> required winbind & idmap lines, see:
>>> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>>>
>>> Yes, I know it says 'member server', but you can use it for
a client
>>> as well.
>>>
>>> Rowland
>>>
>>>
>>>
>> Hi, you seem to be using **four**, yes four different workgroup (also
>> known as domain) names:
>> In smb.conf: MYGROUP & SAMDOM
>> When trying to login: jasondomain & WORKGROUP
>>
>> They all need to be the same, you also need to add uidNumber's to
your
>> users and a gidNumber to at least 'Domain Users'
>>
>>
>> Rowland
>>
>>
>>
>> -- 
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>>
>>
> OK, in the last smb.conf you posted there are these lines:
>
> workgroup = MYGROUP
>
> idmap config SAMDOM:backend = ad
> idmap config SAMDOM:schema_mode = rfc2307
> idmap config SAMDOM:range = 500-40000
>
> Also in samba-1.png:
>
> Username: jasondomain\jason
>
> domain:     WORKGROUP
>
> I make that 4 workgroup names, ok you have changed MYGROUP, but what
> about SAMDOM ?
>
> You also have 'winbind use default domain = yes' , because of this,
you
> do not need to use 'jasondomain\jason', just 'jason' should
work.
>
> Do you by any chance have a Unix user called 'jason' on the samba
machine ?
>
> Also, when you try to login as 'jasondomain\jason' are you doing
this on
> the samba machine ?
>
>
> Rowland
>
OK, I am 99% sure that you cannot have a dot in a workgroup name.

As to logging into the machine, I meant are you trying to connect to a 
share on the linux machine from the linux machine.

What I would do is, install the OpenSSH server on the linux machine, 
install 'PUTTY' on a windows machine and try to login via
'PUTTY' and
use the SSH protocol.

Rowland

Thank you so much.
Thus I must change "idmap config JASONDOMAIN.JJ:backend = ad " to
"idmap config JASONDOMAIN:backend = ad".
How about Workgroup? is must change "JASONDOMAIN" too?
About your question I must say that I Test this share via Linux too and Windows
and Linux has same problem.

About "What I would do is, install the OpenSSH server on the linux machine,
install 'PUTTY' on a windows machine and try to login via
'PUTTY' and use the SSH protocol." , You mean is that Windows
clients use SSH to work with this directory? I want to made this Linux Box as a
File server and Windows Clients need graphical browser to copy and paste file
into this directory!!!!!!!
What is your idea?

Thanks.





On Sunday, December 28, 2014 4:16 AM, Rowland Penny <rowlandpenny at
googlemail.com> wrote:
On 28/12/14 11:54, Jason Long wrote:
>
> Thank you so much.
>
> I changed "SAMDOM" to "jasondomain" and also
"winbind use default domain = no" but problem exist. int he photo that
I sent, I changed "WORKGROUP" to "jasondomain" too.
> I have a question, My domain have a prefix with ".jj" and it is
"jasondomain.jj". I changed :
>
>
> [global]
> workgroup = JASONDOMAIN.JJ
> server string = Samba Server Version %v
> # logs split per machine
> log file = /var/log/samba/log.%m
> # max 50KB per log file, then rotate
> max log size = 50
> security = ads
> passdb backend = tdbsam
> load printers = yes
> cups options = raw
> idmap config *:backend = tdb
> idmap config *:range = 70001-80000
> #idmap config SAMDOM:backend = ad
> idmap config JASONDOMAIN.JJ:backend = ad
> idmap config JASONDOMAIN.JJ:schema_mode = rfc2307
> idmap config JASONDOMAIN.JJ:range = 500-40000
>
>
> Am I right? If yes, My problem not solved :(
>
>
> about your question I must say that "No", I have not any
"jason" user in Linux machine.
> Yes, I use "jasondomain\jason" for login into Linux machine and
"jason" is a user that defined in Windows Active Directory.
>
>
> Thanks.
>
>
>
>
>
> On Sunday, December 28, 2014 1:41 AM, Rowland Penny <rowlandpenny at
googlemail.com> wrote:
> On 28/12/14 08:47, Jason Long wrote:
>> I never used four different Workgroup or Domain. My domain is
>> "jasondomain" and as you see my last "smb.conf" it
is. I change
>> "MYGROUP" to "jasondomain" but problem not solved.
>>
>>
>> On Saturday, December 27, 2014 7:02 AM, Rowland Penny
>> <rowlandpenny at googlemail.com> wrote:
>>
>>
>> On 27/12/14 14:18, Jason Long wrote:
>>> Thank you so much.
>>> I changed my "smb.conf" and "password-auth-ac".
I attached two file
>>> for you and you can see them. My problem not solved :( and login
>>> windows showed and not accept my username and password, I attached
>> it too.
>>>   I paste my "fstab" file here and as you see the
"acl" is enabled for
>>> "root" :
>>>
>>> #
>>> # /etc/fstab
>>> # Created by anaconda on Wed Dec 24 10:02:57 2014
>>> #
>>> # Accessible filesystems, by reference, are maintained under
'/dev/disk'
>>> # See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for
more
>>> info
>>> #
>>> /dev/mapper/vg_print-lv_root / ext4 acl,defaults        1 1
>>> UUID=9ad25e0f-4f1a-4c6a-a419-98a016fcc30d /boot         ext4
>>>   defaults        1 2
>>> /dev/mapper/vg_print-lv_swap swap  swap defaults        0 0
>>> tmpfs                  /dev/shm tmpfs  defaults
>>>   0 0
>>> devpts                  /dev/pts  devpts gid=5,mode=620  0 0
>>> sysfs                  /sys sysfs  defaults
>>>   0 0
>>> proc                    /proc proc    defaults
>>>   0 0
>>>
>>> I paste "getfacl" for test directory here :
>>>
>>> getfacl test/
>>> # file: test/
>>> # owner: jasondomain\134jason
>>> # group: jasondomain\134grp-jason-rw
>>> user::rwx
>>> group::r-x
>>> group:jasondomain\134grp-jason-rw:rwx
>>> mask::rwx
>>> other::r-x
>>>
>>> After change "password-auth-ac", When I want to restart
"winbind"
>>> server it show me an error as below :
>>>
>>> #service smb restart
>>> Shutting down SMB services:                    [ OK  ]
>>> Starting SMB services:                          [ OK  ]
>>> # service winbind restart
>>> Shutting down Winbind services: [FAILED]
>>> Starting Winbind services:                    [ OK  ]
>>>
>>>
>>> In your opinion what is the problem?
>>>
>>>
>>>
>>> On Saturday, December 27, 2014 4:12 AM, Rowland Penny
>>> <rowlandpenny at googlemail.com <mailto:rowlandpenny at
googlemail.com>>
>> wrote:
>>>
>>> On 27/12/14 11:55, Jason Long wrote:
>>>> You right. I joined my Linux box into Windows domain.
>>>> Of course. I attached my "smb.conf". Can you see it?
>>>>
>>>>
>>>> On Saturday, December 27, 2014 3:36 AM, Rowland Penny
>>>> <rowlandpenny at googlemail.com <mailto:rowlandpenny at
googlemail.com>>
>> <mailto:rowlandpenny at googlemail.com
>> <mailto:rowlandpenny at googlemail.com>> wrote:
>>>>
>>>> On 27/12/14 06:44, Jason Long wrote:
>>>>
>>>>> Thank you so much.
>>>>> No, I'm not. I joined my linux to Windows domain
because of AD. I
>>>> can define some users in my Linux and Windows clients use it to
open
>>>> share and ... but my problem is that I have a lot of users and
groups
>>>> and Redefine all of them in Linux is a little silly :(. I
joined my
>>>> Linux to Windows domain because of use AD users and groups.
>>>>> About your question :
>>>>> "Where did you setup the password for
'jasondomain\jason'? Again,
>>>> if you
>>>>> didn't set a password, more modern versions of windows
won't allow
>>>> you to
>>>>> login (or attach a share) remotely."
>>>>>
>>>>> I must say that "jason" is defined in AD on
Windows OS and I use it
>>>> for login into Linux.
>>>>>
>>>>> "You don't say what happens when you try to open
'test'.  You say
>>>> it can't let you?  What error message does it give you?
"
>>>>> It don't show me any error and just show Login Windows
