Rowland Penny
2015-Jan-04 13:10 UTC
[Samba] Use Samba with ACL for read Active Directory and set Permissions via it.
On 04/01/15 13:00, Rowland Penny wrote:
> On 04/01/15 10:17, Jason Long wrote:
>> Thanks a lot.
>> I enter the command and the result is :
>>
>> Using short domain name -- JASONDOMAINI
>> Joined 'PRINTMAH' to dns domain 'JASONDOMAIN.JJ'
>>
>> but after running "net rpc testjoin" :
>>
>> Unable to find a suitable server for domain JASONDOMAINI
>> Join to domain 'JASONDOMAINI' is not valid: NT_STATUS_UNSUCCESSFUL
>>
>> I guess I understand what my problem is. I'm really sorry :(.
>>
>> On Windows OS I used the "set" command and it shows me :
>>
>> USERDNSDOMAIN= JASONDOMAIN.JJ
>> USERDOMAIN= JASONDOMAINI
>>
>> I guess that I must change "JASONDOMAINI" in the below lines to
>> "JASONDOMAIN" :
>>
>> idmap config JASONDOMAINI : range = 10000-999999
>> idmap config JASONDOMAINI : schema_mode = rfc2307
>>
>> Am I right?
>>
>> On Saturday, January 3, 2015 7:44 AM, Rowland Penny
>> <rowlandpenny at googlemail.com> wrote:
>> On 03/01/15 15:08, Jason Long wrote:
>>> Thank you.
>>> I used the below video to join my Linux box to the Windows domain :
>>>
>>> http://www.youtube.com/watch?v=Y3TFPDT9uic
>>>
>>> Please look at this video; I used the instructions in it and the
>>> LikeWiseOpen tool.
>>>
>>> Cheers.
>>>
>>> On Saturday, January 3, 2015 5:45 AM, Rowland Penny
>>> <rowlandpenny at googlemail.com> wrote:
>>> On 03/01/15 12:38, Jason Long wrote:
>>>> Thanks.
>>>>
>>>> I enter "net ads testjoin" and it shows me :
>>>>
>>>> ads_connect: No logon servers
>>>> Join to domain is not valid: No logon servers
>>> You are *not* joined to the domain, I suppose this should have been
>>> asked earlier, but how did you do the domain join ?
>>>
>>> Rowland
>>>
>>>> If it is incorrect, why can I login to Linux via a Windows account?
>>>> As you see, I followed the steps in the video.
>>>>
>>>> :(.
>>>>
>>>> On Saturday, January 3, 2015 1:13 AM, Rowland Penny
>>>> <rowlandpenny at googlemail.com> wrote:
>>>> On 03/01/15 05:41, Jason Long wrote:
>>>>> Thank you.
>>>>> The command shows the below error :
>>>>>
>>>>> Could not connect to server 192.168.1.1
>>>>> Connection failed: NT_STATUS_INVALID_WORKSTATION
>>>>>
>>>>> :(
>>>>>
>>>>> On Wednesday, December 31, 2014 2:05 AM, Rowland Penny
>>>>> <rowlandpenny at googlemail.com> wrote:
>>>>> On 31/12/14 09:55, Jason Long wrote:
>>>>>> Thanks.
>>>>>> I changed the command as below :
>>>>>>
>>>>>> #net rpc rights grant 'jasondomain\Domain Admins' SeDiskOperatorPrivilege -U jasondomain\\administrator -I 192.168.1.1
>>>>>>
>>>>>> But got the below error :
>>>>>>
>>>>>> Could not connect to server 192.168.1.1
>>>>>> Connection failed: NT_STATUS_INVALID_WORKSTATION
>>>>>>
>>>>>> Cheers.
>>>>>>
>>>>>> On Wednesday, December 31, 2014 1:35 AM, Rowland Penny
>>>>>> <rowlandpenny at googlemail.com> wrote:
>>>>>> On 31/12/14 09:17, Jason Long wrote:
>>>>>>> Thank you so much, but I ran the below commands on Linux :
>>>>>>>
>>>>>>> # net rpc rights grant 'jasondomain\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
>>>>>>> # net rpc rights list accounts -Uadministrator
>>>>>>>
>>>>>>> It asks me for a password for "administrator":
>>>>>>>
>>>>>>> Enter administrator's password:
>>>>>>> Could not connect to server 127.0.0.1
>>>>>>> Connection failed: NT_STATUS_NO_LOGON_SERVERS
>>>>>>>
>>>>>>> Must I enter the Windows administrator password?
>>>>>>>
>>>>>>> Thanks.
>>>>>>>
>>>>>>> On Monday, December 29, 2014 5:10 AM, Rowland Penny
>>>>>>> <rowlandpenny at googlemail.com> wrote:
>>>>>>> On 29/12/14 12:52, Jason Long wrote:
>>>>>>>> Thank you so much.
>>>>>>>>
>>>>>>>> I did some changes like below :
>>>>>>>>
>>>>>>>> /dev/mapper/vg_print-lv_root / ext4 user_xattr,acl,defaults 1 1
>>>>>>>>
>>>>>>>> Then "lsof | grep /dev/mapper/vg_print-lv_root" does not have any
>>>>>>>> output.
>>>>>>>> I added the below lines to the [global] section too :
>>>>>>>>
>>>>>>>> vfs objects = acl_xattr
>>>>>>>> map acl inherit = Yes
>>>>>>>> store dos attributes = Yes
>>>>>>>>
>>>>>>>> But about the below commands, can you tell me more?
>>>>>>>>
>>>>>>>> net rpc rights grant 'SAMDOM\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
>>>>>>>> net rpc rights list accounts -Uadministrator
>>>>>>>>
>>>>>>>> I hope they are not dangerous!!!!
>>>>>>> No :-)
>>>>>>>
>>>>>>> The first one gives members of Domain Admins the right to change
>>>>>>> Windows ACLs on a share.
>>>>>>> The second lists accounts and what rights they have.
>>>>>>>
>>>>>>>> In
>>>>>>>> "https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs"
>>>>>>>> the other steps are in Windows!!! Can I do them via Linux too?
>>>>>>> Yes, but it is just easier via Windows
>>>>>>>
>>>>>>> Rowland
>>>>>>>
>>>>>>>> Thanks.
>>>>>>>>
>>>>>>>> On Monday, December 29, 2014 1:59 AM, Rowland Penny
>>>>>>>> <rowlandpenny at googlemail.com> wrote:
>>>>>>>> On 29/12/14 06:38, Jason Long wrote:
>>>>>>>>> Thank you so much.
>>>>>>>>> You're right, my realm is "jasondomaini.jasondomain.jj" and I
>>>>>>>>> changed the configuration as below :
>>>>>>>>>
>>>>>>>>> [global]
>>>>>>>>> workgroup = JASONDOMAINI
>>>>>>>>> server string = Samba Server Version %v
>>>>>>>>> # logs split per machine
>>>>>>>>> log file = /var/log/samba/log.%m
>>>>>>>>> # max 50KB per log file, then rotate
>>>>>>>>> max log size = 50
>>>>>>>>> security = ADS
>>>>>>>>> realm = JASONDOMAINI.JASONDOMAIN.JJ
>>>>>>>>> passdb backend = tdbsam
>>>>>>>>> load printers = yes
>>>>>>>>> cups options = raw
>>>>>>>>> idmap config *:backend = tdb
>>>>>>>>> idmap config *:range = 70001-80000
>>>>>>>>> #idmap config SAMDOM:backend = ad
>>>>>>>>> idmap config JASONDOMAINI:backend = ad
>>>>>>>>> idmap config JASONDOMAINI:schema_mode = rfc2307
>>>>>>>>> idmap config JASONDOMAINI:range = 500-40000
>>>>>>>>>
>>>>>>>>> When I use "SSH" on my CentOS and enter "jasondomain\jason",
>>>>>>>>> it shows me the root partition and I can open the "Test" directory.
>>>>>>>>> But it has two problems :
>>>>>>>>>
>>>>>>>>> 1- Why does it show the root partition?
>>>>>>>>> 2- I can't browse it via Windows Explorer!!!
>>>>>>>>>
>>>>>>>>> I want to know, is using AD users in Linux hard?
>>>>>>>>>
>>>>>>>>> In your opinion, did I use a correct command to set the ACL?
>>>>>>>>>
>>>>>>>>> #getfacl test/
>>>>>>>>>
>>>>>>>>> # file: test/
>>>>>>>>> # owner: JASONDOMAINI\134JASON
>>>>>>>>> # group: JASONDOMAINI\134grp-JASON-rw
>>>>>>>>> user::rwx
>>>>>>>>> group::r-x
>>>>>>>>> group:JASONDOMAINI\134grp-JASON-rw:rwx
>>>>>>>>> mask::rwx
>>>>>>>>> other::r-x
>>>>>>>>>
>>>>>>>>> and in "getent group" it shows me the below group :
>>>>>>>>>
>>>>>>>>> JASONDOMAINI\134grp-JASON-rw
>>>>>>>>>
>>>>>>>>> In your opinion, did I use the correct command to set permissions?
>>>>>>>>>
>>>>>>>>> On Sunday, December 28, 2014 9:37 AM, Rowland Penny
>>>>>>>>> <rowlandpenny at googlemail.com> wrote:
>>>>>>>>> On 28/12/14 15:48, Jason Long wrote:
>>>>>>>>>> Thank you so much.
>>>>>>>>>> Thus I must change "idmap config JASONDOMAIN.JJ:backend = ad"
>>>>>>>>>> to "idmap config JASONDOMAIN:backend = ad".
>>>>>>>>>> How about the workgroup? Must I change it to "JASONDOMAIN" too?
>>>>>>>>>> About your question I must say that I tested this share via
>>>>>>>>>> Linux too, and Windows and Linux have the same problem.
>>>>>>>>>>
>>>>>>>>>> About "What I would do is, install the OpenSSH server on the
>>>>>>>>>> linux machine, install 'PUTTY' on a windows machine and try
>>>>>>>>>> to login via 'PUTTY' and use the SSH protocol." , do you mean
>>>>>>>>>> that Windows clients use SSH to work with this directory? I
>>>>>>>>>> want to make this Linux box a file server, and Windows
>>>>>>>>>> clients need a graphical browser to copy and paste files into
>>>>>>>>>> this directory!!!!!!!
>>>>>>>>>> What is your idea?
>>>>>>>>>>
>>>>>>>>>> Thanks.
>>>>>>>>>>
>>>>>>>>> I am losing track here a bit, but if your dns domain is
>>>>>>>>> example.com, then your windows AD realm should be something like
>>>>>>>>> internal.example.com and your workgroup/domain name should be
>>>>>>>>> INTERNAL, that is, they all rely on each other.
>>>>>>>>>
>>>>>>>>> So anywhere that you come across these, you should use the
>>>>>>>>> relevant one, this is the relevant parts from a Unix client on
>>>>>>>>> my domain:
>>>>>>>>>
>>>>>>>>> [global]
>>>>>>>>> workgroup = INTERNAL
>>>>>>>>> security = ADS
>>>>>>>>> realm = INTERNAL.EXAMPLE.COM
>>>>>>>>> ..........
>>>>>>>>> idmap config * : backend = tdb
>>>>>>>>> idmap config * : range = 2000-9999
>>>>>>>>> idmap config INTERNAL : backend = ad
>>>>>>>>> idmap config INTERNAL : range = 10000-999999
>>>>>>>>> idmap config INTERNAL : schema_mode = rfc2307
>>>>>>>>>
>>>>>>>>> As for using 'PUTTY', this was just a way of testing whether
>>>>>>>>> you can connect to the Unix machine.
>>>>>>>>>
>>>>>>>>> Rowland
>>>>>>>> OK, we are getting closer
>>>>>>>>
>>>>>>>> right, answers to your questions
>>>>>>>> 1) I think that you may find that this is also printed 'Could
>>>>>>>> not chdir to home directory', in which case you will end up in
>>>>>>>> the root of the computer.
>>>>>>>>
>>>>>>>> 2) Are you running the 'nmbd' daemon ? Even if this is not
>>>>>>>> running you should be able to navigate to the share by entering
>>>>>>>> the path. Have a look here:
>>>>>>>>
>>>>>>>> https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs
>>>>>>>>
>>>>>>>> Rowland
>>>>>>>>
>>>>>> You are trying to run the command on a client, try adding either:
>>>>>>
>>>>>> -S server name
>>>>>>
>>>>>> OR
>>>>>>
>>>>>> -I address of target server
>>>>>>
>>>>>> where 'server' is the AD DC.
>>>>>>
>>>>>> Yes, you need to supply the password of the Domain Administrator.
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>> OK, try it like this:
>>>>>
>>>>> net rpc rights grant 'Domain Admins' SeDiskOperatorPrivilege -UAdministrator -I 192.168.1.1
>>>>>
>>>>> This works for me on a client joined to the domain.
>>>>>
>>>>> Rowland
>>>>>
>>>> Sounds like something is wrong with the join, what does 'net ads
>>>> testjoin' return ? You may have to run this command with sudo.
>>>>
>>>> Rowland
>>>>
>> Sometimes I wonder why all the time is spent on keeping the samba wiki
>> updated. Likewiseopen was replaced some time ago by PowerBroker Open, I
>> cannot recommend using either of these, because quite simply, they are
>> not needed.
>>
>> Check the following files:
>>
>> /etc/samba/smb.conf
>>
>> [global]
>> workgroup = JASONDOMAINI
>> security = ADS
>> realm = JASONDOMAINI.JASONDOMAIN.JJ
>> dedicated keytab file = /etc/krb5.keytab
>> kerberos method = secrets and keytab
>> server string = Samba 4 Client %h
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind use default domain = yes
>> winbind expand groups = 4
>> winbind nss info = rfc2307
>> winbind refresh tickets = Yes
>> winbind normalize names = Yes
>> idmap config * : backend = tdb
>> idmap config * : range = 2000-9999
>> idmap config JASONDOMAINI : backend = ad
>> idmap config JASONDOMAINI : range = 10000-999999
>> idmap config JASONDOMAINI : schema_mode = rfc2307
>> printcap name = cups
>> cups options = raw
>> usershare allow guests = yes
>> domain master = no
>> local master = no
>> preferred master = no
>> os level = 20
>> map to guest = bad user
>> vfs objects = acl_xattr
>> map acl inherit = Yes
>> store dos attributes = Yes
>> log level = 6
>>
>> /etc/krb5.conf
>>
>> [libdefaults]
>> default_realm = JASONDOMAINI.JASONDOMAIN.JJ
>> dns_lookup_realm = false
>> dns_lookup_kdc = true
>> ticket_lifetime = 24h
>> forwardable = yes
>>
>> /etc/resolv.conf
>>
>> nameserver <your AD DC's ipaddress>
>> search jasondomaini.jasondomain.jj
>>
>> If required, alter them to match the above, check that 'hostname'
>> returns only the hostname of the client, check that 'hostname -f'
>> returns the FQDN. If either are not correct, fix them.
>>
>> Remove likewiseopen
>>
>> Once everything is correct, run the following command:
>>
>> net ads join -U Administrator@JASONDOMAINI.JASONDOMAIN.JJ
>>
>> You should be asked for the domain Administrator's password, enter this
>> and you should join the domain
>>
>> Rowland
>>
> What Windows DC are you using ?
> What is the realm name * workgroup name on the Windows DC ?
>
> Rowland

oops, that should have been:

What is the realm name & workgroup name on the Windows DC ?

Rowland
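The getfacl output quoted above is worth reading exactly: "\134" is getfacl's octal escape for a backslash, so the entry really names the winbind group "JASONDOMAINI\grp-JASON-rw", and the "mask::" line caps every named-user and group entry. The script below is an added example for this thread, not code from Samba or from either poster; it parses a getfacl dump, decodes those escapes and answers "may this user do X on test/?" by following the entry order the Linux POSIX.1e code (fs/posix_acl.c) uses: owner entry unmasked, then named users and the owning/named groups ANDed with the mask, then other. The sample dump is the one from the thread, reused as constructed input; the user and group names passed in are made up.

```python
"""Evaluate a getfacl(1) dump the way the Linux POSIX.1e ACL code does.

Added example for this thread, not code from Samba or from either poster.
It decodes getfacl's octal escapes ("\\134" is a backslash, so the group in
the thread is really "JASONDOMAINI\\grp-JASON-rw" as winbind returns it) and
answers "may this user do X?" in the order fs/posix_acl.c uses: owner entry,
named user, owning group and named groups (each ANDed with the mask), other.
"""
import re
from typing import List, NamedTuple, Optional, Set

# The getfacl output quoted in the thread, reused as constructed sample input.
SAMPLE_GETFACL = """\
# file: test/
# owner: JASONDOMAINI\\134JASON
# group: JASONDOMAINI\\134grp-JASON-rw
user::rwx
group::r-x
group:JASONDOMAINI\\134grp-JASON-rw:rwx
mask::rwx
other::r-x
"""

_OCTAL = re.compile(r"\\([0-7]{3})")


def unescape(name: str) -> str:
    """Undo getfacl's escaping: a backslash plus three octal digits is one byte."""
    return _OCTAL.sub(lambda m: chr(int(m.group(1), 8)), name)


class Entry(NamedTuple):
    tag: str         # user, group, mask or other
    qualifier: str   # empty for user::, group::, mask:: and other::
    perms: Set[str]  # subset of {'r', 'w', 'x'}


class Acl(NamedTuple):
    path: str
    owner: str
    group: str
    entries: List[Entry]


def parse_getfacl(text: str) -> Acl:
    path = owner = group = ""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("default:"):
            continue  # default (inheritance) entries never take part in access checks
        if line.startswith("#"):
            key, _, val = line[1:].partition(":")
            key, val = key.strip(), unescape(val.strip())
            if key == "file":
                path = val
            elif key == "owner":
                owner = val
            elif key == "group":
                group = val
            continue
        tag, qualifier, rest = line.split(":", 2)
        perms = rest.split()[0]  # drop a trailing '#effective:...' from getfacl -e
        entries.append(Entry(tag, unescape(qualifier), set(perms) - {"-"}))
    return Acl(path, owner, group, entries)


def check_access(acl: Acl, user: str, groups: Set[str], want: str) -> bool:
    """True if 'user' (member of 'groups') gets every bit in 'want', e.g. "rw".

    Mirrors posix_acl_permission(): the owner entry is unmasked, named-user and
    group entries are ANDed with the mask, and a group-class entry only grants
    when that single entry holds all wanted bits. Once any group entry matched
    the caller, the other entry is no longer consulted.
    """
    want_bits = set(want)
    mask: Optional[Set[str]] = next((e.perms for e in acl.entries if e.tag == "mask"), None)

    def masked(e: Entry) -> Set[str]:
        return e.perms if mask is None else e.perms & mask

    in_group_class = False
    for e in acl.entries:
        if e.tag == "user" and not e.qualifier:
            if user == acl.owner:
                return want_bits <= e.perms
        elif e.tag == "user":
            if user == e.qualifier:
                return want_bits <= masked(e)
        elif e.tag == "group":
            target = e.qualifier or acl.group
            if target in groups:
                in_group_class = True
                if want_bits <= masked(e):
                    return True
        elif e.tag == "other":
            return False if in_group_class else want_bits <= e.perms
    return False


if __name__ == "__main__":
    acl = parse_getfacl(SAMPLE_GETFACL)
    print("named group entries decode to:", [e.qualifier for e in acl.entries if e.tag == "group" and e.qualifier])
    for who, grps, want in [("JASONDOMAINI\\JASON", set(), "rwx"),
                            ("alice", {"JASONDOMAINI\\grp-JASON-rw"}, "w"),
                            ("bob", {"Domain Users"}, "w")]:
        print(f"{who:22} wants {want:3}: {'allowed' if check_access(acl, who, grps, want) else 'denied'}")
```

Run it after `setfacl` to confirm the intent rather than eyeballing the dump; the check that matters most is that a member of the rw group is still denied "w" as soon as "mask::" drops to r-x, which is exactly what `chmod g-w` on the directory does.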
Jason Long
2015-Jan-05 07:02 UTC
[Samba] Use Samba with ACL for read Active Directory and set Permissions via it.
Thanks a lot.
I changed the below lines to the correct domain name :

idmap config JASONDOMAIN : range = 10000-999999
idmap config JASONDOMAIN : schema_mode = rfc2307

and after the join, the command "net rpc testjoin" shows the same error :

Unable to find a suitable server for domain JASONDOMAINI
Join to domain 'JASONDOMAINI' is not valid: NT_STATUS_UNSUCCESSFUL

I have an idea and I guess that "/etc/krb5.conf" has some incorrect options. The file is "

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = JASONDOMAIN.JJ
 dns_lookup_realm = false
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = yes
 default_keytab_name = /etc/krb5.keytab
 default_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
 default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
 preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
 pkinit_kdc_hostname = <DNS>
 pkinit_anchors = DIR:/var/lib/pbis/trusted_certs
 pkinit_cert_match = &&<EKU>msScLogin<PRINCIPAL>
 pkinit_eku_checking = kpServerAuth
 pkinit_win2k_require_binding = false
 pkinit_identities = PKCS11:/opt/pbis/lib64/libpkcs11.so

[realms]
 EXAMPLE.COM = {
  kdc = kerberos.example.com
  admin_server = kerberos.example.com
 }
 JASONDOMAIN.JJ = {
  auth_to_local = RULE:[1:$0\$1](^JASONDOMAIN\.JJ\\.*)s/^JASONDOMAIN\.JJ/JASONDOMAINI/
  auth_to_local = RULE:[1:$0\$1](^ADVER\.JASONDOMAIN\.JJ\\.*)s/^ADVER\.JASONDOMAIN\.JJ/ADVER/
  auth_to_local = DEFAULT
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
 .JASONDOMAIN.JJ = JASONDOMAIN.JJ
 .adver.JASONDOMAIN.JJ = ADVER.JASONDOMAIN.JJ

[capaths]

[appdefaults]
 pam = {
  mappings = JASONDOMAINI\\(.*) $1@JASONDOMAIN.JJ
  forwardable = true
  validate = true
 }
 httpd = {
  mappings = JASONDOMAINI\\(.*) $1@JASONDOMAIN.JJ
  reverse_mappings = (.*)@JASONDOMAIN\.JJ JASONDOMAINI\$1
 }

What is your idea?
I must tell you that after I removed LikeWise and configured manually, I can't login to Linux via Windows AD accounts.

Thanks.

On Sunday, January 4, 2015 5:11 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
On 04/01/15 13:00, Rowland Penny wrote:
> [snip]
>
> oops, that should have been:
>
> What is the realm name & workgroup name on the Windows DC ?
>
> Rowland
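Rowland's checklist in the previous message (workgroup, realm, matching idmap domain names with disjoint ranges, krb5.conf default_realm, resolv.conf search domain, `hostname` versus `hostname -f`) and the krb5.conf posted above are the two things a join depends on, and every mismatch in this thread was one of them. The script below is an added example for this thread, not Samba's code; it never contacts a DC and only cross-checks the three files offline. It also flags two things the posted krb5.conf shows that the thread does not discuss: DES and RC4 enctypes, which are weak and should not be offered, and `pkinit_*` settings pointing at /opt/pbis and /var/lib/pbis, which are leftovers of the PowerBroker/Likewise install Rowland says to remove. The sample files are constructed from fragments quoted in the thread, deliberately mixed so that every check fires; the hostname and FQDN are passed in as arguments and are assumptions.

```python
"""Pre-flight check of a Samba AD member's smb.conf, krb5.conf and resolv.conf before `net ads join`.
Added example for this thread (not Samba's code; it never contacts a DC). It encodes the rules Rowland
asks Jason to verify (workgroup, realm, 'idmap config' names and ranges, hostname vs. FQDN) plus two
checks the posted krb5.conf invites: weak enctypes and pkinit settings left behind by Likewise/PBIS.
The sample files are constructed from fragments quoted in the thread, mixed so that every check fires."""
import re
from typing import Dict, List, Tuple

SMB_CONF = """\
[global]
workgroup = JASONDOMAINI
security = ADS
realm = JASONDOMAINI.JASONDOMAIN.JJ
idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config JASONDOMAIN : backend = ad
idmap config JASONDOMAIN : schema_mode = rfc2307
idmap config JASONDOMAIN : range = 500-40000
"""
KRB5_CONF = """\
[libdefaults]
 default_realm = JASONDOMAIN.JJ
 default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
 pkinit_identities = PKCS11:/opt/pbis/lib64/libpkcs11.so
"""
RESOLV_CONF = "nameserver 192.168.1.1\nsearch jasondomain.jj\n"

_IDMAP = re.compile(r"idmap config\s*(.+?)\s*:\s*(\S+)$")
_WEAK = ("DES", "RC4", "ARCFOUR")  # single DES, 3DES and RC4 enctype families

def parse_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Sections, 'key = value' and comment lines; keys lower-cased with inner whitespace collapsed."""
    sections: Dict[str, Dict[str, str]] = {}
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1].lower()
            sections[cur] = {}
        elif "=" in line and cur is not None:
            key, val = line.split("=", 1)
            sections[cur][re.sub(r"\s+", " ", key.strip().lower())] = val.strip()
    return sections

def idmap_domains(glob: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    doms: Dict[str, Dict[str, str]] = {}  # 'idmap config DOM : option' grouped by upper-cased DOM
    for key, val in glob.items():
        m = _IDMAP.match(key)
        if m:
            doms.setdefault(m.group(1).upper(), {})[m.group(2)] = val
    return doms

def preflight(smb: str, krb5: str, resolv: str, hostname: str, fqdn: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing obvious is wrong."""
    out: List[str] = []
    g = parse_ini(smb).get("global", {})
    lib = parse_ini(krb5).get("libdefaults", {})
    workgroup, realm = g.get("workgroup", "").upper(), g.get("realm", "").upper()
    if realm != lib.get("default_realm", "").upper():
        out.append(f"realm mismatch: smb.conf realm {realm!r} vs krb5.conf default_realm {lib.get('default_realm')!r}; compare with USERDNSDOMAIN on a Windows client")

    ranges: Dict[str, Tuple[int, int]] = {}
    for dom, cfg in idmap_domains(g).items():
        if dom not in ("*", workgroup):
            out.append(f"smb.conf: 'idmap config {dom}' does not name the workgroup {workgroup}; unless {dom} is a trusted domain's short name winbind will ignore it")
        if "range" in cfg:
            ranges[dom] = tuple(map(int, re.split(r"\s*-\s*", cfg["range"].strip())))
    for dom, (lo, hi) in ranges.items():
        if dom != "*" and lo < 1000:
            out.append(f"smb.conf: idmap range for {dom} starts at {lo}; ids below 1000 usually collide with local system accounts (heuristic threshold)")
        for other, (olo, ohi) in ranges.items():
            if dom < other and lo <= ohi and olo <= hi:
                out.append(f"smb.conf: idmap ranges {dom} {lo}-{hi} and {other} {olo}-{ohi} overlap; winbind requires disjoint ranges")

    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes", "preferred_enctypes"):
        weak = [e for e in lib.get(key, "").split() if e.upper().startswith(_WEAK)]
        if weak:
            out.append(f"krb5.conf: {key} lists weak/deprecated enctypes {weak}; keep only the AES types")
    for key, val in lib.items():
        if key.startswith("pkinit_") and ("/pbis" in val or "likewise" in val.lower()):
            out.append(f"krb5.conf: {key} points at a PowerBroker/Likewise path; remove it along with the package")

    search = ""
    for parts in (l.split() for l in resolv.splitlines()):
        if len(parts) > 1 and parts[0] in ("search", "domain"):
            search = parts[1].lower()
    if realm and search != realm.lower():
        out.append(f"resolv.conf: search domain {search!r} differs from the realm's DNS name {realm.lower()!r}; unqualified DC names will not resolve")
    if "." in hostname:
        out.append(f"'hostname' returns {hostname!r}; it should be the short name only")
    if "." not in fqdn or not fqdn.lower().startswith(hostname.lower() + "."):
        out.append(f"'hostname -f' returns {fqdn!r}; expected {hostname}.<dns domain>")
    return out

if __name__ == "__main__":  # on a real host read the three files and use socket.gethostname()/getfqdn()
    for finding in preflight(SMB_CONF, KRB5_CONF, RESOLV_CONF, "printmah", "printmah.jasondomain.jj"):
        print(" -", finding)
```

The realm check is the one that explains this thread: the Windows `set` output gives USERDNSDOMAIN=JASONDOMAIN.JJ and USERDOMAIN=JASONDOMAINI, so `realm` must be JASONDOMAIN.JJ and every `idmap config` line must use the workgroup JASONDOMAINI, not the DNS name. Run the real `testparm -s` and `net ads testjoin` only after this reports nothing.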
Rowland Penny
2015-Jan-05 09:04 UTC
[Samba] Use Samba with ACL for read Active Directory and set Permissions via it.
On 05/01/15 07:02, Jason Long wrote:
> [snip]
>>>>>>>>>> >>>>>>>>>> #getfacl test/ >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> # file: test/ >>>>>>>>>> # owner: JASONDOMAINI\134JASON >>>>>>>>>> # group: JASONDOMAINI\134grp-JASON-rw >>>>>>>>>> user::rwx >>>>>>>>>> group::r-x >>>>>>>>>> group:JASONDOMAINI\134grp-JASON-rw:rwx >>>>>>>>>> mask::rwx >>>>>>>>>> other::r-x >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> and in "getent group" it show me below group : >>>>>>>>>> >>>>>>>>>> JASONDOMAINI\134grp-JASON-rw >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> in your idea, Am I use correct command to set permission? >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> On Sunday, December 28, 2014 9:37 AM, Rowland Penny >>>>>>>>>> <rowlandpenny at googlemail.com> wrote: >>>>>>>>>> On 28/12/14 15:48, Jason Long wrote: >>>>>>>>>>> Thank you so much. >>>>>>>>>>> Thus I must change "idmap config JASONDOMAIN.JJ:backend = ad >>>>>>>>>>> " to "idmap config JASONDOMAIN:backend = ad". >>>>>>>>>>> How about Workgroup? is must change "JASONDOMAIN" too? >>>>>>>>>>> About your question I must say that I Test this share via >>>>>>>>>>> Linux too and Windows and Linux has same problem. >>>>>>>>>>> >>>>>>>>>>> About "What I would do is, install the OpenSSH server on the >>>>>>>>>>> linux machine, install 'PUTTY' on a windows machine and try >>>>>>>>>>> to login via 'PUTTY' and use the SSH protocol." , You mean is >>>>>>>>>>> that Windows clients use SSH to work with this directory? I >>>>>>>>>>> want to made this Linux Box as a File server and Windows >>>>>>>>>>> Clients need graphical browser to copy and paste file into >>>>>>>>>>> this directory!!!!!!! >>>>>>>>>>> What is your idea? >>>>>>>>>>> >>>>>>>>>>> Thanks. 
>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>> I am loosing track here a bit, but if your dns domain is >>>>>>>>>> example.com, >>>>>>>>>> then your windows AD realm should be something like >>>>>>>>>> internal.example.com >>>>>>>>>> and your workgroup/domain name should be INTERNAL, that is, >>>>>>>>>> they all >>>>>>>>>> rely on each other. >>>>>>>>>> >>>>>>>>>> So anywhere that you come across these, you should use the >>>>>>>>>> relevant one, >>>>>>>>>> this is the relevant parts from a Unix client on my domain: >>>>>>>>>> >>>>>>>>>> [global] >>>>>>>>>> workgroup = INTERNAL >>>>>>>>>> security = ADS >>>>>>>>>> realm = INTERNAL.EXAMPLE.COM >>>>>>>>>> .......... >>>>>>>>>> idmap config * : backend = tdb >>>>>>>>>> idmap config * : range = 2000-9999 >>>>>>>>>> idmap config INTERNAL : backend = ad >>>>>>>>>> idmap config INTERNAL : range = 10000-999999 >>>>>>>>>> idmap config INTERNAL : schema_mode = rfc2307 >>>>>>>>>> >>>>>>>>>> As for using 'PUTTY', this was just a way of testing whether >>>>>>>>>> you can >>>>>>>>>> connect to the Unix machine. >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Rowland >>>>>>>>> OK, we are getting closer >>>>>>>>> >>>>>>>>> right, answers to your questions >>>>>>>>> 1) I think that you may find that this is also printed 'Could >>>>>>>>> not chdir >>>>>>>>> to home directory', in which case you will end up in the root >>>>>>>>> of computer. >>>>>>>>> >>>>>>>>> 2) Are you running the 'nmbd' daemon ? Even if this is not >>>>>>>>> running you >>>>>>>>> should be able to navigate to the share by entering the path. >>>>>>>>> Have a >>>>>>>>> look here: >>>>>>>>> >>>>>>>>> https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> Rowland >>>>>>>>> >>>>>>> You are trying to run the command on a client, try adding either: >>>>>>> >>>>>>> -S server name >>>>>>> >>>>>>> OR >>>>>>> >>>>>>> -I address of target server >>>>>>> >>>>>>> where 'server' is the AD DC. 
>>>>>>> >>>>>>> Yes, you need to supply the password of the Domain Administrator. >>>>>>> >>>>>>> >>>>>>> Rowland >>>>>>> >>>>>> OK, try it like this: >>>>>> >>>>>> net rpc rights grant 'Domain Admins' SeDiskOperatorPrivilege >>>>>> -UAdministrator -I 192.168.1.1 >>>>>> >>>>>> This works for me on a client joined to the domain. >>>>>> >>>>>> >>>>>> Rowland >>>>>> >>>>> Sounds like something is wrong with the join, what does 'net ads >>>>> testjoin' return ? You may have to run this command with sudo. >>>>> >>>>> >>>>> Rowland >>>>> >>> Sometimes I wonder why all the time is spent on keeping the samba wiki >>> updated. Likewiseopen was replaced sometime ago by PowerBroker Open, I >>> cannot recommend using either of these, because quite simply, they are >>> not needed. >>> >>> Check the following files: >>> >>> /etc/samba/smb.conf >>> >>> [global] >>> workgroup = JASONDOMAINI >>> security = ADS >>> realm = JASONDOMAINI.JASONDOMAIN.JJ >>> dedicated keytab file = /etc/krb5.keytab >>> kerberos method = secrets and keytab >>> server string = Samba 4 Client %h >>> winbind enum users = yes >>> winbind enum groups = yes >>> winbind use default domain = yes >>> winbind expand groups = 4 >>> winbind nss info = rfc2307 >>> winbind refresh tickets = Yes >>> winbind normalize names = Yes >>> idmap config * : backend = tdb >>> idmap config * : range = 2000-9999 >>> idmap config JASONDOMAINI : backend = ad >>> idmap config JASONDOMAINI : range = 10000-999999 >>> idmap config JASONDOMAINI : schema_mode = rfc2307 >>> printcap name = cups >>> cups options = raw >>> usershare allow guests = yes >>> domain master = no >>> local master = no >>> preferred master = no >>> os level = 20 >>> map to guest = bad user >>> vfs objects = acl_xattr >>> map acl inherit = Yes >>> store dos attributes = Yes >>> log level = 6 >>> >>> /etc/krb5.conf >>> >>> [libdefaults] >>> default_realm = JASONDOMAINI.JASONDOMAIN.JJ >>> dns_lookup_realm = false >>> dns_lookup_kdc = true >>> ticket_lifetime = 24h 
>>> forwardable = yes >>> >>> /etc/resolv.conf >>> >>> nameserver <your AD DC's ipaddress> >>> search jasondomaini.jasondomain.jj >>> >>> If required, alter them to match the above, check that 'hostname' >>> returns only the hostname of the client, check that 'hostname -f' >>> returns the FQDN. If either are not correct, fix them. >>> >>> Remove likewiseopen >>> >>> Once everything is correct, run the following command: >>> >>> net ads join -U Administrator at JASONDOMAINI.JASONDOMAIN.JJ >>> >>> You should be asked for the domain Administrators password, enter this >>> and you should join the domain >>> >>> Rowland >>> >> What Windows DC are you using ? >> What is the realm name * workgroup name on the Windows DC ? >> >> Rowland > oops, that should have been: > > > What is the realm name & workgroup name on the Windows DC ? > > Rowland >Hi, will you answer these questions: What Windows DC are you using ? What is the realm name on the Windows DC ? What is the workgroup name on the Windows DC ? You do not need all of what you have in /etc/krb5.conf, but please answer the questions above first. Rowland
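The whole thread turns on one point Rowland keeps repeating: the workgroup (the short NetBIOS domain name, USERDOMAIN on Windows), the realm (the AD DNS name, USERDNSDOMAIN) and the domain name in every `idmap config` line have to agree, and the `*` range must not overlap the domain's range. The POSIX sh script below is an added example written for this page; it is not code from the thread or from the Samba project. It parses a member server's smb.conf and reports the mismatches that produced the NT_STATUS_UNSUCCESSFUL and "No logon servers" results above. Assumptions: keys are spelled in lower case as in the thread's snippets, the `idmap config` syntax is either `DOMAIN : key` or `DOMAIN:key` (both forms appear in the thread), and an upper-case realm is treated as a convention (reported as a warning only). Both configurations in the script are constructed samples, one mixing names the way the thread does and one in the shape Rowland recommends.

```shell
#!/bin/sh
# Added example, not code from this thread or from the Samba project:
# a consistency check for the domain names in a member server's smb.conf.
# Keys are assumed to be spelled in lower case, as in the thread's snippets.

# conf_value CONF KEY: first value of KEY in CONF (whitespace around '=' ignored).
conf_value() {
    printf '%s\n' "$1" |
        sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" |
        sed 's/[[:space:]]*$//' | head -n 1
}

# idmap_value CONF DOMAIN KEY: value of "idmap config DOMAIN : KEY" in CONF,
# accepting both spacing variants seen in the thread ("DOMAIN : key", "DOMAIN:key").
idmap_value() {
    printf '%s\n' "$1" | awk -v dom="$2" -v key="$3" '
        /^[ \t]*idmap config/ {
            line = $0
            sub(/^[ \t]*idmap config[ \t]*/, "", line)
            c = index(line, ":"); e = index(line, "=")
            if (c == 0 || e == 0 || e < c) next
            d = substr(line, 1, c - 1); k = substr(line, c + 1, e - c - 1)
            v = substr(line, e + 1)
            gsub(/[ \t]/, "", d); gsub(/[ \t]/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (d == dom && k == key) { print v; exit }
        }'
}

# ranges_overlap A B: true when two "lo-hi" id ranges share any id.
ranges_overlap() {
    [ "${1%-*}" -le "${2#*-}" ] && [ "${2%-*}" -le "${1#*-}" ]
}

# check_smb_conf CONF: print every inconsistency; return 0 only when there is none.
check_smb_conf() {
    conf="$1"
    rc=0
    wg=$(conf_value "$conf" workgroup)
    realm=$(conf_value "$conf" realm)
    [ -n "$wg" ]    || { echo "missing: workgroup"; rc=1; }
    [ -n "$realm" ] || { echo "missing: realm"; rc=1; }
    # workgroup is the short NetBIOS domain name (USERDOMAIN), never a DNS name
    case "$wg" in
        *.*) echo "workgroup '$wg' is a DNS name; use the short domain name"; rc=1 ;;
    esac
    # realm is the Kerberos realm, i.e. the AD DNS name (USERDNSDOMAIN)
    case "$realm" in
        *.*) ;;
        *)   echo "realm '$realm' is not a DNS domain name"; rc=1 ;;
    esac
    if [ "$realm" != "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]; then
        echo "warning: realm '$realm' is not upper case (assumed convention)"
    fi
    # the domain's own idmap entries must exist under the workgroup name
    [ -n "$(idmap_value "$conf" "$wg" backend)" ] ||
        { echo "missing: idmap config $wg : backend"; rc=1; }
    star_range=$(idmap_value "$conf" '*' range)
    [ -n "$star_range" ] || { echo "missing: idmap config * : range"; rc=1; }
    # every other idmap domain must be the workgroup and keep clear of the '*' range
    wg_uc=$(printf '%s' "$wg" | tr '[:lower:]' '[:upper:]')
    domains=$(printf '%s\n' "$conf" |
        sed -n 's/^[[:space:]]*idmap config[[:space:]]*\([^:[:space:]]*\)[[:space:]]*:.*/\1/p' |
        sort -u)
    set -f   # '*' is a literal domain name here, not a glob
    for d in $domains; do
        [ "$d" = "*" ] && continue
        d_uc=$(printf '%s' "$d" | tr '[:lower:]' '[:upper:]')
        [ "$d_uc" = "$wg_uc" ] ||
            { echo "idmap config domain '$d' does not match workgroup '$wg'"; rc=1; }
        r=$(idmap_value "$conf" "$d" range)
        if [ -n "$star_range" ] && [ -n "$r" ] && ranges_overlap "$star_range" "$r"; then
            echo "idmap ranges overlap: '*' $star_range vs '$d' $r"; rc=1
        fi
    done
    set +f
    return $rc
}

# Constructed sample mixing three spellings of the domain, as happened in the thread.
BAD_CONF='[global]
   workgroup = JASONDOMAINI
   security = ADS
   realm = JASONDOMAINI.JASONDOMAIN.JJ
   idmap config * : backend = tdb
   idmap config * : range = 2000-9999
   idmap config JASONDOMAIN.JJ:backend = ad
   idmap config JASONDOMAIN.JJ:range = 500-40000
   idmap config JASONDOMAIN.JJ:schema_mode = rfc2307'

# Constructed sample in the shape Rowland recommends: one name used throughout.
GOOD_CONF='[global]
   workgroup = INTERNAL
   security = ADS
   realm = INTERNAL.EXAMPLE.COM
   idmap config * : backend = tdb
   idmap config * : range = 2000-9999
   idmap config INTERNAL : backend = ad
   idmap config INTERNAL : range = 10000-999999
   idmap config INTERNAL : schema_mode = rfc2307'

echo "== constructed config mixing domain names"
check_smb_conf "$BAD_CONF" || echo "-> fix smb.conf before running 'net ads join'"
echo "== constructed config using one name throughout"
check_smb_conf "$GOOD_CONF" && echo "-> consistent"
```

To use it on a real client, pass the file contents: `check_smb_conf "$(cat /etc/samba/smb.conf)"`. It only reads the file, so it is safe to run before `net ads join` and again after `net ads testjoin` fails; it does not replace Rowland's other checks (`hostname`, `hostname -f`, resolv.conf and krb5.conf pointing at the DC), which this script does not look at.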