Jason Long
2015-Jan-03 12:38 UTC
[Samba] Use Samba with ACL for read Active Directory and set Permissions via it.
Thanks.

I enter "net ads testjoin" and it show me :

ads_connect: No logon servers
Join to domain is not valid: No logon servers

If it is incorrect, Why I can Login to Linux via Windows account? As you see, I followed the steps on Video.

:(.

On Saturday, January 3, 2015 1:13 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
On 03/01/15 05:41, Jason Long wrote:
> Thank you.
> Command show below error :
>
> Could not connect to server 192.168.1.1
> Connection failed: NT_STATUS_INVALID_WORKSTATION
>
> :(
>
> On Wednesday, December 31, 2014 2:05 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
> On 31/12/14 09:55, Jason Long wrote:
>> Thanks.
>> I changed the command as below :
>>
>> #net rpc rights grant 'jasondomain\Domain Admins' SeDiskOperatorPrivilege -U jasondomain\\administrator -I 192.168.1.1
>>
>> But Got below error :
>>
>> Could not connect to server 192.168.1.1
>> Connection failed: NT_STATUS_INVALID_WORKSTATION
>>
>> Cheers.
>>
>> On Wednesday, December 31, 2014 1:35 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>> On 31/12/14 09:17, Jason Long wrote:
>>> Thank you so much but I run below commands on linux :
>>>
>>> # net rpc rights grant 'jasondomain\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
>>> # net rpc rights list accounts -Uadministrator
>>>
>>> it ask me a password for "administrator:
>>>
>>> Enter administrator's password:
>>> Could not connect to server 127.0.0.1
>>> Connection failed: NT_STATUS_NO_LOGON_SERVERS
>>>
>>> Must I enter windows administrator password?
>>>
>>> Thanks.
>>>
>>> On Monday, December 29, 2014 5:10 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>> On 29/12/14 12:52, Jason Long wrote:
>>>> Thank you so much.
>>>>
>>>> I did some changes like below :
>>>>
>>>> /dev/mapper/vg_print-lv_root / ext4 user_xattr,acl,defaults 1 1
>>>>
>>>> Then "lsof | grep /dev/mapper/vg_print-lv_root" not have any output.
>>>> I added below lines to [global] section too :
>>>>
>>>> vfs objects = acl_xattr
>>>> map acl inherit = Yes
>>>> store dos attributes = Yes
>>>>
>>>> But about below commands can you tell me more?
>>>>
>>>> net rpc rights grant 'SAMDOM\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
>>>> net rpc rights list accounts -Uadministrator
>>>>
>>>> I hope they are not Dangerous!!!!
>>> No :-)
>>>
>>> The first one gives members of Domain Admins the right to change windows
>>> ACL's on a share
>>> The second list accounts and what rights they have.
>>>
>>>> In the "https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs" , the other steps are in Windows!!! Can I doing via Linux too?
>>>>
>>> Yes, but it is just easier via windows
>>>
>>> Rowland
>>>
>>>>
>>>> Thanks.
>>>>
>>>> On Monday, December 29, 2014 1:59 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>>> On 29/12/14 06:38, Jason Long wrote:
>>>>> Thank you so much.
>>>>> You right, My realm is "jasondomaini.jasondomain.jj" and I change configure as below :
>>>>>
>>>>> [global]
>>>>> workgroup = JASONDOMAINI
>>>>> server string = Samba Server Version %v
>>>>> # logs split per machine
>>>>> log file = /var/log/samba/log.%m
>>>>> # max 50KB per log file, then rotate
>>>>> max log size = 50
>>>>> security = ADS
>>>>> realm = JASONDOMAINI.JASONDOMAIN.JJ
>>>>> passdb backend = tdbsam
>>>>> load printers = yes
>>>>> cups options = raw
>>>>> idmap config *:backend = tdb
>>>>> idmap config *:range = 70001-80000
>>>>> #idmap config SAMDOM:backend = ad
>>>>> idmap config JASONDOMAINI:backend = ad
>>>>> idmap config JASONDOMAINI:schema_mode = rfc2307
>>>>> idmap config JASONDOMAINI:range = 500-40000
>>>>>
>>>>> When I use "SSH" on my CentOS and enter "jasondomain\jason", It show me the root partition and I can open "Test" directory But it has two problems :
>>>>>
>>>>> 1- Why it show root partition?
>>>>> 2- I can't browse it via Windows explorer!!!
>>>>>
>>>>> I want to know use AD users in Linux is Hard?
>>>>>
>>>>> In your opinion I used a correct command to set ACL?
>>>>>
>>>>> #getfacl test/
>>>>>
>>>>> # file: test/
>>>>> # owner: JASONDOMAINI\134JASON
>>>>> # group: JASONDOMAINI\134grp-JASON-rw
>>>>> user::rwx
>>>>> group::r-x
>>>>> group:JASONDOMAINI\134grp-JASON-rw:rwx
>>>>> mask::rwx
>>>>> other::r-x
>>>>>
>>>>> and in "getent group" it show me below group :
>>>>>
>>>>> JASONDOMAINI\134grp-JASON-rw
>>>>>
>>>>> in your idea, Am I use correct command to set permission?
>>>>>
>>>>> On Sunday, December 28, 2014 9:37 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>>>> On 28/12/14 15:48, Jason Long wrote:
>>>>>> Thank you so much.
>>>>>> Thus I must change "idmap config JASONDOMAIN.JJ:backend = ad " to "idmap config JASONDOMAIN:backend = ad".
>>>>>> How about Workgroup? is must change "JASONDOMAIN" too?
>>>>>> About your question I must say that I Test this share via Linux too and Windows and Linux has same problem.
>>>>>>
>>>>>> About "What I would do is, install the OpenSSH server on the linux machine, install 'PUTTY' on a windows machine and try to login via 'PUTTY' and use the SSH protocol." , You mean is that Windows clients use SSH to work with this directory? I want to made this Linux Box as a File server and Windows Clients need graphical browser to copy and paste file into this directory!!!!!!!
>>>>>> What is your idea?
>>>>>>
>>>>>> Thanks.
>>>>>>
>>>>> I am losing track here a bit, but if your dns domain is example.com,
>>>>> then your windows AD realm should be something like internal.example.com
>>>>> and your workgroup/domain name should be INTERNAL, that is, they all
>>>>> rely on each other.
>>>>>
>>>>> So anywhere that you come across these, you should use the relevant one,
>>>>> this is the relevant parts from a Unix client on my domain:
>>>>>
>>>>> [global]
>>>>> workgroup = INTERNAL
>>>>> security = ADS
>>>>> realm = INTERNAL.EXAMPLE.COM
>>>>> ..........
>>>>> idmap config * : backend = tdb
>>>>> idmap config * : range = 2000-9999
>>>>> idmap config INTERNAL : backend = ad
>>>>> idmap config INTERNAL : range = 10000-999999
>>>>> idmap config INTERNAL : schema_mode = rfc2307
>>>>>
>>>>> As for using 'PUTTY', this was just a way of testing whether you can
>>>>> connect to the Unix machine.
>>>>>
>>>>> Rowland
>>>> OK, we are getting closer
>>>>
>>>> right, answers to your questions
>>>> 1) I think that you may find that this is also printed 'Could not chdir
>>>> to home directory', in which case you will end up in the root of computer.
>>>>
>>>> 2) Are you running the 'nmbd' daemon ? Even if this is not running you
>>>> should be able to navigate to the share by entering the path. Have a
>>>> look here:
>>>>
>>>> https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs
>>>>
>>>> Rowland
>>>>
>> You are trying to run the command on a client, try adding either:
>>
>> -S server name
>>
>> OR
>>
>> -I address of target server
>>
>> where 'server' is the AD DC.
>>
>> Yes, you need to supply the password of the Domain Administrator.
>>
>> Rowland
>>
> OK, try it like this:
>
> net rpc rights grant 'Domain Admins' SeDiskOperatorPrivilege
> -UAdministrator -I 192.168.1.1
>
> This works for me on a client joined to the domain.
>
> Rowland
>
Sounds like something is wrong with the join, what does 'net ads testjoin' return ? You may have to run this command with sudo.

Rowland
Rowland Penny
2015-Jan-03 13:40 UTC
[Samba] Use Samba with ACL for read Active Directory and set Permissions via it.
On 03/01/15 12:38, Jason Long wrote:
> Thanks.
>
> I enter "net ads testjoin" and it show me :
>
> ads_connect: No logon servers
> Join to domain is not valid: No logon servers

You are *not* joined to the domain, I suppose this should have been asked earlier, but how did you do the domain join ?

Rowland

>
> If it is incorrect, Why I can Login to Linux via Windows account? As you see, I followed the steps on Video.
>
> :(.
>
> On Saturday, January 3, 2015 1:13 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
> On 03/01/15 05:41, Jason Long wrote:
>> Thank you.
>> Command show below error :
>>
>> Could not connect to server 192.168.1.1
>> Connection failed: NT_STATUS_INVALID_WORKSTATION
>>
>> :(
>>
>> On Wednesday, December 31, 2014 2:05 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>> On 31/12/14 09:55, Jason Long wrote:
>>> Thanks.
>>> I changed the command as below :
>>>
>>> #net rpc rights grant 'jasondomain\Domain Admins' SeDiskOperatorPrivilege -U jasondomain\\administrator -I 192.168.1.1
>>>
>>> But Got below error :
>>>
>>> Could not connect to server 192.168.1.1
>>> Connection failed: NT_STATUS_INVALID_WORKSTATION
>>>
>>> Cheers.
>>>
>>> On Wednesday, December 31, 2014 1:35 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>> On 31/12/14 09:17, Jason Long wrote:
>>>> Thank you so much but I run below commands on linux :
>>>>
>>>> # net rpc rights grant 'jasondomain\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
>>>> # net rpc rights list accounts -Uadministrator
>>>>
>>>> it ask me a password for "administrator:
>>>>
>>>> Enter administrator's password:
>>>> Could not connect to server 127.0.0.1
>>>> Connection failed: NT_STATUS_NO_LOGON_SERVERS
>>>>
>>>> Must I enter windows administrator password?
>>>>
>>>> Thanks.
Jason Long
2015-Jan-03 15:08 UTC
[Samba] Use Samba with ACL for read Active Directory and set Permissions via it.
Thank you.
I used below videos for join my Linux Box to Windows domain :

http://www.youtube.com/watch?v=Y3TFPDT9uic

Please look at this video and I used instructions in it and LikeWiseOpen tool.

Cheers.

On Saturday, January 3, 2015 5:45 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
On 03/01/15 12:38, Jason Long wrote:
> Thanks.
>
> I enter "net ads testjoin" and it show me :
>
> ads_connect: No logon servers
> Join to domain is not valid: No logon servers

You are *not* joined to the domain, I suppose this should have been asked earlier, but how did you do the domain join ?

Rowland

>
> If it is incorrect, Why I can Login to Linux via Windows account? As you see, I followed the steps on Video.
>
> :(.
>
> On Saturday, January 3, 2015 1:13 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
> On 03/01/15 05:41, Jason Long wrote:
>> Thank you.
>> Command show below error :
>>
>> Could not connect to server 192.168.1.1
>> Connection failed: NT_STATUS_INVALID_WORKSTATION
>>
>> :(
>>
>> On Wednesday, December 31, 2014 2:05 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>> On 31/12/14 09:55, Jason Long wrote:
>>> Thanks.
>>> I changed the command as below :
>>>
>>> #net rpc rights grant 'jasondomain\Domain Admins' SeDiskOperatorPrivilege -U jasondomain\\administrator -I 192.168.1.1
>>>
>>> But Got below error :
>>>
>>> Could not connect to server 192.168.1.1
>>> Connection failed: NT_STATUS_INVALID_WORKSTATION
>>>
>>> Cheers.
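The naming rule from Rowland's quoted replies (workgroup, realm and the `idmap config` domain must agree), together with Samba's requirement that idmap ranges do not overlap, can be checked mechanically before a join is attempted. This is an added example, not code from the thread or from Samba: the function names and `BROKEN_CONF` are constructed for illustration, and treating the workgroup as the first label of the realm follows the convention described in the thread.

```python
import re

# The [global] section posted in the thread, reduced to the relevant keys.
THREAD_CONF = """
[global]
    workgroup = JASONDOMAINI
    security = ADS
    realm = JASONDOMAINI.JASONDOMAIN.JJ
    idmap config *:backend = tdb
    idmap config *:range = 70001-80000
    #idmap config SAMDOM:backend = ad
    idmap config JASONDOMAINI:backend = ad
    idmap config JASONDOMAINI:schema_mode = rfc2307
    idmap config JASONDOMAINI:range = 500-40000
"""

# Constructed counter-example: the idmap block is named after the realm
# instead of the workgroup, and its range collides with the default range.
BROKEN_CONF = """
[global]
    workgroup = JASONDOMAIN
    security = ADS
    realm = JASONDOMAIN.JJ
    idmap config * : backend = tdb
    idmap config * : range = 2000-9999
    idmap config JASONDOMAIN.JJ : backend = ad
    idmap config JASONDOMAIN.JJ : range = 5000-40000
"""


def parse_global(text):
    """Return the [global] parameters; names ignore case and spacing."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            key = re.sub(r"\s*:\s*", ":", " ".join(key.lower().split()))
            params[key] = value.strip()
    return params


def check_member_config(text):
    """Return a list of problems in an AD member's [global] section."""
    p = parse_global(text)
    problems, domains, ranges = [], set(), []
    workgroup = p.get("workgroup", "").upper()
    realm = p.get("realm", "").upper()
    if p.get("security", "").upper() != "ADS":
        problems.append("security is not ADS")
    if realm.split(".")[0] != workgroup:
        problems.append(f"workgroup {workgroup} is not the first label of realm {realm}")
    for key, value in p.items():
        m = re.fullmatch(r"idmap config (.+?):(.+)", key)
        if not m:
            continue
        domain = m.group(1).upper()
        domains.add(domain)
        if m.group(2) == "range":
            r = re.fullmatch(r"(\d+)\s*-\s*(\d+)", value)
            if r:
                ranges.append((int(r.group(1)), int(r.group(2)), domain))
            else:
                problems.append(f"idmap config {domain} has a malformed range")
    if workgroup not in domains:
        problems.append(f"no 'idmap config {workgroup}:' block for the workgroup")
    # Overlapping ranges would map different accounts to the same uid/gid,
    # so file ACLs would apply to the wrong identity.
    ranges.sort()
    for (_, high, a), (low, _, b) in zip(ranges, ranges[1:]):
        if low <= high:
            problems.append(f"idmap ranges for {a} and {b} overlap")
    return problems


if __name__ == "__main__":
    for name, conf in (("thread", THREAD_CONF), ("broken", BROKEN_CONF)):
        print(name, check_member_config(conf) or "consistent")
```

A clean result only means the file is internally consistent; whether the machine account actually exists in the domain is what `net ads testjoin` reports.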