again :(.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Friday, December 26, 2014 2:35 PM, Linda W <samba at
tlinx.org
>> <mailto:samba at tlinx.org>
>>>> <mailto:samba at tlinx.org <mailto:samba at
tlinx.org>>> wrote:
>>>>> Jason Long wrote:
>>>>>> Hello Folks.
>>>>>> How are you?
>>>>>>
>>>>>> I joined my CentOS into Windows Domain and I want to
give
>>>> Permission to files and Directory via Active Directory. When I
use
>>>> "getent passwd" and "getent group", I can
see All AD users and
>>>> Groups. I use below command to give Permission to a Folder via
ACL :
>>>>>> setfacl -m g:"jasondomain\jason-rw":rwx
>>>> /home/local/jasondomain/jason/test
>>>>>> and I create a part for my "smb.conf" file :
>>>>>>
>>>>>> [Test]
>>>>>> comment = test
>>>>>> path = /home/local/jasondomain/jason/test
>>>>>> browsable = yes
>>>>>> inherit acls = yes
>>>>>> inherit permissions = yes
>>>>>> inherit owner = yes
>>>>>> map acl inherit = yes
>>>>>> acl check permissions = yes
>>>>>> nt acl support = yes
>>>>>> #valid users = %D\%S
>>>>>> #write list = @jasondomain\domain^admins
>>>>>> read only = no
>>>>>>
>>>>>>
>>>>>> but when I browse the "Test" directory it ask
me username and
>>>> password and when I enter "jasondomain\jason" as
username it can't
>>>> let me to open the "Test" directory. What is the
problem?
>>>>> ----
>>>>>       Are you already logged into the server under
different
>>>> credentials,
>>>>> like 'WORKGROUP', jason (i.e. do you already have
some shares
>> mounted?)
>>>>> If I remember, Windows won't allow the same workstation
to connect
>>>> under
>>>>> two different user id's.  If you already have something
mounted
>>>> from your
>>>>> workstation with different credentials, you need to close
(unmount
>>>> / unmap)
>>>>> those other connections.
>>>>>
>>>>> Where did you setup the password for
'jasondomain\jason'? Again,
>> if you
>>>>> didn't set a password, more modern versions of windows
won't allow
>>>> you to
>>>>> login (or attach a share) remotely.
>>>>>
>>>>> You don't say what happens when you try to open
'test'.  You say it
>>>>>
>>>>> can't let
>>>>> you?  What error message does it give you?
>>>>
>>>> OK, If I understand you correctly, you have setup samba on a
Centos
>>>> machine and joined it to a windows machine, is this correct ?
>>>>
>>>> Could you post the entire smb.conf from your Centos machine.
>>>>
>>>> Rowland
>>>>
>>>> --
>>>> To unsubscribe from this list go to the following URL and read
the
>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>
>>>>
>>>>
>>> OK, after wading through all the un-needed lines, I got this:
>>>
>>> [global]
>>>     workgroup = MYGROUP
>>>     server string = Samba Server Version %v
>>>     # logs split per machine
>>>     log file = /var/log/samba/log.%m
>>>     # max 50KB per log file, then rotate
>>>     max log size = 50
>>>     security = user
>>>     passdb backend = tdbsam
>>>     load printers = yes
>>>     cups options = raw
>>>
>>> [homes]
>>>     comment = Home Directories
>>>     browseable = no
>>>     writable = yes
>>>
>>> [printers]
>>>     comment = All Printers
>>>     path = /var/spool/samba
>>>     browseable = no
>>>     guest ok = no
>>>     writable = no
>>>     printable = yes
>>>
>>> [Test]
>>> comment = Public Stuff
>>> path = /home/local/HAMSHAHRY/jokar/test/
>>> browsable = yes
>>> inherit acls = yes
>>> inherit permissions = yes
>>> inherit owner = yes
>>> map acl inherit = yes
>>> acl check permissions = yes
>>> nt acl support = yes
>>> read only = no
>>>
>>> Try changing 'security = user' to 'security = ads'
and adding the
>>> required winbind & idmap lines, see:
>>> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>>>
>>> Yes, I know it says 'member server', but you can use it for
a client
>>> as well.
>>>
>>> Rowland
>>>
>>>
>>>
>> Hi, you seem to be using **four**, yes four different workgroup (also
>> known as domain) names:
>> In smb.conf: MYGROUP & SAMDOM
>> When trying to login: jasondomain & WORKGROUP
>>
>> They all need to be the same, you also need to add uidNumber's to
your
>> users and a gidNumber to at least 'Domain Users'
>>
>>
>> Rowland
>>
>>
>>
>> -- 
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>>
>>
> OK, in the last smb.conf you posted there are these lines:
>
> workgroup = MYGROUP
>
> idmap config SAMDOM:backend = ad
> idmap config SAMDOM:schema_mode = rfc2307
> idmap config SAMDOM:range = 500-40000
>
> Also in samba-1.png:
>
> Username: jasondomain\jason
>
> domain:     WORKGROUP
>
> I make that 4 workgroup names, ok you have changed MYGROUP, but what
> about SAMDOM ?
>
> You also have 'winbind use default domain = yes' , because of this,
you
> do not need to use 'jasondomain\jason', just 'jason' should
work.
>
> Do you by any chance have a Unix user called 'jason' on the samba
machine ?
>
> Also, when you try to login as 'jasondomain\jason' are you doing
this on
> the samba machine ?
>
>
> Rowland
>
OK, I am 99% sure that you cannot have a dot in a workgroup name.

