Jason Long
2014-Dec-31 09:17 UTC
[Samba] Use Samba with ACL for read Active Directory and set Permissions via it.
Thank you so much but I run below commands on linux : # net rpc rights grant 'jasondomain\Domain Admins' SeDiskOperatorPrivilege -Uadministrator # net rpc rights list accounts -Uadministrator it ask me a password for "administrator: Enter administrator's password: Could not connect to server 127.0.0.1 Connection failed: NT_STATUS_NO_LOGON_SERVERS Must I enter windows administrator password? Thanks. On Monday, December 29, 2014 5:10 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote: On 29/12/14 12:52, Jason Long wrote:> Thank you so much. > > I did some changes like below : > > /dev/mapper/vg_print-lv_root / ext4 user_xattr,acl,defaults 1 1 > > > Then "lsof | grep /dev/mapper/vg_print-lv_root" not have any output. > I added below lines to [global] section too : > > vfs objects = acl_xattr > map acl inherit = Yes > store dos attributes = Yes > > But about below commands can you tell me more? > > net rpc rights grant 'SAMDOM\Domain Admins' SeDiskOperatorPrivilege -Uadministrator > net rpc rights list accounts -Uadministrator > > I hope they are not Dangerous!!!!No :-) The first one gives members of Domain Admins the right to change windows ACL's on a share The second list accounts and what rights they have.> > In the "https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs" , the other steps are in Windows!!! Can I doing via Linux too? >Yes, but it is just easier via windows Rowland> > Thanks. > > > > > > On Monday, December 29, 2014 1:59 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote: > On 29/12/14 06:38, Jason Long wrote: >> Thank you so much. >> You right, My realm is "jasondomaini.jasondomain.jj" and I change configure as below : >> >> >> [global] >> workgroup = JASONDOMAINI >> server string = Samba Server Version %v >> # logs split per machine >> log file = /var/log/samba/log.%m >> # max 50KB per log file, then rotate >> max log size = 50 >> security = ADS >> realm = JASONDOMAINI.JASONDOMAIN.JJ >> passdb backend = tdbsam >> load printers = yes >> cups options = raw >> idmap config *:backend = tdb >> idmap config *:range = 70001-80000 >> #idmap config SAMDOM:backend = ad >> idmap config JASONDOMAINI:backend = ad >> idmap config JASONDOMAINI:schema_mode = rfc2307 >> idmap config JASONDOMAINI:range = 500-40000 >> >> >> >> When I use "SSH" on my CentOS and enter "jasondomain\jason", It show me the root partition and I can open "Test" directory But it has two problems : >> >> 1- Why it show root partition? >> 2- I can't browse it via Windows explorer!!! >> >> I want to know use AD users in Linux is Hard? >> >> In your opinion I used a correct command to set ACL? >> >> #getfacl test/ >> >> >> # file: test/ >> # owner: JASONDOMAINI\134JASON >> # group: JASONDOMAINI\134grp-JASON-rw >> user::rwx >> group::r-x >> group:JASONDOMAINI\134grp-JASON-rw:rwx >> mask::rwx >> other::r-x >> >> >> and in "getent group" it show me below group : >> >> JASONDOMAINI\134grp-JASON-rw >> >> >> in your idea, Am I use correct command to set permission? >> >> >> >> >> >> >> On Sunday, December 28, 2014 9:37 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote: >> On 28/12/14 15:48, Jason Long wrote: >>> Thank you so much. >>> Thus I must change "idmap config JASONDOMAIN.JJ:backend = ad " to "idmap config JASONDOMAIN:backend = ad". >>> How about Workgroup? is must change "JASONDOMAIN" too? >>> About your question I must say that I Test this share via Linux too and Windows and Linux has same problem. >>> >>> About "What I would do is, install the OpenSSH server on the linux machine, install 'PUTTY' on a windows machine and try to login via 'PUTTY' and use the SSH protocol." , You mean is that Windows clients use SSH to work with this directory? I want to made this Linux Box as a File server and Windows Clients need graphical browser to copy and paste file into this directory!!!!!!! >>> What is your idea? >>> >>> Thanks. >>> >>> >>> >> I am loosing track here a bit, but if your dns domain is example.com, >> then your windows AD realm should be something like internal.example.com >> and your workgroup/domain name should be INTERNAL, that is, they all >> rely on each other. >> >> So anywhere that you come across these, you should use the relevant one, >> this is the relevant parts from a Unix client on my domain: >> >> [global] >> workgroup = INTERNAL >> security = ADS >> realm = INTERNAL.EXAMPLE.COM >> .......... >> idmap config * : backend = tdb >> idmap config * : range = 2000-9999 >> idmap config INTERNAL : backend = ad >> idmap config INTERNAL : range = 10000-999999 >> idmap config INTERNAL : schema_mode = rfc2307 >> >> As for using 'PUTTY', this was just a way of testing whether you can >> connect to the Unix machine. >> >> >> Rowland > OK, we are getting closer > > right, answers to your questions > 1) I think that you may find that this is also printed 'Could not chdir > to home directory', in which case you will end up in the root of computer. > > 2) Are you running the 'nmbd' daemon ? Even if this is not running you > should be able to navigate to the share by entering the path. Have a > look here: > > https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs > > > Rowland >
Rowland Penny
2014-Dec-31 09:34 UTC
[Samba] Use Samba with ACL for read Active Directory and set Permissions via it.
