Jason Long
2015-Jan-04 10:17 UTC
[Samba] Use Samba with ACL for read Active Directory and set Permissions via it.
Thanks a lot.
I entered the command and the result is:

Using short domain name -- JASONDOMAINI
Joined 'PRINTMAH' to dns domain 'JASONDOMAIN.JJ'

but after running "net rpc testjoin":

Unable to find a suitable server for domain JASONDOMAINI
Join to domain 'JASONDOMAINI' is not valid: NT_STATUS_UNSUCCESSFUL

I guess I understand what my problem is. I'm really sorry :(.

On Windows I used the "set" command and it shows me:

USERDNSDOMAIN= JASONDOMAIN.JJ
USERDOMAIN= JASONDOMAINI

I guess that I must change "JASONDOMAINI" in the lines below to "JASONDOMAIN":

idmap config JASONDOMAINI : range = 10000-999999
idmap config JASONDOMAINI : schema_mode = rfc2307

Am I right?


On Saturday, January 3, 2015 7:44 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
On 03/01/15 15:08, Jason Long wrote:
> Thank you.
> I used the video below to join my Linux box to the Windows domain:
>
> http://www.youtube.com/watch?v=Y3TFPDT9uic
>
> Please look at this video; I used the instructions in it and the LikeWiseOpen tool.
>
> Cheers.
>
> On Saturday, January 3, 2015 5:45 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
> On 03/01/15 12:38, Jason Long wrote:
>> Thanks.
>>
>> I entered "net ads testjoin" and it shows me:
>>
>> ads_connect: No logon servers
>> Join to domain is not valid: No logon servers
> You are *not* joined to the domain, I suppose this should have been
> asked earlier, but how did you do the domain join ?
>
> Rowland
>
>> If it is incorrect, why can I log in to Linux via a Windows account? As you see, I followed the steps in the video.
>>
>> :(.
>>
>> On Saturday, January 3, 2015 1:13 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>> On 03/01/15 05:41, Jason Long wrote:
>>> Thank you.
>>> The command shows the error below:
>>>
>>> Could not connect to server 192.168.1.1
>>> Connection failed: NT_STATUS_INVALID_WORKSTATION
>>>
>>> :(
>>>
>>> On Wednesday, December 31, 2014 2:05 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>> On 31/12/14 09:55, Jason Long wrote:
>>>> Thanks.
>>>> I changed the command as below:
>>>>
>>>> #net rpc rights grant 'jasondomain\Domain Admins' SeDiskOperatorPrivilege -U jasondomain\\administrator -I 192.168.1.1
>>>>
>>>> But got the error below:
>>>>
>>>> Could not connect to server 192.168.1.1
>>>> Connection failed: NT_STATUS_INVALID_WORKSTATION
>>>>
>>>> Cheers.
>>>>
>>>> On Wednesday, December 31, 2014 1:35 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>>> On 31/12/14 09:17, Jason Long wrote:
>>>>> Thank you so much, but I ran the commands below on Linux:
>>>>>
>>>>> # net rpc rights grant 'jasondomain\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
>>>>> # net rpc rights list accounts -Uadministrator
>>>>>
>>>>> It asks me for a password for "administrator":
>>>>>
>>>>> Enter administrator's password:
>>>>> Could not connect to server 127.0.0.1
>>>>> Connection failed: NT_STATUS_NO_LOGON_SERVERS
>>>>>
>>>>> Must I enter the Windows administrator password?
>>>>>
>>>>> Thanks.
>>>>>
>>>>> On Monday, December 29, 2014 5:10 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>>>> On 29/12/14 12:52, Jason Long wrote:
>>>>>> Thank you so much.
>>>>>>
>>>>>> I made some changes like below:
>>>>>>
>>>>>> /dev/mapper/vg_print-lv_root / ext4 user_xattr,acl,defaults 1 1
>>>>>>
>>>>>> Then "lsof | grep /dev/mapper/vg_print-lv_root" does not have any output.
>>>>>> I added the lines below to the [global] section too:
>>>>>>
>>>>>> vfs objects = acl_xattr
>>>>>> map acl inherit = Yes
>>>>>> store dos attributes = Yes
>>>>>>
>>>>>> But about the commands below, can you tell me more?
>>>>>>
>>>>>> net rpc rights grant 'SAMDOM\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
>>>>>> net rpc rights list accounts -Uadministrator
>>>>>>
>>>>>> I hope they are not dangerous!!!!
>>>>> No :-)
>>>>>
>>>>> The first one gives members of Domain Admins the right to change windows
>>>>> ACL's on a share
>>>>> The second list accounts and what rights they have.
>>>>>
>>>>>> In "https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs", the other steps are in Windows!!! Can I do them via Linux too?
>>>>>>
>>>>> Yes, but it is just easier via windows
>>>>>
>>>>> Rowland
>>>>>
>>>>>> Thanks.
>>>>>>
>>>>>> On Monday, December 29, 2014 1:59 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>>>>> On 29/12/14 06:38, Jason Long wrote:
>>>>>>> Thank you so much.
>>>>>>> You are right, my realm is "jasondomaini.jasondomain.jj" and I changed the configuration as below:
>>>>>>>
>>>>>>> [global]
>>>>>>> workgroup = JASONDOMAINI
>>>>>>> server string = Samba Server Version %v
>>>>>>> # logs split per machine
>>>>>>> log file = /var/log/samba/log.%m
>>>>>>> # max 50KB per log file, then rotate
>>>>>>> max log size = 50
>>>>>>> security = ADS
>>>>>>> realm = JASONDOMAINI.JASONDOMAIN.JJ
>>>>>>> passdb backend = tdbsam
>>>>>>> load printers = yes
>>>>>>> cups options = raw
>>>>>>> idmap config *:backend = tdb
>>>>>>> idmap config *:range = 70001-80000
>>>>>>> #idmap config SAMDOM:backend = ad
>>>>>>> idmap config JASONDOMAINI:backend = ad
>>>>>>> idmap config JASONDOMAINI:schema_mode = rfc2307
>>>>>>> idmap config JASONDOMAINI:range = 500-40000
>>>>>>>
>>>>>>> When I use "SSH" on my CentOS and enter "jasondomain\jason", it shows me the root partition and I can open the "Test" directory, but it has two problems:
>>>>>>>
>>>>>>> 1- Why does it show the root partition?
>>>>>>> 2- I can't browse it via Windows Explorer!!!
>>>>>>>
>>>>>>> I want to know, is using AD users in Linux hard?
>>>>>>>
>>>>>>> In your opinion, did I use a correct command to set the ACL?
>>>>>>>
>>>>>>> #getfacl test/
>>>>>>>
>>>>>>> # file: test/
>>>>>>> # owner: JASONDOMAINI\134JASON
>>>>>>> # group: JASONDOMAINI\134grp-JASON-rw
>>>>>>> user::rwx
>>>>>>> group::r-x
>>>>>>> group:JASONDOMAINI\134grp-JASON-rw:rwx
>>>>>>> mask::rwx
>>>>>>> other::r-x
>>>>>>>
>>>>>>> and in "getent group" it shows me the group below:
>>>>>>>
>>>>>>> JASONDOMAINI\134grp-JASON-rw
>>>>>>>
>>>>>>> In your view, am I using the correct command to set permissions?
>>>>>>>
>>>>>>> On Sunday, December 28, 2014 9:37 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>>>>>> On 28/12/14 15:48, Jason Long wrote:
>>>>>>>> Thank you so much.
>>>>>>>> Thus I must change "idmap config JASONDOMAIN.JJ:backend = ad " to "idmap config JASONDOMAIN:backend = ad".
>>>>>>>> How about Workgroup? Must it change to "JASONDOMAIN" too?
>>>>>>>> About your question I must say that I tested this share via Linux too, and Windows and Linux have the same problem.
>>>>>>>>
>>>>>>>> About "What I would do is, install the OpenSSH server on the linux machine, install 'PUTTY' on a windows machine and try to login via 'PUTTY' and use the SSH protocol.", do you mean that Windows clients use SSH to work with this directory? I want to make this Linux box a file server and Windows clients need a graphical browser to copy and paste files into this directory!!!!!!!
>>>>>>>> What is your idea?
>>>>>>>>
>>>>>>>> Thanks.
>>>>>>>>
>>>>>>> I am losing track here a bit, but if your dns domain is example.com,
>>>>>>> then your windows AD realm should be something like internal.example.com
>>>>>>> and your workgroup/domain name should be INTERNAL, that is, they all
>>>>>>> rely on each other.
>>>>>>>
>>>>>>> So anywhere that you come across these, you should use the relevant one,
>>>>>>> these are the relevant parts from a Unix client on my domain:
>>>>>>>
>>>>>>> [global]
>>>>>>> workgroup = INTERNAL
>>>>>>> security = ADS
>>>>>>> realm = INTERNAL.EXAMPLE.COM
>>>>>>> ..........
>>>>>>> idmap config * : backend = tdb
>>>>>>> idmap config * : range = 2000-9999
>>>>>>> idmap config INTERNAL : backend = ad
>>>>>>> idmap config INTERNAL : range = 10000-999999
>>>>>>> idmap config INTERNAL : schema_mode = rfc2307
>>>>>>>
>>>>>>> As for using 'PUTTY', this was just a way of testing whether you can
>>>>>>> connect to the Unix machine.
>>>>>>>
>>>>>>> Rowland
>>>>>> OK, we are getting closer
>>>>>>
>>>>>> right, answers to your questions
>>>>>> 1) I think that you may find that this is also printed 'Could not chdir
>>>>>> to home directory', in which case you will end up in the root of computer.
>>>>>>
>>>>>> 2) Are you running the 'nmbd' daemon ? Even if this is not running you
>>>>>> should be able to navigate to the share by entering the path. Have a
>>>>>> look here:
>>>>>>
>>>>>> https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs
>>>>>>
>>>>>> Rowland
>>>>>>
>>>> You are trying to run the command on a client, try adding either:
>>>>
>>>> -S server name
>>>>
>>>> OR
>>>>
>>>> -I address of target server
>>>>
>>>> where 'server' is the AD DC.
>>>>
>>>> Yes, you need to supply the password of the Domain Administrator.
>>>>
>>>> Rowland
>>>>
>>> OK, try it like this:
>>>
>>> net rpc rights grant 'Domain Admins' SeDiskOperatorPrivilege -UAdministrator -I 192.168.1.1
>>>
>>> This works for me on a client joined to the domain.
>>>
>>> Rowland
>>>
>> Sounds like something is wrong with the join, what does 'net ads
>> testjoin' return ? You may have to run this command with sudo.
>>
>> Rowland
>>
Sometimes I wonder why all the time is spent on keeping the samba wiki
updated. Likewiseopen was replaced some time ago by PowerBroker Open, I
cannot recommend using either of these, because quite simply, they are
not needed.

Check the following files:

/etc/samba/smb.conf

[global]
workgroup = JASONDOMAINI
security = ADS
realm = JASONDOMAINI.JASONDOMAIN.JJ
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
server string = Samba 4 Client %h
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind expand groups = 4
winbind nss info = rfc2307
winbind refresh tickets = Yes
winbind normalize names = Yes
idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config JASONDOMAINI : backend = ad
idmap config JASONDOMAINI : range = 10000-999999
idmap config JASONDOMAINI : schema_mode = rfc2307
printcap name = cups
cups options = raw
usershare allow guests = yes
domain master = no
local master = no
preferred master = no
os level = 20
map to guest = bad user
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
log level = 6

/etc/krb5.conf

[libdefaults]
default_realm = JASONDOMAINI.JASONDOMAIN.JJ
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes

/etc/resolv.conf

nameserver <your AD DC's ipaddress>
search jasondomaini.jasondomain.jj

If required, alter them to match the above, check that 'hostname'
returns only the hostname of the client, check that 'hostname -f'
returns the FQDN. If either are not correct, fix them.

Remove likewiseopen

Once everything is correct, run the following command:

net ads join -U Administrator@JASONDOMAINI.JASONDOMAIN.JJ

You should be asked for the domain Administrator's password, enter this
and you should join the domain

Rowland
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
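The naming rules Rowland keeps coming back to in this thread (realm equals the domain's DNS name, workgroup equals its NetBIOS name, every `idmap config` entry uses that same NetBIOS name, and the `*` and domain id ranges must not collide) can be checked mechanically before attempting a join. The Python below is an added example, not code from this thread or from the Samba project: it parses the `[global]` section of an smb.conf and compares it with the names the DC actually serves, taken here from the `USERDNSDOMAIN` / `USERDOMAIN` values that `set` printed on the Windows client. The two sample configs are constructed from the values posted in the thread; the "domain range must start above 1000" rule is my own heuristic for keeping AD ids clear of local system accounts, not a Samba requirement.

```python
"""Consistency checks for a Samba AD member's smb.conf [global] section.

Added example, not code from the list thread or from the Samba project.
Rules applied: realm == DNS domain name, workgroup == NetBIOS domain name,
idmap config names == workgroup, '*' and domain ranges disjoint, and the
domain range starting at or above 1000 (an assumption, not a Samba rule).
"""
import re

# matches a normalised key such as "idmap config * : range" or "idmap config dom:backend"
IDMAP_RE = re.compile(r"^idmap config\s*(\S+?)\s*:\s*(\w+)$")


def parse_global(text):
    """Return the [global] key/value pairs; keys lower-cased, spacing normalised."""
    section, conf = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # smb.conf comment lines
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        conf[re.sub(r"\s+", " ", key.lower())] = value
    return conf


def idmap_entries(conf):
    """Group 'idmap config <name> : <option>' keys by name; names upper-cased."""
    entries = {}
    for key, value in conf.items():
        m = IDMAP_RE.match(key)
        if m:
            entries.setdefault(m.group(1).upper(), {})[m.group(2)] = value
    return entries


def parse_range(value):
    """'10000-999999' -> (10000, 999999)."""
    low, high = (int(x) for x in value.split("-", 1))
    return low, high


def check_member(conf, dns_domain, netbios_domain):
    """Return a list of findings; an empty list means the config is consistent.

    dns_domain / netbios_domain are the names the DC really serves, e.g. the
    USERDNSDOMAIN / USERDOMAIN values 'set' prints on a joined Windows host.
    """
    findings = []
    if conf.get("security", "").upper() != "ADS":
        findings.append("security must be ADS for an AD domain member")
    realm = conf.get("realm", "")
    if realm.upper() != dns_domain.upper():
        findings.append(f"realm {realm!r} != DNS domain {dns_domain!r}")
    workgroup = conf.get("workgroup", "")
    if workgroup.upper() != netbios_domain.upper():
        findings.append(f"workgroup {workgroup!r} != NetBIOS domain {netbios_domain!r}")
    entries = idmap_entries(conf)
    dom = workgroup.upper()
    star = entries.get("*", {}).get("range")
    if star is None:
        findings.append("missing 'idmap config * : range'")
    if "range" not in entries.get(dom, {}):
        findings.append(f"no 'idmap config {dom} : range'; idmap names must equal the workgroup")
    else:
        low, high = parse_range(entries[dom]["range"])
        if star is not None:
            slow, shigh = parse_range(star)
            if low <= shigh and slow <= high:           # interval overlap test
                findings.append(f"{dom} range {low}-{high} overlaps '*' range {slow}-{shigh}")
        if low < 1000:                                  # heuristic threshold
            findings.append(f"{dom} range starts at {low}, inside the local system account range")
    for name in entries:
        if name not in ("*", dom):
            findings.append(f"idmap config name {name!r} does not match workgroup {dom!r}")
    return findings


# Constructed from the values posted in the thread (only the relevant keys).
JASON_CONF = """
[global]
workgroup = JASONDOMAINI
security = ADS
realm = JASONDOMAINI.JASONDOMAIN.JJ
idmap config *:backend = tdb
idmap config *:range = 70001-80000
#idmap config SAMDOM:backend = ad
idmap config JASONDOMAINI:backend = ad
idmap config JASONDOMAINI:schema_mode = rfc2307
idmap config JASONDOMAINI:range = 500-40000
"""
ROWLAND_CONF = """
[global]
workgroup = JASONDOMAINI
security = ADS
realm = JASONDOMAINI.JASONDOMAIN.JJ
idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config JASONDOMAINI : backend = ad
idmap config JASONDOMAINI : range = 10000-999999
idmap config JASONDOMAINI : schema_mode = rfc2307
"""

if __name__ == "__main__":
    for label, conf in (("jason", JASON_CONF), ("rowland", ROWLAND_CONF)):
        # "JASONDOMAIN.JJ" / "JASONDOMAINI" are what the Windows client's 'set' reported
        for f in check_member(parse_global(conf), "JASONDOMAIN.JJ", "JASONDOMAINI") or ["ok"]:
            print(f"{label}: {f}")
```

Run against the `set` output from the Windows client, both configs fail on the realm (the DC's DNS name is `JASONDOMAIN.JJ`, not `JASONDOMAINI.JASONDOMAIN.JJ`), and Jason's earlier `500-40000` range is additionally flagged for reaching into the local account space; Rowland's config passes once the realm really is `JASONDOMAINI.JASONDOMAIN.JJ`, which is exactly the question he asks in his next message.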
Rowland Penny
2015-Jan-04 13:00 UTC
[Samba] Use Samba with ACL for read Active Directory and set Permissions via it.
On 04/01/15 10:17, Jason Long wrote:
> Thanks a lot.
> I entered the command and the result is:
>
> Using short domain name -- JASONDOMAINI
> Joined 'PRINTMAH' to dns domain 'JASONDOMAIN.JJ'
>
> but after running "net rpc testjoin":
>
> Unable to find a suitable server for domain JASONDOMAINI
> Join to domain 'JASONDOMAINI' is not valid: NT_STATUS_UNSUCCESSFUL
>
> I guess I understand what my problem is. I'm really sorry :(.
>
> On Windows I used the "set" command and it shows me:
>
> USERDNSDOMAIN= JASONDOMAIN.JJ
> USERDOMAIN= JASONDOMAINI
>
> I guess that I must change "JASONDOMAINI" in the lines below to "JASONDOMAIN":
>
> idmap config JASONDOMAINI : range = 10000-999999
> idmap config JASONDOMAINI : schema_mode = rfc2307
>
> Am I right?
>
>
> On Saturday, January 3, 2015 7:44 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
> On 03/01/15 15:08, Jason Long wrote:
>> Thank you.
>> I used the video below to join my Linux box to the Windows domain:
>>
>> http://www.youtube.com/watch?v=Y3TFPDT9uic
>>
>> Please look at this video; I used the instructions in it and the LikeWiseOpen tool.
>>
>> Cheers.
>>
>> On Saturday, January 3, 2015 5:45 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>> On 03/01/15 12:38, Jason Long wrote:
>>> Thanks.
>>>
>>> I entered "net ads testjoin" and it shows me:
>>>
>>> ads_connect: No logon servers
>>> Join to domain is not valid: No logon servers
>> You are *not* joined to the domain, I suppose this should have been
>> asked earlier, but how did you do the domain join ?
>>
>> Rowland
>>
>>> If it is incorrect, why can I log in to Linux via a Windows account? As you see, I followed the steps in the video.
>>>
>>> :(.
>>>
>>> On Saturday, January 3, 2015 1:13 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>> On 03/01/15 05:41, Jason Long wrote:
>>>> Thank you.
>>>> The command shows the error below:
>>>>
>>>> Could not connect to server 192.168.1.1
>>>> Connection failed: NT_STATUS_INVALID_WORKSTATION
>>>>
>>>> :(
>>>>
>>>> On Wednesday, December 31, 2014 2:05 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>>> On 31/12/14 09:55, Jason Long wrote:
>>>>> Thanks.
>>>>> I changed the command as below:
>>>>>
>>>>> #net rpc rights grant 'jasondomain\Domain Admins' SeDiskOperatorPrivilege -U jasondomain\\administrator -I 192.168.1.1
>>>>>
>>>>> But got the error below:
>>>>>
>>>>> Could not connect to server 192.168.1.1
>>>>> Connection failed: NT_STATUS_INVALID_WORKSTATION
>>>>>
>>>>> Cheers.
>>>>>
>>>>> On Wednesday, December 31, 2014 1:35 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>>>> On 31/12/14 09:17, Jason Long wrote:
>>>>>> Thank you so much, but I ran the commands below on Linux:
>>>>>>
>>>>>> # net rpc rights grant 'jasondomain\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
>>>>>> # net rpc rights list accounts -Uadministrator
>>>>>>
>>>>>> It asks me for a password for "administrator":
>>>>>>
>>>>>> Enter administrator's password:
>>>>>> Could not connect to server 127.0.0.1
>>>>>> Connection failed: NT_STATUS_NO_LOGON_SERVERS
>>>>>>
>>>>>> Must I enter the Windows administrator password?
>>>>>>
>>>>>> Thanks.
>>>>>>
>>>>>> On Monday, December 29, 2014 5:10 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>>>>> On 29/12/14 12:52, Jason Long wrote:
>>>>>>> Thank you so much.
>>>>>>>
>>>>>>> I made some changes like below:
>>>>>>>
>>>>>>> /dev/mapper/vg_print-lv_root / ext4 user_xattr,acl,defaults 1 1
>>>>>>>
>>>>>>> Then "lsof | grep /dev/mapper/vg_print-lv_root" does not have any output.
>>>>>>> I added the lines below to the [global] section too:
>>>>>>>
>>>>>>> vfs objects = acl_xattr
>>>>>>> map acl inherit = Yes
>>>>>>> store dos attributes = Yes
>>>>>>>
>>>>>>> But about the commands below, can you tell me more?
>>>>>>>
>>>>>>> net rpc rights grant 'SAMDOM\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
>>>>>>> net rpc rights list accounts -Uadministrator
>>>>>>>
>>>>>>> I hope they are not dangerous!!!!
>>>>>> No :-)
>>>>>>
>>>>>> The first one gives members of Domain Admins the right to change windows
>>>>>> ACL's on a share
>>>>>> The second list accounts and what rights they have.
>>>>>>
>>>>>>> In "https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs", the other steps are in Windows!!! Can I do them via Linux too?
>>>>>>>
>>>>>> Yes, but it is just easier via windows
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>>>> Thanks.
>>>>>>>
>>>>>>> On Monday, December 29, 2014 1:59 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>>>>>> On 29/12/14 06:38, Jason Long wrote:
>>>>>>>> Thank you so much.
>>>>>>>> You are right, my realm is "jasondomaini.jasondomain.jj" and I changed the configuration as below:
>>>>>>>>
>>>>>>>> [global]
>>>>>>>> workgroup = JASONDOMAINI
>>>>>>>> server string = Samba Server Version %v
>>>>>>>> # logs split per machine
>>>>>>>> log file = /var/log/samba/log.%m
>>>>>>>> # max 50KB per log file, then rotate
>>>>>>>> max log size = 50
>>>>>>>> security = ADS
>>>>>>>> realm = JASONDOMAINI.JASONDOMAIN.JJ
>>>>>>>> passdb backend = tdbsam
>>>>>>>> load printers = yes
>>>>>>>> cups options = raw
>>>>>>>> idmap config *:backend = tdb
>>>>>>>> idmap config *:range = 70001-80000
>>>>>>>> #idmap config SAMDOM:backend = ad
>>>>>>>> idmap config JASONDOMAINI:backend = ad
>>>>>>>> idmap config JASONDOMAINI:schema_mode = rfc2307
>>>>>>>> idmap config JASONDOMAINI:range = 500-40000
>>>>>>>>
>>>>>>>> When I use "SSH" on my CentOS and enter "jasondomain\jason", it shows me the root partition and I can open the "Test" directory, but it has two problems:
>>>>>>>>
>>>>>>>> 1- Why does it show the root partition?
>>>>>>>> 2- I can't browse it via Windows Explorer!!!
>>>>>>>>
>>>>>>>> I want to know, is using AD users in Linux hard?
>>>>>>>>
>>>>>>>> In your opinion, did I use a correct command to set the ACL?
>>>>>>>>
>>>>>>>> #getfacl test/
>>>>>>>>
>>>>>>>> # file: test/
>>>>>>>> # owner: JASONDOMAINI\134JASON
>>>>>>>> # group: JASONDOMAINI\134grp-JASON-rw
>>>>>>>> user::rwx
>>>>>>>> group::r-x
>>>>>>>> group:JASONDOMAINI\134grp-JASON-rw:rwx
>>>>>>>> mask::rwx
>>>>>>>> other::r-x
>>>>>>>>
>>>>>>>> and in "getent group" it shows me the group below:
>>>>>>>>
>>>>>>>> JASONDOMAINI\134grp-JASON-rw
>>>>>>>>
>>>>>>>> In your view, am I using the correct command to set permissions?
>>>>>>>>
>>>>>>>> On Sunday, December 28, 2014 9:37 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>>>>>>> On 28/12/14 15:48, Jason Long wrote:
>>>>>>>>> Thank you so much.
>>>>>>>>> Thus I must change "idmap config JASONDOMAIN.JJ:backend = ad " to "idmap config JASONDOMAIN:backend = ad".
>>>>>>>>> How about Workgroup? Must it change to "JASONDOMAIN" too?
>>>>>>>>> About your question I must say that I tested this share via Linux too, and Windows and Linux have the same problem.
>>>>>>>>>
>>>>>>>>> About "What I would do is, install the OpenSSH server on the linux machine, install 'PUTTY' on a windows machine and try to login via 'PUTTY' and use the SSH protocol.", do you mean that Windows clients use SSH to work with this directory? I want to make this Linux box a file server and Windows clients need a graphical browser to copy and paste files into this directory!!!!!!!
>>>>>>>>> What is your idea?
>>>>>>>>>
>>>>>>>>> Thanks.
>>>>>>>>>
>>>>>>>> I am losing track here a bit, but if your dns domain is example.com,
>>>>>>>> then your windows AD realm should be something like internal.example.com
>>>>>>>> and your workgroup/domain name should be INTERNAL, that is, they all
>>>>>>>> rely on each other.
>>>>>>>>
>>>>>>>> So anywhere that you come across these, you should use the relevant one,
>>>>>>>> these are the relevant parts from a Unix client on my domain:
>>>>>>>>
>>>>>>>> [global]
>>>>>>>> workgroup = INTERNAL
>>>>>>>> security = ADS
>>>>>>>> realm = INTERNAL.EXAMPLE.COM
>>>>>>>> ..........
>>>>>>>> idmap config * : backend = tdb
>>>>>>>> idmap config * : range = 2000-9999
>>>>>>>> idmap config INTERNAL : backend = ad
>>>>>>>> idmap config INTERNAL : range = 10000-999999
>>>>>>>> idmap config INTERNAL : schema_mode = rfc2307
>>>>>>>>
>>>>>>>> As for using 'PUTTY', this was just a way of testing whether you can
>>>>>>>> connect to the Unix machine.
>>>>>>>>
>>>>>>>> Rowland
>>>>>>> OK, we are getting closer
>>>>>>>
>>>>>>> right, answers to your questions
>>>>>>> 1) I think that you may find that this is also printed 'Could not chdir
>>>>>>> to home directory', in which case you will end up in the root of computer.
>>>>>>>
>>>>>>> 2) Are you running the 'nmbd' daemon ? Even if this is not running you
>>>>>>> should be able to navigate to the share by entering the path. Have a
>>>>>>> look here:
>>>>>>>
>>>>>>> https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs
>>>>>>>
>>>>>>> Rowland
>>>>>>>
>>>>> You are trying to run the command on a client, try adding either:
>>>>>
>>>>> -S server name
>>>>>
>>>>> OR
>>>>>
>>>>> -I address of target server
>>>>>
>>>>> where 'server' is the AD DC.
>>>>>
>>>>> Yes, you need to supply the password of the Domain Administrator.
>>>>>
>>>>> Rowland
>>>>>
>>>> OK, try it like this:
>>>>
>>>> net rpc rights grant 'Domain Admins' SeDiskOperatorPrivilege -UAdministrator -I 192.168.1.1
>>>>
>>>> This works for me on a client joined to the domain.
>>>>
>>>> Rowland
>>>>
>>> Sounds like something is wrong with the join, what does 'net ads
>>> testjoin' return ? You may have to run this command with sudo.
>>>
>>> Rowland
>>>
> Sometimes I wonder why all the time is spent on keeping the samba wiki
> updated. Likewiseopen was replaced some time ago by PowerBroker Open, I
> cannot recommend using either of these, because quite simply, they are
> not needed.
>
> Check the following files:
>
> /etc/samba/smb.conf
>
> [global]
> workgroup = JASONDOMAINI
> security = ADS
> realm = JASONDOMAINI.JASONDOMAIN.JJ
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> server string = Samba 4 Client %h
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = yes
> winbind expand groups = 4
> winbind nss info = rfc2307
> winbind refresh tickets = Yes
> winbind normalize names = Yes
> idmap config * : backend = tdb
> idmap config * : range = 2000-9999
> idmap config JASONDOMAINI : backend = ad
> idmap config JASONDOMAINI : range = 10000-999999
> idmap config JASONDOMAINI : schema_mode = rfc2307
> printcap name = cups
> cups options = raw
> usershare allow guests = yes
> domain master = no
> local master = no
> preferred master = no
> os level = 20
> map to guest = bad user
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
> log level = 6
>
> /etc/krb5.conf
>
> [libdefaults]
> default_realm = JASONDOMAINI.JASONDOMAIN.JJ
> dns_lookup_realm = false
> dns_lookup_kdc = true
> ticket_lifetime = 24h
> forwardable = yes
>
> /etc/resolv.conf
>
> nameserver <your AD DC's ipaddress>
> search jasondomaini.jasondomain.jj
>
> If required, alter them to match the above, check that 'hostname'
> returns only the hostname of the client, check that 'hostname -f'
> returns the FQDN. If either are not correct, fix them.
>
> Remove likewiseopen
>
> Once everything is correct, run the following command:
>
> net ads join -U Administrator@JASONDOMAINI.JASONDOMAIN.JJ
>
> You should be asked for the domain Administrator's password, enter this
> and you should join the domain
>
> Rowland
>
What Windows DC are you using ?

What is the realm name * workgroup name on the Windows DC ?

Rowland
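Jason's `getfacl test/` output, quoted earlier in the thread, never gets a direct answer, and the part a file-server admin most often misreads is the `mask::` line: on a POSIX ACL the mask caps the owning group and every named user and group entry, so a `group:...:rwx` entry only grants write if the mask allows it. The Python below is an added example, not code from this thread or from the acl package: it parses long-form `getfacl` text (decoding the `\134` octal escape that getfacl uses for the backslash in names such as `JASONDOMAINI\134grp-JASON-rw`) and computes the rights each entry actually confers. The first sample is a constructed copy of Jason's output; the second is a constructed variant with a narrowed mask to show the capping.

```python
r"""Effective rights from long-form getfacl output.

Added example, not code from the list thread or from the acl package.
POSIX ACL rule applied: the mask entry caps the owning group (group::),
every named group and every named user, but not the owner (user::) or
other. getfacl writes a backslash in a name as the octal escape \134.
"""
import re

OCTAL_ESC = re.compile(r"\\([0-7]{3})")


def unescape(name):
    r"""Decode getfacl's \ooo octal escapes (\134 is a backslash)."""
    return OCTAL_ESC.sub(lambda m: chr(int(m.group(1), 8)), name)


def parse_getfacl(text):
    """Return (header, entries): header maps file/owner/group to names,
    entries is a list of (tag, qualifier, perms) tuples in file order."""
    header, entries = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):                       # "# owner: NAME" lines
            key, _, value = line[1:].partition(":")
            header[key.strip()] = unescape(value.strip())
            continue
        tag, qualifier, perms = line.split(":", 2)
        perms = perms.split("#", 1)[0].strip()         # drop "#effective:" notes
        entries.append((tag, unescape(qualifier), perms))
    return header, entries


def effective_rights(entries):
    """Map (tag, qualifier) -> the permissions actually granted after the mask."""
    mask = next((p for t, _, p in entries if t == "mask"), None)
    rights = {}
    for tag, qualifier, perms in entries:
        if tag == "mask":
            continue
        capped = tag == "group" or (tag == "user" and qualifier != "")
        if mask is not None and capped:
            perms = "".join(c if c != "-" and c in mask else "-" for c in perms)
        rights[(tag, qualifier)] = perms
    return rights


# Constructed copy of the getfacl output posted in the thread.
THREAD_ACL = r"""
# file: test/
# owner: JASONDOMAINI\134JASON
# group: JASONDOMAINI\134grp-JASON-rw
user::rwx
group::r-x
group:JASONDOMAINI\134grp-JASON-rw:rwx
mask::rwx
other::r-x
"""

# Constructed variant: the same ACL after something like 'chmod g-w' narrowed
# the mask, which silently removes the named group's write bit.
NARROW_MASK_ACL = THREAD_ACL.replace("mask::rwx", "mask::r-x")

if __name__ == "__main__":
    for label, text in (("thread", THREAD_ACL), ("narrow mask", NARROW_MASK_ACL)):
        header, entries = parse_getfacl(text)
        for who, perms in effective_rights(entries).items():
            print(f"{label}: {header['file']} {who} -> {perms}")
```

With the mask at `rwx`, as in Jason's output, the `grp-JASON-rw` entry really does grant `rwx`; once the mask drops to `r-x` the same entry line still reads `rwx` but the group is read-only, which is why `getfacl` annotates such entries with `#effective:`. The decoded names also show what `getent group` is returning: the group is `JASONDOMAINI\grp-JASON-rw`, with a literal backslash separating domain and name.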
Rowland Penny
2015-Jan-04 13:10 UTC
[Samba] Use Samba with ACL for read Active Directory and set Permissions via it.
On 04/01/15 13:00, Rowland Penny wrote:> On 04/01/15 10:17, Jason Long wrote: >> Thanks a lot. >> I enter the command and result is : >> >> Using short domain name -- JASONDOMAINI >> Joined 'PRINTMAH' to dns domain 'JASONDOMAIN.JJ' >> but after run "net rpc testjoin" : >> >> Unable to find a suitable server for domain JASONDOMAINI >> Join to domain 'JASONDOMAINI' is not valid: NT_STATUS_UNSUCCESSFUL >> >> I guess I understand what is my problem. I'm really sorry :(. >> >> On Windows OS i used "set" command and it show me : >> >> USERDNSDOMAIN= JASONDOMAIN.JJ >> USERDOMAIN= JASONDOMAINI >> >> I guess that I must change "JASONDOMAINI" in below texts to >> "JASONDOMAIN" : >> >> idmap config JASONDOMAINI : range = 10000-999999 >> idmap config JASONDOMAINI : schema_mode = rfc2307 >> >> Am I right? >> >> >> >> >> On Saturday, January 3, 2015 7:44 AM, Rowland Penny >> <rowlandpenny at googlemail.com> wrote: >> On 03/01/15 15:08, Jason Long wrote: >>> Thank you. >>> I used below videos for join my Linux Box to Windows domain : >>> >>> http://www.youtube.com/watch?v=Y3TFPDT9uic >>> >>> Please look at this video and I used instructions in it and >>> LikeWiseOpen tool. >>> >>> >>> Cheers. >>> >>> >>> >>> On Saturday, January 3, 2015 5:45 AM, Rowland Penny >>> <rowlandpenny at googlemail.com> wrote: >>> On 03/01/15 12:38, Jason Long wrote: >>>> Thanks. >>>> >>>> I enter "net ads testjoin" and it show me : >>>> >>>> ads_connect: No logon servers >>>> Join to domain is not valid: No logon servers >>> You are *not* joined to the domain, I suppose this should have been >>> asked earlier, but how did you do the domain join ? >>> >>> Rowland >>> >>> >>> >>>> If it is incorrect, Why I can Login to Linux via Windows account? >>>> As you see, I followed the steps on Video. >>>> >>>> :(. >>>> >>>> >>>> >>>> On Saturday, January 3, 2015 1:13 AM, Rowland Penny >>>> <rowlandpenny at googlemail.com> wrote: >>>> On 03/01/15 05:41, Jason Long wrote: >>>>> Thank you. 
>>>>> Command show below error : >>>>> >>>>> Could not connect to server 192.168.1.1 >>>>> Connection failed: NT_STATUS_INVALID_WORKSTATION >>>>> >>>>> :( >>>>> >>>>> >>>>> >>>>> On Wednesday, December 31, 2014 2:05 AM, Rowland Penny >>>>> <rowlandpenny at googlemail.com> wrote: >>>>> On 31/12/14 09:55, Jason Long wrote: >>>>>> Thanks. >>>>>> I changed the command as below : >>>>>> >>>>>> #net rpc rights grant 'jasondomain\Domain Admins' >>>>>> SeDiskOperatorPrivilege -U jasondomain\\administrator -I 192.168.1.1 >>>>>> >>>>>> But Got below error : >>>>>> >>>>>> Could not connect to server 192.168.1.1 >>>>>> Connection failed: NT_STATUS_INVALID_WORKSTATION >>>>>> >>>>>> Cheers. >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> On Wednesday, December 31, 2014 1:35 AM, Rowland Penny >>>>>> <rowlandpenny at googlemail.com> wrote: >>>>>> On 31/12/14 09:17, Jason Long wrote: >>>>>>> Thank you so much but I run below commands on linux : >>>>>>> >>>>>>> >>>>>>> # net rpc rights grant 'jasondomain\Domain Admins' >>>>>>> SeDiskOperatorPrivilege -Uadministrator >>>>>>> # net rpc rights list accounts -Uadministrator >>>>>>> >>>>>>> it ask me a password for "administrator: >>>>>>> >>>>>>> Enter administrator's password: >>>>>>> Could not connect to server 127.0.0.1 >>>>>>> Connection failed: NT_STATUS_NO_LOGON_SERVERS >>>>>>> >>>>>>> Must I enter windows administrator password? >>>>>>> >>>>>>> >>>>>>> Thanks. >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> On Monday, December 29, 2014 5:10 AM, Rowland Penny >>>>>>> <rowlandpenny at googlemail.com> wrote: >>>>>>> On 29/12/14 12:52, Jason Long wrote: >>>>>>>> Thank you so much. >>>>>>>> >>>>>>>> I did some changes like below : >>>>>>>> >>>>>>>> /dev/mapper/vg_print-lv_root / ext4 >>>>>>>> user_xattr,acl,defaults 1 1 >>>>>>>> >>>>>>>> >>>>>>>> Then "lsof | grep /dev/mapper/vg_print-lv_root" not have any >>>>>>>> output. 
>>>>>>>> I added below lines to [global] section too : >>>>>>>> >>>>>>>> vfs objects = acl_xattr >>>>>>>> map acl inherit = Yes >>>>>>>> store dos attributes = Yes >>>>>>>> >>>>>>>> But about below commands can you tell me more? >>>>>>>> >>>>>>>> net rpc rights grant 'SAMDOM\Domain Admins' >>>>>>>> SeDiskOperatorPrivilege -Uadministrator >>>>>>>> net rpc rights list accounts -Uadministrator >>>>>>>> >>>>>>>> I hope they are not Dangerous!!!! >>>>>>> No :-) >>>>>>> >>>>>>> The first one gives members of Domain Admins the right to change >>>>>>> windows >>>>>>> ACL's on a share >>>>>>> The second list accounts and what rights they have. >>>>>>> >>>>>>>> In the >>>>>>>> "https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs" >>>>>>>> , the other steps are in Windows!!! Can I doing via Linux too? >>>>>>> Yes, but it is just easier via windows >>>>>>> >>>>>>> Rowland >>>>>>> >>>>>>> >>>>>>>> Thanks. >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> On Monday, December 29, 2014 1:59 AM, Rowland Penny >>>>>>>> <rowlandpenny at googlemail.com> wrote: >>>>>>>> On 29/12/14 06:38, Jason Long wrote: >>>>>>>>> Thank you so much. 
>>>>>>>>> You right, My realm is "jasondomaini.jasondomain.jj" and I >>>>>>>>> change configure as below : >>>>>>>>> >>>>>>>>> >>>>>>>>> [global] >>>>>>>>> workgroup = JASONDOMAINI >>>>>>>>> server string = Samba Server Version %v >>>>>>>>> # logs split per machine >>>>>>>>> log file = /var/log/samba/log.%m >>>>>>>>> # max 50KB per log file, then rotate >>>>>>>>> max log size = 50 >>>>>>>>> security = ADS >>>>>>>>> realm = JASONDOMAINI.JASONDOMAIN.JJ >>>>>>>>> passdb backend = tdbsam >>>>>>>>> load printers = yes >>>>>>>>> cups options = raw >>>>>>>>> idmap config *:backend = tdb >>>>>>>>> idmap config *:range = 70001-80000 >>>>>>>>> #idmap config SAMDOM:backend = ad >>>>>>>>> idmap config JASONDOMAINI:backend = ad >>>>>>>>> idmap config JASONDOMAINI:schema_mode = rfc2307 >>>>>>>>> idmap config JASONDOMAINI:range = 500-40000 >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> When I use "SSH" on my CentOS and enter "jasondomain\jason", >>>>>>>>> It show me the root partition and I can open "Test" directory >>>>>>>>> But it has two problems : >>>>>>>>> >>>>>>>>> 1- Why it show root partition? >>>>>>>>> 2- I can't browse it via Windows explorer!!! >>>>>>>>> >>>>>>>>> I want to know use AD users in Linux is Hard? >>>>>>>>> >>>>>>>>> In your opinion I used a correct command to set ACL? >>>>>>>>> >>>>>>>>> #getfacl test/ >>>>>>>>> >>>>>>>>> >>>>>>>>> # file: test/ >>>>>>>>> # owner: JASONDOMAINI\134JASON >>>>>>>>> # group: JASONDOMAINI\134grp-JASON-rw >>>>>>>>> user::rwx >>>>>>>>> group::r-x >>>>>>>>> group:JASONDOMAINI\134grp-JASON-rw:rwx >>>>>>>>> mask::rwx >>>>>>>>> other::r-x >>>>>>>>> >>>>>>>>> >>>>>>>>> and in "getent group" it show me below group : >>>>>>>>> >>>>>>>>> JASONDOMAINI\134grp-JASON-rw >>>>>>>>> >>>>>>>>> >>>>>>>>> in your idea, Am I use correct command to set permission? 
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Sunday, December 28, 2014 9:37 AM, Rowland Penny
>>>>>>>>> <rowlandpenny at googlemail.com> wrote:
>>>>>>>>> On 28/12/14 15:48, Jason Long wrote:
>>>>>>>>>> Thank you so much.
>>>>>>>>>> Thus I must change "idmap config JASONDOMAIN.JJ:backend = ad
>>>>>>>>>> " to "idmap config JASONDOMAIN:backend = ad".
>>>>>>>>>> How about Workgroup? Must I change it to "JASONDOMAIN" too?
>>>>>>>>>> About your question I must say that I test this share via
>>>>>>>>>> Linux too, and Windows and Linux have the same problem.
>>>>>>>>>>
>>>>>>>>>> About "What I would do is, install the OpenSSH server on the
>>>>>>>>>> linux machine, install 'PUTTY' on a windows machine and try
>>>>>>>>>> to login via 'PUTTY' and use the SSH protocol." , you mean
>>>>>>>>>> that Windows clients use SSH to work with this directory? I
>>>>>>>>>> want to make this Linux Box a File server and Windows
>>>>>>>>>> Clients need a graphical browser to copy and paste files into
>>>>>>>>>> this directory!!!!!!!
>>>>>>>>>> What is your idea?
>>>>>>>>>>
>>>>>>>>>> Thanks.
>>>>>>>>>>
>>>>>>>>> I am losing track here a bit, but if your dns domain is
>>>>>>>>> example.com,
>>>>>>>>> then your windows AD realm should be something like
>>>>>>>>> internal.example.com
>>>>>>>>> and your workgroup/domain name should be INTERNAL, that is,
>>>>>>>>> they all
>>>>>>>>> rely on each other.
>>>>>>>>>
>>>>>>>>> So anywhere that you come across these, you should use the
>>>>>>>>> relevant one,
>>>>>>>>> these are the relevant parts from a Unix client on my domain:
>>>>>>>>>
>>>>>>>>> [global]
>>>>>>>>> workgroup = INTERNAL
>>>>>>>>> security = ADS
>>>>>>>>> realm = INTERNAL.EXAMPLE.COM
>>>>>>>>> ..........
>>>>>>>>> idmap config * : backend = tdb
>>>>>>>>> idmap config * : range = 2000-9999
>>>>>>>>> idmap config INTERNAL : backend = ad
>>>>>>>>> idmap config INTERNAL : range = 10000-999999
>>>>>>>>> idmap config INTERNAL : schema_mode = rfc2307
>>>>>>>>>
>>>>>>>>> As for using 'PUTTY', this was just a way of testing whether
>>>>>>>>> you can
>>>>>>>>> connect to the Unix machine.
>>>>>>>>>
>>>>>>>>> Rowland
>>>>>>>> OK, we are getting closer
>>>>>>>>
>>>>>>>> right, answers to your questions
>>>>>>>> 1) I think that you may find that this is also printed 'Could
>>>>>>>> not chdir
>>>>>>>> to home directory', in which case you will end up in the root
>>>>>>>> of the computer.
>>>>>>>>
>>>>>>>> 2) Are you running the 'nmbd' daemon ? Even if this is not
>>>>>>>> running you
>>>>>>>> should be able to navigate to the share by entering the path.
>>>>>>>> Have a
>>>>>>>> look here:
>>>>>>>>
>>>>>>>> https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs
>>>>>>>>
>>>>>>>> Rowland
>>>>>>>>
>>>>>> You are trying to run the command on a client, try adding either:
>>>>>>
>>>>>> -S server name
>>>>>>
>>>>>> OR
>>>>>>
>>>>>> -I address of target server
>>>>>>
>>>>>> where 'server' is the AD DC.
>>>>>>
>>>>>> Yes, you need to supply the password of the Domain Administrator.
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>> OK, try it like this:
>>>>>
>>>>> net rpc rights grant 'Domain Admins' SeDiskOperatorPrivilege
>>>>> -UAdministrator -I 192.168.1.1
>>>>>
>>>>> This works for me on a client joined to the domain.
>>>>>
>>>>> Rowland
>>>>>
>>>> Sounds like something is wrong with the join, what does 'net ads
>>>> testjoin' return ? You may have to run this command with sudo.
>>>>
>>>> Rowland
>>>>
>> Sometimes I wonder why all the time is spent on keeping the samba wiki
>> updated. Likewiseopen was replaced some time ago by PowerBroker Open, I
>> cannot recommend using either of these, because quite simply, they are
>> not needed.
>>
>> Check the following files:
>>
>> /etc/samba/smb.conf
>>
>> [global]
>> workgroup = JASONDOMAINI
>> security = ADS
>> realm = JASONDOMAINI.JASONDOMAIN.JJ
>> dedicated keytab file = /etc/krb5.keytab
>> kerberos method = secrets and keytab
>> server string = Samba 4 Client %h
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind use default domain = yes
>> winbind expand groups = 4
>> winbind nss info = rfc2307
>> winbind refresh tickets = Yes
>> winbind normalize names = Yes
>> idmap config * : backend = tdb
>> idmap config * : range = 2000-9999
>> idmap config JASONDOMAINI : backend = ad
>> idmap config JASONDOMAINI : range = 10000-999999
>> idmap config JASONDOMAINI : schema_mode = rfc2307
>> printcap name = cups
>> cups options = raw
>> usershare allow guests = yes
>> domain master = no
>> local master = no
>> preferred master = no
>> os level = 20
>> map to guest = bad user
>> vfs objects = acl_xattr
>> map acl inherit = Yes
>> store dos attributes = Yes
>> log level = 6
>>
>> /etc/krb5.conf
>>
>> [libdefaults]
>> default_realm = JASONDOMAINI.JASONDOMAIN.JJ
>> dns_lookup_realm = false
>> dns_lookup_kdc = true
>> ticket_lifetime = 24h
>> forwardable = yes
>>
>> /etc/resolv.conf
>>
>> nameserver <your AD DC's ipaddress>
>> search jasondomaini.jasondomain.jj
>>
>> If required, alter them to match the above, check that 'hostname'
>> returns only the hostname of the client, check that 'hostname -f'
>> returns the FQDN. If either are not correct, fix them.
>>
>> Remove likewiseopen
>>
>> Once everything is correct, run the following command:
>>
>> net ads join -U Administrator@JASONDOMAINI.JASONDOMAIN.JJ
>>
>> You should be asked for the domain Administrator's password, enter this
>> and you should join the domain
>>
>> Rowland
>>
> What Windows DC are you using ?
> What is the realm name * workgroup name on the Windows DC ?
>
> Rowland

oops, that should have been:

What is the realm name & workgroup name on the Windows DC ?

Rowland
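The naming rule Rowland gives above (realm INTERNAL.EXAMPLE.COM, workgroup INTERNAL, and the same label in every `idmap config` line) is easy to get wrong, and the thread shows what happens when the labels drift apart: the join and the idmap lookups fail with unhelpful NT_STATUS errors. The checker below, an added example written for this page and not code from the Samba project or from anyone in the thread, reads an smb.conf and a krb5.conf and reports the mismatches a member server admin would want caught before running `net ads join`: workgroup not matching the realm's first label, an `idmap config` domain label that is not the workgroup, overlapping idmap ranges, and a krb5 `default_realm` that disagrees with smb.conf. The two sample configurations are constructed for the example; the "bad" one mirrors the JASONDOMAIN / JASONDOMAIN.JJ / JASONDOMAINI mix-up discussed above, the "good" one follows the pairing Rowland shows. The first-label rule is a rule of thumb (a NetBIOS domain name may legitimately differ), so it is reported as a finding rather than treated as fatal.

```python
# Consistency check for a Samba AD domain-member smb.conf + krb5.conf.
# Added example; not from the Samba project or the mailing-list thread.
# The sample configs are constructed to mirror the naming mix-up in the thread.
import re

# Constructed "bad" config: the idmap domain label carries the DNS suffix, its
# range overlaps the '*' range, and krb5 default_realm differs from the realm.
BAD_SMB_CONF = """
[global]
   workgroup = JASONDOMAIN
   security = ADS
   realm = JASONDOMAIN.JJ
   idmap config * : backend = tdb
   idmap config * : range = 2000-9999
   idmap config JASONDOMAIN.JJ : backend = ad
   idmap config JASONDOMAIN.JJ : range = 5000-999999
"""
BAD_KRB5_CONF = "[libdefaults]\n   default_realm = JASONDOMAINI.JASONDOMAIN.JJ\n"

# Constructed "good" config: follows the workgroup/realm pairing Rowland describes.
GOOD_SMB_CONF = """
[global]
   workgroup = INTERNAL
   security = ADS
   realm = INTERNAL.EXAMPLE.COM
   idmap config * : backend = tdb
   idmap config * : range = 2000-9999
   idmap config INTERNAL : backend = ad
   idmap config INTERNAL : range = 10000-999999
"""
GOOD_KRB5_CONF = "[libdefaults]\n   default_realm = INTERNAL.EXAMPLE.COM\n"


def parse_ini(text):
    """Minimal smb.conf/krb5.conf reader -> {section: {key: value}}. Keys are
    lower-cased with spaces collapsed: 'idmap config X : range' -> 'idmap config x:range'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = re.sub(r"\s*:\s*", ":", " ".join(key.split()).lower())
        sections[current][key] = value.strip()
    return sections


def parse_range(value):
    """'10000-999999' -> (10000, 999999); None if malformed."""
    m = re.match(r"^(\d+)\s*-\s*(\d+)$", value.strip())
    return (int(m.group(1)), int(m.group(2))) if m else None


def check_member_config(smb_conf, krb5_conf):
    """Return a list of findings; an empty list means the files agree."""
    findings = []
    g = parse_ini(smb_conf).get("global", {})
    workgroup = g.get("workgroup", "").upper()
    realm = g.get("realm", "").upper()
    if g.get("security", "").lower() != "ads":
        findings.append("security must be ADS for an AD domain member")
    if not workgroup or not realm:
        findings.append("workgroup and realm must both be set")
    elif realm.split(".")[0] != workgroup:
        # Rule of thumb from the thread: realm INTERNAL.EXAMPLE.COM pairs with
        # workgroup INTERNAL (a NetBIOS name may legitimately differ, so only warn).
        findings.append(f"workgroup {workgroup} is not the first label of realm {realm}")
    ranges, reported = {}, set()
    for key, value in g.items():
        m = re.match(r"^idmap config ([^:]+):(.+)$", key)
        if not m:
            continue
        domain, option = m.group(1).upper(), m.group(2)
        if domain not in ("*", workgroup) and domain not in reported:
            reported.add(domain)  # report each mismatched domain label once
            findings.append(f"idmap config domain {domain} is not the workgroup {workgroup}")
        if option == "range":
            r = parse_range(value)
            if r is None or r[0] > r[1]:
                findings.append(f"idmap config {domain} : range '{value}' is malformed")
            else:
                ranges[domain] = r
    names = sorted(ranges)  # every idmap range must be disjoint from the others
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (a0, a1), (b0, b1) = ranges[a], ranges[b]
            if a0 <= b1 and b0 <= a1:
                findings.append(f"idmap ranges for {a} and {b} overlap")
    krb = parse_ini(krb5_conf).get("libdefaults", {})
    default_realm = krb.get("default_realm", "").upper()
    if realm and default_realm != realm:
        findings.append(f"krb5.conf default_realm {default_realm} != smb.conf realm {realm}")
    return findings


if __name__ == "__main__":
    for label, smb, krb in (("bad", BAD_SMB_CONF, BAD_KRB5_CONF), ("good", GOOD_SMB_CONF, GOOD_KRB5_CONF)):
        print(label, check_member_config(smb, krb) or ["ok"])
```

On a real member server, replace the constructed strings with the contents of /etc/samba/smb.conf and /etc/krb5.conf and run the script before `net ads join`; an empty findings list does not prove the join will succeed (DNS, time sync and the DC's actual realm still matter, which is why Rowland asks what the DC reports), but a non-empty one points at a configuration that will fail the way the thread describes.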