As to logging into the machine, I meant are you trying to connect to a 
share on the linux machine from the linux machine.

What I would do is, install the OpenSSH server on the linux machine, 
install 'PUTTY' on a windows machine and try to login via
'PUTTY' and
use the SSH protocol.


Rowland

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Thank you so much.
Thus I must change "idmap config JASONDOMAIN.JJ:backend = ad " to
"idmap config JASONDOMAIN:backend = ad".
How about Workgroup? is must change "JASONDOMAIN" too?
About your question I must say that I Test this share via Linux too and Windows
and Linux has same problem.

About "What I would do is, install the OpenSSH server on the linux machine,
install 'PUTTY' on a windows machine and try to login via
'PUTTY' and use the SSH protocol." , You mean is that Windows
clients use SSH to work with this directory? I want to made this Linux Box as a
File server and Windows Clients need graphical browser to copy and paste file
into this directory!!!!!!!
What is your idea?

Thanks.






On Sunday, December 28, 2014 4:23 AM, Rowland Penny <rowlandpenny at
googlemail.com> wrote:
On 28/12/14 11:54, Jason Long wrote:
>
> Thank you so much.
>
> I changed "SAMDOM" to "jasondomain" and also
"winbind use default domain = no" but problem exist. int he photo that
I sent, I changed "WORKGROUP" to "jasondomain" too.
> I have a question, My domain have a prefix with ".jj" and it is
"jasondomain.jj". I changed :
>
>
> [global]
> workgroup = JASONDOMAIN.JJ
> server string = Samba Server Version %v
> # logs split per machine
> log file = /var/log/samba/log.%m
> # max 50KB per log file, then rotate
> max log size = 50
> security = ads
> passdb backend = tdbsam
> load printers = yes
> cups options = raw
> idmap config *:backend = tdb
> idmap config *:range = 70001-80000
> #idmap config SAMDOM:backend = ad
> idmap config JASONDOMAIN.JJ:backend = ad
> idmap config JASONDOMAIN.JJ:schema_mode = rfc2307
> idmap config JASONDOMAIN.JJ:range = 500-40000
>
>
> Am I right? If yes, My problem not solved :(
>
>
> about your question I must say that "No", I have not any
"jason" user in Linux machine.
> Yes, I use "jasondomain\jason" for login into Linux machine and
"jason" is a user that defined in Windows Active Directory.
>
>
> Thanks.
>
>
>
>
>
> On Sunday, December 28, 2014 1:41 AM, Rowland Penny <rowlandpenny at
googlemail.com> wrote:
> On 28/12/14 08:47, Jason Long wrote:
>> I never used four different Workgroup or Domain. My domain is
>> "jasondomain" and as you see my last "smb.conf" it
is. I change
>> "MYGROUP" to "jasondomain" but problem not solved.
>>
>>
>> On Saturday, December 27, 2014 7:02 AM, Rowland Penny
>> <rowlandpenny at googlemail.com> wrote:
>>
>>
>> On 27/12/14 14:18, Jason Long wrote:
>>> Thank you so much.
>>> I changed my "smb.conf" and "password-auth-ac".
I attached two file
>>> for you and you can see them. My problem not solved :( and login
>>> windows showed and not accept my username and password, I attached
>> it too.
>>>   I paste my "fstab" file here and as you see the
"acl" is enabled for
>>> "root" :
>>>
>>> #
>>> # /etc/fstab
>>> # Created by anaconda on Wed Dec 24 10:02:57 2014
>>> #
>>> # Accessible filesystems, by reference, are maintained under
'/dev/disk'
>>> # See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for
more
>>> info
>>> #
>>> /dev/mapper/vg_print-lv_root / ext4 acl,defaults        1 1
>>> UUID=9ad25e0f-4f1a-4c6a-a419-98a016fcc30d /boot         ext4
>>>   defaults        1 2
>>> /dev/mapper/vg_print-lv_swap swap  swap defaults        0 0
>>> tmpfs                  /dev/shm tmpfs  defaults
>>>   0 0
>>> devpts                  /dev/pts  devpts gid=5,mode=620  0 0
>>> sysfs                  /sys sysfs  defaults
>>>   0 0
>>> proc                    /proc proc    defaults
>>>   0 0
>>>
>>> I paste "getfacl" for test directory here :
>>>
>>> getfacl test/
>>> # file: test/
>>> # owner: jasondomain\134jason
>>> # group: jasondomain\134grp-jason-rw
>>> user::rwx
>>> group::r-x
>>> group:jasondomain\134grp-jason-rw:rwx
>>> mask::rwx
>>> other::r-x
>>>
>>> After change "password-auth-ac", When I want to restart
"winbind"
>>> server it show me an error as below :
>>>
>>> #service smb restart
>>> Shutting down SMB services:                    [ OK  ]
>>> Starting SMB services:                          [ OK  ]
>>> # service winbind restart
>>> Shutting down Winbind services: [FAILED]
>>> Starting Winbind services:                    [ OK  ]
>>>
>>>
>>> In your opinion what is the problem?
>>>
>>>
>>>
>>> On Saturday, December 27, 2014 4:12 AM, Rowland Penny
>>> <rowlandpenny at googlemail.com <mailto:rowlandpenny at
googlemail.com>>
>> wrote:
>>>
>>> On 27/12/14 11:55, Jason Long wrote:
>>>> You right. I joined my Linux box into Windows domain.
>>>> Of course. I attached my "smb.conf". Can you see it?
>>>>
>>>>
>>>> On Saturday, December 27, 2014 3:36 AM, Rowland Penny
>>>> <rowlandpenny at googlemail.com <mailto:rowlandpenny at
googlemail.com>>
>> <mailto:rowlandpenny at googlemail.com
>> <mailto:rowlandpenny at googlemail.com>> wrote:
>>>>
>>>> On 27/12/14 06:44, Jason Long wrote:
>>>>
>>>>> Thank you so much.
>>>>> No, I'm not. I joined my linux to Windows domain
because of AD. I
>>>> can define some users in my Linux and Windows clients use it to
open
>>>> share and ... but my problem is that I have a lot of users and
groups
>>>> and Redefine all of them in Linux is a little silly :(. I
joined my
>>>> Linux to Windows domain because of use AD users and groups.
>>>>> About your question :
>>>>> "Where did you setup the password for
'jasondomain\jason'? Again,
>>>> if you
>>>>> didn't set a password, more modern versions of windows
won't allow
>>>> you to
>>>>> login (or attach a share) remotely."
>>>>>
>>>>> I must say that "jason" is defined in AD on
Windows OS and I use it
>>>> for login into Linux.
>>>>>
>>>>> "You don't say what happens when you try to open
'test'.  You say
>>>> it can't let you?  What error message does it give you?
"
>>>>> It don't show me any error and just show Login Windows
again :(.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Friday, December 26, 2014 2:35 PM, Linda W <samba at
tlinx.org
>> <mailto:samba at tlinx.org>
>>>> <mailto:samba at tlinx.org <mailto:samba at
tlinx.org>>> wrote:
>>>>> Jason Long wrote:
>>>>>> Hello Folks.
>>>>>> How are you?
>>>>>>
>>>>>> I joined my CentOS into Windows Domain and I want to
give
>>>> Permission to files and Directory via Active Directory. When I
use
>>>> "getent passwd" and "getent group", I can
see All AD users and
>>>> Groups. I use below command to give Permission to a Folder via
ACL :
>>>>>> setfacl -m g:"jasondomain\jason-rw":rwx
>>>> /home/local/jasondomain/jason/test
>>>>>> and I create a part for my "smb.conf" file :
>>>>>>
>>>>>> [Test]
>>>>>> comment = test
>>>>>> path = /home/local/jasondomain/jason/test
>>>>>> browsable = yes
>>>>>> inherit acls = yes
>>>>>> inherit permissions = yes
>>>>>> inherit owner = yes
>>>>>> map acl inherit = yes
>>>>>> acl check permissions = yes
>>>>>> nt acl support = yes
>>>>>> #valid users = %D\%S
>>>>>> #write list = @jasondomain\domain^admins
>>>>>> read only = no
>>>>>>
>>>>>>
>>>>>> but when I browse the "Test" directory it ask
me username and
>>>> password and when I enter "jasondomain\jason" as
username it can't
>>>> let me to open the "Test" directory. What is the
problem?
>>>>> ----
>>>>>       Are you already logged into the server under
different
>>>> credentials,
>>>>> like 'WORKGROUP', jason (i.e. do you already have
some shares