On 31/12/14 09:17, Jason Long wrote:> Thank you so much but I run below commands on linux : > > > # net rpc rights grant 'jasondomain\Domain Admins' SeDiskOperatorPrivilege -Uadministrator > # net rpc rights list accounts -Uadministrator > > it ask me a password for "administrator: > > Enter administrator's password: > Could not connect to server 127.0.0.1 > Connection failed: NT_STATUS_NO_LOGON_SERVERS > > Must I enter windows administrator password? > > > Thanks. > > > > > > On Monday, December 29, 2014 5:10 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote: > On 29/12/14 12:52, Jason Long wrote: >> Thank you so much. >> >> I did some changes like below : >> >> /dev/mapper/vg_print-lv_root / ext4 user_xattr,acl,defaults 1 1 >> >> >> Then "lsof | grep /dev/mapper/vg_print-lv_root" not have any output. >> I added below lines to [global] section too : >> >> vfs objects = acl_xattr >> map acl inherit = Yes >> store dos attributes = Yes >> >> But about below commands can you tell me more? >> >> net rpc rights grant 'SAMDOM\Domain Admins' SeDiskOperatorPrivilege -Uadministrator >> net rpc rights list accounts -Uadministrator >> >> I hope they are not Dangerous!!!! > No :-) > > The first one gives members of Domain Admins the right to change windows > ACL's on a share > The second list accounts and what rights they have. > >> In the "https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs" , the other steps are in Windows!!! Can I doing via Linux too? >> > Yes, but it is just easier via windows > > Rowland > > >> >> Thanks. >> >> >> >> >> >> On Monday, December 29, 2014 1:59 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote: >> On 29/12/14 06:38, Jason Long wrote: >>> Thank you so much. >>> You right, My realm is "jasondomaini.jasondomain.jj" and I change configure as below : >>> >>> >>> [global] >>> workgroup = JASONDOMAINI >>> server string = Samba Server Version %v >>> # logs split per machine >>> log file = /var/log/samba/log.%m >>> # max 50KB per log file, then rotate >>> max log size = 50 >>> security = ADS >>> realm = JASONDOMAINI.JASONDOMAIN.JJ >>> passdb backend = tdbsam >>> load printers = yes >>> cups options = raw >>> idmap config *:backend = tdb >>> idmap config *:range = 70001-80000 >>> #idmap config SAMDOM:backend = ad >>> idmap config JASONDOMAINI:backend = ad >>> idmap config JASONDOMAINI:schema_mode = rfc2307 >>> idmap config JASONDOMAINI:range = 500-40000 >>> >>> >>> >>> When I use "SSH" on my CentOS and enter "jasondomain\jason", It show me the root partition and I can open "Test" directory But it has two problems : >>> >>> 1- Why it show root partition? >>> 2- I can't browse it via Windows explorer!!! >>> >>> I want to know use AD users in Linux is Hard? >>> >>> In your opinion I used a correct command to set ACL? >>> >>> #getfacl test/ >>> >>> >>> # file: test/ >>> # owner: JASONDOMAINI\134JASON >>> # group: JASONDOMAINI\134grp-JASON-rw >>> user::rwx >>> group::r-x >>> group:JASONDOMAINI\134grp-JASON-rw:rwx >>> mask::rwx >>> other::r-x >>> >>> >>> and in "getent group" it show me below group : >>> >>> JASONDOMAINI\134grp-JASON-rw >>> >>> >>> in your idea, Am I use correct command to set permission? >>> >>> >>> >>> >>> >>> >>> On Sunday, December 28, 2014 9:37 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote: >>> On 28/12/14 15:48, Jason Long wrote: >>>> Thank you so much. >>>> Thus I must change "idmap config JASONDOMAIN.JJ:backend = ad " to "idmap config JASONDOMAIN:backend = ad". >>>> How about Workgroup? is must change "JASONDOMAIN" too? >>>> About your question I must say that I Test this share via Linux too and Windows and Linux has same problem. >>>> >>>> About "What I would do is, install the OpenSSH server on the linux machine, install 'PUTTY' on a windows machine and try to login via 'PUTTY' and use the SSH protocol." , You mean is that Windows clients use SSH to work with this directory? I want to made this Linux Box as a File server and Windows Clients need graphical browser to copy and paste file into this directory!!!!!!! >>>> What is your