Jason Long
2014-Dec-31 09:17 UTC
[Samba] Use Samba with ACL for read Active Directory and set Permissions via it.
Thank you so much, but I ran the commands below on Linux:

# net rpc rights grant 'jasondomain\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
# net rpc rights list accounts -Uadministrator

It asks me for a password for "administrator":

Enter administrator's password:
Could not connect to server 127.0.0.1
Connection failed: NT_STATUS_NO_LOGON_SERVERS

Must I enter the Windows administrator password?

Thanks.

On Monday, December 29, 2014 5:10 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
On 29/12/14 12:52, Jason Long wrote:
> Thank you so much.
>
> I made some changes as below:
>
> /dev/mapper/vg_print-lv_root / ext4 user_xattr,acl,defaults 1 1
>
> Then "lsof | grep /dev/mapper/vg_print-lv_root" does not give any output.
> I added the lines below to the [global] section too:
>
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
>
> But can you tell me more about the commands below?
>
> net rpc rights grant 'SAMDOM\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
> net rpc rights list accounts -Uadministrator
>
> I hope they are not dangerous!!!!
No :-)

The first one gives members of Domain Admins the right to change Windows ACLs on a share.
The second lists accounts and what rights they have.

> In "https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs", the other steps are in Windows!!! Can I do them via Linux too?
>
Yes, but it is just easier via Windows.

Rowland

> Thanks.
>
> On Monday, December 29, 2014 1:59 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
> On 29/12/14 06:38, Jason Long wrote:
>> Thank you so much.
>> You are right, my realm is "jasondomaini.jasondomain.jj" and I changed the configuration as below:
>>
>> [global]
>> workgroup = JASONDOMAINI
>> server string = Samba Server Version %v
>> # logs split per machine
>> log file = /var/log/samba/log.%m
>> # max 50KB per log file, then rotate
>> max log size = 50
>> security = ADS
>> realm = JASONDOMAINI.JASONDOMAIN.JJ
>> passdb backend = tdbsam
>> load printers = yes
>> cups options = raw
>> idmap config *:backend = tdb
>> idmap config *:range = 70001-80000
>> #idmap config SAMDOM:backend = ad
>> idmap config JASONDOMAINI:backend = ad
>> idmap config JASONDOMAINI:schema_mode = rfc2307
>> idmap config JASONDOMAINI:range = 500-40000
>>
>> When I use SSH on my CentOS and enter "jasondomain\jason", it shows me the root partition and I can open the "Test" directory, but it has two problems:
>>
>> 1- Why does it show the root partition?
>> 2- I can't browse it via Windows Explorer!!!
>>
>> I want to know: is using AD users in Linux hard?
>>
>> In your opinion, did I use a correct command to set the ACL?
>>
>> #getfacl test/
>>
>> # file: test/
>> # owner: JASONDOMAINI\134JASON
>> # group: JASONDOMAINI\134grp-JASON-rw
>> user::rwx
>> group::r-x
>> group:JASONDOMAINI\134grp-JASON-rw:rwx
>> mask::rwx
>> other::r-x
>>
>> and in "getent group" it shows me the group below:
>>
>> JASONDOMAINI\134grp-JASON-rw
>>
>> In your view, did I use the correct command to set permissions?
>>
>> On Sunday, December 28, 2014 9:37 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>> On 28/12/14 15:48, Jason Long wrote:
>>> Thank you so much.
>>> Thus I must change "idmap config JASONDOMAIN.JJ:backend = ad" to "idmap config JASONDOMAIN:backend = ad".
>>> How about the workgroup? Must I change "JASONDOMAIN" too?
>>> About your question, I must say that I tested this share via Linux too, and Windows and Linux have the same problem.
>>>
>>> About "What I would do is, install the OpenSSH server on the linux machine, install 'PUTTY' on a windows machine and try to login via 'PUTTY' and use the SSH protocol.", do you mean that Windows clients use SSH to work with this directory? I want to make this Linux box a file server, and Windows clients need a graphical browser to copy and paste files into this directory!!!!!!!
>>> What is your idea?
>>>
>>> Thanks.
>>>
>> I am losing track here a bit, but if your dns domain is example.com,
>> then your windows AD realm should be something like internal.example.com
>> and your workgroup/domain name should be INTERNAL, that is, they all
>> rely on each other.
>>
>> So anywhere that you come across these, you should use the relevant one;
>> these are the relevant parts from a Unix client on my domain:
>>
>> [global]
>> workgroup = INTERNAL
>> security = ADS
>> realm = INTERNAL.EXAMPLE.COM
>> ..........
>> idmap config * : backend = tdb
>> idmap config * : range = 2000-9999
>> idmap config INTERNAL : backend = ad
>> idmap config INTERNAL : range = 10000-999999
>> idmap config INTERNAL : schema_mode = rfc2307
>>
>> As for using 'PUTTY', this was just a way of testing whether you can
>> connect to the Unix machine.
>>
>> Rowland
> OK, we are getting closer.
>
> Right, answers to your questions:
> 1) I think that you may find that this is also printed: 'Could not chdir
> to home directory', in which case you will end up in the root of the computer.
>
> 2) Are you running the 'nmbd' daemon? Even if this is not running you
> should be able to navigate to the share by entering the path. Have a
> look here:
>
> https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs
>
> Rowland
Rowland Penny
2014-Dec-31 09:34 UTC
[Samba] Use Samba with ACL for read Active Directory and set Permissions via it.
On 31/12/14 09:17, Jason Long wrote:
> Thank you so much, but I ran the commands below on Linux:
>
> # net rpc rights grant 'jasondomain\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
> # net rpc rights list accounts -Uadministrator
>
> It asks me for a password for "administrator":
>
> Enter administrator's password:
> Could not connect to server 127.0.0.1
> Connection failed: NT_STATUS_NO_LOGON_SERVERS
>
> Must I enter the Windows administrator password?
>
> Thanks.
>
> [...]

You are trying to run the command on a client; try adding either:

-S server name

OR

-I address of target server

where 'server' is the AD DC.

Yes, you need to supply the password of the Domain Administrator.

Rowland
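Without -S or -I, net rpc talks to the local host (the 127.0.0.1 in the error quoted above), so the grant never reached the domain controller. The script below is an added example, not code from the thread or from the Samba project: it wraps the grant with -S pointing at the DC, as Rowland advises, and adds the check a practitioner wants afterwards, parsing the output of "net rpc rights list accounts" to confirm that Domain Admins now holds SeDiskOperatorPrivilege and to list every account that holds it (the right lets its holders change the Windows ACLs on shares, so that list should stay short). The listing it parses is a constructed sample modelled on that command's output format (one blank-line-separated record per account: the account name, then one privilege per line or "No privileges assigned"), with the domain name SAMDOM taken from the wiki command quoted earlier; grant_disk_operator is not run by the self-test because it needs a live DC.

```shell
#!/bin/sh
# Added example, not Samba project code: grant SeDiskOperatorPrivilege against
# the DC (never the local member server) and verify who actually holds it by
# parsing the output of "net rpc rights list accounts".

# grant_disk_operator DC DOMAIN [ADMIN]: the grant from the thread, with -S
# pointing at the domain controller. Needs a live DC, so the self-test does
# not call it.
grant_disk_operator() {
    dc=$1; dom=$2; admin=${3:-administrator}
    net rpc rights grant "$dom\\Domain Admins" SeDiskOperatorPrivilege \
        -S "$dc" -U "$dom\\$admin"
}

# Constructed sample modelled on the output format of
# "net rpc rights list accounts" (not captured from a real DC).
write_sample_listing() {
    cat > "$1" <<'EOF'
BUILTIN\Print Operators
No privileges assigned

BUILTIN\Backup Operators
No privileges assigned

BUILTIN\Administrators
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDiskOperatorPrivilege
SeSecurityPrivilege

SAMDOM\Domain Admins
SeDiskOperatorPrivilege

SAMDOM\Domain Users
No privileges assigned
EOF
}

# has_privilege LISTING ACCOUNT PRIVILEGE: exit 0 if ACCOUNT holds PRIVILEGE.
# ACCOUNT and PRIVILEGE are passed through the environment rather than
# "awk -v", which would interpret the backslash in "SAMDOM\Domain Admins".
has_privilege() {
    ACCT=$2 PRIV=$3 awk 'BEGIN { RS = ""; FS = "\n" }   # one record per account
        $1 == ENVIRON["ACCT"] {
            for (i = 2; i <= NF; i++) if ($i == ENVIRON["PRIV"]) found = 1
        }
        END { exit !found }' "$1"
}

# accounts_with_privilege LISTING PRIVILEGE: print every account holding it,
# the audit to run after the grant.
accounts_with_privilege() {
    PRIV=$2 awk 'BEGIN { RS = ""; FS = "\n" }
        { for (i = 2; i <= NF; i++) if ($i == ENVIRON["PRIV"]) { print $1; break } }' "$1"
}

# verify_grant LISTING DOMAIN: post-grant check; a grant that failed (for
# example a logon the DC rejected) leaves the listing unchanged, and this
# reports it instead of letting you discover it later from Windows.
verify_grant() {
    if has_privilege "$1" "$2\\Domain Admins" SeDiskOperatorPrivilege; then
        echo "OK: $2\\Domain Admins holds SeDiskOperatorPrivilege"
    else
        echo "MISSING: $2\\Domain Admins does not hold SeDiskOperatorPrivilege (grant did not happen)"
        return 1
    fi
}

# Demo on the constructed listing: "sh rights-check.sh --demo". Against a
# real DC, replace the sample with:
#   net rpc rights list accounts -S dc1 -U 'SAMDOM\administrator' > rights.txt
demo() {
    d=$(mktemp -d)
    write_sample_listing "$d/rights.txt"
    verify_grant "$d/rights.txt" SAMDOM
    echo "Accounts holding SeDiskOperatorPrivilege:"
    accounts_with_privilege "$d/rights.txt" SeDiskOperatorPrivilege
    rm -r "$d"
}
if [ "${1:-}" = "--demo" ]; then demo; fi
```

On the sample listing verify_grant reports OK for SAMDOM, and the audit prints BUILTIN\Administrators and SAMDOM\Domain Admins and nothing else. If you ever see Domain Users or an individual account in that list, someone has handed out the right to rewrite share ACLs more widely than the wiki procedure intends.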
Jason Long
2014-Dec-31 09:55 UTC
[Samba] Use Samba with ACL for read Active Directory and set Permissions via it.
Thanks. I changed the command as below:

#net rpc rights grant 'jasondomain\Domain Admins' SeDiskOperatorPrivilege -U jasondomain\\administrator -I 192.168.1.1

But I got the error below:

Could not connect to server 192.168.1.1
Connection failed: NT_STATUS_INVALID_WORKSTATION

Cheers.

On Wednesday, December 31, 2014 1:35 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
On 31/12/14 09:17, Jason Long wrote:
> [...]
> Must I enter the Windows administrator password?
>
You are trying to run the command on a client; try adding either:

-S server name

OR

-I address of target server

where 'server' is the AD DC.

Yes, you need to supply the password of the Domain Administrator.

Rowland

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba