samba - Jan 2015 - Use Samba with ACL for read Active Directory and set Permissions via it.

On 04/01/15 13:00, Rowland Penny wrote:
> On 04/01/15 10:17, Jason Long wrote:
>> Thanks a lot.
>> I enter the command and result is :
>>
>> Using short domain name -- JASONDOMAINI
>> Joined 'PRINTMAH' to dns domain 'JASONDOMAIN.JJ'
>> but after run "net rpc testjoin" :
>>
>> Unable to find a suitable server for domain JASONDOMAINI
>> Join to domain 'JASONDOMAINI' is not valid:
NT_STATUS_UNSUCCESSFUL
>>
>> I guess I understand what is my problem. I'm really sorry :(.
>>
>> On Windows OS i used "set" command and it show me :
>>
>> USERDNSDOMAIN= JASONDOMAIN.JJ
>> USERDOMAIN= JASONDOMAINI
>>
>> I guess that I must change "JASONDOMAINI" in below texts to 
>> "JASONDOMAIN" :
>>
>> idmap config JASONDOMAINI : range = 10000-999999
>> idmap config JASONDOMAINI : schema_mode = rfc2307
>>
>> Am I right?
>>
>>
>>
>>
>> On Saturday, January 3, 2015 7:44 AM, Rowland Penny 
>> <rowlandpenny at googlemail.com> wrote:
>> On 03/01/15 15:08, Jason Long wrote:
>>> Thank you.
>>> I used below videos for join my Linux Box to Windows domain :
>>>
>>> http://www.youtube.com/watch?v=Y3TFPDT9uic
>>>
>>> Please look at this video and I used instructions in it and 
>>> LikeWiseOpen tool.
>>>
>>>
>>> Cheers.
>>>
>>>
>>>
>>> On Saturday, January 3, 2015 5:45 AM, Rowland Penny 
>>> <rowlandpenny at googlemail.com> wrote:
>>> On 03/01/15 12:38, Jason Long wrote:
>>>> Thanks.
>>>>
>>>> I enter "net ads testjoin" and it show me :
>>>>
>>>> ads_connect: No logon servers
>>>> Join to domain is not valid: No logon servers
>>> You are *not* joined to the domain, I suppose this should have been
>>> asked earlier, but how did you do the domain join ?
>>>
>>> Rowland
>>>
>>>
>>>
>>>> If it is incorrect, Why I can Login to Linux via Windows
account?
>>>> As you see, I followed the steps on Video.
>>>>
>>>> :(.
>>>>
>>>>
>>>>
>>>> On Saturday, January 3, 2015 1:13 AM, Rowland Penny 
>>>> <rowlandpenny at googlemail.com> wrote:
>>>> On 03/01/15 05:41, Jason Long wrote:
>>>>> Thank you.
>>>>> Command show below error :
>>>>>
>>>>> Could not connect to server 192.168.1.1
>>>>> Connection failed: NT_STATUS_INVALID_WORKSTATION
>>>>>
>>>>> :(
>>>>>
>>>>>
>>>>>
>>>>> On Wednesday, December 31, 2014 2:05 AM, Rowland Penny 
>>>>> <rowlandpenny at googlemail.com> wrote:
>>>>> On 31/12/14 09:55, Jason Long wrote:
>>>>>> Thanks.
>>>>>> I changed the command as below :
>>>>>>
>>>>>> #net rpc rights grant 'jasondomain\Domain
Admins'
>>>>>> SeDiskOperatorPrivilege -U jasondomain\\administrator
-I 192.168.1.1
>>>>>>
>>>>>> But Got below error :
>>>>>>
>>>>>> Could not connect to server 192.168.1.1
>>>>>> Connection failed: NT_STATUS_INVALID_WORKSTATION
>>>>>>
>>>>>> Cheers.
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Wednesday, December 31, 2014 1:35 AM, Rowland Penny 
>>>>>> <rowlandpenny at googlemail.com> wrote:
>>>>>> On 31/12/14 09:17, Jason Long wrote:
>>>>>>> Thank you so much but I run below commands on linux
:
>>>>>>>
>>>>>>>
>>>>>>> # net rpc rights grant 'jasondomain\Domain
Admins'
>>>>>>> SeDiskOperatorPrivilege -Uadministrator
>>>>>>> # net rpc rights list accounts -Uadministrator
>>>>>>>
>>>>>>> it ask me a password for "administrator:
>>>>>>>
>>>>>>> Enter administrator's password:
>>>>>>> Could not connect to server 127.0.0.1
>>>>>>> Connection failed: NT_STATUS_NO_LOGON_SERVERS
>>>>>>>
>>>>>>> Must I enter windows administrator password?
>>>>>>>
>>>>>>>
>>>>>>> Thanks.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Monday, December 29, 2014 5:10 AM, Rowland Penny
>>>>>>> <rowlandpenny at googlemail.com> wrote:
>>>>>>> On 29/12/14 12:52, Jason Long wrote:
>>>>>>>> Thank you so much.
>>>>>>>>
>>>>>>>> I did some changes like below :
>>>>>>>>
>>>>>>>> /dev/mapper/vg_print-lv_root / ext4    
>>>>>>>> user_xattr,acl,defaults        1 1
>>>>>>>>
>>>>>>>>
>>>>>>>> Then "lsof | grep
/dev/mapper/vg_print-lv_root" not have any
>>>>>>>> output.
>>>>>>>> I added below lines to [global] section too :
>>>>>>>>
>>>>>>>> vfs objects = acl_xattr
>>>>>>>> map acl inherit = Yes
>>>>>>>> store dos attributes = Yes
>>>>>>>>
>>>>>>>> But about below commands can you tell me more?
>>>>>>>>
>>>>>>>> net rpc rights grant 'SAMDOM\Domain
Admins'
>>>>>>>> SeDiskOperatorPrivilege -Uadministrator
>>>>>>>> net rpc rights list accounts -Uadministrator
>>>>>>>>
>>>>>>>> I hope they are not Dangerous!!!!
>>>>>>> No :-)
>>>>>>>
>>>>>>> The first one gives members of Domain Admins the
right to change
>>>>>>> windows
>>>>>>> ACL's on a share
>>>>>>> The second list accounts and what rights they have.
>>>>>>>
>>>>>>>> In the 
>>>>>>>>
"https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs"
>>>>>>>> , the other steps are in Windows!!! Can I doing
via Linux too?
>>>>>>> Yes, but it is just easier via windows
>>>>>>>
>>>>>>> Rowland
>>>>>>>
>>>>>>>
>>>>>>>>   Thanks.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Monday, December 29, 2014 1:59 AM, Rowland
Penny
>>>>>>>> <rowlandpenny at googlemail.com> wrote:
>>>>>>>> On 29/12/14 06:38, Jason Long wrote:
>>>>>>>>> Thank you so much.
>>>>>>>>> You right, My realm is
"jasondomaini.jasondomain.jj"  and I
>>>>>>>>> change configure as below :
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> [global]
>>>>>>>>> workgroup = JASONDOMAINI
>>>>>>>>> server string = Samba Server Version %v
>>>>>>>>> # logs split per machine
>>>>>>>>> log file = /var/log/samba/log.%m
>>>>>>>>> # max 50KB per log file, then rotate
>>>>>>>>> max log size = 50
>>>>>>>>> security = ADS
>>>>>>>>> realm = JASONDOMAINI.JASONDOMAIN.JJ
>>>>>>>>> passdb backend = tdbsam
>>>>>>>>> load printers = yes
>>>>>>>>> cups options = raw
>>>>>>>>> idmap config *:backend = tdb
>>>>>>>>> idmap config *:range = 70001-80000
>>>>>>>>> #idmap config SAMDOM:backend = ad
>>>>>>>>> idmap config JASONDOMAINI:backend = ad
>>>>>>>>> idmap config JASONDOMAINI:schema_mode =
rfc2307
>>>>>>>>> idmap config JASONDOMAINI:range = 500-40000
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> When I use "SSH" on my CentOS and
enter "jasondomain\jason",
>>>>>>>>> It show me the root partition and I can
open "Test" directory
>>>>>>>>> But it has two problems :
>>>>>>>>>
>>>>>>>>> 1- Why it show root partition?
>>>>>>>>> 2- I can't browse it via Windows
explorer!!!
>>>>>>>>>
>>>>>>>>> I want to know use AD users in Linux is
Hard?
>>>>>>>>>
>>>>>>>>> In your opinion I used a correct command to
set ACL?
>>>>>>>>>
>>>>>>>>> #getfacl test/
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> # file: test/
>>>>>>>>> # owner: JASONDOMAINI\134JASON