idea? >>>> >>>> Thanks. >>>> >>>> >>>> >>> I am loosing track here a bit, but if your dns domain is example.com, >>> then your windows AD realm should be something like internal.example.com >>> and your workgroup/domain name should be INTERNAL, that is, they all >>> rely on each other. >>> >>> So anywhere that you come across these, you should use the relevant one, >>> this is the relevant parts from a Unix client on my domain: >>> >>> [global] >>> workgroup = INTERNAL >>> security = ADS >>> realm = INTERNAL.EXAMPLE.COM >>> .......... >>> idmap config * : backend = tdb >>> idmap config * : range = 2000-9999 >>> idmap config INTERNAL : backend = ad >>> idmap config INTERNAL : range = 10000-999999 >>> idmap config INTERNAL : schema_mode = rfc2307 >>> >>> As for using 'PUTTY', this was just a way of testing whether you can >>> connect to the Unix machine. >>> >>> >>> Rowland >> OK, we are getting closer >> >> right, answers to your questions >> 1) I think that you may find that this is also printed 'Could not chdir >> to home directory', in which case you will end up in the root of computer. >> >> 2) Are you running the 'nmbd' daemon ? Even if this is not running you >> should be able to navigate to the share by entering the path. Have a >> look here: >> >> https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs >> >> >> Rowland >>You are trying to run the command on a client, try adding either: -S server name OR -I address of target server where 'server' is the AD DC. Yes, you need to supply the password of the Domain Administrator. Rowland
Jason Long
2014-Dec-31 09:55 UTC
[Samba] Use Samba with ACL for read Active Directory and set Permissions via it.
Thanks. I changed the command as below : #net rpc rights grant 'jasondomain\Domain Admins' SeDiskOperatorPrivilege -U jasondomain\\administrator -I 192.168.1.1 But Got below error : Could not connect to server 192.168.1.1 Connection failed: NT_STATUS_INVALID_WORKSTATION Cheers. On Wednesday, December 31, 2014 1:35 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote: On 31/12/14 09:17, Jason Long wrote:> Thank you so much but I run below commands on linux : > > > # net rpc rights grant 'jasondomain\Domain Admins' SeDiskOperatorPrivilege -Uadministrator > # net rpc rights list accounts -Uadministrator > > it ask me a password for "administrator: > > Enter administrator's password: > Could not connect to server 127.0.0.1 > Connection failed: NT_STATUS_NO_LOGON_SERVERS > > Must I enter windows administrator password? > > > Thanks. > > > > > > On Monday, December 29, 2014 5:10 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote: > On 29/12/14 12:52, Jason Long wrote: >> Thank you so much. >> >> I did some changes like below : >> >> /dev/mapper/vg_print-lv_root / ext4 user_xattr,acl,defaults 1 1 >> >> >> Then "lsof | grep /dev/mapper/vg_print-lv_root" not have any output. >> I added below lines to [global] section too : >> >> vfs objects = acl_xattr >> map acl inherit = Yes >> store dos attributes = Yes >> >> But about below commands can you tell me more? >> >> net rpc rights grant 'SAMDOM\Domain Admins' SeDiskOperatorPrivilege -Uadministrator >> net rpc rights list accounts -Uadministrator >> >> I hope they are not Dangerous!!!! > No :-) > > The first one gives members of Domain Admins the right to change windows > ACL's on a share > The second list accounts and what rights they have. > >> In the "https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs" , the other steps are in Windows!!! Can I doing via Linux too? >> > Yes, but it is just easier via windows > > Rowland > > >> >> Thanks. >> >> >> >> >> >> On Monday, December 29, 2014 1:59 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote: >> On 29/12/14 06:38, Jason Long wrote: >>> Thank you so much. >>> You right, My realm is "jasondomaini.jasondomain.jj" and I change configure as below : >>> >>> >>> [global] >>> workgroup = JASONDOMAINI >>> server string = Samba Server Version %v >>> # logs split per machine >>> log file = /var/log/samba/log.%m >>> # max 50KB per log file, then rotate >>> max log size = 50 >>> security = ADS >>> realm = JASONDOMAINI.JASONDOMAIN.JJ >>> passdb backend = tdbsam >>> load printers = yes >>> cups options = raw >>> idmap config *:backend = tdb >>> idmap config *:range = 70001-80000 >>> #idmap config SAMDOM:backend = ad >>> idmap config JASONDOMAINI:backend = ad >>> idmap config JASONDOMAINI:schema_mode = rfc2307 >>> idmap config JASONDOMAINI:range = 500-40000 >>> >>> >>> >>> When I use "SSH" on my CentOS and enter "jasondomain\jason", It show me the root partition and I can open "Test" directory But it has two problems : >>> >>> 1- Why it show root partition? >>> 2- I can't browse it via Windows explorer!!! >>> >>> I want to know use AD users in Linux is Hard? >>> >>> In your opinion I used a correct command to set ACL? >>> >>> #getfacl test/ >>> >>> >>> # file: test/ >>> # owner: JASONDOMAINI\134JASON >>> # group: JASONDOMAINI\134grp-JASON-rw >>> user::rwx >>> group::r-x >>> group:JASONDOMAINI\134grp-JASON-rw:rwx >>> mask::rwx >>> other::r-x >>> >>> >>> and in "getent group" it show me below group : >>> >>> JASONDOMAINI\134grp-JASON-rw >>> >>> >>> in your idea, Am I use correct command to set permission? >>> >>> >>> >>> >>> >>> >>> On Sunday, December 28, 2014 9:37 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote: >>> On 28/12/14 15:48, Jason Long wrote: >>>> Thank you so much. >>>> Thus I must change "idmap config JASONDOMAIN.JJ:backend = ad " to "idmap config JASONDOMAIN:backend = ad". >>>> How about Workgroup? is must change "JASONDOMAIN" too? >>>> About your question I must say that I Test this share via Linux too and Windows and Linux has same problem. >>>> >>>> About "What I would do is, install the OpenSSH server on the linux machine, install 'PUTTY' on a windows machine and try to login via 'PUTTY' and use the SSH protocol." , You mean is that Windows clients use SSH to work with this directory? I want to made this Linux Box as a File server and Windows Clients need graphical browser to copy and paste file into this directory!!!!!!! >>>> What is your idea? >>>> >>>> Thanks. >>>> >>>> >>>> >>> I am loosing track here a bit, but if your dns domain is example.com, >>> then your windows AD realm should be something like internal.example.com >>> and your workgroup/domain name should be INTERNAL, that is, they all >>> rely on each other. >>> >>> So anywhere that you come across these, you should use the relevant one, >>> this is the relevant parts from a Unix client on my domain: >>> >>> [global] >>> workgroup = INTERNAL >>> security = ADS >>> realm = INTERNAL.EXAMPLE.COM >>> .......... >>> idmap config * : backend = tdb >>> idmap config * : range = 2000-9999 >>> idmap config INTERNAL : backend = ad >>> idmap config INTERNAL : range = 10000-999999 >>> idmap config INTERNAL : schema_mode = rfc2307 >>> >>> As for using 'PUTTY', this was just a way of testing whether you can >>> connect to the Unix machine. >>> >>> >>> Rowland >> OK, we are getting closer >> >> right, answers to your questions >> 1) I think that you may find that this is also printed 'Could not chdir >> to home directory', in which case you will end up in the root of computer. >> >> 2) Are you running the 'nmbd' daemon ? Even if this is not running you >> should be able to navigate to the share by entering the path. Have a >> look here: >> >> https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs >> >> >> Rowland >>You are trying to run the command on a client, try adding either: -S server name OR -I address of target server where 'server' is the AD DC. Yes, you need to supply the password of the Domain Administrator. Rowland -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Maybe Matching Threads
- Use Samba with ACL for read Active Directory and set Permissions via it.
- Use Samba with ACL for read Active Directory and set Permissions via it.
- Use Samba with ACL for read Active Directory and set Permissions via it.
- Use Samba with ACL for read Active Directory and set Permissions via it.
- Use Samba with ACL for read Active Directory and set Permissions via it.