Jason Long
2014-Dec-28 11:54 UTC
[Samba] Use Samba with ACL for read Active Directory and set Permissions via it.
Thank you so much.

I changed "SAMDOM" to "jasondomain" and also "winbind use default domain = no" but problem exist. In the photo that I sent, I changed "WORKGROUP" to "jasondomain" too.
I have a question, My domain have a prefix with ".jj" and it is "jasondomain.jj". I changed :

[global]
workgroup = JASONDOMAIN.JJ
server string = Samba Server Version %v
# logs split per machine
log file = /var/log/samba/log.%m
# max 50KB per log file, then rotate
max log size = 50
security = ads
passdb backend = tdbsam
load printers = yes
cups options = raw
idmap config *:backend = tdb
idmap config *:range = 70001-80000
#idmap config SAMDOM:backend = ad
idmap config JASONDOMAIN.JJ:backend = ad
idmap config JASONDOMAIN.JJ:schema_mode = rfc2307
idmap config JASONDOMAIN.JJ:range = 500-40000

Am I right? If yes, My problem not solved :(

About your question I must say that "No", I have not any "jason" user in Linux machine.
Yes, I use "jasondomain\jason" for login into Linux machine and "jason" is a user that defined in Windows Active Directory.

Thanks.

On Sunday, December 28, 2014 1:41 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:

On 28/12/14 08:47, Jason Long wrote:
> I never used four different Workgroup or Domain. My domain is
> "jasondomain" and as you see my last "smb.conf" it is. I change
> "MYGROUP" to "jasondomain" but problem not solved.
>
> On Saturday, December 27, 2014 7:02 AM, Rowland Penny
> <rowlandpenny at googlemail.com> wrote:
>
> On 27/12/14 14:18, Jason Long wrote:
> > Thank you so much.
> > I changed my "smb.conf" and "password-auth-ac". I attached two file
> > for you and you can see them. My problem not solved :( and login
> > windows showed and not accept my username and password, I attached
> > it too.
> > I paste my "fstab" file here and as you see the "acl" is enabled for
> > "root" :
> >
> > #
> > # /etc/fstab
> > # Created by anaconda on Wed Dec 24 10:02:57 2014
> > #
> > # Accessible filesystems, by reference, are maintained under '/dev/disk'
> > # See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
> > #
> > /dev/mapper/vg_print-lv_root / ext4 acl,defaults 1 1
> > UUID=9ad25e0f-4f1a-4c6a-a419-98a016fcc30d /boot ext4 defaults 1 2
> > /dev/mapper/vg_print-lv_swap swap swap defaults 0 0
> > tmpfs /dev/shm tmpfs defaults 0 0
> > devpts /dev/pts devpts gid=5,mode=620 0 0
> > sysfs /sys sysfs defaults 0 0
> > proc /proc proc defaults 0 0
> >
> > I paste "getfacl" for test directory here :
> >
> > getfacl test/
> > # file: test/
> > # owner: jasondomain\134jason
> > # group: jasondomain\134grp-jason-rw
> > user::rwx
> > group::r-x
> > group:jasondomain\134grp-jason-rw:rwx
> > mask::rwx
> > other::r-x
> >
> > After change "password-auth-ac", When I want to restart "winbind"
> > server it show me an error as below :
> >
> > #service smb restart
> > Shutting down SMB services: [ OK ]
> > Starting SMB services: [ OK ]
> > # service winbind restart
> > Shutting down Winbind services: [FAILED]
> > Starting Winbind services: [ OK ]
> >
> > In your opinion what is the problem?
> >
> > On Saturday, December 27, 2014 4:12 AM, Rowland Penny
> > <rowlandpenny at googlemail.com> wrote:
> >
> > On 27/12/14 11:55, Jason Long wrote:
> >> You right. I joined my Linux box into Windows domain.
> >> Of course. I attached my "smb.conf". Can you see it?
> >>
> >> On Saturday, December 27, 2014 3:36 AM, Rowland Penny
> >> <rowlandpenny at googlemail.com> wrote:
> >>
> >> On 27/12/14 06:44, Jason Long wrote:
> >> > Thank you so much.
> >> > No, I'm not. I joined my linux to Windows domain because of AD. I
> >> > can define some users in my Linux and Windows clients use it to open
> >> > share and ... but my problem is that I have a lot of users and groups
> >> > and Redefine all of them in Linux is a little silly :(. I joined my
> >> > Linux to Windows domain because of use AD users and groups.
> >> >
> >> > About your question :
> >> > "Where did you setup the password for 'jasondomain\jason'? Again, if you
> >> > didn't set a password, more modern versions of windows won't allow you to
> >> > login (or attach a share) remotely."
> >> >
> >> > I must say that "jason" is defined in AD on Windows OS and I use it
> >> > for login into Linux.
> >> >
> >> > "You don't say what happens when you try to open 'test'. You say
> >> > it can't let you? What error message does it give you? "
> >> > It don't show me any error and just show Login Windows again :(.
> >> >
> >> > On Friday, December 26, 2014 2:35 PM, Linda W <samba at tlinx.org> wrote:
> >> > Jason Long wrote:
> >> >> Hello Folks.
> >> >> How are you?
> >> >>
> >> >> I joined my CentOS into Windows Domain and I want to give
> >> >> Permission to files and Directory via Active Directory. When I use
> >> >> "getent passwd" and "getent group", I can see All AD users and
> >> >> Groups. I use below command to give Permission to a Folder via ACL :
> >> >>
> >> >> setfacl -m g:"jasondomain\jason-rw":rwx /home/local/jasondomain/jason/test
> >> >>
> >> >> and I create a part for my "smb.conf" file :
> >> >>
> >> >> [Test]
> >> >> comment = test
> >> >> path = /home/local/jasondomain/jason/test
> >> >> browsable = yes
> >> >> inherit acls = yes
> >> >> inherit permissions = yes
> >> >> inherit owner = yes
> >> >> map acl inherit = yes
> >> >> acl check permissions = yes
> >> >> nt acl support = yes
> >> >> #valid users = %D\%S
> >> >> #write list = @jasondomain\domain^admins
> >> >> read only = no
> >> >>
> >> >> but when I browse the "Test" directory it ask me username and
> >> >> password and when I enter "jasondomain\jason" as username it can't
> >> >> let me to open the "Test" directory. What is the problem?
> >> >>
> >> > ----
> >> > Are you already logged into the server under different credentials,
> >> > like 'WORKGROUP', jason (i.e. do you already have some shares mounted?)
> >> >
> >> > If I remember, Windows won't allow the same workstation to connect under
> >> > two different user id's. If you already have something mounted from your
> >> > workstation with different credentials, you need to close (unmount / unmap)
> >> > those other connections.
> >> >
> >> > Where did you setup the password for 'jasondomain\jason'? Again, if you
> >> > didn't set a password, more modern versions of windows won't allow you to
> >> > login (or attach a share) remotely.
> >> >
> >> > You don't say what happens when you try to open 'test'. You say it
> >> > can't let you? What error message does it give you?
> >>
> >> OK, If I understand you correctly, you have setup samba on a Centos
> >> machine and joined it to a windows machine, is this correct ?
> >>
> >> Could you post the entire smb.conf from your Centos machine.
> >>
> >> Rowland
> >>
> >> --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions: https://lists.samba.org/mailman/options/samba
> >>
> > OK, after wading through all the un-needed lines, I got this:
> >
> > [global]
> > workgroup = MYGROUP
> > server string = Samba Server Version %v
> > # logs split per machine
> > log file = /var/log/samba/log.%m
> > # max 50KB per log file, then rotate
> > max log size = 50
> > security = user
> > passdb backend = tdbsam
> > load printers = yes
> > cups options = raw
> >
> > [homes]
> > comment = Home Directories
> > browseable = no
> > writable = yes
> >
> > [printers]
> > comment = All Printers
> > path = /var/spool/samba
> > browseable = no
> > guest ok = no
> > writable = no
> > printable = yes
> >
> > [Test]
> > comment = Public Stuff
> > path = /home/local/HAMSHAHRY/jokar/test/
> > browsable = yes
> > inherit acls = yes
> > inherit permissions = yes
> > inherit owner = yes
> > map acl inherit = yes
> > acl check permissions = yes
> > nt acl support = yes
> > read only = no
> >
> > Try changing 'security = user' to 'security = ads' and adding the
> > required winbind & idmap lines, see:
> > https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
> >
> > Yes, I know it says 'member server', but you can use it for a client
> > as well.
> >
> > Rowland
> >
> Hi, you seem to be using **four**, yes four different workgroup (also
> known as domain) names:
> In smb.conf: MYGROUP & SAMDOM
> When trying to login: jasondomain & WORKGROUP
>
> They all need to be the same, you also need to add uidNumber's to your
> users and a gidNumber to at least 'Domain Users'
>
> Rowland
>

OK, in the last smb.conf you posted there are these lines:

workgroup = MYGROUP

idmap config SAMDOM:backend = ad
idmap config SAMDOM:schema_mode = rfc2307
idmap config SAMDOM:range = 500-40000

Also in samba-1.png:

Username: jasondomain\jason

domain: WORKGROUP

I make that 4 workgroup names, ok you have changed MYGROUP, but what about SAMDOM ?

You also have 'winbind use default domain = yes' , because of this, you do not need to use 'jasondomain\jason', just 'jason' should work.

Do you by any chance have a Unix user called 'jason' on the samba machine ?

Also, when you try to login as 'jasondomain\jason' are you doing this on the samba machine ?

Rowland
Rowland Penny
2014-Dec-28 12:15 UTC
[Samba] Use Samba with ACL for read Active Directory and set Permissions via it.
On 28/12/14 11:54, Jason Long wrote:
> Thank you so much.
>
> I changed "SAMDOM" to "jasondomain" and also "winbind use default domain = no" but problem exist. In the photo that I sent, I changed "WORKGROUP" to "jasondomain" too.
> I have a question, My domain have a prefix with ".jj" and it is "jasondomain.jj". I changed :
>
> [global]
> workgroup = JASONDOMAIN.JJ
> server string = Samba Server Version %v
> # logs split per machine
> log file = /var/log/samba/log.%m
> # max 50KB per log file, then rotate
> max log size = 50
> security = ads
> passdb backend = tdbsam
> load printers = yes
> cups options = raw
> idmap config *:backend = tdb
> idmap config *:range = 70001-80000
> #idmap config SAMDOM:backend = ad
> idmap config JASONDOMAIN.JJ:backend = ad
> idmap config JASONDOMAIN.JJ:schema_mode = rfc2307
> idmap config JASONDOMAIN.JJ:range = 500-40000
>
> Am I right? If yes, My problem not solved :(
>
> About your question I must say that "No", I have not any "jason" user in Linux machine.
> Yes, I use "jasondomain\jason" for login into Linux machine and "jason" is a user that defined in Windows Active Directory.
>
> Thanks.

OK, I am 99% sure that you cannot have a dot in a workgroup name.

As to logging into the machine, I meant are you trying to connect to a share on the linux machine from the linux machine.

What I would do is, install the OpenSSH server on the linux machine, install 'PUTTY' on a windows machine and try to login via 'PUTTY' and use the SSH protocol.

Rowland
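Added example, not part of the thread or of Samba itself: a small Python lint for the [global] section that checks the points raised above (a dot in `workgroup`, `idmap config` domain names that differ from `workgroup`, overlapping idmap ranges) plus `security = ads` without a `realm`, the smb.conf parameter that takes the DNS-style name. Both sample configurations are constructed from the settings quoted in the thread; `realm = JASONDOMAIN.JJ` and the finding names are assumptions made for the illustration.

```python
import re
from itertools import combinations

# Constructed sample combining the two mistakes discussed in the thread.
SAMPLE_BAD = """\
[global]
    workgroup = JASONDOMAIN.JJ
    security = ads
    idmap config *:backend = tdb
    idmap config *:range = 70001-80000
    idmap config SAMDOM:backend = ad
    idmap config SAMDOM:schema_mode = rfc2307
    idmap config SAMDOM:range = 500-40000
"""

# Constructed corrected form; the realm value is an assumption.
SAMPLE_GOOD = """\
[global]
    workgroup = JASONDOMAIN
    realm = JASONDOMAIN.JJ
    security = ads
    idmap config *:backend = tdb
    idmap config *:range = 70001-80000
    idmap config JASONDOMAIN:backend = ad
    idmap config JASONDOMAIN:schema_mode = rfc2307
    idmap config JASONDOMAIN:range = 500-40000
"""


def parse_global(text):
    """Return {normalised parameter name: value} for the [global] section."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # Parameter names are case-insensitive; collapse inner whitespace.
            key = re.sub(r"\s+", " ", key.strip().lower())
            params[key] = value.strip()
    return params


def idmap_domains(params):
    """Group 'idmap config DOMAIN:option' parameters by DOMAIN (upper-cased)."""
    domains = {}
    for key, value in params.items():
        m = re.fullmatch(r"idmap config (.+?)\s*:\s*(.+)", key)
        if m:
            domains.setdefault(m.group(1).upper(), {})[m.group(2)] = value
    return domains


def parse_range(value):
    """Turn 'LOW-HIGH' into (low, high), or None if it does not parse."""
    m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", value or "")
    return (int(m.group(1)), int(m.group(2))) if m else None


def lint(text):
    """Return a list of finding codes (hypothetical names) for one smb.conf."""
    params = parse_global(text)
    findings = []
    workgroup = params.get("workgroup", "").upper()

    if "." in workgroup:
        findings.append("workgroup-has-dot")
    if params.get("security", "").lower() == "ads" and "realm" not in params:
        findings.append("ads-without-realm")

    domains = idmap_domains(params)
    for name in domains:
        if name != "*" and name != workgroup:
            findings.append(f"idmap-domain-mismatch:{name}")

    # Each idmap domain needs its own ID range; overlapping ranges collide.
    ranges = [(n, parse_range(opts.get("range"))) for n, opts in domains.items()]
    ranges = [(n, r) for n, r in ranges if r]
    for (a, ra), (b, rb) in combinations(ranges, 2):
        if ra[0] <= rb[1] and rb[0] <= ra[1]:
            findings.append(f"idmap-range-overlap:{a}/{b}")
    return findings


if __name__ == "__main__":
    for label, conf in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(label, lint(conf) or "no findings")
```

This only checks names and ranges for consistency; `testparm` remains the tool for validating the file's syntax.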
Jason Long
2014-Dec-28 15:47 UTC
[Samba] Use Samba with ACL for read Active Directory and set Permissions via it.
Thank you so much.

Thus I must change "idmap config JASONDOMAIN.JJ:backend = ad " to "idmap config JASONDOMAIN:backend = ad". How about Workgroup? is must change "JASONDOMAIN" too?

About your question I must say that I Test this share via Linux too and Windows and Linux has same problem.

About "What I would do is, install the OpenSSH server on the linux machine, install 'PUTTY' on a windows machine and try to login via 'PUTTY' and use the SSH protocol." , You mean is that Windows clients use SSH to work with this directory? I want to made this Linux Box as a File server and Windows Clients need graphical browser to copy and paste file into this directory!!!!!!! What is your idea?

Thanks.

On Sunday, December 28, 2014 4:16 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:

On 28/12/14 11:54, Jason Long wrote:
> Thank you so much.
>
> I changed "SAMDOM" to "jasondomain" and also "winbind use default domain = no" but problem exist. In the photo that I sent, I changed "WORKGROUP" to "jasondomain" too.
> I have a question, My domain have a prefix with ".jj" and it is "jasondomain.jj". I changed :
>
> [global]
> workgroup = JASONDOMAIN.JJ
> server string = Samba Server Version %v
> # logs split per machine
> log file = /var/log/samba/log.%m
> # max 50KB per log file, then rotate
> max log size = 50
> security = ads
> passdb backend = tdbsam
> load printers = yes
> cups options = raw
> idmap config *:backend = tdb
> idmap config *:range = 70001-80000
> #idmap config SAMDOM:backend = ad
> idmap config JASONDOMAIN.JJ:backend = ad
> idmap config JASONDOMAIN.JJ:schema_mode = rfc2307
> idmap config JASONDOMAIN.JJ:range = 500-40000
>
> Am I right? If yes, My problem not solved :(
>
> About your question I must say that "No", I have not any "jason" user in Linux machine.
> Yes, I use "jasondomain\jason" for login into Linux machine and "jason" is a user that defined in Windows Active Directory.
>
> Thanks.
Jason Long
2014-Dec-28 15:48 UTC
[Samba] Use Samba with ACL for read Active Directory and set Permissions via it.
Thank you so much.

Thus I must change "idmap config JASONDOMAIN.JJ:backend = ad " to "idmap config JASONDOMAIN:backend = ad". How about Workgroup? is must change "JASONDOMAIN" too?

About your question I must say that I Test this share via Linux too and Windows and Linux has same problem.

About "What I would do is, install the OpenSSH server on the linux machine, install 'PUTTY' on a windows machine and try to login via 'PUTTY' and use the SSH protocol." , You mean is that Windows clients use SSH to work with this directory? I want to made this Linux Box as a File server and Windows Clients need graphical browser to copy and paste file into this directory!!!!!!! What is your idea?

Thanks.

On Sunday, December 28, 2014 4:23 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:

On 28/12/14 11:54, Jason Long wrote:
> Thank you so much.
>
> I changed "SAMDOM" to "jasondomain" and also "winbind use default domain = no" but problem exist. In the photo that I sent, I changed "WORKGROUP" to "jasondomain" too.
> I have a question, My domain have a prefix with ".jj" and it is "jasondomain.jj". I changed :
>
> [global]
> workgroup = JASONDOMAIN.JJ
> server string = Samba Server Version %v
> # logs split per machine
> log file = /var/log/samba/log.%m
> # max 50KB per log file, then rotate
> max log size = 50
> security = ads
> passdb backend = tdbsam
> load printers = yes
> cups options = raw
> idmap config *:backend = tdb
> idmap config *:range = 70001-80000
> #idmap config SAMDOM:backend = ad
> idmap config JASONDOMAIN.JJ:backend = ad
> idmap config JASONDOMAIN.JJ:schema_mode = rfc2307
> idmap config JASONDOMAIN.JJ:range = 500-40000
>
> Am I right? If yes, My problem not solved :(
>
> About your question I must say that "No", I have not any "jason" user in Linux machine.
> Yes, I use "jasondomain\jason" for login into Linux machine and "jason" is a user that defined in Windows Active Directory.
>
> Thanks.
> > > > > > On Sunday, December 28, 2014 1:41 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote: > On 28/12/14 08:47, Jason Long wrote: >> I never used four different Workgroup or Domain. My domain is >> "jasondomain" and as you see my last "smb.conf" it is. I change >> "MYGROUP" to "jasondomain" but problem not solved. >> >> >> On Saturday, December 27, 2014 7:02 AM, Rowland Penny >> <rowlandpenny at googlemail.com> wrote: >> >> >> On 27/12/14 14:18, Jason Long wrote: >>> Thank you so much. >>> I changed my "smb.conf" and "password-auth-ac". I attached two file >>> for you and you can see them. My problem not solved :( and login >>> windows showed and not accept my username and password, I attached >> it too. >>> I paste my "fstab" file here and as you see the "acl" is enabled for >>> "root" : >>> >>> # >>> # /etc/fstab >>> # Created by anaconda on Wed Dec 24 10:02:57 2014 >>> # >>> # Accessible filesystems, by reference, are maintained under '/dev/disk' >>> # See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more >>> info >>> # >>> /dev/mapper/vg_print-lv_root / ext4 acl,defaults 1 1 >>> UUID=9ad25e0f-4f1a-4c6a-a419-98a016fcc30d /boot ext4 >>> defaults 1 2 >>> /dev/mapper/vg_print-lv_swap swap swap defaults 0 0 >>> tmpfs /dev/shm tmpfs defaults >>> 0 0 >>> devpts /dev/pts devpts gid=5,mode=620 0 0 >>> sysfs /sys sysfs defaults >>> 0 0 >>> proc /proc proc defaults >>> 0 0 >>> >>> I paste "getfacl" for test directory here : >>> >>> getfacl test/ >>> # file: test/ >>> # owner: jasondomain\134jason >>> # group: jasondomain\134grp-jason-rw >>> user::rwx >>> group::r-x >>> group:jasondomain\134grp-jason-rw:rwx >>> mask::rwx >>> other::r-x >>> >>> After change "password-auth-ac", When I want to restart "winbind" >>> server it show me an error as below : >>> >>> #service smb restart >>> Shutting down SMB services: [ OK ] >>> Starting SMB services: [ OK ] >>> # service winbind restart >>> Shutting down Winbind services: [FAILED] >>> Starting Winbind 
services: [ OK ] >>> >>> >>> In your opinion what is the problem? >>> >>> >>> >>> On Saturday, December 27, 2014 4:12 AM, Rowland Penny >>> <rowlandpenny at googlemail.com <mailto:rowlandpenny at googlemail.com>> >> wrote: >>> >>> On 27/12/14 11:55, Jason Long wrote: >>>> You right. I joined my Linux box into Windows domain. >>>> Of course. I attached my "smb.conf". Can you see it? >>>> >>>> >>>> On Saturday, December 27, 2014 3:36 AM, Rowland Penny >>>> <rowlandpenny at googlemail.com <mailto:rowlandpenny at googlemail.com>> >> <mailto:rowlandpenny at googlemail.com >> <mailto:rowlandpenny at googlemail.com>> wrote: >>>> >>>> On 27/12/14 06:44, Jason Long wrote: >>>> >>>>> Thank you so much. >>>>> No, I'm not. I joined my linux to Windows domain because of AD. I >>>> can define some users in my Linux and Windows clients use it to open >>>> share and ... but my problem is that I have a lot of users and groups >>>> and Redefine all of them in Linux is a little silly :(. I joined my >>>> Linux to Windows domain because of use AD users and groups. >>>>> About your question : >>>>> "Where did you setup the password for 'jasondomain\jason'? Again, >>>> if you >>>>> didn't set a password, more modern versions of windows won't allow >>>> you to >>>>> login (or attach a share) remotely." >>>>> >>>>> I must say that "jason" is defined in AD on Windows OS and I use it >>>> for login into Linux. >>>>> >>>>> "You don't say what happens when you try to open 'test'. You say >>>> it can't let you? What error message does it give you? " >>>>> It don't show me any error and just show Login Windows again :(. >>>>> >>>>> >>>>> >>>>> >>>>> On Friday, December 26, 2014 2:35 PM, Linda W <samba at tlinx.org >> <mailto:samba at tlinx.org> >>>> <mailto:samba at tlinx.org <mailto:samba at tlinx.org>>> wrote: >>>>> Jason Long wrote: >>>>>> Hello Folks. >>>>>> How are you? 
>>>>>> >>>>>> I joined my CentOS into Windows Domain and I want to give >>>> Permission to files and Directory via Active Directory. When I use >>>> "getent passwd" and "getent group", I can see All AD users and >>>> Groups. I use below command to give Permission to a Folder via ACL : >>>>>> setfacl -m g:"jasondomain\jason-rw":rwx >>>> /home/local/jasondomain/jason/test >>>>>> and I create a part for my "smb.conf" file : >>>>>> >>>>>> [Test] >>>>>> comment = test >>>>>> path = /home/local/jasondomain/jason/test >>>>>> browsable = yes >>>>>> inherit acls = yes >>>>>> inherit permissions = yes >>>>>> inherit owner = yes >>>>>> map acl inherit = yes >>>>>> acl check permissions = yes >>>>>> nt acl support = yes >>>>>> #valid users = %D\%S >>>>>> #write list = @jasondomain\domain^admins >>>>>> read only = no >>>>>> >>>>>> >>>>>> but when I browse the "Test" directory it ask me username and >>>> password and when I enter "jasondomain\jason" as username it can't >>>> let me to open the "Test" directory. What is the problem? >>>>> ---- >>>>> Are you already logged into the server under different >>>> credentials, >>>>> like 'WORKGROUP', jason (i.e. do you already have some shares >> mounted?) >>>>> If I remember, Windows won't allow the same workstation to connect >>>> under >>>>> two different user id's. If you already have something mounted >>>> from your >>>>> workstation with different credentials, you need to close (unmount >>>> / unmap) >>>>> those other connections. >>>>> >>>>> Where did you setup the password for 'jasondomain\jason'? Again, >> if you >>>>> didn't set a password, more modern versions of windows won't allow >>>> you to >>>>> login (or attach a share) remotely. >>>>> >>>>> You don't say what happens when you try to open 'test'. You say it >>>>> >>>>> can't let >>>>> you? What error message does it give you? >>>> >>>> OK, If I understand you correctly, you have setup samba on a Centos >>>> machine and joined it to a windows machine, is this correct ? 
>>>> >>>> Could you post the entire smb.conf from your Centos machine. >>>> >>>> Rowland >>>> >>>> -- >>>> To unsubscribe from this list go to the following URL and read the >>>> instructions: https://lists.samba.org/mailman/options/samba >>>> >>>> >>>> >>> OK, after wading through all the un-needed lines, I got this: >>> >>> [global] >>> workgroup = MYGROUP >>> server string = Samba Server Version %v >>> # logs split per machine >>> log file = /var/log/samba/log.%m >>> # max 50KB per log file, then rotate >>> max log size = 50 >>> security = user >>> passdb backend = tdbsam >>> load printers = yes >>> cups options = raw >>> >>> [homes] >>> comment = Home Directories >>> browseable = no >>> writable = yes >>> >>> [printers] >>> comment = All Printers >>> path = /var/spool/samba >>> browseable = no >>> guest ok = no >>> writable = no >>> printable = yes >>> >>> [Test] >>> comment = Public Stuff >>> path = /home/local/HAMSHAHRY/jokar/test/ >>> browsable = yes >>> inherit acls = yes >>> inherit permissions = yes >>> inherit owner = yes >>> map acl inherit = yes >>> acl check permissions = yes >>> nt acl support = yes >>> read only = no >>> >>> Try changing 'security = user' to 'security = ads' and adding the >>> required winbind & idmap lines, see: >>> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server >>> >>> Yes, I know it says 'member server', but you can use it for a client >>> as well. 
>>> >>> Rowland >>> >>> >>> >> Hi, you seem to be using **four**, yes four different workgroup (also >> known as domain) names: >> In smb.conf: MYGROUP & SAMDOM >> When trying to login: jasondomain & WORKGROUP >> >> They all need to be the same, you also need to add uidNumber's to your >> users and a gidNumber to at least 'Domain Users' >> >> >> Rowland >> >> >> >> -- >> To unsubscribe from this list go to the following URL and read the >> instructions: https://lists.samba.org/mailman/options/samba >> >> > OK, in the last smb.conf you posted there are these lines: > > workgroup = MYGROUP > > idmap config SAMDOM:backend = ad > idmap config SAMDOM:schema_mode = rfc2307 > idmap config SAMDOM:range = 500-40000 > > Also in samba-1.png: > > Username: jasondomain\jason > > domain: WORKGROUP > > I make that 4 workgroup names, ok you have changed MYGROUP, but what > about SAMDOM ? > > You also have 'winbind use default domain = yes' , because of this, you > do not need to use 'jasondomain\jason', just 'jason' should work. > > Do you by any chance have a Unix user called 'jason' on the samba machine ? > > Also, when you try to login as 'jasondomain\jason' are you doing this on > the samba machine ? > > > Rowland >OK, I am 99% sure that you cannot have a dot in a workgroup name. As to logging into the machine, I meant are you trying to connect to a share on the linux machine from the linux machine. What I would do is, install the OpenSSH server on the linux machine, install 'PUTTY' on a windows machine and try to login via 'PUTTY' and use the SSH protocol. Rowland
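The checks that the advice in this thread amounts to, written out as an added example (not code from the thread or from the Samba project): the workgroup name has no dot, every "idmap config" domain uses that same name, and, as Samba also requires, the idmap ranges do not overlap. The function names and the sample strings are assumptions constructed from the configuration quoted above.

```python
import re

# Constructed sample: [global] lines taken from the smb.conf posted in this thread.
POSTED = """
[global]
    workgroup = JASONDOMAIN.JJ
    idmap config *:backend = tdb
    idmap config *:range = 70001-80000
    idmap config JASONDOMAIN.JJ:backend = ad
    idmap config JASONDOMAIN.JJ:schema_mode = rfc2307
    idmap config JASONDOMAIN.JJ:range = 500-40000
"""
# Constructed variants: the earlier MYGROUP/SAMDOM mix, and one consistent name.
EARLIER = (POSTED.replace("workgroup = JASONDOMAIN.JJ", "workgroup = MYGROUP")
           .replace("JASONDOMAIN.JJ", "SAMDOM"))
FIXED = POSTED.replace("JASONDOMAIN.JJ", "JASONDOMAIN")

def parse_global(text):
    """Return the [global] parameters as {lower-cased name: value}."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":       # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def check(text):
    """Return findings about workgroup and idmap consistency."""
    p, findings, domains, ranges = parse_global(text), [], {}, {}
    wg = p.get("workgroup", "")
    if "." in wg:
        findings.append(f"workgroup '{wg}' contains a dot")
    for key, value in p.items():              # group idmap options per domain
        m = re.fullmatch(r"idmap config (.+?) ?: ?(.+)", key)
        if m:
            domains.setdefault(m.group(1), {})[m.group(2)] = value
    for dom, opts in domains.items():
        if dom != "*" and dom != wg.lower():
            findings.append(f"idmap domain '{dom}' does not match workgroup '{wg}'")
        if "range" in opts:
            lo, hi = (int(n) for n in opts["range"].split("-"))
            findings += [f"idmap ranges for '{dom}' and '{o}' overlap"
                         for o, (olo, ohi) in ranges.items() if lo <= ohi and olo <= hi]
            ranges[dom] = (lo, hi)
    return findings
```

Passing the text of the real smb.conf to check() applies the same checks; an empty list means the three names agree and the ranges are disjoint.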