>>>>>>>>> # group: JASONDOMAINI\134grp-JASON-rw
>>>>>>>>> user::rwx
>>>>>>>>> group::r-x
>>>>>>>>> group:JASONDOMAINI\134grp-JASON-rw:rwx
>>>>>>>>> mask::rwx
>>>>>>>>> other::r-x
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> and in "getent group" it show me
below group :
>>>>>>>>>
>>>>>>>>> JASONDOMAINI\134grp-JASON-rw
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> in your idea, Am I use correct command to
set permission?
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Sunday, December 28, 2014 9:37 AM,
Rowland Penny
>>>>>>>>> <rowlandpenny at googlemail.com>
wrote:
>>>>>>>>> On 28/12/14 15:48, Jason Long wrote:
>>>>>>>>>> Thank you so much.
>>>>>>>>>> Thus I must change "idmap config
JASONDOMAIN.JJ:backend = ad
>>>>>>>>>> " to "idmap config
JASONDOMAIN:backend = ad".
>>>>>>>>>> How about Workgroup? is must change
"JASONDOMAIN" too?
>>>>>>>>>> About your question I must say that I
Test this share via
>>>>>>>>>> Linux too and Windows and Linux has
same problem.
>>>>>>>>>>
>>>>>>>>>> About "What I would do is, install
the OpenSSH server on the
>>>>>>>>>> linux machine, install 'PUTTY'
on a windows machine and try
>>>>>>>>>> to login via 'PUTTY' and use
the SSH protocol." , You mean is
>>>>>>>>>> that Windows clients use SSH to work
with this directory? I
>>>>>>>>>> want to made this Linux Box as a File
server and Windows
>>>>>>>>>> Clients need graphical browser to copy
and paste file into
>>>>>>>>>> this directory!!!!!!!
>>>>>>>>>> What is your idea?
>>>>>>>>>>
>>>>>>>>>> Thanks.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>> I am loosing track here a bit, but if your
dns domain is
>>>>>>>>> example.com,
>>>>>>>>> then your windows AD realm should be
something like
>>>>>>>>> internal.example.com
>>>>>>>>> and your workgroup/domain name should be
INTERNAL, that is,
>>>>>>>>> they all
>>>>>>>>> rely on each other.
>>>>>>>>>
>>>>>>>>> So anywhere that you come across these, you
should use the
>>>>>>>>> relevant one,
>>>>>>>>> this is the relevant parts from a Unix
client on my domain:
>>>>>>>>>
>>>>>>>>> [global]
>>>>>>>>>                  workgroup = INTERNAL
>>>>>>>>>                  security = ADS
>>>>>>>>>                  realm =
INTERNAL.EXAMPLE.COM
>>>>>>>>>                  ..........
>>>>>>>>>                  idmap config * : backend =
tdb
>>>>>>>>>                  idmap config * : range =
2000-9999
>>>>>>>>>                  idmap config INTERNAL :
backend = ad
>>>>>>>>>                  idmap config INTERNAL :
range = 10000-999999
>>>>>>>>>                  idmap config INTERNAL :
schema_mode = rfc2307
>>>>>>>>>
>>>>>>>>> As for using 'PUTTY', this was just
a way of testing whether
>>>>>>>>> you can
>>>>>>>>> connect to the Unix machine.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Rowland
>>>>>>>> OK, we are getting closer
>>>>>>>>
>>>>>>>> right, answers to your questions
>>>>>>>> 1) I think that you may find that this is also
printed 'Could
>>>>>>>> not chdir
>>>>>>>> to home directory', in which case you will
end up in the root
>>>>>>>> of computer.
>>>>>>>>
>>>>>>>> 2) Are you running the 'nmbd' daemon ?
Even if this is not
>>>>>>>> running you
>>>>>>>> should be able to navigate to the share by
entering the path.
>>>>>>>> Have a
>>>>>>>> look here:
>>>>>>>>
>>>>>>>>
https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Rowland
>>>>>>>>
>>>>>> You are trying to run the command on a client, try
adding either:
>>>>>>
>>>>>> -S server name
>>>>>>
>>>>>> OR
>>>>>>
>>>>>> -I address of target server
>>>>>>
>>>>>> where 'server' is the AD DC.
>>>>>>
>>>>>> Yes, you need to supply the password of the Domain
Administrator.
>>>>>>
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>> OK, try it like this:
>>>>>
>>>>> net rpc rights grant 'Domain Admins'
SeDiskOperatorPrivilege
>>>>> -UAdministrator -I 192.168.1.1
>>>>>
>>>>> This works for me on a client joined to the domain.
>>>>>
>>>>>
>>>>> Rowland
>>>>>
>>>> Sounds like something is wrong with the join, what does
'net ads
>>>> testjoin' return ? You may have to run this command with
sudo.
>>>>
>>>>
>>>> Rowland
>>>>
>> Sometimes I wonder why all the time is spent on keeping the samba wiki
>> updated. Likewiseopen was replaced sometime ago by PowerBroker Open, I
>> cannot recommend using either of these, because quite simply, they are
>> not needed.
>>
>> Check the following files:
>>
>> /etc/samba/smb.conf
>>
>> [global]
>>           workgroup = JASONDOMAINI
>>           security = ADS
>>           realm = JASONDOMAINI.JASONDOMAIN.JJ
>>           dedicated keytab file = /etc/krb5.keytab
>>           kerberos method = secrets and keytab
>>           server string = Samba 4 Client %h
>>           winbind enum users = yes
>>           winbind enum groups = yes
>>           winbind use default domain = yes
>>           winbind expand groups = 4
>>           winbind nss info = rfc2307
>>           winbind refresh tickets = Yes
>>           winbind normalize names = Yes
>>           idmap config * : backend = tdb
>>           idmap config * : range = 2000-9999
>>           idmap config JASONDOMAINI : backend  = ad
>>           idmap config JASONDOMAINI : range = 10000-999999
>>           idmap config JASONDOMAINI : schema_mode = rfc2307
>>           printcap name = cups
>>           cups options = raw
>>           usershare allow guests = yes
>>           domain master = no
>>           local master = no
>>           preferred master = no
>>           os level = 20
>>           map to guest = bad user
>>           vfs objects = acl_xattr
>>           map acl inherit = Yes
>>           store dos attributes = Yes
>>           log level = 6
>>
>> /etc/krb5.conf
>>
>> [libdefaults]
>>        default_realm = JASONDOMAINI.JASONDOMAIN.JJ
>>        dns_lookup_realm = false
>>        dns_lookup_kdc = true
>>        ticket_lifetime = 24h
>>        forwardable = yes
>>
>> /etc/resolv.conf
>>
>> nameserver <your AD DC's ipaddress>
>> search jasondomaini.jasondomain.jj
>>
>> If required, alter them to match the above, check that
'hostname'
>> returns only the hostname of the client, check that 'hostname
-f'
>> returns the FQDN. If either are not correct, fix them.
>>
>> Remove likewiseopen
>>
>> Once everything is correct, run the following command:
>>
>> net ads join -U Administrator at JASONDOMAINI.JASONDOMAIN.JJ
>>
>> You should be asked for the domain Administrators password, enter this
>> and you should join the domain
>>
>> Rowland
>>
> What Windows DC are you using ?
> What is the realm name * workgroup name on the Windows DC ?
>
> Rowland
oops, that should have been:

What is the realm name & workgroup name on the Windows DC ?

Rowland

Thanks a lot.
I changed the below lines to correct domain name :

idmap config JASONDOMAIN : range = 10000-999999
idmap config JASONDOMAIN : schema_mode = rfc2307

and after join, the command "net rpc testjoin" show same error :

Unable to find a suitable server for domain JASONDOMAINI
Join to domain 'JASONDOMAINI' is not valid: NT_STATUS_UNSUCCESSFUL

I have an idea and I guess that "/etc/krb5.conf" has some incorrect
options. The file is "

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = JASONDOMAIN.JJ
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = yes
default_keytab_name = /etc/krb5.keytab
default_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
pkinit_kdc_hostname = <DNS>
pkinit_anchors = DIR:/var/lib/pbis/trusted_certs
pkinit_cert_match = &&<EKU>msScLogin<PRINCIPAL>
pkinit_eku_checking = kpServerAuth
pkinit_win2k_require_binding = false
pkinit_identities = PKCS11:/opt/pbis/lib64/libpkcs11.so

[realms]
EXAMPLE.COM = {
kdc = kerberos.example.com
admin_server = kerberos.example.com
}
JASONDOMAIN.JJ = {
auth_to_local =
RULE:[1:$0\$1](^JASONDOMAIN\.JJ\\.*)s/^JASONDOMAIN\.JJ/JASONDOMAINI/
auth_to_local =
RULE:[1:$0\$1](^ADVER\.JASONDOMAIN\.JJ\\.*)s/^ADVER\.JASONDOMAIN\.JJ/ADVER/
auth_to_local = DEFAULT
}

[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
.JASONDOMAIN.JJ = JASONDOMAIN.JJ
.adver.JASONDOMAIN.JJ = ADVER.JASONDOMAIN.JJ
[capaths]
[appdefaults]
pam = {
mappings = JASONDOMAINI\\(.*) $1 at JASONDOMAIN.JJ
forwardable = true
validate = true
}
httpd = {
mappings = JASONDOMAINI\\(.*) $1 at JASONDOMAIN.JJ
reverse_mappings = (.*)@JASONDOMAIN\.JJ JASONDOMAINI\$1
}



What is your idea? I must tell you that after removed LikeWise and configure
manually, I can't login to Linux via Windows AD accounts.


Thanks.
 





On Sunday, January 4, 2015 5:11 AM, Rowland Penny <rowlandpenny at
googlemail.com> wrote:
On 04/01/15 13:00, Rowland Penny wrote:
> On 04/01/15 10:17, Jason Long wrote:
>> Thanks a lot.
>> I enter the command and result is :
>>
>> Using short domain name -- JASONDOMAINI
>> Joined 'PRINTMAH' to dns domain 'JASONDOMAIN.JJ'
>> but after run "net rpc testjoin" :
>>
>> Unable to find a suitable server for domain JASONDOMAINI
>> Join to domain 'JASONDOMAINI' is not valid:
NT_STATUS_UNSUCCESSFUL
>>
>> I guess I understand what is my problem. I'm really sorry :(.
>>
>> On Windows OS i used "set" command and it show me :
>>
>> USERDNSDOMAIN= JASONDOMAIN.JJ
>> USERDOMAIN= JASONDOMAINI
>>
>> I guess that I must change "JASONDOMAINI" in below texts to 
>> "JASONDOMAIN" :
>>
>> idmap config JASONDOMAINI : range = 10000-999999
>> idmap config JASONDOMAINI : schema_mode = rfc2307
>>
>> Am I right?
>>
>>
>>
>>
>> On Saturday, January 3, 2015 7:44 AM, Rowland Penny 
>> <rowlandpenny at googlemail.com> wrote:
>> On 03/01/15 15:08, Jason Long wrote:
>>> Thank you.
>>> I used below videos for join my Linux Box to Windows domain :
>>>
>>> http://www.youtube.com/watch?v=Y3TFPDT9uic
>>>
>>> Please look at this video and I used instructions in it and 
>>> LikeWiseOpen tool.
>>>
>>>
>>> Cheers.
>>>
>>>
>>>
>>> On Saturday, January 3, 2015 5:45 AM, Rowland Penny 
>>> <rowlandpenny at googlemail.com> wrote:
>>> On 03/01/15 12:38, Jason Long wrote:
>>>> Thanks.
>>>>
>>>> I enter "net ads testjoin" and it show me :
>>>>
>>>> ads_connect: No logon servers
>>>> Join to domain is not valid: No logon servers
>>> You are *not* joined to the domain, I suppose this should have been
>>> asked earlier, but how did you do the domain join ?
>>>
>>> Rowland
>>>
>>>
>>>
>>>> If it is incorrect, Why I can Login to Linux via Windows
account?
>>>> As you see, I followed the steps on Video.
>>>>
>>>> :(.
>>>>
>>>>
>>>>
>>>> On Saturday, January 3, 2015 1:13 AM, Rowland Penny 
>>>> <rowlandpenny at googlemail.com> wrote:
>>>> On 03/01/15 05:41, Jason Long wrote:
>>>>> Thank you.
>>>>> Command show below error :
>>>>>
>>>>> Could not connect to server 192.168.1.1
>>>>> Connection failed: NT_STATUS_INVALID_WORKSTATION
>>>>>
>>>>> :(
>>>>>
>>>>>
>>>>>
>>>>> On Wednesday, December 31, 2014 2:05 AM, Rowland Penny 
>>>>> <rowlandpenny at googlemail.com> wrote:
>>>>> On 31/12/14 09:55, Jason Long wrote:
>>>>>> Thanks.
>>>>>> I changed the command as below :
>>>>>>
>>>>>> #net rpc rights grant 'jasondomain\Domain
Admins'
>>>>>> SeDiskOperatorPrivilege -U jasondomain\\administrator
-I 192.168.1.1
>>>>>>
>>>>>> But Got below error :
>>>>>>
>>>>>> Could not connect to server 192.168.1.1
>>>>>> Connection failed: NT_STATUS_INVALID_WORKSTATION
>>>>>>
>>>>>> Cheers.
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Wednesday, December 31, 2014 1:35 AM, Rowland Penny 
>>>>>> <rowlandpenny at googlemail.com> wrote:
>>>>>> On 31/12/14 09:17, Jason Long wrote:
>>>>>>> Thank you so much but I run below commands on linux
:
>>>>>>>
>>>>>>>
>>>>>>> # net rpc rights grant 'jasondomain\Domain
Admins'
>>>>>>> SeDiskOperatorPrivilege -Uadministrator
>>>>>>> # net rpc rights list accounts -Uadministrator
>>>>>>>
>>>>>>> it ask me a password for "administrator:
>>>>>>>
>>>>>>> Enter administrator's password:
>>>>>>> Could not connect to server 127.0.0.1
>>>>>>> Connection failed: NT_STATUS_NO_LOGON_SERVERS
>>>>>>>
>>>>>>> Must I enter windows administrator password?
>>>>>>>
>>>>>>>
>>>>>>> Thanks.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Monday, December 29, 2014 5:10 AM, Rowland Penny
>>>>>>> <rowlandpenny at googlemail.com> wrote:
>>>>>>> On 29/12/14 12:52, Jason Long wrote:
>>>>>>>> Thank you so much.
>>>>>>>>
>>>>>>>> I did some changes like below :
>>>>>>>>
>>>>>>>> /dev/mapper/vg_print-lv_root / ext4    
>>>>>>>> user_xattr,acl,defaults        1 1
>>>>>>>>
>>>>>>>>
>>>>>>>> Then "lsof | grep
/dev/mapper/vg_print-lv_root" not have any
>>>>>>>> output.
>>>>>>>> I added below lines to [global] section too :
>>>>>>>>
>>>>>>>> vfs objects = acl_xattr
>>>>>>>> map acl inherit = Yes
>>>>>>>> store dos attributes = Yes
>>>>>>>>
>>>>>>>> But about below commands can you tell me more?
>>>>>>>>
>>>>>>>> net rpc rights grant 'SAMDOM\Domain
Admins'
>>>>>>>> SeDiskOperatorPrivilege -Uadministrator
>>>>>>>> net rpc rights list accounts -Uadministrator
>>>>>>>>
>>>>>>>> I hope they are not Dangerous!!!!
>>>>>>> No :-)
>>>>>>>
>>>>>>> The first one gives members of Domain Admins the
right to change
>>>>>>> windows
>>>>>>> ACL's on a share
>>>>>>> The second list accounts and what rights they have.
>>>>>>>
>>>>>>>> In the 
>>>>>>>>
"https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs"
>>>>>>>> , the other steps are in Windows!!! Can I doing
via Linux too?
>>>>>>> Yes, but it is just easier via windows
>>>>>>>
>>>>>>> Rowland
>>>>>>>
>>>>>>>
>>>>>>>>   Thanks.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Monday, December 29, 2014 1:59 AM, Rowland
Penny
>>>>>>>> <rowlandpenny at googlemail.com> wrote:
>>>>>>>> On 29/12/14 06:38, Jason Long wrote:
>>>>>>>>> Thank you so much.
>>>>>>>>> You right, My realm is
"jasondomaini.jasondomain.jj"  and I
>>>>>>>>> change configure as below :
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> [global]
>>>>>>>>> workgroup = JASONDOMAINI
>>>>>>>>> server string = Samba Server Version %v
>>>>>>>>> # logs split per machine
>>>>>>>>> log file = /var/log/samba/log.%m
>>>>>>>>> # max 50KB per log file, then rotate
>>>>>>>>> max log size = 50
>>>>>>>>> security = ADS
>>>>>>>>> realm = JASONDOMAINI.JASONDOMAIN.JJ
>>>>>>>>> passdb backend = tdbsam
>>>>>>>>> load printers = yes
>>>>>>>>> cups options = raw
>>>>>>>>> idmap config *:backend = tdb
>>>>>>>>> idmap config *:range = 70001-80000
>>>>>>>>> #idmap config SAMDOM:backend = ad
>>>>>>>>> idmap config JASONDOMAINI:backend = ad
>>>>>>>>> idmap config JASONDOMAINI:schema_mode =
rfc2307
>>>>>>>>> idmap config JASONDOMAINI:range = 500-40000
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> When I use "SSH" on my CentOS and
enter "jasondomain\jason",
>>>>>>>>> It show me the root partition and I can
open "Test" directory
>>>>>>>>> But it has two problems :
>>>>>>>>>
>>>>>>>>> 1- Why it show root partition?
>>>>>>>>> 2- I can't browse it via Windows
explorer!!!
>>>>>>>>>
>>>>>>>>> I want to know use AD users in Linux is
Hard?
>>>>>>>>>
>>>>>>>>> In your opinion I used a correct command to
set ACL?
>>>>>>>>>
>>>>>>>>> #getfacl test/
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> # file: test/
>>>>>>>>> # owner: JASONDOMAINI\134JASON