>> mounted?)
>>>>> If I remember, Windows won't allow the same workstation
to connect
>>>> under
>>>>> two different user id's.  If you already have something
mounted
>>>> from your
>>>>> workstation with different credentials, you need to close
(unmount
>>>> / unmap)
>>>>> those other connections.
>>>>>
>>>>> Where did you setup the password for
'jasondomain\jason'? Again,
>> if you
>>>>> didn't set a password, more modern versions of windows
won't allow
>>>> you to
>>>>> login (or attach a share) remotely.
>>>>>
>>>>> You don't say what happens when you try to open
'test'.  You say it
>>>>>
>>>>> can't let
>>>>> you?  What error message does it give you?
>>>>
>>>> OK, If I understand you correctly, you have setup samba on a
Centos
>>>> machine and joined it to a windows machine, is this correct ?
>>>>
>>>> Could you post the entire smb.conf from your Centos machine.
>>>>
>>>> Rowland
>>>>
>>>> --
>>>> To unsubscribe from this list go to the following URL and read
the
>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>
>>>>
>>>>
>>> OK, after wading through all the un-needed lines, I got this:
>>>
>>> [global]
>>>     workgroup = MYGROUP
>>>     server string = Samba Server Version %v
>>>     # logs split per machine
>>>     log file = /var/log/samba/log.%m
>>>     # max 50KB per log file, then rotate
>>>     max log size = 50
>>>     security = user
>>>     passdb backend = tdbsam
>>>     load printers = yes
>>>     cups options = raw
>>>
>>> [homes]
>>>     comment = Home Directories
>>>     browseable = no
>>>     writable = yes
>>>
>>> [printers]
>>>     comment = All Printers
>>>     path = /var/spool/samba
>>>     browseable = no
>>>     guest ok = no
>>>     writable = no
>>>     printable = yes
>>>
>>> [Test]
>>> comment = Public Stuff
>>> path = /home/local/HAMSHAHRY/jokar/test/
>>> browsable = yes
>>> inherit acls = yes
>>> inherit permissions = yes
>>> inherit owner = yes
>>> map acl inherit = yes
>>> acl check permissions = yes
>>> nt acl support = yes
>>> read only = no
>>>
>>> Try changing 'security = user' to 'security = ads'
and adding the
>>> required winbind & idmap lines, see:
>>> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>>>
>>> Yes, I know it says 'member server', but you can use it for
a client
>>> as well.
>>>
>>> Rowland
>>>
>>>
>>>
>> Hi, you seem to be using **four**, yes four different workgroup (also
>> known as domain) names:
>> In smb.conf: MYGROUP & SAMDOM
>> When trying to login: jasondomain & WORKGROUP
>>
>> They all need to be the same, you also need to add uidNumber's to
your
>> users and a gidNumber to at least 'Domain Users'
>>
>>
>> Rowland
>>
>>
>>
>> -- 
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>>
>>
> OK, in the last smb.conf you posted there are these lines:
>
> workgroup = MYGROUP
>
> idmap config SAMDOM:backend = ad
> idmap config SAMDOM:schema_mode = rfc2307
> idmap config SAMDOM:range = 500-40000
>
> Also in samba-1.png:
>
> Username: jasondomain\jason
>
> domain:     WORKGROUP
>
> I make that 4 workgroup names, ok you have changed MYGROUP, but what
> about SAMDOM ?
>
> You also have 'winbind use default domain = yes' , because of this,
you
> do not need to use 'jasondomain\jason', just 'jason' should
work.
>
> Do you by any chance have a Unix user called 'jason' on the samba
machine ?
>
> Also, when you try to login as 'jasondomain\jason' are you doing
this on
> the samba machine ?
>
>
> Rowland
>
OK, I am 99% sure that you cannot have a dot in a workgroup name.

As to logging into the machine, I meant are you trying to connect to a 
share on the linux machine from the linux machine.

What I would do is, install the OpenSSH server on the linux machine, 
install 'PUTTY' on a windows machine and try to login via
'PUTTY' and
use the SSH protocol.


Rowland