>>>>>>>>> # group: JASONDOMAINI\134grp-JASON-rw
>>>>>>>>> user::rwx
>>>>>>>>> group::r-x
>>>>>>>>> group:JASONDOMAINI\134grp-JASON-rw:rwx
>>>>>>>>> mask::rwx
>>>>>>>>> other::r-x
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> and in "getent group" it show me
below group :
>>>>>>>>>
>>>>>>>>> JASONDOMAINI\134grp-JASON-rw
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> in your idea, Am I use correct command to
set permission?
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Sunday, December 28, 2014 9:37 AM,
Rowland Penny
>>>>>>>>> <rowlandpenny at googlemail.com>
wrote:
>>>>>>>>> On 28/12/14 15:48, Jason Long wrote:
>>>>>>>>>> Thank you so much.
>>>>>>>>>> Thus I must change "idmap config
JASONDOMAIN.JJ:backend = ad
>>>>>>>>>> " to "idmap config
JASONDOMAIN:backend = ad".
>>>>>>>>>> How about Workgroup? is must change
"JASONDOMAIN" too?
>>>>>>>>>> About your question I must say that I
Test this share via
>>>>>>>>>> Linux too and Windows and Linux has
same problem.
>>>>>>>>>>
>>>>>>>>>> About "What I would do is, install
the OpenSSH server on the
>>>>>>>>>> linux machine, install 'PUTTY'
on a windows machine and try
>>>>>>>>>> to login via 'PUTTY' and use
the SSH protocol." , You mean is
>>>>>>>>>> that Windows clients use SSH to work
with this directory? I
>>>>>>>>>> want to made this Linux Box as a File
server and Windows
>>>>>>>>>> Clients need graphical browser to copy
and paste file into
>>>>>>>>>> this directory!!!!!!!
>>>>>>>>>> What is your idea?
>>>>>>>>>>
>>>>>>>>>> Thanks.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>> I am loosing track here a bit, but if your
dns domain is
>>>>>>>>> example.com,
>>>>>>>>> then your windows AD realm should be
something like
>>>>>>>>> internal.example.com
>>>>>>>>> and your workgroup/domain name should be
INTERNAL, that is,
>>>>>>>>> they all
>>>>>>>>> rely on each other.
>>>>>>>>>
>>>>>>>>> So anywhere that you come across these, you
should use the
>>>>>>>>> relevant one,
>>>>>>>>> this is the relevant parts from a Unix
client on my domain:
>>>>>>>>>
>>>>>>>>> [global]
>>>>>>>>>                  workgroup = INTERNAL
>>>>>>>>>                  security = ADS
>>>>>>>>>                  realm =
INTERNAL.EXAMPLE.COM
>>>>>>>>>                  ..........
>>>>>>>>>                  idmap config * : backend =
tdb
>>>>>>>>>                  idmap config * : range =
2000-9999
>>>>>>>>>                  idmap config INTERNAL :
backend = ad
>>>>>>>>>                  idmap config INTERNAL :
range = 10000-999999
>>>>>>>>>                  idmap config INTERNAL :
schema_mode = rfc2307
>>>>>>>>>
>>>>>>>>> As for using 'PUTTY', this was just
a way of testing whether
>>>>>>>>> you can
>>>>>>>>> connect to the Unix machine.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Rowland
>>>>>>>> OK, we are getting closer
>>>>>>>>
>>>>>>>> right, answers to your questions
>>>>>>>> 1) I think that you may find that this is also
printed 'Could
>>>>>>>> not chdir
>>>>>>>> to home directory', in which case you will
end up in the root
>>>>>>>> of computer.
>>>>>>>>
>>>>>>>> 2) Are you running the 'nmbd' daemon ?
Even if this is not
>>>>>>>> running you
>>>>>>>> should be able to navigate to the share by
entering the path.
>>>>>>>> Have a
>>>>>>>> look here:
>>>>>>>>
>>>>>>>>
https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Rowland
>>>>>>>>
>>>>>> You are trying to run the command on a client, try
adding either:
>>>>>>
>>>>>> -S server name
>>>>>>
>>>>>> OR
>>>>>>
>>>>>> -I address of target server
>>>>>>
>>>>>> where 'server' is the AD DC.
>>>>>>
>>>>>> Yes, you need to supply the password of the Domain
Administrator.
>>>>>>
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>> OK, try it like this:
>>>>>
>>>>> net rpc rights grant 'Domain Admins'
SeDiskOperatorPrivilege
>>>>> -UAdministrator -I 192.168.1.1
>>>>>
>>>>> This works for me on a client joined to the domain.
>>>>>
>>>>>
>>>>> Rowland
>>>>>
>>>> Sounds like something is wrong with the join, what does
'net ads
>>>> testjoin' return ? You may have to run this command with
sudo.
>>>>
>>>>
>>>> Rowland
>>>>
>> Sometimes I wonder why all the time is spent on keeping the samba wiki
>> updated. Likewiseopen was replaced sometime ago by PowerBroker Open, I
>> cannot recommend using either of these, because quite simply, they are
>> not needed.
>>
>> Check the following files:
>>
>> /etc/samba/smb.conf
>>
>> [global]
>>           workgroup = JASONDOMAINI
>>           security = ADS
>>           realm = JASONDOMAINI.JASONDOMAIN.JJ
>>           dedicated keytab file = /etc/krb5.keytab
>>           kerberos method = secrets and keytab
>>           server string = Samba 4 Client %h
>>           winbind enum users = yes
>>           winbind enum groups = yes
>>           winbind use default domain = yes
>>           winbind expand groups = 4
>>           winbind nss info = rfc2307
>>           winbind refresh tickets = Yes
>>           winbind normalize names = Yes
>>           idmap config * : backend = tdb
>>           idmap config * : range = 2000-9999
>>           idmap config JASONDOMAINI : backend  = ad
>>           idmap config JASONDOMAINI : range = 10000-999999
>>           idmap config JASONDOMAINI : schema_mode = rfc2307
>>           printcap name = cups
>>           cups options = raw
>>           usershare allow guests = yes
>>           domain master = no
>>           local master = no
>>           preferred master = no
>>           os level = 20
>>           map to guest = bad user
>>           vfs objects = acl_xattr
>>           map acl inherit = Yes
>>           store dos attributes = Yes
>>           log level = 6
>>
>> /etc/krb5.conf
>>
>> [libdefaults]
>>        default_realm = JASONDOMAINI.JASONDOMAIN.JJ
>>        dns_lookup_realm = false
>>        dns_lookup_kdc = true
>>        ticket_lifetime = 24h
>>        forwardable = yes
>>
>> /etc/resolv.conf
>>
>> nameserver <your AD DC's ipaddress>
>> search jasondomaini.jasondomain.jj
>>
>> If required, alter them to match the above, check that
'hostname'
>> returns only the hostname of the client, check that 'hostname
-f'
>> returns the FQDN. If either are not correct, fix them.
>>
>> Remove likewiseopen
>>
>> Once everything is correct, run the following command:
>>
>> net ads join -U Administrator at JASONDOMAINI.JASONDOMAIN.JJ
>>
>> You should be asked for the domain Administrators password, enter this
>> and you should join the domain
>>
>> Rowland
>>
> What Windows DC are you using ?
> What is the realm name * workgroup name on the Windows DC ?
>
> Rowland
oops, that should have been:


What is the realm name & workgroup name on the Windows DC ?

Rowland

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

On 05/01/15 07:02, Jason Long wrote:
> Thanks a lot.
> I changed the below lines to correct domain name :
>
> idmap config JASONDOMAIN : range = 10000-999999
> idmap config JASONDOMAIN : schema_mode = rfc2307
>
> and after join, the command "net rpc testjoin" show same error :
>
> Unable to find a suitable server for domain JASONDOMAINI
> Join to domain 'JASONDOMAINI' is not valid: NT_STATUS_UNSUCCESSFUL
>
> I have an idea and I guess that "/etc/krb5.conf" has some
incorrect options. The file is "
>
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = JASONDOMAIN.JJ
> dns_lookup_realm = false
> dns_lookup_kdc = true
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = yes
> default_keytab_name = /etc/krb5.keytab
> default_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5
DES-CBC-CRC
> default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5
DES-CBC-CRC
> preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
> pkinit_kdc_hostname = <DNS>
> pkinit_anchors = DIR:/var/lib/pbis/trusted_certs
> pkinit_cert_match = &&<EKU>msScLogin<PRINCIPAL>
> pkinit_eku_checking = kpServerAuth
> pkinit_win2k_require_binding = false
> pkinit_identities = PKCS11:/opt/pbis/lib64/libpkcs11.so
>
> [realms]
> EXAMPLE.COM = {
> kdc = kerberos.example.com
> admin_server = kerberos.example.com
> }
> JASONDOMAIN.JJ = {
> auth_to_local =
RULE:[1:$0\$1](^JASONDOMAIN\.JJ\\.*)s/^JASONDOMAIN\.JJ/JASONDOMAINI/
> auth_to_local =
RULE:[1:$0\$1](^ADVER\.JASONDOMAIN\.JJ\\.*)s/^ADVER\.JASONDOMAIN\.JJ/ADVER/
> auth_to_local = DEFAULT
> }
>
> [domain_realm]
> .example.com = EXAMPLE.COM
> example.com = EXAMPLE.COM
> .JASONDOMAIN.JJ = JASONDOMAIN.JJ
> .adver.JASONDOMAIN.JJ = ADVER.JASONDOMAIN.JJ
> [capaths]
> [appdefaults]
> pam = {
> mappings = JASONDOMAINI\\(.*) $1 at JASONDOMAIN.JJ
> forwardable = true
> validate = true
> }
> httpd = {
> mappings = JASONDOMAINI\\(.*) $1 at JASONDOMAIN.JJ
> reverse_mappings = (.*)@JASONDOMAIN\.JJ JASONDOMAINI\$1
> }
>
>
>
> What is your idea? I must tell you that after removed LikeWise and
configure manually, I can't login to Linux via Windows AD accounts.
>
>
> Thanks.
>   
>
>
>
>
>
> On Sunday, January 4, 2015 5:11 AM, Rowland Penny <rowlandpenny at
googlemail.com> wrote:
> On 04/01/15 13:00, Rowland Penny wrote:
>> On 04/01/15 10:17, Jason Long wrote:
>>> Thanks a lot.
>>> I enter the command and result is :
>>>
>>> Using short domain name -- JASONDOMAINI
>>> Joined 'PRINTMAH' to dns domain 'JASONDOMAIN.JJ'
>>> but after run "net rpc testjoin" :
>>>
>>> Unable to find a suitable server for domain JASONDOMAINI
>>> Join to domain 'JASONDOMAINI' is not valid:
NT_STATUS_UNSUCCESSFUL
>>>
>>> I guess I understand what is my problem. I'm really sorry :(.
>>>
>>> On Windows OS i used "set" command and it show me :
>>>
>>> USERDNSDOMAIN= JASONDOMAIN.JJ
>>> USERDOMAIN= JASONDOMAINI
>>>
>>> I guess that I must change "JASONDOMAINI" in below texts
to
>>> "JASONDOMAIN" :
>>>
>>> idmap config JASONDOMAINI : range = 10000-999999
>>> idmap config JASONDOMAINI : schema_mode = rfc2307
>>>
>>> Am I right?
>>>
>>>
>>>
>>>
>>> On Saturday, January 3, 2015 7:44 AM, Rowland Penny
>>> <rowlandpenny at googlemail.com> wrote:
>>> On 03/01/15 15:08, Jason Long wrote:
>>>> Thank you.
>>>> I used below videos for join my Linux Box to Windows domain :
>>>>
>>>> http://www.youtube.com/watch?v=Y3TFPDT9uic
>>>>
>>>> Please look at this video and I used instructions in it and
>>>> LikeWiseOpen tool.
>>>>
>>>>
>>>> Cheers.
>>>>
>>>>
>>>>
>>>> On Saturday, January 3, 2015 5:45 AM, Rowland Penny
>>>> <rowlandpenny at googlemail.com> wrote:
>>>> On 03/01/15 12:38, Jason Long wrote:
>>>>> Thanks.
>>>>>
>>>>> I enter "net ads testjoin" and it show me :
>>>>>
>>>>> ads_connect: No logon servers
>>>>> Join to domain is not valid: No logon servers
>>>> You are *not* joined to the domain, I suppose this should have
been
>>>> asked earlier, but how did you do the domain join ?
>>>>
>>>> Rowland
>>>>
>>>>
>>>>
>>>>> If it is incorrect, Why I can Login to Linux via Windows
account?
>>>>> As you see, I followed the steps on Video.
>>>>>
>>>>> :(.
>>>>>
>>>>>
>>>>>
>>>>> On Saturday, January 3, 2015 1:13 AM, Rowland Penny
>>>>> <rowlandpenny at googlemail.com> wrote:
>>>>> On 03/01/15 05:41, Jason Long wrote:
>>>>>> Thank you.
>>>>>> Command show below error :
>>>>>>
>>>>>> Could not connect to server 192.168.1.1
>>>>>> Connection failed: NT_STATUS_INVALID_WORKSTATION
>>>>>>
>>>>>> :(
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Wednesday, December 31, 2014 2:05 AM, Rowland Penny
>>>>>> <rowlandpenny at googlemail.com> wrote:
>>>>>> On 31/12/14 09:55, Jason Long wrote:
>>>>>>> Thanks.
>>>>>>> I changed the command as below :
>>>>>>>
>>>>>>> #net rpc rights grant 'jasondomain\Domain
Admins'
>>>>>>> SeDiskOperatorPrivilege -U
jasondomain\\administrator -I 192.168.1.1
>>>>>>>
>>>>>>> But Got below error :
>>>>>>>
>>>>>>> Could not connect to server 192.168.1.1
>>>>>>> Connection failed: NT_STATUS_INVALID_WORKSTATION
>>>>>>>
>>>>>>> Cheers.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Wednesday, December 31, 2014 1:35 AM, Rowland
Penny
>>>>>>> <rowlandpenny at googlemail.com> wrote:
>>>>>>> On 31/12/14 09:17, Jason Long wrote:
>>>>>>>> Thank you so much but I run below commands on
linux :
>>>>>>>>
>>>>>>>>
>>>>>>>> # net rpc rights grant 'jasondomain\Domain
Admins'
>>>>>>>> SeDiskOperatorPrivilege -Uadministrator
>>>>>>>> # net rpc rights list accounts -Uadministrator
>>>>>>>>
>>>>>>>> it ask me a password for "administrator:
>>>>>>>>
>>>>>>>> Enter administrator's password:
>>>>>>>> Could not connect to server 127.0.0.1
>>>>>>>> Connection failed: NT_STATUS_NO_LOGON_SERVERS
>>>>>>>>
>>>>>>>> Must I enter windows administrator password?
>>>>>>>>
>>>>>>>>
>>>>>>>> Thanks.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Monday, December 29, 2014 5:10 AM, Rowland
Penny
>>>>>>>> <rowlandpenny at googlemail.com> wrote:
>>>>>>>> On 29/12/14 12:52, Jason Long wrote:
>>>>>>>>> Thank you so much.
>>>>>>>>>
>>>>>>>>> I did some changes like below :
>>>>>>>>>
>>>>>>>>> /dev/mapper/vg_print-lv_root / ext4
>>>>>>>>> user_xattr,acl,defaults        1 1
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Then "lsof | grep
/dev/mapper/vg_print-lv_root" not have any
>>>>>>>>> output.
>>>>>>>>> I added below lines to [global] section too
:
>>>>>>>>>
>>>>>>>>> vfs objects = acl_xattr
>>>>>>>>> map acl inherit = Yes
>>>>>>>>> store dos attributes = Yes
>>>>>>>>>
>>>>>>>>> But about below commands can you tell me
more?
>>>>>>>>>
>>>>>>>>> net rpc rights grant 'SAMDOM\Domain
Admins'
>>>>>>>>> SeDiskOperatorPrivilege -Uadministrator
>>>>>>>>> net rpc rights list accounts
-Uadministrator
>>>>>>>>>
>>>>>>>>> I hope they are not Dangerous!!!!
>>>>>>>> No :-)
>>>>>>>>
>>>>>>>> The first one gives members of Domain Admins
the right to change
>>>>>>>> windows
>>>>>>>> ACL's on a share
>>>>>>>> The second list accounts and what rights they
have.
>>>>>>>>
>>>>>>>>> In the
>>>>>>>>>
"https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs"
>>>>>>>>> , the other steps are in Windows!!! Can I
doing via Linux too?
>>>>>>>> Yes, but it is just easier via windows
>>>>>>>>
>>>>>>>> Rowland
>>>>>>>>
>>>>>>>>
>>>>>>>>>    Thanks.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Monday, December 29, 2014 1:59 AM,
Rowland Penny
>>>>>>>>> <rowlandpenny at googlemail.com>
wrote:
>>>>>>>>> On 29/12/14 06:38, Jason Long wrote:
>>>>>>>>>> Thank you so much.
>>>>>>>>>> You right, My realm is
"jasondomaini.jasondomain.jj"  and I
>>>>>>>>>> change configure as below :
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> [global]
>>>>>>>>>> workgroup = JASONDOMAINI
>>>>>>>>>> server string = Samba Server Version %v
>>>>>>>>>> # logs split per machine
>>>>>>>>>> log file = /var/log/samba/log.%m
>>>>>>>>>> # max 50KB per log file, then rotate
>>>>>>>>>> max log size = 50
>>>>>>>>>> security = ADS
>>>>>>>>>> realm = JASONDOMAINI.JASONDOMAIN.JJ
>>>>>>>>>> passdb backend = tdbsam
>>>>>>>>>> load printers = yes
>>>>>>>>>> cups options = raw
>>>>>>>>>> idmap config *:backend = tdb
>>>>>>>>>> idmap config *:range = 70001-80000
>>>>>>>>>> #idmap config SAMDOM:backend = ad
>>>>>>>>>> idmap config JASONDOMAINI:backend = ad
>>>>>>>>>> idmap config JASONDOMAINI:schema_mode =
rfc2307
>>>>>>>>>> idmap config JASONDOMAINI:range =
500-40000
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> When I use "SSH" on my CentOS
and enter "jasondomain\jason",
>>>>>>>>>> It show me the root partition and I can
open "Test" directory
>>>>>>>>>> But it has two problems :
>>>>>>>>>>
>>>>>>>>>> 1- Why it show root partition?
>>>>>>>>>> 2- I can't browse it via Windows
explorer!!!
>>>>>>>>>>
>>>>>>>>>> I want to know use AD users in Linux is
Hard?
>>>>>>>>>>
>>>>>>>>>> In your opinion I used a correct
command to set ACL?
>>>>>>>>>>
>>>>>>>>>> #getfacl test/
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> # file: test/
>>>>>>>>>> # owner: JASONDOMAINI\134JASON
>>>>>>>>>> # group: JASONDOMAINI\134grp-JASON-rw
>>>>>>>>>> user::rwx
>>>>>>>>>> group::r-x
>>>>>>>>>> group:JASONDOMAINI\134grp-JASON-rw:rwx
>>>>>>>>>> mask::rwx
>>>>>>>>>> other::r-x
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> and in "getent group" it show
me below group :
>>>>>>>>>>
>>>>>>>>>> JASONDOMAINI\134grp-JASON-rw
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> in your idea, Am I use correct command
to set permission?
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On Sunday, December 28, 2014 9:37 AM,
Rowland Penny
>>>>>>>>>> <rowlandpenny at googlemail.com>
wrote:
>>>>>>>>>> On 28/12/14 15:48, Jason Long wrote:
>>>>>>>>>>> Thank you so much.
>>>>>>>>>>> Thus I must change "idmap
config JASONDOMAIN.JJ:backend = ad
>>>>>>>>>>> " to "idmap config
JASONDOMAIN:backend = ad".
>>>>>>>>>>> How about Workgroup? is must change
"JASONDOMAIN" too?
>>>>>>>>>>> About your question I must say that
I Test this share via
>>>>>>>>>>> Linux too and Windows and Linux has
same problem.
>>>>>>>>>>>
>>>>>>>>>>> About "What I would do is,
install the OpenSSH server on the
>>>>>>>>>>> linux machine, install
'PUTTY' on a windows machine and try
>>>>>>>>>>> to login via 'PUTTY' and
use the SSH protocol." , You mean is
>>>>>>>>>>> that Windows clients use SSH to
work with this directory? I
>>>>>>>>>>> want to made this Linux Box as a
File server and Windows
>>>>>>>>>>> Clients need graphical browser to
copy and paste file into
>>>>>>>>>>> this directory!!!!!!!
>>>>>>>>>>> What is your idea?
>>>>>>>>>>>
>>>>>>>>>>> Thanks.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>> I am loosing track here a bit, but if
your dns domain is
>>>>>>>>>> example.com,
>>>>>>>>>> then your windows AD realm should be
something like
>>>>>>>>>> internal.example.com
>>>>>>>>>> and your workgroup/domain name should
be INTERNAL, that is,
>>>>>>>>>> they all
>>>>>>>>>> rely on each other.
>>>>>>>>>>
>>>>>>>>>> So anywhere that you come across these,
you should use the
>>>>>>>>>> relevant one,
>>>>>>>>>> this is the relevant parts from a Unix
client on my domain:
>>>>>>>>>>
>>>>>>>>>> [global]
>>>>>>>>>>                   workgroup = INTERNAL
>>>>>>>>>>                   security = ADS
>>>>>>>>>>                   realm =
INTERNAL.EXAMPLE.COM
>>>>>>>>>>                   ..........
>>>>>>>>>>                   idmap config * :
backend = tdb
>>>>>>>>>>                   idmap config * :
range = 2000-9999
>>>>>>>>>>                   idmap config INTERNAL
: backend = ad
>>>>>>>>>>                   idmap config INTERNAL
: range = 10000-999999
>>>>>>>>>>                   idmap config INTERNAL
: schema_mode = rfc2307
>>>>>>>>>>
>>>>>>>>>> As for using 'PUTTY', this was
just a way of testing whether
>>>>>>>>>> you can
>>>>>>>>>> connect to the Unix machine.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Rowland
>>>>>>>>> OK, we are getting closer
>>>>>>>>>
>>>>>>>>> right, answers to your questions
>>>>>>>>> 1) I think that you may find that this is
also printed 'Could
>>>>>>>>> not chdir
>>>>>>>>> to home directory', in which case you
will end up in the root
>>>>>>>>> of computer.
>>>>>>>>>
>>>>>>>>> 2) Are you running the 'nmbd'
daemon ? Even if this is not
>>>>>>>>> running you
>>>>>>>>> should be able to navigate to the share by
entering the path.
>>>>>>>>> Have a
>>>>>>>>> look here:
>>>>>>>>>
>>>>>>>>>
https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Rowland
>>>>>>>>>
>>>>>>> You are trying to run the command on a client, try
adding either:
>>>>>>>
>>>>>>> -S server name
>>>>>>>
>>>>>>> OR
>>>>>>>
>>>>>>> -I address of target server
>>>>>>>
>>>>>>> where 'server' is the AD DC.
>>>>>>>
>>>>>>> Yes, you need to supply the password of the Domain
Administrator.
>>>>>>>
>>>>>>>
>>>>>>> Rowland
>>>>>>>
>>>>>> OK, try it like this:
>>>>>>
>>>>>> net rpc rights grant 'Domain Admins'
SeDiskOperatorPrivilege
>>>>>> -UAdministrator -I 192.168.1.1
>>>>>>
>>>>>> This works for me on a client joined to the domain.
>>>>>>
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>> Sounds like something is wrong with the join, what does
'net ads
>>>>> testjoin' return ? You may have to run this command
with sudo.
>>>>>
>>>>>
>>>>> Rowland
>>>>>
>>> Sometimes I wonder why all the time is spent on keeping the samba
wiki
>>> updated. Likewiseopen was replaced sometime ago by PowerBroker
Open, I
>>> cannot recommend using either of these, because quite simply, they
are
>>> not needed.
>>>
>>> Check the following files:
>>>
>>> /etc/samba/smb.conf
>>>
>>> [global]
>>>            workgroup = JASONDOMAINI
>>>            security = ADS
>>>            realm = JASONDOMAINI.JASONDOMAIN.JJ
>>>            dedicated keytab file = /etc/krb5.keytab
>>>            kerberos method = secrets and keytab
>>>            server string = Samba 4 Client %h
>>>            winbind enum users = yes
>>>            winbind enum groups = yes
>>>            winbind use default domain = yes
>>>            winbind expand groups = 4
>>>            winbind nss info = rfc2307
>>>            winbind refresh tickets = Yes
>>>            winbind normalize names = Yes
>>>            idmap config * : backend = tdb
>>>            idmap config * : range = 2000-9999
>>>            idmap config JASONDOMAINI : backend  = ad
>>>            idmap config JASONDOMAINI : range = 10000-999999
>>>            idmap config JASONDOMAINI : schema_mode = rfc2307
>>>            printcap name = cups
>>>            cups options = raw
>>>            usershare allow guests = yes
>>>            domain master = no
>>>            local master = no
>>>            preferred master = no
>>>            os level = 20
>>>            map to guest = bad user
>>>            vfs objects = acl_xattr
>>>            map acl inherit = Yes
>>>            store dos attributes = Yes
>>>            log level = 6
>>>
>>> /etc/krb5.conf
>>>
>>> [libdefaults]
>>>         default_realm = JASONDOMAINI.JASONDOMAIN.JJ
>>>         dns_lookup_realm = false
>>>         dns_lookup_kdc = true
>>>         ticket_lifetime = 24h
>>>         forwardable = yes
>>>
>>> /etc/resolv.conf
>>>
>>> nameserver <your AD DC's ipaddress>
>>> search jasondomaini.jasondomain.jj
>>>
>>> If required, alter them to match the above, check that
'hostname'
>>> returns only the hostname of the client, check that 'hostname
-f'
>>> returns the FQDN. If either are not correct, fix them.
>>>
>>> Remove likewiseopen
>>>
>>> Once everything is correct, run the following command:
>>>
>>> net ads join -U Administrator at JASONDOMAINI.JASONDOMAIN.JJ
>>>
>>> You should be asked for the domain Administrators password, enter
this
>>> and you should join the domain
>>>
>>> Rowland
>>>
>> What Windows DC are you using ?
>> What is the realm name * workgroup name on the Windows DC ?
>>
>> Rowland
> oops, that should have been:
>
>
> What is the realm name & workgroup name on the Windows DC ?
>
> Rowland
>
Hi, will you answer these questions:

What Windows DC are you using ?
What is the realm name on the Windows DC ?
What is the workgroup name on the Windows DC ?

You do not need all of what you have in /etc/krb5.conf, but please 
answer the questions above first.

Rowland